Topic 4: MC
Question No : 419 - Topic 4
Which VPN technology requires the use of an external key server?
A. GETVPN
B. GDOI
C. SSL
D. DMVPN
E. IPsec
F. L2TPv3
Answer : A
Explanation: A GETVPN deployment has three primary components: the Key Server (KS), the Group Member (GM), and the Group Domain of Interpretation (GDOI) protocol. GMs encrypt and decrypt the traffic, and the KS distributes the encryption key to all group members. The KS decides on a single data encryption key for a given lifetime. Since all GMs use the same key, any GM can decrypt the traffic encrypted by any other GM. The GDOI protocol is used between the GM and the KS for group key and group SA management. At least one KS is required for a GETVPN deployment.
Reference: http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
Question No : 381 - Topic 4
Which mechanism does Cisco recommend for CE router interfaces that face the service provider for an EVPL circuit with multiple EVCs and multiple traffic classes?
A. HCBWFQ
B. LLQ
C. tail drop
D. WRED
Answer : A
Explanation: In a simple handoff, packets may be discarded in the service provider network, either because of congestion on a link without an appropriate QoS policy or because of a policer QoS configuration on the service provider network that serves to rate limit traffic accessing the WAN core. To address these issues, QoS on the CE device is applied at a per-port level. A QoS service policy is configured on the outside Ethernet interface, and this parent policy includes a shaper that then references a second or subordinate (child) policy that enables queueing within the shaped rate. This is called a hierarchical CBWFQ (HCBWFQ) configuration.
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/Ethernet_Access_for_NG_MAN_WAN_V3-1_external.html
Question No : 359 - Topic 4
Which statement about OTV is true?
A. The overlay interface becomes active only when configuration is complete and it is manually enabled.
B. OTV data groups can operate only in PIM sparse-mode.
C. The overlay interface becomes active immediately when it is configured.
D. The interface facing the OTV groups must be configured with the highest MTU possible.
Answer : A
Explanation: OTV has the following configuration guidelines and limitations:
- If the same device serves as the default gateway in a VLAN interface and the OTV edge device for the VLANs being extended, configure OTV on a device (VDC or switch) that is separate from the VLAN interfaces (SVIs).
- When possible, we recommend that you use a separate nondefault VDC for OTV to allow for better manageability and maintenance.
- An overlay interface will only be in an up state if the overlay interface configuration is complete and enabled (no shutdown). The join interface has to be in an up state.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/OTV/config_guide/b_Cisco_Nexus_7000_Series_NX-OS_OTV_Configuration_Guide/basic-otv.html
Question No : 403 - Topic 4
What is a reason for 6PE to use two MPLS labels in the data plane instead of one?
A. 6PE allows penultimate hop popping and has a requirement that all P routers do not have to be IPv6 aware.
B. 6PE does not allow penultimate hop popping.
C. It allows MPLS traffic engineering to work in a 6PE network.
D. It allows 6PE to work in an MPLS network where 6VPE is also deployed.
Answer : A
Explanation: Q. Why does 6PE use two MPLS labels in the data plane? A. 6PE uses two labels:
- The top label is the transport label, which is assigned hop-by-hop by the Label Distribution Protocol (LDP) or by MPLS traffic engineering (TE).
- The bottom label is the label assigned by the Border Gateway Protocol (BGP) and advertised by the internal BGP (iBGP) between the Provider Edge (PE) routers.
When 6PE was released, a main requirement was that none of the MPLS core routers (the P routers) had to be IPv6-aware. That requirement drove the need for two labels in the data plane. There are two reasons why 6PE needs both labels.
PHP Functionality: If only the transport label were used, and if penultimate hop popping (PHP) were used, the penultimate hop router (the P router) would need to understand IPv6. With PHP, this penultimate hop router would need to remove the MPLS label and forward the packet as an IPv6 packet. This P router would need to know that the packet is IPv6 because the P router would need to use the correct Layer 2 encapsulation type for IPv6. (The encapsulation type is different for IPv6 and IPv4; for example, for Ethernet, the encapsulation type is 0x86DD for IPv6, while it is 0x0800 for IPv4.) If the penultimate hop router is not IPv6-capable, it would likely put the Layer 2 encapsulation type for IPv4 on the IPv6 packet. The egress PE router would then believe that the packet was IPv4. There is time-to-live (TTL) processing in both the IPv4 and IPv6 headers. In IPv6, the field is called Hop Limit. The IPv4 and IPv6 fields are at different locations in the headers. Also, the Header Checksum in the IPv4 header would need to be changed; there is no Header Checksum field in IPv6. If the penultimate hop router is not IPv6-capable, it would cause the IPv6 packet to be malformed since the router expects to find the TTL field and Header Checksum field in the header.
Because of these differences, the penultimate hop router would need to know it
Question No : 355 - Topic 4
Which two events occur when a packet is decapsulated in a GRE tunnel? (Choose two.)
A. The destination IPv4 address in the IPv4 payload is used to forward the packet.
B. The TTL of the payload packet is decremented.
C. The source IPv4 address in the IPv4 payload is used to forward the packet.
D. The TTL of the payload packet is incremented.
E. The version field in the GRE header is incremented.
F. The GRE keepalive mechanism is reset.
Answer : A,B
Explanation: After the GRE encapsulated packet reaches the remote tunnel endpoint router, the GRE packet is decapsulated. The destination address lookup of the outer IP header (this is the same as the tunnel destination address) will find a local address (receive) entry on the ingress line card. The first step in GRE decapsulation is to qualify the tunnel endpoint, before admitting the GRE packet into the router, based on the combination of tunnel source (the same as the source IP address of the outer IP header) and tunnel destination (the same as the destination IP address of the outer IP header). If the received packet fails the tunnel admittance qualification check, the packet is dropped by the decapsulation router. On a successful tunnel admittance check, the decapsulation strips the outer IP and GRE header off the packet, then starts processing the inner payload packet as a regular packet. When a tunnel endpoint decapsulates a GRE packet which has an IPv4/IPv6 packet as the payload, the destination address in the IPv4/IPv6 payload packet header is used to forward the packet, and the TTL of the payload packet is decremented.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-3/addr-serv/configuration/guide/b-ipaddr-cg53asr9k/b-ipaddr-cg53asr9k_chapter_01001.html
Question No : 431 - Topic 4
Which two values comprise the VPN ID for an MPLS VPN? (Choose two.)
A. an OUI
B. a VPN index
C. a route distinguisher
D. a 16-bit AS number
E. a 32-bit IP address
Answer : A,B
Explanation: Each MPLS VPN ID defined by RFC 2685 consists of the following elements:
- An Organizational Unique Identifier (OUI), a three-octet hex number: The IEEE Registration Authority assigns OUIs to any company that manufactures components under the ISO/IEC 8802 standard. The OUI is used to generate universal LAN MAC addresses and protocol identifiers for use in local and metropolitan area network applications. For example, an OUI for Cisco Systems is 00-03-6B (hex).
