Chapter 6 - Infrastructure Security

Question 1

1. Which method can restrict a user from plugging a wireless access point into a corporate network?
A. Access control lists
B. Port security
C. WiredEquivalentPrivacy
D. Static MAC addresses

Answer 1

1. B. Port security can restrict a port to a single device by MAC address. This will effectively make plugging in a wireless access point a non-event for a corporate network

Question 2

2. What does port security use to block unauthorized access?
   A. Source MAC addresses
   B. Destination MAC addresses C. Source IP addresses
   D. Destination IP addresses

Answer 2

2. A. Port security blocks unauthorized access by examining the source address of a network device.

Question 3

3. Which command will enable port security?
   A. Switch(config)#switchport port-security
   B. Switch(config)#port-security enable
   C. Switch(config-if)#switchport port-security
   D. Switch(config-if)#port-security enable

Answer 3

3. C. Port security is enabled by configuring the command switchport port-security. This command must be configured on the interface in which you want to enable port security.

Question 4

4. If port security is enabled on an interface, what is the maximum number of MAC
   addresses allowed by default? A. 1 MAC address
   B. 2 MAC addresses
   C. 0 MAC addresses
   D. 10 MAC addresses

Answer 4

4. A. By default, only a single MAC address is allowed on an interface when port security is enabled

Question 5

5. Which layer of the OSI model does port security use for securing a port?
   A. Layer0 B. Layer1 C. Layer2 D. Layer3

Answer 5

5. C. Port security operates at layer 2 by inspecting the source MAC addresses in frames. It allows the configured number of source MAC addresses to be switched into the port and onto the switch processor.

Question 6

6. Why would a network admin choose to configure port security on an interface? A. To allow or disallow VLANs
   B. To allow or disallow IP addresses
   C. To prevent unauthorized access by MAC address D. To prevent unauthorized access by user

Answer 6

6. C. Configuring port security helps a network administrator prevent unauthorized access by MAC address.

Question 7

7. Which statement is correct about port security?
   A. Port security works best in mobile environments.
   B. Port security requires a higher amount of memory. C. Port security works best in static environments.
   D. Port security always results in admin intervention to reset the port.

Answer 7

7. C. Port security works best in static environments where there is minimal change to the environment. It does not require any more memory since the results are pulled from the MAC address table.

Question 8

8. When configuring port security on a port that contains a VoIP phone with a voice VLAN and a computer connected to the phone, how many MAC addresses must you allow?
   A. 1 MAC address
   B. 2 MAC addresses C. 0 MAC addresses
   D. 10 MAC addresses

Answer 8

8. B. Both the computer and the VoIP phone have MAC addresses, and therefore you will need to allow the port to have two MAC addresses, one for the phone to communicate and the other for the computer to communicate on the port.

Question 9

9. What is the default action of port security on the interface when the maximum number of MAC addresses is exceeded?
A. Administrative shutdown
B. Err-disabledshutdown
C. Restricted access without logging
D. Restricted access with logging

Answer 9

9. B. By default, when port security is configured on a port, the violation method is err- disabled shutdown.

Question 10

10. You are configuring a port for port security and receive the error “Command rejected: FastEthernet0/1 is a dynamic port.” Which commands will help you configure the port?
    A. SwitchA(config-if)#no switchport dynamic
    SwitchA(config-if)#switchport
    B. SwitchA(config-if)#switchport SwitchA(config-if)#switchport
    C. SwitchA(config-if)#switchport SwitchA(config-if)#switchport SwitchA(config-if)#switchport
    D. SwitchA(config-if)#switchport SwitchA(config-if)#no dynamic SwitchA(config-if)#switchport
    port-security
    mode access port-security
    mode access nonnegotiate port-security
    mode access
    port-security

Answer 10

10. C. When port security is configured, the port cannot be in dynamic mode for Dynamic Trunking Protocol (DTP) mode. You must configure the port as an access port first, then turn off DTP with the command switchport nonnegotiate. You can then configure switchport port security.

Question 11

11. Which command will allow you to configure two MAC addresses for port security? A. SwitchA(config-if)#switchport maximum 2
    B. SwitchA(config-if)#switchport port-security maximum 2 C. SwitchA(config-if)#port-security maximum 2
    D. SwitchA(config-if)#switchport port-security limit 2

Answer 11

11. B. The command switchport port-security maximum 2 will configure the port with a maximum of two MAC addresses that shall pass through the port.

Question 12

12. Which command will limit devices via port security without disabling the port and
    logging the restricted device?
    A. Switch(config-if)#switchport port-security violation shutdown
    B. Switch(config-if)#switchport port-security restrict
    C. Switch(config-if)#switchport port-security violation protect
    D. Switch(config-if)#switchport port-security violation restrict

Answer 12

12. D. The command switchport port-security violation restrict will set the violation mode to restrict. This will drop frames over the maximum number of learned MAC addresses and will log security violations to the counters.

Question 13

13. Which command will allow you to inspect the status of a port that has been
    configured for port security?
    A. Switch#show running-configuration
    B. Switch#show port-security interface gi 2/13
    C. Switch#show port-security details interface gi 2/13
    D. Switch#show port-security gi 2/13

Answer 13

13. B. The command show port-security interface gi 2/13 will allow you to see a detailed view of an individual port configured for port security.

Question 14

14. Which command will limit devices via port security and send an SNMP trap
    notification?
    A. Switch(config-if)#switchport port-security violation shutdown
    B. Switch(config-if)#switchport port-security restrict
    C. Switch(config-if)#switchport port-security violation protect
    D. Switch(config-if)#switchport port-security violation restrict

Answer 14

14. A. The command switchport port-security violation shutdown puts the interface into the err-disable state immediately and sends an SNMP trap notification to a syslog server

Question 15

15. Which command will limit devices via port security without disabling the port and
    not provide logging for a security violation counter?
    A. Switch(config-if)#switchport port-security violation shutdown
    B. Switch(config-if)#switchport port-security restrict
    C. Switch(config-if)#switchport port-security violation protect
    D. Switch(config-if)#switchport port-security violation restrict

Answer 15

15. C. The command switchport port-security violation protect will set the violation mode to protect. This will drop frames over the maximum number of learned MAC addresses but will not log security violations to the counters.

Question 16

16. Which command will allow you to see logged security violations for port security?
    A. Switch#show violations
    B. Switch#show port-security violations C. Switch#show port-security
    D. Switch#show psec violations

Answer 16

16. C. The command show port-security will show all ports that have logged port security violations.

Question 17

17. You have been tasked to secure ports with port security. You need to make sure that only the computers installed can access the network. The computers are installed already. Which type of configuration for port security would require the least amount of administration?
    A. Static port security
    B. Dynamic port security C. Sticky port security
    D. Time limit port security

Answer 17

17. C. When you configure sticky port security, the first MAC address seen by the switch will become bound to the port. Any other MAC addresses will trip the access violation set.

