ROUTE 300-101 Category

Access List

September 20th, 2015 digitaltut 152 comments

Question 1

Explanation

The first answer is not correct because the 10.0.0.0 network range is not correct. It should be 10.0.0.0 to 10.255.255.255 (the whole 10.0.0.0/8 block, which corresponds to the wildcard mask 0.255.255.255 in an access-list).

Question 2

Explanation

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages.

Process switching is the slowest switching method (compared to fast switching and Cisco Express Forwarding) because it must look up the destination in the routing table and construct a new Layer 2 frame header for every packet. With process switching, when a packet comes in, the scheduler calls a process that examines the routing table, determines which interface the packet should be switched to and then switches the packet. The problem is that this happens for every packet, and every packet that matches a log-enabled ACE is forced onto this path.

Reference: http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Question 3

Explanation

If you use the “debug ip packet” command on a production router, you can bring it down, since it generates output for every process-switched packet and that output can be extensive. The best way to limit the output of debug ip packet is to create an access-list and link it to the debug. Only packets that match the access-list criteria will be subject to debug ip packet. For example, this is how to monitor traffic from 1.1.1.1 to 2.2.2.2 (an extended ACL is required, and the “host” keyword gives the single-address match; without it the second address would be read as a wildcard mask):

access-list 100 permit ip host 1.1.1.1 host 2.2.2.2
debug ip packet 100

Note: The “debug ip packet” command only shows packets that are process switched by the router’s routing engine; fast-switched or CEF-switched transit packets are not displayed. Disabling fast switching or CEF on an interface (“no ip route-cache”) to make them visible forces all traffic onto the process path and should not be done on a busy production router.
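As an added example (not code from the digitaltut page), the following Python evaluates IOS-style extended access-list entries the way the router does when it decides which packets a log-enabled ACE, or the ACL attached to debug ip packet, applies to: wildcard-mask matching, top-down first match, and the implicit deny at the end. The ACL numbers and the 10.0.0.0/8 entry are constructed for the demo; port operators such as “eq 80” are not parsed.

```python
"""Added example, not code from the digitaltut page: evaluates IOS-style
extended ACEs with wildcard masks. First match wins and an unmatched
packet hits the implicit deny. Port operators ('eq 80') are not parsed.
The ACLs at the bottom are constructed for the demo."""
import ipaddress
from dataclasses import dataclass


def to_int(ip):
    return int(ipaddress.IPv4Address(ip))


@dataclass(frozen=True)
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip" matches every protocol; otherwise "tcp", "udp", "icmp", ...
    src: int
    src_wild: int    # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: int
    dst_wild: int
    log: bool = False


def _addr_and_wild(tokens):
    """Consume one address specifier: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(tok), to_int(tokens.pop(0))   # address followed by its wildcard mask


def parse_ace(line):
    """Parse one extended ACE, e.g. 'access-list 100 permit ip host 1.1.1.1 host 2.2.2.2 log'."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]                      # drop 'access-list <number>'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, src_wild = _addr_and_wild(tokens)
    dst, dst_wild = _addr_and_wild(tokens)
    return Ace(action, proto, src, src_wild, dst, dst_wild, "log" in tokens)


def ace_matches(ace, proto, src, dst):
    """A packet matches when every bit that is 0 in the wildcard agrees with the ACE."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    src_ok = ((to_int(src) ^ ace.src) & ~ace.src_wild & 0xFFFFFFFF) == 0
    dst_ok = ((to_int(dst) ^ ace.dst) & ~ace.dst_wild & 0xFFFFFFFF) == 0
    return src_ok and dst_ok


def evaluate(acl, proto, src, dst):
    """Top-down, first match wins. Returns (action, index of the matching ACE or
    None for the implicit deny, whether that ACE would generate a log message)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst):
            return ace.action, index, ace.log
    return "deny", None, False


# Constructed ACLs. The first is the debug filter from the text; note that it
# matches only one direction, so replies from 2.2.2.2 are not debugged.
DEBUG_ACL = [parse_ace("access-list 100 permit ip host 1.1.1.1 host 2.2.2.2")]

# The second covers the whole 10.0.0.0/8 block (10.0.0.0 to 10.255.255.255) with
# a logged permit, followed by an explicit deny that is itself not logged.
TEN_NET_ACL = [
    parse_ace("access-list 101 permit ip 10.0.0.0 0.255.255.255 any log"),
    parse_ace("access-list 101 deny ip any any"),
]
```

Two things this makes visible: the debug filter above matches only the 1.1.1.1 -> 2.2.2.2 direction, so a second ACE is needed to see the replies; and an explicit deny ip any any without the log keyword logs nothing, which is why troubleshooters often add a logged explicit deny in front of the implicit one.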

Question 4

Question 5

Point-to-Point Protocol

September 17th, 2015 digitaltut 43 comments

If you are not sure about PPP and PPPoE, please read my PPP tutorial and PPPoE tutorial.

Question 1

Explanation

PPPoE provides a standard method of employing the authentication methods of the Point-to-Point Protocol (PPP) over an Ethernet network. When used by ISPs, PPPoE allows authenticated assignment of IP addresses. In this type of implementation, the PPPoE client and server are interconnected by Layer 2 bridging protocols running over a DSL or other broadband connection.

PPPoE is composed of two main phases:
+ Active Discovery Phase: In this phase, the PPPoE client locates a PPPoE server, called an access concentrator. During this phase, a Session ID is assigned and the PPPoE layer is established.
+ PPP Session Phase: In this phase, PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-pppoe.html

Question 2

Explanation

PPP Session Phase: In this phase, PPP options are negotiated and authentication is performed. Once the link setup is completed, PPPoE functions as a Layer 2 encapsulation method, allowing data to be transferred over the PPP link within PPPoE headers.

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-pppoe.html

Question 3

Explanation

The “dialer persistent” command (under interface configuration mode) allows a dial-on-demand routing (DDR) dialer profile connection to be brought up without being triggered by interesting traffic. When configured, the dialer persistent command starts a timer when the dialer interface starts up and starts the connection when the timer expires. If interesting traffic arrives before the timer expires, the connection is still brought up and set as persistent. An example configuration is shown below:

interface Dialer1
ip address 12.12.12.1 255.255.255.0
encapsulation ppp
dialer-pool 1
dialer persistent

Question 4

Explanation

Password Authentication Protocol (PAP) is a very basic two-way handshake. The username and password are sent in plain text; there is no encryption or protection, so anyone who can sniff the link can read the credentials. If they are accepted, the connection is allowed. The configuration below shows how to configure PAP on two routers:

R1(config)#username R2 password digitaltut1
R1(config)#interface s0/0/0
R1(config-if)#encapsulation ppp
R1(config-if)#ppp authentication PAP
R1(config-if)#ppp pap sent-username R1 password digitaltut2
R2(config)#username R1 password digitaltut2
R2(config)#interface s0/0/0
R2(config-if)#encapsulation ppp
R2(config-if)#ppp authentication PAP
R2(config-if)#ppp pap sent-username R2 password digitaltut1

Note: The PAP “sent-username” and password that each router sends must match those specified with the “username … password …” command on the other router.

Question 5

Explanation

The “vpdn enable” command enables virtual private dialup networking (VPDN) on the router and tells it to look for tunnel definitions in a local database and on a remote authorization server (home gateway). The remaining steps are: configure the VPDN group, configure the virtual template, and create the IP pools.

Question 6

Explanation

There are three authentication methods that can be used to authenticate a PPPoE connection:

+ CHAP – Challenge Handshake Authentication Protocol
+ MS-CHAP – Microsoft Challenge Handshake Authentication Protocol Version 1 & 2
+ PAP – Password Authentication Protocol

MS-CHAP and CHAP are challenge-response protocols in which the password itself never crosses the link, while PAP is an unencrypted protocol that sends it in clear text.

Note: PAP authentication involves a two-way handshake where the username and password are sent across the link in clear text; hence, PAP authentication does not provide any protection against playback and line sniffing.

With CHAP, the server (authenticator) sends a challenge to the remote access client. The client uses a hash algorithm (also known as a hash function) to compute a Message Digest-5 (MD5) hash over the challenge identifier, the shared secret (the user’s password) and the challenge value. The client sends the MD5 hash result to the server. The server, which also knows the secret, performs the same calculation and compares the result to the one sent by the client. If the results match, the credentials of the remote access client are considered authentic. A hash algorithm is a one-way function, which means that calculating the hash result for a data block is easy, but determining the original data block from the hash result is computationally infeasible. Note that this protects the secret against direct disclosure and replay, not against guessing: an attacker who captures a challenge/response pair can still run an offline dictionary attack against a weak secret.

Question 7

Explanation

Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the client at link establishment, and can repeat the verification periodically, using a three-way handshake. The three-way handshake steps are as follows:

1. When a client contacts a server that uses CHAP, the server (called the authenticator) responds by sending the client a Challenge message containing an identifier and a random challenge value. This value is not secret and it does not matter if anyone intercepts it.
2. The client hashes the identifier, the shared password (known to both the client and the server) and the challenge value with MD5, and returns the hash in a Response message. The password itself is never sent.
3. The server has the same password, performs the same MD5 calculation over the challenge it previously sent, and compares its result with the Response sent by the client. If they are the same, the client is assumed to be authentic and the server replies with Success; otherwise it replies with Failure.

Note: The two basic PPP authentication protocols are PAP and CHAP; MS-CHAP (mentioned above) is Microsoft’s variant of CHAP.
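To make the difference between the two handshakes concrete, here is an added example in Python (not code from the digitaltut page) that models PAP per RFC 1334 and CHAP per RFC 1994. The router names and secrets reuse the PAP configuration above as the authenticator’s “username … password” table; packet layouts are reduced to the payload fields, and no PPP frames are actually sent.

```python
"""Added example, not code from the digitaltut page: PAP (RFC 1334) versus
CHAP (RFC 1994). SECRETS stands in for the authenticator's 'username ...
password' database and reuses the names and secrets from the PAP config."""
import hashlib
import hmac
import os

SECRETS = {"R1": b"digitaltut2", "R2": b"digitaltut1"}


# --- PAP: two-way handshake, credentials are sent as-is -----------------------
def pap_authenticate_request(username, password):
    """Payload of a PAP Authenticate-Request: Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. Every byte is readable by anyone on the link."""
    user = username.encode()
    return bytes([len(user)]) + user + bytes([len(password)]) + password


def pap_verify(packet):
    """Authenticator side: look the peer up and compare the clear-text password."""
    ulen = packet[0]
    user = packet[1:1 + ulen].decode()
    plen = packet[1 + ulen]
    pwd = packet[2 + ulen:2 + ulen + plen]
    return SECRETS.get(user) == pwd


# --- CHAP: three-way handshake, only a hash crosses the link -----------------
def chap_challenge(size=16):
    """Step 1 (authenticator): a fresh, unpredictable challenge value.
    Reusing a challenge would make captured responses replayable."""
    return os.urandom(size)


def chap_response(identifier, secret, challenge):
    """Step 2 (peer): MD5 over Identifier || secret || Challenge (RFC 1994 section 2)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier, username, challenge, response):
    """Step 3 (authenticator): recompute with the stored secret and compare in
    constant time. The peer gets back Success or Failure, never the secret."""
    secret = SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_replay_demo():
    """Why CHAP resists replay: a response sniffed from one exchange is useless
    against the next challenge. Returns (first exchange accepted, replay accepted)."""
    c1 = chap_challenge()
    r1 = chap_response(1, SECRETS["R1"], c1)     # legitimate response, captured on the wire
    first_ok = chap_verify(1, "R1", c1, r1)
    c2 = chap_challenge()                         # authenticator re-challenges: new id, new value
    replay_ok = chap_verify(2, "R1", c2, r1)      # attacker replays the captured response
    return first_ok, replay_ok
```

The PAP request contains the password as plain bytes, so one captured frame yields a reusable credential. A captured CHAP response is bound to a single identifier and challenge, so replaying it fails; what remains is an offline dictionary attack on the captured pair, against which MD5 offers no defence, so CHAP secrets should be long and random.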

Question 8

Explanation

A PPPoE session is initiated by the PPPoE client. If the session has a timeout or is disconnected, the PPPoE client will immediately attempt to reestablish the session. The following four steps describe the exchange of packets that occurs when a PPPoE client initiates a PPPoE session:
1. The client broadcasts a PPPoE Active Discovery Initiation (PADI) packet.
2. When the access concentrator receives a PADI that it can serve, it replies by sending a PPPoE Active Discovery Offer (PADO) packet to the client.
3. Because the PADI was broadcast, the host may receive more than one PADO packet. The host looks through the PADO packets it receives and chooses one. The choice can be based on the access concentrator name or on the services offered. The host then sends a single PPPoE Active Discovery Request (PADR) packet to the access concentrator that it has chosen.
4. The access concentrator responds to the PADR by sending a PPPoE Active Discovery Session-confirmation (PADS) packet. At this point a virtual access interface is created that will then negotiate PPP, and the PPPoE session will run on this virtual access.

If a client does not receive a PADO for a preceding PADI, the client sends out a PADI at predetermined intervals. That interval is doubled for every successive PADI that does not evoke a response, until the interval reaches a configured maximum.

If PPP negotiation fails or the PPP line protocol is brought down for any reason, the PPPoE session and the virtual access interface will be brought down. When the PPPoE session is brought down, the client waits for a predetermined number of seconds before trying again to establish a PPPoE session.

Reference: http://www.cs.vsb.cz/grygarek/TPS/DSL/pppoe_client.pdf
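The four-step exchange above, as an added example in Python (not code from the digitaltut page or from Cisco documentation): a minimal encoder/decoder for RFC 2516 discovery frames, a client and two access concentrators running PADI, PADO, PADR and PADS, and the doubling PADI retransmission interval. The AC names, client MAC, cookie construction, service name and timer values are all constructed for the demo; nothing is put on a real Ethernet segment.

```python
"""Added example, not code from the digitaltut page: RFC 2516 PPPoE discovery.
AC names, client MAC, cookie construction and timers are constructed for the demo."""
import hmac
import secrets
import struct

VER_TYPE = 0x11                                   # version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65   # discovery codes (PADT, 0xA7, not modelled)
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0101, 0x0102, 0x0103, 0x0104


def encode(code, session_id, tags):
    """tags: list of (tag_type, value). Header: ver/type, code, session id, payload length."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def decode(frame):
    """Returns (code, session_id, {tag_type: value}); rejects a length field that lies."""
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    payload = frame[6:]
    if ver_type != VER_TYPE or length != len(payload):
        raise ValueError("malformed PPPoE discovery frame")
    tags, off = {}, 0
    while off + 4 <= len(payload):
        t, n = struct.unpack("!HH", payload[off:off + 4])
        tags[t] = payload[off + 4:off + 4 + n]
        off += 4 + n
    return code, session_id, tags


class Client:
    def __init__(self, wanted_ac=None):
        self.host_uniq = secrets.token_bytes(8)   # ties PADO/PADS replies to our own PADI
        self.wanted_ac = wanted_ac                # AC-Name to prefer, or None for the first offer
        self.session_id = None

    def padi(self):
        """Step 1: broadcast with session id 0; an empty Service-Name means 'any service'."""
        return encode(PADI, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)])

    def padr_from_offers(self, frames):
        """Step 3: the PADI was broadcast, so several PADOs may arrive. Ignore any that do
        not echo our Host-Uniq, choose by AC-Name, and answer exactly one with a PADR."""
        offers = [t for c, _, t in map(decode, frames)
                  if c == PADO and t.get(TAG_HOST_UNIQ) == self.host_uniq]
        if self.wanted_ac is not None:
            offers = [t for t in offers if t.get(TAG_AC_NAME) == self.wanted_ac]
        if not offers:
            return None
        chosen = offers[0]
        return encode(PADR, 0, [(TAG_SERVICE_NAME, chosen.get(TAG_SERVICE_NAME, b"")),
                                (TAG_HOST_UNIQ, self.host_uniq), (TAG_AC_COOKIE, chosen[TAG_AC_COOKIE])])

    def accept_pads(self, frame):
        """Step 4: a PADS echoing our Host-Uniq with a non-zero session id completes discovery."""
        code, session_id, tags = decode(frame)
        if code == PADS and session_id != 0 and tags.get(TAG_HOST_UNIQ) == self.host_uniq:
            self.session_id = session_id
        return self.session_id


class AccessConcentrator:
    def __init__(self, name):
        self.name, self.cookie_key, self.next_session = name.encode(), secrets.token_bytes(16), 1

    def _cookie(self, client_mac):
        # AC-Cookie keeps the AC stateless until a PADR arrives (RFC 2516 appendix A); a keyed
        # hash of the client MAC is this demo's choice, the RFC leaves the construction open.
        return hmac.new(self.cookie_key, client_mac, "sha256").digest()[:8]

    def pado(self, padi_frame, client_mac):
        """Step 2: offer, echoing the client's Host-Uniq and attaching our cookie."""
        code, _, tags = decode(padi_frame)
        if code != PADI:
            return None
        return encode(PADO, 0, [(TAG_AC_NAME, self.name), (TAG_SERVICE_NAME, b"internet"),
                                (TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b"")),
                                (TAG_AC_COOKIE, self._cookie(client_mac))])

    def pads(self, padr_frame, client_mac):
        """Step 4: only a PADR that returns our own cookie gets a session id."""
        code, _, tags = decode(padr_frame)
        if code != PADR or not hmac.compare_digest(tags.get(TAG_AC_COOKIE, b""), self._cookie(client_mac)):
            return None
        sid, self.next_session = self.next_session, self.next_session + 1
        return encode(PADS, sid, [(TAG_SERVICE_NAME, tags.get(TAG_SERVICE_NAME, b"")),
                                  (TAG_HOST_UNIQ, tags.get(TAG_HOST_UNIQ, b""))])


def padi_schedule(initial=5, maximum=60, attempts=5):
    """Seconds between PADIs while no PADO arrives: doubled each time, capped at the maximum."""
    intervals, interval = [], initial
    for _ in range(attempts):
        intervals.append(interval)
        interval = min(interval * 2, maximum)
    return intervals


def discovery_demo():
    """Two ACs hear the broadcast; the client wants 'AC-good'. Returns (session id it was
    granted, whether 'AC-rogue' rejected the PADR that carried the other AC's cookie)."""
    mac = b"\x00\x11\x22\x33\x44\x55"                 # constructed client MAC
    client = Client(wanted_ac=b"AC-good")
    rogue, good = AccessConcentrator("AC-rogue"), AccessConcentrator("AC-good")
    padi = client.padi()
    padr = client.padr_from_offers([rogue.pado(padi, mac), good.pado(padi, mac)])
    return client.accept_pads(good.pads(padr, mac)), rogue.pads(padr, mac) is None
```

Because the PADI is a broadcast, any host on the segment can answer it with a PADO; the client has only the AC-Name and Service-Name tags to choose by, which is why PPP authentication still matters after discovery. On the AC side the AC-Cookie lets the concentrator avoid allocating state for PADIs it never hears back from; the demo shows a PADR carrying another AC’s cookie being refused.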

Question 9

Question 10

CEF & Fast Switching

September 14th, 2015 digitaltut 53 comments

Question 1

Explanation

The command “show ip cef” is used to display the CEF Forwarding Information Base (FIB) table. There are some entries we want to explain:
+ If the “Next Hop” field of a network prefix is set to receive, the entry represents an IP address on one of the router’s interfaces. In this case, 192.168.201.2 and 192.168.201.31 are IP addresses assigned to interfaces on the local router.
+ If the “Next Hop” field of a network prefix is set to attached, the entry represents a network to which the router is directly attached. In this case the prefix 192.168.201.0/27 is a network directly attached to router R2’s Fa0/0 interface.

But there are some special cases:
+ The all-0s host address (for example, 192.168.201.0/32) and the all-1s host address (not present in the output above, but for example 192.168.201.255/32) of a directly attached subnet also show as receive entries.
+ 255.255.255.255/32 is the limited (all-1s) broadcast address, which the router also receives locally.
+ 0.0.0.0/32 is the reserved “this host” address; it appears as a receive entry as well.
+ 0.0.0.0/0 is the default route that matches all other addresses (also known as the “gateway of last resort”). In this case it points to 192.168.201.1 -> Answer C is correct.

Reference: CCNP Routing and Switching ROUTE 300-101 Official Cert Guide

Question 2

Explanation

The “show adjacency” command is used to display information about the Cisco Express Forwarding adjacency table or the hardware Layer 3-switching adjacency table.

There are two known reasons for an incomplete adjacency:
+ The router cannot use ARP successfully for the next-hop interface.
+ After a clear ip arp or a clear adjacency command, the router marks the adjacency as incomplete. Then it fails to clear the entry.

Note: Two nodes in the network are considered adjacent if they can reach each other using only one hop.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/17812-cef-incomp.html

Question 3

Explanation

The “show ip cache” command displays the contents of a router’s fast cache. An example of the output of this command is shown below:

(Figure: example output of the “show ip cache” command)

Note: If CEF is disabled and fast switching is enabled, the router begins to populate its fast cache.

Question 4

Frame Relay Questions

September 10th, 2015 digitaltut 40 comments

Question 1

Explanation

A normal (Ethernet) ARP Request knows the Layer 3 address (IP) and asks for the Layer 2 address (MAC). Frame Relay Inverse ARP, on the other hand, knows the Layer 2 address (DLCI) and asks for the Layer 3 address (IP), which is why it is called “Inverse”. For a detailed explanation of Inverse ARP please read our Frame Relay tutorial – Part 2.

Question 2

Explanation

When saying “Frame Relay point-to-point” network, it means “Frame Relay subinterfaces” run “point-to-point”. Notice that Frame Relay subinterfaces can run in two modes:
+ Point-to-Point: When a Frame Relay point-to-point subinterface is configured, the subinterface emulates a point-to-point network and OSPF treats it as a point-to-point network type
+ Multipoint: When a Frame Relay multipoint subinterface is configured, OSPF treats this subinterface as an NBMA network type.

And there are 4 network types which can be configured with OSPF. The hello & dead intervals of these types are listed below:

Network Type Hello Interval (secs) Dead Interval (secs)
Point-to-Point 10 40
Point-to-Multipoint 30 120
Broadcast 10 40
Non-Broadcast 30 120

Therefore the default OSPF hello interval on a Frame Relay point-to-point network is 10 seconds.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13693-22.html

Question 3

Explanation

Traffic shaping should be used when:
+ The hub site (headquarters) has a much faster link than the spokes (remote sites). In this case we need to rate-limit the hub site so that it does not exceed the remote side’s access rate.
+ The hub site has the same link speed as the spokes, for example both the headquarters and the spokes use T1 links. In this case we need to rate-limit the remote sites so that, combined, they do not overrun the hub.

An example of configuring traffic shaping is shown below:

interface Serial0/1
encapsulation frame-relay
frame-relay traffic-shaping
!
interface Serial0/1.10 point-to-point
ip address 10.10.10.10 255.255.255.0
frame-relay interface-dlci 10 class my_traffic_shaping
!
map-class frame-relay my_traffic_shaping
frame-relay adaptive-shaping becn //Configure the router to respond to frame relay frames that have the BECN bit set
frame-relay cir 128000 //Specify the committed information rate (CIR) for a Frame Relay virtual circuit
frame-relay bc 8000 //Specify the committed burst size (Bc) for a Frame Relay virtual circuit.
frame-relay be 8000 // Specify the excess burst size (Be) for a Frame Relay virtual circuit.
frame-relay mincir 64000 // Specify minimum acceptable CIR for a Frame Relay virtual circuit.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/frame-relay/6151-traffic-shaping-6151.html

Question 4

GRE Tunnel

September 8th, 2015 digitaltut 42 comments

Question 1

Explanation

GRE packets are encapsulated within IP and use IP protocol number 47. GRE itself provides no confidentiality or authentication; anyone who can see the outer IP packets can read the encapsulated payload, which is why GRE is normally combined with IPsec (as in DMVPN) when it crosses an untrusted network.

Question 2

Explanation

A GRE interface definition includes:

+ An IPv4 address on the tunnel
+ A tunnel source
+ A tunnel destination

Below is an example of how to configure a basic GRE tunnel:

interface Tunnel 0
ip address 10.10.10.1 255.255.255.0
tunnel source fa0/0
tunnel destination 172.16.0.2

In this case the “IPv4 address on the tunnel” is 10.10.10.1/24 and “sourced the tunnel from an Ethernet interface” is the command “tunnel source fa0/0”. Therefore it only needs a tunnel destination, which is 172.16.0.2.

Note: A multipoint GRE (mGRE) interface does not require a tunnel destination address.

DMVPN Questions

September 6th, 2015 digitaltut 34 comments

Note: If you are not sure about DMVPN, please read our DMVPN tutorial first.

Question 1

Explanation

From the output we learn that the logical address 10.2.1.2 is mapped to the NBMA address 10.12.1.2. Type “dynamic” means the NBMA address was obtained from an NHRP Request packet. Type “static” means the NBMA address is statically configured. The “authoritative” flag means that the NHRP information was obtained from the Next Hop Server (NHS).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html

Question 2

Explanation

When DMVPN tunnels flap, check the neighborship between the routers as issues with neighborship formation between routers may cause the DMVPN tunnel to flap. In order to resolve this problem, make sure the neighborship between the routers is always up.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29240-dcmvpn.html#Prblm1

Question 3

Explanation

DMVPN is not a protocol, it is the combination of the following technologies:

+ Multipoint GRE (mGRE)
+ Next-Hop Resolution Protocol (NHRP)
+ Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP…) (optional)
+ Dynamic IPsec encryption (optional)
+ Cisco Express Forwarding (CEF)

For more information about DMVPN, please read our DMVPN tutorial.

Question 4

Explanation

To allow communication to multiple sites using only one tunnel interface, we need to configure that tunnel in “multipoint” mode. Otherwise we have to create many tunnel interfaces, each can only communicate to one site.

(Figure: DMVPN topology with a single mGRE tunnel interface on the hub)

 

Question 5

Explanation

An mGRE tunnel inherits the concept of a classic GRE tunnel, but an mGRE tunnel does not require a unique tunnel interface for each connection between hub and spoke as traditional GRE does. One mGRE interface can terminate GRE tunnels from many remote endpoints. Unlike classic GRE tunnels, the tunnel destination of an mGRE tunnel does not have to be configured (NHRP resolves it), and all tunnels on spokes connecting to the mGRE interface of the hub can use the same subnet.

(Figure: DMVPN topology with a single mGRE tunnel interface on the hub)

For more information about DMVPN, please read our DMVPN tutorial.

Question 6

Explanation

GRE tunnels are the first thing we have to configure to create a DMVPN network so we should start troubleshooting from there. NHRP can only work properly with operating GRE tunnels.

Question 7

TCP UDP Questions

September 2nd, 2015 digitaltut 21 comments

Question 1

Explanation

It is a general best practice to not mix TCP-based traffic with UDP-based traffic (especially Streaming-Video) within a single service-provider class because of the behaviors of these protocols during periods of congestion. Specifically, TCP transmitters throttle back flows when drops are detected. Although some UDP applications have application-level windowing, flow control, and retransmission capabilities, most UDP transmitters are completely oblivious to drops and, thus, never lower transmission rates because of dropping.
When TCP flows are combined with UDP flows within a single service-provider class and the class experiences congestion, TCP flows continually lower their transmission rates, potentially giving up their bandwidth to UDP flows that are oblivious to drops. This effect is called TCP starvation/UDP dominance.
TCP starvation/UDP dominance is likely to occur if TCP-based applications are assigned to the same service-provider class as UDP-based applications and the class experiences sustained congestion.
Granted, it is not always possible to separate TCP-based flows from UDP-based flows, but it is beneficial to be aware of this behavior when making such application-mixing decisions within a single service-provider class.

Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/QoS-SRND-Book/VPNQoS.html

Question 2

Question 3

Explanation

TCP Selective Acknowledgement (SACK) prevents unnecessary retransmissions by specifying successfully received subsequent data. Let’s see an example of the advantages of TCP SACK.

(Figure: TCP (normal) acknowledgement versus TCP Selective Acknowledgement)

With normal TCP acknowledgement, when a client requests data the server sends the first three segments (the name for Layer 4 PDUs): Segment#1, #2, #3. Suppose Segment#2 is lost somewhere on the network while Segment#3 still reaches the client. The client checks Segment#3 and realizes Segment#2 is missing, so it can only acknowledge that it received Segment#1 successfully. Because the client received Segment#1 and #3, it sends two ACKs for Segment#1 (the second is a duplicate ACK) to tell the server that it has not received any in-order data beyond Segment#1. After receiving these ACKs, the server must resend Segment#2 and #3 and wait for their ACKs.

With TCP Selective Acknowledgement, the process is the same until the client realizes Segment#2 is missing. It also sends ACK#1, but adds a SACK block to indicate that it has received Segment#3 successfully (so there is no need to retransmit that segment). Therefore the server only needs to resend Segment#2. Notice that after receiving Segment#2, the client sends ACK#3 (not ACK#2) to say that it now has all of the first three segments. The server then continues sending Segment#4, #5, …

The SACK option is not mandatory and it is used only if both parties support it.
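The scenario in the paragraphs above, as an added example in Python (not code from the digitaltut page): the receiver derives the cumulative ACK and SACK blocks (RFC 2018) from the segments it holds, and the sender compares what it would retransmit with and without SACK. Sequence numbers start at 0 and segments are 1000 bytes, both constructed for the demo; fast retransmit, the SYN-time SACK-permitted negotiation and real sockets are not modelled.

```python
"""Added example, not code from the digitaltut page: cumulative ACK and SACK
blocks (RFC 2018) derived from received byte ranges, and the sender's
retransmission decision with and without them. Segment size and starting
sequence number are constructed for the demo."""

SEG = 1000          # bytes per segment in the demo
ISN = 0             # first sequence number of the stream in the demo


def receiver_state(isn, received, max_blocks=3):
    """received: (seq, length) segments that arrived, any order, duplicates allowed.
    Returns (ack, blocks): ack is the next in-order byte expected (the cumulative ACK);
    blocks are the [left, right) byte ranges held above the first hole. A real option
    carries at most 3 blocks next to a timestamp option, hence the cap."""
    merged = []
    for left, right in sorted((s, s + n) for s, n in received):
        if merged and left <= merged[-1][1]:          # overlaps or touches the previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], right))
        else:
            merged.append((left, right))
    ack = isn
    if merged and merged[0][0] <= isn:                # in-order prefix present: advance the ACK
        ack = merged[0][1]
        merged = merged[1:]
    return ack, merged[:max_blocks]


def retransmit_plan(sent, ack, blocks):
    """sent: (seq, length) segments the sender has transmitted.
    Without SACK the sender only learns 'nothing beyond ack is confirmed' and resends
    all of it; with SACK it skips every segment lying inside a reported block.
    Returns (segments resent without SACK, segments resent with SACK)."""
    outstanding = [(s, n) for s, n in sent if s >= ack]
    with_sack = [(s, n) for s, n in outstanding
                 if not any(left <= s and s + n <= right for left, right in blocks)]
    return outstanding, with_sack


def segments(first, count):
    """Consecutive SEG-sized segments starting at segment number 'first' (1-based)."""
    return [(ISN + (i - 1) * SEG, SEG) for i in range(first, first + count)]


def lost_segment_demo():
    """The scenario from the text: #1, #2, #3 sent and #2 lost. Returns the receiver's
    ACK, its SACK blocks, and the two retransmission lists."""
    sent = segments(1, 3)
    arrived = [sent[0], sent[2]]                       # Segment#2 never made it
    ack, blocks = receiver_state(ISN, arrived)
    without, with_ = retransmit_plan(sent, ack, blocks)
    return ack, blocks, without, with_
```

lost_segment_demo() gives ACK 1000 with the block [2000, 3000): without SACK the sender resends segments #2 and #3, with SACK only #2. receiver_state() also reports several holes at once, which a cumulative ACK alone cannot express.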

The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to notify end hosts of impending network congestion. It also provides enhanced support for TCP sessions associated with applications, such as Telnet, web browsing, and transfer of audio and video data that are sensitive to delay or packet loss. The benefit of this feature is the reduction of delay and packet loss in data transmissions. Use the “ip tcp ecn” command in global configuration mode to enable TCP ECN.

The TCP time-stamp option provides improved TCP round-trip time measurements. Because the time stamps are always sent and echoed in both directions and the time-stamp value in the header is always changing, TCP header compression will not compress the outgoing packet. Use the “ip tcp timestamp” command to enable the TCP time-stamp option.

The TCP Keepalive Timer feature provides a mechanism to identify dead connections. When a TCP connection on a routing device is idle for too long, the device sends a TCP keepalive packet to the peer with only the Acknowledgment (ACK) flag turned on. If a response packet (a TCP ACK packet) is not received after the device sends a specific number of probes, the connection is considered dead and the device initiating the probes frees resources used by the TCP connection.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html

Question 4

Explanation

Global synchronization occurs when multiple TCP hosts reduce their transmission rates in response to congestion. But when congestion is reduced, TCP hosts try to increase their transmission rates again simultaneously (known as slow-start algorithm), which causes another congestion. Global synchronization produces this graph:

(Figure: link utilization over time showing TCP global synchronization)

 

Global synchronization reduces the optimal throughput of network applications, and tail drop contributes to this phenomenon. When an interface on a router cannot transmit a packet immediately, the packet is queued. Packets are then taken out of the queue and eventually transmitted on the interface. But if the arrival rate of packets to the output interface exceeds the ability of the router to buffer and forward traffic, the queues grow to their maximum length and the interface becomes congested. Tail drop is the default queuing response to congestion. Tail drop simply means “drop all the traffic that exceeds the queue limit”. Tail drop treats all traffic equally and does not differentiate among classes of service.

Question 5

Explanation

When TCP is mixing with UDP under congestion, TCP flows will try to lower their transmission rate while UDP flows continue transmitting as usual. As a result of this, UDP flows will dominate the bandwidth of the link and this effect is called TCP-starvation/UDP-dominance. This can increase latency and lower the overall throughput.

Question 6

Question 7

Question 8

Explanation

If the speed of an interface is equal to or less than 768 kbps (half of a T1 link), it is considered a low-speed interface. Half a T1 only offers enough bandwidth to allow voice packets to enter and leave without delay issues. Therefore if the speed of the link is smaller than 768 kbps, it should not be configured with a queue.

Distribute List

August 27th, 2015 digitaltut 9 comments

Question 1

Question 2

Explanation

A distribute list is used to filter routing updates either coming into or leaving our router. In this case, the “out” keyword specifies that we want to filter updates leaving our router. Access-list 2 indicates that only the routing update for network 1.2.3.0/24 is allowed (notice that every access-list has an implicit “deny all” at the end, so every other prefix is filtered).

 

NAT Questions

August 25th, 2015 digitaltut 35 comments

Question 1

Question 2

Explanation

First, set aside the effect of the “extendable” keyword. The purpose of the command “ip nat inside source static tcp 192.168.1.50 80 209.165.201.1 8080” is to translate packets arriving on the inside interface with a source IP address of 192.168.1.50 and TCP port 80 to the IP address 209.165.201.1 with port 8080. This also implies that any packet received on the outside interface with a destination address of 209.165.201.1:8080 has its destination translated to 192.168.1.50:80. Therefore answer C is correct.

Answer A is not correct because host 192.168.1.50 uses TCP port 80, not port 8080 (and the command publishes an inside server to the outside, rather than allowing the host to access external websites).

Answer B is not correct because it allows external clients to connect to a web server at 209.165.201.1. The IP addresses of clients should not be 209.165.201.1.

Answer D is not correct because the configuration is correct.

Now we will talk about the keyword “extendable”.

Usually, the “extendable” keyword should be added if the same Inside Local is mapped to different Inside Global Addresses (the IP address of an inside host as it appears to the outside network). An example of this case is when you have two connections to the Internet on two ISPs for redundancy. So you will need to map two Inside Global IP addresses into one inside local IP address. For example:

(Figure: one inside server reached through two ISPs, with a different Inside Global address per ISP)

NAT router:
ip nat inside source static 192.168.1.1 200.1.1.1 extendable
ip nat inside source static 192.168.1.1 200.2.2.2 extendable
//Inside Local: 192.168.1.1 ; Inside Global: 200.1.1.1 & 200.2.2.2

In this case, the traffic from ISP1 and ISP2 to the Server is straightforward, as ISP1 will use 200.1.1.1 and ISP2 will use 200.2.2.2 to reach the Server. But how about the traffic from the Server to the ISPs? In other words, how does the NAT router know which IP (200.1.1.1 or 200.2.2.2) it should use to send traffic to ISP1 & ISP2 (this is called “ambiguous from the inside”)? We tested in GNS3 and it worked correctly! So we guess the NAT router compared the Inside Global addresses with all of the IP addresses of the “ip nat outside” interfaces and chose the most suitable one to forward traffic.

This is what Cisco explained about “extendable” keyword:

“They might also want to define static mappings for a particular host using each provider’s address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as “extendable”. For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation”.

(Reference: http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html)

But it is unclear, what will happen if we don’t use a route-map?

Question 3

Explanation

The command “ip nat inside source list 1 int s0/0 overload” translates all source addresses that pass access list 1 (which here means all IP addresses) into the address assigned to the S0/0 interface. The overload keyword allows multiple inside addresses to be mapped to a single registered IP address (many-to-one, also called PAT) by using different source ports.

Question 4

Explanation

The command “ip nat inside source list 10 interface FastEthernet0/1 overload” configures NAT to overload on the address that is assigned to the Fa0/1 interface.

EVN & VRF Questions

August 24th, 2015 digitaltut 20 comments

Quick review:

Easy Virtual Network (EVN) is an IP-based network virtualization solution that helps network administrators provide traffic separation and path isolation on a shared network infrastructure. EVN uses the existing Virtual Routing and Forwarding (VRF)-Lite technology to:
+ Simplify Layer 3 network virtualization
+ Improve shared services support
+ Enhance management, troubleshooting, and usability

Question 1

Explanation

All the subinterfaces and associated EVNs have the same IP address assigned. In other words, a trunk interface is identified by the same IP address in different EVN contexts. EVN automatically generates subinterfaces for each EVN. For example, both Blue and Green VPN Routing and Forwarding (VRF) use the same IP address of 10.0.0.1 on their trunk interface:

vrf definition Blue
vnet tag 100
vrf definition Green
vnet tag 200
!
interface gigabitethernet0/0/0
vnet trunk
ip address 10.0.0.1 255.255.255.0

-> A is correct.

In fact answers B and C are not correct because each EVN has its own separate routing table and forwarding table.

Note: The combination of the VPN IP routing table and the associated VPN IP forwarding table is called a VPN routing and forwarding (VRF) instance.

Question 2

Explanation

EVN is supported on any interface that supports 802.1q encapsulation, for example, an Ethernet interface. Instead of adding a new field to carry the VNET tag in a packet, the VLAN ID field in 802.1q is repurposed to carry a VNET tag. The VNET tag uses the same position in the packet as a VLAN ID. On a trunk interface, the packet gets re-encapsulated with a VNET tag. Untagged packets carrying the VLAN ID are not EVN packets and could be transported over the same trunk interfaces.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html

Question 3

Explanation

An example of using the “autonomous-system {autonomous-system-number}” command is shown below:

router eigrp 100
address-family ipv4 vrf Cust
network 192.168.12.0
autonomous-system 100
no auto-summary

This configuration is performed on the Provider Edge (PE) router to run EIGRP with a Customer Edge (CE) router. The “autonomous-system 100” command indicates that EIGRP AS 100 is running between the PE and CE routers; inside a VRF address family the AS number must be set explicitly with this command.

Question 4

Question 5

Question 6

Explanation

EVN builds on the existing IP-based virtualization mechanism known as VRF-Lite. EVN provides enhancements in path isolation, simplified configuration and management, and improved shared services support.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Presumably the “improved shared services support” term here refers to sharing routes between different VRFs (through route targets and MP-BGP).

Question 7

Explanation

This question is not clear, because we have to configure a static route pointing to the global routing table while it states that “all interfaces are in the same VRF”. But we should understand that both the outside and inside interfaces want to ping the loopback interface.

Question 8

Explanation

EVN supports IPv4, static routes, Open Shortest Path First version 2 (OSPFv2), and Enhanced Interior Gateway Routing Protocol (EIGRP) for unicast routing, and Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) for IPv4 Multicast routing. EVN also supports Cisco Express Forwarding (CEF) and Simple Network Management Protocol (SNMP).

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html

Question 9

Explanation

A route target is attached to each VPN route when it is exported. In other words, when a prefix is exported with a route target, an extended BGP community is attached to that prefix. If this community matches the (import) route target of the receiving side, the prefix is imported into the receiving VRF.

OSPF Questions

August 23rd, 2015 digitaltut 30 comments

Question 1

Explanation

LSA Type 7 is generated by an ASBR inside a Not So Stubby Area (NSSA) to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 by the NSSA ABR as it leaves the NSSA. These routes appear as N1 or N2 in the routing table inside the NSSA. Much like LSA 5 (E1/E2), N2 carries only the external cost while N1 is a cumulative cost that adds the internal cost up to the ASBR -> LSA Type 7 only exists in an NSSA area.

Question 2

Question 3

Explanation

Answer B is not correct because using “passive-interface” command on ASW1 & ASW2 does not prevent DSW1 & DSW2 from sending routing updates to two access layer switches.

EIGRP Questions

August 23rd, 2015 digitaltut 21 comments

Question 1

Explanation

By default, EIGRP load-shares over up to four equal-cost paths (the “maximum-paths” default). EIGRP also supports unequal-cost load balancing via the “variance” command.

Question 2

Explanation

The table below lists the default administrative distance values of popular routing protocols:

Routing Protocols Default Administrative Distance
EIGRP 90
OSPF 110
RIP 120
eBGP 20
iBGP 200
Connected interface 0
Static route 1

BGP Questions

August 22nd, 2015 digitaltut 21 comments

Question 1

Explanation

Private autonomous system (AS) numbers, which range from 64512 to 65535 in the 16-bit space, are used to conserve globally unique AS numbers. Globally unique AS numbers (1 to 64511) are assigned by IANA through the regional Internet registries (the reference below still names InterNIC). Private AS numbers must not be leaked into the global Border Gateway Protocol (BGP) table because they are not unique (BGP best-path selection expects unique AS numbers); they are stripped from the AS path with the “neighbor … remove-private-as” command before an update is sent to an external peer.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13756-32.html

Unicast Reverse Path Forwarding

August 20th, 2015 digitaltut 19 comments

Question 1

Explanation

The Unicast Reverse Path Forwarding feature (Unicast RPF) helps the network guard against malformed or “spoofed” IP packets passing through a router. A spoofed IP address is one that is manipulated to have a forged IP source address. Unicast RPF enables the administrator to drop packets that lack a verifiable source IP address at the router.

Unicast RPF is enabled on a router interface. When this feature is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface. Cisco Express Forwarding (CEF) is required on the router because the Forwarding Information Base (FIB) is the mechanism checked for the interface match.

Unicast RPF works in one of three modes:
+ Strict mode: the router performs two checks on every packet received on the interface. First, does the FIB have a route for the source address? Second, does that route point back out the interface on which the packet arrived?
+ Loose mode: the router only checks whether the FIB has a route for the source address; the interface does not matter.
+ VRF mode: applies either loose or strict checking within a given VRF, evaluating the packet’s source address against the VRF table configured for an eBGP neighbor.

Reference: CCIE Routing and Switching v4.0 Quick Reference, 2nd Edition

Question 2

Explanation

When Unicast Reverse Path Forwarding is enabled, the router checks packets that arrive inbound on the interface to see whether the source address matches the receiving interface.

Question 3

Explanation

First we need to understand the “allow-default” keyword here:

Normally, uRPF drops traffic whose source address is reachable only via the default route. The “allow-default” keyword overrides this behavior, so a source that matches only the default route also passes the check.

In answer A, the “ip verify unicast source reachable-via rx allow-default” command under interface Fa0/0 enables uRPF strict mode on Fa0/0. Every source whose best route points out Fa0/0 is accepted on that interface, including (thanks to allow-default) sources that match only the default route; 172.16.1.0/24 is one of them. Sources in 10.0.0.0/8 fail the check because the FIB reaches that network through Fa0/1, not Fa0/0. The network 10.0.0.0/8 can therefore enter the TUT router only on Fa0/1, thus “limiting spoofed 10.0.0.0/8 hosts that could enter the router”.

Question 4

Explanation

Unicast Reverse Path Forwarding (uRPF) examines the source IP address of incoming packets. If it matches with the interface used to reach this source IP then the packets are allowed to enter (strict mode).

uRPF.jpg

The syntax of configuring uRPF in interface mode is:

ip verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-number]
The any option enables a Loose Mode uRPF on the router. This mode allows the router to reach the source address via any interface.
The rx option enables a Strict Mode uRPF on the router. This mode ensures that the router reaches the source address only via
the interface on which the packet was received.
You can also use the allow-default option, so that the default route can match when checking source address -> Answer “allow default route” is a valid option
The allow-self-ping option allows the router to ping itself -> Answer “allow self ping to router” is a valid option.
Another feature of uRPF is we can use an access-list to specify the traffic we want or don’t want to check -> Answer “allow based on ACL match” is a valid option. An example is shown below:
Router(config)#access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#interface fa0/1
Router(config-if)#ip verify unicast source reachable-via any 110
Note: Access-list “permit” statements allow traffic to be forwarded even if they fail the Unicast RPF check, access list deny statements will drop traffic matched that fail the Unicast RPF check. In above example, 192.168.1.0/24 network is allowed even if it failed uRPF check.
The last option, “source reachable via both”, does not correspond to any keyword of the command (the only choices are rx and any), so it is the answer to pick here, even though its wording loosely hints at loose mode.
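The following Python model of the check is added here as an illustration; it is not Cisco’s implementation. It walks through the cases discussed in Questions 1, 3 and 4 (strict versus loose mode, allow-default, and the ACL exemption) against a constructed FIB for the TUT router: 10.0.0.0/8 behind Fa0/1, with 172.16.1.0/24 and the default route out Fa0/0. The interface names, FIB contents and ACL 110 are assumptions made for the example.

```python
import ipaddress

# Constructed FIB (assumption, not from the page): prefix -> egress interface.
# 10.0.0.0/8 sits behind Fa0/1; everything else, including the default route, is via Fa0/0.
FIB = {
    "0.0.0.0/0": "Fa0/0",
    "172.16.1.0/24": "Fa0/0",
    "10.0.0.0/8": "Fa0/1",
}

# Constructed ACL 110 as on the page: permit 192.168.1.0/24, implicit deny at the end.
ACL_110 = [("permit", "192.168.1.0/24")]


def fib_lookup(fib, src):
    """Longest-prefix match of the source address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, intf in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def acl_permits(acl, src):
    """First matching entry wins; no match means the IOS implicit deny."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def urpf_check(src, in_intf, mode="rx", allow_default=False, acl=None, fib=FIB):
    """Model 'ip verify unicast source reachable-via {rx|any} [allow-default] [acl]'.

    Returns True if the packet is forwarded and False if uRPF drops it.
    """
    hit = fib_lookup(fib, src)
    if hit is None:
        passed = False                      # no route back to the source at all
    else:
        net, intf = hit
        if net.prefixlen == 0 and not allow_default:
            passed = False                  # only the default route matches
        elif mode == "any":
            passed = True                   # loose mode: any route is enough
        else:
            passed = intf == in_intf        # strict mode: must be the receiving interface
    if passed:
        return True
    # A packet that failed the check is matched against the ACL:
    # permit -> forwarded anyway, deny or no match -> dropped.
    return acl is not None and acl_permits(acl, src)
```

With this model, `urpf_check("10.1.2.3", "Fa0/0", "rx", allow_default=True)` is False (the 10/8 route points to Fa0/1), while the same source on Fa0/0 in loose mode passes, and `urpf_check("192.168.1.9", "Fa0/1", "any", acl=ACL_110)` passes only because ACL 110 permits it.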

IP Services Questions

August 17th, 2015 digitaltut 10 comments

Question 1

Explanation

The switch validates DHCP packets received on the untrusted interfaces of VLANs with DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case the packet is dropped):
+ The switch receives a packet (such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet) from a DHCP server outside the network or firewall.
+ The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.
+ The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
+ The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html#wp1101946
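As an added example (not the switch’s code), the following Python parses a DHCP payload and applies the four drop conditions listed above to frames arriving on untrusted ports. The port names, trusted-port set, binding table and sample packets are all constructed for the example.

```python
import struct

BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed part (RFC 2131)
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK",
             6: "NAK", 7: "RELEASE", 8: "INFORM", 10: "LEASEQUERY"}
SERVER_MSGS = {"OFFER", "ACK", "NAK", "LEASEQUERY"}   # types the list above treats as server-originated
ZERO_IP = b"\0\0\0\0"


def ip4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_dhcp(msg_type, chaddr, ciaddr="0.0.0.0", giaddr="0.0.0.0", xid=0x3903F326):
    """Constructed DHCP payload: BOOTP fixed fields, magic cookie, option 53, end option."""
    op = 2 if msg_type in (2, 5, 6) else 1          # BOOTREPLY for OFFER/ACK/NAK
    fixed = BOOTP.pack(op, 1, 6, 0, xid, 0, 0, ip4(ciaddr), ZERO_IP, ZERO_IP, ip4(giaddr),
                       chaddr.ljust(16, b"\0"), b"", b"")
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return the fields DHCP snooping needs; raises on malformed input."""
    if len(payload) < BOOTP.size + 4 or payload[BOOTP.size:BOOTP.size + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _, hlen, _, _, _, _, ciaddr, _, _, giaddr, chaddr, _, _ = BOOTP.unpack_from(payload)
    msg_type, off = None, BOOTP.size + 4
    while off < len(payload) and payload[off] != 255:   # walk TLV options until End
        if payload[off] == 0:                           # Pad option has no length byte
            off += 1
            continue
        code, length = payload[off], payload[off + 1]
        if code == 53 and length == 1:
            msg_type = payload[off + 2]
        off += 2 + length
    return {"op": op, "chaddr": chaddr[:hlen], "ciaddr": ciaddr, "giaddr": giaddr,
            "msg": MSG_TYPES.get(msg_type, msg_type)}


def snoop(frame_src_mac, in_port, payload, trusted, bindings, mac_verify=True):
    """Apply the drop conditions from the list above. Returns None to forward, else the reason."""
    if in_port in trusted:
        return None                                     # trusted ports are not validated
    d = parse_dhcp(payload)
    if d["msg"] in SERVER_MSGS:
        return "server message on untrusted port"
    if mac_verify and frame_src_mac != d["chaddr"]:
        return "frame source MAC does not match client hardware address"
    if d["msg"] in ("RELEASE", "DECLINE"):
        binding = bindings.get(d["chaddr"])             # (ip, port) learned for this MAC
        if binding is not None and binding[1] != in_port:
            return "RELEASE/DECLINE for a binding learned on another port"
    if d["giaddr"] != ZERO_IP:
        return "relay agent address set on untrusted port"
    return None


# Constructed state: one trusted uplink and one existing binding mac -> (ip, port)
TRUSTED = {"Gi1/0/24"}
CLIENT_MAC = bytes.fromhex("001122334455")
BINDINGS = {CLIENT_MAC: ("10.0.0.10", "Gi1/0/5")}
```

A rogue DHCP server on an access port is caught by the first condition; a client spoofing another host’s `chaddr` is caught by the MAC check, and a RELEASE injected from a port other than the one the lease was learned on is rejected, which is the case that protects existing bindings from being torn down by a neighbor.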

Question 2

Explanation

We can test the action of HSRP by tracking the loopback interface and decrease the HSRP priority so that the standby router can take the active role.

Question 3

Explanation

The “ip http secure-port” command sets the port number on which the secure HTTP (HTTPS) server listens.

Question 4

Explanation

This command shows IPsec Security Associations (SAs) built between peers. An example of the output of above command is shown below:

Router#show crypto ipsec sa
interface: FastEthernet0
    Crypto map tag: test, local addr. 12.1.1.1
   local  ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 12.1.1.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
    #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0,
    #pkts decompress failed: 0, #send errors 1, #recv errors 0
     local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 3D3
     inbound esp sas:
      spi: 0x136A010F(325714191)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3D3(979)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4608000/52)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:

The first part shows the interface and the crypto map name associated with it. Then the inbound and outbound SAs are shown; these can be AH, ESP or PCP (compression) SAs. In this case, because only ESP is used, the AH and PCP sections are empty in both directions. Note that the transform set in this sample output, esp-3des esp-md5-hmac, is a legacy combination; current deployments should use AES (preferably AES-GCM) with SHA-2 based integrity.

Note: “inbound crypto map” in the question probably refers to the crypto map name.

IP SLA Questions

August 15th, 2015 digitaltut 20 comments

Question 1

Question 2

Explanation

IP SLA PBR (Policy-Based Routing) Object Tracking allows you to make sure that the next hop is reachable before that route is used. If the next hop is not reachable, another route is used as defined in the PBR configuration. If no other route is present in the route map, the routing table is used.

An example of configuring PBR based on tracking object is shown below:

//Configure and schedule the IP SLA operation that probes the next hop
ip sla 1
icmp-echo 10.3.3.2
ip sla schedule 1 life forever start-time now
!
//Configure an object that tracks the reachability result of the operation
track 1 ip sla 1 reachability
!
//Configure the ACL that selects the traffic to be policy-routed (NX-OS syntax, as in the reference)
ip access-list ACL
permit ip 10.2.2.0/24 10.1.1.1/32
!
//Configure the PBR route map; a next hop is used only while its track object is up
route-map PBR
match ip address ACL
set ip next-hop verify-availability 10.3.3.2 track 1
//A second “set ip next-hop verify-availability … track 2” entry with its own next hop and track object (not shown on the page) would be the fallback used when track 1 fails
!
//Apply the PBR policy on the incoming interface of the router
interface ethernet 0/0
ip address 10.2.2.1 255.255.255.0
ip policy route-map PBR

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/IPSLA/configuration/guide/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6-x/b_Cisco_Nexus_7000_Series_NX-OS_IP_SLAs_Configuration_Guide_rel_6-x_chapter_01000.html

Question 3

Explanation

The keyword “tcp-connect” enables the responder for TCP connect operations. TCP is a connection-oriented transport layer protocol -> C is correct.

Question 4

Explanation

The “num-packets” specifies the number of packets to be sent for a jitter operation.

The “frequency” is the rate (in seconds) at which this IP SLA operation repeats. The “tos” defines a type of service (ToS) byte in the IP header of this IP SLA operation.

Question 5

Explanation

When enabled, the IP SLAs Responder allows the target device to take two time stamps both when the packet arrives on the interface at interrupt level and again just as it is leaving, eliminating the processing time. At times of high network activity, an ICMP ping test often shows a long and inaccurate response time, while an IP SLAs test shows an accurate response time due to the time stamping on the responder.

An additional benefit of the two time stamps at the target device is the ability to track one-way delay, jitter, and directional packet loss. Because much network behavior is asynchronous, it is critical to have these statistics. However, to capture one-way delay measurements the configuration of both the source device and target device with Network Time Protocol (NTP) is required. Both the source and target need to be synchronized to the same clock source. One-way jitter measurements do not require clock synchronization.

Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipsla/configuration/15-mt/sla-15-mt-book/sla_overview.html

Question 6

Question 7

SNMP Questions

August 14th, 2015 digitaltut 6 comments

Question 1

Explanation

“The engineer is not concerned with authentication or encryption” so we don’t need to use SNMP version 3. And we only use “one-way SNMP notifications” so SNMP messages should be sent as traps (no acknowledgement from the SNMP server is required, as it would be with informs) -> A is correct. Keep in mind that SNMPv2c traps travel in clear text and carry the community string, so the collector should only be reachable over a management network.

Question 2

Explanation

The three SNMP security levels are defined by SNMPv3. SNMPv1 and SNMPv2c have no comparable mechanism: they authenticate only with a clear-text community string, which is equivalent to noAuthNoPriv.

+ noAuthNoPriv: security level that provides neither authentication nor encryption.
+ authNoPriv: security level that provides authentication but no encryption.
+ authPriv: security level that provides both authentication and encryption.

For SNMPv3, the noAuthNoPriv level authenticates by username match only (no HMAC, no encryption).

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/sm_snmp.html

Question 3

Explanation

The SNMPv3 agent supports the following set of security levels:
+ NoAuthNoPriv: communication without authentication and privacy.
+ AuthNoPriv: communication with authentication but without privacy. The authentication protocols are HMAC-MD5 and HMAC-SHA (Secure Hash Algorithm).
+ AuthPriv: communication with both authentication and privacy. Authentication uses MD5 or SHA; privacy (encryption) uses DES (Data Encryption Standard), 3DES or AES (Advanced Encryption Standard). On Cisco IOS the privacy protocols are only available in images with the cryptographic (k9) feature set. MD5 and DES are legacy algorithms; use SHA for authentication and AES for privacy where the platform supports them.

Question 4

Explanation

The SNMPv3 security levels are the same three described under Question 3: NoAuthNoPriv, AuthNoPriv and AuthPriv.

In the CLI, the “priv” keyword selects AuthPriv, “noauth” selects NoAuthNoPriv and “auth” selects AuthNoPriv. The following example configures a remote user to receive traps at the “priv” security level when the SNMPv3 security model is enabled:
Router(config)# snmp-server group group1 v3 priv
Router(config)# snmp-server user PrivateUser group1 remote 1.2.3.4 v3 auth md5 password1 priv access des56
Note that MD5 and DES in this example are legacy choices; on current images prefer “auth sha” together with “priv aes 128” (or stronger).
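To make the authentication part of these levels concrete, here is an added Python example (not Cisco code) that derives the keys that “auth md5” and “auth sha” actually use: the RFC 3414 password-to-key expansion, localization with the agent’s snmpEngineID, and the 12-byte HMAC-96 authentication parameter that authNoPriv and authPriv put in each message. The engineID and message bytes are constructed; the keys derived from the password “maplesyrup” with engineID 000000000000000000000002 are the RFC 3414 appendix test vectors.

```python
import hashlib
import hmac

HASH_FOR_PROTO = {"md5": "md5", "sha": "sha1"}   # the IOS keywords 'auth md5' / 'auth sha'


def password_to_key(password, auth_proto):
    """RFC 3414 A.2: Ku = H(first 1,048,576 bytes of the password repeated end to end)."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (1_048_576 // len(pw) + 1))[:1_048_576]
    return hashlib.new(HASH_FOR_PROTO[auth_proto], expanded).digest()


def localize_key(ku, engine_id, auth_proto):
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku).

    The same password yields a different key on every agent, so a key captured
    from one device does not work against another.
    """
    return hashlib.new(HASH_FOR_PROTO[auth_proto], ku + engine_id + ku).digest()


def auth_parameters(kul, whole_msg, auth_proto):
    """HMAC-96: msgAuthenticationParameters is the first 12 bytes of HMAC(Kul, message)."""
    return hmac.new(kul, whole_msg, HASH_FOR_PROTO[auth_proto]).digest()[:12]


def verify(kul, whole_msg, received_params, auth_proto):
    """Constant-time check of the tag; a mismatch means a modified or forged PDU."""
    expected = auth_parameters(kul, whole_msg, auth_proto)
    return hmac.compare_digest(expected, received_params)


# Constructed engineID from the RFC 3414 test vectors (assumption for the example)
EXAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```

At noAuthNoPriv none of this runs, which is why that level offers no protection against a forged request; at authNoPriv the HMAC is checked but the PDU is still readable on the wire.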

NetFlow Questions

August 13th, 2015 digitaltut 7 comments

If you are not sure about NetFlow, please read our NetFlow tutorial.

Quick review:

NetFlow is a protocol for reporting information about the traffic that passes through a router, switch or other network device. NetFlow collects and summarizes the data carried over the device and then transmits that summary to a NetFlow collector for storage and analysis. An IP flow is identified by a set of five, and up to seven, IP packet attributes, which may include the following:
+ Destination IP address
+ Source IP address
+ Source port
+ Destination port
+ Layer 3 protocol type
+ Class of Service (optional)
+ Router or switch interface (optional)

Question 1

Explanation

The “show ip flow export” command is used to display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches. An example of the output of this command is shown below:

Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
Version 5 flow records
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops

The “output drops” line indicates the total number of export packets that were dropped because the send queue was full while the packet was being transmitted.

Reference: http://www.cisco.com/en/US/docs/ios/12_3t/netflow/command/reference/nfl_a1gt_ps5207_TSD_Products_Command_Reference_Chapter.html#wp1188401

Question 2

Explanation

In general, NetFlow requires CEF in most recent IOS releases. CEF determines the interface the traffic is sent out of. With CEF disabled, the router does not record a specific output interface in the NetFlow records, so a NetFlow collector cannot show the OUT traffic for the interface.

Question 3

Explanation

This command is used to display the current status of the specific flow exporter, in this case Flow_Exporter-1. For example

N7K1# show flow export
Flow exporter Flow_Exporter-1:
    Description: Fluke Collector
    Destination: 10.255.255.100
    VRF: default (1)
    Destination UDP Port 2055
    Source Interface Vlan10 (10.10.10.5)
    Export Version 9
    Exporter Statistics
        Number of Flow Records Exported 726
        Number of Templates Exported 1
        Number of Export Packets Sent 37
        Number of Export Bytes Sent 38712
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 0
        Time statistics were last cleared: Thu Feb 15 21:12:06 2015

Question 4

Explanation

The sampling mode determines the algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode, incoming packets are randomly selected so that one out of each n sequential packets is selected on average for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th, 120th, 299th, 302nd, and so on packets. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you can configure.

In the above output we can learn the number of packets that has been sampled is 10. The sampling mode is “random sampling mode” and sampling interval is 100 (NetFlow samples 1 out of 100 packets).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfstatsa.html

Question 5

Explanation

The “ip flow-export destination 10.10.10.1 5858” command exports the information captured by the “ip flow-capture” command to the collector at 10.10.10.1. “5858” is the UDP port to which the NetFlow export packets are sent (2055 is the port most collectors listen on by convention). The syntax of this command is:

ip flow-export destination ip-address [udp-port] [version 5 {origin-as | peer-as}]
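The following Python is added here and is not part of Cisco’s NetFlow implementation. It packs a version 5 export datagram in the layout that “ip flow-export … version 5” emits, then parses it on the collector side, checks the record count against the datagram length, and aggregates bytes per the seven-attribute flow key from the quick review above. The flow records, addresses and the 1-in-100 sampling values in the header are constructed test data.

```python
import struct
import ipaddress
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "First", "Last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

# Constructed flow records (test data, not a capture). The first two share one flow key.
SAMPLE_RECORDS = [
    dict(srcaddr="10.2.2.10", dstaddr="203.0.113.5", nexthop="10.3.3.2", input=1, output=2,
         dPkts=40, dOctets=5200, First=100, Last=900, srcport=51515, dstport=443,
         tcp_flags=0x1b, prot=6, tos=0, src_as=0, dst_as=64496, src_mask=24, dst_mask=24),
    dict(srcaddr="10.2.2.10", dstaddr="203.0.113.5", nexthop="10.3.3.2", input=1, output=2,
         dPkts=6, dOctets=800, First=950, Last=1200, srcport=51515, dstport=443,
         tcp_flags=0x18, prot=6, tos=0, src_as=0, dst_as=64496, src_mask=24, dst_mask=24),
    dict(srcaddr="10.2.2.11", dstaddr="10.1.1.1", nexthop="0.0.0.0", input=1, output=3,
         dPkts=2, dOctets=140, First=300, Last=301, srcport=40000, dstport=53,
         tcp_flags=0, prot=17, tos=0, src_as=0, dst_as=0, src_mask=24, dst_mask=32),
]


def build_v5_datagram(records, sampling_mode=0, sampling_interval=0, seq=0):
    """Exporter side: one v5 header followed by the packed records."""
    body = b"".join(V5_RECORD.pack(
        ipaddress.ip_address(r["srcaddr"]).packed, ipaddress.ip_address(r["dstaddr"]).packed,
        ipaddress.ip_address(r["nexthop"]).packed, r["input"], r["output"], r["dPkts"],
        r["dOctets"], r["First"], r["Last"], r["srcport"], r["dstport"], 0, r["tcp_flags"],
        r["prot"], r["tos"], r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0)
        for r in records)
    # v5 packs a 2-bit sampling mode and a 14-bit sampling interval into one 16-bit field
    sampling = ((sampling_mode & 0x3) << 14) | (sampling_interval & 0x3FFF)
    header = V5_HEADER.pack(5, len(records), 123456, 1440000000, 0, seq, 0, 0, sampling)
    return header + body


def parse_v5_datagram(data):
    """Collector side: validate the header and return (header_dict, list of record dicts)."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")   # truncated or forged
    header = {"count": count, "flow_sequence": seq, "sysuptime_ms": uptime, "unix_secs": secs,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        raw = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(ipaddress.ip_address(rec[key]))
        flows.append(rec)
    return header, flows


def flow_key(rec):
    """The seven attributes listed above: addresses, ports, protocol, ToS and input ifIndex."""
    return (rec["srcaddr"], rec["dstaddr"], rec["srcport"], rec["dstport"],
            rec["prot"], rec["tos"], rec["input"])


def bytes_per_flow(flows, sampling_interval=0):
    """Octets per flow key, scaled up by the interval when 1-in-N sampled NetFlow was used."""
    scale = sampling_interval or 1
    totals = defaultdict(int)
    for rec in flows:
        totals[flow_key(rec)] += rec["dOctets"] * scale
    return dict(totals)
```

Gaps in `flow_sequence` between successive datagrams are how a collector notices export packets lost on the way (the “output drops” counter on the router side is the other half of that picture), and the length check rejects a datagram whose header claims more records than it carries.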

Question 6

Explanation

Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the record, which is configured for the flow monitor and stored in the flow monitor cache.
For example, the following example creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#

(Reference: http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html#wp1314030)

Question 7

Question 8

Explanation

The following is an example of configuring an interface to capture flows into the NetFlow cache. CEF followed by NetFlow flow capture is configured on the interface:

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
or
Router(config-if)# ip route-cache flow

Note: Either ip flow ingress or ip route-cache flow command can be used depending on the Cisco IOS Software version. Ip flow ingress is available in Cisco IOS Software Release 12.2(15)T or above.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Question 9

Question 10

Explanation

There are two primary methods to access NetFlow data: the Command Line Interface (CLI) with show commands or utilizing an application reporting tool. If you are interested in an immediate view of what is happening in your network, the CLI can be used. The other choice is to export NetFlow to a reporting server or what is called the “NetFlow collector”.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

NTP Questions

August 12th, 2015 digitaltut 9 comments

Question 1

Explanation

The command “ntp master [stratum]” is used to configure the device as an authoritative NTP server. You can specify a different stratum level from which NTP clients get their time synchronized. The range is from 1 to 15.

The stratum levels define the distance from the reference clock. A reference clock is a stratum 0 device that is assumed to be accurate and has little or no delay associated with it. Stratum 0 servers cannot be used on the network but they are directly connected to computers which then operate as stratum-1 servers. A stratum 1 time server acts as a primary network time standard.

A stratum 2 server is connected to the stratum 1 server; then a stratum 3 server is connected to the stratum 2 server and so on. A stratum 2 server gets its time via NTP packet requests from a stratum 1 server. A stratum 3 server gets its time via NTP packet requests from a stratum-2 server… A stratum server may also peer with other stratum servers at the same level to provide more stable and robust time for all devices in the peer group (for example a stratum 2 server can peer with other stratum 2 servers).

Question 2

Explanation

The “ntp broadcast client” command is used under interface mode to allow the device to receive Network Time Protocol (NTP) broadcast packets on that interface.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1123148

Question 3

IPv6 Questions

August 10th, 2015 digitaltut 12 comments

Question 1

Explanation

Dual stack runs IPv4 and IPv6 side by side on the same devices and links: each host and router has both an IPv4 and an IPv6 address and forwards each packet natively with the matching protocol stack, so no translation or tunneling takes place. It is the most common and simplest transition technique, but every device on the path must support both protocols.

6to4 tunneling relies on the reserved address space 2002::/16 (you must remember this range). The 6to4 prefix of a site is derived by appending the border router’s globally unique IPv4 address to the 2002::/16 prefix, in this format:

2002:border-router-IPv4-address::/48

For example, if the border router’s IPv4 address is 64.101.64.1, the site prefix is 2002:4065:4001::/48 (4065:4001 is the hexadecimal form of 64.101.64.1) and the tunnel interface can use 2002:4065:4001:1::/64. Because the destination border router’s IPv4 address is embedded in the IPv6 destination address, 6to4 sites communicate over an IPv4 network without explicit tunnel setup; only the 6to4 border routers need to support it, since the intermediate IPv4 routers simply forward IPv4 packets (protocol 41).

NAT-PT provides IPv4/IPv6 protocol translation. It resides within an IP router situated at the boundary of an IPv4 network and an IPv6 network. By installing NAT-PT between an IPv4 and an IPv6 network, all IPv4 users are given access to the IPv6 network without modification of the local IPv4 hosts, and equally all hosts on the IPv6 network are given access to the IPv4 hosts without modification of the local IPv6 hosts. This is accomplished with a pool of IPv4 addresses assigned to IPv6 nodes dynamically as sessions are initiated across the IPv4/IPv6 boundary. Note that NAT-PT has been deprecated (RFC 4966); the current translation approach is NAT64 with DNS64.

Question 2

Explanation

Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure (a core network or the Internet). By using overlay tunnels, you can communicate with isolated IPv6 networks without upgrading the IPv4 infrastructure between them. Overlay tunnels can be configured between border routers or between a border router and a host; however, both tunnel endpoints must support both the IPv4 and IPv6 protocol stacks.

IPv6_tunneling.jpg

Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-tunnel.html

Question 3

Explanation

In stateless autoconfiguration mode, hosts listen for Router Advertisement (RA) messages, which the router sends periodically and in response to Router Solicitations; no DHCP server is involved. The RA lets a host build a global IPv6 address from:
+ its interface identifier (for example the modified EUI-64 derived from its MAC address)
+ the link prefix obtained from the RA
Note: the global address is the combination of the link prefix and the EUI-64 interface identifier.

Question 4

Explanation

The IPv6 EUI-64 interface identifier is derived from the 48-bit MAC address. The MAC address is split into two 24-bit halves, the OUI (Organizationally Unique Identifier) and the NIC-specific part, and the 16-bit value 0xFFFE is inserted between them to form the 64-bit identifier. IEEE reserves FFFE for this purpose, so it can only appear in an EUI-64 generated from an EUI-48 MAC address.

In this question, the MAC address C601.420F.0007 is divided into two 24-bit parts, “C60142” (OUI) and “0F0007” (NIC), and “FFFE” is inserted in the middle, giving C601:42FF:FE0F:0007.

Then, per RFC 4291 (which obsoletes RFC 3513), the Universal/Local (“U/L”) bit, the seventh bit of the first octet (value 0x02), is inverted to produce the modified EUI-64. In the modified format a 1 indicates a universally administered address and a 0 a locally administered one. The step is an inversion, not a set: C6 = 1100 0110 already has that bit set, so inverting it clears the bit and gives C4 = 1100 0100. The interface identifier is therefore C401:42FF:FE0F:0007.

Therefore with the subnet 2001:DB8:0:1::/64, the full IPv6 address is 2001:DB8:0:1:C401:42FF:FE0F:7/64, which is also what a Cisco router derives from that MAC. An answer choice of 2001:DB8:0:1:C601:42FF:FE0F:7 is what you get only if the inversion step is skipped.
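Added Python example (not from the page or from Cisco) that performs the EUI-64 derivation above for any MAC, including the U/L inversion, and forms the SLAAC and link-local addresses; it generalizes the single worked MAC to arbitrary input in the common dotted, colon and dash notations.

```python
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept C601.420F.0007, c6:01:42:0f:00:07 or c6-01-42-0f-00-07."""
    digits = re.sub(r"[.:-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)


def modified_eui64(mac):
    """Split the 48-bit MAC, insert FFFE, then invert the U/L bit (0x02 of the first octet)."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02          # invert, not set: C6 -> C4, 00 -> 02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Combine a /64 prefix with the modified EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def link_local_address(mac):
    """The FE80::/64 address a host forms for itself before any RA arrives."""
    return slaac_address("fe80::/64", mac)
```

Because the interface identifier is a function of the MAC, it stays the same across prefixes and over time, which is why hosts that care about tracking use randomized identifiers instead.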

Question 5

Question 6

Explanation

NPTv6 stands for IPv6-to-IPv6 Network Prefix Translation (RFC 6296). It is a form of NAT for IPv6 that maps an inside prefix to an outside prefix of the same length, one to one. Because it rewrites only the prefix bits in a checksum-neutral way, it keeps no per-flow state and does not rewrite ports.

Question 7

Explanation

The command “ipv6 flowset” allows the device to track destinations to which the device has sent packets that are 1280 bytes or larger.

Question 8

Explanation

NAT64 is used to make IPv4-only servers available to IPv6 clients.

Note:
NAT44 – NAT from IPv4 to IPv4
NAT66 – NAT from IPv6 to IPv6
NAT46 – NAT from IPv4 to IPv6
NAT64 – NAT from IPv6 to IPv4

Question 9

Explanation

As in Question 4, the EUI-64 interface identifier is derived from the 48-bit MAC address: the MAC is split into its 24-bit OUI (Organizationally Unique Identifier) and 24-bit NIC-specific halves, the 16-bit value 0xFFFE is inserted between them to form the 64-bit identifier, and the U/L bit of the first octet is inverted. IEEE reserves FFFE for this purpose, so it only appears in an EUI-64 generated from an EUI-48 MAC address.

Question 10

Explanation

IPv6 allows devices to configure their own IP addresses and other parameters automatically without the need for a DHCP server. This method is called “IPv6 Stateless Address Autoconfiguration” (in contrast to the server-based method using DHCPv6, called “stateful”). In the stateless method, a host sends a Router Solicitation to request a prefix. The router replies with a Router Advertisement (RA) message that contains the prefix of the link. The host combines this prefix with an interface identifier (typically derived from its MAC address with modified EUI-64) to form its own unique IPv6 address.

Note:
+ RA messages are sent periodically and in response to device solicitation messages
+ In the absence of a router, a host can generate only link-local addresses. Link-local addresses are only sufficient for allowing communication among nodes that are attached to the same link

IPv6 Questions 2

August 7th, 2015 digitaltut 7 comments

Question 1

Question 2

Question 3

Explanation

Address Family Translation (AFT) using NAT64 technology can be achieved by either stateless or stateful means:
+ Stateless NAT64 is a translation mechanism for algorithmically mapping IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Unlike stateful NAT, it does not maintain any bindings or session state while performing translation, and it supports both IPv6-initiated and IPv4-initiated communications.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation. It supports IPv6-initiated communications dynamically, and IPv4-initiated communications only through static or manual mappings.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html

Question 4

Question 5

Explanation

When a change is made to one of the IP header fields in the IPv6 pseudo-header checksum (such as one of the IP addresses), the checksum field in the transport layer header may become invalid. Fortunately, an incremental change in the area covered by the Internet standard checksum [RFC1071] will result in a well-defined change to the checksum value [RFC1624]. So, a checksum change caused by modifying part of the area covered by the checksum can be corrected by making a complementary change to a different 16-bit field covered by the same checksum.

Reference: https://tools.ietf.org/html/rfc6296
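The following added Python (not Cisco’s code nor the RFC’s reference implementation) performs the checksum-neutral adjustment behind Questions 5 and 6: it rewrites a /48 or /64 prefix and compensates in one 16-bit word so that the one’s-complement sum of the whole address, and hence any transport checksum that covers it, is unchanged. The inside and outside prefixes are constructed; the choice of which word to adjust and the handling of 0xFFFF follow my reading of RFC 6296 and should be checked against the RFC before relying on them.

```python
import ipaddress


def fold16(x):
    """Reduce to 16 bits with end-around carry, i.e. one's complement addition."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x


def words_of(addr):
    """The eight 16-bit words of an IPv6 address."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def ones_sum(words):
    return fold16(sum(words))


def checksum_neutral(a, b):
    """True if both addresses contribute the same value to a transport checksum
    (0x0000 and 0xFFFF are both zero in one's complement arithmetic)."""
    return ones_sum(words_of(a)) % 0xFFFF == ones_sum(words_of(b)) % 0xFFFF


def nptv6_translate(addr, from_prefix, to_prefix):
    """Rewrite from_prefix to to_prefix and adjust one word so the checksum is unchanged."""
    src_net = ipaddress.IPv6Network(from_prefix)
    dst_net = ipaddress.IPv6Network(to_prefix)
    if src_net.prefixlen != dst_net.prefixlen or src_net.prefixlen not in (48, 64):
        raise ValueError("this example handles equal-length /48 or /64 prefixes only")
    if ipaddress.IPv6Address(addr) not in src_net:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    n = src_net.prefixlen // 16
    old = words_of(src_net.network_address)[:n]
    new = words_of(dst_net.network_address)[:n]
    # adjustment = sum(old prefix words) - sum(new prefix words), in one's complement
    adjust = fold16(ones_sum(old) + (0xFFFF ^ ones_sum(new)))
    out = new + words_of(addr)[n:]
    if n == 3:
        idx = 3                                  # /48: the subnet word (bits 48-63) absorbs it
    else:
        idx = next((i for i in range(4, 8) if out[i] != 0xFFFF), None)   # /64: first usable IID word
        if idx is None:
            raise ValueError("interface identifier has no word that can carry the adjustment")
    out[idx] = fold16(out[idx] + adjust)
    if out[idx] == 0xFFFF:                        # negative zero, stored as 0x0000 (assumption)
        out[idx] = 0
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in out))
```

Translating fd01:203:405:1::1234 from fd01:203:405::/48 to 2001:db8:1::/48 yields 2001:db8:1:d550::1234: the subnet word changes from 0001 to d550 to absorb the difference between the two prefix sums, and translating the result back with the prefixes swapped returns the original address. A plain prefix swap without the adjustment (2001:db8:1:1::1234) is not checksum neutral, which is exactly why NPTv6 needs this step.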

Question 6

Question 7

Explanation

Link-local addresses always carry the FE80::/10 prefix; in practice they are FE80::/64, because the 54 bits after the prefix are zero. Most routing protocols use the neighbor’s link-local address as the next hop.

Question 8

Explanation

A link-local address is an IPv6 unicast address that can be automatically configured on any interface using the link-local prefix FE80::/10 (1111 1110 10) and the interface identifier in the modified EUI-64 format. Link-local addresses are not necessarily bound to the MAC address (configured in a EUI-64 format). Link-local addresses can also be manually configured in the FE80::/10 format using the ipv6 address link-local command.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113328-ipv6-lla.html

Question 9

Explanation

Stateless Address Auto Configuration (SLAAC) is a method in which the host or router interface is assigned a 64-bit prefix, and then the last 64 bits of its address are derived by the host or router with help of EUI-64 process.

Question 10

Question 11

Explanation

The components of IPv6 header is shown below:

IPv6_header.jpg

The Traffic Class field (8 bits) is where quality of service (QoS) marking for Layer 3 can be identified. In a nutshell, the higher the value of this field, the more important the packet. Your Cisco routers (and some switches) can be configured to read this value and send a high-priority packet sooner than other lower ones during times of congestion. This is very important for some applications, especially VoIP.

The Flow Label field (20 bits) is originally created for giving real-time applications special service. The flow label when set to a non-zero value now serves as a hint to routers and switches with multiple outbound paths that these packets should stay on the same path so that they will not be reordered. It has further been suggested that the flow label be used to help detect spoofed packets.

The Hop Limit field (8 bits) is similar to the Time to Live field in the IPv4 packet header. The value of the Hop Limit field specifies the maximum number of routers that an IPv6 packet can pass through before the packet is considered invalid. Each router decrements the value by one. Because no checksum is in the IPv6 header, the router can decrease the value without needing to recalculate the checksum, which saves processing resources.
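Added example for the three header fields described above (not code from the page or from Cisco): a parser for the fixed 40-byte IPv6 header and the per-hop Hop Limit decrement, which needs no checksum recomputation because the header carries none. The header bytes are a constructed sample.

```python
"""Parse the fixed 40-byte IPv6 header and forward it one hop.

Added example for this page, not code from the page or from Cisco.  The
header bytes are a constructed sample (documentation and ULA addresses).
"""
import ipaddress
import struct

HEADER_LEN = 40


def parse_ipv6_header(pkt: bytes) -> dict:
    """Split the first 32-bit word into Version (4) | Traffic Class (8) |
    Flow Label (20), then Payload Length, Next Header, Hop Limit and addresses."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version %d)" % version)
    traffic_class = (word0 >> 20) & 0xFF
    return {
        "traffic_class": traffic_class,
        "dscp": traffic_class >> 2,        # upper 6 bits: the QoS marking
        "ecn": traffic_class & 0x03,       # lower 2 bits: congestion notification
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def forward_one_hop(pkt: bytes) -> bytes:
    """What a router does to the header: decrement Hop Limit, discard when it
    would reach zero.  No checksum exists in the IPv6 header, so nothing else
    has to be recomputed (upper-layer checksums do not cover Hop Limit)."""
    hdr = parse_ipv6_header(pkt)
    if hdr["hop_limit"] <= 1:
        raise ValueError("hop limit exceeded in transit; packet discarded")
    return pkt[:7] + bytes([hdr["hop_limit"] - 1]) + pkt[8:]


# Constructed sample: version 6, Traffic Class 0xB8 (DSCP 46 = EF, ECN 0),
# Flow Label 0x12345, payload 13 bytes, Next Header 17 (UDP), Hop Limit 64
SAMPLE_HEADER = (
    bytes.fromhex("6b812345 000d 11 40".replace(" ", ""))
    + ipaddress.IPv6Address("fd01:203:405:1::10").packed
    + ipaddress.IPv6Address("2001:db8::53").packed
)

if __name__ == "__main__":
    for k, v in parse_ipv6_header(SAMPLE_HEADER).items():
        print("%-15s %s" % (k, hex(v) if isinstance(v, int) else v))
    print("after one hop:", parse_ipv6_header(forward_one_hop(SAMPLE_HEADER))["hop_limit"])
```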

Question 12

Explanation

We need to summarize three IPv6 prefixes with a /64 subnet mask, so the summarized route must have a smaller (shorter) subnet mask. As we can see, all four answers have the same summarized route of 2001:DB8::, so /48 is the best choice.

Note: An IPv6 address consists of 8 fields of 16 bits each (8 × 16 = 128).

RIPng Questions

August 6th, 2015 digitaltut 8 comments

Question 1

Explanation

The default timers of RIP and RIPng are the same. The meanings of these timers are described below:

Update: how often the router sends routing updates. The default update timer is 30 seconds.
Invalid (also called Expire): how much time may pass since the last valid update before a route becomes invalid and is placed into holddown. The default invalid timer is 180 seconds.
Holddown: if RIP receives an update with a hop count (metric) higher than the hop count recorded in the routing table, RIP does not “believe” that update while the holddown timer runs. The default holddown timer is 180 seconds.
Flush: how much time may pass since the last valid update before RIP deletes that route from its routing table. The default flush timer is 240 seconds.

RIPng_timer.jpg

Miscellaneous Questions

August 4th, 2015 digitaltut 31 comments

Question 1

Explanation

The command “clear ip route” clears one or more routes from both the unicast RIB (IP routing table) and all the module Forwarding Information Bases (FIBs).

Question 2

Explanation

The prefix-list “ip prefix-list name permit 10.8.0.0/16 ge 24 le 24” means:
+ Check the first 16 bits of the prefix. They must be 10.8
+ The subnet mask must be greater than or equal to 24
+ The subnet mask must be less than or equal to 24

-> The subnet mask must be exactly 24

Therefore the prefixes matched by the above ip prefix-list are of the form 10.8.x.x/24
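Added example (not code from the page or from Cisco) that evaluates IOS-style prefix-list entries with the ge/le semantics explained above, including the implicit deny at the end of the list. Entry strings follow the shape used in the text; the prefixes tested against them are constructed samples.

```python
"""Evaluate IOS-style ip prefix-list entries with ge / le.

Added example for this page, not Cisco code.  Entry strings follow the
"permit|deny A.B.C.D/len [ge N] [le M]" shape used in the text; the
prefixes tested against them are constructed samples.
"""
import ipaddress
import re

ENTRY_RE = re.compile(
    r"^(permit|deny)\s+(\S+/\d+)(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?$")


def parse_entry(entry: str):
    """Return (action, network, lowest_len, highest_len) for one entry."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError("bad prefix-list entry: %r" % entry)
    action, net, ge, le = m.groups()
    net = ipaddress.ip_network(net, strict=False)
    ge = int(ge) if ge else None
    le = int(le) if le else None
    # Without ge/le the entry is an exact match on the stated length;
    # "ge" alone runs up to the maximum length, "le" alone starts at <len>.
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (net.max_prefixlen if ge is not None else net.prefixlen)
    if not (net.prefixlen <= lo <= hi <= net.max_prefixlen):
        raise ValueError("length range must satisfy len <= ge <= le <= %d" % net.max_prefixlen)
    return action, net, lo, hi


def entry_matches(entry: str, prefix: str) -> bool:
    """True when the first <len> bits of prefix equal the entry's network and
    the prefix's own length lies within [ge, le]."""
    _, net, lo, hi = parse_entry(entry)
    cand = ipaddress.ip_network(prefix, strict=False)
    if cand.version != net.version or not (lo <= cand.prefixlen <= hi):
        return False
    # compare only the entry's first <len> bits of the candidate
    head = ipaddress.ip_network((int(cand.network_address), net.prefixlen), strict=False)
    return head.network_address == net.network_address


def evaluate(prefix_list, prefix: str) -> str:
    """First matching entry wins; an empty or non-matching list denies,
    mirroring the implicit deny at the end of every IOS prefix-list."""
    for entry in prefix_list:
        if entry_matches(entry, prefix):
            return parse_entry(entry)[0]
    return "deny"


if __name__ == "__main__":
    pl = ["permit 10.8.0.0/16 ge 24 le 24"]
    for p in ("10.8.1.0/24", "10.8.200.0/24", "10.8.0.0/16", "10.8.1.0/25", "10.9.1.0/24"):
        print("%-14s -> %s" % (p, evaluate(pl, p)))
```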

Question 3

Explanation

This is a new user (client) that has not been configured to accept SSL VPN connections, so the user must open a web browser, enter the URL and log in successfully to be authenticated. A small piece of software will also be downloaded and installed on the client computer the first time. From then on the user can access file shares on that network normally.

Question 4

Explanation

“Increase the logging history” here is the same as “increase the logging buffer”. The default buffer size is 4096 bytes. By increasing the logging buffer size we can see more historical logging messages. But do not make the buffer size too large, because the access point could run out of memory for other tasks. We can write the logging messages to an external logging server instead.

Question 5

Explanation

A core dump is a file containing a process’s address space (memory) captured when the process terminates unexpectedly; it is used to identify the cause of the crash.

Question 6

Question 7

Explanation

The “show memory allocating-process table” command displays statistics on allocated memory with the corresponding allocating processes. This command can also be used to find memory leaks. A memory leak occurs when a process requests or allocates memory and then forgets to free (de-allocate) the memory when it has finished that task.

Note: In fact the correct command should be “show memory allocating-process totals” (not “table”)

The “show memory summary” command displays a summary of all memory pools and memory usage per Alloc PC (address of the system call that allocated the block). An example of the output of this command is shown below:

show_memory_summary.jpg

Legend:

+ Total: the total amount of memory available after the system image loads and builds its data structures.
+ Used: the amount of memory currently allocated.
+ Free: the amount of memory currently free.
+ Lowest: the lowest amount of free memory recorded by the router since it was last booted.
+ Largest: the largest free memory block currently available.

Note: The show memory allocating-process totals command contains the same information as the first three lines of the show memory summary command.

An example of a high memory usage problem is a large amount of free memory but a small value in the “Lowest” column. In this case, a normal or abnormal event (for example, a large routing instability) caused the router to use an unusually large amount of processor memory for a short period of time, during which the memory ran out.

The show memory dead command is only used to view the memory allocated to a process which has terminated. The memory allocated to this process is reclaimed by the kernel and returned to the memory pool by the router itself when required. This is the way IOS handles memory. A memory block is considered as dead if the process which created the block exits (no longer running).

The command show memory events does not exist.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf013.html and http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/6507-mallocfail.html

Question 8

Question 9

Explanation

If the DHCP Server is not on the same subnet as the DHCP Client, we need to configure the router on the DHCP client side to act as a DHCP Relay Agent so that it can forward DHCP messages between the DHCP Client & DHCP Server. To make a router a DHCP Relay Agent, simply put the “ip helper-address <IP-address-of-DHCP-Server>” command under the interface that receives the DHCP messages from the DHCP Client.

Question 10

Explanation

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.

Question 11

Explanation

Both RADIUS (Remote Authentication Dial-in User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus) are the main protocols that provide Authentication, Authorization, and Accounting (AAA) services on network devices.

Both RADIUS and TACACS+ support accounting of commands. Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

For example, to send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the “aaa accounting command” command in global configuration mode.

Note: TACACS+ was developed by Cisco from TACACS.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html

Question 12

Explanation

Bandwidth-delay product (BDP) is the maximum amount of data “in transit” at any point in time between two endpoints. In other words, it is the amount of data “in flight” needed to saturate the link. You can think of the link between two devices as a pipe. The cross section of the pipe represents the bandwidth and the length of the pipe represents the delay (the propagation delay due to the length of the pipe).

Therefore the Volume of the pipe = Bandwidth x Delay. The volume of the pipe is also the BDP.

Bandwidth-delay_Product.jpg

Return to our question, the formula to calculate BDP is:

BDP (bits) = total available bandwidth (bits/sec) * round trip time (sec) = 64,000 * 3 = 192,000 bits

-> BDP (bytes) = 192,000 / 8 = 24,000 bytes

Therefore we need 24KB to fill this link.

For your information, BDP is very important in TCP communication as it optimizes the use of bandwidth on a link. As you know, a disadvantage of TCP is that it has to wait for an acknowledgment from the receiver before sending more data. The waiting time may be very long and we may not utilize the full bandwidth of the link for the transmission.

Bandwidth-delay_Product_Wasted.jpg

Based on BDP, the sending host can increase the amount of data sent on a link (usually by increasing the window size). In other words, the sending host can fill the whole pipe with data and no bandwidth is wasted.

Bandwidth-delay_Product_Optimized.jpg

Question 13

Explanation

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.

TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.

During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.

Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

Question 14

Drag and Drop

August 3rd, 2015 digitaltut 45 comments

Question 1

Explanation

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). NAT64 requires a dedicated prefix, called the NAT64 prefix, to recognize which hosts need IPv4-IPv6 translation. The NAT64 prefix can be a Network-Specific Prefix (NSP), which is configured by a network administrator, or the well-known prefix (which is 64:FF9B::/96). When a NAT64 router receives a packet whose destination starts with the NAT64 prefix, it will process this packet with NAT64.

NAT64 is not as simple as IPv4 NAT which only translates source or destination IPv4 address. NAT64 translates nearly everything (source & destination IP addresses, port number, IPv4/IPv6 headers… which is called a session) from IPv4 to IPv6 and vice versa. So NAT64 “modifies session during translation”.

Question 2

Explanation

The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm -> Established

+ Idle: No peering; router is looking for neighbor. Idle (admin) means that the neighbor relationship has been administratively shut down.
+ Connect: TCP handshake completed.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.

Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3

Question 3

Drag and drop the Cisco Express Forwarding adjacency types from the left to the correct type of processing on the right.

Punt Adjacency Packets are discarded
Drop Adjacency Features that require special handling or features that are not yet supported in conjunction with CEF switching paths are forwarded to the next switching layer for handling. Features that are not supported are forwarded to the next higher switching level.
Null Adjacency When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.
Discard Adjacency Packets are dropped, but the prefix is checked.
Glean Adjacency Packets destined for a Null0 interface are dropped. This can be used as an effective form of access filtering.

Answer:

Punt Adjacency: Features that require special handling or features that are not yet supported in conjunction with CEF switching paths are forwarded to the next switching layer for handling. Features that are not supported are forwarded to the next higher switching level.
Drop Adjacency: Packets are dropped, but the prefix is checked.
Null Adjacency: Packets destined for a Null0 interface are dropped. This can be used as an effective form of access filtering.
Discard Adjacency: Packets are discarded.
Glean Adjacency: When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html


ROUTE FAQs & Tips

August 1st, 2015 digitaltut 605 comments

In this article, I will try to summarize all the Frequently Asked Questions about the ROUTE 300-101 exam. Hope it will save you some time searching the Internet and asking your friends & teachers.

1. Please tell me how many questions are in the real ROUTE exam, and how much time do I have to answer them?

There are 50 questions, including 4 lab-sims. You have 120 minutes to answer them, but if your native language is not English, Cisco allows you a 30-minute exam time extension (150 minutes in total).

2. How much does the ROUTE 300-101 cost? And how many points do I need to pass the exam?

This exam costs $300. You need at least 790/1000 points to pass this exam.

3. I passed the ROUTE exam, will I get a certificate for it?

No, Cisco does not ship a ROUTE exam certificate; it only ships you a certificate after completing the full CCNP track of 3 exams (ROUTE, SWITCH & TSHOOT) within three years. Once again we have to note that you need to finish these three exams within three years (not nine years). Many candidates misunderstand this and think they have nine years to complete the three exams.

4. Which sims will I see in the ROUTE exam?

The popular sims now are the Policy Based Routing sim, EIGRP OSPF Redistribution sim, OSPF Evaluation sim and EIGRP Evaluation sim. Please notice that the IP addresses and router names may be different (this is also true for Drag and Drop questions).

5. How many points will I get for one sim?

Maybe you will get about 80 to 100 points for each sim, just like the CCNA exam.

6. In the real exam, I clicked “Next” after choosing the answer, can I go back for reviewing?

No, you can’t go back so you can’t re-check your answers after clicking the “Next” button.

7. What is the difference between the old BSCI & the new ROUTE exam?

In the new ROUTE exam, there are no IS-IS, DHCP, Multicast questions so you can ignore them if you are reading old BSCI books. In fact, DHCP & Multicast are good topics and maybe you will have a chance to learn about them in other Cisco exams.

8. Can I use short commands, for example “conf t” instead of “configure terminal”? Will I get full mark for short commands?

From the comments on this site, maybe you will get full marks for short commands. But sometimes short commands don’t work, so please be careful with them. We highly recommend that you learn the full commands.

9. What are your recommended materials for ROUTE?

There are many materials for learning ROUTE but below are popular materials that many candidates recommend.

Books

CCNP ROUTE Official Certification Guide

ROUTE Student Guide

CCNP ROUTE Portable Command Guide

CCNP Route Quick Reference Sheet

Video training

CBT Nuggets

Simulator (all are free)


GNS3 – the best simulator for learning ROUTE

Packet Tracer

10. How much time should I spend on each sim?

You should not spend more than 15 minutes on each sim. Recall that you only have 90 minutes, so 15 minutes for each sim x 4 sims = 60 minutes. The 30 minutes left are for solving 46 multiple choice & drag-and-drop questions. If you are not a native English speaker and have the 30-minute extension (ask the mentor to confirm), then you can spend 20 minutes on each sim.

11. Can I pass without doing sims?

As mentioned above, each sim will cost you from 80 to 100 points. In the real exam you will have to solve 4 sims that give from 320 to 400 points. Suppose you answer all other questions perfectly; then you will get 600 to 680 points, but the passing score is 790. It means that you will surely fail if you ignore them.

From the calculation above, if you miss only one sim the chance to pass is average but if you miss two, the chance to pass is very, very low.

12. Are the exam questions the same in all the geographical locations?

Yes, the exam questions are the same in all geographical locations. But notice that Cisco has a pool of questions and each time you take the exam, a number of random questions will show up so you will not see all the same questions as the previous exam.

13. I don’t want to lose points so should I use the “copy running-config startup-config” after finishing each lab-sim?

In the ROUTE exam, we can’t use that command, so you will surely not lose any points for not using it.

14. I passed the ROUTE exam. Do you have any site similar for CCNP exams?
We have certprepare.com for SWITCH, networktut.com for TSHOOT, voicetut.com for CCNA Voice, securitytut.com for CCNA Security, rstut.com for CCIE Written & Lab, dstut.com for CCDA. Hope you enjoy these sites too!

15. Why don’t I see any questions and answers on digitaltut.com? I only see the explanation…

Because of copyright issues, we had to remove all the questions and answers. You can download a PDF file to see the questions at this link: http://www.digitaltut.com/route-questions-and-answers

If there is anything you want to ask, just ask! All of us will help you.

OSPF Evaluation Sim

February 9th, 2015 digitaltut 653 comments

You have been asked to evaluate an OSPF network and to answer questions a customer has about its operation. Note: You are not allowed to use the show running-config command.

OSPF.jpg


EIGRP Evaluation Sim

February 9th, 2015 digitaltut 204 comments

You have been asked to evaluate how EIGRP is functioning in a network.

EIGRP_Topology.jpg


Share your ROUTE v2.0 Experience

January 22nd, 2015 digitaltut 10,862 comments

The ROUTE 300-101 (ROUTE v2.0) exam has replaced the old ROUTE 642-902 exam, so this article is devoted to candidates who took this exam sharing their experience.

Please tell us what your materials were, the way you learned, and your feelings and experience after taking the ROUTE v2.0 exam… But please DO NOT share any information about the details of the exam or your personal information: your score, exam date and location, your email…

Note: Posting email is not allowed in the comment section.

Your posts are warmly welcome!

Practice Real ROUTE Labs with GNS3

May 8th, 2014 digitaltut 170 comments

Well, the title says it all. Here are some screenshots of the labs in GNS3:

+ OSPF Sim:

OSPF_Sim.jpg


EIGRP OSPF Redistribution Sim

May 8th, 2014 digitaltut 410 comments

Question

OSPF_EIGRP_Redistribution.jpg

Answer and Explanation:


Policy Based Routing Sim

May 8th, 2014 digitaltut 316 comments

Question

Company TUT has two links to the Internet. The company policy requires that web traffic must be forwarded only to the Frame Relay link if it is available, while other traffic can go through either link. No static or default routing is allowed.

BGP_Policy_Based_Routing_Sim.jpg


Answer and Explanation:


IPv6 OSPF Virtual Link Sim

May 8th, 2014 digitaltut 95 comments

Question

TUT is a small company that has an existing enterprise network that is running IPv6 OSPFv3. However, R4’s loopback address (FEC0:4:4) cannot be seen in R1. Identify and fix this fault, do not change the current area assignments. Your task is complete when R4’s loopback address (FEC0:4:4) can be seen in the routing table of R1.

OSPFv3_IPv6_VirtualLink

Special Note: To gain the maximum number of points you must remove all incorrect or unneeded configuration statements related to this issue.

Answer and Explanation:


EIGRP Stub Sim

May 8th, 2014 digitaltut 86 comments

Question

TUT Corporation has just extended its business. R3 is the new router from which they can reach all corporate subnets. In order to raise network stability and lower the memory usage and bandwidth utilization on R3, TUT Corporation makes use of route summarization together with the EIGRP Stub Routing feature. Another network engineer is responsible for this solution. However, in the process of configuring EIGRP stub routing, connectivity with the remote network devices off of R3 has been lost.

EIGRPStubSim

Presently TUT has configured EIGRP on all routers in the network (R2, R3, and R4). Your duty is to find and solve the connectivity failure problem with the remote office router R3. After the problem has been solved, you should then configure route summarization only towards the distant office router R3 to complete the task.

The success of pings from R4 to the R3 LAN interface proves that the fault has been corrected and the R3 IP routing table only contains two 10.0.0.0 subnets.

Answer and Explanation:


OSPF Sim

May 8th, 2014 digitaltut 140 comments

Question

OSPF is configured on routers Amani and Lynaic. Amani’s S0/0 interface and Lynaic’s S0/1 interface are in Area 0. Lynaic’s Loopback0 interface is in Area 2.

OSPFSim

Your task is to configure the following:

Portland’s S0/0 interface in Area 1
Amani’s S0/1 interface in Area 1
Use the appropriate mask such that ONLY Portland’s S0/0 and Amani’s S0/1 could be in Area 1.
Area 1 should not receive any external or inter-area routes (except the default route).

Answer and Explanation:


EIGRP Simlet

May 5th, 2014 digitaltut 220 comments

EIGRP – SHOW IP EIGRP TOPOLOGY ALL-LINKS


Here you will find answers to the EIGRP Simlet question.

Question

Refer to the exhibit. BigBids Incorporated is a worldwide auction provider. The network uses EIGRP as its routing protocol throughout the corporation. The network administrator does not understand the convergence of EIGRP. Using the output of the show ip eigrp topology all-links command, answer the administrator’s questions.

simlet_show_ip_eigrp_topology_all_links
