Note that in the exam the tickets are given in random order, so the best way to troubleshoot is
to ping all the devices, from the nearest to the farthest from the client, until you stop
receiving replies.
One more thing to remember: you can only use "show" commands to find the problems and
you are not allowed to make any changes to the configuration. In fact, in the exam you cannot
enter global configuration mode!
Multiple Choice Questions
http://www.networktut.com/multiple-choice-questions
Question 1
Which of the following features allows a router to install a floating route in its routing table
when the GRE tunnel is disrupted?
A. tracking objects
B. IP SLA
C. ?
D. GRE keepalive
Answer: D
Explanation
GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does
not keep any information about the state or availability of the remote tunnel endpoint. A
consequence of this is that the local tunnel endpoint router does not have the ability to bring the
line protocol of the GRE Tunnel interface down if the remote end of the tunnel is unreachable.
The ability to mark an interface as down when the remote end of the link is not available is used
in order to remove any routes (specifically static routes) in the routing table that use that
interface as the outbound interface. Specifically, if the line protocol for an interface is changed
to down, then any static routes that point out that interface are removed from the routing table.
This allows for the installation of an alternate (floating) static route or for Policy Based Routing
(PBR) in order to select an alternate next-hop or interface.
Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long
as there is a valid tunnel source address or interface which is up. The tunnel destination IP
address must also be routable. This is true even if the other side of the tunnel has not been
configured. This means that a static route or PBR forwarding of packets via the GRE tunnel
interface remains in effect even though the GRE tunnel packets do not reach the other end of the
tunnel.
Before GRE keepalives were implemented, there were only ways to determine local issues on
the router and no way to determine problems in the intervening network. For example, the case
in which the GRE tunneled packets are successfully forwarded, but are lost before they reach
the other end of the tunnel. Such scenarios would cause data packets that go through the GRE
tunnel to be "black holed", even though an alternate route that uses PBR or a floating static
route via another interface might be available. Keepalives on the GRE tunnel interface are used
in order to solve this issue in the same way as keepalives are used on physical interfaces.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-00.html
Question 2
Which two routing protocols are permitted by the ACL above? (Choose two)
A. BGP
B. OSPF
C. EIGRP
D. GRE
E. NSE (something like that)
Answer: A B
Explanation
BGP operates on TCP port 179, and the ACL statements "access-list 101 permit tcp any 10.1.1.1
eq 179" and "access-list 101 permit tcp any eq 179 any" allow BGP to go through.
The protocol number (not port number) of OSPF is 89, so the first ACL statement "permit 89
any any" is the same as "permit ospf any any" -> Answer B is correct.
EIGRP runs directly over IP using IP protocol number 88 – it does not use TCP or UDP. In the
above ACL statements there is no line for EIGRP, so it will be dropped by the implicit "deny all"
statement at the end of the ACL -> Answer C is not correct.
GRE is allowed by the "access-list 101 permit gre any any" statement, but this question asks
about routing protocols, so GRE is not a valid option.
Note: Keep in mind that there is a big difference between a port number and a protocol
number. In an ACL, the number after the keyword "eq" (equal) is a port number, not a
protocol number. For example, IP is protocol number 4, ICMP is 1, EIGRP is 88, and OSPF is
protocol number 89.
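The following added example (not part of the original explanation) evaluates the four ACL 101 statements quoted above by protocol field and "eq" port, to show why BGP and OSPF pass while EIGRP hits the implicit deny. The statement order after the first line and the helper names are assumptions, and addresses are deliberately not evaluated.

```python
# IOS protocol keywords mapped to IP protocol numbers ("ip" matches every protocol).
PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17,
             "gre": 47, "eigrp": 88, "ospf": 89}

# The four ACL 101 statements quoted in the explanation. Only "permit 89 any any"
# is known to be first; the order of the other three is assumed.
ACL_101 = [
    "access-list 101 permit 89 any any",
    "access-list 101 permit tcp any 10.1.1.1 eq 179",
    "access-list 101 permit tcp any eq 179 any",
    "access-list 101 permit gre any any",
]

# How each routing protocol appears on the wire: (IP protocol number, TCP port).
ROUTING = {"BGP": (6, 179), "OSPF": (89, None), "EIGRP": (88, None)}


def parse(line):
    """Return (action, IP protocol number or None, set of 'eq' ports)."""
    tok = line.split()
    if tok[0] == "access-list":          # drop "access-list <number>"
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    number = int(proto) if proto.isdigit() else PROTO_NUM[proto]
    ports = {int(tok[i + 1]) for i, t in enumerate(tok[:-1]) if t == "eq"}
    return action, number, ports


def permitted(acl, proto_num, port=None):
    """First match on protocol and port wins; no match means implicit deny.
    Simplification: source/destination addresses are not evaluated."""
    for line in acl:
        action, number, ports = parse(line)
        if number is not None and number != proto_num:
            continue
        if ports and port not in ports:
            continue
        return action == "permit"
    return False


def permitted_routing_protocols(acl):
    return sorted(n for n, (num, port) in ROUTING.items() if permitted(acl, num, port))


if __name__ == "__main__":
    print(permitted_routing_protocols(ACL_101))
    # "eq 89" is a TCP port, so this line does not admit OSPF (protocol 89):
    print(permitted(["access-list 101 permit tcp any any eq 89"], 89))
```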
Question 3
Refer to the exhibit.
R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.255.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.255.0
A company is implementing Management Plane Protection (MPP) on its network. Which of the
following commands allows R2 to successfully connect to R1 via SSH?
Answer: B
Explanation
R1#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system
In this question it seems R1 does not allow SSH to interface Gi0/0 of R1 (via the line "SSH 0")
so we have to SSH to interface Gi0/2 instead.
Question 4
Section 1
R1#debug ip ospf hello
…
Section 2
R1#
Debugging is
Condition 1 – username
Condition 2 – int g0/2
Section 3
R1#debug ip ospf hello
…
Which of the following commands results in Section 2 of the output above?
A.
R#debug condition username
R#debug condition interface g0/2
B.
R# debug condition interface g0/2
R#debug condition username
C.
R(conf)# debug condition username
R(conf)#debug condition interface g0/2
D.
R(conf)#debug condition interface g0/2
R(conf)# debug condition username
Answer: A
Explanation
The "debug condition" command must be issued in Privileged mode (not global configuration
mode).
Question 5
Two hosts (PC A & PC B) in the same subnet (IP addresses 10.10.10.10 & 10.10.10.30, both
/24) are each connected to a Layer 2 switch (using ports g0/5). The Layer 2 switches connect to
other switches, which connect to a Multilayer (L3) switch.
Answer: B
Explanation
Suppose all the related ports are in the up/up state; then there are only two reasons that PCA & PCB
cannot communicate:
+ These two PCs are in different VLANs
+ The ports on the L3 switch that are connected to the two Layer 2 switches are routing ports (with the "no
switchport" command)
Question 6
R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
2 permit ip host xxxx host xxxxx
3 permit ip host xxxx host xxxxx
4 permit ip host xxxx host xxxxx
5 permit ip host xxxx host xxxxx
6 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
8 permit ip host xxxx host xxxxx
9 permit ip host xxxx host xxxx
Which of the following commands inserts five additional lines to the ACL Entry Sequence
between lines 3 and 4 without changing the existing configuration?
Answer: A
Explanation
R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
13 permit ip host xxxx host xxxxx
19 permit ip host xxxx host xxxxx
25 permit ip host xxxx host xxxxx
31 permit ip host xxxx host xxxxx
37 permit ip host xxxx host xxxxx
43 permit ip host xxxx host xxxxx
49 permit ip host xxxx host xxxx
-> We can insert five additional lines between two consecutive lines now.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-seq-num.html
Question 7
An engineer performed a router upgrade. After an unexpected reboot, the router loaded with the
old IOS version instead of the new one. What is the problem?
Answer: D
Question 8
Answer: A
Question 9
An exhibit that displays the outputs of show interface tunnel0 for two routers. Tunnel 0 is
up/up on one router and up/down on the other router.
Which of the following commands can quickly show the cause of the up/down state of Tunnel0
on the second router?
Answer: C
Question 10
A hub and spoke topology consisting of some routers and switches. Host A is attached to the
spoke network and Host B is attached to the hub network. There is a set of commands beside
the topology:
Client A cannot reach client B while other Spokes can reach client B. What command in the
configuration is the cause of the problem?
Answer: B
Note: Check whether the NHRP address is wrong. Read more about DMVPN and
NHRP at https://www.digitaltut.com/dmvpn-tutorial
Answer:
Explanation
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html
Question 12
A. SNMP
B. Local authentication
C. Enable
D. VTY
Answer: B
Note: There are two cases for ticket 11, so please check them carefully.
The problem was disabled authentication on R1; check where authentication is not given under router
ospf of R1 (use IPv4 Layer 3).
Configuration of R1:
interface Serial0/0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip nat inside
encapsulation frame-relay
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf network point-to-point
!
router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 10.1.2.0 0.0.0.255 area 12
network 10.1.10.0 0.0.0.255 area 12
default-information originate always
!
Configuration of R2:
interface Serial0/0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT
!
Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the "ip ospf authentication
message-digest" command.
Configuration of DSW1:
interface Vlan10
ip address 10.2.1.1 255.255.255.0
standby 10 ip 10.2.1.254
standby 10 priority 200
standby 10 preempt
standby 10 track 1 decrement 60
Note: 10.1.21.129 is the IP address of a loopback interface on R4. This IP belongs to subnet
10.1.21.128/27.
Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10 (standby 10 track
10 decrement 60).
Note: For more information about IP route tracking and why the command "threshold metric up
63 down 64" is used here please read this tutorial: http://networktut.iptut.com/hsrp-ip-route-tracking.
Configuration of R1:
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.56.200.226 remote-as 65002
no auto-summary
!
interface Serial0/0/1
ip address 209.65.200.225 255.255.255.252
ip nat outside
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.252
ip nat outside
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf authentication message-digest
Ans1) R1
Ans2) NAT
Ans3) Under interface Serial0/0/0 delete the ip nat outside command and add the ip nat inside
command.
Ticket 5 – R1 ACL
Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!
Answer:
Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the 'ip access-list extended edge_security' configuration add the 'permit ip
209.65.200.224 0.0.0.3 any' command.
Note:
+ This is the only ticket in which the extended access-list edge_security exists. In other tickets, the
access-list 30 is applied to the inbound direction of S0/0/1 of R1.
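As an added illustration (not taken from the exam or the original page), the sketch below evaluates the edge_security entries with IOS wildcard-mask, first-match semantics, before and after the entry from Ans3 is appended. The test source addresses, including 209.65.200.226 as a host inside 209.65.200.224/30, are constructed, and the function names are assumptions.

```python
import ipaddress


def ip(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


# edge_security as listed in the ticket: (action, source network, wildcard mask).
EDGE_SECURITY = [
    ("deny",   "10.0.0.0",       "0.255.255.255"),
    ("deny",   "172.16.0.0",     "0.15.255.255"),
    ("deny",   "192.168.0.0",    "0.0.255.255"),
    ("deny",   "127.0.0.0",      "0.255.255.255"),
    ("permit", "209.65.200.241", "0.0.0.0"),      # "host" form
]

# The entry Ans3 adds at the end of the list.
FIX = ("permit", "209.65.200.224", "0.0.0.3")


def evaluate(acl, src):
    """Return (action, index of the matching entry).
    Index None means no entry matched and the implicit deny applied."""
    for i, (action, net, wild) in enumerate(acl):
        care = ~ip(wild) & 0xFFFFFFFF      # bits that must be equal (wildcard bit = 0)
        if ((ip(src) ^ ip(net)) & care) == 0:
            return action, i
    return "deny", None


if __name__ == "__main__":
    # Constructed sources: RFC 1918 spoof, the permitted host, a host in the /30,
    # and an address just outside the /30.
    for src in ("10.9.9.9", "209.65.200.241", "209.65.200.226", "209.65.200.228"):
        print(src, "before:", evaluate(EDGE_SECURITY, src),
              "after:", evaluate(EDGE_SECURITY + [FIX], src))
```

The private and loopback source ranges stay denied after the fix, because the new permit is appended below them and only covers the four addresses of the /30.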
A VLAN access map is applied on DSW1, blocking the IP address of client 10.2.1.3
Configuration on DSW1
vlan access-map test1 10
action drop
match ip address 10
vlan access-map test1 20
action drop
match ip address 20
vlan access-map test1 30
action forward
match ip address 30
vlan access-map test1 40
action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
ip address 10.2.1.1 255.255.255.0
Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.
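The added example below (not part of the original ticket) walks the access-map test1 clauses in sequence order against the standard ACLs from the DSW1 configuration, showing which clause decides the fate of each client and what removing the vlan filter changes. The function names and the test addresses other than 10.2.1.3 and 10.2.1.4 are assumptions.

```python
import ipaddress


def ip(addr):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


# Standard ACLs from the DSW1 configuration: number -> (source, wildcard mask).
ACLS = {
    10: ("10.2.1.3", "0.0.0.0"),
    20: ("10.2.1.4", "0.0.0.0"),
    30: ("10.2.1.0", "0.0.0.255"),
}

# vlan access-map test1: (sequence, action, matched ACL; None = no match clause).
ACCESS_MAP_TEST1 = [(10, "drop", 10), (20, "drop", 20),
                    (30, "forward", 30), (40, "forward", None)]


def acl_permits(acl_no, src):
    net, wild = ACLS[acl_no]
    return ((ip(src) ^ ip(net)) & ~ip(wild) & 0xFFFFFFFF) == 0


def vacl_action(access_map, src):
    """Return (action, sequence) of the first clause that matches src."""
    for seq, action, acl_no in sorted(access_map, key=lambda clause: clause[0]):
        if acl_no is None or acl_permits(acl_no, src):
            return action, seq
    return "drop", None        # IP packet matching no clause is dropped


def forwarded(src, vlan, vlan_list):
    """The map only affects VLANs named in 'vlan filter test1 vlan-list ...'."""
    if vlan not in vlan_list:
        return True
    return vacl_action(ACCESS_MAP_TEST1, src)[0] == "forward"


if __name__ == "__main__":
    for src in ("10.2.1.3", "10.2.1.4", "10.2.1.1", "10.2.2.5"):
        print(src, vacl_action(ACCESS_MAP_TEST1, src))
    print("filter on VLAN 10:", forwarded("10.2.1.3", 10, {10}))
    print("filter removed:   ", forwarded("10.2.1.3", 10, set()))
```

Note that the "permit" in access-list 10 only selects the traffic; the drop comes from the action of the access-map clause that references it.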
Note: After choosing DSW1 for Ans1, on the next page (for Ans2) you have to scroll down to find the
VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to
see. Also make sure you choose DSW1 (not ASW1) for the first question, as there is also a
"VLAN ACL/Port ACL" option for answer 2 if you choose ASW1 but it is wrong.
Ticket 7 – Port Security
Client 1 is unable to ping Client 2 as well as DSW1. The command 'sh interfaces fa1/0/1' will
show the following message in the first line:
'FastEthernet1/0/1 is down, line protocol is down (err-disabled)'
Configuration of ASW1
interface fa1/0/1
switchport access vlan 10
switchport mode access
switchport port-security
switchport port-security mac-address 0000.0000.0001
Ans1) ASW1
Ans2) Port security
Ans3) In Configuration mode, using the interface range Fa1/0/1 – 2, then no switchport port-security,
followed by shutdown, no shutdown interface configuration commands.
Answer:
Ans1) ASW1
Ans2) Access Vlans
Ans3) In Configuration mode, using the 'interface range Fastethernet 1/0/1 – 2', then
'switchport access vlan 10' command.
Ans1) ASW1
Ans2) Switch to switch connectivity
Ans3) Under interface Port-Channel 13, 23, add vlan 10,200 and then no shutdown interface
fa1/0/1
Check ip eigrp neighbors from DSW1; you will not see R4 as a neighbor (use IPv4 Layer 3).
With 'show ip route' on DSW1 you will not see any 10.x.x.x network route.
On DSW1 & DSW2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp
1)
Ans1) R4
Ans2) EIGRP
Ans3) Change EIGRP AS number from 1 to 10
Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Change the "route-map OSPF->EIGRP deny 20" to "route-map OSPF->EIGRP permit
20"
In this topology, we are doing mutual redistribution at multiple points (between OSPF and
EIGRP on R4, DSW1 & DSW2), which is a very common cause of network problems,
especially routing loops, so you should use a route-map to prevent redistributed routes from
being redistributed again into the original domain.
In this ticket, a route-map is also used for this purpose. For example, the route-map "EIGRP->OSPF"
is used to prevent any routes that have been redistributed into OSPF from being redistributed
again into the EIGRP domain, by tagging these routes with tag 90. These routes are prevented from
being redistributed again by the route-map OSPF->EIGRP, which denies any routes with tag 90 set.
Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Under the EIGRP process, delete the 'redistribute ospf 1 route-map OSPF->EIGRP'
command and enter 'redistribute ospf 1 route-map OSPF_to_EIGRP' command.
Configuration of R2
ipv6 router ospf 6
!
interface s0/0/0.23
ipv6 address 2026::1:1/122
Configuration of R3
ipv6 router ospf 6
router-id 3.3.3.3
!
interface s0/0/0.23
ipv6 address 2026::1:2/122
ipv6 ospf 6 area 0
Answer:
Ans1) R2
Ans2) IPv6 OSPF Routing
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is "area
0", not "area 12")
Configuration on DSW1:
!
interface Vlan 10
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.21.129
!
Note: In this ticket you will find port-security configured on ASW1 but it is not the problem.
Ans1) DSW1
Ans2) IP DHCP Server (or DHCP)
Ans3) on DSW1 delete "ip helper-address 10.2.21.129" and apply "ip helper-address
10.1.21.129" command
Ticket 14 – EIGRP Passive Interface
The neighborship between R4 and DSW1 wasn't established. Client 1 can't ping R4.
Configuration on R4:
router eigrp 10
passive-interface default
redistribute ospf 1 route-map OSPF->EIGRP
network 10.1.4.4 0.0.0.3
network 10.1.4.8 0.0.0.3
network 10.1.21.128 0.0.0.3
default-metric 10000 100 255 1 10000
no auto-summary
Answer 1) R4
Answer 2) IPv4 EIGRP Routing
Answer 3) enter no passive interface for interfaces connected to DSW1 under EIGRP process
(or in Interface f0/1 and f0/0, something like this)
Note: There is a loopback interface on this device which has an IP address of 10.1.21.129 so we
have to include the "network 10.1.21.128 0.0.0.3" command.
* Just for your information, in fact Clients 1 & 2 in this ticket CANNOT receive IP addresses
from the DHCP Server because DSW1 cannot reach 10.1.21.129 (a loopback interface on R4)
because of the "passive-interface default" command. But in the exam you will see that Clients 1
& 2 can still get their IP addresses! It is a bug in the exam.
Configuration of R3:
!
interface Tunnel34
no ip address
ipv6 address 2026::34:1/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0.34
tunnel destination 10.1.1.10
tunnel mode ipv6
!
Configuration of R4:
interface Tunnel34
no ip address
ipv6 address 2026::34:2/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0
tunnel destination 10.1.1.9
!
Answer:
Ans1) R3
Ans2) IPv4 and IPv6 Interoperability
Ans3) Under the interface Tunnel34, remove 'tunnel mode ipv6' command
Configuration of R4:
ipv6 router ospf 6
log-adjacency-changes
!
ipv6 router rip RIP_ZONE
redistribute ospf 6 metric 2 include-connected
!
Answer:
Ans1) R4
Ans2) IPv6 OSPF Routing
Ans3) Under ipv6 ospf process add the 'redistribute rip RIP_Zone include-connected' command
interface fa1/0/1
switchport access vlan 10
switchport mode trunk
switchport trunk encapsulation dot1q
interface fa1/0/2
switchport access vlan 10
switchport mode trunk
switchport trunk encapsulation dot1q
Answer:
Ans1) ASW1
Ans2) Access VLANs
Ans3) In configuration mode, use 'interface range fa1/0/1-2' then 'switchport mode access',
then 'no switchport trunk encapsulation dot1q'