New ENARSI Questions 7

November 10th, 2023

Question 1

Refer to the exhibit.

R1#debug ip ospf adj
21:12:08.259: OSPF: Send DBD to 2.2.2.2 on Ethernet0/0 seq u opt 0x52 flag 0x7 len 32
21:12:08.339: OSPF: Rcv DBD from 2.2.2.2 on Ethernet0/0 seq 0x836 opt 0x52 flag 0x7 len 32 mtu 1532 state EXSTART

R2#debug ip ospf adj
21:12:08.423: OSPF: Send DBD to 1.1.1.1 on Ethernet0/0 seq 0x836 opt 0x52 flag 0x7 len 32
21:12:08.423: OSPF: First DBD and we are not SLAVE
21:12:08.511: OSPF: Rcv DBD from 1.1.1.1 on Ethernet0/0 seq 0x836 opt 0x52 flag 0x2 len 52 mtu 1500 state EXSTART

R1 cannot establish a neighbor relationship with R2. Which action resolves the issue?
A. Configure the ip ospf network broadcast command on the interfaces of R1 and R2.
B. Configure the ip ospf network point-to-point command on the interfaces of R1 and R2.
C. Configure the mtu ignore command on the interfaces of R1 and R2.
D. Configure the neighbor 2.2.2.2 command on R1 under the OSPF process.

Answer: C

Explanation

Neighbors Stuck in Exstart/Exchange State

The problem occurs most frequently when attempting to run OSPF between a Cisco router
and another vendor’s router. The problem occurs when the maximum transmission unit
(MTU) settings for neighboring router interfaces don’t match. If the router with the higher
MTU sends a packet larger than the MTU set on the neighboring router, the neighboring
router ignores the packet.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-12.html

-> Therefore we can fix this issue with the “mtu ignore” command.

Question 2

How is the LDP router ID used in an MPLS network?

A. The force keyword changes the router ID to the specified address without causing any
impact.
B. The loopback with the highest IP address is selected as the router ID.
C. The MPLS LDP router ID must match the IGP router ID.
D. If not configured, the operational physical interface is chosen as the router ID even if a
loopback is configured.

Answer: B

Question 3

Refer to the exhibit.


R101# sh tcp brief
TCB Local Address Foreign Address (state)
11AD5810 1.0.0.2.2000 1.0.0.1.31942 ESTAB

R101# sh run
ip ssh port 2000 rotary 1
ip ssh version 2
line vty 0 4
password cisco
login local
rotary 1
transport input ssh

An engineer must configure router R101 for SSH access on ports 2001 through 2011. After
the configuration, some expected ports were inaccessible. Which command resolves the
issue?

A. ip ssh port 2001 rotary 11
line vty 0 4
transport input telnet

B. ip ssh port 2000 rotary 11
line vty 0 4
transport input ssh

C. ip ssh port 2000 rotary 1 11
line vty 0 4
transport input all

D. ip ssh port 2001 rotary 1 11
line vty 0 4
transport input ssh

Answer: D

Explanation

The command “ip ssh port 2000 rotary 1” means that we want to change the listening port
for SSH from port 22 (default) to port 2000 with a rotary group of 1. This rotary group is then
applied to VTY lines (from 0 to 4) to map the SSH connection to these VTY lines. Now your
router will listen for SSH connections on these five VTY ports.

Next, the command “ip ssh port 2001 rotary 1 11” (11 here is the “High Rotary group
number”) means that the first SSH port is mapped to rotary 1 and the listening ports
increment up from there. Ports 2002, 2003, 2004, …, 2011 will map to rotary 2, 3, 4, …, 11
respectively.

But notice that there are only five VTY ports for 11 SSH connections so if all five VTY ports
are busy then the sixth SSH connection may fail.

Question 4

Refer to the exhibit.

R3#show ip cef
Prefix               Next Hop         Interface
0.0.0.0/0            no route
0.0.0.0/8            drop
0.0.0.0/32           receive
172.0.0.0/8          drop
172.16.1.0/30        172.16.3.254     GigabitEthernet0/2
                     172.16.4.254     GigabitEthernet0/3
172.16.3.252/30      attached         GigabitEthernet0/2
172.16.3.252/32      receive          GigabitEthernet0/2
172.16.3.253/32      receive          GigabitEthernet0/2
172.16.3.254/32      attached         GigabitEthernet0/2
172.16.3.255/32      receive          GigabitEthernet0/2
172.16.4.252/30      attached         GigabitEthernet0/3
172.16.4.252/32      receive          GigabitEthernet0/3
172.16.4.253/32      receive          GigabitEthernet0/3
172.16.4.254/32      attached         GigabitEthernet0/3
172.16.4.255/32      receive          GigabitEthernet0/3
172.16.222.254/32    172.16.4.254     GigabitEthernet0/3
192.168.100.0/24     172.16.3.254     GigabitEthernet0/2
192.168.200.0/24     172.16.3.254     GigabitEthernet0/2
192.168.222.0/24     172.16.4.254     GigabitEthernet0/3
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive

An engineer recently implemented uRPF by configuring the ip verify unicast source
reachable-via rx command on interface gi0/3. The engineer noticed right after implementing
uRPF that an inbound packet on the gi0/3 interface with a source address of 172.16.3.251
was dropped. Which action resolves the issue?

A. Configure uRPF loose mode to forward the packet.
B. Permit the 172.16.3.251 in the inbound ACL on interface gi0/3.
C. Remove inbound ACL from the interface gi0/3 to allow 172.16.3.251.
D. Configure uRPF strict mode to forward the packet.

Answer: A

Explanation

The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables Loose Mode uRPF on the router. This mode allows the router to
reach the source address via any interface.

The rx option enables Strict Mode uRPF on the router. This mode ensures that the router
reaches the source address only via the interface on which the packet was received.

In this case the router was configured with uRPF in strict mode so we should change to loose
mode.

Question 5

Refer to the exhibit.


After an engineer modified the configuration for area 7 to permit type 1, 2, and 7 LSAs only,
users connected to router R9 reported that they could no longer access the internet. Which
configuration restores internet access to users on R9 and permits only LSA type 1, 2, and 7?

Option A

R4#
router ospf 1
area 0 area 7 stub no-summary
network 10.5.1.0 0.0.0.3 area 0
network 10.8.2.0 0.0.0.3 area 7
R9#
router ospf 1
area 7 stub
redistribute eigrp 10 subnets
network 10.8.2.0 0.0.0.3 area 7

Option B

R4#
router ospf 1
area 0 nssa default-information-originate
network 10.5.1.0 0.0.0.3 area 0
network 10.8.2.0 0.0.0.3 area 7
R9#
router ospf 1
area 7 nssa
redistribute eigrp 10 subnets
network 10.8.2.0 0.0.0.3 area 7

Option C

R4#
router ospf 1
area 7 nssa
network 10.5.1.0 0.0.0.3 area 0
network 10.8.2.0 0.0.0.3 area 7
R9#
router ospf 1
area 7 nssa
redistribute eigrp 10 subnets
network 10.8.2.0 0.0.0.3 area 7

Option D

R4#
router ospf 1
area 7 nssa no-summary
network 10.5.1.0 0.0.0.3 area 0
network 10.8.2.0 0.0.0.3 area 7
R9#
router ospf 1
area 7 nssa
redistribute eigrp 10 subnets
network 10.8.2.0 0.0.0.3 area 7

A. Option A
B. Option B
C. Option C
D. Option D

Answer: D

Explanation

To only permit LSA Types 1, 2 and 7 we have to configure area 7 into a Totally NSSA area:

To configure a totally NSSA area, configure the nssa command on all the routers attached to
the area and configure the nssa no-summary command on the ABR.

Question 6

Refer to the exhibit.

R3#show cef interface gi0/3
GigabitEthernet0/3 is up (if_number 5)
Corresponding hwidb fast_if_number 5
Corresponding hwidb firstsw->if_number 5
Internet address is 172.16.4.253/30
ICMP redirects are never sent
Per packet load-sharing is disabled
IP unicast RPF check is enabled
Input features: uRPF
IP policy routing is disabled
BGP based policy accounting on input is disabled
BGP based policy accounting on output is disabled
Hardware idb is GigabitEthernet0/3
Fast switching type 1, interface type 27
IP CEF switching enabled
IP CEF switching turbo vector
IP prefix lookup IPv4 metric 8-8-8-8 optimized
Input fast flags 0x4000, Output fast flags 0x0
if index 5(5)
Slot Slot unit 3 VC -1
IP MTU 1500

R3#show run int gi0/3
Building configuration...
Current configuration : 162 bytes
interface GigabitEthernet0/3
ip address 172.16.4.253 255.255.255.252
ip verify unicast source reachable-via rx
duplex auto
speed auto
media-type rj45
end

An engineer implements uRPF to increase security and stop incoming spoofed IP packets.
Some asymmetrically routed packets are also blocked after the configuration. Which
command resolves the issue?

A. ip verify unicast source reachable-via any
B. ip verify unicast source reachable-via rx
C. ip verify unicast reverse-path
D. ip verify unicast reverse-path any

Answer: A
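
The strict and loose checks behind Questions 4 and 6, as an added example (not part of the original page and not Cisco code). It runs the uRPF decision over the forwarding entries of the Question 4 "show ip cef" exhibit; the drop, receive and "no route" entries are left out, the sample source addresses are constructed, and a source with no forwarding entry is assumed to fail both modes (no allow-default).

```python
import ipaddress

GI2, GI3 = "GigabitEthernet0/2", "GigabitEthernet0/3"

# Forwarding entries copied from the Question 4 exhibit. Entries without an
# outgoing interface (drop / receive / no route) are omitted in this sketch.
FIB = {
    "172.16.1.0/30": {GI2, GI3},       # two paths in the exhibit
    "172.16.3.252/30": {GI2},
    "172.16.4.252/30": {GI3},
    "172.16.222.254/32": {GI3},
    "192.168.100.0/24": {GI2},
    "192.168.200.0/24": {GI2},
    "192.168.222.0/24": {GI3},
}
_TABLE = [(ipaddress.ip_network(p), ifs) for p, ifs in FIB.items()]


def reverse_path(src):
    """Longest-prefix match on the SOURCE address.

    Returns the set of interfaces the router itself would use to reach
    the source, or None when no forwarding entry covers it.
    """
    addr = ipaddress.ip_address(src)
    hits = [(net.prefixlen, ifs) for net, ifs in _TABLE if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


def urpf_permits(src, in_if, mode):
    """mode 'rx' is strict uRPF, mode 'any' is loose uRPF."""
    if mode not in ("rx", "any"):
        raise ValueError("mode must be 'rx' or 'any'")
    paths = reverse_path(src)
    if paths is None:
        return False            # unknown source: dropped in both modes
    if mode == "any":
        return True             # loose: any interface back to the source
    return in_if in paths       # strict: must arrive on a reverse-path interface


def classify(src, in_if):
    """Explain what each mode does with a packet from src arriving on in_if."""
    if urpf_permits(src, in_if, "rx"):
        return "symmetric: permitted by strict and loose"
    if urpf_permits(src, in_if, "any"):
        return "asymmetric: dropped by strict, permitted by loose"
    return "no route to source: dropped by strict and loose"


# Constructed sample packets: (source address, receiving interface)
SAMPLES = [
    ("192.168.222.10", GI3),   # route points back out Gi0/3
    ("192.168.100.10", GI3),   # route points out Gi0/2, packet arrives on Gi0/3
    ("172.16.1.1", GI3),       # two paths, Gi0/3 is one of them
    ("10.9.9.9", GI3),         # no forwarding entry at all
]

if __name__ == "__main__":
    for src, in_if in SAMPLES:
        print(f"{src:15} on {in_if}: {classify(src, in_if)}")
```

Loose mode trades precision for tolerance of asymmetric routing: it still drops sources that have no forwarding entry, but it no longer ties a source to the interface it arrived on.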

Question 7

How does BFD protocol work?

A. When BFD declares a failure on the primary IGP path, the router on the peer router
chooses to use the secondary path.
B. BFD operates on the route processor module and impacts the route processor CPU
utilization.
C. BFD control packets are sent via UDP port 3784 to the destination router.
D. BFD echo packets are sent to the same source IP and different destination IP with TCP
port of 3786.

Answer: C

Explanation

BFD only detects failure, but the network administrator must explicitly specify which action
is performed next. It may send an alarm message or use the secondary path -> Answer A
is not correct.

BFD control packets are encapsulated into UDP packets with port number 3784 for single-hop
detection or port number 4784 for multi-hop detection. (It can also be 3784 based on
the configuration task) -> Answer C is correct.

==================== New Questions (added on 26th-Nov-2023) ====================

Question 8

Which two NLRI attributes are used by an MPLS Layer 3 VPN network to exchange VPNv4
routes between MPLS routers via MP-BGP? (Choose two)

A. VPNv4 Prefix
B. Next Hop
C. Extended-Community
D. IPv4 Prefix
E. RT

Answer: B D

Explanation

MP-BGP supports IPv4 unicast/multicast, IPv6 unicast/multicast and it has support for VPNv4
routes. To exchange VPNv4 routes, MP-BGP uses a new NLRI (Network Layer Reachability
Information) format that has the following attributes:
+ RD (Route Distinguisher)
+ IPv4 prefix
+ Next Hop
+ VPN Label

Reference: https://networklessons.com/mpls/mpls-layer-3-vpn-explained

Question 9

Refer to the exhibit.


Which action resolves the issue?

A. Establish connectivity between the NTP server and the switch.
B. Configure the local time on the SW1 device.
C. Configure the local time on Cisco DNA Center.
D. Establish connectivity between the NTP server and Cisco DNA Center.

Answer: A

Explanation

The time on DNA Center looks good so the problem may come from the time on the switch.
By connecting to the NTP server, the switch can update its time and solve this problem.

Question 10

Which two features are required for MPLS forwarding on which types of routers? (Choose
two)

A. MPLS on PE and core routers
B. LDP on PE and core routers
C. MPLS on CE and core routers
D. LDP on PE and CE routers
E. CEF on PE and CE routers

Answer: A B

Explanation

CE router does not need MPLS or LDP or CEF.

Question 11

Refer to the exhibit.

R1# show route-map
route-map Redistribution_EIGRP, permit, sequence 10
Match clauses:
ip address (access-lists): 10
Set clauses:
tag 666
Policy routing matches: 0 packets, 0 bytes
route-map Redistribution_EIGRP, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

R1# show access-lists
Standard IP access list 10
10 permit 172.16.1.0, wildcard bits 0.0.0.255
20 permit 172.16.2.0, wildcard bits 0.0.0.255

The router is redistributing a prefix 172.16.10.0/24 that should have been filtered. Which
action resolves the issue?

A. Add the route in access-list 10.
B. Match the tag 666 for the route in the route map.
C. Remove route-map sequence 20.
D. Permit the route in route-map sequence 20.

Answer: C

Explanation

From the output of the “show route-map” above, we can deduce the following route-map
was configured:

route-map Redistribution_EIGRP permit 10
match ip address 10
set tag 666
route-map Redistribution_EIGRP permit 20

The last statement “route-map Redistribution_EIGRP permit 20” has no match clause, so it
permits every route that sequence 10 did not match and all routes are redistributed. We need
to remove this line so that prefix 172.16.10.0/24 is filtered out.

Question 12

Refer to the exhibit.

Which action allows the engineer to successfully copy running-config to the TFTP server?

A. Add a route in the switch to the TFTP server.
B. Add the TFTP server configuration in the switch.
C. Use TFTP server IP address 10.0.1.1.
D. Use file name Switch-confg.txt.

Answer: A

Explanation
Maybe there is something wrong with this question as the IP address of the TFTP Server and
interface E0/1 of the Switch are not in the same subnet. But the best answer in this question
is answer A as other answers are surely not correct.

Question 13

Refer to the exhibit.

UserPC receives the IP address but does not register to the call manager. Which command in
ip dhcp pool VLAN200_USER_VOICE resolves the issue?

A. option 150 ip 10.221.10.10
B. option 15 ip 10.221.10.10
C. option 160 ip 10.221.10.10
D. option 117 ip 10.221.10.10

Answer: A

Explanation
Cisco phone IP addresses can be assigned manually or by using DHCP. Devices also require
access to a TFTP server that contains device configuration name files (.cnf file format), which
enable the device to communicate with Cisco Call Manager.

The command “option 150 ip TFTP_Server_IP_address” is used to tell the Cisco phones which
TFTP server to contact to get their configuration.

Question 14

Refer to the exhibit.

Which action resolves the IP SLA for the UDP jitter problem between R4 and R3 Ethernet 0/1
IP addresses?

A. Delete and configure the ip sla 6500 command with R3 e0/1 IP address.
B. Configure the ip sla 6500 command with R3 e0/1 IP address.
C. Configure the ip sla responder command with R4 E0/1 IP address.
D. Delete and configure the ip sla responder command with R4 E0/1 IP address.

Answer: A

Explanation
From the output of R3 we can see that R3 has been configured with command “ip sla
responder”. Below is the output of the “show ip sla responder” before and after issuing the
command “ip sla responder”:

But we see on R4 the “udp-jitter 209.165.201.4 …” command was not correct as the
destination IP address should be 209.165.201.2 (E0/1 interface of R3). Because of this issue
we can see the “No connection” under the output of “sho ip sla su” (show ip sla summary) of
R4.

Although answer B is a bit unclear, it implies “fix the udp-jitter command with the
correct destination IP address of E0/1 interface of R3”.

Once an IP SLA operation is configured, it cannot be changed; it can only be deleted and
configured again -> Answer A is the best choice.

Note: Answer C is not correct as the IP address in the command “ip sla responder …
ipaddress {ipaddress} port {port}” is only used to manually specify which IP address and Ports
you mean for the Responder to listen on. Therefore, the IP address used in this command
should belong to R3, not R4.

Question 15
Refer to the exhibit.

SW101#cop nvram:startup-config tftp:
Address or name of remote host []? 10.1.0.1
Destination filename [sw101-confg]?
%Error opening tftp://10.1.0.1/sw101-confg (Permission denied)
SW101#
SW101#ping 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/7/15 ms
SW101#

SW101 could not transfer its startup configuration to a TFTP server. No ACL is configured on
the switch, and it can successfully ping the host. Which action resolves the issue?

A. Open UDP port 69 on the TFTP server.
B. Open UDP port 179 on the TFTP server.
C. Configure a FW in the middle to allow bidirectional communication for TFTP.
D. Start the TFTP server on the host.

Answer: D

Explanation

“Permission denied” means read access to the file and/or directory is not enabled. Maybe
the TFTP software was installed on the host but it has not been started.

Question 16

Refer to the exhibit.


A network engineer configured routers R1 and R2 with MP-BGP. The engineer noticed that
the routers cannot exchange any IPv6 routes; however, the IPv4 neighbor relationship is
working fine. Which configuration must the engineer apply to router R2 to exchange IPv6
routes?

Option A

ipv6 unicast-routing
ipv6 cef
!
interface Loopback 100
ipv6 address 2001:DB8:128:2/128
!
interface GigabitEthernet1/0
ipv6 address 2001:DB8:1::2/64
!
router bgp 65002
no bgp default ipv4-unicast
neighbor 2001:DB8:1::1 remote-as 65001
!
address-family ipv6
network 2001:D88:128:2/128
neighbor 2001:DB8:1::1 activate

Option B

ipv6 unicast-routing
ipv6 cef
!
interface Loopback100
ipv6 address 2001:DB8:128:2/128
!
interface GigabitEthernet1/0
ipv6 address 2001:DB8:1::2/64
description AS65001 ID B463:A68D:9D4::8
!
router bgp 65002
no bgp default ipv4-unicast
neighbor 2001:DB8:1::1 remote-as 65001
!
address-family ipv4
neighbor 2001:DB8:1::1 activate

Option C

ipv6 cef
!
interface Loopbach100
ipv6 address 2001:DB8:128::2/128
!
interface GigabitEtherne1/0
ipv6 address 2001:DB8:1::2/64
!
router bgp 66002
no bgp default ipv4-unicast
neighbor 2001:DB8:1::1 remote-as 65001
!
address-family ipv6
network 2001:DB8:128::2/128
neighbor 2001:DB8:1::1 activate

Option D

ipv6 unicast-routing
ipv6 cef
!
interface Loopback100
ipv6 address 2001:DB8:128:2/128
!
interface GigabitEthernet1/0
ipv6 address 2001:DB8:1::2/64
!
router bgp 65002
no bgp default ipv4-unicast
neighbor 2001:DB8:1::1 remote-as 65001
!
address family ipv6
network 2001:DB8:128:2/128

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

We need to use the “ipv6 unicast-routing” for IPv6 to function and activate the IPv6
neighbor with command “neighbor 2001:DB8:1::1 activate” under “address-family ipv6”.

Question 17

Which Layer 3 VPN attribute installs customer routes in the VRF?

A. RD
B. RT
C. extended-community
D. MPLS label

Answer: A

Explanation

The Route Distinguisher (RD) is to make sure that all prefixes are unique. The customer
prefix + RD together are a VPNv4 route.

Question 18

Refer to the exhibit.

R2#debug ip dhcp server events
000249: *Jun 19 02:13:33.818: DHCPD: Sending notification of DISCOVER:
000250: *Jun 19 02:13:33.823: DHCPD: htype 1 chaddr 0c62.430d.db00
000251: *Jun 19 02:13:33.827: DHCPD: remote id 020a0000c0a8000100000000
000252: *Jun 19 02:13:33.830: DHCPD: circuit id 00000000
000253: *Jun 19 02:13:33.836: DHCPD: Seeing if there is an internally specified pool class:
000254: *Jun 19 02:13:33.840: DHCPD: htype 1 chaddr 0c82.430d.db00
000255: *Jun 19 02:13:33.843: DHCPD: remote id 020a0000c0a8000100000000
000256: *Jun 19 02:13:33.846: DHCPD: circuit id 00000000
000257: *Jun 19 02:13:33.851: DHCPD: subnet [192.168.0.1,192.168.0.2] in address pool WAN is empty.
000258: *Jun 19 02:13:33.853: DHCPD: Sending notification of ASSIGNMENT FAILURE:
000259: *Jun 19 02:13:33.857: DHCPD: htype 1 chaddr 0c82.430d.db00
000260: *Jun 19 02:13:33.861: DHCPD: remote id 020a0000c0a8000100000000
000261: *Jun 19 02:13:33.865: DHCPD: circuit id 00000000
000262: *Jun 19 02:13:33.870: DHCPD: Sending notification of ASSIGNMENT FAILURE:
000263: *Jun 19 02:13:33.872: DHCPD: due to: POOL EXHAUSTED
000264: *Jun 19 02:13:33.877: DHCPD: htype 1 chaddr 0c82.430d.db00
000265: *Jun 19 02:13:33.879: DHCPD: remote id 020a0000c0a8000100000000
000266: *Jun 19 02:13:33.879: DHCPD: circuit id 00000000
000267: *Jun 19 02:13:36.860: DHCPD: Sending notification of DISCOVER:
000268: *Jun 19 02:13:36.862: DHCPD: htype 1 chaddr 0c82.430d.db00

Router R2 VLAN 10 users cannot get dynamic IP addresses from R1. Which action resolves
the issue?

A. Eliminate the port security feature on the ports of switch SW2.
B. Identify the host with the duplicate IP address.
C. Configure the IP helper feature on the Interface GigabitEthernet 0/2 of router R2.
D. Expand the address scope of VLAN 10.

Answer: D

Explanation

The reason for the failure of DHCP assignment is “DHCPD: due to: POOL EXHAUSTED”, which
means there are no IP addresses available in the DHCP pool, so we should expand the address
scope of this VLAN.

Question 19

Refer to the exhibit.

R1 lost its directly connected EIGRP peer 172.16.33.2 (SW1). Which configuration resolves
the issue?

Option A

key chain EIGRP
key 1
key-string Cisco
!
interface GigabitEthernet 2.10
ip authentication mode eigrp 88 md5
ip authentication key-chain eigrp 88 EIGRP

Option B

key chain EIGRP
key 1
key-string Cisco
!
interface GigabitEthernet 2
ip authentication mode eigrp 88 md5
ip authentication key-chain eigrp 88 EIG

Option C

key chain EIGRP
key 1
key-string Cisco
!
interface GigabitEthernet 2.10
ip authentication mode eigrp 88 md5
ip authentication key-chain eigrp 88 Cisco

Option D

key chain EIGRP
key 1
key-string Cisco
!
interface GigabitEthernet 2
ip authentication mode eigrp 88 md5
ip authentication key-chain eigrp 88 Cis

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

The last command “ip authentication key-chain eigrp 88 {key-chain}” requires a key-chain so
it must be “EIGRP” -> Only Option A and Option B are correct.

Also the “Message Text” tells us the “Neighbor 172.16.33.2” is on GigabitEthernet2.10 so we
have to apply the authentication under Gi2.10, not Gi2 -> Only Option A is correct.

Question 20

How are CE advertised routes segmented from other CE routers on an MPLS PE router?

A. with a combination of VRF-Lite and MP-BGP
B. by pushing MPLS labels advertised by LDP on customer routes
C. by enabling multiple instances of BGP, one for each CE router
D. by assigning CE-facing interfaces to different VRFs

Answer: D

Explanation

This question is a bit unclear in the way it asks. Maybe this question wanted to ask how PE
router can identify which routes are from which CE. If so then the answer is PE router assigns
different VRFs for its CE-facing interfaces.

Question 21

What is an advantage of MPLS Layer 3 VPN deployment?

A. Planning and modifications are required for the customer intranet before migrating to
Layer 3 VPN.
B. Scalable VPNs are created using connection-oriented, point-to-point, or multipoint overlay
connections.
C. QoS provides performance with policy and support for a best-effort service level in an
MPLS VPN.
D. Security is provided at the edge of the provider network through encryption.

Answer: C

==================== New Questions (added on 5th-Dec-2023) ====================

Question 22

How does MPLS Layer 3 VPN function?

A. When a PE device forwards a packet received from a CE device across the provider
network, it labels the packet with the label learned from the source PE device.
B. When a destination PE device receives a labeled packet, it pops the label and uses it to
forward the packet to the correct CE device.
C. When an EIGRP internal route is redistributed into BGP by one PE and then back into
EIGRP by another PE, the originating router ID for the route is changed to the router ID of
the first PE.
D. When a VPN route is learned from a CE device and injected into IGP, a VPN route
distinguisher attribute is associated with it.

Answer: B

Question 23

Refer to the exhibit.

ip flow-export destination 203.0.113.254 9995
ip flow-export source loopback2
ip flow-export version 9
ip flow-cache timeout active 1
flow-cache timeout inactive 15
ip snmp-server ifindex persist

R1# show ip flow interface
Ethernet1/1
ip flow ingress
Ethernet1/2
ip flow ingress

R1# show ip flow export
Flow export v9 is enabled for main cache
Export source and destination details :
VRF ID : Default
Sourced(1) 172.16.1.1 (Unknown)
Destination(1) 203.0.113.254 (9995)
Version 9 flow records
0 flows exported in 0 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures

It was noticed that after NetFlow is configured in the router, the collector stopped receiving
flow information. Which action resolves the issue?

A. Configure an IP address on the loopback2 interface to use as a source.
B. Change the IP address of the loopback 2 interface to a public IP address.
C. Modify the source through the ip flow-export source loopback1 command.
D. Apply the ip flow egress command to the loopback2 interface.

Answer: A

Explanation

This question stated that “after NetFlow is configured, the collector stopped receiving flow
information”. It means the router used to reach the collector -> Answer B is not correct.

We don’t know anything about Loopback1 interface so we should not change the source
from loopback2 to loopback1 -> Answer C is not correct.

The command “ip flow egress” is used to count traffic out of an interface. This command
cannot be the issue -> Answer D is not correct.
-> Only answer A is left.

From the line “Sourced(1) 172.16.1.1 (Unknown)”, we learn that loopback2 interface was
configured with IP 172.16.1.1. But it seems this interface no longer exists.

We also tried to recreate this error by removing the configured Loopback0 interface as
shown below and we got the same error output:

First everything worked well:

Loopback0 was configured with 1.1.1.1 then we removed this interface:


Therefore we can say in this question maybe the Loopback 2 has been deleted after
configuring NetFlow -> We need to recreate and assign an IP address to it.

Question 24

What is LDP used for in an LSR?

A. to allow for a system-wide exchange of labels across MPLS network
B. to create a database of label bindings that allow for hop-by-hop forwarding
C. to communicate the routes known for a specific interface
D. to create a label across the PE routers for end-to-end path assignment

Answer: B

Explanation
LDP enables peer label switch routers (LSRs) in an MPLS network to exchange label binding
information for supporting hop-by-hop forwarding in an MPLS network.

Question 25

Refer to the exhibit.

Router R1:
ip prefix-list filter-area-13 seq 5 deny 10.16.3.0/24
ip prefix-list fiiter-area-13 seq 10 permit 0.0.0.0/0 le 32
router ospf 1
area 13 filter-list prefix fitter-area-34 in

Router R2:
ip prefix-list filter-area-0 seq 5 permit 10.16.1.0/23 le 24
ip prefix-list filter-area-0 seq 10 deny 0.0.0.0/0 le 32
router ospf 2
area 0 filter-list prefix filter-area-0 out

R1 should receive 10.16.2.0/24 from R2. Which action resolves the issue?

A. Add prefix-list seq 1 on R1 to permit 10.16.0.0/22.
B. Add prefix-list seq 1 on R1 to permit 10.16.2.0/24.
C. Modify prefix-list seq 5 on R2 to permit 10.16.0.0/22.
D. Modify prefix-list seq 5 on R2 to permit 10.16.0.0/23.

Answer: C

Explanation
The command “area area-number filter-list prefix … in”: prevents prefixes from entering this
area (the in keyword here means “into”).
The command “area area-number filter-list prefix … out”: prevents the other areas that the ABR
is connected to from receiving the prefix.

Therefore in this question both R2 and R1 must allow 10.16.2.0/24 prefix so that R1 can
receive this prefix.

Current R1 configuration allows this prefix (with “permit 0.0.0.0/0”) so we don’t need to
change anything on R1. Only modification on R2 should be made. Between /22 and /23
surely /22 is the better choice as it covers wider range. But if you are careful then you can
calculate that 10.16.0.0/23 ranges from 10.16.0.0 to 10.16.1.255 which does not cover our
10.16.2.0 prefix while 10.16.0.0/22 ranges from 10.16.0.0 to 10.16.3.255 -> Answer C is
correct.
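
The prefix-list reasoning above, as an added example (not part of the original page). It evaluates the exhibit's lists with first-match, ge/le and implicit-deny semantics. Assumptions: R1's three differently spelled list names are treated as one list, as the explanation does; host bits in "10.16.1.0/23" are masked off; and the modified seq 5 on R2 keeps its existing "le 24".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "10.16.0.0/22"
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: str) -> bool:
        # strict=False masks host bits: 10.16.1.0/23 is read as 10.16.0.0/23
        net = ipaddress.ip_network(self.prefix, strict=False)
        cand = ipaddress.ip_network(route)
        if not cand.subnet_of(net):          # leading bits must agree
            return False
        # Allowed range for the candidate's prefix length
        lo = self.ge if self.ge is not None else net.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = cand.max_prefixlen          # "ge" alone runs up to /32
        else:
            hi = net.prefixlen               # no ge/le: exact length only
        return lo <= cand.prefixlen <= hi


def evaluate(entries, route):
    """First matching entry wins; no match is the implicit deny."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(route):
            return e.action, e.seq
    return "deny", None


# R1, inbound side (from the exhibit)
R1_IN = [
    Entry(5, "deny", "10.16.3.0/24"),
    Entry(10, "permit", "0.0.0.0/0", le=32),
]


def r2_out(seq5_prefix, le=24):
    """R2's outbound list with a chosen seq 5 prefix (seq 10 as in the exhibit)."""
    return [
        Entry(5, "permit", seq5_prefix, le=le),
        Entry(10, "deny", "0.0.0.0/0", le=32),
    ]


R2_CURRENT = r2_out("10.16.1.0/23")          # as configured in the exhibit


def r1_receives(r2_list, route):
    """The route reaches R1 only if both filters permit it."""
    return (evaluate(r2_list, route)[0] == "permit"
            and evaluate(R1_IN, route)[0] == "permit")


if __name__ == "__main__":
    target = "10.16.2.0/24"
    for label, lst in [
        ("current /23 le 24", R2_CURRENT),
        ("answer D: 10.16.0.0/23 le 24", r2_out("10.16.0.0/23")),
        ("answer C: 10.16.0.0/22 le 24", r2_out("10.16.0.0/22")),
        ("10.16.0.0/22 with le dropped", r2_out("10.16.0.0/22", le=None)),
    ]:
        print(f"{label:32} R2 -> {evaluate(lst, target)}  "
              f"R1 receives: {r1_receives(lst, target)}")
```

Two things the run shows beyond the explanation: a bare 10.16.0.0/22 entry without "le 24" matches only the /22 itself, and widening R2 to /22 also lets 10.16.3.0/24 out of R2, where R1's seq 5 still denies it.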

Question 26

Which characteristic is representative of a hub-and-spoke topology between PE routers in a
Layer 3 MPLS VPN network?

A. Each PE router uses a different RD to identify all branches.
B. The PE routers use different RDs for each VRF to import and export M-BGP prefixes.
C. The PE routers use different RTs to import and export M-BGP prefixes.
D. The PE routers are configured with multiple VRFs for all branches.

Answer: C

Question 27

Refer to the exhibit.


The primary link between R1 and R2 went down, but R3 is still advertising the
192.168.200.0/24 network to R1 and the 192.168.100.0/24 network to R2, which creates a
loop. Which action resolves the issue?

A. Configure the eigrp stub leak-map command under the EIGRP process on R1.
B. Configure the summary-address 192.168.0.0 255.255.0.0 100 command on R3.
C. Configure the eigrp stub command under the EIGRP process on R3.
D. Configure the eigrp stub command under the EIGRP process on R2.

Answer: C

Explanation

EIGRP stub automatically prevents suboptimal transit routing so it can help us in this
question. When R3 is configured with “eigrp stub” command, it only advertises directly
connected routes. Networks learned from R1 or R2 will not be advertised.

Question 28

Refer to the exhibit.


R3 is learning the 1.0.0.0/24 route through OSPF instead of EIGRP. Which action causes R3 to
choose EIGRP to reach the 1.0.0.0/24 network?

A. Configure EIGRP administrative distance to 120.
B. Configure EIGRP administrative distance to 110.
C. Configure OSPF administrative distance to 120.
D. Configure OSPF administrative distance to 200.

Answer: D

Explanation

Suppose all the parameters are in default values. Let’s see what happened:

+ R3 learned route 1.0.0.0/24 redistributed from R2 with AD of 110 (O E2)
+ Maybe E0/1 interface of R3 belongs to EIGRP not OSPF so R3 learned this route from R4
with AD of 170 (D EX).
-> Therefore R3 will choose OSPF.

We need to configure OSPF AD to a higher value than 170 so that R3 chooses the EIGRP path
-> Answer D is correct.

Below lists the Administrative Distances of popular routing protocols for your reference:

==================== New Questions (added on 22nd-Dec-2023) ====================

Question 29

Refer to the exhibit.


A junior engineer configured SNMP to network devices. Malicious users have uploaded
different configurations to the network devices using SNMP and TFTP servers. Which
configuration prevents changes from unauthorized NMS and TFTP servers?

Option A Option B

access-list 20 permit 10.221.10.11 access-list 20 permit 10.221.10.11


access-list 20 deny any log

Option C

access-list 20 permit 10.221.10.11
access-list 20 deny any log
!
snmp-server group NETVIEW v3 priv read NETVIEW access 20
snmp-server group NETADMIN v3 priv read NETVIEW write NETADMIN access 20
snmp-server community Cisc0Us3r RO 20
snmp-server community Cisc0wrus3r RW 20
snmp-server tftp-server list 20

Option D

access-list 20 permit 10.221.10.11
access-list 20 deny any log
!
snmp-server group NETVIEW v3 priv read NETVIEW access 20
snmp-server group NETADMIN v3 priv read NETVIEW write NETADMIN access 20
snmp-server community Ciscowrus3r RO 20
snmp-server community CiscOUs3r RW 20
snmp-server tftp-server-list 20

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

To limit access to the SNMP server, we can use ACL in the “snmp-server community”
command. The syntax is:

snmp-server community string [ access-list-number ][ view mib-view ][ ro | rw ]

We can use [ro | rw] in front of the [access-list-number]:

Option D is not correct as the community strings are not matched.

-> Only Option C is correct.

Question 30

Which collection contains the resources to obtain a list of fabric nodes through the vManage
API?

A. device management
B. administration
C. monitoring
D. device inventory

Answer: D

Explanation

The Cisco SD-WAN vManage API is a REST API for controlling, configuring, and monitoring
Cisco devices in an SD-WAN overlay network spanning multiple data centers. The API can be
used for equipment health monitoring, device configuration, such as attaching templates to
devices, device statistics queries, and access to alerts.

vManage APIs are grouped into the following resource collections: Device Action, Device
Inventory, Configuration, Certificate Management, Administration, Monitoring, and
Real-Time Monitoring.

To display all devices in the overlay network that are connected to the vManage instance,
we use:

GET https://{vmanage-ip-address}/dataservice/device

in the Device Inventory collection.

Question 31

Refer to the exhibit.


The route to 192.168.200.0 is flapping between R1 and R2. Which set of configuration
changes resolves the flapping route?

A. R2(config)# router ospf 100
R2(config-router)# no redistribute eigrp 100
R2(config-router)# redistribute eigrp 100 metric 1 subnets

B. R1(config)# router ospf 100
R1(config-router)# redistribute rip metric 1 metric-type 1 subnets

C. R1(config)# no router rip
R1(config)# ip route 192.168.200.0 255.255.255.0 10.40.0.2

D. R2(config)# router eigrp 100
R2(config-router)# no redistribute ospf 100
R2(config-router)# redistribute rip

Answer: B

Explanation

R1: RIP <-> EIGRP
R2: OSPF <-> EIGRP

After the redistribution, OSPF is preferred over External EIGRP (AD 170) and RIP (AD 120)
because it has the lowest AD (110). Therefore, R1 sees R2 as the next hop while R2 sees R1 as
the next hop for the route to 192.168.200.0.

If we redistribute RIP into OSPF as in the answer

“R1(config)# router ospf 100
R1(config-router)# redistribute rip metric 1 metric-type 1 subnets”

then R2 will see 192.168.200.0/24 as an external OSPF route. Therefore R2 will ignore this
prefix when it is advertised from EIGRP, as an OSPF route has a lower AD value than an External
EIGRP route (please read this Cisco article for more detail). So R2 can no longer advertise
this prefix to R1 -> No more routing loop.

Question 32

Refer to the exhibit.


R1 cannot authenticate via TACACS. Which configuration resolves the issue?

A. aaa group server tacacs+ DC_TACACS
server name DC_TACACS

B. tacacs server DC1_TACACS
address ipv4 10.66.66.66
key D@t@c3nter1TACACS

C. tacacs server DC1_TACACS
address ipv4 10.60.66.66
key D@t@c3nter1TACACS

D. aaa group server tacacs+ DC1_TACACS
server name DC_TACACS

Answer: B

Explanation

From the last line of the debug output “Using server UNKNOWN”, we learn that the IP
address of the TACACS server is missing. The “show run” output at the right side also
confirms this as no IP address was configured under “tacacs server DC1_TACACS”. From the
figure we see the correct IP address of the TACACS server is 10.66.66.66, not 10.60.66.66.

Question 33

Refer to the exhibit.

ipv6 access-list INTERNET

permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64

permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet

permit tcp 2001:DB8:AD59:BA21::/64 any eq http

permit ipv6 2001:DB8:AD59::48 any

deny ipv6 any any log

When monitoring an IPv6 access list, an engineer notices that the ACL does not have any hits
and is causing unnecessary traffic to pass through the interface. Which command must be
configured to resolve the issue?

A. access-class INTERNET in
B. ipv6 traffic-filter INTERNET in
C. ip access-group INTERNET in
D. ipv6 access-class INTERNET in

Answer: B

Explanation

The command “ipv6 access-class ipv6-access-list-name {in | out}” is used to apply an ACL to a
line interface.

Note: The command “ipv6 traffic-filter access-list-name { in | out }” is used to apply the
access list to incoming or outgoing traffic on the interface.

In this question we have to apply the ACL to an interface so we have to use the
“ipv6 traffic-filter …” command.

Question 34

Refer to the exhibit.

R1#sh run | begin router eigrp 100
router eigrp 100
 network 172.16.250.0 0.0.0.3
 redistribute ospf 1 metric 1 1 1 1 1
!
router ospf 1
 redistribute eigrp 100 subnets
 network 192.168.250.4 0.0.0.3 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server

R2#sh run | begin router eigrp 100
router eigrp 100
 network 172.16.250.12 0.0.0.3
 redistribute ospf 1 metric 1 1 1 1 1
!
router ospf 1
 redistribute eigrp 100 metric 100 subnets
 network 192.168.250.8 0.0.0.3 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server

R6# traceroute 172.16.3.17

Type escape sequence to abort.

Tracing the route to 172.16.3.17

VRF info: (vrf in name/id, vrf out name/id)

1 192.168.5.1 45 msec 38 msec 21 msec

2 192.168.250.6 165 msec 19 msec 28 msec

3 172.16.250.2 38 msec 40 msec 45 msec

4 172.16.3.2 30 msec 58 msec *

R6#

An engineer is troubleshooting suboptimal communication from the 192.168.5.32/28 subnet
to the 172.16.3.16/28 segment using the slowest links. Which configuration resolves the
suboptimal routing issue?

A. R2(config-router)#router ospf 1
R2(config-router)#default-metric 10
R1(config-router)#router ospf 1
R1(config-router)#default-metric 1

B. R2(config-router)#router ospf 1
R2(config-router)#default-metric 1
R1(config-router)#router ospf 1
R1(config-router)#default-metric 10

C. R1(config-router)#router eigrp 100
R1(config-router)#redistribute ospf 1 metric 1000000 1 1 1 1

D. R2(config-router)#router eigrp 100
R2(config-router)#redistribute ospf 1 metric 1000000 1 1 1 1

Answer: B

Explanation

We are troubleshooting “communication from the 192.168.5.32/28 subnet to the
172.16.3.16/28 segment” so we only care about the redistribution from EIGRP to OSPF ->
Answer C and answer D are not correct.

We need to make the metric of routes redistributed from R1 higher than that of R2 so we
can set “default-metric” of OSPF on R1 to 10, which is greater than the default-metric of
OSPF on R2 (which is 1) -> Answer B is correct.

Question 35

Refer to the exhibit.

R3#sh ip int brie

Interface            IP-Address     OK?  Method  Status                 Protocol
GigabitEthernet0/0   unassigned     YES  NVRAM   administratively down  down
GigabitEthernet0/1   172.16.250.2   YES  manual  up                     up
GigabitEthernet0/2   172.16.250.14  YES  manual  up                     up
GigabitEthernet0/3   172.16.1.17    YES  manual  up                     up

R3#

R3#sh run | begin router eigrp

router eigrp 100

network 172.16.1.0 0.0.0.3

network 172.16.1.16 0.0.0.15

no ip http server

no ip http secure-server

ip tftp source-interface GigabitEthernet0/3

line con 0

line aux 0

line vty 0 4

login

transport input none

R4#sh run

hostname R4

ip cef

interface GigabitEthernet0/0

ip address 172.16.2.2 255.255.255.252

ip access-group 120 in

interface GigabitEthernet0/1

ip address 172.16.2.17 255.255.255.240

router eigrp 100

network 172.16.2.0 0.0.0.3

network 172.16.2.16 0.0.0.15


!

access-list 120 permit udp host 172.16.1.2 host 172.16.2.19 eq tftp

access-list 120 deny udp any any eq tftp

access-list 120 permit tcp any any

The engineer is trying to transfer the new IOS file to the router R3 but is getting an error.
Which configuration achieves the file transfer?

A. R4(config)#no access-list 120 permit udp host 172.16.1.2 host 172.16.2.19 eq 69
R4(config)#access-list 120 permit tcp host 172.16.1.17 host 172.16.2.19 eq 69
R4(config)#access-list 120 permit tcp any any

B. R4(config)#no access-list 120 permit udp host 172.16.1.2 host 172.16.2.19 eq 69
R4(config)#no access-list 120 deny udp any any eq tftp
R4(config)#access-list 120 permit tcp any any

C. R4(config)#no access-list 120 permit udp host 172.16.1.2 host 172.16.2.19 eq 69
R4(config)#access-list 120 permit udp host 172.16.1.17 host 172.16.2.19 eq 69
R4(config)#access-list 120 permit tcp any any

D. R4(config)#no access-list 120 permit udp host 172.16.1.2 host 172.16.2.19 eq 69
R3(config)#no ip tftp source-interface GigabitEthernet0/3

Answer: C

Explanation

In this question we use TFTP to transfer file so we must allow UDP, not TCP. And the source
IP should be 172.16.1.17 (R3) because R3 has been configured with command “ip tftp
source-interface GigabitEthernet0/3” so it will use Gi0/3 IP address 172.16.1.17 as the
source address. The destination IP should be 172.16.2.19 (TFTP server).

Maybe the author forgot the ACL 120 should be removed totally first as there is no correct
answer when the ACL statement “access-list 120 deny udp any any eq tftp” is processed
before other statements. When we type new ACL statements, they will be appended to the
existing ACL statements.

But we have to choose one best answer. So the answer C is the best choice as it used correct
source address 172.16.1.17 and UDP, not TCP.
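
The ordering problem described in this explanation, as an added example that is not part of the original question: a small first-match model of ACL 120 that applies Option C the way the explanation describes it (a "no" line removes that one entry, new lines are appended) and checks R3's TFTP request against the result. The REBUILT_ACL list and all function names are constructed for the illustration.

```python
import ipaddress

PORT_NAMES = {"tftp": 69}  # the only port keyword the exhibit uses

# ACL 120 as shown in the R4 exhibit.
EXHIBIT_ACL = [
    "access-list 120 permit udp host 172.16.1.2 host 172.16.2.19 eq tftp",
    "access-list 120 deny udp any any eq tftp",
    "access-list 120 permit tcp any any",
]

# Option C exactly as typed in the question.
OPTION_C = [
    "R4(config)#no access-list 120 permit udp host 172.16.1.2 host 172.16.2.19 eq 69",
    "R4(config)#access-list 120 permit udp host 172.16.1.17 host 172.16.2.19 eq 69",
    "R4(config)#access-list 120 permit tcp any any",
]

# Constructed for comparison: the list re-entered from scratch, specific permit first.
REBUILT_ACL = [
    "access-list 120 permit udp host 172.16.1.17 host 172.16.2.19 eq 69",
    "access-list 120 deny udp any any eq tftp",
    "access-list 120 permit tcp any any",
]


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address form: " + " ".join(tokens))


def parse_entry(line):
    """Parse 'access-list N permit|deny proto src dst [eq port]' into a tuple."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError("not an ACL entry: " + line)
    action, proto = tokens[2], tokens[3]
    src, rest = _take_addr(tokens[4:])
    dst, rest = _take_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return (action, proto, src, dst, port)


def apply_config(acl, commands):
    """Model assumed from the explanation: 'no' removes one entry, others append."""
    acl = list(acl)
    for cmd in commands:
        cmd = cmd.split("#", 1)[-1].strip()  # drop the 'R4(config)#' prompt
        if cmd.startswith("no "):
            entry = parse_entry(cmd[3:])
            if entry in acl:
                acl.remove(entry)
        else:
            acl.append(parse_entry(cmd))
    return acl


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, e_proto, e_src, e_dst, e_port) in enumerate(acl):
        if e_proto not in ("ip", proto):
            continue
        if src not in e_src or dst not in e_dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return action, index
    return "deny", None


def tftp_request_verdict(acl):
    """R3 sources TFTP from Gi0/3 (172.16.1.17) toward the server 172.16.2.19."""
    return evaluate(acl, "udp", "172.16.1.17", "172.16.2.19", 69)


def after_option_c():
    exhibit = [parse_entry(line) for line in EXHIBIT_ACL]
    return tftp_request_verdict(apply_config(exhibit, OPTION_C))


def after_rebuild():
    return tftp_request_verdict([parse_entry(line) for line in REBUILT_ACL])


if __name__ == "__main__":
    print("Option C appended to the existing list:", after_option_c())
    print("List rebuilt with the permit first:   ", after_rebuild())
```

In this model the request is still dropped after Option C because the surviving "deny udp any any eq tftp" entry sits at index 0, ahead of the appended permit.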

Question 36

A network engineer must configure an EIGRP stub router at a site that advertises only
connected and summary routes. Which configuration performs this task?

A. router eigrp 100
eigrp stub connected

B. router eigrp 100
eigrp stub redistribute

C. router eigrp 100
eigrp stub summary

D. router eigrp 100
eigrp stub

Answer: D

Explanation

The “eigrp stub” command advertises directly connected routes and summary routes by
default.

Question 37

Refer to the exhibit.

R101#sh ip sla summary

IPSLA Latest Operation Summary

Codes: * active, ^ inactive, ~ pending

ID Type Destination Stats (ms) Return Code Last Run

---------------------------------------------------------------

*1 udp-jitter 2.2.2.2 - Timeout 1 minute, 0 seconds ago

R101#sh run | section sla

ip sla 1

udp-jitter 2.2.2.2 16384 control disable codec g711ulaw

ip sla schedule 1 life forever start-time now

R101#

Jitter on the link between R101 and R201 was tested for voice traffic over port 16384
without the control communication on port 1967. Which command enables R201 to receive
RTT for the configured IP SLA?

A. ip sla responder tcp-connect port 1967
B. ip sla responder auto-register 1.1.1.1
C. ip sla responder udp-echo ipaddress 2.2.2.2 port 16384
D. ip sla responder udp-echo ipaddress 1.1.1.1 port 16384

Answer: C

Explanation

In the configuration of R101, we see the command “udp-jitter 2.2.2.2 16384 control
disable codec g711ulaw” was configured. The control disable keyword is used to send the
testing traffic without attempting the default control communication on UDP 1967. It will
use port 16384 instead as indicated in the above command.

But R201 was not configured as an IP SLA Responder so it rejected the connection and the
SLA test failed as shown in the output of “sh ip sla summary” command.

By default, a router configured as an IP SLA Responder is first contacted on UDP port 1967
(the IP SLA control channel). But if we don’t want to use this control port then we can
manually specify which IP address and port we wish the Responder to listen on with the
command:

ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number

-> Therefore on R201 we must use the destination IP address of 2.2.2.2 and destination port
of 16384 to match with the configuration of R101 -> Answer C is correct.

Note: The IP address in the command “ip sla responder … ipaddress {ip-address} port
{port-number}” is only used to manually specify which IP address and port you want the
Responder to listen on. Therefore, the IP address used in this command should belong to the
local router.

Question 38

Refer to the exhibit.

R3#sh run | begin ip http Server

ip http server

ip http access-class 20

ip http authentication local

no ip http secure-server

ip http max-connections 2

access-list 20 permit 172.16.10.48 0.0.0.15

end

Which configuration allows the operation level 1 team of 10 engineers to log in at least three
at a time to router R3 using network credentials over HTTP?

A. R3(config)#ip http max-connections 3
R3(config)#ip http accounting commands 3 default

B. R3(config)#ip http authentication aaa
R3(config)#ip http max-connections 3

C. R3(config)#ip http authentication enable
R3(config)#no access-list 20 permit 172.16.10.48 0.0.0.15
R3(config)#access-list 20 permit 172.16.10.48 0.0.0.7

D. R3(config)#ip http authentication aaa
R3(config)#no access-list 20 permit 172.16.10.48 0.0.0.15
R3(config)#access-list 20 permit 172.16.10.48 0.0.0.7

Answer: B

Question 39

Refer to the exhibit.

During an unannounced link-maintenance window at the ISP, the DCI link went down, which
caused a significant service outage. What action must the network engineer take at the head
office to ensure Area-0 connectivity without intervention from the ISP?

A. Create a GRE tunnel interface in Area-110 between R1 S0/0 and R2 S0/0
B. Create a virtual link in Area-110 between R1 S0/0 and R2 S0/0
C. Create a GRE tunnel interface in Area-0 between HO E0/0 and DR E0/0
D. Create a virtual link in Area-0 between HO E0/0 and DR E0/0

Answer: B

Explanation

A virtual link is a link that allows discontiguous area 0s to be connected, or a disconnected
area to be connected to area 0, via a transit area.

Reference: https://www.ciscopress.com/articles/article.asp?p=2294214&seqNum=3

Question 40

Refer to the exhibit.

A PC at a new branch office can access the IPv4 network from the head office and internet
segments, and it can reach the IPv6 App and DB servers in the head office as well. However,
the PC cannot reach IPv6 hosts on the internet segment. A network engineer observed that
the branch is not learning the internet IPv6 route via OSPF. Which two actions must the
engineer take to resolve the issue? (Choose two)

A. Add a default IPv6 static route on the branch router toward the head office router
B. Advertise the default-information originate command under the OSPFv3 IPv6
address-family instance
C. Advertise the default-information originate command under the OSPFv3 routing instance
D. Add a default IPv6 static route on the head office router toward the internet
E. Redistribute the default IPv6 default static route into the OSPF routing protocol

Answer: A C

Explanation

To generate a default external route into an Open Shortest Path First (OSPF) for IPv6 routing
domain, use the default-information originate command in router configuration mode.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-d2.html

An example of the configuration is shown below:

In this question, we need to use both options so that the solution can work. Or we can use a
single command “default-information originate always” instead.

Question 41

Refer to the exhibit.

R1

ip as-path access-list 1 deny 65412_$

ip as-path access-list 1 permit *

router bgp 64560

neighbor 10.10.10.10 remote-as 64570

neighbor 10.10.10.10 route-map FILTER in

route-map FILTER permit 10

match as-path 1

R1#show ip bgp

Network Next hop Metric LocPrf Weight Path

*> 10.0.0.0/8 10.10.10.10 0 100 0 64570 i

*> 10.1.0.0/16 10.10.10.10 0 100 0 64570 i

*> 10.1.1.0/24 10.10.10.10 0 100 0 64570 65412 i

*> 10.1.2.0/24 10.10.10.10 0 100 0 64570 65412 i

*> 10.1.3.0/24 10.10.10.10 0 100 0 64570 65412 i

*> 10.1.4.0/24 10.10.10.10 0 100 0 64570 65412 i

*> 10.1.5.0/24 10.10.10.10 0 100 0 64570 65412 i

*> 10.1.6.0/24 10.10.10.10 0 100 0 64570 65412 i

An engineer must filter prefixes that originate from AS65412, but it is not working correctly.
Which configuration must the engineer apply to R1 to resolve the issue?

A. router bgp 64560
neighbor 10.10.10.10 route-map FILTER out

B. no ip as-path access-list 1
ip as-path access-list 1 deny 65412_
ip as-path access-list 1 permit .*

C. no ip as-path access-list 1
ip as-path access-list 1 deny _65412$
ip as-path access-list 1 permit .*

D. route-map FILTER permit 10
match as-path 1
route-map FILTER permit 20

Answer: C

Explanation

This question wants to test your knowledge of regular expression in BGP AS-PATH. Here is a
quick guide to regular expression:

Modifier        Purpose
_ (underscore)  Matches a space or the end of the AS PATH list
^               Indicates the start of a string
$               Indicates the end of a string
[]              Matches a single character with a range of characters
–               Indicates a range of numbers in brackets
[^]             Excludes the characters listed in the brackets
()              Nesting of search patterns uses parentheses
|               Acts as an OR logic to a query
.               Matches a single character including space
*               Matches zero or more characters, or pattern
+               Matches one or more instances of the character, or pattern
?               Matches one or no instances of the character, or pattern

But notice that “$ indicates the end of a string” means “the beginning of the AS PATH” (as
the AS PATHs are filled from right to left) so the command “ip as-path access-list 1 deny
_65412$” means “deny any route that originates from AS 65412”.

“permit .*” means “permit any”.

Some examples of commonly used regular expressions:

Expression  Meaning
.*          Anything
^$          Locally originated routes
^100_       Learned from AS 100
_100$       Originated in AS 100
_100_       Only routes that pass through 100
^[0-9]+$    Directly connected ASes

A good example of a BGP AS PATH regular expression that is the same as the one in this
question can be found at https://cs7networks.co.uk/2019/11/26/cisco-bgp-as-path-regex/
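
The regular expressions from this explanation evaluated against the AS paths in the exhibit, as an added example that is not part of the original page. It assumes the usual IOS meaning of "_" (start or end of the string, or a space, comma, brace or parenthesis) and translates it into Python's re syntax; the function names and the AS 100 sample paths are constructed.

```python
import re

# BGP table from the R1 exhibit: prefix -> AS path. The trailing "i" shown in
# "show ip bgp" is the origin code, not part of the AS path.
BGP_TABLE = {
    "10.0.0.0/8": "64570",
    "10.1.0.0/16": "64570",
    "10.1.1.0/24": "64570 65412",
    "10.1.2.0/24": "64570 65412",
    "10.1.3.0/24": "64570 65412",
    "10.1.4.0/24": "64570 65412",
    "10.1.5.0/24": "64570 65412",
    "10.1.6.0/24": "64570 65412",
}

# Answer C: ip as-path access-list 1 deny _65412$ / permit .*
ANSWER_C = [("deny", "_65412$"), ("permit", ".*")]

# The "commonly used" expressions from the table above.
GUIDE_PATTERNS = [".*", "^$", "^100_", "_100$", "_100_", "^[0-9]+$"]


def cisco_to_python(pattern):
    """Translate '_' to its delimiter meaning (only handles '_' outside brackets)."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")


def matches(pattern, as_path):
    """True when the IOS-style pattern matches anywhere in the AS path string."""
    return re.search(cisco_to_python(pattern), as_path) is not None


def as_path_acl(entries, as_path):
    """First matching entry decides; an AS-path list ends in an implicit deny."""
    for action, pattern in entries:
        if matches(pattern, as_path):
            return action
    return "deny"


def permitted_prefixes(entries, table):
    """Prefixes that 'route-map FILTER permit 10 / match as-path 1' would accept."""
    return [prefix for prefix, path in table.items()
            if as_path_acl(entries, path) == "permit"]


def classify(as_path, patterns=GUIDE_PATTERNS):
    """Which of the guide's expressions match a given AS path."""
    return [p for p in patterns if matches(p, as_path)]


if __name__ == "__main__":
    print("Accepted with answer C:", permitted_prefixes(ANSWER_C, BGP_TABLE))
    # Constructed paths: why the leading "_" matters when anchoring on an origin AS.
    print("65412$  vs '64570 165412':", matches("65412$", "64570 165412"))
    print("_65412$ vs '64570 165412':", matches("_65412$", "64570 165412"))
    for path in ["", "100", "200 100", "100 200", "1000 200"]:
        print(repr(path), "->", classify(path))
```

Without the leading underscore, "65412$" would also match an unrelated origin AS such as 165412, which is why the delimiter is part of the correct filter.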

Question 42

Refer to the exhibit.


R1

ip sla 2

icmp-echo 10.1.1.1

timeout 3000

threshold 1000

frequency 5

track 2 ip sla 200 reachability

delay down 30 up 180

ip route 0.0.0.0 0.0.0.0 10.1.1.1

The default route from R1 must be withdrawn from the routing table if R1 cannot ping
10.1.1.1, but it is not working correctly. Which configuration resolves the issue?

Option A

ip sla 2
 icmp-echo 10.1.1.1
 timeout 3000
 threshold 1000
 frequency 5
!
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 2 reachability
 delay down 30 up 180
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 2

Option B

ip sla 2
 icmp-echo 10.1.1.1
 timeout 3000
 threshold 1000
 frequency 5
!
track 2 ip sla 2 reachability
 delay down 30 up 180
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 2

Option C

ip sla 2
 icmp-echo 10.1.1.1
 timeout 3000
 threshold 1000
 frequency 5
!
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 200 reachability
 delay down 30 up 180
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 2 250

Option D

ip sla 2
 icmp-echo 10.1.1.1
 timeout 3000
 threshold 1000
 frequency 5
!
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 200 reachability
 delay down 30 up 180
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

Surely the answer must include the commands “ip sla schedule 2 life forever start-time now”
to start the tracking and the command “ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 2” so Option B
and Option D are not correct.

Option C is not correct as it defined the track object 2 which wrongly tracks the IP SLA 200,
not IP SLA 2.

-> Only Option A is correct.

Question 43

An engineer is configuring an NHRP client router to advertise NBMA addresses that are valid
for 20 minutes to clients. Which configuration must the engineer apply to interface
gigabitethernet0/0/1 to meet the requirement?

A. Router(config-if)# interface gigabitethernet 0/0/1
Router(config-if)# ip nhrp holdtime 1200

B. Router(config-if)# interface gigabitethernet 0/0/1
Router(config-if)# ip nhrp interest 20

C. Router(config-if)# interface gigabitethernet 0/0/1
Router(config-if)# ip nhrp registration timeout 1200

D. Router(config-if)# interface gigabitethernet 0/0/1
Router(config-if)# ip nhrp holdtime 20

Answer: A

Explanation

The “ip nhrp holdtime seconds” command changes the number of seconds that NHRP NBMA
addresses are advertised as valid in positive NHRP responses. The default is to send NHRP
registrations every one-third the NHRP holdtime value (default = 2400 seconds (40
minutes)).

The optional “ip nhrp registration timeout value” command can be used to set the interval
for sending NHRP registration requests independently from the NHRP holdtime. It changes the
interval at which NHRP NHCs send NHRP registration requests to configured NHRP NHSs.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nhrp/configuration/xe-3s/nhrp-xe-3s-book/config-nhrp.html

-> Therefore the correct answer here should be answer A.

Question 44

Refer to the exhibit.

R1

router bgp 200

no synchronization

bgp log-neighbor-changes

neighbor 192.168.200.6 remote-as 100

neighbor 192.168.200.6 update-source Loopback0

no auto-summary

ip route 192.168.200.6 255.255.255.255 192.168.100.1

R1#show ip bgp neighbor 192.168.200.6

BGP neighbor is 192.168.200.6, remote AS 100, external link

BGP version 4, remote router ID 0.0.0.0

BGP state = Idle

Last read 00:00:00, last write 00:00:00, hold time is 180, keepalive interval is 60 seconds

!

For address family: IPv4 Unicast

BGP table version 1, neighbor version 0/0

Output queue size: 0

Index 1, Offset 0, Mask 0x2

Connections established 0; dropped 0

Last set never

No active TCP connection

The BGP neighbor is not coming up. Which action resolves the issue?

A. Configure the ebgp-multihop 2 command on R1 toward the neighbor
B. Configure a valid router ID on the neighbor that shows an invalid router ID of 0.0.0.0
C. Enable synchronization between the neighbors to bring the neighborship up
D. The route map on eBGP sessions must allow the prefixes from the neighbor

Answer: A

Explanation

With eBGP peering, by default the TTL value of BGP messages is 1 so the BGP neighbor
relationship can only be built on two physical interfaces in the same network. If we want to
change the source IP address of the BGP messages to a loopback interface then we also need
to increase the TTL value to at least 2 so that the BGP messages can reach the BGP peer. The
full required command in this question is “neighbor 192.168.200.6 ebgp-multihop 2”.

Question 45

Refer to the exhibit.

Router#show logging

Syslog logging : enabled (0 messages dropped , 0 messages rate-limitted , 0 flushes, 0

overruns xml disabled, filtering disabled.


No Active Message Discriminator.

No Inactive Message Discriminator.

No Inactive message Discriminator.

Console logging: level critical, 8 messages logged , xml disabled,

filtering disabled

Monitor logging: level debugging, 0 messages logged , xml disabled,

filtering disabled

Buffer logging: level debugging, 15 messages logged , xml disabled,

filtering disabled

Exception Logging: size (8192 bytes)

Count and timestamp logging messages: disabled

Persistent logging : disabled

No active filter modules.

No active filter modules.

Trap logging : level debugging, 14 messages lines logged

Logging to 10.1.1.1 (udp port 514, audit disabled,

link up)

2 messages lines logged

0 messages lines rate-limited

0 messages lines dropped-by-MD

xml disabled, sequence number disabled

filtering disabled

Logging Source-Interface: VRF Name:


Loopback 0

A network engineer notices that the syslog server has high utilization due to the high
number of log messages received from the network devices. This high volume of log
messages also makes it difficult to identify the important logs. Which configuration resolves
the issue?

A. logging synchronous level 4 limit 100
B. logging monitor filtered warning
C. logging monitor warning
D. logging trap warning

Answer: D

Question 46

Refer to the exhibit.

Client> ping 10.1.2.1

84 bytes from 10.1.2.1 icmp_seq=1 ttl=255 time=16.586 ms

84 bytes from 10.1.2.1 icmp_seq=2 ttl=255 time=17.198 ms


84 bytes from 10.1.2.1 icmp_seq=3 ttl=255 time=15.784 ms

84 bytes from 10.1.2.1 icmp_seq=4 ttl=255 time=16.293 ms

84 bytes from 10.1.2.1 icmp_seq=5 ttl=255 time=15.223 ms

Client> ping 10.1.2.10

*10.1.2.1 icmp_seq=1 ttl=255 time=16.784 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=2 ttl=255 time=16.051 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=3 ttl=255 time=15.313 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=4 ttl=255 time=15.161 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=5 ttl=255 time=15.652 ms (ICMP types:3, code:1, Destination host unreachable)

Client> ping 10.1.2.11

*10.1.2.1 icmp_seq=1 ttl=255 time=16.784 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=2 ttl=255 time=16.051 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=3 ttl=255 time=15.313 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=4 ttl=255 time=15.161 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=5 ttl=255 time=15.652 ms (ICMP types:3, code:1, Destination host unreachable)

Client> ping 10.1.2.12

*10.1.2.1 icmp_seq=1 ttl=255 time=16.784 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=2 ttl=255 time=16.051 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=3 ttl=255 time=15.313 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=4 ttl=255 time=15.161 ms (ICMP types:3, code:1, Destination host unreachable)
*10.1.2.1 icmp_seq=5 ttl=255 time=15.652 ms (ICMP types:3, code:1, Destination host unreachable)

The EIGRP neighborship between the routers is up. However, the app servers are
unreachable from the client PC. Which action must the engineer take to resolve the issue?

A. Configure the default network 10.1.2.0 0.0.0.255 command in the EIGRP protocol on R2 only
B. Configure the network 10.1.1.0 command in the EIGRP protocol on R1 only
C. Configure the no auto-summary command in the EIGRP protocol on both routers
D. Configure the neighbor 10.1.2.0 FastEthernet 0/0 command in the EIGRP protocol on R2 only

Answer: C

Explanation

Note: There is a typo in the configuration in the IP address under “interface
FastEthernet0/1”. It should be “10.1.2.1” instead of “10.1.1.1”.

In the configuration of R1 and R2, EIGRP is configured with “auto-summary” so EIGRP will
summarize advertised networks across a different major network (192.168.1.0/24 in this
case). We have two major 10.0.0.0/8 networks (discontiguous network) at both sides so
EIGRP will reject routing updates for this network.

==================== New Questions (added on 19th-Feb-2024) ====================

Question 47

How are LDP neighbors discovered?

A. Broadcasts hellos are sent to the 255.255.255.255 broadcast address.
B. Multicast hellos are sent to the 224.0.0.5 group address.
C. Unicast hellos are sent to directly connected neighbors IP addresses.
D. Multicast hellos are sent to the 224.0.0.2 group address.

Answer: D

Explanation

Normally LDP neighbors are found automatically by sending UDP Hello packets on Port 646
with the destination of multicast address 224.0.0.2 out of each LDP enabled interface.

Reference: https://networkers-online.com/p/what-is-ldp-extended-discovery

Question 48

Refer to the exhibit.

R101#sh run | section sla


ip sla 1

tcp-connect 2.2.2.2 3000 source-ip 1.1.1.1

threshold 1000

timeout 1000

frequency 10

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-jitter 2.2.2.2 source-ip 1.1.1.1 num-packets 100 interval 10

threshold 1000

timeout 1000

frequency 10

ip sla schedule 2 life forever start-time now

R101#sh ip sla summary

IPSLAs Latest Operation Summary

Codes: * active, ^ inactive, ~ pending

ID Type Destination Stats (ms) Return Code Last Run

----------------------------------------------------------------

*1 tcp-connect 2.2.2.2 - No connection 33 seconds ago

*2 icmp-jitter 2.2.2.2 RTT=4 OK 3 seconds ago

While troubleshooting an issue on the network, an engineer notices that a TCP Connect
operation failed on port 3000 between R101 and R201. Which command must be configured
on R201 to respond to the R101 IP SLA configurations with a control connection on UDP port
1967?

A. ip sla responder udp-echo ipaddress 1.1.1.1 port 1967
B. ip sla responder tcp-connect ipaddress 2.2.2.2 port 3001
C. ip sla responder tcp-connect ipaddress 1.1.1.1 port 3000
D. ip sla responder

Answer: D

Explanation

By default, a router configured as an IP SLA Responder is first contacted on UDP port 1967
(the IP SLA control channel). But if we don’t want to use this control port then we can
manually specify which IP address and port we wish the Responder to listen on with the
command:

ip sla responder {tcp-connect | udp-echo} ipaddress ip-address port port-number

In this question we use the default UDP port 1967 as requested -> Answer D is correct.

Note: Answer A is not correct as we need “tcp-connect”, not “udp-echo”.

Question 49

Refer to the exhibit.


Which configuration is required for R2 to get the IP address from the DHCP server?

A. ip access-list extended R2WAN
permit tcp any any eq 68

B. ip access-list extended R2WAN
permit udp any any eq 68

C. ip access-list extended R2WAN
permit udp any any eq 67

D. interface GigabitEthernet0/0
ip access-group R2WAN out

Answer: B

Explanation

BOOTP is implemented using the User Datagram Protocol (UDP) for transport. Port number
67 is used by the server for receiving client requests, and port number 68 is used by the
client for receiving server responses.

In this question, the ACL is applied on the client side so it must allow DHCP messages sent
from DHCP server to DHCP client (port 68).

Question 50

Refer to the exhibit.

R2#show ip bgp 130.130.130.0 255.255.255.0 longer

BGP table version is 4, local router ID is 10.10.20.1


Network Next Hop Metric LocPrf Weight Path

* i130.130.130.0/24 10.10.20.3 0 100 0 i

R2#show ip protocols

Routing Protocol is "bgp 1"

Outgoing update filter list for all interfaces is not set

Incoming update filter list for all interfaces is not set

IGP synchronization is enabled

Automatic route summarization is disabled

Neighbor(s):

Address

10.10.10.2

10.10.20.3

Maximum path: 1

Routing for Networks:

Routing Information Sources:

Gateway Distance Last Update

10.10.20.3 200 01:48:24

Distance: external 20 internal 200 local 200

The 130.130.130.0/24 route shows in the R2 routing table but is being filtered toward R3.
Which action resolves the issue?

A. IGP synchronization must be disabled on R2.
B. The outgoing filter list for all interfaces must be set on R2.
C. Automatic route summarization must be enabled on R2.
D. The incoming filter list for all interfaces must be set on R2.

Answer: A

Explanation

From the line “IGP synchronization is enabled” we learn that BGP synchronization is enabled.

BGP synchronization is an old rule from the days when we didn’t run IBGP on all routers
within a transit AS. In short, BGP will not advertise something that it learns from an IBGP
neighbor to an EBGP neighbor if the prefix can’t be validated in its IGP.

Question 51

What are the two major components of an MPLS-based VPN? (Choose two.)

A. VPN route target communities
B. MP-BGP peering of VPN community CE devices
C. MP-BGP peering of VPN community P devices
D. MP-BGP peering of VPN community PE devices
E. VPN route distinguisher
F. VPN route reflectors

Answer: A D

Explanation

A Multiprotocol Label Switching (MPLS)-based virtual private network (VPN) has three major
components:
+ VPN route target communities – A VPN route target community is a list of all members of
a VPN community. VPN route targets need to be configured for each VPN community
member.
+ Multiprotocol BGP (MP-BGP) peering of VPN community provider edge (PE) devices –
MP-BGP propagates virtual routing and forwarding (VRF) reachability information to all
members of a VPN community. MP-BGP peering must be configured on all PE devices within
a VPN community.
+ MPLS forwarding – MPLS transports all traffic between all VPN community members
across a VPN service-provider network.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-3/configuration_guide/mpls/b_173_mpls_9500_cg/configuring_mpls_layer_3_vpn.html

Question 52

Refer to the exhibit.

R1#show ipv6 ospf neighbor

R1#debug ipv6 ospf hello

OSPFv3 hello events debugging is on

OSPFv3: Rcv hello from 10.1.1.1 area 10 from FastEthernet0/1 FE80::C801:FFF:FE94:1C interface ID 4

OSPFv3: Hello from FE80::C801:FFF:FE94:1C with mismatched NSSA option bit

OSPFv3: Send hello to FF02::5 area 10 on FastEthernet0/1 from FE80::C004:22FF:FE78:1 interface ID 5

R1 is not forming adjacency on a point-to-point interface. Which action resolves the issue?

A. The area numbers must be configured the same on each router.
B. The no-summary command must be included in the area configuration on R1.
C. The no-summary command must be included in the area configuration on R2.
D. The area types must be configured the same on each router.

Answer: D

==================== New Questions (added on 6th-Mar-2024) ====================

Question 53

Refer to the exhibit.


R1 is configured with IP SLA to check the availability of the server behind R6 but it kept
failing. Which configuration resolves the issue?

A. R1(config)# ip sla 700
R1(config-track)# delay down 30 up 20

B. R1(config)# ip sla 700
R1(config-track)# delay down 20 up 30

C. R1(config)# track 700 ip sla 700
R1(config-track)# delay down 30 up 20

D. R1(config)# track 700 ip sla 700
R1(config-track)# delay down 20 up 30

Answer: C

Explanation

Delays are specified under the track object, so the delay must be configured under “track
700 ip sla 700” (not under “ip sla 700”).

delay down 30: “wait 30 seconds before switching traffic to a secondary connection”
up 20: “then revert to the primary link after waiting 20 seconds”

We should choose the answer with “down 30 up 20” rather than “down 20 up 30” because we
should prefer the primary link and only change to the backup link after 30 seconds (rather
than after only 20 seconds).

Question 54

Refer to the exhibit.

ip sla 10

icmp-echo 10.1.1.10

timeout 2000

threshold 2000

frequency 40

ip sla schedule 10 life forever start-time now

track 1 ip sla 10 reachability

An engineer configured IP SLA to monitor a next hop on a router for reachability. When the
next hop is unreachable, the router executes tracking and fails over to another route, but
packet loss is experienced because the reachability is flapping. Which action resolves the
issue?

A. Append delay up 0 down 0 to the track command
B. Increase the timeout of the sla probe to 6000
C. Append delay up 50 down 60 to the track command
D. Increase the frequency of the sla probe to 60.

Answer: C

Question 55

Which Layer 3 VPN attribute allows different customers to connect to the same MPLS
network with overlapping IP ranges?
A. VRF
B. RT
C. MP-BGP
D. RD

Answer: D

Explanation

The Route Distinguisher (RD) is used to make sure that all prefixes are unique. The customer
prefix and the RD together form a VPNv4 route.

Question 56

Refer to the exhibit.

Router# show ip interface brief

Interface IP-Address OK? Method Status Protocol

Ethernet0/0 90.0.1.1 YES NVRAM up up

Ethernet1/0 118.8.10.1 YES NVRAM up up

Loopback6 10.1.7.6 YES NVRAM up up

Loopback7 10.1.7.7 YES NVRAM up up

Router# show ip bgp

BGP table version is 10, local router ID is 10.1.7.7

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, x best-external

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

*> 10.0.0.0 0.0.0.0 0 32768 ?

*> 10.1.7.7/32 0.0.0.0 0 32768 i

*> 90.0.0.0 0.0.0.0 0 32768 ?

r> 90.0.1.0/24 100.0.1.254 0 06?

*> 118.0.0.0 0.0.0.0 0 32768 ?

r>i118.8.10.0/24 118.8.10.254 0 100 0 ?

Which action adds the 10.1.7.6/32 route to the BGP table?

A. Add a static route for the 10.1.7.6/32 network
B. Add the network 10.1.7.6 mask 255.255.255.255 backdoor command
C. Add summary-address 10.1.7.6 255.255.255.0
D. Add the network 10.1.7.6 mask 255.255.255.255 command

Answer: D

Explanation

Unlike other dynamic routing protocols like OSPF, EIGRP…, with BGP we must declare the
correct subnet mask so that the prefix is installed into the routing table.

Question 57

What is the role of LDP in MPLS networks?

A. It enables label binding that exchanges route descriptors
B. It creates MPLS packet forwarding along with the IGP routes
C. It disables label binding information to exchange with peer LSRs
D. It enables label binding information to exchange with peer LSRs

Answer: D

Explanation

The Label Distribution Protocol (LDP) plays a crucial role in MPLS networks. Its primary
function is to distribute labels used for forwarding packets along Label Switched Paths (LSPs)
within an MPLS network. Here’s a breakdown of its role:
1. Label Distribution: LDP is responsible for distributing labels across the MPLS network.
When an LSR (Label Switching Router) needs to establish an LSP to forward packets for a
particular FEC (Forwarding Equivalence Class), it communicates with neighboring LSRs to
exchange label information.

2. Label Assignment: LDP assigns a unique label to each FEC. This label is used by routers in
the network to forward packets along the correct LSP. The assigned label is distributed to all
LSRs participating in the MPLS network, ensuring consistent forwarding behavior.

3. Label Mapping: LDP maintains a mapping table that associates FECs with corresponding
labels. This mapping information is crucial for LSRs to make forwarding decisions based on
the labels received in incoming packets.

4. Label Retention: LDP ensures that all routers in the MPLS network retain the label
mappings received from neighboring routers. This retention allows routers to efficiently
forward packets based on the labels without needing to repeatedly request label mappings.

5. Label Withdrawal: LDP provides mechanisms for withdrawing label mappings when they
are no longer needed or when network conditions change. This ensures that routers do not
use outdated label mappings for forwarding packets.

==================== New Questions (added on 8th-Mar-2024) ====================

Question 58

Which two reasons would cause an LSP to break between two PE routers? (Choose two)

A. lost LDP adjacency
B. IGP hello adjacency
C. matching labels
D. prefix mismatch
E. MPLS not enabled

Answer: A D

Explanation

There are various reasons that the LSP fails to come up, as follows:
+ Configuration errors and implementation issues.
+ When an LDP hello adjacency or an LDP session with a peer is lost due to some error while
the IGP still points to that peer. IP forwarding of traffic continues on the IGP link associated
with the LDP peer rather than being shifted to another IGP link with which LDP is
synchronized -> Answer A is correct.

Reference: https://www.juniper.net/documentation/us/en/software/junos/is-is/topics/concept/ldp-igp-synchronization.html

If label bindings are received from a downstream neighbor for prefixes (including subnet
mask) which do not appear in a router’s routing and CEF tables, these bindings will not be
used. In a similar manner, if a router advertises labels for a subnet/subnet mask pair, which
do not correspond to the routing updates also advertised by this router for the same
subnet/subnet mask pair, these labels will not be used by upstream neighbors and the Label
Switched Path (LSP) between these devices will fail. -> Answer D is correct.

Reference: https://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/23565-troubleshoot-mpls-vpn.html

Question 59

What is a characteristic of an MPLS LSP tunnel?

A. unidirectional tunnel
B. secured bidirectional tunnel
C. hop-by-hop tunnel
D. bidirectional tunnel

Answer: A

Explanation

MPLS tunnels are unidirectional, which means we need one tunnel in each direction to send
traffic.

Question 60

What is the function of penultimate hop popping?

A. The last P router in the path pops off the transport label before traffic is forwarded
toward the PE.
B. The second to last P router in the path pops off the VPN label before traffic is forwarded
to the last P router.
C. The transport label is popped off at the egress LSR, and unlabeled traffic is forwarded
toward the CE.
D. The VPN label is popped off at the egress LSR, and unlabeled traffic is forwarded toward
the CE.

Answer: A

Explanation

PHP (penultimate hop popping) means removing the label one hop before its destination. It
refers to the process whereby the outermost label of an MPLS-tagged packet is removed by a
Label Switch Router (LSR) before the packet is passed to an adjacent Label Edge Router.

PHP can be performed on the last P router.


Question 61

What is the failure detection time with BFD?

A. 3 seconds
B. 2 seconds
C. 1 second
D. less than a second

Answer: D

Explanation

BFD can provide millisecond failure detection.

Question 62

Refer to the exhibit.


After the network administrator rebuilds the IPv6 DHCP server, clients are not getting the
IPv6 address lease. Which action resolves the issue?

A. Add ipv6 dhcp server MY_POOL under the interface ethernet 0/0 on R1.
B. Remove FE80::A8BB:CCFF:FE00:5000 assigned by the IPv6 DHCP server.
C. Add ipv6 dhcp server MY_POOL under the interface ethernet 0/0 on H1.
D. Configure FF02::1:2 to discover all IPv6 DHCP clients.

Answer: A

Explanation

We need to add the command “ipv6 dhcp server …” to tell the interface which pool it needs
to use.

==================== New Questions (added on 17th-Apr-2024) ====================


Question 63

Refer to the exhibit.


An engineer troubleshoots a connectivity problem that is impacting the communication from
the users at segment 172.16.3.16/28 to the server farm at 192.168.5.16/28. Which
configuration resolves the issue on router R1?

A. router ospf 1
redistribute rip metric 16

B. router rip
redistribute ospf 1 metric 14

C. router ospf 1
redistribute rip metric 14

D. router rip
redistribute ospf 1 metric 16

Answer: B

Explanation

From the “show run” output of R1, we see that OSPF is redistributed into RIP with a metric of
15 (with the command “redistribute ospf 1 metric 15”). This is the maximum usable metric for
RIP. RIP discards any route with a metric of 16 or higher. Therefore R3 still received the
redistributed routes from OSPF, while R4 did not receive any routes because the metric is
now 16.

Therefore we need to lower the metric value when redistributing from OSPF into RIP.

Question 64

Refer to the exhibit.


Router R1 (head office) is not always preferred for all users to access hosting services. R1
should be primary, and the DR site should only be used if router R1 or its uplink fails. Which
configuration resolves the issue?

Option A

R1
router ospf 100
 default auto-cost reference-bandwidth 10000
R2
router ospf 100
 auto-cost reference-bandwidth 1000

Option B

router ospf 100
 default-information originate
 summary-address 192.168.0.0 255.255.0.0 tag 100
R2
router ospf 100
 default-information originate
 summary-address 192.168.0.0 255.255.0.0 tag 200

Option C

R1
router ospf 100
 default-information originate
 redistribute static subnets metric-type 1
R2
router ospf 100
 default-information originate
 redistribute static subnets metric-type 2

Option D

R1
router ospf 100
 default-metric 10000
R2
router ospf 100
 default-metric 1000

A. Option A
B. Option B
C. Option C
D. Option D

Answer: C

Explanation

OSPF prefers E1 routes over E2 routes so R1 will be preferred when we redistribute static
routes with “metric-type 1” -> Option C is correct.

Option A & Option D are not correct as they make R2 have smaller metric than R1.

Option B is not correct as tagging a route does not affect the routing decision.

Note: Interface cost = Reference bandwidth / Interface bandwidth

Question 65

Which IPv6 security feature blocks all traffic from an IPv6 host when initially connecting to a
switch port except for traffic to gain an IPv6 address and discover IPv6 neighbors?

A. IPv6 RA Guard
B. IPv6 DHCP Guard
C. IPv6 Source Guard
D. IPv6 Destination Guard

Answer: C

Explanation

IPv6 Source Guard (SG) is a security feature that filters the IPv6 traffic on Layer 2 ports that
are not trusted. SG helps a switch or router deny access to traffic from an address that is not
stored in the binding table of the IPv6 Snooping feature.

Initially, SG blocks all IPv6 traffic on the target except for Dynamic Host Configuration
Protocol (DHCP) or Neighbor Discovery Protocol (NDP) packets that are used for IPv6
Snooping processes.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.html

Question 66

Refer to the exhibit.

R3(config-ipv6-acl)#do show ipv6 access-list

IPv6 access list Block PC1 to PC2

permit ipv6 2001:DB8:/16 2001:DB8:/16 sequence 20

deny ipv6 host 2001:DB8:0:10::3B host 2001:DB8:A:A::19 sequence 30

An IPv6 ACL is applied to restrict PC1 from communicating with PC2 and allow all other
traffic. Which configuration resolves the issue?

A. R3(config-ipv6-acl)#no sequence 20
R3(config-ipv6-acl)#deny ipv6 host 2001:DB8:0:10::3B host 2001:DB8:A:A::19 sequence 10

B. R3(config-ipv6-acl)#no sequence 30
R3(config-ipv6-acl)#deny ipv6 host 2001:DB8:0:10::3B host 2001:DB8:A:A::19 sequence 10

C. R3(config-ipv6-acl)#no sequence 20
R3(config-ipv6-acl)#deny ipv6 host 2001:DB8:0:10::3B any sequence 10

D. R3(config-ipv6-acl)#no sequence 30
R3(config-ipv6-acl)#deny ipv6 host 2001:DB8:0:10::3B any sequence 10

Answer: B

Question 67

Refer to the exhibit.


An engineer recently modified the configuration for area 3 to accept only type 1, 2, and 3
LSAs. Immediately after the changes, users connected to router R6 began to report
connectivity issues. Which configuration restores connectivity to R6 and meets the
requirement?

Option A

R19#
router ospf 1
 area 3 stub
 network 10.2.18.0 0.0.0.3 area 3
 network 10.5.1.0 0.0.0.3 area 0
R6#
router ospf 1
 router-id 10.6.6.255
 area 3 stub
 network 10.2.18.0 0.0.0.3 area 3
 network 10.6.6.255 0.0.0.0 area 3

Option B

R19#
router ospf 1
 area 3 stub no-summary
 network 10.2.18.0 0.0.0.3 area 3
 network 10.5.1.0 0.0.0.3 area 0
R6#
router ospf 1
 network 10.2.18.0 0.0.0.3 area 3
 network 10.6.6.255 0.0.0.0 area 3

Option C

R19#
router ospf 1
 area 3 stub
 network 10.2.18.0 0.0.0.3 area 3
 network 10.5.1.0 0.0.0.3 area 0
R6#
router ospf 1
 network 10.2.18.0 0.0.0.3 area 3
 network 10.6.6.255 0.0.0.0 area 3

Option D

R19#
router ospf 1
 area 3 nssa
 network 10.2.18.0 0.0.0.3 area 3
 network 10.5.1.0 0.0.0.3 area 0
R6#
router ospf 1
 area 3 nssa
 network 10.2.18.0 0.0.0.3 area 3
 network 10.6.6.255 0.0.0.0 area 3

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

“accept only type 1, 2, and 3 LSAs” means stub area -> Option B and Option D are not
correct.
To configure a stub area, you need to enter the “area {area-id} stub” command on the ABR
and all routers internal to that area -> Only Option A is correct.

Question 68

Which tag is used by the PE router to forward the packet to the correct customer?

A. extended-community
B. RD
C. RT
D. VNI

Answer: B

==================== New Questions (added on 6th-May-2024) ====================

Question 69

Which feature filters the IPv6 traffic on Layer 2 untrusted ports?

A. IPv6 Source Guard
B. DHCPv6 Guard
C. IPv6 RA Guard
D. Binding Table Recovery

Answer: A

Explanation

IPv6 Source Guard (SG) is a security feature that filters the IPv6 traffic on Layer 2 ports that
are not trusted. SG helps a switch or router deny access to traffic from an address that is not
stored in the binding table of the IPv6 Snooping feature.

Initially, SG blocks all IPv6 traffic on the target except for Dynamic Host Configuration
Protocol (DHCP) or Neighbor Discovery Protocol (NDP) packets that are used for IPv6
Snooping processes.

Reference: https://www.cisco.com/c/en/us/td/docs/routers/7600/ios/15S/configuration/guide/7600_15_0s_book/IPv6_Security.html

Question 70

Refer to the exhibit.

R1

ip dhcp excluded-address 192.168.40.1 192.168.40.10

!
ip dhcp pool Branch 2

network 192.168.40.0 255.255.255.0

default-router 192.168.40.1

dns-server 192.168.1.40

Branch 2 hosts cannot receive dynamic IP addresses. Which action resolves the issue?

A. Configure the ip helper command on the interface GigabitEthernet 0/2 of the R2 router.
B. Configure the ip helper command on the interface GigabitEthernet 0/0 of the DHCP
router.
C. Configure the ip helper command on the Layer 2 switch SW2 interfaces.
D. Configure the ip helper command on the interface GigabitEthernet 0/2 of the DHCP
router.

Answer: A

Question 71

Refer to the exhibit.

SW3#sh run

interface GigabitEthernet0/0

ip address 1.0.0.1 255.255.255.252

interface Vlan5
ip address 10.5.5.1 255.255.255.0

interface Vlan6

ip address 10.6.6.1 255.255.255.0

end

*Feb 10 00:34:30.978: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (5)

*Feb 10 00:34:30.979: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan5

*Feb 10 00:36:16.243: DHCP_SNOOPING_SW: bridge packet get invalid mat entry: FFFF.FFFF.FFFF, packet is flooded to ingress VLAN: (6)

*Feb 10 00:36:16.244: DHCP_SNOOPING_SW: bridge packet send packet to cpu port: Vlan6

HostA and HostB cannot receive IP addresses from the DHCP server. The switches are
configured with the DHCP snooping. Which configuration on SW3 resolves the issue?

A. ip dhcp relay information option-insert
B. ip helper-address 1.0.0.2
C. ip dhcp server use subscriber-id client-id
D. no ip dhcp snooping information option

Answer: D

Explanation

Not sure why the command “no ip dhcp snooping information option” (which is used to turn
off DHCP Option 82) can solve this issue but the owner of the same question in this Cisco
forum link confirmed it can solve his problem.

Question 72

Drag and drop the terminology from the left onto the corresponding definitions on the right.
Answer:

+ set of packets with similar characteristics that might be bound to the same MPLS label:
Forwarding Equivalence Class (FEC)
+ data-carrying mechanism that is independent of any data link layer protocol: Multiprotocol
Label Switching (MPLS)
+ router that functions as the ingress and/or egress router to the MPLS domain: Provider
Edge (PE)
+ route through an MPLS network, defined by a signaling protocol such as LDP or BGP: Label
Switched Path (LSP)
+ mechanism by which two routers exchange label mapping information: Label Distribution
Protocol (LDP)

Explanation

MPLS, or Multi-Protocol Label Switching, is a scalable, protocol-independent data-carrying
service. Unlike traditional IP routing that relies heavily on examining the packet header to
make forwarding decisions, MPLS uses labels to determine packet forwarding.

Reference: https://www.vc4.com/blog/unpacking-mpls-a-technical-overview-of-multi-protocol-label-switching/

Label Distribution Protocol (LDP) — A mechanism by which two Label Switch Routers (LSR)
exchange label mapping information. This protocol is defined by the IETF (RFC 5036).

Provider Edge (PE) — The LER that functions as the ingress and/or egress routers to the MPLS
domain.

Label Switched Path (LSP) — A route through an MPLS network, defined by a signaling
protocol such as LDP or the Border Gateway Protocol (BGP). The path is set up based on
criteria in the forwarding equivalence class (FEC).

Forwarding Equivalence Class (FEC) — A set of packets with similar characteristics that might
be bound to the same MPLS label. An FEC tends to correspond to a label switched path (LSP);
however, an LSP might be used for multiple FECs.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/mpls/configuration/guide/mpls_cg/mp_mpls_overview.html

Question 73

Users report web connectivity problems on the server (10.1.1.10). Which IP SLA
configuration captures the failure details through the network to resolve the issue?

Option A

ip sla 5
 http get url http://10.1.1.10
 frequency 60
 timeout 3000
!
ip sla schedule 5 life forever start-time now

Option B

ip sla 5
 icmp-echo 10.1.1.10
 frequency 60
 timeout 3000
ip sla schedule 5 life forever start-time now

Option C

ip sla 5
 icmp-echo 10.1.1.10
 frequency 1
 timeout 3
ip sla schedule 5 life forever start-time now

Option D

ip sla 5
 http get url http://10.1.1.10
 frequency 1
 timeout 3
!
ip sla schedule 5 life forever start-time now


A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Question 74

Refer to the exhibit.

CPE# show ip route static

S* 0.0.0.0/0 is directly connected, Dialer0

S 198.51.100.0/24 [1/0] via 192.168.1.1

S 203.0.113.0/24 [1/0] via 192.168.2.1

CPE# show run | section router ospf

router ospf 1

redistribute static subnets

CPE# show ip ospf database | begin Type-5

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag

198.51.100.0 192.168.0.1 14 0x80000001 0x0007D0 0

203.0.113.0 192.168.0.1 14 0x80000001 0x009C5C 0

The default route is not advertised to the neighboring router. Which action resolves the
issue?
A. Configure the network 0.0.0.0 255.255.255.255 area 0 command under OSPF
B. Configure the default-information originate command under OSPF
C. Configure the redistribute static metric 200 subnets command under OSPF
D. Configure OSPF on the Dialer0 interface

Answer: B

==================== New Questions (added on 18th-May-2024) ====================

Question 75

What are the two benefits of using BFD? (Choose two)

A. synchronous path determination
B. subsecond failure detection
C. supports all routing protocols
D. supports UDLD failure
E. forwarding path failure detection

Answer: B E

Question 76

Drag and drop the IPv6 first hop security device roles from the left onto the corresponding
descriptions on the right.
Answer:

+ Receives valid and rogue router advertisements and all router solicitation: monitor
+ Receives router solicitation and sends router advertisements: router
+ Receives router advertisements from valid routers, and no router solicitation are received:
host
+ Received router advertisements are trusted and are flooded to synchronize states: switch

Explanation

For RA-guard, devices can have different roles:
+ Host (default): can only receive RA from valid routers, no RS will be received
+ Router: can receive RS and send RA
+ Monitor: receive valid and rogue RA and all RS
+ Switch: RA are trusted and flooded to synchronize states

Reference: https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2022/pdf/BRKENT-3002.pdf

Question 77

Refer to the exhibit.

*Mar 10 20:13:58.156: AAA/BIND(00000055): Bind i/f

*Mar 10 20:13:58.156: AAA/AUTHEN/LOGIN (00000055): Pick method list 'default'

*Mar 10 20:13:58.156: TAC+: Queuing AAA Authentication request 85 for processing

*Mar 10 20:13:58.156: TAC+:(00000055) login timer started 1020 sec timeout

*Mar 10 20:13:58.156: TAC+: processing authentication start request id 85

*Mar 10 20:13:58.156: TAC+: Authentication start packet created for 85()

*Mar 10 20:13:58.156: TAC+: Using server 10.106.60.182

*Mar 10 20:13:58.156: TAC+:(00000055)/0/IMB_WAIT/225FE2DC: Started 5 sec timeout

*Mar 10 20:13:58.156: TAC+:(00000055)/0/NB_WAIT: socket event 2

*Mar 10 20:13:58.156: TAC+:(00000055)/0/NB_WAIT: wrote entire 38 bytes request

*Mar 10 20:13:58.156: TAC+:(00000055)/0/READ: socket event 1

*Mar 10 20:13:58.156: TAC+:(00000055)/0/READ: Would block while reading

*Mar 10 20:13:58.156: TAC+:(00000055)/0/READ: socket event 1

*Mar 10 20:13:58.156: TAC+:(00000055)/0/READ: read entire 12 header bytes (expect 6 bytes data)

*Mar 10 20:13:58.156: TAC+:(00000055)/0/READ: socket event 1

*Mar 10 20:13:58.156: TAC+:(00000055)/0/READ: read entire 18 bytes response

*Mar 10 20:13:58.156: TAC+:(00000055)/0/225FE2DC: Processing the reply packet

*Mar 10 20:13:58.156: TAC+:: received bad AUTHEN packet: length = 6, expected 43974

*Mar 10 20:13:58.156: TAC+:: Invalid AUTHEN packet (check keys).

An engineer must troubleshoot an issue affecting the communication from router R2 to the
TACACS server. Which configuration resolves the issue?

A. R1(config)#tacacs-server packet maxsize 43974

B. R2(config)#tacacs server advrt
R2(config-server-tacacs)#key xyz123

C. R2(config)#tacacs-server packet maxsize 43974

D. R1(config)#tacacs server advrt
R1(config-server-tacacs)#key xyz123

Answer: B

Explanation

From the last line of the output “Invalid AUTHEN packet (check keys)”, we can deduce that
the keys do not match, so we need to change the key on R2.
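Why a key mismatch shows up as a length error: TACACS+ (RFC 8907) XORs the packet body with an MD5-derived pad built from the shared key, so a wrong key turns the length fields in the reply into random values. The sketch below is an added example, not code from the original page or from Cisco; the session ID and the mismatched router key are constructed, and the length consistency check is an assumption modelled on the RFC 8907 reply layout.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length
REPLY_FIXED = struct.Struct("!BBHH")   # status, flags, server_msg_len, data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5 chain over session_id, key, version, seq_no, previous hash."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(key, session_id, status=0x01, server_msg=b"", data=b"", seq_no=2):
    """Server side: authentication REPLY (type 0x01) obfuscated with the server's key."""
    version = 0xC0
    body = REPLY_FIXED.pack(status, 0, len(server_msg), len(data)) + server_msg + data
    header = HEADER.pack(version, 0x01, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def check_authen_reply(packet, key):
    """Client side: de-obfuscate with the local key and compare declared lengths."""
    version, _type, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = xor_body(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = REPLY_FIXED.unpack(body[:REPLY_FIXED.size])
    expected = REPLY_FIXED.size + msg_len + data_len
    return {"length": length, "expected": expected, "status": status,
            "valid": expected == length}


SERVER_KEY = b"xyz123"       # key from answer B on the page
ROUTER_KEY = b"stale-key"    # constructed: the mismatched key configured on R2
SESSION_ID = 0x1A2B3C4D      # constructed session ID

# 12-byte header + 6-byte body = 18 bytes, the sizes seen in the debug output.
REPLY = build_authen_reply(SERVER_KEY, SESSION_ID)

if __name__ == "__main__":
    for label, key in (("matching key", SERVER_KEY), ("mismatched key", ROUTER_KEY)):
        r = check_authen_reply(REPLY, key)
        verdict = "ok" if r["valid"] else "bad AUTHEN packet (check keys)"
        print(f"{label}: length = {r['length']}, expected {r['expected']} -> {verdict}")
```

The header travels in clear text, which is why the router still reads “12 header bytes (expect 6 bytes data)” correctly and only the de-obfuscated body fails the check.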

Question 78

Refer to the exhibit.


An engineer configured SNMP in R1 to be able to save and upload configurations to the
SNMP server but failed when they tried to backup R1 configuration on the server. Which
configuration resolves the issue?

A. snmp-server tftp-server-list 66
B. copy running-config tftp://10.66.66.66/r1-confg
C. snmp-server tftp server-list 20
D. copy running-config tftp://10.66.66.66/c: r1-confg

Answer: A

Explanation

ACL 20 in the statement “snmp-server tftp-server-list 20” is blocking the SNMP server so we
should change to ACL 66.

==================== New Questions (added on 20th-Jun-2024) ====================

Question 79

Refer to the exhibit.

R1(config)#interface fastethernet 0/0

R1(config-if)#description ISP1
R1(config-if)#ip verify unicast source reachable-via any allow-default

R1(config)#interface fastethernet 0/1

R1(config-if)#description ISP2

R1(config-if)#ip verify unicast source reachable-via rx

R1 is multihomed to ISP1 and ISP2. uRPF strict mode has been configured on both interfaces
uplinked to the ISPs. Traffic destined to the Internet over ISP1 returns to R1 via ISP2 and is
immediately dropped.

Which configuration changes address this issue and allow return traffic from the other ISP?

A. R1(config)#interface fastethernet 0/0
R1(config-if)# ip verify unicast source reachable-via rx

B. R1(config)#interface fastethernet 0/1
R1(config-if)# ip verify unicast source reachable-via any allow-default

C. R1(config)#interface fastethernet 0/1
R1(config-if)# ip verify unicast source reachable-via any

D. R1(config)#interface fastethernet 0/0
R1(config-if)# no ip verify unicast source reachable-via any allow-default

Answer: B

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming
packets. If the interface on which a packet arrives is the interface the router would use to
reach that source IP, the packet is allowed to enter (strict mode).

The syntax for configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]

The any option enables Loose Mode uRPF on the router. This mode allows the router to
reach the source address via any interface.

The rx option enables Strict Mode uRPF on the router. This mode ensures that the router
reaches the source address only via the interface on which the packet was received.

Therefore in this question, we need to change uRPF from strict mode to loose mode on
interface fa0/1. R1 may also be sending traffic to ISP2 via a default route, so we should
include the “allow-default” keyword.

Note: To allow return traffic back via the default route from any IP address, use the “allow-
default” keyword.
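The strict, loose and allow-default checks described above, modelled against a small routing table so the difference between options B and C is visible. This is an added example, not from the original page: the FIB contents, the source addresses and the function names are constructed for illustration, and equal-cost paths are not modelled.

```python
import ipaddress

# Constructed FIB for R1: default route toward ISP1, one specific prefix toward ISP2.
R1_FIB = [
    ("0.0.0.0/0", "Fa0/0"),
    ("203.0.113.0/24", "Fa0/1"),
]


def best_route(fib, src, use_default):
    """Longest-prefix match for src; the default route counts only if use_default."""
    ip = ipaddress.ip_address(src)
    matches = []
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (use_default or net.prefixlen > 0):
            matches.append((net.prefixlen, iface))
    return max(matches) if matches else None


def urpf_permits(fib, src, in_iface, mode, allow_default=False):
    """Model of 'ip verify unicast source reachable-via {rx | any} [allow-default]'."""
    route = best_route(fib, src, allow_default)
    if route is None:
        return False                      # no usable route back to the source: drop
    if mode == "any":
        return True                       # loose: reachable through any interface
    if mode == "rx":
        return route[1] == in_iface       # strict: must point back out the receiving port
    raise ValueError("mode must be 'rx' or 'any'")


def return_traffic_verdicts(src="198.51.100.7", in_iface="Fa0/1"):
    """Verdict for return traffic from src arriving on the ISP2 link under each setting."""
    return {
        "rx": urpf_permits(R1_FIB, src, in_iface, "rx"),
        "any": urpf_permits(R1_FIB, src, in_iface, "any"),
        "any allow-default": urpf_permits(R1_FIB, src, in_iface, "any", allow_default=True),
    }


if __name__ == "__main__":
    for setting, permitted in return_traffic_verdicts().items():
        print(f"reachable-via {setting:<18} -> {'forward' if permitted else 'drop'}")
```

In this model, once a default route is present, “reachable-via any allow-default” accepts every source address, so uRPF no longer filters spoofed sources on that interface.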

Question 80

What is the use of IPv6 snooping?

A. captures any type of user traffic to create a binding table
B. requires an external IPv6 packet analyzer
C. captures IPv6 routing protocol packets to analyze
D. required for the operation of IPv6 RA Guard

Answer: D

Explanation

IPv6 snooping allows network devices to identify and inspect RA messages sent by devices
on the network. Therefore IPv6 RA Guard relies on IPv6 snooping to function correctly. Once
RA messages are identified via snooping, IPv6 RA Guard applies policies to allow or block
these messages based on configured rules.

Question 81

Refer to the exhibit.

R1#show run | begin router eigrp 100
router eigrp 100
 network 172.16.250.0 0.0.0.3
 redistribute ospf 10 metric 1 1 1 1 1
!
router ospf 10
 network 192.168.1.0 0.0.0.3 area 0
!
ip forward-protocol nd
!
!
no ip http server

R3#show ip route
Gateway of last resort is not set
 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/30 is directly connected, GigabitEthernet0/1
L 192.168.1.2/32 is directly connected, GigabitEthernet0/1
 192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Loopback2
L 192.168.2.33/32 is directly connected, Loopback2
 192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.3.0/24 is directly connected, Loopback1
L 192.168.3.17/32 is directly connected, Loopback1
R3#

R3#traceroute 172.16.2.48
Type escape sequence to abort.
Tracing the route to 172.16.2.48
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *

R4#show running-config | begin router eigrp
router eigrp 100
 network 172.16.2.0 0.0.0.3
 network 172.16.2.16 0.0.0.15
 network 172.16.2.32 0.0.0.15
 redistribute static metric 100 1 1 1 1 route-map CCNP
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 172.16.2.48 255.255.255.240 172.16.2.34
route-map CCNP permit 10
 match ip address 10
 set tag 200
access-list 10 permit 172.16.2.48 0.0.0.15


An engineer must troubleshoot a connectivity issue impacting the redistribution of the
subnet 172.16.2.48/28 into the OSPF domain. Which configuration on router R1 advertises
this subnet into the OSPF domain?

Option A

R1(config)#route-map CCNP permit 10
R1(config-route-map)#match route-type level-2
R1(config)#router ospf 10
R1(config-router)#redistribute eigrp 100 subnets route-map CCNP

Option B

R1(config)#route-map CCNP deny 10
R1(config-route-map)#match tag 200
R1(config)#route-map CCNP permit 20
R1(config)#router ospf 10
R1(config-router)#redistribute eigrp 100 subnets route-map CCNP

Option C

R1(config)#route-map CCNP permit 10
R1(config-route-map)#match tag 200
R1(config-route-map)#exit
R1(config)#router ospf 10
R1(config-router)#redistribute eigrp 100 subnets route-map CCNP

Option D

R1(config)#route-map CCNP permit 10
R1(config-route-map)#match route-type internal
R1(config)#router ospf 10
R1(config-router)#redistribute eigrp 100 subnets route-map CCNP

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

From the output of R4, we notice that R4 is redistributing a static route for the destination
172.16.2.48/28 with the command “ip route 172.16.2.48 255.255.255.240 172.16.2.34”. This
subnet is the same as the “Outside EIGRP Routes 172.16.2.48/28” from R2, so we need to
block the advertisement from R4 for this subnet.

On R4, this subnet is set with tag 200 so we can use a route-map to “deny” when we see this
tag -> Option B is correct.

Option A is not correct as “match route-type level-2” is used for OSPF type 2 only (O E2) but
this route is External EIGRP (D EX)

Option C is not correct as it only permits 172.16.2.48/28 from R4 with tag 200.

Option D is not correct as it only permits “internal” route while our route is external (D EX).

Question 82

Refer to the exhibit.


An engineer must advertise LAN network 192.168.1.0 of router A to router B through OSPF.
The engineer notices that router B was configured, but the LAN network of router A is not in
the routing table of router B. Which configuration on router A resolves the problem?

Option A

interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.0
 negotiation auto
 ipv6 enable
 ospfv3 1 ipv4 area 1
router ospfv3 1
 address-family ipv4 unicast
  area 1 range 192.168.1.0 255.255.255.0
  router-id 1.1.1.1
 exit-address-family

Option B

interface GigabitEthernet0/0/0
 ip address 192.168.1.254 255.255.255.0
 negotiation auto
 ipv6 enable
 ospfv3 1 ipv4 area 1
interface Serial0/0/0
 ip address 10.0.0.1 255.255.255.0
 negotiation auto
 ipv6 enable
 ospfv3 1 ipv4 area 1
router ospfv3 1
 address-family ipv4 unicast
  router-id 1.1.1.1
 exit-address-family

Option C

interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
negotiation auto
ipv6 enable
ospfv3 1 ipv4 area 1
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.0
negotiation auto
ipv6 enable

Option D

interface GigabitEthernet0/0/0
ip address 192.168.1.254 255.255.255.0
negotiation auto
ipv6 enable
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.0
negotiation auto
ipv6 enable
ospfv3 1 ipv4 area 1


router ospfv3 1

address-family ipv4 unicast

router-id 1.1.1.1

exit-address-family

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

From the output of “sh ospfv3 interface brief”, we notice that OSPFv3 was only enabled on
S0/0/1, not S0/0/0 so we have to turn on OSPFv3 on S0/0/1 -> Option C is not correct as it
only enabled IPv6 on S0/0/0.

Of the three options left, Option B is the best choice as it enables OSPFv3 on both Gi0/0/0 &
S0/0/0.

Option A only enables OSPFv3 on S0/0/0 while Option D only enables OSPFv3 on S0/0/0.

Question 83

What are two features of BFD? (Choose two)

A. intensive on CPU for Layer 2 links
B. scalable
C. replaces hello messages
D. requires routing protocols
E. reliable

Answer: B E

Explanation

There are several advantages to implementing BFD over reduced timer mechanisms for
routing protocols:
+ BFD on the CPU operates under interrupt like CEF switched traffic. EIGRP, IS-IS and OSPF
protocol hellos are handled in the process switching path. This provides BFD greater
scalability and reliability over protocol hellos. (-> Answer B and answer E are correct)
+ Although reducing the EIGRP, IS-IS, and OSPF timers can result in minimum detection timer
of one to two seconds, BFD can provide failure detection in less than one second.
+ Because BFD is not tied to any particular routing protocol, it can be used as a generic and
consistent failure detection mechanism for EIGRP, IS-IS, and OSPF.
+ Because some parts of BFD can be distributed to the data plane, it can be less CPU-
intensive (-> Answer A is not correct) than the reduced EIGRP, IS-IS, and OSPF timers, which
exist wholly at the control plane.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-xe-3s-book/irb-bi-fwd-det.html

Question 84

Refer to the exhibit.

R1

interface loopback1

no ip address

ipv6 address 100A:0:100C::1/64

ipv6 enable

ipv6 ospf 1 area 0

interface loopback2

no ip address

ipv6 address 200A:0:200C::1/64

ipv6 enable
ipv6 ospf 1 area 0

ipv6 traffic-filter DENY_TELNET_Lo2 in

interface GigabitEthernet0/0

no ip address

ipv6 address AB01:2011:8:100::/64 eui-64

ipv6 enable

ipv6 ospf network point-to-point

ipv6 ospf 1 area 0

ipv6 access-list DENY_TELNET_Lo2

sequence 20 deny tcp host 100B:1:310B::1 host 200A:0:210C::1 eq telnet

permit ipv6 any any

Routers R1 and R2 exchange routes to each other’s loopback through OSPF. Telnet traffic
must be blocked from R2 Lo0 to R1 Lo2. Which configuration resolves the issue?

Option A

R1
interface Loopback1
no ip address
ipv6 address 100A:0:100C::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface Loopback2
no ip address
ipv6 address 200A:0:200C::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigabitEthernet0/0
no ip address
ipv6 address AB01:2011:8:100::/64 eui-64
ipv6 enable
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0
!
ipv6 access-list DENY_TELNET_Lo2
sequence 20 deny tcp host 100B:1:310B::1 host 200A:0:210C::1 eq telnet
permit ipv6 any any

Option B

R1
interface Loopback1
no ip address
ipv6 address 100A:0:100C::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface Loopback2
no ip address
ipv6 address 200A:0:200C::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigabitEthernet0/0
no ip address
ipv6 address AB01:2011:8:100::/64 eui-64
ipv6 enable
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0
ipv6 traffic-filter DENY_TELNET_Lo2 in
!
ipv6 access-list DENY_TELNET_Lo2
sequence 20 deny tcp host 100B:1:310B::1 host 200A:0:210C::1 eq telnet
permit ipv6 any any

Option C

R1
interface Loopback1
no ip address
ipv6 address 100A:0:100C::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface Loopback2
no ip address
ipv6 address 200A:0:200C::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigabitEthernet0/0
no ip address
ipv6 address AB01:2011:8:100::/64 eui-64
ipv6 enable
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0
ipv6 access-class DENY_TELNET_Lo2 in
!
ipv6 access-list DENY_TELNET_Lo2
sequence 20 deny tcp host 100B:1:310B::1 host 200A:0:210C::1 eq telnet
permit ipv6 any any

Option D

R1
interface Loopback1
no ip address
ipv6 address 100A:0:100C::1/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface Loopback2
no ip address
ipv6 address 200A:0:200C::1/64
ipv6 enable
ipv6 ospf 1 area 0
ipv6 access-class DENY_TELNET_Lo2 in
!
interface GigabitEthernet0/0
no ip address
ipv6 address AB01:2011:8:100::/64 eui-64
ipv6 enable
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0
!
ipv6 access-list DENY_TELNET_Lo2
sequence 20 deny tcp host 100B:1:310B::1 host 200A:0:210C::1 eq telnet
permit ipv6 any any

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

In order to assign an IPv6 ACL to an interface, use this command in interface configuration
mode: ipv6 traffic-filter access-list-name {in | out}

IPv6 ACLs are applied to lines using the command ipv6 access-class.

Option A is not correct as the IPv6 access-list DENY_TELNET_Lo2 is not applied to any
interface.

Option C and Option D are not correct as the “ipv6 access-class” command cannot be
applied to an interface. It can only be applied to a line (console, vty…).

Question 85

Refer to the exhibit.

After an engineer configured a new Cisco router as a DHCP server, users reported two
primary issues:
+ Devices in the HR subnet have intermittent connectivity problems.
+ Workstations in the LEGAL subnet cannot obtain IP addresses.
Which configurations must the engineer apply to ROUTER_1 to restore connectivity for the
affected devices?

Option A

interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.5.10 255.255.255.0
ip helper-address 192.168.39.100
!
interface GigabitEthernet0/0.80
encapsulation dot1Q 80
ip address 192.168.80.10 255.255.255.128
ip helper-address 192.168.39.100
!
ip dhcp excluded-address 192.168.80.1 192.168.80.10
!
ip dhcp pool LEGAL
network 192.168.80.0 255.255.255.128
default-router 192.168.80.10
!
ip dhcp pool HR
network 192.168.5.0 255.255.255.0
default-router 192.168.5.10

Option B

interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.5.10 255.255.255.0
ip helper-address 192.168.39.100
!
interface GigabitEthernet0/0.80
encapsulation dot1Q 80
ip address 192.168.80.10 255.255.255.128
ip helper-address 192.168.39.100
!
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp excluded-address 192.168.80.1 192.168.80.10
!
ip dhcp pool LEGAL
network 192.168.80.0 255.255.255.128
default-router 192.168.80.10
!
ip dhcp pool HR
network 192.168.5.0 255.255.255.0
default-router 192.168.5.10

Option C

interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.5.10 255.255.255.0
ip helper-address 192.168.39.100
!
interface GigabitEthernet0/0.80
encapsulation dot1Q 80
ip address 192.168.80.10 255.255.255.128
ip helper-address 192.168.39.100
!
ip dhcp excluded-address 192.168.5.1 192.168.5.5
ip dhcp excluded-address 192.168.80.1 192.168.80.110
!
ip dhcp pool LEGAL
network 192.168.80.0 255.255.255.128
default-router 192.168.80.10
!
ip dhcp pool HR
network 192.168.5.0 255.255.255.0
default-router 192.168.5.10

Option D

interface GigabitEthernet0/0.5
encapsulation dot1Q 5
ip address 192.168.5.10 255.255.255.0
ip helper-address 192.168.93.100
!
interface GigabitEthernet0/0.80
encapsulation dot1Q 80
ip address 192.168.80.10 255.255.255.128
ip helper-address 192.168.39.100
!
ip dhcp excluded-address 192.168.5.1 192.168.5.1
ip dhcp excluded-address 192.168.80.1 192.168.80.10
!
ip dhcp pool LEGAL
network 192.168.80.0 255.255.255.128
default-router 192.168.80.10
!
ip dhcp pool HR
network 192.168.5.0 255.255.255.0
default-router 192.168.5.10

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

Option A is not correct as it did not exclude any IP addresses in the HR department. Therefore
the IP address of the default gateway of this subnet (192.168.5.10) can be assigned to a
user, which may cause intermittent connectivity problems.

Option C is not correct as the command “ip dhcp excluded-address 192.168.80.1 192.168.80.110”
excludes most of the IP addresses in the subnet 192.168.80.0/25. Therefore
most of the users in the LEGAL department could not receive usable IP addresses.

Option D is not correct as the command “ip helper-address 192.168.93.100” uses the wrong
IP address. It should be 192.168.39.100 instead (but we are not sure if it is only a typo).
Moreover the command “ip dhcp excluded-address 192.168.5.1 192.168.5.1” could not
cover 192.168.5.10, which is the default gateway of this subnet.
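
The reasoning above can be checked mechanically. The following is an added example, not part of the original explanation: it takes the pool definitions and the “ip dhcp excluded-address” ranges from the four options and reports, per pool, how many addresses remain leasable and whether the default-router address is one of them. Only exclusions are modelled (helper addresses are not); the function and variable names are hypothetical.

```python
import ipaddress

# Pools and default-router addresses, identical in all four options.
POOLS = {
    "HR": ("192.168.5.0/24", "192.168.5.10"),
    "LEGAL": ("192.168.80.0/25", "192.168.80.10"),
}

# "ip dhcp excluded-address" ranges transcribed from each option, per pool.
EXCLUSIONS = {
    "A": {"HR": [],
          "LEGAL": [("192.168.80.1", "192.168.80.10")]},
    "B": {"HR": [("192.168.5.1", "192.168.5.10")],
          "LEGAL": [("192.168.80.1", "192.168.80.10")]},
    "C": {"HR": [("192.168.5.1", "192.168.5.5")],
          "LEGAL": [("192.168.80.1", "192.168.80.110")]},
    "D": {"HR": [("192.168.5.1", "192.168.5.1")],
          "LEGAL": [("192.168.80.1", "192.168.80.10")]},
}


def leasable(network, excluded_ranges):
    """Return the set of host addresses still available after exclusions."""
    blocked = set()
    for first, last in excluded_ranges:
        low = int(ipaddress.ip_address(first))
        high = int(ipaddress.ip_address(last))
        blocked.update(range(low, high + 1))  # excluded ranges are inclusive
    return {h for h in ipaddress.ip_network(network).hosts()
            if int(h) not in blocked}


def audit(option):
    """Per pool: number of leasable addresses and whether the gateway is one."""
    report = {}
    for pool, (network, gateway) in POOLS.items():
        free = leasable(network, EXCLUSIONS[option][pool])
        report[pool] = {
            "leasable": len(free),
            "gateway_leasable": ipaddress.ip_address(gateway) in free,
        }
    return report


if __name__ == "__main__":
    for option in sorted(EXCLUSIONS):
        print(option, audit(option))
```

Only Option B keeps both gateway addresses out of the pools while leaving most of each subnet leasable; Option C leaves 16 addresses for the LEGAL /25.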

Question 86

An engineer must configure encrypted packets for a single router OSPF neighborship. Which
configuration meets this requirement?

Option A

router ospf 100
area 0 authentication
!
interface Ethernet0/2
ip ospf authentication-key exam

Option B

interface Ethernet0/2
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 exam

Option C

router ospf 100
area 0 authentication message-digest-key 1 md5 exam
interface Ethernet0/2
ip ospf message-digest-key 1 md5 exam

Option D

interface Ethernet0/2
ip ospf authentication-key exam

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

OSPF authentication can be enabled in two ways:

1) Per interface: Authentication is enabled per interface using the “ip ospf authentication”
command. For example:

Router(config)#int fa0/0
Router(config-if)#ip ospf authentication message-digest
Router(config-if)#ip ospf message-digest-key 1 md5 networktut@123

2) Area authentication: Authentication for an area can be enabled using the “area {area-number}
authentication” command. For example:

Router(config)#interface fa0/0
! “1” here is the key number
Router(config-if)#ip ospf message-digest-key 1 md5 networktut@123
Router(config-if)#exit
Router(config)#router ospf 100
Router(config-router)#area 2 authentication message-digest

Question 87

Refer to the exhibit.

R6#sh ip bgp

BGP table version is 9, local router ID is 6.6.6.6

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

t secondary path,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       46.0.0.1                               0 100 i
*> 2.2.2.2/32       46.0.0.1                               0 100 i
*> 3.3.3.3/32       46.0.0.1                               0 100 i
*> 4.4.4.4/32       46.0.0.1                 0             0 100 i
*> 5.5.5.5/32       46.0.0.1                               0 100 500 i
*> 6.6.6.6/32       0.0.0.0                  0         32768 i

R6#sh run | sec bgp

router bgp 600

bgp log-neighbor-changes

network 6.6.6.6 mask 255.255.255.255

neighbor 46.0.0.1 remote-as 100

R6#

Customer B has decided not to receive any routes from R1 that originated outside the AS
100. Which AS path access list must the engineer choose to meet this requirement?

A. ip as-path access-list 1 permit ^10[0-9]*$
B. ip as-path access-list 1 permit ^100$
C. ip as-path access-list 1 permit _100$
D. ip as-path access-list 1 permit _100_

Answer: B

Explanation

This question wants to test your knowledge of regular expressions in BGP AS-PATH. Here is a
quick guide to regular expressions:

Modifier         Purpose
_ (underscore)   Matches a space or the end of the AS PATH list
^                Indicates the start of a string
$                Indicates the end of a string
[]               Matches a single character with a range of characters
-                Indicates a range of numbers in brackets
[^]              Excludes the characters listed in the brackets
()               Nesting of search patterns uses parentheses
|                Acts as an OR logic to a query
.                Matches a single character including space
*                Matches zero or more characters, or pattern
+                Matches one or more instances of the character, or pattern
?                Matches one or no instances of the character, or pattern

But notice that “$ indicates the end of a string” means “the beginning of the AS PATH” (as
the AS PATHs are filled from right to left) so the command “ip as-path access-list 1 permit
_100$” means “permit any route that ends with AS 100”.

+ The command “ip as-path access-list 1 permit _100$” permits AS paths that end with the
AS 100, where 100 is the last AS in the path.

+ The command “ip as-path access-list 1 permit ^100$” permits AS paths that contain only
the AS number 100 (originated in AS 100)

-> We need to use the second command.

This is how to apply this AS-Path on R6:

ip as-path access-list 1 permit ^100$

!
router bgp 600

neighbor 46.0.0.1 route-map networktut_RM in

route-map networktut_RM permit 10

match as-path 1
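
To see how the four answer options differ, the following added example (not part of the original explanation) translates each IOS AS-path regex into Python and applies it to the two AS paths in the R6 exhibit plus a few constructed paths. Treating “_” as start of string, end of string, space, comma, brace or parenthesis is the assumed translation; the constructed paths and the function names are hypothetical.

```python
import re

# Assumed translation of the IOS "_" metacharacter: start of string, end of
# string, or one of the delimiters space , { } ( ).
UNDERSCORE = r"(?:^|$|[ ,{}()])"

# The four answer options from the question.
OPTIONS = {
    "A": "^10[0-9]*$",
    "B": "^100$",
    "C": "_100$",
    "D": "_100_",
}

# AS paths R6 receives from 46.0.0.1 in the exhibit ("i" is the origin code,
# not part of the path).
EXHIBIT_PATHS = ["100", "100 500"]

# Constructed paths (not on the page) that separate the options.
CONSTRUCTED_PATHS = ["101", "1000", "200 100", "2100"]


def ios_to_python(ios_regex):
    """Rewrite an IOS AS-path regex for Python's re module.

    Assumes "_" never occurs inside a bracket expression, which is true for
    the patterns on this page.
    """
    return ios_regex.replace("_", UNDERSCORE)


def permitted(ios_regex, as_paths):
    """Return the paths a single 'permit' entry lets through.

    An as-path access-list ends in an implicit deny, so every path that does
    not match the permit entry is filtered.
    """
    pattern = re.compile(ios_to_python(ios_regex))
    return [path for path in as_paths if pattern.search(path)]


def compare(as_paths):
    """Map each answer option to the list of paths it would accept."""
    return {name: permitted(rx, as_paths) for name, rx in OPTIONS.items()}


if __name__ == "__main__":
    for name, accepted in compare(EXHIBIT_PATHS + CONSTRUCTED_PATHS).items():
        print(name, OPTIONS[name], "->", accepted)
```

On the two exhibit paths alone, options A, B and C give the same result; the constructed paths show that A also accepts other AS numbers beginning with 10 and that C accepts a route originated in AS 100 that transited another AS.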

Question 88

Refer to the exhibit.

R4

service timestamps debug uptime

service timestamps log datetime msec

clock timezone EET 2 0

end

---------------------------------------------------------

R4#show clock

*02:26:57.608 EET Sun Nov 15 2020

R4#debug ip packet

IP packet debugging is on

2d21h: IP: s=10.2.2.1 (Ethernet0/1), d=224.0.0.5, len 80, input feature,

Access List(44), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
2d21h: IP: s=10.2.2.1 (Ethernet0/1), d=224.0.0.5, len 80, input feature,

uRPF(57), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

2d21h: IP: s=10.2.2.1 (Ethernet0/1), d=224.0.0.5, len 80, rcvd 0

2d21h: IP: s=10.2.2.1 (Ethernet0/1), d=224.0.0.5, len 80, input feature,

packet consumed, MCI Check(101), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk
FALSE

An engineer is troubleshooting an issue using the debug ip packet command and notices
that no time stamps are shown on R4 to establish the event time. Which configuration
resolves this issue by showing time stamps regardless of the time zone in R4 logs?

A. service timestamps debug datetime msec show-timezone
B. service timestamps debug datetime localtime msec
C. service timestamps log datetime msec show-timezone
D. service timestamps log datetime localtime msec

Answer: A

Explanation

This is a debug message, not a logging message, so we must use the “service timestamps debug
…” command. And we don’t want to include the local time of R4, so we don’t use the “localtime”
keyword here.

The command service timestamps debug datetime msec show-timezone configures the
format of the timestamp that is included in debug messages. Here’s a detailed breakdown of
what each part of the command does:

+ service timestamps debug: specifies that timestamps should be included in debug output.
+ datetime: indicates that the timestamp should include the date and time.
+ msec: specifies that the timestamp should include milliseconds for precise timing
information.
+ show-timezone: indicates that the timestamp should include the timezone information.

Question 89

Refer to the exhibit.

The engineer is reviewing the logs on the DENVER router and notices that this error message
repeats constantly:

*Jun 12 13:42:03.399: %TCP-6-BADAUTH: No MD5 digest from 10.40.1.1(27174) to 10.40.1.2(179) tableid - 0

Which action resolves the issue?

A. Configure OSPF link authentication on the router with IP address 10.40.1.1.
B. Configure BGP authentication on the router with IP address 10.40.1.1.
C. Configure BGP authentication on the router with IP address 10.40.1.2.
D. Configure NTP authentication on the router with IP address 10.40.1.1.

Answer: B

Explanation

Peering succeeds only if both routers are configured for authentication and have the same
password. If a router has a password configured for a neighbor, but the neighbor router
does not, then the following message is displayed on the console while the routers attempt
to establish a BGP session between them:
%TCP-6-BADAUTH: No MD5 digest from [peer’s IP address](port) to [local router’s IP
address](179)

==================== New Questions (added on 4th-Nov-2024) ====================


Question 90

In an IPv6 network, the network administrator restricted remote access of the core router to
a single user. The administrator configured the IPv6 access list and applied it on the WAN
interface of the core router. The administrator also wanted to investigate who else is trying
to access the router and added a permit host entry with log statement in the access list but
could not find any details. Which action does the network administrator take to resolve the
issue?

A. Apply the access list on line vty using the ipv6 access-class out command.
B. Apply the access list on the WAN interface using the ipv6 traffic-filter out command
C. Apply the access list on line vty using the ipv6 access-class in command.
D. Apply the access list on all interfaces using the ipv6 access-class in command.

Answer: C

Explanation

The network administrator is trying to restrict remote access (likely SSH or Telnet) to the
router. To control access to the router’s VTY (virtual terminal) lines, the access list should be
applied to the VTY lines rather than the WAN interface. The ipv6 access-class in command
applies the access list on inbound connections to the VTY lines, which is where remote
management access occurs. This will allow the administrator to monitor and restrict who can
remotely access the router, and log any unauthorized access attempts as intended.

Question 91

How many labels are present in an MPLS Layer 3 packet traversing through the network
without traffic engineering?

A. 1
B. 2
C. 3
D. 4

Answer: A

Explanation

In an MPLS Layer 3 VPN network without traffic engineering, each MPLS packet typically
carries a single label as it traverses the network. This label is used to forward the packet
through the MPLS network, where routers (referred to as Label Switch Routers or LSRs) read
and swap labels to direct the packet along the established path.

Question 92

Refer to the exhibit.

An engineer must establish optimal routing between the app servers connected at the
SPOKE routers. Which configurations are required on each router to create a distributed
mapping database between SPOKE1 and SPOKE2 to achieve optimal routing so the traffic is
forwarded directly from the App1 server to the App2 server?

Option A

R0#
interface Tunnel0
tunnel mode gre multipoint
ip nhrp redirect
R1#
interface Tunnel0
tunnel mode gre multipoint
ip nhrp shortcut
R2#
interface Tunnel0
tunnel mode gre multipoint
ip nhrp shortcut

Option B

R0#
interface Tunnel0
tunnel mode dvmrp
ip nhrp shortcut
R1#
interface Tunnel0
tunnel mode dvmrp
ip nhrp redirect
R2#
interface Tunnel0
tunnel mode dvmrp
ip nhrp redirect

Option C

R0#
interface Tunnel0
tunnel mode dvmrp
ip nhrp redirect
R1#
interface Tunnel0
tunnel mode dvmrp
ip nhrp shortcut
R2#
interface Tunnel0
tunnel mode dvmrp
ip nhrp shortcut

Option D

R0#
interface Tunnel0
tunnel mode gre multipoint
ip nhrp shortcut
R1#
interface Tunnel0
tunnel mode gre multipoint
ip nhrp redirect
R2#
interface Tunnel0
tunnel mode gre multipoint
ip nhrp redirect

A. Option A
B. Option B
C. Option C
D. Option D

Answer: A

Explanation

We need to use DMVPN, not DVMRP tunnel so Option B and Option D are not correct.

To allow direct Spoke-to-Spoke communication, we can use DMVPN Phase II or Phase III. In
this question, the administrator wants to use Phase III (with “shortcut” and “redirect”
keywords). We configure ip nhrp redirect in hub and ip nhrp shortcut in spokes -> Only
Option A is correct.

Note: A Distance Vector Multicast Routing Protocol (DVMRP) tunnel in a Cisco router is used
to transmit multicast traffic over networks that do not natively support multicast routing.

Question 93

Refer to exhibit.

R1(config)# ip access-list extended CoPP-4_OSPF

R1(config-ext-nacl)# permit ospf any host 224.0.0.5 log

R1(config-ext-nacl)# permit ospf any host 224.0.0.6 log-input

R1(config-ext-nacl)# end

A network engineer is facing issues between OSPF neighbors changing states frequently. The
engineer enabled an ACL for CoPP and applied it at the control plane interface but got
unexpected results. Which action resolves the issue?

A. Apply ACL on OSPF physical interface in the outward direction
B. Add one more ACL line to permit 224.0.0.6 in the inward direction
C. Apply ACL on OSPF physical interface in the inward direction
D. Remove the log and log-input keywords from ACL

Answer: D

Explanation

The log and log-input keywords in an ACL cause the router to generate a log message for
every matching packet, which can increase CPU load, especially with frequently exchanged
control plane traffic like OSPF. This added CPU load can lead to delays or even dropped
packets in processing OSPF packets, which in turn causes OSPF neighbors to change states
frequently.

By removing the log and log-input keywords, the router’s CPU will not be burdened with
excessive logging, helping to stabilize the OSPF neighbor relationship.

Question 94

While examining log messages from a router, an administrator sees this error message:
“Mar 13 11:32:42.453: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 10.10.10.1
(Ethernet0/1) is down: K-value mismatch.”

Both routers are using default values. Which action resolves this issue?

A. Match authentication parameters to support the goodbye message that establishes adjacency.
B. Upgrade the peer device IOS to support the goodbye message that establishes adjacency.
C. Resolve metric differences between the peers to calculate the valid K-value.
D. Configure metric weights between the peers to calculate the valid K-value.

Answer: D

Explanation

The error message indicates an EIGRP K-value mismatch. K-values are the metrics EIGRP
uses to calculate the best path, and for EIGRP neighbors to establish an adjacency, their
K-values must match. Even if both routers have default configurations, the K-values between
them may not be the same, depending on the IOS versions. Therefore it is better to explicitly
declare the five K-values with the “metric weights” command.

Note: The syntax of metric weights is: “metric weights TOS K1 K2 K3 K4 K5”

Question 95

Refer to the exhibit.

GigabitEthernet0/3 is up, line protocol is up (connected)

Hardware is iGbE, address is 502c.4801.2a03 (bia 502c.4801.2a03)

internet address is 172.16.1.25/30

MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Auto Duplex, Auto speed, link type is auto, media type is RJ45

output flow-control is unsupported, input flow-control is unsupported

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:06, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0


Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 272000 bits/sec, 48 packets/sec

5 minute output rate 236000 bits/sec, 40 packets/sec

365738 packets input, 100001249 bytes, 0 no buffer

Received 2 broadcasts (0 IP multicasts)

8568 runts, 0 giants, 0 throttles

8568 input errors, 0 CRC, 0 frame. 0 overrun, 0 ignored

0 watchdog, 0 multicast, 0 pause input

196663 packets output, 27428090 bytes, 0 underruns

0 output errors, 0 collisions, 5 interface resets

0 unknown protocol drops

0 babbles, 0 late collision, 0 deferred

1 lost carrier, 0 no carrier, 0 pause output

0 output buffer failures, 0 output buffers swapped out

Which action resolves the issue?

A. Resolve the misconfigured QoS parameters
B. Replace the faulty cable
C. Upgrade the hardware to increase the interface input buffers
D. Implement traffic policing to prevent the interface input traffic being exceeded

Answer: B

Explanation

The output from the interface shows a high number of input errors and runts, which are
small packets that fall below the minimum packet size. This issue often points to a physical
layer problem, such as a faulty cable or bad connections.

Question 96

Refer to the exhibit.

Sw303#sh ip eigrp Interfaces detail vlan 10

EIGRP-IPv4 interfaces for AS(88)

Xmit Queue PeerQ Mean Pacing Time Multicast Pending

Interface Peers Un/Reliable un/Reliable SRTT Un/Reliable Flow Timer Routes

Vl10 2 0/0 0/0 220 0/0 888 0

Hello-interval is 5, Hold-time is 15

Split-horizon is enabled

Next xmit serial <none>

Packetized sent/expedited: 4/1

Hello's sent/expedited: 241/3

Un/reliable mcasts: 0/3 Un/reliable ucasts: 5/5

Mcast exceptions: 0 CR packets: 0 ACKs suppressed: 1

Retransmissions sent: 2 Out-of-sequence rcvd: 2

Topology-ids on interface - 0

Authentication mode is not set

Topologies advertised on this interface: base

Topologies not advertised on this interface:

SW303 connects to a CSR via VLAN 10. The CSR is also an EIGRP neighbor to SW303. After
enabling BFD on the CSR and SW303, an engineer notices the absence of stats related to BFD
on SW303. Which action resolves the issue?

A. Configure the bfd interval 500 min_rx 500 multiplier 5 command on a physical interface
B. Configure the bfd all-interfaces command under EIGRP for AS 88
C. Configure the bfd interface vlan 10 command under EIGRP for AS 88
D. Configure the bfd l2cos 0 command

Answer: B

Explanation

Using bfd all-interfaces under EIGRP will enable BFD on all interfaces that are participating in
EIGRP for AS 88. This is necessary for EIGRP to establish BFD sessions on all interfaces within
the AS, including VLAN interfaces.

==================== New Questions (added on 11th-Nov-2024) ====================

Question 97

A switch has been configured to provide DHCP relay on VLAN100 to a server with an IP
address of 10.1.1.1. The DHCP server is sending syslog reports of multiple TFTP requests that
also originate from the switch. As a result, the server CPU exceeded a configured threshold.
Which action does the network administrator recommend to bring the server CPU threshold
down?

A. Configure the switch with an access list on VLAN100 to deny TFTP
B. Configure the switch with ip forward-protocol udp 67 globally
C. Configure the switch with no ip forward-protocol udp 69 on VLAN100
D. Configure the switch with a VACL on VLAN100 to deny TFTP

Answer: C

Explanation

The command ip forward-protocol udp is used to specify which UDP protocols are forwarded
by the switch. By default, the switch forwards several UDP protocols, including TFTP (port
69), which can generate additional, unnecessary traffic if not needed.
Since TFTP (UDP port 69) is not required for DHCP operations and is causing excessive traffic,
the recommended action is to disable forwarding for this specific protocol with the
command no ip forward-protocol udp 69. This prevents the switch from forwarding TFTP
requests, reducing the load on the DHCP server’s CPU.

Question 98

Refer to the exhibit.

router eigrp 1

redistribute ospf 100 route-map ospf-to-eigrp

default-metric 20000 2000 255 1 1500

!-- Output suppressed.

route-map ospf-to-eigrp deny 10

match tag 6

match route-type external type-2

route-map ospf-to-eigrp permit 20

match ip address prefix-list pfx

route-map ospf-to-eigrp permit 30

set tag 8

Which action fixes the OSPF routes redistribution into EIGRP?

A. Match OSPF and EIGRP IDs.
B. Set a default metric in the route map.
C. Match external type to type-1.
D. Set tags before matching into EIGRP.

Answer: B (?)

Explanation

Answer A is not correct as OSPF and EIGRP IDs do not have any relationship, so they do not
need to be matched.

Answer C is not correct as there’s no indication that external type-1 routes are preferred or
necessary in this configuration.

Answer D is not correct as the tag is just optional and used for reference only.

Answer B is not correct as we already had a “default-metric 20000 2000 255 1 1500” for all
routes redistributed into EIGRP.

Although there is no correct answer to this question, if we have to choose one,
answer B may have an effect on redistributed routes.

Question 99

Refer to the exhibit.

R5#

*Sep 19 08:29:51.088: BGP: 10.10.10.2 open active, local address 10.0.0.14

*Sep 19 08:29:51.120: BGP: 10.10.10.2 read request no-op

*Sep 19 08:29:51.124: BGP: 10.10.10.2 open failed: Connection refused by

remote host, open active delayed 12988ms (20000ms max, 60% jitter)

R2#show ip bgp neighbors 10.10.10.5

BGP neighbor is 10.10.10.5, remote AS 65101, internal link

BGP version 4, remote router ID 0.0.0.0

BGP state = Active

Last read 00:01:18, last write 00:01:18, hold time is 15, keepalive

interval is 3 seconds

Configured hold time is 15, keepalive interval is 3 seconds


Minimum holdtime from neighbor is 0 seconds

Address tracking is enabled, the RIB does have a route to 10.10.10.5

Connections established 13; dropped 13

Last reset 00:01:18, due to User reset

Transport(tcp) path-mtu-discovery is enabled

No active TCP connection

A customer reported a failure and intermittent disconnection between two office buildings,
site X and site Y. The network team finds that site X and site Y are exchanging email
application traffic with the data center network. Which configuration resolves the issue
between site X and site Y?

A. R2(config)#router bgp 65101
R2(config-router)#neighbor 10.10.10.5 next-hop-self

B. R2(config)#router bgp 65101
R2(config-router)#neighbor 10.10.10.5 update-source loopback 0

C. R5(config)#router bgp 65101
R5(config-router)#neighbor 10.10.10.2 next-hop-self

D. R2(config)#router bgp 65101
R2(config-router)#no timers bgp 3 15

Answer: B

Explanation

From the output of “show ip bgp neighbors 10.10.10.5”, we learned that BGP is stuck in the
“Active” state as there was no response from 10.10.10.5. Therefore the most likely cause of
this problem is that R5 was configured with the command “neighbor 10.10.10.2 remote-as
65101” under BGP. Therefore R2 must use its loopback 0 interface to establish the BGP neighbor
relationship with R5.

Note: If a BGP router receives a TCP connection request from a source IP address that is not
configured as BGP neighbor, the router rejects the request.

Question 100

Refer to the exhibit.

R1 Configuration:

interface FastEthernet0/0

ip address 10.1.1.1 255.255.255.0

router eigrp 100

network 10.0.0.0

R2 Configuration:
interface FastEthernet0/0

ip address 10.1.1.2 255.255.255.0

interface FastEthernet1/0

ip address 10.2.2.1 255.255.255.0

router eigrp 100

network 10.0.0.0

router ospf 1

network 10.2.2.1 0.0.0.0 area 0

R1 Routing Table Output:

R1# sh ip route

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C 10.1.1.0/24 is directly connected, FastEthernet0/0

L 10.1.1.1/32 is directly connected, FastEthernet0/0

D 10.2.2.0/24 [90/30720] via 10.1.1.2, 01:19:35, FastEthernet0/0

The R2 OSPF route 10.2.2.0/24 shows in the R1 EIGRP routing table without route
redistribution performed between OSPF and EIGRP routing protocols. Which configuration is
required on router R2 to resolve the issue?

A. Add the no auto-summary command in EIGRP 100
B. Replace the network 10.0.0.0 command with FastEthernet0/0 network in EIGRP 100
C. Add the passive-interface FastEthernet0/0 command in OSPF 1
D. Add the passive-interface FastEthernet 1/0 command in EIGRP 100

Answer: B

Explanation

Answer A will not change the result as both networks will still advertise in EIGRP.

Answer C is not correct as it is the problem of EIGRP, not OSPF.

Using “passive-interface FastEthernet1/0” in EIGRP will only suppress the sending of Hellos
out of this interface, while still advertising that interface’s subnet to our EIGRP neighbors ->
Answer D is not correct.

Good example: https://www.kwtrain.com/blog/understanding-eigrp-part-4-passive-interfaces

Only answer B is the best choice. By specifying only the FastEthernet0/0 network in EIGRP 100,
we prevent the Fa1/0 network from being advertised. The exact command used to solve this
problem should be: “network 10.1.1.0 0.0.0.255” under EIGRP 100.
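The following Python sketch is an added illustration, not part of the original question set. It models how EIGRP network statements select interfaces on R2, and why passive-interface does not stop a subnet from being advertised. The function names and the simplified model are assumptions made for this example; the interface addresses are taken from the R2 exhibit.

```python
import ipaddress

# Constructed from the R2 exhibit: interface name -> address/mask.
R2_INTERFACES = {
    "FastEthernet0/0": "10.1.1.2/24",
    "FastEthernet1/0": "10.2.2.1/24",
}

def classful_wildcard(addr):
    """Wildcard implied by a network statement entered without one."""
    first = int(addr.split(".")[0])
    if first < 128:
        return "0.255.255.255"   # class A
    if first < 192:
        return "0.0.255.255"     # class B
    return "0.0.0.255"           # class C

def matches(ip, net, wildcard):
    """True when ip equals net on every bit the wildcard does not mask out."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def eigrp_view(interfaces, network_statements, passive=()):
    """Return (subnets advertised into EIGRP, interfaces that send hellos)."""
    advertised, hello = set(), set()
    for name, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        for net, wc in network_statements:
            if matches(str(iface.ip), net, wc or classful_wildcard(net)):
                advertised.add(str(iface.network))   # advertised even if passive
                if name not in passive:
                    hello.add(name)
                break
    return advertised, hello

if __name__ == "__main__":
    cases = {
        "original (network 10.0.0.0)": ([("10.0.0.0", None)], ()),
        "answer D (passive Fa1/0)": ([("10.0.0.0", None)], ("FastEthernet1/0",)),
        "answer B (network 10.1.1.0 0.0.0.255)": ([("10.1.1.0", "0.0.0.255")], ()),
    }
    for label, (statements, passive) in cases.items():
        subnets, hello = eigrp_view(R2_INTERFACES, statements, passive)
        print(f"{label}: advertises {sorted(subnets)}, hellos on {sorted(hello)}")
```

Only the wildcard form leaves 10.2.2.0/24 out of the advertised set, which matches the reasoning for answer B.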

Question 101

Refer to the exhibit.


R1 should have BGP routes as “i”. Which configuration resolves the issue?

Option A

R7
route-map RC permit 10
match ip address 1
set origin igp

Option B

R7
route-map RC permit 10
match ip address 1
set metric 1

Option C

R1
route-map RC permit 10
match ip address 1
set origin igp

Option D

R1
route-map RC permit 10
match ip address 1
set metric 1

A. Option A
B. Option B
C. Option C
D. Option D
Answer: A

Explanation

The BGP routes 77.77.78.0/24, 77.77.79.0/24 and 77.77.80.0/24 are showing the origin code
as “?” (incomplete), rather than “i” (IGP). This typically occurs when routes are redistributed
into BGP without specifying the origin. By default, routes injected into BGP through
redistribution are marked as “incomplete,” indicated by the “?” origin code.

To ensure that these routes show an origin of “i” (IGP), you need to set the origin attribute
to “IGP” in the route map on the router where the routes are injected into BGP—in this
case, R7.

Question 102

Refer to the exhibit.


The network operation team opened a trouble ticket stating that users connected to R2 and
R4 cannot reach server 1. Some partial configuration and show commands are included in
the ticket:

R4#sh ip route 10.71.2.100

Routing entry for 10.71.2.0/24

Known via "eigrp 100", distance 90, metric 35840, type internal

Redistributing via eigrp 100

Last update from 10.3.111.2 on FastEthernet1/1, 00:01:14 ago

Routing Descriptor Blocks:

* 10.3.111.2, from 10.3.111.2, 00:01:14 ago, via FastEthernet1/1

R2#sh ip route 10.71.2.0

Routing entry for 10.71.2.0/24

Known via "eigrp 100", distance 90, metric 33280, type internal

Redistributing via eigrp 100

Last update from 10.1.95.2 on FastEthernet0/0, 00:12:58 ago

Routing Descriptor Blocks:

* 10.1.95.2, from 10.1.95.2, 00:12:58 ago, via FastEthernet0/0

R2#sh run | i route

ip route 10.71.2.100 255.255.255.255 Null0 name SERVER1

R2#sh run | s eigrp

router eigrp 100

network 10.1.95.0 0.0.0.3


network 10.2.2.2 0.0.0.0

network 10.3.111.0 0.0.0.3

network 10.23.32.0 0.0.0.255

R4#sh run | i route

ip route 10.71.2.0 255.255.254.0 Null0 name SERVER1

R4#sh run | s eigrp

router eigrp 100

network 10.3.111.0 0.0.0.3

network 10.4.4.4 0.0.0.0

network 10.29.89.0 0.0.0.3

network 10.60.9.0 0.0.0.255

distance 200 10.29.89.2 0.0.0.0 10

access-list 10 permit 10.71.2.0 0.0.0.255

Which configuration resolves the issue?

Option A

R4#
router eigrp 100
distance 160 10.29.89.2 0.0.0.0 10
!
no ip route 10.71.2.0 255.255.254.0 Null0 name SERVER1

Option B

R2#
router eigrp 100
distance 170 10.1.95.2 0.0.0.0 10
!
no ip route 10.71.2.100 255.255.255.255 Null0 name SERVER1

Option C

R4#
router eigrp 100
no distance 200 10.29.89.2 0.0.0.0 10
!
no access-list 10 permit 10.71.2.0 0.0.0.255

Option D

R2#
router eigrp 100
distance 90 10.1.95.2 0.0.0.0 10
!
no ip route 10.71.2.100 255.255.255.0 Null0 name SERVER1

A. Option A
B. Option B
C. Option C
D. Option D

Answer: B

Explanation

From the “sh run | i route” output, we learn that both R2 and R4 have a static Null0 route
covering Server 1 (10.71.2.100/32 on R2 and 10.71.2.0/23 on R4). These Null0 routes cause packets
destined for Server 1 to be discarded, which is why users cannot reach the server.

Although R4 has a static Null0 route covering Server 1, the last line of the output of
“R4#sh ip route 10.71.2.100” (* 10.3.111.2, from 10.3.111.2, 00:01:14 ago, via
FastEthernet1/1) shows that R4 chooses R2 (10.3.111.2) to reach Server 1, based on the
longest prefix match rule. This is because the prefix 10.71.2.0/24 learned from R2 is longer
than the static Null0 route 10.71.2.0/23 -> We don’t need to remove the static Null0 route on
R4; we only need to remove it on R2 with the “no ip route 10.71.2.100 255.255.255.255 Null0
name SERVER1” command -> Option B is correct.

Option D is not correct because it uses wrong subnet mask 255.255.255.0.

About the “distance” command, maybe it is there just to convince us Option D is better than
Option B.
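The longest prefix match reasoning above can be checked with a short Python model. This is an added example, not part of the original question set. The route lists are constructed from the ticket output, the administrative distance of 1 for the static routes is the IOS default, and the function names are hypothetical.

```python
import ipaddress

SERVER1 = ipaddress.ip_address("10.71.2.100")

# Constructed from the ticket: (prefix, source, admin distance, next hop).
R2_ROUTES = [
    ("10.71.2.100/32", "static", 1, "Null0"),
    ("10.71.2.0/24", "eigrp 100", 90, "10.1.95.2"),
]
R4_ROUTES = [
    ("10.71.2.0/23", "static", 1, "Null0"),
    ("10.71.2.0/24", "eigrp 100", 90, "10.3.111.2"),
]

def build_rib(candidates):
    """Keep one route per prefix: the candidate with the lowest distance."""
    rib = {}
    for prefix, source, distance, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in rib or distance < rib[net][1]:
            rib[net] = (source, distance, next_hop)
    return rib

def lookup(candidates, dst):
    """Forwarding decision for dst: the longest matching prefix in the RIB."""
    rib = build_rib(candidates)
    covering = [net for net in rib if dst in net]
    if not covering:
        return None
    best = max(covering, key=lambda net: net.prefixlen)
    return str(best), rib[best][2]

def without_static(candidates, prefix):
    """Route set after a 'no ip route' for the given prefix."""
    return [r for r in candidates if not (r[0] == prefix and r[1] == "static")]

if __name__ == "__main__":
    print("R2 before:", lookup(R2_ROUTES, SERVER1))   # /32 Null0 wins, traffic dropped
    print("R4 before:", lookup(R4_ROUTES, SERVER1))   # /24 via R2 beats the /23 Null0
    fixed = without_static(R2_ROUTES, "10.71.2.100/32")
    print("R2 after :", lookup(fixed, SERVER1))       # falls back to the EIGRP /24
```

Administrative distance only decides between candidates for the same prefix, so the static /23 on R4 never competes with the EIGRP /24.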
