In what order are route-map commands processed?
Sequential order based on sequence numbers


What happens if a route-map clause omits the match command?
All packets are matched.


What three things are a part of every route-map command (whether explicit or implicit)?
Explicitly configured name
Action (permit / deny)
Unique sequence number


When a route-map is used for redistribution, the route map processes routes taken from where?
The then-current routing table


True or False: During route redistribution, after a particular route is matched by the route map, further route-map commands are processed for more matches.
False: After a particular route is matched by the route map, it is not processed beyond that matching route-map command (specific to route redistribution). 


Which route-map parameter determines whether or not a matched route is redistributed or not?
The permit or deny parameter in the route-map statement. The route is redistributed when the route-map command has the permit parameter, and not redistributed when it has the deny parameter.


What is the result of this configuration:

ip access-list standard d1p2
  deny 1.0.0.0 0.255.255.255
  permit 2.0.0.0 0.255.255.255

route-map RM deny 10
  match ip address d1p2
Network 1.0.0.0 is not considered
Network 2.0.0.0 is specifically denied


During redistribution, what happens if a route-map clause with the permit parameter does not match any routes?
The routes are processed by the next route-map clause, or not redistributed if there are no further clauses.


During redistribution, what happens when the deny parameter is used in the route-map clause?
The routes are either filtered (if matched) or left in the list of routes to be examined by the next route-map clause (if not matched), if any.


During redistribution, if a route-map clause references an ACL containing a deny action, what happens to the route?
The route is not filtered, it just doesn't match that particular route-map clause.


Route maps include an implicit deny all at the end. How do you configure an explicit permit all?
Configure a clause at the end with a permit action, but no match statements.


What happens if more than one match statement is defined in a single route-map clause?
The route is matched only if all of the match statements parameters match the route.


True or False: During route redistribution, a route-map can be used only to match (select) routes from the routing table.
False: Routes matched for redistribution can also have various attributes (such as the metric) set as the route is redistributed.


What routes does this prefix-list match?

ip prefix-list PFX_TEN permit 10.0.0.0/8 ge 24 le 24
All routes whose first octet is 10 that have an exact prefix length of 24.


What routes does this prefix-list match?

ip prefix-list PFX_TEN permit 10.0.0.0/8 le 24
All routes whose first octet is 10 that have a prefix length between 8 and 24, inclusive.


How can you match only a default route with a prefix list?
ip prefix-list PFX_DEF permit 0.0.0.0/0


How can you match all routes with a prefix list?
ip prefix-list PFX_ALL permit 0.0.0.0/0 le 32


When a router learns a particular route from multiple sources, why is Administrative Distance used to choose a single source?
Routes from different sources (protocols) have different non-comparable metrics. The lowest AD is used to choose which route gets installed into the routing table when identical routes (prefix and length) are present from multiple sources. 


What is the AD of a Connected route?
0


What is the AD of a Static route?
1


What is the AD of a EIGRP summary route?
5


What is the AD of an eBGP route?
20


What is the AD of an internal EIGRP route?
90


What is the AD of an IGRP route?
100


What is the AD of an OSPF route?
110


What is the AD of an IS-IS route?
115


What is the AD of a RIP route?
120


Which route source has the lower AD, IS-IS or OSPF?
OSPF is 110
IS-IS is 115


What is the AD of an external EIGRP route?
170


What is the AD of an iBGP route?
200


What is the AD value of an infinite/unreachable route?
255


How do you change the default administrative distance for a particular routing protocol?
With the distance command under the particular routing protocol's subconfiguration.


True or False: Administrative Distance can be changed per-route.
True. The distance command can be used under the subconfiguration of the particular routing protocol, and individual routes and ACLs can be referenced and modified.


True or False: The default Administrative Distance of OSPF can be changed per route type.
True. With the distance command under the OSPF subconfiguration, individual route types (inter-area, intra-area, external) can have their AD value modified individually.


The ___ command identifies the routing source from which routes are taken, and the ___ command identifies the routing process into which the routes are advertised.
redistribute
router

Example:
router rip
  redistribute eigrp 1


When redistributing BGP, IS-IS, OSPF, or RIP into EIGRP, what happens if the metric is not set?
Routes from BGP, IS-IS, OSPF, or RIP will not be redistributed into EIGRP until a metric is set. You can specify different metrics per-route, per-protocol, or set a default metric. However, until a metric is configured (whether default or more specific), IOS accepts the redistribution commands, but will not actually redistribute the routes.


What is the AD of an ODR route?
160


When redistributing static routes into RIP, what metric is applied if a default or more-specific metric is not set?
Static routes are redistributed into RIP with a metric of 1 (directly connected), unless otherwise set with the default or more-specific metric.


When redistributing into OSPF, if the metric is not set, what happens?
The routes are redistributed with an automatic default cost of 20 (IGP) or 1 (BGP) and are of route type E2.


With the exception of OSPF, what is the metric assigned to a redistributed route if none is specified (either through the metric keyword, or the default-metric subcommand)?
The route will be redistributed with a metric of 0. A metric of 0 is incompatible with RIP and EIGRP. OSPF will assign a default metric of 20 (IGP) or 1 (BGP) unless otherwise specified.


When redistributing into OSPF, what happens if the subnets keyword is not used?
Only major (classful) networks are redistributed. For example, if the source protocol contained the prefix 172.16.10.0/24 to be redistributed, it will be redistributed as 172.16.0.0/16 without the subnets keyword.


True or False: When redistributing into EIGRP, only the metric values (K-values) that are used are required to be set.
False. All EIGRP metric values must be set when redistributing into EIGRP, regardless of the K-values settings.


During redistribution, what are the two sources of the redistributed routes?
Routes from the source protocol in the then-current IP routing table

Connected routes matched by the source routing protocol's network statements.


True or False: When redistributing a routing protocol, any Connected routes matched by the source protocol's network statements are automatically redistributed as well.
True


What are the three methods for setting the metrics of redistributed routes in Cisco IOS?
-Reference a route-map from the redistribute command that uses the set metric command

-Use the metric option with the redistribute command

-Use the default-metric command under the router command


Which redistribution method allows you to set metrics per-route with a single command?
Using the redistribute command that references a route-map.


Which redistribution method most easily lets you set the same metric for all routes redistributed by that redistribute command?
Using the metric option on the redistribute command.


Which redistribution method allows you to set the metric for all redistributed routes whose metric was not set by another method?
The default-metric command under the router protocol process.


What does the metric-type option in the redistribute command do?
The metric-type option lets you set the route type of the redistributed routes. For example, OSPF defaults to E2 routes, but you can use the metric-type option to force the redistributed routes to be E1 instead.


How can you verifiy if a tag was set on a route redistributed into EIGRP?
show ip eigrp topology route | include tag


How can you verify if a tag was set on a route redistributed into OSPF?
show ip ospf database external route | include Tag


By default, all OSPF routes have an Administrative Distance value of 110. How do you modify OSPF so that all routes redistributed into OSPF have an AD value of 180?
router ospf process
  distance ospf external 180


When multiple routers are peforming mutual routing protocol redistribution, what can be a cause of suboptimal routing?
A route redistributed into a lower-AD protocol by one router will be learned by another router, which will then use that redistributed route instead of a potentially more optimal route presented by a higher-AD protocol. 

The solution, where possible, is to mark the redistributed routes with a higher AD value than the source protocol. For example, marking routes redistributed from RIP into OSPF with an AD of 180 will permit the more-optimal routes from the RIP domain to be used.

EIGRP does this by default.


During route redistribution, how can you modify the AD value of individual routes?
Under the routing protocol process:

distance distance-value ip-address/RID wildcard [ACL]

Where ip-address wildcard is the source router that is advertising the routes (or RID in the case of OSPF), and an optional ACL to further define individual routes.


A common method of preventing routing loops with mutual redistribution is to set route tags as the routes are redistributed, and then filter routes with those tags at the other points of redistribution. What is a primary disadvantage of doing this instead of adjusting the Administrative Distance of the redistributed routes?
By filtering routes with the specified tags, the routes are never entered into the routing table, whereas when you set a higher Administrative Distance instead, the routes are still present but are not used unless the lower-AD route is removed from the routing table.


What is the tiebreaker when an OSPF router receives multiple E2 routes of the same prefix?
The route with the lowest cost to the ASBR wins.


By default, what is the metric advertised by a summary route?
The metric advertised by the summary is that of the current lowest-metric component subnet.


True or False: Component subnets are advertised along with the summary address by default.
False, the router does not advertise the component subnets by default.


True or False: Summary routes are still advertised even if there are no component subnets in the current routing table.
False, the router does not advertise the summary when its routing table does not have any of the component subnets.


How does a summarizing router prevent routing loops?
The summarizing router creates a Local discard route to the summary, with destination Null0, to prevent routing loops.


Why does the possibility of suboptimal routing occur when summary routes are used?
Summary routes decrease the amount of specific information in the routing tables, which can sometimes cause suboptimal routing.


How do you configure an EIGRP summary route?
EIGRP summarization is configured on the interface in classic mode, or the af-interface in named mode:

ip summary-address eigrp ASN network mask


How do you modify the AD of an EIGRP summary route?
Under the EIGRP process:

summary-metric network mask AD

In EIGRP named mode, this is configured under the topology.


When an EIGRP summary route is created, its metric is copied from the component subnet with the current lowest metric by default. Why should you set this value manually?
Even if the component route with the lowest metric remains the lowest, the summary metric is recalculated every time any individual component subnet metric changes, which adds to router overhead.

Set the metric manually with the summary-metric command under the EIGRP process.


How do you manually configure the metric used by an EIGRP summary route?
Under the EIGRP process:

summary-metric network mask bandwidth delay reliability load mtu [distance administrative-distance]

In EIGRP named mode, this is configured under the topology.


Why can summarization in OSPF happen only on ABRs and ASBRs?
OSPF routers in the same area must have identical LSDBs after flooding is complete, therefore all routers in an OSPF area must have the same summary routes, they all must be missing the same component subnets of each summary.

OSPF allows route summarization only as routes are injected into an area by an ABR or ASBR.


How do you configure an OSPF inter-area summary?
Under the OSPF process:

area area range network mask [cost cost]

Where area is where the component subnets reside. By default, the lowest-cost component becomes the summary cost, but this can be set statically with the cost keyword.


How do you configure an OSPF external summary?
Under the OSPF process:

summary-address network mask [tag tag]

This summarizes external routes as they are injected into OSPF as an ASBR.


What's the difference between the default ip classless and no ip classless with regard to whether or not a default route is used?
With ip classless, if a packet's destination does not match a specific route in the IP routing table, the router uses the default route.

With no ip classless, the router first checks to see whether any part of the destination address's classful network is in the routing table. If so, that router will not use the default route for forwarding that packet.


In what two ways can both RIP and EIGRP advertise a default route?
Static route to 0.0.0.0, with the redistribute static command

The ip default-network command


Which of the following can OSPF use to advertise a default route?

-Static route to 0.0.0.0 with the redistribute static command
-The default-information originate command
-The ip default-network command
-Using summary routes
Of these four, only the default-information originate command will cause OSPF to advertise a default route.


The default-information originate command can be used by which IGPs?

-RIP
-EIGRP
-OSPF
-IS-IS
RIP, OSPF, and IS-IS


True or False: You can advertise a default route for one routing protocol by redistributing another routing protocol's default route.
True


If a router learns of multiple default routes (using any method), how does it choose which one to use?
In order:

Best AD
Route type (internal vs. external, etc.)
Lowest metric


How can you configure EIGRP to redistribute only a static default route?
Static route > prefix list > route map > redistribute

ip route 0.0.0.0 0.0.0.0 gateway

ip prefix-list zero-prefix permit 0.0.0.0/0

route-map just-default permit 10
 match ip address prefix-list zero-prefix
route-map just-default deny 20

router eigrp ASN
 redistribute static route-map just-default [metric metric]


True or False: OSPF does not support redistribution of statically defined default routes with the redistribute static command.
True: OSPF requires the default-information originate command, which tells OSPF to redistribute any default routes found in the routing table, whether static or from another routing protocol.

If there are no default routes in the routing table, the default-information originate command will not advertise a default route into OSPF, unless the always keyword is used.


When using the default-information originate command with OSPF, what is the default cost and route type?
Cost 1
Type E2

The metric and route type can be set directly when using the default-information originate command.


True or False: You can use the ip default-network command to inject a default route into OSPF.
False. OSPF uses default-information originate


How do RIP and EIGRP use the ip default-network command differently?
RIP advertises a route to 0.0.0.0/0

EIGRP advertises the classful network, but flags it as a candidate default. This is why EIGRP must also be advertising the classful network.


What happens if a router learns a default route from eBGP, and advertises an EIGRP default summary out of an interface?
The EIGRP default summary creates the route 0.0.0.0/0 with the destination null0. The EIGRP summary has a default AD of 5, so that route will be used instead of the eBGP route with its default AD of 20.


When issuing the interface command ip summary-address eigrp ASN summary mask, how is the route installed locally, and then advertised?
The local router creates a local summary route with destination null0 using AD 5. EIGRP then advertises the summary to other routers with AD 90 (EIGRP internal)


What are the five phases in the PfR "phase wheel"?
Profile
Measure
Apply Policy
Control
Verify


What is the goal of the PfR Profile phase?
To learn flows that have high latency and throughput. Traffic being profiled is referred to as a traffic class. The list of all monitored traffic classes (MTC) is referred to as an MTC list.


What is the goal of the PfR Measure phase?
To collect and compute performance metrics for the traffic identified in the Monitored Traffic Classes (MTC) list.


What is the goal of the PfR Apply Policy phase?
To create low and high thresholds to define in-policy and out-of-policy performance categories.


What is the goal of the PfR Control phase?
To influence traffic by manipulating routing or by using policy-based routing (PBR).


What is the goal of the PfR Verify phase?
After controls have been introduced, PfR will verify out-of-policy event performance and make necessary adjustments to bring back in-policy performance.


What are the three primary interface types required in a topology to correctly deploy PfR?
Internal
External
Local


What are PfR Internal interfaces?
Interfaces that are used to connect to the internal network for communication with the control plane manager, the Master Controller.


What are PfR External interfaces?
Interfaces used to transmit packets out of the local network. At least two external interfaces are required to successfully deploy PfR. These are the interfaces where prefixes and exit link performance will be monitored.


What are PfR Local interfaces?
Interfaces used in the formation of the control plane mechanism that drives the PfR process. The local interface defines the source interface that is used to communicate to the Master Controller.


True or False: With PfR, communication between the Master Controller and its slave devices supports optional authentication.
False: Authentication is mandatory, and performed with key chains.


True or False: The PfR Master Controller must be in the same forwarding path taken by the controlled network traffic.
False. However, the MC must be reachable by the border routers.


A single PfR MC can support up to ___ individual border routers, or up to ___ managed exit interfaces (external interfaces).
10
20


True or False: With PfR, the MC and border router can be the same device.
True. Authentication is still required.


With PfR, what two things are border routers responsible for?
Border routers report prefix and transit link measurements back to the MC, and enforce policy changes as instructed from the MC, such as injecting preferred routes to alter the course of packet flows in the network.


When configuring PfR, what is the first required step?
Configure the authentication key-chain.


What command is used to create a PfR Master Controller?
pfr master in global configuration mode.


With PfR, how do you designate the border router's internal and external interfaces?
From the Master Controller:

pfr master
 border border-ip key-chain key-chain
  interface interface {internal | external}


How can you verify the PfR MC / border router relationship status?
show pfr master border


What is the first step to creating a PfR Border router?
Create the authentication key-chain to be used to communicate with the Master Controller.


How do you enable PfR on a Border router?
Enable the process:

pfr border
 master master-IP key-chain key-chain

Define the Local interface used to communicate with the MC:

 local interface

Loopback interfaces are recommended. 


What is required for the PfR MC process to become active?
At least two configured and reachable external interfaces from the Border router(s).


How can you verify the status of PfR?
show pfr master


By default, the PfR Master Controller uses both active and passive monitoring for each traffic class. What is the difference between the two modes, and when is each mode used?
Passive mode uses NetFlow data, and is used constantly.
Active mode uses IP SLA probes and is used when traffic classes are considered Out Of Policy.


When PfR is in passive mode, what metrics are monitored, and what is used to monitor them?
NetFlow is used to monitor: 
delay, packet loss, reachability, throughput


When PfR is in active mode, what metrics are monitored, and what is used to monitor them?
IP SLA probes are used to monitor:
delay, reachability, jitter, MOS


What are two PfR features that enable load balancing?
Link Utilization & Range

Link utilization - upper threshold set, traffic beyond is OOP
Example: 90% link utilization set, traffic that utilizes 95% of the link is out of policy

Range - multiple WAN link usage is kept within a relative utilization range of each other
Example: 10% range tries to keep the usage of multiple links within 10% of each other


What is the default frequency of PfR active probes?
60 seconds


What are the 3 high-level configuration-related steps to optimize voice traffic with PfR?
Identify traffic to be optimized
Configure active probing (including remote ip sla responder)
Configure PfR policy to set performance metrics for PfR to apply to identified traffic


What is a potential symptom of an incorrect split-horizon configuration?
The result is usually that most routes are propagated correctly, but some are not propagated.


What is the default TTL limit of traceroute?
30


In Cisco IOS, what is the traceroute default destination UDP port for the first probe?
33434


What is the most appropriate debug command for tracking down Layer 3 problems?
debug ip routing
debug ipv6 routing


How can you filter IP packet debugging to only receive the information you're looking for?
debug ip packet detail acl

Where acl matches the specific information you're looking for.


How can you display all user-defined applications monitored by a PfR border router?
show pfr border defined


How can you display all applications that are defined on a PfR Master Controller?
show pfr master defined


How can you display the status of an application identified by NBAR for the PfR border routers?
show pfr master nbar application


A multicast address is always used as the ___, never as the ___.
destination, source


On a network segment, how do hosts interested in receiving particular multicast traffic listen for the traffic?
By listening to the Layer 2 multicast address derived from the Layer 3 multicast address.

For example, hosts interested in listening to traffic from 255.5.5.5 will listen to the MAC address 0100.5e05.0505 in addition to the BIA of the NIC.


The assignment of IP multicast addresses is controlled by:
IANA


Which IP addresses are considered permanent multicast groups?
224.0.0.0 - 224.0.1.255


What range of IP addresses are used with Source-Specific Multicast?
232.0.0.0/8


Which range of IP addresses are used for multicast GLOP addressing?
233.0.0.0/8


What is the range of multicast addresses where the 16-bit ASN is mapped to the middle two octets referred to as?
GLOP addresses
233.0.0.0/8


What is the range of private IP multicast addresses?
239.0.0.0/8


If an IP multicast address is not in a reserved range, what is it referred to as?
Transient


What is the range of IP multicast addresses that should not be forwarded by multicast routers?
224.0.0.0/24


What is the range of permanent IP multicast group addresses that should be routed by IP multicast routers?
224.0.1.0/24


What is the purpose of Source-Specific Multicast?
To allow a host to select a source for the multicast group.


How do you convert a multicast IP address to a multicast MAC address?
The multicast MAC OUI will always be 01-00-5E
The last six hex digits of the MAC consist of 0 + the last 23 binary bits of the multicast IP address


What is the overlap of multicast IP addresses to multicast MAC addresses?
There are 32 non-contiguous IP multicast addresses mapped to each multicast MAC address. This means when a host joins a multicast group, it implicitly joins 31 other groups as well.


Without the use of IGMP snooping or CGMP, why would a switch flood multicast traffic out of all ports in the VLAN?
Without IGMP snooping or CGMP, multicast traffic is treated identically to broadcast and unknown unicast traffic in that it is flooded out of all ports in the VLAN because the Source Address is unknown. A Multicast MAC address is never used as a Source Address.


IGMP messages are sent in IP datagrams using IP Protocol ___ with the IP TTL field set to ___.
IP Protocol 2
TTL 1

IGMP packets are local and not forwarded by routers because of the TTL value of 1.


What are the two most important goals of IGMP?
To inform a local multicast router that a host wants to receive multicast traffic for a specific group, or leave that group.


IGMP is used for communication between ___ and ___.
Hosts, routers


What is the default version of IGMP used in IOS 15?
IGMPv2


True or False: IGMP must be enabled per-interface when multicast routing and PIM are configured on a router.
False: IGMP is automatically enabled when multicast routing and PIM are configured on a router.

The IGMP version can be changed per-interface.


True or False: The IGMP version used must be set globally.
False: The IGMP version can be changed per-interface, with IGMPv2 being the default for IOS 15.


What are the four message types defined for the IGMPv2 Type field?
Membership Query (type code 0x11)
Version 1 Membership Report (type code 0x12)
Version 2 Membership Report (type code 0x16)
Leave Group (type code 0x17)


What is the IGMPv2 Version 1 Membership Report message type used for?
The IGMPv2 Version 1 Membership Report message type is used by IGMPv2 hosts for backward compatibility with IGMPv1.


What is the IGMPv2 Version 2 Membership Report message type used for?
The IGMPv2 Version 2 Membership Report is sent by a group member to inform the router that at least one group member is present on the subnet.


What is the IGMPv2 Leave Group message type used for?
The IGMPv2 Leave Group message type is sent by a group member if it was the last member to send a Membership Report to inform the router that it is leaving the group.


What two possible values can be placed in the IGMPv2 Group Address field?
General Query messages set the Group Address field to 0.0.0.0.

All other message types set the Group Address field to the specific multicast group.


True or False: IGMPv2 is completely backward compatible with IGMPv1.
True. IGMPv2 Type Codes 0x11 and 0x12 match the type codes for IGMPv1 Membership Query and Membership Report messages, which enables IGMPv2 hosts and routers to recognize IGMPv1 messages when IGMPv1 hosts or routers are on the network.


What are the four features added to IGMPv2 over IGMPv1?
Leave Group messages
Group-specific Query messages
Maximum Response Time field
Querier election process


How does an IGMPv2 host notify a router that it wishes to leave a particular multicast group?
With a Leave Group message


What does an IGMPv2 router use to send a query for a particular multicast group?
A Group-Specific Query message


What is the effect of setting the IGMPv2 Maximum Response Time higher than the default value of 10 seconds?
The effect is that hosts' collective IGMPv2 Solicited Report messages are spread out over a longer period of time, which results in more uniform consumption of subnet bandwidth and router resources.


How frequently does an IGMPv2 router acting as the IGMPv2 querier send general IGMP Query messages?
Every 60 seconds


What are the source and destination IP and MAC addresses of an IGMPv2 Host Membership Query?
SA: Router interface's IP and MAC
DA: 224.0.0.1 and 0100.5e00.0001


What two steps occur during the IGMPv2 host Membership Query process?
1. Hosts join a particular multicast group and listen on two additional multicast MAC addresses: the calculated MAC corresponding to the multicast group, and the MAC 0100.5e00.0001 corresponding to 224.0.0.1 (all nodes).

2. The local multicast router periodically sends IGMPv2 Host Membership Queries. Hosts that have joined any multicast group reply with an IGMPv2 Report message.


Why is it unnecessary for multiple hosts on a LAN segment to send an IGMP Membership Report to the local router?
The router's interface will forward multicast traffic whether a single host, or multiple hosts belong to a given multicast group, and therefore additional Membership Report messages from multiple hosts are unnecessary.


How does the IGMP Report Suppression mechanism work?
The IGMPv2 Maximum Response Time (MRT) timer is used. The timer is also known as the Query Response Interval. When any host receives an IGMPv2 Query, it picks a random time between 0 and the MRT to send a Host Membership report. However, if the host hears another host send a report for the group, it does not send a report of its own.


What is the purpose of an IGMPv2 Unsolicited Host Membership Report?
To immediately signal to a router that the host wishes to receive traffic for a particular multicast group, without having to wait for the router to send its periodic Host Membership Query message.


What is the relationship between the IGMPv2 Leave Group message, and the Group-Specific Query message?
When an IGMPv2 host leaves a group, it sends a Leave Group message. When the IGMPv2 router receives the message, it immediately sends a Group-Specific Query message for that group to determine if there are any remaining hosts that wish to receive traffic.


To which IP address is the IGMPv2 Leave Group message sent?
224.0.0.2, All Multicast Routers


True or False: Multicast routers do not keep track of hosts that are members of the group, only the group memberships that are active.
True


How does the IGMPv2 Querier Election process work?
When IGMPv2 routers start, they send a General Query to 224.0.0.1. When a router receives a General Query, it compares the source IP with its own, and the router with the lowest IP on the subnet is elected the Querier.


How long is the default time before an IGMPv2 Querier router is considered dead and a new election occurs?
255 seconds

2x Query Intervals (125s) + 1/2 Query Response Interval (10s)


What is the host IGMP Version 1 Router Present timeout?
A time period during which, if an IGMPv2 host does not receive an IGMPv1 Query, the IGMPv2 host concludes that there are no IGMPv1 routers present and starts sending IGMPv2 messages.

The default value is 400 seconds.


What allows a host to indicate interest in receiving multicast packets only from individual source addresses, or from all sources except for individual exclusions?
IGMPv3 Source-Specific Multicast (SSM)


What is the destination address for the IGMPv3 Membership Report message?
224.0.0.22 (IGMPv3)


How does an IGMPv2 host determine that the querying router is IGMPv1?
The MRT field of the IGMPv1 Query is 0, whereas the IGMPv2 MRT field is nonzero.


What happens when an IGMPv2 host determines that the router is using IGMPv1?
It marks its interface as IGMPv1 and stops sending IGMPv2 messages.


What happens when an IGMPv2 host receives an IGMPv1 Query?
The host starts a 400-second Version 1 Router Present Timeout timer, which is reset whenever an IGMPv1 Query is received. If the timer expires, there are no longer any IGMPv1 routers present on the subnet, and the IGMPv2 host starts sending IGMPv2 messages.


How can an IGMPv2 router determine that an IGMPv1 host is present on the subnet?
The IGMPv2 router receives an IGMPv1 Report message (type 0x12), and changes its behavior to accommodate the IGMPv1 host(s).


When an IGMPv2 router is aware of IGMPv1 hosts on the subnet, how does the router change its behavior?
The IGMPv2 router ignores Leave messages and the Group-Specific Queries triggered by receipt of the Leave messages.

IGMPv2 routers continue to ignore Leave messages until the IGMPv1-Host-Present Countdown timer expires (180 seconds).


How long is the router IGMPv1-host-present countdown timer?
Equal to the Group Membership Interval, which is 180 seconds by default for IGMPv1.


How does IGMP snooping determine which ports multicast routers are connected to?
The switch listens for the following routing protocol messages:

IGMP General Queries with GDA 0100.5e00.0001
OSPF messages with GDA 0100.5e00.0005 or 6
PIMv1 and HSRP Hellos with GDA 0100.5e00.0002
PIMv2 Hellos with GDA 0100.5e00.000d
DVMRP Probes with GDA 0100.5e00.0004


What happens when a switch performing IGMP snooping detects a router on a port?
The port is added to the port list of all Group Destination Addresses in the CAM table for that particular VLAN.


What happens when a switch performing IGMP snooping receives an IGMP Report message?
The switch creates an entry in the CAM table for the Group Destination Address and adds the host port and router port to it.


What happens when a switch performing IGMP snooping receives an IGMP Leave message?
The switch removes the host port from the Group Destination Address CAM table entry. The switch then sends the Leave message to the router, unless there are more host ports in the GDA CAM entry, in which case the switch discards the Leave message.


True or False: IGMP snooping is enabled by default on most Cisco Layer 3 switches, including the 3560.
True


How do you disable IGMP snooping for an individual VLAN?
Globally: no ip igmp snooping vlan vlan


True or False: IGMP filtering requires IGMP snooping to be enabled.
True, it is not a standalone feature.


True or False: You can configure IGMP filters separately for each VLAN passing through a trunk port.
True


Where are IGMP filters typically used?
IGMP filters are typically used on access switches connected to end-user devices.


What are the three different types of IGMP filters?
IGMP group/channel access control
IGMP group/channel join limits
IGMP minimum version


What is the IGMP Proxy feature used for?
To enable hosts that are not directly connected to a downstream device to join a multicast group sourced from an upstream network (such as with UniDirectional Link Routing).


What do multicast routers use to prevent loops?
Reverse Path Forwarding (RPF) check


How does the multicast Reverse Path Forwarding (RPF) check work?
The router looks at the source IP of the multicast packet, and if the route to the source is on the interface where the multicast packet was received, the packet passes the RPF check and is forwarded, otherwise it is dropped.


What happens when a multicast source sends a packet to the RP, but no hosts have joined the multicast group?
The multicast packet is dropped at the RP until a multicast host has joined the particular group.


How does the initial RPF check work with downstream routers when using PIM-SM?
The downstream routers check the reverse path to the RP, not the source.


How does multicast TTL scoping work?
The router compares the TTL value on the multicast packet with the configured TTL value on each outgoing interface (whose default is 0). If the configured TTL value is less than or equal to the TTL present in the multicast packet, the packet is forwarded.

For example, if the TTL is set to 10 and the router receives a multicast packet with a TTL of 15, it will be forwarded.


What is the default multicast TTL value on router interfaces?
0


Other than scaling limitations, what is a downside to using TTL scoping on routers to enforce multicast boundaries?
The configured TTL threshold value on an interface applies to all multicast packets, and therefore does not allow for per-group flexibility. 


How does multicast administrative scoping work?
Administratively-scoped multicast addresses are those in the 239.0.0.0/8 range. Administrative scoping works by configuring and applying a filter on the router's interface so that multicast addresses in the administratively-scoped range are not allowed to enter or exit the interface.


What are the three common multicast dense-mode routing protocols?
PIM-DM
DVMRP
MOSPF


What is the default PIMv2 Hello interval?
30 seconds


What is the All-PIM-Routers multicast address?
224.0.0.13


How does PIMv2 discover neighbors and establish/maintain adjacencies?
Neighbors are discovered, and adjacencies are established and maintained by receiving PIMv2 Hellos on PIM-enabled interfaces.


When will a PIMv2 router send PIM messages out of a PIM-enabled interface (other than Hellos)?
Only when it has an active PIMv2 neighbor on the interface, which is established by receiving a PIM Hello message from the neighbor.


What are the terms for a path between a source host that originates multicast packets and all subnets that need to receive a copy of the multicast sent by that host?
Source-based distribution tree
Shortest-path tree
Source tree


What multicast notation refers to a particular shortest-path tree?
(S,G)


What does the PIM Prune message do?
The PIM Prune message is sent from one router to a second router to cause the second router to remove the link on which the Prune is received from a particular (S,G) SPT.


What are the two main reasons for a PIM-DM router to send a Prune message?
Upon receipt of multicast packets on a non-RPF interface.

When there are no locally connected hosts in a particular group and no downstream routers are listening for the group.


When issuing the show ip mroute command, what does the combination of the C-flag and an RPF neighbor of 0.0.0.0 indicate?
The connected device is the source of the particular multicast group.


PIM does not have separate Join or Prune messages, but a single Join/Prune message. How is a Join or Prune indicated within the single message type?
A Prune message is actually a Join/Prune message with a group address listed in the Prune field, and a Join has a group message in the Join field.


What happens when a router interface running PIM-DM receives a Prune message?
The router finds the matching (S,G) SPT entry and marks the interface on which the Prune message was received as "pruned" and starts a Prune timer (whose default is 3 minutes). When the timer expires, the interface is placed into a forwarding state.


What is the PIM-DM State Refresh message?
When a PIM-DM link is pruned, it will begin flooding again after 3 minutes by default. The PIM-DM State Refresh message is sent upstream by pruned routers every 60 seconds by default to reset the 3-minute timer and prevent PIM-DM from flooding traffic on the link.


True or False: The PIM-DM State Refresh message timer is dependent on the Prune timer.
False: PIM-DM State Refresh messages are sent on pruned links every 60 seconds by default, but are not dependent on the 3-minute (default) Prune timer.


What happens when a multicast host wishes to receive traffic for a group that was previously pruned by the router?
A Graft message is sent by the downstream router to the upstream router to request the multicast traffic again for the particular (S,G).


When multiple PIM downstream routers are present on a network segment and one or more of the routers sends a Prune message while at least one other router still needs to send the multicast traffic further downstream, what happens?
When the upstream router receives the Prune, because it was received on a multiaccess network (as opposed to point-to-point), it sets a 3-second timer. The other router(s) on the segement must sent a Prune Override message (which is actually just a normal Join message) before the timer expires. 

The downstream router that sent the Prune will simply ignore the received multicast traffic by not listening on the multicast MAC address for the particular group.


What is the PIM Assert process used for?
When multiple multicast routers are present on a network segment, the PIM Assert process is used to determine which router should be the one to forward the multicast traffic based on which router has a better metric to the multicast source.


During the PIM Assert process, how is the multicast forwarder for a particular group determined?
The routers on the multiaccess network segment receive each other's PIM Assert message, which contains the AD and metric the router used to reach the multicast source. The forwarder is chosen by:

-Lowest AD of routing protocol used to reach the source
-Lowest metric for the route (if AD is tied)
-Highest IP address on the LAN (if AD and metric are tied)


How is a PIM Designated Router elected on a multiaccess network?
The DR is elected by receipt of PIM Hello messages. The PIM router with the highest IP address becomes the DR for the link.


Why is the PIM DR important for IGMPv1?
IGMPv1 does not have a mechanism to elect a querier, so the PIM DR is used as the IGMPv1 Querier.


What is the difference between the winner of the PIM Assert process, and the IGMP Querier?
The winner of the Assert is responsible for forwarding multicast traffic for the particular multicast group onto the LAN.

The IGMP Querier is responsible for managing the IGMP process by sending IGMP Query messages on the LAN.


How can you manually specify the PIM RP address?
Globally: ip pim rp-address ip


What happens in a PIM-SM network when a multicast source sends traffic, but there are no receivers?
The first-hop multicast router attempts to register the group with the RP, but since no receivers for the group have registered with the RP, the RP sends a Register-Stop message back to the first-hop multicast router.


When a PIM-SM router attempts to register with the RP for a particular group, what is encapsulated in the Register message?
The first multicast packet is encapsulated in the Register message in case the RP has interested receivers registered with the group.


What happens when a PIM-SM router receives a Register-Stop message?
The router starts a 1-minute Register-Suppression timer, and does not send any further Register messages to the RP until five seconds before the timer expires, when it then sends a Register message with the Null-Register bit set. 

If the RP still has no interested receivers for the group, it will send back another Register-Stop message, and the process starts over again. If the RP does have interested receivers, it does not reply back to the Register message, and will begin receiving multicast packets when the first router's Register-Stop timer expires.


What two things cause a PIM-SM router send a Join toward the RP?
When the router receives a PIM Join message on any interface other than the one used to route packets toward the RP

When the router receives an IGMP Membership Report from a host on a directly-connected subnet


What is the PIM-SM Root Path Tree (RPT)?
The tree with the RP at the root that defines over which links multicasts should be forwarded to reach all required routers.


What are the two major functions of the PIM-SM Register message?
To allow a router to inform the RP that it has a local source for a particular multicast group

To allow a router to forward multicasts to the RP encapsulated inside a unicast packet, until the registration process is completed.


What type of multicast tree is indicated by the (S,G) notation?
Shortest Path Tree / Source-Based Tree / Source Tree


What type of multicast tree is indicated by the (*,G) notation?
Root Path Tree / Shared Distribution Tree


In a PIM-SM network, after interested receivers register with the RP, and the multicast source begins sending traffic, how does the RP react?
The RP joins the SPT (S,G) toward the multicast source, and sends a Register-Stop message to the source's first-hop router so that it stops sending multicast-encapsulated packets within unicast Register messages.

The end result is that the SPT (S,G) is used between the RP and the source, and the RPT (*,G) is used between the RP and the subnets that need to receive the traffic.


PIM-SM steady-state operation requires PIM-SM routers to send ___ messages periodically.
PIM Join. If the router does not send a PIM Join within the default timeout of 3 minutes, the upstream router's interface reverts to being pruned.

The default interval of sending PIM Join messages is 60 seconds.


During PIM-SM steady-state operations, how frequently are PIM Join messages sent, by default?
Every 60 seconds


A PIM-SM RP uses a ___ tree to pull the traffic from the multicast source to itself, and uses a ___ tree to push the traffic down to the PIM-SM routers that have requested it.
Shortest Path Tree
Shared Tree / Root Path Tree


In PIM-SM operations, after the downstream routers join the RPT from the RP, when do the routers switch over to the multicast SPT between the individual routers and the multicast source?
Cisco routers switch over from the RPT to the source-specific SPT after they receive the first packet from the shared tree, by default.


How do you configure a Cisco router to change from a PIM-SM RPT to a source-specific SPT after a certain rate of traffic?
Global: ip pim spt-threshold kbps

After the threshold of kbps is crossed, the router switches from the RPT through the RP to the SPT to the source. By default, this occurs after the router receives the first multicast packet from the RPT.


Why do receivers of multicast traffic in a PIM-SM network require at least one packet before they can switch from the RPT to the source-specific SPT?
Downstream routers do not know the IP address of the multicast source (only the IP address of the RP) until they receive the first multicast packet for the group from the source.


When looking at the IP multicast routing table, how can you tell which group(s) switched over from the RPT to the SPT?
The presence of the "J" flag.


When a PIM-SM router switches to the SPT toward the multicast source, how does it signal to the RP that it no longer needs traffic from the RPT?
The router sends a Prune for the (S,G) to the RP with the RP-Tree bit set, which indicates to the RP (and to the upstream routers toward the RP) that the router has switched over to the SPT and no longer needs the traffic from the RPT.


What are the three methods for which a Cisco router can learn of the PIM-SM RP?
Statically with ip pim rp-address
Cisco-proprietary Auto-RP protocol
Standard BootStrap Router (BSR) protocol


What are the two methods Cisco IOS supports for providing redundant PIM-SM RPs?
Anycast RP using MSDP
BootStrap Router (BSR)


With Auto-RP, what is the first step the RP performs?
The RP sends RP-Announce messages to 224.0.1.39 stating that the router is an RP, and the particular multicast groups the RP handles.


True or False: The Auto-RP Mapping Agent cannot be on the same router as the RP.
False: The Auto-RP Mapping Agent can be a different router than the RP, but they are usually configured on the same router.


What does the Auto-RP Mapping Agent do?
The mapping agent learns all the RPs and the multicast groups they support, then multicasts RP-Discovery messages that identify the RP for each range of multicast group addresses.


To which multicast address are RP-Discovery messages sent?
224.0.1.40


How does the Auto-RP Mapping Agent receive information about RPs and their associated groups?
By listening to RP-Announce messages from multicast group 224.0.1.39 sent by the RP.


When multiple RPs are present, how does the Auto-RP Mapping Agent determine which RP to use for a particular group?
When multiple RPs are present and serve as RP for the same groups, the Mapping Agent advertises the RP with the highest IP address as the current RP for the particular multicast group.


When PIM is enabled on an interface on a Cisco router, regardless of the mode, what multicast group is automatically joined?
RP-Discovery 224.0.1.40


What is PIM sparse-dense-mode?
Sparse-dense-mode allows an interface to use multicast sparse or dense mode, depending on the particular group.


How can a router interface configured with ip pim sparse-mode discover the RP with Auto-RP?
The global ip pim autorp listener command joins the Auto-RP multicast groups 224.0.1.39 and 224.0.1.40 in dense-mode in order to discover the RP. After the RP is discovered, sparse-mode communications can take place.


How do you configure a router to be an RP with Auto-RP?
Globally:
ip pim send-rp-announce {interface | ip-address} scope TTL [group-list ACL]

Note: the referenced interface (whether by interface or IP) must have multicast enabled.


How do you configure a router to be an Auto-RP Mapping Agent?
Globally:
ip pim send-rp-discovery scope TTL


How can you verify which RP is being used for which multicast groups?
show ip pim rp


True or False: BSR floods Boostrap messages only on RPF interfaces.
False: Boostrap messages are flooded only on non-RPF interfaces. Likewise, loops are prevented because Boostrap messages are discarded when received on non-RPF interfaces.


How does BSR prevent loops when Boostrap messages are flooded?
Boostrap messages are discarded when received on non-RPF interfaces.


What is the BSR analogous to, as compared to Auto-RP?
The BSR is similar to the Auto-RP Mapping Agent.


True or False: The BSR chooses and advertises the best RP for each multicast group.
False: Unlike Auto-RP, BSR sends all group-to-RP mapping information to the other PIM routers, and they independently choose the currently best RP for each multicast group by running the same hash algorithm on the information in the bootstrap message.


To where does the BSR flood Boostrap messages to?
The BSR floods all mapping information in Boostrap messages to the All-PIM-Routers address 224.0.0.13.


How does a BSR learn about the candidate RPs?
When BSR is used, all PIM routers already know the unicast IP address of the BSR from the earlier receipt of Boostrap messages. Candidate RPs send unicast c-RP Advertisements to the BSR which include the IP address used by the c-RP and the groups it supports.


True or False: Multiple PIM-SM BSRs can be configured on the network simultaneously.
True: Each Candidate-BSR sends Bootstrap messages that include the priority of the BSR and its IP address. The highest priority wins (default 0), followed by highest IP address.

The winning BSR is called the Preferred BSR and continues to send Bootstrap messages while the other BSRs monitor the messages to attempt to take over if the Preferred BSR's messages stop.


What is the default priority for BSR routers?
0, higher priority preferred.


How do you configure a router to be a candidate BSR?
Globally:
ip pim bsr-candidate interface

Note: PIM-SM must be configured on the interface


How do you configure a PIM-SM router using BSR to be a candidate RP?
Globally:
ip pim rp-candidate interface

Note: PIM-SM must be enabled on the interface


What capability does Anycast RP add over static RP configuration, Auto-RP, and BSR?
With Anycast RP, RP redundancy and load sharing can be achieved with multiple RPs concurrently acting as the RP for the same group. 

Without Anycast RP, RP redundancy only allows one router to be the active RP for each multicast group, and load sharing is achieved by using one RP for some groups, and another RP for other groups.


What are the two biggest benefits of using Anycast RP?
Multiple RPs share the load for a single multicast group

Recovery after a failed RP is a function of IGP convergence, and so it usually fairly quick.


How does Anycast RP work?
Multiple RPs are configured with the same IP address, cover the same multicast groups, and are advertised into the IGP. All the RPs act as normal, and the same information is distributed either statically, with Auto-RP, or with BSR. All routers use the closest RP based on their unicast routing table.


How do you configure an MSDP peer?
Globally:
ip msdp peer ip


How do you verify an MSDP peer?
show ip msdp peer


What is the purpose of MSDP?
To provide a method for RPs in different multicast domains to register multicast sources with peer RPs.


What are MSDP Source Active (SA) messages?
Source Active (SA) messages list the IP addresses of each source for each multicast group.


How frequently are MSDP SA messages sent between peers?
Every 60 seconds


MSDP peers require routes to ___.
Each of their MSDP peers, as well as to the multicast sources


True or False: MSDP peers must wait for the 60 second interval before receiving updated multicast information from each other.
False: RPs can send Source-Active (SA) request messages. The MSDP peers respond with SA response messages.


What are the four generic steps of PIM-SM operations, starting with the RP?
-RP builds a shared tree with itself as the root
-Source's first-hop router registers to the RP with PIM Register messages
-RP joins SPT to source with PIM Join
-Routers with receivers join SPT to source with PIM Join


How does BiDirectional PIM work differently than PIM-SM?
Normally, PIM-SM uses the shared tree created to the RP to initialize multicast traffic, with both the RP and the receivers eventually joining the SPT to the source.

BiDirectional PIM uses only the shared tree for communications between senders and receivers. The RP and leaf routers do not join the SPT.


What is the primary use case for BiDirectional PIM?
When most of the receivers are also senders, such as videoconferencing.


With BiDirectional PIM, how does traffic flow from sender to receiver?
The sender's first-hop router forwards the traffic up the shared tree to the RP. The RP then forwards the traffic back down the shared tree to all of the leaf routers containing the receivers.


How do you configure PIM BiDir on a router?
Globally:
ip pim bidir-enable

You must then add the bidir keyword to the RP configuration:
Static: ip pim rp-address ip bidir
Auto-RP: ip pim send-rp-announce interface scope ttl bidir
BSR: ip pim rp-candidate interface bidir

Important: enable PIM BiDir on all routers in the network to avoid routing loops.


How can you verify if PIM BiDir is being used?
show ip pim rp mapping will reveal which groups, if any, are using PIM BiDir.


What is the default frequency interval of PIM-DM and PIM-SM Hello and Query messages?
30 seconds


What two configurations are required on a router to use Source-Specific Multicast (SSM)?
Globally:
ip pim ssm default

Interface:
ip igmp version 3

Note: SSM requires IGMPv3 configured on the interface.


Why is an RP not needed with SSM?
SSM receivers know the unicast IP address of the source, and specify it when they join the multicast group. SSM receivers join a specific (S,G).


What is a major advantage of SSM with regard to multicast group addresses?
Without SSM, multicast receivers receive all traffic sent to a particular subscribed multicast group. With SSM, multicast traffic is received only from the specified source on the particular multicast group.


True or False: SSM does not use any RPs or shared trees.
True. SSM only uses SPT and hosts join a specific (S,G) which negates the requirement of RPs and shared trees.


When you issue the global command ip pim ssm range default on a router, which groups are used for SSM?
The default keyword means that the range 232.0.0.0/8 is used for SSM.

Within this range, no shared trees are allowed, and (*,G) joins are dropped.


Why is IGMPv3 required for SSM?
IGMPv1 and IGMPv2 do not allow receivers to explicitly specify sources in order to build SPTs.


How do you enable multicast routing for IPv6 in Cisco IOS?
Globally:
ipv6 multicast-routing


True or False: After issuing the ipv6 multicast-routing command, PIMv6 must be configured on IPv6-enabled interfaces.
False: PIMv6 is enabled automatically for all IPv6-enabled interfaces when ipv6 multicast-routing is issued.


How can you disable PIM on an IPv6-enabled interface?
Interface:
no ipv6 pim


How can you verify IPv6 PIM adjacencies?
show ipv6 pim neighbor


How do you configure the IPv6 PIM DR priority?
Interface:
ipv6 pim dr-priority priority

Higher priority wins.


True or False: IPv6 multicast does not support Auto-RP or dense-mode operation.
True. IPv6 multicast operates only in sparse-mode, and the RP must either be statically defined, use IPv6 BSR, or Embedded RP.


How do you statically configure the IPv6 PIM RP?
Globally:
ipv6 pim rp-address ipv6-address


How do you verify the IPv6 multicast routing table?
show ipv6 mroute


How do you configure a router to be the IPv6 PIM BSR candidate?
Globally:
ipv6 pim bsr candidate bsr ipv6-address


How do you configure a router to be the IPv6 PIM BSR candidate RP?
Globally:
ipv6 pim bsr candidate rp ipv6-address


How do you verify the IPv6 group-to-RP mappings?
show ipv6 pim range-list


IPv6 MLD is comparable to ___.
MLD is comparable to IGMP.

MLDv1 is comparable to IGMPv2
MLDv2 is comparable to IGMPv3


What are the three types of messages used by MLD?
Query
Report
Done


The MLD ___ message is similar to the IGMPv2 Leave message.
Done


How can you verify MLD for an interface?
show ipv6 mld interface interface


How can you verify IPv6 multicast traffic statistics?
show ipv6 pim traffic


What is Embedded RP?
Embedded RP enables the identity of the RP to be embedded as part of the multicast group address.


How do you know that an IPv6 multicast group contains an embedded RP?
Embedded RP addresses always being with FF70::/12

1111 1111 0111


What five pieces of information are contained in an IPv6 Embedded RP address?
Scope
RP interface ID
Prefix length
64-bit RP prefix
32-bit group ID

FF7<scope>:0<RP interface ID><hex prefix length>:<64-bit RP prefix>:<32-bit group ID>:<1-F>


How do you configure a router to join a multicast group?
Interface:
ip igmp join-group address


What are the high-order 3 bits of the ToS byte in the IP header referred to as?
The IP Precedence (IPP) field


What are the IP Precedence names for values 0 - 7?
0 Routine
1 Priority
2 Immediate
3 Flash
4 Flash Override
5 Critical
6 Internetwork Control
7 Network Control

Reverse mnemonic: NIC F FIPR


How are the bits in the IP header's ToS byte defined for DiffServ?
Bits 0 - 5 are the DSCP
Bits 6 - 7 are for ECN


What are the bits formerly used by IPP referred to as with DSCP?
Class Selector PHBs

CS0 - CS7 = IPP 0 - 7


How do the Assured Forwarding (AF) PHBs work?
AFxy where x = 1 - 4 and y = 1 - 3. Higher values of x get better queuing treatment, and higher values of y have a higher probability of being dropped.

Example: with AF11 vs AF23, AF23 will have better queuing treatment, but will have a higher probability of being dropped.


How do you convert AFxy PHB values to decimal?
8x + 2y = decimal

Example: AF41 = (8 * 4) + (2 * 1) = 34


What is the decimal value of the Expedited Forwarding (EF) PHB?
46


True or False: The 3-bit Ethernet CoS field is always present in the Ethernet header.
False: it is present only when the Ethernet frame includes an 802.1Q tag, or an ISL trunking header.


When is classification based on CoS, DE, CLP, or EXP bits performed?
On ingress only, and only if the interface supports that particular header field.


When is marking based on CoS, DE, CLP, or EXP bits performed?
On egress only, and only if the interface supports that particular header field.


In a MQC class-map, what is used to perform matching when the match protocol statement is used?
NBAR


A MQC policy is designed to mark packets as they leave an interface:

policy-map policy1
  class class1
    set dscp ef
  class class2
    set dscp default

interface f0/0
  service-policy output policy1

What happens if a packet does not match either of the two classes referenced by the policy-map?
The packets would not be marked, and will retain their existing DSCP values.


If a class-map is defined without specifying the matching logic, what is the default?
match-all  (logical AND)


What is the result of this configuration?

class-map match-all class1
  match dscp 0
  match dscp 1
No packets are matched because a packet cannot be marked as DSCP 0 and DSCP 1 simultaneously.

The correct way to issue this configuration is:

class-map match-any class1
  match dscp 0 1


If a packet inside a policy-map does not match any referenced classes, how is the packet handled?
It is matched to the special class class-default


When performing class-based marking, what happens if you do not include the ip keyword when setting the IP Precedence or DSCP?
Without the ip keyword, both IPv4 and IPv6 packets are marked.

Example: set dscp value marks both IPv4/IPv6 DSCP, but set ip dscp value marks IPv4 only


How do you verify the configuration of a policy-map?
show policy-map name


How do you verify the statistical information about the behavior of a policy-map enabled on an interface?
show policy-map interface


How can you configure a class-map to use NBAR to match web URLs containing a particular string?
class-map class1
  match protocol http url "*string*"


How do you adjust the time interval over which IOS measures packet and bit rates on an interface?
Interface: load-interval


How can you configure NBAR to gather statistics on an interface?
ip nbar protocol-discovery


How do you upgrade NBAR's Packet Description Language Modules (PLDMs)?
Copy the PLDM file to the router, then configure globally:
ip nbar pldm file


What is the general rule for the location of ingress QoS marking?
Mark as close as possible to the source, but not from untrusted devices.

For example, a server may have the capability to mark packets, but you might not trust those markings and wish to remark them manually on the ingress switch port.


What are the Cisco-recommended CoS/IPP/DSCP values for voice payload traffic?
5 / 5 / EF


What are the Cisco-recommended CoS/IPP/DSCP values for video payload traffic?
4 / 4 / AF41


What are the Cisco-recommended CoS/IPP/DSCP values for voice/video signaling traffic?
3 / 3 / CS3


What are the Cisco-recommended CoS/IPP/DSCP values for mission-critical traffic?
3 / 3 / AF31,AF32,AF33


What are the Cisco-recommended CoS/IPP/DSCP values for transactional data traffic?
2 / 2 / AF21,AF22,AF23


What are the Cisco-recommended CoS/IPP/DSCP values for bulk traffic?
1 / 1 / AF11,AF12,AF13


What are the Cisco-recommended CoS/IPP/DSCP values for best-effort traffic?
0 / 0 / BE


What are the Cisco-recommended CoS/IPP/DSCP values for scavenger traffic?
0 / 0 / 2,4,6


With regard to traffic policing, what are the two components of the traffic contract?
Traffic rate measured in bps
Burst size measured in number of bytes


True or False: The contents of the ToS byte are automatically copied into the tunnel header (in IPsec transport mode, in tunnel mode, and in GRE tunnels) when the packet is encapsulated.
True - however, features like NBAR are broken when working with encapsulated traffic.


What is Cisco IOS QoS pre-classification?
QoS pre-classification permits routers to make egress QoS decisions based on the original traffic before encapsulation.


How and where do you enable QoS pre-classification?
With the qos pre-classify command under the tunnel interface, virtual template interface, or IPsec crypto map.


What are the two versions of Auto-QoS?
AutoQoS for VoIP
AutoQoS for Enterprise


How do you enable Auto-QoS for VoIP on an access interface?
auto qos voip {cisco-phone | cisco-soft-phone}


When enabling AutoQoS for VoIP on an access interface, what happens if CDP cannot detect a Cisco phone?
All traffic is marked as DSCP 0 and treated as best effort, which is the default behavior for a normal trunk port.


When using AutoQoS for VoIP, which types (not classes) of traffic are placed into the PQ on the ingress interface?
Voice/Video traffic
Routing protocol traffic
STP BPDUs

All other traffic is placed into the normal ingress queue.


How do you enable AutoQoS for VoIP on an uplink interface?
auto qos voip trust


What five global configurations are added when AutoQoS for VoIP is enabled?
QoS enabled globally
CoS-to-DSCP and DSCP-to-CoS mappings created
PQ enabled for ingress and egress
Mappings of CoS and DSCP values to ingress and egress queues and thresholds
Creation of class-maps and policy-maps to identify, prioritize, and police voice traffic


What happens when you issue the command auto qos voip on a router serial interface with a bandwidth of 768k or less?
The router changes the encapsulation to PPP, creates a PPP Multilink interface, and enables LFI on the interface.


When configuring auto qos voip on a router, what does the trust keyword do with regard to class maps?
With the trust keyword, the router creates class maps that group traffic based on DSCP values, associates the class maps to a policy map, and assigns the policy map to the interface.

Without the trust keyword, the router creates ACLs that match voice/video data and call control ports. The ACLs are associated with class maps, which are associated with a policy map that marks the traffic appropriately. Traffic not matched by the ACLs is marked with DSCP 0.


How do you display the configured interface AutoQoS commands?
show auto qos


What are the two steps required to configure AutoQoS for the Enterprise?
Interface: auto discovery qos [trust]
Interface: auto qos

1. Discover traffic on the interface with NBAR: auto discovery qos [trust] where the trust keyword is used when the arriving traffic is already marked.

2. Generate the AutoQoS configuration based on the collected traffic at the interface: auto qos

Optionally stop NBAR traffic discovery with no auto discovery qos


With AutoQoS for the Enterprise, how do you list the types and amounts of traffic collected by NBAR?
show auto discovery qos


With AutoQoS for the Enterprise, how do you display the class maps, policy maps, and interface configuration generated by the AutoQoS macro?
show auto qos


What is an alternative name for a software queuing (as opposed to hardware queuing)?
Fancy queuing


Hardware queues always use ___ logic.
FIFO


True or False: When an interface finishes sending a packet, the next packet from the hardware queue can be serialized and sent out the interface without requiring a software interrupt to the CPU.
True


True or False: Hardware queues cannot be affected by IOS queuing tools.
True


True or False: IOS automatically shrinks the length of the hardware queue to a smaller length than the default when a queuing tool is present.
True


What is the advantage of having a shorter hardware queue length in conjunction with using software queues?
Short hardware queue lengths mean packets are more likely to be in the controllable software queues, giving the software queuing more control of the traffic leaving the interface.


What is the only function of a hardware queue that can be manipulated?
The queue length


How can you verify the length of a hardware transmit queue?
show controllers interface | inc tx_limited


___ is the ability to look at packet headers to choose the right queue for each packet.
Classification


The rules used to choose which packets to drop as queues begin to fill is known as the ___.
Drop policy


The logic used to determine which packet should be dequeued next is known as ___.
Scheduling


How is LLQ different from the legacy PQ?
LLQ prevents the high-priority queue from starving other queues with policing.


How many queues are supported by CBWFQ and LLQ?
64 queues/classes


CBWFQ and LLQ both have a special queue referred to as ___.
class-default

This queue exists even if it is not configured. If a packet does not match any of the explicitly configured classes in a policy map, IOS places the packet into the class-default class.


True or False: The CBWFQ scheduler guarantees a minimum percentage of a link's bandwidth to each class/queue.
True

If some queues are empty and do not need their bandwidth for a short period, the bandwidth is proportionally allocated across the other classes.


True or False: service-policy input is not allowed on routers for policy maps that perform queuing.
True


What are the three methods available in a policy map for reserving bandwidth?
Explicit
Percent
Remaining percent


How do you configure CBWFQ (as opposed to LLQ)?
By using the bandwidth command within a class map.


How do you configure LLQ?
By using the priority command within a class map.


LLQ uses a policer for the assigned queue. What is the default burst size of the policer?
20 percent of the configured bandwidth


How do you enable a LLQ with a bandwidth of 100 kbps?
class-map class1
  priority 100


When looking at the output of show policy-map policy how can you tell if a class is using LLQ?
The class will say "Strict Priority"


When LLQ is configured within multiple classes in a policy map, which queue is scheduled first?
LLQ places packets from multiple LLQs into a single internal LLQ. Packets in the different LLQs get scheduled ahead of nonpriority queues, but are serviced based on arrival time for all packets in any of the PQs.


What is the reason for using multiple LLQs in a single policy map?
Each LLQ can have different policer settings. One use case is for sending both voice and video. Each traffic class can be placed into its own LLQ, but be individually policed so that neither traffic class overruns the other.


True or False: The class class-default internally allocates any unassigned bandwidth among all classes, but can be configured to reserve a minimum amount of bandwidth.
True


When does IOS use software queuing?
Only when there is congestion, which occurs when the hardware queue is full. 


What is a tail drop, and when does it occur?
When a queue is full, there is no place to put newly arriving packets, so they are discarded.


With regard to WRED, what is the difference between a full drop and a tail drop?
The WRED full drop occurs when the average queue depth rises above the configured maximum threshold, and all new packets are discarded. However, the actual queue might not be full.

When the queue is full, a tail drop occurs.


What value does WRED look at when determining whether a queue has filled enough to begin discarding packets?
The average queue depth

Packets are randomly dropped when the average queue depth is between the configured minimum and maximum thresholds.


What is the WRED Mark Probability Denominator (MPD)?
The MPD is the calculated discard percentage used at the maximum threshold based on 1/MPD.

For example, a MPD of 10 (1/10 = 10%) means that the discard rate grows from 0% to 10% as the average queue depth grows from the minimum threshold to the maximum. When the maximum is reached, a full drop occurs.


What does a WRED traffic profile consist of?
Minimum threshold
Maximum threshold
Mark Probability Denominator (MPD)


For which two locations can WRED be configured?
Physical interfaces (with FIFO queuing)
Non-LLQ classes in a CBWFQ policy map


How do you enable WRED?
With the random-detect keyword either under a physical interface or in a non-LLQ class in a policy map.


What is the difference between random-detect and random-detect dscp-based?
Without the dscp-based keyword, WRED uses IP Precedence.


How do you modify the default WRED traffic profiles?
After issuing the random-detect or random-detect dscp-based command, issue either random-detect precedence or random-detect dscp


Modified Deficit Round-Robin (MDRR) serves as a replacement for what?
MDRR is used in place of CBWFQ and LLQ on the Cisco 12000 series router platform, because it does not support CBWFQ and LLQ.


Modified Deficit Round Robin (MDRR) allows classifying traffic into ___ queues.
seven round-robin queues (0 - 6) plus one PQ


What is the difference between the Modified Deficit Round-Robin (MDRR) PQ strict priority mode and alternate mode?
Strict priority mode serves the PQ whenever traffic is present in the queue, which can lead to starvation of the other queues.

Alternate mode serves the PQ in between servicing each of the other queues: 0, P, 1, P, 2, P, etc. This prevents queue starvation at the expense of jitter and latency as compared to strict priority mode.


What is the relationship between the Modified Deficit Round-Robin (MDRR) Quantum Value and Deficit Count?
The Quantum Value is the number of bytes the queue holds. The Deficit Count is the number of bytes beyond the QV that were transmitted in a single round-robin pass.

Example: If the QV is set to 1500, and two 1000-byte packets were transmitted during a pass, there is a Deficit Count of of -500, so 500 bytes are removed from the next pass, making the QV 1000 for that pass.


The Catalyst 3560 series features ___ ingress queues.
Two, either of which (but not both) can be configured as a PQ


What method is used by the Catalyst 3560 packet scheduler to control the rates at which packets are sent from the ingress queues to the internal switch fabric?
Shared Round Robin (SRR)


On the Catalyst 3560 platform, ___ traffic is placed into queue 2 by default, and all other traffic is placed into queue 1.
CoS 5


On the Catalyst 3560 platform, what is the default bandwidth ratio for the two ingress queues?
90% for queue 1
10% for queue 2


What is the congestion avoidance method (not queuing method) used on the Catalyst 3560?
Weighted Tail Drop (WTD), which allows configuration per-queue


The Catalyst 3560 has ___ egress queues per interface.
Four


What are the two steps involved in classifying and assigning a frame to the proper egress queue on the interface of a Catalyst 3560 switch, assuming the forwarding decision has been made?
DSCP-to-CoS map > CoS-to-queue map

The frame's internal DSCP is compared to a global DSCP-to-CoS map to determine a CoS value

The per-interface CoS-to-queue map determines the queue for a frame based on the assigned CoS value


What is the difference between shared round-robin and shaped round-robin queuing?
Both help to prevent queue starvation when a PQ exists, but shaped round-robin also rate-limits the queues so that they do not exceed the configured percentage of the link's bandwidth.


How do you enable ingress priority queuing on a Catalyst 3560 switch?
Globally:
mls qos srr-queue input priority-queue {1 | 2} bandwidth percentage


How do you verify the input queue settings on a Catalyst 3560 switch?
show mls qos input-queue


On a Catalyst 3560, how do you configure the egress queues?
Per-interface:
srr-queue bandwidth {share | shape} weight1 weight2 weight3 weight4

The default weights are all 25, where each queue gets 25% of the available bandwidth.


What is the difference between Shared Round-Robin and Shaped Round-Robin scheduling with regard to bandwidth utilization?
The shaped scheduler never allows any queue, PQ or non-PQ, to exceed its configured percentage of link bandwidth, even if that means the link sits idle.


True or False: RSVP reservations are unidirectional.
True. Two reservations must be made, from source to destination, and from the destination back to the source.


RSVP reservations are made per ___ and per ___.
Direction, flow


What three things does RSVP use to classify an individual flow?
Destination IP address
Protocol ID
Destination port


How do RSVP messages between two RSVP-capable routers appear in transit to non-RSVP-capable routers?
The RSVP messages appear as ordinary IP packets to non-RSVP-capable routers.


What is the first general step in setting up an RSVP-based reservation?
The first RSVP-capable router in the path from source to destination sends an RSVP PATH message toward the destination IP address.


When the last RSVP-capable router in the path receives a PATH message, what does it do?
It replies with a RESV message requesting the necessary QoS.


If any RSVP router along the path does not have the required resources to reserve, what happens?
The failing RSVP router discards the received RESV message requesting the particular QoS, and returns an error message.


How does an initiating RSVP router know if a reservation has succeeded?
The originating router will receive back a RESV message that has traveled the entire path between source and destination RSVP routers.


How does an originating RSVP router respond to receiving a RESV message?
Receipt of a RESV message means the reservation was successful, and the originating router sends back a RESV message in response to the destination router's PATH message to secure QoS in both directions.

The destination router responds with a ResvConf message, confirming the reservation.


What is the final RSVP message sent from destination back to source when resources have been reserved in both directions?
The destination RSVP router responds with a ResvConf message, which confirms the reservation.


How do you configure the RSVP total and per-flow bandwidth reservation?
Interface:
ip rsvp bandwidth total-kbps single-flow-kbps


How do you set the DSCP value for RSVP control messages?
Interface:
ip rsvp signalling dscp value


True or False: When using RSVP, it is necessary to enable RSVP to establish state on every router in the path.
False. Transit routers do not require RSVP to be enabled, and RSVP messages are forwarded as any other ordinary IP packet.


When traffic shaping is configured, and the configured rate is exceeded, what happens to the packets?
The packets are delayed and held in a shaping queue.

The packets are released from the queue so that over time the overall bit rate does not exceed the shaping rate.


What is the shaper static time interval called?
Tc, which is measured in milliseconds

Tc = Bc/CIR


What is the term for the number of bits that a shaper can send in a time interval (Tc)?
Committed burst (Bc)


What's the difference between the CIR and the shaping rate?
The CIR defines the rate for a VC based on a business contract

The shaping rate is the configured rate for a shaper on a router, which may or may not be the same value as the CIR


What is the shaping term used when more bits than the Bc are allowed to be sent during a given Tc?
Burst excess (Be)


What is the basic formula for traffic shaping?
Tc = Bc / CIR (shaping rate)

With a burst size of 8000 bits and a CIR of 64 kbps, the Tc = 125ms


With regard to traffic shaping, what is the token bucket model?
The bucket size is the Bc, and at the beginning of each Tc, the token bucket is refilled.

Without Be, if there are tokens still in the bucket at the beginning of the next Tc, the overage of new tokens are wasted. If the Bc is 8000, and there are 1000 tokens still in the bucket at the next Tc, 7000 new tokens are placed into the bucket, and 1000 new tokens are wasted.


With the shaper token bucket model, what happens if a packet needs to be sent, but there are not enough tokens in the bucket?
The packet must wait until the next Tc (when new tokens are added to the bucket) to acquire enough tokens for the packet to be sent.


How does Be work with the shaper token bucket model?
Be (excess burst) makes the single token bucket bigger, but there will still only be the Bc (committed burst) number of tokens added at the beginning of each Tc (time interval).


