What is InterVLAN routing?

As we learned, devices within a VLAN can communicate with each other without the need of Layer 3 routing. But devices in separate VLANs require a Layer 3 routing device to communicate with one another. For example, in the topology below host A and B can communicate with each other without a router in the same VLAN 10; host C and D can communicate in the same VLAN 20. But host A can’t communicate with host C or D because they are in different VLANs.

To allow hosts in different VLANs communicate with each other, we need a Layer 3 device (like a router) for routing:

The routing traffic from one VLAN to another VLAN is called InterVLAN routing.

Now host A can communicate with host C or D easily. Now let’s see how the traffic is sent from host A to host D. First, traffic from host A is sent to the switch. The switch tags the frame as originating on VLAN 10 and checks the destination. Switch knows the destination host is in a different VLAN so it forwards that traffic to the router. In turn, the router makes routing decision from VLAN 10 to VLAN 20 and sends back that traffic to the switch, where it is forwarded out to host D.

Notice that the routing decision to another VLAN is done by the router, not the switch. When frames leave the router (step 3 in the picture above), they are tagged with VLAN 20.

Also notice that receiving ends (host A & D in this case) are unaware of any VLAN information. Switch attaches VLAN information when receiving frames from host A and removes VLAN information before forwarding to host D.

But there is one disadvantage in the topology above: for each VLAN we need a physical connection from the router to the switch but in practical, the interfaces of the router are very limited. To overcome this problem, we can create many logical interfaces in one physical interface. For example from a physical interface fa0/0 we can create many sub-interfaces like fa0/0.0, fa0/0.1 … Now this router is often called “router on a stick” (maybe because there is only one physical link connecting from router so it looks like a router on a stick ^^)

The router treats each sub-interface as a separate physical interface in routing decisions -> data can be sent and received in the same physical interface (but different sub-interfaces) without being dropped by the split-horizon rule in the case you want to send routing updates through the router from one VLAN to another.

Configuring InterVLAN routing

Now you understand how InterVLAN works. To accomplish InterVLAN routing, some configuration must be implemented on both router and switch. Let’s see what actions need to be completed when we want to configure InterVLAN in “router on a stick” model using the above topology.

+ The switch port connected to the router interface must be configured as trunk port.
+ The router sub-interfaces must be running a trunking protocol. Two popular trunking protocols in CCNA are 802.1q (open standard) and InterSwitch Link (ISL, a Cisco propriety protocol).
+ Set IP address on each sub-interface.

To help you understand more clearly about InterVLAN, the main configuration of router & switch are shown below:

Configure trunk port on switch:

Switch(config)#interface f0/0
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode trunk

Create sub-interfaces, set 802.1Q trunking protocol and ip address on each sub-interface

Router(config)#interface f0/0
Router(config-if)#no shutdown

(Note: The main interface f0/0 doesn’t need an IP address but it must be turned on)

Router(config-subif)#interface f0/0.0
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
Router(config-subif)#interface f0/0.1
Router(config-subif)#encapsulation dot11 20
Router(config-subif)#ip address 192.168.2.1 255.255.255.0

(Note: In the “encapsulation dot1q 10″ command, 10 is the VLAN ID this interface operates in)

I also list the full configuration of the above topology for your reference:

Configure VLAN

Switch(config)#vlan 10
Switch(config-vlan)#name SALES
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name TECH

Set ports to access mode & assign ports to VLAN

Switch(config)#interface range fa0/1-2
Switch(config-if)#no shutdown
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)#interface range fa0/3-4
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode access
Switch(config-if)# switchport access vlan 20

In practical, we often use a Layer 3 switch instead of a switch and a “router on the stick”, this helps reduce the complexity of the topology and cost.

Note: With this topology, we don’t need to use a trunking protocol and the “switchport mode trunk” command. The full configuration of Layer 3 switch is listed below:

Switch configuration

And on hosts just assign IP addresses and default gateways (to the corresponding interface VLANs) -> hosts in different VLANs can communicate.

In summary, InterVLAN routing is used to permit devices on separate VLANs to communicate. In this tutorial you need to remember these important terms:

+ Router-on-a-stick: single physical interface routes traffic between multiple VLANs on a network.
+ Subinterfaces are multiple virtual interfaces, associated with one physical interface. These subinterfaces are configured in software on a router that is independently configured with an IP address and VLAN assignment.

Below lists popular modes in Cisco switch/router:

Now let’s discuss each mode in more detail

User mode (Unprivileged mode)
In most case this is the mode you will see on the screen after connecting to it. This mode provides limited access to the router. You are provided with a set of nondestructive commands that allow examination of certain router configuration parameters (mostly to view statistics). You cannot, however, make any changes to the router configuration.

Privileged mode
Also known as the Enabled mode, this mode allows greater examination of the router and provides a more robust command set than the User mode. In Privileged mode, you have access to the configuration commands supplied in the Global Configuration mode, meaning you can edit the configuration for the router.

Configuration mode
Also called the Global Configuration mode, this mode is entered from the Privileged mode and supplies the complete command set for configuring the router. In this mode you can access interface level, routing engine level, line level…

Interface level

In some books, this level is also referred as “interface configuration mode” or “interface mode”. In fact, it is a level inside Configuration mode so you can see the “configuration” part in its prompt (config-if). This level can be accessed by typing a specific interface in Configuration mode. For example:

Router(config)#interface fa0/0
Router(config-if)#

But notice that the prompt doesn’t give you information about which interface is being configured so be careful with this level while you are configuring! This lack of information can make you configure wrong interface easily!

Routing engine level

This is the level where we configure dynamic routing protocols (RIP, OSPF, EIGRP…). You will learn about them later in CCNA.

Line level

In this level we can configure Telnet, Console, AUX port parameters. Also notice that the prompt (config-line) is used for all “lines” on the router so you must be careful about which line you are configuring!

Note: The “line” here can be a physical Console port or a virtual connection like Telnet.

The image below shows how to access each mode and popular levels inside Configuration mode:

Learning about modes is not difficult and you will get familiar with them while configuring routers & switches. Just pay a little attention to them each time you practice and surely you can grasp them easily.

Types of memory

Generally Cisco routers (and switches) contain four types of memory:

Read-Only Memory (ROM): ROM stores the router’s bootstrap startup program, operating system software, and power-on diagnostic test programs (POST).

Flash Memory: Generally referred to simply as “flash”, the IOS images are held here. Flash is erasable and reprogrammable ROM. Flash memory content is retained by the router on reload.

Random-Access Memory (RAM): Stores operational information such as routing tables and the running configuration file. RAM contents are lost when the router is powered down or reloaded. By default, routers look here first for an Internetwork Operating System (IOS) file during boot.

Non-volatile RAM (NVRAM): NVRAM holds the router’s startup configuration file. NVRAM contents are not lost when the router is powered down or reloaded.

Some comparisons to help you remember easier:

+ RAM is a volatile memory so contents are lost on reload, where NVRAM and Flash contents are not.
+ NVRAM holds the startup configuration file, where RAM holds the running configuration file.
+ ROM contains a bootstrap program called ROM Monitor (or ROMmon). When a router is powered on, the bootstrap runs a hardware diagnostic called POST (Power-On Self Test).

Router boot process

The following details the router boot process:
1. The router is powered on.
2. The bootstrap program (ROMmon) in ROM runs Power-On Self Test (POST)
3. The bootstrap checks the Configuration Register value to specify where to load the IOS. By default (the default value of Configuration Register is 2102, in hexadecimal), the router first looks for “boot system” commands in startup-config file. If it finds these commands, it will run boot system commands in order they appear in startup-config to locate the IOS. If not, the IOS image is loaded from Flash . If the IOS is not found in Flash, the bootstrap can try to load the IOS from TFTP server or from ROM (mini-IOS).
4. After the IOS is found, it is loaded into RAM.
5. The IOS attempts to load the configuration file (startup-config) from NVRAM to RAM. If the startup-config is not found in NVRAM, the IOS attempts to load a configuration file from TFTP. If no TFTP server responds, the router enters Setup Mode (Initial Configuration Mode).

And this is the process we can see on our screen when the router is turned on:

In short, when powered on the router needs to do:

1. Run POST to check hardware
2. Search for a valid IOS (the Operating System of the router)
3. Search for a configuration file (all the configurations applied to this router)

Specify how much RAM, NVRAM and Flash of a router

Also, from the information shown above, we can learn some information about router’s model, RAM, Flash, NVRAM memories as shown below:

Note: The “show version” command also gives us this information.

All the above information is straight-forwarding except the information of RAM. In some series of routers, the RAM information is displayed by 2 parameters (in this case 60416K/5120K). The first parameter indicates how much RAM is in the router while the second parameter (5120K) indicates how much DRAM is being used for Packet memory. Packet memory is used for buffering packets.

So, from the output above we can learn:

Amount of RAM: 60416 + 5120 = 65536KB / 1024 = 64MB
Amount of NVRAM: 239KB
Amount of Flash: 62720KB

Question 1

For which type of connection should a straight-through cable be used?

A. switch to switch
B. switch to hub
C. switch to router
D. hub to hub
E. router to PC

Answer: C

Explanation

To specify when we use crossover cable or straight-through cable, we should remember:

Group 1: Router, Host, Server
Group 2: Hub, Switch
One device in group 1 + One device in group 2: use straight-through cable
Two devices in the same group: use crossover cable

In this case we can use straight-through cable to connect a switch to a router -> C is correct.

Question 2

Which type of cable is used to connect the COM port of a host to the COM port of a router or switch?

A. crossover
B. straight-through
C. rolled
D. shielded twisted-pair

Answer: C

Explanation

The correct question should be “Which type of cable is used to connect the COM port of a host to the CONSOLE port of a router or switch?” and the correct answer is rollover cable. But we can’t plug this rollover cable directly into our host because it will not work. We often use a RJ45 to DB9 Female cable converter as shown below:

Question 3

What is the first 24 bits in a MAC address called?

A. NIC
B. BIA
C. OUI
D. VAI

Answer: C

Explanation

Organizational Unique Identifier (OUI) is the first 24 bits of a MAC address for a network device, which indicates the specific vendor for that device as assigned by the Institute of Electrical and Electronics Engineers, Incorporated (IEEE). This identifier uniquely identifies a vendor, manufacturer, or an organization.

Question 4

In an Ethernet network, under what two scenarios can devices transmit? (Choose two)

A. when they receive a special token
B. when there is a carrier
C. when they detect no other devices are sending
D. when the medium is idle
E. when the server grants access

Answer: C D

Explanation

Ethernet network is a shared environment so all devices have the right to access to the medium. If more than one device transmits simultaneously, the signals collide and can not reach the destination.

If a device detects another device is sending, it will wait for a specified amount of time before attempting to transmit.

When there is no traffic detected, a device will transmit its message. While this transmission is occurring, the device continues to listen for traffic or collisions on the LAN. After the message is sent, the device returns to its default listening mode.

So we can see C and D are the correct answers. But in fact “answer C – when they detect no other devices are sending” and “when the medium is idle” are nearly the same.

Question 5

Which two benefits are provided by using a hierarchical addressing network addressing scheme? (Choose two)

A. reduces routing table entries
B. auto-negotiation of media rates
C. efficient utilization of MAC addresses
D. dedicated communications between devices
E. ease of management and troubleshooting

Answer: A E

Question 6

When a host transmits data across a network to another host, which process does the data go through?

A. standardization
B. conversion
C. encapsulation
D. synchronization

Answer: C

Explanation

To transmit to another host, a host must go through the TCP/IP model (very similar to the OSI model). At each layer, the message is encapsulated with that layer’s header (and trailer if it has). This process is called encapsulation.

Question 7

Which two Ethernet fiber-optic modes support distances of greater than 550 meters?

A. 1000BASE-CX
B. 100BASE-FX
C. 1000BASE-LX
D. 1000BASE-SX
E. 1000BASE-ZX

Answer: C E

Explanation

Below lists the cabling standards mentioned above

Note:

+ MM: Multimode
+ SM: Single-mode

(Reference: The official self-study test preparation guide to the Cisco CCNA INTRO exam 640-821)

Question 8

Refer to the exhibit. What type of connection would be supported by the cable diagram shown?

A. PC to router
B. PC to switch
C. server to router
D. router to router

Answer: B

Explanation

From the “Pin” and “Color” in the exhibit we know that this is a straight-through cable so it can be used to connect PC to switch.

Question 9

Refer to the exhibit. What type of connection would be supported by the cable diagram shown?

A. PC to router
B. PC to switch
C. server to switch
D. switch to router

Answer: A

Explanation

This is a crossover cable so it can be used to connect PC and router.

Question 10

Which two topologies are using the correct type of twisted-pair cables? (Choose two)

A.

B.

C.

D.

E.

Answer: D E

Question 1

What are some of the advantages of using a router to segment the network? (Choose two)

A. Filtering can occur based on Layer 3 information.
B. Broadcasts are eliminated.
C. Routers generally cost less than switches.
D. Broadcasts are not forwarded across the router.
E. Adding a router to the network decreases latency.

Answer: A D

Question 2

Which of the following statements describe the network shown in the graphic? (Choose two)

A. There are two broadcast domains in the network.
B. There are four broadcast domains in the network.
C. There are six broadcast domains in the network.
D. There are four collision domains in the network.
E. There are five collision domains in the network.
F. There are seven collision domains in the network.

Answer: A F

Explanation

Only router can break up broadcast domains so in the exhibit there are 2 broadcast domains: from e0 interface to the left is a broadcast domain and from e1 interface to the right is another broadcast domain -> A is correct.

Both router and switch can break up collision domains so there is only 1 collision domain on the left of the router (because hub doesn’t break up collision domain) and there are 6 collision domains on the right of the router (1 collision domain from e1 interface to the switch + 5 collision domains for 5 PCs in Production) -> F is correct.

Question 3

Refer to the exhibit. The two connected ports on the switch are not turning orange or green. What would be the most effective steps to troubleshoot this physical layer problem? (Choose three)

A. Ensure that the Ethernet encapsulations match on the interconnected router and switch ports.
B. Ensure that cables A and B are straight-through cables.
C. Ensure cable A is plugged into a trunk port.
D. Ensure the switch has power.
E. Reboot all of the devices.
F. Reseat all cables.

Answer: B D F

Explanation

The ports on the switch are not up indicating it is a layer 1 (physical) problem so we should check cable type, power and how they are plugged in.

Question 4

For what two purposes does the Ethernet protocol use physical addresses? (Choose two)

A. to uniquely identify devices at Layer 2
B. to allow communication with devices on a different network
C. to differentiate a Layer 2 frame from a Layer 3 packet
D. to establish a priority system to determine which device gets to transmit first
E. to allow communication between different devices on the same network
F. to allow detection of a remote device when its physical address is unknown

Answer: A E

Explanation

Physical addresses or MAC addresses are used to identify devices at layer 2 -> A is correct.

MAC addresses are only used to communicate on the same network. To communicate on different network we have to use Layer 3 addresses (IP addresses) -> B is not correct; E is correct.

Layer 2 frame and Layer 3 packet can be recognized via headers. Layer 3 packet also contains physical address -> C is not correct.

On Ethernet, each frame has the same priority to transmit by default -> D is not correct.

All devices need a physical address to identify itself. If not, they can not communicate -> F is not correct.

Question 5

Refer to the exhibit. Two buildings on the San Jose campus of a small company must be connected to use Ethernet with a bandwidth of at least 100 Mbps. The company is concerned about possible problems from voltage potential difference between the two buildings. Which media type should be used for the connection?

A. UTP cable
B. STP cable
C. Coaxial cable
D. Fiber optic cable

Answer: D

Explanation

Because the company has problem about voltage potential difference between the two buildings so they should connect via fiber optic cable which uses light pulses to transmit information instead of using electronic pulses.

Question 6

Which command can be used from a PC to verify the connectivity between host that connect through path?

A. tracert address
B. ping address
C. arp address
D. traceroute address

Answer: A

Explanation

To check the connectivity between a host and a destination (through some networks) we can use both “tracert” and “ping” commands. But the difference between these 2 commands is the “tracert” command can display a list of near-side router interfaces in the path between the source and the destination. Therefore the best answer in this case is A – tracert address.

Note: “traceroute” command has the same function of the “tracert” command but it is used on Cisco routers only, not on a PC.

Question 7

Refer to the exhibit. A network engineer is troubleshooting an internet connectivity problem on the computer. What causing the problem?

A. wrong DNS server
B. wrong default gateway
C. incorrect IP address
D. incorrect subnet mask

Answer: C

Explanation

The IP address of the PC (192.168.11.2/24) is not on the same network with its gateway 192.168.1.1 -> C is correct.

Question 8

How many broadcast domains are shown in the graphic assuming only the default vlan is configured on the switches?

A. one
B. six
C. twelve
D. two

Answer: A

Explanation

Only router can break up broadcast domains but in this exhibit no router is used so there is only 1 broadcast domain.

For your information, there are 7 collision domains in this exhibit (6 collision domains between hubs & switches + 1 collision between the two switches).

Question 9

Refer to the exhibit.

Host A has tested connectivity to a remote network. What is the default gateway for host A?

A. 172.16.182.1
B. 192.168.1.1
C. 10.16.176.1
D. 192.168.1.6

Answer: A

Explanation

It will list all the routers (from nearest to farthest) it passes through until it reaches its destination so the first hop is its nearest IP. If we ping from a PC, it is also the default gateway for that PC -> A is correct.

Question 10

What functions do routers perform in a network? (Choose two)

A. packet switching
B. access layer security
C. path selection
D. VLAN membership assignment
E. bridging between LAN segments
F. microsegmentation of broadcast domains

Answer: A C

Note: If you are not sure about the boot sequence of a router/switch, please read my Cisco Router Boot Sequence Tutorial.

Question 1

How does using the service password encryption command on a router provide additional security?

A. by encrypting all passwords passing through the router
B. by encrypting passwords in the plain text configuration file
C. by requiring entry of encrypted passwords for access to the device
D. by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges
E. by automatically suggesting encrypted passwords for use in configuring the router

Answer: B

Explanation

By using this command, all the (current and future) passwords are encrypted. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

Question 2

Refer to the diagram. What is the largest configuration file that can be stored on this router?

A. 191K bytes
B. 16384K bytes
C. 31369K bytes
D. 114688K bytes

Answer: A

Explanation

Non-volatile RAM (NVRAM) holds the router’s startup configuration file. NVRAM contents are not lost when the router is powered down or reloaded.

Question 3

Which command shows system hardware and software version information?

A. show configuration
B. show environment
C. show inventory
D. show platform
E. show version

Answer: E

Question 4

Refer to the exhibit. If number 2 is selected from the setup script, what happens when the user runs setup from a privileged prompt?

A. Setup is additive and any changes will be added to the config script.
B. Setup effectively starts the configuration over as if the router was booted for the first time.
C. Setup will not run if an enable secret password exists on the router.
D. Setup will not run, because it is only viable when no configuration exists on the router.

Answer: A

Question 5

Which command shows your active Telnet connections?

A. show sessions
B. show cdp neighbors
C. show users
D. show queue

Answer: A

Question 6

Which command can you use to determine the cisco ios feature set on a cisco router?

A. show version
B. dir flash:include ios
C. show environment
D. show diag
E. show inventory

Answer: A

Question 7

A system administrator types the command to change the hostname of a router. Where on the Cisco IFS is that change stored?

A. NVRAM
B. RAM
C. FLASH
D. ROM
E. PCMCIA

Answer: B

Explanation

The change is only reflected in the running-config on RAM. It can be lost if we reset the router without saving it.

Note: Cisco IFS means “Cisco IOS File System”

Question 8

Before installing a new, upgraded version of the IOS, what should be checked on the router, and which command should be used to gather this information? (Choose two)

A. the amount of available ROM
B. the amount of available flash and RAM memory
C. the version of the bootstrap software present on the router
D. show version
E. show processes
F. show running-config

Answer: B D

Explanation

When upgrading new version of the IOS we need to copy the IOS to the Flash so first we have to check if the Flash has enough memory or not. Also running the new IOS may require more RAM than the older one so we should check the available RAM too. We can check both with the “show version” command.

Question 9

Refer to the exhibit. A network administrator configures a new router and enters the copy startup-config running-config on the router. The network administrator powers down the router and sets it up at a remote location. When the router starts, it enter the system configuration dialog as shown. What is the cause of the problem?

A. The network administrator failed to save the configuration.
B. The configuration register is set to 0×2100.
C. The boot system flash command is missing from the configuration.
D. The configuration register is set to 0×2102.
E. The router is configured with the boot system startup command.

Answer: A

Explanation

The “System Configuration Dialog” appears only when no startup configuration file is found. The network administrator has made a mistake because the command “copy startup-config running-config” will copy the startup config (which is empty) over the running config (which is configured by the administrator). So everything configured was deleted.

Note: We can tell the router to ignore the start-up configuration on the next reload by setting the register to 0×2142. This will make the “System Configuration Dialog” appear at the next reload.

Question 10

Refer to the exhibit. What can be determined about the router from the console output?

A. No configuration file was found in NVRAM.
B. No configuration file was found in flash.
C. No configuration file was found in the PCMCIA card.
D. Configuration file is normal and will load in 15 seconds.

Answer: A

Explanation

When no startup configuration file is found in NVRAM, the System Configuration Dialog will appear to ask if we want to enter the initial configuration dialog or not.

Note: If you are not sure about the boot sequence of a router/switch, please read my Cisco Router Boot Sequence Tutorial.

Question 1

When you are logged into a switch, which prompt indicates that you are in privileged mode?

A. %
B. @
C. >
D. $
E. #

Answer: E

Explanation

The “#” (like Switch#) indicates you are in privileged mode while the “>” indicates you are in user mode.

Note: The “#” sign in “Switch(config)#” indicates this is only accessible at privileged EXEC mode. The “(config)#” part indicates we are in configuration mode.

Below lists popular modes in Cisco switch/router:

Question 2

Which command is used to copy the configuration from RAM into NVRAM?

A. copy running-config startup-config
B. copy startup-config: running-config:
C. copy running config startup config
D. copy startup config running config
E. write terminal

Answer: A

Explanation

The running-config is saved in RAM while the startup-config is saved in NVRAM. So in order to copy the configuration from RAM into NVRAM we use the command “copy running-config startup-config” (syntax: copy ).

Question 3

Which command is used to load a configuration from a TFTP server and merge the configuration into RAM?

A. copy running-config: TFTP:
B. copy TFTP: running-config
C. copy TFTP: startup-config
D. copy startup-config: TFTP:

Answer: B

Explanation

The syntax of the copy command is “copy ” so to copy a configuration from a TFTP server into RAM we use the command “copy TFTP: running-config”.

Question 4

There are no boot system commands in a router configuration in NVRAM. What is the fallback sequence that router will use to find an IOS during reload?

A. Flash, TFTP server, ROM
B. Flash, NVRAM, ROM
C. ROM, NVRAM, TFTP server
D. NVRAM, TFTP server, ROM
E. TFTP server, Flash, NVRAM

Answer: A

Explanation

When you turn the router on, it runs through the following boot process.

The Power-On Self Test (POST) checks the router’s hardware. When the POST completes successfully, the System OK LED indicator comes on.
The router checks the configuration register to identify where to load the IOS image from. A setting of 0×2102 means that the router will use information in the startup-config file to locate the IOS image. If the startup-config file is missing or does not specify a location, it will check the following locations for the IOS image:

1. Flash (the default location)
2. TFTP server
3. ROM (used if no other source is found)

The router loads the configuration file into RAM (which configures the router). The router can load a configuration file from:

+ NVRAM (startup-configuration file)
+ TFTP server
If a configuration file is not found, the router starts in setup mode.

Question 5

A Cisco router is booting and has just completed the POST process.It is now ready to find and load an IOS image. What function does the router perform next?

A. It checks the configuration register
B. It attempts to boot from a TFTP server
C. It loads the first image file in flash memory
D. It inspects the configuration file in NVRAM for boot instructions

Answer: A

Explanation

Same as Question 4

Question 6

Refer to the partial command output shown. Which two statements are correct regarding the router hardware? (Choose two)

A. Total RAM size is 32 KB
B. Total RAM size is 16384 KB (16 MB)
C. Total RAM size is 65536 KB (64 MB)
D. Flash size is 32 KB
E. Flash size is 16384 KB (16 MB).
F. Flash size is 65536 KB (64 MB)

Answer: C E

Explanation

The line “Cisco 2621 (MPC860) processor (revision 0×600) with 53248K/12288K bytes of memory” tells how much RAM in your router. The first parameter (53248) specifies how much Dynamic RAM (DRAM) in your router while the second parameter (12288K) indicates how much DRAM is being used for Packet memory (used by incoming and outgoing packets) in your router. Therefore you have to add both numbers to find the amount of DRAM available on your router -> C is correct.

Note: Cisco 4000, 4500, 4700, and 7500 routers have separate DRAM and Packet memory, so you only need to look at the first number to find out the DRAM in that router.

The flash size is straightforward from the line “16384K bytes of processor board system flash (Read/Write)” -> E is correct.

(Reference: http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_tech_note09186a00800fb9d9.shtml)

Question 7

Which router IOS commands can be used to troubleshoot LAN connectivity problems? (Choose three)

A. ping
B. tracert
C. ipconfig
D. show ip route
E. winipcfg
F. show interfaces

Answer: A D F

Explanation

The ping command can be used to test if the local device can reach a specific destination -> A is correct.

“tracert” is not a valid command in Cisco IOS commands, the correct command should be “traceroute” -> B is not correct.

The ipconfig command is not a valid command in Cisco IOS too -> C is not correct.

The “show ip route” command can be used to view the routing table of the router. It is a very useful command to find out many connectivity problems (like directly connected networks, learned network via routing protocols…) -> D is correct.

“winipcfg” is an old tool in Windows 95/98 to view IP settings of the installed network interfaces. But it is not a valid command in Cisco IOS commands -> E is not correct.

The “show interfaces” command is used to check all the interfaces on the local device only. It has very limited information to trouble LAN connectivity problem but it is the most reasonable to choose -> F is acceptable.

Question 8

Which two locations can be configured as a source for the IOS image in the boot system command? (Choose two)

A. RAM
B. NVRAM
C. flash memory
D. HTTP server
E. TFTP server
F. Telnet server

Answer: C E

Explanation

The following locations can be configured as a source for the IOS image:

1. + Flash (the default location)
2. + TFTP server
3. + ROM (used if no other source is found)
4. (Please read the explanation of Question 4 for more information)

Question 9

Refer to the exhibit. Why is flash memory erased prior to upgrading the IOS image from the TFTP server?

A. The router cannot verify that the Cisco IOS image currently in flash is valid
B. Flash memory on Cisco routers can contain only a single IOS image.
C. Erasing current flash content is requested during the copy dialog.
D. In order for the router to use the new image as the default, it must be the only IOS image in flash.

Answer: C

Explanation

During the copy process, the router asked “Erasing flash before copying? [confirm]” and the administrator confirmed (by pressing Enter) so the flash was deleted.

Note: In this case, the flash has enough space to copy a new IOS without deleting the current one. The current IOS is deleted just because the administrator wants to do so. If the flash does not have enough space you will see an error message like this:

Question 10

Which command reveals the last method used to powercycle a router?

A. show reload
B. show boot
C. show running-config
D. show version

Answer: D

Explanation

The “show version” command can be used to show the last method to powercycle (reset) a router

Note: If you are not sure about the boot sequence of a router/switch, please read my Cisco Router Boot Sequence Tutorial.

Question 1

Refer to the exhibit. A router boots to the prompt shown in the exhibit. What does this signify, and how should the network administrator respond?

A. This prompt signifies that the configuration file was not found in NVRAM. The network administrator should follow the prompts to enter a basic configuration.
B. The prompt signifies that the configuration file was not found in flash memory. The network administrator should use TFTP to transfer a configuration file to the router.
C. The prompt signifies that the IOS image in flash memory is invalid or corrupted. The network administrator should use TFTP to transfer an IOS image to the router.
D. The prompt signifies that the router could not authenticate the user. The network administrator should modify the IOS image and reboot the router.

Answer: C

Explanation

If a Cisco router boots in ROMmon mode, it means:

+ The value of the configuration register is set to XXX0 (the boot field – fourth bit – is 0)
+ The router is unable to locate a valid Cisco IOS software image (you can use the “dir flash:” command in ROMmon mode to look for the IOS in the Flash then try to boot that flash with the “boot flash:<IOS image>” command).

If the IOS image is invalid or corrupted, the fastest way to re-install a new Cisco IOS software image on the router is to copy a new one from TFTP (with “tftpdnld” command).

Question 2

What should be done prior to backing up an IOS image to a TFTP server? (Choose three)

A. Make sure that the server can be reached across the network.
B. Check that authentication for TFTP access to the server is set.
C. Assure that the network server has adequate space for the IOS image.
D. Verify file naming and path requirements.
E. Make sure that the server can store binary files.
F. Adjust the TCP window size to speed up the transfer.

Answer: A C D

Question 3

Which two privileged mode cisco ios commands can be used to determine a cisco router chassis serial number? (choose two)

A. show inventory
B. show flash filesys
C. dir flash:|include chassis
D. show diag
E. show controllers

Answer: A D

Question 4

Which command helps a network administrator to manage memory by displaying flash memory and NVRAM utilization?

A. show secure
B. show file systems
C. show flash
D. show version

Answer: B

Question 5

A network administrator changes the configuration register to 0×2142 and reboots the router. What are two results of making this change? (Choose two)

A. The IOS image will be ignored.
B. The router will prompt to enter initial configuration mode.
C. The router will boot to ROM.
D. Any configuration entries in NVRAM will be ignored.
E. The configuration in flash memory will be booted.

Answer: B D

Explanation

The router bypasses the startup configuration stored in NVRAM during its boot sequence so the router will enter initial configuration mode. This feature is normally used during a password recovery procedure.

Question 6

Refer to the exhibit. For what two reasons has the router loaded its IOS image from the location that is shown? (Choose two)

A. Router1 has specific boot system command that instruct it to load IOS from TFTP server.
B. Router1 is acting as a TFTP server for other routers.
C. Router1 cannot locate a valid IOS image in flash memory.
D. Router1 defaulted to ROMMON mode and loaded the IOS image from a TFTP sewer.
E. Cisco routers will first attempt to load a image from TFTP for management purposes.

Answer: A C

Explanation

When powered on, the router first checks its hardware via Power-On Self Test (POST). Then it checks the configuration register to identify where to load the IOS image from. In the output above we learn that the Configuration register value is 0×2102 so the router will try to boot the system image from Flash memory first.

But we also see a line “System image file is “tftp://112.16.1.129/hampton/nitro/c7200-j-mz”. Please notice that this line tells us the image file that the device last started. In this case it is from a TFTP server. Therefore we can deduce that the router could not load the IOS image from the flash and the IOS image has been loaded from TFTP server.