- A Virtual Private Network (VPN) index: a four-octet hex number, which identifies the VPN within the company.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/15-mt/mp-l3-vpns-15-mt-book/mp-assgn-id-vpn.html
Question No : 377 - Topic 4
Which two statements about 6VPE are true? (Choose two.)
A. It allows a service provider to use an existing MPLS network to provide VPN services to IPv6 customers.
B. It uses MP-BGP as the carrier protocol to transport IPv6 connectivity.
C. It provides IPv6 connectivity to MPLS-VPN customers when IPv6 overlay tunneling is also configured.
D. It allows a service provider to use an existing MPLS network to provide global addressing to their IPv6 customers.
E. It requires the configuration of a GRE tunnel tagged with a VLAN ID.
F. It allows a service provider to use an existing L2TPv3 network to provide VPN services to IPv6 customers.
Answer : A,B
Explanation: The IPv6 MPLS VPN service model is similar to that of IPv4 MPLS VPNs. Service providers who have already deployed MPLS IPv4 VPN services over an IPv4 backbone can deploy IPv6 MPLS VPN services over the same IPv4 backbone by upgrading the PE router IOS version and dual-stack configuration, without any change on the core routers. IPv4 services can be provided in parallel with IPv6 services. IPv6 VPN service is exactly the same as MPLS VPN for IPv4. 6VPE offers the same architectural features as MPLS VPN for IPv4. It offers IPv6 VPN and uses the same components, such as:
- Multiprotocol BGP (MP-BGP) VPN address family
- Route distinguishers
- VPN Routing and Forwarding (VRF) instances
- Site of Origin (SOO)
- Extended community
- MP-BGP
Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/ip_solution_center/5-
Question No : 423 - Topic 4
Which two parameters does the Tunnel Mode Auto Selection feature select automatically? (Choose two.)
A. the tunneling protocol
B. the transport protocol
C. the ISAKMP profile
D. the transform-set
E. the tunnel peer
Answer : A,B
Explanation: The Tunnel Mode Auto Selection feature eases the configuration and spares you from having to know the responder's details. This feature automatically applies the tunneling protocol (GRE or IPsec) and transport protocol (IPv4 or IPv6) on the virtual template as soon as the IKE profile creates the virtual access interface. This feature is useful on dual-stack hubs aggregating multivendor remote access, such as the Cisco AnyConnect VPN Client, the Microsoft Windows 7 client, and so on.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html
Question No : 412 - Topic 4
Which three roles does a key server perform when used with GETVPN? (Choose three.)
A. It authenticates group members.
B. It manages security policies.
C. It creates group keys.
D. It distributes multicast replication policies.
E. It distributes multicast replication keys.
F. It configures and routes the GDOI protocol.
Answer : A,B,C
Explanation: The key server is responsible for maintaining security policies, authenticating the Group Members and providing the session key for encrypting traffic. The KS authenticates the individual GMs at the time of registration. Only after successful registration can the GMs participate in the group SA.
Reference: http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
Question No : 429 - Topic 4
Which two tunneling techniques determine the IPv4 destination address on a per-packet basis? (Choose two.)
A. 6to4 tunneling
B. ISATAP tunneling
C. manual tunneling
D. GRE tunneling
Answer : A,B
Explanation: Tunnel Configuration Parameters by Tunneling Type (columns: Tunneling Type; Tunnel Mode; Tunnel Source; Tunnel Destination; Interface Prefix or Address). For every tunneling type the tunnel source is an IPv4 address, or a reference to an interface on which IPv4 is configured.
- Manual: tunnel mode ipv6ip; tunnel destination: an IPv4 address; interface prefix or address: an IPv6 address.
- GRE/IPv4: tunnel mode gre ip; tunnel destination: an IPv4 address; interface prefix or address: an IPv6 address.
- IPv4-compatible, 6to4 and ISATAP share one tunnel destination entry: not required. These are all point-to-multipoint tunneling types; the IPv4 destination address is calculated, on a per-packet basis, from the IPv6 destination.
- IPv4-compatible: tunnel mode ipv6ip auto-tunnel; interface prefix or address: not required; the IPv4-compatible address is derived from the tunnel source IPv4 address (::tunnel-source/96).
- 6to4: tunnel mode ipv6ip 6to4; interface prefix or address: an IPv6 address. The prefix must embed the tunnel source IPv4 address.
- ISATAP: tunnel mode ipv6ip isatap; interface prefix or address: an IPv6 prefix in modified EUI-64 format. The IPv6 address is generated from the prefix and the tunnel source IPv4 address.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-tunnel.html
Question No : 398 - Topic 4
Which two options are signaling protocols that are used in MPLS? (Choose two.)
A. LDP
B. RSVP
C. BFD
D. LISP
E. CLNS
F. CDP
Answer : A,B
Explanation: Signaling is the means by which LSRs all along the path know that they are a part of a given LSP. It is a signaling function by which the LSR knows that the internal transit path for the LSP depicted goes from Interface 2 to Interface 4. Label distribution is the means by which an LSR tells an upstream LSR what label value to use for a particular LSP. There are four protocols that can perform the label distribution function:
- Label Distribution Protocol (LDP)
- Resource Reservation Protocol with Traffic Engineering Extensions (RSVP-TE)
- Constraint-Based Routed LDP (CR-LDP)
- Multiprotocol BGP
LDP and RSVP-TE are the two most commonly used label distribution protocols.
Reference: http://www.networkworld.com/article/2237487/cisco-subnet/understanding-mpls-label-distribution.html
Question No : 402 - Topic 4
Which three options are best practices for implementing a DMVPN? (Choose three.)
A. Use IPsec in tunnel mode.
B. Implement Dead Peer Detection to detect communication loss.
C. Configure AES for encryption of transported data.
D. Configure SHA-1 for encryption of transported data.
E. Deploy IPsec hardware acceleration to minimize router memory overhead.
F. Configure QoS services only on the head-end router.
Answer : A,B,C
Explanation: Best Practices Summary for Hub-and-Spoke Deployment Model. This section describes the best practices for a dual DMVPN cloud topology with the hub-and-spoke deployment, supporting IP multicast (IPmc) traffic including routing protocols. The following are general best practices:
- Use IPsec in transport mode.
- Configure Triple DES (3DES) or AES for encryption of transported data (exports of encryption algorithms to certain countries may be prohibited by law).
- Implement Dead Peer Detection (DPD) on the spokes to detect loss of communication between peers.
- Deploy hardware acceleration of IPsec to minimize router CPU overhead, to support traffic with low latency and jitter requirements, and for the highest performance for cost.
- Keep IPsec packet fragmentation to a minimum on the customer network by setting MTU size or using Path MTU Discovery (PMTUD).
- Use Digital Certificates/Public Key Infrastructure (PKI) for scalable tunnel authentication.
- Configure a routing protocol (for example, EIGRP, BGP or OSPF) with route summarization for dynamic routing.
- Set up QoS service policies as appropriate on headend and branch router interfaces to help alleviate interface congestion issues and to attempt to keep higher priority traffic from being dropped during times of congestion.
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG/DMV
Question No : 401 - Topic 4
Which three components comprise the structure of a pseudowire FEC element? (Choose three.)
