Cisco CCNA 200-125 Exam Dumps Latest – New Questions & Answers

Section VI: Infrastructure Security

VI.1. Which statement about RADIUS security is true?

  • It supports EAP authentication for connecting to wireless networks.
  • It provides encrypted multiprotocol support.
  • Device-administration packets are encrypted in their entirety.
  • It ensures that user activity is fully anonymous.

VI.2. Which command can you enter to block HTTPS traffic from the whole class A private network range to a host?

  • R1(config)#access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 443
  • R1(config)#access-list 105 deny tcp 10.1.0.0 0.0.255.255 40.0.0.2 0.0.0.0 eq 53
  • R1(config)#access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 53
  • R1(config)#access-list 105 deny tcp 10.0.0.0 0.255.255.255 40.0.0.2 0.0.0.0 eq 443

VI.3. Which two options are valid numbers for a standard access list? (Choose two.)

  • 50
  • 150
  • 1250
  • 1550
  • 2050

VI.4. Which utility can you use to identify the cause of a traffic-flow blockage between the two devices in a network?

  • ACL path analysis tool in APIC-EM
  • IWAN application
  • ACL analysis tool in APIC-EM
  • APIC-EM automation scheduler
Explanation/Reference:
The ACL Path Analysis tool in APIC-EM can help to identify where the traffic was blocked in the transmission.

The path trace marks each hop with an icon (the icon images are not reproduced here); their meanings are:

  • “There are ACLs that permit the traffic applied on the interface.”
  • “Traffic may or may not be blocked. For example, if your traffic matches a deny access control entry (ACE), traffic is denied. However, if your traffic matches any other ACEs, it is permitted. You can get this type of result if you leave out the protocol, source port, or destination port when defining a path trace.”
  • “There is an ACL on the device or interface that is blocking the traffic on the path.”
  • “There are no ACLs applied on the interface.”

Reference: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-5-x/path_trace/user-guide/b_Cisco_Path_Trace_User_Guide_1_5_0_x/b_Cisco_Path_Trace_User_Guide_1_5_0_x_chapter_0111.html

VI.5. Which set of commands is recommended to prevent the use of a hub in the access layer?

  • switch(config-if)#switchport mode trunk
    switch(config-if)#switchport port-security maximum 1
  • switch(config-if)#switchport mode trunk
    switch(config-if)#switchport port-security mac-address 1
  • switch(config-if)#switchport mode access
    switch(config-if)#switchport port-security maximum 1
  • switch(config-if)#switchport mode access
    switch(config-if)#switchport port-security mac-address 1
Explanation/Reference:
Port security is only used on access ports (which connect to hosts), so we need to set the port to “access” mode and then specify the maximum number of hosts that are allowed to connect to it -> C is correct.

Note: If we want to allow a fixed MAC address to connect, use the “switchport port-security mac-address ” command.

VI.6. Which two options are primary responsibilities of the APIC-EM controller? (Choose two.)

  • It automates network actions between different device types.
  • It provides robust asset management.
  • It tracks license usage and Cisco IOS versions.
  • It automates network actions between legacy equipment.
  • It makes network functions programmable.
Explanation/Reference:

http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/index.html

Automate network configuration and setup
Deploy network devices faster
Automate device deployment and provisioning across the enterprise.

Provide a programmable network
Enable developers to create new applications that use the network to fuel business growth.

VI.7. Which utility can you use to identify redundant or shadow rules?

  • The ACL trace tool in Cisco APIC-EM.
  • The ACL analysis tool in Cisco APIC-EM.
  • The Cisco APIC-EM automation scheduler.
  • The Cisco IWAN application.
Explanation/Reference:
Cisco APIC-EM supports the following policy analysis features:

+ Inspection, interrogation, and analysis of network access control policies.
+ Ability to trace application-specific paths between end devices to quickly identify ACLs in use and problem areas.
+ Enables ACL change management with easy identification of conflicts and shadows -> Maybe B is the most suitable answer.

Reference: http://www.cisco.com/c/en/us/td/docs/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/1-2-x/config-guide/b_apic-em_config_guide_v_1-2-x/b_apic-em_config_guide_v_1-2-x_chapter_01000.pdf

The ACL trace tool can only help us to identify which ACL on which router is blocking or allowing traffic. It cannot help identify redundant/shadow rules.

Note:

Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is a Cisco Software Defined Networking (SDN) controller, which uses open APIs for policy-based management and security through a single controller, abstracting the network and making network services simpler. APIC-EM provides centralized automation of policy-based application profiles.