Note:

If the startup-config file is missing or does not specify a location, it will check the following locations for the IOS image:

+ Flash (the default location)
+ TFTP server
+ ROM (used if no other source is found)

Let’s take an example in our real life to demonstrate the OSI model. Maybe you have ever sent a mail to your friend, right? To do it, you have to follow these steps:

1. Write your letter
2. Insert it into an envelope
3. Write information about sender and receiver on that envelope
4. Stamp it
5. Go to the post office and drop it into a mail inbox

From the example above, I want to imply we have to go through some steps in a specific order to complete a task. It is also applied for two PCs to communicate with each other. They have to use a predefined model, named OSI, to complete each step. There are 7 steps in this model as listed below:

This is also the well-known table of the OSI model so you must take time to learn by heart. A popular way to remember this table is to create a fun sentence with the first letters of each layer. For example: All People Seem To Need Data Processing or a more funny sentence sorted from layer 1 to layer 7: Please Do Not Throw Sausage Pizza Away.

There are two notices about this table:

1. First, the table is arranged from top to bottom (numbering from 7 to 1). Each step is called a “layer” so we have 7 layers (maybe we usually call them “layers” to make them more… technical ^^).

When a device wants to send information to another one, its data must go from top to bottom layer. But when a device receives this information, it must go from bottom to top to “decapsulate” it. In fact, the reverse action at the other end is very natural in our life. It is very similar when two people communicate via mail. First, the writer must write the letter, insert it into an envelope while the receiver must first open the envelope and then read the mail. The picture below shows the whole process of sending and receiving information.

Note: The OSI model layers are often referred to by number than by name (for example, we refer saying “layer 3″ to “network layer”) so you should learn the number of each layer as well.

2. When the information goes down through layers (from top to bottom), a header is added to it. This is called encapsulation because it is like wrapping an object in a capsule. Each header can be understood only by the corresponding layer at the receiving side. Other layers only see that layer’s header as a part of data.

At the receiving side, corresponding header is stripped off in the same layer it was attached.

Understand each layer

Layer 7 – Application layer

This is the closest layer to the end user. It provides the interface between the applications we use and the underlying layers. But notice that the programs you are using (like a web browser – IE, Firefox or Opera…) do not belong to Application layer. Telnet, FTP, email client (SMTP), HyperText Transfer Protocol (HTTP) are examples of Application layer.

Layer 6 – Presentation layer

This layer ensures the presentation of data, that the communications passing through are in the appropriate form for the recipient. In general, it acts as a translator of the network. For example, you want to send an email and the Presentation will format your data into email format. Or you want to send photos to your friend, the Presentation layer will format your data into GIF, JPG or PNG… format.

Layer 5 – Session layer

Layer 5 establishes, maintains and ends communication with the receiving device.

Layer 4 – Transport layer

This layer maintains flow control of data and provides for error checking and recovery of data between the devices. The most common example of Transport layer is Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

Layer 3 – Network layer

This layer provides logical addresses which routers will use to determine the path to the destination. In most cases, the logic addresses here means the IP addresses (including source & destination IP addresses).

Layer 2 – Data Link Layer

The Data Link layer formats the message into a data frame, and adds a header containing the hardware destination and source address to it. This header is responsible for finding the next destination device on a local network.

Notice that layer 3 is responsible for finding the path to the last destination (network) but it doesn’t care about who will be the next receiver. It is the Layer 2 that helps data to reach the next destination.

This layer is subdivide into 2 sub-layers: logical link control (LLC) and media access control (MAC).

The LLC functions include:
+ Managing frames to upper and lower layers
+ Error Control
+ Flow control

The MAC sublayer carries the physical address of each device on the network. This address is more commonly called a device’s MAC address. MAC address is a 48 bits address which is burned into the NIC card on the device by its manufacturer.

Layer 1 – Physical layer

The Physical Layer defines the physical characteristics of the network such as connections, voltage levels and timing.

To help you remember the functions of each layer more easily, I created a fun story in which Henry (English) wants to send a document to Charles (French) to demonstrate how the OSI model works.

Lastly, I summarize all the important functions of each layer in the below table (please remember them, they are very important knowledge you need to know about OSI model):

Note: In fact, OSI is just is a theoretical model of networking. The practical model used in modern networks is the TCP/IP model. You may think “Hm, it’s just theoretic and has no use in real life! I don’t care!” but believe me, you will use this model more often than the TCP/IP model so take time to grasp it, you will not regret – I promise :)

Note: If you are not sure about OSI Model, please read my OSI tutorial.

Question 1

Which of the following correctly describe steps in the OSI data encapsulation process? (Choose two)

A. The transport layer divides a data stream into segments and may add reliability and flow control information.
B. The data link layer adds physical source and destination addresses and an FCS to the segment.
C. Packets are created when the network layer encapsulates a frame with source and destination host addresses and protocol-related control information.
D. Packets are created when the network layer adds Layer 3 addresses and control information to a segment.
E. The presentation layer translates bits into voltages for transmission across the physical link.

Answer: A D

Explanation

The transport layer segments data into smaller pieces for transport. Each segment is assigned a sequence number, so that the receiving device can reassemble the data on arrival.

The transport layer also use flow control to maximize the transfer rate while minimizing the requirements to retransmit. For example, in TCP, basic flow control is implemented by acknowledgment by the receiver of the receipt of data; the sender waits for this acknowledgment before sending the next part.

-> A is correct.

The data link layer adds physical source and destination addresses and an Frame Check Sequence (FCS) to the packet (on Layer 3), not segment (on Layer 4) -> B is not correct.

Packets are created when network layer encapsulates a segment (not frame) with source and destination host addresses and protocol-related control information. Notice that the network layer encapsulates messages received from higher layers by placing them into datagrams (also called packets) with a network layer header -> C is not correct.

The Network layer (Layer 3) has two key responsibilities. First, this layer controls the logical addressing of devices. Second, the network layer determines the best path to a particular destination network, and routes the data appropriately.

-> D is correct.

The Physical layer (presentation layer) translates bits into voltages for transmission across the physical link -> E is not correct.

Question 2

Which layer of the OSI reference model uses the hardware address of a device to ensure message delivery to the proper host on a LAN?

A. physical
B. data link
C. network
D. transport

Answer: B

Explanation

The hardware address of a device or the Media Access Control (MAC) address is added in the Data Link layer. An Ethernet MAC address is a 48-bit binary value expressed as 12 hexadecimal digits (for example: 00:15:A4:CB:03:CA).

Question 3

Which layer of the OSI reference model uses flow control, sequencing, and acknowledgments to ensure that reliable networking occurs?

A. data link
B. network
C. transport
D. presentation
E. physical

Answer: C

Question 4

Which layer in the OSI reference model is responsible for determining the availability of the receiving program and checking to see if enough resources exist for that communication?

A. transport
B. network
C. presentation
D. session
E. application

Answer: E

Question 5

Data transfer is slow between the source and destination. The quality of service requested by the transport layer in the OSI reference model is not being maintained. To fix this issue, at which layer should the troubleshooting process begin?

A. presentation
B. session
C. transport
D. network
E. physical

Answer: D

Question 6

Which protocols are found in the network layer of the OSI reference model and are responsible for path determination and traffic switching?

A. LAN
B. routing
C. WAN
D. network

Answer: B

Question 7

Refer to the exhibit. An administrator pings the default gateway at 10.10.10.1 and sees the output as shown. At which OSI layer is the problem?

A. data link layer
B. application layer
C. access layer
D. session layer
E. network layer

Answer: E

Explanation

The Network layer is responsible for network addressing and routing through the internetwork. So a ping fails, you may have an issue with the Network layer (although lower layers like Data Link & Physical may cause the problem).

Question 8

Which of the following are types of flow control? (Choose three)

A. buffering
B. cut-through
C. windowing
D. congestion avoidance
E. load balancing

Answer: A C D

Explanation

Three types of flow control are buffering, windowing & congestion avoidance:

+ Buffering: If a device receives packets too quickly for it to handle then it can store them in a memory section called a buffer and proceed them later.

+ Windowing: a window is the quantity of data segments that the transmitting device is allowed to send without receiving an acknowledgment for them. For example:

With the window size of 1, the sending device sends 1 segment and the receiving device must reply with 1 ACK before the sending device can send the next segment. This “waiting” takes some time.

By increasing the window size to 3, the sending device will send up to 3 segments before waiting an ACK -> helps reduce the waiting time.

+ Congestion avoidance: lower-priority traffic can be discarded when the network is overloaded -> minimize delays.

Question 9

A network administrator is verifying the configuration of a newly installed host by establishing an FTP connection to a remote server. What is the highest layer of the protocol stack that the network administrator is using for this operation?

A. application
B. presentation
C. session
D. transport
E. internet
F. data link

Answer: A

Explanation

FTP belongs to Application layer and it is also the highest layer of the OSI model.

Question 10

A receiving host computes the checksum on a frame and determines that the frame is damaged. The frame is then discarded. At which OSI layer did this happen?

A. session
B. network
C. physical
D. data link
E. transport

Answer: D

Explanation

When using the term “frame” we can easily recognize it belongs to the Data Link layer. In this layer, an Frame Check Sequence (FCS) field is added to the frame to verify that the frame data is received correctly.

Question 11

As a frame leaves a Layer 3 device, the Layer 2 encapsulation information is changed from what it was when it entered the device. For what two reasons can this happen? (Choose two)

A. The data is moving from 10BASE-TX to 100BASE-TX.
B. The WAN encapsulation type has changed.
C. The data format has changed from analog to digital.
D. The source and destination hosts are in the same subnet.
E. The source and destination MAC addresses have changed.

Answer: B E

Question 12

Acknowledgement, Sequencing, and Flow control are characteristics of which OSI layer?

A. Layer 2
B. Layer 3
C. Layer 4
D. Layer 5
E. Layer 6
F. Layer 7

Answer: C

Question 1

An inbound access list has been configured on a serial interface to deny packet entry for TCP and UDP ports 21, 23 and 25. What types of packets will be permitted by this ACL? (Choose three)

A. FTP
B. Telnet
C. SMTP
D. DNS
E. HTTP
F. POP3

Answer: D E F

Explanation

The access list denies packet entry for TCP & UDP -> all the services on ports 21, 23 and 25 are disabled. Services on these ports are FTP (port 21), Telnet (port 23), SMTP (port 25). Other services are allowed so D E F are the correct answers.

Question 2

What are two characteristics of Telnet? (Choose two)

A. It sends data in clear text format.
B. It is no longer supported on Cisco network devices.
C. It is more secure than SSH.
D. It requires an enterprise license in order to be implemented.
E. It requires that the destination device be configured to support Telnet connections.

Answer: A E

Explanation

Telnet, part of the TCP/IP protocol suite, is a virtual terminal protocol that allows you to make connections to remote devices, gather information, and run programs. Telnet is considered insecure because it transfers all data in clear text -> A is correct.

The destination device needs to support Telnet connection. For example, if a device doesn’t support TCP/IP protocol suit then maybe we can’t telnet to it.

Question 3

An administrator issues the command ping 127.0.0.1 from the command line prompt on a PC. If a reply is received, what does this confirm?

A. The PC has connectivity with a local host.
B. The PC has connectivity with a Layer 3 device.
C. The PC has a default gateway correctly configured
D. The PC has connectivity up to Layer 5 of the OSI model
E. The PC has the TCP/IP protocol stack correctly installed.

Answer: E

Explanation

The address 127.0.0.1 is called loopback address. When we ping 127.0.0.1, in fact we are pinging the local network card and test the TCP/IP protocol suite on our device.

Question 4

Where does routing occur within the DoD TCP/IP reference model?

A. application
B. internet
C. network
D. transport

Answer: B

Explanation

The picture below shows the comparison between TCP/IP model & OSI model. Notice that the Internet Layer of TCP/IP is equivalent to the Network Layer which is responsible for routing decision.

Question 5

A host is attempting to send data to another host on a different network. What is the first action that the sending host will take?

A. Drop the data.
B. Send the data frames to the default gateway.
C. Create an ARP request to get a MAC address for the receiving host.
D. Send a TCP SYN and wait for the SYN ACK with the IP address of the receiving host.

Answer: B

Explanation

Before sending data, the sending host checks if the destination host is inside or outside the local network. If it is outside the local network, the data will be sent to the default gateway.

Question 6

A TCP/IP Transfer is diagrammed in the exhibit.
A window size of three has been negotiated for this transfer. Which message will be returned from the receiver to the sender as part of this TCP/IP transfer?

A. Send ACK 1-3
B. Send ACK 3
C. Send ACK 4
D. Send ACK 4-6
E. Send ACK 6
F. Send ACK 7

Answer: C

Explanation

In response, the receiver replies with an ACK. The acknowledgment number is set to one more than the received sequence number. The ACK means “I have got all messages up to sequence number n-1 so please send me the message for sequence number n”.

Question 7

What is the purpose using the traceroute command?

A. to map all the devices on a network.
B. to display the current TCP/IP configuration values.
C. to see how a device MAC address is mapped to its IP address.
D. to see the path a packet will take when traveling to a specified destination.
E. to display the MTU values for each router in a specified network path from source to a destination.

Answer: D

Question 8

A network admin wants to know every hop the packets take when he accesses cisco.com. Which command is the most appropriate to use?

A. path cisco.com
B. debugcisco.com
C. trace cisco.com
D. traceroute cisco.com

Answer: D

Question 9

Refer to the exhibit. Host A pings Host B. What source MAC address and source IP address are contained in the frame as the frame leaves R2 destined for host B?

A. abcd.abcd.a001
B. abcd.abcd.b002
C. abcd.abcd.c003
D. 10.2.0.15
E. 10.0.64.1
F. 10.0.128.15

Answer: B D

Explanation

When packets are sent from Host A to Host B, the source and destination IP addresses are never changed and they are the IP addresses of Host A & Host B. Only the MAC addresses will be changed to reflect the device of the current network. In this case, when the frame leaves R2 destined for host B. It will have:

+ Source IP: IP of Host A - 10.2.0.15 (never changed)
+ Destination IP: IP of Host B – 10.0.128.15 (never changed)
+ Source MAC: MAC of Fa0/0 of R2 – abcd.abcd.b002
+ Destination MAC: MAC of Host B – abcd.abcd.d004

Question 10

Host 1 is trying to communicate with Host 2. The e0 interface on Router C is down. Which of the following are true? (Choose two)

A. Router C will use ICMP to inform Host 1 that Host 2 cannot be reached.
B. Router C will use ICMP to inform Router B that Host 2 cannot be reached.
C. Router C will use ICMP to inform Host 1, Router A, and Router B that Host 2 cannot be reached.
D. Router C will send a Destination Unreachable message type.
E. Router C will send a Router Selection message type.
F. Router C will send a Source Quench message type.

Answer: A D

Explanation

The last known good router will try to inform you that the destination cannot be reached (with a Destination Unreachable message type) so from that information you can learn how far your packets can travel to and where the problem is.

Question 11

Refer to the exhibit. The switch in the graphic has a default configuration and the MAC table is fully populated. In addition, this network is operating properly. The graphic represents selected header information in a frame leaving host A. What can be concluded from this information?

A. The MAC address of host A is FFFF.FFFF.FFFF.
B. The router will forward the packet in this frame to the Internet.
C. The switch will only forward this frame to the attached router interface.
D. All devices in this LAN except host A will pass the packet to Layer 3.

Answer: D

Explanation

This frame is leaving host A so host A is the source of this frame. In this frame, the MAC destination is FFFF.FFFF.FFFF which is a broadcast address so Sw1 will flood this frame out all its ports except the port it received the frame -> Hosts B, C, D and the interface connected to Sw1 on R1 will receive this frame. When receiving this frame, they will pass the packet to Layer 3 (because they consider broadcast address “everyone, including me”). At Layer 3, the Destination IP will be checked and only the host (or the interface on the router) with correct IP will respond to Host A while others keep silence -> D is correct.

Just for your information, maybe you can ask “this is a broadcast message so why router R1 doesn’t drop it?”. Suppose this is an ARP Request message. In fact, R1 drops that packet but it also learns that it is an ARP Request so R1 looks up its routing table to find a route to that destination. If it can find one, it will send an ARP Reply back for host A”.

Question 1

Refer to the exhibit. What can be determined from the output?

A. 192.168.1.2 is local to the router.
B. 192.168.3.1 is local to the router.
C. 192.168.1.2 will age out in less than 1 minute.
D. 192.168.3.1 has aged out and is marked for deletion.

Answer: B

Explanation

The “Age” field in the “show ip arp” command is the age in minutes of the cache entry. A hyphen (-) means the address is local so in this case 192.168.1.1 & 192.168.3.1 are local to this router -> B is correct.

Note: The “Age 0″ means that the address was cached less than 1 minute ago.

Question 2

Refer to the exhibit. What could be possible causes for the “Serial0/0 is down” interface status? (Choose two)

A. A Layer 1 problem exists.
B. The bandwidth is set too low.
C. A protocol mismatch exists.
D. An incorrect cable is being used.
E. There is an incorrect IP address on the Serial 0/0 interface.

Answer: A D

Explanation

The first part of the “Serial0/0 is down, line protocol is down” indicates a layer 1 problem while the second part indicates a layer 2 problem -> A is correct.

Some popular layer 1 problems are listed below:

+ device power off
+ device power unplugged
+ loose network cable connection
+ incorrect cable type
+ faulty network cable

Answer B “The bandwidth is set too low” will not make a layer 1 problem.
Answer C is a layer 2 problem.
Answer E is a layer 3 problem.

Question 3

Which line from the output of the show ip interface command indicates a layer 1 problem?

A. Serial0/1 is up, line protocol is down
B. Serial0/1 is down, line protocol is down
C. Serial0/1 is up, line protocol is up
D. Serial0/1 is administratively down, line protocol is down

Answer: B

Explanation

Same as question 1.

Question 4

Refer to the exhibit. What is the meaning of the output MTU 1500 bytes?

A. The maximum number of bytes that can traverse this interface per second is 1500.
B. The minimum segment size that can traverse this interface is 1500 bytes.
C. The maximum segment size that can traverse this interface is 1500 bytes.
D. The minimum packet size that can traverse this interface is 1500 bytes.
E. The maximum packet size that can traverse this interface is 1500 bytes.
F. The maximum frame size that can traverse this interface is 1500 bytes.

Answer: E

Explanation

The Maximum Transmission Unit (MTU) defines the maximum Layer 3 packet (in bytes) that the layer can pass onwards.

Question 5

The network administrator normally establishes a Telnet session with the switch from host A. The administrator’s attempt to establish a connect via Telnet to the switch from host B fails, but pings from host B to other two hosts are successful. What is the issue for this problem?

A. Host B and the switch need to be in the same subnet.
B. The switch needs an appropriate default gateway assigned.
C. The switch interface connected to the router is down.
D. Host B need to be assigned an IP address in vlan 1.

Answer: B

Explanation

Host A (172.19.1.1) and the management IP address of the Switch (172.19.1.250) are in the same subnet so telnet from host A to the switch can be successful even if a default gateway is not set on host A.

But host B (172.19.32.2) and the management IP address of the Switch (172.19.1.250) are not in the same subnet so host B needs a default gateway to telnet to the switch. The default gateway on host B should be 172.19.32.254.

Question 6

Which command displays CPU utilization?

A. show protocols
B. show process
C. show system
D. show version

Answer: B

Explanation

The “show process” (in fact, the full command is “show processes”) command gives us lots of information about each process but in fact it is not easy to read. Below shows the output of this command (some next pages are omitted)

A more friendly way to check the CPU utilization is the command “show processes cpu history”, in which the total CPU usage on the router over a period of time: one minute, one hour, and 72 hours are clearly shown:

+ The Y-axis of the graph is the CPU utilization.
+ The X-axis of the graph is the increment within the period displayed in the graph

For example, from the last graph (last 72 hours) we learn that the highest CPU utilization within 72 hours is 37% about six hours ago.

Question 7

Refer to the exhibit. You are connected to the router as user Mike. Which command allows you to see output from the OSPF debug command?

A. terminal monitor
B. show debugging
C. show sessions
D. show ip ospf interface

Answer: A

Explanation

By default, Cisco IOS does not send log messages to a terminal session over IP like Telnet, SSH but console connections do have logging feature enabled by default. To display debug command output and system error messages for Telnet or SSH session, use the “terminal monitor” command in privileged mode.

Question 1

An administrator attempts a traceroute but receives a “Destination Unreachable” message. Which protocol is responsible for that message?

A. RARP
B. RUDP
C. ICMP
D. SNMP

Answer: C

Explanation

The ICMP destination unreachable message is generated by a router (which is reachable) to inform the source host that the destination unicast address is unreachable.

Question 2

DNS servers provide what service?

A. They run a spell check on host names to ensure accurate routing
B. They convert domain names into IP address
C. Given an IP address.they determine the name of the host that is sought
D. They map individual hosts to their specific IP addresses

Answer: B

Explanation

For example, when you open a web browser (IE, Firefox…) and type a domain (like google.com). This domain will be sent to a DNS server. The DNS server looks up this domain in its database and sends back a corresponding IP address which you can use to access that website.

Note: A DNS server can be a dedicated device for DNS service or integrated into a networking device (like router).

Question 3

Which of the following protocols uses both TCP and UDP ports?

A. SMTP
B. Telnet
C. FTP
D. DNS

Answer: D

Explanation

DNS can use either the User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) with a destination port of 53.

Note:

+Simple Mail Transfer Protocol (SMTP) is specified for mail transport and uses TCP port 25.
+ Telnet uses TCP on port 23.
+ File Transfer Protocol (FTP) uses TCP on port 20, 21.
+ Trivial File Transfer Protocol (TFTP) uses UDP on port 69.
+ HTTP Secure (HTTPS) uses TCP on port 443.

Question 4

Which protocol should be used to establish a secure terminal connection to a remote network device?

A. ARP
B. SSH
C. Telnet
D. WEP
E. SNMPv1
F. SNMPv2

Answer: B

Explanation

Secure Shell (SSH) protocols secure terminal session data across insecure environments such as the internet.

Question 5

A network administrator issues the ping 192.168.2.5 command and successfully tests connectivity to a host that has been newly connected to the network. Which protocols were used during the test? (Choose two)

A. ARP
B. CDP
C. DHCP
D. DNS
E. ICMP

Answer: A E

Explanation

In this question we are not sure the host 192.168.2.5 is in or outside the local network. But in both cases the ARP protocol are used to get the MAC address:

+ If host 192.168.2.5 is inside the local network, our device will broadcast an ARP Request to ask the MAC address of the host 192.168.2.5 (something like “If your IP is 192.168.2.5, please send me your MAC address”).
+ If host 192.168.2.5 is outside the local network, our device will broadcast an ARP Request to ask the MAC address of the local port (the port in the same subnet with our device) of the default gateway. Notice that the IP of the default gateway has been already configured in our device.

-> In both cases, our device must broadcast an ARP Request -> A is correct.

After getting the ARP of the destination device, our device will use ICMP protocol to send the “ping” -> E is correct.

Note: The question states “the host has been newly connected to the network” which means our device hasn’t had the MAC address of this host in its ARP table -> it needs to send ARP Request.

There is one situation which makes answer A incorrect: the newly connected host is outside the network but our device has already learned the MAC address of the default gateway -> in this case no ARP Request will be sent. So I assume the question wants to imply the newly connected host is in the local network.

Question 6

Which network protocol does DNS use?

A. FTP
B. TFTP
C. TCP
D. UDP
E. SCP

Answer: D

Explanation

It is funny that in Question 3 I answered “DNS uses both TCP & UDP” but in this question we can only choose one answer and it should be “DNS uses UDP”. So I wish to explain more:

Normally a client sends a DNS Query using UDP Protocol over Port 53. If it does not get response from a DNS Server, it must re-transmit the DNS Query using TCP after 3-5 seconds. So we can say DNS prefers using UDP to TCP -> the answer should be UDP.

Question 7

When two hosts are trying to communicate across a network, how does the host originating the communication determine the hardware address of the host that it wants to “talk” to?

A. RARP request
B. Show Network Address request
C. Proxy ARP request
D. ARP request
E. Show Hardware Address request

Answer: D

Explanation

The address resolution protocol (ARP) is a protocol used to map IP network addresses to the hardware addresses.

+ If the destination host is inside the local network, the originating host will broadcast an ARP Request to ask the MAC address of that host.
+ If the destination host is outside the local network, the originating host will broadcast an ARP Request to ask the MAC address of the local port (the port in the same subnet with our device) of the default gateway. Notice that the IP of the default gateway has been already configured in our device.

The table below summarizes the possible network numbers, the total number of each type, and the number of hosts in each Class A, B, and C network.

Table 1 – Default subnet mask & range of each class

Class A addresses begin with a 0 bit. Therefore, all addresses from 1.0.0.0 to 126.255.255.255 belong to class A (1=0000 0001; 126 = 0111 1110).
The 0.0.0.0 address is reserved for default routing and the 127.0.0.0 address is reserved for loopback testing so they don’t belong to any class.
Class B addresses begin with a 1 bit and a 0 bit. Therefore, all addresses from 128.0.0.0 to 191.255.255.255 belong to class B (128=1000 0000; 191 = 1011 1111).
Class C addresses begin with two 1 bits and a 0 bit. Class C addresses range from 192.0.0.0 to 223.255.255.255 (192 = 1100 0000; 223 = 1101 1111).

Class D & E are used for Multicast and Research purposes and we are not allowed to subnet them so they are not mentioned here.

Note: The number behind the slash notation (/) specifies how many bits are turned on (bit 1). For example:

+ “/8″ equals “1111 1111.0000 0000.0000 0000.0000 0000″ -> 8 bits are turned on (bit 1)
+ “/12″ equals “1111 1111.1111 0000.0000 0000.0000 0000″ -> 12 bits are turned on (bit 1)
+ “/28″ equals “1111 1111.1111 1111.1111 1111.1111 0000″ -> 28 bits are turned on (bit 1)
+ “/32″ equals “1111 1111.1111 1111.1111 1111.1111 1111″ -> 32 bits are turned on (bit 1) and this is also the maximum value because all bits are turned on.

The slash notation (following with a number) is equivalent to a subnet mask. If you know the slash notation you can figure out the subnet mask and vice versa. For example, “/8″ is equivalent to “255.0.0.0″; “/12″ is equivalent to “255.240.0.0″; “/28″ is equivalent to “255.255.240.0″; “/32″ is equivalent to “255.255.255.255″.

The Network & Host parts of each class by default

From the “default subnet mask” shown above, we can identify the network and host part of each class. Notice that in the subnet mask, bit 1 represents for Network part while bit 0 presents for Host part (255 equals to 1111 1111 and 0 equals to 0000 0000 in binary form).

What is “subnetting”?

When changing a number in the Network part of an IP address we will be in a different network from the previous address. For example, the IP address 11.0.0.1 belongs to class A and has a default subnet mask of 255.0.0.0; if we change the number in the first octet (a block of 8 bits, the first octet is the leftmost 8 bits) we will create a different network. For example, 12.0.0.1 is in a different network from 11.0.0.1. But if we change a number in the Host part, we are still in the same Network. For example, 11.1.0.1 is in the same network of 11.0.0.1.

The problem here is if we want to create 300 networks how can we do that? In the above example, we can only create different networks when changing the first octet so we can create a maximum of 255 networks because the first octet can only range from 1 to 255 (in fact it is much smaller because class A only range from 1 to 126). Now we have to use a technique called “subnetting” to achieve our purpose.

“Subnetting” means we borrow some bits from the Host part to add to the Network part. This allows us to have more networks than using the default subnet mask. For example, we can borrow some bits in the next octet to make the address 11.1.0.1 belong to a different network from 11.0.0.1.

How to subnet?

Do you remember that I said “in the subnet mask, bit 1 represents for Network part while bit 0 presents for Host part”? Well, this also means that we can specify how many bits we want to borrow by changing how many bit 0 to bit 1 in the subnet mask.

Let’s come back to our example with the IP 11.0.0.1, we will write all numbers in binary form to reveal what a computer really sees in an IP address.

Now you can clearly see that the subnet mask will decide which is the Network part, which is the Host part. By borrowing 8 bits, our subnet mask will be like this:

After changing the second octet of the subnet mask from all “0″ to all “1″, the Network part is now extended. Now we can create new networks by changing number in the first or second octet. This greatly increases the number of networks we can create. With this new subnet mask, IP 11.1.0.1 is in different network from IP 11.0.0.1 because “1″ in the second octet now belongs to the Network part.

So, in conclusion we “subnet” by borrowing bit “0″ in the Host portion and converting them to bit “1″. The number of borrowed bits is depended on how many networks we need.

Note: A rule of borrowing bits is we can only borrow bit 0 from the left to the right without skipping any bit 0. For example, you can borrow like this: “1111 1111. 1100 0000.0000 0000.0000 0000″ but not this: “1111 1111. 1010 0000.0000 0000.0000 0000″. In general, just make sure all your bit “1″s are successive on the left and all your bit “0″s are successive on the right.

In part 2 we will learn how to calculate the number of sub-networks and hosts-per-subnet

]]> http://www.9tut.com/subnetting-tutorial/feed 28 http://www.9tut.com/frame-relay-tutorial http://www.9tut.com/frame-relay-tutorial#comments Wed, 07 Sep 2011 11:38:17 +0000 9tutq http://www.9tut.com/?p=817 Let’s start this article with the question: Why do we need Frame Relay?

Let’s take a simple example. Suppose you are working in a big company and your company has just expanded to two new locations. The main site is connected to two branch offices, named Branch 1 & Branch 2 and your boss wants these two branches can communicate with the main site. The most simple solution is to connect them directly (called a leased line) as shown below:

To connect to these two branches, the main site router, HeadQuarter, requires two serial interfaces which a router can provide. But what happens when the company expands to 10 branches, 50 branches? For each point-to-point line, HeadQuarter needs a separate physical serial interface (and maybe a separate CSU/DSU if it is not integrated into the WAN card). As you can imagine, it will need many routers with many interfaces and lots of rack space for the routers and CSU/DSUs. Maybe we should use another solution for this problem? Luckily, Frame Relay can do it!

By using Frame Relay we only need one serial interface at the HeadQuarter to connect to all branches. This is also true when we expand to 10 or 50 branches. Moreover, the cost is much lesser than using leased-lines.

Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI reference model. It offers lower-cost data transfer when compared to typical point-to-point applications, by using virtual connections within the frame relay network and by combining those connections into a single physical connection at each location. Frame relay providers use a frame relay switch to route the data on each virtual circuit to the appropriate destination.

Maybe these terminologies of Frame Relay are difficult to understand so we will explain them in more detail in this article.

DCE & DTE

The first concept in Frame Relay you must grasp is about DTE & DCE:

+ Data terminal equipment (DTE), which is actually the user device and the logical Frame-relay end-system
+ Data communication equipment (DCE, also called data circuit-terminating equipment), which consists of modem and packet switch

In general, the routers are considered DTE, and the Frame Relay switches are DCE. The purpose of DCE equipment is to provide clocking and switching services in a network. In our example, HeadQuarter, Branch 1 & Branch 2 are DTEs while Frame Relay switches are DCEs.

Virtual Circuits

The logical connection through the Frame Relay network between two DTEs is called a virtual circuit (VC). The term “virtual” here means that the two DTEs are not connected directly but through a network. For example, the HeadQuarter & Branch 1 (or Branch 2) can communicate with each other as if they were directly connected but in fact they are connected through a Frame Relay network with many Frame Relay switches between them.

