CCNP Routing and Switching ROUTE 300-101 Official Cert Guide (2015)

Part VII. Appendixes

Appendix A. Answers to the “Do I Know This Already?” Quizzes

Chapter 1

1. C. The Split Horizon feature prevents a route learned on one interface from being advertised back out of that same interface.

The Summarization feature allows multiple contiguous networks to be represented with a single route advertisement.

The Poison Reverse feature causes a route received on one interface to be advertised back out of that same interface with a metric considered to be infinite.

Convergence is the speed at which a backup route takes over for a failed preferred route.

2. B and C. Both RIP and EIGRP are distance-vector routing protocols, although EIGRP is considered an advanced distance-vector routing protocol.

Both OSPF and IS-IS are link-state routing protocols, and BGP is a path-vector routing protocol.

3. D. A unicast network communication flow is considered a “one-to-one” flow, because there is one source and one destination.

A multicast network communication flow is considered a “one-to-many” flow, because there is one source and potentially many destinations (specifically, destinations that have joined a multicast group).

A broadcast network communication flow is considered a “one-to-all” flow, because there is one source, and the destinations include all devices in a subnet.

An anycast network communication flow is considered a “one-to-nearest” flow, because there are multiple devices assigned the same IPv6 address, and traffic is routed from one source to the nearest device assigned the destination IPv6 address.

4. A and D. A nonbroadcast multiaccess (NBMA) network can have Split Horizon issues in a hub-and-spoke topology, because a route learned by the hub router from a spoke router might not be advertised back out to any other spoke routers, because of Split Horizon operation. Also, if the NBMA network is using OSPF, there can be designated router issues, because the spoke routers might not be able to communicate with one another through broadcasts.

5. B. The term TCP Maximum Segment Size (MSS) seems to imply the size of the entire Layer 4 segment (that is, including Layer 2, Layer 3, and Layer 4 headers). However, TCP MSS only refers to the amount of data in the segment (without the inclusion of any headers).

6. C. The bandwidth-delay product of a segment is the measure of the maximum number of bits that can be on the segment at any one time. The bandwidth-delay product is calculated by multiplying the segment’s bandwidth (in bits/sec) by the latency that packets experience as they cross the segment (in sec).

In this question, the bandwidth-delay product can be calculated as follows:

bandwidth-delay product = 10,000,000 bits/sec * 0.1 sec = 1,000,000 bits.

7. A and C. When converting a Cisco Catalyst switch to Rapid-PVST+, you can remove the UplinkFast and BackboneFast features, because similar features are built into Rapid-PVST+. However, the following features can still be used with Rapid-PVST+: PortFast, BPDU Guard, BPDU Filter, Root Guard, and Loop Guard.

8. A. Cisco Easy Virtual Network (EVN) uses a Virtual Network Trunk (VNET Trunk) to carry traffic for each virtual network, and eliminates the need to manually configure a subinterface for each virtual network on all routers.

Inter-Switch Link (ISL) is a Cisco-proprietary trunking technology for Ethernet networks.

IEEE 802.1Q is an industry-standard trunking technology for Ethernet networks.

IEEE 802.10 is an industry-standard trunking technology for FDDI networks.

Chapter 2

1. C. A hybrid VPN uses more than one VPN technology. While you can encrypt a packet that has already been encapsulated by a VPN technology, and while you can encapsulate a packet that has already been encrypted, you might need to decrease the MTU for a frame on an interface configured for tunneling. The reason for the MTU decrease is that additional header information is added for each VPN technology you use. As a result, the maximum amount of data contained in a frame is reduced.

2. A. In a Layer 3 MPLS VPN, a customer edge (CE) router forms a neighborship with a provider edge (PE) router (or an edge label switch router [ELSR]) in an MPLS network. In a Layer 2 MPLS VPN, the MPLS network acts as a Layer 2 switch. IP multicast traffic can flow across an MPLS network with no issue.

3. C. A GRE tunnel can encapsulate any Layer 3 protocol, including IP unicast, multicast, and broadcast traffic. However, a GRE tunnel does not offer encryption. An IPsec tunnel does offer encryption, but it can only transmit unicast IP traffic. Therefore, to meet the design requirements in this question, you could encapsulate the IP unicast, multicast, and broadcast traffic inside of a GRE tunnel. Because a GRE packet is a unicast IP packet, you could encapsulate the GRE packets inside of an IPsec tunnel, thus providing the required encryption.

4. A, B, and D. A DMVPN network uses mGRE to dynamically form GRE tunnels between two sites needing a direct tunnel. NHRP is used by mGRE to discover the IP address of the device at the remote side of the tunnel. IPsec is used to secure the GRE packets. However, MPLS is not a requirement.

5. A and B. Like traditional GRE, mGRE can transport a wide variety of protocols (for example, IP unicast, multicast, and broadcast traffic). Also, a single mGRE interface can service multiple tunnels.

6. B and D. NHRP (Next Hop Resolution Protocol) spokes are configured with the IP address of an NHRP hub, but the hub is not configured with the IP addresses of the spokes. When the spokes come online, they inform the hub of both the physical IP address (assigned to a physical interface) and the logical IP address (assigned to a virtual tunnel interface) that are going to be used for their tunnels. With the hub’s database populated, a spoke can query the hub to find out the IP address of a physical interface that corresponds to a specific tunnel interface’s IP address.

7. B. Data confidentiality is provided by encrypting data. Data integrity ensures that data is not modified in transit. Data authentication allows parties involved in a conversation to verify that the other party is the party it claims to be. IPsec uses antireplay protection to ensure that packets being sent are not duplicate packets.

Chapter 3

1. D. Inside a quartet, any leading 0s can be omitted, and one sequence of one or more quartets of all 0s can be replaced with “::”. The correct answer replaces the longer three-quartet sequence of 0s with ::.

2. C. The name of the prefix generally represents the group to which the prefix is given, with the exception of the term global routing. IANA assigns a prefix to a registry (registry prefix). The registry can assign a subset of that range as a prefix to an ISP (ISP prefix). That ISP then subdivides that range of addresses into prefixes and assigns a prefix to one of its customers (site prefix, also called global routing prefix). The enterprise network engineers then further subdivide the range, often with prefix length 64, into subnet prefixes.

3. A and C. IPv6 supports stateful DHCP, which works similarly to IPv4’s DHCP to dynamically assign the entire IP address. Stateless autoconfiguration also allows for the assignment by finding the prefix from some nearby router and calculating the Interface ID using the EUI-64 format. Stateless DHCP simply supplies the DNS server IP addresses, and NDP supplies Layer 2 mapping information.

4. D. Stateless autoconfiguration only helps a host learn and form its own IP address, but it does not help the host learn a default gateway. Stateless RS is not a valid term or feature. Neighbor Discovery Protocol (NDP) is used for several purposes, including the same purpose as ARP in IPv4, plus to learn configuration parameters such as a default gateway IP address.

5. D. Global unicast addresses begin with 2000::/3, meaning that the first 3 bits match the value in hex 2000. Similarly, unique local addresses match FD00::/8, and link-local addresses match FE80::/10 (values that begin with FE8, FE9, FEA, and FEB hex). Multicast IPv6 addresses begin FF00::/8, meaning that the first two hex digits are F.

6. B. When created automatically, link-local addresses begin FE80::/64, because after the prefix of FE80::/10, the device builds the next 54 bits as binary 0s. Statically assigned link-local addresses simply need to conform to the FE80::/10 prefix. As a result, only two answers are candidates with a beginning quartet of FE80. Of these, only one has only hex 0s in the second, third, and fourth quartets, making answer B the only valid answer.

7. A and C. The ipv6 address command does not list an eui-64 parameter, so R1 does not form its global unicast address using the EUI-64 format. However, it does form its link-local address using EUI-64. The show ipv6 interface brief command lists both the global unicast and link-local addresses in its output.

8. A. The group addresses listed in the output are the all IPv6 hosts address (FF02::1), the all IPv6 routers address (FF02::2), and the solicited node address that is based on R1’s global unicast address (FF02::1:FF12:3456). Also, R1’s global unicast address is listed correctly in answer B, but the “[EUI]” notation implies that R1 derived the interface ID portion using EUI-64 conventions.

9. A, B, and D. RIPv2 and RIPng both use UDP, both use distance-vector logic, and both use the same metric, with the same maximum (15) and same metric that means infinity (16). RIPng does not perform automatic route summarization because IPv6 has no concept of a classful network. RIPng also uses the built-in IPv6 authentication mechanisms rather than a RIP-specific authentication such as RIPv2.

10. B. The fact that the configuration will be copied/pasted into a router means that the order of the commands matters. In this case, the fact that the ipv6 rip one enable command precedes the ipv6 address command on interface f0/0 means that Cisco IOS will reject the first of these commands, therefore not enabling RIPng on F0/0. The correct order listed under S0/0/0 means that RIPng will be enabled on S0/0/0. As a result, RIPng on R1 will advertise about S0/0/0’s connected IPv6 prefixes, and send Updates on S0/0/0, but will do nothing related for F0/0.

Chapter 4

1. B and C. The network 172.16.1.0 0.0.0.255 command tells Cisco IOS to match the first three octets when comparing the interface IP addresses to the configured “172.16.1.0” value. Only two answers match in the first three octets. The other two answers have a 0 in the third octet, making the addresses not match the network command.

2. D. The show ip eigrp interfaces command displays interfaces on which EIGRP has been enabled but omits passive interfaces. Making the interface passive would omit the interface from the output of this command.

3. D. The show ip eigrp interfaces detail command does display a router’s EIGRP Hello timer setting for each enabled interface. The other listed commands do not display the timer. Also, EIGRP routers do not have to have matching Hello timers to become neighbors.

4. C. The neighbor 172.16.2.20 fa0/0 command would only be rejected if the IP address (172.16.2.20) is not inside the range of addresses in the subnet (172.16.2.0/26, range 172.16.2.0–172.16.2.63). This command does not impact the interface state. The command does disable all EIGRP multicasts, and because the three dynamically discovered neighbors require the EIGRP multicasts, all three neighbors fail. Although 172.16.2.20 is a valid potential neighbor, both routers must be configured with static neighbor commands, and we know that 172.16.2.20 was not previously configured with a static neighbor command; otherwise, it could not have been a neighbor with R1.

5. A and D. Table 4-4 lists the issues. For EIGRP, Router IDs do not have to be unique for EIGRP routers to become neighbors, and the hold timer does not have to match between the two neighbors. However, making an interface passive disables the processing of all EIGRP messages on the interface, preventing all neighborships. Mismatched IP subnets also prevent neighborships from forming.

6. A. The configuration requires the ip authentication mode eigrp asn md5 command, which is currently missing. This command enables MD5-style authentication, rather than the default of no authentication. Adding this one command completes the configuration. Any valid key numbers can be used. Also, the 9 in the ip authentication key-chain eigrp 9 fred command refers to the EIGRP ASN, not an authentication type.

7. A. EIGRP forms neighborships only when two routers can communicate directly over a data link. As a result, with Frame Relay, EIGRP neighborships occur only between routers on the ends of a PVC, so in this case, 100 neighborships exist.

Chapter 5

1. B and C. Other than the two listed correct answers, the local router also adds connected routes for which the network command matches the corresponding interfaces, so it might not add all connected routes. Also, EIGRP does not add static routes to the EIGRP topology table, unless those routes are redistributed.

2. B and D. EIGRP sends bandwidth, delay, reliability, load, MTU, and hop count in the message. The formula to calculate the metric includes bandwidth, delay, reliability, and load.

3. A. EIGRP performs WAN bandwidth control without any explicit configuration, using default settings. Because no bandwidth commands have been configured, each subinterface uses the default 1544-kbps setting. For S0/0.1, WAN bandwidth control divides the 1544 by 3 (515 kbps) and then takes the (default) WAN bandwidth of 50 percent, meaning about 250 kbps for each of the three DLCIs. For the two subinterfaces with one PVC, the default 1544 is multiplied by the 50 percent default WAN bandwidth, meaning that each could use about 750 kbps.

4. A. This command lists all successor and feasible successor routes. The output states that two successors exist, and only two routes (listed with the “via...” text) exist. So, no feasible successor routes exist.

5. A and C. By default, the metric weights cause EIGRP to consider bandwidth and delay in the metric calculation, so changing either bandwidth or delay impacts the calculation of the feasible distance and reported distance, and impacts the choice of feasible successor routes. Offset lists also change the metric, which in turn can change whether a route is an FS route. Link loading would impact the metrics, but not without changing the metric weights to nonrecommended values. Finally, variance impacts which routes end up in the IP routing table, but it is not considered by EIGRP when determining which routes are FS routes.

6. C and E. The EIGRP metric calculation treats bandwidth and delay differently. For bandwidth, EIGRP takes the lowest bandwidth, in kbps, which is in this case 500 kbps. For delay, EIGRP takes the cumulative delay, which is 20100 per the various show interfaces commands. However, the show interfaces command uses a unit of microseconds, and the interface delay command and the EIGRP metric formula use a unit of tens-of-microseconds, making the delay that feeds into the formula be 2010.

7. C and E. R1, as a stub router with the connected option, still advertises routes, but only routes for connected subnets. R1 announces its stub attribute to R2, so R2 chooses to not send Query messages to R1, knowing that R1 cannot be a transit router for other subnets anyway.

8. D. EIGRP considers only successor and feasible successor routes. Each of those routes must have metrics such that variance * metric is less than the best route’s metric; the best route’s metric is called the feasible distance (FD).

9. B. Of the five options, show ip route eigrp all-links and show ip eigrp topology all-learned are not valid commands. Both show ip eigrp topology and show ip route eigrp can show at most successor and feasible successor routes. However, show ip eigrp topology all-links shows also nonfeasible successor routes, making it more likely to show all possible neighbors.

10. D and E. The two listed commands correctly configure EIGRP route filtering such that prefixes matched by the ACL’s permit clause will be allowed. All other prefixes will be filtered because of the implied deny all at the end of the ACL. The ACL permits numbers in the range 10.10.32.0–10.10.47.255, which leaves 10.10.48.0 and 10.10.60.0 unmatched by the permit clause.

11. B, C, and E. Sequence number 5 matches prefixes 10.1.2.0–10.1.2.255, with prefix lengths between 25 and 27, and denies (filters) those prefixes. This results in answer A being incorrect, because the prefix length (/24) is not in the correct range. Clause 15 matches prefixes 10.2.0.0–10.2.255.255, with prefix length exactly 30, matching answer C. Clause 20 matches only prefix 0.0.0.0 with length /0, so only a default route would match this entry. As a result, 10.0.0.0/8 does not match any of the three clauses.

12. C. When used for route filtering, the route map action (permit or deny) defines the filtering action, and any referenced match commands’ permit or deny action just defines whether the prefix is matched. By not matching ACL 1 with a permit action, EIGRP does not consider a match to have occurred with clause 10, so it moves to clause 20. The prefix list referenced in clause 20 has a permit action, matching prefixes 10.10.10.0–10.10.11.255, with prefix lengths from 23 to 25. Both criteria match the prefix in question, making answer C correct.

13. B and C. Answer A is invalid. The ge value must be larger than /24 in this case, so the command is rejected. Answer B implies a prefix length range of 24–28, inclusive. Answer C implies a range of 25–32 inclusive, because no le parameter exists to limit the prefix length lower than the full length of an IPv4 subnet mask. The same logic applies with answer D, but with a range of 28–32, so this final list could not match prefix lengths of /27.

14. B. 10.1.0.0/18 implies a range of 10.1.0.0–10.1.63.255, which includes none of the four subnets. 10.1.64.0/18 implies a range of 10.1.64.0–10.1.127.255, which includes all subnets. 10.1.100.0/24 implies a range of 10.1.100.0–10.1.100.255, which leaves out two of the subnets. Finally, 10.1.98.0/22 does not actually represent a summary. Instead, 10.1.96.0/22 represents a range of 10.1.96.0–10.1.99.255, with 10.1.98.0 as listed in answer D being an IP address in that range. As such, Cisco IOS would actually accept the command, would change the parameter from 10.1.98.0 to 10.1.96.0, and would not include the four listed subnets.

15. B. The ip summary-address command does reset neighborships, but only on the interface under which it is configured. After those neighborships come up, R1 will advertise the summary route, but none of the subordinate routes inside that summary. The summary route will use a metric equal to the metric of the lowest metric subordinate route, approximately 1,000,000 in this case.

16. B and D. R2 has interfaces only in Class A network 10.0.0.0, so the auto-summary setting has no effect. R3 has interfaces in both Class A network 10.0.0.0 and Class B network 172.16.0.0, so auto-summary causes R3 to summarize all subnets of 172.16.0.0/16 as a summary route when advertising to R2.

17. D. The phrase quoted in the question means that R1 is using its route for Class A network 2.0.0.0 to decide where to send packets by default. R1’s route for network 2.0.0.0 must have 1.1.1.1 as its next-hop router. This phrase occurs when EIGRP has learned a route for Class A network 2.0.0.0 that has been flagged as a candidate default route by another router. The router flagging a route as a candidate default route, using the ip default-network command, does not actually use the route as its default route.

18. C and E. With the suggested configuration style, the static route must first be configured statically, as shown in answer A. Then, either this route must be redistributed as a static route into EIGRP (answer B) or pulled into EIGRP by virtue of the network 0.0.0.0 EIGRP subcommand (answer D). The other two options have no effect on default route creation and advertisement.
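
The prefix-list rules from answers 11 and 13 of this chapter, as an added Python model (not code from the book): it applies the ge/le length ranges and first-match evaluation with the implicit deny. The three clauses are reconstructed from the description in answer 11, with the permit action of clauses 15 and 20 assumed; the test routes and the 10.1.0.0/24 prefix used for the answer 13 ranges are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Clause:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Inclusive range of prefix lengths this clause accepts."""
        plen = self.prefix.prefixlen
        if self.ge is None and self.le is None:
            return plen, plen                       # no keyword: exact length
        low = plen if self.ge is None else self.ge  # le alone starts at len
        high = 32 if self.le is None else self.le   # ge alone runs to /32
        return low, high

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        """Route must sit inside the clause prefix AND have a length in range."""
        low, high = self.length_range()
        return (route.network_address in self.prefix
                and low <= route.prefixlen <= high)


def parse_clause(line: str) -> Clause:
    """Parse 'seq N permit|deny A.B.C.D/len [ge X] [le Y]'."""
    tok = line.split()
    if (len(tok) < 4 or len(tok) % 2 or tok[0] != "seq"
            or tok[2] not in ("permit", "deny")):
        raise ValueError(f"unrecognized clause: {line!r}")
    prefix = ipaddress.IPv4Network(tok[3])          # rejects host bits set
    opts = dict(zip(tok[4::2], tok[5::2]))
    if set(opts) - {"ge", "le"}:
        raise ValueError(f"unknown keyword in: {line!r}")
    ge = int(opts["ge"]) if "ge" in opts else None
    le = int(opts["le"]) if "le" in opts else None
    # Answer 13: ge must be larger than the prefix length or the command
    # is rejected. The le and ge<=le bounds are this model's sanity checks;
    # the router's own validation may be stricter.
    if ge is not None and not prefix.prefixlen < ge <= 32:
        raise ValueError("ge must be larger than the prefix length")
    if le is not None and not prefix.prefixlen <= le <= 32:
        raise ValueError("le out of range")
    if ge is not None and le is not None and ge > le:
        raise ValueError("ge must not exceed le")
    return Clause(int(tok[1]), tok[2], prefix, ge, le)


def evaluate(clauses: List[Clause], route: str) -> Tuple[Optional[int], str]:
    """Return (matching seq, action); (None, 'deny') is the implicit deny."""
    net = ipaddress.IPv4Network(route)
    for clause in sorted(clauses, key=lambda c: c.seq):
        if clause.matches(net):
            return clause.seq, clause.action
    return None, "deny"


# Reconstructed from answer 11; actions of seq 15 and 20 are assumptions.
QUIZ_LIST = [parse_clause(text) for text in (
    "seq 5 deny 10.1.2.0/24 ge 25 le 27",
    "seq 15 permit 10.2.0.0/16 ge 30 le 30",
    "seq 20 permit 0.0.0.0/0",
)]

if __name__ == "__main__":
    # Constructed test routes.
    for route in ("10.1.2.0/24", "10.1.2.128/26", "10.2.2.4/30",
                  "0.0.0.0/0", "10.0.0.0/8"):
        print(route, evaluate(QUIZ_LIST, route))
```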

Chapter 6

1. A. By default, IPv6 routing is not enabled on a router. To enable it, you issue the ipv6 unicast-routing command in global configuration mode.

As a best practice, you should also enter ipv6 cef in global configuration mode (not router configuration mode) to enable Cisco Express Forwarding for IPv6.

However, ipv6 eigrp is not a valid command.

2. B. EIGRP uses the link-local address as the next hop for routing protocols. Based on R2’s MAC address, R2’s link-local address on Fa 0/0 will be FE80::1311:11FF:FE11:1111. This value is derived by splitting the MAC, inserting FFFE, and flipping bit 7, making the initial hex 11 become hex 13.

3. B. General EIGRP commands (for example, metric, eigrp stub, and eigrp router-id) are configured under address-family configuration mode.

Commands entered under interface configuration mode with a traditional EIGRP configuration (for example, authentication, bandwidth-percent, hello-interval, hold-time, passive-interface, and split-horizon) are entered under address-family-interface configuration mode with Named EIGRP.

Commands having a direct impact on a router’s EIGRP topology (for example, auto-summary, maximum-paths, redistribute, and variance) are given under address-family-topology configuration mode.

There is no address-family-global configuration mode.

4. D. General EIGRP commands (for example, metric, eigrp stub, and eigrp router-id) are configured under address-family configuration mode.

Commands entered under interface configuration mode with a traditional EIGRP configuration (for example, authentication, bandwidth-percent, hello-interval, hold-time, passive-interface, and split-horizon) are entered under address-family-interface configuration mode with Named EIGRP.

Commands having a direct impact on a router’s EIGRP topology (for example, auto-summary, maximum-paths, redistribute, and variance) are given under address-family-topology configuration mode.

There is no address-family-global configuration mode.

5. B. EIGRP parameters configured under interface configuration mode with a traditional EIGRP configuration can be configured under address-family-interface configuration mode with Named EIGRP. To enter address-family-interface configuration mode for a specific interface, you can enter the af-interface interface_identifier command.

However, if you want an interface setting to be applied to all interfaces, you can enter the af-interface default command. Although commands entered from this configuration mode are inherited by all router interfaces, you can go into address-family-interface configuration mode for specific interfaces to override any globally configured interface settings.

None of the commands given in the question, other than af-interface default, are valid.

6. B. Even though Named EIGRP is configured quite differently than a traditional EIGRP configuration, the verification commands remain the same. Therefore, to view a router’s EIGRP for IPv4 topology table, you would issue the same show ip eigrp topology command that you would use with a traditional EIGRP for IPv4 configuration.
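
The address derivations described in Chapter 3 (answers 5, 6, and 8) and in answer 2 of this chapter, as an added Python example that is not from the book: it builds the EUI-64 link-local address from a MAC, forms the solicited-node multicast address, and classifies addresses by the prefixes the answers list. The MAC 1111.1111.1111 is inferred from the link-local address in answer 2, and the unicast addresses in the sample calls are constructed.

```python
import ipaddress

# Prefixes as listed in the Chapter 3 answers.
ADDRESS_TYPES = [
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
    ("unique local", ipaddress.IPv6Network("fd00::/8")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
]
# Automatically created link-local addresses: FE80::/10 plus 54 zero bits.
LINK_LOCAL_AUTO = ipaddress.IPv6Network("fe80::/64")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> bytes:
    """Split the MAC, insert FFFE in the middle, and flip bit 7."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytearray(bytes.fromhex(digits))   # ValueError on non-hex input
    raw[0] ^= 0x02                           # bit 7 of the first byte
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix followed by the EUI-64 interface ID."""
    prefix = LINK_LOCAL_AUTO.network_address.packed[:8]
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """FF02::1:FF followed by the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def address_type(addr: str) -> str:
    """Classify an address by the prefixes in ADDRESS_TYPES."""
    ip = ipaddress.IPv6Address(addr)
    for name, network in ADDRESS_TYPES:
        if ip in network:
            return name
    return "other"


if __name__ == "__main__":
    r2 = link_local_from_mac("1111.1111.1111")        # inferred MAC
    print(r2, address_type(str(r2)))
    print(solicited_node("2001:db8:1:1::ab12:3456"))  # constructed address
```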

Chapter 7

1. A and D. The wildcard mask is used for matching the prefix only, and not the prefix length. As such, 172.16.1.0 0.0.0.255 matches all addresses that begin with 172.16.1, and 172.16.0.0 0.0.255.255 matches all addresses that begin 172.16. Also, OSPF reviews the network command with the most specific wildcard masks (wildcard masks with the most binary 0s) first, so an interface IP address beginning with 172.16.1 matches the command that references area 8.

2. D. ABRs, by definition, connect the backbone area to one or more nonbackbone areas. To perform this function, a router must have at least one interface assigned to the backbone area and at least one interface assigned to a nonbackbone area.

3. B and C. First, for the two correct answers: show ip ospf interface brief explicitly lists all OSPF-enabled interfaces that are not passive. show ip protocols lists either the details of the configured network commands, or if configured using the ip ospf area command, it lists the interfaces on which OSPF is enabled. This command also lists the passive interfaces, so armed with interface IP address information, the list of OSPF-enabled nonpassive interfaces could be derived. Of the three wrong answers, show ip ospf database does not list enough detail to show the OSPF-enabled interfaces. show ip route ospf lists only routes learned with OSPF, so if no routes use a particular OSPF-enabled interface as an outgoing interface, this command would not indirectly identify the interface. Finally, an interface might be OSPF-enabled but with no neighbors reachable on the interface, so the show ip ospf neighbor command might not identify all OSPF-enabled interfaces.

4. B and C. On a LAN, the non-DRs form fully adjacent neighborships with only the DR and BDR, giving R1 two neighbors in the FULL state. The other two neighbors settle into the 2-Way state.

5. C and D. The show ip ospf interface command displays a router’s OSPF Hello Interval setting for each enabled interface. The other listed commands do not display the timer. Also, OSPF routers do need to have matching Hello timers to become neighbors, so the neighborship would fail.

6. E. Table 7-5 in Chapter 7 lists the issues. For OSPF, Router IDs must be unique, the interfaces must not be passive, the dead timers must match, and the primary IP addresses must be in the same subnet, with the same subnet mask. However, the process IDs, found in the router ospf process-id command, do not have to match.

7. A. Frame Relay is a Layer 2 service and as such does not participate in customer routing protocols. Because the design uses a separate subnet per PVC, and one point-to-point subinterface per PVC/subnet, OSPF will use a point-to-point network type. That means that the two routers on either end of a PVC will become neighbors, and become fully adjacent, meaning that the central-site router will have 100 fully adjacent neighborships.

8. D. The answer with area 0 virtual-link 4.4.4.4 cost 3 is incorrect, because the show command output lists a transit area of 1, but the answer’s area parameter refers to area 0 as the transit area. (There is also no cost parameter on the area virtual-link command.) The RID of the router on the other end of the virtual link, 4.4.4.4 per the show command output, does not have to be pingable for the virtual link to work. The cost of the virtual link is 3, but that cost is calculated as the cost to reach the other router through the transit area, so the command output listed with the question cannot be used to predict Fa0/1’s OSPF interface cost alone. However, because the output lists area 1 as the transit area, and because the neighbor RID is listed as 4.4.4.4, R1 will use the area 1 LSDB entries to calculate the cost to reach 4.4.4.4, a process that will include the area 1 Type 1 LSA for RID 4.4.4.4.

9. B. The area virtual-link command defines the virtual link, with the transit area—the area through which the virtual link passes—listed as the first parameter. The other parameter is the RID of the other router. Two of the wrong answers are not Cisco IOS commands.
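
The wildcard-mask matching described in answer 1 of this chapter (and in Chapter 4, answer 1), as an added Python example that is not from the book: it compares an interface address with each network statement and tries the most specific wildcard mask first. Area 9 on the broader statement and the interface addresses are constructed, and keeping configuration order between statements with equally specific masks is an assumption of this model.

```python
import ipaddress
from typing import List, NamedTuple, Optional

MASK32 = 0xFFFFFFFF


class NetworkStmt(NamedTuple):
    address: int
    wildcard: int
    area: int


def parse_network(line: str) -> NetworkStmt:
    """Parse 'network A.B.C.D W.X.Y.Z area N'."""
    tok = line.split()
    if len(tok) != 5 or tok[0] != "network" or tok[3] != "area":
        raise ValueError(f"unrecognized network statement: {line!r}")
    return NetworkStmt(int(ipaddress.IPv4Address(tok[1])),
                       int(ipaddress.IPv4Address(tok[2])),
                       int(tok[4]))


def wildcard_matches(ip: str, address: int, wildcard: int) -> bool:
    """Compare only the bits where the wildcard mask holds a binary 0."""
    care = ~wildcard & MASK32
    return (int(ipaddress.IPv4Address(ip)) & care) == (address & care)


def area_for_interface(ip: str, stmts: List[NetworkStmt]) -> Optional[int]:
    """Area of the first matching statement, most specific wildcard first."""
    # Most binary 0s in the wildcard = fewest binary 1s. sorted() is stable,
    # so equally specific statements keep configuration order (assumption).
    ordered = sorted(stmts, key=lambda s: bin(s.wildcard).count("1"))
    for stmt in ordered:
        if wildcard_matches(ip, stmt.address, stmt.wildcard):
            return stmt.area
    return None                      # OSPF is not enabled on this interface


# The broader statement is listed first on purpose; area 9 is constructed.
CONFIG = [parse_network(text) for text in (
    "network 172.16.0.0 0.0.255.255 area 9",
    "network 172.16.1.0 0.0.0.255 area 8",
)]

if __name__ == "__main__":
    for ip in ("172.16.1.1", "172.16.2.1", "10.1.1.1"):   # constructed
        print(ip, area_for_interface(ip, CONFIG))
```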

Chapter 8

1. D. As an ABR connected to areas 0 and 2, ABR2 will have LSDB entries for both area 0 and area 2. In area 0, ABR2 learns Type 1 LSAs from the four routers internal to area 0, plus ABR1, and plus 1 for the area 0 Type 1 LSA that ABR2 creates for itself. In area 2, ABR2 learns 1 each for the five routers internal to area 2, plus the 1 Type 1 LSA ABR2 created for itself inside area 2. The total is 12.

2. E. OSPF creates a Type 2 LSA for a subnet when the router interface connected to the subnet calls for the election of a designated router (DR) and at least two routers have discovered each other and elected a DR. Then, the DR creates and floods the Type 2 LSA. IOS by default does not elect a DR on point-to-point topologies. It does on router LAN interfaces. One answer states that one router only exists in the subnet, so it does not actually find a second router and elect a DR. In the other case, a DR and BDR have been elected, but the router described in the answer is the BDR, not the DR. So, none of the other answers is correct.

3. C. Each ABR, by definition, creates a single Type 3 LSA to represent a subnet known in one area to be advertised into another area. Assuming that 10.100.0.0 is a subnet in area 0, both ABR1 and ABR2 would advertise a Type 3 LSA into area 100. The show ip ospf database summary command specifically lists Type 3 network summary LSAs.

4. C. The Database Description (DD) packet lists a short LSA header but not the entire LSA. The Link State Request (LSR) packet asks the neighbors for a copy of an LSA. The Link State Update (LSU) holds the LSAs. LSAck simply acknowledges received LSAs, and Hello is used for neighbor discovery and neighbor state maintenance.

5. B and D. Because the subnet was stable before R5 arrived, the other routers will have elected a DR and BDR. OSPF does not preemptively elect a new DR or BDR, so R5 will be neither (DROther). As a result, R5’s messages to the DR will be sent to the 224.0.0.6 all-DR-routers multicast address, and the DR’s messages directed to R5 will be sent to the 224.0.0.5 all-SPF-router address.

6. E. R1, internal to area 1, can use LSAs only in the area 1 LSDB. R2’s Type 1 LSA exists only in area 2’s LSDB. The Type 2 LSA for subnet 10.1.1.0/24, if one exists, also only exists in area 2’s LSDB. R1 will use ABR1’s Type 1 LSA in area 1 to calculate the possible intra-area routes inside area 1, but R1 will use ABR1’s Type 1 LSA in area 1. Finally, the Type 3 LSA, created for 10.1.1.0/24 and flooded into area 1, is also needed to calculate the metric.

7. A and B. OSPF builds the SPF tree based on the topology information in Type 1 and Type 2 LSAs. Changes therefore require another SPF run. Changes to the other LSA types do not require an SPF calculation.

8. A and B. Because none of the interfaces have a bandwidth command configured, the only commands that can influence the OSPF cost are the auto-cost reference-bandwidth router subcommand and the ip ospf cost interface subcommand. To give the output shown in the question, the interface cost could be set directly on all three interfaces listed. Alternatively, the reference bandwidth could be set (in router configuration mode) to cause one of the interface costs to be as shown in the output, with the other two interfaces having their costs set directly.

For the wrong answers, the ip ospf cost interface s0/0/0.1 router subcommand does not exist—instead, it is an interface subcommand. An auto-cost of 64700, used as the numerator in the ref-bw/bandwidth cost calculation, does not result in any of the three listed interface costs.

For the two correct answers, with a default bandwidth of 1544 (kbps) on the serial subinterfaces, a reference bandwidth of 1000 (Mbps) implies the math 1,000,000 / 1544, for an interface cost of 647. With a default bandwidth of 100,000 kbps (100 Mbps) on Fa0/0, a reference bandwidth of 2000 (Mbps) implies math of 2000 / 100 = 20.

9. A, B, and C. OSPF uses Types 1, 2, and 3 for calculating routes internal to the OSPF domain. OSPF uses Types 4, 5, and 7 for external routes redistributed into the OSPF domain, as discussed in Chapter 10, “Route Redistribution.”

Chapter 9

1. C. The output lists all of B1’s routes for subnets within the range 10.1.0.0–10.1.255.255 whose prefix lengths are longer than /16. One answer lists subnet 10.2.2.0/24, which is not in this range, so the output cannot be used to confirm or deny whether the subnet was filtered. B1’s route for 10.1.2.0/24 is an intra-area route by virtue of not listing an inter-area (IA) code by the route. Type 3 LSA filtering only filters Type 3 LSAs, which routers use to calculate interarea routes, so the output tells us nothing about any filtering of 10.1.2.0/24. The output shows a single interarea route for 10.1.3.0/24, so at least one ABR has flooded a Type 3 LSA for this route. Additionally, the output confirms that at least one ABR flooded a Type 3 LSA for 10.1.3.0/24, or the output would not show an IA route for 10.1.3.0/24. So, the Type 3 LSA for 10.1.3.0/24 was not filtered by both ABRs.

2. C. When referenced from a distribute list, OSPF filters routes from being added to that router’s IP routing table but has no impact on the flow of LSAs. As such, neither A nor B is correct. An OSPF distribute-list command does attempt to filter routes from being added to the IP routing table by OSPF, so the two answers that mention the IP routing table might be correct. Sequence number 5 matches prefixes from 10.1.2.0 through 10.1.2.255, with prefix lengths in the range 25–27, and denies (filters) those prefixes. So, the prefix list will match 10.1.2.0/26 with the first line, with a deny action. The 10.1.2.0/24 subnet does not match the first line of the prefix list, but it does match the third line, the match all line, with a permit action. Because 10.1.2.0/26 is matched by a deny clause, this route is indeed filtered, so it is not added to R1’s IP routing table. 10.1.2.0/24, matched with a permit clause, is allowed and would be in the IP routing table.

3. A. When referenced from an area filter-list command, OSPF filters Type 3 LSAs created on that router, preventing them from being flooded into area 1 (per the configuration command). As an ABR, R1 would calculate intra-area routes to these area 0 subnets, so this filtering will have no effect on R1’s routes. Sequence number 5 matches prefixes from 10.1.2.0 through 10.1.2.255, with prefix lengths in the range 25–27, and denies (filters) those prefixes. So, the prefix list will match 10.1.2.0/26 with the first line, with a deny action. The 10.1.2.0/24 subnet does not match the first line of the prefix list, because the prefix length does not match. However, it does match the third line, the match all line, with a permit action. By matching subnet 10.1.2.0/26 with a deny action, the filter list does prevent R1 from flooding a Type 3 LSA for that subnet. By matching 10.1.2.0/24 with a permit action, R1 does not filter the Type 3 LSA for that subnet.

4. B and D. The area range command does not cause a failure in neighborships. Because at least one intra-area subordinate subnet of 10.1.0.0/16 exists in R1, R1 both creates a summary route for 10.1.0.0/16 and stops advertising LSAs for the (three) subordinate subnets. By default, the metric of the summary is the metric of the lowest-metric component subnet.

5. D. The show ip ospf database summary command lists only Type 3 LSAs. The summary-address command creates Type 5 LSAs on ASBRs, ruling out one answer. The output does not specify whether the LSA was created as a summary route; all references to the word “summary” refer to Type 3 Summary LSAs. If created by an area range command, the metric defaults to be the best metric of all subordinate subnets, but it can also be explicitly set, ruling out another of the possible answers. In short, this LSA can represent a route summarized by the area range command, but that fact cannot be proved or disproved by the output as shown.

6. B. Without the always parameter, the default-information originate command generates an LSA for a default route, with prefix 0.0.0.0/0, but only if its own IP routing table has a route for 0.0.0.0/0. It does not flag another LSA as being used as a candidate default route.

7. C and D. Both types of NSSA stubby areas allow the redistribution of external routes into an area, but these routes are advertised as Type 7 LSAs. As a totally NSSA, the ABR should flood no Type 5 LSAs into the area and flood no Type 3 LSAs into the area, except for the Type 3 LSAs used to advertise the default route into the area. As such, a router internal to a totally stubby area should see zero Type 5 LSAs and a small number of Type 3 LSAs for the default route(s) advertised by the ABR(s).

8. B. The stub keyword means either a stub area or a totally stubby area. The no-summary command means that the area is totally stubby.

9. B. When using OSPFv3’s Address Family configuration to support both IPv4 and IPv6, LSAs for both IPv4 and IPv6 networks populate a single link-state database. The database can be viewed with the show ospfv3 database command.

10. D. With Named EIGRP, all EIGRP configuration can be done under a single EIGRP virtual instance. However, with an OSPFv3 Address Family configuration, you have to enter interface configuration mode to instruct an interface to participate in the routing process. The command (issued in interface configuration mode) is ospfv3 process_id ipv6 area area_number.

11. C. OSPFv3 introduces two LSAs, Type 8 LSAs (called Link LSAs) and Type 9 LSAs (called Intra-Area Prefix LSAs).

The Type 8 LSAs, called Link LSAs, only exist on a local link, where they are used by a router to advertise its link-local address to all other routers on the same link. Additionally, the Type 8 LSA provides a listing of all IPv6 addresses associated with a link to routers on that link. OSPFv3 also uses the Type 8 LSA to set option bits for a specific network’s LSA.

A Type 9 LSA can send information about IPv6 networks (including stub networks) attached to a router (similar to the Type 1 LSA for IPv4 networks). Additionally, a Type 9 LSA can send information about transit network segments within an area (similar to the Type 2 LSA for IPv4 networks).
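The prefix-list matching walked through in Chapter 9 answers 2 and 3 can be checked with a small model. This is an added example, not code from the book: the ge/le evaluation follows standard IOS prefix-list semantics, and the list below is reconstructed from the answer text only, so sequence number 15 for the match-all line is an assumption and the list's second line, which the answers do not describe, is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None          # minimum prefix length, if configured
    le: Optional[int] = None          # maximum prefix length, if configured

    def length_range(self) -> Tuple[int, int]:
        # No ge/le: the route's length must equal the entry's length exactly.
        if self.ge is None and self.le is None:
            return self.prefix.prefixlen, self.prefix.prefixlen
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else 32
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_range()
        # The route must sit inside the entry's address range AND its
        # prefix length must fall inside [lo, hi].
        return lo <= route.prefixlen <= hi and route.subnet_of(self.prefix)


def evaluate(prefix_list: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, lowest seq first."""
    net = ipaddress.ip_network(route)
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action, entry.seq
    return "deny", None               # implicit deny when nothing matches


def filter_routes(prefix_list: List[Entry], routes: List[str]) -> List[str]:
    """Routes that survive the filter (installed in the RIB for a
    distribute list, or advertised as Type 3 LSAs for an area filter list)."""
    return [r for r in routes if evaluate(prefix_list, r)[0] == "permit"]


# Reconstructed from the answer text; seq 15 is a constructed number.
PREFIX_LIST = [
    Entry(5, "deny", ipaddress.ip_network("10.1.2.0/24"), ge=25, le=27),
    Entry(15, "permit", ipaddress.ip_network("0.0.0.0/0"), le=32),
]

if __name__ == "__main__":
    for r in ["10.1.2.0/26", "10.1.2.0/24", "10.1.2.64/27", "10.1.2.0/28"]:
        print(r, evaluate(PREFIX_LIST, r))
```

The /28 case shows why the length range matters as much as the address range: the subnet sits inside 10.1.2.0/24 but is longer than /27, so the deny line does not match it and the match-all line permits it.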

Chapter 10

1. D. The three incorrect answers list typical reasons for using route redistribution. The correct answer—the least likely reason among the answers for using route redistribution—lists a problem for which an OSPF virtual link is often used. Route redistribution could be attempted to solve a problem with a discontiguous OSPF area, but the redistribution completely changes the LSAs that would have otherwise been known and could have negative impacts on route summaries and cause routing loops, and have other problems as well.

2. B and D. For a router to redistribute routes between two routing protocols, the router must have both routing protocols configured, have a working link into each routing domain, and configure redistribute commands under each routing process. The redistribute command, issued in routing protocol configuration mode, pulls routes into that routing process from another routing process as referenced on the redistribute command.

3. B and C. Because the metrics come from a different routing protocol than EIGRP, the metric must be set. The metric must be set with five components; EIGRP will then use those components as it would for an internal route. The metric components can be set as listed in the two correct answers, plus using a route map as referenced by the redistribute command.

4. C. This output is the external data section of a detailed view of an EIGRP topology table entry for an external route. This output confirms that this route was redistributed into EIGRP. If R1 were the redistributing router, the output would include the phrase “(this system)”; this example does not include that notation. The output means that on the router that did the redistribution, the route was redistributed from OSPF process 1, and the OSPF metric was 64. R1’s metric is not based on the OSPF metric of the route.

5. B. The redistribute ospf command will attempt to redistribute OSPF routes and connected routes from interfaces on which OSPF is enabled. The metric components include 1000 kbps (or 1 Mbps), 100 tens-of-microseconds (or 1000 microseconds), 10 for the loading, 1 for the reliability, and 1500 for MTU. The EIGRP version of the redistribute command does not include a subnets option.

6. A and C. Because the routes come from OSPF and feed into OSPF, the metrics can be set with the usual tools or the metric can default. When taking routes from OSPF into another OSPF process, the default metric is taken from the source route’s OSPF cost. Alternatively, the metric can be set for all routes, regardless of the route source, using the default-metric OSPF subcommand. The metric transparent keywords cannot be used for an OSPF redistribute command.

7. D. This command lists the output of Type 4 Summary ASBR LSAs. The LSID identifies the redistributing ASBR (9.9.9.9). The advertising router is the ABR that created and flooded the LSA (3.3.3.3), and the metric is the ABR’s best metric route to reach the ASBR.

8. D. Routers add internal and external costs for E1 routes and use only external costs for E2 routes, so the cost for the route through R22 will always be lower. However, for a given prefix/length, OSPF always prefers intra-area routes first, then interarea, then E1, and finally, E2, all regardless of metric.

9. E. Because OSPF does not use hop count as a metric, the information about the number of hops is not available in OSPF routes in the IP routing table. The other answers list items that can be matched with the route map match subcommand.

10. A. The deny clauses in the route map mean that the route map will filter routes matched by that clause. The permit or deny action of the referenced ACLs just defines whether the route is matched. So, routes permitted by ACL “two” will be matched and then filtered because of the route map clause deny action. Routes denied by ACL “one” simply do not match the route map clause numbered 10; such routes might or might not be redistributed depending on the next two clauses. Clause number 100 does not have a match command, meaning that it matches all routes not otherwise matched, with a permit action, allowing these routes to be redistributed.

11. A and C. The problem states that R1 has learned OSPF intra-area routes for 10.1.1.0/24, so show ip route will display that subnet. As an intra-area route based on a Type 2 LSA, the show ip ospf database command lists the summary of the LSAs, including the 10.1.1.0 subnet number for that Type 2 LSA. However, because the redistribution filtering discards subnet 10.1.1.0/24, this value will not be included in the EIGRP topology table.

12. B. The external 2 parameters on the redistribute command act as matching logic. Only routes from the source routing protocol (in this case OSPF 2) that match this extra logic will be considered for redistribution by this redistribute command. The set metric-type type-1 route map subcommand sets the route type as it is injected into the destination routing protocol (in this case, OSPF 1); this logic is not used for matching the source routes. The routes permitted by ACL 1 will be redistributed, but only those that are also E2 routes from the (source) OSPF 2 domain. The redistribute function will not change the attributes of routes inside a single routing domain, but only in the destination routing domain (OSPF 1), so the configuration has no effect on the OSPF 2 routes that remain in OSPF 2.

13. C. EIGRP, by default, sets a different AD for internal (90) and external (170) routes. The rest of the answers are accurate regarding default settings.

14. A. All the answers list reasonable options in some cases, but the only feature listed that is useful with all three routing protocols is the route tag feature. RIPv2 does not support the concept of differentiating between internal and external routes, so the two answers that suggest setting administrative distance (AD) based on the route type (internal or external) could not be used in all three routing domains, as required by the question. All three routing protocols support setting route tags and setting the AD per route. However, because RIPv2 cannot match based on the route type (internal/external), the option to set the route tags is the only option that applies to all three routing domains.

15. D. AD can be used to prevent the domain loop problem with two routing domains by making each routing protocol’s AD for internal routes be better (lower) than the other routing protocol’s AD for external routes. RIP uses AD 120 for all routes, with no distinction of internal or external. As such, OSPF’s internal default AD settings of 110 meet the requirement that OSPF’s internal AD (110) is better than RIP’s external (120). However, RIP’s default of 120 is not better than OSPF’s default for externals (110), so the distance ospf external 180 command changes that setting to meet both requirements. The three wrong answers, while syntactically valid, do not help meet the requirements.

16. E. Route tags are unitless integers that can be given to a route and even passed between different routing protocols by routers that perform redistribution.

Chapter 11

1. B and C. Cisco Express Forwarding (CEF) maintains its information in two tables, the Adjacency Table (which contains information about Layer 2 adjacencies) and the Forwarding Information Base (FIB) (which contains Layer 3 information). The Routing Information Base (RIB) is a data structure used by a routing protocol such as OSPF. The ARP Cache contains IP address to MAC address mappings. Although information from the ARP Cache is used to help populate the Adjacency Table, the ARP Cache itself is not a CEF table.

2. D. To globally enable CEF on a router, use the ip cef command in global configuration mode. The ip flow egress interface configuration mode command is used to enable outbound NetFlow. The ip route-cache cef interface configuration mode command is used to enable CEF on an individual interface, if CEF has already been globally enabled on the router. The no ip route-cache interface configuration mode command is used to enable process switching on an interface.

3. A and C. PBR supports processing packets on an interface, for the inbound direction only. The referenced route map causes PBR to attempt policy routing of packets that match a permit clause in the route map.

4. B and E. Packets created by Telnet use TCP, so the packets will match ACL 101 with a permit action. PBR will match the only route map clause shown in the configuration, with the permit route map clause listing a set command. The set command lists S0/0/1 as the outgoing interface and without a default parameter. So, Router R1 will first attempt to forward the packet based on the set command (interface S0/0/1), but if the interface is down, R1 will then try to forward based on the IP routing table (interface S0/1/1).

5. D. The output from the show ip policy command shows the interfaces on which PBR has been enabled and the name of the route map enabled for PBR on each interface. For the purposes of this question, the output tells us the interfaces on which PBR has been enabled. Two answers mention packets exiting the interface. Therefore, these answers cannot be correct, because PBR applies to packets entering an interface. For the two interfaces that mention inbound packets, one suggests that all packets will be forwarded per the PBR configuration; some might not be forwarded per PBR, depending on the configuration of the route map. The correct answer specifically mentions that PBR will consider all packets with PBR, which is the more accurate statement about PBR operations.

6. A and B. The IP SLA feature focuses on IP traffic. Therefore, Cisco IOS does not include Novell’s older IPX protocol as part of IP SLA. IP SLA uses SNMP MIBs to store statistics, but it does not use SNMP as an operation.

7. C. The three lines shown create the operation number (first command), define the operation (second command), and start the operation (third command). All commands are correct. After the operation is started, IP SLA stores the data in the RTTMON MIB; no additional configuration is necessary.

8. D. The up timer on the tracking object defines how long to wait, when in a down state, after seeing the IP SLA object transition to an OK state. Similarly, the down timer defines how long to wait, when in an OK state, after seeing the IP SLA object move to a down state, before moving the tracking object to a down state.

9. D. Both Cisco EVN and VRF-Lite allow a single physical router to run multiple virtual router instances, and both technologies allow routes from one VRF to be selectively leaked to other VRFs. However, a major difference is the way that two physical routers interconnect. With VRF-Lite, a router is configured with multiple subinterfaces, one for each VRF. However, with Cisco EVN, routers interconnect using a VNET trunk, which simplifies configuration.

Chapter 12

1. D. A default route is specified with an IP address/mask combination of 0.0.0.0 0.0.0.0. As a best practice, you should point a default route to a next-hop IP address, rather than an Ethernet interface, because specifying an Ethernet interface can generate an excessive number of ARP requests and hurt router performance.

2. C. The command used to instruct an interface to obtain its IP address information from a DHCP server is ip address dhcp. All the other options are not valid commands.

3. A. The no ip dhcp client request router command can be used to prevent a router from automatically installing a static default route based on default gateway information learned from a DHCP server. None of the other options are valid commands.

4. C. The administrative distance (AD) of a static default route automatically installed in a router based on default gateway information provided by a DHCP server is 254. This makes the default static route a “floating static route,” meaning that it will only be used if another routing source (with a lower AD) does not know of a default static route.

5. C. Dynamic NAT (DNAT) allows an inside local address to be dynamically associated with an inside global address specified in a pool of available inside global addresses. Static NAT (SNAT) specifies an inside global address to be associated with an inside local address. Port Address Translation (PAT) allows multiple inside local addresses to use a single inside global address, for use when communicating on the Internet. MAT is not a valid variant of NAT.

6. B. An outside global address represents a device outside of a network with a globally routable address. In this scenario, the web server’s IP address of 203.0.113.10 would be an outside global address.

An inside local address represents a device inside of a network with an address that is not routable on the public Internet. In this scenario, the laptop’s IP address of 10.1.1.241 would be an inside local address.

An inside global address represents a device on the inside of our network with an address that is a globally routable address. In this scenario, the laptop’s translated address of 198.51.100.54 would be an inside global address.

An outside local address represents a device on the outside of a network that has an address that is not routable on the public Internet. For example, if NAT were being performed at a remote site, the destination device at the remote site would have an outside local address. In the scenario presented in this question, there is no outside local address.

7. A. An outside global address represents a device outside of a network with a globally routable address. In this scenario, the web server’s IP address of 203.0.113.10 would be an outside global address.

An inside local address represents a device inside of a network with an address that is not routable on the public Internet. In this scenario, the laptop’s IP address of 10.1.1.241 would be an inside local address.

An inside global address represents a device on the inside of our network with an address that is a globally routable address. In this scenario, the laptop’s translated address of 198.51.100.54 would be an inside global address.

An outside local address represents a device on the outside of a network that has an address that is not routable on the public Internet. For example, if NAT were being performed at a remote site, the destination device at the remote site would have an outside local address. In the scenario presented in this question, there is no outside local address.

Chapter 13

1. B and E. The private IPv4 address space consists of Class A network 10.0.0.0, Class B networks 172.16.0.0–172.31.0.0, and the 256 Class C networks that begin 192.168.

2. B. ICANN and IANA manage the assignment of public IPv4 address space such that large address blocks (often called CIDR blocks) exist in a particular geography or are assigned to particular ISPs. As such, Internet routers can more easily create summary routes to help keep the routing table small in the Internet. 200.1.2.0/24 would likely also be allocated to some registrar, ISP, or customer in Asia. Because of the large route summaries, in this case possibly a summary for 200.0.0.0/8, routers in North America would not see an increase in the size of their routing tables.

3. A. The router in ASN 22, R22, advertises the BGP update with (at least) 22 in the AS_Path Path Attribute (PA). When R1 advertises the route to R2, also in ASN 11, R1 does not add an ASN. As a result, R2’s AS_Path has at least ASN 22 and not ASN 11.

4. A and C. The public range of 16-bit BGP ASNs is 1 through 64,495.

5. D. The question asks which answers are true about the eBGP peer but also not true about an iBGP peer. Both iBGP and eBGP use TCP port 179. An eBGP peer uses a different ASN than the local router, by definition, making that answer incorrect. The correct answer refers to the fact that an eBGP peer adds its own ASN to the BGP AS_Path PA before sending routing information to another router, whereas iBGP peers do not.

6. A. Although using BGP does avoid some static configuration at the enterprise and the ISP, the primary reason to consider using BGP in the enterprise is to influence and react to Path Attributes for the purpose of choosing the best path. Typically, engineers do not redistribute BGP routes into the IGP because of scalability problems. And although it can be interesting to monitor the size of the Internet BGP table, it is not a primary motivation for choosing to use BGP on a router.

7. C and D. The term “homed” makes reference to a single-homed ISP, and “multi-homed” references multiple ISPs. The terms “single” and “dual” refer to the number of connections to each ISP.

8. B and C. The router bgp command lists the local ASN, and the neighbor remote-as command lists the neighbor’s ASN. Because the neighbor relationship uses the IP addresses on the common link, the routers do not need to identify the update source interface, because each will default to use their S0/0 interfaces (in this case) as the update source.

9. D. Three of the commands list valid commands. The neighbor 2.2.2.2 multihop 2 command is syntactically incorrect; it should be neighbor 2.2.2.2 ebgp-multihop 2.

10. D. The show ip bgp command lists the BGP neighbor state in the last column of output, listing the literal state, unless in an established state. In that state, the output lists the number of prefixes learned from the neighbor, so a numeric value implies an established state.

11. A and D. The output lists R2’s local ASN as ASN 11, a value that is configured in the router bgp asn command. The line for neighbor 1.1.1.1 lists that router’s ASN as 1, so a neighbor 1.1.1.1 remote-as 1 command should exist on R2 instead of the neighbor 1.1.1.1 remote-as 11 command. The state for neighbor 1.1.1.1 lists “Idle (Admin),” implying that the neighbor 1.1.1.1 shutdown command has been configured. The other answer lists a nonexistent command.

12. A. The BGP Update message lists a set of PAs, plus any prefixes/lengths that use those PAs. It can also list withdrawn routes in the same Update message as newly advertised routes. It can also list multiple prefixes in a single Update message.

13. C. The “Known via” text refers to the local router’s (R1’s) router bgp command, which identifies the local router’s ASN. The rest of the output does not identify the neighboring ASN, nor the rest of the AS_Path details. It does list that the route is external, with the text “type external” and the AS Hops (which is the AS_Path length).

14. A. The third character in each line for each router is either blank, meaning that the route is an eBGP route, or an “i,” meaning an iBGP-learned route. The contents of the AS_Path can be determined (1, 2, 3, 4), but the answer about AS_Path does not suggest four ASNs. The best route for each prefix has a “>” in the second character, and this route does not.

15. D. The network command will take the route from the IP routing table and put the equivalent into the BGP table, if that exact route exists. The output does not show a route for 130.1.16.0/20, so the network 130.1.16.0 mask 255.255.240.0 command does not match a specific route. The other answer with a network command is syntactically incorrect. Redistribution without aggregation would redistribute the three routes, but all three subordinate routes would be advertised into eBGP. By also using BGP route summarization, a single route for 130.1.16.0/20 can be advertised.

Chapter 14

1. C. R1 needs to be configured with router bgp 1, neighbor 2.2.2.2 remote-as 1, and neighbor 2.2.2.2 update-source loopback1. The neighbor 2.2.2.2 ibgp-multihop 2 and neighbor 2.2.2.2 ibgp-mode commands are simply unsupported commands. The neighbor 1.1.1.1 remote-as 1 command has correct syntax and is used as a command in R2’s configuration but not on R1. The neighbor 2.2.2.2 remote-as 2 command has the correct syntax but with the wrong ASN (2 instead of 1).

2. D. The small letter “i” in the third character position implies that the route was learned with iBGP. Of the five lines, four have an “i” in the third column.

3. B and C. The line reading “1.1.1.1 from 2.2.2.2...” implies the BGP RID of the neighbor is 1.1.1.1, with neighbor ID—the IP address on the local router’s neighbor command—of 2.2.2.2. The end of the output shows that the route is internal (iBGP learned) and is best, so both the > and i will be displayed for this route by the show ip bgp command. Finally, the output does not identify the local ASN, although it does list the AS_Path of the route (1, 2, 3, 4).

4. B. By default, when a router advertises an iBGP route, it leaves the Next-Hop PA unchanged. By default, R2’s next hop for routes learned from I2 will be I2’s IP address used on the R2-I2 neighbor relationship.

5. A and C. The enterprise core routers need to know which exit point (R1 or R2) is best; the correct answers supply those routes to the routers internal to the company. Note that redistribution from BGP into the IGP is not recommended, but it does defeat this particular problem.

6. B. The show ip bgp neighbors 2.2.2.2 advertised-routes command does list the post-outbound-filter BGP Update; however, the user did not issue a clear command, so the filter has not yet taken effect. As such, the output still lists the original three prefixes as if the filter had not yet been applied.

7. B, D, and E. The neighbor distribute-list out command refers to an ACL, but for the ACL to match on both prefix and prefix length, the ACL must be an extended ACL. The neighbor filter-list command refers to an AS-path filter and cannot match based on prefix/length.

8. A and B. The router resets the BGP neighborship when performing a hard reset of the peer. See Table 14-3 in the chapter for a list of several variations of the clear command and whether they perform a hard or soft reset.

9. B. Weight and Local_Pref were created for the purpose of giving engineers tools to influence the BGP best-path choice. AS_Path was created for loop avoidance, but AS_Path length can also be manipulated (for example, with AS_Path prepend) to influence the best-path choice. Although the Origin PA can be changed by configuration for the purpose of influencing the best-path decision, the intent of this PA is to identify the source from which the route was introduced into BGP. Additionally, the best-path algorithm considers the Origin PA after the other PAs listed in the answers, making Origin the least useful of these answers for influencing path choice.

10. A. Of the items listed in the question, Weight is the first one considered in the best-path algorithm, with a bigger Weight being better. As a result, Route 1 is the better route of the two.

11. B. Of the items listed in the question, Weight is the first one considered in the best-path algorithm, and it is a tie. The next item considered, Local Preference, uses bigger-is-better logic, so Route 2 will be considered best.

12. B and D. Weight, a Cisco-proprietary feature of BGP on Cisco routers, cannot be transmitted in a BGP Update, so setting Weight on an outbound route map at the ISPs will have no effect. Also, the goals call for setting Weight for all routes from an ISP to the same number, so creating a prefix list to match a subset of reachable prefixes, in this case all Class C networks, is not useful. However, two methods of configuring Weight do exist: the neighbor weight command and configuring an inbound route map with a set weight command in the route map.

13. B. The output shows the results of AS_Path prepending. The repetitive 1s cannot mean that the route has been advertised into and out of the same ASN repeatedly because loop prevention would have prevented such an advertisement. With AS_Path prepending, the neighboring ASN typically adds its own ASN to the end of the AS_Path (as listed on the left of the output).

14. C. The command lists the administrative distance as the first number inside the square brackets and the MED values as the second number in brackets. The AD of 20 implies an eBGP route instead of iBGP. The output says nothing about the Weight or AS_Path length.

Chapter 15

1. B. With Stateless Address Autoconfiguration (SLAAC), an ISP router could send Router Advertisements (RA), which advertise an IPv6 prefix, on the link connecting to a customer router. Stateless DHCPv6 uses SLAAC for IP address assignment and a DHCPv6 server to provide additional configuration options. Stateful DHCPv6 uses a DHCPv6 server for address assignment, as opposed to SLAAC. DHCPv6 Prefix Delegation (DHCPv6-PD) allows a DHCPv6 server to assign a collection of IPv6 networks to a DHCPv6 client (such as a router). However, stateless SLAAC is not a valid option.

2. D. The ipv6 route ::/0 next_hop_ipv6_address command is used to create a default static IPv6 route.

3. A, B, and D. In addition to the deny ipv6 any any implicit command (which blocks all IPv6 traffic) at the very bottom of an IPv6 ACL, the permit icmp any any nd-na and permit icmp any any nd-ns commands are used to permit Neighbor Discovery – Neighbor Advertisements and Neighbor Discovery – Neighbor Solicitations. These Neighbor Discovery commands are required for IPv6 to function properly.

4. B. When configuring IPv6 routing over an IPv4 BGP session, you need to create a route map that specifies the local router interface’s IPv6 address as the next-hop IPv6 address to advertise to its neighbor. However, this step is not a requirement when configuring IPv6 routing over an IPv6 BGP session.

5. A, C, and D. The show bgp ipv6 unicast summary command displays several valuable pieces of information, including the local router’s BGP router ID, a list of configured BGP neighbors, and the AS of configured BGP neighbors. However, while the show bgp ipv6 unicast summary command does not list IPv6 routes known to the BGP table, the show bgp ipv6 unicast command does.

6. A and B. The only valid options after ipv6 prefix-list LIST1 seq 10 permit 2000::/16 are le (meaning less than or equal to) and ge (meaning greater than or equal to). The number of bits in the prefix length then follows those options.

7. C. The AS path length and weights are the same for both next hops. However, the next-hop IPv6 address of 2000:3::2 has a higher Local Preference (150) than 2000:2::2 (50). Therefore, 2000:3::2 is chosen as the best next hop (as indicated with the “>” sign). Also, while having a lower router ID can cause BGP to select a best path, it is used as a tiebreaker, which is not needed in this example.

Chapter 16

1. B and D. Unicast Reverse Path Forwarding (uRPF) can help prevent IP spoofing attacks by checking the source IP address of received traffic and verifying that the traffic is arriving on the interface that would be used to send traffic to that IP address. ACLs can also be used to help prevent IP spoofing attacks by denying traffic coming in on an interface having a source address that lives off of a different interface. AAA is a technology that is used to authenticate users, authorize what they can do, and keep a log of what they did. However, AAA does not protect against IP spoofing attacks. CAR (Committed Access Rate) is a legacy quality of service (QoS) policing mechanism that does not protect against IP spoofing.

2. B. Hot Standby Router Protocol (HSRP) is a first-hop redundancy protocol that provides router redundancy. Specifically, HSRP can have two or more routers capable of servicing a single IP address, and that IP address can be used as the default gateway IP address for devices residing on a subnet connected to the HSRP routers. SNMP is a network management protocol. AAA is a technology that is used to authenticate users, authorize what they can do, and keep a log of what they did. TACACS+ is a type of server that can be used with AAA.

3. B and C. A periodic time-based ACL can specify a recurring time period during which the ACL will be active. An absolute time-based ACL can specify a specific starting and ending time and date (or just an ending time and date). A reflexive ACL contains temporary entries that are created when a session begins. There is no “adaptive” ACL.

4. D. An infrastructure ACL is typically an extended ACL that is applied to routers residing on the outer edges of an enterprise network. The primary purpose of this ACL is to prevent malicious traffic from entering the enterprise. A time-based ACL is an ACL that specifies a time period during which the ACL is active. A reflexive ACL contains temporary entries that are created when a session begins. “Absolute” is a type of time-based ACL.

5. A and C. Of the options listed, only host name and domain name are used by a router when generating an RSA key pair.

6. D. Type 7 password encryption is a very weak encryption, and it uses the Vigenere cipher. A Type 0 password has no encryption. A Type 4 password is represented by an SHA-256 hash value, and a Type 5 password is represented by an MD5 hash value.

7. B. Unicast Reverse Path Forwarding (uRPF) has three modes of operation: strict mode, loose mode, and VRF mode. In strict mode, a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router’s FIB, but the packet must also be arriving on the same interface that the router would use to send traffic back to that IP address. In loose mode, a router only verifies that the source IP address of the packet is reachable, based on the router’s FIB. VRF mode is similar to loose mode, in that the source IP addresses are checked against the FIB of a specific VRF. There is no auto or desirable uRPF mode.
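The strict and loose checks described in answer 7 can be modeled as a FIB lookup followed by an interface comparison. The following Python sketch is an added example, not material from the book; the FIB entries, interface names, and function names are constructed for illustration, and the model ignores default routes and equal-cost paths.

```python
import ipaddress

# Constructed FIB for illustration: (prefix, egress interface).
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),
    (ipaddress.ip_network("10.1.5.0/24"), "Gi0/2"),
    (ipaddress.ip_network("192.0.2.0/24"), "Gi0/3"),
]

def fib_lookup(src, fib=FIB):
    """Longest-prefix match on the source address.

    Returns the interface the router would use to reach src, or None.
    """
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def urpf_check(src, in_ifc, mode, fib=FIB):
    """Return True if a packet from src arriving on in_ifc passes uRPF.

    loose : the source only has to be reachable according to the FIB.
    strict: the source must be reachable AND the packet must arrive on
            the interface the router would use to send traffic back.
    VRF mode can be modeled as loose mode with that VRF's FIB passed in.
    """
    egress = fib_lookup(src, fib)
    if egress is None:
        return False              # no route back to the source: drop
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == in_ifc
    raise ValueError("mode must be 'strict' or 'loose'")

def evaluate(packets, mode):
    """Apply the check to (source, ingress interface) pairs."""
    return [urpf_check(src, ifc, mode) for src, ifc in packets]

# Constructed sample traffic: (source address, ingress interface).
SAMPLE = [
    ("10.1.5.9", "Gi0/2"),     # arrives on the return-path interface
    ("10.1.5.9", "Gi0/1"),     # routable source, wrong interface
    ("203.0.113.7", "Gi0/3"),  # source not in the FIB at all
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, evaluate(SAMPLE, mode))
```

The second sample packet is the case that separates the two modes: its source is routable, so loose mode accepts it, but it arrives on an interface other than the one the longest-prefix match points to, so strict mode drops it.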

8. B and D. TACACS+ and RADIUS are each protocols that can be used by a AAA server. TACACS+ uses TCP, while RADIUS uses UDP. TACACS+ encrypts an entire packet, while RADIUS only encrypts a password. TACACS+ offers basic accounting functionality. However, RADIUS offers robust accounting. Also, TACACS+ is a Cisco-proprietary protocol, while RADIUS is an open standard protocol.

Chapter 17

1. A and C. Cisco IOS supports both plain text and hashing authentication for neighboring routers to authenticate themselves to one another. Plain text authentication sends a shared secret key across a network in clear text. However, hashing authentication sends the hash value of a key across a network, as opposed to the key itself. Therefore, hashing authentication is considered more secure. There is no support for two-factor or biometric authentication to authenticate neighboring routers.

2. C. A key string specifies a preshared key to be used between routers. Therefore, the key string must match on two routers for them to mutually authenticate. The key chain name and key number values are locally significant and do not have to match on a neighboring router. Also, as long as a matching key on each router is currently active, the specific send and receive lifetimes do not have to match on mutually authenticating routers.

3. B and C. Plain text authentication is not supported by Named EIGRP, nor is Password Authentication Protocol (PAP), which might be found on WAN connections using the Point-to-Point Protocol (PPP). Named EIGRP does support both MD5 and SHA hashing authentication. Traditional EIGRP does not support SHA hashing authentication, but does support MD5 hashing authentication.

4. A. A key chain, which consists of one or more key numbers each of which can be assigned a key string, can be viewed with the show key chain Cisco IOS command. None of the other options are valid Cisco IOS commands.

5. B. OSPF can have authentication enabled at the area level (in router configuration mode) or at the interface level (in interface configuration mode). The question states that authentication is functioning and is using MD5 hashing, but there is no area 0 authentication message-digest command in router configuration mode. Therefore, OSPF MD5 authentication must be enabled in interface configuration mode, which is done with the ip ospf authentication message-digest command.

6. A and B. Authentication is not a feature natively built into OSPFv3. However, OSPFv3 can leverage IPsec for authentication (and even encryption). As a result, both the MD5 and SHA hashing algorithms can be used. Plain text authentication is not supported by OSPFv3, nor is Password Authentication Protocol (PAP), which might be found on WAN connections using the Point-to-Point Protocol (PPP).

7. C. BGP only supports MD5 for neighbor authentication. Neither plain text nor SHA is supported, and Diffie-Hellman Group 1 is an approach to exchanging shared secret keys over an untrusted network.

8. C. Unlike OSPF and EIGRP, which can dynamically find neighbors through multicast, BGP requires neighbors to be statically configured. Therefore, BGP is less susceptible to a malicious user adding a router to a network and using that router to corrupt the routing table of production routers. However, after a session (which is TCP-based) is established between two BGP neighbors, a malicious user could attempt to do session hijacking to take over the existing BGP neighborship.