================New Multiple Choice Questions (updated on 13th-Nov-

2019)================

Question 1

Which configuration command is used to add an IPv6 ACL to an interface?

A. ipv6 access-class (in/out)

B. ipv6 traffic-filter (in/out)
C. ip access-class (in/out)
D. ip accesss-group (in/out)

Answer: B

Question 2

Refer to the exhibit.

R1#debug ip ospf adj

OSPF adjacency events debugging is on
* Feb 4 110:34:34.245:OSPF: Caanot see ourself in hello from 192.168.1.10 on Serial0/0/0, state INIT
* Feb 4 110:34:34.248:OSPF: Rcv DBD from 192.168.1.10 on Serial0/0/0 seq 0x17B opt 0x58 flag 0x7
len 32 mtu 1500 state INIT
* Feb 4 110:34:34.248:OSPF: 2 Way Communication to 192.168.1.10 on Serial0/0/0, state 2WAY
* Feb 4 110:34:34.252:OSPF: Rcv DBD from 192.168.1.10 on Serial0/0/0 seq 0x23B0 opt 0x58 flag 0x3
len 112 mtu 1500 state ___________

Which output is expected in the blank line?

A. DOWN
B. EXSTART
C. LOADING
D. EXCHANGE

Answer: B

Explanation

Neighbors Stuck in Exstart/Exchange State

The problem occurs most frequently when attempting to run OSPF between a Cisco router and
another vendor’s router. The problem occurs when the maximum transmission unit (MTU)
settings for neighboring router interfaces don’t match. If the router with the higher MTU sends
a packet larger that the MTU set on the neighboring router, the neighboring router ignores the
packet.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-
ospf/13684-12.html

Question 3

G1/2 is the root port for SW4, please choose the command so G1/1 can be the new root port?

A. spanning-tree cost 1 on interfca g1/1

B. spanning-tree cost 5 on interface gi0/1
C. spanning-tree port priority 0 on g1/1
D. spanning-tree port priority 0 on g1/2

Answer: B

Question 4

Which two commands are used to choose uRPF drops?

A. show ip interface
B. show interface
C. show ip cef
D. show ip traffic
E. show cef traffic

Answer: A D

Explanation

With uRPF properly deployed and configured throughout the network infrastructure,
administrators can use the show cef interface type slot/port internal, show ip interface, show
cef drop, show ip cef switching statistics feature, and show ip traffic commands to identify the
number of packets that uRPF has dropped.

Note: Beginning with Cisco IOS Software Release 12.4(20)T, the command show ip cef
switching has been replaced by show ip cef switching statistics feature.

Reference: https://www.cisco.com/c/en/us/about/security-center/identification-ios-security-
mitigations-effectiveness.html
Question 5

Drag drop question about bottom-up troubleshooting method.

Following the bottom-up thsoot method, please order from step 1 to step 4 how to solve an
issue with an IP phone.

Answer:

1. Check PoE
2. Check VLAN
3. Change DHCP gateway with option 150
4. Check image file from TFTP server

Question 6

Console session is being closed by a network device, how can this be solved?

A. Apply exec-timeout 0 0 in line console 0

B. Modify exec-timeout in line vty 0 15
C. Change banner motd

Answer: A

Explanation

By default, an IOS device will disconnect a console or VTY user after 10 minutes of inactivity.
You can specify a different inactivity timer using the exec-timeout MINUTES SECONDS line
mode command.

For example, to disconnect a console user after 90 seconds of inactivity, we can use the
following command:

R1(config)#line con 0
R1(config-line)#exec-timeout 1 30

To prevent Telnet (or SSH) sessions from timing out, use the value of 0 (exec-timeout 0 0)

Question 7

Which sequence allows the communication from router to another router via ssh.

A. 60 permit tcp host xxxx host yyyy eq 22

B. 50 permit tcp host xxxx host yyyy eq 21
C. ?
D. ?

Answer: A

Question 8

Why do clients frequently lose connection at the remote site? (Exhibit of tunnel gre and
outputs from devices)

A. recursive routing
B. static route
C. ACL
D. RIP summarization

Answer: A

Question 9

When is uRPF desired to be applied using loose-mode for security reasons?

A. Asymmetric
B. PIMv2

Answer: A

Question 10

Two switches asking why DTP isn’t working one switch GigabitEthernet, other FastEthernet?

A. Because of a speed issue


B. Different VTP domains
C. SWA has a FastEthernet port

D. Because of dynamic desirable mode

Answer: B
Question 11

Drag drop question about GRE tunnel

Answer:

(1) GRE Tunnel

R1 Source 10.1.1.1 Dest 10.1.2.1
R2 Source 10.1.2.1 Dest 10.1.1.1

================New Multiple Choice Questions (updated on 27th-Sep-

2019)================

Premium Member: You can test your knowledge with these questions first via this link.

Question 1

Refer to the statement.

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

How to correct it?

