1. Into which two types of areas would an area border router (ABR) inject a default route? (Choose two.)
A. the autonomous system of a different interior gateway protocol (IGP)
B. area 0
C. totally stubby
D. NSSA
E. stub
F. the autonomous system of an exterior gateway protocol (EGP)
Answer: CE

2. Refer to the exhibit. If VLAN 21 does not exist before typing the commands, what is the result of the configuration applied on switch SW1?
 
A. A new VLAN 21 is created and port 0/8 is assigned to that VLAN.
B. A new VLAN 21 is created, but no ports are assigned to that VLAN.
C. No VLAN 21 is created and no ports are assigned to that VLAN.
D. Configuration command vlan database should be used first to create the VLAN 21.
Answer: A

3. Which three statements are true regarding Cisco IOS Firewall configurations? (Choose three.)
A. An IP inspection rule can be applied in the inbound direction on a secured interface.
B. An IP inspection rule can be applied in the outbound direction on an unsecured interface.
C. An ACL that is applied in the outbound direction on an unsecured interface must be an extended ACL.
D. An ACL that is applied in the inbound direction on an unsecured interface must be an extended ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco IOS Firewall, an IP inspection rule must be applied to the secured interface.
Answer: ABD

4. The ip inspect inspection-name {in | out} command is used to configure which IOS security feature?
A. IPS
B. IPsec site-to-site VPN
C. Cisco IOS Firewall
D. Cisco AutoSecure
E. IDS
F. Easy VPN
Answer: C

5. Refer to the exhibit. Which statement about this configuration is true?
 
A. ACL 101 needs to have at least one permit statement in it or it will not work properly.
B. The ip inspect test out command needs to be used instead of the ip inspect test in command to make the configuration work.
C. Ethernet 0 is the trusted interface and Ethernet 1 is the untrusted interface.
D. Ethernet 0 needs an inbound access list to make the configuration work.
E. Ethernet 0 needs an outbound access list to make the configuration work.
Answer: C

6. What is the purpose of an explicit "deny any" statement at the end of an ACL?
A. none, since it is implicit
B. to enable Cisco IOS IPS to work properly; however, it is the deny all traffic entry that is actually required
C. to enable Cisco IOS Firewall to work properly; however, it is the deny all traffic entry that is actually required
D. to allow the log option to be used to log any matches
E. to prevent sync flood attacks
F. to prevent half-opened TCP connections
Answer: D

7. Which Cisco IOS feature can be used to defend against spoofing attacks?
A. Cisco IOS Firewall (CBAC)
B. lock-and-key ACL and/or reflexive ACL
C. IP Source Guard and/or Unicast RPF
D. TCP Intercept
E. Cisco IOS IPS
F. Auth-Proxy
Answer: C

8. Which of these is mandatory when configuring Cisco IOS Firewall?
A. Cisco IOS IPS enabled on the untrusted interface
B. NBAR enabled to perform protocol discovery and deep packet inspection
C. a route map to define the trusted outgoing traffic
D. a route map to define the application inspection rules
E. an inbound extended ACL applied to the untrusted interface
Answer: E

9. For an MPLS label, if the stack bit is set to 1, which of these is correct?
A. The stack bit is reserved for future use.
B. The label is the last entry in the label stack.
C. The stack bit will only be used when LDP is the label distribution protocol.
D. The stack bit is for Cisco implementations exclusively and will only be used when TDP is the label distribution protocol.
E. The label is the top entry in the label stack and will remain set to 1 until the last entry, the bottom label, is reached.
Answer: B

10. Which statement correctly describes the disabling of IP TTL propagation in an MPLS network?
A. The TTL field from the IP packet is copied into the TTL field of the MPLS label header at the ingress edge LSR.
B. TTL propagation cannot be disabled in an MPLS domain.
C. TTL propagation is only disabled on the ingress edge LSR.
D. The TTL field of the MPLS label header is set to 255.
E. The TTL field of the IP packet is set to 0.
Answer: D

11. Which of these statements about OSPF external LSAs (type 5) is correct?
A. External LSAs (type 5) are automatically changed to type 1 LSAs at ASBRs.
B. Type 5 LSAs are route summaries describing routes to networks outside the OSPF Autonomous System.
C. OSPF external LSAs are automatically flooded into all OSPF areas, unlike type 7 LSAs, which require that redistribution be configured.
D. External network LSAs (type 5) redistributed from other routing protocols into OSPF are not permitted to flood into a stub area.
E. OSPF external LSAs can be flooded into an NSSA area if redistributed from other routing protocols into OSPF and if the subnets parameter is used with the redistribute command.
Answer: D