Chapter 26 Quiz: Network Device Access Control and Infrastructure Security (Answers) - CCNPv8 ENCOR

14. A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)

  • 172.16.0.255
  • 172.16.15.36
  • 172.16.16.12
  • 172.16.31.24
  • 172.16.65.21

Explanation: In a wildcard mask a 0 bit means the corresponding address bit must match the entry and a 1 bit means it is ignored. The mask 0.0.15.255 fixes the first 20 bits of 172.16.0.0, so any address in the range 172.16.0.0 through 172.16.15.255 matches; of the choices, 172.16.0.255 and 172.16.15.36 are the two that fall inside it. The other three have a third octet of 16 or more, which changes one of the fixed bits.
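The matching rule above can be checked mechanically. The following Python is an added example (not part of the quiz or the CCNP material): it applies the wildcard-mask rule bit by bit to each candidate address, derives the low/high address of a contiguous mask, and also shows the general case the quiz does not cover, a non-contiguous wildcard such as 0.0.254.255 that matches only even third octets and therefore has no single address range. All function names and the sample addresses are the example's own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def acl_matches(entry_addr: str, wildcard: str, candidate: str) -> bool:
    """True if `candidate` matches the ACE `entry_addr wildcard`.

    Wildcard semantics: a 0 bit in the mask means "this bit must match the
    entry", a 1 bit means "ignore this bit".  Clearing the ignored bits on
    both sides and comparing what is left implements exactly that rule.
    """
    base = int(ipaddress.IPv4Address(entry_addr))
    wild = int(ipaddress.IPv4Address(wildcard))
    cand = int(ipaddress.IPv4Address(candidate))
    keep = ~wild & ALL_ONES
    return (base & keep) == (cand & keep)


def is_contiguous(wildcard: str) -> bool:
    """A contiguous wildcard is 0...01...1, i.e. the complement of a subnet mask.
    Only for such masks does the ACE correspond to one address range."""
    wild = int(ipaddress.IPv4Address(wildcard))
    return (wild & (wild + 1)) == 0


def acl_range(entry_addr: str, wildcard: str) -> tuple:
    """Lowest and highest matching address for a contiguous wildcard mask."""
    if not is_contiguous(wildcard):
        raise ValueError(f"{wildcard} is not contiguous; the ACE matches several disjoint ranges")
    base = int(ipaddress.IPv4Address(entry_addr))
    wild = int(ipaddress.IPv4Address(wildcard))
    low = base & ~wild & ALL_ONES       # ignored bits cleared
    high = low | wild                   # ignored bits set
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def matching_candidates(entry_addr: str, wildcard: str, candidates: list) -> list:
    """Filter a list of addresses down to those the ACE would permit."""
    return [c for c in candidates if acl_matches(entry_addr, wildcard, c)]


# The five answer choices from the quiz question.
QUIZ_CHOICES = ["172.16.0.255", "172.16.15.36", "172.16.16.12", "172.16.31.24", "172.16.65.21"]

if __name__ == "__main__":
    print("range:", acl_range("172.16.0.0", "0.0.15.255"))
    print("matches:", matching_candidates("172.16.0.0", "0.0.15.255", QUIZ_CHOICES))
    # Non-contiguous example: only even third octets match, so no single range exists.
    for addr in ("172.16.2.1", "172.16.3.1"):
        print(addr, "matches 172.16.0.0 0.0.254.255:", acl_matches("172.16.0.0", "0.0.254.255", addr))
```

When reviewing a real ACL, run `is_contiguous` first: a non-contiguous mask is legal on IOS and occasionally intentional, but it is a common source of "this ACL matches things it should not" findings because readers mentally convert every wildcard into a subnet.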

15. Which service can be disabled to help mitigate man-in-the-middle intrusion attacks that exploit spoofed MAC addresses?

  • proxy ARP
  • IP redirects
  • service configuration
  • maintenance operation protocol

Explanation: Proxy ARP permits a router to answer ARP requests that were intended for a different device, supplying its own MAC address as the reply. An attacker who can exploit the same behaviour can answer with a spoofed MAC address and place themselves in the path of traffic. Disabling proxy ARP on the interface (no ip proxy-arp) removes this avenue.

16. What is the result in the self zone if a router is the source or destination of traffic?

  • No traffic is permitted.
  • All traffic is permitted.
  • Only traffic that originates in the router is permitted.
  • Only traffic that is destined for the router is permitted.

Explanation: Traffic that originates from or is destined for the router itself belongs to the self zone, and by default all of it is permitted. That default holds only until a zone pair that includes the self zone is configured; from then on the attached policy decides what the router accepts and sends.

17. Which command uses the MD5 hashing algorithm to configure a secure encrypted password?

  • enable password {password}
  • enable secret {password}
  • service password-encryption
  • username {username} password {password}

Explanation: The enable secret command stores the password as a salted MD5 hash (shown in the configuration as a type 5 secret). The service password-encryption command uses a Cisco-proprietary Vigenère-style cipher (type 7), which is reversible rather than a hash. The enable password and username password commands store passwords in clear text (type 0) unless service password-encryption is enabled. On current IOS releases, enable algorithm-type sha256 secret (type 8) or enable algorithm-type scrypt secret (type 9) should be preferred to the MD5-based type 5.

18. Which two password types are considered insecure and should be avoided whenever possible? (Choose two.)

  • type 0
  • type 5
  • type 7
  • type 8
  • type 9

Explanation: Type 0 and type 7 passwords are both considered insecure. Type 0 passwords are stored in clear text. Type 7 passwords are obfuscated with a weak Vigenère-style cipher that uses a fixed, publicly known key, so anyone who can read the configuration can recover them in seconds. Types 5 (salted MD5), 8 (PBKDF2-SHA256) and 9 (scrypt) are one-way hashes, with 8 and 9 the ones to use when the platform supports them.
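To make the point about types 0 and 7 concrete, and to show what the service password-encryption command from question 17 actually does, here is an added Python example (not from the quiz or from Cisco). It implements the type 7 reversible transform in both directions using the fixed XOR key that IOS uses, then runs a small audit over a constructed running-config excerpt, classifying each credential line by password type and recovering the clear text wherever the type allows it. The function names, the verdict table, and the sample config (whose type 5 and type 9 hash values are obvious placeholders, not real digests) are the example's own.

```python
import re

# Fixed XOR key that IOS uses for type 7 ("service password-encryption") strings.
# It is public and never changes, which is exactly why type 7 is reversible.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Reverse a type 7 string: a 2-digit decimal seed, then XOR'd bytes as hex pairs."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string is a 2-digit seed followed by hex byte pairs")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plaintext: str, seed: int = 0) -> str:
    """Produce the string IOS would store for `plaintext` with the given seed (0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS type 7 seeds are 0 through 15")
    data = plaintext.encode("ascii")
    body = "".join(f"{b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}" for i, b in enumerate(data))
    return f"{seed:02d}{body}"


# Matches "enable password|secret [type] value" and
# "username X [privilege N] password|secret [type] value".
_CRED_RE = re.compile(
    r"^\s*(?:enable\s+(?P<kw1>password|secret)"
    r"|username\s+\S+(?:\s+privilege\s+\d+)?\s+(?P<kw2>password|secret))"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)"
)

# Example verdict table; the numbers are the IOS password types.
VERDICT = {
    0: "insecure (clear text)",
    5: "weak (salted MD5, crackable offline)",
    7: "insecure (reversible)",
    8: "acceptable (PBKDF2-SHA256)",
    9: "preferred (scrypt)",
}


def audit_config(config_text: str) -> list:
    """Classify every credential line in a saved config by password type.

    In a saved configuration IOS always writes the type digit, so a credential
    line with no digit is a clear-text (type 0) password.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _CRED_RE.match(line)
        if not m:
            continue
        ptype = int(m.group("type") or 0)
        entry = {"line": lineno, "type": ptype,
                 "verdict": VERDICT.get(ptype, "unknown type"), "recovered": None}
        if ptype == 7:
            entry["recovered"] = type7_decrypt(m.group("value"))
        elif ptype == 0:
            entry["recovered"] = m.group("value")
        findings.append(entry)
    return findings


# Constructed sample running-config excerpt. The $1$ and $9$ values are placeholders.
SAMPLE_CONFIG = """\
enable secret 5 $1$abcd$placeholderMD5hashXXXXXXXXXX
enable password letmein
username netops password 7 094F471A1A0A
username admin privilege 15 secret 9 $9$abcdefghijklmn$placeholderScryptHashXXXXXXXXXXXXXXXXXX
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: type {f['type']} -> {f['verdict']}"
              + (f", recovered '{f['recovered']}'" if f["recovered"] else ""))
```

The audit deliberately treats type 5 as "weak" rather than "insecure": it cannot be reversed like type 7, but an unsalted-per-guess MD5 is cheap to brute-force offline, which is why the quiz's type 8 and type 9 options exist.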

19. What is the purpose of AAA accounting?

  • to collect and report application usage
  • to determine which resources the user can access
  • to prove users are who they say they are
  • to determine which operations the user can perform

Explanation: AAA accounting collects and reports usage data, such as when a session started and stopped and which commands were executed, which can then be used for auditing or billing. AAA authentication is the process of verifying that users are who they say they are. AAA authorization determines what users can and cannot do on the network after they have been authenticated.

20. Where is a CoPP policy map applied?

  • to the control plane
  • to the self zone
  • to the VTY lines
  • to the interfaces receiving control plane traffic

Explanation: CoPP protects the router CPU from unexpectedly high rates of traffic by applying a QoS policy to packets that are destined to, or sourced from, the control plane. The policy map is therefore attached in control-plane configuration mode (control-plane, then service-policy input), not to the individual interfaces on which control plane traffic happens to arrive.

21. Which ACL would be processed first if all were applied on a device?

  • Inbound PACL on a switch port in VLAN 10
  • Inbound VACL on VLAN 10
  • Inbound ACL on the VLAN 10 SVI
  • Outbound VACL on VLAN 20
  • Outbound ACL on the VLAN 20 SVI

Explanation: PACLs, VACLs, and RACLs have a specific order in which they are processed. For routed traffic across VLANs, the processing order is as follows:

  1. Inbound PACL on a switch port in VLAN x
  2. Inbound VACL on VLAN x
  3. Inbound ACL on the VLAN x SVI
  4. Outbound VACL on VLAN y
  5. Outbound ACL on the VLAN y SVI

22. Which zone is a system-level ZBFW zone that permits inbound and outbound traffic by default?

  • self
  • inside
  • default
  • demilitarized

Explanation: The self zone is a system-level zone that includes all of the device's own IP addresses. By default, all traffic sourced from or destined to the self zone is permitted; that changes only once a zone pair involving the self zone is configured with a policy.

23. What IOS privilege levels are available to assign for custom user-level privileges?

  • levels 1 through 15
  • levels 0, 1, and 15
  • levels 2 through 14
  • levels 0 and 1

Explanation: There are 16 privilege levels (0 through 15) that can be applied to user accounts. Levels 0, 1, and 15 have predefined settings, which leaves levels 2 through 14 available for creating custom levels of access.

24. Which packet type is user-generated and forwarded by a router?

  • data plane packet
  • control plane packet
  • management plane packet
  • routing protocol update packet

Explanation: Data plane packets are user-generated and are simply forwarded by the router. Control plane and management plane packets are generated by the network devices themselves. Routing protocol update packets are a type of control plane packet, generated by network devices to keep the network converged and operating properly.

25. What are two protocols that are used by AAA to authenticate users against a central database of usernames and passwords? (Choose two.)

  • NTP
  • TACACS+
  • SSH
  • HTTPS
  • RADIUS

Explanation: By using TACACS+ or RADIUS, AAA can authenticate users against a database of usernames and passwords stored centrally on a server such as Cisco ACS or ISE. TACACS+ encrypts the entire packet body and separates authentication from authorization, which makes it the usual choice for device administration; RADIUS obfuscates only the password field and is more commonly used for network access.
