Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which two statements about the ipv6 ospf authentication command are true? (Choose two.)
A. The command is required if you implement the IPsec AH header.
B. The command configures an SPI.
C. The command is required if you implement the IPsec TLV.
D. The command can be used in conjunction with the SPI authentication algorithm.
E. The command must be configured under the OSPFv3 process.
Answer: A,B
Explanation:
OSPFv3 requires the use of IPsec to enable authentication. Crypto images are required to use authentication, because only crypto images include the IPsec API needed for use with OSPFv3. In OSPFv3, authentication fields have been removed from OSPFv3 packet headers. When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 authentication header (AH) or IPv6 ESP header to ensure integrity, authentication, and confidentiality of routing exchanges. IPv6 AH and ESP extension headers can be used to provide authentication and confidentiality to OSPFv3. To use the IPsec AH, you must enable the ipv6 ospf authentication command. To use the IPsec ESP header, you must enable the ipv6 ospf encryption command. The ESP header may be applied alone or in combination with the AH, and when ESP is used, both encryption and authentication are provided. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a security gateway and a host. To configure IPsec, you configure a security policy, which is a combination of the security policy index (SPI) and the key (the key is used to create and validate the hash value). IPsec for OSPFv3 can be configured on an interface or on an OSPFv3 area. For higher security, you should configure a different policy on each interface configured with IPsec. If you configure IPsec for an OSPFv3 area, the policy is applied to all of the interfaces in that area, except for the interfaces that have IPsec configured directly. Once IPsec is configured for OSPFv3, IPsec is invisible to you.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html
Q2. What is the destination address of an IGMPv2 general membership query?
A. 224.0.0.1
B. 224.0.1.1
C. 224.0.0.2
D. the multicast group address
Answer: A
Q3. Refer to the exhibit.
Which LISP component do routers in the public IP network use to forward traffic between the two networks?
A. EID
B. RLOC
C. map server
D. map resolver
Answer: B
Explanation:
Locator ID Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address:
. Endpoint identifiers (EIDs)—assigned to end hosts.
. Routing locators (RLOCs)—assigned to devices (primarily routers) that make up the global routing system. The public networks use the RLOC to forward traffic between networks.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_lisp/configuration/15-mt/irl-15-mt-book/irl-overview.html
Q4. Refer to the exhibit.
Which action must you take to enable full reachability from router C to router D?
A. Build an OSPF virtual link.
B. Build an OSPF sham link.
C. Configure mutual redistribution between OSPF and EIGRP on routers A and B.
D. Add a static route on router D.
Answer: C
Explanation:
For full connectivity, we need to configure mutual redistribution to advertise the EIGRP routes into OSPF and to advertise the OSPF routes into the EIGRP network. This needs to be done at the two border routers that connect to both the EIGRP and OSPF domains.
Q5. The session status for an IPsec tunnel with IPv6-in-IPv4 is down with the error message IKE message from 10.10.1.1 failed its sanity check or is malformed.
Which statement describes a possible cause of this error?
A. There is a verification failure on the IPsec packet.
B. The SA has expired or has been cleared.
C. The pre-shared keys on the peers are mismatched.
D. There is a failure due to a transform set mismatch.
E. An incorrect packet was sent by an IPsec peer.
Answer: C
Explanation:
IKE Message from X.X.X.X Failed its Sanity Check or is Malformed This debug error appears if the pre-shared keys on the peers do not match. In order to fix this issue, check the pre-shared keys on both sides. 1d00H:%CRPTO-4-IKMP_BAD_MESSAGE. IKE message from 150.150.150.1 failed its sanity check or is malformed.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#ike
Q6. Refer to the exhibit.
All switches have default bridge priorities, and originate BPDUs with MAC addresses as indicated. The numbers shown are STP link metrics. Which two ports are in blocking state after STP converges? (Choose two.)
A. the port on switch SWD that connects to switch SWE
B. the port on switch SWF that connects to switch SWG
C. the port on switch SWD that connects to switch SWC
D. the port on switch SWB that connects to switch SWD
Answer: C,D
Explanation:
This is a scenario that wants you to demonstrate understanding of the Root switch and Root port election process. So, it’s best to start with where the root switch will be and work down from there. It’s setup nicely because the lowest MAC address switch starts at the top and then the lower priority/higher mac addresses move down the architecture. SWA wins the root election and of course all ports in SWA are forwarding. SWB introduces the possibility for a switching loop so it’s important to understand which ports will be put into the blocking state. Since SWD is a higher MAC address it will end up with a blocked port connected to SWB to prevent a loop: and this is one of the correct answers. To prevent the possibility of another potential switching loop, SWD again ends up with the higher MAC address so blocking the link between D and C prevents a B/C/D switching loop.
Q7. Refer to the exhibit.
What will be the extended community value of this route?
A. RT:200:3000 RT:200:9999
B. RT:200:9999 RT:200:3000
C. RT:200:3000
D. RT:200:9999
Answer: D
Explanation:
Here the route map is being used to manually set the extended community RT to 200:9999
Q8. DRAG DROP
Drag and drop the EIGRP query condition on the left to the corresponding action taken by the router on the right.
Answer:
Q9. What happens when an interface is configured as passive in OSPF?
A. No OSPF neighbor ship is formed on the interface.
B. An OSPF neighbor ship is formed with the DR, but not with the BDR.
C. The subnet configured on the interface is not advertised to any other neighbor.
D. OSPF hello messages are sent as unicast instead of multicast.
Answer: A
Q10. Refer to the exhibit.
Router R2 is learning the 192.168.1.0/24 network from R1 via EIGRP and eBGP. R2 then redistributes EIGRP into OSPF as metric-type 2 with default metrics. Which metric of the route in the R3 routing table?
A. 20
B. 30
C. 110
D. The route is not present in the R3 routing table.
Answer: D
Q11. Refer to the exhibit.
Which statement is true?
A. R2 is directly connected to the receiver for this group and is the winner of an assert mechanism.
B. R2 is directly connected to the receiver for this group, and it forwards the traffic onto Ethernet3/0, but it is forwarding duplicate traffic onto Ethernet3/0.
C. R2 has the A flag (Accept flag) set on Ethernet 3/0. This is fine, since the group is in BIDIR-PIM mode.
D. R2 is directly connected to the receiver for this group and is the loser of an assert mechanism.
E. The A flag is set until the SPT threshold is reached for this multicast group.
Answer: A
Explanation:
show ip mroute Field Descriptions
Field
Description
RPF neighbor or RPF nbr
IP address of the upstream router to the source. Tunneling indicates that this router is sending data to the RP encapsulated in register packets. The hexadecimal number in parentheses indicates to which RP it is registering. Each bit indicates a different RP if multiple RPs per group are used. If an asterisk (*) appears after the IP address in this field, the RPF neighbor has been learned through an assert.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ipmulti/command/reference/fiprmc_r/1rfmult 3.html
Q12. Refer to the exhibit.
Which two options are possible states for the interface configured with the given OSPFv3
authentication? (Choose two.)
A. GOING UP
B. DOWN
C. UNCONFIGURED
D. GOING DOWN
Answer: A,B
Explanation:
To configure IPsec, you configure a security policy, which is a combination of the security policy index (SPI) and the key (the key is used to create and validate the hash value). IPsec for OSPFv3 can be configured on an interface or on an OSPFv3 area. For higher security, you should configure a different policy on each interface configured with IPsec. If you configure IPsec for an OSPFv3 area, the policy is applied to all of the interfaces in that area, except for the interfaces that have IPsec configured directly. Once IPsec is configured for OSPFv3, IPsec is invisible to you. The secure socket API is used by applications to secure traffic. The API needs to allow the application to open, listen, and close secure sockets. The binding between the application and the secure socket layer also allows the secure socket layer to inform the application of changes to the socket, such as connection open and close events. The secure socket API is able to identify the socket; that is, it can identify the local and remote addresses, masks, ports, and protocol that carry the traffic requiring security. Each interface has a secure socket state, which can be one of the following:
. NULL: Do not create a secure socket for the interface if authentication is configured for the area.
. DOWN: IPsec has been configured for the interface (or the area that contains the interface), but OSPFv3 either has not requested IPsec to create a secure socket for this interface, or there is an error condition.
. GOING UP: OSPFv3 has requested a secure socket from IPsec and is waiting for a CRYPTO_SS_SOCKET_UP message from IPsec.
. UP: OSPFv3 has received a CRYPTO_SS_SOCKET_UP message from IPsec.
. CLOSING: The secure socket for the interface has been closed. A new socket may be opened for the interface, in which case the current secure socket makes the transition to the DOWN state. Otherwise, the interface will become UNCONFIGURED.
. UNCONFIGURED. Authentication is not configured on the interface.
OSPFv3 will not send or accept packets while in the DOWN state.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro-15-sy-book/ip6-route-ospfv3-auth-ipsec.html
Q13. Refer to the exhibit.
How can the EIGRP hello and hold time for Gig0/0 be changed to 5 and 15?
A. No action is required, since Gig0/0 is not listed with a nondefault hello and hold time.
B. Add the commands ip hello-interval eigrp 1 5 and ip hold-time eigrp 1 15 under interface Gig0/0.
C. Add the commands hello-interval 5 and hold-time 15 under "af-interface Gig0/0" under the address family.
D. Add the commands default hello-interval and default hold-time under the af-interface Gig0/0 statement under the address family.
Answer: C
Explanation:
To configure the hello interval for an interface, use the hello-interval command in interface configuration mode To configure the hold time for an interface, use the hold-time command in interface configuration mode.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-1/routing/command/reference/b_routing_cr41crs/b_routing_cr41crs_chapter_010.html#wp2 323069468
Q14. What is the function of the command ip pim autorp listener?
A. It allows a border PIM sparse mode router to accept autorp information from another autonomous system.
B. It allows the mapping agents to accept autorp information from the PIM rendezvous point.
C. It allows the routers to flood the autorp information in a sparse-mode-only network.
D. It allows a BSR to accept autorp information and translate it into BSR messages.
Answer: C
Explanation:
To cause IP multicast traffic for the two Auto-RP groups 224.0.1.39 and 224.0.1.40 to be Protocol Independent Multicast (PIM) dense mode flooded across interfaces operating in PIM sparse mode, use the ip pim autorp listener command in global configuration mode. To disable this feature, use the no form of this command.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipmulti/command/imc-cr-book/imc_i3.html#wp3085748429
Q15. Which statement describes Cisco PfR link groups?
A. Link groups enable Cisco PfR Fast Reroute when NetFlow is enabled on the external interfaces of the border routers.
B. Link groups define a strict or loose hop-by-hop path pReference:
C. Link groups are required only when Cisco PfR is configured to load-balance all traffic.
D. Link groups are enabled automatically when Cisco PfR is in Fast Reroute mode.
E. Link groups set a preference for primary and fallback (backup) external exit interfaces.
Answer: E
Explanation:
The Performance Routing - Link Groups feature introduced the ability to define a group of exit links as a preferred set of links, or a fallback set of links for PfR to use when optimizing traffic classes specified in an PfR policy. PfR currently selects the best link for a traffic class based on the preferences specified in a policy and the traffic class performance—using parameters such as reachability, delay, loss, jitter or MOS—on a path out of the specified link.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/pfr/configuration/guide/15_1/pfr_15_1_book/pfr-link-group.html