Reference: CCNA Routing and Switching Complete Study Guide

Cisco Intelligent WAN (IWAN) application simplifies the provisioning of IWAN network profiles with simple business policies. The IWAN application defines business-level preferences by application or groups of applications in terms of the preferred path for hybrid WAN links. Doing so improves the application experience over any connection and saves telecom costs by leveraging cheaper WAN links.

Shadow rules are rules that are never matched (usually because of earlier rules). For example, take two access-list statements:

access-list 100 permit ip any any
access-list 100 deny tcp host A host B

The second statement would never be matched because all traffic has already been allowed by the first statement. In this case we say that statement 1 shadows statement 2.

VI.8. What will be the result if the following configuration commands are implemented on a Cisco switch?

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
  • A dynamically learned MAC address is saved in the startup-configuration file.
  • A dynamically learned MAC address is saved in the running-configuration file.
  • A dynamically learned MAC address is saved in the VLAN database.
  • Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
  • Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

VI.9. Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch.

2950Switch(config-if)#switchport port-security 
2950Switch(config-if)#switchport port-security mac-address sticky 
2950Switch(config-if)#switchport port-security maximum 1

The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two.)

  • The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
  • Only host A will be allowed to transmit frames on fa0/1.
  • This frame will be discarded when it is received by 2950Switch.
  • All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
  • Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
  • Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

Explanation/Reference:
The first command 2950Switch(config-if)#switchport port-security is to enable the port-security in a switch port.

In the second command 2950Switch(config-if)#switchport port-security mac-address sticky, we need to know the full syntax of this command is switchport port-security mac-address sticky [MAC]. The STICKY keyword is used to make the MAC address appear in the running configuration and you can save it for later use. If you do not specify any MAC addresses after the STICKY keyword, the switch will dynamically learn the attached MAC Address and place it into your running-configuration. In this case, the switch will dynamically learn the MAC address 0000.00aa.aaaa of host A and add this MAC address to the running configuration.

The last command, 2950Switch(config-if)#switchport port-security maximum 1, limits the number of secure MAC addresses to one; because no MAC address is specified, the switch learns the MAC address of the device attached to interface fa0/1, and that workstation is assured the full bandwidth of the port. Therefore only host A will be allowed to transmit frames on fa0/1 -> B is correct.

After you have set the maximum number of secure MAC addresses for interface fa0/1, the secure addresses are included in the “Secure MAC Address” table (this table is similar to the MAC Address Table, but you can only view it with the show port-security address command). So in this question, although you don’t see the MAC address of host A listed in the MAC Address Table, frames with a destination of 0000.00aa.aaaa will still be forwarded out of interface fa0/1 -> D is correct.

VI.10. Refer to the exhibit. A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.)

  • Port security needs to be globally enabled.
  • Port security needs to be enabled on the interface.
  • Port security needs to be configured to shut down the interface in the event of a violation.
  • Port security needs to be configured to allow only one learned MAC address.
  • Port security interface counters need to be cleared before using the show command.
  • The port security configuration needs to be saved to NVRAM before it can become active.
Explanation/Reference:
As we see in the output, the “Port Security” is in “Disabled” state (line 2 in the output). To enable Port security feature, we must enable it on that interface first with the command:

SwitchA(config-if)#switchport port-security

-> B is correct.

Also from the output, we learn that the switch is allowing 2 devices to connect to it (switchport port-security maximum 2) but the question requires allowing only PC_A to access the network so we need to reduce the maximum number to 1 -> D is correct.

VI.11. What should you do when the router password has been forgotten?

  • use default password cisco to reset
  • access router physically
  • use ssl/vpn
  • Type confreg 0x2142 at the rommon 1
Explanation/Reference:
To reset the password we can type “confreg 0x2142” under rommon mode to set the configuration register to 2142 in hexadecimal (the prefix 0x means hexadecimal (base 16)). With this setting when that router reboots, it bypasses the startup-config.

VI.12. A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?

  • reflexive
  • extended
  • standard
  • dynamic
Explanation/Reference:
We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here: http://www.cisco.com/en/US/tech/tk583/tk822/technologies_tech_note09186a0080094524.shtml

VI.13. What should be part of a comprehensive network security plan?

  • Allow users to develop their own approach to network security
  • Physically secure network equipment from potential access by unauthorized individuals
  • Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
  • Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
  • Minimize network overhead by deactivating automatic antivirus client updates
Explanation/Reference:
All other answers are not recommended for a network security plan so only B is the correct answer.