Question 18

19. Which command will allow the first MAC address learned on the port to be allowed to only pass traffic on the port via port security?
    A. SwitchA(config-if)#switchport port-security mac-address sticky B. SwitchA(config-if)#switchport port-security mac-address dynamic C. SwitchA(config-if)#switchport port-security mac-address static
    D. SwitchA(config-if)#switchport port-security mac-address learn

Answer 18

19. A. The command switchport port-security mac-address sticky will configure the port to learn the first MAC address and allow only the first MAC address to pass traffic.

Question 19

23. Which command will allow you to globally reset all ports with an err-disable state
    with minimal disruption?
    A. Switch#clear err-disable
    B. Switch#clear switchport port-security C. Switch#clear port-security violation
    D. Switch(config)#errdisable recovery cause psecure_violation

Answer 19

23. D. The global config command errdisable recovery cause psecure_violation will reset all ports with an err-disable status.

Question 20

24. You need to verify the sticky MAC addresses learned on a port on the switch.
    Which command will allow you to verify the addresses learned? A. SwitchA#show running-configuration
    B. SwitchA#show port-security
    C. SwitchA#show port-security details
    D. SwitchA#show port-security status

Answer 20

24. A. The command show running-configuration will show you the learned MAC addresses from port security.

Question 21

25. Which is a correct statement about sticky MAC addresses learned on a switchport?
    A. Sticky MAC addresses are removed by performing a shutdown on the port. B. Sticky MAC addresses become part of the running-configuration.
    C. Sticky MAC addresses can be explicitly configured manually.
    D. Sticky MAC addresses automatically become part of the startup-configuration

Answer 21

25. B. Sticky MAC addresses become part of the running-configuration. If the running- configuration is saved to the NVRAM, then the sticky MAC address will become part of the startup-configuration

Question 22

26. You need to change a device on a port with which a sticky MAC address is associated. Which command will allow you to change the device and allow for a new sticky MAC address to be learned?
    A. Switch#clear switchport port-security f 0/0
    B. Switch(config-if)#no switchport port-security
    C. Switch#clear port-security f 0/0
    D. Switch(config-if)#no switchport port-security mac-address sticky 0045.2342.e4c3

Answer 22

26. D. The command no switchport port-security mac-address sticky 0045.2342.e4c3 will remove the entry for the device. The command no switchport port-security mac-address sticky will remain, so the next device learned will create a new sticky entry.

Question 23

28. Which command will allow you to see all the dynamically learned MAC addresses for port security?
    A. SwitchA#show running-configuration B. SwitchA#show mac address-table
    C. SwitchA#show port-security details
    D. SwitchA#show port-security address

Answer 23

28. D. The command show port-security address will allow you to see all of the dynamically learned MAC addresses for port security. The command show running- configuration would allow you to see only dynamically learned MAC addresses that are sticky.

Question 24

31. In which interface mode should you configure port security for end devices? A. Dynamic
    B. Access
    C. Trunk
    D. Voice

Answer 24

31. B. The interface switchport should be in an access mode before port security is applied to the interface. Trunks can participate in port security, but it is rare to use these two functions together.

Question 25

34. You have default configuration on a port, which is also configured for port security. One of your junior admins is switching out equipment on the port. Which command will need to be entered so the port does not go into the violation mode?
    A. Switch#clear port-security dynamic interface gi 2/3 B. Switch(config-if)#no port-security mac-address
    C. Switch(config-if)#switchport port-security maximum 2
    D. Switch#clear port-security interface gi 2/3

Answer 25

34. A. The default configuration for port security is dynamic port security and a violation of shutdown. If a new device is connected to the port, it will enter an err- disable status. Therefore, clearing the dynamic MAC addresses will be required via the command clear port-security dynamic interface gi 2/3. Alternatively, the command clear port-security dynamic would clear all dynamically learned MAC addresses on the entire switch

Question 26

35. Which command would configure a port to forget the dynamically learned MAC
    address after 24 hours?
    A. Switch(config-if)#switchport port-security aging 1440
    B. Switch(config-if)#switchport port-security aging time 1440 C. Switch(config-if)#switchport port-security time 1440
    D. Switch(config-if)#switchport port-security maximum time 1440

Answer 26

35. B. The command switchport port-security aging time 1440 will configure the port to forget the dynamically learned MAC address after 1,440 minutes. This command is configured in minutes and saves an admin from entering a clear command. However, if a violation of shutdown is configured, the port will need to be manually reset if it enters violation mode within this time period.

Question 27

36. Which term describes the area outside of the corporate firewall?
    A. DMZ area
    B. Perimeterarea C. Internal area
    D. Trustedarea

Answer 27

36. B. The perimeter area, or perimeter network, is outside of the corporate firewall. The perimeter area generally holds equipment necessary for routing to the ISP.

Question 28

37. How does DHCP snooping track DHCP messages and mitigate attacks?
    A. DHCPfiltering
    B. DHCPbindingtable C. Untrustedports
    D. IOSACLs

Answer 28

37. B. The DHCP binding table tracks all interface, MAC address, VLAN, and IP information. This database is critical in snooping out other ports from using identical information.

Question 29

38. Which term describes the area accessible to the Internet yet protected by the corporate firewall?
    A. DMZ
    B. Perimeter C. Internal
    D. Trusted

Answer 29

38. A. The demilitarized zone (DMZ) is an area that is protected by the corporate firewall. However, it allows servers such as web servers, email servers, and application servers to be accessible via the Internet.

Question 30

39. Which type of device can prevent an intrusion on your network?
    A. Honey pots B. IDS
    C. IPS
    D. HIDS

Answer 30

39. C. An intrusion prevention system, or IPS, can detect and prevent attacks based on their signature. They are commonly found in firewall systems such as Adaptive Security Appliance (ASA) devices.

Question 31

40. When dealing with firewalls, the term trusted network is used to describe what?
    A. Internal network
    B. The Internet C. The DMZ
    D. A network with SSL

Answer 31

40. A. The internal network is defined by the firewall. Anything protected by the firewall on the internal network is considered to be the trusted network.

Question 32

41. Which is a common attack method used to overwhelm services from traffic from multiple Internet sources?
    A. Denial of service
    B. Distributed denial of service C. IP address spoofing
    D. Session hijacking

Answer 32

41. B. Distributed denial of service, or DDoS, is a common attack technique used to deny others of service. It is performed by overwhelming the service with bogus traffic. When it is performed from multiple hosts on the Internet, it is very difficult to prevent and sto

Question 33

42. Which type of device can detect an intrusion on your network?
    A. Honey pots B. IDS
    C. IPS
    D. HIDS

Answer 33

42. B. An intrusion detection system, or IDS, can detect an attack based upon its signature. They are commonly found in firewall systems such as Adaptive Security Appliance (ASA) devices.

Question 34

43. When you configure DHCP snooping on a network, which mode are clients configured in?
    A. Untrustedmode B. Trustedmode
    C. Client mode
    D. Access mode

Answer 34

43. A. By default, all ports are considered untrusted, which means they should never serve the request of a DHCP client. Only the port put into trusted mode is allowed to answer client requests.

Question 35

44. What method does DHCP snooping employ to thwart DHCP starvation attacks?
    A. DHCPguard B. DHCPfiltering C. Rate limiting
    D. IOSACLs

Answer 35

44. C. Rate limiting is employed to thwart DHCP starvation attacks by limiting the number of DHCP packets a port can receive per second.

Question 36

45. Which method will allow you to mitigate from a spurious DHCP attack?
    A. DHCPsnooping B. DHCPfiltering C. Rate limiting
    D. IOSACLs

Answer 36

45. A. A spurious DHCP attack is when a rouge DHCP server is started on the network. It serves clients with incorrect DHCP information. DHCP snooping helps to mitigate this attack.

Question 37

46. Which method can be used to stop ping sweep scans? A. Deploying host intrusion detection systems
    B. Deploying network intrusion detection systems C. Blocking RFC 1918 addresses at the perimeter
    D. Blocking ICMP echo-requests and echo-replies at the perimeter

Answer 37

46. D. Ping sweep scans are used by attackers to discover hosts on a network. The scan sends a flood of ICMP echo requests to the perimeter network and awaits echo replies. When ICMP is blocked at the perimeter, an attacker would not be able to scan the network via ICMP.

Question 38

47. Which appliance can be used to mitigate denial of service attacks?
    A. Honey pots B. IDS
    C. IPS
    D. HIDS

Answer 38

47. C. An intrusion prevention system (IPS) will help mitigate denial of service attacks. Common features of IPS can be found in the Cisco Adaptive Security Appliance.

Question 39

48. Which is a common attack method used to attempt to gain access to a system using a false identity?
    A. Denial of service
    B. Distributed denial of service C. IP address spoofing
    D. Session hijacking

Answer 39

48. C. IP address spoofing is a common attack method used to attempt to gain access to a system by spoofing the originating IP address.

Question 40

49. Which method would prevent tampering of data in transit?
    A. Access control lists B. Spoofing mitigation C. Secure Sockets Layer
    D. Encryption of the data

Answer 40

49. C. Secure Sockets Layer (SSL) communications offer both encryption and authentication of the data via certificate signing. This would prevent tampering of the data end to end.

Question 41

50. A rouge wireless access point is created with the same SSID as the corporate SSID. The attacker has employees connect to the SSID and watches the information as it’s relayed to the original SSID. What type of attack is described CB here?
    A. Smurf attack
    B. Compromised key attack C. Snifferattack
    D. Man in the middle attack

Answer 41

50. D. This attack is called a man in the middle attack. The attacker sits in the middle of communications and relays it back while capturing it and possibly modifying it.

Question 42

51. What can you use to protect against spoofing of internal IP addresses on the perimeter of your network?
    A. Access control lists

Answer 42

51. A. Access control lists are an effective way to mitigate spoofing of internal IPs from outside the trusted network.

Question 43

52. Which is a requirement for the use of DHCP snooping to protect a device? A. The device is on a layer 2 switched port on the same VLAN.
    B. The DHCP server is running on the layer 2 switch.
    C. The device is on a layer 3 routed port on the same VLAN.
    D. Configuration of a dedicated IP for monitoring DHCP transactions.

Answer 43

52. A. A requirement of DHCP snooping is that the device is on the VLAN that DHCP snooping is monitoring.

Question 44

53. What attack vector can be used for a man in the middle attack?
    A. DHCP B. DNS
    C. Wireless
    D. All of the above

Answer 44

53. D. Any service that allows the user to create a connection or access to information can be used as an attack vector. In the case of DHCP, the attacker will set the gateway to their IP address. In the case of DNS, the attacker could spoof a request to redirect the traffic.

Question 45

54. What is the default mode port configured on a switch for DHCP snooping?
    A. Trusted B. Internal C. External
    D. Untrusted

Answer 45

54. D. The default mode of switchports on a switch configured with DHCP snooping is untrusted. An admin must trust ports manually.

Question 46

55. Which VLAN is the default native VLAN for Cisco switches?
    A. VLAN1
    B. VLAN2 C. VLAN255
    D. VLAN1024

Answer 46

55. A. The default native VLAN for Cisco switches is VLAN 1.

Question 47

56. You have just configured DHCP snooping. Which ports should be trusted?
A. Ports connecting to clients
B. Ports connecting to web servers
C. Ports connecting to other switches
D. Ports connecting to the DNS server

Answer 47

56. C. Ports that are connecting to trusted infrastructure devices such as routers and switches should be trusted. This is because legitimate DHCP traffic could originate from these ports.

Question 48

57. Which is a correct statement about how DHCP snooping works?
    A. Untrusted ports allow Discover and Offer messages to be switched.
    B. UntrustedportsdropDiscoverandOffermessages.
    C. UntrustedportsdropOfferandAcknowledgmentmessages.
    D. Untrusted ports allow Offer and Acknowledgment messages to be switched.

Answer 48

57. C. The untrusted ports drop Offer and Acknowledgment DHCP messages. The only device that should offer and acknowledge IP addresses is the DHCP server on a trusted port.

Question 49

58. Which attack can be used on a native VLAN? A. Double tagging
    B. VLANtraversal
    C. Trunk popping
    D. Denial of service

Answer 49

58. A. Double tagging is an attack that can be used against the native VLAN. The attacker will tag the native VLAN on a frame and then tag another inside that frame for the VLAN that the attacker intends to compromise. When the switch receives the first frame, it removes the default VLAN tag and forwards it to other switches via a trunk port. When the other switch receives the frame with the second VLAN tag, it forwards it to the VLAN which the attacker is targeting the attack upon.

Question 50

59. Which command is used to view the DHCP snooping database?
A. Switch#show dhcp binding
B. Switch#show ip dhcp binding
C. Switch#show ip dhcp snooping database
D. Switch#show ip dhcp snooping binding

Answer 50

59. D. The command show ip dhcp snooping binding will display the DHCP snooping database. This database will have entries for the MAC address, IP address, lease time, VLAN, and interface.

Question 51

60. Which command is used to configure the port of a switch as trusted for DHCP
    snooping?
    A. Switch(config-if)#ip dhcp snooping trust
    B. Switch(config-if)#dhcp snooping trust
    C. Switch(config)#ip dhcp snooping trust interface gi 2/3
    D. Switch(config-if)#ip dhcp trust

Answer 51

60. A. The command ip dhcp snooping trust will configure the interface as a trusted port.

Question 52

61. Why should you always change the native VLAN?
    A. The native VLAN contains frames from all VLANs.
    B. The native VLAN is configured on all switches for logging. C. The native VLAN is the default on all switchports.
    D. The native VLAN provides no encryption.

Answer 52

61. C. The native VLAN is the default configuration on all switches. It is very possible that a user could be configured by accident for the native VLAN of 1. This would allow management access to switching and routing.

