Chapter 26: Quiz- Network Device Access Control and Infrastructure Security (Answers) CCNPv8 ENCOR

14. A network administrator configures an ACL with the command R1(config)# access-list 1 permit Which two IP addresses will match this ACL statement? (Choose two.)


Explanation: The wildcard mask indicates that any IP address within the range of to matches.

15. Which service can be disabled to help mitigate man-in-the-middle intrusion attacks that exploit spoofed MAC addresses?

  • proxy ARP
  • IP redirects
  • service configuration
  • maintenance operation protocol

Explanation: Proxy ARP permits a router to reply to ARP requests intended for a different router. An attacker can exploit this technique to spoof the MAC address of a router to capture traffic. Disabling proxy ARP can help to mitigate this threat.

16. What is the result in the self zone if a router is the source or destination of traffic?

  • No traffic is permitted.
  • All traffic is permitted.
  • Only traffic that originates in the router is permitted.
  • Only traffic that is destined for the router is permitted.

Explanation: All traffic is permitted in the self zone if the traffic originates from, or is destined for, the router.

17. Which command uses the MD5 hashing algorithm to configure a secure encrypted password?

  • enable password {password}
  • enable secret {password}
  • service password-encryption
  • username {username} password {password}

Explanation: The enable secret command encrypts passwords by using the MD5 hashing algorithm. The service password-encryption command uses a Cisco proprietary Vignere cypher algorithm. Both enable password and username password commands create passwords in clear text.

18. Which two password types are considered insecure and should be avoided whenever possible? (Choose two.)

  • type 0
  • type 5
  • type 7
  • type 8
  • type 9

Explanation: Type 0 and type 7 passwords are both considered insecure. Type 0 passwords are not encrypted. Type 7 passwords are encrypted with a weak Vigenere cypher, which is easily deciphered in seconds.

19. What is the purpose of AAA accounting?

  • to collect and report application usage
  • to determine which resources the user can access
  • to prove users are who they say they are
  • to determine which operations the user can perform

Explanation: AAA accounting collects and reports application usage data. This data can be used for such purposes as auditing or billing. AAA authentication is the process of verifying users are who they say they are. AAA authorization is what the users can and cannot do on the network after they are authenticated.

20. Where is a CoPP policy map applied?

  • to the control plane
  • to the self zone
  • to the VTY lines
  • to the interfaces receiving control plane traffic

Explanation: CoPP protects the CPU of a router from unexpected extreme rates of traffic by applying QoS policies to router traffic to or sourced by the router control plane CPU. Therefore, CoPP policy maps must be applied to the router control plane.

21. Which ACL would be processed first if all were applied on a device?

  • Inbound PACL on a switch port in VLAN 10
  • Inbound VACL on VLAN 10
  • Inbound ACL on the VLAN 10 SVI
  • Outbound VACL on VLAN 20
  • Outbound ACL on the VLAN 20 SVI

Explanation: PACLs, VACLs, and RACLs have a specific order in which they are processed. For routed traffic across VLANs, the processing order is as follows:

  1. Inbound PACL on a switch port in VLAN x
  2. Inbound VACL on VLAN x
  3. Inbound ACL on the VLAN x SVI
  4. Outbound VACL on VLAN y
  5. Outbound ACL on the VLAN y SVI

22. Which zone is a system-level ZBFW zone that permits inbound and outbound traffic by default?

  • self
  • inside
  • default
  • demilitarized

Explanation: The self zone is a system-level zone and includes all device IP addresses. By default, all traffic sourced from or with a destination to the self zone is permitted.

23. What IOS privilege levels are available to assign for custom user-level privileges?

  • levels 1 through 15
  • levels 0, 1, and 15
  • levels 2 through 14
  • levels 0 and 1

Explanation: There are 16 privilege levels that can be applied to user accounts. Levels 0, 1, and 15 have predefined settings. This leaves levels 2 through 14 available for creating custom levels of access.

24. Which packet type is user-generated and forwarded by a router?

  • data plane packet
  • control plane packet
  • management plane packet
  • routing protocol update packet

Explanation: Data plane packets are user generated. Control plane packets and management plane packets are generated by the network devices. Routing protocol update packets are network device generated to keep the network converged and operating properly.

25. What are two protocols that are used by AAA to authenticate users against a central database of usernames and password? (Choose two.)

