BCRAN Study Notes [4]

[Date: 2006-07-21]

Summary of what I learned:
My understanding of the Cisco Encryption Technology (CET) terminology is not solid yet.
IPSec supports AH, ESP and Anti-Replay which are not available with CET.


aaa accounting what-to-track how-to-track where-to-send-the-information: these are the specific accounting types that can be configured when setting up AAA.
The what-to-track arguments are as follows:

network - With this argument, network accounting logs the information, on a user basis, for PPP, SLIP, or
ARAP sessions. The accounting information provides the time of access and the network resource usage in
packet and byte counts.

connection - With this argument, connection accounting logs the information about outbound connections made
from the router or RAS device, including Telnet and rlogin sessions. The key word is outbound; it enables the
tracking of connections made from the RAS device and where those connections were established.

exec - With this argument, EXEC accounting logs the information about when a user creates an EXEC terminal
session on the router. The information includes the IP address and telephone number, if it is a dial-in user, and
the time and date of the access. This information can be particularly useful for tracking unauthorized access to
the RAS device.

system - With this argument, system accounting logs the information about system-level events. System-level
events include AAA configuration changes and reloads for the device. Again, this information would be useful
to track unauthorized access or tampering with the router.

command - With this argument, command accounting logs information regarding which commands are being
executed on the router. The accounting record contains a list of commands executed for the duration of the
EXEC session, along with the time and date information.

resource - Before AAA resource failure stop accounting, there was no method of providing accounting records
for calls that failed to reach the user authentication stage of a call setup sequence. Such records are necessary
for users employing accounting records to manage and monitor their networks and their wholesale customers.
This command was introduced in Cisco IOS Software Release 12.1(3)T.

 

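Cisco IOS routers support three security protocols: TACACS+, RADIUS and Kerberos.
TACACS+ and RADIUS support all three As (authentication, authorization and accounting), while Kerberos uses DES (Data Encryption Standard) and supports only authentication, so it is not used much. TACACS+ is Cisco proprietary and is also not used much; RADIUS is a standard defined by the IETF and is used more widely.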

 

IPsec is a set of protocols and algorithms for securing data at the network layer. It consists of two protocols and two protection modes; the two protocols are AH and ESP.
ESP provides: confidentiality, connectionless data integrity, data origin authentication and anti-replay service.
AH provides only: connectionless data integrity, data origin authentication and anti-replay service.

 

 


Some of the commands used on a LINE (physical line) when configuring an asynchronous connection:
(config-line)#exec - Allows the EXEC process on this line.
(config-line)#login - Sets a login password on this line. Without the password, no connection is allowed.
(config-line)#password password - Sets the password to be used when logging in to this line.
(config-line)#flowcontrol hardware - Uses RTS/CTS for flow control.
(config-line)#speed 115200 - Sets the maximum speed (in bits per second) between the modem and the access
server. The speed command sets both the transmit and receive speed.
(config-line)#transport input all - Allows all protocols to be passed to the access server through this line.
(config-line)#stopbits - Sets the number of stop bits transmitted per byte.
(config-line)#modem inout - Uses the modem for both incoming and outgoing calls.
(config-line)#modem dialin - Uses the modem for incoming calls only (the default).

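Asynchronous dial-up is not limited to asynchronous interfaces; it can also be done on A/S interfaces (interfaces that can operate either asynchronously or synchronously).
An A/S interface is synchronous by default, so to use it for asynchronous dial-up you must first declare it asynchronous by entering this command in the interface's
configuration mode: physical-layer async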

Within a Frame Relay VC, Tc = Bc/CIR: the burst size divided by the CIR gives the time interval.

By default, the Frame Relay CIR is a bandwidth of 56/64K.

 

 

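VPNs fall into two broad categories: remote access VPNs and site-to-site VPNs.
Remote access VPN: securely connects remote users to the enterprise network.
Site-to-site VPN: securely connects the branches of an enterprise or company to the enterprise network.
Remote access VPNs are further divided into two types:
Client initiated: the remote user uses client software to establish a secure tunnel to the enterprise network across the ISP's shared network.
Network access server (NAS) initiated: the remote user dials in to the ISP, and the NAS establishes a secure tunnel to the enterprise's private network; this tunnel carries sessions initiated by multiple remote users.
Site-to-site VPNs are further divided into an intranet VPN and an extranet VPN.
An intranet VPN is one where all connected sites are the company's own offices, branches and so on, that is, units of the same company.
An extranet VPN is one that connects customers, suppliers, business partners and the like.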

 


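IKE negotiation in IPsec:
Phase 1 has four tasks:
1. Choose the key distribution method.
2. Choose the authentication method.
3. Identify the IP addresses and host names of the IPsec peers.
4. Determine the ISAKMP policy for the peers.
Phase 2 has five tasks:
1. Select the IPsec algorithms and parameters for optimal security and performance.
2. Select the transform sets.
3. Identify the IPsec peer details.
4. Select how the SAs are established.
5. Determine the traffic to be protected.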


Questions:


QUESTION NO: 13
You are a technician at TestKing.com. Your newly appointed TestKing trainee wants to know what the
circumstances are where the use of Kerberos authentication system would be necessary because
TACACS+ or RADIUS will not be suitable.
What would your reply be?
A. The usage of various router functions needs to be accounted for by user name.
B. Multiple level of authorization need to be applied to various router commands.
C. DES encrypted authentication is required.
D. Authentication, authorization and accounting need to use a single database.
E. The utilization of authentication functions needs to be authorized by user names and passwords.
Answer: C (I have no idea what this question is asking; my head is spinning)

QUESTION NO: 20
You are a network technician at TestKing. Your newly appointed TestKing trainee wants to know what
is responsible for IKE in the IPSec protocol.
What would your reply be? (Choose all that apply.)
A. Negotiating protocol parameters
B. Integrity checking user hashes
C. Authenticating both sides of a connection
D. Implementing tunnel mode
E. Exchanging public keys
F. Packet encryption
Answer: A, C, E (the functions of IKE in IPsec)
Internet Key Exchange (IKE) is used to establish all the information needed for a VPN tunnel. Within IKE, you
negotiate your security policies, establish your SAs, and create and exchange your keys that will be used by
other algorithms such as DES.

QUESTION NO: 21
The Frame Relay connection type is the interconnection process between which types of equipment?
(Choose all that apply.)
A. DCE
B. DTE
C. CPE
D. PDN
E. DSLAM
Answer: A, C (disputed question; B, C?)

QUESTION NO: 26
Which of the following statements regarding Frame Relay subinterface configurations are true? (Choose
all that apply.)
A. The configuration must be added to the D channel.
B. The physical interface and subinterface can each be configured with IP addresses.
C. Subinterface is configured either multipoint or point-to-point.
D. Any IP address must be removed from the subinterface.
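Answer: B, C (the question is wrong: B is not correct. With Frame Relay, if there are subinterfaces, no IP address should be configured on the physical interface; they conflict)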

QUESTION NO: 29
You are the network administrator at TestKing.com. The TestKing network has a DSL service
connection that uses PPPoE. Which process must you perform on the host to establish a PPPoE
SESSION_ID on the PPPoE connection?
A. A DHCP request process to request an IP address and session ID.
B. A Discovery process to identify a PPPoE server and request a session ID.
C. A RARP request process to request a MAC address and session ID.
D. A Bootp process to request a configuration and session ID.
Answer: B
When a router wants to initiate a PPPoE session, it must first perform Discovery to identify the Ethernet MAC
address of the peering device and establish a PPPoE SESSION_ID. Discovery is inherently a client/server
relationship. During Discovery, a router discovers the provider DSLAM. Discovery allows the CPE router to
discover all available DSLAMs, and then select one. When Discovery completes successfully, both the CPE
router and the selected DSLAM have the information they will use to build their point-to-point connection over
Ethernet.

QUESTION NO: 30
You are a network technician at TestKing. Your newly appointed TestKing trainee wants to know what
physical factors will have a negative effect on the maximum available speed of a DSL connection.
What would your reply be? (Choose all that apply.)
A. Number of telephones attached to the local loop.
B. Gauge of wire used on the local loop.
C. Distance between the CPE and the DSLAM.
D. Bridge taps in the local loop.
E. Loading coils in the subscriber’s line.
Answer: B, C (watch out for this question: A should really count as correct too; connecting extension phones or more telephones locally makes the DSL slower)

QUESTION NO: 31
You are the network administrator at TestKing.com. TestKing has an ISDN line that you want to use as a
backup for the Frame Relay line connection on interface serial0. The Cisco router is configured as
follows:
interface serial0
ip address 192.168.10.1 255.255.255.0
backup interface bri0
backup delay 5 10
interface bri0
ip address 192.168.11.2 255.255.255.0
dialer idle-timeout 900
dialer-group 1
dialer-group 1 protocol ip permit
With regard to the above configuration, which of the following statements is true?
A. The ISDN BRI line will be in “standby” mode after 900 seconds once the serial interface activates again.
B. The ISDN BRI line will be in “standby” mode after 10 seconds but will be in “up/ip” mode after 900
seconds once the serial interface activates again.
C. The ISDN BRI line will be in “standby” mode after 10 seconds but will be in “standby” mode after 900
seconds once the serial interface activates again.
D. The ISDN BRI line will be in “standby” mode after 10 seconds once the serial interface activates again.
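Answer: C (some say the correct answer to this question should be D, but C should be right. The backup line goes to STANDBY 10 seconds after the primary link recovers, but there is an idle timeout as well, which should be taken into account, shouldn't it?)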


QUESTION NO: 35
You are a network technician at TestKing, Inc. You issue the following command on a TestKing router:
TestKingA(config)#aaa authentication login default group tacacs+ none
Your newly appointed TestKing trainee wants to know what this configuration will accomplish.

What would your reply be?
A. It uses the list of servers specified in group “TACACS+”, if none are available, then no access is
permitted.
B. It uses the list of TACACS+ servers for authentication, if TACACS+ fails then uses no authentication.
C. It uses the list of TACACS+ servers for authentication, if TACACS+ fails then no access is permitted.
D. No authentication is required to login.
E. It uses a subset of TACACS+ servers named “group” for authentication as defined by the aaa group
servers tacacs+ command.
Answer: B (here, in TestKingA(config)#aaa authentication login default group tacacs+ none, the trailing none parameter means that no authentication is performed)
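
A method list that ends in none, as in this question, lets a login through without authentication when the methods before it return an error (for example, when no TACACS+ server answers), so it is worth checking for, along with which of the accounting types from the notes above are actually enabled. An added example, not part of the original notes: a Python audit of an IOS-style configuration; the sample configuration is constructed and the function name is an assumption of this example.

```python
import re

# what-to-track keywords from the notes; IOS writes command accounting as
# "commands <privilege-level>". "resource" is left out of this coverage check.
ACCOUNTING_TYPES = ("network", "connection", "exec", "system", "commands")

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ none
aaa authentication login CONSOLE group tacacs+ local
aaa authentication ppp default none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default none
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) (\S+) (.+)$")
ACCT_RE = re.compile(
    r"^aaa accounting (network|connection|exec|system|commands)(?: \d+)? (\S+) (\S+)"
)


def audit_aaa(config_text):
    """Return (findings, missing) for an IOS-style configuration.

    findings: (service, list name, kind) for method lists ending in "none".
    missing:  accounting types with no enabled accounting statement.
    """
    findings, tracked = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        auth = AUTH_RE.match(line)
        if auth:
            service, list_name = auth.group(1), auth.group(2)
            methods = auth.group(3).split()
            if methods[-1] == "none":
                # After other methods, "none" is reached when they return an
                # error (e.g. no TACACS+ server answers); on its own it turns
                # authentication off for that list outright.
                kind = "fallback" if len(methods) > 1 else "only-method"
                findings.append((service, list_name, kind))
            continue
        acct = ACCT_RE.match(line)
        if acct and acct.group(3) != "none":   # "none" = accounting disabled
            tracked.add(acct.group(1))
    missing = [t for t in ACCOUNTING_TYPES if t not in tracked]
    return findings, missing


if __name__ == "__main__":
    findings, missing = audit_aaa(SAMPLE_CONFIG)
    for service, list_name, kind in findings:
        print(f"[!] authentication {service} list {list_name}: 'none' as {kind}")
    print("accounting not enabled for:", ", ".join(missing) or "(all covered)")
```

Ending the list in local instead of none, as the CONSOLE list in the sample does, keeps a fallback for server outages without opening unauthenticated access.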

QUESTION NO: 50
You are a network administrator at TestKing. The TestKing network uses a hub and spoke Frame Relay.
However, no spoke router can ping any other spoke routers, yet all spoke routers are able to ping the hub
router. What gives rise to this situation?
A. Disabled split horizon
B. Spanning-tree loop
C. Inverse ARP issue
D. Poison reverse issue
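Answer: C (the lesson from this question: in a hub-and-spoke environment, Frame Relay spoke routers that rely on Inverse ARP cannot ping each other;
communication is only possible with static map statements. Why? Work it out yourself. Heh)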

QUESTION NO: 51
Which of the following is a Valid Dynamic TEI value assignment range for an ISDN BRI circuit?
A. 128-256
B. 25-62
C. 64-126
D. 1-24
Answer: C (this one has to be memorized by rote) 64-126

QUESTION NO: 52
You encounter the following information line:
kickin load 60% kickout load 40%
Which router command is responsible for this output?
A. show load
B. show primary
C. show dialer-profile
D. show interface
E. show backup
Answer: D (just memorize it; this one is experience)

QUESTION NO: 62
You are a technician at TestKing. A computer on the TestKing network is connected to a modem which is
being switched on. Your newly appointed TestKing trainee wants to know how the computer will be
made aware that the DCE is ready for use.
What would your reply be?
A. The modem sets DTE pin 4.
B. The modem sets DTR pin 20.
C. The modem sets DSR pin 6.
D. The modem sets DCE pin 5.
E. The modem sets DTR pin 3.
Answer: C (memorization question: which signal the DCE uses to indicate that it is ready)

QUESTION NO: 66
With regard to the Multilink PPP protocol, which of the following statements are true? (Choose all that
apply.)
A. MLP can identify bundles only through the authenticated name.
B. MLP can be applied to any link type utilizing PPP encapsulation.
C. MLP is a negotiated option only during the LCP phase of PPP.
D. For MLP to bind links, configuring AAA authentication is required.
Answer: A, B (B does not look quite right.)

QUESTION NO: 67
Snapshot is supported by two protocols. Which two are they? (Choose all that apply.)
A. RIP
B. OSPF
C. BGP
D. IGRP
E. EIGRP
Answer: A, D (understanding of snapshot routing)

QUESTION NO: 71
Can you identify which two of the following are T1/E1 line-code options? (Choose all that apply.)
A. CRC4
B. B8ZS
C. AMI
D. ESP
Answer: B, C (T1/E1 line-code types). There is actually one more type: hdb3

QUESTION NO: 76
You are the network administrator at TestKing.com. You need to configure a T1 controller for ISDN PRI
operation. Which T1 controller command would you use?
A. linecode
B. framing
C. pri-group
D. isdn switch-type
E. barcode
Answer: D (the correct answer is C)

QUESTION NO: 83
Which of the following are valid framing types on a T1 controller? (Choose all that apply.)
A. ami
B. esf
C. b8zs
D. sf
E. crc4
Answer: B, D, E (memorize the T1 controller framing types: esf, sf, crc4; but some say the correct answer is only D and B. Why?)

QUESTION NO: 88
Which one of the following interface configuration combinations will result in inverse ARP to resolve
addresses in a Frame Relay hub and spoke topology?
A. Main interface at the hub router.
Point-to-point subinterface at the spoke routers.
B. Point-to-point subinterface at the hub router.
Multipoint subinterface at the spoke routers.
C. Point-to-point subinterface at the hub router.
Main interface at the spoke routers.
D. Multipoint subinterface at the hub router.
Point-to-point subinterface at the spoke routers.
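Answer: BD (but some say to choose AB? I really do not understand this question at all!
It asks about using Inverse ARP to learn addresses. So who can tell me when it cannot be used to learn addresses?)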


QUESTION NO: 99
You are a technician at TestKing. Your newly appointed TestKing trainee wants to know what services
AH and ESP provides
What would your reply be?
A. Data origin authentication, confidentiality, and anti-replay service
B. Confidentiality, data integrity, and anti-replay service
C. Data integrity, data origin authentication, and anti-replay service
D. Confidentiality, data integrity, and data origin authentication
E. Confidentiality, data integrity and authorization.
Answer: C (what is the anti-replay service here? I don't understand. I think the choice is D)

QUESTION NO: 125
You are a technician at TestKing. Your newly appointed TestKing trainee wants to know more about
WRED.
What would your reply be?
A. It is effective on UDP packets and will not allow tail drops.
B. It is effective on UDP packets and will allow tail drops.
C. It is effective on TCP packets and will not allow tail drops.
D. It is effective on TCP packets and will allow tail drops.
Answer: D (it should be D, I think. Some say it is C. I find that strange!!)

QUESTION NO: 128
You are a network technician at TestKing. TestKing makes use of a VPN which has users dial in from
remote locations to an Internet service provider (ISP). The ISP-owned devices then establish a secure
tunnel to the TestKing network. Your newly appointed TestKing trainee wants to know what type of
VPN this is.
What would your reply be?
A. An intranet VPN
B. An extranet VPN
C. A client initiated VPN
D. A Network Access Server initiated VPN
Answer: D (can you really tell that the VPN is this type from the little the question gives?)

QUESTION NO: 135
You are the network administrator at TestKing. A TestKing router receives frames with the BECN bit
set every 60 seconds but no frames with the FECN bit set. What does this behavior indicate?
A. Congestion on the Frame Relay switch triggered by too much traffic in both direction.
B. Congestion on the Frame Relay switch triggered by too much traffic within the local network.
C. Congestion on the Frame Relay switch triggered by too much traffic from remote router to local router.
D. Congestion on the Frame Relay switch triggered by too much traffic from local router to remote router.
Answer: C (a wrong question? It should be D, shouldn't it)

QUESTION NO: 138
You are a trainee technician at TestKing. Your instructor asks to name the dial feature that provides
reliable connectivity, but does not rely on traffic defined as interesting to trigger outgoing calls to a
remote router, and is triggered by a lost route.
What would your reply be?
A. floating static routes.
B. dialer backup.
C. dialer watch.
D. static routes.
E. dialer route.
Answer: E (I still do not really understand this term! Sigh)

QUESTION NO: 146
Which command must be used in order for PPP authentication to work with a dialer profile?
A. dialer string
B. dialer remote-name
C. dialer pool-member
D. dialer map
Answer: D (what does PPP authentication with dialer profiles have to do with these? Some also say to choose B.)

QUESTION NO: 147
Which of the following are true statements about RADIUS and TACACS+ servers regarding ARA
protocol support? (Choose two)
A. RADIUS server supports AppleTalk Remote Access (ARA) protocol.
B. TACACS+ server supports AppleTalk Remote Access (ARA) protocol.
C. RADIUS+ server supports AppleTalk Remote Access (ARA) protocol.
D. TACACS+ server does not support AppleTalk Remote Access (ARA) protocol.
E. Neither TACACS+ or RADIUS servers support AppleTalk Remote Access (ARA) protocol.
Answer: B, C (I think it should be B; it should be single-choice)

QUESTION NO: 161
Which command quickly verifies the Frame Relay configuration and the line, protocol, and LMI status
on a serial interface?
A. show interface
B. show frame-relay pvc
C. show frame-relay map
D. show frame-relay status
E. show frame-relay interface
Answer: B (some say to choose A. Who can give a correct answer? I think B is right)

QUESTION NO: 166
Which three statements are true regarding reachability issues in a multipoint Frame Relay
configuration? (Choose three)
A. Split horizon can cause problems in NBMA environments.
B. Subinterfaces can resolve split horizon issues.
C. Subinterfaces do not apply in Frame Relay networks.
D. Split horizon is an issue with point-to-point subinterfaces.
E. Split horizon is not an issue with multipoint subinterfaces.
F. A single physical interface simulates multiple logical interfaces.
Answer: B, E, F (the correct answer should be ABF, I think)

QUESTION NO: 174
As technology has advanced and higher frequencies are employed, which statement is true for a point-to-point
microwave, fixed-wireless system?
A. Less spectrum is available for broadband applications.
B. Smaller antennas can be deployed resulting in lower costs.
C. Propagation distance increases and weather is less a factor.
D. The larger wavelengths require more sophisticated equipment.
Answer: D (B; I do not understand this question at all)

QUESTION NO: 178
What is the purpose of CSU/DSU in a leased T1 WAN configuration?
A. It provides encryption and compression for the security of transmitted data.
B. It multiplexes individual 64K channels into a single circuit.
C. It channelizes the leased T1 line into multiple 65K circuits.
D. It provides signal timing for communications and interfaces to the digital transmission facility.
E. It converts the analog T1 signals into digital signals for the router interface.
Answer: B (what is the purpose of a CSU/DSU?? Some reference material would be nice! Is it really just to multiplex the link into multiple 64K channels?)

QUESTION NO: 184
What are two queuing methods all for strict priority queuing of delay sensitive applications?
A. Flow Base Queuing
B. Class Base Queuing
C. LLQ
D. CQ
E. PQ
Answer: C, E (what is PQ?)

QUESTION NO: 186 (focus on this one) Weak point:

QUESTION NO: 189
Which two commands assign multiple ISDN BRI interfaces to a single hunt group? (Choose two)
A. dialer-group
B. multilink ppp
C. interface dialer
D. dialer hunt-group
E. dialer rotary-group
Answer: B, E (is it better to choose CE, or...? I do not know what E means; I feel like choosing only B)

QUESTION NO: 216
Which three phrases are correct about IPSec IKE Phase 2? (Choose three)
A. determine the key distribution method
B. negotiate ISAKMP policies for peers
C. select IPSec algorithms and parameters for optimal security and performance
D. identify IPSec peer details
E. select manual or IKE-initiated SAs
F. determine the authentication method
Answer: B, C, E (memorize. The tasks of IKE phase 2; but some say it should be CDE???)


821 TK19: compiled questions from the end of Part A that have no answers

QUESTION NO: 220
TestKing has a unique dial requirements for each branch site that communicates with a central site router. Which two commands permit multiple physical interfaces on a central router to be shared by multiple remote sites while retaining their unique site requirements? (Choose two)
A. dialer pool
B. dialer-list
C. dialer-group
D. dialer hunt-group
E. dialer pool-member
Answer: AE   the two dialer profile commands


QUESTION NO: 221 (same as Q121)
Which configuration command defines a rotary group?
A. dialer pool
B. rotary-group
C. interface rotary
D. interface dialer
E. dialer rotary-group
Answer: D   interface dialer defines it; dialer rotary-group adds the port to the group


QUESTION NO: 222
Given the partial configuration and assuming that all other configuration parameters are correct and
that there are only two BRI interfaces on Router TK1, how many ISDN B channels will form the
multilink PPP bundle from Router TK1 to Router TK2?
A. Two ISDN B channels will form the Multilink PPP bundle.
B. Four ISDN B channels will form the Multilink PPP bundle.
C. No Multilink PPP bundle will be formed because the dialer interface is not associated with the physical
interfaces.
D. No Multilink PPP bundle will be formed because there is no load threshold configured.
Answer: D   compared with 214, the configuration lacks the threshold setting, so multilink will not start