There are two types of VCs
+ switched virtual circuits (SVCs): are temporary connections that are only used when there is sporadic data transfer between DTE devices across the Frame Relay network. SVC is set up dynamically when needed. SVC connections require call setup and termination for each connection.
+ permanent virtual circuits (PVCs): A predefined VC. A PVC can be equated to a leased line in concept.

Nowadays most service providers offer PVC service only to save additional costs for signaling and billing procedures.

]]> http://www.9tut.com/frame-relay-tutorial/feed 26 http://www.9tut.com/wireless-tutorial http://www.9tut.com/wireless-tutorial#comments Fri, 12 Aug 2011 07:52:16 +0000 9tutq http://www.9tut.com/?p=787 In this article we will discuss about Wireless technologies mentioned in CCNA.

Wireless LAN (WLAN) is very popular nowadays. Maybe you have ever used some wireless applications on your laptop or cellphone. Wireless LANs enable users to communicate without the need of cable. Below is an example of a simple WLAN:

Each WLAN network needs a wireless Access Point (AP) to transmit and receive data from users. Unlike a wired network which operates at full-duplex (send and receive at the same time), a wireless network operates at half-duplex so sometimes an AP is referred as a Wireless Hub.

The major difference between wired LAN and WLAN is WLAN transmits data by radiating energy waves, called radio waves, instead of transmitting electrical signals over a cable.

Also, WLAN uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) instead of CSMA/CD for media access. WLAN can’t use CSMA/CD as a sending device can’t transmit and receive data at the same time. CSMA/CA operates as follows:

+ Listen to ensure the media is free. If it is free, set a random time before sending data
+ When the random time has passed, listen again. If the media is free, send the data. If not, set another random time again
+ Wait for an acknowledgment that data has been sent successfully
+ If no acknowledgment is received, resend the data

IEEE 802.11 standards:

Nowadays there are three organizations influencing WLAN standards. They are:

+ ITU-R: is responsible for allocation of the RF bands
+ IEEE: specifies how RF is modulated to transfer data
+ Wi-Fi Alliance: improves the interoperability of wireless products among vendors

But the most popular type of wireless LAN today is based on the IEEE 802.11 standard, which is known informally as Wi-Fi.

* 802.11a: operates in the 5.7 GHz ISM band. Maximum transmission speed is 54Mbps and approximate wireless range is 25-75 feet indoors.
* 802.11b: operates in the 2.4 GHz ISM band. Maximum transmission speed is 11Mbps and approximate wireless range is 100-200 feet indoors.
* 802/11g: operates in the 2.4 GHz ISM band. Maximum transmission speed is 54Mbps and approximate wireless range is 100-200 feet indoors.

ISM Band: The ISM (Industrial, Scientific and Medical) band, which is controlled by the FCC in the US, generally requires licensing for various spectrum use. To accommodate wireless LAN’s, the FCC has set aside bandwidth for unlicensed use including the 2.4Ghz spectrum where many WLAN products operate.

Wi-Fi: stands for Wireless Fidelity and is used to define any of the IEEE 802.11 wireless standards. The term Wi-Fi was created by the Wireless Ethernet Compatibility Alliance (WECA). Products certified as Wi-Fi compliant are interoperable with each other even if they are made by different manufacturers.

Access points can support several or all of the three most popular IEEE WLAN standards including 802.11a, 802.11b and 802.11g.

WLAN Modes:

WLAN has two basic modes of operation:

* Ad-hoc mode: In this mode devices send data directly to each other without an AP.

* Infrastructure mode: Connect to a wired LAN, supports two modes (service sets):

+ Basic Service Set (BSS): uses only a single AP to create a WLAN
+ Extended Service Set (ESS): uses more than one AP to create a WLAN, allows roaming in a larger area than a single AP. Usually there is an overlapped area between two APs to support roaming. The overlapped area should be more than 10% (from 10% to 15%) to allow users moving between two APs without losing their connections (called roaming). The two adjacent APs should use non-overlapping channels to avoid interference. The most popular non-overlapping channels are channels 1, 6 and 11 (will be explained later).

Roaming: The ability to use a wireless device and be able to move from one access point’s range to another without losing the connection.

When configuring ESS, each of the APs should be configured with the same Service Set Identifier (SSID) to support roaming function. SSID is the unique name shared among all devices on the same wireless network. In public places, SSID is set on the AP and broadcasts to all the wireless devices in range. SSIDs are case sensitive text strings and have a maximum length of 32 characters. SSID is also the minimum requirement for a WLAN to operate. In most Linksys APs (a product of Cisco), the default SSID is “linksys”.

In the next part we will discuss about Wireless Encoding, popular Wireless Security Standard and some sources of wireless interference.

]]> http://www.9tut.com/wireless-tutorial/feed 17 http://www.9tut.com/frame-relay-gns3-lab http://www.9tut.com/frame-relay-gns3-lab#comments Sat, 30 Jul 2011 10:51:10 +0000 9tutq http://www.9tut.com/?p=775 In this article we will create a Frame Relay in GNS3 to learn how to configure Frame-Relay.

First we create 4 routers and link them as follows:

IOS used in this lab: c2600-bin-mz.123-6f.bin

Configure IP addresses

First we will assign IP addresses for all relevant interfaces. Notice that R1 will be Frame-Relay switch in this lab so its interfaces don’t need IP addresses.

On R0:

R0#configure terminal
R0(config)#interface s0/0
R0(config-if)#ip address 192.168.1.1 255.255.255.0
R0(config-if)#no shutdown

On R2:

R2#configure terminal
R2(config)#interface s0/0
R2(config-if)#ip address 192.168.1.2 255.255.255.0
R2(config-if)#no shutdown

On R3:

R3#configure terminal
R3(config)#interface s0/0
R3(config-if)#ip address 192.168.1.3 255.255.255.0
R3(config-if)#no shutdown

Configure Frame-Relay

To configure Frame-Relay on R0, R2 and R3 we need to enable Frame-Relay encapsulation and specify a type of LMI (ansi – in this case)

R0,R2,R3(config)#interface s0/0
R0,R2,R3(config-if)#encapsulation frame-relay
R0,R2,R3(config-if)#frame-relay lmi-type ansi

Configure R1 as a Frame-Relay switch

In this lab R1 will be configured as a Frame-relay switch so no IP address is required.

Turn on Frame-Relay switching feature on R1:
R1(config)#frame-relay switching

On each interface we must specify how the frame will be proceeded. In practical, the Frame-Relay switch (R1) is placed at the ISP side so its interfaces should be set to DCE.

R1(config)# interface s0/0
R1(config-if)#encapsulation frame-relay
R1(config-if)#encapsulation lmi-type ansi
R1(config-if)#encapsulation lmi-type dce
R1(config-if)#clock rate 64000
R1(config-if)#frame-relay route 102 interface Serial0/1 201 (will be explained later)
R1(config-if)#frame-relay route 103 interface Serial0/2 301

The command frame-relay route 102 interface Serial0/1 201 means frame-relay traffic come to R1 which has a DLCI of 102 will be sent to interface Serial0/1 with a DLCI of 201.

Note: Data link connection identifiers (DLCIs) are numbers that refer to paths through the Frame Relay network. They are only locally significant.

Continue configuring s0/1 & s0/2 interfaces (same as s0/0)

R1(config)# interface s0/1
R1(config-if)#encapsulation frame-relay
R1(config-if)#encapsulation lmi-type ansi
R1(config-if)#encapsulation lmi-type dce
R1(config-if)#clock rate 64000
R1(config-if)#frame-relay route 201 interface Serial0/0 102

R1(config)# interface s0/2
R1(config-if)#encapsulation frame-relay
R1(config-if)#encapsulation lmi-type ansi
R1(config-if)#encapsulation lmi-type dce
R1(config-if)#clock rate 64000
R1(config-if)#frame-relay route 301 interface Serial0/0 103

Use the show frame-relay map command to display the current map entries for static and dynamic routes

R0#show frame-relay map

By default, Cisco uses Inverse ARP to map remote IP address of the PVC with the DLCI of the local interface as we can see here. Fraom the output above we learn that DLCI 102 is set on Serial0/0 of R0 and mapped with 192.168.1.2. The status of this connection is “dynamic” and “active”, which means it is operating correctly.

Below are the outputs of this command on other routers:

Notice that you will only see the “map” at two ends. If we issue this command on Frame-Relay switch (R1 is this case) it will show nothing.

The show frame-relay pvc command is used to display the status of all configured connections, traffic statistics, BECN and FECN packets received by the router.

Use the show frame-relay lmi to display LMI traffic statistics (including LMI type, status messages sent and invalid LMI messages)

Pings from R0 to R2 & R3 are successful.

However ping from R2 to R3 is unsuccessful. It means that customers cannot see each other. This is because the split horizon rule: “A router never sends information about a route back in same direction which is original information came”. To overcome this problem we can configure subinterfaces on R0.

This task requires you to use the CLI of Sw-AC3 to answer five multiple-choice questions. This does not require any configuration.

To answer the multiple-choice questions, click on the numbered boxes in the right panel.

There are five multiple-choice questions with this task. Be sure to answer all five questions before leaving this item.

Notice: All the images in this VTP LAB are used for demonstration only, you will see slightly different images in the real CCNA exam. You can download this sim to practice here: http://www.9tut.com/download/9tut.com_CCNA_vtp_sim.pka

If you are not sure about VTP, please read my VTP Tutorial

Question 1

What interface did Sw-AC3 associate with source MAC address 0010.5a0c.ffba ?

a) Fa0/1

b) Fa0/3

c) Fa0/6

d) Fa0/8

e) Fa0/9

f) Fa0/12

Answer: Fa 0/8

Explanation: to find out which interface associated with a given MAC address, use the show mac-address-table command. It shows the learned MAC addresses and their associated interfaces. After entering this command, you will see a MAC address table like this:

From this table we can figure out that the MAC address 0010.5a0c.ffba is associated with interface Fa0/8.

Note: There are some reports that the “show mac-address-table” command does not exist in the exam. So in the exam, if you cannot use the “show mac-address-table” command then try using the “show mac address-table” (without “-”) instead.

Question 2

What ports on Sw-AC3 are operating has trunks (choose three)?

a) Fa0/1

b) Fa0/3

c) Fa0/4

d) Fa0/6

e) Fa0/9

f) Fa0/12

Answer: Fa0/3, Fa0/9 and Fa0/12

Explanation: Use the show interface trunk command to determine the trunking status of a link and VLAN status. This command lists port, its mode, encapsulation and whether it is trunking. The image below shows how it works:

(This image is used for demonstration only)

Question 3

What kind of router is VLAN-R1?

a) 1720

b) 1841

c) 2611

d) 2620

Answer: 2620

Explanation: VLAN-R1 is the router directly connected to Sw-Ac3 switch, so we can use the show cdp neighbors command to see:

1. Neighbor Device ID : The name of the neighbor device;

2. Local Interface : The interface to which this neighbor is heard

3. Capability: Capability of this neighboring device – R for router, S for switch, H for Host etc.

4. Platform: Which type of device the neighbor is

5. Port ID: The interface of the remote neighbor you receive CDP information

6. Holdtime: Decremental hold time in seconds

Sample output of show cdp neighbors command:

One thing I want to notice you is “Local Intrfce” in the image above refers to the local interface on the device you are running the “show cdp neighbors” command

Question 4

Which switch is the root bridge for VLAN 1?

Answer: Sw-DS1

Explanation: First we use the show spanning-tree vlan 1 to view the spanning-tree information of VLAN 1

From the “Cost 19″, we learn that the root switch is directly connected to the Sw-Ac3 switch over a 100Mbps Ethernet link

Notice that if you see all of the interface roles are Desg (designated) then you can confirm Sw-Ac3 switch is the root bridge for this VLAN (VLAN 1).

If you see there is at least one Root port in the interface roles then you can confirm Sw-Ac3 is not the root bridge because root bridge does not have root port. In this case, we notice that the root port on Sw-Ac3 switch is FastEthernet0/12, so we have to figure out which switch is associated with this port -> it is the root bridge. You can verify it with the show cdp neighbors command:

The “Local Intrfce” column refers to the interface on the switch running “show cdp neighbors” command. In this case, Sw-DS1 is associated with interface FastEthernet0/12 -> Sw-DS1 is the root bridge

Question 5

What address should be configured as the default-gateway for the host connected to interface fa 0/4 of SW-Ac3?

Answer: 192.168.44.254

Explanation:

First we have to identify which VLAN interface Fa0/4 belongs to by the show vlan command

From the exhibit we know that VLAN 44 is configured on router using sub-interface Fa0/0.44 with IP address 192.168.44.254/24

Therefore the default gateway of the host should be 192.168.44.254

Question 6

From which switch did Sw-Ac3 receive VLAN information ?

Answer: Sw-AC2

Explanation: to view the VTP configuration information, use the show vtp status command

So we knew Sw-Ac3 received VLAN information from 163.5.8.3 (notice:the IP address may be different). Finally we use the show cdp neighbors detail to find out who 163.5.8.3 is:

Question 7

Refer to the exibit, SwX was taken out of the production network for maintenance. It will be reconnected to the Fa 0/16 port of Sw-Ac3. What happens to the network when it is reconnected and a trunk exists between the two switches?

A – All VLANs except the default VLAN win be removed from all switches

B – All existing switches will have the students, admin, faculty, Servers, Management, Production, and no-where VLANs

C – The VLANs Servers, Management, Production and no-where will replace the VLANs on SwX

D – The VLANs Servers, Management, Production and no-where will be removed from existing switches

Answer and Explanation:

First we should view the VTP configuration of switch Sw-Ac3 by using the show vtp status command on Sw-Ac3

Notice that its configuration revision number is 5 and VTP Domain Name is home-office

Next, from the exhibit we know that SwX has a revision number of 6, which is greater than that of Sw-Ac3 switch, and both of them have same VTP Domain Name called “home-office”.

Therefore SwX will replace vlan information on other switches with its own information. We should check vlan information of Sw-Ac3 switch with show vlan command

So the correct answer is D – The VLANs Servers, Management, Production and no-where will be removed from existing switches

Please notice that in the real CCNA exam you may see a different configuration revision of Sw-Ac3 or of SwX. In general, which switch has a higher revision number it will become the updater and other switches will overwrite their current databases with the new information received from the updater (provided that they are on the same domain and that switch is not in transparent mode). In particular, if the revision number of SwX is lower than that of Sw-Ac3, the answer should be “C – The VLANs Servers, Management, Production and no-where will replace the VLANs on SwX”.

Also, some recent comments have said that the new switch’s VTP Operating Mode is Server but the answer is still the same.

Note: If a switch is in client mode and has a higher Revision number, it can still update other Server switches (with lower Revision numbers).

Question 8

Out of which ports will a frame be forwarded that has source mac-address 0010.5a0c.fd86 and destination mac-address 000a.8a47.e612? (Choose three)

A – Fa0/8

B – Fa0/3

C – Fa0/1

D – Fa0/12

Answer: B C D

Explanation:

First we check to see which ports the source mac-address and the destination mac-address belong to by using show mac-address-table command

We notice that the source mac-address 0010.5a0c.fd86 is listed in the table and it belongs to Vlan 33 but we can’t find the destination mac-address 000a.8a47.e612 in this table. In this case, the switch will flood to all ports of Vlan 33 and flood to all the trunk links, except the port it received this frame (port Fa0/6). Therefore from the output above, we can figure out it will flood this frame to Fa0/1, Fa0/3 and Fa0/12.

Please notice that the “show mac-address-table” command just lists information that was learned by the switch, it means that there can be other ports besides Fa0/1, Fa0/3 and Fa0/12 belong to Vlan 33. You can use the show vlan command to see which ports belong to vlan 33

And we found other ports which belong to vlan 33, they are Fa0/2, Fa0/5 and Fa0/7. Our switch will flood the frame to these ports, too.

And we can check which trunk ports will receive this frame by the show interface trunk command

-> Port Fa0/9 will also receive this frame!

Question 9

If one of the host connected to Sw-AC3 wants to send something for the ip 190.0.2.5 (or any ip that is not on the same subnet) what will be the destination MAC address?

Answer and Explanation:

Because the destination address is not on the same subnet with the switch, it will forward the packet to its default gateway. So we have to find out who is the default gateway of this switch by using the show running-config command

From the output, we notice that its default-gateway is 192.168.1.254. In fact, we can easily guess that its default gateway should be a layer 3 device like a router; and in this case, the VLAN-R1 router. To verify our theory, use the show cdp neighbor detail command and focus on the description of VLAN-R1 router

From this output, we can confirm the switch’s default gateway is VLAN-R1 router (with the IP address of 192.168.1.254). And “the interface: FastEthernet0/3″ tells us that the switch is connected to VLAN-R1 router through Fa0/3 port (Fa0/3 is the port on the switch).

Finally we just need to use the show mac-address-table command to find out which MAC address is associated with this interface

(Notice that in the real CCNA exam the MAC address or port may be different)

And we find out the corresponding MAC address is 000a.b7e9.8360. Although there are some entries of port Fa0/3 with different Vlans but they have the same MAC address

Other lab-sims on this site:

CCNA Access List Sim

CCNA Access List Sim 2

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA EIGRP LAB

CCNA Drag and Drop SIM

CCNA Implementation SIM

“A virtual LAN (VLAN) is a group of networking devices in the same broadcast domain”

It is the concept of VLAN that most of the books are using but it doesn’t help us understand the benefits of VLANs. If you ask “What is a LAN?” you will receive the same answer: it is also a group of networking devices in the same broadcast domain!

To make it clearer, I expanded the above statement into a bit longer statement :)

“A virtual LAN (VLAN) is a group of networking devices in the same broadcast domain, logically”

It means that the devices in the same VLAN may be widely separated in the network, both by geography and location. VLANs logically segment the network into different broadcast domains so that packets are only switched between ports that are designated for the same VLAN.

Let’s take an example to understand the benefits of VLAN. Suppose you are working in a big company with many departments, some of them are SALES and TECHNICAL departments. You are tasked to separate these departments so that each of them can only access specific resources in the company.

This task is really easy, you think. To complete this task, you just need to use different networks for these departments and use access-list to allow/deny that network to a specific resource. For example, you assign network 192.168.1.0/24 for SALES and 192.168.2.0/24 for TECH. At the “Company router” you apply an access-list to filter traffic from these networks. Below is the topology of your network without VLANs:

Everything looks good and you implement this design to your company. But after one month you receive many complaints from both your colleagues and leaders.

+ First, your department leaders need to access to additional private resources which employees are not allowed.
+ Second, the company has just recruited some new SALES employees but now the SALES room is full so they have to sit at the 1st floor (in the TECH area). They want to access to SALES resources but they can only access to the TECH resources because they are connecting to TECH switch.

To solve the first problem maybe you will create a new and more powerful network for your leaders. But notice that each leader sits at different floor so you will need to link all of them to a switch -> what a mess!

The second problem is more difficult than the first one. Maybe you have to create another network at the TECH area and apply the same policy as the SALES department for these hosts -> another mess in management!

Maybe you will be glad to know VLAN can solve all these problems. VLAN helps you group users together according to their function rather than their physical location. This means you can use the same network for hosts in different floors (of course they can communicate with each other).

In this design:

+ you can logically create a new network with additional permissions for your leaders (LEADER network) by adding another VLAN.
+ employees can sit anywhere to access the resources in their departments, provided that you allow them to do so.
+ computers in the same department can communicate with each other although they are at different floors.

If these departments expand in the future you can still use the same network in any other floor. For example, SALES needs to have 40 more employees -> you can use 4th floor for this expansion without changing the current network.

But wait… maybe you recognize something strange in the above design? How can 2 computers connecting to 2 different switches communicate? If one computer sends a broadcast packet will it be flooded to other departments as switch doesn’t break up broadcast domains?

The answer is “Yes, they can!” and it is the beauty of VLAN. Hosts in the same VLAN can communicate normally even they are connecting to 2 or more different switches. This makes the management much more simple.

Although layer 2 switches can only break up collision domains but VLANs can be used to break up broadcast domains. So if a computer in SALES broadcasts, only computers in SALES will receive that frame.

So we don’t need a router, right? The answer is “we still need a router” to enable different VLANs to communicate with each other. Without a router, the computers within each VLAN can communicate with each other but not with any other computers in another VLAN. For example, we need a router to transfer file from LEADER to TECH. This is called “interVLAN routing”.

When using VLANs in networks that have multiple interconnected switches, you need to use VLAN trunking between the switches. With VLAN trunking, the switches tag each frame sent between switches so that the receiving switch knows which VLAN the frame belongs to. This tag is known as a VLAN ID. A VLAN ID is a number which is used to identify a VLAN.

Notice that the tag is only added and removed by the switches when frames are sent out on the trunk links. Hosts don’t know about this tag because it is added on the first switch and removed on the last switch. The picture below describes the process of a frame sent from PC A to PC B.

Note: Trunk link does not belong to a specific VLAN, rather it is a conduit for VLANs between switches and routers.

To allow interVLAN routing you need to configure trunking on the link between router and switch.

Therefore in our example we need to configure 3 links as “trunk”.

Cisco switches support two different trunking protocols, Inter-Switch Link (ISL) and IEEE 802.1q. Cisco created ISL before the IEEE standardized trunking protocol. Because ISL is Cisco proprietary, it can be used only between two Cisco switches -> 802.1q is usually used in practical.

In 802.1q encapsulation, there is a concept called native VLAN that was created for backward compatibility with old devices that don’t support VLANs. Native VLAN works as follows:

+ Frame belonging to the native VLAN is not tagged when sent out on the trunk links
+ Frame received untagged on the trunk link is set to the native VLAN.

So if an old switch doesn’t support VLAN it can still “understand” that frame and continue sending it (without dropping it).

Every port belongs to at least one VLAN. If a switch receives untagged frames on a trunkport, they are assumed to be part of the native vlan. By default, VLAN 1 is the default and native VLAN but this can be changed on a per port basis by configuration.

]]> http://www.9tut.com/virtual-local-area-network-vlan-tutorial/feed 55 http://www.9tut.com/78-ccna-access-list-sim-2 http://www.9tut.com/78-ccna-access-list-sim-2#comments Fri, 15 Jul 2011 10:38:35 +0000 9tutq http://www.9tut.com/?p=41 Question

A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.

The task is to create and apply a numberd access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.

All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 – 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17

Answer and Explanation

(Note: If you are not sure how to use access-list, please check out my access-list tutorial at: http://www.9tut.com/access-list-tutorial, also some modifications about the access-list have been reported so you should read the “Some modifications” section at the end of this question to understand more. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_Access-list_sim2.pkt

Corp1>enable (you may enter “cisco” as it passwords here)

We should create an access-list and apply it to the interface which is connected to the Server LAN because it can filter out traffic from both Sw-2 and Core networks. The Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number shown in the figure). Use the “show running-config” command to check which interface has the IP address of 172.22.242.30.

Corp1#show running-config

We learn that interface FastEthernet0/1 is the interface connected to Server LAN network. It is the interface we will apply our access-list (for outbound direction).

Corp1#configure terminal

Our access-list needs to allow host C – 192.168.33.3 to the Finance Web Server 172.22.242.23 via web (port 80)

Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80

Deny other hosts access to the Finance Web Server via web

Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80

All other traffic is permitted

Corp1(config)#access-list 100 permit ip any any

Apply this access-list to Fa0/1 interface (outbound direction)

Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out

Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the access-list can filter traffic coming from both the LAN and the Core networks. If we apply access list to the inbound interface we can only filter traffic from the LAN network.

In the real exam, just click on host C and open its web browser. In the address box type http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your configuration is correct then you can access it.

Click on other hosts (A, B and D) and check to make sure you can’t access Finance Web Server from these hosts.

Finally, save the configuration

Corp1(config-if)#end
Corp1#copy running-config startup-config

(This configuration only prevents hosts from accessing Finance Web Server via web but if this server supports other traffic – like FTP, SMTP… then other hosts can access it, too.)

Notice: In the real exam, you might be asked to allow other host (A, B or D) to access the Finance Web Server so please read the requirement carefully.

Some modifications:

* There are some reports about the command of “All hosts in the core and on the local LAN should be able to access the Public web server” saying that the correct command should be “access-list 100 permit ip any any”, not “access-list 100 permit ip any host (IP of Public Web Server)”. Although I believe the second command is better but maybe you should use the first command “access-list 100 permit ip any any” instead as some reports said they got 100% when using this command (even if the question gives you the IP address of Public Web Server). It is a bug in this sim.

(Note: Don’t forget to apply this access list to the suitable interface or you will lose points
interface fa0/1
ip access-group 100 out

And in the exam, they may slightly change the requirements, for example host A, host B instead of host C… so make sure you read the requirement carefully and use the access-list correctly)

I created this sim in Packet Tracer v5.2.1 so you can practice with it. You will need new version of Packet Tracer to open it (v5.1+).

Download this sim here

Notice: After typing the commands above, if you make a “ping” from other hosts (PC0, PC1, PC3) then PC4 (Finance Web Server) can still reply because we just filter HTTP traffic, not ICMP traffic. To generate HTTP traffic, select “Web Browser” in the “Desktop” tab of these PCs. When a web browser opens, type the IP address of Finance Web Server and you can see how traffic flows in Simulation Mode.

And notice that in the initial configuration of this sim the Core network can ping Finance Web Server. We have to create an access-list that can filter this traffic too.

Other lab-sims on this site:

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

CCNA Drag and Drop SIM

CCNA Implementation SIM

“VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to other switches in the network”

VTP minimizes misconfigurations and configuration inconsistencies that can cause problems, such as duplicate VLAN names or incorrect VLAN-type specifications. VTP helps you simplify management of the VLAN database across multiple switches.

VTP is a Cisco-proprietary protocol and is available on most of the Cisco switches.

Why we need VTP?

To answer this question, let’s discuss a real and popular network topology.

Suppose you are working in a medium company in a 5-floor office. You assigned each floor to a switch for easy management and of course they can be assigned to different VLANs. For example, your bosses can sit in any floor and still access Manage VLAN (VLAN 7). Your technical colleagues can sit anywhere on the floors to access Technical VLAN (VLAN 4). This is the best design because each person’s permission is not limited by the physical location.

Now let’s discuss about VTP role in this topology! Suppose VTP is not running on these switches. One day, your boss decides to add a new department to your office, the Support Department, and you are tasked to add a new SUPPORT VLAN for this department. How will you do that? Well, without VTP you have to go to each switch to enable this new VLAN. Fortunately your office only has 5 floors so you can finish this task in some hours :)

But just imagine if your company was bigger with 100-floor office and some VLANs needed to be added every month! Well, it will surely become a daunting task to add a new VLAN like this. Luckily, Cisco always “thinks big” to create a method for you to just sit at the “Main Sw”, adding your new VLANs and magically, other switches automatically learn about this VLAN, sweet, right? It is not a dream, it is what VTP does for you!

How VTP Works

To make switches exchange their VLAN information with each other, they need to be configured in the same VTP domain. Only switches belonging to the same domain share their VLAN information. When a change is made to the VLAN database, it is propagated to all switches via VTP advertisements.

To maintain domain consistency, only one switch should be allowed to create (or delete, modify) new VLAN. This switch is like the “master” of the whole VTP domain and it is operated in Server mode. This is also the default mode.

Other switches are only allowed to receive and forward updates from the “server” switch. They are operated in Client mode.

In some cases, the network manager doesn’t want a switch to learn VTP information from other switches. He can set it to Transparent mode. In this mode, a switch maintains its own VLAN database and never learn VTP information from other switches (even the server). However, it still forwards VTP advertisements from the server to other switches (but doesn’t read that update). A transparent switch can add, delete and modify VLAN database locally.

Now return to the example above, we can configure any switches as the “server” but for our convenience, the “Main Sw” should be assigned this function and we should place it in a safe place.

As said above, VTP advertisements bring VLAN information to all the switches in a VTP domain. Each VTP advertisement is sent with a Revision number. This number is used in order to determine whether the VTP advertisement is more recent than the current version of that switch. Because each time you make a VLAN change in a switch, the configuration revision is incremented by one. So the higher the revision number, the better your VTP advertisement.

For example, the first time the Main Sw sends a VTP advertisement, its Revision number is 1. When you add a new VLAN to the Main Sw, it will send a VTP advertisement with the Revision number of 2. Client switches first receive the VTP advertisement with the Revision number of 1, which is bigger than its current Revision number (0) so it updates its VLAN database. Next it receives the VTP advertisement with the Revision number of 2, it continues comparing with its current Revision number (1) -> it continues update its VLAN database.

One important thing you must know is when a switch receives a better VTP advertisement, it deletes its whole VTP information and copy the new information from the better VTP advertisement to its VLAN database. A switch does not try to compare its own VLAN database with information from the received VTP advertisements to find out and update the difference!

Note: VTP advertisements are sent as multicast frames and all neighbors in that domain receive the frames.

The “show vtp status” command analysis

The most important command to view the status of VTP on Cisco switches that each CCNA learners must grasp is the “show vtp status” command. Let’s have a look at the output of this command:

+ VTP Version: displays the VTP version the switch is running. By default, the switch runs version 1 but can be set to version 2. Within a domain, the two VTP versions are not interoperable so make sure to configure the same VTP version on every switch in a domain.
+ Configuration Revision: current Revision number on this switch.
+ Maximum VLANs Supported Locally: maximum number of VLANs supported locally.
+ Number of Existing VLANs: Number of existing VLANs.
+ VTP Operating Mode: can be server, client, or transparent.
+ VTP Domain Name: name that identifies the administrative domain for the switch.

By default, a switch operates in VTP Server mode with a NULL (blank) domain name with no password configured (the password field is not listed in the output)

+ VTP Pruning Mode: displays whether pruning is enabled or disabled. We will discuss about VTP Pruning later.
+ VTP V2 Mode: displays if VTP version 2 mode is enabled. VTP version 2 is disabled by default.
+ VTP Traps Generation: displays whether VTP traps are sent to a network management station.
+ MD5 Digest: a 16-byte checksum of the VTP configuration.
+ Configuration Last Modified: date and time of the last configuration modification. Displays the IP address of the switch that caused the configuration change to the database.

VTP Pruning

To understand what VTP Pruning is, let’s see an example:

When PC A sends a broadcast frame on VLAN 10, it travels across all trunk links in the VTP domain. Switches Server, Sw2, and Sw3 all receive broadcast frames from PC A. But only Sw3 has user on VLAN 10 and it is a waste of bandwidth on Sw2. Moreover, that broadcast traffic also consumes processor time on Sw2. The link between switches Server and Sw2 does not carry any VLAN 10 traffic so it can be “pruned”.

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. In the above example, Server switch doesn’t send broadcast frame to Sw2 because Sw2 doesn’t have ports in VLAN 10.

When a switch has a port associated with a VLAN, the switch sends an advertisement to its neighbors to inform that it has active ports on that VLAN. For example, Sw3 sends an advertisement to Server switch to inform that it has active port for VLAN 10. Sw2 has not advertised about VLAN 10 so Server switch will prune VLAN 10 on the trunk to Sw2.

You only need to enable pruning on one VTP server switch in the domain.

