Answer: A,B 

Explanation: 

While stateful and stateless NAT64 perform the task of translating IPv4 packets into IPv6 packets and vice

versa, there are important differences. The following

table provides a high-level overview of the most relevant differences.

Table 2. Differences Between Stateless NAT64 and Stateful NAT64

Stateless NAT64 Stateful NAT64

1:1 translation 1:N translation

No conservation of IPv4 address Conserves IPv4 address

Assures end-to-end address Uses address overloading, hence transparency and scalability lacks in endto-

end address transparency

No state or bindings created on the State or bindings are created on every translation unique translation

Requires IPv4-translatable IPv6 No requirement on the nature of IPv6 addresses assignment (mandatory

address assignment requirement)

Requires either manual or DHCPv6 Free to choose any mode of IPv6 based address assignment for IPv6

address assignment viz. Manual, hosts DHCPv6, SLAAC Reference: http://www.cisco.com/c/en/us/

products/collateral/ios-nx-os-software/enterprise-ipv6- solution/white_paper_c11-676277.html

Answer: B,C,D 

Explanation: 

TCP Selective Acknowledgment

The TCP Selective Acknowledgment feature improves performance if multiple packets are lost from one

TCP window of data.

Prior to this feature, because of limited information available from cumulative acknowledgments, a TCP

sender could learn about only one lost packet per-round-trip

time. An aggressive sender could choose to resend packets early, but such re-sent segments might have

already been successfully received.

The TCP selective acknowledgment mechanism helps improve performance. The receiving TCP host

returns selective acknowledgment packets to the sender,

informing the sender of data that has been received. In other words, the receiver can acknowledge packets

received out of order. The sender can then resend only

missing data segments (instead of everything since the first missing packet).

Prior to selective acknowledgment, if TCP lost packets 4 and 7 out of an 8-packet window, TCP would

receive acknowledgment of only packets 1, 2, and 3. Packets

4 through 8 would need to be re-sent. With selective acknowledgment, TCP receives acknowledgment of

packets 1, 2, 3, 5, 6, and 8. Only packets 4 and 7 must be

re-sent.

TCP selective acknowledgment is used only when multiple packets are dropped within one TCP window.

There is no performance impact when the feature is

enabled but not used. Use the ip tcp selective-ack command in global configuration mode to enable TCP

selective acknowledgment.

Refer to RFC 2021 for more details about TCP selective acknowledgment.

TCP Time Stamp

The TCP time-stamp option provides improved TCP round-trip time measurements. Because the time

stamps are always sent and echoed in both directions and the time-stamp value in the header is always

changing, TCP header compression will not compress the outgoing packet. To allow TCP header

compression over a serial link, the TCP time-stamp option is disabled. Use the ip tcp timestamp command

to enable the TCP time-stamp option.

TCP Explicit Congestion Notification

The TCP Explicit Congestion Notification (ECN) feature allows an intermediate router to notify end hosts of

impending network congestion. It also provides enhanced support for TCP sessions associated with

applications, such as Telnet, web browsing, and transfer of audio and video data that are sensitive to delay

or packet loss. The benefit of this feature is the reduction of delay and packet loss in data transmissions.

Use the ip tcp ecn command in global configuration mode to enable TCP ECN.

TCP Keepalive Timer

The TCP Keepalive Timer feature provides a mechanism to identify dead connections. When a TCP

connection on a routing device is idle for too long, the device sends a TCP keepalive packet to the peer

with only the Acknowledgment (ACK) flag turned on. If a response packet (a TCP ACK packet) is not

received after the device sends a specific number of probes, the connection is considered dead and the

device initiating the probes frees resources used by the TCP connection. Reference: http://www.cisco.com/

c/en/us/td/docs/ios-xml/ios/ipapp/configuration/xe-3s/asr1000/iap-xe-3s-asr1000-book/iap-tcp.html#GUID-22A82C5F-631F-4390-9838-F2E48FFEEA01

Answer: B 

Explanation: 

A new interface configuration command, dialer persistent, allows a dial-on-demand routing (DDR) dialer

profile connection to be brought up without being triggered by interesting traffic. When configured, the dialer persistent command starts a timer when the dialer interface starts up and starts the connection when the timer expires. If interesting traffic arrives before the timer expires, the connection is still brought up and set as persistent. The command provides a default timer interval, or you can set a custom timer interval. To configure a dialer interface as persistent, use the following commands beginning in global configuration mode:

Command Purpose

Step 1 Router(config)# interface dialer Creates a dialer interface and number enters interface

Configuration mode.

Step 2 Router(config-if)# ip address Specifies the IP address and mask address mask of the dialer

interface as a node in the destination network to be called.

Step 3 Router(config-if)# encapsulation Specifies the encapsulation type.

type

Step 4 Router(config-if)# dialer string Specifies the remote destination to dial-string class class-name call

and the map class that defines characteristics for calls to this destination.