VI.14. Which password types are encrypted?

  • SSH
  • Telnet
  • enable secret
  • enable password
Explanation/Reference:
The “enable secret” password is always encrypted (independent of the “service password-encryption” command) using the MD5 hash algorithm.

Note: The “enable password” does not encrypt the password, and it can be viewed in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. In general, don’t use enable password; use enable secret instead.

VI.15. Which statement about ACLs is true?

  • An ACL must have at least one permit action, else it just blocks all traffic.
  • ACLs go bottom-up through the entries looking for a match.
  • An ACL has an implicit permit at the end of the ACL.
  • ACLs will check the packet against all entries looking for a match.

VI.16. Which three options are benefits of using TACACS+ on a device? (Choose three)

  • It ensures that user activity is untraceable.
  • It provides a secure accounting facility on the device.
  • Device-administration packets are encrypted in their entirety.
  • It allows the user to remotely access devices from other vendors.
  • It allows the users to be authenticated against a remote server.
  • It supports access-level authorization for commands.
Explanation/Reference:
TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header -> C is correct.

TACACS+ supports access-level authorization for commands. That means you can use commands to assign privilege levels on the router -> F is correct.

Note:

By default, there are three privilege levels on the router.
+ privilege level 1 = non-privileged (prompt is router>), the default level for logging in
+ privilege level 15 = privileged (prompt is router#), the level after going into enable mode
+ privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

VI.17. How can you verify that an SSH connection was secured?

  • ssh -v 1 -l admin IP
  • ssh -v 2 -l admin IP
  • ssh -l admin IP
  • ssh -v -l admin IP

VI.18. Which cisco platform can verify ACLs?

  • Cisco Prime Infrastructure
  • Cisco Wireless LAN Controller
  • Cisco APIC-EM
  • Cisco IOS-XE
Explanation/Reference:
The APIC-EM Path Trace ACL Analysis Tool can display the ACLs that are in use (it downloads the device configurations after a specified period of time and shows them when we run a path trace). Therefore it helps verify ACLs more easily.

VI.19. Which major component of the network virtualization architecture isolates users according to policy?

  • policy enforcement
  • network access control
  • network services virtualization
  • path isolation
Explanation/Reference:
Network virtualization architecture has three main components:

+ Network access control and segmentation of classes of users: Users are authenticated and either allowed or denied into a logical partition. Users are segmented into employees, contractors and consultants, and guests, with respective access to IT assets. This component identifies users who are authorized to access the network and then places them into the appropriate logical partition.

+ Path isolation: Network isolation is preserved across the entire enterprise: from the edge to the campus to the WAN and back again. This component maintains traffic partitioned over a routed infrastructure and transports traffic over and between isolated partitions. The function of mapping isolated paths to VLANs and to virtual services is also performed in this component.

+ Network services virtualization: This component provides access to shared or dedicated network services such as security, quality of service (QoS), and address management (Dynamic Host Configuration Protocol [DHCP] and Domain Name System [DNS]). It also applies policy per partition and isolates application environments, if required.

Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11-531522.pdf

VI.20. Which two statements about firewalls are true?

  • They can be used with an intrusion prevention system.
  • They can limit unauthorized user access to protect data.
  • Each wireless access point requires its own firewall.
  • They must be placed only at locations where the private network connects to the internet.
  • They can prevent attacks from the internet only.

VI.21. Which three options are types of Layer 2 network attack? (Choose three)

  • Spoofing attacks
  • Vlan Hopping
  • botnet attacks
  • DDOS attacks
  • ARP Attacks
  • Brute force attacks
Explanation/Reference:

A (DHCP) spoofing attack is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker’s IP address as the client’s default gateway -> all the traffic sent from the client will go through the attacker’s computer, and the attacker becomes a “man-in-the-middle”.

The attacker has some ways to make sure the fake DHCP Response arrives first. In fact, if the attacker is “closer” to the client than the DHCP Server, then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging.

1) Switch spoofing:

The attacker can connect an unauthorized Cisco switch to a Company switch port. The unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco Switch, the attacker can use a software to create and send DTP frames).

2) Double-Tagging:

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).

When the packet from the attacker reaches Switch A, Switch A only sees the first tag, VLAN 10, and it matches its native VLAN 10, so this VLAN tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with a tag of VLAN 20, so it removes this tag and forwards the frame out to the Victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker.

ARP attack (like ARP poisoning/spoofing) is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. This is an attack based on ARP, which is at Layer 2.

VI.22. By default, how many MAC addresses are permitted to be learned on a switch port with port security enabled?

  • 8
  • 2
  • 1
  • 0
Explanation/Reference:
By default, port security limits the number of MAC addresses that can connect to a switch port to one. If the maximum number of MAC addresses has been reached, a security violation occurs when another MAC address attempts to access the port.

VI.23. Which option is the default switch port port-security violation mode?

  • shutdown
  • protect
  • shutdown vlan
  • restrict
Explanation/Reference:
Shutdown is the default switch port port-security violation mode. When in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. The switchport can be brought out of this error disabled state by issuing the errdisable recovery cause CLI command or by disabling and re-enabling the switchport.

VI.24. Which three features are represented by the letter A in AAA authentication? (Choose three)

  • authorization
  • accounting
  • authentication
  • accountability
  • accessibility
  • authority

VI.25. What is a possible reason why a host is able to ping a web server but it is not able to do an HTTP request?

  • ACL blocking port 23
  • ACL blocking All ports
  • ACL blocking port 80
  • ACL blocking port 443
  • None of the above

VI.26. Which item represents the standard IP ACL?

  • Access-list 110 permit any any
  • Access-list 50 deny 192.168.1.1 0.0.0.255
  • Access-list 101 deny tcp any host 192.168.1.1
  • Access-list 2500 deny tcp any host 192.168.1.1 eq 22
Explanation/Reference:
The range of standard ACL is 1-99, 1300-1999 so 50 is a valid number for standard ACL.

VI.27. Which statement about recovering a password on a Cisco router is true?

  • The default reset password is cisco
  • It requires a secure SSL/VPN connection
  • A factory reset is required if you forget the password
  • It requires physical access to the router
Explanation/Reference:
Other choices are surely incorrect so only “physical access” answer is the correct one. In order to recover a password on a Cisco router, the first thing you have to do is either switch off or shut down the router. For more information about this process, please read http://www.cisco.com/c/en/us/support/docs/routers/2800-series-integrated-services-routers/112033-c2900-password-recovery-00.html

VI.28. Where is information about untrusted hosts stored?

  • CAM table
  • Trunk table
  • MAC table
  • binding database
Explanation/Reference:
The DHCP snooping binding database is also referred to as the DHCP snooping binding table. The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

VI.29. Which two statements about TACACS+ are true? (Choose two.)

  • It can run on a UNIX server.
  • It authenticates against the user database on the local device.
  • It is more secure than AAA authentication.
  • It is enabled on Cisco routers by default.
  • It uses a managed database.
Explanation/Reference:

http://tacacs.net/docs/TACACS_Advantages.pdf

Many IT departments choose to use AAA (Authentication, Authorization and Accounting) protocols RADIUS or TACACS+ to address these issues.

http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/13865-tacplus.pdf

This document describes how to configure a Cisco router for authentication with the TACACS+ that runs on UNIX. TACACS+ does not offer as many features as the commercially available Cisco Secure ACS for Windows or Cisco Secure ACS UNIX.

TACACS+ software previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems.

VI.30. Which two passwords must be supplied in order to connect by Telnet to a properly secured Cisco switch and make changes to the device configuration? (Choose two.)

  • tty password
  • enable secret password
  • vty password
  • aux password
  • console password
  • username password

VI.31. In order to comply with new auditing standards, a security administrator must be able to correlate system security alert logs directly with the employee who triggers the alert. Which of the following should the security administrator implement in order to meet this requirement?

  • Access control lists on file servers
  • Elimination of shared accounts
  • Group-based privileges for accounts
  • Periodic user account access reviews

VI.32. Which action can change the order of entries in a named access-list?

  • removing an entry
  • opening the access-list in notepad
  • adding an entry
  • resequencing
Explanation/Reference:
You can check the named access-list with the “show ip access-list” (or “show access-list”) command:

R1#show ip access-list
Standard IP access list nat_traffic
    10 permit 10.1.0.0, wildcard bits 0.0.255.255
    15 permit 10.2.0.0, wildcard bits 0.0.255.255
    20 permit 10.3.0.0, wildcard bits 0.0.255.255

We can resequence a named access-list with the command: “ip access-list resequence access-list-name starting-sequence-number increment“. For example:

R1(config)#ip access-list resequence nat_traffic 100 10

Then we can check this access-list again:

R1#show ip access-list
Standard IP access list nat_traffic
    100 permit 10.1.0.0, wildcard bits 0.0.255.255
    110 permit 10.2.0.0, wildcard bits 0.0.255.255
    120 permit 10.3.0.0, wildcard bits 0.0.255.255

We can see the starting sequence number is now 100 and the increment is 10. Notice that resequencing an access-list does not change the relative order of the entries inside it, but it is the best choice in this question. Adding or removing an entry does not change the order of entries either. Maybe we should understand this question as “how to renumber the entries in a named access-list”.

