Security Fundamentals Flashcards

1
Q

An inbound access list has been configured on a serial interface to deny packet entry for TCP and UDP ports 21, 23, and 25. What types of packets will be permitted by this ACL? (Choose three).
A. FTP
B. HTTP
C. Telnet
D. POP3
E. SMTP
F. DNS

A

An inbound access list has been configured on a serial interface to deny packet entry for TCP and UDP ports 21, 23, and 25. What types of packets will be permitted by this ACL? (Choose three).
A. FTP
B. HTTP
C. Telnet
D. POP3
E. SMTP
F. DNS

2
Q

An administrator has connected devices to a switch and, for security reasons, wants the dynamically learned MAC addresses from the address table added to the running configuration. What must be done to accomplish this?
A. Enable port security and use the keyword sticky.
B. Set the switchport mode to trunk and save the running configuration.
C. Use the switchport protected command to have the MAC addresses added to the configuration.
D. Use the no switchport port-security command to allow MAC addresses to be added to the configuration.

A

An administrator has connected devices to a switch and, for security reasons, wants the dynamically learned MAC addresses from the address table added to the running configuration. What must be done to accomplish this?
A. Enable port security and use the keyword sticky.
B. Set the switchport mode to trunk and save the running configuration.
C. Use the switchport protected command to have the MAC addresses added to the configuration.
D. Use the no switchport port-security command to allow MAC addresses to be added to the configuration.

3
Q

What is the purpose of the switchport command?
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address 0018.DE8B.4BF8
A. It ensures that only the device with the MAC address 0018.DE8B.4BF8 will be able to connect to the port that is being configured.
B. It informs the switch that traffic destined for MAC address 0018.DE8B.4BF8 should only be sent to the port that is being configured.
C. It will act like an access list and the port will filter packets that have a source or destination MAC of 0018.DE8B.4BF8.
D. The switch will shut down the port of any traffic with source MAC address of 0018.DE8B.4BF8.

A

What is the purpose of the switchport command?
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address 0018.DE8B.4BF8
A. It ensures that only the device with the MAC address 0018.DE8B.4BF8 will be able to connect to the port that is being configured.
B. It informs the switch that traffic destined for MAC address 0018.DE8B.4BF8 should only be sent to the port that is being configured.
C. It will act like an access list and the port will filter packets that have a source or destination MAC of 0018.DE8B.4BF8.
D. The switch will shut down the port of any traffic with source MAC address of 0018.DE8B.4BF8.

4
Q

Why would a network administrator configure port security on a switch?
A. To prevent unauthorized Telnet access to a switch port.
B. To prevent unauthorized hosts from accessing the LAN.
C. To limit the number of Layer 2 broadcasts on a particular switch port.
D. Block unauthorized access to the switch management interfaces.

A

Why would a network administrator configure port security on a switch?
A. To prevent unauthorized Telnet access to a switch port.
B. To prevent unauthorized hosts from accessing the LAN.
C. To limit the number of Layer 2 broadcasts on a particular switch port.
D. Block unauthorized access to the switch management interfaces.

5
Q

How can you ensure that only the MAC address of a server is allowed by switch port Fa0/1?
A. Configure port Fa0/1 to accept connections only from the static IP address of the server.
B. Configure the server MAC address as a static entry of port security.
C. Use a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.

A

How can you ensure that only the MAC address of a server is allowed by switch port Fa0/1?
A. Configure port Fa0/1 to accept connections only from the static IP address of the server.
B. Configure the server MAC address as a static entry of port security.
C. Use a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.

6
Q

A company has placed a networked PC in a lobby so guests can have access to the corporate directory. A security concern is that someone will disconnect the directory PC and re-connect their laptop computer and have access to the corporate network. For the port servicing the lobby, which three configuration steps should be performed on the switch to prevent this? (Choose three).
A. Enable port security.
B. Create the port as a trunk port.
C. Create the port as an access port.
D. Create the port as a protected port.
E. Set the port security aging time to 0.
F. Statically assign the MAC address to the address table.
G. Configure the switch to discover new MAC addresses after a set time of inactivity.

A

A company has placed a networked PC in a lobby so guests can have access to the corporate directory. A security concern is that someone will disconnect the directory PC and re-connect their laptop computer and have access to the corporate network. For the port servicing the lobby, which three configuration steps should be performed on the switch to prevent this? (Choose three).
A. Enable port security.
B. Create the port as a trunk port.
C. Create the port as an access port.
D. Create the port as a protected port.
E. Set the port security aging time to 0.
F. Statically assign the MAC address to the address table.
G. Configure the switch to discover new MAC addresses after a set time of inactivity.

7
Q

Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two).
A. SW1# show port-secure interface FastEthernet 0/12
B. SW1# show switchport port-secure interface FastEthernet 0/12
C. SW1# show running-config
D. SW1# show port-security interface FastEthernet 0/12
E. SW1# show switchport port-security interface FastEthernet 0/12

A

Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two).
A. SW1# show port-secure interface FastEthernet 0/12
B. SW1# show switchport port-secure interface FastEthernet 0/12
C. SW1# show running-config
D. SW1# show port-security interface FastEthernet 0/12
E. SW1# show switchport port-security interface FastEthernet 0/12

8
Q

What will be the result if the following configuration commands are implemented on a Cisco switch?
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
A. A dynamically learned MAC address is saved in the startup-configuration file.
B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

A

What will be the result if the following configuration commands are implemented on a Cisco switch?
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
A. A dynamically learned MAC address is saved in the startup-configuration file.
**B. A dynamically learned MAC address is saved in the running-configuration file.**
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

9
Q

A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two).
A. The network administrator can apply port security to dynamic access ports.
B. The network administrator can apply port security to EtherChannels.
C. When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.
E. The network administrator can configure static secure or sticky secure MAC addresses in the voice VLAN.

A

A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two).
A. The network administrator can apply port security to dynamic access ports.
B. The network administrator can apply port security to EtherChannels.
C. When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.
E. The network administrator can configure static secure or sticky secure MAC addresses in the voice VLAN.

10
Q

Refer to the exhibit.
A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two).
A. Port security needs to be globally enabled.
B. Port security needs to be enabled on the interface.
C. Port security needs to be configured to shut down the interface in the event of a violation.
D. Port security needs to be configured to allow only one learned MAC address.
E. Port security interface counters need to be cleared before using the show command.
F. The port security configuration needs to be saved to NVRAM before it can become active.

A

Refer to the exhibit.
A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two).
A. Port security needs to be globally enabled.
B. Port security needs to be enabled on the interface.
C. Port security needs to be configured to shut down the interface in the event of a violation.
D. Port security needs to be configured to allow only one learned MAC address.
E. Port security interface counters need to be cleared before using the show command.
F. The port security configuration needs to be saved to NVRAM before it can become active.

11
Q

Which set of commands is recommended to prevent the use of a hub in the access layer?
A. switch(config-if)# switchport mode trunk
switch(config-if)# switchport port-security maximum 1
B. switch(config-if)# switchport mode trunk
switch(config-if)# switchport port-security mac-address 1
C. switch(config-if)# switchport mode access
switch(config-if)# switchport port-security maximum 1
D. switch(config-if)# switchport mode access
switch(config-if)# switchport port-security mac-address 1

A

Which set of commands is recommended to prevent the use of a hub in the access layer?
A. switch(config-if)# switchport mode trunk
switch(config-if)# switchport port-security maximum 1
B. switch(config-if)# switchport mode trunk
switch(config-if)# switchport port-security mac-address 1
C. switch(config-if)# switchport mode access
switch(config-if)# switchport port-security maximum 1
D. switch(config-if)# switchport mode access
switch(config-if)# switchport port-security mac-address 1

12
Q

Refer to the exhibit.
The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)# switchport port-security
2950Switch(config-if)# switchport port-security mac-address sticky
2950Switch(config-if)# switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two).
A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

A

Refer to the exhibit.
The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)# switchport port-security
2950Switch(config-if)# switchport port-security mac-address sticky
2950Switch(config-if)# switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two).
A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

13
Q

What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two).
A. Allow unrestricted access to the console or VTY ports.
B. Use a firewall to restrict access from the outside to the network devices.
C. Always use Telnet to access the device command line because its data is automatically encrypted.
D. Use SSH or another encrypted and authenticated transport to access device configurations.
E. Prevent the loss of passwords by disabling password encryption.

A

What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two).
A. Allow unrestricted access to the console or VTY ports.
B. Use a firewall to restrict access from the outside to the network devices.
C. Always use Telnet to access the device command line because its data is automatically encrypted.
D. Use SSH or another encrypted and authenticated transport to access device configurations.
E. Prevent the loss of passwords by disabling password encryption.

14
Q

What is the effect of this configuration?
line vty 0 4
password todd
login
transport input ssh

A. It configures SSH globally for all logins.
B. It tells the router or switch to try to establish an SSH connection first and if that fails to use Telnet.
C. It configures a Cisco network device to use the SSH protocol on incoming communications via the VTY lines.
D. It configures the device to use only Telnet on the VTY lines.

A

What is the effect of this configuration?
line vty 0 4
password todd
login
transport input ssh

A. It configures SSH globally for all logins.
B. It tells the router or switch to try to establish an SSH connection first and if that fails to use Telnet.
C. It configures a Cisco network device to use the SSH protocol on incoming communications via the VTY lines.
D. It configures the device to use only Telnet on the VTY lines.

15
Q

On which options are standard access lists based?
A. destination address and wildcard mask
B. destination address and subnet mask
C. source address and subnet mask
D. source address and wildcard mask

A

On which options are standard access lists based?
A. destination address and wildcard mask
B. destination address and subnet mask
C. source address and subnet mask
D. source address and wildcard mask

16
Q

Refer to the exhibit.
Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?

A. ACDB
B. BADC
C. DBAC
D. CDBA

A

Refer to the exhibit.
Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?

A. ACDB
B. BADC
C. DBAC
D. CDBA

17
Q

Refer to the exhibit.
An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?
A. no ip access-class 102 in
B. no ip access-class 102 out
C. no ip access-group 102 in
D. no ip access-group 102 out
E. no ip access-list 102 in

A

Refer to the exhibit.
An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?
A. no ip access-class 102 in
B. no ip access-class 102 out
C. no ip access-group 102 in
D. no ip access-group 102 out
E. no ip access-list 102 in

18
Q

Which statement about access lists that are applied to an interface is true?
A. You can place as many access lists as you want on any interface.
B. You can apply only one access list on any interface.
C. You can configure one access list, per direction, per Layer 3 protocol.
D. You can apply multiple access lists with the same protocol or in different directions.

A

Which statement about access lists that are applied to an interface is true?
A. You can place as many access lists as you want on any interface.
B. You can apply only one access list on any interface.
C. You can configure one access list, per direction, per Layer 3 protocol.
D. You can apply multiple access lists with the same protocol or in different directions.

19
Q

Which item represents the standard IP ACL?
A. access-list 110 permit ip any any
B. access-list 50 deny 192.168.1.1 0.0.0.255
C. access list 101 deny tcp any host 192.168.1.1
D. access-list 2500 deny tcp any host 192.168.1.1 eq 22

A

Which item represents the standard IP ACL?
A. access-list 110 permit ip any any
B. access-list 50 deny 192.168.1.1 0.0.0.255
C. access list 101 deny tcp any host 192.168.1.1
D. access-list 2500 deny tcp any host 192.168.1.1 eq 22

20
Q

A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two).
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
B. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
E. access-list 10 permit ip 192.168.146.0 0.0.0.255
F. access-list 10 permit ip 192.168.146.0 255.255.255.0

A

A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two).
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
B. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
E. access-list 10 permit ip 192.168.146.0 0.0.0.255
F. access-list 10 permit ip 192.168.146.0 255.255.255.0

21
Q

What can be done to secure the virtual terminal interfaces on a router? (Choose two).
A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

A

What can be done to secure the virtual terminal interfaces on a router? (Choose two).
A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

22
Q

Which of the following statements are TRUE regarding Cisco access lists? (Choose two).
A. In an inbound access list, packets are filtered as they enter an interface.
B. In an inbound access list, packets are filtered before they exit an interface.
C. Extended access lists are used to filter protocol-specific packets.
D. You must specify a deny statement at the end of each access list to filter unwanted traffic.
E. When a line is added to an existing access list, it is inserted at the beginning of the access list.