VTP Configuration

Main Sw(config)#vtp version 2
Main Sw(config)#vtp domain 9tut
Main Sw(config)#vtp mode server
Main Sw(config)#vtp password keepitsecret

On client switches

Client(config)#vtp version 2
Client(config)#vtp domain 9tut
Client(config)#vtp password keepitsecret
Client(config)#vtp mode client

Notice: Before configuring VTP make sure the links between your switches are trunk links. Your trunk link can automatically be formed if both of your switches are not 2960 or 3560 because ports on the 2960 and 3560 switches are set to dynamic auto by default. If both sides are set to dynamic auto, the link will remain in access mode. To configure trunk between these ports, use these commands:

Client(config)#interface fa0/1 (or the interface on the link you want to be trunk)
Client(config-if)#switchport mode trunk

These commands only need to be used on one of two switches to form the trunk.

Below summaries important notes about VTP:

+ Whenever a change occurs in the VLAN database, the VTP server increments its configuration revision number and then advertises the new revision throughout the VTP domain via VTP advertisements.
+ VTP operates in one of three modes: server, transparent, or client.

VTP modes:

* Server: The default mode. When you make a change to the VLAN configuration on a VTP server, the change is propagated to all switches in the VTP domain. VTP messages are transmitted out of all the trunk connections. In Server mode we can create, modify, delete VLANs.

* Client: cannot make changes to the VLAN configuration when in this mode; however, a VTP client can send any VLANs currently listed in its database to other VTP switches. VTP client also forwards VTP advertisements (but cannot create VTP advertisements).

* Transparent: When you make a change to the VLAN configuration in this mode, the change affects only the local switch and does not propagate to other switches in the VTP domain. VTP transparent mode does forward VTP advertisements that it receives within the domain.

VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN.

An administrator is trying to ping and telnet from Switch to Router with the results shown below:

Switch>
Switch> ping 10.4.4.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.4.3,timeout is 2 seconds:
.U.U.U
Success rate is 0 percent (0/5)
Switch>
Switch> telnet 10.4.4.3
Trying 10.4.4.3 …
% Destination unreachable; gateway or host down
Switch>

Click the console connected to Router and issue the appropriate commands to answer the questions.

Answer and Explanation

Note: If you are not sure about Access-list, please read my Access-list tutorial. You can also download this sim to practice (open with Packet Tracer) here: http://www.9tut.com/download/9tut.com_CCNA_Access_List_Sim.pkt

For this question we only need to use the show running-config command to answer all the questions below

Router>enable
Router#show running-config

Question 1:

Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?

A – Correctly assign an IP address to interface fa0/1
B – Change the ip access-group command on fa0/0 from “in” to “out”
C – Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
D – Remove access-group 102 out from interface s0/0/0 and add access-group 114 in
E – Remove access-group 106 in from interface fa0/0 and add access-group 104 in

Answer: E

Explanation:

Let’s have a look at the access list 104:

The question does not ask about ftp traffic so we don’t care about the two first lines. The 3rd line denies all telnet traffic and the 4th line allows icmp traffic to be sent (ping). Remember that the access list 104 is applied on the inbound direction so the 5th line “access-list 104 deny icmp any any echo-reply” will not affect our icmp traffic because the “echo-reply” message will be sent over the outbound direction.

Question 2:

What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?

A – Attempts to telnet to the router would fail
B – It would allow all traffic from the 10.4.4.0 network
C – IP traffic would be passed through the interface but TCP and UDP traffic would not
D – Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0 interface

Answer: B

Explanation:

From the output of access-list 114: access-list 114 permit ip 10.4.4.0 0.0.0.255 any we can easily understand that this access list allows all traffic (ip) from 10.4.4.0/24 network

Question 3:

What would be the effect of issuing the command access-group 115 in on the s0/0/1 interface?

A – No host could connect to Router through s0/0/1
B – Telnet and ping would work but routing updates would fail.
C – FTP, FTP-DATA, echo, and www would work but telnet would fail
D – Only traffic from the 10.4.4.0 network would pass through the interface

Answer: A

Explanation:

First let’s see what was configured on interface S0/0/1:

Recall that each interface only accepts one access-list, so when using the command “ip access-group 115 in” on the s0/0/1 interface it will overwrite the initial access-list 102. Therefore any telnet connection will be accepted (so we can eliminate answer C).
B is not correct because if telnet and ping can work then routing updates can, too.
D is not correct because access-list 115 does not mention about 10.4.4.0 network. So the most reasonable answer is A.

But here raise a question…

The wildcard mask of access-list 115, which is 255.255.255.0, means that only host with ip addresses in the form of x.x.x.0 will be accepted. But we all know that x.x.x.0 is likely to be a network address so the answer A: “no host could connect to Router through s0/0/1” seems right…

But what will happen if we don’t use a subnet mask of 255.255.255.0? For example we can use an ip address of 10.45.45.0 255.255.0.0, such a host with that ip address exists and we can connect to the router through that host. Now answer A seems incorrect!

Please comment if you have any idea for this sim!

Other lab-sims on this site:

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

CCNA Drag and Drop SIM

CCNA Implementation SIM

Solution

Note: If you are not sure how NAT & PAT work, please read my Network Address Translation NAT Tutorial. You can download a similar sim to practice here: http://www.9tut.com/download/9tut.com_CCNA_NAT_sim_question.zip

The company has 62 hosts that need to access the internet simultaneously but we just have 6 public IP addresses from 198.18.32.65 to 198.18.32.70/29 => we have to use NAT overload (or PAT)

Double click on PC1 to access Router1′s command line interface

Router1>enable
Router1#configure terminal

Create a NAT pool of global addresses to be allocated with their netmask (notice that /29 = 248)

Router1(config)#ip nat pool mypool 198.18.32.65 198.18.32.70 netmask 255.255.255.248

Create a standard access control list that permits the addresses that are to be translated

Router1(config)#access-list 1 permit 192.168.6.64 0.0.0.63

Establish dynamic source translation, specifying the access list that was defined in the prior step

Router1(config)#ip nat inside source list 1 pool mypool overload

This command translates all source addresses that pass access list 1, which means a source address from 192.168.6.65 to 192.168.6.126, into an address from the pool named mypool (the pool contains addresses from 198.18.32.65 to 198.18.32.70)

Overload keyword allows to map multiple IP addresses to a single registered IP address (many-to-one) by using different ports

The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements.

This is how to configure the NAT inside and NAT outside, just for your understanding:

Router1(config)#interface fa0/0
Router1(config-if)#ip nat inside

Router1(config-if)#exit

Router1(config)#interface s0/0
Router1(config-if)#ip nat outside

Before leaving Router1, you should save the configuration:

Router1(config)#end (or Router1(config-if)#end)
Router1#copy running-config startup-config

Check your configuration by going to PC2 and type:

C:\>ping 192.0.2.114

The ping should work well and you will be replied from 192.0.2.114

Other lab-sims on this site:

CCNA Access List Sim

CCNA NAT SIM Question 1

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

CCNA Drag and Drop SIM

CCNA Implementation SIM

Drag the appropriate device icons to the labeled Device
Drag the appropriate connections to the locations labeled Connections.
Drag the appropriate IP addresses to the locations labeled IP address

(Hint: use the given host addresses and Main router information)
To remove a device or connection, drag it away from the topology.

Use information gathered from the Main router to complete the configuration of any additional routers. No passwords are required to access the Main router. The config terminal command has been disabled for the HQ router. The router does not require any configuration.

Configure each additional router with the following:

Configure the interfaces with the correct IP address and enable the interfaces.
Set the password to allow console access to consolepw
Set the password to allow telnet access to telnetpw
Set the password to allow privilege mode access to privpw

Note: Because routes are not being added to the configurations, you will not be able to ping through the internetwork.
All devices have cable autosensing capabilities disabled.
All hosts are PC’s

Answer and explanation

Note: You can download this sim to practice here: http://www.9tut.com/download/9tut.com_CCNA_Implementation_question.zip

Specify appropriate devices and drag them on the “Device” boxes

For the device at the bottom-right box, we notice that it has 2 interfaces Fa0/2 and Fa0/4; moreover the link connects the PC on the right with the device on the bottom-right is a straight-through link -> it is a switch

The question stated that this topology contains 3 routers and 1 switch -> two other devices are routers

Place them on appropriate locations as following:

(Host D and host E will be automatically added after placing two routers. Click on them to access neighboring routers)

Specify appropriate connections between these devices:

+ The router on the left is connected with the Main router through FastEthernet interfaces: use a crossover cable
+ The router on the right is connected with the Main router through Serial interfaces: use a serial cable
+ The router on the right and the Switch: use a straight-through cable
+ The router on the left and the computer: use a crossover cable

(To remember which type of cable you should use, follow these tips:

- To connect two serial interfaces of 2 routers we use serial cable
– To specify when we use crossover cable or straight-through cable, we should remember:
Group 1: Router, Host, Server
Group 2: Hub, Switch
One device in group 1 + One device in group 2: use straight-through cable
Two devices in the same group: use crossover cable

For example: we use straight-through cable to connect switch to router, switch to host, hub to host, hub to server… and we use crossover cable to connect switch to switch, switch to hub, router to router, host to host… )

Assign appropriate IP addresses for interfaces:

From Main router, use show running-config command:

(Notice that you may see different IP addresses in the real CCNA exam, the ones shown above are just used for demonstration)

From the output we learned that the ip address of Fa0/0 interface of the Main router is 192.168.152.177/28. This address belongs to a subnetwork which has:

Increment: 16 (/28 = 255.255.255.240 or 1111 1111.1111 1111.1111 1111.1111 0000)
Network address: 192.168.152.176 (because 176 = 16 * 11 and 176 < 177)
Broadcast address: 192.168.152.191 (because 191 = 176 + 16 – 1)

And we can pick up an ip address from the list that belongs to this subnetwork: 192.168.152.190 and assign it to the Fa0/0 interface the router on the left

Use the same method for interface Serial0/0 with an ip address of 192.168.152.161

Increment: 16
Network address: 192.168.152.160 (because 160 = 16 * 10 and 160 < 161)
Broadcast address: 192.168.152.175 (because 176 = 160 + 16 – 1)

-> and we choose 192.168.152.174 for Serial0/0 interface of the router on the right

Interface Fa0/1 of the router on the left

IP (of the computer on the left) : 192.168.152.129/28

Increment: 16
Network address: 192.168.152.128 (because 128 = 16 * 8 and 128 < 129)
Broadcast address: 192.168.152.143 (because 143 = 128 + 16 – 1)

-> we choose 192.168.152.142 from the list

Interface Fa0/0 of the router on the right

IP (of the computer on the left) : 192.168.152.225/28

Increment: 16
Network address: 192.168.152.224 (because 224 = 16 * 14 and 224 < 225)
Broadcast address: 192.168.152.239 (because 239 = 224 + 16 – 1)

-> we choose 192.168.152.238 from the list

Let’s have a look at the picture below to summarize

Configure two routers on the left and right with these commands:

Router1 = router on the left

Assign appropriate IP addresses to Fa0/0 & Fa0/1 interfaces:

Router1>enable
Router1#configure terminal
Router1(config)#interface fa0/0
Router1(config-if)#ip address 192.168.152.190 255.255.255.240
Router1(config-if)#no shutdown

Router1(config-if)#interface fa0/1
Router1(config-if)#ip address 192.168.152.142 255.255.255.240
Router1(config-if)#no shutdown

Set passwords (configure on two routers)

+ Console password:

Router1(config-if)#exit
Router1(config)#line console 0
Router1(config-line)#password consolepw
Router1(config-line)#login
Router1(config-line)#exit

+ Telnet password:

Router1(config)#line vty 0 4
Router1(config-line)#password telnetpw
Router1(config-line)#login
Router1(config-line)#exit

+ Privilege mode password:

Router1(config)#enable password privpw

Save the configuration:

Router1(config)#exit
Router1#copy running-config startup-config

Configure IP addresses of Router2 (router on the right)

Router2>enable
Router2#configure terminal
Router2(config)#interface fa0/0
Router2(config-if)#ip address 192.168.152.238 255.255.255.240
Router2(config-if)#no shutdown

Router2(config-if)#interface serial0/0
Router2(config-if)#ip address 192.168.152.174 255.255.255.240
Router2(config-if)#no shutdown

and set console, telnet and privilege mode passwords for Router2 as we did for Router1, remember to save the configuration when you finished

Other lab-sims on this site:

CCNA Access List Sim

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

CCNA Drag and Drop SIM

After adding R3 router, no routing updates are being exchanged between R3 and the new location. All other inter connectivity and Internet access for the existing locations of the company are working properly.

The task is to identify the fault(s) and correct the router configuration to provide full connectivity between the routers.

Access to the router CLI can be gained by clicking on the appropriate host. All passwords on all routers are cisco.

IP addresses are listed in the chart below.

Answer and explanation

(Note: If you are not sure how EIGRP works, please read my EIGRP tutorial: http://www.9tut.com/eigrp-routing-protocol-tutorial. Note: You can download this sim to practice here: http://www.9tut.com/download/9tut.com_CCNA_EIGRP_sim_question.zip)

We should check the configuration of the new added router first because it does not function properly while others work well. From the command line interface of R3 router, enter the show running-config command

From the output above, we know that this router was wrongly configured with an autonomous number (AS) of 22. When the AS numbers among routers are mismatched, no adjacency is formed.

(You should check the AS numbers on other routers for sure)

To solve this problem, we simply re-configure router R3 with the following commands:

R3>enable (you have to enter cisco as its password here)

R3#configure terminal

R3(config)#no router eigrp 22

R3(config)#router eigrp 212

R3(config-router)#network 192.168.60.0

R3(config-router)#network 192.168.77.0

R3(config-router)#no auto-summary

R3(config-router)#end

R3#copy running-config startup-config

Check R1 router with the show running-config command:

Notice that it is missing a definition to the network R3. Therefore we have to add it so that it can recognize R3 router

R1>enable (you have to enter cisco as its password here)

R1#configure terminal

R1(config)#router eigrp 212

R1(config-router)#network 192.168.77.0

R1(config-router)#end

R1#copy running-config startup-config

Now the whole network will work well. You should check again with ping command from router R3 to other routers!

Modifications:

Maybe in this EIGRP Sim you will see the “passive-interface …” command somewhere in R1 configuration. If the link between R1 to R2 (or R3, r4) routers has the “passive interface” then we have to remove it with the “no passive-interface …” command because it prevents EIGRP update from being sent on that interface. But if the “passive interface” is applied to the link between R1 and ISP router then we just leave it. Don’t use the “no passive-interface s1/0″ on R1 because the link between R1 & ISP doesn’t need EIGRP to run on it. A static route from R1 to ISP & “ip default-network” command in R1 are the correct answers.

(Note: The “ip default-network” command in R1 will advertise the static route of R1 (to go to the Internet) to other routers (R2,R3,R4) so that they can access the Internet too). In the exam you will see these lines in R1 configuration:

!
ip default-network 198.0.18.0
ip route 0.0.0.0 0.0.0.0 198.0.18.5
!

If you want to learn more about “ip default-network” command please read: http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml

I read recent comments and realized that you will see the “passive-interface” in the link between R1 & ISP so just leave it.

Other lab-sims on this site:

CCNA Access List Sim

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA Drag and Drop SIM

CCNA Implementation SIM

IPv6 was created by the Internet Engineering Task Force (IETF), a standards body, as a replacement to IPv4 in 1998. So what happened with IPv5? IP Version 5 was defined for experimental reasons and never was deployed.

While IPv4 uses 32 bits to address the IP (provides approximately 2³² = 4,294,967,296 unique addresses – but in fact about 3.7 billion addresses are assignable because the IPv4 addressing system separates the addresses into classes and reserves addresses for multicasting, testing, and other specific uses), IPv6 uses up to 128 bits which provides 2¹²⁸ addresses or approximately 3.4 * 10³⁸ addresses. Well, maybe we should say it is extremely extremely extremely huge :)

IPv6 Address Types

A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)

IPv6 address format

Format:

x:x:x:x:x:x:x:x – where x is a 16 bits hexadecimal field and x represents four hexadecimal digits.
An example of IPv6:
2001:0000:5723:0000:0000:D14E:DBCA:0764

There are:
+ 8 groups of 4 hexadecimal digits.
+ Each group represents 16 bits (4 hexa digits * 4 bit)
+ Separator is “:”
+ Hex digits are not case sensitive, so “DBCA” is same as “dbca” or “DBca”…

IPv6 (128-bit) address contains two parts:
+ The first 64-bits is known as the prefix. The prefix includes the network and subnet address. Because addresses are allocated based on physical location, the prefix also includes global routing information. The 64-bit prefix is often referred to as the global routing prefix.
+ The last 64-bits is the interface ID. This is the unique address assigned to an interface.

Note: Addresses are assigned to interfaces (network connections), not to the host. Each interface can have more than one IPv6 address.

Rules for abbreviating IPv6 Addresses:

+ Leading zeros in a field are optional

2001:0DA8:E800:0000:0260:3EFF:FE47:0001 can be written as

2001:DA8:E800:0:260:3EFF:FE47:1

+ Successive fields of 0 are represented as ::, but only once in an address:

2001:0DA8:E800:0000:0000:0000:0000:0001 -> 2001:DA8:E800::1

Other examples:
– FF02:0:0:0:0:0:0:1 => FF02::1
– 3FFE:0501:0008:0000:0260:97FF:FE40:EFAB = 3FFE:501:8:0:260:97FF:FE40:EFAB = 3FFE:501:8::260:97FF:FE40:EFAB
– 0:0:0:0:0:0:0:1 => ::1
– 0:0:0:0:0:0:0:0 => ::

IPv6 Addressing In Use

IPv6 uses the “/” notation to denote how many bits in the IPv6 address represent the subnet.

The full syntax of IPv6 is

where
+ ipv6-address is the 128-bit IPv6 address
+ /prefix-length is a decimal value representing how many of the left most contiguous bits of the address comprise the prefix.

Let’s analyze an example:
2001:C:7:ABCD::1/64 is really
2001:000C:0007:ABCD:0000:0000:0000:0001/64
+ The first 64-bits 2001:000C:0007:ABCD is the address prefix
+ The last 64-bits 0000:0000:0000:0001 is the interface ID
+ /64 is the prefix length (/64 is well-known and also the prefix length in most cases)

In the next part, we will understand more about each prefix of an IPv6 address.

]]> http://www.9tut.com/ipv6-tutorial/feed 35 http://www.9tut.com/65-ccna-drag-and-drop-sim-question http://www.9tut.com/65-ccna-drag-and-drop-sim-question#comments Wed, 15 Jun 2011 10:34:22 +0000 9tutq http://www.9tut.com/?p=31 Question

You have been hired by Specialty Hardware Incorporated to document the layout of the network. Complete the following tasks: Complete the network topology shown in the graphic by dragging the labels below with the appropriate router types, interface types, and IP addresses to the graphic . Find the information you need by using the router console attached to the R-CENTER router.

Answer and explanation

Note: You can download this sim to practice here: http://www.9tut.com/download/9tut.com_CCNA_drag_and_drop_sim_question.pkt

This is the simplest lab question in four labs you see in the real CCNA exam. First we should identify the types of these routers by using the show cdp neighbors command:

There are 3 columns we should pay more attention to:

+ Local Interface: the interface on the device you are using “show cdp neighbors” command. In this case it is the interface of R-CENTER router

+ Platform: the platform of neighbor device

+ Port ID: the neighbor device’s port or interface on which the CDP packets are multicast

From the exhibit, the “Local Interface”, “Platform” and “Port ID” columns, we can identify where these four routers should be placed and their corresponding associated ports

Finally, use the show running-config command to find out the ip addresses of four interfaces on R-CENTER

And we can easily assign corresponding ip addresses to four neighbor routers, which are on the same network with R-CENTER router’s interfaces

Please remember in the real CCNA Exam the routers’ types, ip addresses and interfaces may be different! So make sure you understand how it works.

Other lab-sims on this site:

CCNA Access List Sim

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

CCNA Implementation SIM

To configure the router (R2-RC) click on the console host icon that is connected to a router by a serial console cable (shown in the diagram as a dashed black line)

CCNA Training Company recently installed a new router in their office. Complete the network installation by performing the initial router configurations and configuring RIPV2 routing using the router command line interface (CLI) on the R2-RC.

Name of the router is R2-RC
Enable-secret password is cisco1
The password to access user EXEC mode using the console is cisco2
The password to allow telnet access to the router is cisco3
IPV4 addresses must be configured as follows:
Ethernet network 209.165.202.128/27 – router has last assignable host address in subnet
Serial network is 192.0.2.16/28 – router has last assignable host address in the subnet. Interfaces should be enabled.
Router protocol is RIP V2

Solution

(Note: If you are not sure how RIP works, please read my RIP tutorial: http://www.9tut.com/rip-routing-protocol-tutorial. Note: You can download this sim to practice here: http://www.9tut.com/download/9tut.com_CCNA_RIP_Configuration.zip)

1) Name the router:

Router>enable
Router#configure terminal
Router(config)#hostname R2-RC

2) Set secret password:

R2-RC(config)# enable secret cisco1

3) Set password for the console:

R2-RC(config)#line console 0
R2-RC(config-line)#password cisco2
R2-RC(config-line)#login
R2-RC(config-line)#exit

4) Set the Telnet password:

R2-RC(config)#line vty 0 4
R2-RC(config-line)#password cisco3
R2-RC(config-line)#login
R2-RC(config-line)#exit

5) Assign IP address for Ethernet interface (Fa0/0):

The Ethernet network 209.165.202.128/27 has:

Increment:32 (/27 = 255.255.255.224 or 1111 1111.1111 1111.1111 1111.1110 0000)
Network address: 209.165.202.128
Broadcast address: 209.165.202.159 (because 128 + 32 – 1 = 159)

Therefore the last assignable host address in this subnet is 209.165.202.158 and we will assign it to Fa0/0 interface with these commands:

R2-RC(config)# interface fa0/0
R2-RC(config-if)#ip address 209.165.202.158 255.255.255.224
R2-RC(config-if)#no shutdown
R2-RC(config-if)#exit

6) Assign IP address for Serial interface (S0/0/0):

Serial network 192.0.2.16/28 has:

Increment:16 (/28 = 255.255.255.240 or 1111 1111.1111 1111.1111 1111.1111 0000)
Network address: 192.0.2.16
Broadcast address: 192.0.2.31 (because 16 + 16 – 1 = 31)

So the last assignable host address in this subnet is 192.0.2.30. Finally we assign it to s0/0/0 interface:

R2-RC(config)# interface s0/0/0
R2-RC(config-if)#ip address 192.0.2.30 255.255.255.240
R2-RC(config-if)#no shutdown
R2-RC(config-if)#exit

7) Configure RIP v2 routing protocol:

R2-RC(config)#router rip
R2-RC(config-router)#version 2
R2-RC(config-router)#network 209.165.202.0
R2-RC(config-router)#network 192.0.2.0
R2-RC(config-router)#end
R2-RC#copy running-config startup-config

Note: We should use classful networks (209.165.202.0 & 192.0.2.0) when configuring RIP. If we use detailed networks (209.165.202.128 & 192.0.2.16) the router will automatically convert them into classful networks.

A network associate is configuring a router for the CCNA Training company to provide internet access. The ISP has provided the company six public IP addresses of 198.18.184.105 198.18.184.110. The company has 14 hosts that need to access the internet simultaneously. The hosts in the CCNA Training company LAN have been assigned private space addresses in the range of 192.168.100.17 – 192.168.100.30.

The task is to complete the NAT configuration using all IP addresses assigned by the ISP to provide Internet access for the hosts in the Weaver LAN. Functionality can be tested by clicking on the host provided for testing.

Configuration information
router name – Weaver
inside global addresses – 198.18.184.105 198.18.184.110/29
inside local addresses – 192.168.100.17 – 192.168.100.30/28
number of inside hosts – 14

Solution

Note: If you are not sure how NAT & PAT work, please read my Network Address Translation NAT Tutorial. You can download this sim to practice here: http://www.9tut.com/download/9tut.com_CCNA_NAT_sim_question.zip

The CCNA Training company has 14 hosts that need to access the internet simultaneously but we just have 6 public IP addresses from 198.18.184.105 to 198.18.184.110/29. Therefore we have to use NAT overload (or PAT)

Double click on the Weaver router to open it

Router>enable
Router#configure terminal

First you should change the router’s name to Weaver

Router(config)#hostname Weaver

Create a NAT pool of global addresses to be allocated with their netmask (/29 = 255.255.255.248). There were reports that the simulator in the real exam did not accept “prefix-length” keryword so you should use “netmask” keyword.

Weaver(config)#ip nat pool mypool 198.18.184.105 198.18.184.110 netmask 255.255.255.248

Create a standard access control list that permits the addresses that are to be translated

Weaver(config)#access-list 1 permit 192.168.100.16 0.0.0.15

Establish dynamic source translation, specifying the access list that was defined in the prior step

Weaver(config)#ip nat inside source list 1 pool mypool overload

This command translates all source addresses that pass access list 1, which means a source address from 192.168.100.17 to 192.168.100.30, into an address from the pool named mypool (the pool contains addresses from 198.18.184.105 to 198.18.184.110)

Overload keyword allows to map multiple IP addresses to a single registered IP address (many-to-one) by using different ports

The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements.

This is how to configure the NAT inside and NAT outside, just for your understanding:

Weaver(config)#interface fa0/0
Weaver(config-if)#ip nat inside

Weaver(config-if)#exit

Weaver(config)#interface s0/0
Weaver(config-if)#ip nat outside
Weaver(config-if)#end

Finally, we should save all your work with the following command:

Weaver#copy running-config startup-config

Check your configuration by going to “Host for testing” and type:

C:\>ping 192.0.2.114

The ping should work well and you will be replied from 192.0.2.114

Other lab-sims on this site:

CCNA NAT SIM Question 1

CCNA NAT SIM Question 2

CCNA Frame Relay Sim

CCNA Configuration SIM Question (RIPv2 SIM)

CCNA VTP SIM

CCNA EIGRP LAB

CCNA Drag and Drop SIM

CCNA Implementation SIM

Rapid Spanning Tree Protocol (RSTP)

One big disadvantage of STP is the low convergence which is very important in switched network. To overcome this problem, in 2001, the IEEE with document 802.1w introduced an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol (RSTP), which significantly reduces the convergence time after a topology change occurs in the network. While STP can take 30 to 50 seconds to transit from a blocking state to a forwarding state, RSTP is typically able to respond less than 10 seconds of a physical link failure.

RSTP works by adding an alternative port and a backup port compared to STP. These ports are allowed to immediately enter the forwarding state rather than passively wait for the network to converge.

RSTP bridge port roles:

* Root port – A forwarding port that is the closest to the root bridge in terms of path cost
* Designated port – A forwarding port for every LAN segment
* Alternate port – A best alternate path to the root bridge. This path is different than using the root port. The alternative port moves to the forwarding state if there is a failure on the designated port for the segment.
* Backup port – A backup/redundant path to a segment where another bridge port already connects. The backup port applies only when a single switch has two links to the same segment (collision domain). To have two links to the same collision domain, the switch must be attached to a hub.
* Disabled port – Not strictly part of STP, a network administrator can manually disable a port

Now let’s see an example of three switches below:

Suppose all the switches have the same bridge priority so the switch with lowest MAC address will become root bridge -> Sw1 is the root bridge and therefore all of its ports will be Designated ports (forwarding).

Two ports fa0/0 on Sw2 & Sw3 are closest to the root bridge (in terms of path cost) so they will become root ports.

On the segment between Sw2 and Sw3, because Sw2 has lower MAC than Sw3 so it will advertise better BPDU on this segment -> fa0/1 of Sw2 will be Designated port and fa0/1 of Sw3 will be Alternative port.

Now for the two ports connecting to the hub, we know that there will have only one Designated port for each segment (notice that the two ports fa0/2 & fa0/3 of Sw2 are on the same segment as they are connected to a hub). The other port will be Backup port according to the definition of Backup port above. But how does Sw2 select its Designated and Backup port? The decision process involves the following parameters inside the BPDU:

* Lowest path cost to the Root
* Lowest Sender Bridge ID (BID)
* Lowest Port ID

Well, both fa0/2 & fa0/3 of Sw2 has the same “path cost to the root” and “sender bridge ID” so the third parameter “lowest port ID” will be used. Because fa0/2 is inferior to fa0/3, Sw2 will select fa0/2 as its Designated port.

Note: Alternative Port and Backup Port are in discarding state.

RSTP Port States:

There are only three port states left in RSTP that correspond to the three possible operational states. The 802.1D disabled, blocking, and listening states are merged into the 802.1w discarding state.

* Discarding – the port does not forward frames, process received frames, or learn MAC addresses – but it does listen for BPDUs (like the STP blocking state)
* Learning – receives and transmits BPDUs and learns MAC addresses but does not yet forward frames (same as STP).
* Forwarding – receives and sends data, normal operation, learns MAC address, receives and transmits BPDUs (same as STP).

Although the learning state is also used in RSTP but it only takes place for a short time as compared to STP. RSTP converges with all ports either in forwarding state or discarding state.

RSTP Quick Summary:

RSTP provides faster convergence than 802.1D STP when topology changes occur.
* RSTP defines three port states: discarding, learning, and forwarding.
* RSTP defines five port roles: root, designated, alternate, backup, and disabled.

Some labs and questions in ICND1 & ICND2 are similar to the composite CCNA exam so it is a good way to test yourself with different IP addresses and subnet masks on both sites. I also added some new CCNA 640-802 questions in this site. Hope you will enjoy this new site and good luck to all in your exam!

(Note: the terms bridge, switch are used interchangeably when discussing STP)

To prevent bridging loops, the IEEE 802.1d committee defined a standard called the spanning tree algorithm (STA), or spanning tree protocol (STP). Spanning-Tree Protocol is a link management protocol that provides path redundancy while preventing undesirable loops in the network. For an Ethernet network to function properly, only one active path can exist between two stations.

Let’s see a situation when there is no loop-avoidance process in operation. Suppose you have two switches connected with redundant links. One switch connected to PC A and the other switch connected to PC B.

Now PC A wants to talk to PC B. It then sends a broadcast, say an Address Resolution Protocol (ARP) to find out where the location of PC B, the green arrow shows a broadcast frame sent by PC A.

When the switch A receives a broadcast frame, it forwards that frame to all ports except the port where it receives the request -> SwA forwards that ARP frame out of fa0/0 and fa0/1 ports.

Suppose SwB receives the broadcast frame from fa0/0 first then it will forward that frame to the two other links ( fa0/1 and fa0/5 of SwB).

The other broadcast frame from SwA comes to fa0/1 of SwB so SwB forwards it to fa0/0 and fa0/5.

As you can see, SwA has sent 2 broadcast frames out of its fa0/0 and fa0/1, SwB receives each of them, creates 2 copies and sends one of them back to SwA (the other is sent to PC B).

When SwA receives these broadcast frames it continues broadcasting them again to its other interfaces, this will keep going on forever until you shutdown the network. This phenomenon is called a broadcast storm.

Broadcast storm consumes entire bandwidth and denies bandwidth for normal network traffic. Broadcast storm is a serious network problem and can shut down entire network in seconds.