  • NTP
  • SSH

Explanation: By using TACACS+ or RADIUS, AAA can authenticate users from a database of usernames and passwords stored centrally on a server such as a Cisco ACS or ISE server.

“Do I Know This Already?” Quiz Answers:

1. Which command is used to apply an ACL to an interface?

  • ip access-group {access-list-number | name} {in|out}
  • ip access-class {access-list-number | name} {in|out}
  • ip access-list {access-list-number | name} {in|out}

Explanation: ACLs are applied to interfaces with the command ip access-group {access-listnumber | name} {in|out}.

2. Which of the following password types is the weakest?

  • Type 5
  • Type 7
  • Type 8
  • Type 9

Explanation: Type 7 passwords use a Cisco proprietary Vigenere cypher encryption algorithm that is very weak and can be easily decrypted using multiple online password decryption utilities.

3. What type of encryption does the command service password encryption provide?

  • Type 0 encryption
  • Type 5 encryption
  • Type 7 encryption

Explanation: The command service password encryption encrypts plaintext passwords in the configuration and Telnet sessions with type 7 password encryption.

4. What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)

  • The login command is used to enable line password authentication.
  • The login command is used to enable username-based authentication.
  • The login local command is used to enable line and username-based authentication.
  • The login local command is used to enable username-based authentication.

Explanation: The login command is used to enable line password authentication, and the login local command is used to enable username-based authentication.

5. Which of these commands are available to a user logged in with privilege level 0? (Choose all that apply.)

  • disable
  • enable
  • show
  • configure terminal
  • exit
  • logout

Explanation: Privilege level 0 makes available the disable, enable, exit, help, and logout commands.

6. Which of the following options can be used to only allow inbound SSH access to the vty lines of a router? (Choose two.)

  • line vty 0 4
    transport output ssh
  • line vty 0 4
    transport input all
  • line vty 0 4
    transport input ssh
  • ip access-list extended SSH
    permit tcp any any eq 22
    line vty 0 4
    access-class SSH in

Explanation: Using the command transport input ssh and applying an ACL to the line that only allows port 22 are valid options to allow only SSH traffic into the line. The other two options are not valid because the command transport output ssh does not affect inbound connections, and the command transport input all allows all inbound SSH and Telnet sessions.

7. True or false: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.

  • True
  • False

Explanation: This is false because AAA authorization for the console is disabled by default to prevent unexperienced users from locking themselves out. Authorization for the console is enabled with the command aaa authorization console.

8. Which of the following AAA functions can help log the commands executed by a user on a network device?

  • AAA next-generation logging
  • Authorization
  • Accounting
  • Auditing

Explanation: Accounting provides the ability to track and log user access, including user identities, start and stop times, executed commands (that is, CLI commands), and so on. In other words, it maintains a security log of events.

9. What is the protocol of choice for network device access control?

  • SSHv2
  • Telnet

Explanation: TACACS+ is preferred for device access control because it can individually authorize every command that a user tries to execute after logging in to a device. In contrast, RADIUS requires those commands to be sent in the initial authentication response, and because there could be thousands of CLI command combinations, a large authorization result list could trigger memory exhaustion on the network device.

10. Which of the following options describe ZBFW? (Choose two.)

  • Provides high security with stateless inspection functionality
  • Provides stateful firewall functionality
  • Is a network interface module
  • Is an integrated IOS solution
  • Is a security appliance similar to an ASA 5500-X

Explanation: ZBFW is an integrated IOS solution that provides router stateful firewall functionality.

11. What are the two system-built zones for ZBFW? (Choose two.)

  • Inside zone
  • Twilight zone
  • System zone
  • Outside zone
  • Self zone
  • Default zone

Explanation: Within the ZBFW architecture, there are two system-built zones: self and default.

12. Which of the following features was developed specifically to protect the CPU of a router?

  • ZBFW
  • AAA
  • CoPP
  • ACLs

Explanation: Control plane policing (CoPP) was created with the sole purpose of protecting the CPU or control plane of a router.

13. True or false: CoPP supports input and output policies to control inbound and outbound traffic.

  • True
  • False

Explanation: CoPP supports inbound and outbound policies; however, outbound policies are not commonly used.

14. Which of the following are features that can be disabled to improve the overall security posture of a router?

  • CoPP
  • CDP
  • ZBFW
  • LLDP
  • LDP

Explanation: Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) can provide unnecessary information to routers outside of the organization and should be disabled where applicable.

Notify of

Inline Feedbacks
View all comments