CCNA Part 2 Questions 250 and up
Correct Answer: BDE
QUESTION 259 What are three benefits of GLBP? (Choose three.) A. GLBP supports up to eight virtual forwarders per GLBP group. B. GLBP supports clear text and MD5 password authentication between GLBP group members. C. GLBP is an open source standardized protocol that can be used with multiple vendors. D. GLBP supports up to 1024 virtual routers. E. GLBP can load share traffic across a maximum of four routers. F. GLBP elects two AVGs and two standby AVGs for redundancy.
Correct Answer: E Explanation: The ping command uses ICMP, a network layer protocol used to propagate control messages between hosts and routers. The ping command is often used to verify network connectivity, so it works at the network layer.
QUESTION 280 Refer to the exhibit. An administrator pings the default gateway at 10.10.10.1 and sees the output as shown. At which OSI layer is the problem? A. data link layer B. application layer C. access layer D. session layer E. network layer
answer on next slide or page 156 on the Study guide.
QUESTION 281 DRAG DROP
Correct Answer: D Explanation: You must configure all interfaces in an EtherChannel to operate at the same speeds and duplex modes. Based on the output shown, SW1 is configured to run at 10 Mb while SW2 is operating at 100 Mb.
QUESTION 285 Refer to the exhibit. If the devices produced the given output, what is the cause of the EtherChannel problem? A. SW1's Fa0/1 interface is administratively shut down. B. There is an encapsulation mismatch between SW1's Fa0/1 and SW2's Fa0/1 interfaces. C. There is an MTU mismatch between SW1's Fa0/1 and SW2's Fa0/1 interfaces. D. There is a speed mismatch between SW1's Fa0/1 and SW2's Fa0/1 interfaces.
Answer on next card or can be found on page 166 of Study Guide
QUESTION 298 DRAG DROP
Correct Answer: AB
QUESTION 299 What are two reasons that duplex mismatches can be difficult to diagnose? (Choose two.) A. The interface displays a connected (up/up) state even when the duplex settings are mismatched. B. The symptoms of a duplex mismatch may be intermittent. C. Autonegotiation is disabled. D. Full-duplex interfaces use CSMA/CD logic, so mismatches may be disguised by collisions. E. 1-Gbps interfaces are full-duplex by default.
Correct Answer: ABC
QUESTION 301 Which three statements about static routing are true? (Choose three.) A. It uses consistent route determination. B. It is best used for small-scale deployments. C. Routing is disrupted when links fail. D. It requires more resources than other routing methods. E. It is best used for large-scale deployments. F. Routers can use update messages to reroute when links fail.
Correct Answer: A
QUESTION 326 Which standards-based First Hop Redundancy Protocol is a Cisco supported alternative to Hot Standby Router Protocol? A. VRRP B. GLBP C. TFTP D. DHCP
Correct Answer: A
QUESTION 329 Which step in the router boot process searches for an IOS image to load into the router? A. bootstrap B. POST C. mini-IOS D. ROMMON mode
Answer to question 281 Also on page 156 on the Study guide.
Answer to question 281
Correct Answer: D Explanation: We need 113 point-to-point links, which equals 113 subnetworks. Since 113 < 128, we need to borrow 7 bits (because 2^7 = 128). The network used for a point-to-point connection should be /30, so our initial network should be 30 - 7 = 23. So 10.10.0.0/23 is the correct answer. You can understand it more clearly when writing it in binary form: /23 = 1111 1111.1111 1110.0000 0000 /30 = 1111 1111.1111 1111.1111 1100 (borrow 7 bits)
QUESTION 250 The network administrator is asked to configure 113 point-to-point links. Which IP addressing scheme defines the address range and subnet mask that meet the requirement and waste the fewest subnet and host addresses? A. 10.10.0.0/16 subnetted with mask 255.255.255.252 B. 10.10.0.0/18 subnetted with mask 255.255.255.252 C. 10.10.1.0/24 subnetted with mask 255.255.255.252 D. 10.10.0.0/23 subnetted with mask 255.255.255.252 E. 10.10.1.0/25 subnetted with mask 255.255.255.252
Correct Answer: ACD Explanation: Cisco IOS software supports the following versions of SNMP: + SNMPv1 - The Simple Network Management Protocol: A Full Internet Standard, defined in RFC 1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on community strings. + SNMPv2c - The community-string based Administrative Framework for SNMPv2. SNMPv2c (the "c" stands for "community") is an Experimental Internet Protocol defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic), and uses the community-based security model of SNMPv1. + SNMPv3 - Version 3 of SNMP. SNMPv3 is an interoperable standards-based protocol defined in RFCs 2273 to 2275. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are as follows: Message integrity: Ensuring that a packet has not been tampered with in transit. Authentication: Determining that the message is from a valid source. Encryption: Scrambling the contents of a packet to prevent it from being learned by an unauthorized source.
QUESTION 251 Which three features are added in SNMPv3 over SNMPv2? A. Message Integrity B. Compression C. Authentication D. Encryption E. Error Detection
Correct Answer: A Explanation: In IPv6 the loopback address is written as ::1. This is a 128-bit number, with the first 127 bits being '0' and the 128th bit being '1'. It's just a single address, so it could also be written as ::1/128.
QUESTION 252 Which IPv6 address is the equivalent of the IPv4 interface loopback address 127.0.0.1? A. ::1 B. :: C. 2000::/3 D. 0::/10
Correct Answer: ACE Explanation: SNMPv1/v2 can neither authenticate the source of a management message nor provide encryption. Without authentication, it is possible for unauthorized users to exercise SNMP network management functions. It is also possible for unauthorized users to eavesdrop on management information as it passes from managed systems to the management system. Because of these deficiencies, many SNMPv1/v2 implementations are limited to simply a read-only capability, reducing their utility to that of a network monitor; no network control applications can be supported. To correct the security deficiencies of SNMPv1/v2, SNMPv3 was issued as a set of Proposed Standards in January 1998. -> A is correct. Two additional messages were added in SNMPv2 (compared to SNMPv1). GetBulkRequest: The GetBulkRequest message enables an SNMP manager to access large chunks of data. GetBulkRequest allows an agent to respond with as much information as will fit in the response PDU. Agents that cannot provide values for all variables in a list will send partial information. -> E is correct. InformRequest: The InformRequest message allows NMS stations to share trap information. (Traps are issued by SNMP agents when a device change occurs.) InformRequest messages are generally used between NMS stations, not between NMS stations and agents. -> C is correct. Note: These two messages are carried over to SNMPv3.
QUESTION 253 Which three statements about the features of SNMPv2 and SNMPv3 are true? (Choose three.) A. SNMPv3 enhanced SNMPv2 security features. B. SNMPv3 added the Inform protocol message to SNMP. C. SNMPv2 added the Inform protocol message to SNMP. D. SNMPv3 added the GetBulk protocol messages to SNMP. E. SNMPv2 added the GetBulk protocol message to SNMP. F. SNMPv2 added the GetNext protocol message to SNMP.
Correct Answer: C Explanation: A subnet with 60 hosts needs 6 bits for the host part: 2*2*2*2*2*2 = 64, and 64 - 2 = 62 usable addresses. Therefore the subnet bits are 2 bits (8 - 6) in the fourth octet: 8 bits + 8 bits + 8 bits + 2 bits = /26. A /26 subnet mask is 24 bits + 11000000 = 24 bits + 192. 256 - 192 = 64, so the subnet ranges are 0 - 63 and 64 - 127.
QUESTION 254 Refer to the exhibit. A new subnet with 60 hosts has been added to the network. Which subnet address should this network use to provide enough usable addresses while wasting the fewest addresses? A. 192.168.1.56/26 B. 192.168.1.56/27 C. 192.168.1.64/26 D. 192.168.1.64/27
Correct Answer: CDF Explanation: The Syslog sender sends a small (less than 1KB) text message to the Syslog receiver. The Syslog receiver is commonly called "syslogd," "Syslog daemon," or "Syslog server." Syslog messages can be sent via UDP (port 514) and/or TCP (typically, port 5000). While there are some exceptions, such as SSL wrappers, this data is typically sent in clear text over the network. A Syslog server provides the storage space necessary to store log files without using router disk space. In general, there are significantly more Syslog messages available within IOS as compared to SNMP Trap messages. For example, a Cisco Catalyst 6500 switch running Cisco IOS Software Release 12.2(18)SXF contains about 90 SNMP trap notification messages, but has more than 6000 Syslog event messages. System logging is a method of collecting messages from devices to a server running a syslog daemon. Logging to a central syslog server helps in aggregation of logs and alerts. Cisco devices can send their log messages to a UNIX-style syslog service. A syslog service accepts messages and stores them in files, or prints them according to a simple configuration file. Reference: http://www.cisco.com/c/en/us/products/collateral/services/high-availability/white_paper_c11-557812.html
QUESTION 255 Which three statements about Syslog utilization are true? (Choose three.) A. Utilizing Syslog improves network performance. B. The Syslog server automatically notifies the network administrator of network problems. C. A Syslog server provides the storage space necessary to store log files without using router disk space. D. There are more Syslog messages available within Cisco IOS than there are comparable SNMP trap messages. E. Enabling Syslog on a router automatically enables NTP for accurate time stamping. F. A Syslog server helps in aggregation of logs and alerts.
Correct Answer: B Explanation: The 10.0.0.0/22 subnet mask will include the 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 networks, and only those four networks.
QUESTION 256 Refer to the exhibit. What is the most appropriate summarization for these routes? A. 10.0.0.0 /21 B. 10.0.0.0 /22 C. 10.0.0.0 /23 D. 10.0.0.0 /24
Correct Answer: A Explanation: An address conflict occurs when two hosts use the same IP address. During address assignment, DHCP checks for conflicts using ping and gratuitous ARP. If a conflict is detected, the address is removed from the pool. The address will not be assigned until the administrator resolves the conflict. Reference: http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cddhcp.html
QUESTION 257 Refer to the exhibit. Which rule does the DHCP server use when there is an IP address conflict? A. The address is removed from the pool until the conflict is resolved. B. The address remains in the pool until the conflict is resolved. C. Only the IP detected by Gratuitous ARP is removed from the pool. D. Only the IP detected by Ping is removed from the pool. E. The IP will be shown, even after the conflict is resolved.
Correct Answer: C Explanation: For the 192.168.20.24/29 network, the usable hosts are 192.168.20.25 (router) - 192.168.20.30 (used for the sales server).
QUESTION 258 An administrator must assign static IP addresses to the servers in a network. For network 192.168.20.24/29, the router is assigned the first usable host address while the sales server is given the last usable host address. Which of the following should be entered into the IP properties box for the sales server? A. IP address: 192.168.20.14 Subnet Mask: 255.255.255.248 Default Gateway: 192.168.20.9 B. IP address: 192.168.20.254 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.20.1 C. IP address: 192.168.20.30 Subnet Mask: 255.255.255.248 Default Gateway: 192.168.20.25 D. IP address: 192.168.20.30 Subnet Mask: 255.255.255.240 Default Gateway: 192.168.20.17 E. IP address: 192.168.20.30 Subnet Mask: 255.255.255.240 Default Gateway: 192.168.20.25
Correct Answer: AC Explanation: "access-list 10 permit ip 192.168.146.0 0.0.1.255" would allow only the 192.168.146.0 and 192.168.147.0 networks, and "access-list 10 permit ip 192.168.148.0 0.0.1.255" would allow only the 192.168.148.0 and 192.168.149.0 networks.
QUESTION 260 A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two.) A. access-list 10 permit ip 192.168.146.0 0.0.1.255 B. access-list 10 permit ip 192.168.147.0 0.0.255.255 C. access-list 10 permit ip 192.168.148.0 0.0.1.255 D. access-list 10 permit ip 192.168.149.0 0.0.255.255 E. access-list 10 permit ip 192.168.146.0 0.0.0.255 F. access-list 10 permit ip 192.168.146.0 255.255.255.0
Correct Answer: D Explanation: The "ip access-group" command is used to apply an ACL to an interface. From the output shown, we know that the ACL is applied to outbound traffic, so "no ip access-group 102 out" will remove the effect of this ACL.
QUESTION 261 Refer to the exhibit. An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102? A. no ip access-class 102 in B. no ip access-class 102 out C. no ip access-group 102 in D. no ip access-group 102 out E. no ip access-list 102 in
Correct Answer: CD Explanation: Follow these guidelines when configuring port security: Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports. A secure port cannot be a dynamic access port. A secure port cannot be a destination port for Switched Port Analyzer (SPAN). A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group. You cannot configure static secure or sticky secure MAC addresses on a voice VLAN. When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two. If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN. When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses. The switch does not support port security aging of sticky secure MAC addresses. The protect and restrict options cannot be simultaneously enabled on an interface. Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swtrafc.html
QUESTION 262 A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two.) A. The network administrator can apply port security to dynamic access ports. B. The network administrator can apply port security to EtherChannels. C. When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined. D. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration. E. The network administrator can configure static secure or sticky secure MAC addresses in the
Correct Answer: B Explanation: By using this command, all the (current and future) passwords are encrypted. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.
