Q1. Scenario:
You have been asked to evaluate an OSPF network setup in a test lab and to answer questions a customer has about its operation. The customer has disabled your access to the show running-config command.
The areas of Router 5 and Router 6 are not normal areas. Inspect their routing tables and determine which statement is true.
A. R5's Loopback and R6's Loopback are both present in R5's Routing table
B. R5's Loopback and R6's Loopback are both present in R6's Routing table
C. Only R5's loopback is present in R5's Routing table
D. Only R6's loopback is present in R5's Routing table
E. Only R5's loopback is present in R6's Routing table
Answer: A
Explanation:
Topic 4, VPN Technologies
45. A company has just opened two remote branch offices that need to be connected to the corporate network. Which interface configuration output can be applied to the corporate router to allow communication to the remote sites?
A. interface Tunnel0
   bandwidth 1536
   ip address 209.165.200.230 255.255.255.224
   tunnel source Serial0/0
   tunnel mode gre multipoint
B. interface fa0/0
   bandwidth 1536
   ip address 209.165.200.230 255.255.255.224
   tunnel mode gre multipoint
C. interface Tunnel0
   bandwidth 1536
   ip address 209.165.200.231 255.255.255.224
   tunnel source 209.165.201.1
   tunnel-mode dynamic
D. interface fa 0/0
   bandwidth 1536
   ip address 209.165.200.231 255.255.255.224
   tunnel source 192.168.161.2
   tunnel destination 209.165.201.1
   tunnel-mode dynamic
Q2. A network administrator executes the command clear ip route. Which two tables does this command clear and rebuild? (Choose two.)
A. IP routing
B. FIB
C. ARP cache
D. MAC address table
E. Cisco Express Forwarding table
F. topology table
Answer: A,B
Explanation:
To clear one or more entries in the IP routing table, use the following commands in any mode:
Command: clear ip route {* | {route | prefix/length}[next-hop interface]} [vrf vrf-name]
Example: switch(config)# clear ip route 10.2.2.2
Purpose: Clears one or more routes from both the unicast RIB and all the module FIBs. The route options are as follows:
· *--All routes.
· route--An individual IP route.
· prefix/length--Any IP prefix.
· next-hop--The next-hop address.
· interface--The interface to reach the next-hop address.
The vrf-name can be any case-sensitive, alphanumeric string up to 32 characters.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/unicast/5_0_3_N1_1/Cisco_n5k_layer3_ucast_cfg_rel_503_N1_1/l3_manage-routes.html
Q3. CORRECT TEXT [SIMULATION]
Route.com is a small IT corporation that is attempting to implement the network shown in the exhibit. Currently the implementation is partially completed. OSPF has been configured on routers Chicago and NewYork. The S0/0 interface on Chicago and the S0/1 interface on NewYork are in Area 0. The loopback0 interface on NewYork is in Area 1. However, they cannot ping from the serial interface of the Seattle router to the loopback interface of the NewYork router. You have been asked to complete the implementation to allow this ping.
ROUTE.com's corporate implementation guidelines require:
· The OSPF process ID for all routers must be 10.
· The routing protocol for each interface must be enabled under the routing process.
· The routing protocol must be enabled for each interface using the most specific wildcard mask possible.
· The serial link between Seattle and Chicago must be in OSPF area 21.
· OSPF area 21 must not receive any inter-area or external routes.
Network Information
Seattle
S0/0 192.168.16.5/30 - Link between Seattle and Chicago
Secret Password: cisco
Chicago
S0/0 192.168.54.9/30 - Link between Chicago and NewYork
S0/1 192.168.16.6/30 - Link between Seattle and Chicago
Secret Password: cisco
NewYork
S0/1 192.168.54.10/30 - Link between Chicago and NewYork
Loopback0 172.16.189.189
Secret Password: cisco
Answer: Here is the solution below:
Explanation:
Note: In actual exam, the IP addressing, OSPF areas and process ID, and router hostnames may change, but the overall solution is the same.
Seattle’s S0/0 IP Address is 192.168.16.5/30. So, we need to find the network address and wildcard mask of 192.168.16.5/30 in order to configure the OSPF.
IP Address: 192.168.16.5 /30
Subnet Mask: 255.255.255.252
Here subtract 252 from 256: 256-252 = 4, hence the subnets will increment by 4.
First, find the 4th octet of the Network Address:
The 4th octet of IP address (192.168.16.5) belongs to subnet 1 (4 to 7).
Network Address: 192.168.16.4
Broadcast Address: 192.168.16.7
Let's find the wildcard mask of /30.
Subnet Mask: (Network Bits – 1’s, Host Bits – 0’s)
Now we configure OSPF using process ID 10 (note the process ID may change to something else in real exam).
Seattle>enable
Password: cisco
Seattle#conf t
Seattle(config)#router ospf 10
Seattle(config-router)#network 192.168.16.4 0.0.0.3 area 21
One of the tasks states that area 21 should not receive any external or inter-area routes (except
the default route).
Seattle(config-router)#area 21 stub
Seattle(config-router)#end
Seattle#copy run start
Chicago Configuration:
Chicago>enable
Password: cisco
Chicago#conf t
Chicago(config)#router ospf 10
We need to add Chicago’s S0/1 interface to Area 21
Chicago(config-router)#network 192.168.16.4 0.0.0.3 area 21
Again, area 21 should not receive any external or inter-area routes (except the default route).
In order to accomplish this, we must stop LSA Type 5 if we don’t want to send external routes. And
if we don’t want to send inter-area routes, we have to stop LSA Type 3 and Type 4. Therefore we
want to configure area 21 as a totally stubby area.
Chicago(config-router)#area 21 stub no-summary
Chicago(config-router)#end
Chicago#copy run start
The other interface on the Chicago router is already configured correctly in this scenario, as well
as the New York router so there is nothing that needs to be done on that router.
Q4. Which common issue causes intermittent DMVPN tunnel flaps?
A. a routing neighbor reachability issue
B. a suboptimal routing table
C. interface bandwidth congestion
D. that the GRE tunnel to hub router is not encrypted
Answer: A
Explanation:
DMVPN Tunnel Flaps Intermittently
Problem: DMVPN tunnel flaps intermittently.
Solution: When DMVPN tunnels flap, check the neighborship between the routers, as issues with neighborship formation between routers may cause the DMVPN tunnel to flap. In order to resolve this problem, make sure the neighborship between the routers is always up.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html#Prblm1
Q5. Which type of traffic does DHCP snooping drop?
A. discover messages
B. DHCP messages where the source MAC and client MAC do not match
C. traffic from a trusted DHCP server to client
D. DHCP messages where the destination MAC and client MAC do not match
Answer: B
Explanation:
The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
· The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
· The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
· The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
· The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.
To support trusted edge switches that are connected to untrusted aggregation-switch ports, you can enable the DHCP option-82 on untrusted port feature, which enables untrusted aggregation-switch ports to accept DHCP packets that include option-82 information. Configure the port on the edge switch that connects to the aggregation switch as a trusted port.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
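The four drop conditions above, written out as a decision function and run over constructed frames. This is an added example, not Cisco code: the DhcpFrame model, port names, MAC addresses and verdict strings are hypothetical, and "a DHCP server outside the network or firewall" is modelled as a server message arriving on an untrusted port.

```python
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}

@dataclass
class DhcpFrame:               # constructed model of the fields the checks read
    port: str                  # ingress switch port
    src_mac: str               # Ethernet source MAC address
    msg_type: str              # DHCP message type
    chaddr: str                # DHCP client hardware address
    giaddr: str = "0.0.0.0"    # relay agent IP address

def snoop(frame, trusted_ports, bindings, verify_mac=True):
    """Return 'forward' or 'drop: <reason>' for one DHCP frame."""
    if frame.port in trusted_ports:
        return "forward"       # validation applies to untrusted ports only
    if frame.msg_type in SERVER_MSGS:
        return "drop: server message on untrusted port"
    if verify_mac and frame.src_mac != frame.chaddr:
        return "drop: source MAC != client hardware address"
    if frame.msg_type in ("DHCPRELEASE", "DHCPDECLINE"):
        bound_port = bindings.get(frame.chaddr)
        if bound_port is not None and bound_port != frame.port:
            return "drop: release/decline from wrong port"
    if frame.giaddr != "0.0.0.0":
        return "drop: relay agent address set"
    return "forward"

# Constructed lab data: one trusted uplink and one learned binding.
TRUSTED = {"Gi0/24"}
BINDINGS = {"aa:aa:aa:aa:aa:01": "Gi0/1"}
SAMPLES = [
    DhcpFrame("Gi0/24", "00:00:5e:00:53:01", "DHCPOFFER", "aa:aa:aa:aa:aa:01"),
    DhcpFrame("Gi0/5", "00:00:5e:00:53:99", "DHCPOFFER", "aa:aa:aa:aa:aa:01"),
    DhcpFrame("Gi0/1", "aa:aa:aa:aa:aa:01", "DHCPDISCOVER", "aa:aa:aa:aa:aa:01"),
    DhcpFrame("Gi0/2", "aa:aa:aa:aa:aa:02", "DHCPDISCOVER", "aa:aa:aa:aa:aa:99"),
    DhcpFrame("Gi0/3", "aa:aa:aa:aa:aa:01", "DHCPRELEASE", "aa:aa:aa:aa:aa:01"),
    DhcpFrame("Gi0/4", "aa:aa:aa:aa:aa:04", "DHCPREQUEST", "aa:aa:aa:aa:aa:04",
              giaddr="10.0.0.1"),
]

def run_samples(verify_mac=True):
    """Verdict for each constructed frame, in order."""
    return [snoop(f, TRUSTED, BINDINGS, verify_mac) for f in SAMPLES]

if __name__ == "__main__":
    for frame, verdict in zip(SAMPLES, run_samples()):
        print(frame.port, frame.msg_type, "->", verdict)
```

With verify_mac=False the fourth frame is forwarded, which matches the note that the MAC comparison runs only when MAC address verification is turned on.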
Topic 7, Mix Questions
83. Which two commands would be used to troubleshoot high memory usage for a process? (Choose two.)
A. router#show memory allocating-process table
B. router#show memory summary
C. router#show memory dead
D. router#show memory events
E. router#show memory processor statistics
Q6. Refer to the exhibit. Which statement about the configuration is true?
A. 20 packets are being sent every 30 seconds.
B. The monitor starts at 12:05:00 a.m.
C. Jitter is being tested with TCP packets to port 65051.
D. The packets that are being sent use DSCP EF.
Answer: A
Explanation:
Q7. Which three items can you track when you use two time stamps with IP SLAs? (Choose three.)
A. delay
B. jitter
C. packet loss
D. load
E. throughput
F. path
Answer: A,B,C
Q8. A network engineer has been asked to ensure that the PPPoE connection is established and authenticated using an encrypted password. Which technology, in combination with PPPoE, can be used for authentication in this manner?
A. PAP
B. dot1x
C. IPsec
D. CHAP
E. ESP
Answer: D
Explanation:
With PPPoE, the two authentication options are PAP and CHAP. When CHAP is enabled on
an interface and a remote device attempts to connect to it, the access server sends a CHAP packet to the
remote device. The CHAP packet requests or "challenges" the remote device to respond. The challenge
packet consists of an ID, a random number, and the host name of the local router. When the remote device
receives the challenge packet, it concatenates the ID, the remote device's password, and the random
number, and then encrypts all of it using the remote device's password. The remote device sends the
results back to the access server, along with the name associated with the password used in the
encryption process. When the access server receives the response, it uses the name it received to retrieve
a password stored in its user database. The retrieved password should be the same password the remote
device used in its encryption process. The access server then encrypts the concatenated information with
the newly retrieved password--if the result matches the result sent in the response packet, authentication
succeeds. The benefit of using CHAP authentication is that the remote device's password is never
transmitted in clear text (encrypted). This prevents other devices from stealing it and gaining illegal access
to the ISP's network.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html
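The challenge and response exchange described above, with both sides in one file. This is an added example, not code from Cisco or from the original page. As standardized in RFC 1994, the "encryption" step is a one-way MD5 hash over the ID, the shared secret and the challenge. The class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ID octet || shared secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class AccessServer:
    """Authenticator side: issues challenges and checks responses."""

    def __init__(self, hostname: str, user_db: dict):
        self.hostname = hostname
        self.user_db = user_db      # name -> shared secret (constructed data)
        self._pending = {}          # outstanding challenges, keyed by ID
        self._next_id = 0

    def challenge(self):
        """Build the challenge packet fields: ID, random number, host name."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # the ID is a single octet
        value = os.urandom(16)
        self._pending[ident] = value
        return ident, value, self.hostname

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        """Recompute the hash with the stored secret and compare."""
        value = self._pending.pop(ident, None)      # each challenge is single-use
        secret = self.user_db.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)

def demo():
    """One good login, one wrong password, one replayed response."""
    server = AccessServer("access-server", {"branch1": b"constructed-secret"})
    ident, value, _host = server.challenge()
    good = chap_response(ident, b"constructed-secret", value)
    results = {"good": server.verify(ident, "branch1", good)}
    ident2, value2, _host = server.challenge()
    bad = chap_response(ident2, b"wrong-secret", value2)
    results["wrong_password"] = server.verify(ident2, "branch1", bad)
    ident3, _value3, _host = server.challenge()
    # A response captured earlier does not satisfy a fresh challenge.
    results["replay"] = server.verify(ident3, "branch1", good)
    return results

if __name__ == "__main__":
    print(demo())
```

Only the ID, the random challenge, the name and the 16-byte hash cross the link; the shared secret stays on each end.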
Q9. When using SNMPv3 with NoAuthNoPriv, which string is matched for authentication?
A. username
B. password
C. community-string
D. encryption-key
Answer: A
Explanation:
The following security models exist: SNMPv1, SNMPv2, SNMPv3. The following security levels exist: "noAuthNoPriv" (no authentication and no encryption; noauth keyword in CLI), "AuthNoPriv" (messages are authenticated but not encrypted; auth keyword in CLI), "AuthPriv" (messages are authenticated and encrypted; priv keyword in CLI). SNMPv1 and SNMPv2 models only support the "noAuthNoPriv" model since they use a plain community string to match the incoming packets. SNMPv3 implementations can be configured to use any of the models on a per-group basis (if "noAuthNoPriv" is configured, the username serves as a replacement for the community string).
Reference: http://blog.ine.com/2008/07/19/snmpv3-tutorial/
Q10. IPv6 has just been deployed to all of the hosts within a network, but not to the servers. Which feature allows IPv6 devices to communicate with IPv4 servers?
A. NAT
B. NATng
C. NAT64
D. dual-stack NAT
E. DNS64
Answer: C
Explanation:
NAT64 is a mechanism to allow IPv6 hosts to communicate with IPv4 servers. The NAT64 server is the
endpoint for at least one IPv4 address and an IPv6 network segment of 32-bits (for instance 64:ff9b::/96, see RFC 6052, RFC 6146). The IPv6 client embeds the IPv4 address it wishes to communicate with using these bits, and sends its packets to the resulting address. The NAT64 server then creates a NAT-mapping between the IPv6 and the IPv4 address, allowing them to communicate.
Reference: http://en.wikipedia.org/wiki/NAT64
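How the IPv4 address is embedded in, and recovered from, a NAT64 address, for example when mapping an IPv6 destination seen in a log back to the IPv4 server behind it. This is an added example, not from the original page. It goes beyond the /96 case in the text to the other prefix lengths RFC 6052 allows, and the function names embed and extract are hypothetical.

```python
import ipaddress

ALLOWED = (32, 40, 48, 56, 64, 96)   # prefix lengths RFC 6052 permits
U_OCTET = 8                          # byte 8 (bits 64-71) stays zero and is skipped

def _check(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in ALLOWED:
        raise ValueError(f"/{net.prefixlen} is not a valid NAT64 prefix length")
    return net

def embed(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """Build the IPv6 address a client uses to reach IPv4 host v4."""
    net = _check(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8         # first byte after the prefix
    for octet in ipaddress.IPv4Address(v4).packed:
        if pos == U_OCTET:
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix: str, v6: str):
    """Return the embedded IPv4 address, or None if v6 is outside prefix."""
    net = _check(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        return None
    raw, pos, octets = addr.packed, net.prefixlen // 8, []
    while len(octets) < 4:
        if pos == U_OCTET:
            pos += 1
        octets.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))

if __name__ == "__main__":
    # 192.0.2.33 and 2001:db8::/32 are documentation ranges.
    print(embed("64:ff9b::/96", "192.0.2.33"))
    print(embed("2001:db8:100::/40", "192.0.2.33"))
    print(extract("64:ff9b::/96", "64:ff9b::c000:221"))
```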
Q11. Which Cisco VPN technology uses AAA to implement group policies and authorization and is also used for the XAUTH authentication method?
A. DMVPN
B. Cisco Easy VPN
C. GETVPN
D. GREVPN
Answer: B
Explanation:
Q12. Refer to the exhibit. Which statement about the command output is true?
A. The router exports flow information to 10.10.10.1 on UDP port 5127.
B. The router receives flow information from 10.10.10.2 on UDP port 5127.
C. The router exports flow information to 10.10.10.1 on TCP port 5127.
D. The router receives flow information from 10.10.10.2 on TCP port 5127.
Answer: A
Explanation:
Q13. Which two methods of deployment can you use when implementing NAT64? (Choose two.)
A. stateless
B. stateful
C. manual
D. automatic
E. static
F. functional
G. dynamic
Answer: A,B
Explanation:
While stateful and stateless NAT64 perform the task of translating IPv4 packets into IPv6 packets and vice versa, there are important differences. The following table provides a high-level overview of the most relevant differences.
Table 2. Differences Between Stateless NAT64 and Stateful NAT64
Stateless NAT64 | Stateful NAT64
1:1 translation | 1:N translation
No conservation of IPv4 address | Conserves IPv4 address
Assures end-to-end address transparency and scalability | Uses address overloading, hence lacks in end-to-end address transparency
No state or bindings created on the translation | State or bindings are created on every unique translation
Requires IPv4-translatable IPv6 address assignment (mandatory requirement) | No requirement on the nature of IPv6 address assignment
Requires either manual or DHCPv6 based address assignment for IPv6 hosts | Free to choose any mode of IPv6 address assignment viz. Manual, DHCPv6, SLAAC
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676277.html
Q14. For troubleshooting purposes, which method can you use in combination with the “debug ip packet” command to limit the amount of output data?
A. You can disable the IP route cache globally.
B. You can use the KRON scheduler.
C. You can use an extended access list.
D. You can use an IOS parser.
E. You can use the RITE traffic exporter.
Answer: C
Explanation:
The debug ip packet command generates a substantial amount of output and uses a substantial amount of
system resources. This command should be used with caution in production networks. Always use with the access-list command to apply an extended ACL to the debug output. Reference: http://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html
Q15. Refer to the exhibit. After configuring GRE between two routers running OSPF that are connected to each other via a WAN link, a network engineer notices that the two routers cannot establish the GRE tunnel to begin the exchange of routing updates. What is the reason for this?
A. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 47.
B. Either a firewall between the two routers or an ACL on the router is blocking UDP 57.
C. Either a firewall between the two routers or an ACL on the router is blocking TCP 47.
D. Either a firewall between the two routers or an ACL on the router is blocking IP protocol number 57.
Answer: A
Explanation:
Q16. You have been asked to evaluate how EIGRP is functioning in a customer network.
What percent of R1’s interface bandwidth is EIGRP allowed to use?
A. 10
B. 20
C. 30
D. 40
Answer: B
Explanation: