Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Refer to the exhibit. The command is executed while configuring a point-to-multipoint Frame Relay interface. Which type of IPv6 address is portrayed in the exhibit?
A. link-local
B. site-local
C. global
D. multicast
Answer: A
Explanation:
Q2. You have been asked to evaluate how EIGRP is functioning in a customer network.
Traffic from R1 to R61 s Loopback address is load shared between R1-R2-R4-R6 and R1-R3-R5-R6 paths. What is the ratio of traffic over each path?
A. 1:1
B. 1:5
C. 6:8
D. 19:80
Answer: D
Explanation:
Q3. A network engineer is asked to configure a "site-to-site" IPsec VPN tunnel. One of the last things that the engineer does is to configure an access list (access-list 1 permit any) along with the command ip nat inside source list 1 int s0/0 overload. Which functions do the two commands serve in this scenario?
A. The command access-list 1 defines interesting traffic that is allowed through the tunnel.
B. The command ip nat inside source list 1 int s0/0 overload disables "many-to-one" access for all devices on a defined segment to share a single IP address upon exiting the external interface.
C. The command access-list 1 permit any defines only one machine that is allowed through the tunnel.
D. The command ip nat inside source list 1 int s0/0 overload provides "many-to-one" access for all devices on a defined segment to share a single IP address upon exiting the external interface.
Answer: D
Explanation:
Configuring NAT to Allow Internal Users to Access the Internet Using Overloading NAT Router
interface ethernet 0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!--- Defines Ethernet 0 with an IP address and as a NAT inside interface.
interface ethernet 1
ip address 10.10.20.1 255.255.255.0
ip nat inside
!--- Defines Ethernet 1 with an IP address and as a NAT inside interface.
interface serial 0
ip address 172.16.10.64 255.255.255.0
ip nat outside
!--- Defines serial 0 with an IP address and as a NAT outside interface.
ip nat pool ovrld 172.16.10.1 172.16.10.1 prefix 24 !
!--- Defines a NAT pool named ovrld with a range of a single IP
!--- address, 172.16.10.1.
ip nat inside source list 7 pool ovrld overload
!
!
!
!
!--- Indicates that any packets received on the inside interface that
!--- are permitted by access-list 7 has the source
address
!--- translated to an address out of the NAT pool named ovrld.
!--- Translations are overloaded, which allows multiple inside
!--- devices to be translated to the same valid IP
address.
access-list 7 permit 10.10.10.0 0.0.0.31
access-list 7 permit 10.10.20.0 0.0.0.31
!--- Access-list 7 permits packets with source addresses ranging from
!--- 10.10.10.0 through 10.10.10.31 and 10.10.20.0
through 10.10.20.31.
Note in the previous second configuration, the NAT pool "ovrld"only has a range of one address. The
keyword overload used in the ip nat inside source list 7 pool
ovrld overload command allows NAT to translate multiple inside devices to the single address in the pool.
Reference:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
Q4. When using SNMPv3 with NoAuthNoPriv, which string is matched for authentication?
A. username
B. password
C. community-string
D. encryption-key
Answer: A
Explanation:
The following security models exist: SNMPv1, SNMPv2, SNMPv3. The following security
levels exits: "noAuthNoPriv" (no authentiation and no encryption noauth keyword in CLI),
"AuthNoPriv" (messages are authenticated but not encrypted auth keyword in CLI), "AuthPriv" (messages
are authenticated and encrypted priv keyword in CLI). SNMPv1 and SNMPv2 models only support the
"noAuthNoPriv" model since they use plain community string to match the incoming packets. The SNMPv3
implementations could be configured to use either of the models on per-group basis (in case if
"noAuthNoPriv" is configured, username serves as a replacement for community string). Reference: http://
blog.ine.com/2008/07/19/snmpv3-tutorial/
Q5. Which traffic characteristic is the reason that UDP traffic that carries voice and video is assigned to the queue only on a link that is at least 768 kbps?
A. typically is not fragmented
B. typically is fragmented
C. causes windowing
D. causes excessive delays for video traffic
Answer: A
Explanation:
Q6. A network engineer is notified that several employees are experiencing network performance related issues, and bandwidth-intensive applications are identified as the root cause. In order to identify which specific type of traffic is causing this slowness, information such as the source/destination IP and Layer 4 port numbers is required. Which feature should the engineer use to gather the required information?
A. SNMP
B. Cisco IOS EEM
C. NetFlow
D. Syslog
E. WCCP
Answer: C
Explanation:
NetFlow Flows Key Fields
A network flow is identified as a unidirectional stream of packets between a given source and destination--
both are defined by a network-layer IP address and
transport-layer source and destination port numbers. Specifically, a flow is identified as the combination of
the following key fields:
Source IP address
Destination IP address
Source Layer 4 port number
Destination Layer 4 port number
Layer 3 protocol type
Type of service (ToS)
Input logical interface Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/netflow/configuration/12-4t/
cfg-nflow- data-expt.html
Q7. You have been asked to evaluate how EIGRP is functioning in a customer network.
What percent of R1’s interfaces bandwidth is EIGRP allowed to use?
A. 10
B. 20
C. 30
D. 40
Answer: B
Explanation:
Q8. Which type of traffic does DHCP snooping drop?
A. discover messages
B. DHCP messages where the source MAC and client MAC do not match
C. traffic from a trusted DHCP server to client
D. DHCP messages where the destination MAC and client MAC do not match
Answer: B
Explanation:
The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping
enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY
packet) from a DHCP server outside the network or firewall.
The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client
hardware address do not match. This check is performed only if the DHCP snooping MAC address
verification option is turned on. · The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0. To support
trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable the DHCP
option-82 on untrusted port feature, which enables untrusted aggregation- switch ports to accept DHCP
packets that include option-82 information. Configure the port on the edge switch that connects to the
aggregation switch as a trusted port. Reference: http:// www.cisco.com/c/en/us/td/docs/switches/lan/
catalyst6500/ios/12- 2SX/configuration/guide/book/snoodhcp.html
Topic 7, Mix Questions
83. Which two commands would be used to troubleshoot high memory usage for a process? (Choose two.)
A. router#show memory allocating-process table
B. router#show memory summary
C. router#show memory dead
D. router#show memory events
E. router#show memory processor statistics
Q9. Refer to the exhibit. The network setup is running the RIP routing protocol. Which two events will occur following link failure between R2 and R3? (Choose two.)
A. R2 will advertise network 192.168.2.0/27 with a hop count of 16 to R1.
B. R2 will not send any advertisements and will remove route 192.168.2.0/27 from its routing table.
C. R1 will reply to R2 with the advertisement for network 192.168.2.0/27 with a hop count of 16.
D. After communication fails and after the hold-down timer expires, R1 will remove the 192.168.2.0/27 route from its routing table.
E. R3 will not accept any further updates from R2, due to the split-horizon loop prevention mechanism.
Answer: A,C
Explanation:
Q10. A network engineer executes the show crypto ipsec sa command. Which three pieces of information are displayed in the output? (Choose three.)
A. inbound crypto map
B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets
Answer: A,B,C
Explanation:
show crypto ipsec sa This command shows IPsec SAs built between peers. The encrypted
tunnel is built between 12.1.1.1 and 12.1.1.2 for traffic that goes between networks 20.1.1.0 and 10.1.1.0.
You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound.
Authentication Header (AH) is not used since there are
no AH SAs.
This output shows an example of the show crypto ipsec sa command (bolded ones found in answers for
this question).
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port):
(10.1.1.0/255.255.255.0/0/0) current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918 #pkts decaps: 7760382, #pkts
decrypt: 7760382, #pkts verify 7760382 #pkts compressed:
0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0 local crypto endpt.: 12.1.1.1, remote crypto
endpt.: 12.1.1.2 path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test sa timing: remaining key lifetime (k/sec):
(4608000/52) IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test sa timing: remaining key lifetime (k/sec):
(4608000/52) IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike- protocols/5409-
ipsec-debug-00.html
Q11. What is a function of NPTv6?
A. It interferes with encryption of the full IP payload.
B. It maintains a per-node state.
C. It is checksum-neutral.
D. It rewrites transport layer headers.
Answer: C
Explanation:
RFC 6296 describes a stateless IPv6-to-IPv6 Network Prefix Translation (NPTv6) function,
designed to provide address independence to the edge network. It is transport-agnostic with respect to
transports that do not checksum the IP header, such as SCTP, and to transports that use the TCP/UDP/
DCCP (Datagram Congestion Control Protocol) pseudo-header and checksum NPTv6 provides a simple
and compelling solution to meet the address-independence requirement in IPv6. The addressindependence
benefit stems directly from the translation function of the network prefix translator. To avoid
as many of the issues associated with NAPT44 as possible, NPTv6 is defined to include a two-way,
checksum-neutral, algorithmic translation function, and nothing else. Reference: http://tools.ietf.org/html/
rfc6296
Q12. Which two methods of deployment can you use when implementing NAT64? (Choose two.)
A. stateless
B. stateful
C. manual
D. automatic
E. static
F. functional
G. dynamic
Answer: A,B
Explanation:
While stateful and stateless NAT64 perform the task of translating IPv4 packets into IPv6 packets and vice
versa, there are important differences. The following
table provides a high-level overview of the most relevant differences.
