CCNP ENARSI - Part 3

How does an MPLS Layer 3 VPN function?. A. multiple customer sites interconnect through service provider network to create secure tunnels between customer edge devices. B. multiple customer sites interconnect through a service provider network using customer edge to provider edge connectivity. C. set of sites interconnect privately over the Internet for security. D. set of sites use multiprotocol BGP at the customer site for aggregation.

DRAG DROP - Drag and drop the LDP features from the left onto the descriptions on the right. Select and Place: implicit null label. explicit null label. inbound label binding filtering. entropy label.

Which two protocols work in the control plane of P routers across the MPLS cloud? (Choose two.). A. ECMP. B. LDP. C. RSVP. D. MPLS OAM. E. LSP.

Refer to the exhibit. An engineer has configured DMVPN on a spoke router. What is the WAN IP address of another spoke router within the DMVPN network?. A. 172.18.46.2. B. 172.18.16.2. C. 192.168.1.1. D. 192.168.1.4.

What are two functions of LDP? (Choose two.). A. It advertises labels per Forwarding Equivalence Class. B. It uses Forwarding Equivalence Class. C. It is defined in RFC 3038 and 3039. D. It requires MPLS Traffic Engineering. E. It must use Resource Reservation Protocol.

DRAG DROP - Drag and drop the operations from the left onto the locations where the operations are performed on the right. Select and Place: assigns labels to unlabeled packets. performs penultimate hop popping. handles traffic between multiple VPNs. reads the labels and forwards the packet based on the labels.

Which protocol does MPLS use to support traffic engineering?. A. TDP. B. RSVP. C. LDP. D. BGP.

An engineer configured a company's multiple area OSPF Head Office router and Site A Cisco routers with VRF lite. Each site router is connected to a PE router of an MPLS backbone: Head Office & Site A - ip cef ip vrf abc rd 101:101 ! interface FastEthernet0/0 ip vrf forwarding abc ip address 172.16.16.X 255.255.255.252 ! router ospf 1 vrf abc log-adjacency-changes network 172.16.16.0 0.0.0.255 area 1 After finishing both site router configurations, none of the LSA 3, 4, 5, and 7 are installed at Site A router. Which configuration resolves this issue?. A. configure capability vrf-lite on Site A and its connected PE router under router ospf 1 vrf abc. B. configure capability vrf-lite on both PE routers connected to Head Office and Site A routers under router ospf 1 vrf abc. C. configure capability vrf-lite on Head Office and its connected PE router under router ospf 1 abc. D. configure capability vrf-lite on Head Office and Site A routers under router ospf 1 vrf abc.

Refer to the exhibit. The Los Angeles and New York routers are receiving routers from Chicago but not from each other. Which configuration fixes the issue?. A. interface Tunnel1 no ip split-horizon eigrp 111. B. interface Tunnel1 ip next-hop-self eigrp 111. C. interface Tunnel1 tunnel mode ipsec ipv4. D. interface Tunnel1 tunnel protection ipsec profile IPSec-PROFILE.

DRAG DROP - Drag and drop the MPLS VPN device types from the left onto the definitions on the right. Select and Place: Customer (C) device. CE device. PE device. Provider (P) device.

Refer to the exhibit. The network administrator configured VRF lite for customer A. The technician at the remote site misconfigured VRF on the router. Which configuration will resolve connectivity for both sites of customer_a?. A. ip vrf customer_a rd 1:1 route-target export 1:2 route-target import 1:2. B. ip vrf customer_a rd 1:1 route-target import 1:1 route-target export 1:2. C. ip vrf customer_a rd 1:2 route-target both 1:2. D. ip vrf customer_a rd 1:2 route-target both 1:1.

What does the PE router convert the IPv4 prefix to within an MPLS VPN?. A. eBGP path association between the PE and CE sessions. B. prefix that combines the ASN, PE router-id, and IP prefix. C. 48-bit route combining the IP and PE router-id. D. VPN-IPv4 prefix combined with the 64-bit route distinguisher.