QUESTION 263 How does using the service password-encryption command on a router provide additional security? A. by encrypting all passwords passing through the router B. by encrypting passwords in the plain text configuration file C. by requiring entry of encrypted passwords for access to the device D. by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges E. by automatically suggesting encrypted passwords for use in configuring the router
Correct Answer: D Explanation: We only enable the PortFast feature on access ports (ports connected to end stations). But someone who does not know this can accidentally plug that port into another switch, and a loop may occur when BPDUs are being transmitted and received on these ports. With BPDU Guard, when a PortFast port receives a BPDU, it will be shut down to prevent a loop.
QUESTION 264 Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU? A. BackboneFast B. UplinkFast C. Root Guard D. BPDU Guard E. BPDU Filter
Correct Answer: C Explanation: We can have only 1 access list per protocol, per direction and per interface. This means: we cannot have 2 inbound access lists on an interface; we can have 1 inbound and 1 outbound access list on an interface.
QUESTION 265 Which statement about access lists that are applied to an interface is true? A. You can place as many access lists as you want on any interface. B. You can apply only one access list on any interface. C. You can configure one access list, per direction, per Layer 3 protocol. D. You can apply multiple access lists with the same protocol or in different directions.
Correct Answer: D Explanation: Incorrect answer: show ip access-lists does not show interfaces affected by an ACL.
QUESTION 266 When you are troubleshooting an ACL issue on a router, which command would you use to verify which interfaces are affected by the ACL? A. show ip access-lists B. show access-lists C. show interface D. show ip interface E. list ip interface
Correct Answer: BD Explanation: From the output we can see that port security is disabled so this needs to be enabled. Also, the maximum number of devices is set to 2 so this needs to be just one if we want the single host to have access and nothing else.
QUESTION 267 Refer to the exhibit. A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.) A. Port security needs to be globally enabled. B. Port security needs to be enabled on the interface. C. Port security needs to be configured to shut down the interface in the event of a violation. D. Port security needs to be configured to allow only one learned MAC address. E. Port security interface counters need to be cleared before using the show command. F. The port security configuration needs to be saved to NVRAM before it can become active.
Check answer on page 148 of Document
QUESTION 268 DRAG DROP
Correct Answer: B Explanation: Standard access lists are numbered from 1 to 99 and from 1300 to 1999, so only access list 50 is a standard access list.
QUESTION 269 Which item represents the standard IP ACL? A. access-list 110 permit ip any any B. access-list 50 deny 192.168.1.1 0.0.0.255 C. access list 101 deny tcp any host 192.168.1.1 D. access-list 2500 deny tcp any host 192.168.1.1 eq 22
Correct Answer: B Explanation: In the interface configuration mode, the command switchport port-security mac-address sticky enables sticky learning. When entering this command, the interface converts all the dynamic secure MAC addresses to sticky secure MAC addresses.
QUESTION 270 What will be the result if the following configuration commands are implemented on a Cisco switch? Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security mac-address sticky A. A dynamically learned MAC address is saved in the startup-configuration file. B. A dynamically learned MAC address is saved in the running-configuration file. C. A dynamically learned MAC address is saved in the VLAN database. D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received. E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.
Correct Answer: C Explanation: The login keyword has been set, but no password. This will result in the "password required, but none set" message to users trying to telnet to this router.
QUESTION 271 Refer to the exhibit. A network administrator cannot establish a Telnet session with the indicated router. What is the cause of this failure? A. A Level 5 password is not set. B. An ACL is blocking Telnet access. C. The vty password is missing. D. The console password is missing.
Correct Answer: D Explanation: Routers go line by line through an access list until a match is found and then will not look any further, even if a more specific or better match is found later on in the access list. So, it is best to begin with the most specific entries first, in this case the two hosts in lines C and D. Then, include the subnet (B) and then finally the rest of the traffic (A).
QUESTION 272 Refer to the exhibit. Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended? A. ACDB B. BADC C. DBAC D. CDBA
Correct Answer: BD Explanation: The configuration shown here is an example of port security, specifically port security using sticky addresses. You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port. Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
QUESTION 273 Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch. 2950Switch(config-if)# switchport port-security 2950Switch(config-if)# switchport port-security mac-address sticky 2950Switch(config-if)# switchport port-security maximum 1 The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two.) A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF. B. Only host A will be allowed to transmit frames on fa0/1. C. This frame will be discarded when it is received by 2950Switch. D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1. E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1. F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.
Correct Answer: C Explanation: This question is to examine the layer 2 security configuration. In order to satisfy the requirements of this question, you should perform the following configurations in the interface mode: First, configure the interface mode as the access mode. Second, enable the port security and set the maximum number of connections to 1.
QUESTION 274 Which set of commands is recommended to prevent the use of a hub in the access layer? A. switch(config-if)#switchport mode trunk switch(config-if)#switchport port-security maximum 1 B. switch(config-if)#switchport mode trunk switch(config-if)#switchport port-security mac-address 1 C. switch(config-if)#switchport mode access switch(config-if)#switchport port-security maximum 1 D. switch(config-if)#switchport mode access switch(config-if)#switchport port-security mac-address 1
Correct Answer: DE Explanation: It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct. We cannot physically secure a virtual interface because it is "virtual" -> B is not correct. To apply an access list to a virtual terminal interface we must use the "access-class" command. The "access-group" command is only used to apply an access list to a physical interface -> C is not correct. The simplest way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login.