Other problems:

Multiple frame transmission: Multiple copies of unicast frames may be delivered to destination stations. Many protocols expect to receive only a single copy of each transmission. Multiple copies of the same frame can cause unrecoverable errors. In the above example, if the first frame is not a ARP broadcast but a unicast and SwA and SwB haven’t learned about the destination in that frame yet then they flood the frame on all ports except the originating port. The same phenomenon occurs and PC B will receive more than one copy of that frame.

MAC Database Instability: MAC database instability results when multiple copies of a frame arrive on different ports of a switch. We can see it in the above example too when the two ports on SwB (fa0/0 and fa0/1) receive the same frame.

Now you learned about problems when there is no looping-avoidance mechanism running on the network. All of these problems can be solved with the Spanning Tree Protocol (STP)

STP prevents loop by blocking one of switch’s port. For example, by blocking port fa0/0 of SwA, no data traffic is sent on this link and the loop in the network is eliminated.

But how STP decides which port should be blocked. The whole process is more complex than what is shown above. We will learn it in the next part.

]]> http://www.9tut.com/spanning-tree-protocol-stp-tutorial/feed 36 http://www.9tut.com/configure-nat-gns3-lab http://www.9tut.com/configure-nat-gns3-lab#comments Tue, 24 May 2011 15:24:28 +0000 9tutq http://www.9tut.com/?p=578 In this article we will demonstrate how to configure NAT using GNS3

Note: If you are not sure about NAT, please read my Network Address Translation NAT Tutorial

To configure static NAT we need to complete these tasks:
* Define the router’s interfaces as inside or outside:
R0uter(config-if)#ip nat inside (or ip nat outside)

* Define static mapping between the inside address and the outside address:
R0uter(config)#ip nat inside source static

+ Static NAT:

To make everything clear, we will configure static NAT in GNS3. Open your GNS3 and build a topology like this:

(IOS used: c2600-bin-mz.123-6f.bin but you can use other versions)

We should use 3 routers in this topology but I want to save some RAM and demonstrate how to ping from the loopback interface so I only use two :) Therefore we should configure the loopback interface of R0 as the source IP address and the fa0/0 interface of R0 as the “outgoing static NAT” address.

R0#configure terminal
R0(config)#int loopback0
R0(config-if)#ip address 10.0.0.1 255.0.0.0
R0(config-if)#ip nat inside

R0(config-if)#int f0/0
R0(config-if)#ip address 200.0.0.1 255.255.255.0
R0(config-if)#no shutdown
R0(config-if)#ip nat outside
R0(config-if)#exit

Finally, we have to tell the router to translate my private IP 10.0.0.1 to public IP 200.0.0.2 so that I can go to the Internet!

R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2

In R1 we just assign the IP address and no shut its interface.

R1#config terminal
R1(config)#int f0/0
R1(config-if)#ip address 200.0.0.10 255.255.255.0
R1(config-if)#no shutdown

Check if all things are right or not:

R0#show ip nat translations

In this article we don’t use a host attached to R0 so if we want to test our NAT configuration we have to ping from R0′s loopback interface by using the ping extended command:

We can use the extended ping command by typing only “ping” at the privileged mode, specify the “target IP address” and type “y” at the “Extended commands” and specify the “source address or interface” at shown below:

To approve NAT works well we can disable static NAT with the following command

R0(config)#no ip nat inside source static 10.0.0.1 200.0.0.2

Now if we use the extended ping command (without NAT configured):

-> We can’t ping from the loopback interface.

Download static NAT configuration: http://www.9tut.com/download/NAT_static_CCNA_self_study.zip

+ Dynamic NAT:

To configure dynamic NAT we need to complete these tasks:

* Define a pool of addresses (public IP) to be used for dynamic NAT allocation

Router(config)#ip nat pool pool_name start_ip end_ip { netmask netmask | prefix-length prefix-length }

* Configure a standard access control list to define what internal traffic will be translated

Router(config)#access-list access-list-number permit source [source-wildcard]

Link the access list to the NAT pool

Router(config)#ip nat inside source list access-list-number pool pool_name

Router(config-if)# ip nat inside (on fa0/0, for example)
Router(config-if)#ip nat outside (on fa0/1, for example)

* Dynamic NAT configuration example:

RouterA(config)# access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)# ip nat pool PoolforNAT 200.23.123.6 200.23.123.10 netmask 255.255.255.0
RouterA(config)# ip nat inside source list 1 pool PoolforNAT

Note: In the above command, the word “inside” means “I want to NAT from inside to outside”; “list 1″ means “the source IP addresses to NAT are included in Access-list 1″; “pool PoolforNAT” means “NAT to the IP addresses specified in PoolforNAT”.

RouterA(config)# int loopback0
RouterA(config-if)# ip nat inside

RouterA(config-if)# int fa0/0
RouterA(config-if)# ip nat outside

Configure PAT (NAT Overload)

* Configure a standard access list to define what internal traffic will be translated
* Link the access list to the interface to be used for PAT
* Define interfaces as either inside or outside

PAT router commands
RouterA(config)# access-list 1 permit 192.168.0.0 0.0.0.255
RouterA(config)# ip nat inside source list 1 interface fa0/0 overload

(Notice the “interface fa0/0″ means “NAT out of this interface” and the keyword overload for PAT in the above command)

RouterA(config)# interface fa0/0
RouterA(config-if)# ip nat outside

RouterA(config-if)# interface loopback0
RouterA(config-if)# ip nat inside

“NAT allows a host that does not have a valid registered IP address to communicate with other hosts through the Internet”

For example your computer is assigned a private IP address of 10.0.0.9 and of course this address can not be routed on the internet but you can still access the internet. This is because your router (or modem) translates this address into a public IP address, 123.12.23.1 for example, before routing your data into the internet.

Of course when your router receives a reply packet destined for 123.12.23.1 it will convert back to your private IP 10.0.0.9 before sending that packet to you.

Maybe you will ask “hey, I don’t see any difference of using NAT to save tons of IP addresses because you still need a public IP address for each host to access the Internet and it doesn’t save you anything, why you need to use NAT?”

Ok, you are right :), in the above example we don’t see its usefulness but you now understand the fundamental of NAT!

Let’s take another example!

Suppose your company has 500 employees but your Internet Service Provider (ISP) only gives you 50 public IP addresses. It means that you can only allow 50 hosts to access the internet at the same time. Here NAT comes to save your life!

One thing you should notice that in real life, not all of your employees uses internet at the same time. Say, maybe 50 of them use internet to read newspaper at the morning; 50 others use internet at noon for checking mail… By using NAT you can dynamically assign these 50 public IP addresses to those who really need them at that time. This is called dynamic NAT.

But the above NAT solution does not solve our problem completely because in some days there can be more than 50 people surfing web at the morning. In this case, only the first 50 people can access internet, others must wait to their turns.

Another problem is, in fact, your ISP only gives you much lesser IP addresses than the number 50 because each public IP is very precious now.

To solve the two problems above, another feature of NAT can be used: NAT Overload or sometimes called Port Address Translation (PAT)

PAT permits multiple devices on a local area network (LAN) to be mapped to a single public IP address with different port numbers. Therefore, it’s also known as port address translation (PAT). When using PAT, the router maintains unique source port numbers on the inside global IP address to distinguish between translations. In the below example, each host is assigned to the same public IP address 123.1.1.1 1 but with different port numbers (from 1000 to 1002).

Note: Cisco uses the term inside local for the private IP addresses and inside global for the public IP addresses replaced by the router.

The outside host IP address can also be changed with NAT. The outside global address represents the outside host with a public IP address that can be used for routing in the public Internet.

The last term, outside local address, is a private address of an external device as it is referred to by devices on its local network. You can understand outside local address as the inside local address of the external device which lies at the other end of the Internet.

Maybe you will ask how many ports can we use for each IP? Well, because the port number field has 16 bits, PAT can support about 2¹⁶ ports, which is more than 64,000 connections using one public IP address.

Now you has learned all the most useful features of NAT but we should summary all features of NAT:

There are two types of NAT translation: dynamic and static.

Static NAT: Designed to allow one-to-one mapping between local and global addresses. This flavor requires you to have one real Internet IP address for every host on your network.

Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from a pool of registered IP addresses. You don’t have to statically configure your router to map an inside to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets through the Internet. With dynamic NAT, you can configure the NAT router with more IP addresses in the inside local address list than in the inside global address pool. When being defined in the inside global address pool, the router allocates registered public IP addresses from the pool until all are allocated. If all the public IP addresses are already allocated, the router discards the packet that requires a public IP address.

PAT (NAT Overloading): is also a kind of dynamic NAT that maps multiple private IP addresses to a single public IP address (many-to-one) by using different ports. Static NAT and Dynamic NAT both require a one-to-one mapping from the inside local to the inside global address. By using PAT, you can have thousands of users connect to the Internet using only one real global IP address. PAT is the technology that helps us not run out of public IP address on the Internet. This is the most popular type of NAT.

Besides NAT gives you the option to advertise only a single address for your entire network to the outside world. Doing this effectively hides the internal network from the public world really well, giving you some additional security for your network.

NAT terms:

* Inside local address – The IP address assigned to a host on the inside network. The address is usually not an IP address assigned by the Internet Network Information Center (InterNIC) or service provider. This address is likely to be an RFC 1918 private address.
* Inside global address – A legitimate IP address assigned by the InterNIC or service provider that represents one or more inside local IP addresses to the outside world.
* Outside local address – The IP address of an outside host as it is known to the hosts on the inside network.
* Outside global address – The IP address assigned to a host on the outside network. The owner of the host assigns this address.

To learn how to configure NAT please read my Configure NAT GNS3 Lab tutorial

Privacy Policy:

• Google, as a third party vendor, uses cookies to serve ads on your site.
• Google’s use of the DART cookie enables it to serve ads to your users based on their visit to your sites and other sites on the Internet.
• Users may opt out of the use of the DART cookie by visiting the Google ad and content network privacy policy.

We respect your privacy and we are committed to safeguarding your privacy while online at our site The following discloses the information gathering and dissemination practices for this Web site.

Log Files

Like most standard Web site servers we use log files. This includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time stamp, and number of clicks to analyze trends, administer the site, track user’s movement in the aggregate, and gather broad demographic information for aggregate use. IP addresses, etc. are not linked to personally identifiable information.

Cookies

A cookie is a piece of data stored on the user’s computer tied to information about the user. Our site don’t use cookies. However, Some of our business partners use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies, once we have given permission for them to set cookies for advertising.

Links

This Web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every Web site that collects personally identifiable information. This privacy statement applies solely to information collected by this Web site.

Advertisers

We use outside ad companies to display ads on our site. These ads may contain cookies and are collected by our ad companies, and we do not have access to this information. We work with the ad companies: Google Adsense. Please check their websites for respective privacy policies.

Note: If you are not sure about how to use Access list, please read my Access list tutorial

Question 1

Your boss is learning a CCNA training course, refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two)

access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
access-list 101 permit ip any any

A. source ip address: 192.168.15.5; destination port: 21
B. source ip address: 192.168.15.37 destination port: 21
C. source ip address: 192.168.15.41 destination port: 21
D. source ip address: 192.168.15.36 destination port: 23
E. source ip address: 192.168.15.46; destination port: 23
F. source ip address: 192.168.15.49 destination port: 23

Answer: D E

Explanation

First we notice that telnet uses port 23 so only D, E & F can satisfy this requirement.

The purpose of this access-list is to deny traffic from network 192.168.15.32 255.255.255.240 (to find out the subnet mask just convert all bit “0″ to “1″ and all bit “1″ to “0″ of the wildcard mask) to telnet to any device. So we need to figure out the range of this network to learn which ip address will be denied.

Increment: 16
Network address: 192.168.15.32
Broadcast address: 192.168.15.47

-> Only 192.168.15.36 (Answer D) & 192.168.15.46 (Answer E) belong to this range so they are the correct answer.

Question 2

Refer to the graphic. It has been decided that PC1 should be denied access to Server. Which of the following commands are required to prevent only PC1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

A – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 out
B – Router(config)# interface fa0/0
Router(config-if)# ip access-group 101 in
C – Router(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
Router(config)# access-list 101 permit ip any any
D – Router(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
Router(config)# access-list 101 permit ip any any

Answer: B C

Question 3

Refer to the exhibit. Why would the network administrator configure RA in this manner?

A. to give students access to the Internet
B. to prevent students from accessing the command prompt of RA
C. to prevent administrators from accessing the console of RA
D. to give administrators access to the Internet
E. to prevent students from accessing the Internet
F. to prevent students from accessing the Admin network

Answer: B

Explanation

Although the access-list is used to “permit” network 10.1.1.0/24 but the best answer here is “to prevent students from accessing the command prompt of RA”. From the picture above, we know that 10.1.1.0/24 is the “Admin” network. This access list is applied to “line vty 0 4″ so it will permit only Telnet traffic from “Admin” to RA while drop all other traffic (because of the implicit “deny all” command at the end of the access list). Therefore we can deduce that it will “prevent students from accessing the command prompt of RA”.

This access list only filters Telnet traffic (because it is applied to vty line) so it will not prevent or allow anyone to access the Internet -> A, D, E are not correct.

C is not correct as this access list allows administrators to access the console of RA.

F is not correct as this access list does not proceed TCP, UDP or IP traffic so the students still access the Admin network.

(Notice that the “command prompt” here implies telnet as telnet is the only way to remotely access RA)

Question 4

An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

A. access-list 10 permit 172.29.16.0 0.0.0.255
B. access-list 10 permit 172.29.16.0 0.0.1.255
C. access-list 10 permit 172.29.16.0 0.0.3.255
D. access-list 10 permit 172.29.16.0 0.0.15.255
E. access-list 10 permit 172.29.0.0 0.0.255.255

Answer: C

Explanation

Four statements above allow 4 networks (from 172.29.16.0/24 to 172.29.19.0/24) to go through so we can summary them as network 172.29.16.0/22.

/22 = 255.255.252.0 so it equals 0.0.3.255 when converting into wildcard mask -> C is correct.

A, B, D are not correct as their wildcard masks are false. For example:
Answer A allows from 172.29.16.0 to 172.29.16.255
Answer B allows from 172.29.16.0 to 172.29.17.255
Answer D allows from 172.29.16.0 to 172.29.31.255

Both the network address and wildcard mask of answer E are false as it allows the whole major network 172.29.0.0/16 to go through.

Question 5

A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

A – access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
B – access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any
C – access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21
access-list 1 permit ip any any
D – access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

Answer: A

Explanation:

First the question asks to block only Telnet access so the port we have to use is 23 -> C is not correct.

Next we need to block traffic from hosts on the subnet 192.168.1.128/28, which is 192.168.1.128 0.0.0.15 if we convert to wildcard mask (just invert all bits of the subnet mask,from 0 to 1 and from 1 to 0 we will get the equivalent wildcard mask of that subnet mask) -> so B is incorrect

In this case, we have to use extended access list because we need to specify which type of traffic (TCP) and which port (23) we want to block -> so D is incorrect because it uses standard access list.

Question 6

As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which the following command would implement the access list on the interface of the R2 router?

A – access-list 101 in
B – access-list 101 out
C – ip access-group 101 in
D – ip access-group 101 out

Answer: C

Question 7

The following access list below was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access lists affect traffic?

A – FTP traffic from 192.169.1.22 will be denied
B – No traffic, except for FTP traffic will be allowed to exit E0
C – FTP traffic from 192.169.1.9 to any host will be denied
D – All traffic exiting E0 will be denied
E – All FTP traffic to network 192.169.1.9/29 will be denied

Answer: D

Explanation:

There is always an implicit “deny all” command at the end of every access list, so if an access list doesn’t have any “permit” command, it will block all the traffic. If we use the command “access-list 135 permit ip any any” at the end of this access list then the answer should be C – FTP traffic from 192.169.1.9 to any host will be denied.

Question 8

The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two)

A – from host PC1 to host 5.1.1.10
B – from host PC1 to host 5.1.3.10
C – from host PC2 to host 5.1.2.10
D – from host PC2 to host 5.1.3.8

Answer: B D

Explanation

Below is the simple syntax of an extended access list:

access-list access-list-number {deny | permit} {ip|tcp|udp|icmp} source [source-mask] dest [dest-mask] [eq dest-port]

Notice that this access list is applied to the Ethernet interface of R1 in the “in direction” so in this case, it will filter all the packets originated from E1 network (host PC1 and PC2) with these parameters:

Source network: 5.1.1.8 0.0.0.3 which means 5.1.1.8/252 (just invert all the wildcard bits to get the equivalent subnet mask) -> Packets from 5.1.1.8 to 5.1.1.11 will be filtered.

Destination network: 5.1.3.0 0.0.0.255 which means 5.1.3.0/24-> Packets to 5.1.3.0/24 will be filtered

Therefore packets originated from 5.1.1.8 to 5.1.1.11 and have the destination to the host 5.1.3.x (via Telnet) will be denied.

Question 9

The following configuration line was added to router R1

Access-list 101 permit ip 10.25.30.0 0.0.0.255 any

What is the effect of this access list configuration?
A – permit all packets matching the first three octets of the source address to all destinations
B – permit all packet matching the last octet of the destination address and accept all source addresses
C – permit all packet matching the host bits in the source address to all destinations
D – permit all packet from the third subnet of the network address to all destinations

Answer: A

Note: If you are not sure about Access list, please read my Access list tutorial.

Question 1

Refer to the exhibit. What will happen to HTTP traffic coming from the Internet that is destined for 172.16.12.10 if the traffic is processed by this ACL?

A. Traffic will be dropped per line 30 of the ACL.
B. Traffic will be accepted per line 40 of the ACL.
C. Traffic will be dropped, because of the implicit deny all at the end of the ACL.
D. Traffic will be accepted, because the source address is not covered by the ACL.

Answer: C

Explanation

The syntax of an extended access list is:

access-list access-list-number {permit | deny} protocol source {source-mask} destination {destination-mask} [eq destination-port]

Notice that in our access list, the network 172.16.0.0 0.0.255.255 is specified as the source but the question asks about “HTTP traffic coming from the Internet that is destined for 172.16.12.10″, which means 172.16.0.0 0.0.255.255 is the destination network. So in this case there is no match in our access list and the traffic will be dropped because of the implicit deny all at the end of the ACL. It is surely a tricky question!

Question 2

Refer to the exhibit. Which statement describes the effect that the Router1 configuration has on devices in the 172.16.16.0 subnet when they try to connect to SVR-A using Telnet or SSH?

A. Devices will not be able to use Telnet or SSH.
B. Devices will be able to use SSH, but not Telnet.
C. Devices will be able to use Telnet, but not SSH.
D. Devices will be able to use Telnet and SSH.

Answer: B

Explanation

Let’s analyze the access list 100:

+ 10 permit tcp 172.16.16.0 0.0.0.15 host 172.16.48.63 eq 22: allows TCP traffic from network 172.16.16.0/28 to access host 172.16.48.63 with a destination port of 22 (SSH)
+ 20 permit tcp 172.16.16.0 0.0.0.15 eq telnet host 172.16.48.63: allows TCP traffic from network 172.16.16.0/28 with a source port of 23 (telnet) to access host 172.16.48.63

Notice that if a device wants to telnet (or SSH) to SVR-A server it must use the destination port of 23 (or 22), not a source port of 23 (or 22).

Access list 100 is applied on the inbound direction of Fa0/0 so it will only filter traffic from 172.16.16.0 subnet to the SVR-A server.

Access list 101 is very similar to access list 100 but it is applied on the inbound direction of Fa0/1 so it will filter traffic from SVR-A server to 172.16.16.0 subnet. In ACL 101:

+ 10 permit tcp host 172.16.48.63 eq 22 172.16.16.0 0.0.0.15: allows TCP traffic from host 172.16.48.63 with a source port of 22 (SSH) to access network 172.16.16.0/28.
+ 20 permit tcp host 172.16.48.63 172.16.16.0 0.0.0.15 eq telnet: allows TCP traffic from host 172.16.48.63 to access network 172.16.16.0/28 with a destination port of telnet.

Notice that the returned traffic from SVR-A to network 172.16.16.0/28 (resulting from telnet or SSH session) will have a source port of 23 (Telnet) or 22 (SSH)

In conclusion, the first statements of each ACL will allow devices to “SSH” to SVR-A. But they can’t telnet because of the implicit deny all at the end of the ACL.

In this question, the second statements of each ACL can be considered “wrong” if we intend to filter telnet or SSH traffic and they have no effect on the Telnet or SSH traffic.

Question 3

Refer to the exhibit. Which three variables (router, protocol port, and router ACL direction) apply to an extended ACL that will prevent student 01 from securely browsing the internet?

A. OUT
B. Router 3
C. HTTPS
D. IN
E. Router 1

Answer: B C D

Explanation

There are 3 routers we can place this access list: Router 1, Router Main and Router 3 but in theory, an extended access list should be placed close to the source -> Router 3 is the best choice -> B is correct.

The traffic we need to filter here is “securely browsing the internet” so it is HTTPS -> C is correct.

Finally we should apply this access list to the inbound direction so that Router 3 will filter this traffic before making routing decision. It helps save processing resources on Router 3 -> D is correct.

Question 4

Which two statements apply to dynamic access lists? (choose two)

A. they offer simpler management in large internetworks.
B. you can control logging messages.
C. they allow packets to be filtered based on upper-layer session information.
D. you can set a time-based security policy.
E. they provide a level of security against spoofing.
F. they are used to authenticate individual users.

Answer: A F

Explanation

Dynamic ACLs have the following security benefits over standard and static extended ACLs:
+ Use of a challenge mechanism to authenticate individual users
+ Simplified management in large internetworks
+ In many cases, reduction of the amount of router processing that is required for ACLs
+ Reduction of the opportunity for network break-ins by network hackers
+ Creation of dynamic user access through a firewall, without compromising other configured security restrictions

(Reference: CCNA Exploration 4 – Dynamic ACLs)

Question 5

Which command shows if an access list is assigned to an interface?

A. show ip interface [interface] access-lists
B. show ip access-lists interface [interface]
C. show ip interface [interface]
D. show ip access-lists [interface]

Answer: C

Explanation

The output of “show ip interface [interface]” command is shown below:

In the output we can see the access list 1 is applied to this interface on inbound direction.

Question 6

Which item represents the standard IP ACL?

A. access-list 50 deny 192.168.1.1 0.0.0.255
B. access-list 110 permit ip any any
C. access-list 2500 deny tcp any host 192.168.1.1 eq 22
D. access-list 101 deny tcp any host 192.168.1.1

Answer: A

Explanation

The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access list.

Question 7

Which statement about access lists that are applied to an interface is true?

A. you can apply only one access list on any interface
B. you can configure one access list, per direction, per layer 3 protocol
C. you can place as many access lists as you want on any interface
D. you can configure one access list, per direction, per layer 2 protocol

Answer: B

Explanation

We can have only 1 access list per protocol, per direction and per interface. It means:

+ We can not have 2 inbound access lists on an interface
+ We can have 1 inbound and 1 outbound access list on an interface

Question 8

A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?

A. reflexive
B. extended
C. standard
D. dynamic

Answer: D

Explanation

We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

Question 9

Which parameter standard access list takes into consideration for traffic filtering decisions?

A. Source MAC address
B. Destination IP address
C. Destination MAC address
D. Source IP address

Answer: D

Question 10

In which solution is a router ACL used?

A. protecting a server from unauthorized access
B. controlling path selection, based on the route metric
C. reducing router CPU utilization
D. filtering packets that are passing through a router

Answer: D

If you are not sure about Frame Relay, please read my Frame Relay tutorial.

Question 1

The command frame-relay map ip 10.121.16.8 102 broadcast was entered on the router. Which of the following statements is true concerning this command?

A: This command should be executed from the global configuration mode.

B: The IP address 10.121.16.8 is the local router port used to forward data.

C: 102 is the remote DLCI that will receive the information.

D: This command is required for all Frame Relay configurations.

E: The broadcast option allows packets, such as RIP updates, to be forwarded across the PVC.

Correct Answers: E

Explanation:

The command frame-relay map ip 10.121.16.8 102 broadcast means to mapping the distal IP 10.121.16.8 102 to the local DLCI 102. When the “broadcast” keyword is included, it turns Frame Relay network as a broadcast network, which can forward broadcasts

Question 2

Refer to the exhibit. Which statement describes DLCI 17?

A: DLCI 17 describes the ISDN circuit between R2 and R3.

B: DLCI 17 describes a PVC on R2. It cannot be used on R3 or R1.

C: DLCI 17 is the Layer 2 address used by R2 to describe a PVC to R3.

D: DLCI 17 describes the dial-up circuit from R2 and R3 to the service provider.

Correct Answers: C

Explanation:

DLCI stands for Data Link Connection Identifier. DLCI values are used on Frame Relay interfaces to distinguish between different virtual circuits. DLCIs have local significance because the identifier references the point between the local router and the local Frame Relay switch to which the DLCI is connected.

Question 3

A default Frame Relay WAN is classified as what type of physical network?

A: point-to-point

B: broadcast multi-access

C: nonbroadcast multi-access

D: nonbroadcast multipoint

E: broadcast point-to-multipoint

Correct Answer: C

Explanation:

Non-Broadcast Multi-Access (NBMA) networks are types such as Frame Relay, X.25, and Asynchronous Transfer Mode (ATM). These networks allow for multi-access, but have no broadcast ability like Ethernet

Question 4

Which of the following are key characteristics of PPP? (Choose three.)

A: can be used over analog circuits

B: maps Layer 2 to Layer 3 address

C: encapsulates several routed protocols

D: supports IP only

E: provides error correction

Correct Answers: A C E

Explanation

Below is some more information about PPP:

PPP (Point-to-Point Protocol) allows authentication such as Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) and multilink connections (allow several separate physical paths to appear to be one logical path at layer 3) and can be run over asynchronous and synchronous links.

PPP can work with numerous network layer protocols, including Internet Protocol (IP), Novell’s Internetwork Packet Exchange (IPX), NBF and AppleTalk.

PPP only supports error detection, not error correction so answer E should be understood as “provides error detection”. It is a mistake of this question.

Question 5

Which three Layer 2 encapsulation types would be used on a WAN rather than a LAN? (Choose three)

A: HDLC

B: Ethernet

C: Token Ring

D: PPP

E: FDDI

F: Frame Relay

Correct Answer: A D F

Question 6

Refer to the exhibit. What is the meaning of the term dynamic as displayed in the output of the show frame-relay map command shown?

A: The Serial0/0 interface is passing traffic.

B: The DLCI 100 was dynamically allocated by the router

C: The Serial0/0 interface acquired the IP address of 172.16.3.1 from a DHCP server

D: The DLCI 100 will be dynamically changed as required to adapt to changes in the Frame Relay cloud

E: The mapping between DLCI 100 and the end station IP address 172.16.3.1 was learned through Inverse ARP

Correct Answer: E

Explanation

The term dynamic indicates that the DLCI number and the remote router IP address 172.16.3.1 are learned via the Inverse ARP process.

Inverse ARP is a technique by which dynamic mappings are constructed in a network, allowing a device such as a router to locate the logical network address and associate it with a permanent virtual circuit (PVC).

Question 7

Which of the following describes the roles of devices in a WAN? (Choose three.)

A: A CSU/DSU terminates a digital local loop

B: A modem terminates a digital local loop

C: A CSU/DSU terminates an analog local loop

D: A modem terminates an analog local loop

E: A router is commonly considered a DTE device

F: A router is commonly considered a DCE device

Correct Answers: A D E

Explanation

The idea behind a WAN is to be able to connect two DTE networks together through a DCE network. The network’s DCE device (includes CSU/DSU) provides clocking to the DTE-connected interface (the router’s serial interface).

Question 8

How should a router that is being used in a Frame Relay network be configured to avoid split horizon issues from preventing routing updates?

A: Configure a separate sub-interface for each PVC with a unique DLCI and subnet assigned to the sub-interface

B: Configure each Frame Relay circuit as a point-to-point line to support multicast and broadcast traffic

C: Configure many sub-interfaces on the same subnet

D: Configure a single sub-interface to establish multiple PVC connections to multiple remote router interfaces

Correct Answer: A

Explanation

Look at the figure below:

In the figure, router R1 has two point-to-point subinterfaces. The s0.1 subinterface connects to router R3 and the s0.2 subinterface connects to router R2. Each subinterface is on a different subnet.

Question 9

What can a network administrator utilize by using PPP Layer 2 encapsulation? (Choose three.)

A: VLAN support

B: compression

C: authentication

D: sliding windows

E: multilink support

F: quality of service

Correct Answers: B C E

Explanation

Same as question 4

Question 10

The Frame Relay network in the diagram is not functioning properly. What is the cause of the problem?

A: The Gallant router has the wrong LMI type configured

B: Inverse ARP is providing the wrong PVC information to the Gallant router

C: The S3 interface of the Steele router has been configured with the frame-relay encapsulation ietf command

D: The frame-relay map statement in the Attalla router for the PVC to Steele is not correct

E: The IP address on the serial interface of the Attalla router is configured incorrectly

Correct Answer: D

Explanation

At Attalla router, we find a deleted status but the next map statement indicates an active status, which if for Gallant. Therefore we can deduce the map statement for the PVC from Attalla to Steele is incorrect. Incorrect DLCI assignments that are configured normally shown up as “deleted” in the frame relay maps.

If you are not sure about Frame Relay, please read my Frame Relay tutorial.

Question 1

Users have been complaining that their Frame Relay connection to the corporate site is very slow. The network administrator suspects that the link is overloaded. Based on the partial output of the Router#show frame relay pvc command shown in the graphic, which output value indicates to the local router that traffic sent to the corporate site is experiencing congestion?

A. DLCI=100
B. last time PVC status changed 00:25:40
C. in BECN packets 192
D. in FECN packets 147
E. in DF packets 0

Answer: C

Explanation

First we should grasp the concept of BECN & FECN through an example:

Suppose Router A wants to send data to Router B through a Frame Relay network. If the network is congested, Switch 1 (a DCE device) will set the FECN bit value of that frame to 1, indicating that frame experienced congestion in the path from source to destination. This frame is forwarded to Switch 2 and to Router B (with the FECN bit = 1).

Switch 1 knows that the network is congesting so it also sends frames back to Router A with BECN bit set to 1 to inform that path through the network is congested.

In general, BECN is used on frames traveling away from the congested area to warn source devices that congestion has occurred on that path while FECN is used to alert receiving devices if the frame experiences congestion.

BECN also informs the transmitting devices to slow down the traffic a bit until the network returns to normal state.

The question asks “which output value indicates to the local router that traffic sent to the corporate site is experiencing congestion” which means it asks about the returned parameter which indicates congestion -> BECN.

Question 2

When troubleshooting a Frame Relay connection, what is the first step when performing a loopback test?

A. Set the encapsulation of the interface to HDLC.
B. Place the CSU/DSU in local-loop mode.
C. Enable local-loop mode on the DCE Frame Relay router.
D. Verify that the encapsulation is set to Frame Relay.

Answer: A

Explanation

The first thing when performing a loopback test on a Frame Relay connection is to reconfigure the encapsulation of the interface to HDLC protocol instead of Frame Relay protocol. The main reason is Frame Relay requires a pair of DCE/DTE which cannot be used in a loopback test.

