- (Exam Topic 3)
The network administrator configured R1 to authenticate Telnet connections based on Cisco ISE using TACACS+. ISE has been configured with an IP address of 192.168.1.5 and with a network device pointing toward R1(192.168.1.1) with a shared secret password of Cisco123.

The administrator cannot authenticate to R1 based on ISE. Which configuration fixes the issue?

1. A. ip tacacs-server host 192.168.1.5 key Cisco123
2. B. line vty 0 4login authentication TAC-SERV
3. C. line vty 0 4login authentication telnet
4. D. tacacs-server host 192.168.1.5 key Cisco123

Correct Answer: C
The last command “aaa authentication login telnet group TAC-SERV” created the method list name telnet so we need to assign it to line vty.
Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208- Configure-ISE-2-0-IOS-TACACS-Authentic.html

- (Exam Topic 1)
What is a limitation of IPv6 RA Guard?

1. A. It is not supported in hardware when TCAM is programmed
2. B. It does not offer protection in environments where IPv6 traffic is tunneled.
3. C. It cannot be configured on a switch port interface in the ingress direction
4. D. Packets that are dropped by IPv6 RA Guard cannot be spanned

Correct Answer: B
Restrictions for IPv6 RA Guard
The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.
This feature is supported only in hardware when the ternary content addressable memory (TCAM) is programmed.
This feature can be configured on a switch port interface in the ingress direction.
This feature supports host mode and router mode.
This feature is supported only in the ingress direction; it is not supported in the egress direction.
This feature is not supported on EtherChannel and EtherChannel port members.
This feature is not supported on trunk ports with merge mode.
This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of PVLANs, primary VLAN features are inherited and merged with port features.
Packets dropped by the IPv6 RA Guard feature can be spanned. Reference:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-16-10/ip6f-xe-16-10-book/ip6-r

- (Exam Topic 3)
Which IPv6 feature enables a device to reject traffic when it is originated from an address that is not stored in the device binding table?

1. A. IPv6 Snooping
2. B. IPv6 Source Guard
3. C. IPv6 DAD Proxy
4. D. IPv6 RA Guard

Correct Answer: B
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/xe-3s/ip6f-xe-3s-book/ip6-src-guar

- (Exam Topic 3)
The network administrator is tasked to configure R1 to authenticate telnet connections based on Cisco ISE using RADIUS. ISE has been configured with an IP address of 192.168.1.5 and with a network device pointing towards R1 (192.168.1.1) with a shared secret password of Cisco123. If ISE is down, the administrator should be able to connect using the local database with a username and password combination of admin/cisco123.
The administrator has configured the following on R1:

ISE has gone down. The Network Administrator is not able to Telnet to R1 when ISE went down. Which two configuration changes will fix the issue? (Choose two.)

1. A. Option A
2. B. Option B
3. C. Option C
4. D. Option D
5. E. Option E

Correct Answer: CE

- (Exam Topic 1)
Refer to the following output:
Router#show ip nhrp detail 10.1.1.2 /8 via 10.2.1.2, Tunnel1 created 00:00:12, expire 01:59:47 TypE. dynamic, Flags: authoritative unique nat registered used NBMA address: 10.12.1.2
What does the authoritative flag mean in regards to the NHRP information?

1. A. It was obtained directly from the next-hop server.
2. B. Data packets are process switches for this mapping entry.
3. C. NHRP mapping is for networks that are local to this router.
4. D. The mapping entry was created in response to an NHRP registration request.
5. E. The NHRP mapping entry cannot be overwritten.

Correct Answer: A