71. You have been asked to come up with a subnet mask that will allow all three web servers to be on the same network while providing the maximum number of subnets. Which network address and subnet mask meet this requirement?
- 192.168.252.0 255.255.255.252
- 192.168.252.8 255.255.255.248*
- 192.168.252.8 255.255.255.252
- 192.168.252.16 255.255.255.240
- 192.168.252.16 255.255.255.252
72. What parameter can be different on ports within an EtherChannel?
- DTP negotiation settings*
- trunk encapsulation
+ Speed settings
+ Duplex settings
+ STP settings
+ VLAN membership (for access ports)
+ Native VLAN (for trunk ports)
+ Allowed VLANs (for trunk ports)
+ Trunking Encapsulation (ISL or 802.1Q, for trunk ports)
73. Which two statements about IPv6 router advertisement messages are true? (Choose two.)
- They use ICMPv6 type 134.*
- The advertised prefix length must be 64 bits.*
- The advertised prefix length must be 48 bits.
- They are sourced from the configured IPv6 interface address.
- Their destination is always the link-local address of the neighboring node.
The advertised IPv6 prefix length must be 64 bits for the stateless address autoconfiguration to be operational.
74. Which spanning-tree protocol rides on top of another spanning-tree protocol?
- Mono Spanning Tree
75. A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two.)
- A. The network administrator can apply port security to dynamic access ports
- B. The network administrator can configure static secure or sticky secure mac addresses in the voice vlan.
- C. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.*
- D. The network administrator can apply port security to EtherChannels.
- E. When dynamic mac address learning is enabled on an interface, the switch can learn new addresses up to the maximum defined.*
+ Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports. -> A is not correct.
+ A secure port cannot be a dynamic access port.
+ A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
+ A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group. -> D is not correct
+ You cannot configure static secure or sticky secure MAC addresses on a voice VLAN. -> B is not correct.
+ When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
+ If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
+ When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.
+ The switch does not support port security aging of sticky secure MAC addresses.
+ The protect and restrict options cannot be simultaneously enabled on an interface.
Note: Dynamic access port or Dynamic port VLAN membership must be connected to an end station. This type of port can be configured with the “switchport access vlan dynamic” command in the interface configuration mode. Please read more about Dynamic access port here: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swvlan.html#wp1103064
76. Which switching method duplicates the first six bytes of a frame before making a switching decision?
- fragment-free switching
- store-and-forward switching
- cut-through switching*
- ASIC switching
In store-and-forward switching, the switch copies each complete Ethernet frame into the switch memory and computes a Cyclic Redundancy Check (CRC) for errors. If a CRC error is found, the Ethernet frame is dropped. If no CRC error is found then that frame is forwarded.
77. Which logging command can enable administrators to correlate syslog messages with millisecond precision?
- no logging console
- logging buffered 4
- no logging monitor
- service timestamps log datetime mscec*
- logging host 10.2.0.21
78. Which three statements about link-state routing are true? (Choose three.)
- OSPF is a link-state protocol.*
- Updates are sent to a broadcast address.
- It uses split horizon.
- Routes are updated when a change in topology occurs.*
- RIP is a link-state protocol.
- Updates are sent to a multicast address by default.*
79. Which command can you enter to determine whether a switch is operating in trunking mode?
- show ip interface brief
- show vlan
- show interfaces
- show interface switchport*
80. Which command can you enter to view the ports that are assigned to VLAN 20?
- Switch#show ip interface vlan 20
- Switch#show vlan id 20*
- Switch#show ip interface brief
- Switch#show interface vlan 20
81. In which two formats can the IPv6 address fd15:0db8:0000:0000:0700:0003:400F:572B be written? (Choose two.)
- A. fd15:0db8:0000:0000:700:3:400F:527B*
- B. fd15:0db8::7:3:4F:527B
- C. fd15::db8::700:3:400F:527B
- D. fd15:db8::700:3:400F:572B*
- E. fd15:db8:0::700:3:4F:527B
+ Leading zeros in a field are optional
+ Successive fields of 0 are represented as ::, but only once in an address
If you are not sure about IPV6, please read our IPv6 tutorial.
