Implementing Cisco IP Routing

نمونه سوالات آزمون
Implementing Cisco IP Routing - exam 300-101

Topic 3, Layer 3 Technologies

QUESTION NO: 41

Refer to the exhibit.

What percent of R1’s interfaces bandwidth is EIGRP allowed to use?

A. 10
B. 20
C. 30
D. 40

Answer: B
Explanation:

The relevant configuration of R1 is shown below:

ip bandwidth-percent eigrp 1 20
1 = the EIGRP AS
20 = 20% of the bandwidth

QUESTION NO: 42 Labrator

You have been asked to evaluate an OSPF network setup in a test lab and to answer questions a customer has about its operation. The customer has disabled your access to the show running-config command.

How old is the Type 4 LSA from Router 3 for area 1 on the router R5 based on the output you have examined?

A. 1858
B. 1601
C. 600
D. 1569

Answer: A
Explanation:

Part of the “show ip ospf topology” command on R5 shows this:

The Link ID of R3 (3.3.3.3) shows the age is 1858.

QUESTION NO: 43 Labrator

Which of the following statements is true about the serial links that terminate in R3

A. The R1-R3 link needs the neighbor command for the adjacency to stay up
B. The R2-R3 link OSPF timer values are 30, 120, 120
C. The R1-R3 link OSPF timer values should be 10,40,40
D. R3 is responsible for flooding LSUs to all the routers on the network.

Answer: B

Explanation:

We can see the configured timers using the following command:

Next, the seventh bit from the left, or the universal/local (U/L) bit, needs to be inverted. This bit identifies whether this interface identifier is universally or locally administered. If 0, the address is locally administered and if 1, the address is globally unique. It is worth noticing that in the OUI portion, the globally unique addresses assigned by the IEEE has always been set to 0 whereas the locally created addresses has 1 configured. Therefore, when the bit is inverted, it maintains its original scope (global unique address is still global unique and vice versa). The reason for inverting can be found in RFC4291 section 2.5.1.

QUESTION NO: 44 Labrator

How many times was SPF algorithm executed on R4 for Area 1?

A. 1
B. 5
C. 9
D. 20
E. 54
F. 224

Answer: C
Explanation:

This can be found using the “show ip ospf” command on R4. Look for the Area 1 stats which shows this:

QUESTION NO: 45

Areas of Router 5 and 6 are not normal areas, inspect their routing tables and determine which statement is true?

A. R5's Loopback and R6's Loopback are both present in R5's Routing table
B. R5's Loopback and R6's Loopback are both present in R6's Routing table
C. Only R5's loopback is present in R5's Routing table
D. Only R6's loopback is present in R5's Routing table
E. Only R5's loopback is present in R6's Routing table

Answer: A
Explanation:

Here are the routing tables of R5 and R6:

Topic 4, VPN Technologies

QUESTION NO: 46

A company has just opened two remote branch offices that need to be connected to the corporate network. Which interface configuration output can be applied to the corporate router to allow communication to the remote sites?

A. interface Tunnel0
bandwidth 1536
ip address 209.165.200.230 255.255.255.224
tunnel source Serial0/0
tunnel mode gre multipoint

B. interface fa0/0
bandwidth 1536
ip address 209.165.200.230 255.255.255.224
tunnel mode gre multipoint

C. interface Tunnel0
bandwidth 1536
ip address 209.165.200.231 255.255.255.224
tunnel source 209.165.201.1
tunnel-mode dynamic

D. interface fa 0/0
bandwidth 1536
ip address 209.165.200.231 255.255.255.224
tunnel source 192.168.161.2
tunnel destination 209.165.201.1
tunnel-mode dynamic

Answer: A
Explanation:

The configuration of mGRE allows a tunnel to have multiple destinations. The configuration of mGRE on one side of a tunnel does not have any relation to the tunnel properties that might exist at the exit points. This means that an mGRE tunnel on the hub may connect to a p2p tunnel on the branch. Conversely, a p2p GRE tunnel may connect to an mGRE tunnel. The distinguishing feature between an mGRE interface and a p2p GRE interface is the tunnel destination. An mGRE interface does not have a configured destination. Instead the GRE tunnel is configured with the command tunnel mode gre multipoint. This command is used instead of the tunnel destination x.x.x.x found with p2p GRE tunnels. Besides allowing for multiple destinations, an mGRE tunnel requires NHRP to resolve the tunnel endpoints. Note, tunnel interfaces by default are point-topoint (p-p) using GRE encapsulation, effectively they have the tunnel mode gre command, which is not seen in the configuration because it is the default.
The mGRE configuration is as follows:
!
interface Tunnel0

bandwidth 1536

ip address 10.62.1.10 255.255.255.0
tunnel source Serial0/0
tunnel mode gre multipoint

QUESTION NO: 47

A network engineer executes the show crypto ipsec sa command. Which three pieces of information are displayed in the output? (Choose three.)

