Practice Chapters 6-10 Flashcards

1
Q

6.1 Which of the following describe the process identifier that is used to run OSPF on a router? (Choose two.)

A. It is locally significant.
B. It is globally significant.
C. It is needed to identify a unique instance of an OSPF database.
D. It is an optional parameter required only if multiple OSPF processes are running on the router.
E. All routes in the same OSPF area must have the same process ID if they are to exchange routing information.

A

A, C. The process ID for OSPF on a router is only locally significant, and you can use the same number on each router, or each router can have a different number—it just doesn’t matter. The numbers you can use are from 1 to 65,535. Don’t get this confused with area numbers, which can be from 0 to 4.2 billion.

2
Q

6.2 All of the following must match for two OSPF routers to become neighbors except which?

A. Area ID
B. Router ID
C. Stub area flag
D. Authentication password if using one

A

B. The router ID (RID) is an IP address used to identify the router. It need not and should not match.

3
Q

6.3 You get a call from a network administrator who tells you that he typed the following into his router:
Router(config)#router ospf 1
Router(config-router)#network 10.0.0.0 255.0.0.0 area 0
He tells you he still can’t see any routes in the routing table. What configuration error did the administrator make?

A. The wildcard mask is incorrect.
B. The OSPF area is wrong.
C. The OSPF process ID is incorrect.
D. The AS configuration is wrong.

A

A. The administrator typed in the wrong wildcard mask configuration. The wildcard should have been 0.0.0.255 or even 0.255.255.255.

4
Q

6.4 Which of the following statements is true with regard to the output shown?
Corp#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.31.1.4 1 FULL/BDR 00:00:34 10.10.10.2 FastEthernet0/0
192.168.20.1 0 FULL/ - 00:00:31 172.16.10.6 Serial0/1
192.168.10.1 0 FULL/ - 00:00:32 172.16.10.2 Serial0/0

A. There is no DR on the link to 192.168.20.1.
B. The Corp router is the BDR on the link to 172.31.1.4.
C. The Corp router is the DR on the link to 192.168.20.1.
D. The link to 192.168.10.1 is 32 hops away.

A

A. A dash (-) in the State column indicates no DR election because they are not required on a point-to-point link such as a serial connection.

5
Q

6.5 What is the administrative distance of OSPF?

A. 90
B. 100
C. 120
D. 110

A

D. By default, the administrative distance of OSPF is 110.

6
Q

6.6 In OSPF, Hellos are sent to what IP address?

A. 224.0.0.5
B. 224.0.0.9
C. 224.0.0.10
D. 224.0.0.1

A

A. Hello packets are addressed to multicast address 224.0.0.5.

7
Q

6.7 Updates addressed to 224.0.0.6 are destined for which type of OSPF router?

A. DR
B. ASBR
C. ABR
D. All OSPF routers

A

A. 224.0.0.6 is used on broadcast networks to reach the DR and BDR.

8
Q

6.8 For some reason, you cannot establish an adjacency relationship on a common Ethernet link between two routers. Looking at this output, what is the cause of the problem?
RouterA#
Ethernet0/0 is up, line protocol is up
Internet Address 172.16.1.2/16, Area 0
Process ID 2, Router ID 172.126.1.2, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 172.16.1.2, interface address 172.16.1.1
No backup designated router on this network
Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 5
RouterB#
Ethernet0/0 is up, line protocol is up
Internet Address 172.16.1.1/16, Area 0
Process ID 2, Router ID 172.126.1.1, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 172.16.1.1, interface address 172.16.1.2
No backup designated router on this network
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

A. The OSPF area is not configured properly.
B. The priority on RouterA should be set higher.
C. The cost on RouterA should be set higher.
D. The Hello and Dead timers are not configured properly.
E. A backup designated router needs to be added to the network.
F. The OSPF process ID numbers must match.

A

D. The Hello and Dead timers must be set the same on two routers on the same link or they will not form an adjacency (relationship). The default timers for OSPF are 10 seconds for the Hello timer and 40 seconds for the Dead timer.

