Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which two statements about the default router settings for SSH connections are true? (Choose two.)
A. The default timeout value for the SSH negotiation phase is 120 seconds.
B. Data is exchanged in clear text by default unless AAA authentication is enabled on the console.
C. The default number of authentication retries is 3.
D. SSH is enabled by default when you configure the username command.
Answer: A,C
Explanation:
ip ssh {timeout seconds | authentication-retries number}
Configures the SSH control parameters:
. Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. This parameter applies to the SSH negotiation phase. After the connection is established, the Switch uses the default time-out values of the CLI-based sessions. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
. Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/secur ity/configuration_guide/b_sec_3se_3850_cg/b_sec_3se_3850_cg_chapter_01000.html
Q2. Which two tasks are required for configuring SNMP to send traps on a Cisco IOS device? (Choose two.)
A. Create access controls for an SNMP community.
B. Configure SNMP notifications.
C. Configure the SNMP agent.
D. Configure SNMP status monitoring and troubleshooting.
E. Configure SNMP server group names.
F. Configure the SNMP server engine ID.
Answer: A,B
Explanation:
The best current practices recommend applying Access Control Lists (ACLs) to community strings and ensuring that the requests community strings are not identical to notifications community strings. Access lists provide further protection when used in combination with other protective measures. This example sets up ACL to community string:
access-list 1 permit 1.1.1.1 snmp-server community string1 ro 1
. SNMP Notifications
A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Unsolicited (asynchronous) notifications can be generated as traps or inform requests. Traps are messages alerting the SNMP manager to a condition on the network. Inform requests (informs) are traps that include a request for confirmation of receipt from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf014.h tml#wp1007320
Q3. Which three responses can a remote RADIUS server return to a client? (Choose three.)
A. Reject-Challenge
B. Access-Reject
C. Accept-Confirmed
D. Access-Accept
E. Access-Challenge
F. Reject-Access
Answer: B,D,E
Q4. Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)
A. the process ID
B. the hello interval
C. the subnet mask
D. authentication
E. the router ID
F. the OSPF interface priority
Answer: B,C,D
Q5. Which two statements are true about a 6to4 tunnel connecting two IPv6 islands over the IPv4 Internet? (Choose two.)
A. It embeds the IPv6 packet into the IPv4 payload with the protocol type set to 51.
B. It works by appending the private IPv4 address (converted into hexadecimal format) to the 2002::/16 prefix.
C. It embeds the IPv6 packet into the IPv4 payload with the protocol type set to 41.
D. It works by appending the public IPv4 address (converted into hexadecimal format) to the 2002::/16 prefix.
Answer: C,D
Explanation:
6to4 embeds an IPv6 packet in the payload portion of an IPv4 packet with protocol type 41. To send an IPv6 packet over an IPv4 network to a 6to4 destination address, an IPv4
header with protocol type 41 is prepended to the IPv6 packet. The IPv4 destination address for the prepended packet header is derived from the IPv6 destination address of the inner packet (which is in the format of a 6to4 address), by extracting the 32 bits immediately following the IPv6 destination address's 2002::/16 prefix. The IPv4 source address in the prepended packet header is the IPv4 address of the host or router which is sending the packet over IPv4. The resulting IPv4 packet is then routed to its IPv4 destination address just like any other IPv4 packet.
Reference: http://en.wikipedia.org/wiki/6to4
Q6. Which three TLVs does LLDP use to discover network devices? (Choose three.)
A. Management address
B. Port description
C. Network policy
D. System name
E. Location information
F. Power management
Answer: A,B,D
Explanation:
Basic Management TLV Set
This set includes the following five TLVs used in LLDP:
. Port description TLV: Provides a description of the port in an alpha-numeric format. The value equals the ifDescr object, if the LAN device supports RFC 2863.
. System name TLV: Provides the system's assigned name in an alpha-numeric format. The value equals the sysName object, if the LAN device supports RFC 3418.
. System description TLV: Provides a description of the network entity in an alpha-numeric format. This includes system's name and versions of hardware, operating system and networking software supported in the device. The value equals the sysDescr object, if the LAN device supports RFC 3418.
. System capabilities TLV: Indicates the primary function(s) of the device and whether or not these functions are enabled in the device. The capabilities are indicated by two octects. Bits 0 through 7 indicate Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device and Station respectively. Bits 8 through 15 are reserved.
. Management address TLV: Indicates the addresses of the local LLDP agent. Other remote managers can use this address to obtain information related to the local device.
Reference: http://www.eetimes.com/document.asp?doc_id=1272069
Q7. What are the three HDLC operating modes? (Choose three.)
A. normal response
B. asynchronous balanced
C. synchronous response
D. asynchronous response
E. normal balanced
F. synchronous balanced
Answer: A,B,D
Q8. Refer to the exhibit.
All switches are Cisco switches. Assume that Cisco Discovery Protocol is enabled only on switches A and C.
Which information is returned when you issue the command show cdp neighbors on switch C?
A. a limited amount of information about switch B
B. no neighbor details will be returned
C. neighbor details for switch B
D. neighbor details for switch A
E. neighbor details for switch C
Answer: B
Explanation:
CDP is used to discover information on directly connected neighbors only, so in this case SwitchC would only be able to obtain CDP information from SwitchB. However, since SwitchB is not running CDP then no neighbor information will be seen on SwitchC. Same goes for Switch A also in this topology.
Q9. Which statement describes the function of rekey messages?
A. They prevent unencrypted traffic from passing through a group member before registration.
B. They refresh IPsec SAs when the key is about to expire.
C. They trigger a rekey from the server when configuring the rekey ACL.
D. They authenticate traffic passing through a particular group member.
Answer: B
Explanation:
Rekey messages are used to refresh IPsec SAs. When the IPsec SAs or the rekey SAs are about to expire, one single rekey message for a particular group is generated on the key server. No new IKE sessions are created for the rekey message distribution. The rekey messages are distributed by the key server over an existing IKE SA. Rekeying can use multicast or unicast messages.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html
Q10. Refer to the exhibit.
The spokes of the DMVPN with the given configuration are having QoS issues.
Which two actions can you take to resolve the problem? (Choose two.)
A. Configure qos pre-classify on the tunnel interface.
B. Configure an NHRP group on the tunnel interface and associate it to a QoS policy.
C. Modify the configuration of the IPsec policy to accept QoS policies.
D. Manually configure a QoS policy on the serial interface.
E. Configure the bandwidth statement on the tunnel interface.
F. Configure the bandwidth statement on the serial interface.
Answer: A,B
Explanation:
It is possible to classify based on information that is encrypted, which is needed in this example. You can use an access-list, configured to match the private subnet behind the remote spoke. The qos pre-classify command is used on the tunnel interface, and is required because the traffic is classified by a parameter that is encrypted as the traffic leaves the physical outbound interface. L4 information from the IP data packet can also classify traffic destined to the same private subnet. The “nhrp map group group-name service-policy output parent-policy-name” command adds the NHRP group to the QoS policy map on the hub.
Q11. DRAG DROP
Drag and drop the SNMP element on the left to the corresponding definition on the right.
Answer:
Q12. Refer to the exhibit.
Which device role could have generated this debug output?
A. an NHS only
B. an NHC only
C. an NHS or an NHC
D. a DMVPN hub router
Answer: B
Explanation:
NHRP works off a server/client relationship, where the NHRP clients (let’s call them next hop clients/NHCs) register with their next hop server (NHS), it’s the responsibility of the NHS to track all of its NHCs this is done with registration request and reply packets. Here we see a registration request, which can only be sent by an NHC.
Q13. Which protocol will accept incoming updates when the passive-interface command is configured?
A. OSPF
B. IS-IS
C. RIP
D. EIGRP
Answer: C
Q14. Which two 802.1D port states are expected in a stable Layer 2 network? (Choose two.)
A. forwarding
B. learning
C. listening
D. blocking
E. disabled
Answer: A,D
Q15. Refer to the exhibit.
Service provider SP 1 is running the MPLS-VPN service. The MPLS core network has MP-BGP configured with RR-1 as route reflector. What will be the effect on traffic between PE1 and PE2 if router P1 goes down?
A. No effect, because all traffic between PE1 and PE2 will be rerouted through P2.
B. No effect, because P1 was not the only P router in the forwarding path of traffic.
C. No effect, because RR-1 will find an alternative path for MP-BGP sessions to PE-1 and PE-2.
D. All traffic will be lost because RR-1 will lose the MP-BGP sessions to PE-1 and PE-2.
Answer: D
Explanation:
If the connection to the route reflector goes down, then routes from PE-1 will not get advertised to PE2, and vice versa. Route reflectors are critical in an MPLS VPN such as the one shown, which is why it is a best practice to have multiple route reflectors in this kind of network.