A. inbound crypto map
B. remaining key lifetime
C. path MTU
D. tagged packets
E. untagged packets
F. invalid identity packets

Answer: A,B,C
Explanation:

show crypto ipsec sa
This command shows IPsec SAs built between peers. The encrypted tunnel is built between 12.1.1.1 and 12.1.1.2 for traffic that goes between networks 20.1.1.0 and 10.1.1.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs.
This output shows an example of the show crypto ipsec sa command (bolded ones found in
answers for this question).
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2

path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:

QUESTION NO: 48

Refer to the following output:

Router#show ip nhrp detail
10.1.1.2/8 via 10.2.1.2, Tunnel1 created 00:00:12, expire 01:59:47
TypE. dynamic, Flags: authoritative unique nat registered used
NBMA address: 10.12.1.2

What does the authoritative flag mean in regards to the NHRP information?

A. It was obtained directly from the next-hop server.
B. Data packets are process switches for this mapping entry.
C. NHRP mapping is for networks that are local to this router.
D. The mapping entry was created in response to an NHRP registration request.
E. The NHRP mapping entry cannot be overwritten.

Answer: A
Explanation:

QUESTION NO: 49

Which common issue causes intermittent DMVPN tunnel flaps?

A. a routing neighbor reachability issue
B. a suboptimal routing table
C. interface bandwidth congestion
D. that the GRE tunnel to hub router is not encrypted

Answer: A
Explanation:

DMVPN Tunnel Flaps Intermittently
Problem
DMVPN tunnel flaps intermittently.
Solution
When DMVPN tunnels flap, check the neighborship between the routers as issues with neighborship formation between routers may cause the DMVPN tunnel to flap. In order to resolve this problem, make sure the neighborship between the routers is always up.

QUESTION NO: 50

Which encapsulation supports an interface that is configured for an EVN trunk?

A. 802.1Q
B. ISL
C. PPP
D. Frame Relay
E. MPLS
F. HDLC

Answer: A
Explanation:

Restrictions for EVN
• An EVN trunk is allowed on any interface that supports 802.1q encapsulation, such as Fast Ethernet, Gigabit Ethernet, and port channels.
• A single IP infrastructure can be virtualized to provide up to 32 virtual networks end-to-end.
• If an EVN trunk is configured on an interface, you cannot configure VRF-Lite on the same interface.
• OSPFv3 is not supported; OSPFv2 is supported.

QUESTION NO: 51

Which three characteristics are shared by subinterfaces and associated EVNs? (Choose three.)

A. IP address
B. routing table
C. forwarding table
D. access control lists
E. NetFlow configuration

Answer: A,B,C
Explanation:

A trunk interface can carry traffic for multiple EVNs. To simplify the configuration process, all the subinterfaces and associated EVNs have the same IP address assigned. In other words, the trunk interface is identified by the same IP address in different EVN contexts. This is accomplished as a result of each EVN having a unique routing and forwarding table, thereby enabling support for overlapping IP addresses across multiple EVNs.

QUESTION NO: 52

A user is having issues accessing file shares on a network. The network engineer advises the user to open a web browser, input a prescribed IP address, and follow the instructions. After doing this, the user is able to access company shares. Which type of remote access did the engineer enable?

A. EZVPN
B. IPsec VPN client access
C. VPDN client access
D. SSL VPN client access

Answer: D
Explanation:

The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. Without a previously installed client, remote users enter the IP address in their browser of an interface configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.
After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.

QUESTION NO: 53

Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol, NHRP, and Cisco Express Forwarding?

A. FlexVPN
B. DMVPN
C. GETVPN
D. Cisco Easy VPN

Answer: B

Explanation:

Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco IOS-based routers and Unix-like Operating Systems based on the standard protocols, GRE, NHRP and IPsec. This DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is required to accept new spokes. Using this initial huband- spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke networks. DMVPN is combination of the following technologies.