QUESTION 275 What can be done to secure the virtual terminal interfaces on a router? (Choose two.) A. Administratively shut down the interface. B. Physically secure the interface. C. Create an access list and apply it to the virtual terminal interfaces with the access-group command. D. Configure a virtual terminal password and login process. E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
Correct Answer: CD Explanation: We can verify whether port security has been configured by using "show running-config", or "show port-security interface" for more detail. An example of the output of the "show port-security interface" command is shown below: See image on page 153 on study guide
QUESTION 276 Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two.) A. SW1#show port-secure interface FastEthernet 0/12 B. SW1#show switchport port-secure interface FastEthernet 0/12 C. SW1#show running-config D. SW1#show port-security interface FastEthernet 0/12 E. SW1#show switchport port-security interface FastEthernet 0/12
Correct Answer: ACD Explanation: NetFlow traditionally enables several key customer applications including: Network Monitoring - NetFlow data enables extensive near real time network monitoring capabilities. Flow-based analysis techniques may be utilized to visualize traffic patterns associated with individual routers and switches as well as on a network-wide basis (providing aggregate traffic or application based views) to provide proactive problem detection, efficient troubleshooting, and rapid problem resolution. Application Monitoring and Profiling - NetFlow data enables network managers to gain a detailed, time-based, view of application usage over the network. This information is used to plan, understand new services, and allocate network and application resources (e.g. Web server sizing and VoIP deployment) to responsively meet customer demands. User Monitoring and Profiling - NetFlow data enables network engineers to gain detailed understanding of customer/user utilization of network and application resources. This information may then be utilized to efficiently plan and allocate access, backbone and application resources as well as to detect and resolve potential security and policy violations. Network Planning - NetFlow can be used to capture data over a long period of time producing the opportunity to track and anticipate network growth and plan upgrades to increase the number of routing devices, ports, or higher-bandwidth interfaces. NetFlow services data optimizes network planning including peering, backbone upgrade planning, and routing policy planning. NetFlow helps to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. NetFlow detects unwanted WAN traffic, validates bandwidth and Quality of Service (QOS) and allows the analysis of new network applications. NetFlow will give you valuable information to reduce the cost of operating your network.
Security Analysis - NetFlow identifies and classifies DDOS attacks, viruses and worms in real-time. Changes in network behavior indicate anomalies that are clearly demonstrated in NetFlow data. The data is also a valuable forensic tool to understand and replay the history of security incidents. Accounting/Billing - NetFlow data provides fine-grained metering (e.g. flow data includes details such as IP addresses, packet and byte counts, timestamps, type-of-service and application ports, etc.) for highly flexible and detailed resource utilization accounting. Service providers may utilize the information for billing based on time-of-day, bandwidth usage, application usage, quality of service, etc. Enterprise customers may utilize the information for departmental charge-back or cost allocation for resource utilization.
QUESTION 277 What are the benefits of using Netflow? (Choose three.) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing
Correct Answer: D Explanation: Spanning-Tree Protocol (STP) is a Layer 2 protocol that utilizes a special-purpose algorithm to discover physical loops in a network and effect a logical loop-free topology. STP creates a loop-free tree structure consisting of leaves and branches that span the entire Layer 2 network. The actual mechanics of how bridges communicate and how the STP algorithm works will be discussed at length in the following topics. Note that the terms bridge and switch are used interchangeably when discussing STP. In addition, unless otherwise indicated, connections between switches are assumed to be trunks.
QUESTION 278 Refer to the exhibit. A problem with network connectivity has been observed. It is suspected that the cable connected to switch port Fa0/9 on Switch1 is disconnected. What would be an effect of this cable being disconnected? A. Host B would not be able to access the server in VLAN9 until the cable is reconnected. B. Communication between VLAN3 and the other VLANs would be disabled. C. The transfer of files from Host B to the server in VLAN9 would be significantly slower. D. For less than a minute, Host B would not be able to access the server in VLAN9. Then normal network function would resume.
Correct Answer: C Explanation: The following is an example of how to visualize the NetFlow data using the CLI. There are three methods to visualize the data depending on the version of Cisco IOS Software. The traditional show command for NetFlow is "show ip cache flow"; also available are two forms of top talker commands. One of the top talkers commands uses a static configuration to view top talkers in the network, and another command called dynamic top talkers allows real-time sorting and aggregation of NetFlow data. Also shown is a show MLS command to view the hardware cache on the Cisco Catalyst 6500 Series Switch. The following is the original NetFlow show command used for many years in Cisco IOS Software. Information provided includes packet size distribution, basic statistics about number of flows and export timer setting, a view of the protocol distribution statistics and the NetFlow cache. The "show ip cache flow" command displays a summary of the NetFlow accounting statistics. Check page 155 on the Study Guide.
QUESTION 279 What command visualizes the general NetFlow data on the command line? A. show ip flow export B. show ip flow top-talkers C. show ip cache flow D. show mls sampling E. show mls netflow ip
Correct Answer: D Explanation: Sometimes, messages like this might appear in the router console: %SNMP-3-CPUHOG: Processing [chars] of [chars] They mean that the SNMP agent on the device has taken too much time to process a request. You can determine the cause of high CPU use in a router by using the output of the show process cpu command. Note: A managed device is a part of the network that requires some form of monitoring and management (routers, switches, servers, workstations, printers...).
QUESTION 282 Which protocol can cause overload on a CPU of a managed device? A. Netflow B. WCCP C. IP SLA D. SNMP
Correct Answer: A Explanation: Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the record, which is configured for the flow monitor and stored in the flow monitor cache. For example, the following creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode: Router(config)# flow monitor FLOW-MONITOR-1 Router(config-flow-monitor)#
QUESTION 283 What Netflow component can be applied to an interface to track IPv4 traffic? A. flow monitor B. flow record C. flow sampler D. flow exporter
Correct Answer: EF Explanation: From the output we can see that there is a problem with the Serial 0/0 interface. It is enabled, but the line protocol is down. This could be a result of mismatched encapsulation or the interface not receiving a clock signal from the CSU/DSU.
QUESTION 284 Refer to the exhibit. Hosts in network 192.168.2.0 are unable to reach hosts in network 192.168.3.0. Based on the output from RouterA, what are two possible reasons for the failure? (Choose two.) A. The cable that is connected to S0/0 on RouterA is faulty. B. Interface S0/0 on RouterB is administratively down. C. Interface S0/0 on RouterA is configured with an incorrect subnet mask. D. The IP address that is configured on S0/0 of RouterB is not in the correct subnet. E. Interface S0/0 on RouterA is not receiving a clock signal from the CSU/DSU. F. The encapsulation that is configured on S0/0 of RouterB does not match the encapsulation that is configured on S0/0 of RouterA.
