Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
The content of this material has not been reviewed by IT-Libraries team and is shared
as is it.
In order to maximize your chances of success we advise in studying the IT-Libraries
Premium Dumps
Feedback
If you have any questions please contact us at support@itlibraries.com
Notice that in the exam, the tickets are randomly given so the best way to troubleshooting is to
try pinging to all the devices from nearest to farthest from the client until you don‘t receive the
replies.
One more thing to remember: you can only use ―show‖ commands to find out the problems and
you are not allowed to make any changes in the configuration. In fact, in the exam you can not
enter the global configuration mode!
Answer:
+ show crypto isakmp sa detail: Verify the current SA lifetime and the time for next
renegotiation
+ show cryto ipsec sa peer: (verify) traffic flows in only one direction
+ show ip eigrp neighbor: Verify that routing protocol neighbor is established
+ debug crypto isakmp: Verify that the spoke router is sending udp 500 packet
Explanation
An example about the output of the ―show crypto isakmp sa detail‖ is shown below:
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
The VPN tunnel between the spoke-to-spoke router is up, but unable to pass data traffic. The
following sample output is from the ―show crypto ipsec sa peer‖ command:
There is no decap packets in Spoke1, which means esp packets are dropped somewhere in the
path return from Spoke2 towards spoke1.
The Spoke2 router shows both encap and decap, which means that ESP traffic is filtered before
reaching Spoke2. It may happen at the ISP end at Spoke2 or at any firewall in path between
Spoke2 router and Spoke1 router. After allowing ESP (IP Protocol 50), Spoke1 and Spoke2
both show encaps and decaps counters are incrementing.
Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-
dmvpn/111976-dmvpn-troubleshoot-00.html#verifyonedirection
Further, check debug crypto isakmp to verify that the spoke router is sending udp 500 packet:
The above debug output shows spoke router is sending udp 500 packet in every 10 seconds.
Question 2
Refer to the exhibit. Which hashing method is being used for the enable secret?
…
enable secret 8 $fdiFJeJdfkjFkFjfdiKFjIgkdj/j90jdfsjifdsjFjfdPK
!
username admin privilege 15 password 7 0348378437387483E8787F
…
A. sha1
B. sha256
C. scrypt
D. md5
Answer: B
Explanation
To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has
been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using
the stronger MD5 algorithm.
Note:
+ Type 5: MD5
+ Type 8: sha256
+ Type 9: scrypt
Question 3
Refer to the exhibit. PCB could not ping PCA. The admin has logged into each switch, starting
from SW1 and ending with SW2 and has examined the links between each. Which
troubleshooting method has been used?
Answer: B
Question 4
Drag drop question about GRE characteristics (Overlay and Underlay Network).
Answer:
Overlay network:
+ deencapsulates the tunnel header before routing
+ Virtual tunnel network
Underlay network:
+ Physical network
+ MTU must be increased to avoid fragmentation
Note: The core routers are known as the underlay network. This is responsible for taking GRE
packets and transporting them from one side of the network to the other. The tunnel itself is the
overlay network. Packets passing through the overlay network are unaware of the routers in the
underlay
Question 5
Answer:
Explanation
Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html
Question 6a
User tries to connect to line vty 0 with username Cisco and password ―Cisco123‖ while
TACACS server is unreachable. What happens?
A. The user will be authenticated after the TACACS server fallback timer expires
B. The user will not be authenticated because the username is incorrect
Answer: D
Explanation
With this config, when the user tries to connect to line vty 0, the line password (which is
―CiscoCisco‖) must be used to authenticate. The TACACS server would never been used unless
we remove the ―login authentication LOCAL-VTY‖ statement (as the first aaa command ―aaa
authentication login default group tacacs+ local-case line‖ would be used for all VTY, console,
AUX line because of the ―default‖ group).
Question 6b
Client try to connect with this command : ssh -l Cisco 123456. What he can reach the
destination
A. bad password
B. bad username
C. ?
D. ?
Answer: B
Explanation
The keyword ―local-case‖ is used in the authentication so the username is case-sensitive and we
can to write the username exactly.
Question 7
Refer to the exhibit. Why can‘t an user SCP to a server at 172.16.1.200 on Monday at 11:00
pm?
Answer: C
Explanation
The user cannot access the server on Monday at 11pm because of two reasons:
+ First, it does not match the time-range TIME (only allowed to access from 6am 6pm), defined
by the ACL statement ―access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh
time-range TIME‖) so this traffic is continued to check with the rest of the ACL to see if there
is any matched entry for it.
+ Second, the last ACL statement drops this traffic as none of the above ACL statement
matched it.
So in this question the last line of the ACL is the place where the SCP traffic is dropped.
Note: SCP runs over TCP port 22 by default and connect via an encrypted connection or secure
shell connection (SSH).
Question 8
Drag and drop Windows and Cisco commands on the left to the corresponding description on
the right.
