[PART 2] CCNA 200-125 Dumps Questions and Answers Latest (VCE + PDF)

71.  You have been asked to come up with a subnet mask that will allow all three web servers to be on the same network while providing the maximum number of subnets. Which network address and subnet mask meet this requirement?

  • 192.168.252.0 255.255.255.252
  • 192.168.252.8 255.255.255.248*
  • 192.168.252.8 255.255.255.252
  • 192.168.252.16 255.255.255.240
  • 192.168.252.16 255.255.255.252

72.  What parameter can be different on ports within an EtherChannel?

  • speed
  • DTP negotiation settings*
  • trunk encapsulation
  • duplex
Show (Hide) Explanation/Reference
All interfaces in an EtherChannel must be configured identically to form an EtherChannel. Specific settings that must be identical include:

Speed settings
Duplex settings
+ STP settings
+ VLAN membership (for access ports)
+ Native VLAN (for trunk ports)
+ Allowed VLANs (for trunk ports)
Trunking Encapsulation (ISL or 802.1Q, for trunk ports)

73.  Which two statements about IPv6 router advertisement messages are true? (Choose two.)

  • They use ICMPv6 type 134.*
  • The advertised prefix length must be 64 bits.*
  • The advertised prefix length must be 48 bits.
  • They are sourced from the configured IPv6 interface address.
  • Their destination is always the link-local address of the neighboring node.
Show (Hide) Explanation/Reference
IPv6 router advertisement message is one type of the ICMPv6 packets with Type field value of 134. It lists many facts, including the link-local IPv6 address of the router. Normally, it is sent to the all-IPv6-hosts local-scope multicast address of FF02::1. When sent in response to router solicitation messages (ICMPv6 Type 133), it flows back to either the unicast address of the host that sent the RS or to the all-IPv6-hosts address FF02::1.

The advertised IPv6 prefix length must be 64 bits for the stateless address autoconfiguration to be operational.

74.  Which spanning-tree protocol rides on top of another spanning-tree protocol?

  • MSTP*
  • RSTP
  • PVST+
  • Mono Spanning Tree
Show (Hide) Explanation/Reference
Multiple Spanning Tree (MST) rides on top of RSTP so it converges very fast. The idea behind MST is that some VLANs can be mapped to a single spanning tree instance because most networks do not need more than a few logical topologies.

75.  A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two.)

  • A. The network administrator can apply port security to dynamic access ports
  • B. The network administrator can configure static secure or sticky secure mac addresses in the voice vlan.
  • C. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.*
  • D. The network administrator can apply port security to EtherChannels.
  • E. When dynamic mac address learning is enabled on an interface, the switch can learn new addresses up to the maximum defined.*
Show (Hide) Explanation/Reference
Follow these guidelines when configuring port security:
Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports. -> A is not correct.
+ A secure port cannot be a dynamic access port.
+ A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
+ A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group. -> D is not correct
You cannot configure static secure or sticky secure MAC addresses on a voice VLAN. -> B is not correct.
+ When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
+ If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
+ When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.
+ The switch does not support port security aging of sticky secure MAC addresses.
+ The protect and restrict options cannot be simultaneously enabled on an interface.

(Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swtrafc.html#wp1038546)

Note: Dynamic access port or Dynamic port VLAN membership must be connected to an end station. This type of port can be configured with the “switchport access vlan dynamic” command in the interface configuration mode. Please read more about Dynamic access port here: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-1_19_ea1/configuration/guide/3550scg/swvlan.html#wp1103064

76.  Which switching method duplicates the first six bytes of a frame before making a switching decision?

  • fragment-free switching
  • store-and-forward switching
  • cut-through switching*
  • ASIC switching
Show (Hide) Explanation/Reference
In cut-through switching, the switch copies into its memory only the destination MAC address (first six bytes of the frame) of the frame. After processing these first six bytes, the switch had enough information to make a forwarding decision and move the frame to the appropriate switchport. This switching method is faster than store-and-forward switching method.

In store-and-forward switching, the switch copies each complete Ethernet frame into the switch memory and computes a Cyclic Redundancy Check (CRC) for errors. If a CRC error is found, the Ethernet frame is dropped. If no CRC error is found then that frame is forwarded.

77.  Which logging command can enable administrators to correlate syslog messages with millisecond precision?

  • no logging console
  • logging buffered 4
  • no logging monitor
  • service timestamps log datetime mscec*
  • logging host 10.2.0.21
Show (Hide) Explanation/Reference
The “service timestamps log” command configures the system to apply a time stamp to logging messages. The time-stamp format for datetime is MMM DD HH:MM:SS, where MMM is the month, DD is the date, HH is the hour (in 24-hour notation), MM is the minute, and SS is the second. With the additional keyword msec, the system includes milliseconds in the time stamp, in the format HH:DD:MM:SS.mmm, where .mmm is milliseconds.