Refer to the exhibit. Which interface configuration must be configured on the HUB router to enable MVPN with mGRE mode?. A. interface Tunnel0 description mGRE - DMVPN Tunnel ip address 10.1.0.1 255.255.255.0 ip nhrp map multicast dynamic ip nhrp network-id 1 tunnel source 172.17.0.1 ip nhrp map 10.0.0.11 172.17.0.2 ip nhrp map 10.0.0.12 172.17.0.3 tunnel mode gre. B. interface Tunnel0 description mGRE - DMVPN Tunnel ip address 10.0.0.1 255.255.255.0 ip nhrp map multicast dynamic ip nhrp network-id 1 tunnel source 10.0.0.1 tunnel mode gre multipoint. C. interface Tunnel0 description mGRE - DMVPN Tunnel ip address 10.0.0.1 255.255.255.0 ip nhrp network-id 1 tunnel source 172.17.0.1 tunnel mode gre multipoint. D. interface Tunnel0 description mGRE - DMVPN Tunnel ip address 10.0.0.1 255.255.255.0 ip nhrp map multicast dynamic ip nhrp network-id 1 tunnel source 10.0.0.1 tunnel destination 172.17.0.2 tunnel mode gre multipoint.

How are MPLS Layer 3 VPN services deployed?. A. The RD and RT values must match under the VRF. B. The import and export RT values under a VRF must always be the same. C. The label switch path must be available between the local and remote PE routers. D. The RD and RT values under a VRF must match on the remote PE router.

Which IGPs are supported by the MPLS LDP autoconfiguration feature?. A. IS-IS and RIPv2. B. RIPv2 and OSPF. C. OSPF and EIGRP. D. OSPF and IS-IS.

An engineer must establish multipoint GRE tunnels between hub router R6 and branch routers R1, R2, and R3. Which configuration accomplishes this task on R1?. A. interface Tunnel 1 ip address 192.168.1.1 255.255.255.0 tunnel source e0/0 tunnel mode gre multipoint ip nhrp nhs 192.168.1.6 ip nhrp map 192.168.1.6 192.1.10.1 ip nhrp map 192.168.1.2 192.1.20.2 ip nhrp map 192.168.1.3 192.1.30.3. B. interface Tunnel 1 ip address 192.168.1.1 255.255.255.0 tunnel source e0/1 tunnel mode gre multipoint ip nhrp nhs 192.168.1.6 ip nhrp map 192. 168.1.6 192.1.10.6. C. interface Tunnel 1 ip address 192.168.1.1 255.255.255.0 tunnel source e0/0 tunnel mode gre multipoint ip nhrp network-id 1 ip nhrp nhs 192.168.1.6 ip nhrp map 192.168.1.6 192.1.10.6. D. interface Tunnel 1 ip address 192.168.1.1 255. 255.255.0 tunnel source e0/1 tunnel mode gre multipoint ip nhrp network-id 1 ip nhrp nhs 192.168.1.6 ip nhrp map 192.168.1.6 192.1.10.1 ip nhrp map 192.168.1.2 192.1.20.2 ip nhrp map 192.168.1.3 192.1.30.3.

How is VPN routing information distributed in an MPLS network?. A. The top level of the customer data packet directs it to the correct CE device. B. It is established using VPN IPsec peers. C. It is controlled through the use of RD. D. It is controlled using of VPN target communities.

What is a characteristic of Layer 3 MPLS VPNs?. A. Traffic engineering capabilities provide QoS and SLAs. B. Traffic engineering supports multiple IGP instances. C. LSP signaling requires the use of unnumbered IP links for traffic engineering. D. Authentication is performed by using digital certificates or preshared keys.

How does an MPLS Layer 3 VPN differentiate the IP address space used between each VPN?. A. by RT. B. by address family. C. by RD. D. by MP-BGP.

IPv6 is enabled in the infrastructure to support customers with an IPv6 network over WAN and to connect the head office to branch offices in the local network. One of the customers is already running IPv6 and wants to enable IPv6 over the DMVPN network infrastructure between the headend and branch sites. Which configuration command must be applied to establish an mGRE IPv6 tunnel neighborship?. A. ipv6 nhrp holdtime 30. B. tunnel mode gre multipoint ipv6. C. ipv6 unicast-routing. D. tunnel protection mode ipv6.

Which OSI model is used to insert an MPLS label?. A. between Layer 2 and Layer 3. B. between Layer 5 and Layer 6. C. between Layer 1 and Layer 2. D. between Layer 3 and Layer 4.

Which function does LDP provide in an MPLS topology?. A. It enables a MPLS topology to connect multiple VPNs to P routers. B. It provides hop-by-hop forwarding in an MPLS topology for LSRs. C. It exchanges routes for MPLS VPNs across different VRFs. D. It provides a means for LSRs to exchange IP routes.

Which mechanism provides traffic segmentation within a DMVPN network?. A. BGP. B. IPsec. C. MPLS. D. RSVP.

Refer to the exhibit. Which configuration denies Telnet traffic to router 2 from 198A:0:200C::1/64?. A. ipv6 access-list Deny_Telnet sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64 eq telnet ! int Gi0/0 ipv6 traffic-filter Deny_Telnet in. B. ipv6 access-list Deny_Telnet sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64 eq telnet ! int Gi0/0 ipv6 access-map Deny_Telnet in. C. ipv6 access-list Deny_Telnet sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64 ! int Gi0/0 ipv6 access-map Deny_Telnet in. D. ipv6 access-list Deny_Telnet sequence 10 deny tcp host 198A:0:200C::1/64 host 201A:0:205C::1/64 ! int Gi0/0 ipv6 traffic-filter Deny_Telnet in.

Refer to the exhibit. During troubleshooting it was discovered that the device is not reachable using a secure web browser. What is needed to fix the problem?. A. permit tcp port 443. B. permit udp port 465. C. permit tcp port 465. D. permit tcp port 22.

DRAG DROP - Drag and drop the packet types from the left onto the correct descriptions on the right. Select and Place: data plane packets. control plane packets. management plane packets. service plane packets.

DRAG DROP - Drag and drop the addresses from the left onto the correct IPv6 filter purposes on the right. Select and Place: permit ip 2001:db8:800:200c::/117 2001:0DBB:800:2010::/64 eq 443. permit ip 2001:db8:800:200c::e/126 2001:0DBB:800:2010::/64 eq 514. permit ip 2001:db8:800:200c::800/117 2001:0DBB:800:2010::/64 eq 80. permit ip 2001:db8:800:200c::c/126 2001:0DBB:800:2010::/64 eq 123.

Refer to the exhibit. An engineer is trying to configure local authentication on the console line, but the device is trying to authenticate using TACACS+. Which action produces the desired configuration?. A. Add the aaa authentication login default none command to the global configuration. B. Replace the capital ג€Cג€ with a lowercase ג€cג€ in the aaa authentication login Console local command. C. Add the aaa authentication login default group tacacs+ local-case command to the global configuration. D. Add the login authentication Console command to the line configuration.

Refer to the exhibit. An engineer is trying to connect to a device with SSH but cannot connect. The engineer connects by using the console and finds the displayed output when troubleshooting. Which command must be used in configuration mode to enable SSH on the device?. A. no ip ssh disable. B. ip ssh enable. C. ip ssh version 2. D. crypto key generate rsa.

Which statement about IPv6 ND inspection is true?. A. It learns and secures bindings for stateless autoconfiguration addresses in Layer 3 neighbor tables. B. It learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables. C. It learns and secures bindings for stateful autoconfiguration addresses in Layer 3 neighbor tables. D. It learns and secures bindings for stateful autoconfiguration addresses in Layer 2 neighbor tables.

While troubleshooting connectivity issues to a router, these details are noticed: ✑ Standard pings to all router interfaces, including loopbacks, are successful. ✑ Data traffic is unaffected. ✑ SNMP connectivity is intermittent. ✑ SSH is either slow or disconnects frequently. Which command must be configured first to troubleshoot this issue?. A. show policy-map control-plane. B. show policy-map. C. show interface | inc drop. D. show ip route.