Correct Answer: BD Explanation: The switch 1 is configured with two VLANs: VLAN1 and VLAN2. The IP information of member Host A in VLAN1 is as follows: Address : 10.1.1.126 Mask : 255.255.255.0 Gateway : 10.1.1.254 The IP information of member Host B in VLAN2 is as follows: Address : 10.1.1.12 Mask : 255.255.255.0 Gateway : 10.1.1.254 The configuration of sub-interface on router 2 is as follows: Fa0/0.1 -- 10.1.1.254/24 VLAN1 Fa0/0.2 -- 10.1.2.254/24 VLAN2 It is obvious that the configurations of the gateways of members in VLAN2 and the associated network segments are wrong. The layer3 addressing information of Host B should be modified as follows: Address : 10.1.2.X Mask : 255.255.255.0
QUESTION 286 Refer to the exhibit. The network shown in the diagram is experiencing connectivity problems. Which of the following will correct the problems? (Choose two.) A. Configure the gateway on Host A as 10.1.1.1. B. Configure the gateway on Host B as 10.1.2.254. C. Configure the IP address of Host A as 10.1.2.2. D. Configure the IP address of Host B as 10.1.2.2. E. Configure the masks on both hosts to be 255.255.255.224. F. Configure the masks on both hosts to be 255.255.255.240.
Correct Answer: BDF Explanation: The ports on the switch are not up, indicating it is a layer 1 (physical) problem, so we should check cable type, power and how they are plugged in.
QUESTION 287 Refer to the exhibit. The two connected ports on the switch are not turning orange or green. What would be the most effective steps to troubleshoot this physical layer problem? (Choose three.) A. Ensure that the Ethernet encapsulations match on the interconnected router and switch ports. B. Ensure that cables A and B are straight-through cables. C. Ensure cable A is plugged into a trunk port. D. Ensure the switch has power. E. Reboot all of the devices. F. Reseat all cables.
Correct Answer: B Explanation: Netflow can be used to diagnose slow network performance, bandwidth hogs and bandwidth utilization quickly with command line interface or reporting tools. Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html
QUESTION 288 What Cisco IOS feature can be enabled to pinpoint an application that is causing slow network performance? A. SNMP B. Netflow C. WCCP D. IP SLA
Correct Answer: ACD Explanation: What is an IP Flow? Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets. Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes. IP Packet attributes used by NetFlow: IP source address IP destination address Source port Destination port Layer 3 protocol type Class of Service Router or switch interface
QUESTION 289 What are the three things that NetFlow uses to consider traffic to be in the same flow? (Choose three) A. IP address B. Interface name C. Port numbers D. L3 protocol type E. MAC address
Correct Answer: ADF Explanation: Ping, show ip route, and show interfaces are all valid troubleshooting IOS commands. Tracert, ipconfig, and winipcfg are PC commands, not IOS.
QUESTION 290 Which router IOS commands can be used to troubleshoot LAN connectivity problems? (Choose three.) A. ping B. tracert C. ipconfig D. show ip route E. winipcfg F. show interfaces
Correct Answer: C Explanation: Host1 tries to communicate with Host2. The message destination host unreachable from Router1 indicates that the problem occurs when the data is forwarded from Host1 to Host2. According to the topology, we can infer that the link between Router1 and Router2 is down.
QUESTION 291 Refer to the exhibit. A network administrator attempts to ping Host2 from Host1 and receives the results that are shown. What is the problem? A. The link between Host1 and Switch1 is down. B. TCP/IP is not functioning on Host1 C. The link between Router1 and Router2 is down. D. The default gateway on Host1 is incorrect. E. Interface Fa0/0 on Router1 is shutdown. F. The link between Switch1 and Router1 is down.
Correct Answer: D Explanation: Now let's find out the range of the networks on serial link: For the network 192.168.1.62/27: Increment: 32 Network address: 192.168.1.32 Broadcast address: 192.168.1.63 For the network 192.168.1.65/27: Increment: 32 Network address: 192.168.1.64 Broadcast address: 192.168.1.95 -> These two IP addresses don't belong to the same network and they can't see each other.
QUESTION 292 Refer to the exhibit. HostA cannot ping HostB. Assuming routing is properly configured, what is the cause of this problem? A. HostA is not on the same subnet as its default gateway. B. The address of SwitchA is a subnet address. C. The Fa0/0 interface on RouterA is on a subnet that can't be used. D. The serial interfaces of the routers are not on the same subnet. E. The Fa0/0 interface on RouterB is using a broadcast address.
Correct Answer: ADF Explanation: NetFlow facilitates solutions to many common problems encountered by IT professionals. Analyze new applications and their network impact: Identify new application network loads such as VoIP or remote site additions. Reduction in peak WAN traffic: Use NetFlow statistics to measure WAN traffic improvement from application-policy changes; understand who is utilizing the network and the network top talkers. Troubleshooting and understanding network pain points: Diagnose slow network performance, bandwidth hogs and bandwidth utilization quickly with command line interface or reporting tools. -> D is correct. Detection of unauthorized WAN traffic: Avoid costly upgrades by identifying the applications causing congestion. -> A is correct. Security and anomaly detection: NetFlow can be used for anomaly detection and worm diagnosis along with applications such as Cisco CS-Mars. Validation of QoS parameters: Confirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed. -> F is correct.
QUESTION 293 What are three reasons to collect Netflow data on a company network? (Choose three.) A. To identify applications causing congestion. B. To authorize user network access. C. To report and alert link up / down instances. D. To diagnose slow network performance, bandwidth hogs, and bandwidth utilization. E. To detect suboptimal routing in the network. F. To confirm the appropriate amount of bandwidth that has been allocated to each Class of Service.
Correct Answer: D Explanation: In OSPF, the hello and dead intervals must match and here we can see the hello interval is set to 5 on R1 and 10 on R2. The dead interval is also set to 20 on R1 but it is 40 on R2.
QUESTION 294 A network administrator is troubleshooting the OSPF configuration of routers R1 and R2. The routers cannot establish an adjacency relationship on their common Ethernet link. The graphic shows the output of the show ip ospf interface e0 command for routers R1 and R2. Based on the information in the graphic, what is the cause of this problem? A. The OSPF area is not configured properly. B. The priority on R1 should be set higher. C. The cost on R1 should be set higher. D. The hello and dead timers are not configured properly. E. A backup designated router needs to be added to the network. F. The OSPF process ID numbers must match.
Correct Answer: D Explanation: If we connect two switches via 2 or more links and do not enable STP on these switches then a loop (which creates multiple copies of the same unicast frame) will occur. It is an example of an improperly implemented redundant topology.
QUESTION 295 In which circumstance are multiple copies of the same unicast frame likely to be transmitted in a switched LAN? A. during high traffic periods B. after broken links are re-established C. when upper-layer protocols require high reliability D. in an improperly implemented redundant topology E. when a dual ring topology is in use
Correct Answer: ABC Explanation: NetFlow has a reputation for increasing CPU utilization on your network devices. Cisco's performance testing seems to indicate that newer hardware can accommodate this load pretty well, but you will still want to check it out before you turn on the feature. Some symptoms of high CPU utilization are very large jitter and increased delay. Services running on the device may also be affected. Another thing to keep in mind is the amount of data you're going to be sending across the network. Depending on how much traffic you have and how you configure it, the traffic can be substantial. For example, you may not want to send NetFlow data from a datacenter switch to a NetFlow collector on the other side of a small WAN circuit. Also bear in mind that the flows from aggregating large numbers of devices can add up. Reference: http://searchenterprisewan.techtarget.com/tip/How-the-NetFlow-protocol-monitors-your-WAN
QUESTION 296 What are three factors a network administrator must consider before implementing Netflow in the network? (Choose three.) A. CPU utilization B. where Netflow data will be sent C. number of devices exporting Netflow data D. port availability E. SNMP version F. WAN encapsulation
Correct Answer: ADE Explanation: Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets. Traditionally, an IP Flow is based on a set of 5 and up to 7 IP packet attributes. IP Packet attributes used by NetFlow: IP source address, IP destination address, Source port, Destination port, Layer 3 protocol type, Class of Service, Router or switch interface. All packets with the same source/destination IP address, source/destination ports, protocol, interface and class of service are grouped into a flow and then packets and bytes are tallied. This methodology of fingerprinting or determining a flow is scalable because a large amount of network information is condensed into a database of NetFlow information called the NetFlow cache. Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html
QUESTION 297 What are three values that must be the same within a sequence of packets for Netflow to consider them a network flow? (Choose three.) A. source IP address B. source MAC address C. egress interface D. ingress interface E. destination IP address F. IP next-hop
Correct Answer: B Explanation: LLDP runs over the Data Link Layer, so devices that use different Network so Answer D is wrong. LLDP or Link Layer Discovery Protocol is vendor neutral. The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol in the Internet Protocol Suite used by network devices for advertising their identity, capabilities, and neighbors on an IEEE 802 local area network, principally wired Ethernet. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery specified in IEEE 802.1AB and IEEE 802.3-2012 section 6 clause 79. LLDP performs functions similar to several proprietary protocols, such as the Cisco Discovery Protocol (CDP), Extreme Discovery Protocol, Foundry Discovery Protocol (FDP), Nortel Discovery Protocol (also known as SONMP), and Microsoft's Link Layer Topology Discovery (LLTD).
QUESTION 300 Which statement about LLDP is true? A. It is a Cisco proprietary protocol. B. It is configured in global configuration mode. C. The LLDP update frequency is a fixed value. D. It runs over the transport layer.
Correct Answer: E
QUESTION 302 Which condition does the err-disabled status indicate on an Ethernet interface? A. There is a duplex mismatch. B. The device at the other end of the connection is powered off. C. The serial interface is disabled. D. The interface is configured with the shutdown command. E. Port security has disabled the interface. F. The interface is fully functioning.
Correct Answer: D
QUESTION 303 Which command sets and automatically encrypts the privileged enable mode password? A. Enable password c1sc0 B. Secret enable c1sc0 C. Password enable c1sc0 D. Enable secret c1sc0
Correct Answer: D
QUESTION 304 Which command is necessary to permit SSH or Telnet access to a Cisco switch that is otherwise configured for these vty line protocols? A. transport type all B. transport output all C. transport preferred all D. transport input all
Correct Answer: C Explanation: Ordinarily the loopback interface would be selected as the router ID. In the event that no loopback interface is configured, the router ID will be the first active interface that comes up on the router. If that particular interface has more than one IP address, then the highest address will be selected as the Router ID.
QUESTION 305 If all OSPF routers in a single area are configured with the same priority value, what value does a router use for the OSPF router ID in the absence of a loopback interface? A. the IP address of the first Fast Ethernet interface B. the IP address of the console management interface C. the highest IP address among its active interfaces D. the lowest IP address among its active interfaces E. the priority value until a loopback interface is configured
Correct Answer: ABC
QUESTION 306 Which three statements about link-state routing are true? (Choose three.) A. Routes are updated when a change in topology occurs. B. Updates are sent to a multicast address by default. C. OSPF is a link-state protocol. D. Updates are sent to a broadcast address. E. RIP is a link-state protocol. F. It uses split horizon.
Correct Answer: AB
QUESTION 307 Which two statements about IPv6 router advertisement messages are true? (Choose two.) A. They use ICMPv6 type 134. B. The advertised prefix length must be 64 bits. C. The advertised prefix length must be 48 bits. D. They are sourced from the configured IPv6 interface address. E. Their destination is always the link-local address of the neighboring node.
Correct Answer: A
QUESTION 308 Which command can you execute to set the user inactivity timer to 10 seconds? A. SW1(config-line)#exec-timeout 0 10 B. SW1(config-line)#exec-timeout 10 C. SW1(config-line)#absolute-timeout 0 10 D. SW1(config-line)#absolute-timeout 10
Correct Answer: A
QUESTION 309 Which command can you enter to verify that a BGP connection to a remote device is established? A. show ip bgp summary B. show ip community-list C. show ip bgp paths D. show ip route
Correct Answer: BCD Explanation: Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long as there is a valid tunnel source address or interface which is up. The tunnel destination IP address must also be routable. This is true even if the other side of the tunnel has not been configured. This means that a static route or PBR forwarding of packets via the GRE tunnel interface remains in effect even though the GRE tunnel packets do not reach the other end of the tunnel. Before GRE keepalives were implemented, there were only three reasons for a GRE tunnel to shut down: There is no route to the tunnel destination address. The interface that anchors the tunnel source is down. The route to the tunnel destination address is through the tunnel itself. These three rules (missing route, interface down and mis-routed tunnel destination) are problems local to the router at the tunnel endpoints and do not cover problems in the intervening network. For example, these rules do not cover the case in which the GRE tunneled packets are successfully forwarded, but are lost before they reach the other end of the tunnel. This causes data packets that go through the GRE tunnel to be "black holed", even though an alternate route that uses PBR or a floating static route via another interface is potentially available. Keepalives on the GRE tunnel interface are used in order to solve this issue in the same way as keepalives are used on physical interfaces.
QUESTION 310 Which three circumstances can cause a GRE tunnel to be in an up/down state? (Choose three.) A. The tunnel interface IP address is misconfigured. B. The tunnel interface is down. C. A valid route to the destination address is missing from the routing table. D. The tunnel address is routed through the tunnel itself. E. The ISP is blocking the traffic. F. An ACL is blocking the outbound traffic.
Correct Answer: ABC
QUESTION 311 What are three broadband wireless technologies? (Choose three.) A. WiMax B. satellite Internet C. municipal Wi-Fi D. site-to-site VPN E. DSLAM F. CMTS
Correct Answer: ACD
QUESTION 312 Which three characteristics are representative of a link-state routing protocol? (Choose three.) A. provides common view of entire topology B. exchanges routing tables with neighbors C. calculates shortest path D. utilizes event-triggered updates E. utilizes frequent periodic updates
Correct Answer: A
QUESTION 313 Which protocol advertises a virtual IP address to facilitate transparent failover of a Cisco routing device? A. FHRP B. DHCP C. RSMLT D. ESRP
Correct Answer: D
QUESTION 314 Which command can you enter to determine whether a switch is operating in trunking mode? A. show ip interface brief B. show vlan C. show interfaces D. show interface switchport
Correct Answer: A
QUESTION 315 Which technology allows a large number of private IP addresses to be represented by a smaller number of public IP addresses? A. NAT B. NTP C. RFC 1631 D. RFC 1918
Correct Answer: ABC
QUESTION 316 What are three characteristics of satellite Internet connections? (Choose three.) A. Their upload speed is about 10 percent of their download speed. B. They are frequently used by rural users without access to other high-speed connections. C. They are usually at least 10 times faster than analog modem connections. D. They are usually faster than cable and DSL connections. E. They require a WiMax tower within 30 miles of the user location. F. They use radio waves to communicate with cellular phone towers.
Correct Answer: A
QUESTION 317 If primary and secondary root switches with priority 16384 both experience catastrophic losses, which tertiary switch can take over? A. a switch with priority 20480 B. a switch with priority 8192 C. a switch with priority 4096 D. a switch with priority 12288
Correct Answer: ABC
QUESTION 318 Which three statements about IPv6 prefixes are true? (Choose three.) A. FF00::/8 is used for IPv6 multicast. B. FE80::/10 is used for link-local unicast. C. FC00::/7 is used in private networks. D. 2001::1/127 is used for loopback addresses. E. FE80::/8 is used for link-local unicast. F. FEC0::/10 is used for IPv6 broadcast.
Correct Answer: A
QUESTION 319 Which command can you enter to display the hits counter for NAT traffic? A. show ip nat statistics B. debug ip nat C. show ip debug nat D. clear ip nat statistics
Correct Answer: BC Explanation: Telnet presents a potential security risk, so Telnet uses vty for connecting to a remote Cisco switch. For access security, the vty password and enable password must be configured.
QUESTION 320 Which two passwords must be supplied in order to connect by Telnet to a properly secured Cisco switch and make changes to the device configuration? (Choose two.) A. tty password B. enable secret password C. vty password D. aux password E. console password F. username password
Correct Answer: A
QUESTION 321 Which command can you enter to configure a local username with an encrypted password and EXEC mode user privileges? A. Router(config)#username jdone privilege 1 password 7 08314D5D1A48 B. Router(config)#username jdone privilege 1 password 7 PASSWORD1 C. Router(config)#username jdone privilege 15 password 0 08314D5D1A48 D. Router(config)#username jdone privilege 15 password 0 PASSWORD1
Correct Answer: A
QUESTION 322 What is the effect of the overload keyword in a static NAT translation configuration? A. It enables port address translation. B. It enables the use of a secondary pool of IP addresses when the first pool is depleted. C. It enables the inside interface to receive traffic. D. It enables the outside interface to forward traffic.
Correct Answer: A
QUESTION 323 Which command can you enter to set the default route for all traffic to an interface? A. router(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 B. router(config)#ip route 0.0.0.0 255.255.255.255 GigabitEthernet0/1 C. router(config-router)#default-information originate D. router(config-router)#default-information originate always
Correct Answer: BC Explanation: APIC-EM Northbound Interface: The APIC-EM Northbound Interface is the only API that you will need to control your network programmatically. The API is function rich and provides you with an easy-to-use, programmatic control of your network elements, interfaces, and hosts. The APIC-EM API provides you with the ability to think about your network at a higher policy level rather than how to implement that policy. When you use the APIC-EM API, your applications will make network policy decisions, which will then be implemented by the APIC-EM Controller through its Southbound Interfaces. Thus you tell the network what you want (i.e., the policy) and the controller figures out how to implement that policy for you. The APIC-EM API is REST based and thus you will discover and control your network using HTTP protocol with HTTP verbs (i.e., GET, POST, PUT, and DELETE) with JSON syntax. The APIC-EM GA release focuses on the following key customer applications: Intelligent WAN (IWAN) - automates the configuration of advanced IWAN features on Cisco 4000 Series Integrated Service Routers. Plug and Play (PnP) - delivers zero-touch deployment of Cisco Enterprise Network routers, switches and wireless controllers (including Wireless Access Points). Path Trace - eases and accelerates the task of computing end-to-end application flow path. Southbound Interfaces: Although APIC-EM only exposes its Northbound Interfaces as an API, it is important that you understand how the Southbound Interface is built. Southbound Interfaces are implemented with a Service Abstraction Layer (SAL) which speaks to network elements using SNMP and CLI (Command Line Interface) of the elements that make up the network. The use of the SNMP and CLI ensures that APIC-EM works with legacy Cisco products. Future APIC-EM releases will leverage other southbound technology such as NetConf as they become available.
QUESTION 324 Which two statements about northbound and southbound APIs are true? (Choose two.) A. Only southbound APIs allow program control of the network. B. Only northbound APIs allow program control of the network. C. Only southbound API interfaces use a Service Abstraction Layer. D. Only northbound API interfaces use a Service Abstraction Layer. E. Both northbound and southbound API interfaces use a Service Abstraction Layer. F. Both northbound and southbound APIs allow program control of the network.
Correct Answer: ABC
QUESTION 325 In which three ways is an IPv6 header simpler than an IPv4 header? (Choose three.) A. Unlike IPv4 headers, IPv6 headers have a fixed length. B. IPv6 uses an extension header instead of the IPv4 Fragmentation field. C. IPv6 headers eliminate the IPv4 Checksum field. D. IPv6 headers use the Fragment Offset field in place of the IPv4 Fragmentation field. E. IPv6 headers use a smaller Option field size than IPv4 headers. F. IPv6 headers use a 4-bit TTL field, and IPv4 headers use an 8-bit TTL field.
Correct Answer: BCF
QUESTION 327 What are three characteristics of the TCP protocol? (Choose three.) A. It uses a single SYN-ACK message to establish a connection. B. The connection is established before data is transmitted. C. It ensures that all data is transmitted and received by the remote device. D. It supports significantly higher transmission speeds than UDP. E. It requires applications to determine when data packets must be retransmitted. F. It uses separate SYN and ACK messages to establish a connection.
Correct Answer: BC
QUESTION 328 Which two Cisco IOS commands, used in troubleshooting, can enable debug output to a remote location? (Choose two) A. no logging console B. logging host ip-address C. terminal monitor D. show logging | redirect flash:output.txt E. snmp-server enable traps syslog
Correct Answer: A
QUESTION 330 Which condition indicates that service password-encryption is enabled? A. The local username password is encrypted in the configuration. B. The enable secret is encrypted in the configuration. C. The local username password is in clear text in the configuration. D. The enable secret is in clear text in the configuration.
Correct Answer: A
QUESTION 331 Refer to the exhibit. What is the effect of the given configuration? A. It configures an inactive switch virtual interface. B. It configures an active management interface. C. It configures the native VLAN. D. It configures the default VLAN.
Correct Answer: A
QUESTION 332 Which protocol is the Cisco proprietary implementation of FHRP? A. HSRP B. VRRP C. GLBP D. CARP
Correct Answer: B
QUESTION 333 The enable secret command is used to secure access to which CLI mode? A. global configuration mode B. privileged EXEC mode C. user EXEC mode D. auxiliary setup mode
Correct Answer: BE
QUESTION 334 Which two security appliances will you use in a network? (Choose two.) A. ATM B. IDS C. IOS D. IOX E. IPS F. SDM
Correct Answer: A
QUESTION 335 If the primary root bridge experiences a power loss, which switch takes over? A. switch 0004.9A1A.C182 B. switch 00E0.F90B.6BE3 C. switch 00E0.F726.3DC6 D. switch 0040.0BC0.90C5
Correct Answer: BC
QUESTION 336 What are two benefits of private IPv4 IP addresses? (Choose two.) A. They are routed the same as public IP addresses. B. They are less costly than public IP addresses. C. They can be assigned to devices without Internet connections. D. They eliminate the necessity for NAT policies. E. They eliminate duplicate IP conflicts.
Correct Answer: A
QUESTION 337 What is the authoritative source for an address lookup? A. a recursive DNS search B. the operating system cache C. the ISP local cache D. the browser cache
Correct Answer: A
QUESTION 338 What is the purpose of the POST operation on a router? A. determine whether additional hardware has been added B. locate an IOS image for booting C. enable a TFTP server D. set the configuration register
Correct Answer: A
QUESTION 339 After you configure the Loopback0 interface, which command can you enter to verify the status of the interface and determine whether fast switching is enabled? A. Router#show ip interface loopback 0 B. Router#show run C. Router#show interface loopback 0 D. Router#show ip interface brief
Correct Answer: A Explanation: RADIUS Background: RADIUS is an access server that uses AAA protocol. It is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises three components: A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP. A server. A client. The server runs on a central computer typically at the customer's site, while the clients reside in the dial-up access servers and can be distributed throughout the network. Cisco has incorporated the RADIUS Client into Cisco IOS Software Release 11.1 and later and other device software. Client/Server Model: A network access server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers. Network Security: Transactions between the client and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network. In addition, any user passwords are sent encrypted between the client and RADIUS server. This eliminates the possibility that someone snooping on an unsecured network could determine a user's password. Flexible Authentication Mechanisms: The RADIUS server supports a variety of methods to authenticate a user. When it is provided with the user name and original password given by the user, it can support PPP, Password Authentication Protocol (PAP), or Challenge Handshake Authentication Protocol (CHAP), UNIX login, and other authentication mechanisms.
RADIUS does not support these protocols: AppleTalk Remote Access (ARA) protocol NetBIOS Frame Protocol Control protocol Novell Asynchronous Services Interface (NASI) X.25 PAD connection TACACS+ offers multiprotocol support.
QUESTION 340 Which statement about RADIUS security is true? A. It supports EAP authentication for connecting to wireless networks. B. It provides encrypted multiprotocol support. C. Device-administration packets are encrypted in their entirety. D. It ensures that user activity is fully anonymous.
Correct Answer: A
QUESTION 341 What is the first step in the NAT configuration process? A. Define inside and outside interfaces. B. Define public and private IP addresses. C. Define IP address pools. D. Define global and local interfaces.
Correct Answer: AB
QUESTION 342 Which two commands can you enter to verify that a configured NetFlow data export is operational? (Choose two.) A. show ip flow export B. show ip cache flow C. ip flow ingress D. ip flow egress E. interface ethernet 0/0 F. ip flow-export destination
Correct Answer: BC Explanation: A loopback interface never comes down even if the link is broken, so it provides stability for the OSPF process (for example, we use that loopback interface as the router-id). The router-ID is chosen in the order below: The highest IP address assigned to a loopback (logical) interface. If a loopback interface is not defined, the highest IP address of all of the router's active physical interfaces will be chosen. -> The loopback interface will be chosen as the router ID of RouterB
QUESTION 343 Refer to the exhibit. Which two statements are true about the loopback address that is configured on RouterB? (Choose two.) A. It ensures that data will be forwarded by RouterB. B. It provides stability for the OSPF process on RouterB. C. It specifies that the router ID for RouterB should be 10.0.0.1. D. It decreases the metric for routes that are advertised from RouterB. E. It indicates that RouterB should be elected the DR for the LAN.
Correct Answer: AB
QUESTION 344 Which two features can dynamically assign IPv6 addresses? (Choose two.) A. IPv6 stateless autoconfiguration B. DHCP C. NHRP D. IPv6 stateful autoconfiguration E. ISATAP tunneling
Correct Answer: A
QUESTION 345 Which NAT function can map multiple inside addresses to a single outside address? A. PAT B. SFTP C. RARP D. ARP E. TFTP
Correct Answer: A
QUESTION 346 Which command can you enter to view the ports that are assigned to VLAN 20? A. Switch#show vlan id 20 B. Switch#show ip interface brief C. Switch#show interface vlan 20 D. Switch#show ip interface vlan 20
Correct Answer: A
QUESTION 347 Which technology can enable multiple VLANs to communicate with one another? A. inter-VLAN routing using a Layer 3 switch B. inter-VLAN routing using a Layer 2 switch C. intra-VLAN routing using router on a stick D. intra-VLAN routing using a Layer 3 switch
