CCIE Routing and Switching Written Exam v5.1

 

QUESTION 361

Which statement about the overload bit in IS-IS is true?

 

A.

The IS-IS adjacencies on the links for which the overload bit is set are brought down.

B.

Routers running SPF ignore LSPs with the overload bit set and hence avoid blackholing traffic.

C.

A router setting the overload bit becomes unreachable to all other routers in the IS-IS area.

D.

The overload bit in IS-IS is used only for external prefixes.

 

Correct Answer: B

Explanation:

The OL bit is used to prevent unintentional blackholing of packets in BGP transit networks. Due to the nature of these protocols, IS-IS and OSPF converge much faster than BGP. Thus there is a possibility that while the IGP has converged, IBGP is still learning the routes. In that case, if other IBGP routers start sending traffic towards this IBGP router that has not yet completely converged, it will start dropping traffic. This is because it isn't yet aware of the complete BGP routes. The OL bit comes in handy in such situations. When a new IBGP neighbor is added or a router restarts, the IS-IS OL bit is set. Since directly connected (including loopbacks) addresses on an “overloaded” router are considered by other routers, IBGP can be brought up and can begin exchanging routes. Other routers will not use this router for transit traffic and will route the packets out through an alternate path. Once BGP has converged, the OL bit is cleared and this router can begin forwarding transit traffic.

Reference: https://routingfreak.wordpress.com/category/ospf-vs-is-is/

 

 

QUESTION 362

Which BGP feature enables you to install a backup path in the forwarding table?

 

A.

soft reconfiguration

B.

prefix independent convergence

C.

route refresh

D.

synchronization

 

Correct Answer: B

Explanation:

To install a backup path into the forwarding table and provide prefix independent convergence (PIC) in case of a PE-CE link failure, use the additional-paths install backup command in an appropriate address family configuration mode. To prevent installing the backup path, use the no form of this command. To disable prefix independent convergence, use the disable keyword.

Reference: http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/routing/command/reference/b_routing_cr42crs/b_routing_cr42crs_chapter_01.html

 

 

QUESTION 363

Which two statements are true about AAA? (Choose two.)

 

A.

AAA can use RADIUS, TACACS+, or Windows AD to authenticate users.

B.

If RADIUS is the only method configured in AAA, and the server becomes unreachable, the user will be able to log in to the router using a local username and password.

C.

If the local keyword is not included and the AAA server does not respond, then authorization will never be possible and the connection will fail.

D.


AAA can be used to authenticate the enable password with a AAA server.

 

Correct Answer: CD

Explanation:

AAA can be used to authenticate user login and the enable passwords.

Example 1: Same Exec Authentication Methods for All Users

Once authenticated with:

aaa authentication login default group radius local

All users who want to log in to the access server have to be authorized using RADIUS (first method) or the local database (second method).

We configure:

aaa authorization exec default group radius local

Note. On the AAA server, Service-Type=1 (login) must be selected.

Note. With this example, if the local keyword is not included and the AAA server does not respond, then authorization will never be possible and the connection will fail.

 

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/10384-security.html

 

 

 

 

 

 

 

 

QUESTION 364

DRAG DROP

[Image: drag-and-drop exhibit not available]

 

Correct Answer:

[Image: answer exhibit not available]

 

 

QUESTION 365

Which statement about the OSPF Loop-Free Alternate feature is true?

 

A.

It is supported on routers that are configured with virtual links.

B.

It is supported in VRF OSPF instances.

C.

It is supported when a traffic engineering tunnel interface is protected.

D.

It is supported when traffic can be redirected to a primary neighbor.

 

Correct Answer: B

Explanation:

Restrictions for OSPF IPv4 Remote Loop-Free Alternate IP Fast Reroute

The OSPF IPv4 Remote Loop-Free Alternate IP Fast Reroute feature is not supported on devices that are virtual link headends.

The feature is supported only in global VPN routing and forwarding (VRF) OSPF instances.

The only supported tunneling method is MPLS.

You cannot configure a traffic engineering (TE) tunnel interface as a protected interface. Use the MPLS Traffic Engineering—Fast Reroute Link and Node Protection feature to protect these tunnels. For more information, see the “MPLS Traffic Engineering—Fast Reroute Link and Node Protection” section in the Multiprotocol Label Switching Configuration Guide.

You can configure a TE tunnel interface in a repair path, but OSPF will not verify the tunnel’s placement; you must ensure that it is not crossing the physical interface that it is intended to protect.

Not all routes can have repair paths. Multipath primary routes might have repair paths for all, some, or no primary paths, depending on the network topology, the connectivity of the computing router, and the attributes required of repair paths.

Devices that can be selected as tunnel termination points must have a /32 address advertised in the area in which remote LFA is enabled. This address will be used as a tunnel termination IP. If the device does not advertise a /32 address, it may not be used for remote LFA tunnel termination.

All devices in the network that can be selected as tunnel termination points must be configured to accept targeted LDP sessions using the mpls ldp discovery targeted-hello accept command.

 

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-ipfrr-lfa.html

 

 

QUESTION 366

Which two statements about SoO checking in EIGRP OTP deployments are true? (Choose two.)

 

A.

During the import process, the SoO value in BGP is checked against the SoO value of the site map.

B.

During the reception of an EIGRP update, the SoO value in the EIGRP update is checked against the SoO value of the site map on the ingress interface.

C.

At the ingress of the PE/CE link, the SoO in the EIGRP update is checked against the SoO within the PE/CE routing protocol.

D.

At the egress of the PE/CE link, the SoO is checked against the SoO within the PE/CE routing protocol.

E.

The SoO is checked at the ingress of the backdoor link.

F.

The SoO is checked at the egress of the backdoor link.

Correct Answer: AB

Explanation:

SoO checking:

During the import process, the SoO value in the BGP update is checked against the SoO value of the site-map attached to the VRF interface. The update is propagated to the CE only if there is no match (this check is done regardless of the protocol used on the PE/CE link).

At reception of an EIGRP update, the SoO value in the EIGRP update is checked against the SoO value of the site-map attached to the incoming interface. This update is accepted only if there is no match (this check can optionally be done on the backdoor router).

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ip-routing/whitepaper_C11-730404.html

 

 

QUESTION 367

When deploying redundant route reflectors in BGP, which attribute can you configure on the route reflector to allow routes to be identified as belonging to the same group?

 

A.

ROUTER_ID

B.

CLUSTER_ID

C.

ORIGINATOR_ID

D.

PEER_GROUP

 

Correct Answer: B

Explanation:

Together, a route reflector and its clients form a cluster. When a single route reflector is deployed in a cluster, the cluster is identified by the router ID of the route reflector. The bgp cluster-id command is used to assign a cluster ID to a route reflector when the cluster has one or more route reflectors. Multiple route reflectors are deployed in a cluster to increase redundancy and avoid a single point of failure. When multiple route reflectors are configured in a cluster, the same cluster ID is assigned to all route reflectors. This allows all route reflectors in the cluster to recognize updates from peers in the same cluster and reduces the number of updates that need to be stored in BGP routing tables.

Reference: http://ieoc.com/forums/t/5326.aspx

 

QUESTION 368

Which option is the Cisco recommended method to secure access to the console port?

 

A.

Configure the activation-character command.

B.

Configure a very short timeout (less than 100 milliseconds) for the port.

C.

Set the privilege level to a value less than 15.

D.

Configure an ACL.

 

Correct Answer: A

Explanation:

The activation-character command defines a session activation character. Entering this character at a vacant terminal begins a terminal session. The default activation character is the Return key. To secure the console port, you should change this character to a different one, as most people simply hit the Enter key when trying to access the console.

 

 

QUESTION 369

Which three statements about SPAN traffic monitoring are true? (Choose three.)

 

A.

Traffic from a non-source VLAN is discarded when it arrives on a source VLAN.

B.

Multiple sessions can send traffic to an individual destination port.

C.

It supports up to 32 SPAN ports per switch.

D.

The destination port acts as a normal switchport.

E.

It supports up to 64 SPAN ports per switch.

F.

Only one session can send traffic to an individual destination port.

 

Correct Answer: AEF

Explanation:

You can create up to a total of 64 SPAN and ERSPAN sessions to define sources and destinations on the local device. You can also create a SPAN session to monitor multiple VLAN sources and choose only VLANs of interest to transmit on multiple destination ports. For example, you can configure SPAN on a trunk port and monitor traffic from different VLANs on different destination ports.

You can configure a particular destination port in only one SPAN session.

Traffic from a non-source VLAN is discarded when it arrives on a source VLAN.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_0/troubleshooting/configuration/guide/n1000v_troubleshooting/trouble_15span.html

 

 

QUESTION 370

Which two protocols are not protected in an edge router by using control plane policing? (Choose two.)

 

A.

SMTP

B.

RPC

C.

SSH

D.

Telnet

 

Correct Answer: AB

Explanation:

A CoPP policy can limit a number of different packet types that are forwarded to the control plane.

Traffic destined for the switch CPU includes:

 

Address Resolution Protocol (ARP)

First-hop redundancy protocol packets

Layer 2 control packets

Management packets (telnet, Secure Shell [SSH] Protocol, Simple Network Management Protocol [SNMP]) <— C and D are not correct.

Multicast control packets

Routing protocol packets

Packets with IP options

Packets with time to live (TTL) set to 1

Packets that require ACL logging

Packets that require an initial lookup (first packet in a flow: FIB miss)

Packets that don’t support hardware switching/routing

 

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_553261.html

 