9
Q

6.9 Given the following output, which statement or statements can be determined to be true? (Choose all that apply.)
RouterA2# show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
192.168.23.2 1 FULL/BDR 00:00:29 10.24.4.2 FastEthernet1/0
192.168.45.2 2 FULL/BDR 00:00:24 10.1.0.5 FastEthernet0/0
192.168.85.1 1 FULL/- 00:00:33 10.6.4.10 Serial0/1
192.168.90.3 1 FULL/DR 00:00:32 10.5.5.2 FastEthernet0/1
192.168.67.3 1 FULL/DR 00:00:20 10.4.9.20 FastEthernet0/2
192.168.90.1 1 FULL/BDR 00:00:23 10.5.5.4 FastEthernet0/1
A. The DR for the network connected to Fa0/0 has an interface priority higher than 2.
B. This router (A2) is the BDR for subnet 10.1.0.0.
C. The DR for the network connected to Fa0/1 has a router ID of 10.5.5.2.
D. The DR for the serial subnet is 192.168.85.1

A

A. The default OSPF interface priority is 1, and the highest interface priority determines the designated router (DR) for a subnet. The output indicates that the router with a router ID of 192.168.45.2 is currently the backup designated router (BDR) for the segment, which means another router became the DR. It can then be assumed that the DR router has an interface priority higher than 2. (The router serving the DR function is not present in the truncated sample output.)

10
Q

6.10 A(n) is an OSPF data packet containing link-state and routing information that is shared among OSPF routers.

A. LSA
B. TSA
C. Hello
D. SPF

A

A. LSA packets are used to update and maintain the topological database.

11
Q

7.1 Which of the following statements is not true with regard to layer 2 switching?

A. Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network layer header information.
B. Layer 2 switches and bridges look at the frame’s hardware addresses before deciding to forward, flood, or drop the frame.
C. Switches create private, dedicated collision domains and provide independent bandwidth on each port.
D. Switches use application-specific integrated circuits (ASICs) to build and maintain their MAC filter tables.

A

A. Layer 2 switches and bridges are faster than routers because they don’t take up time looking at the Network Layer header information. They do make use of the Data Link layer information.

12
Q

7.2 What statement(s) is/are true about the output shown here? (Choose all that apply.)
S3#sh port-security int f0/3
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0013:0ca69:00bb3:00ba8:1
Security Violation Count : 1

A. The port light for F0/3 will be amber in color.
B. The F0/3 port is forwarding frames.
C. This problem will resolve itself in a few minutes.
D. This port requires the shutdown command to function.

A

A, D. In the output shown, you can see that the port is in Secure-shutdown mode and the light for the port would be amber. To enable the port again, you’d need to do the following:
S3(config-if)#shutdown
S3(config-if)#no shutdown

13
Q

7.3 Which of the following commands in this configuration is a prerequisite for the other commands to function?
S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport port-security
S3(config-if)#switchport port-security maximum 3
S3(config-if)#switchport port-security violation restrict
S3(config-if)#switchport mode-security aging time 10

A. switchport mode-security aging time 10
B. switchport port-security
C. switchport port-security maximum 3
D. switchport port-security violation restrict

A

B. The switchport port-security command enables port security, which is a prerequisite for the other commands to function.

14
Q

7.4 Which of the following is not an issue addressed by STP?

A. Broadcast storms
B. Gateway redundancy
C. A device receiving multiple copies of the same frame
D. Constant updating of the MAC filter table

A

B. Gateway redundancy is not an issue addressed by STP.

15
Q

7.5 Which two of the following switch port violation modes will alert you via SNMP that a violation has occurred on a port?

A. Restrict
B. Protect
C. Shutdown
D. Err-disable

A

A, C.
■ Protect—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, no notification action is taken when traffic is dropped.
■ Restrict—This mode permits traffic from known MAC addresses to continue to be forwarded while dropping traffic from unknown MAC addresses when over the allowed MAC address limit. When configured with this mode, a syslog message is logged, a Simple Network Management Protocol (SNMP) trap is sent, and a violation counter is incremented when traffic is dropped.
■ Shutdown—This mode is the default violation mode; when in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. A Simple Network Management Protocol (SNMP) trap is sent.

16
Q

7.6 On which default interface have you configured an IP address for a switch?

A. int fa0/0
B. int vty 0 15
C. int vlan 1
D. int s/0/0

A

C. The IP address is configured under a logical interface, called a management domain or VLAN 1.

17
Q

7.7 Which Cisco IOS command is used to verify the port security configuration of a switch port?

A. show interfaces port-security
B. show port-security interface
C. show ip interface
D. show interfaces switchport

A

B. The show port-security interface command displays the current port security and status of a switch port.

18
Q

7.8 Which of the following methods will ensure that only one specific host can connect to port Fa0/3 on a switch? (Choose two. Each correct answer is a separate solution.)

A. Configure port security on F0/3 to accept traffic other than that of the MAC address of the host.
B. Configure the MAC address of the host as a static entry associated with port F0/3.
C. Configure an inbound access control list on port F0/3 limiting traffic to the IP address of the host.
D. Configure port security on F0/3 to accept traffic only from the MAC address of the host.

A

B, D. To limit connections to a specific host, you should configure the MAC address of the host as a static entry associated with the port, although be aware that this host can still connect to any other port but no other port can connect to F0/3 in this example. Another solution would be to configure port security to accept traffic only from the MAC address of the host. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect and by defining violation policies (such as disabling the port) to be enacted if additional hosts try to gain a connection.

19
Q

7.9 What will be the effect of executing the following command on port F0/1?
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301

A. The command configures an inbound access control list on port F0/1, limiting traffic to the IP address of the host.
B. The command expressly prohibits the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
C. The command encrypts all traffic on the port from the MAC address of 00c0.35F0.8301.
D. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.

A

D. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect and violation policies (such as disabling the port) if additional hosts try to gain a connection.

20
Q

7.10 The conference room has a switch port available for use by the presenter during classes, and each presenter uses the same PC attached to the port. You would like to prevent other PCs from using that port. You have completely removed the former configuration in order to start anew. Which of the following steps is not required to prevent any other PCs from using that port?

A. Enable port security.
B. Assign the MAC address of the PC to the port.
C. Make the port an access port.
D. Make the port a trunk port.

A

D. You would not make the port a trunk. In this example, this switchport is a member of one VLAN. However, you can configure port security on a trunk port, but again, that’s not valid for this question.

21
Q

8.1 Which of the following statements is true with regard to VLANs?

A. VLANs greatly reduce network security.
B. VLANs increase the number of collision domains while decreasing their size.
C. VLANs decrease the number of broadcast domains while decreasing their size.
D. Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.

A

D. Here’s a list of ways VLANs simplify network management:
■ Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.
■ A group of users that need an unusually high level of security can be put into its own VLAN so that users outside of the VLAN can’t communicate with them.
■ As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations.
■ VLANs greatly enhance network security if implemented correctly.
■ VLANs increase the number of broadcast domains while decreasing their size.

22
Q

8.2 You can only add one data VLAN to a switch port when configured as an Access port. What is the second type of VLAN that can be added to an Access port?

A. Secondary
B. Voice
C. Primary
D. Trunk

A

B. While in all other cases access ports can be a member of only one VLAN, most switches will allow you to add a second VLAN to an access port on a switch port for your voice traffic; it’s called the voice VLAN. The voice VLAN used to be called the auxiliary VLAN, which allowed it to be overlaid on top of the data VLAN, enabling both types of traffic through the same port.

23
Q

8.3 In the following configuration, what command is missing in the creation of the VLAN interface?
2960#config t
2960(config)#int vlan 1
2960(config-if)#ip address 192.168.10.2 255.255.255.0
2960(config-if)#exit
2960(config)#ip default-gateway 192.168.10.1

A. no shutdown under int vlan 1
B. encapsulation dot1q 1 under int vlan 1
C. switchport access vlan 1
D. passive-interface

A

A. Yes, you need to do a no shutdown on the VLAN interface.

24
Q

8.4 Which of the following statements is true with regard to ISL and 802.1q?

A. 802.1q encapsulates the frame with control information; ISL inserts an ISL field along with tag control information.
B. 802.1q is Cisco proprietary.
C. ISL encapsulates the frame with control information; 802.1q inserts an 802.1q field along with tag control information.
D. ISL is a standard.

A

C. Unlike ISL, which encapsulates the frame with control information, 802.1q inserts an 802.1q field along with tag control information.

25
Q

8.5 Based on the configuration shown here, what statement is true?
S1(config)#ip routing
S1(config)#int vlan 10
S1(config-if)#ip address 192.168.10.1 255.255.255.0
S1(config-if)#int vlan 20
S1(config-if)#ip address 192.168.20.1 255.255.255.0

A. This is a multilayer switch.
B. The two VLANs are in the same subnet.
C. Encapsulation must be configured.
D. VLAN 10 is the management VLAN.