Newer versions of Cisco IOS use class-based shaping. What did older versions of Cisco IOS use?
Generic Traffic Shaping


How do you configure class-based traffic shaping?
Identify the traffic in a class-map
Use the shape command in a policy-map
Apply the policy-map to an interface with service-policy output


How does class-based shaping calculate Bc, Be, and Tc when the rate is less than or equal to 320 kbps?
Tc = 8000 bits / shaping bit rate

Bc = 8000 bits
Be = Bc = 8000 bits
Tc = Bc / shaping rate


How does class-based shaping calculate Bc, Be, and Tc when the rate is more than 320 kbps?
Bc = Tc (25 ms) * shaping rate
Be = Bc
Tc = 25 ms


What happens if the bandwidth is not set on a serial subinterface?
It does not inherit the bandwidth setting of the physical serial interface, it defaults to 1544.


How does shape peak work differently than shape average?
Both calculate Bc, Be, and Tc the same way

shape peak refills Bc + Be (instead of just Bc) tokens each Tc

Peak shaping gets the right to send both the committed burst and excess burst each time period.

Shaping rate = configured rate * (1+ Be/Bc)

Example, shape peak 64000 = 64 (1 + 8000/8000) = 128


Class-based policing is used in newer Cisco IOS versions. What was used in older Cisco IOS versions?
Committed Access Rate


What are the three categories of packets in class-based policing?
Conforming
Exceeding
Violating


What is the simplest form of policing referred to as?
Single-rate, two-color


Shaping token buckets are measured in ___. Policing token buckets are measured in ___.
bits
bytes


How does single-rate, two color (one bucket) policing use the token bucket model?
Tokens are replenished at the policing rate. 

For example, with a policed rate of 128kbps, ther policer replenishes 16,000 tokens per second (tokens represent 1 byte with policing). If 0.1 seconds have passed since the previous packet arrived, 1600 tokens would be replenished.

(Current packet time - previous packet time * policed rate) / 8
(0 - 0.1 * 128000) / 8 = 1600 tokens to be replenished


What is the difference between single-rate, two-color (single bucket) and single-rate, three-color (two bucket) policing?
Single-rate, two-color policing uses a single Bc bucket and supports conform and exceed actions.

Single-rate, three-color policing uses a Bc bucket, a Be bucket, and supports conform, exceed, and violate actions.


With single-rate, two color policing, when is the traffic considered conforming?
When the size of the packet requiring transmission is equal to or less than the number of tokens available in the Bc bucket.

Xp <= Xb
Xp tokens are drained from the Bc bucket


With single-rate, two color policing, when is the traffic considered exceeding?
When the size of the packet requiring transmission is greater than the number of tokens available in the Bc token bucket.

Xp > Xb
No tokens are drained from the Bc bucket


With single-rate, three color policing, when is the traffic considered conforming?
When the size of the packet requiring transmission is equal to or less than the number of tokens available in the Bc bucket.

Xp <= Xbc
Xp tokens are drained from the Bc bucket


With single-rate, three color policing, when is the traffic considered exceeding?
When the size of the packet requiring transmission is greater than the number of tokens available in the Bc bucket, but less than or equal to the number of tokens available in the Be bucket.

Xp > Xbc AND Xp <= Xbe
Xp tokens are drained from the Be bucket


With single-rate, three color policing, when is the traffic considered violating?
When the size of the packet requiring transmission is greater than the number of tokens available in both the Bc and Be buckets.

Xp > Xbc AND Xp > Xbe
No tokens are drained from any bucket


With two-rate, three-color policing, what are the two rates referred to as?
Committed Information Rate (CIR)
Peak Information Rate (PIR)


How does dual-rate, three-color (two bucket) policing work?
The Bc bucket is replenished at the CIR, and the Be bucket is replenished at the PIR.

A conforming packet drains tokens equally from both Bc and Be buckets (the same packet uses double the number of tokens).

An exceeding packet drains tokens from the Be bucket.

Violating packets drain no tokens, because there are none to drain.


Where is class-based policing configured?
With the police command inside a policy-map


How do you configure a single-rate, three-color policer with the following requirements:

Policed traffic rate of 128 kbps
Committed burst time of one second
Excess burst time of half of one second
Conform action of forward
Exceed action of marking the packet to DSCP 0
Violate action of discarding the packet
police cir 128000 bc 16000 be 8000 conform-action transmit exceed-action set-dscp-transmit 0 violate-action drop

CIR = bits
Bc & Be = bytes


In configuring the police command, what is the difference between a single-rate, two-color and a single-rate, three-color configuration?
The single-rate, three-color configuration must either set a violate action, or explicitly set the Be to something larger than 0.


If you do not configure a Bc value with the police command, what is the value used by default?
The number of bytes that could be sent in 1/4 second at the defined policing rate.

Bc = (CIR * 0.25 seconds) / 8  =  CIR / 32

If the result is less than 1500, the default Bc will be 1500.


What is the simplest way to configure dual-rate policing?
police cir cir-bps pir peak-bps


When multiple fields in the same packet are marked when using class-based policing, what is this referred to as?
Multi-action policing


How do you configure multi-action policing?
When configuring the police statement, do not enter any actions. When you enter the command without actions, you are placed into the policing subconfiguration mode, where you can configure multiple actions.


How can you configure policing as a percentage of interface bandwidth?
The police command uses the percent keyword for CIR and PIR, the Bc and Be values use the ms (milliseconds) keyword.

Example:
police cir percent 25 bc 500 ms pir percent 50 be 500 ms conform transmit exceed transmit violate drop

Where the CIR is 25% of the link, the PIR is 50%, and the Bc and Be are both 500 ms.


CAR uses what type of policing?
single-rate, two-color


How do you configure the CAR (Committed Access Rate) feature?
CAR is configured with the rate-limit command under an interface.


How do you configure CAR to perform subclassification?
Configure the first rate-limit statement with conform-action continue which causes all conforming packets to be evaluated by subsequent rate-limit statements.


When configuring traffic shaping for latency-sensitive traffic, what is the recommended Tc setting?
10ms


How do you configure the legacy Generic Traffic Shaping feature?
Interface:
traffic-shape rate rate


What is the default Layer 2 encapsulation type on serial interfaces?
HDLC


HDLC is an ISO standard, but Cisco's version is proprietary. What makes Cisco's version proprietary?
Cisco's version of HDLC includes a 2-byte Type field for multiprotocol support.


How do you determine which end of a cable (DTE or DCE) is connected to a serial interface?
show controllers interface


Which end of a serial link provides the clock signal, and how do you set it?
On the DCE end: clockrate

Newer interfaces and versions of IOS configure this automatically.


How does the PPP header compare to the Cisco HDLC header?
PPP includes a standardized Protocol field in the same location as the Cisco HDLC Type field. PPP also includes padding in the Data field to ensure the frame has an even number of bytes.


What is the difference between the PPP LCP and NCP?
Link Control Protocol (LCP) controls the features independent of any specific Layer 3 protocol

For each Layer 3 protocol supported by PPP, a Network Control Protocol (NCP) is defined (such as IPCP for IP).


What four features are offered by the PPP LCP?
Link Quality Monitoring (link is dropped if a percentage of frames have errors)
Looped Link Detection (by sending a random Magic Number)
Layer 2 Load Balancing (via MLPPP)
Authentication (PAP/CHAP)


How do you enable the PPP LQM feature?
Interface: ppp quality


How does MLPPP perform load balancing?
Each frame is fragmented by the number of links in the bundle, and sent across all links equally.

Example: a multilink bundle containing three links would split each frame into thirds, and send each fragment across the individual links.


How do you enable MLPPP?
Create a multilink interface, enable multilink, and assign a group:
interface multilink number
  ppp multilink
  ppp multilink group x

Assign each interface to the multilink group:
interface interface
  ppp multilink group x


What is Link Fragmentation and Interleaving (LFI)?
LFI prevents small, delay-sensitive packets from having to wait on longer, delay-insensitive packets to be completely serialized out an interface.

LFI fragments larger packets and sends delay-sensitive packets between the fragments.

LFI is most effective on links of 768k or less.


How do you enable MLPPP LFI?
Interface: ppp multilink interleave


After enabling MLPPP LFI, how do you adjust the fragment size?
Interface: ppp multilink fragment-delay x

x = delay in milliseconds

Size = x * bandwidth-kbps

Example: If the link is 256k, and the delay is 5ms, the fragment size = 5 * 256 = 1280 bits = 160 bytes


What are the three types of compression supported by PPP?
Layer 2 payload
TCP header
RTP header


How do you enable PPP compression on a link?
Interface: compress

After issuing this command, PPP starts the Compression Control Protocol (CCP) NCP to support compression negotiation and manage the compression process.


When is PPP TCP and RTP header compression most effective?
When the average payload is small.


How do you configure PPP TCP or RTP header compression?
Class-based policy-map:
compress header ip {tcp | rtp}


What is the purpose of PPPoE?
PPPoE provides an emulated (and optionally authenticated) point-to-point link across a shared medium.


What is the first step in configuring PPPoE on the ISP/server side?
Create a Broadband Aggregation Group to handle the incoming PPPoE connections and bind it to a virtual template interface:

bba-group pppoe name
  virtual-template number


How do you limit the number of PPPoE sessions allowed per-MAC?
Under the bba-group:
  sessions per-mac limit number


Why is the MTU typically lowered to 1492 when using PPPoE?
The PPP header adds 8 bytes of overhead to each frame.


How can you verify a PPPoE connection?
show pppoe session


How do you enable PPPoE authentication on the ISP/server side?
Under the virtual-template interface:
  ppp authentication chap callin


How do you configure a virtual-template interface for PPPoE for the ISP/server side?
interface virtual-template number
  ip address ip mask
  peer default ip address pool pool

The referenced IP address pool is configured globally:
ip local pool pool start-ip end-ip


After creating the BBA group and the virtual-template interface, how do you enable PPPoE on the customer-facing interface on the ISP/server side?
interface interface
  no ip address
  pppoe enable group group

Addressing is issued by the virtual-template.


How do you configure PPPoE on the CPE?
interface dialer1
  dialer pool 1
  encapsulation ppp
  ip address negotiated
  mtu 1492

interface interface
  no ip address
  pppoe-client dial-pool-number 1


What are the four high-level steps required to configure PPPoE on the ISP/server side?
Create a BBA group and assign a virtual template
Edit the virtual template and assign an IP address and an IP pool to use
Create the IP pool
Edit the client-facing interface with no IP address, and enable it for PPPoE


What are the two high-level steps required to configure the client side of a PPPoE connection?
Configure a dialer interface
Associate the dialer interface to a physical interface


How do you configure Cisco IOS to prompt the user for a password when connecting to a console, AUX, or VTY line?
With the login statement under the console, aux, or VTY line.


How do you define the simple password to be used when logging into a console, AUX, or VTY line?
With the password statement under the console, AUX, or VTY line.


How do you obfuscate all clear-text passwords present in the Cisco IOS configuration?
With the global service password-encryption statement.


If passwords have been encrypted with the service password-encryption command, what happens when no service password-encryption is issued?
Individual existing passwords remain encrypted until they are changed.


True or False: The enable secret password is listed in plaintext unless service password-encryption is on.
False: The enable secret password is not affected by service password-encryption and is always encrypted with MD5.


How do you configure VTY lines to use only SSH?
transport input none
transport input ssh

If you do not issue transport input none first, the SSH method is added to the existing default telnet method.


What is the well-known port used for RADIUS?
UDP 1812

1645 was the original defined port, but later changed to 1812. Cisco IOS still uses 1645 by default.


What is the well-known port used for TACACS+?
TCP 49


True or False: When multiple AAA authentication methods are configured, if one method rejects the user, the next method is attempted.
False: the first configured reachable method is used as long as there is a response of either accepting or rejecting the user.

For example, if there are three configured methods, TACACS, RADIUS, and local authentication, and the TACACS server is not reachable, and the user is rejected by the RADIUS server, local authentication is not attempted.


What is the default port used for RADIUS accounting?
UDP 1646


What happens when you enable AAA with regard to accessing console and VTY lines?
If the login statement was configured, it is removed. However, the password statement remains, and is used if the login authentication method is set to line.


What does default refer to in the command aaa authentication login default method?
default refers to the default authentication list. Named authentication lists are also supported. 


What does method refer to in the command aaa authentication login default method?
The method is what is used to validate the AAA function, authentication in this case.

Examples are group, which referes to AAA servers, line for the line password, and local to use the local username/password settings.


What does group refer to in the command aaa authentication login default group?
group refers to groups of AAA servers, including named lists, all LDAP servers, all RADIUS servers, and all TACACS+ servers.

For example, the full command to use all of the configured RADIUS servers is:
aaa authentication login default group radius


What is the default port for RADIUS authentication used by Cisco IOS?
UDP 1645


How do you configure an override for the AAA default login methods for console, aux, or VTY lines?
Configure the global AAA authentication statement with a user-defined list name:
aaa authentication login name method1 ..method2 etc

Configure the console, aux, or VTY lines to refer to the list:
line {con | aux | vty} number
  login authentication name


How do you configure PPP to use AAA for CHAP authentication?
Define the AAA methods for PPP:
aaa authentication ppp list method1 ..method2

Enable PPP authentication on the interface:
ppp authentication chap list


What's the difference between no cdp run and no cdp enable?
no cdp run disables CDP globally for the device

no cdp enable disables CDP at the interface-level


How do you prevent a switch port from sending or processing received DTP messages?
switchport nonegotiate


What are the three methods for which a Catalyst switch can limit device MAC addresses on a switch port?
Static configuration of the allowed MAC addresses
Dynamic learning up to the defined maximum, entries are lost upon reload
Dynamic learning with the addresses saved in the config (sticky learning)


When switchport port-security is enabled, how many MAC addresses are accepted on the port by default?
1


With switchport port-security, what are the three violation modes, and what is the difference between them?
protect silently implements the port security
restrict adds SNMP traps and Syslog logging of events
shutdown places the port into the err-disabled state


How do you view the security related details of a switch port interface?
show port-security interface interface


True or False: Sticky-learned MAC addresses are automatically retained across a reload.
False: While sticky-learned MAC addresses are added to the running configuration, the configuration must be saved before a reload.


How do you enable Dynamic ARP Inspection?
Globally:
ip arp inspection vlan vlan


When Dynamic ARP Inspection is enabled globally, all ports become untrusted. How do you disable DAI on an individual port?
Interface:
ip arp inspection trust


How does DAI interact with DHCP snooping on an untrusted port?
If an ARP reply has a source address that was not DHCP-assigned to a device off that port, the ARP reply is filtered by DAI.


How do you configure DAI to filter invalid ARP messages based on statically defined IP or MAC addresses?
Define an ARP ACL, and reference it via DAI:

Globally:
arp access-list arp-acl-name

ip arp inspection filter arp-acl-name vlan vlans [static]

The static keyword means ARP messages are denied unless explicitly permitted by the ACL. Without the static keyword, if the ARP message does not match the ACL, it is then checked against DHCP bindings.


What does the static keyword refer to in the following configuration?

ip arp inspection filter arp-acl-name vlan vlans [static]
The static keyword means ARP messages are denied unless explicitly permitted by the ACL. Without the static keyword, if the ARP message does not match the ACL, it is then checked against DHCP bindings.


How do you configure DAI to drop ARP replies if the source MAC in the Ethernet header does not match the source MAC in the ARP reply?
Globally:
ip arp inspection validate src-mac


How do you configure DAI to drop ARP messages containing unexpected IP addresses, such as 255.255.255.255 and multicasts.
Globally:
ip arp inspection validate ip


True or False: DAI requires DHCP snooping to be enabled.
False. DAI can use the DHCP snooping binding database, in which case DHCP snooping must first be enabled, however DAI does not require DHCP snooping to be enabled when using static ARP ACLs.


How do you adjust rate limit of ARP messages accepted per port per second with Dynamic ARP Inspection?
Globally:
ip arp inspection limit 


The DHCP snooping binding database can also be used by what two other security features?
Dynamic ARP Inspection
IP Source Guard


How does DHCP snooping prevent a rogue DHCP server MITM attack?
DHCP snooping filters messages sent by only by DHCP servers (not DHCP clients) on untrusted ports, because a DHCP server should never reside on an untrusted port.


How does DHCP snooping prevent an attacking host from releasing a legitimate host's DHCP lease?
DHCP release and decline messages on untrusted ports are checked against the DHCP snooping binding database. The messages are dropped if the IP address in the messages is not associated with the bound port.


How do you enable DHCP snooping?
Globally:
ip dhcp snooping vlan vlans


How do you designate a port as trusted by DHCP snooping?
Interface:
ip dhcp snooping trust


How do you add a static entry into the DHCP snooping binding database?
Privileged EXEC mode:
ip dhcp snooping binding mac vlan vlan ip interface interface


How do you configure the rate at which a port will accept DHCP messages?
Interface:
ip dhcp snooping limit rate messages-per-second

Default: unlimited


What does IP Source Guard do?
IP Source Guard uses either the DHCP snooping database or static bindings to permit incoming packets only from bound IP addresses (and optionally IP + MAC). The helps mitigate IP spoofing.


How do you enable IP Source Guard?
Interface:
ip verify source [port-security]

The port-security keyword verifies both IP and MAC.

Note: DHCP snooping must be enabled, even if static bindings are to be used.


How do you configure a static IP Source Guard binding?
Globally:
ip source binding mac vlan vlan ip interface interface

Note: When using IP Source Guard, DHCP snooping must be enabled, even if static bindings are used.


True or False: IP Source Guard does not work with static bindings unless DHCP snooping is enabled.
True: IOS will accept all IP Source Guard configuration commands, including those for static bindings, but will not become active until DHCP snooping is enabled.


What kind of frames are sent between the 802.1X supplicant and authenticator?
EAPoL: Extensible Authentication Protocol over LAN


With regard to communications between the 802.1X supplicant and authentication server, what role does the authenticator serve?
The authenticator (typically a switch) translates between EAPoL frames between itself and the supplicant, and the RADIUS messages required by the authentication server. The authenticator also enables/disables ports based on the success/failure of authentication.


After enabling AAA and configuring one or more RADIUS servers, how do you enable 802.1X and configure ports for authentication?
Globally:
aaa authentication dot1x default group radius
dot1x system-auth-control

Interface:
authentication port-control {auto | force-authorized | force-unauthorized}


When a port using 802.1X authentication is forced to be unauthorized, what three types of traffic are still allowed?
CDP, STP, and EAPoL


How do you configure Storm Control on EtherChannel ports?
You can use the regular Storm Control configuration commands on EtherChannel interfaces, but the commands have no effect. Storm Control can be enabled only on physical ports.


What types of traffic can Storm Control limit?
Storm Control can limit individually broadcast, multicast, and unicast traffic per-port.


How do you enable the Storm Control feature?
Interface:
storm-control traffic-type level rising [falling]

traffic-type is either broadcast, multicast, or unicast, and is set individually with multiple statements.

The level refers to the rate of packets as either a percentage of the link bandwidth, bps, or pps, and can have separate rising and falling thresholds.


By default, Storm Control drops packets when the configured threshold has been reached. How can you configure the switch to send an SNMP trap or shut down the port when this occurs?
Interface:
storm-control action {trap | shutdown}


How can you verify the settings and current status for Storm Control?
show storm-control


What are the numbered ranges for standard IP ACLs?
1-99 and 1300-1999


What are the numbered ranges for extended IP ACLs?
100-199 and 2000-2699


How do wildcard masks work?
The 0 bits must match, and the 1 bits are "don't care"

Example:
0.0.0.255 = first 24 bits must match
128.0.0.0 = all bits except the first must match
254.255.255.254 = the 8th and last bits must match


What is the quick way to calculate a wildcard mask for a particular prefix length?
255.255.255.255 - subnet mask

Example:
255.255.255.255 - 255.255.240.0 = 0.0.15.255


What is another name for a subnet broadcast address?
A directed broadcast address


What is the default interface command no ip directed-broadcast used for?
This prevents the router from forwarding broadcasts onto the network segment from a different segment. 

This prevents certain attacks like the Smurf attack where a malicious host sends an ICMP Echo to the destination subnet's broadcast address, with the source being a target on the destination subnet. 


What is a unicast Reverse-Path-Forwarding (uRPF) check?
uRPF is a security feature that checks the source IP address of incoming packets and will discard them if the source IP is not reachable on the incoming interface (strict mode) or if it is not reachable via any interface (loose mode).

The default route is not used for this check unless the router is configured to do so.


How do you enable uRPF strict mode?
Interface:
ip verify unicast source reachable-via rx


How do you configure uRPF loose mode?
Interface:
ip verify unicast source reachable-via any


When configuring uRPF, what does the allow-default keyword do?
Whether uRPF strict or loose mode is configured, the default behavior is to not verify the uRPF check against the default route. The allow-default keyword allows the router's default route to be used in determining the validity of the packet.

Interface:
ip verify unicast source reachable-via {rx | any} allow-default


What's the difference between a Smurf attack and a Fraggle attack?
Both trigger IP directed broadcasts. Smurf uses ICMP Echo, Fraggle uses UDP Echo.


With Cisco IOS TCP Intercept, what is the difference between Watch mode and Intercept mode?
TCP Intercept monitors TCP connections for SYN attacks.

In Watch mode, it keeps state information for TCP connections that match an ACL, and if TCP does not complete the 3-way handshake within a particular time period, TCP Intercept sends a TCP RST to the destination to clean up the connection. Watch mode also temporarily denies new TCP requests if more than 1100 occur in one second.

In Intercept mode, the router replies to TCP SYNs instead of forwarding them. If the 3-Way Handshake completes, the router creates a TCP connection to the destination, then stitches the two connections together.


How do you configure TCP Intercept?
Globally:
ip tcp intercept list acl
ip tcp intercept mode {watch | intercept}


How do you verify TCP Intercept?
show tcp intercept {connections | statistics}


After defining a policy-map to be used for CoPP, how do you apply it?
control-plane
  service-policy input policy-map-name


With CoPP, the only Layer 2 protocol that can be explicitly assigned to a class is ___.
ARP

All other Layer 2 protocols fall under the default class.


What are the only three match options that can be used with CoPP class maps?
ACLs
IP Precedence
DSCP


Because classes within a policy-map are evaluated top-down, which traffic should you place at the top for CoPP?
Malicious traffic should be placed at the top so that it is dropped immediately.


How do you configure the proper mode on a tunnel interface for DMVPN?
Tunnel interface:
tunnel mode gre multipoint


When creating a tunnel interface for DMVPN, how do you associate the tunnel interface with a physical interface?
Tunnel interface:
tunnel source physical-interface


With DMVPN, what configuration statement on the hub is necessary to allow dynamic routing protocols to operate?
Tunnel interface:
ip nhrp map multicast dynamic

This prevents the Hub router from needing a separate configuration line for a multicast mapping for each spoke router.


How do you specify which DMVPN a device belongs to?
On the DMVPN Tunnel Interface, ip nrhp network-id id enables NHRP, which is critical to the operation of DMVPN. All routers and interfaces configured with the same ID belong to the same DMVPN.


How do you specify a cleartext password for DMVPN connections?
Tunnel interface:
ip nhrp authentication password


On a DMVPN spoke router, how do you specify the hub router?
Tunnel interface:
ip nhrp map hub-tunnel-ip hub-nbma-ip
ip nhrp nhs hub-tunnel-ip


What two things should you configure in a DMVPN to prevent large packets from being dropped or fragmented?
Lower the MTU on the tunnel interface to account for overhead:
ip mtu 1400

Lower the TCP MSS on the tunnel interface:
ip tcp adjust-mss 1360


How do you configure a DMVPN spoke router to send multicast traffic only to the hub, and not to other spokes?
Tunnel interface:
ip nhrp map multicast hub-nbma-ip

This is necessary to prevent issues with routing protocols like OSPF.


How do you verify the state of DMVPN tunnels?
show dmvpn


What are the five high-level steps of configuring IPsec with PSK?
Create the ISAKMP policy
Set the ISAKMP key
Define the IPsec transform set
Create the IPsec profile
Apply the IPsec profile to the interface

ISAKMP policy, key
IPsec transform, profile, apply profile


How do you configure a basic ISAKMP policy for PSK?
crypto isakmp policy number
  encryption algorithm (aes)
  hash algorithm (md5)
  group dh-group (5)
  lifetime seconds (86400)
  authentication pre-share


How do you configure a PSK for ISAKMP?
Globally:
crypto isakmp key password address 0.0.0.0

With DMVPN, use 0.0.0.0 for the address since the configuration relies on dynamic IP addresses on the spoke routers.


How do you configure a basic IPsec transform set?
Globally:
crypto ipsec transform-set name transform1 transform2

Example:
crypto ipsec transform-set SET esp-aes esp-md5-hmac


How do you configure a basic IPsec profile for DMVPN?
crypto ipsec profile name
  set security-association lifetime seconds seconds (86400)
  set transform-set set-name


After creating an IPsec profile, how do you apply it to a tunnel interface?
Tunnel interface:
tunnel protection ipsec profile ipsec-profile


What are two different ways to verify DMVPN IPsec tunnel encryption?
show crypto session
show crypto ipsec sa


What six functions does NDP for ICMPv6 provide?
Router discovery
SLAAC
IPv6 address resolution
NUD Neighbor Unreachability Detection
DAD
Redirection


IPv6 SeND uses ___ to verify node address validity.
Public/private key pairs


How do you configure RA Guard on a switch?
Globally create the policy to define the role:
ipv6 nd raguard policy name
  device-role {host | router}

Apply the policy to the interface:
ipv6 nd raguard attach-policy name


With DHCPv6 Guard, all ___ messages are always switched regardless of device role, and ___ messages are only processed further if the device role is set to ___.
client
DHCP server
server


What is the purpose of the IPv6 Device Tracking feature?
To track IPv6 host liveness so the neighbor table can be immediately updated when an IPv6 host disappears to revoke network access privileges as they become inactive.


How do you enable IPv6 Device Tracking?
Globally:
ipv6 neighbor binding vlan vlan interface interface


How do you verify IPv6 Device Tracking?
show ipv6 neighbor tracking


With IPv6 ND Inspection, when is an ND message considered trustworthy?
If its IPv6-to-MAC mapping is verifiable


How does IPv6 ND Inspection work?
IPv6 ND Inspection learns and secures bindings for SLAAC addresses in L2 neighbor tables. IPv6 ND Inspection analyzes ND messages to build a trusted binding table database, and ND messages that do not conform are dropped.


How do you configure IPv6 ND Inspection?
Globally create a policy:
ipv6 nd inspection policy name
  device-role role
  drop-unsecure

Apply the policy to an interface:
ipv6 nd inspection attach-policy name


How do you verify an IPv6 ND Inspection policy?
show ipv6 nd inspection policy


IPv6 Source Guard requires what to be populated before it will work?
The IPv6 binding table must be populated with IPv6 prefixes for IPv6 Source Guard to work.


With IPv6 Source Guard, what happens when traffic is denied due to being from an unknown source or unallocated address?
The IPv6 address glean feature is notified so it can try to recover the traffic by querying the DHCP server or by using IPv6 ND.


How do you configure IPv6 Source Guard?
Globally define the policy:
ipv6 source-guard policy name
  permit link-local
  deny global-autoconf
  trusted

Apply the policy to an interface:
ipv6 source-guard attach-policy name


How do you verify IPv6 Source Guard?
show ipv6 source-guard policy


How do you configure DHCPv6 Guard?
ipv6 access-list dhcpv6-server
  permit host dhcpv6-server-ipv6-address any

ipv6 prefix-list pfx permit ipv6-subnet le 128

ipv6 dhcp guard policy policy
  device-role server
  match server access-list dhcpv6-server
  match reply prefix-list pfx
  trusted-port

interface interface
  ipv6 dhcp guard attach-policy policy


How do you verify DHCPv6 Guard?
show ipv6 dhcp guard policy


How do you view the IPv6 address binding table?
show ipv6 neighbors binding


How is traffic processed on an interface when both PACLs and VACLs are configured?
PACLs take precedence. Any traffic allowed by a PACL will then be evaluated by a VACL.


How do you configure PACLs?
Create an IP or MAC ACL

Interface:
{ip | mac} access-group ACL {in | out}


With regard to DMVPN, what does "zero-touch provisioning" refer to?
Spokes can be added without changing configuration on the hub router.


When using Distance Vector-based routing protocols with DMVPN, what must be configured on the hub?
Tunnel interface:
no ip split-horizon protocol


What is the high-level difference in functionality between DMVPN Phase 1 and Phase 2?
Phase 1 only permits hub-to-spoke and spoke-to-hub traffic.
Phase 2 can establish direct spoke-to-spoke tunnels.


What EIGRP behavior must be changed for DMVPN Phase 2?
Tunnel interface:
no ip next-hop-self eigrp asn

EIGRP by default changes the next-hop in routing updates to itself when sending the updates down from the hub to the spokes.


How do you configure a manual IPv6-over-IPv4 tunnel?
With tunnel mode ipv6ip:

interface tunnel number
  ipv6 address ipv6-address
  tunnel source source-interface
  tunnel destination ipv4-address
  tunnel mode ipv6ip


How do you configure a tunnel interface for IPv6-over-IPv4 GRE?
Tunnel interface:
tunnel mode gre ipv6


What type of address is represented with 2002:border-router-IPv4-address::/48 ?
Automatic 6to4 tunnel border router


Cisco IOS supports configuring ___ automatic 6to4 tunnel(s) on a router.
One


How does automatic 6to4 IPv6 addressing work?
IPv6 subnet 2002::/16 is reserved for 6to4 addressing. The full IPv6 prefix is derived from the border router's external-facing IPv4 address encoded as hexadecimal. Using the example 10.1.100.1, the prefix is 2002:0a01:6401::/64.

The tunnel interface will have an address such as 2002:0a01:6401::1/64, while the internal-facing interfaces could have addresses such as 2002:0a01:6401:1::1/64 and 2002:0a01:6401:2::1/64.


What three steps are involved with configuring automatic 6to4 tunneling on a border router?
Tunnel > static route > internal interfaces

interface tunnel number
  ipv6 address 2002:tunnel-source-ip-as-hex::1/64
  tunnel source external-IPv4-interface
  tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 tunnel number

Internal interfaces:
  ipv6 address 2002:external-ip-as-hex:subnet::1/64


How does ISATAP addressing work?
64-bit-prefix:0000:5EFE:ipv4-address-of-isatap-link-in-hex

Example:
IPv6 prefix 2001:0db8:0abc:0def::/64
IPv4 tunnel destination address 172.20.20.1 = AC14:1401
ISATAP address: 2001:0db8:0abc:0def:0000:5efe:ac14:1401


How do you configure the mode on an ISATAP tunnel interface?
tunnel mode ipv6ip isatap


RAs are disabled by default on tunnel interfaces, but must be enabled on ISATAP tunnels. How do you enable this?
no ipv6 nd suppress-ra


L2TPv3 uses IP Protocol ___.
115


What is an advantage of OTV with regard to fault-domain isolation as compared to other L2VPN technologies?
Each CE is its own root, and therefore the STP root does not change when multiple sites are connected.


What is the primary purpose of GET VPN?
To allow more than two devices to exchange traffic securely without requiring a high number of SAs.


In a GET VPN deployment, what is the Key Server?
The KS is used to create, maintain, and send a policy to Group Members, which provides information as to what traffic should be encrypted by the GM and how it should be encrypted.

The KS generates the Transport Encryption Key (TEK) and the Key Encryption Key (KEK).


What is the GET VPN Transport Encryption Key (TEK)?
The TEK is generated by the Key Server (KS) and is used by the Group Members (GMs) to encrypt the data.


What is the GET VPN Key Encryption Key (KEK)?
The Key Server (KS) generates the KEK which is used to encrypt information between the KS and the Group Members (GMs).


How does GET VPN compare with DMVPN for IPsec tunnel usage?
GET VPN does not set up any IPsec tunnels between Group Members (GMs). Every GM has the policy (what to encrypt and how) and encrypts every packet that conforms to the policy and sends it to the network using Encapsulated Security Payload (ESP), using original IP addresses for routing the packets.


What is the GET VPN Rekey phase?
The Key Server (KS) must send out a new Transport Encryption Key (TEK) and Key Encryption Key (KEK) to the Group Members (GMs) before the TEK expires, which is 3600 seconds by default.


What is the protocol used in GET VPN between the Key Server (KS) and Group Members (GMs)?
ISAKMP GDOI (Group Domain of Interpretation)


How does the CEF FIB take the RIB a step further?
The RIB has an entry for each destination prefix containing the next-hop IP address. The CEF FIB goes a step beyond and maintains an adjacency table containing the Layer 2 header of the outgoing interface per destination prefix. 


With MPLS, how do the FIB and LFIB work together?
The ingress PE's FIB knows to push the appropriate label onto the packet for the destination and forward it out the correct interface. The upstream P router receives the labeled packet, and uses its LFIB to forward the packet out the correct interface. The egress PE router receives the labeled packet, and its LFIB knows to pop the label and forward the packet unlabeled to the CE.


What are the four fields that make up the 32-bit MPLS header?
20-bit label
3-bit EXP
1-bit Bottom of Stack
8-bit TTL


What is MPLS TTL propagation?
When an IP packet arrives at the ingress PE, the IP packet's TTL value is copied into the MPLS header's TTL field. As the MPLS packet traverses the MPLS network, the TTL field in the MPLS header is decremented at each hop. When the packet arrives at the egress PE and the label is removed, the MPLS TTL is copied back into the IP packet's TTL field.


How do you configure MPLS TTL propagation in Cisco IOS?
Globally:
[no] mpls ip propagate-ttl [forwarded] [local]


Assuming CEF is enabled and an IGP has been configured, how do you enable basic MPLS unicast IP routing?
Interface:
mpls ip

This automatically enables and uses LDP.


How do you verify the MPLS LIB?
show mpls ldp bindings


How do you verify the MPLS LFIB?
show mpls forwarding-table


How does LDP establish neighborships?
Routers running LDP multicast Hellos to 224.0.0.2 via UDP 646.

The Hellos can list a transport address to be used for the TCP connection. If the transport address is not specified, the LDP ID is used.

After neighbors are discovered, a TCP connection is established also over port 646, and all local label bindings are advertised.


With LDP, which neighbor initiates the TCP connection after the neighbors are discovered?
The LDP neighbor with the highest LDP ID.


How is the LDP ID chosen?
-Manually configured
-Highest IP of up/up loopback
-Highest IP of up/up non-loopback


A Route Distinguisher (RD) value is ___ bytes, with which bytes identifying which of the three formats followed?
An RD is 8 bytes
The first two bytes indicate the format of the last six bytes:

2-byte-integer:4-byte-integer
4-byte-integer:2-byte-integer
4-byte-dotted-decimal:2-byte-integer


The format of a RD is two values separated by a colon. What values are represented by each side of the colon?
Left side: ASN or IPv4 address
Right side: Arbitrary value (16- or 32-bits, depending on left-side value)


An individual prefix can have how many RDs, and how many RTs?
One RD
Multiple RTs


How are Route Targets propagated through the network?
As BGP Extended Communities


True or False: RD and RT values must be the same in order for routes to be associated with the proper customer VPN.
False: RDs make all prefixes unique, while RTs act as a "tag" for VRFs, and can be different from the RD value. 


What is the Route Target export and import function?
VRFs can have a RT export value assigned to them, which tags the routes as BGP extended communities as they are redistributed on the PE into the iBGP table. VRFs on other PE routers can import the same RT value so that the routes are redistributed from the iBGP table back into the VRF routing table.


How do VRF Route Targets facilitate overlapping VPNs?
VRFs can both export and import multiple RTs.

A common use case is a "centralized services" VPN, which has routes that need to be accessible by multiple customers. Each customer has its own VRF, which maintains separation, but each VRF can import routes exported from the centralized services VRF.


What happens when you enter ip vrf forwarding vrf on an interface?
The IP address is removed and must be reapplied.


How do you instantiate a new VRF?
Globally:
vrf definition name


Where and how do you specify a Route Distinguisher?
vrf definition name
  rd asn/ip:nn

Where asn/ip is an ASN or IP address, and nn is an arbitrary number.


Where and how do you configure Route Targets?
vrf definition name
  route-target {import | export | both} asn/ip:nn


What is the difference between ip vrf name and vrf definition name?
ip vrf specifies an IPv4-only VRF, whereas vrf definition specifies a multiprotocol VRF.


How do you associate an interface with a particular VRF?
Interface:
vrf forwarding vrf

Note: When you enter this command, the IP address is removed and must be reapplied.


What happens when you enter the route-target both value command?
IOS automatically creates two lines of configuration:

route-target import value
route-target export value


When configuring an MPLS PE router for routing protocol support for the CE, where is the configuration performed for each customer?
Under the routing protocol's VRF configuration submode.

For example:
router rip
  address-family ipv4 vrf name
    no auto-summary


What happens to BGP if you do not create a Route Distinguisher for a particular VRF?
You cannot enter BGP configuration mode for the particular VRF if it does not first have an RD configured.


How do you take routes learned from a CE router and redistribute them into BGP on the PE router?
PE router:
router bgp asn
  address-family ipv4 vrf vrf
    redistribute protocol


What is an advantage of using BGP as the PE-CE routing protocol for MPLS L3VPN?
Redistribution configuration on the PE is not required, unlike with IGPs and static routing.


What two steps are required to configure MP-BGP between two PE routers?
Configure the peer under the global BGP process
Activate and send communities to the peer under the BGP VPNv4 AF

router bgp asn
  neighbor pe-ip remote-as asn
  address-family vpnv4
    neighbor pe-ip activate
    neighbor pe-ip send-community


In the context of MPLS, what is the VPN label?
The inner label in an MPLS label stack that identifies the outgoing interface the egress PE should use to forward the unlabeled packet.


True or False: The MPLS LFIB is a per-VRF table.
False: A PE router only has one LFIB table, regardless of the number of configured VRFs.


What is the purpose of penultimate hop popping with regard to MPLS VPNs?
The second-to-last router in the LSP pops the outer label so that the egress PE does not have to perform two lookups - one for the outer label, and one for the VPN label.


What is the general definition of a Forwarding Equivalence Class?
A set of packets that are forwarded along the same path and receive the same forwarding treatment.


What is required when configuring VRF Lite between two routers with only a single link?
An interface can only be associated with a single VRF, therefore subinterfaces must be used.

Ethernet links can use 802.1Q subinterfaces.

Serial links can (usually) use Frame Relay encapsulation, which supports point-to-point subinterfaces (whereas HDLC and PPP does not). FR encapsulation does not require a FR network -- just configure the same DLCI on each end per-subinterface.


If no other path attribute has been set, what does BGP use as its default metric mechanism?
AS_PATH


What happens when a router running BGP receives a TCP request on port 179, but the source IP address is not configured as a BGP neighbor?
The router rejects the request


After a TCP connection is established between potential BGP neighbors, what is the first BGP message that is exchanged?
BGP Open


At what point do BGP neighbors reach the Established state?
After BGP Open messages have been exchanged.


What is the default BGP keepalive interval?
60 seconds


What is the default BGP hold time?
180 seconds


How do you adjust the global BGP keepalive and hold timers?
BGP process:
timers bgp keepalive holdtime


How is the BGP Router ID (RID) determined?
-Manually configured router-id
-Highest IP of up/up loopback when BGP process starts
-Highest IP of up/up interface when BGP process starts


How is the source IP address used to reach a BGP neighbor determined?
By default the IP address of the outgoing interface used to reach the neighbor IP address is used.

The IP address can be defined with the BGP neighbor ip-address update-source interface command.


How is the destination IP address used to reach a BGP neighbor determined?
The destination address is explicitly configured with the BGP neighbor ip-address statement.


BGP auto-summary is ___ by default.
Disabled by default in newer IOS versions.

Re-enable with auto-summary


How do you configure basic neighbor authentication in BGP?
neighbor ip-address password password


When should a BGP router use a loopback for peering?
Whenever there is more than one route through which the BGP router can reach a peer.


How does BGP synchronization work?
With synchronization enabled, BGP will not advertise a route to an external neighbor unless the route is local or exists in an IGP.


How do you configure and apply BGP peer groups?
BGP process:
neighbor name peer-group
neighbor name bgp-commands
neighbor neighbor-ip peer-group name

Configured commands with neighbor name bgp-commands get applied to all members of the peer group. Likewise, BGP builds one set of Update messages for the peer group, instead of messages for individual routers.


How do you configure eBGP neighbors that are not directly connected?
BGP:
neighbor ip-address ebgp-multihop ttl

Don't forget to include the associated neighbor update-source command, if necessary.


What show command can you use to verify BGP connectivity without using any show ip bgp or show ip route commands?
show tcp brief | inc .179


What four checks are used when BGP forms neighbor relationships?
Source IP, ASN, RID, MD5:

The router must receive a TCP connection request with a source address that the router finds in a BGP neighbor statement

A router's ASN must match the neighboring router's reference to that ASN in it's neighbor statement (confederations excluded)

The BGP RIDs of the two routers must not be the same

MD5 authentication must pass if configured


What happens if BGP neighbors do not have identical keepalive and holddown timers?
The neighbors both use the lower values of each of the two timers. Mismatched settings do not prevent neighborship.


What are the six BGP neighbor states?
Idle > Connect > Active > OpenSent > OpenConfirm > Established


What is the BGP Idle state?
BGP is enabled on a router, but neighbor statements have not yet been configured and therefore the router is not listening for TCP connections for BGP.


What is the BGP Connect state?
The BGP routing process detects that a peer is trying to establish a TCP session.


What is the BGP Active state?
The BGP routing process is trying to establish a TCP session with a neighbor.


What are the four basic BGP message types?
Open
Keepalive
Update
Notification


What is the BGP Open message used for?
Establishing neighbor relationships and exchanging basic parameters


What is the BGP Keepalive message used for?
To maintain neighbor relationships. The relationship is reset if a keepalive message is not received within the negotiated hold time.


What is the BGP Update message used for?
To exchange NLRI


What is the BGP Notification message used for?
Notification is sent (with FSM error code) if an error or configuration change affects the peering session


What happens if BGP receives a Notification message?
The peering session is reset and must be re-established.


How do you disable the session with a BGP neighbor without removing the configuration?
BGP process:
neighbor ip shutdown


When using the BGP network statement, what causes a route to be placed into the BGP RIB?
The route referenced in the network statement must be in the current IP routing table. If the route does not exist, it is removed from the BGP RIB.


What happens if you enter a BGP network statement without a subnet mask?
The default classful mask is assumed.


When BGP auto-summary is configured, what is the behavior with the redistribute command?
If any subnets of a classful network would be redistributed, only the classful network is redistributed.


When BGP auto-summary is configured, what is the behavior with the network command?
If a network command lists a classful network number, with the classful default mask (or no mask), and any subnets of the classful network exist, inject a route for the classful network.

Unlike with the redistribute command, when the network command is used with auto-summary, subnets are still injected into the BGP table if they exist in the IP routing table.


What are the four components (segments) of the AS_PATH path attribute?
AS_SEQ
AS_SET
AS_CONFED_SEQ
AS_CONFED_SET


Why would the BGP aggregate-address create a summary route for which the AS_SEQ path attribute is null?
If the component subnets of the summary route have different AS_SEQ values, the router uses a null AS_SEQ.


When is the BGP AS_SET path attribute used?
When BGP injects a summary route, if the component subnets have different AS_SEQ values, the summary route has an AS_SEQ value of null. The AS_SEQ values are used for loop prevention. The AS_SEQ values of all the component subnets are placed into the AS_SET so that loop prevention can still occur.

When creating a BGP summary, the as-set keyword causes the generation of the AS_SET values to be included with the summary.


How do you configure a BGP summary address so that the component subnets are not advertised?
BGP process:
aggregate-address summary mask summary-only


How do you configure a BGP summary to generate values for the AS_SET path attribute?
BGP process:
aggregate-address summary mask as-set


True or False: The BGP aggregate-address command will not create a summary if the BGP table does not currently have any routes for the NLRI inside the summary.
True


What happens when all component subnets of a BGP summary address are withdrawn from the aggregating router's BGP table?
The aggregating router removes the summary and notifies its neighbors by withdawing the route.


When a BGP summary is created with the aggregate-address command, what is the NEXT_HOP path attribute set to?
The local BGP table lists the next hop as 0.0.0.0

When the summary route is advertised to the BGP neighbors, the next hop is set to the IP address of the update-source for each neighbor.


True or False: When using the BGP aggregate-address summary mask as-set command, the AS_SET path attribute is always generated.
False. The AS_SET is generated only if the AS_SEQ is null. If the AS_SEQ values of all the component subnets are identical, the AS_SET PA is not generated because the AS_SEQ will be that of the component subnets.


With the BGP aggregate-address command, what three options are available with regard to advertising component subnets?
All component subnets advertised along with the summary
No component subnets advertised with the summary-only keyword
Some component subnets are not advertised with suppress-map


What are the three ways that BGP can inject a default route?
network command
redistribute command
neighbor ip default-originate


How do you inject a default route into BGP without using redistribution or the neighbor default-originate command?
A default route can be injected into BGP with the network 0.0.0.0 BGP command, as long as a route to 0.0.0.0/0 exists in the IP routing table (through any means).


How do you redistribute a default route into BGP?
When you use the redistribute command under the BGP process, all matched routes in the current IP routing table are redistributed, with the exception of the default route.

To redistribute a default route, you must additionally configure under the BGP process:
default-information originate


What is a prerequisite for the BGP neighbor ip default-originate command to advertise a default route to the neighbor?
None: this command does not add a default route to the local BGP table, and it does not check for the existence of a default route in the IP routing table by default.


How do you conditionally advertise a default route to a specific BGP neighbor?
BGP process:
neighbor ip default-originate route-map route-map

The referenced route-map can check for entries in the current IP routing table, and if any of the routes are matched with a permit statement, a default route is advertised to the BGP neighbor.


What is the BGP ORIGIN code for routes redistributed into BGP from an IGP?
Incomplete


What is the BGP ORIGIN code for a summary route created with the aggregate-address command, but without the as-set option?
IGP


What is the BGP ORIGIN code for a summary route created with the aggregate-address command with the as-set option?
IGP if all component subnets also carry the IGP ORIGIN code

Incomplete if at least one of the component subnets has the Incomplete ORIGIN code


What are the three main components of the BGP Update message?
Withdrawn routes
Path Attributes for each route
Prefix/Length for each NLRI


What is the relationship between the Path Attributes and NLRI within a BGP Update message?
Update messages contain NLRI only for those that share the exact same Path Attributes and PA values.

NLRI that have different PAs or PA values requires separate Update messages.


What is the information source of generated BGP Update messages?
The current BGP table.


What is the purpose of the BGP decision process?
BGP will advertise only the single best route from all that are available in the BGP table to a neighbor.


When advertising updates to a BGP neighbor, which routes in the current BGP table are not advertised?
Routes that are not considered best
Routes matched by a deny clause in an outbound BGP filter
iBGP-learned routes if the neighbor is iBGP (excepting route reflectors and confederations)


Assuming no routing policies have affected the BGP decision process, how is the best route chosen?
Shortest AS_PATH
eBGP over iBGP
Lowest IGP metric to NEXT_HOP
Lowest BGP RID of advertising router


For a BGP route to be considered best, the NEXT_HOP PA value must meet either of two conditions. What are the two conditions?
The NEXT_HOP must be 0.0.0.0 as the result of the route being injected on the local router

The NEXT_HOP value must be reachable according to that router's current IP routing table


When advertising a route to an iBGP neighbor, what is the default action with regard to changing the NEXT_HOP path attribute?
Do not change the NEXT_HOP PA value by default when advertising to an iBGP neighbor


When advertising a route to an eBGP neighbor, what is the default action with regard to changing the NEXT_HOP path attribute?
Change the NEXT_HOP value to the update source IP address.


How do you configure BGP to change the NEXT_HOP value when advertising to an iBGP peer?
BGP process:
neighbor ip next-hop-self


How do you configure BGP to keep the existing NEXT_HOP value when advertising to an eBGP peer?
BGP process:
neighbor ip next-hop-unchanged


What two commands are available for changing the BGP NEXT_HOP path attribute?
BGP process:
neighbor ip next-hop-self
neighbor ip next-hop-unchanged


How can you verify which routes are being advertised to a particular BGP neighbor?
show ip bgp neighbor ip advertised-routes


What's the difference between these two BGP commands:

show ip bgp neighbor ip routes
show ip bgp neighbor ip received-routes
routes displays all routes that have been received AND accepted

received-routes displays all routes, both accepted, and rejected, and requires the neighbor to be configured with soft-reconfiguration inbound


With all default settings, an iBGP-learned route has a NEXT_HOP address of the last eBGP router to advertise the route. If the downstream iBGP peer cannot reach the NEXT_HOP address, what two solutions can resolve this?
Make the eBGP neighbor's IP address reachabile by advertising it's subnet into the IGP

Use the next-hop-self command on the upstream iBGP neighbor


What are the two requirements for an eBGP route to be installed in the local IP routing table?
The eBGP route in the BGP table must be considered "best"

If the same prefix has been learned through some other method on the router, the AD for the eBGP route must be lower than the AD for the other sources (eBGP default 20)


What are the three BGP route types for which you can individually adjust the Administrative Distance?
eBGP (default 20)
iBGP (default 200)
Local (locally-injected) (default 200)


How do you change the default Administrative Distance values for BGP?
BGP process:
distance bgp external internal local

Default 20, 200, 200


How do you change the Administrative Distance for individual BGP routes?
BGP process:
distance distance neighbor-ip wildcard [acl]

neighbor-ip represents the IP address used on the BGP neighbor statment. The acl examines routes received from the particular neighbor, and assigns the AD for any routes matching the ACL with a permit action.


How does the BGP command distance distance neighbor-ip wildcard [acl] work?
The neighbor-ip represents the IP address used on the BGP neighbor statment. The acl examines routes received from the particular neighbor, and assigns the AD for any routes matching the ACL with a permit action.


What might cause a recursive route lookup when a route from the BGP table is entered into the IP routing table?
The route entered into the IP routing table contains the exact same prefix, length, and next-hop IP address as listed in the BGP table, even if the NEXT_HOP PA is an IP address that is not in a connected network.

For example, if the NEXT_HOP is 2.2.2.2 and the router is not directly connected to 2.2.2.2, but knows how to get to 2.2.2.2 via another route in the IP routing table, a recursive route lookup must be performed.


How do you configure a BGP backdoor?
BGP process:
network prefix mask mask backdoor


What is the purpose of the BGP backdoor command?
When the same prefix is learned from eBGP and an IGP, the eBGP prefix is preferred, even though the IGP prefix may actually be the better path. The BGP network network backdoor command causes that specific network to use the BGP Local AD (200 by default) and no longer advertises the route with BGP.

As long as the IGP-learned prefix is in the IP routing table, it will be used. If the IGP-learned prefix disappears, the eBGP-learned route is used.


What issue does BGP synchronization resolve?
BGP synchronization resolves routing black holes for internal transit routers between iBGP peers. BGP synchronization says to not consider an iBGP route in the BGP table as best unless the exact prefix was learned through an IGP and is currently in the routing table. This means BGP routers need to redistribute their learned prefixes into the IGP so that traffic is not blackholed on transit routers, and BGP routers cannot advertise unreachable prefixes.


Why is BGP synchronization disabled by default?
BGP synchronization requires BGP-learned routes to be redistributed into the IGP before they can be advertised by an iBGP peer. As the Internet BGP table has grown, it is now infeasible to redistribute all of the routes into the IGP, so synchronization is disabled by default now.


What is a requirement related to BGP synchronization when OSPF is used as the IGP?
BGP does not allow the OSPF-learned route to be considered best if the OSPF RID of the router advertising the prefix is different from the BGP router advertising the same prefix.

When using BGP synchronization, it is a best practice to manually configure the RID to be the same on both BGP and OSPF.


What are the three alternatives to enabling BGP synchronization?
Create a full mesh of iBGP peerings
Confederations
Route Reflectors


What is the BGP 16-bit private ASN range?
64512 - 65535


How do you configure BGP to identify other confederation sub-ASes?
BGP process:
bgp confederation peers sub-as1 ..sub-as2

Confederation peers need to be identified because while the connections appear as eBGP, they do not work as true eBGP connections do. Confederations modify the AS_PATH PA with AS_CONFED_SEQ and AS_CONFED_SET attributes, which are used to prevent loops between the confederations sub-ASes. 

When the routes are advertised to a true eBGP peer, the AS_CONFED information is removed.


True or False: Inside a BGP Confederation Sub-AS, a full mesh of BGP peerings is required.
True. Within a confederation sub-AS, full iBGP rules are in effect.


True or False: Confederation eBGP connections act like normal eBGP connections with a default TTL of 1.
True: If peering between loopbacks, you must adjust the neighbor ip ebgp-multihop ttl value.


True or False: Confederation eBGP connections change the next-hop to the neighbor update source when advertising to other sub-ASes.
False: Confederation eBGP connections work like iBGP connections in that the NEXT_HOP is not changed by default.


True or False: When choosing a BGP best route, confederation ASNs are not considered part of the length of the AS_PATH.
True

For example, in the AS_PATH value (65001 65002) 123, the confederation ASNs in the parenthesis are not counted.


Why are external BGP routers unaware of a confederation being used within an autonomous system?
Confederation routers remove the confederation ASNs from the AS_PATH in Updates sent outside the confederation.


When configuring a router for BGP confederations, how do you define the router's sub-autonomous system?
router bgp sub-asn

This means you cannot simply convert a non-confederation router into a confederation router. You must remove and re-apply the BGP configuration.


When configuring a router for BGP confederations, how do you define the router's actual BGP ASN?
BGP process:
bgp confederation identifier asn


True or False: When using BGP route reflectors, RR clients change their BGP behavior, while non-clients use normal BGP behavior.
False. Only the RR changes its BGP behavior. Both clients and non-clients do not change their behavior and are not even aware of the RR.


BGP route reflectors can learn prefixes from clients, non-clients, and eBGP peers. The prefixes are advertised to both RR clients and non-clients, except for which case?
Prefixes learned from non-clients are not advertised to other non-clients (normal iBGP peering rules).


A single BGP Route Reflector cluster consists of ___ route reflector(s), and clients.
One or more


True or False: When using multiple BGP Route Reflector clusters, and one or more of the clusters contain multiple RRs, all RRs must be directly peered across all clusters.
False: One RR from each cluster must be peered with at least one RR from all clusters. However, it is typical to create a full mesh of peerings between all RRs across all clusters.


True or False: With BGP Route Reflectors, non-client iBGP routers should be included in a full mesh of iBGP peerings between the route reflectors.
True. Normal iBGP advertisement rules are in place between RRs and non-clients, therefore a full mesh of iBGP peerings between RRs and non-clients should be expected.


What are three methods that BGP Route Reflectors use to prevent loops?
Best > Cluster > Originator

Only advertise best routes.

CLUSTER_LIST - RRs add their cluster ID the CLUSTER_LIST PA before sending an Update, and discard received prefixes for which their cluster ID already appears.

ORIGINATOR_ID - RID of first iBGP peer to advertise the route into the AS. If a router sees its own RID as the ORIGINATOR_ID in a received route, it does not use or propagate the route.


What is the BGP CLUSTER_LIST Path Attribute used for?
Route Reflectors add their cluster ID into the CLUSTER_LIST PA before sending an Update. When receiving a BGP Update, RRs discard received prefixes for which their cluster ID already appears.


What is the BGP ORIGINATOR_ID Path Attribute used for?
The ORIGINATOR_ID PA lists the RID of the first iBGP peer to advertise a route into the AS. If a router sees its own RID as the ORIGINATOR_ID in a received route, it does not use or propagate the route.


With BGP route reflectors, how do you configure the cluster ID?
The default is the RID. The cluster ID can be manually configured under the BGP process:
bgp cluster-id id


How do you configure a BGP route reflector client?
Configuration is performed on the RR under the BGP process:
neighbor ip route-reflector-client


In a BGP Route Reflector environment, how can you verify which RR clusters an update has passed through?
Cluster list in show ip bgp prefix


What are the two new attributes introduced with MP-BGP?
MP_REACH_NLRI
MP_UNREACH_NLRI


When BGP is enabled, it will advertise IPv4 unicast prefixes by default. How do you disable this behavior?
BGP process:
no bgp default ipv4-unicast


Which of the four BGP path attribute categories is AS_PATH?
Well-known Mandatory


Which of the four BGP path attribute categories is NEXT_HOP?
Well-known Mandatory


Which of the four BGP path attribute categories is AGGREGATOR?
Optional Transitive


Which of the four BGP path attribute categories is ATOMIC_AGGREGATE?
Well-known Discretionary


Which of the four BGP path attribute categories is ORIGIN?
Well-known Mandatory


Which of the four BGP path attribute categories is ORIGINATOR_ID?
Optional Nontransitive


Which of the four BGP path attribute categories is CLUSTER_LIST?
Optional nontransitive


How do you prevent a BGP route reflector from advertising routes learned from a client to the other clients?
no bgp client-to-client reflection

By default, routes learned from clients are reflected to all other clients.


How do you verify which routes have been locally-injected into BGP?
show ip bgp injected-paths


After applying an updated BGP policy for a specific neighbor, how do you implement the policy without resetting the BGP connection?
clear ip bgp neighbor-ip soft


How do you filter specific routes from being advertised to a specific BGP neighbor with a distribute list?
Create an ACL denying the specific routes, and ending with permit ip any any

Reference the ACL under the BGP process:
neighbor ip distribute-list ACL out


How can you use a prefix list to filter specific routes from being advertised to a specific BGP neighbor?
Create a prefix list that denies the specific routes, and ends with permit 0.0.0.0/0 le 32

Reference the prefix list under the BGP process:
neighbor ip prefix-list prefix-list out


When performing BGP filtering with a route-map, what determines whether NLRI is filtered or allowed to pass?
route-map deny means the matched NLRI is filtered
route-map permit means the matched NLRI is allowed to pass


When performing BGP filtering with a route-map, what determines whether NLRI is matched to a route-map clause?
ACL permit statements match the route-map clause, while ACL deny statements do not match the route-map clause.

Example:
An ACL configured to permit 1.1.1.0/24 referenced in a route-map deny clause means that 1.1.1.0/24 matches the route-map clause and is filtered.


True or False: BGP can perform soft reconfiguration for sent Updates automatically.
True. BGP must be reconfigured to support soft reconfiguration for inbound Updates, though, with the BGP command neighbor ip soft-reconfiguration inbound


Why is BGP inbound soft-reconfiguration disabled by default?
To support soft-reconfiguration inbound, BGP must keep a copy of all of the received Updates from a neighbor, instead of just those that are entered into the BGP table after policies have been applied. This takes up extra memory, which is why it is disabled by default.


How does the matching logic of a BGP aggregate suppress-map work?
Prefixes that are matched by a route-map permit action will not be advertised with the BGP summary address.


How do you filter BGP Updates by matching the AS_PATH path attribute?
Global:
ip as-path access-list num {permit | deny} regex

BGP process:
neighbor ip filter-list num {in | out}

Apply the policy:
clear ip bgp neighbor-ip {in | out | soft}


What are the three steps of the matching logic of AS_PATH filters?
-The regex in the first line in the AS_PATH ACL is applied to the AS_PATH of each route and is passed or filtered based on permit or deny if there is a match
-If NLRI is not matched, the next line in the AS_PATH ACL is tried
-Any NLRI not matched explicity is filtered


What does the regex metacharacter ^ mean?
Start of line


What does the regex metacharacter $ mean?
End of line


What does the regex metacharacter | (pipe) mean?
Logical OR applied between preceeding and succeeding characters.

If preceded by a value in parenthesis, the logic applies to the preceding string listed in side the parenthesis, and not just to the preceding character.


What does the regex metacharacter _ (underscore) mean?
Any delimiter: blank, comma, start of line, end of line


What does the regex metacharacter . (period) mean?
Any single character


What does the regex metacharacter ? mean?
Zero or ONE instance of the preceding character


What does the regex metacharacter * (asterisk) mean?
Zero or more instances of the preceding character


What does the regex metacharacter + mean?
One or more instances of the preceding character


What does the regex metacharacter (string) mean?
Parenthesis combine enclosed string characters as a single entitly when used with ?, *, or +


What does the regex metacharacter [string] mean?
Creates a wildcard for which any of the single characters in the string can be used to match that position in the AS_PATH

For example ^[(]3[12]* would match an AS_PATH beginning with (31 or (32 and could match any combination of ASes that have 1s or 2s afterward, such as (31121


What regex matches all AS_PATHs, and is useful as a final match in an as_path access-list to change the default from deny to permit?
.*


What regex matches null (empty), and is used for NLRIs originated in the same AS?
^$


What regex matches an AS_PATH containing only the single ASN 123?
^123$


What regex matches an AS_PATH whose first ASN begins with (or is) 123?
^123


What regex matches an AS_PATH with two ASNs, beginning with 123 and ending with 45?
^123_45$


What regex matches an AS_PATH beginning with AS 123, and ends in AS 45, but has at least one other AS in between?
^123_.*_45$


What regex matches an AS_PATH beginning with AS 123, with zero or more intermediate ASNs and delimiters, and ending with any AS whose last two digits are 45 (including AS 45)?
^123_.*45


A regex needs to match an AS_PATH beginning with 123 and ending with AS 45, with zero or more other ASNs between the two.

What is the difference between these two regex expressions?

(^123_45$)|(^123_.*_45$)
^123_45$|^123_.*_45$
Without the parenthesis, the | is applied only to the single characters before and after the |. This is a common mistake.


What regex matches an AS_PATH beginning with either an AS_SET or an AS_CONFED_SET?
^{


How do you configure an AS_PATH access list to deny AS_PATHs beginning with AS 1, ending with AS 44, and have three ASNs in between? The access list should deny this specific AS_PATH and allow all others.
ip as-path access-list num deny ^1_.*_.*_.*_44$
ip as-path access-list num permit .*


True or False: Regular expressions can be used in the output of show commands.
True: For example, show ip bgp | include 65000_65000 displays BGP routes that have been prepended by 65000 at least twice.

Note: you cannot use ^ or $ in these statements


How can you verify the effects of the regex in an AS_PATH filter before actually implementing it?
show ip bgp regexp expression

This command parses the AS_PATH variables in a router's BGP table, including all special characters.


True or False: The { and } characters are not used as metacharacters for matching BGP AS_PATH regular expressions.
True. You can enter { and } directly into the AS_PATH access list.

The ( and ) are metacharacters, which is why they must be enclosed in brackets to be literally matched: [(] or [)]


True or False: Because AS_SET and AS_CONFED_SET are both unordered lists, the order of the ASNs does not matter when applying regex logic.
False: Cisco IOS uses the order listed in the output of the show ip bgp command when applying regex logic.


What's the difference between well-known mandatory and well-known discretionary BGP path attributes?
Well-known means that the BGP implementation MUST support the PA.

Mandatory means the PA must be in every BGP Update

Discretionary means the PA is not required in every BGP Update, but must be understood by the BGP implementation because it is mandatory.


What's the difference between a BGP optional transitive and nontransitive path attribute?
Optional means that the BGP implementation is not required to support the particular path attribute.

Transitive means that the router should silently forward the PA to other routers whether or not it understands the meaning of the PA.

Nontransitive means the router should remove the PA so that it is not propagated to any peers.


In the BGP bestpath decision process, what does the first N in the N WLLA OMNI mnemonic mean?
Is the NEXT_HOP PA reachable? If not, reject the route from the decision process.


In the BGP bestpath decision process, what does the W in the N WLLA OMNI mnemonic mean?
Weight: Cisco-proprietary, higher is better. The administrative weight can be assigned to each NLRI locally on the router, and is not passed on in Update messages.


In the BGP bestpath decision process, what does the first L in the N WLLA OMNI mnemonic mean?
LOCAL_PREF PA: higher is better. This well-known discretionary PA can be set on a router inside the AS, and is not distributed outside the AS.


In the BGP bestpath decision process, what does the second L in the N WLLA OMNI mnemonic mean?
Locally-injected routes: choose routes injected locally (via network, redistribution, or summarization) first.


In the BGP bestpath decision process, what does the A in the N WLLA OMNI mnemonic mean?
AS_PATH length: shorter is better. This calculation ignores both AS_CONFED_SET and AS_CONFED_SEQ values, and treats an AS_SET as a single ASN, regardless of the number of ASNs within the set.


How do you configure BGP to not use the length of the AS_PATH PA when calculating the best BGP routes?
BGP process:
bgp bestpath as-path ignore


In the BGP bestpath decision process, what does the O in the N WLLA OMNI mnemonic mean?
ORIGIN PA: IGP routes preferred over EGP routes preferred over Incomplete.  I > E > ?


In the BGP bestpath decision process, what does the M in the N WLLA OMNI mnemonic mean?
MED: smaller is better


In the BGP bestpath decision process, what does the second N in the N WLLA OMNI mnemonic mean?
Neighbor type: eBGP preferred over iBGP. Confederation eBGP is treated as iBGP.


In the BGP bestpath decision process, what does the I in the N WLLA OMNI mnemonic mean?
IGP metric to reach the NEXT_HOP. Lower is better.


What is the goal of the BGP "N WLLA OMNI" process?
To determine the single best path for each NLRI. 


If a BGP bestpath is not decided upon by the normal process, what are the final three tiebreakers?
-Keep the oldest eBGP route (which reduces route flaps)
-Choose smallest neighbor RID (if configured to do so)
-Choose smallest neighbor ID (for peers with two or more neighborships with each other, ID is typically based on configured IP address of neighbor statement)


How do you enable a BGP router to use the smallest neighbor RID as part of the bestpath decision process?
BGP process:
bgp bestpath compare-routerid

This only comes into play after the 9-step "N WLLA OMNI" process, and there is no existing eBGP route.


What is the default BGP Weight for locally-injected routes?
32768


How can you configure the BGP administrative Weight?
Weight is a local value and configured per-neighbor.

Assign weight to all routes from a particular neighbor:
neighbor ip weight weight

Assign weight to some routes from a particular neighbor:
neighbor ip route-map map in

For example, the route-map can match an AS_PATH access list, and set the weight. Be sure to end the route-map with a blank permit, otherwise the routes will be filtered by the implicit deny.


What is the default LOCAL_PREF value?
100, higher is better


How can you change the default BGP local preference?
BGP process:
bgp default local-preference value

Default, 100
Range, 0 - 4B


How do you configure BGP to set the LOCAL_PREF for particular routes from a particular neighbor?
BGP process:
neighbor ip route-map map in

route-map map permit 10
  match routes
  set local-preference value
route-map map permit 20

The final route-map statement is necessary, otherwise routes will be filtered. You can set multiple individual values with multiple route-map statements.


Why might a BGP route need to be compared on a router in the bestpath decision process against the ORIGIN code?
If the router attempts to inject routes locally through multiple methods, such as a route injected through both redistribute connected and the network command. By default, both routes would have the same weight and local preference, so the ORIGIN code would be the tiebreaker.