Question 53

62. Which technology will give selective access to the network based upon authentication?
    A. 802.1Q B. ACLs C. 802.1x
    D. Firewall

Answer 53

62. C. 802.1x allows selective access to a network at layer 2. It allows this on the switch because the switch acts as an authenticator to an AAA server, only allowing access after the user or device has been authenticated.

Question 54

63. What is the end device that sends credentials for 802.1x called? A. Authenticator
    B. Supplicant
    C. AAAserver
    D. RADIUSserver

Answer 54

63. B. The end device that sends credentials is called the supplicant. The supplicant is a piece of software in the operating system that supplies the credentials for AAA authentication.

Question 55

64. What is the switch called in an 802.1x configuration?
    A. Authenticator B. Supplicant
    C. AAAserver
    D. RADIUSserver

Answer 55

64. A. The switch is responsible for communicating with the supplicant and sending information to the authenticating server. This device is called the authenticator.

Question 56

65. What protocol does the supplicant communicate to the authenticator for 802.1x?
    A. 802.1x layer 2 protocol B. UDP
    C. TCP
    D. IP

Answer 56

65. A. The protocol used to communicate between the supplicants (OS) and the authenticator (switch) is 802.1x. 802.1x is a layer 2 protocol used specifically for authenticating devices to switch ports.

Question 57

66. What is the attack in which DTP is exploited by a malicious user?
    A. Native VLAN B. VLANhopping C. VLANtraversal
    D. Trunk popping

Answer 57

66. B. VLAN hopping is an attack in which DTP is exploited. The attacker negotiates a trunk with the switch via DTP and can hop from VLAN to VLAN.

Question 58

67. Which protocol is used by 802.1x for end-to-end authentication from the supplicant to the authentication server?
    A. 802.1x authentication headers B. IPSec
    C. EAP
    D. RADIUS

Answer 58

67. C. EAP, or Extensible Authentication Protocol, is used for authentication between the supplicant and RADIUS server. The EAP frame is first transmitted over the layer 2 connection via EAP over LAN (EAPoL). The switch then sends it to the RADIUS server encapsulated in a UDP packet.

Question 59

68. Which device is the supplicant during the 802.1x authentication process?
    A. The device requesting access
    B. The server that is providing authentication
    C. The device that is controlling access via 802.1x
    D. The device connecting the layer 3 network

Answer 59

68. A. The device requesting access is the supplicant. The supplicant is built into the operating system in which it is authenticating.

Question 60

69. Which mechanism is used to authenticate EAP-TLS during the 802.1x authentication process?
    A. MD5
    B. Certificates C. SSH
    D. Passwords

Answer 60

69. B. EAP-TLS, or Extensible Authentication Protocol/Transport Layer Security, uses certificates to authenticate end devices. It also provides a layer of encryption via the certificate infrastructure.

Question 61

70. Which port must be open to the RADIUS or AAA server for authentication from the authenticator?
    A. UDP/49 B. UDP/1821 C. UDP/1812
    D. UDP/1813

Answer 61

70. C. The AAA server listens for requests on port 1812 UDP for authentication of credentials

Question 62

71. What is the range of a standard access list?
A. 1to99
B. 1to100
C. 100 to 199
D. 100 to 200

Answer 62

71. A. Standard access lists are within the range of 1 to 99.

Question 63

72. Which statement is correct about a standard access control list?
    A. Conditions can be based upon only the destination address.
    B. Conditions can be based upon only the source address and source port.
    C. Conditions can be based upon only the source address.
    D. Conditions can be based upon the source or destination address and source or destination port.

Answer 63

72. C. Access control lists can be based upon only the source address of the packet.

Question 64

73. What is the range of an extended access list? A. 1to99
    B. 1to100
    C. 100 to 199
    D. 100 to 200

Answer 64

73. C. Extended access lists are within the range of 100 to 199.

Question 65

74. What is at the end of every access control list?
A. Permit any any
B. Deny any any 
C. Log all
D. End of ACL marker

Answer 65

74. B. At the end of every access list there is a deny any any rule. If a permit is not configured in the access list, the ACL does not serve a purpose. All ACLs must contain at least one permit statement.

Question 66

75. Which statement is correct about an access control list?
    A. Packets are compared sequentially against each line in an access list, and the
    last matching condition is the action taken.
    B. Packets are compared sequentially against each line in an access list until a match is made.
    C. Packets are compared, and if no matching rule exists, they are allowed.
    D. At the end of the access control list, there is an implicit allow.

Answer 66

75. B. When packets are compared to an access control list, they are compared in a sequential order. When the first rule is found to match, the action is acted upon. There is no further rule processing after the first match.

Question 67

76. What is an advantage of using a standard access control list? A. More secure
    B. Less processing overhead C. More specific rules
    D. Blocking of applications

Answer 67

76. B. An advantage to a standard access control list is that they require less processing overhead from the ASIC or CPU (depending on the platform). Since they only inspect layer 3 headers, no further decapsulation is required for layer 4.

Question 68

77. What is the expanded range of a standard access list?
    A. 1000 to 1999 B. 1100 to 1299 C. 1300 to 1999
    D. 2000 to 2699

Answer 68

77. C. The expanded range of a standard access list is 1300 to 1999.

Question 69

78. You need to filter traffic for the 172.16.0.0/12 network. Which wildcard mask would you use?
    A. 255.240.0.0 B. 0.0.240.255 C. 0.15.255.255
    D. 255.3.0.0

Answer 69

78. C. A wildcard mask is the opposite of a network mask. The easy way to calculate a wildcard mask is to figure out what the subnet is and deduct 1 for the octet. For example, if the network address is 172.16.0.0/12 (Classless Inter-Domain Routing), or 255.240.0.0 (Dotted Decimal Notation), and each network number is a multiple of 16, the wildcard mask should be 0.15.255.255.

Question 70

79. Which command would configure an ACL to block traffic coming from 192.168.1.0/24?
    A. Router(config)#ip access-list 20 192.168.1.0 0.0.0.255 B. Router(config)#ip access-list 100 192.168.1.0 0.0.0.255 C. Router(config)#ip access-list 1 192.168.1.0/24
    D. Router(config)#ip access-list 2 192.168.1.0 255.255.255.0

Answer 70

79. A. The command ip access-list 20 192.168.1.0 0.0.0.255 will configure an access list of 20, which is a standard access list. The source address of 192.168.1.0 is wildcard masked with 0.0.0.255.

Question 71

80. If you configure a rule with the address of 0.0.0.0 and wildcard mask of
    255.255.255.255, what are you doing? A. Defining the broadcast address
    B. Defining no addresses
    C. Defining the network address
    D. Defining all addresses

Answer 71

80. D. A rule with an address or 0.0.0.0 and wildcard mask of 255.255.255.255 defines all addresses. Effectively, it is another way to specify the “any” source or destination.