A

A. With a multilayer switch, by enabling IP routing and creating one logical interface for each VLAN by using the interface vlan number command, you’re now doing inter-VLAN routing on the backplane of the switch!

26
Q

8.6 What is true of the output shown here?
S1#sh vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/19, Fa0/20,
Fa0/22, Fa0/23, Gi0/1, Gi0/2
2 Sales active
3 Marketing active Fa0/21
4 Accounting active
[output cut]

A. Interface F0/15 is a trunk port.
B. Interface F0/17 is an access port.
C. Interface F0/21 is a trunk port.
D. VLAN 1 was populated manually.

A

A. Ports Fa0/15–18 are not present in any VLANs. They are trunk ports.

27
Q

8.7 802.1q untagged frames are members of which VLAN?

A. Auxiliary
B. Voice
C. Native
D. Private

A

C. Untagged frames are members of the native VLAN, which by default is VLAN 1.

28
Q

8.8 In the switch output of question 6, how many broadcast domains are shown?

A. 1
B. 2
C. 4
D. 1001

A

C. A VLAN is a broadcast domain on a layer 2 switch. You need a separate address space (subnet) for each VLAN. There are four VLANs, so that means four broadcast domains/subnets.

29
Q

8.9 What is the purpose of frame tagging in virtual LAN (VLAN) configurations?

A. Inter-VLAN routing
B. Encryption of network packets
C. Frame identification over trunk links
D. Frame identification over access links

A

C. Frame tagging is used when VLAN traffic travels over a trunk link. Trunk links carry frames for multiple VLANs. Therefore, frame tags are used for identification of frames from different VLANs.

30
Q

8.10 Which statement is true regarding 802.1q frame tagging?

A. 802.1q adds a 26-byte trailer and 4-byte header.
B. 802.1q uses a native VLAN.
C. The original Ethernet frame is not modified.
D. 802.1q only works with Cisco switches.

A

B. 802.1q uses the native VLAN.

31
Q

9.1 You receive the following output from a switch:
S2#sh spanning-tree
VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 0001.42A7.A603
Cost 4
Port 26(GigabitEthernet1/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec [output cut]
Which are true regarding this switch? (Choose two.)

A. The switch is a root bridge.
B. The switch is a non-root bridge.
C. The root bridge is four switches away.
D. The switch is running 802.1w.
E. The switch is running STP PVST+.

A

B, D. The switch is not the root bridge for VLAN 1 or the output would tell us exactly that. The root bridge for VLAN 1 is off of interface G1/2 with a cost of 4, meaning it is directly connected. Use the command show cdp nei to find your root bridge at this point. Also, the switch is running RSTP (802.1w), not STP.

32
Q

9.2 You have configured your switches with the spanning-tree vlan x root primary and spanning-tree vlan x root secondary commands. Which of the following tertiary switches will take over if both switches fail?

A. A switch with priority 4096
B. A switch with priority 8192
C. A switch with priority 12288
D. A switch with priority 20480

A

D. Option A seems like the best answer, and had switches not been configured with the primary and secondary command, then the switch configured with priority 4096 would have been root. However, since the primary and secondary both had a priority of 16384, then the tertiary switch would be a switch with a higher priority in this case.

33
Q

9.3 Which of the following would you use to find the VLANs for which your switch is the root bridge? (Choose two.)

A. show spanning-tree
B. show root all
C. show spanning-tree port root VLAN
D. show spanning-tree summary

A

A, D. It’s important that you can find your root bridge and the show spanning-tree command will help you do this. To quickly find out which VLANs your switch is the root bridge for, use the show spanning-tree summary command.

34
Q

9.4 You want to run the new 802.1w on your switches. Which of the following would enable this protocol?

A. Switch(config)#spanning-tree mode rapid-pvst
B. Switch#spanning-tree mode rapid-pvst
C. Switch(config)#spanning-tree mode 802.1w
D. Switch#spanning-tree mode 802.1w

A

A. 802.1w is also called Rapid Spanning Tree Protocol. It’s not enabled by default on Cisco switches, but it is a better STP to run because it has all the fixes that the Cisco extensions provide with 802.1d. Remember, Cisco runs RSTP PVST+, not just RSTP.