For more information about steps of trouble shooting Frame Relay, please read: http://www.cisco.com/en/US/tech/tk713/tk237/technologies_tech_note09186a008014f8a7.shtml#topic20

For your information, below is a paragraph quoted from the above link:

“Serial0 is down, line protocol is down”

This output means you have a problem with the cable, channel service unit/data service unit (CSU/DSU), or the serial line. You need to troubleshoot the problem with a loopback test. To do a loopback test, follow the steps below:

1. Set the serial line encapsulation to HDLC and keepalive to 10 seconds. To do so, issue the commands encapsulation hdlc and keepalive 10 under the serial interface.
2. Place the CSU/DSU or modem in local loop mode. If the line protocol comes up when the CSU, DSU or modem is in local loopback mode (indicated by a “line protocol is up (looped)” message), it suggests that the problem is occurring beyond the local CSU/DSU. If the status line does not change states, there is possibly a problem in the router, connecting cable, CSU/DSU or modem. In most cases, the problem is with the CSU/DSU or modem.
3. Ping your own IP address with the CSU/DSU or modem looped. There should not be any misses. An extended ping of 0×0000 is helpful in resolving line problems since a T1 or E1 derives clock from data and requires a transition every 8 bits. B8ZS ensures that. A heavy zero data pattern helps to determine if the transitions are appropriately forced on the trunk. A heavy ones pattern is used to appropriately simulate a high zero load in case there is a pair of data inverters in the path. The alternating pattern (0×5555) represents a “typical” data pattern. If your pings fail or if you get cyclic redundancy check (CRC) errors, a bit error rate tester (BERT) with an appropriate analyzer from the telco is needed.
4. When you are finished testing, make sure you return the encapsulation to Frame Relay.

Question 3

What occurs on a Frame Relay network when the CIR is exceeded?

A. All TCP traffic is marked discard eligible.
B. All UDP traffic is marked discard eligible and a BECN is sent.
C. All TCP traffic is marked discard eligible and a BECN is sent.
D. All traffic exceeding the CIR is marked discard eligible.

Answer: D

Explanation

Committed information rate (CIR): The minimum guaranteed data transfer rate agreed to by the Frame Relay switch. Frames that are sent in excess of the CIR are marked as discard eligible (DE) which means they can be dropped if the congestion occurs within the Frame Relay network.

Note: In the Frame Relay frame format, there is a bit called Discard eligible (DE) bit that is used to identify frames that are first to be dropped when the CIR is exceeded.

Question 4

What are two characteristics of Frame Relay point-to-point subinterfaces? (Choose two)

A. They create split-horizon issues.
B. They require a unique subnet within a routing domain.
C. They emulate leased lines.
D. They are ideal for full-mesh topologies.
E. They require the use of NBMA options when using OSPF.

Answer: B C

Question 5

The output of the show frame-relay pvc command shows ”PVC STATUS=INACTIVE”. What does this mean?

A. The PVC is configured correctly and is operating normally,but no data packets have been detected for more than five minutes.
B. The PVC is configured correctly, is operating normally and is no longer actively seeking the address the remote route,
C. The PVC is configured correctly, is operating normally and is waiting for interesting to trigger a call to the remote router.
D. The PVC is configured correctly on the local switch, but there is a problem on the remote end of the PVC.
E. The PVC is not configured on the switch.

Answer: D

Explanation

The PVC STATUS displays the status of the PVC. The DCE device creates and sends the report to the DTE devices. There are 4 statuses:

+ ACTIVE: the PVC is operational and can transmit data
+ INACTIVE: the connection from the local router to the switch is working, but the connection to the remote router is not available
+ DELETED: the PVC is not present and no LMI information is being received from the Frame Relay switch
+ STATIC: the Local Management Interface (LMI) mechanism on the interface is disabled (by using the “no keepalive” command). This status is rarely seen so it is ignored in some books.

Question 6

Which encapsulation type is a Frame Relay encapsulation type that is supported by Cisco routers?

A. Q933-A Annex A
B. IETF
C. ANSI Annex D
D. HDLC

Answer: B

Explanation

Cisco supports two Frame Relay encapsulation types: the Cisco encapsulation and the IETF Frame Relay encapsulation, which is in conformance with RFC 1490 and RFC 2427. The former is often used to connect two Cisco routers while the latter is used to connect a Cisco router to a non-Cisco router. You can test with your Cisco router when typing the command Router(config-if)#encapsulation frame-relay ? on a WAN link. Below is the output of this command (notice Cisco is the default encapsulation so it is not listed here, just press Enter to use it).

Note: Three LMI options are supported by Cisco routers are ansi, Cisco, and Q933a. They represent the ANSI Annex D, Cisco, and ITU Q933-A (Annex A) LMI types, respectively.

HDLC is a WAN protocol same as Frame-Relay and PPP so it is not a Frame Relay encapsulation type.

Question 1

Which IP address can be assigned to an Internet interface?

A. 10.180.48.224
B. 9.255.255.10
C. 192.168.20.223
D. 172.16.200.18

Answer: B

Explanation

The IP address which can be assigned to an Internet interface is a public IP address. Private IP address are found in the following ranges:

* From 10.0.0.0 to 10.255.255.255
* From 172.16.0.0 to 172.31.255.255
* From 192.168.0.0 to 192.168.255.255

Also some special IP addresses (like the local loopback address 127.0.0.1, multicast addresses…) can’t be assigned to an Internet interface.

In this question only answer B doesn’t belong to the range of private IP address -> B is the correct answer.

Question 2

What will happen if a private IP address is assigned to a public interface connected to an ISP?

A. Addresses in a private range will be not routed on the Internet backbone.
B. Only the ISP router will have the capability to access the public network.
C. The NAT process will be used to translate this address in a valid IP address.
D. Several automated methods will be necessary on the private network.
E. A conflict of IP addresses happens, because other public routers can use the same range.

Answer: A

Question 3

When is it necessary to use a public IP address on a routing interface?

A. Connect a router on a local network.
B. Connect a router to another router.
C. Allow distribution of routes between networks.
D. Translate a private IP address.
E. Connect a network to the Internet.

Answer: E

Question 4

When a DHCP server is configured, which two IP addresses should never be assignable to hosts? (Choose two)

A. network or subnetwork IP address
B. broadcast address on the network
C. IP address leased to the LAN
D. IP address used by the interfaces
E. manually assigned address to the clients
F. designated IP address to the DHCP server

Answer: A B

Explanation

Network or subnetwork IP address (for example 11.0.0.0/8 or 13.1.0.0/16) and broadcast address (for example 23.2.1.255/24) should never be assignable to hosts. When try to assign these addresses to hosts, you will receive an error message saying that they can’t be assignable.

Question 6

The network administrator has asked you to check the status of the workstation’s IP stack by pinging the loopback address. Which address would you ping to perform this task?

A. 10.1.1.1
B. 127.0.0.1
C. 192.168.0.1
D. 239.1.1.1

Answer: B

Explanation

The IP address of 127.0.0.1 is the well-known loopback IP address on a computer. When try pinging this address, you are testing if the TCP/IP stack is working or not.

Question 7

Which command is used to see the path taken by packets across an IP network?

A. show ip route
B. show route
C. traceroute
D. trace ip route

Answer: C

Explanation

Notice that “traceroute” is the command used on a Cisco router while the “tracert” is the command used in MSDOS of Windows. They have the same purpose of finding the path that packets use to reach a destination network.

Question 8

Refer to the exhibit. Which value will be configured for Default Gateway of the Local Area Connection?

A. 10.0.0.0
B. 10.0.0.254
C. 192.223.129.0
D. 192.223.129.254

Answer: B

Explanation

The default gateway IP address must be on the same network with the configured host’s IP address and not is the network or broadcast address -> B is correct.

Question 9

Which of the following describe private IP addresses? (Choose two)

A. addresses chosen by a company to communicate with the Internet
B. addresses that cannot be routed through the public Internet
C. addresses that can be routed through the public Internet
D. a scheme to conserve public addresses
E. addresses licensed to enterprises or ISPs by an Internet registry organization

Answer: B D

Question 10

Refer to the exhibit. A network technician is asked to design a small network with redundancy. The exhibit represents this design, with all hosts configured in the same VLAN. What conclusions can be made about this design?

A. The design will function as intended
B. Spanning-tree will need to be used.
C. The router will not accept the addressing scheme.
D. The connection between switches should be a trunk.
E. The router interfaces must be encapsulated with the 802.1Q protocol.

Answer: C

Explanation

Each interface on a router must be in a different network. If two interfaces are in the same network, the router will not accept it and show error when the administrator assigns it.

Question 1

Refer to the exhibit. Assume that the routing protocol referenced in each choice below is configured with its default settings and the given routing protocol is running on all the routers. Which two conditional statements accurately state the path that will be chosen between networks 10.1.0.0 and 10.3.2.0 for the routing protocol mentioned? (Choose two)

A. If OSPF is the routing protocol, the path will be from R1 to R3 to R4 to R5.
B. If OSPF is the routing protocol, the path will be from R1 to R2 to R5.
C. If OSPF is the routing protocol, the path will be from R1 to R5.
D. If RIPv2 is the routing protocol, the path will be from R1 to R3 to R4 to R5.
E. If RIPv2 is the routing protocol, the path will be from R1 to R5.

Answer: A E

Explanation

First we need to know the speed of these links:

+ T1: 1.544 Mbps
+ 10BaseT: 10 Mbps
+ 100BaseT (often referred to as FastEthernet): 100Mbps

OSPF chooses the best path via bandwidth while RIP only uses hop count (the sum of routers to reach the destination).

Therefore if OSPF is used, it will choose the path R1 -> R3 -> R4 -> R5 because these links have much higher speed than other paths -> A is correct.

But if RIP is used it only counts the number of routers to reach the destination (the less the better) so it will choose path R1 -> R5 (hop count: 1) -> E is correct.

Question 2

Refer to the exhibit. Which three statements are true about how router JAX will choose a path to the 10.1.3.0/24 network when different routing protocols are configured? (Choose three)

A. By default, if RIPv2 is the routing protocol, only the path JAX-ORL will be installed into the routing table.
B. The equal cost paths JAX-CHI-ORL and JAX- NY-ORL will be installed in the routing table if RIPv2 is the routing protocol.
C. When EIGRP is the routing protocol, only the path JAX-ORL will be installed in the routing table by default.
D. When EIGRP is the routing protocol, the equal cost paths JAX-CHI-ORL, and JAX-NY-ORL will be installed in the routing table by default.
E. With EIGRP and OSPF both running on the network with their default configurations, the EIGRP paths will be installed in the routing table.
F. The OSPF paths will be installed in the routing table, if EIGRP and OSPF are both running on the network with their default configurations.

Answer: A D E

Explanation

First we need to know the speed of these links:

+ T1: 1.544 Mbps
+ T3: 45 Mbps (each T3 line consists of 28 T1 lines)

RIP chooses the path with minimum hop count to reach the destination so it will choose JAX-ORL path -> A is correct.

EIGRP, by default, calculates metric via bandwidth & delay (metric = bandwidth + delay). Delay parameter can be ignored in this case so EIGRP will choose the path via metric. Both the path JAX-CHI-ORL and JAX- NY-ORL have the same metric (each includes two T3 lines) so EIGRP will use these paths -> D is correct.

EIGRP has lower Administrative Distance than OSPF (EIGRP: 90 < OSPF: 110) which is better -> EIGRP will be preferred to OSPF -> E is correct.

Question 3

Refer to the exhibit. The network administrator must establish a route by which London workstations can forward traffic to the Manchester workstations. What is the simplest way to accomplish this?

A. Configure a dynamic routing protocol on London to advertise all routes to Manchester.
B. Configure a dynamic routing protocol on London to advertise summarized routes to Manchester.
C. Configure a dynamic routing protocol on Manchester to advertise a default route to the London router.
D. Configure a static default route on London with a next hop of 10.1.1.1.
E. Configure a static route on London to direct all traffic destined for 172.16.0.0/22 to 10.1.1.2.
F. Configure Manchester to advertise a static default route to London.

Answer: E

Question 4

Which command is used to configure a default route?

A. ip route 172.16.1.0 255.255.255.0 0.0.0.0
B. ip route 172.16.1.0 255.255.255.0 172.16.2.1
C. ip route 0.0.0.0 255.255.255.0 172.16.2.1
D. ip route 0.0.0.0 0.0.0.0 172.16.2.1

Answer: D

Explanation

The simple syntax of static route:

ip route destination-network-address subnet-mask {next-hop-IP-address | exit-interface}
+ destination-network-address: destination network address of the remote network
+ subnet mask: subnet mask of the destination network
+ next-hop-IP-address: the IP address of the receiving interface on the next-hop router
+ exit-interface: the local interface of this router where the packets will go out

In the statement “ip route 0.0.0.0 0.0.0.0 172.16.2.1″:

+ 0.0.0.0 0.0.0.0: refer to any network
+ 172.16.2.1: the next-hop-IP-address

Question 5

If IP routing is enabled, which two commands set the gateway of last resort to the default gateway? (Choose two)

A. ip default-gateway 0.0.0.0
B. ip route 172.16.2.1 0.0.0.0 0.0.0.0
C. ip default-network 0.0.0.0
D. ip default-route 0.0.0.0 0.0.0.0 172.16.2.1
E. ip route 0.0.0.0 0.0.0.0 172.16.2.1

Answer: C E

Question 6

What must be set correctly when configuring a serial interface so that higher-level protocols calculate the best route?

A. bandwidth
B. delay
C. load
D. reliability

Answer: A

Explanation

Higher-level protocols (OSPF, EIGRP) calculate the best route mainly based on bandwidth so it must be set correctly -> A is correct.

Question 7

Which destination addresses will be used by Host A to send data to Host C? (Choose two)

A. the IP address of Switch 1
B. the MAC address of Switch 1
C. the IP address of Host C
D. the MAC address of Host C
E. the IP address of the router’s E0 interface
F. the MAC address of the router’s E0 interface

Answer: C F

Explanation

While transferring data through many different networks, the source and destination IP addresses are not changed. Only the source and destination MAC addresses are changed. So in this case Host A will use the IP address of Host C and the MAC address of E0 interface to send data. When the router receives this data, it replaces the source MAC address with it own E1 interface’s MAC address and replaces the destination MAC address with Host C’s MAC address before sending to Host C -> C and F are correct.

Question 8

Which routing protocols can be used within the enterprise network shown in the diagram? (Choose three)

A. RIPv1
B. RIP v2
C. IGRP
D. OSPF
E. BGP
F. EIGRP

Answer: B D F

Explanation

RIPv1 & IGRP can not be used in this network because they do not support Variable Length Subnet Masking (VLSM) -> A and C are not correct.

BGP is a complicated routing protocol between different network (usually very big) or different Autonomous System. For example BGP can be used between two Internet Service Providers (ISP). The above network is very small in an enterprise so BGP is not a suitable choice -> E is not correct.

RIPv2 supports VLSM and can be used in networks which have less than 15 routers -> B is correct.

OSPF and EIGRP can be always used in most of enterprise networks -> D F are correct.

(But notice that EIGRP is a Cisco-proprietary routing protocol so it can be used in Cisco routers only)

Question 9

Which routing protocols will support the following IP addressing scheme? (Choose three)

Network 1 – 192.168.10.0 /26
Network 2 – 192.168.10.64 /27
Network 3 – 192.168.10.96 /27
Network 4 – 192.168.10.128 /30
Network 5 – 192.168.10.132 /30

A. RIP version 1
B. RIP version 2
C. IGRP
D. EIGRP
E. OSPF

Answer: B D E

Explanation

RIPv2, OSPF and EIGRP are classless routing protocol which support VLSM.

Question 10

Refer to the graphic. A static route to the 10.5.6.0/24 network is to be configured on the HFD router. Which commands will accomplish this? (Choose two)

A. HFD (config) #ip route 10.5.6.0 0.0.0.255 fa0/0
B. HFD(config)# ip route 10.5.6.0 0.0.0.255 10.5.4.6
C. HFD(config)# ip route 10.5.6.0 255.255.255.0 fa0/0
D. HFD(config)# ip route 10.5.6.0 255.255.255.0 10.5.4.6
E. HFD(config)# ip route 10.5.4.6 0.0.0.255 10.5.6.0
F. HFD(config)# ip route 10.5.4.6 255.255.255.0 10.5.6.0

Answer: C D

Explanation

The simple syntax of static route:

ip route destination-network-address subnet-mask {next-hop-IP-address | exit-interface}
+ destination-network-address: destination network address of the remote network
+ subnet mask: subnet mask of the destination network
+ next-hop-IP-address: the IP address of the receiving interface on the next-hop router
+ exit-interface: the local interface of this router where the packets will go out

In the statement “ip route 10.5.6.0 255.255.255.0 fa0/0″:

+ 10.5.6.0 255.255.255.0: the destination network
+fa0/0: the exit-interface

Question 1

Refer to the exhibit. Host A is to send data to Host B. How will Router1 handle the data frame received from Host A? (Choose three)

A. Router1 will strip off the source MAC address and replace it with the MAC address on the forwarding FastEthernet interface.
B. Router1 will strip off the source IP address and replace it with the IP address on the forwarding FastEthernet interface.
C. Router1 will strip off the destination MAC address and replace it with the MAC address of Host B.
D. Router1 will strip off the destination IP address and replace it with the IP address of Host B.
E. Router1 will forward the data frame out interface FastEthernet0/1.
F. Router1 will forward the data frame out interface FastEthernet0/2.

Answer: A C F

Explanation

While transferring data through many different networks, the source and destination IP addresses are not changed. Only the source and destination MAC addresses are changed. So in this case, Host A will use the IP address of Host B and the MAC address of Fa0/0 interface to send data. When the router receives this data, it replaces the source MAC address with it own Fa0/2 interface’s MAC address and replaces the destination MAC address with Host B’s MAC address before sending to Host B -> A, C and F are correct.

Question 2

What is an appropriate use of a default route?

A. to provide routing to a local web server
B. to provide routing from an ISP to a stub network
C. to provide routing that will override the configured dynamic routing protocol
D. to provide routing to a destination that is not specified in the routing table and which is outside the local network

Answer: D

Explanation

Default routes are used to direct packets addressed to networks not explicitly listed in the routing table. An example of default route is:

Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1

(Notice that the network address of default route is 0.0.0.0 0.0.0.0)

Question 3

A medium-sized company has a Class C IP address. It has two Cisco routers and one non-Cisco router.
All three routers are using RIP version 1.
The company network is using the block of 198.133.219.0/24.
The company has decided it would be a good idea to split the network into three smaller subnets and create the option of conserving addresses with VLSM.

What is the best course of action if the company wants to have 40 hosts in each of the three subnets?

A. Convert all the routers to EIGRP and use 198.133.219.32/27, 198.133.219.64/27, and 198.133.219.92/27 as the new subnetworks.
B. Maintain the use of RIP version 1 and use 198.133.219.32/27, 198.133.219.64/27, and 198.133.219.92/27 as the new subnetworks.
C. Convert all the routers to EIGRP and use 198.133.219.64/26, 198.133.219.128/26, and 198.133.219.192/26 as the new subnetworks.
D. Convert all the routers to RIP version 2 and use 198.133.219.64/26, 198.133.219.128/26, and 198.133.219.192/26 as the new subnetworks.
E. Convert all the routers to OSPF and use 198.133.219.16/28, 198.133.219.32/28, and 198.133.219.48/28 as the new subnetworks.
F. Convert all the routers to static routes and use 198.133.219.16/28, 198.133.219.32/28, and 198.133.219.48/28 as the new subnetworks.

Answer: D

Explanation

RIP version 1 does not support VLSM so we have to convert into RIPv2, OSPF or EIGRP -> B is not correct.

But EIGRP is a Cisco-proprietary routing protocol so it can not be used in a non-Cisco router -> A and C are not correct.

To support 40 hosts per subnet we need a subnet mask of /26 or lower (which leaves 6 bits 0 and 2⁶ = 64 > 40 hosts). Therefore a subnet mask of /28 is not suitable in this case -> E & F are not correct.

Question 4

Refer to the exhibit. Which command will created a default route on RouterB to reach all networks beyond RouterA?

A. ip route 0.0.0.0 0.0.0.0 192.168.2.2
B. ip route 192.168.1.0 255.255.255.0 192.168.2.1
C. ip route 192.168.1.0 255.255.255.0 s0/0/0
D. ip route 10:0.0.0 255.255.255.0 s0/0/0
E. ip route 0.0.0.0 255.255.255.0 192.168.2.2

Answer: A

Explanation

Notice that in the static (or default) route we need to specify the exit-interface (local on that router) or the next-hop IP address (of a directly connected router) -> A is correct.

Question 5

Refer to the exhibit. S0/0 on R1 is configured as a multipoint interface to communicate with R2 and R3 in the hub-and-spoke Frame Relay topology. While testing this configuration, a technician notes that pings are successfully from hosts on the 172.16.1.0/24 network to hosts on both the 172.16.2.0/25 and 172.16.0.2.128/25 networks. However, pings between hosts on the 172.16.2.0/25 and 172.16.2.128/25 network are not successful. What could explain this connectivity problem?

A. The ip subnet-zero command has been issued on the R1 router.
B. The RIPv2 dynamic routing protocol cannot be used across a Frame Relay network.
C. Split horizon is preventing R2 from learning about the R3 networks and R3 from learning about R2 networks.
D. The 172.16.2.0/25 and 172.16.2.128/25 networks are overlapping networks that can be seen by R1, but not between R2 and R3.
E. The 172.16.3.0/29 network used on the Frame Relay links is creating a discontiguous network between the R2 and R3 router subnetworks.

Answer: C

Explanation

The split horizon rule states “a router never sends information about a route back in same direction which is original information came”. In this case it means whenR3 sends update to R1 via s0/0, R1 does not send any update for same network out of interface s0/0. To solve this problem we can configure sub-interfaces on s0/0 or explicitly allow the update to be sent back on the same interface.

Question 6

S0/0 on R1 is configured as a multipoint interface to communicate with R2 and R3 in the hub-and-spoke Frame Relay topology shown in the exhibit. Originally, static routes were configured between these routers to successfully route traffic between the attached networks. What will need to be done in order to use RIPv2 in place of the static routes?

A. Configure the no ip subnet-zero command on R1, R2, and R3.
B. Dynamic routing protocols such as RIPv2 cannot be used across Frame Relay networks.
C. Configure the S0/0 interface on R1 as two subinterfaces and configure point-to-point links to R2 and R3.
D. Change the 172.16.2.0/25 and 172.16.2.128/25 subnetworks so that at least two bits are borrowed from the last octet.
E. Change the network address configuration to eliminate the discontiguous 172.16.2.0/25 and 172.16.2.128/25 subnetwork.

Answer: C

Explanation

Same as Question 5

Question 7

Refer to the exhibit. A network associate has configured the internetwork that is shown in the exhibit, but has failed to configure routing properly.

Which configuration will allow the hosts on the Branch LAN to access resources on the HQ LAN with the least impact on router processing and WAN bandwidth?

A.
HQ(config)# ip route 192.168.1.0 255.255.255.0 192.168.2.5
Branch(config) # ip route 172.16.25.0 255.255.255.0 192.168.2.6

B.
HQ(config)# router rip
HQ(config-router)# network 192.168.2.0
HQ(config-router)# network 172.16.0.0
Branch(config)# router rip
Branch(config-router) # network 192.168.1.0
Branch(config-router)# network 192.168.2.0

C.
HQ(config)# router eigrp 56
HQ(config-router)# network 192.168.2.4
HQ(config-router)# network 172.16.25.0
Branch(config)# router eigrp 56
Branch(config-router)# network 192.168.1.0
Branch(config-router) # network 192.168.2.4

D.
HQ(config)# router ospf 1
HQ(config-router)# network 192.168.2.4 0.0.0.3 area 0
HQ(config-router)# network 172.16.25.0 0.0.0.255 area 0
Branch(config)# router ospf 1
Branch(config-router)# network 192.168.1.0 0.0.0.255 area 0

Answer: A

Explanation

By configuring static route, we can minimize the router processing and WAN bandwidth.

Question 8

Refer to the exhibit. The network administrator requires easy configuration options and minimal routing protocol traffic. Which two options provide adequate routing table information for traffic that passes between the two routers and satisfy the requests of the network administrator?(choose two)

A. a dynamic routing protocol on InternetRouter to advertise summarized routers to CentralRouter.
B. a dynamic routing protocol on CentralRouter to advertise summarized routers to InternetRouter.
C. a static route on InternetRouter to direct traffic that is destined for 172.16.0.0/16 to CentralRouter.
D. a dynamic routing protocol on InternetRouter to advertise all routes to CentralRouer.
E. a dynamic routing protocol on CentralRouer to advertise all routes to InternetRouter
F. a static, default route on CentralRouter that directs traffic to InternetRouter.

Answer: C F

Question 9

A router receives information about network 192.168.10.0/24 from multiple sources. What will the router consider the most reliable information about the path to that network?

A. an OSPF update for network 192.168.0.0/16
B. a static router to network 192.168.10.0/24
C. a static router to network 192.168.10.0/24 with a local serial interface configured as the next hop
D. a RIP update for network 192.168.10.0/24
E. a directly connected interface with an address of 192.168.10.254/24
F. a default route with a next hop address of 192.168.10.1

Answer: E

Question 10

Which parameter can be tuned to affect the selection of a static route as a backup when a dynamic protocol is also being used?

A. link bandwidth
B. hop count
C. link cost
D. administrative distance
E. link delay

Answer: D

Question 11

Which statement is true, as relates to classful or classless routing?

A. RIPV1 and OSPF are classless routing protocols.
B. Classful routing protocols send the subnet mask in routing updates.
C. Automatic summarization at classful boundaries can cause problems on discontiguous networks.
D. EIGRP and OSPF are classful routing protocols and summarize routes by default.

Answer: C

Question 12

Which two are advantages of static routing when compared to dynamic routing? (choose two)

A. Security increases because only the network administrator may change the routing tables.
B. Configuration complexity decreases as network size increases.
C. Routing updates are automatically sent to neighbors.
D. Route summarization is computed automatically by the router.
E. Routing traffic load is reduced when used in stub network links.
F. An efficient algorithm is used to build routing tables using automatic updates.
G. Routing tables adapt automatically to topology changes.

Answer: A E

Question 13

The speed of all serial links is E1 and the speed of the all other links is 100Mb/s. A static route will be established on the Manchester router to direct traffic toward to the internet over the most direct path available. What configuration of the Manchester router will establish a route toward to the internet for traffic from workstation on the Manchester LAN?

A. ip route 0.0.0.0 255.255.255.0 172.16.100.2
B. ip route 0.0.0.0 255.255.255.252 128.107.1.1
C. ip route 0.0.0.0 0.0.0.0 128.107.1.1
D. ip route 0.0.0.00.0:0:0 172.16.100.1
E. ip route 0.0.0.0 255.255.255.255 172.16.100.2
F. ip route 0.0.0.0 0.0.0.0 172.16.100.2

Answer: F

Explanation

Maybe “the most direct path available” here means via R2 because it is directly connected with the Internet while the London path needs to go through R1. So we need a command to send traffic to R2 and the correct command is “ip route 0.0.0.0 0.0.0.0 172.16.100.2″.

Note: If you are not sure about RIP, please read my RIP tutorial.

Question 1

Which statement about RIPng is true?

A. RIPng allows for routes with up to 30 hops.
B. RIPng is enabled on each interface separately.
C. RIPng uses broadcasts to exchange routes.
D. There can be only one RIPng process per router.

Answer: B

Explanation

RIPng is similar to RIPv2 but is used for IPv6. But unlike RIPv1 and RIPv2, RIPng is enabled on each interface separately. For example:

Router(config)#ipv6 unicast-routing (Enables the forwarding of IPv6 unicast datagrams globally on the router)
Router(config)#interface fa0/0
Router(config-if)#ipv6 rip 9tut enable (9tut is the process name of this RIPng)

Question 2

What are two characteristics of RIPv2? (Choose two)

A. classful routing protocol
B. variable-length subnet masks
C. broadcast addressing
D. manual route summarization
E. uses SPF algorithm to compute path

Answer: B D

Question 3

Refer to the exhibit. Which (config-router) command will allow the network represented on the interface to be advertised by RIP?

A. redistribute ethernet0
B. network ethernet0
C. redistribute 10.12.0.0
D. network 10.12.0.0

Answer: D

Question 4

Refer to the exhibit. What information can be gathered from the output?

A. One router is running RIPv1.
B. RIP neighbor is 224.0.0.9.
C. The network contains a loop.
D. Network 10.10.1.0 is reachable.

Answer: D

Question 5

Which series of commands will configure router R1 for LAN-to-LAN communication with router R2? The enterprise network address is 192.1.1.0/24 and the routing protocol in use is RIP. (Choose three)

A.
R1 (config)# interface ethernet 0
R1 (config-if)# ip address 192.1.1.129 255.255.255.192
R1 (config-if)# no shutdown
B.
R1 (config)# interface ethernet 0
R1(config-if)#ip address 192.1.1.97 255.255.255.192
R1 (config-if)# no shutdown
C.
R1 (config)# interface serial 0
R1 (config-if)# ip address 192.1.1.4 255.255.255.252
R1 (config-if)# clock rate 56000
D.
R1 (config)# interface serial 0
R1(config-if)#ip address 192.1.1.6 255.255.255.252
R1 (config-it)# no shutdown
E.
R1 (config)# router rip
R1 (config-router)# network 192.1.1.4
R1 (config-router)# network 192.1.1.128
F.
R1 (config)# router rip
R1 (config-router)# version 2
R1 (config-router)# network 192.1.1.0

Answer: A D F

Explanation

First we notice that the ip address of the E0 interface of R2 is 192.1.1.65/26, which has:

+ Increment: 64 (/26 = 1111 1111.1111 1111.1111 1111.1100 0000)
+ Network address: 192.1.1.64
+ Broadcast address: 192.1.1.127

Therefore, the ip address of the E0 interface of R1 cannot belong to this range or the network cannot operate correctly.

In answer A, the ip address of E0 interface of R1 is 192.1.1.129, which does not belong in this range -> A is correct.
In answer B, E0 interface of R1 has the ip address of 192.1.1.97, which belongs in this range -> B is not correct.

The s0 interface of R1 must belong to the same network of s0 interface of R2, which has:

+ Increment: 4 (/30 = 1111 1111.1111 1111.1111 1111.1111 1100)
+ Network address: 192.1.1.4
+ Broadcast address: 192.1.1.7

The ip 192.1.1.5 has been used by s0 of R2 so the only suitable ip address of s0 of R1 is 192.1.1.6 -> C is wrong but D is correct.

Now the last thing we must do is enabling RIP. Because e0 interface of R1 and e0 interface of R2 have the same major network (192.1.1.0/24) so we must use RIP version 2 to support discontiguous network -> F is correct.

For answer E, if we configure 2 networks
R1 (config-router)# network 192.1.1.4
R1 (config-router)# network 192.1.1.128
then these networks will be automatically summarized as 192.1.1.0 network.

Question 6

Refer to the exhibit. Two routers have just been configured by a new technician. All interfaces are up. However, the routers are not sharing their routing tables. What is the problem?

