0% found this document useful (0 votes)

572 views88 pages

Networktut MCQ

The document contains 11 multiple choice questions about networking topics such as IPv6 ACL configuration, OSPF neighbor state, spanning tree port cost configuration, troubleshooting IP phones, console session timeouts, SSH configuration, tunnel configuration, GRE tunnel configuration, recursive routing on tunnels, DTP compatibility issues between switch port types, and bottom-up troubleshooting methods. The questions cover a wide range of Cisco networking technologies and configurations.

Uploaded by

Ramon Pirbux

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

572 views88 pages

Networktut MCQ

Uploaded by

Ramon Pirbux

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

You are on page 1/ 88

Question 1

Which configuration command is used to add an IPv6 ACL to an interface?

A. ipv6 access-class (in/out)

B. ipv6 traffic-filter (in/out)
C. ip access-class (in/out)
D. ip accesss-group (in/out)

Answer: B

Question 2

Refer to the exhibit.

R1#debug ip ospf adj

OSPF adjacency events debugging is on
* Feb 4 110:34:34.245:OSPF: Caanot see ourself in hello from 192.168.1.10 on
Serial0/0/0, state INIT
* Feb 4 110:34:34.248:OSPF: Rcv DBD from 192.168.1.10 on Serial0/0/0 seq 0x17B opt
0x58 flag 0x7 len 32 mtu 1500 state INIT
* Feb 4 110:34:34.248:OSPF: 2 Way Communication to 192.168.1.10 on Serial0/0/0, state
2WAY
* Feb 4 110:34:34.252:OSPF: Rcv DBD from 192.168.1.10 on Serial0/0/0 seq 0x23B0 opt
0x58 flag 0x3 len 112 mtu 1500 state ___________

Which output is expected in the blank line?

A. DOWN
B. EXSTART
C. LOADING
D. EXCHANGE

Answer: B

Question 3

Exhibit with the “show spanning-tree” command and shows G1/1 as cost 4, G1/2 as cost 1. Please
choose the command so G1/1 can be the new root port?

A. spanning-tree cost 1 on interface g1/1

B. spanning-tree cost 5 on interface g1/2
C. spanning-tree port priority 0 on g1/1
D. spanning-tree port priority 0 on g1/2

Answer: B

Question 4

Which two commands are used to choose uRPF drops? (Choose two)
A. show ip interface
B. show interface
C. show ip cef
D. show ip traffic
E. show cef traffic

Answer: A D

Explanation

With uRPF properly deployed and configured throughout the network infrastructure, administrators
can use the show cef interface type slot/port internal, show ip interface, show cef drop,
show ip cef switching statistics feature, and show ip traffic commands to identify the
number of packets that uRPF has dropped.

Note: Beginning with Cisco IOS Software Release 12.4(20)T, the command show ip cef
switching has been replaced by show ip cef switching statistics feature.

Reference: https://www.cisco.com/c/en/us/about/security-center/identification-ios-security-
mitigations-effectiveness.html

Question 5

Drag drop question about bottom-up troubleshooting method.

Following the bottom-up tshoot method, please order from step 1 to step 4 how to solve an issue
with an IP phone.

Answer:

1. Check PoE
2. Check VLAN
3. Change DHCP gateway with option 150
4. Check image file from TFTP server

Question 6

Console session is being closed by a network device, how can this be solved?

A. Apply exec-timeout 0 0 in line console 0

B. Modify exec-timeout in line vty 0 15
C. Change banner motd

Answer: A

Explanation

By default, an IOS device will disconnect a console or VTY user after 10 minutes of inactivity. You
can specify a different inactivity timer using the exec-timeout MINUTES SECONDS line mode
command.

For example, to disconnect a console user after 90 seconds of inactivity, we can use the following
command:

R1(config)#line con 0
R1(config-line)#exec-timeout 1 30
To prevent Telnet (or SSH) sessions from timing out, use the value of 0 (exec-timeout 0 0)

Question 7

Which sequence allows the communication from router to another router via ssh.

A. 60 permit tcp host xxxx host yyyy eq 22

B. 50 permit tcp host xxxx host yyyy eq 21
C. ?
D. ?

Answer: A

Question 8

Why do clients frequently lose connection at the remote site? (Exhibit of tunnel gre and outputs
from devices)

A. recursive routing
B. static route
C. ACL
D. RIP summarization

Answer: A

Question 9

When is uRPF desired to be applied using loose-mode for security reasons?

A. Asymmetric
B. PIMv2

Answer: A

Question 10

Two switches asking why DTP isn’t working one switch GigabitEthernet, other FastEthernet?

A. Because of a speed issue 

B. Different VTP domains
C. SWA has a FastEthernet port 
D. Because of dynamic desirable mode

Answer: B

Question 11

Drag drop question about GRE tunnel. GRE tunnel is missing configuration between R1 and R2.

R1 (10.1.1.1)=============R(CA)=============R2 (10.1.2.1)

R1: R2:
R1(config)# interface Tunnel0 R2(config)# interface Tunnel0
R1(config-if)# tunnel mode gre ip R2(config-if)# tunnel mode gre ip
R1(config-if)# ip address 10.1.3.1 R2(config-if)# ip address 10.1.3.2
255.255.255.0 255.255.255.0

Which configuration will complete the configuration on R1 & R2? (Choose two)

A. R1:
Configure the tunnel source to be 10.1.1.1
Configure the tunnel destination to be 10.1.2.1

B. R1:
Configure the tunnel source to be 10.1.2.1
Configure the tunnel destination to be 10.1.1.1

C. R2:
Configure the tunnel destination to be 10.1.1.1
Configure the tunnel source to be 10.1.2.1

D. R2:
Configure the tunnel destination to be 10.1.2.1
Configure the tunnel source to be 10.1.1.1

Answer: A C

================New Multiple Choice Questions (updated on 27th-Sep-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Refer to the statement.

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

How to correct it?

A. change the source IP of tu0

B. change the destination IP of tu0
C. add tunnel key
D. add static route to tu0 destination

Answer: D

Explanation

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error

message means that the generic routing encapsulation (GRE) tunnel router has discovered a
recursive routing problem. This condition is usually due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using
the tunnel interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network

So in this question maybe there is something wrong with the tunnel destination so we should add
static route to solve it.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-
protocol-eigrp/22327-gre-flap.html

Question 2

A network contains a remote tunnel interface and firewalls in the network path of each router. An
attempt to ping the IP address of the remote tunnel interface fails. Which connections should be
allowed through the firewalls?

A. port 47
B. port 50
C. TCP port 1723
D. IP protocol 47

Answer: D

Question 3

What is the output of the “show crypto ipsec sa | in indent”? (There is an output of the access-list
with “permit gre any any”)

crypto ipsec transform-set AES256 ah-sha256-nmac

mode tunnel
!
crypto ipsec profile default
set transform-set AES256
!
crypto map GRE 10 ipsec-isakmp
set peer 209.165.201.2
set transform-set AES256
match address GRE
!
interface tunnel1
ip address 172.16.1.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 209.165.201.2
tunnel protection ipsec profile default
!
interface FastEthernet0/0
ip address 209.165.201.6 255.255.255.252
!
ip access-list extended GRE
permit gre any any

A. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
B. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)

C. local ident(addr/mask/prot/port):(209.165.201.6/255.255.255.255/47/0)
remote ident(addr/mask/prot/port):(209.165.201.2/255.255.255.255/47/0)

D. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)

Answer: B

Explanation

The line “local ident (addr/mask/prot/port)” means local selector that is used for encryption and
decryption.

The answer of this question is based on the ACL applied. Thanks Shaunthesheep for sharing this:

VPN Tunnel can be established using IPSec or IPSec+GRE. The configuration requires to define a
Crypto map which refers to an ACL for Interesting traffic or the traffic to be encrypted. Look for the
values in the ACL. e.g.

1) permit gre any any —> Answer will be both local and remote indent address entries as 0 and 47
in the protocol field. Like this :

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)

remote ident (addr/mask/prqwot/port): (0.0.0.0/0.0.0.0/47/0)

2) Permit ip any any —> Answer will be both local and remote indent address entries as 0 and 0 in
the protocol field. Like this :

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prqwot/port): (0.0.0.0/0.0.0.0/0/0)

3) Permit ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 —> Answer will be both local and remote
indent address entries as in ACL and 0 in the protocol field. Like this :

local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

Update: We cannot explain why all fields are “0” here but our candidates got full mark so please
choose it.

Question 4

What should be the next step after the problem is solved?

A. document it
B. knowledge transfer
C. result analysis
D. create an action plan

Answer: A

Explanation

Cisco has broken this process into eight steps:

1. Define the problem.
2. Gather detailed information.
3. Consider probable cause for the failure.
4. Devise a plan to solve the problem.
5. Implement the plan.
6. Observe the results of the implementation.
7. Repeat the process if the plan does not resolve the problem.
8. Document the changes made to solve the problem.

Although some online document does not mention about step 8 (document the changes) (like the
link http://www.ciscopress.com/articles/article.asp?p=1578504&seqNum=2) but this step is very
important so that repeated issue can be solved quickly in the future.

Question 5

This question have 3 router (R1,R2,R3), (R1_fa0/0====fa0/0_R2_fa0/1====fa0/1_R3) and have

loopback, acl for each a router. Loopback from R1 can’t ping loopback of R3 (192.168.254.1/24).
An ACL is configured on R3 that only permits 192.168.0.0 0.0.0.255. What changes need to occur
so R1 can ping R3 loopback?

A.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.0.255

B.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.255.255

C.
ip access-list extended 101
no 100

Answer: B (Modify access-list , no entry 30 and re-add it changing the netmask to 192.168.0.0
0.0.255.255)

Question 6

A topology with three routers R1, R2 and R3 connected to each other and a list of ACL statements
to choose. The question asks which sequence number prevented connection from R1 to R2 via
SSH.

R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3

Answer: 20 deny tcp x:x::/64 host y:y::2 eq 22 (so choose the sequence number 20)
Question 7

Refer to the exhibit.

interface Serial0/1/0
ip address 10.12.13.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0
!
interface serial0/2/0
ip address 10.12.23.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0

R3#sh ip route
[output omitted]

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.12.13.0/24 is directly connected, Serial0/1/0
L 10.12.13.3/32 is directly connected, Serial0/1/0
C 10.12.23.0/24 is directly connected, Serial0/2/0
L 10.12.23.3/32 is directly connected, Serial0/2/0
S 192.168.0.0/16 is directly connected, Null0
O 192.168.1.0/24 [110/65] via 10.12.13.1, 00:05:51, Serial0/1/0
O 192.168.2.0/24 [110/65] via 10.12.23.2, 00:05:51, Serial0/1/0
O 192.168.17.0/24 [110/65] via 10.12.23.2, 00:03:13, Serial0/1/0
O 192.168.27.0/24 [110/65] via 10.12.13.1, 00:04:14, Serial0/1/0

Which feature is required to enable Unicast reverse path forwarding?

A. access control list

B. Cisco express forwarding
C. virtual routing and forwarding
D. bidirectional forwarding detection

Answer: B

Question 8

Which command is used to check the SSH version?

A. show ip ssh
B. show crypto key mypubkey rsa
C. show ssh sessions
Answer: A

Explanation

R1# show ip ssh

Connection Version Encryption Username HMAC Server Hostkey IP Address
Inbound:
1 SSH-2 3des-cbc Raymond hmac-sha1 ssh-dss 10.120.54.2
Outbound:
6 SSH-2 aes256-cbc Steve hmac-sha1 ssh-dss 10.37.77.15
SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)

Question 9

Refer to the exhibit.

interface Tunnel0
description Tunnel to Main Office
ip address 192.168.1.1 255.255.255.252
tunnel source 209.165.200.225
tunnel destination 209.165.202.129
tunnel path-mtu-discovery

A remote office was recently connected to the main office by using a GRE tunnel. Path MTU
Discovery (PMTUD) is enabled on the tunnel interface. End users at the remote office report having
issues accessing a file sever in the main office. PMTUD is not working, what is the issue?

A. Local router MTU is 1500

B. Local router MTU is 1400
C. Router in the path has “no ip host unreachable” configured
D. Router in path has ICMP Redirects enabled

Answer: C

Question 10

Topology with three switches which are connected to each other via Gi0/0 & Gi0/1. All interfaces
are configured in VLAN 100 and voice VLAN 101. Duplex mismatch between two switches (one
interface in full duplex which the opposite interface in half duplex). Spanning tree is detecting a
loop in the network, what is causing the loop.

A. duplex mismatch
B. speed mismatch
C. vlan missconfiguration

Answer: A

Explanation
Duplex mismatch is a configuration issue where one side of the network is set to one duplex mode
and the other to another duplex mode. Having one bridge on half duplex and the other on full
duplex results in collisions that cause bridging loops

Question 11

Which statement about the INTERNET ACL is true?

ipv6 access-list INTERNET

permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA::/64
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet
permit tcp 2001:DB8:AD59:BA21::/64 any eq www
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log

A. NPD is not working correctly because NS and NA messages are being denied
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80 will
be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted along
with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied

Answer: A

Explanation

Answer B and C are not correct as the IPv6 address 2001:DB80:AD59… is different from the IPv6
address 2001:DB8:AD59… (trailing 0 cannot be omitted).

Answer D is not correct as the source address of 2001:DB8:AD59:ACC0:2020:882:DB8:1125

matches the ACL statement “permit ipv6 2001:DB8:AD59::/48 any” so it will be permitted.

Therefore only answer A is the suitable answer left.

For your information, by default an IPv6 ACL has three implicit statements at the end:
+ permit icmp any any nd-na
+ permit icmp any any nd-ns
+ deny ipv6 any any

The first two statements are required for IPv6 neighbor discovery protocol which are very
important so they are always permitted in an IPv6 ACL. But in this case we explicitly used the
“deny ipv6 any any (log)” command so the two above commands must be typed just before the
last statement (“deny ipv6 any any log”) or that traffic will be blocked.

Question 12

Refer to the exhibit.

R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.55.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.55.0

R1#show management-interface
Management interface GigabitEthernet0/2
Protocol Packets processed
http 0
https 10
Management interface GigabitEthernet0/3
Protocol Packets processed
http 0
ssh 10
snmp 1110

R2#ssh -l admin 10.10.20.2

%Destination unreachable, gateway or host down

The organization has implemented Management Plane Protection. Headquarters has decided that
FTP needs to be enabled on all management ports.
Which configuration context must be modified to accomplish this configuration?

A. Policy-map
B. Control-plane
C. Access-list
D. Class-map

Answer: B

================New Multiple Choice Questions (updated on 4th-Aug-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Which protocol can be added into MPP? (Choose two)

A. telnet
B. scp
C. tftp
D. smtp

Answer: A C

Explanation

Following are the management protocols that the MPP feature supports. These management
protocols are also the only protocols affected when MPP is enabled.
+ Blocks Extensible Exchange Protocol (BEEP)
+ FTP
+ HTTP
+ HTTPS
+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_pla
ne_prot.html

Question 2

OSPF neighbor not forming. Exhibit shows DBD packets are being re-transmitted to the neighbor.
Debug shows that Exstart state to Down. What is the reason?

A. MTU mismatch
B. The router did not receive a Hello packet
C. OSPF is not running on the other router
D. The packet does not have RID

Answer: A

Explanation

After two OSPF neighboring routers establish bi-directional communication and complete DR/BDR
election (on multi-access networks), the routers transition to the exstart state. In this state, the
neighboring routers establish a master/slave relationship and determine the initial database
descriptor (DBD) sequence number to use while exchanging DBD packets.

