[PART 3] CCNA 200-125 Dumps Questions and Answers Latest (VCE + PDF)

141.  Which component of the Cisco SDN solution serves as the centralized management system?

  • Cisco OpenDaylight
  • Cisco ACI
  • Cisco APIC*
  • Cisco IWAN
Explanation/Reference:

Cisco Application Policy Infrastructure Controller (APIC)
Provides single-click access to all Cisco ACI fabric information, enabling network automation, programmability, and centralized management.

The Cisco Application Policy Infrastructure Controller (Cisco APIC) is the unifying point of automation and management for the Application Centric Infrastructure (ACI) fabric. The Cisco APIC provides centralized access to all fabric information, optimizes the application lifecycle for scale and performance, and supports flexible application provisioning across physical and virtual resources.

Centralized application-level policy engine for physical, virtual, and cloud infrastructures
Designed for automation, programmability, and centralized management, the Cisco APIC itself exposes northbound APIs through XML and JSON. It provides both a command-line interface (CLI) and GUI which utilize the APIs to manage the fabric holistically.
Cisco APIC provides:
+ A single pane of glass for application-centric network policies
+ Fabric image management and inventory
+ Application, tenant, and topology monitoring

142.  What command can you enter in config mode to create a DHCP pool?

  • ip dhcp pool DHCP_pool*
  • ip dhcp excluded-address
  • ip dhcp conflict logging
  • service dhcp

143.  Which utility can you use to determine whether a switch can send echo requests and replies?

  • ping*
  • traceroute
  • ssh
  • telnet
Explanation/Reference:
“ping” command is used to send echo requests and receive echo replies.

144.  What are two benefits of DHCP snooping? (Choose two)

  • static reservation
  • DHCP reservation
  • prevent rogue DHCP servers*
  • prevent untrusted hosts and servers from connecting*
Explanation/Reference:
Quick review of DHCP Spoofing and DHCP snooping:

DHCP spoofing is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker's IP address as the client's default gateway -> all the traffic sent from the client will go through the attacker's computer, and the attacker becomes a “man-in-the-middle”.

The attacker has several ways to make sure the fake DHCP Response arrives first. In fact, if the attacker is “closer” to the client than the DHCP Server, nothing extra is needed. Alternatively, the attacker can DoS the DHCP Server so that it can’t send the DHCP Response.

DHCP snooping can prevent DHCP spoofing attacks. DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted.

Only ports that connect to an authorized DHCP server are trusted, and allowed to send all types of DHCP messages. All other ports on the switch are untrusted and can send only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down -> Answer D is correct.

The fundamental use case for DHCP snooping is to prevent unauthorized (rogue) DHCP servers offering IP addresses to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes -> C is correct.
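As an added illustration (not code from the original page), the following Python model implements the trust rule just described: client-originated DHCP messages are accepted from any port, server-originated messages only from trusted ports, and a server message arriving on an untrusted port is logged and the port is disabled. Port names, message names and the sample frames are constructed for this example.

```python
from dataclasses import dataclass, field

# DHCP message types (option 53). Clients originate the first set; only
# servers originate the second, so the second set must never appear on an
# untrusted (client-facing) port.
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpFrame:
    ingress_port: str   # switch port the frame arrived on (constructed names)
    message_type: str   # one of the option-53 names above
    src_ip: str         # constructed source address, used only for logging


@dataclass
class DhcpSnooping:
    trusted_ports: set
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def inspect(self, frame: DhcpFrame) -> str:
        """Return "forward" or "drop" for one DHCP frame.

        A server-originated message seen on an untrusted port is the
        signature of a rogue DHCP server; the page says the port is shut
        down, which is modelled here by adding it to err_disabled."""
        if frame.ingress_port in self.err_disabled:
            return "drop"                      # port already shut down
        if frame.ingress_port in self.trusted_ports:
            return "forward"                   # trusted: any DHCP message is fine
        if frame.message_type in CLIENT_MESSAGES:
            return "forward"                   # untrusted ports may only ask
        if frame.message_type in SERVER_MESSAGES:
            self.err_disabled.add(frame.ingress_port)
            self.log.append(
                f"DHCP {frame.message_type} from {frame.src_ip} on untrusted "
                f"{frame.ingress_port}: rogue server suspected, port err-disabled")
            return "drop"
        return "drop"                          # unknown type: fail closed


def run_sample():
    """Feed a constructed sequence of frames through the model and return
    the per-frame decisions (in order) plus the resulting snooping state."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/24"})   # uplink to the real server
    frames = [
        DhcpFrame("Fa0/3", "DISCOVER", "0.0.0.0"),        # legitimate client
        DhcpFrame("Gi0/24", "OFFER", "192.0.2.1"),        # real server via trusted port
        DhcpFrame("Fa0/5", "OFFER", "192.0.2.250"),       # rogue server on an access port
        DhcpFrame("Fa0/5", "DISCOVER", "0.0.0.0"),        # same port, now disabled
        DhcpFrame("Fa0/3", "REQUEST", "0.0.0.0"),
    ]
    return [snoop.inspect(f) for f in frames], snoop


if __name__ == "__main__":
    decisions, state = run_sample()
    for d in decisions:
        print(d)
    for entry in state.log:
        print(entry)
```

The model only classifies by message type and port trust; a real switch additionally builds a binding table from the DHCP exchanges it sees, which is what later features such as Dynamic ARP Inspection consume.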

145.  What are the three major components of Cisco network virtualization? (Choose Three)

  • network access control*
  • path isolation*
  • virtual network services*
  • policy enforcement
Explanation/Reference:
Network virtualization architecture has three main components:

+ Network access control and segmentation of classes of users: Users are authenticated and either allowed or denied into a logical partition. Users are segmented into employees, contractors and consultants, and guests, with respective access to IT assets. This component identifies users who are authorized to access the network and then places them into the appropriate logical partition.

+ Path isolation: Network isolation is preserved across the entire enterprise: from the edge to the campus to the WAN and back again. This component maintains traffic partitioned over a routed infrastructure and transports traffic over and between isolated partitions. The function of mapping isolated paths to VLANs and to virtual services is also performed in this component.

+ Network services virtualization: This component provides access to shared or dedicated network services such as security, quality of service (QoS), and address management (Dynamic Host Configuration Protocol [DHCP] and Domain Name System [DNS]). It also applies policy per partition and isolates application environments, if required.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series switches/white_paper_c11-531522.pdf

146.  Which feature is configured by setting a variance that is at least 2 times the metric?

  • unequal cost load balancing*
  • path selection
  • equal cost load balancing
  • path count
Explanation/Reference:
EIGRP provides a mechanism to load balance over unequal cost paths (called unequal cost load balancing) through the “variance” command. In other words, EIGRP will install every path whose metric < variance * best_metric into the local routing table, provided that the path meets the feasibility condition (which prevents routing loops). The feasibility condition states that the Advertised Distance (AD) of a route must be lower than the Feasible Distance (FD) of the current successor route.
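Added example, not from the original page: a Python function that applies both rules above (feasibility condition first, then the variance multiplier, using the strict “<” comparison the page states) to a constructed set of four neighbours advertising the same destination. Router names and metrics are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EigrpPath:
    next_hop: str
    metric: int               # this router's total metric via next_hop (FD if chosen)
    advertised_distance: int  # the neighbour's own metric to the destination (AD)


def paths_to_install(paths, variance):
    """Return the next hops EIGRP would install for one destination.

    The successor is the path with the lowest metric. Every other path is
    installed only if it is a feasible successor (AD < successor's FD, which
    rules out loops) AND its metric < variance * successor FD, the rule
    quoted on the page. With variance 1 (the default) only the successor and
    equal-metric paths survive."""
    if variance < 1:
        raise ValueError("variance must be >= 1")
    successor_fd = min(p.metric for p in paths)
    installed = []
    for p in paths:
        is_successor = p.metric == successor_fd
        feasible = p.advertised_distance < successor_fd
        within_variance = p.metric < variance * successor_fd
        if is_successor or (feasible and within_variance):
            installed.append(p.next_hop)
    return installed


# Constructed example: four neighbours advertise the same destination.
SAMPLE_PATHS = [
    EigrpPath("R2", metric=100, advertised_distance=60),   # successor, FD = 100
    EigrpPath("R3", metric=180, advertised_distance=90),   # feasible, 180 < 2*100
    EigrpPath("R4", metric=150, advertised_distance=120),  # AD 120 >= 100: not feasible
    EigrpPath("R5", metric=250, advertised_distance=50),   # feasible but 250 >= 2*100
]

if __name__ == "__main__":
    for v in (1, 2, 3):
        print(f"variance {v}: {paths_to_install(SAMPLE_PATHS, v)}")
```

Note that R4 is never installed however large the variance is: its metric is within range at variance 2, but its advertised distance is not below the successor's FD, so it fails the loop-prevention check before the variance is even considered.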

147.  Which is the industry-standard EtherChannel protocol?

  • LACP*
  • PAGP
  • PRP
  • REP

148.  Which two features does the extended ping command provide? (Choose two)

  • It can send a specific number of packets*
  • It can send packets from a specified interface or IP address*
  • It can resolve the destination host name
  • It can ping multiple hosts at the same time
Explanation/Reference:
There are many options to choose from when using extended ping. The options that we can choose are shown below:

In which:

Repeat count [5]: Number of ping packets that are sent to the destination address. The default is 5 -> A is correct.
Source address or interface: The interface or IP address of the router to use as a source address for the probes -> B is correct.

For more information about extended ping, please read: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html

149.  What command is used to configure a switch as an authoritative NTP server?

  • Switch(config)#ntp master 3*
  • Switch(config)#ntp peer IP
  • Switch(config)#ntp server IP
  • Switch(config)#ntp source IP
Explanation/Reference:
An Authoritative NTP Server can distribute time even when it is not synchronized to an existing time server. To configure a Cisco device as an Authoritative NTP Server, use the ntp master [stratum] command.

150.  Which two statements about syslog logging are true?

  • Syslog logging is disabled by default
  • Messages are stored in the internal memory of device*
  • Messages can be erased when device reboots*
  • Messages are stored external to the device
  • The size of the log file is dependent on the resources of the device.
Explanation/Reference:
By default, if we type the “show logging” command we will see that syslog logging has been enabled -> A is not correct.

The syslog messages are stored in the internal buffer of the device. The buffer size is limited to a few kilobytes. However, when the device reboots, these syslog messages are lost -> B is correct; C is correct; D is not correct.

151.  How can VLANs be propagated automatically across multiple switches?

  • Configure VLAN
  • Configure NTP
  • Configure each VLAN
  • Configure VTP*

152.  Which password types are encrypted?

  • SSH
  • Telnet
  • enable secret*
  • enable password
Explanation/Reference:
The “enable secret” password is always encrypted (independent of the “service password-encryption” command) using the MD5 hash algorithm.

Note: The “enable password” does not encrypt the password, which can be viewed in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. In general, don’t use enable password; use enable secret instead.

153.  What is the leading binary pattern of an IPv6 unique local address?

  • 00000000
  • 11111100*
  • 11111111
  • 11111101
Explanation/Reference:
An IPv6 Unique Local Address is an IPv6 address in the block FC00::/7, which means that IPv6 Unique Local Addresses begin with the 7-bit binary pattern 1111 110 -> Answer B is correct.

Note: IPv6 Unique Local Address is the approximate IPv6 counterpart of the IPv4 private address. It is not routable on the global Internet.

154.  Which statement about ACLs is true?

  • An ACL must have at least one permit action; otherwise it blocks all traffic.*
  • ACLs go bottom-up through the entries looking for a match
  • An ACL has an implicit permit at the end of the ACL.
  • ACLs will check the packet against all entries looking for a match.

155.  What is the cause of the Syslog output messages?

  • The EIGRP neighbor on Fa0/1 went down due to a failed link.
  • The EIGRP neighbor connected to Fa0/1 is participating in a different EIGRP process, causing the adjacency to go down.
  • A shut command was executed on interface Fa0/1, causing the EIGRP adjacency to go down.*
  • Interface Fa0/1 has become error disabled, causing the EIGRP adjacency to go down.
Explanation/Reference:
From the second line of the output, we learn that the Fa0/1 interface was shut down, so we see “changed state to administratively down”. The third and fourth lines are the result of this action, which caused Fa0/1 to “change state to down” and the EIGRP neighbor relationship to go down.

156.  Which fields are contained in a Layer 2 Ethernet frame? (Choose Three.)

  • Preamble*
  • TTL
  • Type/length*
  • Frame check sequence*
  • version
  • others
Explanation/Reference:
At the end of each frame there is a Frame Check Sequence (FCS) field. The FCS can be analyzed to determine whether errors have occurred. The FCS uses the cyclic redundancy check (CRC) algorithm to detect errors in transmitted frames. Before sending data, the sending host generates a CRC based on the header and data of that frame. When the frame arrives, the receiving host uses the same algorithm to generate its own CRC and compares the two. If they do not match, a CRC error occurs.

The preamble is used to indicate the start of the frame by arranging the first 62 bits as alternating “1/0s” and the last two bits as “1”s, like so: 010101010101010………………………10101011. Therefore, when the receiving end sees the “11” it knows where the actual Ethernet header starts. The alternating 1s and 0s also allow the two endpoints to sync their internal clocks. In summary, the preamble is used for synchronization.

The “Type/Length” field is used to indicate the “Type” of the payload (Layer 3 protocol), which is expressed as a hexadecimal value.

Note: Ethernet II uses “Type” while the older Ethernet versions use “Length”.

157.  Describe the best way to troubleshoot and isolate a network problem?

  • Create an action plan
  • Implement an action plan
  • Gather facts*
  • others
Explanation/Reference:
In fact, all three of the above answers are in the problem-solving process, but “gather facts” is Step 2 while “Create an action plan” and “Implement an action plan” are Steps 4 and 5 in this link: http://www.cisco.com/en/US/docs/internetworking/troubleshooting/guide/tr1901.html

Step 2 Gather the facts that you need to help isolate possible causes.
Ask questions of affected users, network administrators, managers, and other key people. Collect information from sources such as network management systems, protocol analyzer traces, output from router diagnostic commands, or software release notes.

158.  Under normal operations, Cisco recommends that you configure switch ports on which VLAN?

  • on the default vlan
  • on the management vlan
  • on the native vlan
  • on any vlan except the default vlan*
Explanation/Reference:
Note: There is a potential security consideration with dot1q that the implicit tagging of the native VLAN causes. The transmission of frames from one VLAN to another without a router can be possible. Refer to the Intrusion Detection FAQ for further details. The workaround is to use a VLAN ID for the native VLAN of the trunk that is not used for end-user access. In order to achieve this, the majority of Cisco customers simply leave VLAN 1 as the native VLAN on a trunk and assign access ports to VLANs other than VLAN 1.

159.  In which byte of an IP packet can traffic be marked?

  • the QoS byte
  • the CoS byte
  • the ToS byte*
  • the DSCP byte

160.  Which command can you enter to route all traffic that is destined to to a specific interface?

  • A. router(config)#ip route GigabitEthernet0/1*
  • B. router(config)#ip route GigabitEthernet0/1
  • C. router(config)#ip route GigabitEthernet0/1
  • D. router(config)#ip route GigabitEthernet0/1
Explanation/Reference:
The simple syntax of static route:

ip route destination-network-address subnet-mask {next-hop-IP-address | exit-interface}
+ destination-network-address: destination network address of the remote network
+ subnet mask: subnet mask of the destination network
+ next-hop-IP-address: the IP address of the receiving interface on the next-hop router
+ exit-interface: the local interface of this router where the packets will go out

In the statement “ip route GigabitEthernet0/1”:

+ the destination network
+ GigabitEthernet0/1: the exit-interface

161.  Which two protocols can detect native VLAN mismatch errors? (Choose two.)

  • CDP*
  • VTP
  • DTP
  • STP*
  • PAGP
Explanation/Reference:

CDP reports the mismatch with a message such as:

Oct 5 23:29:16: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet11/43 (512), with WS-C2950-12 FastEthernet0/6 (1)


Case 1: Change the native VLAN on SW1 connection to R3:

interface FastEthernet 1/3
switchport trunk native vlan 2

%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 2 on FastEthernet1/3 VLAN1.

%SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet1/3 on VLAN2. Inconsistent peer vlan.PVST+: restarted the forward delay timer for FastEthernet1/3

%SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet1/3 on VLAN1. Inconsistent local vlan.PVST+: restarted the forward delay timer for FastEthernet1/3
Note that SW2 detects an untagged packet with VLAN ID 2, which does not correspond to the locally configured default native VLAN 1. The corresponding port is put in the “inconsistent” state. The reason SW2 detects this condition (and not SW1) is that SW1 is sending SSTP BPDUs and SW2 is not (it receives superior BPDUs). As soon as the native VLAN is converted back to “1” on SW1, consistency is restored.

162.  Which three switchport configurations can always avoid duplex mismatch errors between the switches? (Choose Three.)

  • set both sides to auto-negotiation.*
  • set both sides to half-duplex*
  • set one side to auto and the other side to half-duplex
  • set both sides of the connection to full-duplex*
  • set one side to auto and the other side to full-duplex
  • set one side to full-duplex and the other side to half-duplex

163.  What are two benefits of Private IPv4 Addresses? (Choose two.)

  • they can be implemented without requiring an administrator to coordinate with IANA*
  • they are managed by IANA
  • increase the flexibility of network design
  • provide network isolation from the internet*
  • they are routable over the internet

164.  How many bits represent the network ID in an IPv6 address?

  • 32
  • 48
  • 64*
  • 128
Explanation/Reference:
Each ISP receives a /32 and provides a /48 for each site -> every ISP can provide 2^(48-32) = 65,536 site addresses (note: each network organized by a single entity is often called a site).

Each site provides a /64 for each LAN -> each site can provide 2^(64-48) = 65,536 LAN addresses for use in its private networks.
So each LAN can provide 2^64 interface addresses for hosts.

-> Global routing information is identified within the first 64-bit prefix.

Now let’s see an example of an IPv6 prefix: 2001:0A3C:5437:ABCD::/64:

In this example, the RIR has been assigned a 12-bit prefix. The ISP has been assigned a 32-bit prefix and the site is assigned a 48-bit site ID. The next 16 bits are the subnet field, which allows 2^16, or 65,536, subnets. This number is more than enough even for the largest corporations in the world!

The remaining 64 bits (not shown in the above example) are the Interface ID or host part, which is much bigger: 64 bits, or 2^64 hosts per subnet! For example, from the prefix 2001:0A3C:5437:ABCD::/64 an administrator can assign the IPv6 address 2001:0A3C:5437:ABCD:218:34EF:AD34:98D to a host.
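Added example (not from the page): a Python helper, using only the standard ipaddress module, that checks the 7-bit unique-local pattern from question 153 and reproduces the prefix arithmetic of question 164 on the page's own example prefix 2001:0A3C:5437:ABCD::/64. The 48-bit site / 16-bit subnet split follows the page's description; the sample addresses are constructed.

```python
import ipaddress

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # unique local addresses, RFC 4193


def leading_bits(addr: str, count: int = 7) -> str:
    """Return the first `count` bits of an IPv6 address as a 0/1 string."""
    return format(int(ipaddress.IPv6Address(addr)), "0128b")[:count]


def is_unique_local(addr: str) -> bool:
    """True when the address starts with 1111110, i.e. falls in fc00::/7."""
    return ipaddress.IPv6Address(addr) in ULA_BLOCK


def child_prefix_count(parent_len: int, child_len: int) -> int:
    """How many /child_len prefixes fit inside one /parent_len prefix,
    e.g. /48 sites in a /32 ISP block, or /64 LANs in a /48 site."""
    if not 0 <= parent_len <= child_len <= 128:
        raise ValueError("need 0 <= parent_len <= child_len <= 128")
    return 2 ** (child_len - parent_len)


def split_site_prefix(prefix: str) -> dict:
    """Split a /64 prefix the way the page describes it: a 48-bit site
    prefix, a 16-bit subnet ID, and a 64-bit interface-ID space."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    top64 = int(net.network_address) >> 64          # the 64-bit routing prefix
    return {
        "site_prefix": str(net.supernet(new_prefix=48)),
        "subnet_id": top64 & 0xFFFF,                 # low 16 bits of the /64
        "subnets_per_site": child_prefix_count(48, 64),
        "interface_ids_per_subnet": 2 ** 64,
    }


if __name__ == "__main__":
    # Constructed sample addresses: two ULAs, one link-local, one global.
    for a in ("fd12:3456:789a::1", "fc00::1", "fe80::1", "2001:db8::1"):
        print(a, leading_bits(a), is_unique_local(a))
    print(child_prefix_count(32, 48), "sites per ISP /32")
    print(split_site_prefix("2001:0A3C:5437:ABCD::/64"))
```

The link-local address fe80::1 is a useful contrast: its first seven bits are 1111111, one bit off the ULA pattern, which is exactly why a membership test against fc00::/7 rather than a string comparison on “fd” or “fc” is the reliable check.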

165.  ?????(An image on exhibit)
From the routing table shown, the route to the interface was learned by which routing protocol?

  • EIGRP*
  • OSPF
  • RIP
  • BGP

166.  Which WAN topology is most appropriate for a centrally located server farm with several satellite branches?

  • star
  • hub and spoke*
  • point-to-point
  • full mesh
Explanation/Reference:
Star is the most popular topology for Ethernet LANs, but hub and spoke is the most appropriate WAN topology.

In a hub-and-spoke network topology, one physical site acts as the hub (for example, the main office or headquarters), while the other physical sites act as spokes. Spoke sites are connected to each other via the hub site. In a hub-and-spoke topology, the network communication between two spokes always travels through the hub (except when using DMVPN Phase II or Phase III, where spokes can communicate with each other directly). The networking device at the hub site is often much more powerful than the ones at spoke sites.

Hub and spoke is an ideal topology when most of the resources lie at the hub site and the branch sites only need access to the hub.

Note: Although some books may say hub-and-spoke and star topologies are the same, in fact they differ. When talking about hub-and-spoke we often think about the communication between the hub site and spoke sites. When talking about star we think about the communication between end devices.

167.  Which function allows EIGRP peers to receive notice of implementing topology changes?

  • successors
  • advertised changes
  • goodbye messages*
  • expiration of the hold timer
Explanation/Reference:
The goodbye message is a feature designed to improve EIGRP network convergence. The goodbye message is broadcast when an EIGRP routing process is shutdown to inform adjacent peers about the impending topology change. This feature allows supporting EIGRP peers to synchronize and recalculate neighbor relationships more efficiently than would occur if the peers discovered the topology change after the hold timer expired.

The following message is displayed by routers that run a supported release when a goodbye message is received:

*Apr 26 13:48:42.523: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Ethernet0/0) is down: Interface Goodbye received

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfeigrp.html

Note: In this question we should understand “impending”, not “implementing” as there are no correct answers with “implementing” topology change.

168.  If you configure syslog messages without specifying the logging trap level, which log messages will the router send?

  • informational messages only
  • warning and error conditions only
  • normal but significant conditions only
  • error conditions only
  • all levels except debugging*
Explanation/Reference:
Syslog levels are listed below:

Level  Keyword        Description
0      emergencies    System is unusable
1      alerts         Immediate action is needed
2      critical       Critical conditions exist
3      errors         Error conditions exist
4      warnings       Warning conditions exist
5      notifications  Normal, but significant, conditions exist
6      informational  Informational messages
7      debugging      Debugging messages

The highest level is level 0 (emergencies). The lowest level is level 7. By default, the router will send informational messages (level 6). That means it will send all the syslog messages from level 0 to 6.
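Added example (not from the page): Python that parses the severity digit out of IOS %FACILITY-SEVERITY-MNEMONIC messages and filters a constructed log the way a trap level does, showing that the default level (6) forwards everything except debugging. The sample lines are constructed; their format follows the messages quoted elsewhere on this page.

```python
import re

# Severity keywords as IOS names them (from the table above).
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
DEFAULT_TRAP_LEVEL = 6   # "logging trap" unset: informational and more severe

# IOS system messages carry the severity inside %FACILITY-SEVERITY-MNEMONIC:
MESSAGE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")


def severity_of(line: str):
    """Numeric severity of one log line, or None if it is not an IOS message."""
    m = MESSAGE_RE.search(line)
    return int(m.group("severity")) if m else None


def keyword_to_level(keyword: str) -> int:
    """Translate a 'logging trap <keyword>' argument to its numeric level."""
    for level, name in SEVERITY_KEYWORDS.items():
        if name == keyword:
            return level
    raise ValueError(f"unknown severity keyword: {keyword}")


def messages_sent_to_server(lines, trap_level=DEFAULT_TRAP_LEVEL):
    """Keep the lines a router would forward to a syslog server at the given
    trap level: numerically lower severities are MORE severe, so everything
    with severity <= trap_level is sent. Lines without a severity are ignored."""
    kept = []
    for line in lines:
        sev = severity_of(line)
        if sev is not None and sev <= trap_level:
            kept.append(line)
    return kept


# Constructed sample log covering several severities.
SAMPLE_LOG = [
    "*Mar  1 00:01:02.123: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:01:10.456: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down",
    "*Mar  1 00:01:10.457: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down",
    "*Mar  1 00:01:15.001: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/2 (1), with SW2 FastEthernet0/6 (2)",
    "*Mar  1 00:01:20.900: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/2 on VLAN2. Inconsistent peer vlan.",
    "*Mar  1 00:01:30.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.10 started - CLI initiated",
    "*Mar  1 00:01:40.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): debug test",
]

if __name__ == "__main__":
    print(len(messages_sent_to_server(SAMPLE_LOG)), "lines at the default level")
    for line in messages_sent_to_server(SAMPLE_LOG, keyword_to_level("warnings")):
        print(line)
```

The same comparison direction applies when you tune a collector: a rule that alerts on “severity 4 and below” catches the CDP native-VLAN mismatch and the spanning-tree block above while ignoring routine level-5 link and config notices.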

169.  Which three options are benefits of using TACACS+ on a device? (Choose three)

  • A. It ensures that user activity is untraceable.
  • B. It provides a secure accounting facility on the device.
  • C. Device-administration packets are encrypted in their entirety.*
  • D. It allows the user to remotely access devices from other vendors.
  • E. It allows the users to be authenticated against a remote server.*
  • F. It supports access-level authorization for commands.*
Explanation/Reference:
TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header -> C is correct.

TACACS+ supports access-level authorization for commands. That means you can use commands to assign privilege levels on the router -> F is correct.


By default, there are three privilege levels on the router.
+ privilege level 1 = non-privileged (prompt is router>), the default level for logging in
+ privilege level 15 = privileged (prompt is router#), the level after going into enable mode
+ privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

170.  What layer of the OSI Model is included in TCP/IP Model’s INTERNET layer?

  • Application
  • Session
  • Data Link
  • Presentation
  • Network*
Explanation/Reference:
The Internet Layer in TCP/IP Model is equivalent to the Network Layer of the OSI Model.

171.  Which two of these are characteristics of the 802.1Q protocol? (Choose two.)

  • It is used exclusively for tagging VLAN frames and does not address network reconvergence following switched network topology changes.
  • It modifies the 802.3 frame header, and thus requires that the FCS be recomputed.*
  • It is a Layer 2 messaging protocol which maintains VLAN configurations across networks.
  • It includes an 8-bit field which specifies the priority of a frame.
  • It is a trunking protocol capable of carrying untagged frames.*
Explanation/Reference:
IEEE 802.1Q is the networking standard that supports Virtual LANs (VLANs) on an Ethernet network. It is a protocol that allows VLANs to communicate with one another using a router. 802.1Q trunks support tagged and untagged frames.

If a switch receives untagged frames on a trunk port, it believes that frame is part of the native VLAN. Also, frames from the native VLAN are not tagged when exiting the switch via a trunk port.

The 802.1Q frame format is the same as 802.3; the only change is the addition of a 4-byte field. That additional header includes a field with which to identify the VLAN number. Because inserting this header changes the frame, 802.1Q encapsulation forces a recalculation of the original FCS field in the Ethernet trailer.

Note: Frame Check Sequence (FCS) is a four-octet field used to verify that the frame was received without loss or error. FCS is based on the contents of the entire frame.
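Added example, not code from the original page: Python that builds an Ethernet II frame with its FCS, inserts an 802.1Q tag, and shows why the FCS has to be recomputed, covering both the frame-field discussion of question 156 and the 802.1Q point of question 171. It relies on the fact that the 802.3 FCS is the same CRC-32 that zlib.crc32 computes, transmitted least-significant byte first; the MAC addresses and payload are constructed.

```python
import struct
import zlib

# On the wire the frame is preceded by 7 preamble bytes (0x55 = 01010101,
# sent LSB first as 10101010...) and the Start Frame Delimiter 0xD5
# (11010101, sent LSB first as 10101011), giving the ...10101011 pattern the
# page describes. Neither is covered by the FCS.
PREAMBLE_AND_SFD = bytes([0x55] * 7 + [0xD5])
DOT1Q_TPID = 0x8100


def ethernet_fcs(body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 (the same polynomial and bit ordering that
    zlib.crc32 implements) over destination MAC through the end of the
    payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (without preamble): header + payload + FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + ethernet_fcs(body)


def fcs_ok(frame: bytes) -> bool:
    """What the receiver does: recompute the CRC and compare with the trailer."""
    return len(frame) > 4 and ethernet_fcs(frame[:-4]) == frame[-4:]


def type_or_length(value: int) -> str:
    """Ethernet II stores a Type here; the older 802.3 format stored the
    payload Length. Values of 0x0600 (1536) and above are EtherTypes."""
    return "type" if value >= 0x0600 else "length"


def insert_dot1q_tag(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header (TPID + TCI) after the source MAC.
    Because the bytes covered by the CRC have changed, the FCS must be
    recomputed; the old trailer would no longer verify."""
    if not 1 <= vlan_id <= 4094 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad 802.1Q field")
    tci = (pcp << 13) | (dei << 12) | vlan_id   # 3-bit PCP, 1-bit DEI, 12-bit VID
    body = frame[:-4]
    tagged = body[:12] + struct.pack("!HH", DOT1Q_TPID, tci) + body[12:]
    return tagged + ethernet_fcs(tagged)


def parse_frame(frame: bytes):
    """Verify the FCS, then return (vlan_id or None, ethertype, payload)."""
    if not fcs_ok(frame):
        raise ValueError("FCS mismatch: frame corrupted or tag inserted without recompute")
    body = frame[:-4]
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype == DOT1Q_TPID:
        (tci,) = struct.unpack("!H", body[14:16])
        (inner_type,) = struct.unpack("!H", body[16:18])
        return tci & 0x0FFF, inner_type, body[18:]
    return None, ethertype, body[14:]


# Constructed sample frame: broadcast destination, made-up source MAC, IPv4 type.
SAMPLE_PAYLOAD = bytes(range(46))                 # minimum Ethernet payload size
SAMPLE_FRAME = build_frame(bytes.fromhex("ffffffffffff"),
                           bytes.fromhex("021122334455"), 0x0800, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    tagged = insert_dot1q_tag(SAMPLE_FRAME, vlan_id=10, pcp=5)
    print(parse_frame(tagged))
    stale = tagged[:-4] + SAMPLE_FRAME[-4:]       # tag inserted, FCS not recomputed
    print("stale FCS verifies:", fcs_ok(stale))
```

The `stale` frame in the usage section is the failure mode the page alludes to: a device that inserted the tag but kept the original trailer would produce frames every receiver discards as CRC errors.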

172.  Which two features can dynamically assign IPv6 addresses? (Choose two.)

  • IPv6 stateless autoconfiguration*
  • DHCP
  • NHRP
  • IPv6 stateful autoconfiguration*
  • ISATAP tunneling
Explanation/Reference:
Answer “DHCP” is not correct because DHCP can only assign IPv4 address. To assign IPv6 address, DHCPv6 should be used instead.

Answer “NHRP” is not correct because it is a protocol used in DMVPN.

Answer “ISATAP tunneling” is not correct because it is an IPv6 transition mechanism to transmit IPv6 packets between dual-stack nodes on top of an IPv4 network.

The two types of autoconfiguration are “stateless” and “stateful.”

Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6 (and based closely on DHCP), is used to pass out addressing and service information in the same way that DHCP is used in IPv4. This is called “stateful” because the DHCP server and the client must both maintain state information to keep addresses from conflicting, to handle leases, and to renew addresses over time -> Answer “IPv6 stateful autoconfiguration” is correct.

Stateless autoconfiguration allows an interface to automatically “lease” an IPv6 address and does not require the establishment of a server to dole out address space. Stateless autoconfiguration allows a host to propose an address which will probably be unique (based on the network prefix and its Ethernet MAC address) and propose its use on the network. Because no server has to approve the use of the address, or pass it out, stateless autoconfiguration is simpler. This is the default mode of operation for most IPv6 systems, including servers. So answer “IPv6 stateless autoconfiguration” is correct too.

173.  A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?

  • Monitor mode*
  • High-Security mode
  • Low-impact mode
  • Closed mode
Explanation/Reference:
There are three authentication and authorization modes for 802.1x:

+ Monitor mode
+ Low impact mode
+ High security mode

Monitor mode allows for the deployment of the IEEE 802.1X authentication methods without any effect on user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.

With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
+ Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network
+ Where these endpoints connected
+ Whether they are 802.1X capable or not
+ Whether they have valid credentials
+ In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses

Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:
sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth

For more information about each mode, please read this article: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Phased_Deploy/Phased_Dep_Guide.html

174.  How can you verify a strong, secure SSH connection?

  • ssh -v 1 -l admin
  • ssh -v 2 -l admin*
  • ssh -l admin
  • ssh -v 2 admin
Explanation/Reference:
This question asks how to use the router as an SSH client to connect to other routers. The parameters used with the SSH command are:

+ -v: specifies whether to use SSH version 1 or version 2
+ -c {3des | aes128-cbc | aes192-cbc | aes256-cbc}: specifies the encryption algorithm to use when communicating with the router. This value is optional; if you do not specify it, the routers negotiate the encryption algorithm automatically
+ -l username: specifies the username to use when logging in to the remote router
+ -m {hmac-md5 | hmac-md5-96 | hmac-sha1 | hmac-sha1-96}: specifies the type of hashing algorithm to use when sending your password. It is optional, and if you do not specify it, the routers negotiate which algorithm to use
+ ip-address | hostname: the IP address or, if you have DNS or static hostnames configured, the name of the router you want to connect to

For example, the command “ssh -v 2 -l admin” means “use SSH version 2 to connect to a router at [address omitted in the source] with the username admin”.

Answer C is not correct because it is missing the version to use.

175.  How many usable host are there per subnet if you have the address of with a subnet mask of

  • 4
  • 8
  • 16
  • 14*
Explanation/Reference:
From the subnet mask (/28) we learn there are 2^4 – 2 = 14 usable hosts per subnet.

176.  What interconnection cable can you use when you use a MDI connection?

  • cut-through
  • straight-through
  • crossover*
  • rollover
Explanation/Reference:
MDI stands for “Medium Dependent Interface”. MDI is a type of Ethernet port found on network devices. When connecting two devices with MDI ports (two hosts, for example) an Ethernet crossover cable is required. The crossover cable swaps the send and receive pairs between the two connectors, allowing data to flow correctly between two MDI ports.

177.  Which Cisco platform can verify ACLs?

  • Cisco Prime Infrastructure
  • Cisco Wireless LAN Controller
  • Cisco APIC-EM*
  • Cisco IOS-XE
Explanation/Reference:
The APIC-EM Path Trace ACL Analysis Tool can display the ACLs that are in use (it downloads the configurations after a specific period of time and shows them when we run a path trace). Therefore it helps verify the ACLs more easily.

178.  In order to comply with new auditing standards, a security administrator must be able to correlate system security alert logs directly with the employee who triggers the alert. Which of the following should the security administrator implement in order to meet this requirement?

  • Access control lists on file servers
  • Elimination of shared accounts
  • Group-based privileges for accounts
  • Periodic user account access reviews*

179.  When you deploy multilink PPP on your network, where must you configure the group IP Address on each device?

  • In the global config
  • Under serial interface
  • Under the routing protocol
  • Under the multilink interface*
Explanation/Reference:
Suppose R1 has two Serial interfaces which are directly connected to R2. This is how to configure multilink on R1:

R1(config)# interface Serial 0/0
R1(config-if)# encapsulation ppp
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# no shutdown

R1(config)# interface Serial 0/1
R1(config-if)# encapsulation ppp
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1
R1(config-if)# no shutdown

R1(config)# interface multilink 1
R1(config-if)# ip address
R1(config-if)# ppp multilink
R1(config-if)# ppp multilink group 1

Therefore we must configure IP address under multilink interface, not physical member interfaces.

180.  If you want multiple hosts on a network, where do you configure the setting?

  • in the IP protocol*
  • in the multicast interface
  • in the serial interface
  • in the global configuration

181.  Which option is the benefit of implementing an intelligent DNS for a cloud computing solution?

  • It reduces the need for a backup data center.
  • It can redirect user requests to locations that are using fewer network resources.*
  • It enables the ISP to maintain DNS records automatically.
  • It eliminates the need for a GSS.

182.  Which statement about the IP SLAs ICMP Echo operation is true?

  • The frequency of the operation is specified in milliseconds.
  • It is used to identify the best source interface from which to send traffic.
  • It is configured in enable mode.
  • It is used to determine the frequency of ICMP packets.*
Explanation/Reference:
The ICMP Echo operation measures end-to-end response time between a Cisco router and any devices using IP. Response time is computed by measuring the time taken between sending an ICMP Echo request message to the destination and receiving an ICMP Echo reply. Many customers use IP SLAs ICMP-based operations, in-house ping testing, or ping-based dedicated probes for response time measurements.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html

183.  Which action can change the order of entries in a named access-list?

  • removing an entry
  • opening the access-list in notepad
  • adding an entry
  • resequencing*
Show (Hide) Explanation/Reference
You can check the named access-list with the “show ip access-list” (or “show access-list”) command:

R1#show ip access-list
Standard IP access list nat_traffic
    10 permit, wildcard bits
    15 permit, wildcard bits
    20 permit, wildcard bits

We can resequence a named access-list with the command: “ip access-list resequence access-list-name starting-sequence-number increment“. For example:

R1(config)#ip access-list resequence nat_traffic 100 10

Then we can check this access-list again:

R1#show ip access-list
Standard IP access list nat_traffic
    100 permit, wildcard bits
    110 permit, wildcard bits
    120 permit, wildcard bits

We can see that the starting sequence number is now 100 and the increment is 10. Notice that resequencing an access-list does not change the relative order of the entries inside it, but it is still the best choice in this question. Adding or removing an entry does not change the order of the remaining entries either. Perhaps the question should be read as “how to renumber the entries in a named access-list”.

184.  How does a router handle an incoming packet whose destination network is missing from the routing table?

  • it broadcast the packet to each interface on the router
  • it discards the packet*
  • it broadcasts the packet to each network on the router
  • it routes the packet to the default route
Show (Hide) Explanation/Reference
The answer was changed from “it discards the packet” to “it routes the packet to the default route” because there is a new question, “Which definition of default route is true?”, with the answer “A route used when a destination route is missing.”

185.  Which two components are used to identify a neighbor in a BGP configuration? (Choose two.)

  • autonomous system number*
  • version number
  • router ID
  • subnet mask
  • IP address*
Show (Hide) Explanation/Reference
This is an example of how to configure a BGP neighbor relationship between two routers (assuming all interfaces are configured correctly):

R1(config)#router bgp 1
R1(config-router)#neighbor remote-as 2
R2(config)#router bgp 2
R2(config-router)#neighbor remote-as 1

So as you see, we need the neighbor’s IP address and neighbor’s AS number for the BGP neighbor relationship.

186.  Which three statements about HSRP operation are true? (Choose three.)

  • The virtual IP address and virtual MAC address are active on the HSRP Master router.*
  • The HSRP default timers are a 3 second hello interval and a 10 second dead interval.*
  • HSRP supports only clear-text authentication
  • The HSRP virtual IP address must be on a different subnet than the routers’ interfaces on the same LAN.
  • The HSRP virtual IP address must be the same as one of the router’s interface addresses on the LAN.
  • HSRP supports up to 255 groups per interface, enabling an administrative form of load balancing.*
Show (Hide) Explanation/Reference
“The active router sources hello packets from its configured IP address and the HSRP virtual MAC address. The standby router sources hellos from its configured IP address and the burned-in MAC address.”
“By default, these timers are set to 3 and 10 seconds, respectively…”
Load Sharing with HSRP
“…has a 256 unique HSRP group ID limit.”
“…the allowed group ID range (0-255). … MSFC2A (Supervisor Engine 32) can use any number of group IDs from that range.”

187.  Which two options describe benefits of aggregated chassis technology? (Choose two.)

  • it reduces management overhead.*
  • switches can be located anywhere regardless of their physical location.
  • it requires only 1 IP address per VLAN.*
  • it requires only 3 IP addresses per VLAN.
  • it supports HSRP, VRRP and GLBP.
  • it supports redundant configuration files.
Show (Hide) Explanation/Reference
Chassis aggregation is a Cisco technology that makes multiple switches operate as a single switch. It is similar to stacking but is meant for powerful switches (like the 6500 and 6800 series switches). Chassis aggregation is often used in the core layer and distribution layer (while switch stacking is used for the access layer).

The books do not mention the benefits of chassis aggregation, but they are the same as those of switch stacking.

+ The stack would have a single management IP address.
+ The engineer would connect with Telnet or SSH to one switch (with that one management IP address), not multiple switches.
+ One configuration file would include all interfaces in all physical switches.
+ STP, CDP, VTP would run on one switch, not multiple switches.
+ The switch ports would appear as if all are on the same switch.
+ There would be one MAC address table, and it would reference all ports on all physical switches.

Reference: CCNA Routing and Switching ICND2 200-105 Official Cert Guide

VSS is a chassis aggregation technology but it is dedicated for Cisco Catalyst 6500 Series Switches. VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent -> A is correct

Single point of management, IP address, and routing instance for the Cisco Catalyst 6500 virtual switch
+ Single configuration file and node to manage. Removes the need to configure redundant switches twice with identical policies.
Only one gateway IP address is required per VLAN, instead of the three IP addresses per VLAN used today -> C is correct while D is not correct.
+ Removes the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP)-> so maybe E is not correct.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-virtual-switching-system-1440/prod_qas0900aecd806ed74b.html

188.  How can you troubleshoot a DNS issue? (Choose two.)

  • Ping a public website IP address.
  • Ping the DNS Server.*
  • Determine whether a DHCP address has been assigned.
  • Determine whether the hardware address is correct.
  • Determine whether the name servers have been configured.*
Show (Hide) Explanation/Reference
Pinging the destination by name performs a DNS lookup on the destination.

189.  Which utility can you use to identify redundant or shadow rules?

  • The ACL trace tool in Cisco APIC-EM.
  • The ACL analysis tool in Cisco APIC-EM.*
  • The Cisco APIC-EM automation scheduler.
  • The Cisco IWAN application.
Show (Hide) Explanation/Reference
Cisco APIC-EM supports the following policy analysis features:

+ Inspection, interrogation, and analysis of network access control policies.
+ Ability to trace application specific paths between end devices to quickly identify ACLs in use and problem areas.
+ Enables ACL change management with easy identification of conflicts and shadows -> Maybe B is the most suitable answer.

Reference: http://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-2-x/config-guide/b_apic-em_config_guide_v_1-2-x/b_apic-em_config_guide_v_1-2-x_chapter_01000.pdf

The ACL trace tool can only help us to identify which ACL on which router is blocking or allowing traffic. It cannot help identify redundant/shadow rules.


Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is a Cisco Software Defined Networking (SDN) controller, which uses open APIs for policy-based management and security through a single controller, abstracting the network and making network services simpler. APIC-EM provides centralized automation of policy-based application profiles.

Reference: CCNA Routing and Switching Complete Study Guide

Cisco Intelligent WAN (IWAN) application simplifies the provisioning of IWAN network profiles with simple business policies. The IWAN application defines business-level preferences by application or groups of applications in terms of the preferred path for hybrid WAN links. Doing so improves the application experience over any connection and saves telecom costs by leveraging cheaper WAN links.

Shadow rules are rules that are never matched (usually because an earlier rule already matches all of their traffic). For example, consider two access-list statements:

access-list 100 permit ip any any
access-list 100 deny tcp host A host B

The second access-list statement would never be matched because all traffic has already been allowed by the first statement. In this case we say that statement 1 shadows statement 2.
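Both the resequencing discussed under question 183 and the shadow rules discussed here can be checked offline with a small model of an ACL. The following Python script is an added example, not code from this page or from Cisco: it parses a constructed four-entry extended ACL (a simplified grammar of permit/deny, protocol, source and destination only, with no port operators), renumbers it the way `ip access-list resequence` does, and reports every entry that a single earlier entry already covers, labelling it redundant when the two actions agree and shadowed when they conflict. All addresses, the ACL number and the function names are made up for the example.

```python
"""Toy model of Cisco IOS ACL resequencing and shadow/redundant-rule detection.

Added example for study purposes; it is not code from the page or from Cisco.
Assumed grammar (a subset of the real one): an optional "access-list <n>"
prefix, an optional sequence number, permit|deny, a protocol (ip/tcp/udp/icmp),
then a source and a destination given as "any", "host A.B.C.D" or
"A.B.C.D W.W.W.W" (address plus wildcard mask).  Port operators are not modelled.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, replace

# Constructed sample ACL: entry 20 is covered by entry 10 with the same action
# (redundant), and entry 40 is covered by the "permit ip any any" above it with
# the opposite action (shadowed), like the two-line example in the explanation.
SAMPLE_ACL = """
access-list 100 permit tcp 10.1.0.0 0.0.255.255 host 192.0.2.10
access-list 100 permit tcp host 10.1.1.5 host 192.0.2.10
access-list 100 permit ip any any
access-list 100 deny tcp host 10.9.9.9 host 192.0.2.20
"""

ACE_RE = re.compile(
    r"^(?:access-list\s+\S+\s+)?(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)$"
)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(spec: str) -> ipaddress.IPv4Network:
    """Turn "any", "host X" or "X W" (IOS wildcard form) into an IPv4Network."""
    parts = spec.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    addr, wildcard = parts
    w = int(ipaddress.IPv4Address(wildcard))
    # A wildcard mask must be a contiguous run of low-order one bits
    # (0.0.255.255 is fine, 0.0.1.1 is not); w & (w + 1) is zero exactly then.
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)


def parse_acl(text: str) -> list[Ace]:
    """Parse ACL lines; unnumbered entries get 10, 20, ... as IOS assigns them."""
    aces: list[Ace] = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        seq = int(m["seq"]) if m["seq"] else (len(aces) + 1) * 10
        aces.append(Ace(seq, m["action"], m["proto"],
                        wildcard_to_network(m["src"]), wildcard_to_network(m["dst"])))
    return aces


def covers(outer: Ace, inner: Ace) -> bool:
    """True if every packet matched by inner is also matched by outer."""
    proto_ok = outer.proto == "ip" or outer.proto == inner.proto
    return proto_ok and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)


def find_shadowed(aces: list[Ace]) -> list[tuple[int, int, str]]:
    """Return (seq, covering_seq, kind) for every entry that a single earlier
    entry already covers: 'redundant' if the actions agree, 'shadowed' if they
    conflict.  Coverage by a combination of several earlier entries is not
    detected; that needs a full set-difference computation."""
    findings = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, ace):
                kind = "redundant" if earlier.action == ace.action else "shadowed"
                findings.append((ace.seq, earlier.seq, kind))
                break
    return findings


def resequence(aces: list[Ace], start: int = 10, increment: int = 10) -> list[Ace]:
    """Mirror 'ip access-list resequence <name> <start> <increment>': renumber
    the entries but keep their relative order, which is why resequencing alone
    never changes which entry matches first."""
    return [replace(a, seq=start + i * increment) for i, a in enumerate(aces)]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for seq, by, kind in find_shadowed(acl):
        print(f"entry {seq} is {kind}: already covered by entry {by}")
    for a in resequence(acl, 100, 10):
        print(a.seq, a.action, a.proto, a.src, "->", a.dst)
```

Running the script reports entry 20 as redundant (covered by 10) and entry 40 as shadowed (covered by the `permit ip any any` at 30); after `resequence(acl, 100, 10)` the numbers become 100 to 130 but the same two findings come back, which is the point made under question 183.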

190.  What does traffic shaping do to reduce congestion in a network?

  • buffers and queues packets.*
  • buffers without queuing packets.
  • queues without buffering packets.
  • drops packets.
Show (Hide) Explanation/Reference
The key difference between traffic policing and traffic shaping is as follows. Traffic policing propagates bursts. When the traffic rate reaches the configured maximum rate (or committed information rate), excess traffic is dropped (or remarked). The result is an output rate that appears as a saw-tooth with crests and troughs. In contrast to policing, traffic shaping retains excess packets in a queue and then schedules the excess for later transmission over increments of time. The result of traffic shaping is a smoothed packet output rate.

Note: Committed information rate (CIR): The minimum guaranteed data transfer rate agreed to by the routing device.
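To make the saw-tooth versus smoothed-output contrast concrete, the following Python simulation is an added example (not from this page or from Cisco IOS). It runs the same constructed burst of traffic through a single-rate token-bucket policer, which drops excess, and through a shaper with an identical bucket, which queues excess and releases it in later intervals. The rate, bucket depth and arrival pattern are made-up numbers, and the function names are the example's own.

```python
"""Token-bucket policer versus shaper on one constructed burst of traffic.

Added example, not code from the page or from Cisco IOS.  Units are made up:
`rate` is the committed information rate in bytes per interval (Tc), `burst`
is the bucket depth (Bc) in bytes, and `arrivals` lists the bytes offered to
the interface in each interval.
"""

# Constructed arrival pattern: two back-to-back 300-byte bursts, a pause,
# then one more burst, against a CIR of 100 bytes per interval.
SAMPLE_ARRIVALS = [300, 300, 0, 0, 0, 300, 0, 0, 0, 0]
CIR = 100
BC = 100


def policer(arrivals, rate=CIR, burst=BC):
    """Single-rate policer: tokens refill by `rate` each interval up to `burst`;
    traffic beyond the tokens available in that interval is dropped.
    Returns (bytes sent per interval, total bytes dropped)."""
    tokens = burst
    sent, dropped = [], 0
    for offered in arrivals:
        tokens = min(burst, tokens + rate)
        out = min(offered, tokens)
        tokens -= out
        dropped += offered - out
        sent.append(out)
    return sent, dropped


def shaper(arrivals, rate=CIR, burst=BC):
    """Shaper with the same bucket: excess is held in a FIFO backlog and
    released in later intervals instead of being dropped.
    Returns (bytes sent per interval, bytes still queued, peak queue depth)."""
    tokens = burst
    backlog = 0
    sent, peak = [], 0
    for offered in arrivals:
        tokens = min(burst, tokens + rate)
        backlog += offered
        out = min(backlog, tokens)
        tokens -= out
        backlog -= out
        peak = max(peak, backlog)
        sent.append(out)
    return sent, backlog, peak


def sparkline(series, scale=CIR):
    """Crude text plot so the saw-tooth versus smoothed shape is visible."""
    return " ".join("#" * (v // scale) if v else "." for v in series)


if __name__ == "__main__":
    p_sent, p_dropped = policer(SAMPLE_ARRIVALS)
    s_sent, s_left, s_peak = shaper(SAMPLE_ARRIVALS)
    print("offered :", SAMPLE_ARRIVALS)
    print("policer :", p_sent, "dropped", p_dropped, "->", sparkline(p_sent))
    print("shaper  :", s_sent, "queued", s_left, "peak", s_peak, "->", sparkline(s_sent))
```

With these numbers the policer sends 100 bytes in each burst interval and drops the other 200 (a saw-tooth of 100, 100, 0, 0, 0, 100, ...), while the shaper sends a flat 100 bytes per interval for nine intervals and loses nothing, at the cost of a queue that peaks at 400 bytes. The queue depth is the quantity a practitioner watches: shaping trades drops for delay, so a backlog that never drains means the offered load exceeds the CIR on average, not just in bursts.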

191.  Which two statements about the extended traceroute command are true? (Choose two.)

  • it can send packets from a specified interface or IP address.*
  • it can use a specified TTL value.*
  • it can validate the reply data.
  • it can use a specified TOS.
  • it can be repeated automatically at a specified interval.
Show (Hide) Explanation/Reference
Reference: http://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-pingtrace.html#ext_troute
“This table lists the traceroute command field descriptions:
Source address: The interface or IP address of the router to use as a source address for the probes. The router normally picks the IP address of the outbound interface to use.
Minimum Time to Live [1]: The TTL value for the first probes. The default is 1, but it can be set to a higher value to suppress the display of known hops.
Maximum Time to Live [30]: The largest TTL value that can be used. The default is 30. The traceroute command terminates when the destination is reached or when this value is reached.”

192.  Which command can you enter to determine the addresses that have been assigned on a DHCP Server?

  • Show ip DHCP database.
  • Show ip DHCP pool.
  • Show ip DHCP binding.*
  • Show ip DHCP server statistic.
Show (Hide) Explanation/Reference
“Router#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/          Lease expiration        Type
                24d9.2141.0ddd      Jan 12 2013 03:42 AM    Automatic”

193.  Which statement about SNMPv2 is true?

  • Its privacy algorithms use MD5 encryption by default.
  • It requires passwords to be encrypted.
  • Its authentication and privacy algorithms are enabled without default values.*
  • It requires passwords at least eight characters in length.
Show (Hide) Explanation/Reference
Default values do not exist for authentication or privacy algorithms when you configure the SNMP commands. Also, no default passwords exist. The minimum length for a password is one character, although we recommend that you use at least eight characters for security. If you forget a password, you cannot recover it and must reconfigure the user. You can specify either a plain text password or a localized Message Digest 5 (MD5) digest.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/snmp-xe-3se-3850-book/nm-snmp-snmpv2c.pdf

194.  Which symptom most commonly indicates that two connecting interfaces are configured with a duplex mismatch?

  • an interface with up/down state.
  • an interface with down/down state.
  • late collisions on the interface.*
  • the spanning tree process shutting down.
Show (Hide) Explanation/Reference
A late collision is defined as any collision that occurs after the first 512 bits of the frame have been transmitted. The usual possible causes are full-duplex/half-duplex mismatch, exceeded Ethernet cable length limits, or defective hardware such as incorrect cabling, non-compliant number of hubs in the network, or a bad NIC.

Note: On an Ethernet connection, a duplex mismatch is a condition where two connected devices operate in different duplex modes, that is, one operates in half duplex while the other one operates in full duplex.

A duplex mismatch would not cause the link to be down/down; it would only result in poor performance, such as increased late collisions on the interface.

195.  Which VTP mode cannot make changes to VLANs?

  • Server.
  • Client.*
  • Transparent.
  • Off
Show (Hide) Explanation/Reference
VTP Client
· VTP clients function the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client.
· A VTP client only stores the VLAN information for the entire domain while the switch is on.
· A switch reset deletes the VLAN information.
· You must configure VTP client mode on a switch. 

196.  Which function does IP SLA ICMP ECHO operation perform to assist with troubleshooting?

  • A. one way jitter measurement
  • B. congestion detection
  • C. hop-by-hop response time*
  • D. packet-loss detection
Show (Hide) Explanation/Reference
The ICMP Echo operation measures end-to-end response time between a Cisco router and any devices using IP. Response time is computed by measuring the time taken between sending an ICMP Echo request message to the destination and receiving an ICMP Echo reply. Many customers use IP SLAs ICMP-based operations, in-house ping testing, or ping-based dedicated probes for response time measurements.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_icmp_echo.html

197.  Which modes are used by PAgP? (Choose two.)

  • Auto.*
  • Desirable.*
  • Active.
  • Passive.
  • On.
Show (Hide) Explanation/Reference
There are two PAgP modes:

Auto Responds to PAgP messages but does not aggressively negotiate a PAgP EtherChannel. A channel is formed only if the port on the other end is set to Desirable. This is the default mode.
Desirable Port actively negotiates channeling status with the interface on the other end of the link. A channel is formed if the other side is Auto or Desirable.

The table below lists if an EtherChannel will be formed or not for PAgP:

PAgP        Desirable   Auto
Desirable   Yes         Yes
Auto        Yes         No

198.  In an Ethernet network, under what two scenarios can devices transmit? (Choose two.)

  • when they receive a special token.
  • when there is a carrier.
  • when they detect no other devices are sending.*
  • when the server grants access.
  • when the medium is idle.*

199.  Which two protocols are used by bridges and/or switches to prevent loops in a layer 2 network? (Choose two.)

  • 802.1d*
  • VTP
  • 802.1q
  • SAP
  • STP*

200.  At which layer of the OSI model does PPP perform?

  • Layer 2*
  • Layer 3
  • Layer 4
  • Layer 5
  • Layer 1

201.  What are three reasons that an organization with multiple branch offices and roaming users might implement a Cisco VPN solution instead of point-to-point WAN links?(Choose three.)

  • reduced cost.*
  • better throughput.
  • broadband incompatibility.
  • increased security.*
  • scalability.*
  • reduced latency.

202.  Which IPv6 header field is equivalent to the TTL?

  • Scan Timer.
  • TTD.
  • Flow Label.
  • Hop Limit.*
  • Hop Count.
Show (Hide) Explanation/Reference
This field is the same as Time To Live (TTL) in IPv4, which is used to stop a packet from looping in the network infinitely. The value of the Hop Limit field is decremented by 1 each time the packet passes a Layer 3 device (such as a router). When this field reaches 0 the packet is dropped.

203.  Which port security mode can assist with troubleshooting by keeping count of violations?

  • access.
  • protect.
  • restrict.*
  • shutdown.

204.  Which two options are requirements for configuring RIPv2 for IPv4? (Choose two.)

  • enabling RIP authentication.
  • connecting RIP to a WAN Interface.
  • enabling auto route summarization.
  • allowing unicast updates for RIP.*
  • enabling RIP on the router.*
Show (Hide) Explanation/Reference
To run RIP we surely have to enable it first (with the “router rip” command in global configuration mode) -> E is correct.

RIPv2 sends its updates via multicast but in Nonbroadcast Multiple Access (NBMA) environment, multicast is not allowed so we have to use unicast to send RIPv2 updates -> D is correct.

205.  Which configuration command can you apply to an HSRP router so that its local interface becomes active if all other routers in the group fail?

  • standby 1 preempt
  • no additional config is required*
  • standby 1 priority 250
  • standby 1 track ethernet
Show (Hide) Explanation/Reference
When all other routers in the group fail, the local router will not receive any HSRP Hello messages, so it will become “active”. Notice that in this case the “preempt” command is not necessary. The “preempt” command is only useful when the local router receives an HSRP Hello message from the active HSRP router with a lower priority (then the local router will decide to take over the active role).

206.  Which two statements about EIGRP on an IPv6 device are true? (Choose two.)

  • A. It is configured on the interface*
  • B. It is globally configured
  • C. It is configured using a network statement
  • D. It is vendor agnostic
  • E. It supports a shutdown feature*

207.  Which command can you enter to troubleshoot the failure of address assignment?

  • sh ip dhcp database
  • sh ip dhcp pool*
  • sh ip dhcp import
  • sh ip dhcp server statistics
Show (Hide) Explanation/Reference
The command “show ip dhcp pool” displays information about the DHCP address pools, including details we can use to check a failure of address assignment. For example, we can see how many IP addresses have been leased from a specific pool. If IP addresses have been assigned from a pool but a client of that pool has not received one, the issue may lie with the client itself.

R1#show ip dhcp pool
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0 
 Total addresses                : 1
 Leased addresses               : 1
 Pending event                  : none
 0 subnet is currently in the pool :
 Current index        IP address range                    Leased addresses   -    1

208.  Which three technical services support cloud computing? (Choose three.)

  • A. network-monitored power sources
  • B. layer 3 network routing*
  • C. ip localization*
  • D. redundant connections
  • E. VPN connectivity
  • F. extended SAN services*
Show (Hide) Explanation/Reference
Four technical services are essential to supporting the high level of flexibility, resource availability, and transparent resource connectivity required for cloud computing:

+ The Layer 3 network offers the traditional routed interconnection between remote sites and provides end-user access to cloud services.
+ The extended LAN between two or more sites offers transparent transport and supports application and operating system mobility.
+ Extended SAN services support data access and accurate data replication.
+ IP Localization improves northbound and southbound traffic as well as server-to-server workflows.

Reference: https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xr-software/white_paper_c11-694882.html

209.  Which two steps must you perform to enable router-on-a-stick on a switch? (Choose two.)

  • connect the router to a trunk port*
  • configure the subinterface number exactly the same as the matching VLAN
  • configure full duplex
  • configure an IP route to the VLAN destination network
  • assign the access port to the vlan*
Show (Hide) Explanation/Reference
This question only asks about enabling router-on-a-stick on a switch, not on a router. There are no subinterfaces on a switch, so B is not a correct answer.

210.  Which address prefix does OSPFv3 use when multiple IPv6 addresses are configured on a single interface?

  • all prefix on the interface*
  • the prefix that the administrator configures for OSPFv3 use
  • the lowest prefix on the interface
  • the highest prefix on the interface
Show (Hide) Explanation/Reference
“In IPv6, you can configure many address prefixes on an interface. In OSPFv3, all address prefixes on an interface are included by default. You cannot select some address prefixes to be imported into OSPFv3; either all address prefixes on an interface are imported, or no address prefixes on an interface are