Refer to the exhibit. Why is user authentication being rejected?. A. The TACACS+ server expects ג€userג€, but the NT client sends ג€domain/userג€. B. The TACACS+ server refuses the user because the user is set up for CHAP. C. The TACACS+ server is down, and the user is in the local database. D. The TACACS+ server is down, and the user is not in the local database.

Refer to the exhibit. Which control plane policy limits BGP traffic that is destined to the CPU to 1 Mbps and ignores BGP traffic that is sent at higher rate?. A. policy-map SHAPE_BGP. B. policy-map LIMIT_BGP. C. policy-map POLICE_BGP. D. policy-map COPP.

Which statement about IPv6 RA Guard is true?. A. It does not offer protection in environments where IPv6 traffic is tunneled. B. It cannot be configured on a switch port interface in the ingress direction. C. Packets that are dropped by IPv6 RA Guard cannot be spanned. D. It is not supported in hardware when TCAM is programmed.

An engineer must configure a Cisco router to initiate secure connections from the router to other devices in the network but kept failing. Which two actions resolve the issue? (Choose two.). A. Configure transport input ssh command on the console. B. Configure a domain name. C. Configure a crypto key to be generated. D. Configure a source port for the SSH connection to initiate. E. Configure a TACACS+ server and enable it.

When configuring Control Plane Policing on a router to protect it from malicious traffic, an engineer observes that the configured routing protocols start flapping on that device. Which action in the Control Plane Policy prevents this problem in a production environment while achieving the security objective?. A. Set the conform-action and exceed-action to transmit initially to test the ACLs and transmit rates and apply the Control Plane Policy in the output direction. B. Set the conform-action and exceed-action to transmit initially to test the ACLs and transmit rates and apply the Control Plane Policy in the input direction. C. Set the conform-action to transmit and exceed-action to drop to test the ACLs and transmit rates and apply the Control Plane Policy in the input direction. D. Set the conform-action to transmit and exceed-action to drop to test the ACLs and transmit rates and apply the Control Plane Policy in the output direction.

In which two ways does the IPv6 First-Hop Security Binding Table operate? (Choose two.). A. by IPv6 HSRP to make sure neighbors are authenticated before being used as gateways. B. by various IPv6 guard features to validate the data link layer address. C. by the recovery mechanism to recover the binding table in the event of a device reboot. D. by IPv6 routing protocols to securely build neighborships without the need of authentication. E. by storing hashed keys for IPsec tunnels for the built-in IPsec features.

Refer to the exhibit. The engineer configured and connected Router2 to Router1. The link came up but could not establish a Telnet connection to Router1 IPv6 address of 2001:DB8::1. Which configuration allows Router2 to establish a Telnet connection to Router1?. A. ipv6 unicast-routing. B. permit ICMPv6 on access list INGRESS for Router2 to obtain IPv6 address. C. permit ip any any on access list EGRESS2 on Router1. D. IPv6 address on GigabitEthernet0/0.

An engineer configured Reverse Path Forwarding on an interface and noticed that the routes are dropped when a route lookup fails on that interface for a prefix that is available in the routing table. Which interface configuration resolves the issue?. A. ip verify unicast source reachable-via l2-src. B. ip verify unicast source reachable-via allow-default. C. ip verify unicast source reachable-via any. D. ip verify unicast source reachable-via rx.

Refer to the exhibit. When monitoring an IPv6 access list, an engineer notices that the ACL does not have any hits and is causing unnecessary traffic through the interface Which command must be configured to resolve the issue?. A. ip access-group INTERNET in. B. ipv6 traffic-filter INTERNET in. C. ipv6 access-class INTERNET in. D. access-class INTERNET in.