Neighbors Stuck in Exstart/Exchange State

The problem occurs most frequently when attempting to run OSPF between a Cisco router and
another vendor’s router. The problem occurs when the maximum transmission unit (MTU) settings
for neighboring router interfaces don’t match. If the router with the higher MTU sends a packet
larger that the MTU set on the neighboring router, the neighboring router ignores the packet.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13684-
12.html

Question 3

When troubleshoot a connection to a Point-to-Point Tunneling Protocol server behind a NAT router,
which two filters should be used to capture all traffic related to the Point-to-Point Tunneling
Protocol? (Choose two)

A. UDP port 500

B. protocol ESP (or protocol 50)
C. TCP port 47
D. protocol 47
E. TCP port 1723

Answer: D E

Explanation

The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer
of data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data
networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or
other public TCP/IP-based networks.
PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access
Concentrator (PAC) pair. After the tunnel is set up, PPP packets are exchanged using enhanced
generic routing encapsulation (GRE). A call ID present in the GRE header indicates the session to
which a particular PPP packet belongs.
Network Address Translation (NAT) translates only the IP address and the port number of a PPTP
message. Static and dynamic NAT configurations work with PPTP without the requirement of the
PPTP application layer gateway (ALG). However, Port Address Translation (PAT) configuration
requires the PPTP ALG to parse the PPTP header and facilitate the translation of call IDs in PPTP
control packets. NAT then parses the GRE header and translates call IDs for PPTP data sessions.
The PPTP ALG does not translate any embedded IP address in the PPTP payload. The PPTP ALG is
enabled by default when NAT is configured.
NAT recognizes PPTP packets that arrive on the default TCP port, 1723, and invokes the PPTP ALG
to parse control packets. NAT translates the call ID parsed by the PPTP ALG by assigning a global
address or port number. Based on the client and server call IDs, NAT creates two doors based on
the request of the PPTP ALG. ( A door is created when there is insufficient information to create a
complete NAT-session entry. A door contains information about the source IP address and the
destination IP address and port.) Two NAT sessions are created (one with the server call ID and the
other with the client call ID) for two-way data communication between the client and server. NAT
translates the GRE packet header for data packets that complies with RFC 2673.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-
16/nat-xe-16-book/iadnat-pptp-pat.html

Question 4

The user was able to access the router via line vty 5 min ago. But he is no longer able to log in
now. No change in the network. What is the issue?

A. exec-timeout 0 0
B. the VTY lines are at capacity
C. SSH is not configured
D. Console line is in use by someone else

Answer: B

Question 5

Drag drop question about debug commands.

Answer:

Debug condition standby -> display debug messages related to HSRP

Debug condition glbp -> displays debug messages from virtual MAC address 0007.b400.0101
Debug aaa authentication -> displays debug messages related to determine the users’ identity
Debug aaa authorization -> displays debug messages related to determine the users’ permissions

Question 6

The command “ip verify unicast source reachable-via any” is configured on the interface. Router
received with source IP address 172.16.100.10. Routing table shows a valid route to
172.16.100.0/24 is learned via OSPF.
There is a null static route to 172.16.0.0/16.
Question is what the router will do that packet?

A. The packet is dropped

B. The packet is allowed to route to the destination

Answer: B

Explanation
Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it
matches with the interface used to reach this source IP then the packets are allowed to enter
(strict mode).

The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping]

[access-list-number]

The any option enables a Loose Mode uRPF on the router. This mode allows the router to reach the
source address via any interface.
The rx option enables a Strict Mode uRPF on the router. This mode ensures that the router reaches
the source address only via the interface on which the packet was receive.
In this case the router was configured with uRPF in loose mode.

Question 7

After applying below config on one router, OTHER router started showing authentication errors
(you will see output log with errors).

Applied configuration:
Standby group 100
Standby 100 vip 172.x.x.x
Standby 100 md5 authentictaion cisco123!

What is likely the cause?

A. Configure “standby 100 authentication md5 key-string cisco123!” on both routers

B. Configure “standby 100 authentication text cisco123!” on both routers
C. Configure the aaa authentication login default group standby enable command
D. Configure the aaa authentication login default group 100 enable command

Answer: A

Question 8

High CPU utilization of the router. How to display the lines including a process name Or beginning
with CPU from show proc cpu output.

A. show proc cpu | include process_name | begin CPU

B. show proc cpu | include process_name |$CPU
C. show xxx | include process_name |^CPU
Answer: C

Explanation

Below is an example of the “show process cpu” output:

Let’s check various “show process cpu” with pipe commands

In the above output we only see the pipe “^CPU” displays the “CPU utilization for five seconds …”
line so this is the correct answer.

Question 9

Someone has changed the password for a router and saved the configuration, anyway he forget
the password and unable to access the router anymore. Which actions needed to solve the issue?

A. Change configuration register to 0x2102

B. Change configuration register to 0x2142
C. Reboot the router

Answer: B

Explanation

With the value 0x2142, the device will bypass the startup configuration stored in NVRAM during its
boot sequence.

Question 10

Refer to the exhibit about GRE tunnel0 interface:.

R1#show ip interface brief

Interface IP-Address OK? Method Status
Protocol
...
Tunnel0 unassigned YES manual up
down

What is required to bring up a point-to-point tunnel?

A. assign IP to the tunnel interface

B. define tunnel source and destination IP
C. apply no shut command to Tunnel0

Answer: B

Explanation

In order to make a Point-to-Point GRE Tunnel interface in up/up state, two requirements must be
met:
+ A valid tunnel source (which is in up/up state and has an IP address configured on it) and tunnel
destination must be configured
+ A valid tunnel destination is one which is routable. However, it does not have to be reachable.

Question 11

Router L ==== Router C ==== Router R

L and R routers were showing GRE and IPSec configurations, questions is an ACL applied in router
C is blocking all IP traffic, which protocol should be allowed in the ACL to allow traffic.

A. ESP
B. GRE
C. ICMP
D. UDP

Answer: D

Explanation

GRE with IPSec traffic will be encrypted/encapsulated inside an ESP packet. ESP packet, in turn,
will be encapsulated inside a UDP port 500 (or UDP port 4500 in case of NAT) datagram.

Therefore we have to permit UDP port 500/4500 on the middle routers so that GRE with IPSec
traffic can flow through.

Question 12

Refer to the exhibit.

There is a time-range acl but the query is to resolve a ping issue from interface eth0/0 to a host on
172.16.10.100 with an ACL line. The ACL is applied inbound of the router. The question asks what
ACL line needs to be added in order to allow ping access from the local router to server
172.16.10.100.

A. access-list 101 permit icmp host 172.16.10.100 10.1.1.0 0.0.0.15

B. access-list 101 permit icmp host 172.16.10.100 10.1.1.x 0.0.0.3
C. access-list 101 permit icmp 10.1.1.0 0.0.0.15 172.16.10.100 0.0.0.255
D. access-list 101 permit icmp 10.1.1.0 0.0.0.255 host 172.16.10.100
E. access-list 101 permit icmp host 172.16.10.100 10.1.1.0 0.0.0.31

Answer: E

Explanation

This ACL was applied to the inbound direction of e0/0 interface so we need to permit the ICMP
reply packet to go through. Therefore the source IP address must be the server IP address and the
destination IP address range must cover the e0/0 interface IP address. In this case only answer E
with the destination wildcard mask of 0.0.0.31 covers 10.1.1.25 so it is the correct answer. Notice
that answer A has similar solution but its wildcard mask of 0.0.0.15 does not cover 10.1.1.25.

================New Multiple Choice Questions (updated on 3rd-Jun-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Drag drop question about IPSec.

Answer:

+ show crypto isakmp sa detail: Verify the current SA lifetime and the time for next
renegotiation
+ show cryto ipsec sa peer: (verify) traffic flows in only one direction
+ show ip eigrp neighbor: Verify that routing protocol neighbor is established
+ debug crypto isakmp: Verify that the spoke router is sending udp 500 packet

Explanation

An example about the output of the “show crypto isakmp sa detail” is shown below:

Router1#show crypto isakmp sa detail

Codes: C – IKE configuration mode, D – Dead Peer Detection
K – Keepalives, N – NAT-traversal
T – cTCP encapsulation, X – IKE Extended Authentication
psk – Preshared key, rsig – RSA signature
renc – RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 192.168.3.2 192.168.4.2 ACTIVE aes sha256 psk 5 11:54:20
Engine-id:Conn-id = SW:1

Verify whether the traffic flows in only one direction

The VPN tunnel between the spoke-to-spoke router is up, but unable to pass data traffic. The
following sample output is from the “show crypto ipsec sa peer” command:
Spoke1# show crypto ipsec sa peer 172.16.2.11
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 110, #pkts encrypt: 110
#pkts decaps: 0, #pkts decrypt: 0,
local crypto endpt.: 172.16.1.1,
remote crypto endpt.: 172.16.2.11
inbound esp sas:
spi: 0x4C36F4AF(1278669999)
outbound esp sas:
spi: 0x6AC801F4(1791492596)
================================================
Spoke2#sh crypto ipsec sa peer 172.16.1.1
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
#pkts encaps: 116, #pkts encrypt: 116,
#pkts decaps: 110, #pkts decrypt: 110,
local crypto endpt.: 172.16.2.11,
remote crypto endpt.: 172.16.1.1
inbound esp sas:
spi: 0x6AC801F4(1791492596)
outbound esp sas:
spi: 0x4C36F4AF(1278669999

There is no decap packets in Spoke1, which means esp packets are dropped somewhere in the
path return from Spoke2 towards spoke1.

The Spoke2 router shows both encap and decap, which means that ESP traffic is filtered before
reaching Spoke2. It may happen at the ISP end at Spoke2 or at any firewall in path between
Spoke2 router and Spoke1 router. After allowing ESP (IP Protocol 50), Spoke1 and Spoke2 both
show encaps and decaps counters are incrementing.

Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-
dmvpn/111976-dmvpn-troubleshoot-00.html#verifyonedirection

Further, check debug crypto isakmp to verify that the spoke router is sending udp 500 packet:

Router#debug crypto isakmp

04:14:44.450: ISAKMP:(0):Old State = IKE_READY
New State = IKE_I_MM1
04:14:44.450: ISAKMP:(0): beginning Main Mode exchange
04:14:44.450: ISAKMP:(0): sending packet to 172.17.0.1
my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:44.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:14:54.450: ISAKMP (0:0): incrementing error counter on sa,
attempt 1 of 5: retransmit phase 1
04:14:54.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
04:14:54.450: ISAKMP:(0): sending packet to 172.17.0.1
my_port 500 peer_port 500 (I) MM_NO_STATE
04:14:54.450: ISAKMP:(0):Sending an IKE IPv4 Packet.
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
04:15:04.450: ISAKMP (0:0): incrementing error counter on sa,
attempt 2 of 5: retransmit phase 1
04:15:04.450: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

The above debug output shows spoke router is sending udp 500 packet in every 10 seconds.

Reference: https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-
dmvpn/111976-dmvpn-troubleshoot-00.html

Question 2

Refer to the exhibit. Which hashing method is being used for the enable secret?

…
enable secret 8 $fdiFJeJdfkjFkFjfdiKFjIgkdj/j90jdfsjifdsjFjfdPK
!
username admin privilege 15 password 7 0348378437387483E8787F
…

A. sha1
B. sha256
C. scrypt
D. md5

Answer: B

Explanation

To determine which scheme has been used to encrypt a specific password, check the digit
preceding the encrypted string in the configuration file. If that digit is a 7, the password has been
encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using the
stronger MD5 algorithm.

Note:
+ Type 5: MD5
+ Type 8: sha256
+ Type 9: scrypt

Question 3

Refer to the exhibit. PCB could not ping PCA. The admin has logged into each switch, starting from
SW1 and ending with SW2 and has examined the links between each. Which troubleshooting
method has been used?
A. top down
B. follow the path
C. bottom up
D. divide and conquer

Answer: B

Question 4

Drag drop question about GRE characteristics (Overlay and Underlay Network).

Answer:

Overlay network:
+ deencapsulates the tunnel header before routing
+ Virtual tunnel network

Underlay network:
+ Physical network
+ MTU must be increased to avoid fragmentation

Unused option: Must use IPv6 as the Layer 3 protocol

Note: The core routers are known as the underlay network. This is responsible for taking GRE
packets and transporting them from one side of the network to the other. The tunnel itself is
the overlay network. Packets passing through the overlay network are unaware of the routers in
the underlay

Question 5

Drag the GRE tunnel state from the left onto the correct description on the right.

Answer:

Match the various tunnel states to the corresponding description.

Up/up ————– traffic is flowing across the tunnel

Up/down ———- the shutdown command has been issued on the physical interface
Down/down —— the shutdown command has been issued on the tunnel interface
Reset/up ———- transient state where the next hope server is its own ip address

Explanation

Four Different Tunnel States

There are four possible states in which a GRE tunnel interface can be:
+ Up/up – This implies that the tunnel is fully functional and passes traffic. It is both
administratively up and it’s protocol is up as well.
+ Administratively down/down – This implies that the interface has been administratively shut
down.
+ Up/down – This implies that, even though the tunnel is administratively up, something causes
the line protocol on the interface to be down.
+ Reset/down – This is usually a transient state when the tunnel is reset by software. This usually
happens when the tunnel is misconfigured with a Next Hop Server (NHS) that is it’s own IP
address.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html

Question 6a

Refer to the exhibit.

aaa authentication login default group tacacs+ local-case line

aaa authentication login LOCAL-VTY line
….
username cisco password cisco123
!
line vty 0 4
password CiscoCisco
login authentication LOCAL-VTY
transport input all

User tries to connect to line vty 0 with username Cisco and password “Cisco123” while TACACS
server is unreachable. What happens?

A. The user will be authenticated after the TACACS server fallback timer expires
B. The user will not be authenticated because the username is incorrect
C. The user will not be authenticated because the TACACS server is unreachable
D. The user will not be authenticated because the password is incorrect

Answer: D

Explanation

With this config, when the user tries to connect to line vty 0, the line password (which is
“CiscoCisco”) must be used to authenticate. The TACACS server would never been used unless we
remove the “login authentication LOCAL-VTY” statement (as the first aaa command “aaa
authentication login default group tacacs+ local-case line” would be used for all VTY, console, AUX
line because of the “default” group).

Question 6b

Refer to the exhibit.

username cisco password 123456
aaa authentication login default local-case

Client try to connect with this command : ssh -l Cisco 123456. What he can reach the destination

A. bad password
B. bad username
C. ?
D. ?

Answer: B

Explanation

The keyword “local-case” is used in the authentication so the username is case-sensitive and we
can to write the username exactly.

Question 7

Refer to the exhibit. Why can’t an user SCP to a server at 172.16.1.200 on Monday at 11:00 pm?

access-list 101 permit 89 any any

access-list 101 permit tcp any any eq 179
access-list 101 permit tcp any eq 179 any
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 deny ospf any any
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh time-range TIME
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq eq 500
access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq 4500
access-list 101 deny tcp any any eq 21
access-list 101 deny tcp any any eq 23
access-list 101 deny ip any any log
!
time-range TIME
periodic Mondy Wednesday Friday 6:00 to 18:00
!
interface Ethernet0/0
ip address 10.1.1.25 255.255.255.0
ip access-group 101 in

A. the ACL “time-range” blocks the traffic

B. SCP is denied by ACL deny tcp any any eq 21
C. The ACL deny ip any any blocks the traffic
D. SCP is denied by ACL deny tcp any any eq 23

Answer: C

Explanation

The user cannot access the server on Monday at 11pm because of two reasons:
+ First, it does not match the time-range TIME (only allowed to access from 6am 6pm), defined by
the ACL statement “access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh
time-range TIME”) so this traffic is continued to check with the rest of the ACL to see if there is any
matched entry for it.
+ Second, the last ACL statement drops this traffic as none of the above ACL statement matched
it.

