Implementing Cisco Enterprise Advanced Routing and Services (ENARSI)
Exam Details
Exam Code: 300-410
Exam Name: Implementing Cisco Enterprise Advanced Routing and Services (ENARSI)
Certification: CCNP Enterprise
Vendor: Cisco
Total Questions: 925 Q&As
Last Updated: Mar 31, 2025
Cisco CCNP Enterprise 300-410 Questions & Answers
Question 121:
You are planning the configuration of Easy Virtual Networking (EVN).
Which of the following statements is true of an interface that will be an EVN trunk?
A. It must support 802.1q encapsulation
B. The interface can also be configured for VRF-Lite
C. The interface will support OSPFv3
D. The interface can support RIP
Correct Answer: A
The interface must be able to support 802.1q encapsulation. The EVN trunk carries the traffic of multiple virtual routing and forwarding (VRF) instances, with the traffic of each instance tagged with an ID called the virtual network tag. Since the
VLAN ID field of an 802.1q encapsulated packet is used for this ID, the link must be one that supports 802.1q.
Easy Virtual Networking (EVN) is a technology that allows the creation of separate networks with separate routing tables and routing instances over the same physical topology. The IP addressing of the networks can even overlap without any problem. The networks are kept separate using the network ID tags, much as switches keep VLANs separate by using VLAN tags.
An EVN trunk interface cannot also be configured for VRF-Lite. VRF-Lite is an earlier technology that accomplishes the same goal, but lacks the simplicity of EVN.
Neither RIP nor OSPFv3 is supported in Easy Virtual Networking (EVN) at all.
Question 122:
After an associate configured a DMVPN hub, you execute the following command on the hub router:
Which of the following statements is true of this output?
A. The NBMA address was statically configured
B. The NHRP information did not come from the NHS
C. The mapping was created through an NHRP registration request
D. The device at 10.1.1.2 is behind a NAT router
Correct Answer: C
The mapping was created through an NHRP registration request, as indicated by the flag setting registered. Next Hop Resolution Protocol (NHRP) can be used in place of static IP address to NBMA address mappings to allow the spoke
routers in an mGRE hub-and-spoke configuration to discover one another's physical IP addresses.
When the output of the show nhrp detail command shows the registered flag listed, it means that the mapping was created dynamically and was learned through a registration request to the next hop server (NHS).
The mapping was not created statically. Had it been created statically, the Type field would not be listed as dynamic. It would say static.
The NHRP information DID come from the next hop server (NHS). That is indicated by the presence of the authoritative flag. The NHS is the next hop to the destination as indicated by the routing table.
The device at 10.1.1.2 is not necessarily behind a NAT router. The presence of the nat flag in the output indicates that the device at 10.1.1.2 supports the NHRP NAT extension type for supporting dynamic spoke-to-spoke tunnels to or from spokes behind a NAT router. This flag does not mean that the spoke (NHS client) is behind a NAT router.
Objective:
VPN Technologies
Sub-Objective:
Describe DMVPN (single hub)
References:
Home > Support > Product support > Cisco IOS and NX-OS software > Cisco IOS software releases 12.4 mainline > Configure > Feature Guides > NHRP
Question 123:
The following commands were executed on the perimeter router. The Fa1/0 interface in the router is the external interface.
What will be the effect of these commands?
A. all traffic will be blocked incoming
B. traffic sourced from private IP addresses will be blocked incoming
C. traffic destined for private IP addresses will be allowed incoming
D. no traffic will be blocked incoming
Correct Answer: A
All traffic will be blocked incoming. While it appears on the surface that this list was designed to block incoming traffic sourced from private IP addresses, it is lacking a single permit statement. Due to the implied deny all at the end of the list,
no traffic will be allowed incoming.
Blocking incoming traffic from private IP addresses is a way to prevent IP spoofing, since there should be no reason for traffic from private IP addresses to be incoming from the Internet. However, you need to include a permit statement at the
end to allow all other traffic types.
Traffic destined for private IP addresses is not all that will be blocked by this command set. In fact, no traffic would be allowed. If there were a permit ip any any at the end of the list, then incoming traffic destined for private IP addresses would be allowed. This is probably not a great idea either, but if a permit ip any any were added at the end of the command set in the scenario, it would allow incoming traffic destined for private IP addresses.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Cisco > Cisco IOS Security Command Commands A to C > access-list
Cisco > Cisco IOS Security Command Commands D to L > ip-group
Prevent IP spoofing with the Cisco IOS
Question 124:
Examine the following access list: Which statement is NOT designed to prevent IP spoofing attacks from packets that appear to be sourced from inside the network, but are actually sourced from outside the network?
A. access-list 110 deny ip 10.0.0.0 0.255.255.255 any
B. access-list 110 deny ip 172.16.0.0 0.15.255.255 any
C. access-list 110 deny ip 192.168.0.0 0.0.255.255 any
D. access-list 110 deny ip 208.0.0.0 0.255.255.255 any
Correct Answer: D
Infrastructure access control lists are designed to prevent spoofing attacks from packets that appear to be sourced from inside the network when they are in fact sourced from outside the network. There are two groups of addresses that should be blocked at the edge of the network:
The private address space, which are called RFC 1918 addresses
Certain "special use addresses" as defined in RFC 3330
The address 208.0.0.0 0.255.255.255 falls into neither of those categories.
The RFC 1918 addresses that should be blocked are:
10.0.0.0/24
172.16.0.0/16
192.168.0.0/16
The RFC 3330 addresses that should be blocked are:
0.0.0.0
127.0.0.0/8
192.0.2.0/24
224.0.0.0/4
For more information about these special use addresses, see RFC 3330.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Home > Support > Technology Support > IP > IP addressing services > Technology information > Technology white paper >Protecting Your Core: Infrastructure Protection Access Control Lists
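The two lists discussed above, the question 123 scenario that lacks a trailing permit and the RFC 1918 entries of question 124, can be checked against sample source addresses with this added Python model of Cisco wildcard-mask matching and the implicit deny at the end of every list. It is not code from the page or from Cisco; the ACL entries and test addresses are constructed.

```python
import ipaddress

# Constructed anti-spoofing ACL in the spirit of questions 123/124.
# Each entry: (action, source base address, wildcard mask).
# In a Cisco wildcard mask, bits set to 1 are "don't care" bits.
BOGON_ACL = [
    ("deny", "10.0.0.0", "0.255.255.255"),     # RFC 1918 10/8
    ("deny", "172.16.0.0", "0.15.255.255"),    # RFC 1918 172.16/12
    ("deny", "192.168.0.0", "0.0.255.255"),    # RFC 1918 192.168/16
    ("deny", "127.0.0.0", "0.255.255.255"),    # RFC 3330 loopback
]
# The line the question 123 list is missing: permit ip any any.
PERMIT_ANY = ("permit", "0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base in every bit the wildcard does not mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)


def evaluate(acl, src: str) -> str:
    """First matching entry wins. If nothing matches, the implicit
    deny at the end of every IOS access list applies."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # implicit deny all


def evaluate_many(acl, sources):
    """Evaluate several source addresses; returns {source: action}."""
    return {s: evaluate(acl, s) for s in sources}


if __name__ == "__main__":
    samples = ["10.1.2.3", "172.31.255.1", "172.32.0.1", "203.0.113.5"]
    # Without the final permit, every source (even public) is denied.
    print(evaluate_many(BOGON_ACL, samples))
    # With permit ip any any appended, only the bogon sources are denied.
    print(evaluate_many(BOGON_ACL + [PERMIT_ANY], samples))
```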
Question 125:
Examine the following output of the show ip route command and the partial output of the show run command from the router R63:
What will the router do with a packet with a source address of 192.168.5.5/24 and a destination address of 10.11.11.20/24 that arrives on the Serial0/0 interface?
A. forward it out the Ethernet0/0 interface
B. forward it out the Tunnel0 interface
C. drop the packet
D. forward it out the Ethernet0/1 interface
Correct Answer: C
It will drop the packet. The partial output of the show run command shows that the ip verify unicast source reachable-via rx command has been executed on the Serial0/0 interface. This enables the Unicast Reverse Path Forwarding (Unicast RPF) feature. This feature prevents IP spoofing by verifying from the routing table that there is a valid return path to the source IP address. If there is no valid return path, you can assume the IP address has been spoofed. When the command ends in the keyword rx, it means that there must be a return path through the interface where the command was executed. This is called strict mode.
The packet arrived on the Serial0/0 interface. The routing table shows that there is no routing entry for the 192.168.5.0/24 network that leads back through the entry interface of Serial0/0. In fact, in this instance there is no routing table entry
for that network leading to any interface. When this occurs, the router will drop the packet.
The router will not send the packet to either the Ethernet0/0 or the Tunnel0 interfaces because the destination network, 10.11.11.0/24, is not a reachable destination on those interfaces. Even if it were reachable, the Unicast Reverse Path
Forwarding (Unicast RPF) feature will drop the packet because it has been spoofed.
It will not send the packet to the Ethernet0/1 interface. The Unicast Reverse Path Forwarding (Unicast RPF) feature will drop the packet because it has been spoofed. If the packet were not spoofed, it would be sent to the Ethernet0/1
interface because that is the interface used by the default route. Because there is no route in the table to the 10.11.11.0/24 network, it would be sent to the default route.
Question 126:
An associate creates the following access list that she plans to apply to an interface on a router:
access-list 100 permit ip any any log
What type of traffic could cause this ACL to place a heavy load on the CPU of the router, and what command could be used to reduce the impact of the ACL? (Choose two.)
A. traffic that is CEF switched
B. traffic that is process switched
C. traffic that is fast switched
D. ip access-list log-update threshold
E. ip access-list logging interval
F. logging rate limit
Correct Answer: BE
There are two contributors to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs), and the generation and transmission of the log messages. To reduce the impact of
process switched traffic, the ip access-list logging interval command can be used. The interval is specified in milliseconds and represents how often a single packet is process switched. While the messages in the generated log entries may not be as comprehensive after this command is executed, the counter values that are generated by the show access-list and show ip access-list commands will still be accurate.
Packets that are not process switched (CEF switched and fast switched) will not be examined or accounted for in the logging, so they are not the source of the problem.
The ip access-list log-update threshold command is used to configure how often syslog messages are generated and sent after the initial packet match. While this would be a beneficial command to run, as it addresses the second source of CPU congestion, the sending of the syslog messages, that was not listed as a traffic type option. Therefore, this would not be a solution to the issue presented by process switched traffic.
The logging rate limit command also will reduce the impact of log generation and transmission on the CPU, but again, it does not address the issue presented by process switched traffic.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Understanding Access Control List Logging
Cisco > Cisco IOS Security Command Commands D to L > ip-group
Question 127:
Which of the following commands enables Unicast Reverse Path forwarding in loose mode?
A. ip verify unicast source reachable-via rx
B. ip verify unicast source reachable-via any
C. ip verify unicast source reachable-via rx allow default
D. ip verify unicast source reachable-via allow default
Correct Answer: B
The command ip verify unicast source reachable-via any enables Unicast Reverse Path Forwarding (RPF) in loose mode. In loose mode, traffic is allowed if the source address is reachable via any interface on the router as indicated in the routing table. Unicast Reverse Path Forwarding uses the source IP address when it validates the packet. Packets are validated when the source address is contained in the routing table and is reachable either via the ingress interface (strict mode) or via any interface (loose mode).
The command ip verify unicast source reachable-via rx enables Unicast RPF in strict mode, not loose mode. The rx keyword indicates the source must be reachable on the interface where the packet arrived.
The command ip verify unicast source reachable-via rx allow default enables Unicast RPF in strict mode. The inclusion of the allow default keyword indicates the source can be reachable via a default route to be accepted.
The command ip verify unicast source reachable-via allow default is syntactically incorrect. The allow default keyword cannot be present by itself. It must follow either the rx or the any keyword.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Understanding Unicast Reverse Path Forwarding
Cisco > Cisco IOS Security Command Commands D to L > ip verify unicast source reachable-via
Question 128:
The following access lists are applied to an interface connecting two OSPF routers:
What is the result?
A. the DR on the link will begin updating
B. the OSPF adjacency will go down
C. the last deny statement will fail to log traffic
D. the list will only permit IPv6 neighbor advertisements
Correct Answer: B
If this list is applied to the interface connecting two OSPF routers, the OSPF adjacency would go down. The deny ip any any log statement will deny the IPv6 link local addresses, which are used for the neighbor discovery process and by
OSPF routers to establish neighbor adjacencies when directly connected.
By default, IPv6 access lists have a deny all at the end that does NOT include those addresses. However, when you set an explicit deny all as shown in the scenario, you will block all traffic that is not specified by an earlier statement in the
list.
The DR on the link, if present, will not begin updating because the adjacency will fail. It will then have no neighbor to update.
The last deny statement in the scenario will log any traffic it blocks, as indicated by the inclusion of the log keyword.
The list will NOT permit neighbor advertisements. These are always done in terms of link local addresses, which the explicit deny ip any any log statement at the end will block.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Security Configuration Guide: Access Control Lists, Cisco IOS XE Release 3S > IPv6 Access Control Lists
Cisco > Cisco IOS IPv6 Command Reference > ipv6 access-list
Cisco > Cisco IOS Security Command Commands M to R > permit (IP)
Cisco > Cisco IOS Security Command Commands D to L > deny (IP)
Question 129:
Which of the following IPv6 access list statements would permit SSH traffic from 2001:DB8:0:4::32 when applied to the VTY lines?
A. permit ipv6 2001:DB3:0:5::/48 any eq ssh
B. permit ipv6 2001:DB8:0:4::/64 any eq ssh
C. permit ipv6 host 2001:DB8:0:4::32 any eq 23
D. permit ipv6 2001:DE8:0:4:::/48 any eq 22
Correct Answer: B
The only statement that would allow SSH traffic from 2001:DB8:0:4::32 is permit ipv6 2001:DB8:0:4::/64 any eq ssh. It would match because it specifies the 2001:DB8:0:4:: subnet as a result of the /64 prefix. With that prefix, traffic must match
in the first four hextets. Since the address 2001:DB8:0:5::32 matches in the first four hextets, it is allowed.
The statement permit ipv6 2001:DB3:0:5::/48 any eq ssh will not permit traffic from 2001:DB8:0:4::32. With a /48 subnet mask, the address must match in the first three hextets, and it does not do
Question 130:
Examine the following output of the show ip route command and the partial output of the show run command from the router R64:
What will the router do with a packet with a source address of 10.2.1.7/24 and a destination address of 10.11.11.50/24 that arrives on the Serial0 interface?
A. forward it out the Serial0/0 interface
B. forward it out the Tunnel0 interface
C. drop the packet
D. forward it out the Ethernet0/0 interface
Correct Answer: D
It will forward the packet out the Ethernet0/0 interface. The partial output of the show run command shows that the ip verify unicast source reachable-via any command has been executed on the Serial0/0 interface. This enables the Unicast Reverse Path Forwarding (Unicast RPF) feature. This feature prevents IP spoofing by verifying from the routing table that there is a valid return path to the source IP address. If there is no valid return path, you can assume the IP address has been spoofed.
When the ip verify unicast source reachable-via command ends with the keyword any, it means the return path can be through any interface, not just the one where the command was executed. This is called loose mode. It also includes the parameter allow-default, which removes the requirement that the network be specifically mentioned in the routing table.
Since there is a routing table entry for the source network leading to the Serial0/0 interface, the packet will be forwarded to the destination network reachable using the route via the E0/0 interface.
The router will not send the packet to either the Serial0/0 or the Tunnel0 interfaces because the destination network, 10.11.11.0/24, is not a reachable destination on those interfaces.
It will not send the packet to the Ethernet0/1 interface because that is the interface used by the default route. Because there is a route in the table to the 10.11.11.0/24 network, it would be sent to the Ethernet 0/0 interface.
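The strict (rx), loose (any) and allow-default behaviour described in questions 125, 127 and 130 can be reproduced with this added Python model of the uRPF decision followed by a destination lookup. It is not code from the page or from Cisco; the routing table is constructed (the page's show ip route output is not present) and only shaped like the R63/R64 scenarios.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface).
ROUTES = [
    ("10.2.1.0/24", "Serial0/0"),
    ("10.11.11.0/24", "Ethernet0/0"),
    ("192.168.1.0/24", "Tunnel0"),
    ("0.0.0.0/0", "Ethernet0/1"),   # default route
]


def lookup(routes, addr: str):
    """Longest-prefix match. Returns (IPv4Network, interface) or None."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(routes, src: str, ingress: str, mode: str,
                allow_default: bool = False) -> bool:
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default]'.
    rx  = strict mode: the best route to the source must point back out
          the interface the packet arrived on.
    any = loose mode: any route to the source is enough.
    A match on the default route only counts when allow-default is set."""
    hit = lookup(routes, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "rx":
        return iface == ingress
    if mode == "any":
        return True
    raise ValueError("mode must be 'rx' or 'any'")


def forward(routes, src: str, dst: str, ingress: str, mode: str,
            allow_default: bool = False) -> str:
    """Run the uRPF check on ingress, then route by destination.
    Returns the egress interface name or 'drop'."""
    if not urpf_passes(routes, src, ingress, mode, allow_default):
        return "drop"
    hit = lookup(routes, dst)
    return hit[1] if hit else "drop"


if __name__ == "__main__":
    # Question 125: strict mode, no route back to 192.168.5.0/24 -> drop.
    print(forward(ROUTES, "192.168.5.5", "10.11.11.20", "Serial0/0", "rx"))
    # Question 130: loose mode, source route exists -> Ethernet0/0.
    print(forward(ROUTES, "10.2.1.7", "10.11.11.50", "Serial0/0", "any"))
```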