82. Which function of the IP SLAs ICMP jitter operation can you use to determine whether a VoIP issue is caused by excessive end-to-end time?
- packet loss
- successive packet loss
- round-trip time latency*
83. Refer to the exhibit.
Which of these statements correctly describes the state of the switch once the boot process has been completed?
- A. The switch will need a different IOS code in order to support VLANs and ST.
- Remote access management of this switch will not be possible without configuration change.*
- As FastEthernet0/12 will be the last to come up, it will be blocked by STP.
- More VLANs will need to be created for this switch.
Answer A is not correct as STP calculation does not depend on which port comes up first or last. STP recalculates when there is a change in the network.
A normal switch can operate without VLAN -> C is not correct.
This IOS does support VLAN because it has VLAN 1 on it -> D is not correct.
84. Refer to the exhibit.
The network administrator normally establishes a Telnet session with the switch from host A. However, host A is unavailable. The administrator’s attempt to telnet to the switch from host fails, but pings to the other two hosts are successful. What is the issue?
- The switch interfaces need the appropriate IP addresses assigned.
- Host and the switch need to be in the same subnet.
- The switch needs an appropriate default gateway assigned.*
- The switch interface connected to the router is down.
- Host needs to be assigned an IP address in VLAN 1.
But host B (172.19.32.2) and the management IP address of the Switch (172.19.1.250) are not in the same subnet. Therefore packets from host B must reach the router Fa0/0.32 interface before forwarding to the switch. But when the switch replies, it does not know how to send packets so an appropriate default gateway must be assigned on the switch (to Fa0/0.32 – 172.19.32.254).
Answer A is not correct because even when host B & the switch are in the same subnet, they cannot communicate because of different VLANs.
Answer C is not correct as host B can ping other two hosts.
Answer D is not correct because host B always belongs to VLAN 32 so assigning an IP address in VLAN 1 does not solve the problem.
85. Which condition does the err-disabled status indicate on an Ethernet interface?
- There is a duplex mismatch.
- The device at the other end of the connection is powered off.
- The serial interface is disabled.
- The interface is configured with the shutdown command.
- Port security has disabled the interface.*
- The interface is fully functioning.
+ Duplex mismatch
+ Port channel misconfiguration
+ BPDU guard violation
+ UniDirectional Link Detection (UDLD) condition
+ Late-collision detection
+ Link-flap detection
+ Security violation
+ Port Aggregation Protocol (PAgP) flap
+ Layer 2 Tunneling Protocol (L2TP) guard
+ DHCP snooping rate-limit
+ Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
+ Address Resolution Protocol (ARP) inspection
+ Inline power
Therefore in fact there are two correct answers in this question, which are “There is a duplex mismatch” and “Port security has disabled the interface” but maybe you should choose the port security answer as it is the most popular reason.
86. Refer to the exhibit
All of the routers in the network are configured with the ip subnet-zero command. Which network addresses should be used for Link A and Network A? (Choose two.)
- Link A 172.16.3.0/30*
- Link A 172.16.3.112/30
- Network A 172.16.3.48/26
- Network A 172.16.3.128/25*
- Link A 172.16.3.40/30
- Network A 172.16.3.192/26
Because the ip subnet-zero command is used, network 172.16.3.0/30 can be used.
Answer E “Link A – 172.16.3.40/30″ is not correct because this subnet belongs to MARKETING subnet (172.16.3.32/27).
Answer F “Link A – 172.16.3.112/30″ is not correct because this subnet belongs to ADMIN subnet (172.16.3.96/27).
87. Which type of device can be replaced by the use of subinterfaces for VLAN routing?
- Layer 2 bridge
- Layer 2 switch
- Layer 3 switch*
88. Which statement about LLDP is true?
- It is configured in global configuration mode.