35
Q

9.5 Which of the following is a layer 2 protocol used to maintain a loop-free network?

A. VTP
B. STP
C. RIP
D. CDP

A

B. The Spanning Tree Protocol is used to stop switching loops in a layer 2 switched network with redundant paths.

36
Q

9.6 Which statement describes a spanning-tree network that has converged?

A. All switch and bridge ports are in the forwarding state.
B. All switch and bridge ports are assigned as either root or designated ports.
C. All switch and bridge ports are in either the forwarding or blocking state.
D. All switch and bridge ports are either blocking or looping.

A

C. Convergence occurs when all ports on bridges and switches have transitioned to either the forwarding or blocking states. No data is forwarded until convergence is complete. Before data can be forwarded again, all devices must be updated.

37
Q

9.7 Which of the following modes enable LACP EtherChannel? (Choose two.)

A. On
B. Prevent
C. Passive
D. Auto
E. Active
F. Desirable

A

C, E. There are two types of EtherChannel: Cisco’s PAgP and the IEEE’s LACP. They are basically the same, and there’s little difference to configuring them. For PAgP, use auto or desirable mode, and with LACP use passive or active. These modes decide which method you’re using, and they must be configured the same on both sides of the EtherChannel bundle.

38
Q

9.8 Which of the following are true regarding RSTP? (Choose three.)

A. RSTP speeds the recalculation of the spanning tree when the layer 2 network topology changes.
B. RSTP is an IEEE standard that redefines STP port roles, states, and BPDUs.
C. RSTP is extremely proactive and very quick, and therefore it absolutely needs the 802.1 delay timers.
D. RSTP (802.1w) supersedes 802.1d while remaining proprietary.
E. All of the 802.1d terminology and most parameters have been changed.
F. 802.1w is capable of reverting to 802.1d to interoperate with traditional switches on a per-port basis.

A

A, B, F. RSTP helps with convergence issues that plague traditional STP. Rapid PVST+ is based on the 802.1w standard in the same way that PVST+ is based on 802.1d. The operation of Rapid PVST+ is simply a separate instance of 802.1w for each VLAN.

39
Q

9.9 What does BPDU Guard perform?

A. Makes sure the port is receiving BPDUs from the correct upstream switch.
B. Makes sure the port is not receiving BPDUs from the upstream switch, only the root.
C. If a BPDU is received on a BPDU Guard port, PortFast is used to shut down the port.
D. Shuts down a port if a BPDU is seen on that port.

A

D. BPDU Guard is used (and should be used) on a port configured for PortFast, because if that port receives a BPDU from another switch, BPDU Guard will shut that port down to stop a loop from occurring.

40
Q

9.10 How many bits is the sys-id-ext field in a BPDU?

A. 4
B. 8
C. 12
D. 16

A

C. To allow for the PVST+ to operate, there’s a field inserted into the BPDU to accommodate the extended system ID so that PVST+ can have a root bridge configured on a per-STP instance. The extended system ID (VLAN ID) is a 12-bit field, and we can even see what this field is carrying via the show spanning-tree command output.

41
Q

10.1 Which of the following statements is false when a packet is being compared to an access list?

A. It’s always compared with each line of the access list in sequential order.
B. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.
C. There is an implicit deny at the end of each access list.
D. Until all lines have been analyzed, the comparison is not over.

A

D. It’s compared with lines of the access list only until a match is made. Once the packet matches the condition on a line of the access list, the packet is acted upon and no further comparisons take place.

42
Q

10.2 You need to create an access list that will prevent hosts in the network range of 192.168.160.0 to 192.168.191.0. Which of the following lists will you use?

A. access-list 10 deny 192.168.160.0 255.255.224.0
B. access-list 10 deny 192.168.160.0 0.0.191.255
C. access-list 10 deny 192.168.160.0 0.0.31.255
D. access-list 10 deny 192.168.0.0 0.0.31.255

A

C. The range of 192.168.160.0 to 192.168.191.0 is a block size of 32. The network address is 192.168.160.0, and the mask would be 255.255.224.0, which for an access list must be a wildcard format of 0.0.31.255. The 31 is used for a block size of 32. The wildcard is always one less than the block size.

43
Q

10.3 You have created a named access list called BlockSales. Which of the following is a valid command for applying this to packets trying to enter interface Fa0/0 of your router?

A. (config)#ip access-group 110 in
B. (config-if)#ip access-group 110 in
C. (config-if)#ip access-group Blocksales in
D. (config-if)#BlockSales ip access-list in

A

C. Using a named access list just replaces the number used when applying the list to the router’s interface. ip access-group Blocksales in is correct.

44
Q

10.4 Which access list statement will permit all HTTP sessions to network 192.168.144.0/24 containing web servers?

A. access-list 110 permit tcp 192.168.144.0 0.0.0.255 any eq 80
B. access-list 110 permit tcp any 192.168.144.0 0.0.0.255 eq 80
C. access-list 110 permit tcp 192.168.144.0 0.0.0.255 192.168.144.0 0.0.0.255 any eq 80
D. access-list 110 permit udp any 192.168.144.0 eq 80

A

B. The list must specify TCP as the Transport layer protocol and use a correct wildcard mask (in this case 0.0.0.255), and it must specify the destination port (80). It also should specify any as the set of computers allowed to have this access.

45
Q

10.5 Which of the following access lists will allow only HTTP traffic into network 196.15.7.0?

A. access-list 100 permit tcp any 196.15.7.0 0.0.0.255 eq www
B. access-list 10 deny tcp any 196.15.7.0 eq www
C. access-list 100 permit 196.15.7.0 0.0.0.255 eq www
D. access-list 110 permit ip any 196.15.7.0 0.0.0.255
E. access-list 110 permit www 196.15.7.0 0.0.0.255

A

A. The first thing to check in a question like this is the access-list number. Right away, you can see that the second option is wrong because it is using a standard IP access-list number. The second thing to check is the protocol. If you are filtering by upper-layer protocol, then you must be using either UDP or TCP; this eliminates the fourth option. The third and last options have the wrong syntax.

46
Q

10.6 What router command allows you to determine whether an IP access list is enabled on a particular interface?

A. show ip port
B. show access-lists
C. show ip interface
D. show access-lists interface

A

C. Of the available choices, only the show ip interface command will tell you which interfaces have access lists applied. show access-lists will not show you which interfaces have an access list applied.

47
Q

10.7 If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?

A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23

A

C. The extended access list ranges are 100–199 and 2000–2699, so the access-list number of 100 is valid. Telnet uses TCP, so the protocol TCP is valid. Now you just need to look for the source and destination addresses. Only the third option has the correct sequence of parameters. Option B may work, but the question specifically states only to network 192.168.10.0, and the wildcard in option B is too broad.

48
Q

10.8 If you wanted to deny FTP access from network 200.200.10.0 to network 200.199.11.0 but allow everything else, which of the following command strings is valid?

A. access-list 110 deny 200.200.10.0 to network 200.199.11.0 eq ftp
B. access-list 111 permit ip any 0.0.0.0 255.255.255.255
C. access-list 1 deny ftp 200.200.10.0 200.199.11.0 any any
D. access-list 100 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp
E. access-list 198 deny tcp 200.200.10.0 0.0.0.255 200.199.11.0 0.0.0.255 eq ftp access-list 198 permit ip any 0.0.0.0 255.255.255.255

A

E. Extended IP access lists use numbers 100–199 and 2000–2699 and filter based on source and destination IP address, protocol number, and port number. The last option is correct because of the second line that specifies permit ip any any. (I used 0.0.0.0 255.255.255.255, which is the same as the any option.) The other options do not have this, so they would deny access but not allow everything else.

49
Q

10.9 You want to create an extended access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with?

A. access-list 110 deny ip 172.16.48.0 255.255.240.0 any
B. access-list 110 udp deny 172.16.0.0 0.0.255.255 ip any
C. access-list 110 deny tcp 172.16.64.0 0.0.31.255 any eq 80
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any

A

D. First, you must know that a /20 is 255.255.240.0, which is a block size of 16 in the third octet. Counting by 16s, this makes our subnet 48 in the third octet, and the wildcard for the third octet would be 15 since the wildcard is always one less than the block size.

50
Q

5.10 Which of the following is the wildcard (inverse) version of a /27 mask?

A. 0.0.0.7
B. 0.0.0.31
C. 0.0.0.27
D. 0.0.31.255

A

B. To find the wildcard (inverse) version of this mask, the zero and one bits are simply reversed as follows: 11111111.11111111.11111111.11100000 (27 one bits, or /27) becomes 00000000.00000000.00000000.00011111 (wildcard/inverse mask). However, the answer is always one less (-1), and a /27 is a block of 32, so the answer is easily 31 in the fourth octet.