Appendix A

Answers to the “Check Your Understanding” Questions

Chapter 1

1. B. Each OSPF router views the network differently as the root of a unique SPF tree. Each router builds adjacencies based on its own position in the topology. Each routing table in the area is developed individually through the application of the SPF algorithm. The link-state database for an area, however, must reflect the same information for all routers. Regardless of which OSPF area a router resides in, the adjacency database, routing table, and forwarding database are unique for each router. The link-state database lists information about all other routers within an area and is identical across all OSPF routers participating in that area.

2. B, C, and E. The topology table on an OSPF router is a link-state database (LSDB) that lists information about all other routers in the network and represents the network topology. All routers within an area have identical link-state databases, and the table can be viewed using the show ip ospf database command. The SPF algorithm uses the LSDB to produce the unique routing table for each router, which contains the lowest-cost route entries for known networks.

3. A. The adjacency database is used to create the OSPF neighbor table. The link-state database is used to create the topology table, and the forwarding database is used to create the routing table.

4. A. The OSPF Hello packet serves three primary functions: to discover OSPF neighbors and establish adjacencies, to advertise parameters that OSPF neighbors must agree on, and when necessary, to elect the DR and BDR.

5. E. Link-State Update (LSU) packets contain different types of link-state advertisements (LSAs). The LSUs are used to reply to link-state requests (LSRs) and to announce new information.

6. B and E. The OSPF router ID does not contribute to SPF algorithm calculations, nor does it facilitate the transition of the OSPF neighbor state to Full. Although the router ID is contained within OSPF messages when router adjacencies are being established, it has no bearing on the convergence process.

7. B. A multiarea OSPF network requires hierarchical network design (with two levels). The main area is called the backbone area, and all other areas must connect to the main area.

8. D and F. A multiarea OSPF network improves routing performance and efficiency in a large network. As the network is divided into smaller areas, each router maintains a smaller routing table because routes between areas can be summarized. Also, fewer updated routes means fewer LSAs are exchanged, thus reducing the need for CPU resources. Running multiple routing protocols simultaneously and implementing both IPv4 and IPv6 are not primary considerations for a multiarea OSPF network. With multiarea OSPF, only routers within an area share the same link-state database. Changes to the network topology in one area do not impact other areas, which reduces the number of SPF algorithm calculations and the number of link-state databases.

9. A. The show ip ospf database command is used to verify the contents of the LSDB. The show ip ospf interface command is used to verify the configuration information of OSPF-enabled interfaces. The show ip ospf neighbor command is used to gather information regarding OSPF neighbor routers. The show ip route ospf command displays OSPF-related information in the routing table.

10. D. OSPF supports the concept of areas to prevent larger routing tables, excessive SPF calculations, and large LSDBs. Only routers within an area share link-state information. This allows OSPF to scale in a hierarchical fashion with all areas that connect to a backbone area.

11. D. The OSPF operation steps are establish neighbor adjacencies, exchange link-state advertisements, build the topology table, execute the SPF algorithm, and choose the best route.

12. A. The Type 2 Database Description (DBD) packet contains an abbreviated list of the LSDB of the sending router and is used by receiving routers to check against the local LSDB. The LSDB must be identical on all link-state routers within an area to construct an accurate SPF tree.

13. A, D, and F. OSPF operation progresses through seven states in establishing neighboring router adjacency, exchanging routing information, calculating the best routes, and reaching convergence. The Down, Init, and Two-Way states are involved in the phase of neighboring router adjacency establishment.

14. B. When the routers are interconnected over a common Ethernet network, a designated router (DR) and a backup DR (BDR) must be elected.

15. D. After all LSRs have been satisfied for a given router, the adjacent routers are considered synchronized and in a Full state. Updates (LSUs) are sent to neighbors only under the following conditions:

  • When a network topology change is detected (incremental updates)

  • Every 30 minutes
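The relationship between the shared LSDB and the per-router routing table described in answers 1, 2 and 11 can be made concrete by running the SPF algorithm against a small link-state database. The following Python is an added example and is not code from the book; the LSDB, router names and bandwidths are constructed, and link costs are derived with the default reference-bandwidth formula (100,000 kbps / link bandwidth, truncated to an integer) that the Chapter 2 answers use.

```python
"""Added example (not from the book): every router in an area holds the same
LSDB, but Dijkstra rooted at each router produces a different routing table."""
import heapq

# Default OSPF reference bandwidth in kbps.
REFERENCE_BW_KBPS = 100_000


def ospf_cost(bandwidth_kbps):
    """Default interface cost: reference bandwidth / link bandwidth, truncated
    to an integer and never lower than 1 (100 Mbps and faster all cost 1)."""
    return max(1, REFERENCE_BW_KBPS // bandwidth_kbps)


# Constructed single-area LSDB: (router, neighbor, link bandwidth in kbps).
# This identical list is what every router in the area synchronizes.
LSDB = [
    ("R1", "R2", 100_000),  # FastEthernet, cost 1
    ("R1", "R3", 1_544),    # T1 serial, cost 64
    ("R2", "R3", 1_544),    # T1 serial, cost 64
    ("R2", "R4", 100_000),  # FastEthernet, cost 1
    ("R3", "R4", 10_000),   # 10 Mbps Ethernet, cost 10
]


def build_graph(lsdb):
    """Turn LSDB entries into a bidirectional adjacency map with costs."""
    graph = {}
    for a, b, bw in lsdb:
        cost = ospf_cost(bw)
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, root):
    """Dijkstra rooted at `root`; returns {destination: (total_cost, next_hop)}.
    Each heap entry carries the first hop taken from the root."""
    dist = {root: 0}
    next_hop = {}
    heap = [(0, root, None)]
    while heap:
        d, node, via = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale entry superseded by a cheaper path
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                next_hop[nbr] = nbr if node == root else via
                heapq.heappush(heap, (nd, nbr, next_hop[nbr]))
    return {dest: (dist[dest], next_hop[dest]) for dest in dist if dest != root}


def main():
    graph = build_graph(LSDB)
    for router in sorted(graph):
        print(router, spf(graph, router))


if __name__ == "__main__":
    main()
```

Running it shows R1 reaching R3 at cost 12 via R2 (not the direct cost-64 serial link), while R3 reaches R1 at cost 12 via R4: the same LSDB, two different trees and two different next-hop tables.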

Chapter 2

1. B. On Cisco routers, the default Dead interval is four times the Hello interval, and this timer has expired in this case. SPF does not determine the state of neighbor routers; it determines which routes become routing table entries. A DR/BDR election does not always automatically run; it depends on the type of network and on whether or not the router that is no longer up was a DR or BDR.

2. A. When electing a DR, the router with the highest OSPF priority becomes the DR. If all routers have the same priority, then the router with the highest router ID is elected.

3. A. The wildcard mask can be found by subtracting the subnet mask from 255.255.255.255.

4. C. While the show ip interface brief and ping commands can be used to determine if Layer 1, 2, and 3 connectivity exists, neither command can be used to determine whether a particular OSPF or EIGRP-initiated relationship has been made. The show ip protocols command is useful in determining the routing parameters such as timers, router ID, and metric information associated with a specific routing protocol. The show ip ospf neighbor command shows if two adjacent routers have exchanged OSPF messages in order to form a neighbor relationship.

5. C. The show ip ospf interface command verifies the active OSPF interfaces. The show ip interface brief command is used to check that the interfaces are operational. The show ip route ospf command displays the entries that are learned via OSPF in the routing table. The show ip protocols command checks that OSPF is enabled and lists the networks that are advertised.

6. C. The show ip ospf interface serial 0/0/0 command displays the configured Hello and Dead timer intervals on a point-to-point serial WAN link between two OSPFv2 routers. The show ipv6 ospf interface serial 0/0/0 command displays the configured Hello and Dead timer intervals on a point-to-point serial link between two OSPFv3 routers. The show ip ospf interface fastethernet 0/1 command displays the configured Hello and Dead timer intervals on a multiaccess link between two (or more) OSPFv2 routers. The show ip ospf neighbor command displays the Dead interval elapsed time since the last Hello message was received, but it does not show the configured value of the timer.

7. A and B. The show ip ospf interface command displays routing table information that is already known. The show ip ospf neighbors command displays adjacency information on neighboring OSPF routers. The show running-configuration and show ip protocols commands display aspects of the OSPF configuration on the router but do not display adjacency state details or timer interval details.

8. D. Cisco IOS automatically modifies the Dead interval to four times the Hello interval.

9. A and B. The Hello and Dead interval timers contained in a Hello packet must be the same on neighboring routers in order to form an adjacency.

10. B. The router priority value is used in a DR/BDR election. The default priority for all OSPF routers is 1, but it can be manually altered to any value from 0 to 255.

11. A. OSPF routers send Hello packets to monitor the state of a neighbor. When a router stops receiving Hello packets from a neighbor, that neighbor is considered unreachable, and the adjacency is broken.

12. A. The first preference for an OSPF router ID is an explicitly configured 32-bit address. This address is not included in the routing table and is not defined by the network command. If a router ID that is configured through the router-id command is not available, OSPF routers next use the highest IPv4 address available on a loopback interface, as loopbacks used as router IDs are also not routable addresses. Lacking either of these alternatives, an OSPF router will use the highest IPv4 address from its active physical interfaces.

13. C. To advertise only the 10.1.1.0 network, the wildcard mask used in the network command must match the first 24 bits exactly. An alternative method of configuring this would also be to use the network 10.1.1.0 255.255.255.0 area 0 command.

14. A. OSPF uses the formula Cost = 100,000,000 / bandwidth. Because OSPF will only use integers as cost, any bandwidth of 100 Mbps or greater will equal a cost of 1.

15. C. The correct network statement is network 64.100.1.64 0.0.0.63 area 0.

16. C and D. There may be several reasons two routers running OSPF will fail to form an OSPF adjacency, including subnet masks not matching, OSPF Hello or Dead timers not matching, OSPF network types not matching, and a missing or incorrect OSPF network command. Mismatched IOS versions, the use of private IP addresses, and different types of interface ports used are not causes for an OSPF adjacency failing to form between two routers.
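Answers 1, 8, 9 and 16 of this chapter all come down to the same rule: the parameters carried in a Hello packet must agree, and a neighbor is declared down once the Dead interval passes without a Hello. The following Python is an added example, not code from the book; the `HelloParams` record and the sample values in it are constructed for illustration, and the check only covers the mismatch causes the answers list (area, Hello and Dead intervals, subnet mask, network type, duplicate router ID).

```python
"""Added example (not from the book): compare the Hello parameters two OSPF
neighbors must agree on, and decide whether a neighbor's Dead timer expired."""
from dataclasses import dataclass


@dataclass
class HelloParams:
    """Subset of the fields a router learns from a neighbor's Hello packet."""
    router_id: str
    area: int
    hello: int          # Hello interval, seconds
    dead: int           # Dead interval, seconds
    subnet_mask: str    # e.g. "255.255.255.0"
    network_type: str   # "broadcast", "point-to-point", ...


def default_dead(hello):
    """Cisco IOS derives the Dead interval as four times the Hello interval."""
    return 4 * hello


def adjacency_mismatches(local, remote):
    """Return the parameters that would stop these two routers forming an
    adjacency; an empty list means the Hello parameters are compatible."""
    problems = []
    if local.router_id == remote.router_id:
        problems.append("duplicate router ID")
    if local.area != remote.area:
        problems.append("area")
    if local.hello != remote.hello:
        problems.append("hello interval")
    if local.dead != remote.dead:
        problems.append("dead interval")
    if local.subnet_mask != remote.subnet_mask:
        problems.append("subnet mask")
    if local.network_type != remote.network_type:
        problems.append("network type")
    return problems


def neighbor_is_down(last_hello_seen, now, dead):
    """True when no Hello has arrived within the Dead interval (all in seconds)."""
    return now - last_hello_seen >= dead


def main():
    # Constructed sample: R2 was reconfigured with hello 5 but kept dead 40.
    r1 = HelloParams("1.1.1.1", 0, 10, default_dead(10), "255.255.255.0", "broadcast")
    r2 = HelloParams("2.2.2.2", 0, 5, 40, "255.255.255.0", "broadcast")
    print("mismatches R1<->R2:", adjacency_mismatches(r1, r2))
    print("R2 down after 41 s of silence:", neighbor_is_down(100, 141, r1.dead))


if __name__ == "__main__":
    main()
```

The usual troubleshooting sequence is to collect both sides' values with `show ip ospf interface` and feed them into a check like this one before touching the configuration.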

Chapter 3

1. D. Internal threats can be intentional or accidental and can cause greater damage than external threats because an internal user has direct access to the internal corporate network and corporate data.

2. B. Cybercriminals are commonly motivated by money. Hackers are known to hack for status. Cyberterrorists are motivated to commit cybercrimes for religious or political reasons.

3. B. Hackers are categorized by motivating factors. Hacktivists are motivated by protesting political and social issues.

4. B. Trojan horse malware appears as useful software but hides malicious code. Trojan horse malware may cause annoying computer problems, but it can also cause fatal problems. Some Trojan horses may be distributed over the internet, but they can also be distributed by USB memory sticks and other means. Specifically targeted Trojan horse malware can be some of the most difficult malware to detect.

5. C. Social engineering involves attempting to gain the confidence of an employee and convince that person to divulge confidential and sensitive information, such as usernames and passwords. DDoS attacks, spam, and keylogging are all examples of software-based security threats, not social engineering.

6. B. A ping sweep is a technique that is used during a reconnaissance attack to locate live IP addresses. Other tools that might be used during this type of attack include a port scan or an internet information query. A reconnaissance attack is used to gather information about a particular network, usually in preparation for another type of network attack.

7. A. Zombies are infected computers that make up a botnet. They are used to deploy a distributed denial-of-service (DDoS) attack.

8. C. When an asymmetric algorithm is used, public and private keys are used for the encryption. Either key can be used for encryption, but the complementary matched key must be used for the decryption. For example, if the public key is used for encryption, the private key must be used for the decryption.

9. C. Integrity is ensured by implementing SHA hash generating algorithms. Many modern networks ensure authentication with protocols such as HMACs. Data confidentiality is ensured through symmetric encryption algorithms, including 3DES and AES. Data confidentiality can also be ensured using asymmetric algorithms.

10. A. An advantage of an intrusion prevention system (IPS) is that it can identify and stop malicious packets. However, because an IPS is deployed inline, it can add latency to the network.

11. A. Black hat hackers are unethical threat actors who use their skills to compromise computer and network security vulnerabilities. The goal is usually financial gain or personal gain, or the hacker may have malicious intent. A vulnerability broker is a gray hat hacker who attempts to discover exploits and report them to vendors, sometimes for prizes or rewards. Hacktivists are gray hat hackers who publicly protest organizations or governments by posting articles or videos, leaking sensitive information, and performing network attacks. Script kiddies are inexperienced hackers (sometimes teenagers) running existing scripts, tools, and exploits to cause harm—but typically not for profit.

12. C. A threat is a potential danger to a company’s assets, data, or network functionality. An exploit is a mechanism that takes advantage of a vulnerability. A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.

13. D. Origin authentication guarantees that a message is not a forgery and does actually come from the person who is supposed to have sent it. Data nonrepudiation guarantees that the sender cannot repudiate, or refute, the validity of a message sent. An exploit is a mechanism that takes advantage of a vulnerability. Mitigation describes a countermeasure to eliminate or reduce the potential of a threat or risk.

14. B. An exploit is a mechanism that takes advantage of a vulnerability. A threat is a potential danger to a company’s assets, data, or network functionality. A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.

15. A. Data nonrepudiation guarantees that the sender cannot repudiate, or refute, the validity of a message sent. An exploit is a mechanism that takes advantage of a vulnerability. Mitigation is a countermeasure to eliminate or reduce the potential of a threat or risk. Origin authentication guarantees that a message is not a forgery and does actually come from the person who is supposed to have sent it.

Chapter 4

1. B and C. An ACL can be configured as a simple firewall that provides security using basic traffic filtering capabilities. ACLs are used to filter host traffic by allowing or blocking matching packets to networks.

2. C, D, and E. If the information in a packet header and an ACL statement match, the rest of the statements in the list are skipped, and the packet is permitted or denied as specified by the matched statement. If a packet header does not match an ACL statement, the packet is tested against the next statement in the list. This matching process continues until the end of the list is reached. At the end of every ACL is an implicit “deny any” statement that is applied to all packets for which conditions did not test true and results in a “deny” action.

3. A, D, and E. Extended ACLs should be placed as close as possible to the source IP address so that traffic that needs to be filtered does not cross the network and use network resources. Because standard ACLs do not specify a destination address, they should be placed as close to the destination as possible. Placing a standard ACL close to the source may have the effect of filtering all traffic and limiting services to other hosts. Filtering unwanted traffic before it enters low-bandwidth links preserves bandwidth and supports network functionality. Decisions on placing ACLs inbound or outbound are dependent on the requirements to be met.

4. B and E. Standard ACLs filter traffic based solely on a specified source IP address. Extended ACLs can filter by source or destination, protocol, or port. Both standard and extended ACLs contain an implicit deny as a final ACE. Standard and extended ACLs can be identified by either names or numbers.

5. A and E. With an inbound ACL, incoming packets are processed before they are routed. With an outbound ACL, packets are first routed to the outbound interface, and then they are processed. Thus, processing inbound is more efficient from the router’s perspective. The structure, filtering methods, and limitations (that is, only one inbound and one outbound ACL can be configured on an interface) are the same for both types of ACLs.

6. D. An outbound ACL should be used when the same ACL filtering rules will be applied to packets coming from more than one inbound interface before exiting a single outbound interface. The outbound ACL will be applied on the single outbound interface.

7. D. The subnets 10.16.0.0 through 10.19.0.0 all share the same 14 high-level bits. A wildcard mask in binary that matches 14 high-order bits is 00000000.00000011.11111111.11111111. In dotted decimal, this wildcard mask is 0.3.255.255.

8. A. The two types of ACLs are standard and extended. Both types can be named or numbered, but extended ACLs offer greater flexibility. Extended ACLs provide the most options and therefore the most filtering control.

9. D. A standard IPv4 ACL can filter traffic based on source IP addresses only. Unlike an extended ACL, it cannot filter traffic based on Layer 4 ports. However, both standard and extended ACLs can be identified with either numbers or names, and both are configured in global configuration mode.

10. C. A /26 is 255.255.255.192. Therefore, 255.255.255.255 – 255.255.255.192 = 0.0.0.63.
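Answer 10 here, answer 3 of Chapter 2, and answer 7 above each compute a wildcard mask by hand: complementing a subnet mask, or finding the high-order bits a block of subnets has in common. The following Python is an added example and not the book's code; it uses only the standard `ipaddress` module, and the subnet lists it is fed are constructed from the values in those answers. It goes a step beyond the text by deriving the summary base address and wildcard for any list of networks, not just the 10.16.0.0 to 10.19.0.0 case.

```python
"""Added example (not from the book): derive ACL wildcard masks from a subnet
mask, from a prefix length, and from a block of subnets sharing high-order bits."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_mask(subnet_mask):
    """Wildcard mask = 255.255.255.255 - subnet mask (the bitwise complement)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(ALL_ONES - mask))


def wildcard_for_prefix(prefix_len):
    """Same result starting from a /prefix length; ipaddress calls it hostmask."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").hostmask)


def summary_wildcard(networks):
    """Find the high-order bits shared by every address in the given networks
    and return (base_address, wildcard) that matches all of them in one ACE."""
    nets = [ipaddress.IPv4Network(n) for n in networks]
    # Include each network's first and last address so the block's full span
    # is considered, not just the network numbers.
    addrs = [int(n.network_address) for n in nets]
    addrs += [int(n.broadcast_address) for n in nets]
    first = addrs[0]
    common = 32
    for a in addrs[1:]:
        diff = first ^ a
        # bit_length of the XOR is the position of the highest differing bit.
        common = min(common, 32 - diff.bit_length())
    base = first & ((ALL_ONES << (32 - common)) & ALL_ONES)
    wildcard = ALL_ONES >> common
    return str(ipaddress.IPv4Address(base)), str(ipaddress.IPv4Address(wildcard))


def matches(address, base, wildcard):
    """Does `address` match `base wildcard` as an ACE would evaluate it?
    A 1 bit in the wildcard means 'ignore this bit'."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & ALL_ONES) == 0


def main():
    print("/26 wildcard:", wildcard_from_mask("255.255.255.192"))
    block = ["10.16.0.0/16", "10.17.0.0/16", "10.18.0.0/16", "10.19.0.0/16"]
    base, wc = summary_wildcard(block)
    print("summary ACE:", base, wc)
    print("10.17.5.1 matches:", matches("10.17.5.1", base, wc))
    print("10.20.0.1 matches:", matches("10.20.0.1", base, wc))


if __name__ == "__main__":
    main()
```

Checking a candidate wildcard with `matches` against an address just outside the intended block (10.20.0.1 here) is the quickest way to catch an ACE that permits or denies more than it should.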

Chapter 5

1. D. The access-list 110 permit tcp 172.16.0.0 0.0.0.255 any eq 22 ACE matches traffic on port 22, which is used for SSH, that is sourced from network 172.16.0.0/24 and bound for any destination.

2. B and D. The host keyword is used when using a specific device IP address in an ACL. For example, the deny host 192.168.5.5 command is the same as the deny 192.168.5.5 0.0.0.0 command. The any keyword is used to allow any mask that meets the criteria. For example, the permit any command is the same as the permit 0.0.0.0 255.255.255.255 command.

3. C and D. Extended access lists commonly filter on source and destination IPv4 addresses and TCP or UDP port numbers. Additional filtering can be provided for protocol types.

4. D. You can use the ip access-list command to edit an existing numbered or named ACL. The ACL ACEs can be removed using the no command followed by the sequence number.

5. A and D. To permit or deny one specific IPv4 address, either the wildcard mask 0.0.0.0 (used after the IP address) or the wildcard mask keyword host (used before the IP address) can be used.

6. B and D. To deny traffic from the 10.10.0.0/16 network, the access-list 55 deny 10.10.0.0 0.0.255.255 command is used. To permit all other traffic, the access-list 55 permit any statement is added.

7. B. The host must be filtered first, so adding sequence 5 at the beginning of the ACE would insert it before the 192.168.10.0/24 network is permitted.

8. A. The access-group acl-name in line configuration mode command correctly applies a standard ACL to the vty interfaces.

9. D. Traffic originating from 10.10.100/24 is permitted to all destinations listening to TCP port 80 (that is, www).

10. A. After you enter the command, you go into named extended ACL configuration mode R1(config-ext-nacl).
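The answers in this chapter and in Chapter 4 (answer 2 there, and answers 1, 2, 5, 6 and 7 here) describe how an ACL is evaluated: top down by sequence number, first match wins, and an implicit deny any catches everything else. The following Python is an added example, not the book's code; it parses the subset of ACE syntax that appears in these answers (standard and extended, host and any keywords, an optional eq port, an optional leading sequence number) and evaluates packets against the list. The sequence-number behaviour it assumes (new entries appended in steps of 10, explicit numbers inserted in order) follows IOS named ACL editing as the answers describe it, and the addresses it is tested with are constructed.

```python
"""Added example (not from the book): first-match evaluation of IPv4 ACLs with
wildcard masks, sequence numbers and the implicit deny at the end of the list."""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ALL_ONES = 0xFFFFFFFF
ANY = (0, ALL_ONES)  # base 0.0.0.0 with wildcard 255.255.255.255


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns ((base, wildcard), index_of_next_token)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_ace(text, default_seq):
    """Parse one ACE such as '5 deny host 192.168.10.10' or
    'permit tcp 172.16.0.0 0.0.0.255 any eq 22'."""
    tokens = text.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else default_seq
    ace = {"seq": seq, "action": tokens[0], "proto": "ip",
           "src": None, "dst": ANY, "port": None}
    i = 1
    if tokens[i] in PROTOCOLS:          # extended ACE
        ace["proto"] = tokens[i]
        ace["src"], i = _parse_addr(tokens, i + 1)
        ace["dst"], i = _parse_addr(tokens, i)
        if i < len(tokens) and tokens[i] == "eq":
            ace["port"] = int(tokens[i + 1])
    else:                               # standard ACE: source only
        ace["src"], i = _parse_addr(tokens, i)
    return ace


def _addr_match(spec, address):
    base, wildcard = spec
    return ((int(ipaddress.IPv4Address(address)) ^ base) & ~wildcard & ALL_ONES) == 0


class ACL:
    def __init__(self, lines=()):
        self.aces = []
        for line in lines:
            self.add(line)

    def add(self, line):
        """Without an explicit sequence number the ACE is appended 10 after the
        last one; with one, it is placed in sequence order."""
        next_seq = self.aces[-1]["seq"] + 10 if self.aces else 10
        self.aces = sorted(self.aces + [parse_ace(line, next_seq)], key=lambda a: a["seq"])

    def remove(self, seq):
        """Equivalent of 'no <sequence-number>' in ACL configuration mode."""
        self.aces = [a for a in self.aces if a["seq"] != seq]

    def evaluate(self, src, dst="0.0.0.0", proto="ip", port=None):
        """Return (action, matched_seq); the first matching ACE decides, and a
        packet matching nothing hits the implicit deny (seq None)."""
        for ace in self.aces:
            if ace["proto"] != "ip" and ace["proto"] != proto:
                continue
            if not _addr_match(ace["src"], src) or not _addr_match(ace["dst"], dst):
                continue
            if ace["port"] is not None and ace["port"] != port:
                continue
            return ace["action"], ace["seq"]
        return "deny", None


def main():
    acl = ACL(["permit 192.168.10.0 0.0.0.255"])
    acl.add("5 deny host 192.168.10.10")   # inserted ahead of the network permit
    for host in ("192.168.10.10", "192.168.10.11", "10.0.0.1"):
        print(host, acl.evaluate(host))


if __name__ == "__main__":
    main()
```

Evaluating a few representative packets (one that should be denied, one permitted, one that reaches the implicit deny) before applying an ACL to an interface is the cheap check that catches ordering mistakes like the one in answer 7.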

Chapter 6

1. C. Typically, the translation from private IPv4 addresses to public IPv4 addresses is performed on routers in corporate environments. In a home environment, this device might be an access point that has routing capability or a DSL or cable router.

2. D. It is common practice to configure addresses from the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 ranges.

3. B. PAT allows many hosts on a private network to share a single public address by mapping sessions to TCP/UDP port numbers.

4. D. A one-to-one mapping of an inside local address to an inside global address is accomplished through static NAT.

5. D. Many internet protocols and applications depend on end-to-end addressing from the source to the destination. Because parts of the header of the IPv4 packets are modified, the router needs to alter the checksum of the IPv4 packets. Using a single public IPv4 address allows for the conservation of legally registered IPv4 addressing schemes. If an addressing scheme needs to be modified, it is cheaper to use private IPv4 addresses.

6. D. Dynamic NAT provides a dynamic mapping of inside local to inside global IPv4 addresses. NAT is merely the one-to-one mapping of one address to another address without consideration for whether the address is public or private. DHCP involves automatic assignment of IPv4 addresses to hosts. DNS maps hostnames to IPv4 addresses.

7. A. In order for the ip nat inside source list 4 pool NAT-POOL command to work, the following procedure needs to occur:

  1. Create an access list that defines the private IPv4 addresses affected by NAT.

  2. Establish a NAT pool of starting and ending public IPv4 addresses by using the ip nat pool command.

  3. Use the ip nat inside source list command to associate the access list with the NAT pool.

  4. Apply NAT to internal and external interfaces by using the ip nat inside and ip nat outside commands.

8. D. If all the addresses in the NAT pool have been used, a device must wait for an available address before it can access the outside network.

9. C. With the ip nat inside source list 1 interface serial 0/0/0 overload command, the router is configured to translate internal private IPv4 addresses in the range 10.0.0.0/8 to a single public IPv4 address, 209.165.200.225/30. The other options will not work because the IPv4 addresses defined in the pool, 192.168.2.0/28, are not routable on the internet.

10. B and E. The steps that are required to configure PAT are to define a pool of global addresses to be used for overload translation, to configure source translation by using the keywords interface and overload, and to identify the interfaces that are involved in the PAT.

11. A. An inside local address is the address of the source, as seen from the inside of the network. An outside global address is the address of the destination, as seen from the outside network.
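Answer 3 states the mechanism behind PAT: many inside sessions share one public address and are told apart by port number. The following Python is an added example, not the book's code; it models a PAT translation table with the inside global address from answer 9 (209.165.200.225) and constructed inside hosts, keeping a session's original source port when it is free, choosing the next free one when two hosts pick the same port, and refusing new sessions once the port range is exhausted.

```python
"""Added example (not from the book): a minimal PAT (NAT overload) table that
maps many inside sessions onto one inside global address by source port."""


class PATTable:
    def __init__(self, inside_global, first_port=1024, last_port=65535):
        self.inside_global = inside_global
        self.first_port = first_port
        self.last_port = last_port
        # (inside_local, local_port, proto) -> global_port
        self.outbound = {}
        # (proto, global_port) -> (inside_local, local_port)
        self.inbound = {}

    def _allocate_port(self, proto, preferred):
        """Keep the original source port when it is free and in range; otherwise
        take the next free port above it, wrapping to the start of the range."""
        in_range = self.first_port <= preferred <= self.last_port
        if in_range and (proto, preferred) not in self.inbound:
            return preferred
        port = max(preferred, self.first_port - 1)
        for _ in range(self.last_port - self.first_port + 1):
            port = port + 1 if port < self.last_port else self.first_port
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port range exhausted")

    def translate_out(self, inside_local, local_port, proto="tcp"):
        """Outbound packet: return the (inside global address, global port) the
        source fields are rewritten to, creating the session entry on first use."""
        key = (inside_local, local_port, proto)
        if key not in self.outbound:
            gport = self._allocate_port(proto, local_port)
            self.outbound[key] = gport
            self.inbound[(proto, gport)] = (inside_local, local_port)
        return self.inside_global, self.outbound[key]

    def translate_in(self, global_port, proto="tcp"):
        """Reply packet: return (inside local address, local port), or None when
        no session exists (unsolicited inbound traffic is dropped)."""
        return self.inbound.get((proto, global_port))


def main():
    pat = PATTable("209.165.200.225")  # inside global address from answer 9
    # Constructed inside hosts that happen to choose the same source port.
    print(pat.translate_out("192.168.10.10", 1555))
    print(pat.translate_out("192.168.10.11", 1555))
    print(pat.translate_in(1556))
    print(pat.translate_in(4000))


if __name__ == "__main__":
    main()
```

The `translate_in` miss for an unknown port is the property that makes PAT look like a stateful filter from the outside: only ports with an existing outbound session are forwarded inward.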

Chapter 7

1. A. For this small office, an appropriate connection to the internet would be through a common broadband service such as digital subscriber line (DSL), available from the company’s local telephone service provider, or a cable connection from the cable company. Because the company has so few employees, bandwidth is not a significant issue. If the company were bigger, with branch offices in remote sites, private lines would be more appropriate. VSATs are used to provide connectivity to remote locations and are typically used only when no other connectivity options are available.

2. D. When traveling employees need to connect to a corporate email server through a WAN connection, the VPN creates a secure tunnel between an employee laptop and the corporate network over the WAN connection. Obtaining dynamic IP addresses through DHCP is a function of LAN communication. Sharing files among separate buildings on a corporate campus is accomplished through the LAN infrastructure. A DMZ is a protected network inside the corporate LAN infrastructure.

3. D. WANs are used to interconnect an enterprise LAN to remote branch site LANs and telecommuter sites. A WAN is owned by a service provider. Although WAN connections are typically made through serial interfaces, not all serial links are connected to a WAN. LANs, not WANs, provide end-user network connectivity in an organization.

4. B. Digital leased lines require a channel service unit (CSU) and a data service unit (DSU). An access server concentrates dialup modem dial-in and dial-out user communications. Dialup modems are used to temporarily enable the use of analog telephone lines for digital data communications. A Layer 2 switch is used to connect a LAN.

5. C. A connection-oriented system predetermines the network path, creates a virtual circuit for the duration of the packet delivery, and requires that each packet carry an identifier. A connectionless packet-switched network, such as the internet, requires each data packet to carry addressing information.

6. B. Unlike circuit-switched networks, which typically require expensive permanent connections, packet-switched networks can take alternate paths, if available, to reach the destination.

7. B. Dense wavelength-division multiplexing (DWDM) is a newer technology that increases the data-carrying capacity of SDH and SONET by simultaneously multiplexing data using different wavelengths of light. ISDN (Integrated Services Digital Network), ATM (Asynchronous Transfer Mode), and MPLS (Multiprotocol Label Switching) are not fiber-optic technologies.

8. D. Corporate communications over public WANs should use VPNs for security. ISDN and ATM are Layer 1 and 2 technologies that are typically used on private WANs. Municipal Wi-Fi is a wireless public WAN technology.

9. D and E. SDH and SONET are high-bandwidth fiber-optic standards that define how to transfer data, voice, and video communications using lasers or light-emitting diodes (LEDs). ATM (Asynchronous Transfer Mode) is a Layer 2 technology. ANSI (American National Standards Institute) and ITU (International Telecommunication Union) are standards organizations.

10. D. A leased line establishes a dedicated constant point-to-point connection between two sites. ATM is cell switched. ISDN is circuit switched. Frame Relay is packet switched.

11. A. A private WAN solution that involves dedicated links between sites offers the best security and confidentiality. Private and public WAN solutions offer comparable connection bandwidth, depending on the technology chosen. Connecting multiple sites with private WAN connections could be very expensive. The website and file exchange service support is not relevant.

12. B and D. VPNs over the internet provide low-cost, secure connections to remote users. VPNs are deployed over the internet public infrastructure.

13. B. LTE, or Long-Term Evolution, is a fourth-generation cellular access technology that supports internet access.

14. B. The equipment located at a cable service provider office, the cable modem termination system (CMTS), sends and receives digital cable modem signals on a cable network to provide internet services to cable subscribers. A DSLAM performs a similar function for DSL service providers. A CSU/DSU is used in leased-line connections. Access servers are needed to process multiple simultaneous dialup connections to a central office (CO).

15. B. MPLS can use a variety of technologies, such as T- and E-carriers, optical carrier, ATM, Frame Relay, and DSL, all of which support lower speeds than an Ethernet WAN. Neither a circuit-switched network, such as the public switched telephone network (PSTN) or Integrated Services Digital Network (ISDN), nor a packet-switched network is considered high speed.

Chapter 8

1. D. A GRE IP tunnel does not provide authentication or security. A leased line is not cost-effective compared to using high-speed broadband technology with VPNs. A dedicated ISP is not required when utilizing VPNs between multiple sites.

2. B. Site-to-site VPNs are statically defined VPN connections between two sites that use VPN gateways. The internal hosts do not require VPN client software and send normal, unencapsulated packets onto the network, where they are encapsulated by the VPN gateway.

3. C. The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. The hash message authentication code (HMAC) is a data integrity algorithm that uses a hash value to guarantee the integrity of a message.

4. A. The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms that are used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

5. C and E. The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity and authentication) are MD5 and SHA.

6. A and E. The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two algorithms that can be used within an IPsec policy to protect interesting traffic are AES, which is an encryption protocol, and SHA, which is a hashing algorithm.

7. A. Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that encapsulates multiprotocol traffic between remote Cisco routers. GRE does not encrypt data. OSPF is an open-source routing protocol. IPsec is a suite of protocols that allow for the exchange of information that can be encrypted and verified. Internet Key Exchange (IKE) is a key management standard used with IPsec.

8. B. When a web browser is used to securely access the corporate network, the browser must use a secure version of HTTP to provide SSL encryption. A VPN client is not required to be installed on the remote host, so a clientless SSL connection is used.

9. B. Confidentiality is a function of IPsec and utilizes encryption to protect data transfers with a key. Integrity is a function of IPsec and ensures that data arrives unchanged at the destination through the use of a hashing algorithm. Authentication is a function of IPsec and provides specific access to users and devices with valid authentication factors. Secure key exchange is a function of IPsec and allows two peers to maintain their private key confidentiality while sharing their public key.

10. C and D. VPNs can be managed and deployed as either enterprise VPNs (which is a common solution for securing enterprise traffic across the internet and includes site-to-site and remote-access VPNs) or service provider VPNs (that is, VPNs created and managed over the provider network, such as Layer 2 and Layer 3 MPLS VPNs, or legacy Frame Relay and ATM VPNs).

11. A and B. Enterprise managed remote-access VPNs are created dynamically when required. Remote-access VPNs include client-based IPsec VPNs and clientless SSL VPNs.

12. D. Site-to-site VPNs are static and are used to connect entire networks. Hosts have no knowledge of the VPN and send TCP/IP traffic to VPN gateways. The VPN gateway is responsible for encapsulating the traffic and forwarding it through the VPN tunnel to a peer gateway at the other end that decapsulates the traffic.

13. A. The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. DH (Diffie-Hellman) is an algorithm used for key exchange. DH is a public key exchange method that allows two IPsec peers to establish a shared secret key over an insecure channel.
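Answers 3, 4, 5 and 13 separate the IPsec building blocks: Diffie-Hellman lets two peers agree on a secret over an insecure channel, and an HMAC built on a hash such as SHA lets the receiver detect modification. The following Python is an added example, not the book's code and not how any IPsec implementation is written; it uses only the standard library, a toy DH group (the Mersenne prime 2^31 - 1 with generator 7, far too small for real use, where groups of 2048 bits and up are used) and a simplified key derivation step, and the message it protects is constructed.

```python
"""Added example (not from the book): a toy Diffie-Hellman exchange followed by
HMAC-SHA256 integrity protection, the two IPsec functions the answers name."""
import hashlib
import hmac
import secrets

# Toy DH group, constructed for illustration only: p is the Mersenne prime
# 2^31 - 1 and 7 is a primitive root modulo p. Real IPsec groups are 2048 bits
# and larger; the arithmetic is identical, only the sizes differ.
P = 2**31 - 1
G = 7
TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def dh_keypair(p=P, g=G):
    """Private value x in [1, p-2]; public value g^x mod p is what goes on the wire."""
    private = secrets.randbelow(p - 2) + 1
    return private, pow(g, private, p)


def dh_shared_secret(private, peer_public, p=P):
    """(g^y)^x mod p on one side equals (g^x)^y mod p on the other."""
    return pow(peer_public, private, p)


def derive_key(shared_secret, label=b"toy-ipsec-kdf"):
    """Hash the shared secret into a fixed-length key (simplified KDF)."""
    return hashlib.sha256(label + shared_secret.to_bytes(32, "big")).digest()


def protect(key, message):
    """Append an HMAC-SHA256 tag so the receiver can detect any change."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(key, protected):
    """Return (ok, message). compare_digest runs in constant time so the check
    does not leak how many tag bytes matched."""
    message, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    ok = hmac.compare_digest(expected, tag)
    return ok, (message if ok else None)


def demo():
    """Two peers derive the same key; a flipped bit in transit is rejected.
    Returns (keys_match, genuine_packet_ok, tampered_packet_ok)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))
    packet = protect(key_a, b"interesting traffic from site A")  # constructed
    tampered = packet[:5] + bytes([packet[5] ^ 0x01]) + packet[6:]
    return key_a == key_b, verify(key_b, packet)[0], verify(key_b, tampered)[0]


if __name__ == "__main__":
    print(demo())
```

Note what the HMAC does not do: the message travels in the clear, which is why IPsec pairs it with an encryption algorithm such as AES for confidentiality (answer 4), and why the MD5 and SHA choices in answers 4 and 5 concern only integrity and authentication.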

14. B. In a GRE over IPsec tunnel, the term passenger protocol refers to the original packet that is to be encapsulated by GRE. The carrier protocol is the protocol that encapsulates the original passenger packet. The transport protocol is the protocol that will be used to forward the packet.

15. A. An IPsec VTI is a newer IPsec VPN technology that simplifies the configuration required to support multiple sites and remote access. IPsec VTI configurations use virtual interfaces to send and receive IP unicast and multicast encrypted traffic. Therefore, routing protocols are automatically supported without requiring configuration of GRE tunnels.

16. A. When a client negotiates an SSL VPN connection with the VPN gateway, it connects using Transport Layer Security (TLS). TLS is the newer version of SSL and is sometimes expressed as SSL/TLS. The two terms are often used interchangeably.

17. B. An MPLS VPN has both Layer 2 and Layer 3 implementations. A GRE over IPsec VPN involves a nonsecure tunneling protocol encapsulated by IPsec. An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An IPsec VTI VPN and GRE over IPsec VPN allows multicast and broadcast traffic over a secure site-to-site VPN. An SSL VPN uses the public key infrastructure and digital certificates.

18. E. An SSL VPN uses the public key infrastructure and digital certificates. An MPLS VPN has both Layer 2 and Layer 3 implementations. A GRE over IPsec VPN involves a nonsecure tunneling protocol encapsulated by IPsec. An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An IPsec VTI VPN and a GRE over IPsec VPN allow multicast and broadcast traffic over a secure site-to-site VPN.

19. A and D. An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An IPsec VTI VPN and a GRE over IPsec VPN allow multicast and broadcast traffic over a secure site-to-site VPN. An MPLS VPN has both Layer 2 and Layer 3 implementations. A GRE over IPsec VPN involves a nonsecure tunneling protocol being encapsulated by IPsec. An SSL VPN uses the public key infrastructure and digital certificates.

20. A and C. A GRE over IPsec VPN involves a nonsecure tunneling protocol being encapsulated by IPsec. An IPsec VTI VPN and a GRE over IPsec VPN allow multicast and broadcast traffic over a secure site-to-site VPN. An MPLS VPN has both Layer 2 and Layer 3 implementations. An IPsec VTI VPN routes packets through virtual tunnel interfaces for encryption and forwarding. An SSL VPN uses the public key infrastructure and digital certificates.

Chapter 9

1. B. Traffic requires enough bandwidth to support services. When there is not enough bandwidth, congestion occurs and typically results in packet loss.

2. C. Quality of service (QoS) needs to be enabled on routers to provide support for VoIP and video conferencing. QoS refers to the capability of a network to provide better service to selected network traffic, such as voice and video traffic.

3. B. When the volume of traffic is greater than what can be transported across the network, devices queue, or hold, the packets in memory until resources become available to transmit them. If the number of packets to be queued continues to increase, the memory in the device fills up, and packets are dropped.

4. A. CBWFQ extends the standard WFQ functionality to provide support for user-defined traffic classes. A FIFO queue is reserved for each class, and traffic belonging to a class is directed to the queue for that class.

5. D. With LLQ, delay-sensitive data is sent first, before packets in other queues are treated. Although it is possible to enqueue various types of real-time traffic to the strict priority queue, Cisco recommends that only voice traffic be directed to the priority queue.

6. B. When no other queuing strategies are configured, all interfaces except serial interfaces at E1 (2.048 Mbps) and below use FIFO by default. Serial interfaces at E1 and below use WFQ by default.

7. D. When no other queuing strategies are configured, all interfaces except serial interfaces at E1 (2.048 Mbps) and below use FIFO by default. Serial interfaces at E1 and below use WFQ by default.

8. A. The best-effort model has no way to classify packets; therefore, all network packets are treated the same way. Without QoS, the network cannot tell the difference between packets and, as a result, cannot treat packets preferentially.

9. C. IntServ uses Resource Reservation Protocol (RSVP) to signal the QoS needs of an application’s traffic along devices in the end-to-end path through the network. If network devices along the path can reserve the necessary bandwidth, the originating application can begin transmitting. If the requested reservation fails along the path, the originating application does not send any data.

10. C. Marking means adding a value to the packet header. Devices receiving the packet look at this field to see whether it matches a defined policy. Marking should be done as close to the source device as possible to establish the trust boundary.

11. B. Trusted endpoints have the capabilities and intelligence to mark application traffic to the appropriate Layer 2 CoS and/or Layer 3 DSCP values. Examples of trusted endpoints include IP phones, wireless access points, video-conferencing gateways and systems, and IP conferencing stations.

12. A. The 802.1p standard uses the first 3 bits in the Tag Control Information (TCI) field. Known as the Priority (PRI) field, this 3-bit field identifies the Class of Service (CoS) markings. Three bits means that a Layer 2 Ethernet frame can be marked with one of eight levels of priority (values 0–7).

13. D. RFC 2474 redefines the ToS field with a new 6-bit Differentiated Services Code Point (DSCP) QoS field. Six bits offers a maximum of 64 possible classes of service.
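The marking fields from answers 10 through 13 above, as an added example that is not from the book: it packs and unpacks the 3-bit 802.1p PRI field inside the 802.1Q TCI and the 6-bit DSCP inside the ToS byte, then applies a trust-boundary policy that keeps markings from a trusted endpoint port and resets them to 0 on an untrusted user port. The port trust table and packets are constructed for this example; field layouts follow 802.1Q/802.1p and RFC 2474.

```python
"""Added example (not from the book): decode and re-mark Layer 2 CoS (802.1p PRI)
and Layer 3 DSCP, and enforce a trust boundary so that an untrusted host cannot
place its own traffic into the priority queue by pre-marking it.
The port trust table and sample packets below are constructed."""
from dataclasses import dataclass

# 802.1Q Tag Control Information: PRI(3 bits) | DEI(1 bit) | VLAN ID(12 bits)
def tci_pack(pri: int, dei: int, vlan_id: int) -> int:
    if not (0 <= pri <= 7 and dei in (0, 1) and 0 <= vlan_id <= 4095):
        raise ValueError("field out of range")
    return (pri << 13) | (dei << 12) | vlan_id

def tci_unpack(tci: int) -> tuple[int, int, int]:
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF

# IPv4 ToS byte as redefined by RFC 2474: DSCP(6 bits) | ECN(2 bits)
def tos_pack(dscp: int, ecn: int = 0) -> int:
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("field out of range")
    return (dscp << 2) | ecn

def tos_unpack(tos: int) -> tuple[int, int]:
    return (tos >> 2) & 0x3F, tos & 0x3

# Well-known DSCP values: EF (46) is used for voice, CS3 (24) for call signaling.
DSCP_EF, DSCP_CS3, DSCP_DEFAULT = 46, 24, 0

@dataclass
class MarkedPacket:
    ingress_port: str
    tci: int
    tos: int

# Constructed trust table: Gi0/1 faces an IP phone (trusted), Gi0/2 a user PC (untrusted).
PORT_TRUSTED = {"Gi0/1": True, "Gi0/2": False}

def apply_trust_boundary(pkt: MarkedPacket) -> MarkedPacket:
    """Trusted ports keep CoS/DSCP; untrusted ports are re-marked to CoS 0 / DSCP 0."""
    if PORT_TRUSTED.get(pkt.ingress_port, False):
        return pkt
    pri, dei, vlan = tci_unpack(pkt.tci)
    _, ecn = tos_unpack(pkt.tos)          # ECN bits are not a QoS marking; keep them
    return MarkedPacket(pkt.ingress_port, tci_pack(0, dei, vlan), tos_pack(DSCP_DEFAULT, ecn))

def describe(pkt: MarkedPacket) -> str:
    pri, _, vlan = tci_unpack(pkt.tci)
    dscp, _ = tos_unpack(pkt.tos)
    return f"{pkt.ingress_port}: vlan={vlan} cos={pri} dscp={dscp}"

if __name__ == "__main__":
    phone = MarkedPacket("Gi0/1", tci_pack(5, 0, 100), tos_pack(DSCP_EF))
    pc = MarkedPacket("Gi0/2", tci_pack(5, 0, 10), tos_pack(DSCP_EF))  # PC pre-marked as voice
    for p in (phone, pc):
        print(describe(p), "->", describe(apply_trust_boundary(p)))
```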

Chapter 10

1. C. LLDP requires two commands to configure an interface: lldp transmit and lldp receive.

2. B and C. The no cdp enable interface configuration command cannot be executed from a global configuration prompt. Options D and E are invalid commands.

3. C. Both commands provide information for options A, B, and D. However, only show cdp neighbors detail provides the IP address.

4. D. Options A through C are invalid commands. The options to enable LLDP on interfaces are lldp transmit and lldp receive.

5. C. To enable LLDP on interfaces, use lldp transmit and lldp receive. The lldp run global configuration command enables LLDP globally. Interface LLDP configuration commands override the global command.

6. B. These are all syslog messages, but the most common ones are link up and link down messages.

7. A. The smaller the level numbers, the more critical the alarms. Emergency—Level 0 messages indicate that the system is unusable. This would be an event that has halted the system. Alert—Level 1 messages indicate that immediate action is needed, as in the case of a failed connection to the ISP. Critical—Level 2 messages indicate a critical condition, such as the failure of a backup connection to the ISP. Error—Level 3 messages indicate error conditions, such as an interface being down.

8. D. Cisco developed NetFlow for the purpose of gathering statistics on packets flowing through Cisco routers and multilayer switches. SNMP can be used to collect and store information about a device. Syslog is used to access and store system messages. NTP is used to allow network devices to synchronize time settings.

9. B. Syslog messages can be sent to the logging buffer, the console line, the terminal line, or a syslog server. However, debug-level messages are only forwarded to the internal buffer and are accessible only through the Cisco CLI.

10. A. The console receives all syslog messages by default. Syslog messages for Cisco routers and switches can be sent to memory, the console, a tty line, or a syslog server.

11. A. The logging trap level allows a network administrator to limit event messages that are being sent to a syslog server based on severity.
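The severity levels from answer 7 and the logging trap behaviour from answer 11, as an added example that is not from the book: it parses Cisco IOS style syslog lines (the middle number in %FACILITY-SEVERITY-MNEMONIC is the severity) and forwards only messages at or below a configured trap level, the way logging trap limits what reaches a syslog server. The log lines are constructed for this example.

```python
"""Added example (not from the book): parse Cisco-style syslog lines and apply a
'logging trap <level>' filter.  Lower severity numbers are more critical, so
'logging trap 4' forwards levels 0-4 (emergencies..warnings) and drops 5-7.
The sample log lines below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Severity keywords as used by the IOS 'logging trap' command.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# %FACILITY-SEVERITY-MNEMONIC: text   (any timestamp/sequence prefix is ignored)
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)

@dataclass
class SyslogMessage:
    facility: str
    severity: int
    mnemonic: str
    text: str

def parse_line(line: str) -> Optional[SyslogMessage]:
    """Return the parsed message, or None for a line that is not an IOS system message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return SyslogMessage(m["facility"], int(m["severity"]), m["mnemonic"], m["text"].strip())

def parse_log(text: str) -> List[SyslogMessage]:
    return [msg for msg in (parse_line(line) for line in text.splitlines()) if msg]

def trap_filter(messages: Iterable[SyslogMessage], trap_level: int) -> List[SyslogMessage]:
    """Mimic 'logging trap <level>': forward messages whose severity is <= trap_level."""
    if not 0 <= trap_level <= 7:
        raise ValueError("trap level must be 0-7")
    return [msg for msg in messages if msg.severity <= trap_level]

# Constructed sample output in IOS format.
SAMPLE_LOG = """\
*Mar  1 00:02:13.111: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:02:14.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
*Mar  1 00:05:01.902: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
*Mar  1 00:05:30.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.99] [localport: 22]
*Mar  1 00:06:00.000: %SYS-7-USERLOG_DEBUG: Message from tty0: debug test
"""

def forwarded_mnemonics(text: str, trap_level: int) -> List[str]:
    """Which messages would reach the syslog server at this trap level."""
    return [f"{m.facility}-{m.severity}-{m.mnemonic}"
            for m in trap_filter(parse_log(text), trap_level)]

if __name__ == "__main__":
    for level in (3, 4, 6):
        print(f"logging trap {level} ({SEVERITY_NAMES[level]}):",
              forwarded_mnemonics(SAMPLE_LOG, level))
```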

12. D. Option A is for syslog, B for TFTP, and the explanation for C is incorrect.

13. B and D. A is incorrect. NTP has nothing to do with MTBF, and multiple NTP servers can be identified for redundancy.

14. C. ROMMON mode must be accessed to perform password recovery on a router.

15. B. With the configuration register at 0x2142, the device ignores the startup configuration file during startup, and the startup configuration file is where the forgotten passwords are stored.

16. D. Options A and C are global configuration commands, and Option B is the default setting and looks for the startup configuration file.

17. D. An administrator must have physical access to the device along with a console connection to perform password recovery.

18. B. The show flash0: command displays the amount of flash available (free) and the amount of flash used. The command also displays the files stored in flash, including their size and when they were copied.

19. A and E. To upgrade Cisco IOS, you need the device IOS image file located on a reachable TFTP server. Image files are copied to flash memory. Therefore, it is important to verify the amount of flash memory available on the device.

20. B. An SNMP agent that resides on a managed device collects and stores information about the device and its operation. This information is stored by the agent locally in the MIB. An NMS periodically polls the SNMP agents that are residing on managed devices by using the get request to query the devices for data. The NMS uses a set request to change the configuration in the agent device or to initiate actions within a device.

21. D. To solve the issue of the delay that exists between when an event occurs and the time when it is noticed via polling by the NMS, you can use SNMP trap messages. SNMP trap messages are generated from SNMP agents and are sent to the NMS immediately to inform it of certain events without requiring a wait for the device to be polled by the NMS.

22. A. SNMPv1 and SNMPv2 use community strings to control access to the MIB. SNMPv3 uses encryption, message integrity, and source validation.

23. B. Both SNMPv1 and SNMPv2c use a community-based form of security consisting of community strings. However, these are plaintext passwords and are not considered a strong security mechanism. Version 1 is a legacy solution and not often encountered in networks today.

Chapter 11

1. C. One of the basic functions of the distribution layer of the Cisco Borderless Networks architecture is to perform routing between different VLANs. Acting as a backbone and aggregating campus blocks are functions of the core layer. Providing access to end-user devices is a function of the access layer.

2. D. A collapsed core design is appropriate for a small, single-building business. This type of design uses two layers (the collapsed core and distribution layers consolidated into one layer and the access layer). Larger businesses use the traditional three-tier switch design model.

3. D and E. A converged network provides a single infrastructure that combines voice, video, and data. Analog phones, user data, and point-to-point video traffic are all contained within the single network infrastructure of a converged network.

4. D. Maintaining three separate network tiers is not always required or cost-efficient. All network designs require an access layer, but a two-tier design can collapse the distribution and core layers into one layer to serve the needs of a small location with few users.

5. A. A fixed-configuration switch would meet all the requirements of the law firm in this example.

6. A. A switch builds a table of MAC addresses and associated port numbers by examining the source MAC addresses found in inbound frames. To forward a frame onward, the switch examines the destination MAC address, looks in the MAC address table for a port number associated with that destination MAC address, and sends it to the specific port. If the destination MAC address is not in the table, the switch forwards the frame out all ports except the inbound port that originated the frame.

7. C. A switch provides microsegmentation so that no other devices compete for the same Ethernet network bandwidth.

8. D. When a switch receives a frame with a source MAC address that is not in the MAC address table, the switch adds that MAC address to the table and maps that address to a specific port. Switches do not use IP addressing in the MAC address table.

9. D and F. A switch has the ability to create temporary point-to-point connections between the directly attached transmitting and receiving network devices. The two devices have full-bandwidth, full-duplex connectivity during the transmission. Segmentation adds collision domains to reduce collisions.

10. B. When a LAN switch with the microsegmentation feature is used, each port represents a segment, which in turn forms a collision domain. If each port is connected with an end-user device, there will be no collisions. However, if multiple end devices are connected to a hub and the hub is connected to a port on the switch, some collisions will occur in that particular segment—but not beyond it.

11. converged

12. B and C. The Cisco enterprise architecture consists of a hierarchical design. The network is divided into three functional layers: core, distribution, and access. In smaller networks, this three-layer division of functional layers is collapsed into two layers, with the core and distribution layers combined to form a collapsed core.

13. D. Routers or multilayer switches are usually deployed in pairs with access layer switches evenly divided between them. This configuration is referred to as a building switch block or a departmental switch block. Each switch block acts independently of the others. As a result, the failure of a single device does not cause the network to go down. Even the failure of an entire switch block does not affect a significant number of end users.

14. C and E. Providing wireless connectivity offers many advantages, such as increased flexibility, reduced costs, and the ability to grow and adapt to changing network and business requirements.

15. A. Link aggregation allows an administrator to increase the amount of bandwidth between devices by creating one logical link by grouping several physical links together. EtherChannel is a form of link aggregation used in switched networks.

16. B. Cisco Meraki cloud-managed access switches enable virtual stacking of switches. They monitor and configure thousands of switch ports over the web, without the intervention of onsite IT staff.

17. D. The thickness of a switch determines how much space on the rack it will take up and is measured in rack units.

18. A and C. Routers play a critical role in networking by determining the best path for sending packets. They connect multiple IP networks by connecting homes and businesses to the internet. They are also used to interconnect multiple sites within an enterprise network, providing redundant paths to destinations. Routers can also act as translators between different media types and protocols.

Chapter 12

1. A. A physical topology defines the way in which computers and other network devices are connected to a network.

2. B. Baseline measurements should not be performed during times of unique traffic patterns because the data would provide an inaccurate picture of normal network operations. Baseline analysis of a network should be conducted on a regular basis during normal work hours of the organization. Perform an annual analysis of the entire network or baseline different sections of the network on a rotating basis. Analysis must be conducted regularly to understand how the network is affected by growth and other changes.

3. E. In the “narrow the scope” step of gathering symptoms, a network engineer determines whether the network problem is at the core, distribution, or access layer of the network. After this step is complete and the layer is identified, the network engineer can determine which pieces of equipment are the most likely causes.

4. D. To efficiently establish exactly when the user first experienced email problems, the technician should ask an open-ended question so that the user can state the day and time that the problem was first noticed. Closed questions require only a yes or no answer, and further questions will be needed to determine the actual time of the problem.

5. A. Change-control procedures should be established and applied for each stage to ensure a consistent approach to implementing the solutions and to enable changes to be rolled back if they cause other unforeseen problems.

6. B. A successful ping indicates that everything is working on the physical, data link, and network layers. All of the other layers should be investigated.

7. A. In bottom-up troubleshooting, you start with the physical components of the network and move up through the layers of the OSI model until the cause of the problem is identified.

8. B. Framing errors are symptoms of problems at the data link layer (Layer 2) of the OSI model.

9. D. The issue is that the new website is configured with TCP port 90 for HTTP, which is different from the normal TCP port 80. Therefore, this is a transport layer issue.

10. C. The symptom of excessive runt packets and jabber is typically a Layer 1 issue, such as one caused by a corrupted NIC driver, which could be the result of a software error during the NIC driver upgrade process. Cable faults would cause intermittent connections, but in this case, the network is not touched, and the cable analyzer has detected frame problems, not signal problems. Ethernet signal attenuation is caused by an extended or long cable, but in this case, the cable has not been changed. A NIC driver is part of the operating system; it is not an application.

11. C. Because other computers on the same network work properly, the default gateway router has a default route, and the link between the workgroup switch and the router works. An incorrectly configured switch port VLAN would not cause these symptoms.

12. D, E, and F. Information recorded on a logical network diagram may include device identifiers, IP addresses and prefix lengths, interface identifiers, connection type, Frame Relay DLCI for virtual circuits (if applicable), site-to-site VPNs, routing protocols, static routes, data link protocols, and WAN technologies used.

13. D. Protocol analyzers are useful for investigating the contents of packets that are flowing through the network. A protocol analyzer decodes the various protocol layers in a recorded frame and presents this information in a relatively easy-to-use format.

14. A. The lower the level number, the higher the severity level. By default, all messages from levels 0 to 7 are logged to the console.

Chapter 13

1. C. The Internet of Things (IoT) is a phrase that denotes the billions of electronic devices that are now able to connect to data networks and the internet.

2. B. With IaaS, the cloud provider is responsible for access to the network equipment, virtualized network services, and supporting network infrastructure.

3. A. Cloud computing enables access to organizational data anywhere and at any time; streamlines the organization’s IT operations by subscribing only the needed services; eliminates or reduces the need for onsite IT equipment, maintenance, and management; reduces costs for equipment, energy, physical plant requirements, and personnel training needs; and enables rapid responses to increasing data volume requirements.

4. A. IaaS would be the best solution because the cloud provider is responsible for access to the network equipment, virtualized network services, and supporting network infrastructure.

5. C. A private cloud’s applications and services are intended for a specific organization or entity, such as the government.

6. D. A benefit of virtualization is increased server uptime with advanced redundant fault-tolerance features such as live migration, storage migration, high availability, and distributed resource scheduling.

7. C. The terms cloud computing and virtualization are often used interchangeably; however, they mean different things. Virtualization is the foundation of cloud computing. Without it, cloud computing, as it is most widely implemented, would not be possible. Cloud computing separates the application from the hardware. Virtualization separates the OS from the hardware.

8. B. A Type 2 hypervisor, also called a hosted hypervisor, is software that creates and runs VM instances. A big advantage of Type 2 hypervisors is that management console software is not required.

9. C. A Type 1 hypervisor is installed directly on the server or networking hardware. Instances of an OS are installed on the hypervisor. Type 1 hypervisors have direct access to the hardware resources; therefore, they are more efficient than hosted architectures. Type 1 hypervisors improve scalability, performance, and robustness.

10. D. Software-defined networking (SDN) is a network architecture that has been developed to virtualize the network. For example, SDN can virtualize the control plane. It is also known as controller-based SDN. SDN moves the control plane from each network device to a central network intelligence and policy-making entity called the SDN controller.

11. B and C. The control plane contains Layer 2 and Layer 3 route forwarding mechanisms, such as routing protocol neighbor tables and topology tables, IPv4 and IPv6 routing tables, STP, and the ARP table. Information sent to the control plane is processed by the CPU.

12. C. Using Type 1 hypervisors is also called the “bare metal” approach because the hypervisor is installed directly on the hardware. Type 1 hypervisors are usually used on enterprise servers and data center networking devices.

13. D. Type 2 hypervisors are very popular with consumers and with organizations experimenting with virtualization. Common Type 2 hypervisors include Virtual PC, VMware Workstation, Oracle VM VirtualBox, VMware Fusion, and Mac OS X Parallels.

14. B. The APIC is considered to be the brains of the ACI architecture. An APIC is a centralized software controller that manages and operates a scalable ACI clustered fabric. It is designed for programmability and centralized management. It translates application policies into network programming.

Chapter 14

1. D. YAML Ain’t Markup Language (YAML) separates the key/value pairs using a colon without quotation marks. YAML also uses indentation to define the structure, without using brackets or commas. JavaScript Object Notation (JSON) encloses key/value pairs in braces, { }. Keys must be strings within double quotation marks, “ ”. A key is separated from a value by a colon. Extensible Markup Language (XML) data is enclosed within a related set of tags: <tag>data</tag>.

2. B. JavaScript Object Notation (JSON) encloses key/value pairs in braces, { }. Keys must be strings within double quotation marks, “ ”. A key is separated from a value by a colon. YAML Ain’t Markup Language (YAML) separates the key/value pairs using a colon without quotation marks. YAML also uses indentation to define the structure, without using brackets or commas. Extensible Markup Language (XML) data is enclosed within a related set of tags: <tag>data</tag>.

3. C. A RESTful API, including a public API, may require a key. The key is used to identify the source of the request through authentication.

4. A and E. Ansible and SaltStack are configuration management tools developed using Python. Chef and Puppet were developed using Ruby. Ruby is typically considered a more difficult language to learn than Python. RESTCONF is a network management protocol.

5. C. Puppet is an agent-based configuration management tool built on Ruby that allows you to create a set of instructions called a manifest. Ansible is an agentless configuration management tool built on Python that allows you to create a set of instructions called a playbook. Chef is an agent-based configuration management tool built on Ruby that allows you to create a set of instructions called a cookbook. SaltStack is an agentless configuration management tool built on Python that allows you to create a set of instructions called a pillar.

6. A. The HTTP operation POST corresponds to the RESTful operation create, GET to read, PUT/PATCH to update, and DELETE to delete.

7. D. YAML Ain’t Markup Language (YAML) separates the key/value pairs using a colon without quotation marks. YAML also uses indentation to define its structure, without using brackets or commas. Extensible Markup Language (XML) data is enclosed within a related set of tags: <tag>data</tag>. JavaScript Object Notation (JSON) encloses key/value pairs in braces, { }. Keys must be strings within double quotation marks, “ ”. A key is separated from a value by a colon.

8. A. Ansible is an agentless configuration management tool built on Python that allows you to create a set of instructions called a playbook. Chef is an agent-based configuration management tool built on Ruby that allows you to create a set of instructions called a cookbook. Puppet is an agent-based configuration management tool built on Ruby that allows you to create a set of instructions called a manifest. SaltStack is an agentless configuration management tool built on Python that allows you to create a set of instructions called a pillar.

9. C. Extensible Markup Language (XML) data is enclosed within a related set of tags: <tag>data</tag>. JavaScript Object Notation (JSON) encloses key/value pairs in braces, { }. Keys must be strings within double quotation marks, “ ”. A key is separated from a value by a colon. YAML Ain’t Markup Language (YAML) separates the key/value pairs using a colon without quotation marks. YAML also uses indentation to define its structure without using brackets or commas.
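The three data formats compared in answers 1, 2, 7 and 9 above, as an added example that is not from the book: one small interface record is rendered as JSON (braces, double-quoted keys, colons and commas), as YAML (colon-separated keys, indentation, no brackets or commas) and as XML (a related set of tags), and the JSON and XML are parsed back to confirm the data survived. The YAML emitter is a minimal one written for this example, not a library, and the interface record is constructed.

```python
"""Added example (not from the book): the same nested record in JSON, YAML and XML,
so the syntactic differences described in the answers are visible side by side.
The record is constructed; the YAML emitter is example code, not PyYAML."""
import json
import xml.etree.ElementTree as ET
from typing import Any

# Constructed record, shaped like an interface object an API might return.
INTERFACE = {
    "interface": {
        "name": "GigabitEthernet0/1",
        "description": "Uplink to core",
        "enabled": True,
        "ipv4": {"address": "192.0.2.1", "prefix-length": 24},
    }
}

def _scalar(value: Any) -> str:
    # YAML and XML write booleans in lowercase; everything else as plain text.
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)

def to_json(data: dict) -> str:
    """JSON: key/value pairs in braces, keys as double-quoted strings, colon separators."""
    return json.dumps(data, indent=2)

def to_yaml(data: Any, indent: int = 0) -> str:
    """Minimal YAML for nested dicts of scalars: 'key: value', structure by indentation."""
    pad = "  " * indent
    lines = []
    if isinstance(data, dict):
        for key, value in data.items():
            if isinstance(value, dict):
                lines.append(f"{pad}{key}:")                 # no braces, no quotes
                lines.append(to_yaml(value, indent + 1))     # nesting by indentation
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")  # no trailing comma
    else:
        lines.append(f"{pad}{_scalar(data)}")
    return "\n".join(lines)

def to_xml(data: dict) -> str:
    """XML: each key becomes a tag and its value is the enclosed data, <tag>data</tag>."""
    def build(parent: ET.Element, obj: Any) -> None:
        if isinstance(obj, dict):
            for key, value in obj.items():
                build(ET.SubElement(parent, key), value)
        else:
            parent.text = _scalar(obj)
    (root_tag, root_val), = data.items()   # XML needs exactly one root element
    root = ET.Element(root_tag)
    build(root, root_val)
    return ET.tostring(root, encoding="unicode")

def round_trip_json(data: dict) -> dict:
    return json.loads(to_json(data))

def xml_text(data: dict, path: str) -> str:
    """Read a leaf back out of the XML with an ElementPath query, e.g. 'ipv4/address'."""
    return ET.fromstring(to_xml(data)).findtext(path)

if __name__ == "__main__":
    for render in (to_json, to_yaml, to_xml):
        print(f"--- {render.__name__} ---\n{render(INTERFACE)}")
```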

10. B. Like XML, HTML uses a related set of tags to enclose data. However, HTML uses predefined tags, whereas XML does not. XML is a human-readable data structure that applications use to store, transfer, and read data.

11. D. REST is not a protocol or service but rather a style of software architecture for designing web service applications. A REST API is an API that works on top of HTTP. It defines a set of functions developers can use to perform requests and receive responses via HTTP, such as GET and POST.

12. D. The HTTP operation PUT corresponds to the RESTful operation update, POST to create, GET to read, and DELETE to delete.

13. B. JSON is a lightweight data format for storing and transporting data. It is simpler and more readable than XML and is supported by web browsers. Like JSON, YAML Ain’t Markup Language (YAML) is a data format that applications use to store and transport data. YAML is considered a superset of JSON.

14. A. Public, or open, APIs have no restrictions and are available to the public. Some API providers do require a user to obtain a free key or token prior to using the API in order to control the volume of API requests received and processed.
