Chapter 22: Quiz – Infrastructure Security (Answers) CCNPv8 ENARSI

1. What is the Control Plane Policing (CoPP) feature designed to accomplish?

  • manage services provided by the control plane
  • prevent unnecessary traffic from overwhelming the route processor
  • disable control plane services to reduce overall traffic
  • direct all excess traffic away from the route processor

Explanation: Control Plane Policing (CoPP) does not manage or disable any control plane services, and it does not redirect traffic away from the route processor. It applies a policy map to the control plane interface that rate-limits (polices) traffic destined to the route processor, so unnecessary or excessive traffic is dropped before it can overwhelm the route processor.

2. A network administrator wants to configure a user-defined method list on a Cisco router that uses the database on this device when the external server is not available for authentication. Which command does accomplish this goal?

  • aaa authentication login default local group radius
  • aaa authentication login default group radius local
  • aaa authentication login REMOTE_ACCESS local group radius
  • aaa authentication login MANAGEMENT_ACCESS group radius local

Explanation: The aaa authentication login MANAGEMENT_ACCESS group radius local command creates a AAA method list called MANAGEMENT_ACCESS for login authentication. The first method that will be used is the RADIUS server, and if the RADIUS server is not available, the second method that will be used is the local username and password database.

3. Which operation order should the network administrator follow in order to troubleshoot policy maps?

  • The default class is evaluated first, then the other class maps are evaluated in the order they are listed.
  • The class maps are evaluated from the top down.
  • The class maps are evaluated from the bottom up.
  • The class map with more “match” commands is evaluated first, then the next class map with more “match” commands, and so on.

Explanation: Policy maps are processed from the top down. If there is more than one class specified, the first class listed is evaluated first. If the first class is not matched, then the second listed class is evaluated, and so on down the list until the default class is reached at the end.

4. Which IPv6 First-Hop security feature learns and populates the binding table for stateless autoconfiguration addresses?

  • DHCPv6 Guard
  • Source Guard
  • RA Guard
  • IPv6 neighbor discovery inspection

Explanation: IPv6 neighbor discovery inspection/snooping is a feature that learns and populates the binding table for stateless autoconfiguration addresses. It analyzes ND (neighbor discovery) messages and places valid bindings in the binding table and drops all messages that do not have valid bindings.

5. A user complains about not being able to gain access to the network. What command would be used by the network administrator to determine which AAA method list is being used for this particular user as the user logs on?

  • debug aaa accounting
  • debug aaa authorization
  • debug aaa authentication
  • debug aaa protocol

Explanation: The debug aaa authentication command can be used to verify the AAA authentication process in real time, quickly providing the list of methods being used for a specific user.

6. A network administrator wants to verify the number of packets that have conformed to a specific class map used for CoPP. Which command should the administrator use?

  • show access-list
  • show class-map
  • show policy-map
  • show policy-map control-plane

Explanation: The show policy-map control-plane command provides a large amount of information such as the applied policy map, the class maps in the order they are evaluated, the match conditions of the class maps, and the policies that are applied to the traffic that is matched. In addition, the values for cir, bc, and be, as well as the number of packets that conformed to, exceeded, or violated each class's policer, can be verified.
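The three points this section tests (classes are evaluated top-down with the first match winning, unmatched traffic lands in class-default, and each class's policer keeps the conformed/exceeded/violated counters shown by show policy-map control-plane) can be seen in one small model. The following is an added example written for this page, not Cisco code: the class names, rates, protocol labels and packets are constructed, the "match" is a plain predicate standing in for an ACL or match protocol, and the policer is a colour-blind single-rate three-colour policer (cir, bc, be) as in RFC 2697.

```python
"""Model of CoPP policy-map evaluation: top-down class matching, class-default,
and per-class policer counters.  Added illustration, not Cisco code; all
names, rates and packets are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    proto: str   # stands in for what an ACL or 'match protocol' would inspect
    size: int    # bytes


@dataclass
class Policer:
    cir: int   # committed rate, bits per second
    bc: int    # conform burst, bytes (size of the Tc bucket)
    be: int    # exceed burst, bytes (size of the Te bucket)
    tc: int = field(init=False)
    te: int = field(init=False)
    last: float = 0.0
    conformed: int = 0
    exceeded: int = 0
    violated: int = 0

    def __post_init__(self) -> None:
        self.tc, self.te = self.bc, self.be   # both buckets start full

    def police(self, pkt: Packet, now: float) -> str:
        # Refill Tc at CIR; whatever Tc cannot hold spills into Te (RFC 2697).
        tokens = int((now - self.last) * self.cir / 8)
        self.last = now
        spill = max(0, self.tc + tokens - self.bc)
        self.tc = min(self.bc, self.tc + tokens)
        self.te = min(self.be, self.te + spill)
        if pkt.size <= self.tc:
            self.tc -= pkt.size
            self.conformed += 1
            return "conform"
        if pkt.size <= self.te:
            self.te -= pkt.size
            self.exceeded += 1
            return "exceed"
        self.violated += 1
        return "violate"


@dataclass
class ClassMap:
    name: str
    match: Callable[[Packet], bool]
    policer: Policer
    actions: Dict[str, str]   # colour -> "transmit" | "drop"


class PolicyMap:
    """Ordered user-defined classes plus the always-present class-default."""

    def __init__(self, classes: List[ClassMap], default: ClassMap) -> None:
        self.classes = classes
        self.default = default

    def apply(self, pkt: Packet, now: float) -> Tuple[str, str, str]:
        for cm in self.classes:          # top down: the first match wins
            if cm.match(pkt):
                break
        else:                            # no user-defined class matched
            cm = self.default
        colour = cm.policer.police(pkt, now)
        return cm.name, colour, cm.actions[colour]


def build_copp(routing_first: bool = True) -> PolicyMap:
    routing = ClassMap("COPP-ROUTING", lambda p: p.proto in ("ospf", "bgp"),
                       Policer(cir=1_000_000, bc=10_000, be=10_000),
                       {"conform": "transmit", "exceed": "transmit", "violate": "drop"})
    # Deliberately broad class: in this toy model it also matches BGP.
    any_tcp = ClassMap("COPP-ANY-TCP", lambda p: p.proto in ("bgp", "ssh", "telnet"),
                       Policer(cir=64_000, bc=8_000, be=8_000),
                       {"conform": "transmit", "exceed": "transmit", "violate": "drop"})
    default = ClassMap("class-default", lambda p: True,
                       Policer(cir=8_000, bc=1_500, be=1_500),
                       {"conform": "transmit", "exceed": "drop", "violate": "drop"})
    order = [routing, any_tcp] if routing_first else [any_tcp, routing]
    return PolicyMap(order, default)


# Constructed burst of control plane traffic, all arriving at t=0.
SAMPLE = [Packet("bgp", 100), Packet("ospf", 100)] + [Packet("ssh", 4_000)] * 5 + [Packet("snmp", 100)]


def run(routing_first: bool = True):
    """Returns per-packet (class, colour, action) and per-class counters."""
    pm = build_copp(routing_first)
    verdicts = [pm.apply(p, now=0.0) for p in SAMPLE]
    counters = {cm.name: (cm.policer.conformed, cm.policer.exceeded, cm.policer.violated)
                for cm in pm.classes + [pm.default]}
    return verdicts, counters


if __name__ == "__main__":
    verdicts, counters = run()
    for v in verdicts:
        print(v)
    print(counters)   # what 'show policy-map control-plane' would report per class
    # With COPP-ANY-TCP above COPP-ROUTING, BGP is policed by the broad class
    # at 64 kbps and never reaches COPP-ROUTING:
    print(run(routing_first=False)[0][0])
```

The five 4000-byte SSH packets show the three colours in order (two conform from Tc, two exceed from Te, the fifth violates and is dropped), and swapping the class order shows why a broad class placed above a narrow one silently captures the narrow class's traffic.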

7. A junior network engineer needs to configure uRPF on a Cisco router interface to eliminate spoofed IP packets on a network. Which command should be used to configure uRPF mode when using asymmetric routing?

  • ip verify unicast source reachable-via rx allow-default
  • ip verify unicast source reachable-via rx
  • ip verify unicast source reachable-via any
  • ip verify unicast source reachable-via rx allow-self-ping

Explanation: When uRPF is configured on an interface, the mode must match how traffic is routed. With asymmetric routing, return traffic takes a different path, so the best route back to a packet's source may not point out the interface the packet arrived on, and strict mode would drop that legitimate traffic. Where asymmetric routing occurs, uRPF loose mode should be configured. The ip verify unicast source reachable-via any command configures uRPF in loose mode.

8. What is one function of the binding table for IPv6 First-Hop security?

  • It keeps any router rogue IP addresses filtered by RA Guard.
  • It keeps rogue DHCPv6 servers filtered by DHCPv6 Guard.
  • It keeps IPv6 neighbors that are connected to a device.
  • It keeps Layer 2 addresses filtered by Source Guard.

Explanation: The binding table is a database that lists IPv6 neighbors that are connected to a device. It contains information such as link-layer address, the IPv6 address, and the prefix binding.
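Questions 4 and 8 both turn on the binding table: ND inspection fills it from neighbor discovery messages and drops messages that contradict it, and Source Guard later checks data traffic against the same entries. The following is an added, simplified model written for this page, not Cisco code: hosts, MAC addresses, ports and messages are constructed, bindings are keyed on (VLAN, address), and DAD handling, trust levels and Cisco's binding-preference rules are left out.

```python
"""Simplified model of the IPv6 First-Hop Security binding table shared by
ND inspection and Source Guard.  Added illustration, not Cisco code; all
hosts, ports and messages are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple
import ipaddress


@dataclass(frozen=True)
class Binding:
    mac: str
    port: str


@dataclass(frozen=True)
class NDMessage:
    kind: str       # "NS" or "NA"
    addr: str       # address the sender asserts it owns (NS source / NA target)
    src_mac: str
    port: str
    vlan: int


class BindingTable:
    def __init__(self) -> None:
        self.entries: Dict[Tuple[int, str], Binding] = {}

    @staticmethod
    def _key(vlan: int, addr: str) -> Tuple[int, str]:
        # Canonicalise so 2001:DB8:0::A and 2001:db8::a are the same entry.
        return vlan, ipaddress.IPv6Address(addr).compressed

    def nd_inspect(self, msg: NDMessage) -> str:
        """ND inspection: returns 'learned', 'valid' or 'dropped'."""
        key = self._key(msg.vlan, msg.addr)
        known = self.entries.get(key)
        if known is None:
            self.entries[key] = Binding(msg.src_mac, msg.port)
            return "learned"
        if known == Binding(msg.src_mac, msg.port):
            return "valid"
        return "dropped"        # another host/port already owns this address

    def source_guard(self, vlan: int, src_ip: str, port: str) -> str:
        """Source Guard: returns 'forwarded' or 'dropped' for a data packet."""
        known = self.entries.get(self._key(vlan, src_ip))
        if known is None or known.port != port:
            return "dropped"    # unknown source, or bound to a different port
        return "forwarded"


def demo() -> Dict[str, str]:
    bt = BindingTable()
    out: Dict[str, str] = {}
    # Host A comes up on Gi1/0/1: its NS and NA populate the table.
    out["hostA_ns"] = bt.nd_inspect(NDMessage("NS", "2001:db8::a", "00:11:22:33:44:0a", "Gi1/0/1", 10))
    out["hostA_na"] = bt.nd_inspect(NDMessage("NA", "2001:DB8:0::A", "00:11:22:33:44:0a", "Gi1/0/1", 10))
    # A host on Gi1/0/9 advertises host A's address (neighbor cache poisoning).
    out["spoof_na"] = bt.nd_inspect(NDMessage("NA", "2001:db8::a", "de:ad:be:ef:00:09", "Gi1/0/9", 10))
    # Source Guard applies the same table to data packets.
    out["data_from_A"] = bt.source_guard(10, "2001:db8::a", "Gi1/0/1")
    out["data_spoofed"] = bt.source_guard(10, "2001:db8::a", "Gi1/0/9")
    out["data_unbound"] = bt.source_guard(10, "2001:db8::bad", "Gi1/0/9")
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The point the two questions share is that neither feature has its own list of good addresses: the table ND inspection learns from the hosts' own NS/NA traffic is what Source Guard enforces on the data plane.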

9. A junior engineer is learning about uRPF configuration. Which instruction should be followed when a Cisco router is configured with uRPF?

  • Use the show ip interface command to verify that uRPF is enabled on an interface.
  • Configure uRPF with loose mode on router interfaces that connect to subnets with end stations.
  • Configure uRPF with strict mode when asymmetric routing occurs.
  • Configure uRPF with loose mode on uplinks.

Explanation: The show cef interface command is used to verify that CEF, which uRPF depends on, is enabled on an interface. When uRPF is configured on an interface, the correct mode must be chosen: if strict mode is used where asymmetric routing occurs, legitimate traffic is dropped. Where asymmetric routing might occur, configure uRPF in loose mode; where symmetric routing is guaranteed, use strict mode. Strict mode is typically used on router interfaces that connect to subnets with end stations, and loose mode is typically used on uplinks.
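Questions 7 and 9 are easier to reason about with the actual check in front of you. The following is an added example written for this page, not Cisco code: the FIB, interface names and source addresses are constructed, and the check is IPv4-only (real uRPF runs on CEF and also exists for IPv6). It shows why strict mode (reachable-via rx) drops legitimate traffic on an asymmetric path, why loose mode (reachable-via any) does not, and what allow-default changes.

```python
"""Unicast RPF check modelled against a small FIB.  Added illustration, not
Cisco code; routing table, interfaces and packets are constructed."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, egress interface)

# Constructed FIB: Gi0/0 is a LAN with end stations, Gi0/1 and Gi0/2 are
# uplinks.  Replies to 203.0.113.0/24 leave via Gi0/1, but with two ISPs the
# packets from that network may well arrive on Gi0/2 (asymmetric routing).
FIB: List[Route] = [
    ("10.1.1.0/24", "Gi0/0"),
    ("203.0.113.0/24", "Gi0/1"),
    ("198.51.100.0/24", "Gi0/2"),
    ("0.0.0.0/0", "Gi0/1"),
]


def lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match on the source address, as CEF would do it."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    best_len = -1
    for prefix, intf in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, intf), net.prefixlen
    return best


def urpf_passes(fib: List[Route], src: str, in_intf: str,
                mode: str = "rx", allow_default: bool = False) -> bool:
    """mode='rx'  ~ ip verify unicast source reachable-via rx  (strict)
       mode='any' ~ ip verify unicast source reachable-via any (loose)"""
    route = lookup(fib, src)
    if route is None:
        return False                       # no route to the source at all
    prefix, egress = route
    if ipaddress.ip_network(prefix).prefixlen == 0 and not allow_default:
        return False                       # only the default route matched
    if mode == "any":
        return True                        # loose: some route exists
    return egress == in_intf               # strict: must be the arrival interface


if __name__ == "__main__":
    cases = [
        # (description, source, arrival interface, mode, allow_default)
        ("LAN host on its own interface, strict", "10.1.1.50", "Gi0/0", "rx", False),
        ("LAN address spoofed from uplink, strict", "10.1.1.50", "Gi0/1", "rx", False),
        ("asymmetric return path, strict", "203.0.113.7", "Gi0/2", "rx", False),
        ("asymmetric return path, loose", "203.0.113.7", "Gi0/2", "any", False),
        ("source known only via default, strict", "192.0.2.9", "Gi0/1", "rx", False),
        ("same, strict with allow-default", "192.0.2.9", "Gi0/1", "rx", True),
    ]
    for desc, src, intf, mode, dflt in cases:
        verdict = "pass" if urpf_passes(FIB, src, intf, mode, dflt) else "DROP"
        print(f"{verdict:4} {desc}: {src} in {intf}")
```

The second case is the one strict mode exists for (a LAN address arriving on an uplink), the third is the false positive the quiz warns about, and the last two show that a source reachable only through the default route is dropped in either mode unless allow-default is configured.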

10. Which IPv6 First-Hop Security feature is used to block unwanted advertisement messages from unauthorized routers?

  • RA Guard
  • DHCPv6 Guard
  • IPv6 ND inspection
  • Source Guard

Explanation: RA Guard is a feature that analyzes router advertisements (RAs) and can filter out unwanted RAs from unauthorized devices. RA Guard requires a policy to be configured in RA Guard policy configuration mode and enabled on an interface-by-interface basis.

11. What is the first step to check when troubleshooting server-based AAA authentication on a Cisco router?

  • Check to verify that AAA is enabled.
  • Check to verify the server IP address is configured.
  • Check to verify a username and password are configured for console access.
  • Check to verify there is connectivity between the router and the server.

Explanation: AAA is disabled by default on Cisco routers and switches. Therefore, AAA needs to be enabled in global configuration mode with the aaa new-model command to allow the use of all AAA elements.

12. Refer to the exhibit. A network administrator configures AAA authentication on R1. When the administrator tests the configuration by telnetting to R1 and no ACS servers can be contacted, which password should the administrator use in order to login successfully?


  • LetMe1n2
  • Pa$$w0rD
  • authen-radius
  • authen-tacacs

Explanation: Authentication for Telnet connections is defined by the AAA method list AUTHEN applied to the vty lines. The AUTHEN list tries the ACS server over RADIUS first; if no RADIUS server can be contacted, the second method, the local user database, is used. In this scenario the local database holds the username ADMIN with the password Pa$$w0rD, so that is the password that succeeds.
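Questions 2 and 12 here, and questions 1 to 3 of the "Do I Know This Already?" quiz below, all test the same rule: methods in a list run in order, a method that cannot give an answer (unreachable server, empty local database) hands off to the next one, and a definite PASS or FAIL ends the list. The following is an added model written for this page, not Cisco code; the usernames, the RADIUS-side password "radius-only-secret", and the behaviour of falling back to the local database when aaa new-model is set but no method list exists are assumptions of the model, and real IOS has further methods (enable, none) and error cases that are left out.

```python
"""State machine for an IOS AAA login method list.  Added illustration, not
Cisco code; users, passwords and the RADIUS store are constructed."""
from enum import Enum
from typing import Dict, List, Optional


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


class Router:
    def __init__(self, aaa_new_model: bool, usernames: Dict[str, str],
                 line_password: Optional[str] = None, radius_up: bool = True,
                 radius_users: Optional[Dict[str, str]] = None) -> None:
        self.aaa_new_model = aaa_new_model
        self.usernames = usernames            # 'username X password Y' entries
        self.line_password = line_password    # 'password cisco' under line vty
        self.radius_up = radius_up
        self.radius_users = radius_users or {}
        self.method_lists: Dict[str, List[str]] = {}

    def aaa_authentication_login(self, list_name: str, *methods: str) -> None:
        """aaa authentication login <list_name|default> <method> [method ...]"""
        self.method_lists[list_name] = list(methods)

    def _try(self, method: str, user: str, pw: str) -> Result:
        if method == "group radius":
            if not self.radius_up:
                return Result.ERROR           # no reply from any server in the group
            return Result.PASS if self.radius_users.get(user) == pw else Result.FAIL
        if method == "local":
            if not self.usernames:
                return Result.ERROR           # empty local database: next method
            return Result.PASS if self.usernames.get(user) == pw else Result.FAIL
        if method == "line":
            if self.line_password is None:
                return Result.ERROR
            return Result.PASS if pw == self.line_password else Result.FAIL
        raise ValueError(f"unsupported method {method!r}")

    def login(self, user: str, pw: str, vty_list: Optional[str] = None) -> Result:
        if not self.aaa_new_model:
            # Legacy line authentication: only the vty password is checked.
            return Result.PASS if pw == self.line_password else Result.FAIL
        methods = (self.method_lists.get(vty_list) if vty_list else None) \
            or self.method_lists.get("default") or ["local"]
        for m in methods:
            r = self._try(m, user, pw)
            if r is not Result.ERROR:
                return r                      # PASS and FAIL are final
        return Result.FAIL                    # every method errored out


def scenarios() -> Dict[str, Result]:
    out: Dict[str, Result] = {}
    # Q12: list AUTHEN = group radius local, no ACS reachable, local ADMIN/Pa$$w0rD.
    r1 = Router(True, {"ADMIN": "Pa$$w0rD"}, radius_up=False,
                radius_users={"ADMIN": "radius-only-secret"})   # constructed
    r1.aaa_authentication_login("AUTHEN", "group radius", "local")
    out["q12_local_password"] = r1.login("ADMIN", "Pa$$w0rD", vty_list="AUTHEN")
    out["q12_radius_password"] = r1.login("ADMIN", "radius-only-secret", vty_list="AUTHEN")
    # DIKTA 2: default list group radius local, RADIUS down, no usernames at all.
    r2 = Router(True, {}, radius_up=False)
    r2.aaa_authentication_login("default", "group radius", "local")
    out["dikta2_empty_local"] = r2.login("anyone", "anything")
    # DIKTA 3: aaa new-model, username ENARSI/EXAM, vty password cisco, no list.
    r3 = Router(True, {"ENARSI": "EXAM"}, line_password="cisco")
    out["dikta3_username"] = r3.login("ENARSI", "EXAM")
    out["dikta3_line_password"] = r3.login("ENARSI", "cisco")
    # 'local group radius' is not a fallback design: local answers first and a
    # FAIL is final, so the server is never consulted for a locally known user.
    r4 = Router(True, {"ADMIN": "Pa$$w0rD"}, radius_users={"ADMIN": "radius-only-secret"})
    r4.aaa_authentication_login("default", "local", "group radius")
    out["local_first_radius_password"] = r4.login("ADMIN", "radius-only-secret")
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} {result.value}")
```

The last scenario is the practical reason the distractor answers with "local" listed first are wrong: putting the local database ahead of the server does not give you a backup, it makes the local entry authoritative and leaves the RADIUS server unused whenever the username exists locally.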

“Do I Know This Already?” Quiz Answers:

1. Which command successfully configures a user-defined method list on a Cisco IOS device that uses the database on the device if the external server is not available for authentication?

  • aaa authentication login default local group radius
  • aaa authentication login default group radius local
  • aaa authentication login REMOTE_ACCESS local group radius
  • aaa authentication login MANAGEMENT_ACCESS group radius local

2. Your Cisco router is configured with the following command:

aaa authentication login default group radius local

What will occur during login if the local database does not contain any username and password when it is checked?

  • The RADIUS server will be used for authentication.
  • Authentication will fail.
  • The user will be granted access.
  • The line password will be used.

3. Your router is configured as follows:

R1# show run | i aaa|username
aaa new-model
username ENARSI password 0 EXAM
R1# show run | s vty
line vty 0 4
password cisco
transport input all
R1#

Based on the configuration, what will occur when someone uses Telnet to reach the router?

  • Authentication will fail because there is no AAA method list.
  • The user will be required to use the line password cisco.
  • The user will be required to use the username ENARSI with the password EXAM.
  • The user will be granted access either with the username ENARSI with the password EXAM or with the line password cisco.

4. Which of the following commands would you use if you needed uRPF to match the return interface with the incoming interface and a default route?

  • ip verify unicast source reachable-via rx allow-default
  • ip verify unicast source reachable-via any allow-default
  • ip verify unicast source reachable-via any allow-default 111
  • ip verify unicast source reachable-via rx allow-self-ping

5. Which of the following commands would you use for uRPF if the traffic flow were asymmetric?

  • ip verify unicast source reachable-via rx allow-default
  • ip verify unicast source reachable-via rx
  • ip verify unicast source reachable-via any
  • ip verify unicast source reachable-via rx allow-self-ping

6. Which of the following commands would you use to verify the number of packets that have conformed to a specific class map that you are using for CoPP?

  • show access-list
  • show class-map
  • show policy-map
  • show policy-map control-plane

7. How is a policy map processed?

  • All at once, matching the best class map.
  • From top down, matching the first class map that applies.
  • From bottom up, matching the first class map that applies.
  • They are not processed; the class map is processed.

8. What happens when traffic does not match any of the user-defined class maps specified in the policy map?

  • It is ignored.
  • It is dropped.
  • It is transmitted.
  • It is subject to the policy defined in the default class.

9. Which IPv6 First-Hop Security feature is used to block unwanted RA messages?

  • RA Guard
  • DHCPv6 Guard
  • IPv6 ND inspection/snooping
  • Source Guard

10. Which IPv6 First-Hop Security feature is able to validate the source of IPv6 traffic and, if the source is not valid, block it?

  • RA Guard
  • DHCPv6 Guard
  • IPv6 ND inspection/snooping
  • Source Guard