Question 72

81. Which statement is correct about applying ACLs to an interface?
    A. An access control list can be applied in only one direction.
    B. An access control list can be applied only to a single protocol. C. An access control list can be applied only to a single port.
    D. All of the above

Answer 72

81. D. Access lists can be applied per a port, per a protocol, and per a direction. For example, you could apply only one ACL per the interface of Fast 0/1, per the protocol of IP in the inbound direction.

Question 73

82. You need to filter an application. Which type of access list will you use to complete the task?
    A. Standard B. Extended C. Dynamic D. Expanded

Answer 73

82. B. An extended access list allows you to filter traffic by port, which defines an application being used, since web traffic is communicated on 80 or 443.

Question 74

83. What is the expanded range of an extended access list? A. 1000 to 1999
    B. 1100 to 1299
    C. 1300 to 1999
    D. 2000 to 2699

Answer 74

83. D. The expanded range of a standard access list is 2000 to 2699.

Question 75

84. You need to filter traffic for the 192.168.1.0/25 network. Which wildcard mask would you use?
    A. 255.255.255.128 B. 0.0.0.128
    C. 0.0.0.127
    D. 0.0.0.63

Answer 75

84. C. A wildcard mask is the opposite of a network mask. The easy way to calculate a wildcard mask is to figure out what the subnet is and deduct 1 for the octet. For example, if the network address is 192.168.1.0/25 (Classless Inter-Domain Routing), or 255.255.255.128 (Dotted Decimal Notation), and each network number is a multiple of 128, the wildcard mask should be 0.0.0.127.

Question 76

85. Which type of access control list allows for removing a single entry without removing the entire ACL?
    A. Standard B. Dynamic C. Extended
    D. Named

Answer 76

85. D. A named access control list allows for removing and adding entries by their line number.

Question 77

86. Which type of access control list allows you to open a port only after someone has successfully logged into the router?
    A. Standard B. Dynamic C. Extended
    D. Named

Answer 77

86. B. Once a successful login is performed at the router, the dynamic access control list is activated. This is also called lock and key security.

Question 78

87. Which statement configures a standard access list?
    A. Router(config)#access-list 20 deny 172.16.0.0 0.255.255.255
    B. Router(config)#access-list 180 permit udp any 172.16.0.0 0.255.255.255
    eq 161
    C. Router(config)#access-list 130 permit permit ip any any
    D. Router(config)#access-list 150 deny any 172.16.0.0 0.255.255.255

Answer 78

87. A. The statement access-list 20 deny 172.16.0.0 0.255.255.255 configures a standard access list for two reasons: the first is that the access list number is 20, which falls between the standard access list range of 1 to 99. The second reason is that you are depicting traffic by source address.

Question 79

88. Which statement can be used in lieu of access-list 5 permit 192.168.1.5
    0.0.0.0?
    A. Router(config)#access-list 5 permit 192.168.1.5
    B. Router(config)#access-list 5 permit 192.168.1.5/24 C. Router(config)#access-list 5 permit host 192.168.1.5
    D. Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255

Answer 79

88. C. The command access-list 5 permit host 192.168.1.5 specifies the traffic coming from the host 192.168.1.5. The statement access-list 5 permit 192.168.1 .5 0.0.0.0 achieves the same thing

Question 80

90. Which type of access list limits you to describing traffic by source address? A. Extended
    B. Named C. Dynamic D. Standard

Answer 80

90. D. Standard access lists only allow you to describe traffic by source address. This helps the processing of the access list because the router or switch does not need to de-capsulate packets further than layer 3.

Question 81

91. Which statement will block traffic for a server of 192.168.1.5 for SSH? A. Router(config)#access-list 90 deny ip host 192.168.1.5 eq 22
    B. Router(config)#access-list 90 deny tcp any host 192.168.1.5 eq 22 C. Router(config)#access-list 199 deny tcp host 192.168.1.5 any eq 23 D. Router(config)#access-list 199 deny tcp any host 192.168.1.5 eq 22

Answer 81

91. D. The command access-list 199 deny tcp any host 192.168.1.5 eq 22 will create an extended access list of 199 and deny TCP communication from any computer to the host of 192.168.1.5 for port 22.

Question 82

93. Which statement configures a valid access list?
    A. Router(config)#access-list 99 deny tcp host 192.168.2.7 eq 443
    B. Router(config)#access-list 189 deny any host 192.168.1.5 eq 22
    C. Router(config)#access-list 143 permit tcp host 192.168.8.3 eq 80 any
    D. Router(config)#access-list 153 permit any host 192.168.4.5 eq 22

Answer 82

93. C. The command access-list 143 permit tcp host 192.168.8.3 eq 80 any is a valid statement. All extended access lists that describe a port must also describe the protocol.

Question 83

94. You want to apply an access list of 198 to an interface to filter traffic into the
    interface. Which command will achieve this?
    A. Router(config)#ip access-list 198 in fast 0/1
    B. Router(config-if)#ip access-list 198 in C. Router(config-if)#ip access-class 198 in D. Router(config-if)#ip access-group 198 in

Answer 83

94. D. The command ip access-group 198 in will apply access list 198 to the interface in which it is configured in the inbound direction.

Question 84

97. Which type of ACL should be placed closest to the source of traffic? A. Extended
    B. Standard
    C. Dynamic
    D. Expanded

Answer 84

97. A. Extended ACLs should always be placed closest to the source of traffic since they are extremely granular.

Question 85

98. Which command will create an extended named access list?
    A. Router(config)#access-list 101 allow host 192.168.1.5 any B. Router(config)#ip access-list named_list
    C. Router(config)#ip access-list extended named_list
    D. Router(config)#ip access-list 101 named_list

Answer 85

98. C. The command ip access-list extended named_list will create an extended named access list.

Question 86

99. Which type of ACL should be placed closest to the destination of traffic?
    A. Extended B. Standard C. Dynamic
    D. Expanded

Answer 86

99. B. Standard ACLs should always be placed closest to the destination of traffic since they are broad in the traffic they control.

Question 87

101. After several edits to a named access control list, the numbers are no longer 10, 20, and 30, and you have no room to perform future edits. Which command will fix the problem with no disruption?
     A. Switch(config)#ip access-list named_list renumber B. Switch#clear ip access-list named_list line-numbers C. Switch(config)#ip access-list re-number named_list
     D. Switch(config)#ip access-list resequence named_list 10 10

Answer 87

101. D. The command ip access-list resequence named_list 10 10 will resequence the line numbers for the named access list called named_list. The numbering will start with 10 and increment by 10.

Question 88

102. Which command will apply the named access control list called named_list to the
     interface in an inbound direction?
     A. Router(config)#ip access-list named_list in fast 0/1
     B. Router(config-if)#ip access-list named_list in C. Router(config-if)#ip access-class named_list in D. Router(config-if)#ip access-group named_list in

Answer 88

102. D. The command ip access-group named_list in configured inside of the interface will apply an access list called named_list to the interface for the inbound direction.