Which configuration feature should be used to block rogue router advertisements instead of using the IPv6 Router Advertisement Guard feature?. A. VACL blocking broadcast frames from nonauthorized hosts. B. PVLANs with promiscuous ports associated to route advertisements and isolated ports for nodes. C. PVLANs with community ports associated to route advertisements and isolated ports for nodes. D. IPv4 ACL blocking route advertisements from nonauthorized hosts.

Refer to the exhibit. Which action resolves the failed authentication attempt to the router?. A. Configure aaa authorization console global command. B. Configure aaa authorization console command on line vty 0 4. C. Configure aaa authorization login command on line console 0. D. Configure aaa authorization login command on line vty 0 4.

Refer to the exhibit. A network administrator logs into the router using TACACS+ username and password credentials, but the administrator cannot run any privileged commands. Which action resolves the issue?. A. Configure the username from a local database. B. Configure TACACS+ synchronization with the Active Directory admin group. C. Configure an authorized IP address for this user to access this router. D. Configure full access for the username from TACACS+ server.

Refer to the exhibit. AAA server 10.1.1.1 is configured with the default authentication and accounting settings, but the switch cannot communicate with the server. Which action resolves this issue?. A. Correct the timeout value. B. Match the authentication port. C. Correct the shared secret. D. Match the accounting port.

Refer to the exhibit. R1 is being monitored using SNMP and monitoring devices are getting only partial information. What action should be taken to resolve this issue?. A. Modify the CoPP policy to increase the configured exceeded limit for SNMP. B. Modify the access list to include snmptrap. C. Modify the CoPP policy to increase the configured CIR limit for SNMP. D. Modify the access list to add a second line to allow udp any any eq snmp.

Refer to the exhibit. A client is concerned that passwords are visible when running this show archive log config all. Which router configuration is needed to resolve this issue?. A. MASS-RTR(config)#aaa authentication arap. B. MASS-RTR(config-archive-log-cfg)#password encryption aes. C. MASS-RTR(config)#service password-encryption. D. MASS-RTR(config-archive-log-cfg)#hidekeys.

Refer to the exhibit. BGP is flapping after the CoPP policy is applied. What are the two solutions to fix the issue? (Choose two.). A. Configure a higher value for CIR under the Class COPP-CRITICAL-7600. B. Configure a higher value for CIR under the default class to allow more packets during peak traffic. C. Configure BGP in the COPP-CRITICAL-7600 ACL. D. Configure IP CEF for CoPP policy and BGP to work. E. Configure a three-color policer instead of two-color policer under Class COPP-CRITICAL-7600.

Refer to the exhibit. A network administrator configured an IPv6 access list to allow TCP return traffic only, but it is not working as expected. Which changes resolve this issue?. A. ipv6 access-list inbound permit tcp any any established deny ipv6 any any log ! interface gi0/0 ipv6 traffic-filter inbound in. B. ipv6 access-list inbound permit tcp any any established deny ipv6 any any log ! interface gi0/0 ipv6 traffic-filter inbound out. C. ipv6 access-list inbound permit tcp any any syn deny ipv6 any any log ! interface gi0/0 ipv6 traffic-filter inbound in. D. ipv6 access-list inbound permit tcp any any syn deny ipv6 any any log ! interface gi0/0 ipv6 traffic-filter inbound out.

What are two functions of IPv6 Source Guard? (Choose two.). A. It works independent from IPv6 neighbor discovery. B. It denies traffic from unknown sources or unallocated addresses. C. It uses the populated binding table to allow legitimate traffic. D. It denies traffic by inspecting neighbor discovery packets for specific patterns. E. It blocks certain traffic by inspecting DHCP packets for specific sources.

Refer to the exhibit. Which two actions restrict access to router R1 by SSH? (Choose two.). A. Remove class-map ANY from service-policy CoPP. B. Configure transport output ssh on line vty and remove sequence 20 from access list 100. C. Configure transport input ssh on line vty and remove sequence 30 from access list 100. D. Remove sequence 10 from access list 100 and add sequence 20 deny tcp any any eq telnet to access list 199. E. Configure transport output ssh on line vty and remove sequence 10 from access list 199.