What are three restrictions associated with automatically removing private BGP ASNs in outbound Updates?
-Private ASNs can be removed only at the point of sending an eBGP Update
-If the current AS_SEQ or AS_CONFED_SEQ contains both private and public ASNs, the private ASNs will not be removed
-If the ASN of the BGP peer is in the current AS_PATH, the private ASNs will not be removed


How do you configure AS_PATH prepending?
BGP process:
neighbor ip route-map map out

route-map map permit 10
  match routes
  set as-path prepend asn1 ..asn2
route-map map permit 20

The final route-map statement is necessary, otherwise routes will be filtered.


How can you configure BGP to use a different ASN when setting up a BGP neighbor session than the one configured on the BGP process with router bgp asn?
With the neighbor local-as keyword.

Example:
router bgp 100
  neighbor ip remote-as 200
  neighbor ip local-as 300

The neighbor would peer with ASN 300 instead of 100.

This is commonly used during ASN migration.


What is the result of this configuration?

router bgp 100
  neighbor 10.10.10.1 remote-as 10
  neighbor 10.10.10.1 local-as 50 no-prepend
With this configuration, BGP communicates with 10.10.10.1 using 50 as its ASN. When the router sends Updates to the neighbor, it prepends 50 100 to each AS_PATH. With the no-prepend keyword, any routes received from the neighbor will not have 50 prepended upon reception, so when this router sends the routes to another neighbor, only 100 will appear in the AS_PATH instead of 50 100.


True or False: It is possible to manually set the BGP ORIGIN code for individual routes.
True, this is accomplished by matching routes and using set origin in a route-map.


True or False: The BGP MED is advertised by one AS into another, and can be propagated inside the AS but not sent to any other ASes.
True, MED is an optional nontransitive PA.


What is the default BGP MED value?
0

Range 0 - 4B, smaller is better


How do you configure the BGP MED value?
Through the BGP neighbor ip route-map map out command. The route map matches the desired routes and changes the MED with set metric


What does the following command do?

bgp bestpath med missing-as-worst
The default MED value for routes is 0. This command makes the default value 4B. 

It is important for all routers to either use the default of 0, or configure this command, otherwise routing choices will be affected.


True or False: BGP ignores the MED value when multiple routes to a single NLRI pass through different neighboring ASNs.
True. You can override this behavior with bgp always-compare-med under the BGP process.

If you implement this command, you should implement it on all routers in an AS, otherwise routing loops can occur.


What does the BGP command bgp deterministic-med do?
By default, Cisco IOS processes BGP table entries from newest (most recently learned) to oldest. When there are multiple routes to the same NLRI, IOS compares the newest two and selects the best, then compares it against the next route and chooses the best of the two, and so on. 

The bgp deterministic-med IOS processes the routes per adjacent AS by choosing the best from each neighboring AS, and then comparing those routes.

Cisco recommends this setting for all new BGP implementations.


True or False: When BGP is configured to allow multiple routes for a particular NLRI (instead of choosing the single bestpath), all routes are added to the IP routing table (similar to how an IGP would), and the routes are all advertised as "best" by BGP.
False: With the maximum-paths command, multiple routes can be added to the local IP routing table, but BGP will still only advertise a single "best" route from the BGP table.


If multiple routes to a BGP NLRI have made it through the normal "N WLLA OMNI" decision process without a single best route, the first tiebreaker is to use the oldest eBGP route. What is the second tiebreaker?
Choose the neighbor with the lowest RID among only eBGP sources if there is a mix of iBGP and eBGP sources, otherwise choose the lowest RID if there are only iBGP sources.


What happens if BGP has a current best route to an NLRI through an eBGP neighbor, but receives an otherwise identical route from a neighbor with a smaller BGP RID?
The existing best route is kept to avoid route flaps. This behavior can be modified with the BGP command bgp bestpath compare-routerid

This applies only to eBGP routes. iBGP routes always use the lowest RID as the tiebreaker.


What happens if BGP has a current best route to an NLRI through an iBGP neighbor, but receives an otherwise identical route from an iBGP neighbor with a smaller BGP RID?
The route through the neighbor with the smaller rid is used for iBGP.

With eBGP, the route remains so as to not cause route flaps, but can be changed with bgp bestpath compare-routerid


What is the final BGP bestpath decision tiebreaker?
The final tiebreaker is the lowest BGP neighbor ID (IP address). This is used when the route is coming from a router who has multiple separate neighbor relationships, as opposed to a single relationship using loopback addresses.


What is the default setting of the BGP maximum-paths command?
1


Assuming the BGP maximum-paths command has been configured higher than 1, when are multiple eBGP routes allowed to be entered into the IP routing table?
-The multiple routes must have made it through the normal BGP "N WLLA OMNI" decision process
-Only eBGP routes whose adjacent ASNs are the same as the single best route are considered as candidates
-If there are more candidates than what is set with maximum-paths the candidates must go through the final tiebreaker steps up to the maximum-paths setting


Assuming the BGP maximum-paths ibgp command has been configured higher than 1, when are multiple iBGP routes allowed to be entered into the IP routing table?
-The iBGP routes must have made it through the normal "N WLLA OMNI" bestpath selection process
-The iBGP routes must have different NEXT_HOP values
-If there are more candidates than what the maximum-paths ibgp allows, the final tiebreaker steps are used to only select the maximum-paths value


What is the BGP maximum-paths eibgp command used for?
This command is used to allow more than a single BGP route to be entered into the routing table for both eBGP and iBGP routes, but only for MPLS under BGP address family configuration mode.


True or False: BGP advertises community values to neighbors by default.
False: You must configure under the BGP process neighbor ip send-community [standard | extended | both]


How do you configure BGP to send a specific community value to a specific neighbor?
BGP process:
neighbor ip send-community
neighbor ip route-map map out

route-map map permit 10
  match routes
  set community value
route-map map permit 20


How do you view BGP table entries tagged with a specific community?
show ip bgp community value


What is the ip community-list command used for?
To permit or deny specific community values, which can then be referenced in a route-map.


How do you configure the router to take an action based on the receipt of a particular BGP community?
Create a community-list:
ip community-list num {permit | deny} value

Reference the list in a route-map:
route-map map permit 10
  match community num
  set attribute
route-map map permit 20


What is the purpose of the global ip bgp-community new-format command?
The original community was a 32-bit decimal value, but the new-format is defined by RFC 1997 which is AA:NN where AA is a 16-bit number typically representing an ASN, and NN is an arbitrary 16-bit number.


Within a route-map, what is the difference between these two commands?

set community 10 20 30
set community 10 20 30 additive
The first command replaces any existing community values with 10, 20, and 30.

The second command adds 10, 20, and 30 to any existing values.


How do you remove all BGP communities from a route?
Route-map:
match community ip-community-list
set community none


What is the BGP NO_EXPORT community used for?
Do not advertise outside this AS (excepting confederations)


What is the BGP NO_ADVERT community used for?
Do not advertise to any other peer.


What is the BGP LOCAL_AS / NO_EXPORT_SUBCONFED community used for?
Do not advertise outside the local confederation sub-AS.


What is the default Update interval for eBGP peers?
30 seconds


How frequently does BGP verify next-hop reachability?
60 seconds by default


What is BGP fast external fall-over?
eBGP sessions between directly-connected neighbors are torn down the moment the connected subnet between the peers is lost. BGP routes are immediately flushed, and BGP immediately begins looking at alternate routes.


What is BGP fast peering session deactivation?
When enabled, BGP monitors the peering session with the specified neighbor, and terminates the BGP session when an adjacency change is detected. A route-map can be referenced to make the fall-over action conditional.

Fast external fall-over is automatic. 


How do you configure BGP fast external fall-over detection?
Global:
[no] bgp fast-external-fallover

Enabled by default.


How do you configure the router to consider the MED value when choosing routes through different Confederation sub-ASes?
BGP process:
bgp bestpath med confed


How do you configure BGP to discard routes whose AS_PATH length exceeds a configured value?
BGP process:
bgp maxas-limit number


What is the BGP neighbor ip unsuppress-map command used for?
When component subnets have been filtered with the aggregate-address command, unsuppress-map can be used per-neighbor to re-advertise specific routes that were filtered through summarization.


How do you remove individual BGP communities from the COMMUNITY PA?
Create an IP community-list to reference the values to be removed:
ip community-list num permit value

Reference the list in a route-map:
match routes
set comm-list num delete


On a standard T568A or T568B-wired straight-through Ethernet cable connected to the host side, which pins transmit, and which pins receive?
1,2 transmit
3,6 receive


What do Cisco (and other vendor) switches use to automatically detect the speed of an Ethernet link?
Fast Link Pulses are detected as part of the autonegotiation process


Without autonegotiation, what duplex is assumed on an Ethernet link?
HDX for 10/100 links
FDX for 1000 links


What is a condition for configuring an Ethernet switch port for half duplex?
If the port is capable of gigabit or higher speeds, the speed must be set to either 10 or 100

If the port is a 10/100 port, the duplex setting is independent of the speed setting.


Other than CDP messages, what is an indication of duplex mismatch on an Ethernet link?
Errors and collisions


On an Ethernet link, what is the difference between a collision and a late collision?
Collions are detected within the first 64 bytes of a transmitted frame, assuming proper cable lengths.

Late collisions are those detected after the first 64 bytes have been transmitted.


What is the position and meaning of the U/L bit in an Ethernet MAC address?
The Universal/Local bit is the 2nd least-significant bit in the first octet of the MAC address. When toggled, it means that the address has been administratively assigned, overriding the vendor-assigned address. 


What is the position and meaning of the I/G bit in an Ethernet MAC address?
The Individual/Group bit is the least-significant bit in the first octet of the MAC address. When toggled, it means the frame is either multicast or broadcast, otherwise it is a unicast frame when not toggled.


What are the three main Ethernet frame formats?
Ethernet II / DIX
IEEE 802.3 + 802.2 LLC
IEEE 802.3 SNAP


What is the most common Ethernet frame format used today?
Ethernet II / DIX


Which types of traffic mostly use the IEEE 802.3 + 802.2 LLC Ethernet frame format?
These frame types are typically used by protocols invented by the IEEE, such as STP


Which types of traffic are often associated with IEEE 802.3 SNAP Ethernet frames?
Vendor-proprietary Layer 2 protocols like CDP, DTP, VTP, etc.


How does a system determine if a received Ethernet frame is in Ethernet II or LLC/SNAP format?
Across the Ethernet formats, there is a 2-byte field after the Preamble, Destination Address, and Source Address.

If the value of the 2-byte field is <= 1500, the frame is in LLC or SNAP format.

If the value of the 2-byte field is >= 1536, the frame is in Ethernet II format.


If an Ethernet frame is received where the 2-byte field after the Source Address has a value of 1536 or greater, what does this indicate?
This is an Ethernet II format frame, and the value is the EtherType.


If an Ethernet frame is received where the 2-byte field after the Source Address has a value of 1500 or less, what does this indicate?
This is an 802.2 LLC or SNAP format Ethernet frame, and this field is interpreted as the total length of the 802.2 header + data field, which is a value between 46 and 1500.


How can you tell if an Ethernet frame is either in 802.2 LLC or in SNAP format?
SNAP frames have the value 0xAA for both the DSAP and SSAP fields in the LLC header. Any other values indicate that the frame is not in SNAP format.


What is the default Catalyst CAM aging time?
300 seconds


What happens when you specify a destination SPAN port that has an existing configuration?
The original configuration is suspended while the port is acting as a SPAN destination. When the SPAN configuration is removed, the port's original configuration is resumed.


How many SPAN destination ports can be configured on a switch?
64


How do you limit a SPAN capture on a trunk port to specific VLANs?
monitor session num filter vlan vlans-to-capture


True or False: Traffic that is routed from another VLAN within a switch to a source VLAN cannot be monitored with SPAN.
True. Only traffic that enters or exits the switch in a source port or VLAN is forwarded in a SPAN session. If the traffic comes from another source within the source (such as routing from another VLAN), that traffic isn't forwarded through SPAN.


What is the difference between Receive (RX) SPAN and Transmit (TX) SPAN with regard to traffic processing?
RX traffic is transmitted to the SPAN destination before any modification, such as VACL/ACL filtering, QoS modification, policing, etc.)

TX traffic is transmitted to the SPAN destination after modification


Many types of Layer 2 frames (such as CDP, BPDUs, etc) are ignored by SPAN. How do you capture and forward this traffic to a SPAN destination?
With the SPAN encapsulation replicate command.


How do you configure an RSPAN VLAN?
vlan number
  remote span


After you designate an RSPAN VLAN, how do you use it?
monitor session num {source | destination} remote vlan num


How do you configure a basic ERSPAN source session?
monitor session num type erspan-source
  source source
  no shutdown
  destination
    erspan-id id
    ip address dst-ip
    origin ip address src-ip


How do you configure a basic ERSPAN destination session?
monitor session num type erspan-destination
  destination destination
  no shutdown
  source
    erspan-id id
    ip address src-ip


How do you verify SPAN/RSPAN/ERSPAN?
show monitor session


What is the VSS Active switch responsible for?
Running the Layer 2 and Layer 3 control protocols for the switching modules on both switches, as well as providing management functions for the VSS including module Online Insertion and Removal (OIR) and the console interface.


How many links can the Virtual Switch Link (VSL) contain?
Up to 8


True or False: The Virtual Switch Link (VSL) automatically gives control and management plane traffic higher priority than data traffic.
True


How many EtherChannels are supported in a VSS?
256


What are the three steps to enable VSS between a pair of switches?
-Configure the switch virtual domain id and switch {1 | 2} on both switches

-Configure unique port-channel interfaces (different numbers on each switch) and issue switch virtual link {1 | 2} and assign physical interfaces to the VSL port channel with channel-group num mode on and make sure to set switchport mode trunk

-Enable VSS with switch convert mode virtual on SW1, then on SW2


The first step in configuring VSS is to assign a domain ID. How do you configure this, and what is the valid range?
Globally:
switch virtual domain 1-255

This same value must be configured on both switches participating in the VSS.


True or False: The Virtual Switch Link (VSL) must be configured with the same port channel number on both switches. 
False: The VSL requires unique port channel values on each switch (e.g. po10 on one, po20 on the other).


What happens if a VSS standby switch VSL port channel number has been previously configured for another use?
The VSS will come up in Route Processor Redundancy mode. To avoid this, the port channel numbers on each switch must be unique and must be available.


What will the status of a configured VSS VSL be before the switches are rebooted into VSS mode?
Up/Down


After setting up the prerequisite configuration, how do you enable VSS mode?
switch convert mode virtual


When in VSS mode, how do you view the VSS domain number, switch number, and switch role?
show switch virtual


What happens when you connect to the console port of a VSS Standby switch?
The prompt will be:

hostname-standby>
Standby console disabled


How can you verify detailed information about the VSS member role?
show switch virtual role


How can you view more detailed information about the VSS VSL?
show switch virtual link [port-channel]


What is the IOS-XE Forwarding and Feature Manager (FFM)?
The FFM provides a set of APIs used to manage the control plane processes, and the FFM programs the data plane through the FED and maintains all forwarding states for the system.


What is the IEEE standard for 100 Mbps Ethernet over copper and optical cabling?
IEEE 802.3u


What is the IEEE standard for gigabit Ethernet over optical cabling?
IEEE 802.3z


What is the IEEE standard for gigabit Ethernet over twisted-pair copper cabling?
IEEE 802.3ab


What is store-and-forward switching?
Store-and-forward switching fully receives all bits in a frame and checks against the FCS for errors before forwarding a frame.


What is the difference between cut-through and fragment-free switching?
Fragment-free switching performs like cut-through, but the switch waits for the first 64 bytes of the frame to be received because Ethernet collisions should be detected within the first 64 bytes of the frame.


What is UTP Category 2 cable used for?
4 Mbps Token Ring


What is UTP Category 4 cabling used for?
16 Mbps Token Ring


What is the maximum single cable length of 10BASE2?
185m


What are the VLAN operational states?
Active (default)
Suspended


What is the range of VLANs configurable in the VLAN Database Configuration mode?
Only normal range: 1 - 1005


How do you enter VLAN Database Configuration mode?
EXEC mode: vlan database


After creating VLANs in VLAN Database Configuration mode with the vlan number command, what must you do next?
You must issue the apply command


When in VLAN Database Configuration mode, how can you view VLANs that have been configured but not yet added to the switch?
show proposed


True or False: Global Configuration mode is the only way to configure Extended-range and Private VLANs.
True. The deprecated VLAN Database Configuration mode can only configure Normal range VLANs, 1 - 1005.


After creating a VLAN in global configuration mode, what must you do for the settings to take effect?
You must exit the VLAN subconfiguration mode before the configuration changes will apply.


What happens if you issue the interface command switchport access vlan num when the num VLAN doesn't exist?
The VLAN is created automatically.


True or False: A VLAN can be disabled both globally with VTP, or locally on the individual switch.
True


What does the VLAN state suspend command do?
This command disables the VLAN globally through VTP, which suspends the VLAN on all switches participating in the VTP domain.


How do you disable a VLAN locally, without deleting it?
Globally:
vlan num
  shutdown

Note: You cannot use this command in VLAN Database Configuration mode.


What is the difference between these two commands?

vlan num
  shutdown

interface vlan num
  shutdown
One shuts down the entire VLAN locally on the switch, the other just shuts down the SVI associated with the VLAN, but does not disable the VLAN itself.


What happens if a VLAN is suspended globally through VTP, but not locally?
The VLAN will be disabled. While a VLAN can be enabled globally and disabled locally, a locally enabled VLAN will still be disabled if it is suspended globally through VTP.

In other words, a VLAN must be enabled both globally and locally.


What is the overall purpose of private VLANs?
To separate switch ports as if they were on different VLANs while consuming only a single IP subnet.


Private VLANs are a Layer 2 construct that are similar in conception to what BGP construct?
Confederations. Private VLANs consist of a Primary VLAN, and one or more Secondary VLANs, but the rest of the network only sees the Primary VLAN. This is similar in concept to a BGP Autonomous System with confederation Sub-ASes, where other ASes only see the main AS.


What are the two types of secondary Private VLANs, and what is the difference between them?
Community VLANs can communicate with the Primary VLAN, and to devices within the single Community VLAN, but not to devices in other Community VLANs.

Isolated VLANs can communicate with the Primary VLAN, but nothing else, including other devices within the same Isolated VLAN.


A Primary Private VLAN can be associated with ___ Isolated VLAN(s).
1

Because devices in an Isolated VLAN cannot communicate with each other, only to the Primary VLAN, there is no need for multiple Isolated VLANs within a single Primary VLAN.


How many Primary Private VLANs can a Secondary or Isolated VLAN be associated with?
1


A Private VLAN Promiscuous port is associated with the ___ VLAN and can communicate with ___ VLANs.
Primary
All Secondary


True or False: A frame received on a promiscuous, community, or isolated Private VLAN port can never be forwarded through a trunk port.
False


If a frame is received on a private VLAN community or isolated port, how is the frame tagged when it is forwarded through a trunk?
The frame is tagged with the corresponding secondary VLAN ID. The receiving switching then forwards the received frame according to the type of secondary VLAN.


If a frame is received on a private VLAN promiscuous port and forwarded across a trunk, how will the frame be tagged?
The frame will be tagged with the associated primary VLAN ID.


When configuring Private VLANs, what is a prerequisite if the switch is not running in VTPv3 mode?
The switch must be placed into vtp mode transparent if not running VTPv3.


How do you create a private VLAN?
Globally:
vlan num
  private-vlan {primary | community | isolated}


How do you associate secondary private VLANs with the primary?
Globally:
vlan primary-number
  private-vlan primary
  private-vlan association secondaries


How do you verify private VLAN types and mappings?
show vlan private-vlan


How do you configure an interface to participate in a secondary private VLAN?
Interface:
switchport mode private-vlan host
switchport private-vlan host-association primary-vlan secondary-vlan


How do you configure an interface to be promiscuous in a private VLAN?
Interface:
switchport mode private-vlan promiscuous
switchport private-vlan mapping primary-vlan secondary-vlans


In a private VLAN environment, what must be configured if an SVI is used for the default gateway?
The SVI must be configured as a promiscuous interface:

SVI interface:
private-vlan mapping secondary-vlans


What are the two types of private VLAN trunks for connecting to devices that do not support private VLANs?
Promiscuous PVLAN trunk
Isolated PVLAN trunk


What is a Promiscuous private VLAN trunk used for?
This is for devices that do not support PVLANs, with the most common use case being a router-on-a-stick scenario.

When traffic from a secondary VLAN is sent over the trunk, its VLAN tag is rewritten with the primary VLAN ID. When a frame is received, no tag manipulation is performed.


What is an Isolated private VLAN trunk used for?
The Isolated PVLAN trunk is used to extend the secondary isolated PVLAN to a switch that doesn't support PVLANs, but is capable of isolating its ports (such as with Catalyst Protected Ports switchport protected).

An Isolated PVLAN trunk port rewrites the primary VLAN ID into the isolated secondary VLAN ID when sending a frame. When a frame is received, no tag manipulation is performed.


How do you enable protected ports?
Enabled at the interface:
switchport protected


What is the size and location of the 802.1Q header?
4 bytes
Location is after the Source Address field


What is the EtherType of a frame containing a 802.1Q tag?
0x8100


What is the result of an 802.1Q Native VLAN mismatch?
Two VLANs are merged into one if the Native VLAN does not match between devices.


True or False: Dynamic Trunking Protocol (DTP) negotiates both whether the port becomes a trunk or access port, and what type of trunking protocol to use.
True. If trunking is negotiated, ISL will be used if both devices support it, otherwise 802.1Q is used.


If DTP negotiates a trunk, and both devices support both ISL and 802.1Q trunking, which protocol is used?
ISL is used if both devices support ISL, otherwise 802.1Q is used.


Older Catalyst switches default to DTP ___ mode, while newer Catalyst switches default to DTP ___ mode.
Dynamic desirable
Dynamic auto


True or False: DTP will successfully negotiate the link operating mode only if the VTP domain name on both switches is either the same or NULL.
True. While DTP and VTP are independent protocols, DTP carries the VTP domain name in its messages. 

This design decision was chosen because different VTP domains may use the same VLANs, but for different purposes, so bridging them together should not be automatic.


What happens if an interface is configured with both switchport access and switchport trunk commands?
These commands specify how the port operates depending on which mode it is in. If the port is in access mode, the switchport access commands are applied, and the switchport trunk commands are ignored, and vice versa.


How do you verify the global DTP settings?
show dtp


What is the default DTP Hello interval?
30 seconds


Which VLANs are allowed across a trunk link by default, and how do you configure this?
All VLANs allowed by default

Trunk interface:
switchport trunk allowed


What are the three requirements for a VLAN to be in the "allowed and active" state on a trunk?
-VLAN must in the allowed list for the trunk
-VLAN must exist in the VLAN configuration on the switch
-VLAN must be in the active state (not suspended or shutdown)


If an interface is configured with switchport mode trunk and nothing else, what must the other side be configured as to form a trunk?
One of the following:
switchport mode trunk
switchport dynamic desirable
switchport dynamic auto


True or False: If an interface is configured with switchport mode trunk and nothing else, DTP is still used on the interface.
True. DTP is always used unless the switchport nonegotiate command is issued.


What is the relationship between the command switchport mode access and DTP?
If switchport mode access is configured on an interface, the interface never forms a trunk, and sends a single DTP message to help the other side reach the same conclusion, but ceases to send or process DTP messages afterward.


How do you configure the 802.1Q Native VLAN on a router's Ethernet subinterface?
encapsulation dot1q native-vlan-id native


What is the outer tag referred to as in QinQ tunneling?
The S-tag (Service Provider)


What is the inner tag referred to as in QinQ tunneling?
The C-tag (Customer)


In a QinQ environment, what is a common configuration with regard to the Native VLAN?
Global:
vlan dot1q tag native

This prevents the issue of a customer's untagged frames from being misforwarded or blackholed when the S-tag is added.


When configuring an 802.1QinQ environment, what is a common setting with regard to the MTU?
The S-tag adds 4 bytes, so it is common to adjust the MTU to 1504.


What is the difference between these two commands?

system mtu 1504
system mtu jumbo 1504
The jumbo keyword applies to 1/10 Gbps interfaces, while the other command applies to 100 Mbps interfaces.


How do you enable 802.1Q-in-Q tunneling on an interface?
switchport mode dot1q-tunnel


True or False: When 802.1Q-in-Q tunnelling is enabled, Layer 2 management protocols are forwarded across the tunnel by default, but can be disabled individually.
False. Layer 2 management protocols are not enabled across the tunnel by default, but can be enabled with the interface command:

l2protocol-tunnel  <-- enables all
l2protocol-tunnel [cdp] [lldp] [stp] [vtp]


What VLAN information is advertised with VTP?
VLAN ID
VLAN name
VLAN type
VLAN state


What is the default VTP version on enterprise IOS-based switches?
VTPv1


How do VTPv1 and VTPv2 handle unknown TLVs differently?
VTPv1 drops all unrecognized TLVs from received messages
VTPv2 keeps all TLVs in propagated messages even if they are not recognized


What are the two circumstances that a switch in VTP Transparent Mode will forward VTP messages?
The VTP domain matches between switches
The VTP domain is NULL


Which VLAN IDs are supported in VTPv2?
Both VTPv1 and VTPv2 support only Normal range VLANs 1 - 1005. The switch must be in VTP Transparent Mode, or use VTPv3 to use Extended range VLANs 1006 - 4094.


True or False: VTPv3 supports Extended range VLAN pruning.
False, VTPv3 supports Extended range VLANs, but can still only prune Normal range VLANs.


True or False: Access ports neither send nor accept VTP messages.
True. For two switches to communicate in VTP, they must first be interconnected through a working trunk link.


What are the four VTPv1 and VTPv2 message types?
Summary advertisement
Subset advertisement
Advertisement request
Join


What is a VTP Summary Advertisement message?
Message originated by both Servers and Clients that carries information about:

-VTP domain name
-Revision number
-ID of last updater
-Timestamp of last update
-MD5 of contents of VLAN database
-VTP password (if configured)
-Number of Subset Advertisements to follow


Which devices generate VTP Summary Advertisement messages?
Both VTP Servers and Clients


True or False: VTP Summary Advertisement messages do not carry VLAN database contents.
True, these are carried in Subset Advertisement messages.


What are VTP Subset Advertisement messages?
Subset advertisement messages carry full contents of the VLAN database. One message can hold multiple VLAN database entries, but multiple messages might be required if the VLAN database is large.


Who sends VTP Subset Advertisement messages, and when?
VTP Subset Advertisement messages are originated by both VTP Servers and Clients whenever the VLAN database is modified.


What is the VTP Advertisement Request message?
A message originated by both VTP Servers and Clients to request their neighbors send all or part of the VTP database.


What three different events cause VTP Advertisement Request messages to be sent?
-When a VTP Client switch is restarted
-When a switch enters VTP Client mode
-When a Server or Client receives a Summary Advertisement with a higher revision number than its own


What are VTP Join messages?
Join messages are originated by both VTP Servers and Clients every 6 seconds when VTP Pruning is enabled. Join messages contain a bit field that indicates for each VLAN in the Normal range if it is active or unused (pruned).


True or False: Since Catalyst switches default to VTP Server mode, VTP updates are sent to trunked neighbors by default.
False. A switch in VTP Server mode does not send VTP updates until a VTP domain name is configured.

While a switch does not need any explicit configuration to become a member of a VTP domain, the minimum requirements for VTP are that at least one switch must have a domain name configured.


What happens when a switch with no VTP configuration forms a trunk to a switch in an existing VTP domain?
The switch with no VTP configuration assumes the VTP domain name of the first received VTP advertisement message, joins the VTP domain as a Server, and configures the advertised VLANs locally.


When using VTP, where is the VLAN configuration stored?
In the vlan.dat file in flash memory, not in NVRAM.


True or False: With VTPv3, the Primary Server is the only switch whose VLAN database can be propagated throughout the VTP domain.
True, VTPv3 Servers (non-Primary) and Clients will share their VLAN databases only if they agree on both the domain name and identity of the Primary server (via base MAC address).


With VTPv3, what is the difference between Servers and Clients?
In VTPv3, Servers and Clients are identical, except Servers can be promoted to the Primary Server, while clients can not.


True or False: VTPv3 secondary servers and clients can overwrite a neighbor's VLAN database if they have a higher revision number than the neighbor.
True, however the switches must agree on the VTP domain name, password, and identity of the Primary Server.


What happens if a VTPv3 switch is disconnected from the VTP domain, promoted to the Primary Server and has changes made to the VLAN database, and then rejoins the VTP domain?
The other switches will be in conflict and will not agree on who the Primary Server is. In this situation, even though this switch may have a higher revision number, the database will not be accepted by the VTP neighbors.


How do you promote a VTPv3 server to the Primary server?
EXEC: vtp primary


What happens when a VTPv3 server is promoted to Primary?
The switch floods its VLAN database to all neighbors, who install and flood the database even if the revision number is lower so that the Primary server's database is asserted over the VTP domain.


True or False: When a VTPv3 server is promoted to Primary, its VLAN database overwrites all other switches in the VTP domain, even if it has a lower revision number.
True


What happens if a switch acting as the VTPv3 Primary server is reloaded?
The Primary server setting is not retained, and the switch resumes the role of a Secondary server.


With VTPv3, how do you reset the revision number to 0?
You must either modify the VTP domain name, or configure a VTP password.

VTPv3 does not reset the revision number by switching to VTP Transparent mode and back, unlike VTPv1 and VTPv2.


What happens if a VTPv3 switch detects a switch running VTPv1 or VTPv2 on its port?
The VTPv3 switch reverts to VTPv2 operation on the port, and forces the neighbor switch to operate in VTPv2 mode if it is running VTPv1.

If the neighboring switch is not VTPv2 capable, VTP communications between the two switches cannot occur.


Two switches that have no VTP configuration are connected together with a trunk link. One switch configures a VTP domain name, changes the VTP version to 3, becomes the Primary server, and creates a new VLAN.

What is the VTP and VLAN status on the second switch after this occurs?
The other switch will start out as a VTPv1 server with a NULL VTP domain. When it receives the advertisement from the first switch, it changes its domain name, changes its version to VTPv2, and installs the VLAN.


How do you configure the VTP domain name?
Globally:
vtp domain name


How do you verify VTP?
show vtp status


In a VTPv1 environment, what happens if you issue the vtp version 2 command on a VTP server?
All switches in the VTP domain change their version to VTPv2.


In a VTP environment, what happens when you issue vtp version 3 on a switch?
Only that switch is changed to VTPv3. VTPv3 must be configured manually on each switch.


What is the single requirement (other than IOS version/feature support) of activating VTPv3?
The switch must have a non-NULL VTP domain name.


What does the command vtp interface interface do?
Specifies the interface whose IP address is used to identify the switch as an updater in VTP updates. By default, a configured IP from the lowest-numbered SVI interface is used.


What is the default IP address used to identify the updater in VTP updates?
The configured IP address of the lowest-numbered SVI, unless explicitly configured with vtp interface interface


True or False: With VTPv3, you can disable VTP per-interface.
True: The no vtp command disables VTP at the interface level. You can disable VTP globally with vtp mode off in VTPv3 mode.


True or False: If a password has been set for the VTP domain, you must enter that password when promoting a VTPv3 server to Primary.
True


How do you configure a VTPv3 password so that it will never be displayed in plaintext?
Globally:
vtp password plaintext-password hidden


How do you configure a VTPv3 password that was previously encrypted on other switches in the VTPv3 domain?
Globally:
vtp password encrypted-password secret


When configuring the PPPoE client-side dialer interface, what are two common commands issued to resolve connectivity issues?
interface dialer num
  mtu 1492
  ip tcp adjust-mss 1452


How do you verify which VLANs are being used internally on a switch (such as those used for Layer 3 switchports).
show vlan internal usage


What are the two types of STP BPDUs?
Configuration
Topology Change Notification (TCN)


What are the twelve fields in a STP Configuration BPDU?
I Verify That Four Raccoons Can Skip Safely Across My Huge Forest

Protocol Identifier (2B)
Protocol Version (1B)
BPDU Type (1B)
Flags (1B)
Root Bridge ID (8B)
Root Path Cost (4B)
Sending Bridge ID (8B)
Sending Port ID (2B)
Message Age (2B)
Max Age (2B)
Hello Time (2B)
Forward Delay (2B)


What are the three fields in a STP Topology Change Notification BPDU?
Protocol Identifier (2B)
Protocol Version (1B)
BPDU Type (1B)


What are the Protocol ID and Protocol Version values for STP BPDUs?
Protocol ID: 0x0000
Protocol Version: 0x00


What is the value of the STP BPDU Type field for a Configuration BPDU?
0x00


What is the value of the STP BPDU Type field for a Topology Change Notification BPDU?
0x80


What are the two flags used in the STP BPDU Flags field?
Topology Change Acknowledgement
Topology Change


What is the Message Age field in a STP BPDU?
An estimatation of the BPDU's age since it was originated at the Root bridge. The Root sets the Message Age to 0, and downstream switches increment the value (usually by 1) as the BPDU propagates outward.


True or False: The STP MaxAge, HelloTime, and ForwardDelay timers are not used on nonroot switches with classic STP, even if they are configured.
True. The timers values are generated by the Root switch, conveyed in BPDUs, and used on all downstream switches in the STP domain.


What is the five-step process to determine which of two STP BPDUs are superior and inferior?
The lowest value of:

Root Bridge ID
Root Path Cost
Sender Bridge ID
Sender Port ID
Receiver Port ID (not included in the BPDU - evaluated locally as the final tiebreaker)


What is another term for STP Configuration BPDUs?
Hellos, because their origination is driven by the Hello timer.


Each port in an STP topology stores the Designated Port's BPDU. DPs send their own BPDU, and Root and Blocking ports store the received BPDU from the upstream switch.

When a port stores a received BPDU, when must it be refreshed?
The BPDU expires within a time interval of MaxAge - MessageAge seconds, and must receive another BPDU within that time frame. 

For example, with the default MaxAge time of 20 seconds, a switch that is two hops away from the Root should receive a BPDU with a MessageAge of 4, therefore it must receive another BPDU within 16 seconds, otherwise the stored BPDU expires.


What are the three steps STP uses to determine which ports to forward and block?
-Elect the root switch
-Determine each switch's Root Port
-Determine the Designated Port for each segment


How does STP elect the root bridge?
When STP is initialized on a switch, it sends out BPDUs claiming itself to be the Root. If it receives a superior BPDU, it stops claiming to be the Root and stops originating BPDUs, and starts forwarding the received superior BPDUs onward.


What is the difference between the original 802.1D Bridge ID, and the revised 802.1t Bridge ID (now a part of 802.1D-2004)?
The original Bridge ID is a 2-byte Priority field + 6-byte System ID (MAC address).

The revised BID splits the Priority field into a 4-bit Priority field + 12-bit System ID Extension (which is typically set to the VLAN ID).

The revised 4-bit Priority field represents the original Priority values in multiples of 4096.


Before the 802.1D Bridge ID format was revised, how did Cisco implement PVST?
Having multiple STP instances with the same BID was in violation of 802.1D that required a distinct BID for each switch. Cisco used a different MAC address for each VLAN, which consumed a large number of reserved MAC addresses in each switch.


What is another term for the revised STP BID System ID Extension field?
MAC address reduction

Prior to the 802.1t amendment, Per-VLAN Spanning-Tree required a separate unique MAC address for the BID for each VLAN, which consumed a large number of reserved MAC addresses on each switch.


What is the next step after the STP Root Bridge is elected?
Each switch must determine its single Root Port.


What happens with regard to cost when a nonroot switch in a STP domain receives a BPDU?
The switch adds the cost of the received port to the RPC value in the received BPDU, yielding a resulting BPDU that can be propagated on the switch's Designated ports. 


When a nonroot switch in a STP domain receives a BPDU on its Root Port, what BPDU values must be updated before the BPDU is propagated on the switch's Designated Port(s)?
Root Path Cost
Sender Bridge ID
Sender Port ID
MessageAge


True or False: Classic STP switches do not forward Configuration BPDUs (Hellos) out Root Ports or ports that stabilize into Blocking state.
True: BPDUs on these ports would be inferior to BPDUs originated by a neighbor's Designated Port for the segment.


Why can there only be a single STP Root Port?
There will always be only a single received Configuration BPDU (Hello) that is superior over all other received BPDUs.


True or False: The STP Root Bridge adds its STP Port Cost when sending BPDUs out its Designated Ports.
False: The Root Bridge sends BPDUs with a Root Path Cost of 0 since it is the root. Additionally, the RPC value is adjusted by adding the port cost when a nonroot switch receives a BPDU.


How do you change the STP cost method?
Global:
spanning-tree pathcost method {short | long}

The short (802.1D-1998) method is used by default for (R)PVST.

The long (802.1D-2004) method is used by default for MST.


What are the STP port costs used for 10 Mbps, 100 Mbps, 1 Gbps, and 10 Gbps links for the 802.1D-1998 standard?
10 Mbps = 100
100 Mbps = 19
1 Gbps = 4
10 Gbps = 2


What are the STP port costs used for 10 Mbps, 100 Mbps, 1 Gbps, and 10 Gbps links for the 802.1D-2004 standard?
10 Mbps = 2,000,000
100 Mbps = 200,000
1 Gbps = 20,000
10 Gbps = 2,000


What is the STP term for the nonroot switch that forwards Configuration BPDUs (Hellos) onto a particular LAN segment?
Designated Bridge (Switch)


With STP, what happens when ports are determined to be neither Root nor Designated?
They are moved to Blocking state.


When determining the STP Root Port, when is the Root Path Cost considered?
After the switch adds the STP Port Cost of the port which received the BPDU, then all received BPDUs (with the local Port Cost added to the RPC value) are compared.


What four events are considered a STP topology change?
-A TCN BPDU is received on a DP
-A port moves to the Forwarding state and the switch has at least one DP
-A port moves from Learning or Forwarding to Blocking
-A switch becomes the Root


What happens if a switch running STP loses its Root Port, but is not receiving BPDUs from adjacent switches?
The switch declares itself as the Root and starts flooding its own BPDUs through its connected ports.


What happens when a STP Root Port starts receiving inferior BPDUs?
The inferior BPDUs are ignored until the current Root Port's stored BPDU expires (MaxAge - MessageAge).


What happens when a switch running STP stops receiving BPDUs on its current Root Port?
The port becomes a Designated Port and moves to the Listening state after the stored BPDU expires (MaxAge - MessageAge). The switch then searches for a new Root Port by comparing received superior BPDUs on other ports.


When there is a STP topology change, why do all of the CAM entries need to be aged out?
When there is a topology change, the link used to reach the Root Bridge might be changed as well, which means the CAM table must be updated to reflect which port is now used to reach the MAC address of the Root Bridge.


What happens when a switch in a STP domain detects a topology change?
The switch sends a TCN BPDU out its Root Port, repeating every Hello interval (2s default) until it is acknowledged by the upstream switch.


What happens in a STP topology when a switch receives a TCN BPDU?
It sends back an acknowledgement in the next forwarded Configuration BPDU (Hello) by marking the Topology Change Acknowledgement bit in the Flags field.


What happens when the Root Bridge in a STP domain is informed of a topology change?
The Root Bridge originates BPDUs with the Topology Change bit set for the next MaxAge + ForwardDelay seconds, which instructs all switches in the STP domain to shorten their aging time for CAM entries to ForwardDelay seconds.


Which classic STP port states are considered stable, and which are transitory?
Blocking, Forwarding, Disabled = stable
Listening, Learning = Transitory 


During which classic STP port states are source MAC addresses learned from received frames?
Learning, Forwarding


What major issue does PVST solve over Common Spanning Tree (CST)?
By creating a different STP instance for each VLAN, each VLAN can use a different Root Bridge, which enables load distribution since a port that is blocked for one VLAN can be forwarding for another VLAN.


Why is classic STP sometimes referred to as "Common Spanning Tree (CST)"?
Classic IEEE 802.1D STP is not VLAN-aware, and uses a single STP topology for all VLANs, which is why it is referred to as "common".


How does Cisco PVST+ interoperate with non-Cisco switches that only support CST?
Cisco PVST+ running on 802.1Q trunks uses a VLAN 1 STP instance to communicate with non-Cisco switches and their STP. This allows for separate PVST+ and CST regions, which creates an overall loop-free topology across the CST regions and VLAN 1 inside PVST+ regions, while each PVST+ region utilizes multiple spanning trees with potentially different topologies within each separate PVST+ region.


In a STP topology containing both CST and PVST+ regions, how does the STP toplogy compare between regions?
There is an overall loop-free topology that is bound to all VLANs in CST regions, and VLAN 1 within PVST+ regions. Within individual PVST+ regions, other VLANs can utilize different per-VLAN STP topologies.


How is PVST+ able to treat CST regions between PVST+ regions as loop-free shared segments?
PVST+ BPDUs are encapulated on trunks differently than ordinary BPDUs. 

-Their destination MAC address is 0100.0CCC.CCCD (as opposed to ordinary BPDU destination 0180.C200.0000)
-They are tagged with the corresponding VLAN (ordinary BPDUs are untagged)
-They are SNAP encapsulated (ordinary BPDUs are LLC encapsulated)
-They have a Port VLAN ID (PVID) TLV placed at the end that carries the originating VLAN number


To which destination MAC address are PVST+ BPDUs sent?
0100.0CCC.CCCD


To which MAC address are regular BPDUs sent?
0180.C200.0000


What type of Ethernet encapsulation do PVST+ BPDUs use?
SNAP


What type of Ethernet encapsulation do regular BPDUs use?
LLC


How is the VLAN information conveyed in PVST+ BPDUs?
PVST+ BPDUs are 802.1Q tagged, and each PVST+ BPDU has a Port VLAN ID (PVID) TLV record carrying the originating VLAN ID.


How can PVST+ BPDUs be used to detect native VLAN mismatches?
PVST+ BPDUs are 802.1Q tagged, and carry a Port VLAN ID (PVID) TLV record. When the destination switch receives the BPDU, it analyzes the PVID and compares it with the VLAN on which it was received. If the BPDU was sent untagged and received on a destination VLAN requiring a tag, or vice-versa, the native VLAN mismatch is detected.


How are PVST+ BPDUs tunneled across CST regions?
CST regions treat PVST+ BPDUs are ordinary multicasts and floods the BPDUs without processing them. When the PVST+ switches receive the flooded BPDUs from the CST regions, they can examine the PVID TLV and process the BPDUs further within the individual PVST+ regions.


How is VLAN 1 treated differently for BPDU processing in PVST+?
VLAN 1 on PVST+ trunks sends both standard BPDUs and PVST+ BPDUs. Only the STP BPDU is used by both CST and PVST+ to compute the spanning tree. The PVST+ BPDU for VLAN 1 is used to detect native VLAN mismatches, but is otherwise ignored upon arrival.


With PVST+, which types of BPDUs are sent on access ports?
Access ports send only IEEE BPDUs relevant to their access VLAN


With PVST+, which types of BPDUs are sent on trunk ports?
Trunk ports always send untagged IEEE BPDUs for VLAN 1, and tagged PVST+ BPDUs for all existing and allowed VLANs, including VLAN 1, though the native VLAN will be untagged.


What happens if an access port receives a non-IEEE BPDU?
When processing received BPDUs, an access port must receive only IEEE BPDUs, otherwise a Type Inconsistent state is declared.


What happens when a trunk port in a PVST+ domain receives an IEEE-formatted BPDU?
That BPDU is processed for the VLAN 1 STP instance.


What are the three processing steps that take place when a trunk port receives a PVST+ BPDU?
-Assign the BPDU to the proper VLAN via 802.1Q tag (or native VLAN if untagged)

-Check the PVID TLV in the BPDU. If the PVID does not match the VLAN, declare PVID_Inconsistent state for the pair of mismatched VLANs

-If the PVID matches the VLAN, process the BPDU with STP, except for VLAN 1. For VLAN 1, drop the BPDU and use the received IEEE BPDU. The PVST+ BPDU for VLAN 1 is only used for the native VLAN mismatch check.


What causes PVID_Inconsistent state?
When a received PVST+ BPDU's PVID TLV does not match the VLAN for which the BPDU was received. There is a native VLAN mismatch in this case, and both VLANs become PVID_Inconsistent. 


When PVST+ regions are interconnected with CST regions, what two high-level steps are performed to ensure an overall loop-free topology?
A loop-free STP topology is calculated across all CST regions, and across VLAN 1 in PVST+ regions. Then the remaining VLANs inside PVST+ regions calculate the loop-free STP topology per-VLAN.


What command displays the STP Root Bridge?
show spanning-tree root


How do you configure the STP priority of a VLAN?
Globally:
spanning-tree vlan vlan priority priority

Where priority is in increments of 4096.


What is the default STP priority for any given VLAN?
32768 + VLAN number (System ID Extension)

Example, VLAN 11 is 32768 + 11 = 32779


How do you adjust the STP cost of a port?
Interface:
spanning-tree [vlan vlan] cost cost


What single command sets the STP Root Bridge and adjusts all of the timers?
Global:
spanning-tree vlan vlan root primary diameter diameter

This command is a macro that configures the switch with a lower priority than all other switches, and adjusts the Hello, ForwardDelay, and MaxAge timers according to the entered diameter value (the default being 7).


What priority values does the command spanning-tree vlan vlan root secondary set the switch to?
28672


What priority value does the command spanning-tree vlan vlan root primary set the switch to?
24576 if the current root is higher, or the same with a higher MAC address, or 4096 less than the current root.


What are the RSTP stable and transitory states?
Discarding, Forwarding = stable
Learning = Transitory


RSTP defines the "Discarding" state as the replacement for which STP states?
Disabled, Blocking, Listening


True or False: Ports in RSTP Discarding or STP Blocking states still process non-data frames including BPDUs and other Layer 2 protocols like DTP, VTP, CDP, etc.
True. Ports in RSTP Discarding or STP Blocking do not forward data frames, receive data frames, or learn source MAC addresses, but do continue to process Layer 2 control plane traffic.


What are the RSTP Port Roles?
Root Port
Designated Port
Alternate Port
Backup Port


What is the difference between an RSTP Alternate Port and Backup Port?
Alternate = replacement Root Port, event-driven
Backup = replacement Designated Port, timer-driven


With RSTP, what happens if the current Root Port is lost, but an Alternate Port exists?
The Alternate Port becomes the new Root Port and immediately transitions to Forwarding.


What are the two RSTP port types, and which is the default?
Edge
Non-Edge (default)


True or False: RSTP Edge ports still send BPDUs.
True: RSTP Edge ports immediately become Designated Forwarding after coming up, and send BPDUs, but do not expect to receive any back. If a BPDU is received on an Edge port, it begins operating as a Non-Edge port.


What happens if an RSTP Edge port receives a BPDU, but is later disconnected or shut down?
When an RSTP Edge port receives a BPDU, it reverts to Non-Edge operations. However, if the port is later disconnected or shutdown, when it comes back up it will revert to RSTP Edge operations until a BPDU is received again.


How do you manually configure the RSTP link type?
Interface:
spanning-tree link-type {point-to-point | shared}


What is the default RSTP port role, state, and type?
Designated, Discarding, Non-Edge


With RSTP, what happens if an inter-switch link is either negotiated to or manually-configured to half-duplex?
The RSTP link type is shared and uses timer-driven operations instead of event-driven.


With RSTP, what happens if an inter-switch link is either negotiated to or manually-configured to full-duplex?
The RSTP link type is point-to-point until proven otherwise (such as RSTP not running on the other end of the link).


How many types of BPDUs are used by RSTP?
One

STP uses Configuration and TCN BPDUs, while RSTP contains everything within the single BPDU type.


What is the BPDU Protocol Version field set to for RSTP?
2


What bits are defined in the Flags field of the RSTP BPDU?
TPPL FAT

Topology Change
Proposal
Port Role (uses 2 bits)
Learning
Forwarding
Agreement
TC Ack


What is the MessageAge BPDU field used for in RSTP?
The MessageAge field is only used as a hop count with RSTP. Any BPDU with a MessageAge equal to or higher than the MaxAge is discarded.


What happens if an RSTP switch misses three Hellos?
When three Hellos are missed on a port, the stored BPDU is aged out immediately.


What happens with RSTP when a Designated Switch starts sending BPDUs that are inferior to those sent previously?
The receiving switch accepts the BPDUs immediately, and replaces the previously-stored BPDUs, as if the previous superior BPDU had expired.

The receiving switch then re-evaluates its port roles and states. This allows RSTP to more quickly react to changes in the topology, because receipt of an inferior BPDU means there was a change with regard to reaching the root (or the root itself changed).


What is the purpose of the RSTP Proposal/Agreement process?
RSTP uses the Proposal/Agreement process on point-to-point links to quickly put them into operation without causing a temporary switching loop or significant interruption in communications.

For example, a newly-added p2p link could cause one of the attached switches to place its Root Port on the new link, which could change other port roles in the network. Without the Proposal/Agreement process, switching loops can occur.


With the RSTP Proposal/Agreement process, what is the meaning of the proposal, and what is the meaning of the agreement?
The Proposal signifies the willingness of a port to become Designated Forwarding.

The Agreement grants permission for the upstream port to become Designated Forwarding immediately.


True or False: Any RSTP Designated Port in the Discarding or Learning state sends BPDUs with the Proposal bit set.
True. The Proposal bit indicates the port's willingness to become Designated Forwarding.


What is the first thing that happens when two ends of an RSTP point-to-point link receive each other's Proposals, assuming each end of the link has the right to be Designated?
The switch receiving the best resulting BPDU changes its port role from Designated to Root (while remaining in the Discarding state).


What are the six steps of the RSTP Proposal/Agreement & Sync process?
Connect > Determine Root > Others Discard > Root Agreement Forward > Designated Agreement Forward > Repeat

-P2P link connected, both ports are Designated Discarding and send Proposals
-Port receiving superior BPDU becomes Root Discarding and adjusts other port roles on the switch
-All Non-Edge Designated ports on the switch are put into Discarding state (Sync)
-New Root moved to Forwarding state and Agreement sent upstream
-Upstream switch receives Agreement and moves Designated port to Forwarding state
-Entire process repeats between downstream switches


Why is it critical to define Edge ports in an RSTP domain?
Non-Edge ports participate in the Proposal/Agreement/Sync process during topology changes, which can result in major temporary connectivity losses if the connected devices do not participate in the process (such as with a regular host), whereas Edge ports are always in the Forwarding state.


What consistutes a topology change event in RSTP?
The transition of a Non-Edge port from Discarding or Learning to Forwarding.

This is due to Forwarding ports providing a path to a set of MAC addresses, and therefore the CAM tables need to be updated.


Why is a port that is moved into the Forwarding state considered a topology change event for RSTP?
When a port is moved into Forwarding state, it can provide a path to a set of MAC addresses, and therefore CAM tables need to be updated.


True or False: RSTP Edge ports never cause a topology change event, and MAC addresses learned on them are not flushed during topology change event handling.
True, Edge ports remain in the Forwarding state, and the MAC addresses learned on Edge ports are unaffected.


How does an RSTP switch detect a topology change?
If one of its own Non-Edge ports moves into the Forwarding state, or if it receives a BPDU on a Root or Designated port with the TC flag set.


What three things happen when an RSTP switch detects a topology change?
-The switch sets a tcWhile timer (Hello + 1 sec) on all Non-Edge Designated Ports and Root Port, except the port that detected/learned the change
-The switch immediately flushes all MAC addresses learned on those ports
-The switch sends BPDUs with the TC flag set on those ports every Hello seconds until the tcWhile timer expires


How do you enable RPVST+?
Globally:
spanning-tree mode rapid-pvst

Important: Define Edge ports with spanning-tree portfast or spanning-tree portfast default


True or False: RPVST+ and RSTP operate exactly like PVST+ and STP with regard to CST and Per-VLAN regions.
True. While PVST+/STP will use classic STP rules, and RPVST+/RSTP will use RSTP rules, Per-VLAN regions are still tunneled over the CST regions in the same manner.


What are the three requirements for RSTP to provide quick reaction to changes in the network topology?
-All switches must run RSTP/RPVST+
-All inter-switch links must be properly installed and recognized as point-to-point links
-All ports toward end stations must be properly identified as Edge ports


What happens if a switch running RSTP/RPVST+ connects to a switch running classic STP or PVST+?
Classic STP / PVST+ rules will be in effect for that port


What happens when switches running RSTP have shared segments (instead of point-to-point links)?
RSTP reverts to timer-based (instead of event-driven) operations on shared segments, which greatly increases reconvergence time during topology changes.


For lower-end Catalyst switching platforms, what is the R/PVST+ instance limitation, and how do you get around it?
Several platforms, such as the 2960, 3560 and 3750, support up to 128 STP instances (and therefore 128 active VLANs). To get around this limitation, use MST.


How many active instances does MST support?
65: Instance 0 + up to 64 user-defined instances


What is the valid range of MST instance numbers?
0 - 4095. MST uses the 802.1t System ID Extension field for instance numbers.


How many BPDUs are used to carry information about MST instances?
MST uses a single BPDU to carry information about about all instances.


In MST, a port sends BPDUs if it is ___ for at least one MST instance.
Designated


What is MST instance 0 referred to as?
Internal Spanning Tree


When MST is used without being configured, where do all VLANs reside?
Without configuration, MST maps all VLANs to instance 0, the Internal Spanning Tree (IST)


What purpose does the MST Internal Spanning Tree serve at MST region boundaries?
At the MST region boundary, the role and state of the port is a part of the IST and is inherited by all VLANs on that port, not just the VLANs mapped onto the IST. This is what allows MST to make the entire region appear as a single switch to other regions and non-MST switches.


How is a loop-free topology built between MST regions?
Each region is treated by the rest of the network as a single switch, and a Common Spanning Tree representing all VLANs is built between each region, and non-MST regions.


What are MST external costs?
Costs in the CST reflecting links both between MST regions and non-MST regions.


What is the MST Common and Internal Spanning Tree (CIST)?
The CIST is the union of the CST between regions and the ISTs inside individual regions, and is the single spanning tree that spans the entire switched topology.

Each IST has a regional Root switch (called the CIST Regional Root), and the CIST has a single CIST Root switch overall.


How is the MST CIST Root Switch elected?
The MST CIST Root Swith is the switch with the lowest Bridge ID from all switches that participate in CIST - both IST roots inside MST regions, and from all STP/RSTP switches.


For MST regions that do not contain the CIST Root, which switches are allowed to assert themselves as IST Root switches?
Only those MST swtiches at the region boundary (those that have links to other regions).


What is the MST Master port?
The MST Master port is the CIST Regional Root switch (IST Root)'s Root Port to reach the CIST Root switch, and provides connectivity toward the CIST Root for all MST instances inside the region.


How are MST IST Root switches elected?
-Lowest external root path cost to the CIST Root switch (the CST cost of reaching the region with the CIST Root)
-Lowest IST Bridge ID of boundary switches if there is a tie in cost


During MST IST Root election, how is the external root path cost calculated?
The external root path cost from candidate IST Root bridges is calculated using the Common Spanning Tree costs toward the region containing the CIST Root switch. In other words, the cost of the links between regions, not the costs within the regions themselves, are used.


What is the reason for the PVST Simulation mechanism?
To allow for a consistent interoperation between MST and PVST+ regions. The PVST Simulation process allows a single MST instance and a single PVST+ instance to directly interact with each other, but have all PVST+ instances arrive at a consistent port role decision.


When MST interacts with PVST+, what does the MST boundary port do to ensure all PVST+ instances make a consistent decision regarding the PVST+ boundary port role?
The MST switch boundary ports replicate the IST's BPDUs into PVST+ BPDUs for all active VLANs.


When a PVST+ region interacts with a MST region, what causes the MST boundary port to become Designated?
If the BPDUs sent by the MST boundary port are superior to all received PVST+ BPDUs on the port.


When a PVST+ region interacts with a MST region, what causes the MST boundary port to become Root?
The MST boundary port must receive PVST+ BPDUs that are identical or superior to the received PVST+ BPDU for VLAN 1. 

For the BPDUs for all VLANs other than 1 to be superior when the System ID Extension is used, their priority must be at least 4096 lower than the priority of the PVST+ VLAN 1 root switch.


When a PVST+ region interacts with a MST region, what causes the MST boundary port to become Non-Designated (but not Root)?
If the incoming VLAN 1 PVST+ BPDU is superior to its own BPDUs, but not superior enough to make it become a Root port (e.g. there is another connection between the regions that is better). Non-Designated ports are blocked.


When a PVST+ region interacts with a MST region, what two rules must be followed to prevent PVST Simulation Inconsistent / Root Inconsistent errors?
-If the Root Bridge for the CIST is in a non-MST region, the STP priority of VLANs 2 and above within that region must be superior to that of VLAN 1

-If the Root Bridge for the CIST is within a MST region, the STP priority of VLANs 2 and above in the non-MST regions must be inferior than that of the CIST root


What is considered a best practice when working with a mixed MST and PVST+ network?
The MST region should appear as a root switch to all PVST+ instances by lowering the IST root's priority below all PVST+ switches in all VLANs.


Which STP mode will a Cisco MST switch port operate in when connecting to a switch running:

-STP
-RSTP
-PVST+
-RPVST+
-STP
-RSTP
-PVST+
-PVST+

When a Cisco MST switch connects to a RPVST+ region, PVST+ operation is used on the region boundary.


What are the three mandatory elements in an MST region whose configuration must match on all switches within the region?
-Region Name
-Revision Number
-VLAN-to-Instance Mappings


How do two MST switches consider themselves to be in the same MST region?
Within the MST BPDUs is the region name, revision number, and MD5 hash of the VLAN-to-Instance mapping. If all three of these match, the switches are in the same MST region.


How are MST VLAN-to-Instance mappings distributed, and how can you verify this?
The MST VLAN-to-Instance mappings are distributed in the MST BPDUs as an MD5 hash, and can be verified with:

show spanning-tree mst configuration digest


What is considered a best practice for MST with regard to VLAN-to-Instance mappings?
Create the VLAN-to-Instance mappings for all possible VLANs within a region, even if the VLANs do not currently exist. 

Modifying the VLAN-to-Instance mapping must be performed on all switches within the region and requires an outage window. However, VLANs can be both created and deleted after they are mapped to an instance and will not cause a topology change event with respect to MST.


How can you verify if a switch supports only pre-standard MST?
show spanning-tree mst configuration digest

If a single MD5 value is listed, the switch only supports pre-standard MST. Two MD5 digests indicate support for both standard and pre-standard MST.


If a switch running standard MST is connected to another switch supporting only pre-standard MST, what must be configured?
The switch running standard MST must have spanning-tree mst pre-standard configured on the port toward the pre-standard MST switch.


What is the first step to configure MST?
Globally:
spanning-tree mst configuration


How do you exit from MST configuration mode without saving the changes?
abort


How do you verify unapplied changes to the MST configuration?
show pending


From within MST configuration mode, how do you verify the existing configuration, whether or not changes have been made?
show current


After configuration, how do you enable MST on a switch?
spanning-tree mode mst


From within MST configuration mode, how do you configure the three required parameters?
name name
revision number
instance number vlan number-or-range


How do you modify the MST priority on a switch?
Globally, per-instance:
spanning-tree mst instance priority priority


What is the relationship between the VTPv3 domain and the MST region?
VTPv3 can distribute MST configuration information, and there is a 1:1 relationship between the VTPv3 domain and the MST region.


How do you configure VTPv3 to distribute the MST configuration?
Globally:
vtp mode server mst

Exec:
vtp primary mst


What does the global command spanning-tree portfast default do?
PortFast will be the default operating mode for all interfaces in access mode (whether statically set or dynamically negotiated), unless configured otherwise, or unless the individual port receives a BPDU.


With PortFast enabled globally, how do you disable it on a specific interface?
Interface:
spanning-tree portfast disable


How do you enable PortFast on a port that connects to a host capable of 802.1Q tagging?
Interface:
spanning-tree portfast trunk

Important: This command is meant for end-devices like routers and hypervisors. Never issue this command on ports connecting to other switches.


What is the purpose of BPDU Guard?
BPDU Guard error-disables a port immediately upon receipt of any BPDU.


What is the purpose of Root Guard?
Root Guard ignores any received superior BPDUs to prevent the port from becoming the Root Port. When a superior BPDU is received, the port is placed into Root-Inconsistent Blocking state and stops sending and receiving data frames until the superior BPDUs stop.


How do you globally enable BPDU Guard?
Globally:
spanning-tree portfast bpduguard default


How do you unconditionally configure the operation of BPDU Guard?
Interface:
spanning-tree bpduguard {enable | disable}


How do you enable Root Guard?
Interface:
spanning-tree guard root


How do you configure BPDU Filter globally?
spanning-tree portfast bpdufilter default


When BPDU Filter is enabled globally, how does it operate?
When enabled globally, BPDU Filter is activated only on PortFast (Edge) ports. When the port comes up, the port sends 11 BPDUs (1 immediately, then again over the next 10 Hello intervals). If no BPDUs are received, the port stops sending BPDUs. If BPDUs are received at any time, BPDU Filter is deactivated on the port and starts sending and receiving BPDUs normally. If the port is disconnected, the process starts over again.


How do you disable BPDU Filter on an interface?
spanning-tree bpdufilter disable


How do you cause a port to unconditionally stop sending and receiving BPDUs?
Interface:
spanning-tree bpdufilter enable


What happens if an interface receives a BPDU when it is configured globally for BPDU Filter, and also configured (either globally or per-port) for BPDU Guard?
The port is automatically err-disabled.


What are the four mechanisms available to detect and avoid issues caused by unidirectional links on Catalyst switches?
UDLD
STP Loop Guard
Bridge Assurance
RSTP/MSTP Dispute


What information is transmitted in UDLD messages?
Switch identity / port identity pair as message originator
List of all neighboring switch/port pairs heard on the same segment


What three ways does UDLD detect unidirectional links, and what happens when a unidirectional link is detected?
-Received UDLD messages do not contain the exact switch/port pair from the list of detected neighbors
-Received UDLD messages containing the exact switch/port pair as the originator (self-looped port)
-Received UDLD messages contain more than one switch/port pair in the list of detected neighbors, but only one neighbor is detected.

If any of these conditions occur, UDLD declares the link as unidirectional and err-disables the port.


What is the difference between UDLD Normal and Aggressive mode?
When UDLD messages are no longer received, both try to reconnect with the switch's neighbor(s) eight times.

If the attempts fail, Normal mode does nothing, while Aggressive mode err-disables the port.


What is a caveat of enabling UDLD globally?
It only applies to fiber ports when enabled globally, whereas per-port UDLD configuration activates regardless of the underlying media type.


How do you enable UDLD?
Globally:
udld {enable | aggressive}

Per-port (required for non-fiber interfaces):
udld port [aggressive]


How do you verify the operational state of UDLD?
show udld


How do you verify connectivity with UDLD neighbors?
show udld neighbors


How do you re-enable a port that has been err-disabled by UDLD?
You can shut/no-shut, or issue the command udld reset


What is the purpose of Loop Guard?
STP Loop Guard prevents Root and Alternate ports from becoming Designated as a result of total loss of incoming BPDUs.


How does Loop Guard work?
STP Loop Guard places Root and Alternate ports into blocking Loop Inconsistent state if they stop receiving BPDUs, and are brought out of that state automatically if they start receiving BPDUs again.


How do you configure Loop Guard globally, and per-port?
Globally:
spanning-tree loopguard default

Interface:
spanning-tree guard loop


What is STP Bridge Assurance?
Bridge Assurance is for RPVST+ and MST, and when enabled, always sends BPDUs each Hello interval, whether the port is Root, Designated, Alternate or Backup. If a BA-protected port does not receive BPDUs, the port is placed into BA-Inconsistent blocking state until it starts receiving BPDUs again.

BA protects against both unidirectional links, and malfunctioning switches that completely stop participating in RPVST+/MST while opening all their ports.


What are the three major requirements of using STP Bridge Assurance?
It requires RPVST+ or MST point-to-point links
It requires configuration on the neighboring device(s)
It requires a supported platform, such as Catalyst 6500


How do you enable STP Bridge Assurance?
Requires both global and per-port configuration.

Global:
spanning-tree bridge assurance

Interface:
spanning-tree portfast network

This can only be configured on RPVST+/MST point-to-point links.


What is the RPVST+/MST Dispute mechanism?
It is used to detect unidirectional link failures.

If a Designated Port receives an inferior BPDU from another port that claims to be Designated Learning or Designated Forwarding, the Designated Port keeps its role but is moved to Discarding state.


Why does the STP Dispute mechanism require RPVST+ / MST?
STP Dispute does not work with classic STP / PVST+ because it relies on the Port Role and Port State flags within the RSTP BPDU, which are not present in classic STP BPDUs.


How do you configure the STP Dispute mechanism?
There is no configuration because it is built into the RSTP protocol and is conveyed by the Port Role and Port State flags inside the RSTP BPDU.


The EtherChannel load-balancing method is based on a proprietary hashing function. What data is fed to this hashing function, and how?
The data is based on the contents of the Layer 2, 3, or 4 headers.

If load balancing is based on only one header field in the frame, that single field is fed to the hashing function.

If multiple headers from the frame are used, an XOR operation between the fields is used, and the result of the XOR is fed to the hashing function.


True or False: Devices on opposite ends of an EtherChannel bundle must use the same load-balancing algorithm.
False, devices can and often do use different load-balancing algorithms on each end.


How do you configure the EtherChannel load distribution method?
Globally:
port-channel load-balance type


What is the difference between the EtherChannel 3-bit and 8-bit load balancing hash?
Some platforms support a 3-bit load balancing hash, and others support an 8-bit hash. The difference is how fine-grained the distribution of traffic is across the links in the bundle. A 3-bit hash means the traffic can be divided into 8 chunks (12.5%), whereas an 8-bit hash can divide traffic into 256 chunks (0.39%). 

If there are three links in an EtherChannel bundle, traffic is distributed across the links in a ratio of 3:3:2 or 37.5%:37.5%:25% with a 3-bit hash. With an 8-bit hash, the same traffic is distributed in a ratio of 86:85:85 or 33.6%:33.2%:33.2%.


True or False: All links in an EtherChannel bundle must have the same speed and duplex settings.
True


True or False: All links in an EtherChannel bundle must have the same operating mode (trunk, access, dynamic).
True


True or False: All links in an EtherChannel bundle must have the same access VLAN if not trunking.
True


True or False: All links in an EtherChannel bundle, if trunking, must use the same trunk type and native VLAN, but can have different allowed VLANs.
False: the trunk type, allowed VLANs, and native VLAN must be the same on all links.


