ENARSI Full Question - 2023

Uploaded by tranmanhhung2268

OSPF & EIGRP Questions

Question 1

Which configuration adds an IPv4 interface to an OSPFv3 process in OSPFv3 address family
configuration?

A.
router ospfv3 1
address-family ipv4

B. Router(config-router)#ospfv3 1 ipv4 area 0

C. Router(config-if)#ospfv3 1 ipv4 area 0

D.
router ospfv3 1
address-family ipv4 unicast

Answer: C

Explanation

The newest OSPFv3 configuration approach utilizes a single OSPFv3 process. It is capable of
supporting IPv4 and IPv6 within a single OSPFv3 process. OSPFv3 builds a single database
with LSAs that carry IPv4 and IPv6 information. The OSPF adjacencies are established
separately for each address family. Settings that are specific to an address family
(IPv4/IPv6) are configured inside that address family router configuration mode.
Running single OSPFv3 for both IPv4 and IPv6 is supported since Cisco IOS Software
Release 15.1(3)S.

The new-style OSPFv3 process is enabled using the router ospfv3 process-number command. Within the OSPF process configuration mode, the router ID is defined (using the router-id command).

OSPFv3 New-Style OSPF Configuration Commands:

R1(config)#ipv6 unicast-routing   // although only OSPFv3 for IPv4 is configured, IPv6 must be enabled in global configuration mode
R1(config)#router ospfv3 1
R1(config-router)#router-id 1.1.1.1
R1(config)#interface GigabitEthernet0/1
R1(config-if)#ipv6 enable   // likewise, IPv6 must be enabled in interface mode
R1(config-if)#ospfv3 1 ipv4 area 0

Reference: https://www.ciscopress.com/articles/article.asp?p=2294214&seqNum=4

Question 2
Refer to the exhibit. Users in the branch network 2001:db8:0:4 report that they cannot access the internet. Which command is issued in IPv6 router EIGRP 100 configuration mode to solve this issue?

R1#show ipv6 eigrp topology
EIGRP-IPv6 Topology Table for AS(100)/ID(10.1.12.1)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status
P 2001:DB8:0:4::/64, 1 successors, FD is 28416
        via FE80::C828:DFF:FEF4:1C (28416/2816), FastEthernet3/0
P 2001:DB8:0:1::/64, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0
P ::/0, 1 successors, FD is 2816
        via FE80::C821:17FF:FE04:8 (2816/256), GigabitEthernet1/0
P 2001:DB8:0:14::/64, 1 successors, FD is 28160
        via Connected, FastEthernet3/0
P 2001:DB8:0:12::/64, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0

Branch#show ipv6 eigrp topology
EIGRP-IPv6 Topology Table for AS(100)/ID(4.4.4.4)
Codes: P – Passive, A – Active, U – Update, Q – Query, R – Reply,
       r – reply Status, s – sia Status
P 2001:DB8:0:4::/64, 1 successors, FD is 2816
        via Connected, GigabitEthernet0/0
P 2001:DB8:0:1::/64, 1 successors, FD is 28416
        via FE80:C820:17FF:FE04:54 (28416/2816), FastEthernet1/0
P 2001:DB8:0:14::/64, 1 successors, FD is 28160
        via Connected, FastEthernet1/0
P 2001:DB8:0:12::/64, 1 successors, FD is 28416
        via FE80:C820:17FF:FE04:54 (28416/2816), FastEthernet1/0

A. Issue the eigrp stub command on R1
B. Issue the no eigrp stub command on R1
C. Issue the eigrp stub command on R2
D. Issue the no eigrp stub command on R2

Answer: B

Explanation
In the output of R1, we see that R1 has a default route to the Internet via G1/0, which is correct, but R2 does not have this route. One reasonable explanation is that R1 has been configured as a stub router, so it only advertises connected and summary routes. In the Branch router output, we also see only routes that are directly connected to R1.

Note: In this topology, only the Branch router should be configured as a stub, not R1.

Question 3

Refer to the exhibit. An engineer configures a static route on a router, but when the engineer checks the route to the destination, a different next hop is chosen. What is the reason for this?

Router#show running-config | include ip route
ip route 192.168.2.2 255.255.255.255 209.165.200.225 130
Router#show ip route
---output omitted---
Gateway of last resort is not set

      192.168.1.0/32 is subnetted, 1 subnets
C        192.168.1.1 is directly connected, Loopback0
      192.168.2.0/32 is subnetted, 1 subnets
O        192.168.2.2 [110/11] via 192.168.12.2, 00:33:32, Ethernet0/0
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Ethernet0/0
L        192.168.12.1/32 is directly connected, Ethernet0/0
      209.165.200.0/24 is variably subnetted, 2 subnets, 2 masks
C        209.165.200.0/24 is directly connected, Ethernet0/1
L        209.165.200.226/32 is directly connected, Ethernet0/1

A. The configured AD for the static route is higher than the AD of OSPF
B. The metric of the OSPF route is lower than the metric of the static route
C. Dynamic routing protocols always have priority over static routes
D. The syntax of the static route is not valid, so the route is not considered

Answer: A

Explanation

The AD of the static route is manually configured to 130, which is higher than the AD of OSPF, which is 110.

Question 4

Refer to the exhibit. An engineer is trying to generate a summary route in OSPF for network
10.0.0.0/8, but the summary route does not show up in the routing table. Why is the
summary route missing?

Router#show ip route
Gateway of last resort is not set

      192.168.1.0/32 is subnetted, 1 subnets
O        192.168.1.1 [110/11] via 192.168.12.1, 13:32:22, Ethernet0/0
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, Loopback0
L        192.168.2.2/32 is directly connected, Loopback0
      192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.3.0/24 is directly connected, Ethernet0/1
L        192.168.3.1/32 is directly connected, Ethernet0/1
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, Ethernet0/0
L        192.168.12.2/32 is directly connected, Ethernet0/0
Router#show running-config | section ospf
router ospf 1
 summary-address 10.0.0.0 255.0.0.0
 redistribute static subnets
 network 192.168.3.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
Router#

A. The summary route is not visible on this router, but it is visible on other OSPF routers in
the same area
B. The summary-address command is used only for summary prefixes between areas
C. The summary route is visible only in the OSPF database not in the routing table
D. There is no route for a subnet inside 10.0.0.0/8, so the summary route is not generated

Answer: D

There are two ways to summarize:

Way 1: summarize at the ABR

Way 2: summarize at the ASBR


Explanation

The “summary-address” command is only used to create aggregate addresses for OSPF at an autonomous system boundary. It means this command should only be used on the ASBR when you are trying to summarize externally redistributed routes from another protocol domain or you have an NSSA area. But a requirement to create a summarized route is:

“The ASBR compares the summary route’s range of addresses with all routes redistributed
into OSPF on that ASBR to find any subordinate subnets (subnets that sit inside the
summary route range). If at least one subordinate subnet exists, the ASBR
advertises the summary route.”

Reference: CCNP Route 642-902 Official Certification Guide

But in this case we found no prefix that belongs to 10.0.0.0/8. Therefore a summarized
route for this subnet could not be created.

Note:
+ If a prefix of this subnet exists in the routing table then after the summarization is
performed, we will see such an entry:

Router# show ip route
— output omitted —
O     10.0.0.0/8 is a summary via Null0

+ An example of using the command “summary-address” is shown below:

Recently the RIPv2 domain has been redistributed into our OSPF domain but the
administrator wants to configure a summarized route instead of 32 external type-5 LSAs
(for 172.16.32.0/24 to 172.16.63.0/24) flooding into the OSPF network. In this case the
administrator has to use the “summary-address” command as follows:

Router(config-router)#summary-address 172.16.32.0 255.255.224.0

Note: In this case R1 is the ASBR for OSPF domain.


Question 5

Refer to the exhibit. Which option describes why the EIGRP neighbors of this router are not
learning routes that are received from OSPF?

router eigrp 1
redistribute ospf 100
network 10.10.10.0 0.0.0.255
auto-summary
!
router ospf 100
network 172.16.0.0 0.0.255.255 area 100
redistribute eigrp 1

A. The subnet defined in OSPF is not part of area 0
B. Default metrics are not configured under EIGRP
C. There is no overlap in the subnets advertised
D. The routing protocols do not have the same AS number

Answer: B

Explanation

When redistributing into RIP, EIGRP (and IGRP), we need to specify the metrics, or the redistributed routes will never be learned. In this case we need to configure it like this:

router eigrp 1
 redistribute ospf 100 metric 10000 100 255 1 1500

BGP Questions

BGP Quick Summary:


Protocol type: Path Vector
Type: EGP (External Gateway Protocol)
Packet Types: Open, Update, KeepAlive, Notification
Administrative Distance: eBGP: 20; iBGP: 200
Transport: TCP port 179
Neighbor States: Idle -> Active -> Connect -> Open Sent -> Open Confirm -> Established
1 – Idle: the initial state of a BGP connection. In this state, the BGP speaker is waiting for a BGP start event,
generally either the establishment of a TCP connection or the re-establishment of a previous connection. Once
the connection is established, BGP moves to the next state.
2 – Connect: In this state, BGP is waiting for the TCP connection to be formed. If the TCP connection
completes, BGP will move to the OpenSent stage; if the connection cannot complete, BGP goes to Active
3 – Active: In the Active state, the BGP speaker is attempting to initiate a TCP session with the BGP speaker it
wants to peer with. If this can be done, the BGP state goes to OpenSent state.
4 – OpenSent: the BGP speaker is waiting to receive an OPEN message from the remote BGP speaker
5 – OpenConfirm: Once the BGP speaker receives the OPEN message and no error is detected, the BGP
speaker sends a KEEPALIVE message to the remote BGP speaker
6 – Established: All of the neighbor negotiations are complete. You will see a number, which tells us the
number of prefixes the router has received from a neighbor or peer group.
Path Selection Attributes: (highest) Weight > (highest) Local Preference > Originate > (shortest) AS Path >
Origin > (lowest) MED > External > IGP Cost > eBGP Peering > (highest) Router ID
(Originate: prefer routes that it installed into BGP by itself over a route that another router installed in BGP)
Authentication: MD5
BGP Origin codes: i – IGP (injected by “network” statement), e – EGP, ? – Incomplete
AS number range: Private AS range: 64512 – 65535, Globally (unique) AS: 1 – 64511

More information about popular Path Selection Attributes

Weight Attribute:
+ Cisco proprietary
+ First attribute used in path selection
+ Only used locally in a router (not exchanged between BGP neighbors)
+ Higher weight is preferred

Local Preference (LocalPrf) Attribute:
+ Sent to all iBGP neighbors (not exchanged between eBGP neighbors)
+ Used to choose the path to external BGP neighbors
+ Higher value is preferred
+ Default value is 100

MED Attribute:
+ Optional nontransitive attribute (nontransitive means that we can only advertise MED to routers that are one AS away)
+ Sent through ASes to external BGP neighbors
+ Lower value is preferred (it can be considered the external metric of a route)
+ Default value is 0

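As an added illustration (not part of the question bank), the Python below applies the selection order listed in the summary above to constructed paths and also models the inbound SET-WEIGHT route-map of BGP Question 3. The prefix 203.0.113.0/24, the second neighbor 10.222.2.1 and its configured weight of 300 are assumed values, and the tie-breakers after IGP cost are left out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}   # IGP preferred over EGP over incomplete


@dataclass
class Path:
    prefix: str
    neighbor: str            # "local" marks a route this router originated itself
    as_path: List[int]
    weight: int = 0
    local_pref: int = 100    # default LocalPrf
    origin: str = "i"
    med: int = 0             # default MED
    ebgp: bool = True        # learned from an eBGP peer (False = iBGP)
    igp_cost: int = 0        # IGP metric to the next hop


def prefer(a: Path, b: Path) -> Optional[Path]:
    """Compare two paths to the same prefix in the order Weight, LocalPrf,
    Originate, AS path, Origin, MED, External, IGP cost. Returns the preferred
    path, or None if still tied after these steps."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b               # highest weight
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b       # highest LocalPrf
    a_local, b_local = a.neighbor == "local", b.neighbor == "local"
    if a_local != b_local:
        return a if a_local else b                           # locally originated
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b  # shortest AS path
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only compared between paths received from the same neighboring AS
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return a if a.med < b.med else b                     # lowest MED
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b                            # eBGP over iBGP
    if a.igp_cost != b.igp_cost:
        return a if a.igp_cost < b.igp_cost else b           # lowest IGP cost
    return None


def best_path(paths: List[Path]) -> Path:
    best = paths[0]
    for p in paths[1:]:
        winner = prefer(best, p)
        if winner is not None:
            best = winner
    return best


# Inbound policy from BGP Question 3: route-map SET-WEIGHT applied "in" on
# neighbor 10.222.1.1, matching ip as-path access-list 200.
AS_PATH_ACL_200 = [r"^690$", r"^1800$"]


def apply_set_weight(path: Path) -> Path:
    """match as-path 200 -> set local-preference 250, set weight 200."""
    as_path_str = " ".join(str(asn) for asn in path.as_path)
    if any(re.search(pattern, as_path_str) for pattern in AS_PATH_ACL_200):
        path.local_pref = 250
        path.weight = 200
    return path


def question3_best() -> str:
    """Constructed scenario: the second neighbor (assumed name 10.222.2.1) has
    'neighbor ... weight 300' configured, so it wins although the path from
    10.222.1.1 carries local-preference 250 and a shorter AS path."""
    via_1 = apply_set_weight(Path("203.0.113.0/24", "10.222.1.1", [690]))
    via_2 = Path("203.0.113.0/24", "10.222.2.1", [1800, 690], weight=300)
    return best_path([via_1, via_2]).neighbor


def localpref_tiebreak() -> str:
    """With equal weights the higher LocalPrf decides."""
    via_1 = apply_set_weight(Path("203.0.113.0/24", "10.222.1.1", [690]))
    via_2 = Path("203.0.113.0/24", "10.222.2.1", [1800, 690], weight=200)
    return best_path([via_1, via_2]).neighbor
```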
Question 1

Refer to the exhibit. R2 is a route reflector, and R1 and R3 are route reflector clients. The
router R2 learns the route to 172.16.25.0/24 from R1, but it does not advertise to R3. What
is the reason the route is not advertised?

R2#show ip bgp
BGP table version is 4, local router ID is 209.65.200.225
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
* i  172.16.25.0/24   209.165.200.225          0    100      0 ?

R3#show ip bgp summary
BGP router identifier 192.168.3.3, local AS number 65000
BGP table version is 4, main routing table version 4

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.2.2     4        65000       8       7        4    0    0 01:00:18        0

A. Route reflector setup requires full BGP mesh between the routers
B. In route reflector setup only classification prefix are advertised from one client to another
C. In route reflector setup only classful prefix are advertised to other clients
D. R2 does not have a route to the next hop, so R2 does not advertise the prefix to the
clients

Answer: D

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/configuring-internal-bgp-features.html

Full-mesh model (figure)

RR model (figure)

The route reflector can have three types of peerings:


• EBGP neighbor
• IBGP client neighbor
• IBGP non-client neighbor

When you configure a route reflector you have to tell the router whether the other IBGP router is a client
or non-client. A client is an IBGP router that the route reflector will “reflect” routes to, the non-client is just
a regular IBGP neighbor.

Rules

When a route reflector forwards a route, there are a couple of rules:

1. A route learned from a non-RR client is advertised to RR clients but not to non-RR clients.
2. A route learned from a RR client is advertised to both RR clients and non-RR clients. Even the
RR client that advertised the route will receive a copy and discards it because it sees itself as the
originator.
3. A route learned from an EBGP neighbor is advertised to both RR clients and non-RR clients.
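The three rules above, plus the next-hop check that decides Question 1, as an added example that is not part of the original question bank. R1 and R3 are the clients from the question; R4 as a non-client peer, the RIB contents and the sample prefixes are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Peer:
    name: str
    kind: str   # "client", "non-client" or "ebgp": the three peering types above


@dataclass
class BgpRoute:
    prefix: str
    next_hop: str
    learned_from: str   # name of the peer that sent the route


def next_hop_reachable(rib: List[str], next_hop: str) -> bool:
    """True when some RIB prefix covers the next hop, i.e. the IGP (or static)
    route the explanation says is missing on R2."""
    addr = ipaddress.ip_address(next_hop)
    return any(addr in ipaddress.ip_network(p) for p in rib)


def reflect(peers: Dict[str, Peer], rib: List[str], route: BgpRoute) -> List[str]:
    """Return the peers the route reflector advertises `route` to. A route whose
    next hop does not resolve is not valid, never becomes best, and is therefore
    not advertised to anyone."""
    if not next_hop_reachable(rib, route.next_hop):
        return []
    source = peers[route.learned_from]
    targets = []
    for p in peers.values():
        if p.kind == "client":
            # Rules 1-3: clients always receive it, including the client that
            # sent it (rule 2), which discards its own copy.
            targets.append(p.name)
        elif p.kind == "non-client":
            # Rules 2 and 3 include non-clients; rule 1 (learned from a
            # non-client) does not.
            if source.kind in ("client", "ebgp"):
                targets.append(p.name)
        else:
            # Plain BGP behaviour rather than one of the three rules: every
            # eBGP peer except the one the route came from.
            if p.name != route.learned_from:
                targets.append(p.name)
    return sorted(targets)


# Constructed peer table for R2: R1 and R3 are clients as in the question,
# R4 is an assumed non-client iBGP peer.
R2_PEERS = {
    "R1": Peer("R1", "client"),
    "R3": Peer("R3", "client"),
    "R4": Peer("R4", "non-client"),
}
ROUTE_FROM_R1 = BgpRoute("172.16.25.0/24", "209.165.200.225", "R1")


def question1_without_igp() -> List[str]:
    # R2 knows only an assumed connected link; nothing covers the next hop.
    return reflect(R2_PEERS, ["192.168.2.0/24"], ROUTE_FROM_R1)


def question1_with_igp() -> List[str]:
    # Once a route to the next hop exists, the prefix is reflected to everyone.
    return reflect(R2_PEERS, ["192.168.2.0/24", "209.165.200.0/24"], ROUTE_FROM_R1)


def from_non_client() -> List[str]:
    # Rule 1: a route from the non-client R4 reaches the clients only.
    route = BgpRoute("10.99.0.0/24", "209.165.200.225", "R4")
    return reflect(R2_PEERS, ["209.165.200.0/24"], route)
```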

Explanation

With route reflector (RR), we only need to establish a BGP session from the RR to each
internal peer -> Answer A is not correct.

We can advertise both classful and classless prefix to other clients, provided that the prefix
satisfies the RR forwarding rules -> Answer B and answer C are not correct.

Therefore only answer D is left. Maybe we are missing an IGP in our topology so R2 did not
know how to reach the next hop reported by the prefix.

Question 2

Refer to the exhibit. Which control plane policy limits BGP traffic that is destined to the CPU to 1 Mbps and ignores BGP traffic that arrives at a higher rate?

Cat3850-Stack-2#show policy-map
  Policy Map LIMIT_BGP
    Class BGP
      drop

  Policy Map SHAPE_BGP
    Class BGP
      Average Rate Traffic Shaping
      cir 10000000 (bps)

  Policy Map POLICE_BGP
    Class BGP
      police cir 1000k bc 1500
        conform-action transmit
        exceed-action transmit

  Policy Map COPP
    Class BGP
      police cir 1000k bc 1500
        conform-action transmit
        exceed-action drop

A. policy-map SHAPE_BGP
B. policy-map LIMIT_BGP
C. policy-map POLICE_BGP
D. policy-map COPP

Answer: D

Explanation

The “conform-action” specifies the action to take on packets that conform to the rate limit
and the “exceed-action” specifies the action to be taken on packets when the packet rate is
greater than the rate specified in the maximum-burst-bytes argument.

Question 3

Refer to the exhibit. A router is receiving BGP routing updates from multiple neighbors for routers in AS 690. What is the reason that the router still sends traffic that is destined to AS 690 to a neighbor other than 10.222.1.1?

!
neighbor 10.222.1.1 route-map SET-WEIGHT in
neighbor 10.222.1.1 remote-as 1
!
ip as-path access-list 200 permit ^690$   -> filters the prefixes with AS path “690”
ip as-path access-list 200 permit ^1800$
!
route-map SET-WEIGHT permit 10
match as-path 200
set local-preference 250
set weight 200

A. The local preference value in another neighbor statement is higher than 250
B. The local preference value should be set to the same value as the weight in the route
map
C. The route map is applied in the wrong direction
D. The weight value in another statement is higher than 200

Answer: D

Explanation

From the configuration above, we learn that the local-preference and weight in BGP updates
received from neighbor 10.222.1.1 are updated to 250 and 200, respectively (provided that
it matches the AS-PATH in ACL 200).

To answer this question, we have to clearly understand the difference between local-
preference and weight attribute. The local-preference attribute is used to influence the
routing decision on the neighbor IBGP router while the weight attribute is used to influence
the routing decision on the local router (as it is only used locally in a router). Therefore in
this case we have to use the weight attribute -> Answer D is correct.

Question 4

Refer to the exhibit. What is the result of applying this configuration?


R1#show policy-map control-plane
Control Plane

  Service-policy input: CoPP-BGP

    Class-map: BGP (match-all)
      2716 packets, 193843 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: access-group name BGP
      drop

    Class-map: class-default (match-any)
      5212 packets, 64484847 bytes
      5 minute offered rate 0000 bps, drop rate 0000 bps
      Match: any

A. The router can form BGP neighborships with any other device.
B. The router can form BGP neighborships with any device that matched by the access list
named “BGP”
C. The router cannot form BGP neighborships with any other device
D. The router cannot form BGP neighborships with any device that is matched by the access
list named “BGP”

Answer: D

Explanation

The “show policy-map control-plane” command displays the service-policy associated with the control plane. It also shows the packets that matched each class-map. In the output above, we see the line “Match: access-group name BGP” followed by “drop” in the first class-map (BGP), which means “all traffic matched by ACL BGP is dropped”.

Note: “match-all” means “all conditions have to match for the match to occur”. For
example:
class-map match-all BGP
match access-group 10
match access-group 20

-> Must match both ACL 10 and ACL 20.

Question 5

Refer to the exhibit, in which circumstance does the BGP neighbor remain in the idle
condition?

R200#show ip bgp summary
BGP router identifier 10.1.1.1, local AS number 65000
BGP table version is 26, main routing table version 26
1 network entries using 132 bytes of memory
1 path entries using 52 bytes of memory
2/1 BGP path/bestpath attribute entries using 296 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 28 bytes of memory
BGP using 508 total bytes of memory
BGP activity 24/23 prefixes, 24/23 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.2       4        65100   20335   20329        0    0    0 00:02:04 Idle(PfxCt)
R200#

A. if prefixes are not received from the BGP peer
B. if prefixes reach the maximum limit
C. if a prefix list is applied on the inbound direction
D. if prefixes exceed the maximum limit

Answer: D

Explanation

Idle (PfxCt) means the session is in the Idle state because the neighbor has sent more
prefixes than the configured maximum-prefixes limit.

router bgp 100
 neighbor 10.0.0.1 remote-as 200
 neighbor 10.0.0.1 maximum-prefix 10 80

In the last command, “10” is the maximum number of prefixes allowed from the neighbor
and the router starts to generate a warning message at 80%.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/25160-bgp-maximum-prefix.html

Therefore if the BGP neighbor sent 11 prefixes, the local router will be in Idle (PfxCt) state.

Route-map Questions
Question 1

R2 has a locally originated prefix 192.168.130.0/24 and has these configurations:

ip prefix-list test seq 5 permit 192.168.130.0/24
route-map OUT permit 10
 match ip address prefix-list test
 set as-path prepend 65000

What is the result when the route-map OUT command is applied toward an eBGP neighbor
R1 (1.1.1.1) by using the “neighbor 1.1.1.1 route-map OUT out” command?

A. R1 sees 192.168.130.0/24 as two hops away instead of one AS hop away
B. R1 does not forward traffic that is destined for 192.168.130.0/24
C. Network 192.168.130.0/24 is not allowed in the R1 table
D. R1 does not accept any route other than 192.168.130.0/24

Answer: A

Explanation

AS-Path prepending is a way to manipulate the AS-Path attribute of a BGP route. It allows
prepending multiple entries of AS to a BGP route.

Question 2

Refer to the exhibit. An engineer is trying to block the route to 192.168.2.2 from the routing
table by using the configuration that is shown. The route is still present in the routing table
as an OSPF route. Which action blocks the route?

Router#show access-lists
Standard IP access list 1
    10 permit 192.168.2.2 (1 match)
Router#
Router#show route-map
route-map RM-OSPF-DL, permit, sequence 10
  Match clauses:
    ip address (access-lists): 1
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
Router#
Router#show running-config | section ospf
router ospf 1
 network 192.168.1.1 0.0.0.0 area 0
 network 192.168.12.0 0.0.0.255 area 0
 distribute-list route-map RM-OSPF-DL in
Router#

A. Add this statement to the route map “route-map RM-OSPF-DL deny 20”
B. Use a prefix list instead of an access list in the route map
C. Change sequence 10 in the route-map command from permit to deny
D. Use an extended access list instead of a standard access list

Answer: C

Question 3

Refer to the exhibit. Which configuration configures a policy on R1 to forward any traffic that is sourced from the 192.168.130.0/24 network to the 172.20.20.0/30 network?

A.
access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/2
 ip policy route-map test
!
route-map test permit 10
 match ip address 1
 set ip next-hop 172.20.20.2

B.
access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/2
 ip policy route-map test
!
route-map test permit 10
 match ip address 1
 set ip next-hop 172.20.20.1

C.
access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/1
 ip policy route-map test
!
route-map test permit 10
 match ip address 1
 set ip next-hop 172.20.40.2

D.
access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/1
 ip policy route-map test
!
route-map test permit 10
 match ip address 1
 set ip next-hop 172.20.40.1

E.
access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/1
 ip policy route-map test
!
route-map test permit 10
 match ip address 1
 set ip next-hop 172.20.20.1

Answer: E

Explanation

The traffic reaches the Gi0/1 interface, so we must apply the policy (“ip policy route-map test”) on this interface. The question requires reaching the destination 172.20.20.0/30, so the next-hop IP address should be 172.20.20.1.

Redistribution Questions

Question 1

Refer to the exhibit. Which statement about R1 is true?


R1 (config)#route-map ADD permit 20
R1 (config-route-map)#set tag 1
R1 (config)#router ospf 1 (Destination Protocol)
R1 (config-router)#redistribute rip subnets route-map ADD (Source Protocol)

A. OSPF redistributes RIP routes only if they have a tag of one
B. RIP learned routes are distributed to OSPF with a tag value of one
C. R1 adds one to the metric for RIP learned routes before redistributing to OSPF
D. RIP routes are redistributed to OSPF without any changes

Answer: B

Question 2

Refer to the exhibit. Which routes from OSPF process 5 are redistributed into EIGRP?

router eigrp 1
 redistribute ospf 5 match external route-map OSPF-TO-EIGRP metric 10000 2000 255 1 1500
route-map OSPF-TO-EIGRP
 match ip address TO-OSPF

A. E1 and E2 subnets matching access list TO-OSPF
B. E1 and E2 subnets matching prefix list TO-OSPF
C. only E2 subnets matching access list TO-OSPF
D. only E1 subnets matching prefix list TO-OSPF

Answer: A
Explanation

Use the external keyword along with the redistribute command to redistribute OSPF
external routes.

To use a prefix-list in a “match” statement, we have to use the command “match ip address prefix-list …”. The syntax of a “match” statement is as follows:

match ip address {access-list-number [access-list-number… | access-list-name…] | access-list-name [access-list-number… | access-list-name] | prefix-list prefix-list-name [prefix-list-name…]}

Reference: https://www.cisco.com/c/en/us/td/docs/ios/iproute_pi/command/reference/iri_book/iri_pi1.html

Question 3

Refer to Exhibit. Which statement about redistribution from BGP into OSPF process 10 is
true?

router ospf 10
router-id 192.168.1.1
log-adjacency-changes
redistribute bgp 1 subnets route-map BGP-TO-OSPF
!
route-map BGP-TO-OSPF deny 10
match ip address 50
route-map BGP-TO-OSPF permit 20
!
access-list 50 permit 172.16.1.0 0.0.0.255

A. Network 172.16.1.0/24 is not redistributed into OSPF
B. Network 10.10.10.0/24 is not redistributed into OSPF
C. Network 172.16.1.0/24 is redistributed with administrative distance of 1
D. Network 10.10.10.0/24 is redistributed with administrative distance of 20

Answer: A

Explanation

The first statement of the above route-map (route-map BGP-TO-OSPF deny 10) will prevent
network 172.16.1.0/24 from being redistributed into OSPF.

Question 4

Which two statements about redistributing EIGRP into OSPF are true? (Choose two)
A. The redistributed EIGRP routes appear as type 3 LSAs in the OSPF database
B. The redistributed EIGRP routes appear as type 5 LSAs in the OSPF database
C. The administrative distance of the redistributed routes is 170
D. The redistributed EIGRP routes appear as OSPF external type 1
E. The redistributed EIGRP routes are placed into an OSPF area whose area ID matches the EIGRP autonomous system number
F. The redistributed EIGRP routes appear as OSPF external type 2 routes in the routing table

Answer: B F

Question 5

Refer to the exhibit. After redistribution is enabled between the routing protocols, PC2, PC3,
and PC4 cannot reach PC1. Which action can the engineer take to solve the issue so that all
the PCs are reachable?
A. Filter the prefix 10.1.1.0/24 when redistributed from OSPF to EIGRP
B. Set the administrative distance 100 under the process on R2
C. Filter the prefix 10.1.1.0/24 when redistributed from RIP to EIGRP
D. Redistribute the directly connected interfaces on R2

Answer: A

Explanation

It seems there is a loop because of mutual redistributions among RIP, OSPF and EIGRP
domains. So we should filter out the prefix 10.1.1.0/24 when redistributed from OSPF to
EIGRP (the second redistribution point) to prevent routing loop.

Question 6

Refer to the exhibit. Which subnet is redistributed from EIGRP to OSPF routing protocols?

R3
router ospf 100   (destination protocol)
 redistribute eigrp 100 subnets route-map OSPF-TAG-1
!
ip prefix-list OSPF-TAG-PRF seq 5 deny 10.1.0.0/16 le 24
!
ip prefix-list OSPF-TAG-PRF-1 seq 5 permit 10.2.0.0/18 le 24
!
route-map OSPF-TAG-1 deny 5
 match ip address prefix-list OSPF-TAG-PRF
 set tag 40
!
route-map OSPF-TAG-1 permit 10
 match ip address prefix-list OSPF-TAG-PRF-1
 set tag 80
!

A. 10.2.2.0/24
B. 10.1.4.0/24
C. 10.1.2.0/24
D. 10.2.3.0/26

Answer: A

Explanation
Only a subnet that matches prefix-list OSPF-TAG-PRF-1 is redistributed into OSPF (as indicated by “route-map OSPF-TAG-1 permit 10”). To match OSPF-TAG-PRF-1 (permit 10.2.0.0/18 le 24), a subnet must lie inside 10.2.0.0/18 and have a prefix length between /18 and /24. Only the subnet 10.2.2.0/24 meets this requirement.

Note: The prefix-list “OSPF-TAG-PRF” denies the route (deny 10.1.0.0/16 le 24) and is used in a route-map deny clause (route-map OSPF-TAG-1 deny 5), so according to Cisco:

“If you use an ACL in a route-map permit or deny clause, and the ACL denies a route, then the route-map clause match is not found and the next route-map clause is evaluated.”

Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/49111-route-map-bestp.html

Therefore in this case the first route-map clause is never matched, so we do not need to care about it.
Question 7

Refer to the exhibit. An engineer is trying to redistribute OSPF to BGP, but not all of the
routes are redistributed. What is the reason for this issue?

Router#show ip route ospf
--output omitted--
Gateway of last resort is not set
      10.0.0.0/24 is subnetted, 1 subnets
O E2     10.0.0.0 [110/20] via 192.168.12.2, 00:00:33, Ethernet0/0
O     192.168.3.0/24 [110/20] via 192.168.12.2, 00:00:43, Ethernet0/0
Router#
Router#show ip bgp
--output omitted--
     Network          Next Hop            Metric LocPrf Weight Path
*>   192.168.1.1/32   0.0.0.0                  0         32768 ?
*>   192.168.3.0      192.168.12.2            20         32768 ?
*>   192.168.12.0     0.0.0.0                  0         32768 ?
Router#show running-config | section router bgp
router bgp 65000
 bgp log-neighbor-changes
 redistribute ospf 1
Router#

A. By default, only internal OSPF routes are redistributed into BGP
B. By default, only internal routes and external type 1 routes are redistributed into BGP
C. BGP convergence is slow, so the route will eventually be present in the BGP table
D. Only classful networks are redistributed from OSPF to BGP

Answer: A

Explanation
If you configure the redistribution of OSPF into BGP without keywords, only OSPF intra-area
and inter-area routes are redistributed into BGP, by default.
You can redistribute both internal and external (type-1 & type-2) OSPF routes via this
command: “Router(config-router)#redistribute ospf 1 match internal external 1 external 2”

Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5242-bgp-ospf-redis.html

Question 8

Refer to the exhibit The output of the trace from R5 shows a loop in the network.

R1
router eigrp 1
 redistribute connected
 network 10.1.12.1 0.0.0.0
————————————–
R3
router ospf 1
 redistribute eigrp 1
 network 10.1.35.3 0.0.0.0 area 0
————————————–
R4
router eigrp 1
 redistribute ospf 1 metric 2000000 1 255 1 1500
!
router ospf 1
 network 10.1.45.4 0.0.0.0 area 0

R5#traceroute 10.1.1.1
Type escape sequence to abort.
Tracing the route to 10.1.1.1
  1 10.1.35.3 80 msec 44 msec 20 msec      (R3)
  2 10.1.23.2 44 msec 104 msec 64 msec     (R2)
  3 10.1.24.4 44 msec 64 msec 40 msec      (R4)
  4 10.1.45.5 24 msec 40 msec 20 msec      (R5)
  5 10.1.35.3 92 msec 144 msec 147 msec    (R3)
  6 10.1.23.2 103 msec 77 msec 88 msec     (R2)
—output omitted—

Which configuration prevents this loop?

Option A
R3
router ospf 1
 redistribute eigrp 1 subnets route-map SET-TAG
!
route-map SET-TAG permit 10
 set tag 1

R4
router eigrp 1
 redistribute ospf 1 metric 2000000 1 255 1 1500 route-map FILTER-TAG
!
route-map FILTER-TAG deny 10
 match tag 1
!
route-map FILTER-TAG permit 20

Option B
R3
router eigrp 1
 redistribute ospf 1 subnets route-map SET-TAG
!
route-map SET-TAG permit 10
 set tag 1

R4
router eigrp 1
 redistribute ospf 1 metric 2000000 1 255 1 1500 route-map FILTER-TAG
 network 10.1.24.4 0.0.0.0
!
route-map FILTER-TAG deny 10
 match tag 1
!
route-map FILTER-TAG permit 20

Option C
R3
router ospf 1
 redistribute eigrp 1 subnets route-map SET-TAG
!
route-map SET-TAG permit 10
 set tag 1

R4
router eigrp 1
 redistribute ospf 1 metric 2000000 1 255 1 1500 route-map FILTER-TAG
!
route-map FILTER-TAG permit 10
 match tag 1

Option D
R3
router ospf 1
 redistribute eigrp 1 subnets route-map SET-TAG
!
route-map SET-TAG deny 10
 set tag 1

R4
router eigrp 1
 redistribute ospf 1 metric 2000000 1 255 1 1500 route-map FILTER-TAG
!
route-map FILTER-TAG deny 10
 match tag 1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

In this topology, mutual redistribution is performed at multiple points (between OSPF and
EIGRP on R3 and R4). This is a very common cause of network problems, especially routing
loops, so a route-map should be used to prevent redistributed routes from being redistributed
again into their original domain.

In this question, a route-map is used for exactly that purpose. The route-map “SET-TAG”
marks every route redistributed from EIGRP into OSPF with tag 1, so that these routes can
be recognised and kept out of the EIGRP domain later:

R3
route-map SET-TAG permit 10
set tag 1

The route-map FILTER-TAG then stops those routes from being redistributed back into
EIGRP by denying any route that carries tag 1 (the final “permit 20” clause lets the
untagged, native OSPF routes through):

R4
route-map FILTER-TAG deny 10
match tag 1
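The tagging and filtering described above, as an added Python simulation (not part of the original page or of IOS): the route-map engine, the Route/Clause classes and the two routing tables are constructed, using the prefixes from the exhibit. It also shows why Option C's single "permit 10 / match tag 1" clause is wrong.

```python
"""Simulate route-map tagging on mutual redistribution (constructed example)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    origin: str   # protocol the prefix was originally learned from
    tag: int = 0  # 0 = untagged (IOS default)


@dataclass(frozen=True)
class Clause:
    """One route-map sequence: permit/deny, optional 'match tag', optional 'set tag'."""
    action: str
    match_tag: Optional[int] = None  # None matches every route
    set_tag: Optional[int] = None


def apply_route_map(clauses, route):
    """First matching clause wins; a route matching no clause hits the implicit deny."""
    for c in clauses:
        if c.match_tag is not None and route.tag != c.match_tag:
            continue
        if c.action == "deny":
            return None
        if c.set_tag is not None:
            route = replace(route, tag=c.set_tag)
        return route
    return None  # implicit deny at the end of every route-map


def redistribute(source_table, route_map=None):
    """Routes leaving one domain for the other; route_map=None means no filtering."""
    out = []
    for r in source_table:
        kept = r if route_map is None else apply_route_map(route_map, r)
        if kept is not None:
            out.append(kept)
    return out


# Constructed tables: R1's EIGRP prefixes and the prefixes native to OSPF.
EIGRP_R1 = [Route("10.1.1.1/32", "eigrp"), Route("10.1.12.0/24", "eigrp")]
OSPF_NATIVE = [Route("10.1.35.0/24", "ospf"), Route("10.1.45.0/24", "ospf")]

# Option A: tag at R3, deny the tag at R4, permit everything else.
OPTION_A_SET_TAG = [Clause("permit", set_tag=1)]
OPTION_A_FILTER_TAG = [Clause("deny", match_tag=1), Clause("permit")]
# Option C: a lone permit that matches tag 1 only; untagged routes hit the implicit deny.
OPTION_C_FILTER_TAG = [Clause("permit", match_tag=1)]


def prefixes_back_into_eigrp(set_tag_map=None, filter_tag_map=None):
    """R3 redistributes EIGRP into OSPF, then R4 redistributes OSPF into EIGRP.
    Returns the set of prefixes R4 injects into EIGRP."""
    into_ospf = redistribute(EIGRP_R1, set_tag_map)
    ospf_table = OSPF_NATIVE + into_ospf
    return {r.prefix for r in redistribute(ospf_table, filter_tag_map)}


def looped_prefixes(set_tag_map=None, filter_tag_map=None):
    """Prefixes born in EIGRP that re-enter EIGRP at R4: the routing loop."""
    eigrp_origin = {r.prefix for r in EIGRP_R1}
    return prefixes_back_into_eigrp(set_tag_map, filter_tag_map) & eigrp_origin


if __name__ == "__main__":
    print("no route-maps, looped:", sorted(looped_prefixes()))
    print("option A, looped:", sorted(looped_prefixes(OPTION_A_SET_TAG, OPTION_A_FILTER_TAG)))
    print("option C, R4 injects only:",
          sorted(prefixes_back_into_eigrp(OPTION_A_SET_TAG, OPTION_C_FILTER_TAG)))
```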

MPLS Questions

Question 1

Which transport layer protocol is used to form LDP sessions?


A. UDP
B. SCTP
C. TCP
D. RDP

Answer: C

Explanation

LDP uses TCP as a reliable transport for sessions. When multiple LDP sessions are required
between two LSRs, there is one TCP session for each LDP session.

Reference: https://tools.ietf.org/html/rfc5036

Question 2
Which statement about MPLS LDP router ID is true?

A. The force keyword changes the router ID to the specific address causing any impact
B. The loopback with the highest IP address is selected as the router ID
C. If not configured, the operational physical interface is chosen as the router ID even if a
loopback is configured
D. If MPLS LDP router ID must match the IGP router ID

Answer: B

Question 3

Which command allows traffic to load-balance in an MPLS Layer 3 VPN configuration?

A. Multi-paths eibgp 2
B. Maximum-paths ibgp 2
C. Multi-paths 2
D. Maximum-paths 2

Answer: D

Explanation
The command “maximum-paths [ibgp] number-of-paths” configures the maximum number
of multipaths allowed. Use the ibgp keyword to configure iBGP load balancing. This question
does not say which BGP load balancing it wants (iBGP or eBGP), so in fact answer B is also
correct.

Question 4
Refer to the exhibit. What does the imp-null tag represent in the MPLS VPN cloud?

Router#show tag-switching tdp bindings
(...)
tib entry: 10.10.10.1/32, rev 31
local binding: tag: 18
remote binding: tsr: 10.10.10.1:0, tag:imp-null
remote binding: tsr: 10.10.10.2:0, tag:18
remote binding: tsr: 10.10.10.6:0, tag:21
tib entry: 10.10.10.2/32, rev 22
local binding: tag: 17
remote binding: tsr: 10.10.10.2:0, tag:imp-null
remote binding: tsr: 10.10.10.1:0, tag:19
remote binding: tsr: 10.10.10.6:0, tag:22

A. Include the EXP bit
B. Exclude the EXP bit
C. Impose the label
D. Pop the label

Answer: D
Explanation

The “imp-null” (implicit null) tag instructs the upstream router to pop the tag entry off the
tag stack before forwarding the packet.

Note: pop means “remove the top MPLS label”

Question 5

Which list defines the contents of an MPLS label?

A. 20-bit label; 3-bit traffic class; 1-bit bottom stack; 8-bit TTL
B. 32-bit label; 3-bit flow label; 1-bit bottom stack; 8-bit hop limit
C. 20-bit label; 3-bit flow label; 1-bit bottom stack; 8-bit hop limit
D. 32-bit label; 3-bit traffic class; 1-bit bottom stack; 8-bit TTL

Answer: A

Explanation

MPLS uses a 32-bit label field that contains the information that follows:

+ 20-bit label (a number)


+ 3-bit class of service (or experimental field, typically used to carry IP precedence value)
+ 1-bit bottom-of-stack indicator (indicates whether this is the last label before the IP
header)
+ 8-bit TTL (equal to the TTL in the IP header)
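The 32-bit layout listed above, as an added Python parser and builder (not code from the original page). The two-entry stack and the IPv4 payload stub are constructed; the label values 18 and 21 are borrowed from the Question 4 exhibit, and label 3 is rejected on the wire because it is the implicit-null value that "imp-null" bindings refer to.

```python
"""Parse and build MPLS label stack entries (20-bit label, 3-bit TC, 1-bit S, 8-bit TTL)."""
import struct

# Reserved label values. Label 3 is implicit null: advertised by LDP as "imp-null"
# so the upstream LSR pops the top entry instead of swapping; it never appears on the wire.
RESERVED_LABELS = {0: "IPv4 explicit null", 1: "router alert",
                   2: "IPv6 explicit null", 3: "implicit null"}


def build_entry(label, tc, bos, ttl):
    """Pack one entry: label in bits 31..12, TC in 11..9, S (bottom of stack) in 8, TTL in 7..0."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8 or bos not in (0, 1) or not 0 <= ttl < 256:
        raise ValueError("TC, S or TTL out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def parse_label_stack(data, offset=0):
    """Walk entries until the bottom-of-stack bit is set.
    Returns (entries, offset of the first byte after the stack, i.e. the IP header)."""
    entries = []
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no entry has the S bit set")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        if entry["label"] == 3:
            raise ValueError("implicit null (3) must never be present in a packet")
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, offset


def payload_ip_version(data, offset):
    """IP version nibble of the packet that follows the bottom label."""
    return data[offset] >> 4


# Constructed L3VPN-style stack: transport label 18 on top, VPN label 21 at the bottom,
# followed by a minimal (constructed) IPv4 header stub.
IPV4_STUB = b"\x45" + b"\x00" * 19
SAMPLE_PACKET = build_entry(18, 0, 0, 255) + build_entry(21, 0, 1, 254) + IPV4_STUB


def describe(packet):
    """Human-readable summary of a labelled packet (used by the stand-alone run)."""
    entries, off = parse_label_stack(packet)
    lines = [f"label={e['label']} tc={e['tc']} bos={e['bos']} ttl={e['ttl']}" for e in entries]
    lines.append(f"payload starts at byte {off}, IP version {payload_ip_version(packet, off)}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_PACKET)))
```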

Question 6

Which statement about route distinguishers in an MPLS network is true?


A. Route distinguishers make a unique VPNv4 address across the MPLS network
B. Route distinguishers allow multiple instances of a routing table to coexist within the edge
router
C. Route distinguishers are used for label bindings
D. Route distinguishers define which prefixes are imported and exported on the edge router

Answer: A

Explanation

At first we thought answer B was the best answer, but in fact it is not. Please read the
paragraph below (quoted from the “Designing for Cisco Network Service Architectures (ARCH)
Foundation Learning Guide CCDP ARCH 300-320” book) to understand more about the RD role in
an MPLS network:

“Route Distinguishers
In MPLS VPN, the PE router provides isolation between customers by using VRFs. The
prefixes are propagated to the other PE routers with MP-BGP. The problem is that the
prefixes need to be unique across the MPLS VPN provider network. For instance, if
different customers have overlapping IP addressing (and this is very common and typical for
a shared infrastructure providing transit service for many different customers), this situation
would cause a serious problem for BGP. As mentioned earlier, to solve this problem, the
concept of route distinguisher (RD) was conceived.
The basic idea behind the RD is that every customer receives a unique identifier to
distinguish between the same prefix from different customers. To create a unique prefix,
you combine the RD with the IPv4 prefix. The combination is called a VPNv4 prefix. MP-BGP
needs to carry these VPNv4 prefixes between the PE routers.

An RD is a 64-bit unique identifier prepended to the 32-bit customer prefix learned from the
CE router. The combination of the RD and the prefix will generate a unique 96-bit-long IP
prefix that can be carried across the MPLS-BGP domain as a unique prefix (to overcome
customers’ overlapping IP addresses). There are two formats for the RD. The first one is
ASN:nn, where ASN represents the autonomous system number and nn represents a
number. The second format is IP-address:nn. The first format is the most commonly used.”

VRF-Lite Questions
Question 1

What is the output of the following command:


show ip vrf

A. Shows default RD values
B. Displays IP routing table information associated with a VRF
C. Shows routing protocol information associated with a VRF
D. Displays the ARP table (static and dynamic entries) in the specified VRF
Answer: A

Explanation

An example of the “show ip vrf” is shown below:

Question 2
Which protocol does VRF-Lite support?
A. IS-IS
B. ODR
C. EIGRP
D. IGRP

Answer: C

Question 3

Which two statements about VRF-Lite configurations are true? (Choose two)
A. They support the exchange of MPLS labels
B. Different customers can have overlapping IP addresses on different VPNs
C. They support a maximum of 512.000 routes
D. Each customer has its own dedicated TCAM resources
E. Each customer has its own private routing table
F. They support IS-IS

Answer: B E

Question 4
What is the role of a route distinguisher via a VRF-Lite setup implementation?
A. It extends the IP address to identify which VRF instance it belongs to
B. It manages the import and export of routes between two or more VRF instances
C. It enables multicast distribution for VRF-Lite setups to enhance EGP routing protocol
capabilities
D. It enables multicast distribution for VRF-Lite setups to enhance IGP routing protocol
capabilities

Answer: A
Explanation

In VRF-Lite, Route distinguisher (RD) identifies the customer routing table and “allows
customers to be assigned overlapping addresses”. The below example shows overlapping IP
addresses configured on two interfaces which belong to two different VPNs:

Router(config)#ip vrf VRF_BLUE
Router(config-vrf)# rd 100:1
Router(config-vrf)# exit
Router(config)#ip vrf VRF_GREEN
Router(config-vrf)# rd 100:2
Router(config-vrf)# exit
Router(config)# interface GigabitEthernet0/1
Router(config-if)# ip vrf forwarding VRF_BLUE
Router(config-if)# ip address 10.0.0.1 255.0.0.0
Router(config-if)# exit
Router(config)# interface GigabitEthernet0/2
Router(config-if)# ip vrf forwarding VRF_GREEN
Router(config-if)# ip address 10.0.0.1 255.0.0.0

In this example, the RD will be added to the beginning of the IP address. For example with
VRF_BLUE (rd 100:1), an IP address will be seen like this: 100:1:10.0.0.1/8 so that it is
unique in the routing table.
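The RD-plus-prefix construction described here and in MPLS Question 6 (64-bit RD prepended to the 32-bit prefix, giving a 96-bit VPNv4 key, in either ASN:nn or IP-address:nn format), as an added Python example that is not code from the page. The RDs 100:1 and 100:2 and the 10.0.0.0/8 prefix come from the VRF_BLUE/VRF_GREEN example above; the function names and the 192.0.2.1:7 RD are constructed.

```python
"""Build VPNv4 keys from a route distinguisher and an IPv4 prefix."""
import ipaddress
import struct


def encode_rd(rd):
    """Encode an RD string as its 8-byte form.
    'ASN:nn'      -> type 0: 2-byte type, 2-byte ASN, 4-byte assigned number
    'A.B.C.D:nn'  -> type 1: 2-byte type, 4-byte IPv4 address, 2-byte assigned number
    Only the two formats named on the page are handled."""
    admin, sep, assigned = rd.rpartition(":")
    if not sep or not assigned.isdigit():
        raise ValueError("RD must be ASN:nn or A.B.C.D:nn")
    try:
        if "." in admin:
            return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(assigned))
        return struct.pack("!HHI", 0, int(admin), int(assigned))
    except (struct.error, ValueError) as exc:  # field out of range or bad address
        raise ValueError(f"bad RD {rd!r}: {exc}") from None


def vpnv4_key(rd, prefix):
    """96-bit VPNv4 prefix (RD + network address) plus its prefix length."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen


def vpnv4_display(rd, prefix):
    """The RD:prefix notation used in the text above, e.g. 100:1:10.0.0.0/8."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return f"{rd}:{net.network_address}/{net.prefixlen}"


def build_vpnv4_table(vrfs):
    """vrfs: {vrf_name: (rd, [prefix, ...])} -> {(96-bit key, length): (vrf, display)}.
    The same IPv4 prefix in two VRFs with different RDs yields two distinct entries;
    reusing an RD for the same prefix collides, which is what the RD exists to prevent."""
    table = {}
    for vrf, (rd, prefixes) in vrfs.items():
        for p in prefixes:
            key = vpnv4_key(rd, p)
            if key in table:
                raise ValueError(f"{vpnv4_display(rd, p)} already present for {table[key][0]}")
            table[key] = (vrf, vpnv4_display(rd, p))
    return table


# Constructed VRFs from the configuration above: overlapping 10.0.0.0/8 in both.
VRFS = {"VRF_BLUE": ("100:1", ["10.0.0.1/8"]),
        "VRF_GREEN": ("100:2", ["10.0.0.1/8"])}

if __name__ == "__main__":
    for (key, plen), (vrf, shown) in build_vpnv4_table(VRFS).items():
        print(f"{vrf:10} {shown:22} key={key.hex()}/{plen}")
```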

Question 5

Which command displays the IP routing table information that is associated with VRF-Lite?
A. show ip vrf
B. show ip route vrf
C. show run vrf
D. show ip protocols vrf

Answer: B

Question 6

Which configuration enables the VRF that is labeled “Inet” on FastEthernet0/0?


A. R1(config)# ip vrf Inet
R1(config-vrf)#ip vrf FastEthernet0/0

B. R1(config)#ip vrf Inet FastEthernet0/0

C. R1(config)# ip vrf Inet
R1(config-vrf)#interface FastEthernet0/0
R1(config-if)#ip vrf forwarding Inet

D. R1(config)#router ospf 1 vrf Inet
R1(config-router)#ip vrf forwarding FastEthernet0/0

Answer: C

Explanation
The first command “R1(config)# ip vrf Inet” creates vrf Inet while the two last commands
associate the VRF with interface Fa0/0.

DMVPN Questions
Question 1

Which protocol is used to determine the NBMA address on the other end of a tunnel when
mGRE is used?
A. NHRP
B. IPsec
C. MP-BGP
D. OSPF

Answer: A

Explanation

NHRP is used to map tunnel IP addresses to “physical” or “real” IP addresses (NBMA
addresses), used by endpoint routers. It resolves private addresses (those behind mGRE
and optionally IPsec) to a public address. In other words, NHRP is used by a branch router
connected to a non-broadcast, multi-access (NBMA) sub-network to determine the IP
address of the “NBMA next hop”.

Question 2

Refer to the exhibits. Phase-3 tunnels cannot be established between spokes in
DMVPN. Which two commands are missing? (Choose two)

On R2:
R2(config)#interface tunnel 1
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#tunnel source FastEthernet0/0
R2(config-if)#tunnel mode gre multipoint
R2(config-if)#ip nhrp network-id 222
R2(config-if)#ip nhrp nhs 10.1.1.1
R2(config-if)#ip nhrp map 10.1.1.1 192.1.1.1

On R3:
R3(config)#interface tunnel 1
R3(config-if)#ip address 10.1.1.3 255.255.255.0
R3(config-if)#tunnel source FastEthernet0/0
R3(config-if)#tunnel mode gre multipoint
R3(config-if)#ip nhrp network-id 333
R3(config-if)#ip nhrp nhs 10.1.1.1
R3(config-if)#ip nhrp map 10.1.1.1 192.1.1.1

On R4:
R4(config)#interface tunnel 1
R4(config-if)#ip address 10.1.1.4 255.255.255.0
R4(config-if)#tunnel source FastEthernet0/0
R4(config-if)#tunnel mode gre multipoint
R4(config-if)#ip nhrp network-id 444
R4(config-if)#ip nhrp nhs 10.1.1.1
R4(config-if)#ip nhrp map 10.1.1.1 192.1.1.1

A. The ip nhrp redirect command is missing on the spoke routers.
B. The ip nhrp shortcut command is missing on the spoke routers.
C. The ip redirect commands is missing on the hub router.
D. The ip shortcut commands is missing on the hub router.
E. The ip nhrp command is missing on the hub router.

Answer: B C

Explanation

DMVPN Phase 3 is the same as Phase 2 but removes some restrictions and complexities of
Phase 2, and allows a greater variety of DMVPN network designs. The two commands it uses are:
+ ip nhrp redirect on the hub: tells the initiating spoke to look for a better path to the
destination spoke than through the hub. Upon receiving the NHRP redirect message, the
spokes communicate with each other over the hub and exchange the NHRP replies for the
NHRP Resolution Requests that they sent out.
+ ip nhrp shortcut on the spokes: overwrites the CEF table on the spoke. It basically overrides
the next-hop value for a remote spoke network from the default initial hub tunnel IP
address to the NHRP-resolved remote spoke tunnel IP address.

Question 3

Refer to the following output:


Router#show ip nhrp detail
10.1.1.2/8 via 10.2.1.2, Tunnel1 created 00:00:12, expire 01:59:47
Type: dynamic, Flags: authoritative unique nat registered used
NBMA address: 10.12.1.2

What does the authoritative flag mean in regards to the NHRP information?

A. It was obtained directly from the next-hop server
B. Data packets are process switched for this mapping entry
C. NHRP mapping is for networks that are local to this router
D. The mapping entry was created in response to an NHRP registration request
E. The NHRP mapping entry cannot be overwritten

Answer: A

Explanation

From the output we learn that the logical address 10.2.1.2 is mapped to the NBMA address
10.12.1.2. Type “dynamic” means the NBMA address was obtained from an NHRP request packet,
while type “static” means the NBMA address is statically configured. The “authoritative” flag
means that the NHRP information was obtained from the Next Hop Server (NHS).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/ha
dnhrp.html

Question 4
Which Cisco VPN technology can use multipoint tunnel, resulting in a single GRE tunnel
interface on the hub, to support multiple connections from multiple spoke devices?
A. DMVPN
B. GETVPN
C. Cisco Easy VPN
D. FlexVPN

Answer: A

Explanation

An mGRE tunnel inherits the concept of a classic GRE tunnel, but an mGRE tunnel does not
require a unique tunnel interface for each connection between hub and spoke like traditional
GRE. One mGRE tunnel can handle multiple GRE tunnels at the other ends. Unlike classic GRE
tunnels, the tunnel destination for an mGRE tunnel does not have to be configured, and all
tunnels on spokes connecting to the mGRE interface of the hub can use the same subnet.

An mGRE tunnel is treated as a non-broadcast multi-access (NBMA) environment. Because an
mGRE tunnel does not have to be configured with a tunnel destination, another protocol is
needed to take care of the destination addresses; in this case NHRP is used for the NBMA
environment.

Question 5

Which protocol is used in a DMVPN network to map physical IP addresses to logical IP
addresses?
A. BGP
B. LLDP
C. EIGRP
D. NHRP

Answer: D

Explanation

Maybe this question wanted to ask “Which protocol is used in a DMVPN network to map
logical IP address to physical IP addresses?”

Next Hop Resolution Protocol (NHRP), defined in RFC 2332, is a Layer 2 address resolution
protocol and cache, like Address Resolution Protocol (ARP). NHRP is used by a branch router
connected to a non-broadcast, multi-access (NBMA) sub-network to determine the IP
address of the “NBMA next hop”; in this case, the headend router or the destination IP
address of another branch router.

NHRP is used to map tunnel IP addresses to “physical” or “real” IP addresses, used by
endpoint routers. It resolves private addresses (those behind mGRE and optionally IPsec)
to a public address. NHRP is a layer 2 resolution protocol and cache, much like Address
Resolution Protocol (ARP) or Reverse ARP (Frame Relay).

Question 6
Which two methods use IPsec to provide secure connectivity from the branch office to the
headquarters office? (Choose two)
A. DMVPN
B. MPLS VPN
C. Virtual Tunnel Interface (VTI)
D. SSL VPN
E. PPPoE

Answer: A C

Explanation

Reference: IP security (IPsec) virtual tunnel interfaces (VTIs) provide a routable interface
type for terminating IPsec tunnels and an easy way to define protection between sites to
form an overlay network. IPsec VTIs simplify configuration of IPsec for protection of remote
links, support multicast, and simplify network management and load balancing.

Question 7

Refer to the exhibit. Which interface configuration must be configured on the spoke A to
enable a dynamic DMVPN tunnel with the spoke B router?

A. interface Tunnel0
description mGRE – DMVPN Tunnel
ip address 10.0.0.11 255.255.255.0
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source 10.0.0.1
tunnel destination FastEthernet0/0
tunnel mode gre multipoint

B. interface Tunnel0
ip address 10.1.0.11 255.255.255.0
ip nhrp network-id 1
tunnel source 1.1.1.10
ip nhrp map 10.0.0.11 172.17.0.2
tunnel mode gre
C. interface Tunnel0
ip address 10.0.0.11 255.255.255.0
ip nhrp map multicast static
ip nhrp network-id 1
tunnel source 10.0.0.1
tunnel mode gre multipoint

D. interface Tunnel0
ip address 10.0.0.11 255.255.255.0
ip nhrp network-id 1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
ip nhrp nhs 10.0.0.1
ip nhrp map 10.0.0.1 172.17.0.1

Answer: D

Explanation

The command “ip nhrp map multicast dynamic” should only be used on the hub router, not
on a spoke. If we are running dynamic routing protocols based on multicast (like RIP, OSPF,
EIGRP …) we have to add the command “ip nhrp map multicast dynamic” on the hub to
replicate all multicast traffic to all dynamic entries in the NHRP table (multicast will be
processed as unicast traffic) -> Answer A is not correct. Another error in this answer is
the “tunnel source” IP address: it should be the NBMA address of the spoke interface,
172.17.0.2.

Answer B is not correct as the “tunnel source 1.1.1.10”, “ip nhrp map 10.0.0.11 172.17.0.2”
and “tunnel mode gre” are wrong.

Answer C is not correct as there is no “ip nhrp map multicast static” command; only the “ip
nhrp map multicast <static-IP>” command is available. The “tunnel source 10.0.0.1” is not
correct either.

Answer D is correct. The “tunnel source FastEthernet0/0” is equivalent to “tunnel source
172.17.0.2”, which is the NBMA address of Spoke A.

An example of configuring DMVPN Phase II – Dynamic Mapping is shown below:

Hub
interface tunnel 1
ip address 192.168.100.254 255.255.255.0
tunnel source 44.44.44.4
tunnel mode gre multipoint
ip nhrp network-id 10
!

Spoke 1
interface tunnel 1
ip address 192.168.100.1 255.255.255.0
tunnel source 11.11.11.1
tunnel mode gre multipoint
ip nhrp network-id 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254

Spoke 2
interface tunnel 1
ip address 192.168.100.2 255.255.255.0
tunnel source 12.12.12.2
tunnel mode gre multipoint
ip nhrp network-id 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254

If you want to learn more about DMVPN please read our DMVPN Tutorial.

Question 8

Which security feature can protect DMVPN tunnels?


A. IPsec
B. TACACS+
C. RTBH
D. RADIUS

Answer: A

Question 9

Refer to the exhibit. After applying IPsec, the engineer observed that the DMVPN tunnel
went down, and both spoke-to-spoke and hub were not establishing. Which two actions
resolved the issue? (Choose two)
R2:
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#hash md5
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#encryption 3des
R2(config)#crypto isakmp key cisco address 10.1.1.1
R2(config)#crypto ipsec transform-set TSET esp-des esp-md5-hmac
R2(cfg-crypto-trans)#mode transport
R2(config)#crypto ipsec profile TST
R2(ipsec-profile)#set transform-set TSET
R2(config)#interface tunnel 123
R2(config-if)#tunnel protection ipsec profile TST

R3:
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#hash md5
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#group 2
R3(config-isakmp)#encryption 3des
R3(config)#crypto isakmp key cisco address 10.1.1.1
R3(config)#crypto ipsec transform-set TSET esp-des esp-md5-hmac
R3(cfg-crypto-trans)#mode tunnel
R3(config)#crypto ipsec profile TST
R3(ipsec-profile)#set transform-set TSET
R3(config)#interface tunnel 123
R3(config-if)#tunnel protection ipsec profile TST

A. Configure the crypto isakmp key cisco address 0.0.0.0 on R2 and R3
B. Remove the crypto isakmp key cisco address 10.1.1.1 on R2 and R3
C. Change the mode from mode transport to mode tunnel on R2
D. Configure the mode from mode tunnel to mode transport on R3

Answer: A B
Explanation

The first six commands configure IPsec Phase 1 (the ISAKMP policy). Here are the
details of each command used above:
+ crypto isakmp policy 10 – creates ISAKMP policy number 10. You can create multiple
policies, for example 7, 8, 9, with different configurations. Routers participating in
Phase 1 negotiation try to match an ISAKMP policy against the list of policies one by one.
If any policy matches, the IPsec negotiation moves to Phase 2.
+ hash md5 – the MD5 algorithm will be used.
+ authentication pre-share – the authentication method is a pre-shared key.
+ group 2 – the Diffie-Hellman group to be used is group 2.
+ encryption 3des – the 3DES encryption algorithm will be used for Phase 1.
+ crypto isakmp key cisco address 10.1.1.1 – the Phase 1 password is cisco and the
remote peer IP address is 10.1.1.1.
The next two command lines configure IPsec Phase 2 (the transform set):
+ crypto ipsec transform-set <transform-set-name> – creates a transform set called
<transform-set-name>
+ esp-des – ESP with the 56-bit Data Encryption Standard (DES) encryption algorithm
will be used
+ esp-md5-hmac – ESP with the MD5 (HMAC variant) authentication algorithm will be
used.
+ mode transport: only encrypts the payload and ESP trailer
or
+ mode tunnel: encrypts the IP header of the ENTIRE packet
There is an issue with the above configuration on both R2 and R3: both use the DMVPN
tunnel address 10.1.1.1 (in the command “crypto isakmp key cisco address 10.1.1.1”). This
is the tunnel interface IP address, which is not correct. They must use the WAN address
192.1.1.1 instead.

We should configure the key with “address 0.0.0.0 0.0.0.0” (meaning the remote peer is any ->
any destination can try to negotiate with this router). While the hub’s public IP address is
known, we must keep in mind that R2 and R3 can build a dynamic VPN tunnel between them.
Taking into consideration that their public IP addresses are dynamic, it is imperative to use
0.0.0.0 0.0.0.0 for the remote peer.
Note: The “mode tunnel” or “mode transport” is not the problem in this question because it
said “both spoke-to-spoke and hub were not establishing”. This means neither spoke, whichever
of the two modes it used, established a DMVPN tunnel with the hub R1. Notice that R1 was
surely configured with one of these two modes.

AAA Questions
Question 1
Refer to the exhibit. An engineer is trying to configure local authentication on the console
line, but the device is trying to authenticate using TACACS+. Which action produces the
desired configuration?
R1#show running-config | include aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login Console local
R1#show running-config | section line
line con 0
logging synchronous
< login authentication Console>
R1#

A. Add the aaa authentication login default group tacacs+ local-case command to the global
configuration
B. Add the login authentication Console command to the line configuration
C. Replace the capital “C” with a lowercase “c” in the aaa authentication login Console local
command
D. Add the aaa authentication login default none command to the global configuration

Answer: B

Explanation

The keyword “local-case” uses case-sensitive local usernames for authentication, so it will
not solve this problem -> Answer A is not correct.

We tested answer B on R1 and answer C on R2 (with debugging for AAA authentication turned
on via the “debug aaa authentication” command):

On R1:
After adding the “login authentication Console” line under the line configuration, AAA
prefers the authentication method listed under the specific line configuration, which is
“local” in this case.

On R2:
With two “aaa authentication login” commands, AAA prefers the default login method.

We also tried to put the “aaa authentication login console local” command in front of “aaa
authentication login default group tacacs+ local” but the result is still the same.
About answer D: if we add “aaa authentication login default none” to the current
configuration then the “aaa authentication login default group tacacs+ local” will be
removed -> we can access this device without any authentication.

Question 2

Refer to the exhibit. Why is user authentication being rejected?


TAC+: TCP/IP open to 171.68.118.101/49 failed —
Destination unreachable; gateway or host down
AAA/AUTHEN (2546660185): status = ERROR
AAA/AUTHEN/START (2546660185): Method=LOCAL
AAA/AUTHEN (2546660185): status = FAIL
As1 CHAP: Unable to validate Response. Username chapuser: Authentication failure

A. The TACACS+ server expects “user” but the NT client sends “domain\user”
B. The TACACS+ server refuses the user because the user is set up for CHAP
C. The TACACS+ server is down and the user is in the local database
D. The TACACS+ server is down and the user is not in the local database

Answer: D

Explanation

In the output we notice the “Destination unreachable; gateway or host down” notification
while trying to communicate with the TACACS+ server. This means the TACACS+ server went
down, so the next authentication method is tried: the local database (“Method=LOCAL”). But
the authentication failed again because of a bad username, a bad password or both.

Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-
controller-access-control-system-tacacs-/13864-tacacs-pppdebug.html

NTP Questions
Question 1

Refer to the exhibit. An administrator noticed that after a change was made on R1, the
timestamps on the system logs did not match the clock. What is the reason for this error?
service timestamps debug datetime msec
service timestamps log datetime
clock timezone MST -7 0
clock summer-time MST recurring
ntp authentication-key 1 md5 00101AOB0152181206224747071E 7
ntp server 10.10.10.10
R1#show clock
*06:13:44.045 MST Sun Dec 30 2018
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#logging host 10.10.10.20
R1(config)#end
R1#
*Dec 30 13:15:26: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Dec 30 13:15:28: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.10.20 port 514 started – CLI initiated

A. The keyword localtime is not defined on the timestamp service command
B. The NTP server is in a different time zone
C. An authentication error with the NTP server results in an incorrect timestamp
D. The system clock is set incorrectly to summer-time hours

Answer: A

Explanation
If a router is configured to get the time from a Network Time Protocol (NTP) server, the
times in the router’s log entries may be different from the time on the system clock if the
[localtime] option is not in the service timestamps log command. To solve this issue,
add the [localtime] option to the service timestamps log command. The times should now
be synchronized between the system clock and the log message timestamps.
Reference: https://community.cisco.com/t5/networking-documents/router-log-timestamp-
entries-are-different-from-the-system-clock/ta-p/3132258

Question 2

Refer to the exhibit An engineer is troubleshooting BGP on a device but discovers that the
clock on the device does not correspond to the time stamp of the log entries.
Which action ensures consistency between the two times?
*Feb 28 12:41:57: %BGP-5-ADJCHANGE: neighbor 192.168.2.2 Down User reset
*Feb 28 12:41:57: %BGP_SESSION-5-ADJCHANGE : neighbor 192.168.2.2 IPv4 Unicast
topology base removed from session User reset
*Feb 28 12:41:57: %BGP-5-ADJCHANGE: neighbor 192.168.2.2 Up
R1#show clock
*13:42:00.506 CET Feb 28 2019

A. Configure the logging clock synchronize command in global configuration mode
B. Configure the service timestamps log uptime command in global configuration mode
C. Configure the service timestamps log datetime localtime command in global configuration
mode
D. Make sure that the clock on the device is synchronized with an NTP server

Answer: C

Explanation

Even if the clock is synchronized, the log messages may be stamped in a different time zone,
so we should set the “localtime” keyword (which uses the local time zone for timestamps) so
that the time of the logging messages matches our clock.

Question 3

A network engineer is investigating a flapping (up/down) interface issue on a core switch
that is synchronized to an NTP server. Log output does not show the time of the flap.
Which command allows the switch to show the time of the flap according to the clock on the
device?

A. clock calendar-valid
B. service timestamps log datetime localtime show-timezone
C. service timestamps log uptime
D. clock summer-time mst recurring 2 Sunday mar 2:00 1 Sunday nov 2:00

Answer: B

Explanation
By default, Catalyst switches add a simple uptime timestamp to logging messages. This is a
cumulative counter that shows the hours, minutes, and seconds since the switch has been
booted up. For example:
20w2d: %LINK-3-UPDOWN: Interface FastEthernet1/0/27, changed state to down
21w3d: %SYS-5-CONFIG_I: Configured from console by vty0 (172.25.15.246)

At exactly what date and time did that occur? Who knows!

Instead, you can configure the switch to add accurate clock-like timestamps that are easily
interpreted. You can use the following command to begin using the switch clock as an
accurate timestamp for syslog messages:

Switch(config)# service timestamps log datetime [localtime] [show-timezone] [msec] [year]

Below is the output if we enter the command “service timestamps log datetime localtime
show-timezone” (without the “msec” keyword the output does not show the time in milliseconds):

*Mar 1 00:02:24 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback4, changed state to
up

Note: The command “clock calendar-valid” enables the device to act as a valid time source
to which network peers can synchronize. By default, the time maintained on the software
clock is not considered to be reliable and will not be synchronized with NTP or VINES time
service. To set the hardware clock as a valid time source, use this command.

Access-list Questions
Question 1

Refer to the exhibit. During troubleshooting it was discovered that the device is not
reachable using a secure web browser. What is needed to fix the problem?
access-list 100 deny tcp any any eq 465
access-list 100 deny tcp any eq 465 any
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any eq 80 any
access-list 100 permit udp any any eq 443
access-list 100 permit udp any eq 443 any

A. permit tcp port 465
B. permit tcp port 443
C. permit udp port 465
D. permit tcp port 22

Answer: B
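The exhibit's ACL evaluated in Python, as an added example (not code from the page): it walks the entries top-down with the implicit deny at the end, and shows that an HTTPS flow (TCP/443) matches nothing because the 443 entries are for UDP, while the "permit tcp port 443" fix lets it through. The parser only understands the ACE shape used in the exhibit ("any" addresses with an optional "eq <port>"); the Flow/Ace names and the sample flows are constructed.

```python
"""Evaluate an IOS extended access-list (exhibit subset) against sample flows."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src_eq: Optional[int] = None  # None = any source port
    dst_eq: Optional[int] = None  # None = any destination port


def parse_ace(line):
    """'access-list 100 permit tcp any eq 80 any' -> Ace('permit', 'tcp', 80, None)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest = tok[2], tok[3], tok[4:]
    ports, i = [], 0
    for _ in range(2):  # source address block, then destination address block
        if i >= len(rest) or rest[i] != "any":
            raise ValueError(f"only 'any' addresses are supported: {line}")
        i += 1
        if i < len(rest) and rest[i] == "eq":
            ports.append(int(rest[i + 1]))
            i += 2
        else:
            ports.append(None)
    return Ace(action, proto, ports[0], ports[1])


def evaluate(acl, flow):
    """Top-down, first match wins; a flow that matches no ACE hits the implicit deny.
    Returns (action, matching Ace or None)."""
    for ace in acl:
        if ace.proto != flow.proto:
            continue
        if ace.src_eq is not None and ace.src_eq != flow.src_port:
            continue
        if ace.dst_eq is not None and ace.dst_eq != flow.dst_port:
            continue
        return ace.action, ace
    return "deny", None


EXHIBIT_LINES = """
access-list 100 deny tcp any any eq 465
access-list 100 deny tcp any eq 465 any
access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any eq 80 any
access-list 100 permit udp any any eq 443
access-list 100 permit udp any eq 443 any
""".strip().splitlines()
EXHIBIT_ACL = [parse_ace(l) for l in EXHIBIT_LINES]

# Answer B applied: the HTTPS entries must be TCP, in both directions.
FIXED_ACL = EXHIBIT_ACL + [parse_ace("access-list 100 permit tcp any any eq 443"),
                           parse_ace("access-list 100 permit tcp any eq 443 any")]

# Constructed flows: browser to device (request) and device back to browser (reply).
HTTPS_REQUEST = Flow("tcp", 51000, 443)
HTTPS_REPLY = Flow("tcp", 443, 51000)
HTTP_REQUEST = Flow("tcp", 51000, 80)

if __name__ == "__main__":
    for name, acl in (("exhibit", EXHIBIT_ACL), ("fixed", FIXED_ACL)):
        for flow in (HTTPS_REQUEST, HTTPS_REPLY, HTTP_REQUEST):
            action, ace = evaluate(acl, flow)
            print(f"{name:8} {flow}: {action} ({'implicit deny' if ace is None else ace})")
```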
Question 2

Refer to the exhibit. Which configuration denies Telnet traffic to router 2 from
198A:0:200C::1/64?

A. ipv6 access-list Deny_Telnet
sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64
!
int Gi0/0
ipv6 access-map Deny_Telnet in
!

B. ipv6 access-list Deny_Telnet
sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64
!
int Gi0/0
ipv6 traffic-filter Deny_Telnet in
!

C. ipv6 access-list Deny_Telnet
sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64 eq telnet
!
int Gi0/0
ipv6 access-map Deny_Telnet in
!

D. ipv6 access-list Deny_Telnet
sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64 eq telnet
!
int Gi0/0
ipv6 traffic-filter Deny_Telnet in

Answer: D

Explanation

When assigning an IPv4 access list to an interface you used the ip access-group
ACL_NAME in|out command in interface configuration mode. To assign an IPv6 ACL to an
interface you’ll use the ipv6 traffic-filter ACL_NAME in|out command in interface
configuration mode.

We should also specify which port (telnet in this case) we want to deny, or we will drop all
TCP traffic to the destination.

Note: In fact there is an error with all of the above commands as we cannot use subnet
mask (/64) with keyword “host”. We must remove the subnet mask before applying the ACL
statement.
Control Plane Questions
Question 1
While troubleshooting connectivity issues to a router, these details are noticed:
– standard pings to all router interfaces, including loopbacks, are successful.
– Data traffic is unaffected.
– SNMP connectivity is intermittent.
– SSH is either or disconnects frequently.

Which command must be configured first to troubleshoot this issue?

A. Show policy-map control-plane
B. Show policy-map
C. Show interface inc drop
D. Show ip route

Answer: A

Explanation

The “show policy-map control-plane” is used to display the service-policy associated to the
control-plane. It also shows the packets that matched the class-map. An example of the
output of this command is shown below:

Question 2

Refer to the exhibit. An engineer is trying to connect to a device with SSH but cannot
connect. The engineer connects by using the console and finds the displayed output when
troubleshooting. Which command must be used in configuration mode to enable SSH on the
device?
R1#show ip ssh
SSH Disabled — version 1.99
% Please create RSA keys to enable SSH (and of at least 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size: 1024 bits
IOS Keys in SECSH format (ssh-rsa, base64 encoded): NONE
R1#

A. crypto key generate rsa
B. ip ssh enable
C. no ip ssh disable
D. ip ssh version 2

Answer: A

Explanation

We see the notification “% Please create RSA keys to enable SSH” so we have to create RSA
keys with the command:

R1(config)#crypto key generate rsa

Question 3

Which option is the best for protecting CPU utilization on a device?

A. fragmentation
B. COPP
C. ICMP redirects
D. ICMP unreachable messages

Answer: B

Explanation

The traffic managed by a device can be divided into three functional components or planes:
+ Data plane
+ Management plane
+ Control plane

The vast majority of traffic flows through the device via the data plane; however, the route
processor handles certain traffic, such as routing protocol updates, remote-access services,
and network management traffic such as SNMP. This type of traffic is referred to as the
control and management plane. The route processor is critical to network operation.
Therefore any service disruption or security compromise to the route processor, and hence
the control and management planes, can result in network outages that impact regular
operations. For example, a DoS attack targeting the route processor typically involves high
bursty traffic resulting in excessive CPU utilization on the route processor. Such attacks can
be devastating to network stability and availability. The bulk of traffic managed by the route
processor is handled by way of the control and management planes.
The CoPP feature is used to protect the aforementioned control and management planes; to
ensure stability, reachability, and availability and to block unnecessary or DoS traffic. CoPP
uses a dedicated control plane configuration through the modular QoS CLI (MQC) to provide
filtering and rate limiting capabilities for the control plane packets.

Reference: https://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=10

Question 4

An engineer is trying to copy an IOS file from one router to another router by using TFTP.
Which two actions are needed to allow the file to copy? (Choose two)

A. Configure the TFTP authentication on the source router with the “tftp-server
authentication local” command.
B. Configure a user on the source router with the username tftp password tftp command.
C. Enable the TFTP server on the source router with the tftp-server flash:<filename>
command.
D. TFTP is not supported in recent IOS versions, so an alternative method must be used.
E. Copy the file to the destination router with the copy tftp: flash: command

Answer: C E

Explanation

Below are the steps to follow for copying the Cisco IOS software image from a router acting
as TFTP server to another router.

1. Check the image size on Router1 with the show flash command.
2. Check the image size on Router2 with the show flash command to verify if enough space
is available on Router2 for the system image file to be copied.
3. Configure Router1 as the TFTP server: Router1(config)#tftp-server flash:/c2500-js-l.122-10b
4. When the TFTP server is configured, download the specified image from Router1 to
Router2 using the copy tftp flash command.

Reference: https://www.cisco.com/c/en/us/support/docs/routers/2500-series-
routers/15092-copyimage.html

IPv6 Questions
Question 1

What is a function of IPv6 ND inspection?

A. It learns and secures bindings for stateless autoconfiguration addresses in Layer 3
neighbor tables
B. It learns and secures bindings for stateful autoconfiguration addresses in Layer 3
neighbor tables
C. It learns and secures bindings for stateful autoconfiguration addresses in Layer 2
neighbor tables
D. It learns and secures binding for stateless autoconfiguration addresses in Layer 2
neighbor tables
Answer: D

Explanation

IPv6 Neighbor Discovery (ND) inspection learns and secures bindings for stateless
autoconfiguration addresses in Layer 2 neighbor tables. IPv6 ND inspection analyzes ND
messages in order to build a trusted binding table. IPv6 ND messages that do not have valid
bindings are dropped.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/ipv6_fhsec/configuration/15-sy/ip6-nd-inspect.html

Question 2

Which statement about IPv6 RA Guard is true?

A. It does not offer protection in environments where IPv6 traffic is tunneled
B. It cannot be configured on a switch port interface in the ingress direction
C. Packets that are dropped by IPv6 RA Guard cannot be spanned
D. It is not supported in hardware when TCAM is programmed

Answer: A

Explanation

Restrictions for IPv6 RA Guard

+ The IPv6 RA Guard feature does not offer protection in environments where
IPv6 traffic is tunneled.
+ This feature is supported only in hardware when the ternary content
addressable memory (TCAM) is programmed.
+ This feature can be configured on a switch port interface in the ingress
direction.
+ This feature supports host mode and router mode.
+ This feature is supported only in the ingress direction; it is not supported in the egress
direction.
+ This feature is not supported on EtherChannel and EtherChannel port members.
+ This feature is not supported on trunk ports with merge mode.
+ This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of
PVLANs, primary VLAN features are inherited and merged with port features.
+ Packets dropped by the IPv6 RA Guard feature can be spanned.
+ If the platform ipv6 acl icmp optimize neighbor-discovery command is configured, the
IPv6 RA Guard feature cannot be configured and an error message will be displayed. This
command adds default global Internet Control Message Protocol (ICMP) entries that will
override the RA guard ICMP entries.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/ipv6_fhsec/configuration/xe-3s/ip6f-xe-3s-book/ip6-ra-guard.html

IP SLA Questions
Question 1

Which command is used to check IP SLA when an interface is suspected to receive lots of
traffic with options?
A. show track
B. show threshold
C. show timer
D. show delay

Answer: A

Question 2

Refer to the exhibit. ISP 1 and ISP 2 directly connect to the internet. A customer is tracking
both ISP links to achieve redundancy and cannot see the Cisco IP SLA tracking output on
the router console. Which command is missing from the IP SLA configuration?

A. Start-time now
B. Start-time 00:00
C. Start-time 0
D. Start-time immediately

Answer: A

Explanation

Although the IP SLA operation has been configured, it needs to be activated with the “start-
time now” keyword. An example of configuring an IP SLA ICMP echo operation and starting it
immediately is shown below:

ip sla 2
icmp-echo 10.10.10.10
!
ip sla schedule 2 start-time now

Question 3

A network engineer needs to verify IP SLA operations on an interface that shows an
indication of excessive traffic. Which command should the engineer use to complete this
action?
A. show frequency
B. show track
C. show reachability
D. show threshold

Answer: B

Question 4
Refer to the exhibit. An IP SLA was configured on router R1 that allows the default route to
be modified in the event that Fa0/0 loses reachability with the router R3 Fa0/0 interface.
The route has changed to flow through router R2.
Which debug command is used to troubleshoot this issue?

A. debug ip flow
B. debug ip sla error
C. debug ip routing
D. debug ip packet
Answer: C

Explanation

The “debug ip routing” command enables debugging messages related to the routing table.
Since the routing table is normally stable, you will only see debug messages when there are
any changes in the routing table.

SNMP Questions
Question 1
Which SNMP verification command shows the encryption and authentication protocols that
are used in SNMPv3?
A. show snmp group
B. show snmp user
C. show snmp
D. show snmp view

Answer: B

Explanation

The command “show snmp user” displays information about the configured characteristics
of SNMP users. The following example specifies the username as abcd with authentication
method of MD5 and encryption method of 3DES.

Router#show snmp user abcd
User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName
Group name: VacmGroupName

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t2/snmpv3ae.html

Note: The command “show snmp group” displays the names of groups on the router and the
security model, the status of the different views, and the storage type of each group. Below
is an example of this command.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-
os/system_management/configuration/guide/sm_nx_os_cg/sm_9snmp.html

Question 2

Refer to the exhibit. Network operations cannot read or write any configuration on the device
with this configuration from the operations subnet. Which two configurations fix the issue?
(Choose two)
snmp-server community ciscotest 1
snmp-server host 192.168.1.128 ciscotest
snmp-server enable traps bgp

A. Configure SNMP rw permission in addition to community ciscotest
B. Modify access list 1 and allow operations subnet in the access list
C. Modify SNMP rw permission in addition to version 1
D. Configure SNMP rw permission in addition to version 1
E. Configure SNMP rw permission in addition to community ciscotest 1

Answer: A B

Explanation

The syntax of configuring a SNMP community string is:

snmp-server community string [ view view-name ] [ ro | rw ] [ access-list-number ]

By default, the community string permits read-only (ro) access to all objects. Therefore the
first command in the exhibit above means “allow an SNMP manager that matches access-list
1 and uses the password ciscotest to have read-only access to this device”.

But the question says that network operations can neither read nor write the configuration
on this device, so there are two issues with the SNMP statement above:
+ ACL 1 may not match the IP address of the network operations subnet, so we have to
modify ACL 1 to “permit” the operations subnet.
+ This SNMP configuration only allows read-only access, so we have to configure read-write
access by adding the “rw” keyword after the community string (but before the ACL
number).
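To make the two issues above concrete, the following Python script (an added example, not code from the question bank or from Cisco) parses snmp-server community lines according to the documented syntax together with standard access-list entries, evaluates the ACL top-down with the implicit deny, and reports whether a given manager address ends up with no access, read-only or read-write access. The exhibit does not show access-list 1 or the operations subnet, so both are constructed here (10.0.0.0/24 as the only permitted subnet in the broken config, 192.168.1.128/25 as the operations subnet in the fixed one); a community that references a missing ACL is treated as denied, which is a conservative assumption of this script rather than documented IOS behaviour.

```python
import ipaddress

# Constructed sample configurations (the exhibit's three lines plus a made-up
# access-list 1; the real ACL 1 is not shown in the question).
BROKEN_CONFIG = """\
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community ciscotest 1
snmp-server host 192.168.1.128 ciscotest
snmp-server enable traps bgp
"""

# The two fixes: permit the (constructed) operations subnet in ACL 1 and add 'rw'
# after the community string, before the ACL number.
FIXED_CONFIG = """\
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.1.128 0.0.0.127
snmp-server community ciscotest rw 1
snmp-server host 192.168.1.128 ciscotest
snmp-server enable traps bgp
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into an IPv4Network (assumes a contiguous wildcard)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, bin(mask).count("1")))


def parse_config(text):
    """Return ({acl_number: [(action, network), ...]}, [community dicts])."""
    acls, communities = {}, []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":                      # standard ACL entries only
            num, action = t[1], t[2]
            if t[3] == "any":
                net = ipaddress.IPv4Network("0.0.0.0/0")
            elif t[3] == "host":
                net = ipaddress.IPv4Network(f"{t[4]}/32")
            else:
                net = wildcard_to_network(t[3], t[4] if len(t) > 4 else "0.0.0.0")
            acls.setdefault(num, []).append((action, net))
        elif t[:2] == ["snmp-server", "community"]:
            # snmp-server community <string> [view <name>] [ro|rw] [acl]; 'ro' is the default
            c = {"string": t[2], "view": None, "mode": "ro", "acl": None}
            rest, i = t[3:], 0
            while i < len(rest):
                if rest[i] == "view":
                    c["view"], i = rest[i + 1], i + 2
                elif rest[i] in ("ro", "rw"):
                    c["mode"], i = rest[i], i + 1
                else:
                    c["acl"], i = rest[i], i + 1
            communities.append(c)
    return acls, communities


def acl_permits(acl, ip):
    """Evaluate a standard ACL top-down; an unmatched address hits the implicit deny."""
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False


def snmp_access(text, community, manager_ip):
    """Access a manager gets with this community string: 'none', 'ro' or 'rw'."""
    acls, communities = parse_config(text)
    ip = ipaddress.IPv4Address(manager_ip)
    for c in communities:
        if c["string"] != community:
            continue
        # A referenced-but-missing ACL is treated as deny here (assumption of this script).
        if c["acl"] is not None and not acl_permits(acls.get(c["acl"], []), ip):
            return "none"
        return c["mode"]
    return "none"


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, snmp_access(cfg, "ciscotest", "192.168.1.130"))
```

With the broken configuration a manager in the constructed operations subnet gets no access at all (ACL 1 does not permit it), while a 10.0.0.0/24 manager gets only read-only access; with both fixes applied the operations manager gets read-write access and everything outside the two permitted subnets is still denied.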

DHCP Questions
Question 1
Users were moved from the local DHCP server to the remote corporate DHCP server. After
the move, none of the users were able to use the network. Which two issues will prevent
this setup from working properly? (Choose two)
A. Auto-QoS is blocking DHCP traffic
B. The DHCP server IP address configuration is missing locally
C. 802.1X is blocking DHCP traffic
D. The broadcast domain is too large for proper DHCP propagation
E. The route to the new DHCP server is missing

Answer: B E

Question 2

Refer to the exhibit. Users report that IP addresses cannot be acquired from the DHCP
server. The DHCP server is configured as shown. About 300 total nonconcurrent users are
using this DHCP server, but none of them are active for more than two hours per day.
Which action fixes the issue within the current resources?

R1#show running-config | section dhcp
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp pool DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 0 12

A. Configure the DHCP lease time to a bigger value
B. Add the network 192.168.2.0 255.255.255.0 command to the DHCP pool
C. Modify the subnet mask to the network 192.168.1.0 255.255.254.0 command in the
DHCP pool
D. Configure the DHCP lease time to a smaller value

Answer: D

Explanation

The command “lease 0 12” sets the duration of the lease (the time during which a client
computer can use an assigned IP address). The syntax is “lease {days [hours] [minutes] |
infinite}”. In this case the lease is (0 days) 12 hours.
We also notice that the pool of IP addresses that can be issued to clients is rather small, as
the network 192.168.1.0/24 only supports 253 assignable IP addresses. The first 49 IP
addresses were excluded, so we only have 253 – 49 = 204 assignable IP addresses < 300
users.

Therefore the best solution here is to reduce the lease time of each issued IP address (to 2
hours instead of 12 hours), as the users only need it for 2 hours per day, thus increasing the
chance of reusing the IP addresses for the clients.
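The reasoning above can be checked with a small model. The Python below is an added example, not code from the question bank: it parses the “lease” line, counts the addresses the exhibit's pool can hand out (the default router 192.168.1.1 already lies inside the excluded range, so it is only subtracted once), and then replays a constructed day of usage (300 users, 30 starting every hour from 08:00 to 17:00, each connected for two hours) to find the peak number of leases held at once under a given lease time. The lease model is a simplification: an address stays allocated until one lease time after the client's session ends.

```python
import ipaddress

# The exhibit's pool, as data (constructed transcription of the running-config above).
POOL_NETWORK = "192.168.1.0/24"
EXCLUDED = [("192.168.1.1", "192.168.1.49")]
LEASE_LINE = "lease 0 12"

# Constructed day of usage: 300 users, 30 starting in each hour from 08:00 to
# 17:00, every session lasting 2 hours (the "two hours per day" in the question).
SESSIONS = [(8 + (i % 10), 10 + (i % 10)) for i in range(300)]


def parse_lease(line):
    """'lease {days [hours] [minutes] | infinite}' -> lease length in hours (None = infinite)."""
    fields = line.split()[1:]
    if fields == ["infinite"]:
        return None
    days, hours, minutes = (int(f) for f in (fields + ["0", "0"])[:3])
    return days * 24 + hours + minutes / 60


def assignable_addresses(network, excluded_ranges):
    """Addresses the pool can hand out: host addresses minus every excluded range."""
    usable = set(ipaddress.IPv4Network(network).hosts())
    for low, high in excluded_ranges:
        lo, hi = int(ipaddress.IPv4Address(low)), int(ipaddress.IPv4Address(high))
        usable -= {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return len(usable)


def peak_addresses_held(sessions, lease_hours):
    """Peak number of leases held at once.

    Simplified model: a client keeps renewing while connected, so its address stays
    allocated until <lease_hours> after the session ends, whether or not it is still there.
    """
    events = []
    for start, end in sessions:
        events.append((start, +1))               # address taken
        events.append((end + lease_hours, -1))   # lease finally expires
    events.sort()                 # at equal times the -1 release sorts before the +1 grab
    held = peak = 0
    for _, delta in events:
        held += delta
        peak = max(peak, held)
    return peak


def pool_fits(sessions, lease_hours, network=POOL_NETWORK, excluded=EXCLUDED):
    """True if the pool never runs out under the modelled usage and lease time."""
    return peak_addresses_held(sessions, lease_hours) <= assignable_addresses(network, excluded)


if __name__ == "__main__":
    size = assignable_addresses(POOL_NETWORK, EXCLUDED)
    for hours in (parse_lease(LEASE_LINE), 2):
        print(f"lease {hours}h: peak {peak_addresses_held(SESSIONS, hours)} of {size} addresses")
```

With the configured 12-hour lease every one of the 300 users still holds an address by late afternoon, far more than the pool offers; with a 2-hour lease the peak drops to 120, so the same pool serves all of them, which is the point of answer D.
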
DNA Center Questions
Question 1
An engineer configured the wrong default gateway for the Cisco DNA center enterprise
interface during the install. Which command must the engineer run to correct the
configuration?
A. Sudo update config install
B. Sudo maglev reinstall
C. Sudo maglev-config update
D. Sudo maglev install config update

Answer: C

Explanation

Once the appliance is configured, you cannot use the Configuration Wizard to change all
Cisco DNA Center appliance settings. Changes are restricted to the following settings only:
+ Host IP address of the appliance
+ DNS server IP addresses
+ Default gateway IP address

Procedure

Step 1
Using a Secure Shell (SSH) client, log into the IP address of the Enterprise port of the Cisco
DNA Center appliance that needs to be reconfigured, on port 2222. For example:
ssh maglev@Enterprise-port’s-IP-address -p 2222
Step 2
When prompted, enter the Linux Password.
Step 3
Enter the following command to access the Configuration Wizard.
$ sudo maglev-config update
If prompted for the Linux Password, enter it again.

For more information about this procedure, please
read https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/1-
2/install/b_dnac_install_1_2/b_dnac_install_1_2_chapter_011.html

Question 2

When provisioning a device in Cisco DNA Center, the engineer sees the error message
“Cannot select the device. Not compatible with template.”. What is the reason for the error?
A. The software version of the template is different from the software version of the device
B. The changes to the template were not committed
C. The template has an incorrect configuration
D. The tag that was used to filter the templates does not match the device tag
Answer: D

Explanation

If you use tags to filter the templates, you must apply the same tags to the device to which
you want to apply the templates. Otherwise, you get the following error during provisioning:
“Cannot select the device. Not compatible with template.”

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/1-2-
10/user_guide/b_cisco_dna_center_ug_1_2_10/b_dnac_ug_1_2_10_chapter_0111.html

Question 3

While working with software images, an engineer observes that Cisco DNA Center cannot
upload its software image directly from the device. Why is the image not uploading?
A. The device has lost connectivity to Cisco DNA Center
B. The software image for the device is in bundle mode
C. The software image for the device is in install mode
D. The device must be resynced to Cisco DNA Center

Answer: C
Explanation

When a device is in Install Mode, Cisco DNA Center is unable to upload its software image
directly from the device. When a device is in install mode, you must first manually upload
the software image to the Cisco DNA Center repository before marking the image as golden.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-
automation-and-management/dna-center/1-
3/user_guide/b_cisco_dna_center_ug_1_3/b_cisco_dna_center_ug_1_3_chapter_0100.html

Question 1
Drag and drop the MPLS VPN concepts from the left onto the correct descriptions on the
right.
Answer:
+ propagates VPN reachability information: multiprotocol BGP
+ distributes labels for traffic engineering: Resource Reservation Protocol
+ uniquely identifies a customer prefix: route distinguisher
+ controls the import/export of customer prefixes: route target
Question 2
Drag and drop the address from the left onto the correct IPv6 filter purposes on the right.

Answer:
+ permit NTP from this source 2001:0D88:0800:200c::1f – permit ip
2001:d88:800:200c::c/126 2001:0DBB:800:2010::/64 eq 123
+ permit syslog from this source 2001:0D88:0800:200c::1c – permit ip
2001:D88:800:200c::e/126 2001:0DBB:800:2010::/64 eq 514
+ permit HTTP from this source 2001:0D8B:0800:200c::0fff – permit ip
2001:d8b:800:200c::800/117 2001:0DBB:800:2010::/64 eq 80
+ permit HTTPS from this source 2001:0D8B:0800:200c::07ff – permit ip
2001:d8b:800:200c::/117 2001:0DBB:800:2010::/64 eq 443
Explanation
HTTP and HTTPS run on TCP ports 80 and 443, respectively, and we have to remember them.
Syslog runs on UDP port 514 while NTP runs on UDP port 123, so if we remember them we
can find the matching answers easily. But there may be some typos in this question,
as 2001:d88:800:200c::c/126 only ranges
from 2001:d88:800:200c:0:0:0:c to 2001:d88:800:200c:0:0:0:f (4 hosts in total). It
does not cover host 2001:0D88:0800:200c::1f. The same applies to 2001:D88:800:200c::e/126,
which also ranges from 2001:d88:800:200c:0:0:0:c to 2001:d88:800:200c:0:0:0:f and
does not cover host 2001:0D88:0800:200c::1c.
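The prefix arithmetic in the explanation above is exactly what Python's ipaddress module does, so the four rows of the answer can be verified instead of worked out by hand. The block below is an added example, not code from the question bank; the FILTER_ROWS table is a transcription of the answer's values into data, and strict=False is what lets a prefix written with host bits set (such as 2001:D88:800:200c::e/126) be normalised to its block the way the ACL would treat it.

```python
import ipaddress

# The four rows of the answer above, as data: (purpose, claimed source host, source prefix, port).
FILTER_ROWS = [
    ("NTP",    "2001:0D88:0800:200c::1f",   "2001:d88:800:200c::c/126",   123),
    ("syslog", "2001:0D88:0800:200c::1c",   "2001:D88:800:200c::e/126",   514),
    ("HTTP",   "2001:0D8B:0800:200c::0fff", "2001:d8b:800:200c::800/117", 80),
    ("HTTPS",  "2001:0D8B:0800:200c::07ff", "2001:d8b:800:200c::/117",    443),
]


def prefix_span(prefix):
    """(first address, last address, number of addresses) covered by an IPv6 prefix.

    strict=False normalises a prefix written with host bits set (e.g. ::e/126 -> ::c/126).
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    # IPv6 has no broadcast address; ipaddress simply names the last address of the block this way.
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def covers(prefix, host):
    """Does the ACL prefix actually match the host the row claims to permit?"""
    return ipaddress.IPv6Address(host) in ipaddress.IPv6Network(prefix, strict=False)


def check_rows(rows):
    """Map each purpose to whether its prefix covers its claimed host."""
    return {purpose: covers(prefix, host) for purpose, host, prefix, _port in rows}


if __name__ == "__main__":
    for purpose, host, prefix, port in FILTER_ROWS:
        first, last, count = prefix_span(prefix)
        ok = "covers" if covers(prefix, host) else "does NOT cover"
        print(f"{purpose:6} port {port:3}: {prefix} = {first} .. {last} ({count}) {ok} {host}")
```

Running it shows that the two /126 prefixes span only four addresses (::c to ::f) and miss the NTP and syslog hosts, while the two /117 prefixes (2048 addresses each) do contain the HTTP and HTTPS hosts, confirming the typo remark above.
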
Question 3
Drag and drop the packet from the left onto the correct descriptions on the right.

Answer:
+ user-generated packets that are always forwarded by network devices to other end-
station devices: data plane packets
+ network device generated or received packets that are used for the creation of the
network itself: control plane packets
+ network device generated or received packets; packets that are used to operate the
network: management plane packets
+ user-generated packets that are forwarded by network devices to other end-station
devices, but that require higher priority than the normal traffic by the network
devices: services plane packets
Explanation
Unlike legacy network technologies such as ISDN, Frame Relay, and ATM that defined
separate data and control channels, IP carries all packets within a single pipe. Thus, IP
network devices such as routers and switches must be able to distinguish between data
plane, control plane, and management plane packets to treat each packet appropriately.
From an IP traffic plane perspective, packets may be divided into four distinct, logical
groups:
1. Data plane packets – End-station, user-generated packets that are always forwarded
by network devices to other end-station devices. From the perspective of the network
device, data plane packets always have a transit destination IP address and can be handled
by normal, destination IP address-based forwarding processes.
2. Control plane packets – Network device generated or received packets that are used
for the creation and operation of the network itself. From the perspective of the network
device, control plane packets always have a receive destination IP address and are handled
by the CPU in the network device route processor. Examples include protocols such as ARP,
BGP, OSPF, and other protocols that glue the network together.
3. Management plane packets – Network device generated or received packets, or
management station generated or received packets that are used to manage the network.
From the perspective of the network device, management plane packets always have a
receive destination IP address and are handled by the CPU in the network device route
processor. Examples include protocols such as Telnet, Secure Shell (SSH), TFTP, SNMP, FTP,
NTP, and other protocols used to manage the device and/or network.
4. Services plane packets – A special case of data plane packets, services plane packets
are also user-generated packets that are also forwarded by network devices to other end-
station devices, but that require high-touch handling by the network device (above and
beyond normal, destination IP address-based forwarding) to forward the packet. Examples
of high-touch handling include such functions as GRE encapsulation, QoS, MPLS VPNs, and
SSL/IPsec encryption/decryption, etc. From the perspective of the network device, services
plane packets may have a transit destination IP address, or may have a receive destination
IP address (for example, in the case of a VPN tunnel endpoint).
Reference: https://tools.cisco.com/security/center/resources/copp_best_practices
Question 4
Drag and drop the SNMP attributes in Cisco IOS devices from the onto the correct SNMPv2c
or SNMPv3 categories on the right.

Answer:
SNMPv2c:
+ community string
+ no encryption
+ read-only
SNMPv3:
+ username and password
+ authentication
+ privileged

Explanation
Both SNMPv1 and v2 did not focus much on security and they provide security based
on community string only. Community string is really just a clear text password (without
encryption). Any data sent in clear text over a network is vulnerable to packet sniffing and
interception. There are two types of community strings in SNMPv2c:
+ Read-only (RO): gives read-only access to the MIB objects, which is safer and preferred
over the read-write method.
+ Read-write (RW): gives read and write access to the MIB objects. This method allows
SNMP Manager to change the configuration of the managed router/switch so be careful with
this type.
The community string defined on the SNMP Manager must match one of the community
strings on the Agents in order for the Manager to access the Agents.
SNMPv3 provides significant enhancements to address the security weaknesses existing in
the earlier versions. The concept of community string does not exist in this version. SNMPv3
provides a far more secure communication using entities, users and groups. This is achieved
by implementing three new major features:
+ Message integrity: ensuring that a packet has not been modified in transit.
+ Authentication: by using password hashing (based on the HMAC-MD5 or HMAC-SHA
algorithms) to ensure the message is from a valid source on the network.
+ Privacy (Encryption): by using encryption (56-bit DES encryption, for example) to
encrypt the contents of a packet.
Question 5
Drag and drop the MPLS terms from the left onto the correct definitions on the right.
Answer:
+ device that forwards traffic based on labels: P
+ path that the labeled packet takes: LSP
+ device that is unaware of MPLS labeling: CE
+ device that removes and adds the MPLS labeling: PE
Question 6
Drag and drop the OSPF adjacency states from the left onto the correct descriptions on the
right

Answer:
+ Each router compares the DBD packets that were received from the other router:
Exchange
+ Routers exchange information with other routers in the multiaccess network: 2-way
+ The neighboring router requests the other routers to send missing entries: Loading
+ The network has already elected a DR and a backup BDR: Exstart
+ The OSPF router ID of the receiving router was not contained in the hello message: Init
+ No hellos have been received from a neighbor router: Down
Explanation
When OSPF adjacency is formed, a router goes through several state changes before it
becomes fully adjacent with its neighbor. The states are Down -> Attempt (optional) -> Init
-> 2-Way -> Exstart -> Exchange -> Loading -> Full. Short descriptions about these states
are listed below:
Down: no information (hellos) has been received from this neighbor.
Attempt: only valid for manually configured neighbors in an NBMA environment. In
Attempt state, the router sends unicast hello packets every poll interval to the neighbor,
from which hellos have not been received within the dead interval.
Init: specifies that the router has received a hello packet from its neighbor, but the
receiving router’s ID was not included in the hello packet
2-Way: indicates bi-directional communication has been established between two routers.
Exstart: Once the DR and BDR are elected, the actual process of exchanging link state
information can start between the routers and their DR and BDR.
Exchange: OSPF routers exchange and compare database descriptor (DBD) packets
Loading: In this state, the actual exchange of link state information occurs. Outdated or
missing entries are also requested to be resent.
Full: routers are fully adjacent with each other
(Reference: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800
93f0e.shtml)
Note: At the end of 2-Way state, DR/BDR election has been done.
Question 7
Drag and drop the DHCP messages from the left onto the correct uses on the right.

Answer:
+ server-to-client communication, refusing the request for configuration parameters:
DHCPNAK
+ client-to-server communication, indicating that the network address is already in use:
DHCPDECLINE
+ server-to-client communication with configuration parameters, including committed
network address: DHCPACK
+ client-to-server communication, asking for only local configuration parameters that the
client has already externally configured as an address: DHCPINFORM
Explanation
DHCPINFORM: If a client has obtained a network address through some other means or has
a manually configured IP address, a client workstation may use a DHCPINFORM request
message to obtain other local configuration parameters, such as the domain name and
Domain Name Servers (DNSs). DHCP servers receiving a DHCPINFORM message construct a
DHCPACK message with any local configuration parameters appropriate for the client
without allocating a new IP address. This DHCPACK will be sent unicast to the client.
DHCPNAK: If the selected server is unable to satisfy the DHCPREQUEST message, the DHCP
server will respond with a DHCPNAK message. When the client receives a DHCPNAK
message, or does not receive a response to a DHCPREQUEST message, the client restarts
the configuration process by going into the Requesting state. The client will retransmit the
DHCPREQUEST at least four times within 60 seconds before restarting the Initializing state.
DHCPACK: After the DHCP server receives the DHCPREQUEST, it acknowledges the request
with a DHCPACK message, thus completing the initialization process.
DHCPDECLINE: The client receives the DHCPACK and will optionally perform a final check on
the parameters. The client performs this procedure by sending Address Resolution Protocol
(ARP) requests for the IP address provided in the DHCPACK. If the client detects that the
address is already in use by receiving a reply to the ARP request, the client will send a
DHCPDECLINE message to the server and restart the configuration process by going into
the Requesting state.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-
resolution/27470-100.html

Miscellaneous Questions
Question 1

What is a prerequisite for configuring BFD?

A. All routers in the path between two BFD endpoints must have BFD enabled
B. Jumbo frame support must be configured on the router that is using BFD
C. Cisco Express Forwarding must be enabled on all participating BFD endpoints
D. To use BFD with BGP, the timers 3 9 command must first be configured in the BGP
routing process

Answer: C

Explanation
Bidirectional Forwarding Detection (BFD) is a detection protocol that is designed to provide
fast forwarding path failure detection times for all media types, encapsulations, topologies,
and routing protocols.
Prerequisites for Bidirectional Forwarding Detection:
+ Cisco Express Forwarding and IP routing must be enabled on all participating routers.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/iproute_bfd/configuration/15-mt/irb-15-mt-book/irb-bi-fwd-det.html

Question 2

Which two protocols can cause TCP starvation? (Choose two)

A. TFTP
B. SNMP
C. SMTP
D. HTTPS
E. FTP

Answer: A B

Explanation

It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially
Streaming-Video) within a single service-provider class because of the behaviors of these
protocols during periods of congestion. Specifically, TCP transmitters throttle back flows
when drops are detected. Although some UDP applications have application-level
windowing, flow control, and retransmission capabilities, most UDP transmitters are
completely oblivious to drops and, thus, never lower transmission rates because of
dropping.
When TCP flows are combined with UDP flows within a single service-provider class
and the class experiences congestion, TCP flows continually lower their transmission rates,
potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is
called TCP starvation/UDP dominance.

TCP starvation/UDP dominance likely occurs if TCP-based applications are assigned to the
same service-provider class as UDP-based applications and the class experiences sustained
congestion.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it
is beneficial to be aware of this behavior when making such application-mixing decisions
within a single service-provider class.

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS
_SRND/QoS-SRND-Book/VPNQoS.html

Therefore two UDP protocols that can cause TCP starvation are TFTP (UDP port 69) and
SNMP (UDP port 161 & 162).

Question 3

Which method changes the forwarding decision that a router makes without first changing
the routing table or influencing the IP data plane?
A. Policy-based routing
B. Nonbroadcast multi-access
C. Packet switching
D. Forwarding information base

Answer: A

Explanation

Policy-based routing (PBR) intercepts the packet after de-encapsulation on the incoming
interface, before the router performs the CEF table lookup. PBR then chooses how to
forward the packet using criteria other than the usual matching of the packet’s destination
address with the CEF table. Therefore PBR does not affect the routing table or the data
plane.

Question 4
Which attribute eliminates LFAs that belong to protected paths in situations where links in a
network are connected through a common fiber?
A. Interface-disjoint
B. Shared risk link group-disjoint
C. Linecard-disjoint
D. Lowest-repair-path-metric

Answer: B
Explanation

Traditionally, link state protocols, despite having a full view of the database, never
calculated a backup route. Loop-Free Alternate (LFA) aims to calculate a backup route that
can be used to route traffic in case of a failure of a directly connected link or node on the
primary path.

Shared Risk Link Groups (SRLG) refer to situations in which links in a network share a
common fiber (or a common physical attribute). These links have a shared risk: when one
link fails, other links in the group might also fail. Topology-Independent Loop-Free Alternate
(TI-LFA) SRLG protection attempts to find the post-convergence backup path that excludes
the SRLG of the protected link. All local links that share any SRLG with the protecting link
are excluded.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-
3/segment-routing/configuration/guide/b-segment-routing-cg-asr9000-63x/b-segment-
routing-cg-asr9000-63x_chapter_01001.pdf

Note:

+ Linecard-disjoint: prefers a backup path that leaves through an interface on a different
line card from the primary path. This is a special case of SRLG-disjoint protection.
+ Interface-disjoint: the repair path uses a different interface from the one the primary
path uses to reach the destination. On point-to-point links this condition is always met.

Question 5

Refer to the exhibit. An administrator connected to the console does not see debug
messages when remote users log in. Which action ensures that debug messages are
displayed for remote logins?
R1(config)#do show running-config | section line|username
username cisco secret 5 $l$^e/o$I3G5cXODxpYMSJ70PzEyoO
line con 0
logging synchronous
line vty 0 4
login local
transport input telnet
R1(config)# logging console 7
R1(config)# do debug aaa authentication
R1(config)#

A. Enter the transport input ssh configuration command
B. Enter the terminal monitor exec command
C. Enter the logging console debugging configuration command
D. Enter the aaa new-model configuration command

Answer: D
Explanation

Answer A is not correct because it would disable Telnet access, which is not the goal.

Answer C is not correct because "logging console debugging" is the same as "logging
console 7", which was already typed in the exhibit.

That leaves B and D. Answer D is the better one: "debug aaa authentication" only produces
output for logins that are processed by AAA, and the exhibit shows no "aaa new-model"
line, so the VTY logins are handled by the legacy "login local" mechanism and the AAA
debug has nothing to report. Enabling AAA with "aaa new-model" sends the remote logins
through AAA and the debug messages appear.

Note: "logging console" is enabled by default and hidden from the running configuration;
it only appears when it has been disabled (no logging console), so console logging is
already on in this question.

Question 6

Refer to the exhibit. Why is the remote NetFlow server failing to receive the NetFlow data?

config t
flow record v4_r1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
!
flow exporter EXPORTER-1
destination 172.16.10.2
transport udp 90
exit
!
flow monitor FLOW-MONITOR-1
record v4_r1
exit
!
ip cef
!
interface Ethernet0/0.1
ip address 172.16.6.2 255.255.255.0
ip flow monitor FLOW-MONITOR-1 input

A. The flow exporter is configured but is not used.
B. The flow monitor is applied in the wrong direction.
C. The flow monitor is applied to the wrong interface.
D. The destination of the flow exporter is not reachable.

Answer: A

Explanation

Flow exporters are created as separate components in a router's configuration. Exporters
are assigned to flow monitors to export the data from the flow monitor cache to a remote
system such as a NetFlow collector.

As we can see, "flow exporter EXPORTER-1" was defined but it has not been used. We
attach it inside the flow monitor. For example:

flow monitor FLOW-MONITOR-1
record v4_r1
exporter EXPORTER-1
exit

Question 7

Given the network diagram, which address would successfully summarize only the networks
seen?
A. 192.168.0.0/24
B. 192.168.8.0/20
C. 192.168.8.0/21
D. 192.168.12.0/20
E. 192.168.16.0/21
F. These networks cannot be summarized.

Answer: C
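A worked check for this kind of question, added here as an example and not part of the original page: the network diagram is not reproduced, so the block uses a constructed set of eight /24s (192.168.8.0/24 through 192.168.15.0/24) as a stand-in, computes the tightest covering prefix with Python's ipaddress module, and reports how many addresses each candidate summary would advertise beyond the networks it is meant to cover. A summary that covers "only" the networks seen is one with zero excess; a /20 covers them too, but advertises 2048 addresses the site does not own.

```python
import ipaddress

# Constructed stand-in for the missing diagram: eight contiguous /24s. Assumed, not the exam's.
SAMPLE_NETWORKS = ["192.168.%d.0/24" % i for i in range(8, 16)]

# The answer choices from the question. 192.168.8.0/20 and 192.168.12.0/20 are not on a
# /20 boundary, so strict=False rounds them down to 192.168.0.0/20 as IOS would.
CANDIDATES = ["192.168.0.0/24", "192.168.8.0/20", "192.168.8.0/21",
              "192.168.12.0/20", "192.168.16.0/21"]


def covering_summary(networks):
    """Smallest single prefix that contains every network in the list.

    Starts from the shortest mask present and shortens it until the block that
    holds the lowest address also holds the highest one."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    plen = min(n.prefixlen for n in nets)
    while plen > 0:
        block = ipaddress.ip_network((int(lo), plen), strict=False)
        if hi in block:
            return block
        plen -= 1
    return ipaddress.ip_network((0, 0))


def excess_addresses(summary, networks):
    """How many addresses the summary advertises that are not in any listed network.

    Assumes the listed networks do not overlap each other."""
    nets = [ipaddress.ip_network(n) for n in networks]
    covered = sum(n.num_addresses for n in nets if n.subnet_of(summary))
    return summary.num_addresses - covered


def rank_candidates(candidates, networks):
    """Candidates that cover every listed network, tightest (least excess) first."""
    nets = [ipaddress.ip_network(n) for n in networks]
    out = []
    for c in candidates:
        block = ipaddress.ip_network(c, strict=False)
        if all(n.subnet_of(block) for n in nets):
            out.append((str(block), excess_addresses(block, networks)))
    return sorted(out, key=lambda x: x[1])


if __name__ == "__main__":
    print("tightest summary:", covering_summary(SAMPLE_NETWORKS))
    for cand, excess in rank_candidates(CANDIDATES, SAMPLE_NETWORKS):
        print("%-18s excess addresses: %d" % (cand, excess))
```

Run with the sample set, the tightest summary is 192.168.8.0/21 with no excess, the two /20 candidates both collapse to 192.168.0.0/20 with 2048 surplus addresses, and 192.168.0.0/24 and 192.168.16.0/21 do not cover the networks at all.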

New ENARSI Questions 1


Question 1

Refer to the exhibit. AAA server 10.1.1.1 is configured with the default authentication and
accounting settings, but the switch cannot communicate with the server. Which action
resolves this issue?

A. Correct the timeout value


B. Match the authentication port
C. Correct the shared secret
D. Match the accounting port

Answer: B

Explanation

By default, RADIUS uses UDP port 1812 for authentication and port 1813 for accounting. In
the exhibit above we see port 1814 is being used for authentication to AAA server at
10.1.1.1 which is not the default port so we must adjust the authentication port to the
default value 1812.

Question 2

Refer to the exhibit. A company is evaluating multiple network management system tools.
Trending graphs generated by SNMP data are returned by the NMS and appear to have
multiple gaps. While troubleshooting the issue, an engineer noticed the relevant output.
What solves the gaps in the graphs?

A. Remove the class map NMS from being part of control plane policing
B. Remove the exceed-rate command in the class map
C. Configure the CIR rate to a lower value that accommodates all the NMS tools
D. Separate the NMS class map in multiple class maps based on the specific protocols with
appropriate CoPP actions

Answer: D

Explanation

The class map NMS in the exhibit lumps all management protocols into one class, so when
the combined rate exceeds the policer many SNMP packets are dropped and the graphs show
gaps. We should create separate class maps for the individual protocols so each can be
policed with its own action. This is also the recommended way to build a CoPP/CPP policy:

“Developing a CPP policy starts with the classification of the control plane traffic. To that
end, the control plane traffic needs to be first identified and separated into different class
maps.”

Reference: https://ptgmedia.pearsoncmg.com/images/9781587143694/downloads/i9781587143694_app02.pdf

Question 3

Drag and drop the credentials from the left onto the remote login information on the right to
resolve a failed login attempt to vtys. Not all credentials are used.
aaa new-model
aaa authentication login default none
aaa authentication login telnet local
!
username cisco password 0 Ocsic
!
line vty 0
password LetMeIn
login authentication telnet
transport input telnet
line vty 1
password LetMeIn
transport input telnet

Answer:

vty 0:
+ cisco
+ 0csic
vty 1:
+ no username
+ no password

Explanation

The command "aaa authentication login default none" means no authentication is required
for access through the console, VTY or AUX lines, so any line that does not select another
method list (with the "login authentication ..." command) lets the user in without asking
for a username or password. VTY 1 does not select another method list, so it uses the
default list, which is "none". VTY 0 uses the "telnet" list, whose method is "local", so it
accepts the username and password from the "username cisco" command; the line password
LetMeIn is ignored on both lines.

Question 4

Refer to the exhibit. An engineer is monitoring reachability of the configured default routes
to ISP1 and ISP2. The default route from ISP1 is preferred if available. How is this issue
resolved?

R1
ip sla 100
icmp-echo 10.12.1.254
!
track 10 ip sla 100 reachability
!
ip route 0.0.0.0 0.0.0.0 10.12.1.254 track 10
ip route 0.0.0.0 0.0.0.0 10.13.1.254 10
!
R1#show ip route
--Output Omitted--
Gateway of last resort is 10.13.1.254 to network 0.0.0.0

S* 0.0.0.0/0 [10/0] via 10.13.1.254


10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.11.1.0/24 is directly connected, GigabitEthernet0/1
L 10.11.1.1/32 is directly connected, GigabitEthernet0/1
C 10.12.1.0/24 is directly connected, GigabitEthernet0/0
L 10.12.1.1/32 is directly connected, GigabitEthernet0/0
C 10.13.1.0/24 is directly connected, GigabitEtheraet0/2
L 10.13.1.1/32 is directly connected, GigabitEthernet0/2

A. Use the icmp-echo command to track both default routes
B. Start IP SLA by matching numbers for track and ip sla commands
C. Start IP SLA by defining frequency and scheduling it
D. Use the same AD for both default routes

Answer: C

Explanation

In the above configuration the IP SLA operation was never scheduled, so it never runs, the
track object never comes up and the tracked default route via 10.12.1.254 is never
installed. This is why the routing table shows only the floating static route via
10.13.1.254. The operation is started with:

R1(config)#ip sla schedule 100 life forever start-time now

We should also set how often the ICMP echo is sent, under the operation itself:

R1(config)#ip sla 100
R1(config-ip-sla-echo)#frequency 5 // send an ICMP echo every 5 seconds

Answer B is a distractor: the track and IP SLA numbers do not have to match, and track 10
already references ip sla 100 correctly.

Question 5

Refer to the exhibit. Redistribution is enabled between the routing protocols, and now PC2
PC3, and PC4 cannot reach PC1. What are the two solutions to fix the problem? (Choose
two)

A. Filter RIP and OSPF routes back into OSPF from EIGRP when redistributing into OSPF in
R2
B. Filter all routes except EIGRP routes when redistributing into OSPF in R3
C. Filter OSPF routes into RIP from EIGRP when redistributing into RIP in R2
D. Filter all routes except RIP routes when redistributing into EIGRP in R2
E. Filter RIP routes back into RIP when redistributing into RIP in R2

Answer: C E

Explanation

Even PC2 cannot reach PC1, so something is wrong with the RIP redistribution on R2, the
router that redistributes between RIP and the other protocols. RIP has a higher
administrative distance (120) than OSPF (110) and internal EIGRP (90), so if a prefix that
originated in RIP is redistributed on R2 and then learned back through another protocol,
the lower-AD copy replaces the native RIP route and points away from PC1: a
redistribution loop. Filtering on R2 so that RIP-originated prefixes are not fed back into
RIP (E) and OSPF prefixes are not pushed into RIP (C) stops this route feedback.


Question 6

Which label operations are performed by a label edge router?

A. PUSH and PHP
B. SWAP and POP
C. SWAP and PUSH
D. PUSH and POP

Answer: D

Explanation

The entry and exit routers of an MPLS network are called edge LSR (or label edge routers –
LER), which, respectively, inject (push) an MPLS label onto an incoming packet (label
assignment) and remove (pop) it off the outgoing packet (label removal).

Question 7

Refer to the exhibit. The network administrator configured VRF lite for customer A. The
technician at the remote site misconfigured VRF on the router. Which configuration will
resolve connectivity for both sites of customer A?

ip vrf customer_a
rd 1:1
route-target export 1:1
route-target import 1:1
!
interface FastEthernet0.1
encapsulation dot1Q 2
ip vrf forwarding customer_a
ip address 192.168.4.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
!
router ospf 2 vrf customer_a
log-adjacency-changes
network 192.168.4.0 0.0.0.255 area 0
!
end

A.
ip vrf customer_a
rd 1:2
route-target both 1:1

B.
ip vrf customer_a
rd 1:2
route-target both 1:2

C.
ip vrf customer_a
rd 1:1
router-target import 1:1
router-target export 1:2

D.
ip vrf customer_a
rd 1:1
route-target export 1:2
router-target import 1:2

Answer: A

Explanation

From the exhibit we learn:

+ VRF customer_a exports its routes with route target (RT) 1:1, so the remote site must
import RT 1:1.
+ VRF customer_a imports RT 1:1, so the remote site must export RT 1:1.

Therefore the remote site needs "route-target both 1:1", which is equivalent to the two
commands "route-target import 1:1" and "route-target export 1:1". The RD does not have
to match between the two sites, so rd 1:2 at the remote site is acceptable; it is the RTs
that must line up.

Question 8
Drag and drop the operations from the left onto the locations where the operations are
performed on the right.

Answer:

Label Switch Router:
+ Reads the labels and forwards the packet based on the labels
+ Performs penultimate hop popping

Label Edge Router:
+ Handles traffic between multiple VPNs
+ Assigns labels to unlabelled packets

Question 9

After some changes in the routing policy, it is noticed that the router in AS 45123 is being
used as a transit AS router for several service providers. Which configuration ensures that
the branch router in AS 45123 advertises only the local networks to all SP neighbors?
A.
ip as-path access-list 1 permit ^45123$
!
router bgp 45123
neighbor SP-Neighbors filter-list 1 out

B.
ip as-path access-list 1 permit ^45123
!
router bgp 45123
neighbor SP-Neighbors filter-list 1 out

C.
ip as-path access-list 1 permit ^$
!
router bgp 45123
neighbor SP-Neighbors filter-list 1 out
D.
ip as-path access-list 1 permit
!
router bgp 45123
neighbor SP-Neighbors filter-list 1 out

Answer: C

Explanation
By default BGP advertises all prefixes to external BGP neighbors. This means that if you are
multi-homed (connected to two or more ISPs) then you might become a transit AS. For
example, ISP 2 in AS 200 can send traffic to your router in AS 100 to reach ISP 3 in AS 300
because you advertised prefixes in ISP 3 to ISP 2.

This is what will be seen in the BGP routing table of ISP2:

ISP2#show ip bgp
--output omitted--
Network Next Hop Metric LocPrf Weight Path
....
*> 3.3.3.0/24 192.168.12.1 0 100 300 i

In order to prevent this we have to ensure that our router only advertises prefixes from
its own autonomous system. One of the methods is a filter-list built on an AS-path
access-list:

R1(config)# ip as-path access-list 1 permit ^$
R1(config-router)#neighbor 192.168.12.2 filter-list 1 out
R1(config-router)#neighbor 192.168.23.3 filter-list 1 out

The ^$ regular expression matches an empty AS path, which only locally originated prefixes
have (the local AS is prepended after the outbound policy is applied, which is why ^45123$
would match nothing here). Everything learned from an ISP already carries that ISP's AS
in its path and is dropped by the implicit deny. The filter should be applied to both
ISPs.
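How each of the four as-path access-lists behaves can be checked offline. The following Python is an added example, not from the original page or from Cisco: it applies the regular expression the way an outbound filter-list does, against the AS_PATH of each entry in a constructed BGP table (assumed; not the exhibit) as it is stored before the local AS 45123 is prepended to the outgoing update.

```python
import re

# Constructed view of the AS 45123 border router's BGP table: prefix -> AS_PATH as shown
# by "show ip bgp". An empty path means the prefix was originated locally. Assumed data.
SAMPLE_BGP_TABLE = {
    "10.45.0.0/16": "",              # local network
    "10.45.1.0/24": "",              # local network
    "203.0.113.0/24": "200",         # learned from the ISP in AS 200
    "198.51.100.0/24": "300 64500",  # learned from the ISP in AS 300
    "192.0.2.0/24": "200 300",
}


def as_path_permits(regex, as_path):
    """One 'ip as-path access-list N permit <regex>' line: a regex search over the
    space-separated AS_PATH string. Cisco's ^ and $ anchors behave like Python's for
    the patterns used in this question."""
    return re.search(regex, as_path) is not None


def outbound_advertisements(table, permit_regexes):
    """Prefixes that survive 'neighbor ... filter-list N out'.

    The filter is evaluated on the path as stored in the table, i.e. before the
    router's own AS is prepended for the outbound update, and the access-list ends
    with an implicit deny, so a prefix is sent only if some permit line matches."""
    return sorted(
        prefix for prefix, path in table.items()
        if any(as_path_permits(r, path) for r in permit_regexes)
    )


def leaks_transit_routes(table, permit_regexes):
    """True if any prefix learned from another AS would be re-advertised."""
    sent = outbound_advertisements(table, permit_regexes)
    return any(table[p] != "" for p in sent)


if __name__ == "__main__":
    # Option D has no pattern at all; IOS rejects that line, so it is modelled here
    # as an empty pattern, which matches every path (an assumption).
    for label, regex in [("A ^45123$", r"^45123$"), ("B ^45123", r"^45123"),
                         ("C ^$", r"^$"), ("D <empty>", r"")]:
        print(label, "->", outbound_advertisements(SAMPLE_BGP_TABLE, [regex]))
```

Options A and B match nothing on the outbound side because the local AS is not in the stored path yet, so the router would advertise no routes at all; option C advertises exactly the two locally originated prefixes; a catch-all pattern re-advertises the ISP routes and keeps the router a transit AS.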

Question 10

Refer to the exhibit. An engineer is trying to get a packet destined for 192.168.32.100
forwarded through 10.1.1.1, but it was forwarded through 10.1.1.2. What action forwards
the packets through 10.1.1.1?

Router#show ip route

D 192.168.32.0/19 [90/25789217] via 10.1.1.1
R 192.168.32.0/24 [120/4] via 10.1.1.2
O 192.168.32.0/26 [110/229840] via 10.1.1.3

A. Configure EIGRP to receive 192.168.32.0 route with lower metric
B. Configure EIGRP to receive 192.168.32.0 route with lower administrative distance
C. Configure EIGRP to receive 192.168.32.0 route with equal or longer prefix than /24
D. Configure EIGRP to receive 192.168.32.0 route with longer prefix than /19

Answer: C

Explanation

The router forwards on the longest prefix match first and only compares administrative
distance between routes to the same prefix. 192.168.32.100 falls outside 192.168.32.0/26
(.0 to .63), so the longest matching route is the RIP /24 via 10.1.1.2, and the EIGRP /19
via 10.1.1.1 is never considered despite its lower AD. For EIGRP to win, it must offer a
prefix that covers 192.168.32.100 and is at least as long as /24: with an equal /24,
EIGRP's AD of 90 beats RIP's 120; with a longer prefix it wins on length alone.

Question 11
Refer to the exhibit. A junior engineer updated a branch router configuration. Immediately
after the change, the engineer receives calls from the help desk that branch personnel
cannot reach any network destinations. Which configuration restores service and continues
to block 10.1.1.100/32?

A. ip prefix-list 102 seq 15 permit 0.0.0.0/32 le 32


B. route-map FILTER-IN permit 20
C. ip prefix-list 102 seq 5 permit 0.0.0.0/32 le 32
D. route-map FILTER-IN deny 5

Answer: B

Explanation

A route-map sequence with the "deny" keyword filters out whatever the referenced
prefix-list permits. But a route map, like a prefix list, ends with an implicit "deny all",
so with only the deny sequence present every prefix is dropped and the branch loses all
destinations. A following sequence with the "permit" keyword and no match clause
(route-map FILTER-IN permit 20) lets all other prefixes through, while 10.1.1.100/32 is
still stopped by the earlier deny sequence.
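The exhibit for this question is not reproduced here, so the following Python, an added example rather than page or vendor code, assumes a configuration of the shape the options imply: prefix-list 102 permits 10.1.1.100/32 and route-map FILTER-IN has a single "deny 10" sequence that matches it. It models IOS first-match semantics for both objects (entries in sequence order, implicit deny at the end, a route-map sequence with no match clause matching everything) to show why every prefix is dropped until a "permit 20" sequence is added, and why widening prefix-list 102 with a catch-all entry makes things worse rather than better.

```python
import ipaddress

# Assumed reconstruction of the junior engineer's change (the exhibit is not on this page):
#   ip prefix-list 102 seq 10 permit 10.1.1.100/32
#   route-map FILTER-IN deny 10
#    match ip address prefix-list 102
# Prefix-list entries: (action, network, ge, le); None means "exact length".
PREFIX_LISTS = {"102": [("permit", "10.1.1.100/32", None, None)]}
# Route-map sequences: (action, seq, prefix-list name or None for "no match clause").
FILTER_IN_BROKEN = [("deny", 10, "102")]
FILTER_IN_FIXED = [("deny", 10, "102"), ("permit", 20, None)]   # answer B

# What a catch-all line added to prefix-list 102 amounts to: every prefix now matches the
# prefix-list, so the route map's deny sequence matches everything.
PREFIX_LISTS_WIDENED = {"102": [("permit", "0.0.0.0/0", None, 32),
                                ("permit", "10.1.1.100/32", None, None)]}


def prefix_list_permits(entries, prefix):
    """IOS prefix-list match: the first entry whose network contains the prefix and whose
    ge/le window contains the prefix length decides; no matching entry means deny."""
    p = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        n = ipaddress.ip_network(net)
        low = ge if ge is not None else n.prefixlen
        high = le if le is not None else (p.max_prefixlen if ge is not None else n.prefixlen)
        if p.network_address in n and low <= p.prefixlen <= high:
            return action == "permit"
    return False


def route_map_permits(sequences, prefix_lists, prefix):
    """Sequences are tried in order; a sequence matches if it has no match clause or its
    prefix-list permits the prefix. The first matching sequence's action wins and an
    unmatched prefix is dropped (implicit deny)."""
    for action, _seq, pl_name in sequences:
        if pl_name is None or prefix_list_permits(prefix_lists[pl_name], prefix):
            return action == "permit"
    return False


def accepted_routes(sequences, prefix_lists, offered):
    """Apply the route map inbound to a list of offered prefixes."""
    return [p for p in offered if route_map_permits(sequences, prefix_lists, p)]


# Constructed set of prefixes the branch router receives; assumed, not from the exhibit.
OFFERED = ["10.1.1.100/32", "10.1.0.0/16", "172.16.0.0/12", "0.0.0.0/0"]

if __name__ == "__main__":
    print("broken :", accepted_routes(FILTER_IN_BROKEN, PREFIX_LISTS, OFFERED))
    print("fixed  :", accepted_routes(FILTER_IN_FIXED, PREFIX_LISTS, OFFERED))
    print("widened:", accepted_routes(FILTER_IN_BROKEN, PREFIX_LISTS_WIDENED, OFFERED))
```

With only the deny sequence nothing is accepted; with "permit 20" added everything except 10.1.1.100/32 comes back; with the prefix-list widened instead, the deny sequence now matches every prefix and the outage remains.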

Question 12

An engineer configured a leak-map command to summarize EIGRP routes and advertise
specifically loopback 0 with an IP of 10.1.1.1 255.255.255.252 along with the summary
route. After finishing configuration, the customer complained not receiving summary route
with specific loopback address. Which two configurations will fix it? (Choose two)

router eigrp 1
!
route_map Leak-Route deny 10
match ACL
!
interface Serial 0/0
ip summary-address eigrp 1 10.0.0.0 255.0.0.0 leak-map Leak-Route

A. Configure route-map Leak-Route permit 10 and match access-list 1
B. Configure access-list 1 permit 10.1.1.1 0.0.0.252
C. Configure access-list 1 and match under route-map Leak-Route
D. Configure route-map Leak-Route permit 20
E. Configure access-list 1 permit 10.1.1.0 0.0.0.3

Answer: A E

Explanation

When you configure an EIGRP summary route, all networks that fall within the range of your
summary are suppressed and no longer advertised on the interface. Only the summary
route is advertised. But if we want to advertise a network that has been suppressed along
with the summary route then we can use leak-map feature. The below commands will fix
the configuration in this question:

R1(config)#access-list 1 permit 10.1.1.0 0.0.0.3
R1(config)#route-map Leak-Route permit 10 // this command also replaces the
“route_map Leak-Route deny 10” command
R1(config-route-map)#match ip address 1

Question 13

Refer to the exhibit. An IP SLA is configured to use the backup default route when the
primary is down, but it is not working as desired. Which command fixes the issue?

R1(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
R1(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.2 10
R1(config)#ip sla 1
R1(config)#icmp-echo 1.1.1.1 source-interface FastEthernet0/0
R1(config)#ip sla schedule 1 life forever start-time now
R1(config)#track 1 ip sla 1 reachability

A. R1(config)# ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
B. R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2
C. R1(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.2 10 track 1
D. R1(config)# ip sla track 1

Answer: A

Explanation

The primary default route via 1.1.1.1 was entered without the "track 1" keyword, so it
stays in the routing table even when the IP SLA probe fails, and the floating static route
via 2.2.2.2 (AD 10) never takes over. Re-entering the primary route with "track 1" ties its
presence in the routing table to the track object.

Question 14

What is an advantage of using BFD?

A. It detects local link failure at layer 1 and updates routing table
B. It detects local link failure at layer 3 and updates routing protocols
C. It has sub-second failure detection for layer 1 and layer 2 problems
D. It has sub-second failure detection for layer 1 and layer 3 problems
Answer: C

Question 15

Refer to the exhibit. The ACL is placed on the inbound GigabitEthernet 0/1 interface of the
router. Host 192.168.10.10 cannot SSH to host 192.168.100.1 even though the flow is
permitted. Which action resolves the issue without opening full access to this router?
ip access-list extended FILTER
deny tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 22
deny tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 23
deny tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 80
deny tcp 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255 eq 443
permit tcp host 192.168.10.10 host 192.168.100.10 eq ssh -> Shadow rule
permit ip any any
!
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip access-group FILTER in

A. Temporarily move the permit ip any any line to the beginning of the ACL to see if it the
flow works
B. Run the show access-list FILTER command to view if the SSH entry has any hit statistics
associated with it
C. Move the SSH entry to the beginning of the ACL
D. Temporarily remove the ACL from the interface to see if the flow works

Answer: C
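Cisco wildcard-mask matching and the resulting shadow rule can be checked programmatically. The Python below is an added example, not from the page or from Cisco: it evaluates an ordered ACL the way IOS does, first match wins with an implicit deny at the end, and flags any entry whose entire match space is already covered by an earlier entry, which is why the host-to-host SSH permit never fires until it is moved above the subnet-wide deny. The same wildcard helper also shows why, in question 12, "access-list 1 permit 10.1.1.0 0.0.0.3" matches the 10.1.1.0/30 loopback network and "permit 10.1.1.1 0.0.0.252" does not. The SSH packet used for the check is constructed.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _u32(a):
    return int(ipaddress.IPv4Address(a))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    care = ~_u32(wildcard) & MASK32
    return (_u32(addr) & care) == (_u32(base) & care)


def wildcard_covers(wide, narrow):
    """True if every address matched by narrow=(base, wc) is matched by wide=(base, wc):
    narrow may only ignore bits that wide ignores, and both must agree on the bits
    wide cares about."""
    wb, ww = _u32(wide[0]), _u32(wide[1])
    nb, nw = _u32(narrow[0]), _u32(narrow[1])
    care = ~ww & MASK32
    return (nw & care) == 0 and (nb & care) == (wb & care)


def ace(action, proto, src, swc, dst, dwc, dport=None):
    """One access-list entry; 'any' = 0.0.0.0 255.255.255.255, 'host x' = x 0.0.0.0."""
    return {"action": action, "proto": proto, "src": (src, swc),
            "dst": (dst, dwc), "dport": dport}


ANY = ("0.0.0.0", "255.255.255.255")

# The FILTER ACL from the question, in configured order.
FILTER = [
    ace("deny", "tcp", "192.168.10.0", "0.0.0.255", "192.168.100.0", "0.0.0.255", 22),
    ace("deny", "tcp", "192.168.10.0", "0.0.0.255", "192.168.100.0", "0.0.0.255", 23),
    ace("deny", "tcp", "192.168.10.0", "0.0.0.255", "192.168.100.0", "0.0.0.255", 80),
    ace("deny", "tcp", "192.168.10.0", "0.0.0.255", "192.168.100.0", "0.0.0.255", 443),
    ace("permit", "tcp", "192.168.10.10", "0.0.0.0", "192.168.100.10", "0.0.0.0", 22),
    ace("permit", "ip", *ANY, *ANY),
]
# Answer C: the host-to-host SSH permit moved to the top of the list.
FILTER_FIXED = [FILTER[4]] + FILTER[:4] + [FILTER[5]]


def ace_matches(entry, pkt):
    return (entry["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *entry["src"])
            and wildcard_match(pkt["dst"], *entry["dst"])
            and (entry["dport"] is None or entry["dport"] == pkt["dport"]))


def first_match(acl, pkt):
    """(index, action) of the first matching entry, or (None, 'deny') for the implicit deny."""
    for i, entry in enumerate(acl):
        if ace_matches(entry, pkt):
            return i, entry["action"]
    return None, "deny"


def ace_covers(wide, narrow):
    """Every packet narrow could match is already matched by wide."""
    return (wide["proto"] in ("ip", narrow["proto"])
            and wildcard_covers(wide["src"], narrow["src"])
            and wildcard_covers(wide["dst"], narrow["dst"])
            and (wide["dport"] is None or wide["dport"] == narrow["dport"]))


def shadowed_entries(acl):
    """(index, shadowed_by) for entries that can never be the first match."""
    out = []
    for i, entry in enumerate(acl):
        for j in range(i):
            if ace_covers(acl[j], entry):
                out.append((i, j))
                break
    return out


# Constructed test packet: the SSH flow from the question.
SSH = {"proto": "tcp", "src": "192.168.10.10", "dst": "192.168.100.10", "dport": 22}

if __name__ == "__main__":
    print("shadowed in FILTER:", shadowed_entries(FILTER))
    print("SSH through FILTER:", first_match(FILTER, SSH))
    print("SSH through fixed :", first_match(FILTER_FIXED, SSH))
```

Running it reports entry 4 as shadowed by entry 0, the SSH flow hitting the deny at entry 0 of the original list and the permit at entry 0 of the reordered one, while SSH from the same host to any other address in 192.168.100.0/24 is still denied, so moving the line opens nothing beyond the intended flow.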

Question 16

Which component of MPLS VPN is used to extend the IP address so that an engineer is able
to identify to which VPN it belongs?

A. RD
B. VPNv4 address family
C. RT
D. LDP

Answer: A

Question 17

Refer to the exhibit. BGP is flapping after the CoPP policy is applied. What are the two
solutions to fix the issue? (Choose two)
policy-map COPP-7600
class COPP-CRITICAL-7600
police cir 2000000 bc 62500
conform-action transmit
exceed-action transmit
!
class class-default
police cir 2000000 bc 6250
conform-action transmit
exceed-action drop
!
class-map match-all COPP-CRITICAL-7600
match access-group name COPP-CRITICAL-7600
!
ip access-list extended COPP-CRITICAL-7600
permit ip any any eq http
permit ip any any eq https

A. Configure BGP in the COPP-CRITICAL-7600 ACL
B. Configure a higher value for CIR under the default class to allow more packets during
peak traffic
C. Configure a higher value for CIR under the class COPP-CRITICAL-7600
D. Configure a three-color policer instead of two-color policer under class COPP-CRITICAL-
7600
E. Configure IP CEF to CoPP policy and BGP to work

Answer: A B

Explanation

The policy-map COPP-7600 places only HTTP and HTTPS in class COPP-CRITICAL-7600
(based on the ACL), and because that class uses "exceed-action transmit" its traffic is
never dropped. Everything else, BGP included, falls into class-default, which drops packets
above the 2 Mbps CIR, so BGP keepalives and updates are lost whenever other control-plane
traffic fills the default class, and the sessions flap. There are two ways to solve this:
+ Add BGP to the critical ACL with "permit tcp any any eq bgp" so BGP is policed in the
class that does not drop
+ Raise the CIR of class-default so it can carry BGP together with the other traffic that
lands there
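Questions 2 and 17 both come down to what a single-rate, two-colour policer does to control-plane traffic that shares a class. The Python below is an added simulation, not Cisco code and not the exhibit output: it implements the token bucket behind "police cir ... bc ..." (bc bytes of burst, refilled at cir bits per second), classifies a constructed packet stream the way the COPP-7600 policy-map does, and counts what each class drops. The traffic mix is constructed: an ICMP flood at the router far above the CIR, with a few BGP UPDATEs arriving in the middle of it. Platform policers differ in detail (the 7600 polices in hardware), so the numbers are illustrative, but the mechanism is the one the question relies on.

```python
class Policer:
    """Single-rate, two-colour policer: a bucket bc bytes deep refilled at cir bps."""

    def __init__(self, cir_bps, bc_bytes):
        self.rate = cir_bps / 8.0       # bytes per second
        self.bc = float(bc_bytes)
        self.tokens = float(bc_bytes)   # bucket starts full
        self.last = 0.0

    def offer(self, t, size):
        """Return 'conform' (tokens consumed) or 'exceed' (packet not charged)."""
        self.tokens = min(self.bc, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


# (class name, match function standing in for the class-map ACL, cir, bc, exceed-action)
POLICY_BROKEN = [
    ("COPP-CRITICAL-7600", lambda p: p["dport"] in (80, 443), 2_000_000, 62500, "transmit"),
    ("class-default", lambda p: True, 2_000_000, 6250, "drop"),
]
# Same policy with BGP (TCP/179) added to the critical ACL, as answer A proposes.
POLICY_FIXED = [
    ("COPP-CRITICAL-7600", lambda p: p["dport"] in (80, 443, 179), 2_000_000, 62500, "transmit"),
    ("class-default", lambda p: True, 2_000_000, 6250, "drop"),
]


def sample_packets():
    """Constructed control-plane traffic: a 100k pps flood of 64-byte ICMP echo requests
    for 0.2 s (about 51 Mbps, far above the 2 Mbps CIR) with three 400-byte BGP UPDATEs
    arriving while the flood is running."""
    pkts = [{"t": i * 1e-5, "size": 64, "dport": None, "label": "icmp"} for i in range(20000)]
    pkts += [{"t": t, "size": 400, "dport": 179, "label": "bgp"} for t in (0.05, 0.10, 0.15)]
    pkts.sort(key=lambda p: p["t"])     # stable sort keeps flood packets first at equal times
    return pkts


def run(policy, packets):
    """Classify and police every packet; return packets dropped per traffic label."""
    policers = {name: Policer(cir, bc) for name, _, cir, bc, _ in policy}
    dropped = {}
    for p in packets:
        for name, match, _, _, exceed_action in policy:   # first matching class wins
            if match(p):
                verdict = policers[name].offer(p["t"], p["size"])
                if verdict == "exceed" and exceed_action == "drop":
                    dropped[p["label"]] = dropped.get(p["label"], 0) + 1
                break
    return dropped


if __name__ == "__main__":
    print("broken policy drops:", run(POLICY_BROKEN, sample_packets()))
    print("fixed policy drops :", run(POLICY_FIXED, sample_packets()))
```

With the original policy the flood keeps the class-default bucket close to empty, so every BGP UPDATE arrives to find fewer tokens than its size and is dropped alongside the ICMP; once BGP is classified into the critical class it is never dropped, while the flood in class-default is still policed as before. This is the same reason question 2 separates the NMS traffic into per-protocol classes: a shared bucket lets one chatty protocol starve the others.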

Question 18

During the maintenance window, an administrator accidentally deleted the telnet-related
configuration that permits a Telnet connection from the inside network (Eth 0/0) to the
outside of the network between Friday-Sunday night hours only. Which configuration
resolves the issue?

A.
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range
changewindow
!
time-range changewindow
periodic 22:00 to 05:00

B.
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range
changewindow
!
time-range changewindow
periodic Friday Saturday Sunday 22:00 to 05:00

C.
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit udp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range
changewindow
!
time-range changewindow
periodic Friday Saturday Sunday 22:00 to 05:00

D.
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
!
access-list 101 permit udp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet time-range
changewindow
!
time-range changewindow
periodic Friday Saturday Sunday

Answer: B

Explanation
Telnet is based on TCP port 23 so we must filter tcp traffic in the ACL.

Note: The time is specified in 24-hour time (hh:mm), where the hours range from 0 to 23
and the minutes range from 0 to 59.

Question 19
Refer to the exhibit. Which action resolves the intermittent connectivity observed with the
SNMP trap packets?

A. Add a new class map to match TCP traffic
B. Add one new entry in the ACL 120 to permit the UDP port 161
C. Increase the CIR of the mgmt class map
D. Decrease the committed burst size of the mgmt class map

Answer: C

Question 20

An engineer configured a company's multi-area OSPF head office router and Site A Cisco
routers with VRF-lite. Each site router is connected to a PE router of an MPLS backbone.
After finishing both site router configurations, none of the type 3, 4, 5 and 7 LSAs are
installed at the Site A router.

Which configuration resolves this issue?


A. configure capability vrf-lite on Site A and its connected PE router under router ospf 1
vrf abc
B. configure capability vrf-lite on Head Office and its connected PE router under router
ospf 1 vrf abc
C. configure capability vrf-lite on both PE routers connected to Head Office and Site A
routers under router ospf 1 vrf abc
D. configure capability vrf-lite on Head Office and Site A routers under router ospf 1 vrf
abc
Answer: D

Explanation

In this case both Head Office and Site A routers run VRF (and OSPF) although they are CE
routers. So we must configure “capability vrf-lite” on them too.

For your information, the capability vrf-lite command disables the DN-bit (down bit) and
domain-tag checks in OSPF. Since the CE router acts as the PE router in VRF-lite, these
checks should be disabled, because the PE routers advertise VPN routes with DN-bit set to
the CE routers. If the CE routers receive routes with DN-bit set, it will discard them. Hence,
the checks should be disabled.

========================== New Questions (added on 2nd-Nov-2020) ==========================

Question 21
Drag and drop the MPLS VPN device types from me left onto the definitions on the right.

Answer:

+ device in the enterprise network that connects to other customer devices: Customer (C)
device
+ device in the core of the provider network that switches MPLS packets: Provider (P)
device
+ device that attaches and detaches the VPN labels to the packets in the provider network:
PE device
+ device at the edge of the enterprise network that connects to the SP network: CE device

Question 22

To provide reachability to network 10.1.1.0/24 from R5, the network administrator
redistributes EIGRP into OSPF on R3 but notices that R4 is now taking a suboptimal path
through R5 to reach 10.1.1.0/24 network. Which action fixes the issue while keeping the
reachability from R5 to 10.1.1.0/24 network?
A. Change the administrative distance of OSPF to 200 on R5
B. Change the administrative distance of the external EIGRP to 90
C. Apply the outbound distribution list on R5 toward R4 in OSPF
D. Redistribute OSPF into EIGRP on R4

Answer: B

Explanation

Subnet 10.1.1.0/24 is redistributed into the EIGRP domain, so it is carried there as an
external EIGRP route with an administrative distance (AD) of 170. R4 therefore learns it
from R2 with AD 170.

On the other hand, 10.1.1.0/24 is also redistributed into OSPF on R3, so R5 and R4 learn
it with AD 110, which is better than 170. R4 therefore prefers the path
R4 -> R5 -> R3 -> R2 -> R1.

One way to solve this is an outbound distribute list on R5 that filters this subnet from
being advertised to R4. R4 then has only one path to R1, R4 -> R2 -> R1, but the backup
route is gone, so this is not the best solution.

The better solution is to lower the AD of external EIGRP routes on R4 to a value below
OSPF's 110. This preserves the OSPF route as a backup in case the main route fails. To
do this, we can use the following command on R4:

router eigrp 1
distance eigrp 90 91 // AD 90 for internal EIGRP routes and 91 for external EIGRP routes;
any external value below 110 works here

We tested this lab in GNS3 and you can read this lab here. This is the result when we type
the “distance eigrp …” command above on R4:

R4#show ip route
Gateway of last resort is not set

10.0.0.0/24 is subnetted, 6 subnets


D 10.1.12.0 [90/30720] via 10.1.24.2, 00:00:05, FastEthernet0/0
D EX 10.1.1.0 [91/33280] via 10.1.24.2, 00:00:05, FastEthernet0/0
C 10.1.24.0 is directly connected, FastEthernet0/0
D 10.1.23.0 [90/30720] via 10.1.24.2, 00:00:05, FastEthernet0/0
C 10.1.45.0 is directly connected, FastEthernet1/0
O 10.1.35.0 [110/2] via 10.1.45.5, 00:00:11, FastEthernet1/0

Note: We can change the AD of EIGRP routes via the “distance eigrp …” command but the
effect of this command is local only.

Question 23

An engineer is configuring a network and needs packets to be forwarded to an interface for
any destination address that is not in the routing table. What should be configured to
accomplish this task?

A. set ip next-hop
B. set ip default next-hop
C. set ip next-hop recursive
D. set ip next-hop verify-availability

Answer: B

Explanation

The set ip default next-hop command verifies the existence of the destination IP address
in the routing table, and…
– If the destination IP address exists, the command does not policy route the packet, but
forwards the packet based on the routing table.
– If the destination IP address does not exist, the command policy routes the packet by
sending it to the specified next hop.
The set ip next-hop command verifies the existence of the next hop specified, and…
– If the next hop exists in the routing table, then the command policy routes the packet to
the next hop.
– If the next hop does not exist in the routing table, the command uses the normal routing
table to forward the packet.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

Question 24

Refer to the exhibit.

An engineer has configured DMVPN on a spoke router. What is the WAN IP address of
another spoke router within the DMVPN network?

A. 192.168.1.1
B. 172.18.16.2
C. 192.168.1.4
D. 172.18.46.2

Answer: D

Explanation

From the output we can see there are 2 NHRP Peers. The first one with the NBMA Address
of 172.18.16.2 and the “Attribute” (Attrb) of Static (S) so we can deduce it is the Hub
device. Therefore the second one must be the remaining Spoke device with the attribute of
Dynamic (D).

An example of the “show dmvpn” output is shown below:

Spoke1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
N - NATed, L - Local, X - No Socket
# Ent --> Number of NHRP entries with same NBMA peer
NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel1, IPv4 NHRP Details
Type:Spoke, NHRP Peers:2,

# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 44.44.44.4 192.168.100.254 UP 00:03:40 S
1 12.12.12.2 192.168.100.2 UP 00:03:20 D

Question 25

Refer to the exhibit.

*Jul 23 09:33:34.530: IF-EvD(GigabitEthernet0/0): reports state transition from DOWN to DOWN
*Jul 23 09:33:35.525: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Jul 23 09:33:35.528: IF-EvD(GigabitEthernet0/0): IP Routing reports state transition from DOWN to DOWN
*Jul 23 09:33:36.215: IF-EvD(GigabitEthernet0/0): IP Routing reports state transition from DOWN to DOWN
*Jul 23 09:33:37.996: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Jul 23 09:33:38.006: IF-EvD(GigabitEthernet0/0): IP Routing reports state transition from DOWN to UP
*Jul 23 09:33:38.998: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

R1 is connected with R2 via GigabitEthernet0/0, and R2 cannot ping R1. What action will fix
the issue?

A. Fix route dampening configured on the router.
B. Replace the SFP module because it is not supported.
C. Fix IP Event Dampening configured on the interface.
D. Correct the IP SLA probe that failed.
Answer: C

Explanation

The IP Event Dampening feature introduces a configurable exponential decay mechanism to
suppress the effects of excessive interface flapping events on routing protocols and routing
tables in the network. This feature allows the network operator to configure a router to
automatically identify and selectively dampen a local interface that is flapping.

Dampening an interface effectively removes it from the network until the interface is stable
and stops flapping (bouncing up and down). Configuring IP event dampening also improves
stability and convergence time, because these disturbances are not propagated to other
parts of the network, thus reducing the wastage of system resources required to process
them.

The following example configures interface dampening on Gigabit Ethernet interface 0/0/0
and sets the half life to 30 seconds, the reuse threshold to 1500, the suppress threshold to
10000, and the maximum suppress time to 120 seconds:
interface GigabitEthernet 0/0/0
dampening 30 1500 10000 120
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-16-11/iri-xe-16-11-book/iri-pi-event-damp.html

Question 26

Refer to the exhibit.

The server for the finance department is not reachable consistently on the 200.30.40.0/24
network and after every second month it gets a new IP address. Which two actions must be
taken to resolve this issue? (Choose two)

A. Configure the server with a static IP address and default gateway
B. Configure the server to use DHCP on the network with default gateway 200.30.40.100
C. Configure the router to exclude a server IP address
D. Configure the server to use DHCP on the network with default gateway 200.30.30.100
E. Configure the router to exclude a server IP address and default gateway

Answer: A C

Explanation

The command “lease 40” set the duration of the lease (the time during which a client
computer can use an assigned IP address). The syntax is “lease {days[hours] [minutes] |
infinite}”. In this case the lease is 40 days. Therefore the server for the finance department
is getting new IP address every 40 days. It is very inconvenient and we should
assign/configure a static IP address for the finance department server. We can do it via two
ways:
+ Static configure an IP address on the finance department server and exclude that IP
address in the DHCP pool
+ Instruct the DHCP pool to assign a specific IP address for the MAC address of the finance
department server (via the “client-identifier …” or “hardware-address …” command)

Question 27

Which protocol does MPLS use to support traffic engineering?

A. Tag Distribution Protocol
B. Label Distribution Protocol
C. Border Gateway Protocol
D. Resource Reservation Protocol
Answer: D

Explanation

The Resource Reservation Protocol (RSVP) is a network control protocol used by a host to
request specific qualities of service from the network for particular application data streams
or flows. RSVP is also used by routers to deliver quality of service (QoS) requests to all
nodes along the path(s) of the flows and to establish and maintain operational state to
provide the requested service. In general, RSVP requests result in resources reserved in
each node along the data path.
The Resource Reservation Protocol for Traffic Engineering (RSVP-TE) is an extended version
of RSVP for MPLS. RSVP-TE uses traffic engineering extensions to support automatic
signaling of LSPs. MPLS uses RSVP-TE to set up traffic-engineered LSPs.

Question 28
Drag and Drop the IPv6 First-Hop Security features from the left onto the definitions on the
right.

Answer:

+ Block reply and advertisement messages from unauthorized DHCP servers and relay
agents: IPv6 DHCPv6 Guard
+ Create a binding table that is based on NS and NA messages: IPv6 ND Inspection
+ Filter inbound traffic on Layer 2 switch ports that is not in the IPv6 binding table: IPv6
Source Guard
+ Block RA messages from a malicious host and permit those from the legitimate router:
IPv6 RA Guard
+ Create IPv6 neighbors connected to the device from information sources such as NDP
snooping: IPv6 Binding Table

Explanation
The DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate
from unauthorized DHCP servers and relay agents that forward DHCP packets from servers
to clients. Client messages or messages sent by relay agents from clients to servers are not
blocked.

IPv6 ND Inspection creates a binding table that is based on NS (Neighbor Solicitation)
and NA (Neighbor Advertisement) messages. The switch then uses this table to check any
future NS/NA messages. When the IPv6-LLA combination does not match, it drops the
message. This only applies to NS/NA messages; it doesn’t drop any actual data packets that
have a spoofed IPv6 or MAC address.

IPv6 Source Guard filters inbound traffic on L2 switch ports that are not in the IPv6
binding table. The binding table stores the following information:
+ IPv6 address
+ MAC address
+ VLAN
+ Interface ID
Source Guard only looks at information found in the binding table, and it doesn’t fill the
binding table.

The IPv6 RA Guard feature allows the network administrator to block or reject unwanted or
rogue RA messages that arrive at the network device platform. RAs are used by devices to
announce themselves on the link. The IPv6 RA Guard feature analyzes these RAs and filters
out RAs that are sent by unauthorized devices.

Question 29

Refer to the exhibit.


R1 is being monitored using SNMP and monitoring devices are getting only partial
information. What action should be taken to resolve this issue?

A. Modify the access list to include snmptrap
B. Modify the CoPP policy to increase the configured exceeded limit for SNMP
C. Modify the CoPP policy to increase the configured CIR limit for SNMP
D. Modify the access list to add a second line to allow udp any any eq snmp

Answer: A

Explanation

From the output we can see that no SNMP packets have been dropped so far, so we don’t need to
increase any SNMP limit. The following statement should be added to the ACL: “permit
udp any any eq snmptrap” so that additional information can be sent.

Question 30

Refer to the exhibit.


A network engineer for AS64512 must remove the inbound and outbound traffic from link A
during maintenance without closing the BGP session. Traffic should flow via the backup link
toward the ASN. Which BGP configuration on R1 accomplishes this goal?

Exhibit: Option A, Option B, Option C, Option D

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation
Local preference is used to choose the path to external BGP neighbors. An example of using
local-preference is shown below:
In this case all BGP prefixes advertised via Link B will have a local preference of 200, which
is higher than the default value (100), so Link B is preferred over Link A for sending traffic.

========================== New Questions (added on 9th-Nov-2020) ==========================

Question 31
Refer to the exhibit. A client is concerned that passwords are visible when running
the show archive log config all command.

Which router configuration is needed to resolve this issue?

A. MASS-RTR(config-archive-log-cfg)#hidekeys
B. MASS-RTR(config-archive-log-cfg)#password encryption aes
C. MASS-RTR(config)#service password-encryption
D. MASS-RTR(config)#aaa authentication arap

Answer: A

Explanation
Enabling the hidekeys command increases security by preventing password information
from being displayed in configuration log files.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-3s/config-mgmt-xe-3s-book/cm-config-logger.html

Question 32

Which IGPs are supported by the MPLS LDP autoconfiguration feature?

A. ISIS and RIPv2
B. RIPv2 and OSPF
C. OSPF and ISIS
D. OSPF and EIGRP

Answer: C

Explanation

The MPLS LDP Autoconfiguration feature enables you to globally enable LDP on every
interface associated with an IGP instance. This feature is supported on OSPF and IS-IS
IGPs. It provides a means to block LDP from being enabled on interfaces that you do not
want enabled.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/mpls/configuration/guide/convert/mp_ldp_book/mp_ldp_autoconfig.html

Question 33

What does the PE router convert the IPv4 prefix to within an MPLS VPN?

A. 48-bit route combining the IP and PE router-id
B. VPN-IPv4 prefix combined with the 64-bit route distinguisher
C. eBGP path association between the PE and CE sessions
D. prefix that combines the ASN, PE router-id, and IP prefix

Answer: B

Explanation

The IP prefix is a member of the IPv4 address family. After the PE device learns the IP
prefix, the PE converts it into a VPN-IPv4 prefix by combining it with an 8-byte route
distinguisher (RD). The generated prefix is a member of the VPN-IPv4 address family. It
uniquely identifies the customer address, even if the customer site is using globally
nonunique (unregistered private) IP addresses.

Question 34

Refer to the exhibit.


Which two actions should be taken to access the server? (Choose two)

A. Modify the access list to add a second line of permit ip any any
B. Modify the access list to deny the route to 192.168.2.2
C. Modify distribute list seq 10 to permit the route to 192.168.2.2
D. Add a sequence 20 in the route map to permit access list 1
E. Add a floating static route to reach to 192.168.2.2 with administrative distance higher
than OSPF

Answer: B E (maybe this question is missing some information)

Question 35

Refer to the exhibit.


An engineer wanted to set a tag of 30 to route 10.1.80.65/32 but it failed. How is the issue
fixed?

A. Modify route-map ospf-to-eigrp permit 30 and match prefix-list ccnp2.
B. Modify route-map ospf-to-eigrp permit 10 and match prefix-list ccnp2.
C. Modify prefix-list ccnp3 to add 10.1.64.0/20 le 24
D. Modify prefix-list ccnp3 to add 10.1.64.0/20 ge 32

Answer: B

Question 36

What does IPv6 Source Guard utilize to determine if IPv6 source addresses should be
forwarded?

A. Binding Table
B. ACLS
C. ACE
D. DHCP

Answer: A

Explanation

IPv6 Source Guard filters inbound traffic on L2 switch ports that are not in the IPv6 binding
table. The binding table stores the following information:
+ IPv6 address
+ MAC address
+ VLAN
+ Interface ID

Source Guard only looks at information found in the binding table, and it doesn’t fill the
binding table.

Question 37

An engineer needs dynamic routing between two routers and is unable to establish OSPF
adjacency. The output of the show ip ospf neighbor command shows that the neighbor
state is EXSTART/EXCHANGE. Which action should be taken to resolve this issue?

A. match the passwords
B. match the hello timers
C. match the MTUs
D. match the network types

Answer: C

Explanation

Neighbors Stuck in Exstart/Exchange State

The problem occurs most frequently when attempting to run OSPF between a Cisco router
and another vendor’s router. The problem occurs when the maximum transmission unit
(MTU) settings for neighboring router interfaces don’t match. If the router with the higher
MTU sends a packet larger than the MTU set on the neighboring router, the neighboring
router ignores the packet.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html

Question 38

Refer to the exhibit.

Exhibit: Option A, Option B, Option C, Option D

A network administrator configured an IPv6 access list to allow TCP return frame only, but it
is not working as expected. Which changes resolve this issue?

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

The established keyword is only applicable to TCP access list entries; it matches TCP
segments that have the ACK and/or RST control bit set (regardless of the source and
destination ports), which implies that a TCP connection has already been established from
one direction. Let’s see an example below:

Suppose you only want to allow the hosts inside your company to telnet to an outside
server but not vice versa; you can simply use an “established” access-list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
 ip access-group 100 in
 ip access-group 101 out

Question 39

Refer to the exhibit.

Router#show running-config
Building configuration…
!
<output omitted>
!
hostname R1
!
ip domain-name networktut.com
!
crypto key generate rsa modulus 2048
!
username admin privilege 15 secret cisco123
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny any log
!
line vty 0 15
access-list 1 in
login local
!
<output omitted>
!
end

A user cannot SSH to the router. What action must be taken to resolve this issue?

A. Configure transport input ssh
B. Configure transport output ssh
C. Configure ip ssh version 2
D. Configure ip ssh source-interface loopback0

Answer: A

Question 40
Refer to the exhibit. Which interface configuration must be configured on the HUB router to
enable DMVPN with mGRE mode?

Option A
interface Tunnel0
 description mGRE – DMVPN Tunnel
 ip address 10.1.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 172.17.0.1
 ip nhrp map 10.0.0.11 172.17.0.2
 ip nhrp map 10.0.0.12 172.17.0.3
 tunnel mode gre

Option B
interface Tunnel0
 description mGRE – DMVPN Tunnel
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 10.0.0.1
 tunnel mode gre multipoint

Option C
interface Tunnel0
 description mGRE – DMVPN Tunnel
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source 172.17.0.1
 tunnel mode gre multipoint

Option D
interface Tunnel0
 description mGRE – DMVPN Tunnel
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source 10.0.0.1
 tunnel destination 172.17.0.2
 tunnel mode gre multipoint

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

Option A is not correct: as we are configuring DMVPN with mGRE mode, we must use the
command “tunnel mode gre multipoint”, not “tunnel mode gre”.

Options B and D are not correct: the IP address of the “tunnel source” must be the
IP address of the physical interface (the NBMA address 172.17.0.1), not the tunnel interface
address.

The “tunnel source” IP address should be the NBMA address of the Hub interface:
172.17.0.1.

Note: If we are running dynamic routing protocols based on multicast (like RIP, OSPF,
EIGRP …) we have to add the command “ip nhrp map multicast dynamic” on the Hub to
replicate all multicast traffic to all dynamic entries in the NHRP table (multicast will be
processed as unicast traffic).

An example of configuring DMVPN Phase II – Dynamic Mapping is shown below:

Hub
interface tunnel 1
 ip address 192.168.100.254 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 tunnel source 44.44.44.4
 tunnel mode gre multipoint

Spoke 1
interface tunnel 1
 ip address 192.168.100.1 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map 192.168.100.254 44.44.44.4
 ip nhrp nhs 192.168.100.254
 tunnel source 11.11.11.1
 tunnel mode gre multipoint

Spoke 2
interface tunnel 1
 ip address 192.168.100.2 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map 192.168.100.254 44.44.44.4
 ip nhrp nhs 192.168.100.254
 tunnel source 12.12.12.2
 tunnel mode gre multipoint

If you want to learn more about DMVPN please read our DMVPN Tutorial.

Question 41

Refer to the exhibit.

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
!
time-range Office-hour
periodic weekdays 08:00 to 17:00
!
access-list 101 permit tcp 10.0.0.0 0.0.0.0 172.16.1.0 0.0.0.255 eq ssh time-range Office-hour

An IT staff member comes into the office during normal office hours and cannot access
devices through SSH. Which action should be taken to resolve this issue?

A. Modify the access list to use the correct IP address
B. Configure the correct time range
C. Modify the access list to correct the subnet mask
D. Configure the access list in the outbound direction

Answer: A

Question 42

Refer to the exhibit.


R1#show run | begin line
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
transport preferred telnet
transport output none
stopbits 0 4
!
line vty 0 4
login
transport preferred telnet
transport input none
transport output telnet
R1#
R1#ssh -l cisco 192.168.12.2
%ssh connections not permitted from this terminal
R1#

Option A
R1(config)#line console 0
R1(config-line)#transport preferred ssh

Option B
R1(config)#line vty 0
R1(config-line)#transport output ssh

Option C
R1(config)#line vty 0
R1(config-line)#transport output ssh
R1(config-line)#transport preferred ssh

Option D
R1(config)#line console 0
R1(config-line)#transport output ssh

An engineer receives this error message when trying to access another router in-band from
the serial interface connected to the console of R1. Which configuration is needed on R1 to
resolve this issue?

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

In this question we only need to check the console configuration of R1 as the connection
was made from the console line of R1. In the “line con 0” configuration of R1 we notice this
line:

transport output none

The “transport output none” command prevents any outgoing protocol connection from this
line of R1. Therefore our SSH connection to 192.168.12.2 was refused. In order to fix this
problem we can configure “transport output ssh” under “line console 0” of R1.

Note: The parameter “-l” specifies the username to log in as on the remote machine.

New ENARSI Questions 2

Question 1

An engineer configured SNMP notifications sent to the management server using
authentication and encryption data with DES. An error in the response PDU is received as
“UNKNOWNUSERNAME, WRONGDIGEST”. Which action resolves the issue?

A. Configure correct authentication and privacy passwords using SNMPv3 authNoPriv
B. Configure the correct authentication password using SNMPv3 authPriv
C. Configure the correct authentication password using SNMPv3 authNoPriv
D. Configure correct authentication and privacy passwords using SNMPv3 authPriv

Answer: B or D

Explanation
In this question, SNMP uses encryption with DES, so we must use authPriv (DES for
encryption).

According to https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/15-e/snmp-15-e-book.pdf
there are two circumstances that generate the “UNKNOWNUSERNAME, WRONGDIGEST”
message:
+ authPriv with incorrect authentication password and correct privacy password
+ authPriv with incorrect authentication password and incorrect privacy password

Note:

There are three SNMP security levels (for SNMPv1, SNMPv2c, and SNMPv3):
+ noAuthNoPriv: Security level that does not provide authentication or encryption.
+ authNoPriv: Security level that provides authentication but does not provide encryption.
+ authPriv: Security level that provides both authentication and encryption.

For SNMPv3, “noAuthNoPriv” level uses a username match for authentication.

Question 2

An engineer configured a Cisco router to send reliable and encrypted notifications for any
events to the management server. It was noticed that line notification messages are
reliable but not encrypted. Which action resolves the issue?

A. Configure all devices for SNMPv3 traps with priv
B. Configure all devices for SNMPv3 informs with auth
C. Configure all devices for SNMPv3 informs with priv
D. Configure all devices for SNMPv3 traps with auth

Answer: C

Explanation

SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the
receiver does not send acknowledgments when it receives traps; informs are acknowledged.
The question asks to “send reliable and encrypted notifications for any events”, so informs
are required. For encryption we need to configure “priv”.

Question 3

Refer to the exhibit.


The network administrator must mutually redistribute routes at the Chicago router to the LA
and NewYork routers. The configuration of the Chicago router is this:

router ospf 1
redistribute eigrp 100
router eigrp 100
redistribute ospf 1

After the configuration, the LA router receives all the NewYork routes, but NewYork router
does not receive any LA routes. Which set of configurations fixes the problem on the
Chicago router?

A. router ospf 1
redistribute eigrp 100 subnets

B. router eigrp 100
redistribute ospf 1 metric 10 10 10 10 10

C. router ospf 1
redistribute eigrp 100 metric 20

D. router eigrp 100
redistribute ospf 1 subnets

Answer: B

Explanation

The LA router receives all the NewYork routes, but the NewYork router does not receive any
LA routes, because when redistributing into EIGRP we must configure the default metric.

Question 4

Refer to the exhibit.

A network administrator configured mutual redistribution on R1 and R2 routers, which
caused instability in the network. Which action resolves the issue?

A. Set a tag in the route map when redistributing EIGRP into OSPF on R1, and match the
same tag on R2 to allow when redistributing OSPF into EIGRP.
B. Set a tag in the route map when redistributing EIGRP into OSPF on R1, and match the
same tag on R2 to deny when redistributing OSPF into EIGRP.
C. Apply a prefix list of EIGRP network routes in OSPF domain on R1 to propagate back into
the EIGRP routing domain.
D. Advertise summary routes of EIGRP to OSPF and deny specific EIGRP routes when
redistributing into OSPF.

Answer: B

Explanation

When doing mutual redistribution at multiple points (between OSPF and EIGRP on R1 & R2),
we may create routing loops so we should use route-map to prevent redistributed routes
from redistributing again into the original domain.

In the example below, the route-map “SET-TAG” is used to prevent any routes that have
been redistributed into EIGRP from being redistributed again into the OSPF domain, by tagging
these routes with tag 1:

R3
route-map SET-TAG permit 10
 set tag 1

These routes are then prevented from being redistributed again by the route-map FILTER-TAG,
which denies any routes with tag 1 set (a final permit clause lets every other route through):

R4
route-map FILTER-TAG deny 10
 match tag 1
route-map FILTER-TAG permit 20

Question 5

How are MPLS layer 3 VPN services deployed?

A. The RD and RT values must match under the VRF
B. The RD and RT values under a VRF must match on the remote PE router
C. The import and export RT values under a VRF must always be the same
D. The label switch path must be available between the local and remote PE routers

Answer: D

Question 6

Refer to the exhibit.


R1
router bgp 100
 neighbor 10.1.1.2 remote-as 200

R2
router bgp 200
 neighbor 10.1.1.1 remote-as 100

The neighbor relationship is not coming up. Which two sets of configurations bring the
neighbors up? (Choose two)
A. R2
ip route 10.1.1.2 255.255.255.255 192.168.1.2
router bgp 100
neighbor 10.1.1.2 ttl-security hops 1
neighbor 10.1.1.2 update-source loopback 0

B. R1
ip route 10.1.1.2 255.255.255.255 192.168.1.2
router bgp 100
neighbor 10.1.1.2 disable-connected-check
neighbor 10.1.1.2 update-source loopback0

C. R2
ip route 10.1.1.1 255.255.255.255 192.168.1.1
router bgp 200
neighbor 10.1.1.1 disable-connected-check
neighbor 10.1.1.1 update-source loopback0

D. R2
ip route 10.1.1.1 255.255.255.255 192.168.1.1
router bgp 200
neighbor 10.1.1.1 ttl-security hops 1
neighbor 10.1.1.1 update-source loopback 0

Answer: B C
Explanation

disable-connected-check enables a directly connected eBGP neighbor to peer using a
loopback address without adjusting the default TTL of 1. With disable-connected-check the
router does not decrease the TTL of an IP packet that is destined to itself, so it only counts
one hop between the two loopbacks of the routers.

Question 7

What are two functions of IPv6 source guard? (Choose two)

A. It works independent from IPv6 neighbor discovery
B. It denies traffic from unknown sources or unallocated addresses
C. It blocks certain traffic by inspecting DHCP packets for specific sources
D. It uses the populated binding table for allowing legitimate traffic
E. It denies traffic by inspecting neighbor discovery packets for specific patterns

Answer: B D

Explanation

IPv6 Source Guard enables the device to deny traffic when it is originated from an
address that is not stored in the binding table. IPv6 source guard does not inspect ND or
DHCP packets (-> Therefore answer C and answer E are not correct); rather, it works in
conjunction with IPv6 neighbor discovery (ND) inspection (-> Therefore answer A is not
correct) or IPv6 address glean, both of which detect existing addresses on the link and store
them into the binding table.
IPv6 source guard can deny traffic from unknown sources or unallocated addresses, such as
traffic from sources not assigned by a DHCP server.

Question 8

An engineer configured access list NON-CISCO in a policy to influence routes.

route-map PBR, deny, sequence 5
  Match clauses:
    ip address (access-list): NON-CISCO
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map PBR, permit, sequence 10
  Match clauses:
  Set clauses:
    ip next-hop 192.168.1.5
  Policy routing matches: 389202995 packets, 222006352077 bytes

What are the two effects of this route map configuration? (Choose two)

A. Packets are dropped by the access list
B. Packets are forwarded using normal route lookup
C. Packets are forwarded to the default gateway
D. Packets are not evaluated by sequence 10
E. Packets are evaluated by sequence 10

Answer: C E

Explanation
In the sequence 5 of route-map PBR, all the packets matched access-list NON-CISCO will be
dropped (by “deny” statement). But from the “Policy routing matches: 0 packets, 0 bytes”
line, we can deduce no packets have been dropped so far -> Answer A is not correct.

In the sequence 10 of route-map PBR, if a match command is not present then all routes
match the clause. Therefore all other packets will be matched by sequence 10 (-> Therefore
answer E is correct) and they are forwarded to the default gateway 192.168.1.5 (-> Answer
C is correct).

Question 9

(duplicated so we removed it)

Question 10

Refer to the exhibit.

login block-for 15 attempts 10 within 120
login on-failure log
login on-success log
archive
 log config
  logging enable
  logging size 300
  notify syslog
snmp-server enable traps syslog
snmp-server host 172.16.17.1 public syslog

The administrator can see the traps for the failed login attempts, but cannot see the traps of
successful login attempts. What command is needed to resolve the issue?

A. Configure logging history 2
B. Configure logging history 3
C. Configure logging history 4
D. Configure logging history 5

Answer: D

Explanation

By default, the maximum severity level sent as a syslog trap is warnings (level 4). That is why
you see syslog traps for login failures. Since a login success is severity 5 (notifications),
those syslog messages are not converted to traps. To fix this, configure:

logging history 5

Syslog levels are listed below:

Level  Keyword        Description
0      emergencies    System is unusable
1      alerts         Immediate action is needed
2      critical       Critical conditions exist
3      errors         Error conditions exist
4      warnings       Warning conditions exist
5      notifications  Normal, but significant, conditions exist
6      informational  Informational messages
7      debugging      Debugging messages

Note:

The syntax of login block is:

login block-for seconds attempts tries within seconds
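As an added illustration (not part of the original explanation, and not IOS code), the Python below reads the severity out of IOS syslog headers and applies the logging history threshold, showing why a login failure becomes a trap under the default while a login success does not. The three sample log lines are constructed for the example.

```python
import re
from typing import List, Optional

# Cisco IOS syslog severities, 0 = most severe (same order as the table above).
LEVEL_KEYWORDS = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# Every IOS message carries its severity in the %FACILITY-SEVERITY-MNEMONIC header.
HEADER_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def message_severity(line: str) -> Optional[int]:
    """Numeric severity of one IOS syslog line, or None if it carries no header."""
    m = HEADER_RE.search(line)
    return int(m.group("sev")) if m else None


def history_level(arg: str) -> int:
    """Resolve the 'logging history <level>' argument (keyword or 0-7) to a number."""
    return int(arg) if arg.isdigit() else LEVEL_KEYWORDS.index(arg)


def trap_candidates(lines: List[str], logging_history: str = "warnings") -> List[str]:
    """Return the lines that 'logging history' admits to the history table and hence
    forwards as SNMP syslog traps: severity number <= configured level.
    The default, warnings (4), admits 0-4 and silently drops 5-7."""
    limit = history_level(logging_history)
    kept = []
    for line in lines:
        sev = message_severity(line)
        if sev is not None and sev <= limit:
            kept.append(line)
    return kept


# Constructed sample buffer: a failed login, a successful login and a config change.
SAMPLE_LOG = [
    "*Mar  1 00:10:01.123: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] "
    "[Source: 10.1.1.20] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:10:07.456: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] "
    "[Source: 10.1.1.20] [localport: 22]",
    "*Mar  1 00:11:30.789: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    for level in ("warnings", "5"):
        sent = trap_candidates(SAMPLE_LOG, level)
        print(f"logging history {level}: {len(sent)} of {len(SAMPLE_LOG)} messages become traps")
```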

End of session 3

Question 11

Refer to the exhibit.

R1# show policy-map control-plane
Control plane

 service-policy input: CoPP
  class-map: PERMIT (match-all)
   50 packets, 3811 bytes
   5 minute offered rate 0000 bps
   Match: access-group 100
  class-map: ANY (match-all)
   210 packets, 19104 bytes
   5 minute offered rate 0000 bps, drop rate 0000 bps
   Match: access-group 199
   drop
  class-map: class-default (match-any)
   348 packets, 48203 bytes
   5 minute offered rate 0000 bps, drop rate 0000 bps
   Match: any

R1#show access-list 100
Extended IP access list 100
 10 permit udp any any eq 23 (100 matches)
 20 permit tcp any any eq telnet (5 matches)
 30 permit tcp any eq telnet any (10 matches)

R1#show access-list 199
Extended IP access list 199
 10 deny tcp any eq telnet any (50 matches)
 50 permit ip any any (1 match)

R1# show run | section line vty
line vty 0 4
 login
 transport input telnet ssh
 transport output telnet ssh

Which two actions restrict access to router R1 by SSH? (Choose two)

A. Configure transport input ssh on line vty and remove sequence 30 from access list 100
B. Configure transport output ssh on line vty and remove sequence 10 from access list 199
C. Remove class-map any from service-policy CoPP
D. Remove sequence 10 from access list 100 and add sequence 20 deny tcp any any eq telnet to access list 199
E. Configure transport output ssh on line vty and remove sequence 20 from access list 100

Answer: A E

Explanation

To only allow SSH to R1, we have to:

+ Deny Telnet in ACL 100, because the action of class-map PERMIT is “permit”
+ Permit Telnet in ACL 199, because the action of class-map ANY is “drop”

But:

+ In ACL 100 there is a permit statement for Telnet traffic, “20 permit tcp any any eq
telnet (5 matches)”, which is not correct, so we must remove this statement.
+ In ACL 199 there is an ACL statement “10 deny tcp any eq telnet any (50 matches)”.
This statement matches Telnet traffic leaving R1 (source port 23), which is not what we
want, so we must remove this statement.

Note:
+ The command “transport output telnet ssh” allows Telnet and SSH from this device (to
other devices).
+ Telnet is TCP port 23.
+ An ACL entry that matches Telnet on the source port affects Telnet traffic leaving R1.
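To see why “eq telnet” after the source address and after the destination address match opposite directions, here is an added Python model (not from the original question and not Cisco IOS) that parses the exhibit’s ACL entries, applies first-match wildcard evaluation, and classifies a packet in the order R1’s CoPP policy does. The packet addresses and the helper names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22}      # IOS port keywords used on this page
ANY = ("0.0.0.0", "255.255.255.255")         # "any": every address

@dataclass
class Packet:
    proto: str        # "tcp", "udp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Ace:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: Tuple[str, str]          # (address, wildcard mask)
    dst: Tuple[str, str]
    sport: Optional[int] = None   # "eq <port>" written after the source address
    dport: Optional[int] = None   # "eq <port>" written after the destination address

def parse_ace(line: str) -> Ace:
    """Parse an extended ACL entry as printed by 'show access-list'
    (any / address+wildcard and 'eq <port>' only)."""
    toks = line.split("(")[0].split()           # drop the "(N matches)" counter
    seq = int(toks.pop(0)) if toks[0].isdigit() else 0
    action, proto = toks.pop(0), toks.pop(0)

    def take_addr() -> Tuple[str, str]:
        word = toks.pop(0)
        return ANY if word == "any" else (word, toks.pop(0))

    def take_port() -> Optional[int]:
        if toks and toks[0] == "eq":
            toks.pop(0)
            name = toks.pop(0)
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    return Ace(seq, action, proto, src, dst, sport, dport)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, *ace.src)
            and wildcard_match(pkt.dst, *ace.dst)
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match hits the implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None

def copp_class(pkt: Packet, acl100: List[Ace], acl199: List[Ace]) -> str:
    """R1's policy tests class PERMIT (ACL 100, no action) before class ANY
    (ACL 199, drop); anything else lands in class-default."""
    if evaluate(acl100, pkt)[0] == "permit":
        return "PERMIT"
    if evaluate(acl199, pkt)[0] == "permit":
        return "ANY (drop)"
    return "class-default"

# The two ACLs exactly as shown in the exhibit.
ACL_100 = [parse_ace(l) for l in (
    "10 permit udp any any eq 23 (100 matches)",
    "20 permit tcp any any eq telnet (5 matches)",
    "30 permit tcp any eq telnet any (10 matches)")]
ACL_199 = [parse_ace(l) for l in (
    "10 deny tcp any eq telnet any (50 matches)",
    "50 permit ip any any (1 match)")]
ACL_100_FIXED = [a for a in ACL_100 if a.seq != 20]   # "remove sequence 20"

# Constructed packets: a Telnet request arriving at R1, and a Telnet reply
# leaving R1 (source port 23). Addresses are made up for the example.
TELNET_TO_R1 = Packet("tcp", "192.168.12.2", "192.168.12.1", 40001, 23)
TELNET_FROM_R1 = Packet("tcp", "192.168.12.1", "192.168.12.2", 23, 40001)

if __name__ == "__main__":
    print("inbound Telnet, original ACL 100 :", copp_class(TELNET_TO_R1, ACL_100, ACL_199))
    print("inbound Telnet, seq 20 removed   :", copp_class(TELNET_TO_R1, ACL_100_FIXED, ACL_199))
    print("Telnet leaving R1 against ACL 199:", evaluate(ACL_199, TELNET_FROM_R1))
```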

Question 12

What are two functions of LDP? (Choose two)


A. It advertises labels per forwarding equivalence class
B. It is defined in RFC 3038 and 3039
C. It uses forwarding equivalence class
D. It must use resource reservation protocol
E. It requires MPLS traffic engineering

Answer: A C

Explanation

LDP associates a Forwarding Equivalence Class (FEC) [RFC3031] with each LSP it creates.

Reference: https://tools.ietf.org/html/rfc3036

Question 13

A network administrator is using the DNA Assurance Dashboard panel to troubleshoot an
OSPF adjacency that failed between Edge_NYC interface GigabitEthernet1/3 and neighbor
Edge_SNJ. The administrator observes that the neighborship is stuck in the exstart state. How
does the administrator fix this issue?

A. Configure to match the OSPF interface speed and duplex settings on both routers
B. Configure to match the OSPF interface unique IP address and subnet mask on both
routers.
C. Configure to match the OSPF interface network types on both routers
D. Configure to match the OSPF interface MTU settings on both routers

Answer: D

Explanation

After two OSPF neighboring routers establish bi-directional communication and complete
DR/BDR election (on multi-access networks), the routers transition to the exstart state. In
this state, the neighboring routers establish a master/slave relationship and determine the
initial database descriptor (DBD) sequence number to use while exchanging DBD packets.

Neighbors Stuck in Exstart/Exchange State

The problem occurs most frequently when attempting to run OSPF between a Cisco router
and another vendor’s router. The problem occurs when the maximum transmission unit
(MTU) settings for neighboring router interfaces don’t match. If the router with the higher
MTU sends a packet larger than the MTU set on the neighboring router, the neighboring
router ignores the packet.

Question 14

Refer to the exhibit.

A network administrator is discovering a Cisco Catalyst 9300 and a Cisco WLC 3504 in Cisco
DNA Center. The 9300 is added successfully, but the WLC 3504 returns the error
“uncontactable” when the administrator tries to add it in Cisco DNA Center. Which action
discovers and resolves the issue?

A. Copy the .cert file from Cisco DNA Center on the USB and upload it to the WLC 3504
B. Delete the WLC 3504 from Cisco DNA Center and add it to Cisco DNA Center again
C. Add the WLC 3504 under the hierarchy of the Catalyst 9300 connected devices
D. Copy the .pem file from Cisco DNA Center on the USB and upload it to the WLC 3504

Answer: D

Explanation

We need to push the DNA Center Certificate on WLC to validate the WLC.

Question 15

Refer to the exhibit.

R1
int G0/0
ip address 209.165.201.2 255.255.255.252
int G0/1
ip address 209.165.201.6 255.255.255.252
router bgp 65401
bgp log-neighbor-changes
redistribute static
neighbor 209.165.201.1 remote-as 65402
neighbor 209.165.201.5 remote-as 65403
ip route 209.165.200.224 255.255.255.224 Null0
ip route 209.165.202.128 255.255.255.224 Null0

A company with autonomous system number AS65401 has obtained IP address block
209.165.200.224/27 from ARIN. The company needed more IP addresses and was assigned
block 209.165.202.128/27 from ISP2. An engineer at ISP1 reports they are receiving ISP2
routes from AS65401. Which configuration on R1 resolves the issue?

A. access-list 10 deny 209.165.202.128 0.0.0.31
access-list 10 permit any
!
router bgp 65401
neighbor 209.165.201.1 distribute-list 10 out

B. access-list 10 deny 209.165.202.128 0.0.0.31
access-list 10 permit any
!
router bgp 65401
neighbor 209.165.201.1 distribute-list 10 in

C. ip route 209.165.200.224 255.255.255.224 209.165.201.1
ip route 209.165.202.128 255.255.255.224 209.165.201.5

D. ip route 0.0.0.0 0.0.0.0 209.165.201.1
ip route 0.0.0.0 0.0.0.0 209.165.201.5

Answer: A

Explanation

By default BGP advertises all prefixes to external BGP neighbors. This means that if you are
multi-homed (connected to two or more ISPs) then you might become a transit AS. For
example, ISP 2 in AS 200 can send traffic to your router in AS 100 to reach ISP 3 in AS 300
because you advertised prefixes from ISP 3 to ISP 2.
This is what will be seen in the BGP routing table of ISP2:

ISP2#show ip bgp
--output omitted--
Network Next Hop Metric LocPrf Weight Path
....
*> 3.3.3.0/24 192.168.12.1 0 100 300 i

In order to prevent this we have to ensure that your router only advertises prefixes from its
own autonomous system. One of the methods to solve this problem is using a distribute-list
(outbound direction) to filter out the transit prefixes:

access-list x deny x.x.x.x y.y.y.y
neighbor a.a.a.a distribute-list x out

In this case we will filter prefix 209.165.202.128/27 out from advertising to ISP1.
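As an added Python model (not code from the original explanation, and not IOS), the block below applies the option A distribute-list to R1’s two prefixes per neighbor and also shows a caveat worth knowing: a standard ACL in a distribute-list matches on the network address only and ignores the prefix length. The neighbor addresses and prefixes come from the exhibit; the function names are my own.

```python
import ipaddress
from typing import Dict, List, Tuple

Ace = Tuple[str, int, int]   # (action, network as int, wildcard mask as int)


def parse_std_acl(lines: List[str]) -> List[Ace]:
    """Parse numbered standard ACL lines such as
    'access-list 10 deny 209.165.202.128 0.0.0.31' and 'access-list 10 permit any'."""
    acl = []
    for line in lines:
        toks = line.split()
        if toks[0] == "access-list":
            toks = toks[2:]                      # drop "access-list <number>"
        action, target = toks[0], toks[1]
        if target == "any":
            acl.append((action, 0, 0xFFFFFFFF))
            continue
        base = int(ipaddress.IPv4Address(target))
        wild = int(ipaddress.IPv4Address(toks[2])) if len(toks) > 2 else 0
        acl.append((action, base, wild))
    return acl


def acl_permits(acl: List[Ace], prefix: str) -> bool:
    """A standard ACL used as a distribute-list is tested against the route's
    network address only; the prefix length is ignored. First match wins and
    an unmatched route hits the implicit deny."""
    net = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, base, wild in acl:
        if (net & ~wild) == (base & ~wild):
            return action == "permit"
    return False


def outbound_updates(local_prefixes: List[str],
                     neighbors: Dict[str, List[Ace]]) -> Dict[str, List[str]]:
    """Prefixes each eBGP neighbor receives; an empty list means no distribute-list applied."""
    return {nbr: [p for p in local_prefixes if not acl or acl_permits(acl, p)]
            for nbr, acl in neighbors.items()}


# R1's locally originated prefixes (redistribute static of the two Null0 routes).
LOCAL = ["209.165.200.224/27", "209.165.202.128/27"]

# Option A: distribute-list 10 out toward ISP1 (209.165.201.1); ISP2 stays unfiltered.
ACL_10 = parse_std_acl([
    "access-list 10 deny 209.165.202.128 0.0.0.31",
    "access-list 10 permit any",
])
NEIGHBORS = {"209.165.201.1": ACL_10, "209.165.201.5": []}

if __name__ == "__main__":
    for nbr, sent in outbound_updates(LOCAL, NEIGHBORS).items():
        print(f"advertised to {nbr}: {sent}")
```

Because the ACL ignores prefix length, a more specific 209.165.202.144/28 would be filtered too, which is the behaviour to expect when a standard ACL, rather than a prefix-list, is used for route filtering.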

Question 16

Drag and drop the sequence of steps for configuring a policy to avoid packet forwarding based
on normal routing.

Answer:

Step 1 – configure ACLs
Step 2 – configure route map instances
Step 3 – configure match commands
Step 4 – configure set commands
Step 5 – configure PBR on the interface
Step 6 – configure fast switching for PBR

Explanation

Reference: https://www.ciscopress.com/articles/article.asp?p=102092&seqNum=5

Question 17

There is a picture of “Layer 2 loop symptoms” in DNAC and the config below:

interface GigabitEthernet1/0/13
 switchport trunk allowed vlan 30-33
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 30-33
 switchport mode trunk

Refer to the exhibits. An engineer identified a Layer 2 loop using DNAC. Which command
fixes the problem in the SF-D9300-1 Switch?
A. spanning-tree loopguard default
B. spanning-tree portfast bpduguard
C. spanning-tree backbonefast
D. no spanning-tree uplink fast

Answer: B

This question needs to be checked.

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10596-84.html#loop_guard

Question 18

Refer to the exhibit.


A user has set up an IP SLA probe to test if a non SLA host web server on IP address
10.1.1.1 accepts HTTP sessions prior to deployment. The probe is failing. Which action
should the network administrator recommend for the probe to succeed?
A. Re-issue the ip sla schedule command.
B. Add icmp-echo command for the host.
C. Add the control disable option to the tcp connect.
D. Modify the ip sla schedule frequency to forever.

Answer: C

Explanation

• Use the control disable keyword combination only if you disable the IP SLAs control protocol on both the
source and target devices.

We don’t need to add the “icmp-echo” command as it is merely a regular ping sent by the IP
SLA source -> Answer B is not correct.

According to the Cisco documentation quoted above, we should disable the control protocol with
the “control disable” keyword (the full command is “tcp connect 10.1.1.1 80 control disable”)
if the target host is not running IP SLA -> Answer C is correct.

The frequency is optional, so we don’t need to change it -> Answer D is not correct.
Question 19

Refer to the exhibit.

An IPv6 network was newly deployed in the environment and the help desk reports that R3
cannot SSH to the R2’s Loopback interface. Which action resolves the issue?

A. Modify line 10 of the access list to permit instead of deny.
B. Remove line 60 from the access list.
C. Modify line 30 of the access list to permit instead of deny.
D. Remove line 70 from the access list.

Answer: C
============================= New Questions (added on 8th-Mar-2021) =============================

Question 20

Refer to the exhibit.

192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Ethernet0/0
L 192.168.1.1/32 is directly connected, Ethernet0/0
D 192.168.2.0/24 [90/2297856] via 192.168.12.2, 00:02:14, Serial1/1
S 192.168.3.0/24 [1/0] via 192.168.12.2
192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.12.0/24 is directly connected, Serial1/1
L 192.168.12.1/32 is directly connected, Serial1/1
192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.13.0/24 is directly connected, Serial1/0
L 192.168.13.1/32 is directly connected, Serial1/0
D 192.168.23.0/24 [90/2681856] via 192.168.13.3, 00:06:38, Serial1/0
                  [90/2681856] via 192.168.12.2, 00:06:38, Serial1/1
D 192.168.24.0/24 [90/2195456] via 192.168.12.2, 00:06:38, Serial1/1

Refer to the exhibits. All the serial links between R1, R2, and R3 have the same bandwidth.
Users on the 192.168.1.0/24 network report slow response times while they access resources
on network 192.168.3.0/24. When a traceroute is run on the path, it shows that the packets
are forwarded via R2 to R3 although the link between R1 and R3 is still up. What must
the network administrator do to fix the slowness?

A. Change the Administrative Distance of EIGRP to 5
B. Add a static route on R1 using the next hop of R3
C. Remove the static route on R1
D. Redistribute the R1 route to EIGRP

Answer: C

Missing figure.
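The route-selection rule behind this answer, as an added Python example that is not part of the question set: per prefix, the source with the lowest administrative distance wins, so the static route (AD 1) to 192.168.3.0/24 via R2 hides any EIGRP (AD 90) path via R3. The EIGRP candidate via 192.168.13.3 and the destination addresses are constructed; the other entries are transcribed from the exhibit.

```python
# Added example (not from the original question set): how a router chooses between a
# static route and an EIGRP route for the same prefix, using the R1 routing table of
# Question 20. Each route source carries an administrative distance (AD): connected 0,
# static 1, EIGRP internal 90. Per prefix, only the lowest-AD candidate is installed,
# so "S 192.168.3.0/24 [1/0] via 192.168.12.2" hides the EIGRP path via R3.
from dataclasses import dataclass
import ipaddress

AD = {"C": 0, "S": 1, "D": 90}  # connected, static, EIGRP internal (Cisco defaults)


@dataclass(frozen=True)
class Candidate:
    source: str        # "C", "S" or "D", as printed by "show ip route"
    prefix: str
    metric: int
    next_hop: str
    interface: str


def install_routes(candidates):
    """Return {prefix: [Candidate, ...]} keeping, per prefix, only the candidates from
    the lowest-AD source. Equal-AD candidates with an equal metric are all kept; that
    is how the D 192.168.23.0/24 entry ends up with two next hops."""
    table = {}
    for c in candidates:
        current = table.get(c.prefix)
        if current is None or AD[c.source] < AD[current[0].source]:
            table[c.prefix] = [c]
        elif AD[c.source] == AD[current[0].source]:
            if c.metric < current[0].metric:
                table[c.prefix] = [c]
            elif c.metric == current[0].metric:
                table[c.prefix].append(c)
    return table


def lookup(table, dst):
    """Longest-prefix match: return the installed candidates for dst."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, entries in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entries)
    return best[1] if best else []


# Constructed to mirror the R1 routing table in the exhibit. The EIGRP route to
# 192.168.3.0/24 via R3 is an assumption: it is what EIGRP offers once the static
# route (AD 1) no longer beats it.
R1_CANDIDATES = [
    Candidate("C", "192.168.1.0/24", 0, "direct", "Ethernet0/0"),
    Candidate("D", "192.168.2.0/24", 2297856, "192.168.12.2", "Serial1/1"),
    Candidate("S", "192.168.3.0/24", 0, "192.168.12.2", "Serial1/1"),        # static via R2
    Candidate("D", "192.168.3.0/24", 2297856, "192.168.13.3", "Serial1/0"),  # EIGRP via R3 (assumed)
    Candidate("D", "192.168.23.0/24", 2681856, "192.168.13.3", "Serial1/0"),
    Candidate("D", "192.168.23.0/24", 2681856, "192.168.12.2", "Serial1/1"),
]


def next_hops_for(dst, candidates):
    """Sorted next hops that the installed table uses for dst."""
    return sorted(c.next_hop for c in lookup(install_routes(candidates), dst))


def without_static(candidates):
    """The fix in answer C: remove the static route and let EIGRP take over."""
    return [c for c in candidates if c.source != "S"]


if __name__ == "__main__":
    print("with static route   :", next_hops_for("192.168.3.10", R1_CANDIDATES))
    print("static route removed:", next_hops_for("192.168.3.10", without_static(R1_CANDIDATES)))
```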
Question 21

Which feature drops packets if the source address is not found in the snooping table?

A. Binding Table Recovery
B. IPv6 Destination Guard
C. IPv6 Prefix Guard
D. IPv6 Source Guard

Answer: D

Explanation

IPv6 Source Guard filters inbound traffic on L2 switch ports that are not in the IPv6
binding table. The binding table stores the following information:
+ IPv6 address
+ MAC address
+ VLAN
+ Interface ID

Question 22

Refer to the exhibits.


When DMVPN is configured, which configuration allows spoke-to-spoke communication using
loopback as tunnel source?

A. Configure crypto isakmp key cisco address 0.0.0.0 on the hub.
B. Configure crypto isakmp key Cisco address 200.1.0.0 255.255.0.0 on the hub.
C. Configure crypto isakmp key cisco address 200.1.0.0 255.255.0.0 on the spokes.
D. Configure crypto isakmp key cisco address 0.0.0.0 on the spokes.

Answer: D

Explanation

The first five commands are used to configure IPSec Phase 1 (ISAKMP policy). Here are the
details of each command used above:
+ crypto isakmp policy 10 – This command creates ISAKMP policy number 10. You can
create multiple policies, for example 7, 8, 9, with different configurations. Routers
participating in Phase 1 negotiation try to find a matching ISAKMP policy by comparing the list
of policies one by one. If a policy is matched, the IPSec negotiation moves to Phase 2.
+ hash md5 – MD5 algorithm will be used.
+ authentication pre-share – Authentication method is pre-shared key.
+ group 2 – Diffie-Hellman group to be used is group 2.
+ encryption 3des – 3DES encryption algorithm will be used for Phase 1.

To complete Phase 1 we need one additional command which is missing in the exhibit:

+ crypto isakmp key cisco address <peer-address> – The Phase 1 password is cisco
and the remote peer IP address is 10.1.1.1

The next two command lines are used to configure IPSec Phase 2 (transform set):
+ crypto ipsec transform-set <transform-set-name> – Creates a transform set called
<transform-set-name>
+ esp-des – ESP IPSec protocol with the 56-bit Data Encryption Standard (DES) encryption
algorithm will be used
+ esp-md5-hmac – ESP with the MD5 (HMAC variant) authentication algorithm will be
used.
+ mode transport: only encrypts the payload and ESP trailer
or
+ mode tunnel: encrypts the IP header of the ENTIRE packet

We should configure the key with “address 0.0.0.0 0.0.0.0” (meaning the remote peer can be any
address, so any destination can try to negotiate with this router). While the hub’s public IP
address is known, we must keep in mind that R2 and R3 can build a dynamic VPN tunnel between
them. Taking into consideration that their public IP addresses are dynamic, it is imperative to
use 0.0.0.0 0.0.0.0 for the remote peer.

Question 23

Refer to the exhibit.

Chicago Router
ip route 192.168.1.0 255.255.255.0 10.1.1.2
ip route 192.168.2.0 255.255.255.0 10.1.1.2
!
router eigrp 100
redistribute static

LA router
ip route 0.0.0.0 0.0.0.0 10.1.1.1

A user on the 192.168.1.0/24 network can successfully ping 192.168.3.1, but the
administrator cannot ping 192.168.3.1 from the LA router. Which set of configurations fixes
the issue?

Option A
Chicago Router
router eigrp 100
redistribute static metric 10 10 10 10 10

Option B
Chicago Router
router eigrp 100
redistribute connected

Option C
Chicago Router
ip route 192.168.3.0 255.255.255.0 10.1.2.2
ip route 192.168.4.0 255.255.255.0 10.1.2.2

Option D
LA Router
ip route 192.168.3.0 255.255.255.0 10.1.1.1
ip route 192.168.4.0 255.255.255.0 10.1.1.1

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B

Explanation

Since a user on the 192.168.1.0/24 network can successfully ping 192.168.3.1, the static
routes were redistributed into EIGRP successfully (without specifying the metric). However, the
LA router could not ping 192.168.3.1 because it used 10.1.1.2 as the source address and the
NewYork router did not know how to reach 10.1.1.0/24 -> Therefore we also have to redistribute
the connected subnet (10.1.1.0/24) on the Chicago router into the EIGRP domain.

New ENARSI Questions 3


Question 1

Refer to the exhibit.

The administrator configured route advertisement to a remote low resources router to use
only the default route to reach any network but failed. Which action resolves this issue?

A. Change the direction of the distribute-list command from out to in.
B. Remove the line with the sequence number 10 from the prefix list.
C. Remove the prefix keyword from the distribute-list command.
D. Remove the line with the sequence number 5 from the prefix list.

Answer: D

Question 2

Refer to the exhibits. An engineer filtered messages based on severity to minimize log
messages.
After applying the filter, the engineer noticed that it filtered required messages as well.
Which action must the engineer take to resolve the issue?

A. Configure syslog level 2
B. Configure syslog level 3
C. Configure syslog level 4
D. Configure syslog level 5

Answer: D

Question 3

Refer to the exhibit. The engineer configured and connected Router2 to Router1. The link
came up but could not establish a Telnet connection to Router1 IPv6 address of
2001:DB8::1. Which configuration allows Router2 to establish a Telnet connection to
Router1?
A. IPv6 address on GigabitEthernet0/0
B. permit ICMPv6 on access list INGRESS for Router2 to obtain IPv6 address
C. ipv6 unicast-routing
D. permit ip any any on access list EGRESS2 on Router1

Answer: D

Question 4

A DMVPN single hub topology is using IPsec + mGRE with OSPF. What should be configured
on the hub to ensure it will be the designated router?
A. route map to set the metrics of learned routes to 110
B. OSPF priority to 0
C. OSPF priority greater than 1
D. tunnel interface of the hub with ip nhrp ospf dr

Answer: C

Explanation

By default, the priority is 1 on all routers so we can set the OSPF priority of the hub to a
value which is greater than 1 to make sure it would become the DR.

Question 5
When configuring Control Plane Policing on a router to protect it from malicious traffic, an
engineer observes that the configured routing protocols start flapping on that device. Which
action in the Control Plane Policy prevents this problem in a production environment while
achieving the security objective?

A. Set the conform-action and exceed-action to transmit initially to test the ACLs and
transmit rates and apply the Control Plane Policy in the output direction
B. Set the conform-action and exceed-action to transmit initially to test the ACLs and
transmit rates and apply the Control Plane Policy in the input direction
C. Set the conform-action to transmit and exceed-action to drop to test the ACLs and
transmit rates and apply the Control Plane Policy in the input direction
D. Set the conform-action to transmit and exceed-action to drop to test the ACLs and
transmit rates and apply the Control Plane Policy in the output direction

Answer: B

Question 6

Refer to the exhibit.


R1 and R2 cannot establish an EIGRP adjacency. Which action establishes EIGRP adjacency?

A. Add the no auto-summary command to the R2 configuration so that it matches the R1
configuration
B. Remove the passive-interface command from the R2 configuration so that it matches the
R1 configuration
C. Add the passive-interface command to the R1 configuration so that it matches the R2
configuration
D. Remove the current autonomous system number on one of the routers and change to a
different value

Answer: B

Question 7

In which two ways does the IPv6 First-Hop Security Binding Table operate? (Choose two)

A. by IPv6 routing protocols to securely build neighborships without the need of
authentication
B. by the recovery mechanism to recover the binding table in the event of a device reboot
C. by IPv6 HSRP to make sure neighbors are authenticated before being used as gateways
D. by various IPv6 guard features to validate the data link layer address
E. by storing hashed keys for IPsec tunnels for the built-in IPsec features

Answer: B D
Explanation

Overview of the IPv6 First-Hop Security Binding Table

A database table of IPv6 neighbors connected to the device is created from information
sources such as NDP snooping. This database, or binding table, is used by various IPv6
guard features to validate the link-layer address (LLA), the IPv4 or IPv6 address, and the
prefix binding of the neighbors to prevent spoofing and redirect attacks.

IPv6 First-Hop Security Binding Table Recovery Mechanism

The IPv6 first-hop security binding table recovery mechanism enables the binding table
to recover in the event of a device reboot.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-s/ip6-fhs-bind-table.html

Question 8

An engineer configured policy-based routing for a destination IP address that does not exist
in the routing table. How is the packet treated through the policy for configuring the set ip
default next-hop command?
A. Packets are forwarded to the specific next hop.
B. Packets are forwarded based on the routing table.
C. Packets are not forwarded to the specific next hop.
D. Packets are forwarded based on a static route.

Answer: A

Explanation

The set ip default next-hop command verifies the existence of the destination IP address
in the routing table, and…
+ if the destination IP address exists, the command does not policy route the packet, but
forwards the packet based on the routing table.
+ if the destination IP address does not exist, the command policy routes the packet by
sending it to the specified next hop.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/ip-routed-protocols/47121-pbr-cmds-ce.html

Question 9

What are two MPLS label characteristics? (Choose two)

A. A maximum of two labels can be imposed on an MPLS packet.
B. The label edge router swaps labels on the received packets.
C. LDP uses TCP for reliable delivery of information.
D. An MPLS label is a short identifier that identifies a forwarding equivalence class.
E. Labels are imposed in packets after the Layer 3 header.

Answer: C D
Explanation

A label edge router (LER, also known as edge LSR) is a router that operates at the edge of
an MPLS network and acts as the entry and exit point for the network. LERs push an MPLS
label onto an incoming packet and pop it off an outgoing packet -> Answer B is not correct.

MPLS labels are added between the Layer 2 and the Layer 3 header of the packet (therefore
MPLS labels are added before the Layer 3 header) -> Answer E is not correct.

There is no limit on the number of labels in a stack -> Answer A is not correct.

A label is a short, four-byte, fixed-length, locally-significant identifier which is used
to identify a Forwarding Equivalence Class (FEC). The label which is put on a particular
packet represents the FEC to which that packet is assigned -> Answer D is correct.

Reference: https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/4649-mpls-faq-4649.html

LDP uses TCP as a reliable transport for sessions. Each TCP connection has only one LDP
session -> Answer C is correct.

Question 10
Refer to the exhibit. R2 has two paths to reach 192.168.13.0/24, but traffic is sent only
through R3. Which action allows traffic to use both paths?

A. Configure the bandwidth 2000 command under interface FastEthernet0/0 on R2


B. Configure the delay 1 command under interface FastEthernet0/0 on R2
C. Configure the variance 2 command under the EIGRP process on R2
D. Configure the variance 4 command under the EIGRP process on R2
Answer: D

Missing metric values (the exhibit is not included).

Question 11

Refer to the exhibit.


The network administrator has configured the Customer Edge router (AS 64511) to send
only summarized routes toward ISP-1 (AS 100) and ISP-2 (AS 200).

router bgp 64511
network 172.16.20.0 mask 255.255.255.0
network 172.16.21.0 mask 255.255.255.0
network 172.16.22.0 mask 255.255.255.0
network 172.16.23.0 mask 255.255.255.0
aggregate-address 172.16.20.0 255.255.252.0

After this configuration, ISP-1 and ISP-2 continue to receive the specific routes and the
summary route. Which configuration resolves the issue?

A. router bgp 64511
aggregate-address 172.16.20.0 255.255.252.0 summary-only

B. router bgp 64511
neighbor 192.168.100.1 summary-only
neighbor 192.168.200.2 summary-only

C. interface E0/0
ip bgp suppress-map BLOCK_SPECIFIC
!
interface E0/1
ip bgp suppress-map BLOCK_SPECIFIC
!
ip prefix-list PL_BLOCK_SPECIFIC permit 172.16.20.0/22 ge 24
!
route-map BLOCK_SPECIFIC permit 10
match ip address prefix-list PL_BLOCK_SPECIFIC

D. ip prefix-list PL_BLOCK_SPECIFIC deny 172.16.20.0/22 ge 22
ip prefix-list PL_BLOCK_SPECIFIC permit 172.16.20.0/22
!
route-map BLOCK_SPECIFIC permit 10
match ip address prefix-list PL_BLOCK_SPECIFIC
!
router bgp 64511
aggregate-address 172.16.20.0 255.255.252.0 suppress-map BLOCK_SPECIFIC

Answer: A

Explanation

When the aggregate-address command is used within BGP routing, the aggregated address
is advertised, along with the more specific routes. The exception to this rule is through the
use of the summary-only command. The “summary-only” keyword suppresses the more
specific routes and announces only the summarized route.
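What each aggregate-address variant actually sends to ISP-1 and ISP-2, as an added Python example that is not part of the question set. It models the BGP aggregation rules and prefix-list ge/le matching; BLOCK_SPECIFIC reuses the prefix-list from option C as a suppress-map, and PARTIAL_MAP is constructed to show a map that suppresses only some of the specifics.

```python
# Added example (not part of the original question set): what a CE router advertises
# to its ISP peers under the aggregate-address variants in Question 11.
# The prefix-list ge/le matcher follows Cisco semantics: the candidate must lie inside
# the listed prefix and its length must satisfy ge <= len <= le (ge defaults to the
# listed length and le to 32 when omitted).
import ipaddress

CE_NETWORKS = ["172.16.20.0/24", "172.16.21.0/24", "172.16.22.0/24", "172.16.23.0/24"]
AGGREGATE = "172.16.20.0/22"


def prefix_list_matches(entry, candidate):
    """entry: dict(action, prefix[, ge][, le]). True if candidate matches the entry."""
    base = ipaddress.ip_network(entry["prefix"])
    cand = ipaddress.ip_network(candidate)
    ge = entry.get("ge", base.prefixlen)
    le = entry.get("le", 32)
    return cand.subnet_of(base) and ge <= cand.prefixlen <= le


def prefix_list_permits(plist, candidate):
    """First-match evaluation with the implicit deny at the end of the list."""
    for entry in plist:
        if prefix_list_matches(entry, candidate):
            return entry["action"] == "permit"
    return False


def advertised_routes(networks, aggregate, summary_only=False, suppress_map=None):
    """Return the set of prefixes sent to a neighbour.
    - plain aggregate-address: aggregate plus all specifics
    - summary-only:            aggregate only
    - suppress-map:            aggregate plus the specifics the map does NOT permit
    The aggregate is generated only if at least one specific falls inside it."""
    agg = ipaddress.ip_network(aggregate)
    inside = [n for n in networks if ipaddress.ip_network(n).subnet_of(agg)]
    adv = set(networks)
    if inside:
        adv.add(aggregate)
        if summary_only:
            adv -= set(inside)
        elif suppress_map is not None:
            adv -= {n for n in inside if prefix_list_permits(suppress_map, n)}
    return adv


# Option C's prefix-list, used here as a suppress-map on the aggregate: every /24 or
# longer inside 172.16.20.0/22 is suppressed.
BLOCK_SPECIFIC = [{"action": "permit", "prefix": "172.16.20.0/22", "ge": 24}]
# Constructed: suppress only the two /24s inside 172.16.20.0/23, leak the other two.
PARTIAL_MAP = [{"action": "permit", "prefix": "172.16.20.0/23", "ge": 24, "le": 24}]

if __name__ == "__main__":
    variants = [("no keyword", {}), ("summary-only", {"summary_only": True}),
                ("option C list", {"suppress_map": BLOCK_SPECIFIC}),
                ("partial map", {"suppress_map": PARTIAL_MAP})]
    for label, kw in variants:
        print(f"{label:14}: {sorted(advertised_routes(CE_NETWORKS, AGGREGATE, **kw))}")
```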

Question 12

Refer to the exhibit.


A network administrator configured NTP on a Cisco router to get synchronized time for
system and logs from a unified time source. The configuration did not work as desired.
Which service must be enabled to resolve the issue?
A. Enter the service timestamps log datetime clock-period global command
B. Enter the service timestamps log datetime synchronize global command
C. Enter the service timestamps log datetime console global command
D. Enter the service timestamps log datetime localtime global command

Answer: D

Explanation

If a router is configured to get the time from a Network Time Protocol (NTP) server, the
times in the router’s log entries may be different from the time on the system clock if the
[localtime] option is not in the service timestamps log command. To solve this issue,
add the [localtime] option to the service timestamps log command. The times should now
be synchronized between the system clock and the log message timestamps.

Reference: https://community.cisco.com/t5/networking-documents/router-log-timestamp-entries-are-different-from-the-system-clock/ta-p/3132258

Question 13

What are two functions of MPLS Layer 3 VPNs? (Choose two)

A. BGP is used for signaling customer VPNv4 routes between PE nodes.
B. It is used for transparent point-to-multipoint connectivity between Ethernet links/sites.
C. LDP and BGP can be used for Pseudowire signaling.
D. A packet with node segment ID is forwarded along with shortest path to destination.
E. Customer traffic is encapsulated in a VPN label when it is forwarded in MPLS network.

Answer: A E

Explanation

MPLS Layer-3 VPNs provide IP connectivity among CE sites
• MPLS VPNs enable full-mesh, hub-and-spoke, and hybrid IP connectivity
• CE sites connect to the MPLS network via IP peering across PE-CE links
• MPLS Layer-3 VPNs are implemented via VRFs on PE edge nodes
• VRFs providing customer routing and forwarding segmentation
• BGP used for signaling customer VPN (VPNv4) routes between PE nodes
• To ensure traffic separation, customer traffic is encapsulated in an additional VPN label
when forwarded in MPLS network
• Key applications are layer-3 business VPN services, enterprise network segmentation, and
segmented layer-3 Data Center access

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKMPL-1100.pdf

Question 14
Refer to the exhibit.

BRANCH(config)# ip route 0.0.0.0 0.0.0.0 172.16.35.2 track 1
BRANCH(config)# ip route 0.0.0.0 0.0.0.0 172.16.35.6 5
!
BRANCH(config)# ip sla 1
BRANCH(config-ip-sla)# icmp-echo 172.16.35.2
BRANCH(config-ip-sla)# timeout 200
BRANCH(config-ip-sla)# frequency 5
!
BRANCH(config)# ip sla schedule 1 life forever start-time now
!
BRANCH(config)# track 1 ip sla 1 reachability

An engineer has successfully set up a floating static route from the BRANCH router to the
HQ network using HQ_R1 as the primary default gateway. When the g0/0 goes down on
HQ_R1, the branch network cannot reach the HQ network 192.168.20.0/24. Which set of
configurations resolves the issue?

A. BRANCH(config)# ip sla 1
BRANCH(config-ip-sla)# icmp-echo 192.168.100.2

B. BRANCH(config)# ip sla 1
BRANCH(config-ip-sla)# icmp-echo 192.168.100.1

C. HQ_R3(config)# ip sla responder
HQ_R3(config)# ip sla responder icmp-echo 172.16.35.5

D. HQ_R3(config)# ip sla responder
HQ_R3(config)# ip sla responder icmp-echo 172.16.35.1

Answer: B

Question 15

Refer to the exhibit. Which action restores the routes from neighbors while still filtering
1.1.1.0/24?

access-list 1 permit 1.1.1.0 0.0.0.255
!
route-map FILTER1 deny 10
match ip address 1
!
router eigrp 1
distribute-list route-map FILTER1 in

A. Modify the access list to deny instead of permit it
B. Modify the route map to permit the access list instead of deny it
C. Add a second sequence in the route map permit 20
D. Add a second line in the access list to permit any

Answer: C

Explanation

We need to add a second sequence with the “route-map FILTER1 permit 20” (with no match
conditions) so that all other conditions are permitted.
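The route-map walk that makes answer C correct and the others wrong, as an added Python example that is not part of the question set. The ACL and route-map are transcribed from the exhibit; the learned prefixes and the answer A and D variants are constructed to show why those options still filter everything.

```python
# Added example (not from the original question set): how IOS evaluates the
# distribute-list route-map of Question 15. A route-map is walked sequence by
# sequence; the first sequence whose match clauses all succeed decides (permit or
# deny), and a route that matches no sequence hits the implicit deny at the end.
# An ACL used in "match ip address" is itself first-match with an implicit deny.
import ipaddress


def acl_matches(acl, prefix):
    """Standard ACL as (action, address, wildcard) entries. True only if the route's
    network address is permitted; an ACL deny or no match both return False."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wildcard in acl:
        a = int(ipaddress.ip_address(addr))
        w = int(ipaddress.ip_address(wildcard))
        if (net & ~w) == (a & ~w):       # wildcard bits set to 1 are "don't care"
            return action == "permit"
    return False


def route_map_permits(route_map, acls, prefix):
    """route_map: list of (action, seq, [acl_number, ...]). A sequence with no match
    clauses matches every route."""
    for action, _seq, match_acls in sorted(route_map, key=lambda s: s[1]):
        if all(acl_matches(acls[n], prefix) for n in match_acls):
            return action == "permit"
    return False                          # implicit deny at the end of every route-map


def accepted_routes(route_map, acls, routes):
    """Prefixes that survive the inbound distribute-list."""
    return sorted(r for r in routes if route_map_permits(route_map, acls, r))


# Transcribed from the exhibit.
ACLS = {1: [("permit", "1.1.1.0", "0.0.0.255")]}
FILTER1_AS_SHOWN = [("deny", 10, [1])]
# Answer C: an empty permit sequence after the deny.
FILTER1_FIXED = [("deny", 10, [1]), ("permit", 20, [])]
# Answer A: flip the ACL to deny. Answer D: add "permit any" to the ACL.
ACLS_ANSWER_A = {1: [("deny", "1.1.1.0", "0.0.0.255")]}
ACLS_ANSWER_D = {1: [("permit", "1.1.1.0", "0.0.0.255"),
                     ("permit", "0.0.0.0", "255.255.255.255")]}

# Constructed sample of prefixes learned from EIGRP neighbours.
LEARNED = ["1.1.1.0/24", "10.0.0.0/8", "172.16.5.0/24", "192.168.1.0/24"]

if __name__ == "__main__":
    print("as shown :", accepted_routes(FILTER1_AS_SHOWN, ACLS, LEARNED))
    print("answer A :", accepted_routes(FILTER1_AS_SHOWN, ACLS_ANSWER_A, LEARNED))
    print("answer C :", accepted_routes(FILTER1_FIXED, ACLS, LEARNED))
    print("answer D :", accepted_routes(FILTER1_AS_SHOWN, ACLS_ANSWER_D, LEARNED))
```

With the route-map as shown, 1.1.1.0/24 is denied by sequence 10 and every other route falls through to the implicit deny; answers A and D only change which sequence denies the routes.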

Question 16
An engineer configured two routers connected to two different service providers using BGP
with default attributes. One of the links is presenting high delay, which causes slowness in
the network. Which BGP attribute must the engineer configure to avoid using the high-delay
ISP link if the second ISP link is up?
A. WEIGHT
B. MED
C. LOCAL_PREF
D. AS-PATH

Answer: C

Question 17

An engineer configured a DHCP server for Cisco IP phones to download its configuration
from a TFTP server, but the IP phones failed to load the configuration. What must be
configured to resolve the issue?

A. DHCP option 66
B. BOOTP port 67
C. BOOTP port 68
D. DHCP option 69

Answer: A

Explanation

DHCP options 3, 66, and 150 are used to configure Cisco IP Phones. Cisco IP Phones
download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does
not have both the IP address and TFTP server IP address preconfigured, it sends a request
with option 150 or 66 to the DHCP server to obtain this information.
+ DHCP option 150 provides the IP addresses of a list of TFTP servers.
+ DHCP option 66 gives the IP address or the hostname of a single TFTP server.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/basic_dhcp.pdf

Question 18

What are two purposes of using IPv4 and VPNv4 address-family configurations in a Layer 3
MPLS VPN? (Choose two)

A. The VPNv4 address is used to advertise the MPLS VPN label.
B. RD is prepended to the IPv4 route to make it unique.
C. MP-BGP is used to allow overlapping IPv4 addresses between customers to advertise
through the network.
D. The IPv4 address is needed to tag the MPLS label.
E. The VPNv4 address consists of a 64-bit route distinguisher that is prepended to the IPv4
prefix.

Answer: B E

Explanation
VPNv4 address consists of 64-bit Route Distinguisher (RD) prepended to IPv4 prefix. This is
to make routes unique that are in different VRFs.

Question 19

Refer to the exhibit.

The DHCP client is unable to receive an IP address from the DHCP server. RouterB is
configured as follows:

interface Fastethernet0/0
description Client DHCP ID 43574645
ip address 172.31.1.1 255.255.255.0
!
ip route 172.16.1.0 255.255.255.0 10.1.1.2

Which command is required on the Fastethernet0/0 interface of RouterB to resolve this
issue?

A. RouterB(config-if)#ip helper-address 172.31.1.1
B. RouterB(config-if)#ip helper-address 172.16.1.2
C. RouterB(config-if)#ip helper-address 172.16.1.1
D. RouterB(config-if)#ip helper-address 255.255.255.255

Answer: B

Question 20

Refer to the exhibit.

OSPF: Send DBD to 10.100.1.2 on GigabitEthernet0/1 seq 0x9E6 opt 0x52 flag 0x7 len 32
OSPF: Retransmitting DBD to 10.100.1.2 on GigabitEthernet0/1 [10]
OSPF: Send DBD to 10.100.1.2 on GigabitEthernet0/1 seq 0x9E6 opt 0x52 flag 0x7 len 32
OSPF: Retransmitting DBD to 10.100.1.2 on GigabitEthernet0/1 [11]
%OSPF-5-ADJCHG: Process 1, Nbr 10.100.1.2 on GigabitEthernet0/1 from EXSTART to DOWN, Neighbor
Down: Too many retransmissions
The OSPF neighbor relationship is not coming up. What must be configured to restore OSPF
neighbor adjacency?

A. matching hello timers
B. matching MTU values
C. use router ID
D. OSPF on the remote router

Answer: B

Question 21

Refer to the exhibit.


A network administrator redistributed the default static route into OSPF toward all internal
routers to reach to Internet. Which set of commands restores reachability to the Internet by
internal routers?
A. router ospf 1
redistribute static subnets

B. router ospf 1
network 0.0.0.0 0.0.0.0 area 0
C. router ospf 1
redistribute connected 0.0.0.0
D. router ospf 1
default-information originate

Answer: D

Question 22

Refer to the exhibit.

ipv6 unicast-routing
!
router ospfv3 4
router-id 192.168.1.1
!
interface E0/0
ipv6 enable
ip address 10.1.1.1 255.255.255.0
ospfv3 4 area 0 ipv4
no shut
!
interface Loopback0
ipv6 enable
ip address 172.16.1.1 255.255.255.0
ospfv3 4 area 0 ipv4

The network administrator configured the branch router for IPv6 on the E0/0 interface. The
neighboring router is fully configured to meet requirements, but the neighbor relationship is
not coming up. Which action fixes the problem on the branch router to bring the IPv6
neighbors up?

A. Enable the IPv4 address family under the router ospfv3 4 process by using
the address-family ipv4 unicast command
B. Disable IPv6 on the E0/0 interface using the no ipv6 enable command
C. Enable the IPv4 address family under the E0/0 interface by using the address-family
ipv4 unicast command
D. Disable OSPF for IPv4 using the no ospfv3 4 area 0 ipv4 command under the E0/0
interface

Answer: A

Explanation
Once again, Cisco changed the IOS configuration commands required for OSPFv3
configuration. The new OSPFv3 configuration uses the “ospfv3” keyword instead of the
earlier “ipv6 router ospf” routing process command and “ipv6 ospf” interface commands.

The Open Shortest Path First version 3 (OSPFv3) address families feature enables both IPv4
and IPv6 unicast traffic to be supported. With this feature, users may have two processes
per interface, but only one process per address family (AF).

Question 23

What are two characteristics of VRF instance? (Choose two)

A. All VRFs share customers routing and CEF tables
B. Each VRF has a different set of routing and CEF tables
C. An interface must be associated to one VRF
D. A customer site can be associated to different VRFs
E. It is defined by the VPN membership of a customer site attached to a P device

Answer: B D
Explanation

VPN routing information is stored in the IP routing table and in the Cisco Express Forwarding
table for each VRF.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipswitch_cef/configuration/xe-3s/isw-cef-xe-3s-book/isw-cef-basic-config.html

Question 24
Which two components are needed for a service provider to utilize the L3VPN MPLS
application? (Choose two)

A. The P routers must be configured with RSVP
B. The P routers must be configured for MP-iBGP toward the PE routers
C. The P and PE routers must be configured with LDP or RSVP
D. The PE routers must be configured for MP-eBGP to connect to CEs
E. The PE routers must be configured for MP-iBGP with other PE routers

Answer: C E

Explanation

MPLS Network Protocols

+ IGP: OSPF, EIGRP, IS-IS on core facing and core links
+ RSVP and/or LDP on core and/or core facing links -> Answer C is correct.
+ MP-iBGP on PE devices (for MPLS services); MP-BGP: Multiprotocol Border Gateway
Protocol, used for MPLS L3 VPN -> Answer E is correct.

Reference: https://www.uio.no/studier/emner/matnat/ifi/IN3230/h19/kursmateriell/mpls-lecture.pdf

Question 25

Refer to the exhibit. The Los Angeles and New York routers are receiving routes from
Chicago but not from each other. Which configuration fixes the issue?
Chicago
interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source E0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map multicast dynamic
no ip next-hop-self eigrp 111
tunnel protection ipsec profile IPSec-PROFILE
!
router eigrp 111
network 192.168.1.0
network 10.0.0.0

A. interface Tunnel1
ip next-hop-self eigrp 111

B. interface Tunnel1
no ip split-horizon eigrp 111

C. interface Tunnel1
tunnel mode ipsec ipv4

D. interface Tunnel1
tunnel protection ipsec profile IPSec-PROFILE

Answer: B
Explanation

In this topology, Chicago router (Hub) will receive advertisements from Los Angeles
(Spoke1) router on its tunnel interface. The problem here is that it also has a connection
with New York (Spoke2) on that same tunnel interface. If we don’t disable EIGRP split-
horizon, then the Hub will not relay routes from Spoke1 to Spoke2 and the other way
around. That is because it received those routes on interface Tunnel1 and therefore it
cannot advertise back out that same interface (split-horizon rule). Therefore we must
disable split-horizon on the Hub router to make sure the Spokes know about each other.

Question 26

Refer to the exhibit.

An engineer sets up a DMVPN connection to connect branch 1 and branch 2 to HQ. Branch 1
and branch 2 cannot communicate with each other. Which change must be made to resolve
this issue?

A. R1(config)#int e1/1
R1(config-if)#no ip split-horizon eigrp 100

B. R1(config)#int tunnel1
R1(config-if)#no ip split-horizon eigrp 100

C. R1(config)#router eigrp 100
R1(config-if)#neighbor 172.16.1.3

D. R1(config)#router eigrp 100
R1(config-if)#neighbor 172.16.1.2

Answer: B

Question 27

What is the minimum time gap required by the local system before putting a BFD control
packet on the wire?

A. Required Min RX Interval
B. Required Min Echo RX Interval
C. Detect Mult
D. Desired Min TX Interval

Answer: D

Explanation

Desired Min TX Interval: This is the minimum interval, in microseconds, that the local
system would like to use when transmitting BFD Control packets, less any jitter applied. The
value zero is reserved.

Required Min Echo RX Interval: This is the minimum interval, in microseconds, between
received BFD Echo packets that this system is capable of supporting, less any jitter applied
by the sender. If this value is zero, the transmitting system does not support the receipt of
BFD Echo packets.

Reference: https://tools.ietf.org/html/rfc5880

Question 28

Refer to exhibit.

ip dhcp excluded-address 172.16.16.1 172.16.16.2
!
ip dhcp pool 0
network 172.16.16.0 255.255.255.0
domain-name networktut.com
dns-server 172.16.16.2
lease 30

interface Ethernet0/0
ip address 10.1.1.1 255.255.255.252
ip access-group 100 in

access-list 100 deny udp any any
access-list 100 permit ip any any

Which two configurations allow clients to get dynamic ip addresses assigned? (Choose two)

A. Configure access-list 100 permit udp any any eq 68 as the first line
B. Configure access-list 100 permit udp any any eq 86 as the first line
C. Configure access-list 100 permit udp any any eq 61 as the first line
D. Configure access-list 100 permit udp any any eq 67 as the first line
E. Configure access-list 100 permit udp any any eq 69 as the first line

Answer: A D

Explanation

A DHCP server that receives a DHCPDISCOVER message may respond with a DHCPOFFER
message on UDP port 68 (BootP client).

In the event that the DHCP server is not on the local subnet, the DHCP server will send the
DHCPOFFER, as a unicast packet, on UDP port 67, back to the DHCP/BootP Relay Agent
from which the DHCPDISCOVER came.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/27470-100.html

Question 29

Refer to exhibit.
A network administrator has successfully configured DMVPN topology between a hub and
two spoke routers. Which two configuration commands should establish direct
communications between spoke 1 and spoke 2 without going through the hub? (Choose
two)

A. At the hub router, configure the ip nhrp shortcut command
B. At the hub router, configure ip nhrp redirect command
C. At the hub router, configure the ip nhrp spoke-tunnel command
D. At the spoke routers, configure the ip nhrp shortcut command
E. At the spoke routers, configure the ip nhrp spoke-tunnel command

Answer: B D

Explanation

To configure spoke-to-spoke communication we can configure DMVPN Phase II or Phase III.
But in Phase II, the first few packets would go through the hub. In order to bypass the
hub completely, we have to use DMVPN Phase III.

DMVPN Phase III is the same as Phase II but removes some restrictions and complexities of
Phase II. It also allows a greater variety of DMVPN network designs. We use:
+ ip nhrp redirect on the hub: tells the initiating spoke to look for a better path to the
destination spoke than through the hub. Upon receiving the NHRP redirect message, the
spokes communicate with each other over the hub and exchange NHRP replies for the
NHRP Resolution Requests that they sent out.
+ ip nhrp shortcut on the spokes: overrides the CEF table on the spoke. It basically overrides
the next-hop value for a remote spoke network from the default initial hub tunnel IP
address to the NHRP-resolved remote spoke tunnel IP address.

Question 30

Which IPv6 first-hop security feature helps to minimize denial of service attacks?
A. IPv6 Router Advertisement Guard
B. IPv6 Destination Guard
C. DHCPv6 Guard
D. IPv6 MAC address filtering

Answer: B

Explanation

The Destination Guard feature helps in minimizing denial-of-service (DoS) attacks. It
performs address resolution only for those addresses that are active on the link, and
requires the FHS binding table to be populated with the help of the IPv6 snooping feature.
The feature enables the filtering of IPv6 traffic based on the destination address, and
blocks the NDP resolution for destination addresses that are not found in the binding
table. By default, the policy drops traffic destined to an unknown destination.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.pdf

Question 31

Refer to the exhibit.
BRANCH(config)# ip route 0.0.0.0 0.0.0.0 172.16.35.2 track 1
BRANCH(config)# ip route 0.0.0.0 0.0.0.0 172.16.35.6 5
!
BRANCH(config)# ip sla 1
BRANCH(config-ip-sla)# icmp-echo 172.16.35.6
BRANCH(config-ip-sla)# timeout 200
BRANCH(config-ip-sla)# frequency 5
!
BRANCH(config)#ip sla schedule 1 life forever start-time now
!
BRANCH(config)# track 1 ip sla 1 reachability

Traffic from the branch network should route through HQ_R1 unless that path is unavailable.
An engineer tests this functionality by shutting down the interface on the BRANCH router
toward HQ_R1, but 192.168.20.0/24 is then no longer reachable from the branch router.
Which set of configurations resolves the issue?

A. HQ_R2(config)# ip sla responder
HQ_R2(config)# ip sla responder icmp-echo 172.16.35.5

B. BRANCH(config)# ip sla 1
BRANCH(config-ip-sla)# icmp-echo 172.16.35.1

C. HQ_R1(config)# ip sla responder
HQ_R1(config)# ip sla responder icmp-echo 172.16.35.2

D. BRANCH(config)# ip sla 1
BRANCH(config-ip-sla)# icmp-echo 172.16.35.2

Answer: D

Explanation

In the configuration above, the engineer made a mistake: the IP SLA probe tracks
172.16.35.6 (the backup path) instead of the main path (172.16.35.2). Therefore, when the
interface toward HQ_R1 was shut down, track 1 stayed up, the tracked default route stayed in
the routing table, and traffic still tried to go through the main path -> it failed.

To fix this issue, we just need to point the probe at the next hop of the main path
(172.16.35.2).

Question 32

Refer to the exhibit.

DSW1#sh run int f0/0
Building configuration...

Current configuration : 174 bytes
!
interface FastEthernet 0/0
ip address 10.4.10.1 255.255.255.0
ip helper-address 4.4.4.4
duplex auto
speed auto
ipv6 address 2002:A04:A01::A04:A01/120
ipv6 enable
end

Router DHCP is configured to lease IPv4 and IPv6 addresses to clients on ALS1 and ALS2.
Clients on ALS2 receive IPv4 and IPv6 addresses. Clients on ALS1 receive IPv4 addresses.
Which configuration on DSW1 allows clients on ALS1 to receive IPv6 addresses?

A. DSW1(dhcp-config)# default-router 2002:A04:A01::A04:A01
B. DSW1(config)# ipv6 route 2002:404:404::404:404/128 FastEthernet 1/0
C. DSW1(config)# ipv6 dhcp relay destination 2002:404:404::404:404 GigabitEthernet 1/2
D. DSW1(config-if)# ipv6 helper address 2002:404:404::404:404

Answer: C

Question 33

A network administrator is tasked to permit http and https traffic only toward the internet
from the User1 laptop to adhere to company’s security policy. The administrator can still
ping to www.cisco.com. Which interface should the access list 101 be applied to resolve this
issue?

access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.10.0 0.0.0.255 any eq 443
access-list 101 deny ip any any log
!
interface Serial1/0
ip address 200.193.22.94 255.255.255.252
ip access-group 101 in

A. Interface G0/48 in the incoming direction
B. Interface G0/0 in the incoming direction
C. Interface S1/0 in the outgoing direction
D. Interface G0/0 in the outgoing direction

Answer: B

Question 34

Refer to the exhibit.

config t
flow record v4_r1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
collect counter bytes long
collect counter packets long
!
flow exporter EXPORTER-1
destination 172.16.10.2
transport udp 2055
exit
!
flow monitor FLOW-MONITOR-1
exporter EXPORTER-1
record v4_r1
exit
!
flow monitor v4_r1
!
ip cef
!
interface Ethernet0/0.1
ip address 172.16.6.2 255.255.255.0
ip flow monitor v4_r1 input

The remote server is failing to receive the NetFlow data. Which action resolves the issue?

A. Modify the flow transport command transport udp 2055 to move under flow monitor
profile.
B. Modify the interface command to ip flow monitor FLOW-MONITOR-1 input.
C. Modify the udp port under flow exporter profile to ip transport udp 4739.
D. Modify the flow record command record v4_r1 to move under flow exporter profile.

Answer: B

Explanation

From the exhibit we see there are two flow monitors: the first one “FLOW-MONITOR-1” has
been configured correctly but the second one “v4_r1” was left empty and interface E0/0.1 is
using it. So the remote server does not receive any NetFlow data.

Question 35
An engineer must configure a Cisco router to initiate secure connections from the router to
other devices in the network, but the connections keep failing. Which two actions resolve the
issue? (Choose two)
A. Configure a domain name.
B. Configure a crypto key to be generated.
C. Configure a TACACS+ server and enable it.
D. Configure transport input ssh command on the console.
E. Configure a source port for the SSH connection to initiate.

Answer: A B

Explanation

Follow these guidelines when configuring the switch as an SSH server or SSH client:

+ An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server, and the
reverse.
+ If the SSH server is running on a stack master and the stack master fails, the new stack
master uses the RSA key pair generated by the previous stack master.
+ If you get CLI error messages after entering the crypto key generate rsa global
configuration command, an RSA key pair has not been generated. Reconfigure the
hostname and domain, and then enter the crypto key generate rsa command.
+ When generating the RSA key pair, the message No host name specified might appear. If
it does, you must configure a hostname by using the hostname global configuration
command.
+ When generating the RSA key pair, the message No domain specified might appear. If it
does, you must configure an IP domain name by using the ip domain-name global
configuration command.
+ When configuring the local authentication and authorization authentication method, make
sure that AAA is disabled on the console.

Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_0110010.html

Note: The “transport input ssh” command is only needed on the SSH server, not on the SSH client.

============================= New Question (added on 18th-May-2021) =============================
Question 36
An engineer is troubleshooting on the console session of a router and turns on multiple
debug commands. The console screen fills with scrolling debug messages, so the engineer can
neither verify that commands were entered correctly nor see any command output. Which action
allows the engineer to see the entered console commands while continuing to analyze the
debug messages?
A. Configure the no logging console debugging command globally
B. Configure the logging synchronous command
C. Configure the logging synchronous level all command
D. Configure the term no mon command globally

Answer: B
Explanation
Let’s see how the “logging synchronous” command affects command typing:
Without this command, a message may pop up and you may not know what you typed if
that message is too long. When trying to erase (backspace) your command, you realize you
are erasing the message instead.

With this command enabled, when a message pops up you will be put to a new line with
your typing command which is very nice:

============================= New Question (added on 13th-Jul-2021) =============================
Question 37
Bangkok is using ECMP to reach to the 192.168.5.0/24 network. The administrator must
configure Bangkok in such a way that Telnet traffic from 192.168.3.0/24 and
192.168.4.0/24 networks uses the HongKong router as the preferred router. Which set of
configurations accomplishes this task?
A. access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.18.1.2
interface Ethernet0/3
ip policy route-map PBR1
B. access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23
access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.18.1.2
interface Ethernet0/1
ip policy route-map PBR1
C. access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23
access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.18.1.2
!
interface Ethernet0/3
ip policy route-map PBR1
D. access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.18.1.2
!
interface Ethernet0/1
ip policy route-map PBR1

Answer: C
Explanation
We need to use Policy Based Routing (PBR) here on Bangkok router to match the traffic
from 192.168.3.0/24 & 192.168.4.0/24 and “set ip next-hop” to HongKong router
(172.18.1.2 in this case).
Note: Please notice that we have to apply the PBR on incoming interface e0/3 to receive
traffic from 192.168.3.0/24 and 192.168.4.0/24.
Question 38
Refer to the exhibit.

Which action resolves the authentication problem?

A. Configure the user name on the TACACS+ server
B. Configure the UDP port 1812 to be allowed on the TACACS+ server
C. Configure the TCP port 49 to be reachable by the router
D. Configure the same password between the TACACS+ server and router.

Answer: D
Explanation
From the last line of the output, we notice that the result was “Invalid AUTHEN packet”.
Therefore something went wrong with the username or password.
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/200467-Troubleshoot-TACACS-Authentication-Issue.html
Question 39
Refer to the exhibit.

aaa new-model
!
aaa authentication login default line enable
aaa authorization commands 15 default local
aaa authorization network default local
!
username admin privilege 15 password cisco123!
!
ip ssh version 2
!

access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any range 22 smtp
!
line vty 0 4
access-class 101 in
password cisco
transport input all
!
line vty 5 15
access-class 101 in
password cisco
transport input all

The administrator successfully logs into R1 but cannot access privileged mode commands.
What should be configured to resolve the issue?
A. aaa authorization reverse-access
B. secret cisco123! at the end of the username command instead of password cisco123!
C. matching password on vty lines as cisco123!
D. enable secret or enable password commands to enter into privileged mode

Answer: D
Explanation
We tested with GNS3 (but instead of SSH we only configured to allow Telnet access) and
the result was:

We had to enter “cisco” to access R1, but R1 did not allow access to privileged mode. R1 did
not ask for a password to access privileged mode either.
By configuring “enable secret …” or “enable password …”, we could access privileged mode:

Question 40
Drag and drop the MPLS concepts from the left onto the descriptions on the right.
Answer:
+ allows an LSR to remove the label before forwarding the packet: penultimate hop popping
+ accepts unlabeled packets and imposes labels: label edge router
+ group of packets that are forwarded in the same manner: forwarding equivalence class
+ receives labeled packets and swaps labels: label switch router
Explanation
A label edge router (LER, also known as edge LSR) is a router that operates at the edge of
an MPLS network and acts as the entry and exit points for the network. LERs push an MPLS
label onto an incoming packet and pop it off an outgoing packet.
A forwarding equivalence class (FEC) is a term used to describe a set of packets with similar
or identical characteristics which may be forwarded the same way; that is, they may be
bound to the same MPLS label.
Question 41
Which two protocols work in the control plane of P routers across the MPLS cloud? (choose
two)
A. LSP
B. RSVP
C. ECMP
D. LDP
E. MPLS OAM

Answer: B D
Question 42
Refer to the exhibit.
An engineer configured R2 and R5 as route reflectors and noticed that not all routes are
sent to R1 to advertise to the eBGP peers. Which iBGP routers must be configured as route
reflectors to advertise all routes to restore reachability across all networks?
A. R1 and R4
B. R1 and R5
C. R4 and R5
D. R2 and R5

Answer: C
Explanation
When R2 & R5 are route reflectors (RRs), routes from R4 & R8 are advertised to R5 and R5
advertises to R2. But R2 would drop them as R2 is also a RR. Therefore some routes are
missing on R1 to advertise to eBGP peers.
Good reference: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2015/pdf/TECRST-2310.pdf
Route reflectors (RRs) must be fully iBGP meshed, so we cannot configure RRs on both R1 and
R5.
We should choose the routers at the center of the topology as RRs, in this case R4 & R5.
Question 43
Refer to the exhibit.
Routing protocols are mutually redistributed on R3 and R1. Users report intermittent
connectivity to services hosted on the 10.1.1.0/24 prefix. Significant routing update
changes are noticed on R3 when the show ip route profile command is run. How must the
services be stabilized?
A. The issue with using BGP must be resolved by using another protocol and redistributing it
into EIGRP on R3
B. The routing loop must be fixed by reducing the admin distance of iBGP from 200 to 100
on R3
C. The routing loop must be fixed by reducing the admin distance of OSPF from 110 to 80
on R3
D. The issue with using iBGP must be fixed by running eBGP between R3 and R4

Answer: B
Explanation
After redistribution, R3 learns about network 10.1.1.0/24 via two paths:
+ Internal BGP (IBGP): advertised from R4 with AD of 200 (and metric of 0)
+ OSPF: advertised from R1 with AD of 110 (O E2) (and metric of 20)
Therefore R3 will choose the path with the lower AD, via OSPF.
But this is a looped path (R3 -> R2 -> R1 -> R3). So when the route advertised from R4
expires, the looped path also expires soon afterwards and R3 reinstalls the main path from
R4. This is the cause of the intermittent connectivity.
In order to solve this issue, we can lower the AD of iBGP to a value which is lower than 110
so that it is preferred over OSPF-advertised route.
Question 44
Refer to the exhibit.
A network administrator added one router in the Cisco DNA Center and checked its
discovery and health from the Network Health Dashboard. The network administrator
observed that the router is still showing up as unmonitored. What must be configured on
the router to mount it in the Cisco DNA Center?
A. Configure router with NetFlow data
B. Configure router with the telemetry data
C. Configure router with routing to reach Cisco DNA Center
D. Configure router with SNMPv2c or SNMPv3 traps

Answer: B

Explanation
Unmonitored: Unmonitored devices are devices for which Assurance did not receive any
telemetry data during the specified time range.
Question 45
Refer to the exhibit.
NTP is configured across the network infrastructure and Cisco DNA Center. An NTP issue
was reported on the Cisco DNA Center at 17:15. Which action resolves the issue?
A. Check and resolve reachability between the WLC and the NTP server
B. Reset the NTP server to resolve any synchronization issues for all devices
C. Check and resolve reachability between Cisco DNA Center and the NTP server
D. Check and configure NTP on the WLC and synchronize with Cisco DNA Center

Answer: D
Explanation
Excessive time lag between Cisco DNA Center and device: The time difference between
Cisco DNA Center and the device IP Address has drifted too far apart. Cisco DNA Center
cannot process the device data accurately if the time difference is more than 3 minutes.
Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center-assurance/1-2-10/b_cisco_dna_assurance_1_2_10_ug/b_cisco_dna_assurance_1_2_10_ug_chapter_01101.html
Question 46
Refer to the exhibit.

Feb 9:15:29:29.713: DHCP_SNOOPING: process new DHCP packet, message type: DHCPINFORM, input interface: Po2, MAC da: ffff.ffff.ffff, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0
Feb 9:15:29:29.713: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN (1)
Feb 9:15:29:29.713: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan1.
Feb 9:15:29:31.223: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po2 for pak. Was Vl1
Feb 9:15:29:31.223: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Vl1 for pak. Was Po2
Feb 9:15:29:31.223: DHCPSNOOP(hlfm_set_if_input): Setting if_input to Po2 for pak. Was Vl1
Feb 9:15:29:31.223: DHCP_SNOOPING: received new DHCP packet from input interface (Port-channel2)

A network administrator enables DHCP snooping on the Cisco Catalyst 3750-X switch and
configures the uplink port (Port-channel2) as a trusted port. Clients are not receiving an IP
address, but when DHCP snooping is disabled, clients start receiving IP addresses. Which
global command resolves the issue?
A. no ip dhcp snooping information option
B. ip dhcp snooping
C. ip dhcp relay information trust portchannel2
D. ip dhcp snooping trust

Answer: A
Question 47
Which configuration feature should be used to block rogue router advertisements instead of
using the IPv6 Router Advertisement Guard feature?
A. VACL blocking broadcast frames from nonauthorized hosts
B. PVLANs with promiscuous ports associated to route advertisements and isolated ports for
nodes
C. PVLANs with community ports associated to route advertisements and isolated ports for
nodes
D. IPv4 ACL blocking route advertisements from nonauthorized hosts

Answer: D
Explanation
The IPv6 Router Advertisement Guard feature provides support for allowing the network
administrator to block or reject unwanted or rogue router advertisement guard messages
that arrive at the network device platform. Router Advertisements are used by devices to
announce themselves on the link. The IPv6 Router Advertisement Guard feature analyzes
these router advertisements and filters out router advertisements that are sent by
unauthorized devices.
Certain switch platforms can already implement some level of rogue RA filtering by the
administrator configuring Access Control Lists (ACLs) that block RA ICMP messages that
might be inbound on “user” ports.
Reference: https://datatracker.ietf.org/doc/html/rfc6104
Question 48
Refer to the exhibit.

ip prefix-list PLIST1 permit 172.20.5.0/24
!
route-map SETLP permit 10
match ip address prefix-list PLIST1
set local-preference 90
!
router bgp 111
neighbor 192.168.10.1 remote-as 100
neighbor 192.168.10.1 route-map SETLP in
neighbor 192.168.20.2 remote-as 200

AS 111 wanted to use AS 200 as the preferred path for 172.20.5.0/24 and AS 100 as the
backup. After the configuration, AS 100 is not used for any other routes. Which
configuration resolves the issue?
A. route-map SETLP permit 10
match ip address prefix-list PLIST1
set local-preference 110
route-map SETLP permit 20
B. route-map SETLP permit 10
match ip address prefix-list PLIST1
set local-preference 99
route-map SETLP permit 20
C. router bgp 111
no neighbor 192.168.10.1 route-map SETLP in
neighbor 192.168.20.2 route-map SETLP in
D. router bgp 111
no neighbor 192.169.10.1 route-map SETLP in
neighbor 192.168.10.1 route-map SETLP out

Answer: B
Explanation
There is an implicit deny at the end of every route-map, so all other prefixes that do not
match 172.20.5.0/24 are denied (dropped). Therefore we have to add a permit sequence with no
match clause at the end of the route-map to accept the other prefixes.
The default value of Local Preference is 100 and higher value is preferred so we have to set
the local preference of AS100 lower than that of AS200.
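As an added illustration (not part of the original question or of any Cisco code), the following Python script simulates how the inbound route-map SETLP from the exhibit is evaluated: clauses are walked in sequence order, a prefix that matches no clause hits the implicit deny, and a matched prefix keeps the default local preference of 100 unless a set clause changes it. The prefixes other than 172.20.5.0/24 and the assumption that both neighbors advertise the same prefixes are constructed for the example; the best-path comparison assumes no weight is configured, so local preference decides.

```python
from ipaddress import ip_network

# Constructed sample data: the two eBGP neighbors from the exhibit and a few
# prefixes assumed to arrive from both of them (only 172.20.5.0/24 is on the page).
AS100_NEIGHBOR = "192.168.10.1"
AS200_NEIGHBOR = "192.168.20.2"
ADVERTISED = {
    AS100_NEIGHBOR: ["172.20.5.0/24", "172.20.6.0/24", "10.10.0.0/16"],
    AS200_NEIGHBOR: ["172.20.5.0/24", "172.20.6.0/24", "10.10.0.0/16"],
}
PLIST1 = ["172.20.5.0/24"]        # ip prefix-list PLIST1 permit 172.20.5.0/24
DEFAULT_LOCAL_PREF = 100

# A route-map is an ordered list of clauses; match=None means "match everything".
BROKEN_SETLP = [                   # the exhibit: one clause, implicit deny for the rest
    {"seq": 10, "action": "permit", "match": PLIST1, "set_lp": 90},
]
FIXED_SETLP = [                    # option B: lower LP for the prefix, permit the rest
    {"seq": 10, "action": "permit", "match": PLIST1, "set_lp": 99},
    {"seq": 20, "action": "permit", "match": None, "set_lp": None},
]


def prefix_list_match(prefix, plist):
    """A prefix-list entry without ge/le matches only that exact prefix and length."""
    return any(ip_network(prefix) == ip_network(entry) for entry in plist)


def apply_route_map(route_map, prefix):
    """Walk clauses in sequence order; return the local preference the prefix is
    accepted with, or None if it is denied (implicit deny at the end of the map)."""
    for clause in sorted(route_map, key=lambda c: c["seq"]):
        if clause["match"] is not None and not prefix_list_match(prefix, clause["match"]):
            continue
        if clause["action"] == "deny":
            return None
        return DEFAULT_LOCAL_PREF if clause["set_lp"] is None else clause["set_lp"]
    return None


def bgp_table(inbound_route_maps):
    """{prefix: [(neighbor, local_pref), ...]} after inbound route-maps are applied."""
    table = {}
    for neighbor, prefixes in ADVERTISED.items():
        rmap = inbound_route_maps.get(neighbor)
        for prefix in prefixes:
            lp = DEFAULT_LOCAL_PREF if rmap is None else apply_route_map(rmap, prefix)
            if lp is not None:
                table.setdefault(prefix, []).append((neighbor, lp))
    return table


def prefixes_via(table, neighbor):
    """Prefixes for which a path through the given neighbor survived the route-map."""
    return sorted(p for p, paths in table.items() if any(n == neighbor for n, _ in paths))


def best_path(table, prefix):
    """Highest local preference wins (assumption: no weight is configured)."""
    paths = table.get(prefix, [])
    return max(paths, key=lambda p: p[1])[0] if paths else None


if __name__ == "__main__":
    for label, rmap in (("broken", BROKEN_SETLP), ("fixed", FIXED_SETLP)):
        table = bgp_table({AS100_NEIGHBOR: rmap})
        print(label, "paths via AS 100:", prefixes_via(table, AS100_NEIGHBOR))
        print(label, "best path for 172.20.5.0/24:", best_path(table, AS200_NEIGHBOR and "172.20.5.0/24"))
```

With the broken map only 172.20.5.0/24 survives from AS 100; with the fixed map every prefix from AS 100 is kept, and 172.20.5.0/24 still prefers AS 200 because 99 is lower than the default 100.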
============================= New Question (added on 28th-Jul-
2021) =============================
Question 49
A customer reports to the support desk that they cannot print from their PC to the local
printer id:401987778. Which tool must be used to diagnose the issue using Cisco DNA
Center Assurance?
A. application trace
B. path trace
C. ACL trace
D. device trace

Answer: B

Question 50
Refer to the exhibit.

Gateway-Router# show ipv6 access-list
IPv6 access list Default_Access
permit tcp host 2018:DB1:A:B::1 host 2018:DB1:A:C::1 eq www sequence 10
deny tcp any host 2018:DB1:A:C::1 eq telnet sequence 20
permit tcp host 2018:DB1:A:B::2 host 2018:DB1:A:C::1 eq telnet sequence 30
permit ipv6 2018:DB1:A:B::/64 any sequence 40

PC-2 failed to establish a Telnet connection to the terminal server. Which configuration
resolves the issue?
A. Gateway-Router(config)#ipv6 access-list Default_Access
Gateway-Router(config-ipv6-acl)#sequence 15 permit tcp host 2018:DB1:A:B::2 host
2018:DB1:A:C::1 eq telnet
B. Gateway-Router(config)#ipv6 access-list Default_Access
Gateway-Router(config-ipv6-acl)#permit tcp host 2018:D81:A:B::2 host 2018:DB1:A:C::1
eq telnet
C. Gateway-Router(config)#ipv6 access-list Default_Access
Gateway-Router(config-ipv6-acl)#no sequence 20
Gateway-Router(config-ipv6-acl)#sequence 5 permit tcp host 2018:DB1:A:B::2 host
2018:DB1:A:C::1 eq telnet
D. Gateway-Router(config)#ipv6 access-list Default_Access
Gateway-Router(config-ipv6-acl)#sequence 25 permit tcp host 2018:DB1:A:B::2 host
2018:DB1:A:C::1 eq telnet

Answer: A
Explanation
In fact in this question both answer A and answer C are correct but we believe answer A is
the better choice as it only allows PC-2 to telnet to terminal server. All other hosts are
refused to telnet to terminal server via sequence 20.
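To show why the sequence number decides here, the following Python script is an added example (not part of the original question or of any Cisco code) that parses the ACL lines from the exhibit and evaluates a packet against them in sequence order, then compares the four options. It assumes the IOS behaviour that an entry added without an explicit sequence number is placed at the highest existing sequence plus 10, and that a TCP packet matching no entry hits the implicit deny at the end of the list; the host 2018:DB1:A:B::9 used as "some other host" is constructed.

```python
from ipaddress import ip_address, ip_network

# The ACL lines from the exhibit, as a text block this example parses.
DEFAULT_ACCESS = """
permit tcp host 2018:DB1:A:B::1 host 2018:DB1:A:C::1 eq www sequence 10
deny tcp any host 2018:DB1:A:C::1 eq telnet sequence 20
permit tcp host 2018:DB1:A:B::2 host 2018:DB1:A:C::1 eq telnet sequence 30
permit ipv6 2018:DB1:A:B::/64 any sequence 40
"""
PORT_NAMES = {"www": 80, "telnet": 23}
TERMINAL_SERVER = "2018:DB1:A:C::1"
PC2 = "2018:DB1:A:B::2"
OTHER_HOST = "2018:DB1:A:B::9"   # constructed: some other host on PC-2's subnet


def parse_entry(line):
    """Parse one IOS-style IPv6 ACE. 'sequence' is optional, as it is on the CLI."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):                       # source, then destination
        if tok[i] == "host":
            addrs.append(ip_network(tok[i + 1] + "/128")); i += 2
        elif tok[i] == "any":
            addrs.append(ip_network("::/0")); i += 1
        else:
            addrs.append(ip_network(tok[i], strict=False)); i += 1
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]); i += 2
    seq = int(tok[tok.index("sequence") + 1]) if "sequence" in tok else None
    return {"seq": seq, "action": action, "proto": proto,
            "src": addrs[0], "dst": addrs[1], "dport": dport}


def parse_acl(text):
    return sorted((parse_entry(l) for l in text.strip().splitlines()), key=lambda e: e["seq"])


def add_entry(acl, line):
    """Insert an ACE. Without an explicit sequence, IOS appends it at (highest seq + 10),
    i.e. after every existing line (assumption stated in the lead-in)."""
    entry = parse_entry(line)
    if entry["seq"] is None:
        entry["seq"] = (max(e["seq"] for e in acl) if acl else 0) + 10
    return sorted(acl + [entry], key=lambda e: e["seq"])


def remove_seq(acl, seq):
    return [e for e in acl if e["seq"] != seq]


def acl_permits(acl, src, dst, proto="tcp", dport=None):
    """The first matching ACE in sequence order decides; returns (permitted, seq).
    A TCP packet matching nothing hits the implicit deny ipv6 any any."""
    s, d = ip_address(src), ip_address(dst)
    for e in acl:
        if e["proto"] not in ("ipv6", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"] == "permit", e["seq"]
    return False, None


PC2_TELNET = f"permit tcp host {PC2} host {TERMINAL_SERVER} eq telnet"
BASE = parse_acl(DEFAULT_ACCESS)
OPTION_A = add_entry(BASE, PC2_TELNET + " sequence 15")
OPTION_B = add_entry(BASE, PC2_TELNET)                         # lands at sequence 50
OPTION_C = add_entry(remove_seq(BASE, 20), PC2_TELNET + " sequence 5")
OPTION_D = add_entry(BASE, PC2_TELNET + " sequence 25")

if __name__ == "__main__":
    for name, acl in (("base", BASE), ("A", OPTION_A), ("B", OPTION_B),
                      ("C", OPTION_C), ("D", OPTION_D)):
        print(name, "PC-2 telnet:", acl_permits(acl, PC2, TERMINAL_SERVER, dport=23),
              "other host telnet:", acl_permits(acl, OTHER_HOST, TERMINAL_SERVER, dport=23))
```

Options B and D both land after the deny at sequence 20, so PC-2 is still blocked; option A and option C both let PC-2 through, but option C, having removed sequence 20, also lets every other host in 2018:DB1:A:B::/64 telnet to the terminal server via sequence 40.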
Question 51
Missing figure.

Refer to the exhibit.

L 172.1.12.3/32 is directly connected, Ethernet0/0
C 172.1.13.0/24 is directly connected, Ethernet0/1
L 172.1.13.3/32 is directly connected, Ethernet0/1
O 192.168.1.0/24 [110/2] via 172.1.12.1, 00:04:44, Ethernet0/0
O 192.168.2.0/24 [110/2] via 172.1.12.1, 00:04:44, Ethernet0/1
O 192.168.3.0/24 [110/2] via 172.1.13.2, 00:04:44, Ethernet0/1
O 192.168.4.0/24 [110/2] via 172.1.13.2, 00:04:44, Ethernet0/1
192.168.5.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.5.0/24 is directly connected, Loopback0
L 192.168.5.1/32 is directly connected, Loopback0
192.168.6.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.6.0/24 is directly connected, Loopback1
L 192.168.6.1/32 is directly connected, Loopback1

SanFrancisco and Boston routers are choosing slower links to reach each other despite the
direct links being up. Which configuration fixes the issue?

Option A (all routers):
router ospf 1
auto-cost reference-bandwidth 100

Option B (Boston router):
router ospf 1
auto-cost reference-bandwidth 1000

Option C (all routers):
router ospf 1
auto-cost reference-bandwidth 1000

Option D (SanFrancisco router):
router ospf 1
auto-cost reference-bandwidth 1000

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C
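The following Python script is an added example (not part of the original question or of any Cisco code) that applies the IOS OSPF cost formula, cost = reference bandwidth / interface bandwidth (integer part, minimum 1, default reference 100 Mbps), to show why a 100 Mbps reference makes FastEthernet and GigabitEthernet links cost the same (so the slower link is used as an equal-cost path), and why the reference bandwidth must be changed on all routers rather than on one. The interface types and the parallel FastEthernet link are constructed, since the exhibit does not show them.

```python
# Interface bandwidths in kbps, as IOS reports them in "show interfaces".
# Constructed sample: the exhibit does not give the interface types.
LINK_BW_KBPS = {
    "Serial": 1_544,
    "Ethernet": 10_000,
    "FastEthernet": 100_000,
    "GigabitEthernet": 1_000_000,
    "TenGigabitEthernet": 10_000_000,
}


def ospf_cost(bandwidth_kbps, reference_bandwidth_mbps=100):
    """IOS: cost = reference bandwidth / interface bandwidth, integer part, minimum 1.
    The default reference bandwidth is 100 Mbps."""
    return max(1, (reference_bandwidth_mbps * 1000) // bandwidth_kbps)


def path_cost(links, reference_bandwidth_mbps):
    """Sum of the outgoing-interface costs along a path."""
    return sum(ospf_cost(LINK_BW_KBPS[link], reference_bandwidth_mbps) for link in links)


def best_paths(paths, reference_bandwidth_mbps):
    """Return (names of all lowest-cost paths, {name: cost}); several names mean ECMP."""
    costs = {name: path_cost(links, reference_bandwidth_mbps) for name, links in paths.items()}
    lowest = min(costs.values())
    return sorted(name for name, cost in costs.items() if cost == lowest), costs


def link_cost_per_router(reference_by_router, link):
    """Each router computes its own cost from its own reference bandwidth, so a value
    changed on only one router (options B and D) makes the two directions disagree."""
    return {router: ospf_cost(LINK_BW_KBPS[link], ref) for router, ref in reference_by_router.items()}


# Constructed: a direct Gigabit link and a parallel FastEthernet link between the routers.
PATHS = {"direct-gig": ["GigabitEthernet"], "slow-fast": ["FastEthernet"]}

if __name__ == "__main__":
    for ref in (100, 1000):
        print(f"auto-cost reference-bandwidth {ref}:", best_paths(PATHS, ref))
    print(link_cost_per_router({"SanFrancisco": 1000, "Boston": 100}, "FastEthernet"))
```

With the default reference both links cost 1 and OSPF load-shares over them; with 1000 the FastEthernet link costs 10 and only the Gigabit link is used. Setting 1000 on one router only gives that router cost 10 for a FastEthernet link while its neighbour still sees 1, so the two directions no longer agree.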
Question 52
Drag and drop the LDP features from the left onto the descriptions on the right.

Answer:
+ packet is encapsulated in MPLS with the option of copying the IP precedence to EXP bits:
explicit null label
+ provides ways of improving load balancing by eliminating the need for DPI at transit
LSRs: entropy label
+ LSR receives an MPLS header with the label set to 3: implicit null label
+ controls the amount of memory used to store LDP label bindings advertised by other
devices: inbound label binding filtering
Explanation
The MPLS LDP Inbound Label Binding Filtering feature can be used to control the
amount of memory used to store Label Distribution Protocol (LDP) label bindings advertised
by other devices. For example, in a simple Multiprotocol Label Switching (MPLS) Virtual
Private Network (VPN) environment, the VPN provider edge (PE) devices might require label
switched paths (LSPs) only to their peer PE devices (that is, they do not need LSPs to core
devices). Inbound label binding filtering enables a PE device to accept labels only from other
PE devices.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/15-sy/mp-ldp-15-sy-book/mp-ldp-inbound-filtr.html
The egress LSR initially sends a special label value of 3 to the next-to-last LSR (called
the penultimate LSR). This label 3 is called the IPv4 Implicit Null label. When an LSR
receives an MPLS header in which the label is set to 3, it always pops the header (it
removes the top label).
The entropy label is protocol independent, it provides a unified way of load balancing
without looking into the protocol header.
Note: DPI is short for deep packet inspection. DPI is performed to determine the load
balancing.
When a packet or Ethernet frame is encapsulated in MPLS, you have the option of copying
the IP precedence or 802.1p bits to the three CoS bits of the MPLS header i.e. EXP Bits.
If a POP is performed at the penultimate LSR, the EXP bits in the MPLS header are no longer
available as a reference for queuing and the packet is queued on the outgoing interface
according to the CoS behavior of the underlying payload (in an IPv4 packet, the ToS
field). An explicit null (Label Value 0 for IPv4), on the other hand, leaves the MPLS header
in place until it reaches the egress, preserving the LSP CoS behavior across the entire LSP.
Question 53
Refer to the exhibit.

Debug output:

username: USER55
password:
Aug 26 12:39:23.813: TPLUS: Queuing AAA Authentication request 4950 for processing
Aug 26 12:39:23.813: TPLUS(00001356) login timer started 1020 sec timeout
Aug 26 12:39:23.813: TPLUS: processing authentication continue request id 4950
Aug 26 12:39:23.813: TPLUS: Authentication continue packet generated for 4950
Aug 26 12:39:23.813: TPLUS(00001356)/0/WRITE/3A72C8D0: Started 5 sec timeout
!
!---output omitted---!
!
Aug 26 12:40:01.241: TAC+: using previously set server 192.168.1.3 from group tacacs+
Aug 26 12:40:01.241: TAC+: Opening TCP/IP to 192.168.1.3/49 timeout=5
Aug 26 12:40:01.249: TAC+: Opened TCP/IP handle 0x3BE31D1C to 192.168.1.3/49
Aug 26 12:40:01.249: TAC+: Opened 192.168.1.3 index=1
Aug 26 12:40:01.250: TAC+: 192.168.1.3 (3653537180) AUTHOR/START queued
Aug 26 12:40:01.449: TAC+: (3653537180) AUTHOR/START processed
Aug 26 12:40:01.449: TAC+: (-641430116): received author response status = FAIL
Aug 26 12:40:01.450: TAC+: Closing TCP/IP 0x3BE31D1C connection to 192.168.1.3/49
A network administrator logs into the router using TACACS+ username and password
credentials, but the administrator cannot run any privileged commands. Which action
resolves the issue?
A. Configure TACACS+ synchronization with the Active Directory admin group
B. Configure the username from a local database
C. Configure full access for the username from TACACS+ server
D. Configure an authorized IP address for this user to access this router

Answer: C
Question 54
How does an MPLS Layer 3 VPN function?
A. set of sites use multiprotocol BGP at the customer site for aggregation
B. multiple customer sites interconnect through a service provider network using customer
edge to provider edge connectivity
C. set of sites interconnect privately over the Internet for security
D. multiple customer sites interconnect through service provider network to create secure
tunnels between customer edge devices

Answer: B
Explanation
A Multiprotocol Label Switching(MPLS) Layer 3 Virtual Private Network (VPN) consists of a
set of sites that are interconnected by means of an MPLS provider core network. At each
customer site, one or more customer edge (CE) routers attach to one or more provider edge
(PE) routers.
Reference: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r6-5/lxvpn/configuration/guide/b-l3vpn-cg-asr9000-65x/b-l3vpn-cg-asr9000-65x_chapter_010.pdf
Question 55
Refer to the exhibit.

ipv6 access-list INTERNET
permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet
permit tcp 2001:DB8:AD59:BA21::/64 any eq http
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log

When monitoring an IPv6 access list, an engineer notices that the ACL does not have any
hits and is causing unnecessary traffic to pass through the interface. Which command must
be configured to resolve the issue?
A. ipv6 traffic-filter INTERNET in
B. access-class INTERNET in
C. ipv6 access-class INTERNET in
D. ip access-group INTERNET in

Answer: A
Explanation
Use the command “ipv6 traffic-filter access-list-name { in | out }” to apply the access list
to incoming or outgoing traffic on the interface.
Question 56
An engineer configured Reverse Path Forwarding on an interface and noticed that the routes
are dropped when a route lookup fails on that interface for a prefix that is available in the
routing table. Which interface configuration resolves the issue?
A. ip verify unicast source reachable-via rx
B. ip verify unicast source reachable-via any
C. ip verify unicast source reachable-via allow-default
D. ip verify unicast source reachable-via l2-src

Answer: B
Explanation
According to this question, uRPF is running in strict mode because packets are dropped even
when that route exists in the routing table. Maybe packets are dropped because the
receiving interface is different from the interface the local router uses to send packets to
that destination.
The ip verify unicast source reachable-via rx command enables Unicast RPF in strict
mode. To enable loose mode, administrators can use the any option (ip verify unicast
source reachable-via any). In loose mode, it doesn’t matter if we use this interface to reach
the source or not.

The allow-default option allows the use of the default route in the source verification
process.
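As an added example (not part of the original question or of any Cisco code), the following Python script models the strict (rx) and loose (any) uRPF checks against a small constructed routing table, including the allow-default option and an equal-cost prefix: it reproduces the situation in the question, where a source prefix is present in the routing table but the packet is still dropped because strict mode requires the best return path to leave through the interface the packet arrived on. The routing table and the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table (not from the page): (prefix, outgoing interface).
# 172.16.0.0/16 has two equal-cost paths.
RIB = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.1.0.0/16", "Gi0/1"),
    ("10.1.5.0/24", "Gi0/2"),
    ("172.16.0.0/16", "Gi0/1"),
    ("172.16.0.0/16", "Gi0/2"),
]


def lookup(rib, addr):
    """Longest-prefix match. Returns (prefix, set of outgoing interfaces) or None."""
    a = ip_address(addr)
    matches = [(ip_network(p), i) for p, i in rib if a in ip_network(p)]
    if not matches:
        return None
    best_len = max(net.prefixlen for net, _ in matches)
    best = [(net, i) for net, i in matches if net.prefixlen == best_len]
    return str(best[0][0]), {i for _, i in best}


def urpf_check(rib, source, ingress, mode="rx", allow_default=False):
    """True if a packet with this source arriving on `ingress` passes uRPF.
    mode 'rx'  = strict (ip verify unicast source reachable-via rx): the best route
                 back to the source must leave through the receiving interface.
    mode 'any' = loose (ip verify unicast source reachable-via any): any route suffices.
    Without allow-default, a source covered only by the default route fails both modes."""
    route = lookup(rib, source)
    if route is None:
        return False
    prefix, interfaces = route
    if prefix == "0.0.0.0/0" and not allow_default:
        return False
    if mode == "rx":
        return ingress in interfaces
    if mode == "any":
        return True
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed sample traffic: (source address, ingress interface)
SAMPLE_PACKETS = [
    ("10.1.5.7", "Gi0/2"),       # symmetric: reached via the interface it arrived on
    ("10.1.5.7", "Gi0/1"),       # asymmetric: route exists but points at Gi0/2
    ("172.16.3.4", "Gi0/1"),     # ECMP: either Gi0/1 or Gi0/2 is a valid return interface
    ("198.51.100.9", "Gi0/1"),   # only the default route covers this source
]

if __name__ == "__main__":
    for src, ingress in SAMPLE_PACKETS:
        print(src, ingress,
              "strict:", urpf_check(RIB, src, ingress),
              "loose:", urpf_check(RIB, src, ingress, mode="any"),
              "loose+allow-default:", urpf_check(RIB, src, ingress, mode="any", allow_default=True))
```

The second sample packet is the question's case: 10.1.5.0/24 is in the routing table, yet strict mode drops the packet on Gi0/1 because the route points at Gi0/2; switching to reachable-via any accepts it.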
Question 57
Refer to the exhibit.
Troubleshoot and ensure that branch B only ever uses the MPLS B network to reach HQ.
Which action achieves this requirement?
A. Modify the weight of all HQ prefixes received at branch B from the MPLS B network to be
higher than the weights used on the MPLS A network
B. Increase the local preference for all HQ prefixes received at branch B from the MPLS B
network to be higher than the local preferences used on the MPLS A network
C. Introduce AS path prepending on the branch A MPLS B network connection so that any
HQ advertisements from branch A toward the MPLS B network are prepended three times
D. Introduce an AS path filter on branch A routers so that only local prefixes are advertised
into BGP

Answer: D
Explanation
If we modify the weight, increase the local preference or use AS path prepending, we can only make MPLS B preferred over MPLS A. But when MPLS B is down, MPLS A will be used, which does not meet the requirement of this question. Only with AS path filtering can we deny prefixes from a certain AS and make sure branch B never uses MPLS A to reach HQ.
Question 58
Refer to the exhibit.

NY
router ospf 1
network 192.168.12.0 0.0.0.255 area 0
network 172.16.2.0 0.0.0.255 area 0
!
interface E0/0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 Cisco123

The neighbor relationship is not coming up. Which two configurations bring the adjacency
up? (Choose two)
A. LA
router ospf 1
area 0 authentication message-digest
B. NY
interface E0/0
no ip ospf message-digest-key 1 md5 Cisco123
ip ospf authentication-key Cisco123
C. LA
interface E0/0
ip ospf authentication-key Cisco123
D. LA
interface E0/0
ip ospf message-digest-key 1 md5 Cisco123
E. NY
router ospf 1
area 0 authentication message-digest

Answer: A D
Explanation
The configuration on NY router is good for OSPF authentication. So we must enable OSPF
authentication on LA router with the following commands:
router ospf 1
area 0 authentication message-digest
interface E0/0
ip ospf message-digest-key 1 md5 Cisco123
Question 59
Refer to the exhibit.

router ospf 1
redistribute eigrp 1 subnets route-map EIGRP->OSPF
!
router eigrp 1
network 10.0.106.0 0.0.0.255
!
route-map EIGRP->OSPF permit 10
match ip address WAN_PREFIXES
route-map EIGRP->OSPF permit 20
match ip address LOCAL_PREFIXES
route-map EIGRP->OSPF permit 30
match ip address VPN_PREFIXES
!
ip prefix-list LOCAL_PREFIXES seq 5 permit 172.16.0.0/12 le 24
ip prefix-list VPN_PREFIXES seq 5 permit 192.168.0.0/16 le 24
ip prefix-list WAN_PREFIXES seq 5 permit 10.0.0.0/8 le 24
!

The network administrator configured redistribution on an ASBR to reach to all WAN networks but failed. Which action resolves the issue?
A. The route map must have the keyword prefix-list to evaluate the prefix list entries
B. The OSPF process must have a metric when redistributing prefixes from EIGRP
C. The route map EIGRP->OSPF must have the 10.0.106.0/24 entry to exist in one of the
three prefix lists to pass
D. EIGRP must redistribute the 10.0.106.0/24 route instead of using the network statement

Answer: A
Explanation
In this question we have no information about network 10.0.106.0/24, but we can guess this network is directly connected to this router. Or it may be the network we want to redistribute into OSPF, so we still need to turn on EIGRP on it. When we redistribute from EIGRP into OSPF, this network will also be redistributed because it is in the EIGRP domain -> Answer D is not correct.
In order to use a prefix-list in a route-map, we must use the keyword “prefix-list” in the “match” statement. For example:
match ip address prefix-list WAN_PREFIXES
Without this keyword, the router will try to find an access-list with the same name instead.
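As an added example (not part of the original question), the Python below models how IOS evaluates the three prefix lists and the route-map sequences from the exhibit, including the le/ge length range; the route map is written in its corrected form with match ip address prefix-list, and the test routes other than 10.0.106.0/24 are constructed.

```python
from ipaddress import ip_network

# Prefix lists from the exhibit, modelled as (seq, action, prefix, ge, le).
# "permit 10.0.0.0/8 le 24" matches a route inside 10.0.0.0/8 whose length is 8..24.
PREFIX_LISTS = {
    "WAN_PREFIXES":   [(5, "permit", "10.0.0.0/8", None, 24)],
    "LOCAL_PREFIXES": [(5, "permit", "172.16.0.0/12", None, 24)],
    "VPN_PREFIXES":   [(5, "permit", "192.168.0.0/16", None, 24)],
}

# Route map EIGRP->OSPF in its corrected form: every sequence reads
# "match ip address prefix-list <name>". No trailing deny sequence is needed,
# because a route that matches no permit sequence is implicitly denied.
ROUTE_MAP = [(10, "WAN_PREFIXES"), (20, "LOCAL_PREFIXES"), (30, "VPN_PREFIXES")]


def entry_matches(route, prefix, ge=None, le=None):
    """IOS prefix-list entry semantics.

    The route must lie inside `prefix`, and its length must fall in the range
    [ge, le]; with only `le` the range is <prefix length>..le, with only `ge`
    it is ge..32, and with neither only the exact length matches."""
    net = ip_network(prefix)
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = 32
    else:
        high = net.prefixlen
    return route.subnet_of(net) and low <= route.prefixlen <= high


def prefix_list_permits(name, route):
    """Walk the list in sequence order; the first matching entry decides.
    Falling off the end is an implicit deny, exactly as on the router."""
    for seq, action, prefix, ge, le in sorted(PREFIX_LISTS[name], key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False


def route_map_sequence(route_str):
    """Return the route-map sequence that permits the route (so it is
    redistributed into OSPF), or None when it is implicitly denied."""
    route = ip_network(route_str)
    for seq, plist in ROUTE_MAP:
        if prefix_list_permits(plist, route):
            return seq
    return None


if __name__ == "__main__":
    for r in ("10.0.106.0/24", "172.20.5.0/24", "192.168.4.0/24", "10.0.106.0/25"):
        print(r, "->", route_map_sequence(r))
```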
Question 60
Refer to the exhibit.
Which action resolves the failed authentication attempt to the router?
A. Configure aaa authorization login command on line vty 0 4
B. Configure aaa authorization login command on line console 0
C. Configure aaa authorization console global command
D. Configure aaa authorization console command on line vty 0 4

Answer: C
Explanation
In the debug output, we see that the Authorization (not Authentication) failed so we need to
correct the authorization. In order to enable authorization, we must use the global
command “aaa authorization console” first.

If you are trying to enable authorization and the no aaa authorization console command
is configured by default, you will see the following message:
%Authorization without the global command aaa authorization console is useless.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a1.html

Question 61
Refer to the exhibit.

Router# show ip route

2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Ethernet0/0
C 3.0.0.0/8 is directly connected, Serial1/0
O E2 200.1.1.0/24 [110/20] via 2.2.2.2, 00:16:17, Ethernet0/0
O E1 200.2.2.0/24 [110/104] via 2.2.2.2, 00:00:41, Ethernet0/0
131.108.0.0/24 is subnetted, 2 subnets
O 131.108.2.0 [110/74] via 2.2.2.2, 00:16:17, Ethernet0/0
O IA 131.108.1.0 [110/84] via 2.2.2.2, 00:16:17, Ethernet0/0

Router# show ip bgp

Network Next Hop Metric LocPrf Weight Path
*> 2.2.2.0/24 0.0.0.0 0 32768 ?
*> 131.108.1.0/24 2.2.2.2 84 32768 ?
*> 131.108.2.0/24 2.2.2.2 74 32768 ?

The OSPF routing protocol is redistributed into the BGP routing protocol, but not all the
OSPF routes are distributed into BGP. Which action resolves the issue?
A. Use a route-map command to redistribute OSPF external routes defined in a prefix list.
B. Use a route-map command to redistribute OSPF external routes defined in an access list
C. Include the word external in the redistribute command
D. Include the word internal external in the redistribute command

Answer: D
Explanation
If you configure the redistribution of OSPF into BGP without keywords, only OSPF intra-area
and inter-area routes are redistributed into BGP, by default. You can use
the internal keyword along with the redistribute command under router bgp to redistribute
OSPF intra- and inter-area routes.
Use the external keyword along with the redistribute command under router bgp to
redistribute OSPF external routes into BGP.
-> In order to redistribute all OSPF routes into BGP, we must use
both internal and external keywords. The full command would be (suppose we are using
OSPF 1):

redistribute ospf 1 match internal external

Note: The configuration shows match internal external 1 external 2. This is normal
because OSPF automatically appends “external 1 external 2” in the configuration. In other
words, keyword external = external 1 external 2. External 1 = O E1 and External 2 = O E2.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/5242-bgp-ospf-redis.html
Question 62
Refer to the exhibit.
The Math and Science departments connect through the corporate IT router but users in the
Math department must not be able to reach the Science department and vice versa. Which
configuration accomplishes this task?

Option A
vrf definition Science
address-family ipv4
!
interface E0/2
ip address 192.168.1.1 255.255.255.0
no shut
!
interface E0/3
ip address 192.168.2.1 255.255.255.0
no shut
!

Option B
vrf definition Science
!
interface E0/2
ip address 192.168.1.1 255.255.255.0
no shut
!
interface E0/3
ip address 192.168.2.1 255.255.255.0
no shut

Option C
vrf definition Science
address-family ipv4
!
interface E0/2
vrf forwarding Science
ip address 192.168.1.1 255.255.255.0
no shut
!
interface E0/3
vrf forwarding Science
ip address 192.168.2.1 255.255.255.0
no shut

Option D
vrf definition Science
address-family ipv4
!
interface E0/2
ip address 192.168.1.1 255.255.255.0
vrf forwarding Science
no shut
!
interface E0/3
ip address 192.168.2.1 255.255.255.0
vrf forwarding Science
no shut
A. Option A
B. Option B
C. Option C
D. Option D

Answer: C
Question 63
When determining if a system is capable of support, what is the minimum time spacing required between received BFD control packets once a control packet has arrived?
A. Desired Min TX Interval
B. Detect Mult
C. Required Min RX Interval
D. Required Min Echo RX Interval

Answer: C
Explanation
Required Min RX Interval: This is the minimum interval, in microseconds, between received
BFD Control packets that this system is capable of supporting.
Reference: https://www.cisco.com/en/US/technologies/tk648/tk365/tk480/technologies_white_paper0900aecd80244005.html
Note:
Desired Min TX Interval: This is the minimum interval, in microseconds, that the local
system would like to use when transmitting BFD Control packets.
Question 64
While troubleshooting an EIGRP neighbor adjacency problem, the network engineer notices that the interface connected to the neighboring router is not participating in the EIGRP process. Which action resolves the issue?

A. Configure the network command to network 172.16.0.1 0.0.0.0
B. Configure the network command under EIGRP address family vrf CLIENT1
C. Configure EIGRP metrics on interface FastEthernet0/3
D. Configure the network command under EIGRP address family ipv4

Answer: B
Explanation
This is how to configure EIGRP under a VRF:

router eigrp 1
...
!
address-family ipv4 vrf CLIENT1
network 172.16.0.0 0.0.0.255
no auto-summary
autonomous-system 1
exit-address-family

Note: The “real” EIGRP AS running under VRF CLIENT1 is specified via the “autonomous-system 1” command, not “router eigrp 1”.
========================= New Questions (17th-Oct-2021) =========================
Question 65

Refer to the exhibit. An engineer configured BGP between routers R1 and R3. The BGP peers cannot
establish neighbor adjacency to be able to exchange routes. Which configuration resolves this issue?

Option A (R1)
router bgp 6501
address-family ipv6
neighbor AB01:2011:7:100::3 activate

Option B (R3)
router bgp 6502
address-family ipv6
neighbor AB01:2011:7:100::1 activate

Option C (R1)
router bgp 6501
neighbor AB01:2011:7:100::3 ebgp-multihop 255

Option D (R3)
router bgp 6502
neighbor AB01:2011:7:100::1 ebgp-multihop 255
A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

From the output, we learn that R1 was trying to establish a BGP neighbor relationship with R3 but failed. Both of them were using physical interfaces to establish the neighbor relationship, so we do not need the “… ebgp-multihop” command here. The only reasonable answer is that R3 has not been configured to activate the BGP neighbor relationship with R1.

Question 66

Refer to the exhibit.

AS111

router bgp 111
neighbor 195.1.1.1 remote-as 100
neighbor 195.1.1.1 allowas-in
neighbor 195.1.2.2 remote-as 200
neighbor 195.1.2.2 allowas-in

AS111 is receiving its own routes from AS200 causing a loop in the network. Which configuration
provides loop prevention?

Option A
router bgp 111
neighbor 195.1.1.1 as-override
neighbor 195.1.2.2 allowas-in

Option B
router bgp 111
neighbor 195.1.2.2 as-override
no neighbor 195.1.1.1 allowas-in

Option C
router bgp 111
neighbor 195.1.1.1 as-override
neighbor 195.1.2.2 as-override

Option D
router bgp 111
no neighbor 195.1.1.1 allowas-in
no neighbor 195.1.2.2 allowas-in

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

A router discards BGP network prefixes if it sees its own ASN in the AS-Path; this is a loop prevention mechanism. The “allowas-in” feature allows routes to be received and processed even if the router detects its own ASN in the AS-Path.

In this question, this feature is causing a routing loop, so we have to disable it.

Question 67

Which mechanism must be chosen to optimize the reconvergence time for OSPF at company location
407553457 that is less CPU-intensive than reducing the hello and dead timers?

A. SSO
B. OSPF demand circuit
C. Dead Peer Detection keepalives
D. BFD

Answer: D
Question 68

Refer to the exhibit. Which set of commands restores reachability to loopback0?

A. interface loopback0
ip address 4.4.4.4 255.255.255.0
ip ospf network point-to-point

B. interface loopback0
ip address 4.4.4.4 255.255.255.0
ip ospf interface area 10

C. interface loopback0
ip address 4.4.4.4 255.255.255.0
ip ospf interface type network

D. interface loopback0
ip address 4.4.4.4 255.255.255.0
ip ospf network broadcast

Answer: A
Explanation

We tested this config in GNS3 (except the LAN interface) but R1 loopback0 was advertised normally
on R2 and R2 could reach this loopback0.

So we are not sure why this question says “restore reachability to loopback0”. But if we have to
choose a correct answer, we should set the network type of the loopback interface to “point-to-point”
so that the whole subnet would be advertised.

Note: Although the configured loopback address is 4.4.4.4/24, by default OSPF will advertise this route to loopback0 as 4.4.4.4/32 (most specific route to that loopback). In order to override this, we have to change the network type to point-to-point. After this, OSPF will advertise the address of loopback0 as 4.4.4.0/24.

Question 69

Refer to the exhibit.

Branch-Router#
*Nov 29 15:20:22.415: OSPF-1 HELLO Fa1/1: Rcv hello from 3.3.3.3 area 1 10.2.1.3
*Nov 29 15:20:23.195: OSPF-1 HELLO Fa1/1: Send hello to 224.0.0.5 area 1 from 10.2.1.1

Branch-Router#
*Nov 29 15:20:27.955: OSPF-1 HELLO Fa0/0: Rcv hello from 2.2.2.2 area 1 10.1.1.2
*Nov 29 15:20:27.955: OSPF-1 HELLO Fa0/0: Mismatched hello parameters from 10.1.1.2
*Nov 29 15:20:27.955: OSPF-1 HELLO Fa0/0: Dead R 40 C 40, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.240
*Nov 29 15:20:28.311: OSPF-1 HELLO Fa0/0: Send hello to 224.0.0.5 area 1 from 10.1.1.1

A network administrator reviews the branch router console log to troubleshoot the OSPF adjacency
issue with the DR router. Which action resolves this issue?

A. Stabilize the DR site flapping link to establish OSPF adjacency


B. Configure matching hello and dead intervals between sites
C. Advertise the branch WAN interface matching subnet for the DR site
D. Configure the WAN interface for DR site in the related OSPF area

Answer: B

Explanation

We see the error “Mismatched hello parameters from 10.1.1.2” which means the hello intervals
between Branch and DR router are mismatched.

Question 70

A network administrator performed a Compact Flash Memory upgrade on a Cisco Catalyst 6509
Switch. Everything is functioning normally except SNMP, which was configured to monitor the
bandwidth of key interfaces but the interface indexes are changed. Which global configuration resolves
the issue?

A. snmp-server ifindex persist
B. snmp-server ifindex permanent
C. snmp ifindex permanent
D. snmp ifindex persist

Answer: A

Explanation
The SNMP ifIndex persistence feature provides an interface index (ifIndex) value that is retained and
used when the router reboots. The ifIndex value is a unique identifying number associated with a
physical or logical interface. In the following example, SNMP ifIndex persistence is enabled for all
interfaces:

router(config)# snmp-server ifindex persist

Question 71

How is VPN routing information distributed in an MPLS network?

A. It is established using VPN IPsec peers.
B. It is controlled through the use of RD
C. The top level of the customer data packet directs it to the correct CE device
D. It is controlled using VPN target communities

Answer: D

Explanation

The distribution of virtual private network (VPN) routing information is controlled through the use of
VPN route target communities, implemented by Border Gateway Protocol (BGP) extended
communities.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/15-mt/mp-l3-vpns-15-mt-book/mp-cfg-layer3-vpn.html

Question 72

Users report issues with reachability between areas as soon as an engineer configured summary
routes between areas in a multiple area OSPF autonomous system. Which action resolves the issue?

A. Configure the summary-address command on the ABR
B. Configure the area range command on the ASBR
C. Configure the summary-address command on the ASBR
D. Configure the area range command on the ABR

Answer: D

Explanation

For OSPF, we can only summarize at the ABR with the command “area range” or at the ASBR with the command “summary-address” -> Therefore answer A and answer B are not correct.

In this question, the most likely problem is that when doing summarization, the network mask is
configured wrong and summarization doesn’t work because of the misconfiguration. When configuring
the area range command, make sure that the summarization mask is in the form of a prefix mask
rather than a wildcard mask (that is, 255.255.255.0 instead of 0.0.0.255).

Good reference: https://www.configrouter.com/troubleshooting-route-summarization-ospf-14082/

Question 73

Refer to the exhibit.


A network is under a cyberattack. A network engineer connected to R1 by SSH and enabled the
terminal monitor via SSH session to find the source and destination of the attack. The session was
flooded with messages, which made it impossible for the engineer to troubleshoot the issue. Which
command resolves this issue on R1?

A. #terminal no monitor
B. #no terminal monitor
C. (config)#no terminal monitor
D. (config)#terminal no monitor

Answer: A

Explanation

To turn off terminal monitor, use “terminal no monitor” in the enable mode.

Question 74

Refer to the exhibit.

Which action resolves the adjacency issue?


A. Match the hello interval timers
B. Match the authentication keys
C. Configure the same EIGRP process IDs
D. Configure the same autonomous system numbers

Answer: D

Explanation

We see R1 sending two hello messages but not receiving any reply from R2, so the adjacency has not been formed. EIGRP does not require the same hello and hold-time intervals, but it only forms a neighbor relationship when it receives a Hello from the neighbor.

Note:

This is not an authentication problem or we would see this error from the debug:

EIGRP: Ethernet0/0: ignored packet from 10.1.1.3, opcode = 1 (missing authentication or key-chain
missing)

Question 75

Refer to the exhibit.

admin@linux:~$ scp script.py [email protected]:script.py


Password:
Administratively disabled.
admin@linux:~$ Connection to 198.51.100.64 closed by remote host.

A network administrator has developed a Python script on the local Linux machine and is trying to
transfer it to the router. However, the transfer fails. Which action resolves this issue?
A. The Python interpreter must first be enabled with the guestshell enable command
B. The SSH service must be enabled with the crypto key generate rsa command
C. The SSH access must be allowed on the VTY lines using the transport input ssh command
D. The SCP service must be enabled with the ip scp server enable command

Answer: D

Explanation

The error “Administratively disabled” means we need to enable SCP on the router with the command:
Router(config)#ip scp server enable

Question 76
Refer to the exhibit.

A network administrator is trying to access a branch router using TACACS+ username and password
credentials, but the administrator cannot log in to the router because the WAN connectivity is down.
The branch router has following AAA configuration:

aaa new-model
aaa authorization commands 15 default group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
tacacs-server host 10.100.50.99
tacacs-server key Ci$co123

Which command will resolve this problem when WAN connectivity is down?

A. aaa authentication login default group tacacs+ enable
B. aaa authentication login console group tacacs+ enable
C. aaa authentication login default group tacacs+ console
D. aaa authentication login default group tacacs+ local

Answer: D
Explanation

With the “aaa authentication login default group tacacs+ local” command configured, the password supplied at login is first verified by the TACACS+ server before access is granted. If the server is unavailable or unreachable, the router falls back to the local authentication database.

Question 77

IPv6 is enabled in the infrastructure to support customers with an IPv6 network over WAN and to
connect the head office to branch offices in the local network. One of the customers is already running
IPv6 and wants to enable IPv6 over the DMVPN network infrastructure between the headend and
branch sites. Which configuration command must be applied to establish an mGRE IPv6 tunnel
neighborship?

A. ipv6 nhrp holdtime 30
B. ipv6 unicast-routing
C. tunnel mode gre multipoint ipv6
D. tunnel protection mode ipv6

Answer: C
Explanation

The command “tunnel mode gre multipoint ipv6” sets the encapsulation mode of the tunnel to mGRE IPv6.

Question 78

Refer to the exhibit.

An engineer configured SNMP communities on the Core_Sw1, but the SNMP server cannot obtain
information from Core_Sw1. Which configuration resolves this issue?

A. access-list 20 permit 10.221.10.12
B. snmp-server group NETVIEW v2c priv read NETVIEW access 20
C. snmp-server group NETADMIN v3 priv read NETVIEW write NETADMIN access 22
D. access-list 20 permit 10.221.10.11

Answer: D

Question 79

Refer to the exhibit.

P 172.29.0.0/16, 1 successors, FD is 307200, serno 2
via 192.168.254.2 (307200/281600), FastEthernet0/1
via 192.168.253.2 (410200/352300), FastEthernet0/0

When the FastEthernet0/1 goes down, the route to 172.29.0.0/16 via 192.168.253.2 is not installed in
the RIB. Which action resolves the issue?

A. Configure reported distance greater than the feasible distance
B. Configure feasible distance greater than the successor’s feasible distance
C. Configure feasible distance greater than the reported distance
D. Configure reported distance greater than the successor’s feasible distance
Answer: C

Explanation

From the exhibit, we notice network 172.29.0.0/16 was learned via two routes:
+ From 192.168.254.2 with FD = 307200 and AD = 281600
+ From 192.168.253.2 with FD = 410200 and AD = 352300

The first route is installed into the RIB as the successor route because of its lower FD.
When the first route fails, the router will not use the second route, as it does not satisfy the feasibility condition. The feasibility condition states that the Advertised Distance (AD, also called the reported distance) of a route must be lower than the feasible distance of the current successor route.
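The feasibility condition applied to the two paths in the exhibit, as an added Python example that is not part of the original question; the second topology (ALT_PATHS), in which 192.168.253.2 reports a lower distance, is constructed to show the case where a feasible successor does exist.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    next_hop: str
    interface: str
    fd: int  # feasible distance: this router's full metric via that neighbor
    rd: int  # reported (advertised) distance: the neighbor's own metric to the prefix


# The two paths to 172.29.0.0/16 from the exhibit, "via next-hop (FD/RD), interface".
EXHIBIT_PATHS = [
    Path("192.168.254.2", "FastEthernet0/1", 307200, 281600),
    Path("192.168.253.2", "FastEthernet0/0", 410200, 352300),
]

# Constructed variant: same neighbors, but 192.168.253.2 now reports 281600.
ALT_PATHS = [
    EXHIBIT_PATHS[0],
    Path("192.168.253.2", "FastEthernet0/0", 410200, 281600),
]


def meets_feasibility_condition(rd, successor_fd):
    """The check itself: a neighbor's reported distance must be strictly lower
    than the successor's feasible distance. This guarantees the neighbor is not
    routing the prefix back through us, so it can be used without a query."""
    return rd < successor_fd


def classify(paths):
    """Split paths into (successor, feasible successors, remaining paths).

    The successor is the lowest-FD path; feasible successors are the other
    paths that pass the feasibility condition, ordered by their own FD."""
    successor = min(paths, key=lambda p: p.fd)
    feasible = sorted(
        (p for p in paths
         if p is not successor and meets_feasibility_condition(p.rd, successor.fd)),
        key=lambda p: p.fd,
    )
    others = [p for p in paths if p is not successor and p not in feasible]
    return successor, feasible, others


def next_hop_after_failure(paths, failed_interface):
    """Which next hop is installed immediately when failed_interface goes down.

    A feasible successor is promoted without any query. If none exists the
    route goes Active and None is returned, which is why the exhibit's second
    path is not in the RIB right after FastEthernet0/1 fails."""
    successor, feasible, _ = classify(paths)
    if successor.interface != failed_interface:
        return successor.next_hop
    return feasible[0].next_hop if feasible else None


if __name__ == "__main__":
    print(next_hop_after_failure(EXHIBIT_PATHS, "FastEthernet0/1"))  # None
    print(next_hop_after_failure(ALT_PATHS, "FastEthernet0/1"))      # 192.168.253.2
```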

Question 80

Refer to the exhibit.

An engineer is troubleshooting failed access by contractors to the business application server via
Telnet or HTTP during the weekend. Which configuration resolves the issue?
A. R4
no access-list 101 permit tcp 10.3.3.0 0.0.0.255 host 10.1.1.3 eq telnet time-range Contractor
B. R1
no access-list 101 permit tcp 10.3.3.0 0.0.0.255 host 10.1.1.3 eq telnet time-range Contractor

C. R4
time-range Contractor
no periodic weekdays 17:00 to 23:59
periodic daily 8:00 to 16:30
D. R1
time-range Contractor
no periodic weekdays 8:00 to 16:30
periodic daily 8:00 to 16:30

Answer: D

Question 81

Refer to the exhibit.

Route-map PBR, permit, sequence 10
Match clauses:
ip address (access-lists): FILTER_ACL
Set clauses:
ip next-hop verify-availability 209.165.202.129 1 track 100 [down]
ip next-hop verify-availability 209.165.202.131 2 track 200 [up]
Policy routing matches: 0 packets, 0 bytes
route-map PBR, deny, sequence 20
Match clauses:
Set clauses:
ip next-hop 209.165.201.30
Policy routing matches: 275364861 packets, 12200235037 bytes

An engineer has configured policy-based routing and applied the configuration to the correct interface.
How is the configuration applied to the traffic that matches the access list?

A. It is sent to 209.165.202.129.
B. It is sent to 209.165.202.131.
C. It is forwarded using the routing table lookup.
D. It is dropped.

Answer: B

Explanation

Use the set ip next-hop verify-availability command in route-map configuration mode to configure policy routing to verify the reachability of the next hop of a route map before the router performs policy routing to that next hop. In this question we see that track 100 is down, so PBR will not use this next hop; it uses the second next hop, whose track 200 is up.

Question 82

Refer to the exhibit.


*Sep 26 19:50:43.504: SNMP: Packet received via UDP from 192.168.1.2 on GigabitEthernet0/1
SrParseV3SnmpMessage: No matching Engine ID.
SrParseV3SnmpMessage: Failed.
SrDoSnmp: authentication failure, Unknown Engine ID
*Sep 26 19:50:43.504: SNMP: Report, reqid 29548, errstat 0, erridx 0
internet.6.3.15.1.1.4.0 = 3
*Sep 26 19:50:43.508: SNMP: Packet sent via UDP to 192.168.1.2
process_mgmt_req_int: UDP packet being de-queued

Which two commands provide the administrator with the information needed to resolve the issue?
(Choose two)

A. show snmp user
B. debug snmp engine-id
C. show snmpv3 user
D. debug snmpv3 engine-id
E. debug snmp packet

Answer: A E

Explanation

There are three values in the SNMPv3 header that must match for the communication to take place: snmpEngineID, snmpEngineTime and snmpEngineBoots.
The error received indicates a problem with the EngineID value:
“authentication failure, Unknown Engine ID”

To check the Engine ID, we can use the command “show snmp user”. The following example shows the user abcd with Engine ID 00000009020000000C025808:

Router#show snmp user abcd
User name: abcd
Engine ID: 00000009020000000C025808
storage-type: nonvolatile active access-list: 10
Rowstatus: active
Authentication Protocol: MD5
Privacy protocol: 3DES
Group name: VacmGroupName
Group name: VacmGroupName

The “debug snmp packet” command displays all SNMP packets that are arriving and being replied to.

Question 83

Refer to the exhibit.


AS65510 iBGP is configured for directly connected neighbors. R4 cannot ping or traceroute network
192.168.100.0/24. Which action resolves this issue?
A. Configure R1 as a route reflector server and configure R2 and R3 as route reflector clients
B. Configure R4 as a route reflector server and configure R2 and R3 as route reflector
C. Configure R4 as a route reflector server and configure R1 as a route reflector client
D. Configure R1 as a route reflector server and configure R4 as a route reflector client

Answer: D

Explanation
A route received from one iBGP peer will NOT be advertised to another iBGP peer. Therefore R4 does not receive the advertisement for network 192.168.100.0/24. We can overcome this BGP limitation by configuring R1 as a route reflector server and R4 as a route reflector client, so that R1 reflects the advertisement to R4.

Question 84

Refer to the exhibit.


The network administrator can see the DHCP discovery packet in R1, but R2 is not replying to the DHCP request. The R1 related interface is configured with the DHCP helper address. If the PC is directly connected to the Fa0/1 interface on R2, the DHCP server assigns an IP address from the DHCP pool to the PC. Which two commands resolve this issue? (Choose two)

A. ip dhcp relay information trust-all command on R2
B. ip dhcp relay information enable command on R1
C. ip dhcp option 82 command on R2
D. service dhcp-relay command on R1
E. service dhcp command on R1

Answer: A B
Question 85

A network administrator is troubleshooting a high utilization issue on the route processor of a router
that was reported by NMS. The administrator logged into the router to check the control plane policing
and observed that the BGP process is dropping a high number of routing packets and causing
thousands of routes to recalculate frequently. Which solution resolves this issue?

A. Police the pir for BGP, conform-action set-prec-transmit, and exceed action set-clp-transmit
B. Police the pir for BGP, conform-action transmit, and exceed action transmit
C. Shape the cir for BGP, conform-action transmit, and exceed action transmit
D. Shape the pir for BGP, conform-action set-prec-transmit, and exceed action set-frde-transmit

Answer: A

Question 86

Refer to the exhibit.


An engineer must establish multipoint GRE tunnels between hub router R6 and branch routers R1, R2,
and R3. Which configuration accomplishes this task on R1?

Option A
interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp nhs 192.168.1.6
ip nhrp map 192.168.1.6 192.1.10.1
ip nhrp map 192.168.1.2 192.1.20.2
ip nhrp map 192.168.1.3 192.1.30.3

Option B
interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source e0/1
tunnel mode gre multipoint
ip nhrp nhs 192.168.1.6
ip nhrp map 192.168.1.6 192.1.10.6

Option C
interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source e0/0
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.6
ip nhrp map 192.168.1.6 192.1.10.6
ip nhrp map 192.168.1.2 192.1.20.2
ip nhrp map 192.168.1.3 192.1.30.3

Option D
interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source e0/1
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp nhs 192.168.1.6
ip nhrp map 192.168.1.6 192.1.10.1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation
We have an example of how to configure DMVPN Phase II and we show the configuration here for your
reference:
DMVPN Phase II – Dynamic Mapping

Hub
interface tunnel 1
ip address 192.168.100.254 255.255.255.0
tunnel source 44.44.44.4
tunnel mode gre multipoint
ip nhrp network-id 10

Spoke 1
interface tunnel 1
ip address 192.168.100.1 255.255.255.0
tunnel source 11.11.11.1
tunnel mode gre multipoint
ip nhrp network-id 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254

Spoke 2
interface tunnel 1
ip address 192.168.100.2 255.255.255.0
tunnel source 12.12.12.2
tunnel mode gre multipoint
ip nhrp network-id 10
ip nhrp map 192.168.100.254 44.44.44.4
ip nhrp nhs 192.168.100.254

Note: Although Phase II – Dynamic Mapping is “dynamic”, we still need to add a static entry for the hub, because without that entry the NHRP registration cannot be sent.
Returning to our question, the interface in the “tunnel source …” command must be “e0/0”, so only Option A and Option C are correct.

We only need to “map” the tunnel address of the hub router to the NBMA address of the hub router -> only Option C is correct.
New ENARSI Questions 4

Question 1

Refer to the exhibit.

The network engineer configured the summarization of the RIP routes into the OSPF domain on R5 but
still sees four different 172.16.0.0/24 networks on R4. Which action resolves the issue?

A. R5(config)#router ospf 1
R5(config-router)#no area
R5(config-router)#summary-address 172.16.0.0 255.255.252.0

B. R4(config)#router ospf 99
R4(config-router)#network 172.16.0.0 0.255.255.255 area 56
R4(config-router)#area 56 range 172.16.0.0 255.255.255.0

C. R4(config)#router ospf 1
R4(config-router)#no area
R4(config-router)#summary-address 172.16.0.0 255.255.252.0
D. R5(config)#router ospf 99
R5(config-router)#network 172.16.0.0 0.255.255.255 area 56
R5(config-router)#area 56 range 172.16.0.0 255.255.255.0

Answer: A
Explanation

Area 36 is an NSSA, so R5 is an ASBR and we can summarize external routes using the “summary-address” command. The “area area-id range” command can only be used on an ABR, so it is not correct.

The summarization must be done on the ASBR, which is R5, not R4, so the correct answer must start with “R5(config)#router ospf 1”.

Note: The “no area” command is used to remove any existing “area …” command (maybe an “area 56 range …” command).

Question 2

Refer to the exhibit.

The AP status from Cisco DNA Center Assurance Dashboard shows some physical connectivity issues
from access switch interface G1/0/14. Which command generates the diagnostic data to resolve the
physical connectivity issues?

A. verify cable-diagnostics tdr interface GigabitEthernet1/0/14
B. show cable-diagnostics tdr interface GigabitEthernet1/0/14
C. test cable-diagnostics tdr interface GigabitEthernet1/0/14
D. check cable-diagnostics tdr interface GigabitEthernet1/0/14

Answer: C

Explanation

The Time Domain Reflectometer (TDR) feature allows you to determine if a cable is OPEN or SHORT
when it is at fault.

To start the TDR test, perform this task:


Step 1 (Starts the TDR test): test cable-diagnostics tdr {interface {interface-number}}
Step 2 (Displays the TDR test counter information): show cable-diagnostics tdr {interface interface-number}

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9600/software/release/16-11/configuration_guide/int_hw/b_1611_int_and_hw_9600_cg/checking_port_status_and_connectivity.pdf
In this question we only have one choice so we should choose the command to start the TDR test.

After starting the test we will see something like this:

TDR test started on interface Gi1/0/14
A TDR test can take a few seconds to run on an interface
Use ‘show cable-diagnostics tdr’ to read the TDR results.

Wait 10 seconds and then issue the command to show the cable diagnostics result:

TDR test last run on: December 05 18:50:53
Interface Speed Local pair Pair length Remote pair Pair status
Gi1/0/14 1000M Pair A 19 +/- 10 meters Pair B Normal
Pair B 19 +/- 10 meters Pair A Normal
Pair C 19 +/- 10 meters Pair D Normal
Pair D 19 +/- 10 meters Pair C Normal

Notice that the results are “Normal” in the above example. Other results can be:
+ Open: Open circuit. This means that one (or more) pair has “no pin contact”.
+ Short: Short circuit.
+ Impedance Mismatched: Bad cable.

Question 3
Which mechanism provides traffic segmentation within a DMVPN network?

A. MPLS
B. BGP
C. RSVP
D. IPsec

Answer: A

Explanation

To use the DMVPN – Traffic Segmentation Within DMVPN feature, you must configure Multiprotocol
Label Switching (MPLS) by using the mpls ip command.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16/sec-conn-dmvpn-xe-16-book/sec-conn-dmvpn-dmvpn.html

Question 4

An engineer is implementing a coordinated change with a server team. As part of the change, the
engineer must configure interface GigabitEthernet2 in an existing VRF “RED” then move the interface
to an existing VRF “BLUE” when the server team is ready. The engineer configured interface
GigabitEthernet2 in VRF “RED”:

interface GigabitEthernet2
description Migration ID: B411A21D5032G32
vrf forwarding RED
ip address 10.0.0.0 255.255.255.254
negotiation auto

Which configuration completes the change?


A.
interface GigabitEthernet2
no ip address
ip address 10.0.0.0 255.255.255.254
vrf forwarding BLUE

B.
interface GigabitEthernet2
no vrf forwarding RED
vrf forwarding BLUE
ip address 10.0.0.0 255.255.255.254

C.
interface GigabitEthernet2
no ip address
vrf forwarding BLUE

D.
interface GigabitEthernet2
no vrf forwarding RED
vrf forwarding BLUE

Answer: B

Explanation
When an interface is assigned to a VRF (or moved from one VRF to another), IOS removes its IP
address, so the address must be configured again on that interface after the new “vrf forwarding”
command.

Question 5

Which function does LDP provide in an MPLS topology?


A. It exchanges routes for MPLS VPNs across different VRFs.
B. It enables a MPLS topology to connect multiple VPNs to P routers.
C. It provides a means for LSRs to exchange IP routes.
D. It provides hop-by-hop forwarding in an MPLS topology for LSRs.

Answer: D

Explanation

LDP provides a standard methodology for hop-by-hop, or dynamic label, distribution in an MPLS
network by assigning labels to routes that have been chosen by the underlying Interior Gateway
Protocol (IGP) routing protocols. The resulting labeled paths, called label switch paths (LSPs), forward
label traffic across an MPLS backbone to particular destinations.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/12-4t/mp-ldp-12-4t-book.pdf

Question 6

An engineer creates a Cisco DNA Center cluster with three nodes, but all the services are running on
one host node. Which action resolves this issue?

A. Click system updates, and upgrade to the latest version of Cisco DNA Center.
B. Enable service distribution from the Systems 360 page.
C. Click the master host node with all the services and select services to be moved to other hosts.
D. Restore the link on the switch interface that is connected to a cluster link on the Cisco DNA Center.

Answer: B

Explanation

To deploy Cisco DNA Center on a three-node cluster with High Availability (HA) enabled, complete the
following procedure:
Step 1: Configure Cisco DNA Center on the first node in your cluster…
Step 2: Configure Cisco DNA Center on the second node in your cluster…
Step 3: Configure Cisco DNA Center on the third node in your cluster…
Step 4: Enable high availability on your cluster:
a. In the Cisco DNA Center GUI, click and choose System Settings. The System 360 tab is displayed
by default.
b. In the Hosts area, click Enable Service Distribution.

After you click Enable Service Distribution, Cisco DNA Center enters into maintenance mode. In this
mode, Cisco DNA Center is unavailable until the redistribution of services is completed. You should
take this into account when scheduling an HA deployment.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-3-3-0/ha_guide/b_cisco_dna_center_ha_guide_1_3_3_0.html

Therefore we can choose “Enable Service Distribution” to distribute services to other host nodes.

Question 7

Which OSI model is used to insert an MPLS label?

A. between Layer 5 and Layer 6
B. between Layer 2 and Layer 3
C. between Layer 3 and Layer 4
D. between Layer 1 and Layer 2

Answer: B

Question 8

The network administrator configured the router for Control Plane Policing to limit OSPF traffic to be
policed to 1 Mbps. Any traffic that exceeds this limit must also be allowed at this point for traffic
analysis. The router configuration is:

access-list 100 permit ospf any any
!
class-map CM-OSPF
match access-group 100
!
policy-map PM-COPP
class CM-OSPF
police 1000000 conform-action transmit
!
control-plane
service-policy output PM-COPP

The Control Plane Policing failed to monitor and police OSPF traffic. Which configuration resolves this
issue?
Option A
policy-map PM-COPP
class CM-OSPF
no police 1000000 conform-action transmit
police 1000000 conform-action transmit exceed-action transmit
!
control-plane
no service-policy output PM-COPP
service-policy input PM-COPP

Option B
policy-map PM-COPP
class CM-OSPF
no police 1000000 conform-action transmit
police 1000000 conform-action transmit exceed-action transmit

Option C
control-plane
no service-policy output PM-COPP
service-policy input PM-COPP

Option D
no access-list 100
access-list 100 deny ospf any any
access-list 100 permit ip any any
!
policy-map PM-COPP
class CM-OSPF
no police 1000000 conform-action transmit
police 1000000 conform-action transmit exceed-action drop
!
control-plane
no service-policy output PM-COPP
service-policy input PM-COPP

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation
The question requires the exceeded traffic to be allowed for analysis, so we need “exceed-action
transmit” -> Option D is not correct.

Drop is the default action for traffic that exceeds or violates the committed police rate, so the
exceeded traffic must be explicitly allowed with “exceed-action transmit” -> only Option A and
Option B remain.

When a service policy is applied to the control plane, only the input direction is supported -> only
Option A is correct.

Question 9

Which feature minimizes DoS attacks on an IPv6 network?

A. IPv6 Binding Security Table
B. IPv6 Router Advertisement Guard
C. IPv6 Prefix Guard
D. IPv6 Destination Guard

Answer: D

Explanation
The Destination Guard feature helps in minimizing denial-of-service (DoS) attacks. It performs
address resolution only for those addresses that are active on the link, and requires the FHS binding
table to be populated with the help of the IPv6 snooping feature. The feature enables the filtering of
IPv6 traffic based on the destination address, and blocks the NDP resolution for destination addresses
that are not found in the binding table. By default, the policy drops traffic coming for an unknown
destination.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.pdf

Question 10

The network administrator configured R1 for Control Plane Policing so that the inbound Telnet traffic is
policed to 100 kbps. This policy must not apply to traffic coming in from 10.1.1.1/32 and
172.16.1.1/32. The administrator has configured this:

access-list 101 permit tcp host 10.1.1.1 any eq 23
access-list 101 permit tcp host 172.16.1.1 any eq 23
!
class-map CoPP-TELNET
match access-group 101
!
policy-map PM-CoPP
class CoPP-TELNET
police 100000 conform transmit exceed drop
!
control-plane
service-policy input PM-CoPP

The network administrator is not getting the desired results. Which set of configurations resolves this
issue?

A.
control-plane
no service-policy input PM-CoPP
!
interface Ethernet 0/0
service-policy input PM-CoPP
B.
control-plane
no service-policy input PM-CoPP
service-policy input PM-CoPP

C.
no access-list 101
access-list 101 deny tcp host 10.1.1.1 any eq 23
access-list 101 deny tcp host 172.16.1.1 any eq 23
access-list 101 permit ip any any

D.
no access-list 101
access-list 101 deny tcp host 10.1.1.1 any eq 23
access-list 101 deny tcp host 172.16.1.1 any eq 23
access-list 101 permit ip any any
!
interface E0/0
service-policy input PM-CoPP
Answer: C

Explanation
Packets that match a deny rule are excluded from that class and cascade to the next class (if one
exists) for classification. Therefore, if traffic from 10.1.1.1/32 and 172.16.1.1/32 must not be policed
by CoPP, we must “deny” it in the ACL; the final “permit ip any any” keeps every other packet in the
class.

Question 11

Refer to the exhibit.

R2
route-map E2O permit 10
set tag 111
!
router eigrp 111
redistribute ospf 1 metric 10 10 10 10 10
!
router ospf 1
redistribute eigrp 111 route-map E20 subnets

R4
router rip
redistribute ospf 1 metric 1
!
router ospf 1
redistribute rip subnets

R5 should not receive any routes originated in the EIGRP domain. Which set of configuration changes
removes the EIGRP routes from the R5 routing table to fix the issue?

Option A
R4
route-map O2R deny 10
match tag 111
!
router rip
redistribute ospf 1 route-map O2R metric 1

Option B
R4
route-map O2R permit 10
match tag 111
route-map O2R deny 20
!
router rip
redistribute ospf 1 route-map O2R metric 1

Option C
R2
route-map E2O deny 20
R4
route-map O2R deny 10
match tag 111
!
router rip
redistribute ospf 1 route-map O2R metric 1

Option D
R4
route-map O2R deny 10
match tag 111
route-map O2R permit 20
!
router rip
redistribute ospf 1 route-map O2R metric 1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

In this question, routes from the EIGRP domain are redistributed into OSPF (tagged 111) and then into
RIPv2 without any filtering, so R5 learns routes from both the EIGRP and OSPF domains. If R5 should
only learn routes from the OSPF domain, we must filter out the routes carrying tag 111 and permit the
rest. The line “route-map O2R permit 20” is required to allow the other routes because of the implicit
deny all at the end of every route-map.

Question 12

Refer to the exhibit.

BGP and EIGRP are mutually redistributed on R3, and EIGRP and OSPF are mutually redistributed on
R1. Users report packet loss and interruption of service to applications hosted on the 10.1.1.0/24
prefix. An engineer tested the link from R3 to R4 with no packet loss present but has noticed frequent
routing changes on R3 when running the debug ip route command. Which action stabilizes the
service?
A. Tag the 10.1.1.0/24 prefix and deny the prefix from being redistributed into OSPF on R1.
B. Place an OSPF distribute-list outbound on R3 to block the 10.1.1.0/24 prefix from being advertised
back to R3.
C. Reduce frequent OSPF SPF calculations on R3 that cause a high CPU and packet loss on traffic
traversing R3.
D. Repeat the test from R4 using ICMP ping on the local 10.1.1.0/24 prefix, and fix any Layer 2 errors
on the host or switch side of the subnet

Answer: A

Explanation

After redistribution, R3 learns about network 10.1.1.0/24 via two paths:
+ Internal BGP (iBGP): advertised from R4 with an AD of 200 (and a metric of 0)
+ OSPF: advertised from R1 with an AD of 110 (O E2) (and a metric of 20)
Therefore R3 chooses the path with the lower AD, via OSPF.

But this is a looped path, received along R3 -> R2 -> R1 -> R3. When the route advertised from R4
expires, the looped path expires soon after and R3 reinstalls the main path from R4. This is the cause
of the intermittent connectivity.

We can solve this problem by denying the 10.1.1.0/24 prefix from being redistributed into OSPF on
R1, so that R3 no longer learns this prefix from R1.

Another solution is to place an OSPF distribute-list inbound on R3 to block the 10.1.1.0/24 prefix
from being advertised back to R3.

Question 13

Refer to the exhibit.

R1#sh ipv6 access-list GUARD
IPv6 access list GUARD
deny tcp any host 2001:DB8:A:B::10 eq telnet (6 matches) sequence 10
permit tcp host 2001:DB8:A:A::20 host 2001:DB8:A:B:10 eq telnet sequence 20
permit tcp host 2001:DB8:A:A::2 host 2001:DB8:D::1 eq www sequence 30
permit ipv6 2001:DB8:A:A::/64 any (67 matches) sequence 40

PC2 is directly connected to R1. A user at PC2 cannot Telnet to 2001:db8:a:b::10. The user can ping
2001:db8:a:b::10 and receive DHCP-related information from the DHCP server. Which action resolves
the issue?

A. Remove sequence 10 and put it back as sequence 25.
B. Remove sequence 20 and put it back as sequence 45.
C. Remove sequence 30 and put it back as sequence 5.
D. Remove sequence 40 and put it back as sequence 15.

Answer: A
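As an added example (not part of the question bank), the following Python model applies the first-match rule IOS uses for ACLs to the GUARD list above, and shows why moving the deny from sequence 10 to sequence 25 lets PC2 (2001:DB8:A:A::20) Telnet to the server while every other host on the /64 is still denied. It assumes sequence 20's destination is 2001:DB8:A:B::10 (the exhibit shows it without the “::”) and uses a constructed second host, 2001:DB8:A:A::99, for comparison.

```python
"""First-match evaluation of the IPv6 ACL from Question 13.

Added example; not from the question bank. Sequence 20's destination is
assumed to be 2001:DB8:A:B::10 (the exhibit shows it without the "::").
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple

TELNET, WWW = 23, 80


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "tcp", or "ipv6" for any protocol
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int]     # None matches any destination port


def ace(seq, action, proto, src, dst, dport=None) -> Ace:
    return Ace(seq, action, proto, ip_network(src), ip_network(dst), dport)


def ace_matches(a: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if a.proto != "ipv6" and a.proto != proto:
        return False
    if a.dport is not None and a.dport != dport:
        return False
    return ip_address(src) in a.src and ip_address(dst) in a.dst


def evaluate(acl: List[Ace], proto, src, dst, dport=None) -> Tuple[str, Optional[int]]:
    """Walk the ACEs in sequence order and stop at the first match; a packet
    that matches nothing hits the implicit deny (reported with seq None)."""
    for a in sorted(acl, key=lambda e: e.seq):
        if ace_matches(a, proto, src, dst, dport):
            return a.action, a.seq
    return "deny", None


def resequence(acl: List[Ace], old_seq: int, new_seq: int) -> List[Ace]:
    """Remove the ACE at old_seq and re-add the same ACE under new_seq,
    which is what answer A does with sequence 10 -> 25."""
    moved = next(a for a in acl if a.seq == old_seq)
    kept = [a for a in acl if a.seq != old_seq]
    return kept + [Ace(new_seq, moved.action, moved.proto, moved.src, moved.dst, moved.dport)]


SERVER = "2001:DB8:A:B::10"
PC2 = "2001:DB8:A:A::20"          # the host the question says cannot Telnet
OTHER_HOST = "2001:DB8:A:A::99"   # constructed: another host on PC2's /64

# The GUARD list as shown in the exhibit (destination of seq 20 assumed).
GUARD = [
    ace(10, "deny",   "tcp",  "::/0",                SERVER + "/128",     TELNET),
    ace(20, "permit", "tcp",  PC2 + "/128",          SERVER + "/128",     TELNET),
    ace(30, "permit", "tcp",  "2001:DB8:A:A::2/128", "2001:DB8:D::1/128", WWW),
    ace(40, "permit", "ipv6", "2001:DB8:A:A::/64",   "::/0"),
]
GUARD_FIXED = resequence(GUARD, 10, 25)

if __name__ == "__main__":
    print("original, PC2 telnet :", evaluate(GUARD, "tcp", PC2, SERVER, TELNET))
    print("original, PC2 ping   :", evaluate(GUARD, "icmpv6", PC2, SERVER))
    print("fixed,    PC2 telnet :", evaluate(GUARD_FIXED, "tcp", PC2, SERVER, TELNET))
    print("fixed,    other host :", evaluate(GUARD_FIXED, "tcp", OTHER_HOST, SERVER, TELNET))
```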

Question 14

What are two characteristics of IPv6 Source Guard? (Choose two)

A. requires IPv6 snooping on Layer 2 access or trunk ports
B. used in service provider deployments to protect DDoS attacks
C. requires the user to configure a static binding
D. requires that validate prefix be enabled
E. recovers missing binding table entries

Answer: D E

Explanation

IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown
sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost
address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source
IPv6 address after dropping the offending packet(s).

Reference: https://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html

Although IPv6 Source Guard looks up the binding table, and IPv6 snooping can fill that table, IPv6
snooping is not a requirement for IPv6 Source Guard: the binding table can also be populated by other
methods such as static bindings or ND inspection -> Answer A is not correct.

IPv6 Source Guard is used to mitigate attacks from hosts connected to untrusted access interfaces on
the switch -> Answer B is not correct.

Answer C is not correct as we can use IPv6 Snooping feature to populate the IPv6 binding table.

Question 15

R1 and R2 are configured as eBGP neighbors. R1 is in AS100 and R2 is in AS200. R2 is advertising
these networks to R1:
172.16.16.0/20
172.16.3.0/24
172.16.4.0/24
192.168.1.0/24
192.168.2.0/24
172.16.0.0/16

The network administrator on R1 must improve convergence by blocking all subnets of 172.16.0.0/16
major network with a mask lower than 23 from coming in. Which set of configurations accomplishes
the task on R1?

A.
ip prefix-list PL-1 deny 172.16.0.0/16 le 23
ip prefix-list PL-1 permit 0.0.0.0/0 le 32
!
router bgp 100
neighbor 192.168.100.2 remote-as 200
neighbor 192.168.100.2 prefix-list PL-1 in

B.
ip prefix-list PL-1 deny 172.16.0.0/16 ge 23
ip prefix-list PL-1 permit 0.0.0.0/0 le 32
!
router bgp 100
neighbor 192.168.100.2 remote-as 200
neighbor 192.168.100.2 prefix-list PL-1 in

C.
access-list 1 deny 172.16.0.0 0.0.254.255
access-list 1 permit any
!
router bgp 100
neighbor 192.168.100.2 remote-as 200
neighbor 192.168.100.2 distribute-list 1 in
D.
ip prefix-list PL-1 deny 172.16.0.0/16
ip prefix-list PL-1 permit 0.0.0.0/0
!
router bgp 100
neighbor 192.168.100.2 remote-as 200
neighbor 192.168.100.2 prefix-list PL-1 in

Answer: A

Explanation
“Blocking all subnets of the 172.16.0.0/16 major network with a mask lower than 23 from coming in”
means blocking 172.16.16.0/20 (and the 172.16.0.0/16 aggregate itself, whose mask is also shorter
than /23).

The first entry, “ip prefix-list PL-1 deny 172.16.0.0/16 le 23”, denies all networks that fall within
the 172.16.0.0/16 range AND have a subnet mask of /23 or shorter.

The second entry, “ip prefix-list PL-1 permit 0.0.0.0/0 le 32”, permits all other prefixes.
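Added example (not from the question bank): a small Python model of the ge/le semantics of ip prefix-list, applied to the six routes R2 advertises. It parses the two candidate lists from their IOS syntax and shows that Option A's “le 23” drops the /20 and the /16, whereas Option B's “ge 23” would drop the /24s instead.

```python
"""Model Cisco ip prefix-list matching (first match wins, implicit deny).

Added example for Question 15; not from the question bank. A route matches
an entry when its first N bits equal the entry prefix (N = entry prefix
length) and its mask length is
  - exactly N          when neither ge nor le is given,
  - ge <= len <= le    when both are given,
  - N  <= len <= le    when only le is given,
  - ge <= len <= 32    when only ge is given.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

# One "ip prefix-list NAME permit|deny PREFIX [ge N] [le N]" line.
LINE_RE = re.compile(
    r"^ip prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


@dataclass(frozen=True)
class PrefixEntry:
    action: str
    prefix: IPv4Network
    ge: Optional[int]
    le: Optional[int]


def parse_prefix_list(config: str, name: str) -> List[PrefixEntry]:
    """Collect the entries of prefix-list `name` from IOS-style config text."""
    entries = []
    for raw in config.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None or m.group(1) != name:
            continue
        ge = int(m.group(4)) if m.group(4) else None
        le = int(m.group(5)) if m.group(5) else None
        entries.append(PrefixEntry(m.group(2), ip_network(m.group(3)), ge, le))
    return entries


def entry_matches(entry: PrefixEntry, route: str) -> bool:
    r = ip_network(route)
    n = entry.prefix.prefixlen
    if not r.subnet_of(entry.prefix):   # first N bits must equal the entry prefix
        return False
    if entry.ge is None and entry.le is None:
        return r.prefixlen == n         # exact-length match only
    low = entry.ge if entry.ge is not None else n
    high = entry.le if entry.le is not None else r.max_prefixlen
    return low <= r.prefixlen <= high


def apply_prefix_list(entries: List[PrefixEntry], routes: List[str]) -> List[str]:
    """Return the routes the list accepts; unmatched routes hit the implicit deny."""
    accepted = []
    for route in routes:
        action = "deny"
        for entry in entries:
            if entry_matches(entry, route):
                action = entry.action
                break
        if action == "permit":
            accepted.append(route)
    return accepted


# The six networks R2 (AS200) advertises to R1, from the question.
ADVERTISED = ["172.16.16.0/20", "172.16.3.0/24", "172.16.4.0/24",
              "192.168.1.0/24", "192.168.2.0/24", "172.16.0.0/16"]

OPTION_A = """
ip prefix-list PL-1 deny 172.16.0.0/16 le 23
ip prefix-list PL-1 permit 0.0.0.0/0 le 32
"""
OPTION_B = """
ip prefix-list PL-1 deny 172.16.0.0/16 ge 23
ip prefix-list PL-1 permit 0.0.0.0/0 le 32
"""


def accepted_by(option_config: str) -> List[str]:
    return apply_prefix_list(parse_prefix_list(option_config, "PL-1"), ADVERTISED)


if __name__ == "__main__":
    for label, cfg in (("Option A", OPTION_A), ("Option B", OPTION_B)):
        print(label, "accepts:", accepted_by(cfg))
```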

Question 16

Refer to the exhibit.

aaa new-model
aaa group server radius RADIUS-SERVERS
aaa authentication login default group RADIUS-SERVERS local
aaa authentication enable default group RADIUS-SERVERS enable
aaa authorization exec default group RADIUS-SERVERS if-authenticated
aaa authorization network default group RADIUS-SERVERS if-authenticated
aaa accounting send stop-record authentication failure
aaa session-id common
line con 0
logging synchronous
stopbits 1
line vty 0 4
logging synchronous
transport input ssh

A network administrator successfully logs in to a switch using SSH from a RADIUS server. When the
network administrator uses a console port to access the switch, the RADIUS server returns
“shell:priv-lvl=15” and the switch asks to enter the enable command. When the command is
entered, it gets rejected. Which command set is used to troubleshoot and resolve this issue?

A. line con 0
aaa authorization console
authorization exec
!
line vty 0 4
transport input ssh

B. line con 0
aaa authorization console
!
line vty 0 4
authorization exec

C. line con 0
aaa authorization console
authorization priv15
!
line vty 0 4
transport input ssh

D. line con 0
aaa authorization console priv15
!
line vty 0 4
authorization exec

Answer: C (?)

Question 17

Refer to the exhibit.

The ISP router is fully configured for customer A and customer B using the VRF-Lite feature. What is
the minimum configuration required for customer A to communicate between routers A1 and A2?

Option A
A1
interface fa0/0
description To->ISP
ip add 172.31.100.1 255.255.255.0
no shut
!
router ospf 100
net 172.31.100.1 0.0.0.255 area 0
A2
interface fa0/0
description To->ISP
ip add 172.31.200.1 255.255.255.0
no shut
!
router ospf 100
net 172.31.200.1 0.0.0.255 area 0

Option B
A1
interface fa0/0
description To->ISP
ip vrf forwarding A
ip add 172.31.100.1 255.255.255.0
no shut
!
router ospf 100
net 172.31.100.1 0.0.0.255 area 0
A2
interface fa0/0
description To->ISP
ip vrf forwarding A
ip add 172.31.200.1 255.255.255.0
no shut
!
router ospf 100
net 172.31.200.1 0.0.0.255 area 0

Option C
A1
interface fa0/0
description To->ISP
ip add 172.31.200.1 255.255.255.0
no shut
!
router ospf 100
net 172.31.200.1 0.0.0.255 area 0
A2
interface fa0/0
description To->ISP
ip add 172.31.100.1 255.255.255.0
no shut
!
router ospf 100
net 172.31.100.1 0.0.0.255 area 0

Option D
A1
interface fa0/0
description To->ISP
ip vrf forwarding A
ip add 172.31.100.1 255.255.255.0
no shut
!
router ospf 100 vrf A
net 172.31.200.1 0.0.0.255 area 0
A2
interface fa0/0
description To->ISP
ip vrf forwarding A
ip add 172.31.100.1 255.255.255.0
no shut
!
router ospf 100 vrf A
net 172.31.200.1 0.0.0.255 area 0

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

This is a tricky question as it asks for the configuration on A1 and A2, which are the two customer
routers, not the configuration of the ISP router. In this topology, A1 and A2 do not need any
VRF-related configuration, because VRF-Lite is configured on the ISP router only. Moreover, there is
no correct answer if A1 and A2 use VRF (neither Option B nor Option D is correct).

The correct answer is Option A: A1 and A2 do not know that they belong to VRF A. The two ISP
interfaces (connected to A1 and A2) should be configured like this (only the interface toward A1 is
shown; the OSPF process carries both customer subnets):

ISP router:
interface g0/0
description ISP->To_CustomerA
ip vrf forwarding A
ip address 172.31.100.2 255.255.255.0
!
router ospf 100 vrf A
network 172.31.100.0 0.0.0.255 area 0
network 172.31.200.0 0.0.0.255 area 0

Question 18

Refer to the exhibit.


An engineer has configured R1 as EIGRP stub router. After the configuration, router R3 failed to reach
to R2 loopback address. Which action advertises R2 loopback back into the R3 routing table?

A. Use a leak map on R3 that matches the required prefix and apply it with the EIGRP stub feature.
B. Add a static null route for R2 loopback address in R1 and redistribute it to advertise to R3.
C. Use a leak map on R1 that matches the required prefix and apply it with the distribute list
command toward R3.
D. Add a static route for R2 loopback address in R1 and redistribute it to advertise to R3.

Answer: C

Explanation

The EIGRP stub feature is useful to prevent unnecessary EIGRP queries and to filter some routes that
you advertise. What if you want to configure your router as a stub router but still make an exception
to some routes that it advertises? That is possible with the leak-map feature. This is how to configure
leak-map in this question:

R1(config)#ip access-list standard R2_L0
R1(config-std-nacl)#permit host 2.2.2.2

R1(config)#route-map R2_L0_LEAK permit 10
R1(config-route-map)#match ip address R2_L0

R1(config)#router eigrp 1
R1(config-router)#eigrp stub leak-map R2_L0_LEAK

Question 19

Refer to the exhibit.


R1 is configured with IP SLA to check the availability of the server behind R6 but it kept failing. Which
configuration resolves the issue?

A. R6(config)#ip access-list extended DDOS
R6(config-ext-nacl)#5 permit icmp host 10.10.10.1 host 10.66.66.66

B. R6(config)#ip sla responder

C. R6(config)#ip access-list extended DDOS
R6(config-ext-nacl)#5 permit icmp host 10.66.66.66 host 10.10.10.1

D. R6(config)#ip sla responder udp-echo ip address 10.10.10.1 port 5000

Answer: A

Explanation

In this IP SLA tracking we don’t need an IP SLA responder, so the command “ip sla responder” on R6 is
not necessary.

We also notice that the ACL blocks ICMP packets on both interfaces E0/0 and E0/1 of R6, so we need
to permit ICMP from source 10.10.10.1 to destination 10.66.66.66.

Question 20

How does an MPLS Layer 3 VPN differentiate the IP address space used between each VPN?

A. by MP-BGP
B. by address family
C. by RT
D. by RD
Answer: D

Question 21

Refer to the exhibit.

ABR Configuration:

R2
router ospf 1
router-id 0.0.0.22
area 234 virtual-link 10.34.34.4
network 10.0.0.0 0.0.0.255 area 0
network 10.2.2.0 0.0.0.255 area 0
network 10.22.22.0 0.0.0.255 area 234
network 10.23.23.0 0.0.0.255 area 234

R4
router ospf 1
router-id 0.0.0.44
area 234 virtual-link 10.23.23.2
network 10.34.34.0 0.0.0.255 area 234
network 10.44.44.0 0.0.0.255 area 234
network 10.45.45.0 0.0.0.255 area 250

Virtual Link Status:

R2# show ip ospf virtual-links
Run as demand circuit
DoNotAge LSA allowed.
Transit area 234
Topology-MTID Cost Disabled Shutdown Topology Name
0 65535 no no Base
Transmit Delay is 1 sec, State DOWN,

The network administrator configured the network to connect two disjointed networks and all the
connectivity is up except the virtual link, which causes area 250 to be unreachable. Which two
configurations resolve this issue? (Choose two)

A. R2
router ospf 1
router-id 10.23.23.2
B. R2
router ospf 1
no area area 234 virtual-link 10.34.34.4
area 0 virtual-link 0.0.0.44
C. R4
router ospf 1
no area 234 virtual-link 10.23.23.2
area 234 virtual-link 0.0.0.22

D. R2
router ospf 1
no area 234 virtual-link 10.34.34.4
area 234 virtual-link 0.0.0.44

E. R4
router ospf 1
no area area 234 virtual-link 10.23.23.2
area 0 virtual-link 0.0.0.22

Answer: C D

Explanation

An important thing to remember when configuring virtual-link is we need to configure the OSPF router
ID and NOT the IP address of the ABR. Therefore in this question we have to use the command “area
234 virtual-link 0.0.0.44” on R2 and “area 234 virtual-link 0.0.0.22” on R4.

Question 22

Refer to the exhibit.


An engineer configured IP SLA on R1 to avoid the ISP link flapping problem, but it is not working as
designed. IP SLA should wait 30 seconds before switching traffic to a secondary connection and then
revert to the primary link after waiting 20 seconds, when the primary link is available and stabilized.
Which configuration resolves the issue?

A. R1(config)#ip sla 700
R1(config-ip-sla)#delay down 20 up 30

B. R1(config)#ip sla 700
R1(config-ip-sla)#delay down 30 up 20

C. R1(config)#track 700 ip sla 700
R1(config-track)#delay down 20 up 30

D. R1(config)#track 700 ip sla 700
R1(config-track)#delay down 30 up 20

Answer: D

Explanation

“wait 30 seconds before switching traffic to a secondary connection” -> delay down 30
“then revert to the primary link after waiting 20 seconds” -> up 20

Under the track object, you can specify delays so we have to configure delay under “track 700 ip sla
700” (not under “ip sla 700”).

Question 23
A CoPP policy is applied for receiving SSH traffic from the WAN interface on a Cisco ISR4321 router.
However, the SSH response from the router is abnormal and stuck during the high link utilization. The
problem is identified as SSH traffic does not match in the ACL. Which action resolves the issue?

A. Rate-limit SSH traffic to ensure dedicated bandwidth.
B. Apply CoPP on the control plane interface.
C. Increase the IP precedence value of SSH traffic to 6.
D. Apply CoPP on the WAN interface inbound direction.

Answer: B

Explanation

The problem is “SSH traffic does not match in the ACL” and “CoPP policy is applied for receiving SSH
traffic from the WAN interface” so we should apply CoPP on the control plane interface instead.

Question 24

What is a characteristic of Layer 3 MPLS VPNs?

A. Authentication is performed by using digital certificates or preshared keys.
B. Engineering capabilities provide QoS and SLAs.
C. Traffic engineering supports multiple IGP instances.
D. LSP signaling requires the use of unnumbered IP links for traffic engineering.

Answer: B

Explanation

MPLS traffic engineering supports only a single IGP process/instance

The MPLS traffic engineering feature does not support routing and signaling of LSPs over unnumbered
IP links.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_te_path_setup/configuration/xe-3s/mp-te-path-setup-xe-3s-book/mp-te-enhance-xe.html

Question 25

Refer to the exhibit.


The branch router is configured with a default route toward the Internet and has no routes configured
for the HQ site that is connected through interface G2/0. The HQ router is fully configured and does
not require changes. Which configuration on the branch router makes the intranet website (TCP port
80) available to the branch office users?

Option A
access-list 100 permit tcp host intranet-webserver-ip eq 80 any
!
route-map pbr permit 10
match ip address 100
set ip next-hop 192.168.2.2
!
interface G1/0
ip policy route-map pbr

Option B
access-list 101 permit tcp any any eq 80
access-list 102 permit tcp any host intranet-webserver-ip
!
route-map pbr permit 10
match ip address 101
set ip next-hop 192.168.2.2
route-map pbr permit 20
match ip address 102
set ip next-hop 192.168.2.2
!
interface G2/0
ip policy route-map pbr

Option C
access-list 101 permit tcp any any eq 80
access-list 102 permit tcp any host intranet-webserver-ip
!
route-map pbr permit 10
match ip address 101 102
set ip next-hop 192.168.2.2
!
interface G1/0
ip policy route-map pbr

Option D
access-list 100 permit tcp any host intranet-webserver-ip eq 80
!
route-map pbr permit 10
match ip address 100
set ip next-hop 192.168.2.2
!
interface G2/0
ip policy route-map pbr

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

In this question, the PBR must be applied to interface G1/0, the interface on which the branch users'
traffic enters the router -> only Option A and Option C are correct.

But Option A is not correct because of the ACL “access-list 100 permit tcp host intranet-webserver-ip
eq 80 any”: the source IP address should not be the intranet webserver. The ACL should be “access-
list 100 permit tcp any host intranet-webserver-ip eq 80”.

-> Only Option C is left, and this is the best answer.

In Option C, ACL 101 matches all HTTP packets while ACL 102 matches TCP packets destined to the
intranet webserver. These packets will be sent to the HQ router.

Note: If a match command refers to several objects in one command, either of them should match
(the logical OR algorithm is applied). For example, in the match ip address 101 102 command, a
route is permitted if it is permitted by access list 101 or access list 102.

Question 26
Refer to the exhibit.

The Internet traffic should always prefer Site-A ISP-1 if the link and BGP connection are up;
otherwise, all Internet traffic should go to ISP-2. Redistribution is configured between BGP and OSPF
routing protocols, and it is not working as expected. What action resolves the issue?

A. Set OSPF Cost 200 at Site-A RTR1, and set OSPF Cost 100 at Site-B RTR2.
B. Set metric-type 1 at Site-A RTR1, and set metric-type 2 at Site-B RTR2.
C. Set metric-type 2 at Site-A RTR1, and set metric-type 1 at Site-B RTR2.
D. Set OSPF Cost 100 at Site-A RTR1, and set OSPF Cost 200 at Site-B RTR2.

Answer: B

Explanation

OSPF type 1 route is always preferred over a type 2 route for the same destination so we can set
metric-type 1 at Site-A RTR1 so that it is preferred over Site-B RTR2.

Note:

Routes are redistributed in OSPF as either type 1 (E1) routes or type 2 (E2) routes, with type 2 being
the default.
– A type 1 route has a metric that is the sum of the internal OSPF cost and the external redistributed
cost.
– A type 2 route has a metric equal only to the redistributed cost.

– If routes are redistributed into OSPF as type 2 then every router in the OSPF domain will see the
same cost to reach the external networks.
– If routes are redistributed into OSPF as type 1, then the cost to reach the external networks could
vary from router to router.

Question 27

Refer to the exhibit.


*Mar 1 17:19:04.051: %OSPF-5-ADJCHG: Process 100, Nbr 1.1.1.1 on Tunnel100 from LOADING to FULL, Loading Done
*Mar 1 17:19:06.375: %OSPF-5-ADJCHG: Process 100, Nbr 1.1.1.1 on Tunnel100 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Mar 1 17:19:06.627: %OSPF-5-ADJCHG: Process 100, Nbr 2.2.2.2 on Tunnel100 from LOADING to FULL, Loading Done
*Mar 1 17:19:10.123: %OSPF-5-ADJCHG: Process 100, Nbr 2.2.2.2 on Tunnel100 from FULL to DOWN, Neighbor Down: Adjacency forced to reset
*Mar 1 17:19:14.499: %OSPF-5-ADJCHG: Process 100, Nbr 10.10.10.10 on Tunnel100 from LOADING to FULL, Loading Done
*Mar 1 17:19:19.139: %OSPF-5-ADJCHG: Process 100, Nbr 10.10.10.10 on Tunnel100 from EXSTART to DOWN, Neighbor Down: Interface down or detached
*Mar 1 17:01:51.975: %OSPF-4-NONEIGHBOR: Received database description from unknown neighbor 192.168.1.1
*Mar 1 17:01:57.783: OSPF: Rcv LS UPD from 192.168.1.1 on Tunnel100 length 88 LSA count 1
*Mar 1 17:01:57.155: OSPF: Send UPD to 10.255.253.1 on Tunnel100 length 100 LSA count 2

A network administrator sets up an OSPF routing protocol for a DMVPN network on the hub router.
Which configuration command is required to establish a DMVPN tunnel with multiple spokes?

A. ip ospf network point-to-multipoint on both spoke routers
B. ip ospf network point-to-point on both spoke routers
C. ip ospf network point-to-multipoint on one spoke router
D. ip ospf network point-to-point on the hub router

Answer: A

Question 28

Refer to the exhibit.


An engineer configured NetFlow on R1, but the NMS server cannot see the flow from R1. Which
configuration resolves the issue?
A. flow exporter FlowAnalyzer1
destination 10.221.10.11

B. interface Ethernet0/0
flow-destination 10.221.10.11

C. flow monitor Flowmonitor1
destination 10.221.10.11

D. interface Ethernet0/1
flow-destination 10.221.10.11

Answer: A

Explanation

From the output we notice that the destination IP address is not correct. The NMS server IP address
should be 10.221.10.11, not 10.221.10.10. Therefore we have to change this information under “flow
exporter …” configuration.

NetFlow configuration reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/cfg-de-fnflow-exprts.html

Question 29

Refer to the exhibit.

*17:40:07.826: AAA/BIND(00000055): Bind i/f
*17:40:07.826: AAA/AUTHEN/LOGIN (00000055): Pick method list ’default’
*17:40:07.826: TPLUS: Queuing AAA Authentication request 85 for processing
*17:40:07.826: TPLUS(00000055) login timer started 1020 sec timeout
*17:40:07.826: TPLUS: processing authentication start request id 85
*17:40:07.826: TPLUS: Authentication start packet created for 85()
*17:40:07.826: TPLUS: Using server 10.106.60.182
*17:40:07.826: TPLUS(00000055)/0/NB_WAIT/225FE2DC: Started 5 sec timeout
*17:40:07.830: TPLUS(00000055)/0/NB_WAIT: socket event 2
*17:40:07.830: TPLUS(00000055)/0/NB_WAIT: wrote entire 38 bytes request
*17:40:07.830: TPLUS(00000055)/0/READ: socket event 1
*17:40:07.830: TPLUS(00000055)/0/READ: Would block while reading
*17:40:07.886: TPLUS(00000055)/0/READ: socket event 1
*17:40:07.886: TPLUS(00000055)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*17:40:07.886: TPLUS(00000055)/0/READ: socket event 1
*17:40:07.886: TPLUS(00000055)/0/READ: read entire 18 bytes response
*17:40:07.886: TPLUS(00000055)/0/225FE2DC: Processing the reply packet
*17:40:07.886: TPLUS: received bad AUTHEN packet: length = 6, expected 43974
*17:40:07.886: TPLUS: Invalid AUTHEN packet (check keys).

An engineer is troubleshooting a TACACS problem. Which action resolves the issue?

A. Apply a configured AAA profile to the VTY.
B. Configure a matching TACACS server IP.
C. Generate authentication from a relative source interface.
D. Configure a matching preshared key.

Answer: D

Explanation
The last line shows us the reason, which is “Invalid AUTHEN packet (check keys)” so the most likely
cause of this problem is key mismatch.

Question 30

Refer to the exhibit.


A network administrator is troubleshooting IPv6 address assignment for a DHCP client that is not
getting an IPv6 address from the server. Which configuration retrieves the client IPv6 address from
the DHCP server?

A. ipv6 dhcp relay-agent command on the interface
B. ipv6 address autoconfig command on the interface
C. ipv6 dhcp server automatic command on DHCP server
D. service dhcp command on DHCP server

Answer: B

Question 31

Refer to the exhibit.


An engineer must block access to the console ports for all corporate remote Cisco devices based on
the recent corporate security policy but the security team still can connect through the console port.
Which configuration on the console port resolves the issue?

A. no exec
B. transport input telnet
C. exec 0 0
D. login and password

Answer: D

Explanation

“no exec” will disable access to a line. It is used if we want to allow only outgoing session (and disable
incoming session).
There is no “exec 0 0” command. We can only find the “exec prompt” command in IOS Version
15.4(2)T4.

The most similar command is “exec-timeout 0 0” command, which is used to prevent Telnet/SSH
sessions from timing out.

Question 32

Refer to the exhibit.

R1(config)# ip vrf CCNP
R1(config-vrf)# rd 1:100
R1(config-vrf)# exit
R1(config)# interface Loopback0
R1(config-if)# ip address 10.1.1.1 255.255.255.0
R1(config-if)# ip vrf forwarding CCNP
R1(config-if)# exit
R1(config)# exit
R1# ping vrf CCNP 10.1.1.1
% Unrecognized host or address, or protocol not running.

Which command must be configured to make VRF CCNP work?

A. interface Loopback0
vrf forwarding CCNP

B. interface Loopback0
ip address 10.1.1.1 255.255.255.0
ip vrf forwarding CCNP

C. interface Loopback0
ip address 10.1.1.1 255.255.255.0
vrf forwarding CCNP

D. interface Loopback0
ip address 10.1.1.1 255.255.255.0

Answer: D

Explanation

From the exhibit, we learn that the command “ip address 10.1.1.1 255.255.255.0” has been issued
before the command “ip vrf forwarding CCNP”. But the second command removed the IP address
configured in the first command so we have to retype the IP address command.

Question 33

The network administrator configured R1 to authenticate Telnet connections based on Cisco ISE using
TACACS+. ISE has been configured with an IP address of 192.168.1.5 and with a network device
pointing toward R1(192.168.1.1) with a shared secret password of Cisco123. The administrator cannot
authenticate to R1 based on ISE.

aaa new-model
!
tacacs server ISE1
address ipv4 192.168.1.5
key Cisco123
!
aaa group server tacacs+ TAC-SERV
server name ISE1
!
aaa authentication login telnet group TAC-SERV

Which configuration fixes the issue?

A. line vty 0 4
login authentication telnet
B. line vty 0 4
login authentication TAC-SERV
C. ip tacacs-server host 192.168.1.5 key Cisco123
D. tacacs-server host 192.168.1.5 key Cisco123

Answer: A

Explanation

The last command “aaa authentication login telnet group TAC-SERV” created the method list name
telnet so we need to assign it to line vty.

Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-
Configure-ISE-2-0-IOS-TACACS-Authentic.html

Question 34

A company is expanding business by opening 35 branches over the Internet. A network engineer must
configure DMVPN at the branch routers to connect with the hub router and allow NHRP to add spoke
routers securely to the multicast NHRP mappings automatically. Which configuration meets this
requirement at the hub router?

Option A
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication KEY1
ip nhrp map multicast dynamic
ip nhrp network-id 10
tunnel mode gre multipoint

Option B
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication KEY1
ip nhrp registration no-unique
ip nhrp network-id 10
tunnel mode gre nmba

Option C
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication KEY1
ip nhrp map multicast 224.0.0.0
ip nhrp network-id 10
tunnel mode gre ipv4

Option D
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip nhrp authentication KEY1
ip nhrp nhs dynamic
ip nhrp network-id 10
tunnel mode mgre auto

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

The command “ip nhrp map multicast dynamic” allows NHRP to automatically add spoke routers to the
multicast NHRP mappings.

Question 35

Refer to the exhibit.


RR
router bgp 100
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.2.2 remote-as 100
neighbor 10.1.3.3 remote-as 100

ASBR2
router bgp 100
neighbor 10.1.1.4 remote-as 100

ASBR3
router bgp 100
neighbor 10.1.2.4 remote-as 100

ASBR4
router bgp 100
neighbor 10.1.3.4 remote-as 100

The administrator configured the network devices for end-to-end reachability, but the ASBRs are not
propagating routes to each other. Which set of configurations resolves this issue?

Option A
router bgp 100
neighbor 10.1.1.1 update-source Loopback0
neighbor 10.1.2.2 update-source Loopback0
neighbor 10.1.3.3 update-source Loopback0

Option B
router bgp 100
neighbor 10.1.1.1 ebgp-multihop
neighbor 10.1.2.2 ebgp-multihop
neighbor 10.1.3.3 ebgp-multihop

Option C
router bgp 100
neighbor 10.1.1.1 route-reflector-client
neighbor 10.1.2.2 route-reflector-client
neighbor 10.1.3.3 route-reflector-client

Option D
router bgp 100
neighbor 10.1.1.1 next-hop-self
neighbor 10.1.2.2 next-hop-self
neighbor 10.1.3.3 next-hop-self

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Question 36

What is a function of IPv6 Source Guard?

A. It denies traffic from known sources and allocated addresses.
B. It inspects ND and DHCP packets to build an address binding table.
C. It works with address glean or ND to find existing addresses.
D. It notifies the ND protocol to inform hosts if the traffic is denied by it.

Answer: C

Explanation

IPv6 Source Guard is an interface feature that sits between the populated binding table and data traffic filtering.
It enables the device to deny traffic that originates from an address that is not stored
in the binding table. IPv6 Source Guard does not inspect ND or DHCP packets; rather, it works in
conjunction with IPv6 neighbor discovery (ND) inspection or IPv6 address glean, both of which detect
existing addresses on the link and store them in the binding table.

Question 37

Refer to the exhibit.

R2#show ip route eigrp | include 10.1.
D 10.1.1.0/24

R3#show ip route eigrp | include 10.1.
D 10.1.1.0/24

An engineer configures DMVPN and receives the hub location prefix of 10.1.1.0/24 on R2 and R3. The
R3 prefix of 10.1.3.0/24 is not received on R2, and the R2 prefix 10.1.2.0/24 is not received on R3.
Which action resolves the issue?

A. Split horizon prevents the routes from being advertised between spoke routers; it should be disabled
with the command no ip split-horizon eigrp 10 on the tunnel interface of R1.
B. There is no spoke-to-spoke connection; the DMVPN configuration should be modified to enable a tunnel
connection between R2 and R3, and the neighbor relationship confirmed by use of the show ip eigrp
neighbor command.
C. Split horizon prevents the routes from being advertised between spoke routers; it should be disabled
with the no ip split-horizon eigrp 10 command on the Gi0/0 interface of R1.
D. There is no spoke-to-spoke connection; the DMVPN configuration should be modified with a manual
neighbor relationship configured between R2 and R3 and confirmed by use of the show ip eigrp
neighbor command.

Answer: A

Explanation

In this topology, the Hub router will receive advertisements from R2 Spoke router on its tunnel
interface. The problem here is that it also has a connection with R3 Spoke on that same tunnel
interface. If we don’t disable split-horizon, then the Hub will not relay routes from R2 to R3 and the
other way around. That is because it received those routes on the same interface tunnel and therefore
it cannot advertise back out that same interface (split-horizon rule). Therefore we must disable split-
horizon on the Hub router to make sure the Spokes know about each other.

Question 38

Refer to the exhibit.

R1#show ip interface GigabitEthernet0/0 | include drops
0 verification drops
0 suppressed verification drops

R1#show ip interface GigabitEthernet0/1 | include drops
5 verification drops
0 suppressed verification drops

R1 is configured with uRPF, and ping to R1 is failing from a source present in the R1 routing table via
the GigabitEthernet 0/0 interface. Which action resolves the issue?

A. Remove the access list from the interface GigabitEthernet 0/0
B. Modify the uRPF mode from strict to loose
C. Enable Cisco Express Forwarding to ensure that uRPF is functioning correctly
D. Add a floating static route to the source on R1 to the GigabitEthernet 0/1 interface

Answer: B

Explanation

We see the ping came from Gi0/1 (with “5 verification drops”) but

Question 39

Refer to the exhibit.


C:\PC> ping 2001:db8:a:b::7

Pinging 2001:db8:a:b::7 with 32 bytes of data:
Reply from 2001:db8:a:b::7: time=46ms
Reply from 2001:db8:a:b::7: time=40ms
Reply from 2001:db8:a:b::7: time=40ms
Reply from 2001:db8:a:b::7: time=40ms
Ping statistics for 2001:db8:a:b::7:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss).
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 46ms, Average = 41ms

R1# telnet 2001:db8:a:b::7
Trying 2001:DB8:A:B::7… Open
User Access Verification
Password:

R1# show ipv6 access-list TSHOOT
IPv6 access list TSHOOT
deny tcp any host 2001:DB8:A:B::7 eq telnet (6 matches) sequence 10
permit tcp host 2001:DB8:A:A::10 host 2001:DB8:A:B::7 eq telnet sequence 20
permit tcp host 2001:DB8:A:A::10 host 2001:DB8:D::1 eq www sequence 30
permit ipv6 2001:DB8:A:A::/64 any (67 matches) sequence 40

An engineer is troubleshooting a failed Telnet session from PC to the DHCP server. Which action
resolves the issue?

A. Remove sequence 10 to add the PC source IP address and add it back as sequence 10.
B. Remove sequence 20 and add it back to the IPv6 traffic filter as sequence 5.
C. Remove sequence 30 and add it back to the IPv6 traffic filter as sequence 5.
D. Remove sequence 20 for sequence 40 in the access list to allow Telnet.

Answer: B

Question 40

What is an advantage of implementing BFD?

A. BFD provides millisecond failure detection
B. BFD provides faster updates for any flapping route
C. BFD is deployed without the need to run any routing protocol
D. BFD provides better capabilities to maintain the routing table

Answer: A

Question 41

Refer to the exhibit.

After a security audit, the administrator implemented an ACL in the route reflector. The RR became
unreachable from any router in the network. Which two actions resolve the issue? (Choose two)

A. Enable the ND proxy feature on the default gateway.
B. Configure a link-local address on the Ethernet0/1 interface.
C. Change the next hop of the default route to the link-local address of the default gateway.
D. Remove the ACL entry 80.
E. Permit ICMPv6 neighbor discovery traffic in the ACL.

Answer: B E

Question 42

What is the purpose of the DHCPv6 Guard?

A. It blocks DHCPv6 messages from relay agents to a DHCPv6 server.
B. It allows DHCPv6 reply and advertisement messages from (rogue) DHCPv6 servers.
C. It messages between a DHCPv6 server and a DHCPv6 client (or relay agent).
D. It shows that clients of a DHCPv6 server are affected.

Answer: C

Explanation

The DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from
unauthorized DHCP servers (-> Answer B is not correct) and relay agents that forward DHCP packets
from servers to clients. Client messages or messages sent by relay agents from clients to servers are
not blocked (-> Answer A is not correct)

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16/ip6f-
xe-16-book/ip6-dhcpv6-guard.html

Answer D does not have any meaning so the best answer left is answer C.

Question 43

Refer to the exhibit.

R2# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.99.2 1 EXCHANGE/- 00:00:36 192.168.99.1 Serial0/1
router-6#

R3# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.99.2 1 EXCHANGE/- 00:00:36 192.168.99.2 Serial0/1

An OSPF neighbor relationship between R2 and R3 is showing stuck in EXCHANGE/EXSTART state. The
neighbor is established between R1 and R2. The network engineer can ping from R2 to R3 and vice
versa, but the neighbor is still down. Which action resolves the issue?

A. Match MTU on both router interfaces or ignore MTU.
B. Restore the Layer 2/Layer 3 connectivity issue in the ISP network.
C. Administrative “shut then no shut” both router interfaces.
D. Enable OSPF on the interface, which is required.

Answer: A

Explanation
After two OSPF neighboring routers establish bi-directional communication and complete DR/BDR
election (on multi-access networks), the routers transition to the exstart state. In this state, the
neighboring routers establish a master/slave relationship and determine the initial database descriptor
(DBD) sequence number to use while exchanging DBD packets.
Neighbors Stuck in Exstart/Exchange State
The problem occurs most frequently when attempting to run OSPF between a Cisco router and another
vendor’s router. It happens when the maximum transmission unit (MTU) settings for the
neighboring router interfaces do not match. If the router with the higher MTU sends a packet larger than
the MTU set on the neighboring router, the neighboring router ignores the packet.

Question 44
Refer to the exhibit.

ip sla 1
icmp-echo 8.8.8.8
threshold 1000
timeout 2000
frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 name ISP1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 2 name ISP2

The administrator noticed that the connection was flapping between the two ISPs instead of switching
to ISP2 when the ISP1 failed. Which action resolves the issue?

A. Modify the static routes to refer both to the next hop and the outgoing interface.
B. Reference the track object 1 on the default route through ISP2 instead of ISP1.
C. Include a valid source-interface keyword in the icmp-echo statement.
D. Modify the threshold to match the administrative distance of the ISP2 route.

Answer: D

Explanation

The configuration above means:
Timeout: 2000 milliseconds
Frequency: 5 seconds
Threshold: 1000 milliseconds

The connection was flapping so the most likely cause is the configured threshold value vs timeout
value.

================================== This is the end of this update ==================================

============================== New Questions (added on 13th-Jan-2022) ==============================

Question 45

Refer to the exhibit.


An engineer configured BGP and wants to select the path from 10.77.255.57 as the best path instead
of current best path. Which action resolves the issue?
A. Configure AS_PATH prepend for the current best path
B. Configure higher MED to select as the best path
C. Configure AS_PATH prepend for the desired best path
D. Configure lower LOCAL_PREF to select as the best path

Answer: D

Explanation

From the output, we learn that the current best path is from 10.57.255.11 (its entry includes “…valid,
confed-external, best”) and this path is 2 ASes away (64955 65003). Although some paths are only
1 AS away (the path from 172.16.254.234, for example), they were not chosen as the best path,
so AS_PATH was not used to determine the best path -> Answers A and C are not correct.

All the paths in the output have a metric of 0, which is the lowest (best) value for this attribute. If we
configure a higher MED, the path is less preferred than the other paths -> Answer B is not correct.

Only answer D is left, but the LOCAL_PREF attribute should be configured with a higher value to be preferred,
so we hope “lower LOCAL_PREF” here means a higher value. Still, this is the best answer.

Question 46

Refer to the exhibit.

An administrator is configuring a GRE tunnel to establish an EIGRP neighbor to a remote router. The
other tunnel endpoint is already configured. After applying the configuration as shown, the tunnel
started flapping. Which action resolves the issue?
A. Modify the network command to use the Tunnel0 interface netmask
B. Advertise the Loopback0 interface from R2 across the tunnel
C. Stop sending a route matching the tunnel destination across the tunnel
D. Readdress the IP network on the Tunnel0 on both routers using the /31 netmask

Answer: C

Explanation

In this question we are advertising the tunnel IP address 192.168.12.2 to the other side. When the other
end receives the EIGRP advertisement, it learns that it can reach the other side of the tunnel via EIGRP.
In other words, it reaches the tunnel destination through the tunnel itself -> this causes a “recursive
routing” error.

Note: to avoid this error, do not advertise the tunnel destination IP address over the tunnel
interface to the other side.

Good recursive routing reference: https://networklessons.com/cisco/ccie-routing-switching/gre-tunnel-recursive-routing-error

Question 47

Which two solutions are used to overcome a flapping link that causes a frequent label binding
exchange between MPLS routers? (Choose two)
A. Create link dampening on links to protect the session.
B. Increase input queue on links to protect the session.
C. Create targeted hellos to protect the session.
D. Increase a hold-timer to protect the session.
E. Increase a session delay to protect the session.

Answer: A C

Explanation

To avoid having to rebuild the LDP session altogether, you can protect it. When the LDP session
between two directly connected LSRs is protected, a targeted LDP session is built between the two
LSRs. When the directly connected link does go down between the two LSRs, the targeted LDP session
is kept up as long as an alternative path exists between the two LSRs.

For the protection to work, you need to enable it on both the LSRs. If this is not possible, you can
enable it on one LSR, and the other LSR can accept the targeted LDP Hellos by configuring the
command mpls ldp discovery targeted-hello accept.

Reference: https://www.ccexpert.us/mpls-network/mpls-ldp-session-protection.html

Or from the reference at https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/5eU6DfQV/TECMPL-3201.pdf

Troubleshooting LDP Issues
Problem:
I. When a link flaps (for a short time),
Solution:
+ When LDP session supported by link hello is setup, create a targeted hello to protect the session.

-> Answer C is correct.

Question 48
Refer to the exhibit.

An engineer must configure a LAN-to-LAN IPsec VPN between R1 and the remote router. Which IPsec
Phase 1 configuration must the engineer use for the local router?

Option A
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
!
crypto isakmp key cisco123 address 200.1.1.3

Option B
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
!
crypto isakmp key cisco123 address 200.1.1.3

Option C
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
!
crypto isakmp key cisco123 address 199.1.1.1

Option D
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
!
crypto isakmp key cisco123! address 199.1.1.1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

In the “crypto isakmp key … address …” command, the address must be the IP address of the other
end (200.1.1.3 in this case), so Option A and Option B are the candidates. The difference between
these two options is the hash method (SHA or MD5); both can be used, but SHA is stronger than MD5,
so we choose Option A as the best answer.

Note: Cisco no longer recommends using 3DES, MD5 and DH groups 1, 2 and 5.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_imgmt/configuration/xe-16-
5/sec-ipsec-management-xe-16-5-book/sec-ipsec-usability-enhance.html

Question 49

What is a function of an end device configured with DHCPv6 guard?

A. If it is configured as a server, only prefix assignments are permitted.
B. If it is configured as a relay agent, only prefix assignments are permitted.
C. If it is configured as a client, messages are switched regardless of the assigned role.
D. If it is configured as a client, only DHCP requests are permitted.
Answer: C

Explanation

The DHCPv6 Guard feature blocks reply and advertisement messages that come from unauthorized
DHCP servers and relay agents.
Packets are classified into one of the three DHCP type messages. All client messages are always
switched regardless of device role. DHCP server messages are only processed further if the device role
is set to server. Further processing of server messages includes DHCP server advertisements (for
source validation and server preference) and DHCP server replies (for permitted prefixes).
If the device is configured as a DHCP server, all the messages need to be switched, regardless of the
device role configuration.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-
5/ip6f-xe-16-5-book/ip6-dhcpv6-guard.html

========================== New Questions (added on 18th-Feb-2022) ==========================

Question 50

Refer to the exhibit.

The hub and spokes are configured via two DMVPN tunnel interfaces. The NHRP is configured, and the
tunnels are detected on the hub and the spoke. Which configuration command adds an ipsec profile on
both tunnel interfaces to encrypt traffic?

A. Tunnel protection ipsec profile DMVPN unique
B. Tunnel protection ipsec profile DMVPN tunel1
C. Tunnel protection ipsec profile DMVPN multipoint
D. Tunnel protection ipsec profile DMVPN shared
Answer: D

Explanation

The tunnel protection ipsec profile shared command is used to create a single IPsec SADB for all
the tunnel interfaces that use the same profile and tunnel source interface. This configuration allows a
single IPsec SA to be used for all GRE tunnels (same tunnel source and destination, but different
tunnel keys) between two endpoints of the same type.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/xe-16-
10/sec-conn-dmvpn-xe-16-10-book/sec-conn-dmvpn-share-ipsec-w-tun-protect.html

Question 51

What is considered the primary advantage of running BFD?

A. Reduction in CPU needed to detect Layer 2 switch neighbor failures
B. Reduction in CPU needed to detect Layer 3 switch neighbor failures
C. Reduction in time needed to detect Layer 2 switch neighbor failures
D. Reduction in time needed to detect Layer 3 switch neighbor failures

Answer: D

Explanation

Although reducing the EIGRP, IS-IS, and OSPF timers can result in minimum detection timer of one to
two seconds, BFD can provide failure detection in less than one second.

Because some parts of BFD can be distributed to the data plane, it can be less CPU-intensive than the
reduced EIGRP, IS-IS, and OSPF timers, which exist wholly at the control plane.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fs_bfd.html

Although answer A seems correct too, answer D is the best choice.

Question 52

Refer to the exhibit.


An engineer investigates a routing issue on R1 and finds that traffic destined to 5.5.5.0/24 does not
take all of the paths. Which action resolves the issue?

A. Decrease the variance value in EIGRP.
B. Increase the variance value in EIGRP.
C. Remove the adjacency of R3 from EIGRP.
D. Stop advertising 192.168.13.0/24 in EIGRP.

Answer: B

Question 53

Refer to the exhibit.


Bank users must be restricted to access DC-2 and the Hotel users must be restricted to access DC-1
for respective applications. Interfaces VRF config on RG is:

interface GigabitEthernet 0/1
ip vrf forwarding Bank
!
interface GigabitEthernet 0/2
ip vrf forwarding Bank
!
interface GigabitEthernet 0/0
ip vrf forwarding Hotel
!
interface GigabitEthernet 0/3
ip vrf forwarding Hotel

Which configuration meets the requirements?

A. Router bgp 65010
bgp router-id 1.1.1.1
address-family ipv4 vrf Hotel
neighbor 10.0.0.6 remote-as 65020
neighbor 10.0.0.6 activate
address-family ipv4 vrf Bank
neighbor 10.0.0.9 remote-as 65030
neighbor 10.0.0.9 activate

B. Router bgp 65010
bgp router-id 1.1.1.1
address-family ipv4 vrf Hotel
neighbor 10.0.0.9 remote-as 65030
neighbor 10.0.0.9 activate
address-family ipv4 vrf Bank
neighbor 10.0.0.6 remote-as 65020
neighbor 10.0.0.6 activate

C. Router bgp 65010
bgp router-id 1.1.1.1
address-family ipv4 vrf Hotel
neighbor 10.0.0.9 remote-as 65020
neighbor 10.0.0.9 activate
address-family ipv4 vrf Bank
neighbor 10.0.0.6 remote-as 65030
neighbor 10.0.0.6 activate

D. Router bgp 65010
bgp router-id 1.1.1.1
address-family ipv4 vrf Hotel
neighbor 10.0.0.6 remote-as 65030
neighbor 10.0.0.6 activate
address-family ipv4 vrf Bank
neighbor 10.0.0.9 remote-as 65020
neighbor 10.0.0.9 activate

Answer: D

================================ New Questions (added on 24th-Feb-2022) ================================

Question 54

What are the two prerequisites to enable BFD on Cisco routers? (Choose two)

A. ICMP must be allowed on all participating routers.
B. OSPF Demand Circuit must run BFD on all participating routers.
C. A supported IP routing protocol must be configured on the participating routers.
D. UDP port 1985 must be allowed on all participating routers.
E. Cisco Express Forwarding and IP Routing must be enabled on all participating routers.

Answer: C E

Explanation
Bidirectional Forwarding Detection (BFD) is a detection protocol that is designed to provide fast
forwarding path failure detection times for all media types, encapsulations, topologies, and routing
protocols.

Prerequisites for Bidirectional Forwarding Detection:
+ Cisco Express Forwarding and IP routing must be enabled on all participating routers.
+ One of the IP routing protocols supported by BFD must be configured on the routers before BFD is
deployed.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/15-mt/irb-
15-mt-book/irb-bi-fwd-det.html

Question 55

Refer to the exhibit.

R1(config)#ip prefix-list EIGRP seq 10 deny 0.0.0.0/0 le 32
R1(config)#ip prefix-list EIGRP seq 20 permit 10.0.0.0/8
R1(config)#router eigrp 10
R1(config-router)#distribute-list prefix EIGRP in Ethernet0/0

A prefix list is created to filter routes inbound to an EIGRP process except for network 10 prefixes.
After the prefix list is applied no network 10 prefixes are visible in the routing table from EIGRP. Which
configuration resolves the issue?

A. ip prefix-list EIGRP seq 20 permit 10.0.0.0/8 ge 9
B. ip prefix-list EIGRP seq 10 permit 0.0.0.0/0 le 32
C. ip prefix-list EIGRP seq 20 permit 10.0.0.0/8 ge 9
ip prefix-list EIGRP seq 10 permit 0.0.0.0/0 le 32
D. ip prefix-list EIGRP seq 5 permit 10.0.0.0/8 ge 9
no ip prefix-list EIGRP seq 20 permit 10.0.0.0/8

Answer: D

Explanation

The statement “ip prefix-list … seq 10 deny 0.0.0.0/0 le 32” will match everything so we must put the
network 10 prefixes above this statement.
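Both the IPv6 traffic filter in Question 39 and the prefix list in Question 55 fail for the same reason: entries are evaluated in sequence order and the first match wins. The following evaluator is an added example (not from the question bank, not Cisco code) that reproduces IOS first-match semantics, including the ge/le length window of a prefix list; the rules are taken from the two exhibits, while the PC source address (implied by sequence 20) and the routes fed to the prefix list are assumptions.

```python
"""Added example: first-match evaluation of a sequence-numbered IPv6 ACL (Question 39)
and an IPv4 prefix list (Question 55). Rule lines come from the exhibits; the PC
address and the test routes are constructed inputs, not from the exhibits."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One line of an IPv6 access list."""
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp" or "ipv6" (matches any protocol)
    src: str                    # "any", a host address or a prefix
    dst: str
    dport: Optional[int] = None  # "eq telnet" -> 23, "eq www" -> 80


@dataclass
class PrefixEntry:
    """One line of an ip prefix-list."""
    seq: int
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None


def _in_spec(spec: str, addr: str) -> bool:
    """'any' matches everything; a bare host string becomes a /128 (or /32) network."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_matches(e: AclEntry, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if e.proto != "ipv6" and e.proto != proto:
        return False
    if not (_in_spec(e.src, src) and _in_spec(e.dst, dst)):
        return False
    return e.dport is None or e.dport == dport


def prefix_matches(e: PrefixEntry, route: str) -> bool:
    """IOS semantics: the route's leading bits must equal the listed prefix and its length
    must fall inside the ge/le window (exact length when neither keyword is given)."""
    net = ipaddress.ip_network(e.prefix)
    r = ipaddress.ip_network(route)
    if r.version != net.version or r.prefixlen < net.prefixlen:
        return False
    if r.supernet(new_prefix=net.prefixlen) != net:
        return False
    low = e.ge if e.ge is not None else net.prefixlen
    high = e.le if e.le is not None else (net.max_prefixlen if e.ge is not None else net.prefixlen)
    return low <= r.prefixlen <= high


def evaluate_acl(entries: List[AclEntry], proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the list in sequence order; the first match decides. Returns (action, seq),
    where seq None means the implicit deny at the end of the list was reached."""
    for e in sorted(entries, key=lambda x: x.seq):
        if acl_matches(e, proto, src, dst, dport):
            return e.action, e.seq
    return "deny", None


def evaluate_prefix_list(entries: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    for e in sorted(entries, key=lambda x: x.seq):
        if prefix_matches(e, route):
            return e.action, e.seq
    return "deny", None


# IPv6 access list TSHOOT exactly as shown in the Question 39 exhibit.
TSHOOT = [
    AclEntry(10, "deny", "tcp", "any", "2001:DB8:A:B::7", 23),
    AclEntry(20, "permit", "tcp", "2001:DB8:A:A::10", "2001:DB8:A:B::7", 23),
    AclEntry(30, "permit", "tcp", "2001:DB8:A:A::10", "2001:DB8:D::1", 80),
    AclEntry(40, "permit", "ipv6", "2001:DB8:A:A::/64", "any"),
]
# Answer B: the sequence 20 permit re-added as sequence 5, ahead of the deny.
TSHOOT_FIXED = [AclEntry(5, "permit", "tcp", "2001:DB8:A:A::10", "2001:DB8:A:B::7", 23)] + [
    e for e in TSHOOT if e.seq != 20]

# Prefix list EIGRP from Question 55, before and after answer D.
EIGRP_ORIG = [PrefixEntry(10, "deny", "0.0.0.0/0", le=32), PrefixEntry(20, "permit", "10.0.0.0/8")]
EIGRP_FIXED = [PrefixEntry(5, "permit", "10.0.0.0/8", ge=9), PrefixEntry(10, "deny", "0.0.0.0/0", le=32)]

if __name__ == "__main__":
    pc = "2001:DB8:A:A::10"  # assumed PC address, taken from the host in sequence 20
    print(evaluate_acl(TSHOOT, "icmp", pc, "2001:DB8:A:B::7"))           # ('permit', 40): ping works
    print(evaluate_acl(TSHOOT, "tcp", pc, "2001:DB8:A:B::7", 23))        # ('deny', 10): telnet blocked
    print(evaluate_acl(TSHOOT_FIXED, "tcp", pc, "2001:DB8:A:B::7", 23))  # ('permit', 5)
    print(evaluate_prefix_list(EIGRP_ORIG, "10.1.1.0/24"))               # ('deny', 10)
    print(evaluate_prefix_list(EIGRP_FIXED, "10.1.1.0/24"))              # ('permit', 5)
```

Note that `ge 9` in answer D admits subnets of 10.0.0.0/8 but not the /8 itself, which the evaluator also reports.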

Question 56

Refer to the exhibit.


Although summarization is configured for R1 to receive 10.0.0.0/8, more specific routes are received
by R1. How should the 10.0.0.0/8 summary route be received from the neighbor, attached to R1 via
Fast Ethernet0/0 interface?

A. The summarization condition is not met. Router 10.1.100.10 requires a route for 10.0.0.0/8 that
points to null 0
B. R1 should configure the ip summary-address eigrp <AS number> 10.0.0.0 255.0.0.0 command under the Fast Ethernet 0/0 interface
C. The summarization condition is not met. The network 10.1.100.0/24 should be changed to
172.16.0.0/24
D. R1 should configure the ip summary-address eigrp <AS number> 10.0.0.0 0.0.0.255 command under the Fast Ethernet 0/0 interface

Answer: B

Explanation

In the “ip summary-address eigrp …” command, we have to specify the subnet mask, not wildcard
mask in the subnet -> Answer D is not correct.

Question 57

What does the MP-BGP OPEN message contain?

A. NLRI, path attributes, and IP addresses of the sending and receiving routers
B. MPLS labels and the IP address of the router that receives the message
C. IP routing information and the AS number to which the router belongs
D. the version number and the AS number to which the router belongs

Answer: D

Explanation

Here are some of the items you will find in the open message:
+ Version: this includes the BGP version that the router is using. The current version of BGP is
version 4 which is described in RFC 4271. Two BGP routers will try to negotiate a compatible version,
when there is a mismatch then there will be no BGP session.
+ My AS: this includes the AS number of the BGP router, the routers will have to agree on the AS
number(s) and it also defines if they will be running iBGP or eBGP.
+ Hold Time: if BGP doesn’t receive any keepalive or update messages from the other side for the
duration of the hold time then it will declare the other side ‘dead’ and it will tear down the BGP
session. By default the hold time is set to 180 seconds on Cisco IOS routers, the keepalive message is
sent every 60 seconds. BGP routers will use the lowest configured hold down timer.
+ BGP Identifier: this is the local BGP router ID which is elected just like OSPF does:
+ + Use the router-ID that was configured manually with the bgp router-id command.
+ + Use the highest IP address on a loopback interface.
+ + Use the highest IP address on a physical interface.
+ Optional Parameters: here you will find some optional capabilities of the BGP router. This field
has been added so that new features can be added to BGP without having to create a new
version. Things you might find here are:
+ + support for MP-BGP (Multi Protocol BGP).
+ + support for Route Refresh.
+ + support for 4-octet AS numbers.

Reference: https://networklessons.com/bgp/bgp-messages

Question 58

Refer to the exhibit.

An engineer cannot copy the IOS.bin. Which action resolves the issue?

A. Allow file permissions to download the file from the FTP server.
B. Use the copy flash:/ ftp://[email protected]/IOS.bin command.
C. Make memory space on the switch flash or USB drive to download the file.
D. Add the IOS.bin file, which does not exist on FTP server.

Answer: D

Question 59

Refer to the exhibit.

Tunnel source 199.1.1.1, destination 200.1.1.3


Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)

An engineer must establish a point-to-point GRE VPN between R1 and the remote site. Which
configuration accomplishes the task for the remote site?

A. interface Tunnel1
tunnel source 199.1.1.1
tunnel destination 200.1.1.3
ip address 192.168.1.3 255.255.255.0

B. interface Tunnel1
tunnel source 200.1.1.3
tunnel destination 199.1.1.1
ip address 192.168.1.1 255.255.255.0

C. interface Tunnel1
tunnel source 200.1.1.3
tunnel destination 199.1.1.1
ip address 192.168.1.3 255.255.255.0

D. interface Tunnel
tunnel source 199.1.1.1
tunnel destination 200.1.1.3
ip address 192.168.1.1 255.255.255.0

Answer: C

=============================== New Questions (added on 2nd-Mar-2022) ===============================

Question 60

Refer to the exhibit.


Reachability between servers in a network deployed with DHCPv6 is unstable. Which command must
be removed from the configuration to make DHCPv6 function?

A. ipv6 address 2001:0:1:4::1/64


B. ipv6 dhcp server DHCPPOOL
C. ipv6 nd ra suppress
D. address prefix 2001:0:1:4::/64 lifetime infinite infinite

Answer: C

Question 61

Refer to the exhibit.

R6 should reach R1 via R5>R2>R1. Which action resolves the issue?

A. Decrease the cost to 2 between R6-R5-R2.


B. Decrease the cost to 41 between R2 and R1.
C. Increase the cost to 61 between R2 and R3.
D. Increase the cost to 61 between R2-R3-R1.

Answer: C

Explanation

The cost of the path R6-R5-R2-R1 is 20 + 20 + 80 = 120.

The cost of the path R6-R5-R2-R3-R1, which is currently the best path from R6 to R1, is 20 + 20 + 20 + 20 = 80.

For the first path to win, its cost must drop by more than 120 – 80 = 40, or the cost of the second path must rise by more than 40. Raising the R2-R3 link from 20 to 61 makes the second path cost 121, so the first path (120) is preferred.

Question 62

Refer to the exhibit.


Router R2 should be learning the route for 10.123.187.0/24 via EIGRP. Which action resolves the
issue without introducing more issues?

A. Remove route redistribution in R2 for this route in OSPF.


B. Use distribute-list to modify the route as an internal EIGRP route.
C. Redistribute the route in EIGRP with metric, delay, and reliability.
D. Use distribute-list to filter the external routes in OSPF.

Answer: A

Question 63

Refer to the exhibit.


TCP traffic should be reaching host 10.10.10.10/24 via R2. Which action resolves the issue?

A. Allow TCP in the access list with no changes to the route map.
B. Set IP next-hop to 10.10.12.2 under the route-map permit 10 to allow TCP traffic.
C. Add a permit 20 statement in the route map to allow TCP traffic.
D. TCP traffic will reach the destination via R2 without any changes.

Answer: A

Explanation

If we add a “permit 20” statement in the route-map then we will allow other traffic to pass through (in
fact Policy-based routing allows other traffic to pass through by default). But the bandwidth of R1-R4
is higher than that of R1-R2 so TCP traffic might go through R4 instead of R2.
Therefore we should allow TCP in the ACL so that TCP traffic is forwarded via R2.

Question 64

A customer requested a GRE tunnel through the provider network between two customer sites using
loopback to hide internal networks. Which configuration on R2 establishes the tunnel with R1?

A. R2(config)#interface Tunnel1
R2(config-if)#ip address 172.20.1.2 255.255.255.0
R2(config-if)#ip mtu 1500
R2(config-if}#ip tcp adjust-mss 1360
R2(config-if)#tunnel source 192.168.20.1
R2(config-if)#tunnel destination 10.10.1.1
B. R2(config)#interface Tunnel1
R2(config-if)#ip address 172.20.1.2 255.255.255.0
R2(config-if)#ip mtu 1400
R2(config-if)#ip tcp adjust-mss 1360
R2(config-if)#tunnel source 192.168.20.1
R2(config-if)#tunnel destination 192.168.10.1

C. R2(config)#interface Tunnel1
R2(config-if)#ip address 172.20.1.2 255.255.255.0
R2(config-if)#ip mtu 1400
R2(config-if)#ip tcp adjust-mss 1360
R2(config-if)#tunnel source 10.10.2.2
R2(config-if)#tunnel destination 10.10.1.1

D. R2(config)#interface Tunnel1
R2(config-if)#ip address 172.20.1.2 255.255.255.0
R2(config-if)#ip mtu 1500
R2(config-if)#ip tcp adjust-mss 1360
R2(config-if)#tunnel source 10.10.2.2
R2(config-if)#tunnel destination 10.10.1.1

Answer: C

Question 65

An engineer failed to run diagnostic commands on devices using Cisco DNA center, which action in
Cisco DNA center resolves the issue?

A. Enable Secure Shell.


B. Enable Command Runner.
C. Enable APIs.
D. Enable CDP.

Answer: B

Explanation

Command Runner lets you run diagnostic CLI commands on selected devices and view the resulting
command output.

To begin using Command Runner:

In the Cisco DNA Center GUI, click the Menu icon and choose System > Software Updates >
Installed Apps. Find the Command Runner application and click Install.
After installation, run a Discovery job to populate Cisco DNA Center with devices. You are then presented
with a list of devices on which to run diagnostic CLI commands.

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-
and-management/dna-center/2-1-
2/user_guide/b_cisco_dna_center_ug_2_1_2/b_cisco_dna_center_ug_2_1_1_chapter_0111.html

Question 66
Refer to the exhibit.

A network administrator notices these console messages from host 10.11.110.12 originating from
interface E1/0. The administrator considers this an unauthorized attempt to access SNMP on R1.
Which action prevents the attempts to reach R1 E1/0?

A. Configure IOS management plane protection using ACL 90 on interface E1/0.


B. Configure IOS control plane protection using ACL 90 on interface E1/0.
C. Add a permit statement including the host 10.11.110.12 into ACL 90.
D. Create an inbound ACL on interface E1/0 to deny SNMP from host 10.11.110.12.

Answer: D

Question 67

A network administrator added a new spoke site with dynamic IP on the DMVPN network. Which
configuration command passes traffic on the DMVPN tunnel from the spoke router?

A. ip nhrp registration dynamic


B. ip nhrp registration ignore
C. ip nhrp registration no-registration
D. ip nhrp registration no-unique

Answer: D

Explanation

“ip nhrp registration no-unique”: tells the spoke not to set the unique flag in its NHRP registration packets, so the hub accepts a new NBMA (public) address for the same tunnel address when the spoke re-registers. This is needed when the spoke has a dynamic IP address that can change over time; with the unique flag set, the hub would reject the re-registration until the old mapping expires.

Question 68

Refer to the exhibit.


R4 is experiencing packet drop when trying to reach 172.16.2.7 behind R2. Which action resolves the
issue?

A. Insert a /24 floating static route on R2 toward R3 with metric 254.


B. Disable auto summarization on R2.
C. Insert a /16 floating static route on R2 toward R3 with metric 254.
D. Enable auto summarization on all three routers R1, R2, and R3.

Answer: B

Question 69

Which two components are required for MPLS Layer 3 VPN configuration? (Choose two)

A. Use MP-BGP for customer routes.


B. Use LDP for customer routes.
C. Use a unique RD per customer VRF.
D. Use pseudowire for Layer 2 routes.
E. Use OSPF between PE and CE.

Answer: A C

Question 70

Refer to the exhibit.


The control plane is heavily impacted after the CoPP configuration is applied to the router. Which
command removal lessens the impact on the control plane?

A. access-list 120 permit eigrp any host 224.0.0.10


B. access-list 120 permit ospf any
C. access-list 120 permit udp any any eq pim-auto-rp
D. access-list 120 permit tcp any gt 1024 eq bgp log

Answer: D

Explanation

The “log” keyword on an ACE referenced by a CoPP class-map forces every matching packet to be handled by the CPU so that the syslog entry can be generated, which adds load to the very control plane the policy is meant to protect. Removing the logged BGP entry (or its “log” keyword) stops that per-packet punt; the other entries are plain permits for routing and multicast control traffic and carry no such cost.

Question 71

Refer to the exhibit.


R1 and R2 are configured for EIGRP peering using authentication and the neighbors failed to come up.
Which action resolves the issue?

A. Configure a matching key-id number on both routers.


B. Configure a matching lowest key-id on both routers.
C. Configure a matching key-chain name on both routers.
D. Configure a matching authentication type on both routers.

Answer: B

Question 72

Which method provides failure detection in BFD?

A. short duration, high overhead


B. short duration, low overhead
C. long duration, high overhead
D. long duration, low overhead

Answer: B

Explanation

BFD provides a low-overhead, short-duration method of detecting failures in the forwarding path
between two adjacent routers, including the interfaces, data links, and forwarding planes.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fs_bfd.html

Question 73
Refer to the exhibit.

During ISP router maintenance, the network produced many alerts because of the flapping interface.
Which configuration on R1 resolves the issue?

A. snmp trap ip verify drop-rate


B. no snmp trap link-status
C. ip verify drop-rate notify hold-down 60
D. snmp trap link-status down

Answer: B

Explanation

The command “snmp trap link-status” (and its “no” form) enables or disables the sending of SNMP traps
when an interface goes up or down. Disabling it is useful on interfaces that you expect to change
state frequently (for example, dial-on-demand interfaces), where you do not want an SNMP trap sent to
your network management stations on every state change.

Reference: https://www.oreilly.com/library/view/cisco-ios-in/0596008694/re785.html

Note: The command “ip verify drop-rate notify hold-down …” configures the minimum time, in
seconds, between Unicast RPF drop-rate notifications. But RPF is not a concern in this question.

Question 74

Refer to the exhibit.

A loop occurs between R1, R2, and R3 while EIGRP is run with poison reverse enabled. Which action
prevents the loop between R1, R2, and R3?
A. Configure route tagging.
B. Enable split horizon.
C. Configure R3 as stub receive-only.
D. Configure route filtering.

Answer: D

Explanation

On Cisco IOS, poison reverse is a function of split horizon (both are controlled by the “ip split-horizon eigrp” command), so if poison reverse is enabled, split horizon is already on and answer B changes nothing. The remaining way to break the loop is route filtering.

Question 75

A customer reports that traffic is not passing on an EIGRP enabled multipoint interface on a router
configured as below:

interface Serial0/0/0
no ip address

interface Serial0/0/0.9 multipoint


ip address 10.1.1.1 255.255.255.248
ip split-horizon eigrp 1

Which action resolves the issue?

A. Enable split horizon.


B. Disable poison reverse.
C. Disable split horizon.
D. Enable poison reverse.

Answer: C

Explanation

In this question sub-interface is used so we have to turn off split-horizon for EIGRP.

Question 76

Refer to the exhibit.


R2#sh ipv6 route ospf
O 2002:ABCD::/64 [110/1]
via FastEthernet0/1, directly connected
O 2004:BBAB::/64 [110/1]
via FastEthernet0/0, directly connected
O 2004:BBAC::/64 [110/1]
via FastEthernet1/0, directly connected
O 3010:2:4:0:15::/128 [110/1]
via FE80::C804:1DFF:FB20:8, FastEthernet0/0

A network engineer applied a filter for LSA traffic on OSPFv3 interarea routes on the area 5 ABR to
protect advertising the internal routes of area 5 to the business partner network. All other areas
should receive the area 5 internal routes. After the respective route filtering configuration is applied on
the ABR, area 5 routes are not visible on any of the areas. How must the filter list be applied on the
ABR to resolve this issue?

A. in the “out” direction for area 20 on router R2


B. in the “in” direction for area 5 on router R1
C. in the “out” direction for area 5 on router R1
D. in the “in” direction for area 20 on router R2
Answer: A

Question 77

Refer to the exhibit.

An administrator wanted to make R1 always elected as DR, R2 as BDR, and R3 as DROTHER but could
not achieve the desired results. Which two configurations resolve the issue? (Choose two)

A. On the R2 F0/0 interface, configure OSPF priority to 200.


B. On the R1 F0/0 interface, configure OSPF priority to 202.
C. On the R2 F0/0 interface, configure OSPF priority to 201.
D. On the R1 F0/0 interface, configure OSPF priority to 255.
E. On the R3 F0/0 interface, configure OSPF priority to 201.

Answer: C D
Question 78

Refer to the exhibit.

Which configuration enables OSPF for area 0 interfaces to establish adjacency with a neighboring
router with the same VRF?

A. router ospf 1 vrf CCNP


network 10.1.1.1 0.0.0.0 area 0
network 10.2.2.2 0.0.0.0 area 0

B. router ospf 1
interface Ethernet1
ip ospf 1 area 0.0.0.0
interface Ethernet2
ip ospf 1 area 0.0.0.0

C. router ospf 1 vrf CCNP


interface Ethernet1
ip ospf 1 area 0.0.0.0
interface Ethernet2
ip ospf 1 area 0.0.0.0

D. router ospf 1 vrf CCNP


network 10.0.0.0 0.0.255.255 area 0

Answer: A

Question 79

Refer to the exhibit.

An engineer must advertise routes into IPv6 MP-BGP and failed. Which configuration resolves the issue
on R1?

A. router bgp 65000


no bgp default ipv4-unicast
address-family ipv6 multicast
network 2001:DB8::/64

B. router bgp 65000


no bgp default ipv4-unicast
address-family ipv6 unicast
network 2001:DB8::/64

C. router bgp 64900


no bgp default ipv4-unicast
address-family ipv6 multicast
neighbor 2001:DB8:7000::2 translate-update ipv6 multicast

D. router bgp 64900


no bgp default ipv4-unicast
address-family ipv6 unicast
redistribute ospf
network 2001:DB9::/64

Answer: B

Question 80

Refer to the exhibit.

R1#show ip route
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1/32 is directly connected, Loopback0
2.0.0.0/32 is subnetted, 1 subnets
O 2.2.2.2/32 [110/2] via 10.10.10.2, 00:09:30, GigabitEthernet0/0/0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 10.10.10.0/30 is directly connected, GigabitEthernet0/0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0/0
C 10.10.20.0/30 is directly connected, GigabitEthernet0/0/1
L 10.10.20.1/32 is directly connected, GigabitEthernet0/0/1
D 10.20.10.0/30 [90/3072] via 10.10.10.2, 00:09:30, GigabitEthernet0/0/0
O 10.30.10.0/30 [90/3328] via 10.10.10.2, 00:05:48, GigabitEthernet0/0/0
S 10.40.10.0/30 [1/0] via 10.10.20.2

Routers R1, R2, R3, and R4 use EIGRP. However, traffic always prefers R1 to R5 backup links in
nonfailure scenarios. Which configuration resolves the issue?

A. R1(config)#no ip route 10.40.10.0 255.255.255.252 10.10.20.2


R1(config)#ip route 10.40.10.0 255.255.255.252 10.10.20.2 115

B. R1(config)#int gigabitEthernet 0/0/0


R1 (config-if)#bandwidth 10000000

C. R1(config-if)#int gigabitEthernet 0/0/0


R1(config-if)#bandwidth 10000

D. R1(config)#no ip route 10.40.10.0 255.255.255.252 10.10.20.2


R1(config)#ip route 0.0.0.0 0.0.0.0 10.10.10.2

Answer: A

Question 81

A newly installed spoke router is configured for DMVPN with the ip mtu 1400 command. Which
configuration allows the spoke to use fragmentation with the maximum negotiated TCP MTU over
GRE?

A. ip tcp adjust-mss 1360


crypto ipsec fragmentation after-encryption
B. ip tcp adjust-mss 1360
crypto ipsec fragmentation mtu-discovery
C. ip tcp payload-mtu 1360
crypto ipsec fragmentation mtu-discovery
D. ip tcp payload-mtu 1360
crypto ipsec fragmentation after-encryption

Answer: A

Explanation

There is no “ip tcp payload-mtu” command so the correct answer should be “ip tcp adjust-mss”.

Note: The “ip tcp adjust-mss 1360” command will signal the source and destination device during the
three-way handshake to use the TCP MSS size of 1360 bytes so that if they create the full size packet
there will still not be any drop/fragmentation on the router.

We tested with Cisco IOSv15.4 but could not find the “crypto ipsec fragmentation mtu-discovery”
command.
Therefore only the “crypto ipsec fragmentation after-encryption” command is valid.

Question 82

Refer to the exhibit.

An engineer is trying to add an encrypted user password that should not be visible in the router
configuration. Which two configuration commands resolve the issue? (Choose two)

A. service password-encryption
B. username Admin password 5 Cisco@123
C. no service password-encryption
D. username Admin password Cisco@123
E. password encryption aes
F. username Admin secret Cisco@123

Answer: A F

Explanation

The “service password-encryption” command obfuscates all current and future plaintext passwords as type 7, which is a reversible encoding rather than real encryption; “username Admin secret Cisco@123” stores a one-way hash instead (type 5 MD5 on older IOS, type 8 or type 9 on current releases), so it is the stronger of the two. Both answers remove the plaintext from the running configuration, which is what the question asks for.

Note: type 6 (AES) password encryption is a separate feature. On IOS it is enabled with “password encryption aes” (answer E) but encrypts nothing until a primary key is present, configured with “key config-key password-encrypt <key>”, and it protects keys such as IPsec pre-shared keys rather than the “username ... password” line in this question. The NX-OS guide below describes the equivalent feature there, including the “encryption re-encrypt obfuscated” command that converts existing passwords to type 6.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3400s/sw/93x/security/
configuration/guide/Cisco-n3400-nx-os-security-configuration-guide-93x/m-configuring-password-
encryption-922.pdf
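An added Python example (not from the original question bank) showing why “service password-encryption” only obfuscates: the type 7 scheme it applies is a fixed-key XOR that anyone holding a configuration backup can reverse. The key string and algorithm are the publicly known ones; the configuration snippet, usernames and passwords are constructed for the example, the type 5 hash in it is a placeholder rather than a real digest, and wrapping around the key for very long passwords is this implementation's assumption.

```python
import re

# The fixed XOR key used by IOS type 7 obfuscation (publicly known constant).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext, seed=8):
    """Encode as IOS does: a two-digit decimal seed, then each byte XORed with the
    key starting at the seed and written as two uppercase hex digits.
    Wrapping around the key for very long passwords is this implementation's assumption."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    data = plaintext.encode()
    out = [f"{seed:02d}"]
    for i, b in enumerate(data):
        out.append(f"{b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded):
    """Reverse type7_encode; no secret is needed, which is the whole point."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    payload = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(payload)).decode()


# Constructed sample configuration (not from any real device); the type 5 hash
# is a placeholder string, not a real digest.
SAMPLE_CONFIG = f"""\
service password-encryption
username Admin password 7 0822455D0A16
username Ops secret 5 $1$placeholder$notARealHash
line vty 0 4
 password 7 {type7_encode("R3m0te!", seed=3)}
 transport input ssh
"""

TYPE7_LINE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\s*$")


def audit_config(config_text):
    """Return (config line, recovered plaintext) for every type 7 password found.
    Lines that use 'secret' hold a one-way hash and are left alone."""
    findings = []
    for line in config_text.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            findings.append((line.strip(), type7_decode(m.group(1))))
    return findings


if __name__ == "__main__":
    for line, plaintext in audit_config(SAMPLE_CONFIG):
        print(f"{line!r} -> {plaintext!r}")
```

Running audit_config over a saved configuration is a quick way to find credentials that “service password-encryption” alone is protecting; each one it recovers should be moved to a “secret” form.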
Question 83

Refer to the exhibit.

Packets arriving from source 209.165.200.215 must be sent with the precedence bit set to 1, and
packets arriving from source 209.165.200.216 must be sent with the precedence bit set to 5. Which
action resolves the issue?

A. set ip precedence immediate in route-map Texas permit 10


B. set ip precedence priority in route-map Texas permit 20
C. set ip precedence critical in route-map Texas permit 10
D. set ip precedence critical in route-map Texas permit 20

Answer: D

Explanation

You can set the IP precedence value (bits 0 to 2 of the IPv4 type of service (ToS) field, or the equivalent
Traffic Class field in IPv6) with the set ip precedence command in a route map. IOS accepts either the
number or one of these keywords:
0 routine, 1 priority, 2 immediate, 3 flash, 4 flash-override, 5 critical, 6 internet, 7 network
Therefore precedence value 5 is “critical” and it must be set in route-map Texas permit 20.

Question 84

Refer to the exhibit.

The administrator is trying to overwrite an existing file on the TFTP server that was previously
uploaded by another router. However, the attempt to update the file fails. Which action resolves this
issue?

A. Make the package.conf file executable by all on the TFTP server.


B. Make the package.conf file writable by all on the TFTP server.
C. Make the TFTP folder writable by all on the TFTP server.
D. Make sure to run the TFTP service on the TFTP server.

Answer: B

Question 85

Refer to the exhibit.

The R2 loopback interface is advertised with RIP and EIGRP using default values. Which configuration
changes make R1 reach the R2 loopback using RIP?

A. R1(config)#router rip
R1 (config-router)#distance 100
B. R1(config)#router rip
R1 (config-router)#distance 90
C. R1(config)#router eigrp 1
R1(config-router)#distance eigrp 120 120
D. R1(config)#router eigrp 1
R1(config-router)#distance eigrp 130 120

Answer: D

============================== New Questions (added on 13th-Mar-2022) ==============================
Question 86

Refer to the exhibit.

Which action restores OSPF adjacency between R1 and R2?

A. Change the IP MTU of R1 Fa1/0 to 1300


B. Change the IP MTU of R2 Fa0/0 to 1300
C. Change the IP MTU of R1 Fa1/0 to 1500
D. Change the IP MTU of R2 Fa0/0 to 1500

Answer: D

Explanation

The MTU size of an Ethernet interface is 1500 bytes by default so we have to change MTU of R2 Fa0/0
interface to this value.

Question 87

Refer to the exhibit.


Mutual redistribution is enabled between RIP and EIGRP on R2 and R5. Which configuration resolves
the routing loop for the 192.168.1.0/24 network?

Option A

R2:
router eigrp 10
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s1
!
router rip
 network 178.1.0.0
 redistribute eigrp 10 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any
R5:
router eigrp 10
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s0
!
router rip
 network 178.1.0.0
 redistribute eigrp 10 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any

Option B

R2:
router eigrp 10
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s0
!
router rip
 network 178.1.0.0
 redistribute eigrp 10 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any
R5:
router eigrp 10
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s0
!
router rip
 network 178.1.0.0
 redistribute eigrp 10 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any

Option C

R2:
router eigrp 10
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s0
!
router rip
 network 178.1.0.0
 redistribute eigrp 10 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any
R5:
router eigrp 10
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s1
!
router rip
 network 178.1.0.0
 redistribute eigrp 10 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any

Option D

R2:
router eigrp 7
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s1
!
router rip
 network 178.1.0.0
 redistribute eigrp 7 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any
R5:
router eigrp 7
 network 181.16.0.0
 redistribute rip metric 1 1 1 1 1
 distribute-list 1 in s1
!
router rip
 network 178.1.0.0
 redistribute eigrp 7 metric 2
!
access-list 1 deny 192.168.1.0
access-list 1 permit any

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

We have to filter 192.168.1.0/24 inbound on s1 of R2 (so that this network is only ever redistributed from RIP
into EIGRP and never learned back from EIGRP) and inbound on s1 of R5 (R5 does not need to learn this network
from EIGRP because it learns it directly from R1).

Note: The “distribute-list 1 in” command creates an incoming distribute list that refers to access list 1.

Question 88

Which IPv6 feature enables a device to reject traffic when it is originated from an address that is not
stored in the device binding table?

A. IPv6 Snooping
B. IPv6 Source Guard
C. IPv6 DAD Proxy
D. IPv6 RA Guard

Answer: B

Explanation
IPv6 source guard is an interface feature between the populated binding table and data traffic filtering.
This feature enables the device to deny traffic when it is originated from an address that is not stored
in the binding table. IPv6 source guard does not inspect ND or DHCP packets; rather, it works in
conjunction with IPv6 neighbor discovery (ND) inspection or IPv6 address glean, both of which detect
existing addresses on the link and store them into the binding table.

Question 89

Which IPv6 first hop security feature controls the traffic necessary for proper discovery of neighbor
device operation and performance?
A. RA Throttling
B. Source or Destination Guard
C. ND Multicast Suppression
D. IPv6 Snooping

Answer: C

Explanation

The IPv6 Neighbor Discovery (ND) multicast suppress feature stops the ND multicast Neighbor Solicit
(NS)messages by dropping them (and responding to solicitations on behalf of the targets) or by
converting them into unicast traffic. This feature reduces the amount of control traffic necessary for
proper link operations.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-
3se/3650/ip6f-xe-3se-3650-book/ip6-nd-mcast-supp.pdf

Question 90

Refer to the exhibit.

While troubleshooting a BGP route reflector configuration, an engineer notices that reflected routes are
missing from neighboring routers. Which two BGP configurations are needed to resolve the issue?
(Choose two)

A. neighbor 10.1.1.14 route-reflector-client


B. neighbor R2 route-reflector-client
C. neighbor 10.1.1.2 allowas-in
D. neighbor R4 route-reflector-client
E. neighbor 10.1.1.2 route-reflector-client
Answer: B D

Explanation
In the above exhibit, we created two peer-groups named R2 and R4. Then we assigned 10.1.1.2 and
10.1.1.14 to these two peer-groups. Therefore we need to assign these two peer-groups to “route-
reflector-client”.

Question 91

An engineer configured a router with this configuration

ip access-list DENY_TELNET
10 deny tcp any any eq 23 log-input

The router console starts receiving log message “%SEC-6-IPACCESSLOGP: list DENY_TELNET denied
tcp192.168.1.10(10222) (FastEthernet1/0 D508.89gb.003f) ->192.168.2.20(23), 1 packet”. Which
action stops messages on the console while still denying Telnet?

A. Configure a 20 permit ip any any command


B. Remove log-input keyword from the access list.
C. Replace log-input keyword with the log keyword in the access list
D. Configure a 20 permit ip any any log-input command.

Answer: B

Explanation

Cisco IOS provides the capability to log matches against access list expressions by appending the log
or log-input keyword to a statement. log-input includes all the detail provided by log plus some
handy layer two information. Therefore if we want to stop receiving messages we can remove the
“log-input” keyword.

Note: This ACL does not have any “permit” statement so all traffic will be dropped because of the
implicit “deny all” statement at the end of the ACL.

Question 92

What are the two goals of micro BFD sessions? (Choose two)

A. The high bandwidth member link of a link aggregation group must run BFD.
B. Run the BFD session with 3×3 ms hello timer.
C. Continuity for each member link of a link aggregation group must be verified.
D. Any member link on a link aggregation group must run BFD.
E. Each member link of a link aggregation group must run BFD.

Answer: C E

Question 93

Refer to the exhibit.


The static route is not present in the routing table of an adjacent OSPF neighbor router. Which action
resolves the issue?

A. Configure the next hop of 10.20.20.1 in the prefix list DMZ-STATIC


B. Configure the next-hop interface at the end of the static router for it to get redistributed
C. Configure a permit 20 statement to the route map to redistribute the static route
D. Configure the subnets keyword in the redistribution command

Answer: D

============================= New Questions (added on 1st-Apr-2022) =============================

Question 94
While BGP internet routes are redistributed to a lower class of router via RIP, packets are being
dropped and routes are failing to be distributed in RIP. Which action resolves the issue?

A. Use the input-queue command to prevent the loss of packets.


B. Use RIP V2 to be able to use classless networks from BGP.
C. Use WFQ in the output queue of the high-performance router.
D. Use OSPF instead of RIP to accept all BGP routes.

Answer: A
Explanation

For example, you have two routers: a high-end router running BGP and a low-end router running RIP.
When you redistribute the BGP routes into RIP, some packets may be lost.
Redistributing BGP into RIP is generally not recommended; protocols such as iBGP, OSPF and EIGRP
scale better and offer more options.

If you do encounter this scenario (redistribution from BGP into RIP) and lose packets, configure this
command under the RIP process:
Router(config)#router rip
Router(config-router)#input-queue 1024

Note: Consider the use of the input-queue command if you have a high-end router that sends at high
speed to a low-speed router that might not be able to receive at the high speed. The configuration of
this command help prevent the loss of information from the routing table.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-
protocol-eigrp/8606-redist.html

Question 95
Refer to the exhibit.

Which configuration advertises more specific routes to R1 without sending a BGP summary route?

A. R1#configure terminal
R1(config)#router BGP 100
R1(config-router)#auto-summary

B. R1#configure terminal
R1(config)#router BGP 100
R1(config-router)#no auto-summary

C. R2#configure terminal
R2(config )#router BGP 100
R2(config-router)#auto-summary

D. R2#configure terminal
R2(config)#router BGP 100
R2 (config-router)#no auto-summary

Answer: D

Explanation

The last line of the output shows a summary route 172.16.0.0/16 pointing to Null0, which is the classful
summary BGP generates when auto-summary is enabled. To advertise the more specific routes without the
summary, disable it with “no auto-summary” on R2, the router that originates the routes.

Question 96

Refer to the exhibit.


The default route is not advertised to the neighboring router. Which action resolves the issue?

A. Configure the network 0.0.0.0 255.255.255.255 area 0 command under OSPF.


B. Configure the redistribute static metric 200 subnets command under OSPF.
C. Configure OSPF on the Dialer0 interface.
D. Configure the default-information originate command under OSPF.

Answer: D

Explanation
If you’re redistributing a default route into OSPF (for example, you have a static default route
configured with ip route 0.0.0.0 0.0.0.0 … and you use redistribute static subnets within the OSPF
process), the default route will not be entered into the OSPF database unless you configure default-
information originate within the router ospf configuration.

Reference: https://blog.ipspace.net/2007/06/inserting-default-route-into-ospf.html

============================= New Questions (added on 19th-Apr-2022) =============================

Question 97

Refer to the exhibit.


The eBGP neighbor 10.1.1.1 of router R2 receives and installs the prefix, but the community value is
not found in the BGP routing table. How must this issue be resolved?

A. Community values are nontransitive and R2 is an eBGP peer, configure R2 to send community.
B. R1 must have a route map assigned to neighbor R2, which is not matching the community values.
C. R2 is not sending the community value to neighbor R1, configure R2 to send community.
D. R1 must have a route map assigned to neighbor R2, which is clearing the community values.

Answer: C

Explanation

We must use the command “neighbor 10.1.1.1 send-community” so that the community attribute is
sent to the neighbor.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/28784-bgp-
community.html

Question 98

Refer to the exhibit.


R1 should receive 10.16.2.0/24 from R2. Which action resolves the issue?

A. Add prefix-list seq 1 on R1 to permit 10.16.2.0/24.


B. Modify prefix-list seq 5 on R2 to permit 10.16.0.0/23.
C. Modify prefix-list seq 5 on R2 to permit 10.16.0.0/22.
D. Add prefix-list seq 1 on R1 to permit 10.16.0.0/22.

Answer: C

Explanation

The entry “ip prefix-list ... permit 10.16.1.0/23 le 24” means: the first 23 bits of the route must equal the
first 23 bits of 10.16.1.0, and the route's own mask must be between /23 and /24. The first 23 bits cover the
first two octets plus the high 7 bits of the third octet, and for 10.16.1.0 those 7 bits are 0000000 (third
octet 1 = 00000001; its last bit falls outside the /23). Only 10.16.0.0/24 and 10.16.1.0/24 satisfy this.
10.16.2.0/24 has a third octet of 00000010, which differs within the covered bits, so it is not permitted.

Changing the entry to “... 10.16.0.0/22 le 24” checks only the high 6 bits of the third octet, so
10.16.0.0/24 through 10.16.3.0/24 (including 10.16.2.0/24) are permitted.

Question 99

Refer to the exhibit.


After the network administrator rebuilds the IPv6 DHCP server, clients are not getting the IPv6
address lease. Which action resolves the issue?

A. Add ipv6 dhcp server MY_POOL under the interface ethernet 0/0 on R1.
B. Remove FE80::A8BB:CCFF:FE00:5000 assigned by the IPv6 DHCP server.
C. Add ipv6 dhcp server MY_POOL under the interface ethernet 0/0 on H1.
D. Configure FF02::1:2 to discover all IPv6 DHCP clients.

Answer: A
============================== New Questions (added on 27th-Apr-2022) ==============================

Question 100

Refer to the exhibit.


Which action makes R3 traffic take a direct route between R3 and R4 to reach network A?

A. Reduce the cost of the R3-R4 link in area 0 to less than 30
B. Increase the OSPF overall cost in area 1 to higher than 40
C. Move the R3-R4 link from area 0 to area 1
D. Configure multiarea adjacency between R3 and R4

Answer: D

Explanation

The following rule applies to OSPF intra-area routes:

“Intra-area routing to a destination inside a non-backbone area will take the shortest path without traversing the backbone area”.

Therefore, with the above exhibit, R3 will choose the link in area 1 because network A is in area 1 too (intra-area). The cost does not matter here because it is the only intra-area route to network A.

If we want R3 to use the direct link to R4 to reach network A, we have to split area 1 into two areas. As we know, OSPF cannot route to a non-backbone area that is more than one area away from area 0 (except by using a virtual link).

Question 101

Which configuration enables a Cisco router to send information to a TACACS+ server for individual
EXEC commands associated with privilege level 15?

A. Router(config)# aaa authorization commands 15 default group tacacs+
B. Router(config)# aaa authorization exec default group tacacs+
C. Router(config)# aaa accounting commands 15 default start-stop group tacacs+
D. Router(config)# aaa accounting exec default start-stop group tacacs+

Answer: C

Explanation

If we want the router to send information for privilege level 15 specifically, the statement must contain “commands 15”.
– If it is an “aaa authorization …” command, the router queries the AAA server each time someone enters a command to check whether it is allowed.
– If it is an “aaa accounting …” command, the router sends a log to the AAA server for every command entered.
It is not clear what is meant by “send information” here. If “send information” means “send log” then only answer C is correct. If a query also counts as “send information” then answer A would be correct as well, because the “aaa authorization …” command queries the TACACS+ server each time a command is entered. We believe answer C is the best choice here.

Note:
+ “aaa accounting commands 15” activates accounting on all commands entered at privilege level 15.
+ “aaa accounting exec” activates accounting on all EXEC shell sessions (any commands entered after
the “enable” command)
+ The start-stop keywords indicate to send accounting information to the AAA server at both the
beginning and the end. (while the “stop-only” keyword indicates to send information at the end only).

Question 102

An engineer plans to use Python to convert text files that contain device information to JSON. Drag
and drop the code snippets from the bottom onto the blanks in the code to construct the request. Not
all options are used.
Answer:

1. with open(input_file) as text:
2. out_file = open("Json-Output.json","w")
3. out_file.close()

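The three snippets above are only fragments. As an added example (not the question’s own code), here is a complete script built around the same pattern: the input text file is read inside a with block, and the JSON output file is opened for writing and closed explicitly. The input layout (key: value lines, devices separated by blank lines) is an assumption, since the question does not show the real text file, and the sample data is constructed.

```python
import json

# Constructed sample input: one "key: value" line per attribute, devices
# separated by a blank line.  This layout is an assumption; the question does
# not show the real text file.
SAMPLE_TEXT = """\
hostname: R1
ip: 10.0.0.1
model: ISR4331
os: IOS-XE

hostname: SW1
ip: 10.0.0.2
model: C9300
os: IOS-XE
"""


def parse_device_text(text):
    """Turn the text layout above into a list of dictionaries, one per device."""
    devices, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                 # a blank line closes the current device record
            if current:
                devices.append(current)
                current = {}
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split(":", 1)
        current[key.strip()] = value.strip()
    if current:                      # the file may not end with a blank line
        devices.append(current)
    return devices


def devices_to_json(devices):
    """Serialise the device list as pretty-printed JSON text."""
    return json.dumps({"devices": devices}, indent=2)


def convert_file(input_file, output_file="Json-Output.json"):
    """Read the text file, write the JSON file and return the device count.
    Mirrors the answer's pattern: read the input in a 'with' block, open the
    output for writing, close it explicitly."""
    with open(input_file) as text:
        devices = parse_device_text(text.read())
    out_file = open(output_file, "w")
    out_file.write(devices_to_json(devices))
    out_file.close()
    return len(devices)


if __name__ == "__main__":
    with open("devices.txt", "w") as f:   # constructed input file for the demo
        f.write(SAMPLE_TEXT)
    print(convert_file("devices.txt"), "devices written to Json-Output.json")
```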
New ENARSI Questions 5
Question 1

Refer to the exhibit.

An engineer must redistribute networks 192.168.10.0/24 and 192.168.20.0/24 into OSPF from EIGRP, where the metric must accumulate when traversing multiple hops, starting from an external metric of 20. The engineer notices that the external metric is fixed and does not increase at each hop. Which configuration resolves the issue?

Option A

R2(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R2(config)#access-list 10 permit 192.168.20.0 0.0.0.255
!
R2(config)#route-map RD permit 10
R2(config-route-map)#match ip address 10
R2(config-route-map)#set metric 20
R2(config-route-map)#set metric-type type-2
!
R2(config)#router ospf 10
R2(config-router)#redistribute eigrp 10 subnets route-map RD

Option B

R2(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R2(config)#access-list 10 permit 192.168.20.0 0.0.0.255
!
R2(config)#route-map RD permit 10
R2(config-route-map)#match ip address 10
R2(config-route-map)#set metric 20
R2(config-route-map)#set metric-type type-1
!
R2(config)#router ospf 10
R2(config-router)#redistribute eigrp 10 subnets route-map RD

Option C

R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit 192.168.20.0 0.0.0.255
!
R1(config)#route-map RD permit 10
R1(config-route-map)#match ip address 10
R1(config-route-map)#set metric 20
R1(config-route-map)#set metric-type type-1
!
R1(config)#router ospf 10
R1(config-router)#redistribute eigrp 10 subnets route-map RD

Option D

R1(config)#access-list 10 permit 192.168.10.0 0.0.0.255
R1(config)#access-list 10 permit 192.168.20.0 0.0.0.255
!
R1(config)#route-map RD permit 10
R1(config-route-map)#match ip address 10
R1(config-route-map)#set metric 20
R1(config-route-map)#set metric-type type-2
!
R1(config)#router ospf 10
R1(config-router)#redistribute eigrp 10 subnets route-map RD

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation
We have to set the metric-type to E1, which includes the internal cost to ASBR added to the external
cost -> Only Option B and Option C are correct.
We need to redistribute on R2, not R1 -> Only Option B is correct.

Question 2

An engineer notices that R1 does not hold enough log messages to identify the root cause during
troubleshooting. Which command resolves this issue?

A. #logging buffered 4096 critical
B. #logging buffered 16000 critical
C. (config)#logging buffered 16000 informational
D. (config)#logging buffered 4096 informational

Answer: C

Explanation

We can increase the syslog messages in RAM with “logging buffered” command under global
configuration mode. The command “logging buffered 16000 informational” reserves up to 16000 bytes
of RAM for syslog messages. When you reboot your router or switch, the history will be gone.

Question 3

Refer to the exhibit.

A network administrator must block ping from user 3 to the App Server only. An inbound standard
access list is applied to R1 interface G0/0 to block ping. The network administrator was notified that
user 3 cannot even ping user 9 anymore. Where must the access list be applied in the outgoing
direction to resolve the issue?

A. R2 interface G0/0
B. SW1 interface G1/10
C. R2 interface G1/0
D. SW1 interface G2/21

Answer: C

Explanation

It is better to block the ping on R2 G1/0 than on SW1.

Question 4

Refer to the exhibit.

A network engineer must establish communication between three different customer sites with these requirements:
– Site-A must be restricted from accessing any users at Site-B or Site-C.
– Site-B and Site-C must be able to communicate with each other and share routes using OSPF.

PE interface configuration:

interface FastEthernet0/0
ip vrf forwarding Site-A
!
interface FastEthernet0/1
ip vrf forwarding SharedSites
!
interface FastEthernet0/2
ip vrf forwarding SharedSites

Which configuration meets the requirements?

A. PE(config)#router ospf 10 vrf Site-A
PE(config-router)#network 0.0.0.0 255.255.255.255 area 0
PE(config)#router ospf 10 vrf SharedSites
PE(config-router)#network 0.0.0.0 255.255.255.255 area 1

B. PE(config)#router ospf 10 vrf Site-A
PE(config-router)#network 0.0.0.0 255.255.255.255 area 0
PE(config-router)#router ospf 20 vrf SharedSites
PE(config-router)#network 0.0.0.0 255.255.255.255 area 1

C. PE(config)#router ospf 10 vrf Site-A
PE(config-router)#network 0.0.0.0 255.255.255.255 area 0
PE(config)#router ospf 10 vrf SharedSites
PE(config-router)#network 0.0.0.0 255.255.255.255 area 0

D. PE(config)#router ospf 10 vrf Site-A
PE(config-router)#network 0.0.0.0 255.255.255.255 area 0
PE(config)#router ospf 20 vrf SharedSites
PE(config-router)#network 0.0.0.0 255.255.255.255 area 0

Answer: C

Question 5

What is LDP label binding?

A. destination prefix with label
B. two routers with label distribution session
C. source prefix with label
D. neighboring router with label

Answer: A

Explanation

An LDP label binding is an association between a destination prefix and a label.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/12-4t/mp-ldp-
12-4t-book.pdf

Question 6

Refer to the exhibit.

ip sla 1
icmp-echo 8.8.8.8
threshold 1000
timeout 2000
frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 name ISP1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 name ISP2 track 1

An administrator configures a router to stop using a particular default route if the DNS server 8.8.8.8 is not reachable through that route. However, this configuration did not work as desired and the default route still works even if the DNS server 8.8.8.8 is unreachable. Which two configuration changes resolve the issue? (Choose two)

A. Use a separate track object to reference the existing IP SLA 1 probe for every static route
B. Use a separate IP SLA probe and track object for every static route
C. Associate every IP SLA probe with the proper WAN address of the router
D. Reference the proper exit interfaces along with the next hops in both static default routes
E. Configure two static routes for the 8.8.8.8/32 destination to match the IP SLA probe for each ISP

Answer: C D

Explanation
We should also specify the exit interfaces along with the next hops to make sure both the exit
interface and next hop are up or the default route would be removed.

Question 7

Refer to the exhibit.

The network administrator configured the Chicago router to mutually redistribute the LA and NewYork
routes with OSPF routes to be summarized as a single route in EIGRP using the longest summary
mask:

router eigrp 100
redistribute ospf 1 metric 10 10 10 10 10
router ospf 1
redistribute eigrp 100 subnets
!
interface E 0/0
ip summary-address eigrp 100 172.16.0.0 255.255.0.0

After the configuration, the New York router receives all the specific LA routes but the summary route.
Which set of configurations resolves the issue on the Chicago router?

A. router eigrp 100
summary-address 172.16.8.0 255.255.252.0

B. interface E 0/1
ip summary-address eigrp 100 172.16.8.0 255.255.252.0

C. router eigrp 100
summary-address 172.16.0.0 255.255.0.0

D. interface E 0/1
ip summary-address eigrp 100 172.16.0.0 255.255.0.0

Answer: B

Explanation
The command “summary-address …” is only available for OSPF, BGP, IS-IS. With EIGRP we must use
the “ip summary-address …” command under interface mode to summarize manually.
With the command “ip summary-address eigrp 100 172.16.8.0 255.255.252.0” under interface E0/1,
summary route will be sent to NewYork router.

Question 8

Refer to the exhibit.

An engineer must configure PBR on R1 to reach 10.2.2.0/24 via R3 (AS64513) as the primary path, with a backup path through the default route via R2 (AS64513). All BGP routes are in the routing table of R1, but a static default route overrides the BGP routes. Which PBR configuration achieves the objective?

A. access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
route-map PBR permit 10
match ip address 100
set ip next-hop recursive 10.3.3.1

B. access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
route-map PBR permit 10
match ip address 100
set ip next-hop recursive 10.3.3.1

C. access-list 100 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
route-map PBR permit 10
match ip address 100
set ip next-hop 10.3.3.1

D. access-list 100 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
route-map PBR permit 10
match ip address 100
set ip next-hop 10.3.3.1

Answer: A

Explanation

The IP address 10.3.3.1 is not a directly connected subnet so we must use the PBR Recursive Next
Hop feature.

Note: Both set ip next-hop and set ip default next-hop require that the next-hop be found on a
directly connected subnet (PBR will fail if it is not and the next set statement or normal forwarding will
be used). With set ip next-hop recursive, the next-hop address does not need to be directly
connected.

Question 9

What is the function of BFD?

A. It creates high CPU utilization on hardware deployments
B. It provides uniform failure detection on the same media type
C. It provides uniform failure detection regardless of media type
D. It negotiates to the highest version if the neighbor version differs

Answer: C

Explanation

Benefits of Configuring BFD for Routing Protocols

+ Fast failure detection times for all media types, encapsulations, topologies, and routing protocols
+ Faster reconvergence of applications
+ Consistent method of failure detection

Reference: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/routing/ios-xe-
17/routing-book-xe/m-bfd-for-routing-protocols.pdf

The system automatically performs BFD version detection, and BFD sessions between neighbors will run in the highest common BFD version between neighbors. For example, if one BFD neighbor is running BFD Version 0 and the other BFD neighbor is running Version 1, the session will run BFD Version 0 -> The highest common version is used, so answer D is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fs_bfd.html

In fact the above paragraph is rather misleading. It should say “the lower BFD version would be chosen” instead.

Question 10

Refer to the exhibit.


interface GigabitEthernet0/0
description FTP SERVER
no ip address
ipv6 address 2001:DB8::F/33
ipv6 enable
ipv6 traffic-filter FTP-SERVER in
!
interface GigabitEthernet0/1
description FTP CLIENT
no ip address
ipv6 address 2001:DB8:8000::F/33
ipv6 enable
ipv6 traffic-filter FTP-CLIENT in

ipv6 access-list FTP-CLIENT
permit tcp host 2001:DB8:8000::1 host 2001:DB8::1 eq ftp
permit tcp host 2001:DB8:8000::1 host 2001:DB8::1 eq ftp-data
!
ipv6 access-list FTP-SERVER
permit tcp host 2001:DB8::1 host 2001:DB8:8000::1 eq ftp established
permit tcp host 2001:DB8::1 host 2001:DB8:8000::1 eq ftp-data established

When an FTP client attempts to use passive FTP to connect to the FTP server, the file transfers fail.
Which action resolves the issue?

A. Modify traffic filter FTP-SERVER in to the outbound direction.
B. Configure active FTP traffic
C. Configure to permit TCP ports higher than 1023.
D. Modify FTP-SERVER access list to remove established at the end.

Answer: D

Explanation

Passive FTP is an FTP mode that can be requested by a client to alleviate the issues caused by client-
side firewalls. Both the server and the client must support passive FTP for this process to work. When
passive FTP is used, the client will initiate the connection to the server. This process is effective
because most firewalls allow inbound traffic from sessions initiated by the client.

The established keyword is only applicable to TCP access-list entries. It matches TCP segments that have the ACK and/or RST control bit set (regardless of the source and destination ports), which assumes that a TCP connection has already been established in one direction only. Let’s see an example below. Suppose you only want to allow the hosts inside your company to telnet to an outside server but not vice versa; you can simply use an “established” access-list like this:

access-list 100 permit tcp any any established
access-list 101 permit tcp any any eq telnet
!
interface S0/0
ip access-group 100 in
ip access-group 101 out

In this question, the established keyword is configured on the FTP server side, so it should be removed.
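
To show what the established keyword does and does not match, here is an added example (not part of the original explanation) that models the telnet access lists above as a small first-match filter over constructed TCP segments: the SYN of an inside-initiated telnet session leaves through list 101 and its SYN/ACK reply is accepted by the established-only list 100, while an outside-initiated SYN, carrying neither ACK nor RST, falls through to the implicit deny. The addresses and port numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    """A constructed TCP segment, reduced to the fields an ACL examines."""
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False
    rst: bool = False


@dataclass(frozen=True)
class AclEntry:
    """One 'permit/deny tcp <src> <dst> [eq <port>] [established]' line."""
    action: str                  # "permit" or "deny"
    src: str = "any"             # host address or "any"
    dst: str = "any"
    dport: Optional[int] = None  # destination port; None means any port
    established: bool = False

    def matches(self, seg: Segment) -> bool:
        if self.src != "any" and self.src != seg.src:
            return False
        if self.dst != "any" and self.dst != seg.dst:
            return False
        if self.dport is not None and self.dport != seg.dport:
            return False
        # 'established' matches only segments carrying ACK or RST, i.e. traffic
        # that belongs to a connection opened from the other side.  A bare SYN,
        # the first packet of a new connection, never matches it.
        if self.established and not (seg.ack or seg.rst):
            return False
        return True


def acl_permits(entries, seg: Segment) -> bool:
    """The first matching entry decides; no match means the implicit deny."""
    for entry in entries:
        if entry.matches(seg):
            return entry.action == "permit"
    return False


# The telnet example from the explanation, as applied on S0/0:
#   access-list 100 permit tcp any any established   (inbound)
#   access-list 101 permit tcp any any eq telnet     (outbound)
ACL_100_IN = [AclEntry("permit", established=True)]
ACL_101_OUT = [AclEntry("permit", dport=23)]

INSIDE_HOST = "10.1.1.10"       # constructed addresses
OUTSIDE_HOST = "203.0.113.5"


def inside_initiated_telnet():
    """Inside host opens telnet outward: its SYN leaves, the SYN/ACK returns.
    Returns (outbound SYN permitted, inbound SYN/ACK permitted)."""
    syn = Segment(INSIDE_HOST, OUTSIDE_HOST, 51000, 23)
    syn_ack = Segment(OUTSIDE_HOST, INSIDE_HOST, 23, 51000, ack=True)
    return acl_permits(ACL_101_OUT, syn), acl_permits(ACL_100_IN, syn_ack)


def outside_initiated_telnet():
    """Outside host tries to open telnet inward: its SYN has no ACK or RST bit,
    so the established-only inbound list drops it via the implicit deny."""
    syn = Segment(OUTSIDE_HOST, INSIDE_HOST, 40000, 23)
    return acl_permits(ACL_100_IN, syn)


if __name__ == "__main__":
    print("inside -> outside telnet:", inside_initiated_telnet())   # (True, True)
    print("outside -> inside telnet:", outside_initiated_telnet())  # False
```

The same logic explains why the established keyword is wrong on the FTP server side of the question: whichever side opens a connection sends a SYN without ACK, and an established-only list in that direction will never let it through.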

Question 11

Refer to the exhibit.

Configuration output:
aaa new-model
aaa group server tacacs+ admin
server name admin
!
ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
!
tacacs server admin
address ip 10.11.15.6
key 7 01150F165E3C17032D
!
line vty 0 4
login authentication admin

Debug Output:

Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind I/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list ‘admin’
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL – bad password

An administrator configured a Cisco router for TACACS authentication, but the router is using the local
enable password instead. Which action resolves the issue?

A. Configure the aaa authentication login default group admin local if-authenticated command instead.
B. Configure the aaa authentication login admin group tacacs+ local enable none command instead.
C. Configure the aaa authentication login admin group tacacs+ local if-authenticated command instead.
D. Configure the aaa authentication login admin group admin local enable command instead.

Answer: C

Explanation
Maybe in this case the TACACS+ server went down after the first authentication, so the router used local authentication instead. In this case we can append the “if-authenticated” keyword: if a user has already authenticated and the TACACS+ server later goes down, the user can still perform configuration.

Question 12

Refer to the exhibit.

An engineer is trying to connect to R1 via Telnet with no success. Which configuration resolves the
issue?

A. tacacs server prod
address ipv4 10.221.10.11
exit

B. ip route 10.221.0.11 255.255.255.255 ethernet 0/1

C. ip route 10.221.10.10 255.255.255.255 ethernet 0/1

D. tacacs server prod
address ipv4 10.221.10.10
exit

Answer: A

Explanation
In the “debug tacacs” output we see the “No route to host” error, which means R1 does not know how to reach the TACACS server. Therefore we must specify the IP address of the TACACS server.

Question 13

An administrator attempts to download the NBAR2 pack file using TFTP from the CPE router to another device over the Gi0/0 interface. The CPE is configured as below:

hostname CPE
!
ip access-list extended WAN
<…>
remark => All UDP rules below for WAN ID: S421T18E58F90
permit udp any eq domain any
permit udp any any eq tftp
deny udp any any
!
interface GigabitEthernet0/0
<…>
ip access-group WAN in
<..>
!
tftp-server flash: pp-adv-csr1000v-1612.1a-37-53.0.0.pack

The transfer fails. Which action resolves this issue?

A. Make the permit udp any eq tftp any entry the last entry in the WAN ACL
B. Shorten the file name to the 8+3 naming convention.
C. Change the WAN ACL to permit the entire UDP destination port range
D. Change the WAN ACL to permit the UDP port 69 to allow TFTP.

Answer: C

Question 14

A network administrator must optimize the segment size of the TCP packet on the DMVPN IPsec
protected tunnel interface, which carries application traffic from the head office to a designated
branch. The TCP segment size must not overwhelm the MTU of the outbound link. Which configuration
must be applied to the router to improve the application performance?

A. interface tunnel30
ip mtu 1400
ip tcp payload-size 1360
!
crypto ipsec fragmentation before-encryption

B. interface tunnel30
ip mtu 1400
ip tcp adjust-mss 1360
!
crypto ipsec fragmentation after-encryption

C. interface tunnel30
ip mtu 1400
ip tcp max-segment 1360
!
crypto ipsec fragmentation before-encryption

D. interface tunnel30
ip mtu 1400
ip tcp packet-size 1360
!
crypto ipsec fragmentation after-encryption

Answer: A

Explanation

When a packet is nearly the size of the MTU of the outbound link of the encrypting router and it is encapsulated with IPsec headers, it is likely to exceed the MTU of the outbound link. This causes packet fragmentation after encryption. The decrypting router must then reassemble these packets in the process path, which decreases the decrypting router’s performance.

The Pre-fragmentation for IPsec VPNs feature increases the decrypting router’s performance by
enabling it to operate in the high-performance CEF path instead of the process path. An encrypting
router can predetermine the encapsulated packet size from information available in transform sets,
which are configured as part of the IPsec security association (SA). If it is predetermined that the
packet exceeds the MTU of the output interface, the packet is fragmented before encryption. This
function avoids process-level reassembly before decryption and helps improve decryption performance
and overall IPsec traffic throughput.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/xe-16-
10/sec-ipsec-data-plane-xe-16-10-book/sec-pre-frag-vpns.pdf

Question 15

In a DMVPN network, the Spoke1 user observed that the voice traffic is coming to Spoke2 users via
the hub router. Which command is required on both spoke routers to communicate directly to one
another?

A. ip nhrp nhs multicast
B. ip nhrp shortcut
C. ip nhrp map dynamic
D. ip nhrp redirect

Answer: B

Explanation

DMVPN Phase III:

Same as Phase 2, but it removes some restrictions and complexities of Phase 2 and allows a greater variety of DMVPN network designs. We use:
+ ip nhrp redirect on the hub: tells the initiator spoke to look for a better path to the destination spoke than through the hub. Upon receiving the NHRP redirect message the spokes communicate with each other over the hub and they have their NHRP replies for the NHRP Resolution Requests that they sent out.
+ ip nhrp shortcut on the spokes: overwrites the CEF table on the spoke. It basically overrides the next-hop value for a remote spoke network from the default initial hub tunnel IP address to the NHRP-resolved remote spoke tunnel IP address.

Note: The command “ip nhrp redirect” is used on the hub only, while the command “ip nhrp shortcut” is used on the spokes.

Question 16

Refer to the exhibit.


RR Configuration:

router bgp 100
neighbor IBGP peer-group
neighbor IBGP route-reflector-client
neighbor 10.1.1.1 remote-as 100
neighbor 10.1.2.2 remote-as 100
neighbor 10.1.3.3 remote-as 100

The network administrator configured the network to establish connectivity between all devices and
notices that the ASBRs do not have routes for each other. Which set of configurations resolves this
issue?

A. router bgp 100
neighbor IBGP update-source Loopback0

B. router bgp 100
neighbor IBGP next-hop-self

C. router bgp 100
neighbor 10.1.1.1 next-hop-self
neighbor 10.1.2.2 next-hop-self
neighbor 10.1.3.3 next-hop-self

D. router bgp 100
neighbor 10.1.1.1 peer-group IBGP
neighbor 10.1.2.2 peer-group IBGP
neighbor 10.1.3.3 peer-group IBGP

Answer: D

Question 17

Refer to the exhibit.


An engineer configured SNMP traps to record spoofed packets drop of more than 48000 a minute on
the ethernet0/0 interface. During an IP spoofing attack, the engineer noticed that no notifications
have been received by the SNMP server. Which configuration resolves the issue on R1?

A. ip verify unicast notification threshold 800
B. ip verify unicast notification threshold 8000
C. ip verify unicast notification threshold 48000
D. ip verify unicast notification threshold 80

Answer: A

Explanation

The command “ip verify unicast notification threshold …” configures the threshold value, in packets per
second, which determines whether to send a Unicast RPF drop-rate notification. In this question,
48000 a minute is equal to 48000 / 60 = 800 a second.

Question 18

Refer to the exhibit.


An engineer implemented an access list on R1 to allow anyone to Telnet except R2 Loopback0 to R1
Loopback4. How must sequence 20 be replaced on the R1 access list to resolve the issue?

A. sequence 20 permit tcp host 1001:ABC:2011:7::1 host 400A:0:400C::1 eq telnet
B. sequence 20 deny tcp host 400A:0:400C::1 host 1001:ABC:2011:7::1 eq telnet
C. sequence 20 permit tcp host 400A:0:400C::1 host 1001:ABC:2011:7::1 eq telnet
D. sequence 20 deny tcp host 1001:ABC:2011:7::1 host 400A:0:400C::1 eq telnet

Answer: D

Question 19

Refer to the exhibit.


An engineer implemented CoPP to limit Telnet traffic to protect the router CPU. It was noticed that the
Telnet traffic did not pass through CoPP. Which configuration resolves the issue?

A. ip access-list extended TELNET
permit tcp host 10.2.2.1 host 10.2.2.4 eq telnet
permit tcp host 10.1.1.1 host 10.1.1.3 eq telnet

B. policy-map COPP
class TELNET
police 8000 conform-action transmit exceed-action transmit

C. ip access-list extended TELNET
permit tcp host 10.2.2.4 host 10.2.2.1 eq telnet
permit tcp host 10.1.1.3 host 10.1.1.1 eq telnet

D. policy-map COPP
class TELNET
police 8000 conform-action transmit exceed-action transmit violate-action drop

Answer: C

Explanation

In the exhibit we see that R4 tries to connect to 10.2.2.1, but the current access-list only limits R4 connecting to 10.1.1.1. The same problem applies to R3, so we must fix the destination IP addresses in the access-list.

Question 20

Refer to the exhibit.

After configuring OSPF in R1, some external destinations in the network became unreachable. Which
action resolves the issue?

A. Disconnect the router with the OSPF router ID 0.0.0.0 from the network
B. Increase the SPF delay interval on R1 to synchronize routes.
C. Change the R1 router ID from 10.255.255.1 to a unique value and clear the process
D. Clear the OSPF process on R1 to flush stale LSAs sent by other routers

Answer: C

Explanation

You receive the OSPF-4-FLOOD_WAR error message. The OSPF flood war occurs when the router
repeatedly receives its own Link State Advertisement (LSA) and flushes it from the network or sends a
new version of it. This is meant to detect issues with Type-2 LSAs when duplicate IP addresses are
present in the network, or with Type-5 LSAs when there is a duplicate router ID in different OSPF
Areas.
In a typical scenario, there is one router in the network that originates the LSA and a second router
that flushes the LSA.

Question 21

Refer to the exhibit.


B(config-if)# do sh run int e0/1 | b int
B(config-if)# interface Ethernet0/1
B(config-if)# ip address 78.1.1.8 255.255.255.0
B(config-if)# ipv6 enable
B(config-if)# ospfv3 1 ipv4 area 1

C(config)# interface Ethernet0/1.78
C(config-subif)# encap dot1q 78
C(config-subif)# ip add 78.1.1.7 255.255.255.0
C(config-subif)# ospfv3 1 ipv4 area 0

D(config-if)# do sh run int e0/1 | b int
D(config-if)# interface Ethernet0/1
D(config-if)# no ip address
D(config-if)# ipv6 address 37::3/64
D(config-if)# ipv6 enable
D(config-if)# ipv6 ospf 1 area 0

A network engineer receives a report that Spoke 1 users can perform bank transactions with the
server located at the Center site, but Spoke 2 users cannot. Which action resolves the issue?

A. Configure the Spoke 2 users IP on the router B OSPF domain.
B. Configure IPv6 on the routers B and C interfaces.
C. Configure OSPFv2 on the routers B and C interfaces.
D. Configure encapsulation dot1q 78 on the router C interface.

Answer: C

Question 22

What is an MPLS LDP targeted session?

A. LDP session established by exchanging multicast hello packets
B. LDP session established between LSRs by exchanging TCP hello packets
C. session between neighbors that are connected no more than one hop away
D. label distribution session between non-directly connected neighbors

Answer: D

Question 23

Refer to the exhibit.


IT Router
vrf definition Science
address-family ipv4
!
interface E 0/2
Vrf forwarding Science
ip address 192.168.1.1 255.255.255.0
No shut
!
Interface E 0/3
Vrf forwarding Science
ip address 192.168.2.1 255.255.255.0
No shut

The IT router has been configured with the Science VRF and the interfaces have been assigned to the
VRF. Which set of configurations advertises Science-1 and Science-2 routes using EIGRP AS 111?

Option A

router eigrp 111
address-family ipv4 vrf Science autonomous-system 1
network 192.168.1.0
network 192.168.2.0

Option B

router eigrp 111
address-family ipv4 vrf Science
network 192.168.1.0
network 192.168.2.0

Option C

router eigrp 111
network 192.168.1.0
network 192.168.2.0

Option D

router eigrp 1
address-family ipv4 vrf Science autonomous-system 111
network 192.168.1.0
network 192.168.2.0

A. Option A
B. Option B
C. Option C
D. Option D
Answer: D

Explanation
The following example shows how to configure an EIGRP address family within a VRF with the
autonomous system configured by the address-family autonomous-system-number command in
router configuration mode:

Router(config)# router eigrp 65200
Router(config-router)# address-family ipv4 vrf VRF2 autonomous-system 65500

Reference: https://www.cisco.com/c/en/us/td/docs/ios/iproute_eigrp/command/reference/ire_book/ir
e_a1.html

Question 24

An engineer must override the normal routing behavior of a router for Telnet traffic that is destined to
10.10.10.10 from 10.10.1.0/24 via a next hop of 10.4.4.4, which is directly connected to the router
that is connected to the 10.1.1.0/24 subnet. Which configuration reroutes traffic according to this
requirement?

Option A

access-list 100 deny tcp 10.10.1.0 0.0.0.255 host 10.10.10.10 eq 23
!
route-map POLICY permit 10
match ip address 100
set ip next-hop 10.4.4.4
route-map POLICY permit 20

Option B

access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.10.10 eq 23
!
route-map POLICY permit 10
match ip address 100
set ip next-hop 10.4.4.4
route-map POLICY permit 20

Option C

access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.10.10 eq 23
!
route-map POLICY permit 10
match ip address 100
set ip next-hop recursive 10.4.4.4
route-map POLICY permit 20

Option D

access-list 100 permit tcp 10.10.1.0 0.0.0.255 host 10.10.10.10 eq 23
!
route-map POLICY permit 10
match ip address 100
set ip next-hop recursive 10.4.4.4

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

We read this question many times, as it is very difficult to draw the topology from the description above. We also suppose there is a typo in this question: it should be “that is connected to the 10.10.1.0/24 subnet”, not “that is connected to the 10.1.1.0/24 subnet”. So this is the final topology we could draw:

So if 10.4.4.4 is directly connected to our (local) router, then we can set the next-hop to 10.4.4.4 without the keyword “recursive”.

Also, in fact, option C and option D are the same, as we don’t need the last line “route-map POLICY permit 20”.

Question 25

Refer to the exhibit.

An engineer must configure a DMVPN Phase 3 hub-and-spoke topology to enable a spoke-to-spoke tunnel. Which NHRP configuration meets the requirement on R6?

A. interface Tunnel1
ip nhrp authentication Cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp redirect

B. interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source e 0/1
tunnel mode gre multipoint
ip nhrp network-id 1
ip nhrp map 192.168.1.2 192.1.20.2

C. interface Tunnel1
ip nhrp authentication Cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
ip nhrp shortcut

D. interface Tunnel 1
ip address 192.168.1.1 255.255.255.0
tunnel source e 0/0
tunnel mode gre multipoint
ip nhrp network-id 1

Answer: A

Explanation

In this topology, R5 is the Hub and the hub configuration of DMVPN Phase III requires the command
“ip nhrp redirect”.

+ ip nhrp redirect in hub: tells the initiator spoke to look for a better path to the destination spoke
than through the Hub. Upon receiving the NHRP redirect message the spokes communicate with each
other over the hub and they have their NHRP replies for the NHRP Resolution Requests that they sent
out.

Question 26

Refer to the exhibit.


An engineer implemented CoPP but did not see OSPF traffic going through it. Which configuration
resolves the issue?

A. control-plane
service-policy input COPP

B. policy-map COPP
class OSFP
police 8000 conform-action transmit exceed-action transmit violate-action drop

C. ip access-list extended OSPF
permit ospf any any

D. class-map match-all OSFP
match access-group name OSPF

Answer: C

Explanation

The OSPF class matches whatever its access list permits. OSPF (IP protocol 89) is exchanged only between
directly connected neighbors, so an ACL entry written for traffic between R1 and R3, which are not
adjacent, never matches the hellos and LSAs that actually arrive at R1's CPU, and the class counters stay
at zero. “permit ospf any any” in the OSPF access list (option C) matches OSPF from every neighbor, after
which the CoPP class sees the traffic.

Question 27

Refer to the exhibit.


Site1 must perform unequal cost load balancing toward the segments behind Site2 and Site3. Some of
the routes are getting load balanced but others are not. Which configuration allows Site1 to load
balance toward all the LAN segments of the remote routers?

A. Site3
router eigrp 100
variance 2

B. Site2
router eigrp 100
variance 2
C. Site2
router eigrp 100
variance 3

D. Site1
router eigrp 100
variance 3

Answer: D

Explanation

Unequal-cost load balancing is configured on the router that installs the extra paths, so the variance
belongs on Site1; options A and B change the wrong routers. From “show ip route” on Site1, networks
192.168.5.0/24 and 192.168.6.0/24 already have two next hops, but 192.168.3.0/24 and 192.168.4.0/24 have
only one. In “show ip eigrp topology” their second path passes the feasibility condition (its reported
distance is lower than the successor's feasible distance) but its metric is more than twice the successor's,
so the current variance does not admit it: EIGRP installs a feasible successor only when its FD is at most
variance times the successor's FD. Variance 3 on Site1 (option D) covers all four networks.
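The feasibility condition and the variance check are easy to get wrong, so here is an added Python example (not from the original page or from Cisco) that works through both on a constructed topology table. The prefixes, next hops and metrics are made up, since the exhibit is not reproduced here; the rules themselves are EIGRP's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """One candidate path for a prefix, as listed in 'show ip eigrp topology'."""
    next_hop: str
    fd: int  # feasible distance: this router's metric via next_hop
    rd: int  # reported distance: next_hop's own metric to the prefix


def successor(paths):
    """The successor is the path with the lowest feasible distance."""
    return min(paths, key=lambda p: p.fd)


def feasible_successors(paths):
    """Feasibility condition: a backup is loop-free only if its reported
    distance is strictly lower than the successor's feasible distance."""
    best = successor(paths)
    return [p for p in paths if p is not best and p.rd < best.fd]


def installed_paths(paths, variance):
    """Paths EIGRP installs for unequal-cost load balancing: the successor plus
    every feasible successor whose FD is at most variance * successor FD."""
    best = successor(paths)
    return [best] + [p for p in feasible_successors(paths) if p.fd <= variance * best.fd]


def min_variance(paths):
    """Smallest integer variance that installs every feasible successor."""
    best = successor(paths)
    fs = feasible_successors(paths)
    if not fs:
        return 1
    return -(-max(p.fd for p in fs) // best.fd)  # ceiling division


def required_variance(topology):
    """Variance needed on one router so that all of its prefixes are load balanced."""
    return max(min_variance(paths) for paths in topology.values())


# Constructed topology table for Site1 (assumption: metrics and addresses are made up).
# Both remote routers reach each LAN; the 10.1.13.3 path is the more expensive one.
SITE1_TOPOLOGY = {
    "192.168.5.0/24": [Path("10.1.12.2", 2816, 2560), Path("10.1.13.3", 5376, 2560)],
    "192.168.6.0/24": [Path("10.1.12.2", 2816, 2560), Path("10.1.13.3", 5376, 2560)],
    "192.168.3.0/24": [Path("10.1.12.2", 2816, 2560), Path("10.1.13.3", 7168, 2560)],
    "192.168.4.0/24": [Path("10.1.12.2", 2816, 2560), Path("10.1.13.3", 7168, 2560)],
    # A path whose reported distance is not below the successor FD fails the
    # feasibility condition and is never used, whatever the variance.
    "192.168.9.0/24": [Path("10.1.12.2", 2816, 2560), Path("10.1.13.3", 7168, 3072)],
}

if __name__ == "__main__":
    for prefix, paths in SITE1_TOPOLOGY.items():
        print(prefix, "min variance:", min_variance(paths),
              "installed with variance 2:", [p.next_hop for p in installed_paths(paths, 2)])
    print("variance required on Site1:", required_variance(SITE1_TOPOLOGY))
```

Run as a script, it shows the 192.168.5.0/24 and 192.168.6.0/24 entries already load balancing at variance 2 while 192.168.3.0/24 and 192.168.4.0/24 need 3, and that raising the variance never helps a path that fails the feasibility condition.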

Question 28

Refer to the exhibit.


R2#
router eigrp 100
network 10.10.10.0 0.0.0.3
network 10.20.10.0 0.0.0.3
!
router ospf 100
network 10.10.10.0 0.0.0.3 area 0
network 10.20.10.0 0.0.0.3 area 0
!
router bgp 100
distance 100 10.20.10.0 0.0.0.3
distance 100 10.10.10.0 0.0.0.3
neighbor 1.1.1.1 remote-as 200
neighbor 10.10.10.1 remote-as 200
network 10.20.10.0 mask 255.255.255.252

R1#
router eigrp 100
network 10.10.10.0 0.0.0.3
network 10.10.20.0 0.0.0.3
network 1.1.1.1 0.0.0.0
!
router ospf 100
network 10.10.10.0 0.0.0.3 area 0
network 10.10.20.0 0.0.0.3 area 0
!
router bgp 200
distance 100 10.10.10.0 0.0.0.3
distance 100 10.20.10.0 0.0.0.3
neighbor 2.2.2.2 remote-as 100
neighbor 10.10.10.2 remote-as 100
network 10.10.10.0 mask 255.255.255.252
network 10.20.10.0 mask 255.255.255.252

R1 and R2 use IGP protocol to route traffic between AS 100 and AS 200 despite being configured to
use BGP. Which action resolves the issue and ensures the use of BGP?

A. Configure distance to 100 under the OSPF process of R1 and R2.


B. Remove distance commands under BGP AS 100.
C. Remove distance commands under BGP AS 100 and AS 200.
D. Configure distance to 100 under the EIGRP process of R1 and R2.

Answer: C

Explanation

By default, external BGP routes have an administrative distance of 20, lower than EIGRP internal (90) and
OSPF (110), so they are preferred over the IGP routes. Here both routers raise the distance of the BGP
routes learned from these neighbors to 100 with the “distance 100 <neighbor> <wildcard>” commands, which
makes the EIGRP routes (AD 90) win and sends the traffic over the IGP. Removing the distance commands on
both routers (AS 100 and AS 200) restores the default of 20 so that BGP is preferred; removing them on only
one side (option B) fixes only one direction.
=============================== New Questions (added on 19th-Jun-2022) ===============================

Question 29

Refer to the exhibit.


The company implemented uRPF to address an antispoofing attack. A network engineer received a call
from the IT security department that the regional data center is under an IP attack. Which
configuration must be implemented on R1 to resolve this issue?

A. interface ethernet0/0
ip verify unicast reverse-path
B. interface ethernet0/1
ip verify unicast reverse-path
C. interface ethernet0/1
ip unicast RPF check reachable-via any allow-default allow-self-ping
D. interface ethernet0/0
ip unicast RPF check reachable-via any allow-default allow-self-ping

Answer: B

Explanation

From the second output we see that e0/1 does not have uRPF enabled (“IP unicast RPF check is disabled”),
so it must be enabled there with the “ip verify unicast reverse-path” command, which is strict mode: a
packet is accepted only if the best route back to its source address points out the interface on which
the packet arrived. Options C and D are not valid IOS syntax.

Note: “ip verify unicast reverse-path” is the older form of the command but is still accepted on some
platforms. It is equivalent to “ip verify unicast source reachable-via rx”, which enables uRPF in strict
mode; “reachable-via any” is loose mode, which only requires that some route to the source exist, and the
“allow-default” keyword lets a default route satisfy the check.
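As an added example (not from the page or from Cisco IOS), the following Python script models the strict and loose checks against a constructed FIB for R1. The interface roles, the prefixes and the sample packets are assumptions; the exhibit's routing table is not reproduced on this page.

```python
import ipaddress

# Constructed FIB for R1 (assumption): e0/0 faces the Internet, e0/1 faces the
# regional data center.
FIB = {
    "0.0.0.0/0": "Ethernet0/0",
    "10.66.0.0/16": "Ethernet0/1",
    "192.168.10.0/24": "Ethernet0/1",
}


def lookup(source):
    """Longest-prefix match of the packet's source address against the FIB.
    Returns (network, egress interface); the default route matches everything."""
    addr = ipaddress.ip_address(source)
    best = None
    for prefix, intf in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def urpf_passes(source, ingress, mode="strict", allow_default=False):
    """Strict (reachable-via rx): the route back to the source must leave through
    the ingress interface. Loose (reachable-via any): any route to the source is
    enough. A default route satisfies either check only with allow-default."""
    match = lookup(source)
    if match is None:
        return False
    net, intf = match
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return intf == ingress


def dropped(packets, mode="strict", allow_default=False):
    """Return the (source, ingress) pairs the check would discard."""
    return [(s, i) for s, i in packets if not urpf_passes(s, i, mode, allow_default)]


# Constructed sample packets, including a spoofed data-center source arriving
# from the Internet side.
PACKETS = [
    ("10.66.1.5", "Ethernet0/1"),      # legitimate: data-center host on e0/1
    ("10.66.1.5", "Ethernet0/0"),      # spoofed: same source, but from the Internet
    ("203.0.113.7", "Ethernet0/0"),    # Internet host; only the default route matches
    ("192.168.10.20", "Ethernet0/0"),  # spoofed internal address
]

if __name__ == "__main__":
    print("strict:", dropped(PACKETS))
    print("strict + allow-default:", dropped(PACKETS, allow_default=True))
    print("loose + allow-default:", dropped(PACKETS, mode="loose", allow_default=True))
```

Strict mode without allow-default is what the answer enables on e0/1; the script shows why it catches the spoofed data-center and internal sources, and why loose mode with allow-default lets them through.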

Question 30
Refer to the exhibit.

An engineer configured NetFlow on R1, but the flows do not reach the NMS server from R1. Which
configuration resolves this issue?

A. R1(config)#flow monitor FlowMonitor1


R1(config-flow-monitor)#destination 10.66.66.66

B. R1(config)#flow exporter FlowExporter1


R1(config-flow-monitor)#destination 10.66.66.66

C. R1(config)#interface Ethernet0/0
R1(config-if)#ip flow monitor Flowmonitor1 input
R1(config-if)#ip flow monitor Flowmonitor1 output

D. R1(config)#interface Ethernet0/1
R1(config-if)#ip flow monitor Flowmonitor1 input
R1(config-if)#ip flow monitor Flowmonitor1 output

Answer: B

Explanation

From the output we see that the destination IP address configured under the flow exporter is wrong: the
NMS server is 10.66.66.66, not 10.60.66.66. The destination is a property of the flow exporter, so it must
be corrected in “flow exporter FlowExporter1” configuration mode (the prompt there is config-flow-exporter;
a flow monitor has no “destination” command, it only references an exporter). Options C and D attach the
monitor to an interface, which changes where flows are collected, not where the records are sent.
NetFlow configuration reference: https://www.cisco.com/c/en/us/td/docs/ios-
xml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/cfg-de-fnflow-exprts.html
Question 31

Refer to the exhibit.

The remote branch locations have a static neighbor relationship configured to R1. Only R1 has
successful neighbor relationships with the remote locations of R2 and R3, but the end users cannot
communicate with each other. Which configuration resolves the issue?

Option A

R2 and R3
interface FastEthernet0/0
no ip split-horizon eigrp 10

Option B

R2
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.10.10.2 255.255.255.0

R3
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.10.10.3 255.255.255.0

Option C

R1
interface FastEthernet0/0
no ip split-horizon eigrp 10

Option D

R2
interface FastEthernet0/0.10
encapsulation dot1Q
ip address 10.10.10.2 255.255.255.0

R3
interface FastEthernet0/0.10
encapsulation dot1Q
ip address 10.10.10.3 255.255.255.0

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C
Explanation

From the “show run | section eigrp” output, we learn that R1 (the hub) reaches both spokes, R2
(10.10.10.2) and R3 (10.10.10.3), through the same Fa0/0 interface. With split horizon enabled, R1 will
not advertise the routes it learned from R2 back out Fa0/0 to R3, nor R3's routes to R2, because a route
received on an interface is never advertised back out that same interface (the split-horizon rule). The
neighbor relationships are therefore fine, but the spokes never learn each other's networks and the end
users cannot communicate. Disabling split horizon for EIGRP AS 10 on the hub's Fa0/0 (option C) lets R1
relay the spoke routes; options B and D re-address the spokes and do nothing about the hub.

Question 32
Refer to the exhibit.

AS 111 must not be used as a transit AS, but ISP-1 is getting ISP-2 routes from AS 111. Which
configuration stops Customer AS from being used as a transit path on ISP-1?

A. ip as-path access-list 1 permit ^$
B. ip as-path access-list 1 permit _111_
C. ip as-path access-list 1 permit .*
D. ip as-path access-list 1 permit ^111$

Answer: A

Explanation

By default BGP advertises all prefixes to external BGP neighbors. This means that if you are
multi-homed (connected to two or more ISPs), you can become a transit AS. For example, ISP 2 in AS 200
can send traffic through your router in AS 100 to reach ISP 3 in AS 300, because you advertised the
prefixes learned from ISP 3 to ISP 2.

This is what will be seen in the BGP routing table of ISP2:


ISP2#show ip bgp
--output omitted--
Network Next Hop Metric LocPrf Weight Path
....
*> 3.3.3.0/24 192.168.12.1 0 100 300 i

To prevent this, the router must advertise only prefixes that originate in its own autonomous system.
One of the methods is a filter-list that references an AS-path access list:

R1(config)# ip as-path access-list 1 permit ^$


R1(config-router)#neighbor 192.168.12.2 filter-list 1 out
R1(config-router)#neighbor 192.168.23.3 filter-list 1 out

The ^$ regular expression matches an empty AS_PATH, which only locally originated prefixes have, so the
filter advertises nothing that was learned from another AS. It must be applied outbound toward both ISPs.
Option B (_111_) matches any path that contains AS 111, which in the customer's own table matches nothing
useful, and option D (^111$) describes what an ISP sees for customer-originated prefixes, not an outbound
filter the customer can apply.
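The behaviour of these expressions is easier to see by evaluating them. The following Python script is an added example (not part of the original page or of IOS) that emulates how an AS-path access list is applied as an outbound filter-list, including the Cisco-specific meaning of “_”. It assumes ISP-1 is AS 100 and ISP-2 is AS 200, and the constructed BGP table uses documentation prefixes rather than anything from the exhibit.

```python
import re

# Cisco's '_' matches the beginning or end of the AS_PATH, a space, or one of , { } ( ).
_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def cisco_as_path_regex(pattern):
    """Translate an 'ip as-path access-list' expression into a Python regex."""
    return re.compile(pattern.replace("_", _UNDERSCORE))


def as_path_matches(pattern, as_path):
    """as_path is the AS_PATH as 'show ip bgp' prints it ('' = locally originated)."""
    return cisco_as_path_regex(pattern).search(as_path) is not None


def filter_list_out(pattern, bgp_table):
    """Emulate 'neighbor X filter-list N out' with a single permit line:
    prefixes whose AS_PATH matches are advertised, everything else is
    dropped by the implicit deny at the end of the access list."""
    return [prefix for prefix, path in bgp_table if as_path_matches(pattern, path)]


# Constructed BGP table of the customer router in AS 111 (assumption: ISP-1 = AS 100,
# ISP-2 = AS 200; the prefixes are documentation ranges, not from the exhibit).
CUSTOMER_TABLE = [
    ("10.111.0.0/16", ""),           # originated in AS 111
    ("10.111.1.0/24", ""),           # originated in AS 111
    ("203.0.113.0/24", "200"),       # learned from ISP-2
    ("198.51.100.0/24", "200 300"),  # learned from ISP-2, originated beyond it
    ("192.0.2.0/24", "100"),         # learned from ISP-1
]

if __name__ == "__main__":
    for pattern in ("^$", "_111_", "^111$", ".*"):
        print(f"{pattern:6} -> advertised: {filter_list_out(pattern, CUSTOMER_TABLE)}")
```

With ^$ only the two AS 111 prefixes are advertised to either ISP; .* advertises everything, which is exactly the transit behaviour the question wants to stop. The _111_ and ^111$ cases are the expressions an ISP would use on paths it receives from the customer, which the test below exercises with paths such as “111 200 300”.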

Question 33

Refer to the exhibit.


Which action limits the access to R2 from 192.168.12.1?

A. Swap sequence 10 with sequence 20 in access-list 100.


B. Modify sequence 20 to permit tcp host 192.168.12.1 eq 22 any to access-list 100
C. Swap sequence 20 with sequence 10 in access-list 100
D. Modify sequence 10 to deny tcp any eq 22 any to access-list 100.

Answer: C

Question 34

A network administrator cannot connect to a device via SSH. The line vty configuration is as follows.
Which action resolves this issue?

line vty 0 4
location S421TE3483FG
session-timeout 10
transport preferred ssh
transport input all
transport output telnet ssh
stopbits 1

A. Increase the session timeout


B. Change the stopbits to 10
C. Configure the transport input SSH
D. Initialize the SSH key

Answer: D

Explanation

The vty configuration already allows SSH (“transport input all” accepts every protocol, so option C changes
nothing), and the timeout and stop bits are unrelated to the failure. The remaining cause is that the router
has no RSA key pair: the SSH server cannot start until one is generated with “crypto key generate rsa”, which
in turn requires a hostname and an “ip domain-name” to be configured.

Question 35

Refer to the exhibit.

R1#show route-map

route map FROM->EIGRP, permit, sequence 10


Match clauses:
ip address (access-lists): 10
Set clauses:
Policy routing matches: 0 packets, 0 bytes
R1#show run | sec router
router eigrp 100
network 10.96.69.0 0.0.0.3
no auto-summary
eigrp router-id 1.1.1.1
router ospf 100
router-id 1.1.1.1
log adjacency-changes
redistribute eigrp 100 subnets route-map FROM->EIGRP
network 10.99.69.0 0.0.0.3 area 0
R1#show ip access-list
Standard IP access list 10
10 permit 192.168.16.0, wildcard bits 0.0.3.255
11 permit 192.168.0.0, wildcard bits 0.0.7.255
20 deny any
The engineer configured route redistribution in the network but soon received reports that R2 cannot
access 192.168.7.0/24 and 192.168.15.0/24 subnets. Which configuration resolves the issue?
A. R1(config)#ip access-list standard 10
R1(config-std-nacl)#no 10 permit
R1(config-std-nacl)#no 11 permit
R1(config-std-nacl)#10 permit 192.168.0.0 0.0.3.255
R1(config-std-nacl)#11 permit 192.168.8.0 0.0.3.255

B. R1(config)#ip access-list standard 10


R1(config-std-nacl)#no 10 permit
R1(config-std-nacl)#no 11 permit
R1(config-std-nacl)#10 permit 192.168.0.0 0.0.7.255
R1(config-std-nacl)#11 permit 192.168.8.0 0.0.3.255

C. R1(config)#ip access-list standard 10


R1(config-std-nacl)#no 10 permit
R1(config-std-nacl)#no 11 permit
R1(config-std-nacl)#10 permit 192.168.0.0 0.0.3.255
R1(config-std-nacl)#11 permit 192.168.8.0 0.0.7.255

D. R1(config)#ip access-list standard 10


R1(config-std-nacl)#no 10 permit
R1(config-std-nacl)#no 11 permit
R1(config-std-nacl)#10 permit 192.168.4.0 0.0.3.255
R1(config-std-nacl)#11 permit 192.168.12.0 0.0.3.255

Answer: D

Explanation

A standard ACL referenced by the route-map is matched against each route's network address, and from the
ACL 10 output only these ranges are permitted:
+ 192.168.16.0, wildcard bits 0.0.3.255 -> 192.168.16.0/22 (block size 4, so 192.168.16.0 to
192.168.19.255)
+ 192.168.0.0, wildcard bits 0.0.7.255 -> 192.168.0.0/21 (block size 8, so 192.168.0.0 to
192.168.7.255)

192.168.15.0/24 falls in neither range, so it is never redistributed. (As printed, the second entry would
already cover 192.168.7.0/24; the question only works if that entry is 192.168.0.0 0.0.3.255, covering
192.168.0.0 to 192.168.3.255, which is how the answer reads it.) Among the options, only D covers both
missing subnets: “permit 192.168.4.0 0.0.3.255” spans 192.168.4.0 to 192.168.7.255 and “permit 192.168.12.0
0.0.3.255” spans 192.168.12.0 to 192.168.15.255. Option B misses 192.168.15.0/24, option C misses
192.168.7.0/24, and option A misses both.

Note: you do not need to convert the wildcard mask to a subnet mask to find the block size. Add 1 to the
non-255 octet of the wildcard mask: for 0.0.3.255 the third octet gives 3 + 1 = 4, so the entry covers a
block of four third-octet values starting at the listed address.

Question 36

Which table is used to map the packets in an MPLS LSP that exit from the same interface, via the
same next hop, and have the same queuing policies?

A. RIB
B. FEC
C. LDP
D. CEF

Answer: B

Explanation
A forwarding equivalence class (FEC) is a term used to describe a set of packets with similar or
identical characteristics which may be forwarded the same way; that is, they may be bound to the
same MPLS label.

Question 37

Drag and drop the ICMPv6 neighbor discovery messages from the left onto the correct packet types on
the right.

Answer:

ICMPv6 Type 134: Router Advertisement


ICMPv6 Type 137: Redirect Message
ICMPv6 Type 135: Neighbor Solicitation
ICMPv6 Type 133: Router Solicitation
ICMPv6 Type 136: Neighbor Advertisement

Question 38

What is a function of BFD?


A. peer recovery after a Layer 3 protocol adjacency failure
B. peer recovery after a Layer 2 adjacency failure
C. failure detection independent of routing protocols and media types
D. failure detection dependent on routing protocols and media types

Answer: C

Question 39

Refer to the exhibit.


An engineer configured SNMP Communities on UserSW2 switch, but the SNMP server cannot upload
modified configurations to the switch. Which configuration resolves this issue?

A. snmp-server community Ciscowruser RW 11


B. snmp-server group NETADMIN v3 priv read NETVIEW write NETADMIN access 22
C. snmp-server community Cisc0Us3r RW 11
D. snmp-server group NETVIEW v2c priv read NETVIEW access 11

Answer: A

Explanation

From the exhibit, the community string that the SNMP server uses is configured with read-only access, and a
read-only community can only poll the device; writing a configuration to the switch requires a read-write
(RW) community. Option A defines the community “Ciscowruser” as RW, restricted by access-list 11, which is
what the upload needs. Options B and D are SNMPv3/v2c group commands and do not change the community's
access level.

Question 40

Refer to the exhibit.

RouterB:

router eigrp CLASS


!
address-family ipv4 unicast autonomous-system 10
!
topology base
redistribute ospf 10 match external 1 external 2 metric 1000000 10 255 1 1500
exit-af-topology
network 172.16.2.2 0.0.0.0
eigrp router-id 2.2.2.2
exit-address-family

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks


C 172.16.1.0/30 is directly connected, GigabitEthernet0/0
L 172.16.1.2/32 is directly connected, GigabitEthernet0/0
C 172.16.2.0/30 is directly connected, GigabitEthernet0/1
L 172.16.2.2/32 is directly connected, GigabitEthernet0/1
192.168.0.0/32 is subnetted, 1 subnets
O 192.168.0.1 [110/2] via 172.16.1.1, 1d04h, GigabitEthernet0/0
192.168.1.0/32 is subnetted, 1 subnets
O 192.168.1.1 [110/2] via 172.16.1.1, 1d04h, GigabitEthernet0/0
192.168.2.0/32 is subnetted, 1 subnets
O 192.168.2.1 [110/2] via 172.16.1.1, 1d04h, GigabitEthernet0/0
D 192.168.11.0/24 [90/10880] via 172.16.2.1, 1d04h, GigabitEthernet0/1
D 192.168.12.0/24 [90/10880] via 172.16.2.1, 1d04h, GigabitEthernet0/1
D 192.168.13.0/24 [90/10880] via 172.16.2.1, 1d04h, GigabitEthernet0/1

An engineer configured route exchange between two different companies for a migration project.
EIGRP routes were learned in router C but no OSPF routes were learned in router A. Which
configuration allows router A to receive OSPF routes?

A. (config-router-af)#redistribute ospf 10 1000000 10 255 1 1500


B. (config-router-af-topology)#redistribute ospf 10 metric 1000000 10 255 1 1500
C. (config-router-af-topology)#redistribute connected
D. (config-router-af-topology)#no redistribute ospf 10 match external 1 external 2 metric 1000000 10
255 1 1500

Answer: B

Explanation
From the exhibit, only OSPF external routes are redistributed into EIGRP (“redistribute ospf 10 match
external 1 external 2 metric 1000000 10 255 1 1500”), but every OSPF route in RouterB's table is an
intra-area route (the “O” entries for 192.168.0.1, 192.168.1.1 and 192.168.2.1), so nothing matches the
statement and the EIGRP side never learns them. Replacing it with “redistribute ospf 10 metric 1000000 10
255 1 1500” (option B) drops the “match” restriction; without it the default is to redistribute internal,
external 1 and external 2 OSPF routes, so the intra-area routes are carried into EIGRP. Option A is missing
the “metric” keyword and is entered at the wrong prompt (in named mode, redistribution lives under the
topology), and option D only removes the existing statement.

Question 41

Refer to the exhibit.


An engineer configured user login based on authentication database on the router, but no one can log
into the router. Which configuration resolves the issue?

A. aaa authentication login default enable


B. aaa authorization network default local
C. aaa authentication login default local
D. aaa authorization exec default local

Answer: C

Question 42

An engineer configures PBR on R5 and wants to create a policy that matches traffic destined toward
10.10.10.0/24 and forwards it toward 10.1.1.1. This traffic must also have its IP precedence set to 5.
All other traffic should be forwarded toward 10.1.1.2 and have its IP precedence set to 0. Which
configuration meets the requirements?

Option A Option B
Option C Option D

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

We need to match traffic destined to 10.10.10.0/24 so we have to use extended ACL instead of
standard ACL.

Question 43

An engineer received a ticket about a router that has reloaded. The monitoring system graphs show
different traffic patterns between logical and physical interfaces when the router is rebooted. Which
action resolves the issue?

A. Configure the snmp ifindex persist command globally.


B. Clear the logical interfaces with snmp ifindex clear command
C. Configure the snmp ifindex persist command on the physical interfaces.
D. Trigger a new snmpwalk from the monitoring system to synchronize interface OIDs

Answer: A

Explanation

The SNMP ifIndex persistence feature provides an interface index (ifIndex) value that is retained and
used when the router reboots. The ifIndex value is a unique identifying number associated with a
physical or logical interface. In the following example, SNMP ifIndex persistence is enabled for all
interfaces:

router(config)# snmp-server ifindex persist

Question 44

Refer to the exhibit.


PE1# show run | sec router bgp
router bgp 65000
bgp log-neighbor-changes
neighbor 10.255.255.3 remote-as 65000
neighbor 10.255.255.3 update-source Loopback0
PE1# debug ip tcp transactions
PE1# debug ip icmp
[...snip...]

*Feb 22 14:04:12.374: TCP: sending SYN, seq 379810712, ack 0
*Feb 22 14:04:12.374: TCP0: Connection to 10.255.255.3:179, advertising MSS 1460
*Feb 22 14:04:12.374: TCP0: state was CLOSED -> SYNSENT [21381 -> 10.255.255.3(179)]
*Feb 22 14:04:12.375: ICMP: dst (10.255.255.1) administratively prohibited unreachable rcv from 10.0.12.2
*Feb 22 14:04:12.375: TCP0: ICMP destination unreachable received
*Feb 22 14:04:12.375: Released port 21381 in Transport Port Agent for TCP IP type 1 delay 240000
*Feb 22 14:04:12.375: TCP0: state was SYNSENT -> CLOSED [21381 -> 10.255.255.3(179)]
*Feb 22 14:04:12.375: TCB 0xE35A92B8 destroyed

The administrator is troubleshooting a BGP peering between PE1 and PE3 that is unable to establish.
Which action resolves the issue?

A. P2 must have a route to PE3 to establish a BGP session to PE1


B. Disable sending ICMP unreachables on P2 to allow PE1 to establish a session with PE3
C. Ensure that the PE3 loopback address is used as a source for BGP peering to PE1
D. Remove the traffic filtering rules on P2 blocking the BGP communication between PE1 and PE3

Answer: D

Explanation

PE1 sends the TCP SYN to 10.255.255.3 port 179 and immediately receives an ICMP destination unreachable
with the code “administratively prohibited” (type 3, code 13) from 10.0.12.2, a transit router on the path
to PE3. A router generates that ICMP code when an access list denies the packet, so the transit router is
filtering the BGP session rather than lacking a route (a missing route would produce a host or network
unreachable, or simply a timeout). PE1 tears down the TCB at once, as the last debug lines show. Removing
the filtering on P2, or permitting TCP 179 between the two loopbacks, resolves the issue. Disabling ICMP
unreachables (option B) would only hide the symptom while the SYNs are still dropped, and PE3's source
address (option C) is irrelevant because the failure is on PE1's own outbound SYN.

Question 45

Refer to the exhibits.

London - "show ip route" output


Gateway of last resort is not set

172.1.0.0/16 is variably subnetted, 5 subnets, 2 masks


C 172.1.11.0/24 is directly connected, Ethernet0/0
L 172.1.11.1/32 is directly connected, Ethernet0/0
C 172.1.12.0/24 is directly connected, Ethernet0/1
L 172.1.12.1/32 is directly connected, Ethernet0/1
D 172.1.13.0/24 [90/76800] via 172.1.11.2, 00:00:50, Ethernet0/0
172.16.0.0/16 is variably subnetted, 8 subnets, 2 masks
C 172.16.1.0/24 is directly connected, Loopback0
L 172.16.1.1/32 is directly connected, Loopback0
C 172.16.2.0/24 is directly connected, Loopback1
L 172.16.2.1/32 is directly connected, Loopback1
R 172.16.3.0/24 [120/1] via 172.1.11.2, 00:00:08, Ethernet0/0
R 172.16.4.0/24 [120/1] via 172.1.11.2, 00:00:08, Ethernet0/0
D 172.16.5.0/24 [90/156160] via 172.1.12.3, 00:00:50, Ethernet0/1
D 172.16.6.0/24 [90/156160] via 172.1.12.3, 00:00:50, Ethernet0/1

Rome - "show run | section router" output

router eigrp 111


network 172.1.0.0
network 172.16.0.0
no auto-summary

London must reach Rome using a faster path via EIGRP if all the links are up but it failed to take this
path. Which action resolves the issue?

A. Increase the bandwidth of the link between London and Barcelona


B. Use the network statement on London to inject the 172.16.X.0/24 networks into EIGRP
C. Change the administrative distance of RIP to 150
D. Use the network statement on Rome to inject the 172.16.X.0/24 networks into EIGRP

Answer: D

Explanation
On London, the LAN segments of Rome (172.16.3.0/24 and 172.16.4.0/24) are learned via RIP (AD 120), while
the other remote segments are EIGRP routes (AD 90). EIGRP is therefore not advertising those two prefixes
from Rome, so they must be injected into EIGRP on Rome with a network statement; changing the RIP distance
(option C) would not make the EIGRP path available.
Question 46

Refer to the exhibit.

enable secret 5 <password>


username cisco privilege 15 secret 5 <password>
username operator password 7 <password>
line vty 0 4
session-timeout 240
password 7 <password>
transport input telnet

The authentication is not working as desired and the user drops into user-exec mode. Which
configuration resolves the issue?

Option A Option B

Option C Option D

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

With this initial configuration, we can only access user-exec mode with the password set under “line
vty”.

We tested all four options but we could only access privilege mode with Option A. The command “aaa
authentication login default local” sets the login authentication to use the local username database.
The default keyword applies the local user database authentication to all ports. The command “aaa
authorization exec default local” configures user AAA authorization, check the local database, and
allow the user to run an EXEC shell.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-
3/configuration_guide/b_163_consolidated_3850_cg/b_163_consolidated_3850_cg_chapter_0110010
0.pdf

With Option A, we can access exec mode (Privileged mode) with only username/password: cisco/(the
password set at 2nd line above) and we just need to enter it once (as the “aaa authorization exec
default local” command sees this username has privilege 15 so it allows to access exec mode too).

If we remove the command “aaa authorization exec default local” in Option A then we must access to
user-exec mode first with username cisco then access exec mode with the password set in “enable
secret …” command.

For Option B, there is no “aaa authorization priv …” command.


For Option C, there is no “aaa authentication login local” command as it is incomplete

For Option D, there is no “aaa authentication common-id …” command

================================== New Questions (added on 26th-Jun-2022) ==================================

Question 47

Refer to the exhibit.


After a new regional office is set up, not all guests can access the internet via guest Wi Fi. Clients are
getting the correct IP address from guest Wi-Fi VLAN 364. Which action resolves the issue?
A. Allow 10.66.46.0/23 in the outbound ACL
B. Allow DNS traffic through the outbound ACL
C. Allow DNS traffic through the inbound ACL
D. Allow 10.66.46.0/23 in the inbound ACL

Answer: C

Explanation

The following example shows that only Domain Name System (DNS) traffic is permitted, and the rest
of the traffic sourced from NetB destined to NetA is denied.

R1
hostname R1
!
interface ethernet0
ip access-group 102 in
!
access-list 102 permit udp any any eq domain
access-list 102 permit udp any eq domain any
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any

This configuration permits UDP and TCP traffic to and from port 53 (“eq domain”) in both directions. The
implicit deny-all clause at the end of an ACL drops all other traffic that does not match a permit clause.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-
ACLsamples.html#anc15

The inbound GUEST-ACCESS ACL in the exhibit lacks such DNS entries: clients obtain an address (DHCP works),
but their name lookups are dropped, which is why “the internet” appears unreachable.

Note: “bootpc” and “bootps” are the DHCP client and server ports only; permitting them does not allow DNS.

Question 48

The network administrator configured CoPP so that all routing protocol traffic toward the router CPU is
limited to 1 mbps. All traffic that exceeds this limit must be dropped. The router is running BGP and
OSPF Management traffic for Telnet and SSH must be limited to 500kbps.

access-list 100 permit tcp any any eq 179


access-list 100 permit tcp any any range 22 23
access-list 100 permit ospf any any
!
class-map CM-ROUTING
match access-group 100
class-map CM-MGMT
match access-group 100
!
policy-map PM-COPP
class CM-ROUTING
police 1000000 conform-action transmit
class CM-MGMT
police 500000 conform-action transmit
!
control-plane
service-policy output PM-COPP

No traffic is being policed by CoPP, which results in high CPU utilization. Which configuration resolves
the issue?

A. no access-list 100
access-list 100 permit tcp any any eq 179
access-list 100 permit ospf any any
access-list 101 permit tcp any any range 22 23
!
class-map CM-MGMT
no match access-group 100
match access-group 101

B. control-plane
no service-policy output PM-COPP
service-policy input PM-COPP

C. no access-list 100
access-list 100 permit tcp any any eq 179
access-list 100 permit tcp any any range eq 22
access-list 100 permit tcp any any range eq 23
access-list 100 permit ospf any any

D. no access-list 100
access-list 100 permit tcp any any eq 179
access-list 100 permit ospf any any
access-list 101 Permit tcp any any range 22 23
!
class-map CM-MGMT
no match access-group 100

Answer: B

Explanation

A CoPP policy polices traffic that is destined to the route processor, so it must be attached to the
control-plane in the input direction; “service-policy output PM-COPP” never sees the incoming BGP, OSPF,
Telnet and SSH packets, which is why nothing is policed and the CPU stays busy. Note that both class-maps
reference the same access list, so once the policy is applied inbound CM-ROUTING will also match the
management traffic and CM-MGMT will never match; splitting the ACL as in option A is a sensible follow-up,
but it does not explain why no traffic at all is being policed.

Question 49

An engineer is creating a policy that overrides normal routing behavior. If the route to a destination of
10.100.100.0/24 is withdrawn from the routing table, the policy must direct traffic to a next hop of
10.1.1.1. If the route is present in the routing table, then normal forwarding must occur. Which
configuration meets the requirements?

A. access-list 100 permit ip any any


!
route-map POLICY permit 10
match ip address 100
set ip next-hop recursive 10.1.1.1

B. access-list 100 permit ip any 10.100.100.0 0.0.0.255


!
Route-map POLICY permit 10
match ip address 100

set ip default next-hop 10.1.1.1


C. access-list 100 permit ip any 10.100.100.0 0.0.0.255
!
route-map POLICY permit 10
match ip address 100
set ip next-hop 10.1.1.1
!
route map POLICY permit 20

D. access-list 100 permit ip any 10.100.100.0 0.0.0.255


!
route map POLICY permit 10
match ip address 100
set ip next-hop recursive 10.1.1.1
!
route-map POLICY permit 20

Answer: B

Explanation

“set ip default next-hop” is applied only when the routing table has no explicit route for the destination
(a default route does not count), which is exactly the requirement: while 10.100.100.0/24 is present,
normal forwarding is used, and when the route is withdrawn, matching traffic is policy-routed to 10.1.1.1.
“set ip next-hop”, with or without “recursive”, overrides the routing table unconditionally, so options C
and D would divert the traffic even while the route is present, and option A matches all traffic with
“permit ip any any”. The “recursive” keyword only matters when the chosen next hop is not directly
connected; it does not make the policy conditional on the routing table.

================================= New Questions (added on 22nd-Jul-2022) =================================

Question 50

The network administrator must configure R1 to authenticate Telnet connections based on Cisco ISE
using RADIUS. ISE has been configured with an IP address of 192.168.1.5 and with a network device
pointing toward R1 (192.168.1.1) with a shared secret password of Cisco123. The administrator has
configured this on R1:

aaa new-model
!
radius server ISE1
address ipv4 192.168.1.5
key Cisco123
!
aaa group server tacacs+ RAD-SERV
server name ISE1
!
aaa authentication login default group RAD-SERV

The network administrator cannot authenticate to access R1 based on ISE. Which set of configurations
fixes the issue?

A. line vty 0 4
login authentication default

B. line vty 0 4
login authentication RAD-SERV

C. aaa group server radius RAD-SERV


server name ISE1

D. aaa group server tacacs+ ISE1


server name RAD-SERV

Answer: C
Explanation

The question asks to authenticate using RADIUS, but the server group is defined as TACACS+ (“aaa group
server tacacs+ RAD-SERV”), so the RADIUS server ISE1 cannot be a member of it and the login method has no
usable server. The group must be recreated as a RADIUS group (“aaa group server radius RAD-SERV” with
“server name ISE1”), which is option C.

Note: The default keyword in “aaa authentication login default group …” applies the authentication to all
lines, so the “login authentication default” command under “line vty” (option A) is not needed.

Question 51

Refer to the exhibit.

An engineer noticed that the router log messages do not have any information about when the event
occurred. Which action should the engineer take when enabling service time stamps to improve the
logging functionality at a granular level?

A. Configure the debug uptime option


B. Configure the msec option
C. Configure the timezone option
D. Configure the log uptime option

Answer: D

Explanation

To configure the system to time-stamp debugging or logging messages, use one of the service
timestamps global configuration commands.

service timestamps {log | debug} [uptime]


service timestamps {log | debug} datetime [msec] [localtime] [show-timezone]

The debug timestamp and log timestamp are totally separate operations. Disabling the log timestamp
has no effect on the debug timestamp, and vice versa. The exhibit in this question is log, not debug
output so we have to enable “log” -> Answer D is the best choice.

Note: We can use the “log uptime” option (in the command “service timestamps log uptime”) but we
will only receive the time since the system has been up after a reboot. For example:

00:11:57: %SYS-5-CONFIG_I: Configured from console by console

00:11:57 here means “11 minutes and 57 seconds” have passed since the last reboot.
If service timestamps is specified with no arguments or keywords, default is service timestamps
debug uptime.
Good reference: https://www.thebryantadvantage.com/home/ccna-command-reference/service-
timestamps/

Question 52

Refer to the exhibit.

A network engineer received a call from the vendor for a failed attempt to remotely log in to their
managed router loopback interface from 192.168.40.15. Which action must the network engineer take
to resolve the issue?

A. The IP access list VENDOR must be applied to interface loopback 100.


B. The source IP summarization must be updated to include the vendor source IP address.
C. The EIGRP configuration must be updated to include a network statement for loopback 100.
D. The time-range configuration must be changed to use absolute instead of periodic.
Answer: B

Explanation

The source entry 192.168.32.0 0.0.7.255 (block size 8) covers 192.168.32.0 to 192.168.39.255 only, so the
vendor's address 192.168.40.15 does not match and the login is denied. The source entry must be widened to
include 192.168.40.15 (for example 192.168.32.0 0.0.15.255, covering 192.168.32.0 to 192.168.47.255).
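The wildcard arithmetic in this question and in Question 35 above is the same operation, so here is one added Python example (not part of the original page) that performs it for both: it computes the address range of an “address wildcard” entry, evaluates an ordered standard ACL with first-match and the implicit deny, checks which of the Question 35 options cover the two missing subnets, and checks whether the VENDOR source entry covers 192.168.40.15. The option ACLs are copied from the Question 35 options and the VENDOR entry from this question; nothing else from the exhibits is assumed.

```python
import ipaddress


def _int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _str(value):
    return str(ipaddress.IPv4Address(value))


def wildcard_range(address, wildcard):
    """First and last address matched by an 'address wildcard' entry.
    A 0 bit in the wildcard must equal the address, a 1 bit is 'don't care',
    so the entry covers address & ~wildcard .. (address & ~wildcard) | wildcard.
    The page's shortcut (non-255 octet + 1 = block size) falls out of this."""
    a, w = _int(address), _int(wildcard)
    first = a & ~w & 0xFFFFFFFF
    return _str(first), _str(first | w)


def entry_matches(address, wildcard, ip):
    """True if ip matches the entry: every 'must match' bit is equal."""
    a, w, x = _int(address), _int(wildcard), _int(ip)
    return (a & ~w) == (x & ~w)


def acl_permits(acl, ip):
    """acl: ordered (action, address, wildcard) tuples; first match wins,
    and an address matching no entry hits the implicit deny."""
    for action, address, wildcard in acl:
        if entry_matches(address, wildcard, ip):
            return action == "permit"
    return False


# Question 35: the four candidate rewrites of access-list 10, as listed in the options.
OPTIONS = {
    "A": [("permit", "192.168.0.0", "0.0.3.255"), ("permit", "192.168.8.0", "0.0.3.255")],
    "B": [("permit", "192.168.0.0", "0.0.7.255"), ("permit", "192.168.8.0", "0.0.3.255")],
    "C": [("permit", "192.168.0.0", "0.0.3.255"), ("permit", "192.168.8.0", "0.0.7.255")],
    "D": [("permit", "192.168.4.0", "0.0.3.255"), ("permit", "192.168.12.0", "0.0.3.255")],
}
MISSING_SUBNETS = ["192.168.7.0/24", "192.168.15.0/24"]


def options_covering(subnets, options=OPTIONS):
    """A standard ACL used by 'match ip address' in a redistribution route-map is
    evaluated against the route's network address, so that is what we test."""
    return [name for name, acl in options.items()
            if all(acl_permits(acl, str(ipaddress.ip_network(s).network_address))
                   for s in subnets)]


# Question 52: the VENDOR access list's source entry versus the vendor's real address.
VENDOR_SOURCE = ("192.168.32.0", "0.0.7.255")
VENDOR_HOST = "192.168.40.15"

if __name__ == "__main__":
    for name, acl in OPTIONS.items():
        print(name, [wildcard_range(addr, wc) for _, addr, wc in acl])
    print("options covering both subnets:", options_covering(MISSING_SUBNETS))
    print("VENDOR source range:", wildcard_range(*VENDOR_SOURCE),
          "covers", VENDOR_HOST, "->", entry_matches(*VENDOR_SOURCE, VENDOR_HOST))
```

Running it prints the range of every option entry, confirms that option D is the only one whose entries cover both 192.168.7.0 and 192.168.15.0, and shows the VENDOR entry stopping at 192.168.39.255, one block short of the vendor's host.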

Question 53

The IPv6 network is under attack by an unknown source that is neither in the binding table nor
learned through neighbor discovery. Which feature helps prevent the attack?

A. IPv6 Destination Guard


B. IPv6 Prefix Guard
C. IPv6 Router Advertisement Guard
D. IPv6 Snooping

Answer: A

Explanation

The Destination Guard feature helps in minimizing denial-of-service (DoS) attacks. It performs address
resolution only for those addresses that are active on the link, and requires the FHS binding table to be
populated with the help of the IPv6 snooping feature. The feature enables the filtering of IPv6 traffic
based on the destination address, and blocks the NDP resolution for destination addresses that are not
found in the binding table. By default, the policy drops traffic coming for an unknown destination.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_1
5_0s_book/IPv6_Security.pdf

Question 54

Refer to the exhibit.

An engineer configures two ASBRs, 10.4.17.6 and 10.4.15.5, in an OSPF network to redistribute
routes from EIGRP. However, both ASBRs show the EIGRP routes as equal costs even though the
next-hop router 10.4.17.6 is closer to R1. How should the network traffic to the EIGRP prefixes be
sent via 10.4.17.6?

A. The administrative distance should be raised to 120 from the ASBR 10.4.15.5.
B. The ASBR 10.4.17.6 should assign a tag to match and assign a lower metric on R1.
C. The administrative distance should be raised to 120 from the ASBR 10.4.17.6.
D. The redistributed prefixes should be advertised as Type 1

Answer: D

Explanation

Routes are redistributed in OSPF as either type 1 (E1) routes or type 2 (E2) routes, with type 2 being
the default.
– A type 1 route has a metric that is the sum of the internal OSPF cost and the external redistributed
cost.
– A type 2 route has a metric equal only to the redistributed cost.

– If routes are redistributed into OSPF as type 2 then every router in the OSPF domain will see the
same cost to reach the external networks.
– If routes are redistributed into OSPF as type 1, then the cost to reach the external networks could
vary from router to router.

Question 55

What is the purpose of an OSPF sham-link?

A. to correct OSPF backdoor routing when OSPF is used as the PE-CE connection protocol in an MPLS
VPN network
B. to allow inter-area routing when OSPF is used as the PE-CE connection protocol in a MPLS VPN
network
C. to correct OSPF backdoor routing when OSPF is used as the PE-PE connection protocol in an MPLS
VPN network
D. to allow intra-area routing when OSPF is used as the PE-CE connection protocol in an MPLS VPN
network

Answer: A

Explanation

OSPF Sham Links are required when you try to use a backdoor link between two CE routers in an
MPLS VPN PE CE scenario where you use OSPF as the PE-CE routing protocol.

Reference: https://networklessons.com/mpls/mpls-layer-3-vpn-pe-ce-ospf-sham-link

The following example shows how an OSPF sham-link works:

If the two CEs are not peering over OSPF, the only path from CE1 to CE2 is via the MPLS VPN
backbone. However, if we add a backup link by connecting the two CEs directly, traffic flows across
the directly connected link and ignores the path via the MPLS VPN backbone. This is undesirable,
because we want the MPLS VPN connection to be the primary link and the direct link to be used only
as a backup.
The reason for this behavior is that the route learned over the direct OSPF link between CE1 and
CE2 is an intra-area route, while the route received from the MPLS backbone is an inter-area route,
and OSPF route selection always prefers an intra-area route over an inter-area route.

The only way to solve this is to use a sham-link. The sham-link is a logical link, similar to a
virtual link. It tricks the two CEs into treating the MPLS VPN path as an intra-area route rather
than an inter-area route. We can then use the metric to make the MPLS VPN path the primary path and
the directly connected link the backup path.
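The two questions above both come down to OSPF's path preference rules: route type is compared before cost (intra-area, then inter-area, then E1, then E2), and for external routes E1 adds the internal cost while E2 ignores it. The following Python model is an added illustration, not code from the question bank or from Cisco; the costs (5 and 30 to the two ASBRs, 100 for the backdoor link, 10 for the VPN path, seed metric 20) are constructed values.

```python
"""OSPF path preference modelled for questions 54 and 55 (added example).

Rule 1: route type wins before cost: intra-area > inter-area > E1 > E2.
        This is why a CE-CE backdoor link beats the MPLS VPN path until a
        sham-link makes the VPN path look intra-area.
Rule 2: for external routes, E1 = internal cost + redistributed cost while
        E2 = redistributed cost only, so E2 hides which ASBR is closer.
"""
from dataclasses import dataclass

# Lower rank is preferred; ties within a rank are broken by cost.
RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}


@dataclass(frozen=True)
class Candidate:
    via: str           # next hop / ASBR name, for display only
    kind: str          # "intra", "inter", "E1" or "E2"
    internal: int      # OSPF cost from this router to the ASBR / destination
    external: int = 0  # redistributed (seed) metric, used only for E1/E2

    def effective_cost(self) -> int:
        if self.kind == "E2":
            return self.external            # internal cost is ignored
        if self.kind == "E1":
            return self.internal + self.external
        return self.internal


def best_paths(cands):
    """Return the winning candidates; more than one means equal-cost paths."""
    best_rank = min(RANK[c.kind] for c in cands)
    same_type = [c for c in cands if RANK[c.kind] == best_rank]
    best_cost = min(c.effective_cost() for c in same_type)
    return [c for c in same_type if c.effective_cost() == best_cost]


def question_54(route_type):
    """Two ASBRs redistribute the same EIGRP prefix with seed metric 20.
    Constructed costs: 10.4.17.6 is 5 away from R1, 10.4.15.5 is 30 away."""
    cands = [Candidate("10.4.17.6", route_type, internal=5, external=20),
             Candidate("10.4.15.5", route_type, internal=30, external=20)]
    return [c.via for c in best_paths(cands)]


def question_55(sham_link):
    """Backdoor CE-CE link (intra-area, constructed cost 100) versus the MPLS
    VPN path (constructed cost 10). Without a sham-link the VPN path is
    inter-area and loses on type; with it the VPN path is intra-area and
    wins on cost."""
    vpn_kind = "intra" if sham_link else "inter"
    cands = [Candidate("backdoor", "intra", internal=100),
             Candidate("mpls-vpn", vpn_kind, internal=10)]
    return best_paths(cands)[0].via


if __name__ == "__main__":
    print("E2:", question_54("E2"))          # both ASBRs, equal cost
    print("E1:", question_54("E1"))          # only the closer ASBR
    print("no sham-link:", question_55(False))
    print("sham-link:", question_55(True))
```

With E2 both ASBRs tie because only the seed metric counts; switching to E1 makes the closer ASBR win, which is answer D. For the sham-link case the VPN path cannot win on cost alone until its type is raised to intra-area.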

Question 56

Refer to the exhibit.

A network administrator is troubleshooting an OSPF adjacency issue by going through the console
logs on the router, but due to an overwhelming stream of log messages it is impossible to capture
the problem. Which two commands reduce the console log messages to the relevant OSPF neighbor
problem details so that the issue can be resolved? (Choose two)

A. debug condition all
B. debug condition ip
C. debug condition session-id ADJCHG
D. debug condition ospf neighbor
E. debug condition interface

Answer: C E

Explanation
The debug condition session-id command filters a session only after the session has been
established.
Reference: https://www.cisco.com/en/US/docs/ios-xml/ios/isg/configuration/15-2s/isg-debug-
dcd.html

Note: There is no “debug condition ospf neighbor” command.

Question 57

Refer to the exhibit.

A shoe retail company implemented uRPF as an anti-spoofing measure. A network engineer received a
call that the branch A server is under an IP spoofing attack. Which configuration must be
implemented to resolve the attack?

A. R4
interface ethernet0/1
ip unicast RPF check reachable-via any allow-default alllow-self-ping
B. R3
interface ethernet0/1
ip unicast RPF check reachable-via any allow default alllow-self-ping

C. R3
interface ethernet0/1
ip verify unicast source reachable-via any allow-default allow-self-ping

D. R4
interface ethernet0/1
ip verify unicast source reachable-via any allow-default allow-self-ping

Answer: C

Explanation

From the R3 output we see that e0/1 does not use uRPF (“IP unicast RPF check is disabled”), so we
have to enable it in loose mode (the “ip verify unicast source reachable-via any” command). In
loose mode it does not matter whether this interface is the one used to reach the source or not.

The allow-default option allows the use of the default route in the source verification process.
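To make the strict/loose/allow-default distinction concrete, here is an added Python model of the uRPF decision (not Cisco code and not part of the question bank). It uses a constructed three-entry FIB for R3 and a longest-prefix lookup; the interface names and prefixes are assumptions.

```python
"""uRPF check modelled in Python (added example).

A tiny FIB is looked up by longest prefix match. Strict mode requires the
best route to the packet's source to point back out the arrival interface;
loose mode only requires that some route to the source exists. The
allow-default option decides whether a 0.0.0.0/0 entry counts as a route.
"""
import ipaddress

# Constructed FIB for R3: (prefix, outgoing interface)
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "e0/0"),
    (ipaddress.ip_network("10.2.0.0/16"), "e0/1"),
    (ipaddress.ip_network("0.0.0.0/0"), "e0/2"),    # default toward upstream
]


def lookup(src):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(n, i) for n, i in FIB if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_permit(src, in_if, mode="strict", allow_default=False):
    """Return True if a packet from src arriving on in_if passes uRPF."""
    hit = lookup(src)
    if hit is None:
        return False                  # no route at all: always dropped
    net, out_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False                  # only the default route matched
    if mode == "loose":
        return True                   # any route to the source is enough
    return out_if == in_if            # strict: must arrive via the best path


if __name__ == "__main__":
    # Source 10.1.5.5 arriving on e0/1 instead of e0/0: strict drops, loose passes
    print("strict:", urpf_permit("10.1.5.5", "e0/1"))
    print("loose :", urpf_permit("10.1.5.5", "e0/1", mode="loose"))
    # Source known only via the default route
    print("loose, no allow-default:", urpf_permit("8.8.8.8", "e0/1", mode="loose"))
    print("loose, allow-default   :",
          urpf_permit("8.8.8.8", "e0/1", mode="loose", allow_default=True))
```

Loose mode still drops packets whose source has no route at all (typical bogon or unallocated sources), which is the anti-spoofing value it keeps on an interface like e0/1 that is not the best return path for the traffic it receives.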

Question 58

Refer to the exhibit.

router ospfv3 1
router-id 10.1.1.1
address-family ipv4 unicast
passive-interface Loopback0
exit-address-family
address-family ipv6 unicast
passive-interface Loopback0
exit-address-family
interface Loopback0
ip address 10.1.1.1 255.255.255.255
ipv6 address 2001:DB8::1/64
ospfv3 10 ipv4 area 10
ospfv3 10 ipv6 area 0
interface GigabitEthernet2
ip address 10.10.10.1 255.255.255.0
ipv6 enable
ospfv3 10 ipv4 area 10
ospfv3 10 ipv6 area 0

An administrator must configure the router with OSPF for IPv4 and IPv6 networks under a single
process. The OSPF adjacencies are not established and did not meet the requirement. Which action
resolves the issue?

A. Replace OSPF process 10 on the interfaces with OSPF process 1 for the IPv4 address, and remove
process 10 from the global configuration
B. Replace OSPF process 10 on the interfaces with OSPF process 1, and remove process 10 from the
global configuration
C. Replace OSPF process 10 on the interfaces with OSPF process 1, and configure an additional router
ID with IPv6 address
D. ??? (missing option)

Answer: B

Explanation

OSPFv3 does not only support exchange of IPv6 routes, but it also supports exchange of IPv4 routes.
The newest OSPFv3 configuration approach utilizes a single OSPFv3 process. It is capable of
supporting IPv4 and IPv6 within a single OSPFv3 process. The new-style OSPFv3 process is enabled
using the router ospfv3 process-number command.

The preferred interface mode command for the new style OSPFv3 configuration is the ospfv3 process-
id {ipv4|ipv6} area area-id command. It allows you to selectively activate the OSPFv3 process for an
address family (IPv4 or IPv6) on a given interface.

Reference: https://www.ciscopress.com/articles/article.asp?p=2294214&seqNum=4

In this question the OSPFv3 process ID is 1 in the first line, but under the interfaces process ID
10 is used, so we have to change the interface commands to process ID 1 (and remove process ID 10,
which was created automatically).

Question 59

Refer to the exhibit.

Bangkok is using ECMP to reach the 172.20.2.0/24 network. The network administrator must
configure it in such a way that traffic from 172.16.2.0/24 network uses the Singapore router as the
preferred route. Which set of configurations accomplishes this task?
Option A (Bangkok)

access-list 101 permit ip 172.16.2.0 0.0.0.255 172.20.2.0 0.0.0.255
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.19.1.2
!
interface Ethernet0/2
ip policy route-map PBR1

Option B (Dubai)

access-list 101 permit ip 172.16.2.0 0.0.0.255 172.20.2.0 0.0.0.255
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.19.1.2
!
interface Ethernet0/0
ip policy route-map PBR1

Option C (Bangkok)

access-list 101 permit ip 172.16.2.0 0.0.0.255 172.20.2.0 0.0.0.265
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.19.1.2
!
interface Ethernet0/1
ip policy route-map PBR1

Option D (Dubai)

access-list 101 permit ip 172.16.2.0 0.0.0.255 172.20.2.0 0.0.0.255
!
route-map PBR1 permit 10
match ip address 101
set ip next-hop 172.19.1.2
set ip next-hop peer-address
!
interface Ethernet0/1
ip policy route-map PBR1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

We need to use Policy Based Routing (PBR) on the Bangkok router to match the traffic from
172.16.2.0/24 and “set ip next-hop” to the Singapore router (172.19.1.2 in this case).

Note: the PBR policy has to be applied on the incoming interface e0/2, which is where traffic from
172.16.2.0/24 enters the router.

Question 60

Which failure detection mechanism is used for BFD?

A. routing protocol failure
B. Layer 2 protocol failure
C. variable rate
D. consistent rate

Answer: D

Explanation

BFD is a detection protocol designed to provide fast forwarding path failure detection times for all
media types, encapsulations, topologies, and routing protocols. In addition to fast forwarding path
failure detection, BFD provides a consistent failure detection method for network administrators.
Because the network administrator can use BFD to detect forwarding path failures at a uniform rate,
rather than the variable rates for different routing protocol hello mechanisms, network profiling and
planning will be easier, and reconvergence time will be consistent and predictable.

Reference: https://www.cisco.com/en/US/docs/ios/12_4t/ip_route/configuration/guide/t_bfd.html

This question asks about the failure detection mechanism (method), so “consistent rate” is a better
answer than “routing protocol failure”.

Question 61

Refer to the exhibit.

The network administrator must configure Cape Town to reach Dubai via Tokyo based on the speeds
provided by the service provider. It was noticed that Cape Town is reaching Dubai directly and failed
to meet the requirement. Which configuration fixes the issue?

Option A (CapeTown)

router eigrp 100
variance 2

Option B (Dubai)

router eigrp 100
variance 2

Option C

Cape Town
interface E 0/0
bandwidth 5000
interface E 0/1
bandwidth 10000

Dubai
interface E 0/0
bandwidth 50000
interface E 0/1
bandwidth 5000

Tokyo
interface E 0/0
bandwidth 50000
interface E 0/1
bandwidth 10000

Option D (CapeTown)

interface E0/0
bandwidth 5000
??? (missing command)

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

EIGRP uses the slowest bandwidth among the outgoing interfaces along the route to calculate the
metric, so in this case we only need to lower the bandwidth of one interface. We therefore do not
need to change anything on the Dubai or Tokyo routers. Option D is the best choice even though part
of this option is missing.
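The explanation rests on the EIGRP composite metric, in which the bandwidth term is taken from the slowest outgoing interface on the path. The following Python calculation is an added worked example, not code from the question bank or from Cisco: it uses the classic metric with the default K values and constructed delays (1000 microseconds per hop) and link speeds for everything the options do not state. Before the change the direct Cape Town to Dubai link is assumed to run at 10000 kbps; Option D lowers Cape Town E0/0 to 5000 kbps.

```python
"""EIGRP classic composite metric (added example for question 61).

With the default K values (K1=K3=1, K2=K4=K5=0) the classic metric is
    256 * (10^7 / min_bandwidth_kbps + sum(delay_us) / 10)
Bandwidth is the minimum over all outgoing interfaces on the path, so
lowering one interface's bandwidth on Cape Town alone changes the result.
"""
K1, K3 = 1, 1
ETHERNET_DELAY_US = 1000   # constructed per-hop delay (IOS default for 10 Mbit Ethernet)


def eigrp_metric(hops):
    """hops: list of (bandwidth_kbps, delay_us) for each outgoing interface."""
    min_bw = min(bw for bw, _ in hops)
    total_delay = sum(d for _, d in hops)
    # IOS works in integers; delay is counted in tens of microseconds
    return 256 * (K1 * 10_000_000 // min_bw + K3 * total_delay // 10)


def preferred_path(capetown_e00_bw):
    """Which path Cape Town prefers to reach Dubai, given the bandwidth of its E0/0.

    Direct path: Cape Town E0/0 -> Dubai (one hop).
    Via Tokyo:   Cape Town E0/1 (10000 kbps) -> Tokyo E0/1 (10000 kbps) (two hops).
    Returns (winner, direct_metric, via_tokyo_metric).
    """
    direct = eigrp_metric([(capetown_e00_bw, ETHERNET_DELAY_US)])
    via_tokyo = eigrp_metric([(10000, ETHERNET_DELAY_US), (10000, ETHERNET_DELAY_US)])
    winner = "direct" if direct < via_tokyo else "via Tokyo"
    return winner, direct, via_tokyo


if __name__ == "__main__":
    print("before (E0/0 = 10000 kbps):", preferred_path(10000))
    print("after  (E0/0 =  5000 kbps):", preferred_path(5000))
```

The two-hop path through Tokyo carries more delay, so with equal bandwidth the direct link wins; halving the bandwidth on the single Cape Town interface doubles the bandwidth term of the direct path and flips the decision without touching Dubai or Tokyo.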

Question 62

Refer to the exhibit.


A network engineer is troubleshooting a failed link between R2 and R3. No traffic loss is reported from
router R5 to HQ. Which command fixes the separated backbone?

A. R2(config-router)#area 21 virtual-link 192.168.125.5
B. R3(config-router)#no area 21 stub
C. R3(config-router)#area 21 virtual-link 192.168.125.5
D. R2(config-router)#no area 21 stub

Answer: B

Explanation

In fact, the error in the exhibit appeared because the command “area 21 virtual-link 2.2.2.2” was
entered late on the other end, and that part has already been resolved by the configuration above.
However, the last command, “area 21 stub”, introduced another problem: the transit area of a
virtual link (area 21 here) cannot be a stub area of any kind, so we need to remove the “stub”
command.

Question 63

How is a preshared key “Test” for all the remote VPN routers configured in a DMVPN using GRE over
IPsec set up?

A. authentication pre-share Test address 0.0.0.0 0.0.0.0
B. set pre-share Test address 0.0.0.0 0.0.0.0
C. crypto ipsec key Test address 0.0.0.0 0.0.0.0
D. crypto isakmp key Test address 0.0.0.0 0.0.0.0

Answer: D

Question 64
Network operations report issues with receiving too many external routes, which caused CPU spikes
on routers with smaller memories. Which action resolves the issue?

A. Configure the area range command when redistributing on ASBR
B. Configure the area range command when redistributing on ABR
C. Configure the summary-address command when redistributing on ABR
D. Configure the summary-address command when redistributing on ASBR

Answer: D

Explanation
In OSPF we can only summarize at an ABR (with the “area range” command) or at an ASBR (with the
“summary-address” command). This question mentions “receiving too many external routes”, so we
should summarize at the ASBR.

Question 65

Refer to the exhibit.

Switch(config)# ip vrf 70
Switch(config-vrf)# rd 70:1
Switch(config-vrf)# route-target export 70:1
Switch(config-vrf)# route-target import 70:1
Switch(config-vrf)# exit
Switch(config)# ip vrf 80
Switch(config-vrf)# rd 80:1
Switch(config-vrf)# route-target export 80:1
Switch(config-vrf)# route-target import 80:1

An engineer must extend VRF-Lite over a trunk to another switch for VLAN 70 (10.70.70.0/24) on port
GigabitEthernet0/0 and VLAN 80 (10.80.80.0/24) on port GigabitEthernet0/1. Which configuration
accomplishes this objective?

Option A

interface GigabitEthernet0/0
switchport mode access
switchport access vlan 70
!
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 80
!

Option B

interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 70
!
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 80

Option C

interface GigabitEthernet0/0
switchport mode access
switchport access vlan 70
ip vrf forwarding 70
!
interface GigabitEthernet0/1
switchport mode access
switchport access vlan 80
ip vrf forwarding 80
!

Option D

interface GigabitEthernet0/0
no switchport
ip vrf forwarding 70
ip address 10.70.70.1 255.255.255.0
!
interface GigabitEthernet0/1
no switchport
ip vrf forwarding 80
ip address 10.80.80.1 255.255.255.0

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Question 66

Drag and drop the descriptions from the left onto the corresponding MPLS components on the right.

Answer:

+ routers that connect to the customer routers known as PE routers: LER
+ routers in the core of the provider network known as P routers: LSR
+ path along which the traffic flows across an MPLS network: LSP
+ all traffic to be forwarded using the same path and same label: FEC
+ used for exchanging label mapping information between MPLS enabled routers: LDP

Explanation

A label edge router (LER, also known as an edge LSR) is a router that operates at the edge of an
MPLS network and acts as the entry and exit point for the network. An LER pushes an MPLS label onto
an incoming packet and pops it off an outgoing packet.

A label is a short, four-byte, fixed-length, locally-significant identifier which is used in order to identify
a Forwarding Equivalence Class (FEC). The label which is put on a particular packet represents the FEC
to which that packet is assigned.

LDP provides a standard methodology for hop-by-hop, or dynamic label, distribution in an MPLS
network by assigning labels to routes that have been chosen by the underlying Interior Gateway
Protocol (IGP) routing protocols. The resulting labeled paths, called label switch paths (LSPs), forward
label traffic across an MPLS backbone to particular destinations.
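The four-byte label described above has a fixed layout: a 20-bit label value, 3 bits of Traffic Class (formerly EXP), a 1-bit bottom-of-stack flag and an 8-bit TTL. The following parser and label-swap routine are an added example (not from the question bank or from any MPLS implementation); the sample stack, with a transport label 18 on top of a VPN label 24001, is constructed.

```python
"""Parsing and swapping an MPLS label stack (added example for question 66).

Each label stack entry is 4 bytes: 20-bit label, 3-bit Traffic Class,
1-bit bottom-of-stack (S) and 8-bit TTL. A LER pushes entries, an LSR
swaps the top label, and the entry with S=1 is the last one before the
IP payload.
"""
import struct


def parse_label_stack(data: bytes):
    """Return (entries, payload); each entry is a dict with label, tc, s, ttl."""
    entries = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack (no bottom-of-stack entry)")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "s": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["s"] == 1:
            return entries, data[offset:]


def build_entry(label, tc=0, s=0, ttl=64) -> bytes:
    """Encode one label stack entry; labels 0-15 are reserved values."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def swap_top_label(data: bytes, new_label: int) -> bytes:
    """LSR behaviour: replace the top label and decrement its TTL, keep the rest."""
    entries, _ = parse_label_stack(data)
    top = entries[0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired; packet would be dropped")
    new_top = build_entry(new_label, top["tc"], top["s"], top["ttl"] - 1)
    return new_top + data[4:]


# Constructed sample: LDP transport label 18 on top, VPN label 24001 at the
# bottom (S=1), followed by the first bytes of an IPv4 header.
SAMPLE = build_entry(18, ttl=255) + build_entry(24001, s=1, ttl=255) + b"\x45\x00"

if __name__ == "__main__":
    stack, payload = parse_label_stack(SAMPLE)
    print(stack, payload)
    print(parse_label_stack(swap_top_label(SAMPLE, 42))[0])
```

A P router only ever touches the top entry, which is why the VPN label underneath survives the trip across the core unchanged and the egress PE can still map it to the right VRF.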

Question 67

The network administrator configured the router for Control Plane Policing so that inbound SSH traffic
is policed to 500 kbps. This policy must apply to traffic coming in from 10.10.10.0/24 and
192.168.10.0/24 networks.

access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 23
!
class-map CLASS-SSH
match access-group 100
!
policy-map PM-COPP
class CLASS-SSH
police 500000 conform-action transmit
!
interface E0/0
service-policy input PM-COPP
!
interface E0/1
service-policy input PM-COPP

The Control Plane Policing is not applied to SSH traffic and SSH is open to use any bandwidth
available. Which configuration resolves this issue?

Option A

no access-list 100
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 22
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 22
!
interface E0/0
no service-policy input PM-COPP
!
interface E0/1
no service-policy input PM-COPP
!
control-plane
service-policy input PM-COPP

Option B

interface E0/0
no service-policy input PM-COPP
!
interface E0/1
no service-policy input PM-COPP
!
control-plane
service-policy input PM-COPP

Option C

no access-list 100
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 22
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 22

Option D

no access-list 100
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 22
access-list 100 permit tcp 192.168.10.0 0.0.0.255 any eq 22
!
policy-map PM-COPP
class CLASS-SSH
??? (missing command)

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

SSH is operated on port 22, not 23 so we must update the ACL.

The “conform-action” specifies the action to take on packets that conform to the rate limit while the
“exceed-action” specifies the action to be taken on packets when the packet rate is greater than the
rate specified in the maximum-burst-bytes argument. Drop is the default action for traffic that
exceeds or violates the committed police rate so we don’t need to define the exceed or violate action
in this question.

Question 68

Refer to the exhibit.

The Customer Edge router (AS 65500) wants to use AS 100 as the preferred ISP for all external
routes.

Customer Edge
route-map SETLP
set local-preference 111
!
router bgp 65500
neighbor 192.168.111.1 remote-as 100
neighbor 192.168.111.1 route-map SETLP out
neighbor 192.168.112.2 remote-as 200

This configuration failed to send routes to AS 100 as the preferred path. Which set of configurations
resolves the issue?
A. route-map SETLP
set local-preference 111
!
router bgp 65500
neighbor 192.168.111.1 remote-as 100
neighbor 192.168.111.1 route-map SETLP in

B. route-map SETPP
set as-path prepend 111 111
!
router bgp 65500
neighbor 192.168.111.1 remote-as 100
neighbor 192.168.111.1 route-map SETPP out

C. route-map SETPP
set as-path prepend 100 100
!
router bgp 65500
neighbor 192.168.111.1 remote-as 100
neighbor 192.168.111.1 route-map SETPP in
D. route-map SETLP
set local-preference 111
!
router bgp 65500
neighbor 192.168.111.1 …
??? (missing command)

Answer: A

Explanation

The AS-PATH Prepending technique is only used to deprioritize a route by artificially increasing the
length of the AS-PATH attribute so we cannot apply it to AS100 to make it a preferred path.

Although the Local Preference attribute is only sent to iBGP neighbors and is not exchanged between
eBGP neighbors, we can apply it inbound on an eBGP neighbor to influence the choice made within our
own AS. So we can use the Local Preference attribute in this question.
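The reasoning above is the first steps of the BGP best-path algorithm: weight, then highest local preference, then shortest AS-path. The following Python model is an added example, not from the question bank or from Cisco IOS, and it only models the steps needed here (after AS-path length it jumps straight to the lowest-router-ID tie-break). The router IDs, the AS-paths (100 300 and 200 300) and the assumption that both ISPs advertise the same prefix are constructed.

```python
"""BGP best-path choice on the Customer Edge router (added example, question 68).

An inbound route-map changes the attributes of the copy of a route that
this router received, so "set local-preference" applied inbound changes
what this router prefers. An outbound route-map changes only what is
advertised to the neighbour, which is why prepending (or setting local
preference) outbound toward AS 100 does nothing for the CE's own choice.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Path:
    neighbor: str
    router_id: str
    as_path: list
    local_pref: int = 100   # Cisco IOS default
    weight: int = 0         # Cisco-proprietary, local to this router


def apply_inbound(path, route_map):
    """Apply a route-map with 'set local-preference' and/or 'set as-path prepend'."""
    if "local_pref" in route_map:
        path.local_pref = route_map["local_pref"]
    if "prepend" in route_map:
        path.as_path = list(route_map["prepend"]) + path.as_path
    return path


def best_path(paths):
    """Highest weight, then highest local preference, then shortest AS-path,
    then (skipping the origin/MED/IGP steps, which do not differ here)
    lowest router ID."""
    return max(paths, key=lambda p: (p.weight, p.local_pref, -len(p.as_path),
                                     -int(ipaddress.ip_address(p.router_id))))


def choose_exit(route_map, direction):
    """route_map is applied to the AS 100 neighbour in `direction` ('in' or 'out').
    Returns the neighbour the CE uses for a prefix both ISPs advertise."""
    via_100 = Path("192.168.111.1", "10.0.0.100", [100, 300])
    via_200 = Path("192.168.112.2", "10.0.0.20", [200, 300])
    if direction == "in":
        via_100 = apply_inbound(via_100, route_map)
    # 'out': only the advertisement toward AS 100 changes; local copies are untouched
    return best_path([via_100, via_200]).neighbor


if __name__ == "__main__":
    print("SETLP out (exhibit):", choose_exit({"local_pref": 111}, "out"))
    print("SETLP in  (answer A):", choose_exit({"local_pref": 111}, "in"))
    print("prepend out (B):", choose_exit({"prepend": [111, 111]}, "out"))
    print("prepend in  (C):", choose_exit({"prepend": [100, 100]}, "in"))
```

With the route-map applied outbound the two paths tie on every modelled attribute and the lower router ID decides, which is the failure described in the exhibit; only the inbound local-preference change (answer A) makes AS 100 the exit, and inbound prepending (answer C) actively pushes traffic away from it.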

Question 69

Refer to the exhibit.


The network administrator configured BGP as the backup route for 10.0.0.0/8, and it should work only
when EIGRP fails to install 10.0.0.0/8 for site S4266T8E713F6. Which configuration resolves the
issue?

A. configure terminal
!
router eigrp 1
distance eigrp 90 170

B. configure terminal
!
ip route 10.0.0.0 269.0.0.0 192.168.90.2

C. configure terminal
!
router eigrp 1
redistribute bgp metric 10000 1 255 1 1500

D. configure terminal
!
router eigrp 1
distance eigrp 10 170

Answer: D

Question 70

Refer to the exhibit.

interface GigabitEthernet2
no ip address
ip helper-address 192.168.255.3
no shutdown
!
interface GigabitEthernet2.10
encapsulation dot1Q 210
ip address 192.168.210.1 255.255.255.0
ip ospf 1 area 0
no shutdown

With the partial configuration of a router-on-a-stick, clients in VLAN 10 on Gi2 cannot obtain IP
configuration from the central DHCP server. The DHCP server is reachable by a successful ping from
the router. Which action resolves the issue?

A. Configure the ip dhcp excluded-address 192.168.255.3 command on the Gi2.10 subinterface
B. Configure a valid IP address on the Gi2 interface so that DHCP requests can be forwarded
C. Configure the ip dhcp pool 1 and network 192.168.210.0 255.255.255.0 commands
D. Configure the ip helper-address 192.168.255.3 command on the Gi2.10 subinterface

Answer: D

Explanation

When configuring router-on-a-stick, the main interface (Gi2 in this question) does not need to have an
IP address -> Answer B is not correct.

Users in VLAN 10 are connected to subinterface Gi2.10, which is missing the “ip helper-address”
command, so we have to configure it there.
Note: The subinterface number does not even have to match the associated VLAN ID.
(The encapsulation command, and not the subinterface number, defines the VLAN ID associated with
the subinterface.)

Reference: https://www.ciscopress.com/articles/article.asp?p=2990405&seqNum=2

Maybe there is a typo with this question because the encapsulation command (not the subinterface
number) defines the VLAN ID (210 in this case) but this question stated that “clients in VLAN 10”. It
should be “clients in VLAN 210” or the encapsulation command should be changed to “encapsulation
dot1q 10”.

Question 71

An engineer configured routing between multiple OSPF domains and introduced a routing loop that
caused network instability. Which action resolves the problem?

A. Set a tag using the redistribute command toward a domain and deny inbound in the other domain
by a matching tag
B. Set a tag using the redistribute command toward a different domain and deny the matching tag
when exiting from that domain
C. Set a tag using the network command in a domain and use the route-map command to deny the
matching tag when exiting toward a different domain
D. Set a tag using the network command in a domain and use the route-map command to deny the
matching tag when entering into a different domain

Answer: A

Question 72

Refer to the exhibit.

An engineer must configure OSPF with R9 and R10 and configure redistribution between OSPF and
RIP, causing a routing loop. Which configuration on R9 and R10 meets this objective?

Option A

router ospf 1
redistribute rip subnets tag 20
!
route-map deny_tag20 deny 10
match tag 20
route-map deny_tag20 permit 20
!

Option B

router ospf 1
distribute-list route-map deny_tag20 in
router ospf 1
redistribute rip subnets tag 20
!
route-map deny_tag20 permit 10
match tag 20
route-map deny tag20 permit 20
!

Option C

router ospf 1
distribute-list route-map deny_tag20 in
router ospf 1
redistribute rip subnets tag 20
!
route-map deny_tag20 deny 10
match tag 20
route-map deny tag20 deny 20
!
router ospf 1
distribute-list route-map deny_tag20 in

Option D

router ospf 1
redistribute rip subnets tag 20
!
route-map deny_tag20 deny 10
match tag 20
route-map deny_tag20 permit 20
!
router rip 1
distribute-list route-map deny_tag20 in

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Question 73

Refer to the exhibit.

R1# configure terminal
R1(config)# hostname CPE1
CPE1(config)# ip domain-name example.com
CPE1(config)# crypto key generate rsa
The name for the keys will be: CPE1.example.com
Choose the size of the key modulus in the range of 360 to 4096
for your General Purpose Keys. Choosing a key modulus greater than 512
may take a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

CPE1(config)# service password-encryption
CPC1(config)# username csadmin secret Secur3p4s$w0rd
CPE1(config)# line vty 0 4
CPE1(config-line)# transport input telnet ssh
CPE1(config-line)# login local
CPE1(config-line)# end

CPE1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
CPE1# ssh 10.0.0.1
% No user specified nor available for SSH client

An administrator must harden a router, but the administrator failed to test the SSH access
successfully to the router. Which action resolves the issue?

A. SSH syntax must be ssh -l user ip to log in to the remote device
B. Configure enable secret to log in to the device
C. SSH must be allowed with the transport output ssh command
D. Configure SSH on the remote device to log in using SSH

Answer: A

================================ New Questions (added on 31st-Aug-2022) ================================

Question 74

The summary route is not shown in the Router_B routing table after this below configuration on
Router_A:

interface ethernet 0
description location ID:$4295T7B39P69
ip address 192.168.3.1 255.255.255.0
ip summary-address eigrp 1 172.16.80.0 255.255.240.0

Which Router_A configuration resolves the issue by advertising the summary route to Router_B?

A. interface loopback 0
ip address 172.16.81.1 255.255.255.0
interface Ethernet 0
ip address 192.168.3.1 255.255.255.0
ip summary-address eigrp 1 172.16.80.0 255.255.240.0

B. interface loopback 0
ip address 172.18.81.1 255.255.255.0
interface Ethernet 0
ip address 192.168.3.1 255.255.255.0
ip summary-address eigrp 1 172.16.80.0 255.255.240.0
C. interface loopback 0
ip address 172.16.79.1 255.255.255.0
interface Ethernet 0
ip address 192.168.3.1 255.255.255.0
ip summary-address eigrp 1 172.16.80.0 255.255.240.0

D. interface loopback 0
ip address 172.16.96.1 255.255.255.0
interface Ethernet 0
ip address 192.168.3.1 255.255.255.0
ip summary-address eigrp 1 172.16.80.0 255.255.240.0

Answer: A

Explanation
The summary route disappeared because no more-specific route inside it existed any more. Therefore
we have to configure interface Lo0 with an IP address that falls within the range of the summary
route, and its subnet mask must be longer than that of the summary route.
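The check the router performs before advertising the summary can be written down: the summary is announced only while some route in the table is a strict more-specific of it. The following Python snippet is an added example (not from the question bank or from Cisco) that runs that test against the four loopback addresses offered in the options.

```python
"""Why an EIGRP summary-address disappears without a component route
(added example for question 74).

IOS only advertises a summary while at least one more-specific route
inside it is present in the routing table. The four loopbacks from the
answer options are tested against the summary 172.16.80.0 255.255.240.0.
"""
import ipaddress


def netmask_to_cidr(address, mask):
    """'172.16.80.0', '255.255.240.0' -> '172.16.80.0/20' (as the IOS command is written)."""
    return str(ipaddress.ip_network(f"{address}/{mask}", strict=False))


def summary_is_advertised(summary, routing_table):
    """True when some prefix in routing_table is a strict more-specific of summary."""
    s = ipaddress.ip_network(summary, strict=False)
    for prefix in routing_table:
        p = ipaddress.ip_network(prefix, strict=False)
        if p.prefixlen > s.prefixlen and p.subnet_of(s):
            return True
    return False


SUMMARY = netmask_to_cidr("172.16.80.0", "255.255.240.0")   # 172.16.80.0/20
ETHERNET0 = "192.168.3.0/24"                                 # outside the summary

# Loopback networks proposed by options A-D
OPTIONS = {"A": "172.16.81.0/24", "B": "172.18.81.0/24",
           "C": "172.16.79.0/24", "D": "172.16.96.0/24"}


def evaluate_options():
    """Map each option letter to whether the summary would be advertised."""
    return {opt: summary_is_advertised(SUMMARY, [ETHERNET0, lo])
            for opt, lo in OPTIONS.items()}


if __name__ == "__main__":
    print(SUMMARY, evaluate_options())
```

172.16.80.0/20 spans 172.16.80.0 through 172.16.95.255, so 172.16.79.0/24 falls just below it and 172.16.96.0/24 just above; only option A places a component route inside the summary.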

Question 75

Refer to the exhibit.

ip sla 1
icmp-echo 8.8.8.8
threshold 1000
timeout 2000
frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 name ISP1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 name ISP2

After recovering from a power failure, Ethernet0/1 stayed down while Ethernet0/0 returned to the
up/up state. The default route through ISP1 was not reinstated in the routing table until Ethernet0/1
also came up. Which action resolves the issue?

A. Remove the references to the interface names from both static default routes.
B. Configure the default route through ISP1 with a higher administrative distance than 2.
C. Add a static route to the 8.8.8.8/32 destination through the next hop 203.0.113.1.
D. Reference the track object 1 in both static default routes.

Answer: D

Explanation

This question did not say which are the IP addresses of E0/0 & E0/1 so it is not clear. But the second
default route is missing the track object 1 and it is the most likely cause of this problem.

Question 76

Refer to the exhibit.

R1(config)#ip access-list standard EIGRP-FILTER
R1(config-std-nacl)# permit 10.10.10.0 0.0.0.255
R1(config)#router eigrp 10
R1(config-router)#distribute-list route-map EIGRP in
!
R1(config)#route-map EIGRP permit 10
R1(config-route-map)#match ip address EIGRP-FILTER
!
R1#show ip route eigrp
D 10.10.10.0/24

An engineer must filter incoming EIGRP updates to allow only a set of specific prefixes. The distribute
list is tested, and it filters out all routes except network 10.10.10.0/24. How should the engineer
temporarily allow all prefixes to be learned by the router again without adjusting the existing access
list?
A. A continue statement should be added within the permit 10 statement before completing the ACL
with the required prefixes, and then the continue statement can be removed.
B. A permit any statement should be added before completing the ACL with the required prefixes, and
then the permit any statement can be removed.
C. An extended access list must be used instead of a standard access list to accomplish the task.
D. A permit 20 statement should be added before completing the ACL with the required prefixes, and
then the permit 20 statement can be removed.

Answer: B

Explanation

When we first read the requirement “… without adjusting the existing access list”, we think the best
solution is to add the statement “route-map EIGRP permit 20” (without any “match” statement) at the
end of the route-map but there is no such choice.

Apart from answer C, which is certainly not correct, all three remaining answers contain the phrase
“before completing the ACL”, which is hard to understand because it implies we do adjust the existing
access list.

Answer A is not clear as we don’t have a “continue” statement, we only have “permit” or “deny”
statement. So this answer can be eliminated.

If we do have to adjust the existing access list, then answer B is correct, as we can add a “permit
any” statement at the end of the ACL. This allows all prefixes to be learned.

Answer D would be correct if it stated “A permit 20 statement should be added before completing
the route map” (not the ACL).
We can add the “permit any” statement at the end of the ACL to temporarily allow all prefixes. After
the test we can remove it.

Note: There is an implicit “deny all” at the end of each route-map, the same as the way an access
list works.
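Both question 72 (dropping routes that carry the redistribution tag) and question 76 (the implicit deny at the end of a route-map used as a distribute-list) come down to how a route-map is evaluated sequence by sequence. The following Python model is an added example, not from the question bank or from Cisco IOS; the prefixes, the tag value 20 and the treatment of a standard ACL as an exact-prefix match are constructed simplifications.

```python
"""Route-map evaluation (added example for questions 72 and 76).

A route-map is a list of entries, each with an action ('permit'/'deny'),
a sequence number and optional match clauses. Entries are tried in
sequence order; an entry with no match clause matches everything, and
when no entry matches the route is denied (the implicit deny).
"""
import ipaddress


def match_entry(entry, route):
    """Match clauses: 'tag' (exact) and/or 'acl' (list of permitted prefixes)."""
    clauses = entry.get("match", {})
    if "tag" in clauses and route.get("tag") != clauses["tag"]:
        return False
    if "acl" in clauses:
        net = ipaddress.ip_network(route["prefix"])
        if not any(net == ipaddress.ip_network(p) for p in clauses["acl"]):
            return False
    return True


def route_map_permits(route_map, route):
    for entry in sorted(route_map, key=lambda e: e["seq"]):
        if match_entry(entry, route):
            return entry["action"] == "permit"
    return False          # implicit deny at the end of every route-map


# ---- Question 76: distribute-list using route-map EIGRP with a one-line ACL ----
EIGRP_FILTER = ["10.10.10.0/24"]
RM_EIGRP = [{"seq": 10, "action": "permit", "match": {"acl": EIGRP_FILTER}}]
# Temporary permit-all sequence appended at the end (no match clause)
RM_EIGRP_TEMP = RM_EIGRP + [{"seq": 20, "action": "permit"}]


def eigrp_accepted(route_map, prefixes):
    """Prefixes that survive the inbound distribute-list."""
    return [p for p in prefixes if route_map_permits(route_map, {"prefix": p})]


# ---- Question 72: tag the RIP routes on the way into OSPF, refuse them on the way back ----
DENY_TAG20 = [{"seq": 10, "action": "deny", "match": {"tag": 20}},
              {"seq": 20, "action": "permit"}]


def redistribute_rip_into_ospf(rip_routes, tag=20):
    """First ASBR: every RIP route enters OSPF carrying the tag."""
    return [dict(r, tag=tag) for r in rip_routes]


def loop_check(native_ospf, rip_routes):
    """One round of two-way redistribution: RIP routes are tagged into OSPF;
    everything in OSPF then arrives at the RIP side, where deny_tag20 drops
    whatever originated from RIP. Returns the prefixes that reach RIP."""
    in_ospf = native_ospf + redistribute_rip_into_ospf(rip_routes)
    return [r["prefix"] for r in in_ospf if route_map_permits(DENY_TAG20, r)]


if __name__ == "__main__":
    learned = ["10.10.10.0/24", "10.10.20.0/24", "172.16.0.0/16"]
    print("filter only   :", eigrp_accepted(RM_EIGRP, learned))
    print("with permit 20:", eigrp_accepted(RM_EIGRP_TEMP, learned))
    print("back into RIP :", loop_check([{"prefix": "10.1.0.0/24"}],
                                        [{"prefix": "192.168.1.0/24"}]))
```

The "permit 20" entry with no match clause is what turns the implicit deny into a permit-all without editing the ACL, and the same ordering principle makes the deny-then-permit pair in deny_tag20 safe: a native OSPF route carries no tag, misses sequence 10 and is accepted by sequence 20.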

Question 77

Refer to the exhibit.

An administrator is troubleshooting a time synchronization problem for the router’s time to another
Cisco IOS XE-based device that has recently undergone security hardening. Which action resolves the
issue?
A. Allow NTP in the ingress ACL on 10.1.255.40 by permitting TCP destined to port 123
B. NTP service is disabled and must be enabled on 10.1.255.40
C. Ensure that the CPE router has a valid route to 10.1.255.40 for NTP and rectify if not reachable
D. Allow NTP in the ingress ACL on 10.1.255.40 by permitting UDP destined to port 123

Answer: B

Explanation

The “reach” field in the “show ntp associations” command indicates the number of packets received
from the NTP server (eight bits in octal is 377, so you want to see a reach field value of 377). If this
field displays 0, the switch does not receive any packet from the NTP server.

NTP is a UDP-based service (-> Answer A is not correct). NTP servers use well-known port 123 to talk
to each other and to NTP clients. NTP clients use random ports above 1023 (-> Answer D is not
correct as NTP client uses random UDP port to talk to NTP server).

Answer C is not correct as from the “debug ip icmp” command we see that CPE can reach NTP server
at 10.1.255.40, only “port unreachable”.

Therefore only answer B is left.

Question 78

Which MPLS value is combined with the IP prefix to convert to a VPNv4 prefix?

A. 8-byte Route Distinguisher
B. 16-byte Route Distinguisher
C. 8-byte Route Target
D. 16-byte Route Target

Answer: A

Explanation

The basic idea behind the RD is that every customer receives a unique identifier to distinguish
between the same prefix from different customers. To create a unique prefix, you combine the RD
with the IPv4 prefix. The combination is called a VPNv4 prefix.

The route distinguisher is an 8-octet field prefixed to the customer IPv4 prefix (one octet is 8
bits). An example of a VPNv4 prefix is 64512:100:192.168.10.0/24, in which “64512:100” is the RD.
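The 8-byte layout of the RD can be encoded directly: a 2-byte type field followed by a 6-byte value whose split depends on the type (ASN:number, IPv4:number or 4-byte-ASN:number). The following encoder/decoder and VPNv4 key builder are an added example, not from the question bank or from any BGP implementation; the customer VRFs and prefixes used in the check are constructed.

```python
"""Building a VPNv4 prefix from a Route Distinguisher (added example, question 78).

The RD is 8 bytes: a 2-byte type, then
  type 0: 2-byte ASN : 4-byte assigned number   (e.g. 64512:100)
  type 1: 4-byte IPv4 : 2-byte assigned number  (e.g. 10.0.0.1:100)
  type 2: 4-byte ASN : 2-byte assigned number   (e.g. 4200000000:100)
Prefixing it to the IPv4 prefix gives the VPNv4 prefix, which keeps
identical customer prefixes distinct inside the provider's BGP table.
"""
import ipaddress
import struct


def encode_rd(rd: str) -> bytes:
    admin, assigned = rd.split(":")
    assigned = int(assigned)
    if "." in admin:                                          # type 1
        return struct.pack("!H4sH", 1, ipaddress.ip_address(admin).packed, assigned)
    asn = int(admin)
    if asn < 65536:                                           # type 0
        return struct.pack("!HHI", 0, asn, assigned)
    return struct.pack("!HIH", 2, asn, assigned)              # type 2


def decode_rd(raw: bytes) -> str:
    if len(raw) != 8:
        raise ValueError("RD must be exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.ip_address(ip)}:{num}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", raw[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_prefix(rd: str, prefix: str):
    """Return (display form, RD bytes followed by the prefix's network bytes)."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8          # only the significant bytes
    return f"{rd}:{net}", encode_rd(rd) + net.network_address.packed[:nbytes]


def all_distinct(customers):
    """customers: {vrf_name: (rd, prefix)}. True when every VPNv4 key differs."""
    keys = {vpnv4_prefix(rd, p)[1] for rd, p in customers.values()}
    return len(keys) == len(customers)


if __name__ == "__main__":
    print(vpnv4_prefix("64512:100", "192.168.10.0/24"))
    print(all_distinct({"CUST-A": ("64512:100", "192.168.10.0/24"),
                        "CUST-B": ("64512:200", "192.168.10.0/24")}))
```

Two customers announcing the same 192.168.10.0/24 collide on the plain IPv4 key but not on the VPNv4 key, which is the whole purpose of the RD; the route target, by contrast, is an extended community that controls import and export and plays no part in making the prefix unique.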

Question 79

Refer to the exhibit.


A NOC team receives a ticket that data traffic from RA to RF is not forwarded when the link between
the RC-RE path goes down. All routers learn loopback IP through the IGP protocol. Which configuration
resolves the issue?

A. RB(config)#router bgp 65101
RB(config-router)#neighbor 10.10.10.3 ebgp-multihop 3

B. RB(config)#router bgp 65101
RB(config-router)#neighbor 10.10.10.3 update-source loopback 0

C. RD(config)#router bgp 65201
RD(config-router)#neighbor 10.10.10.2 update-source loopback 0

D. RD(config)#router bgp 65201
RD(config-router)#neighbor 10.10.10.2 ebgp-multihop 3

Answer: A

Explanation

From the exhibit we learn that both RB & RD are using their loopback interfaces (10.10.10.2 &
10.10.10.3) for neighbor relationship. But RD says “External BGP neighbor may be up to 3 hops away”
which means RD has been configured with the command “neighbor 10.10.10.2 ebgp-multihop 3”.

Therefore we should change the “ebgp-multihop” of RB to at least 3 so that it can establish BGP
neighbor relationship with RD even when RD is three hops away.

Question 80

A customer is running an mGRE DMVPN tunnel over WAN infrastructure between hub and spoke sites.
The existing configuration allows NHRP to add spoke routers automatically to the multicast NHRP
mappings. The customer is migrating the network from IPv4 to the IPv6 addressing scheme for those
spokes’ routers that support IPv6 and can run DMVPN tunnel over the IPv6 network. Which
configuration must be applied to support IPv4 and IPv6 DMVPN tunnels on spoke routers?

A. tunnel mode ipv6ip isatap
B. tunnel mode ipv6ip 6rd
C. tunnel mode ipv6ip 6to4
D. tunnel mode ipv6ip auto-tunnel

Answer: A

Explanation

If we use IPv6 Automatic IPv4-Compatible Tunnels (via the command “tunnel mode ipv6ip auto-
tunnel”) then the router at each end of the tunnel must support both the IPv4 and IPv6 protocol
stacks so we cannot use it -> Answer D is not correct.

A 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network to remote IPv6
networks -> Answer C is not correct.


ISATAP is an automatic overlay tunneling mechanism that uses the underlying IPv4 network as a
NBMA link layer for IPv6. ISATAP is designed for transporting IPv6 packets within a site where a native
IPv6 infrastructure is not yet available; for example, when sparse IPv6 hosts are deployed for testing.
ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to communicate with other
such hosts on the same virtual link, basically creating an IPv6 network using the IPv4 infrastructure.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/configuration/xe-3s/ir-xe-3s-
book/ip6-isatap-xe.html

Note:
+ The existing configuration allows NHRP to add spokes automatically so it is using the command
“ip nhrp map multicast dynamic”.

Question 81

The network administrator configured CoPP so that an SNMP traffic from Cisco Prime located at
192.168.1.11 toward the router CPU is limited to 1000 kbps. Any traffic that exceeds this limit must
be dropped.
The network administrator is not getting the desired result for the SNMP traffic and SNMP traffic is
getting dropped frequently. Which set of configurations resolves the issue?

Option A Option B

no access-list 100
access-list 100 permit tcp host
192.168.1.11 any eq 161

Option C Option D

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A
Explanation

SNMP polling from a manager (Cisco Prime) to an agent (the router) uses UDP port 161, not TCP (traps
go the other way, to UDP 162), so an ACL that matches tcp ... eq 161 never matches the Prime traffic
-> Option B is not correct.

A CoPP policy is attached with service-policy input under control-plane, not under an interface ->
Option C is not correct.

The ACL must match only the SNMP traffic from Cisco Prime: access-list 100 permit udp host
192.168.1.11 any eq 161. Option D does not do that -> Option D is not correct.

The rate in the police command is in bits per second, so 1000 kbps is police 1000000 ...; typing
police 1000 would allow only 1 kbps and drop nearly all of the polling traffic.

Note: Drop is the default exceed action of police, so traffic above the committed rate is dropped even
without an explicit exceed-action drop.
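The bits-per-second point is easier to see on a model of the policer. The following Python is an added example and is not part of the original question set or IOS code: it models the single-rate, two-colour token bucket behind police <cir> [bc] conform-action transmit exceed-action drop and runs it over a constructed Cisco Prime polling stream. The bucket depth bc (10 000 bytes here) and the traffic patterns are assumptions chosen for illustration; set bc explicitly in real policies, since the default depends on the platform.

```python
"""Single-rate two-colour policer model (added example, not IOS code).

Models the token bucket behind `police <cir-bps> <bc-bytes> conform-action
transmit exceed-action drop`: tokens (bytes) refill at CIR/8 bytes per second
up to a depth of bc; a packet conforms if the bucket holds at least its size.
The bc value and the traffic patterns below are constructed for illustration.
"""


def police(packets, cir_bps, bc_bytes):
    """Police a list of (time_ms, size_bytes) tuples sorted by time.

    Returns (conformed, dropped) packet counts. A dropped packet does not
    consume tokens, exactly as exceed-action drop behaves.
    """
    tokens = float(bc_bytes)                  # the bucket starts full
    last_ms = packets[0][0] if packets else 0
    conformed = dropped = 0
    for t_ms, size in packets:
        # refill: elapsed seconds * CIR bits/s / 8 = bytes, capped at bc
        tokens = min(bc_bytes, tokens + (t_ms - last_ms) * cir_bps / 8000)
        last_ms = t_ms
        if size <= tokens:
            tokens -= size
            conformed += 1
        else:
            dropped += 1
    return conformed, dropped


def snmp_poll(count, size_bytes, interval_ms, start_ms=0):
    """Constructed poller traffic: `count` packets of size_bytes every interval_ms."""
    return [(start_ms + i * interval_ms, size_bytes) for i in range(count)]


# A poll of 500-byte packets every 5 ms is 800 kbps, under the 1000 kbps limit
# that "police 1000000" expresses.
STEADY_POLL = snmp_poll(100, 500, 5)

# Fifty 1500-byte packets in the same millisecond: the long-term rate is fine,
# but only the packets that fit into the bucket depth bc are forwarded.
BURST = [(1000, 1500)] * 50

if __name__ == "__main__":
    print("police 1000000, steady poll:", police(STEADY_POLL, 1_000_000, 10_000))
    print("police 1000 (unit mistake): ", police(STEADY_POLL, 1_000, 10_000))
    print("police 1000000, burst:      ", police(BURST, 1_000_000, 10_000))
```

With the rate given correctly in bps the whole poll conforms; with the kbps figure typed as if it were the bps value (police 1000) the bucket is drained after twenty packets and the rest are dropped, which is the "SNMP traffic is getting dropped frequently" symptom of the question; the burst case shows why bc matters even when the average rate is under the limit.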

Question 82

Refer to the exhibit.

A bank ATM site has difficulty connecting with the bank server. A network engineer troubleshoots the
issue and finds that R4 has no active route to the bank ATM site. Which action resolves the issue?

A. Advertise 10.10.30.0/24 subnet in R3 EIGRP AS.
B. EIGRP peering between R3 and R4 to be fixed.
C. EIGRP peering between R1 and R2 to be fixed.
D. Advertise 10.10.30.0/24 subnet in R1 EIGRP AS.

Answer: B

Explanation

The last line of the R3 output shows R3 active (symbol A) for the prefix 10.20.10.0/24 and waiting for
a reply from 10.10.30.2 (R4), marked with the symbol r. R1 is also active for the same prefix and
waits for a reply from 10.10.10.2 (R2). The missing prefix is therefore 10.20.10.0/24, not
10.10.30.0/24, so answers A and D are not correct.

This is how the stuck-in-active (SIA) condition arose: the bank ATM prefix 10.20.10.0/24 went down
for some reason. R1 had no feasible successor for it, so it went into the Active state and queried
its neighbors; the R1 output shows R1 as the local origin of the query. R2 received the query and
went active in turn, as did R3, which queried R4. R4 had nobody else to ask and replied to R3 that it
has no route for the prefix; we know that because the R4 output shows no active route.

Yet R3 is still active, so it never processed R4's reply: something is wrong on the R3-R4 link or
peering.

On R3, show ip eigrp neighbors would likely show a Q cnt greater than 0, meaning R3 is not
receiving acknowledgements for the packets it sends to R4.

The reference below walks through a very similar scenario.

Likely causes of stuck-in-active:

+ Bad or congested links
+ Query range is too long
+ Excessive redundancy
+ Overloaded router (high CPU)
+ Router memory shortage
+ Software defects (seldom)

Good Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKRST-2331.pdf

Note: show ip eigrp topology active helps troubleshoot an SIA condition. Look for the lowercase r in
the output: it means the router is still waiting for a reply to its query for that prefix from that
neighbor.

Question 83

Refer to the exhibit.


An engineer configures an IPv6 ACL to allow TACACS access to 2001:DB8:B:B::7 and denies any other
host. The ACL does not appear to be working. Which action resolves the issue?

A. Allow the NA and NS messages, which are denied by the implicit deny
B. Apply the ipv6 traffic-filter command to the interface
C. Apply the ACL to the interface.
D. Modify the IPv6 destination address to a valid address

Answer: C

Explanation
An IPv4 access list ends with a single invisible implicit deny; an IPv6 access list ends with three
implicit statements:

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

The two permits allow the IPv6 equivalent of ARP. IPv4 resolves Layer 2 MAC addresses with ARP; IPv6
uses ICMPv6 Neighbor Discovery (ND) for the same task, and the two ND message types used for address
resolution are Neighbor Solicitation (NS) and Neighbor Advertisement (NA). Because an IPv6 ACL would
otherwise block them in both directions on the interface, IOS permits nd-ns and nd-na implicitly,
so they do not need to be allowed by hand.

Therefore answer A is not correct.

One caveat for practice: the implicit entries are evaluated after the explicit ones. A list that ends
with an explicit deny ipv6 any any never reaches them and breaks neighbor discovery on that
interface, so in that case NS and NA must be permitted explicitly.

The destination address in the ACL (2001:DB8:B:B::7) is the intended host, so answer D is not correct.

The show ipv6 interface output shows an ACL named ENRASI-ACL applied to G0/2, while the show ipv6
access-list output lists only ENARSI-ACL. The names differ, and we cannot be sure whether that is a
typo in the question, but show ipv6 access-list lists every configured IPv6 ACL, so if two different
ACLs existed both would be shown. The interface is therefore referencing a name for which no list
exists, and the ACL that was actually written (ENARSI-ACL) is not applied anywhere.

Assuming the names really differ, the best answer is "Apply the ACL to the interface". Answer B is not
wrong in itself, but the command that fixes the problem is specifically ipv6 traffic-filter
ENARSI-ACL in on the interface, not just any ipv6 traffic-filter.

Question 84

Refer to the exhibit.


A network administrator is trying to switch to the privileged EXEC level on R1 but failed. Which
configuration resolves the issue?

A. tacacs server enable-password Cisco@123
B. enable password Cisco@123
C. tacacs-server enable-password Cisco@123
D. enable-password Cisco@123

Answer: B

Explanation

The exhibit does not appear to match the question. Regardless, there is no tacacs-server
enable-password command, no enable-password command, and tacacs server mode takes no
enable-password keyword, so only answer B remains: enable password Cisco@123 sets the password for
privileged EXEC. In practice prefer enable secret, which stores a hash rather than a clear-text or
reversibly encoded password.
Question 85

Refer to the exhibit.

A network engineer finds that PC1 is accessing the hotel website to do the booking but fails to make
payment. Which action resolves the issue?

A. Configure a reverse route on R1 for PC1 172.16.1.0/24
B. Decrease the AD to 5 of OSPF route 192.168.94.0 on R1
C. Allow stub network 10.10.202.168/30 on router R3 OSPF
D. Increase the AD to 200 of static route 192.168.94.0 on R3

Answer: D

Explanation

From the show ip ospf database router 10.10.202.169 output we can see what R1 is advertising:
+ A stub network for the bank server subnet 192.168.94.0/24 with cost 100 (from "TOS 0 Metrics: 100")
+ A stub network for 10.10.202.168/30 with cost 1 (from "TOS 0 Metrics: 1")

From the show ip route 10.10.202.168 output we can see that R3 has a static route to
10.10.202.168/30 via 172.16.1.26 (the PC LAN), which is wrong. In the output of show ip route |
include 10.10.202.168 it would read "S 10.10.202.168 [1/0] via 172.16.1.26".

With AD 1 the static route always beats the OSPF route (AD 110). Raising the AD of the static route to
200 turns it into a floating static: the OSPF route is installed and R3 reaches the bank server through
OSPF, while the static route is used only if OSPF withdraws the prefix.

Question 86
What is a function of the IPv6 DHCP Guard feature for DHCP messages?

A. If the device is configured as a DHCP server, no message is switched
B. It blocks only DHCP request messages
C. Only access lists are supported for matching traffic
D. All client messages are always switched regardless of the device role

Answer: D

Explanation

IPv6 DHCP Guard classifies each port by device role. Messages sent by clients (and by relay agents)
are always forwarded, whatever the role; server messages such as ADVERTISE and REPLY are forwarded
only from ports whose role is server and, if the policy says so, only from permitted server addresses
and for permitted prefixes. So the feature filters replies rather than requests (B is wrong), the
server role is exactly what lets server messages through (A is wrong), and matching is done by role
with optional access lists and prefix lists rather than access lists alone (C is wrong).

Question 87

An engineer creates a default static route on a router with a next hop of 10.1.1.1. On inspection, the
engineer finds the router has two VRFs, Red and Blue. The next hop is valid for both VRFs and exists
in each assigned VRF. Which configuration achieves connectivity?

A. ip route vrf Red 0.0.0.0 255.255.255.255 10.1.1.1
ip route vrf Blue 0.0.0.0 255.255.255.255 10.1.1.1

B. ip route vrf Red 0.0.0.0 0.0.0.0 10.1.1.1
ip route vrf Blue 0.0.0.0 0.0.0.0 10.1.1.1

C. ip route vrf BLUE 0.0.0.0 255.255.255.255 10.1.1.1
ip route vrf RED 0.0.0.0 255.255.255.255 10.1.1.1

D. ip route 0.0.0.0 0.0.0.0 10.1.1.1

Answer: B

Explanation

ip route takes a subnet mask, not a wildcard. A default route is 0.0.0.0 0.0.0.0, whereas 0.0.0.0
255.255.255.255 is a host route for the address 0.0.0.0, so A and C do not provide a default route
(C also uses the VRF names in the wrong case, and VRF names are case-sensitive). Answer D installs
the default route in the global routing table only. Each VRF has its own routing table, so each
needs its own default route configured with ip route vrf, which is answer B.

Question 88

Refer to the exhibit.


The IT router has been configured with the Maths VRF and the interfaces have been assigned to the
VRF. Which set of configurations exchanges routes between the Maths-1 and Maths-2 routers using
OSPF in area 0?

A. router ospf 1 vrf Maths
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0

B. router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 102.168.2.0 0.0.0.255 area 0

C. router ospf 1
address-family ipv4 vrf Maths
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0

D. router ospf 1 vrf Maths area 0
network 192.168.1.0
network 192.168.2.0

Answer: A

Explanation

An OSPF process is made VRF-aware by starting it with router ospf process-id vrf name; its network
statements then match the interfaces assigned to that VRF (answer A). The address-family ipv4 vrf
sub-mode in answer C belongs to BGP and EIGRP named mode, not to router ospf. Answer B runs the
process in the global routing table, where the Maths interfaces are not, and contains a typo
(102.168.2.0). Answer D is not valid syntax.

Question 89

Refer to the exhibit.


R3 cannot authenticate via TACACS. Which configuration resolves the issue?

A. tacacs server SITE6_TACACS
address ipv4 10.66.66.66
key CiscoTACACS

B. tacacs server SITE6_TACACS
key C!scoTACACS

C. tacacs server SITE6_TACACS
address ipv4 10.60.66.66
key C!sc0TACACS

D. tacacs server SITE6_TACACS
key C!sc0TACACS

Answer: B

Explanation

It is hard to see, but the key configured on R3 does not match the key on the TACACS server: the
server uses C!scoTACACS while R3 has C!sc0TACACS (the letter o versus the digit 0). The fix is to
update the key on R3 and leave the IP address of the TACACS server unchanged, which is answer B.
Answer D re-enters the wrong key, and answers A and C also change the server address.

Question 90

Refer to the exhibit.


Routers R1 and R2 have established a network adjacency using EIGRP, and both routers are
advertising subnets to its neighbor. After issuing the show ip EIGRP topology all-links command in
R1, some prefixes are not showing R2 as a successor. Which action resolves the issue?

A. Resolve the incorrect metric on the link.
B. Configure the network statement on the neighbor.
C. Enable split-horizon.
D. Rectify the incorrect router ID in R2.

Answer: B

Question 91

An engineer must establish a connection between two CE routers for two customers with overlapping
IP addresses. Customer_a is connected to interfaces Gig0/0, and Customer_b is connected to
interfaces Gig0/1. Routers CE1 and CE2 are configured as follows:

ip vrf customer_a
rd 1:1
route-target both 1:1
!
ip vrf customer_b
rd 2:2
route-target both 2:2

Drag and drop the code snippets from the right onto the boxes in the configuration to establish the
needed connection. Snippets may be used more than once.
Answer:

From top to bottom:

CE1
Box 1: customer_a
Box 2: 192.168.1.1 255.255.255.0
Box 3: customer_b
Box 4: 192.168.1.1 255.255.255.0

CE2
Box 5: customer_a
Box 6: 192.168.1.2 255.255.255.0
Box 7: customer_b
Box 8: 192.168.1.2 255.255.255.0

Explanation

Notice that two customers use the same (overlapping) IP address on each router.

Question 92

A network engineer must configure a DMVPN network so that a spoke establishes a direct path to
another spoke if the two must send traffic to each other. A spoke must send traffic directly to the hub
if required. Which configuration meets this requirement?
Option A

At the hub router:
interface tunnel 10
 ip nhrp nhs dynamic multipoint
 ip nhrp nhs shortcut
 tunnel mode gre multicast

On the spoke routers:
interface tunnel 10
 ip nhrp nhs multicast dynamic
 ip nhrp nhs redirect
 tunnel mode gre multicast

Option B

At the hub router:
interface tunnel 10
 ip nhrp map dynamic multipoint
 ip nhrp redirect
 tunnel mode gre multicast

On the spoke routers:
interface tunnel10
 ip nhrp map multicast dynamic
 ip nhrp shortcut
 tunnel mode gre multicast

Option C

At the hub router:
interface tunnel10
 ip nhrp nhs multicast dynamic
 ip nhrp nhs shortcut
 tunnel mode gre multipoint

On the spoke routers:
interface tunnel10
 ip nhrp nhs multicast dynamic
 ip nhrp nhs redirect
 tunnel mode gre multipoint

Option D

At the hub router:
interface tunnel10
 ip nhrp map multicast dynamic
 ip nhrp redirect
 tunnel mode gre multipoint

On the spoke routers:
interface tunnel 10
 ip nhrp map multicast dynamic
 ip nhrp shortcut
 tunnel mode gre multipoint

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

Direct spoke-to-spoke traffic requires DMVPN Phase 2 or Phase 3. The options use the Phase 3
mechanism: ip nhrp redirect on the hub (the hub tells a spoke that a better path exists) and ip nhrp
shortcut on the spokes (the spoke installs the shortcut it resolves). Options A and C attach the
shortcut and redirect keywords to the ip nhrp nhs command, which is not how they are used -> only
Option B and Option D remain.

Both the hub and the spokes need a multipoint GRE tunnel for a spoke to build a direct tunnel to
another spoke: tunnel mode gre multipoint (mGRE). There is no tunnel mode gre multicast -> only
Option D is correct.

Question 93

Refer to the exhibit.


An administrator is attempting to disable the automatic logout after a period of inactivity. After
logging out, the console stopped responding to all keyboard inputs. Remote access through SSH still
works. Which action resolves the issue?

A. Configure the exec command on line con 0.
B. Configure the absolute-timeout command on line con 0.
C. Configure the default exec-timeout command on line con 0.
D. Configure the no exec-timeout command on line con 0.

Answer: A

Explanation

The line command no exec disables the EXEC process on a line; it exists for lines that should carry
outgoing connections only. If it was entered on line con 0 while trying to remove the inactivity
logout, the console still accepts a connection but never starts an EXEC, so keystrokes go nowhere,
while SSH on the vty lines is unaffected. Restore the EXEC with the exec command; the inactivity
logout itself is disabled with exec-timeout 0 0.

Question 94

Refer to the exhibit.

R1(config)#ipv6 prefix-list PRE-PEND-PREFIX permit 2001:db8:0:a::/64
R1(config)#route-map PRE-PEND permit 10
R1(config-route-map)#match ipv6 address prefix-list PRE-PEND-PREFIX
R1(config-route-map)#set as-path prepend 65412
R1(config)#router bgp 65412
R1(config-router)#address-family ipv6
R1(config-router-af)#neighbor 2001:db8:0:20::2 route-map PRE-PEND out

R1 has a route map configured, which results in a loss of partial IPv6 prefixes for the BGP neighbor,
resulting in service degradation. How can the full service be restored?

A. The neighbor requires a soft reconfiguration, and this will clear the policy without resetting the BGP
TCP connection.
B. The prefix-list requires all prefixes that R1 is advertising to be added to it, and this will allow
additional prefixes to be advertised.
C. The route map requires a deny 20 statement without set conditions, and this will allow additional
prefixes to be advertised.
D. The route map requires a permit 20 statement without set conditions, and this will allow additional
prefixes to be advertised.

Answer: D

Explanation

A route map ends with an implicit deny, and the only sequence in PRE-PEND is permit 10, which
matches just 2001:db8:0:a::/64. Every other prefix fails the match and is dropped from the outbound
update, which is the loss of prefixes that was observed. Adding route-map PRE-PEND permit 20 with no
match or set clauses passes the remaining prefixes unchanged (answer D). A deny 20 sequence would only
restate the implicit deny, adding every prefix to the prefix list would prepend to all of them, and a
soft reconfiguration simply re-applies the same policy.

Question 95

Refer to the exhibit.

R1#show ip bgp 10.10.10.4/32


BGP routing table entry for 10.10.10.4/32, version 23
Paths: (2 available, best #2, table Default-IP-Routing-Table)
Not advertised to any peer
65201
10.10.10.5 (metric 2) from 10.10.10.5 (10.10.10.5)
Origin IGP, metric 0, localpref 100, valid, internal
65201
10.10.10.2 (metric 2) from 10.10.10.2 (10.10.10.2)
Origin IGP, metric 0, localpref 100, valid, internal, best

R4#show ip bgp 192.168.1.1/32


BGP routing table entry for 192.168.1.1/32, version 24
Paths: (2 available, best #1, table Default-IP-Routing-Table)
Not advertised to any peer
65101
10.10.10.6 (metric 156160) from 10.10.10.6 (10.10.10.6)
Origin IGP, metric 0, localpref 100, weight 32769 valid, internal, best
65101
10.10.10.3 (metric 2) from 10.10.10.3 (10.10.10.3)
Origin IGP, metric 0, localpref 100, valid, internal
A customer reports that user traffic of bank XYZ to the AAA server is not using the primary path via
the R3-R2 link. The network team observes:
No fiber is cut on links R2 and R3.
65101 and 65201 routers established BGP peering.

Which configuration resolves the issue?

A. R2(config)#route-map BGP-Path permit 10
R2(config-route-map)#set metric 200
R2(config)#router bgp 65101
R2(config-router)#neighbor 10.10.10.3 route-map BGP-Path out

B. R6(config)#router bgp 65201
R6(config-router)#no neighbor 10.10.10.5 weight 32789

C. R4(config)#route-map BGP-Path permit 10
R4(config-router)#no neighbor 10.10.10.6 weight 32769

D. R1(config)#route-map BGP-Path permit 10
R1(config-route-map)#set local-perference 200
R1(config)# router bgp 65101
R1(config-router)#neighbor 10.10.10.2 route-map BGP-Path out

Answer: C

Explanation

The neighbor 10.10.10.6 weight 32769 command assigns a weight of 32769 to every path learned from R6.
Weight is the first attribute the Cisco best-path selection compares, before local preference,
AS-path length or IGP metric, so R4 prefers R6 as the next hop for 192.168.1.1/32 even though the
path via R3 (10.10.10.3) has a far lower IGP metric (2 versus 156160). Removing the command lets
the IGP metric decide and the traffic returns to the primary R3-R2 path (answer C).
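The effect of the weight command can be checked against a model of the best-path algorithm. The following Python is an added example, not part of the original question set or IOS code: it implements the first steps of the Cisco best-path selection in order (weight, local preference, AS-path length, origin, MED, eBGP over iBGP, IGP metric to the next hop, router ID) and runs it over the two R4 paths from the exhibit, before and after the weight is removed. The attribute values are taken from the R4 output; the MED handling is simplified as noted in the code.

```python
"""BGP best-path selection model (added example, not IOS code).

Implements the first steps of the Cisco best-path algorithm in their
evaluation order: highest weight, highest local preference, shortest AS path,
lowest origin code, lowest MED, eBGP over iBGP, lowest IGP metric to the next
hop, and lowest router ID as the final tie-break. Steps such as "locally
originated" and "oldest path" are omitted. The path attributes below are taken
from the R4 output of Question 95.
"""
import ipaddress
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

STEPS = ("weight", "local_pref", "as_path_length", "origin", "med",
         "ebgp_over_ibgp", "igp_metric", "router_id")


@dataclass
class Path:
    next_hop: str
    as_path: tuple
    router_id: str
    weight: int = 0
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ibgp: bool = True
    igp_metric: int = 0


def decision_key(p: Path):
    """Tuple ordered so that the lexicographically smallest path is the best.

    Simplification: MED is compared between any two paths; IOS only compares
    it for paths from the same neighbouring AS unless bgp always-compare-med
    is configured.
    """
    return (-p.weight, -p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, p.ibgp, p.igp_metric, int(ipaddress.ip_address(p.router_id)))


def best_path(paths):
    return min(paths, key=decision_key)


def deciding_step(a: Path, b: Path):
    """Name of the first best-path step on which the two paths differ."""
    for name, x, y in zip(STEPS, decision_key(a), decision_key(b)):
        if x != y:
            return name
    return "tie"


# R4's two iBGP paths to 192.168.1.1/32 as shown in the exhibit.
VIA_R6 = Path("10.10.10.6", (65101,), "10.10.10.6", weight=32769, igp_metric=156160)
VIA_R3 = Path("10.10.10.3", (65101,), "10.10.10.3", weight=0, igp_metric=2)

# The R6 path once "neighbor 10.10.10.6 weight 32769" is removed.
VIA_R6_FIXED = Path("10.10.10.6", (65101,), "10.10.10.6", igp_metric=156160)


def r4_before_fix():
    return best_path([VIA_R6, VIA_R3]).next_hop, deciding_step(VIA_R6, VIA_R3)


def r4_after_fix():
    return best_path([VIA_R6_FIXED, VIA_R3]).next_hop, deciding_step(VIA_R6_FIXED, VIA_R3)


if __name__ == "__main__":
    print("before:", r4_before_fix())   # ('10.10.10.6', 'weight')
    print("after: ", r4_after_fix())    # ('10.10.10.3', 'igp_metric')
```

Because the decision is a tuple comparison, a step lower in the list only matters when every earlier one ties, which is why the weight wins here despite the 156160 versus 2 IGP metric, and why an outbound set local-preference on R1 (answer D) could never override it on R4.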

Question 96

How does LDP operate in an MPLS network?

A. When topology changes occur such as a router failure, LDP generates peer discovery messages that
terminate the LDP session to propagate an LSP change.
B. When an adjacent LSR receives LDP discovery messages, TCP two-way handshake ensures that the
LDP session has unidirectional connectivity.
C. Peer routers establish the LDP session, and the LDP neighbors maintain and terminate the session
by exchanging messages
D. LDP notification messages allow LERs to exchange label information to determine the next hops
within a particular LSP.

Answer: C

Explanation

LDP terminates a session with a session message (Shutdown), not a discovery message -> Answer A is
not correct. Discovery uses Hello messages over UDP, and the session itself is established with a
TCP three-way handshake that provides bidirectional connectivity -> Answer B is not correct.

LDP defines four message types:

+ Discovery messages: announce and maintain the presence of an LSR on a network; Hello messages are
discovery messages.
+ Session messages: establish, maintain and terminate sessions between LDP peers; Initialization and
KeepAlive messages are session messages.
+ Advertisement messages: create, change and delete label mappings for FECs.
+ Notification messages: carry advisory and error information; they do not exchange label mappings ->
Answer D is not correct.

Reference: https://support.huawei.com/enterprise/en/doc/EDOC1100074762/22b0901d/ldp-working-mechanism
New ENARSI Questions 6

Question 1

Which feature is used by LDP in the forwarding path within the MPLS cloud?

A. IP forwarding
B. TTL
C. TDP
D. LSP

Answer: D

Explanation

LDP provides a standard methodology for hop-by-hop, or dynamic label, distribution in an MPLS
network by assigning labels to routes that have been chosen by the underlying Interior Gateway
Protocol (IGP) routing protocols. The resulting labeled paths, called label switch paths (LSPs), forward
label traffic across an MPLS backbone to particular destinations.

Question 2

Refer to the exhibit.

ipv6 inspect udp idle-time 3600
ipv6 inspect name ipv6-firewall tcp
ipv6 inspect name ipv6-firewall udp

ipv6 access-list ipv6-internet
 deny ipv6 any DEC0::/10
 deny ipv6 any FF00::/8
 permit ipv6 any FF02::/16
 permit ipv6 any FF0E::/16
 permit udp any any eq domain
!
interface gi0/1
 ipv6 traffic-filter ipv6-internet in
 ipv6 inspect ipv6-firewall in
 ipv6 inspect ipv6-firewall out

A network administrator configured name resolution for IPv6 traffic to be allowed through an inbound
access list. After the access list is applied to resolve the issue, name resolution still did not work.
Which action does the network administrator take to resolve the name resolution problem?

A. Remove ipv6 inspect ipv6-firewall in from interface gi0/1
B. Add permit udp any eq domain any log in the access list.
C. Inspect ipv6 inspect name ipv6-firewall udp 53 in global config.
D. Add permit any eq domain 53 any log in the access list.

Answer: B

Explanation

The ACL ipv6-internet is applied inbound on gi0/1. Its only UDP entry, permit udp any any eq domain,
matches packets whose destination port is 53, that is, DNS queries arriving through gi0/1. The
replies to the queries the inside hosts send out come back with source port 53 and an ephemeral
destination port, so they match nothing explicit and fall through to the implicit deny ipv6 any any
at the end of the list. Adding permit udp any eq domain any (answer B) matches on the source port and
lets the replies in.
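The following Python is an added example that models how IOS evaluates an IPv6 access list, including the implicit trailer; it is not part of the original question set and is not IOS code. It covers this question (why the DNS replies hit the implicit deny and why permit udp any eq domain any fixes it) and Question 83 above (the implicit nd-ns and nd-na permits, and the fact that an explicit deny ipv6 any any at the end of a list overrides them). The addresses, ports and packets are constructed for illustration; TACACS+ is assumed to use TCP 49.

```python
"""IPv6 access-list evaluation model (added example, not IOS code).

Models how IOS evaluates an IPv6 ACL: entries are checked top to bottom and
the first match decides. Three implicit entries sit at the end of every list:
    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any
The ACLs and packets below are constructed for Question 83 (TACACS+ filter)
and Question 2 (DNS through an inbound filter).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "::/0"


@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # e.g. "nd-ns", "nd-na", "echo-request"


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches every protocol
    src: str = ANY                   # prefix; a host is written as /128
    dst: str = ANY
    sport: Optional[int] = None      # "eq" match on the source port
    dport: Optional[int] = None      # "eq" match on the destination port
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        for want, have in ((self.sport, pkt.sport), (self.dport, pkt.dport),
                           (self.icmp_type, pkt.icmp_type)):
            if want is not None and want != have:
                return False
        return True


IMPLICIT = [
    Entry("permit", "icmp", icmp_type="nd-na"),
    Entry("permit", "icmp", icmp_type="nd-ns"),
    Entry("deny", "ipv6"),
]


def evaluate(acl, pkt):
    """Return (action, index) for the first matching entry.

    index is the 0-based position of an explicit entry, or None when one of
    the implicit trailer entries made the decision.
    """
    for i, entry in enumerate(list(acl) + IMPLICIT):
        if entry.matches(pkt):
            return entry.action, (i if i < len(acl) else None)
    raise AssertionError("unreachable: the implicit deny matches everything")


# Question 83: permit TACACS+ (TCP 49, assumed) to one host, deny every other host.
TACACS_ACL = [Entry("permit", "tcp", dst="2001:DB8:B:B::7/128", dport=49)]
# The same list with an explicit deny appended: the implicit ND permits are
# never reached, so neighbour discovery on that interface breaks.
TACACS_ACL_EXPLICIT_DENY = TACACS_ACL + [Entry("deny", "ipv6")]

# Question 2: inbound list on the outside interface. "permit udp any any eq
# domain" matches packets *to* port 53; the replies arrive *from* port 53.
DNS_ACL_BROKEN = [Entry("permit", "udp", dport=53)]
DNS_ACL_FIXED = DNS_ACL_BROKEN + [Entry("permit", "udp", sport=53)]  # permit udp any eq domain any

# Constructed packets.
NS = Packet("icmp", "FE80::1", "FF02::1:FF00:7", icmp_type="nd-ns")
TACACS_OK = Packet("tcp", "2001:DB8:A::1", "2001:DB8:B:B::7", sport=40001, dport=49)
TACACS_OTHER = Packet("tcp", "2001:DB8:A::1", "2001:DB8:B:B::8", sport=40001, dport=49)
DNS_REPLY = Packet("udp", "2001:DB8:53::53", "2001:DB8:1::10", sport=53, dport=51234)

if __name__ == "__main__":
    for name, acl, pkt in [("ND with implicit trailer", TACACS_ACL, NS),
                           ("ND with explicit deny", TACACS_ACL_EXPLICIT_DENY, NS),
                           ("TACACS to allowed host", TACACS_ACL, TACACS_OK),
                           ("TACACS to other host", TACACS_ACL, TACACS_OTHER),
                           ("DNS reply, broken list", DNS_ACL_BROKEN, DNS_REPLY),
                           ("DNS reply, fixed list", DNS_ACL_FIXED, DNS_REPLY)]:
        print(f"{name:26s} -> {evaluate(acl, pkt)}")
```

The index returned alongside the action tells you which entry decided, which is what show ipv6 access-list hit counters tell you on a real box: a reply that is denied with index None was caught by the implicit trailer, not by anything you wrote.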

Question 3

How do devices operate in MPLS L3VPN topology?

A. P and associated PE routers with IGP populate the VRF table in different VPNs
B. CE routers connect to the provider network and perform LSP functionality
C. P routers provide connectivity between PE devices with MPLS switching
D. P routers support PE to PE VPN tunnel without LSP functionality

Answer: C

Explanation

In an MPLS L3VPN the VRFs and the customer routes live only on the PE routers. P routers carry no
VRFs: they label-switch packets along the LSPs between PEs, which is answer C. CE routers run
ordinary IP routing towards their PE and take no part in MPLS forwarding, so B is wrong, and an LSP is
exactly what carries PE-to-PE VPN traffic, so D is wrong.

Question 4

Refer to the exhibit.

{exhibit about the log server which has some OSPFv3-error records}

SW101#sh run
logging host 10.0.0.200
snmp-server enable traps syslog
snmp-server enable traps ospfv3 errors

An engineer configures SW101 to send OSPFv3 interfaces state change messages to the server.
However, only some OSPFv3 errors are being recorded. Which command resolves the issue?

A. snmp-server enable traps ospfv3 state-change if-state-change
B. snmp-server-enable traps ospfv3 state-change restart-status-change
C. snmp-server-enable traps ospfv3 state-change neighbor-state-change
D. snmp-server-enable traps ospfv3 state-change if-state-change neighbor-state-change

Answer: A

Explanation

The configuration in the exhibit only enables snmp-server enable traps ospfv3 errors, so only OSPFv3
error notifications reach the server. OSPFv3 transition notifications are enabled separately with
snmp-server enable traps ospfv3 state-change [if-state-change] [neighbor-restart-helper-status-change]
[neighbor-state-change] [nssa-translator-status-change]. Interface state changes are the
if-state-change keyword, so the command that records them is answer A.

Question 5

Refer to the exhibit.

{exhibit missing}

An engineer is trying to log in to R1 via R3 loopback address. Which action resolves the issue?

A. Add transport input SCP
B. Add transport input none
C. Remove the IPv6 traffic filter from R1, which is blocking the Telnet
D. Remove the IPv6 traffic from R1, which is blocking the SSH

Answer: C (?)
Explanation

This question is missing the exhibit so we are not sure about the answer. We will update this question
when we have more information about it.

Question 6

The network administrator must implement IPv6 in the network to allow only devices that not only
have registered IP addresses but are also connecting from assigned locations. Which security feature
must be implemented?

A. IPv6 Snooping
B. IPv6 Destination Guard
C. IPv6 Prefix Guard
D. IPv6 Router Advertisement Guard

Answer: B

Explanation

The Destination Guard feature helps in minimizing denial-of-service (DoS) attacks. It performs
address resolution only for those addresses that are active on the link, and requires the FHS
binding table to be populated with the help of the IPv6 snooping feature. The feature enables the
filtering of IPv6 traffic based on the destination address and blocks the NDP resolution for
destination addresses that are not found in the binding table. By default, the policy drops traffic
destined to an unknown destination.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_1
5_0s_book/IPv6_Security.pdf

Question 7

Refer to the exhibit.

The security department recently installed a monitoring device between routers R3 and R5, which
caused a loss of network connectivity for users connected to R5. Troubleshooting revealed that the
monitoring device cannot forward multicast packets. The team has already updated R5 with the correct
configuration. Which configuration must be implemented on R3 to resolve the problem while ensuring
that R3 is the DR for the R3-R5 segment?

Option A

interface FastEthernet0/0
 ip address 10.99.53.1 255.255.255.252
 ip access-group 122 in
 ip ospf network non-broadcast
 ip ospf priority 0
!
router ospf 10
 router-id 10.10.3.255
 neighbor 10.99.53.2
!
access-list 122 permit 88 host 10.99.53.2 host 10.99.53.1
access-list 122 deny 88 any any
access-list 122 permit tcp any any
access-list 122 permit udp any any
access-list 122 permit icmp any any

Option B

interface FastEthernet0/0
 ip address 10.99.53.1 255.255.255.252
 ip access-group 122 in
 ip ospf network non-broadcast
 ip ospf priority 0
!
router ospf 10
 router-id 10.10.3.255
 neighbor 10.99.53.0 0.0.0.0 area 0
 neighbor 10.99.53.2
!
access-list 122 permit 89 host 10.99.53.2 host 10.99.53.1
access-list 122 deny 89 any any
access-list 122 permit tcp any any
access-list 122 permit udp any any
access-list 122 permit icmp any any

Option C

interface FastEthernet0/0
 ip address 10.99.53.1 255.255.255.252
 ip access-group 122 in
 ip ospf network non-broadcast
 ip ospf priority 100
!
router ospf 10
 router-id 10.10.3.255
 neighbor 10.99.53.0 0.0.0.3 area 0
 neighbor 10.99.53.2
!
access-list 122 permit 89 host 10.99.53.2 host 10.99.53.1
access-list 122 deny 89 any any
access-list 122 permit tcp any any
access-list 122 permit udp any any
access-list 122 permit icmp any any

Option D

interface FastEthernet0/0
 ip address 10.99.53.1 255.255.255.252
 ip access-group 122 in
 ip ospf network point-to-point
 ip ospf priority 100
!
router ospf 10
 router-id 10.10.3.255
 neighbor 10.99.53.0 0.0.0.3 area 0
 neighbor 10.99.53.2
!
access-list 122 permit 88 host 10.99.53.2 host 10.99.53.1
access-list 122 deny 89 any any
access-list 122 permit tcp any any
access-list 122 permit udp any any
access-list 122 permit icmp any any

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

OSPF hellos normally go to the multicast address 224.0.0.5, which the monitoring device does not
forward, so R3 and R5 must unicast them: ip ospf network non-broadcast together with a neighbor
statement for R5. A non-broadcast network elects a DR, and a router with ip ospf priority 0 never
becomes DR, so Options A and B cannot make R3 the DR. Option D uses point-to-point, which elects no
DR at all. The inbound ACL must also permit OSPF, which is IP protocol 89; protocol 88 is EIGRP, so in
Options A and D nothing permits R5's hellos and they are dropped. Option C is the only option with
the non-broadcast network type, a non-zero priority and a permit for protocol 89 from R5.

Question 8

What must be configured by the network engineer to circumvent AS_PATH prevention mechanism in
IP/VPN Hub and Spoke deployment scenarios?

A. Use allowas-in and as-override at all PEs.
B. Use allowas-in and as-override at the PE-Hub.
C. Use allowas-in at the PE-Hub.
D. Use as-override at the PE-Hub.

Answer: D

Explanation

BGP discards a prefix whose AS_PATH already contains the receiving router's own ASN; that is the loop
prevention this question refers to. In a hub-and-spoke L3VPN where every customer site uses the same
ASN, spoke routes reach the hub CE from the PE-Hub with the customer ASN already in the path, so the
hub CE would discard them, and the same happens again when the hub re-advertises them towards the
spokes.

Two features work around this. as-override is configured on the provider side: the PE replaces the
customer ASN in the AS_PATH with its own ASN before advertising to the CE, so the CE never sees its own
ASN. allowas-in is configured on the CE and tells it to accept a path that contains its own ASN. The
question asks what the engineer configures on the PE-Hub, so the answer is as-override (answer D).

Reference: https://ipwithease.com/as-override-vs-allowas-in/

Question 9

Refer to the exhibit.

RD#show ip bgp neighbors 10.10.10.3 advertised-routes


Network Next Hop Metric LocPrf Weight Path
*> 10.0.0.0/30 0.0.0.0 0 32768 i
*> 10.0.0.4/30 0.0.0.0 0 32768 i
r>i10.0.0.12/30 10.10.10.1 0 100 0 i
*> 10.0.0.24/30 0.0.0.0 0 32768 i
r>i10.10.10.1/32 10.10.10.1 0 100 0 i
*> 10.10.10.2/32 0.0.0.0 0 32768 i
*>i172.16.10.10/32 10.10.10.1 0 100 0 i
*>i192.168.1.1/32 10.10.10.1 0 100 0 i

RD#show ip bgp neighbors 10.10.10.4 advertised-routes


Network Next Hop Metric LocPrf Weight
Path
*> 10.0.0.8/30 0.0.0.0 0 32768 i
*>i10.0.0.16/30 10.10.10.6 0 100 0 i
r>i10.0.0.20/30 10.10.10.6 0 100 0 i
*> 10.0.0.28/30 0.0.0.0 0 32768 i
r>i10.10.10.6/32 10.10.10.6 0 100 0 i
*>i172.16.20.1/32 10.10.10.6 0 100 0 i
A network engineer receives a fault ticket about traffic drops from BANK SITE Y to BANK SITE X. The
NOC team observe:
– Users can reach BANK SITE Y from router RA as a source.
– Routers RB and RD are acting as route reflectors.

Which configuration resolves the issue?


A. RC(config)#router bgp 65201
RC(config-router)#neighbor 10.10.10.4 route-reflector-client
B. RF(config)#router bgp 65201
RF(config-router)#neighbor 10.10.10.6 route-reflector-client
C. RC(config)#router bgp 65201
RC(config-router)#neighbor 10.10.10.2 route-reflector-client
D. RB(config)#router bgp 65201
RB(config-router)#neighbor 10.10.10.3 route-reflector-client

Answer: D

Explanation

The neighbor ... route-reflector-client command is configured on the route reflector itself, not on
the client, so it can only be applied on RB or RD; answer D is the one that does so.

=============================== New Questions (added on 22nd-Dec-2022) ===============================

Question 10

Refer to the exhibit.


Which configuration resolves the IP SLA issue from R1 to the server?

A. R6(config)#ip sla responder
B. R6(config)#ip sla responder udp-echo ipaddress 10.60.60.6 port 5000
C. R6(config)#ip sla 650
R6(config-ip-sla)# udp-jitter 10.60.60.6
D. R6(config)#ip sla schedule 10 life forever start-time now

Answer: A

Question 11

Refer to the exhibit.

RF# traceroute 192.168.1.1


1 10.0.0.9 40 msec 28 msec 24 msec
2 * * *
3 * * *
RE#show ip prefix-list detail
Prefix-list with the last deletion/insertion: Customer
ip prefix-list Customer:
count: 2, range entries: 1, sequences: 5 - 10, refcount: 3
seq 5 deny 192.168.1.1/32 (hit count: 5, refcount: 1)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 26, refcount: 1)

RC#show ip prefix-list detail


Prefix-list with the last deletion/insertion: Customer
ip prefix-list Customer:
count: 1, range entries : 1, sequences: 10 — 10, refcount: 4
seq 10 permit 0.0.0.0/0 le 32 (hit count: 7, refcount: 1)

The enterprise users fail to authenticate with the TACACS server when a direct fiber link fails between
RB and RD. The NOC team observes Users connected on AS65201 fail to authenticate with TACACS
server 192.168.1.1. Users connected on AS65101 successfully authenticate with TACACS server
192.168.1.1. All AS65101 and AS65201 users are configured to authenticate with the TACACS server.
Which configuration resolves the issue?

A. RC(config)# ip prefix-list Customer seq 5 permit 192.168.30.1/32

B. RC(config)#router bgp 65101
RC(config-router)#neighbor 10.0.0.18 prefix-list Customer in

C. RF(config)#no ip prefix-list Customer seq 5 deny 192.168.1.1/32

D. RF(config)#router bgp 65201
RF(config-router)# neighbor 10.0.0.17 prefix-list Customer out

Answer: B

Explanation

When the direct fiber link between RB and RD fails, RF still uses RD to reach the server: the
traceroute to 192.168.1.1 still goes through 10.0.0.9 on RD and then times out.

RF would have to reach the server through RE instead, but the RE output shows that RE's prefix list
blocks it: seq 5 deny 192.168.1.1/32 (with 5 hits).

Something may be wrong with this question, but if one answer has to be chosen we believe answer B is
the best: it applies the Customer prefix list inbound on RC's session to 10.0.0.18 and can create the
path over the RC-RE link that RF is currently unable to use.

Question 12

Refer to the exhibit.


The Customer Edge router wants to use AS 100 as the preferred ISP for all external routes and ISP-2
as a backup.

Customer-Edge
route-map SETAS
set as-path prepend 111
!
router bgp 64555
neighbor 192.168.1.1 remote-as 100
neighbor 192.168.2.2 remote-as 200
neighbor 192.168.2.2 route-map SETAS in

After this configuration, all the backup routes have disappeared from the BGP table on the Customer
Edge router. Which set of configurations resolves the issue on the Customer Edge router?

Option A

route-map SETAS
 set as-path prepend 111
!
router bgp 64555
 neighbor 192.168.2.2 remote-as 100
 neighbor 192.168.1.1 remote-as 200
 neighbor 192.168.1.1 route-map SETAS in

Option B

route-map SETAS
 set as-path prepend 200
!
router bgp 64555
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.2.2 remote-as 200
 neighbor 192.168.2.2 route-map SETAS in

Option C

route-map SETAS
 set as-path prepend 200
!
router bgp 64555
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.2.2 remote-as 200
 neighbor 192.168.2.2 route-map SETAS out

Option D

route-map SETAS
 set as-path prepend 111
!
router bgp 64555
 neighbor 192.168.1.1 remote-as 100
 neighbor 192.168.2.2 remote-as 200
 neighbor 192.168.2.2 route-map SETAS out

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

The inbound prepend is meant only to lengthen the AS path learned from ISP-2 (AS 200) so that the
paths via AS 100 win the best-path comparison while the ISP-2 paths stay in the table as backups.
Prepending the neighbor's own ASN (200) achieves that; prepending 111, an AS that is not on the path
at all, is not the intended use and may be the reason the backup routes disappeared. Option B is the
only option that keeps the neighbor definitions correct, prepends 200 and applies the route map
inbound on the ISP-2 session (Options C and D apply it outbound, which changes what ISP-2 sees rather
than the local choice).

Question 13

Refer to the exhibit.

The client server but the show command does not show the IPv6 DHCP bindings on the server. Which
action resolves the issue?

A. Extend the DHCP lease time because R1 removed the IPv6 address earlier after the lease expired
B. Configure H1 as the DHCP client that manually assigns the IPv6 address on interface e0/0
C. Use the 2001:DBB:BAD:C0DE::/64 prefix for the DHCP pool on R1
D. Configure authorized DHCP servers to avoid IPv6 addresses from a rogue DHCP server

Answer: C

Question 14
Refer to the exhibit.

An engineer cannot determine the time of the problem on R1 due to a mismatch between the router's
local clock and the logs. Which command synchronizes the time between new log entries and the local
clock on R1?

A. service timestamps debug datetime msec show-timezone


B. service timestamps log datetime localtime msec
C. service timestamps debug datetime localtime msec
D. service timestamps log datetime msec show-timezone

Answer: B

Explanation

From the output we see the local clock is 23:50 while the log shows 21:49. We can fix this by adding the
keyword “localtime”, which makes log messages use the local time of the router instead of UTC.

This is a syslog message, not a debug message so the best answer is “service
timestamps log datetime localtime msec”.

Question 15

Refer to the exhibit.

March 10 19:26:53.254 GMT: %SNMP-3-AUTHFAIL: Authentication


failure for SNMP request from host 10.1.1.1
snmp-server community public RO
snmp-server community private RW 16
!
logging snmp-authfail
!
access-list 15 permit 10.1.1.1

access-list 16 permit 10.1.1.2

Which action resolves the issue?

A. Configure host IP address in access-list 16


B. Configure SNMPv3 on the router
C. Configure SNMP authentication on the router
D. Configure a valid SNMP community string

Answer: A

Explanation

The command “snmp-server community private RW 16” is used to enable the read-write (RW)
community string where “private” is the read-write community string. Access-list “16” is associated
with this SNMP config, which allows only host 10.1.1.2 to have read-write access.

Either an incorrect community string or an access list that blocks the requesting host produces the error
“%SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host”. In this question the SNMP
request came from host 10.1.1.1 while ACL 16 permits only host 10.1.1.2, so the ACL is the likely
cause. The host in ACL 16 must be changed from 10.1.1.2 to 10.1.1.1.

Note that the read-only community “public” is not protected by any ACL and both strings are well-known
defaults. The question asks for the minimal fix, but in practice both communities should be replaced by
SNMPv3 authPriv users or, at the very least, by non-default strings bound to ACLs.

Question 16

Refer to the exhibit.

Spoke routers do not learn about each other’s routes in the DMVPN Phase2 network. Which action
resolves the issue?
A. Remove default route from spoke routers to establish a spoke-to-spoke tunnel.
B. Configure a static route in each spoke to establish a spoke-to-spoke tunnel.
C. Rectify incorrect wildcard mask configured on the hub router network command.
D. Disable EIGRP split horizon on the Tunnel0 interface of the hub router.

Answer: D

Question 17

Refer to the exhibit.

R1 #show ipv6 access-list


IPv6 access list inbound-acl
permit tcp host 2001:DB8::2 eq bgp host 2001:DB8::1 (75 matches) sequence 20
permit tcp host 2001:DB8::2 host 2001:DB8::1 eq bgp (17 matches) sequence 30
deny ipv6 2001:DB8::/32 any (77 matches) sequence 40
permit ipv6 any (20 matches) sequence 1000
R1#ping ipv6 2001:DB8::2

Type escape sequence to abort.


Sending 5,100-byte ICMP Echos to 2001:DB8::2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1#show ipv6 access-list
IPv6 access list inbound-acl
permit tcp host 2001:DB8::2 eq bgp host 2001:DB8::1 (77 matches) sequence 20
permit tcp host 2001:DB8::2 host 2001:DB8::1 eq bgp (19 matches) sequence 30
deny ipv6 2001:DB8::/32 any (95 matches) sequence 40
permit ipv6 any (23 matches) sequence 1000
R1#

An engineer applied the filter on R1. The interface between R1 and R2 then flapped, and clearing the
BGP session did not restore it. Which action must the engineer take to restore the BGP session from R2
to R1?

A. Apply the IPv6 traffic filter in the outbound direction on the interface
B. ICMPv6 must be permitted by the IPv6 traffic filter
C. Enable the BGP session, which went down when the session was cleared
D. Swap the source and destination IP addresses in the IPv6 traffic filter

Answer: B
Explanation

After the ping fails we see that the match count of “deny ipv6 2001:DB8::/32 any (95 matches) sequence
40” increased significantly (from 77 to 95), so ICMPv6 traffic sourced from 2001:DB8::/32 is being
dropped by this statement. Neighbor Discovery also runs over ICMPv6; when an explicit deny such as
sequence 40 precedes the implicit ND permits at the end of an IPv6 ACL, NS/NA messages sourced from
that range are dropped as well, which is why the session cannot recover after a flap even though TCP
port 179 itself is permitted at sequences 20 and 30.
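The following Python model, added here as an illustration and not part of the original question or of Cisco's software, replays the exhibit's inbound-acl against three kinds of traffic: a BGP segment from R2 (permitted at sequence 20), an ICMPv6 echo reply from R2 (dropped at sequence 40, the counter that grew in the exhibit), and the same echo reply once a permit for ICMPv6 from the peer is inserted ahead of the deny. The sequence number 35 for the added entry and the traffic samples are assumptions; the ACL entries themselves are taken from the exhibit.

```python
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address
from typing import List, Optional, Tuple

ANY6 = IPv6Network("::/0")


def host6(addr: str) -> IPv6Network:
    return IPv6Network(addr + "/128")


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp", or "ipv6" (any protocol)
    src: IPv6Network
    dst: IPv6Network
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    hits: int = 0               # the "(N matches)" counter of `show ipv6 access-list`


# inbound-acl as shown in the exhibit (seq 20, 30, 40, 1000); port 179 = bgp
INBOUND_ACL: List[Ace] = [
    Ace(20, "permit", "tcp", host6("2001:DB8::2"), host6("2001:DB8::1"), src_port=179),
    Ace(30, "permit", "tcp", host6("2001:DB8::2"), host6("2001:DB8::1"), dst_port=179),
    Ace(40, "deny", "ipv6", IPv6Network("2001:DB8::/32"), ANY6),
    Ace(1000, "permit", "ipv6", ANY6, ANY6),
]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL in sequence order; the first ACE that matches decides.
    Returns (action, seq); seq None means the implicit deny at the end fired."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace.proto != "ipv6" and ace.proto != proto:
            continue
        if ip_address(src) not in ace.src or ip_address(dst) not in ace.dst:
            continue
        if ace.src_port is not None and ace.src_port != sport:
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        ace.hits += 1
        return ace.action, ace.seq
    return "deny", None


def with_icmp_permit(acl: List[Ace], seq: int = 35) -> List[Ace]:
    """Hardened copy of the ACL: permit ICMPv6 from the peer ahead of the /32 deny at seq 40.
    Sequence 35 is an assumption; any free number between 30 and 40 works."""
    fix = Ace(seq, "permit", "icmp", host6("2001:DB8::2"), host6("2001:DB8::1"))
    return sorted(acl + [fix], key=lambda a: a.seq)


if __name__ == "__main__":
    # BGP segments from R2's port 179 are permitted at seq 20, as the exhibit's counters show
    print(evaluate(INBOUND_ACL, "tcp", "2001:DB8::2", "2001:DB8::1", sport=179, dport=60942))
    # ICMPv6 (echo replies, and ND sent from the global address) falls through to the deny at seq 40
    print(evaluate(INBOUND_ACL, "icmp", "2001:DB8::2", "2001:DB8::1"))
    # with the permit inserted before the deny, the same ICMPv6 packet is accepted at seq 35
    print(evaluate(with_icmp_permit(INBOUND_ACL), "icmp", "2001:DB8::2", "2001:DB8::1"))
```

Keeping the permit narrow (ICMPv6 from the single peer address) is the least-privilege choice; a blanket `permit icmp any any` ahead of the deny would also restore the session but would reopen the whole /32 to ICMPv6.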

Question 18

Refer to the exhibit.

An engineer is investigating an OSPF issue reported by the Cisco DNA Assurance Center. Which action
resolves the issue?

A. One of the neighbor links is down. Bring the interface up by running shut and no shut
B. One of the interfaces is using the wrong MTU. Match interface MTU on both links
C. An ACL entry blocking multicast on the interfaces. Allow multicast through the interface ACL
D. One of the interfaces is using the wrong authentication. Match interface authentication on both
links
Answer: B

Explanation

After two OSPF neighboring routers establish bi-directional communication and complete DR/BDR
election (on multi-access networks), the routers transition to the exstart state. In this state, the
neighboring routers establish a master/slave relationship and determine the initial database descriptor
(DBD) sequence number to use while exchanging DBD packets.

Neighbors Stuck in Exstart/Exchange State


The problem occurs most frequently when running OSPF between a Cisco router and another vendor's
router, and its cause is a mismatch in the maximum transmission unit (MTU) settings of the neighboring
interfaces. If the router with the higher MTU sends a packet larger than the MTU set on the neighboring
router, the neighboring router ignores the packet.

Question 19

Refer to the exhibit.

R3#

*Sep 5 07:29:34.031: %TCP-6-BADAUTH: No MD5 digest from 10.10.10.2(179) to


10.10.10.3(60942) (RST)
R2# show ip bgp neighbors 10.10.10.3
BGP neighbor is 10.10.10.3, remote AS 65201, external link
BGP version 4, remote router ID 0.0.0.0
BGP state = Idle
Last read 00:02:19, last write 00:02:19, hold time is 180, keepalive interval is
60 seconds
Message statistics:
InQ depth is 0
OutQ depth is 0
Sent Rcvd
Opens: 2 2
Notifications: 0 0
Updates: 5 6
Keepalives: 10 9
Route Refresh: 0 0
Total: 17 17
Default minimum time between advertisement runs is 30 seconds
Address tracking is enabled, the RIB does have a route to 10.10.10.3
Connections established 2; dropped 2
Last reset 00:11:58, due to Peer closed the session
External BGP neighbor not directly connected.
Transport (tcp) path-mtu-discovery is enabled
No active TCP connection
The network operation team observes a traffic forwarding issue between R2 and R3: Ping and
traceroute of loopback IP address from R2 to R3 is successful. iBGP peering in AS 65101 and AS
65201 is up. Which configuration resolves the issue?

A. Configure MD5 password authentication on R2.


B. Advertise R2 and R3 loopback IPs in AS 65101 and AS 65201.
C. Remove MD5 password authentication on R3.
D. Set up eBGP multihop on R2 and R3 routers.

Answer: A

Explanation

From the error message on R3, “No MD5 digest from 10.10.10.2(179) to 10.10.10.3(60942) (RST)”, we learn
that R3 expects an MD5-signed TCP segment from R2 (R3 has a BGP password configured for this neighbor),
but the segments arriving from R2 carry no MD5 option, so R2 has no password configured. R3 therefore
resets the connection and the session never leaves Idle.
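The log message comes from the TCP MD5 signature option (RFC 2385) that the BGP neighbor password enables: every segment carries a 16-byte digest over the IP pseudo-header, the TCP header with its checksum zeroed, the data and the shared key, and a receiver that expects the option rejects any segment without it. The Python below is an added illustration of that check, not IOS code and not a BGP implementation; the segment contents and the key `s3cret` are constructed for the example, and only the addresses and ports come from the exhibit.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_MD5_KIND = 19        # TCP option kind for the MD5 signature (RFC 2385)
TCP_MD5_OPT_LEN = 18     # kind (1) + length (1) + 16-byte digest
TCP_PROTO = 6


def _pseudo_header(src_ip: str, dst_ip: str, seg_len: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol, TCP segment length
    return IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed + struct.pack("!BBH", 0, TCP_PROTO, seg_len)


def _fixed_header(sport, dport, seq, ack, flags, window, opt_len) -> bytes:
    data_offset = (20 + opt_len) // 4            # header length in 32-bit words, options included
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, fixed_header, options, payload, key) -> bytes:
    """RFC 2385 section 2.0: MD5 over the pseudo-header, the fixed TCP header with the
    checksum field zeroed (options excluded), the segment data, and the shared key."""
    seg_len = len(fixed_header) + len(options) + len(payload)
    zeroed = fixed_header[:16] + b"\x00\x00" + fixed_header[18:]
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, seg_len) + zeroed + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, payload, key=None,
                  seq=1000, ack=0, flags=0x18, window=16384) -> bytes:
    """Sender side: a TCP segment, signed with the MD5 option only when a key is configured."""
    if key is None:
        return _fixed_header(sport, dport, seq, ack, flags, window, 0) + payload
    opt_len = TCP_MD5_OPT_LEN + 2                 # two NOPs pad the option to a 4-byte boundary
    fixed = _fixed_header(sport, dport, seq, ack, flags, window, opt_len)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, b"\x00" * opt_len, payload, key)
    options = bytes([TCP_MD5_KIND, TCP_MD5_OPT_LEN]) + digest + b"\x01\x01"
    return fixed + options + payload


def _find_md5_option(options: bytes):
    """Walk the TCP option list and return the 16-byte digest, or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                             # end of option list
            return None
        if kind == 1:                             # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None                           # malformed option, treat as unsigned
        length = options[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_OPT_LEN:
            return options[i + 2:i + TCP_MD5_OPT_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key) -> str:
    """Receiver side with a key configured. Returns 'ok', 'bad digest', or 'no MD5 digest'
    (the condition IOS logs as %TCP-6-BADAUTH before answering with an RST)."""
    data_offset = (segment[12] >> 4) * 4
    fixed, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = _find_md5_option(options)
    if received is None:
        return "no MD5 digest"
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, options, payload, key)
    return "ok" if hmac.compare_digest(received, expected) else "bad digest"


if __name__ == "__main__":
    R2, R3 = "10.10.10.2", "10.10.10.3"                 # addresses from the exhibit
    payload = b"constructed BGP payload"                # placeholder, not a real BGP message
    unsigned = build_segment(R2, R3, 179, 60942, payload)                 # R2 with no password
    signed = build_segment(R2, R3, 179, 60942, payload, key=b"s3cret")    # R2 after the fix
    print(verify_segment(R2, R3, unsigned, b"s3cret"))  # no MD5 digest  (R3's log message)
    print(verify_segment(R2, R3, signed, b"s3cret"))    # ok
    print(verify_segment(R2, R3, signed, b"other"))     # bad digest
```

The digest covers the addresses and ports, so it also defeats spoofed RSTs from a third party, which is the historical reason BGP operators enabled it; MD5 itself is weak, and RFC 5925 (TCP-AO) is the modern replacement where both peers support it.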

Question 20

A newly installed router establishes an LDP session with another MPLS router to which it is not directly
connected. Which LDP message type does the targeted router send back to the initiating router over
UDP?
A. notification message
B. session message
C. extended discovery message
D. advertisement message

Answer: C

Explanation

If the LSR is more than one hop from its neighbor, it is nondirectly connected to its neighbor. For
these nondirectly connected neighbors, the LSR sends out a targeted Hello message as a UDP packet,
but as a unicast message specifically addressed to that LSR. The nondirectly connected LSR responds
to the Hello message and the two routers begin to establish an LDP session. This is called extended
discovery.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/mpls/configuration/guide/convert/mp_ldp_boo
k/mp_ldp_overview.html

Question 21
Which router takes an active role between two LDP neighbors when initiating LDP session negotiation
and LDP TCP connection establishment?
A. with one interface in the MPLS backbone
B. with the larger number of LDP TCP neighbors
C. with the lowest IP address
D. with the higher IP address

Answer: D

Explanation

To initiate an LDP session between routers, the routers determine which router will take the active role
and which router will take the passive role. The router that takes the active role establishes the LDP
TCP connection session and initiates the negotiation of the LDP session parameters. To determine the
roles, the two routers compare their transport addresses. The router with the higher IP
address takes the active role and establishes the session.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_ldp/configuration/12-4m/mp-ldp-
12-4m-book.pdf

Question 22

Refer to the exhibit.

A company builds WAN infrastructure between the head office and POPs using DMVPN hub-and-spoke
topology to provide end-to-end communication. All POPs must maintain point-to-point connectivity
with the head office. Which configuration meets the requirement at routers R12 and R13?

Option A

R12#
interface Tunnel0
ip nhrp map multicast 172.16.1.11
ip nhrp map 172.16.1.11 192.168.10.11
ip nhrp network-id 12
ip nhrp nhs 192.168.10.11

R13#
interface Tunnel0
ip nhrp map multicast 172.16.1.11
ip nhrp map 172.16.1.11 192.168.10.11
ip nhrp network-id 13
ip nhrp nhs 192.168.10.11

Option B

R12#
interface Tunnel0
ip nhrp map multicast 192.168.10.11
ip nhrp map 172.16.1.11 192.168.10.11
ip nhrp network-id 12
ip nhrp nhs 172.16.1.11

R13#
interface Tunnel0
ip nhrp map multicast 192.168.10.11
ip nhrp map 172.16.1.11 192.168.10.11
ip nhrp network-id 13
ip nhrp nhs 172.16.1.11

Option C

Configure routers R12 and R13 as:
interface Tunnel0
ip nhrp map multicast 192.168.10.11
ip nhrp map 172.16.1.11 192.168.10.11
ip nhrp network-id 11
ip nhrp nhs 172.16.1.11

Option D

Configure routers R12 and R13 as:
interface Tunnel0
ip nhrp map multicast 172.16.1.11
ip nhrp map 172.16.1.11 192.168.10.11
ip nhrp network-id 11
ip nhrp nhs 192.168.10.11

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

The question treats the NHRP network-id as matching between hub and spokes (strictly, the value is
locally significant, but it is conventionally kept identical across a DMVPN cloud), so the spokes use
“network-id 11” -> only Option C and Option D remain.

The NHS must point to the tunnel IP address of the hub (not its WAN/NBMA address), so the correct
command is “ip nhrp nhs 172.16.1.11”; the multicast mapping, by contrast, takes the hub's NBMA address
(“ip nhrp map multicast 192.168.10.11”). Only Option C has both right.

Question 23

Refer to the exhibit.


An engineer must configure per-VRF TACACS+ for company A. Which configuration on RTG-1 accomplishes the
task?

Option A

aaa new-model
aaa group server tacacs+ Tacacscluster
server-private 172.16.1.3 port 49 key routing
ip tacacs source-interface GigabitEthernet 0/0
ip vrf CompanyA

Option B

aaa new-model
aaa group server tacacs+ Tacacscluster
server-private 172.16.1.1 port 49 key routing
ip tacacs source-interface GigabitEthernet 0/0
ip vrf forwarding CompanyA

Option C

aaa new-model
aaa group server tacacs+ Tacacscluster
server-private 172.16.1.1 port 49 key routing
ip tacacs source-interface GigabitEthernet 0/1
ip vrf CompanyA

Option D

aaa new-model
aaa group server tacacs+ Tacacscluster
server-private 172.16.1.3 port 49 key routing
ip tacacs source-interface GigabitEthernet 0/1
ip vrf forwarding CompanyA

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

The command that binds a AAA TACACS+ server group to a VRF is “ip vrf forwarding CompanyA” under the
server group -> only Option B and Option D are correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-
16/sec-usr-tacacs-xe-16-book/sec-vrf-tacas-svrs.html

The IP address of the TACACS+ server in the exhibit is 172.16.1.3, so only Option D is correct.

Question 24

Refer to the exhibit.

An engineer must connect the Reno and Detroit spokes using DMVPN phase 2.

Hub tunnel configuration is


Dallas
interface Tunnel0
ip address 10.0.80.1 255.255.255.0
ip nhrp authentication cisco123
ip nhrp multicast dynamic
ip nhrp network-id 5
tunnel source Serial0/0
tunnel mode gre multipoint

Which configuration accomplishes the task?

Option A

Reno
interface Tunnel0
ip address 10.0.80.3 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map multicast 10.92.18.2
ip nhrp map 10.0.80.1 10.92.18.2
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.238.194.2
tunnel mode gre multipoint

Detroit
interface Tunnel 0
ip address 10.0.80.4 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map 10.0.80.1 10.92.18.2
ip nhrp map multicast 10.92.18.2
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.7.44.2
tunnel mode gre multipoint

Option B

Reno
interface Tunnel0
ip address 10.0.80.3 255.255.255.0
nhrp authentication cisco123
ip nhrp map multicast 10.92.18.2
ip nhrp map 10.92.18.2 10.0.80.1
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.238.194.2
tunnel mode gre multipoint

Detroit
interface Tunnel0
ip address 10.0.80.4 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map 10.92.18.2 10.0.80.1
ip nhrp map multicast 10.92.18.2
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.7.44.2
tunnel mode gre multipoint

Option C

Reno
interface Tunnel0
ip address 10.0.80.3 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map broadcast 10.92.18.2
ip nhrp map 10.0.80.1 10.92.18.2
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.238.194.2
tunnel mode gre multipoint

Detroit
interface Tunnel0
ip address 10.0.80.4 255.255.255.0
ip nhrp authentication cisco123
ip nhrp map 10.0.80.1 10.92.18.2
ip nhrp map broadcast 10.92.18.2
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.7.44.2
tunnel mode gre multipoint

Option D

Reno
interface Tunnel0
ip address 10.0.80.3 255.255.255.0
ip nhrp authentication cisco321
ip nhrp map multicast 10.92.18.2
ip nhrp map 10.0.80.1 10.92.18.2
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.238.194.2
tunnel mode gre multipoint

Detroit
interface Tunnel0
ip address 10.0.80.4 255.255.255.0
ip nhrp authentication cisco321
ip nhrp map 10.0.80.1 10.92.18.2
ip nhrp map multicast 10.92.18.2
ip nhrp network-id 5
ip nhrp nhs 10.0.80.1
tunnel source 10.7.44.2
tunnel mode gre multipoint
A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

The NHRP authentication command “ip nhrp authentication …” must match on Hub and Spokes. On
Hub the password is “cisco123” so the same password must be configured on Spokes -> Option D is
not correct.

For DMVPN Phase 2 – Dynamic Mapping, the syntax of mapping command is “ip nhrp map {tunnel-
address-of-Hub} {NBMA-address-of-Hub}” so it must be “ip nhrp map 10.0.80.1 10.92.18.2” ->
Option B is not correct.

There is no “ip nhrp map broadcast” command, only “ip nhrp map multicast {NBMA-address-of-
Hub}” command -> Only Option A is correct.

Note: You can read the DMVPN Phase 2 configuration on our site
at https://www.networktut.com/dmvpn-tutorial/2 (both static mapping and dynamic mapping). The
configuration and comparison is very comprehensive so we recommend you to grasp the DMVPN
configuration.

Question 25

Refer to the exhibit.

100.0.0.0/32 is subnetted, 3 subnets


C 100.1.1.1 is directly connected, Loopback0
D 100.2.2.2 [90/156160] via 10.1.1.2, 00:00:46, FastEthernet0/0
D 100.3.3.3 [90/158720] via 10.1.1.14, 00:00:44, FastEthernet1/0
[90/158720] via 10.1.1.2, 00:00:44, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 13 subnets, 4 masks
D 10.1.1.8/30 [90/30720] via 10.1.1.14, 00:00:44, FastEthernet1/0
C 10.1.1.12/30 is directly connected, FastEthernet1/0
C 10.1.1.0/30 is directly connected, FastEthernet0/0
D 10.1.1.4/30 [90/30720] via 10.1.1.2, 00:00:45, FastEthernet0/0
C 10.100.1.40/32 is directly connected, Loopback40
D EX 10.1.1.80/29[170/33280] via 10.1.1.14, 00:00:45, FastEthernet1/0
[170/33280] via 10.1.1.2, 00:00:45, FastEthernet0/0
C 10.100.1.50/32 is directly connected, Loopback50
C 10.100.1.10/32 is directly connected, Loopback10
S 10.100.1.0/24 is a summary, 00:00:48, Null0
C 10.100.1.30/32 is directly connected, Loopback30
C 10.100.1.20/32 is directly connected, Loopback20
C 10.200.1.0/24 is directly connected, FastEthernet0/1
D EX 10.247.10.0/30 [170/2174976] via 10.1.1.14, 00:00:46, FastEthernet1/0
[170/2174976] via 10.1.1.2, 00:00:46, FastEthernet0/0

R1 must advertise all loopback interfaces IP addresses to neighbors, but EIGRP neighbors receive a
summary route. Which action resolves the issue?
A. Redistribute connected routes into EIGRP
B. Enable EIGRP on loopback interfaces
C. Disable auto summarization on R1
D. Remove the 10.100.1.0/24 static route

Answer: C

Explanation

The most likely cause of this problem is EIGRP summarized subnets automatically because all
loopback interfaces are 10.100.1.x/32, which will be summarized into 10.0.0.0/8 automatically.
Therefore we should disable auto summarization with the “no auto-summary” command.

Note: In modern devices, EIGRP auto summarization is disabled by default.

Question 26

Refer to the exhibit.

Which action ensures that 10.10.10.0/24 reaches 10.10.20.0/24 through the direct link between R1
and R2?

A. Configure R1 and R2 LAN links as nonpassive


B. Configure R1 and R2 links under area 1
C. Configure OSPF link cost to 1 between R1 and R2
D. Configure OSPF path cost to 3 between R1 and R2

Answer: B

Explanation
Both LANs are in Area 1, so if we assign the direct link between R1 and R2 to this area, the two LANs
will use that link for communication (an intra-area route is preferred over an inter-area route).

Question 27

What are the two reasons for RD and VPNv4 addresses in an MPLS Layer 3 VPN? (Choose two)

A. RD is prepended to each prefix to make routes unique.


B. VPN RT communities are used to identify customer unique routes.
C. When the PE redistributes customer routes into MP-BGP, they must be unique.
D. They are on a CE device to use for static configuration.
E. They are used for a BGP session with the CE device.

Answer: A C

Explanation

Why an RD and VPNv4 Address?

1. PE routers service multiple customers
2. Once PE redistributes customer routes into MP-BGP, they must be unique
3. RD is prepended to each prefix to make routes unique

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKMPL-1100.pdf

Question 28

Refer to the exhibit.

CPE# show snmp mib ifmib ifindex detail


Description ifIndex Active Persistent Saved TrapStatus
-------------------------------------------------------------
Loopback1 8 yes disabled no enabled
GigabitEthernet1 1 yes disabled no enabled
GigabitEthernet3 3 yes disabled no enabled
GigabitEthernet3.123 10 yes disabled no disabled
VoIP-Null0 5 yes disabled no enabled
Loopback0 7 yes disabled no enabled
Null0 6 yes disabled no enabled
Loopback2 9 yes disabled no enabled
GigabitEthernet4 4 yes disabled no enabled
GigabitEthernet2 2 yes disabled no enabled

After reloading the router an administrator discovered that the interface utilization graphs displayed
inconsistencies with their previous history in the NMS. Which action prevents this issue from occurring
after another router reload in the future?

A. Rediscover all the router interfaces through SNMP after the router is reloaded
B. Save the router configuration to startup-config before reloading the router
C. Configure SNMP to use static OIDs referring to individual router interfaces
D. Configure SNMP interface index persistence on the router

Answer: D

Explanation
The SNMP ifIndex persistence feature provides an interface index (ifIndex) value that is retained and
used when the router reboots. The ifIndex value is a unique identifying number associated with a
physical or logical interface. In the following example, SNMP ifIndex persistence is enabled for all
interfaces:

router(config)# snmp-server ifindex persist

Question 29

Refer to the exhibit.

R2#show run
interface Loopback10
no ip address
ipv6 address 2002::1/128
ipv6 eigrp 1
!
interface Loopback11
no ip address
ipv6 address 2002::2/128
ipv6 eigrp 1
!
interface Loopback12
no ip address
ipv6 address 2002::3/128
ipv6 eigrp 1
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
ipv6 address autoconfig
ipv6 eigrp 1
!
ipv6 router eigrp 1
stub summary
no shutdown

R1 cannot receive the R2 interfaces with individual prefixes. What must be reconfigured to advertise
R2 interfaces to R1?

A. EIGRP process on R2 by removing the stub command keyword summary


B. Interface FastEthernet0/1 on R2 with an EIGRP summary for all three loopback prefixes
C. EIGRP process on R2 with the command stub summary receive-only
D. EIGRP process on R2 with the command stub summary connected

Answer: A

Explanation

By removing the keyword “summary” we can see all loopback prefixes.

Reference: https://community.cisco.com/t5/networking-knowledge-base/ipv6-eigrp-stub-feature-
demonstration/ta-p/3126796

Question 30

Refer to the exhibit.


An engineer must configure EIGRP between R1 and R2 with no summary route. Which configuration
resolves the issue?

A. R1(config)#router eigrp 1
R1(config-router)#no auto-summary

B. R2(config)#router eigrp 1
R2(config-router)#no auto-summary

C. R2(config)#router eigrp 1
R2(config-router)#auto-summary

D. R1(config)#router eigrp 1
R1(config-router)#auto-summary

Answer: B

Question 31

Refer to the exhibit.

R1#
router ospf 1
redistribute rip subnets
network 131.108.1.0 0.0.0.255 area 2
network 131.108.2.0 0.0.0.5 area 2
distribute-list 1 out
!
access-list 1 permit 132.108.4.0 0.0.0.255

The R1 OSPF neighbor is not receiving type 5 external LSAs for 132.108.2.0/24 and 132.108.3.0/24
networks. Which configuration command resolves the issue?
A. access-list 1 permit 132.108.0.0 0.0.1.255
B. access-list 1 permit 132.108.0.0 0.0.3.255
C. access-list 1 permit 132.108.2.0 0.0.0.255
D. access-list 1 permit 132.108.4.0 0.0.3.255

Answer: B
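Question 15 and this question both turn on reading a Cisco wildcard mask, where a 0 bit must match and a 1 bit is ignored. The Python below is an added worked example, not from the page or from Cisco, that evaluates the masks the way the router does: it lists the /24 networks each Question 31 option covers, finds which option covers both 132.108.2.0/24 and 132.108.3.0/24, and checks the Question 15 access-list 16 against the requesting host 10.1.1.1 before and after the fix.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

Ace = Tuple[str, str, str]   # (action, address, wildcard) as in `access-list <n> permit A.B.C.D W.X.Y.Z`


def _u32(dotted: str) -> int:
    return int(IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored
    (the inverse of a subnet mask, and it does not have to be contiguous)."""
    care = 0xFFFFFFFF ^ _u32(wildcard)
    return (_u32(addr) & care) == (_u32(base) & care)


def standard_acl_permits(acl: List[Ace], addr: str) -> bool:
    """Ordered first-match evaluation with the implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def covered_24s(base: str, wildcard: str, within: str = "132.108.0.0/16") -> List[str]:
    """The /24 networks inside `within` that an entry covers completely: if both the network
    and the broadcast address match, every bit of the host part is a don't-care bit."""
    return [
        str(sub) for sub in IPv4Network(within).subnets(new_prefix=24)
        if wildcard_match(str(sub.network_address), base, wildcard)
        and wildcard_match(str(sub.broadcast_address), base, wildcard)
    ]


# Question 31: which single entry covers both 132.108.2.0/24 and 132.108.3.0/24?
Q31_OPTIONS = {
    "A": ("132.108.0.0", "0.0.1.255"),
    "B": ("132.108.0.0", "0.0.3.255"),
    "C": ("132.108.2.0", "0.0.0.255"),
    "D": ("132.108.4.0", "0.0.3.255"),
}
REQUIRED = {"132.108.2.0/24", "132.108.3.0/24"}


def q31_options_covering_required() -> List[str]:
    return sorted(opt for opt, (base, wc) in Q31_OPTIONS.items()
                  if REQUIRED <= set(covered_24s(base, wc)))


# Question 15: access-list 16 gates read-write SNMP; the request in the log came from 10.1.1.1
ACL_16 = [("permit", "10.1.1.2", "0.0.0.0")]          # as configured in the exhibit
ACL_16_FIXED = [("permit", "10.1.1.1", "0.0.0.0")]    # after the change the answer calls for

if __name__ == "__main__":
    for opt, (base, wc) in Q31_OPTIONS.items():
        print(opt, base, wc, "->", covered_24s(base, wc))
    print("covers both:", q31_options_covering_required())                                # ['B']
    print("10.1.1.1 allowed by ACL 16:", standard_acl_permits(ACL_16, "10.1.1.1"))         # False
    print("10.1.1.1 allowed after fix:", standard_acl_permits(ACL_16_FIXED, "10.1.1.1"))   # True
```

Because the match is bitwise, a wildcard such as 0.0.254.255 would select only the even-numbered /24s of a /16; this is why a practitioner checks an access-list entry against the exact addresses in question rather than reading the mask as a prefix length.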

Question 32
Which routing protocol is used by the PE router to advertise routes to a CE router without
redistribution or static after removing the RD tag from the P router?

A. IS-IS
B. OSPF
C. BGP IPv4
D. MP-BGP

Answer: C

Explanation

We can use BGP as the routing protocol between PE and CE so that we don’t need to redistribute from
other routing protocols (like OSPF, IS-IS…) into BGP and vice versa. A good example can be found
at https://journey2theccie.wordpress.com/2020/05/05/pe-ce-routing-with-bgp/

Question 33

Refer to the exhibit.


The IT manager received reports from users about slow application through network X. Which action
resolves the issue?

A. Use the variance 2 command to enable load balancing.


B. Increase the bandwidth from the service provider.
C. Move the servers into the users subnet.
D. Upgrade the IOS on router E.

Answer: A

Explanation

With above topology, Users will use the Router E -> Router C -> Router A to reach network X.

To use additional paths with EIGRP (unequal-cost load balancing), a path must first satisfy the
feasibility condition: the Advertised Distance (AD, also called the reported distance) that the neighbor
reports must be lower than the Feasible Distance (FD) of the current successor route.

In this question, only the path Router E -> Router B -> Router A has AD = 10 (the cost from Router B
to Router A) and is lower than the FD of the current successor route, which is 10 + 10 = 20.

The path Router E -> Router D -> Router A has AD of 25 > FD of the current successor route so it
does not satisfy the feasibility condition.

If we use “variance” command then the following rule must be satisfied so that the new path becomes
a successor route:

FD of feasible successor < FD of successor * multiplier


In this question:
+ FD of feasible successor is 20 + 10 = 30
+ FD of successor * multiplier is 20 * 2 = 40

so with “variance 2” the path Router E -> Router B -> Router A will become a successor route.

Note:
Advertised distance (AD): the cost from the neighbor to the destination.
Feasible distance (FD): The sum of the AD plus the cost between the local router and the next-hop
router
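As an added example that is not part of the original question, the Python below applies the two rules from this explanation to the costs quoted above: the feasibility condition that selects feasible successors, and the variance multiplier that decides which of them are installed. The link cost from Router E to Router D is not given on the page and is assumed to be 10; only its advertised distance of 25 matters for the result.

```python
from typing import Dict, List, Tuple

# neighbor -> (cost of the link from Router E to that neighbor, distance the neighbor advertises
# to network X). C and B follow the explanation above; the E->D link cost of 10 is an assumption.
TOPOLOGY: Dict[str, Tuple[int, int]] = {
    "C": (10, 10),   # FD 20: current successor
    "B": (20, 10),   # FD 30, AD 10 < 20: feasible successor
    "D": (10, 25),   # AD 25 >= 20: fails the feasibility condition whatever the variance
}


def feasible_distance(link_cost: int, advertised: int) -> int:
    return link_cost + advertised


def classify(topology: Dict[str, Tuple[int, int]]):
    """Return (successor FD, successors, feasible successors).
    Feasibility condition: a neighbor's advertised distance must be strictly less than
    the feasible distance of the current successor."""
    fds = {n: feasible_distance(*costs) for n, costs in topology.items()}
    best = min(fds.values())
    successors = sorted(n for n, fd in fds.items() if fd == best)
    feasible = sorted(n for n, (_, ad) in topology.items() if n not in successors and ad < best)
    return best, successors, feasible


def installed_paths(topology: Dict[str, Tuple[int, int]], variance: int = 1) -> List[str]:
    """Paths placed in the routing table: the successors, plus every feasible successor whose
    own FD is below successor FD * variance (strict '<', as in the explanation above)."""
    best, successors, feasible = classify(topology)
    extra = [n for n in feasible if feasible_distance(*topology[n]) < best * variance]
    return sorted(successors + extra)


def minimum_variance(topology: Dict[str, Tuple[int, int]], neighbor: str) -> int:
    """Smallest integer variance that installs `neighbor`, or 0 when the feasibility condition
    rules it out: no variance value can make a non-feasible path usable."""
    best, _, feasible = classify(topology)
    if neighbor not in feasible:
        return 0
    fd = feasible_distance(*topology[neighbor])
    return fd // best + 1      # smallest v such that best * v > fd


if __name__ == "__main__":
    print(classify(TOPOLOGY))                # (20, ['C'], ['B'])
    print(installed_paths(TOPOLOGY))         # ['C']
    print(installed_paths(TOPOLOGY, 2))      # ['B', 'C']
    print(minimum_variance(TOPOLOGY, "B"))   # 2
    print(minimum_variance(TOPOLOGY, "D"))   # 0
```

The last function makes the point the exam is after: raising the variance never helps a path that fails the feasibility condition, because the condition is what guarantees the alternate path is loop-free.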
Question 34

Which router attaches the VPN label to incoming packets from CE routing?

A. CE router
B. core router
C. P router
D. PE router

Answer: D

Question 35

A company is redesigning WAN infrastructure so that all branch sites must communicate via the head
office and the head office can directly communicate with each site independently. The network
engineer must configure the head office router by considering zero-touch technology when adding new
sites in the same WAN infrastructure. Which configuration must be applied to the head office router to
meet this requirement?

A. interface Tunnel0
tunnel mode ip
ip nhrp map multicast dynamic

B. interface Tunnel0
tunnel mode dvmrp
ip nhrp redirect

C. interface Tunnel0
tunnel mode ip
ip nhrp redirect

D. interface Tunnel0
tunnel mode gre multipoint
ip nhrp map multicast dynamic

Answer: D

Explanation

On the hub, the tunnel interface must be point-to-multipoint (“tunnel mode gre multipoint”) so that
multiple spokes, each still point-to-point towards the hub, can terminate on a single hub interface.
“ip nhrp map multicast dynamic” lets the hub learn each spoke's NBMA address when the spoke registers,
which is what allows new sites to be added without touching the hub configuration (zero-touch from the
hub's perspective).

Question 36

Refer to the exhibit.


An engineer configured NetFlow but cannot receive the flows from R1. Which two configurations
resolve the issue? (Choose two)

A. R1(config)#flow exporter FlowExporter1


R1(config-flow-exporter)#destination 10.66.60.66

B. R4(config)#ip access-list extended DDOS


R4(config-ext-nacl)#5 permit udp any host 10.66.66.66 eq 1090

C. R3(config)#flow exporter FlowExporter1


R3(config-flow-exporter)#destination 10.66.66.66

D. R3(config)#ip access-list extended DDOS


R3(config-ext-nacl)#5 permit udp any host 10.66.66.66 eq 1090

E. R4(config)#flow exporter FlowExporter1


R4(config-flow-exporter)#destination 10.66.66.66

Answer: C D

Explanation

From the “R1#sh flow interface” we see interface E0/0 (secondary link) is exporting NetFlow traffic,
not E0/1 so the change should be made on R3, not R4.

From the output “show flow exporter” on R1, we notice that the destination IP address is not correct.
The NMS server IP address should be 10.66.66.66, not 10.60.66.66. Therefore we have to change this
information under “flow exporter …” configuration.

NetFlow configuration reference: https://www.cisco.com/c/en/us/td/docs/ios-


xml/ios/fnetflow/configuration/15-mt/fnf-15-mt-book/cfg-de-fnflow-exprts.html

We also see that R3 and R4 block UDP ports 1024 to 65535, while NetFlow here uses UDP port 1090 (from
the line “Destination Port: 1090” of the “R1#show flow exporter” output), so the export must be
permitted explicitly in the ACL on the path that carries it.

Question 37

Refer to the exhibit.

crypto isakmp policy 1


authentication pre-share
crypto isakmp key cisco47 address 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
mode transport
!
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
ip mtu 1400
ip nhrp authentication donttell
ip nhrp map multicast dynamic
ip nhrp network-id 99
ip nhrp holdtime 300
no ip split-horizon eigrp 1
ip tcp adjust-mss 1360
delay 1000
tunnel source Gigabitethernet 0/0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface FastEthernet0/0/0
ip address 172.17.0.1 255.255.255.0
!
interface FastEthernet0/0/1
ip address 192.168.0.1 255.255.255.0
!
router eigrp 1
network 10.0.0.0 0.0.0.255
network 192.168.0.0 0.0.0.255
!

A network administrator must configure DMVPN tunnels between the hub and spoke with dynamic
spoke-to-spoke tunnel capabilities using EIGRP. Which tunnel interface command must the network
administrator configure to establish an EIGRP peer?

A. no ip next-hop-self eigrp 1
B. ip next-hop-self eigrp 1
C. no ip nhrp next-hop-self
D. ip nhrp next-hop-self

Answer: A

Explanation
DMVPN Phase 2 Spoke-to-Spoke Implementation

In spoke-to-spoke routing configuration, spokes do not directly exchange routing information with
each other, even though they may be on the same logical subnet (that is tunnel IP address range)
with each other. You need to enable a few commands to ensure that routing functions correctly and
spokes use the correct next hop IP address.

Notice the addition of the command no ip next-hop-self eigrp. This command tells the hub router
that, when it re-advertises the subnets received from one spoke back out to the other spokes, it should
not replace the next hop with its own address but should leave the original next hop provided by the
spoke, so that spokes build tunnels directly to each other.

Two points in the exhibit deserve a caveat from a security standpoint: the transform set uses single
DES with MD5 HMAC (esp-des esp-md5-hmac), and the pre-shared key is accepted from any peer address
(crypto isakmp key cisco47 address 0.0.0.0). Both come from the classic Cisco DMVPN reference
configuration; a production hub should use AES and SHA-2 transforms and, where possible, per-peer or
certificate-based IKE authentication.

Reference: https://www.pearsonitcertification.com/articles/article.aspx?p=3129283&seqNum=7

Question 38

What is a MPLS PHP label operation?

A. Downstream node signals to remove the label


B. It improves P router performance by not performing multiple label lookup
C. It uses implicit-NULL for traffic congestion from source to destination forwarding
D. PE removes the outer label before sending to the P router

Answer: A

Explanation

PHP (penultimate hop popping) means removing the label one hop before the destination: the outermost
label of an MPLS-tagged packet is popped by the last Label Switch Router (LSR) on the path before the
packet is passed to the adjacent Label Edge Router.

Answer B is not correct as it improves PE router performance only.

Answer C is not correct as it is not used for traffic congestion.

Answer D is not correct as P router removes the outer label (pop), not PE.

Question 39

Which router translates the customer routing information into VPNv4 routes to exchange VPNv4 routes
with other devices through MP-BGP?

A. PE
B. CE
C. P
D. VPNv4 RR

Answer: A

Question 40

Refer to the exhibit.

RD#show ip bgp 192.168.1.1


Advertised to update-groups:
3
65101
10.10.10.2 (metric 2) from 10.10.10.2 (10.10.10.2)
Origin IGP, metric 100, localpref 100, weight 65535, valid, external,
best
65101
10.0.0.17 (metric 2) from 10.10.10.6 (172.16.20.1)
Origin IGP, metric 0, localpref 100, valid, internal

RB#show ip bgp 192.168.1.1


BGP routing table for 192.168.1.1/32, version 10
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Advertised to update-groups:
2
Local
10.10.10.1 (metric 2) from 10.10.10.1 (192.168.1.1)
Origin IGP, metric 0, localpref 100, valid, internal, best

A customer finds that traffic from the application server (192.168.1.1) to the HUB site passes through
a congested path that causes random packet drops. The NOC team influences the BGP path with MED
on RB. But RD still sees that traffic coming from RA is not taking an alternate route. Which
configuration resolves the issue?

A. RD(config)#router bgp 65201


RD(config-router)#no neighbor 10.10.10.2 weight 65535

B. RB(config)#router bgp 65101


RB(config-router)#no neighbor 10.10.10.3 route-map HIGH-LP out

C. RB(config)#router bgp 65101


RB(config-router)#neighbor 10.10.10.3 weight 50

D. RC(config)#router bgp 65101


RC(config-router)#neighbor 10.10.10.6 route-map HIGH-LP out

Answer: A

Explanation

From the output we see traffic from the application server is still using the upper path (RA -> RB ->
RD -> RF). We can also see a very high “weight” 65535 on RD for the neighbor RB so RD is choosing
RB as its best path. Therefore we need to remove this weight first.
Question 41

Refer to the exhibit.

R1(config)#ip prefix-list EIGRP seq 10 permit 10.0.0.0/8


R1(config)#ip prefix-list EIGRP seq 20 deny 0.0.0.0/0 le 32
R1(config)#router eigrp 10
R1(config-router)#distribute-list prefix EIGRP in Ethernet0/0

R1#show ip route eigrp | include 10.


D EX 10.0.0.0/8 [170/2665332] via 192.168.10.1, 00:00:10, Ethernet0/0

An engineer applies a prefix-list filter that filters most of the network 10 prefixes instead of allowing
them. Which action resolves the issue?

A. Modify the ip prefix-list EIGRP seq 10 permit 10.0.0.0/8 le 9 command


B. Modify the ip prefix-list EIGRP seq 10 permit 10.0.0.0/8 le 32 command
C. Modify the ip prefix-list EIGRP seq 20 permit 0.0.0.0/0 le 32 command
D. Modify the ip prefix-list EIGRP seq 20 permit 10.0.0.0/8 ge 9 command

Answer: B
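The filter behaves this way because a prefix-list entry without ge or le matches only a route of exactly that length: “permit 10.0.0.0/8” passes the 10.0.0.0/8 route seen in the show output and nothing more specific, and every other 10.x prefix falls to the “deny 0.0.0.0/0 le 32” entry. The Python below, an added example that is not part of the page or of Cisco's software, models those matching rules and runs each answer option over a constructed set of routes.

```python
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# (action, prefix, ge, le) as in `ip prefix-list NAME seq N permit A.B.C.D/L [ge G] [le L]`
Entry = Tuple[str, str, Optional[int], Optional[int]]


def entry_matches(entry: Entry, route: str) -> bool:
    """Cisco prefix-list matching: the route must lie inside the entry's network, and its length
    must equal the entry length when neither ge nor le is given; otherwise it must fall in
    [ge, le], with ge defaulting to the entry length and le defaulting to 32."""
    _, net, ge, le = entry
    n, r = IPv4Network(net), IPv4Network(route)
    if not r.subnet_of(n):
        return False
    if ge is None and le is None:
        return r.prefixlen == n.prefixlen
    lo = ge if ge is not None else n.prefixlen
    hi = le if le is not None else 32
    return lo <= r.prefixlen <= hi


def prefix_list_action(entries: List[Entry], route: str) -> str:
    """First matching entry wins; a route that matches nothing hits the implicit deny."""
    for entry in entries:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"


def accepted(entries: List[Entry], routes: List[str]) -> List[str]:
    """What `distribute-list prefix ... in` leaves in the EIGRP topology table."""
    return [r for r in routes if prefix_list_action(entries, r) == "permit"]


# Constructed sample of what the neighbor 192.168.10.1 might advertise (not from the page)
SAMPLE_ROUTES = ["10.0.0.0/8", "10.1.0.0/16", "10.1.1.0/24", "10.200.5.128/25",
                 "192.168.10.0/24", "172.16.0.0/12"]

# The filter from the exhibit: only the exact 10.0.0.0/8 route survives, as the show output confirms
AS_CONFIGURED: List[Entry] = [("permit", "10.0.0.0/8", None, None), ("deny", "0.0.0.0/0", None, 32)]

# The four answer options, each written out as the complete two-entry list after the change
OPTIONS = {
    "A": [("permit", "10.0.0.0/8", None, 9), ("deny", "0.0.0.0/0", None, 32)],
    "B": [("permit", "10.0.0.0/8", None, 32), ("deny", "0.0.0.0/0", None, 32)],
    "C": [("permit", "10.0.0.0/8", None, None), ("permit", "0.0.0.0/0", None, 32)],
    "D": [("permit", "10.0.0.0/8", None, None), ("permit", "10.0.0.0/8", 9, None)],
}

if __name__ == "__main__":
    print("as configured:", accepted(AS_CONFIGURED, SAMPLE_ROUTES))   # ['10.0.0.0/8']
    for name, entries in OPTIONS.items():
        print(name, accepted(entries, SAMPLE_ROUTES))
```

On this sample, Option A still admits only the /8 (le 9 allows /8 and /9), Option C removes the filter entirely by permitting everything, and Option D admits the same routes as Option B because the exact /8 at sequence 10 and the “ge 9” entry at sequence 20 together span /8 to /32 while the implicit deny replaces the removed explicit one. Option B is the single-entry form the question expects.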

Question 42

Refer to the exhibit.

ip prefix-list 1 permit 172.16.0.0/16
ip prefix-list 2 permit 192.168.2.0/24
!
route-map RED permit 10
match ip address prefix-list 1
set ip next hop 10.1.1.1
continue 20
exit
!
route-map RED permit 20
match ip address prefix-list 2
set ip next hop 10.2.2.2
end

The forwarding entries show that the next hop for prefixes from the 172.16.0.0/16 network is set to
10.2.2.2 instead of 10.1.1.1. Which action resolves the issue?

A. Add set ip next hop 10.1.1.1 in route-map RED permit 20
B. Add the continue statement in route-map RED permit 10 instead of continue 20
C. Remove match ip address prefix-list 1 from route-map RED permit 10
D. Remove the continue 20 statement from route-map RED permit 10

Answer: D

Explanation
The “continue [sequence-number]” statement configures a route map to continue to evaluate and
execute match statements after a successful match occurs. If a sequence number is configured, the
continue clause will go to the route map with the specified sequence number.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book/bgp_route-map_continue.pdf

You can also find the same configuration as in this question at this link: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/15-mt/irg-15-mt-book/irg-route-map-continue.html
“In this example, the same set command is repeated in subsequent continue clause entries, but the
behavior is different from the first example. For set commands that configure an absolute value, the
value from the last instance will overwrite the previous value(s). The following example illustrates this
behavior. The set clause value in sequence 20 overwrites the set clause value from sequence 10. The
next hop for prefixes from the 172.16/16 network is set to 10.2.2.2, not 10.1.1.1.

ip prefix-list 1 permit 172.16.0.0/16
ip prefix-list 2 permit 192.168.1.0/24
route-map RED permit 10
match ip address prefix-list 1
set ip next hop 10.1.1.1
continue 20
exit
route-map RED permit 20
match ip address prefix-list 2
set ip next hop 10.2.2.2
end“

Note: This is the most suitable answer but we think there is an error. As the “continue 20” statement
tells the router to check the “route-map RED permit 20”. But there is a “match ip address prefix-list 2”
here and surely it cannot be matched because the prefix must be in 172.16.0.0/16 range. So the “set
ip next hop 10.2.2.2” command will be ignored.

Question 43

Which technique removes the outermost label of an MPLS-tagged packet before the packet is
forwarded to an adjacent LER?

A. label swap
B. explicit-null
C. label imposition
D. PHP

Answer: D

Question 44

Refer to the exhibit.


ISP(config)#ip vrf EA
ISP(config-vrf)#ip vrf EB

ISP(config-if)#router ospf 100 vrf EA
ISP(config-router)#net 172.16.100.0 0.0.0.255 area 0
ISP(config-router)#net 172.16.200.0 0.0.0.255 area 0
ISP(config-router)#exit

ISP(config-if)#router ospf 200 vrf EB
ISP(config-router)#net 172.16.100.0 0.0.0.255 area 0
ISP(config-router)#net 172.16.200.0 0.0.0.255 area 0
ISP(config-router)#end

A network engineer is provisioning end-to-end traffic service for two different enterprise networks with
these requirements. The OSPF process must differ between customers on HQ and Branch office
routers, and adjacencies should come up instantly. The enterprise networks are connected with
overlapping networks between HQ and a branch office. Which configuration meets the requirements
for a customer site?

Option A
ISP(config)#int f3/0
ISP(config-if)#ip vrf forwarding EA
ISP(config-if)#description TO->EA2_Branch
ISP(config-if)#ip address 172.16.200.2 255.255.255.0
ISP(config-if)#no shut

Option B
ISP(config)#int f2/0
ISP(config-if)#ip vrf forwarding EA
ISP(config-if)#description TO->EA1_HQ
ISP(config-if)#ip address 172.16.100.2 255.255.255.0
ISP(config-if)#no shut

Option C
ISP(config)#int f0/0
ISP(config-if)#ip vrf forwarding EB
ISP(config-if)#description TO->EB1_HQ
ISP(config-if)#ip address 172.16.100.2 255.255.255.0
ISP(config-if)#no shut

Option D
ISP(config)#int f1/0
ISP(config-if)#ip vrf forwarding EA
ISP(config-if)#description TO->EA2_HQ
ISP(config-if)#ip address 172.16.200.2 255.255.255.0
ISP(config-if)#no shut

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

This question requirement is hard to understand. But it asks about the configuration for the “customer
site” so the IP address must be 172.16.200.2/24 -> Only Option A and Option D are correct.

From the router labels, we can guess A1-HQ and A2-Branch routers belong to one customer (VRF EA)
while B1-HQ and B2-Branch belong to another customer (VRF EB). But in option A interface f3/0 was
configured in VRF EB which is not correct. In Option D the configuration was correct as interface f1/0
belongs to VRF EA.

Question 45

Refer to the exhibit.


The R1 routing table has the prefixes for the FTP1 and FTP2 file servers. A network engineer must
configure the R1 with these requirements:
Host1 must use the FTP1 fileserver.
Host2 must use the FTP2 fileserver.
Which configuration meets the requirement on R1?

Option A
ip access-list extended FTP1_R1
permit ip host 10.10.10.11 host 10.10.100.11
ip access-list extended FTP2_R1
permit ip host 10.10.10.22 host 10.10.200.22
!
route-map PBR_FTP permit 10
match ip address FTP1_R1
set ip next-hop 10.10.40.1
route-map PBR_FTP permit 20
match ip address FTP2_R1
set ip next-hop 10.10.30.1
!
ip local policy route-map PBR_FTP

Option B
ip access-list extended FTP1_R1
permit ip host 10.10.10.11 host 10.10.100.11
ip access-list extended FTP2_R1
permit ip host 10.10.10.22 host 10.10.200.22
!
route-map PBR_FTP permit 10
match ip address FTP1_R1
set ip next-hop 10.10.30.1
!
route-map PBR_FTP permit 20
match ip address FTP2_R1
set ip next-hop 10.10.40.1
!
ip local policy route-map PBR_FTP

Option C
ip access-list extended FTP1_R1
permit ip host 10.10.10.11 host 10.10.100.11
ip access-list extended FTP2_R1
permit ip host 10.10.10.22 host 10.10.200.22
!
route-map PBR_FTP permit 10
match ip address FTP1_R1
set ip next-hop 10.10.30.1
!
route-map PBR_FTP permit 20
match ip address FTP2_R1
set ip next-hop 10.10.40.1
!
interface GigabitEthernet0/0
ip policy route-map PBR_FTP

Option D
ip access-list extended FTP1_R1
permit ip host 10.10.10.11 any
ip access-list extended FTP2_R1
permit ip host 10.10.10.22 any
route-map PBR_FTP permit 10
match ip address FTP1_R1
set ip next-hop 10.10.30.1
!
route-map PBR_FTP permit 20
match ip address FTP2_R1
set ip next-hop 10.10.40.1
!
interface GigabitEthernet0/0
ip policy route-map PBR_FTP

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

The “ip local policy route-map” command is used to policy-route traffic generated locally on the router.
The “ip policy route-map” looks at traffic entering an interface and policy-routes accordingly.

Therefore in this question we have to use “ip policy route-map”. We cannot route all the traffic from
these two hosts to the FTP servers because they still need to access the Internet -> Only Option C is
correct.

Question 46

Refer to the exhibit.


Router R1 peers with two ISPs using static routes to get to the internet. The requirement is that R1
must prefer ISP-A under normal circumstances and failover to ISP-B if the connectivity to ISP-A is
lost. The engineer observes that R1 is load balancing traffic across the two ISPs. Which action resolves
the issue by sending traffic to ISP-A only with failover to ISP-B?

A. Configure OSPF between R1, ISP-A, and ISP-B for dynamic failover if any ISP link to R1 fails
B. Configure two static routes on R1, one pointing to ISP-A and another pointing to ISP-B with 222
admin distance
C. Change the bandwidth of the interface on R1 so that interface to ISP-A has a higher value than the
interface to ISP-B
D. Configure two static routes on R1, one pointing to ISP-B with more specific routes and another
pointing to ISP-A with summary routes

Answer: B

Question 47

Refer to the exhibit.

R2# show ip eigrp topology 10.1.3.0 255.255.255.0
IP-EIGRP (AS 1): topology entry for 10.1.3.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 307200
Routing Descriptor Blocks:
10.1.2.3 (Ethernet0), from 10.1.2.3, Send flag is 0x0
Composite metric is (307200/281600), Route is Internal
Vector metric:
Minimum bandwidth is 10000 Kbit
Total delay is 2000 microseconds
Reliability is 255/255
Load is 1/255
Hop count is 1
10.1.2.4 (Ethernet0), from 10.1.2.4, Send flag is 0x0
Composite metric is (312320/204720), Route is Internal
Vector metric:
Minimal bandwidth is 10000 Mbit
Total delay is 2200 microseconds
Reliability is 255/255
Load is 1/255
Minimum MTU is 1500
Hop count is 1

A network is configured for EIGRP equal-cost load balancing, but the traffic destined to the servers is
not load balanced. Link metrics from router R2 to R3 and R4 are the same. Which delay value must be
configured to resolve the issue?

A. 208 on R3 E0/0
B. 120 on R4 E0/1
C. 120 on R3 E0/1
D. 2200 on R4 E0/1

Answer: D (?)

Explanation

From the output we see only the “total delay” is different from two paths so we just need to set the
same delay value on both paths for load balancing. But there is no correct answer in this question as
we have to set delay value to 2200 on R3 E0/1 (not on R4) or set delay value to 2000 on R4 E0/1.
Maybe there was a typo (R3 instead of R4) for the answer D of this question so we chose it.

Note: Just for your information, this is how to calculate the EIGRP metric:

The simple formula for calculating the EIGRP metric is (by default K1 = 1, K2 = 0, K3 = 1, K4 = 0, K5 = 0,
which means that the default values use only the bandwidth and delay parameters while the others are
ignored):

In this question, from the exhibit we can calculate the first metric from 10.1.2.3 as:
metric = [(10,000,000 / 10,000) + (2,000 / 10)] * 256 = (1000 + 200) * 256 = 307,200

And the second metric from 10.1.2.4 is:
metric = [(10,000,000 / 10,000) + (2,200 / 10)] * 256 = (1000 + 220) * 256 = 312,320

We have a detailed tutorial on calculating the EIGRP metric at https://www.9tut.com/eigrp-routing-protocol-tutorial/3
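Added illustration (this code is not from the question bank or from Cisco): the classic EIGRP composite metric carried through in Python with the K values above, reproducing the two numbers from the exhibit and checking whether a set of paths qualifies for equal-cost load balancing. The function names and the "fixed" path set with equal delays are this example's own; the bandwidth and delay values come from the exhibit.

```python
def eigrp_classic_metric(min_bw_kbit: int, total_delay_usec: int,
                         reliability: int = 255, load: int = 1,
                         k1: int = 1, k2: int = 0, k3: int = 1,
                         k4: int = 0, k5: int = 0) -> int:
    """Classic (32-bit) EIGRP composite metric.

    metric = [K1*BW + (K2*BW)/(256-load) + K3*delay] * [K5/(reliability+K4)] * 256
    with BW = 10^7 / min_bw_kbit and delay = total_delay_usec / 10 (tens of
    microseconds). The K5 factor is applied only when K5 != 0, and the
    intermediate results are truncated to integers as IOS does.
    """
    bw = 10_000_000 // min_bw_kbit
    delay = total_delay_usec // 10
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay
    if k5 != 0:
        metric = (metric * k5) // (reliability + k4)
    return metric * 256


def path_metrics(paths: dict) -> dict:
    """Composite metric per path; paths maps a label to (min_bw_kbit, total_delay_usec)."""
    return {name: eigrp_classic_metric(bw, delay) for name, (bw, delay) in paths.items()}


def equal_cost_paths(paths: dict) -> bool:
    """True when every path has the same composite metric, the condition for
    EIGRP equal-cost load balancing (no 'variance' involved)."""
    return len(set(path_metrics(paths).values())) == 1


# Values from the exhibit: bandwidth in Kbit, total delay in microseconds.
EXHIBIT_PATHS = {"via 10.1.2.3": (10_000, 2_000), "via 10.1.2.4": (10_000, 2_200)}
# Constructed: the same total delay on both paths, as the explanation calls for.
FIXED_PATHS = {"via 10.1.2.3": (10_000, 2_200), "via 10.1.2.4": (10_000, 2_200)}

if __name__ == "__main__":
    for name, metric in path_metrics(EXHIBIT_PATHS).items():
        print(f"{name}: {metric}")
    print("exhibit paths equal-cost:", equal_cost_paths(EXHIBIT_PATHS))
    print("fixed paths equal-cost:  ", equal_cost_paths(FIXED_PATHS))
```

One caveat when acting on the result: the topology table reports total delay in microseconds, while the IOS interface `delay` command takes its value in tens of microseconds, so match the units before changing an interface.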

Question 48

Refer to the exhibit.

R1#
*Jan 15 19:45:17.027: TPLUS: Queuing AAA Authentication request 20 for processing
*Jan 15 19:45:17.031: TPLUS: processing authentication start request id 20
*Jan 15 19:45:17.031: TPLUS: Authentication start packet created for 20()
*Jan 15 19:45:17.031: Using server 172.20.32.1
*Jan 15 19:45:17.035: TPLUS(00000014)/0/NB_WAIT/68937BB0: Started 5 sec timeout
*Jan 15 19:45:17.035: TPLUS(00000014)/0/NB_WAIT/68937BB0: timed out
*Jan 15 19:45:17.035: TPLUS(00000014)/0/NB_WAIT/68937BB0: timed out, clean up
*Jan 15 19:45:17.035: TPLUS(00000014)/0/68937BB0: Processing the reply packet

R2#
R2#telnet 192.168.1.1
Trying 192.168.1.1 ... Open
% Authorization failed.
[Connection to 192.168.1.1 closed by foreign host]

A network engineer is troubleshooting an AAA authentication issue for R1 from R2. When an engineer
tries to open a telnet connection to R1 it opens the connection but shows a %Authorization
failed error message on the terminal and closes the connection silently. Which action resolves the
issue?

A. Resolve tacacs+ server host IP authentication miss configuration on the R1 router
B. Resolve tacacs+ server reachability from the R1 router
C. Configure the tacacs+ server host IP on the R1 router
D. Configure authorization commands in the tacacs+ server for the R1 router

Answer: B

Explanation

From the logging messages on R1, we see the authentication process was not successful
(“Authentication start” but “timed out”).

In the next output we see R2 is trying to telnet to R1 but gets “Authorization failed”.

So we learn that both “Authentication” and “Authorization” failed when R1 contacts the TACACS+
server. Maybe R1 then fell back to the local database for authentication, so R2 can still connect to
R1 and only authorization failed.

The most likely cause of this problem is that we need to use the command “ip tacacs source-interface …” to
configure an interface as the source IP address from which the TACACS+ client establishes
connections with TACACS+ servers, so the best answer should be answer B.

Question 49

Refer to the exhibit.


R1 uses SP1 as the primary path. A network engineer must force all SSH traffic generated from R1
toward SP2. Which configuration accomplishes the task?

Option A
ip access-list extended match_SSH
permit tcp any any eq 22
!
route-map PBR_SSH permit 10
match ip address match_SSH
set ip next-hop 10.20.20.1
!
interface Gig0/0
ip policy route-map PBR_SSH

Option B
ip access-list extended match_SSH
permit tcp any any eq 22
!
route-map PBR_SSH permit 10
match ip address match_SSH
set ip next-hop 10.10.10.1
!
ip local policy route-map PBR_SSH

Option C
ip access-list extended match_SSH
permit tcp any any eq 22
!
route-map PBR_SSH permit 10
match ip address match_SSH
set ip next-hop 10.20.20.1
!
ip local policy route-map PBR_SSH

Option D
ip access-list extended match_SSH
permit tcp any any eq 22
!
route-map PBR_SSH permit 10
match ip address match_SSH
set ip next-hop 10.20.20.1
!
interface Gig0/1
ip policy route-map PBR_SSH

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

The SSH traffic is generated by the local router, so we have to use the command “ip local policy …”. This
command is used in global configuration mode, not interface mode.

With traffic matching SSH we need to set the next-hop IP to 10.20.20.1 for SP2.

Question 50

Refer to the exhibit.

R6#
*Sep 6 05:31:58.891: BGP: 10.0.0.17 went from Idle to Active
*Sep 6 05:31:58.895: BGP: 10.0.0.17 open active, local address 10.0.0.10
*Sep 6 05:31:58.907: BGP: 10.0.0.17 read request no-op
*Sep 6 05:31:58.911: BGP: 10.0.0.17 went from Active to OpenSent
*Sep 6 05:31:58.911: BGP: 10.0.0.17 sending OPEN, version 4, my as: 65201, holdtime 180 seconds
*Sep 6 05:31:58.911: BGP: 10.0.0.17 send message type 1, length (incl. header) 53
*Sep 6 05:31:58.927: BGP: 10.0.0.17 remote close
*Sep 6 05:31:58.931: BGP: 10.0.0.17 ~reset the session
*Sep 6 05:31:58.931: BGPNSF state: 10.0.0.17 went from nsf_not_active to nsf_not_active

R5#
*Sep 6 05:31:58.063: BGP: 10.0.0.18 passive open to 10.0.0.17
*Sep 6 05:31:58.063: BGP: 10.0.0.18 passive open failed - 10.0.0.17 is not update-source Loopback0's address (10.10.10.5)
*Sep 6 05:31:58.063: BGP: 10.0.0.18 remote connection attempt failed, local address 10.0.0.17

The traffic from spoke to hub is dropping. The operations team observes: the R2-R3 link is down due to
the fiber cut.
R2 and R5 receive traffic from R1 in AS 65101.
R3 and R6 receive traffic from R4 in AS 65201.
Which configuration resolves the issue?

A. R6(config)#router bgp 65101
R6(config-router)#no neighbor 10.0.0.17 update-source Loopback0

B. R5(config)#router bgp 65101
R5(config-router)#no neighbor 10.0.0.18 update-source Loopback0

C. R6(config)#router bgp 65201
R6(config-router)#neighbor 10.10.10.5 remote-as 65101
R6(config-router)#neighbor 10.10.10.5 update-source Loopback0
R6(config-router)#neighbor 10.10.10.5 ebgp-multihop 3

D. R5(config)#router bgp 65101
R5(config-router)#neighbor 10.10.10.6 remote-as 65201
R5(config-router)#neighbor 10.10.10.6 update-source Loopback0
R5(config-router)#neighbor 10.10.10.6 ebgp-multihop 3

Answer: D

Explanation

From the logging messages, we learned that the BGP neighbor relationship between R5 & R6 could not
be established. The reason was “10.0.0.17 is not update-source Loopback0’s address (10.10.10.5)”.

Question 51

Refer to the exhibit.

Configuration
flow exporter Flow-to-collector
destination 192.168.100.17 vrf Mgmt-intf
transport udp 2601
export-protocol netflow-v5
!
flow monitor My-netflow
exporter Flow-to-collector
record netflow ipv4 original-input
!
! and the management interface is configured as follows:
interface GigabitEthernet0
description Management-Interface
vrf forwarding Mgmt-intf
ip address 192.168.100.50 255.255.255.0
negotiation auto

router#sh flow exporter statis
Flow Exporter Flow-to-collector:
Packet send statistics (last cleared 1w4d ago) :
Successfully sent: 0 (0 bytes)
Reason not given: 8696868 (11473670976 bytes)
Client send statistics:
Client: Flow Monitor OeKB-netflow
Records added: 256783312
- failed to send: 256713312
Bytes added: 2783766384
- failed to send: 2783766384
router#

A network administrator configured NetFlow data, but the data is not visible at the NetFlow collector.
Which configuration allows the router to send the records?

A. Configure the management interface in the global routing table to send the records.
B. Configure a different interface to send the records.
C. Configure the NetFlow collector to listen at export-protocol netflow-v5.
D. Rectify NetFlow collector reachability from the management interface.

Answer: B

Explanation

You can’t send NetFlow through the MGMT interface; select another interface and put that interface under
the MGMT VRF, and it will work. From the docs:
Flexible NetFlow export is not supported on the Ethernet management port, Gi0/0.

Reference: https://community.cisco.com/t5/network-management/unable-to-export-netflow-on-
asr1006-gig0-interface/td-p/3880565

Flexible NetFlow export is not supported on the Ethernet management port, GigabitEthernet 0/0.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-
9/configuration_guide/nmgmt/b_169_nmgmt_9300_cg/configuring_flexible_netflow.html

Question 52

An engineer configured VRF-Lite on a router for VRF blue and VRF red. OSPF must be enabled on each
VRF to peer to a directly connected router in each VRF. Which configuration forms OSPF neighbors
over the network 10.10.10.0/28 for VRF blue and 192.168.0.0/30 for VRF red?

Option A
router ospf 1 vrf blue
network 10.10.10.0 0.0.0.15 area 0
router ospf 2 vrf red
network 192.168.0.0 0.0.0.3 area 0

Option B
router ospf 1 vrf blue
network 10.10.10.0 0.0.0.240 area 0
router ospf 2 vrf red
network 192.168.0.0 0.0.0.240 area 0

Option C
router ospf 1 vrf blue
network 10.10.10.0 0.0.0.252 area 0
router ospf 2 vrf red
network 192.168.0.0 0.0.0.240 area 0

Option D
router ospf 1 vrf blue
network 10.10.10.0 0.0.0.3 area 0
router ospf 2 vrf red
network 192.168.0.0 0.0.0.15 area 0

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Question 53

A network administrator successfully established a DMVPN tunnel with one hub and two spokes using
EIGRP. One of the requirements was to enable spoke-to-spoke tunnels through the hub router using
EIGRP. Which configuration command must the engineer configure to meet the requirement?

A. no ip eigrp 1 split-horizon
B. no ip eigrp 1 mode mgre
C. no ip eigrp 1 tunnel-redirect
D. no ip eigrp 1 mode multipoint

Answer: A

Question 54

A network administrator is troubleshooting a failed AAA login issue on a Cisco Catalyst c3560 switch.
When the network administrator tries to log in with SSH using TACACS+ username and password
credentials, the switch is no longer authenticating and is failing back to the local account. Which action
resolves this issue?

A. Configure ip tacacs source-interface GigabitEthernet 1/1
B. Configure ip tacacs source-ip 192.168.100.55
C. Configure ip tacacs-server source-ip 192.168.100.55
D. Configure ip tacacs-server source-interface GigabitEthernet 1/1

Answer: A

Question 55

Refer to the exhibit.


SW100#sh ip bgp ipv6 uni summ
BGP router identifier 100.0.0.1, local AS number 100
BGP table version is 1, main routing table version 1

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
2001:ABC:AABB:1100:1122:1111:2222:AAA1
4 100 6 5 1 0 0 00:00:58 0

SW100#sh ip bgp ipv6 unicast
SW100#

R1#sh ip bgp ipv6 uni
BGP table version is 4, local router ID is 1.1.1.1
Network Next Hop Metric LocPrf Weight Path
* i 2001::4/128 2001::4 0 100 0 300 i
*>i 2002::2/128 2001::2 0 100 0 i
R1#
R1#sh ipv6 route
O 2001::2/128 [110/1]
via FE80::5200:C3FF:FE01:E600, GigabitEthernet0/0
B 2002::2/128 [200/0]
via 2001::2

SW100 cannot receive routes from R1. Which configuration resolves the issue?

Option A
R1
router bgp 100
address-family ipv6
neighbor 2001::2 route-reflector-client
neighbor 2001:ABC:AABB:1100:1122:1111:2222:AAA2 route-reflector-client

R2
router bgp 100
address-family ipv6
neighbor 2001::2
neighbor 2001::1 next-hop-self

Option B
R1
router bgp 100
address-family ipv6
no synchronization

R2
router bgp 100
address-family ipv6
no synchronization

SW100
router bgp 100
address-family ipv6
no synchronization

Option C
R1
router bgp 100
address-family ipv6
neighbor 2001::2 route-reflector-client
neighbor 2001:ABC:AABB:1100:1122:1111:2222:AAA2 route-reflector-client

R2
router bgp 100
address-family ipv6
neighbor 2001::2
neighbor 2001::1 as-override

Option D
R1
router bgp 100
address-family ipv6
redistribute connected

R2
router bgp 100
address-family ipv6
redistribute connected

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

iBGP routers do not re-advertise routes learned via iBGP to other iBGP peers, so SW100 could not
learn routes from its iBGP peer R1. One of the two solutions for this is configuring a Route Reflector on R1.

Question 56

Which control plane process allows the MPLS forwarding state to recover when a secondary RP takes
over from a failed primary RP?

A. MP-BGP uses control plane services for label prefix bindings in the MPLS forwarding table
B. LSP uses NSF to recover from disruption in control plane service
C. FEC uses a control plane service to distribute information between primary and secondary
processors
D. LDP uses SSO to recover from disruption in control plane service

Answer: C

Question 57

Refer to the exhibit.


admin@linux:telnet 198.51.100.64
Trying 198.51.100.64...
Connected to 198.51.100.64.
Escape character is '^]'.

User Access Verification

Password: admin
CPE> exit
Connection closed by foreign host.
admin@linux:~$ ssh 198.51.100.64
[email protected]'s password: admin
Permission denied, please try again.
[email protected]'s password: admin
Permission denied, please try again.
[email protected]'s password: admin
Connection closed by 198.51.100.64 port 22
admin@linux:~$

An administrator can log in to the device using Telnet but the attempts to log in to the same device
using SSH with the same credentials fail. Which action resolves this issue?

A. Configure SSH service on the router
B. Configure transport input all on the VTY lines to allow SSH
C. Configure to use the Telnet user database for SSH as well
D. Configure the VTY lines with login local

Answer: C

Question 58

Refer to the exhibit.


Users in VLAN46 cannot get an IP from the DHCP server. Assume that all the parameters are
configured properly in VLAN 10 and on the DHCP server. Which command on interface VLAN46 allows
users to receive an IP from the DHCP server?

A. ip dhcp-address 10.221.10.10
B. ip dhcp server 10.221.10.10
C. ip helper-address 10.221.10.10
D. ip dhcp relay information trust-all

Answer: C

Question 59

What is a characteristic of IPv6 RA Guard?

A. RA messages are allowed from the host port to the switch
B. It is unable to protect tunneled traffic
C. It filters rogue RA broadcasts from connected hosts
D. It is supported on the egress direction of the switch

Answer: B

Explanation

Restrictions for IPv6 RA Guard
• The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15-mt/ip6f-
15-mt-book/ip6-ra-guard.pdf

Question 60

A network administrator opens a telnet connection to the router and gets the message:

R1#telnet 10.1.1.2
Trying 10.1.1.2 ... Open
(Connection to 10.1.1.2 closed by foreign host)

Router R2 is configured with enable secret and password commands. Which action resolves the issue?

A. Configure the logging synchronous command on line vty.
B. Configure the exec command on line vty.
C. Configure the login local command on line vty
D. Configure the enable password command on line vty.

Answer: C

============================ New Questions (added on 6th-Jan-2023) ============================

Question 61

Refer to the exhibit.


R2#show ip eigrp topology 10.10.10.0 255.255.255.0
IP-EIGRP (AS 1): Topology entry for 10.10.10.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 256005120
Routing Descriptor Blocks:
10.20.20.3 (FastEthernet0/1), from 10.20.20.3, Send flag is 0x0
Composite metric is (256005120/256002560), Route is External
Vector metric:
Minimum bandwidth is 10 Kbit
Total delay is 200 microseconds
Reliability is 10/255
Load is 10/255
Minimum MTU is 10
Hop count is 1
External data:
Originating router is 10.1.1.1
AS number of route is 1
External protocol is OSPF, external metric is 0
Administrator tag is 0 (0x00000000)

R1#sh run | s eigrp
router eigrp 1
router-id 10.1.1.1
network 10.2.2.0 0.0.0.255
no auto-summary

An engineer configured router R3 to redistribute the prefix 10.10.10.0/24 from OSPF into EIGRP. R1
has no connectivity to the prefix. Which action enables receipt of prefixes on R1?

A. R3 is advertising the 10.20.20.0/24 prefix with a TTL of 1, R3 must set the TTL to 2 for this prefix.
B. R1 does not have a neighbor relationship with R2. The EIGRP process should be cleared on R1.
C. Duplicate router IDs on R1 and R3, R1 should modify its router ID.
D. R1 is not receiving the next-hop IP address of R3. R2 must enable the network 10.20.20.0/24
within EIGRP.

Answer: C

Explanation

From the output we see the line “Originating router is 10.1.1.1” for the prefix 10.10.10.0/24. This
prefix was advertised from R3 so we can deduce R3 is using the router-id 10.1.1.1 which is same as
the router-id of R1 (the command “router-id 10.1.1.1” was used on R1). Therefore we must change
the router IDs on these two routers.

Question 62

Refer to the exhibit.

R1#show bgp ipv6 unicast 2001:db8::1/128
BGP routing table entry for 2001:db8::1/128, version 3
Paths: (1 available, best #1, table Global-IPv6-Table)
Not advertised to any peer
Local
2001:db8:33:33::33 (metric 128) from 2001:db8:11:11::11 (1.1.1.1)
Origin IGP, metric 0, localpref 100, valid, internal, best
Originator: 3.3.3.3, Cluster list: 1.1.1.1

An engineer examines the BGP update for the IPv6 prefix 2001:db8::1/128, which should have been
summarized into a /64 prefix. Which sequence of actions achieves the summarization?

A. R1 is a route reflector client of a RR with a router ID of 1.1.1.1, and the originator of the prefix has
a router ID of 3.3.3.3. Both routers belong to different ASs. The prefix is not advertised to any peer
and must be advertised using the network statement on R3

B. R1 is a route reflector with a router ID of 3.3.3.3, and the originator of the prefix is a route reflector
client, which has a router ID of 3.3.3.3. Both routers belong to the same AS Configure an aggregate
address on the router with ID 1.1.1.1 for the prefix

C. R1 is a route reflector with a router ID of 1.1.1.1, and the originator of the prefix is a route
reflector client, which has a router ID of 3.3.3.3. Both routers belong to the same AS Configure an
aggregate address on the router with ID 1.1.1.1 for the prefix

D. R1 is a route reflector client of a RR with a router ID of 1.1.1.1, and the originator of the prefix has
a router ID of 3.3.3.3. Both routers belong to the same AS. Configure an aggregate address on the
router with ID 3 3.3.3 for the prefix

Answer: D

Explanation
R1 is a RR client because the path only shows the word “Local”. If R1 were the RR, it would show “Local,
(Received from a RR-client)”. The word “Local” also tells us this prefix was received from an iBGP peer ->
Answer D is correct.

For your information, this is quoted from https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/113419-ipv6-bgp-rr-00.html

In RR clients:

Whenever an iBGP route is reflected (that is, propagated to another iBGP peer), the router
implementing the route reflector appends 2 non-transitive attributes:

Originator ID:
This is a non-transitive optional BGP attribute. The reflected iBGP route will have the router ID of the
iBGP peer from which the route has been received as its originator ID.
Cluster-ID:
This is a non-transitive optional BGP attribute. The reflected iBGP route will have the router ID of the
RR as its Cluster-ID, if the cluster-id value is not configured.

-> Therefore in this question “Cluster list: 1.1.1.1” means the router-id of the RR is 1.1.1.1.
“Originator: 3.3.3.3” means the source of this packet is from 3.3.3.3.

Question 63

Refer to the exhibit.

RtrA#show ip eigrp topology all-links
IP-EIGRP Topology Table for AS(1)/ID(10.1.6.1)
.....snip.....
P 10.200.1.0/24, 1 successors, FD is 21026560
via 10.1.1.2 (21026560/20514560), Serial1/0
via 10.1.2.2 (46740736/20514560), Serial1/1
via 10.1.3.2 (46740736/46228736), Serial1/2

Which action makes 10.1.3.2 the feasible successor to reach 10.200.1.0/24 for location
S42T657F86F34?

A. Increase path bandwidth lower than 10.1.1.2 and lower than 10.1.2.2 between RtrA and the
destination
B. Increase path bandwidth higher than 10.1.2.2 and lower than 10.1.1.2 between RtrA and the
destination
C. Increase path bandwidth higher than 10.1.1.2 and lower than 10.1.2.2 between RtrA and the
destination
D. Increase path bandwidth higher than 10.1.2.2 and higher than 10.1.1.2 between RtrA and the
destination

Answer: B

Explanation

In the output above, there is only “1 successors, FD is 21026560” so the first entry “via 10.1.1.2
(21026560/20514560), Serial1/0”, is surely this successor. Two entries at the bottom are not the
successors but we are not sure if they are feasible successors. To find it out, we have to compare two
values in the brackets.

We notice that there are 2 numbers inside the brackets (46740736/20514560). The first one is the
metric (or Feasible Distance, FD) from the local router to the destination, the second is the Advertised
Distance (AD) of this route, advertised by the neighbor.

To be a feasible successor, the Advertised Distance (AD) of that route must be less than the Feasible
Distance (FD) of the successor. In the output only 10.1.2.2 satisfies this requirement and becomes the
feasible successor.

This question is not clear when saying “path bandwidth higher than …”. But maybe higher path
bandwidth results in lower FD and AD. If so we only need to make sure the path bandwidth is higher
than 10.1.2.2 (the only feasible successor) and lower than 10.1.1.2 (successor) -> Answer B is
correct.

Note: If we make higher path bandwidth than 10.1.1.2 (successor) then 10.1.3.2 would become the
successor, not become a feasible successor as this question required.
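Added illustration (this code is not from the question bank or from Cisco): a Python parser for the `via` lines of the exhibit's topology table that applies the feasibility condition explained above, then re-evaluates 10.1.3.2 with hypothetical (FD/AD) pairs to show the difference between "becomes a feasible successor" and "takes over as successor". The exhibit lines are copied as the sample input; the what-if numbers are constructed, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Matches lines such as "via 10.1.1.2 (21026560/20514560), Serial1/0"
PATH_RE = re.compile(r"via (\S+) \((\d+)/(\d+)\), (\S+)")

# Lines taken from the exhibit's 'show ip eigrp topology all-links' output.
EXHIBIT_OUTPUT = """
P 10.200.1.0/24, 1 successors, FD is 21026560
        via 10.1.1.2 (21026560/20514560), Serial1/0
        via 10.1.2.2 (46740736/20514560), Serial1/1
        via 10.1.3.2 (46740736/46228736), Serial1/2
"""


def parse_paths(text: str) -> List[dict]:
    """One dict per 'via' line: neighbour, FD (this router's metric via that
    neighbour), AD (the metric the neighbour advertised) and the interface."""
    return [{"via": m.group(1), "fd": int(m.group(2)), "ad": int(m.group(3)),
             "intf": m.group(4)} for m in PATH_RE.finditer(text)]


def classify(paths: List[dict]) -> Dict[str, str]:
    """Apply the feasibility condition: the lowest FD is the successor; any other
    path is a feasible successor only if its AD is strictly below that FD."""
    best_fd = min(p["fd"] for p in paths)
    verdict = {}
    for p in paths:
        if p["fd"] == best_fd:
            verdict[p["via"]] = "successor"
        elif p["ad"] < best_fd:
            verdict[p["via"]] = "feasible successor"
        else:
            verdict[p["via"]] = "not feasible"
    return verdict


def what_if(paths: List[dict], via: str, new_fd: int, new_ad: int) -> str:
    """Re-classify one neighbour after replacing its (FD/AD) pair, e.g. after a
    bandwidth change on that path. The replacement numbers are hypothetical."""
    updated = [dict(p, fd=new_fd, ad=new_ad) if p["via"] == via else p for p in paths]
    return classify(updated)[via]


if __name__ == "__main__":
    paths = parse_paths(EXHIBIT_OUTPUT)
    for via, role in classify(paths).items():
        print(f"{via:10s} {role}")
    # Constructed: AD now below the successor's FD, FD still above it.
    print("10.1.3.2 with (30000000/20000000):", what_if(paths, "10.1.3.2", 30_000_000, 20_000_000))
    # Constructed: FD below the current successor's FD, so it would take over.
    print("10.1.3.2 with (20000000/19000000):", what_if(paths, "10.1.3.2", 20_000_000, 19_000_000))
```

The second what-if is the case the note above warns about: once 10.1.3.2's own metric drops below 21026560 it is no longer a feasible successor but the new successor, and 10.1.1.2 is then re-judged against the new, lower FD.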

Question 64

Refer to the exhibit.


R2# show ip ospf neighbor
R2#
R2# debug ip ospf hello

*Feb 22 23:46:58.699: OSPF-1 HELLO Et1/1: Rcv hello from 10.255.255.1 area 0 10.0.23.1
*Feb 22 23:46:58.703: OSPF-1 HELLO Et1/1: Mismatched hello parameters from 10.0.23.1
*Feb 22 23:46:58.703: OSPF-1 HELLO Et1/1: Dead R 30 C 20, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.0

The connected routers do not show up as OSPF neighbors. Which action resolves the issue?

A. Change the R1 dead timer to 20.
B. Change the R2 dead timer to 20.
C. Change the R2 hello timer to 20.
D. Change the R1 hello timer to 20.

Answer: A

Explanation

“Dead R 30 C 20” means “Dead interval: Received 30, Configured 20” so we can either change local
dead interval to 30 or change remote router R1 dead timer to 20.
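Added illustration (this code is not from the question bank or from Cisco): a small Python routine that reads the `Dead R .. C .., Hello R .. C .. Mask R .. C ..` line from `debug ip ospf hello` output, reports which of the three parameters differ between the received (R) and configured (C) values, and phrases the two possible fixes the explanation describes. The first three lines of the sample input are the exhibit's; the fourth line, with a subnet mask mismatch on a second interface, is constructed, and the router names passed to the remediation helper are assumptions.

```python
import re
from typing import List

# Matches the parameter line IOS prints after "Mismatched hello parameters":
# "OSPF-1 HELLO Et1/1: Dead R 30 C 20, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.0"
PARAMS_RE = re.compile(
    r"OSPF-(\d+) HELLO (\S+): Dead R (\d+) C (\d+), Hello R (\d+) C (\d+) "
    r"Mask R (\S+) C (\S+)")


def hello_mismatches(debug_text: str) -> List[dict]:
    """For every parameter line in the debug output, report which hello
    parameters differ between the received (R) and configured (C) values."""
    findings = []
    for m in PARAMS_RE.finditer(debug_text):
        proc, intf, dead_r, dead_c, hello_r, hello_c, mask_r, mask_c = m.groups()
        received = {"dead": int(dead_r), "hello": int(hello_r), "mask": mask_r}
        configured = {"dead": int(dead_c), "hello": int(hello_c), "mask": mask_c}
        diffs = {k: (received[k], configured[k]) for k in received if received[k] != configured[k]}
        findings.append({"process": int(proc), "interface": intf, "mismatched": diffs})
    return findings


def remediation(finding: dict, local: str = "R2", remote: str = "R1") -> List[str]:
    """Both ways to reconcile each mismatch: set the local (C) value to the
    received one, or set the remote router to the local value."""
    steps = []
    for param, (r_val, c_val) in finding["mismatched"].items():
        steps.append(f"set {param} on {local} {finding['interface']} to {r_val}, "
                     f"or set {param} on {remote} to {c_val}")
    return steps


# Exhibit lines (one neighbour) plus a constructed line with a mask mismatch.
SAMPLE_DEBUG = """
*Feb 22 23:46:58.699: OSPF-1 HELLO Et1/1: Rcv hello from 10.255.255.1 area 0 10.0.23.1
*Feb 22 23:46:58.703: OSPF-1 HELLO Et1/1: Mismatched hello parameters from 10.0.23.1
*Feb 22 23:46:58.703: OSPF-1 HELLO Et1/1: Dead R 30 C 20, Hello R 10 C 10 Mask R 255.255.255.0 C 255.255.255.0
*Feb 22 23:47:10.100: OSPF-1 HELLO Et1/2: Dead R 40 C 40, Hello R 10 C 10 Mask R 255.255.255.252 C 255.255.255.0
"""

if __name__ == "__main__":
    for finding in hello_mismatches(SAMPLE_DEBUG):
        print(finding["interface"], finding["mismatched"])
        for step in remediation(finding):
            print("  ->", step)
```

For the exhibit line the only difference is the dead interval (received 30, configured 20), which is why either answer A (R1 dead timer to 20) or raising R2's dead interval to 30 would restore the adjacency.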

Question 65

Which protocol must be secured with MD-5 authentication across the MPLS cloud to prevent hackers
from introducing bogus routers?

A. MP-BGP
B. LSP
C. RSVP
D. LDP

Answer: D

Explanation

The Label Distribution Protocol (LDP) can also be secured with MD-5 authentication across the MPLS
cloud. This prevents hackers from introducing bogus routers, which would participate in the LDP.

Reference: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-
0/mpls/provisioning/guide/PGmpls1.html

Question 66

Refer to the exhibit.

!
summary-address 10.1.0.0 255.255.0.0
!

The non-area 0 routers in OSPF still receive the more specific routes 10.1.1.0, 10.1.2.0 and 10.1.3.0 from
area 0. Which action resolves the issue?
A. Configure route summarization on OSPF-enabled interfaces
B. Summarize by using the summary-address 10.1.0.0 255.255.252.0 command
C. Summarize by using the area range command on ABRs
D. Configure the summary-address 10.1.0.0 255.255.252.0 command under OSPF process

Answer: C

Explanation

The “summary-address” command only summarizes external routes at the domain boundary (on ASBRs).
To summarize routes at an area boundary (on ABRs), use the command: area area-id range ip-address
mask

Question 67

Refer to the exhibit.

flow exporter EXPORTER-1
destination 172.16.10.2
export-protocol netflow-v9
transport udp 90
exit
!
flow record v4_r1
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport destination-port
collect counter bytes long
collect counter packets long
!
flow monitor FLOW-MONITOR-1
record v4_r1
!
ip cef
!
interface GigabitEthernet0/0/0
ip address 172.16.6.2 255.255.255.0
ip flow monitor FLOW-MONITOR-1 input
!

An engineer configured NetFlow to capture traffic information through the router, but it is not
working as expected. Which action captures the flow information from this router to the collector?

A. Change the interface configuration FLOW-MONITOR-1 from input to output
B. Configure a flow exporter under flow FLOW-MONITOR-1
C. Configure more than one flow exporter destination addresses
D. Change the flow exporter transport protocol from UDP to TCP

Answer: B

Explanation

Flow exporters are created as separate components in a router’s configuration. Exporters are assigned
to flow monitors to export the data from the flow monitor cache to a remote system such as a NetFlow
collector.

As we can see, “flow exporter EXPORTER-1” was defined but it has not been used. We can reference it
inside the flow monitor. For example:

flow monitor FLOW-MONITOR-1
record v4_r1
exporter EXPORTER-1
exit

Question 68
What must a network architect consider for RTs when planning for a single customer full-mesh VPN in
an MPLS Layer 3 network?

A. RT must be globally unique within the same VPN
B. RT must be globally identical within the same VPN
C. RT values must be different from the RD values in the same VPN
D. Each RT value must be identical to an RD value within the same VPN

Answer: A

============================== New Questions (added on 15th-Jan-2023) ==============================

Question 69
Refer to the exhibit.

*Aug 5 23:18:20.264: EIGRP: Neighbor (10.1.2.192) not yet found
*Aug 5 23:19:18.675: Going down: peer 10.1.2.1 total=2 stub 0, iidb-stud=0 iid-all=0
*Aug 5 23:19:18.675: EIGRP: Handle deallocation failure [1]
*Aug 5 23:19:18.675: EIGRP: Neighbor 10.1.2.1 went down on Tunnel1.
*Aug 5 23:19:22.943: EIGRP: New peer 10.1.2.1.
*Aug 5 23:19:22.943: EIGRP: %DUAL-5-NBRCHANGE: EIGRP-IPv4 3111: Neighbor 10.1.2.1 (Tunnel1) is up: new adjacency

Which configuration command establishes an EIGRP neighbor adjacency between the hub and spoke?

A. connected 10.1.2.192 command on spoke router
B. network 10.1.2.192 command on spoke router
C. eigrp-peer 10.1.2.192 command on the hub router
D. neighbor 10.1.2.192 command on hub router

Answer: D

Explanation

Split horizon may be the cause of this problem, so we should configure static EIGRP neighbors between
the hub and the spokes.

Question 70

Refer to the exhibit.


CPE# copy flash:packages.conf ftp://192.0.2.40/
Address or name of remote host [192.0.2.40]?
Destination filename [packages.conf]?
Writing packages.conf
%Error opening ftp://192.0.2.40/packages.conf (Incorrect
Login/Password)
CPE#

An administrator must upload the packages.conf file to an FTP server. However, the FTP server
rejects anonymous access and requires users to authenticate. What are two ways to resolve the
issue? (Choose two)

A. Use the ip ftp username and ip ftp password configuration commands to specify valid FTP server
credentials.
B. Use the copy flash:packages.conf scp: command instead and enter the FTP server credentials
when prompted.
C. Enter the FTP server credentials directly in the FTP URL using
the ftp://username:password@192.0.2.40/ syntax.
D. Create a user on the router matching the username and password on the FTP server and log in
before attempting the copy.
E. Use the copy flash-packages.conf ftp: command instead and enter the FTP server credentials
when prompted.

Answer: A C

Explanation

The FTP protocol requires a client to send a remote username and password on each FTP request to a
server. When you copy a configuration file from the router to a server using FTP, the Cisco IOS
software sends the first valid username it encounters in the following list:
1. The username specified in the copy privileged EXEC command, if a username is specified.
2. The username set by the ip ftp username global configuration command, if the command is
configured.

The router sends the first valid password it encounters in the following list:
1. The password specified in the copy privileged EXEC command, if a password is specified.
2. The password set by the ip ftp password global configuration command, if the command is
configured.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sys-image-mgmt/configuration/xe-16-
7/sysimgmgmt-xe-16-7-book/sysimgmgmt-ftp.pdf

Question 71

Refer to the exhibit.


R7#sh ip ospf interface fa0/0
FastEthernet0/0 is up, line protocol is up
Internet Address 10.19.5.0/28, Area 0, Attached via Network Statement
Process ID 1, Router ID 10.7.7.255, Network Type POINT_TO_POINT, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base

Router R4 is configured correctly with default OSPF values. A network engineer configured R7 for
OSPF. R7 must not be elected as a DR for the segment between R4-R7. The adjacency between R4
and R7 failed to form. Which configuration resolves the issue?

Option A

R7(config)#interface fa0/0
R7(config-if)#ip ospf priority 255
R7(config-if)#ip ospf hello-interval 10
R7(config-if)#ip ospf dead-interval 30
R7(config-if)#ip ospf network broadcast

Option B

R7(config)#interface fa0/0
R7(config-if)#ip ospf priority 0
R7(config-if)#ip ospf hello-interval 10
R7(config-if)#ip ospf dead-interval 30
R7(config-if)#ip ospf network non-broadcast

Option C

R7(config)#interface fa0/0
R7(config-if)#ip ospf priority 0
R7(config-if)#ip ospf hello-interval 10
R7(config-if)#ip ospf dead-interval 40
R7(config-if)#ip ospf network broadcast

Option D

R7(config)#interface fa0/0
R7(config-if)#ip ospf priority 255
R7(config-if)#ip ospf hello-interval 10
R7(config-if)#ip ospf dead-interval 40
R7(config-if)#ip ospf network non-broadcast

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

R4 is configured with default OSPF values on Ethernet, so its OSPF hello interval is 10 and its dead
interval is 40, and R7 must use the same timers. We also need to set the OSPF priority of the R7 fa0/0
interface to 0 so that it cannot become DR/BDR.

Question 72

Refer to the exhibit.

RB#show ip bgp 172.16.16.1
BGP routing table entry for 172.16.16.1/32, version 11
Paths: (1 available, no best path)
Not advertised to any peer
Local
10.10.10.5 (metric 3) from 10.10.10.5 (172.16.16.1)
Origin IGP, metric 0, localpref 100, valid, internal, not synchronized

RD#traceroute 172.16.16.1
Tracing the route to 172.16.16.1
1 10.0.0.10 [MPLS: Label 29 Exp 0] 64 msec 56 msec 60 msec
2 10.0.0.21 60 msec 56 msec 72 msec
3 * * *

A customer reported an issue with a fiber link failure between RC and RE. Users connected through
the spoke location experience disconnections and packet drops with the primary email server (172.16.16.1)
but have no issues with the backup email server (172.16.26.1). All the router loopback IPs are
advertised through the OSPF protocol. Which configuration resolves the issue?

A. RB(config)#router bgp 65101
RB(config-router)#no synchronization

B. RB(config)#router bgp 65101
RB(config-router)#neighbor 10.10.10.2 next-hop-self

C. RB(config)#router bgp 65101
RB(config-router)#neighbor 10.10.10.5 next-hop-self

D. RC(config)#router bgp 65101
RC(config-router)#no synchronization

Answer: A

Explanation

The most likely cause of this problem is that RB has been configured with the “synchronization” command. BGP
synchronization used to be a way to avoid black holes when BGP peers know a route while the
transit hops do not. In this question we see the route to 172.16.16.1 is “not synchronized”. This is
because RB is waiting for its IGP (such as EIGRP or OSPF) to learn the route to 172.16.16.1 before
BGP can advertise this route.

The no synchronization command tells the iBGP routers that you don’t want them to “synchronize”
iBGP with your internal routing protocol.

Note: “no synchronization” is the default value for BGP configuration.

Question 73

Refer to the exhibit.


%DUAL-3-SIA: Route 10.10.1.1/32 stuck-in-active state in IP-EIGRP(0) 1. Cleaning up
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 192.168.1.1 (Serial0/0) is down: stuck in active

An engineer notices a connectivity problem between routers R1 and R2. The frequency of this problem
is high during peak business hours. Which action resolves the issue?

A. Increase the MTU on the interfaces that connect R1 and R2.
B. Increase the available bandwidth between R1 and R2.
C. Decrease the EIGRP keepalive and hold down timers on R1 and R2.
D. Set static EIGRP neighborship between R1 and R2.

Answer: B

Explanation

When an EIGRP router does not receive a reply to its query within 3 minutes, it puts the route in the
SIA (Stuck in Active) state and tears down the neighbor adjacency. This question also states that the SIA
problem increases during peak business hours. So the most likely cause of this problem is that the link does
not have enough bandwidth and EIGRP messages were somehow not prioritized. Therefore, by
increasing the bandwidth we may solve this problem.

Question 74

Refer to the exhibit.

R1#show ip route ospf

10.0.0.0/24 is subnetted, 7 subnets
O E1 10.4.9.0 [110/200] via 10.4.17.6, 00:05:43, FastEthernet0/0
O IA 10.4.27.0 [110/2] via 10.4.15.5, 00:05:44, FastEthernet0/1
O E1 10.4.49.0 [110/200] via 10.4.17.6, 00:05:43, FastEthernet0/0
O E1 10.4.59.0 [110/200] via 10.4.17.6, 00:05:43, FastEthernet0/0

An engineer configured two ASBRs, 10.4.17.6 and 10.4.15.5, in an OSPF network to redistribute
identical routes from BGP. However, only prefixes from 10.4.17.6 are installed into the routing table
on R1. Which action must the engineer take to achieve load sharing for the BGP-originated prefixes?

A. The ASBRs are advertising the redistributed prefixes with the iBGP metric and must be modified to
Type 1 on ASBR 10.4.17.6
B. The ASBRs are advertising the redistributed prefixes with a different admin distance and must be
changed to 110 on ASBR 10.4.15.5
C. The admin distance of the prefixes must be adjusted to 20 on ASBR 10.4.15.5 to advertise prefixes
to R1 identically from both ASBRs
D. The ASBRs are advertising the redistributed prefixes as Type 1 and must be modified to Type 2

Answer: D

Explanation

From the output we see that the prefixes from 10.4.17.6 are redistributed as Type 1 (O E1).

If an E1 and an E2 route exist to the same destination, the E1 route is always preferred irrespective
of the metric.

Reference: https://ipwithease.com/ospf-external-e1-and-e2-routes/

-> Therefore we must make sure both ASBRs use the same metric type when redistributing.
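To make the E1-over-E2 rule and the resulting loss of load sharing concrete, here is the OSPF external path selection as an added Python example (it is not part of the original question set and is not Cisco code). It models R1's view of one prefix before and after the type change; the external and forward costs (198 and 200, forward cost 2 to each ASBR) are constructed so that the E1 entry shows the [110/200] metric of the exhibit. Among E2 routes the external cost is compared first and the forward cost to the ASBR breaks ties, which is why the two ASBRs also need comparable forward costs for equal-cost paths.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ExternalRoute:
    prefix: str
    asbr: str
    metric_type: int    # 1 = O E1, 2 = O E2
    external_cost: int  # metric assigned on the ASBR at redistribution
    forward_cost: int   # internal OSPF cost from this router to the ASBR


def installed_metric(r: ExternalRoute) -> int:
    """E1 adds the internal cost to reach the ASBR; E2 carries only the external cost."""
    return r.external_cost + r.forward_cost if r.metric_type == 1 else r.external_cost


def preference_key(r: ExternalRoute) -> Tuple[int, int, int]:
    """Lower tuple wins. Any E1 beats any E2 regardless of metric; among E2
    routes the external cost is compared first, then the forward cost."""
    if r.metric_type == 1:
        return (1, r.external_cost + r.forward_cost, 0)
    return (2, r.external_cost, r.forward_cost)


def select_paths(routes: List[ExternalRoute]) -> List[ExternalRoute]:
    """All candidates tying for best; more than one means ECMP load sharing."""
    if not routes:
        return []
    best = min(preference_key(r) for r in routes)
    return [r for r in routes if preference_key(r) == best]


def asbrs_used(routes: List[ExternalRoute]) -> List[str]:
    return sorted(r.asbr for r in select_paths(routes))


# Constructed candidates for 10.4.9.0/24 as seen on R1 (ASBR addresses from the exhibit).
BEFORE = [
    ExternalRoute("10.4.9.0/24", "10.4.17.6", 1, 198, 2),  # O E1 [110/200]
    ExternalRoute("10.4.9.0/24", "10.4.15.5", 2, 200, 2),  # O E2, loses to E1 regardless of cost
]
# After ASBR 10.4.17.6 redistributes as Type 2 with the same external metric.
AFTER = [
    ExternalRoute("10.4.9.0/24", "10.4.17.6", 2, 200, 2),
    ExternalRoute("10.4.9.0/24", "10.4.15.5", 2, 200, 2),
]

if __name__ == "__main__":
    print("before:", asbrs_used(BEFORE))
    print("after: ", asbrs_used(AFTER))
```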

Question 75

Refer to the exhibit.


An error message “an OSPF-4-FLOOD_WAR” is received on SW2 from SW1. SW2 is repeatedly
receiving its own link-state advertisement and flushes it from the network. Which action resolves the
issue?

A. Change area 5 to a normal area from a nonstub area
B. Resolve different subnet mask issue on the link
C. Configure Layer 3 port channel on interfaces between switches
D. Resolve duplicate IP address issue in the network

Answer: D

Explanation

The OSPF flood war occurs when the router repeatedly receives its own Link State Advertisement
(LSA) and flushes it from the network or sends a new version of it. This is meant to detect issues with
Type-2 LSAs when duplicate IP addresses are present in the network, or with Type-5 LSAs when there
is a duplicate router ID in different OSPF Areas.

Question 76
Refer to the exhibit.

A network engineer cannot remotely access R3 using Telnet from switch S1. Which action resolves the
issue?

A. Allow the inbound connection via the exec command on R3.
B. Add the transport input telnet command on R3.
C. Allow to use the ssh -l admin 10.0.0.1 command on the switch.
D. Add the login admin command on the switch.

Answer: A

Explanation

The ‘no exec’ command restricts a line to outgoing connections only.

Question 77

Refer to the exhibit.


RouterA#sh ip route eigrp

Gateway of last resort is not set

10.0.0.0/32 is subnetted, 1 subnets
D 10.1.1.1 [90/156160] via 209.165.201.2, 00:00:06, FastEthernet0/0

***Configuration of RouterB ***

interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 209.165.201.2 255.255.255.252
!
interface FastEthernet1/0
ip address 209.165.200.225 255.255.255.224
!
router eigrp 100
network 10.1.1.1 0.0.0.0
network 209.165.201.0 0.0.0.3
eigrp stub connected static
!
ip route 10.2.2.2 255.255.255.255 209.165.200.226

Not all connected and static routes of router B are received by router A even though EIGRP
neighborship is established between the routers. Which configuration resolves the issue?

Option A Option B

router eigrp 100 router eigrp 100


network 209.165.200.224 0.0.0.7 network 209.165.200.224 0.0.0.7
redistribute static metric 1000 1
255 1 1500
eigrp stub connected

Option C Option D

router eigrp 100 router eigrp 100


network 209.165.200.224 0.0.0.31 network 209.165.200.224 0.0.0.7
redistribute static metric 1000 1 redistribute static metric 1000 1
255 1 1500 255 1 1500
eigrp stub static

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation
The eigrp stub static command does not redistribute static routes itself; it allows the advertisement of
already redistributed static routes.

The static keyword permits the EIGRP Stub Routing feature to send static routes. Without the
configuration of this option, EIGRP will not send any static routes, including internal static routes that
normally would be automatically redistributed. It is still necessary to redistribute static routes
with the redistribute static command.

-> Therefore in this question we have to redistribute the static route first and then use the “eigrp stub
connected static” command.

Note: The configurations in the four options above are additional configurations (they do not replace the previous
configuration).

Question 78

Which two technologies optimize MPLS infrastructure using bandwidth protection services when
experiencing slow response? (Choose two)

A. IPLFA
B. MPLS OAM
C. VPLS
D. SO-MPLS
E. Fast-Reroute

Answer: A E

Explanation

Fast Reroute (FRR) is a mechanism for protecting MPLS TE LSPs from link and node failures by locally
repairing the LSPs at the point of failure, allowing data to continue to flow on them while their
headend routers attempt to establish new end-to-end LSPs to replace them. FRR locally repairs the
protected LSPs by rerouting them over backup tunnels that bypass failed links or nodes.

In case an LSP tunnel fails or congestion occurs on a network node, MPLS TE can provide route backup
and Fast Reroute (FRR) -> Answer E is correct.

Reference: https://techhub.hpe.com/eginfolib/networking/docs/switches/5820x-5800/5998-
7393r_mpls_cg/content/441756065.htm

The Loop-Free Alternate (LFA) Fast Reroute (FRR) feature offers an alternative to the MPLS Traffic
Engineering Fast Reroute feature to minimize packet loss due to link or node failure. LFA FRR enables
a backup route to avoid traffic loss if a network fails. The backup routes (repair paths) are
precomputed and installed in the router as the backup for the primary paths. After the router detects
a link or adjacent node failure, it switches to the backup path to avoid traffic loss.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/asr920/configuration/guide/iproute/iri-xe-
3s-asr920-book/m_lfa-frr_920.pdf

Question 79

What action is performed for untagged outgoing labels in an MPLS router?

A. Convert the incoming MPLS packet to an untagged packet and then do a FIB lookup
B. Convert the incoming MPLS packet to an untagged packet and then do a RIB lookup
C. Convert the untagged packet to a labeled packet and forward it to the next router
D. Convert the incoming MPLS packet to an IP packet and forward it to the next router

Answer: C

Question 80

Refer to the exhibit.

R1(config)#ip access-list standard EIGRP-FILTER
R1(config-std-nacl)#deny 10.10.10.0 0.0.0.0
R1(config-std-nacl)#permit 0.0.0.0 0.0.0.0
R1(config)#router eigrp 10
R1(config-router)#distribute-list route-map EIGRP in
!
R1(config)#route-map EIGRP permit 10
R1(config-route-map)#match ip address EIGRP-FILTER
!
R1#show ip route eigrp | include 10.10.10.
D 10.10.10.128/25

An engineer must filter EIGRP updates that are received to block all 10.10.10.0/24 prefixes. The
engineer tests the distribute list and finds one associated prefix. Which action resolves the issue?

A. There is a permit in the route map that allows this prefix. A deny 20 statement is required with a
match condition to match a new ACL that denies all prefixes
B. There is a permit in the ACL that allows this prefix into EIGRP. The ACL should be modified to deny
10.10.10.0 0.0.0.255.
C. There is a permit in the route map that allows this prefix. A deny 20 statement is required with no
match condition to block the prefix.
D. There is a permit in the ACL that allows this prefix into EIGRP. The ACL should be modified to deny
10.10.10.0 255.255.255.0.

Answer: B
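Why the 0.0.0.0 wildcard lets 10.10.10.128/25 through is clearer when the ACL evaluation is spelled out, so here is an added Python model of a standard ACL used by a distribute-list (it is not part of the original question set and not Cisco code). A standard ACL in this role is matched against the route's network address only, first match wins, and an unmatched route hits the implicit deny; with a route-map clause of permit 10 that matches the ACL, a route the ACL denies falls off the end of the route-map and is dropped. The received prefixes are constructed; the ACL entries are the ones in the exhibit and the corrected entry from answer B.

```python
import ipaddress
from typing import List, Tuple

AclEntry = Tuple[str, str, str]   # (action, address, wildcard mask)


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def std_acl_action(acl: List[AclEntry], prefix: str) -> str:
    """Evaluate a standard ACL against a route: only the network address is
    tested (the prefix length is ignored), first match wins, implicit deny last."""
    network = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, acl_addr, wildcard in acl:
        if wildcard_match(network, acl_addr, wildcard):
            return action
    return "deny"


def route_map_permits(acl: List[AclEntry], prefix: str) -> bool:
    """route-map EIGRP permit 10 / match ip address <acl>: the route passes only
    if the ACL permits it; otherwise the route-map's implicit deny drops it."""
    return std_acl_action(acl, prefix) == "permit"


def apply_distribute_list(acl: List[AclEntry], prefixes: List[str]) -> List[str]:
    """Prefixes that 'distribute-list route-map EIGRP in' would accept."""
    return [p for p in prefixes if route_map_permits(acl, p)]


# ACL exactly as configured in the exhibit: matches only the address 10.10.10.0 itself.
ACL_AS_CONFIGURED: List[AclEntry] = [
    ("deny", "10.10.10.0", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
# ACL with the corrected wildcard: matches every network address in 10.10.10.0/24.
ACL_FIXED: List[AclEntry] = [
    ("deny", "10.10.10.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Constructed EIGRP updates received from the neighbor.
RECEIVED = ["10.10.10.0/24", "10.10.10.128/25", "10.10.20.0/24", "192.168.1.0/24"]

if __name__ == "__main__":
    print("as configured:", apply_distribute_list(ACL_AS_CONFIGURED, RECEIVED))
    print("fixed:        ", apply_distribute_list(ACL_FIXED, RECEIVED))
```

Because a standard ACL cannot express a prefix length, a prefix-list is the precise tool when the intent is "every prefix inside 10.10.10.0/24"; the ACL fix above works here only because all the unwanted networks share the first three octets.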

Question 81

Refer to the exhibit.

Which policy configuration on R1 forwards any traffic that is sourced from the 192.168.130.0/24
network to R2?

Option A

access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/2
ip policy route-map test
!
route-map test permit 10
match ip address 1
set ip next-hop 172.20.20.2

Option B

access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/2
ip policy route-map test
!
route-map test permit 10
match ip address 1
set ip next-hop 172.20.20.1

Option C

access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/1
ip policy route-map test
!
route-map test permit 10
match ip address 1
set ip next-hop 172.20.40.2

Option D

access-list 1 permit 192.168.130.0 0.0.0.255
!
interface Gi0/1
ip policy route-map test
!
route-map test permit 10
match ip address 1
set ip next-hop 172.20.40.1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

The traffic arrives on the Gi0/1 interface, so we must apply the policy (“ip policy route-map test”) on this
interface. The question requires reaching the destination 172.20.40.0/30, so the next-hop IP address
should be 172.20.40.1.

Question 82

Refer to the exhibit.

R2#sh ip bgp ipv6 uni
BGP table version is 45, local router ID is 2.2.22.22
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
*> 2001::5/128 2001::5 0 0 300 200 1
*> 2001::4/128 2001::4 0 0 300 i
*> 2002::2/128 :: 0 32768 i
R2#sh run | section bgp
router bgp 100
address-family ipv6
neighbor 2001::4 route-map Filter in

ip as-path access-list 1 permit _300_[0-9]

route-map Filter permit 10
match as-path 1

R2 has been receiving routes from R4 that originated outside AS300. A network engineer configured an
AS-Path ACL to avoid adding these routes to the R2 BGP table, but the routes are still present in the R2
routing table. Which action resolves the issue?

A. Replace as-path access-list 1 with the ip as-path access-list 1 permit ^300 $ command
B. Replace as-path access-list 1 with the ip as-path access-list 1 permit ..300.” command
C. Replace as-path access-list 1 with the ip as-path access-list 1 permit ^300_ command
D. Replace as-path access-list 1 with the ip as-path access-list 1 permit ^300.” command

Answer: B
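Cisco AS-path regular expressions use “_” as a shorthand for "start of path, end of path, space, comma, brace or parenthesis", and the access-list is searched, not anchored, against the printed AS_PATH. The following added Python example (not part of the original question set, not Cisco code) emulates that evaluation so the behaviour of the exhibit's `_300_[0-9]` can be checked against the two paths in the BGP table, next to the anchored `^300$` pattern that matches only paths originating inside AS300. The table entries are taken from the exhibit; the locally originated 2002::2/128 is omitted because an inbound filter never sees it.

```python
import re
from typing import List, Tuple

# Cisco's "_" matches the beginning or end of the AS_PATH, a space, a comma,
# a brace or a parenthesis. Everything else is ordinary regular-expression syntax.
CISCO_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def to_python_regex(cisco_pattern: str) -> str:
    """Translate an 'ip as-path access-list' regex into Python's dialect."""
    return cisco_pattern.replace("_", CISCO_UNDERSCORE)


def as_path_permitted(cisco_pattern: str, as_path: str) -> bool:
    """Emulate 'ip as-path access-list N permit <regex>': a route matches when
    the regex is found anywhere in its AS_PATH string (as shown by show ip bgp)."""
    return re.search(to_python_regex(cisco_pattern), as_path) is not None


def accepted_prefixes(cisco_pattern: str, table: List[Tuple[str, str]]) -> List[str]:
    """Prefixes an inbound 'route-map Filter permit 10 / match as-path' keeps;
    anything the as-path list does not permit hits the route-map's implicit deny."""
    return [prefix for prefix, path in table if as_path_permitted(cisco_pattern, path)]


# (prefix, AS_PATH attribute) as received from the AS300 peer in the exhibit.
BGP_TABLE = [
    ("2001::5/128", "300 200 1"),  # transits AS300, originated in AS1
    ("2001::4/128", "300"),        # originated inside AS300
]

if __name__ == "__main__":
    for pattern in ("_300_[0-9]", "^300$", "^300_"):
        print(f"{pattern:12} -> {accepted_prefixes(pattern, BGP_TABLE)}")
```

The exhibit's pattern requires a digit after the 300, so it keeps exactly the path that should have been dropped and rejects the one that should have been kept; `^300$` inverts that, and `^300_` (which also allows "300" followed by more ASes) keeps both.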

==================== New Questions (added on 9th-Mar-2023) ====================

Question 83
Refer to the exhibit.

CSR103#sh ip ospf interface gigabitEthernet 2
GigabitEthernet2 is up, line protocol is up
Internet Address 172.16.1.42/30, Interface ID 8, Area 1
Process ID 1, Router ID 172.16.100.7, Network Type BROADCAST, Cost: 1
Topology-MTID Cost Disabled Shutdown Topology Name
0 1 no no Base
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 172.16.100.7, Interface address 172.16.1.42
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Neighbor Count is 0, Adjacent neighbor count is 0
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Youngest key id is 1

CSR103#sh ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
172.16.100.3 1 FULL/DR 00:00:34 172.16.1.25 GigabitEthernet3
172.16.100.5 1 FULL/BDR 00:00:20 172.16.1.41 GigabitEthernet2
CSR103#
CSR103#
*Jan 11 16:44:22.234: %OSPF-5-ADJCHG: Process 1, Nbr 172.16.100.5 on GigabitEthernet2
from FULL to DOWN, Neighbor Down: Dead timer expired

Which configuration must the engineer apply on CSR103 to resolve the problem?

Option A

key chain ospf
key 1
key-string 7 02050D480809
cryptographic-algorithm hmac-sha-1
!
int GigabitEthernet 2
ip ospf message digest-key 1 md5 cisco
ip ospf authentication message-digest

Option B

key chain ospf
key 1
key-string 7 02050D480809
cryptographic-algorithm hmac-sha-256
!
router ospf 1
area 1 authentication message-digest
!
int GigabitEthernet 2
ip ospf message digest-key 1 md5 cisco

Option C

key chain ospf
key 1
key-string 7 02050D480809
cryptographic-algorithm hmac-sha-1
!
interface GigabitEthernet2
ip ospf authentication key-chain ospf

Option D

key chain ospf
key 1
key-string 7 4A397D810C24
cryptographic-algorithm hmac-sha-256
!
interface GigabitEthernet2
ip ospf authentication key-chain ospf

A. Option A
B. Option B
C. Option C
D. Option D
Answer: D (?)

Explanation
On Cisco IOS, OSPF HMAC-SHA cryptographic authentication can be configured on a per-interface
basis only.

Reference: https://itskillbuilding.com/networking/network/ospf/ospf-hmac-sha-cryptographic-
authentication/

All four options define a key chain with a “cryptographic-algorithm …” command, so the key chain has to be
applied with the “ip ospf authentication key-chain …” command under interface
GigabitEthernet2 -> Only Option C and Option D do this.

We are still not sure whether Option C or Option D is better, as the router supports both authentication
algorithms, “hmac-sha-1” and “hmac-sha-256”. We suppose HMAC-SHA-256 is better than HMAC-SHA-1,
so the best answer should be Option D.

==================== New Questions (added on 15th-Aug-2023) ====================

Question 84

What is the downstream unsolicited distribution method in MPLS?

A. It advertises labels to peers only when the peer requests.
B. It sends a unicast hello message to a specific LSR.
C. It sends a unicast hello message to a specific LER.
D. It advertises labels to peers without peer request.

Answer: D

Explanation

Unsolicited Downstream

The MPLS architecture also allows an LSR to distribute bindings to LSRs that have not explicitly
requested them. This is known as “unsolicited downstream” label distribution.

Reference: https://www.linkedin.com/pulse/label-distribution-control-modes-dipankar-shaw

Question 85

Refer to the exhibit.

R1#sh run | begin ip forward
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
access-list 15 permit 172.16.1.15
!
control-plane
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 1
login authentication CCNP
transport input all
!

After a RADIUS server fails AAA authentication, an engineer is trying to reestablish console access to a
switch using the local password.

Which configuration reestablishes the console access to switch SW1 via AAA?

Option A

SW1(config)#aaa authentication login CONSOLE line
SW1(config)#username ENT password 7 RAsek432@
SW1(config)#line con 0
SW1(config-line)#login authentication CONSOLE

Option B

SW1(config)#aaa authentication login CONSOLE local
SW1(config)#username ENT secret RAsek432@
SW1(config)#line con 0
SW1(config-line)#login authentication CONSOLE

Option C

SW1(config)#aaa authentication login CONSOLE local
SW1(config)#username ENT password 7 RAsek432@
SW1(config)#line con 0
SW1(config-line)#login authentication CONSOLE

Option D

SW1(config)#aaa authentication login CONSOLE line
SW1(config)#username ENT secret RAsek432@
SW1(config)#line con 0
SW1(config-line)#login authentication CONSOLE

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B

Explanation

If we want to use the local password, we need the keyword “local” after the “aaa
authentication login CONSOLE” command, not “line”.

-> Only Option B and Option C remain. The only difference between these two options is the keyword
“secret” or “password”. We think both can be used, but Option B with the “secret” keyword is still the
better choice.

Question 86

Refer to the exhibit.

EIGRP peering was lost.

Which configuration resolves the issue?


A. router EIGRP 88
metric weights 1 0 1 0 10

B. router EIGRP 88
metric weights 1 1 1 0 0 0

C. router EIGRP 88
metric weights 0 1 1 0 01

D. router EIGRP 88
metric weights 0 1 1 1 0 0

Answer: D

Explanation

From the exhibit we only learn that the reason for the failure was “K-value mismatch”. We need six
(not five) parameters for the “metric weights {tos} {k1} {k2} {k3} {k4} {k5}” command:

-> We only have two options left.

The formula to calculate the EIGRP metric is shown below:

Currently the “tos” parameter is not used, so it should be “0”, while “k1” is usually set to “1”, so “metric
weights 0 1 1 1 0 0” is the best answer.
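As an added example (not part of the original question set, not Cisco code), the following Python validates a “metric weights” argument string the way the CLI parser would reject a five-value line, and computes the classic EIGRP composite metric from the K values so the effect of changing them can be seen. The formula used is the standard one: metric = 256 × [K1·BW + K2·BW/(256 − load) + K3·DLY] × [K5/(K4 + reliability)], with BW = 10^7 / minimum bandwidth (kbps), DLY = cumulative delay (µs) / 10, and the K5 term skipped entirely when K5 = 0. The 156160 check value comes from the RouterA routing table in Question 77 above (a loopback reached over FastEthernet: minimum bandwidth 100000 kbps, cumulative delay 5100 µs); the tos-must-be-0 rule follows the explanation above.

```python
from typing import Tuple

KValues = Tuple[int, int, int, int, int]
DEFAULT_K: KValues = (1, 0, 1, 0, 0)   # IOS default: bandwidth + delay only


def parse_metric_weights(args: str) -> Tuple[int, KValues]:
    """Validate the argument string of 'metric weights tos k1 k2 k3 k4 k5'.
    Exactly six integers are required; each K is 0..255; tos is unused and
    must be 0 (as the explanation above notes)."""
    parts = args.split()
    if len(parts) != 6:
        raise ValueError(f"expected 6 values (tos k1 k2 k3 k4 k5), got {len(parts)}")
    values = [int(p) for p in parts]
    tos, ks = values[0], (values[1], values[2], values[3], values[4], values[5])
    if tos != 0:
        raise ValueError("tos must be 0")
    if any(not 0 <= k <= 255 for k in ks):
        raise ValueError("K values must be in 0..255")
    return tos, ks


def metric_weights_valid(args: str) -> bool:
    """True when the argument string would be accepted."""
    try:
        parse_metric_weights(args)
        return True
    except ValueError:
        return False


def eigrp_metric(min_bandwidth_kbps: int, total_delay_us: int, load: int = 1,
                 reliability: int = 255, k: KValues = DEFAULT_K) -> int:
    """Classic (non-wide) EIGRP composite metric with integer arithmetic,
    as IOS computes it; see the formula in the lead-in."""
    k1, k2, k3, k4, k5 = k
    bw = 10_000_000 // min_bandwidth_kbps   # scaled inverse of the slowest link
    dly = total_delay_us // 10              # cumulative delay in tens of microseconds
    composite = k1 * bw + (k2 * bw) // (256 - load) + k3 * dly
    if k5 != 0:                             # the reliability term only applies when K5 > 0
        composite = composite * k5 // (k4 + reliability)
    return composite * 256


def k_values_match(local: KValues, remote: KValues) -> bool:
    """Neighbors must agree on all five K values or the adjacency never forms
    (the 'K-value mismatch' reason in the exhibit)."""
    return local == remote


if __name__ == "__main__":
    print("FE + loopback, default K:", eigrp_metric(100000, 5100))
    for option in ("1 0 1 0 10", "1 1 1 0 0 0", "0 1 1 0 01", "0 1 1 1 0 0"):
        print(f"metric weights {option!r}: valid={metric_weights_valid(option)}")
```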

Question 87

Refer to the exhibit.


An organization is installing a new L3 MPLS link to establish DMVPN Phase 2 tunnels between the hub
and two spoke routers. Which additional configuration should the engineer implement on each device
to achieve optimal routing between the spokes?

Option A

interface Tunnel0
no tunnel destination 192.168.100.11
tunnel mode mpls traffic-eng

Option B

interface Tunnel0
ip ospf priority 253
ip ospf network point-to-multipoint

Option C

interface Tunnel0
no tunnel destination 192.168.100.11
tunnel mode gre multipoint

Option D

interface Tunnel0
ip ospf priority 1
ip ospf network non-broadcast

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation
In the configuration above, the “tunnel destination 192.168.100.11” commands on the two spokes prevent
them from establishing direct communication (they must go through the hub), so we should remove
this command and add the command “tunnel mode gre multipoint”.

Question 88

Refer to the exhibit.

An engineer must configure the hub router to add new offices in the same infrastructure without
performing any further configurations at the hub router.

Which tunnel mode configuration on the hub router meets this requirement?

A. interface Tunnel0
tunnel mode ip

B. interface Tunnel0
tunnel mode gre multipoint

C. interface Tunnel0
tunnel mode dvmrp

D. interface Tunnel0
tunnel mode ipsec ipv4

Answer: B