A. change the source IP of tu0

B. change the destination IP of tu0
C. add tunnel key
D. add static route to tu0 destination

Answer: D

Explanation

The %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing error

message means that the generic routing encapsulation (GRE) tunnel router has discovered a
recursive routing problem. This condition is usually due to one of these causes:
+ A misconfiguration that causes the router to try to route to the tunnel destination address
using the tunnel interface itself (recursive routing)
+ A temporary instability caused by route flapping elsewhere in the network

So in this question maybe there is something wrong with the tunnel destination so we should
add static route to solve it.
Reference: https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-
routing-protocol-eigrp/22327-gre-flap.html

Question 2

A network contains a remote tunnel interface and firewalls in the network path of each router.
An attempt to ping the IP address of the remote tunnel interface fails. Which connections
should be allowed through the firewalls?

A. port 47
B. port 50
C. TCP port 1723
D. IP protocol 47

Answer: D

Question 3

What is the output of the “show crypto ipsec sa | in indent”? (There is an output of the access-
list with “permit gre any any”)

crypto ipsec transform-set AES256 ah-sha256-nmac

mode tunnel
!
crypto ipsec profile default
set transform-set AES256
!
crypto map GRE 10 ipsec-isakmp
set peer 209.165.201.2
set transform-set AES256
match address GRE
!
interface tunnel1
ip address 172.16.1.2 255.255.255.252
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 209.165.201.2
tunnel protection ipsec profile default
!
interface FastEthernet0/0
ip address 209.165.201.6 255.255.255.252
!
ip access-list extended GRE
permit gre any any

A. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/17/47)
B. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/0/0)

C. local ident(addr/mask/prot/port):(209.165.201.6/255.255.255.255/47/0)
remote ident(addr/mask/prot/port):(209.165.201.2/255.255.255.255/47/0)

D. local ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)
remote ident(addr/mask/prot/port):(0.0.0.0/0.0.0.0/47/0)

Answer: B

Explanation

The line “local ident (addr/mask/prot/port)” means local selector that is used for encryption
and decryption.

The answer of this question is based on the ACL applied. Thanks Shaunthesheep for sharing
this:

VPN Tunnel can be established using IPSec or IPSec+GRE. The configuration requires to define a
Crypto map which refers to an ACL for Interesting traffic or the traffic to be encrypted. Look for
the values in the ACL. e.g.

1) permit gre any any —> Answer will be both local and remote indent address entries as 0 and
47 in the protocol field. Like this :

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/47/0)

remote ident (addr/mask/prqwot/port): (0.0.0.0/0.0.0.0/47/0)

2) Permit ip any any —> Answer will be both local and remote indent address entries as 0 and 0
in the protocol field. Like this :

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prqwot/port): (0.0.0.0/0.0.0.0/0/0)

3) Permit ip 10.1.1.0 0.0.0.255 10.10.10.0 0.0.0.255 —> Answer will be both local and remote
indent address entries as in ACL and 0 in the protocol field. Like this :

local ident (addr/mask/prot/port): (10.1.1.1/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

Update: We cannot explain why all fields are “0” here but our candidates got full mark so
please choose it.
Question 4

What should be the next step after the problem is solved?

A. document it
B. knowledge transfer
C. result analysis
D. create an action plan

Answer: A

Explanation

Cisco has broken this process into eight steps:

1. Define the problem.
2. Gather detailed information.
3. Consider probable cause for the failure.
4. Devise a plan to solve the problem.
5. Implement the plan.
6. Observe the results of the implementation.
7. Repeat the process if the plan does not resolve the problem.
8. Document the changes made to solve the problem.

Although some online document does not mention about step 8 (document the changes) (like
the link http://www.ciscopress.com/articles/article.asp?p=1578504&seqNum=2) but this step
is very important so that repeated issue can be solved quickly in the future.

Question 5

This question have 3 router (R1,R2,R3), (R1_fa0/0====fa0/0_R2_fa0/1====fa0/1_R3) and have

loopback, acl for each a router. Loopback from R1 can’t ping loopback of R3 (192.168.254.1/24).
An ACL is configured on R3 that only permits 192.168.0.0 0.0.0.255. What changes need to
occur so R1 can ping R3 loopback?

A.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.0.255

B.
ip access-list extended 101
no 30
30 permit 192.168.0.0 0.0.255.255
C.
ip access-list extended 101
no 100

Answer: B (Modify access-list , no entry 30 and re-add it changing the netmask to 192.168.0.0
0.0.255.255)

Question 6

A topology with three routers R1, R2 and R3 connected to each other and a list of ACL
statements to choose. The question asks which sequence number prevented connection from
R1 to R2 via SSH.

R1 Lo0: x:x::1
R2 Lo0: y:y::2
R3 Lo0: z:z::3

Answer: 20 deny tcp x:x::/64 host y:y::2 eq 22 (so choose the sequence number 20)

Question 7

Refer to the exhibit.

interface Serial0/1/0
ip address 10.12.13.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0
!
interface serial0/2/0
ip address 10.12.23.3 255.255.255.0
ip verify unicast source reachable-via any
ip ospf 1 area 0

R3#sh ip route
[output omitted]
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C 10.12.13.0/24 is directly connected, Serial0/1/0
L 10.12.13.3/32 is directly connected, Serial0/1/0
C 10.12.23.0/24 is directly connected, Serial0/2/0
L 10.12.23.3/32 is directly connected, Serial0/2/0
S 192.168.0.0/16 is directly connected, Null0
O 192.168.1.0/24 [110/65] via 10.12.13.1, 00:05:51, Serial0/1/0
O 192.168.2.0/24 [110/65] via 10.12.23.2, 00:05:51, Serial0/1/0
O 192.168.17.0/24 [110/65] via 10.12.23.2, 00:03:13, Serial0/1/0
O 192.168.27.0/24 [110/65] via 10.12.13.1, 00:04:14, Serial0/1/0

Which feature is required to enable Unicast reverse path forwarding?

A. access control list

B. Cisco express forwarding
C. virtual routing and forwarding
D. bidirectional forwarding detection

Answer: B

Question 8

Which command is used to check the SSH version?

A. show ip ssh
B. show crypto key mypubkey rsa
C. show ssh sessions

Answer: A

Explanation

R1# show ip ssh

Connection Version Encryption Username HMAC Server Hostkey IP Address
Inbound:
1 SSH-2 3des-cbc Raymond hmac-sha1 ssh-dss 10.120.54.2
Outbound:
6 SSH-2 aes256-cbc Steve hmac-sha1 ssh-dss 10.37.77.15
SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)

Question 9

Refer to the exhibit.

interface Tunnel0
description Tunnel to Main Office
ip address 192.168.1.1 255.255.255.252
tunnel source 209.165.200.225
tunnel destination 209.165.202.129
tunnel path-mtu-discovery

A remote office was recently connected to the main office by using a GRE tunnel. Path MTU
Discovery (PMTUD) is enabled on the tunnel interface. End users at the remote office report
having issues accessing a file sever in the main office. PMTUD is not working, what is the issue?

A. Local router MTU is 1500

B. Local router MTU is 1400
C. Router in the path has “no ip host unreachable” configured
D. Router in path has ICMP Redirects enabled

Answer: C

Question 10

Topology with three switches which are connected to each other via Gi0/0 & Gi0/1. All
interfaces are configured in VLAN 100 and voice VLAN 101. Duplex mismatch between two
switches (one interface in full duplex which the opposite interface in half duplex). Spanning tree
is detecting a loop in the network, what is causing the loop.

A. duplex mismatch
B. speed mismatch
C. vlan missconfiguration

Answer: A

Explanation

Duplex mismatch is a configuration issue where one side of the network is set to one duplex
mode and the other to another duplex mode. Having one bridge on half duplex and the other
on full duplex results in collisions that cause bridging loops

Question 11

Which statement about the INTERNET ACL is true?

ipv6 access-list INTERNET

permit ipv6 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA::/64
permit tcp 2001:DB8:AD59:BA21::/64 2001:DB8:C0AB:BA13::/64 eq telnet
permit tcp 2001:DB8:AD59:BA21::/64 any eq www
permit ipv6 2001:DB8:AD59::/48 any
deny ipv6 any any log
A. NPD is not working correctly because NS and NA messages are being denied
B. A packet with source address of 2001:DB80:AD59:BA21:101:CAB:64:38 destined to port 80
will be permitted
C. HTTPS traffic from the 2001:DB80:AD59:BA21::/64 subnet will automatically be permitted
along with HTTP traffic
D. A packet with source address 2001:DB8:AD59:ACC0:2020:882:DB8:1125 will be denied

Answer: A

Explanation

Answer B and C are not correct as the IPv6 address 2001:DB80:AD59… is different from the IPv6
address 2001:DB8:AD59… (trailing 0 cannot be omitted).

Answer D is not correct as the source address of 2001:DB8:AD59:ACC0:2020:882:DB8:1125

matches the ACL statement “permit ipv6 2001:DB8:AD59::/48 any” so it will be permitted.

Therefore only answer A is the suitable answer left.

For your information, by default an IPv6 ACL has three implicit statements at the end:
+ permit icmp any any nd-na
+ permit icmp any any nd-ns
+ deny ipv6 any any

The first two statements are required for IPv6 neighbor discovery protocol which are very
important so they are always permitted in an IPv6 ACL. But in this case we explicitly used the
“deny ipv6 any any (log)” command so the two above commands must be typed just before the
last statement (“deny ipv6 any any log”) or that traffic will be blocked.

Question 12

Refer to the exhibit.

R1
int Gigabitethernet 0/2
ip address 10.10.20.2 255.255.55.0
!
int Gigabitethernet 0/3
ip address 10.10.30.2 255.255.55.0

R1#show management-interface
Management interface GigabitEthernet0/2
Protocol Packets processed
http 0
https 10
Management interface GigabitEthernet0/3
Protocol Packets processed
http 0
ssh 10
snmp 1110

R2#ssh -l admin 10.10.20.2

%Destination unreachable, gateway or host down

The organization has implemented Management Plane Protection. Headquarters has decided
that FTP needs to be enabled on all management ports.
Which configuration context must be modified to accomplish this configuration?

A. Policy-map
B. Control-plane
C. Access-list
D. Class-map

Answer: B