True or False: All links in an EtherChannel bundle must have the same STP cost per-VLAN.
True


True or False: You must create the EtherChannel interface (with the command interface port-channel number) before adding physical interfaces to the bundle.
False. While you can do this, it is recommended to configure the physical interfaces identically first, and then issue the command channel-group number mode mode on each of the physical interfaces. The port-channel interface is automatically created and inherits the configuration of the first physical interface to be added to the bundle.


Why should you have an EtherChannel interface created automatically via the physical interface channel-group number mode mode command, instead of creating the interface manually?
All physical interfaces that are members of an EtherChannel bundle must have the same configuration. When you issue the command channel-group number mode mode on the first physical interface, the port-channel interface is created automatically, the configuration of the first physical interface is copied to it, and the configuration of all subsequent physical interfaces that are added to the bundle are compared to the port-channel interface configuration. Interface configurations that do not conform are suspended from the port-channel interface.


What causes an EtherChannel member to become Suspended?
If the configuration on the physical interface differs from the port-channel interface, it becomes Suspended from the bundle.


What is a caveat of modifying the configuration on a port-channel interface?
The configuration changes are pushed down the the port-channel member interfaces, but only for those that are not currently Suspended. You must manually configure the Suspended members to be identical to the port-channel interface to unsuspend them.


True or False: An EtherChannel can be either Layer 2 or Layer 3, but the mode cannot be changed.
True: You must delete and re-create an EtherChannel to switch the mode. You must change the mode on the physical interfaces first, then re-create the EtherChannel.


If an EtherChannel has err-disabled ports, how do you resolve this without errdisable recovery?
Both the port-channel and physical interfaces must be shutdown, then unshut.

If this does not resolve the issue, the port-channel may need to be deleted and re-created.


How do you configure EtherChannel Misconfig Guard?
Enabled by default, disable with no spanning-tree etherchannel guard misconfig


How does EtherChannel Misconfig Guard work?
EtherChannel Misconfig Guard disables an entire port-channel bundle if it receives BPDUs sources from different MAC addresses on a port-channel interface, indicating that the neighbor is treating some of the links as individual and not bundled together. 


What is the IEEE standard for LACP?
802.1AX
Previously 802.3ad


What is the only configurable parameter of PAgP?
The frequency of sending PAgP messages can be configured per-port:
pagp timer {normal | fast}

Normal = 30 seconds
Fast = 1 second


How many links can be placed into an LACP bundle?
16, though only up to 8 can be active. The remaining are in Standby.


How does an LACP Standby link get promoted to Active?
The switch with the lower LACP System ID selects the link to be promoted. The link with the lowest Port ID is chosen.


What does the LACP System ID consist of?
A configurable 16-bit Priority value + base MAC address


What does the LACP Port ID consist of?
16-bit Priority + port number


How do you configure the LACP System ID?
Globally:
lacp system-priority 0-65535


How do you configure the LACP Port Priority?
Interface:
lacp port-priority 0-65535


What does the EtherChannel channel-protocol {lacp | pagp} command do?
It forces IOS to reject EtherChannel commands for the other protocol, and for on mode. For example, channel-protocol lacp forces you to use the channel-group number mode {active | passive} command, and prevents you from using mode auto, desirable, or on.


True or False: PAgP and LACP perform checks to ensure ports are configured identically with regard to operating mode, allowed VLANs, native VLAN, and enapsulation type.
False: PAgP and LACP only verify whether the links to be bundled are consistently connected to the same neighboring device and are to be bundled into the same link aggregation group.


How frequently are CDP messages generated?
60 seconds


How can you verify the current CDP hello and hold time?
show cdp


How do you adjust the CDP timers?
Globally:
cdp timer seconds
cdp holdtime seconds


How can you view more information about a single CDP neighbor?
show cdp entry DeviceName


What is the IEEE standard for LLDP?
802.1AB


What are the five mandatory LLDP TLVs?
Port description
System description
System capabilities
System name
Management address


How do you enable LLDP?
Globally:
lldp run


When LLDP is enabled globally, how do you enable/disable it per-interface?
Interface:
[no] lldp transmit
[nolldp receive


How do you adjust the LLDP timers?
Globally:
lldp holdtime seconds
lldp reinit seconds
lldp timer seconds


How do you view which ports are in the err-disabled state?
show interfaces status err-disabled


How do you verify which ports have a Spanning-Tree-related error?
show spanning-tree inconsistent ports


What does the STP inconsistency "Type (*TYPE_Inc)" indicate?
PVST+ BPDUs are received on a non-802.1Q port, which is usually caused by interconnecting access and trunk ports.


What does the STP inconsistency "Port VLAN ID (*PVID_Inc)" indicate?
PVST+ BPDUs are received in a different VLAN than they were originated in, which is usually caused by a native VLAN mismatch.


What does the STP inconsistency "PVST Simulation (*PVST_Inc)" indicate?
PVST+ BPDUs received on an MST boundary port do not meet the PVST Simulation consistency criteria.


What does the STP inconsistency "Loop (*LOOP_Inc)" indicate?
A Loop Guard-protected Root or Alternate Port was prevented from becoming Designated after BPDUs stopped arriving.


What does the STP inconsistency "Root (*ROOT_Inc)" indicate?
A Root Guard-protected port tried to become a Root Port after receiving superior BPDUs.


What does the STP inconsistency "Bridge Assurance (*BA_Inc)" indicate?
A Bridge Assurance-protected port stopped receiving BPDUs.


True or False: A different VTP domain name can cause a failure with DTP trunk negotation.
True, the error message received is similar to:

%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port interface because of VTP domain mismatch.


What is an indication of a mismatched VTP password?
show vtp status will reveal "MD5 digest checksum mismatch"


True or False: No port in an EtherChannel can be a SPAN destination port.
True. Individual ports can be a SPAN source, but not a destination.


How is QoS configured with EtherChannels?
QoS parameters are configured on the physical interfaces, not the logical port-channel interface, and must match across all interfaces.


How can you view information about all EtherChannels?
show etherchannel summary


How do you view information about a specific EtherChannel member?
show interface interface etherchannel


What are four ways to troubleshoot a switch for lack of reachability to devices in the same VLAN?
-Eliminate Layer 1 issues with show interface commands
-Verify that the VLAN exists on the switch
-Verify that the interface is assigned to the correct VLAN
-Verify that the VLAN is allowed on the trunk


If a subnet is defined with X host bits, how many valid usable IP addresses are in the subnet?
(2^X) - 2

Example: /24 is 8 host bits, (2^8) - 2 = 254 usable IP addresses.
Example: /30 is 2 host bits, (2^2) - 2 = 2 usable IP addresses
Example: /21 is 11 host bits, (2^11) - 2 = 2046 usable IP addresses


With static NAT, what is the relationship between inside/outside/local/global IP addresses?
-Inside Local (private) address maps to Inside Global (public)
-Outside Local (typically private) address maps to Outside Global (public)


How do you define interfaces for NAT?
Interface:
ip nat {inside | outside}


How do you configure static NAT to map an inside local address to an inside global address?
Globally:
ip nat inside source static inside-local inside-global


How do you verify the current NAT table?
show ip nat translations


How do you configure dynamic NAT to map a range of inside local addresses to a pool of inside global addresses?
access-list number permit subnet wildcard
ip nat pool inside-global start-ip end-ip netmask mask
ip nat inside source list number pool inside-global


When viewing the output of show ip nat translations, what does the "Misses:" field indicate?
Misses occur when NAT looks for a NAT table entry, doesn't find one, and needs to dynamically create the entry.


How do you remove entries from the current NAT table?
clear ip nat translations entry-or-*


How do you configure PAT using a range of IP addresses as inside local addresses, and the IP address of a specific interface as the inside global address?
access-list number permit subnet wildcard
ip nat inside source list number interface interface overload


How do you configure PAT using a range of IP addresses as inside local addresses, and a pool of addresses as inside global addresses?
access-list number permit subnet wildcard
ip nat pool inside-global start-ip end-ip netmask mask
ip nat inside source list number pool inside-global overload


For IPv6, what is the difference between stateful and stateless DHCP?
-Stateful is similar to how DHCP operates for IPv4
-Stateless uses DHCP to provide various DHCP options (such as TFTP server), but uses SLAAC for addressing.


How do you view NAT counters and basic configuration information?
show ip nat statistics


What is the IP protocol number for ICMP?
1


What is the IP protocol number for TCP?
6


What is the IP protocol number for UDP?
17


What are the 13 fields in the IPv4 header?
Very Heavy Dudes Prefer Fat Fried Food To Pretty Healthy Salad Dish Options

Version
Header Length
DS Field
Packet Length
Fragment ID
Fragment Flag
Fragment Offset
TTL
Protocol
Header Checksum
Source IP Address
Destination IP Address
Options


What are the fields in the IPv6 header?
Very Tall Fellows Place Nine Hammers Softly Down

Version
Traffic Class
Flow Label
Payload Length
Next Header
Hop Limit
Source IPv6 Address
Destination IPv6 Address


What is the range of values for the IPv4 header Header Length field?
The Header Length field is 4 bits representing the number of 32-bit words. The minimum value is 5 (20 bytes) and the maximum is 15 (60 bytes) since it is a 4-bit field.


What are the values of the fragment flags in the IPv4 header?
Bit 0: Reserved, must be 0
Bit 1: Don't Fragment (DF)
Bit 2: More Fragments (MF)

The DF bit is commonly used for Path MTU Discovery
Fragmented packets have the MF bit set except for the final fragment


What is the EtherType of ARP?
0x0806


Where are static ARP entries stored?
Both static and dynamic entries are stored in the local ARP cache.


How does the ARP process work?
Source knows Destination IP, but needs MAC. Is the IP on the same subnet?

-Source checks ARP cache first
-If no entry, Source broadcasts ARP Request for destination MAC if IP is on the same subnet, or MAC of default gateway
-Destination (or default gateway) adds Source's MAC to its ARP cache, and sends unicast ARP Reply to Source
-Source updates its ARP cache

-Devices that heard the ARP Request broadcast may update their own caches with the Source's MAC/IP so they do not have to send their own ARP Request later.
-If the Destination IP must pass through the default gateway, the DG begins its own ARP process, if necessary.


How does Proxy ARP work?
A router can use Proxy ARP when the Source needs to reach a Destination that is not on the local network segment, but can be reached through the router.

For example, if Device A is in the 10.1.0.0/16 network, and Device B is in the 10.1.100.0/24 network, and both segments are connected to different interfaces on the same router, Device A believes it is on the same network as Device B. Device A sends an ARP Request for Device B, and the router replies back to A on behalf of B.


What is the general process of a DHCP client receiving an appropriate IP address from a DHCP server on another subnet?
-Client broadcasts DHCPDISCOVER request
-Router forwards request to DHCP server IP address configured on the receiving interface with ip helper-address ip and sets its own interface IP address in the giaddr (gateway IP address) field
-DHCP server uses giaddr field to determine appropriate IP address to offer, and to which IP address to send the DHCPOFFER to
-Router receives DHCPOFFER message from server and broadcasts it to the client
-Client broadcasts DHCPREQUEST, router unicast forwards it to the DHCP server
-Server unicasts DHCPACK to router, router forwards to client


How do you prevent the IOS DHCP server from handing out specific addresses?
Globally:
ip dhcp excluded-address ip


How do you configure a basic DHCP server on IOS?
ip dhcp excluded-address start-ip end-ip

ip dhcp pool name
  network network mask
  dns-server ip
  default-router ip


What are the default HSRP Hello and Dead intervals?
3s Hello
10s Dead


What is the HSRP priority range, and default value?
1 - 255
100


HSRP preemption is ___ by default.
Disabled


How many HSRP groups can be configured per-interface?
255


What is the HSRP vMAC?
0000.0C07.ACxx where xx is the HSRP group in hexadecimal


True or False: The HSRP VIP does not have to be in the same subnet as the router interface.
False


True or False: The HSRP VIP must be different from any of the routers' individual interface IP addresses.
True


What types of authentication does HSRP support?
Cleartext
MD5 via key-chain


How do you configure HSRP to automatically decrease its priority based on the state of a tracked object?
Interface:
standby group track number decrement number


How do you view the HSRP state, VIP, vMAC, and timers for a particular interface?
show standby interface


How does MHSRP work?
MHRSP works by creating two or more HSRP groups within the same IP subnet, and assigning groups of clients to different VIPs with the intention of multiple routers serving as the default gateway for different groups of clients, but still allowing for failover.


What is the vMAC used by VRRP?
0000.5E00.01xx where XX is the group number in hexadecimal.


VRRP preemption is ___ by default.
Enabled


HSRP uses the term Active router. What is the VRRP equivalent?
Master


What is the vMAC used by GLBP?
0007.B40X.xxyy where Xxx is the 10-bit GLBP group number, and yy is the AVF number.


How does GLBP work, at a high level?
The Active Virtual Gateway (AVG) assigns a vMAC for up to four Active Virtual Forwarders (AVFs). When a client ARPs for the VIP of the default gateway, the AVG hands out a different AVF vMAC for each request.


How many GLBP groups can be configured on an interface?
1024


How do you configure a router to advertise itself as an NTP server?
Interface:
ntp broadcast


How do you configure MD5-based authentication for NTP?
Globally:
ntp authentication-key number md5 password
ntp authenticate
ntp trusted-key number


How do you configure the NTP server stratum level?
Globally:
ntp master level


How do you display the NTP servers in use by the device?
show ntp associations


How do you configure a device to be an NTP client?
Globally:
ntp server ip


How do you configure NTP symmetric active mode?
Globally:
ntp peer ip


With SNMP, what is the device being managed referred to as?
The SNMP Agent


What is the SNMP Manager?
The management software polling the SNMP agent on the device.


What are the four major functional areas to support the core function of allowing SNMP mangers to manage SNMP agents?
-Data definition
-MIBs
-Protocols
-Security/Administration


The SNMP data definition refers to syntax conventions for how to define the data to an agent or manager. What are these specifications referred to as?
Structure of Management Information (SMI)


SNMP MIB definitions conform to the appropriate ___ version.
SMI


Which ports are used by SNMP?
UDP 161
UDP 162 for traps


What does the "c" refer to for SNMP v2c?
SNMP v2c is a pseudo-release (RFC 1905) that allowed SNMP v1-style communities with SNMP v2, but is otherwise equivalent to SNMP v2.


What does SNMP refer to the cleartext passwords as?
community strings


What is the purpose of the SNMP Response message?
Both to supply SNMP information and acknowledge receipt of other SNMP messages.


What are the three SNMP messages used to request information from an SNMP Agent?
Get
GetNext
GetBulk


Which SNMP messages are typically sent by an SNMP Agent?
Response
Trap


True or False: The SNMP manager produces a Response message when receiving a Trap message from an SNMP agent.
False, Traps are unsolicited and unacknowledged.


What is the difference between the SNMP Get, GetNext, and GetBulk messages?
Get is a request for a single variable's value.

GetNext is a request for the next single MIB leaf variable in the MIB tree.

GetBulk is a request for multiple consecutive MIB variables with one request, which is useful for getting complex structures such as an IP routing table.


True or False: An SNMP Agent replies to an SNMP Set message from an SNMP Manager with an SNMP Response message.
True


What is the purpose of the SNMP Trap message?
To allow SNMP Agents to send unsolicited information to SNMP Managers. 


What is the SNMP Inform message used for?
The SNMP Inform message is used between SNMP managers to allow MIB data to be exchanged.


What are the two new message types introduced in SNMP v2?
GetBulk
Inform


What is the name of the process of viewing large portions of an SNMP MIB from an SNMP Agent?
MIB walk


How can you configure IOS to allow SNMP access from only specific IP addresses?
Define an ACL and reference it with the SNMP configuration.

Example:
access-list 1 permit 10.1.1.0 0.0.0.255
snmp-server community community RO 1


How do you configure an IOS device to send specific SNMP traps?
Globally:
snmp-server enable traps trap-type


How do you specify which SNMP Manager for IOS to send SNMP traps to?
Globally:
snmp-server host ip community


True or False: Cisco devices do not log events to NVRAM by default.
True, but can be configured to do so with logging buffered


What is the default Syslog port?
UDP 514


What is the general purpose of Syslog?
To provide real-time event notification by sending messages that enter the event log to a specified Syslog server.


By default, what events are sent to a configured Syslog server from IOS?
All events that enter the event log are sent by default.


How do you enable an IOS device to send events to a Syslog server?
Globally:
logging host syslog-server


How do you configure the severity level of Syslog messages to be sent to the Syslog server?
Globally:
logging trap level


What are the eight Syslog severity levels?
0 emergency
1 alert
2 critical
3 error
4 warning
5 notification
6 informational
7 debugging


What is the default Syslog logging level?
0 - 6

7 debugging is excluded by default.


How do you edit a configured IP SLA monitor type?
IP SLA monitor types cannot be edited after creation, and must be deleted and re-created, along with any associated schedules.


How do you configure an IP SLA responder?
Globally:
ip sla responder


How do you configure MD5 authentication for IP SLA?
Globally:
ip sla key-chain keychain


How do you view the results of IP SLA?
show ip sla statistics


What are the four components of NetFlow?
Records
Flow monitors
Flow exporters
Flow samplers


What are NetFlow records?
A set of predefined and user-defined key fields (such as source/destination IP and port) for network monitoring.


What are NetFlow flow monitors?
Flow monitors collect information about flows and are applied to an interface and include records, a cache, and optionally a flow exporter.


What are NetFlow exporters?
NetFlow exporters export the cached flow information to outside systems, which is typically a server running a NetFlow collector.


What is a NetFlow flow sampler?
Flow samplers allow specifying the sample size of traffic in order to reduce the load on the NetFlow-enabled device.


What is the configurable range of NetFlow flow sampling?
1/2 - 1/32768


How do you define a destination NetFlow collector?
Globally:
flow exporter name
  destination ip
  transport udp port


How do you define a NetFlow flow monitor?
Globally:
flow monitor name
  options


How do you attach a NetFlow flow monitor to an interface?
Interface:
ip flow monitor name direction


What are the two major components of Embedded Event Manager?
Event detectors
Actions


How do you configure IOS to be an FTP server?
IOS does not support being configured as an FTP server. You can configure IOS to be a TFTP server, and you can use IOS as an FTP client.


How do you configure IOS to send an exception dump to an FTP server in the event of a crash/exception?
Globally:
ip ftp username username
ip ftp password password

exception protocol ftp
exception region-size 65536
exception dump ftp-server-ip


How do you configure IOS to make a file available via TFTP with an alternate filename, and only to specific clients?
Globally:
tftp-server filename alias alias-name acl

Example:
tftp-server flash:file1.bin alias file2.bin 10
where 10 is the referenced ACL


What is a requirement before using SCP on IOS?
AAA must be enabled first via aaa new-model and aaa authorization exec


How do you enable the SCP server on IOS?
AAA must be enabled first.

Globally:
ip scp server enable


How do you enable HTTPS access to an IOS device?
Globally:
ip http secure-server


How can you restrict HTTP/S access to an IOS device by ACL?
Globally:
ip http access-class acl


How do you change the port on which HTTP/S access is available for IOS?
Globally:
ip http port port


How do you configure a simple username/password for HTTP/S access on IOS?
Globally:
ip http client username name
ip http client password password


How do you configure the mode of authentication for HTTP/S access on IOS?
Globally:
ip http authentication mode

Modes include aaa, local, enable, tacacs


What must be configured on a VTY line to allow for Telnet access?
The login command must be configured, otherwise access is refused.


How do you apply an ACL to a VTY line?
line interface:
access-class acl in


What are the four steps required to enable SSH access on IOS?
hostname hostname
ip domain-name domain
crypto key gen rsa
VTY lines: transport input ssh


How do you verify IOS DHCP server leases?
show ip dhcp binding


How do you enter EEM applet configuration mode?
event manager applet name


How do you configure an EEM applet to match a CLI command string?
event cli pattern regex


What is the general IP forwarding process for a router?
-Router receives frame and checks FCS, discarding if errors
-Router decapsulates IP packet from Layer 2 frame, and verifies header checksum if IPv4
-Router checks if it is the destination. If not, the IP Protocol field is used to determine how to handle the upper-layer protocol
-If TTL > 1, check IP routing table for most specific route
-Update TTL, recalculate IPv4 header checksum, and encapsulate packet in appropriate Layer 2 frame for the interface toward the next-hop


What is referenced by the phrase "route once, forward many"?
fast-switching path


What is the router Layer 2 frame rewrite process?
A packet arrives at a router, and the router rewrites the Layer 2 frame by encapsulating the packet appropriately, and sends the packet toward the next hop.


During the IP forwarding process, what is common about all frames sent out the same egress interface toward the next-hop?
All destinations reachable through a particular next-hop use the same Layer 2 rewrite information.


What is the relationship between the FIB and the CEF adjacency table?
The FIB stores destination prefixes, the adjacency table stores Layer 2 rewrite information, and entries in the FIB point to appropriate entries in the adjacency table.


How do you enable CEF for IPv6?
Globally:
ipv6 cef


How do you view the FIB?
show ip cef


How do you view the CEF neighbors?
show adjacency


How do you view the CEF Layer 2 rewrite information?
show adjacency interface detail

An Ethernet interface, for example, will have a long string made up of the destination MAC, source MAC, EtherType, and VLAN tag (if present).


True or False: IPv6 CEF requires IPv4 CEF to be enabled.
True, you can enable IPv4 CEF but not IPv6 CEF, but not vice-versa.


How do you disable CEF on a particular interface?
Interface:
no ip route-cache cef


What are the two high-level components of CEF?
FIB
Adjacency table


What load-sharing methods are available with CEF?
Per-packet
Per-destination


How do you change the CEF load-sharing method?
Interface:
ip load-share {per-destination | per-packet}

This command is only available for interfaces that support it. Per-destination is the default.


How does CEF implement per-destination load sharing?
A loadshare table containing 16 pointers is placed between the FIB and the adjacency table. The loadshare table entries are populated so that the counts of loadshare pointers to particular adjacency entries are proportional to the costs of parallel routes toward the same destination.

For example, two equal-cost paths each have 8 entries, three equal-cost paths each use five entries.


What is CEF polarization?
When multiple routers in the path toward a destination all use the same CEF load-sharing method, they will all calculate the same hash and therefore not use all available links.

Newer versions of IOS use a random 32-bit number called the Universal ID as a seed to the hashing function to avoid CEF polarization.


How is CEF polarization avoided on newer versions of IOS?
The CEF load sharing hashing function is seeded with a random 32-bit Universal ID. Each router in the path will have a different Universal ID, so each router will calculate a different hash result for each particular packet flow.


What are the four CEF load-sharing algorithms?
Original
Universal
Tunnel
L4 Port


How do you change the CEF load-sharing algorithm?
Globally:
ip cef load-sharing algorithm algorithm


How do you view the current CEF load-sharing algorithm?
show cef state


How do you adjust the CEF load-sharing algorithm on the Catalyst 6500 and related platforms?
Globally:
mls ip cef load-sharing algorithm


What would cause an SVI to be in the "Down / line protocol down" state?
The corresponding VLAN does not exist, or is not active (e.g. state suspend or shutdown on the VLAN itself)


What would cause an SVI to be in the "Up / line protocol down" state?
The corresponding VLAN exists, but is not allowed and in an STP forwarding state on any Layer 2 switch port (access or trunk).


True or False: Most Catalyst platforms cannot configure a routed port with subinterfaces.
True


What is a caveat of using VTPv3 with regard to internal usage VLANs?
If any switches in the VTPv3 domain are using a particular VLAN internally (VLAN 1006 for example), when that VLAN is created on the VTPv3 Primary Server, the VLAN will be created on all switches in the VTPv3 domain that are not currently using that particular VLAN. However, for any switches that are using it internally, the conflict is logged locally only, and there may be connectivity issues across the VTPv3 domain.


How is a routed port handled internally on a Layer 3 switch?
A routed port is a single port associated with a dedicated internal usage VLAN with its Layer 2 control plane protocols deactivated (such as STP and MAC learning).


How do you convert a switch port to routed?
Interface:
no switchport


What is the purpose of Policy-Based Routing?
To make routing decisions based on information besides the destination IP address.


How do you verify a switch's current SDM template?
show sdm prefer


How do you change the SDM template?
Globally:
sdm prefer template

A reload is required for the setting to take effect.


On a Catalyst switch, what can cause certain commands (such as those related to routing and PBR) to not appear in the CLI, even though the switch supports the features?
The SDM template might need to be changed with the sdm prefer command.


How do you enable PBR?
Interface:
ip policy route-map route-map


For PBR, what are the two types of supported match statements?
match ip address to reference an ACL
match length min-bytes max-bytes to specify matched packet length in bytes


For PBR, what is the difference between set ip next-hop and set ip default next-hop?
The default keyword changes the logic so that PBR first attempts to forward based on the normal routing table, and if no entry exists, the packet is handled by PBR.


With PBR, when is it appropriate to use the set interface command?
Only when the outgoing interface is a point-to-point link.


True or False: PBR route-maps can contain multiple set commands within a single clause.
True. For example, you can set both the next-hop and QoS treatment simultaneously.


If a PBR route-map clause has multiple set statements specifying where the packet is to be forwarded, in what order are the statements evaluated?
set ip next-hop
set interface
set ip default next-hop
set default interface


When migrating routing protocols, if the current IGP is a link-state protocol, what is a recommended practice for migration?
Migrate per-area, with the backbone area the final area to migrate.


When migrating to another routing protocol, what should the AD value be set to?
The AD should be set higher than the current routing protocol until after migration is complete.


During routing protocol migration, what must be configured on each router if the new IGP is RIP or EIGRP?
Each router must be configured with redistribution from the current IGP into the new IGP.


During routing protocol migration, the new protocol's database should be verified before transitioning. Why is this potentially an issue with RIP and EIGRP?
Distance-Vector protocols advertise a learned route only if it is also installed in the routing table by the same protocol, based on the logic that the router should not advertise a route that it is not using itself. As a result, RIP and EIGRP databases may be incomplete until after the transition.


During routing protocol migration, what is the general process of deactivating the old protocol?
The old routing protocol should be disabled or removed one router at a time among contiguous sets of routers. During deactivation, there should never be more than two contiguous regions (migrated and unmigrated).


During a routing protocol migration, what is the consequence of changing the EIGRP AD?
EIGRP adjancies will be dropped and re-established, causing a transient disruption, and therefore should be performed during a maintenance window.


When migrating from OSPF or IS-IS to either RIP or EIGRP, what must be performed on every router during the migration?
Each router in the topology must redistribute from OSPF/IS-IS into RIP/EIGRP. When OSPF/IS-IS is deactivated on the router, the RIP/EIGRP routes take over. This assumes that the RIP/EIGRP AD was modified to be higher than OSPF/IS-IS during the migration.


Why do technologies like MPLS-TE and MPLS-FRR depend on a link-state routing protocol, as opposed to distance-vector?
Since link-state protocols contain information about all routers and links within an area, this detailed information is critical for applications like MPLS-TE and MPLS-FRR, which is not possible with traditional distance-vector protocols who only know what their direct neighbors told them.


What is the primary reason for multi-area topologies with link-state routing protocols in modern networks?
Route summarization, filtering, offset lists, and failure domain containment can only be performed on area boundaries with link-state routing protocols. Areas were originally used to separate complexity due to low router resources, but this is no longer true. Areas are now primarily used to enforce policies.


What does RIPv2 use for transport?
UDP 520


What is RIPv2's infinite metric?
16


To where are RIPv2 updates sent by default?
224.0.0.9


How frequently are RIPv2 updates sent?
30 seconds


What forms of authentication does RIPv2 support?
Cleartext
MD5


How do you configure RIPv2 to send broadcast updates instead of multicast?
Per-interface:
ip rip v2-broadcast


What are the two types of RIPv2 messages?
Request
Reponse


How many routing entries can be placed into a single RIPv2 message?
25


What is a RIPv2 Request message used for?
To ask a neighbor to send a partial or full RIP update immediately instead of waiting for the Update timer to expire.


How is a full RIPv2 update requested?
A full RIPv2 update is requested by a Request message containing exactly one routing entry with the AF_ID set to 0 and metric set to 16.


How is a partial RIPv2 update requested?
A partial RIPv2 update is requested by a Request message listing one or more particular networks.


When do Cisco routers send RIPv2 Request messages?
Full Request is sent when the RIP process is started, a RIP-interface comes up, or when clear ip route * is issued.


RIPv2 increments the metric when ___ updates. RIPng increments the metric when ___ updates.
Sending
Receiving


How many RIPv2 ECMP routes can be installed by default?
4


How do you configure the number of ECMP routes that RIPv2 can install in the routing table?
router rip
  maxium-paths number

Default 4


What is RIPv2 route poisoning?
When a route fails, a RIPv2 router can advertise the route with an infinite metric to more rapidly remove it from routing tables.


What is a RIPv2 triggered update?
The immediate sending of a new update when routing information changes, instead of waiting for the normal Update timer to expire. Only the changed network is sent in the triggered update.


What are the four RIPv2 timers, and what are their default values?
Update: 30 seconds
Invalid After: 180 seconds
Holddown: 180 seconds
Flushed After: 240 seconds


What is the RIPv2 Invalid After timer?
The Invalid After timer defaults to 180-seconds and is reset after an update about a route is received from its next-hop. If the updates stop being received within 180 seconds, the route is declared invalid, and the 180-second Holddown timer for the particular route begins.


What is the RIPv2 Holddown timer?
After a route has been declared Invalid (the 180-second Invalid After timer has expired), the router starts advertising the route as unreachable, does not accept any updated information, and does not modify the routing table entry for that route until the Holddown timer expires (180 seconds) for that particular route.


What is the RIPv2 Flushed After timer?
A 240-second per-route timer that is reset and begins after an update about a route has been received from its next hop. If updates stop being received and the Flushed After timer expires, the router removes the route from the routing table completely.


How do you verify the state of RIPv2 split horizon?
show ip interface interface


True or False: Cisco's implementation of RIPv2 does not use poisoned reverse.
True


How do you verify the RIPv2 RIB?
show ip rip database


When a RIPv2 route is removed from the routing table, how long does it remain in the RIB, and why?
When a RIPv2 route is removed from the routing table, it remains in the RIB for Flushed After - Invalid After seconds. During this time, the route is repeatedly advertised as unreachable. This is done because RIPv2 is UDP-based with no acknowledgements.


What is another term for RIPv2 Triggered Updates?
Flash updates


What is the effective RIPv2 holddown period?
60 seconds

While the holddown timer is 180 seconds, it is preceded by the Invalid After timer. The Flushed After timer is 240 seconds and begins after the last route update. The Flushed After and Invalid After times are reset together, and increment together. Flushed After - Invalid After = 60 seconds of effective holddown.


When is the RIPv2 Flushed After timer taken into account?
The Flushed After timer is reset with each route update. It counts down simultaneously with the Invalid After timer. However, the Flushed After timer is not taken into account until after the Invalid After timer expires. This means if the Flushed After timer is less than the Invalid After timer, the route will not be removed from the routing table until the Invalid After timer expires first.


True or False: If the next-hop RIPv2 router for a destination network suddenly advertises a higher distance than previously, the advertisement is accepted immediately.
True, only a subsequent arrival of an update from a different neighbor with a lower total metric would cause the router to change the next hop. The logic is that if the next-hop router is suddenly more distant to the destination network than before, so must all other routers that traverse the next-hop.


What is the main purpose of the RIPv2 Holddown timer?
To delay processing updates about a network whose reachability has become questionable because any received updates might not have accurate information. By delaying processing of updates for a period of time, there is a better chance of accurate information being propagated when the Holddown timer expires.


What happens when the RIPv2 Invalid After timer expires?
The router declares the network to be invalid (e.g. the route is "possibly down"), and starts the Holddown timer while advertising the network with an infinite metric (route poisoning) to force its neighbors to find an alternate route if possible. After 60 seconds, the Flushed After timer expires, and the route is removed from the routing table.


When the RIPv2 Invalid After timer expires, the Holddown timer begins, where the route (including the next-hop) is kept in the routing table, but advertised with an infinite metric, and no updates to the route are accepted from any neighbors. Why are these actions performed?
RIPv2 takes the approach that it is better the temporarily blackhole traffic than to cause a routing loop by prematurely using a different neighbor that claims to have a route toward the failed network, because that neighbor might not yet have accurate information.


What is the default version of RIP used on Cisco IOS?
Send: v1
Receive: v1 and v2


What is the RIPv2 triggered extensions?
When triggered extensions are enabled, RIPv2 sends full updates only once, and then is silent, to support on-demand circuits. This feature is enabled on the interface with ip rip triggered.


How do you configure RIP timers?
Under the RIP process:
timers basic update invalid holddown flush


What is a potential consequence of lowering RIP timers?
Smaller values increase the chance of transient routing loops being formed during convergence.


What does the RIP version 2 command do?
The version 2 RIP command causes the router to send and receive only RIPv2 updates, and to ignore RIPv1 updates.


What is the default behavior of RIPv2 on Cisco IOS, classful or classless?
classful


With the default configuration of RIP, what happens if you enter a subnetwork with the network command?
The subnet is converted automatically to its classful network, and all interfaces within that classful network are enabled for RIP.

For example, if you enter network 10.10.10.0 the CLI automatically converts it to 10.0.0.0 and all interfaces with 10 in the first octet of the IP address are enabled for RIP.


How do you enable RIPv2, but disable sending updates on an interface?
RIP process:
passive-interface interface


How do you enable RIPv2 to send updates out of an interface, but disable receiving updates?
Filter all incoming routes with a distribute-list or filter incoming RIPv2 packets using a per-interface ACL.


How do you prevent a RIPv2 router from advertising a connected subnet?
Filter the outbound advertisements of the subnet on the other interfaces using distribute lists. 


How do you configure RIPv2 to use unicast updates?
router rip
  neighbor ip


How does the defaut autosummarization work with RIPv2?
Automatic summarization applies whenever a router intends to advertise a subnetwork of a particular classful network out an interface that is itself in a different classful network.

For example, if one interface has the IP address 10.1.1.1/24, and another interface has the IP address 192.168.1.1/24, the classful network 10.0.0.0/8 is advertised out of the 192.168.1.1 interface, not 10.1.1.0/24.


What is a requirement for RIPv2 when using discontiguous networks?
Autosummarization must be disabled with no auto-summary under the RIP process.

10.1.0.0/16 and 10.2.0.0/16 are considered contiguous because they are in the same classful network 10.0.0.0/8. 10.1.0.0/16 and 192.168.10.0/24 are considered discontiguous because they are in different classful networks.


True or False: RIPv2 supports multiple authentication keys.
True, multiple keys are supported through key-chains.


How are key chains with multiple valid keys used for authentication?
The valid key with the lowest sequence number is used, except for OSPF which always uses the key last added.


How do you configure RIPv2 authentication?
Authentication is based on key-chains, whether encrypted or not. Authentication is configured per-interface:

ip rip authentication key-chain keychain
ip rip authentication mode {text | md5}

text is the default.


How does RIPv2 authentication affect RIP update messages?
RIPv2 updates can carry a maximum of 25 prefixes, unless authentication is enabled, in which case only 24 can be carried. The first route entry in each RIPv2 message carries 20 bytes of authentication data. When cryptographic authentication is used, the remaining authentication data is placed after the 25th entry.


What is the RIPv2 update next-hop field set to by default, and when would this value be changed?
The default next-hop field value is set to 0.0.0.0, which indicates that the next-hop is the source of the update. Cisco IOS does not allow you to directly change this value. The only time the value is changed to a non-zero address is when RIPv2 is run over NBMA interfaces to facilitate direct spoke-to-spoke routing.


How do you configure a RIPv2 distribute list?
Under the RIP process:
distribute-list {acl | prefix prefix-list} {in | out} [interface]

ACL permit statements allow the routes through, and deny statements filter those particular routes.


What transport is used for RIPng?
UDP 521


To which address are RIPng updates sent to?
FF02::9


How many prefixes can the RIPng update message contain?
Whereas RIP is limited to 25 entries, RIPng updates can support as many updates as will fit within the link MTU.


How is authentication handled with RIPng on Cisco IOS?
RFC-based RIPng supports authentication via IPsec, similar to OSPFv3, however Cisco does not implement this.


How does Cisco IOS handle split-horizon with RIPng?
Split horizon can be enabled/disabled per-process only, not per-interface.


How does RIPng handle passive interfaces in Cisco IOS?
Cisco RIPng does not support passive interfaces.


True or False: Static neighbors cannot be configured with RIPng on Cisco IOS.
True


True or False: RIPng supports per-process offset lists in Cisco IOS.
False, only per-interface


How many RIPng processes are supported in Cisco IOS?
Four


What is the purpose of the interface metric-offset in RIPng?
Interfaces can be configured with a metric-offset value that is added to the metric in all received advertisements over that interface, which effectively allows RIPng to operate with link costs instead of hop counts.


How does RIPng handle the origination of default routes in Cisco IOS?
The default route can be originated per-interface, including an option of suppressing all other updates over that interface.

Interface:
ipv6 rip process default-information only


How do you enable RIPng on an interface?
ipv6 rip process enable


How do you configure the RIPng metric-offset?
Interface:
ipv6 rip process metric-offset metric


How do you verify RIPng?
show ipv6 rip


How do you enable RIPng poison reverse?
ipv6 router rip process
  poison-reverse


How do you create a manual summary in RIPv2?
Interface:
ip summary-address rip address netmask


How do you display the details of the RIP process?
debug ip rip


While multiple RIPng processes can run simultaneously, they cannot operate on the same UDP port simultaneously. How do you configure this?
ipv6 router rip process
  port udp-port multicast-group group-address


How do you configure a manual summary for RIPng?
Interface:
ipv6 rip process summary-address ipv6-prefix/length


What does EIGRP use for transport?
IP Protocol 88, Reliable Transport Protocol


Where are EIGRP Updates sent to?
224.0.0.10 or FF02::A

Retransmissions are unicast.


What makes EIGRP's use of a Hello protocol superior to RIP?
With RIP, building and maintaining adjacencies is based on sending the entire routing table with each Update. With EIGRP's use of a Hello protocol, neighborship is independent of routing information.


With EIGRP, the lack of Updates from a neighbor indicates what?
Since EIGRP uses a Hello protocol to maintain neighbor adjacencies, a lack of updates indicates a stable network that is not changing, and is considered normal.


What is the EIGRP hop count range, and default setting?
1 - 255
100


How do you modify the EIGRP hop count setting?
EIGRP process:
metric maximum-hops hopcount


What components can be used to calculate the EIGRP classic composite metric?
Bandwidth, Delay, Reliability, Load

MTU and hop count are metric components, but are not used in the calculation of the composite metric.


When calculating the composite metric, EIGRP takes the ___ bandwidth along the route into account.
Lowest


When calculating the composite metric, how does EIGRP account for a neighbor's advertising bandwidth versus the bandwidth of the interface toward the advertising neighbor?
EIGRP uses the lower of the two values for the bandwidth component of the composite metric calculation. For example, the neighbor advertises a bandwidth of 10 Mbps, but the link toward that neighbor is 1.5 Mbps, the value of 1.5 Mbps is used in the local computation.


What is the range of the available bandwidth metric for EIGRP classic metric calculation?
1 kbps - 10 Gbps


For the EIGRP bandwidth metric component calculation, what value is used if the bandwidth is not explicitly set on the interface?
The bandwidth is assumed based on the interface, which may or may not reflect the actual bandwidth. For example, serial and tunnel interfaces typically have different default values that do not reflect the actual value.


What is the interface delay intended to represent?
The estimated average serialization delay for the interface. The value is static, but represents an estimated average due to varying frame sizes.


What is the interface delay value measured in?
Tens of microseconds. delay 10 means 100 microseconds.


How does EIGRP process delay as part of the composite metric?
The total delay of the path to the destination is used for the metric component. The delay advertised by a neighbor is added to the delay of the interface toward the advertising neighbor.


What delay value is used by EIGRP using classic metrics to indicate infinite distance, and what is this value used for?
16,777,215 tens of microseconds (24-bit value) indicates an infinite distance and is used to advertise an unreachable network, which is used with split horizon with poisoned reverse, route poisoning, and route withdrawal.


What does EIGRP use to indicate an unreachable route?
Maximum delay value, 16,777,215 (24-bit value).


True or False: While EIGRP does not use the Reliability metric component by default to calculate the composite metric, EIGRP still sends a triggered update when an interface's reliability changes.
False: A change in an interface's reliability does not trigger the sending of an EIGRP Update message. The reliability metric of a route is only a snapshot of its then-current reliability when the route was last advertised.


IGRP was a ___-driven protocol, whereas EIGRP is a ___-driven protocol.
timer
event


What is the range of values for the EIGRP classic Reliability metric?
1 - 255, where 255 = 100% reliable.


How does EIGRP derive the classic Reliability metric?
The minimum reliability of the path is used by comparing the reliability advertised by the neighbor and the reliability of the interface toward the neighbor and using the lower of the two values.


How does EIGRP derive the classic Load metric?
While interfaces maintain separate Rx and Tx load counters, only the Tx counter is used for EIGRP calculations. 

Similar to Reliability, EIGRP uses the value of the maximum load value across the entire path, which is derived by comparing the advertised Tx load of the EIGRP Update with the Tx load of the interface toward the neighbor, and using the higher of the two values.


What is the range of values for the EIGRP classic Load metric?
1 - 255, 1 = 0% load


True or False: Link MTU is advertised in EIGRP Updates, but is not factored into the composite metric or used for tiebreakers.
True, MTU is not factored in any way for the EIGRP best-path selection algorithm.


What is the purpose of the EIGRP hop count value?
The hop count is not factored into the composite metric calculation and therefore does not impact the best-path selection. However, EIGRP can be configured to advertise routes over a configured threshold to be unreachable (default 100, range 1 - 255).


Why must the EIGRP K-values match across the entire EIGRP AS?
Each router calculates the EIGRP composite metric independently using individual metric components. If routers used different K-values within the same AS, the calculated metrics will not be proportional to each other, and therefore lose meaning between each router. 


What scaling factor does the EIGRP classic composite metric use for bandwidth and delay, and why?
The scaling factor is 256, and is so because the metrics are 32-bit values, whereas the IGRP values were 24-bit.


How is the EIGRP composite metric calculated when the default K-values are used?
(Minimum bandwidth + summed delay) * 256

BW = 10,000,000 Kbps / minimum bandwidth along path in Kbps
Delay = Sum of all delays in 10s of µs


What is the EIGRP classic metric limitation with regard to bandwidth?
EIGRP classic metrics cannot distinguish between links that are faster than 10 Gbps.


What is the EIGRP classic metric limitation with regard to delay?
EIGRP classic metrics cannot distinguish between interfaces over 1 Gbps with regard to delay, because the delay of a 1 Gbps is the lowest value of 1  (one 10's of microseconds = 10 µsec)


What is a negative consequence of the scaling factor in EIGRP classic metrics?
Loss of precision over time.

Bandwidth and delay metric values are carried in EIGRP Updates in their scaled form, so each router must descale them, then re-scale them when computing the composite metric and advertising the values to neighbors. Because the calculations are performed via integer arithmetic, round-off errors introduce a gradual loss of resolution.

EIGRP Wide Metrics distribute the values in their raw form to avoid the loss of precision.


How can you determine if a router supports EIGRP wide metrics?
show eigrp plugins

eigrp-release >= 8.0 supports wide metrics

show ip protocols also reveals the K6 constant, which classic metrics do not support.


How is the EIGRP wide metric Throughput represented?
65536 * 10,000,000 / interface bandwidth in kbps

The Throughput component tells how many times slower the interface is than a 655.36 Tbps link


How is the EIGRP wide metric latency calculated?
(65536 * interface delay in picoseconds) / 1,000,000


For EIGRP wide metrics, how is the interface delay (not the overall latency component metric) calculated for 1 Gbps and slower interfaces without bandwidth and delay commands issued?
Default interface delay converted to picoseconds

Example, 1 Gpbs link default delay is 10 µsec, so the converted value is 10,000,000


For EIGRP wide metrics, how is the interface delay (not the overall latency component metric) calculated for interfaces faster than 1 Gbps without bandwidth and delay commands issued?
10,000,000,000,000 / interface default bandwidth

Example: 10 Gbps link

10,000,000,000,000 / 10,000,000 kbps = 1,000,000 picosecond delay


For EIGRP wide metrics, how is the interface delay (not the overall latency component metric) calculated for interfaces configured with bandwidth but not delay?
Default interface delay converted to picoseconds


For EIGRP wide metrics, how is the interface delay (not the overall latency component metric) calculated for interfaces with delay configured?
The specified delay value converted to picoseconds


How are the EIGRP Reliability, Load, MTU, and Hop Count values used for wide metrics?
These values are identical, and used identically, to EIGRP classic metrics.


What are EIGRP wide metrics extended metrics?
The extended metrics are considered a placeholder for potential future extensions to the composite metric calculation. Three metrics were originally defined: jitter, energy, quiescent energy, but are not supported for use.


How do you enable EIGRP wide metrics?
Wide metrics are enabled automatically with EIGRP named mode, and their activation cannot be controlled.

EIGRP routers running wide metrics automatically detect if the neighbor supports it, and adjusts accordingly if not.


How do EIGRP routers using wide metrics deal with mixed neighbors (those supporting wide metrics, and those supporting only classic metrics) on a common link?
The EIGRP routers supporting wide metrics will use both metric formats in their messages and each neighbor will process the metric format it supports.


How is the EIGRP wide metrics composite value scaled for the RIB?
The scale value is adjusted with the EIGRP command metric rib-scale with a range of 1 - 255, with a default of 128.


EIGRP uses up to __ of a link's bandwidth by default.
Up to 50% of the configured bandwidth value


What is the value of the EIGRP header Version field?
Version = 2 and has not changed since EIGRP was introduced.


What six EIGRP Opcode values are used in the header?
1 Update
3 Query
4 Reply
5 Hello/Ack
10 SIA Query
11 SIA Reply


What four flags are used in the EIGRP/RTP header?
0x1 Init (using during initial adjacency buildup)
0x2 Conditional Receive (used by RTP to control who can receive the packet)
0x4 Restart
0x8 End-of-Table (transmission of entire database is complete)


How does EIGRP differentiate between a Hello and an ACK packet?
An ACK packet has the ACK field set to the sequence number of the last packet received from the neighbor to which the ACK is being sent. ACKs are also always unicast, never multicast.

A Hello packet has the ACK field set to 0.


What is the Virtual Router ID field in the EIGRP/RTP header?
0x1 = Unicast Address Family
0x2 = Multicast Address Family
0x8000 = Unicast Service Address Family (for Service Advertisement Framework)


How is NLRI carried in EIGRP?
Within TLVs in the EIGRP packets.


How many route entries are contained in EIGRP TLVs?
Each internal and external route TLV contains a single route entry.


What are the seven EIGRP packets used when communicating with neighbors?
Hello
Acknowledgement
Update
Query
Reply
SIA-Query
SIA-Reply


How can you view statistics about EIGRP packets?
show ip eigrp traffic


What three functions do EIGRP Hello packets serve?
Identify neighbors
Verify neighbor compatibility
Neighbor keepalive


What four items determine EIGRP neighbor compatibility?
Same IP subnet
Same ASN
Same K-values
Same authentication

The EIGRP router must also be using their primary IP addresses on the interface for the EIGRP neighbor relationship.


What is the default EIGRP Hello interval?
5 seconds
60 seconds on NBMA interfaces with 1544 kbps or less bandwidth


True or False: EIGRP Hello packets are acknowledged.
False


To which EIGRP packets are Acknowledgement packets sent in response to (e.g. delivered reliably)?
Update
Query
Reply
SIA-Query
SIA-Reply


How are EIGRP Acknowledgement packets delivered?
EIGRP ACKs are always unicast to the sender of the acknowledged packet


What are the contents of an EIGRP acknowledgement?
EIGRP ACKs are Hello packets with no TLVs that have the Acknowledgement number field set to the value of the Sequence number of the reliable packet being acknowledged.


When can EIGRP send an acknowledgement along with other information in a single packet?
A standalone acknowledgment is not required if a router also has a unicast reliable packet to send to a neighbor in addition to needing to acknowledge a previously-received reliable packet from that neighbor. Since all EIGRP packets carry an Acknowledgement number field, this allows both types of information to be sent with a single packet. The received packet is processed both as an ACK and as its original intended type.


What four reasons would cause EIGRP Updates be sent as unicast?
Point-to-point interfaces
Statically configured neighbors
Neighbors that did not acknowledge a previously-sent Update
During a new adjacency buildup, unless there are many simultaneously-discovered neighbors


When are EIGRP Updates sent as multicast?
After routers have fully synchronized (unless P2P/static)
During a new adjacency buildup if many routers are detected simultaneously


What is the general purpose of an EIGRP Query packet?
To involve the neighbor in the task of searching for the best route toward a destination.


When is an EIGRP Query packet multicast, and when is it unicast?
Multicast on multiaccess interfaces with only dynamic neighbors
Unicast in all other cases


True or False: EIGRP Query messages must receive an ACK, which constitutes a response to the Query message.
False: EIGRP Query messages do require an ACK, but the EIGRP Reply packet is the response to the Query.


How are EIGRP Reply packets sent?
Always unicast to the initiator of the Query, and always delivered reliably (requiring an ACK)


What are EIGRP Reply messages used for?
Reply messages are a response to Query messages


What are EIGRP SIA-Query and SIA-Reply messages used for?
SIA-Query messages are sent to a neighbor that has not sent a Reply to a previous Query message in attempt to see if the neighbor is still reachable and working on the original Query. If it is, the neighbor responds immediately with a SIA-Reply messaage the timeout for working on the diffusing computation is reset to allow more time.


How are EIGRP SIA-Query and SIA-Reply packets sent?
Unicast


What is an EIGRP packet sequence number?
A global value maintained on each router per-EIGRP process and incremented whenever a packet is sent reliably. The EIGRP process expects to have a packet returned by the neighbor with the Acknowledgment field set to the same value as the received sequence number to indicate successful receipt.


How is the EIGRP packet sequence number used with Hello and ACK packets?
Hello and ACK packets are not delivered reliably, meaning their sequence number is set to zero and does not cause the EIGRP process global sequence number to increase.


What is EIGRP Conditional Receive?
Conditional Receive is a method for which EIGRP can send reliable multicast packets on a multiaccess interface where at least one neighbor is performing poorly. It allows EIGRP to partition all its neighbors on the multiaccess interface into two groups: well-behaved routers who have ACK'd all multicast messages so far, and those routers who failed to ACK at least one reliable EIGRP packet.


How does EIGRP Conditional Receive work?
The router sends a "Sequenced Hello" containing a Sequence TLV and a Next Multicast Sequence TLV on a multiaccess interface with both well-behaved and poorly-performing routers.

The Sequence TLV contains the IPs of lagging neighbors, The NMS TLV contains the Seq of the upcoming next reliable multicast message.

Routers not listed in the Sequence TLV place themselves into CR mode, and wait to receive the next packet with the CR flag set. Those routers process the packet as normal, and exit CR mode.

Routers not in CR mode (those contained in the Sequence TLV) ignore the packet (if they receive it at all).


What is the EIGRP SRTT?
The Smooth Round-Trip Time is the average elapsed time in milliseconds between when a reliable EIGRP packet is sent to when an ACK is received.


What is the EIGRP multicast flow timer?
The multicast flow timer is the time to wait for an ACK before declaring a neighbor as lagging and switching from multicast to unicast transmissions.


How does EIGRP dynamically discover neighbors?
EIGRP sends multicast Hellos to 224.0.0.10 / FF02::A as soon as EIGRP is activated on an interface.


What is a caveat of configuring a static EIGRP neighbor on an interface?
All EIGRP multicasts on the interface through which the neighbor is reachable are disabled. This means if one neighbor is statically configured on an interface, all neighbors reachable by that interface on the common network segment must also be statically configured.


True or False: EIGRP can form neighborships using secondary IP addresses.
False, neighbors must use primary IP addresses to form neighborships.


True or False: Timers must match between EIGRP neighbors for neighborships to be formed and maintained.
False, timers are not required to match.


How do you modify the EIGRP Hello timer?
Interface:
ip hello-interval eigrp asn seconds


How do you modify the EIGRP hold time?
Interface:
ip hold-time eigrp asn seconds


The default EIGRP hold time is 3x the Hello time. What happens if you modify the EIGRP Hello time with regard to the hold time?
Nothing, the timer settings are independent.


What causes the EIGRP hold timer to be reset?
The EIGRP Hold timer is reset every time an acceptable EIGRP packet is received from a neighbor. 


How is the EIGRP neighbor adjacency process similar to the TCP 3-way handshake?
After discovering each other, the EIGRP neighbors are placed into a pending state, and a Null Update is sent with the Init flag set, and a particular Seq number. This is similar to the initial TCP SYN.

The other EIGRP neighbor sends its own Null Update with the Init flag set, a particular Seq number, and the Ack field set to the received Seq number from the other neighbor. This is similar to the TCP SYN/ACK.

The other neighbor sends a Null Update with the Init flag set, and the Ack field set to the received Seq from the other neighbor. This is similar to the final TCP ACK.

When this process is completed, the neighbors are adjacent and database synchronization begins.


What is the first thing that happens when an EIGRP router receives a Hello packet from a potential new neighbor?
It expedites sending its own Hello packet in response to allow for the other router to quickly discover it.


While EIGRP neighbors are in the Pending state, what are the only packets that can be exchanged?
Hello
Ack
Null Update with the Init flag set


Under what conditions is the full EIGRP database exchanged between adjacent neighbors?
When EIGRP is restarted, or resynchronization is manually invoked.


How do you view the contents of the EIGRP neighbor table?
show ip eigrp neighbors


What is the EIGRP neighbor Handle?
The internal number that EIGRP assigns to each neighbor to identify neighbors in an address-family independent way.


With EIGRP, what does a non-zero "Q Cnt" value indicate when viewing the output of show ip eigrp neighbors?
In a stable network, the "Q Cnt" field should be zero, indicating no reliable packets are waiting in queue to be sent.  Nonzero values are normal during intial synchronization and reconvergence events, but if it remains nonzero for a long period of time, it indicates a communication problem with the neighbor.


What does the sequence number in the output of the command show ip eigrp neighbors represent?
The sequence number of the last reliable packet received from the particular neighbor.


What is the EIGRP RIB referred to as?
The topology table


What is the difference between the EIGRP Passive and Active states?
Passive means the shortest path to the destination network has been found and is considered current.

Active means EIGRP is currently searching for a new shortest path to the destination.


What must occur for an EIGRP route to move from Active state back to Passive?
The router must receive a Reply (in response to a Query) from all its neighbors.


What does the all-links keyword do for the show ip eigrp topology command?
The all-links command also displays entries that fail to meet the Feasibility Condition.


How can you view detailed information about a particular EIGRP destination network?
show ip eigrp topology network


What is the EIGRP Reported Distance?
The metric to a particular destination as received from a particular neighbor. This is the metric that the neighbor reports in a sent EIGRP message.


What is the EIGRP Computed Distance?
The Reported Distance + cost of the link to the advertising neighbor


In the output of show ip eigrp topology each destination prefix lists the neighbor (as "via"). What are the two numbers in the parenthesis?
(Computed Distance / Reported Distance)


What is the EIGRP Feasible Distance?
The FD is a historical record of the smallest known Computed Distance toward a particular destination since its last transition from Active to Passive.


True or False: The EIGRP Feasible Distance is not advertised to adjacent neighbors.
True, the FD is an internal variable maintained for each network known to EIGRP whose value is never advertised to another router.


Why is the EIGRP Feasible Distance value maintained?
The FD is the lowest known metric to a destination since the last time the route went Passive, so any neighbor whose Reported Distance is less than the FD cannot cause a routing loop because they are closer to the destination (this is the Feasibility Condition).


What is the EIGRP Feasibility Condition?
If a neighbor's Reported Distance to a destination is less than the current router's Feasible Distance to the same destination, the neighbor can be used as a loop-free path to reach the destination.


True or False: Every neighbor satisfying the EIGRP Feasibility Condition provides a loop-free path, however not every loop-free path satisfies the Feasibility Condition.
True. The FC guarantees a loop-free path, but not all loop-free paths can be guaranteed due to the nature of distance-vector routing protocols.


What is the term for an EIGRP neighbor that meets the Feasibility Condition for a particular destination?
Feasible Successor

This applies to all neighbors that can guarantee a loop-free path toward the destination.


What is the difference between EIGRP Successors and Feasible Successors?
Successors are also Feasible Successors, as they both meet the Feasibility Condition. Successors are neighbors with the lowest Computed Distance toward the destination.


For EIGRP, what constitutes a topology change?
A topology change occurs whenever the distance to a network changes or a new neighbor comes online that advertises the network.


With regard to the topology, how does EIGRP process the event of a neighbor going down?
The router sets the Computed Distance / Reported Distance of all networks reachable through that neighbor to infinity.


What is the EIGRP local computation process when a Feasible Successor is present?
-The FS providing the least Computed Distance is made the new Successor
-The FD is updated if the CD of the new Successor is less than the current FD
-The routing table is updated to point toward the new Successor
-An Update is sent to all neighbors if the current distance to the destination has changed as a result of switching to the new Successor


Why might an EIGRP diffusing computation be necessary after detecting a topology change?
If there are no Feasible Successors, the diffusing computation must be performed so that a new loop-free path can be guaranteed.


What four events consist of the EIGRP diffusing computation process when a route becomes Active?
Route locked > FD set to CD > Active / Query > Neighbors process

-The entry in the routing table (pointing to the current unchanged Successor) is locked and cannot be changed until the route returns to Passive
-The FD is set to the current (possibly increased) Computed Distance through the current unchanged Successor
-The route is put into Active state and a Query is sent to all neighbors with the current CD
-Each neighbor receiving the Query updates its own topology table and reevaluates its own Successor/FSs. If the neighbor still has a Successor, it sends back a Reply, otherwise it starts its own Query process.


When an EIGRP route goes Active, what happens to the entry in the routing table?
When an EIGRP route goes Active, Query messages are sent to all neighbors, and the entry is locked and cannot be changed or removed until the router has received back a Reply from all neighbors, and the route has been moved back into the Passive state again.


When an EIGRP route goes Active, what happens to the Feasible Distance of the route?
It is set to the current (and possibly increased) calculated distance through the current unchanged Successor.


What happens when an EIGRP router that previously had to send out a Query message receives back a Reply from all of its neighbors?
The router can put the Active route back into the Passive state and choose the neighbor with the lowest computed distance as the new Successor. The FD is reinitialized to the current computed distance, and the routing table entry is updated and the router can send EIGRP Update messages.

If the router itself became Active by receiving a Query, it can send back its own Reply and possibly Update packets.


When an EIGRP router receives a Query packet from a neighbor, what determines if that router must become Active for the route and send its own Query?
When the EIGRP router receives a Query, it uses the distance value for the route to determine if its own current Successor and Feasible Successors are still valid. If they are not, then the router becomes Active for the route, and starts its own Query process.


What happens with EIGRP when the Successor of a route fails, but a Feasible Successor is available?
The FS is NOT automatically promoted to the Successor.

EIGRP always tries to choose the shortest path to the destination, but must verify the FC.

When EIGRP detects a topology change, it updates the CD/RD of the neighbor that advertised the change (or was influenced by it, such as with a link metric change). EIGRP then identifies the route from all neighbors providing the least CD (taking updated CDs into account). EIGRP then verifies if the neighbor with the least CD meets the FC. If it does, the FS is promoted to Successor, otherwise the route is put into Active state.


How do you display EIGRP's DUAL finite state machine events?
debug eigrp fsm


What are the names of the four EIGRP FSM Active states, and what do the names refer to?
A0: Local Origin with Distance Increase
A1: Local Origin
A2: Multiple Origins
A3: Successor Origin

The names refer to the origin of the diffusing computation, e.g. which router appears to have started it. 


What is the default EIGRP Active time?
3 minutes


How do you modify the EIGRP Active timer?
EIGRP process:
timers active-time {minutes | disabled}


When is an EIGRP SIA-Query message sent?
If a neighbor does not respond with a Reply within half of the Active timer time (90 seconds by default)


What happens when an EIGRP SIA-Reply is received?
The Active timer is reset, which gives the diffusing computation additional time to complete.


How many EIGRP SIA-Query messages can be sent to a neighbor?
A maximum of three SIA-Query messages can be sent to a neighbor. If the neighbor still has not responded with a Reply message (not a SIA-Reply message) after receiving three SIA-Query messages plus the remainder of the Active time (a total default of 360 seconds), the neighbor adjacency is torn down.


After a router sends an EIGRP SIA-Query message, what is the maximum wait time for a SIA-Reply message?
SIA-Query messages are sent at half the Active time if a regular Reply message is not received. The router to which the SIA-Query was sent has until the Active timer expires to send a SIA-Reply message back, otherwise the neighbor adjacency is dropped.


Assuming an EIGRP router receives all SIA-Reply messages in response to SIA-Query messages, at what point is the neighbor adjacency torn down?
360 seconds by default

SIA-Query messages are sent at half the Active time (90 seconds by default). When an SIA-Reply is received, the Active time is reset. A maximum of three SIA-Query messages can be sent, and if a regular Reply (not an SIA-Reply) is not received after the third SIA-Query, the neighbor adjacency is torn down after the Active timer expires.


How do you quickly view routes for which EIGRP is currently in the Active state?
show ip eigrp topology active


What happens if an EIGRP router receives a Query for a route that is currently in the Active state for which the same router has already sent another Query to?
The router responds immediately with a Reply containing its current distance to the route in question.


True or False: You cannot run EIGRP in classic mode and in named mode on the same router simultaneously.
False, on a single router you can run multiple EIGRP processes, some configured with classic mode, and some configured with named mode.


How does EIGRP named mode handle interface-level commands?
Interface-level EIGRP commands are handled under the EIGRP named process. If interface-level commands are configured on the interface itself, they are ignored when EIGRP named mode is used.


What are the three main components of EIGRP named mode?
-Address Family (AF) section
-Per-AF-interface section
-Per-AF-topology section


How do you enter the EIGRP named mode Address Family configuration section?
router eigrp name
  address-family afi safi autonomous-system asn

Example:
address-family ipv4 unicast autonomous-system 1


How do you configure interface-level commands in EIGRP named mode?
With the af-interface {default | interface} command under the EIGRP address-family

Example:
router eigrp name
  address-family afi safi autonomous-system asn
    af-interface {default | interface}


What is the af-interface default section in EIGRP named mode?
Settings that apply to all interfaces within the AFI ASN.


With EIGRP named mode, what happens when settings are configured both in the af-interface default and af-interface interface sections?
The af-interface interface settings take precedence for that particular interface.


What is the per-AF-topology section in EIGRP named mode used for?
Multi Topology Routing (MTR)

However, topology base is always present, even if MTR is not supported or used.


With EIGRP named mode, what happens when you enter the configuration mode for the IPv6 address family, and how do you modify this behavior?
EIGRPv6 is enabled automatically on all IPv6-enabled interfaces.

This can be disabled under the af-interface default section.


What is the relationship with EIGRP named mode processes and address family instances?
There is a 1:1 correspondence between an EIGRP named process and an address family instance with a particular AS.

For example, you cannot have multiple IPv4 unicast ASNs under a single process, and you cannot have the same IPv4 unicast ASN under multiple processes.


After configuring EIGRPv6 in classic mode, what final step must be performed?
Unlike with named mode, EIGRPv6 in classic mode is shutdown by default when configured, so no shutdown must be issued under the ipv6 router eigrp process.


How does MTR (Multi Topology Routing) compare to VRF (Virtual Routing and Forwarding)?
MTR is defined as a subset of routers and links in a network for which a separate set of routes is calculated. MTR includes the base topology which is the entire network, and additional topologies are class-specific, which are a subset of the base topology. Each class-specific topology carries a class of traffic and has independent NLRI used to maintain separate RIBs and FIBs, which allows the router to perform independent calculations and forwarding for each topology.

However, MTR topologies are subsets of a base topology and uses the same address space, whereas VRFs do not share a common address space and are completely independent of each other.


True or False: Each EIGRP address family instance has its own independent Router ID and multiple EIGRP processes and AFIs on the same router can use the same RID.
True


What are three ways to modify the existing EIGRP RID?
-Remove and reinitialize the EIGRP process
-Manually configure the RID
-Remove the RID manual configuration

RID configuration order is:
-Manually configured
-Highest IP of nonshutdown loopback
-Highest IP of up/up nonloopback interface


When manually configuring the EIGRP RID, which values are specifically disallowed?
0.0.0.0
255.255.255.255


What happens if the EIGRP RID is changed?
All neighbor adjacencies are dropped and re-established


What happens to the EIGRP RID if you change the IP address of the interface on which the RID was based?
The RID stays the same until EIGRP is restarted. This can lead to inadvertent duplicate RIDs on the network.


What is the relationship between the EIGRP variance setting, and maximum-paths?
You can adjust the variance setting to enable unequal-cost load-sharing, but the number of available links is still bound by the maximum-paths setting, whose default is 4.


How does the EIGRP Add-Path feature work with unequal cost load balancing?
Add-Path and unequal cost load balancing are mutually-exclusive features and cannot be configured together. Add-Path only supports ECMP links.


What is the primary use case for the EIGRP Add-Path feature?
DMVPN deployments where multiple branch offices are dual-homed. The hub router normally can only advertise a single path toward a destination, but when the Add-Path feature is configured on the DMVPN hub, it can advertise multiple ECMP paths to the spokes.


What are the five requirements for using the EIGRP Add-Path feature?


What is the mandatory argument for the EIGRP Add-Path feature?
The number of paths to add, with the range of 1 - 4


How do you configure the EIGRP Add-Path feature?
In named mode, under the DMVPN tunnel af-interface section:
no split-horizon
no next-hop-self
add-paths 1-4


With a DMVPN deployment, when should you use the no next-hop-self no-ecmp-mode command?
This command should be used in conjunction with the Add-Path feature when the hub router is dual-homed. This causes EIGRP to retain all Successor's addresses as the next-hop in EIGRP advertisements, not just the first entry in the topology table.


What does the EIGRP no next-hop-self no-ecmp-mode command do?
When no next-hop-self is used, the command only applies to the first entry in the EIGRP topology table, and if there are multiple ECMP entries, the command is not applied to the subsequent entries. The no-ecmp-mode keyword forces EIGRP to honor the no next-hop-self command for all entries and keep the Successor's address in the advertisements.


