Appendix
Answers to Review Questions

Chapter 1: Network Fundamentals

  1. A. The core layer should be as fast as possible. Never do anything to slow down traffic. This includes making sure you don’t use access lists, perform routing between virtual local area networks, or implement packet filtering.
  2. C. SOHO stands for small office, home office and is a single or small group of users connecting to a switch, with a router providing a connection to the Internet for the small network.
  3. A, C. The access layer provides users, phones, and other devices with access to the internetwork. PoE and switch port security are implemented here.
  4. C. 1000Base-ZX (Cisco standard) is a Cisco-specified standard for Gigabit Ethernet communication. 1000Base-ZX operates on ordinary single-mode fiber-optic links with spans up to 43.5 miles (70 km).
  5. D. A T3, referred to as an S3, comprises 28 DS1s bundled together, or 672 DS0s, for a bandwidth of 44.736 Mbps.
  6. B. Since there is no such thing as layer 2 packets, we wouldn’t be able to do packet inspection with any device on this nonexistent packet type.
  7. C. The IEEE has created a standard for PoE called 802.3af. For PoE+, it’s referred to as 802.3at.
  8. B. In a two-tier design, the goal is to maximize performance and user availability to the network while still allowing for design scalability over time.
  9. C. 10GBase-T is a standard proposed by the IEEE 802.3an committee to provide 10 Gbps connections over conventional UTP cables (category 5e, 6, or 7 cables).
  10. A. In a spine-leaf design, people refer to this as a Top-of-Rack (ToR) design because the switches physically reside at the top of a rack.

Chapter 2: TCP/IP

  1. C. If a DHCP conflict is detected, either by the server sending a ping and getting a response or by a host using a gratuitous ARP (arp’ing for its own IP address and seeing if a host responds), then the server will hold that address and not use it again until it is fixed by an administrator.
  2. B. The Secure Shell (SSH) protocol sets up a secure session that’s similar to Telnet over a standard TCP/IP connection and is employed for doing things like logging into systems, running programs on remote systems, and moving files from one system to another.
  3. C. A host uses something called a gratuitous ARP to help avoid a possible duplicate address. The DHCP client sends an ARP broadcast out on the local LAN or VLAN with its newly assigned address to find out if another host replies, and this helps solve conflicts before they occur.
  4. A, B. The client that sends out a DHCP Discover message in order to receive an IP address sends out a broadcast at both layer 2 and layer 3. The layer 2 broadcast is all Fs in hex, or ff:ff:ff:ff:ff:ff. The layer 3 broadcast is 255.255.255.255, which means any networks and all hosts. DHCP is connectionless, which means it uses User Datagram Protocol (UDP) at the Transport layer, also called the Host-to-Host layer.
  5. B, D, E. SMTP, FTP, and HTTP use TCP.
  6. C. The range of multicast addresses starts with 224.0.0.0 and goes through 239.255.255.255.
  7. C, E. The Class A private address range is 10.0.0.0 through 10.255.255.255. The Class B private address range is 172.16.0.0 through 172.31.255.255, and the Class C private address range is 192.168.0.0 through 192.168.255.255.
  8. B. The four layers of the TCP/IP stack (also called the DoD model) are Application/Process, Host-to-Host (also called Transport on the objectives), Internet, and Network Access/Link. The Host-to-Host layer is equivalent to the Transport layer of the OSI model.
  9. B, C. ICMP is used for diagnostics and destination unreachable messages. ICMP is encapsulated within IP datagrams, and because it is used for diagnostics, it will provide hosts with information about network problems.
  10. C. The range of a Class B network address is 128–191. This makes our binary range 10xxxxxx.

Chapter 3: Easy Subnetting

  1. D. A /27 (255.255.255.224) is 3 bits on and 5 bits off. This provides 8 subnets, each with 30 hosts. Does it matter if this mask is used with a Class A, B, or C network address? Not at all. The number of subnet bits would never change.
  2. D. A 240 mask is 4 subnet bits and provides 16 subnets, each with 14 hosts. We need more subnets, so let’s add subnet bits. One more subnet bit would be a 248 mask. This provides 5 subnet bits (32 subnets) with 3 host bits (6 hosts per subnet). This is the best answer.
  3. C. This is a pretty simple question. A /28 is 255.255.255.240, which means that our block size is 16 in the fourth octet. 0, 16, 32, 48, 64, 80, etc. The host is in the 64 subnet.
  4. F. A CIDR address of /19 is 255.255.224.0. This is a Class B address, so that is only 3 subnet bits, but it provides 13 host bits, or 8 subnets, each with 8,190 hosts.
  5. B, D. The mask 255.255.254.0 (/23) used with a Class A address means that there are 15 subnet bits and 9 host bits. The block size in the third octet is 2 (256 – 254). So this makes the subnets in the interesting octet 0, 2, 4, 6, etc., all the way to 254. The host 10.16.3.65 is in the 2.0 subnet. The next subnet is 4.0, so the broadcast address for the 2.0 subnet is 3.255. The valid host addresses are 2.1 through 3.254.
  6. D. A /30, regardless of the class of address, has a 252 in the fourth octet. This means we have a block size of 4 and our subnets are 0, 4, 8, 12, 16, etc. Address 14 is obviously in the 12 subnet.
  7. D. A point-to-point link uses only two hosts. A /30, or 255.255.255.252, mask provides two hosts per subnet.
  8. C. A /21 is 255.255.248.0, which means we have a block size of 8 in the third octet, so we just count by 8 until we reach 66. The subnet in this question is 64.0. The next subnet is 72.0, so the broadcast address of the 64 subnet is 71.255.
  9. A. A /29 (255.255.255.248), regardless of the class of address, has only 3 host bits. Six is the maximum number of hosts on this LAN, including the router interface.
  10. C. A /29 is 255.255.255.248, which is a block size of 8 in the fourth octet. The subnets are 0, 8, 16, 24, 32, 40, etc. 192.168.19.24 is the 24 subnet, and since 32 is the next subnet, the broadcast address for the 24 subnet is 31. 192.168.19.26 is the only correct answer.

Chapter 4: Troubleshooting IP Addressing

  1. D. A point-to-point link uses only two hosts. A /30, or 255.255.255.252, mask provides two hosts per subnet.
  2. B. With an incorrect gateway, Host A will not be able to communicate with the router or beyond the router but will be able to communicate within the subnet.
  3. A. All steps will work at this point, except pinging the remote computer would fail if any of the other steps fail.
  4. C. When a ping to the local host IP address fails, you can assume the NIC is not functional.
  5. C, D. If a ping to the local host succeeds, you can rule out IP stack or NIC failure.
  6. A. The most likely problem if you can ping a computer by IP address but not by name is a failure of DNS.
  7. D. When you issue the ping command, you are using the ICMP protocol.
  8. B. The traceroute command displays the networks traversed on a path to a network destination.
  9. C. The ping command tests connectivity to another station. The full command output is shown in the question.
  10. C. The /all switch must be added to the ipconfig command on a PC to verify DNS configuration.

Chapter 5: IP Routing

  1. C. The ip route command is used to display the routing table of a router.
  2. B. In the new 15 IOS code, Cisco defines a different route called a local route. Each has a /32 prefix defining a route just for the one address, which is the router’s interface.
  3. A, B. Although option D almost seems right, it is not; the mask option is the mask used on the remote network, not the source network. Since there is no number at the end of the static route, it is using the default administrative distance of 1.
  4. B. This mapping was learned dynamically, which means it was learned through ARP.
  5. B. Hybrid protocols use aspects of both distance vector and link state—for example, EIGRP. Be advised, however, that Cisco typically just calls EIGRP an advanced distance-vector routing protocol.
  6. A. Since the destination MAC address is different at each hop, it must keep changing. The IP address, which is used for the routing process, does not. Do not be misled by the way the question is worded. Yes, I know that MAC addresses are not in a packet. You must read the question to understand what it is really asking.
  7. C. This is how most people see routers, and certainly they could do this type of plain ol’ packet switching in 1990 when Cisco released its very first router and traffic was seriously slow, but not in today’s networks! This process involves looking up every destination in the routing table and finding the exit interface for every packet.
  8. A, C. The S* shows that this is a candidate for default route and that it was configured manually.
  9. B. RIP has an administrative distance (AD) of 120, while OSPF has an administrative distance of 110, so the router will discard any route with a higher AD than 110 to that same network.
  10. D. Recovery from a lost route requires manual intervention by a human to replace the lost route.

Chapter 6: Open Shortest Path First (OSPF)

  1. A, C. The process ID for OSPF on a router is only locally significant, and you can use the same number on each router, or each router can have a different number—it just doesn’t matter. The numbers you can use are from 1 to 65,535. Don’t get this confused with area numbers, which can be from 0 to 4.2 billion.
  2. B. The router ID (RID) is an IP address used to identify the router. It need not and should not match.
  3. A. The administrator typed in the wrong wildcard mask configuration. The wildcard should have been 0.0.0.255 or even 0.255.255.255.
  4. A. A dash (-) in the State column indicates no DR election because they are not required on a point-to-point link such as a serial connection.
  5. D. By default, the administrative distance of OSPF is 110.
  6. A. Hello packets are addressed to multicast address 224.0.0.5.
  7. A. 224.0.0.6 is used on broadcast networks to reach the DR and BDR.
  8. D. The Hello and Dead timers must be set the same on two routers on the same link or they will not form an adjacency (relationship). The default timers for OSPF are 10 seconds for the Hello timer and 40 seconds for the Dead timer.
  9. A. The default OSPF interface priority is 1, and the highest interface priority determines the designated router (DR) for a subnet. The output indicates that the router with a router ID of 192.168.45.2 is currently the backup designated router (BDR) for the segment, which indicates that another router became the DR. It can then be assumed that the DR router has an interface priority higher than 2. (The router serving the DR function is not present in the truncated sample output.)
  10. A. LSA packets are used to update and maintain the topological database.

Chapter 7: Layer 2 Switching

  1. A. Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network Layer header information. They do make use of the Data Link layer information.
  2. A, D. In the output shown, you can see that the port is in Secure-shutdown mode and the light for the port would be amber. To enable the port again, you’d need to do the following:

  • S3(config-if)#shutdown
  • S3(config-if)#no shutdown

  3. B. The switchport port-security command enables port security, which is a prerequisite for the other commands to function.
  4. B. Gateway redundancy is not an issue addressed by STP.
  5. A, C. 
    • Protect—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, no notification action is taken when traffic is dropped.
    • Restrict—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, a syslog message is logged, a Simple Network Management Protocol (SNMP) trap is sent, and a violation counter is incremented when traffic is dropped.
    • Shutdown—This mode is the default violation mode; when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. A Simple Network Management Protocol (SNMP) trap is sent.
  6. C. The IP address is configured under a logical interface, called a management domain or VLAN 1.
  7. B. The show port-security interface command displays the current port security and status of a switch port.
  8. B, D. To limit connections to a specific host, you should configure the MAC address of the host as a static entry associated with the port, although be aware that this host can still connect to any other port but no other port can connect to F0/3 in this example. Another solution would be to configure port security to accept traffic only from the MAC address of the host. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect and by defining violation policies (such as disabling the port) to be enacted if additional hosts try to gain a connection.
  9. D. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect and violation policies (such as disabling the port) if additional hosts try to gain a connection.
  10. D. You would not make the port a trunk. In this example, this switchport is a member of one VLAN. However, you can configure port security on a trunk port, but again, that’s not valid for this question.

Chapter 8: VLANs and Inter-VLAN Routing

  1. D. Here’s a list of ways VLANs simplify network management:
    • Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.
    • A group of users that need an unusually high level of security can be put into its own VLAN so that users outside of the VLAN can’t communicate with them.
    • As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations.
    • VLANs greatly enhance network security if implemented correctly.
    • VLANs increase the number of broadcast domains while decreasing their size.
  2. B. While in all other cases access ports can be a member of only one VLAN, most switches will allow you to add a second VLAN to an access port on a switch port for your voice traffic; it’s called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN, enabling both types of traffic through the same port.
  3. A. Yes, you need to do a no shutdown on the VLAN interface.
  4. C. Unlike ISL, which encapsulates the frame with control information, 802.1q inserts an 802.1q field along with tag control information.
  5. A. With a multilayer switch, by enabling IP routing and creating one logical interface for each VLAN by using the interface vlan number command, you’re now doing inter-VLAN routing on the backplane of the switch!
  6. A. Ports Fa0/15–18 are not present in any VLANs. They are trunk ports.
  7. C. Untagged frames are members of the native VLAN, which by default is VLAN 1.
  8. C. A VLAN is a broadcast domain on a layer 2 switch. You need a separate address space (subnet) for each VLAN. There are four VLANs, so that means four broadcast domains/subnets.
  9. C. Frame tagging is used when VLAN traffic travels over a trunk link. Trunk links carry frames for multiple VLANs. Therefore, frame tags are used for identification of frames from different VLANs.
  10. B. 802.1q uses the native VLAN.

Chapter 9: Enhanced Switched Technologies

  1. B, D. The switch is not the root bridge for VLAN 1 or the output would tell us exactly that. The root bridge for VLAN 1 is off of interface G1/2 with a cost of 4, meaning it is directly connected. Use the command show cdp nei to find your root bridge at this point. Also, the switch is running RSTP (802.1w), not STP.
  2. D. Option A seems like the best answer, and had switches not been configured with the primary and secondary command, then the switch configured with priority 4096 would have been root. However, since the primary and secondary both had a priority of 16384, then the tertiary switch would be a switch with a higher priority in this case.
  3. A, D. It’s important that you can find your root bridge and the show spanning-tree command will help you do this. To quickly find out which VLANs your switch is the root bridge for, use the show spanning-tree summary command.
  4. A. 802.1w is also called Rapid Spanning Tree Protocol. It’s not enabled by default on Cisco switches, but it is a better STP to run because it has all the fixes that the Cisco extensions provide with 802.1d. Remember, Cisco runs RSTP PVST+, not just RSTP.
  5. B. The Spanning Tree Protocol is used to stop switching loops in a layer 2 switched network with redundant paths.
  6. C. Convergence occurs when all ports on bridges and switches have transitioned to either the forwarding or blocking states. No data is forwarded until convergence is complete. Before data can be forwarded again, all devices must be updated.
  7. C, E. There are two types of EtherChannel: Cisco’s PAgP and the IEEE’s LACP. They are basically the same, and there’s little difference to configuring them. For PAgP, use auto or desirable mode, and with LACP use passive or active. These modes decide which method you’re using, and they must be configured the same on both sides of the EtherChannel bundle.
  8. A, B, F. RSTP helps with convergence issues that plague traditional STP. Rapid PVST+ is based on the 802.1w standard in the same way that PVST+ is based on 802.1d. The operation of Rapid PVST+ is simply a separate instance of 802.1w for each VLAN.
  9. D. BPDU Guard is used when a port is configured for PortFast, or it should be used, because if that port receives a BPDU from another switch, BPDU Guard will shut that port down to stop a loop from occurring.
  10. C. To allow for the PVST+ to operate, there’s a field inserted into the BPDU to accommodate the extended system ID so that PVST+ can have a root bridge configured on a per-STP instance. The extended system ID (VLAN ID) is a 12-bit field, and we can even see what this field is carrying via the show spanning-tree command output.

Chapter 10: Access Lists

  1. D. It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
  2. C. The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0, and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.
  3. C. Using a named access list just replaces the number used when applying the list to the router’s interface. ip access-group Blocksales in is correct.
  4. B. The list must specify TCP as the Transport layer protocol and use a correct wildcard mask (in this case 0.0.0.255), and it must specify the destination port (80). It also should specify any as the set of computers allowed to have this access.
  5. A. The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last options have the wrong syntax.
  6. C. Of the available choices, only the show ip interface command will tell you which interfaces have access lists applied. show access-lists will not show you which interfaces have an access list applied.
  7. C. The extended access list ranges are 100–199 and 2000–2699, so the access-list number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination addresses. Only the third option has the correct sequence of parameters. Option B may work, but the question specifically states only to network 192.168.10.0, and the wildcard in option B is too broad.
  8. E. Extended IP access lists use numbers 100–199 and 2000–2699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The other options do not have this, so they would deny access but not allow everything else.
  9. D. First, you must know that a /20 is 255.255.240.0, which is a block size of 16 in the third octet. Counting by 16s, this makes our subnet 48 in the third octet, and the wildcard for the third octet would be 15 since the wildcard is always one less than the block size.
  10. B. To find the wildcard (inverse) version of this mask, the zero and one bits are simply reversed as follows: 11111111.11111111.11111111.11100000 (27 one bits, or /27) 00000000.00000000.00000000.00011111 (wildcard/inverse mask). However, the answer is always one less (-1), and a /27 is a block of 32, so the answer is easily 31 in the fourth octet (no math!).
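An added example, not the book’s own code, that works the subnetting arithmetic from the Chapter 3 answers (block size, subnet, broadcast, host range, subnet and host bits relative to the classful boundary) and the wildcard-mask arithmetic from the Chapter 10 answers in Python. The helper names subnet_info, wildcard_mask and acl_wildcard_for_range are my own; only the standard-library ipaddress module is used.

```python
"""Subnet and ACL wildcard-mask calculator (added example, not from the book)."""
import ipaddress


def classful_prefix(ip: str) -> int:
    """Default (classful) prefix from the first octet: A=/8, B=/16, C=/24."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip} is not a Class A, B or C address")


def subnet_info(host_ip: str, prefix: int) -> dict:
    """Work a subnetting question the way the answer key does.

    Returns the mask, the 'interesting' octet (1-based), the block size in
    that octet, subnet and broadcast addresses, first/last valid host, and the
    subnet/host bit counts relative to the classful boundary.
    Only /8 .. /30 are handled, which covers the review questions.
    """
    if not 8 <= prefix <= 30:
        raise ValueError("prefix must be between /8 and /30")
    net = ipaddress.ip_network(f"{host_ip}/{prefix}", strict=False)
    mask_octets = [int(o) for o in str(net.netmask).split(".")]
    # The interesting octet is the first whose mask value is not 255;
    # the block size there is 256 minus the mask value (e.g. 256 - 254 = 2).
    interesting = next(i for i, o in enumerate(mask_octets) if o != 255)
    block_size = 256 - mask_octets[interesting]
    hosts = list(net.hosts())
    subnet_bits = prefix - classful_prefix(host_ip)
    return {
        "mask": str(net.netmask),
        "interesting_octet": interesting + 1,
        "block_size": block_size,
        "subnet": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "subnet_bits": subnet_bits,
        "subnets": 2 ** subnet_bits,
        "host_bits": 32 - prefix,
        "hosts_per_subnet": 2 ** (32 - prefix) - 2,
    }


def wildcard_mask(prefix: int) -> str:
    """Inverse (wildcard) mask for an ACL: every subnet-mask bit flipped.

    Matches the answer key's shortcut: in the interesting octet the wildcard
    is the block size minus one (a /27 block of 32 gives 31).
    """
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def acl_wildcard_for_range(first_net: str, last_net: str) -> tuple:
    """Summary network and wildcard covering a contiguous run of /24 networks.

    E.g. 192.168.160.0 through 192.168.191.0 (32 networks) summarises to
    192.168.160.0/19, whose wildcard is 0.0.31.255. Raises if the range is not
    one aligned block, because a single ACL line could not match it exactly.
    """
    start = ipaddress.IPv4Address(first_net)
    end = ipaddress.IPv4Address(last_net) + 255  # broadcast of the last /24
    summaries = list(ipaddress.summarize_address_range(start, end))
    if len(summaries) != 1:
        raise ValueError("range is not a single aligned block")
    net = summaries[0]
    return str(net.network_address), str(net.hostmask)


if __name__ == "__main__":
    # Chapter 3, question 5: 10.16.3.65 with 255.255.254.0
    print(subnet_info("10.16.3.65", 23))
    # Chapter 10, question 2: 192.168.160.0 - 192.168.191.0
    print(acl_wildcard_for_range("192.168.160.0", "192.168.191.0"))
    print(wildcard_mask(20))  # /20 -> 0.0.15.255
```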

Chapter 11: Network Address Translation (NAT)

  1. A, C, E. NAT is not perfect and can cause some issues in some networks. In most networks, it works just fine. NAT can cause delays and troubleshooting problems, and some applications just won’t work with it.
  2. B, D, F. NAT is not perfect, but there are some advantages. It conserves global addresses, allowing us to add millions of hosts to the Internet without “real” IP addresses. This provides flexibility in our corporate networks. NAT can also allow you to use the same subnet more than once in the same network without overlapping networks.
  3. C. The command debug ip nat will show you in real time the translations occurring on your router.
  4. A. The command show ip nat translations will show you the translation table containing all the active NAT entries.
  5. D. The command clear ip nat translations * will clear all the active NAT entries in your translation table.
  6. B. The show ip nat statistics command displays a summary of the NAT configuration as well as counts of active translation types, hits to an existing mapping, misses (an attempt to create a mapping), and expired translations.
  7. B. The command ip nat pool name creates the address pool that hosts can use to get onto the global Internet. What makes option B correct is that the range 171.16.10.65 through 171.16.10.94 includes 30 hosts, but the mask has to match 30 hosts as well, and that mask is 255.255.255.224. Option C is wrong because there is a lowercase t in the pool name. Pool names are case sensitive.
  8. A, C, E. You can configure NAT three ways on a Cisco router: static, dynamic, and NAT Overload (PAT).
  9. B. Instead of the netmask command, you can use the prefix-length length statement.
  10. C. In order for NAT to provide translation services, you must have ip nat inside and ip nat outside configured on your router’s interfaces.

Chapter 12: IP Services

  1. B. You can enter the ACL directly in the SNMP configuration to provide security, using either a number or a name.
  2. A, D. With a read-only community string, no changes can be made to the router. However, SNMPv2c can use GETBULK to create and return multiple requests at once.
  3. C, D. SNMPv2c introduced the GETBULK and INFORM SNMP messages but didn’t offer any more security than SNMPv1. SNMPv3 uses TCP and provides encryption and authentication.
  4. C. This command can be run on both routers and switches, and it displays detailed information about each device connected to the device you’re running the command on, including the IP address.
  5. C. The Port ID column describes the interfaces on the remote device end of the connection.
  6. B. Syslog levels range from 0–7, and level 7 (known as Debugging or local7) is the default if you were to use the logging ip_address command from global config.
  7. D. By default, Cisco IOS devices use facility local7. Moreover, most Cisco devices provide options to change the facility level from their default value.
  8. C, D, F. There are significantly more syslog messages available within IOS as compared to SNMP Trap messages. System logging is a method of collecting messages from devices to a server running a syslog daemon. Logging to a central syslog server helps in aggregation of logs and alerts.
  9. D. To enable a device to be an NTP client, use the ntp server IP_address version number command at global configuration mode. That’s all there is to it! Assuming your NTP server is working, of course.
  10. B, D, F. If you specify a level with the logging trap level command, that level and all the higher levels will be logged. For example, when you use the logging trap 3 command, emergencies, alerts, critical, and error messages will be logged. Only three of these were listed as possible options.
  11. C, D. To configure SSH on your router, you need to set the username command, the IP domain name, login local, transport input ssh under the VTY lines and the crypto key command. SSH version 2 is suggested but not required.

Chapter 13: Security

  1. D. To enable the AAA commands on a router or switch, use the global configuration command aaa new-model.
  2. A, C. To mitigate access layer threats, use port security, DHCP snooping, dynamic ARP inspection, and identity-based networking.
  3. C, D. The key words in the question are “not true.” DHCP snooping validates DHCP messages, builds and maintains the DHCP snooping binding database, and rate-limits DHCP traffic from trusted and untrusted sources.
  4. A, D. TACACS+ uses TCP, is Cisco proprietary, and offers multiprotocol support as well as separated AAA services.
  5. B. Unlike TACACS+, which separates AAA services, this is not an option when configuring RADIUS.
  6. D. The correct answer is option D. Take your newly created RADIUS group and use it for authentication and be sure to use the keyword local at the end.
  7. B. DAI, used with DHCP snooping, tracks IP-to-MAC bindings from DHCP transactions to protect against ARP poisoning. DHCP snooping is required in order to build the MAC-to-IP bindings for DAI validation.
  8. A, D, E. There are three roles: The client, also referred to as a supplicant, is software that runs on a client that is 802.1x compliant. The authenticator is typically a switch that controls physical access to the network and is a proxy between the client and the authentication server. The authentication server (RADIUS) authenticates each client before making any services available.
  9. B. MFA, biometrics, and certificates are all password alternatives.
  10. A. A security program that is backed by a security policy is one of the best ways to maintain a secure posture at all times. This program should cover many elements, but three are key: user awareness, training, and physical security.
  11. C, E, F. There are many problems with the IP stack, especially in Microsoft products. Session replaying is a weakness that is found in TCP. Both SNMP and SMTP are listed by Cisco as inherently insecure protocols in the TCP/IP stack.
  12. B. The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.
  13. B, E, G. By using the Cisco Lock and Key along with CHAP and TACACS, you can create a more secure network and help stop unauthorized access.
  14. C. Network snooping and packet sniffing are common terms for eavesdropping.
  15. C. IP spoofing is fairly easy to stop once you understand the way spoofing takes place. An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted computer by using an IP address that is within the range of IP addresses for your network. The attacker wants to steal an IP address from a trusted source so it can use this to gain access to network resources.

Chapter 14: First Hop Redundancy Protocol (HSRP)

  1. C. By setting a higher number than the default on a router, that router would become the active router. Setting preempt would assure that if the active router went down, it would become the active router again when it came back up.
  2. C. The idea of a first hop redundancy protocol is to provide redundancy for a default gateway.
  3. A, B. A router interface can be in many states with HSRP, and Established and Idle are not HSRP states.
  4. A. Only option D has the correct sequence to enable HSRP on an interface.
  5. D. This is a question that I used in a lot of job interviews on prospects. Show standby is your friend when dealing with HSRP.
  6. D. There’s nothing wrong with leaving the priorities at the defaults of 100. The first router up will be the active router.
  7. C. In version 1, HSRP messages are sent to the multicast IP address 224.0.0.2 and UDP port 1985. HSRP version 2 uses the multicast IP address 224.0.0.102 and UDP port 1985.
  8. B, C. If HSRP1 is configured to preempt, then it will become active because of the higher priority. If not, HSRP2 will remain the active router.
  9. C. In version 1, HSRP messages are sent to the multicast IP address 224.0.0.2 and UDP port 1985. HSRP version 2 uses the multicast IP address 224.0.0.102 and UDP port 1985.

Chapter 15: Virtual Private Networks (VPNs)

  1. A, D. GRE tunnels have the following characteristics: GRE uses a protocol-type field in the GRE header so any layer 3 protocol can be used through the tunnel, GRE is stateless and has no flow control, GRE offers no security, and GRE creates additional overhead for tunneled packets—at least 24 bytes.
  2. C. If you receive this flapping message when you configure your GRE tunnel, it means you used your tunnel interface address instead of the tunnel destination address.
  3. D. The show running-config interface tunnel 0 command will show you the configuration of the interface, not the status of the tunnel.
  4. C. The show interfaces tunnel 0 command shows the configuration settings and the interface status as well as the IP address and tunnel source and destination address.
  5. B. All web browsers support Secure Sockets Layer (SSL), and SSL VPNs are known as Web VPNs. Remote users can use their browser to create an encrypted connection and they don’t need to install any software. GRE doesn’t encrypt the data.
  6. A, C, E. VPNs can provide good security by using advanced encryption and authentication protocols, which help protect your network from unauthorized access. By connecting the corporate remote offices to their closest Internet provider and then creating a VPN tunnel with encryption and authentication, you’ll gain a huge savings over opting for traditional leased point-to-point lines. VPNs scale very well to quickly bring up new offices or have mobile users connect securely while traveling or when connecting from home. VPNs are very compatible with broadband technologies.
  7. A, D. Internet providers who have an existing layer 2 network may choose to use layer 2 VPNs instead of the other common layer 3 MPLS VPN. Virtual Private LAN Service (VPLS) and Virtual Private Wire Service (VPWS) are two technologies that provide layer 2 MPLS VPNs.
  8. D. IPsec is an industry-wide standard suite of protocols and algorithms that allows for secure data transmission over an IP-based network and functions at layer 3, the Network layer of the OSI model.
  9. C. A VPN allows or describes the creation of private networks across the Internet, enabling privacy and tunneling of TCP/IP protocols. A VPN can be set up across any type of link.
  10. B, C. Layer 2 MPLS VPNs and the more popular Layer 3 MPLS VPN are services provided to customers and managed by the provider.

Chapter 16: Quality of Service (QoS)

  1. B. Dropping every packet that arrives once a queue is already full is called tail drop. Selectively dropping packets while the queues are filling up is called congestion avoidance (CA). Cisco uses weighted random early detection (WRED) as a CA scheme: it monitors the average queue depth and performs early discards (drops) on random packets once the minimum defined queue threshold is exceeded.
  2. B, D, E. Voice traffic is real-time traffic requiring consistent, predictable bandwidth and packet arrival times. One-way requirements include latency < 150 ms, jitter < 30 ms, and loss < 1%. Bandwidth needs to be 30 to 128 Kbps.
  3. C. A trust boundary is where packets are classified and marked. IP phones and the boundary between the ISP and enterprise network are common examples of trust boundaries.
  4. A. NBAR is a layer 4 to layer 7 deep-packet inspection classifier. It is more CPU intensive than classifying on existing markings, addresses, or ACLs.
  5. C. DSCP is a set of 6-bit values carried in the upper six bits of the layer 3 IPv4 ToS byte. IP precedence (the upper three bits of the same byte) is the old way to mark ToS; DSCP is the new way and is backward compatible with IP precedence.
  6. D. Class of service (CoS) is a term used to describe designated fields in a frame or packet header. How devices treat packets in your network depends on the field values. CoS is usually used with Ethernet frames and contains 3 bits.
  7. C. When traffic exceeds the allocated rate, the policer can take one of two actions: It can either drop traffic or re-mark it to another class of service. The new class usually has a higher drop probability.
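
The WRED behaviour from question 1 and the DSCP/IP precedence relationship from question 5, worked as an added example that is not from the book. The thresholds, mark probability denominator and queue depths are assumed values chosen for the demonstration:

```python
# Added example (not from the book): WRED drop probability as Cisco describes it
# (no drops below the minimum threshold, random early drops between the minimum
# and maximum thresholds, tail drop above the maximum), plus the DSCP / IP
# precedence relationship in the IPv4 ToS byte. Threshold values are assumed.
import random


def wred_drop_probability(avg_depth, min_th, max_th, mark_prob_denominator):
    """Probability that an arriving packet is dropped at this average queue depth.

    Below min_th nothing is dropped. Between min_th and max_th the probability
    rises linearly from 0 to 1/mark_prob_denominator. Above max_th every packet
    is dropped, which is exactly tail drop.
    """
    if max_th <= min_th or mark_prob_denominator < 1:
        raise ValueError("need min_th < max_th and mark_prob_denominator >= 1")
    if avg_depth <= min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    max_p = 1.0 / mark_prob_denominator
    return max_p * (avg_depth - min_th) / (max_th - min_th)


def simulate_arrivals(depths, min_th, max_th, mark_prob_denominator, seed=1):
    """Decide drop/keep for each arrival; seeded so a run is reproducible."""
    rng = random.Random(seed)
    decisions = []
    for depth in depths:
        p = wred_drop_probability(depth, min_th, max_th, mark_prob_denominator)
        decisions.append(rng.random() < p)
    return decisions


# DSCP lives in the upper 6 bits of the ToS byte; the lower 2 bits are ECN.
# IP precedence is the upper 3 bits, so any DSCP value maps to a precedence.
DSCP = {"default": 0, "CS1": 8, "AF11": 10, "AF21": 18, "AF31": 26, "CS4": 32,
        "AF41": 34, "EF": 46, "CS6": 48}


def dscp_to_tos_byte(dscp):
    """ToS byte with the DSCP in the top six bits and ECN bits cleared."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def tos_byte_to_dscp(tos):
    return (tos & 0xFF) >> 2


def dscp_to_precedence(dscp):
    """Backward compatibility: a legacy device reads only the top 3 bits."""
    return dscp >> 3


if __name__ == "__main__":
    for d in (10, 25, 35, 45):
        print("depth", d, "drop probability", round(wred_drop_probability(d, 20, 40, 10), 3))
    for name, v in DSCP.items():
        print(name, v, hex(dscp_to_tos_byte(v)), "precedence", dscp_to_precedence(v))
```

Note that EF (46) lands on precedence 5 and AF31 (26) on precedence 3, which is why a router that only understands IP precedence still treats DSCP-marked traffic sensibly.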

Chapter 17: Internet Protocol Version 6 (IPv6)

  1. D. The modified EUI-64 format interface identifier is derived from the 48-bit link-layer (MAC) address by inserting the hexadecimal number FFFE between the upper 3 bytes (OUI field) and the lower 3 bytes (serial number) of the link-layer address and then inverting the universal/local bit (the second-lowest bit of the first byte).
  2. D. An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by colons (:). Option A has two double colons, B doesn’t have 8 fields, and option C has invalid hex characters.
  3. A, B, C. This question is easier to answer if you just take out the wrong options. First, the loopback is only ::1, so that makes option D wrong. Link local is FE80::/10, not /8, and there are no broadcasts.
  4. A, C, D. Several methods are used in terms of migration, including tunneling, translators, and dual-stack. Tunnels are used to carry one protocol inside another, while translators simply translate IPv6 packets into IPv4 packets. Dual-stack uses a combination of both native IPv4 and IPv6. With dual-stack, devices are able to run IPv4 and IPv6 together, and if IPv6 communication is possible, that is the preferred protocol. Hosts can simultaneously reach IPv4 and IPv6 content.
  5. A, B. ICMPv6 router advertisements use ICMPv6 type 134, and for stateless address autoconfiguration the advertised prefix must be 64 bits long, because the host appends a 64-bit interface identifier to it.
  6. B, E, F. Anycast addresses identify multiple interfaces, which is somewhat similar to multicast addresses; however, the big difference is that the anycast packet is only delivered to one address, the first one it finds defined in terms of routing distance. This address can also be called one-to-one-of-many, or one-to-nearest.
  7. C. The loopback address with IPv4 is 127.0.0.1. With IPv6, that address is ::1.
  8. B, C, E. An important feature of IPv6 is that it allows the plug-and-play option to the network devices by allowing them to configure themselves independently. It is possible to plug a node into an IPv6 network without requiring any human intervention. IPv6 does not implement traditional IP broadcasts.
  9. A, D. The loopback address is ::1, link-local starts with FE80::/10, site-local addresses (now deprecated) start with FEC0::/10, global addresses start with 2000::/3, and multicast addresses start with FF00::/8.
  10. C. A router solicitation is sent out using the all-routers multicast address of FF02::2. The router can send a router advertisement to all hosts using the FF02::1 multicast address.
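
The EUI-64 derivation from question 1, the address-format rules from question 2 and the address ranges from question 9, worked as an added example that is not from the book. The MAC address and the addresses used are constructed sample values:

```python
# Added example (not from the book): derive a modified EUI-64 interface ID and
# a link-local address from a MAC, validate IPv6 text, and classify an address
# into the ranges listed in the answers above. The MAC values are made up.
import ipaddress


def eui64_interface_id(mac):
    """Return the 64-bit interface identifier as four hextets.

    Steps: split the 48-bit MAC into OUI and serial halves, insert 0xFFFE
    between them, then flip the universal/local bit (mask 0x02 of the first
    byte) as RFC 4291 requires. Accepts 00:0c:..., 00-0c-... and 000c.29ab.cdef.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # U/L bit: 0 in a burned-in MAC becomes 1 in the IID
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """FE80::/64 plus the EUI-64 identifier, in compressed form."""
    return ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac)).compressed


def is_valid_ipv6(text):
    """Eight 16-bit hex groups, at most one '::', hex digits only."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:  # two '::', wrong field count, non-hex characters
        return False


RANGES = [  # checked in order; first match wins
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("site-local (deprecated)", ipaddress.IPv6Network("fec0::/10")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
]


def classify(text):
    """Name the range an address belongs to, or 'other'."""
    addr = ipaddress.IPv6Address(text)
    for name, net in RANGES:
        if addr in net:
            return name
    return "other"


if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"  # constructed
    print(mac, "->", eui64_interface_id(mac), "->", link_local_from_mac(mac))
    for a in ("::1", "fe80::1", "fec0::1", "ff02::2", "2001:db8::1"):
        print(a, classify(a))
```

Because the EUI-64 identifier embeds the MAC, an address built this way reveals the hardware vendor and a stable host identifier to every peer; privacy extensions (RFC 4941) exist precisely to avoid that, which is worth remembering when you see EUI-64 addresses on a network you are assessing.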

Chapter 18: Troubleshooting IP, IPv6, and VLANs

  1. D. Positive confirmation has been received confirming that the path to the neighbor is functioning correctly. REACH is good!
  2. B. The most common cause of interface errors is a mismatched duplex mode between two ends of an Ethernet link. If they have mismatched duplex settings, you’ll receive a legion of errors, which cause ugly slow performance issues, intermittent connectivity, and massive collisions—even total loss of communication!
  3. D. You can verify the DTP status of an interface with the show dtp interface <interface> command.
  4. A. No DTP frames are generated from the interface. Nonegotiate can be used only if the neighbor interface is manually set as trunk or access.
  5. D. The command show ipv6 neighbors displays the IPv6 neighbor cache on a router, the IPv6 counterpart of the IPv4 ARP cache (IPv6 uses Neighbor Discovery rather than ARP).
  6. B. The state is STALE when the interface has not communicated within the neighbor-reachable time frame. The next time the neighbor communicates, the state will change back to REACH.
  7. B. The host has no IPv6 default gateway. The gateway will be the link-local address of the router interface, sent to the host in a router advertisement. Until this host receives the router address, it can communicate with IPv6 only on the local subnet.
  8. D. This host is using IPv4 to communicate on the network, and without an IPv6 global address it can reach remote networks only with IPv4. However, its IPv4 address and default gateway are not in the same subnet, so the gateway is unreachable and remote networks cannot be reached at all.
  9. B, C. The commands show interfaces trunk and show interfaces <interface> switchport show you the status of ports, which includes native VLAN information.
  10. A. Most Cisco switches ship with a default port mode of dynamic auto, meaning that they will automatically trunk if they connect to a port that is set to on (trunk) or dynamic desirable. Remember that not all switches ship as mode auto, but many do, and you need to set one side to either on or desirable in order to trunk between switches.

Chapter 19: Wireless Technologies

  1. B. WPA3 Enterprise uses GCMP-256 for encryption (in its 192-bit security mode), WPA2 uses AES-CCMP for encryption, and WPA uses TKIP.
  2. C. The IEEE 802.11b and IEEE 802.11g standards both run in the 2.4 GHz RF range.
  3. D. The IEEE 802.11a standard runs in the 5 GHz RF range.
  4. C. The IEEE 802.11b and IEEE 802.11g standards both run in the 2.4 GHz RF range.
  5. C. The minimum parameter configured on an AP for a simple WLAN installation is the SSID, although you should set the channel and authentication method as well.
  6. A. WPA3 Enterprise uses GCMP-256 for encryption (in its 192-bit security mode), WPA2 uses AES-CCMP for encryption, and WPA uses TKIP.
  7. A. The IEEE 802.11b standard provides three non-overlapping channels in the 2.4 GHz band (channels 1, 6, and 11 in North America).
  8. C. WPA3 is resistant to offline dictionary attacks, in which an attacker tries to determine a network password by testing possible passwords without further network interaction. WPA3-Personal's Simultaneous Authentication of Equals (SAE) handshake gives a passive listener nothing to test guesses against.
  9. D. The IEEE 802.11a standard provides a maximum data rate of up to 54 Mbps.
  10. D. The IEEE 802.11g standard provides a maximum data rate of up to 54 Mbps.
  11. B. The IEEE 802.11b standard provides a maximum data rate of up to 11 Mbps.
  12. C. In WPA3, 802.11 "open" authentication is replaced by Opportunistic Wireless Encryption (OWE), which encrypts traffic on a network that has no password. OWE is an enhancement, not a mandatory certified setting.
  13. D. Although this question is cryptic at best, the only possible answer is option D. If the SSID is not being broadcast (which we must assume in this question), the client must be configured with the correct SSID in order to associate to the AP.
  14. B, E. WPA uses Temporal Key Integrity Protocol (TKIP), which includes both broadcast key rotation (dynamic keys that change) and sequencing of frames.
  15. A, D. Both WEP and TKIP (WPA) use the RC4 algorithm. It is advised to use WPA2, which uses AES-CCMP encryption, or WPA3 when it is available to you.
  16. C. Two wireless hosts directly connected wirelessly is no different than two hosts connecting with a crossover cable. They are both ad hoc networks, but in wireless, we call this an Independent Basic Service Set (IBSS).
  17. A, C. WPA, although using the same RC4 encryption that WEP uses, provides enhancements to the WEP protocol by using dynamic keys that change constantly as well as providing a Pre-Shared Key method of authentication.
  18. B. To create an Extended Service Set (ESS), you need to overlap the wireless BSA from each AP by at least 15 percent in order to not have a gap in coverage so users do not lose their connection when roaming between APs.
  19. A. Extended service set ID means that you have more than one access point and they all are set to the same SSID and all are connected together in the same VLAN or distribution system so users can roam.
  20. A, B, D. The three basic parameters to configure when setting up an access point are the SSID, the RF channel, and the authentication method.
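
Why the offline dictionary attack of question 8 works against WPA2-PSK, and what SAE takes away, as an added example that is not from the book. A WPA2 passphrase is turned into the PMK by PBKDF2-HMAC-SHA1 over the SSID, the PTK (whose first 16 bytes are the KCK) by the 802.11i PRF over the PMK, MAC addresses and nonces, and the handshake MIC by HMAC-SHA1 under the KCK; all of those inputs sit in one captured 4-way handshake. The SSID, MAC addresses, nonces, EAPOL bytes, word list and true passphrase below are constructed for the demonstration:

```python
# Added example, not from the book: why a WPA2-PSK handshake can be attacked
# offline. The PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes),
# the PTK comes from a PRF over PMK, MACs and nonces, and the handshake MIC is
# HMAC-SHA1(KCK, EAPOL frame) truncated to 16 bytes. Everything an attacker
# needs to check a guess is in one captured 4-way handshake. The SSID, MACs,
# nonces, EAPOL frame bytes and word list below are constructed sample data.
import hashlib
import hmac


def wpa2_pmk(passphrase, ssid):
    """802.11i PSK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label.encode() + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """First 16 bytes of the PTK: the key confirmation key that signs EAPOL MICs."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, "Pairwise key expansion", data)[:16]


def eapol_mic(key_conf_key, eapol_frame_mic_zeroed):
    """WPA2/CCMP key descriptor: HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(key_conf_key, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


# A constructed "capture": what a passive listener near the AP would record
# from message 2 of the 4-way handshake (MIC field already zeroed in the frame).
CAPTURE = {
    "ssid": "CorpWiFi",
    "ap_mac": bytes.fromhex("001122334455"),
    "sta_mac": bytes.fromhex("66778899aabb"),
    "anonce": hashlib.sha256(b"anonce-sample").digest(),
    "snonce": hashlib.sha256(b"snonce-sample").digest(),
    "eapol": bytes.fromhex("0103007502010a00") + bytes(109),
}
_TRUE_PASSPHRASE = "blueberry9"  # only used to fabricate the captured MIC
CAPTURE["mic"] = eapol_mic(
    kck(wpa2_pmk(_TRUE_PASSPHRASE, CAPTURE["ssid"]), CAPTURE["ap_mac"],
        CAPTURE["sta_mac"], CAPTURE["anonce"], CAPTURE["snonce"]),
    CAPTURE["eapol"],
)


def offline_dictionary_attack(capture, wordlist):
    """Test each candidate against the captured MIC with no frames sent at all.

    This is the attack WPA3-Personal's SAE removes: with SAE the PMK comes from
    an interactive Dragonfly exchange, so a capture gives nothing to test
    guesses against and each guess costs a live exchange with the AP.
    """
    for guess in wordlist:
        if not 8 <= len(guess) <= 63:  # WPA passphrase length rule
            continue
        key_conf = kck(wpa2_pmk(guess, capture["ssid"]), capture["ap_mac"],
                       capture["sta_mac"], capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(key_conf, capture["eapol"]), capture["mic"]):
            return guess
    return None


if __name__ == "__main__":
    print(offline_dictionary_attack(CAPTURE, ["password", "letmein1", "blueberry9"]))
```

The 4096 PBKDF2 rounds are the only thing slowing the guesser down, and they run on the attacker's hardware at the attacker's pace; that is why passphrase strength is the whole defence for WPA2-PSK and why the exam answer points at WPA3.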

Chapter 20: Configuring Wireless Technologies

  1. B. Windows 10 CMD uses ipconfig to display IP information. Get-NetIPAddress is a PowerShell command and won’t work in the cmd prompt.
  2. A, C, D. The three things the service port (SP) needs are as follows: (1) the switch port must be an access port because VLAN tagging is not supported, (2) you need to add static routes to the network from which you are managing the WLC, and (3) the SP interface must be connected to a switch.
  3. E. For the DNS method, you need to create an A record for CISCO-CAPWAP-CONTROLLER that points to the WLC management IP.
  4. D. WLANs default to silver queue, which effectively means no QoS is being utilized.
  5. A. WLC’s gold queue is also known as the video queue.
  6. C. The best solution is to use the interface group to extend the amount of IP addresses available to the WLAN. Creating a new WLAN would be a burden to the employees and would only confuse them. Adding more APs won’t help the issue since we need more IP addresses, and the session timeout won’t free up IP addresses.
  7. B, C, E. LAGs on a WLC are fairly restrictive. All interfaces must be part of the bundle, channel-group # mode on must be used because LACP or PAGP isn’t supported, and the WLC must be rebooted for the LAG to be enabled.
  8. B, C, D. Autonomous access points (AAPs) are less desirable than lightweight because they are managed independently, which means that security policies must be manually adjusted. Since there is no central controller, AAPs can’t see the bigger picture when making decisions, and CAPWAP isn’t supported on AAPs since there’s no controller to tunnel to.
  9. B. TACACS+ is better suited for device administration, so it’s used to control management user access to the WLC.
  10. E. TACACS+ uses port TCP 49 for all operations.
  11. C. RADIUS uses UDP 1812 for authentication.
  12. A. RADIUS uses UDP 1645 for authentication on legacy servers.
  13. B. The virtual interface is used to redirect client traffic to the WLC.
  14. D. The recommended IP used to be 1.1.1.1 but is now 192.0.2.1.
  15. B. Macs are based on Unix and use the ifconfig command to display IP address info.
  16. B. Telnet is disabled by default on the WLC and is not recommended.
  17. C. A dynamic interface is similar to a SVI on a switch because it’s a virtual interface that terminates a VLAN.
  18. B. The option 43 string is F104C0A87B64: sub-option type F1, a length of 04 because there is a single controller (4 bytes per controller address), and 192.168.123.100 converted to hex, C0A87B64.
  19. A. APs use Local mode by default. This uses a CAPWAP to tunnel traffic to the controller.
  20. A, C. The two AP modes listed that can serve wireless traffic are Local and FlexConnect.
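
The DHCP option 43 encoding from question 18, worked as an added example that is not from the book or from Cisco. It builds the value for one or more controllers and decodes it back, rejecting a value whose length byte does not match the address bytes. The controller addresses are constructed sample values:

```python
# Added example (not from the book or Cisco): build and decode the DHCP option 43
# value that tells a lightweight AP where its WLC is. Cisco's sub-option is type
# 0xF1 followed by a length of 4 bytes per controller and the controller IPv4
# addresses in hex. The addresses below are constructed sample values.
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1


def option43_hex(controller_ips):
    """Return the option 43 payload as a hex string, e.g. 'f104c0a87b64'."""
    ips = [ipaddress.IPv4Address(ip) for ip in controller_ips]
    if not ips:
        raise ValueError("at least one controller address is required")
    length = 4 * len(ips)
    if length > 255:
        raise ValueError("too many controllers for a single sub-option")
    return (bytes([CISCO_WLC_SUBOPTION, length]) + b"".join(ip.packed for ip in ips)).hex()


def option43_decode(hex_value):
    """Recover the controller list, rejecting malformed values such as a length
    byte that does not match the number of address bytes."""
    raw = bytes.fromhex(hex_value.replace(".", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC (0xF1) sub-option")
    length = raw[1]
    if length == 0 or length % 4 or len(raw) != 2 + length:
        raise ValueError(f"length byte {length:#04x} does not match {len(raw) - 2} address bytes")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(2, 2 + length, 4)]


if __name__ == "__main__":
    print(option43_hex(["192.168.123.100"]))
    print(option43_hex(["192.168.123.100", "192.168.123.101"]))
    print(option43_decode("f104.c0a8.7b64"))
```

The string is what goes into the DHCP scope's option 43 in hex form; on IOS that is the pool's option 43 hex setting. Whoever controls that DHCP scope controls which controller your APs join, so treat the DHCP server and its options as part of the wireless trust boundary.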

Chapter 21: Virtualization, Automation, and Programmability

  1. E. 404 is the status code when what you requested isn’t found.
  2. B. VMware Workstation is a Type-2 solution.
  3. A, C, E. JSON files must use double quotes and Boolean values must be lower case. Trailing commas are not allowed.
  4. E. Microsoft makes Hyper-V.
  5. C. REST stands for Representational State Transfer.
  6. A. The resource section of the URI points to the specific
  7. B. A virtual network device from a vendor is a virtual appliance.
  8. B. YAML doesn’t support using the tab in the file. You must always use the spacebar, otherwise it will throw an error when you try to run it.
  9. B. In YAML a mapping is a simple key-value pair such as Name: Todd
  10. A. Snapshots let you restore virtual machines back to a state in time. Cloning can also be used to make a backup, but it isn’t as practical as a snapshot is.
  11. C. You use the GET operation to "get" information from a RESTful API, so it's most like a show command on a router.
  12. A. You use the POST operation to "post" information to a RESTful API, so it's most like a configuration command on a router.
  13. D. The token authenticates you to the RESTful API service. REST itself defines no authentication or authorization mechanism: the client presents the token (typically in the HTTP Authorization header) on every request, and the service behind the API decides what that token is allowed to do.
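
The REST exchange behind questions 1, 11, 12 and 13 (a 404 for a missing resource, GET as the read operation, POST as the write operation, and a token presented on every request), as an added example that is not from the book. It runs a tiny HTTP API in a background thread and talks to it with the standard library, so nothing leaves the machine; the token value, the /vlans resource and the VLAN data are constructed for the demo:

```python
# Added example (not from the book): a tiny REST exchange run entirely in-process.
# A background HTTP server exposes /vlans; the client presents a bearer token in
# the Authorization header, reads with GET (like a show command), creates with
# POST (like a configuration command) and gets 404 for a resource that does not
# exist. The token, paths and VLAN data are constructed for the demo.
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

API_TOKEN = "demo-token-7f3a"  # assumed; a real service issues its own tokens


class VlanApi(BaseHTTPRequestHandler):
    store = {"vlans": {}}  # replaced per run by demo()

    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _authorized(self):
        # Token checked on every request: REST is stateless, there is no session.
        return self.headers.get("Authorization") == f"Bearer {API_TOKEN}"

    def do_GET(self):
        if not self._authorized():
            return self._send(401, {"error": "missing or invalid bearer token"})
        parts = self.path.strip("/").split("/")
        if parts == ["vlans"]:
            return self._send(200, {"vlans": self.store["vlans"]})
        if len(parts) == 2 and parts[0] == "vlans" and parts[1] in self.store["vlans"]:
            return self._send(200, self.store["vlans"][parts[1]])
        return self._send(404, {"error": f"{self.path} not found"})

    def do_POST(self):
        if not self._authorized():
            return self._send(401, {"error": "missing or invalid bearer token"})
        if self.path.strip("/") != "vlans":
            return self._send(404, {"error": f"{self.path} not found"})
        try:
            body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
            vlan_id, name = str(body["id"]), str(body["name"])
        except (ValueError, KeyError, TypeError):
            return self._send(400, {"error": "body must be JSON with id and name"})
        self.store["vlans"][vlan_id] = {"name": name}
        return self._send(201, {"id": vlan_id, "name": name})

    def log_message(self, *args):  # keep the demo output quiet
        pass


def call(base, method, path, token=None, body=None):
    """Send one request and return (status, decoded JSON), even on 4xx."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    opener = build_opener(ProxyHandler({}))  # never route 127.0.0.1 via a proxy
    try:
        with opener.open(Request(base + path, data=data, headers=headers, method=method)) as r:
            return r.status, json.loads(r.read())
    except HTTPError as e:
        return e.code, json.loads(e.read())


def demo():
    """Start the server on a free port, run the exchange, return the results."""
    VlanApi.store = {"vlans": {"10": {"name": "users"}}}  # constructed seed data
    srv = HTTPServer(("127.0.0.1", 0), VlanApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {
            "no_token": call(base, "GET", "/vlans"),
            "get_all": call(base, "GET", "/vlans", token=API_TOKEN),
            "get_missing": call(base, "GET", "/vlans/99", token=API_TOKEN),
            "post": call(base, "POST", "/vlans", token=API_TOKEN, body={"id": 20, "name": "voice"}),
            "get_new": call(base, "GET", "/vlans/20", token=API_TOKEN),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for step, (status, payload) in demo().items():
        print(step, status, payload)
```

The request without a token is refused with 401 before the server looks at the path, the unknown VLAN returns 404, and the POST answers 201 with the created resource. A bearer token is a credential in its own right: it travels in clear text unless the API is behind TLS, which is why these calls belong on HTTPS in anything but a demo.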

Chapter 22: SDN Controllers

  1. B. The northbound interface (NBI) allows users to interact with the SDN controller through a web interface or through scripts that call its RESTful API.
  2. C. The job of the underlay is to provide connectivity to the overlay so tunnels can be formed.
  3. A, B, C. A controller offers many benefits, including central management, system-wide network monitoring, and the ability to push out configuration to multiple devices.
  4. D. The campus architecture uses an access, distribution, and core layer.
  5. A, C, D. The management plane provides management access to the device; it contains protocols such as Telnet, SSH, and SNMP.
  6. A, B, D. The control plane runs the protocols that live on the router, such as CDP, LLDP, and OSPF.
  7. E. The data plane does not run protocols; rather it is concerned with forwarding traffic.
  8. B. OpenDaylight uses OpenFlow to communicate with switches.
  9. D. Cisco ACI uses OpFlex to communicate with switches.
  10. C, E. You usually interact with the northbound interface of an SDN controller through its RESTful API, either directly or through a Python script.
  11. A, B, C. EasyQoS is a DNA Center application that automatically configures QoS throughout your network based on best practices. It also makes it easy to adjust QoS policies by just letting you tell DNA Center what applications are important to your company.
  12. D. DNA Center stores the network snapshot for one week, though it is possible this number will increase as DNA Center continues to improve over time.
  13. D. LAN Automation uses the Plug and Play feature to configure new switches. It can’t use any other protocol because the switch won’t have any SNMP or login information out of the box.
  14. A. NMS solutions use SNMP to poll network devices for information and to detect problems.
  15. A, B, C. NCM solutions use Telnet or SSH to log in to network devices to do configurations. The server can also use the SNMP read-write community to do configurations.
  16. B, D. Clos architecture is also known as spine/leaf architecture, so it makes sense that it uses spine and leaf switches.
  17. A, C, E. Campus architecture consists of access, distribution, and core switches.
  18. B. The fabric is built entirely at layer 3.
  19. B. The Command Runner is a useful tool for pushing show commands to devices and viewing the results.
  20. C. The Code Preview feature can generate a simple code snippet for several programming languages so you can quickly add it into your script.

Chapter 23: Configuration Management

  1. A, C. Puppet and Chef require you to install an agent on the node before the configuration server can manage it.
  2. C. Ansible deploys playbooks to nodes.
  3. B. Ansible is the best solution for managing Cisco solutions because it has the widest support since it doesn’t require an agent.
  4. D. While Ansible is written in Python, the playbooks are written in YAML.
  5. A. Puppet uses manifest files to apply configuration to nodes.
  6. B. Chef is better suited for developers because, while it's more complex, it's more programmer-friendly than the other solutions.
  7. B. Because Ansible pushes configuration to nodes, it needs an inventory file to keep track of the nodes since it doesn’t use agents like Puppet and Chef.
  8. C. Puppet is based on the Ruby language.
  9. B, C. Ansible uses SSH to connect to Linux and network systems and WinRM with PowerShell to manage Windows systems.
  10. D. Knife is the name of the CLI utility used to manage Chef.
  11. A, B, C. The Chef deployment uses a Chef Server, a Workstation for managing the recipes, and a Bookshelf for storing the cookbooks (and the recipes they contain) for use on the nodes.
  12. B. Puppet is the solution most sysadmins prefer because it uses agents to ensure configuration doesn’t drift from the desired state. Plus, it isn’t as complicated as Chef.
  13. B. YAML uses whitespace to read the configuration contents, and tabs aren't allowed because they break the indentation.
  14. C. Ansible uses the ansible-playbook command to run a playbook against a group of nodes.
  15. C. Ansible uses the ansible-doc command to look up a module and how to use it.
