Ensurepass

CCIE Routing and Switching Written Exam v5.1

QUESTION 51

Which three steps are necessary to enable SSH? (Choose three.)

A. generating an RSA or DSA cryptographic key

B. configuring the version of SSH

C. configuring a domain name

D. configuring VTY lines for use with SSH

E. configuring the port for SSH to listen for connections

F. generating an AES or SHA cryptographic key

Correct Answer: ACD

Explanation:

Here are the steps:

1. Configure a hostname for the router using these commands.

yourname#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

yourname(config)#hostname LabRouter

LabRouter(config)#

2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used CiscoLab.com.

LabRouter(config)#ip domain-name CiscoLab.com

3. Generate the RSA key pair that SSH will use to encrypt the session with the crypto key generate rsa command.

Take note of the message that is displayed right after we enter this command: “The name for the keys will be: LabRouter.CiscoLab.com”. It combines the hostname of the router with the domain name we configured to form the name of the generated key; this is why we had to configure a hostname and then a domain name before generating the keys.

Notice also that it asks us to choose a modulus size for the key we’re about to generate. The higher the modulus, the stronger the key. For our example, we’ll use a modulus of 1024.

4. Now that we’ve generated the key, the next step is to configure the vty lines for SSH access and specify which database will provide authentication to the device. The local database on the router will do just fine for this example.

LabRouter(config)#line vty 0 4

LabRouter(config-line)#login local

LabRouter(config-line)#transport input ssh

5. You will need to create an account in the router’s local database to be used for authenticating to the device. This can be accomplished with this command.

LabRouter(config)#username XXXX privilege 15 secret XXXX

 

Reference: http://blog.pluralsight.com/configure-secure-shell-ssh-on-cisco-router

QUESTION 52

Refer to the exhibit. Which two statements about how the configuration processes Telnet traffic are true? (Choose two.)

A. Telnet traffic from 10.1.1.9 to 10.10.10.1 is dropped.

B. All Telnet traffic is dropped.

C. Telnet traffic from 10.10.10.1 to 10.1.1.9 is permitted.

D. Telnet traffic from 10.1.1.9 to 10.10.10.1 is permitted.

E. Telnet traffic is permitted to all IP addresses.

Correct Answer: AC

Explanation:

The ACL applied to the CoPP policy matches only Telnet traffic from 10.1.1.9 to 10.10.10.1. All other Telnet traffic is not matched and is therefore not subject to the CoPP policy, which means this traffic is handled normally (accepted). For Telnet traffic from 10.1.1.9 to 10.10.10.1, the CoPP policy treats this traffic as exceed traffic and drops it.

QUESTION 53

Refer to the exhibit. Service provider SP 1 is running the MPLS-VPN service. The MPLS core network has MP-BGP configured with RR-1 as route reflector. What will be the effect on traffic between PE1 and PE2 if router P1 goes down?

A. No effect, because all traffic between PE1 and PE2 will be rerouted through P2.

B. No effect, because P1 was not the only P router in the forwarding path of traffic.

C. No effect, because RR-1 will find an alternative path for MP-BGP sessions to PE-1 and PE-2.

D. All traffic will be lost because RR-1 will lose the MP-BGP sessions to PE-1 and PE-2.

Correct Answer: D

Explanation:

If the connection to the route reflector goes down, then routes from PE-1 will not get advertised to PE2, and vice versa. Route reflectors are critical in an MPLS VPN such as the one shown, which is why it is a best practice to have multiple route reflectors in this kind of network.

QUESTION 54

Refer to the exhibit. Router A and router B are physically connected over an Ethernet interface, and ISIS is configured as shown. Which option explains why the ISIS neighborship is not getting formed between router A and router B?

A. same area ID

B. same N selector

C. same domain ID

D. same system ID

Correct Answer: D

Explanation:

With IS-IS, the LSP identifier is derived from the system ID (along with the pseudonode ID and LSP number). Each IS is usually configured with one NET and in one area; each system ID within an area must be unique.

The big difference between NSAP style addressing and IP style addressing is that, in general, there will be a single NSAP address for the entire router, whereas with IP there will be one IP address per interface. All ISs and ESs in a routing domain must have system IDs of the same length. All routers in an area must have the same area address. All Level 2 routers must have a unique system ID domain-wide, and all Level 1 routers must have a unique system ID area-wide.

Reference: http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a3e6f.shtml

QUESTION 55

Which two statements are true about VPLS? (Choose two.)

A. It can work over any transport that can forward IP packets.

B. It provides integrated mechanisms to maintain First Hop Resiliency Protocols such as HSRP, VRRP, or GLBP.

C. It includes automatic detection of multihoming.

D. It relies on flooding to propagate MAC address reachability information.

E. It can carry a single VLAN per VPLS instance.

Correct Answer: DE

Explanation:

VPLS relies on flooding to propagate MAC address reachability information. Therefore, flooding cannot be prevented.

VPLS can carry a single VLAN per VPLS instance. To multiplex multiple VLANs on a single instance, VPLS uses IEEE QinQ.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-series-switches/white_paper_c11-574984.html

QUESTION 56

Refer to the exhibit. Which statement describes the effect on the network if FastEthernet0/1 goes down temporarily?

A. FastEthernet0/2 forwards traffic only until FastEthernet0/1 comes back up.

B. FastEthernet0/2 stops forwarding traffic until FastEthernet0/1 comes back up.

C. FastEthernet0/2 forwards traffic indefinitely.

D. FastEthernet0/1 goes into standby.

Correct Answer: C

Explanation:

Use the switchport backup interface command in interface configuration mode on a Layer 2 interface to configure Flex Links, a pair of interfaces that provide backup to each other. Use the no form of this command to remove the Flex Links configuration.

With Flex Links configured, one link acts as the primary interface and forwards traffic, while the other interface is in standby mode, ready to begin forwarding traffic if the primary link shuts down. The interface being configured is referred to as the active link; the specified interface is identified as the backup link. The feature provides an alternative to the Spanning Tree Protocol (STP), allowing users to turn off STP and still retain basic link redundancy.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_53_se/command/reference/2960ComRef/cli3.html#wp3269214

QUESTION 57

Which three statements about the designated router election in IS-IS are true? (Choose three.)

A. If the IS-IS DR fails, a new DR is elected.

B. The IS-IS DR will preempt. If a new router with better priority is added, it just becomes active in the network.

C. If there is a tie in DR priority, the router with a higher IP address wins.

D. If there is a tie in DR priority, the router with a higher MAC address wins.

E. If the DR fails, the BDR is promoted as the DR.

F. The DR is optional in a point-to-point network.

Correct Answer: ABD

Explanation:

DR/DIS election: highest priority (0-127), then highest MAC address.

Setting priority to 0 doesn’t disable DIS election; use point-to-point to disable it.

There can be separate DRs for L1 and L2 adjacencies.

There is no backup DR. If the primary DR fails, a new DR is elected.

DR preemption is enabled by default.

Reference: http://ccie-in-2-months.blogspot.com/2013/12/is-is-hints.html

QUESTION 58

Refer to the exhibit. Routers R1, R2, and R3 are configured as shown, and traffic from R2 fails to reach 172.29.168.3. Which action can you take to correct the problem?

A. Correct the static route on R1.

B. Correct the default route on R2.

C. Edit the EIGRP configuration of R3 to enable auto-summary.

D. Correct the network statement for 172.29.168.3 on R3.

Correct Answer: A

Explanation:

On R1 we see there is a wrongly configured static route: ip route 172.29.168.3 255.255.255.255 172.17.17.2. It should be ip route 172.29.168.3 255.255.255.255 10.17.12.3.

QUESTION 59

Refer to the exhibit. Which action will solve the error state of this interface when connecting a host behind a Cisco IP phone?

A. Configure dot1x-port control auto on this interface

B. Enable errdisable recovery for security violation errors

C. Enable port security on this interface

D. Configure multidomain authentication on this interface

Correct Answer: D

Explanation:

In single-host mode, a security violation is triggered when more than one device is detected on the data VLAN. In multidomain authentication mode, a security violation is triggered when more than one device is detected on the data or voice VLAN. Here we see that single-host mode is being used, not multidomain mode.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.html#wp1309041

QUESTION 60

What is the goal of Unicast Reverse Path Forwarding?

A. to verify the reachability of the destination address in forwarded packets

B. to help control network congestion

C. to verify the reachability of the destination address in multicast packets

D. to verify the reachability of the source address in forwarded packets

Correct Answer: D

Explanation:

Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded.

Reference: http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

 
