Appendix C. Answers to the “Do I Know This Already?” Quizzes

Chapter 1

1. B. A VLAN is a set of devices in the same Layer 2 broadcast domain. A subnet often includes the exact same set of devices, but it is a Layer 3 concept. A collision domain refers to a set of Ethernet devices, but with different rules than VLAN rules for determining which devices are in the same collision domain.

2. D. Although a subnet and a VLAN are not equivalent concepts, the devices in one VLAN are typically in the same IP subnet and vice versa.

3. B. 802.1Q defines a 4-byte header, inserted after the original frame’s destination and source MAC address fields. The insertion of this header does not change the original frame’s source or destination address. The header itself holds a 12-bit VLAN ID field, which identifies the VLAN associated with the frame.

4. A and C. The dynamic auto setting means that the switch can negotiate trunking, but it can only respond to negotiation messages, and it cannot initiate the negotiation process. So, the other switch must be configured to trunk or to initiate the negotiation process (based on being configured with the dynamic desirable option).

5. A and B. The configured VTP setting of VTP transparent mode means that the switch can configure VLANs, so the VLAN is configured. In addition, the VLAN configuration details, including the VLAN name, show up as part of the running-config file.

6. B and C. The show interfaces switchport command lists both the administrative and operational status of each port. When a switch considers a port to be trunking, this command lists an operational trunking state of “trunk.” The show interfaces trunk command lists a set of interfaces: the interfaces that are currently operating as trunks. So, both these commands identify interfaces that are operational trunks.

Chapter 2

1. A, B. Listening and learning are transitory port states, used only when moving from the blocking to the forwarding state. Discarding is not an 802.1D STP port state.

2. C, D. Listening and learning are transitory port states, used only when moving from the blocking to the forwarding state. Discarding is not an 802.1D STP port state. Forwarding and blocking are stable states.

3. C. The smallest numeric bridge ID wins the election.

4. B. Nonroot switches forward Hellos received from the root; the root sends these Hellos based on the root’s configured Hello timer.

5. B, D. RSTP uses port states forwarding, learning, and discarding. Forwarding and learning perform the same functions as the port states used by traditional 802.1D STP.

6. A, D. With RSTP, an alternate port is an alternate to the root port when a switch’s root port fails. A backup port takes over for a designated port if the designated port fails.

7. D. The PortFast feature allows STP to move a port from blocking to forwarding, without going through the interim listening and learning states. STP allows this exception when the link is known to have no switch on the other end of the link, removing the risk of a switching loop. BPDU Guard is a common feature to use at the same time as PortFast, because it watches for incoming bridge protocol data units (BPDU), which should not happen on an access port, and prevents the loops from a rogue switch by disabling the port.

Chapter 3

1. B, C. You cannot set the system ID part of the bridge ID (BID). However, you can set the priority part of the BID, the first 16 bits, in two ways. One way sets it directly (spanning-tree vlan priority), whereas the other tells the switch to figure out a priority setting that either makes the switch root (spanning-tree root primary) or the backup (spanning-tree root secondary).

2. B. Cisco switches use the extended system ID format for BIDs by default, in which the priority field is broken down into a base priority value (32,768 in this case) plus the VLAN ID. The priority of this switch allows it to be capable of being the root switch, but the command output does not supply enough information to know whether this switch is currently root.

3. A, D. The spanning-tree cost 19 command sets the cost for all VLANs on that interface unless the cost is set by a spanning-tree cost command that lists the VLAN ID. The two commands with a port-cost parameter are incorrect; the correct keyword is simply cost. Finally, Cisco switches choose the default cost based on the current speed, not the interface’s fastest possible speed. So, this interface, running at 100 Mbps, already defaults to the IEEE default cost for 100 Mbps, or 19.

4. D. IOS uses the channel-group configuration command to create an EtherChannel. Then, the term etherchannel is used in the show etherchannel command, which displays the status of the channel. The output of this show command then names the channel a PortChannel. The only answer that is not used somewhere in IOS to describe this multilink channel is Ethernet-Channel.

5. A, D. First, regarding the listed MAC address of 1833.9d7b.0e80, the first group of messages listed at the beginning of the output of the show spanning-tree command lists information about the root switch, not the local switch. Second, the “protocol rstp” near the top of the output positively identifies that the switch is using RSTP, as configured with the spanning-tree mode rapid-pvst global configuration command.

6. B, D. This question requires that you work through the reasons why a port is listed as a particular type of STP port per the Type column in the output of the show spanning-tree vlan 10 command. To begin, keep in mind that a port must have PortFast enabled to be listed as an edge port. That configuration requires either the spanning-tree portfast interface subcommand or the spanning-tree portfast default global command, which makes PortFast the default on the switch. Answer choice A shows a type that includes “edge” and the reason listed has nothing to do with PortFast, so that answer is incorrect.

For the other incorrect answer, C, the trunking status of a port does not impact the STP Type as listed in the output.

Answer B is correct because any port that is using half duplex, either through negotiation or by configuration, is considered to be a shared port, as noted with “Shr” in the type column. Answer D is correct because if a switch has no reason to make a port act as a shared port, or as an edge port, the switch treats it as a point-to-point port.

Chapter 5

1. B, C. VTP has three modes: server, client, and transparent. Only server and transparent mode switches can be used to configure VLANs; that is, to create the VLAN, delete the VLAN, and assign a VLAN a name. Client mode switches cannot configure VLANs. Also, there is no such mode as dynamic mode.

2. C. When any two switches connect with a trunk, and both use VTP in either client or server mode, they exchange VTP messages. Then the switch with the lower revision number updates its VLAN configuration database to match the VLAN configuration database with the higher revision number. In this case, with all three switches eventually connecting to each other through some path with trunks, the highest revision number database will win.

The STP election process has nothing to do with the choices made by VTP.

3. A, D. VTP synchronization causes two neighboring VTP server and/or client switches to update the switch with the configuration database that has the lower revision number to use the newer database from the neighbor that has the higher revision number. Once completed, the show vtp status command on both switches will list the same revision number. Because both use the same configuration database, both will list the same information about the “last updater,” which is this command’s method of referring to the VTP server that last changed the configuration.

The two incorrect answers list text that does not occur in the output of the show vtp status command.

4. A, B. One correct answer shows a vlan command being issued on a VTP client, which is not allowed. IOS actually rejects the vlan command when issued on a VTP client.

The other correct answer relies on the fact that VTP version 1 (and 2) restricts VTP servers and clients to knowing only standard-range VLANs (VLANs 1–1005). As a result, the vlan 2000 command on a VTP server (switch SW1) would also be rejected.

As for the two incorrect answers, the vlan 200 command would be accepted on a transparent mode switch. On the VTP server, that same vlan 200 command would be accepted, because VLAN ID 200 is inside the range of standard VLAN IDs.

5. B, C. The VTP domain name must match on two neighboring VTP switches, or they ignore each other’s messages. The domain name is case sensitive, making the answer with domain name “Fred” be correct. Additionally, switch SW1 does not have a vtp password command configured per the question stem. If SW2 were to be configured per the other correct answer, then SW1 would not have a VTP password, SW2 would, and the two switches would ignore each other’s VTP messages. (If configured on one switch, both must have the same case-sensitive password configured.)

As for the incorrect answers, the VTP version does not have to match on neighboring switches for them to be able to synchronize. Additionally, two neighboring VTP client mode switches will synchronize, which is what the question asked. Neither could be used to configure new VLANs, but both would synchronize with the other.

6. A, B. The case-sensitive domain names must be equal, and the case-sensitive passwords must be equal. The switches must also connect using a trunk before VTP will work. It is normal to have some switches as servers and some as clients. A mismatched pruning configuration setting does not prevent the synchronization of VLAN databases.

Chapter 6

1. D. Of the four answers, the answer “translator” is not an 802.1x role, but the other three are 802.1x roles. The device that is connecting to the network and would like to gain access is the supplicant. The AAA server that can check its list of usernames and passwords is called the authentication server. The switch, which does in some way translate between message formats for this process, plays the role that 802.1x defines as authenticator.

2. C. TACACS+, defined by Cisco, uses TCP as its transport protocol. Cisco defines TACACS+ with an ability to authorize users for different subsets of CLI commands, whereas RADIUS does not. Both RADIUS and TACACS+ encrypt the passwords before transmitting them.

3. A, C. DHCP snooping must be implemented on a device that does Layer 2 switching. The DHCP snooping function needs to examine DHCP messages that flow between devices within the same broadcast domain (VLAN). Layer 2 switches perform that function, as well as multilayer switches. Because a router performs only Layer 3 forwarding (that is, routing), and does not forward messages between devices in the same VLAN, a router does not provide a good platform to implement DHCP snooping (and is not even a feature of Cisco IOS on routers).

4. B, C. Switch ports connected to IT-controlled devices from which DHCP messages may be received should be trusted by the DHCP snooping function. Those devices include IT-controlled DHCP servers and IT-controlled routers and switches. All devices that are expected to be DHCP client devices (like PCs) are then treated as untrusted, because DHCP snooping cannot know beforehand from which ports a DHCP-based attack will be launched. In this case, the ports connected to all three PCs will be treated as untrusted by DHCP snooping.

5. C. A switch stack connects the switches with stacking modules and stacking cables so that they can communicate directly. Functionally, the switches in the stack act as a single logical switch. For instance, to manage the switches in the stack, an engineer would log in to one switch, with one IP address, and see one configuration file for the whole switch stack; STP and VTP would run for the logical switch as a whole; and the stack would forward frames as one switch, across all the ports in the stack.

Chapter 7

1. D. Both versions of RIP use distance vector logic, and EIGRP uses a different kind of logic, characterized either as advanced distance vector or a balanced hybrid.

2. C, D. Both versions of RIP use the same hop-count metric, neither of which is affected by link bandwidth. EIGRP’s metric, by default, is calculated based on bandwidth and delay. OSPF’s metric is a sum of outgoing interface costs, with those costs (by default) based on interface bandwidth.

3. B, C, D. Of the listed routing protocols, only the old RIP Version 1 (RIP-1) protocol does not support variable-length subnet masks (VLSM).

4. C. LSAs contain topology information that is useful in calculating routes, but the LSAs do not directly list the route that a router should add to its routing table. In this case, R1 would run a calculation called the Shortest Path First (SPF) algorithm, against the LSAs, to determine what IP routes to add to the IP routing table.

5. B. Neighboring OSPF routers that complete the database exchange are considered fully adjacent and rest in a full neighbor state. The up/up and final states are not OSPF states at all. The 2-way state is either an interim state or a stable state between some routers on the same VLAN.

6. C. The correct answer is the one advantage of using a single-area design. The three wrong answers are advantages of using a multiarea design, with all reasons being much more important with a larger internetwork.

Chapter 8

1. B. The network 10.0.0.0 0.255.255.255 area 0 command works, because it matches all interfaces whose first octet is 10. The rest of the commands match as follows: all addresses that end with 0.0.0 (wildcard mask 255.0.0.0); all addresses that begin with 10.0.0 (wildcard mask 0.0.0.255); and all addresses that begin with 10.0 (wildcard mask 0.0.255.255).

2. A. The network 10.1.0.0 255.255.255.255 area 0 command matches all IP addresses that begin with 10.1, enabling OSPF in area 0 on all interfaces. The answer with wildcard mask 0.255.255.0 is illegal, because it represents more than one string of binary 0s separated by binary 1s. The answer with x’s is syntactically incorrect. The answer with wildcard mask 255.0.0.0 means “Match all addresses whose last three octets are 0.0.0,” so none of the three interfaces are matched.

3. A, E. Of the three wrong answers, two are real commands that simply do not list the OSPF neighbors. show ip ospf interface brief lists interfaces on which OSPF is enabled, but does not list neighbors. show ip interface lists IPv4 details about interfaces, but none related to OSPF. One incorrect answer, show ip neighbor, is not a valid IOS command.

4. C. An ABR, by definition, connects to the backbone area plus one or more nonbackbone areas. To do so, the configuration enables OSPF so that at least one interface is in area 0 (backbone) and at least one interface is in some other area. For the incorrect answers, the abr enable command is imaginary. Routers internal to a nonbackbone area (which are therefore not ABRs) use OSPF network commands that all refer to the same nonbackbone area. Finally, two routers cannot become OSPF neighbors on a link if their interfaces are in different areas.

5. D. The BDR designation on this line is for backup designated router (BDR). On this command, this notation means that the neighbor (2.2.2.2) is the BDR, not the local router on which the command was issued (R1 in this case).

6. B. With OSPFv2 interface configuration mode, the configuration looks just like the traditional configuration, with a couple of exceptions. The network router subcommand is no longer required. Instead, each interface on which OSPF should be enabled is configured with an ip ospf process-id area area-id interface subcommand. This command refers to the OSPF routing process that should be enabled on the interface, and specifies the OSPFv2 area.

7. B. SPF calculates the cost of a route as the sum of the OSPF interface costs for all outgoing interfaces in the route. The interface cost can be set directly (ip ospf cost), or IOS uses a default based on the reference bandwidth and the interface bandwidth. Of the listed answers, delay is the only setting that does not influence OSPFv2 metric calculations.

Chapter 9

1. D. Split horizon causes a router to not advertise a route out of the same interface on which the route was learned. It also causes the router to not advertise the connected route on an interface in updates sent out that interface.

2. D. Route poisoning means advertising the failed route with an “infinite” metric, as opposed to simply ceasing to advertise the route. Of the incorrect answers, SPF defines how link-state protocols calculate and choose routes; DUAL defines how EIGRP does some of its processing to find replacement routes; and split horizon limits which routes a router advertises to help avoid routing loops.

3. A. EIGRP separates the function of monitoring neighbor state into the Hello message process, relying on the receipt of a Hello message. If a router does not receive an EIGRP Hello within the configured EIGRP hold time, the local router believes the neighbor has failed.

4. A, B. EIGRP uses bandwidth and delay by default. Load and reliability can be added to the mix with configuration, but Cisco recommends against adding these to the metric calculation.

5. B. The feasible distance (FD) is, for all known routes to reach a subnet, the metric for the best of those routes. The best route is called the successor route, and it is added to the IP routing table.

6. C. A route’s reported distance (RD) is the metric used by the neighbor that advertised the route. A router uses it to determine which routes meet the feasibility condition for whether the route can be a feasible successor route.

Chapter 10

1. A, C. The EIGRP network command supports a parameter of either a classful network, enabling EIGRP on all interfaces in that classful network, or an address and wildcard mask. In the latter case, interface IP addresses that match the configured address, when applying ACL-like logic with the wildcard mask, match the command.

2. C, D. The EIGRP network 10.0.0.2 0.0.0.0 command exactly matches the interface with address 10.0.0.2 because of the wildcard mask, enabling EIGRP on that interface. The EIGRP ASN value must match on both routers. The network 10.0.0.1 0.0.0.0 command exactly matches the address on R1, but the network command needs to match addresses on the local router, and these commands should exist on Router R2. The network 10 command is syntactically incorrect; the entire classful network must be configured.

3. D. RIP uses R, and OSPF uses O, but EIGRP uses D. The letter E was already in use by an old (and no longer used) routing protocol, so Cisco chose to use nearby letter D for EIGRP.

4. C. The output from the show ip eigrp neighbors command lists EIGRP neighbors. The command lists only routers that have passed all EIGRP neighbor checks. The Address column identifies the neighbor based on the neighbor’s interface IP address on their common link, not based on the neighbor’s EIGRP router ID.

5. C. The first number in parentheses is the computed metric for a route, and the second number is the reported distance (RD) for the route. The route through 10.1.6.3 is the successor route, because the first number in parentheses on this line matches the feasible distance (FD) on the first line. For the other two routes, only the third route’s RD is less than the feasible distance (the metric of the successor route), making this route, with next-hop address 10.1.5.4, a feasible successor route.

6. A. By definition, the successor route is the best route to reach a subnet, and is the one route EIGRP always puts in the IP routing table. So, the show ip route eigrp command lists this route, including the metric. The show ip eigrp topology command lists both successor and feasible successor routes, including their metrics. The show ip eigrp interfaces command does not list route information, and the show ip eigrp database command is not a valid IOS command.

7. B. The unequal-cost load-balancing features allow IOS to place multiple unequal-cost routes into the routing table. The restrictions are that the metric must be less than or equal to variance times the feasible distance (5 times 100 in this case), so three of the routes meet this requirement, ruling out the route with metric 550. This feature also allows only successor and feasible successor routes, ruling out the route with metric 450. Of the two routes that meet both requirements, the route with metric 350 has the highest metric, as requested in the question text.
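The feasible distance, successor, feasible successor, and variance rules used in the Chapter 9 answers (questions 5 and 6) and the Chapter 10 answers (questions 5 and 7) can be carried through in one place. The following is an added example, not from the book and not IOS code: a small Python model of that selection logic. The next-hop addresses and metrics are constructed sample data, chosen so that they exercise each case the Chapter 10 question 7 answer walks through (a route above variance times FD, a route that is not a feasible successor, and a feasible successor that qualifies).

```python
"""Added example: EIGRP successor / feasible successor selection and the
variance check for unequal-cost load balancing (a Python model, not IOS)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    next_hop: str
    metric: int    # this router's computed metric (first number in parentheses)
    reported: int  # reported distance (RD): the neighbor's metric (second number)


# Constructed topology-table entries for one subnet.
SAMPLE = [
    Route("10.1.6.3", 100, 40),   # best metric: the successor
    Route("10.1.5.4", 350, 90),   # RD 90 < FD 100: feasible successor
    Route("10.1.4.2", 450, 120),  # RD 120 >= FD: not a feasible successor
    Route("10.1.7.5", 550, 60),   # feasible successor, but 550 > 5 * 100
]


def feasible_distance(routes):
    """FD: the metric of the best route to the subnet."""
    return min(r.metric for r in routes)


def successors(routes):
    """Successor route(s): those whose metric equals the FD."""
    fd = feasible_distance(routes)
    return [r for r in routes if r.metric == fd]


def feasible_successors(routes):
    """Feasibility condition: the neighbor's RD must be less than the local FD."""
    fd = feasible_distance(routes)
    return [r for r in routes if r.metric > fd and r.reported < fd]


def variance_routes(routes, variance):
    """Routes eligible for the routing table with 'variance n': the route must
    be a successor or feasible successor, and its metric must be at most
    variance times the FD."""
    fd = feasible_distance(routes)
    eligible = successors(routes) + feasible_successors(routes)
    return [r for r in eligible if r.metric <= variance * fd]


if __name__ == "__main__":
    print("FD:", feasible_distance(SAMPLE))
    print("successor:", [r.next_hop for r in successors(SAMPLE)])
    print("feasible successors:", [r.next_hop for r in feasible_successors(SAMPLE)])
    print("installed with variance 5:",
          [(r.next_hop, r.metric) for r in variance_routes(SAMPLE, 5)])
```

With variance 5 and FD 100 the cutoff is 500, so the route with metric 550 drops out on the variance test and the route with metric 450 drops out because it never met the feasibility condition; the highest metric that still gets installed is 350.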

Chapter 12

1. B, D. The word multihomed refers to designs in which the enterprise connects to (at least) two ISPs. The two choices that include the term homed refer to designs that connect to a single ISP.

2. C. External BGP, or eBGP, refers to BGP as used between two autonomous systems (as identified by using different autonomous system numbers). Both Interior BGP (iBGP) and eBGP use TCP. Only iBGP connects to other routers in the same ASN. The one answer that describes what eBGP does, but that iBGP does not, is that eBGP exchanges routes between an enterprise and an ISP, the two of which use different ASNs.

3. B, D. The enterprise typically advertises its public IPv4 address block to the ISP. There is no need to advertise its private IP address block, because Internet routers will not route packets to private IPv4 networks anyway. As for default routes, the enterprise can benefit from using a default route as advertised by the ISP, but not vice versa.

4. A. For this scenario, each router would need a neighbor ip-address remote-as asn BGP subcommand, but no other neighbor commands. For example, if using ASNs 1 and 2, and link IP addresses 1.1.1.1 and 1.1.1.2, respectively, the configuration would be, on R1:

router bgp 1
 neighbor 1.1.1.2 remote-as 2

And on R2:

router bgp 2
 neighbor 1.1.1.1 remote-as 1

5. D. To cause the injection of a route from the IP routing table to the BGP table, the network command must match a route in the IP routing table, unless the auto-summary command has also been added to the configuration. One answer lists prefix 200.1.1.0, but mask 255.255.255.0, and both must match the IP route—and the mask does not match. Likewise, the command with subnet 200.1.1.0 and mask 255.255.255.240 does not match any of the routes, either. The network 200.1.1.0 command implies the default mask—a Class C default mask of 255.255.255.0 in this case—and again does not match any of the routes in the routing table.

Note that the commands that would match routes in this router’s routing table include network 200.1.1.0 mask 255.255.255.224, which matches connected subnet 200.1.1.0/27, and network 200.1.1.32 mask 255.255.255.240, which matches the one OSPF-learned route.

6. A, D. The one BGP peer listed on R1, 1.1.1.1, is an eBGP peer. The line that lists 1.1.1.1 also lists the peer’s ASN (201). The first line of output lists R1’s ASN (101), so with different ASNs, the peer is an eBGP peer.

The line that lists the peer (1.1.1.1) basically relists the information in the neighbor 1.1.1.1 remote-as 201 command in two of the first three items in that line.

The state of this peer is established, which is the final BGP state, after the TCP connection is established and the BGP peers have agreed that their parameters match and they can exchange routes. The state is known by virtue of a number being listed on the far right in the “State/PfxRcd” column. That same column lists 1, meaning R1 has received or learned one prefix from this peer—not that R1 has sent one prefix to this peer.

Chapter 13

1. B. The four-wire circuit cable supplied by the telco connects to the device acting as the CSU/DSU. That can be an external CSU/DSU or a CSU/DSU integrated into a router serial interface card. LAN switches do not have serial interfaces, and router serial interfaces do not have transceivers.

2. A, C. The encapsulation hdlc command sets the interface encapsulation (data-link protocol) to HDLC. In addition, because Cisco routers default to use the Cisco-proprietary HDLC on serial interfaces, removing the use of PPP with the no encapsulation ppp command also works. The other two answers list commands that do not exist in IOS.

3. C. Of the possible answers, only PAP and CHAP are PPP authentication protocols. PAP sends the password as clear text between the two devices.

4. A, D. Both routers need an encapsulation ppp command, and both also need IP addresses before the ping will work. R1 does not need a clock rate command because R2 is connected to the DCE cable.

5. B, D. The output lists encapsulation PPP, meaning that it is configured to use PPP. The line and protocol status are both up, LCP is open, and both CDPCP and IPCP are open, meaning that IP and CDP packets can be sent over the link.

6. A, E. Both the multilink interface and each of the serial interfaces need the encapsulation ppp and ppp multilink commands, which account for both of the correct answers to this question. Two of the three incorrect answers list a command related to a Layer 3 feature (ip address and ip ospf), which are useful, but would be used in multilink interface mode instead of serial interface configuration mode. The other incorrect answer lists ppp authentication chap, which would not be used on the Layer 3 multilink interface, but instead on the serial interfaces.

7. C, D. The question states a problem symptom with an interface state of line status up, and protocol status down. One incorrect answer refers to a physical layer problem, which usually results in a line status (first status code) value of down. Another incorrect answer mentions an IP address mismatch on the ends of a link; this mistake allows both the line and protocol status of the interface to reach an up state. The two correct answers result in the router having a line status of up, but a protocol status of down.

Chapter 14

1. B, C. A Metro Ethernet E-Tree service uses a rooted point-to-multipoint Ethernet Virtual Connection (EVC), which means that one site connected to the service (the root) can communicate directly with each of the remote (leaf) sites. However, the leaf sites cannot send frames directly to each other; they can only send frames to the root site. Topology designs like this, which allow some but not all pairs of devices in the group to communicate, are called a partial mesh, or hub and spoke, or in some cases a multipoint or point-to-multipoint topology.

Of the incorrect answers, the full mesh term refers to topology designs in which each pair in the group can send data directly to each other, which is typical of a MetroE E-LAN service. The term point-to-point refers to topologies with only two nodes in the design, and they can send directly to each other, typical of a MetroE E-Line service.

2. A. Metro Ethernet uses Ethernet access links of various types. Time-division multiplexing (TDM) links such as serial links, even higher-speed links like T3 and E3, do not use Ethernet protocols, and are less likely to be used. MPLS is a WAN technology that creates a Layer 3 service.

Two answers refer to Ethernet standards usable as the physical access link for a Metro Ethernet service. However, 100Base-T supports cable lengths of only 100 meters, so it is less likely to be used as a Metro Ethernet access link in comparison to 100Base-LX10, which supports lengths of 10 km.

3. A, D. An E-LAN service is one in which the Metro Ethernet service acts as if the WAN were a single Ethernet switch, so that each device can communicate directly to every other device. As a result, the routers sit in the same subnet. With one headquarters router and ten remote sites, each router will have ten EIGRP neighbors.

4. B, C. A Layer 3 MPLS VPN creates an IP service with a different subnet on each access link. With one headquarters router and ten remote sites, 11 access links exist, so 11 subnets are used.

As for the EIGRP neighbor relationships, each enterprise router has a neighbor relationship with the MPLS provider edge (PE) router, but not with any of the other enterprise (customer edge) routers. So each remote site router would have only one EIGRP neighbor relationship.

5. D. Architecturally, MPLS allows for a wide variety of access technologies. Those include TDM (that is, serial links), Frame Relay, ATM, Metro Ethernet, and traditional Internet access technologies such as DSL and cable.

6. A. The PE-CE link is the link between the customer edge (CE) router and the MPLS provider’s provider edge (PE) router. When using OSPF, that link will be configured to be in some area. OSPF design allows for that link to be in the backbone area, or not, through the use of the OSPF super backbone, which exists between all the PE routers.

Chapter 15

1. A. The term client VPN typically refers to a VPN for which one endpoint is a user device, such as a phone, tablet, or PC. In those cases, SSL is the more likely protocol to use. SSL is included in browsers, and is commonly used to connect securely to websites. GRE along with IPsec is more likely to be used to create a site-to-site VPN connection. Similarly, Dynamic Multipoint VPN (DMVPN) could also use IPsec, but in a multipoint topology, and not specifically for client devices.

2. A. GRE tunnels that use private IP addresses on the tunnel and then use the Internet between the two routers need to configure references to both the private and public IP addresses. First, each router’s tunnel interface has an ip address command that refers to the local router’s private IP address. Additionally, each router configures a tunnel destination and tunnel source that refer to the public IP address of the other router (tunnel destination) and the local router (tunnel source).

Two answers refer to Router A’s private address. Per the first paragraph of this explanation, that address would be configured on a tunnel interface with an ip address command, on Router A, making one of those two answers correct. Private addresses would not be configured as the tunnel source or destination, making the other answer that mentions Router A’s private address incorrect.

Two answers refer to Router B’s public address. Per the first paragraph of this explanation, that address would only be configured as a tunnel source or tunnel destination, and not with the ip address command. That fact makes one of the answers incorrect. Next, Router B’s public IP address would be listed as the tunnel source on Router B, and the tunnel destination on Router A. The final (incorrect) answer suggests that Router B’s public address would be configured as the tunnel source, but on Router A, which would be an incorrect setting.

3. C. To justify the correct answer: R1’s source address for the tunnel must be an address on R1, on an interface in an up/up state, or the tunnel will fail to an up/down state.

For the two answers that mention ping, GRE tunnels do local checks to determine the interface status, but they do not check connectivity with pings. So, a tunnel interface can reach an up/up state even though a ping to the destination of the tunnel would currently fail. (The router must have a route for forwarding packets to the destination; there is just no guarantee that the packet would arrive.) In this case, R1 would have a route that matches destination 2.2.2.2, R2 would have a route that matches 1.1.1.1, and the tunnel interface could be up/up even though a ping would currently fail for other reasons.

Finally, for the tunnel to work correctly, and forward traffic, R2 would need a working interface with address 2.2.2.2. However, R1’s tunnel interface state is independent from whether R2’s interfaces are currently up or down.

4. B. DMVPN uses multipoint GRE tunnels, which means the hub router requires only a single tunnel interface. DMVPN allows designs for which the packets going from one spoke site to another route through the hub site, but it also allows for spoke-to-spoke traffic. In any case, packet forwarding between all the sites is allowed.

5. C. With PPPoE, the physical interface disables Layer 3 processing with the no ip address command. A dialer interface is used as the Layer 3 interface. For address assignment, the ISP typically uses PPP’s IP Control Protocol (IPCP) to assign the address to the customer router; to enable that function on the customer router, use the ip address negotiated command. Note that the ip address dhcp command is a valid command if using DHCP to assign the IP address to the router.

6. B, D. The show pppoe session command lists many key facts about a current PPPoE session. As for the correct answers, the State of UP on the far right confirms that the PPPoE session is working correctly. Also, the listing of the Di1 (Dialer1) and Vi1 (Virtual-access 1) interfaces implies that the two interfaces are bound by the PPPoE session.

As for the incorrect answers, MAC 0200.0000.3333 is in use, but by the ISP router. The heading lines list RemMAC (Remote MAC) above and LocMAC (Local MAC) below, so it is the lower of the two MAC addresses (0200.0000.3003) that is used by the local router, R1. Also, the PPPoE configuration is added to the dialer interface and the physical interface (G0/0 in this case), but the virtual-access interface is not directly configured. Instead, IOS generates its configuration from the configuration listed under the dialer interface.

7. A. The show pppoe session command lists a short group of messages about each PPPoE session once the router is trying to establish that session. However, a router does not even attempt to start a PPPoE session until PPPoE has been enabled on the physical interface using the pppoe enable command. (Note that the pppoe-client dial-pool-number number interface subcommand on the physical interface causes IOS to automatically add the pppoe enable command as well.) Until these commands are added, the router makes no attempt to create a PPPoE session, and as a result, the show pppoe session command lists no output at all.

For the incorrect answers, if the dialer interface’s commands related to PPP were incorrect or missing, there might be a problem, but those problems would not result in no output at all from the show pppoe session command. Instead, the command would list some status messages. Similarly, any errors in the configuration related to IP address learning would not prevent the show pppoe session command from listing output. Finally, the virtual-access interface does not have any specific configuration; its configuration is generated by the router.

Chapter 16

1. A and C. Standard ACLs check the source IP address. The address range 10.1.1.1–10.1.1.4 can be matched by an ACL, but it requires multiple access-list commands. Matching all hosts in Barney’s subnet can be accomplished with the access-list 1 permit 10.1.1.0 0.0.0.255 command.

2. A and D. The range of valid ACL numbers for standard numbered IP ACLs is 1–99 and 1300–1999, inclusive.

3. D. 0.0.0.255 matches all packets that have the same first three octets. This is useful when you want to match a subnet in which the subnet part comprises the first three octets, as in this case.

4. E. 0.0.15.255 matches all packets with the same first 20 bits. This is useful when you want to match a subnet in which the subnet part comprises the first 20 bits, as in this case.

5. A. The router always searches the ACL statements in order, and stops trying to match ACL statements after a statement is matched. In other words, it uses first-match logic. A packet with source IP address 1.1.1.1 would match any of the three explicitly configured commands described in the question. As a result, the first statement will be used.

6. B. One wrong answer, with wildcard mask 0.0.255.0, matches all packets that begin with 172.16, with a 5 in the last octet. One wrong answer matches only specific IP address 172.16.5.0. One wrong answer uses a wildcard mask of 0.0.0.128, which has only one wildcard bit (in binary), and happens to only match addresses 172.16.5.0 and 172.16.5.128. The correct answer matches the range of addresses 172.16.4.0–172.16.5.255.
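The wildcard-mask and first-match rules used in the answers above can be checked with a small script. This is an added example, not code from the book or from IOS; the function names, the sample access-list lines, and the addresses fed to them are constructed for illustration. It generalizes the answers slightly by enumerating the scattered match set of a non-contiguous mask such as 0.0.0.128 and by parsing the host and any keywords in addition to an explicit address/wildcard pair.

```python
"""Standard IPv4 ACL matching: wildcard masks and first-match logic.

Added, constructed example (not from the book). Function names and the
sample access-list lines are assumptions made for illustration.
"""
from ipaddress import IPv4Address

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True if `address` matches `base` under the wildcard mask.

    A 0 bit in the wildcard means "must equal the base bit", a 1 bit means
    "don't care", so the test is (address XOR base) AND NOT wildcard == 0.
    """
    a, b, w = _to_int(address), _to_int(base), _to_int(wildcard)
    return (a ^ b) & (~w & ALL_ONES) == 0


def wildcard_range(base: str, wildcard: str):
    """Lowest and highest address matched by base/wildcard.

    The matched set is one contiguous block only when the wildcard's 1 bits
    are a run of low-order bits (0.0.0.255, 0.0.15.255, 0.0.1.255); for a
    mask such as 0.0.0.128 the set is scattered, see matched_addresses().
    """
    b, w = _to_int(base), _to_int(wildcard)
    return str(IPv4Address(b & (~w & ALL_ONES))), str(IPv4Address(b | w))


def matched_addresses(base: str, wildcard: str, max_bits: int = 8):
    """Enumerate every address matched, for masks with few don't-care bits."""
    b, w = _to_int(base), _to_int(wildcard)
    bits = [i for i in range(32) if (w >> i) & 1]
    if len(bits) > max_bits:
        raise ValueError("too many wildcard bits to enumerate")
    fixed = b & (~w & ALL_ONES)  # bits that every matched address shares
    result = []
    for n in range(1 << len(bits)):
        value = fixed
        for k, bit in enumerate(bits):
            if (n >> k) & 1:
                value |= 1 << bit
        result.append(str(IPv4Address(value)))
    return result


def parse_standard_acl_line(line: str):
    """Parse 'access-list N permit|deny {host A | any | A [W]}'."""
    words = line.split()
    if len(words) < 4 or words[0] != "access-list":
        raise ValueError(f"not a standard ACL line: {line!r}")
    number, action = int(words[1]), words[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if words[3] == "any":
        base, wildcard = "0.0.0.0", "255.255.255.255"
    elif words[3] == "host":
        base, wildcard = words[4], "0.0.0.0"
    else:
        base = words[3]
        wildcard = words[4] if len(words) > 4 else "0.0.0.0"  # IOS default
    return number, action, base, wildcard


def evaluate_standard_acl(acl_lines, source: str):
    """First-match logic: return (action, index of the matching line).

    The implicit deny at the end of every ACL is reported as ("deny", None).
    """
    for index, line in enumerate(acl_lines):
        _, action, base, wildcard = parse_standard_acl_line(line)
        if wildcard_match(source, base, wildcard):
            return action, index
    return "deny", None


# Constructed sample ACL: all three statements match source 1.1.1.1,
# but only the first one is ever used for that address.
SAMPLE_ACL = [
    "access-list 1 permit host 1.1.1.1",
    "access-list 1 deny 1.1.1.0 0.0.0.255",
    "access-list 1 permit 1.1.0.0 0.0.255.255",
]

if __name__ == "__main__":
    print(wildcard_range("172.16.4.0", "0.0.1.255"))     # 172.16.4.0 to 172.16.5.255
    print(matched_addresses("172.16.5.0", "0.0.0.128"))  # only .0 and .128
    print(evaluate_standard_acl(SAMPLE_ACL, "1.1.1.1"))  # ('permit', 0)
```

The range helper makes the 0.0.1.255 case visible (172.16.4.0 through 172.16.5.255), while matched_addresses() shows why 0.0.0.128 is a poor choice for a subnet: it matches exactly two scattered addresses rather than a block.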

Chapter 17

1. E and F. Extended ACLs can look at the Layer 3 (IP) and Layer 4 (TCP, UDP) headers and a few others, but not any application layer information. Named extended ACLs can look for the same fields as numbered extended ACLs.

2. A and E. The correct range of ACL numbers for extended IP access lists is 100 to 199 and 2000 to 2699. The answers that list the eq www parameter after 10.1.1.1 match the source port number, and the packets are going toward the web server, not away from it.

3. E. Because the packet is going toward any web client, you need to check for the web server’s port number as a source port. The client IP address range is not specified in the question, but the servers are, so the source address beginning with 172.16.5 is the correct answer.

4. A and C. Before IOS 12.3, numbered ACLs must be removed and then reconfigured to remove a line from the ACL. As of IOS 12.3, you can also use ACL configuration mode and sequence numbers to delete one ACL line at a time.

5. B and C. A router bypasses the ACL logic for its own outbound ACLs for packets created by that router. Routers do not make any kind of exception for inbound packets. As a result, ACL B creates more risk than ACL A, because B is enabled as an inbound ACL.

The ping 1.1.1.1 command in two answers is a self-ping of a router’s Ethernet interface. As a result, the router would bypass any outbound ACL logic on that interface, but consider any inbound ACL logic. So router R1 would bypass the logic of ACL A, which would be enabled as an outbound ACL on R1’s G0/1 interface.

6. C and D. The show ip access-lists and show access-lists commands both display the configuration of IPv4 access lists, including ACL line numbers. Neither the show running-config nor the show startup-config command lists the ACL line numbers; in this case, the startup-config file would not contain the ACL configuration at all.

Chapter 18

1. A, B, E. QoS tools manage bandwidth, delay, jitter, and loss.

2. B, C. The Class of Service (CoS) field exists in the 802.1Q header, so it would be used only on trunks, and it would be removed when any router in the path strips the incoming data link header. The MPLS EXP bits exist as the packet crosses the MPLS network only. The other two fields, IP Precedence (IPP) and Differentiated Services Code Point (DSCP), exist in the IP header, and would flow from source host to destination host.

3. A, B, C. In general, matching a packet with DiffServ relies on a comparison to something inside the message itself. The 802.1p CoS field exists in the data link header on VLAN trunks; the IP DSCP field exists in the IP header; and extended ACLs check fields in message headers. The SNMP Location variable does not flow inside individual packets, but is a value that can be requested from a device.

4. D. Low Latency Queuing (LLQ) applies priority queue scheduling, always taking the next packet from the LLQ if a packet is in that queue. To prevent queue starvation of the other queues, IOS also applies policing to the LLQ. Most traffic chosen for LLQ classification requires low delay, jitter, and loss, so using a congestion management tool makes little sense. Likewise, applying shaping to an LLQ slows the traffic, and makes no sense with the presence of a policing function already.

5. A, D. Policers monitor the bit rate and take action if the bit rate exceeds the policing rate. However, the action can be to discard some packets, or to re-mark some packets, or even to do nothing to the packets, simply measuring the rate for later reporting. For shaping, when a shaper is enabled because the traffic has exceeded the shaping rate, the shaper always queues packets and slows the traffic. There is no option to re-mark the packets or to bypass the shaping function.
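The contrast in this answer (a policer measures and then drops, re-marks, or merely counts; a shaper always queues and delays) can be seen in a token-bucket simulation. This is an added example, not code from the book or from IOS; the class names, the rate and burst values, and the packet burst fed to both tools are constructed for illustration, and the bucket model (continuous refill at `rate` bytes per second up to a depth of `burst` bytes, packet sizes no larger than the depth) is an assumption.

```python
"""Token-bucket policer versus shaper.

Added, constructed example (not from the book). Names, rates and the
sample packet burst are assumptions; the model refills the bucket
continuously at `rate` bytes/s, caps it at `burst` bytes, and assumes
no packet is larger than `burst`. Packets must be listed in arrival order.
"""


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = float(rate)     # bytes per second
        self.burst = float(burst)   # bucket depth in bytes
        self.tokens = float(burst)  # starts full
        self.last = 0.0

    def refill(self, now):
        """Credit tokens for the time elapsed since the last refill."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now


class Policer:
    """Measures the rate; on excess it drops, re-marks, or only counts."""

    def __init__(self, rate, burst, exceed_action="drop"):
        if exceed_action not in ("drop", "remark", "transmit"):
            raise ValueError("exceed_action must be drop, remark or transmit")
        self.bucket = TokenBucket(rate, burst)
        self.exceed_action = exceed_action

    def process(self, packets):
        """packets: (arrival_time, size_bytes, dscp). Returns (result, send_time, dscp)."""
        results = []
        for arrival, size, dscp in packets:
            self.bucket.refill(arrival)
            if size <= self.bucket.tokens:
                self.bucket.tokens -= size
                results.append(("conform", arrival, dscp))       # sent at once, unchanged
            elif self.exceed_action == "drop":
                results.append(("drop", None, dscp))             # discarded
            elif self.exceed_action == "remark":
                results.append(("exceed", arrival, 0))           # sent, re-marked to DSCP 0
            else:
                results.append(("exceed", arrival, dscp))        # sent unchanged, only counted
        return results


class Shaper:
    """Never drops or re-marks: excess packets wait in a FIFO until tokens accrue."""

    def __init__(self, rate, burst):
        self.bucket = TokenBucket(rate, burst)
        self.clock = 0.0  # time the previous packet left the queue

    def process(self, packets):
        results = []
        for arrival, size, dscp in packets:
            now = max(arrival, self.clock)  # cannot leave before the packet ahead
            self.bucket.refill(now)
            if size > self.bucket.tokens:
                # wait exactly long enough for the missing tokens to accrue
                now += (size - self.bucket.tokens) / self.bucket.rate
                self.bucket.refill(now)
            self.bucket.tokens -= size
            self.clock = now
            results.append(("transmit", now, dscp))
        return results


# Constructed burst: four 500-byte packets all arriving at t=0 (2000 bytes),
# against a 1000 byte/s rate with a 1000-byte bucket.
SAMPLE_BURST = [(0.0, 500, 46)] * 4


def demo(rate=1000, burst=1000):
    """Run the same burst through a dropping policer and a shaper."""
    return {
        "policer": Policer(rate, burst, "drop").process(SAMPLE_BURST),
        "shaper": Shaper(rate, burst).process(SAMPLE_BURST),
    }


if __name__ == "__main__":
    for tool, out in demo().items():
        print(tool, out)
```

With the sample burst the policer forwards the first two packets and discards the other two at t=0, while the shaper forwards all four, releasing the third at 0.5 s and the fourth at 1.0 s; the policer adds no delay but loses data, the shaper loses nothing but adds queuing delay, which is why the answer says a shaper has no re-mark or bypass option.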

6. C, D. Drop management relies on the behavior of TCP, in that TCP connections slow down sending packets due to the TCP congestion window calculation. Voice traffic uses UDP, and the question states that queue 1 uses UDP. So, queues 2 and 3 are reasonable candidates for using a congestion management tool.

Chapter 19

1. A, F. Of all the commands listed, only the two correct answers are syntactically correct router configuration commands. The command to enable 802.1Q trunking is encapsulation dot1q vlan_id.

2. B, C. Subinterface G0/1.1 must be in an administratively down state due to the shutdown command being issued on that subinterface. For subinterface G0/1.2, its status cannot be administratively down, because of the no shutdown command. G0/1.2’s state will then track to the state of the underlying physical interface. With a physical interface state of down/down, subinterface G0/1.2 will be in a down/down state in this case.

3. C. The configuration of the Layer 3 switch’s routing feature uses VLAN interfaces. The VLAN interface numbers must match the associated VLAN ID, so with VLANs 1, 2, and 3 in use, the switch will configure interface vlan 1, interface vlan 2 (which is the correct answer), and interface vlan 3. The matching connected routes, like all connected IP routes, will list the VLAN interfaces.

As for the incorrect answers, a list of connected routes will not list any next-hop IP addresses. Each route will list an outgoing interface, but the outgoing interface will not be a physical interface, but rather a VLAN interface, because the question states that the configuration uses SVIs. Finally, all the listed subnets have a /25 mask, which is 255.255.255.128, so none of the routes will list a 255.255.255.0 mask.

4. C, D. First, for the correct answers, a Layer 3 switch will not route packets on a VLAN interface unless it is in an up/up state. A VLAN interface will only be up/up if the matching VLAN (with the same VLAN number) exists on the switch. If VTP deletes the VLAN, then the VLAN interface moves to a down/down state, and routing in/out that interface stops. Also, disabling VLAN 2 with the shutdown command in VLAN configuration mode also causes the matching VLAN 2 interface to fail, which makes routing on interface VLAN 2 stop as well.

As for the incorrect answers, a Layer 3 switch needs only one access port or trunk port forwarding for a VLAN to enable routing for that VLAN, so nine of the ten access ports in VLAN 2 could fail, leaving one working port, and the switch would keep routing for VLAN 2.

A shutdown of VLAN 4 has no effect on routing for VLAN interfaces 2 and 3. Had that answer listed VLANs 2 or 3, it would definitely be a reason to make routing fail for that VLAN interface.

5. A, C. With a Layer 3 EtherChannel, the physical ports and the port-channel interface must disable the behavior of acting like a switch port, and therefore act like a routed port, through the configuration of the no switchport interface subcommand. (The routedport command is not an IOS command.) Once created, the physical interfaces should not have an IP address configured. The port-channel interface (the interface representing the EtherChannel) should be configured with the IP address.

6. B, C. With a Layer 3 EtherChannel, two configuration settings must be the same on all the physical ports, specifically the speed and duplex as set with the speed and duplex commands. Additionally, the physical ports and port-channel port must all have the no switchport command configured to make each act as a routed port. So, having a different speed setting, or being configured with switchport rather than no switchport, would prevent IOS from adding interface G0/2 to the Layer 3 EtherChannel.

As for the wrong answers, both have to do with Layer 2 configuration settings. Once Layer 2 operations have been disabled because of the no switchport command, those settings related to Layer 2 that could cause problems on Layer 2 EtherChannels do not then cause problems for the Layer 3 EtherChannel. So, Layer 2 settings about access VLANs, trunking allowed lists, and STP settings, which must match before an interface can be added to a Layer 2 EtherChannel, do not matter for a Layer 3 EtherChannel.

Chapter 20

1. D. With this design, but no FHRP, host A can send packets off-subnet as long as connectivity exists from host A to R1. Similarly, host B can send packets off-subnet as long as host B has connectivity to router R2. Both routers can attach to the same LAN subnet, and basically ignore each other in relation to their roles as default router, because they do not use an FHRP option. When either router fails, the hosts using that router as default router have no means by which to fail over.

2. C. The use of an FHRP in this design purposefully allows either router to fail and still support off-subnet traffic from all hosts in the subnet. Both routers can attach to the same LAN subnet per IPv4 addressing rules.

3. C. HSRP uses a virtual IP address. The virtual IP address comes from the same subnet as the routers’ LAN interfaces, but is a different IP address than the router addresses configured with the ip address interface subcommand. As a result, the hosts will not point to 10.1.19.1 or 10.1.19.2 in this design. The other wrong answer lists an idea of using Domain Name System (DNS) to direct hosts to the right default router; although this idea exists in some other forms of network load balancing, it is not a part of any of the three FHRP protocols.

4. B. The command, taken from R3, lists R3 as HSRP active. That means R3 currently takes on the role of the router with the virtual IP address, listed as 10.1.12.2. R3 will send back Address Resolution Protocol (ARP) Reply messages when hosts send ARP messages looking for 10.1.12.2, and process packets sent to the matching virtual MAC address. The 10.1.12.1 IP address is the interface IP address of the other router in the HSRP group, the one that is standing by to take over for Router R3. Finally, R3 does not configure the virtual IP address with the ip address interface command, but instead with the standby group ip virtual-address interface subcommand.

5. C. R2 has a better priority because the priority value is higher. However, because R1 comes up first, R1 becomes HSRP active before R2 boots. R2 must then have preemption configured; otherwise, it will not preempt R1 to become active. As for the wrong answers, R1’s preemption setting does not matter in this case. The other two wrong answers state that a router is active regardless of other settings, and the answer is dependent on other configuration.

6. A, C. Two HSRP misconfigurations cause both HSRP routers to attempt to use the same virtual IP address (VIP), at the same time, because both routers believe that they should be active. With a correct configuration other than mismatched group numbers, the two routers act independently, both using the VIP, resulting in the duplicate address message. The same kind of logic applies when the two routers have correct configuration other than a mismatched HSRP version: they do not act together, but act independently, both use the address, and then detect the duplicate use of the address.

As for the incorrect answers, an ACL that prevents a router from even receiving the HSRP messages will prevent that router from noticing the duplicate use of the VIP, so it does not list the duplicate address log message. Finally, if the configuration mistake is that the two routers configure two different VIPs, then they are using different addresses, so there is no need to issue a message about using duplicate addresses.

Chapter 23

1. C, E. OSPFv2 and OSPFv3 are both link-state protocols that use the SPF algorithm to calculate the best routes. They both use the concept of being enabled on an interface, and then discovering neighbors on those interfaces by using Hello messages. One key difference between the two is that OSPFv3 introduces some new link-state advertisement (LSA) types. The other key difference, of course, is that OSPFv3 supports the advertisement of IPv6 routes.

2. B. OSPFv3 uses the exact same rules for choosing its router ID (RID) as does OSPFv2, even choosing the 32-bit RID value based on IPv4 addresses, and not based on the IPv6 addresses. The two answers that mention the ipv6 address command have no impact on the OSPFv3 RID. For the other incorrect answer, the ospf router-id command does not exist; instead, the command is simply the router-id command. Only the answer with the ip address interface subcommand can impact a router’s choice of OSPFv3 RID.

3. B. OSPFv3 does not use a network command in OSPFv3 router configuration mode, ruling out two of the answers. It does use an interface subcommand that both refers to the OSPFv3 by process ID and defines the area number. The correct answer lists that interface subcommand with the correct syntax.

4. B. The OSPFv3 configuration would use ipv6 router ospf process-id, router-id router-id, and then, under each interface, the ipv6 ospf process-id area area-id command. OSPFv2 uses the exact same syntax on the router-id command. Only OSPFv3 uses the ipv6 ospf process-id area area-id interface subcommand, and OSPFv3 does not use the network command.

5. A, D, E. OSPFv3 uses the same rules as OSPFv2 in regard to all these items except the addresses; OSPFv3 does not require that the neighbors have IPv6 addresses in the same subnet. Mismatched Hello timers prevent neighbor relationships, as do duplicate router IDs. Also, neither can have its interface set to passive; otherwise, the neighbor relationship fails to complete. The PIDs can be different or the same because they are not checked as part of the choice to become neighbors.

6. B, D. The second line lists the forwarding instructions for the route, specifically the link-local address of the neighboring router and the local router’s outgoing interface. These facts identify one correct and one incorrect answer. The OI code indeed means OSPF and interarea; intra-area routes simply omit the I. In brackets, the first number is the administrative distance, and the second number (129 in this case) is the metric.

7. C. The correct answer lists detailed information about OSPFv3 related to interface G0/1, including a notation that the interface is passive (if it is). Of the incorrect answers, in the show ipv6 ospf interface passive command, the passive keyword does not exist. The other two commands list all OSPFv3-enabled interfaces on the router, but the list includes passive interfaces, with no notation about which are passive and which are not.

Chapter 24

1. C. IOS supports no direct method for IOS to decide which interfaces have EIGRP for IPv4 enabled, and then automatically enable EIGRP for IPv6 on those same interfaces. The correct answer shows how to enable EIGRP for IPv6 directly on the two interfaces in question. The three incorrect answers also list nonexistent commands.

2. A. The three incorrect answers have separate settings. The Hello timer can be set with the ip hello-timer eigrp asn timer command for EIGRP for IPv4, and with the ipv6 hello-timer eigrp asn timer command for EIGRP for IPv6. The variance and maximum-paths commands, router subcommands, have the same syntax for both routing protocols but are set separately for EIGRP for IPv4 and EIGRP for IPv6. The interface bandwidth and delay commands impact both EIGRP for IPv4 and EIGRP for IPv6.

3. D. The EIGRP for IPv6 configuration would use ipv6 router eigrp asn, eigrp router-id router-id, and then, under each interface, ipv6 eigrp asn. EIGRP for IPv6 does not use the router eigrp asn command (it uses the ipv6 router eigrp asn command instead), and EIGRP for IPv6 also does not use the network command.

4. D. Before the changes, R1 must have had working neighbor relationships with R2, R3, and R4. Once R1’s ASN is changed, R1 cannot be neighbors with those same routers, because the ASNs must be the same number to be neighbors. As for the incorrect answers, changing R2’s ASN makes R2’s neighborships fail, but R1 should use the redundant routes through R3 and R4. The other two answers cause no failures to routes or neighbors at all.

5. B, E. EIGRP for IPv6 uses the same rules as EIGRP for IPv4 in regard to all these items except the addresses; EIGRP for IPv6 does not require that the neighbors have IPv6 addresses in the same subnet. The two routers must use the same ASN, and neither can have its interface set to passive; otherwise, the neighbor relationship fails to complete. However, the Hello timer can be different, the router IDs can be the same, and the IPv6 addresses can be in different subnets.

6. A. The output of this command identifies the neighbor router, based on the neighbor’s link-local address on the link between the two routers. The two incorrect answers that mention the router ID have to be incorrect because EIGRP for IPv6 router IDs are 32-bit values represented as dotted-decimal numbers, so they look like IPv4 addresses.

Chapter 25

1. C. IPv6 ACLs are named and do not use ACL numbers.

2. C. IPv4 ACLs can be applied to a routed interface in the inbound and outbound direction. Similarly, IPv6 ACLs can be applied to a routed interface in the inbound and outbound direction. Therefore, it is possible to have a routed interface with four ACLs applied: two IPv4 ACLs (one inbound and one outbound) and two IPv6 ACLs (one inbound and one outbound).

3. D. IPv6 ACLs use the any keyword to represent all possible IPv6 addresses (as in the whole Internet). The 2001:db8:1111:1::/64 prefix uses this syntax to represent any node on the network that has those first four hextets with the “/64” prefix length notation.

4. E. IPv6 ACLs can filter on any field in the IPv6 header (including flow label, next-header, etc.). IPv6 ACLs can filter ICMPv6 packets and IPv6 ACLs can filter on the TCP or UDP packets with various source or destination port numbers.

5. B. Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages are essential to the function of Neighbor Discovery Protocol (NDP) and establishment and maintenance of the IPv6 interface neighbor cache. If these packets were to be blocked, the neighbor cache entries on that interface would time out and affect reachability to the next-hop device.

Chapter 26

1. B. SNMPv1 and SNMPv2c use community strings to authenticate Get and Set messages from an NMS. The agent defines a read-only community and can define a read-write community as well. Get requests, which read information, will be accepted if the NMS sends either the read-only or the read-write community with those requests.

2. A, C. The first parameter after the community keyword defines the community value. At the end of the command, if a text value is listed but without an ipv6 keyword, the text value is the name of an IPv4 ACL. The ACL (textvalue2 in this case) filters incoming SNMP messages received by the SNMP agent on the device.

3. D. To work correctly with an SNMP manager, the snmp-server user command must configure its parameters based on the security level in the referenced group as defined in the referenced snmp-server group command. In this case, the referenced snmp-server group command lists a security level of auth, so the snmp-server user command needs the auth keyword and associated parameters, but not the priv keyword and its associated parameters.

Two answers are incorrect either because they do not include the auth keyword and its associated parameters or because they also include the priv keyword. Of the two answers that include only the auth option, one is incorrect by referencing 3des as an authentication hash algorithm; this keyword refers to an encryption type that could follow the priv keyword, but it is invalid as an authentication option. The correct answer correctly lists sha as a valid authentication hash option, along with the user-defined password (pass1).

4. A. Of these, only show snmp lists status and counter variables about the operation of the SNMP agent. The other commands list configuration details.

5. C. IP Service Level Agreement (IP SLA) can generate a variety of different types of probes, including some that use ICMP Echo messages, and some that mimic voice traffic. However, the question asks about “ICMP Echo-based” IP SLA, referring to the specific IP SLA probe that sends ICMP Echo Request messages.

ICMP Echo probes with IP SLA do not require a router to be configured as an IP SLA responder, although many other types of IP SLA probes do require a responder. The Echo probes send a normal ICMP Echo Request, so the probe can be sent to any IP address, relying on that host to send back a normal ICMP Echo Reply.

IP SLA on the source router will gather basic statistics. With the ICMP Echo probe, the probe does not measure jitter (ruling out another incorrect answer), but it does measure round-trip time (RTT). These statistics can be gathered into a history report, which can be useful when troubleshooting problems.

6. A, B. The show ip sla summary command lists one line of information about the most recent attempt to perform the actions of an IP SLA probe. The Type implies an ICMP Echo probe, and the destination defines the IP address to which the Echo is sent, accounting for one correct answer. The “OK” return code means not only that the probe message was sent but also, in this case, that an ICMP Echo Reply packet was received back.

For the two incorrect answers, the Stats column lists the round-trip time (RTT), not the one-way delay as mentioned in one answer. Also, the “1” on the far left of the output refers to the IP SLA operation number.

7. C. The requirements in the question ask that you gather all traffic sent between Host1 and Host2, to avoid gathering extra copies of the same frame. That requirement means you need to capture frames sent from Host1 to Host2, and frames sent from Host2 back to Host1. It also means that the solution should not capture the same frame multiple times. Each incorrect answer either gathers too little traffic, or gathers the required traffic but also more traffic than the correct answer would gather.

First, the answer of collecting from F0/1 for a single (transmit) direction is incorrect because it gathers too little traffic. Frames sent by Host2 to Host1 would arrive in switch port F0/2 and then be sent out port F0/1 to Host1, and would be copied by the SPAN session. However, frames sent by Host1 would be received on switch port F0/1, and would not be copied by that SPAN session.

The answer about using VLAN 5 as a source would work, but because all FastEthernet ports on the switch are in VLAN 5, this option gathers more traffic than is necessary.

The answer about using F0/2 as the source, for both directions of traffic, is correct. It will copy all frames sent by Host1 to Host2 (frames that the switch transmits out port F0/2), as well as frames sent by Host2 to Host1 (which will be frames received on switch port F0/2). This option does gather frames sent between Host2 and other hosts as well.

The final incorrect answer refers to collecting traffic from both F0/1 and F0/2, but in both directions. That option would gather all frames sent between Host1 and Host2 twice, which would work, but the question asked that you gather no more traffic than is required.

8. A, C. Local SPAN has a variety of configuration dependencies. Each Local SPAN session can have multiple sources, but they must be either interfaces or VLANs, and not a mix. Source ports can include both access and trunk ports as well as EtherChannel interfaces. Finally, each SPAN destination port can be used in only one SPAN session at the same time. To reuse that destination port, you must first unconfigure the destination port from the original SPAN session (no monitor session destination) and then configure it to be part of another SPAN session.

Chapter 27

1. B. PaaS (Platform as a Service) supplies one or more virtual machines (VM) that have a working operating system (OS) as well as a predefined set of software development tools.

As for the wrong answers, Software as a Service (SaaS) supplies a predefined software application, but typically with no ability to then later install your own applications. IaaS (Infrastructure as a Service) supplies one or more working VMs, optionally with an OS installed, so it could be used for software development, but the developer would have to install a variety of development tools, making IaaS less useful than a PaaS service. Finally, SLBaaS (Server Load Balancing as a Service) can be offered as a cloud service, but it is not a general service in which customers get access to VMs on which they can then install their own applications.

2. A. IaaS (Infrastructure as a Service) supplies one or more working virtual machines (VM), optionally with an OS installed, as a place where you can then customize the systems by installing your own applications.

Software as a Service (SaaS) supplies a predefined software application, but typically with no ability to then later install your own applications. Platform as a Service (PaaS) could be used to install your own application, because PaaS does supply one or more VMs, but it is most likely used as a software development environment, a service designed specifically to be used for development, with VMs that include various tools that are useful for software development. Finally, SLBaaS (Server Load Balancing as a Service) can be offered as a cloud service, but it is not a general service in which customers get access to VMs on which they can then install their own applications.

3. A. Both options that use the Internet allow for easier migration because public cloud providers typically provide easy access over the Internet. An intercloud exchange is a purpose-built WAN service that connects to enterprises as well as most public cloud providers, with the advantage of making the cloud migration process easier. The one correct answer—the worst option in terms of being prepared for migrating to a new cloud provider—is to use a private WAN connection to one cloud provider. While useful in other ways, migrating when using this strategy would require installing a new private WAN connection to the new cloud provider.

4. A, C. Private WAN options use technologies like Ethernet WAN and MPLS, both of which keep data private by their nature and which include QoS services. An intercloud exchange is a purpose-built WAN service that connects to enterprises as well as most public cloud providers, using the same kinds of private WAN technology with those same benefits.

For the two incorrect answers, both use the Internet, so neither can provide QoS services. The Internet VPN option does encrypt the data to keep it private.

5. C. A virtual network function (VNF) is a virtual version of a networking appliance, such as a virtual router (like the Cisco CSR) or virtual firewall (like the Cisco ASAv). VNFs are deployed as a VM, with customer access to the user interface, so that customers can then configure the VNF to meet their needs.

Cloud providers can implement many networking services that create the cloud network, but not give the customer direct access to the VM or appliance. For instance, public cloud providers typically provide DNS services and address assignment services that use DHCP behind the scenes, but without giving the customer direct access to a VM that implements a DNS or DHCP server.

Chapter 28

1. A. The data plane includes all networking device actions related to the receipt, processing, and forwarding of each message, as in the case described in the question. The term table plane is not used in networking. The management plane and control plane are not concerned with the per-message forwarding actions.

2. C. The control plane includes all networking device actions that create the information used by the data plane when processing messages. The control plane includes functions like IP routing protocols and Spanning Tree Protocol (STP).

The term table plane is not used in networking. The management plane and data plane are not concerned with collecting the information that the data plane then uses.

3. C. Although many variations of SDN architectures exist, they typically use a centralized controller. That controller may centralize some or even all control plane functions in the controller. However, the data plane function of receiving messages, matching them based on header fields, taking actions (like making a forwarding decision), and forwarding the message still happens on the network elements (switches) and not on the controller.

For the incorrect answers, the control plane functions may all happen on the controller, or some may happen on the controller, and some on the switches. The Northbound and Southbound Interfaces are API interfaces on the controller, not on the switches.

4. A. The Cisco Open SDN Controller uses an Open SDN model with an OpenFlow Southbound Interface as defined by the Open Networking Foundation (ONF). The ONF SDN model centralizes most control plane functions. The APIC model for data centers partially centralizes control plane functions. The APIC-EM controller (as of time of publication) makes no changes to the control plane of routers and switches, leaving those to run with a completely distributed control plane.

5. D. APIC-EM supports all the features described in the answers. APIC-EM has a built-in function to discover the topology of a network, using a variety of protocols such as SSH, CDP, and LLDP. Once the topology is discovered, the APIC-EM Path Trace feature analyzes the forwarding tables on each device in comparison to a source and destination as typed in by an APIC-EM user. Path Trace then determines the path through the network, including the Layer 2 and Layer 3 paths.

The feature that uses the name Path Trace ACL Analysis (or Path Trace ACL Trace, or a similar name) refers to the additional analysis done by APIC-EM to then compare that imaginary packet to the ACLs that exist in the network. The tool shows the ACLs and points out which ACLs would deny (that is, discard) the packet based on its current configuration.
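As an added illustration of the ACL comparison step described above (example code written for this appendix, not the book's text and not APIC-EM's own implementation), the following Python models what such an analysis does: a constructed packet is checked against the ACLs on each hop of a constructed path using standard Cisco ACL semantics (first match wins, implicit deny at the end), and the first ACL that would discard the packet is reported. Device names, ACL numbers, addresses and the path itself are invented sample values.

```python
import ipaddress

# Constructed sample data: two numbered ACLs and a four-hop path. Only the
# routers apply ACLs here; the switches forward the packet unfiltered.
ACL_101 = {"name": "101", "direction": "in", "entries": [
    {"action": "permit", "proto": "tcp", "src": "10.1.1.0/24", "dst": "any", "dport": 443},
    {"action": "deny", "proto": "ip", "src": "any", "dst": "any"},   # explicit deny
]}
ACL_120 = {"name": "120", "direction": "out", "entries": [
    {"action": "permit", "proto": "tcp", "src": "any", "dst": "10.2.2.10/32", "dport": 443},
    # no explicit deny: anything else hits the implicit deny
]}
PATH = [
    {"device": "SW1", "acls": []},
    {"device": "R1", "acls": [ACL_101]},
    {"device": "R2", "acls": [ACL_120]},
    {"device": "SW2", "acls": []},
]


def _net(spec):
    """Translate an ACL address spec ('any', 'a.b.c.d/32', 'a.b.c.0/24') to a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def ace_matches(ace, pkt):
    """True if one access-control entry matches the packet's protocol, addresses and port."""
    if ace["proto"] not in ("ip", pkt["proto"]):   # 'ip' matches every IP protocol
        return False
    if ipaddress.ip_address(pkt["src"]) not in _net(ace["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in _net(ace["dst"]):
        return False
    dport = ace.get("dport")
    if dport is not None and pkt.get("dport") != dport:
        return False
    return True


def evaluate_acl(acl, pkt):
    """First-match evaluation; returns (action, matched_entry_index or None for implicit deny)."""
    for idx, ace in enumerate(acl["entries"]):
        if ace_matches(ace, pkt):
            return ace["action"], idx
    return "deny", None


def path_trace_acl_analysis(path, pkt):
    """Walk the hops in order and evaluate every ACL the packet would cross.

    Returns a dict with the overall verdict, the (device, acl) that would discard
    the packet (None if permitted end to end) and the per-ACL check results.
    Analysis stops at the first deny because the packet would go no further.
    """
    checks = []
    for hop in path:
        for acl in hop["acls"]:
            action, idx = evaluate_acl(acl, pkt)
            checks.append({"device": hop["device"], "acl": acl["name"],
                           "direction": acl["direction"], "action": action,
                           "matched_entry": idx})
            if action == "deny":
                return {"verdict": "deny", "denied_by": (hop["device"], acl["name"]),
                        "checks": checks}
    return {"verdict": "permit", "denied_by": None, "checks": checks}


if __name__ == "__main__":
    # Constructed packets: HTTPS to the permitted host, HTTP (denied by ACL 101's
    # explicit deny on R1), and HTTPS to another host (implicit deny on R2).
    for pkt in ({"src": "10.1.1.5", "dst": "10.2.2.10", "proto": "tcp", "dport": 443},
                {"src": "10.1.1.5", "dst": "10.2.2.10", "proto": "tcp", "dport": 80},
                {"src": "10.1.1.5", "dst": "10.2.2.11", "proto": "tcp", "dport": 443}):
        result = path_trace_acl_analysis(PATH, pkt)
        print(pkt, "->", result["verdict"], result["denied_by"])
```

The per-ACL `checks` list is what a tool in this role would display: which ACLs the packet crosses, which entry each one matched, and where an implicit deny (matched entry `None`) rather than an explicit entry is responsible for the discard.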