How does EIGRP advertise itself as a stub router?
The EIGRP Hello contains an additional TLV indicating stub status.


True or False: An EIGRP stub router does not propagate routes learned through EIGRP to its neighbors.
True, with the exception of EIGRP-learned routes that are explicitly selected using the leak-map keyword.


How is an EIGRP stub router prevented from becoming a transit router?
Since the stub router does not propagate routes learned through EIGRP to its neighbors, the stub router cannot become a Feasible Successor and cannot become a transit router for remote networks.


True or False: EIGRP neighbors of a stub router who are aware of its stub status will never send a Query to the stub router.
True, this prevents the neighbors from converging through a stub router to reach networks that are remote to the stub router.


How does an EIGRP stub router handle generating Query messages when a route goes Active?
EIGRP stub routers generate Query messages exactly the same way as normal EIGRP routers.


How does an EIGRP stub router process a received Query?
If the stub is allowed to advertise the network (summary, connected, static, redistributed, leak-map), the router processes the Query like a normal EIGRP router.

If the Query is about a network the EIGRP stub knows about, but is not allowed to advertise, the Reply always contains an infinte metric, regardless of what the stub router truly knows about the network.

Both EIGRP stubs and regular EIGRP routers immediately respond to a Query for an unknown network with a Reply with an infinite distance.


What two conditions cause an EIGRP stub router to receive Query messages?
-Older EIGRP routers can form adjacencies, but do not recognize the stub TLV
-If multiple routers are on a common network segment and they are ALL configured as stubs, when any of the stubs needs to send a Query, it sends it to all the neighbors


How are Query messages handled when both regular EIGRP and stub EIGRP routers exist on a common network segment?
Query messages are sent as unicasts to nonstub routers, or the RTP Conditional Receive feature is used to multicast Query messages so that nonstub routers will not process them.

This is common for hub and spoke routers connected by DMVPN or VPLS.


What are two caveats of using the eigrp stub receive-only command?
-The keyword cannot be used with any other keyword
-To reach networks behind the router, neighbors must use static routing, or the stub router must use NAT


What are the EIGRP stub advertisement options?
connected
summary
static
redistributed
leak-map
receive-only

connected and summary are the defaults when eigrp stub is issued.


How do you verify the EIGRP stub settings?
show ip protocols


How do you verify if an EIGRP neighbor is configured as a stub?
show ip eigrp neighbors detail


How does summarization bound the EIGRP Query domain?
EIGRP neighbors of a router performing summarization do not have information about the specific component subnets of the summary, so they immediately send a Reply indicating an unreachable destination (infinte metric) without having to go Active and propagate the Query further.


True or False: You can configure multiple overlapping summary addresses on a single interface with EIGRP.
True, each summary is advertised as long as at least one component subnet exists. This allows for hierarchical summaries where, for example, two routers can advertise the same less-specific summary, and they can each advertise a separate, more-specific summary for traffic engineering.


What is the purpose of a discard route with summarization?
A discard route (a local route to Null0) prevents suboptimal routing or routing loops when a summarizing router does not have knowledge of a more specific prefix for which it is advertising a summary. For example, if a router is advertising 10.1.0.0/22 and has more specific routes to 10.1.0.0/24, 10.1.1.0/24, and 10.1.2.0/24, but not 10.1.3.0/24, any traffic destined for 10.1.3.0/24 would be discarded.


What is the default administrative distance of an EIGRP discard route?
5


With an EIGRP router performing summarization, what is a potential issue with regard to an automatically installed discard route?
If the router is configured to advertise a manual summary route that exactly matches a route that is already learned by the router from another source, the discard route can possibly replace the route learned in the routing table due to the default AD of 5. For example, if EIGRP is configured to advertise a summarized default 0.0.0.0/0, but the router has the same route learned from another source, it may no longer be able to reach that default route because of the automatic discard route.

The solution is to adjust the AD of the summary with the EIGRP summary-metric summary mask distance distance command.


What happens if you set the AD of a discard route to 255?
It prevents the router from installing the discard route into the routing table, as well as stops the router from advertising the summary route. Neither the summary nor the component routes will be advertised to neighbors.


How do you view all configured EIGRP summary addresses, and the interfaces they are placed on?
show ip protocols


How do you configure EIGRP passive interface in classic mode?
router eigrp asn
  [nopassive-interface {default | interface}

This allows you to set all interfaces as passive by default, and then allow specific interfaces with no passive-interface interface

You can also configure configure individual interfaces as passive.


How do you configure EIGRP passive interface in named mode?
With the [nopassive-interface command under either af-interface default or af-interface interface


How does EIGRP Graceful Shutdown work?
Graceful shutdown (which occurs when the EIGRP shutdown command is used) sends a Goodbye message, which is a Hello message with all K-values set to 255.


What is a requirement of configuring SHA-256 authentication for EIGRP?
It can only be performed in named mode.


What is an advantage of configuring EIGRP authentication in named mode instead of classic mode with regard to interfaces?
EIGRP named mode allows configuring authentication simultaneously on all interfaces with the af-interface default section, of which there is no equivalent in classic mode.


How do you configure EIGRP authentication in classic mode?
Interface:
ip authentication mode eigrp asn md5
ip authentication key-chain eigrp asn key-chain


How do you configure EIGRP SHA-256 authentication?
af-interface interface
  authentication mode hmac-sha-256 password

Note: you can optionally use a key-chain, but the password must still be configured. Both will be sent when using key-chains.


With EIGRP named mode, if authentication is configured under the af-interface default, how do you disable it for a particular interface?
af-interface interface
  no authentication mode


If a key-chain is configured with multiple valid keys, which key is used?
The valid key with the lowest key ID is used to sign egress packets


How do you seamlessly change the keys in a key-chain?
-Add the new key with a higher key ID into the key-chain on all routers
-Configure the send-lifetime of the old key to some time in the past, which causes the key to stop being sent
-Remove the old key from the key-chain on all routers


True or False: EIGRP has no dedicated command to inject a default route into the EIGRP domain.
True, a default route must be either redistributed into EIGRP, or manual summarization must be used.


If you have a static default route pointing toward an interface, you can cause EIGRP to advertise it with the network 0.0.0.0 command. Why should you never do this?
network 0.0.0.0 causes all IPv4-enabled interfaces to be enabled for EIGRP. Additionally, if the static default route is not configured specifically with an interface (as opposed to an IP address), the network 0.0.0.0 command has no effect and it will not be advertised.


How does EIGRP use Split Horizon?
EIGRP uses Split Horizon with Poisoned Reverse to advertise learned networks out the interface toward the Successor with an infinite metric.


How do you configure split horizon for EIGRP classic mode?
Interface:
[no] ip split-horizon eigrp


What are the EIGRP logging defaults?
router eigrp
  event-log-size 500
  event-logging
  log-neighbor-changes
  log-neighbor-warnings


How do you view the EIGRP event log?
show eigrp address-family ipv4 events


What three options are available for filtering via distribute-list with EIGRP?
ACLs
Prefix lists
Route maps


How do you configure a distribute-list for EIGRP?
EIGRP process, topology-base:
  distribute-list method direction optional-interface


How do EIGRP distribute-lists work in the out direction?
All outgoing Updates, Queries, Replies, SIA-Queries, and SIA-Replies indicate the correct metric for permitted prefixes, and infinite metric for denied prefixes.


How do EIGRP distribute-lists work in the in direction?
In all incoming Updates, Replies, and SIA-Replies, permitted prefixes are processed normally, while denied prefixes are ignored.

Received Queries and SIA-Queries are unaffected and processed normally.


How do offset lists work with EIGRP?
Offset lists refer to an ACL to match routes which will have the specified offset added to their Delay metric component.

Offset lists also specify the direction, and optionally the interface.


How do you perform an EIGRP graceful restart?
clear eigrp address-family ipv4 neighbors soft

Topology databases between the router and its neighbors are resynchronized without the neighbor relationship being torn down. Without the soft keyword, adjacencies must be re-established.


How do you convert from EIGRP classic mode to named mode?
router eigrp asn
  eigrp upgrade-cli process-name


How do you view EIGRP traffic statistics?
show ip eigrp traffic asn


How are EIGRP OTP and LISP related?
With EIGRP OTP, the LISP control plane (native LISP mapping and resolving mechanisms) are replaced by EIGRP, while the LISP data plane is not modified.


How does EIGRP OTP compare with DMVPN?
DMVPN uses mGRE to encapsulate both data and control plane traffic, whereas OTP uses LISP UDP-based encapsulation for the data plane while running EIGRP natively without additional encapsulation. This means no tunnel interfaces are required for OTP.

All OTP traffic can be encrypted with GETVPN, whereas DMVPN relies on IPsec tunnel configuration.

DMVPN relies on NHRP for mappings, whereas OTP uses EIGRP for the mapping and no other control plane protocol is required.


What is the LISP EID and RLOC?
EID = Endpoint Identifier, an IPv4 or IPv6 address
RLOC = Routing Locator, outside address of a router

EIDs reside behind RLOCs, and the LISP control plane registers and maps EIDs to RLOCs.


How does EIGRP OTP replace the LISP control plane?
Instead of doing dynamic EID-to-RLOC mappings with native LISP-mapping services, EIGRP routers running OTP create targeted sessions over the WAN and use the WAN IP addresses as RLOCs, and exchange routes as EIDs.


When EIGRP OTP is used, a LISP0 interface is created automatically. What is the default bandwidth setting of this interface?
56 kbps

Adjust with the following:
interface LISP0
  bandwidth kbps


How do you enable EIGRP OTP?
router eigrp process
  address-family ipv4 unicast autonomous-system asn
    neighbor ip interface remote hops lisp-encap


What is a caveat of using EIGRP OTP with an Ethernet WAN interface?
Since the EIGRP remote neighbor is configured with a static IP address, the router must send ARP requests for the neighbor. This relies on Proxy ARP from the service provider, and if it is disabled on the SP edge, the OTP peering will not come up unless static ARP mappings are configured on the OTP router.


How do you configure an EIGRP OTP router to be a route reflector?
router eigrp process
  address-family ipv4 unicast autonomous-system asn
    remote-neighbors source interface unicast-listen lisp-encap
    af-interface source-interface
      no next-hop-self
      no split-horizon

no next-hop-self enables spoke-to-spoke traffic
no split-horizon allows learned routes to be reflected back out to the spokes


With EIGRP OTP, how can you control which routers are allowed to connect to the route reflector?
On the router configured as the route reflector, the remote-neighbors EIGRP command can reference an ACL with the allow-list acl keyword.


How does OSPF choose a RID?
-Manually-configured with router-id under the OSPF process
-Highest IP of any non-shutdown loopbacks that have not been allocated as a RID by any other OSPF processes
-Highest IP of any non-shutdown non-loopback interfaces that have not yet been allocated as a RID by any other OSPF processes


Two OSPF processes are started on a router, neither of which manually configures a router ID. How are the router IDs chosen for each process?
The first process to start chooses the highest IP address of any non-shutdown loopback interface, or regular non-shutdown interface is there are no loopbacks.

The second process chooses the next-highest IP address of any non-shutdown loopback interfaces, the next-highest IP address of a regular non-shutdown interface if there were no loopbacks, or the highest IP address of a regular non-shutdown interface if there was only a single non-shutdown loopback interface and the first OSPF process claimed it for its router ID.


True or False: The interface from which the OSPF RID is taken does not have to be matched by an OSPF network command.
True


True or False: An IP address configured on an interface in the down/down state can still be considered for use as the OSPF RID.
True. The interface cannot be administratively shutdown but if it happens to be down for other reasons, it can still be considered.


True or False: OSPF must advertise a route to reach the RID's subnet when an interface IP address is used as the RID.
False, the RID is just an identifier, and does not even require reachability per the IP routing table.


What happens to the router ID when the OSPF process is restarted?
If the RID is not manually configured, the choice of RID based on available IP addresses is re-evaluated. If a different RID is chosen, all routers in the same are must perform a new SPF calculation, even if the actual topology has not changed.


What does OSPF use for transport?
IP Protocol 89


What are the five different types of OSPF messages?
Hello
Database Description (DD/DBD)
Link-State Request (LSR)
Link-State Update (LSU)
Link-State Acknowledgement (LSAck)


What three things are OSPF Hello messages used for?
-Discover neighbors
-Bring a neighbor relationship to 2-Way state
-Monitor neighbor's continuous liveliness


What are OSPF Database Description (DD/DBD) messages used for?
They are used to exchange LSA headers during the initial topology exchange so that a router knows a list of that neighbor's LSAs, including their versions.


What are OSPF Link-State Request (LSR) messages used for?
A LSR is a packet that identifies one or more LSAs that the sending router would like the neighbor to supply full details about.


What are OSPF Link-State Update (LSU) messages used for?
An LSU is a packet that contains fully detailed LSAs and is sent in response to an LSR, or in the event of a topological change.


What are OSPF Link-State Acknowledgement (LSAck) messages used for?
LSAcks are sent to confirm receipt of LSUs.


True or False: Link State Advertisements (LSAs) are not considered OSPF messages.
True: LSAs are data structures held inside a router's LSDB and exchanged inside LSU messages.


What is an indication of how an OSPF router treats a particular neighbor?
The OSPF neighbor state


True or False: Two OSPF neighbors building an adjacency can temporarily consider each other to be in a different neighbor state.
True, though this is a temporary condition. Ultimately, both routers must arrive at the same state.


What are the eight OSPF neighbor states?
Down
Attempt
Init
2-Way
ExStart
Exchange
Loading
Full


What are two common reasons to see an OSPF neighbor in the Down state?
When a working adjacency to the neighbor is torn down, such as when no valid OSPF packets are received before the Dead interval expires.

The other common case is when a manually-configured neighbor does not respond to initial Hello packets.


What is a requirement for an OSPF router to consider a neighbor in the Down state?
The router must already know about the neighbor's IP address, either manually or through previous discovery.


What is the initial state of an OSPF neighbor?
Down


For which network types is the OSPF Attempt neighbor state valid for?
This state is valid only on NBMA and P2MP NBMA networks. On these networks, a neighbor is placed immediately into the Attempt state and contact by Hello packets sent at usual intervals. If the neighbor does not respond within the Dead interval, it is placed back into the Down state.


When is an OSPF neighbor placed into the Init state?
A valid Hello has been received from the neighbor, but the list of "Seen Routers" in the received Hello packet does not contain the receiving router's RID. If a neighbor stays in the Init state for a long period of time, it indicates that the neighbor router is not properly receiving this router's Hellos.


What causes an OSPF router to reach the 2-Way state with a neighbor?
A valid Hello packet containing this router's RID in the list of seen neighbors from the neighbor, indicating bidirectional visibility between the two routers.


When is the OSPF 2-Way neighbor state considered stable?
The 2-Way state is a stable state between routers on multiaccess networks that do not intend to become fully adjacent.


What four circumstances cause an OSPF router to move from the Init or 2-Way neighbor state to ExStart?
After bidirectional visibility is confirmed, routers move into the ExStart state in these circumstances:

-The network type is P2P
-The network type is P2MP
-The network type is virtual link
-The router itself or its neighbor is a DR or BDR


What two things happen during the OSPF ExStart neighbor state?
-Compare RIDs to determine Master/Slave roles
-Establish common starting sequence number for DBD packets


When does an OSPF neighbor state move from ExStart to Exchange?
After the Master/Slave relationship is established.


What occurs during the OSPF Exchange neighbor state?
DBDs are exchanged between the neighbors to build the list of LSAs known by each router. Actual LSAs are not exchanged at this time.


What is the OSPF Loading neighbor state?
After a router receives the complete list of LSAs via DBD exchange during the Exchange state, the Loading state is when the actual LSAs are exchanged between the neighbors.


What is the OSPF Full neighbor state?
All required LSAs have been exchanged between neighbors, and the neighbors are now considered fully adjacent.


What are the stable OSPF neighbor states?
2-Way
Full


What are the four major functions of OSPF Hello messages?
-Discover OSPF routers on common subnets
-Check for agreement on configuration parameters
-Verify bidirectional visibility between neighbors
-Monitor neighbor liveliness and react accordingly


What must be true for OSPF to advertise secondary IP addresses?
The primary IP address for an interface must also be advertised into OSPF, either directly at the interface or through the OSPF network command. Even if the secondary IP address is explicitly configured for advertisement, it will not be advertised if the primary IP address is not also advertised.


Which address is used for OSPF neighbor discovery?
224.0.0.5 All OSPF Routers


What five parameter checks must be passed for OSPF routers to become neighbors?
-Same primary IP subnet
-Nonduplicate RIDs
-Authentication
-Same OSPF area and type
-Same Hello/Dead timers

MTU must match for DBD packets to be successfully processed, but this parameter check is not part of the Hello process and would not prevent routers from reaching the 2-Way state.


True or False: The MTU must match between OSPF neighbors to form a neighborship.
False: MTU checking is not part of the Hello process and does not prevent neighbors from forming. However, mismatched MTUs prevent routers from moving past the 2-Way state.


What is the default OSPF Hello time?
10s on broadcast and P2P network type
30s on nonbroadcast and P2MP network type


What is the default OSPF Dead time?
4x the Hello time:

40s on broadcast and P2P network type
120s on nonbroadcast and P2MP network type


How can you verify that OSPF Hello parameters are mismatched between neighbors?
debug ip ospf hello will reveal "Mistached hello parameters from RID"


How can you view the OSPF settings applied to an interface?
show ip ospf interface interface


How can you verify information about a particular OSPF neighbor?
show ip ospf neighbor RID


How does OSPF perform error recovery when exchanging DBD packets?
Each DBD packet has a sequence number, and the receiver acknowledges the DBD packet by sending back a DBD packet with the same sequence number. When a DBD packet is sent, another DBD packet is not sent until the previous packet was acknowledged.


During OSPF database exchange, what is the role of the Master, and what is the role of the Slave?
The Master sends DBD packets on its own accord, and sets the contained sequence numbers.

The Slave sends DBD packets only as a response to DBD packets received from the Master, and must use the same sequence number set by the Master.


What are the three flags present in the OSPF DBD packet?
-Master (MS) - set in all DBD packets sent by the Master, cleared in all sent by the Slave
-More (M) - router intends to send an additional DBD packet after this one
-Init (I) - Initial DBD packet that starts the exchange with subsequent DBD packets having the I flag cleared


What are the two rules governing the sending of OSPF DBD packets?
-Each DBD packet sent from the Master must be replied to by the slave
-A slave can send a DBD packet only as a response to receiving a Master's DBD packet


During the OSPF database exchange, since the Slave router can only send DBD packets as a response to DBD packets sent by the Master, what happens when the Slave has additional LSAs to send to the Master?
When the Slave sends its response DBD packet, it sets the M (More) flag if it has additional LSAs to send to the Master.

If the Master has no additional LSAs to send, but it receives the DBD response with the M flag set, it polls the Slave with an empty DBD packet.


During the OSPF database exchange, when does the Master stop sending DBD packets to the Slave?
The Master stops sending DBD packets to the Slave when both it has no more LSA headers to advertise, and the Slave's last DBD packet has the M (More) flag cleared, indicating the Slave has advertised its entire list of LSA headers.


During the OSPF database exchange, how does the Master/Slave election work?
Both start out considering themselves to be the Master and send an empty DBD packet with a random sequence number and MS, M, and I flags set to 1.

The router with the lower RID becomes the Slave, and responds with a DBD packet with the MS and I flags cleared, and the sequence number received from the other router.


How does an OSPF router determine if a received LSA is newer than the existing LSA in the LSDB?
A newer LSA will have a later sequence number compared to the existing LSA in the local LSDB. 

LSA sequence numbers are incremented whenever the LSA changes or is reoriginated.


True or False: Re-originating an OSPF LSA causes its sequence number to increment.
True, the sequence number is incremented whenever there is a change to the LSA, or the LSA is reoriginated.


How do OSPF sequence numbers work, and what is the starting number?
The sequence number space is a signed 32-bit integer from -2^31+1 (-2B) to 2^31-1 (+2B).

The starting value is 0x80000001 because most computer systems store negative numbers in two's complement.

0x80000001 increments to 0xFFFFFFFF, then to 0x00000000, 0x00000001 on up to 0x7FFFFFFF.

0x80000000 is a reserved value. When an LSA reaches 0x7FFFFFFF and needs to be incremented, the LSA is instead flushed from the LSDB and re-originated with sequence 0x80000001.


What is the difference between the OSPF Exchange and Loading neighbor states?
During the Exchange state, DBD packets are exchanged with contain LSA headers.

During the Loading state, full LSAs are exchanged via LSR and LSU packets.


What two methods are available for OSPF routers to acknowledge successful LSR/LSU exchange?
-An LSU can be acknowledged by the receiver sending back the exact same LSU to the sender (as in the case of the DR)
-A router can send back an LSAck packet containing a list of acknowledged LSA headers


What are the two primary functions of the OSPF DR?
-DR floods LSAs to adjacent neighbors, instead of all routers in a multiaccess segment flooding directly to each other
-DR generates Type 2 LSAs to represent the multiaccess network segment


How does an OSPF DR send an update for a multiaccess network segment?
The LSU is sent to 224.0.0.5, and each neighbor sends a unicast LSAck back to the DR.


On an OSPF multiaccess network segment with a DR, where do non-DR/BDR routers send updates to?
LSU packets are sent to 224.0.0.6, All OSPF DR Routers


When an OSPF DR receives an LSU from a neighbor, how does it acknowledge its receipt?
When a DR receives an LSU from a non-DR/BDR neighbor, the LSU is then flooded by the DR to all neighbors, which serves as an implicit acknowledgement.

All other routers send a normal unicast LSAck to the DR after the LSU has been flooded.


In OSPF network segments that do not have a DR/BDR, where are LSU packets typically sent?
224.0.0.5, All OSPF Routers


At what point during the OSPF neighbor adjacency process is the DR/BDR elected?
The election occurs after the 2-Way state, but before the ExStart state.


What is the OSPF Wait Time?
The OSPF Wait Time is set to the same value as the Dead Time, and is a period of time that must expire before the DR is elected. The goal is to allow all routers on the network segment to finish initializing after a failure so that all routers can participate in the DR election, otherwise the first router to become active would always become the DR. During the Wait Time, the priorities and RIDs of neighbors are collected, and each router independently calculates the DR/BDR, though they all arrive at the same conclusion.

This occurs when the OSPF router receives a Hello with the DR set to 0.0.0.0, indicating the DR has not yet been elected.


What happens when an OSPF router on a multiaccess network segment receives a Hello packet with the DR field set to 0.0.0.0?
This indicates the DR has not yet been elected, and the router starts the OSPF Wait Time (set to same value as Dead Time). When the timer expires, the DR can be elected.


How does an OSPF router know that a DR has already been elected?
The received Hello packet will have the RID of the DR.


Which is elected first, the OSPF DR or BDR?
The BDR is elected first, and then promoted to DR. This process allows a BDR to always be promoted to the DR if the DR fails.


What determines the OSPF DR when none has yet been elected?
Highest priority, with highest RID as the tiebreaker


What is the exception to the OSPF DR/BDR non-preemption rule?
When a stable network that has already elected the DR/BDR becomes partitioned, new elections occur if necessary for each partition (normal OSPF rules), and re-elections occur when the partitions are collapsed. 


What three behaviors are determined by the OSPF network type?
-Whether the router tries to elect a DR on the interface
-Whether the router must statically configure a neighbor, or use multicast
-Whether more than two neighbors should be allowed on the same subnet


How do you configure the OSPF network type?
Interface:
ip ospf network type


What are the six OSPF network types?
Broadcast
Point-to-Point
Non-Broadcast
Point-to-Multipoint
Point-to-Multipoint Non-Broadcast
Loopback


Which OSPF network types elect a DR?
Broadcast
Non-Broadcast (NBMA)


Which OSPF network types require static configuration of neighbors?
Non-Broadcast (NBMA)
Point-to-Multipoint Non-Broadcast

"Nonbroadcast Needs Neighbors"


Which OSPF network types do not permit more than two routers on the subnet?
Point-to-Point
Loopback


For which OSPF network types is the default Hello interval set to 10 seconds?
Broadcast
Point-to-Point


For which OSPF network types is the default Hello interval set to 30 seconds?
Non-Broadcast (NBMA)
Point-to-Multipoint
Point-to-Mulitpoint Non-Broadcast


While certain OSPF network types can be mixed together, what are the caveats to watch out for?
-Matching Hello/Dead timers
-Whether or not a DR is expected to be elected, and if so, it must have reachability to all routers in the common subnet


What is the default OSPF priority?
1


When manually configuring OSPF neighbors, what is the purpose of specifying the priority on the neighbor statement?
This is an optimization.

The default neighbor priority is 0. When there are multiple neighbor statements configured and at least one of them has a nonzero priority specified, the router first sends Hellos only to those neighbors, and only after the DR/BDR elections have occurred between those neighbors will the router start sending Hellos to the remaining neighbors.

If the interface is set to priority 0 with ip ospf priority 0 the neighbor priority setting has no effect.


What is the default OSPF LSRefresh interval?
30 minutes


What is the default value of the OSPF LSA MaxAge timer?
60 minutes


After convergence, what four items entail the OSPF steady-state operation?
-Each router sends Hellos based on per-interface Hello intervals
-Each router expects to receive Hellos from neighbors within the per-interface Dead interval
-Each router refloods each LSA it originates (after incrementing the seq by 1) per LSA LSRefresh interval (30 min)
-Each router expects to have its LSA refreshed before the LSA MaxAge timer expires (60 min)


What makes a Cisco OSPF router an ABR?
It has one more more connections to Area 0 and one or more connections to any other Area.

Other vendors may have different interpretations of the RFC.


True or False: OSPF ABRs maintain a single LSDB.
False: ABRs keep independent separate LSDBs for each connected Area. Likewise, SPF is run independently in each Area, and the results are combined into a single routing table subject to OSPF path preference rules.


How does an OSPF ABR maintain its local IP routing table?
SPF is run independently in each area, and the results are placed into the IP routing table based on OSPF path preference rules.


True or False: OSPF chooses intra-area routes over inter-area routes for a given prefix, unless the inter-area route has a better metric.
False: OSPF always chooses intra-area routes over inter-area routes for the same prefix, regardless of the metric.


How do ABRs handle Type 3 LSAs learned from nonbackbone areas during SPF calculation?
ABRs ignore Type 3 LSAs learned in nonbackbone areas during SPF calculation, which prevents an ABR from choosing a route that goes into a nonbackbone area, and then back into the backbone.


Under what circumstances can an OSPF router modify or withdraw an LSA if that router did not originate the LSA itself?
None. Only routers originating a particular LSA can modify or withdraw it.


What is true of an OSPF router with regard to processing LSAs that it did not itself originate?
The router must process and flood the LSA within the LSA's defined flooding scope if the router recognizes the LSA's type and contents. The router must not ever change the LSA's contents, block it, or drop it before its maximum lifetime has expired.

This ensures all OSPF routers in the area have the same LSDB contents and a consistent view of the network.


Which two OSPF LSA types are not supported on Cisco routers?
Type 6: MOSPF Group Membership
Type 8: BGP External Attributes (designed to carry BGP information during BGP-to-OSPF redistribution)


What is OSPF LSA Type 1?
Router: one per router per area, listing the router's RID and all interface IPs within the area.

Flooded only within the area of origin.


What is OSPF LSA Type 2?
Network: one Type 2 LSA per transit network, created by the DR on the subnet and represents the subnet and the router interfaces connected to the subnet.

Flooded only within its area of origin.


What is OSPF LSA Type 3?
Net Summary: created by ABRs to represent networks present in one area when being advertised into another area. Type 3 LSAs define the subnets and cost in the origin area, but no topology data.

Flooded only within its area of origin, reoriginated on ABRs.


What is OSPF LSA Type 4?
ASBR Summary: similar to Type 3 LSA, but advertises a host route used to reach the ASBR.

Flooded only within its area of origin, reoriginated on ABRs.


What is OSPF LSA Type 5?
AS External: created by ASBRs for external routes injected into OSPF.

Flooded to all regular areas.


What is OSPF LSA Type 7?
NSSA External: created by ASBRs inside an NSSA instead of Type 5. 

Flooded only within its area of origin and converted to Type 5 LSA on an ABR toward other areas.


What is OSPF LSA Type 9?
Opaque: Generic LSA with link-local flooding scope


What is OSPF LSA Type 10?
Opaque: Generic LSA with area-local flooding scope. Used for MPLS-TE


What is OSPF LSA Type 11?
Opaque: Generic LSA with autonomous-system flooding scope similar to Type 5 - flooded into normal areas but not into stubby areas and NSSAs.


What is an OSPF stub network?
A subnet on which a router has not formed any neighbor relationships.

This is different from a stub area.


What is an OSPF transit network?
A network over which two or more OSPF routers have become neighbors and elected a DR so that traffic can transit from one to the other.


How do you view an individual OSPF LSA?
show ip ospf database lsa-type lsa-id


What are two ways that OSPF can distribute information that a particular network that is no longer reachable?
The appropriate Type 1 or Type 2 LSA can be reoriginated with the disconnected network removed from the LSA, or the LSA can be prematurely aged out by setting its age to 3600 seconds and flooding it, causing it to immediately expire from all LSDBs.


What basic information is described in an OSPF Type 1 LSA?
-The originating router, and it's interfaces in that area
-List of neighboring routers in that area on each interface


What three things are described in an OSPF Type 3 LSA?
The subnet, mask, and the ABR's cost to reach that subnet


How do you view which OSPF routers are ABRs or ASBRs?
show ip ospf border-routers


How can you view how many times the OSPF SPF algorithm has executed for each area?
show ip ospf statistics


What is the term used to describe an OSPF router updating its computed shortest path tree based on updated costs from routers in other areas?
partial run, partial SPF, or partial route calculation

This is different from incremental SPF (iSPF)


How do OSPF routers handle a Type 3 LSA being removed from the area?
The routers check if another Type 3 LSA for the same network is available, and if not, the affected networks are removed from their routing tables without requiring an SPF run.


How does the information in a Type 3 LSA originated in one nonbackbone area get transmitted to another nonbackbone area?
Type 3 LSAs are flooded only within the area originated by ABRs. A Type 3 LSA from one nonbackbone area is re-originated at the ABR into the backbone area. Other attached nonbackbone areas receive the re-originated Type 3 LSA at their respective ABRs, which then re-originate the Type 3 LSA into their respective nonbackbone areas.

nonbackbone originated > backbone re-originated > nonbackbone re-originated


When an OSPF ABR performs a SPF calculation, which Type 3 LSAs are used in the calculation?
Only Type 3 LSAs received over the backbone area. Type 3 LSAs received over nonbackbone areas are skipped during the ABR's SPF computation, though they are stored in the ABR's LSDB and flooded within the nonbackbone area.


What is the difference between OSPF route types E1 and E2, and which is used by default in Cisco IOS?
E1 = both external and internal metrics added together
E2 = only external metric is considered by SPF when choosing best routes

E2 = default


With OSPF, if there are both E1 and E2 routes to the same external network, which is preferred?
E1 is always preferred over E2


What general information is contained in an OSPF Type 5 LSA?
Subnet
Metric
Metric Type (E1/E2)


How does OSPF decide which path to use when there are multiple E1 routes to the same destination?
The cost of E1 routes are calculated as the cost to reach the ASBR, plus the cost of the external route. When multiple E1 routes are present for the same destination, the lowest total cost path is used. If multiple equal-cost paths are present, all are used.


How does OSPF decide which path to use when there are multiple E2 routes to the same destination?
E2 routes only take the external metric into consideration. If there are multiple E2 routes available to the same destination network, the lowest cost E2 metric is used. If there are multiple E2 routes with the same metric, the path through the closest ASBR is used. If multiple equal-cost paths route through the same closest ASBR, all of them are used.


What is the OSPF E1/E2 route path selection process?
-Prefer E1 over E2
-E1:
  -If multiple, use lowest cost
  -If multiple lowest cost, use all
-E2:
  -If multiple, use lowest cost
  -If multiple lowest cost, use closest ASBR
  -If multiple lowest cost through closest ASBR, use all


What are OSPF Type 4 LSAs used for?
When an ABR floods a Type 5 LSA into another area, it also creates a Type 4 LSA. Routers in other areas use the Type 4 LSAs to know what ASBRs in other areas exist, what ABRs can be used to reach them, and what is the distance of each ABR to a particular ASBR.

For a router in a different area from the ASBR, the cost of reaching the ASBR is the cost between the router and the ABR, plus the cost indicated in the Type 4 LSA toward a particular ASBR.


What is the cost of an internal OSPF router in a nonbackbone area to reach an E1 route?
Cost from internal router to ABR + cost from ABR to ASBR as advertised in the Type 4 LSA + external cost of route as advertised by the ASBR in the Type 5 LSA


What are the OSPF stub area types?
Stubby
Totally stubby
NSSA
Totally NSSA


What is common across all OSPF stub area types with regard to LSAs?
Type 4 and Type 5 LSAs are not injected into any variation of a stub area, and are replaced with default routes instead.


What is the difference between an OSPF stubby and totally stubby area?
Both stop the injection of Type 4 and Type 5 LSAs and replace them with a default route. Totally stubby areas take this a step further and replace all Type 3 LSAs with a default route as well.


What makes an OSPF area not-so-stubby?
NSSA's have an ASBR present and inject Type 7 LSAs into the area, which are converted to Type 5 by the ABRs as the information leaves the area.


How do you configure an OSPF stub area?
OSPF process on all routers in the area:
area area stub


How do you configure an OSPF totally stubby area?
OSPF process on the ABR:
area area stub no-summary

OSPF process on internal routers:
area area stub

The no-summary keyword is configured only on the ABR, because only the ABR is permitted to filter Type 3 LSAs.


How do you configure an OSPF NSSA?
OSPF process on all routers in the area:
area area nssa


How do you configure an OSPF Totally NSSA?
OSPF process on ABR:
area area nssa no-summary

OSPF process on internal routers:
area area nssa

The no-summary keyword is configured only on the ABR, because only the ABR is permitted to filter Type 3 LSAs.


What is the purpose of an OSPF NSSA?
The NSSA is used for areas where an ASBR is located, but the routers within the area do not need specific information about external networks located in other areas.


Why does the OSPF LSA Type 7 exist?
Since Type 5 LSAs are not allowed inside any kind of OSPF stub area, Type 7 LSAs are used to distinguish the external information from normal Type 5 LSAs. By default, the ABR with the highest RID translates the Type 7 LSAs to Type 5 as the information leaves the area.


By default, which OSPF ABR performs Type 7 to Type 5 LSA translation for an NSSA?
The ABR with the highest RID.


ABRs in OSPF stub areas automatically inject default routes, except for which variation?
NSSA ABRs must be configured with area area nssa default-information-originate to advertise a default route.

This applies to NSSAs only. Stubby, Totally stubby, and NSSA-TS areas all inject default routes automatically.


True or False: OSPF considers E1 routes equivalent to N1 routes, and E2 equivalent to N2, with regard to path selection.
True


Why does an OSPF ABR originating Type 3 LSAs translate only intra-area routes from a nonbackbone area and flood them into the backbone, or conversely, translate both intra- and inter-area routes from the backbone and flood them into a nonbackbone area?
This process ensures the only valid way of an area learning about routes from another area is through the the backbone, and that the backbone is never fed a route that has already traversed the backbone.


Why does an OSPF ABR ignore all Type 3 LSAs received over nonbackbone areas when running the SPF algorithm?
To ensure that an ABR does not traverse a nonbackbone area to reach a network that is located in the backbone or another nonbackbone area. An ABR never uses a nonbackbone area to reach an inter-area network.


What path will OSPF router R2 use to reach subnet S1 and why?
R2 > R4 > R5, even though the cost through R3 is less. This is because ABRs ignore Type 3 LSAs from nonbackbone areas for loop prevention. Since the link between R3 and R4 is within Area 1, R4 ignores the route to S1 through R3 and prefers its own more-costly route directly to R5.


What path will OSPF router R2 use to reach subnet S1, and why?
R2 > R4 > R3 > R5, even though R4 has a direct link to R5. Because all of the links between R3, R4 and R5 reside within the same area, normal SPF rules apply whereby the lowest cost path is used to exit the area.


What path will traffic coming from subnet S1 use to reach OSPF router R2 and why?
R5 > R3 > R4 > R2. Both R3 and R4 inject Type 3 LSAs into the backbone area to describe nonbackbone area 1. R5 then chooses the path with the least cost to reach area 1. However, traffic will be asymmetrically routed, because the return traffic will take the path R2 > R4 > R5 since Type 3 LSAs originated in nonbackbone areas are ignored by ABRs. Therefore, R4 ignores R3's Type 3 LSA describing subnet S1, even though it has a lower-cost path.


How do you configure the OSPF Fast Hello feature?
Interface:
ip ospf dead-interval minimal hello-multiplier hellos

Where the dead-interval becomes fixed at one second, and hellos refers to the number of hellos to be sent every second.


What are two ways that you can activate an interface for OSPF?
OSPF process:
network ip wildcard area area

Interface:
ip ospf process area area


How do you configure OSPF to create a log message for each state change?
OSPF process:
log-adjacency-changes detail


How do you restart the OSPF process on a router?
clear ip ospf process


How do you view the costs currently assigned to OSPF interfaces?
show ip ospf interface brief


What information is provided in the output of show ip ospf interface brief?
Per-interface details:
-PID
-Area
-IP/mask
-Cost
-State (P2P, DR, etc)
-Neighbors


How do you configure the default OSPF cost calculation?
OSPF process:
auto-cost reference-bandwidth Mbps


True or False: When adjusting the OSPF reference-bandwidth cost, this value must match on all routers.
False, though it is recommended to use the same values.


When calculating OSPF costs, the resulting value is rounded ___ to the nearest integer.
Down

Example: The default reference bandwidth is 100 Mbps. The cost of a serial link with its default bandwidth of 1.544 Mbps is 100 / 1.544 = 64.77, which is rounded down to an OSPF cost of 64.


How do you set the OSPF cost for a particular neighbor?
OSPF process:
neighbor ip cost cost

This is valid only on OSPF point-to-multipoint nonbroadcast network types.


How do you set the OSPF cost value on an interface?
Interface:
ip ospf cost cost


With regard to advertising secondary IP addresses, what is the difference between the OSPF process network command, and the interface ip ospf area command?
OSPF process network command advertises stub networks for any secondary IP subnets matched by the network command

Interface ip ospf area command includes all secondary subnets by default, unless the secondaries none parameter is used at the end of the command.


What does the following command do?

ip ospf pid area area secondaries none
By default, when using the ip ospf area command on an interface, all secondary IP subnets are advertised as stub networks. Including the secondaries none parameter at the end causes only the primary IP subnet to be advertised.


What is the difference between the way the distribute-list command works for RIP and EIGRP, versus OSPF and IS-IS?
With RIP and EIGRP, the routes are filtered from the respective protocol's update messages.

With OSPF and IS-IS, the LSDB within an area must be identical, so the distribute-list prevents the routes from being installed in the local IP routing table, but remain within the LSDB.


With OSPF, how does the distribute-list command work differently in the inbound and outbound directions?
The inbound direction applies to the results of SPF - LSAs are not filtered, but routes that SPF would choose to install into the local routing table are.

The outbound direction applies only to redistributed routes, and only on an ASBR. It selects which redistributed routes will be advertised.


How do you use a route-map to match on a router's RID?
access-list num permit RID

Route-map:
match ip route-source acl-num


What are the two ways to filter OSPF Type 3 LSA generation at the ABR?
area filter-list
area range


How do you configure OSPF to filter Type 3 LSAs at the ABR based on a prefix-list?
OSPF process on ABR:
area area filter-list prefix prefix-list direction

Where direction references whether the prefix list is applied to routes entering or leaving the specified area.


How do you configure an OSPF inter-area summary to filter all included routes?
OSPF process:
area area range ip mask not-advertise

The not-advertise keyword causes both the subnets and the summary itself to be filtered, and is equivalent ot the area filter-list command with the out keyword.


What does the not-advertise keyword of the OSPF area range command do?
The not-advertise keyword causes both the included subnets and the summary itself to not be advertised, effectively filtering the routes.


Why must an OSPF virtual link pass through a regular OSPF area and not any variation of stub areas?
Virtual links are not tunnels, but targeted OSPF sessions that allow two remote routers within a single area to become fully adjacent and synchronize their LSDBs. The transit area must be a regular area because packets routed through the transit area are forwarded based on their true destination addresses (as opposed to tunneling), which requires the transit area to know all networks in the OSPF domain (intra-area, inter-area, and external).


True or False: OSPF virtual links are always members of Area 0.
True. When configuring virtual links, you specify the transit area, but the virtual link itself always belongs to Area 0.


How do you configure an OSPF virtual link?
OSPF process:
area transit-area virtual-link remote-RID


How do you view the status of OSPF virtual links?
show ip ospf virtual-links


How are OSPF virtual links represented internally to IOS?
Unnumbered point-to-point interfaces


What happens if a nonbackbone area becomes partitioned due to link failure, but each partition has a reachable ABR?
OSPF treats each partition as a separate area and overall connectivity is not disrupted.


How do you enable OSPF Type 0 authentication?
Interface:
ip ospf authentication null


How do you enable OSPF Type 1 authentication for an interface?
Interface:
ip ospf authentication
ip ospf authentication-key value


How do you enable OSPF Type 2 authentication?
Interface:
ip ospf authentication message-digest
ip ospf message-digest-key number md5 value


What is the default OSPF authentication type?
Type 0: Null


How does OSPF graceful authentication key rollover work?
Multiple MD5 keys with different key IDs are allowed per interface. When signing sent packets, OSPF uses the key that was last added to the interface (regardless of key number). When authenticating received packets, it uses the key ID indicated in the packet. 

When a neighbor detects a different key number from the receiving router, OSPF enters a key migration phase where all packets are sent as many times as the number of configured keys. After all neighbors are using the same key number, the migration phase ends.


How can you verify the OSPF authentication processes?
debug ip ospf adj


What is the purpose of the OSPF area authentication command?
This changes the area's default authentication type. The default unconfigured authentication type is 0: Null. You can configure the area to default to Type 1 or Type 2 authentication with the area area authentication [message-digest] command. When this command is used, routers within the area will not form neighborships unless authentication is specifically configured.


Why must you configure OSPF virtual link authentication with the area virtual-link command?
Virtual links have no underlying interfaces on which to configure authentication, as normal OSPF interfaces do. Virtual links are internal unnumbered point-to-point interfaces.


How do you configure authentication on OSPF virtual links?
Type 0: area area virtual-link router-id authentication null
Type 1: area area virtual-link router-id authentication authentication-key value
Type 2: area area virtual-link router-id authentication message-digest message-digest-key key-num md5 key-value


How does OSPF using cryptographic authentication with key chains use multiple keys?
When multiple keys have a valid send-lifetime the key with the highest ID is used, which is the opposite of RIPv2 and EIGRP, which use the lowest ID key.


True or False: OSPF routers using MD5 authentication cannot interoperate with routers using the newer key-chain based cryptographic authentication.
False: While you must use the newer key-chain based syntax to configure SHA authentication, you can specify MD5 as the authentication method associated with a particular key.


How do you configure extended cryptographic authentication on an OSPF virtual link?
OSPF process:
area area virtual-link RID key-chain key-chain 


What happens if you have both classic OSPF MD5 authentication and newer extended cryptographic authentication with key-chains configured on a router?
The ip ospf message-digest-key commands are ignored.


How do you configure extended cryptographic authentication with OSPF?
key chain name
  key num
    cryptographic-algorithm algorithm
    key-string string

interface interface
  ip ospf authentication key-chain name


What is the general premise of the OSPF TTL security check feature?
OSPF routers send their packets with the TTL set to 255. With the exception of virtual and sham links, OSPF routers should always receive OSPF packets with the TTL still set to 255 based on direct router-to-router communications. Packets received with a TTL of less than 255, outside of a virtual or sham link, should therefore be dropped because they could be malicious.


How do you enable the OSPF TTL security check mechanism?
Interface:
ip ospf ttl-security

OSPF process:
ttl-security all-interfaces


If the OSPF TTL security mechanism is enabled for all interfaces under the OSPF process, how do you disable it for specific interfaces?
Interface:
ip ospf ttl-security disable


How do you enable the OSPF TTL security mechanism, but relax the strict hop count of 255?
Either at the interface or at the process level with the hops count parameter. The check will be against 255 - count and any received OSPF packets outside the range are dropped.

Interface:
ip ospf ttl-security hops count

OSPF process:
ttl-security all-interfaces hops count


When configuring the OSPF TTL security mechanism, you can relax the setting by adjusting the hop count. Why is the minimum value for this setting 1?
When IOS processes received OSPF packets, the TTL is decremented by one before handing the packet to the OSPF process, unless the TTL is already one, in which case the number is not decremented. 

This is considered a peculiarity of IOS and is not considered standard behavior.


When OSPF is configured for the TTL security mechanism either under the OSPF process or directly on an interface, how are OSPF virtual and sham links affected?
OSPF virtual and sham links are unaffected by these settings. Virtual and sham links can be protected with the TTL security mechanism directly with the area virtual-link ttl-security hops or area sham-link ttl-security hops commands. The hops parameter is mandatory.


What is the recommended process of migrating OSPF routers to use the TTL security mechanism?
First activate the feature with the hop count set to 254, which effectively configures but does not enforce the feature. After routers have been migrated, set the hop count to the default of 1.

For interfaces toward routers that do not support the TTL security check, configure ip ospf ttl-security disable


What is SPF throttling?
A variable-length wait interval between two consecutive SPF runs.


What three parameters control SPF throttling?
SPF-start
SPF-hold
SPF-max-wait


What is the SPF throttling SPF-start parameter?
The initial wait interval before an SPF computation, if the network has been stable for a prolonged period of time.


What is the SPF throttling SPF-hold parameter?
The wait time between subsequent SPF runs, whose value doubles for each consecutive SPF run.


What is the SPF throttling SPF-max-wait parameter?
The maximum time between two SPF runs. During consecutive SPF runs, the SPF-hold parameter value doubles, up to the limit of the SPF-max-wait parameter value.

The SPF-max-wait value also defines the amount of time during which the network must be stable for the wait interval to be set back to SPF-start and the SPF-hold back to is preconfigured value.


With SPF throttling, if the network has been stable for the last SPF-hold period, but not for the entire SPF-max-wait time since the last SPF run, what happens?
The wait interval returns to the SPF-start value, but the subsequent wait is still set to twice the previous SPF-hold value.


With SPF throttling, assuming the network has been stable for a prolonged period of time, what happens when an updated LSA arrives?
The router schedules an SPF run for the value of SPF-start seconds in the future. For example, if the value is set to 10, an SPF run will occur 10 seconds after the LSA is received. Any other updates LSAs received within the 10 seconds are included in the SPF run.


With SPF throttling, what happens when the first SPF run occurs?
The router sets the next wait interval to the initial SPF-hold value. If any updated LSAs arrive during the next seconds until the SPF-hold value, SPF will run at the expiration of the SPF-hold value.


With SPF throttling, when is the network considered stable?
The network is considered stable if no updated LSAs are received with SPF-max-wait seconds after the last SPF run.


With SPF throttling, what happens if updated LSAs are received after a second consecutive SPF run, but before the SPF-max-wait timer expires?
After each SPF run (except for the initial run), the SPF-hold value is doubled, and the next scheduled SPF run occurs when that value expires.

For example, if the SPF-hold value is 20 seconds after the second consecutive SPF run, it is doubled to 40 seconds. Any received updated LSAs within the next 40 seconds are included in the next scheduled SPF run.


With SPF throttling, after an SPF run, what happens if an updated LSA arrives after the SPF-hold time expires, but before the SPF-max-wait time expires?
After the SPF-hold time expires, if an updated LSA arrives before the SPF-max-wait time expires, the next SPF run will be in the number of seconds defined by the SPF-start value, but the SPF-hold time remains at its current value until SPF-max-wait seconds have passed without an LSA update.


With SPF throttling, what happens to the SPF-hold timer if SPF-max-wait seconds have elapsed with no updated LSAs?
The SPF-hold timer is reset to its configured value if SPF-max-wait seconds have passed with no updates.


How do you configure the OSPF SPF throttling timers?
OSPF process:
timers throttle spf spf-start spf-hold spf-max-wait


How do you verify the current OSPF SPF throttling timer values?
show ip ospf
debug ip ospf spf statistic


What is OSPF LSA Throttling?
LSA throttling works exactly like SPF throttling. Whereas SPF throttling controls how often SPF runs are performed, LSA throttling controls how frequently updated LSAs are allowed to be re-originated.


How do you configure OSPF LSA throttling?
OSPF process:
timers throttle lsa all start-interval hold-interval max-interval


How can you verify the current OSPF LSA throttling wait intervals?
debug ip ospf database-timer rate-limit


How do you throttle received OSPF LSAs?
OSPF process:
timers lsa arrival milliseconds

The default is 1 second (1000ms). If two more more identical LSAs arrive within 1 second, only the first one is accepted, and the remaining are dropped.

The minimum LSA arrival interval should be less than the neighbors' intial hold interval in LSA throttling, otherwise a neighbor would be allowed to send updated LSAs faster than the router would be willing to accept them.


With OSPF LSA throttling, why should the minimum LSA arrival interval be less than the neighbors' initial LSA throttling hold value?
The neighbor would be allowed to send an updated LSA sooner than the router would be willing to accept it.


What is OSPF Incremental SPF?
Incremental SPF causes the router to maintain more information in the SPT about transit nodes' parent and neighbor nodes, which allows SPF to recalculate only those portions of the SPT that are affected by a topology change.

For example, if a topology change occurs several hops away within the same area, but the router must still use the same path(s) to reach the changed topology, iSPF only needs to recalculate the affected changes instead of the entire SPT.


How do you configure OSPF Incremental SPF?
OSPF process:
ispf


True or False: OSPF Incremental SPF must be configured on all OSPF routers within an area.
False. It can be enabled/disabled individually. ISPF is essentially a local optimization.


What are the four possible link types that can be described by an OSPF Type 1 LSA?
-Point-to-point link to another router (other router's RID)
-Link to a transit network (IP of DR)
-Stub network
-Virtual link


How does OSPFv2 prefix suppression work with Type 1 LSAs?
Transit link prefixes are suppressed by omitting stub network entries that contain prefixes on point-to-point interfaces to other routers.


How does OSPFv2 signal prefix suppression with Type 2 LSAs?
The netmask in the LSA is set to 255.255.255.255 to signal to compatible routers that the LSA contains no prefix information. Incompatible routers simply install a /32 host route.


How do you configure OSPFv3 prefix suppression?
OSPF process:
prefix-suppression

Optionally per-interface:
ip ospf prefix-suppression

Disable per-interface when enabled globally:
ip ospf prefix-suppression disable


When an OSPFv2 router has prefix suppression enabled, what exactly is suppressed?
All prefixes on all OSPF-enabled interfaces are suppressed except for loopbacks, secondary IPs, and prefixes on passive interfaces, since all of those are considered nontransit prefixes.


What is the purpose of the OSPF stub router feature?
To prevent the router from becoming a transit router.


How does the OSPF stub router feature work?
When configured, the OSPF stub router advertises its own Type 1 LSAs with an infinite metric (16M) for all transit-type adjacencies, while stub network adjacencies continue to be advertised with their normal metrics.


What is a common use case for the OSPF stub router feature?
An ASBR redistributing BGP routes into the OSPF domain is a good candidate for the OSPF stub router feature because BGP usually converges slower than OSPF. For example, if OSPF is advertising a default route, but depends on BGP for actual reachability, OSPF will still advertise the default route before BGP has converged, causing traffic blackholing. The OSPF stub router feature uses timers to prevent this situation.


How do you configure the OSPF stub router feature?
Two variations under the OSPF process:
max-metric router-lsa on-startup seconds
max-metric router-lsa on-startup wait-for-bgp

The first variation activates the stub router feature for the specified number of seconds after the OSPF process starts. The second variation waits for BGP to converge, up to a maximum of 10 minutes.


What is OSPF graceful restart?
The router can restart the OSPF process while packets continue to be forwarded.

Graceful Restart is the standardized version of Cisco's Non Stop Forwarding (NSF).


How do you enable OSPF Graceful Restart or Cisco Non Stop Forwarding (NSF)?
OSPF process:
nsf


What is the difference between Cisco NSF-capable and NSF-aware devices?
NSF-capable devices have forwarding hardware independent from the main CPU.

NSF-aware devices can act as helpers to NSF-capable devices to allow them to perform a graceful restart of a supported routing protocol process while maintaining the adjacency.


What is the role of an NSF-aware device during a neighbor's routing protocol graceful restart?
The NSF-aware device maintains the neighbor adjacency and continues to use the neighbor for forwarding traffic, despite the lack of Hellos, during the neighbor's restart of the routing protocol process.


How does an OSPF router signal that it is about to perform a graceful restart?
The router whose OSPF process is restarting notifies its neighbors with a Type 9 "grace" LSA (opaque, link-local scope) containing the estimated duration of the restart (the grace period), the reason of the restart, and the IP of the restarting router if on a multiaccess network.


True or False: Graceful Restart / NSF helper mode must be explicitly enabled.
False: It is enabled by default for platforms that support the feature. It can be disabled under the routing protocol process with:
nsf helper disable


What is a neighbor requirement for successful routing protocol graceful restart?
All neighboring fully-adjacent routers must operate in helper mode.


How do you enable OSPF graceful shutdown?
OSPF process:
shutdown

Alternatively, you can issue the command per-interface:
ip ospf shutdown


How do you enable regular OSPFv3?
Directly on the interface:
ipv6 ospf pid area area

This automatically instantiates the ipv6 router ospf pid process globally.


With OSPFv3, what is the default with regard to advertising IPv6 addresses on an interface?
All IPv6 networks on an interface are advertised by default.


True or False: The OSPFv3 RID must always be set manually.
False: OSPFv3 can set its 32-bit RID automatically based on the same rules as OSPFv2, however the RID must be set manually if no IPv4 addresses are available.


What are the three OSPFv3 LSA flooding scopes?
-Link-local, used for Link LSAs
-Area, used for Router, Network, Inter-Area Prefix, Inter-Area Router, Intra-Area Prefix LSAs
-AS, used for AS External LSAs


How do you configure multiple OSPFv3 instances?
Interface:
ipv6 ospf pid area area instance instance


An OSPFv3 link is equivalent to an OSPFv2 ___?
network


With the exception of virtual links, which address does OSPFv3 use to source OSPFv3 packets from?
The link-local address of the interface.

Virtual links use globally-scoped IPv6 addresses.


OSPFv2 expresses networks in LSAs as the network address and mask. How does OSPFv3 express networks in LSAs?
Prefix, Length


How does OSPFv3 handle Type 1 and Type 2 LSAs differently than OSPFv2?
OSPFv3 separates the topology from the NLRI. With OSPFv2, Type 1 & 2 LSAs contain addressing information as well as RIDs. OSPFv3 moves the addressing information to Type 8 & 9 LSAs. By doing this, if the NLRI changes, but the topology remains the same, SPF does not need to be recalculated.


With OSPFv3, what are Type 9 LSAs used for?
IPv6 prefixes on individual interfaces of a router are carried in Type 9 LSAs with area flooding scope. 

IPv6 prefixes associated with a transit network are pointed to a Type 2 Network LSA.

IPv6 prefixes associated with a router are pointed to a Type 1 Router LSA.

Type 9 LSAs allow for separation of NLRI from topology.


What are OSPFv3 Type 8 LSAs used for?
IPv6 unicast routing uses link-local addresses for the next-hop. Each router advertises its link-local address in a Type 8 LSA, which has link-local flooding scope and is never flooded beyond the receiving neighbor on the link.


What is the requirement when manually configuring OSPFv3 neighbors?
You must use link-local addresses. All other addresses are rejected.


What is true of configuring both OSPFv2 and OSPFv3 on NBMA networks?
Nonbroadcast networks need manual neighbor configuration.

"Nonbroadcast Needs Neighbors"


What does the command ipv6 ospf network point-to-point do when configured on a loopback interface?
It makes the network appear as a /64 instead of a /128 in the routing table.


How do you configure OSPFv3 authentication on a link?
Interface:
ipv6 ospf authentication parameters

The parameters must match on both ends of the link.


How do you configure OSPFv3 encryption on a link?
Interface:
ipv6 ospf encryption parameters

The parameters must match on both ends of the link.


How do you configure OSPFv3 authentication or encryption for an area?
OSPFv3 process:
area area {authentication | encryption} parameters

The parameters must match on all routers in the area. Interface-level commands override area-level commands.


How do you configure OSPFv3 Authentication Trailer?
Interface:
ospfv3 authentication key-chain keychain


How is multi-AF OSPFv3 configured in IOS?
Global:
router ospfv3 pid

Interface:
ospfv3 pid afi area area


What are the OSPFv3 base instance ID values?
0: IPv6 Unicast
32: IPv6 Multicast
64: IPv4 Unicast
96: IPv4 Multicast

128-191 = Unassigned
192-255 = Private


What is the purpose of the OSPFv3 instance ID?
The instance ID allows multiple OSPFv3 processes to communicate over the same link while remaining separate.


What do OSPFv3 instance ID values indicate?
The types of addresses advertised in Type 8 & 9 LSAs.


When configuring OSPFv3 multiple address family support, what instance ID is automatically chosen, if not specified manually?
The base instance ID for the address family type:

0 IPv6 Unicast
32 IPv6 Multicast
64 IPv4 Unicast
96 IPv4 Multicast


When running multiple OSPFv3 instances under a single OSPFv3 process, what is shared among the instances?
The instances are each run completely independent of each other, even under the same OSPFv3 process. In addition to addresses being separated, the topology is calculated seperately per-instance as well.


When is the OSPFv3 AF-bit set?
The AF-bit in the Options bitfield inside OSPFv3 Hello, DBD, and LSA packets is set when the sending router supports the AF extension and the particular instance is not an IPv6 unicast instance.

An OSPFv3 router supporting address families keeps the bit cleared for IDs 0 - 31, and sets it for all other instance IDs.


What happens if an OSPFv3 router receives a packet with the AF-bit cleared in instances other than 0 - 31?
It indicates the router does not support multiple address families, and both routers must use instance IDs within 0 - 31 to form an IPv6 unicast adjacency.


True or False: OSPFv3 using non-IPv6 address families still requires full IPv6 addressing and support between neighbors.
True. All OSPFv3 packets are encapsulated into IPv6 using link-local addresses between routers, even if carrying only IPv4 reachability information (for example).


True or False: OSPFv3 supports virtual links only for the IPv6 unicast address family.
True. This is because all OSPFv3 packets are encapsulated in IPv6 packets using link-local addressing, regardless of the address family contained in the NLRI.


How does OSPFv3 prefix suppression compare to OSPFv2?
Prefix suppression in OSPFv3 works by omitting suppressed transit link prefixes from the Type 8 & 9 LSAs, whereas with OSPFv2 this information is carried in Type 1 & 2 LSAs.

OSPFv2 and OSPFv3 prefix suppression both apply to all interfaces except loopbacks, passive interfaces, and secondary IPv4 addresses.


How does graceful shutdown work with OSPFv3?
The shutdown occurs over the Dead interval.

-Hello packets are sent with priority 0
-Hello packets are no longer accepted
-All originated LSAs except Type 1 are flushed
-Type 1 LSAs are flooded with max cost 65K
-After Dead interval, flush all Type 1 LSAs
-Stop sending and processing OSPFv3 packets


What is the OSPF flood pacing timer?
The interval between successive LSUs when flooding LSAs. Configured per-interface, default 33ms


What is the OSPF retransmission pacing timer?
The interval between retransmitted packets as part of a single retransmission event. Configured per-interface, default 66ms


What is the range of values for OSPF single interface cost?
1 - 65535


What is the range of values for OSPF complete route cost?
1 - 16M


What cost value is considered infinite for an OSPF route?
16M


What is the range of values for the OSPF reference bandwidth?
1 - 4B in units of Mbps (default 100)


What is the ISO OSI term for an interface?
Circuit


What type of addressing is used in OSI networks?
NSAP, Network Service Access Point, which represents an address of a particular network service on a particular network node.


TCP/IP uses per-___ addressing, whereas NSAP addressing is per-___.
interface
node


What are the two main parts of an NSAP address?
IDP Initial Domain Part
DSP Domain Specific Part


What two fields are in the Initial Domain Part (IDP) of an NSAP address?
AFI (Authority and Format Identifier)
IDI (Initial Domain Identifier)

Together, they indicate the routing domain (autonomous system) in which the node is located.


What three fields are in the Domain Specific Part (DSP) of an NSAP address?
-HO-DSP (High-Order DSP), indicates area of domain where the node is located
-System ID, unique identifier of the node itself
-SEL/NSEL/NSAP Selector, identifies service in or above the network layer


What is the size range of NSAP addressing?
8 - 20 octets


What is the name of an NSAP address where the SEL octet is 0?
NET Network Entity Title

When the SEL is 0, no particular service is being addressed, and the entire NSAP address identifies the destination node itself without referring to any particular service.


How are NSAP addresses usually formatted?
A dot after the first octet (2 hex digits), and dots between two-octet groups:

49.0001.0000.1111.2222.00

Dots are arbitrary, carry no significance, and are not required.


What is the typical format for NSAP addresses used with IS-IS?
49.xxxx.yyyy.yyyy.yyyy.00

x = area ID
y = system ID


With IS-IS, there is no concept of a subnet. How is routing between two networks accomplished?
Each IS assembles a list of all attached ES nodes and advertises the list to its neighbors. When a packet is routed, it is encapsulated into a frame addressed to the next directly attached hop identified by its Layer 2 address.


What are Layer 2 addresses referred to in OSI networks?
SNPA Sub Network Point of Attachment


How does IS-IS distinguish between interfaces on the same node in Cisco IOS?
Each IS enumerates its interfaces with a locally-significant 1-octet number called the Local Circuit ID, which increments by 1 with every interface added to the IS-IS instance, beginning with 0 on Cisco routers.


What are the four levels of routing in OSI networks?
-Level 0: between two ES nodes on the same link, or between an ES node and its nearest IS
-Level 1: between ES nodes in a single area of a domain
-Level 2: between ES nodes in different areas of a domain
-Level 3: between ES nodes in different domains


How is OSI Level 0 routing established and maintained?
ES nodes send ESH ES Hello messages
IS nodes send ISH IS Hello messages

Level 0 routing is also known as ES-IS routing. This is similar in concept to IPv6 RA and NA messages.


How does OSI Level 2 routing work?
At Level 2, IS nodes do not advertise the list of connected ES nodes. Instead, they exchange area prefixes. 

When a Level 1 IS determines that the destination ES is in a different area, the packet is forwarded toward the nearest IS capable of Level 2 routing, regardless of the destination area. 

The packet is then forwarded by Level 2-capable IS nodes until it reaches the destination area, where it is again forwarded by Level 1 IS nodes.


OSI Level 1 routes by ___, whereas Level 2 routes by ___.
System ID
Area prefix


OSI Level 3 routing was originally accomplished with ___, but is being replaced by MP-BGP.
IDRP Inter Domain Routing Protocol


What are the four metric types defined in the original IS-IS specification?
Default
Delay
Expense
Error

Each metric is intended to be evaluated individually, creating four independent SPTs

Most IS-IS implementations only support the Default metric.


What is the default metric assigned to all IS-IS interfaces in Cisco IOS?
10, regardless of bandwidth


How do you change the IS-IS metric on an interface?
Interface:
isis metric metric [level]


What is the range of metric values for IS-IS narrow metrics?
Attached network: 1 - 63 (6-bit)
Complete path: 1 - 1023 (10-bit)


What is the range of values of IS-IS wide metrics?
Interface: 1 - 16M (24-bit)
Path: 1 - 4B (32-bit)


True or False: All IS-IS routers in an area must use the same type of metrics (narrow or wide).
True


What types of adjacencies are established between Level 1 and Level 2 routers in IS-IS?
-Two Level 1 routers form a Level 1 adjacency if the area matches
-Two Level 2 routers form a Level 2 adjacency
-Two Level 1 + Level 2 routers for a separate adjacency for Level 1 and Level 2
-A Level 1 and a Level 2 router do not form adjacencies
-A Level 1 + Level 2 router forms a single adjacency with a Level 2 router, or a Level 1 router in the same area


How many areas can an IS-IS Level 1 router belong to?
One


How many LSDBs are maintained for IS-IS routers?
One for each participating Level (so a Level 1 + Level 2 router maintains two LSDBs).


IS-IS Link State PDUs (LSPs) are equivalent to what in OSPF?
Link State Updates containing LSAs


What are the four basic IS-IS packet types?
Hello
LSP Link State PDU
CSNP Complete Sequence Numbers PDU
PSNP Partial Sequence Numbers PDU


With IS-IS, what is the difference between Hello packets on broadcast interfaces versus point-to-point?
Broadcast interfaces use separate Hello packet types for L1 and L2 adjacencies

P2P interfaces use a single L1L2 Hello, aka a P2P Hello


What is the default IS-IS Hello interval?
10 seconds


How is the IS-IS hold time specified?
The Hold time is specified as the Hello Multiplier, whose default is 3 (30 seconds)


True or False: IS-IS timers must match between nodes for adjacency.
False


How are timers calculated on an IS-IS DIS?
Timers are always 1/3 of their configured values (Hello 3.3s and Hold 10s by default), so that detecting a DIS or a DIS outage occurs more quickly.


OSPF uses LSAs inside the LSDB to convey link-state information. How is this done with IS-IS?
IS-IS uses LSPs (Link State PDUs) containing TLVs


How are IS-IS LSPs uniquely identified?
LSPID = System ID + Pseudonode ID + LSP Number

System ID is taken from the router's NET
Pseudonode ID is 0 when the LSP describes the router itself
LSP Number is the fragment number


How do IS-IS LSP sequence numbers work?
32-bit unsigned integer starting at 0x00000001 - 0xFFFFFFFF and incremented each time the LSP is modified


What happens when an IS-IS LSP reaches its maximum sequence value?
Unlike OSPF, the number does not wrap around and the LSP must be expired and re-originated, though this is uncommon due to the size of the LSP sequence number space.


What is the default IS-IS LSP remaining lifetime value?
20 minutes, with IS-IS routers refreshing self-originated LSPs every 15 minutes


What is the process of the IS-IS LSP Purge?
When an LSP's remaining lifetime reaches 0 (whether by actually timing out or set purposely), the router deletes the LSP's body from the LSDB, but keeps its header and advertises the empty LSP with the remaining lifetime set to 0.