VI.33. What is the effect of using the service password-encryption command?

  • Only passwords configured after the command has been entered will be encrypted.
  • Only the enable password will be encrypted.
  • Only the enable secret password will be encrypted
  • It will encrypt the secret password and remove the enable secret password from the configuration.
  • It will encrypt all current and future passwords.

VI.34. Refer to the exhibit. Which user-mode password has just been set?

  • Telnet
  • Auxiliary
  • SSH
  • Console
Explanation/Reference:
When you connect to a switch/router via Telnet, you first need to provide the Telnet password. Then, to access Privileged mode (Switch#), you need to provide the secret password after typing “enable” before making any changes.

VI.35. What is a difference between TACACS+ and RADIUS in AAA?

  • Only TACACS+ allows for separate authentication.
  • Only RADIUS encrypts the entire access-request packet.
  • Only RADIUS uses TCP
  • Only TACACS+ couples authentication and authorization.
Explanation/Reference:
TACACS+ is an AAA protocol developed by Cisco. TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting. For example, it is possible to use the Kerberos Protocol for authentication and TACACS+ for authorization and accounting. After an AAA client passes authentication through a Kerberos server, the AAA client requests authorization information from a TACACS+ server without the necessity to re-authenticate the AAA client by using the TACACS+ authentication mechanism.

Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to a AAA server, the AAA client expects to have the authorization result sent back in reply.

Reference: http://www.cisco.com/c/dam/en/us/products/collateral/security/secure-access-control-server-windows/prod_white_paper0900aecd80737943.pdf

VI.36. Which port security violation mode allows traffic from a valid MAC address to pass but blocks traffic from an invalid MAC address?

  • protect
  • shutdown
  • shutdown vlan
  • restrict
Explanation/Reference:
In fact both “protect” and “restrict” modes allow traffic from a valid MAC address to pass, so this question is not well written. This is a quote from Cisco for these two modes:

protect: drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

restrict: drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf

Therefore the only difference between these two modes is “restrict” mode causes the SecurityViolation counter to increment (only useful for statistics).

VI.37. Which command can you enter in a network switch configuration so that learned mac addresses are saved in configuration as they connect?

  • Switch(config-if)#Switch port-security
  • Switch(config-if)#Switch port-security Mac-address stcky
  • Switch(config-if)#Switch port-security maximum 10
  • Switch(config-if)#Switch mode access
Explanation/Reference:
The full command should be “switchport port-security mac-address sticky”, but Cisco IOS accepts abbreviated commands.

VI.38. Which major component of the Cisco network virtualization architecture isolates users according to policy?

  • network services virtualization
  • policy enforcement
  • access control
  • path isolation

VI.39. DRAG DROP. Drag the security features on the left to the specific security risks they help protect against on the right. (Not all options are used.)


VI.40. On which combination are standard access lists based?

  • destination address and wildcard mask
  • destination address and subnet mask
  • source address and subnet mask
  • source address and wildcard mask
Explanation/Reference:
Standard ACLs only examine the source IP address/mask to determine if a match is made. Extended ACLs examine the source and destination address, as well as port information.

VI.41. Which statement about access lists that are applied to an interface is true?

  • You can place as many access lists as you want on any interface.
  • You can apply only one access list on any interface.
  • You can configure one access list, per direction, per Layer 3 protocol.
  • You can apply multiple access lists with the same protocol or in different directions.
Explanation/Reference:
We can have only 1 access list per protocol, per direction and per interface. It means:
+ We cannot have 2 inbound access lists on an interface
+ We can have 1 inbound and 1 outbound access list on an interface

VI.42. A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two.)

  • access-list 10 permit ip 192.168.146.0 0.0.1.255
  • access-list 10 permit ip 192.168.147.0 0.0.255.255
  • access-list 10 permit ip 192.168.148.0 0.0.1.255
  • access-list 10 permit ip 192.168.149.0 0.0.255.255
  • access-list 10 permit ip 192.168.146.0 0.0.0.255
  • access-list 10 permit ip 192.168.146.0 255.255.255.0
Explanation/Reference:
access-list 10 permit ip 192.168.146.0 0.0.1.255 will include the 192.168.146.0 and 192.168.147.0 subnets, while access-list 10 permit ip 192.168.148.0 0.0.1.255 will include

VI.43. What can be done to secure the virtual terminal interfaces on a router? (Choose two.)