A

Which of the following statements are TRUE regarding Cisco access lists? (Choose two).
A. In an inbound access list, packets are filtered as they enter an interface.
B. In an inbound access list, packets are filtered before they exit an interface.
C. Extended access lists are used to filter protocol-specific packets.
D. You must specify a deny statement at the end of each access list to filter unwanted traffic.
E. When a line is added to an existing access list, it is inserted at the beginning of the access list.

23
Q

Which statement about ACLs is true?
A. An ACL must have at least one permit action, else it just blocks all traffic.
B. ACLs go bottom-up through the entries looking for a match.
C. An ACL has an implicit permit at the end of ACL.
D. ACLs will check the packet against all entries looking for a match.

A

Which statement about ACLs is true?
A. An ACL must have at least one permit action, else it just blocks all traffic.
B. ACLs go bottom-up through the entries looking for a match.
C. An ACL has an implicit permit at the end of ACL.
D. ACLs will check the packet against all entries looking for a match.

24
Q

A host is able to ping a web server, but it is not able to make an HTTP request. What could be the problem?
A. ACL blocking port 23
B. ACL blocking all ports
C. ACL blocking port 80
D. ACL blocking port 443
E. None of the above

A

A host is able to ping a web server, but it is not able to make an HTTP request. What could be the problem?
A. ACL blocking port 23
B. ACL blocking all ports
C. ACL blocking port 80
D. ACL blocking port 443
E. None of the above

25
Q

Which of the following are the valid numbers of standard ACL? (Choose two).
A. 50
B. 1550
C. 150
D. 1250
E. 2050

A

Which of the following are the valid numbers of standard ACL? (Choose two).
A. 50
B. 1550
C. 150
D. 1250
E. 2050

The standard ACL ranges are 1-99 and 1300-1999, so 50 and 1550 are the two valid numbers.

26
Q

Which command can you enter to block HTTPS traffic from the whole class A private network range to a host?
A. R1(config)# access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 443
B. R1(config)# access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 53
C. R1(config)# access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 53
D. R1(config)# access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 443

A

Which command can you enter to block HTTPS traffic from the whole class A private network range to a host?
A. R1(config)# access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 443
B. R1(config)# access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 53
C. R1(config)# access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 53
D. R1(config)# access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 443

27
Q

Which range represents the standard access list?
A. 99
B. 150
C. 299
D. 2000

A

Which range represents the standard access list?
A. 99
B. 150
C. 299
D. 2000

28
Q

Which command is necessary to permit SSH or Telnet access to a Cisco switch that is otherwise configured for these vty line protocols?
A. transport type all
B. transport output all
C. transport preferred all
D. transport input all

A

Which command is necessary to permit SSH or Telnet access to a Cisco switch that is otherwise configured for these vty line protocols?
A. transport type all
B. transport output all
C. transport preferred all
D. transport input all

29
Q

Which action can change the order of entries in a named access-list?
A. Removing an entry
B. Opening the access-list in notepad
C. Adding an entry
D. Resequencing

A

Which action can change the order of entries in a named access-list?
A. Removing an entry
B. Opening the access-list in notepad
C. Adding an entry
D. Resequencing

30
Q

If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?

A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23

A

If you wanted to deny all Telnet connections to only network 192.168.10.0, which command could you use?

A. access-list 100 deny tcp 192.168.10.0 255.255.255.0 eq telnet
B. access-list 100 deny tcp 192.168.10.0 0.255.255.255 eq telnet
C. access-list 100 deny tcp any 192.168.10.0 0.0.0.255 eq 23
D. access-list 100 deny 192.168.10.0 0.0.0.255 any eq 23

31
Q

You want to create an extended access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.192.0 0.0.31.255 any
B. access-list 110 deny ip 172.16.50.0 0.0.16.255 any
C. access-list 10 deny ip 172.16.172.0 0.0.31.255 any
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any

A

You want to create an extended access list that denies the subnet of the following host: 172.16.50.172/20. Which of the following would you start your list with?
A. access-list 110 deny ip 172.16.192.0 0.0.31.255 any
B. access-list 110 deny ip 172.16.50.0 0.0.16.255 any
C. access-list 10 deny ip 172.16.172.0 0.0.31.255 any
D. access-list 110 deny ip 172.16.48.0 0.0.15.255 any

32
Q

The following access list has been applied to an interface on a router:
access-list 101 deny tcp 199.111.16.32 0.0.0.31 host 199.168.5.60
Which of the following IP addresses will be blocked because of this single rule in the list? (Choose two).
A. 199.111.16.67
B. 199.111.16.38
C. 199.111.16.65
D. 199.11.16.54

A

The following access list has been applied to an interface on a router:
access-list 101 deny tcp 199.111.16.32 0.0.0.31 host 199.168.5.60
Which of the following IP addresses will be blocked because of this single rule in the list? (Choose two).
A. 199.111.16.67
B. 199.111.16.38
C. 199.111.16.65
D. 199.11.16.54

33
Q

What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two).
A. Allow unrestricted access to the console or VTY ports.
B. Use a firewall to restrict access from the outside to the network devices.
C. Always use Telnet to access the device command line because its data is automatically encrypted.
D. Use SSH or another encrypted and authenticated transport to access device configurations.
E. Prevent the loss of passwords by disabling password encryption.

A

What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two).
A. Allow unrestricted access to the console or VTY ports.
B. Use a firewall to restrict access from the outside to the network devices.
C. Always use Telnet to access the device command line because its data is automatically encrypted.
D. Use SSH or another encrypted and authenticated transport to access device configurations.
E. Prevent the loss of passwords by disabling password encryption.

34
Q

What should be part of a comprehensive network security plan?
A. Allow users to develop their own approach to network security.
B. Physically secure network equipment from potential access by unauthorized individuals.
C. Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten.
D. Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported.
E. Minimize network overhead by deactivating automatic antivirus client updates.

A

What should be part of a comprehensive network security plan?
A. Allow users to develop their own approach to network security.
B. Physically secure network equipment from potential access by unauthorized individuals.
C. Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten.
D. Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported.
E. Minimize network overhead by deactivating automatic antivirus client updates.

35
Q

Which type of attack is characterized by a flood of packets that are requesting a TCP connection to a server?
A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse

A

Which type of attack is characterized by a flood of packets that are requesting a TCP connection to a server?
A. denial of service
B. brute force
C. reconnaissance
D. Trojan horse

36
Q

The maximum size of a TCP/IP packet is 65,535 bytes. What type of attack is characterized by oversized packets, causing a device to reboot incessantly, freeze up, or totally crash?
A. denial of service
B. brute force
C. ping of death
D. trojan horse

A

The maximum size of a TCP/IP packet is 65,535 bytes. What type of attack is characterized by oversized packets, causing a device to reboot incessantly, freeze up, or totally crash?
A. denial of service
B. brute force
C. ping of death
D. trojan horse

37
Q

Refer to the exhibit.
Identify the security threats on RouterA (Choose three).

A. unencrypted password set
B. unsecured message on banner
C. remote access can only be made through telnet or SSH
D. user gets level 15 automatically by default

A

Refer to the exhibit.
Identify the security threats on RouterA (Choose three).

A. unencrypted password set
B. unsecured message on banner
C. remote access can only be made through telnet or SSH
D. user gets level 15 automatically by default

38
Q

Refer to the exhibit.
Which two of the following are true regarding the configuration of RouterA (Choose two).
A. At least 5 simultaneous remote connections are possible.
B. Only telnet protocol connections to RouterA are supported.
C. Remote connection to RouterA using telnet will succeed.
D. Console line connection will never time out due to inactivity.
E. Since DHCP is not used on Fa0/1 there is not a need to use the NAT protocol.

A

Refer to the exhibit.
Which two of the following are true regarding the configuration of RouterA (Choose two).
A. At least 5 simultaneous remote connections are possible.
B. Only telnet protocol connections to RouterA are supported.
C. Remote connection to RouterA using telnet will succeed.
D. Console line connection will never time out due to inactivity.
E. Since DHCP is not used on Fa0/1 there is not a need to use the NAT protocol.

