D is correct, but for this reason. Note the !A in the output. This means that the response was administratively prohibited by an ACL. This limits the answer to either A or D. Given we see the !A at fa0/1 of R3, D is the answer.
It's clearly D and !A gives it away. The ! indicates that .6 did reply and the A means it was administratively prohibited. Hence ACL. https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html
Putting the ACL on the loopback interface will not work.
The loopback interface is a control-plane interface, so because it is a logical interface the ACL will not block the traffic.
R3#show access-lists
Standard IP access list 1
10 deny 1.1.1.1
20 permit any
R3#
R3#show running-config interface lo0
Building configuration...
Current configuration : 85 bytes
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
ip access-group 1 in
end
R1#ping 3.3.3.3 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
R1#
The only way in this scenario is to apply the ACL on the physical interface of the R3 router facing R2:
R3#show running-config interface ethernet 0/1
Building configuration...
Current configuration : 103 bytes
!
interface Ethernet0/1
ip address 10.99.69.6 255.255.255.252
ip access-group 1 in
duplex auto
end
R1#traceroute
Protocol [ip]: ip
Target IP address: 3.3.3.3
Ingress traceroute [n]: n
Source address: 1.1.1.1
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.99.69.2 1 msec 1 msec 0 msec
2 10.99.69.6 !A !A *
As you can see, the traffic is now blocked.
What you can do instead is apply some policing to the control plane. Why? Because the loopback interface is a logical interface, so it is an interface controlled by the control plane (the control plane is generally considered to be where a router or switch makes its decisions. This is software based, and uses the CPU rather than specialised hardware, such as an ASIC).
Here is the config:
class-map match-all DENY-TRAFFIC-TO-LOOPBACK
 match access-group 1
policy-map DENY-TRAFFIC-TO-LOOPBACK
 class DENY-TRAFFIC-TO-LOOPBACK
  police 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input DENY-TRAFFIC-TO-LOOPBACK
In this case, in the ACL we don't use the deny statement but the permit statement, because we permit the traffic sourced by host 1.1.1.1 to be policed.
R3#show access-lists 1
Standard IP access list 1
10 permit 1.1.1.1 (5234 matches)
20 permit any (77 matches)
Ref: what !A in traceroute output - Cisco Community
Post by glen.grant
“…
Administratively unreachable. Usually, this output indicates that an access list is blocking traffic.”
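Added example, not part of any post in this thread: a small Python parser for IOS traceroute output that reports which responding hop returned `!A`, using the trace posted above as its input. The annotation table lists only a few common IOS markers, and the function names are this example's own.

```python
import re

# Cisco IOS traceroute probe annotations (subset; see the Cisco document linked above).
ANNOTATIONS = {
    "!A": "administratively prohibited (typically an ACL)",
    "!H": "host unreachable",
    "!N": "network unreachable",
    "!P": "protocol unreachable",
    "*": "probe timed out",
}

# A hop line: hop number, responder IPv4 address, then per-probe results.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")

def parse_hops(output):
    """Return a list of (hop_number, responder_ip, [annotations]) tuples."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Tracing the route to ..."
        marks = [tok for tok in m.group(3).split() if tok in ANNOTATIONS]
        hops.append((int(m.group(1)), m.group(2), marks))
    return hops

def find_filtering_hop(output):
    """Return (hop, ip) of the first device that answered with !A, or None."""
    for hop, ip, marks in parse_hops(output):
        if "!A" in marks:
            return hop, ip
    return None

# Traceroute output as posted in the thread.
SAMPLE = """\
Tracing the route to 3.3.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 10.99.69.2 1 msec 1 msec 0 msec
2 10.99.69.6 !A !A *
"""

if __name__ == "__main__":
    for hop, ip, marks in parse_hops(SAMPLE):
        notes = ", ".join(f"{m}: {ANNOTATIONS[m]}" for m in sorted(set(marks)))
        print(f"hop {hop} {ip} {notes or 'replied normally'}")
    print("filtering device:", find_filtering_hop(SAMPLE))
```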
A. An ACL applied inbound on loopback0 of R2 is dropping the traffic.
Wrong answer.
B. The loopback on R3 is in a shutdown state.
Wrong answer.
C. Redistribution of connected routes into OSPF is not configured.
Wrong answer.
D. An ACL applied inbound on fa0/1 of R3 is dropping the traffic.
Correct answer.
A is the correct answer and here is why:
B - if the loopback on R3 were in a shutdown state, then 3.3.3.3 would not be in the routing table of R1. OSPF does not propagate networks configured on shutdown interfaces. As a result, there would not be any hops in the output.
C - from the perspective of R3, the network configured on the loopback interface is in the "Connected" state, so if redistribution of connected routes were not configured then 3.3.3.3 would not be propagated to R1. The result would be the same as in B.
D - if an ACL dropped inbound traffic on Fa0/1, then the address 10.99.69.6 (second hop) would not be in the output. Remember, if a router decrements the TTL to 0 then it has to send a response to the source of the packet. The header of the response contains the IP address of the router which hit TTL = 0.
Sorry for any mistakes, English is not my native language :/
I would say that the loopback int in R3 is in a shutdown state (answer B), because if answer D is true as supposed (all traffic entering fa0/1 in R3 is dropped) then we should not see the IP 10.99.69.6 in our traceroute result.
D is correct. The reason we see 10.99.69.6 in the output is that we ping the Lo 3.3.3.3 of R3 with its add, so of course we will see the connected add of the Lo 3.3.3.3.