So in this question the last line of the ACL is the place where the SCP traffic is dropped.

Note: SCP runs over TCP port 22 by default and connect via an encrypted connection or secure
shell connection (SSH).

Question 8

Drag and drop Windows and Cisco commands on the left to the corresponding description on the
right.

Answer:

+ C:> tracert [IP address]: uses path verification from the endpoint to the destination that is
unreachable
+ C:> ping [IP address]: identifies gateway reachability from an endpoint that is experiencing
the issue
+ Router# traceroute [IP address]: uses path verification from the network device where the
endpoint is connected
+ Router# ping [IP address]: identifies host reachability status from the closest network device
where the problem exists

Question 9

What is tshoot method use in DHCP problem?

A. top down
B. follow the path
C. bottom up
D. divide and conquer

Answer: C

Explanation

Let’s assume that you are researching a problem of a user that cannot browse a particular website
and while you are verifying the problem, you find that the user’s workstation is not even able to
obtain an IP address through the DHCP process. In this situation it is reasonable to suspect lower
layers of the OSI model and take a bottom-up troubleshooting approach.

Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2

Question 10

What is tshoot method use in spanning-tree?

A. top down
B. follow the path
C. bottom up
D. divide and conquer

Answer: B
Question 11

Refer to the exhibit.

C:> Tracert 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

1 1ms 1ms 1ms 192.168.100.1
2 3ms 2ms 3ms 172.16.10.200
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.

What is the next step to troubleshoot the issue?

A. Verify HQ Router and Firewall are in the same VLAN

B. traceroute to the WAN IP address of HQ
C. Ping the LAN IP address of the HQ router
D. Check MTU between BR and HQ

Answer: A

Explanation

The trace route stops at the inbound interface of the HQ router so the problem must be somewhere
between HQ and the Firewall so answer A is the best choice here.

Question 12

Refer to the exhibit.

R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.55.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.55.0

R2#ssh -l admin 10.10.20.2

%Destination unreachable, gateway or host down

A company is implementing Management Plane Protection (MPP) on its network. The team needs to
copy the configuration of Router A via CLI encrypted transport. Which interface must the team use?

A. GigabitEthernet0/2
B. mgmt0
C. con0
D. GigabitEthernet0/3

Answer: D

Explanation

In this question it seems R1 does not allow SSH to interface Gi0/2 of R1 (no traffic for SSH) so we
have to SSH to interface Gi0/3 instead.

Question 13

Refer to the exhibit.The traceroute fails from R1 to R3.What is the cause of the failure?

R1#traceroute 3.3.3.3
…
1 10.10.10.2 18msec
2 10.10.10.5 !A
…
!A

A. Redistribution of connected routes into OSPF in not configuration

B. An ACL applied inbound on fa0/1 of R3 is dropping the traffic
C. An ACL applied inbound on loopback0 of R2 is dropping the traffic
D. The loopback on R3 is in a shutdown state

Answer: B

Explanation

The !A is the response that indicates that you received a response of Administratively Prohibited.
This is the result when the traceroute is denied by an access list.
Note: The OSPF process ID is just locally significant but R2 is using two different OSPF process IDs
(#1 and #2) so they should be redistributed into each other like this:

router ospf 1
redistribute ospf 2 subnets
router ospf 2
redistribute ospf 1 subnets

But it is not the problem here.

Question 14

Which scenario causes a GRE tunnel interface to be in an up/down state?

A. The is no route to the tunnel destination address

B. The tunnel source and destination addresses are in different subnets
C. The subnet masks on the tunnel interfaces do not match
D. The route to the tunnel destination address is not routed through the tunnel

Answer: A

Explanation

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down
state:
– There is no route, which includes the default route, to the tunnel destination address.
– The interface that anchors the tunnel source is down.
– The route to the tunnel destination address is through the tunnel itself, which results in
recursion.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html

================Multiple Choice Questions (updated on 21st-Apr-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Which of the following features allows a router to install a floating route in its routing table when
the GRE tunnel is disrupted?

A. tracking objects
B. IP SLA
C. ?
D. GRE keepalive

Answer: D

Explanation

GRE tunnels are designed to be completely stateless. This means that each tunnel endpoint does
not keep any information about the state or availability of the remote tunnel endpoint. A
consequence of this is that the local tunnel endpoint router does not have the ability to bring the
line protocol of the GRE Tunnel interface down if the remote end of the tunnel is unreachable. The
ability to mark an interface as down when the remote end of the link is not available is used in
order to remove any routes (specifically static routes) in the routing table that use that interface as
the outbound interface. Specifically, if the line protocol for an interface is changed to down, then
any static routes that point out that interface are removed from the routing table. This allows for
the installation of an alternate (floating) static route or for Policy Based Routing (PBR) in order to
select an alternate next-hop or interface.

Normally, a GRE Tunnel interface comes up as soon as it is configured and it stays up as long as
there is a valid tunnel source address or interface which is up. The tunnel destination IP address
must also be routable. This is true even if the other side of the tunnel has not been configured.
This means that a static route or PBR forwarding of packets via the GRE tunnel interface remains in
effect even though the GRE tunnel packets do not reach the other end of the tunnel.

Before GRE keepalives were implemented, there were only ways to determine local issues on the
router and no way to determine problems in the intervening network. For example, the case in
which the GRE tunneled packets are successfully forwarded, but are lost before they reach the
other end of the tunnel. Such scenarios would cause data packets that go through the GRE tunnel
to be “black holed”, even though an alternate route that uses PBR or a floating static route via
another interface might be available. Keepalives on the GRE tunnel interface are used in order to
solve this issue in the same way as keepalives are used on physical interfaces.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118370-technote-gre-00.html

Question 2

Refer to the exhibit.

access-list 101 permit 89 any any

access-list 101 permit tcp any 10.1.1.1 0.0.0.0 eq 179
access-list 101 permit tcp any eq 179 any
access-list 101 permit gre any any
access-list 101 permit tcp nse any
access-list 101 deny ospf any any
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 22
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq telnet
access-list 101 permit tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 80
access-list 101 deny tcp 10.1.1.1 172.16.1.0 0.0.0.255 eq 2

Which two routing protocols are permitted by the ACL above? (Choose two)

A. BGP
B. OSPF
C. EIGRP
D. GRE
E. NSE (something like that)

Answer: A B

Explanation

BGP operates on TCP port 179 and the ACL statements “access-list 101 permit tcp any 10.1.1.1 eq
179” and “access-list 101 permit tcp any eq 179 any” allows BGP to go through.
The protocol number (not port number) of OSPF is 89 so the first ACL statement “permit 89 any
any” is same as “permit ospf any any” -> Answer B is correct.

EIGRP runs directly over IP using IP protocol number 88 – it does not use TCP or UDP. In the above
ACL statements there is no line for EIGRP so it will be dropped by implicit “deny all” statement at
the end of the ACL -> Answer C is not correct.

GRE is allowed with the “access-list 101 permit gre any any” statement so GRE is correct but this
question asks about “routing protocol” so GRE is not a valid option.

Note: Keep in mind that there is a big difference between a port number and a protocol
number. In an ACL, the number behind the keyword “eq” (equal) is a port number, not a protocol
number. For example, IP is protocol number 4, ICMP is 1, EIGRP is 88, and OSPF is protocol
number 89.

Question 3

Refer to the exhibit.

R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.55.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.55.0

R1#show management-interface interface

Management interface GigabitEthernet0/2
Protocol Packets processed
http 0
https 10
Management interface GigabitEthernet0/3
Protocol Packets processed
http 0
ssh 10
snmp 110

R2#ssh -l admin 10.10.20.2

%Destination unreachable, gateway or host down

A company is implementing Management Plane Protection (MPP) on its network. Which of the
following commands allows R2 successfully connect to R1 via SSH?

A. ssh -p 22 -l admin 10.10.30.2

B. ssh -v 2 -l admin 10.10.30.2
C. ssh -p 22 -l admin 10.10.20.2
D. ssh -v 2 -l admin 10.10.20.2

Answer: B

Explanation
SSH has the following options:

R1#ssh ?
-c Select encryption algorithm
-l Log in using this user name
-m Select HMAC algorithm
-o Specify options
-p Connect to this port
-v Specify SSH Protocol Version
-vrf Specify vrf name
WORD IP address or hostname of a remote system

In this question it seems R1 does not allow SSH to interface Gi0/2 of R1 (no traffic for SSH) so we
have to SSH to interface Gi0/3 instead.

Question 4

Section 1
R1#debug ip ospf hello
…
Section 2
R1#
Debugging is
Condition 1 – username
Condition 2 – int g0/2
Section 3
R1#debug ip ospf hello
…

Which of the following commands results in the Section 2 of the output above?

A.
R#debug condition username
R#debug condition interface g0/2

B.
R# debug condition interface g0/2
R#debug condition username

C.
R(conf)# debug condition username
R(conf)#debug condition interface g0/2

D.
R(conf)#debug condition interface g0/2
R(conf)# debug condition username

Answer: A

Explanation

The “debug condition” command must be issued in Privileged mode (not global configuration mode)

Question 5
Two hosts (PC A & PC B) in the same subnet (IP addresses 10.10.10.10 & 10.10.10.30, both /24)
connected to Layer 2 switches each (using ports g0/5). The layer 2 switches connect to other
switches which connects to a Multilayer (L3) switch.

What is the reason PC A cannot reach PC B?

A. IP routing is not enabled in the L3 switch

B. Interfaces g0/5 of the switches are in different VLANs
C. PC A and PC B are in different subnets
D. Interfaces Gi0/1 and Gi0/2 are not in an Etherchannel port

Answer: B

Explanation

Suppose all the related ports are in up/up state then there are only two reasons that PCA & PCB
cannot communicate:
+ These two PCs are in different VLANs
+ The ports on L3 switch that are connected to two Layer 2 switches are routing ports (with “no
switchport” command)

Question 6

Refer to the exhibit

R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
2 permit ip host xxxx host xxxxx
3 permit ip host xxxx host xxxxx
4 permit ip host xxxx host xxxxx
5 permit ip host xxxx host xxxxx
6 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
8 permit ip host xxxx host xxxxx
9 permit ip host xxxx host xxxx

Which of the following commands inserts five additional lines to the ACL Entry Sequence between
lines 3 and 4 without changing the existing configuration?

A. R(conf)# ip access-list resequence Super_User 1 6

B. R(conf)# ip access-list resequence Super_User 1 5
C. R(conf-nacl)# ip access-list resequence Super_User 1 6
D. R(conf-nacl)# ip access-list resequence Super_User 1 5

Answer: A

Explanation

The command “ip access-list resequence access-list-name starting-sequence-

number increment” (for example: “Router(config)# ip access-list resequence Super_User 1 6”) will
resequence the “Super_User” ACL using the starting sequence number (1) and the increment of
sequence numbers (6). After this command the “Super_User” ACL will be like this:

R1#show access-list
IP access-list extended Super_User
1 permit ip host xxxx host xxxxx
7 permit ip host xxxx host xxxxx
13 permit ip host xxxx host xxxxx
19 permit ip host xxxx host xxxxx
25 permit ip host xxxx host xxxxx
31 permit ip host xxxx host xxxxx
37 permit ip host xxxx host xxxxx
43 permit ip host xxxx host xxxxx
49 permit ip host xxxx host xxxx

-> We can insert five additional lines between two consecutive lines now.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-
3s/sec-data-acl-xe-3s-book/sec-acl-seq-num.html

Question 7

An engineer performed a router upgrade. After an unexpected reboot, the router loaded with the
old IOS version instead of the new one. What is the problem?

A. The configuration register is set to 0x2103

B. The old IOS image is corrupted
C. The new IOS image is corrupted
D. The boot loader is not present

Answer: D

Question 8

An exhibit with output of BGP debug

%TCP-6-….: Active to Idle
…
%TCP-6-BADAUTH: No MD5 digest from 192.168.1.1(179) to 192.168.4.1(45577) tabled-0
%TCP-6-BADAUTH: No MD5 digest from 192.168.4.1(179) to 192.168.1.1(45577) tabled-0

Why are the two routers not forming BGP neighborship?

A. Mismatched BGP authentication

B. Mismatched BGP Autonomous System numbers
C. Mismatched Hello and Hold timer
D. Mismatched BGP peer-group

Answer: A

Question 9

An exhibit that displays the outputs of show interface tunnel0 for two routers. Tunnel 0 is up/up
on one router and up/down on the other router.
Which of the following commands can quickly show the cause of the up/down state of Tunnel0 on
the second router?

A. show ip interface brief

B. sh ip protocols (or something else)
C. show ip route
D. show ip gre

Answer: C

Question 10

A hub and spoke topology consisting of some routers and switches. Host A is attached to the spoke
network and Host B is attached to the hub network. There is a set of commands beside the
topology:
Client A cannot reach client B while other Spokes can reach client B. What command in the
configuration is the cause of the problem?

A. ip nhrp network-id 12345

B. tunnel source e0/1
C. ip nhrp shortcut
D. tunnel mode gre multipoint

Answer: B

Note: Please check to see the NHRP address is wrong. Please read more about DMVPN and NHRP
at https://www.digitaltut.com/dmvpn-tutorial

Question 11

Drag the GRE tunnel state from the left onto the correct description on the right.

Answer:

Match the various tunnel states to the corresponding description.

Up/up ————– tunnel is up and functional

Up/down ———- tunnel is up but not passing traffic
Administratively Down/down —— tunnel is administratively shutdown (shutdown by configuration
or an administrator)
Reset/up ———- tunnel is ….. (maybe “misconfigured with a Next Hop Server (NHS) that is it’s own
IP address.”)

Explanation

Four Different Tunnel States

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html

Question 12

Refer to the exhibit.

enable secret 8 8asdknkjajf89nklasdnflkjajnslkdf

username cisco privilleage 15 password 7 8273872397892
no aaa new-model
line vty 0 4
login local

Which reversible encryption method is used?

A. SNMP
B. Local authentication
C. Enable
D. VTY

Answer: B

================New Multiple Choice Questions (updated on 10th-Mar-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Which statements about uRPF are true? (Choose two)

A. CEF should be enabled

B. CEF should be disabled
C. Packet with source 0.0.0.0 destination 255.255.255.255 will be permited
D. Packet with source 0.0.0.0 destination 255.255.255.255 will be denied
E. ?

Answer: A C

Explanation

uRPF uses the Cisco Express Forwarding (CEF) Forwarding Information Base (FIB) to perform
reverse path look-up on the source IP address of an incoming packet. The CEF FIB is a database of
network layer routing information and associated forwarding/adjacency information used in the CEF
switching of packets.
Unicast RPF will allow packets with 0.0.0.0 source and 255.255.255.255 destination to pass so that
Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP) functions work
properly.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c
/scfrpf.pdf

Question 2

Routes are not advertised in the GRE tunnel. What is the problem?

A. Implement dynamic routing in tunnel interfaces

B. ACLs are blocking packets
C. ?
D. ?

Answer: B

Question 3

How can we limit the number of simultaneous access to the VTY lines?

A. session-limit
B. something about ACL
C. ?
D. ?

Answer: A

Explanation

The “session-limit” command is used to configure the maximum number of the concurrent virtual
terminal sessions on a device. The range is from 1 to 64.