The expired LSP is finally purged from the LSDB after the ZeroAgeLifetime which is 60 seconds by default, though Cisco routers hold the empty LSP for an additional 20 minutes.


Why must the MTU match between all routers in an IS-IS flooding scope (Level 1 area, or all Level 2 routers)?
LSPs are fragmented based on the originating router's MTU, and only the originating router is allowed to fragment or otherwise modify LSPs. 

The MTU must be set to be equal to or smaller than the lowest MTU link within the flooding scope. The originating router can adjust the MTU under the IS-IS process with lsp-mtu mtu whose default value is 1497.


True or False: IS-IS node hostnames are carred within LSPs.
True. You can view adjacent neighbors hostnames with show isis hostname which also displays the neighbors' System ID.


How do you view the contents of the IS-IS LSDB?
show isis database


How do you view the contents of an IS-IS LSP?
show isis database detail


With IS-IS, how many LSPs are generated by each router?
Each IS-IS router generates a single (possibly fragmented) LSP describing itself and all relevant topological information.

The DIS on multiaccess networks also generates a Pseudonode LSP for each network for which it is the DIS, which contains topological information about the network itself, and the list of connected routers.


With IS-IS, what happens if a single TLV needs to be modified within an LSP?
The originating router must regenerate and reflood the entire LSP.


IS-IS CSNPs and PSNPs are equivalent to what in OSPF?
IS-IS CSNPs are equivalent to OSPF DBDs
IS-IS PSNPs are equivalent to OSPF LSRs and LSAcks


What is contained in an IS-IS CSNP?
A complete list of LSPs in the sender's LSDB.


True or False: A single IS-IS PSNP can request or acknowlege multiple LSPs.
True


What network types are recognized by IS-IS?
Broadcast / multiaccess
Point-to-Point

Partial-mesh (such as hub-and-spoke) is not directly supported and should be run as a collection of point-to-point links.


What are the IS-IS adjacency states?
-Down - no IIHs have been received from the neighbor
-Initializing - IIHs have been received, but it is not yet certain of the neighbor is receiving IIHs from this router
-Up - both routers have received each other's IIHs and bidirectional communications are established

Verifiying adjacencies, as well as synchronization and flooding is different depending on if the network is P2P or broadcast.


How did IS-IS originally establish neighbors on P2P links, what was the issue with this, and how was it resolved?
The original IS-IS specification said that an adjacency on P2P links could be formed as soon as a P2P IIH was received from the neighbor. The issue with this is that bidirectional communications are not confirmed. This was resolved with a newer three-way handshake process which included router and interface IDs.


How can an IS-IS router support more than 256 point-to-point interfaces?
The Local Circuit ID is a 1-octet field. Newer implementations of IS-IS are capable of the point-to-point three-way handshake, which introduces the 4-octet Extended Local Circuit ID field.


The IS-IS P2P three-way handshake is based on each router on a P2P link advertising an adjacency state TLV in its packets. What fields are in the adjacency state?
-Adjacency Three-Way State - the state as seen by the sending router
-Extended Local Circuit ID - ID of sending router's interface
-Neighbor System ID - value of neighbor whose IIHs have been received
-Neighbor Extended Local Circuit ID - value from received IIHs


How do you enable the IS-IS point-to-point three-way handshake?
Interface:
isis three-way-handshake ietf


How do you configure IS-IS CSNPs to be sent periodically on P2P interfaces?
Interface:
isis csnp-interval interval [level]

Cisco routers do not send CSNPs on P2P links after the initial adjacency buildup by default, but some IS-IS implementations do.


What is the Ethernet frame format for IS-IS packets?
LLC format frames with DSAP and SSAP both set to 0xFE


Which MAC address are IS-IS frames sent to on Ethernet networks?
0180.c200.0014 Level 1
0180.c200.0015 Level 2


How is a DIS elected in IS-IS?
Highest interface priority
Highest SNPA (MAC address)
Highest System ID (in case SNPAs are not comparable, such as with FR and ATM)


For IS-IS DIS elections, how do you configure the interface priority value?
Interface:
isis priority priority [level]


True or False: IS-IS DIS elections are always preemptive.
True. DIS elections are performed with each received IIH.


True or False: An IS-IS router with an interface priority of 0 is ineligible for DIS election on a broadcast link.
False. Unlike OSPF, IS-IS priority 0 is simply the lowest priority, but does not exempt a router from participating in the DIS election.


How are adjacencies handled in IS-IS on a broadcast link?
The routers all become fully adjacent with each other, regardless of the DIS.


What two operations are the responsibility of the IS-IS DIS?
-Helping routers on the broadcast segment to synchronize by sending CSNPs periodically
-Representing the broadcast segment in the LSDB as a standalone object (Pseudonode)


How does synchronization of IS-IS routers on a broadcast segment work?
The DIS sends a CSNP reflecting the contents of its LSDB every 10 seconds by default. When the other routers receive the CSNP, they compare it against their own LSDB, and either create a PSNP request, or flood missing LSPs onto the segment.


How does IS-IS DIS implicit acknowledgement work?
The DIS acts as a reference point of comparison. If the DIS is missing an LSP, the originating router floods it to the DIS. The DIS should then advertise it with its next regular CSNP advertisement (10s default). If the CSNP does not contain the LSP, the originating router floods it again.


With IS-IS pseudonode LSPs, what is the System ID and Pseudonode ID set to?
System ID = the System ID of the DIS
Pseudonode ID = Local Circuit ID of the DIS's interface in the network


How can you verify IS-IS adjacencies?
show isis neighbors


How can you view interface-level details for IS-IS?
show clns interface interface


Why does IS-IS not require a backup DIS?
The router acting as the DIS uses Hello/Hold times of 1/3 of the configured values. Since all routers are adjacent with each other, if the DIS fails, another router can become the DIS by simply replacing the old Pseudonode LSP with one that it generates, and flooding the LSP to the neighbors.


True or False: IS-IS routers belong to a single area only, but can have multiple NSAP addresses assigned.
True. Up to three NSAP addresses can be assigned to a single IS-IS instance, with the requirement of the System ID being identical, but with a different area ID. IS-IS routers are intended to have a single NSAP address, so adding multiple causes the areas to merge.

Assigning multiple NSAP addresses to a router is a temporary situation used to facilitate splitting or merging areas.


How does IS-IS advertise IP networks between areas?
Each Level 2 router advertises its directly connected IP networks as well as all other Level 1 routes from its own area (with appropriate metrics).

IP routing information flows from L1 into L2, but not from L2 into L1 unless specfically configured, and L2 routers establish adjacencies regardless of their areas.


IS-IS Level 1 routers operate similar to routers in what type of OSPF area?
NSSA-TS. Level 1 routers can perform redistribution from external sources, but can see routes within their own area and nothing more.


What is the default IS-IS level on Cisco routers?
Both Level 1 and Level 2 are enabled by default.


What is the IS-IS ATT flag?
When an L1L2 router determines (though L2 SPF) that it can reach areas other than its own, it sets the ATT (attachment) flag on its L1 LSP.

L1 routers in the area can use any router with the ATT flag set to reach other areas, and automatically install a default route pointing toward the nearest L2 router advertising the ATT flag.


What is the IS-IS P-bit?
Partition repair. The functionality is similar to OSPF virtual links. The value is always set to 0 because Cisco and most other IS-IS implementations, do not use this feature.


What is the IS-IS Overload bit?
When the O-bit is set in the LSP, it signals to other routers in the area to not use it for transit when calculating SPF. Directly-attached networks can still be reached through the router, though.

Setting the O-bit allows a router to join the IS-IS area without altering existing paths in the network. This is useful for waiting for BGP to converge, and then clearing afterward. 


By default, which Level is an external route redistributed into on an IS-IS L1L2 router?
Level 2, but can be configured for either or both.


Where is address summarization configured in IS-IS?
L1L2 routers


With IS-IS, why are IIH packets authenticated seperately from LSPs?
IIH packets are used for individual adjacencies.

LSPs cannot be modified except by their originating router, therefore all L1 LSPs must use the same area password, and all L2 LSPs must use the same domain password.


How do you configure IIH authentication in IS-IS?
Interface:
isis authentication mode {text | md5} [level]
isis authentication key-chain keychain [level]


How do you configure LSP/CSNP/PSNP authentication in IS-IS?
IS-IS process:
isis authentication mode {text md5} level
isis authentication key-chain keychain level


What two commands are recommended for new IS-IS deployments?
metric-style wide
log-adjacency-changes all


How do you enable an interface for IS-IS?
Interface:
ip router isis


How do you configure the NET on an IS-IS router?
router isis
  net 49.xxxx.yyyy.yyyy.yyyy.00

Where xxxx is the area, and yyyy.yyyy.yyyy is the System ID.


How do you change the IS-IS router level?
IS-IS process:
is-type level


How do you control which types of adjacencies are allowed over an interface in IS-IS?
Interface:
isis circuit-type


How do you configure passive interfaces in IS-IS?
IS-IS process:
passive-interface interface


How do you configure summarization in IS-IS?
IS-IS process:
summary-address network mask


What is the effect of the IS-IS command passive-interface default on a router?
All local interfaces' networks are advertised into IS-IS


How do you configure IS-IS for IPv6?
Interface:
ipv6 router isis


How do you make IPv6-specific configurations in IS-IS?
router isis
  address-family ipv6
    commands

Example, IPv6 summarization is configured with summary-prefix under the address-family.


How can you display basic information about IS-IS on a router?
show clns


How do you disable IS-IS without removing its configuration?
IS-IS process:
protocol shutdown


How do you configure IS-IS to treat a broadcast link as point-to-point?
Interface:
isis network point-to-point


What condition would cause the STP root bridge to have ports in the blocking state?
If the bridge is looped back to itself.


How can you verify Spanning-Tree related events in real time?
debug spanning-tree events


With classic STP, if issuing the command show spanning-tree vlan vlan interface interface detail reveals few BPDUs sent, and many BPDUs received, what does this indicate?
The other end of the link is a designated port, because STP Designated ports source BPDUs, while Root and blocking ports receive BPDUs.


What is the Spanning-Tree diameter?
The maximum number of switches that could possibly be in the path between two end hosts.


True or False: Changing the STP timers constitutes a topology change event.
False. The timers set on the root bridge are used throughout the classic STP domain, and changing the timers does not create a topology change event.


Using the spanning-tree port-priority parameter, how can you change the root port on a switch?
The port priority is sent with BPDUs downstream, which means to change the root port of a switch, the port-priority needs to be modified on the upstream switch.


How are the STP port IDs and port costs evaluated differently?
Port IDs (port priority + port number) are evaluated on received BPDUs, not the locally-configured value, though the local value is considered when sending BPDUs further downstream.

Port costs are evaluated based on adding the cost in the BPDU to the locally-configured value.


With STP, what value do you configure to influence the downstream neighbor's choice of root port?
The local port ID (with the port-priority parameter)


With STP, what do you configure to change the local root port?
The local STP interface cost


How do you use TCL to perform a command on multiple IP addresses (such as ping)?
EXEC: tclsh
foreach var {
ip1
ip2} { command $var parameters }

Example:
foreach var {
10.1.1.10
10.1.1.20} { ping $var repeat 2 }


What is the range of configurable values for the MST configuration revision number?
0 - 65535


How are the Root Path Cost and Message Age values of a BPDU treated when traversing an MST region?
At the boundary of the MST region, the RPC and MA values are incremented as though the BPDU had traversed only a single switch.


How can you change the priority of an interface with MST?
Interface:
spanning-tree mst instance port-priority priority


When BPDU Guard is enabled, how many BPDUs must be received before the port is placed into err-disable state?
One


How do you configure a router to act as a bridge and send BPDUs?
bridge num protocol ieee

interface interface
  bridge-group num

This may be useful in lab environments to test features like BPDU Guard.


What happens if you enable BPDU Guard and BPDU Filter on the same interface?
BPDU Guard has no effect because BPDU Filter takes precedence.


How do you verify which ports have been blocked by Spanning-Tree?
show spanning-tree blockedports


What is a recommended best practice with enabling Root Guard?
It is recommended to enable Root Guard on all access ports so that a root bridge cannot be elected out of those ports.


What is the significance of the PPP Type field as compared to older serial data link standards?
Having a Type field allows multiple higher-layer protocols to be used simultaneously over the link. Previous standards required either proprietary extensions (like Cisco's version of HDLC or Frame Relay), or required static configurations between sender and receiver to know what was expected to be sent over the link.


What are the three phases of initiating a PPP session between two devices?
Link Establishment
Authentication
Network Layer Protocol


At a high level, what occurs during the PPP Link Establishment Phase?
Two devices verify whether they speak PPP and negotiate basic link operation parameters using LCP.


What five main functions are provided by PPP LCP?
-Verify devices speak PPP
-Verify link is not looped
-Negotiate basic parameters
-Verify session liveliness
-Tear down session if either device requests it


What are the four Configure messages used by PPP LCP?
Configure-Request
Configure-Ack
Configure-Nak
Configure-Reject


What is the PPP "magic number" used for?
During link-establishment, LCP sends a CONFREQ message containing a random "magic" number. If the sender receives a CONFREQ with the same number once, it is possible that both sender and receiver chose the same number, and a different number is chosen. If the received CONFREQ message has the same magic number again, the link is most likely looped.


What are four of the capabilities exchanged during PPP link establishment?
MTU
Authentication type
Link Quality Monitoring
Selected frame header compression (IP, RTP, etc)


During PPP link establishment, when a device receives a CONFREQ message and agrees with all of the parameters, how does it respond?
With a CONFACK Configure-Ack message


What is contained in a PPP CONFACK message?
A CONFACK is an exact duplicate of an accepted CONFREQ message. A CONFACK means both PPP devices agree on the link establishment parameters.


What is the purpose of the PPP CONFNAK message?
A CONFNAK message is the response to a CONFREQ message where some of the parameters are not acceptable, but can be negotiated. 


What is contained in the PPP CONFNAK message?
CONFNAK message contain a list of all unacceptable options from the received CONFREQ message, with values set to the device's own acceptable values for the options.


What's the difference between a PPP CONFNAK and CONFREJ message?
CONFNAK is used when certain parameters are unacceptable, but negotiable.

CONFREJ is used when certain paramaters are unacceptable and nonnegotiable.


True or False: A PPP device receiving a CONFREJ message is unable to establish a PPP session with its neighbor.
False: CONFREJ lists the parameters and values that are unacceptable and nonnegotiable by the neighbor. The sending PPP device has the option of operating without the nonnegotiable features to allow the PPP session to come up.


At a high level, how does authentication work with PPP?
PPP authentication is a one-way procedure where one device proves its identity to the other device. Mutual authentication is two independent one-way authentications.


After a PPP link has been established and authentication passed, what must occur before any data can be transmitted?
Both devices must negotiate and agree on Network Control Protocols for each upper-layer data type to be transferred. For example, if both devices support IPv4 (via IPCP), but only one device supports IPv6 (via IPv6CP), IPv6 data will not be transmitted over the link.


What are the two stages of PPPoE?
Discovery
PPP Session


What is the PPPoE Discovery Stage used for?
To allow the client to discover an access concentrator and associate with it.


What are the four steps of the PPPoE Discovery Stage?
-PADI PPPoE Active Discovery Initiation
-PADO PPPoE Active Discover Offer
-PADR PPPoE Active Discovery Request
-PADS PPPoE Active Discovery Session-confirmation

Similar in concept to DHCP DORA


What is the PPPoE Active Discovery Initiation (PADI) used for?
PPPoE client broadcasts a PADI frame to solicit access concentrators in the same broadcast domain.


What is the PPPoE Active Discovery Offer (PADO) used for?
PPPoE access concentrator receiving a PADI responds with a unicast PADO frame containing the name of the access concentrator to the client.


What is the PPPoE Active Discovery Request (PADR) used for?
PPPoE client chooses a particular access concentrator and unicasts a PADR frame to associate with it.


What is the PPPoE Active Discovery Session-confirmation (PADS) used for?
A PPPoE access concentrator willing to handle a particular client (by receipt of PADR) responds with a unicst PADS frame and assigns a unique Session ID to the particular client's session.


What occurs during the PPPoE Session Stage?
Clients send and receive PPP frames using the same PPPoE Session ID assigned by the access concentrator. During this stage, all PPP operations are the same as if PPP was running over a serial link in HDLC framing.


What are the EtherTypes of PPPoE control (discovery) frames, and PPPoE data (session) frames?
0x8863 (discovery)
0x8864 (session)


What happens to the IP routing table when a PPP link is established?
IPCP adds a /32 neighbor route to the IP routing table.


How do you prevent a PPP-encapsulated link from automatically adding a neighbor route upon successful connection?
Interface:
no peer neighbor-route


How do you configure PPP to install a default route to the neighbor?
Interface:
ppp ipcp route default


How do you configure a PPP session so that one device assigns a static IP address to the other side?
Assigning device interface:
peer default ip address ip

Assigned device interface:
ip address negotiated


When configuring a PPP interface to provide a static IP address to the peer device, how is the IP address installed in the peer device's IP routing table?
As a /32 host route


How do you configure a router using PPP to request the peer device to authenticate itself with PAP?
Interface:
ppp authentication pap


How do you configure a router running PPP to provide authentication information to a requesting device via PAP?
Interface:
ppp pap sent-username username password password


When configuring a router to ask the peer device to provide authentication via PAP, what additional information must be configured?
The global username user password password for the authenticated peer device.


How can you view what PPP options have been established for a particular interface?
show ppp interface interface


What are the three packets exchanged during CHAP authentication?
Challenge
Response
Success/Failure


Why does PPP CHAP one-way authentication require a username and password configured on both devices?
With one-way authentication, even though only one device is asking the other device to authenticate itself, each device sends its hostname (corresponding to the username) in the CHAP message, which the opposite device uses for reference when calculating the MD5 hash.


With regard to configuration, what is the difference between PPP CHAP one-way and two-way authentication?
For both one-way and two-way authentication, a username and password must be configured on both devices. With one-way authentication, ppp authentication chap is configured on one device, and with two-way authentication, it is configured on both devices.


How do you configure PPP to send a CHAP username that is different from the default hostname?
Interface:
ppp chap hostname username


For devices acting as PPPoE concentrators, each PPPoE concentrator instance is represented by what construct?
bba-group


For PPPoE, what is contained in the bba-group?
The bba-group contains the configuration details of a particular PPPoE concentrator instance, such as the concentrator name presented to clients, maximum number of attached clients, and a reference to the Virtual-Template.


What is a Virtual Template interface?
A Virtual Template interface is a placeholder for the configuration of per-client Virtual-Access interfaces that are created when the client connects. The configuration of the Virtual Template interface is cloned to the Virtual-Access interfaces as they are instantiated.


With PPPoE, what are Virtual Template interfaces applied to?
bba-group


With PPPoE, what are bba-groups applied to?
Ethernet interfaces (or subinterfaces)


What is the default encapsulation of virtual-template interfaces?
PPP


What is a recommended configuration for virtual-template interfaces with regard to sourcing an IP address?
It is recommended to create a loopback interface, and then reference it from the virtual-template interface with ip unnumbered loopback

This was due to a limitation in older versions of IOS with using the same IP address on more than a certain number of interfaces.


When configuring PPPoE on the server side, where do you specify the MTU and MSS settings?
Under the virtual-template interface


When configuring PPPoE on the client side, where do you specify the MTU and MSS settings?
Under the dialer interface


What is the default encapsulation of Dialer interfaces?
HDLC


How do you view the status of locally-configured IP address pools?
show ip local pool


What is the difference between DMVPN Phase 1 and Phase 2?
Phase 1 only allows hub-to-spoke traffic, not spoke-to-spoke, and the spoke tunnel interfaces are configured as regular point-to-point GRE.

Phase 2 allows dynamic spoke-to-spoke traffic with the spoke tunnel interfaces configured as multipoint GRE, just as the hub is.


What is the process of a DMVPN Phase 2 spoke learning the NHRP mapping of another spoke?
-Spoke1 sends NHRP resolution request for Spoke2 to the tunnel IP of the Hub
-Hub relays request to Spoke2
-Spoke2 adds its own mapping to the received request and sends NHRP reply directly to Spoke1
-Spoke2 sends NHRP resolution request for Spoke1 to Hub
-Hub relays request to Spoke1
-Spoke1 adds its own mapping to the received request and sends NHRP reply directly to Spoke2


During the buildup of DMVPN Phase 2 spoke-to-spoke communications, how is bidirectional communication between the spokes established?
The first spoke sends a NHRP resolution request to the hub for the second spoke. The hub forwards the request to the second spoke, which then replies directly to the original spoke. The second spoke then sends its own NHRP resolution request to the hub for the first spoke. The hub forwards the request to the first spoke, which then replies directly to the second spoke, completing verified bidirectional communications.


When establishing spoke-to-spoke DMVPN Phase 2 tunnels, why does the second spoke perform its own NHRP resolution request, even though it already received information about the originating spoke from the hub?
By repeating the NHRP resolution process on the second spoke, both spokes acknowledge each other's requests were received, and spoke-to-spoke NBMA reachability is confirmed.


What are the three primary restrictions of DMVPN Phase 2?
-Summarization is not allowed on the hub
-Default routing is not allowed on the hub
-Spokes must always maintain next-hop reachability


What is the significance of the DMVPN NHRP network ID?
The network ID is locally-significant and distinguishes between different DMVPNs on the same device. It makes operational sense to configure the same ID across all devices in the same DMVPN, but it is not required.


From a DMVPN spoke router, how do you configure reachability to the hub?
Tunnel interface:
ip nhrp nhs hub-tunnel-ip
ip nhrp map hub-tunnel-ip hub-nbma-ip


What two features enable DMVPN Phase 3?
NHRP Redirect
NHRP Shortcut


What three major restrictions are removed in DMVPN Phase 3, as opposed to Phase 2?
-Summarization is allowed on the hub
-Default routing is allowed on the hub
-Next-hop values on the spokes are always modified


What two configurations are added to enable DMVPN Phase 3?
Hub tunnel interface:
ip nhrp redirect

Spoke tunnel interface:
ip nhrp shortcut


With regard to DMVPN Phase 3, what does the ip nhrp redirect command do?
This command enables the hub router to send out NHRP Traffic Indication messages, which let the originating spoke know that there is a better way to reach it's destination.


With regard to DMVPN Phase 3, what does the ip nhrp shortcut command do?
This command enables a spoke router to accept incoming NHRP Traffic Indication messages, which causes the spoke to send an NHRP Resolution Request message for the original packet's destination address, then install the destination network (with the destination spoke as the next hop) in the local IP routing table after receiving the NHRP Resolution Reply from the destination spoke.


For which DMVPN Phase(s) is summarization on the hub allowed?
Phase 1 & 3

DMVPN Phase 1 does not establish spoke-to-spoke tunnels, and summarization is not an issue. Summarization on the hub is not allowed in DMVPN Phase 2 because the next-hop address cannot be modified. Phase 3 allows summarization on the hub due to the behavior of the NHRP redirect / shortcut.


Why is summarization allowed on the hub in DMVPN Phase 1?
DMVPN Phase 1 does not establish spoke-to-spoke tunnels, and summarization is not an issue.


Why is summarization on the hub not allowed in DMVPN Phase 2?
Summarization on the hub is not allowed in DMVPN Phase 2 because the next-hop address cannot be modified.


Why is summarization allowed on the hub with DMVPN Phase 3?
Phase 3 allows summarization on the hub due to the behavior of the NHRP redirect / shortcut.


What is the process of building spoke-to-spoke communication with DMVPN Phase 3?
-1st spoke sends packet destined for 2nd spoke with hub as next-hop
-Hub forwards packet to 2nd spoke, and sends NHRP Redirect to 1st spoke
-1st spoke receives NHRP Redirect and sends NHRP Resolution Request toward the hub for the 2nd spoke, which the hub then forwards to the 2nd spoke
-2nd spoke responds to inital packet with reply packet destined for 1st spoke with hub as next-hop, which the hub then forwards to 1st spoke, and sends NHRP Redirect to 2nd spoke
-2nd spoke receives NHRP Redirect and sends NHRP Resolution Request to the hub for the 1st spoke, which the hub then forwards to the 1st spoke
-2nd spoke sends NHRP Resolution Reply directly to 1st spoke
-1st spoke receives NHRP Resolution Request and sends NHRP Resolution Reply directly to 2nd spoke


What is another term for the NHRP Redirect message?
Traffic Indication message


With DMVPN Phase 3, what is returned with NHRP Resolution Reply messages?
The entire destination prefix, not just the destination (next-hop) IP address.


How do you configure a prefix-list to match all Class A addresses that are not subnetted?
ip prefix-list name permit 0.0.0.0/1 ge 8 le 8

Class A addresses have the first bit set to 0, and are in the range of 1 - 126 inclusive. Class A addresses have a prefix length of 8, therefore any prefix length of 9 or greater means the Class A network has been subnetted.


How do you configure a prefix-list to match all Class B addresses that are not subnetted?
ip prefix-list name permit 128.0.0.0/2 ge 16 le 16

Class B addresses are in the range of 128 - 191, inclusive, whose first two bits are 1 0. All non-subnetted Class B addresses have a prefix length of 16.


How do you configure a prefix-list to match all Class C addresses that are not subnetted?
ip prefix-list name permit 192.0.0.0/3 ge 24 le 24

The range of Class C addresses is 192 - 223, inclusive. The first three bits of all Class C addresses is 1 1 0. Non-subnetted Class C networks have a prefix length of exactly 24.


What is the process to create a single prefix-list entry matching two or more ranges of IP addresses?
Determine the common network bits, and the minimum and maximum prefix lengths.

For example, to create a single prefix-list entry matching 10.1.204.0/28 and 10.1.203.0/26, you can see immediately that the first 16 bits are common. 203 in binary is 11001011 and 204 is 11001100, so there are a total of 16 + 5 = 21 bits in common. This translates to a base prefix of 10.1.200.0 with a minimum length of 21 and a maximum length of 28:

ip prefix-list name permit 10.1.200.0/21 ge 21 le 28


How do you configure a prefix list to deny only host routes?
ip prefix-list name deny 0.0.0.0/0 ge 32
ip prefix-list name permit 0.0.0.0/0 le 32


What are the configuration requirements for using EIGRP over DMVPN?
Tunnel interface:
ip nhrp map multicast
no ip split-horizon eigrp asn

Phase 2 also requires:
no ip next-hop-self eigrp asn


What is a caveat of manually configuring a neighbor in EIGRP?
The other neighbor must also be manually configured. Additionally, for broadcast interfaces, if one neighbor is manually configured, all neighbors must be manually configured.


Where is redistribution configured for EIGRP named mode?
Under topology base


How do you configure classic EIGRP third-party next-hop?
Interface:
no ip next-hop-self eigrp asn


How do you configure named EIGRP third-party next-hop?
AF-interface:
no next-hop-self


How do you configure summarization for multiple interfaces in EIGRP named mode?
You cannot configure summarization under af-interface default, you must configure it under the individual af-interfaces.


How do you configure EIGRP named mode to limit the number of prefixes allowed to be learned from a particular neighbor, and issue a syslog message when a certain percentage threshold has been crossed?
AF global:
neighbor neighbor maximum-prefix maxpfx percent


When configuring a maximum number of prefixes allowed to be received from a particular EIGRP neighbor, what happens if the warning-only keyword is not used?
With the warning-only keyword, a syslog message is generated whenever the limit has been reached, and no new prefixes can be received from the neighbor. Without the keyword, the neighbor adjacency is torn down when the limit is crossed.


What is a good practice before configuring an ACL?
View existing ACLs first: 
show access-lists


How do you manually calculate the default EIGRP classic metric?
10,000,000 Kbps / lowest bandwidth along the path in Kbps
+ Sum of all delays along the path in 10s of microseconds
* 256

Example: Path contains a 1 Gbps link and a 100 Mbps link, with 10µs and 100µs delay, respectively. 100 Mbps is the lowest value along the path, so the formula is [ (10,000,000 / 100,000) + (1 + 10) ] * 256 = 111 * 256 = 28,416


How do you manually calculate the EIGRP wide default composite metric?
Throughput + Latency

Throughput = 10,000,000 * 65,536 / minimum bandwidth in Kbps
Latency = Total delay in picoseconds * 65,536 / 1,000,000

Example: 100 Mbps link as slowest, with total delay of 101,250,000 picoseconds

Throughput: 10,000,000 * 65,536 / 100,000 Kbps = 6,553,600
Latency = 101,250,000 * 65,536 / 1,000,000 = 6,635,520

Metric = 13,189,120 = 6,553,600 + 6,635,520

Value placed in the RIB is 103,040 = 13,189,120 / 128


How can you view received EIGRP routes for which there are no Successors?
show ip eigrp topology zero-successors


Why would the EIGRP wide metric rib-scale need to be adjusted?
EIGRP wide metrics are 64-bit, and the current IOS RIB is 32-bit. With slower links, such as 10 Mbps Ethernet, the default rib-scale value of 128 is too small, and would cause the metric for those slower links to be larger than what can fit in the RIB (and therefore, the route would be seen as having an infinite metric and unusable). By increasing the metric rib-scale value, slower links can be used.

In the future, the rib-scale value may need to be adjusted downward to accomodate faster-speed links.


If you adjust the EIGRP wide metric rib-scale value on one router, do you have to change it on all routers?
No, the rib-scale value has local significance only in the sense that the calculation is performed locally, and the resulting value is stored only in the local RIB and not advertised.

However, you should make sure all routers use the same value, unless you are adjusting the value purposely to filter routes. If the value is adjusted so that, for example, a slower link can be used (and not seen as having an infinite metric), then every router in a path that must use that link must also have its rib-scale value adjusted as well.


With EIGRP, what happens if you configure a leak-map to reference a route-map that does not exist?
Only the summary route is advertised


With EIGRP, what happens if you configure a leak-map to reference a route-map that references an ACL that does not exist?
The summary route and all specific routes are advertised


On Cisco IOS, how do you enter a ? as part of a character string (such as a password)?
Esc, q, ?


How does Cisco define "cloud"?
IT resources and services that are abstracted from the underlying infrastructure and provided on-demand and at-scale in a multitenant environment.


What are the three components of Cisco's definition of "cloud"?
On-demand resources
At-scale meaning illusion of infinite resource availability
Multitenant Environment


What are the four general cloud architectures?
Public
Private
Virtual Private
Inter-Cloud


What are the three components of Cisco's definition of private cloud?
Automation / Orchestration
Workload Mobility
Compartmentalization


What is Cisco's definition of a virtual private cloud?
A combination of public and private clouds, sometimes referred to as a hybrid cloud.


What are the four critical service layers of cloud computing as defined by Cisco?
IT Foundation
SaaS Software as a Service
PaaS Platform as a Service
Iaas Infrastructure as a Service


A hosted web-based word processor is an example of what?
Software as a Service


The interface (typically APIs) between a hosted application and a development/scripting environment that supports it is known as what?
Platform as a Service


What is the model of having compute, network, and storage delivered over the network on a pay-as-you-go basis?
Infrastructure as as Service


When referring to XaaS, what is the IT Foundation?
The basis of the other types of delivered services. A collection of core technologies that evolve over time, such as virtualization, and the evolution of physical networks from 3-tier to leaf/spine.


What are some performance and reliability tradeoffs to consider with cloud environments?
-The speed of access to a private cloud may be slower than a private cloud
-The reliability of a public cloud may be higher than a private cloud


What is a potentially major security consideration with data storage in a public cloud?
The physical location of the data. For example, sensitive data stored in "unfriendly" locations, or areas prone to natural disasters.


How is privacy typically achieved with cloud computing?
Multitenancy. Customers are logically (and sometimes physically) separated from each other.


What is the difference in scalability among the four cloud models?
Private cloud involves the highest cost to expand scalability. The other models provide extreme scalability, with the inter-cloud model providing the highest level of scalability.


What is a potential issue of cloud interoperability with applications?
With public cloud, it is up to the developer to use the cloud-provided APIs. However, custom in-house applications may be better suited to private cloud.


What are the three main cloud network access methods?
Private WAN
Internet Exchange Point (IXP)
Internet VPN


What is the difference between automation and orchestration?
Automation refers to completing a single task.
Orchestration is an ordered set of tasks with conditions.


What is workload mobility?
The capability of distributing various resources (computer, storage, network, etc) in an abstracted manner. For example, geographically-based anycast solutions.


What is NETCONF?
A protocol by which configurations are installed and changed. YANG represents the meaning of the data, and NETCONF delivers the data itself in XML format.


What is YANG?
A modeling language used to represent device configurations and state, which defines the structure of the data, but not the data itself.


How are NETCONF and YANG related?
NETCONF is the transport vessel for YANG information to be transferred from a NMS to a network device, similar in concept to HTTP (NETCONF) being used to transport HTML (YANG). Another analogy is YANG is to NETCONF as MIBs are to SNMP.


What are four common data representation formats for network programmability?
YANG
YAML
JSON
XML


What is the codename for the OpenStack compute component?
Nova


What is the OpenStack codename Nova component?
Nova manages pools of compute resources, such as VMs, containers, and bare-metal servers.


What is the codename for the OpenStack networking component?
Neutron


What is the OpenStack codename Neutron component?
Neutron manages networks and IP addresses, and provides network abstraction.


What is the codename for the OpenStack block storage component?
Cinder


What is the OpenStack codename Cinder component?
Cinder is an API that manages creating, attaching and detaching block storage devices to servers. Many storage vendors include a Cinder plug-in that translates the API to vendor-specific interfaces.


What is the codename for the OpenStack identity component?
Keystone


What is the OpenStack codename Keystone component?
Keystone is the identity component that provides a directory service with users mapped to the services they can access.


What is the codename for the OpenStack imaging component?
Glance


What is the OpenStack codename Glance component?
Glance provides discovery, registration, and retrieval of VM images


What is the codename for the OpenStack object storage component?
Swift


What is the OpenStack codename Swift component?
Swift provides object storage with built-in data replication and integrity.


What is the codename for the OpenStack dashboard component?
Horizon


What is the OpenStack codename Horizon component?
Horizon provides a dashboard/GUI for administering various aspects of OpenStack.


What is the codename for the OpenStack orchestration component?
Heat


What is the OpenStack codename Heat component?
Heat provides orchestration for cloud applications via templates using APIs


What is the codename for the OpenStack workflow component?
Mistral


What is the OpenStack codename Mistral component?
Mistral manages user-created workflows, which can be event-driven or triggered manually.


What is the codename for the OpenStack telemetry component?
Ceilometer


What is the OpenStack codename Ceilometer component?
Ceilometer is used for telemetry and provides a single point of contact for billing systems used within the cloud environment.


What is the codename for the OpenStack database component?
Trove


What is the OpenStack codename Trove component?
Trove is a database-as-a-service provisioning engine.


What is the codename for the OpenStack Elastic MapReduce component?
Sahara


What is the OpenStack codename Sahara component?
Sahara provides Elastic MapReduce functionality, which is an automated way to provision Hadoop clusters.


What is the codename for the OpenStack bare metal provisioning component?
Ironic


What is the OpenStack codename Ironic component?
Ironic provisions bare metal machines rather than VMs


What is the codename for the OpenStack messaging component?
Zaqar


What is the OpenStack codename Zaqar component?
Zaqar provides a cloud messaging service for web developments used to communicate between SaaS and mobile applications.


What is the codename for the OpenStack shared file system component?
Manila


What is the OpenStack codename Manila component?
Manila provides an API to manage file shares in a vendor agnostic fashion


What is the codename for the OpenStack DNS component?
Designate


What is the OpenStack codename Designate component?
Designate provides a multi-tenant REST API for managing DNS-as-a-service


What is the codename for the OpenStack search component?
Searchlight


What is the OpenStack codename Searchlight component?
Searchlight provides search capabilities across various cloud services, such as searching for compute instance status or storage system names.


What is the codename for the OpenStack key manager component?
Barbican


What is the OpenStack codename Barbican component?
Barbican is a key manager that provides secure storage, provisioning and management of passwords.


What are the four primary SDN models?
Distributed
Augmented
Hybrid
Centralized


What is the distributed SDN model?
The distributed SDN model is most similar to traditional networking with the control plane distributed among devices (as in traditional routing protocols).


What is the augmented SDN model?
The augmented SDN model builds on the distributed model by including a centralized controller that adjusts various policies as they are needed, but otherwise relies on the traditional distributed control plane. An example of this is Cisco's PfR.


What is the hybrid SDN model?
The hybrid SDN model is similar to the augmented SDN model in that there is a traditional distributed control plane operating underneath, however the hybrid model can implement policy at any point in the network. Cisco's ACI is an example of this model.


What is the centralized SDN model?
The centralized model relies on a single central controller to program the forwarding plane of all network devices.


What is an SDN controller?
The SDN controller is the component responsible for programming the forwarding tables of data-plane devices.


What is an API?
Application Programmability Interface defines a standard way of interfacing with a software application or operating system. Examples are REST and RESTCONF available in IOS-XE.


What are northbound protocols?
Northbound protocols are typically APIs that applications can use to make requests of the network. For example, a specific QoS treatment could be specified by the application.


What is an example of a northbound interface?
a REST API


What is a southbound interface?
The control plane protocol(s) between the centralized controller and the network forwarding hardware. An example is OpenFlow.


What is an example of a southbound protocol?
OpenFlow


What are the three common software development models?
Waterfall
Iterative
Agile / DevOps


What is service function chaining?
Sequencing virtualized network services (VNFs) in a particular order to solve a particular business problem. Examples include placing virtual routers, firewalls, and IPS in a particular order.


With regard to IoT, what are LLNs?
Low-Power and Lossy Networks


With regard to IoT, what is RPL?
IPv6 Routing Protocol for LLNs, which is a distance-vector routing protocol specifically designed to support IoT. RPL borrows ideas from traditional IP routing, multi-topology routing (MTR), and MPLS-TE.


What is 6LoWPAN?
IPv6 over Low Power WPANs. 

6LoWPAN is an adaptation layer for IPv6 using IEEE 802.15.4 wireless networks.


How does 6LoWPAN adapt IPv6 for IEEE 802.15.4 wireless networks?
MTU correction - fragments IPv6 minimum 1280 byte MTU to 802.15.4 127 byte MTU
Header compression - assumes common fields to compress IPv6 (40B) + UDP (8B) to 7B
Mesh routing
MAC-level retransmissions - instead of higher-layer responsibility


What is CoAP?
Constrained Application Protocol

Similar to (but simpler than) HTTP, designed to support machine-to-machine communications over UDP for Low-power and Lossy Networks (LLNs)


What is MQTT?
Message Queuing Telemetry Transport

Lightweight machine-to-machine communications over TCP


What standards body has defined the NFV architectural framework?
ETSI European Telecommunications Standards Institute


What was the intended use for GLOP addressing?
To provide an interoperable /24 multicast address space for every 16-bit ASN in the 233/8 range.


What type of route has the default AD of 0?
Connected


What type of route has the default AD of 1?
Static


What type of route has the default AD of 5?
EIGRP summary route


What type of route has the default AD of 20?
eBGP


What type of route has the default AD of 90?
EIGRP internal


What type of route has the default AD of 100?
IGRP


What type of route has the default AD of 110?
OSPF


What type of route has the default AD of 115?
IS-IS


What type of route has the default AD of 120?
RIP


What type of route has the default AD of 170?
EIGRP external


What type of route has the default AD of 200?
iBGP
BGP Local (locally-injected)


What type of route has the default AD of 160?
ODR


What type of route has the default AD of 255?
Discard / infinite / unreachable routes


When redistributing connected interfaces into OSPF that have IP addresses within an OSPF network statement, what happens?
The routes for those interfaces are injected as OSPF Intra-Area routes, while the other interfaces are redistributed as OSPF External Type 2 routes (by default).


What is the default OSPF network type for tunnel interfaces?
point-to-point


What two special considerations must you give to OSPF when using DMVPN tunnel interfaces?
OSPF treats tunnel interfaces as network type point-to-point by default, and the OSPF network type setting may need to be changed, depending on the network design. Likewise, timers may also need to be adjusted.


What is the result of an interface configured as OSPF network type broadcast on an NBMA network where multicast capabilities have been provided through mapping, but not L2 address resolution?
OSPF neighbors will be formed by way of multicast, but next-hops will not be reachable until the NBMA addresses are mapped.


When authentication is configured for an OSPF area, how can you exempt particular neighbors?
On the interfaces between the neighbors, enable null authentication with ip ospf authentication null


When OSPF authentication is enabled for an area, what happens if you disable the authentication on a particular link?
Downstream neighbors will not require authentication.


Why does OSPF suppress hello and refresh messages on virtual links?
Virtual links are treated like demand circuits in OSPF


What does the ip ospf demand-circuit command do?
With links that are not intended to be up 100% of the time, OSPF hello and refresh messages would cause the link to remain up indefinitely. The ip ospf demand-circuit command causes OSPF to suppress hello and refresh while still maintaining the neighbor adjacency. The link comes back up when there is an OSPF topology change.


With OSPF, what is the difference between area range and summary-address?
area-range is used to summarize internal routes
summary-address is used to summarize external routes


What is automatically generated when you issue the OSPF area range command, and what are two ways to prevent it?
An internal discard route to Null0 is automatically injected along with the summary address.

You can prevent this under the OSPF process with either of the following:
no discard-route internal
discard-route internal 255


What are two ways to prevent an external OSPF discard route from being installed on an ASBR?
OSPF process:
no discard-route external
discard-route external 255


How do you prevent an OSPF Type 3 LSA from being generated?
ABR OSPF process:
area area range prefix mask not-advertise


How can you prevent an OSPF Type 5 or Type 7 LSA from being generated?
ASBR OSPF process:
summary-address prefix mask not-advertise


How can you prevent OSPF from advertising LSAs on a particular interface?
Interface:
ip ospf database-filter all out


What happens if you prevent OSPF from advertising LSAs on an interface?
OSPF neighborships will remain, but the routers connected over the interface will not receive LSAs.


What determines the OSPF cost value of a virtual link?
The OSPF cost of a virtual link is based on the total OSPF cost between the two endpoints.


OSPF virtual links are not allowed to traverse stub areas. What is a workaround for this issue?
GRE tunnels


What is the OSPF "P" bit?
The "P" bit is set by the ASBR in an NSSA to indicate whether or not to propagate the redistributed route beyond the local area. If the bit is not set, the redistributed route remains within the NSSA and is not translated to a Type 5 LSA by the ABR.


How do you manually configure the OSPF cost of injected default routes (such as for stub areas)?
OSPF process:
area area default-cost cost


What is the OSPF area area default-cost cost command used for?
To set the OSPF cost of an injected default route (such as for stub areas).


What does the interface command ip ospf database-filter all out do?
Prevents OSPF from advertising LSAs on the interface for which the command is configured.


What does the OSPF command summary-address prefix mask not-advertise do?
Prevents OSPF Type 5 or Type 7 LSAs from being generated.


What does the OSPF command area area range prefix mask not-advertise do?
Prevents OSPF Type 3 LSAs from being generated.


How can you prevent OSPF from sending periodic hello or refresh messages on a link, but maintain the neighbor adjacency?
Interface:
ip ospf demand-circuit

This must be configured on both ends of the link.


What does a forwarding address of 0.0.0.0 in an OSPF LSA mean?
To reach the next hop, go the the advertising router, as described in the LSA.


What does the OSPF command area area nssa translate type7 suppress-fa do?
When an ASBR in an NSSA generates a Type 7 LSA, the forwarding address it itself, and remains so when the ABR translates the Type 7 LSA to a Type 5 LSA when reoriginating into the backbone. This command causes the Type 5 LSA to have the forwarding address set to 0.0.0.0 (the ABR) instead of that of the NSSA ASBR.


What is OSPF forwarding address suppression?
When an ASBR in an NSSA generates a Type 7 LSA, the forwarding address is itself, and remains so when the ABR translates the Type 7 LSA to a Type 5 LSA when reoriginating into the backbone. FA suppression causes the Type 5 LSA to have the forwarding address set to 0.0.0.0 (the ABR) instead of that of the NSSA ASBR.


What is the primary use case for OSPF forwarding address suppression?
The ASBR in an NSSA originates a Type 7 LSA for each redistributed route, which the ABR then re-originates as Type 5 in area 0, with the forwarding address set to the originating ASBR. It may be undesirable to inject all of the external routes directly into the backbone, so the ABR can filter them out, but in doing so, the reachability to the ASBR outside the NSSA may be filtered as well. OSPF forwarding address suppression causes the ABR to set the forwarding address to 0.0.0.0 as it originates the translated Type 5 LSAs into the backbone.


What is the result of configuring OSPF forwarding address suppression when there are multiple ABRs in the NSSA?
When there are multiple ABRs in an NSSA, the ABR with the highest RID is elected to perform the Type 7 to Type 5 translation. FA suppression may lead to suboptimal routing when there are multiple exit points because enabling it causes traffic to always flow through the translating ABR.


How does RFC 3101 NSSA behavior prefer two LSAs with the same destination, cost, and non-zero forwarding address?
Type 7 LSA with P-bit set
Type 5 LSA
LSA with higher RID


How does RFC 1587 NSSA behavior prefer two LSAs with the same destination, cost, and non-zero forwarding address?
Type 5 LSA
Type 7 LSA with P-bit set and non-zero forwarding address
Type 7 LSA


Newer versions of Cisco IOS use the RFC 3101 OSPF NSSA LSA selection rules. How do you modify OSPF to use the older RFC 1587 rules?
OSPF process:
compatible rfc1587


What does the OSPF command compatible rfc1587 do?
Newer versions of Cisco IOS use the RFC 3101 NSSA LSA selection rules. Issuing this command causes IOS to use the older RFC 1587 rules.


When configuring a route-map, how can you select a particular routing protocol?
match source-protocol protocol pid


When configuring a route-map, how do you select a range of metric values?
With the match metric option, you can either match multiple individual metric values, or you can match a range by entering the value range midpoint, the +- modifier, and the positive and negative range.

For example, to match a range of metric values from 500 - 1500, the command would be:
match metric 1000 +- 500


What is the process of determining the midpoint and derivation values for configuring a range of metric values?
Mid value = (min + max) / 2
Derivation value = (max - min) / 2


How do you disable Ethernet autonegotiation?
Change BOTH speed and duplex to something other than auto


When VTP Pruning is enabled, which VLANs become prune eligible?
2 - 1001


What is the IP Protocol for IGMP?
2


What is the IP Protocol for IP-in-IP encapsulation?
4


What is the IP Protocol for IPv6?
41


What is the IP Protocol for RSVP?
46


What is the IP Protocol for GRE?
47


What is the IP Protocol for Encapsulating Security Payload (ESP)?
50


What is the IP Protocol for Authentication Header (AH)?
51


What is the IP Protocol for Protocol Independent Multicast (PIM)?
103


What is IP Protocol 1?
ICMP


What is IP Protocol 2?
IGMP


What is IP Protocol 4?
IP-in-IP encapsulation


What is IP Protocol 6?
TCP


What is IP Protocol 17?
UDP


What is IP Protocol 41?
IPv6


What is IP Protocol 46?
RSVP


What is IP Protocol 47?
GRE


What is IP Protocol 50?
ESP


What is IP Protocol 51?
AH


What is IP Protocol 88?
EIGRP


What is IP Protocol 89?
OSPF


What is IP Protocol 103?
PIM


What is IP Protocol 115?
L2TPv3


What are the two Ethernet pseudowire modes?
Raw mode
Tagged mode


What is the difference between tagged and raw mode Ethernet pseudowires?
Tagged mode requires a service-delimiting VLAN tag, while raw mode removes any service-delimiting VLAN tags, when sending data across the pseudowire.

Both modes transparently pass customer VLAN tags across the pseudowire.


What is another name for an Ethernet pseudowire in Tagged mode?
VLAN-based


What is another name for an Ethernet pseudowire in Raw mode?
Port-based


What is the pseudowire type of tagged-mode Ethernet?
0x0004


What is the pseudowire type of raw-mode Ethernet?
0x0005


What is the pseudowire type 0x0004?
Tagged-mode Ethernet


What is the pseudowire type 0x0005?
Raw-mode Ethernet


What is the EtherType for IPv4?
0x0800


What is the EtherType for IPv6?
0x86DD


What is the EtherType for LLDP?
0x88CC


What is EtherType 0x0800?
IPv4


What is EtherType 0x0806?
ARP


What is EtherType 0x8100?
802.1Q-tagged frame


What is EtherType 0x86DD?
IPv6


What is EtherType 0x8863?
PPPoE Discovery


What is EtherType 0x8864?
PPPoE Session


What is EtherType 0x88CC?
LLDP


When using PAgP or LACP on an EtherChannel, what happens to the the local port if it cannot negotiate an EtherChannel with the remote port?
The local port is put into an independent state and continues to carry traffic like a regular single link. The port configuration does not change, but the port does not participate in the EtherChannel.


What is a limitation of using PAgP with StackWise?
PAgP does not support cross-stack EtherChannels.


Where does a Layer 2 EtherChannel obtain its MAC address from?
The first port in the channel that comes up.


True or False: EtherChannel member ports with different STP path costs will be suspended from the EtherChannel.
False. Ports with different STP path costs can form an EtherChannel if they are otherwise compatibly configured.


How does Administrative Distance affect routing optimality when performing mutual routing protocol redistribution on multiple routers?
Redistributed routes should be marked with a higher AD so that the redistributing routers will use the source protocol when routing.


With the default classless routing configuration, when is the default route used?
When the packet's destination does not match any specific route in the IP routing table.


With a classful routing configuration, when is the default route used?
The default route is used only if the packet's destination does not exist in any classful network in the IP routing table.


What must be true for RIP to advertise a default route via the ip default-network command?
The classful network must be in the local router's IP routing table.


What must be true for EIGRP to advertise a default route via the ip default-network command?
The classful network must be advertised by the local router into EIGRP through any means.


How does RIP utilize the ip default-network setting?
RIP advertises a route to 0.0.0.0/0


How does EIGRP utilize the ip default-network setting?
EIGRP advertises the classful network flagged as the candidate default. 


What is the AD of an EIGRP Summary route?
5


How do you modify the default AD of an EIGRP summary route?
EIGRP process:
summary-metric summary distance distance


During which PfR phase are flows that have high latency and throughput learned, and Monitored Traffic Classes assembled?
Profile phase


During which PfR phase are performance metrics collected and computed for the traffic previously identified in the Monitored Traffic Classes (MTC) list?
Measure phase


During which PfR phase are low and high thresholds defined for in-policy and out-of-policy performance categories?
Apply Policy phase


During which PfR phase is traffic influenced by manipulating routing or using PBR?
Control phase


During which PfR phase is out-of-policy traffic performance re-evaluated and adjusted if necessary?
Verify phase


What is the term for PfR interfaces that connect to the network for communication with the Master Controller?
Internal


What is the term for PfR interfaces that are used to transmit packets out of the local network?
External


On which PfR interfaces are prefixes and link performance monitored?
External


How many External interfaces are required for PfR?
At least two


Which PfR interface is used as the source to communicate with the Master Controller?
Local


What are IP addresses in the range of 224.0.0.0 - 224.0.1.255 referred to as?
Permanent multicast groups


What are IP addresses in the range of 232/8 referred to as?
Source-Specific Multicast


What are IP addresses in the range of 233/8 referred to as?
GLOP addressing


What are IP addresses in the range of 239/8 referred to as?
Private / Administratively-scoped multicast


What is a transient multicast address?
An IP multicast address that does not reside within a reserved range.


How are IP addresses in the 224.0.0.0/24 subnet intended to be handled by routers?
Multicast addresses in this range usually have a TTL of 1 and are not intended to be forwarded by routers.


What protocol is used to inform a local multicast router that a host wants to receive multicast traffic for a specific group, or to leave that group?
IGMP


Membership Query, v1 Membership Report, v2 Membership Report, and Leave Group refer to what?
Message types defined in the IGMPv2 Type field


What is the IGMPv2 Membership Query message type used for?
It is used by multicast routers to discover the presence of group members on a subnet.


When is an IGMPv2 Membership Query sent?
It is sent by a multicast router after it receives an IGMPv2 Leave Group message from a host to determine if any other hosts exist on the segment.


What is the Group Address field set to in an IGMPv2 General Membership Query?
0.0.0.0


To which address is an IGMPv2 Group-Specific Query message sent to?
The multicast IP address of the group being queried.


What is the range of the IGMPv2 Maximum Response Time?
1 - 255, each value represents 1/10th of a second


What is the default value of the IGMPv2 Maximum Response Time?
100 (10 seconds)


When is the IGMPv2 Maximum Response Time used?
The field is used only in Query messages.


What causes a host to send a solicited IGMPv2 Host Membership Report?
When the host receives an IGMPv2 Query from the local router, the host sends a MR for all the multicast groups for which it wants to receive traffic from, which is a solicited host MR.


What causes a host to send an unsolicited IGMPv2 Host Membership Report?
When a host joins a new group, it immediately sends a host MR to the local router that it wants to recieve multicast traffic for the group it just joined, which an unsolicited host MR.


What does a host do when it receives an IGMPv2 Query from the local multicast router?
The host sends a solicited Membership Report for all multicast groups it wishes to receive traffic from.


How does an IGMPv2 host signal to a router that it wishes to receive traffic for a particular multicast group?
With an unsolicited Host Membership Report message


What determines how long it takes a multicast router to determine that all hosts on a LAN have left a particular multicast group?
The IGMPv2 Last Member Query Interval, and the Last Member Query Count


What is the default IGMPv2 Last Member Query Interval?
1 second


What is the default IGMPv2 Last Member Query Count?
2


What happens when a multicast router receives an IGMPv2 Leave Group message?
The router sends a Group-Specific Query to determine if there are any remaining hosts on the segment interested in receiving the multicast traffic.


What happens after a multicast router sends an IGMPv2 Group-Specific Query message?
If no Membership Report message is received within 1 second, a second Query is sent. If a Membership Report is still not received, the router stops forwarding multicast traffic for that group.


What is the default value of the host IGMPv1 Router Present timeout?
400 seconds


What is the multicast address for IGMPv3?
224.0.0.22


What is the multicast address 224.0.0.22 used for?
IGMPv3


What would cause a router to ignore IGMP Leave messages?
When the router running IGMPv2 detects a host running IGMPv1 on the segment.


How long will a triggered IGMPv2 router ignore Leave messages?
180 seconds, the IGMPv1 Host Present countdown timer


What feature enables hosts not directly connected to a downstream device to join a multicast group sourced from an upstream network (such as with UDLR)?
IGMP Proxy


What is the term for defining boundaries that determine how far multicast traffic can travel in the network?
Multicast scoping


What is multicast scoping?
A definition of boundaries that determine how far multicast traffic will travel in the network.


What are the two methods of multicast scoping?
TTL
Administrative (239/8)


What is multicast TTL scoping?
Limiting the TTL of multicast packets. For example, 224.0.0.0/24 packets typically have a TTL of 1 to keep the traffic in the local scope.


What is multicast adminstrative scoping?
Filtering of multicast routes in the 239/8 range.


PIMv2 Hello messages use IP Protocol ___.
103


PIMv2 Hello messages use which multicast address?
224.0.0.13 (All-PIM-Routers)


What does the multicast notation (S,G) refer to?
A particular shortest-path tree


How frequently are PIM-DM State Refresh messages sent?
60 seconds


How do downstream PIM-DM routers remain pruned?
Downstream PIM-DM routers send PIM-DM State Refresh messsages upstream every 60 seconds to indicate they wish to remain pruned.


What is the PIM-SM Register-Stop message used for?
Register-Stop is used by an RP to indicate there are no interested receivers for a particular multicast group.


What is the PIM-SM Register-Suppression timer?
A timer that is reset to 60 seconds upon receipt of a Register-Stop message from an RP do indicate that no further Regster messages should be sent.


How does a multicast router inform an RP that is has a local source for a particular multicast group?
Register message


What is the default frequency of PIM-SM Join messages?
60 seconds


What is required for the steady-state operation of a PIM-SM router?
The router must sent a PIM Join message to the upstream router within the default timeout of 3 minutes, otherwise the upstream router will prune the group.


What does the "J" flag indicate in the IP multicast routing table?
The group has switched over from the RPT to the SPT.


To which address are RP-Announce messages sent?
224.0.1.39


What is sent to the multicast address 224.0.1.39?
RP-Announce messages


How frequently are RP-Announce messages sent?
60 seconds


What is sent to multicast address 224.0.1.40?
RP-Discovery messages


How is PIM sparse-dense-mode used with Auto-RP?
The purpose of Auto-RP is to automatically distribute RP information, but a router cannot reach the RP without sending a PIM Join, and it cannot send a PIM Join without knowing the RP. Sparse-dense-mode allows the RP to be discovered with dense-mode. After the RP is discovered, sparse-mode is used.


How can multiple PIM-SM BSRs coexist on the network?
The single Preferred BSR is elected by highest priority, then highest IP, and continues to send Boostrap messages while the other candidate BSRs monitor and re-elect if the Preferred BSR's messages stop.


What protocol provides a method of RPs in different multicast domains to register multicast sources with each other?
MSDP


How frequently are MSDP SA messages sent?
60 seconds


How are MSDP SA messages exchanged?
Unicast TCP between peer RPs


What is a restriction of the default SSM IP range?
Shared trees are not allowed, and (*,G) joins are dropped.


Query, Report, and Done are three types of messages used by which protocol?
MLD


What type of IPv6 address is FF70::/12?
IPv6 Embedded RP


What is represented in the following address format?

FF7<scope>:0<RP interface ID><hex prefix length>:<64-bit RP prefix>:<32-bit group ID>:<1-F>
IPv6 Embedded RP


Routine, Priority, Immediate, Flash, Flash Override, Critical, Internetwork Control, and Network Control are the names for what?
IP Precedence values


With the AFxy PHBs, what does x signify?
Higher values of x receive better queuing treatment.


With the AFxy PHBs, what does y signify?
Higher values of y have a higher probability of being dropped.


With the AFxy PHBs, how does AF11 compare to AF33?
AF33 will have better queuing treament, but have a higher probability of being dropped.


What does the PHB value 46 indicate?
Expedited Forwarding


What are two PHB actions associated with EF?
-Queue EF packets so they get scheduled quickly, for low latency
-Police EF packets so they do not consume all bandwith on the link or starve other queues


What is the default time interval over which IOS measures packet and bit rates on an interface?
5 minutes


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 5 / 5 / EF?
Voice payload


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 4 / 4 / AF41?
Video payload


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 3 / 3 / CS3?
Voice and video signaling


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 3 / 3 / AF31,AF32,AF33?
Mission-critical


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 2 / 2 / AF21,AF22,AF23?
Transactional


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 1 / 1 / AF11,AF12,AF13?
Bulk


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 0 / 0 / BE?
Best-Effort


What type of traffic does Cisco recommend be marked with CoS / IPP / DSCP values of 0 / 0 / 2,4,6?
Scavenger


How does Cisco IOS QoS pre-classification work?
QoS pre-classification works by keeping the original unencrypted traffic in memory until the egress QoS actions are taken.


What Cisco IOS feature permits routers to make egress QoS decisions based on the original traffic before encapsulation.
QoS pre-classification


What is the QoS drop policy?
The rules used to choose which packets to drop as queues begin to fill.


What is QoS scheduling?
The logic used to determine which packet should be dequeued next.


With CBWFQ and LLQ, what queue requires no configuration?
class-default

This queue always exists even if no configuration for it is defined.


What happens if a packet does not match any explicitly configured classes in a policy-map?
It is placed into the class-default class.


What happens with the CBWFQ scheduler if some queue classes are empty and do not need their bandwidth for a short period?
The bandwidth is proportionally allocated across the other classes.


What is the term for when a queue is full and there is no place to put newly-arriving packets?
Tail drop


What is a WRED Full Drop?
A WRED Full Drop occurs when the average queue depth is higher than the configured maximum threshold, and all new packets are discarded.


Minimum and Maximum thresholds, and the Mark Probability Denominator (MPD) are components of what?
WRED traffic profile


What is the Modified Deficit Round-Robin (MDRR) PQ strict priority mode?
Strict priority mode serves the PQ whenever traffic is present in the queue.


What is an issue with the Modified Deficit Round-Robin (MDRR) PQ strict priority mode?
The PQ is always serviced first, which can lead to starvation of the other queues.


How does Modified Deficit Round-Robin (MDRR) PQ alternate mode work?
Alternate mode serves the PQ in between servicing each of the other queues: 0, P, 1, P, 2, P, etc.


What is a caveat of using Modified Deficit Round-Robin (MDRR) PQ alternate mode?
Alternate mode prevents queue starvation at the expense of jitter and latency as compared to strict priority mode.


What is the Modified Deficit Round-Robin (MDRR) Quantum Value?
The Quantum Value is the number of bytes the queue holds.


What is the Modified Deficit Round-Robin (MDRR) Deficit Count?
The Deficit Count is the number of bytes beyond the Quantum Value that were transmitted in a single round-robin pass.


What is a feature of Weighted Tail Drop?
WTD allows configuration per-queue.


With RSVP, what is the default total and per-flow bandwidth reservation?
The default total bandwidth reservation is 75% of the interface bandwidth, and any single flow can reserve the entire bandwidth.


What is the shaper static time interval (Tc) measured in?
Milliseconds


What is the formula for calculating Tc?
Tc = Bc / CIR


What does committed burst (Bc) refer to?
The number of bits that a shaper can send within a time interval (Tc)


What defines the rate for a virtual circuit based on a business contract?
CIR Committed Information Rate


What is the CIR?
Committed Information Rate defines the rate for a virtual circuit based on a business contract.


What is burst excess (Be)?
Be is the number of bits beyond the Bc that are allowed to be sent during a given Tc


With single-rate, two-color policing, what state is the traffic considered if the size of the packet to be transmitted is equal to or less than the number of tokens available in the Bc bucket?
Conforming


With single-rate, two-color policing, what does this notation indicate?

Xp <= Xb
Traffic is conforming


With single-rate, two-color policing, what state is the traffic considered if the size of the packet to be transmitted is greater than the number of tokens available in the Bc bucket?
Exceeding


With single-rate, two-color policing, how many tokens are drained from the Bc bucket when traffic is exceeding?
None, traffic cannot be transmitted until tokens have been replenished


With single-rate, two-color policing, what does this notation indicate?

Xp > Xb
Traffic is exceeding


With single-rate, three-color policing, what state is the traffic considered if the size of the packet to be transmitted is greater than the number of tokens available in both Bc and Be buckets?
Violating


With single-rate, three-color policing, what does this notation indicate?

Xp > Xbc + Xp > Xbe
Traffic is violating


With single-rate, three-color policing, how many tokens are drained from the Bc and Be buckets when traffic is violating?
None, traffic cannot be transmitted until tokens have been replenished


With dual-rate, three-color policing, how are the token buckets replenished?
The Bc bucket is replenished at the CIR
The Be bucket is replenished at the PIR


When the Bc bucket is replenished at the CIR, and the Be bucket is replenished at the PIR, what type of policing is this?
dual-rate, three-color policing


With dual-rate, three-color policing, how does a conforming packet affect the token buckets?
A conforming packet drains tokens equally from both Bc and Be buckets. That is, the same packet uses double the number of tokens with the dual-rate model.


With dual-rate, three-color policing, what state is traffic considered to be if a packet drains tokens equally from both Bc and Be buckets?
Conforming


With dual-rate, three-color policing, when is traffic considered to be conforming?
When there are enough tokens in both the Bc and Be buckets, as a conforming packet drains tokens equally from both buckets.


With dual-rate, three-color policing, what happens when traffic is considered to be exceeding?
An exceeding packet drains tokens from the Be bucket


With dual-rate, three-color policing, what is the state of traffic that drains tokens from the Be bucket only?
Exceeding


What is multi-action policing?
When multiple fields in the same packet are marked during class-based policing.


Single-rate, two-color policing is used by what legacy technology?
CAR Committed Access Rate


What is the term for breaking up larger packets and sending delay-sensitive packets between the larger packets?
LFI Link Fragmentation and Interleaving


Where is the use of LFI most effective?
Links with 768k or less bandwidth


What happens after PPP compression is enabled on a link?
PPP starts the CCP Compression Control Protocol NCP


What does the PPP NCP CCP Compression Control Protocol do?
Negotiates and manages the compression process


How do you configure PPP TCP or RTP header compression on an interface?
Interface:
ip {tcp rtpheader-compression

This is considered legacy, and class-based policy-maps should be used instead.


When DAI is enabled, what is the default rate limit of ARP messages accepted per port per second?
15


What is the default rate at which a port enabled for DHCP Snooping will accept DHCP messages?
Unlimited by default


True or False: IP Source Guard using static bindings does not depend on DHCP Snooping.
False, DHCP Snooping must be enabled, even if static bindings are used.


When enabling IP Source Guard, what does the port-security keyword do?
The port-security keyword enables verification of both IP and MAC.


What devices exchange EAPoL frames?
802.1X supplicant and authenticator


With 802.1X enabled, how do you configure a port for authentication?
Interface:
authentication port-control {auto force-authorized force-unauthorized}


How do you enable a device for 802.1X authentication?
Globally:
aaa authentication dot1x default group radius
dot1x system-auth-control


How do you adjust the parameters for individual traffic types with Storm Control?
Interface:
storm-control traffic-type level rising [falling]

traffic-type is either broadcast, multicast, or unicast, and is set individually with multiple statements.

The level refers to the rate of packets as either a percentage of the link bandwidth, bps, or pps, and can have separate rising and falling thresholds.


What types of ACLs use the numbered range of 1-99 and 1300-1999?
IP Standard


What types of ACLs use the numbered range of 100-199 and 2000-2699?
IP Extended


What is uRPF strict mode?
Strict mode uses the rx keyword, and causes the router to check incoming packets to see if the router has a route back to the source IP address out of the interface the packet was received on.


What is uRPF loose mode?
When a router receives a packet, it examines the source IP address and verifies that it has any route in its routing table to reach the source (ignoring the default route by default).


What are the two modes of operation for Cisco IOS TCP Intercept?
Watch mode
Intercept mode


How does Cisco IOS TCP Intercept operate in Watch mode?
In Watch mode, it keeps state information for TCP connections that match an ACL, and if TCP does not complete the 3-way handshake within a particular time period, TCP Intercept sends a TCP RST to the destination to clean up the connection. Watch mode also temporarily denies new TCP requests if more than 1100 occur in one second.


