
================ New Multiple Choice Questions (updated on 26th July 2018) ================

Question 1

Drag and drop the commands for configuring SSH into the correct order.

A. ip ssh ver 2
B. ip domain-name cisco.com
C. crypto key generate rsa
D. line vty 0 4
E. transport input ssh
transport input telnet

Answer: B -> C -> A -> D -> E

Question 2

Drag and drop the statements about uRPF strict and loose mode.

Option 1. Must have the source IP in the routing table
Option 2. Must have the same path back
Option 3. Configured on L2 switches
Option 4. Can be used on the inside Internet router interface
Option 5. Can be used on the outside Internet router interface
Option 6. ?

Answer:

Strict mode:
+ Must have the same path back
+ Can be used on inside internet router interface
+?

Loose mode:
+ Must have the source IP in routing table
+ Can be used on outside internet router interface
+?

Question 3

Which protocol does mGRE use to send packets?

A. DMVPN
B. NHRP
C. OSPF
D. IPSec

Answer: B

Question 4

Which protocols are supported with MPP? (choose three)

A. HTTP only
B. HTTP and HTTPS
C. SSH
D. FTP
E. SFTP
F. TFTP

Answer: B C F

Explanation
The Management Plane Protection (MPP) feature in Cisco IOS software provides the
capability to restrict the interfaces on which network management packets are allowed to
enter a device. The MPP feature allows a network operator to designate one or more router
interfaces as management interfaces. Device management traffic is permitted to enter a
device only through these management interfaces. After MPP is enabled, no interfaces except
designated management interfaces will accept network management traffic destined to the
device.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html#wp1047623

Following are the management protocols that the management plane protection (MPP)
feature supports. These management protocols are also the only protocols affected when
MPP is enabled.

+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
+ HTTP
+ HTTPS

Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-1/security/configuration/guide/syssec_cg41crs_chapter7.html#con_1013398

Question 5

Which topologies are allowed with p2p GRE over IPsec? (Choose two)

A. Hub and Spoke
B. Partial mesh
C. Point to multipoint
D. Bus
E. Star

Answer: A B

Question 6

Which keywords can be used with debug condition to filter output? (Choose two)

A. Username
B. Interface ID
C. Port number
D. Protocol
E. Packet Size

Answer: A B

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/debug/command/reference/122debug/dbfcndtr.html

Question 7

Refer to the output of show access-list below. What can you do to correct SSH access?

Extended IP access list 100
 deny tcp any any eq 22
 permit ip any any
Extended IP access list 150
 permit tcp any any eq 23
 deny tcp any any eq 22
 permit ip any any
Extended IP access list 170
 permit tcp any any eq 22
 permit tcp any any eq 23
line vty 0 4
 access-class 100 in
 transport input ssh

A. Change access-class 100 in to access-class 150 in
B. Change transport input ssh to transport input telnet
C. Change access-class 100 in to access-class 100 out
D. Change access-class 100 in to access-class 170 in

Answer: D
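As an added example (not part of the original question set), the evaluator below models what the exhibit shows: it parses the extended ACEs, applies first-match semantics with the implicit deny at the end, and combines the vty's access-class with transport input, which is why only option D restores SSH. It also handles wildcard masks, which goes slightly beyond the exhibit; the source and destination addresses are constructed placeholders.

```python
import ipaddress

# Constructed copy of the ACLs in the exhibit (100, 150, 170) plus a
# wildcard-mask ACL (142) of the kind used for SSH from 10.10.15.0/24.
ACLS = {
    100: ["deny tcp any any eq 22", "permit ip any any"],
    150: ["permit tcp any any eq 23", "deny tcp any any eq 22", "permit ip any any"],
    170: ["permit tcp any any eq 22", "permit tcp any any eq 23"],
    142: ["permit tcp 10.10.15.0 0.0.0.255 any eq 22"],
}

def parse_ace(line):
    """Parse one extended ACE: <permit|deny> <proto> <src> <dst> [eq <port>]."""
    tok = line.lower().split()
    action, proto, pos = tok[0], tok[1], 2

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        addr, wildcard = tok[pos], tok[pos + 1]
        pos += 2
        # IOS wildcard mask: 0 bits must match, so invert it to get a netmask
        netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
        return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

    src, dst = take_addr(), take_addr()
    dport = int(tok[pos + 1]) if pos < len(tok) and tok[pos] == "eq" else None
    return action, proto, src, dst, dport

def evaluate(acl_lines, proto, src, dst, dport):
    """The first matching ACE decides; every ACL ends with an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in map(parse_ace, acl_lines):
        if aproto not in ("ip", proto):
            continue
        if src_ip not in asrc or dst_ip not in adst:
            continue
        if aport is not None and aport != dport:
            continue
        return action
    return "deny"

def vty_session(acl_id, transport_input, dport, src="192.0.2.10", dst="192.0.2.1"):
    """Model 'line vty 0 4' with 'access-class <acl_id> in' and 'transport input ...'.

    Both checks must pass: the access-class ACL filters addresses and port,
    and transport input decides which protocols the line accepts at all.
    src/dst default to constructed placeholder addresses.
    """
    service = {22: "ssh", 23: "telnet"}.get(dport)
    if evaluate(ACLS[acl_id], "tcp", src, dst, dport) != "permit":
        return False
    return service in transport_input

def ssh_allowed(acl_id, src="192.0.2.10"):
    """Does an inbound SSH session from src reach a vty with this access-class?"""
    return vty_session(acl_id, ("ssh",), 22, src=src)
```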

=================================================================

Old questions:

Question 1

Which two methods can be used to protect and secure the management plane from unwanted and
unauthorized access? (Choose two)

A. Limit physical access to network devices
B. Use RADIUS instead of TACACS+ for AAA
C. Create an ACL to permit Telnet access only
D. Enable authentication for the routing protocol
E. Use MPP to limit the interfaces on which management traffic can traverse the device

Answer: A E

Explanation

The Management Plane Protection (MPP) feature in Cisco IOS software provides the
capability to restrict the interfaces on which network management packets are allowed to
enter a device. The MPP feature allows a network operator to designate one or more router
interfaces as management interfaces. Device management traffic is permitted to enter a
device only through these management interfaces. After MPP is enabled, no interfaces except
designated management interfaces will accept network management traffic destined to the
device.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html#wp1047623

Question 2

One router and a computer (exhibit) on 192.168.10.0/24.

You receive a timeout when you start an SSH session to the router. Which layer is the first that
you are going to look into for this matter?

A. Physical
B. Datalink
C. Network

Answer: C

Question 3

When your network experiences Cisco Discovery Protocol and LLDP issues, with which layer
of the OSI model must you begin troubleshooting?

A. Physical layer
B. Datalink layer
C. Network layer
D. Transport layer

Answer: B

Question 4

Which statement about password encryption in Cisco IOS software is true?

A. An encrypted user type 7 password indicates hashing with MD5
B. An encrypted user type 7 password indicates weak reversible encryption
C. You can choose to encrypt the enable secret password with weak reversible encryption or MD5
D. enable secret is more secure than enable password, because the secret is stored in the
configuration file as type 7

Answer: B

Explanation

Type 7 means the password is encrypted when the router stores it in the running/startup
configuration using a Vigenère cipher, which any website offering type 7 reversal can crack in
less than one second.

Question 5

Which two statements about GRE over IPsec tunnels are true? (Choose two)

A. The header overhead is reduced
B. Using a crypto map is the only way to encrypt a GRE tunnel
C. A crypto map requires an ACL that allows protocol 47
D. Supports hub-and-spoke topologies only
E. The tunnel is first encapsulated, then encrypted

Answer: C E

Question 6

Question referring to an exhibit: something with PIM, the tunnel flapping and the PIM neighbor
getting rejected, and Tunnel 1018 went down.

A. The tunnel interface is misconfigured
B. The PIM neighbor is misconfigured
C. The route to neighbor 10.111.254.213 was removed
D. Route flapping and instability is occurring within the network
E. The tunnel destination is using the tunnel itself

Answer: D E

Explanation

The tunnel destination must be the physical destination address of the other end of the
tunnel. For example, with R1 reachable at physical address 192.168.13.1 and R2 at
192.168.23.2, the GRE tunnel must be configured as follows:

R1:
interface tunnel0
 ip address 12.12.12.1 255.255.255.252
 tunnel mode gre ip   // this command can be ignored (gre ip is the default mode)
 tunnel source 192.168.13.1
 tunnel destination 192.168.23.2

R2:
interface tunnel0
 ip address 12.12.12.2 255.255.255.252
 tunnel mode gre ip   // this command can be ignored (gre ip is the default mode)
 tunnel source 192.168.23.2
 tunnel destination 192.168.13.1

For R1, the tunnel destination must point to 192.168.23.2 (the physical IP address of the other
end of the tunnel), not to 12.12.12.2 (the tunnel address of the other end).
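As an added check (not part of the original explanation), the lint below takes a tunnel interface's addressing and a routing table and reports the two misconfigurations behind answers D and E: a destination that is the far end's tunnel address rather than its physical address, and a route to the destination that resolves through the tunnel itself (recursive routing, which makes the tunnel flap). The R1 routing table and interface names are constructed.

```python
import ipaddress

def egress_interface(routes, destination):
    """Longest-prefix match over routes given as (prefix, outgoing interface)."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def check_tunnel(name, tunnel_ip, tunnel_mask, source, destination, routes):
    """Return the list of problems found for one GRE tunnel interface."""
    problems = []
    tunnel_net = ipaddress.ip_network(f"{tunnel_ip}/{tunnel_mask}", strict=False)
    if ipaddress.ip_address(destination) in tunnel_net:
        problems.append("tunnel destination is the far end's tunnel IP, not its physical address")
    if ipaddress.ip_address(source) in tunnel_net:
        problems.append("tunnel source is inside the tunnel subnet")
    egress = egress_interface(routes, destination)
    if egress is None:
        problems.append("no route to the tunnel destination")
    elif egress.lower() == name.lower():
        problems.append("route to the tunnel destination recurses through the tunnel itself")
    return problems

# Constructed routing table for R1: physical links via Gi0/0, tunnel subnet via Tunnel0.
R1_ROUTES = [
    ("192.168.13.0/24", "Gi0/0"),
    ("192.168.23.0/24", "Gi0/0"),
    ("12.12.12.0/30", "Tunnel0"),
]

def r1_correct():
    """R1 exactly as configured in the explanation above: no findings."""
    return check_tunnel("Tunnel0", "12.12.12.1", "255.255.255.252",
                        "192.168.13.1", "192.168.23.2", R1_ROUTES)

def r1_wrong_destination():
    """Destination set to R2's tunnel address 12.12.12.2 instead of 192.168.23.2."""
    return check_tunnel("Tunnel0", "12.12.12.1", "255.255.255.252",
                        "192.168.13.1", "12.12.12.2", R1_ROUTES)

def r1_recursive_route():
    """A more specific route to 192.168.23.2 learned across the tunnel (for
    example from a routing protocol running over it) makes the tunnel its
    own transport, so it goes down, the route is withdrawn, and it flaps."""
    leaked = R1_ROUTES + [("192.168.23.2/32", "Tunnel0")]
    return check_tunnel("Tunnel0", "12.12.12.1", "255.255.255.252",
                        "192.168.13.1", "192.168.23.2", leaked)
```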

Question 7

How do you make sure AAA will still allow you to log in if TACACS+ fails? (Choose two)

(or: Which command enables authenticated login if a TACACS+ failure occurs?)

A. aaa authentication login test group local tacacs+
B. aaa authentication login test group tacacs+ local
C. aaa authentication login test group radius local
D. aaa authentication ppp dialins group tacacs+ local

Answer: B
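As an added example (not from the original question set), the model below walks an IOS login method list the way the answer relies on: the next method is consulted only when the previous one returns an error (server unreachable), not when it returns a fail (server reached, credentials rejected). The user databases are constructed samples.

```python
# Constructed sample credential stores (not real accounts).
LOCAL_USERS = {"admin": "local-pass-1"}
TACACS_USERS = {"netops": "server-pass-1"}

def tacacs_method(user, password, server_reachable):
    """A TACACS+ server answers PASS or FAIL; an unreachable server is an ERROR."""
    if not server_reachable:
        return "ERROR"
    return "PASS" if TACACS_USERS.get(user) == password else "FAIL"

def local_method(user, password):
    return "PASS" if LOCAL_USERS.get(user) == password else "FAIL"

def aaa_login(method_list, user, password, tacacs_reachable=True):
    """Walk a method list such as ["group tacacs+", "local"].

    Returns (result, deciding_method). A method that returns ERROR is skipped
    and the next one is tried; PASS or FAIL ends the walk immediately, so a
    reachable server that rejects the user is NOT followed by a local lookup.
    """
    for method in method_list:
        if method == "group tacacs+":
            result = tacacs_method(user, password, tacacs_reachable)
        elif method == "local":
            result = local_method(user, password)
        elif method == "none":
            result = "PASS"
        else:
            raise ValueError(f"unsupported method {method!r}")
        if result == "ERROR":
            continue
        return result, method
    return "FAIL", None   # every method errored: the login is refused

def survives_tacacs_outage(method_list, user, password):
    """True if this user can still log in when every TACACS+ server is down."""
    return aaa_login(method_list, user, password, tacacs_reachable=False)[0] == "PASS"
```

With option B the local account only matters during an outage: while the server is reachable, a user it rejects is denied without ever consulting the local database.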

Question 8

If you want to use GRE with IPsec, which option is compatible with NAT traversal?

A. Enable MD5 mode
B. Enable SHA mode
C. Implement IPsec tunnel mode
D. Implement IPsec transport mode

Answer: C

Explanation

This is not officially written by Cisco but it is the best we can find:

What is the difference between tunnel mode and transport mode?


The differences are as follows: tunnel mode is widely implemented in site-to-site VPN
scenarios, while transport mode is implemented for client-to-site VPN scenarios. Also, NAT
traversal is supported with tunnel mode while NAT traversal is not supported with transport
mode.

Reference: https://www.coursehero.com/file/p7qcduh/No-GRE-provides-a-stateless-private-connection-15-What-is-the-GRE-header-for-It/

Question 9

Troubleshoot uRPF loose mode at the client gateway router for networks that are not in the
routing table. (Choose two)

A. Dynamic routing is configured on the router
B. CEF is enabled on the router
C. allow-default is configured for loose mode
D. CEF is disabled on the router
E. Static routing is configured on the router

Answer: B C

Question 10
Which two statements about traceroute are true? (Choose two)

A. It supports a variety of IP header options, including verbose


B. The DF bit is set by default
C. The TTL value can be set to 0
D. The default probe count for each TTL level is 3
E. Extended traceroute operation can use a modified data pattern

Answer: A D

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html

=========================================================================

Old questions:

Question 1

The WAN link has a 1500-byte MTU. How do you configure the GRE tunnel so that packets do not
get fragmented? (Choose three)

A. ip tcp path-mtu-discovery
B. ip mtu 1400
C. ip tcp adjust-mss 1360
D. tunnel mode gre ip
E. tunnel mode gre multipoint

Answer: B C and ?

Explanation

Since GRE is an encapsulating protocol, we adjust the maximum transmission unit (MTU) to 1400
bytes and the maximum segment size (MSS) to 1360 bytes. Because most transport MTUs are
1500 bytes and we have added overhead because of GRE, we must reduce the MTU to
account for the extra overhead. A setting of 1400 is common practice and will ensure
unnecessary packet fragmentation is kept to a minimum.

Question 2

Which two ACL types are used with IPv6 traffic filters?

A. tagged
B. standard
C. named
D. numbered
E. dynamic

Answer: A C

Explanation

Named and tagged ACLs are both supported in IPv6.

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/xe-3s/ipv6-xe-36s-book/ip6-sec-trfltr-fw.html

Question 3

Which two statements about time based ACL are true? (Choose two)

A. It can use the router’s clock as the time source
B. Only extended ACLs can use time ranges
C. It must be defined with an inspect name value
D. It requires NTP to be configured
E. Both standard and extended ACLs can use time ranges

Answer: A B

Question 4

GRE tunnel carrying IPv6 over IPv4 (choose two).

Answer: the tunnel source must be IPv4; the tunnel carries IPv6 over IPv4

Question 5

Which two statements about uRPF are true? (Choose two)

A. Supported with extended ACLs and time-based ACLs
B. Applied to the input interface only
C. Requires Cisco Express Forwarding to populate the FIB
D. It is an output function
E. It can mitigate asymmetric routing

Answer: B C
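As an added example (not from the original question set), the model below implements the uRPF check that the strict/loose drag-and-drop, the allow-default question and the statements above describe: a longest-prefix lookup of the source address in a constructed FIB, passed in loose mode whenever any route exists and in strict mode only when the best path back leaves via the arriving interface, with the default route counted only under allow-default. Interface names and prefixes are constructed.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). Gi0/0 faces the Internet,
# Gi0/1 and Gi0/2 are inside segments.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.10.0.0/16", "Gi0/1"),
    ("192.0.2.0/24", "Gi0/2"),
]

def fib_lookup(src, allow_default):
    """Longest-prefix match; the default route counts only when allow_default is set."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_pass(src, ingress, mode, allow_default=False):
    """True if a packet from src arriving on ingress passes uRPF in the given mode.

    uRPF is an input check: it is evaluated on the arriving interface only.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(mode)
    egress = fib_lookup(src, allow_default)
    if egress is None:
        return False              # no route back to the source: dropped in both modes
    if mode == "loose":
        return True               # loose: any route to the source is enough
    return egress == ingress      # strict: best path back must use the arriving interface

def audit(ingress, mode, sources, allow_default=False):
    """Return {source: verdict} for a batch of constructed source addresses."""
    return {s: urpf_pass(s, ingress, mode, allow_default) for s in sources}
```

Note the trade-off the strict/loose answers encode: loose mode on the outside interface accepts a packet claiming an inside source (a route exists), whereas strict mode on the inside interface rejects it because the best path back leaves elsewhere.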

Question 6

The GRE tunnel is up but the server or host cannot pass traffic through it. What are the two
things that need to be fixed? (Choose two)

Answer:

Move R1 to global routing
Put R3 on VRF Red

Question 7

Which two protocols does the management plane protection feature support? (Choose two)

A. HTTPS
B. ARP
C. DNS
D. TFTP
E. DHCP

Answer: A D

Explanation

Following are the management protocols that the management plane protection (MPP)
feature supports. These management protocols are also the only protocols affected when
MPP is enabled.

+ SSH, v1 and v2
+ SNMP, all versions
+ Telnet
+ TFTP
+ HTTP
+ HTTPS

Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-1/security/configuration/guide/syssec_cg41crs_chapter7.html#con_1013398

Question 8

Which method should we use to troubleshoot DHCP issues?

A. divide and conquer
B. top-down
C. bottom-up
D. follow-the-path

Answer: C

Explanation

Let’s assume that you are researching a problem of a user that cannot browse a particular
website and while you are verifying the problem, you find that the user’s workstation is not
even able to obtain an IP address through the DHCP process. In this situation it is reasonable
to suspect lower layers of the OSI model and take a bottom-up troubleshooting approach.

Reference: http://www.ciscopress.com/articles/article.asp?p=2273070&seqNum=2

Question 9

A router knows one destination via EIGRP and two OSPF networks. Which are the best ways to
determine the path? (Choose two)

A. show ip eigrp topology
B. show ip ospf database
C. traceroute
D. ping
E. show ip route

Answer: C E

Question 10

Which two statements about ping & traceroute are true? (Choose two)

A. ping only uses ICMP
B. only ping has a TTL
C. to determine if a host is reachable, traceroute is better than ping
D. traceroute uses UDP datagrams and ICMP
E. ping uses TCP and ICMP

Answer: A D

Reference: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html

Old MCQs:

Question 1

What is the common protocol for ping and traceroute?

A. ICMP
B. PIM
C. IGMP
D. IP

Answer: A

Question 2

Which two options about GRE keepalives are true? (Choose two)

A. enabled by default
B. supported on point-to-point GRE tunnel interfaces
C. supported on point-to-multipoint mGRE
D. supports broadcast
E. supported in VRFs only if the fVRF and iVRF match
F. supports broadcast and multicast

Answer: B E

Explanation

GRE tunnel keepalives are only supported on point-to-point GRE tunnels. Tunnel keepalives
are configurable on multipoint GRE (mGRE) tunnels but have no effect.

GRE keepalives are not supported together with IPsec tunnel protection under any
circumstances.

In general, tunnel keepalives will not work when VRFs are used on the tunnel interface and
the fVRF (‘tunnel vrf …’) and iVRF (‘ip vrf forwarding …’ on tunnel interface) do not match.

Good reference: https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118370-technote-gre-00.html

Question 3

When the user is changing configuration of router, which plane is affected?

A. Data
B. Management
C. Control
D. Forwarding

Answer: B

Question 4

A user is able to log into the switch but cannot go to the global config mode. What needs to
be done?

A. change authorization level
B. change accounting
C. change authentication
D. create username and password

Answer: A

Question 5

Which troubleshooting method is used when we troubleshoot a spanning tree issue for any
VLAN?

A. divide and conquer
B. top-down
C. bottom-up
D. follow-the-path

Answer: D

Question 6

D&D Question on Extended Ping

Answer:

Tos – …quality of service
Df-bit – prevent packets from being segmented or broken up
Data pattern – detect framing errors
Hop count – verify routing metrics
Reply – verify reachability

OR

data pattern — troubleshoot framing errors
df-bit — enable do not fragment bit in IP header
source — specify source address or name
tos — specify type of service value
validate — validate reply data

Good reference:
https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html

Question 7

Which two statements about IPv6 traffic filtering are true? (Choose two)

A. needs to be enabled at the interface level
B. needs to be enabled with egress ACLs only
C. needs to be enabled with ingress ACLs only
D. It performs virtual fragmentation reassembly after checking ingress ACLs
E. It performs virtual fragmentation reassembly after checking egress ACLs

Answer: A D

Question 8

There was also a question about GRE tunnel with the options of it support multicast,
broadcast traffic or only broadcast and some other options that we needed to choose 2
correct ones.

A. GRE supports broadcast and multicast
B. GRE tunnels broadcast traffic
C. GRE is a non-tunneling VPN technology
D. Option about IPSec

Answer: A B

Question 9

Question about authentication (TACACS+ and local) based on a piece of AAA configuration.
What will be the result of this configuration: does it check the local database first, or does it
only authenticate the two listed users?

A. It will check TACACS+ authentication but skip it for the two users created locally
B. aaa new-model is not used and hence the policy will not be applied.
C. aaa is not used, hence the policy will not be applied
D. Part of the script is rejected
and 1 more option

Answer:

1. The aaa new-model command is not in the script; hence the script will not work
2. Part of the script is rejected (as 2 local usernames and passwords are there)

Question 10

Drag and drop question related to GRE tunnels. Which configurations are required and which
are optional?

Answer:
Required:
+ Tunnel destination IP
+ Tunnel Original IP
+ Tunnel IP

Optional:
+ TCP MSS
+ Tunnel key
+ Tunnel mode

=============================================================================

Old questions

Question 1

In which troubleshooting approach do you start troubleshooting from the middle of the OSI layer
stack and then either go up or down a layer for further troubleshooting?

A. Bottom-up
B. Top-down
C. Divide-and-conquer
D. Follow-the-path

Answer: C

Question 2

Which two things should you check while troubleshooting uRPF? (Choose two)

A. uRPF enabled on the interface
B. uRPF enabled globally
C. CEF disabled
D. CEF enabled globally
E. Strict or loose mode configured globally

Answer: A D

Question 3a

Which access-list allows SSH access from network 10.10.15.0/24?

A. access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 21
B. access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 23
C. access-list 142 permit tcp 10.10.15.0 0.0.0.255 any eq 22
D. access-list 142 permit tcp 10.10.15.0 0.0.0.0 any eq 22

Answer: C

Or

Question 3b

Securing the control plane on R1, which is reached via SSH from the network 10.10.0.0/16. You
should choose the right answers and place them in the right configuration order. Not all options
will be used.

Answer:

Sequence 1:
access-list X permit tcp 10.10.0.0/16 eq 22 any estab
access-list X permit tcp 10.10.0.0/16 any eq 22

Sequence 2:
class-map match-all SSH
 match access-group X

Sequence 3:
policy-map Y
 class SSH

Sequence 4:
control-plane
 service-policy input Y

Question 4

What could be the reason for a GRE tunnel interface in the up/down state? (Choose two)

A. GRE tunnel mode is set to transport mode
B. The tunnel source is in the down state
C. The route to the tunnel destination points to the tunnel interface itself

Answer: B C

Question 5

Which are valid AAA authentication methods? (Choose two)

A. Line
B. Krb6
C. LDAP
D. Local
E. Blowfish

Answer: A D

Question 6

Refer to the exhibit.

Which commands are required to set up a GRE tunnel between R2 and R3? (Choose two)

A.
R2:
interface tunnel 1
 ip address 10.1.1.1 255.255.255.252
 tunnel source 192.168.1.1
 tunnel destination 192.168.2.3

B.
R3:
interface tunnel 1
 ip address 10.1.1.2 255.255.255.252
 tunnel source g0/0
 tunnel destination 192.168.1.1

Answer: A B

Question 7

While troubleshooting, you noticed *** as the output of the traceroute command. What is the
reason for that?

Answer: Probe is timed out.

Question 8

Drag and drop question about MPP.

Answer:

Constructing the CoPP Policy

For CoPP policy construction, several steps are required to create the MQC classification and
policing functions. These include: access-list construction, class-map construction, and
finally, policy-map construction.

Reference: https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html

Question 9

Drag and drop question about four valid debug commands on a switch. (Choose four)

A. debug hsrp
B. debug glbp errors
C. debug ip igmp snooping
D. debug ip interface route-cache
E. debug spanning-tree mstp init

Answer: B C D E

Question 10

Drag and drop question. Choose and place in the right order the headers seen when monitoring a
GRE packet.

A. Destination tunnel IP header
B. Source tunnel IP header
C. GRE header
D. Original destination IP header
E. Original source IP header
F. Data

Answer: B -> C -> E -> F

=============================================================


Question 1

GRE Tunnel Drag and Drop. Which fields are optional and mandatory in a GRE header?

Answer:

Mandatory: Reserved0, Version, Protocol Type

Optional: Checksum, Key, Sequence Number

Question 2

GRE tunnel header. Which fields are standard and which are extended?

Answer:

Standard Header: Checksum, Reserved0, Version, Protocol Type

Extended Header: Sequence Number, Key
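As an added example (not from the original questions), the packet builder and parser below lay out a GRE packet in the order the earlier drag-and-drop answer describes (delivery IP header, GRE header, original IP header, data), separate the mandatory GRE fields (flags/version, protocol type) from the optional checksum, key and sequence number, and compute the per-packet overhead behind the ip mtu 1400 / tcp adjust-mss 1360 values discussed in the MTU question. Addresses and payload are constructed samples.

```python
import ipaddress
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # Checksum, Key, Sequence Number flag bits

def build_gre_header(protocol_type=0x0800, key=None, seq=None, checksum=False):
    """Mandatory part (flags/version, protocol type) plus whichever optional fields are used."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0) | \
            (GRE_S if seq is not None else 0)
    hdr = struct.pack("!HH", flags, protocol_type)    # version bits are 0 for GRE
    if checksum:
        hdr += struct.pack("!HH", 0, 0)               # checksum + reserved1, left zero here
    if key is not None:
        hdr += struct.pack("!I", key)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr

def parse_gre_header(data):
    """Return (fields, header length) from bytes that start with a GRE header."""
    flags, protocol_type = struct.unpack("!HH", data[:4])
    fields, off = {"version": flags & 0x7, "protocol_type": protocol_type}, 4
    if flags & GRE_C:
        fields["checksum"] = struct.unpack("!H", data[off:off + 2])[0]
        off += 4
    if flags & GRE_K:
        fields["key"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & GRE_S:
        fields["sequence"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    return fields, off

def ipv4_header(src, dst, protocol, total_length):
    """Minimal 20-byte IPv4 header (header checksum left 0 in this constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, protocol, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def sample_inner_packet():
    """Constructed original packet: 192.168.10.5 -> 192.168.20.5, TCP, 100 bytes of data."""
    payload = b"\xaa" * 100
    return ipv4_header("192.168.10.5", "192.168.20.5", 6, 20 + len(payload)) + payload

def encapsulate(inner, tunnel_src, tunnel_dst, **gre_opts):
    """Delivery IP header (protocol 47 = GRE) + GRE header + the original packet."""
    gre = build_gre_header(**gre_opts)
    return ipv4_header(tunnel_src, tunnel_dst, 47, 20 + len(gre) + len(inner)) + gre + inner

def layer_order(packet):
    """Header order and sizes, as a monitoring tool would show them."""
    _, gre_len = parse_gre_header(packet[20:])
    return [("delivery IP header", 20), ("GRE header", gre_len),
            ("original IP header", 20), ("data", len(packet) - 40 - gre_len)]

def gre_overhead(**gre_opts):
    return 20 + len(build_gre_header(**gre_opts))   # delivery IPv4 header + GRE header used

def largest_ip_mtu(link_mtu=1500, **gre_opts):
    return link_mtu - gre_overhead(**gre_opts)      # biggest inner packet with no fragmentation

def tcp_mss_for(ip_mtu):
    return ip_mtu - 40   # MSS = IP MTU minus 20-byte IP and 20-byte TCP headers (1400 -> 1360)
```

The plain 24-byte overhead leaves 1476 bytes on a 1500-byte link; the 1400/1360 pair in the question leaves extra room for the optional GRE fields and for IPsec when GRE is later protected.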

Question 3

What IP header option fields can you modify in an extended ping? (Choose three)

A. Value
B. Strict
C. Record
D. Timestamp
E. Timeout

Answer: B C D

Explanation

All of these can be modified: protocol, IP destination address, repeat count, Datagram size,
Timeout, source address/interface, type of service, DF bit, Validate reply data, Data
pattern, Loose, Strict, Record, Timestamp, Verbose, Sweep range of sizes.

Reference: https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-
rip/13730-ext-ping-trace.html

Question 4

Select the valid tunnel modes (Choose four)

A. GRE
B. 6to4
C. ISATAP
D. NHRP
E. IPv6IP
F. mGRE

Answer: A B C E

Question 5

Associate the debug and show commands with what they do (7 options).

Answer:

debug ip mpacket <-> multicast packets
debug standby errors <-> HSRP issues
debug ip packet <-> all IPv4 information
debug ipv6 packet <-> all IPv6 information
debug vlan <-> 802.1Q troubleshooting
debug ip cef <-> hardware forwarding

Question 6

Extended Traceroute Drag and Drop. What are the extended traceroute troubleshooting functions?

+ Probe count <-> limits the number of traceroute probes
+ Port Number <-> troubleshoot TCP and UDP ports
+ Source address <-> troubleshoot connections generated from a specific interface
+ Max TTL <-> limits the number of hops a packet travels
+ Type of Service <-> troubleshoot QoS issues