Question 4

Drag drop question about extended ping which includes: TTL, df-bit, ToS, Timeout.

Answer:

ToS = Specifies the packet classification

df-bit = allows for testing the path MTU
TTL = determines the maximum hop count
timeout = sets the interval to wait for a response

Good reference:

https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-
trace.html

Question 5

There is an exhibit with hub & spook topology with 2 PCs: Pc1 spoke side and Pc2 hub . PC1 not
pinging PC2. In the exhibit there is configuration of NHRP. Something like this:

interface tunnel0
ip address 10.100.0.3 255.255.25.0
no ip redirects
ip nhrp network-id 12345
ip nhrp shortcut
ip nhrp nhs 10.100.0.1 nbma 200.1.1.9 multicast
tunnel source e0/1
tunnel mode gre multipoint

What command can be used to troubleshoot GRE issues?

A. show dmvpn
B. show ip interface brief
C. show ip route
D. show ip bgp summary

Answer: A

Note: If in the exam there is anything related to DMVPN technology then the answer should be A.
Otherwise it should be B.

Update: The configuration is related to NHRP so the correct answer is A.

Question 6

Refer to the exhibit.

PC was not configured to obtain default-gateway from the DHCP server. What can we do for PC to
access the Internet?

A. Configure static ARP in gateway router

B. Configure dynamic ARP in gateway router
C. Configure proxy-ARP in gateway router
D. ?

Answer: C

Question 7

Output been given of RA tunnel up &up and RC tunnel up/down.

R-A and R-C tunnel interfaces configuration are shown. The only difference is RA MTU is 1490, RC
MTU is 1476. What is the issue?
The answers are like this:

A. Loopback 1.1.1.1 is not advertised………….

B. Loopback 4.4.4.4 is not advertised………….
C. MTU mismatched ….
D. RB configured not properly ……

Answer: A

Explanation

Note: The tunnel connection does not get down when the MTUs on two sides are mismatched -> C
is not correct. You can find from the output that Loopback 1.1.1.1 is not advertised.

Question 8

Question about “show debug condition” command.

Refer to the exhibit.

Router#show debug condition

condition 1: int g0/1 …
condition 2: int g0/2 …
Router##no debug condition 1

What is the output of “show debug condition “?

A. Router#show debug condition

condition 1: int g0/1 …
condition 2: int g0/2 …
B. Router#show debug condition
condition 1: int g0/2 …
C. Router#show debug condition
condition 1: int g0/1 …
D. Router#show debug condition
condition 2: int g0/2 …

Answer: D

Explanation

We tested it with IOSv15.4 and this is the result:

Question 9

Refer to exhibit. Client unable to enter the privilege mode

Answer: enable password should be configured

Question 10

Refer to the exhibit.

ipv6 access-list INTERNET

permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA14::/64 eq telnet
permit tcp 2001:DB8:AD59:BA21::/64 any eq http
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log

Which statement about the INTERNET ACL is true?

A. The denied entries will be logged because of the explicit deny ipv6 any any log line
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80 will
be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted along
with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied

Answer: A

Question 11

A. tunnel route-via ethernet0/1

B. tunnel mode gre
C. tunnel destination 10.100.0.1
D. tunnel source ethernet0/0

Answer: D

Question 12

Regarding extended ping, why ping is failed (refer to exhibit)?

Answer: df bit is set (should be unset, mtu issue)

Question 13

Routes are not being shared dynamically over a functional GRE tunnel. Which scenario is causing
the issue?
A. An ACI is blocking the datat plane traffic between the remote devices
B. MTU is configured at 1500 on the tunnel interface
C. The tunel made is mismatched between the two routers
D. The tunnel interface is not participating in the dynamic routing process

Answer: D

Question 14

There is a diagram with a HQ site connected with Branch site via GRE Tunnel

A. Change tunnel source in HQ site from G0/1 to 0/0

B. Change tunnel in Branch site from G0/0 to 0/1

Topology with 2 host connected via GRE (HQ and Branch)

Answer: A

================New Multiple Choice Questions (updated on 9th-Feb-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

A topology with three routers R1, R2 and R3 connected to each other and a list of ACL statements
to choose. The question asks which sequence number allows connection from R1 to R2 via SSH.

R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3

Answer: 20 permit tcp x:x::/64 host y:y::2 eq 22 (so choose the sequence number 20)

Question 2

How to apply an IPv6 access-list to lines?

A. ipv6 access-group <ipv6 access-list name>

B. ipv6 access-list <ipv6 access-list name>
C. ipv6 access-class <ipv6 access-list name>

Answer: C

Question 3
Drag drop about AAA.

Answer:

+ AAA Accounting commands: configures AAA to send commands executed to the configured
target
+ AAA Authentication banner: configures AAA to change the message displayed when a user
logs in
+ AAA authorization exec: (none)
+ AAA authentication enable: configures AAA to prompt for a password to enter privileged mode
+ AAA authorization config-commands: configures AAA to validate a user’s permission to
change the running configuration

Explanation

The “AAA authentication banner” command is used to configure a banner that is displayed when a
user logs in (replacing the default message for login).

If aaa authorization commands level method command is enabled, all commands, including
configuration commands, are authorized by AAA using the method specified. Use the aaa
authorization config-commands command if you need to reestablish the default set by the aaa
authorization commands level method command.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r
/srfauth.html

Question 4

An exhibit with three routers A, B and C. Router A is connected to Router B. Router B is connected
to Router C.

The output of “show interface Tunnel 1” on Router C shows that the tunnel is in “up/down” state.
The question asks what is the reason for this.

A. Router C does not have a route to the loopback interface of Router A (which is used as the
tunnel source on Router A and tunnel destination on Router C).
B. The tunnel mode should be changed to “gre mode multipoint”
C.
D.
Answer: A

Explanation

Reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-
gre/118361-technote-gre-00.html

Question 5

A network administrator attempts to restrict AUX access to R4 from a single host IP address
192.168.x.x has failed. Which action will restrict access?

access-list 150 permit tcp host 192.168.x.x any eq 22

access-list 150 permit tcp host 192.168.x.x any eq telnet
line vty 0 4
access-class 2 in
session-limit 1
login local
transport input all
line con 0
(no config)
line aux 0
(no config)

A. Set ACL 150 with inbound direction on AUX

B. Set ACL 150 on VTY lines
C. Set session-limit 0 command on AUX
D. Change session-limit to 0 on VTY

Answer: A

Explanation

The “session-limit” command is used to configure the maximum number of the concurrent virtual
terminal sessions on a device. The range is from 1 to 64.

Question on restricting access via AUX to ip’s/ranges in shown ACL. Config showing all the lines,
vty, aux and con and an ACL. Only VTY had config on, including access-class but ACL number was
not as in the config shown.
Question was something like why IP’s out of the range specified in the acl can access the router via
AUX – remember there was no config on AUX at all.

Question 6
A firewall has been inserted between 2 routers running GRE. Which protocol needs to be allowed
through on the firewall?

A. Create a firewall rule to allow IP protocol 47

B. Create a firewall rule to allow TCP/IP Port 47

Answer: A

Explanation

GRE is a protocol on the same level as TCP and UDP. When configuring a firewall to allow GRE, you
do not configure a port like you would for Telnet or SSH. Instead, you must configure the firewall
to allow protocol 47. Cisco router offer the keyword “gre” for configuring access lists.
Reference: Network Warrior, page 178 by Gary Donahue.

The access-list statement should be “access-list 100 permit gre any any” (or “access-list 100
permit gre host x.x.x.x host y.y.y.y” to allow specific host)

Question 7

How to apply IPv6 access list?

Answer: ipv6 traffic-filter

Question 8

Router is configured with AAA using the “local-case” keyword in authentication:

username Admin password cisco

aaa authentication login default local-case …
…

The question asks why the admin cannot login with the command:

ssh -l admin x.x.x.x

A. ssh -l Admin x.x.x.x

B. ssh -p Admin x.x.x.x
C. ssh port 1111
D. ?

Answer: A

Explanation

The keyword “local-case” is used in the authentication so the username is case-sensitive we must
care about upper-case letter “A”.

Question 9

Refer to the exhibit (ClientA is connecting to the network via e0/0 interface while the “tunnel
source e0/1” in the configuration). ClientA is unable to reach ClientB while other users from other
Spokes can reach ClientB. Which command resolves this issue?

A. tunnel route-via ethernet0/1

B. tunnel mode gre
C. tunnel destination 10.100.0.1
D. tunnel source ethernet0/0

Answer: D

Question 10

Large exhibit with many routers. Why a PC client is unable to communicate with HQ router by
looking at the routing table

Answer: did not have a route in his routing table

Question 11

An exhibit with the Admin PC (IP address: 192.168.1.200/28) connecting to the router R1 (Lo0:
192.168.1.55/28) with AAA config. The question asks why Telnet attempt to the router from the
Admin PC fails.

aaa new-model
!
aaa authentication login default line enable
aaa authorization commands 15 default local
aaa authorization network default local
!
username admin privilege 15 password cisco
!
ip ssh version 2
!
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.5.0 0.0.0.255 any range 22 stp
!
line vty 0 4
access-class 101 in
password cico
transport input all
!
line vty 5 15
access-class 101 in
password cico
transport input all
!

Answer: ACL is blocking the connection (because the ACL only allows port 22, which is SSH so
Telnet would be dropped)

Question 12

The GRE tunnel went down when an unrelated interface went down. What is the reason for that?

A. The CEF entry for the tunnel source use that interface
B. The CEF entry for the tunnel destination uses that interface
C. The interface is configured as the tunnel source
D. The interface is configured as the tunnel destination

Answer: B

Question 13

One question about OSPF and IBGP.

BGP R1 3.3.3.3 ——————OSPF Router—————–BGP R2 4.4.4.4

[Large output showing the BGP neighbor relationship will not establish]

Why will the neighbor relationship not establish?

A. Because there’s no route between the routers from present in the routing table
B. Something about OSPF advertisement
C. ?
D. ?

================New Multiple Choice Questions (updated on 11th-Jan-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Picture of 3 routers and the question was related to IPv4 -> IPv6 tunnelling stating that all
interfaces were configured with MTU 1500 other than the tunnel interface which didn’t set the MTU.
The engineer noticed that packets were being fragmented how do you fix this?

A. set the MTU on the tunnel interface to 1476

B. increase the IPv6 packet MTU.
C. increase the IPv4 packet MTU.
D. set the MTU on the tunnel interface to 1500.

Answer: A

Question 2

Refer to the statement.

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

error message

What could be causing the syslog?

A. Source virtual interface shutdown.

B. Tunnel interface is not participating in routing.
C. Physical interface is down/down.
D. The route to destination was learnt by the tunnel itself

Answer: D
Explanation

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

error message means that the generic routing encapsulation (GRE) tunnel router has discovered a
recursive routing problem. This condition is usually due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address using
the tunnel interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network

So in this question if there is an option with either of the conditions above please choose it.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-
protocol-eigrp/22327-gre-flap.html

Question 3

How do you view an access-list that’s set on a int G0/0?

A. show ip access-lists int g0/0

B. show int g0/0
C. show ip access-list applied
D. show interface G0/0 stat

Answer: A

Explanation

The “show ip access-list int …” command is only available in IOS v15 or IOS XE (you cannot find it
in IOS v12):

R2#sh ip access-lists ?
<1-199> Access list number
<1300-2699> Access list number (expanded range)
WORD Access list name
dynamic List dynamic IP access lists
interface List ACL attached to an interface
| Output modifiers
<cr>
R2#sh ip access-lists int ?
Async Async interface
Auto-Template Auto-Template interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
Ethernet IEEE 802.3
GMPLS MPLS interface
LISP Locator/ID Separation Protocol Virtual Interface
LongReachEthernet Long-Reach Ethernet interface
Loopback Loopback interface
Lspvif LSP virtual interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-TokenRing Virtual TokenRing
vmi Virtual Multipoint Interface

Question 4

What can you use to collect stats on Cisco IOS?

A. SNMP
B. LLDP
C. HSRP
D. ICMP

Answer: A

Question 5

Refer to the exhibit.

line vty 0 4
ip access-class 1 in
transport input telnet only
!
ip access list permit tcp any any eq 22
ip access list permit tcp any any telnet

Cisco engineer is trying to setup secure access to the router but why is SSH failing?

A. access-list needs to be applied with access-group command.

B. access-list only allows telnet access.
C. They’re needed to be transport input ssh on line vty 0 4.
D. ?

Answer: C

Question 6

Diagram showing 2 hosts each connected to different access switches. Host A in VLAN 300 Host B
in VLAN 200. Why can host A not access a DHCP server in VLAN 200?

A. VLAN 200 needs to be added to access switch B.

B. Create a port channel.
C. Host A has the wrong subnet mask.
D. ?

Answer: C (Host A has /24 and the gateway ( int vlan 300) was /22)

Question 7a
There was a question on how to limit debug output for a particular interface and one of the options
was debug condition interface g0/0.

A. debug condition interface g0/0

B. ?
C. ?
D. ?

Answer: A

Explanation

The command “debug condition interface <interface>” command is used to disable debugging
messages for all interfaces except the specified interface so in this case the debug output will be
shown on Fa0/1 interface only.

Note: If in this question there is another “debug condition interface …” command configured then
the answer should be both interfaces will show debugging ouput.

Question 7b

An exhibit showing output of a debug command that would display debugs on interfaces g0/0 and
g/2, and then second output showing only messages for G0/2.

The question was what is the command that would limit the debug output as shown in the exhibit
(only for G0/2)?

A. debug condition interface g0/2

B. debug condition interface g0/0
C. debug condition 192.168.22.2
D. debug condition …

Answer: A

Question 8

Refer to the exhibit. How would you confirm on R1 that load balancing is actually occurring on the
default-network (0.0.0.0)?

A. Use ping and the show ip route command to confirm the timers for each default network resets
to 0.
B. Load balancing does not occur over default networks; the second route will only be used for
failover.
C. Use an extended ping along with repeated show ip route commands to confirm the gateway of
last resort address toggles back and forth.
D. Use the traceroute command to an address that is not explicitly in the routing table.

Answer: D

Question 9

Which statement indicates a cause for Tunnel0‘s connection failure?

A. The tunnel source interface is in an up/down state and the tunnel destination is recursively
routing as a result.
B. The tunnel destination interface is flapping, which causes the tunnel to go up and down.
C. The tunnel is configured with the wrong encapsulation.
D. The tunnel destination is intermittently reachable via multiple routing protocols.

Answer: D

Explanation

Answer A says “the tunnel destination is recursively routing” as a result of “tunnel source interface
is in up/down state” is not correct according to this paragraph from Cisco website:

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error message
means that the generic routing encapsulation (GRE) tunnel router has discovered a recursive
routing problem. This condition is usually due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination
address using the tunnel interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network
Tunnel interface status depends on the IP reachability to the tunnel destination. When the router
detects a recursive routing failure for the tunnel destination, it shuts the tunnel interface down for
a few minutes so that the situation causing the problem can resolve itself as routing protocols
converge. If the problem is caused by misconfiguration, the link can oscillate indefinitely.
Another symptom of this problem is continuously flapping Enhanced Interior Gateway
Routing Protocol (EIGRP), Open Shortest Path First (OSPF), or Border Gateway Protocol
(BGP) neighbors, when the neighbors are over a GRE tunnel.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-
protocol-eigrp/22327-gre-flap.html

The tunnel source does not know the state of tunnel destination so answer B is not correct.

If the tunnel is configured with wrong encapsulation then the tunnel is still up but packets go
through it would be dropped. Although this answer seems to be correct but we believe answer D is
the best choice as it matches to the above Cisco statement:

“Another symptom of this problem is continuously flapping Enhanced Interior Gateway

Routing Protocol (EIGRP), Open Shortest Path First (OSPF), or Border Gateway Protocol
(BGP) neighbors, when the neighbors are over a GRE tunnel.“

Question 10

Refer to exhibit. Host A is not able to https to http://www.cisco.com. All NAT was checked and
confirmed as OK. What would be the first step in troubleshooting.

Question about engineer can’t reach http://www.cisco.com server so what is the command to
check the issue with presenting all the encountered hops

A. traceroute to http://www.cisco.com
B. check physical interface on firewall
C. nslookup http://www.cico.com
D. ?

Answer: A

Question 11

Which AAA command configures login using the local database?

A. aaa authentication login default local
B. ?
C. ?
D. ?

Answer: A

Question 12

Which Cisco IOS feature allows you to create your own event definition for a network device and
specify the action that should be performed in response to that event?

A. Embedded Event Manager (EEM)

B. ?
C. ?
D. ?

Answer: A

Question 13a

GRE tunnel is in down/down on source host. What can be a cause? (What causes GRE tunnel
interface to be in down/down state?)

A. The source interface is administrative shutdown.

B. physical interface of source is down/down
C. Wrong source/destination addressing (something like that).
D. The destination interface is down/not reachable.
E. Shutdown the virtual interface

Answer: A (in fact it is not correct)

Explanation

A tunnel interface is in up/down state right after we create it (with the “interface tunnel <tunnel-
number>” command). We cannot put it into down/down state, even if we shut down the source
interface. We can only put it into “administratively down/down” by shutting down the tunnel itself.
The tunnel interface does not change state when we change/configure the other end of the tunnel.

Question 13b

Which scenario would cause the tunnel interface on a router to show a status of down/down?

A. The destination address is missing on the tunnel configuration.

B. The shutdown command has been issued on the virtual interface.
C. The source physical interface is in a down/down state.
D. the destination router’s physical interface is shut down.

Answer: B

Explanation

A tunnel interface is in up/down state right after we create it (with the “interface tunnel <tunnel-
number>” command). We cannot put it into down/down state, even if we shut down the source
interface. We can only put it into “administratively down/down” by shutting down the tunnel itself.
Therefore in fact this question is not totally correct. The tunnel interface does not change state
when we change/configure the other end of the tunnel.

Question 14

There are two exhibit of GRE tunnel interface configuration on R1 and R2, they look almost
identical in terms of configuration expect on R1 the interface is configured with keepalive 4 5 and
R2 doesn’t. Question says something like which statement best describes how the GRE interfaces
will behave.

A. R1 will send keepalives, but R2 will drop them.

B. R1 does not send keepalives until R2 is also configured with keepalive.
C. R1 will detect tunnel outage within 5 seconds.
D. R1 will detect tunnel outage within 20 seconds.

Answer: D (R1 will shutdown the tunnel after 20 sec ( 4 sec with 5 retries))

==========================================================
========================

Old Questions:

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Which of the following is the ping response to a transmitted ICMP echo datagram that needed to be
fragmented when fragmentation was not permitted?

A. U
B. .
C. M
D. D

Answer: C

Question 2

Which two of the following options are categories of Network Maintenance tasks? (Choose two)

A. Firefighting
B. Interrupt-driven
C. Policy-based
D. Structured

Answer: B D

Question 3

Which three of the following are reasons EIGRP neighbor relationships might not form? (Choose
three)

A. Different autonomous system numbers

B. Different K values
C. Different timers
D. Different authentication parameters

Answer: A B D

Question 4

What type of cable is used to connect to the console port and aux port of two routers together?

A. Straight-through
B. Crossover
C. Rollover
D. DB 25 DCE

Answer: C

Question 5

Which statement best describes GRE protocol?

A. GRE adds the new IP header, encapsulates the original IP packet, and adds the GRE header at
the end of the IP packet.
B. GRE adds the new IP header, inserts the GRE header, and encapsulates the original IP packet.
C. GRE uses the original IP header and adds the GRE header at the end of the packet.
D. GRE uses the original IP header and inserts the GRE header between the IP header and payload.

Answer: B

Question 6

A network administrator is troubleshooting an EIGRP connection between RouterA, IP address

10.1.2.1, and RouterB, IP address 10.1.2.2. Given the debug output on RouterA, which two
statements are true? (Choose two)

EIGRP: Received UPDATE on Ethernet0/0 nbr 10.1.1.1

AS 1, Flags 0x1, Seq 478/0 idbQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
K-value mismatch

A. RouterA received a hello packet with mismatched autonomous system numbers.

B. RouterA received a hello packet with mismatched hello timers.
C. RouterA received a hello packet with mismatched authentication parameters.
D. RouterA received a hello packet with mismatched metric-calculation mechanisms.
E. RouterA will form an adjacency with RouterB.
F. RouterA will not form an adjacency with RouterB.

Answer: D F

Question 7

You are troubleshooting an issue with a GRE tunnel between R1 and R2 and find that routing is OK
on all intermediary routers. The tunnel is up on R1, but down on R2. Which two possible issues can
prevent the tunnel from coming up? (Choose two)
A. The tunnel does not come up unless traffic is sent through it.
B. The tunnel source interface is down on R2.
C. No specific route interface is down on R2.
D. R2 does not know how to reach the tunnel destination.
E. The tunnel keep alive timer doesn’t match on R1 and R2.

Answer: B D

Question 8

How to check debugging fragmentation?

A. debug tcp
B. debug ip icmp
C. debug ip packet detail
D. debug ip policy

Answer: B

Question 9

Refer to exhibit.

(exhibit missing)

Which IP address should be configured as the tunnel source on the HQ router for maximum
resiliency?

A. Loopback IP address of HQ
B. Serial IP address of HQ
C. Fastethernet IP address of HQ
D. ?

Answer: A

Question 10

WFQ not supported on control plane.

A. Router capabilities
B. bandwidth command not supported
C. cannot be input (pick this one as fragmentation only occurs outbound, but I’m not completely
sure)
D. missing license

Answer: B

Question 11

A client reports all password in plan text after running ‘show archive log config all’. How can you
prevent/encrypt all messages?
A. password encrypt aes
B. hidekeys
C. service-password encryption
D. aaa authentication arap

Answer: B

Explanation

The command “hidekeys” (Device(config-archive-log-config)# hidekeys) suppresses the display of

password information in configuration log files.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/xe-
3s/config-mgmt-xe-3s-book/cm-config-logger.html

Question 12

Client X unable telnet the terminal Server – IPv6 ACL

Client X – adb:2018::xx:1
Client Y – adb:2018::xx:2
Terminal Server – adb::2018:yy:1

something to do with sequence on ACL.

10 permit tcp host adb:2018::xx:2 host adb::2018:yy:1 eq telnet

20 deny tcp any host adb::2018:yy:1 eq telnet
30 ?

A. ?
B. Add sequence 15 & permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq telnet
C. Delete sequence 20 & add sequence 5 permit tcp host adb:2018::xx:1 host adb::2018:yy:1 eq
telnet
D. Add sequence 25 & permit …

Answer: B

Question 13

Which two statements about GRE tunnels are true? (Choose two)

A. GRE tunnels operate in GRE/IPsec mode by default

B. GRE tunnels operate in GRE/IP mode by default
C. GRE encapsulates the original packet
D. The carrier protocol adds the delivery header
E. The IP header encapsulates the GRE header

Answer: B C

Explanation

By default GRE tunnel operates in GRE/IP mode so the command “tunnel mode gre ip” command is
not necessary -> B is correct.

When the sending router decides to send a packet into the GRE Tunnel, it will “wrap” the whole
packet into another IP packet with two headers: one is the GRE header which uses to manage the
tunnel itself. The other is called “Delivery header” which includes the new source and destination IP
addresses of two virtual interfaces of the tunnel (called tunnel interfaces). This process is called
encapsulation -> C is correct.

Answer D seems to be correct but a bit unclear. If answer D said “GRE adds the delivery header”
then it would be correct.
Answer E seems to be correct too but it said “The IP header encapsulates …” which is not totally
correct. It should be “The delivery header (not IP header) encapsulates the GRE header”.

Question 14

When troubleshooting recursive routing issues with GRE tunnels, which three actions resolve the
issue? (Choose three)

A. Add static routes …

B. Remove the network advertisements…
C. If using OSPF to peer across …
D. Change the tunnel source or destination interface
E. Remove the configuration on the tunnel interface and reconfigure
F. Perform shut and no shut commands on the tunnel interface

Answer: A B D

Question 15

Refer to the exhibit.

service password-encryption
!
line console
password a123124
!
line vty 0 4
password asdfasf12
login
transport input telnet

What will happen if client A telnet to this device?

A. Telnet will be successful

B. Telnet will fail
Answer: A

Explanation

With this configuration, we can telnet to this device (as there is a password under VTY lines).

Question 16

Refer to the statement.

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

error message

Which statement indicates a cause for Tunnel0’s connection failure?

A. The tunnel source interface is in an up/down state and the tunnel destination is recursively
routing as a result
B. The tunnel destination interface is flapping, which causes the tunnel to go up and down
C. The tunnel is configured with the wrong encapsulation
D. The tunnel destination is intermittently reachable via multiple routing protocols

Answer: D

Explanation

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

So in this question if there is an option with either of the conditions above please choose it.
Otherwise answer D is the best option.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-
protocol-eigrp/22327-gre-flap.html

Question 17

A network engineer has configured GRE between two IOS routers. The state of the tunnel interface
is continuously oscillating between up and down. What is the solution to this problem?

A. Create a more specific static route to define how to reach the remote router.
B. Create a more specific ARP entry to define how to reach the remote router.
C. Save the configuration and reload the router.
D. Check whether the internet service provider link is stable

Answer: A

==========================================================
=================

Old questions:

Question 1

Which tunnel technology provide multicast, security and simplicity?

A. IPSec
B. GRE over IPSec

Answer: B

Question 2

Which two condition can be used to filter the output of debug crypto condition? (Choose two)

A. encryption algorithm
B. isakmp profile name
C. destination IP address
D. front door vrf name/instance
E. router event filter

Answer: B D

Good reference: https://www.cisco.com/c/en/us/td/docs/ios-

xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-crypto-
debug-sup.html

Question 3

What are components of GRE packet? (Choose two)

A. GRE header
B. Payload packet
C.
D.

Answer: A B

Question 4

What are properties of GRE? (Choose two)

A. Data encapsulation
B. Multicast support

Answer: A B

Question 5

What are two requirements for GRE? (Choose two)

A. Protocol 47 should be allowed

B. Destination of the tunnel should be reachable

Answer: A B

Question 6

You see a running config user logins.

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication login ONLYLOCAL local
aaa authentication ppp default radius local
username xxx password xxx
line vty 0 4
password xxxxx

Which login procedure will ask first?

A. RADIUS
B. TACACS+
C. local

Answer: B

Explanation

If under “line vty 0 4” is not configured with ONLYLOCAL group as follows:

line vty 0 4
login authentication ONLYLOCAL

Then this group would never be used for authentication. Only the default method list is used (which
uses TACACS+ first then enable password if TACACS+ fails to respond). So in this question the
device will authenticate with the default method list.

Question 7a

User was not able to login using telnet.

Router#show management-interface
Management interface FastEthernet0/0
Protocol Packets processed
ssh 0
snmp 0

What is the issue?

A. MPP applied on wrong interface

B. MPP does not allow telnet by default
C. MPP is not configured for telnet
D. ?

Answer: C

Explanation

According to the output above, we can conclude that MPP is enabled on Fa0/0 interface and only
accepts SSH and SNMP management protocols. In particular, MPP was configured with the
following command:

Router(config)# control-plane host

Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp
Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_pla
ne_prot.html

As a result of this, other management traffic would be blocked, including Telnet traffic.

Question 7b

R1 is configured with MPP, f0/0 is configured to connect from console. client is able to login on port
22 is but not on 23

R1# show management-interface

Management interface FastEthernet0/0
SSH 42
FTP 147
HTTPs 68

A. MPP configured with only SSH

B. MPP does not allow SSH and telnet at the same time
C. MPP configured with SSH however telnet is not configured
D. ?

Answer: C

Question 8

Which command will encrypt the enable password? (Choose two)

A. enable secret
B. service password-encryption

Answer: A (although in real life it should be B but in the exam they want answer A)

Question 9

Which statements about extended ping are true? (Choose two)

A. You can use data gram size option to set size of ping in bytes
B. You can use minimum and maximum TTL
C. You can select UDP destination port
D. You can use data pattern to troubleshoot framing error on serial lines
E. You can use ToS bit to control fragmentation of data gram

Answer: A D

Good reference:

https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-
trace.html

Question 10

Question about creating or generating a new crypto key.

Answer: crypto key generate rsa

Question 11
How do you check the crypto public key?

A. show crypto session

B. show crypto map
C. show crypto key mypubkey rsa
D. ?

Answer: C

Old questions:

Question 1

Which alerts will be seen on the console by issuing logging console critical? (Choose three)

A. Emergency
B. Alert
C. Critical
D. Notification
E. Informational

Answer: A B C

Explanation

Syslog levels are listed below

Level Keyword Description

0 emergencies System is unusable

1 alerts Immediate action is needed

2 critical Critical conditions exist

3 errors Error conditions exist

4 warnings Warning conditions exist

5 notification Normal, but significant, conditions exist

6 informational Informational messages

7 debugging Debugging messages

The highest level is level 0 (emergencies). The lowest level is level 7. By default, the router will
send informational messages (level 6). That means it will send all the syslog messages from level 0
to 6.

Question 2
Question about telnet, what should be done to make router to listen only on port 3033 rather then
on 23

A. add rotary 33
B. remove authentication login TTC
C. remove authorization exec TTC
D. remove transport input telnet
E. using access-lists

Answer: A

Explanation

Adjust the expected ssh listening port and assign that to a rotary group:
Router(config)#ip ssh port 3333 rotary 1

Apply the rotary group to your vty interface

Router(config)#line vty 0 4
Router(config-line)#rotary 1

Your router will now listen for ssh on port 3333 on these 5 vty ports.

Question 3

Which two site-to-site technologies allows dynamic routing, private addressing and multicasting?
(Choose two)

A. GRE
B. DMVPN
C. MPLS VPN
D. IPSec

Answer: A B

Question 4

User is supposed to access between 6:00 PM to 6:00 AM.

ip access-list SWITCH_ACCESS time-range NOC_ACCESS

permit x.x.x.x
!
line vty 0 4
access-class SWITCH_ACCESS
!
time-range NOC_ACCESS
periodic daily 06:00 to 18:00
periodic daily 18:00 to 23:59
!
username NOC_ACCESS password xxxx

A.
time-range NOC_ACCESS
periodic daily 18:00 to 06:00
B.
time-range NOC_ACCESS
periodic daily 18:00 to 23:59
periodic daily 00:00 to 06:00

C.
time-range NOC_ACCESS
periodic daily 06:01 to 23:59

D.
time-range SWITCH_ACCESS
periodic daily 06:01 to 23:59

Answer: B

Question 5a

“show version” command output. – SSH not working. What is the issue?

Check the configuration register, it is 0x2142.

A. IOS upgrade
B. ROM memory upgrade
C. incorrect Configuration register 0x2102
D. ?

Answer: C

Note: In this question you will be shown with the “show version” output on a router. Please check
carefully if:
+ The “Configuration register” is set to 0x2142 or not. With this value the device will bypass the
startup configuration stored in NVRAM during its boot sequence
+ The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we
need to upgrade IOS so that SSH can work. According to recent reports this is the correct answer.

Question 5b

A question with “show version” output. The register was 0x2102

A. IOS update
B. less memory
C. configuration register is wrong
D. need new boot ROM

Answer: A

Explanation

The IOS image is missing “k9” which is the security feature or not. If it is missing “k9” then we
need to upgrade IOS so that SSH can work. According to recent reports this is the correct answer.

Question 6

Must use route protocol for using TLV and fast-reroute (Choose two)
A. ISIS
B. OSPF
C. EIGRP
D. RIP
E. RIPv2

Answer: A B

Explanation

Prerequisites for Loop-Free Alternate Fast Reroute

Any of the following protocols must be supported for Loop-Free Alternate Fast Reroute:
– Intermediate System-to-Intermediate System (IS-IS)
– Open Shortest Path First (OSPF)
While configuring ISIS protocol, isis network point-to-point must be configured.

Question 7

Which system architect allow GRE and IPSec perform routing separately?

A. Server-client
B. peer-to-peer
C. Headend
D. Backend

Answer: C

Explanation

Headend System Architectures

The following two headend system architectures are described in this design guide:
+ Single Tier Headend Architecture – Incorporates both the p2p GRE and crypto functions onto a
single routing processor.
+ Dual Tier Headend Architecture – Splits the p2p GRE and crypto functions onto two different
routing processors.

Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_
IPSec/P2P_GRE/2_p2pGRE_Phase2.html

Question 8

Which technology support dynamic routing and non-ip protocals?

A. Easy VPN
B. GET VPN
C. DMVPN
D. GRE

Answer: D

Question 9

A question about extended traceroute (Choose two)

A. TTL can be modified

B. Can use strict IP header options
C. IP header options verbose allow you to specify the hops you want the packet to go through
D. ?
E. ?

Answer: A B

Which two statements about traceroute are true? (Choose two)

A. It supports a variety of IP header options, including verbose

B. The DF bit is set by default
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3
E. Extended traceroute operation can use a modified data pattern

Answer: A D

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13730-ext-ping-trace.html

+ Probe count: limits the number of traceroute

+ Port Number: troubleshoot TCP and UDP port
+ Source address: troubleshoot connections generated from specific interface
+ Max TTL: limits the number of hops a packet travel
+ Type of Service: troubleshoot QoS issues

Should read: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-

rip/13730-ext-ping-trace.html

A question about extended traceroute (Choose two)

A. verbose mode
B. strict mode
C. changing TTL
D. changing IP Header option
E. ?

Answer: C D

Question 10a

Which options are correct about enable secret and enable password? (Choose two)

A. Enable secret and enable password can not be configured same time
B. Enable password is difficult to decipher
C. Enable secret is difficult to decipher
D. Enable password is more preferable than enable secret
E. Enable secret is more preferable than enable password

Answer: C E
Question 10b

Which options are correct about enable secret and enable password? (Choose two)

A. Enable secret and enable password can not be configured same time
B. Enable password is easy to decipher
C. Enable secret is easy to decipher
D. Enable password has higher preference than enable secret
E. Enable secret has higher preference than enable password

Answer: B E

Question 11

Which tunnel supports routing and multicasting?

A. DMVPN
B. GRE
C. IPSec
D. ?

Answer: B

==========================================================
=======

Old questions:

Question 1

Drag and drop the sequence for configuring SSH in correct order.

A. ip ssh ver 2
B. ip domain-name cisco.com
C. crypto-key generate rsa
D. line vty 0 4
E. Transport input ssh
Transport input telnet

Answer: B -> C -> A -> D -> E

Question 2

Drag and drop about uRPF strict and loose mode

Option 1. Must have the source IP in routing table (IPv4 Source IP address must be the part of the
routing table)
Option 2. Must have the same path back
Option 3. Supports asymmetric routing feature
Option 4. Can be used to configure on the inside interface of the Internet router
Option 5. Can be used to configure on the outside interface of the Internet router
Option 6. Supports symmetric routing feature

Answer:
Strict mode:
+ Must have the same path back
+ Can be used to configure on the inside interface of the Internet router
+ Supports symmetric routing feature

Loose mode:
+ Must have the source IP in routing table (IPv4 Source IP address must be the part of the routing
table)
+ Can be used to configure on the outside interface of the Internet router

Question 3

Which protocol does mGRE use to send packets?

A. DMVPN
B. NHRP
C. OSPF
D. IPSec

Answer: B

Question 4

Which protocols are supported with MPP? (choose three)

A. HTTP only
B. HTTP and HTTPS
C. SSH
D. FTP
E. SFTP
F. TFTP

Answer: B C F

Explanation

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to
restrict the interfaces on which network management packets are allowed to enter a device. The
MPP feature allows a network operator to designate one or more router interfaces as management
interfaces. Device management traffic is permitted to enter a device only through these
management interfaces. After MPP is enabled, no interfaces except designated management
interfaces will accept network management traffic destined to the device.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_pla
ne_prot.html#wp1047623

Following are the management protocols that the management plane protection (MPP) feature
supports. These management protocols are also the only protocols affected when MPP is enabled.

+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
+ HTTP
+ HTTPS
Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-
1/security/configuration/guide/syssec_cg41crs_chapter7.html#con_1013398

Question 5

Which topologies are allowed with p2p GRE over IPsec? (Choose two)

A. Hub and Spoke

B. Partial mesh
C. Point to multipoint
D. Bus
E. Star

Answer: A B

Question 6

Which keywords can be used with debug condition to filter output? (Choose two)

A. Username
B. Interface ID
C. Port number
D. Protocol
Ε. Packet Size

Answer: A B

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug
/dbfcndtr.html

Question 7

Output of sh access-list, what can you do to correct SSH?

Extended IP access-list 100

Deny tcp any any eq 22
Permit ip any any
Extended IP access-list 150
Permit tcp any any eq 23
Deny tcp any any eq 22
Permit ip any any
Extended IP access-list 175
Permit tcp any any eq 22
Permit tcp any any eq 23
Line vty 0 4
Access-class 100 in
Transport input ssh

A. Change access-class 100 in with access-class 150 in

B. Change transport input ssh with transport input telnet
C. Change access-class 100 in with access-class 100 out
D. Change access-class 100 in with access-class 175 in

Answer: D
Question 8

How will you troubleshoot OSPF adjacency issue?

A. Using ‘debug ospf adj’ command on a router

B. Process ID on the routers should match
C. Router IDs should match
D. Using ‘debug ospf nsf’ command
E. Hello timers mismatch (or Subnets should match)

Answer: A E (in fact the correct answer on answer A should be “debug ip ospf adj”)

Question 9

Which IPSec mode with least overhead?

A. dynamic
B. transport
C. transparent
D. tunnel

Answer: B

Explanation

IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode
encrypts only the data portion (payload) of each packet and leaves the packet header untouched.

Tunnel mode is more secure than Transport mode because it encrypts both the payload and the
header.

Reference: https://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-
0/ip_security/provisioning/guide/IPsecPG1.html

GRE IPsec tunnel mode consists of the following overhead:

ESP Overhead: 52 Bytes

GRE Overhead: 20 (GRE IP Hdr) + 4 (GRE) = 24 Bytes
Total Overhead: 52 + 24 = 76 Bytes

GRE IPsec transport mode consists of the following overhead:

ESP Overhead: 52 Bytes

GRE Overhead: 4 (GRE) = 4 Bytes
Total Overhead: 52 + 4 = 56 Bytes

Question 10

A question showing EIGRP logs, something like this:

*Aug 1 13:09:38.896: EIGRP: received packet with MD5 authentication, key id = 1234
*Aug 1 13:09:38.896: EIGRP: Received HELLO on Gi0/0 – paklen 70 nbr 192.168.1.2
*Aug 1 13:09:38.897: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0
*Aug 1 13:09:38.898: EIGRP: Add Peer: Total 1 (3/0/0/0/0)
*Aug 1 13:09:38.898: K-value mismatch
*Aug 1 13:09:38.899: EIGRP: Sending TIDLIST on GigabitEthernet0/0 – 1 items0
*Aug 1 13:09:38.902: EIGRP: Sending HELLO on Gi0/0 – paklen 70
*Aug 1 13:09:38.903: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
*Aug 1 13:09:38.904: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.1.2
(GigabitEthernet0/0) is down: K-value mismatch
R1#
*Aug 1 13:09:38.905: EIGRP: Lost Peer: Total 1 (2/0/0/0/0)
*Aug 1 13:09:39.894: EIGRP: Gi0/1: ignored packet from 192.168.2.3, opcode = 5 (missing
authentication)
R1#
*Aug 1 13:09:40.204: EIGRP: Sending HELLO on Gi0/1 – paklen 60
*Aug 1 13:09:40.204: AS 10, Flags 0x0:(NULL), Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0

A. Hello Timers mismatches

B. Hold Timers mismatches
C. AS mismatches
D. Metric calculation mismatches
E. Authentication mismatches

Answer: D E

==========================================================
=======

Old questions:

Question 1

Which two can use to protect and secure management plane from unwanted & unauthorized
access? (Choose two)

A. Limit physical access to network devices

B. Use RADIUS instead of TACACS+ for AAA
C. Create an ACL to permit Telnet access only
D. Enable authentication for the routing protection
E. Use MPP to limit the interfaces on which management traffic can traverse the device

Answer: A E

Explanation

Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_pla
ne_prot.html#wp1047623

Question 2

One router and a computer (exhibit) 192.168.10.0/24

You receive timed out when you start to SSH the router. Which layer is the first that you are going
to look into this matter?
A. Physical
B. Datalink
C. Network

Answer: C

Question 3

When your network experiences Cisco Discovery Protocol and LLDP issues, with which layer of the
OSI model must you begin troubleshooting ?

A. Physical layer
B. Datalink layer
C. Network layer
D. Transport layer

Answer: B

Question 4

About pass encryption in CISCO IOS software, which statement is true?

A. encrypted user type 7 password indicate hashed with MD5

B. encrypted user type 7 password indicate hashed with weak reversible
C. you can choose to encrypt enable secret pass with weak reversible or MD5
D. enable secret is more secure than enable pass, because secret store in configuration file type 7

Answer: B

Explanation

Type 7 means the password will be encrypted when router store it in Run/Start Files using Vigenere
cipher which any website with type7 reversal can crack it in less than one second.

Question 5

GRE with IPsec tunnel are true (choose two)

A. The header overhead is reduced

B. using crypto map is the only way to encrypt a GRE Tunnel
C. crypto map required an ACL allow protocol 47
D. support hub-and-spoke topologies only
E. Tunnel is first encapsulated, then just encrypted

Answer: C E

Question 6

Question refering to an exhibit – something with PIM, tunnel flapping and neighboring get rejected,
regardless Tunnel 1018 went down.

A. Tunnel interface is misconfigured

B. PIM neighbor is misconfigured
C. route neighbor 10.111.254.213 was removed
D. Route flapping and instability is occuring within the network
E. tunnel destination using tunnel itself

Answer: D E

Explanation

The tunnel destination must be the physical destination address of the other end of the tunnel. For
example in this topology:

GRE Tunnel must be configured as follows:

Then configure GRE Tunnel

R1 R2
interface tunnel0 interface tunnel0
ip address 12.12.12.1 255.255.255.252 ip address 12.12.12.2 255.255.255.252
tunnel mode gre ip //this command can be tunnel mode gre ip //this command can be
ignored ignored
tunnel source 192.168.13.1 tunnel source 192.168.23.2
tunnel destination 192.168.23.2 tunnel destination 192.168.13.1

For R1, the tunnel destination must point to 192.168.23.2 (the physical IP address of other end of
the tunnel, not 12.12.12.2 – the other destination of the tunnel itself)

Question 7

How do you make sure AAA will still allow you to login if TACACS fails? (Choose two)

(or Which command enables authenticated login if a TACACS+ failure occurs?)

A. aaa authentication login test group local tacacs+

B. aaa authentication login test group tacacs+ local
C. aaa authentication login test group radius local
D. aaa authentication ppp dialins group tacacs+ local

Answer: B

Question 8

If you want to use GRE with IPSec which compatible with NAT traversal?

A. Enable MD5 mode

B. Enable SHA mode
C. Implement IPSec Tunnel mode
D. Implement IPSec Tunnel transport

Answer: C

Explanation

This is not officially written by Cisco but it is the best we can find:

What is the difference between tunnel mode and transport mode?

The differences are as follow; Tunnel mode is widely implemented in site-to-site VPN scenarios.
While transport mode is implemented for client-to-site VPN scenarios. Also, NAT traversal is
supported with the tunnel mode while NAT traversal is not supported with the transport mode.

Reference: https://www.coursehero.com/file/p7qcduh/No-GRE-provides-a-stateless-private-
connection-15-What-is-the-GRE-header-for-It/

Question 9

Troubleshoot uRPF loose mode at client gateway router for networks that are not in the routing
table. (Choose two)

A. Dynamic routing is configured on the router

B. CEF is enabled on the router
C. allow-default is configured for loose mode
D. CFE is disabled on the router
E. Static Routing is configured on the router

Answer: B C

Question 10

Which two statements about traceroute are true? (Choose two)

A. It supports a variety of IP header options, including verbose

B. The DF bit is set by default
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3
E. Extended traceroute operation can use a modified data pattern

Answer: A D

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13730-ext-ping-trace.html

==========================================================
===============

Old questions:

Question 1
The WAN link is 1500 MTU. How to configure GRE Tunnel so that the packets do not get
fragmented? (Choose three)

A. ip tcp path-mtu-discovery
B. ip mtu 1400
C. ip tcp adjust-mss 1360
D. tunnel mode gre ip
E. tunnel mode gre multipoint

Answer: B C and ?

Explanation

Since GRE is an encapsulating protocol, we adjust the maximum transfer unit (mtu) to 1400 bytes
and maximum segment size (mss) to 1360 bytes. Because most transport MTUs are 1500 bytes
and we have an added overhead because of GRE, we must reduce the MTU to account for the extra
overhead. A setting of 1400 is a common practice and will ensure unnecessary packet
fragmentation is kept to a minimum.

Question 2

Which two ACLs use with IPv6 traffic filters?

A. tagged
B. standard
C. named
D. numbered
E. dynamic

Answer: A C

Explanation

Named and tagged ACLs are both supported in IPv6.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/xe-3s/ipv6-xe-
36s-book/ip6-sec-trfltr-fw.html

Question 3

Which two statements about time based ACL are true? (Choose two)

A. It can use the router’s clock as the time source

B. Only extended ACL can use time ranges
C. It must be defined with an inspect name value
D. It require NTP to be configured
E. Both standard & extended ACLs can use time ranges

Answer: A B

Question 4

GRE tunnel IPv6 over IPv4 (choose two).

Answer: SRC must be IPv4, IPv6 over IPv4

Question 5

Which two statements about uRPF are true? (Choose two)

A. Support with extended ACL and time based ACL

B. Applied to input interface only
C. Require Cisco Express Forwarding to populate FIB
D. It is output function
E. It can mitigate asymmetric routing

Answer: B C

Question 6

GRE tunnel is up but the server or host cannot pass through traffic what are the two things need to
be fixed? (Choose two)

Answer:

Move R1 to global routing

Put R3 on VRF Red

Question 7

Which two protocols does the management plane protection feature support? (Choose two)

A. HTTPS
B. ARP
C. DNS
D. TFTP
E. DHCP

Answer: A D

Explanation

Following are the management protocols that the management plane protection (MPP) feature
supports. These management protocols are also the only protocols affected when MPP is enabled.

+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
+ HTTP
+ HTTPS

Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-
1/security/configuration/guide/syssec_cg41crs_chapter7.html#con_1013398

Question 8

Which method should we use to troubleshooting DHCP issues?

A. divide and conquer

B. top-down
C. bottom-up
D. follow-the-path
Answer: C

Explanation

Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2

Question 9

A router knows one destination using EIGRP and two OSPF networks, which will be the best way to
determine the path? (choose two)

A. show ip eigrp topology

B. show ip ospf database
C. traceroute
D. ping
E. show ip route

Answer: C E

Question 10

Which two statements about ping & traceroute are true? (Choose two)

A. ping only use ICMP

B. only ping have TTL
C. to determine if a host is reachable, using traceroute is better than ping
D. traceroute use UDP datagram and ICMP
E. ping use TCP and ICMP

Answer: A D

Reference: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-
121-mainline/12778-ping-traceroute.html

Old MCQs:

Question 1

What is common protocol for ping and traceroute?

A. ICMP
B. PIM
C. IGMP
D. IP

Answer: A

Question 2

Which two options about GRE keepalives are true? (Choose two)
A. enabled by default
B. supports on point-to-point GRE tunnel interface
C. supports on point-to-multipoint mGRE
D. support broadcast
E. supported in VRFs only if fVRF and iVRF match
F. support broadcast multicast

Answer: B E

Explanation

GRE tunnel keepalives are only supported on point-to-point GRE tunnels. Tunnel keepalives are
configurable on multipoint GRE (mGRE) tunnels but have no effect.

GRE keepalives are not supported together with IPsec tunnel protection under any circumstances.

In general, tunnel keepalives will not work when VRFs are used on the tunnel interface and the
fVRF (‘tunnel vrf …’) and iVRF (‘ip vrf forwarding …’ on tunnel interface) do not match.

Good reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-

gre/118370-technote-gre-00.html

Question 3

When the user is changing configuration of router, which plane is affected?

A. Data
B. Management
C. Control
D. Forwarding

Answer: B

Question 4

A user is able to log into the switch but cannot go to the global config mode. What needs to be
done?

A. change authorization level

B. change accounting
C. change authentication
D. create username and password

Answer: A

Question 5

Which trouble shooting method is used when we troubleshoot a spanning tree issue for any VLAN?

A. divide and conquer

B. top-down
C. bottom-up
D. follow-the-path

Answer: D
Question 6

D&D Question on Extended Ping

Answer:

Tos – …quality of service

Df-bit – prevent packets from being segmented or broken up
Data pattern – detect framing errors
Hop count – verify routing metrics
Reply – verify reachability

data pattern — troubleshoot framing errors

df-bit — enable do not fragment bit in IP header
source — specify source address or name
tos — specify type of service value
validate — validate reply data

Good reference:

https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-
trace.html

Question 7

Which two statements about IPv6 traffic filtering are true? (Choose two)

A. needs to be enable at the interface level

B. needs to enabled with egress ACL only
C. needs to be enabled with ingress ACL only
D. It performs virtual fragmentation reassembly after checking ingress ACL
E. It performs virtual fragmentation reassembly after checking egress ACLs

Answer: A D

Question 8

There was also a question about GRE tunnel with the options of it support multicast, broadcast
traffic or only broadcast and some other options that we needed to choose 2 correct ones.

A. GRE supports broadcast and multicast

B. GRE tunnels broadcast traffic
C. GRE is a non-tunneling VPN technology
D. Option about IPSec

Answer: A B

Question 9

Question about authentication, TACAS/local, based on piece of configuration

AAA and what will be the result with this configuration: it either checks the local database first or it
only authenticate 2 listed users –

A. It will check TACAS authentication but skip for the two users created locally
B. aaa-new model not used and hence policy will not be applied.
C. aaa- not used hence policy will not be applied
D. Part of the script is reject
and 1 more options

Answer:

1. aaa-new-model command is not there in the script ; hence the script will not work
2. Part of the script is reject (as 2 local username and password are there)

Question 10

Drag and drop question related to Tunnel GRE. What are the require configuration and what are
optional?

Answer:

Require:
+ Tunnel destination IP
+ Tunnel Original IP
+ Tunnel IP

Optional:
+ TCP MSS
+ Tunnel key
+ Tunnel mode

==========================================================
===================

Old questions

Question 1

In which troubleshooting approach, you start troubleshooting from middle of OSI layer stack and
then either go up or down layer for further troubleshooting?

A. Bottom-up
B. Top-down
C. Divide-and-conquer
D. Follow-the-path

Answer: C

Question 2

Which two things should you check while troubleshooting uRPF? (Choose two)

A. uRPF enabled on interface

B. uRPF enabled global
C. CEF disabled
D. CEF enabled global
E. Strict or loose mode configured global

Answer: A D

Question 3a

Which access-list allows SSH access from network 10.10.15.0/24?

A. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 21
B. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 23
C. Access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 22
D. Access-list 142 permit tcp 10.10.15.0 0.0.0.0 any eq 22

Answer: C

Question 3b

Securing control plane on R1 connected via SSH to the network 10.10.0.0/16. You should choose
right answers and place in right configuring order. Not all options will be used.

Answer:

Sequence 1:
access-list X permit tcp 10.10.0.0/16 eq 22 any estab
access-list X permit tcp 10.10.0.0/16 any eq 22

Sequence 2:
class-map match-all SSH
match access-group X

Sequence 3:
Policy Y
Class SSH

Sequence 4:
Control plane
service-policy input Y

Question 4

What could be reason for GRE Tunnel interface in up/down state? (Choose two)

A. GRE tunnel mode is set to transport mode

B. Tunnel source is in down state
C. Route to tunnel destination points to tunnel interface itself
Answer: B C

Question 5

Which are valid AAA authentications methods? (Choose two)

A. Line
B. Krb6
C. LDAP
D. Local
E. Blowfish

Answer: A D

Question 6

Refer to the exhibit.

Which commands required to setup GRE tunnel between R2 & R3? (Choose two)

A.
R2:
interface tunnel 1
ip address 10.1.1.1 255.255.255.252
tunnel source 192.168.1.1
tunnel destination 192.168.2.3

B.
R3:
interface tunnel 1
ip address 10.1.1.2 255.255.255.252
tunnel source g0/0
tunnel destination 192.168.1.1

Answer: A B

Question 7

While troubleshooting you noticed *** as output of traceroute command. What is the reason for
that?

Answer: Probe is timed out.

Question 8

Drag drop question about MPP.

Answer:

Constructing the CoPP Policy

For CoPP policy construction, several steps are required to create the MQC classification and
policing functions. These include: access-list construction, class-map construction, and finally,
policy-map construction.

https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html

Question 9

Drag Drop question about four valid debug commands on switch (Choose four)

A. debug hsrp
B. debug glbp errors
C. debug ip igmp snooping
D. debug ip interface route-cache
E. debug spanning-tree mstp init

Answer: B C D E

Question 10

Drag and drop question. Choose and place in the right order headers when monitoring GRE packet

A. Destination tunnel IP header

B. Source tunnel IP header
C. GRE header
D. Original destination IP header
E. Original source IP header
F. Data

Answer: B -> C -> E -> F

==========================================================
===

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

GRE Tunnel Drag and Drop. Which fields are optional and mandatory in a GRE header?

Answer:
Mandatory: Reserved0, Version, Protocol Type
Optional: Checksum, Key, Sequence Number

Question 2

GRE tunnel Header. Which one is standard,which one is extended?

Answer:

Standard Header: Checksum, Reserved0, Version, Protocol Type

Extended Header: Sequence Number, Key

Question 3

What IP header option fields can you modify in an extended ping? (Choose three)
A. Value
B. Strict
C. Record
D. Timestamp
E. Timeout

Answer: B C D

Explanation

All of these can be modified: protocol, IP destination address, repeat count, Datagram size,
Timeout, source address/interface, type of service, DF bit, Validate reply data, Data
pattern, Loose, Strict, Record, Timestamp, Verbose, Sweep range of sizes.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13730-ext-ping-trace.html

Question 4

Select valid type of tunnels mode (Choose four)

A. GRE
B. 6to4
C. ISATAP
D. NHRP
E. IPv6IP
F. mGRE

Answer: A B C E

Question 5

Associate debug and show commands with what they do (7 options)

Answer:

debug ip mpacket <-> multicast packet

debug standby errors<-> HSRP issues
debug ip packet <-> All IPv4 information
debug ipv6 packet <-> All IPv6 information
debug vlan <-> 802.1q troubleshoot
debug ip cef <-> hardware forwarding

Question 6

Extended Traceroute Drag Drop. What extended tracroute troubleshooting functions?

+ Probe count <-> limits the number of traceroute
+ Port Number <-> troubleshoot TCP and UDP port
+ Source address <-> troubleshoot connections generated from specific interface
+ Max TTL <-> limits the number of hops a packet travel
+ Type of Service <-> troubleshoot QoS issues

Comments (43) Comments

Comment pages
« Previous 1 … 92 93 94

1. Nick
December 18th, 2019

Do we have to check all the MCQs (about 190) or will it be from the latest MCQs (13th-Nov-2019)?
Anyone who recently took the test, please confirm?
2. Laila
December 18th, 2019

Hey guys, can anyone please tell me where are the mcq list of questions. I can’t find those.

Kind regards
3. Anonymous
December 18th, 2019

13 November questions are still valid. passed with 923/1000 score.

4. Miaari
December 18th, 2019

Where is this dump 13 NOV

5. Chris
December 18th, 2019

@ Laila and Miaari: the MCQs are only visible, if you buy a premium membership.

Have my exam tomorrow. Will keep you updated.

6. James
December 19th, 2019

Failed with 783/1000 this week

I missed MCQs that were in premium that I didn’t realise
Also, really need to know the labs, they all have the same sets of answers for each scenario so just
knowing the answers wont help you unless you can identify the problem without a doubt (and
quickly)

@Chris, how did you go today with yours? I am re-sitting next week after going through premium
7. YellowBanana
December 19th, 2019

12/18/2019 just passed the tshoot today with 1000 point 100%, got both bgp & hsrp simplet. I
have a little trouble with 1 ticket regarding IP NAT INSIDE/Outside to ISP because I was able to
ping all the way and there’s nothing wrong with layer 2 or client DHCP so I couldn’t figure where is
the issue. on DSW1, a tracer 209.65.200.241 s 10.2.1.1 stops at R1. I just see the running config
on R1 to check

Most MCQ is here, some tunnel interface ip have changed but u should understand it at this CCNP
level
BGP simplet also have a different IP on EBGP wrong ip address, so read the Show Run
8. Laila
December 19th, 2019

@Chris
pls update us with your exam
9. Anonymous
December 19th, 2019

I have an tshoot exam and i tried to register with tut to review the questions but i face some issue
while iam login my exam will be in 22/12 and i am want to review all multiple questions D&D
Please any one can help me ..
10. Curious
December 19th, 2019

@YellowBanana thanks for the update

11. Chris (Premium User)
December 19th, 2019

Hello Guys,
passed with 884 of 1000 today. 24 questions
Had both Simlets, HSRP and BGP.
Tickets: 1, 4, 6, 9, 11a, 12, 13, 14, 17.
MCQs (you can see them, if you are premium member): all questions from 13th Nov, except Q7,
but instead 3 new questions with drag and drop router config and VPN Tunnel content and other
stuff.
At the end had 25 minutes left.

Best regards
Chris
12. Anonymous
December 19th, 2019

Passed with 923. All MCQs from Nov 13th valid. There was an additional drag and drop MCQ with
GRE/VPN tunnels, source and destination addresses using class C addresses.
13. tut user
December 19th, 2019

@Chris,

can you share the new drag and drop questions? I am scheduled to do the test in 2 days and looks
like they are adding some new questions recently.
14. YellowBanana
December 19th, 2019

I had the bottom up question regarding troubleshooting ip phone

15. Anonymous
December 19th, 2019

Hi Guys, Passed with 980 today. 24 Questions

17 Nov 2019 MCQ still valid 1 new question about GRE config with RIPv2 and static routes.
16. Anonymous
December 20th, 2019

Passed with 1000. MCQs from Nov 13th valid but 1 MCQ did come up newly on the test.

I could not remember clearly but it was related to IPv6 ACL.

Correct answer is E: 60 permit tcp (R3 IP address) (R2 IP address) eq 22

17. eleslon
December 20th, 2019

I passed yesterday. MCQ, Tickets and Simlets are still valid.

And I also had new question about IPv6 – answer 60 permit ….
18. Anonymous
December 20th, 2019

Today, Dump is still valid.

But Cisco will change TSHOOT MCQs soon, study and take exams ASAP!
@@@Contact me to get share (VCE, PDF, PKT) with VCE tool player and all lab sim on Packet
Tracer: saaau_holo(at)yaaahoo.com (replace aaa=a)

@@@D&D
Q1: Follwing the buttom-up TShoot methods, please order from step 1 to step 4 how to solve an
issue with an IP phone:
Step 1. Confirm that enough power is received by using PoE
Step 2. Confirm that the phone is on the correct VLAN
Step 3. Verify the DHCP server configuration and option 150
Step 4. Verify the configuration the file from the TFTP serverver

Q2: Drag and drop questions to correct GRE configuration: (case 1)

R1 (10.1.1.1)=============R(CA)=============R2 (10.1.2.1)

R1(config)# interface Tunnel0

R1(config-if)# tunnel mode gre ip
R1(config-if)# ip address 10.1.3.1 255.255.255.0

R2(config)# interface Tunnel0

R2(config-if)# tunnel mode gre ip
R2(config-if)# ip address 10.1.3.2 255.255.255.0
Answer:
R1:
Configure the tunnel source to be 10.1.1.1
Configure the tunnel destination to be 10.1.2.1
R2:
Configure the tunnel destination to be 10.1.1.1
Configure the tunnel source to be 10.1.2.1

Q3: Drag and drop questions to correct GRE configuration (case 2):
R1 (192.1.1.1)=============R(CA)=============R2 (192.1.2.1)

R1(config)# interface Tunnel0

R1(config-if)# tunnel mode gre ip
R1(config-if)# ip address 10.1.1.1 255.255.255.0

R2(config)# interface Tunnel0

R2(config-if)# tunnel mode gre ip
R2(config-if)# ip address 10.1.1.2 255.255.255.0

Answer:
R1:
Configure the tunnel source to be 192.1.1.1
Configure the tunnel destination to be 192.1.2.1
R2:
Configure the tunnel destination to be 192.1.1.1
Configure the tunnel source to be 192.1.2.1

@@@MCQs
Q1: B. ipv6 traffic-filter INTERNET {in|out}
Q2: A. sh ip interface
D. sh ip traffic
Q3: A. Normal network traffic experiences asymmetric routing
Q4: E. 60 permit tcp host 2002:ABC:2000:2:2::2 host 2000:ABC:20:2:2::2 eq 22
Q5: A. set the exec-timeout 0 0 command on line con 0
Q6: A. EXSTART
Q7: D. DSW-01(config)#interface gig1/2
DSW-01(config-if)#spanning-tree cost 5
Q8: A. There are different VTP domain for S1 and S2
Q9: A. Recursive routing
Q10: A. On R2, change the tunnel source to 10.1.2.1
B.On R1, change the tunnel source to 10.1.1.1
19. Shar
December 21st, 2019

I passed today MCQ, Tickets and Simlets are still valid

20. Anonymous
December 21st, 2019

Guys, is it enough to pass the test if I learn all tickets and MCQs in this page?
21. Shar
December 21st, 2019

Yes brother it is enough to pass I did myself and I got 1000/1000

22. Petrus_li
December 21st, 2019
Hi All,

Yes I agree with Shar. It is enough with MCQ and Test.

I took the exam yesterday 1000/1000

23. Tarzan
December 21st, 2019

@Petrus_li did you buy premium or just prepared through here?

24. Miaari
December 21st, 2019

Guys NOV MCQ or all MCQs in all this page??

25. Help_to_pass_exam
December 21st, 2019

Can someone send me the dump,I’ll be very grateful

faaarmaaanovsaaalmaaan2gmail.com (replace aaa=a,2=@)
26. Shar
December 22nd, 2019

Tarzan, Miaari,and Help_to_pass_exam you guys you don’t need Dump, premium.
you Guys you need only to study Two Sim BGP, HSRP, Tickets and Anonymous December 20th,
2019. that is it.
27. ,,,,,,,
December 22nd, 2019

Guys only NOV MCQ or all MCQ in this page ?? PLZ want ans
28. Shar
December 23rd, 2019

Only NOV MCQ

29. SeaHawker1221
December 23rd, 2019

Passed my CCNP Tshoot with flying colors (961/1000… should’ve been 1000…) 12/21 with help
from this premium resource. The multiple choice questions primarily came from the November
section. Practice practice practice with the lab. So glad I went here for my 3rd attempt. This is all
you need
30. macko
December 23rd, 2019

No need to focus on the old MCQ.

Passed with 923 – possibly an error in a ticket. Exam date Dec 18
31. KasaBlanka
December 23rd, 2019

I Passed the exam today and got 903/1000 and I got 24 Questions:
There is one lab I spent 40 min think about the it and I failed to solve it and its very weird but
what I am sure the problem located between ASW1 & DSW1 it has port security but when I
checked the interface its up so its not port security.

I got the HSRP & BGP Siml.

R1 2 tickets: OSPF Authentication & NAT Outside

R2: the IPV6 OSPF
R3: IPV6 GRE Tunnel Problem
R4: IPV4 Redistribution (a), and Passive Interface
DSW1: VLAN Filter
ASW1: VLAN in Port Channel, Adding vlan 10 to the interfaces

Q2: Drag and drop questions to correct GRE configuration: (case 1)

R1 (10.1.1.1)=============R(CA)=============R2 (10.1.2.1)

R1(config)# interface Tunnel0

R1(config-if)# tunnel mode gre ip
R1(config-if)# ip address 10.1.3.1 255.255.255.0

R2(config)# interface Tunnel0

R2(config-if)# tunnel mode gre ip
R2(config-if)# ip address 10.1.3.2 255.255.255.0

Answer:
R1:
Configure the tunnel source to be 10.1.1.1
Configure the tunnel destination to be 10.1.2.1
R2:
Configure the tunnel destination to be 10.1.1.1
Configure the tunnel source to be 10.1.2.1

Q3: Drag and drop questions to correct GRE configuration (case 2):
R1 (192.1.1.1)=============R(CA)=============R2 (192.1.2.1)

R1(config)# interface Tunnel0

R1(config-if)# tunnel mode gre ip
R1(config-if)# ip address 10.1.1.1 255.255.255.0

R2(config)# interface Tunnel0

R2(config-if)# tunnel mode gre ip
R2(config-if)# ip address 10.1.1.2 255.255.255.0

I have a real picture of the MCQ & D&D if someone need them email me but the answers not
accurate use the same answer here above.

miaaari2020!gmail.com replace (aaa=a, !=@)

Good Luck everyone.

300-410 Cisco Exam Updated Dumps
100% (1)
300-410 Cisco Exam Updated Dumps
101 pages
Ensa Ccnav7 Ensa Final Exam Answers
No ratings yet
Ensa Ccnav7 Ensa Final Exam Answers
35 pages
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
From Everand
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
Redouane MEDDANE
No ratings yet
CCNA (640-802) Exam Questions Cisco
From Everand
CCNA (640-802) Exam Questions Cisco
Eddie Vi
4.5/5 (14)
Brkaci 2641
100% (1)
Brkaci 2641
92 pages
MCQ Question (Latest)
No ratings yet
MCQ Question (Latest)
13 pages
MCQ - Networktut V2
No ratings yet
MCQ - Networktut V2
67 pages
Tshoot 300-315
No ratings yet
Tshoot 300-315
19 pages
Tshoot CCNP
No ratings yet
Tshoot CCNP
19 pages
Tshoot Nov 2019
No ratings yet
Tshoot Nov 2019
16 pages
Tshoot May 2019
No ratings yet
Tshoot May 2019
21 pages
New Multiple Choice Questions CCNP TSHOOT
No ratings yet
New Multiple Choice Questions CCNP TSHOOT
15 pages
TSHOOT Mar 2019 PDF
No ratings yet
TSHOOT Mar 2019 PDF
17 pages
300 101
0% (1)
300 101
484 pages
A Guide For The TSHOOT Exam: 2 Simlet Multiple Choice Questions
No ratings yet
A Guide For The TSHOOT Exam: 2 Simlet Multiple Choice Questions
22 pages
A Guide For The TSHOOT Exam: 2 Simlet Multiple Choice Questions
No ratings yet
A Guide For The TSHOOT Exam: 2 Simlet Multiple Choice Questions
22 pages
300-101 (v5 15 RESP) S PDF
No ratings yet
300-101 (v5 15 RESP) S PDF
3 pages
300-135 IPHelper August 2018 PDF
No ratings yet
300-135 IPHelper August 2018 PDF
99 pages
CCNAquestions Feb 2019 PDF
100% (1)
CCNAquestions Feb 2019 PDF
238 pages
CCNAquestions Apr 2019 PDF
100% (1)
CCNAquestions Apr 2019 PDF
276 pages
New ENARSI Questions 7
No ratings yet
New ENARSI Questions 7
145 pages
230q File PDF
No ratings yet
230q File PDF
135 pages
Worktut 300-135 v2015-07-21 by Emmy 68q
No ratings yet
Worktut 300-135 v2015-07-21 by Emmy 68q
205 pages
Tshoot
No ratings yet
Tshoot
20 pages
Examen 3 - 110p
No ratings yet
Examen 3 - 110p
66 pages
300 101
No ratings yet
300 101
102 pages
300 410 Demo
No ratings yet
300 410 Demo
13 pages
Vendor: Exam Code: Exam Name:: Cisco 300-101 Implementing Cisco IP Routing Demo
No ratings yet
Vendor: Exam Code: Exam Name:: Cisco 300-101 Implementing Cisco IP Routing Demo
18 pages
Cisco Tshoot 2019 July Dumps
No ratings yet
Cisco Tshoot 2019 July Dumps
93 pages
New Questions11
No ratings yet
New Questions11
16 pages
Implementing Cisco Enterprise Advanced Routing and Services (300-410 ENARSI) Updated January 2024
No ratings yet
Implementing Cisco Enterprise Advanced Routing and Services (300-410 ENARSI) Updated January 2024
309 pages
Solution For ACL Question 100% Correct
No ratings yet
Solution For ACL Question 100% Correct
14 pages
Question & Answer: Accurate Study Guides High Passing Rate!
No ratings yet
Question & Answer: Accurate Study Guides High Passing Rate!
5 pages
CCNA
No ratings yet
CCNA
22 pages
ENARSI Sep 2020
No ratings yet
ENARSI Sep 2020
55 pages
Cisco CCNA 200-301 14 Januari 2022
No ratings yet
Cisco CCNA 200-301 14 Januari 2022
77 pages
CCNA - 200-125 - 88q - by - PenPineappleApplePen PDF
No ratings yet
CCNA - 200-125 - 88q - by - PenPineappleApplePen PDF
37 pages
Dumpleader: Ensure Success With Money Back Guarantee
No ratings yet
Dumpleader: Ensure Success With Money Back Guarantee
19 pages
Ccnpnuevo 3
No ratings yet
Ccnpnuevo 3
21 pages
Cisco Actualtests 640-875 v2014-03-31 by ESTHER 103q
No ratings yet
Cisco Actualtests 640-875 v2014-03-31 by ESTHER 103q
44 pages
CCNP 300 410 Enarsi NetworkTUT New Questions 13 Sep 2020
No ratings yet
CCNP 300 410 Enarsi NetworkTUT New Questions 13 Sep 2020
55 pages
300-410 15 Q&As
No ratings yet
300-410 15 Q&As
15 pages
CCNA Exam 6-4
No ratings yet
CCNA Exam 6-4
22 pages
Pass4test: Certification IT Garanti, The Easy Way!
No ratings yet
Pass4test: Certification IT Garanti, The Easy Way!
20 pages
350 401.v2022 03 16.q75
No ratings yet
350 401.v2022 03 16.q75
33 pages
CCNA Model MCQs
No ratings yet
CCNA Model MCQs
1 page
CCNA 200-125 182q
No ratings yet
CCNA 200-125 182q
70 pages
Kuis Jarkom 2 Pert 9-15
No ratings yet
Kuis Jarkom 2 Pert 9-15
11 pages
Infosyte Test13
No ratings yet
Infosyte Test13
31 pages
Killtest: Kijgt3Wcnkv ($Gvvgt5Gtxkeg
No ratings yet
Killtest: Kijgt3Wcnkv ($Gvvgt5Gtxkeg
5 pages
300-101 New Dump Oct 2016 PDF
No ratings yet
300-101 New Dump Oct 2016 PDF
21 pages
Tshoot Dec 2017
No ratings yet
Tshoot Dec 2017
14 pages
Chainess Dump - Mode PDF
No ratings yet
Chainess Dump - Mode PDF
99 pages
Cisco CCENT ICND1
No ratings yet
Cisco CCENT ICND1
243 pages
Cisco PrepKing 642-504 v2012-08-11 by Carlos 146q
No ratings yet
Cisco PrepKing 642-504 v2012-08-11 by Carlos 146q
102 pages
GB0 Huawei
No ratings yet
GB0 Huawei
243 pages
CCNA Exam Excellence: Study Guide & Practice Tests
From Everand
CCNA Exam Excellence: Study Guide & Practice Tests
SUJAN
No ratings yet
Comptia Network+ Primer
From Everand
Comptia Network+ Primer
John Greene
No ratings yet
Network with Practical Labs Configuration: Step by Step configuration of Router and Switch configuration
From Everand
Network with Practical Labs Configuration: Step by Step configuration of Router and Switch configuration
Mulayam Singh
No ratings yet
CISCO PACKET TRACER LABS: Best practice of configuring or troubleshooting Network
From Everand
CISCO PACKET TRACER LABS: Best practice of configuring or troubleshooting Network
Mulayam Singh
No ratings yet
CCNA Exam Focus: Study Guide with Practice Tests
From Everand
CCNA Exam Focus: Study Guide with Practice Tests
SUJAN
No ratings yet
BRKSPG 2557
No ratings yet
BRKSPG 2557
55 pages
LTRRST 2734 LG
No ratings yet
LTRRST 2734 LG
44 pages
Brkaci 2644
No ratings yet
Brkaci 2644
53 pages
Ltraci 2226 PDF
No ratings yet
Ltraci 2226 PDF
43 pages
Chapter 11 PDF
No ratings yet
Chapter 11 PDF
22 pages
Brksec 2011
No ratings yet
Brksec 2011
158 pages
Brkaci 2644
No ratings yet
Brkaci 2644
53 pages
Brkewn 2439
No ratings yet
Brkewn 2439
212 pages
Brksec 2011
No ratings yet
Brksec 2011
158 pages
Par 2984 PDF
No ratings yet
Par 2984 PDF
28 pages
Par 2984 PDF
No ratings yet
Par 2984 PDF
28 pages
Psospg 2188 PDF
No ratings yet
Psospg 2188 PDF
68 pages
1.overview and Traffic Flow
100% (1)
1.overview and Traffic Flow
9 pages
Brkaci 2271 PDF
No ratings yet
Brkaci 2271 PDF
168 pages
FortiGate I 01 Introduction
No ratings yet
FortiGate I 01 Introduction
35 pages
Amsix Member List
No ratings yet
Amsix Member List
372 pages
CBT Nug - Python Programming
No ratings yet
CBT Nug - Python Programming
2 pages
R 4
No ratings yet
R 4
10 pages
Hadoroh 3 Tarikat
No ratings yet
Hadoroh 3 Tarikat
2 pages
Allama Iqbal Open University, Islamabad (Department of English Language & Applied Linguistics) Warning
No ratings yet
Allama Iqbal Open University, Islamabad (Department of English Language & Applied Linguistics) Warning
2 pages
1-Evolution Fundamentals Herbers EncyclopediaAnimalBeh2010
No ratings yet
1-Evolution Fundamentals Herbers EncyclopediaAnimalBeh2010
9 pages
G7 Q1 W2 Activity Sheet
100% (1)
G7 Q1 W2 Activity Sheet
3 pages
c24 Grand Btest-2 Maths (Paper-1)
No ratings yet
c24 Grand Btest-2 Maths (Paper-1)
11 pages
Fertilizer Brochure
No ratings yet
Fertilizer Brochure
8 pages
Ashley Dohr Cover Letter
No ratings yet
Ashley Dohr Cover Letter
2 pages
VFR Chart Icao LR 1 Romania
No ratings yet
VFR Chart Icao LR 1 Romania
1 page
Saiva Siddhanta Church Act, No 22 of 1988
No ratings yet
Saiva Siddhanta Church Act, No 22 of 1988
2 pages
Ghulam Khan
No ratings yet
Ghulam Khan
3 pages
Conclusion
No ratings yet
Conclusion
3 pages
Cheat LEGO BATMAN
No ratings yet
Cheat LEGO BATMAN
5 pages
Book of Hajj From Summarized Fiqh of Shaykh Fawzan
100% (1)
Book of Hajj From Summarized Fiqh of Shaykh Fawzan
67 pages
Counter Affidavit of FR Shay Cullen
No ratings yet
Counter Affidavit of FR Shay Cullen
6 pages
Development of An Approach To The Problem
No ratings yet
Development of An Approach To The Problem
47 pages
Diesel SWD
No ratings yet
Diesel SWD
4 pages
Republic Act 6809
No ratings yet
Republic Act 6809
1 page
Cookery 9-12 - Dmya at
No ratings yet
Cookery 9-12 - Dmya at
9 pages
Spicejet Improves Transparency and Control With Ibm Airline Office and Sap Erp
No ratings yet
Spicejet Improves Transparency and Control With Ibm Airline Office and Sap Erp
4 pages
Pantasya
No ratings yet
Pantasya
33 pages
History of Japanese Culture - Wiki - Wiki
No ratings yet
History of Japanese Culture - Wiki - Wiki
1 page
Biochemistry Exam Review (Exam 3)
No ratings yet
Biochemistry Exam Review (Exam 3)
11 pages
Plain English / Plain Language Version of "Ad Cautelam"
No ratings yet
Plain English / Plain Language Version of "Ad Cautelam"
3 pages
Wireless Body Area Network (WBAN)
No ratings yet
Wireless Body Area Network (WBAN)
21 pages
Fine Dining Lovers
No ratings yet
Fine Dining Lovers
3 pages
Basics of Jyotish Science
No ratings yet
Basics of Jyotish Science
2 pages
1VW BF820W NPN HV
No ratings yet
1VW BF820W NPN HV
7 pages
Classroom Rules For Online Learning
No ratings yet
Classroom Rules For Online Learning
1 page
Exercise and Tests of The Police Power
No ratings yet
Exercise and Tests of The Police Power
17 pages
Jee Result
No ratings yet
Jee Result
1 page

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.