Q1. Which three features are considered part of the IPv6 first-hop security suite? (Choose three.)
A. DNS guard
B. destination guard
C. DHCP guard
D. ICMP guard
E. RA guard
F. DoS guard
Answer: B,C,E
Explanation:
Cisco IOS has (at least) these IPv6 first-hop security features: IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers. DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration. IPv6 Snooping and device tracking builds a IPv6 First-Hop Security Binding Table (nicer name for ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in IPv4 world we’d call this feature DHCP Snooping and Dynamic ARP Inspection). IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s). IPv6 Prefix Guard is denies illegal off-subnet traffic. It uses information gleaned from RA messages and IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes. IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks.
Reference: http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html
Q2. Refer to the exhibit.
You are configuring the S1 switch for the switch port that connects to the client computer. Which configuration blocks users on the port from using more than 6 Mbps of traffic and marks the traffic for a class of service of 1?
A)
B)
C)
D)
A. Exhibit A
B. Exhibit B
C. Exhibit C
D. Exhibit D
Answer: A
Explanation:
Only option A specified that the exceed and violate actions are set to drop for traffic over the CIR of 6 Mbps, and is also configured to set all traffic with a COS of 1 using the “set cos1” command.
Q3. Refer to the exhibit.
R1 and R2 both advertise 10.50.1.0/24 to R3 and R4 as shown. R1 is the primary path. Which path does traffic take from the R4 data center to the file server?
A. All traffic travels from R4 to R2 to the file server.
B. All traffic travels from R4 to R3 to R1 to the file server.
C. Traffic is load-balanced from R4 to R2 and R3. Traffic that is directed to R3 then continues to R1 to the file server. Traffic that is directed to R2 continues to the file server.
D. All traffic travels from R4 to R2 to R1 to the file server.
Answer: A
Q4. Which two statements best describes the difference between active mode monitoring and passive mode monitoring? (Choose two.)
A. Active mode monitoring is the act of Cisco PfR gathering information on user packets assembled into flows by NetFlow.
B. Active mode monitoring uses IP SLA probes for obtaining performance characteristics of the current exit WAN link.
C. Passive mode monitoring uses IP SLA to generate probes for the purpose of obtaining information regarding the characteristics of the WAN links.
D. Passive mode monitoring uses NetFlow for obtaining performance characteristics of the exit WAN links.
Answer: B,D
Q5. What is the cause of ignores and overruns on an interface, when the overall traffic rate of the interface is low?
A. a hardware failure of the interface
B. a software bug
C. a bad cable
D. microbursts of traffic
Answer: D
Explanation:
Micro-bursting is a phenomenon where rapid bursts of data packets are sent in quick succession, leading to periods of full line-rate transmission that can overflow packet buffers of the network stack, both in network endpoints and routers and switches inside the network. Symptoms of micro bursts will manifest in the form of ignores and/ or overruns (also shown as accumulated in “input error” counter within show interface output). This is indicative of receive ring and corresponding packet buffer being overwhelmed due to data bursts coming in over extremely short period of time (microseconds). You will never see a sustained data traffic within show interface’s “input rate” counter as they are averaging bits per second (bps) over 5 minutes by default (way too long to account for microbursts). You can understand microbursts from a scenario where a 3-lane highway merging into a single lane at rush hour – the capacity burst cannot exceed the total available bandwidth (i.e. single lane), but it can saturate it for a period of time.
Reference: http://ccieordie.com/?tag=micro-burst
Q6. Which statement about NAT64 is true?
A. It uses one-to-one mapping between IPv6 addresses and IPv4 addresses.
B. It requires static address mapping between IPv6 addresses and IPv4 addresses.
C. It can be used to translate an IPv6 network to another IPv6 network.
D. It can be configured for stateless and stateful translation.
Answer: D
Q7. Refer to the exhibit.
Which option is the result of this configuration?
A. All SNMP traffic coming into the router is redirected to interface GigabitEthernet1/0.
B. All SNMP traffic generated from the router is redirected to interface GigabitEthernet1/0.
C. All SMTP traffic generated from the router is redirected to interface GigabitEthernet1/0.
D. All POP3 traffic coming into the router is redirected to interface GigabitEthernet1/0.
E. All SMTP traffic coming into the router is redirected to interface GigabitEthernet1/0.
Answer: C
Explanation:
This is an example of policy based routing, where traffic sourced from this router that matches the access list (all traffic with port 25 which is SMTP) will be forced out the Gig 0/1 interface.
Q8. Refer to the exhibit.
Why is network 172.16.1.0/24 not installed in the routing table?
A. There is no ARP entry for 192.168.1.1.
B. The router cannot ping 192.168.1.1.
C. The neighbor 192.168.1.1 just timed out and BGP will flush this prefix the next time that the BGP scanner runs.
D. There is no route for 192.168.1.1 in the routing table.
Answer: D
Explanation:
Here we see that the next hop IP address to reach the 172.16.1.0 network advertised by the BGP peer is 192.168.1.1. However, the 192.168.1.1 IP is not in the routing table of R3 so it adds the route to the BGP table but marks it as inaccessible, as shown.
Q9. Which three events can cause a control plane to become overwhelmed? (Choose three.)
A. a worm attack
B. processing a stream of jumbo packets
C. a microburst
D. a configuration error
E. a reconvergence failure
F. a device-generated FTP session
Answer: A,D,E
Q10. Refer to the exhibit.
Which configuration can you implement on PE-1 to allow CE-1 to receive delegated IPv6 prefixes?
A)
B)
C)
D)
E)
A. Exhibit A
B. Exhibit B
C. Exhibit C
D. Exhibit D
E. Exhibit E
Answer: A