A. Split horizon is preventing Router2 from receiving routing information from Router1.
B. Router1 is configured for RIP version 2, and Router2 is configured for RIP version 1.
C. Router1 has an ACL that is blocking RIP version 2.
D. There is a physical connectivity problem between Router1 and Router2.
E. Router1 is using authentication and Router2 is not.

Answer: B

Explanation

As we can see from the output, Router2 is sending v1 update and ignoring v2 update from neighbor so we can conclude Router2 is running RIPv1. Its neighbor, Router1 (ip address of 192.168.2.1), is running RIPv2.

Notice that router running RIPv2 can “understand” RIPv1 update but router running RIPv1 cannot understand RIPv2 update.

Question 7

What is the default routing update period for RIPv2?
A. 15 seconds
B. 30 Seconds
C. 180 Seconds
D. 240 Seconds

Answer: B

Question 8

Refer to the exhibit. The network manager is evaluating the efficiency of the current network design. RIPv2 is enabled on all Layer 3 devices in the network. What network devices participate in passing traffic from the PC at 10.10.1.7 to File Server at 10.20.1.6 in the order that they will forward traffic from source to destination?

A. Switch, Switch2
B. Switch, Switch2, Router2, Switch2
C. Switch1, Router1, Switch1, Switch2
D. Switch1, Router1, Router2, Switch2

Answer: D

Explanation

The PC and File Server are in different VLANs so surely traffic from PC to File Server must go through Router1 but which path will the packet go next, through Router 2 or Switch1? Well, it is a hard question to answer.

As many comments said “the connection between R1 and Switch is Blue, so that means its under Vlan 10, and R2 to Switch 2 is red. The two routers do not have subinterfaces and are not running router on a stick basing on the color of the links” so D should be the correct answer.

Just for your information, I keep this explanation (which supports answer C) but in the exam you should choose D as your answer!

I haven’t had tested it yet but I guess that because there is a VLAN 20 on Switch 1 so Router1 will try to send that packet back to Switch1. If the link between Switch1 and Switch2 is a trunk link then the returned packet will also be sent to this link. Switch 2 receives that packet and it sends to the File Server at VLAN20. So the path will be Switch1 -> Router1 -> Switch1 -> Switch2.

There are some debates about this question but if the routers are properly configured then the packets can go from Switch1 -> Router1 -> Router2 -> Switch2 (D answer) so D can be a correct answer.

Question 9

Refer to the exhibit. Router A has interfaces with addresses 192.168.1.1 and 172.16.1.1. Router B, which is connected to router A over a serial link, has interfaces with address 172.16.1.2 and 10.1.1.2.

Which sequence of commands will configure RIPv2 on router B?

A.
B( config)# router rip
B(config-router)#version 2
B(config-router)# network 172.16.0.0
B(config-router)# network 10.0.0.0
B(config-router)# end

B.
B(config)# router rip 2
B(config-router)# network 172.16.0.0
B(config-router)# network 10.0.0.0
B(config-router)# end

C.
B(config)# router rip
B(config-router)#version 2
B(config-router)# network 172.16.0.0
B(config-router)#network 192.168.1.0
B(config-router)#end

D.
B(config)# router rip version 2
B(config-router)# network 172.16.0.0
B(config-router)# network 10.0.0.0
B(config-router)#end

Answer: A

Question 10

Refer to the exhibit. S0/0 on R1 is configured as a multipoint interface to communicate with R2 and R3 in this hub-and-spoke Frame Relay topology.
While testing this configuration, a technician notes that pings are successful from hosts on the 172.16.1.0/24 network to hosts on both the 172.16.2.0/25 and 172.16.2.128/25 networks. However, pings between hosts on the 172.16.2.0/25 and 172.16.2.128/25 networks are not successful. What could explain this connectivity problem?

A. The ip subnet-zero command has been issued on the R1 router.
B. The RIP v2 dynamic routing protocol cannot be used across a Frame Relay network.
C. Split horizon is preventing R2 from learning about the R3 networks and R3 from learning about the R2 networks.
D. The 172.16.2.0/25 and 172.16.2.128/25 networks are overlapping networks that can be seen by R1, but not between R2 and R3.
E. The 172.16.3.0/29 network used on the Frame Relay links is creating a discontiguous network between the R2 and R3 router subnetworks.

Answer: C

Explanation

The “ip subnet-zero” allows the use of the first subnet but it doesn’t cause this problem and we don’t have that first subnet (like 172.16.0.0/24) so we can’t confirm if the “ip subnet-zero” was used or not -> A is not correct.

Frame-Relay can use RIPv2 with no problem if we configure it correctly -> B is not correct.

In the exhibit above we notice that the s0/0 interface of R1 has not been divided into sub-interfaces so the split horizon will prevent updates from R2 to R3 and vice versa. The split horizon rule states “A router never sends information about a route back in same direction which is original information came”. In this case R2 send an update to S0/0 of R1 so R1 cannot send that update back on S0/0 -> R3 will not learn about networks of R2 (and vice versa) -> C is correct.

172.16.2.0/25 and 172.16.2.128/25 networks are not overlapping networks. They are two different sub-networks -> D is not correct.

RIPv2 is a classless routing protocol so it supports VLSM and discontiguous networks -> E is not correct.

Question 11

Refer to the exhibit. After a RIP route is marked invalid on Router_1, how much time will elapse before that route is removed from the routing table?

A. 30 seconds
B. 60 seconds
C. 90 seconds
D. 180 seconds
E. 240 seconds

Answer: B

Question 12

Refer to the graphic. Host 1 cannot receive packets from Host 2. Assuming that RIP v1 is the routing protocol in use, what is wrong with the IP configuration information shown? (Choose two)

A. The fa0/1 interface of router R2 has been assigned a broadcast address.
B. The fa0/1 network on router R2 overlaps with the LAN attached to R1.
C. Host 2 has been assigned the incorrect subnet mask.
D. Host 1 has been configured with the 255.255.248.0 subnet mask.
E. Host 2 on router R2 is on a different subnet than its gateway.

Answer: B C

Explanation

The fa0/1 interface of R2 is assigned an IP address of 10.1.40.255/20. It seems to be a broadcast address but it is not. If we calculate the range of this network we will understand why:

Network 10.1.40.255/20
Increment: 16 (/20 = 1111 1111.1111 1111.1111 0000.0000 0000)
Network address: 10.1.32.0
Broadcast address: 10.1.47.255

-> 10.1.40.255/20 is an usable host address -> A is not correct.

The IP address of host 1 (10.1.32.48) belongs to the range of interface fa0/1 on R2 as shown above -> B is correct.

In the topology above, all subnet masks are /20 (255.255.240.0) excepting the subnet mask of Host 2 (255.255.252.0)  so C can be incorrect.

The subnet mask of Host 1 is 255.255.240.0, not 255.255.248.0 -> D is not correct.

Host 2 is not on a different subnet than its gateway even if the subnet mask 255.255.252.0 is used. Let’s analyze the range of Host 2 network:

Network 10.1.40.96/22
Increment: 4
Network address: 10.1.40.0
Broadcast address: 10.1.43.255

Its gateway (10.1.40.255) is still belongs to this range -> E is not correct.

Note: In this question, C is the best suitable answer after eliminating A, D, E answers. But in fact Host 2 can ping its gateway because they are on the same subnet.

Question 13

What two things will a router do when running a distance vector routing protocol? (Choose two)

A. Send periodic updates regardless of topology changes.
B. Send entire routing table to all routers in the routing domain.
C. Use the shortest-path algorithm to the determine best path.
D. Update the routing table based on updates from their neighbors.
E. Maintain the topology of the entire network in its database.

Answer: A D

Question 14

Use the output from the router shown in the graphic above to determine which of the following are correct. (Choose two)

A. Router John uses a link-state routing protocol.
B. Router John will receive routing updates on the Serial0/0 interface.
C. Router John will receive routing updates on the Serial0/1 interface.
D. Router John will send routing updates out the Serial0/0 interface.
E. Router John will send routing updates out the FastEthernet0/0 interface.
F. Router John will send routing updates out the Serial0/1 interface.

Answer: B D

Question 15

What can be determined from the line of show ip route output shown in the exhibit? (Choose two)

R 10.10.10.8 [120/2] via 10.10.10.6,00:00:25, Serial0/1

A. The next routing update can be expected in 35 seconds.
B. The IP address 10.10.10.6 is configured on S0/1.
C. The IP address 10.10.10.8 is configured on S0/1.
D. This route is using the default administrative distance.
E. The 10.10.10.8 network is two hops away from this router.

Answer: D E

Explanation

From the output, we can see 2 parameters [120/2]. The first is the administrative distance of the routing protocol being used. In this case it is RIP (symbolized by the letter “R”). Because 120 is also the default administrative distance value of RIP -> D is correct.

In RIP, the metric is hop count so “2″ means the network 10.10.10.8 is two hops (routers) away from this router.

Note: If you are not sure about OSPF, please read my OSPF tutorial

Question 1

Which of the following statements below best describe the process identifier that is used to run OSPF on a router? (Choose two)

A – It is an optional parameter required only if multiple OSPF processes are running on the router
B – It is locally significant
C – It is needed to identify a unique instance of an OSPF database
D – All routers in the same OSPF area must have the same process ID if they are to exchange routing information

Answer: B C

Question 2:

Why R1 can’t establish an OSPF neighbor relationship with R3 according to the following graphic? (Choose two)

A – Configure EIGRP on these routers with a lower administrative distance
B – All routers should be configured for backbone Area 1
C – R1 and R3 have been configured in different areas
D – The hello and dead interval timers are not configured the same values on R1 and R3

Answer: C D

Explanation:

A is not correct because configure EIGRP on these routers (with a lower administrative distance) will force these routers to run EIGRP, not OSPF.

B is not correct because the backbone area of OSPF is always Area 0.

C and D are correct because these entries must match on neighboring routers:

- Hello and dead intervals
– Area ID (Area 0 in this case)
– Authentication password
– Stub area flag

Question 3:

Which items are correct about the routing protocol OSPF? (Choose three)

A – Support VLSM
B – Increase routing overhead on the network
C – Confine network instability to one area of the network
D – Allow extensive control of routing updates

Answer: A C D

Explanation:

Routing overhead is the amount of information needed to describe the changes in a dynamic network topology. All routers in an OSPF area have identical copies of the topology database and the topology database of one area is hidden from the rest of the areas to reduce routing overhead because fewer routing updates are sent and smaller routing trees are computed and maintained (allow extensive control of routing updates and confine network instability to one area of the network).

Question 4:

Which three features are of OSPF routing protocol? (Choose three)

A – Converge quickly
B – OSPF is a classful routing protocol
C – Identify the best route by use of cost
D – Before exchanging routing information, OSPF routers find out neighbors

Answer: A C D

Question 5:

OSPF routing uses the concept of areas. What are the characteristics of OSPF areas? (Chose three)

A – Each OSPF area requires a loopback interface to be configured
B – Areas may be assigned any number from 0 to 65535
C – Area 0 is called the backbone area
D – Hierarchical OSPF networks do not require multiple areas
E – Multiple OSPF areas must connect to area 0
F – Single area OSPF networks must be configured in area 1

Answer: B C E

Explanation:

I used to think the answers should be C D E and here is my explanation:

OSPF can use an active interface for its router ID, so a loopback interface is not a must -> A is incorrect.

OSPF Area is a 32-bit number so we can use up to 2³² – 1 = 4294967296 – 1 (since Area 0 is the first area). Remember that only process ID is a 16-bit number and ranges from 1 to 65535 -> B is incorrect.

F is incorrect too because single area OSPF netwoks must be configured in Area 0, which is called the backbone area.

For answer D, it is a bit hard to guess what they want to say about “hierarchical” but we should understand “Hierarchical OSPF networks” as “OSPF networks”. D is correct bercause we can only have one area (area 0 – the backbone area) for our networks.

But TT commented on 01-11-2010:

Especially to note on choice B, D, and E:

Choice B: we all know that The areas can be any number from 0 to 4.2 billion and 1 to 65,535 for the Process ID. As choice B specifies ‘area’ (be aware, it’s not saying ‘process id), there is no reason to say that we cannot assign numbers from 0 to 65535 for area # (it is using ‘may be’, not ‘have to be’ or ‘ought to be’). Hence, we do not worry about assigning ’0′.

Choice E: as Area 0 is the backbone, we all understand that any areas in a OSPF network have to be connected to it. And actually this is implicitly saying that multiple areas form a hierarchical OSPF network, as Area 0 being a root and others being its leaves.

Choice D: when it specifies ‘Hierarchical’, at least 2 areas should be required to form such topology (of course that includes Area 0)

Although Choice B is not an absolutely accurate statement since it not only can be assigned up to 65535, it is still a correct answer. And again, it specifies ‘area’, not ‘process id’, so ’0′ can be included. Finally, it would be meaningless to call OSPF a hierarchical network if no more than one area is present.

—————————————————————————————————-

I reviewed the question and think it is a more suitable solution with choice B than choice D, surely it is a tricky question!

Question 6:

Part of the OSPF network is shown below:

Configuration exhibit:

R1 routing commands:

ip route 0.0.0.0 0.0.0.0 serial0/0
router ospf 1
network 172.16.100.0 0.0.0.3 area 0
network 172.16.100.64 0.0.0.63 area 0
network 172.16.100.128 0.0.0.31 area 0
default-information originate

You work as a network technician, study the exhibits carefully. Assume that all router interfaces are operational and correctly configured. In addition, assume that OSPF has been correctly configured on router R2. How will the default route configured on R1 affect the operation of R2?

A – Any packet destined for a network that is not directly connected to router R2 will be dropped immediately
B – Any packet destined for a network that is not directly connected to router R1 will be dropped
C – Any packet destined for a network that is not directly connected to router R2 will be dropped immediately because of the lack of a gateway on R1
D – The network directly connected to a router R2 will not be able to communicate with the 172.16.100.0, 172.16.100.28 and 172.16.100.64 subnetworks.
E – Any packet destined for a network that is not referenced in the routing table of router R2 will be directed to R1. R1 will then send that packet back to R2 and a routing loop will occur

Answer: E

Explanation:

First, notice that the more-specific routes will always be favored over less-specific routes regardless of the administrative distance set for a protocol. In this case, because we use OSPF for three networks (172.16.100.0 0.0.0.3, 172.16.100.64 0.0.0.63, 172.16.100.128 0.0.0.31) so the packets destined for these networks will not be affected by the default route.

The default route configured on R1 “ip route 0.0.0.0 0.0.0.0 serial0/0″ will send any packet whose destination network is not referenced in the routing table of router R1 to R2, it doesn’t drop anything so answers A, B and C are not correct. D is not correct too because these routes are declared in R1 and the question says that “OSPF has been correctly configured on router R2″, so network directly connected to router R2 can communicate with those three subnetworks.

As said above, the default route configured on R1 will send any packet destined for a network that is not referenced in its routing table to R2; R2 in turn sends it to R1 because it is the only way and a routing loop will occur.

Note: If you are not sure about OSPF, please read my OSPF tutorial

Question 1

Refer to the exhibit. Which two statements are true about the loopback address that is configured on RouterB? (Choose two)

A. It ensures that data will be forwarded by RouterB.
B. It provides stability for the OSPF process on RouterB.
C. It specifies that the router ID for RouterB should be 10.0.0.1.
D. It decreases the metric for routes that are advertised from RouterB.
E. It indicates that RouterB should be elected the DR for the LAN.

Answer: B C

Explanation

A loopback interface never comes down even if the link is broken so it provides stability for the OSPF process (for example we use that loopback interface as the router-id) -> B is correct.

The router-ID is chosen in the order below:

+ The highest IP address assigned to a loopback (logical) interface.
+ If a loopback interface is not defined, the highest IP address of all active router’s physical interfaces will be chosen.

-> The loopback interface will be chosen as the router ID of RouterB -> C is correct.

Question 2

Which characteristics are representative of a link-state routing protocol? (Choose three)

A. provides common view of entire topology
B. exchanges routing tables with neighbors
C. calculates shortest path
D. utilizes event-triggered updates
E. utilizes frequent periodic updates

Answer: A C D

Explanation

Each of routers running link-state routing protocol learns paths to all the destinations in its “area” so we can say A is correct although it is a bit unclear.

Link-state routing protocols generate routing updates only (not the whole routing table) when a change occurs in the network topology so B is not correct.

Link-state routing protocol like OSPF uses Dijkstra algorithm to calculate the shortest path -> C is correct.

Unlike Distance vector routing protocol (which utilizes frequent periodic updates), link-state routing protocol utilizes event-triggered updates (only sends update when a change occurs) -> D is correct but E is not correct.

Question 3

The internetwork infrastructure of company XYZ consists of a single OSPF area as shown in the graphic. There is concern that a lack of router resources is impeding internetwork performance.

As part of examining the router resources the OSPF DRs need to be known.

All the router OSPF priorities are at the default and the router IDs are shown with each router.

Which routers are likely to have been elected as DR? (Choose two)

A. Corp-1
B. Corp-2
C. Corp-3
D. Corp4
E. Branch-1
F. Branch-2

Answer: D F

Explanation

There are 2 segments on the topology above which are separated by Corp-3 router. Each segment will have a DR so we have 2 DRs.

To select which router will become DR they will compare their router-IDs. The router with highest (best) router-ID will become DR. The router-ID is chosen in the order below:

+ The highest IP address assigned to a loopback (logical) interface.

+ If a loopback interface is not defined, the highest IP address of all active router’s physical interfaces will be chosen.

In this question, the IP addresses of loopback interfaces are not mentioned so we will consider IP addresses of all active router’s physical interfaces. Router Corp-4 (10.1.40.40) & Branch-2 (10.2.20.20) have highest “active” IP addresses so they will become DRs.

Question 4

A network associate has configured OSPF with the command:
City(config-router)# network 192.168.12.64 0.0.0.63 area 0

After completing the configuration, the associate discovers that not all the interfaces are participating in OSPF.
Which three of the interfaces shown in the exhibit will participate in OSPF according to this configuration statement? (Choose three)

A. FastEthernet0/0
B. FastEthernet0/1
C. Serial0/0
D. Serial0/1.102
E. Serial0/1.103
F. Serial0/1.104

Answer: B C D

Explanation

The “network 192.168.12.64 0.0.0.63″ equals to network 192.168.12.64/26. This network has:
+ Increment: 64 (/26= 1111 1111.1111 1111.1111 1111.1100 0000)
+ Network address: 192.168.12.64
+ Broadcast address: 192.168.12.127
Therefore all interface in the range of this network will join OSPF -> B C D are correct.

Question 5

When running OSPF, what would cause router A not to form an adjacency with router B?

A. The loopback addresses are on different subnets.
B. The values of the dead timers on the routers are different.
C. Route summarization is enabled on both routers.
D. The process identifier on router A is different than the process identifier on router

Answer: B

Explanation

To form an adjacency (become neighbor), router A & B must have the same Hello interval, Dead interval and AREA number.

Question 6

Refer to the exhibit. The network is converged. After link-state advertisements are received from Router_A, what information will Router_E contain in its routing table for the subnets 208.149.23.64 and 208.149.23.96?

A. 208.149.23.64[110/13] via 190.173.23.10, 00:00:00:07, FastEthernet0/0
208.149.23.96[110/13] via 190.173.23.10, 00:00:00:16, FastEthernet0/0

B. 208.149.23.64[110/1] via 190.173.23.10, 00:00:00:07, Serial1/0
208.149.23.96[110/3] via 190.173.23.10, 00:00:00:16, FastEthernet0/0

C. 208.149.23.64[110/13] via 190.173.23.10, 00:00:00:07, Serial1/0
208.149.23.96[110/13] via 190.173.23.10, 00:00:00:16, Serial1/0
208.149.23.96[110/13] via 190.173.23.10, 00:00:00:16, FastEthernet0/0

D. 208.149.23.64[110/13] via 190.173.23.10, 00:00:00:07, Serial1/0
208.149.23.96[110/13] via 190.173.23.10, 00:00:00:16, Serial1/0

Answer: A

Explanation

Router_E learns two subnets subnets 208.149.23.64 and 208.149.23.96 via Router_A through FastEthernet interface. The interface cost is calculated with the formula 10⁸ / Bandwidth. For FastEthernet it is 10⁸ / 100 Mbps = 10⁸ / 10,000,000,000 = 1. Therefore the cost is 12 (learned from Router_A) + 1 = 13 for both subnets -> B is not correct.

The cost through T1 link is much higher than through T3 link (T1 cost = 10⁸ / 1.544 Mbps = 64; T3 cost = 10⁸ / 45 Mbps = 2) so surely OSPF will choose the path through T3 link -> Router_E will choose the path from Router_A through FastEthernet0/0, not Serial1/0 -> C & D are not correct.

In fact, we can quickly eliminate answers B, C and D because they contain at least one subnet learned from Serial1/0 -> they are surely incorrect.

Question 7

Refer to the exhibit. Given the output for this command, if the router ID has not been manually set, what router ID will OSPF use for this RouterD?

RouterD# show ip interface brief

A. 10.1.1.2
B. 10.154.154.1
C. 172.16.5.1
D. 192.168.5.316

Answer: C

Explanation

The highest IP address of all loopback interfaces will be chosen -> Loopback 0 will be chosen as the router ID.

Question 8

Which commands are required to properly configure a router to run OSPF and to add network 192.168.16.0/24 to OSPF area 0? (choose two)

A. Router(config)#router ospf 1
B. Router(config)#router ospf 0
C. Router(config)#router ospf area 0
D. Router(config-router)#network 192.168.16.0 0.0.0.255 area 0
E. Router(config-router)#network 192.168.16.0 0.0.0.255 0
F. Router(config-router)#network 192.168.16.0 255.255.255.0 area 0

Answer: A D

Explanation

In the router ospf

Note: If you are not sure about EIGRP, please read my EIGRP tutorial

Question 1

Refer to the exhibit, when running EIGRP what is required for R1 to exchange routing updates with R3?

A – AS numbers must be changed to match on all the routers
B – Loopback interfaces must be configured so a DR is elected
C – The no auto-summary command is needed on R1 and R3
D – R2 needs to have two network statements, one for each connected network

Answer: A

Question 2:

As a Cisco technician, you need to know EIGRP protocol very well. Which of the following is true about EIGRP successor routes? (Choose two)

A – A successor route is used by EIGRP to forward traffic to a destination
B – Successor routes are stored in the neighbor table following the discovery process
C – Successor routes are flagged as “active” in the routing table
D – A successor route may be backed up by a feasible successor route

Answer: A D

Explanation:

B is not correct because neighbor table only contains a list of directly connected EIGRP routers that have an adjacency with this router, it doesn’t contain successor routes.

C is not correct because successor routes are not flagged as “active”, they are always the best route to reach remote networks and are always used to send packets.

A and D are correct because successor route is the best and primary route to a remote network. It is stored in the routing table and topology table. If this route fails, a backup route (called feasible successor route) in the topology table will be used to route traffic to a destination.

Question 3:

Which two statements are true regarding EIGRP? (Choose two)

A – Passive routes are in the process of being calculated by DUAL
B – EIGRP supports VLSM, route summarization, and routing update authentication
C – EIGRP exchanges full routing table information with neighboring routers with every update
D – If the feasible successor has a higher advertised distance than the successor route, it becomes the primary route
E – A query process is used to discover a replacement for a failed route if a feasible successor is not identified from the current routing information

Answer: B E

Explanation:

Diffusing Update Algorithm (DUAL) is the algorithm for selecting and maintaining the best path to each remote network. DUAL tracks all the routes advertised by neighbors and selects routes based on feasible successors. It inserts lowest cost paths into the routing table (these routes are known as primary routes or successor routes) -> A is not correct.

EIGRP is still a distance-vector protocol, but has certain features that belong to link-state algorithms (like OSPF) than distance-vector algorithms. For example, EIGRP sends a partial routing table update, which includes just routes that have been changed, not the full routing table like distance-vector algorithms -> C is not correct.

The feasible successor route will become the primary route when its advertised distance is lower than the feasible distance of the successor route. The feasible successor route can be used in the event that the successor route goes down. Notice that the feasible successor route does not get installed in the routing table but is kept in the topology table as a backup route -> D is not correct.

“Support VLSM, route summarization, and routing update authentication” are the features of EIGRP -> B is correct.

When a route fails and has no feasible successor, EIGRP uses a distributed algorithm called Diffusing Update Algorithm (DUAL) to discover a replacement for a failed route. When a new route is found, DUAL adds it to the routing table -> E is correct.

Question 1

Which component of VPN technology ensures that data can be read only by its intended recipient?

A. data integrity
B. encryption
C. key exchange
D. authentication

Answer: D

Explanation

First you need to understand what these terms mean:

Data integrity: verifying that the packet was not changed as the packet transited the Internet

Encryption: conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people

Authentication: the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication can take place at both sides, the sender and the receiver.

Key exchange: is any method in cryptography by which cryptographic keys are exchanged between users, allowing use of a cryptographic algorithm.

So in this question we realize that only authentication involves in the end user while others are about processing data -> D is correct.

Question 2

What can be done to secure the virtual terminal interfaces on a router? (Choose two)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

Answer: D E

Explanation

It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> A is not correct.

We can not physically secure a virtual interface because it is “virtual” -> B is not correct.

To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct; E is correct.

The most simple way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login -> D is correct.

Question 3

The enable secret command is used to secure access to which CLI mode?

A. user EXEC mode
B. global configuration mode
C. privileged EXEC mode
D. auxiliary setup mode

Answer: C

Question 4

Which type of attack is characterized by flood of packet that requesting a TCP connection to a server?

A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse

Answer: A

Question 5

Which IPsec security protocol should be used when confidentiality is required?

A. AH
B. MD5
C. PSK
D. ESP

Answer: D

Explanation

IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

ESP can provide the properties authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

AH provides authentication, integrity, and replay protection (but not confidentiality) of the sender.

Question 6

What algorithm technology must be used for ensuring data integrity when dataflow goes over VPN tunnel? (Choose two)

A. RSA
B. DH-1
C. DH-2
D. HMAC-MD5
E. HMAC-SHA1

Answer: D E

Explanation

Data integrity ensures data has not been altered in the transmission. A data-integrity algorithm adds a hash to the message to guarantee the integrity of the message.

A Hashed Message Authentication Code (HMAC) is a data-integrity algorithm that ensures the integrity of the message. Two popular algorithms a VPN gateway uses for verifying integrity of data are HMAC-Message Digest 5 (HMAC-MD5) and HMAC-Secure Hash Algorithm 1 (HMAC-SHA1)

+ HMAC-MD5 uses a 128-bit shared-secret key of any size. The variable-length message and shared-secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and is forwarded to the remote end.

+ HMAC-SHA-1 uses a secret key of any size. The variable-length message and the shared-secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and is forwarded to the remote end.

Diffie-Hellman Group 1 (DH-1) & Diffie-Hellman Group 2 (DH-2) are two encryption algorithms for VPN, not data integrity algorithms.

RSA is also an encryption algorithm, not data integrity algorithm.

(Reference: Implementing Cisco IOS Network Security IINS)

Question 7

What are two security appliances that can be installed in a network? (Choose two)

A. ATM
B. IDS
C. IOS
D. IOX
E. IPS
F. SDM

Answer: B E

Explanation

Intrusion detection system (IDS) and intrusion prevention system (IPS) solutions form an integral part of a robust network defense solution.

IDS monitors network and system activities for malicious activities or policy violations and produces reports to a Management Station.

IPS provides policies and rules for network traffic along with an intrusion detection system for alerting system or network administrators to suspicious traffic, but allows the administrator to provide the action upon being alerted.

The key to differentiating an IDS from an IPS is that an IPS responds immediately and does not allow any malicious traffic to pass, whereas an IDS allows malicious traffic to pass before it can respond.

(Reference: Implementing Cisco IOS Network Security IINS)

Note: Asynchronous Transfer Mode (ATM) is a layer 2 WAN transport protocol. It encodes data into small, fixed-sized cells consisting of 48 bytes of payload and 5 bytes of cell header -> A is not correct

Cisco Router and Security Device Manager (SDM) is a Web-based device-management tool for Cisco routers that can help you configure a router via a web browser -> In general, it only helps simplify the network management, router configuration so it is not a security appliance -> F is not correct.

Question 8

Which device might be installed at a branch office to enable and manage an IPsec site-to-site VPN?

A. Cisco IOS IPsec/SSL VPN client
B. Cisco VPN Client
C. ISDN terminal adapter
D. Cisco Adaptive Security Appliance

Answer: D

Explanation

An example of IPsec site-to-site VPN is your corporation has departments in many countries which need to communicate with each other. A popular solution is site-to-site (LAN-to-LAN) VPN to create private networks through the Internet. But as we know, Internet is not a safe environment for important data to be transferred. That is the reason why we need IPsec, a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session.

Cisco Adaptive Security Appliance (ASA) supports IPsec, that’s all I can say! If you wish to learn more about the configuration, please read http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Question 9

Refer to the exhibit. What is the result of setting the no login command?

A. This is a virtually limitless supply of IP addresses
B. Telnet access requires a new password at first login
C. Telnet access requires a password
D. Telnet access is denied

Answer: No correct answer

Explanation

There is a mistake in this question because this configuration will let someone telnet to that router without the password (so the line “password c1sco” is not necessary).

If we want to deny telnet we can configure like this:

Router(config)#line vty 0 4
Router(config-line)#no password (if the password is set before)
Router(config-line)#login

With this configuration, when someone tries to telnet to this router, a message “Password required, but none set” is displayed.

Question 10

What is the effect of using the service password-encryption command?

A. Only passwords configured after the command has been entered will be encrypted.
B. Only the enable password will be encrypted.
C. Only the enable secret password will be encrypted
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.

Answer: E

Explanation

The secret password (configured by the command “enable secret “) is always encrypted even if the “service password-encryption” command is not used. Moreover, the secret password is not removed from the configuration with this command, we still see it in encrypted form in the running-config -> D is not correct.

The “enable password ” does not encrypt the password and can be viewed in clear text in the running-config. By using the “service password-encryption” command, that password is encrypted (both current and future passwords) -> A is not correct, E is correct.

Answer B – Only the enable password will be encrypted seems to be correct but it implies the secret password will not be encrypted and stay in clear text, which is not correct.

For your information, the secret password is encrypted with MD5 one-way hash algorithm which is harder to break than the encryption algorithm used by the “service password-encryption” command.

Question 11

Which command sets and automatically encrypts the privileged enable mode password?

A. enable password c1sco
B. secret enable c1sco
C. password enable c1sco
D. enable secret c1sco

Answer: D

Question 1

Refer to the exhibit. Which rule does the DHCP server use when there is an IP address conflict?

A. The address is removed from the pool until the conflict is resolved.
B. The address remains in the pool until the conflict is resolved.
C. Only the IP detected by Gratuitous ARP is removed from the pool.
D. Only the IP detected by Ping is removed from the pool.
E. The IP will be shown, even after the conflict is resolved.

Answer: A

Question 2

How dose a DHCP server dynamically assign IP address to host?

A. Addresses are allocated after a negotiation between the server and the host to determine the length of the agreement.
B. Addresses are assigned for a fixed period of time. At the end of period, a new quest for an address must be made, and another address is then assigned.
C. Addresses are leased to host. A host will usually keep the same address by periodically contacting the DHCP sever to renew the lease.
D. Addresses are permanently assigned so that the host uses the same address at all times.