- It is configured in global configuration mode.*
- The LLDP update frequency is a fixed value.
- It runs over the transport layer.
Sw(config)# lldp run
89. If the primary root bridge experiences a power loss, which switch takes over?
- switch 0040.00.90C5
- switch 00E0.F90B.6BE3
- switch 0004.9A1A.C182*
- switch 00E0.F726.3DC6
Bridge ID = Bridge Priority + MAC Address
In this question the bridge priority was not mentioned so we suppose they are the same. Therefore the switch with lowest MAC address will become the new root bridge.
90. A network administrator is troubleshooting an EIGRP problem on a router and needs to confirm the IP addresses of the devices with which the router has established adjacency. The retransmit interval and the queue counts for the adjacent routers also need to be checked. What command will display the required information?
- Router# show ip eigrp neighbors*
- Router# show ip eigrp interfaces
- Router# show ip eigrp adjacency
- Router# show ip eigrp topology
Let’s analyze these columns:
+ H: lists the neighbors in the order this router was learned
+ Address: the IP address of the neighbors
+ Interface: the interface of the local router on which this Hello packet was received
+ Hold (sec): the amount of time left before neighbor is considered in “down” status
+ Uptime: amount of time since the adjacency was established
+ SRTT (Smooth Round Trip Timer): the average time in milliseconds between the transmission of a packet to a neighbor and the receipt of an acknowledgement.
+ RTO (Retransmission Timeout): if a multicast has failed, then a unicast is sent to that particular router, the RTO is the time in milliseconds that the router waits for an acknowledgement of that unicast.
+ Queue count (Q Cnt): shows the number of queued EIGRP packets. It is usually 0.
+ Sequence Number (Seq Num): the sequence number of the last update EIGRP packet received. Each update message is given a sequence number, and the received ACK should have the same sequence number. The next update message to that neighbor will use Seq Num + 1.
In this question we have to check the RTO and Q cnt fields.
91. Which three statements about IPv6 prefixes are true? (Choose three.)
- FEC0::/10 is used for IPv6 broadcast.
- FC00::/7 is used in private networks.*
- FE80::/8 is used for link-local unicast.
- FE80::/10 is used for link-local unicast.*
- 2001::1/127 is used for loopback addresses.
- FF00::/8 is used for IPv6 multicast.*
|Site-local address||FEC0::/10 (but it is deprecated and replaced with FC00::/7 for used in private networks)|
92. Which command can you enter to display duplicate IP addresses that the DHCP server assigns?
- show ip dhcp conflict 10.0.2.12*
- show ip dhcp database 10.0.2.12
- show ip dhcp server statistics
- show ip dhcp binding 10.0.2.12
93. Which three ports will be STP designated ports if all the links are operating at the same bandwidth? (Choose three.)
- Switch B – F0/0*
- Switch A – Fa0/1*
- Switch B – Fa0/1*
- Switch C – F0/1
- Switch A – Fa0/0
- Switch C – Fa0/0
94. Refer to the exhibit
The network administrator cannot connect to Switch 1 over a Telnet session, although the hosts attached to Switch1 can ping the interface Fa0/0 of the router. Given the information in the graphic and assuming that the router and Switch2 are configured properly, which of the following commands should be issued on Switch1 to correct this problem?
- Switch1(config)# ip default-gateway 192.168.24.1*
- Switch1(config)# interface fa0/1Switch1(config-if)# switchport mode trunk
- Switch1(config)# line con0Switch1(config-line)# password ciscoSwitch1(config-line)# login
- Switch1(config)# interface fa0/1Switch1(config-if)# ip address 192.168.24.3 255.255.255.0
- Switch1(config)# interface fa0/1Switch1(config-if)# duplex fullSwitch1(confiq-if)# speed 100
95. Refer to the exhibit.
Each of these four switches has been configured with a hostname, as well as being configured to run RSTP.No other configuration changes have been made. Which three of these show the correct RSTP port roles for the indicated switches and interfaces? (Choose three.)
- A. SwitchA, Fa0/2, designated *
- B. SwitchA, Fa0/1, root *
- C. SwitchB, Gi0/2, root
- D. SwitchB, Gi0/1, designated
- E. SwitchC, Fa0/2, root
- F. SwitchD, Gi0/2, root*
Because SwitchC is the root bridge so the 2 ports nearest SwitchC on SwitchA (Fa0/1) and SwitchD (Gi0/2) will be root ports -> B and F are correct.
Now we come to the most difficult part of this question: SwitchB must have a root port so which port will it choose? To answer this question we need to know about STP cost and port cost.
In general, “cost” is calculated based on bandwidth of the link. The higher the bandwidth on a link, the lower the value of its cost. Below are the cost values you should memorize:
SwitchB will choose the interface with lower cost to the root bridge as the root port so we must calculate the cost on interface Gi0/1 & Gi0/2 of SwitchB to the root bridge. This can be calculated from the “cost to the root bridge” of each switch because a switch always advertises its cost to the root bridge in its BPDU. The receiving switch will add its local port cost value to the cost in the BPDU.
In the exhibit you also we FastEthernet port is connecting to GigabitEthernet port. In this case GigabitEthernet port will operate as a FastEthernet port so the link can be considered as FastEthernet to FastEthernet connection.
One more thing to notice is that a root bridge always advertises the cost to the root bridge (itself) with an initial value of 0.
Now let’s have a look at the topology again
SwitchC advertises its cost to the root bridge with a value of 0. Switch D adds 19 (the cost value of 100Mbps link although the port on Switch D is GigabitEthernet port) and advertises this value (19) to SwitchB. SwitchB adds 4 (the cost value of 1Gbps link) and learns that it can reach SwitchC via Gi0/1 port with a total cost of 23. The same process happens for SwitchA and SwitchB learns that it can reach SwitchC via Gi0/2 with a total cost of 38 -> Switch B chooses Gi0/1 as its root port -> D is not correct.
Now our last task is to identify the port roles of the ports between SwitchA & SwitchB. It is rather easy as the MAC address of SwitchA is lower than that of SwitchB so Fa0/2 of SwitchA will be designated port while Gi0/2 of SwitchB will be alternative port -> A is correct but C is not correct.
Below summaries all the port roles of these switches:
+ DP: Designated Port (forwarding state)
+ RP: Root Port (forwarding state)
+ AP: Alternative Port (blocking state)
96. Which feature builds a FIB and an adjacency table to expedite packet forwarding?
- cut through
- fast switching
- process switching
- Cisco Express Forwarding*
The Forwarding Information Base (FIB) contains destination reachability information as well as next hop information. This information is then used by the router to make forwarding decisions. The FIB allows for very efficient and easy lookups.
The adjacency table is tasked with maintaining the layer 2 next-hop information for the FIB.
97. Which command can you enter to verify that a 128-bit address is live and responding?
- show ipv6
98. What are two reasons that duplex mismatches can be difficult to diagnose? (Choose two.)
- The interface displays a connected (up/up) state even when the duplex settings are mismatched.*
- 1-Gbps interfaces are full-duplex by default.
- Full-duplex interfaces use CSMA/CD logic, so mismatches may be disguised by collisions.
- The symptoms of a duplex mismatch may be intermittent.*
- Autonegotiation is disabled.
99. Which condition indicates that service password-encryption is enabled?
- The local username password is in clear text in the configuration.
- The enable secret is in clear text in the configuration.
- The local username password is encrypted in the configuration.*
- The enable secret is encrypted in the configuration.
100. Which protocol advertises a virtual IP address to facilitate transparent failover of a Cisco routing device?
101. What is the correct routing match to reach 172.16.1.5/32?
- the default route
102. Which layer in the OSI reference model is responsible for determining the availability of the receiving program and checking to see if enough resources exist for that communication?
103. What is the purpose of the POST operation on a router?
- determine whether additional hardware has been added*
- locate an IOS image for booting
- enable a TFTP server
- set the configuration register
1. Run POST to check hardware
2. Search for a valid IOS (the Operating System of the router)
3. Search for a configuration file (all the configurations applied to this router)
104. Which protocol is the Cisco proprietary implementation of FHRP?
105. Which three characteristics are representative of a link-state routing protocol? (Choose three.)
- provides common view of entire topology*
- exchanges routing tables with neighbors
- calculates shortest path*
- utilizes event-triggered updates*
- utilizes frequent periodic updates
106. Which part of the PPPoE server configuration contains the information used to assign an IP address to a PPPoE client?
- virtual-template interface*
- dialer interface
- AAA authentication
There is no Dialer interface on the PPPoE Server so answer “Dialer interface” is not correct. The most suitable answer is “Virtual Template” interface as it contains the pool which is used to assign IP address to the PPPoE Client. But this question is weird because according to the CCNAv3 syllabus, candidates only need to grasp the PPPoE on client-side, not sure why this question asked about PPPoE on Server side. For more information about PPPoE, please read our PPPoE tutorial.
107. how is MPLS implemented (like this) :
- on LAN
- must be on redundant links
- can be on redundant or nonredundant links*
- can’t remember
108. Which three statements about RSTP are true? (Choose three.)
- RSTP significantly reduces topology reconverging time after a link failure.*
- RSTP expands the STP port roles by adding the alternate and backup roles.*
- RSTP port states are blocking, discarding, learning, or forwarding.
- RSTP provides a faster transition to the forwarding state on point-to-point links than STP does.*
- RSTP also uses the STP proposal-agreement sequence.
- RSTP uses the same timer-based process as STP on point-to-point links
109. What are two benefits of using NAT? (Choose two.)
- A. NAT protects network security because private networks are not advertised.*
- B. NAT accelerates the routing process because no modifications are made on the packets.
- C. Dynamic NAT facilitates connections from the outside of the network.
- D. NAT facilitates end-to-end communication when IPsec is enable.
- E. NAT eliminates the need to re-address all host that require external access.*
- F. NAT conserves addresses through host MAC-level multiplexing.
NAT has to modify the source IP addresses in the packets -> B is not correct.
Connection from the outside to a network through “NAT” is more difficult than a normal network because IP addresses of inside hosts are hidden -> C is not correct.
In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct.
By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct.
NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.
110. Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two.)
- SW1#show port-secure interface FastEthernet 0/12
- SW1#show switchport port-secure interface FastEthernet 0/12
- SW1#show running-config*
- SW1#show port-security interface FastEthernet 0/12*
- SW1#show switchport port-security interface FastEthernet 0/12
111. Refer to the exhibit. Given this output for SwitchC, what should the network administrator’s next action be?
- Check the trunk encapsulation mode for Switch C’s fa0/1 port.
- Check the duplex mode for Switch C’s fa0/1 port.
- Check the duplex mode for Switch A’s fa0/2 port.*
- Check the trunk encapsulation mode for Switch A’s fa0/2 port
112. Which statement is correct regarding the operation of DHCP?
- A DHCP client uses a ping to detect address conflicts.
- A DHCP server uses a gratuitous ARP to detect DHCP clients.
- A DHCP client uses a gratuitous ARP to detect a DHCP server.
- If an address conflict is detected, the address is removed from the pool and an administrator must resolve the conflict.*
- If an address conflict is detected, the address is removed from the pool for an amount of time configurable by the administrator.
- If an address conflict is detected, the address is removed from the pool and will not be reused until the server is rebooted.
113. Which two statements about using the CHAP authentication mechanism in a PPP link are true? (Choose two.)
- CHAP uses a two-way handshake.
- CHAP uses a three-way handshake.*
- CHAP authentication periodically occurs after link establishment.*
- CHAP authentication passwords are sent in plaintext.
- CHAP authentication is performed only upon link establishment.
- CHAP has no protection from playback attacks.
114. Refer to the exhibit. Switch port FastEthernet 0/24 on ALSwitch1 will be used to create an IEEE 802.1Q-compliant trunk to another switch. Based on the output shown, what is the reason the trunk does not form, even though the proper cabling has been attached?
- VLANs have not been created yet.
- An IP address must be configured for the port.
- The port is currently configured for access mode.*
- The correct encapsulation type has not been configured.
- The no shutdown command has not been entered for the port.
115. Refer to the exhibit. A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.)
- Port security needs to be globally enabled.
- Port security needs to be enabled on the interface.*
- Port security needs to be configured to shut down the interface in the event of a violation.
- Port security needs to be configured to allow only one learned MAC address.*
- Port security interface counters need to be cleared before using the show command.
- The port security configuration needs to be saved to NVRAM before it can become active.
-> B is correct.
Also from the output, we learn that the switch is allowing 2 devices to connect to it (switchport port-security maximum 2) but the question requires allowing only PC_A to access the network so we need to reduce the maximum number to 1 -> D is correct.
116. Which three statements about static routing are true? (Choose three.)
- It uses consistent route determination.*
- It is best used for small-scale deployments.*
- Routing is disrupted when links fail.*
- It requires more resources than other routing methods.
- It is best used for large-scale deployments.
- Routers can use update messages to reroute when links fail.
117. What are the address that will show at the show ip route if we configure the above statements? (Choose Three.)
+ 18.104.22.168 belongs to class B so it will be summarized to 22.214.171.124
+ 10.4.3.0 belongs to class A so it will be summarized to 10.0.0.0
+ 192.168.4.0 belongs to class C so it will be summarized to 192.168.4.0 (same)
118. Which feature facilitates the tagging of frames on a specific VLAN?
119. What does split horizon prevent?
- routing loops, link state
- routing loops, distance vector*
- switching loops, STP
- switching loops, VTP
120. Which value to use in HSRP protocol election process?
- virtual IP address
- router ID
R1(config-if)# standby 1 priority 200
121. Which of the following is needed to be enable back the role of active in HSRP?
- other options
New_Router(config-if)#standby 1 preempt
122. Which command is used to show the interface status of a router?
- show interface status
- show ip interface brief*
- show ip route
- show interface
123. Which of the following privilege level is the most secured?
- Level 0
- Level 1
- Level 15*
- Level 16
+ User EXEC mode (privilege level 1): provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.
+ Privileged EXEC mode (privilege level 15): includes all enable-level commands at the Router# prompt. Level 15 users can execute all commands and this is the most secured and powerful privilege level.
However, there are actually 16 privilege levels available on the CLI, from 0 to 15 and you can assign users to any of those levels. Zero-level access allows only five commands -logout, enable, disable, help, and exit. User level (level 1) provides very limited read-only access to the router, and privileged level (level 15) provides complete control over the router.
124. Which IPV6 feature is supported in IPV4 but is not commonly used?
The basic idea of Anycast is very simple: multiple servers, which share the same IP address, host the same service. The routing infrastructure sends IP packets to the nearest server (according to the metric of the routing protocol used). The major benefits of employing Anycast in IPv4 are improved latency times, server load balancing, and improved security.
125. Which two statements are true about IPv6 Unique Local Addresses? (Choose Two.)
- It is the counterpart of IPv4 private addresses*
- It uses FC00::/7 as prefix*
126. Which range represents the standard access list?
|Access list type||Range|
127. What to do when the router password was forgotten?
- use default password cisco to reset
- access router physically
- use ssl/vpn
- Type confreg 0x2142 at the rommon 1*
128. What is true about Cisco Discovery Protocol?
- it discovers the routers, switches and gateways.