Answer:
Question 9
A. top down
B. follow the path
C. bottom up
D. divide and conquer
Answer: C
Explanation
Let‘s assume that you are researching a problem of a user that cannot browse a particular
website and while you are verifying the problem, you find that the user‘s workstation is not
even able to obtain an IP address through the DHCP process. In this situation it is reasonable to
suspect lower layers of the OSI model and take a bottom-up troubleshooting approach.
Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2
Question 10
A. top down
B. follow the path
C. bottom up
D. divide and conquer
Answer: B
Question 11
Answer: A
Explanation
The trace route stops at the inbound interface of the HQ router so the problem must be
somewhere between HQ and the Firewall so answer A is the best choice here.
Question 12
R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.55.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.55.0
A company is implementing Management Plane Protection (MPP) on its network. Which of the
following commands allows R2 successfully connect to R1 via SSH?
Answer: B
Explanation
R1#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system
In this question it seems R1 does not allow SSH to interface Gi0/2 of R1 (no traffic for SSH) so
we have to SSH to interface Gi0/3 instead.
Question 13
Refer to the exhibit.The traceroute fails from R1 to R3.What is the cause of the failure?
R1#traceroute 3.3.3.3
…
1 10.10.10.2 18msec
Answer: B
Explanation
The !A is the response that indicates that you received a response of Administratively
Prohibited. This is the result when the traceroute is denied by an access list.
Note: The OSPF process ID is just locally significant but R2 is using two different OSPF
process IDs (#1 and #2) so they should be redistributed into each other like this:
router ospf 1
redistribute ospf 2 subnets
router ospf 2
redistribute ospf 1 subnets
Note: There are two cases for ticket 11 so please check them carefully
Problem was disable authentication on R1, check where authentication is not given under router
ospf of R1. (use ipv4 Layer 3)
Configuration of R1:
interface Serial0/0/0
description Link to R2
ip address 10.1.1.1 255.255.255.252
ip nat inside
encapsulation frame-relay
ip ospf message-digest-key 1 md5 TSHOOT
ip ospf network point-to-point
!
Configuration of R2:
interface Serial0/0/0.12 point-to-point
ip address 10.1.1.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 TSHOOT
!
Ans1) R1
Ans2) IPv4 OSPF Routing
Ans3) Enable OSPF authentication on the s0/0/0 interface using the ―ip ospf authentication
message-digest‖ command.
Configuration of DSW1:
interface Vlan10
ip address 10.2.1.1 255.255.255.0
standby 10 ip 10.2.1.254
standby 10 priority 200
standby 10 preempt
standby 10 track 1 decrement 60
Note: 10.1.21.129 is the IP address of a loopback interface on R4. This IP belongs to subnet
10.1.21.128/27.
Ans1) DSW1
Ans2) HSRP
Ans3) delete the command with track 1 and enter the command with track 10 (standby 10 track
10 decrement 60).
Note: For more information about IP route tracking and why the command ―threshold metric up
63 down 64″
Configuration of R1:
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 209.65.200.224 mask 255.255.255.252
neighbor 209.56.200.226 remote-as 65002
no auto-summary
Ans1) R1
Ans2) BGP
Ans3) delete the wrong neighbor statement and enter the correct neighbor address in the
neighbor command (change ―neighbor 209.56.200.226 remote-as 65002″ to ―neighbor
209.65.200.226 remote-as 65002″)
Ans1) R1
Ans2) IP NAT
Ans3) Under the ip access-list standard nat_traffic configuration enter the ‗permit 10.2.0.0
0.0.255.255‘ command.
Ticket 5 – R1 ACL
Configuration on R1
interface Serial0/0/1
description Link to ISP
ip address 209.65.200.224 255.255.255.252
ip nat outside
ip access-group edge_security in
!
ip access-list extended edge_security
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny 127.0.0.0 0.255.255.255 any
permit ip host 209.65.200.241 any
!
Answer:
Ans1) R1
Ans2) IPv4 layer 3 security
Ans3) Under the ‗ip access-list extended edge_security‘ configuration add the ‗permit ip
209.65.200.224 0.0.0.3 any‘ command.
Note:
+ This is the only ticket the extended access-list edge_security exists. In other tickets, the
access-list 30 is applied to the inbound direction of S0/0/1 of R1.
Vlan Access map is applied on DSW1 blocking the ip address of client 10.2.1.3
Configuration on DSW1
vlan access-map test1 10
action drop
match ip address 10
vlan access-map test1 20
action drop
match ip address 20
vlan access-map test1 30
action forward
match ip address 30
vlan access-map test1 40
action forward
!
vlan filter test1 vlan-list 10
!
access-list 10 permit 10.2.1.3
access-list 20 permit 10.2.1.4
access-list 30 permit 10.2.1.0 0.0.0.255
!
interface VLAN10
ip address 10.2.1.1 255.255.255.0
Ans1) DSW1
Ans2) VLAN ACL/Port ACL
Ans3) Under the global configuration mode enter no vlan filter test1 vlan-list 10 command.
Note: After choosing DSW1 for Ans1, next page (for Ans2) you have to scroll down to find the
VLAN ACL/Port ACL option. The scroll bar only appears in this ticket and is very difficult to
be seen. Also make sure you choose DSW1 (not ASW1) for the first question as there is also
"VLAN ACL/Port ACL" option for answer 2 if you choose ASW1 but it is wrong.