Answer: C

Question 3

Which two tasks does the Dynamic Host Configuration Protocol perform? (Choose two)

A. Set the IP gateway to be used by the network.
B. Perform host discovery used DHCPDISCOVER message.
C. Configure IP address parameters from DHCP server to a host.
D. Provide an easy management of layer 3 devices.
E. Monitor IP performance using the DHCP server.
F. Assign and renew IP address from the default pool.

Answer: C F

Question 4

Which statement is correct regarding the operation of DHCP?

A. A DHCP client uses a ping to detect address conflicts.
B. A DHCP server uses a gratuitous ARP to detect DHCP clients.
C. A DHCP client uses a gratuitous ARP to detect a DHCP server.
D. If an address conflict is detected, the address is removed from the pool and an administrator must resolve the conflict.
E. If an address conflict is detected, the address is removed from the pool for an amount of time configurable by the administrator.
F. If an address conflict is detected, the address is removed from the pool and will not be reused until the server is rebooted.

Answer: D

Explanation

An address conflict occurs when two hosts use the same IP address. During address assignment, DHCP checks for conflicts using ping and gratuitous ARP. If a conflict is detected, the address is removed from the pool. The address will not be assigned until the administrator resolves the conflict.

(Reference: http://www.cisco.com/en/US/docs/ios/12_1/iproute/configuration/guide/1cddhcp.html)

Refer to the exhibit. Using the information shown, answer the question

Question 1:

All hosts in the networks have been operational for several hours when the DHCP server goes down. What happens to the hosts that have obtained service from the DHCP server?

A – The hosts will not be able to communicate with any other hosts.
B – The hosts will continue to communicate normally for a period of time.
C – The hosts will be able to communicate with hosts outsides their own network
D – The hosts will only be able to communicate with other hosts by IP address not by hostname

Answer: B

Explanation:

DHCP often uses dynamic allocation mechanism to save IP addresses, which assigns an IP address to a client for a limited period of time. So when the DHCP server goes down, that client can still use the allocated IP address for a period of time

Question 2:

What is the purpose of the DHCP server?

A – to provide storage for email
B – to translate URLs to IP addresses
C – to translate IPv4 addresses to MAC addresses
D – to provide an IP configuration information to hosts

Answer: D

Explanation:

The main purpose of the DHCP server is to provide IP configuration parameters to hosts such as the default gateway, domain name, Domain Name System (DNS) server…

Question 3:

How is the message sent from a PC2 when is first powers on and attempts to contact the DHCP Server?

A – Layer 3 unicast
B – Layer 3 broadcast
C – Layer 3 multicast
D – Without any Layer 3 encapsulation

Answer: B

Explanation:

When a client boots up for the first time, it transmits a DHCPDISCOVER message on its local physical subnet. Because the client has no way of knowing the subnet to which it belongs, the DHCPDISCOVER is an all-subnets broadcast (destination IP address of 255.255.255.255, which is a layer 3 broadcast address). The client does not have a configured IP address, so the source IP address of 0.0.0.0 is used.

Question 4:

What is the default behavior of R1 when PC1 requests service from DHCP server?

A – Drop the request
B – Broadcast the request to R2 and R3
C – Forward the request to R2
D – Broadcast the request to R2, R3 and ISP

Answer: A

Explanation:

When PC1 requests service from DHCP server (for example, it requests an IP address), it sends a broadcast packet. But R1 router, by default, will not forward broadcast packet and drop it.

For your information, if you want to use the DHCP server from another network (like in this case) you can use the ip helper-address command which will make the router forward UDP broadcasts.

In the real exam you will be taken to a LAB simulation environment but it is, in fact, just a group of 4 multi-choice questions!

Note: If you are not sure about NAT & PAT, please read my NAT tutorial.

Question 1

Refer to the exhibit. What does the (*) represent in the output?

A. Packet is destined for a local interface to the router.
B. Packet was translated, but no response was received from the distant device.
C. Packet was not translated, because no additional ports are available.
D. Packet was translated and fast switched to the destination.

Answer: D

Explanation

The above output is from the “debug ip nat” command. In this output, the first two lines show the Domain Name System (DNS) request and reply debugging output.

In the first line (DNS request):

s=10.10.0.2->1.2.4.2: source of the IP address (10.10.0.2) and how it is being translated (to 1.2.4.2)
d=1.2.4.1: destination address of the packet
[51607]: the IP identification number of the packet

In the second line (DNS reply):

s=1.2.4.1: source of the reply
d=1.2.4.2->10.10.0.2: how the destination is being translated

The remaining lines show debugging output from a Telnet connection from a host on the inside of the network to a host on the outside of the network. All Telnet packets, except for the first packet, were translated in the fast path, as indicated by the asterisk (*).

Note: If the connection is already established, the security appliance does not need to re-check packets and the packets are sent to the Fast Path.

(Reference: http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_i2gt.html)

Question 2

Refer to the exhibit. What command sequence will enable PAT from the inside to outside network?

A. (config)# ip nat pool isp-net 1.2.4.2 netmask 255.255.255.0 overload
B. (config-if)# ip nat outside overload
C. (config)# ip nat inside source list 1 interface ethernet1 overload
D. (config-if)# ip nat inside overload

Answer: C

Explanation

The command “ip nat inside source list 1 interface ethernet1 overload” means:

+ “ip nat”: use NAT
+ “inside”: NAT from inside to outside
+ “source list 1″: the source addresses can be found in access list 1
+ “interface ethernet1″: NAT out of this interface
+ “overload”: use NAT overload (PAT)

Question 3

Refer to the exhibit. A junior network engineer has prepared the exhibited configuration file. What two statements are true of the planned configuration for interface fa0/1? (Choose two)

A. The two FastEthernet interfaces will require NAT configured on two outside serial interfaces.
B. Address translation on fa0/1 is not required for DMZ Devices to access the Internet.
C. The fa0/1 IP address overlaps with the space used by s0/0.
D. The fa0/1 IP address is invalid for the IP subnet on which it resides.
E. Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown.

Answer: B E

Explanation

Both inside FastEthernet interfaces can use only one outside interface to go to the Internet -> A is not correct.

DMZ devices use IP addresses in the range of 128.107.1.128/25 which are public IP addresses so they don’t need address translation to access the Internet -> B is correct.

The fa0/1 interface’s IP address is 128.107.1.254 255.255.255.128 (range from 128.107.1.128 to 128.107.1.255) while the IP address of s0/0 is 128.107.1.1 255.255.255.252 (ranges from 128.107.1.0 to 128.107.1.4) so they are not overlapped with each other -> C is not correct.

DMZ devices are in the range of 128.107.1.128/25 (from 128.107.1.128 to 128.107.1.255) and fa0/1 IP address (128.107.1.254) is a valid IP address on this subnet -> D is not correct.

DMZ devices (and other internal hosts) are using dynamic PAT, which is a type of dynamic NAT. With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. In other words, if DMZ devices communicate with outside hosts first, dynamic translation works fine. But if outside hosts communicate with DMZ devices first, no translation is created in NAT table and the packets will be dropped. This is the reason why “Internet hosts may not initiate connections to DMZ Devices through the configuration that is shown” -> E is correct.

Question 4

Refer to the exhibit. What statement is true of the configuration for this network?

A. The configuration that is shown provides inadequate outside address space for translation of the number of inside addresses that are supported.
B. Because of the addressing on interface FastEthernet0/1, the Serial0/0 interface address will not support the NAT configuration as shown.
C. The number 1 referred to in the ip nat inside source command references access-list number 1.
D. ExternalRouter must be configured with static routers to network 172.16.2.0/24

Answer: C

Explanation

The “list 1″ refers to the access-list number 1.

Question 5

What are two benefits of using NAT? (choose two)

A. NAT protects network security because private networks are not advertised.
B. NAT accelerates the routing process because no modifications are made on the packets.
C. Dynamic NAT facilitates connections from the outside of the network.
D. NAT facilitates end-to-end communication when IPsec is enable.
E. NAT eliminates the need to re-address all host that require external access.
F. NAT conserves addresses through host MAC-level multiplexing.

Answer: A E

Explanation

By not reveal the internal Ip addresses, NAT adds some security to the inside network -> A is correct.

NAT has to modify the source IP addresses in the packets -> B is not correct.

Connection from the outside of the network through a “NAT” network is more difficult than a more network because IP addresses of inside hosts are hidden -> C is not correct.

In order for IPsec to work with NAT we need to allow additional protocols, including Internet Key Exchange (IKE), Encapsulating Security Payload (ESP) and Authentication Header (AH) -> more complex -> D is not correct.

By allocating specific public IP addresses to inside hosts, NAT eliminates the need to re-address the inside hosts -> E is correct.

NAT does conserve addresses but not through host MAC-level multiplexing. It conserves addresses by allowing many private IP addresses to use the same public IP address to go to the Internet -> F is not correct.

Question 6

Which two statements about static NAT translations are true? (choose two)

A. They are always present in the NAT table.
B. They allow connection to be initiated from the outside.
C. They can be configured with access lists, to allow two or more connections to be initiated from the outside.
D. They require no inside or outside interface markings because addresses are statically defined.

Answer: A B

Explanation

With static NAT, translations exist in the NAT translation table as soon as you configure static NAT command(s), and they remain in the translation table until you delete the static NAT command(s).

With dynamic NAT, translations do not exist in the NAT table until the router receives traffic that requires translation. Dynamic translations have a timeout period after which they are purged from the translation table.

-> A is correct.

Because static NAT translations are always present in the NAT table so outside hosts can initiate the connection without being dropped -> B is correct.

Static translations can not be configured with access lists. To configure static NAT, we only need to specify source IP, NAT IP, inside interface & outside interface.

-> C is not correct.

We have to specify which is the inside and outside interface -> D is not correct.

For your information, below is an example of configuring static NAT:

R0(config)#int f0/0
R0(config-if)#ip nat inside

R0(config-if)#int f0/1
R0(config-if)#ip nat outside

R0(config)#ip nat inside source static 10.0.0.1 200.0.0.2

(Reference: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml)

Question 7

Refer to the exhibit. Which statement about packet addresses are true during data exchange when host A makes Web-request to WWW Server, considering that there is NAT overload scheme for data passing from Corp LAN hosts to outside networks in use?

A. Source 234.15.27.226:3015 and destination 234.15.27.225:80
B. Source 200.15.239.128:3015 and destination 192.168.10.34:80
C. Destination 192.168.10.11:3015 and source 200.15.239.128:80
D. Source 192.168.10.34:80 and destination 192.168.10.254:3015
E. Destination 234.15.27.225:3015 and source 200.15.239.128:80

Answer: E

Explanation

From A to Corp router:
+ Source: 192.168.10.34: 3015 & Destination: 200.15.239.128:80
From Corp to WWW Server:
+ Source: 234.15.27.225:3015 & Destination: 200.15.239.128:80
From WWW Server to Corp:
+ Source: 200.15.239.128:80 & Destination: 234.15.27.225:3015
From Corp to Host A:
+ Source: 192.168.10.254:80 & Destination: 192.168.10.34:3015

So the only correct answer is E (from WWW server to Corp)

Question 1:

A dental firm is redesigning the network that connects its three locations. The administrator gave the networking team 192.168.164.0 to use for addressing the entire netwok. After subnetting the address, the team is ready to assign the addresses. The administrator plans to configure ip subnet-zero and use RIP v2 as the routing protocol. As a member of the networking team, you must address the network and at the same time conserver unused addresses for future growth. With those goals in mind, drag the host addresses on the left to the correct router interface. Once of the routers is partially configured. Move your mouse over a router to view its configuration. Not all of the host addresses on the left are necessary.

Answer:

Explanation:

In short, we should start calculating from the biggest network (with 16 hosts) to the smallest one using the formula 2ⁿ – 2 (n is the number of bits we need to borrow).Therefore:

16 hosts < 2⁵ – 2 (we need to borrow 5 bits -> /27)

11 hosts < 2⁴ – 2 (borrow 4 bits -> /28)

5 hosts < 2³ – 2 (borrow 3 bits -> /29)

From the available ip addresses, we see that each of them has only one suitable solution (they are 192.168.164.149/27,192.168.164.166/28 and 192.168.164.178/29)

The smallest network is the Floss S0/0 which only requires 2 hosts = 2² – 2 (need to borrow 2 bits ->/30). There are 2 suitable answers: 192.168.164.189/30 and 192.168.164.188/30 but notice that 192.168.164.188/30 is the network address so we can not use it (because 188 = 4 * 47) -> we have to choose 192.168.164.189 as the correct solution.

In fact, it is not the formal way to solve a VLSM question so I recommend you to review your CCNA book if you haven’t grasped it well yet.

Question 2:

In order to complete a basic switch configuration, drag each switch IOS command on the left to its purpose on the right

Answer:

1) enable

2) configure terminal

3) hostname

4) Interface vlan 1

5) no shutdown

6) ip address

7) ip default-gateway

Question 3:

The Missouri branch office router is connected through its s0 interface to the Alabama Headquarters router s1 interface. The Alabama router has two LANs. Missouri users obtain Internet access through the Headquarters router. The network interfaces in the topology are addressed as follows: Missouri: e0 – 192.168.35.17/28; s0 – 192.168.35.33/28; Alabama: e0 – 192.168.35.49/28; e1 – 192.168.35.65/28; s1 – 192.168.35.34/28. The accounting server has the address of 192.168.35.66/28. Match the access list conditions on the left with the goals on the right. (Not all options on the left are used.)

Answer:

1) deny ip 192.168.35.16 0.0.0.15 host 192.168.35.66

2) deny ip 192.168.35.55 0.0.0.0 host 192.168.35.66

3) permit ip 192.168.35.0 0.0.0.255 host 192.168.35.66

Explanation:

1) The wildcard mask of the command “deny ip 192.168.35.16 0.0.0.15 host 192.16.35.66″ is 0.0.0.15, which is equal to network mask of 255.255.255.240 = /28. So the access list will deny all traffic from network 192.168.35.16/28 from accessing host 192.16.35.66, which is the IP address of accounting server.

2) The command “deny ip 192.168.35.55 0.0.0.0 host 192.168.35.66″ will deny host 192.168.35.55, which is a user and belongs to interface e0 of Alabama router (192.168.35.49/28) from accessing accounting server.

3) Because there is an implicit “deny all” command at the end of each access list so the command “permit ip 192.168.35.0 0.0.0.255 host 192.168.35.66″ will only let network 192.168.35.0/24 access accounting server whilst prevent traffic from other networks.

Question 4:

A host with the address of 192.168.125.34/27 needs to be denied access to all hosts outside its own subnet. To accomplish this, complete the command in brackets, [access-list 100 deny protocol address mask any], by dragging the appropriate options on the left to their correct placeholders on the right.

Answer:

1) ip

2) 192.168.125.34

3) 0.0.0.0

Full command: access-list 100 deny ip 192.168.125.34 0.0.0.0

Question 5:

Drag and drop the network user application to the appropriate description of its primary use (not all options are used)

Answer:

1) web browser

2) instant message

3) e-mail

4) database

5) collaboration

Question 6:

This topology contains 3 routers and 1 switch. Complete the topology.

(Hint: use the given host addresses and Main router information)

To remove a device or connection, drag it away from the topology.

Use information gathered from the Main router to complete the configuration of any additional routers. No passwords are required to access the Main router . The config terminal command has been disabled for the HQ router. The router does not require any configuration.

Configure each additional router with the following

Note: Because routes are not being added to the configurations, you will not be able to ping through the internetwork.

All devices have cable autosensing capabilities disabled.

All hosts are PC’s

Answer:

View full explanation of this question here

Question 1

The left describes OSI layers, while the right provides some terms. Drag the items on the right to the proper locations.

Answer:

Network Layer:

1) IP addresses
2) packets
3) routing

Transport Layer:

1) windowing
2) UDP
3) segments

Question 2

The above describes some categories, while the below provides their corresponding router output lines. Drag the above items to the proper locations.

Answer:

1) Port operational: Serial0/1 is up, line protocol is up
2) Layer 2 problem: Serial0/1 is up, line protocol is down
3) Layer 1 problem: Serial0/1 is down, line protocol is down
4) Port disabled: Serial0/1 is administrator down, line protocol is down

Explanation:

A simple way to find out which layer is having problem is to remember this rule: “the first statement is for Layer 1, the last statement is for Layer 2 and if Layer 1 is down then surely Layer 2 will be down too”, so you have to check Layer 1 before checking Layer 2. For example, from the output “Serial0/1 is up, line protocol is down” we know that it is a layer 2 problem because the first statement (Serial0/1 is up) is good while the last statement (line protocol is down) is bad. For the statement “Serial0/1 is down, line protocol is down”, both layers are down so the problem belongs to Layer 1.

There is only one special case with the statement “…. is administrator down, line protocol is down”. In this case, we know that the port is currently disabled and shut down by the administrators.

Question 3

A user is unable to connect to the Internet. Based on the layered approach to troubleshooting and beginning with the lowest layer. Follow the guide and drag the contents to relevant modules.

Answer:

1) Verify Ethernet cable connection: Step 1
2) Verify NIC operation: Step 2
3) Verify IP configuration: Step 3
4) Verify URL: Step 4

Explanation:

The question asks us to “begin with the lowest layer” so we have to begin with Layer 1: verify physical connection; in this case an Ethernet cable connection. For your information, “verify Ethernet cable connection” means that we check if the type of connection (crossover, straight-through, rollover…) is correct, the RJ45 headers are plugged in, the signal on the cable is acceptable…

Next we “verify NIC operation”. We do this by simply making a ping to the loopback interface 127.0.0.1. If it works then the NIC card (layer 1,2) and TCP/IP stack (layer 3) are working properly.

Verify IP configuration belongs to layer 3. For example, checking if the IP can be assignable for host, the PC’s IP is in the same network with the gateway…

Verifying the URL by typing in your browser some popular websites like google.com, microsoft.com to assure that the far end server is not down (it sometimes make we think we can’t access to the Internet). We are using a URL so this step belongs to layer 7 of the OSI model.

Question 4

The left describes the types of cables, while the right describes the purposes of the cables. Drag the items on the left to the proper locations. (Not all items can be used).

Answer:

1) straight-through: switch access port to router
2) crossover: switch to switch
3) rollover: PC COM port to switch

Explanation:

To remember which type of cable you should use, follow these tips:

- To connect two serial interfaces of 2 routers we use serial cable
– To specify when we use crossover cable or straight-through cable, we should remember:
Group 1: Router, Host, Server
Group 2: Hub, Switch
One device in group 1 + One device in group 2: use straight-through cable
Two devices in the same group: use crossover cable

For example: we use straight-through cable to connect switch to router, switch to host, hub to host, hub to server… and we use crossover cable to connect switch to switch, switch to hub, router to router, host to host… )

Question 5

The left describes the types of switch ports, while the right describes the features. Drag the options on the right to the proper locations.

Answer:

Access Port:

- Carries traffic for a single VLAN
– Uses a straight-through cable to connect a device
– Connects an end-user workstation to a switch

Trunk Port:

- Carries traffic for a multiple VLAN
– Uses 802.1q to identify traffic from different VLANs
– Facilitates interVLAN communications when connected to a Layer 3 device

Question 6

The above describes the Spanning-Tree Protocol port states, while the below describes their functions. Drag the above items to the proper locations.

Answer:

- Learning: populating the MAC address table but not forwarding data frames
– Forwarding: sending and receiving data frames
– Listening: preparing to forward data frames without populating the MAC address table
– Blocking: preventing the use of looped paths

Question 1

Drag the security features on the left to the specific security risks they help protect against on the right. (Not all options are used)

Answer:

1) VTY password: remote access to device console
2) console password: access to the console 0 line
3) access-group: access to connected networks or resources
4) service password-encryption: viewing of passwords
5) enable secret: access to privileged mode

The unselected left-box – CHAP – is used to verify the identity of the peer by means of a three-way handshake.

Question 2

Refer to the exhibit. PC-A is sending packets to the FTP server. Consider the packets as they leave RA interface Fa0/0 forwards RB. Drag the correct frame and packet address to their places in the table.

Answer:

Source MAC: 0000.0C93.9999
Destination MAC: 0000.0C89.3333
Source IP: 172.16.21.7
Destination IP: 172.16.34.250

Explanation

Remember these rules:

The IP addresses (of source and destination) of a packet never change during the transportation through the network. For example if PC-A wants to send a packet to PC-Z then the source and destination IP addresses of the packet will be the IP addresses of PC-A and PC-Z no matter how many devices they go through.

The MAC addresses, conversely, will change while passing the devices. The source MAC address is the address of the last sender and the destination MAC address is the address of the next device.

Question 3

As a network administrator, you are required to configure the network security policy. And the policy requires that only one host be permitted to attach dynamically to each switch interface. If that policy is violated, the interface should shut down. Which two commands must the network administrator configure on the 2950 Catalyst switch to meet this policy? Please choose appropriate commands and drag the items to the proper locations.

Answer:

Appropriate commands:

SW(config-if)# switchport port-security maximum 1
SW(config-if)# switchport port-security violation shutdown

Question 4

The left describes boot sequence, while the right describes the orders. Drag the items on the left to the proper locations.

Answer:

1) Step 1: The power on self test executes.
2) Step 2: The bootstrap loader in ROM executes.
3) Step 3: The IOS is located and loaded based on boot system commands in NVRAM.
4) Step 4: The configuration file is loaded from NVRAM.
5) Step 5: If no configuration file is located, the setup dialog initiates.

Explanation

When a router boots up, it performs a series of steps, called the boot sequence, to test the hardware and load the necessary software. The boot sequence consists of the following steps:

1) Power on self test (POST): tests the hardware to verify that all components of the device are operational and present.
2) The bootstrap loader in ROM executes: The bootstrap loader is a program in ROM that is used to find where a valid Cisco IOS image is located.
3) If a valid Cisco IOS image is located, it is loaded.
4) IOS loads configuration file. Once the IOS image is loaded, it will search for a valid startup configuration in NVRAM.
5) If a valid startup configuration file cannot be found, the router will load the System Configuration Dialog (sometimes called setup mode). This mode allows you to perform the initial configuration of the router.

Question 5

Drag and Drop question. Drag the items to the proper locations.

Routing has been configured on the local router with these commands:
Local(config)# ip route 0.0.0.0 0.0.0.0 192.168.1.1
Local(config)# ip route 10.1.0.0 255.255.255.0 192.168.2.2
Local(config)# ip route 10.1.0.0 255.255.0.0 192.168.3.3

Drag each destination IP address on the top to its correct next hop address at the bottom.

Answer:

Next hop 192.168.1.1:
+ 10.2.1.3
+ 10.6.8.4

Next hop 192.168.2.2:
+ 10.1.0.14
+ 10.1.0.123

Next hop 192.168.3.3:
+ 10.1.1.10
+ 10.1.4.6

Explanation

If we have many entries matching for next hop ip address then the router will choose the one with most specific path to send the packet. This is called the “longest match” rule, the route with the most bits in the mask set to “1″ will be chosen to route packet.

Question 6

If a Cisco router has learned about network 10.1.1.0 from multiple sources, the router will select and install only one entry into the routing table. Indicate the order of preference that the router will use by dragging the routes on the left to the order of preference category on the right.

Answer:

1) First preference: S 10.1.1.0 is directly connected, Serial1
2) Second preference: S 10.1 1.0/24 [1/0] via 10.1.2.2
3) Third preference: D 10.1.1.0/24 [90/2172416] via 10.1.5.5, Serial0
4) Fourth preference: O 10.1.1.0/24 [ 110/789] via 10.1.3.1, Serial0
5) Fifth preference: R 10.1.1.0/24 [120/3] via 10.1.3.1, Senal0

Explanation

Administrative distance is the first criterion that a router uses to determine which routing protocol to use if two protocols provide route information for the same destination. It is a measure of the trustworthiness of the source of the routing information. The smaller the administrative distance value, the more reliable the protocol.

In this question, notice that the destination of all routes is 10.1.1.0/24 so we need to use Administrative distance of each routing protocol to specify the priority of each route. Below lists the Administrative Distance default values of popular routing protocols:

+ Directly connected: 0
+ Static route: 1
+ EIGRP (symbolize by “D”): 90
+ OSPF (symbolize by “O”): 110
+ RIP (symbolize by “R”): 120

Question 1

Drag the function on the left to the matching security appliance or application on the right. (Not all functions are used)

Answer:

1) antispyware: detects software designed to capture sensitive information and removes it from the computer
2) antivirus: prevents known malicious programs from being installed on workstations
3) IDS: identifies malicious network traffic and alerts network personnel
4) firewall: filters traffic based on source and destination IP address or traffic type

Question 2

Drag the Frame Relay acronym on the left to match its definition on the right. (Not all acronyms are used)

Answer:

1) a router is this type of device: DTE
2) the most common type of virtual circuit: PVC
3) provides status messages between DTE and DCE devices: LMI
4) identifies the virtual connection between the DTE and the switch: DLCI

Question 3

The left describes some types of connections while the right describes some types of cables. Drag the items on the left to the proper locations.

Answer:

Explanation:

To specify when we use crossover cable or straight-through cable, we should remember:
Group 1: Router, Host(PC), Server
Group 2: Hub, Switch
One device in group 1 + One device in group 2: use straight-through cable
Two devices in the same group: use crossover cable

For example: we use straight-through cable to connect switch to router, switch to host, hub to host, hub to server… and we use crossover cable to connect switch to switch, switch to hub, router to router, host to host… ).

+ We can connect a modem to router auxiliary port using a rollover cable. Recall that the purpose of the router’s auxiliary port is for connecting to a modem and most Cisco routers have a second port on the back called the auxiliary port. We can use this port in case of a far-away router goes down, the administrator can have someone in the area go to the router, plug in a modem and access to the router remotely (if using the console port, we have to go to the site to work with that router).

+ We can connect a PC serial port to a switch/router console port through the RJ-45 to DB-9 or RJ-45 to DB-25 adapter (at the PC end), depending on the computer.

Question 4

The above provides some descriptions, while the below provides some routing protocols. Drag the above items to the proper locations.

Answer:

Explanation:

Enhanced Interior Gateway Routing Protocol (EIGRP) is a Cisco proprietary routing protocol, so it is vendor-specific. By default, EIGRP internal routes have an administrative distance value of 90.

OSPF uses cost as its metric. By default, the cost of an interface is calculated based on bandwidth with the formula cost= 10000 0000/bandwith (in bps). OSPF elects a DR on each broadcast and nonbroadcast multiaccess networks (like Ethernet and Frame Relay environments, respectively). It doesn’t elect a DR on point-to-point link (like a serial WAN).

Question 5

As a CCNA candidate, you are required to have a firm understanding of the OSI model. At which layers of the OSI model do Wide Area Networks operate in? Please drag the items to the proper locations.

Answer:

Explanation

WAN operates in the two lowest layers which are Data Link and Physical layers.

Question 1

Drag the Cisco default administrative distance to the appropriate routing protocol or route (Not all options are used)

Answer:

+ RIP: 120
+ OSPF: 110
+ static route referencing IP address of next hop: 1
+ internal EIGRP route: 90
+ directly connected network: 0

Question 2

Drag the term on the left to its definition on the right (not all options are used)

Answer:

+ poison reverse: A router learns from its neighbor that a route is down and the router sends an update back to the neighbor with an infinite metric to that route
+ LSA: The packets flooded when a topology change occurs, causing network routers to update their topological databases and recalculate routes
+ split horizon: This prevents sending information about a routeback out the same interface that originally learned about the route
+ holddown timer: For a given period, this causes the router to ignore any updates with poorer metrics to a lost network

Question 3

Drag the description on the left to the correct router mode on the right

Answer:

+ user EXEC mode: limited to basic monitoring commands
+ privileged EXEC mode: provide access to all other router commands
+ global configuration mode: commands that affect the entire system
+ specific configuration mode: commands that affect interfaces/processes only
+ setup mode: interactive configuration dialog

Question 4

Drag each definition on the left to the matching term on the right

Answer:

+ cost: a configurable value based by default on the bandwidth of the interface
+ load: the amount of activity on a network resource
+ bandwidth: the data capacity of a link
+ hop count: the number of point-to-point links in a transmission path
+ reliability: usually refers to the bit error rate of each network link
+ delay: the amount of time required to move a packet from source to destination

Question 1

Which two commands can be used to verify a trunk link configuration status on a Cisco switch? (choose two)

A. show interfaces trunk
B. show interfaces switchport
C. show ip interface brief
D. show interfaces vlan

Answer: A B

Explanation

The “show interfaces trunk” command and “show interfaces switchport” command can be used to verify the status of an interface (trunking or not). The outputs of these commands are shown below (port Ethernet 1/0 has been configured as trunk):

The “show ip interface brief” command only gives us information about the IP address, the status (up/down) of an interface:

The “show interfaces vlan” command only gives us information about that VLAN, not about which ports are the trunk links:

Question 2

Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch.

2950Switch(config-if)#switchport port-security
2950Switch(config-if)#switchport port-security mac-address sticky
2950Switch(config-if)#switchport port-security maximum 1

The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two)

A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

Answer: B D

Explanation

Please read the explanation at http://www.9tut.net/icnd2/icnd2-operations

Question 3

Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU?

A. BackboneFast
B. UplinkFast
C. Root Guard
D. BPDU Guard
E. BPDU Filter

Answer: D

Explanation

We only enable PortFast feature on access ports (ports connected to end stations). But if someone does not know he can accidentally plug that port to another switch and a loop may occur when BPDUs are being transmitted and received on these ports.

With BPDU Guard, when a PortFast receives a BPDU, it will be shut down to prevent a loop -> D is correct.

Question 4

Why will a switch never learn a broadcast address?

A. Broadcast frames are never sent to switches.
B. Broadcast addresses use an incorrect format for the switching table.
C. A broadcast address will never be the source address of a frame.
D. Broadcasts only use network layer addressing.
E. A broadcast frame is never forwarded by a switch.

Answer: C

Question 5

Which three statements accurately describe layer 2 Ethernet switches? (choose three)

A. Microsegmentation decreases the number of collisions on the network.
B. If a switch receives a frame for an unknown destination.it uses ARP to resolve the address.
C. Spanning Tree Protocol allows switches to automatically share vlan information.
D. In a property functioning network with redundant switched paths, each switched segment will contain one root bridge with all its ports in the forwarding state. All other switches in that broadcast domain will have only one root port.
E. Establishing vlans increases the number of broadcast domains.
F. Switches that are configured with vlans make forwarding decisions based on both layer 2 and layer 3 address information.

Answer: A D E

Question 6

Switch ports operating in which two roles will forward traffic according to the IEEE 802.1w standard? (Choose two)

A. alternate
B. backup
C. designated
D. disabled
E. root

Answer: C E

Explanation

IEEE 802.1w is the standard of Rapid Spanning Tree Protocol (RSTP). There are 5 port roles in this standard: Root port, Designated port, Alternative port, Backup port and Disabled port. In these 5 port roles, only Root port and Designated port can forward traffic.

Question 7

Select the action that results from executing these commands:

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky

A. A dynamically learned MAC address is saved in the startup-configuration file.
B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

Answer: B

Explanation

The full syntax of the second command is: