Cisco 300-101 Free Practice Questions

Answer: A 

Explanation: 

Answer: A,B,C 

Explanation: 

show crypto ipsec sa This command shows IPsec SAs built between peers. The encrypted

tunnel is built between 12.1.1.1 and 12.1.1.2 for traffic that goes between networks 20.1.1.0 and 10.1.1.0.

You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound.

Authentication Header (AH) is not used since there are

no AH SAs.

This output shows an example of the show crypto ipsec sa command (bolded ones found in answers for

this question).

interface: FastEthernet0

Crypto map tag: test, local addr. 12.1.1.1

local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port):

(10.1.1.0/255.255.255.0/0/0) current_peer: 12.1.1.2

PERMIT, flags={origin_is_acl,}

#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918 #pkts decaps: 7760382, #pkts

decrypt: 7760382, #pkts verify 7760382 #pkts compressed:

0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0,

#pkts decompress failed: 0, #send errors 1, #recv errors 0 local crypto endpt.: 12.1.1.1, remote crypto

endpt.: 12.1.1.2 path mtu 1500, media mtu 1500

current outbound spi: 3D3

inbound esp sas:

spi: 0x136A010F(325714191)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3442, flow_id: 1443, crypto map: test sa timing: remaining key lifetime (k/sec):

(4608000/52) IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

inbound pcp sas:

outbound esp sas:

spi: 0x3D3(979)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 3443, flow_id: 1444, crypto map: test sa timing: remaining key lifetime (k/sec):

(4608000/52) IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike- protocols/5409-

ipsec-debug-00.html

Answer: A 

Explanation: 

Answer: A 

Explanation: 

Dual stack means that devices are able to run IPv4 and IPv6 in parallel. It allows hosts to simultaneously

reach IPv4 and IPv6 content, so it offers a very flexible coexistence strategy. For sessions that support IPv6, IPv6 is used on a dual stack endpoint. If both

endpoints support IPv4 only, then IPv4 is used.

Benefits:

Native dual stack does not require any tunneling mechanisms on internal networks

Both IPv4 and IPv6 run independent of each other

Dual stack supports gradual migration of endpoints, networks, and applications. Reference: http://

www.cisco.com/web/strategy/docs/gov/IPV6at_a_glance_c45-625859.pdf

Answer: C 

Explanation: 

Answer: E 

Explanation: 

NPTv6 provides a mechanism to translate the private internal organization prefixes to public globally

reachable addresses. The translation mechanism is stateless and provides a 1:1 relationship between the internal addresses and external addresses. The use cases for NPTv6 outlined in the RFC include peering with partner networks, multi homing, and redundancy and load sharing.

Reference:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/SBA/August2012/Cisco_SBA_BN_IPv6AddressingGuide-Aug2012.pdf

Answer: A 

Explanation: 

TCP global synchronization in computer networks can happen to TCP/IP flows during periods of

congestion because each sender will reduce their transmission rate at the same time when packet loss

occurs. Routers on the Internet normally have packet queues, to allow them to hold packets when the

network is busy, rather than discarding them. Because routers have limited resources, the size of these

queues is also limited. The simplest technique to limit queue size is known as tail drop. The queue is

allowed to fill to its maximum size, and then any new packets are simply discarded, until there is space in

the queue again. This causes problems when used on TCP/IP routers handling multiple TCP streams,

especially when bursty traffic is present. While the network is stable, the queue is constantly full, and there

are no problems except that the full queue results in high latency. However, the introduction of a sudden

burst of traffic may cause large numbers of established, steady streams to lose packets simultaneously.

Reference: http://en.wikipedia.org/wiki/TCP_global_synchronization

Answer: B 

Explanation: 

Autoconfiguration is performed on multicast-enabled links only and begins when a multicastenabled

interface is enabled (during system startup or manually). Nodes (both, hosts and routers) begin

the process by generating a link-local address for the interface. It is formed by appending the interface

identifier to well-known link-local prefix FE80 :: 0. The interface identifier replaces the right-most zeroes of

the link-local prefix. Before the link-local address can be assigned to the interface, the node performs the

Duplicate Address Detection mechanism to see if any other node is using the same link-local address on

the link. It does this by sending a Neighbor Solicitation message with target address as the "tentative"

address and destination address as the solicited-node multicast address corresponding to this tentative

address. If a node responds with a Neighbor Advertisement message with tentative address as the target

address, the address is a duplicate address and must not be used. Hence, manual configuration is

required. Once the node verifies that its tentative address is unique on the link, it assigns that link-local

address to the interface. At this stage, it has IP-connectivity to other neighbors on this link. The

autoconfiguration on the routers stop at this stage, further tasks are performed only by the hosts. The

routers will need manual configuration (or stateful configuration) to receive site-local or global addresses.

The next phase involves obtaining Router Advertisements from routers if any routers are present on the

link. If no routers are present, a stateful configuration is required. If routers are present, the Router

Advertisements notify what sort of configurations the hosts need to do and the hosts receive a global

unicast IPv6 address. Reference: https://sites.google.com/site/amitsciscozone/home/important-tips/ipv6/

ipv6-stateless- autoconfiguration

Answer: A 

Explanation: 

Restrictions for EVN

An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as Fast Ethernet,

Gigabit Ethernet, and port channels.

A single IP infrastructure can be virtualized to provide up to 32 virtual networks end-to-end.

If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same interface.

OSPFv3 is not supported; OSPFv2 is supported.

Reference: 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s- book/evnoverview.Pdf

Answer: C 

Explanation: 

The private IP address ranges defined in RFC 1918 are as follows:

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255 

These IP addresses should never be allowed from external networks into a

corporate network as they would only be able to reach the network from the outside via routing problems or

if the IP addresses were spoofed. This ACL is used to prevent all packets with a spoofed reserved private

source IP address to enter the network. The log keyword also enables logging of this intrusion attempt.

Answer: D 

Explanation: 

Access list 2 is more specific, allowing only 1.2.3.0/24, whereas access list 1 permits all 1.0.0.0/8

networks. This question also asks us to apply this distribute list only to the outbound direction of the fast Ethernet 0/0 interface, so the correct command is "distribute list 2

out FastEthernet0/0."

Answer: B 

Explanation: Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a virtual

private network (VPN) supported on Cisco IOS-based routers and Unix-like Operating Systems based on

the standard protocols, GRE, NHRP and IPsec. This DMVPN provides the capability for creating a

dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers,

including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key

Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by

statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is

required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be

dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This

dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke

networks. DMVPN is combination of the following technologies:

Multipoint GRE (mGRE)

Next-Hop Resolution Protocol (NHRP)

Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)

Dynamic IPsec encryption

Cisco Express Forwarding (CEF)

Reference: http://en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network

Topic 5, Infrastructure Security 

53. Which traffic does the following configuration allow? 

ipv6 access-list cisco 

permit ipv6 host 2001:DB8:0:4::32 any eq ssh 

line vty 0 4 

ipv6 access-class cisco in 

A. all traffic to vty 0 4 from source 2001:DB8:0:4::32 

B. only ssh traffic to vty 0 4 from source all 

C. only ssh traffic to vty 0 4 from source 2001:DB8:0:4::32 

D. all traffic to vty 0 4 from source all 

Answer: A 

Explanation: 

Explanation: Mixing TCP with UDP It is a general best practice to not mix TCP-based traffic with UDPbased

traffic (especially Streaming-Video) within a single service-provider class because of the behaviors

of these protocols during periods of congestion. Specifically, TCP transmitters throttle back flows when

drops are detected. Although some UDP applications have application-level windowing, flow control, and

retransmission capabilities, most UDP transmitters are completely oblivious to drops and, thus, never lower

transmission rates because of dropping. When TCP flows are combined with UDP flows within a single

service-provider class and the class experiences congestion, TCP flows continually lower their

transmission rates, potentially giving up their bandwidth to UDP flows that are oblivious to drops. This

effect is called TCP starvation/UDP dominance. TCP starvation/UDP dominance likely occurs if (TCP-based) Mission-Critical Data is assigned to the same service-provider class as (UDP-based) Streaming-

Video and the class experiences sustained congestion. Even if WRED is enabled on the service-provider

class, the same behavior would be observed because WRED (for the most part) manages congestion only

on TCP-based flows. Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/

WAN_and_MAN/QoS_SRND/QoS- SRND-Book/VPNQoS.html

Topic 2, Layer 2 Technologies 

13. Prior to enabling PPPoE in a virtual private dialup network group, which task must be completed? 

A. Disable CDP on the interface. 

B. Execute the vpdn enable command. 

C. Execute the no switchport command. 

D. Enable QoS FIFO for PPPoE support. 

Answer: A,B 

Explanation: 

The TCP Window Scaling feature adds support for the Window Scaling option in RFC 1323,

TCP Extensions for High Performance . A larger window size is recommended to improve TCP performance in network paths with large bandwidth-delay product characteristics that are called Long Fat

Networks (LFNs). 

The TCP Window Scaling enhancement provides that support. The window scaling extension in Cisco IOS software expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. 

The window size can increase to a scale factor of 14. Typical applications use a scale factor of 3 when deployed in LFNs. 

The TCP Window Scaling feature complies with RFC 1323. The larger scalable window size will allow TCP to perform better over LFNs. 

Use the ip tcp window-size command in global configuration mode to configure the TCP window size. In order for this to work, the remote host must also support this feature and its window size must be increased. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/

configuration/12-4t/iap-12- 4t-book/iap-tcp.html#GUID-BD998AC6-F128-47DD-B5F7-B226546D4B08

Answer: A,B 

Explanation: 

Answer: We need to configure policy based routing to send specific traffic along a path that is different from the best path in the routing table. Here are the step by Step Solution for this: 

1) First create the access list that catches the HTTP traffic: R1(config)#access-list 101 permit tcp any any eq www 

2) Configure the route map that sets the next hop address to be ISP1 and permits the rest of the traffic: R1(config)#route-map pbr permit 10 

R1(config-route-map)#match ip address 101 

R1(config-route-map)#set ip next-hop 10.1.100.2 

R1(config-route-map)#exit 

R1(config)#route-map pbr permit 20 

3) Apply the route-map on the interface to the server in the EIGRP Network: 

R1(config-route-map)#exit 

R1(config)#int fa0/1 

R1(config-if)#ip policy route-map pbr 

R1(config-if)#exit 

R1(config)#exit 

Explanation: 

First you need to configure access list to HTTP traffic and then configure that access list. After that configure the route map and then apply it on the interface to the server in EIGRP network.