Question 89

104. Which command will create an IPv6 access list?
     A. Router(config)#ip access-list extended named_list ipv6
     B. Router(config)#ip access-list deny 2100 ipv6 2001:db8::1/64 C. Router(config)#ipv6 access-list extended named_list
     D. Router(config)#ipv6 access-list named_list

Answer 89

104. D. IPv6 access lists are created as named access lists. The command ipv6 access- list named_list will create an IPv6 named access list.

Question 90

105. What is a difference between IPv6 and IPv4 access control lists?
     A. Implicit allow of any any at the end of the ACL B. Implicit allow of Neighbor Discovery packets C. The use of wildcard masks
     D. All of the above

Answer 90

105. B. IPv6 access control lists implicitly allow Neighbor Discovery packets. This is to facilitate a number of features that IPv6 has built in, such as SLAAC and DAD.

Question 91

106. Which command will help verify that an access control list is applied to an interface?
A. Router#show interface fast 0/1
B. Router#show ip access-list
C. Router#show ip interface fast 0/1
D. Router#show access-list

Answer 91

106. C. The command show ip interface fast 0/1 will show the IP address details of the interface Fast 0/1. Included with these details you will find any outbound and inbound ACLs set on the interface.

Question 92

107. Which command will allow notes to be added to an access control list?
     A. Router(config-nacl)#remark This is a note about the ACL B. Router(config-nacl)#note This is a note about the ACL
     C. Router(config-nacl)#banner ^This is a note about the ACL^
     D. Router(config-nacl)#info This is a note about the ACL

Answer 92

107. A. Using the command remark followed by the text is a way of adding notes in an ACL. This particular example is a named access list. However, remarks can also be used in traditional ACLs using a similar syntax in lieu of the permit and deny.

Question 93

108. Which command will allow you to see matching statistics for an access control
list?
A. Router#debug ip access-list 2
B. Router#show ip access-list 2
C. Router#show ip interface fast 0/1
D. Router#show access-list

Answer 93

108. D. The command show access-list will show the number of matches for each statement. This command also works for IPv6 access lists.

Question 94

109. You want to see if a particular rule is matching packets in real time. Which
     command will allow you to do this?
     A. Switch(config)#ip access-list 101 permit tcp host 192.168.1.6 any eq 80
     debug
     B. Switch(config)#ip access-list 101 permit tcp host 192.168.1.6 any eq 80 log
     C. Switch(config)#ip access-list 101 log tcp host 192.168.1.6 any eq 80 debug
     D. Switch(config)#ip access-list 101 debug tcp host 192.168.1.6 any eq 80 debug

Answer 94

109. B. The command ip access-list 101 permit tcp host 192.168.1.6 any eq 80 log will permit traffic from host 192.168.1.6 to any matching packets on port 80. When the log attribute is configured on the end of the command, the router or switch will send a syslog notification each time the packet is matched to the rule.

Question 95

110. If the Neighbor Discovery Protocol for IPv6 is blocked via an ACL, what is the negative effect?
     A. The gateway of the router will never be used.
     B. A duplicate IPv6 address is possible.
     C. Autoconfiguration of the network will be disabled.
     D. All of the above

Answer 95

110. D. Since NDP (Neighbor Discovery Protocol) is used for finding the gateway, Duplicate Address Detection, and Stateless Address Autoconfiguration, all of these functions would be impacted.

Question 96

111. What is the earliest version of the APIC-EM (Application Policy Infrastructure Controller Enterprise Module) required to use the Path Trace ACL Analysis tool?
     A. Version 0.9 B. Version 1.0 C. Version 1.1
     D. Version 1.2

Answer 96

111. D. The Path Trace tool was first debuted in version 1.0 of the APIC-EM (Application Policy Infrastructure Controller Enterprise Module). However, the ACL Analysis tool was not added as an option until version 1.2.

Question 97

112. What will you need to do before performing a path trace ACL analysis?
     A. Perform an ACL detection.
     B. Perform an environment discovery. C. Copy all ACLs into the APIC-EM.
     D. Manually enter all routers and switches into the APIC-EM

Answer 97

112. B. Before performing a path trace ACL analysis, you must perform an environment discovery on your network topology

Question 98

113. What type of application is the Path Trace ACL Analysis tool?
A. Base controller
B. Basic application
C. Solutions application
D. DevNet application

Answer 98

113. B. The Path Trace ACL Analysis tool is a basic application. Basic applications do not require licensing, similar to the APIC-EM itself. Solution applications are licensed apps from Cisco and third parties; both run on top of the base controller.

Question 99

114. Where do you download the APIC-EM? A. The Cisco software download site
     B. ACiscopartnerdownloadsite C. The Cisco DevNet site
     D. The Cisco Network Academy site

Answer 99

114. C. The APIC-EM is a Cisco Development Network (DevNet) tool. It requires a login to the Cisco DevNet site. This is because the APIC-EM is a tool you can use to create applications for network management.

Question 100

116. What does the APIC-EM Path Trace ACL Analysis tool perform?
     A. It performs end-to-end analysis of ACLs for a given path. B. It performs analysis of ACLs to make sure they are correct. C. It helps create ACLs for data paths.
     D. All of the above

Answer 100

116. A. The APIC-EM Path Trace ACL Analysis tool is used for end-to-end analysis of ACLs via the path an imaginary packet will take.

Question 101

117. Which statement is correct about the Path Trace ACL Analysis tool?
     A. When performing an analysis, you must start by selecting the Path Trace option.
     B. When performing an analysis, you must start by selecting the ACL Analysis option.
     C. The Path Trace ACL Analysis tool helps you create ACLs.
     D. The Path Trace ACL Analysis tool helps with what-if scenarios.

Answer 101

117. A. When performing path trace ACL analysis, you first start by selecting the Path Trace option. On the next screen, you select the ACL Analysis option, which will help you perform the ACL analysis.

Question 102

118. What must be selected when performing a path trace ACL analysis? A. The type of ACL to be examined
     B. The path of the analysis
     C. The egress and ingress ports D. The data payload for the test

Answer 102

118. C. When performing a path trace ACL analysis, you must select the starting device and end device as well at the egress port and ingress port. The path of analysis will be calculated by the tool.

Question 103

120. If a device is blocking traffic for a path trace ACL analysis, what information does the interface give you to diagnose the problem?
     A. The tool will give you the correction to the ACL.
     B. The tool will allow you to perform a what-if scenario.
     C. The tool will show you the access control entry blocking traffic.
     D. The tool will allow you to create a new ACL.

Answer 103

120. C. If a packet is blocked, the analysis output will show you the access control entry (ACE) in the ACL that is blocking the packet.

Question 104

121. Which command will configure the enable password for a router or switch?
     A. Router(config)#password enable Password20! B. Router(config)#enable Password20!
     C. Router(config)#enable secret Password20!
     D. Router(config)#secret enable Password20!

Answer 104

121. C. The command enable secret Password20! will set the enable password and encrypt the Password20! password.

Question 105

122. You need to set the login password for Telnet. Which command will you type
first?
A. Switch(config)#interface vlan 1
B. Switch(config)#line console 1
C. Switch(config)#line aux 1
D. Switch(config)#line vty 0 5

Answer 105

122. D. The command line vty 0 5 will enter you into the line for the virtual teletype, which is where you configure your Telnet password.

Question 106

123. You have set the enable password using enable password Password20!. However, when you try to get to a privileged exec prompt the router states that you are using an incorrect password. What is the problem?
     A. You originally entered the wrong password.
     B. Theenablesecretpasswordissettosomethingelse.
     C. The password Password20! contains a special character.
     D. The password is too long and has been truncated.

Answer 106

123. B. If the enable password is set and the enable secret is set, the enable password will be ignored. Therefore the enable secret is being used to authenticate the user, and you are typing the wrong password. The command enable password exists for backward compatibility with pre 10.3 IOS and should no longer be used.

Question 107

124. Which command(s) will set a password and require login for a line?
     A. Router(config-line)#set password Password20! Router(config-line)#request login
     B. Router(config-line)#password Password20! Router(config-line)#login password
     C. Router(config-line)#password Password20! Router(config-line)#login
     D. Router(config-line)#login password Password20!

Answer 107

124. C. The command password Password20! will set the login password to Password20!. The sub-command login will require login for the line.

Question 108

125. You telnet to a switch and receive the error Password required, but none set
     .[Connection to 192.168.1.1 closed by foreign host]. What is the problem? A. The enable secret is not set.
     B. The enable password is not set.
     C. The line login password is not set.
     D. The line is administratively shut down.

Answer 108

125. C. The line login password is not set when you receive the error Password required, but none set. If the enable secret was not set, you would just not be able to get to a privilege exec prompt, but still be able to get to a user exec prompt.

Question 109

126. What is required before generating the encryption keys for SSH on a router or switch?
     A. Setting the time and date
     B. Setting the hostname and domain name C. Setting the key strength
     D. Setting the key repository

Answer 109

126. B. The hostname and domain name are required before you attempt to generate the encryption keys for SSH.

Question 110

127. Which command will enable SSH version 2 for logins?
     A. Router(config)#ip ssh version 2 B. Router(config-line)#version 2 C. Router(config-ssh)#version 2
     D. Router(config)#ssh version 2

Answer 110

127. A. The command ip ssh version 2 will set your SSH version to 2. This command is to be entered at a global configuration prompt.

Question 111

128. Which command will configure the router or switch to allow SSH as a protocol for
     management with a fallback of Telnet? A. Switch(config)#login ssh telnet
     B. Switch(config-line)#login ssh telnet
     C. Switch(config-line)#transport ssh telnet
     D. Switch(config)#transport ssh telnet

Answer 111

128. C. The command transport ssh telnet will configure the VTY line to accept SSH as a login protocol and fallback to Telnet.

Question 112

129. Why should Telnet be replaced with SSH?
     A. Telnet has weak encryption.
     B. SSH allows for file copy.
     C. SSH makes it easier to create ACLs for access.
     D. SSH is encrypted

Answer 112

129. D. SSH is encrypted and Telnet is in clear text. To keep passwords and configuration safe, SSH should always be used.

Question 113

130. Which command will create and apply an access list to secure router or switch management?
     A. Switch(config)#access-list 1 permit host Switch(config)#interface vlan 1 Switch(config-if)#ip access-group 1 in
     B. Switch(config)#access-list 1 permit host Switch(config)#line vty 0 5 Switch(config-line)#ip access-group 1 in
     C. Switch(config)#access-list 1 permit host Switch(config)#line vty 0 5 Switch(config-line)#ip access-class 1 in
     D. Switch(config)#access-list 1 permit host Switch(config)#ip access-group 1 in
     192.168.1.5
     192.168.1.5
     192.168.1.5
     192.168.1.5

Answer 113

130. C. You must first create an access list to permit the host that will manage the router or switch with the command access-list 1 permit host 192.168.1.5. Then enter the VTY line in which it will be applied with the command line vty 0 5. Then apply it with the command ip access-class 1 in, which differs from the command ip access-group, which is used on interfaces.

Question 114

131. You have created the SSH encryption keys, but you cannot enable SSH version 2. What is the problem?
     A. The time and date need to be corrected.
     B. The key strength needs to be 768 bits or higher. C. The DNS server is not configured.
     D. There is no host record for the switch or router.

Answer 114

131. B. When you’re configuring a switch or router for SSH version 2, the key strength must be at least 768 bits for the modulus. The default is 512 bits, and it is standard practice to double the number to 1024 bits.

Question 115

132. Which command will configure a local user for SSH access?

A. Router(config)#username user1 password Password20!
B. Router(config)#account user1
Router(config-acct)#password Password20!
C. Router(config)#user user1 Password20!
D. Router(config)#user-account user1 password Password20!

Answer 115

132. A. The command username user1 password Password20! will create a user account called user1 with a password of Password20!.

Question 116

133. You configured the password for Telnet access, but when you perform a show running-configuration, the password shows in clear text. Which command should be run?
     A. Router(config)#password encryption
     B. Router(config)#service password-encryption
     C. Router(config)#service encryption
     D. Router(config)#password-encryption service

Answer 116

133. B. The command service password-encryption should be entered in global config. It should not be kept in the configuration as it will use CPU cycles. So after it is configured, you should perform a show running-configuration to double-check if the encryption worked and then perform a no service password-encryption to turn it off.

Question 117

134. Which command will generate the encryption keys for SSH?
     A. Router(config)#generate crypto key rsa B. Router(config)#crypto key generate rsa C. Router(config)#crypto generate key rsa
     D. Router#crypto key generate rsa

Answer 117

134. B. The command crypto key generate rsa will generate the encryption keys for SSH. You will be asked for the key strength, called the modulus, which should be over 768 bits to support SSH version 2.

Question 118

135. Which command will disable auto-disconnect for idle privileged exec sessions?
     A. Switch(config-line)#exec-timeout 0 0 B. Switch(config)#exec-timeout 0
     C. Switch(config-line)#timeout 0 0
     D. Switch(config-line)#no exec-timeout

Answer 118

135. A. The command exec-timeout 0 0 will disable auto-disconnect of idle privileged exec sessions

Question 119

137. You want to turn on local authentication so that a user must supply a username and password when managing the switch. You have created the username and password combinations on the switch. Which command will direct SSH and Telnet to use this authentication model?
     A. Switch(config)#new aaa model
     B. Switch(config)#local authentication
     C. Switch(config-line)#local authentication
     D. Switch(config-line)#login local

Answer 119

137. D. After configuring the username and password combinations that will be used on the switch or router, you will need to configure the line(s) that will use local authentication. The command used inside of the line is login local. This will apply to all the transport methods configured on the line.

Question 120

138. During a recent external security audit, it was determined that your enable password should be secured with SHA-256 scrypt. Which command will change the password strength on the switches and routers?
     A. Switch(config)#enable secret 9
     B. Switch(config)#service password-encryption scrypt C. Switch(config)#enable secret algorithm-type scrypt
     D. Switch(config)#enable algorithm-type scrypt secret Password20!

Answer 120

138. D. The command enable algorithm-type scrypt secret Password20! will change the enable password to Password20! and use the scrypt algorithm type.

Question 121

139. What is the default encryption method for passwords, when you configure a line
     password? A. MD5
     B. SHA-128 C. SHA-256 D. Cleartext

Answer 121

139. D. The default for encryption method for passwords configured for lines is clear text. If you want to encrypt the password, you should use the service password- encryption command.

Question 122

140. You need to change the default idle time before disconnection of privileged exec mode for network administrators. Which command will change it to 30 minutes?
     A. Switch(config)#exec-timeout 30 0
     B. Switch(config-line)#exec-timeout 30 0 C. Switch(config-line)#exec-timeout 0 30
     D. Switch(config-line)#timeout 30 0

Answer 122

140. B. The command exec-timeout 30 0 will change the idle time to 30 minutes and zero seconds. If a privileged exec session is idle for 30 minutes, the network admin will be disconnected.

Question 123

141. You need to disconnect a network admin from the switch or router. Which
command would you use?
A. Switch(config)#no enable secret
B. Switch#no line vty 2
C. Switch#disconnect line vty 2
D. Switch#clear line vty 2

Answer 123

141. D. The command clear line vty 2 will disconnect a remote admin connected to the switch. Nothing stops the admin from reconnecting to the switch again.

Question 124

142. Which banner can deliver a message only to authenticated users regardless of
connection type?
A. MOTD banner
B. Login banner C. Exec banner
D. Incoming banner

Answer 124

142. C. The exec banner will display a message to authenticated users who have successfully logged in, regardless of whether they are connected via Telnet or SSH.

Question 125

143. Which banner will be displayed first when a user connects to a Cisco device via SSH?
     A. MOTD banner B. Login banner C. Exec banner
     D. Incoming banner

Answer 125

143. B. The login banner will be displayed during initial connection to a Cisco device via SSH.

Question 126

144. Which command will configure the login banner to read “CCNA Routing and Switching”?
     A. Router(config)#login banner CCNA Routing and Switching B. Router(config)#banner login CCNA Routing and Switching C. Router(config)#banner login ^CCNA Routing and Switching^
     D. Router(config-line)#banner login ^CCNA Routing and Switching^

Answer 126

144. C. The command banner login ^CCNA Routing and Switching^ will configure the login banner to read “CCNA Routing and Switching.” The marks at the beginning and end of the text are delimiters to mark the beginning and end of the banner.

Question 127

145. You have configured a message of the day (MOTD) banner, but it only shows up
     after you have logged into the router. What is the problem? A. You are connecting via SSH.
     B. You are connecting via Telnet.
     C. You are connecting via the console.
     D. You do not have an enable password set.

Answer 127

145. A. When a user is connecting to a router via SSH, the MOTD banner is not displayed until after the user has authenticated to the router or switch. A login banner is always displayed pre-login.

Question 128

146. Which server will centralize authentication for all Cisco routers and switches?
     A. Active Directory server B. AAAserver
     C. 802.1x server
     D. Terminal server

Answer 128

146. B. The AAA server will centralize authentication for Cisco routers and switches. AAA stands for authentication, authorization, and accounting. It is pronounced “triple A.”

Question 129

147. Which protocol and port does RADIUS authentication use?
     A. UDP/1845 B. UDP/1645 C. TCP/1645
     D. UDP/1911

Answer 129

147. B. RADIUS authentication uses the UDP protocol and port 1645 for communications between the switch or router and the AAA server.

Question 130

148. Which is an authentication protocol for AAA servers to secure Telnet authentication?
     A. 802.1x
     B. TACACS+ C. AD
     D. EAP

Answer 130

148. B. TACACS+ (Terminal Access Controller Access Control System) is a protocol used for communications between a switch or router and the AAA server for authenticating users.

Question 131

149. Which port and protocol does TACACS+ use?
     A. UDP/69 B. TCP/74 C. UDP/47
     D. TCP/49

Answer 131

149. D. TACACS+ uses TCP and port 49 for communications between the switch or router and the AAA

Question 132

150. Which is a benefit of using TACACS+ for authentication of users?
     A. It is an open standard.
     B. It encrypts the password of users.
     C. It supports authenticating a user to a subset of commands.
     D. It supports authenticating a user to a length of time.

Answer 132

150. C. TACACS+ is a Cisco defined protocol. One of the useful features it has is that can authenticate a user and only allow that user to access certain commands on the router or switch.

Question 133

151. Which command will configure the router to use a TACACS+ server and a backup of local for authentication of logins?
     A. Router(config)#aaa authentication login default group tacacs+ local B. Router(config)#authentication login group tacacs+ local
     C. Router(config)#aaa-authentication login default tacacs+ local
     D. Router(config)#aaa authentication login tacacs+ local

Answer 133

151. A. The command aaa authentication login default group tacacs+ local will configure AAA authentication for login using the default list and a group of TACACS+ servers for TACACS+ login first and a backup of local for authentication.

Question 134

152. You configured the AAA authentication for login to default local but forgot to
     create a local AAA user. What will happen when you log out? A. The enable secret will work.
     B. The console will still be available. C. The router will lock you out.
     D. Nothing, since a username and password have not been set.

Answer 134

152. C. The router will lock you out since you have not provided a local account to log in with. The password recovery procedure would need to be performed if the configuration was saved.

Question 135

153. Why should you always provide a second method of local when setting up AAA remote authentication with a router or switch?
     A. To allow for a backdoor
     B. To provide a backup if the TACACS+ server is down or unreachable C. The local second method is required
     D. All of the above

Answer 135

153. B. The local second method should always be configured. This will ensure that if the router’s connection to the AAA server

Question 136

154. Which command will configure the RADIUS server 192.168.1.5 with a secret of aaaauth?
     A. Router(config)#radius host 192.168.1.5 key aaaauth
     B. Router(config)#radius-server host 192.168.1.5 key aaaauth C. Router(config)#radius-server 192.168.1.5 key aaaauth
     D. Router(config)#radius-server host 192.168.1.5 secret aaaauth

Answer 136

154. B. The command radius-server host 192.168.1.5 key aaaauth will configure the radius server 192.168.1.5 with a secret key of aaaauth.

Question 137

155. Which protocol will encrypt the entire packet from the switch or router to the
     AAA server? A. 802.1x B. IPSEC
     C. RADIUS D. TACACS+

Answer 137

155. D. The TACACS+ protocol will encrypt the entire packet from the switch or router to the AAA server.