
Drag and Drop 2

July 7th, 2019 in ROUTE 300-101

Question 1

Question 2

Question 3

Explanation

The most common reason for excessive unicast flooding in steady-state Catalyst switch networks is the lack of proper host port configuration. Hosts, servers, and any other end-devices do not need to participate in the STP process; therefore, the link up and down states on the respective NIC interfaces should not be considered an STP topology change.

Reference: http://www.ciscopress.com/articles/article.asp?p=336872

Question 4

Question 5

Question 6

Explanation

The general rule when applying access lists is to apply standard IP access lists as close to the destination as possible and to apply extended access lists as close to the source as possible. The reasoning is that standard access lists lack granularity (they match only on source address), so they are better placed close to the destination, where they block as little legitimate traffic as possible; extended access lists offer far more granularity and can therefore be placed close to the source, dropping unwanted traffic before it crosses the network.

Reference: http://www.ciscopress.com/articles/article.asp?p=1697887

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally used to allow outbound traffic and to limit inbound traffic to the responses of sessions that originate inside the router. Reflexive ACLs can be defined only within extended named IP ACLs; they cannot be defined with numbered or standard named IP ACLs, or with ACLs for other protocols. Reflexive ACLs can be used in conjunction with other standard and static extended ACLs. The outbound ACL carries the ‘reflect’ keyword; it is the ACL that matches the originating traffic. The inbound ACL carries the ‘evaluate’ keyword; it is the ACL that matches the returning traffic.

Lock and key, also known as dynamic ACLs, was introduced in Cisco IOS Software Release 11.1. This feature is dependent on Telnet, authentication (local or remote), and extended ACLs.
Lock and key configuration starts with the application of an extended ACL to block traffic through the router. Users that want to traverse the router are blocked by the extended ACL until they Telnet to the router and are authenticated. The Telnet connection then drops and a single-entry dynamic ACL is added to the extended ACL that exists. This permits traffic for a particular time period; idle and absolute timeouts are possible.

Reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html
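
A configuration that puts the two features described above side by side (reflexive ACLs with reflect/evaluate, and a lock-and-key dynamic ACL), added here as an editor's example rather than text from the page or Cisco's documentation. Interface names, the 10.1.1.0/24 inside network, the 203.0.113.0/24 outside addresses, the list names, timers and the user name are assumed.

```cisco
! Added example (not from the page or Cisco's docs). Assumed topology:
! Gi0/1 faces the untrusted network (router address 203.0.113.1),
! Gi0/2 is a partner link, inside hosts sit on 10.1.1.0/24.

! --- Reflexive ACL: the outbound list carries "reflect", the inbound list "evaluate" ---
! Every session leaving via Gi0/1 creates a temporary mirror entry in TCP-SESS,
! UDP-SESS or ICMP-SESS; the inbound list admits only packets matching those entries.
! Caveat: applications that change ports mid-session (e.g. active FTP) are not tracked.
ip access-list extended OUTSIDE-OUT
 permit tcp 10.1.1.0 0.0.0.255 any reflect TCP-SESS timeout 300
 permit udp 10.1.1.0 0.0.0.255 any reflect UDP-SESS timeout 60
 permit icmp 10.1.1.0 0.0.0.255 any reflect ICMP-SESS timeout 30
 deny ip any any log
!
ip access-list extended OUTSIDE-IN
 evaluate TCP-SESS
 evaluate UDP-SESS
 evaluate ICMP-SESS
 ! static entries for services the outside may initiate belong here, before the final deny
 permit tcp any host 203.0.113.1 eq 22
 deny ip any any log
!
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in

! --- Lock-and-key (dynamic ACL): partner traffic is blocked until the user authenticates ---
! Only Telnet to the router is permitted up front. After a successful local login the
! autocommand runs access-enable, the Telnet session drops, and a single dynamic entry
! is added for the authenticating host (idle timeout 5 min, absolute timeout 120 min).
username partner secret <PLACEHOLDER-PASSWORD>
username partner autocommand access-enable host timeout 5
!
access-list 101 permit tcp any host 203.0.113.1 eq telnet
access-list 101 dynamic PARTNER-LOCKKEY timeout 120 permit ip any any
!
interface GigabitEthernet0/2
 ip access-group 101 in
!
! Put the autocommand on the user rather than on the VTY lines, otherwise
! administrator sessions are terminated the same way.
line vty 0 4
 login local
```

The dynamic entry can be inspected with `show access-lists 101` while it is active, and the temporary reflexive entries with `show access-lists TCP-SESS`.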

Comments
  1. info on new questions
    August 16th, 2017

    found the information.
    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat64-stateful.html

    I had this question on the last test. Which means the question was (as usual) worded incorrectly only to confuse. The answer order is for the Stateful IPv4-to-IPv6 Packet Flow.

    The packet flow of IPv4-initiated packets for Stateful NAT64 is as follows:

    1. The destination address is routed to a NAT Virtual Interface (NVI).

    A virtual interface is created when Stateful NAT64 is configured. For Stateful NAT64 translation to work, all packets must get routed to the NVI. When you configure an address pool, a route is automatically added to all IPv4 addresses in the pool. This route automatically points to the NVI.

    2. The IPv4-initiated packet hits static or dynamic binding.

    Dynamic address bindings are created by the Stateful NAT64 translator when you configure dynamic Stateful NAT64. A binding is dynamically created between an IPv6 and an IPv4 address pool. Dynamic binding is triggered by the IPv6-to-IPv4 traffic and the address is dynamically allocated. Based on your configuration, you can have static or dynamic binding.

    3. The IPv4-initiated packet is protocol-translated and the destination IP address of the packet is set to IPv6 based on static or dynamic binding. The Stateful NAT64 translator translates the source IP address to IPv6 by using the Stateful NAT64 prefix (if a stateful prefix is configured) or the Well Known Prefix (WKP) (if a stateful prefix is not configured).

    4. A session is created based on the translation information.

    5. All subsequent IPv4-initiated packets are translated based on the previously created session.

    Stateful IPv6-to-IPv4 Packet Flow

    The stateful IPv6-initiated packet flow is as follows:

    1. The first IPv6 packet is routed to the NAT Virtual Interface (NVI) based on the automatic routing setup that is configured for the stateful prefix. Stateful NAT64 performs a series of lookups to determine whether the IPv6 packet matches any of the configured mappings based on an access control list (ACL) lookup. Based on the mapping, an IPv4 address (and port) is associated with the IPv6 destination address. The IPv6 packet is translated and the IPv4 packet is formed by using the following methods:

    a. Extracting the destination IPv4 address by stripping the prefix from the IPv6 address. The source address is replaced by the allocated IPv4 address (and port).

    b. The rest of the fields are translated from IPv6-to-IPv4 to form a valid IPv4 packet.

    Note: This protocol translation is the same for stateless NAT64.

    2. A new NAT64 translation is created in the session database and in the bind database. The pool and port databases are updated depending on the configuration. The return traffic and the subsequent traffic of the IPv6 packet flow will use this session database entry for translation.
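
As an added example (the editor's, not text from the page or from the Cisco configuration guide linked above), a Stateful NAT64 configuration that produces the pieces the two packet flows refer to: the NVI, the stateful prefix that replaces the WKP, a dynamic binding pool and a static binding. Interface names, the 2001:db8:: prefixes and the 203.0.113.0/24 addresses are assumed.

```cisco
! Added example (not from the page or Cisco's guide). Assumed: Gi0/0 is the IPv4 side
! (203.0.113.1/24), Gi0/1 the IPv6-only LAN 2001:db8:1::/64. The stateful prefix
! 2001:db8:64::/96 is used instead of the Well Known Prefix 64:ff9b::/96, which the
! translator would use if no "nat64 prefix stateful" were configured.
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 nat64 enable
!
interface GigabitEthernet0/1
 ipv6 address 2001:db8:1::1/64
 nat64 enable
!
! Stateful prefix: an IPv4 host a.b.c.d appears to IPv6 clients as 2001:db8:64::a.b.c.d,
! and the translator strips this prefix to recover the IPv4 destination (IPv6-initiated flow, step 1a).
nat64 prefix stateful 2001:db8:64::/96
!
! Dynamic binding: the ACL decides which IPv6 sources may trigger a translation; an IPv4
! pool address (and, with "overload", a port) is allocated when their first packet arrives.
! Configuring the pool also installs the route that sends pool addresses to the NVI.
ipv6 access-list NAT64-CLIENTS
 permit ipv6 2001:db8:1::/64 any
nat64 v4 pool NAT64-POOL 203.0.113.100 203.0.113.110
nat64 v6v4 list NAT64-CLIENTS pool NAT64-POOL overload
!
! Static binding: a fixed 1:1 mapping, so an IPv4-initiated packet to 203.0.113.50 hits a
! binding (IPv4-initiated flow, step 2) without the IPv6 server having to send first.
nat64 v6v4 static 2001:db8:1::50 203.0.113.50
!
! Verification: session and bind entries, and per-direction counters
! show nat64 translations
! show nat64 statistics
```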

  2. info on new questions
    August 16th, 2017

    Question about IPV6 access class vs filtering

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/12-2sr/ipv6-12-2sr-book/ip6-sec-trfltr-fw.html

    Access Class Filtering in IPv6

    Filtering incoming and outgoing connections to and from the router based on an IPv6 ACL is performed using the ipv6 access-class command in line configuration mode. The ipv6 access-class command is similar to the access-class command, except the IPv6 ACLs are defined by a name. If the IPv6 ACL is applied to inbound traffic, the source address in the ACL is matched against the incoming connection source address and the destination address in the ACL is matched against the local router address on the interface. If the IPv6 ACL is applied to outbound traffic, the source address in the ACL is matched against the local router address on the interface and the destination address in the ACL is matched against the outgoing connection source address. We recommend that identical restrictions are set on all the virtual terminal lines because a user can attempt to connect to any of them.

    Access Control Lists for IPv6 Traffic Filtering

    The standard ACL functionality in IPv6 is similar to standard ACLs in IPv4. Access lists determine what traffic is blocked and what traffic is forwarded at router interfaces and allow filtering based on source and destination addresses, inbound and outbound to a specific interface. Each access list has an implicit deny statement at the end. IPv6 ACLs are defined and their deny and permit conditions are set using the ipv6 access-list command with the deny and permit keywords in global configuration mode.

    IPv6 extended ACLs augment standard IPv6 ACL functionality to support traffic filtering based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4).

    Each IPv6 ACL contains implicit permit rules to enable IPv6 neighbor discovery. These rules can be overridden by the user by placing a deny ipv6 any any statement within an ACL. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

    Time-based and reflexive ACLs are not supported for IPv4 or IPv6 on the Cisco 12000 series platform. The reflect, timeout, and time-range keywords of the permit command in IPv6 are excluded on the Cisco 12000 series.

    SUMMARY STEPS for ipv6 Access Filter applied to interface

    1. enable

    2. configure terminal

    3. interface type number

    4. ipv6 traffic-filter access-list-name {in | out}

    SUMMARY STEPS for Access CLASS applied to VTY lines

    1. enable

    2. configure terminal

    3. line [aux | console | tty | vty] line-number [ending-line-number]

    4. ipv6 access-class ipv6-access-list-name {in | out}
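
The two summary procedures above, worked into a configuration as an added example (the editor's, not text from the page or the Cisco guide). It shows the interface filter and the VTY access class side by side, including the neighbor-discovery caveat from the text. Interface names, the 2001:db8:: addresses and the list names are assumed; the management stations are assumed to sit on the inside network.

```cisco
! Added example (not from the page or Cisco's guide). Assumed: GigabitEthernet0/0 is the
! upstream link with router address 2001:db8:e::1, a web server sits at 2001:db8:1::10,
! and management stations live in 2001:db8:ad:1::/64 on the inside.

! --- ipv6 traffic-filter: transit traffic, applied per interface ---
ipv6 access-list EDGE-IN
 ! The explicit "deny ipv6 any any" at the end overrides the implicit neighbor-discovery
 ! permits, so NS/NA must be allowed explicitly or the link stops resolving neighbors.
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit tcp any host 2001:db8:1::10 eq 443
 permit tcp any host 2001:db8:1::10 eq 80
 deny ipv6 any any log
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8:e::1/64
 ipv6 traffic-filter EDGE-IN in
!
! --- ipv6 access-class: connections to the router itself, applied to the VTY lines ---
! For an inbound access-class the ACL source is the connecting host and the ACL destination
! is the router address the connection arrived on ("any" as destination covers all of them).
ipv6 access-list VTY-MGMT
 permit tcp 2001:db8:ad:1::/64 host 2001:db8:e::1 eq 22
 deny ipv6 any any log
!
! The same restriction goes on every VTY line, since a user can land on any of them.
line vty 0 4
 ipv6 access-class VTY-MGMT in
 transport input ssh
```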

  3. info on new questions
    August 16th, 2017

    CoPP and MPP
    https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html

    Control Plane Policing (CoPP) – CoPP is the Cisco IOS-wide route processor protection mechanism. As illustrated in Figure 2, and similar to rACLs, CoPP is deployed once to the punt path of the router. However, unlike rACLs that only apply to receive destination IP packets, CoPP applies to all packets that punt to the route processor for handling. CoPP therefore covers not only receive destination IP packets but also exception IP packets and non-IP packets. In addition, CoPP is implemented using the Modular QoS CLI (MQC) framework for policy construction. In this way, in addition to simple permit and deny functions, specific packets may be permitted but rate-limited. This behavior substantially improves the ability to define an effective CoPP policy. (Note that “Control Plane Policing” is something of a misnomer because CoPP generally protects the punt path to the route processor and not solely the control plane.)

    CoPP Policy Construction and Deployment Concepts

    Before describing the details of CoPP policy construction and deployment, some of the important details related to MQC and its operation, especially within the context of CoPP are discussed.

    In MQC, the class-map command is used to define a traffic class. A traffic class contains three major elements: a name, one or a series of match commands, and an instruction on how to evaluate these match commands. Match commands are used to specify various criteria for classifying packets. Packets are checked to see whether they match the criteria specified in the match commands. If a packet matches the specified criteria, that packet is considered a member of the class and is treated according to the QoS specifications set in the service policy. Packets that fail to meet any of the matching criteria are classified as members of the default class.

    The instruction for evaluating match commands is specified as either match-any or match-all. When more than one match statement is included, match-any requires that a packet match at least one of the statements to be included in the class. If match-all is used, a packet must match all of the statements to be included in the class.

    The policy-map command is used to associate a traffic class, defined by the class-map command, with one or more QoS policies. The result of this association is called a service policy. A service policy contains three elements: a name, a traffic class (specified with the class command), and the QoS policies. The purpose of the service policy is to associate a traffic class with one or more QoS policies. Classes included within policy maps are processed top-down. When a packet is found to match a class, no further processing is performed. That is, a packet can only belong to a single class, and it is the first one to which a match occurs. When a packet does not match any of the defined classes, it is automatically placed in the class class-default. The default class is always applied, whether it is explicitly configured or not.

    The service-policy command is used to attach the service policy, as specified with the policy-map command, to an interface. In the case of CoPP, this is the control-plane interface. Because the elements of the service policy can be applied to packets entering, or in some versions of CoPP, leaving the interface, users are required to specify whether the service policy characteristics should be applied to incoming or outgoing packets.

    It is important to note that MQC is a general framework used for enabling all QoS throughout Cisco IOS, and not exclusively for CoPP. Not all features available within the MQC framework are available or applicable to CoPP policies. For example, only certain classification (match) criteria are applicable to CoPP. In some instances, there are MQC platform and/or IOS-dependencies that may apply to CoPP. Consult the appropriate product references and configuration guides for any CoPP-specific dependencies.

    Constructing the CoPP Policy
    Deploying the CoPP Policy
    Verifying the CoPP Policy
    Tuning the CoPP Policy

    https://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1049321

    Management Plane

    The management plane is the logical path of all traffic related to the management of a routing platform. One of three planes in a communication architecture that is structured in layers and planes, the management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane also is used to manage a device through its connection to the network.

    Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical.

    Benefits of the Management Plane Protection Feature

    Implementing the MPP feature provides the following benefits:

    • Greater access control for managing a device than allowing management protocols on all interfaces

    • Improved performance for data packets on nonmanagement interfaces

    • Support for network scalability

    • Simplifies the task of using per-interface ACLs to restrict management access to the device

    • Fewer ACLs needed to restrict access to the device

    • Management packet floods on switching and routing interfaces are prevented from reaching the CPU
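
An added example (the editor's, not text from the page or from Cisco's CoPP and MPP documents) that turns the MQC description above into a CoPP policy and pairs it with an MPP statement: class-maps built from ACLs, match-any versus match-all, top-down class evaluation with an explicit class-default, the service policy attached to the control-plane interface, and the management interface restriction. The 192.0.2.0/24 management network, the 198.51.100.2 BGP peer, GigabitEthernet0/0 as management interface, the names and the police rates are assumed; the rates are starting points to be tuned from the counters.

```cisco
! Added example (not from the page or Cisco's documents). Assumed: management stations in
! 192.0.2.0/24, BGP peer 198.51.100.2, Gi0/0 is the management interface.

! --- Classification: one ACL per traffic type; only permit entries classify into the class ---
ip access-list extended ACL-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit udp 192.0.2.0 0.0.0.255 any eq snmp
ip access-list extended ACL-BGP
 permit tcp host 198.51.100.2 any eq bgp
 permit tcp host 198.51.100.2 eq bgp any
ip access-list extended ACL-OSPF
 permit ospf any any
ip access-list extended ACL-ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
!
! match-any: a packet joins CM-ROUTING if it matches EITHER ACL.
class-map match-any CM-ROUTING
 match access-group name ACL-BGP
 match access-group name ACL-OSPF
! match-all with a single statement behaves the same as match-any; it matters only
! when several match lines must all be satisfied.
class-map match-all CM-MGMT
 match access-group name ACL-MGMT
class-map match-all CM-ICMP
 match access-group name ACL-ICMP
!
! Classes are evaluated top-down and the first match wins; class-default catches the rest
! and is applied even if omitted, so defining it keeps the policy explicit.
policy-map COPP-IN
 class CM-ROUTING
  police 512000 conform-action transmit exceed-action transmit
 class CM-MGMT
  police 256000 conform-action transmit exceed-action drop
 class CM-ICMP
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
! Attach to the punt path: "input" polices packets punted to the route processor.
control-plane
 service-policy input COPP-IN
!
! --- MPP: management protocols are accepted only on the designated interface ---
! SSH or SNMP arriving on any other interface is dropped before it reaches the CPU.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! Verification: per-class conform/exceed counters drive the tuning step
! show policy-map control-plane input
! show management-interface
```

Routing-protocol traffic is policed with exceed-action transmit so that the counters reveal unexpected volume without ever dropping neighbor adjacencies.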

  4. Bomber
    August 21st, 2017

    Today passed with 876, about 10 new questions in exam such as PPP authentication, Frame Relay map.
    new Drag and Drops are inside. Labs are same as here.

  5. joe
    August 22nd, 2017

    @bomber: can you share about DND topics?

  6. Steffy
    August 28th, 2017

    Hello friends, for latest valid dump with continuous update, please contact me at steffyshirls @ gmail .com

  7. EngelL
    August 29th, 2017

    not sure about Q6 here… I would say:
    – DnD
    reflexive – must be named
    standard – 1300-1399
    extended – apply closest to the source or origin
    time-based – access to device at certain times
    dynamic – it needs telnet to authenticate

    here are dynamic ACL:
    https://supportforums.cisco.com/t5/security-management/difference-between-static-dynamic-acl/td-p/2246320

  8. Shaun
    August 30th, 2017

    I was willing to know if the digital tut team could help me with this membership. My membership is expiring on Sep 3 and I have an exam scheduled for September 6. Is it possible for the team to extend my membership for two more days without renewing the membership? Please do let me know if that's possible.
    Thank You.

  9. digitaltut
    August 31st, 2017

    @Shaun: Please send an email to support@digitaltut.com so that we can help you.

  10. Shaun
    September 26th, 2017

    Here is the best solution all that you need to pass route exam easily:
    VCE And PDF file
    Packet Tracer / GNS3 Labs

    DOWNLOAD:
    https://docs.google.com/document/d/1cp2vtCYSV_21JTZF9D14Ua2gHdijtZjfIDuyVT1NyJg/edit?usp=sharing

  11. learner
    October 13th, 2017

    Table 1 – ACL Number Ranges

    Protocol       Range
    Standard IP    1–99 and 1300–1999
    Extended IP    100–199 and 2000–2699

    **************************************
    Standard near the destination; Extended near the Source.

  12. Chikku
    October 31st, 2017

    Anyone who took the exam recently can confirm which are the SIMs in the exam?????
    I’m gonna take it early next week.
    Please respond asap.

  13. durshen
    November 11th, 2017

    Hello buddies, I have the valid dump with me and I’m willing to share. Please contact me via durshen81 @ gmail .com

  14. sara
    November 13th, 2017

    Can anyone provide the drag and drop questions? I see just the explanations only and need to know the questions first.
    {email not allowed}

  15. sara
    November 13th, 2017

    Can anyone provide the drag and drop questions? I see just the explanations only and need to know the questions first.
    sara80abona at yahoo

  16. david hartuni
    December 1st, 2017

    I don’t know why I can’t see questions

  17. Can’t see the questions.
    December 4th, 2017

    I only see the question numbers not the actual questions. Could someone advise.

  18. durshen
    December 13th, 2017

    Hi guys, I’m willing to share valid dumps that guarantee you pass. Please contact me via durshen81 @ gmail .com

  19. Talal
    December 22nd, 2017

    Hi all,
    Tomorrow is my route exam. I am practicing procyber(1/11) dumps on vce, but I am somewhat confused about drag & drop Q’s, as the vce marks my answers incorrect if I do not answer in the sequence of the vce, like the “ipv6 router security features” drag n drop; I answer the option correctly under ‘ipv6 traffic filtering’ and ‘ipv6 access classes’, but if I place “it filters traffic at the interface level” in the second position and “it supports tagged acls” in the first, then the dumps vce marks my answers incorrect, and similarly on other drag n drops as well.
    I place the answers under the correct options but not in the dumps vce sequence, and the dumps vce marks my answers incorrect.
    Can anyone please inform me urgently whether I need to remember the dumps vce answer sequence or not for my real exam??
    Thanks in advance.

  20. Talal
    December 22nd, 2017

    Anyone please respond to my query, it’s urgent, tomorrow is my exam..

  21. dumpspro
    January 26th, 2018

    latest dumps ccnp

    dumpspro.com/ccnp-dumps

  22. Jitter
    January 30th, 2018

    LMI
    Address registration – allows neighbouring Cisco devices to exchange the management IP addresses
    Global addressing – Enables Frame Relay to identify interfaces in the same manner as a LAN
    Multicasting – provides the most efficient transmission of routing protocol messages and supports address resolution
    Simple flow control – supports devices that are unable to use congestion notification
    Virtual circuit – Prevents data from being transmitted in Black Hole

    IPv6 Security
    IPv6 traffic Filtering
    It filters traffic at the interface level
    It supports tagged ACLs
    IPv6 Access Classes
    It controls traffic to and from the router
    It requires the destination address of the inbound traffic to be a local address.
    It filters management traffic

    Router
    Passes logon information to the TACACS+ server
    Prompts the user for username and password
    TACACS+ Server
    Authenticates the user
    Authorises the user
    User
    Attempts to access the router
    Provides access credentials

    Frame Relay components
    + SVC: A circuit that provides temporary on-demand connections between DTEs
    + LMI: A signalling mechanism for Frame Relay devices
    + DLCI: A locally significant ID
    + FECN: An indicator of congestion on the network
    + PVC: A logical connection comprising two endpoints and a CIR

  23. LATEST DUMPS + VCE Player + LABs + etc
    February 20th, 2018

    Guaranteed Latest Stuff to pass exam.
    HERE Instant DOWNLOAD
    20 US$ only

    Copy Below Link:
    docs.google.com/document/d/1afXgWBvIWTSr8R0Mt-kDRdMmFCI3ytfuSK-1vOyWov0/edit

  24. RPM
    April 6th, 2018

    Where can i find DHCP and adverse network congestion DnD ?

  25. orc_Japan
    May 8th, 2018

    Hi, does anyone have information about the EVN DnD question?
    I heard that’s new one in test, and I have no idea.
    Thanks

  26. fasfasf45646
    May 30th, 2018

    NEW 100% valid CCNP Exam questions

    dumps
    pro
    dot
    com

  27. Ayessi Kaye
    June 4th, 2018

    Does anyone know that new DND frame relay q? Is the dumps still valid?

  28. p3dr0
    June 4th, 2018

    does anyone have new dnd’s please? the ones in Kikavich pdf are cut in half so can’t work out correct answers ;/

  29. p3dr0
    June 4th, 2018

    doesn’t matter managed to extract the images
    dropbox .com/s /7dj0u7 yifj72puw/DandD.pdf?dl=0

  30. Snash
    June 13th, 2018

    Hey Pedro

    this link dropbox .com/s /7dj0u7 yifj72puw/DandD.pdf?dl=0 is not working, pls repost a correct one

  31. worto
    September 10th, 2018

    @Smash the link works fine, there are 3 spaces you have to take out.

    @Pedra – Thanks!

  32. Snash
    October 17th, 2018

    @Worto Thanks buddy, I managed to open the photos

  33. Kuiwal
    November 19th, 2018

    New D&D on the exam that I noticed, I can only remember the things needed to drag but I hope this helps with study

    AAA D & D
    Things to drag are:

    Network
    Command
    Exec
    Auth-Proxy
    Resource
    Can’t remember the last, might have been Authenticate?

  34. CurryRouters
    December 12th, 2018

    Got today the CoPP vs MPP…

  35. Kris
    January 7th, 2019

    Can someone share drag and drop questions ?

  36. Good Guy
    January 7th, 2019

    Hi folks, I have collected all drag and drop questions in one place. It has 17 DnDs.
    All from forum and .PDFs.

    umrezen.in.rs/cisco-ccnp-route-300-101-drag-and-drop-questions-2019/

  37. Kris
    January 8th, 2019

    Thanks, good job

  38. gent
    February 6th, 2019

    Are the labs on here still valid?

  39. Bob
    April 29th, 2019

    Hi,

    Can anyone advise on this question as it seems to conflict with a drag and drop question

    Which two statements about PPPoE packet types are true? (Choose two)
    A. PADR is a broadcast packet sent from the client to request a new server
    B. PADI is an initialization packet sent as a broadcast message
    C. PADO is a unicast reply packet sent to the client
    D. PADO is a broadcast reply packet sent to the client
    E. PADR is a unicast confirmation packet sent to the client
    Correct Answer: BC

    B&C does seem to check out looking into it but the drag and drop question says that PADS is unicast and PADO is not?

    Are PADO and PADS both unicast?
    Thanks.

  40. Bob
    April 29th, 2019

    The drag and drop it seems to conflict with is this one

    PADI –> Signal sent by host to remote device
    PADR –> Unicast signal sent by host
    PADO –> signal sent by remote device back to client
    PADS –> Unicast signal sent by remote device back to host
    PADT –> signal sent to terminate

  41. mop
    May 13th, 2019

    ACL one still valid (Reflexive, Time based, Dynamic, Standard, Extended)

  42. kloo
    June 27th, 2019

    The best preparation for the Cisco exam, I passed the cisco exam with the help of it.
    good luck guys
    http
    ://c7.gg
    /fCXw8

  43. SPAMPolice
    June 27th, 2019

    @Kloo, people like you are ruining the internet! $120 for a dump SCAM – be warned!

  44. Anonymous
    July 22nd, 2019

    @Bob

    – → PADI (PPPoE Active Discovery Initialization)
    – Broadcast from client to AC
    – “Are there any PPPoE Servers out there? My unique Host-ID is xx-xx”
    – ← PADO (PPPoE Active Discovery Offer)
    – Unicast from AC to client
    – “Yes, I’m here xx-xx. My unique AC ID is yy.yy”
    – → PADR (PPPoE Active Discovery Request)
    – Unicast from client to AC
    – “Thanks for the info! Can I have a Session-ID please? ”
    – ← PADS (PPPoE Active Discovery Session-Confirmation)
    – Unicast from AC to client
    – “Yes, let’s use Session-ID 0x02”

  45. Anonymous
    July 22nd, 2019

    Oh and PADT- terminate

  46. pools
    September 22nd, 2019

    Help me!!!

    I can’t see all Drag and drop, I only see 1 and 2, but I don’t see 3 and 4.

    Where can I see drag and drop 3 and 4?

  47. asker
    November 3rd, 2019

    Hi, please send me drag and drop, please

  48. MSCbync
    March 10th, 2021

    Multimodal freight services, customs agent Asia-Trading
