Q201. Which three condition types can be monitored by crypto conditional debug? (Choose three.) 

A. Peer hostname 

B. SSL 

C. ISAKMP 

D. Flow ID 

E. IPsec 

F. Connection ID 

Answer: A,D,F 

Explanation: 

Supported Condition Types 

The new crypto conditional debug CLIs (debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition) allow you to specify conditions (filter values) in which to generate and display debug messages related only to the specified conditions. The table below lists the supported condition types. 

Table 1 Supported Condition Types for Crypto Debug CLI 

| Condition Type (Keyword) | Description |
|---|---|
| connid 1 | An integer between 1-32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the connection ID to interface with the crypto engine. |
| flowid 1 | An integer between 1-32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the flow-ID to interface with the crypto engine. |
| FVRF | The name string of a virtual private network (VPN) routing and forwarding (VRF) instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its front-door VRF (FVRF). |
| IVRF | The name string of a VRF instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its inside VRF (IVRF). |
| peer group | A Unity group-name string. Relevant debug messages will be shown if the peer is using this group name as its identity. |
| peer hostname | A fully qualified domain name (FQDN) string. Relevant debug messages will be shown if the peer is using this string as its identity; for example, if the peer is enabling IKE Xauth with this FQDN string. |
| peer ipaddress | A single IP address. Relevant debug messages will be shown if the current IPSec operation is related to the IP address of this peer. |
| peer subnet | A subnet and a subnet mask that specify a range of peer IP addresses. Relevant debug messages will be shown if the IP address of the current IPSec peer falls into the specified subnet range. |
| peer username | A username string. Relevant debug messages will be shown if the peer is using this username as its identity; for example, if the peer is enabling IKE Extended Authentication (Xauth) with this username. |
| SPI 1 | A 32-bit unsigned integer. Relevant debug messages will be shown if the current IPSec operation uses this value as the SPI. |

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-crypto-debug-sup.html 


Q202. Which two statements about OSPF default route injection are true? (Choose two.) 

A. The ABR requires manual configuration to send a default route into an NSSA area. 

B. The ABR injects a default route into a Totally Stub Area. 

C. In a stub area, the ASBR generates a summary LSA with link-state ID 0.0.0.0. 

D. If the default route is missing from the routing table, the ASBR can use the default-information originate command to advertise the default into the OSPF domain. 

E. By default, OSPF normal areas will generate default routes into the routing domain if a default route exists. 

Answer: A,B 


Q203. You are configuring a DMVPN hub to perform CBWFQ on a per-spoke basis. Which information is used to identify the spoke? 

A. the NHRP network ID 

B. the spoke tunnel source IP 

C. the spoke tunnel interface IP address 

D. the NHRP group 

Answer:


Q204. DRAG DROP 

Drag and drop each IPv6 neighbor discovery message type on the left to the corresponding description on the right. 

Answer: 


Q205. Refer to the exhibit. 

IPv6 SLAAC clients that are connected to the router are unable to acquire IPv6 addresses. What is the reason for this issue? 

A. Router advertisements are not sent by the router. 

B. Duplicate address detection is disabled but is required on multiaccess networks. 

C. The interface is configured to support DHCPv6 clients only. 

D. The configured interface MTU is too low for IPv6 to be operational. 

Answer:


Q206. Refer to the exhibit. 

While configuring AAA with a local database, users can log in via Telnet, but receive the message "error in authentication" when they try to go into enable mode. Which action can solve this problem? 

A. Configure authorization to allow the enable command. 

B. Use aaa authentication login default enable to allow authentication when using the enable command. 

C. Verify whether an enable password has been configured. 

D. Use aaa authentication enable default enable to allow authentication when using the enable command. 

Answer:

Explanation: 

If a different enable password is configured, it will override the privilege level 15 of that user and force the existing password to be used for enable access. 


Q207. Refer to the exhibit. 

The two standalone chassis are unable to convert into a VSS. What can you do to correct the problem? 

A. Set a different port channel number on each chassis. 

B. Set a different virtual domain ID on each chassis. 

C. Set the redundancy mode to rpr on both chassis. 

D. Add two ports to the port channel group. 

Answer:


Q208. Which two statements about MLD are true? (Choose two.) 

A. MLD is a subprotocol of ICMPv6. 

B. When a single link supports multiple interfaces, only one interface is required to send MLD messages. 

C. MLD is a subprotocol of PIMv6. 

D. When a single link supports multiple interfaces, all supported interfaces are required to send MLD messages. 

E. There are three subtypes of MLD query messages. 

F. The code section in the MLD message is set to 1 by the sender and ignored by receivers. 

Answer: A,B 


Q209. DRAG DROP 

Drag and drop each DHCP term on the left to the corresponding definition on the right. 

Answer: 


Q210. Which two options are reasons for TCP starvation? (Choose two.) 

A. The use of tail drop 

B. The use of WRED 

C. Mixing TCP and UDP traffic in the same traffic class 

D. The use of TCP congestion control 

Answer: C,D 

Explanation: 

It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially Streaming-Video) within a single service-provider class because of the behaviors of these protocols during periods of congestion. Specifically, TCP transmitters throttle back flows when drops are detected. Although some UDP applications have application-level windowing, flow control, and retransmission capabilities, most UDP transmitters are completely oblivious to drops and, thus, never lower transmission rates because of dropping. When TCP flows are combined with UDP flows within a single service-provider class and the class experiences congestion, TCP flows continually lower their transmission rates, potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is called TCP starvation/UDP dominance. TCP starvation/UDP dominance likely occurs if (TCP-based) Mission-Critical Data is assigned to the same service-provider class as (UDP-based) Streaming-Video and the class experiences sustained congestion. Even if WRED or other TCP congestion control mechanisms are enabled on the service-provider class, the same behavior would be observed because WRED (for the most part) manages congestion only on TCP-based flows. 

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/VPNQoS.html