Step 5 Router(config-if)# dialer pool Specifies the dialing pool to use number for calls to this destination.

Step 6 Router(config-if)# dialer-group Assigns the dialer interface to a group-number dialer group.

Step 7 Router(config-if)# dialer-list Specifies an access list by list dialer-group protocol protocol- number or

by protocol and list name {permit | deny | list number to define the interesting access-list-number} packets that can trigger a call. Step 8 Router(config-if)# dialer

(Optional) Specifies the remote-name user-name

authentication name of the remote router on the destination subnetwork for a dialer interface.

Step 9 Router(config-if)# dialer Forces a dialer interface to be persistent [delay [initial] connected at all

times, even in seconds | max-attempts the absence of interesting traffic.

number]

Reference:

http://www.cisco.com/c/en/us/td/docs/ios/dial/configuration/guide/12_4t/dia_12_4t_book/dia_dia

ler_persist.html

Answer: B 

Explanation: 

show flow exporter exporter-name (Optional) Displays the current status of the specified flow exporter.

Example:

Device# show flow exporter

FLOW_EXPORTER-1

Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/fnetflow/configuration/15-mt/cfg-de- fnflowexprts.

html

Answer: A 

Explanation: 

Answer: B 

Explanation: Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a virtual

private network (VPN) supported on Cisco IOS-based routers and Unix-like Operating Systems based on

the standard protocols, GRE, NHRP and IPsec. This DMVPN provides the capability for creating a

dynamic-mesh VPN network without having to pre-configure (static) all possible tunnel end-point peers,

including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key

Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by

statically configuring the hubs (VPN headends) on the spokes, no change in the configuration on the hub is

required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be

dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This

dynamic-mesh capability alleviates the need for any load on the hub to route data between the spoke

networks. DMVPN is combination of the following technologies:

Multipoint GRE (mGRE)

Next-Hop Resolution Protocol (NHRP)

Dynamic Routing Protocol (EIGRP, RIP, OSPF, BGP)

Dynamic IPsec encryption

Cisco Express Forwarding (CEF)

Reference: http://en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network

Topic 5, Infrastructure Security 

53. Which traffic does the following configuration allow? 

ipv6 access-list cisco 

permit ipv6 host 2001:DB8:0:4::32 any eq ssh 

line vty 0 4 

ipv6 access-class cisco in 

A. all traffic to vty 0 4 from source 2001:DB8:0:4::32 

B. only ssh traffic to vty 0 4 from source all 

C. only ssh traffic to vty 0 4 from source 2001:DB8:0:4::32 

D. all traffic to vty 0 4 from source all 

Answer: C 

Explanation: 

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the

network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can

negatively affect other functions of the network device. There are two primary factors that contribute to the

CPU load increase from ACL logging: process switching of packets that match log-enabled access control

entries (ACEs) and the generation and transmission of log messages. Reference: http://www.cisco.com/

web/about/security/intelligence/acl-logging.html#4

Answer: C 

Explanation: 

The debug ip packet command generates a substantial amount of output and uses a substantial amount of

system resources. This command should be used with caution in production networks. Always use with the access-list command to apply an extended ACL to the debug output. Reference: http://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

Answer: C 

Explanation: 

OSPFv3 uses link-local IPv6 addresses for neighbor discovery and other features, so if any IPv6 traffic

filters are implemented be sure to include the link local address so that it is permitted in the filter list.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx- os/unicast/configuration/

guide/l3_cli_nxos/l3_ospfv3.html

Answer: B 

Explanation: 

Autoconfiguration is performed on multicast-enabled links only and begins when a multicastenabled

interface is enabled (during system startup or manually). Nodes (both, hosts and routers) begin

the process by generating a link-local address for the interface. It is formed by appending the interface

identifier to well-known link-local prefix FE80 :: 0. The interface identifier replaces the right-most zeroes of

the link-local prefix. Before the link-local address can be assigned to the interface, the node performs the

Duplicate Address Detection mechanism to see if any other node is using the same link-local address on

the link. It does this by sending a Neighbor Solicitation message with target address as the "tentative"

address and destination address as the solicited-node multicast address corresponding to this tentative

address. If a node responds with a Neighbor Advertisement message with tentative address as the target

address, the address is a duplicate address and must not be used. Hence, manual configuration is

required. Once the node verifies that its tentative address is unique on the link, it assigns that link-local

address to the interface. At this stage, it has IP-connectivity to other neighbors on this link. The

autoconfiguration on the routers stop at this stage, further tasks are performed only by the hosts. The

routers will need manual configuration (or stateful configuration) to receive site-local or global addresses.

The next phase involves obtaining Router Advertisements from routers if any routers are present on the

link. If no routers are present, a stateful configuration is required. If routers are present, the Router

Advertisements notify what sort of configurations the hosts need to do and the hosts receive a global

unicast IPv6 address. Reference: https://sites.google.com/site/amitsciscozone/home/important-tips/ipv6/

ipv6-stateless- autoconfiguration