- it is network layer protocol
- it is physical and data link layer protocol
- it is proprietary protocol*
There are 3 columns we should pay more attention to:
+ Local Interface (Local Intrfce): the interfaces on the device you are using “show cdp neighbors” command. In this case it is the interface of HOME router
+ Platform: the platform of neighbor device
+ Port ID: the neighbor device’s port or interface on which the CDP packets are multicast
129. Which of the following encrypts the traffic on a leased line?
Note: Virtual Private Networks (VPNs) are only secure if encrypted. The word “private” only means a given user’s virtual network is not shared with others. In reality a VPN still runs on a shared infrastructure and is not secured if not encrypted. VPNs are used over a connection you already have. That might be a leased line. It might be an ADSL connection. It could be a mobile network connection.
Therefore answer “SSH” is still better than the answer “VPN”.
130. How do you configure a hostname?
- A. Router(config)#hostname R1*
- B. Router#hostname R1
- C. Router(config)#host name R1
- D. Router>hostname R1
131. How do you maintain security in multiple websites?
In the topology above, Remote Campus sites can connect to the Main Campus through site-to-site VPNs.
132. Refer to the exhibit. Switch-1 needs to send data to a host with a MAC address of 00b0.d056.efa4. What will Switch-1 do with this data?
- Switch-1 will drop the data because it does not have an entry for that MAC address.
- Switch-1 will flood the data out all of its ports except the port from which the data originated.*
- Switch-1 will send an ARP request out all its ports except the port from which the data originated.
- Switch-1 will forward the data to its default gateway.
133. What routing protocol use first-hand information from peers?
The reason is that unlike the routing-by-rumor approach of distance vector, link state routers have firsthand information from all their peer routers. Each router originates information about itself, its directly connected links, and the state of those links (hence the name). This information is passed around from router to router, each router making a copy of it, but never changing it. The ultimate objective is that every router has identical information about the internetwork, and each router will independently calculate its own best paths.
134. What field is consist of 6 bytes in the field identification frame in IEEE 802.1Q?
The SA field is the source address field. The field should be set to the MAC address of the switch port that transmits the frame. It is a 48-bit value (6 bytes). The receiving device may ignore the SA field of the frame.
In fact there is another correct answer for this question: DA (Destination Address) which also consists of 6 bytes. Maybe there is a mistake or typo in this question.
135. What is new in HSRPv2?
- a greater number in hsrp group field*
136. What’s are true about MPLS?
- It use a label to separate traffic from several costumer*
- It use IPv4 IPv6
137. A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?
138. Which command is necessary to permit SSH or Telnet access to a cisco switch that is otherwise configured for these vty line protocols?
- transport type all
- transport output all
- transport preferred all
- transport input all*
139. What should be part of a comprehensive network security plan?
- Allow users to develop their own approach to network security
- Physically secure network equipment from potential access by unauthorized individuals*
- Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
- Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
- Minimize network overhead by deactivating automatic antivirus client updates
140. Which two Cisco IOS commands, used in troubleshooting, can enable debug output to a remote location? (Choose two)
- no logging console
- logging host ip-address*
- terminal monitor*
- show logging | redirect flashioutput.txt
- snmp-server enable traps syslog
The command “logging host ip-address” instructs the device to send syslog messages to an external syslog server -> B is correct.
The “show logging | redirect flashioutput.txt” command will put the text file in the router flash memory because we did not specify a remote location (like tftp) -> D is not correct.
The command “snmp-server enable traps syslog” instructs the device to send syslog messages to your network management server as SNMP traps instead of syslog packets. This command itself does not enable debug output to a remote location -> E is not correct.
By default, Cisco IOS does not send log messages to a terminal session over IP, that is, telnet or SSH connections don’t get log messages. But notice that console connections on a serial cable do have logging enabled by default. The command “terminal monitor” helps logging messages appear on the your terminal. First we don’t think this is a correct answer but after reading the question again, we believe it is a suitable one as a Telnet/SSH session may be considered a “remote location” -> C is correct.