A. pseudowire ID
B. pseudowire type
C. control word
D. Layer 3 PDU
E. header checksum
F. type of service
Answer : A,B,C
Explanation: The Pseudowire ID FEC element has the following components:
- Pseudowire ID FEC: The first octet has a value of 128 that identifies it as a Pseudowire ID FEC element.
- Control Word Bit (C-Bit): The C-bit indicates whether the advertising PE expects the control word to be present for pseudowire packets. A control word is an optional 4-byte field located between the MPLS label stack and the Layer 2 payload in the pseudowire packet. The control word carries generic and Layer 2 payload-specific information. If the C-bit is set to 1, the advertising PE expects the control word to be present in every pseudowire packet on the pseudowire that is being signaled. If the C-bit is set to 0, no control word is expected to be present.
- Pseudowire Type: PW Type is a 15-bit field that represents the type of pseudowire. Examples of pseudowire types are shown in Table 6-1.
- Pseudowire Information Length: Pseudowire Information Length is the length of the Pseudowire ID field and the interface parameters in octets. When the length is set to 0, this FEC element stands for all pseudowires using the specified Group ID. The Pseudowire ID and Interface Parameters fields are not present.
- Group ID: The Group ID field is a 32-bit arbitrary value that is assigned to a group of pseudowires.
- Pseudowire ID: The Pseudowire ID, also known as VC ID, is a non-zero, 32-bit identifier that distinguishes one pseudowire from another. To connect two attachment circuits through a pseudowire, you need to associate each one with the same Pseudowire ID.
- Interface Parameters: The variable-length Interface Parameters field provides attachment circuit-specific information, such as interface MTU, maximum number of concatenated ATM cells, interface description, and so on.
Reference: http://www.ciscopress.com/articles/article.asp?p=386788&seqNum=2
Question No : 364 - Topic 4
Which statement describes the function of rekey messages?
A. They prevent unencrypted traffic from passing through a group member before registration.
B. They refresh IPsec SAs when the key is about to expire.
C. They trigger a rekey from the server when configuring the rekey ACL.
D. They authenticate traffic passing through a particular group member.
Answer : B
Explanation: Rekey messages are used to refresh IPsec SAs. When the IPsec SAs or the rekey SAs are about to expire, one single rekey message for a particular group is generated on the key server. No new IKE sessions are created for the rekey message distribution. The rekey messages are distributed by the key server over an existing IKE SA. Rekeying can use multicast or unicast messages.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html
Question No : 399 - Topic 4
Which three statements about GET VPN are true? (Choose three.)
A. It encrypts WAN traffic to increase data security and provide transport authentication.
B. It provides direct communication between sites, which reduces latency and jitter.
C. It can secure IP multicast, unicast, and broadcast group traffic.
D. It uses a centralized key server for membership control.
E. It enables the router to configure tunnels.
F. It maintains full-mesh connectivity for IP networks.
Answer : A,B,D
Explanation: Cisco GET VPN Features and Benefits (Feature; Description and Benefit):
Key Services: Key Servers are responsible for ensuring that keys are granted to authenticated and authorized devices only. They maintain the freshness of the key material, pushing re-key messages as well as security policies on a regular basis. The chief characteristics include:
- Key Servers can be located centrally, granting easy control over membership.
- Key Servers are not in the "line of fire": encrypted application traffic flows directly between VPN end points without a bottleneck or an additional point of failure.
- Supports both local and global policies, applicable to all members in a group, such as "Permit any any", a policy to encrypt all traffic.
- Supports IP Multicast to distribute and manage keys, for improved efficiency; Unicast is also supported where IP Multicast is not possible.
Scalability and Throughput: The full mesh nature of the solution allows devices to communicate directly with each other, without requiring transport through a central hub; this minimizes extra encrypts and decrypts at the hub router; it also helps minimize latency and jitter. Efficient handling of IP Multicast traffic by using the core network for replication can boost effective throughput further.
Security: Provides data security and transport authentication, helping to meet security compliance and internal regulation by encrypting all WAN traffic.
Reference: http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/product_data_sheet0900aecd80582067.html
Question No : 380 - Topic 4
On an MPLS L3VPN, which two tasks are performed by the PE router? (Choose two.)
A. It exchanges VPNv4 routes with other PE routers.
B. It typically exchanges iBGP routing updates with the CE device.
C. It distributes labels and forwards labeled packets.
D. It exchanges VPNv4 routes with CE devices.
E. It forwards labeled packets between CE devices.
Answer : A,C
Explanation: MPLS VPN functionality is enabled at the edge of an MPLS network. The PE router performs these tasks:
- Exchanges routing updates with the CE router
- Translates the CE routing information into VPN version 4 (VPNv4) routes
- Exchanges VPNv4 routes with other PE routers through the Multiprotocol Border Gateway Protocol (MP-BGP)
A PE router binds a label to each customer prefix learned from a CE router and includes the label in the network reachability information for the prefix that it advertises to other PE routers. When a PE router forwards a packet received from a CE router across the provider network, it labels the packet with the label learned from the destination PE router. When the destination PE router receives the labeled packet, it pops the label and uses it to direct the packet to the correct CE router. Label forwarding across the provider backbone is based on either dynamic label switching or traffic engineered paths. A customer data packet carries two levels of labels when traversing the backbone.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-2/lxvpn/configuration/guide/vcasr9kv342/vcasr9k42v3.html
Question No : 434 - Topic 4
Which three statements describe the characteristics of a VPLS architecture? (Choose three.)
A. It forwards Ethernet frames.
B. It maps MAC address destinations to IP next hops.
C. It supports MAC address aging.
D. It replicates broadcast and multicast frames to multiple ports.
E. It conveys MAC address reachability information in a separate control protocol.
F. It can suppress the flooding of traffic.
Answer : A,C,D
Explanation: As a VPLS forwards Ethernet frames at Layer 2, the operation of VPLS is exactly the same as that found within IEEE 802.1 bridges, in that VPLS will self-learn source MAC address to port associations, and frames are forwarded based upon the destination MAC address. Like other 802.1 bridges, MAC address aging is supported.
Reference: http://www.cisco.com/en/US/products/hw/routers/ps368/products_white_paper09186a00801f6084.shtml
Question No : 393 - Topic 4
Which IPv6 prefix is used for 6to4 tunnel addresses?
A. 2001::/23
B. 2002::/16
C. 3ffe::/16
D. 5f00::/8
E. 2001::/32
Answer : B
Explanation: 6to4 works by taking advantage of a reserved IPv6 prefix, 2002::/16. A 6to4 tunnel interface automatically converts the 32 bits in its IPv6 address following this prefix to a global unicast IPv4 address for transport across an IPv4 network such as the public Internet.
Reference: http://packetlife.net/blog/2010/mar/15/6to4-ipv6-tunneling/
Question No : 360 - Topic 4
By default, how does a GET VPN group member router handle traffic when it is unable to register to a key server?
