Q1. Refer to the exhibit.
Which technology can be used on the switch to enable host A to receive multicast packets for 239.2.2.2 but prevent host B from receiving them?
A. IGMP filtering
B. MLD snooping
C. IGMP snooping
D. MLD filtering
Answer: C
Explanation:
IGMP snooping is the process of listening to Internet Group Management Protocol (IGMP) network traffic. The feature allows a network switch to listen in on the IGMP conversation between hosts and routers. By listening to these conversations the switch maintains a map of which links need which IP multicast streams. Multicast traffic is then forwarded only on the links that have a member for the group, which controls which ports receive a specific multicast stream: host A's port, which sent a Membership Report for 239.2.2.2, receives it, and host B's port, which did not, does not.
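The configuration behind this answer, as an added example that is not part of the original page (VLAN 10, the interface names and the group address are assumed):

```text
! Added example: IGMP snooping on a Catalyst switch. VLAN 10 and the ports are assumed;
! host A is on Gi1/0/1 and host B on Gi1/0/2, both in VLAN 10.
ip igmp snooping
ip igmp snooping vlan 10
!
! Caveat: snooping only learns memberships from reports that answer a querier. If no
! PIM router sits on VLAN 10, the switch itself must send the queries, otherwise the
! entries age out and the switch falls back to flooding the group to every port.
ip igmp snooping vlan 10 querier
!
! Verification: only the port that reported membership for 239.2.2.2 should be listed;
! host B's port (Gi1/0/2) must be absent.
show ip igmp snooping groups vlan 10 239.2.2.2
show ip igmp snooping querier vlan 10
```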
Q2. DRAG DROP
What is the correct order of the VSS initialization process? Drag the actions on the left to the correct initialization step on the right.
Answer:
Q3. Refer to the exhibit.
Which configuration reduces CPU utilization on R2 while still advertising the connected routes of R2 to R1?
A. Configure eigrp stub connected on R2.
B. Configure eigrp stub receive-only on R1.
C. Configure eigrp stub static on R2.
D. Configure eigrp stub summary on R1.
Answer: A
Q4. Which technology can be used to secure the core of an STP domain?
A. UplinkFast
B. BPDU guard
C. BPDU filter
D. root guard
Answer: D
Explanation:
Since STP does not implement any authentication or encryption to protect the exchange of BPDUs, it is vulnerable to unauthorized participation and attacks. Cisco IOS offers the STP Root Guard feature to enforce the placement of the root bridge and secure the core of the STP domain.
STP root guard forces a port to remain a designated port so that no switch on the other end of the link can become the root switch. If a port configured for root guard receives a superior BPDU, the port is moved into the root-inconsistent (blocking) state and stops forwarding; it recovers automatically once superior BPDUs stop arriving, with no errdisable recovery needed. In this way, STP root guard blocks other devices from trying to become the root bridge.
STP root guard should be enabled on all ports that will never connect to a root bridge, for example, all end user ports. This ensures that a root bridge will never be negotiated on those ports.
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap7.html
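Root guard placement and the check a practitioner would run, as an added example that is not from the original page (interface numbers and descriptions are assumed):

```text
! Added example, not part of the original page; interface names are assumed.
! Gi1/0/24 faces a downstream switch that is allowed to participate in STP
! but must never become root for any VLAN.
interface GigabitEthernet1/0/24
 description to-downstream-switch
 spanning-tree guard root
!
! On an access port where no switch is ever expected, BPDU guard is the usual
! companion: any BPDU at all errdisables the port instead of merely blocking it.
interface GigabitEthernet1/0/1
 description end-user-port
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification: a root-guard port that received a superior BPDU is listed here
! as root-inconsistent and clears by itself when the superior BPDUs stop.
show spanning-tree inconsistentports
```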
Q5. Refer to the exhibit.
Which BGP feature allows R1 to instruct R2 which prefixes it is allowed to advertise to R1?
A. route refresh
B. Prefix-Based Outbound Route Filtering
C. distribute lists
D. prefix lists
Answer: B
Q6. Which statement describes the function of rekey messages?
A. They prevent unencrypted traffic from passing through a group member before registration.
B. They refresh IPsec SAs when the key is about to expire.
C. They trigger a rekey from the server when configuring the rekey ACL.
D. They authenticate traffic passing through a particular group member.
Answer: B
Explanation:
Rekey messages are used to refresh IPsec SAs. When the IPsec SAs or the rekey SAs are about to expire, one single rekey message for a particular group is generated on the key server. No new IKE sessions are created for the rekey message distribution. The rekey messages are distributed by the key server over an existing IKE SA. Rekeying can use multicast or unicast messages.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html
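The rekey parameters the explanation describes live in the key server's group policy. The following is an added example, not taken from the original page or the referenced guide; the group name, identity number, RSA key label, IPsec profile name, ACL name and address are assumed:

```text
! Added example: GETVPN key server rekey policy (names and addresses are assumed).
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  ! Rekey messages are signed with this RSA key; every group member must hold the
  ! matching public key, otherwise it silently discards the rekey and its SAs expire.
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey algorithm aes 256
  ! Lifetime of the rekey (KEK) SA; the IPsec (TEK) lifetime comes from the profile below
  rekey lifetime seconds 86400
  ! Resend an unacknowledged rekey twice, 10 seconds apart
  rekey retransmit 10 number 2
  ! Unicast rekey: each GM acknowledges. Use "rekey address ipv4 <acl>" for multicast.
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   ! time-based anti-replay, the mode that makes sense when all GMs share one SA
   replay time window-size 5
  address ipv4 192.0.2.1
```

Because a single rekey message is fanned out to the whole group over the existing IKE SA, the signing key is the trust anchor for the entire group; protect it like a CA key.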
Q7. Refer to the exhibit.
Routers R1 and R2 are configured as shown, and traffic from R1 fails to reach host 209.165.201.254.
Which action can you take to correct the problem?
A. Ensure that R2 has a default route in its routing table.
B. Change the OSPF area type on R1 and R2.
C. Edit the router configurations so that address 209.165.201.254 is a routable address.
D. Remove the default-information originate command from the OSPF configuration of R2.
Answer: A
Explanation:
Not sure that any of these answers is correct; it appears that this configuration is valid for reaching that one specific host IP. Answer A does have a route to that host, so it would not need a default route to get to it. Choice B is incorrect, as the area types have nothing to do with this. C is incorrect, as that IP address is routable, and D is needed so that R1 will have a default route advertised to it from R2 so that it can reach this destination.
Q8. Which two statements about a network running MPLS VPN with IS-IS IGP are true? (Choose two.)
A. IS-IS traffic engineering uses wide metric TLV type 135 with an up/down bit to define a leaked route.
B. IS-IS traffic engineering uses wide metric TLV type 128 with an internal/external bit and an up/down bit to define a leaked route.
C. IS-IS traffic engineering uses wide metric TLV type 130 with an internal/external bit and an up/down bit to define a leaked route.
D. If the IS-IS up/down bit is set to 1, the leaked route originated in the L1 area.
E. The MPLS VPN IS-IS core is inherently protected against IP-based attacks.
Answer: A,E
Q9. Refer to the exhibit.
Which action will solve the error state of this interface when connecting a host behind a Cisco IP phone?
A. Configure dot1x-port control auto on this interface
B. Enable errdisable recovery for security violation errors
C. Enable port security on this interface
D. Configure multidomain authentication on this interface
Answer: D
Explanation:
In single-host mode, a security violation is triggered when more than one device is detected on the data VLAN, so the phone and the host behind it together trip the violation. In multidomain authentication mode, one device is allowed on the data VLAN and one on the voice VLAN, and a security violation is triggered only when more than one device is detected in either domain. Here we see that single-host mode is being used, not multidomain mode.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.html#wp1309041
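The corrected port configuration, as an added example that is not from the original page; the interface, VLAN numbers and RADIUS server details are assumed:

```text
! Added example: 802.1X port with multidomain authentication (phone + host).
! Interface, VLANs and the RADIUS server are assumed.
aaa new-model
aaa authentication dot1x default group radius
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! One device on the data VLAN plus one on the voice VLAN is now allowed;
 ! the default (single-host) would treat the second MAC as a violation.
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
! Optional: clear a security-violation errdisable automatically after 5 minutes,
! so a misbehaving port does not need a manual shut/no shut.
errdisable recovery cause security-violation
errdisable recovery interval 300
!
! Verification: expect two sessions, one DATA domain and one VOICE domain
show authentication sessions interface GigabitEthernet1/0/5
```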
Q10. Which variable in an EEM applet is set when you use the sync yes option?
A. $_cli_result
B. $_result
C. $_string_result
D. $_exit_status
Answer: D
Explanation:
The CLI event detector screens CLI commands for a regular expression match. When a match is found, an event is published. The match logic is performed on the fully expanded CLI command after the command is successfully parsed and before it is executed. The CLI event detector supports three publish modes:
- Synchronous publishing of CLI events (sync yes): the CLI command is not executed until the EEM policy exits, and the EEM policy can control whether the command is executed. The read/write variable _exit_status allows you to set the exit status at policy exit for policies triggered from synchronous events. If _exit_status is 0, the command is skipped; if _exit_status is 1, the command is run.
- Asynchronous publishing of CLI events (sync no skip no): the CLI event is published, and then the CLI command is executed.
- Asynchronous publishing of CLI events with command skipping (sync no skip yes): the CLI event is published, but the CLI command is not executed.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/command/eem-cr-book/eem-cr-e1.html
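Both modes side by side, as an added example that is not part of the original page; the applet names and syslog text are assumed:

```text
! Added example: synchronous CLI event with _exit_status, and an asynchronous one.
! Applet names and messages are assumed.
!
! "sync yes" holds the matching command until the applet finishes. Setting
! _exit_status to 0 cancels the command; 1 (the default) lets it run.
event manager applet BLOCK-RELOAD
 event cli pattern "^reload" sync yes
 action 1.0 syslog priority warnings msg "reload blocked by EEM; use the change process"
 action 2.0 set _exit_status 0
!
! "sync no" publishes the event and runs the command regardless; the applet
! can only observe it. $_cli_msg carries the fully expanded command text.
event manager applet LOG-CONFIG
 event cli pattern "^configure terminal" sync no skip no
 action 1.0 syslog msg "config mode entered: $_cli_msg"
!
show event manager policy registered
```

Note that anyone with privilege 15 can remove the applet, so this is a guard rail against mistakes rather than a substitute for AAA command authorization.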
Q11. Which two configuration changes should be made on the OTP interface of an EIGRP OTP route reflector? (Choose two.)
A. passive-interface
B. no split-horizon
C. no next-hop-self
D. hello-interval 60, hold-time 180
Answer: B,C
Explanation:
The EIGRP Over the Top feature enables a single end-to-end Enhanced Interior Gateway Routing Protocol (EIGRP) routing domain that is transparent to the underlying public or private WAN transport that is used for connecting disparate EIGRP customer sites. When an enterprise extends its connectivity across multiple sites through a private or a public WAN connection, the service provider mandates that the enterprise use an additional routing protocol, typically the Border Gateway Protocol (BGP), over the WAN links to ensure end-to-end routing. The use of an additional protocol causes additional complexity for the enterprise, such as extra routing processes and sustained interaction between EIGRP and the other protocol to ensure connectivity. With the EIGRP Over the Top feature, routing is consolidated into a single protocol (EIGRP) across the WAN.
Perform this task to configure a customer edge (CE) device in a network to function as an EIGRP Route Reflector:
1. enable
2. configure terminal
3. router eigrp virtual-name
4. address-family ipv4 unicast autonomous-system as-number
5. af-interface interface-type interface-number
6. no next-hop-self
7. no split-horizon
8. exit
9. remote-neighbors source interface-type interface-number unicast-listen lisp-encap
10. network ip-address
11. end
Note. Use no next-hop-self to instruct EIGRP to use the received next hop and not the local outbound interface address as the next hop to be advertised to neighboring devices. If no next-hop-self is not configured, the data traffic will flow through the EIGRP Route Reflector.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_eigrp/configuration/xe-3s/ire-xe-3s-book/ire-eigrp-over-the-top.html
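The procedure above carried through as one complete configuration, as an added example that is not from the original page or the referenced guide; the virtual instance name, AS number, loopback, network and authentication key are assumed:

```text
! Added example: EIGRP OTP route reflector on a CE. Names, AS and addresses are assumed.
router eigrp OTP
 address-family ipv4 unicast autonomous-system 100
  af-interface Loopback0
   ! Advertise the originating CE's next hop instead of this router's address,
   ! so data traffic does not hairpin through the route reflector
   no next-hop-self
   ! Routes learned from one CE must be re-advertised to the other CEs
   no split-horizon
   ! unicast-listen accepts hellos from any source over the WAN; authenticate them
   authentication mode hmac-sha-256 <otp-key>
  exit-af-interface
  ! Accept LISP-encapsulated unicast hellos from the remote CEs, sourced from Loopback0
  remote-neighbors source Loopback0 unicast-listen lisp-encap
  network 10.0.0.0
 exit-address-family
!
show eigrp address-family ipv4 neighbors
```

Without the authentication line, any host that can reach Loopback0 over the WAN could form an adjacency with the route reflector, which is the one place in this design that sees every site's routes.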
Q12. Which three statements about bridge assurance are true? (Choose three.)
A. Bridge assurance must be enabled on both ends of a link.
B. Bridge assurance can be enabled on one end of a link or on both ends.
C. Bridge assurance is enabled on STP point-to-point links only.
D. Bridge assurance is enabled on STP multipoint links only.
E. If a bridge assurance port fails to receive a BPDU after a timeout, the port is put into a blocking state.
F. If a bridge assurance port fails to receive a BPDU after a timeout, the port is put into an error disabled state.
Answer: A,C,E
Explanation:
Bridge Assurance is enabled by default and can only be disabled globally. Also, Bridge Assurance can be enabled only on spanning tree network ports that are point-to-point links.
Finally, both ends of the link must have Bridge Assurance enabled.
With Bridge Assurance enabled, BPDUs are sent out on all operational network ports, including alternate and backup ports, for each hello time period. If the port does not receive a BPDU for a specified period, the port moves into the blocking state and is not used in the root port calculation. Once that port receives a BPDU, it resumes the normal spanning tree transitions.
Reference:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/SpanningEnhanced.html
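How this looks on a Nexus switch, as an added example that is not part of the original page; the interface is assumed:

```text
! Added NX-OS example; the interface is assumed.
! Bridge Assurance is enabled globally by default; the per-port type decides
! which links actually use it.
spanning-tree bridge assurance
!
! Only point-to-point "network" ports run Bridge Assurance, and the switch on the
! other end must be configured the same way or the link never leaves blocking.
interface Ethernet1/1
 description inter-switch link, both ends set to port type network
 spanning-tree port type network
!
! Verification: a network port that stopped receiving BPDUs is reported as
! BA-Inc (Bridge Assurance Inconsistent) until BPDUs resume.
show spanning-tree summary
show spanning-tree interface ethernet 1/1 detail
```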
Q13. Which two BGP attributes are optional, non-transitive attributes? (Choose two.)
A. AS path
B. local preference
C. MED
D. weight
E. cluster list
Answer: C,E
Q14. Which two statements about MLD are true? (Choose two.)
A. MLD is a subprotocol of ICMPv6.
B. When a single link supports multiple interfaces, only one interface is required to send MLD messages.
C. MLD is a subprotocol of PIMv6.
D. When a single link supports multiple interfaces, all supported interfaces are required to send MLD messages.
E. There are three subtypes of MLD query messages.
F. The code section in the MLD message is set to 1 by the sender and ignored by receivers.
Answer: A,B
Q15. Which three steps are necessary to enable SSH? (Choose three.)
A. generating an RSA or DSA cryptographic key
B. configuring the version of SSH
C. configuring a domain name
D. configuring VTY lines for use with SSH
E. configuring the port for SSH to listen for connections
F. generating an AES or SHA cryptographic key
Answer: A,C,D
Explanation:
Here are the steps:
1. Configure a hostname for the router using these commands.
yourname#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
yourname(config)#hostname LabRouter
LabRouter(config)#
2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used CiscoLab.com.
LabRouter(config)#ip domain-name CiscoLab.com
3. We generate an RSA key pair that SSH will use to identify the router and set up the encrypted session, using the crypto key generate rsa command.
Take note of the message that is displayed right after we enter this command: “The name for the keys will be: LabRouter.CiscoLab.com”. It combines the hostname of the router with the domain name we configured to get the name of the key pair; this is why it was important to configure a hostname and then a domain name before generating the keys.
Notice also that it asks us to choose a size of modulus for the key we’re about to generate.
The larger the modulus, the stronger the key. For our example, we’ll use a modulus of 1024; on a production device use 2048 bits or more, since 1024-bit RSA is no longer considered adequate.
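The three required steps (key pair, domain name, VTY lines) assembled into one working configuration, as an added example that is not part of the original page; the username, password placeholder and 2048-bit modulus are choices made here, not the page's:

```text
! Added example: complete SSH enablement plus hardening. Username and password are assumed.
hostname LabRouter
ip domain-name CiscoLab.com
! Key pair name becomes LabRouter.CiscoLab.com; 2048 bits instead of the 1024 used above
crypto key generate rsa modulus 2048
! SSHv1 has known protocol weaknesses; allow only version 2
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
username admin privilege 15 secret <strong-password>
!
line vty 0 4
 login local
 ! Refuse telnet entirely; without this line the VTYs still accept cleartext logins
 transport input ssh
!
show ip ssh
show crypto key mypubkey rsa
```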