Implementing Cisco Enterprise Advanced Routing and Services (ENARSI)
Exam Details
Exam Code: 300-410
Exam Name: Implementing Cisco Enterprise Advanced Routing and Services (ENARSI)
Certification: CCNP Enterprise
Vendor: Cisco
Total Questions: 925 Q&As
Last Updated: Apr 09, 2025
Cisco CCNP Enterprise 300-410 Questions & Answers
Question 131:
When the log keyword is added to an access list statement, CPU utilization increases. What is the source of the increased CPU utilization? (Choose all that apply.)
A. the process switching of packets that match the ACE
B. the incrementing of the match counter every 60 seconds
C. the generation and transmission of log messages
D. the CEF switching of packets that match the ACE
Correct Answer: AC
The increased CPU utilization has two sources. The first is the process switching of each packet that matches the ACE, which is a slower switching method than CEF switching. The second is the generation and transmission of the log messages. Both effects can be mitigated by adjusting the logging interval and the message interval.
The CPU utilization does NOT increase from the incrementing of the match counter every 60 seconds. The match counter increments every 5 minutes by default.
The CPU utilization does NOT increase from the CEF switching of packets that match the ACE. Those packets will be process switched, which is a much slower process than CEF switching.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Understanding Access Control List Logging
Cisco > Cisco IOS Security Command Commands D to L > ip access-list log-update
Cisco > Cisco IOS Broadband Access Aggregation and DSL Command Reference > logging rate-limit
Question 132:
Earlier today you created and applied an access list designed to restrict remote access to the router R62 ONLY from the device at 2001:DB8:0:4::32. During testing, you discover that it is not having the desired effect. You execute the show run command and see the following partial output that is relevant to the issue:
Why is the access list not functioning correctly?
A. the IPv6 address in the list is not formatted correctly
B. the list is not applied to the proper interface
C. the list is missing a deny statement
D. the ipv6 access-group command should be used to apply the list
Correct Answer: B
The list is applied to the wrong interface. An access list that is designed to control remote access should be applied to the VTY lines, not to one of the physical interfaces. If the command were formatted correctly, the show run output would appear as follows:
The IPv6 address is formatted correctly. Although it has been shortened in format, it follows all of the shortening rules. It omits only leading zeros and it utilizes the double colon only once.
The access list does not require a deny statement. There is an implicit deny all at the end of the list.
The ipv6 access-group command should not be used to apply the list. This command is used when an access list is applied to a physical interface, not the VTY lines.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Cisco > IPv6 Configuration Guide, Cisco IOS Release 15.0S > Implementing Traffic Filters and Firewalls for IPv6 Security > Access Control Lists for IPv6 Traffic Filtering
Cisco > Security Configuration Guide: Access Control Lists, Cisco IOS Release 15S > Controlling Access to a Virtual Terminal Line
Question 133:
The following command was executed on the router R61.
R61#debug ip packet detail 105
What type of information will this debug command generate?
A. all information on packets that are not fast switched by the router named 105
B. all information on packets that are not fast switched by the local router
C. information on packets that are not fast switched as filtered by the access list 105
D. information on packets sent from router 105
Correct Answer: C
This debug command will generate information on packets that are not fast switched, as filtered by access list 105. Certain debug commands can generate a tremendous amount of output, much of it information you don't need. It can even impact the performance of the router while the debug command is in effect. The best way to reduce this output is to filter it through an extended access list.
To do this, you create the access list as you would any other access list and then reference the access list number when you execute the debug command. For example, to restrict the output of the debug ip packet detail command to the traffic generated between the devices with the IP addresses 10.10.10.2 and 13.1.1.1, you would create the following extended access list:
When you then execute the debug ip packet detail command and reference the list number of 105, it will only display debug output concerning communications between these IP addresses.
The number 105 in the command does not reference a router name or number. It references an access list number.
The command will not display all information on packets that are not fast switched by the local router. It will be limited to information as filtered in the access list 105.
The command will not list information on packets sent from router 105. The number 105 refers to an access list number, not a router.
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Home > Support > Technology support > Dial and access > Integrated services digital networks (isdn), channel-associated signaling (cas) > Troubleshoot and alerts > Important Information on Debug Commands
Cisco > Cisco IOS Debug Command Reference - Commands I through L > debug ip packet
Question 134:
Which of the following commands must be present in the configuration to support Unicast RPF?
A. bandwidth
B. ip cef
C. ip route 0.0.0.0 0.0.0.0
D. log
Correct Answer: B
The command ip cef must be present in the configuration to support Unicast Reverse Path Forwarding (RPF). If the router is set to its defaults, it will be present. Unicast RPF uses the tables created by CEF to validate packet source addresses. Therefore, CEF must be enabled. Unicast RPF can be enabled in three modes:
Strict mode - The source address must be reachable on the interface where the packet arrived.
Loose mode - Traffic is allowed if the source address is reachable via any interface on the router as indicated in the routing table.
VRF mode - Evaluates an incoming packet's source IP address against the VRF table configured for an eBGP neighbor.
The bandwidth command, while desirable to ensure proper cost calculation of the interface for routing purposes, is not a requirement for Unicast RPF.
The ip route 0.0.0.0 0.0.0.0 command creates a default route. A default route does not need to be present for Unicast RPF to function.
The log command is not required. This command should be used with caution with any access list, as it causes an increase in CPU usage in the router.
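The strict and loose checks described above can be simulated against a small forwarding table. This is an added example, not part of the original page; the FIB entries, interface names and sample packets are constructed, and it assumes one best path per prefix and does not model VRF mode.

```python
import ipaddress

# Constructed FIB for illustration: prefix -> interface the route points out of.
FIB = {
    "10.1.0.0/16": "Gi0/0",
    "10.1.5.0/24": "Gi0/1",
    "192.0.2.0/24": "Gi0/2",
}

def lookup(src, fib=FIB):
    """Longest-prefix match for src; returns the route's interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_permits(src, in_iface, mode, fib=FIB):
    """Apply the strict or loose source check to one packet."""
    route_iface = lookup(src, fib)
    if route_iface is None:      # no route back to the source at all
        return False
    if mode == "loose":          # reachable via any interface is enough
        return True
    if mode == "strict":         # must be reachable via the arrival interface
        return route_iface == in_iface
    raise ValueError(f"unknown mode: {mode}")

# Constructed packets: (source address, arrival interface)
PACKETS = [
    ("10.1.5.9", "Gi0/1"),     # arrives on the interface the FIB points to
    ("10.1.5.9", "Gi0/0"),     # asymmetric path: /24 route is via Gi0/1
    ("203.0.113.7", "Gi0/2"),  # source with no route in the FIB
]

if __name__ == "__main__":
    for src, iface in PACKETS:
        print(src, iface,
              "strict:", urpf_permits(src, iface, "strict"),
              "loose:", urpf_permits(src, iface, "loose"))
```

The second packet is the case to watch for before enabling strict mode: a legitimate source on an asymmetric path passes the loose check but is dropped by the strict one.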
Objective:
Infrastructure Security
Sub-Objective:
Configure and verify router security features
References:
Cisco IOS Security Configuration Guide, Release 12.2 > Part 5: Other Security Features > Configuring Unicast Reverse Path Forwarding
Cisco > Cisco IOS IP Switching Command Reference > ip cef
Question 135:
When the auth keyword is used in the snmp-server host command, which of the following must be configured with an authentication mechanism?
A. the interface
B. the host
C. the user
D. the group
Correct Answer: C
The auth keyword specifies that the user should be authenticated using either the HMAC-MD5 or HMAC-SHA algorithms. These algorithms are specified during the creation of the SNMP user.
For example, the following command creates a user named V3User that will be a member of the SNMP group V3Group and will use HMAC-MD5 with a password of MyPassword:
snmp-server user V3User V3Group v3 auth md5 MyPassword
The authentication mechanism is not configured on the interface. All SNMP commands are executed at the global configuration prompt.
The authentication mechanism is not configured at the host level. The version and security model (authentication, authentication and encryption, or neither) are set at the host level.
The authentication mechanism is not configured at the SNMP group level. The group level is where access permissions like read and write are set. This is why a user account must be a member of a group to derive an access level, even if it is a group of one.
Objective:
Infrastructure Services
Sub-Objective:
Configure and verify SNMP
References:
Configuring SNMP Support > Understanding SNMP > SNMP Versions
Cisco IOS Network Management Command Reference > snmp-server engineID local through snmp trap link-status > snmp-server host
Question 136:
You recently implemented SNMPv3 to increase the security of your network management system. A partial output of the show run command displays the following output that relates to SNMP.
snmp-server group NORMAL v3 noauth read NORMAL write NORMAL
Which of the following statements is true of this configuration?
A. it provides encryption, but it does not provide authentication
B. it provides neither authentication nor encryption
C. it provides authentication, but it does not provide encryption
D. it provides both authentication and encryption
Correct Answer: B
It provides neither authentication nor encryption. In SNMPv3 there are three combinations of security that can be used:
noAuthNoPriv - no authentication and no encryption; noauth keyword in the configuration
AuthNoPriv - messages are authenticated but not encrypted; auth keyword in the configuration
AuthPriv - messages are authenticated and encrypted; priv keyword in the configuration
In this case, the keyword noauth in the configuration indicates that no authentication and no encryption are provided. This makes the implementation no more secure than SNMPv1 or SNMPv2.
In SNMPv1 and SNMPv2, authentication is performed using a community string. When you implement SNMP using the noauth keyword, it does not use community strings for authentication. Instead it uses the configured user or group name (in this case NORMAL). Regardless, it does not provide either authentication or encryption.
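The keyword-to-level mapping above, together with the point from Question 135 that the authentication algorithm is set on the user, can be checked mechanically against a running configuration. This is an added example, not part of the original page; the first two sample lines are the ones quoted on this page, and the other two lines (including the user name Monitor) are constructed for illustration.

```python
import re

# Keyword in the config -> SNMPv3 security level, as listed above.
LEVELS = {"noauth": "noAuthNoPriv", "auth": "AuthNoPriv", "priv": "AuthPriv"}

# Constructed excerpt: the first two lines are quoted on this page,
# the last two are invented here to exercise the checks.
SAMPLE = """\
snmp-server group NORMAL v3 noauth read NORMAL write NORMAL
snmp-server user V3User V3Group v3 auth md5 MyPassword
snmp-server group V3Group v3 auth read NORMAL
snmp-server user Monitor V3Group v3
"""

GROUP_RE = re.compile(r"snmp-server group (\S+) v3 (noauth|auth|priv)\b")
USER_RE = re.compile(
    r"snmp-server user (\S+) (\S+) v3(?:\s+auth\s+(md5|sha)\s+\S+)?")

def audit(config):
    """Return ({group: level}, [findings]) for the SNMPv3 lines in config."""
    groups, users, findings = {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = LEVELS[m.group(2)]
        elif m := USER_RE.match(line):
            users.append(m.groups())  # (user, group, auth algorithm or None)
    # A noauth group gives neither authentication nor encryption.
    for name, level in groups.items():
        if level == "noAuthNoPriv":
            findings.append(f"group {name}: noauth, no authentication or encryption")
    # With auth or priv on the group, each member user needs an auth algorithm.
    for user, group, algo in users:
        level = groups.get(group)
        if level is None:
            findings.append(f"user {user}: group {group} is not defined")
        elif level != "noAuthNoPriv" and algo is None:
            findings.append(f"user {user}: group {group} is {level} but user has no auth algorithm")
    return groups, findings

if __name__ == "__main__":
    levels, problems = audit(SAMPLE)
    print(levels)
    print("\n".join(problems))
```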
Question 137:
Which of the following traffic types will NOT be forwarded to the IP address 172.20.14.225?
A. TFTP
B. SMTP
C. DNS
D. TACACS
Correct Answer: B
While the ip helper-address command is typically used to forward DHCP broadcasts to a DHCP server located in a remote subnet, it also forwards the following broadcast packets by default:
TFTP - UDP port 69
Domain Name System (DNS) - UDP port 53
Time service - port 37
NetBIOS Name Server - port 137
NetBIOS Datagram Server - port 138
Bootstrap Protocol (BOOTP) - port 67
TACACS - UDP port 49
Objective:
Infrastructure Services
Sub-Objective:
Configure and verify IPv4 and IPv6 DHCP
References:
Cisco IOS IP Application Services Command Reference > ip accounting through ip sctp authenticate > ip helper-address
Question 138:
You execute the debug ip packet command and find that you receive no output.
Which of the following is the MOST likely reason?
A. someone executed the no ip route-cache command
B. someone executed the no ip mroute cache command
C. someone attached an extended access list to the debug process
D. someone executed the ip cef command
Correct Answer: D
When the ip cef command is executed, it enables Cisco Express Forwarding. When CEF is enabled, packets are no longer switched to the processor, so the output shows nothing. You must disable CEF and fast switching on the interface while you are running the debug ip packet command.
Executing the no ip route-cache command would disable fast switching and would enable the gathering of packets rather than disable the operation.
Executing the no ip-mroute cache command would disable fast switching of multicast packets and would enable the gathering of multicast packets.
While it is possible that an overly restrictive access list could result in NO output, this is only a possibility. On the other hand, it is certain that no output will be produced if the ip cef command was executed. Access lists SHOULD be used in conjunction with the debug ip packet command to reduce the significant amount of information generated and the system resources required to do so.
Objective:
Infrastructure Services
Sub-Objective:
Configure and verify logging
References:
Home > Support > Technology support > Dial and access > Integrated Services Digital Networks (ISDN) Channel-Associated Signaling (CAS) > Troubleshoot and alerts > Troubleshooting Technotes > Important Information on Debug Commands
Cisco > Cisco IOS IP Switching Command Reference > ip cache-invalidate-delay through monitor event-trace cef ipv6 global > ip cef
Question 139:
View the sample output of the debug ip eigrp command.
What is the significance of the number 4294967295 as shown in the output?
A. It represents the unreachable metric for EIGRP.
B. It represents the administrative distance for EIGRP.
C. It represents a reachable metric for the given network.
D. It represents one of the link characteristics that EIGRP uses to calculate the metric.
Correct Answer: A
The value 4294967295 in the debug ip eigrp output represents the unreachable metric for EIGRP. This means that the network has become unavailable and cannot be reached. In this output, the M represents the local metric, and the SM represents the metric that was reported by the neighbor that advertised the network to the local router.
The administrative distance (AD) for internal EIGRP is 90.
The link characteristics that are used in the EIGRP calculation are shown following the dash after the M and SM values (1657856 4294967295). By default, EIGRP only uses bandwidth and delay in its calculation.
Objective:
Layer 3 Technologies
Sub-Objective:
Describe and optimize EIGRP metrics
References:
Cisco > Cisco IOS Debug Command Reference > debug h225 asn1 through debug ip ftp > debug ip eigrp
Question 140:
The network administrator has configured router R2 to redistribute a newly installed EIGRP network into their core OSPF network. The redistributed networks and subnets are not properly appearing in the routing tables of the other routers.
The following output displays partial configuration for router R2:
router ospf 10
redistribute eigrp 50 metric 100 metric-type 1
network 192.16.31.0 0.0.0.255
What two modifications would correct the problem? (Choose two.)
A. Change the EIGRP AS number from 50 to 10
B. Change the AS number specified for OSPF to 50
C. Add the command network 10.0.0.0 0.0.0.255
D. Add the command network 10.0.0.0 255.255.255.0
E. Add the level-1-2 keyword to the redistribute command
F. Add the subnets keyword to the redistribute command
G. Change the command network 192.16.31.0 0.0.0.255 to include the area keyword and value
Correct Answer: FG
The R2 router will not form adjacencies with neighboring routers in the area if the area IDs do not match. The area keyword in the network command is missing from the initial router R2 configuration. The correct command would be:
R2(config)# network 192.16.31.0 0.0.0.255 area 1
Secondly, the subnets keyword should be used in the redistribute command to ensure that all of the subnets in the 10.0.0.0/8 network are redistributed into OSPF. For example, you would use the following commands to redistribute EIGRP autonomous system (AS) 50 networks and subnetworks into OSPF with a metric of 100 and advertise them as external Type 1 routes:
protocol - Identifies the source protocol, such as BGP, connected, EIGRP, IGRP, ISIS, OSPF, static, or rip.
process-id - Depending on the routing protocol, identifies the source autonomous system number or process ID.
metric - Identifies the seed metric for the redistributed route. The default is 0.
metric-type - For OSPF, it identifies the redistributed routes as either external Type 1 or Type 2 routes. The default is Type 2.
subnets - Optional keyword for use with OSPF to indicate that the scope of the networks to be redistributed also includes subnets.
Objective:
Layer 3 Technologies
Sub-Objective:
Configure and verify redistribution between any routing protocols or routing sources