Topic 5, Infrastructure Security

QUESTION NO: 54

Which traffic does the following configuration allow?

ipv6 access-list cisco
permit ipv6 host 2001:DB8:0:4::32 any eq ssh
line vty 0 4
ipv6 access-class cisco in

A. all traffic to vty 0 4 from source 2001:DB8:0:4::32
B. only ssh traffic to vty 0 4 from source all
C. only ssh traffic to vty 0 4 from source 2001:DB8:0:4::32
D. all traffic to vty 0 4 from source all

Answer: C

Explanation:

Here we see that the IPv6 access list called “cisco” is being applied to incoming VTY connections to the router. IPv6 access list has just one entry, which allows only the single IPv6 IP address of 2001:DB8:0:4::32 to connect using SSH only.

QUESTION NO: 55

For troubleshooting purposes, which method can you use in combination with the “debug ip packet” command to limit the amount of output data?

A. You can disable the IP route cache globally.
B. You can use the KRON scheduler.
C. You can use an extended access list.
D. You can use an IOS parser.
E. You can use the RITE traffic exporter.

Answer: C

Explanation:

The debug ip packet command generates a substantial amount of output and uses a substantial
amount of system resources. This command should be used with caution in production networks.
Always use with the access-list command to apply an extended ACL to the debug output.

QUESTION NO: 56

Refer to the following access list.

access-list 100 permit ip any any log

After applying the access list on a Cisco router, the network engineer notices that the router CPU utilization has risen to 99 percent. What is the reason for this?

A. A packet that matches access-list with the "log" keyword is Cisco Express Forwarding switched.
B. A packet that matches access-list with the "log" keyword is fast switched.
C. A packet that matches access-list with the "log" keyword is process switched.
D. A large amount of IP traffic is being permitted on the router.

Answer: C

Explanation:

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages.

QUESTION NO: 57

Which address is used by the Unicast Reverse Path Forwarding protocol to validate a packet against the routing table?

A. source address
B. destination address
C. router interface
D. default gateway

Answer: A
Explanation:

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For example, a number of common types of denial-of-service (DoS) attacks, including Smurf and Tribal Flood Network (TFN), can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets that have source addresses that are valid and consistent with the IP routing table. This action protects the network of the ISP, its customer, and the rest of the Internet.

QUESTION NO: 58

What are the three modes of Unicast Reverse Path Forwarding?

A. strict mode, loose mode, and VRF mode
B. strict mode, loose mode, and broadcast mode
C. strict mode, broadcast mode, and VRF mode
D. broadcast mode, loose mode, and VRF mode

Answer: A
Explanation:

Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode. Note that not all network devices support all three modes of operation. Unicast RPF in VRF mode will not be covered in this document.
When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet. Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router's choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network.

When administrators use Unicast RPF in loose mode, the source address must appear in the routing table. Administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process. Additionally, a packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An access list may also be specified that permits or denies certain source addresses in Unicast RPF loose mode.
Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic. Although asymmetric traffic flows may be of concern when deploying this feature, Unicast RPF loose mode is a scalable option for networks that contain asymmetric routing paths.

QUESTION NO: 59

What does the following access list, which is applied on the external interface FastEthernet 1/0 of the perimeter router, accomplish?

router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router (config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router (config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router (config)#access-list 101 permit ip any any
router (config)#interface fastEthernet 1/0
router (config-if)#ip access-group 101 in

A. It prevents incoming traffic from IP address ranges 10.0.0.0-10.0.0.255, 172.16.0.0- 172.31.255.255, 192.168.0.0-192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.

Answer: C
Explanation:

The private IP address ranges defined in RFC 1918 are as follows:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
These IP addresses should never be allowed from external networks into a corporate network as they would only be able to reach the network from the outside via routing problems or if the IP addresses were spoofed. This ACL is used to prevent all packets with a spoofed reserved private source IP address to enter the network. The log keyword also enables logging of this intrusion attempt.

QUESTION NO: 60

Refer to the following command:

router(config)# ip http secure-port 4433

Which statement is true?

A. The router will listen on port 4433 for HTTPS traffic.
B. The router will listen on port 4433 for HTTP traffic.
C. The router will never accept any HTTP and HTTPS traffic.
D. The router will listen to HTTP and HTTP traffic on port 4433.

Answer: A

Explanation:

To set the secure HTTP (HTTPS) server port number for listening, use the ip http secure-port command in global configuration mode. To return the HTTPS server port number to the default, use the no form of this command.
ip http secure-port port-number
no ip http secure-port
Syntax Description
port-number
Integer in the range of 0 to 65535 is accepted, but the port number must be higher than 1024 unless the default is used. The default is 443.