Configuration of ASW1
interface fa1/0/1
Ans1) ASW1
Ans2) Port security
Ans3) In Configuration mode, using the interface range Fa1/0/1 – 2, then no switchport port-
security, followed by shutdown, no shutdown interface configuration commands.
Answer:
Ans1) ASW1
Ans2) Access Vlans
Ans3) In Configuration mode, using the ‗interface range Fastethernet 1/0/1 – 2‘, then
‗switchport access vlan 10‘ command.
Ans1)ASW1
Ans2)Switch to switch connectivity
Ans3)Under interface Port-Channel 13, 23, add vlan 10,200 and then no shutdown interface
fa1/0/1
Check ip eigrp neighbors from DSW1 you will not see R4 as neighbor.(use ipv4 Layer 3)
‗Show ip route‘ on DSW1 you will not see any 10.x.x.x network route.
On DSW1 & DWS2 the EIGRP AS number is 10 (router eigrp 10) but on R4 it is 1 (router eigrp
1)
Ans1) R4
Ans2) EIGRP
Ans3) Change EIGRP AS number from 1 to 10
Ans1) R4
Ans2) IPv4 Route Redistribution
In this topology, we are doing mutual redistribution at multiple points (between OSPF and
EIGRP on R4, DSW1 & DSW2), which is a very common cause of network problems,
especially routing loops so you should use route-map to prevent redistributed routes from
redistributing again into the original domain.
In this ticket, route-map is also used for this purpose. For example, the route-map ―EIGRP-
>OSPF‖ is used to prevent any routes that have been redistributed into OSPF from redistributed
again into EIGRP domain by tagging these routes with tag 90. These routes are prevented from
redistributed again by route-map OSPF->EIGRP by denying any routes with tag 90 set.
Ans1) R4
Ans2) IPv4 Route Redistribution
Ans3) Under the EIGRP process, delete the ‗redistribute ospf 1 route-map OSPF->EIGRP‘
command and enter ‗redistribute ospf 1 route-map OSPF_to_EIGRP‘ command.
Configuration of R2
ipv6 router ospf 6
!
Configuration of R3
ipv6 router ospf 6
router-id 3.3.3.3
!
interface s0/0/0.23
ipv6 address 2026::1:2/122
ipv6 ospf 6 area 0
Answer:
Ans1) R2
Ans2) IPv6 OSPF Routing
Ans3) on the serial interface of R2, enter the command ipv6 ospf 6 area 0 (notice that it is ―area
0″, not ―area 12″)
Configuration on DSW1:
!
interface Vlan 10
ip address 10.2.1.1 255.255.255.0
ip helper-address 10.2.21.129
!
Note: In this ticket you will find port-security configured on ASW1 but it is not the problem.
Ans1) DSW1
Ans2) IP DHCP Server (or DHCP)
Ans3) on DSW1 delete ―ip helper-address 10.2.21.129‖ and apply ―ip helper-address
10.1.21.129‖ command
Answer 1) R4
Answer 2) IPv4 EIGRP Routing
Answer 3) enter no passive interface for interfaces connected to DSW1 under EIGRP process
(or in Interface f0/1 and f0/0, something like this)
Note: There is a loopback interface on this device which has an IP address of 10.1.21.129 so we
have to include the ―network 10.1.21.128 0.0.0.3‖ command.
* Just for your information, in fact Clients 1 & 2 in this ticket CANNOT receive IP addresses
from DHCP Server because DSW1 cannot reach 10.1.21.129 (an loopback interface on R4)
because of the ―passive-interface default‖ command. But in the exam you will see that Clients 1
& 2 can still get their IP addresses! It is a bug in the exam.
Configuration of R3:
!
interface Tunnel34
no ip address
ipv6 address 2026::34:1/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0.34
tunnel destination 10.1.1.10
tunnel mode ipv6
!
Configuration of R4:
interface Tunnel34
no ip address
ipv6 address 2026::34:2/122
ipv6 enable
ipv6 ospf 6 area 34
tunnel source Serial0/0/0
tunnel destination 10.1.1.9
!
Answer:
Ans1) R3
Configuration of R4:
ipv6 router ospf 6
log-adjacency-changes
!
ipv6 router rip RIP_ZONE
redistribute ospf 6 metric 2 include-connected
!
Answer:
Ans1) R4
Ans2) Ipv6 OSPF Routing
Ans3) Under ipv6 ospf process add the ‗redistribute rip RIP_Zone include-connected‘ command
interface fa1/0/1
switchport access vlan 10
switport mode trunk
switport trunk encapsulation dot1q
interface fa1/0/2
switchport access vlan 10
switport mode trunk
switport trunk encapsulation dot1q
Answer:
Ans1) ASW1
Ans2) Access VLANs
Ans3) In configuration mode, use ‗interface range fa1/0/1-2‘ then ‗switchport mode access‘,
then ‗no switchport trunk encapsulation dot1q‘