400-101 Exam - CCIE Routing and Switching (v5.0)

certleader.com

Q1. Which component of the BGP ORF can you use to permit and deny routing updates? 

A. match 

B. action 

C. AFI 

D. SAFI 

E. ORF type 

Answer:

Q2. Which three improvements does Cisco IOS XE Software offer over traditional IOS Software? (Choose three.) 

A. It can run applications as separate processes on multicore CPUs. 

B. It supports drivers for data plane ASICs outside of the operating system. 

C. It allows platform-dependent code to be compiled into a single image. 

D. It supports multiple IOS instances simultaneously, sharing resources and internal infrastructure for scalability. 

E. It allows platform-independent code to be abstracted into a single microkernel for portability across platforms. 

F. It uses a QNX Neutrino-based environment underneath the IOS Software. 

Answer: A,B,C 

Q3. What is the most secure way to store ISAKMP/IPSec preshared keys in Cisco IOS? 

A. Use the service password-encryption command. 

B. Encrypt the ISAKMP preshared key in secure type 5 format. 

C. Encrypt the ISAKMP preshared key in secure type 7 format. 

D. Encrypt the ISAKMP preshared key in secure type 6 format. 

Answer:

Explanation: 

Using the Encrypted Preshared Key feature, you can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. This is currently the most secure way to store keys. 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/asr1000/sec-ike-for-ipsec-vpns-xe-3s-asr1000-book/sec-encrypt-preshare.html 

Q4. DRAG DROP 

Drag and drop the BGP attribute on the left to the correct category on the right. 

Answer:  

Q5. Which three statements about Cisco HDLC are true? (Choose three.) 

A. HDLC serial encapsulation provides asynchronous framing and error detection. 

B. Serial link keepalives are maintained by SLARP. 

C. HDLC serial encapsulation provides synchronous framing without retransmission. 

D. HDLC frame size can be reduced with MPPC compression. 

E. The interface is brought down after five ignored keepalives. 

F. The interface is brought down after three ignored keepalives. 

Answer: B,C,F 

Explanation: 

Cisco High-Level Data Link Controller (HDLC) is the Cisco proprietary protocol for sending data over synchronous serial links using HDLC. Cisco HDLC also provides a simple control protocol called Serial Line Address Resolution Protocol (SLARP) to maintain serial link keepalives. For each encapsulation type, a certain number of keepalives ignored by a peer triggers the serial interface to transition to the down state. For HDLC encapsulation, three ignored keepalives cause the interface to be brought down. By default, synchronous serial lines use the High-Level Data Link Control (HDLC) serial encapsulation method, which provides the synchronous framing and error detection functions of HDLC without windowing or retransmission.

Reference: http://www.cisco.com/c/en/us/td/docs/routers/access/800/819/software/configuration/Guide/819_SCG/6ser_conf.html#78662

Q6. DRAG DROP 

Drag and drop each GET VPN feature on the left to the corresponding function it performs on the right. 

Answer:  

Q7. Refer to the exhibit. 

Which configuration is missing that would enable SSH access on a router that is running Cisco IOS XE Software? 

A. int Gig0/0/0 

management-interface 

B. class-map ssh-class 

match access-group protect-ssh 

policy-map control-plane-in 

class ssh-class 

police 80000 conform transmit exceed drop 

control-plane 

service-policy input control-plane-in 

C. control-plane host 

management-interface GigabitEthernet0/0/0 allow ssh 

D. interface Gig0/0/0 

ip access-group protect-ssh in 

Answer:

Explanation: 

Management Plane Protection (MPP) lets an administrator restrict the interfaces on which a device accepts management traffic. This gives the administrator additional control over the device and how it is accessed. This example enables MPP so that only SSH and HTTPS are allowed on the GigabitEthernet0/1 interface:

control-plane host 

management-interface GigabitEthernet 0/1 allow ssh https 

Reference: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html 

Q8. Which two are features of DMVPN? (Choose two.) 

A. It does not support spoke routers behind dynamic NAT. 

B. It requires IPsec encryption. 

C. It only supports remote peers with statically assigned addresses. 

D. It supports multicast traffic. 

E. It offers configuration reduction. 

Answer: D,E 

Explanation: 

DMVPN Hub-and-spoke deployment model: In this traditional topology, remote sites (spokes) are aggregated into a headend VPN device at the corporate headquarters (hub). Traffic from any remote site to other remote sites would need to pass through the headend device. Cisco DMVPN supports dynamic routing, QoS, and IP Multicast while significantly reducing the configuration effort. 

Reference: http://www.cisco.com/c/en/us/products/collateral/security/dynamic-multipoint-vpn-dmvpn/data_sheet_c78-468520.html 

Q9. A company is multihomed to several Internet providers using EBGP. Which two measures guarantee that the network of the company does not become a transit AS for Internet traffic? (Choose two.) 

A. Prepend three times the AS number of the company to the AS path list. 

B. Add the community NO_EXPORT when sending updates to EBGP neighbors. 

C. Write an AS-path access list that permits only paths that are one AS long, and use it to filter updates sent to EBGP neighbors.

D. Add the community NO_EXPORT when receiving updates from EBGP neighbors. 

Answer: C,D 

Explanation: 

By default, BGP will advertise all prefixes to EBGP (External BGP) neighbors. This means that if you are multi-homed (connected to two or more ISPs), you might become a transit AS. Let me show you an example:

R1 is connected to ISP1 and ISP2 and each router is in a different AS (Autonomous System). Since R1 is multi-homed, it’s possible that the ISPs will use R1 to reach each other. In order to prevent this, we’ll have to ensure that R1 only advertises prefixes from its own autonomous system. As far as I know, there are 4 methods to prevent becoming a transit AS:

Filter-list with AS PATH access-list.

No-Export Community.

Prefix-list Filtering.

Distribute-list Filtering.

Reference: http://networklessons.com/bgp/bgp-prevent-transit-as/ 

Q10. DRAG DROP 

Drag and drop the argument of the mls ip cef load-sharing command on the left to the function it performs on the right. 

Answer: