Chapter 6 - Infrastructure Security Flashcards

1
Q
Which method can restrict a user from plugging a wireless access point into a corporate network?
A. Access control lists
B. Port security
C. Wired Equivalent Privacy
D. Static MAC addresses
A
B. Port security can restrict a port to a single device by MAC address. Frames from the access point itself, or from the wireless clients behind it, carry MAC addresses the port is not allowed to learn, so the configured violation action fires instead of the access point joining the network. Caveat: a rogue device that performs NAT hides its clients behind a single MAC address, so port security alone will not see the clients; 802.1X is the control that identifies the device itself.
2
Q
What does port security use to block unauthorized access?
A. Source MAC addresses
B. Destination MAC addresses
C. Source IP addresses
D. Destination IP addresses
A
A. Port security inspects the source MAC address of each frame entering the port and compares it with the addresses the port is allowed to learn. IP addresses play no part.
3
Q
Which command will enable port security?
A. Switch(config)#switchport port-security
B. Switch(config)#port-security enable
C. Switch(config-if)#switchport port-security
D. Switch(config-if)#port-security enable
A
C. Port security is enabled with the command switchport port-security, entered in interface configuration mode on each port you want to protect. The port must already be a static access port (or a trunk); the command is rejected on a port in DTP dynamic mode.
4
Q
If port security is enabled on an interface, what is the maximum number of MAC addresses allowed by default?
A. 1 MAC address
B. 2 MAC addresses
C. 0 MAC addresses
D. 10 MAC addresses
A
A. By default, only a single MAC address is allowed on an interface when port security is enabled. Raise the limit with switchport port-security maximum.
5
Q
Which layer of the OSI model does port security use for securing a port?
A. Layer 0
B. Layer 1
C. Layer 2
D. Layer 3
A
C. Port security operates at layer 2 by inspecting the source MAC addresses in frames. Frames from the allowed number of source MAC addresses are forwarded normally; a frame from any additional source MAC address triggers the configured violation action.
6
Q
Why would a network admin choose to configure port security on an interface?
A. To allow or disallow VLANs
B. To allow or disallow IP addresses
C. To prevent unauthorized access by MAC address
D. To prevent unauthorized access by user
A
C. Configuring port security helps a network administrator prevent unauthorized access by MAC address. It does not identify users; that is the job of 802.1X.
7
Q
Which statement is correct about port security?
A. Port security works best in mobile environments.
B. Port security requires a higher amount of memory.
C. Port security works best in static environments.
D. Port security always results in admin intervention to reset the port.
A
C. Port security works best in static environments where there is minimal change, because every device swap on a port with sticky or static addresses needs administrative action or an aging timer. It does not require more memory, since the secure addresses are kept in the MAC address table. Admin intervention is only needed when the violation mode is shutdown and errdisable recovery is not configured.
8
Q
When configuring port security on a port that contains a VoIP phone with a voice VLAN and a computer connected to the phone, how many MAC addresses must you allow?
A. 1 MAC address
B. 2 MAC addresses
C. 0 MAC addresses
D. 10 MAC addresses
A
B. Both the computer and the VoIP phone have MAC addresses, so the port must allow two: one for the phone on the voice VLAN and one for the computer on the access (data) VLAN. The limit can also be split per VLAN with switchport port-security maximum 1 vlan voice and switchport port-security maximum 1 vlan access, so that two PCs daisy-chained behind the phone still trip the violation.
9
Q
What is the default action of port security on the interface when the maximum number of MAC addresses is exceeded?
A. Administrative shutdown
B. Err-disabled shutdown
C. Restricted access without logging
D. Restricted access with logging
A
B. By default the violation mode is shutdown: the switch puts the port into the err-disabled state, increments the violation counter, and generates a syslog message and an SNMP trap. The port stays down until an administrator issues shutdown followed by no shutdown on it, or until errdisable recovery re-enables it.
10
Q
You are configuring a port for port security and receive the error "Command rejected: FastEthernet0/1 is a dynamic port." Which commands will help you configure the port?
A. SwitchA(config-if)#no switchport dynamic
SwitchA(config-if)#switchport port-security
B. SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport port-security
C. SwitchA(config-if)#switchport mode access
SwitchA(config-if)#switchport nonegotiate
SwitchA(config-if)#switchport port-security
D. SwitchA(config-if)#switchport mode access
SwitchA(config-if)#no dynamic
SwitchA(config-if)#switchport port-security
A
C. Port security cannot be enabled while the port is in a Dynamic Trunking Protocol (DTP) dynamic mode (dynamic auto or dynamic desirable). Configure the port as a static access port first, turn off DTP with switchport nonegotiate (the IOS keyword is spelled with a single n), and then enable port security with switchport port-security. Strictly, switchport mode access alone clears the error; switchport nonegotiate additionally stops the port from sending DTP frames, which is what you want on a user port anyway.
11
Q
Which command will allow you to configure two MAC addresses for port security?
A. SwitchA(config-if)#switchport maximum 2
B. SwitchA(config-if)#switchport port-security maximum 2
C. SwitchA(config-if)#port-security maximum 2
D. SwitchA(config-if)#switchport port-security limit 2
A
B. The command switchport port-security maximum 2 configures the port to allow at most two secure MAC addresses.
12
Q
Which command will limit devices via port security without disabling the port and logging the restricted device?
A. Switch(config-if)#switchport port-security violation shutdown
B. Switch(config-if)#switchport port-security restrict
C. Switch(config-if)#switchport port-security violation protect
D. Switch(config-if)#switchport port-security violation restrict
A
D. The command switchport port-security violation restrict sets the violation mode to restrict. Frames from MAC addresses beyond the maximum are dropped, the port stays up, the SecurityViolation counter is incremented, and a syslog message and SNMP trap are generated. Option B is not valid syntax; the violation keyword is required.
13
Q
Which command will allow you to inspect the status of a port that has been configured for port security?
A. Switch#show running-configuration
B. Switch#show port-security interface gi 2/13
C. Switch#show port-security details interface gi 2/13
D. Switch#show port-security gi 2/13
A
B. The command show port-security interface gi 2/13 gives a detailed view of an individual port configured for port security: enabled state, port status (secure-up, secure-down or secure-shutdown), violation mode, aging, maximum and current address counts, the last source address seen, and the violation count.
14
Q
Which command will limit devices via port security and send an SNMP trap notification?
A. Switch(config-if)#switchport port-security violation shutdown
B. Switch(config-if)#switchport port-security restrict
C. Switch(config-if)#switchport port-security violation protect
D. Switch(config-if)#switchport port-security violation restrict
A
A. The command switchport port-security violation shutdown puts the interface into the err-disabled state immediately, increments the violation counter, and generates a syslog message and an SNMP trap (the trap goes to the configured SNMP host, not to a syslog server). Restrict mode also sends a trap; shutdown is the mode that both notifies and disables the port, which is why it is the intended answer here. Protect is the only mode that stays silent.
15
Q
Which command will limit devices via port security without disabling the port and not provide logging for a security violation counter?
A. Switch(config-if)#switchport port-security violation shutdown
B. Switch(config-if)#switchport port-security restrict
C. Switch(config-if)#switchport port-security violation protect
D. Switch(config-if)#switchport port-security violation restrict
A
C. The command switchport port-security violation protect sets the violation mode to protect. Frames from MAC addresses beyond the maximum are silently dropped; the port stays up, no counter is incremented and no syslog or SNMP notification is sent, which makes it hard to notice that anything happened.
16
Q
Which command will allow you to see logged security violations for port security?
A. Switch#show violations
B. Switch#show port-security violations
C. Switch#show port-security
D. Switch#show psec violations
A
C. The command show port-security lists every port with port security enabled, with its maximum and current address counts, its SecurityViolation counter, and the configured violation action.
17
Q
You have been tasked to secure ports with port security. You need to make sure that only the computers installed can access the network. The computers are installed already. Which type of configuration for port security would require the least amount of administration?
A. Static port security
B. Dynamic port security
C. Sticky port security
D. Time limit port security
A
C. With sticky port security the first MAC address seen on each port is learned and written into the running configuration as if you had typed it, so you do not have to collect and enter the addresses by hand. Any other MAC address then triggers the configured violation action. Save the configuration afterwards, or the sticky entries are lost on reload.
18
Q
Which command will allow the first MAC address learned on the port to be allowed to only pass traffic on the port via port security?
A. SwitchA(config-if)#switchport port-security mac-address sticky
B. SwitchA(config-if)#switchport port-security mac-address dynamic
C. SwitchA(config-if)#switchport port-security mac-address static
D. SwitchA(config-if)#switchport port-security mac-address learn
A
A. The command switchport port-security mac-address sticky configures the port to learn the first MAC address it sees (up to the configured maximum) and allow only that address to pass traffic.
19
Q
Which command will allow you to globally reset all ports with an err-disable state with minimal disruption?
A. Switch#clear err-disable
B. Switch#clear switchport port-security
C. Switch#clear port-security violation
D. Switch(config)#errdisable recovery cause psecure-violation
A
D. The global configuration command errdisable recovery cause psecure-violation (the IOS keyword is hyphenated) enables automatic recovery of ports that were err-disabled by a port security violation. The switch re-enables them after the recovery interval (errdisable recovery interval, 300 seconds by default) rather than requiring an administrator to bounce each port with shutdown and no shutdown. If the offending device is still attached, the port is simply err-disabled again. Check the state with show errdisable recovery.
20
Q
You need to verify the sticky MAC addresses learned on a port on the switch. Which command will allow you to verify the addresses learned?
A. SwitchA#show running-configuration
B. SwitchA#show port-security
C. SwitchA#show port-security details
D. SwitchA#show port-security status
A
A. The running configuration shows the sticky addresses, because sticky MAC addresses are written into it as switchport port-security mac-address sticky <mac> lines under the interface. (show port-security address also lists them, with type SecureSticky, but it is not among the options.)
21
Q
Which is a correct statement about sticky MAC addresses learned on a switchport?
A. Sticky MAC addresses are removed by performing a shutdown on the port.
B. Sticky MAC addresses become part of the running-configuration.
C. Sticky MAC addresses can be explicitly configured manually.
D. Sticky MAC addresses automatically become part of the startup-configuration.
A
B. Sticky MAC addresses become part of the running configuration. Only if the running configuration is saved to NVRAM (copy running-config startup-config) do they become part of the startup configuration; they are not saved automatically, and a shutdown on the port does not remove them.
22
Q
You need to change a device on a port with which a sticky MAC address is associated. Which command will allow you to change the device and allow for a new sticky MAC address to be learned?
A. Switch#clear switchport port-security f 0/0
B. Switch(config-if)#no switchport port-security
C. Switch#clear port-security f 0/0
D. Switch(config-if)#no switchport port-security mac-address sticky 0045.2342.e4c3
A
D. The command no switchport port-security mac-address sticky 0045.2342.e4c3 removes the sticky entry for the old device. The port-level command switchport port-security mac-address sticky stays in place, so the next device seen on the port is learned as a new sticky entry. From privileged EXEC mode, clear port-security sticky interface f 0/0 has the same effect.
23
Q
Which command will allow you to see all the dynamically learned MAC addresses for port security?
A. SwitchA#show running-configuration
B. SwitchA#show mac address-table
C. SwitchA#show port-security details
D. SwitchA#show port-security address
A
D. The command show port-security address lists all secure MAC addresses on the switch, with their type (SecureDynamic, SecureSticky or SecureConfigured), VLAN and port. The running configuration shows only the sticky and statically configured ones.
24
Q
In which interface mode should you configure port security for end devices?
A. Dynamic
B. Access
C. Trunk
D. Voice
A
B. The interface should be a static access port (switchport mode access) before port security is applied. Port security can be enabled on a trunk, but the two are rarely combined; it cannot be enabled at all on a port in DTP dynamic mode.
25
Q
You have default configuration on a port, which is also configured for port security. One of your junior admins is switching out equipment on the port. Which command will need to be entered so the port does not go into the violation mode?
A. Switch#clear port-security dynamic interface gi 2/3
B. Switch(config-if)#no port-security mac-address
C. Switch(config-if)#switchport port-security maximum 2
D. Switch#clear port-security interface gi 2/3
A
A. The default is dynamic learning with a maximum of one address and violation mode shutdown. If the old device's address is still held as the secure address when the new device is connected, the new address is a second address and the port goes err-disabled. Clearing the dynamically learned address first with clear port-security dynamic interface gi 2/3 lets the new device be learned. The same command without the interface keyword clears all dynamically learned secure addresses on the switch.
26
Q
Which command would configure a port to forget the dynamically learned MAC address after 24 hours?
A. Switch(config-if)#switchport port-security aging 1440
B. Switch(config-if)#switchport port-security aging time 1440
C. Switch(config-if)#switchport port-security time 1440
D. Switch(config-if)#switchport port-security maximum time 1440
A
B. The command switchport port-security aging time 1440 configures the port to forget a dynamically learned address after 1,440 minutes (the value is in minutes), which saves an admin from entering a clear command. By default the aging type is absolute, so the address is dropped 24 hours after it was learned; switchport port-security aging type inactivity drops it only after 24 hours without traffic from it. Aging applies to dynamically learned addresses; sticky and statically configured addresses do not age out by default. If the violation mode is shutdown and a violation occurs within the period, the port still has to be reset.
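Putting the port security cards above together, here is an added example configuration for a Catalyst access switch running IOS; it is not from the original deck. It shows a data-only port that learns one address dynamically and ages it, a phone-plus-PC port that learns two sticky addresses with restrict mode, the global errdisable recovery, and the show and clear commands used to verify and to swap a device. Interface names, VLAN numbers, descriptions and the sample MAC address are assumed.

```cisco
! Added example, not from the original deck. Interface names, VLANs and
! the MAC address below are assumed. Catalyst IOS syntax; "!" lines are comments.
!
! --- Data-only user port: one dynamically learned address, default violation (shutdown)
interface GigabitEthernet1/0/1
 description User desk, data only
! port security is rejected on a DTP dynamic port, so make it static access
 switchport mode access
 switchport access vlan 10
! stop sending DTP frames on a user port
 switchport nonegotiate
! enable with defaults: maximum 1, violation shutdown
 switchport port-security
! forget the learned address after 24 h (value in minutes) of inactivity
 switchport port-security aging time 1440
 switchport port-security aging type inactivity
!
! --- Phone + PC port: two sticky addresses, one per VLAN, restrict instead of shutdown
interface GigabitEthernet1/0/2
 description User desk, IP phone with PC behind it
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
! one PC on the data VLAN, one phone on the voice VLAN
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
! first addresses seen are written into running-config (save it afterwards)
 switchport port-security mac-address sticky
! extra addresses are dropped, counted and logged; the port stays up
 switchport port-security violation restrict
!
! --- Let shutdown-mode ports come back by themselves after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- Verification (privileged EXEC):
!   show port-security                                 per-port max, current, violation count, action
!   show port-security interface GigabitEthernet1/0/2  status, last source address, violation count
!   show port-security address                         all secure addresses incl. sticky ones
!   show errdisable recovery                           recovery causes and timers
!
! --- Swapping the PC on Gi1/0/1 (dynamic learning):
!   clear port-security dynamic interface GigabitEthernet1/0/1
!   and, if the port was err-disabled and recovery is not enabled:
!   configure terminal / interface GigabitEthernet1/0/1 / shutdown / no shutdown
!
! --- Swapping the PC on Gi1/0/2 (sticky): remove only the old entry; the
! sticky command itself remains and the next PC is learned in its place
interface GigabitEthernet1/0/2
 no switchport port-security mac-address sticky 0045.2342.e4c3
```

Restrict rather than shutdown is the usual choice on phone ports so that a single mis-cabled device does not take the phone down with it; keep shutdown where you want the violation to be impossible to miss and pair it with errdisable recovery so the help desk is not bouncing ports by hand.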
27
Q
Which term describes the area outside of the corporate firewall?
A. DMZ area
B. Perimeter area
C. Internal area
D. Trusted area
A
B. The perimeter area, or perimeter network, is outside the corporate firewall, facing the Internet. It generally holds only the equipment needed to route to the ISP, and nothing placed there is trusted.
28
Q
How does DHCP snooping track DHCP messages and mitigate attacks?
A. DHCP filtering
B. DHCP binding table
C. Untrusted ports
D. IOS ACLs
A
B. The DHCP snooping binding table records, for every lease handed out through an untrusted port, the client MAC address, IP address, lease time, VLAN, and interface. DHCP snooping uses it to validate later client messages (a Release or Decline arriving on a port that does not hold that binding is dropped), and the same table is what Dynamic ARP Inspection and IP Source Guard check source addresses against.
29
Q
Which term describes the area accessible to the Internet yet protected by the corporate firewall?
A. DMZ
B. Perimeter
C. Internal
D. Trusted
A
A. The demilitarized zone (DMZ) is a network protected by the corporate firewall but reachable from the Internet. Servers that must be exposed, such as web, email, and application servers, are placed there so that a compromise of one of them does not give direct access to the internal network.
30
Q
Which type of device can prevent an intrusion on your network?
A. Honey pots
B. IDS
C. IPS
D. HIDS
A
C. An intrusion prevention system (IPS) sits inline in the traffic path, so besides detecting an attack by signature or anomaly it can drop the offending traffic. IPS functionality is commonly found in firewall systems such as the Cisco Adaptive Security Appliance (ASA).
31
Q
When dealing with firewalls, the term trusted network is used to describe what?
A. Internal network
B. The Internet
C. The DMZ
D. A network with SSL
A
A. The firewall defines the boundary. Everything on the internal side of it is considered the trusted network; the DMZ is a separate, less trusted zone, and the Internet is untrusted.
32
Q
Which is a common attack method used to overwhelm services from traffic from multiple Internet sources?
A. Denial of service
B. Distributed denial of service
C. IP address spoofing
D. Session hijacking
A
B. A distributed denial of service (DDoS) attack overwhelms a service with bogus traffic so that legitimate users cannot reach it. Because the traffic comes from many hosts on the Internet, there is no single source to block, which makes it very difficult to prevent and stop.
33
Q
Which type of device can detect an intrusion on your network?
A. Honey pots
B. IDS
C. IPS
D. HIDS
A
B. An intrusion detection system (IDS) detects an attack by its signature or by anomalous behaviour and raises an alert; unlike an IPS it sits out of band (fed from a SPAN port or tap) and does not block the traffic itself. IDS functionality is commonly found in firewall systems such as the Cisco Adaptive Security Appliance (ASA).
34
Q
When you configure DHCP snooping on a network, which mode are clients configured in?
A. Untrusted mode
B. Trusted mode
C. Client mode
D. Access mode
A
A. By default every port is untrusted once DHCP snooping is enabled on a VLAN, and that is where clients belong: DHCP server messages (Offer, Ack, Nak) arriving on an untrusted port are dropped, so a client can never answer another client's request. Only ports explicitly set to trusted, which should lead to the DHCP server or to upstream switches, are allowed to deliver server replies.
35
Q
What method does DHCP snooping employ to thwart DHCP starvation attacks?
A. DHCP guard
B. DHCP filtering
C. Rate limiting
D. IOS ACLs
A
C. Rate limiting (ip dhcp snooping limit rate <pps> on the interface) caps the number of DHCP packets per second an untrusted port accepts; a port that exceeds it is err-disabled. This blunts starvation attacks, in which a host floods Discover messages with random client MAC addresses to exhaust the server's address pool.
36
Q
Which method will allow you to mitigate from a spurious DHCP attack?
A. DHCP snooping
B. DHCP filtering
C. Rate limiting
D. IOS ACLs
A
A. A spurious DHCP attack is when a rogue DHCP server is started on the network and hands clients incorrect addressing, typically a malicious default gateway or DNS server so that traffic can be intercepted. DHCP snooping mitigates it by dropping server replies that arrive on untrusted ports.
37
Q
Which method can be used to stop ping sweep scans?
A. Deploying host intrusion detection systems
B. Deploying network intrusion detection systems
C. Blocking RFC 1918 addresses at the perimeter
D. Blocking ICMP echo-requests and echo-replies at the perimeter
A
D. Attackers use ping sweeps to discover live hosts: the scan sends ICMP echo requests to every address in a range and notes which ones reply. Blocking ICMP echo at the perimeter stops ICMP-based sweeps. It does not stop host discovery with TCP or UDP probes, and filtering all of ICMP rather than just echo-request and echo-reply can break path MTU discovery, so be specific about what you drop.
38
Q
Which appliance can be used to mitigate denial of service attacks?
A. Honey pots
B. IDS
C. IPS
D. HIDS
A
C. An intrusion prevention system (IPS) can help mitigate denial of service attacks by dropping or rate-limiting the offending traffic inline; such features are found in the Cisco Adaptive Security Appliance. Note that a large volumetric DDoS saturates the upstream link before any on-premises appliance sees it, so mitigation for those has to happen at the ISP or a scrubbing provider.
39
Q
Which is a common attack method used to attempt to gain access to a system using a false identity?
A. Denial of service
B. Distributed denial of service
C. IP address spoofing
D. Session hijacking
A
C. IP address spoofing is a common attack method in which the attacker forges the source IP address of packets, for example to impersonate a host that an access control is based on.
40
Q
Which method would prevent tampering of data in transit?
A. Access control lists
B. Spoofing mitigation
C. Secure Sockets Layer
D. Encryption of the data
A
C. Secure Sockets Layer (SSL), and its successor TLS, protect data in transit with encryption, authentication of the server through its certificate, and an integrity check (a MAC or authenticated-encryption tag) on every record, so any modification in transit is detected and the connection fails. Encryption alone (option D) hides the data but does not by itself detect tampering; the integrity check is what prevents it. All SSL versions are deprecated today; deploy TLS 1.2 or 1.3.
41
Q
A rogue wireless access point is created with the same SSID as the corporate SSID. The attacker has employees connect to the SSID and watches the information as it's relayed to the original SSID. What type of attack is described here?
A. Smurf attack
B. Compromised key attack
C. Sniffer attack
D. Man in the middle attack
A
D. This is a man in the middle attack, often called an evil twin when it is done with a rogue access point. The attacker sits between the victims and the real network, relays the traffic so that nothing appears broken, and captures and possibly modifies it as it passes through.
42
Q
What can you use to protect against spoofing of internal IP addresses on the perimeter of your network?
A. Access control lists
A
A. An access control list applied inbound on the Internet-facing interface is an effective way to mitigate spoofing of internal addresses from outside the trusted network: any packet arriving from the outside whose source address belongs to the internal address space (or to private or loopback ranges) is dropped.
43
Q
Which is a requirement for the use of DHCP snooping to protect a device?
A. The device is on a layer 2 switched port on the same VLAN.
B. The DHCP server is running on the layer 2 switch.
C. The device is on a layer 3 routed port on the same VLAN.
D. Configuration of a dedicated IP for monitoring DHCP transactions.
A
A. DHCP snooping is a layer 2 switch feature enabled per VLAN, so the device must sit on a switched port in a VLAN for which snooping is enabled on that switch. The DHCP server itself can be anywhere, as long as its replies enter the switch through a trusted port.
44
Q
What attack vector can be used for a man in the middle attack?
A. DHCP
B. DNS
C. Wireless
D. All of the above
A
D. Any service a client trusts to tell it where to send traffic can be the vector. With a rogue DHCP server the attacker hands out their own address as the default gateway (or DNS server); with DNS the attacker spoofs or poisons a response so that a name resolves to their host; with wireless a rogue access point carries the victim's traffic directly.
45
Q
What is the default mode port configured on a switch for DHCP snooping?
A. Trusted
B. Internal
C. External
D. Untrusted
A
D. The default mode of every switchport on a switch configured with DHCP snooping is untrusted. An admin must mark the ports towards the DHCP server and upstream switches as trusted manually.
46
Q
Which VLAN is the default native VLAN for Cisco switches?
A. VLAN 1
B. VLAN 2
C. VLAN 255
D. VLAN 1024
A
A. The default native VLAN on Cisco switches is VLAN 1, which is also the default access VLAN of every port.
47
Q
You have just configured DHCP snooping. Which ports should be trusted?
A. Ports connecting to clients
B. Ports connecting to web servers
C. Ports connecting to other switches
D. Ports connecting to the DNS server
A
C. Trust only the ports through which legitimate DHCP server traffic can arrive: uplinks to other switches and routers, and the port of the DHCP server itself if it is directly attached. Client and ordinary server ports stay untrusted.
48
Q
Which is a correct statement about how DHCP snooping works?
A. Untrusted ports allow Discover and Offer messages to be switched.
B. Untrusted ports drop Discover and Offer messages.
C. Untrusted ports drop Offer and Acknowledgment messages.
D. Untrusted ports allow Offer and Acknowledgment messages to be switched.
A
C. Untrusted ports drop the messages that only a server should send: Offer, Acknowledgment, and Nak. Client messages (Discover, Request, Release, Decline) are allowed on untrusted ports, with Release and Decline checked against the binding table. Server messages are accepted only on trusted ports.
49
Q
Which attack can be used on a native VLAN?
A. Double tagging
B. VLAN traversal
C. Trunk popping
D. Denial of service
A
A. Double tagging is an attack against the native VLAN of a trunk. The attacker, whose access port is in the same VLAN as the trunk's native VLAN, sends a frame carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag, because frames in the native VLAN are sent untagged on the trunk, and forwards the frame across the trunk with the inner tag still in place. The second switch reads the remaining tag and delivers the frame into the target VLAN. The attack is one-way (no reply can come back the same way) and is defeated by using an unused VLAN as the native VLAN on trunks and keeping user ports out of it, or by tagging the native VLAN.
50
Q
Which command is used to view the DHCP snooping database?
A. Switch#show dhcp binding
B. Switch#show ip dhcp binding
C. Switch#show ip dhcp snooping database
D. Switch#show ip dhcp snooping binding
A
D. The command show ip dhcp snooping binding displays the DHCP snooping binding table, with an entry per lease showing the MAC address, IP address, remaining lease time, type, VLAN, and interface. show ip dhcp binding shows the leases of a DHCP server running on the device itself, which is a different thing.
51
Q
Which command is used to configure the port of a switch as trusted for DHCP snooping?
A. Switch(config-if)#ip dhcp snooping trust
B. Switch(config-if)#dhcp snooping trust
C. Switch(config)#ip dhcp snooping trust interface gi 2/3
D. Switch(config-if)#ip dhcp trust
A
A. The interface command ip dhcp snooping trust marks the port as trusted, so DHCP server messages arriving on it are forwarded.
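The DHCP snooping cards above describe the pieces one at a time; here they are combined into one added example configuration for a Catalyst access switch (not from the original deck). VLAN numbers, interface names and the database location are assumed.

```cisco
! Added example, not from the original deck. VLANs, interface names and
! the flash: path are assumed. "!" lines are comments.
!
! Enable DHCP snooping globally, then on the user VLANs it should police
ip dhcp snooping
ip dhcp snooping vlan 10,20
! An access switch is not a relay agent; do not insert option 82, because
! many DHCP servers drop requests that carry it from a non-relay source
no ip dhcp snooping information option
! Persist the binding table so it survives a reload
ip dhcp snooping database flash:dhcp-snooping.db
!
! Trusted: only the uplink towards the DHCP server and the other switches
interface GigabitEthernet1/1/1
 description Uplink to distribution (DHCP server is upstream)
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted (the default). Rate-limit DHCP packets to
! blunt starvation floods; a single host never needs more than a few pps
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 ip dhcp snooping limit rate 10
!
! A port that exceeds the rate limit is err-disabled; let it recover itself
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! Verification (privileged EXEC):
!   show ip dhcp snooping             enabled VLANs, option 82 state, trusted ports and rate limits
!   show ip dhcp snooping binding     MAC, IP, lease, type, VLAN, interface per client
!   show ip dhcp snooping statistics  packets dropped, e.g. server replies seen on untrusted ports
```

The rate limit and the untrusted default between them handle the two attacks on the cards: a rogue server's Offer and Ack never leave the untrusted port they arrive on, and a starvation flood trips the limit long before the real server's pool is drained.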
52
Q
Why should you always change the native VLAN?
A. The native VLAN contains frames from all VLANs.
B. The native VLAN is configured on all switches for logging.
C. The native VLAN is the default on all switchports.
D. The native VLAN provides no encryption.
A
C. VLAN 1 is the default VLAN of every switchport and the default native VLAN of every trunk, and by default it also carries control traffic such as CDP, VTP and DTP. A user port left in VLAN 1 by accident therefore shares a broadcast domain with the native VLAN of the trunks and, where the switches' management interfaces also live in VLAN 1, with the management plane of the switches and routers. Moving the native VLAN to an otherwise unused VLAN and keeping users out of VLAN 1 removes that exposure and takes away the untagged native VLAN that double tagging relies on.
53
Q
Which technology will give selective access to the network based upon authentication?
A. 802.1Q
B. ACLs
C. 802.1x
D. Firewall
A
C. 802.1x provides selective access at layer 2. The switch acts as the authenticator: it keeps the port closed to everything except 802.1x (EAPoL) traffic, relays the supplicant's credentials to an AAA server, and opens the port only after the user or device has been authenticated. 802.1Q is VLAN tagging, not authentication.
54
Q
What is the end device that sends credentials for 802.1x called?
A. Authenticator
B. Supplicant
C. AAA server
D. RADIUS server
A
B. The end device that sends credentials is called the supplicant. The supplicant is software in the device's operating system (or firmware, on a phone or printer) that supplies the credentials for AAA authentication.
55
Q
What is the switch called in an 802.1x configuration?
A. Authenticator
B. Supplicant
C. AAA server
D. RADIUS server
A
A. The switch is the authenticator. It talks to the supplicant on the port, forwards the authentication exchange to the authentication server, and opens or closes the port according to the server's verdict.
56
Q
What protocol does the supplicant communicate to the authenticator for 802.1x?
A. 802.1x layer 2 protocol
B. UDP
C. TCP
D. IP
A
A. The supplicant (in the end device's operating system) talks to the authenticator (the switch) using 802.1x frames, that is EAP over LAN (EAPoL), a layer 2 protocol that works before the device has any IP address. The switch then relays the EAP messages to the AAA server inside RADIUS over UDP.
57
Q
What is the attack in which DTP is exploited by a malicious user?
A. Native VLAN
B. VLAN hopping
C. VLAN traversal
D. Trunk popping
A
B. VLAN hopping by switch spoofing exploits DTP. If a switchport is left in dynamic auto or dynamic desirable mode, the attacker sends DTP frames to negotiate a trunk; the port then carries all VLANs and the attacker can send and receive traffic in any of them. Mitigate it by configuring user ports as static access ports with switchport mode access and switchport nonegotiate.
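The native VLAN, double tagging and DTP cards above all point at the same hardening; here it is as one added example configuration for a Catalyst switch (not from the original deck). VLAN numbers and interface names are assumed, with 999 and 998 chosen as otherwise unused VLANs.

```cisco
! Added example, not from the original deck. VLAN numbers and interface
! names are assumed. "!" lines are comments.
!
vlan 999
 name NATIVE-UNUSED
vlan 998
 name BLACKHOLE-UNUSED-PORTS
!
! Trunk: static, no DTP, native VLAN moved off VLAN 1 and left out of the
! allowed list, so a double-tagged frame has no VLAN to land in
interface GigabitEthernet1/1/1
 description Trunk to distribution
! only on platforms that still offer ISL; 2960-class switches reject this line
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! Where the platform supports it, tag the native VLAN too; this removes the
! untagged-native behaviour that double tagging relies on
vlan dot1q tag native
!
! User ports: static access, never VLAN 1, and no DTP so a trunk cannot be negotiated
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: park them in a black-hole VLAN and shut them down
interface range GigabitEthernet1/0/25 - 48
 switchport mode access
 switchport access vlan 998
 shutdown
!
! Verification (privileged EXEC):
!   show interfaces trunk                               native VLAN and allowed VLANs per trunk
!   show interfaces GigabitEthernet1/0/1 switchport     expect "Administrative Mode: static access"
!                                                       and "Negotiation of Trunking: Off"
```

With the native VLAN both unused and excluded from the trunk, the outer tag of a double-tagged frame no longer matches any access port and the inner tag has no trunk to ride on, and with DTP off on every port the switch-spoofing variant has nothing to negotiate with.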
58
Q
Which protocol is used by 802.1x for end-to-end authentication from the supplicant to the authentication server?
A. 802.1x authentication headers
B. IPSec
C. EAP
D. RADIUS
A
C. EAP, the Extensible Authentication Protocol, carries the authentication exchange end to end between the supplicant and the RADIUS server. The EAP messages first travel over the layer 2 link as EAP over LAN (EAPoL); the switch then re-encapsulates them in RADIUS packets over UDP towards the server. RADIUS is the transport between switch and server, not the end-to-end authentication protocol.
59
Q
Which device is the supplicant during the 802.1x authentication process?
A. The device requesting access
B. The server that is providing authentication
C. The device that is controlling access via 802.1x
D. The device connecting the layer 3 network
A
A. The device requesting access is the supplicant. The supplicant is built into the operating system of the device being authenticated.
60
Q
Which mechanism is used to authenticate EAP-TLS during the 802.1x authentication process?
A. MD5
B. Certificates
C. SSH
D. Passwords
A
B. EAP-TLS (Extensible Authentication Protocol with Transport Layer Security) uses X.509 certificates on both sides: the client presents its certificate and the RADIUS server presents its own, so authentication is mutual and no password is ever sent. The TLS handshake also protects the exchange. The supplicant must be configured to validate the server certificate, otherwise a rogue RADIUS server can impersonate the real one.
61
Q
Which port must be open to the RADIUS or AAA server for authentication from the authenticator?
A. UDP/49
B. UDP/1821
C. UDP/1812
D. UDP/1813
A
C. RADIUS authentication uses UDP/1812; accounting uses UDP/1813. Older deployments may still use the legacy ports UDP/1645 and UDP/1646. Port 49 belongs to TACACS+, which runs over TCP.
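The 802.1x cards above name the roles and the protocol; this added example shows what the authenticator side looks like on a Catalyst switch running IOS (not from the original deck). The RADIUS server name and address, the shared secret, the VLANs and the interface name are placeholders.

```cisco
! Added example, not from the original deck. Server name/address, shared
! secret, VLANs and interface names are placeholders. "!" lines are comments.
!
aaa new-model
! Authenticate 802.1x sessions against the RADIUS server group
aaa authentication dot1x default group radius
! Needed when the server returns per-session attributes (VLAN, downloadable ACL)
aaa authorization network default group radius
!
! RADIUS server definition: authentication on UDP/1812, accounting on UDP/1813
radius server ISE-PRIMARY
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Turn on the authenticator function switch-wide
dot1x system-auth-control
!
! Phone + PC port: multi-domain host mode allows one device in the data
! domain and one in the voice domain, each authenticated on its own
interface GigabitEthernet1/0/5
 description User desk, 802.1x
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 authentication host-mode multi-domain
! auto = port starts unauthorized and passes only EAPoL until the server says yes
 authentication port-control auto
 dot1x pae authenticator
!
! Verification (privileged EXEC):
!   show dot1x all summary
!   show authentication sessions interface GigabitEthernet1/0/5
!   test aaa group radius SOMEUSER SOMEPASSWORD new-code    (checks reachability and the shared secret)
```

Until the RADIUS server returns an Access-Accept the port forwards nothing but EAPoL, which is the "selective access at layer 2" the cards describe; with EAP-TLS on the supplicant side the user never types a password at all.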
62
Q
What is the range of a standard access list?
A. 1 to 99
B. 1 to 100
C. 100 to 199
D. 100 to 200
A
A. Standard access lists use the numbers 1 to 99 (and the expanded range 1300 to 1999).
63
Q
Which statement is correct about a standard access control list?
A. Conditions can be based upon only the destination address.
B. Conditions can be based upon only the source address and source port.
C. Conditions can be based upon only the source address.
D. Conditions can be based upon the source or destination address and source or destination port.
A
C. A standard access control list can match only on the source IP address of the packet. Matching on destination address, protocol, or ports requires an extended access list.
64
Q
What is the range of an extended access list?
A. 1 to 99
B. 1 to 100
C. 100 to 199
D. 100 to 200
A
C. Extended access lists use the numbers 100 to 199 (and the expanded range 2000 to 2699).
65
Q
What is at the end of every access control list?
A. Permit any any
B. Deny any any
C. Log all
D. End of ACL marker
A
B. Every access list ends with an implicit deny: deny any for a standard list, deny ip any any for an extended list. It does not appear in the configuration and does not increment a visible counter, but any packet that matches no explicit entry is dropped. An ACL with no permit statement therefore blocks all traffic on the interface it is applied to, so every useful ACL contains at least one permit.
66
Q
Which statement is correct about an access control list?
A. Packets are compared sequentially against each line in an access list, and the last matching condition is the action taken.
B. Packets are compared sequentially against each line in an access list until a match is made.
C. Packets are compared, and if no matching rule exists, they are allowed.
D. At the end of the access control list, there is an implicit allow.
A
B. Packets are compared against the entries of an access control list in sequential order. The first entry that matches decides the action (permit or deny) and no further entries are processed, which is why the order of entries matters; a packet that matches nothing hits the implicit deny.
67
Q
What is an advantage of using a standard access control list?
A. More secure
B. Less processing overhead
C. More specific rules
D. Blocking of applications
A
B. A standard access control list needs less processing from the ASIC or CPU (depending on the platform), because it inspects only the source address in the layer 3 header and never has to look at layer 4 fields. The trade-off is that it cannot match on destination, protocol or port, which is why standard lists are placed close to the destination and extended lists close to the source.
68
Q
What is the expanded range of a standard access list?
A. 1000 to 1999
B. 1100 to 1299
C. 1300 to 1999
D. 2000 to 2699
A
C. The expanded range of a standard access list is 1300 to 1999; 2000 to 2699 is the expanded range for extended lists.
69
Q
  1. You need to filter traffic for the 172.16.0.0/12 network. Which wildcard mask would you use?
    A. 255.240.0.0
    B. 0.0.240.255
    C. 0.15.255.255
    D. 255.3.0.0
A
  1. C. A wildcard mask is the bitwise inverse of the subnet mask: a 0 bit must match and a 1 bit is ignored, so subtracting the subnet mask from 255.255.255.255 gives the wildcard mask. For 172.16.0.0/12 (Classless Inter-Domain Routing notation) the subnet mask is 255.240.0.0 (dotted decimal), so the wildcard mask is 0.15.255.255. Equivalently, the block size in the second octet is 16, and 16 minus 1 is 15.
70
Q
  1. Which command would configure an ACL to block traffic coming from 192.168.1.0/24?
    A. Router(config)#access-list 20 deny 192.168.1.0 0.0.0.255
    B. Router(config)#ip access-list 100 192.168.1.0 0.0.0.255
    C. Router(config)#ip access-list 1 192.168.1.0/24
    D. Router(config)#ip access-list 2 192.168.1.0 255.255.255.0
A
  1. A. The command access-list 20 deny 192.168.1.0 0.0.0.255 creates standard access list 20 with a deny entry for the source network 192.168.1.0 wildcard-masked with 0.0.0.255. The other options are not valid IOS syntax: numbered entries are entered with access-list (ip access-list opens named ACL configuration), every entry needs a permit or deny action, and ACLs take wildcard masks rather than prefix lengths or subnet masks. Remember that this list still needs a permit entry, otherwise the implicit deny at the end blocks everything.
71
Q
  1. If you configure a rule with the address of 0.0.0.0 and wildcard mask of 255.255.255.255, what are you doing?
    A. Defining the broadcast address
    B. Defining no addresses
    C. Defining the network address
    D. Defining all addresses
A
  1. D. A rule with an address of 0.0.0.0 and a wildcard mask of 255.255.255.255 defines all addresses, since every bit of the wildcard mask is set to "ignore." It is another way to specify the any source or destination.
72
Q
  1. Which statement is correct about applying ACLs to an interface?
    A. An access control list can be applied in only one direction.
    B. An access control list can be applied only to a single protocol.
    C. An access control list can be applied only to a single port.
    D. All of the above
A
  1. D. Access lists are applied per interface, per protocol, and per direction, and only one list can be applied for each combination. For example, interface FastEthernet 0/1 can have exactly one IP access list applied inbound and a different one applied outbound.
73
Q
  1. You need to filter an application. Which type of access list will you use to complete the task?
    A. Standard
    B. Extended
    C. Dynamic
    D. Expanded
A
  1. B. An extended access list can match on protocol and port number, which identifies the application; for example, web traffic is carried on TCP port 80 or 443. A standard list sees only the source address.
74
Q
  1. What is the expanded range of an extended access list?
    A. 1000 to 1999
    B. 1100 to 1299
    C. 1300 to 1999
    D. 2000 to 2699
A
  1. D. The expanded range of an extended access list is 2000 to 2699 (the expanded standard range is 1300 to 1999).
75
Q
  1. You need to filter traffic for the 192.168.1.0/25 network. Which wildcard mask would you use?
    A. 255.255.255.128
    B. 0.0.0.128
    C. 0.0.0.127
    D. 0.0.0.63
A
  1. C. The wildcard mask is the bitwise inverse of the subnet mask. For 192.168.1.0/25 the subnet mask is 255.255.255.128, and 255.255.255.255 minus 255.255.255.128 gives 0.0.0.127. Equivalently, the block size in the last octet is 128, and 128 minus 1 is 127.
76
Q
  1. Which type of access control list allows for removing a single entry without removing the entire ACL?
    A. Standard
    B. Dynamic
    C. Extended
    D. Named
A
  1. D. A named access control list lets you delete or insert individual entries by sequence number from within ip access-list standard|extended NAME configuration mode. With a classic numbered list, no access-list 10 removes the whole list (recent IOS releases also let you edit a numbered list by sequence number by entering ip access-list standard 10).
77
Q
  1. Which type of access control list allows you to open a port only after someone has successfully logged into the router?
    A. Standard
    B. Dynamic
    C. Extended
    D. Named
A
  1. B. Once a successful login is performed at the router, the dynamic access control list is activated. This is also called lock and key security.
78
Q
  1. Which statement configures a standard access list?
    A. Router(config)#access-list 20 deny 172.16.0.0 0.255.255.255
    B. Router(config)#access-list 180 permit udp any 172.16.0.0 0.255.255.255 eq 161
    C. Router(config)#access-list 130 permit permit ip any any
    D. Router(config)#access-list 150 deny any 172.16.0.0 0.255.255.255
A
  1. A. The statement access-list 20 deny 172.16.0.0 0.255.255.255 configures a standard access list for two reasons: the list number 20 falls in the standard range of 1 to 99, and the entry describes traffic by source address only. The other list numbers are in the extended range, and B, C and D use extended syntax (C is malformed with a repeated permit, and D is missing the protocol).
79
Q
  1. Which statement can be used in lieu of access-list 5 permit 192.168.1.5 0.0.0.0?
    A. Router(config)#access-list 5 permit 192.168.1.5
    B. Router(config)#access-list 5 permit 192.168.1.5/24
    C. Router(config)#access-list 5 permit host 192.168.1.5
    D. Router(config)#access-list 5 permit 192.168.1.0 0.0.0.255
A
  1. C. The command access-list 5 permit host 192.168.1.5 matches traffic from the single host 192.168.1.5; the host keyword is shorthand for a wildcard mask of 0.0.0.0, so it is equivalent to access-list 5 permit 192.168.1.5 0.0.0.0. IOS also accepts option A for a standard list (a missing wildcard defaults to 0.0.0.0 and is stored as host), but host is the explicit form the exam expects.
80
Q
  1. Which type of access list limits you to describing traffic by source address?
    A. Extended
    B. Named
    C. Dynamic
    D. Standard
A
  1. D. Standard access lists only allow you to describe traffic by source address. This speeds up processing of the access list, because the router or switch does not need to look into the packet beyond the layer 3 header.
81
Q
  1. Which statement will block traffic for a server of 192.168.1.5 for SSH?
    A. Router(config)#access-list 90 deny ip host 192.168.1.5 eq 22
    B. Router(config)#access-list 90 deny tcp any host 192.168.1.5 eq 22
    C. Router(config)#access-list 199 deny tcp host 192.168.1.5 any eq 23
    D. Router(config)#access-list 199 deny tcp any host 192.168.1.5 eq 22
A
  1. D. The command access-list 199 deny tcp any host 192.168.1.5 eq 22 creates extended access list 199 and denies TCP traffic from any source to host 192.168.1.5 on destination port 22 (SSH). Options A and B use a standard list number (90), which cannot match on protocol or port, and option C denies traffic from the server to port 23 (Telnet) instead.
82
Q
  1. Which statement configures a valid access list?
    A. Router(config)#access-list 99 deny tcp host 192.168.2.7 eq 443
    B. Router(config)#access-list 189 deny any host 192.168.1.5 eq 22
    C. Router(config)#access-list 143 permit tcp host 192.168.8.3 eq 80 any
    D. Router(config)#access-list 153 permit any host 192.168.4.5 eq 22
A
  1. C. The command access-list 143 permit tcp host 192.168.8.3 eq 80 any is valid: it permits TCP traffic from host 192.168.8.3 with a source port of 80 to any destination. An extended access list entry must name the protocol (ip, tcp, udp, icmp) before the addresses, and a port match (eq) is only meaningful for TCP and UDP. Option A uses extended syntax with a standard list number (99), and options B and D omit the protocol.
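The rules these cards describe (first match wins, the implicit deny, wildcard masks as inverted subnet masks, standard lists matching only the source, extended entries needing a protocol before a port) can be checked in code. The Python model below is an added example written for this deck; it is not output from a Cisco device or code from the book. It parses the exact access-list statements used in the cards and evaluates constructed packets against them, keeping per-entry match counters the way show access-lists does. Only permit/deny, the ip/tcp/udp/icmp keywords, any/host/wildcard address specs, eq PORT and a trailing log keyword are modelled; ranges, neq, established and named lists are left out.

```python
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
ALL_ONES = 0xFFFFFFFF
Packet = namedtuple("Packet", "src dst proto sport dport", defaults=("ip", None, None))
ACE = namedtuple("ACE", "action proto src sport dst dport text")  # src/dst: (address, wildcard)
_is_ipv4 = re.compile(r"(\d{1,3}\.){3}\d{1,3}").fullmatch

def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask = bitwise inverse of the subnet mask, e.g. /12 -> 0.15.255.255."""
    netmask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)
    return str(IPv4(netmask ^ ALL_ONES))

def _wc_match(addr: int, spec: Tuple[int, int]) -> bool:
    """A wildcard bit of 1 means 'ignore this bit'; a 0 bit must match exactly."""
    target, wildcard = spec
    care = ALL_ONES ^ wildcard
    return addr & care == target & care

def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """'any' | 'host A' | 'A [WILDCARD]' at tokens[i]; a missing wildcard means 0.0.0.0 (one host)."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(IPv4(tokens[i + 1])), 0), i + 2
    if not _is_ipv4(tokens[i]):
        raise ValueError(f"expected an address, 'host' or 'any', got {tokens[i]!r}")
    has_wc = i + 1 < len(tokens) and bool(_is_ipv4(tokens[i + 1]))
    return (int(IPv4(tokens[i])), int(IPv4(tokens[i + 1])) if has_wc else 0), i + 1 + has_wc

def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

class ACL:
    RANGES = {"standard": ((1, 99), (1300, 1999)), "extended": ((100, 199), (2000, 2699))}
    PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

    def __init__(self, number: int):
        kinds = [k for k, r in self.RANGES.items() if any(lo <= number <= hi for lo, hi in r)]
        if not kinds:
            raise ValueError(f"{number} is outside the numbered IPv4 ACL ranges")
        self.number, self.kind, self.aces, self.hits = number, kinds[0], [], []
        self.implicit_deny_hits = 0  # self.hits holds per-entry counters, as in `show access-lists`

    def add(self, statement: str) -> "ACL":
        tokens = statement.split()
        if tokens[:2] != ["access-list", str(self.number)] or tokens[2] not in ("permit", "deny"):
            raise ValueError(f"not a permit/deny entry for list {self.number}: {statement!r}")
        if self.kind == "standard":
            # Standard lists describe traffic by source address only.
            src, i = _parse_addr(tokens, 3)
            ace = ACE(tokens[2], "ip", src, None, None, None, statement)
        else:
            # Extended lists need a protocol before the addresses.
            proto = tokens[3]
            if proto not in self.PROTOCOLS:
                raise ValueError(f"extended entry needs a protocol, got {proto!r}")
            src, i = _parse_addr(tokens, 4)
            sport, i = _parse_port(tokens, i)
            dst, i = _parse_addr(tokens, i)
            dport, i = _parse_port(tokens, i)
            ace = ACE(tokens[2], proto, src, sport, dst, dport, statement)
        if tokens[i:] not in ([], ["log"]):
            raise ValueError(f"unexpected tokens {tokens[i:]} in {statement!r}")
        self.aces.append(ace)
        self.hits.append(0)
        return self

    def evaluate(self, pkt: Packet) -> str:
        """Top-down, first match wins; a packet that matches nothing hits the implicit deny."""
        src, dst = int(IPv4(pkt.src)), int(IPv4(pkt.dst))
        for n, ace in enumerate(self.aces):
            if (ace.proto in ("ip", pkt.proto) and _wc_match(src, ace.src)
                    and (ace.dst is None or _wc_match(dst, ace.dst))
                    and (ace.sport is None or ace.sport == pkt.sport)
                    and (ace.dport is None or ace.dport == pkt.dport)):
                self.hits[n] += 1
                return ace.action
        self.implicit_deny_hits += 1
        return "deny"

def demo() -> dict:
    """Constructed scenarios built from the cards above (sample packets, not captured traffic)."""
    ext = (ACL(199).add("access-list 199 deny tcp any host 192.168.1.5 eq 22 log")
           .add("access-list 199 permit ip any any"))
    std = ACL(20).add("access-list 20 deny 192.168.1.0 0.0.0.255").add("access-list 20 permit any")
    one_host = ACL(5).add("access-list 5 permit host 192.168.1.5")  # nothing else is permitted
    return {
        "ssh_to_server": ext.evaluate(Packet("10.0.0.7", "192.168.1.5", "tcp", 51000, 22)),
        "https_to_server": ext.evaluate(Packet("10.0.0.7", "192.168.1.5", "tcp", 51001, 443)),
        "std_inside": std.evaluate(Packet("192.168.1.77", "8.8.8.8")),
        "std_outside": std.evaluate(Packet("192.168.2.1", "8.8.8.8")),
        "host_permitted": one_host.evaluate(Packet("192.168.1.5", "8.8.8.8")),
        "host_other": one_host.evaluate(Packet("192.168.1.6", "8.8.8.8")),
    }
```

Feeding it the invalid options from the cards (a protocol in a standard list, any where a protocol is expected, a prefix length instead of a wildcard mask) raises ValueError, and hits and implicit_deny_hits give the same view of a list that show access-lists does on the device.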
83
Q
  1. You want to apply an access list of 198 to an interface to filter traffic into the interface. Which command will achieve this?
    A. Router(config)#ip access-list 198 in fast 0/1
    B. Router(config-if)#ip access-list 198 in
    C. Router(config-if)#ip access-class 198 in
    D. Router(config-if)#ip access-group 198 in
A
  1. D. The command ip access-group 198 in will apply access list 198 to the interface in which it is configured in the inbound direction.
84
Q
  1. Which type of ACL should be placed closest to the source of traffic?
    A. Extended
    B. Standard
    C. Dynamic
    D. Expanded
A
  1. A. Extended ACLs should be placed as close to the source of the traffic as possible. Because they identify traffic precisely (by source, destination, protocol and port), the unwanted traffic can be dropped before it crosses the network without affecting anything else.
85
Q
  1. Which command will create an extended named access list?
    A. Router(config)#access-list 101 allow host 192.168.1.5 any
    B. Router(config)#ip access-list named_list
    C. Router(config)#ip access-list extended named_list
    D. Router(config)#ip access-list 101 named_list
A
  1. C. The command ip access-list extended named_list will create an extended named access list.
86
Q
  1. Which type of ACL should be placed closest to the destination of traffic?
    A. Extended
    B. Standard
    C. Dynamic
    D. Expanded
A
  1. B. Standard ACLs should be placed as close to the destination as possible. Because they match only on source address, placing one near the source would block that source's traffic to every destination, not just the one you intend to protect.
87
Q
  1. After several edits to a named access control list, the numbers are no longer 10, 20, and 30, and you have no room to perform future edits. Which command will fix the problem with no disruption?
    A. Switch(config)#ip access-list named_list renumber
    B. Switch#clear ip access-list named_list line-numbers
    C. Switch(config)#ip access-list re-number named_list
    D. Switch(config)#ip access-list resequence named_list 10 10
A
  1. D. The command ip access-list resequence named_list 10 10 will resequence the line numbers for the named access list called named_list. The numbering will start with 10 and increment by 10.
88
Q
  1. Which command will apply the named access control list called named_list to the interface in an inbound direction?
    A. Router(config)#ip access-list named_list in fast 0/1
    B. Router(config-if)#ip access-list named_list in
    C. Router(config-if)#ip access-class named_list in
    D. Router(config-if)#ip access-group named_list in
A
  1. D. The command ip access-group named_list in configured inside of the interface will apply an access list called named_list to the interface for the inbound direction.
89
Q
  1. Which command will create an IPv6 access list?
    A. Router(config)#ip access-list extended named_list ipv6
    B. Router(config)#ip access-list deny 2100 ipv6 2001:db8::1/64
    C. Router(config)#ipv6 access-list extended named_list
    D. Router(config)#ipv6 access-list named_list
A
  1. D. IPv6 access lists are always named; there is no standard/extended distinction and no numbered form. The command ipv6 access-list named_list creates an IPv6 named access list and enters its configuration mode.
90
Q
  1. What is a difference between IPv6 and IPv4 access control lists?
    A. Implicit allow of any any at the end of the ACL
    B. Implicit allow of Neighbor Discovery packets
    C. The use of wildcard masks
    D. All of the above
A
  1. B. IPv6 access control lists end with two implicit permit entries for Neighbor Discovery (permit icmp any any nd-na and permit icmp any any nd-ns) ahead of the implicit deny. This keeps the IPv6 features that depend on ND working, such as SLAAC and DAD. It also means an explicit deny ipv6 any any entry overrides those implicit permits and blocks ND unless you permit it above. Note that IPv6 ACLs also differ in syntax: addresses are written with prefix lengths (2001:db8::/64) rather than wildcard masks.
91
Q
106. Which command will help verify that an access control list is applied to an interface?
A. Router#show interface fast 0/1
B. Router#show ip access-list
C. Router#show ip interface fast 0/1
D. Router#show access-list
A
  1. C. The command show ip interface fast 0/1 displays the IP details of interface FastEthernet 0/1, including the lines Inbound access list is and Outgoing access list is, which name any ACL applied in each direction. show access-lists shows the entries and match counts of each list but does not tell you where a list is applied.
92
Q
  1. Which command will allow notes to be added to an access control list?
    A. Router(config-nacl)#remark This is a note about the ACL
    B. Router(config-nacl)#note This is a note about the ACL
    C. Router(config-nacl)#banner ^This is a note about the ACL^
    D. Router(config-nacl)#info This is a note about the ACL
A
  1. A. The remark keyword followed by text adds a comment to an ACL. This example is inside a named access list; remarks can also be added to numbered lists with access-list 101 remark TEXT, using remark in place of permit or deny.
93
Q
108. Which command will allow you to see matching statistics for an access control
list?
A. Router#debug ip access-list 2
B. Router#show ip access-list 2
C. Router#show ip interface fast 0/1
D. Router#show access-list
A
  1. D. The command show access-lists displays every access list with the number of matches recorded for each entry (show access-list is accepted as an abbreviation), and it covers IPv6 access lists as well. show ip access-lists 2 shows the same counters for IPv4 list 2 only, which is useful on a device with many lists.
94
Q
  1. You want to see if a particular rule is matching packets in real time. Which command will allow you to do this?
    A. Switch(config)#access-list 101 permit tcp host 192.168.1.6 any eq 80 debug
    B. Switch(config)#access-list 101 permit tcp host 192.168.1.6 any eq 80 log
    C. Switch(config)#access-list 101 log tcp host 192.168.1.6 any eq 80 debug
    D. Switch(config)#access-list 101 debug tcp host 192.168.1.6 any eq 80 debug
A
  1. B. The entry access-list 101 permit tcp host 192.168.1.6 any eq 80 log permits TCP traffic from host 192.168.1.6 to any destination on port 80, and the log keyword at the end makes the router or switch generate a syslog message when a packet matches the entry. Log messages are rate-limited and summarized rather than emitted for every packet, and logged entries are handled in software on many platforms, so use log on a few specific entries rather than on a whole list. The log-input variant also records the ingress interface and source MAC address.
95
Q
  1. If the Neighbor Discovery Protocol for IPv6 is blocked via an ACL, what is the negative effect?
    A. The gateway of the router will never be used.
    B. A duplicate IPv6 address is possible.
    C. Autoconfiguration of the network will be disabled.
    D. All of the above
A
  1. D. Since NDP (Neighbor Discovery Protocol) is used for finding the gateway, Duplicate Address Detection, and Stateless Address Autoconfiguration, all of these functions would be impacted.
96
Q
  1. What is the earliest version of the APIC-EM (Application Policy Infrastructure Controller Enterprise Module) required to use the Path Trace ACL Analysis tool?
    A. Version 0.9
    B. Version 1.0
    C. Version 1.1
    D. Version 1.2
A
  1. D. The Path Trace tool was first debuted in version 1.0 of the APIC-EM (Application Policy Infrastructure Controller Enterprise Module). However, the ACL Analysis tool was not added as an option until version 1.2.
97
Q
  1. What will you need to do before performing a path trace ACL analysis?
    A. Perform an ACL detection.
    B. Perform an environment discovery.
    C. Copy all ACLs into the APIC-EM.
    D. Manually enter all routers and switches into the APIC-EM.
A
  1. B. Before performing a path trace ACL analysis, you must perform an environment discovery on your network topology
98
Q
113. What type of application is the Path Trace ACL Analysis tool?
A. Base controller
B. Basic application
C. Solutions application
D. DevNet application
A
  1. B. The Path Trace ACL Analysis tool is a basic application. Basic applications do not require licensing, similar to the APIC-EM itself. Solution applications are licensed apps from Cisco and third parties; both run on top of the base controller.
99
Q
  1. Where do you download the APIC-EM?
    A. The Cisco software download site
    B. A Cisco partner download site
    C. The Cisco DevNet site
    D. The Cisco Network Academy site
A
  1. C. The APIC-EM is distributed through Cisco DevNet (the Cisco developer network) and requires a DevNet login. This is because the APIC-EM is a platform on which applications for network management are built.
100
Q
  1. What does the APIC-EM Path Trace ACL Analysis tool perform?
    A. It performs end-to-end analysis of ACLs for a given path.
    B. It performs analysis of ACLs to make sure they are correct.
    C. It helps create ACLs for data paths.
    D. All of the above
A
  1. A. The APIC-EM Path Trace ACL Analysis tool is used for end-to-end analysis of ACLs via the path an imaginary packet will take.
101
Q
  1. Which statement is correct about the Path Trace ACL Analysis tool?
    A. When performing an analysis, you must start by selecting the Path Trace option.
    B. When performing an analysis, you must start by selecting the ACL Analysis option.
    C. The Path Trace ACL Analysis tool helps you create ACLs.
    D. The Path Trace ACL Analysis tool helps with what-if scenarios.
A
  1. A. When performing path trace ACL analysis, you first start by selecting the Path Trace option. On the next screen, you select the ACL Analysis option, which will help you perform the ACL analysis.
102
Q
  1. What must be selected when performing a path trace ACL analysis?
    A. The type of ACL to be examined
    B. The path of the analysis
    C. The egress and ingress ports
    D. The data payload for the test
A
  1. C. When performing a path trace ACL analysis, you select the starting device and end device as well as the egress port and ingress port. The path of the analysis is calculated by the tool.
103
Q
  1. If a device is blocking traffic for a path trace ACL analysis, what information does the interface give you to diagnose the problem?
    A. The tool will give you the correction to the ACL.
    B. The tool will allow you to perform a what-if scenario.
    C. The tool will show you the access control entry blocking traffic.
    D. The tool will allow you to create a new ACL.
A
  1. C. If a packet is blocked, the analysis output will show you the access control entry (ACE) in the ACL that is blocking the packet.
104
Q
  1. Which command will configure the enable password for a router or switch?
    A. Router(config)#password enable Password20!
    B. Router(config)#enable Password20!
    C. Router(config)#enable secret Password20!
    D. Router(config)#secret enable Password20!
A
  1. C. The command enable secret Password20! sets the password for privileged exec mode and stores it as a salted hash rather than in clear text (type 5 MD5 on older IOS, or type 8 and 9 with the algorithm-type keyword on newer releases), so it cannot be read back from the configuration.
105
Q
122. You need to set the login password for Telnet. Which command will you type
first?
A. Switch(config)#interface vlan 1
B. Switch(config)#line console 1
C. Switch(config)#line aux 1
D. Switch(config)#line vty 0 5
A
  1. D. The command line vty 0 5 enters line configuration for the virtual terminal (vty) lines, which is where the password for Telnet (and SSH) sessions is configured. The number of vty lines varies by platform; many devices have lines 0 to 4 or 0 to 15.
106
Q
  1. You have set the enable password using enable password Password20!. However, when you try to get to a privileged exec prompt the router states that you are using an incorrect password. What is the problem?
    A. You originally entered the wrong password.
    B. The enable secret password is set to something else.
    C. The password Password20! contains a special character.
    D. The password is too long and has been truncated.
A
  1. B. If both enable password and enable secret are set, the enable password is ignored and the enable secret is used to authenticate, so you are being checked against a different password. The enable password command exists only for backward compatibility with IOS releases before 10.3 and should no longer be used.
107
Q
  1. Which command(s) will set a password and require login for a line?
    A. Router(config-line)#set password Password20! Router(config-line)#request login
    B. Router(config-line)#password Password20! Router(config-line)#login password
    C. Router(config-line)#password Password20! Router(config-line)#login
    D. Router(config-line)#login password Password20!
A
  1. C. The command password Password20! will set the login password to Password20!. The sub-command login will require login for the line.
108
Q
  1. You telnet to a switch and receive the error Password required, but none set [Connection to 192.168.1.1 closed by foreign host]. What is the problem?
    A. The enable secret is not set.
    B. The enable password is not set.
    C. The line login password is not set.
    D. The line is administratively shut down.
A
  1. C. The message Password required, but none set means the VTY line has login configured but no password set, so the switch refuses the connection. If only the enable secret were missing, you would still reach the user exec prompt but could not enter privileged exec mode.
109
Q
  1. What is required before generating the encryption keys for SSH on a router or switch?
    A. Setting the time and date
    B. Setting the hostname and domain name
    C. Setting the key strength
    D. Setting the key repository
A
  1. B. The hostname and domain name are required before you attempt to generate the encryption keys for SSH.
110
Q
  1. Which command will enable SSH version 2 for logins?
    A. Router(config)#ip ssh version 2
    B. Router(config-line)#version 2
    C. Router(config-ssh)#version 2
    D. Router(config)#ssh version 2
A
  1. A. The command ip ssh version 2 will set your SSH version to 2. This command is to be entered at a global configuration prompt.
111
Q
  1. Which command will configure the router or switch to allow SSH as a protocol for management with a fallback of Telnet?
    A. Switch(config)#login ssh telnet
    B. Switch(config-line)#login ssh telnet
    C. Switch(config-line)#transport input ssh telnet
    D. Switch(config)#transport input ssh telnet
A
  1. C. The line command transport input ssh telnet configures the VTY lines to accept both SSH and Telnet connections; transport input is a line-configuration command, not a global one. Note that "fallback" is not a negotiation: a client can simply choose Telnet, so the line is only as strong as its weakest transport. On production devices use transport input ssh so that Telnet is refused entirely.
112
Q
  1. Why should Telnet be replaced with SSH?
    A. Telnet has weak encryption.
    B. SSH allows for file copy.
    C. SSH makes it easier to create ACLs for access.
    D. SSH is encrypted
A
  1. D. SSH is encrypted and Telnet is in clear text. To keep passwords and configuration safe, SSH should always be used.
113
Q
  1. Which command will create and apply an access list to secure router or switch management?
    A. Switch(config)#access-list 1 permit host 192.168.1.5
       Switch(config)#interface vlan 1
       Switch(config-if)#ip access-group 1 in
    B. Switch(config)#access-list 1 permit host 192.168.1.5
       Switch(config)#line vty 0 5
       Switch(config-line)#ip access-group 1 in
    C. Switch(config)#access-list 1 permit host 192.168.1.5
       Switch(config)#line vty 0 5
       Switch(config-line)#access-class 1 in
    D. Switch(config)#access-list 1 permit host 192.168.1.5
       Switch(config)#ip access-group 1 in
A
  1. C. First create a standard access list that permits only the management host with access-list 1 permit host 192.168.1.5. Then enter the VTY lines with line vty 0 5 and apply the list with access-class 1 in. access-class is the line-mode command for filtering VTY sessions; ip access-group applies an ACL to an interface and is not accepted under a line. Because of the implicit deny, every other source is refused before it reaches a login prompt.
114
Q
  1. You have created the SSH encryption keys, but you cannot enable SSH version 2. What is the problem?
    A. The time and date need to be corrected.
    B. The key strength needs to be 768 bits or higher.
    C. The DNS server is not configured.
    D. There is no host record for the switch or router.
A
  1. B. SSH version 2 requires an RSA modulus of at least 768 bits; if the keys were generated with the old default of 512 bits, ip ssh version 2 is refused until the keys are regenerated. 768 bits is only the minimum the protocol accepts. On current software generate a 2048-bit or larger modulus, since anything smaller is considered weak today.
115
Q
  1. Which command will configure a local user for SSH access?
    A. Router(config)#username user1 password Password20!
    B. Router(config)#account user1
       Router(config-acct)#password Password20!
    C. Router(config)#user user1 Password20!
    D. Router(config)#user-account user1 password Password20!
A
  1. A. The command username user1 password Password20! creates a local user account called user1 with the password Password20!. In practice prefer username user1 secret Password20!: the secret keyword stores a hash of the password, whereas password stores it in clear text (or in the reversible type 7 form when service password-encryption is enabled).
116
Q
  1. You configured the password for Telnet access, but when you perform a show running-configuration, the password shows in clear text. Which command should be run?
    A. Router(config)#password encryption
    B. Router(config)#service password-encryption
    C. Router(config)#service encryption
    D. Router(config)#password-encryption service
A
  1. B. The global command service password-encryption obscures the line passwords (and any other clear-text passwords) in the running configuration. Be clear about what it buys you: the result is type 7 encoding, a reversible obfuscation that only protects against someone glancing at the screen or a printed configuration, not against anyone who obtains the configuration file. Leave it enabled (turning it off does not restore the clear text, it just stops encoding new passwords), and for real protection use enable secret, username ... secret, and login local or AAA instead of shared line passwords.
117
Q
  1. Which command will generate the encryption keys for SSH?
    A. Router(config)#generate crypto key rsa
    B. Router(config)#crypto key generate rsa
    C. Router(config)#crypto generate key rsa
    D. Router#crypto key generate rsa
A
  1. B. The global configuration command crypto key generate rsa generates the RSA key pair used by SSH; it prompts for the key size, called the modulus (or you can specify it on the command line with the modulus keyword). The modulus must be at least 768 bits for SSH version 2, and 2048 bits or more is the sensible choice today. The hostname and domain name must be set first, because the key is named after the device's fully qualified domain name.
118
Q
  1. Which command will disable auto-disconnect for idle privileged exec sessions?
    A. Switch(config-line)#exec-timeout 0 0
    B. Switch(config)#exec-timeout 0
    C. Switch(config-line)#timeout 0 0
    D. Switch(config-line)#no exec-timeout
A
  1. A. The line command exec-timeout 0 0 (zero minutes, zero seconds) disables the idle timeout for sessions on that line. This is convenient in a lab, but on production devices an unattended session that never times out is an open privileged prompt; keep a finite timeout there.
119
Q
  1. You want to turn on local authentication so that a user must supply a username and password when managing the switch. You have created the username and password combinations on the switch. Which command will direct SSH and Telnet to use this authentication model?
    A. Switch(config)#new aaa model
    B. Switch(config)#local authentication
    C. Switch(config-line)#local authentication
    D. Switch(config-line)#login local
A
  1. D. After configuring the username and password combinations that will be used on the switch or router, you will need to configure the line(s) that will use local authentication. The command used inside of the line is login local. This will apply to all the transport methods configured on the line.
120
Q
  1. During a recent external security audit, it was determined that your enable password should be secured with SHA-256 scrypt. Which command will change the password strength on the switches and routers?
    A. Switch(config)#enable secret 9
    B. Switch(config)#service password-encryption scrypt
    C. Switch(config)#enable secret algorithm-type scrypt
    D. Switch(config)#enable algorithm-type scrypt secret Password20!
A
  1. D. The command enable algorithm-type scrypt secret Password20! sets the enable secret to Password20! and stores it as a type 9 (scrypt) hash in place of the older type 5 (MD5) hash. enable secret 9 is the form that appears in a saved configuration to hold an already computed type 9 hash; it is not the command used to hash a new password.
121
Q
  1. What is the default encryption method for passwords, when you configure a line password?
    A. MD5
    B. SHA-128
    C. SHA-256
    D. Cleartext
A
  1. D. Line passwords are stored in clear text by default. The service password-encryption command obscures them with the reversible type 7 encoding; a line password is never hashed, which is one more reason to prefer login local with hashed user secrets over a shared line password.
122
Q
  1. You need to change the default idle time before disconnection of privileged exec mode for network administrators. Which command will change it to 30 minutes?
    A. Switch(config)#exec-timeout 30 0
    B. Switch(config-line)#exec-timeout 30 0
    C. Switch(config-line)#exec-timeout 0 30
    D. Switch(config-line)#timeout 30 0
A
  1. B. The line command exec-timeout 30 0 sets the idle time to 30 minutes and zero seconds; a session that is idle for 30 minutes is disconnected. The default is 10 minutes.
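The management-plane cards above add up to a short hardening checklist: no enable password, a hashed enable secret, hashed user secrets, service password-encryption on, SSH version 2 only, an access-class on the VTY lines, login local or AAA instead of a shared line password, and a finite exec-timeout. The Python script below is an added example, not part of the deck and not a Cisco tool, that audits a saved configuration for exactly those points. The two sample configurations are constructed for the example. The checks are plain string comparisons of IOS syntax and do not cover every variant (for instance aaa new-model with a non-default method list, or transport input none), so treat them as a starting point rather than a complete benchmark.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configurations (not from a real device). The first has the weaknesses
# the cards warn about; the second is the same device after hardening.
WEAK_CONFIG = """\
hostname edge-sw1
enable password Password20!
username admin password Password20!
ip ssh version 1
!
line con 0
 exec-timeout 0 0
 login
line vty 0 4
 password Password20!
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-sw1
ip domain-name example.test
service password-encryption
enable algorithm-type scrypt secret Password20!
username admin algorithm-type scrypt secret Password20!
ip ssh version 2
access-list 1 permit host 192.168.1.5
!
line con 0
 exec-timeout 30 0
 login local
line vty 0 4
 exec-timeout 30 0
 access-class 1 in
 login local
 transport input ssh
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global commands and indented sections (line con 0, line vty 0 4, ...)."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit(config: str) -> List[str]:
    """Return one finding per management-plane weakness; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = []
    if any(c.startswith("enable password ") for c in top):
        findings.append("'enable password' is stored reversibly; remove it and use 'enable secret'")
    if not any(re.match(r"enable (algorithm-type \S+ )?secret ", c) for c in top):
        findings.append("no 'enable secret' configured")
    for c in top:
        if c.startswith("username ") and " password " in c:
            findings.append(f"user {c.split()[1]!r} uses 'password'; use 'secret' so it is hashed")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' is off; line passwords are shown in clear text")
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' is not set; SSHv1 may be negotiated")
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        if name.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: 'transport input ssh' missing, so Telnet or defaults apply")
            if not any(c.startswith("access-class ") for c in cmds):
                findings.append(f"{name}: no 'access-class' limiting which hosts may connect")
        if "login" in cmds:
            findings.append(f"{name}: shared line password ('login'); use 'login local' or AAA")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: idle timeout disabled ('exec-timeout 0 0')")
    return findings


if __name__ == "__main__":
    for cfg_name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {cfg_name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run against the weak sample it reports ten findings (the global password problems first, then one per line section); the hardened sample reports none. To audit real devices, feed it the output of show running-config saved to a file.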
123
Q
141. You need to disconnect a network admin from the switch or router. Which
command would you use?
A. Switch(config)#no enable secret
B. Switch#no line vty 2
C. Switch#disconnect line vty 2
D. Switch#clear line vty 2
A
  1. D. The command clear line vty 2 will disconnect a remote admin connected to the switch. Nothing stops the admin from reconnecting to the switch again.
124
Q
142. Which banner can deliver a message only to authenticated users regardless of
connection type?
A. MOTD banner
B. Login banner
C. Exec banner
D. Incoming banner
A
  1. C. The exec banner will display a message to authenticated users who have successfully logged in, regardless of whether they are connected via Telnet or SSH.
125
Q
  1. Which banner will be displayed first when a user connects to a Cisco device via SSH?
    A. MOTD banner
    B. Login banner
    C. Exec banner
    D. Incoming banner
A
  1. B. The login banner will be displayed during initial connection to a Cisco device via SSH.
126
Q
  1. Which command will configure the login banner to read “CCNA Routing and Switching”?
    A. Router(config)#login banner CCNA Routing and Switching
    B. Router(config)#banner login CCNA Routing and Switching
    C. Router(config)#banner login ^CCNA Routing and Switching^
    D. Router(config-line)#banner login ^CCNA Routing and Switching^
A
  1. C. The global command banner login ^CCNA Routing and Switching^ sets the login banner. The ^ characters are delimiters marking the beginning and end of the text; any character that does not appear in the banner can serve as the delimiter.
127
Q
  1. You have configured a message of the day (MOTD) banner, but it only shows up after you have logged into the router. What is the problem?
    A. You are connecting via SSH.
    B. You are connecting via Telnet.
    C. You are connecting via the console.
    D. You do not have an enable password set.
A
  1. A. When a user connects via SSH, the MOTD banner is not displayed until after the user has authenticated. The login banner is displayed before login regardless of connection type, so put any legal notice that must be seen before authentication in the login banner.
128
Q
  1. Which server will centralize authentication for all Cisco routers and switches?
    A. Active Directory server
    B. AAA server
    C. 802.1x server
    D. Terminal server
A
  1. B. An AAA server centralizes authentication for Cisco routers and switches. AAA stands for authentication, authorization, and accounting, and is pronounced "triple A."
129
Q
  1. Which protocol and port does RADIUS authentication use?
    A. UDP/1845
    B. UDP/1645
    C. TCP/1645
    D. UDP/1911
A
  1. B. RADIUS authentication uses UDP, and Cisco IOS defaults to port 1645 for authentication (1646 for accounting), the legacy ports RADIUS originally used. The IANA-assigned ports are UDP 1812 for authentication and 1813 for accounting, and many RADIUS servers listen only on those, so when the two sides disagree the ports are set explicitly with the auth-port and acct-port keywords.
130
Q
  1. Which is an authentication protocol for AAA servers to secure Telnet authentication?
    A. 802.1x
    B. TACACS+
    C. AD
    D. EAP
A
  1. B. TACACS+ (Terminal Access Controller Access-Control System Plus) is the protocol used between a switch or router and an AAA server to authenticate and authorize administrative logins such as Telnet and SSH sessions. 802.1X and EAP are used for network access control of end devices, not for device administration.
131
Q
  1. Which port and protocol does TACACS+ use?
    A. UDP/69
    B. TCP/74
    C. UDP/47
    D. TCP/49
A
  1. D. TACACS+ uses TCP port 49 for communications between the switch or router and the AAA server.
132
Q
  1. Which is a benefit of using TACACS+ for authentication of users?
    A. It is an open standard.
    B. It encrypts the password of users.
    C. It supports authenticating a user to a subset of commands.
    D. It supports authenticating a user to a length of time.
A
  1. C. TACACS+ was developed by Cisco; it has since been documented in RFC 8907 (an informational RFC), but it is not an open standard in the way RADIUS is. Because it separates authentication from authorization, it can authorize a user for only a subset of commands on the router or switch (per-command authorization). RADIUS also hides the user's password, so option B is not a distinguishing benefit.
133
Q
  1. Which command will configure the router to use a TACACS+ server and a backup of local for authentication of logins?
    A. Router(config)#aaa authentication login default group tacacs+ local
    B. Router(config)#authentication login group tacacs+ local
    C. Router(config)#aaa-authentication login default tacacs+ local
    D. Router(config)#aaa authentication login tacacs+ local
A
  1. A. The command aaa authentication login default group tacacs+ local creates the default login method list: try the group of configured TACACS+ servers first, and fall back to the local user database only if no server responds (an explicit rejection by the server is final and is not retried locally). The command is accepted only after aaa new-model has been enabled.
134
Q
  1. You configured the AAA authentication for login to default local but forgot to create a local AAA user. What will happen when you log out?
    A. The enable secret will work.
    B. The console will still be available.
    C. The router will lock you out.
    D. Nothing, since a username and password have not been set.
A
  1. C. The router will lock you out, because the default method list applies to every line (console included) and there is no local account to log in with. If the configuration was saved, the password recovery procedure would have to be performed. Always create the local user, and test the new method from a second session, before closing the session you configured it from.
135
Q
  1. Why should you always provide a second method of local when setting up AAA remote authentication with a router or switch?
    A. To allow for a backdoor
    B. To provide a backup if the TACACS+ server is down or unreachable
    C. The local second method is required
    D. All of the above
A
  1. B. The local second method should always be configured. This will ensure that if the router’s connection to the AAA server
136
Q
  1. Which command will configure the RADIUS server 192.168.1.5 with a secret of aaaauth?
    A. Router(config)#radius host 192.168.1.5 key aaaauth
    B. Router(config)#radius-server host 192.168.1.5 key aaaauth
    C. Router(config)#radius-server 192.168.1.5 key aaaauth
    D. Router(config)#radius-server host 192.168.1.5 secret aaaauth
A
  1. B. The command radius-server host 192.168.1.5 key aaaauth configures the RADIUS server 192.168.1.5 with the shared secret aaaauth. Newer IOS releases replace this with a named server block (radius server NAME, then address ipv4 192.168.1.5 and key aaaauth under it), but the legacy form above is the one the exam expects.
137
Q
  1. Which protocol will encrypt the entire packet from the switch or router to the AAA server?
    A. 802.1x
    B. IPSEC
    C. RADIUS
    D. TACACS+
A
  1. D. TACACS+ obfuscates the entire packet body with a keystream derived from the shared key, so user names, commands and authorization results are not visible on the wire (only the 12-byte header is in clear text). RADIUS hides only the User-Password attribute; everything else in a RADIUS packet, including the user name, is sent in the clear.
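The RADIUS and TACACS+ cards above say that TACACS+ protects the whole packet body while RADIUS hides only the password. The Python below is an added example, not from the deck and not any vendor's implementation, that implements the two mechanisms as specified in RFC 2865 section 5.2 (User-Password hiding) and RFC 8907 section 4.5 (TACACS+ body obfuscation) and builds one constructed packet of each type so the difference is visible in the bytes. The shared key aaaauth, the fixed Request Authenticator, the session id and the packet contents are constructed values for the example; a real NAS uses 16 random bytes as the authenticator of every request.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: zero-pad the password to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block), where the 'previous block' for the first round is the
    16-byte Request Authenticator. Only this one attribute is hidden."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("authenticator must be 16 bytes; password 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + block, block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; trailing zero padding is stripped."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Code 1 (Access-Request), identifier 1, attributes User-Name (type 1) and User-Password (type 2)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(body: bytes, key: bytes, session_id: int, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 section 4.5: XOR the whole body with a pad of chained MD5 digests,
    MD5(session_id + key + version + seq_no [+ previous digest]). Symmetric: call again to decrypt."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """12-byte clear-text header (version, type 1 = authentication, seq_no, flags 0 = encrypted,
    session_id, body length) followed by the obfuscated body."""
    header = struct.pack("!BBBBII", 0xC0, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, key, session_id, 0xC0, seq_no)


def demo() -> dict:
    """Constructed values: fixed authenticator and session id, shared key aaaauth, user admin."""
    secret, user, pw = b"aaaauth", b"admin", b"Password20!"
    authenticator = bytes(range(16))  # constructed; a real client uses 16 random bytes per request
    radius = radius_access_request(user, pw, secret, authenticator)
    # Constructed TACACS+ authentication START body (PAP): action, priv_lvl, authen_type, service,
    # then the user/port/rem_addr/data lengths, then the user name and the password as data.
    body = bytes([1, 1, 2, 1, len(user), 0, 0, len(pw)]) + user + pw
    tacacs = tacacs_packet(body, secret, 0x1234ABCD)
    return {
        "radius_username_in_clear": user in radius,
        "radius_password_in_clear": pw in radius,
        "radius_password_recovered": radius_reveal_password(radius[-16:], secret, authenticator) == pw,
        "tacacs_username_in_clear": user in tacacs,
        "tacacs_password_in_clear": pw in tacacs,
        "tacacs_session_id_in_clear": struct.pack("!I", 0x1234ABCD) in tacacs,
    }
```

Both schemes are MD5-keyed XOR streams whose strength rests entirely on the shared secret, so they hide credentials from a casual capture but are not strong encryption; that is why current guidance carries TACACS+ over IPsec and RADIUS over IPsec or TLS (RadSec, RFC 6614) when the AAA server is not on a trusted management network.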