A. All traffic is queued until registration is successful or the queue is full.
B. All traffic is forwarded through the router unencrypted.
C. All traffic is forwarded through the router encrypted.
D. All traffic through the router is dropped.
Answer : B
Explanation: In the basic GETVPN configuration, the traffic passing through a group member is sent in the clear until the GM registers with the Key Server. This is because the crypto ACL is configured on the KS, and the GM only receives that information after registration is successful. This means that for a short period of time traffic can go out unencrypted after a GM is booted up or the existing GETVPN session is cleared manually. This mode is called fail open and it is the default behavior. This behavior can be turned off by configuring Fail Close mode on the GMs.
Reference: http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html
Question No : 357 - Topic 4
Which Carrier Ethernet service supports the multiplexing of multiple point-to-point EVCs across a single UNI?
A. EPL
B. EVPL
C. EMS
D. ERMS
Answer : B
Explanation: Ethernet Relay Service (ERS or EVPL): An Ethernet Virtual Circuit (EVC) is used to logically connect endpoints, but multiple EVCs can exist per single UNI. Each EVC is distinguished by its 802.1q VLAN tag identification. The ERS network acts as if the Ethernet frames have crossed a switched network, and certain control traffic is not carried between the ends of the EVC. ERS is analogous to Frame Relay, where the CE-VLAN tag plays the role of a Data-Link Connection Identifier (DLCI). The MEF term for this service is EVPL.
Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/ip_solution_center/5-1/carrier_ethernet/user/guide/l2vpn51book/concepts.html
Question No : 416 - Topic 4
What is the new designation for the MPLS EXP (experimental) bits?
A. QoS bits
B. traffic class bits
C. flow bits
D. precedence bits
Answer : B
Explanation: To avoid misunderstanding about how this field may be used, it has become increasingly necessary to rename this field. This document changes the name of the EXP field to the "Traffic Class field" ("TC field"). In doing so, it also updates documents that define the current use of the EXP field.
Reference: https://tools.ietf.org/html/rfc5462
Question No : 426 - Topic 4
Which two statements about the C-bit and PW type are true? (Choose two.)
A. The C-bit is 1 byte and the PW type is 15 bytes.
B. The PW type indicates the type of pseudowire.
C. The C-bit is 3 bits and the PW type is 10 bits.
D. The C-bit set to 1 indicates a control word is present.
E. The PW type indicates the encryption type.
Answer : B,D
Explanation: The control word carries generic and Layer 2 payload-specific information. If the C-bit is set to 1, the advertising PE expects the control word to be present in every pseudowire packet on the pseudowire that is being signaled. If the C-bit is set to 0, no control word is expected to be present. Pseudowire Type: PW Type is a 15-bit field that represents the type of pseudowire.
Reference: http://www.ciscopress.com/articles/article.asp?p=386788&seqNum=2
Question No : 361 - Topic 4
You are configuring a DMVPN spoke to use IPsec over a physical interface that is located within a VRF. For which three configuration sections must you specify the VRF name? (Choose three.)
A. the ISAKMP profile
B. the crypto keyring
C. the IPsec profile
D. the IPsec transform set
E. the tunnel interface
F. the physical interface
Answer : B,E,F
Explanation:
Example: Router(config-if)# ip vrf forwarding green
Associates a virtual private network (VPN) routing and forwarding (VRF) instance with an interface or subinterface. vrf-name is the name assigned to a VRF.
Router(config-if)# tunnel vrf vrf-name
Example: Router(config-if)# tunnel vrf finance1
Associates a VPN routing and forwarding (VRF) instance with a specific tunnel destination. vrf-name is the name assigned to a VRF.
Router(config)# crypto keyring keyring-name [vrf fvrf-name]
Defines a crypto keyring to be used during IKE authentication and enters keyring configuration mode. keyring-name: name of the crypto keyring. fvrf-name: (optional) front door virtual routing and forwarding (FVRF) name to which the keyring will be referenced. fvrf-name must match the FVRF name that was defined during virtual routing and forwarding (VRF) configuration.
Question No : 413 - Topic 4
The session status for an IPsec tunnel with IPv6-in-IPv4 is down with the error message "IKE message from 10.10.1.1 failed its sanity check or is malformed". Which statement describes a possible cause of this error?
A. There is a verification failure on the IPsec packet.
B. The SA has expired or has been cleared.
C. The pre-shared keys on the peers are mismatched.
D. There is a failure due to a transform set mismatch.
E. An incorrect packet was sent by an IPsec peer.
Answer : C
Explanation: IKE Message from X.X.X.X Failed its Sanity Check or is Malformed: This debug error appears if the pre-shared keys on the peers do not match. In order to fix this issue, check the pre-shared keys on both sides.
1d00H:%CRPTO-4-IKMP_BAD_MESSAGE. IKE message from 150.150.150.1 failed its sanity check or is malformed.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#ike
Question No : 379 - Topic 4
According to RFC 4577, OSPF for BGP/MPLS IP VPNs, when must the down bit be set?
A. when an OSPF route is distributed from the PE to the CE, for Type 3 LSAs
B. when an OSPF route is distributed from the PE to the CE, for Type 5 LSAs
C. when an OSPF route is distributed from the PE to the CE, for Type 3 and Type 5 LSAs
D. when an OSPF route is distributed from the PE to the CE, for all types of LSAs
Answer : C
Explanation: If an OSPF route is advertised from a PE router into an OSPF area, the Down bit (DN) is set. Another PE router in the same area does not redistribute this route into the iBGP of the MPLS VPN network if the Down bit is set. RFC 4577 says: When a type 3 LSA is sent from a PE router to a CE router, the DN bit in the LSA Options field MUST be set. This is used to ensure that if any CE router sends this type 3 LSA to a PE router, the PE router will not redistribute it further. When a PE router needs to distribute to a CE router a route that comes from a site outside the latter's OSPF domain, the PE router presents itself as an ASBR (Autonomous System Border Router), and distributes the route in a type 5 LSA. The DN bit [OSPF-DN] MUST be set in these LSAs to ensure that they will be ignored by any other PE routers that receive them. For more information about the Down bit according to RFC 4577, see http://tools.ietf.org/html/rfc4577#section-4.2.5.1.
Question No : 362 - Topic 4
MPLS LDP IGP synchronization is configured on a link. The OSPF adjacency on that link is UP but MPLS LDP synchronization is not achieved. Which statement about this scenario is true?
A. The router excludes the link from its OSPF LSA type 1.
B. The router flushes its own router LSA.
C. The router advertises the link in its router LSA with max-metric.
D. The router advertises an LSA type 2 for this link, with the metric set to max-metric.
E. The router advertises the link and OSPF adjacency as it would when the synchronization is achieved.
Answer : C
Explanation: To enable LDP-IGP Synchronization on each interface that belongs to an OSPF or IS-IS process, enter the mpls ldp sync command. If you do not want some of the interfaces to have LDP-IGP Synchronization enabled, issue the no mpls ldp igp sync command on those interfaces. If the LDP peer is reachable, the IGP waits indefinitely (by default) for synchronization to be achieved. To limit the length of time the IGP session must wait, enter the mpls ldp igp sync holddown command. If the LDP peer is not reachable, the IGP establishes the adjacency to enable the LDP session to be established. When an IGP adjacency is established on a link but LDP-IGP Synchronization is not yet achieved or is lost, the IGP advertises the max-metric on that link.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsldpsyn.html
Question No : 391 - Topic 4
For which feature is the address family "rtfilter" used?