39
Q

Of the following, identify the numerous kinds of security threats. (Choose three).
A. Hardware threats
B. Access attacks
C. IDS/IPS
D. Password attacks

A

Of the following, identify the numerous kinds of security threats. (Choose three).
A. Hardware threats
B. Access attacks
C. IDS/IPS
D. Password attacks

40
Q

To prevent users from plugging a host into a Switch port, which command is used to enable port security on a Switch?
A. Switch# switchport port-security
B. Switch(config)# switchport port-security
C. Switch(config-if)# switchport port-security enable
D. Switch(config-if)# switchport port-security

A

To prevent users from plugging a host into a Switch port, which command is used to enable port security on a Switch?
A. Switch# switchport port-security
B. Switch(config)# switchport port-security
C. Switch(config-if)# switchport port-security enable
D. Switch(config-if)# switchport port-security

41
Q

In order to allow only one host to use a specific port on a Switch, what command will accomplish this?
A. Switch(config-if)# switchport port-security maximum 1
B. Switch(config-if)# switchport port-security 1
C. Switch(config-if)# switchport port-security mac-address 1
D. Switch(config-if)# switchport port-security mac-address sticky

A

In order to allow only one host to use a specific port on a Switch, what command will accomplish this?
A. Switch(config-if)# switchport port-security maximum 1
B. Switch(config-if)# switchport port-security 1
C. Switch(config-if)# switchport port-security mac-address 1
D. Switch(config-if)# switchport port-security mac-address sticky

42
Q

By default, ports on a Cisco Switch are?
A. shutdown
B. enabled
C. secured
D. trunks

A

By default, ports on a Cisco Switch are?
A. shutdown
B. enabled
C. secured
D. trunks

43
Q

What is the effect of using the service password-encryption command?
A. Only the enable password will be encrypted.
B. Only the enable secret password will be encrypted.
C. Only passwords configured after the command has been entered will be encrypted.
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.

A

What is the effect of using the service password-encryption command?
A. Only the enable password will be encrypted.
B. Only the enable secret password will be encrypted.
C. Only passwords configured after the command has been entered will be encrypted.
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.

44
Q

What is the effect of this configuration?
line vty 0 4
password todd
login
transport input ssh
A. It configures SSH globally for all logins.
B. It tells the router or switch to try to establish an SSH connection first and if that fails to use Telnet.
C. It configures a Cisco network device to use the SSH protocol on incoming communications via the VTY lines.
D. It configures the device to use only Telnet on the VTY lines.

A

What is the effect of this configuration?
line vty 0 4
password todd
login
transport input ssh
A. It configures SSH globally for all logins.
B. It tells the router or switch to try to establish an SSH connection first and if that fails to use Telnet.
C. It configures a Cisco network device to use the SSH protocol on incoming communications via the VTY lines.
D. It configures the device to use only Telnet on the VTY lines.

45
Q

What are two characteristics of Telnet?
A. It sends data in clear text.
B. It is no longer supported on Cisco network devices.
C. It is more secure than SSH.
D. It requires that the destination device be configured to support Telnet connections.

A

What are two characteristics of Telnet?
A. It sends data in clear text.
B. It is no longer supported on Cisco network devices.
C. It is more secure than SSH.
D. It requires that the destination device be configured to support Telnet connections.

46
Q

A company has placed a networked PC in a lobby so guests can have access to the internet. A security concern is that someone will disconnect the Ethernet cable from the PC and re-connect it to their laptop computer and have access to the corporate network. For the port servicing the lobby, which three configuration steps should be performed on the switch to prevent this? (Choose three).
A. Enable port security.
B. Create the port as a trunk port.
C. Create the port as an access port.
D. Create the port as a protected port.
E. Set the port security aging time to 0.
F. Statically assign the MAC address to the address table.
G. Configure the switch to discover new MAC addresses after a set time of inactivity.

A

A company has placed a networked PC in a lobby so guests can have access to the internet. A security concern is that someone will disconnect the Ethernet cable from the PC and re-connect it to their laptop computer and have access to the corporate network. For the port servicing the lobby, which three configuration steps should be performed on the switch to prevent this? (Choose three).
A. Enable port security.
B. Create the port as a trunk port.
C. Create the port as an access port.
D. Create the port as a protected port.
E. Set the port security aging time to 0.
F. Statically assign the MAC address to the address table.
G. Configure the switch to discover new MAC addresses after a set time of inactivity.

47
Q

From which of the following attacks can Message Authentication Code (MAC) shield your network?
A. DoS
B. DDoS
C. spoofing
D. SYN floods

A

From which of the following attacks can Message Authentication Code (MAC) shield your network?
A. DoS
B. DDoS
C. spoofing
D. SYN floods