How does Cisco IOS TCP Intercept operate in Intercept mode?
In Intercept mode, the router replies to TCP SYNs instead of forwarding them. If the 3-Way Handshake completes, the router creates a TCP connection to the destination, then stitches the two connections together.


What is the purpose of the ip nhrp network-id command?
On the DMVPN Tunnel Interface, ip nrhp network-id id enables NHRP, which is critical to the operation of DMVPN. All routers and interfaces configured with the same ID belong to the same DMVPN.


When configuring an ISAKMP PSK for use with DMVPN, what value should the address be set to?
0.0.0.0


When configuring an ISAKMP PSK for use with DMVPN, why should the address be set to 0.0.0.0?
With DMVPN, use 0.0.0.0 for the address since the configuration relies on dynamic IP addresses on the spoke routers.


What is adding DMVPN spokes without changing configuration on the hub referred to as?
Zero-touch provisioning


What is the IPv6 address format of an automatic 6to4 tunnel border router?
2002:border-router-IPv4-address::/48


Which type of IPv6 address is represented?

2001:0db8:0abc:0def:0000:5efe:ac14:1401
ISATAP


Which type of IPv6 addressing is represented here?

64-bit-prefix:0000:5efe:ipv4-in-hex
ISATAP


True or False: RAs are enabled by default on tunnel interfaces.
False, RAs are disabled by default on tunnel interfaces.


What is the relationship between ISATAP tunnel interfaces and IPv6 RAs?
RAs are disabled by default on tunnel interfaces, but must be enabled on ISATAP tunnels.


How do you verify which VLANs have been pruned?
show interfaces pruning


What happens if VTP pruning is enabled, and a device attached to a trunk port either does not support VTP, is in a different VTP domain, or is in VTP Transparent mode?
VTP pruning is effectively disabled across the VTP domain because it is unclear as to which VLANs might be needed across the port.


If VTP pruning is enabled, and a device attached to a trunk port either does not support VTP, is in a different VTP domain, or is in VTP Transparent mode, how can you allow VTP pruning to operate correctly without modifying any VTP settings?
Manually configure the allowed VLANs on the trunk


What three things can cause VTP pruning to be effectively disabled?
A trunk port connecting to either:
-Device that doesn't support VTP
-Device in a different VTP domain
-Device in VTP Transparent mode


With class-based shaping, what is the Tc value when the rate is more than 320 kbps?
25 ms


With class-based shaping, what is the Bc value when the rate is more than 320 kbps?
Tc (25 ms) * shaping rate


What allows more than two devices to exchange traffic securely without requiring a high number of SAs?
GET VPN


With GET VPN, what is generated by the Key Server and used by the Group Members to encrypt data?
TEK Transport Encryption Key


With GET VPN, what is used to encrypt information between the Key Server and the Group Members?
Key Encryption Key


What is the difference between forwarded and local TTL propagation in MPLS networks?
Forwarded TTL propagation carries the original packet's TTL value through the MPLS network, decrementing the value at each hop.

Local TTL propagation carries the TTL generated by packets sourced from the MPLS router itself, staying inside the MPLS network.


What are the two types of MPLS TTL propagation in Cisco IOS?
TTL propagation can be enabled/disabled individually for forwarded traffic, and for locally-originated traffic. For example, you can disable TTL propagation for forwarded traffic, which effectively hides the internals of the MPLS network between the CEs, but still have locally-originated traffic propagate the TTL in order to use tools like traceroute internally to the MPLS network.


When establishing TCP connections in LDP, what IP address is used if the transport address is not specified?
The LDP ID


What happens after LDP neighbors are discovered?
TCP connections are established over port 646, and local label bindings are advertised.


How is LDP neighbor discovery performed?
Hellos are multicast to 224.0.0.2 UDP port 646


After LDP neighbor discovery, what is the responsibility of the neighbor with the highest LDP ID?
Initiate the TCP connection between neighbors to exchange label bindings


What neighbor state is BGP in after Open messages have been exchanged?
Established


How do you adjust BGP keepalive and hold timers for a neighbor?
neighbor ip-address timers keepalive holdtime


How do you modify the source IP address used to reach a BGP neighbor?
neighbor ip-address update-source interface


When performing basic neighbor authentication in BGP, what algorithm is used?
MD5


What is a best configuration practice for BGP when there is more than one route through which the BGP router can reach a peer?
Use loopback interfaces


What is the default state of BGP synchronization?
Disabled


What state is BGP in when BGP has been enabled, but neighbors have not yet been configured?
Idle


What state is BGP in when BGP has been enabled, but is not listening for any TCP connections?
Idle


What is the BGP state when the BGP process detects that a peer is trying to establish a TCP connection?
Connect


During which state is BGP trying to establish a TCP session with a neighbor?
Active


Open, Keepalive, Update, and Notification refer to what?
The four basic BGP message types


What BGP message is used to establish neighbor relationships and exchange basic parameters?
Open


What BGP message is used to maintain neighbor relationships?
Keepalive


What BGP message is used to exchange NLRI?
Update


What type of BGP message is sent if an error or configuration change affects the peering session?
Notification


What information is included with a BGP Notification message?
FSM error code


True or False: When BGP auto-summary is enabled, and the network command is used, subnets are still injected into the BGP table if they exist in the IP routing table.
True

This does not occur with the redistribute command and auto-summary


AS_SEQ, AS_SET, AS_CONFED_SEQ, and AS_CONFED_SET are components of what?
BGP AS_PATH path attribute


What is the BGP AS_SET path attribute?
An unordered list of ASNs


What BGP construct represents an unordered list of ASNs?
AS_SET path attribute


When using the BGP aggregate-address summary mask as-set command, what causes the AS_SET value to be filled?
The AS_SET is generated only if the AS_SEQ is null.


When using the BGP aggregate-address command, what keyword causes only the summary route to be advertised?
The summary-only keyword


When using the BGP aggregate-address command, what can be used to filter some of the component subnets?
The suppress-map keyword


Withdrawn routes, PAs for each route, and prefix/length for each NLRI, are the three main components of what?
BGP Update message


With BGP, what are confederations, route reflectors, and a full mesh of iBGP peerings an alternative to?
Enabling synchronization


Why do BGP confederation peers need to be identified?
Confederation peers need to be identified because while the connections appear as eBGP, they do not work as true eBGP connections do. Confederations modify the AS_PATH PA with AS_CONFED_SEQ and AS_CONFED_SET attributes, which are used to prevent loops between the confederations sub-ASes. 

When the routes are advertised to a true eBGP peer, the AS_CONFED information is removed.


What happens when BGP routes from a confederation are advertised to a true eBGP peer?
The AS_CONFED information is removed.


How do you revert a router participating in a BGP confederation back to a regular BGP router?
A BGP confederation router is defined with the regular router bgp asn command, which means you must remove and re-apply the BGP configuration to leave the confederation.


With BGP route reflectors, what is the default cluster ID?
The BGP RID of the RR


In a BGP route reflector environment, how can you verify which router originated a particular prefix?
Originator in show ip bgp prefix


What type of attributes are MP_REACH_NLRI and MP_UNREACH_NLRI?
Optional nontransitive


What is contained inside BGP MP_REACH_NLRI and MP_UNREACH_NLRI?
AFI
Next_Nop
NLRI


How do you enable soft reconfiguration for inbound BGP Updates?
BGP process:
neighbor ip soft-reconfiguration inbound


What is the regex metacharacter for the start of a line?
^


What is the regex metacharacter for the end of a line?
$


What is the regex metacharacter for a logical OR applied between the preceeding and succeeding characters?
|  (pipe)


How do you apply a regex logical OR comparison between two strings?
(string1)|(string2)

Strings enclosed in parenthesis separated by a pipe


What is the regex metacharacter for any delimter, such as a blank, comma, start of line, end of line?
_    (underscore)


What is the regex metacharacter for any single character?
.   (period)


What is the regex metacharacter for zero or one instance of a preceeding character?
?


What is the regex metacharacter for zero or more instances of the preceeding character?
*  (asterisk)


What is the regex metacharacter for one or more instances of the preceding character?
+


What is the regex metacharacter to reference a string?
(string)   string enclosed in parenthesis


What is the regex metacharacter for referencing a set of characters in any order?
[string]    characters enclosed in square brackets


What is the BGP regex .* useful for?
Matching all AS_PATHs, which is useful as a final match in an as_path access-list to change the default from deny to permit.


What does this regex match?

^$
null


What BGP regex matches NLRIs originated in the same AS?
^$


What does this BGP regex match?

^123$
An AS_PATH containing only the single ASN 123


What BGP regex matches an AS_PATH containing only a single ASN?
^asn$  where asn is the AS to be matched


What does this BGP regex match?

^123
An AS_PATH whose first ASN begins with (or is) 123


What does this BGP regex match?

^123_45$
An AS_PATH with two ASNs, beginning with 123 and ending with 45


What does this BGP regex match?

^123_.*_45$
An AS_PATH beginning with AS 123, ending in AS 45, with at least one other AS in between


What does this BGP regex match?

^123_.*45
An AS_PATH beginning with AS 123 with zero or more ASNs and delimiters, and ending with any AS whose last two digits are 45 (including AS 45 itself)


What does this BGP regex match?

^{
An AS_PATH beginning with either an AS_SET or an AS_CONFED_SET


Within a single BGP AS, where can the Weight PA be assigned?
The administrative weight can be assigned to each NLRI locally on the router, and is not passed on in Update messages. It is set either directly with neighbor ip weight or within a route-map.


Within a BGP AS, where can the LOCAL_PREF value be set?
This well-known discretionary PA can be set on any router inside the AS, and is not distributed outside the AS.


Within the BGP AS_PATH, how is an AS_SET treated with regard to bestpath calculation?
As a single ASN, regardless of the number of ASNs in the set


How do you configure a router to disregard the AS_PATH lengh when calculating the BGP best path?
BGP process:
bgp bestpath as-path ignore


What does the following command do?

bgp besthpath as-path ignore
This command causes BGP to disregard the AS_PATH length when calculating the BGP best path


What is the default BGP Weight for learned routes?
0


How do you automatically remove private BGP ASNs in outbound Updates?
BGP process:
neighbor ip remove-private-as


How do you configure BGP to take the MED value into consideration when multiple routes to a single NLRI pass through different neighboring ASNs?
BGP process:
bgp always-compare-med


What is a caveat of enabling the bgp always-compare-med command?
If you implement this command, you should implement it on all routers in an AS, otherwise routing loops can occur.


What is the default BGP behavior with regard to the MED value when multiple routes to a single NLRI pass through different neighboring ASNs?
Ignore the MED value unless configured with bgp always-compare-med


If a BGP router has a current best route installed from an eBGP neighbor, but receives an otherwise identical route from an eBGP neighbor with a smaller RID, how do you configure the router to accept and use the new route?
BGP process:
bgp bestpath compare-routerid


If a BGP router has a current route for a prefix through an eBGP neighbor, but receives an otherwise identical route from another eBGP neighbor with a lower BGP RID, why is the existing route kept?
To avoid route flaps. This behavior can be changed with bgp besthpath compare-routerid

This applies only to eBGP routes. iBGP routes always use the lowest RID as the tiebreaker.


What causes the lowest BGP neighbor ID (IP address) to be used as the final best path tiebreaker?
This is used when the route is coming from a router who has multiple separate neighbor relationships, as opposed to a single relationship using loopback addresses.


What is the value of the BGP NO_EXPORT community?
FFFF:FF01


What BGP community has the value FFFF:FF01?
NO_EXPORT


What is the value of the BGP NO_ADVERT community?
FFFF:FF02


What BGP community has the value FFFF:FF02?
NO_ADVERT


What is the value of the BGP LOCAL_AS / NO_EXPORT_SUBCONFED community?
FFFF:FF03


What BGP community has the value FFFF:FF03?
LOCAL_AS / NO_EXPORT_SUBCONFED


What is the default Update interval for iBGP peers?
5 seconds


What BGP term is used for the process of directly-connected neighbors being torn down when the connected subnet is lost, BGP routes immediately being flushed, and BGP immediately looking for alternate routes?
BGP fast external fall-over


How do you enable BGP fast peering session deactivation?
BGP process:
neighbor ip fall-over [route-map map]

Fast external fall-over is automatic. This command must be enabled for iBGP sessions or when the fall-over needs to be conditional.


Why would you disable the default BGP external fast fall-over detection?
A common use case for disabling fast external fall-over detection is when you want to control the behavior per-neighbor with the BGP command neighbor ip fall-over [route-map map]


When more-specific BGP routes have been filtered via the aggregate-address command, how do you selectively re-advertise more specific routes per-neighbor?
BGP process:
neighbor ip unsuppress-map


Errors and collisions on an Ethernet link are typically an indication of what?
Duplex mismatch


Protocols invented by the IEEE typically use which Ethernet frame format?
IEEE 802.3 + 802.2 LLC


Vendor-proprietary Layer 2 protocols such as CDP typically use which type of Ethernet frame format?
IEEE 802.3 SNAP


How do you prevent a VSS standby switch from coming up in RPR mode?
The port channel numbers for the VSL must be different on each switch and must be available for use.


What happens to the switch interfaces after VSS mode is enabled?
When in VSS mode, interfaces follow the naming convention:
switch-number/slot/port


What is the IOS-XE Forwarding Engine Driver (FED)?
The FED allows the drivers to affect the data plane, and is provided by the platform (similar to a network card driver in a traditional operating system)


What is the IEEE 802.3u standard?
100 Mbps Ethernet over copper and optical cabling


What is the IEEE 802.3z standard?
Gigabit Ethernet over optical cabling


What is the IEEE 802.3ab standard?
Gigabit Ethernet over twisted-pair copper cabling


What is cut-through switching?
Cut-through switching performs the address-table lookup as soon as the Destination Address field in the header is received which results in lower latency, but does not allow the switch to discard frames that fail the FCS.


What is fragment-free switching?
Fragment-free switching is similar to cut-through, but waits until the first 64 bytes of the frame are received before switching, since Ethernet collisions should be detected within the first 64 bytes of the frame.


What two Layer 2 technologies separate switch ports as if they were on different VLANs while consuming only a single IP subnet?
Private VLANs
Protected ports (aka PVLAN Edge)


How is the VLAN tag manipulated with a promiscuous Private VLAN trunk?
Traffic from secondary VLANs have their tags rewritten as the primary VLAN tag when being sent over the trunk. No tag manipulation is performed for received frames.


How is the VLAN tag manipulated with an isolated Private VLAN trunk?
When traffic is sent across the isolated PVLAN trunk, the primary VLAN ID is changed to the isolated secondary VLAN ID. When frames are received, no tag manipulation is performed.


What is a protected port?
A protected port is similar to a private VLAN Isolated port. Protected ports are essentially a subset of private VLAN functionality. Protected ports cannot communicate with other protected ports on the same switch.


Why will DTP not negotiate a trunk link if the VTP domain names are different?
This design decision was chosen because different VTP domains may use the same VLANs, but for different purposes, so bridging them together should not be automatic.


Why is it common to tag the native VLAN in a QinQ environment?
This prevents the issue of a customer's untagged frames from being misforwarded or blackholed when the S-tag is added.


How to you enable Layer 2 management protocols to be forwarded across a QinQ tunnel?
Interface:
l2protocol-tunnel  <-- enables all
l2protocol-tunnel [cdp] [lldp] [stp] [vtp]


What does the command l2protocol-tunnel do?
Permits Layer 2 management protocols, such as CDP, STP, etc, across a QinQ tunnel.


How does VTPv1 handle unknown TLVs?
VTPv1 drops all unrecognized TLVs from received messages


How does VTPv2 handle unknown TLVs?
VTPv2 propagates all TLVs even if they are unrecognized


How frequently are VTP Summary Advertisement messages generated?
Every 5 minutes, and after each modification to the VLAN database


With VTP, what type of message is generated with each modification to the VLAN database?
VTP Summary Advertisement


Which VTP messages contain the full contents of the VLAN database?
VTP Subset Advertisement


How many VLAN entries can be contained in a VTP Subset Advertisement message?
One message can hold multiple VLAN database entries, but multiple messages might be required if the VLAN database is large.


What VTP message is used to request VTP neighbors to send all or part of their VTP database?
VTP Advertisement Request


What type of VTP message is sent under the following circumstances:

-When a VTP Client switch is restarted
-When a switch enters VTP Client mode
-When a Server or Client receives a Summary Advertisement with a higher revision number than its own
VTP Advertisement Request


How frequently are VTP Join messages sent?
6 seconds


When are VTP Join message used?
When VTP Pruning is enabled


Which IP address is used as the VTP Updater address by default?
The IP of the lowest-numbered SVI


How do you disable VTP completely for switches that support VTPv3?
Globally:
vtp mode off


How did PVST operate prior to the 802.1t amendment?
Prior to the 802.1t amendment, Per-VLAN Spanning-Tree required a separate unique MAC address for the BID for each VLAN, which consumed a large number of reserved MAC addresses on each switch.


What is IEEE 802.1t referred to as?
MAC address reduction


What is the default STP cost method?
The short (802.1D-1998) method is used by default for (R)PVST.

The long (802.1D-2004) method is used by default for MST.


What is an RSTP Alternate port?
Replacement Root port using event-driven operations


What RSTP port serves as an event-driven replacement for the Root port?
Alternate port


What is an RSTP Backup port?
Replacement Designated port with timer-driven operation


What RSTP port serves as a timer-driven replacement for a Designated port?
Backup port


What happens if an RSTP Edge port receives a BPDU?
It begins operating as a Non-Edge port


What are the RSTP link types?
Point-to-point
Shared


Which MST port provides connectivity toward the CIST Root?
Master port


If the BPDUs sent by the MST boundary port are superior to all received PVST+ BPDUs on the port, what is the port type?
Designated


If the MST boundary port receives PVST+ BPDUs that are identical or superior to the received PVST+ BPDU for VLAN 1, what is the port type?
Root


If the incoming VLAN 1 PVST+ BPDU is superior to its own BPDUs, but not superior enough to make it become a Root port, what is the MST boundary port type?
Non-Designated (blocked)


With MST, if the Root Bridge for the CIST is in a non-MST region, the STP priority of VLANs 2 and above within that region must be ___ to that of VLAN 1 to prevent PVST Simulation Inconsistent / Root Inconsistent errors.
superior


With MST, if the Root Bridge for the CIST is within a MST region, the STP priority of VLANs 2 and above in the non-MST regions must be ___ than that of the CIST root to prevent PVST Simulation Inconsistent / Root Inconsistent errors.
inferior


When issuing the show spanning-tree mst configuration digest command, one MD5 digest is listed. What does this indicate?
If a single MD5 value is listed, the switch only supports pre-standard MST. Two MD5 digests indicate support for both standard and pre-standard MST.


What feature err-disables a port immediately upon receipt of any BPDU?
BPDU Guard


What is a limitation of enabling BPDU Guard globally?
Only ports operating as PortFast are affected.


What do UDLD, Loop Guard, Bridge Assurance, and the RSTP Dispute mechanism have in common?
They are all designed to detect and avoid issues caused by unidirectional links.


The switch / port pair identity and a list of all neighboring switch / port pairs heard on the same segment are transmitted in what?
UDLD messages


What prevents Root and Alternate ports from becoming Designated due to total loss of incoming BPDUs?
Loop Guard


What is the difference between configuring Loop Guard globally or per-port?
Global configuration protects point-to-point links. Port configuration additionally protects shared links.


What causes a Designated port to keep its role but move to a Discarding state if it receives an inferior BPDU from another port that claims to be Designated Learning or Designated Forwarding?
RSTP Dispute mechanism


What information does the RSTP Dispute mechanism use to determine what action to take?
Port Role and Port State flags in the RSTP BPDU


What is the default state of EtherChannel Misconfig Guard?
Enabled by default


What technology disables an entire port-channel bundle if BPDUs with different MAC addresses are received on the port-channel interface?
EtherChannel Misconfig Guard disables an entire port-channel bundle if it receives BPDUs sources from different MAC addresses on a port-channel interface, indicating that the neighbor is treating some of the links as individual and not bundled together. 


IEEE 802.1AX is the standard for what?
LACP

Previously 802.3ad


What is the frequency of PAgP messages in normal mode?
30 seconds


What is the frequency of PAgP messages in fast mode?
1 second


IEEE 802.1AB is the standard for what?
LLDP


What type of STP inconsistency is caused when PVST+ BPDUs are received on a non-802.1Q port?
Type (*TYPE_Inc)


What type of STP inconsistency occurs when PVST+ BPDUs are received in a different VLAN than they were originated in?
Port VLAN ID (*PVID_Inc)


What typically causes the STP PVID inconsistency error?
Native VLAN mismatch


What type of STP inconsistency is caused when PVST+ BPDUs received on an MST boundary port do not meet the PVST Simulation consistency criteria?
PVST Simulation (*PVST_Inc)


What type of STP inconsistency is caused when a Loop Guard protected Root or Alternate port was prevented from becoming Designated after BPDUs stopped arriving?
Loop (*LOOP_Inc)


What type of STP inconsistency is caused when a Root Guard protected port receives superior BPDUs?
Root (*ROOT_Inc)


What type of STP inconsistency is caused when a Bridge Assurance protected port stops receiving BPDUs?
Bridge Assurance (*BA_Inc)


What does "MD5 digest checksum mismatch" mean when issuing the show vtp status command?
Mismatched VTP password


What is the DF bit in the IPv4 header commonly used for?
Path MTU Discovery


What mechanism facilitates Path MTU Discovery?
The DF (don't fragment) bit in the IPv4 header


What is the MF bit in the IPv4 header?
The MF bit is set in all packet fragments except for the final fragment.


What does this MAC address correspond to?

0000.0C07.AC01
HSRP group 1


What does this MAC address correspond to?

0000.5E00.0101
VRRP group 1


What does this MAC address correspond to?

0007.B400.0101
GLBP group 1 AVF 1

0007.B40X.xxyy where Xxx is the 10-bit GLBP group number, and yy is the AVF number.


How does GLBP addressing work?
0007.B40X.xxyy where Xxx is the 10-bit GLBP group number, and yy is the AVF number.


What is the SNMP Agent?
The device being managed


What is the term for the management software polling the SNMP agent on a device?
SNMP Manager


What is SNMP SMI?
Structure of Management Information (SMI), the SNMP data definition refers to syntax conventions for how to define the data to an agent or manager.


What is associated with UDP port 161?
SNMP


What is associated with UDP port 162?
SNMP traps


What is used to supply SNMP information and acknowledge the receipt of other SNMP messages?
SNMP Response message


Response and Trap are two SNMP messages typically sent by what?
SNMP Agent


What is used to send unsolicited information to SNMP Managers?
SNMP Trap


Which message is used between SNMP managers to allow MIB data to be exchanged?
SNMP Inform


What is associated with UDP port 514?
Syslog


A set of predefined and user-defined key fields (such as source/destination IP and port) for network monitoring are defined in what?
Netflow records


What collects information about flows and is applied to an interface and includes records, a cache, and optionally a flow exporter.
Netflow monitor


What transfers the cached flow information to outside systems, which is typically a server running a NetFlow collector?
Netflow exporter


What allows specifying the sample size of traffic in order to reduce the load on the NetFlow-enabled device?
Netflow sampler


If a corresponding VLAN does not exist, or is not active (e.g. state suspend or shutdown on the VLAN itself), what is the status of the SVI?
Down / Line Protocol Down


If the corresponding VLAN exists, but is not allowed and in an STP forwarding state on any Layer 2 switch port (access or trunk), what is the state of the SVI?
Up / Line Protocol Down


During routing protocol migration, when must you configure redistribution from the current IGP into the new IGP on each router?
If the new IGP is RIP or EIGRP


What is associated with UDP port 520?
RIPv2


What uses multicast address 224.0.0.9?
RIPv2


What does RIPv2 use to ask a neighbor to send a partial or full RIP update immediately, instead of waiting for the Update timer to expire?
Request message


What is the term for advertising a route with an infinite metric in effort to more rapidly remove it from routing tables?
Route poisoning


What is the term for immediately sending a new update when routing information changes?
Triggered / flash update


What information is sent in a RIPv2 triggered update?
Only the changed networks


What is the default RIPv2 Update timer?
30 seconds


What happens if the RIPv2 Flushed After timer is set to less than the Invalid After timer?
The Flushed After timer is not taken into consideration until after the Invalid After timer has expired. The route is not removed from the routing table until the Invalid After timer has expired.


What is the term for when RIPv2 sends a full update only once, and then is silent until changes are made?
Triggered extensions


How do you enable RIPv2 triggered extensions?
Interface:
ip rip triggered


With RIPv2, there is an increased chance of transient routing loops being formed during convergence as a result of what?
Lowering the RIP timers


What is associated with UDP port 521?
RIPng


What is associated with multicast address FF02::9?
RIPng


What is associated with multicast address 224.0.0.10?
EIGRP


What is associated with multicast address FF02::A?
EIGRP


Why is the EIGRP wide metrics composite value scaled for the RIB?
The IOS RIB supports only 32-bit metrics, so the EIGRP 64-bit wide metrics composite value must be scaled down. EIGRP makes all path selection decisions based on the full metric, and the metric is only scaled down when it is placed in the local RIB.


What is contained in an EIGRP Reply message?
The sender's current distance to the destination after taking into account the topology change that prompted the Query.


The EIGRP sender's current distance to the destination after taking into account the topology change that prompted the Query is contained in what message?
EIGRP Reply


What is the EIGRP SRTT used for?
It is used as part of the calculation of the neighbor multicast flow timer, and the RTO retransmission timeout.


What is the EIGRP RTO?
The RTO retransmission timeout is the time between subsequent unicasts to be sent after normal multicasts have failed.


What controls the amount of time before EIGRP messages are unicast after normal multicasts have failed?
The EIGRP RTO retransmission timeout


What timer controls how long to wait for an ACK before declaring an EIGRP neighbor as lagging, and switching from multicast to unicast transmissions?
The EIGRP multicast flow timer


What is the basis for the EIGRP multicast flow timer and RTO values?
Both timers are calculated based on the SRTT of the neighbor. This allows for each neighbor to have different automatically-calculated timers.


What two EIGRP timers are based on the SRTT of a neighbor?
Multicast flow timer
RTO retransmission timeout


What is the result of the EIGRP neighbor hold timer expiring?
The neighbor is declared unreachable and DUAL is informed of the loss of a neighbor.


EIGRP Hello, Ack, and Null Update with the Init flag set are the only packets that can be exchanged during which EIGRP neighbor state?
Pending


What is the internal number EIGRP assigns to each neighbor for reference?
Handle


What is the EIGRP metric to a particular destination as received from a particular neighbor.
Reported Distance


What is the result of the EIGRP Reported Distance + cost of the link to the advertising neighbor?
Computed Distance


What is the historical record of the smallest known EIGRP Computed Distance toward a particular destination since its last transition from Active to Passive?
Feasible Distance


What is the EIGRP term for a neighbor's Reported Distance being less than the current Feasible Distance to a destination?
Feasibility Condition


What is an EIGRP Feasible Successor?
Any neighbor that can guarantee a loop-free path toward a particular destination is said to have met the Feasibility Condition and is therefore a Feasible Successor.


What happens if an EIGRP router receives a Query and determines its current Feasible Successors are still valid?
The router sends a Reply back to the neighbor with its information about the destination


What happens if an EIGRP router receives a Query and determines its current Feasible Successors are no longer valid?
The route becomes Active and the router starts its own Query process


What does the following refer to?

A0: Local Origin with Distance Increase
A1: Local Origin
A2: Multiple Origins
A3: Successor Origin
The four EIGRP FSM Active states. The names refer to the origin of the diffusing computation, e.g. which router appears to have started it. 


What happens if the EIGRP Active time expires?
If all expected Replies are not received before the Active timer expires, the route is designated SIA and the neighbor(s) that did not send back a Reply are removed from the neighbor table and their adjacencies are torn down.


What happens if an EIGRP neighbor does not respond with a Reply within half of the Active timer time (90 seconds by default)?
An SIA-Query message is sent


What happens if you issue EIGRP commands on an interface when using EIGRP named mode?
The commands are ignored, and must be configured under the EIGRP af-interface, not directly on the interface itself.


What configuration causes EIGRP to retain all Successor's addresses as the next-hop in EIGRP advertisements, and not just the first entry in the topology table?
Interface:
no next-hop-self no-ecmp-mode


What does the EIGRP interface no next-hop-self no-ecmp-mode command do?
This causes EIGRP to retain all Successor's addresses as the next-hop in EIGRP advertisements, not just the first entry in the topology table.


When the eigrp stub command is used, what are the default advertisement options?
connected and summary are used if the options are not explicitly set.


How is encryption performed differently between DMVPN and EIGRP OTP?
DMVPN relies on IPsec tunnel encryption, whereas EIGRP OTP uses GETVPN.


How do DMVPN and EIGRP OTP perform encapsulation differently?
DMVPN encapsulates both data plane and control plane traffic inside mGRE.

OTP uses LISP UDP encapsulation for the data plane, and the control plane uses native EIGRP without encapsulation.


What is an EIGRP Goodbye message?
A Hello message with all K-values set to 255


What type of EIGRP message has all K-values set to 255?
Goodbye message


What happens during an EIGRP graceful restart?
Topology databases between the router and its neighbors are resynchronized without the neighbor relationship being torn down.


The identity of one or more OSPF LSAs that the sending router would like the neighbor to supply full details about are contained in what?
LSR Link-State Request message


What OSPF packet type contains fully detailed LSAs?
LSU Link-State Update


What OSPF packet type is sent as a response to an LSR, or in the event of a topological change?
LSU


What is the first step in OSPF neighborship on NBMA and P2MP NBMA networks?
On these network types, a neighbor is placed immediately into the Attempt state and contact by Hello packets sent at usual intervals. If the neighbor does not respond within the Dead interval, it is placed back into the Down state.


What is the OSPF neighbor state when a valid Hello has been received from the neighbor, but the list of "Seen Routers" in the received Hello packet does not contain the receiving router's RID?
Init


What is the cause of an OSPF neighbor remaining in the Init state?
The neighbor router is not properly receiving this router's Hellos.


What is an indication of bidirectional visibility between two OSPF routers?
2-Way neighbor state


What is the OSPF neighbor state when a valid Hello packet containing this router's RID is in the list of seen neighbors from the neighbor?
2-Way


The comparison of RIDs to determine Master/Slave roles, and the establishment of a common starting sequence number for DBD packets occurs during which OSPF neighbor state?
ExStart


What OSPF neighbor state is entered after the Master/Slave relationship is established?
Exchange


During which OSPF neighbor state are DBDs transmitted between the neighbors to build the list of LSAs known by each router?
Exchange


True or False: OSPF LSAs are transmitted during the Exchange neighbor state.
False: DBDs are transmitted during the Exchange state. LSAs are transmitted during the Loading state.


What is associated with mulitcast address 224.0.0.5?
All OSPF Routers


What happens if two OSPF routers have mismatched MTU settings?
They will not proceed past the 2-Way neighbor state, however they will still be considered neighbors.


The Master (MS), More (M), and Init (I) flags are present in what OSPF packet?
DBD


How does the MS flag work in OSPF DBD packets?
All packets sent by the Master have the MS flag set, and all packets sent by the Slave have the MS flag cleared.


How does the M flag work in OSPF DBD packets?
The sending router sets the M flag if it has an additional DBD packet to send. The M flag is how the Slave indicates it has more DBD packets to send, since it can only send packets as a response to the Master.


How does the I flag work in OSPF DBD packets?
The first DBD packet that starts the exchange is set with the I flag, and all other DBD packets have the flag cleared.


What happens if an OSPF LSA has a sequence number of 0x7FFFFFFF and a change is made?
0x80000000 is a reserved value, so the LSA is flushed from the LSDB and re-originated with sequence 0x80000001


What is associated with multicast address 224.0.0.6?
All OSPF DR Routers


What triggers the OSPF Wait Time?
Receipt of a Hello with the DR set to 0.0.0.0, indicating the DR has not yet been elected.


What happens during the OSPF Wait Time?
The priorities and RIDs of neighbors are collected, and each router independently calculates the DR/BDR, though they all arrive at the same conclusion.


What is the purpose of the OSPF Wait Time?
The goal is to allow all routers on the network segment to finish initializing after a failure so that all routers can participate in the DR election, otherwise the first router to become active would always become the DR.


Why must a non-originating OSPF router never modify an LSA?
Only the router originating an LSA can modify it, which ensures all OSPF routers in an area have the same LSDB contents and a consistent view of the network.


What is the flooding scope of OSPF LSA Type 1?
Area


What is the flooding scope of OSPF LSA Type 2?
Area


What is the flooding scope of OSPF LSA Type 3?
Area; re-originated between areas by ABRs


What is the flooding scope of OSPF LSA Type 4?
Area; re-originated between areas by ABRs


What is the flooding scope of OSPF LSA Type 5?
All regular areas


What is the flooding scope of OSPF LSA Type 7?
Area; re-originated as Type 5 by the ABR


What is the flooding scope of OSPF LSA Type 9?
Link-local


What is the flooding scope of OSPF LSA Type 10?
Area


What is the flooding scope of OSPF LSA Type 11?
All regular areas


Which OSPF LSA type lists the router's RID and all interface IPs with the area?
LSA Type 1


Which OSPF LSA type represents a subnet and the router interfaces connected to it?
LSA Type 2


Which OSPF LSA type represents networks present in one area when being advertised into another area?
LSA Type 3


Which OSPF LSA type advertises a host route to reach an ASBR?
LSA Type 4


Which OSPF LSA type describes routes external to the AS in regular areas?
LSA Type 5


Which OSPF LSA type describes routes external to the AS inside an NSSA?
LSA Type 7


Which OSPF LSA type is considered generic with a link-local flooding scope?
LSA Type 9


Which OSPF LSA type is considered generic with an area-local flooding scope?
LSA Type 10


Which OSPF LSA type is considered generic with a flooding scope including all regular areas?
LSA Type 11


Within OSPF, what is an advertised subnet for which a router has not formed any neighbor relationships?
A stub network


What is a network over which two or more OSPF routers have become neighbors and traffic is neither sourced or destined locally?
Transit network


How is the OSPF link cost calculated by default?
100,000 Kbps (100 Mbps) / interface bandwidth in Kbps


What is the requirement for configuring per-neighbor costs in OSPF?
This is valid only on OSPF point-to-multipoint nonbroadcast network types.


What are the restrictions for using an OSPF distribute-list in the outbound direction?
It can only be applied on an ASBR, and only to redistributed routes.


When signing sent packets, which key does OSPF use?
OSPF uses the last key to be added to the interface, regardless of the key number.


What is the result of configuring authentication under the OSPF process?
Routers within the area will not form neighborships unless authentication is specifically configured, even if the authentication type is just null.


What is the variable-length wait interval between two consecutive SPF runs?
SPF throttling


With SPF throttling, what is the initial wait interval before an SPF computation called?
SPF-start


With SPF throttling, what is the wait time between subsequent SPF runs?
SPF-hold


With SPF throttling, what is the amount of time during which the network must be stable for the wait interval to be set back to SPF-start and the SPF-hold back to is preconfigured value?
SPF-max-wait


Controlling how frequently updated LSAs are allowed to be re-originated is referred to as what?
LSA throttling


What are the default IOS settings for OSPF LSA throttling?
Originate updated LSAs immediately, and delay subsequent origination by 5 seconds, but do not progressively increase the interval.


How does OSPF LSA arrival throttling work?
If two more more identical LSAs arrive within 1 second, only the first one is accepted, and the remaining are dropped.


What should the minimum OSPF LSA arrival throttling timer be set to?
The minimum LSA arrival interval should be less than the neighbors' intial hold interval in LSA throttling, otherwise a neighbor would be allowed to send updated LSAs faster than the router would be willing to accept them.


What is the interval between successive OSPF LSUs when flooding LSAs referred to as?
flood pacing


What is the default OSPF flood pacing timer?
33 ms


What is the interval between restransmitted OSPF packets as part of a single retransmission event?
OSPF retransmission pacing


What is the default OSPF retransmission pacing timer?
66 ms


If an OSPF Type 2 LSA has the mask of a prefix set to 255.255.255.255, what does this indicate?
Prefix suppression - the LSA contains no prefix information to be used.


What feature is used to prevent an OSPF router from becoming a transit router?
OSPF stub router


What are the two variations of the OSPF stub router feature?
One variation activates the stub router feature for the specified number of seconds, while the other variation waits for BGP to converge first (up to a maximum of 10 minutes)


OSPF graceful restart is a standardized version of what?
Cisco NSF Non Stop Forwarding


How do you disable OSPF graceful restart / NSF helper mode?
OSPF process:
nsf helper disable


What happens when OSPF graceful shutdown is enabled?
-All adjacencies are dropped
-All originated LSAs are flushed (age set to 3600 seconds)
-Hello sent to all neighbors with DR/BDR set to 0.0.0.0 with no neighbors
-Stop sending/receiving OSPF packets


What is the purpose of OSPFv3 supporting multiple instances on a link?
To selectively enable adjacencies. For example, there can be multiple reachable routers over a link, but you can form specific adjacencies.


Which address is used to source OSPFv3 packets on virtual links?
Virtual links use globally-scoped IPv6 addresses.


What is OSPFv3 Authentication Trailer?
OSPFv3 Authentication Trailer is an alternative to regular OSPFv3 IPsec authentication, and operates similar to OSPFv2 extended cryptographic authentication by referencing a key-chain.


What is an indication that an OSPFv3 router does not support multiple address families?
The AF-bit in OSPFv3 packets is cleared in all instances (not just 0 - 31)


What does an NSAP address represent?
An address of a particular network service on a particular network node


What do the fields in the IDP of an NSAP address indicate?
Together, they indicate the routing domain (autonomous system) in which the node is located.


With NSAP addressing, what indicates the routing domain (AS) in which the node is located?
The IDP Initial Domain Part, which consists of the AFI Authority and Format Identifier, and the IDI Initial Domain Identifier.


What does the OSI NET Network Entity Title identify?
When the SEL is 0, no particular service is being addressed, and the entire NSAP address identifies the destination node itself without referring to any particular service.


OSI Level 0 routing is similar to what in IPv6?
Level 0 routing is also known as ES-IS routing. This is similar in concept to IPv6 RA and NA messages.


With IS-IS, the MTU must be set to what on a Level 1 or Level 2 router?
The MTU must be set to be equal to or smaller than the lowest MTU link within the flooding scope.


What is the IS-IS LSP default MTU?
1497


A list of all IS-IS LSPs in the sender's LSDB are contained in what?
CSNP Complete Sequence Number PDU


How are hub-and-spoke topologies handled in IS-IS?
As a collection of point-to-point links


True or False: IS-IS CSNPs are sent periodically on P2P interfaces.
Cisco routers do not send CSNPs on P2P links after the initial adjacency buildup by default, but some IS-IS implementations do.


0180.c200.0014 is the MAC address for what?
IS-IS Level 1 frames


0180.c200.0015 is the MAC address for what?
IS-IS Level 2 frames


For IS-IS DIS elections, what is the interface priority value range?
0 - 127 inclusive, default 64


What is the reason for assigning multiple IS-IS NSAP addresses to a router?
Assigning multiple NSAP addresses to a router is a temporary situation used to facilitate splitting or merging areas.


What is the requirement of assigning multiple NSAP addresses to an IS-IS router?
The System ID must be identical, with a different Area ID.


What is the result of having multiple NSAP addresses assigned to an IS-IS router?
Since the requirement of multiple NSAP addresses is the System ID must be the same, but the Area IDs must be different, the end result is that the areas are merged together while the IS-IS router has multiple NSAP addresses assigned to it.


In what way do IS-IS Level 1 routers operate similar to an OSPF NSSA-TS area?
Level 1 routers can perform redistribution from external sources, but can see routes within their own area and nothing more.


How does an IS-IS L1L2 router indicate that it can reach areas other than its own?
It sets the ATT (attachment) flag on its L1 LSP


How do IS-IS L1 routers respond to receiving an LSP with the ATT flag?
L1 routers install a default route toward the nearest L2 router advertising the ATT flag.


The maximum number of switches that could possibly be in the path between two end hosts is known as what?
Spanning-Tree diameter


What does changing the STP local port ID influence?
The downstream neighbor's choice of root port


What does changing the local STP interface cost influence?
The local choice of the root port


The following are characteristics of which DMVPN phase?

-Summarization is not allowed on the hub
-Default routing is not allowed on the hub
-Spokes must always maintain next-hop reachability
DMVPN Phase 2


The following are characteristics of which DMVPN phase?

-Summarization is allowed on the hub
-Default routing is allowed on the hub
-Next-hop values on the spokes are always modified
DMVPN Phase 3


What is automatically generated when you issue the OSPF summary-address command?
An external discard route to Null0 is automatically injected along with the summary address.


How does OSPF indicate that an external route installed in an NSSA should not leave the area?
With the "P" (propagate) bit. If the bit is not set, the redistributed route remains within the NSSA and is not translated to a Type 5 LSA by the ABR.


During which phase do two devices verify whether they speak PPP and negotiate basic link operation parameters?
Link Establishment Phase


The following functions are provided by what aspect of PPP?

-Verify devices speak PPP
-Verify link is not looped
-Negotiate basic parameters
-Verify session liveliness
-Tear down session if either device requests it
LCP Link Control Protocol


What PPP message is sent when certain parameters of unacceptable, but negotiable?
CONFNAK


What PPP message is sent when certain parameters of unacceptable, and nonnegotiable?
CONFREJ


The configuration details of a particular PPPoE concentrator instance, such as the concentrator name presented to clients, maximum number of attached clients, and a reference to the Virtual-Template, are contained in what?
bba-group


What is the limit to the number of BGP ASes an advertised prefix can pass through?
255


How do you view information about BGP peer groups?
show ip bgp peer-group


A BGP route reflector is not allowed to change which four attributes of reflected routes?
NEXT_HOP
AS_PATH
LOCAL_PREF
MED


How does a BGP route reflector handle the NEXT_HOP, AS_PATH, LOCAL_PREF, and MED attributes in reflected routes?
BGP route reflectors are not allowed to change those attributes.


How can you determine the reason for a BGP RIB failure?
show ip bgp rib-failure


What four tools are available with BGP for conditional route advertisement?
advertise-map
non-exist-map
exist-map
inject-map


The BGP tools advertise-map, non-exist-map, exist-map, and inject-map, are associated with what?
Conditional route advertisement


How does the BGP advertise-map conditional route tool work together with exist-map and non-exist-map?
The advertise-map specifies the routes to be advertised to the neighbor when the condition of the exist-map or non-exist-map is met.

With the exist-map the condition is met when the prefix exists both in the advertise-map and the exist-map.

With the non-exist-map the condition is met when the prefix exists in the advertise-map but not in the non-exist-map.


What causes the BGP exist-map condition to be met?
When the prefix exists in both the advertise-map and the exist-map.


What causes the BGP non-exist-map condition to be met?
When the prefix exists in the advertise-map, but not in the non-exist-map.


What is the difference between the BGP no-advertise and no-export communities?
Routes with the no-advertise community attached should not be advertised to any BGP neighbor, whereas no-export routes should not be advertised to any eBGP neighbor.


What are the three well-known BGP communities?
local-as
no-advertise
no-export


How do you advertise BGP communities to a neighbor?
BGP process:
neighbor ip send-community


With Cisco IOS, how are BGP communities propagated by default?
By default IOS routers strip the community attribute of a route when advertising to neighbors unless specifically configured with neighbor ip send-community

If a route is tagged with the no-export (or any other) community, that information is lost unless the router is specifically configured to send communities.


How do you change BGP attributes for an advertised prefix?
Reference a route-map with the network statement under the BGP process.


How do the BGP no-export and local-as communities work with BGP confederations?
no-export ignores the BGP confederation identifier, and keeps the prefixes local to the overall BGP ASN.

local-as takes the BGP confederation identifier into account and keeps the routes local to the sub-AS if the confederation identifier is configured. Otherwise it behaves identically to the no-export community.


What is the internet BGP community?
The internet community is essentially an "advertise to all" setting, commonly used to override previously-set advertising restrictions.


How do you view BGP prefixes that have passed through a particular AS?
show ip bgp regexp _ASN_


How do you view which BGP prefixes originated from a particular ASN?
show ip bgp regexp _ASN$


How do you view which BGP prefixes originated in the local AS?
show ip bgp regexp ^$


How can you configure an AS_PATH access list to deny prefixes originated from the local AS?
ip as-path access-list num deny ^$
ip as-path access-list num permit .*


What is the result of this configuration?

ip as-path access-list num deny ^$
ip as-path access-list num permit .*
All prefixes from the local BGP AS are denied


How can you view BGP prefixes which have been prepended?
show ip bgp regexp ^([0-9]+)(_\1)+$


How can you match with an AS_PATH access list BGP routes that have been prepended?
ip as-path access-list num permit ^([0-9]+)(_\1)+$


Why are classic STP TCN BPDUs necessary?
Normal Configuration BPDUs flow from the root bridge downstream in classic STP. TCN BPDUs are necessary for downstream bridges to notify upstream bridges of a topology change. 


How do classic STP TCN BPDUs get processed in the network?
The switch detecting the topology change sends a TCN BPDU on its root port toward the designated switch. The designated switch responds back with a normal configuration BPDU with the TCAck bit set. The process repeats with the designated switch sending a TCN BPDU on its own root port and expecting to receive a TCAck from it's designated bridge. When the TCN reaches the root, the root sends out configuration BPDUs with the TC bit set, which then flows downstream to all switches in the topology.


What is the effect of a switch running classic STP receiving a configuration BPDU with the TC bit set?
The switch becomes aware of a topology change and reduces its CAM aging time to the forward delay, which is 15 seconds by default.


With classic STP, when the root bridge is notified of a topology change, how does it react?
The root bridge sends out configuration BPDUs with the TC bit set for max age + forward delay (20+15=35) seconds. Downstream bridges receiving the BPDU with the TC bit set reduce their CAM aging time to the forward delay.


With classic STP, when the root bridge is notified of a topology change, how long does it send out configuration BPDUs with the TC bit set?
Max Age + Forward Delay seconds

20 + 15 = 35 seconds by default


What function replaces ARP in IPv6?
Neighbor Solicitation


What three main functions are performed by IPv6 Neighbor Solicitation?
-Discover link-layer IPv6 address of neighbor (replaces ARP)
-Duplicate Address Detection
-Determine reachability of neighbor


With IPv6, the following three functions are performed by what?

-Discover link-layer IPv6 address of neighbor (replaces ARP)
-Duplicate Address Detection
-Determine reachability of neighbor
Neighbor Solicitation


What is the IPv6 All Nodes multicast address?
FF02::1


What is the IPv6 address FF02::1 associated with?
All Nodes


What is the IPv6 All Routers multicast address?
FF02::2


What is the IPv6 address FF02::2?
All Routers


What are the two high-level steps of the SLAAC process?
-Host receives RA message and updates its default router list, neighbor cache, and prefix list
-Host uses info from RA to create modified EUI-64 IPv6 address for all received prefixes


How do you enable a Cisco IOS device to configure an IPv6 address via SLAAC?
Interface:
ipv6 enable
ipv6 address autoconfig


How do you view the addresses and interfaces on which IPv6 RA messages have been received?
show ipv6 routers


How are multicast MAC addresses generated from multicast IPv6 addresses?
33:33 + Last four bytes of multicast IPv6 address

Example: FF02::1 = 3333.0000.0001
Example: FF02::1:FF11:1111 = 3333.FF11.1111


What does the following command do?

ipv6 address autoconfig default
This interface command uses SLAAC to configure the IPv6 address on the interface based on received RA messages, and to install a default route automatically to the routers advertising the RA messages.


True or False: IPv6 RA messages are sent by default on Serial and Ethernet interfaces after IPv6 unicast-routing is enabled.
False: They are sent on Ethernet interfaces automatically, but must be explicitly enabled on Serial interfaces with:

no ipv6 nd ra suppress


How do you enable the sending of IPv6 RA messages on a serial interface?
Interface:
no ipv6 nd ra suppress


How do you set the "M" flag in outgoing IPv6 RA messages?
Interface:
ipv6 nd managed-config-flag


How do you set the "O" flag in outgoing IPv6 RA messages?
Interface:
ipv6 nd other-config-flag


What is the IPv6 RA "M" flag?
The "M" flag indicates to the receiver that it should receive its entire IPv6 configuration using DHCP, with the exception of the default gateway address, since that is already conveyed in the RA message.


How do IPv6 routers indicate to hosts that they should receive their entire IPv6 addressing information from a DHCPv6 server?
By setting the "M" flag in outgoing RA messages.


What is the IPv6 RA "O" flag?
The "O" flag indicates that a host should obtain its IPv6 address and gateway from SLAAC, and use DHCPv6 to acquire all other information (such as DNS servers).


What is an indication in an IPv6 RA message that the receiving device should set its IPv6 address and default gateway via SLAAC, but use DHCPv6 for all other settings, such as DNS servers?
Setting the "O" flag


What happens if an IPv6 host receives RA messages with either the "M" or "O" flags set?
It is up to the host as to whether or not the flags will be honored. For example, a router can send an RA with either of the flags set, but it will be ignored if the host already has a static configuration.


In Cisco IOS, what does the interface command ipv6 enable do?
This command allows the interface to have a link-local address.


How do you view the parameters received from a DHCPv6 server?
show ipv6 dhcp interface


What is the DHCPv6 four-stage process?
Solicit
Advertise
Request
Reply


How do you configure DHCPv6 relay?
Interface:
ipv6 dhcp relay destination ipv6-address interface


What is the DHCPv6 Rapid Commit feature?
Rapid Commit allows a DHCPv6 client to obtain its information from the DHCPv6 server with the exchange of two messages, instead of four. This feature must be configured on both the server and client.


What messages are exchanged during DHCPv6 Rapid Commit?
Solicit
Reply


How do you enable the DHCPv6 Rapid Commit feature on the client side?
Interface:
ipv6 address dhcp rapid-commit


How do you enable the DHCPv6 Rapid Commit feature on the server side?
Interface:
ipv6 dhcp server pool rapid-commit


What is IPv6 prefix delegation?
Prefix delegation is a mechanism to assign entire prefixes to a downstream router, which can then be further subnetted at will.


What is the IPv6 mechanism to assign an entire prefix to a downstream router, which can then be further subnetted at will?
IPv6 prefix delegation


For IPv6 prefix delegation, how do you configure the pool of prefixes available for assignment?
Global:
ipv6 local pool pool ipv6-prefix/length sublength

Example:
ipv6 local pool Pool1 2001:1:1::/48 56

This example provides assignment for up to 256 /56's within the parent /48


For IPv6 prefix delegation, how can you view how many prefixes have been assigned for each pool?
show ipv6 local pool


How do you configure a DHCPv6 pool to permanently assign delegated prefixes?
ipv6 dhcp pool name
  prefix-delegation pool pfx-pool lifetime infinite infinite


How do you configure an interface to request a DHCPv6 delegated prefix?
Interface:
ipv6 dhcp client pd tag

Where tag is assigned locally and used for reference in other configuration commands (such as for further subnetting the prefix on another interface).


How do you configure an IPv6 address to be assigned based on a previously-received delegated prefix?
Interface:
ipv6 address tag prefix/length

Where tag refers to the DHCP-requested delegated prefix from a different interface, and prefix/length is the value appended to the delegated prefix.

Example: ipv6 address Pfx1 ::2:0:0:0:20/64

If Pfx1 = 2001:0:1, the final prefix would be 2001:0:1:2::20/64


How do you configure IPv6 prefix delegation on the upstream router?
ipv6 local pool Pfx1 pfx/len delegated-length
ipv6 dhcp pool Pool1
  prefix-delegation pool Pfx1 lifetime valid-lifetime preferred-lifetime
interface interface
  ipv6 dhcp server Pool1


How do you configure an OSPFv3 external summary?
router ospfv3 pid
  address-family ipv6 unicast
    summary-prefix prefix/length

summary-prefix is used instead of summary-address


Within the context of OSPFv3 LSAs, what is the V6-Bit?
The V6-Bit indicates that the router has the capability of forwarding transit IPv6 packets.


Within the context of OSPFv3 LSAs, what is the E-Bit?
The E-Bit indicates the capability of the local router to accept external LSAs.


Within the context of OSPFv3 LSAs, what is the R-Bit?
The R-Bit indicates that the router can be used to route transit traffic.


Within the context of OSPFv3 LSAs, what is the DC-Bit?
The DC-Bit indicates that the router is capable of running demand circuits.


Within the context of OSPFv3 LSAs, what identifies the router's capability to forward transit IPv6 packets?
V6-Bit


Within the context of OSPFv3 LSAs, what identifies the router's capability to accept external LSAs?
E-bit


Within the context of OSPFv3 LSAs, what identifies the router's capability to route transit traffic?
R-bit


Within the context of OSPFv3 LSAs, what identifies the router's capability to run demand circuits?
DC-bit


How does OSPFv3 use interface IDs in LSAs?
Interface IDs are used instead of IPv6 addresses to indicate interfaces that are connected together. Each interface on a router is assigned an interface ID, and the local router can learn about its neighbor's interface ID from the received OSPFv3 Hello packets.


How many Type-9 LSAs are generated by an OSPFv3 router?
One Type-9 LSA containing all stub networks
One Type-9 LSA for each transit network for which the router is a DR and has originated a corresponding Network LSA.


What is the minimum configuration for enabling EIGRP for IPv6 in named mode?
ipv6 unicast-routing
router eigrp name
  address-family ipv6 unicast as asn
    eigrp router-id rid

EIGRP is automatically enabled on all interfaces at this point.


How can you filter out all EIGRP External routes without using a route-map or prefix-list?
EIGRP process:
distance eigrp 90 255


How does configuring a static IPv6 address on an interface affect IPv6 autoconfiguration features?
All autoconfiguration features are disabled when a static IPv6 address is configured.


How does an RSTP designated discarding port react to not receiving an agreement after sending a proposal?
If the other end of the link does not understand RSTP BPDUs, or if the remote bridge is blocking, the RSTP designated discarding port falls back to classic STP timers and proceeds through listening and learning into forwarding.


What is the default match type in a class-map if not specified?
match-all


Where do you apply Generic Traffic Shaping?
Directly on the interface


True or False: Generic Traffic Shaping supports selectively shaping via ACLs.
True


How does HSRP preemption work?
HSRP members configured with standby preempt will attempt to become the active device if its priority is higher than the current active device. Without preemption, the current HSRP active device remains active (regardless of interface tracking) unless there is loss of reachability between HSRP members.


What are the three main entities of SNMPv3?
-Users
-Groups
-Views


What are SNMPv3 Views?
SNMPv3 Views define subsets of MIBs visible to groups.


What are the three SNMPv3 security levels?
-NoAuthNoPriv
-AuthNoPriv
-AuthPriv


With SNMPv3, what is a requirement for sending traps?
With SNMPv3, traps must have a user associated with them.


What are the three types of SNMPv3 Views?
-Read
-Write
-Notify


What two things are common between RARP, BOOTP, and DHCP?
All three protocols require the client host to send a broadcast to begin discovery, and all three protocols rely on a server to hear the request and supply an IP address to the client.


How does RARP work?
A client sends an ARP request containing its MAC as the target, with the target IP 0.0.0.0. The RARP server, if configured with the host's MAC address in its lookup table, sends an ARP reply with the host's IP address in the Source IP address field.


Where in the network must a RARP server be placed?
RARP works based on normal ARP messages, and therefore must be on the same L2 network segment as the RARP clients.


What is the major limitation of BOOTP?
BOOTP includes many features over RARP, most of which were later included or improved in DHCP. However, BOOTP still requires the server to be preconfigured with the MAC and IP addresses of each participating client.


True or False: Like RARP, the BOOTP server must reside on the same L2 network segment as the client.
False. BOOTP uses UDP packets, and is able to support a centrally-located BOOTP server.


Switchport port-security cannot work with which five types of ports?
-Dynamic: must be set to static access or trunk
-Routed
-SPAN destination
-EtherChannel
-PVLAN


To which addresses are ISL encapsulated frames sent to?
0100.0C00.0000 or 0300.0C00.0000 for Ethernet


What range of VLANs are supported by ISL?
Both normal and extended range


How are the bits and bytes of MAC addresses in Ethernet frames transmitted?
The bytes are sent left-to-right, with the least significant bit in each byte transmitted first.

A MAC address beginning with "12" is 0001 0010 in binary, but would be transmitted as 0100 1000. 


How does the OSPF Fast Hello feature work?
The dead interval becomes fixed at one second, and a hello multiplier is used to specify the number of hellos to be sent every second.


With OSPF Fast Hellos, how is the hello interval advertised in hello packets?
With the OSPF Fast Hello feature, the hello interval advertised in hello packets is set to 0, and the hello interval is ignored in received hello packets on the interface.


True or False: When using OSPF Fast Hellos, the hello multiplier value must match between devices.
False. With fast hellos, the hello interval value is ignored in received hello packets. The value does not need to match between neighbors as long as at leats one hello packet is sent and received within the deal interval (1 second).


What are the four main NSAP address formats?
39 Data Country Code
45 E.164
47 International Code Designator
49 Locally Defined


What causes the BGP Origin code to be IGP?
Prefixes learned via:
-network
-neighbor ip default-originate
-aggregate-address without as-set
-aggregate-address with as-set if all components use IGP code


What causes the BGP Origin code to be Incomplete?
Prefixes learned via:
-redistribute
-default-information originate (not neighbor default originate)
-aggregate-address with as-set where at least one component has Incomplete code


All packets belonging to the same MPLS FEC have the same ___.
Label

However, not all packets with the same label belong to the same FEC


What is the default behavior with regard to marked traffic on Catalyst switches when mls qos is enabled?
The markings on all incoming traffic is dropped unless the interface is configured to trust the existing markings.


With class-based policing, if the Bc value is not specified, what is the default?
CIR / 32 or 1500 bytes, whichever is higher.


What happens if you configure a Bc size to be less than the CIR / 32?
IOS does not allow the burst size to be less than CIR / 32 or 1500 bytes. 

For example, if you attempt to configure a CIR of 10 Mbps with a Bc of 1000 bytes, IOS notifies you that it is automatically increasing the burst size to 5000 bytes.


How can you match on an IP or MAC address in a class-map without using match source-address [mac]?
Create an IP or MAC ACL and reference it in the class-map with match access-group ACL


With class-based shaping, what is the Be value if not specified?
The Be value is equal to the Bc value, unless explicitly configured.


What is the result of Bc / CIR?
Tc


What is the key exchange protocol used by Cisco inside IKE?
OAKLEY


OAKLEY is the key exchange protocol that Cisco uses inside what?
IKE


What are the two modes defined by ISAKMP?
Main mode
Aggressive mode


To enable IKE Phase 1, what must be configured?
ISAKMP policy


To enable IKE Phase 2, what must be configured?
IPsec transform set


What port is associated with IKE?
UDP 500


Port UDP 500 is associated with what technology?
IKE


What are the four main parameters exchanged during IKE Phase 1?
-Authentication method
-Diffie-Hellman group
-Encryption type
-Hash algorithm


Authentication method, Diffie-Hellman group, Encryption type, and Hash algorithm are exchanged during which IKE phase?
IKE Phase 1


During ISAKMP policy exchange between peers, which policy is chosen?
Multiple ISAKMP policies can be exchanged, and the first match is used based on the lowest local priority value.


What are the four main parameters exchanged during IKE Phase 2?
-Security protocol (ESP or AH)
-Encapuslation mode (Transport or Tunnel)
-Encryption
-Authentication

The combination is referred to as the IPsec Transform Set


What is the IPsec transform set?
The set of parameters used to define IKE Phase 2:

-Security protocol (ESP or AH)
-Encapsulation mode (Transport or Tunnel)
-Encryption
-Authentication


The security protocol, encapsulation mode, encryption, and authentication, are the four main parameters of which IKE phase?
IKE Phase 2


What are the combination of security protocol, encapsulation mode, encryption, and authentication parameters referred to as?
IPsec transform set


How are Diffie-Hellman group numbers related to each other?
Higher numbers indicate a stronger level of cryptography.


What mode is IKE Phase 2 referred to as?
Quick Mode


How do you configure a basic crypto map for IPsec-ISAKMP?
crypto map name seq ipsec-isakmp
  set peer ip
  match address ACL
  set transform-set transform-set

interface interface
  crypto map name


How do you verify the custom or default IKE Phase 1 policies?
show crypto isakmp [default] policy


How do you verify ISAKMP PSKs?
show crypto isakmp key


How do you verify custom or default IKE Phase 2 policies?
show crypto ipsec transform-set name


How do you verify the crypo map configuration for an interface?
show crypto map interface interface


How do you view the result of the IKE Phase 1 negotiation?
show crypto isakmp sa


How do you view realtime details about IKE Phase 1?
debug crypto isakmp


How do you view realtime details about IKE Phase 2?
debug crypto ipsec


How do you view the results of IKE Phase 2 negotiations?
show crypto ipsec sa


Before a device sends IKE packets to a peer, what is checked first?
The device first checks to see if there is an existing local IPsec SA (Phase 2 SA) matching the particular traffic.


How many packets are exchanged for the IKE Phase 1 SA in Main mode?
Six


How many packets are exchanged for the IKE Phase 1 SA in Aggressive mode?
Three


How many packets are exchanged for the IKE Phase 2 SA Quick Mode?
Three


What is contained in the first packet of the IKE Phase 1 Main Mode SA?
The first packet is sent by the IPsec tunnel initiator, and contains the ISAKMP policy.


What is contained in the second packet of the IKE Phase 1 Main Mode SA?
The second packet is sent from the responder back to the initiator containing the exact same information matching the ISAKMP policy sent in the first packet (assuming a matching policy is configured on the responder).


What do the vendor-IDs exchanged during the IKE Phase 1 setup refer to?
Various features such as NAT-Traversal and Dead Peer Detection


What is the default ISAKMP SA lifetime?
86400 seconds (1 day)


What is contained in the third packet of the IKE Phase 1 Main Mode SA?
Sent from the initiator to the responder containing the Key Exchange information with the purpose of generating the information for the Diffie-Hellman secret key.


What is contained in the fourth packet of the IKE Phase 1 Main Mode SA?
Sent from the responder back to the initiator containing Key-Exchange information so that both peers can generate a common session key based on the locally-configured PSK.


What is contained in the fifth packet of the IKE Phase 1 Main Mode SA?
Sent to responder and protected by the common shared secret, the fifth message is used for sending authentication information to the peer.


What is contained in the sixth packet of the IKE Phase 1 Main Mode SA?
The sixth and final packet is sent from the responder back to the initiator containing matching authentication information.


What is contained in the first packet of the IKE Phase 1 Aggressive Mode SA?
The first packet is sent from initiator to responder and contains enough information for the responder to generate its Diffie-Hellman secret. This single packet is equivalent to the first four Main Mode packets.


What is contained in the second packet of the IKE Phase 1 Aggressive Mode SA?
The second packet is sent from the responder back to the initiator, and contains the Diffie-Hellman key.


What is contained in the third packet of the IKE Phase 1 Aggressive Mode SA?
Sent from the initiator to the responder, conatins the identity and hash payloads. If the information matches on the responder, the IKE Phase 1 SA is established.


With IPsec, what is the "interesting" traffic referred to as?
Proxy ID


When configuring ACLs to be used as Proxy IDs for IPsec, what is the configuration requirement of both peers?
The ACLs must mirror each other between peers.


What differentiates different IPsec SAs?
Security Parameter Index (SPI) values


How many SPI values are generated for each IPsec tunnel?
Two - one SPI for the inbound SA, and one SPI for the outbound SA


What are the two major benefits of using GRE tunnels with IPsec as opposed to legacy crypto maps?
Crypto maps require mirrored ACLs for each SA, whereas GRE tunnels with IPsec protect all traffic. This allows for the second major benefit, the ability to run dynamic routing protocols instead of using static routes.


How can you view information about PIM on the configured interfaces?
show ip pim interface


How can you view information (versions, timers, etc.) about IGMP on the configured interfaces?
show ip igmp interface interface


How do you configure the maximum number of mroute states created as a result of IGMP host membership reports?
Global or per-interface:
ip igmp limit number


How do you manually configure the LDP RID?
Globally:
mpls ldp router-id


True or False: The value used for the LDP RID must be reachable on the network.
True. Unlike OSPF, the LDP RID represents an actual IP address, and is used for transport. If not set manually, it follows the same auto-assignment rules as other protocols (highest loopback IP, etc), but whether set manually or not, it must be reachable on the network.


How can you verify IGMP timers?
show ip igmp interface interface


How can you verify which multicast router is the DR on a segment?
show ip igmp interface interface


How can you verify which multicast groups have been joined on a network segment, and how many users are participating in the groups?
show ip igmp interface interface


How do you modify the IGMP query interval?
Interface:
ip igmp query-interval seconds


How do you modify the IGMP querier timeout?
Interface:
ip igmp querier-timeout

Default is 2x query-interval, and is automatically adjusted when the query-interval is adjusted unless set manually.


What is the effect of changing the IGMP query interval on an interface?
The querier-timeout value is automatically set to 2x the value of the query interval, unless configured manually.


How do you change the IGMP query max response time?
Interface:
ip igmp query-max-response-time


Why is a DR used with IGMPv1?
IGMPv1 does not support querier election, so the multicast routing protocol elects a DR for that purpose.


What is the difference between ip igmp static-group and ip igmp join-group?
The static-group command causes the router to maintain multicast state for the particular group so that multicast traffic can flow through the router to the particular group. 

The join-group command causes the router to act as a multicast client and participate in group membership, such as the ability to send pings.


How do you limit which multicast groups can be joined from a network segment?
Interface:
ip igmp access-group ACL


How do you modify the IGMP last member query count?
Interface:
ip igmp last-member-query-count number


How do you modify the IGMP last member query interval on a network segment?
Interface:
ip igmp last-member-query-interval ms


What is used in newer IOS versions to register with the RP instead of unicast-encapsulated multicast register messages?
Automatic PIM-SM tunnel interfaces.


How can you view information about automatic PIM-SM tunnels?
show ip pim tunnel

Displays type (PIM Encap or PIM Decap), RP address, source address


What is the purpose of the ip multicast boundary command?
This interface command can reference an ACL to prevent state from specified multicast groups from being installed.


What does the command ip pim dm-fallback do?
When an interface is configured for sparse-dense mode, if an RP is not found for a particular multicast group, the interface attempts to locate the multicast source via PIM-DM.


What is the default behavior of an interface configured for PIM sparse-dense-mode if it cannot find the RP for a particular multicast group?
The default ip pim dm-fallback command instructs the router to attempt to find the multicast source via PIM-DM.


What are the default LDP Hello and Hold timers?
5 / 15 seconds


How do you perform conditional debugging?
Specify the desired traffic with an ACL, then reference it with:
debug ip packet detail acl


What does the Peer LDP Ident 1.2.3.4:0 indicate?
The peer IP address is 1.2.3.4 and its label space is platform-wide (indicated by :0, any other value indicates per-interface label space).


What is the difference between the two types of LDP neighbor discovery?
Basic is used to discover directly-connected neighbors.

Extended uses targeted IP addresses to discover neighbors that are not directly connected.


How do you adjust the LDP discovery timers?
Globally:
mpls ldp discovery hello {interval | holdtime} seconds


How do you adjust the LDP session timers?
Globally:
mpls ldp holdtime seconds

The keepalive time is automatically set to 1/3 the value.


When manually configuring the LDP router ID, what does the force keyword do?
The force keyword causes all LDP TCP sessions to be reset.


How do you verify which range of MPLS labels are available for assignment?
show mpls label range

Default 16 - 100,000


What is the default range of MPLS label values on IOS?
16 - 100,000


How do you adjust the range of MPLS labels available for assignment?
Global:
mpls label range start end

Note: adjusting this value requires a reload before taking effect.


What is the reserved MPLS label value for implicit null?
3


Why does the default MPLS label value range begin at 16?
Values 0 - 15 are reserved by IANA and are never to be made available for allocation.


How do you prevent LDP from advertising labels, without completely disabling LDP?
Global:
no mpls ldp advertise-labels


How do you conditionally advertise MPLS labels?
Global:
mpls ldp advertise-labels for ACL1 to ACL2

Where ACL1 indicates prefixes for which labels will be generated, and ACL2 indicates prefixes for which the labels will be advertised to.


How can you disable LDP for a particular interface?
Interface:
no mpls ldp igp autoconfig


What does the mpls ldp autoconfig command do?
Enables LDP for a particular OSPF or IS-IS process. You can optionally specify the OSPF area or IS-IS level as part of the command.


What is LDP session protection?
LDP session protection is a targeted session between two LDP neighbors (typically via loopback interfaces) so that if a link between the two neighbors goes down, the TCP session and neighborship remains active.


How do you enable LDP session protection?
Globally:
mpls ldp session protection


How do you configure a router to participate in LDP session protection without enabling LDP session protection on the router itself?
Global:
mpls ldp discovery targeted-hello accept


What is a consequence of entering the no bgp default ipv4-unicast command?
Prefixes are not exchanged between neighbors unless activated until the respective address family.


What type of OSPF routers are MPLS PE's considered?
ABR


What is the MPLS OSPF SuperBackbone?
When using OSPF, the MPLS PE's are considered ABRs, and the internal MPLS network is considered the OSPF SuperBackbone.


What is the OSPF Domain ID?
The Domain ID is used when redistributing OSPF routes into BGP VPNv4. The Domain ID is attached to BGP updates as an extended community, and is used to determine the LSA type to be generated. Type 5 LSAs are generated if the Domain IDs do not match between MPLS PEs, and Type 3 LSAs are generated if the Domain IDs do match.


How is the OSPF Domain ID determined?
The OSPF Domain ID is either based on the local OSPF process ID, or configured manually.


How do you configure the OSPF Domain ID?
MPLS PE:
router ospf pid vrf vrf
  domain-id id


What are the two main methods of supporting intra-area OSPF routes across the MPLS SuperBackbone?
OSPF Sham Link
GRE tunnels between PE routers


What is the purpose of an OSPF Sham Link?
To connect discontiguous OSPF backbones together over an MPLS network so that routes between sites appear as intra-area.


How do you configure an OSPF Sham Link?
router ospf pid vrf vrf
  area 0 sham-link src dst cost cost


How do you verify OSPF Sham Links?
show ip ospf sham-links


What is the MPLS OSPF Sham Link equivalent to?
The sham link operates similar to a regular OSPF virtual link in that it has specific endpoints, traverses a single area, has an adjustable cost, and operates as a demand circuit. 


When configuring the same BGP ASN between multiple sites across an MPLS L3VPN, what else must be configured?
Normal BGP loop prevention mechanisms are in place by default, so either the CE must be configured with BGP allowas-in or the PE must be configured with BGP as-override


What is the purpose of the BGP allowas-in feature?
This allows a BGP router to accept an advertisement containing its own ASN, which is normally dropped due to BGP loop prevention rules.

This is commonly used across MPLS L3VPN when the customer has the same BGP ASN at multiple sites.


How does the BGP as-override feature work?
Commonly used with MPLS L3VPN, as-override causes the peer's ASN to be replaced with the local ASN and prepended. This is used on the PE router side if the CE router is using the same BGP ASN at multiple sites within the VPN.

Peers must accept prepended routes for this to work.


How can you verify which VLANs have a VACL applied?
show vlan filter


True or False: VLANs 1 and 1002-1005 can be manually pruned from trunks.
True, however those VLANs cannot be deleted, and they cannot be pruned by VTP.


What two things are automatically instantiated when a new VLAN is created?
MAC address table
Spanning-Tree instance


How does the upstream STP switch port ID affect a downstream switch's choice of root port?
The root port is elected based on the lowest root path cost. If there is a tie in cost, the link through the switch with the lower BID is used. If there is a tie for the BID, the lowest upstream port ID is used.


When forwarding to a destination, what is a requirement for multipoint interfaces that does not apply to point-to-point interfaces?
Layer 3 to Layer 2 resolution


How can you verify the NHRP cache?
show ip nhrp


With PBR, what does a route-map deny clause indicate?
The matched criteria should use normal forwarding, not policy routing.


How do you verify if PBR is working?
debug ip policy


What are the two primary causes of tunnel recursive routing errors?
Metric or AD errors


What is the limitation of creating summary routes with RIPv2?
The summary cannot be larger than the major network. For example, you cannot create a summary address including both 4.0.0.0/8 and 5.0.0.0/8.

EIGRP does not have this limitation.


What's the difference between an OSPF Type 8 and Type 9 LSA?
Both have a link-local scope.

Type 8 "Link LSA" provides all the IPv6 addresses on the link

Type 9 "Intra-Area-Prefix LSA" is defined as opaque and contains prefixes for stub and transit networks


True or False: EIGRP maintains completely separate topologies and performs separate DUAL calculations when both IPv4 and IPv6 are used simultaneously.
True


Which OSPF network types use a Type 2 LSA?
Broadcast
Non-broadcast


Which OSPF network types do not use a Type 2 LSA?
Point-to-point
Point-to-multipoint
Point-to-multipoint non-broadcast


If the OSPF reference bandwidth is set to a high value, what could prevent a virtual link from initializing?
The virtual link must have a total path cost of less than 65535. If the reference bandwidth is set to a high value, and the virtual link must traverse a comparatively low speed interface, the total cost could exceed the limit.

Example: Reference bandwidth set to 100 Gbps, but virtual link crossing a T1.


What is a caveat of enabling authentication on an OSPF virtual link?
Because the VL runs as a demand circuit, you must clear the VL after authentication is applied for it to take effect.


For DMVPN Phase2, what is the next-hop IP address advertised by the hub for a particular spoke?
The spoke's overlay IP address


For DMVPN Phase3, what is the next-hop IP address advertised by the hub for a particular spoke?
The hub's overlay address. For spoke-to-spoke traffic, the hub sends an NHRP redirect to inform the source spoke of the destination spoke's NBMA address.


If multiple EIGRP processes are running and there are multiple equal matches to the same prefix, which one is installed in the RIB?
The prefix from the lowest EIGRP ASN


If multiple OSPF processes are running and there are multiple equal matches to the same prefix, which one is installed in the RIB?
The prefix from the lowest OSPF PID


What is the AD of NHRP?
250


What protocol has the AD 250?
NHRP


During redistribution into BGP, how are OSPF routes handled by default?
When redistributing from OSPF into BGP, external routes are denied by default. This is changed with redistribute ospf pid match internal external


How do you configure BGP redistribution to allow OSPF external routes?
BGP process:
redistribute ospf pid match internal external


What is the default behavior of redistributing BGP routes into an IGP?
Only eBGP routes are redistributed by default. Configure bgp redistribute internal under the BGP process to allow iBGP routes to be redistributed as well.

Use this with caution as routing loops can occur.


What does the BGP command bgp redistribute internal do?
By default, when redistributing BGP routes into an IGP, only eBGP routes are redistributed. This command also permits iBGP routes to be redistributed.


How do you enable redistribution of iBGP routes into an IGP?
BGP process:
bgp redistribute internal

This behavior is disabled by default to prevent routing loops.


What is IP event dampening?
A configurable exponential delay that causes a flapping interface to be removed from use by routing protocols until the link has been stable for a period of time. This prevents distributed routing protocols from constantly having to recalculate due to the rapid presence and removal of the flapping link.


How can you troubleshoot LDP adjacencies in realtime?
debug mpls ldp transport events


How can you verify the VRF RT import/export policy?
show vrf detail


How can you view realtime MPLS label binding information?
debug mpls ldp binding


How can you force re-import/export of route targets in a VRF?
clear ip route vrf *


How many crypto maps can be applied on an interface?
One per physical (sub)interface

One crypto map can be applied to multiple interfaces.


What is the relationship between crypto maps and interfaces?
One crypto map per (sub) interface. However, one crypto map can be applied to multiple interfaces.


How do crypto maps interact with routing and NAT?
Crypto maps are applied to outbound traffic on an interface, after NAT and routing have occurred. This means static routing and/or NAT exemption may be required.

Routing, NAT, and crypto are independent of each other.


When multiple ISAKMP policies are configured between two devices, what is the result of this configuration:

Router A:
 -Priority 10: Higher requirements
 -Priority 20: Lower requirements

Router B:
 -Priority 10: Lower requirements
 -Priority 20: Higher requirements
ISAKMP priorities are processed top-down until a match occurs with the lower priority value having a higher precedence. In this case, the "lower requirements" would be used due to it having a higher priority on Router B.


When using crypto maps with GRE tunnels, where should the crypto map be applied?
The crypto map should be applied to the physical interface, not the tunnel interface, for GRE over IPsec. Traffic is GRE encapsulated first, and encrypted second. This allows for a single Proxy ACL entry to permit GRE traffic between the endpoints.


How does GRE over IPsec work?
By applying the crypto map to the physical interface instead of the tunnel interface, traffic is GRE encapsulated first, and encrypted second. This allows for a single Proxy ACL entry to permit GRE traffic between the endpoints.


How does GRE over IPsec break PMTUD?
The MTU value is not copied between headers, so the MTU of the GRE tunnel must be adjusted downward accordingly (1400 bytes is standard, with 1360 TCP MSS).


What are IPv6 Unique Local addresses?
FC00::/7  (1111 110)

Equivalent to RFC 1918 private addressing, not routable via global BGP


What type of IPv6 address is this?

FC00::/7
Unique Local


What is an IPv6 general prefix?
The general prefix allows multiple longer IPv6 addresses to be defined from a single shorter base prefix, which acts as a shortcut for renumbering scenarios.


How do you configure an IPv6 general prefix?
Globally:
ipv6 general-prefix name prefix/length

Example:
ipv6 general-prefix GenPfx 2001:db8:1234::/48


How do you configure a more specific IPv6 address based on a general prefix?
Interface:
ipv6 address gen-pfx-name address/length

Example:
Configured general prefix: 2001:db8:1234::/48
ipv6 address GenPfx 0:0:0:5678::1/64
Results in final address 2001:db8:1234:5678::1/64


How do you convert from an IPv4-only VRF to one that supports multiple address families?
vrf upgrade-cli


What is the general premise of both 6PE and 6VPE?
Tunnel IPv6 traffic over MPLS IPv4 core


What is the difference between 6PE and 6VPE?
6PE tunnels IPv6 traffic from the global routing table over the MPLS IPv4 core

6VPE tunnels IPv6 traffic from VRFs over the MPLS IPv4 core using the VPNv6 AF


What is the purpose of creating a static mroute?
To attempt to force multicast traffic to use a different RPF than would otherwise be generated via PIM.


What does HSRP use for transport?
UDP 1985 to 224.0.0.2


UDP 1985 to 224.0.0.2 is associated with what?
HSRP


What is IP Protocol 112?
VRRP


What IP Protocol is used by VRRP?
112


The sending of messages to 224.0.0.18 using IP Protocol 112 is associated with what?
VRRP


Where do VRRP messages get sent to?
224.0.0.18 using IP Protocol 112 for transport


What is associated with IP address 224.0.0.102 port UDP 3222?
GLBP


Where does GLBP send its messages to?
224.0.0.102 UDP 3222


What is the NAT/routing order of operations for inside addressing?
Packets are first routed, and then have sources translated since the destination addresses are global.


What is the NAT/routing order of operations for outside addressing?
Packets have destinations that are untranslated first, so routing occurs after translation, which allows proper routing for returning packets with translated sources.


What is a lightweight keepalive protocol designed to reduce dead peer detection time across Layer 2 networks?
BFD Bidirectional Forwarding Detection


How do you enable BFD on an interface?
Interface:
bfd interval ms min_rx ms multiplier multiplier

Example:
bfd interval 50 min_rx 50 multiplier 5
This causes BFD echoes to be sent at 50ms, and BFD expects to receive the echo back within 50ms. If five consecutive echoes are missed, the upper-layer protocol is notified of the failure.


How do you verify BFD?
show bfd neighbors


How do you register a routing protocol with BFD?
Routing process:
bfd interface interface

or

bfd all-interfaces


What happens if BFD is enabled, but not registered to any upper-layer protocol?
BFD does not detect neighbors, and relies on the neighborship formed by upper-layer protocols. Without the neighborship, BFD is idle.


What features must be disabled for BFD echoes to work?
uRPF and IP redirects must be disabled


True or False: BFD supports both authentication and event dampening.
True, via the BFD authentication and dampening commands


What is a BFD template?
A BFD template is similar to a BGP peer group where you can define common attributes, such as timers, authentication, dampening, and then apply them to an interface via bfd template name


How is the BFD echo setting different for template versus interface configuration?
BFD echo is enabled by default when BFD's parameters are configured directly on the interface, and disabled by default when configured via BFD template.

Enable under the template with the echo command.


What are the two different packet types used by BFD?
Control
Echo


What is the source and destination of BFD echo packets?
The sending device. This allows the receiving device to immediately redirect the packet back out the interface without processing it.


How does the exchange of BFD hello timers between neighbors work?
BFD timers are unidirectional and can differ between neighbors. The local min_tx value is compared against the received min_rx value from the peer, and the higher (slower) value is used as the local router's BFD hello interval.


What are the two types of BGP peer templates?
Peer policy
Peer session


What is the difference between BGP peer policy and peer session templates?
Peer policy templates contain common attributes and filters to be applied to all peer members.

Peer session templates contain common neighbor settings such as timers and remote ASNs to be applied to all peer members.


True or False: A BGP neighbor can both be a member of a peer group and inherit policies from peer templates.
False. BGP can be configured with both peer groups and peer templates, but individual neighbors can be configured only by one method or the other, not both simultaneously.


What is a major advantage of BGP peer templates over peer groups with regard to flexibility?
Unlike peer groups, peer templates can inherit other peer templates.


A BGP peer session template can be applied to which AFI and NLRI configuration modes?
Peer session templates are used to group and apply the configuration of general session commands that are common to all address family and Network Layer Reachability Information (NLRI) configuration modes.


A BGP peer policy template can be applied to which AFI and NLRI configuration modes?
Peer policy templates are used to group and apply the configuration of commands that are applied within specific address-families and NLRI configuration modes.


How do you configure a BGP peer policy or session template?
BGP process:
template {peer-policy | session-policy} name

neighbor ip inherit {peer-policy | session-policy} name


What is the BGP dynamic neighbors feature?
BGP dynamic neighbors allows BGP peering to a group of remote neighbors that are defined by a range of IP addresses and peer groups.


What is the bgp listen command used for?
bgp listen is used to configure the BGP dynamic neighbors feature.


How do you configure BGP dynamic neighbors for a particular subnet?
BGP process:
bgp listen range prefix/length peer-group group

Where prefix/length represents the source IP range of the dynamic neighbors.

Note: this command requires the configuration of a peer-group, with a minimum configuration indicating the remote-as. 


What is the BGP neighbor remote-as alternate-as keyword used for?
With BGP dynamic neighbors, you must configure potential neighbors using a peer-group. With the neighbor peer-group remote-as asn alternate-as as1 as2 as3 as4 as5 command, you can configure a total of six (one regular and five alternate) ASNs from which the dynamic neighbor connection is allowed.


What option controls whether or not a Type 7 LSA is propagated to the rest of the OSPF domain?
The "P" bit (propagate)

This is controlled by various OSPF commands with the nssa-only keyword. With the nssa-only keyword, the Type 7 LSA is not converted to Type 5 at the ABR and remains within the NSSA.


What is the relationship between ARP entries, the switch CAM table, and unicast flooding?
You can reduce unicast flooding by ensuring ARP entries time out before CAM entries, so that the ARP table can be repopulated before the CAM entires expire.


How do you prevent a switch from flooding unknown unicast frames?
Interface:
switchport block unicast


What are two common causes of traffic "microbursts"?
When traffic enters a higher-speed interface and exits a lower-speed interface

When traffic from multiple ports are trying to reach a single port


What is the IP Record Route option?
When the source sets the Record Route IP option, an empty list is created in the header, and each router along the path adds its IPv4 address to the list.


What is the IP Strict Source Route option?
With the strict source route IP option, the sender can specify the complete path the packet must take to reach its destination.


What is the IP Loose Source Route option?
The loose source route IP option allows the sender to specify a list of routers that the packet must pass through toward the destination, though additional unspecified routers may also be in the path.


What is the IP Router Alert option?
The Router Alert option causes each router along the path to examine the packet, even if the router is not the ultimate destination.


How do intermediate IPv6 routers handle packets with extension headers?
Intermediate routers ignore all extension headers, unless the Next Header is set to 0 Hop By Hop Options, in which case all routers along the path examine the extension headers.


How do intermediary devices handle IP packet fragmentation differently for IPv4 and IPv6?
With IPv6, only the sending device may fragment the packet, whereas any device in the path can fragment IPv4 packets unless the DF bit is set.


How does the IP Fragment Offset field work?
The FO field indicates the position of the fragment within the overall packet, with each value representing 8 bytes. If the FO field has a value of 100, it means the fragment begins 800 bytes into the payload.


What ICMP response may be sent if the TTL of a packet reaches 0?
Time Exceeded


What usually triggers the ICMP Time Exceeded message?
When a packet's TTL reaches 0.


What is the TCP window size?
The number of bytes that may be sent before an ACK is required.


What is the bandwidth delay product?
The amount of data that can be in transit at any time between hosts.

BDP is measured as the capacity of the link multiplied by the round-trip delay time.


What is a Long Fat Network?
Networks with large bandwidth delay products, such as high-speed satellite links. These networks have a high bandwidth capacity, but also have large delay values, which can cause issues with TCP windowing.


What causes TCP global synchronization?
Global synchronization occurs due to the combination of TCP slow-start, windowing, and tail-drop queuing on the router. TCP keeps expanding the window size until traffic drops due to link congestion, which begins the slow-start process again. 


How can you alleviate the symptoms of TCP global synchronization?
Congestion avoidance algorithms like WRED randomly drop TCP packets for different TCP sessions, which causes TCP to use slow-start for each session. Since sessions are affected individually instead of simultaneously (as in the case of a tail drop), global synchronization is avoided.


How do you prevent TCP starvation / UDP dominance?
Create separate queues for TCP and UDP traffic.


What does RTP (Real-time Transport Protocol) add over UDP?
Sequence numbers and timestamps which can be used for re-ordering packets if necessary. RTP also conveys the format of the payload carried in the stream.


What is the purpose of RTCP (Real-time Transport Control Protocol)?
RTCP works in conjunction with RTP, and carries additional information about the RTP stream, such as quality and synchronization. The information is provided through Report messages.


How does RTP and RTCP use individual UDP ports?
RTP uses even-numbered ports, and RTCP uses the next-higher odd-numbered port.


What is the StackWise switch responsible for operations referred to as?
Stack Master


What's the primary difference between 6in4 and 6to4?
6in4 relies on static tunnel configuration, and works by encapsulating the IPv6 payload directly after the IPv4 header.

6to4 automatically generates the tunnel endpoints based on the IPv6 address, and uses 6in4 for transport.


What is 6RD?
6RD is IPv6 Rapid Deployment tunneling, which is similar to 6to4, but more flexible.


What are the two main differences between 6RD and 6to4?
6RD does not require addresses to have a 2002::/16 prefix

6RD does not require all 32 bits of the IPv4 destination to be carried in the IPv6 payload header


What is MAC Authentication Bypass?
Switch ports can be protected with 802.1X, but allow devices matching a particular MAC address to bypass the authentication. This is useful for devices like printers.


How does MAC Authentication Bypass work?
When the switch detects a connection from the client device, it uses the MAC address as the client identity and sends the authentication server a RADIUS access/request frame with a username and password based on the MAC address.

This is useful for devices like printers that do not support 802.1X authentication.


What is the BGP Add Path feature?
The BGP Additional Paths feature is a BGP extension that allows the advertisement of multiple paths for the same prefix without the new paths implicitly replacing any previous paths. This behavior promotes path diversity and reduces MED oscillations.


What are the three high-level steps needed to enable BGP add-path?
-Enable the sending and/or receiving of additional paths
-Select the candidate paths to advertise
-Advertise the selected additional paths


What is the neighbor requirement for the BGP add-path feature?
The add-path feature is a negotiated capability. Both BGP neighbors must be explicitly configured to send and/or receive additional paths with the BGP process bgp additional-paths {send [receive] | receive}


What is the basic BGP add-path configuration to accept additional paths, and advertise all available paths?
BGP process:
bgp additional-paths select all
neighbor ip additional-paths send receive
neighbor ip advertise additional-paths all


What is the BGP add-path path identifier?
The BGP Additional Paths feature is implemented by adding a path identifier to each path in the NLRI. The path identifier (ID) can be considered as something similar to a route distinguisher (RD) in VPNs, except that a path ID can apply to any address family. Path IDs are unique to a peering session and are generated for each network. The path identifier is used to prevent a route announcement from implicitly withdrawing the previous one. 


What is the requirement of the multiple available paths for BGP PIC to work?
Each multiple path must have a different next-hop address in order to be considered


How do you enable BGP PIC?
BGP process:
bgp additional-paths install


How does BGP PIC work?
Backup/alternate paths are calculated and stored in the RIB and FIB so that when a failure is detected, the backup path can immediately take over.


With EIGRP, how is FRR different from backups via Feasible Successors?
While EIGRP has fast convergence when feasible successors are present, FRR takes the extra step of calculating a Loop-Free Alternate backup route, which is then entered into the FIB. Feasible Successors must be promoted to the Successor, whereas FRR places the FS into the FIB preemptively. 


How do you enable EIGRP FRR?
Topology base:
fast-reroute per-prefix {all | route-map route-map}


How can you view the list of configured EIGRP LFAs?
show ip eigrp topology frr


How do you enable basic OSPF FRR?
OSPF process:
fast-reroute per-prefix enable area area prefix-priority low


What is OSPF Remote LFA?
Remote LFA uses targeted MPLS LDP sessions to calculate alternate paths if direct LFA does not result in any backups.


How do you enable OSPF Remote LFA?
OSPF process:
fast-reroute per-prefix remote-lfa tunnel mpls-ldp

Requires MPLS with targeted LDP session capability:
Interface: mpls ldp discovery targeted-hello accept


What is BGP ORF?
Outbound Route Filtering is a negotiable capability whereby one neighbor can request only a portion of routes to be received from the other neighbor.


When defining a NAT pool, what does the match-host keyword do?
When the match-host keyword is used, the mapping between the local and global addresses must use the same host number. For example, 10.10.10.5 could match to 20.20.20.5.

The default is rotary


What allows static NAT mappings of one inside local address to multiple inside global addresses?
The extendable keyword:

ip nat inside source static IL IG extendable


How do you configure multiple address ranges in a single NAT pool?
ip nat pool name prefix-length length
  address start end
  address start end


What is the base algorithm for IPv4/IPv6 translation called?
Stateless IP/ICMP Translation (SIIT), formerly NAT-PT


What is the purpose of Stateless IP/ICMP Translation (SIIT)?
To translate IPv4 packets into IPv6, and vice-versa


What happens to the TTL when an IPv4 or IPv6 packet passes through a device performing SIIT?
The IPv4 TTL or IPv6 Hop Limit field is decremented by one since the translator counts as a router


When using SIIT to translate from IPv4 to IPv6, which IPv4 header fields are discarded?
Header Length
Fragment fields (Identification, Flags, Fragment Offset)
Header Checksum
Options / Padding


When SIIT is used to translate from IPv6 to IPv4, which fields are dropped from the IPv6 header?
Only the Flow Label field is discarded, all other IPv6 header fields are translated to the IPv4 header.


With SIIT, how is the Version field in the IPv4 header translated?
The IPv4 Version field value of 4 is changed to the IPv6 Version field value of 6.


With SIIT, how is the ToS field in the IPv4 header translated?
The IPv4 ToS bits are copied to the IPv6 Traffic Class field, or set to 0


With SIIT, how is the Flow Label field in the IPv6 header handled?
IPv4 > IPv6 = 0
IPv6 > IPv4 = Discard


With SIIT, how is the Protocol field in the IPv4 header translated?
The IPv4 value is copied to the IPv6 Next Header field, unless it is for ICMP (IP Protocol 1), in which case the IPv6 Next Header value is 58 (ICMPv6)


With SIIT, how are the Source and Destination fields translated?
The addresses is dependent on the type of translation being performed, such as NAT-PT, MAP-T, or Stateless or Stateful NAT64.


With SIIT, how is the IPv4 Header Length field treated when translating from IPv6 to IPv4?
The Header Length field is set to 5


With SIIT, how is the Traffic Class field in the IPv6 header translated?
The value is copied to the IPv4 ToS bits


With SIIT, how is the IPv4 Payload Length field handled when translating from IPv6?
Add 5 (IPv4 Header Length) to the IPv6 Total Length field


With SIIT, how are the IPv4 Fragment fields handled when translating from IPv6?
Identification = 0
More Fragments = 0
Don't Fragment = 1
Fragment Offset = 0


With SIIT, how is the Next Header field in the IPv6 header translated?
The value is copied to the IPv4 Protocol field, with the following exceptions:

58 (ICMPv6) is changed to 1 (ICMP)
0, 43, 60 = skip to next Next Header value because these extensions are meaningless to IPv4


NAT-PT has been replaced by what?
NAT64


How does NAT64 compare to NAT-PT with regard to DNS?
NAT64 does not support DNS-ALG, and the DNS translation is a separate DNS64 function.


What is a limitation of NAT64 with regard to session initiation?
With NAT64, IPv4 devices cannot initiate sessions to IPv6 devices without a static address mapping in the translator. IPv6 devices can initiate sessions to IPv4 devices, however.


True or False: Both NAT-PT and NAT64 support multicast translation.
False, IP multicast is not yet supported by any translation method.


How does Stateless NAT64 work?
IPv4 addresses are embedded in the IPv6 address. The translator recognizes the address format and converts as appropriate.

The addresses are typically maintained in a DNS64 server, and can be assigned either manually or via DHCPv6.


What is the IPv6 Well-Known Prefix used for IPv4 translation?
64:ff9b::/96

The IPv4 address is encoded into the final 32 bits.


How are locally-designated prefixes used with NAT64?
The IPv6 prefix can be either 32, 40, 48, 56, 64, or 96 bits in length.

The embedded IPv4 address begins directly after the prefix, with the exception of bits 64-71 which are always set to 0 (except for the 96-bit prefix length which does not have any null bits).

With a prefix length of 32, all of the IPv4 address bits come before the null bits 64-71. With a prefix length of 64, all IPv4 address bits are after the null bits. Prefix lengths 40, 48, and 56 divide the IPv4 address bits around the null bits.


What is an advantage of Stateful NAT64 with regard to addressing?
Stateless NAT64 requires a 1:1 mapping between IPv4 and IPv6 addresses. However, Stateful NAT64 can map multiple IPv6 addresses to a single IPv4 address.


Why is it important for BGP to send keepalive messages to ensure the neighbor connection is maintained?
BGP exchanges the entire route table once per session, and only changed information afterward. The keepalive function keeps the session open so that the changed information can be exchanged, instead of the entire routing tabling with each update.


What is the destination address for an IGMP General Query for all three IGMP versions?
224.0.0.1


Which IGMP versions support Report Suppression?
IGMPv1
IGMPv2


Which IGMP versions support group-specific queries?
IGMPv2
IGMPv3


Which IGMP versions support querier elections?
IGMPv2
IGMPv3


Which router is elected the IGMP querier by default?
The router on the segment with the lowest IP address


What is the default IGMP query interval?
60s for all IGMP versions, though the RFC standard is 125s.


What is the default IGMP querier timeout?
120s  (2x query interval)


What is the group address for an IGMP Report for all three IGMP versions?
IGMPv1 = Joining multicast group address
IGMPv2 = Joining multicast group address
IGMPv3 = 224.0.0.22


What is the destination address for the IGMP Leave Group message for all three IGMP versions?
IGMPv1 = not supported
IGMPv2 = 224.0.0.2
IGMPv3 = 224.0.0.22


What is another name for Catalyst protected switch ports?
PVLAN Edge


The VSS Link Management Protocol (LMP) and Role Resolution Protocol (RRP) are two components of which protocol?
Virtual Switch Link Protocol (VSLP)


What are the two subcomponents of the Virtual Switch Link Protocol (VSLP)?
Link Management Protocol (LMP)
Role Resolution Protocol (RRP)


What actions are performed by the VSS Link Management Protocol (LMP)?
Verify VSL link integrity
Reject unidirectional links
Establish bidirectional communication between chassis
Exchange switch IDs for duplicate detection


What actions are performed by the VSS Role Resolution Protocol (RRP)?
Check hardware and software versions
Check VSL configuration compatibility
Assign active and standby virtual switch roles


When configuring a static route, what does the global keyword do?
The global keyword is used in combination with vrf name to indicate that the next hop is in the global IP routing table, not within the specified VRF.


When configuring a static route, what does the permanent keyword do?
The permanent keyword causes the static route to remain in the routing table even if the interface shuts down.


What are the major BGP attributes and their associated categories?


Which Catalyst 3560 queues use Shaped Round Robin?
Egress only


Which Catalyst 3560 queues use Shared Round Robin?
Both egress and ingress


What is the difference between Shared and Shaped Round Robin queuing?
Shared RR guarantees bandwidth but does not limit other queues

Shaped RR guarantees bandwidth and rate-limits other queues even if they are empty


How does the BGP command neighbor ip ttl-security hops hops work?
The hops parameter inverts the TTL. For example, a neighbor that is 4 hops away should have a setting of 251, and a neighbor that is 251 hops away should have a setting of 4.

255 - hops = hops value


Without additional configuration, what is the default version of SNMP used on Cisco IOS?
SNMPv1


Which is performed first, NAT or routing, from the inside to the outside?
Inside = Routing then NAT


Which is performed first, NAT or routing, from the outside to the inside?
Outside = NAT then Routing


What are the names of the nodes in the 3-node OpenStack architecture?
Controller node
Network node
Compute node


What are the three primary causes of unicast flooding?
Asymmetric routing
STP topology changes
Forwarding table overflow


What is contained inside the Cisco ACI Tenant construct?
Contexts


What is a Cisco ACI Context?
A collection of VRFs and IP address spaces. Each ACI Tenant can have one or more contexts, and the EPs and EPGs define the application within each context


What is a Cisco ACI EPG?
End Point Group, a collection of EPs that provide a similar function. EPGs are defined by NIC, vNIC, port group, IP address, and DNS names


What is a Cisco ACI ANP?
Application Network Profile, a collection of EPGs, their connections, and related policies


What is the cluster of controllers that provide a single point of control, a central API, a central repository of global data, and a repository of policy data for Cisco ACI?
Cisco APIC Application Policy Infrastructure Controller


What is the primary function of the Cisco APIC?
To provide policy authority and policy resolution mechanisms for Cisco ACI and devices attached to Cisco ACI.


What is the EPC capture point?
The traffic transit point where a packet is captured and associated with a buffer, such as the IPv4/IPv6 CEF switching path with interface input and output.


What are the two requirements for configuring EPC?
A capture buffer and a capture point need to be defined. The capture point should be associated with the capture buffer.


What are the four major steps of capturing data with EPC?
-Create the buffer (traffic to be captured)
-Define the capture point
-Associate the capture point with the buffer
-Start the capture point (and optionally stop)


How do you configure an EPC capture buffer?
monitor capture buffer name options

options include clearing or exporting the buffer, filtering, and limiting by duration, packet count, packets per second, and size


How do you configure an EPC capture point?
CEF:
monitor capture point {ip | ipv6} cef name interface {in | out | both}

Process Switched:
monitor capture point {ip ipv6process-switched name {in out both from-us}


How do you configure an EPC association?
monitor capture point associate capture-point-name capture-buffer-name


How do you activate an EPC session?
monitor capture point start {capture-point-name | all}

Stop the capture with the same command, replacing start for stop


How do you export an EPC session?
monitor capture buffer name export location


What is the difference between an EEM applet and an EEM script?
An applet is a form of policy defined within the CLI configuration

A script is a form of policy written in TCL


What is the EEM component that monitors the system for particular conditions?
Event Detector, of which there are multiple types (CLI event, IP SLA event, Syslog event, etc).


What is the EEM response to a detected event?
EEM Actions, such as executing particular CLI commands, sending an email, generating SNMP trap, etc.


What is the BGP Site-of-Origin (SoO) attribute?
The SoO is an extended community used to identify routes originating from a particular site for the purpose of preventing readvertisement back into the source site to prevent routing loops.


How does BGP per-neighbor SoO work?
The configuration is performed on the PE router, the VPN entry point, which tags the incoming routes with the SoO extended community. The PE forwards prefixes to the CPE only when the SoO tag of the prefix does not match the SoO tag configured for the CPE.


How do you configure a BGP Site-of-Origin (SoO) value?
neighbor ip soo value

The SoO can also be configured via peer groups and policy templates.


What are the general use cases for the EIGRP Site-of-Origin (SoO) feature?
EIGRP SoO is used for per-site VPN filtering:
-MPLS VPNs with backdoor links
-CE routers dual-homed to different PE routers
-PE routers that support CE routers from different sites in the same VRF


What is the difference between PIMv1 and PIMv2 with regard to transport?
PIMv1 uses IGMP for transport
PIMv2 uses IP Protocol 103


What is the PIM requirement of using BSR?
PIMv2 is required


When calculating the EIGRP classic composite metric, what are the delay values measured in?
10s of µs

1 Gbps = 1  (one 10s of µs)
100 Mbps = 10 (ten 10s of µs)
10 Mbps = 100 (one hundred 10s of µs)


When calculating the EIGRP classic composite metric, how is the delay component calculated?
Sum of delays along the path in 10s of µs, multiplied by 256

Example: one 10 Mbps link + one 1 Gbps link + one 100 Mbps link =
( 100 + 1 + 10 ) * 256 = 28,416    (111 * 256)


When calculating the EIGRP classic composite metric, how is the bandwidth component calculated?
Divide 10,000,000 kbps by the lowest bandwidth link along the path in kbps, then multiply by 256.

Example, if the slowest link in the path is 100 Mbps:

10,000,000 kbps / 100,000 kbps * 256 = 25,600


How does a router handle a packet destined to an IP address belonging to one of its locally-configured interfaces if the TTL is 1?
If the interface is in the Up/Up state, the router identifies the upper-layer protocol and passes the packet to the appropriate upper-layer protocol driver.


What is the default CEF load-sharing method used on the Catalyst 6500?
Source IP, Destination IP, Universal ID


What is included with the mls ip cef load-sharing full command?
Source and Destination Layer 3 and 4 information with multiple adjacencies


What is included with the mls ip cef load-sharing full simple command?
Source and Destination Layer 3 and 4 information without multiple adjacencies


What is included with the mls ip cef load-sharing simple command?
Source and Destination Layer 3 information without multiple adjacencies


What is included with the mls ip cef load-sharing full exclude-port destination command?
This command excludes destination Layer 4 ports and both source and destination IP addresses from the load-balancing algorithm.

This command includes source Layer 4 ports only


What is included with the mls ip cef load-sharing full exclude-port source command?
This command excludes source Layer 4 ports and both source and destination IP addresses from the load-balancing algorithm.

This command includes destination Layer 4 ports only


Why is the DHCPREQUEST packet broadcast from the DHCP client?
DHCPREQUEST is used when a DHCP client has chosen a specific DHCP server. The packet is broadcast instead of unicast so that other DHCP servers can reallocate the IP address they offered to the client.


What is a DHCPDECLINE message?
The DHCPDECLINE message is broadcast from the DHCP client to formally reject a DHCPOFFER from a DHCP server. This packet is usually sent when the IP configuration is not valid for the client.


What is a DHCPNAK message?
The DHCPNAK is broadcast from the DHCP server to inform the DHCP client that the IP address in the previous DHCPREQUEST message is no longer valid for use, which can happen if the client is slow to respond to the server.


What is IPsec Perfect Forward Secrecy (PFS)?
With PFS, each negotiation of a new Phase 2 SA requires regeneration of new Phase 1 Diffie-Hellman keys. This ensures that when the Phase 2 SAs have expired (or need to be re-keyed), new keying material is used in case the old keys have been compromised.

Without PFS, the DH keys calculated during Phase 1 are used over and over again.

PFS is also known as a session key.


What is the primary cause of bandwidth starvation?
Bandwidth starvation occurs when higher-priority queues monopolize an interface's bandwidth so that traffic from lower-priority queues is never sent.


What class of QoS tools mitigate bandwidth starvation?
Queuing


Assuming multiple registered upper-layer protocols, how many sessions does BFD create?
One session per address family per interface, regardless of the number of registered upper-layer protools


When creating a policy map, what unit of value is used when specifying the priority or bandwidth if the percent keyword is not used?
Kbps


When creating a PQ with the priority command, what is the default burst size if not specified?
200ms of traffic at the configured bandwidth rate

Example: priority 1000 sets up a priority queue for 1,000 Kbps, with a burst size of 200,000 bytes


What is indicated by this policy-map command: priority 256 512
A PQ with 256 Kbps guaranteed bandwidth, with a 512 byte burst


What rate values are used with the police command?
The policed rate is defined in bps, and the burst rates are defined in bytes.

Example: police 100000 10000 5000 indicates a rate of 100,000 bps, with a normal burst of 10,000 bytes, and a max burst of 5,000 bytes.


What values are indicated by this command: police 256000 15000 10000
This command indicates a policed rate of 256,000 bps, with a normal burst of 15,000 bytes, and a max burst of 10,000 bytes.


What does the RIP default-information originate on-passive command do?
This command causes a default route to be sent on RIP interfaces marked as passive.


What metrics are monitored by both PfR active and passive mode?
Reachability
Delay


Which PfR mode monitors delay, packet loss, reachability, and throughput?
Passive mode via NetFlow


Which PfR mode monitors delay, jitter, MOS, and reachability?
Active mode via IP SLA


What is the difference between PfR Active mode and Fast mode?
Active mode monitors the active exit path, whereas Fast mode continuously generates IP SLA probes for all possible exit paths.


Within MPLS labels, what is the name of the field that used to be referred to as the EXP bits?
Traffic Class (TC)


What is the MPLS TC field?
Traffic Class, which is a field in the MPLS header/label that used to be referred to as the EXP bits


What are the PfR link policies?
Traffic Load (Utilization)
Range
Cost


What is the PfR traffic load (utilization) policy?
The traffic load (utilization) policy specifies an upper threshold on the amount of traffic that a particular link can carry, and can be defined for both ingress and egress links.


What is the PfR range policy?
The range policy maintains all links within a certain utilization range relative to each other to ensure that the traffic load is distributed.


What is the PfR cost policy?
The cost policy allows you to specify link usage based on the monetary cost of each exit link. The most cost-effective link will be used while remaining within the desired performance level.


What is the IPv6 address range for SSM?
FF3x::/32, where x indicates the scope


What type of IPv6 address is FF30::1/32?
IPv6 Source-Specific Multicast


What are the five IPv6 multicast scopes?
FF01::/16 Node-local
FF02::/16 Link-local
FF05::/16 Site-local
FF08::/16 Organization-local
FF0E::/16 Global


What is the prefix for an IPv6 node-local multicast address?
FF01::/16


What is the prefix for an IPv6 link-local multicast address?
FF02::/16


What is the prefix for an IPv6 site-local multicast address?
FF05::/16


What is the prefix for an IPv6 organization-local multicast address?
FF08::/16


What is the prefix for an IPv6 global multicast address?
FF0E::/16


What type of IPv6 multicast address has the prefix FF01::/16?
node-local


What type of IPv6 multicast address has the prefix FF02::/16?
link-local


What type of IPv6 multicast address has the prefix FF05::/16?
site-local


What type of IPv6 multicast address has the prefix FF08::/16?
organization-local


What type of IPv6 multicast address has the prefix FF0E::/16?
global


What is the prefix range for IPv6 multicast addressing?
FF00 - FFFF

FF00::/8


What is the IPv6 prefix ::FFFF:0:0/96 used for?
IPv4-mapped IPv6 addresses.

Example: 10.10.10.1 = ::FFFF:10.10.10.1


What is the range of IPv6 link-local addresses?
FE80::/10

FE80 - FEBF


What does the IPv6 prefix range of FE80 - FEBF correspond to?
Link-local addressing


What is the prefix range of globally-routable IPv6 addresses?
2000::/3

2000 - 3FFF


What type of IPv6 addresses correspond to a prefix of FC00 - FDFF?
Unique local


What is the range of IPv6 unique local addressing?
FC00::/7

FC00 - FDFF


IPv6 ND packets should be generated with what TTL value?
255 - routers expect to see a value of 255, and drop ND packets that are less.


What is an Ethernet frame with fewer than 64 bytes?
A runt frame. Runt frames are discarded.


What is adaptive cut-through switching?
Adaptive cut-through switching uses an error threshold. Cut-through switching is used until the error threshold is crossed, upon which time the switch reverts to store-and-forward switching. The switch reverts to cut-through switching when the error rate falls below the threshold.


What is the difference between "private" and "virtual private" Metro Ethernet services?
Private is port-based
Virtual-private is a VLAN-based multiplexed service where the virtual circuit is identified by a VLAN ID


What is IEEE 802.1ad?
Q-in-Q


What is the IEEE standard for Q-in-Q?
802.1ad


What is the MEF term for a port-based point-to-point Ethernet virtual circuit?
EPL Ethernet Private Line


What is the MEF term for a VLAN-based point-to-point Ethernet virtual circuit?
EVPL Ethernet Virtual Private Line


What is the MEF term for a port-based multipoint-to-multipoint Ethernet virtual circuit?
EP-LAN Ethernet Private LAN


What is the MEF term for a VLAN-based multipoint-to-multipoint Ethernet virtual circuit?
EVP-LAN Ethernet Virtual Private LAN


What is a MEF EPL?
Ethernet Private Line, a port-based P2P Ethernet virtual circuit which preserves CE-VLAN IDs and associated CoS markings across the EVC


What is a MEF EVPL?
Ethernet Virtual Private Line, a VLAN-based P2P Ethernet virtual circuit which allows service multiplexing and CoS parameters assigned per-EVC. CE-VLAN IDs and associated CoS markings do not have to be preserved across the EVC, meaning C-VLAN rewrite operations are permitted.


What is a MEF EP-LAN?
Ethernet Private LAN, a port-based MP2MP EVC where every node has "root" status and can talk to every other node directly. CE-VLAN IDs and CoS values are preserved across the service.


What is a MEF EVP-LAN?
Ethernet Virtual Private LAN, a VLAN-based MP2MP service where every node is set to "root" status and can talk to every other node directly. Bundling and service multiplexing are possible, and C-VLAN IDs and CoS values do not require preservation across the service.


When using EIGRP as the MPLS PE-CE routing protocol, what causes EIGRP routes to be internal or external between sites?
EIGRP routes are considered internal between sites if the EIGRP ASN matches, otherwise the routes are considered external.


What is the MPLS L3VPN EIGRP pre-bestpath Point of Insertion (POI)?
The POI is automatically configured when using EIGRP for the PE-CE routing protocol, and is set when EIGRP is redistributed into BGP. The POI compares EIGRP metrics before BGP makes a best path decision.


What is the difference between NBAR active and passive mode?
Active mode is configured within a class-map with match protocol

Passive mode is configured directly on an interface with ip nbar protocol-discovery


When does an IP SLA operation begin if the scheduling start-time is not specified?
The IP SLA operation is automatically scheduled in a "pending" state and is essentially configured but suspended. The operation will never start unless start-time is explicitly configured.


What is the default lifetime of a scheduled IP SLA operation if not specified?
One hour (3600 seconds)


What is the default IP SLA operation frequency, if not specified?
Every 60 seconds


How do you capture multicast packets with EPC?
The capture point must be process-switched on the ingress direction:

monitor capture point ip process-switched buffer in


What are the five high-level steps of configuring Cisco Performance Monitor?
Create a flow record
Configure a flow monitor
Create one or more classes
Create a policy
Associate the policy with an interface


With Cisco Performance Monitor, how do you configure a flow record?
flow record type performance-monitor

You then define interesting traffic with match and what particular statistics to collect with collect


With Cisco Performance Monitor, how do you configure a flow monitor?
flow monitor type performance-monitor

The flow monitor is used to associate a flow record with a flow exporter


With Cisco Performance Monitor, how do you configure a performance monitor policy?
policy-map type performance-monitor

The policy-map associates the class with a flow monitor


What is the final step in implementing Cisco Performance Monitoring?
Associate the performance monitor policy with an interface:
service-policy type performance-monitor


What are the decimal values for the corresponding eight Class Selector / IP Precedence values?
0 CS0 / Routine
8 CS1 / Priority
16 CS2 / Immediate
24 CS3 / Flash
32 CS4 / Flash Override
40 CS5 / Critical
48 CS6 / Internetwork Control
56 CS7 / Network Control

NIC-F-FIPR


What is Cisco Managment Plane Protection (MPP)?
MPP restricts the interfaces and protocols for which remote administration can be performed. Management protocols not permitted by the MPP policy, or received on a non-mangement interface, are dropped.


How do you configure Management Plane Protection (MPP)?
control-plane host
  management-interface interface allow protocol1 protocol2...

Example:
management-interface g0/1 allow ssh snmp


What is the requirement of IS-IS System IDs for router adjacencies?
System IDs must be unique within an area for L1 adjacency, and must be unique within the domain for L2 adjacency.

IS-IS will not establish an adjacency between two routers with the same System ID.


What is the order of operations for NAT inside-to-outside translation?
-If IPSec then check input access list
-decryption
-check input access list
-check input rate limits
-input accounting
-redirect to web cache

-policy routing
-routing
-NAT inside to outside (local to global translation)

-crypto (check map and mark for encryption)
-check output access list
-inspect (Context-based Access Control (CBAC))
-TCP intercept
-encryption
-Queueing


What is the order of operations for NAT outside-to-inside translation?
-If IPSec then check input access list
-decryption
-check input access list
-check input rate limits
-input accounting
-redirect to web cache

-NAT outside to inside (global to local translation)
-policy routing
-routing

-crypto (check map and mark for encryption)
-check output access list
-inspect (Context-based Access Control (CBAC))
-TCP intercept
-encryption
-Queueing


With inside-to-outside (local to global) NAT, which is performed first, routing or NAT?
Route first, then NAT


With outside-to-inside (global to local) NAT, which is performed first, routing or NAT?
NAT first, then routing


Which CEF load-sharing algorithm is appropriate for environments with a small number of source and destination pairs?
ip cef load-sharing algorithm tunnel


EEM publishes events to which subsystem number?
798


What is the IOS Watchdog System Monitor used for?
Monitoring memory and processor usage


How can you determine which EIGRP neighbors have not yet responded to a Query?
show ip eigrp topology active


What is the difference between the ip options drop and ip options ignore commands with regard to downstream devices?
With ip options ignore the router does not process any options that may be present in the IPv4 header, but keeps the options in the header when sending the packet onward.

The ip options drop command causes the router to discard any packets with options set in the IPv4 header, and therefore downstream devices will not receive these packets.


What is the use case and caveat for configuring ip options {ignore | drop}?
Both versions of the command protect the router from exploits based on IPv4 header options, but breaks certain control plane protocols like RSVP and IGMPv2.

The drop option also protects downstream devices by discarding packets with options present in the IPv4 header.


What happens if both ip options drop and ip options ignore are configured on a router?
The ip options ignore command takes precedence.


When issuing the show ip nhrp detail command, what does the authoritative flag indicate?
The mapping was obtained directly from the next-hop router or server.


When issuing the show ip nhrp detail command, what does the implicit flag indicate?
The mapping was obtained from an NHRP resolution request or packet.


When issuing the show ip nhrp detail command, what does the local flag indicate?
The mapping is for networks that are local to the router.


When issuing the show ip nhrp detail command, what does the nat flag indicate?
The remove device supports NHRP NAT extensions


When issuing the show ip nhrp detail command, what does the negative flag indicate?
A mapping could not be obtained for negative caching.


When issuing the show ip nhrp detail command, what does the registered flag indicate?
The mapping was created in response to an NHRP registration


When issuing the show ip nhrp detail command, what does the router flag indicate?
The mappings for a remote router are marked with the router flag.


When issuing the show ip nhrp detail command, what does the unique flag indicate?
The mapping cannot be overwritten by a different NBMA entry with the same IP address.


When issuing the show ip nhrp detail command, what does the used flag indicate?
Data packets are being process-switched for the given mapping.


When issuing the show ip nhrp detail command, which flag indicates that the mapping was obtained directly from the next-hop router or server?
authoritative


When issuing the show ip nhrp detail command, which flag indicates the mapping was obtained from an NHRP resolution request or packet?
implicit


When issuing the show ip nhrp detail command, which flag indicates the mapping is for networks that are local to the router?
local


When issuing the show ip nhrp detail command, which flag indicates the remote device supports NHRP NAT extensions?
nat


When issuing the show ip nhrp detail command, which flag indicates that a mapping could not be obtained for negative caching?
negative


When issuing the show ip nhrp detail command, which flag indicates the mapping was created in response to an NHRP registration?
registered


When issuing the show ip nhrp detail command, which flag indicates the mappings for a remote router are marked with the router flag?
router


When issuing the show ip nhrp detail command, which flag indicates the mapping cannot be overwritten by a different NBMA entry with the same IP address?
unique


When issuing the show ip nhrp detail command, which flag indicates data packets are being process-switched for the given mapping?
used


When an IS-IS L1 router receives an IIH packet on a network segment, what five things are verified before forming an adjacency?
Network type
Routing level
Area
MTU
Authentication


When an IS-IS L2 router receives an IIH packet on a network segment, what four things are verified before forming an adjacency?
Network type
Routing level
MTU
Authentication

L2 does not require the Area to match, unlike L1


What happens if an IS-IS router configured for the broadcast network type on a link receives a point-to-point IIH packet?
P2P IIH packets are ignored on broadcast network types, and vice-versa.

The network type (broadcast or P2P) must match between routers for an adjacency to form.


What happens if the IS-IS process no hello padding or interface no isis hello padding command is configured?
IIH packets are padded to the full MTU size by default. If either of these commands are configured, only the first five IIH packets are padded (for the purposes of forming a neighbor adjacency).


If two IS-IS neighbors fail to form either an L1 or L2 adjacency, what might be the results of the show clns neighbors command?
The two routers may still form an ES-IS adjacency.


How long do incomplete ARP entries remain in the ARP and CEF adjacency tables?
60 seconds


Why is CEF required for MPLS on Cisco platforms?
The LFIB is derived from information in the FIB (CEF table) and the LIB.


How are local host routes handled during redistribution?
Local host routes (/32 and /128) cannot be redistributed into a dynamic routing protocol.

A Local host route is marked as "L" in the output of show ip route

Connected /32 and /128 routes can be redistributed.


When configuring logging for an ACL, what does the log-input keyword provide that the log keyword does not?
log-input provides all of the details provided by the log keyword, but adds source MAC and ingress interface information.


What is IGMPv3 source filtering?
IGMPv3 source filtering enables a multicast receiver to signal to a router which groups it wants to receive multicast traffic from, and from which sources the traffic is expected.


What are the two IGMPv3 source filtering modes?
INCLUDE, where the receiver joins a group and lists the IPs from which it wants to receive traffic

EXCLUDE, where the receiver joins a group and lists the IPs from which id does not want to receive traffic (an empty EXCLUDE list indicates all sources are acceptable)


Which end of a serial link must provide clocking?
DCE data communications equipment


Which end of a serial link receives the clocking information?
DTE data terminal equipment


How do you determine if a serial interface is the DCE or DTE end?
show controllers serial


What's the difference between the switchport port security violation modes?
Protect: silently discard offending traffic

Restrict: discard offending traffic, log, SNMP trap, increment SecurityViolation counter

Shutdown: discard offending traffic, log, SNMP trap, increment SecurityViolation counter, err-disable port


When switchport port-security is configured, what is the default violation action if not configured?
shutdown

The port is err-disabled.


With EEM, what's the difference between the sync yes and sync no keywords?
When sync yes is configured with the event cli command, the event is processed synchronously, which means the EEM applet must finish before the CLI command can be executed. With sync no the CLI command is executed immediately.


With EEM, when configuring asynchronous processing with the sync no keyword, what other keyword must also be included?
skip no or skip yes which indicates whether or not the detected CLI event should be executed.


With EEM, when using synchronous processing, what determines if the CLI event is executed or not?
set num _exit_status {0 | 1}

When set to 0, the detected CLI command is skipped. When set to 1, the CLI command is executed.


What MAC address does IS-IS use to send to All Intermediate Systems?
0900.2B00.0005


What MAC address does IS-IS to send to All End Systems?
0900.2B00.0004


What is associated with the MAC address 0900.2B00.0005?
IS-IS All Intermediate Systems


What is associated with the MAC address 0900.2B00.0004?
IS-IS All End Systems


Which routing protocols are used with PfR PIRO (Protocol Independent Routing Optimization)?
OSPF and IS-IS


What is PfR PIRO (Protocol Independent Routing Optimization)?
When PfR modifies a path for a traffic class, it searches for a parent route (exact or less-specific) in the order of BGP RIB, EIGRP RIB, static route RIB.

With PIRO, PfR can also examine the RIBs of OSPF and IS-IS after BGP, EIGRP, and static RIBs have been searched.


What two additional TLVs are advertised by LLDP to support LLDP-MED?
Port VLAN ID
MAC/PHY Configuration Status


Why would LLDP advertise the additional TLVs, Port VLAN ID and MAC/PHY configuration status?
To advertise support for LLDP-MED


What are the five TLVs advertised by LLDP-MED?
LLDP-MED Capabilities
Network policy
Power management
Inventory Management
Location


How does EIGRP auto-summary work with external routes?
EIGRP External routes are not automatically summarized unless there is an internal route within the same classful network.


What are the three main methods of transport for NETCONF?
SSH support is required
TLS
SOAP


What is NPTv6?
Network Prefix Translation v6

NPTv6 translates unique IPv6 prefixes to other unique IPv6 prefixes and creates a one-to-one relationship between addresses on each side of the translating device. NTPv6 does not modify the interface identifier portion of an IPv6 address.


How do you configure the IOS Master Key feature?
Globally:
key config-key password-encryption key-string
password encrpytion aes

All plaintext keys are now stored in secure Type 6 format.


Which LISP component stores the registered EID prefixes?
The MS (Map Server) contains the mapping database of EID-to-RLOC mappings.


What is the function of the LISP Map Resolver (MR)?
The MR receives map-request queries from LISP site Ingress Tunnel Routers (ITRs) when they attempt to populate the local map-cache of resolved EID-to-RLOC mappings.


What is a LISP ITR, ETR, and xTR?
ITR Ingress Tunnel Router receives packets from internal hosts and forwards them to external sites.

ETR Egress Tunnel Router receives packets from external sites and forwards them to internal hosts.

Edge devices performing both duties are xTRs.


Which LISP device receives packets from internal hosts and forwards them to external sites?
ITR Ingress Tunnel Router


Which LISP device receives packets from external sites and forwards them to internal hosts?
ETR Egress Tunnel Router


True or False: LISP must be running on both ends of a tunnel.
False: LISP is designed to communicate with networks that are not using LISP.


How do you add timestamps to log entries?
Globally:
service timestamps log {uptime | datetime}


With Cisco IOS, at which logging level are error messages about software or hardware malfunctions indicating functionality of the device is affected logged at?
4 Warning
3 Errors
2 Critical
1 Alerts
0 Emergencies


With Cisco IOS, at which logging level are interface up/down and system restart messages logged at?
5 Notifications


With Cisco IOS, at which logging level are reload requests and low-process stack messages logged at?
6 Informational


With Cisco IOS, what is logged by default at the 4 Warning - 0 Emergencies level?
Error messages about software or hardware malfunctions that affect functionality of the device


With Cisco IOS, what is logged by default at the 5 Notifications level?
Interface up/down transitions and system restart messages


With Cisco IOS, what is logged by default at the 6 Informational level?
Reload requests and low-process stack messages


How can you enable ECMP with multicast routing?
Globally:
ip multicast multipath [s-g-hash {basic | next-hop-based}]


When configuring multicast routing ECMP, what three load splitting options are available?
Configuring ip multicast multipath without keywords performs load splitting based on the source address only.

s-g-hash basic where a simple hash is performed on both the source and group address

s-g-hash next-hop-based where a hash is performed on the source, group, and next-hop addresses


What are the two different operating modes of BFD?
Asynchronous
Demand


What is BFD Asynchronous mode?
With asynchronous mode, BFD control packets are sent frequently, and if control packets are not received from a neighbor in a timely fashion, the neighbor is assumed to be down.


What is BFD Demand mode?
With demand mode, the system can ask neighbors to stop sending BFD control packets except when necessary, which allows BFD to support a large number of sessions at the expense of slower failure detection.


With BFD, what is an advantage of using Asynchronous mode for failure detection?
Asynchronous mode requires half as many packets to detect a failure as compared to the Echo function (which can be used with either Asynchronous or Demand mode)


What is the default order of the OSPF LFA FRR path selection policy when a primary path fails?
SRLG
Primary path
Interface disjoint
Lowest metric
Linecard disjoint
Node protecting
Broadcast interface disjoint


What are the two mandatory and four optional components of an EEM policy?
Mandatory:
-Event register keyword
-Body

Optional:
-Environmental must defines
-Namespace import
-Entry status
-Exit status


With an IPsec VPN, where can you configure the tunnel mode auto command?
tunnel mode auto can be used on the responder's tunnel interface to automatically use GRE or IPsec encapsulation depending on the parameters sent by the tunnel initiator. 


What is the default TCP MSS value when a Cisco router originates data destined for a remote network?
536 bytes


What is the 7-byte format for the client-identifier command for DHCP pools?
DHCP pool:
client-identifier 01aa.aabb.bbcc.cc

Where 01 identifies Ethernet media, and aa.aabb.bbcc.cc is the client's MAC address.


How do you change the key to be pressed to initiate terminal access?
Line configuration mode:
activation-character ascii-code

The default is 13, which is the Enter key.


With RIP triggered extensions, what causes the full RIP database to be sent?
When the router is first powered on
When the router receives a specific request for the full routing table


With RIP triggered extensions, when is a partial RIP database sent?
When the configured interface comes up or goes down
When information from another interface modifies the routing table


What is the default hello time for the OSPF broadcast network type?
10s


What is the default hello time for the OSPF point-to-point network type?
10s


What is the default hello time for the OSPF nonbroadcast network type?
30s


What is the default hello time for the OSPF point-to-multipoint network type?
30s


What is the default hello time for the OSPF point-to-multipoint nonbroadcast network type?
30s


How do you prevent OSPF from performing "PE checks"?
The capability vrf-lite command issued inside OSPF VRF configuration mode causes OSPF to ignore the DN bit and domain tag.


What is the OSPF DN bit?
When OSPF is used as the MP-BGP PE-CE routing protocol, this bit is set when the VPNv4 routes are redistributed back into OSPF for Type 3, 5 and 7 LSAs. When the LSAs are to be redistributed back into VPNv4 (such as when a site is multihomed to the same SP), LSAs with the DN bit are not considered for the OSPF route calculation to prevent loops.


What is the OSPF Domain Tag?
When OSPF is used as the MP-BGP PE-CE routing protocol, the Domain Tag is set for external routes (Type 5 and Type 7) when redistributing VPNv4 routes into OSPF. This tag is then examined upon redistribution from OSPF back into VPNv4 and routes are not redistributed if the domain tag matches.


When do you need to use the OSPF capability vrf-lite command?
When using OSPF inside VRFs that are not redistributing into BGP. The capability vrf-lite command disables the PE checks, causing the router to ignore the DN bit and domain tag present in any LSAs.


What are the three fields of a Route Distinguisher?
2-byte Type field
Administrator field
Assigned number field


What are the three types of Route Distinguisher?
Type 0: ASN:nn
Type 1: IP:nn
Type 2: 4-byte ASN:nn


What is the format of the Type 0 RD?
ASN:nn where ASN is a 16-bit value, and nn is a 32-bit value


What is the format of a Type 1 RD?
IP:nn where IP is a 32-bit value, and nn is a 16-bit value


What is the format of a Type 2 RD?
4-byte ASN:nn where ASN is a 32-bit value, and nn is a 16-bit value


What is another name for BGP ASN 23456?
AS_TRANS, which is used by BGP router supporting 4-byte ASNs to peer with BGP routers that only support 2-byte ASNs.


What are the new optional transitive BGP PAs used to support 32-bit ASN?
AS4_PATH, which is used if any of the ASNs in the path are newer 4-byte ASNs

AS4_AGGREGATOR may also be present


How does a BGP router supporting only 2-byte ASNs peer with one that has a 4-byte ASN?
The router supporting only 2-byte ASNs peers with ASN 23456


What is the default BGP 4-byte ASN display format in Cisco IOS, and how do you change it?
asplain is the default format, where the ASN is a 32-bit decimal value

BGP process:
bgp asnotation dot 

This changes the display to two 16-bit decimal values separated by a dot.


How is the RP for PIM BiDir different than for PIM-SM?
With PIM-SM, the RP is responsible for the registration process and creation of source trees between multicast sources and the RP. PIM BiDir does not use either of those functions, so the RP is merely a meeting point and can be any arbitrary routable (reachable) IP address. It does not need to be a multicast router.


Why would you use BFD instead of OSPF Fast Hellos to detect a failed link in less than one second?
With OSPF Fast Hellos, the Dead interval is fixed at one second. This means the failure detection time will always be a minimum of one second, and never sub-second as in the case of BFD.


What are the three methods of plaintext authentication in IS-IS?
Interface: isis password
Area: area-password
Domain: domain-password


How do you configure plaintext authentication for IS-IS hellos?
Interface:
isis password password [level-1 | level-2]

If not specified, the password is used for both levels.


How do you configure plaintext authentication for IS-IS L1 LSPs, CSNPs, and PSNPs?
IS-IS process:
area-password password


How do you configure plaintext authentication for IS-IS L2 LSPs, CSNPs, and PSNPs?
IS-IS process:
domain-password password


What is the default seed metric of routes redistributed into EIGRP if the source protocol does not have a compatible metric, such as RIP and OSPF?
Infinite

The metric must be set during redistribution or with the default-metric command.


What type of IS-IS neighbor adjacency is formed between two routers connected to the same IP subnet where the NET of one router is 45.1234.000a.0003.00 and the other is 49.4567.0000.0000.000b.00 when all other settings are at their defaults on Cisco IOS?
The two routers are considered to be in different areas, and with the default setting of L1/L2, a L2 IS-IS adjacency is formed.


How does 802.1X multi-host mode work?
With multi-host mode, you can attach multiple hosts to a single 802.1X-enabled port. Only one of the attached supplications must be authorized for all supplicants to be granted access. If the port becomes unauthorized for any reason, access is denied to all attached supplicants.


What is the IPv6 fragment header?
A 64-bit header used by an IPv6 source to indicate that a packet exceeds the path MTU size.


Which VSS VSLP subprotocol is responsible for exchanging switch IDs, verifying link integrity, rejecting unidirectional links, and establishing communication between chassis?
LMP Link Management Protocol


Which VSS VSLP subprotocol is responsible for checking VSL configurations for compatibility, checking hardware and software version compatibility, and assigning the active/standby virtual switch roles?
RRP Role Resolution Protocol


What specific value in an MPLS label indicates it is the last label in a stack?
The S bit (Bottom of Stack field) is set to 1 to indicate it is the last label in the stack.


What is the VRF VPN ID?
The VPN ID is a standards-based (RFC 2685) method of identifying a VRF on a router, which is independent of the assigned VRF name.

The VPN ID format is a 3-byte OUI, and a 4-byte VPN index, separated by a colon. The VPN ID can be used with other services such as DHCP and RADIUS.

Configured under the VRF:
vpn id oui:vpn-index


When a switch running STP receives a BPDU with the TC bit set, what is the CAM aging time adjusted to?
Forward delay, 15 seconds by default


How do you apply a QoS policy-map to a DMVPN spoke?
Create an NHRP group on the interface:
ip nhrp group name

Assign the group to the policy-map on the interface:
ip nhrp map group name service-policy output policy-map

Only the output direction is supported.


What MAC address is used by LLDP?
0180.C200.000E


What technology uses the MAC address 0180.C200.000E?
LLDP


What is the MAC address used by 802.1X?
0180.C200.0003


What technology uses the MAC address 0180.C200.0003?
802.1X


What is the Cisco term "Fog" computing?
Associated with IoT, some devices generate a very large amount of telemetry data. With Fog Computing, the data is collected and analyzed locally, and the most important information is then passed onto the cloud.


What is the difference between BPDU Guard and Loop Guard with how ports react to error conditions?
BPDU Guard errdisables the interface when BPDUs are received. 

Loop Guard suspends the port in a "loop-inconsistent" state when BPDUs stop being received, but automatically transitions the port back into the normal STP states when BPDUs arrive again.


What is included with the TCP small servers feature?
Discard (TCP 9)
Echo (TCP