A. Enhanced Route Refresh
B. MPLS VPN filtering
C. Route Target Constraint
D. Unified MPLS
Answer : C
Explanation: With Multiprotocol Label Switching (MPLS) VPN, the internal Border Gateway Protocol (iBGP) peer or Route Reflector (RR) sends all VPN4 and/or VPN6 prefixes to the PE routers. The PE router drops the VPN4/6 prefixes for which there is no importing VPN routing and forwarding (VRF). This is a behavior where the RR sends VPN4/6 prefixes to the PE router which it does not need. This is a waste of processing power on the RR and the PE and a waste of bandwidth. With Route Target Constraint (RTC), the RR sends only wanted VPN4/6 prefixes to the PE. "Wanted" means that the PE has a VRF importing the specific prefixes. RFC 4684 specifies Route Target Constraint (RTC). The support is through a new address family, rtfilter, for both VPNv4 and VPNv6.
Reference: http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/116062-technologies-technote-restraint-00.html
Question No : 435 - Topic 4 Which two statements are true about a 6to4 tunnel connecting two IPv6 islands over the IPv4 Internet? (Choose two.) A. It embeds the IPv6 packet into the IPv4 payload with the protocol type set to 51. B. It works by appending the private IPv4 address (converted into hexadecimal format) to the 2002::/16 prefix. C. It embeds the IPv6 packet into the IPv4 payload with the protocol type set to 41. D. It works by appending the public IPv4 address (converted into hexadecimal format) to the 2002::/16 prefix.
Answer : C,D Explanation: 6to4 embeds an IPv6 packet in the payload portion of an IPv4 packet with protocol type 41. To send an IPv6 packet over an IPv4 network to a 6to4 destination address, an IPv4 header with protocol type 41 is prepended to the IPv6 packet. The IPv4 destination address for the prepended packet header is derived from the IPv6 destination address of the inner packet (which is in the format of a 6to4 address), by extracting the 32 bits immediately following the IPv6 destination address's 2002::/16 prefix. The IPv4 source address in the prepended packet header is the IPv4 address of the host or router which is sending the packet over IPv4. The resulting IPv4 packet is then routed to its IPv4 destination address just like any other IPv4 packet. Reference: http://en.wikipedia.org/wiki/6to4
Question No : 418 - Topic 4 Which two services are used to transport Layer 2 frames across a packet-switched network? (Choose two.) A. Frame Relay B. ATM C. AToM D. L2TPv3
Answer : C,D Explanation: Both AToM and L2TPv3 share the objective of transporting Layer 2 frames (Frame Relay, ATM, and Ethernet) across a packet-switched network. Reference: Layer 2 VPN Architectures, Wei Luo, Carlos Pignataro, Anthony Chan, https://books.google.com/books?isbn=0132796864
Question No : 356 - Topic 4 Which two statements are true about OTV? (Choose two.) A. It relies on flooding to propagate MAC address reachability information. B. It uses a full mesh of point-to-multipoint tunnels to prevent head-end replication of multicast traffic. C. It can work over any transport that can forward IP packets. D. It supports automatic detection of multihoming.
Answer : C,D Explanation: The overlay nature of OTV allows it to work over any transport as long as this transport can forward IP packets. Any optimizations performed for IP in the transport will benefit the OTV encapsulated traffic. As part of the OTV control protocol, automatic detection of multihoming is included. This feature enables the multihoming of sites without requiring additional configuration or protocols. Reference: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white_paper_c11-574984.html
Question No : 365 - Topic 4 Which three statements are functions that are performed by IKE phase 1? (Choose three.) A. It builds a secure tunnel to negotiate IKE phase 1 parameters. B. It establishes IPsec security associations. C. It authenticates the identities of the IPsec peers. D. It protects the IKE exchange by negotiating a matching IKE SA policy. E. It protects the identities of IPsec peers. F. It negotiates IPsec SA parameters.
Answer : C,D,E Explanation: The basic purpose of IKE phase 1 is to authenticate the IPSec peers and to set up a secure channel between the peers to enable IKE exchanges. IKE phase 1 performs the following functions: ✑ Authenticates and protects the identities of the IPSec peers ✑ Negotiates a matching IKE SA policy between peers to protect the IKE exchange ✑ Performs an authenticated Diffie-Hellman exchange with the end result of having matching shared secret keys ✑ Sets up a secure tunnel to negotiate IKE phase 2 parameters Reference: http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
Question No : 415 - Topic 4 In which two modes do IPv6-in-IPv4 tunnels operate? (Choose two.) A. tunnel mode B. transport mode C. 6to4 mode D. 4to6 mode E. ISATAP mode
Answer : C,E Explanation: There are five tunneling solutions in IPv6:
1. Using tunnel mode ipv6ip: in this case the tunnel source and destination are configured with IPv4 addressing and the tunnel interface is configured with IPv6. This will use protocol 41. This is used for IPv6/IPv4.
R1(config)#int tunnel 1
R1(config-if)#ipv6 address 12:1:12::1/64
R1(config-if)#tunnel source 10.1.12.1
R1(config-if)#tunnel destination 10.1.12.2
R1(config-if)#tunnel mode ipv6ip
2. Using tunnel mode gre ipv6: in this case the tunnel source and destination are all configured with IPv6 addressing. This is used for IPv6/IPv6.
BB1(config)#int tunnel 1
BB1(config-if)#ipv6 address 121:1:121::111/64
BB1(config-if)#tunnel source 10:1:111::111
BB1(config-if)#tunnel destination 10:1:112::112
BB1(config-if)#tunnel mode gre ipv6
3. In the third type, the tunnel mode is NOT used at all; note that the tunnel interface is configured with IPv6 and the tunnel source and destination are configured with IPv4, but no tunnel mode is specified. This configuration will use protocol 47. This is used for IPv6/IPv4.
R1(config)#int tunnel 13
R1(config-if)#ipv6 address 13:1:13::1/64
R1(config-if)#tunnel source 10.1.13.1
R1(config-if)#tunnel destination 10.1.13.3
4. Note that in this case a special address is assigned to the tunnel interface, which is a concatenation of the reserved IPv6 prefix 2002 followed by the translated IPv4 address of a given interface on the router. In this configuration ONLY the tunnel source address is used, and since the tunnel is automatic, the destination address is NOT configured. The tunnel mode is set to tunnel mode ipv6ip 6to4. Note that the IPv4 address 10.1.1.1 is translated to 0A.01.01.01 and, once concatenated, it becomes 2002:0A01:0101: or 2002:A01:101. This is used for IPv6/IPv4.
R1(config)#interface Tunnel14
R1(config-if)#ipv6 address 2002:A01:101::/128
R1(config-if)#tunnel source 10.1.1.1
R1(config-if)#tunnel mode ipv6ip 6to4
5. ISATAP, ISATAP works like 6to
Question No : 395 - Topic 4 A GRE tunnel is down with the error message %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error. Which two options describe possible causes of the error? (Choose two.) A. Incorrect destination IP addresses are configured on the tunnel. B. There is link flapping on the tunnel. C. There is instability in the network due to route flapping. D. The tunnel mode and tunnel IP address are misconfigured. E. The tunnel destination is being routed out of the tunnel interface.
Answer : C,E Explanation: The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message means that the generic routing encapsulation (GRE) tunnel router has discovered a recursive routing problem. This condition is usually due to one of these causes: ✑ A misconfiguration that causes the router to try to route to the tunnel destination address using the tunnel interface itself (recursive routing) ✑ A temporary instability caused by route flapping elsewhere in the network Reference: http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/22327-gre-flap.html
Question No : 367 - Topic 4 When you configure the ip pmtu command under an L2TPv3 pseudowire class, which two things can happen when a packet exceeds the L2TP path MTU? (Choose two.) A. The router drops the packet. B. The router always fragments the packet after L2TP/IP encapsulation. C. The router drops the packet and sends an ICMP unreachable message back to the sender only if the DF bit is set to 1. D. The router always fragments the packet before L2TP/IP encapsulation. E. The router fragments the packet after L2TP/IP encapsulation only if the DF bit is set to 0. F. The router fragments the packet before L2TP/IP encapsulation only if the DF bit is set to 0.
Answer : C,F Explanation: If you enable the ip pmtu command in the pseudowire class, the L2TPv3 control channel participates in the path MTU discovery. When you enable this feature, the following processing is performed: ICMP unreachable messages sent back to the L2TPv3 router are deciphered and the tunnel MTU is updated accordingly. In order to receive ICMP unreachable messages for fragmentation errors, the DF bit in the tunnel header is set according to the DF bit value received from the CE, or statically if the ip dfbit set option is enabled. The tunnel MTU is periodically reset to the default value based on a periodic timer. ICMP unreachable messages are sent back to the clients on the CE side. ICMP unreachable messages are sent to the CE whenever IP packets arrive on the CE-PE interface and have a packet size greater than the tunnel MTU. A Layer 2 header calculation is performed before the ICMP unreachable message is sent to the CE. Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/l2tpv325.html
Question No : 384 - Topic 4 Which IPv6 tunneling type establishes a permanent link between IPv6 domains over IPv4? A. IPv4-compatible tunneling B. ISATAP tunneling C. 6to4 tunneling D. manual tunneling
Answer : D Explanation: A manually configured tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone. The primary use is for stable connections that require regular secure communication between two edge routers or between an end system and an edge router, or for connection to remote IPv6 networks. Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-tunnel.html
Question No : 427 - Topic 4 What is a key advantage of Cisco GET VPN over DMVPN? A. Cisco GET VPN provides zero-touch deployment of IPSEC VPNs. B. Cisco GET VPN supports certificate authentication for tunnel establishment. C. Cisco GET VPN has a better anti-replay mechanism. D. Cisco GET VPN does not require a secondary overlay routing infrastructure.
Answer : D Explanation: DMVPN requires overlaying a secondary routing infrastructure through the tunnels, which results in suboptimal routing while the dynamic tunnels are built. The overlay routing topology also reduces the inherent scalability of the underlying IP VPN network topology. Traditional point-to-point IPsec tunneling solutions suffer from multicast replication issues because multicast replication must be performed before tunnel encapsulation and encryption at the IPsec CE (customer edge) router closest to the multicast source. Multicast replication cannot be performed in the provider network because encapsulated multicasts appear to the core network as unicast data. Cisco's Group Encrypted Transport VPN (GET VPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. (Note that the IPsec CE acts as a GM.) In GET VPN networks, there is no need to negotiate point-to-point IPsec tunnels between the members of a group, because GET VPN is tunnel-less. Reference: Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide PDF
Question No : 421 - Topic 4 Which statement is true comparing L2TPv3 to EoMPLS? A. L2TPv3 requires OSPF routing, whereas EoMPLS does not. B. EoMPLS requires BGP routing, whereas L2TPv3 does not. C. L2TPv3 carries L2 frames inside MPLS tagged packets, whereas EoMPLS carries L2 frames inside IPv4 packets. D. L2TPv3 carries L2 frames inside IPv4 packets, whereas EoMPLS carries L2 frames inside MPLS packets.
Answer : D Explanation: Ethernet-over-MPLS (EoMPLS) provides a tunneling mechanism for Ethernet traffic through an MPLS-enabled L3 core and encapsulates Ethernet protocol data units (PDUs) inside MPLS packets (using label stacking) to forward them across the MPLS network. Another technology that more or less achieves the result of AToM is L2TPv3. In the case of L2TPv3, Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet. Reference: http://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-3/lxvpn/configuration/guide/lesc43xbook/lesc43p2ps.html
Question No : 410 - Topic 4 In GETVPN, which key is used to secure the control plane? A. Traffic Encryption Key (TEK) B. content encryption key (CEK) C. message encryption key (MEK) D. Key Encryption Key (KEK).
Answer : D Explanation: GDOI introduces two different encryption keys. One key secures the GET VPN control plane; the other key secures the data traffic. The key used to secure the control plane is commonly called the Key Encryption Key (KEK), and the key used to encrypt data traffic is known as the Traffic Encryption Key (TEK). Reference: Group Encrypted Transport VPN (Get VPN) Design and Implementation Guide PDF
Answer : C,D Explanation: Following the MEF approach, the services that comprise the Metro Ethernet (ME) solution can be classified into the following two general categories: Point-to-point (PtP): a single point-to-point Ethernet circuit provisioned between two User Network Interfaces (UNIs). Multipoint-to-multipoint (MPtMP): a single multipoint-to-multipoint Ethernet circuit provisioned between two or more UNIs. When there are only two UNIs in the circuit, more UNIs can be added to the same Ethernet virtual connection if required, which distinguishes this from the point-to-point type. In the MEF terminology, this maps to the following Ethernet service types: Ethernet Line Service Type (E-Line): point-to-point Ethernet service. Ethernet LAN Service Type (E-LAN): multipoint-to-multipoint Ethernet service. Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Data_Center/HA_Clusters/HA_Clusters/HA_ME3_6.pdf
Question No : 385 - Topic 4 What is a disadvantage of using aggressive mode instead of main mode for ISAKMP/IPsec establishment? A. It does not use Diffie-Hellman for secret exchange. B. It does not support dead peer detection. C. It does not support NAT traversal. D. It does not hide the identity of the peer.
Answer : D Explanation: IKE phase 1's purpose is to establish a secure authenticated communication channel by using the Diffie-Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption. Phase 1 operates in either Main Mode or Aggressive Mode. Main Mode protects the identity of the peers; Aggressive Mode does not. Reference: http://en.wikipedia.org/wiki/Internet_Key_Exchange
Question No : 424 - Topic 4 A service provider is deploying L2VPN LAN services in its MPLS cloud. Which statement is true regarding LDP signaling and autodiscovery? A. LDP signaling requires that each PE is identified, and that an LDP session is active with its P neighbor for autodiscovery to take place. B. LDP signaling requires that each P is identified, and that a targeted LDP session is active for autodiscovery to take place. C. LDP signaling requires that each PE is identified, and that a targeted LDP session with a BGP route reflector is active for autodiscovery to take place. D. LDP signaling requires that each PE is identified, and that a targeted LDP session is active for autodiscovery to take place.
Answer : D Explanation: LDP signaling requires that each PE is identified and a targeted LDP session is active for autodiscovery to take place. Although the configuration can be automated using NMS/OSS, the overall scalability of the solution is poor, as a PE must be associated with all other PEs for LDP discovery to work, which can lead to a large number of targeted LDP sessions (n^2), which may be largely unused as not all VPLS will be associated with every PE. The security attributes of LDP are reasonably good, although additional configuration is required to prevent unauthorized sessions being set up. Although LDP can signal additional attributes, it requires additional configuration either from an NMS/OSS or static configuration. Reference: http://www.cisco.com/en/US/products/hw/routers/ps368/products_white_paper09186a00801f6084.shtml
Question No : 400 - Topic 4 Which technology facilitates neighbor IP address resolution in DMVPN? A. CEF B. mGRE C. a dynamic routing protocol D. NHRP
Answer : D Explanation: NHRP Used with a DMVPN: NHRP is used to facilitate building a VPN and provides address resolution in DMVPN. In this context, a VPN consists of a virtual Layer 3 network that is built on top of an actual Layer 3 network. The topology you use over the VPN is largely independent of the underlying network, and the protocols you run over it are completely independent of it. The VPN network (DMVPN) is based on GRE IP logical tunnels that can be protected by adding in IPsec to encrypt the GRE IP tunnels. Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html#wp1057255
Question No : 394 - Topic 4 What is the main component of Unified MPLS? A. Multiple IGPs in the network are used, where the loopback IP addresses of the PE routers are aggregated on the area border routers. B. Confederations are used to provide scalability. C. The loopback prefixes from one IGP area are redistributed into BGP without changing the next hop. D. The ABR is a BGP route reflector and sets next-hop to self for all reflected routes.
Answer : D Explanation: Since the core and aggregation parts of the network are integrated and end-to-end LSPs are provided, the Unified MPLS solution is also referred to as "Seamless MPLS." New technologies or protocols are not used here, only MPLS, Label Distribution Protocol (LDP), IGP, and BGP. Since you do not want to distribute the loopback prefixes of the PE routers from one part of the network into another part, you need to carry the prefixes in BGP. The Internal Border Gateway Protocol (iBGP) is used in one network, so the next hop address of the prefixes is the loopback prefixes of the PE routers, which is not known by the IGP in the other parts of the network. This means that the next hop address cannot be used to recurse to an IGP prefix. The trick is to make the ABR routers Route Reflectors (RR) and set the next hop to self, even for the reflected iBGP prefixes. In order for this to work, a new knob is needed. Reference: http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/116127-configure-technology-00.html
Question No : 397 - Topic 4 What is the purpose of Route Target Constraint? A. to avoid using route reflectors in MPLS VPN networks B. to avoid using multiple route distinguishers per VPN in MPLS VPN networks C. to be able to implement VPLS with BGP signaling D. to avoid sending unnecessary BGP VPNv4 or VPNv6 updates to the PE router E. to avoid BGP having to perform route refreshes
Answer : D Explanation: Some service providers have a very large number of routing updates being sent from RRs to PEs, using considerable resources. A PE does not need routing updates for VRFs that are not on the PE; therefore, the PE determines that many routing updates it receives are unwanted. The PE can filter out the unwanted updates using Route Target Constraint. Reference: http://www.cisco.com/c/en/us/td/docs/ios/ios_xe/iproute_bgp/configuration/guide/2_xe/irg_xe_book/irg_rt_filter_xe.html
Question No : 373 - Topic 4 Where is multicast traffic sent, when it is originated from a spoke site in a DMVPN phase 2 cloud? A. spoke-spoke B. nowhere, because multicast does not work over DMVPN C. spoke-spoke and spoke-hub D. spoke-hub
Answer : D Explanation: Spokes map multicasts to the static NBMA IP address of the hub, but the hub maps multicast packets to its dynamic mappings; that is, the hub replicates multicast packets to all spokes registered via NHRP. Multicast traffic from a spoke is therefore sent to the hub instead of directly to the other spokes.
Question No : 387 - Topic 4 Which statement about the NHRP network ID is true? A. It is sent from the spoke to the hub to identify the spoke as a member of the same NHRP domain. B. It is sent from the hub to the spoke to identify the hub as a member of the same NHRP domain. C. It is sent between spokes to identify the spokes as members of the same NHRP domain. D. It is a locally significant ID used to define the NHRP domain for an interface.
Answer : D Explanation: The NHRP network ID is used to define the NHRP domain for an NHRP interface and differentiate between multiple NHRP domains or networks, when two or more NHRP domains (GRE tunnel interfaces) are available on the same NHRP node (router). The NHRP network ID is used to help keep two NHRP networks (clouds) separate from each other when both are configured on the same router. The NHRP network ID is a local only parameter. It is significant only to the local router and it is not transmitted in NHRP packets to other NHRP nodes. For this reason the actual value of the NHRP network ID configured on a router need not match the same NHRP network ID on another router where both of these routers are in the same NHRP domain. As NHRP packets arrive on a GRE interface, they are assigned to the local NHRP domain in the NHRP network ID that is configured on that interface. Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html
Question No : 433 - Topic 4 Which is the way to enable the control word in an L2 VPN dynamic pseudowire connection on router R1? A. R1(config)# pseudowire-class cw-enable R1(config-pw-class)# encapsulation mpls R1(config-pw-class)# set control-word B. R1(config)# pseudowire-class cw-enable R1(config-pw-class)# encapsulation mpls R1(config-pw-class)# enable control-word C. R1(config)# pseudowire-class cw-enable R1(config-pw-class)# encapsulation mpls R1(config-pw-class)# default control-word D. R1(config)# pseudowire-class cw-enable R1(config-pw-class)# encapsulation mpls R1(config-pw-class)# control-word
Answer : D Explanation: The following example shows how to enable the control word in an AToM dynamic pseudowire connection: Device(config)# pseudowire-class cw-enable Device(config-pw-class)# encapsulation mpls Device(config-pw-class)# control-word Device(config-pw-class)# exit Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mpls/command/mp-cr-book/mp-a1.html
Question No : 407 - Topic 4 What is the most secure way to store ISAKMP/IPSec preshared keys in Cisco IOS? A. Use the service password-encryption command. B. Encrypt the ISAKMP preshared key in secure type 5 format. C. Encrypt the ISAKMP preshared key in secure type 7 format. D. Encrypt the ISAKMP preshared key in secure type 6 format.
Answer : D Explanation: Using the Encrypted Preshared Key feature, you can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. This is currently the most secure way to store keys. Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr1000/sec-ike-for-ipsec-vpns-xe-3s-asr1000-book/sec-encrypt-preshare.html
Question No : 411 - Topic 4 Which statement is true about VPLS? A. MPLS is not required for VPLS to work. B. VPLS carries packets as Layer 3 multicast. C. VPLS has been introduced to address some shortcomings of OTV. D. VPLS requires an MPLS network.
Answer : D Explanation: VPLS uses MPLS labels, so an MPLS network is required. VPLS MPLS packets have a two-label stack. The outer label is used for normal MPLS forwarding in the service provider's network. If BGP is used to establish the VPLS, the inner label is allocated by a PE as part of a label block. If LDP is used, the inner label is a virtual circuit ID assigned by LDP when it first established a mesh between the participating PEs. Every PE keeps track of the assigned inner labels and associates them with the VPLS instance. Reference: http://en.wikipedia.org/wiki/Virtual_Private_LAN_Service
Question No : 375 - Topic 4 Which two are features of DMVPN? (Choose two.) A. It does not support spoke routers behind dynamic NAT. B. It requires IPsec encryption. C. It only supports remote peers with statically assigned addresses. D. It supports multicast traffic. E. It offers configuration reduction.
Answer : D,E Explanation: DMVPN Hub-and-spoke deployment model: In this traditional topology, remote sites (spokes) are aggregated into a headend VPN device at the corporate headquarters (hub). Traffic from any remote site to other remote sites would need to pass through the headend device. Cisco DMVPN supports dynamic routing, QoS, and IP Multicast while significantly reducing the configuration effort. Reference: http://www.cisco.com/c/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/data_sheet_c78-468520.html
Question No : 370 - Topic 4 Which two statements are true about VPLS? (Choose two.) A. It can work over any transport that can forward IP packets. B. It provides integrated mechanisms to maintain First Hop Resiliency Protocols such as HSRP, VRRP, or GLBP. C. It includes automatic detection of multihoming. D. It relies on flooding to propagate MAC address reachability information. E. It can carry a single VLAN per VPLS instance.
Answer : D,E Explanation: VPLS relies on flooding to propagate MAC address reachability information. Therefore, flooding cannot be prevented. VPLS can carry a single VLAN per VPLS instance. To multiplex multiple VLANs on a single instance, VPLS uses IEEE QinQ. Reference: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white_paper_c11-574984.html
Question No : 404 - Topic 4 Which attribute is not part of the BGP extended community when a PE creates a VPN-IPv4 route while running OSPF between PE-CE? A. OSPF domain identifier B. OSPF route type C. OSPF router ID D. MED E. OSPF network type
Answer : E Explanation: By process of elimination, from RFC 4577: For every address prefix that was installed in the VRF by one of its associated OSPF instances, the PE must create a VPN-IPv4 route in BGP. Each such route will have some of the following Extended Communities attributes: The OSPF Domain Identifier Extended Communities attribute. If the OSPF instance that installed the route has a non-NULL primary Domain Identifier, this MUST be present; if that OSPF instance has only a NULL Domain Identifier, it MAY be omitted. OSPF Route Type Extended Communities Attribute. This attribute MUST be present. It is encoded with a two-byte type field, and its type is 0306. OSPF Router ID Extended Communities Attribute. This OPTIONAL attribute specifies the OSPF Router ID of the system that is identified in the BGP Next Hop attribute. More precisely, it specifies the OSPF Router Id of the PE in the OSPF instance that installed the route into the VRF from which this route was exported. MED (Multi_EXIT_DISC attribute). By default, this SHOULD be set to the value of the OSPF distance associated with the route, plus 1. Reference: https://tools.ietf.org/html/rfc4577
Question No : 396 - Topic 4 Which option is an incorrect design consideration when deploying OSPF areas? A. area 1 - area 0 - MPLS VPN backbone - area 0 - area 2 B. area 1 - MPLS VPN backbone - area 2 C. area 1 - MPLS VPN backbone - area 1 D. area 2 - area 0 - MPLS VPN backbone - area 1 E. area 0 - area 2 - MPLS VPN superbackbone - area 1
Answer : E Explanation: When the MPLS VPN backbone acts as the OSPF superbackbone, the superbackbone behaves exactly like Area 0 in regular OSPF, so we cannot have two different area 0s that are not directly connected to each other. When area 0 connects to the superbackbone, it simply becomes an extension of area 0.
Question No : 428 - Topic 4 For which kind of MPLS deployment is the next-hop-self all keyword used on a BGP neighbor command? A. 6VPE B. MPLS Carrier's carrier C. inter-AS MPLS VPN option D D. inter-AS MPLS VPN option C E. Unified MPLS
Answer : E Explanation: Since the core and aggregation parts of the network are integrated and end-to-end LSPs are provided, the Unified MPLS solution is also referred to as "Seamless MPLS." New technologies or protocols are not used here, only MPLS, Label Distribution Protocol (LDP), IGP, and BGP. Since you do not want to distribute the loopback prefixes of the PE routers from one part of the network into another part, you need to carry the prefixes in BGP. The Internal Border Gateway Protocol (iBGP) is used in one network, so the next hop address of the prefixes is the loopback prefixes of the PE routers, which is not known by the IGP in the other parts of the network. This means that the next hop address cannot be used to recurse to an IGP prefix. The trick is to make the ABR routers Route Reflectors (RR) and set the next hop to self, even for the reflected iBGP prefixes. In order for this to work, a new knob is needed. Only the RRs need newer software to support this architecture. Since the RRs advertise the BGP prefixes with the next hop set to themselves, they assign a local MPLS label to the BGP prefixes. This means that in the data plane, the packets forwarded on these end-to-end LSPs have an extra MPLS label in the label stack. The RRs are in the forwarding path. There are two possible scenarios: ✑ The ABR does not set the next hop to self for the prefixes advertised (reflected by BGP) by the ABR into the aggregation part of the network. Because of this, the ABR needs to redistribute the loopback prefixes of the ABRs from the core IGP into the aggregation IGP. If this is done, there is still scalability. Only the ABR loopback prefixes (from the core) need to be advertised into the aggregation part, not the loopback prefixes from the PE routers from the remote aggregation parts. ✑ The ABR sets the next hop to self for the prefixes advertised (reflected by BGP) by the ABR into the aggregation part. Because of this, the ABR does not need to redistribute the loopback pre
Question No : 405 - Topic 4 Which technology is not necessary to set up a basic MPLS domain? A. IP addressing B. an IGP C. LDP or TDP D. CEF E. a VRF
Answer : E Explanation: The simplest form of VRF implementation is VRF Lite. In this implementation, each router within the network participates in the virtual routing environment in a peer-based fashion. While simple to deploy and appropriate for small to medium enterprises and shared data centres, VRF Lite does not scale to the size required by global enterprises or large carriers, as there is the need to implement each VRF instance on every router, including intermediate routers. VRFs were initially introduced in combination with MPLS, but VRF proved to be so useful that it eventually evolved to live independent of MPLS. This is the historical explanation of the term VRF Lite: usage of VRFs without MPLS. Reference: http://en.wikipedia.org/wiki/Virtual_routing_and_forwarding