Table 2. Differences Between Stateless NAT64 and Stateful NAT64
Stateless NAT64 Stateful NAT64
1:1 translation 1:N translation
No conservation of IPv4 address Conserves IPv4 address
Assures end-to-end address Uses address overloading, hence transparency and scalability lacks in endto-
end address transparency
No state or bindings created on the State or bindings are created on every translation unique translation
Requires IPv4-translatable IPv6 No requirement on the nature of IPv6 addresses assignment (mandatory
address assignment requirement)
Requires either manual or DHCPv6 Free to choose any mode of IPv6 based address assignment for IPv6
address assignment viz. Manual, hosts DHCPv6, SLAAC Reference: http://www.cisco.com/c/en/us/
products/collateral/ios-nx-os-software/enterprise-ipv6- solution/white_paper_c11-676277.html
Q13. A network engineer notices that transmission rates of senders of TCP traffic sharply increase and decrease simultaneously during periods of congestion. Which condition causes this?
A. global synchronization
B. tail drop
C. random early detection
D. queue management algorithm
Answer: A
Explanation:
TCP global synchronization in computer networks can happen to TCP/IP flows during periods of
congestion because each sender will reduce their transmission rate at the same time when packet loss
occurs. Routers on the Internet normally have packet queues, to allow them to hold packets when the
network is busy, rather than discarding them. Because routers have limited resources, the size of these
queues is also limited. The simplest technique to limit queue size is known as tail drop. The queue is
allowed to fill to its maximum size, and then any new packets are simply discarded, until there is space in
the queue again. This causes problems when used on TCP/IP routers handling multiple TCP streams,
especially when bursty traffic is present. While the network is stable, the queue is constantly full, and there
are no problems except that the full queue results in high latency. However, the introduction of a sudden
burst of traffic may cause large numbers of established, steady streams to lose packets simultaneously.
Reference: http://en.wikipedia.org/wiki/TCP_global_synchronization
Q14. Refer to the following output:
Router#show ip nhrp detail
10.1.1.2/8 via 10.2.1.2, Tunnel1 created 00:00:12, expire 01:59:47
TypE. dynamic, Flags: authoritative unique nat registered used
NBMA address: 10.12.1.2
What does the authoritative flag mean in regards to the NHRP information?
A. It was obtained directly from the next-hop server.
B. Data packets are process switches for this mapping entry.
C. NHRP mapping is for networks that are local to this router.
D. The mapping entry was created in response to an NHRP registration request.
E. The NHRP mapping entry cannot be overwritten.
Answer: A
Explanation:
Show NHRP: Examples
The following is sample output from the show ip nhrp command:
Router# show ip nhrp
10.0.0.2 255.255.255.255, tunnel 100 created 0:00:43 expire 1:59:16 Type: dynamic Flags: authoritative
NBMA address: 10.1111.1111.1111.1111.1111.1111.1111.1111.1111.11 10.0.0.1 255.255.255.255,
Tunnel0 created 0:10:03 expire 1:49:56 Type: static Flags: authoritative NBMA address: 10.1.1.2 The
fields in the sample display are as follows:
The IP address and its network mask in the IP-to-NBMA address cache. The mask is always
255.255.255.255 because Cisco does not support aggregation of NBMA information through NHRP.
The interface type and number and how long ago it was created (hours:minutes:seconds).
The time in which the positive and negative authoritative NBMA address will expire
(hours:minutes:seconds). This value is based on the ip nhrp holdtime
command.
Type of interface:
dynamic--NBMA address was obtained from the NHRP Request packet.
static--NBMA address was statically configured.
Flags:
authoritative--Indicates that the NHRP information was obtained from the Next Hop Server or router that
maintains the NBMA-to-IP address mapping for a particular destination. Reference: http://www.cisco.com/
c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html
Q15. Refer to the exhibit. The DHCP client is unable to receive a DHCP address from the DHCP server. Consider the following output:
hostname RouterB ! interface fastethernet 0/0
ip address 172.31.1.1 255.255.255.0 interface serial 0/0 ip address 10.1.1.1 255.255.255.252
! ip route 172.16.1.0 255.255.255.0 10.1.1.2
Which configuration is required on the Router B fastethernet 0/0 port in order to allow the DHCP client to successfully receive an IP address from the DHCP server?
A. RouterB(config-if)# ip helper-address 172.16.1.2
B. RouterB(config-if)# ip helper-address 172.16.1.1
C. RouterB(config-if)# ip helper-address 172.31.1.1
D. RouterB(config-if)# ip helper-address 255.255.255.255
Answer: A
Explanation:
Q16. Refer to the following command: router(config)# ip http secure-port 4433
Which statement is true?
A. The router will listen on port 4433 for HTTPS traffic.
B. The router will listen on port 4433 for HTTP traffic.
C. The router will never accept any HTTP and HTTPS traffic.
D. The router will listen to HTTP and HTTP traffic on port 4433.
Answer: A
Explanation:
To set the secure HTTP (HTTPS) server port number for listening, use the ip http secure-port
command in global configuration mode. To return the HTTPS server port number to the default, use the no
form of this command. ip http secure-port port-number no ip http secure-port Syntax Description port-
Integer in the range of 0 to 65535 is accepted, but the port number must be number higher than 1024
unless the default is used. The default is 443. Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/
https/command/nm-https-cr-cl- sh.html#wp3612805529