78.  Which three statements about link-state routing are true? (Choose three.)

  • OSPF is a link-state protocol.*
  • Updates are sent to a broadcast address.
  • It uses split horizon.
  • Routes are updated when a change in topology occurs.*
  • RIP is a link-state protocol.
  • Updates are sent to a multicast address by default.*

79.  Which command can you enter to determine whether a switch is operating in trunking mode?

  • show ip interface brief
  • show vlan
  • show interfaces
  • show interface switchport*
Show (Hide) Explanation/Reference
Below is an example of the output of this command. Interface Ethernet1/0 is operating in trunking mode.

80.  Which command can you enter to view the ports that are assigned to VLAN 20?

  • Switch#show ip interface vlan 20
  • Switch#show vlan id 20*
  • Switch#show ip interface brief
  • Switch#show interface vlan 20

81.  In which two formats can the IPv6 address fd15:0db8:0000:0000:0700:0003:400F:572B be written? (Choose two.)

  • A. fd15:0db8:0000:0000:700:3:400F:527B*
  • B. fd15:0db8::7:3:4F:527B
  • C. fd15::db8::700:3:400F:527B
  • D. fd15:db8::700:3:400F:572B*
  • E. fd15:db8:0::700:3:4F:527B
Show (Hide) Explanation/Reference
In this case we use two rules:

+ Leading zeros in a field are optional
+ Successive fields of 0 are represented as ::, but only once in an address

If you are not sure about IPV6, please read our IPv6 tutorial.

82.  Which function of the IP SLAs ICMP jitter operation can you use to determine whether a VoIP issue is caused by excessive end-to-end time?

  • packet loss
  • jitter
  • successive packet loss
  • round-trip time latency*

83.  Refer to the exhibit.
Which of these statements correctly describes the state of the switch once the boot process has been completed?

  • A. The switch will need a different IOS code in order to support VLANs and ST.
  • Remote access management of this switch will not be possible without configuration change.*
  • As FastEthernet0/12 will be the last to come up, it will be blocked by STP.
  • More VLANs will need to be created for this switch.
Show (Hide) Explanation/Reference
From the output we notice that the administrator has just shut down Interface Vlan1, which is the default VLAN so no one can access it remotely (like telnet) -> B is correct.

Answer A is not correct as STP calculation does not depend on which port comes up first or last. STP recalculates when there is a change in the network.

A normal switch can operate without VLAN -> C is not correct.

This IOS does support VLAN because it has VLAN 1 on it -> D is not correct.

84.  Refer to the exhibit.

The network administrator normally establishes a Telnet session with the switch from host A. However, host A is unavailable. The administrator’s attempt to telnet to the switch from host fails, but pings to the other two hosts are successful. What is the issue?

  • The switch interfaces need the appropriate IP addresses assigned.
  • Host and the switch need to be in the same subnet.
  • The switch needs an appropriate default gateway assigned.*
  • The switch interface connected to the router is down.
  • Host needs to be assigned an IP address in VLAN 1.
Show (Hide) Explanation/Reference
Host A (172.19.1.1) and the management IP address of the Switch (172.19.1.250) are in the same subnet so telnet from host A to the switch can be successful even if a default gateway is not set on host A.

But host B (172.19.32.2) and the management IP address of the Switch (172.19.1.250) are not in the same subnet. Therefore packets from host B must reach the router Fa0/0.32 interface before forwarding to the switch. But when the switch replies, it does not know how to send packets so an appropriate default gateway must be assigned on the switch (to Fa0/0.32 – 172.19.32.254).

Answer A is not correct because even when host B & the switch are in the same subnet, they cannot communicate because of different VLANs.

Answer C is not correct as host B can ping other two hosts.

Answer D is not correct because host B always belongs to VLAN 32 so assigning an IP address in VLAN 1 does not solve the problem.

85.  Which condition does the err-disabled status indicate on an Ethernet interface?

  • There is a duplex mismatch.
  • The device at the other end of the connection is powered off.
  • The serial interface is disabled.
  • The interface is configured with the shutdown command.
  • Port security has disabled the interface.*
  • The interface is fully functioning.
Show (Hide) Explanation/Reference
There are various reasons for the interface to go into errdisable. The reason can be:

+ Duplex mismatch
+ Port channel misconfiguration
+ BPDU guard violation
+ UniDirectional Link Detection (UDLD) condition
+ Late-collision detection
+ Link-flap detection
+ Security violation
+ Port Aggregation Protocol (PAgP) flap
+ Layer 2 Tunneling Protocol (L2TP) guard
+ DHCP snooping rate-limit
+ Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
+ Address Resolution Protocol (ARP) inspection
+ Inline power

Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/69980-errdisable-recovery.html

Therefore in fact there are two correct answers in this question, which are “There is a duplex mismatch” and “Port security has disabled the interface” but maybe you should choose the port security answer as it is the most popular reason.

86.  Refer to the exhibit
All of the routers in the network are configured with the ip subnet-zero command. Which network addresses should be used for Link A and Network A? (Choose two.)

  • Link A ­ 172.16.3.0/30*
  • Link A ­ 172.16.3.112/30
  • Network A ­ 172.16.3.48/26
  • Network A ­ 172.16.3.128/25*
  • Link A ­ 172.16.3.40/30
  • Network A ­ 172.16.3.192/26
Show (Hide) Explanation/Reference
Network A needs 120 hosts < 128 = 27 -> Need a subnet mask of 7 bit 0s -> “/25″.

Because the ip subnet-zero command is used, network 172.16.3.0/30 can be used.

Answer E “Link A – 172.16.3.40/30″ is not correct because this subnet belongs to MARKETING subnet (172.16.3.32/27).
Answer F “Link A – 172.16.3.112/30″ is not correct because this subnet belongs to ADMIN subnet (172.16.3.96/27).

87.  Which type of device can be replaced by the use of subinterfaces for VLAN routing?

  • Layer 2 bridge
  • Layer 2 switch
  • Layer 3 switch*
  • router

88.  Which statement about LLDP is true?

  • It is configured in global configuration mode.
  • It is configured in global configuration mode.*
  • The LLDP update frequency is a fixed value.
  • It runs over the transport layer.
Show (Hide) Explanation/Reference
Link Layer Discovery Protocol (LLDP) is a industry standard protocol that allows devices to advertise, and discover connected devices, and there capabilities (same as CDP of Cisco). To enable it on Cisco devices, we have to use this command under global configuration mode:

Sw(config)# lldp run

89.  If the primary root bridge experiences a power loss, which switch takes over?

  • switch 0040.00.90C5
  • switch 00E0.F90B.6BE3
  • switch 0004.9A1A.C182*
  • switch 00E0.F726.3DC6
Show (Hide) Explanation/Reference
The switches compare their Bridge ID with each other to find out who will be the root bridge. The root bridge is the bridge with the lowest bridge ID.

Bridge ID = Bridge Priority + MAC Address

In this question the bridge priority was not mentioned so we suppose they are the same. Therefore the switch with lowest MAC address will become the new root bridge.

90.  A network administrator is troubleshooting an EIGRP problem on a router and needs to confirm the IP addresses of the devices with which the router has established adjacency. The retransmit interval and the queue counts for the adjacent routers also need to be checked. What command will display the required information?

  • Router# show ip eigrp neighbors*
  • Router# show ip eigrp interfaces
  • Router# show ip eigrp adjacency
  • Router# show ip eigrp topology
Show (Hide) Explanation/Reference
Below is an example of the “show ip eigrp neighbors” output.

Let’s analyze these columns:

H: lists the neighbors in the order this router was learned
Address: the IP address of the neighbors
+ Interface: the interface of the local router on which this Hello packet was received
Hold (sec): the amount of time left before neighbor is considered in “down” status
Uptime: amount of time since the adjacency was established
SRTT (Smooth Round Trip Timer): the average time in milliseconds between the transmission of a packet to a neighbor and the receipt of an acknowledgement.
RTO (Retransmission Timeout): if a multicast has failed, then a unicast is sent to that particular router, the RTO is the time in milliseconds that the router waits for an acknowledgement of that unicast.
Queue count (Q Cnt): shows the number of queued EIGRP packets. It is usually 0.
Sequence Number (Seq Num): the sequence number of the last update EIGRP packet received. Each update message is given a sequence number, and the received ACK should have the same sequence number. The next update message to that neighbor will use Seq Num + 1.

In this question we have to check the RTO and Q cnt fields.

91.  Which three statements about IPv6 prefixes are true? (Choose three.)

  • FEC0::/10 is used for IPv6 broadcast.
  • FC00::/7 is used in private networks.*
  • FE80::/8 is used for link-local unicast.
  • FE80::/10 is used for link-local unicast.*
  • 2001::1/127 is used for loopback addresses.
  • FF00::/8 is used for IPv6 multicast.*
Show (Hide) Explanation/Reference
Below is the list of common kinds of IPv6 addresses:

Loopback address ::1
Link-local address FE80::/10
Site-local address FEC0::/10 (but it is deprecated and replaced with FC00::/7 for used in private networks)
Global address 2000::/3
Multicast address FF00::/8

92.  Which command can you enter to display duplicate IP addresses that the DHCP server assigns?

  • show ip dhcp conflict 10.0.2.12*
  • show ip dhcp database 10.0.2.12
  • show ip dhcp server statistics
  • show ip dhcp binding 10.0.2.12
Show (Hide) Explanation/Reference
The command “show ip dhcp conflict” is used to display address conflicts found by a Cisco IOS DHCP Server when addresses are offered to the client. An example of the output of this command is shown below:

93.  Which three ports will be STP designated ports if all the links are operating at the same bandwidth? (Choose three.)

  • Switch B – F0/0*
  • Switch A – Fa0/1*
  • Switch B – Fa0/1*
  • Switch C – F0/1
  • Switch A – Fa0/0
  • Switch C – Fa0/0

94.  Refer to the exhibit
The network administrator cannot connect to Switch 1 over a Telnet session, although the hosts attached to Switch1 can ping the interface Fa0/0 of the router. Given the information in the graphic and assuming that the router and Switch2 are configured properly, which of the following commands should be issued on Switch1 to correct this problem?

  • Switch1(config)# ip default-gateway 192.168.24.1*
  • Switch1(config)# interface fa0/1Switch1(config-if)# switchport mode trunk
  • Switch1(config)# line con0Switch1(config-line)# password ciscoSwitch1(config-line)# login
  • Switch1(config)# interface fa0/1Switch1(config-if)# ip address 192.168.24.3 255.255.255.0
  • Switch1(config)# interface fa0/1Switch1(config-if)# duplex fullSwitch1(confiq-if)# speed 100

95.  Refer to the exhibit.

Each of these four switches has been configured with a hostname, as well as being configured to run RSTP.No other configuration changes have been made. Which three of these show the correct RSTP port roles for the indicated switches and interfaces? (Choose three.)

  • A. SwitchA, Fa0/2, designated *
  • B. SwitchA, Fa0/1, root *
  • C. SwitchB, Gi0/2, root
  • D. SwitchB, Gi0/1, designated
  • E. SwitchC, Fa0/2, root
  • F. SwitchD, Gi0/2, root*
Show (Hide) Explanation/Reference
The question says “no other configuration changes have been made” so we can understand these switches have the same bridge priority. Switch C has lowest MAC address so it will become root bridge and 2 of its ports (Fa0/1 & Fa0/2) will be designated ports -> E is incorrect.

Because SwitchC is the root bridge so the 2 ports nearest SwitchC on SwitchA (Fa0/1) and SwitchD (Gi0/2) will be root ports -> B and F are correct.

Now we come to the most difficult part of this question: SwitchB must have a root port so which port will it choose? To answer this question we need to know about STP cost and port cost.

In general, “cost” is calculated based on bandwidth of the link. The higher the bandwidth on a link, the lower the value of its cost. Below are the cost values you should memorize:

Link speed Cost
10Mbps 100
100Mbps 19
1 Gbps 4

SwitchB will choose the interface with lower cost to the root bridge as the root port so we must calculate the cost on interface Gi0/1 & Gi0/2 of SwitchB to the root bridge. This can be calculated from the “cost to the root bridge” of each switch because a switch always advertises its cost to the root bridge in its BPDU. The receiving switch will add its local port cost value to the cost in the BPDU.

In the exhibit you also we FastEthernet port is connecting to GigabitEthernet port. In this case GigabitEthernet port will operate as a FastEthernet port so the link can be considered as FastEthernet to FastEthernet connection.

One more thing to notice is that a root bridge always advertises the cost to the root bridge (itself) with an initial value of 0.

Now let’s have a look at the topology again

SwitchC advertises its cost to the root bridge with a value of 0. Switch D adds 19 (the cost value of 100Mbps link although the port on Switch D is GigabitEthernet port) and advertises this value (19) to SwitchB. SwitchB adds 4 (the cost value of 1Gbps link) and learns that it can reach SwitchC via Gi0/1 port with a total cost of 23. The same process happens for SwitchA and SwitchB learns that it can reach SwitchC via Gi0/2 with a total cost of 38 -> Switch B chooses Gi0/1 as its root port -> D is not correct.

Now our last task is to identify the port roles of the ports between SwitchA & SwitchB. It is rather easy as the MAC address of SwitchA is lower than that of SwitchB so Fa0/2 of SwitchA will be designated port while Gi0/2 of SwitchB will be alternative port -> A is correct but C is not correct.

Below summaries all the port roles of these switches:

+ DP: Designated Port (forwarding state)
+ RP: Root Port (forwarding state)
+ AP: Alternative Port (blocking state)

96.  Which feature builds a FIB and an adjacency table to expedite packet forwarding?

  • cut through
  • fast switching
  • process switching
  • Cisco Express Forwarding*
Show (Hide) Explanation/Reference
Cisco Express Forwarding (CEF) provides the ability to switch packets through a device in a very quick and efficient way while also keeping the load on the router’s processor low. CEF is made up of two different main components: the Forwarding Information Base (FIB) and the Adjacency Table. These are automatically updated at the same time as the routing table.

The Forwarding Information Base (FIB) contains destination reachability information as well as next hop information. This information is then used by the router to make forwarding decisions. The FIB allows for very efficient and easy lookups.

The adjacency table is tasked with maintaining the layer 2 next-hop information for the FIB.

97.  Which command can you enter to verify that a 128-bit address is live and responding?

  • traceroute
  • telnet
  • ping*
  • show ipv6

98.  What are two reasons that duplex mismatches can be difficult to diagnose? (Choose two.)

  • The interface displays a connected (up/up) state even when the duplex settings are mismatched.*
  • 1-Gbps interfaces are full-duplex by default.
  • Full-duplex interfaces use CSMA/CD logic, so mismatches may be disguised by collisions.
  • The symptoms of a duplex mismatch may be intermittent.*
  • Autonegotiation is disabled.

99.  Which condition indicates that service password-encryption is enabled?

  • The local username password is in clear text in the configuration.
  • The enable secret is in clear text in the configuration.
  • The local username password is encrypted in the configuration.*
  • The enable secret is encrypted in the configuration.
Show (Hide) Explanation/Reference
The service password-encryption command will encrypt all current and future passwords so any password existed in the configuration will be encrypted.

100.  Which protocol advertises a virtual IP address to facilitate transparent failover of a Cisco routing device?

  • FHRP*
  • DHCP
  • RSMLT
  • ESRP

Show (Hide) Explanation/Reference
First Hop Redundancy Protocol (FHRP) is a protocol that enables two or more devices to work together in a group, sharing a single IP address, the virtual IP address. One router is elected to handle all requests sent to the virtual IP address. With HSRP, this is the active router. An HSRP group has one active router and at least one standby router.

101.  What is the correct routing match to reach 172.16.1.5/32?

  • 172.16.1.0/26*
  • 172.16.1.0/25
  • 172.16.1.0/24
  • the default route
Show (Hide) Explanation/Reference
Although all above answers are correct but 172.16.1.0/26 is the best choice as it is the most specific prefix-match one.

102.  Which layer in the OSI reference model is responsible for determining the availability of the receiving program and checking to see if enough resources exist for that communication?

  • transport
  • network
  • presentation
  • session
  • application*

103.  What is the purpose of the POST operation on a router?

  • determine whether additional hardware has been added*
  • locate an IOS image for booting
  • enable a TFTP server
  • set the configuration register
Show (Hide) Explanation/Reference
In short, when powered on the router needs to do:

1. Run POST to check hardware
2. Search for a valid IOS (the Operating System of the router)
3. Search for a configuration file (all the configurations applied to this router)

104.  Which protocol is the Cisco proprietary implementation of FHRP?

  • HSRP*
  • VRRP
  • GLBP
  • CARP

105.  Which three characteristics are representative of a link-state routing protocol? (Choose three.)

  • provides common view of entire topology*
  • exchanges routing tables with neighbors
  • calculates shortest path*
  • utilizes event-triggered updates*
  • utilizes frequent periodic updates

106.  Which part of the PPPoE server configuration contains the information used to assign an IP address to a PPPoE client?

  • virtual-template interface*
  • DHCP
  • dialer interface
  • AAA authentication
Show (Hide) Explanation/Reference
The picture below shows all configuration needed for PPPoE:

There is no Dialer interface on the PPPoE Server so answer “Dialer interface” is not correct. The most suitable answer is “Virtual Template” interface as it contains the pool which is used to assign IP address to the PPPoE Client. But this question is weird because according to the CCNAv3 syllabus, candidates only need to grasp the PPPoE on client-side, not sure why this question asked about PPPoE on Server side. For more information about PPPoE, please read our PPPoE tutorial.

107. how is MPLS implemented (like this) :

  • on LAN
  • must be on redundant links
  • can be on redundant or nonredundant links*
  • can’t remember

108.  Which three statements about RSTP are true? (Choose three.)

  • RSTP significantly reduces topology reconverging time after a link failure.*
  • RSTP expands the STP port roles by adding the alternate and backup roles.*
  • RSTP port states are blocking, discarding, learning, or forwarding.
  • RSTP provides a faster transition to the forwarding state on point-to-point links than STP does.*
  • RSTP also uses the STP proposal-agreement sequence.
  • RSTP uses the same timer-based process as STP on point-to-point links

109.  What are two benefits of using NAT? (Choose two.)

  • A. NAT protects network security because private networks are not advertised.*
  • B. NAT accelerates the routing process because no modifications are made on the packets.
  • C. Dynamic NAT facilitates connections from the outside of the network.
  • D. NAT facilitates end-to-end communication when IPsec is enable.
  • E. NAT eliminates the need to re-address all host that require external access.*
  • F. NAT conserves addresses through host MAC-level multiplexing.
Show (Hide) Explanation/Reference
By not reveal the internal IP addresses, NAT adds some security to the inside network -> A is correct.

NAT has to modify the source IP addresses in the packets -> B is not correct.

Connection from the outside to a network through “NAT” is more difficult than a normal network because IP addresses of inside hosts are hidden -> C is not correct.

In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct.

By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct.

NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.

110.  Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two.)

  • SW1#show port-secure interface FastEthernet 0/12
  • SW1#show switchport port-secure interface FastEthernet 0/12
  • SW1#show running-config*
  • SW1#show port-security interface FastEthernet 0/12*
  • SW1#show switchport port-security interface FastEthernet 0/12
Show (Hide) Explanation/Reference
We can verify whether port security has been configured by using the “show running-config” or “show port-security interface ” for more detail. An example of the output of “show port-security interface ” command is shown below:

111.  Refer to the exhibit. Given this output for SwitchC, what should the network administrator’s next action be?

  • Check the trunk encapsulation mode for Switch C’s fa0/1 port.
  • Check the duplex mode for Switch C’s fa0/1 port.
  • Check the duplex mode for Switch A’s fa0/2 port.*
  • Check the trunk encapsulation mode for Switch A’s fa0/2 port

112.  Which statement is correct regarding the operation of DHCP?

  • A DHCP client uses a ping to detect address conflicts.
  • A DHCP server uses a gratuitous ARP to detect DHCP clients.
  • A DHCP client uses a gratuitous ARP to detect a DHCP server.
  • If an address conflict is detected, the address is removed from the pool and an administrator must resolve the conflict.*
  • If an address conflict is detected, the address is removed from the pool for an amount of time configurable by the administrator.
  • If an address conflict is detected, the address is removed from the pool and will not be reused until the server is rebooted.
Show (Hide) Explanation/Reference
An address conflict occurs when two hosts use the same IP address. During address assignment, DHCP checks for conflicts using ping and gratuitous ARP. If a conflict is detected, the address is removed from the pool. The address will not be assigned until the administrator resolves the conflict.

(Reference: http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cddhcp.html)

113.  Which two statements about using the CHAP authentication mechanism in a PPP link are true? (Choose two.)

  • CHAP uses a two-way handshake.
  • CHAP uses a three-way handshake.*
  • CHAP authentication periodically occurs after link establishment.*
  • CHAP authentication passwords are sent in plaintext.
  • CHAP authentication is performed only upon link establishment.
  • CHAP has no protection from playback attacks.

114.  Refer to the exhibit. Switch port FastEthernet 0/24 on ALSwitch1 will be used to create an IEEE 802.1Q-compliant trunk to another switch. Based on the output shown, what is the reason the trunk does not form, even though the proper cabling has been attached?

  • VLANs have not been created yet.
  • An IP address must be configured for the port.
  • The port is currently configured for access mode.*
  • The correct encapsulation type has not been configured.
  • The no shutdown command has not been entered for the port.
Show (Hide) Explanation/Reference
The “Operational Mode” is “static access” so this port is currently in access mode.

115.  Refer to the exhibit. A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.)

  • Port security needs to be globally enabled.
  • Port security needs to be enabled on the interface.*
  • Port security needs to be configured to shut down the interface in the event of a violation.
  • Port security needs to be configured to allow only one learned MAC address.*
  • Port security interface counters need to be cleared before using the show command.
  • The port security configuration needs to be saved to NVRAM before it can become active.
Show (Hide) Explanation/Reference
As we see in the output, the “Port Security” is in “Disabled” state (line 2 in the output). To enable Port security feature, we must enable it on that interface first with the command:

SwitchA(config-if)#switchport port-security

-> B is correct.

Also from the output, we learn that the switch is allowing 2 devices to connect to it (switchport port-security maximum 2) but the question requires allowing only PC_A to access the network so we need to reduce the maximum number to 1 -> D is correct.

116.  Which three statements about static routing are true? (Choose three.)

  • It uses consistent route determination.*
  • It is best used for small-scale deployments.*
  • Routing is disrupted when links fail.*
  • It requires more resources than other routing methods.
  • It is best used for large-scale deployments.
  • Routers can use update messages to reroute when links fail.
Show (Hide) Explanation/Reference
The static routing specifies a fixed destination so it is “consistent”. It is best used for small-scaled places where there are a few routers only. When links fail, static route cannot automatically find an alternative path like dynamic routing so routing is disrupted.

117.  What are the address that will show at the show ip route if we configure the above statements? (Choose Three.)

  • 10.0.0.0*
  • 10.4.3.0
  • 172.15.4.0
  • 172.15.0.0*
  • 192.168.4.0*
  • 192.168.0.0
Show (Hide) Explanation/Reference
With auto-summary feature is turned on, EIGRP will summary these networks to their classful networks automatically. For example:

+ 172.15.4.0 belongs to class B so it will be summarized to 172.15.0.0
+ 10.4.3.0 belongs to class A so it will be summarized to 10.0.0.0
+ 192.168.4.0 belongs to class C so it will be summarized to 192.168.4.0 (same)

118.   Which feature facilitates the tagging of frames on a specific VLAN?

  • Routing
  • Hairpinning
  • Encapsulation*
  • Switching

119.  What does split horizon prevent?

  • routing loops, link state
  • routing loops, distance vector*
  • switching loops, STP
  • switching loops, VTP
Show (Hide) Explanation/Reference
Split horizon is used in distance vector routing protocols (like RIP, EIGRP) to prevent routing loops by prohibiting a router from advertising a route back to the interface from which it was learned.

120.  Which value to use in HSRP protocol election process?

  • interface
  • virtual IP address
  • priority*
  • router ID
Show (Hide) Explanation/Reference
HSRP election is based on a priority value (0 to 255) that is configured on each router in the group. By default, the priority is 100. The router with the highest priority value (255 is highest) becomes the active router for the group. If all router priorities are equal or set to the default value, the router with the highest IP address on the HSRP interface becomes the active router. Below is an example of assigning HSRP priority of 200 to R1:

R1(config-if)# standby 1 priority 200

121.  Which of the following is needed to be enable back the role of active in HSRP?

  • preempt*
  • priority
  • other options
Show (Hide) Explanation/Reference
The “preempt” command enables the HSRP router with the highest priority to immediately become the active router. For example if we have a new router joining an HSRP of 1 and we want this router becomes the active router immediately (provided it had the highest HSRP priority) then we will need this additional command:

New_Router(config-if)#standby 1 preempt

122.  Which command is used to show the interface status of a router?

  • show interface status
  • show ip interface brief*
  • show ip route
  • show interface
Show (Hide) Explanation/Reference
The “show ip interface brief” command can be used to view a summary of the router interfaces. This command displays the IP address, interface status, and additional information. An example of the “show ip interface brief” command is shown below. We can see the interface status of E0/0 is “up/up”.

123.  Which of the following privilege level is the most secured?

  • Level 0
  • Level 1
  • Level 15*
  • Level 16
Show (Hide) Explanation/Reference
By default, the Cisco IOS CLI has two privilege levels enabled, level 1 and level 15.

+ User EXEC mode (privilege level 1): provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.
+ Privileged EXEC mode (privilege level 15): includes all enable-level commands at the Router# prompt. Level 15 users can execute all commands and this is the most secured and powerful privilege level.

However, there are actually 16 privilege levels available on the CLI, from 0 to 15 and you can assign users to any of those levels. Zero-level access allows only five commands -logout, enable, disable, help, and exit. User level (level 1) provides very limited read-only access to the router, and privileged level (level 15) provides complete control over the router.

124.  Which IPV6 feature is supported in IPV4 but is not commonly used?

  • unicast
  • multicast
  • anycast*
  • broadcast
Show (Hide) Explanation/Reference
Only three connection types are commonly known and used in Internet Protocol version four (IPv4) networks: unicast, multicast and broadcast. A fourth connection type, Anycast, was unknown until IPv6 made it a standard connection type. Anycast is not standardized in IPv4 but can be emulated. IPv4 Anycast addressing is a good solution to provide localization for services and servers in order to obtain robustness, redundancy and resiliency.

The basic idea of Anycast is very simple: multiple servers, which share the same IP address, host the same service. The routing infrastructure sends IP packets to the nearest server (according to the metric of the routing protocol used). The major benefits of employing Anycast in IPv4 are improved latency times, server load balancing, and improved security.

Reference: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.116.6367&rep=rep1&type=pdf

125.  Which two statements are true about IPv6 Unique Local Addresses? (Choose Two.)

  • It is the counterpart of IPv4 private addresses*
  • It uses FC00::/7 as prefix*
  • wrong
  • wrong

126.  Which range represents the standard access list?

  • 99*
  • 150
  • 299
  • 2000
Show (Hide) Explanation/Reference
Below is the range of standard and extended access list

Access list type Range
Standard 1-99, 1300-1999
Extended 100-199, 2000-2699

127.  What to do when the router password was forgotten?

  • use default password cisco to reset
  • access router physically
  • use ssl/vpn
  • Type confreg 0x2142 at the rommon 1*
Show (Hide) Explanation/Reference
To reset the password we can type “confreg 0x2142” under rommon mode to set the configuration register to 2142 in hexadecimal (the prefix 0x means hexadecimal (base 16)). With this setting when that router reboots, it bypasses the startup-config.

128.  What is true about Cisco Discovery Protocol?

  • it discovers the routers, switches and gateways.
  • it is network layer protocol
  • it is physical and data link layer protocol
  • it is proprietary protocol*

Show (Hide) Explanation/Reference
The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer protocol (Layer 2 protocol) developed by Cisco. It is used to share information about other directly connected Cisco equipment, such as the operating system version and IP address. The most popular command with CDP is “show cdp neighbors” to discover who is the neighbors.

There are 3 columns we should pay more attention to:

Local Interface (Local Intrfce): the interfaces on the device you are using “show cdp neighbors” command. In this case it is the interface of HOME router

Platform: the platform of neighbor device

Port ID: the neighbor device’s port or interface on which the CDP packets are multicast

Which command you enter on a switc

129.  Which of the following encrypts the traffic on a leased line?

  • telnet
  • ssh*
  • vtp
  • vpn
  • dmvpn
Show (Hide) Explanation/Reference
SSH, or secure shell, is a secure protocol that provides a built-in encryption mechanism for establishing a secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth.

Note: Virtual Private Networks (VPNs) are only secure if encrypted. The word “private” only means a given user’s virtual network is not shared with others. In reality a VPN still runs on a shared infrastructure and is not secured if not encrypted. VPNs are used over a connection you already have. That might be a leased line. It might be an ADSL connection. It could be a mobile network connection.

Therefore answer “SSH” is still better than the answer “VPN”.

130.  How do you configure a hostname?

  • A. Router(config)#hostname R1*
  • B. Router#hostname R1
  • C. Router(config)#host name R1
  • D. Router>hostname R1

131.  How do you maintain security in multiple websites?

  • vpn*
  • dmvpn
  • other
  • other
Show (Hide) Explanation/Reference
In fact in question wants to mention about site-to-site VPN. A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN means that two sites create a VPN tunnel by encrypting and sending data between two devices. One set of rules for creating a site-to-site VPN is defined by IPsec.

In the topology above, Remote Campus sites can connect to the Main Campus through site-to-site VPNs.

132.  Refer to the exhibit. Switch-1 needs to send data to a host with a MAC address of 00b0.d056.efa4. What will Switch-1 do with this data?

  • Switch-1 will drop the data because it does not have an entry for that MAC address.
  • Switch-1 will flood the data out all of its ports except the port from which the data originated.*
  • Switch-1 will send an ARP request out all its ports except the port from which the data originated.
  • Switch-1 will forward the data to its default gateway.
Show (Hide) Explanation/Reference
The MAC address of 00b0.d056.efa4 has not been learned in its MAC address table so Switch-1 will broadcast the frame out all of its ports except the port from which the data originated.

133.  What routing protocol use first-hand information from peers?

  • link-state*
  • distance-vector
  • path-vector
  • other
Show (Hide) Explanation/Reference
http://www.ciscopress.com/articles/article.asp?p=24090&seqNum=4

The reason is that unlike the routing-by-rumor approach of distance vector, link state routers have firsthand information from all their peer routers. Each router originates information about itself, its directly connected links, and the state of those links (hence the name). This information is passed around from router to router, each router making a copy of it, but never changing it. The ultimate objective is that every router has identical information about the internetwork, and each router will independently calculate its own best paths.

134.  What field is consist of 6 bytes in the field identification frame in IEEE 802.1Q?

  • SA*
  • DA
  • FCS
  • other

Show (Hide) Explanation/Reference
The picture below shows the fields in IEEE 802.1Q frame.

The SA field is the source address field. The field should be set to the MAC address of the switch port that transmits the frame. It is a 48-bit value (6 bytes). The receiving device may ignore the SA field of the frame.

In fact there is another correct answer for this question: DA (Destination Address) which also consists of 6 bytes. Maybe there is a mistake or typo in this question.

Which statement a

135.  What is new in HSRPv2?

  • prempt
  • a greater number in hsrp group field*
  • other

136.  What’s are true about MPLS?

  • It use a label to separate traffic from several costumer*
  • It use IPv4 IPv6
  • other
  • other

137.  A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?

  • reflexive
  • extended
  • standard
  • dynamic*
Show (Hide) Explanation/Reference
We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

138.  Which command is necessary to permit SSH or Telnet access to a cisco switch that is otherwise configured for these vty line protocols?

  • transport type all
  • transport output all
  • transport preferred all
  • transport input all*
Show (Hide) Explanation/Reference
The “transport input” command is used to define which protocols to use to connect to a specific line (vty, console, aux…) of the router. The “transport input all” command will allow all protocols (including SSH and Telnet) to do this.

139.  What should be part of a comprehensive network security plan?

  • Allow users to develop their own approach to network security
  • Physically secure network equipment from potential access by unauthorized individuals*
  • Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
  • Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
  • Minimize network overhead by deactivating automatic antivirus client updates
Show (Hide) Explanation/Reference
All other answers are not recommended for a network security plan so only B is the correct answer.

140.  Which two Cisco IOS commands, used in troubleshooting, can enable debug output to a remote location? (Choose two)

  • no logging console
  • logging host ip-address*
  • terminal monitor*
  • show logging | redirect flashioutput.txt
  • snmp-server enable traps syslog
Show (Hide) Explanation/Reference
The “no logging console” turns off logging to the console connection (it is turned on by default) and it is often used if the console received large amount of logging output. But this command is not recommended in normal configuration -> A is not correct.

The command “logging host ip-address” instructs the device to send syslog messages to an external syslog server -> B is correct.

The “show logging | redirect flashioutput.txt” command will put the text file in the router flash memory because we did not specify a remote location (like tftp) -> D is not correct.

The command “snmp-server enable traps syslog” instructs the device to send syslog messages to your network management server as SNMP traps instead of syslog packets. This command itself does not enable debug output to a remote location -> E is not correct.

By default, Cisco IOS does not send log messages to a terminal session over IP, that is, telnet or SSH connections don’t get log messages. But notice that console connections on a serial cable do have logging enabled by default. The command “terminal monitor” helps logging messages appear on the your terminal. First we don’t think this is a correct answer but after reading the question again, we believe it is a suitable one as a Telnet/SSH session may be considered a “remote location” -> C is correct.


Related Articles

Leave a Reply

avatar
Photo and Image Files
 
 
 
Audio and Video Files
 
 
 
Other File Types
 
 
 

Send this to a friend