  • Administratively shut down the interface.
  • Physically secure the interface.
  • Create an access list and apply it to the virtual terminal interfaces with the access-group command.
  • Configure a virtual terminal password and login process.
  • Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
Show (Hide) Explanation/Reference
It is a waste to administratively shut down the interface; moreover, someone can still reach the virtual terminal lines via other interfaces.
We cannot physically secure a virtual interface because it is “virtual”.
To apply an access list to a virtual terminal line we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct.
The simplest way to secure the virtual terminal lines is to configure a username & password to prevent unauthorized login.

VI.44. How does using the service password-encryption command on a router provide additional security?

  • by encrypting all passwords passing through the router
  • by encrypting passwords in the plain text configuration file
  • by requiring entry of encrypted passwords for access to the device
  • by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges
  • by automatically suggesting encrypted passwords for use in configuring the router
Show (Hide) Explanation/Reference
By using this command, all the (current and future) passwords are encrypted. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

VI.A network administrator needs to allow only one Telnet connection to a router. For anyone viewing the configuration and issuing the show run command, the password for Telnet access should be encrypted. Which set of commands will accomplish this task?

Correct Answer: A

Show (Hide) Explanation/Reference
Only one VTY connection is allowed, which is exactly what is requested.
Incorrect answer: the command
line vty 0 4
would enable all 5 VTY lines.

VI.45. Refer to the exhibit. What is the effect of the configuration that is shown?

  • It configures SSH globally for all logins.
  • It tells the router or switch to try to establish an SSH connection first and if that fails to use Telnet.
  • It configures the virtual terminal lines with the password 030752180500.
  • It configures a Cisco network device to use the SSH protocol on incoming communications via the virtual terminal ports.
  • It allows seven failed login attempts before the VTY lines are temporarily shutdown.
Show (Hide) Explanation/Reference

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices.
Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. If you want to prevent non-SSH connections, add the “transport input ssh” command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnets are refused.
Reference: www.cisco.com/warp/public/707/ssh.shtml

VI.46. Which command encrypts all plaintext passwords?

  • Router# service password-encryption
  • Router(config)# password-encryption
  • Router(config)# service password-encryption
  • Router# password-encryption
Show (Hide) Explanation/Reference
The “service password-encryption” command allows you to encrypt all passwords on your router so they cannot be easily read from your running-config. This command uses a very weak encryption because the router has to decode the passwords very quickly for its operation. It is meant to prevent someone from looking over your shoulder and seeing the password, that is all. This is configured in global configuration mode.

VI.47. What will be the result if the following configuration commands are implemented on a Cisco switch?

  • A dynamically learned MAC address is saved in the startup-configuration file.
  • A dynamically learned MAC address is saved in the running-configuration file.
  • A dynamically learned MAC address is saved in the VLAN database.
  • Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
  • Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.
Show (Hide) Explanation/Reference
In the interface configuration mode, the command switchport port-security mac-address sticky enables sticky learning. When entering this command, the interface converts all the dynamic secure MAC addresses to sticky secure MAC addresses.

VI.48. Refer to exhibit. A network administrator cannot establish a Telnet session with the indicated router. What is the cause of this failure?

  • A Level 5 password is not set.
  • An ACL is blocking Telnet access.
  • The vty password is missing.
  • The console password is missing.
Show (Hide) Explanation/Reference
The login keyword has been set, but no password. This will result in the “password required, but none set” message to users trying to telnet to this router.

VI.49. When you are troubleshooting an ACL issue on a router, which command would you use to verify which interfaces are affected by the ACL?

  • show ip access-lists
  • show access-lists
  • show interface
  • show ip interface
  • list ip interface
Show (Hide) Explanation/Reference
show ip access-lists does not show interfaces affected by an ACL.

VI.50. Refer to the exhibit. An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?

  • no ip access-class 102 in
  • no ip access-class 102 out
  • no ip access-group 102 in
  • no ip access-group 102 out
  • no ip access-list 102 in
Show (Hide) Explanation/Reference
Now let’s find out the range of the networks on the serial link:

For the network 192.168.1.62/27:
Increment: 32
Network address: 192.168.1.32
Broadcast address: 192.168.1.63

For the network 192.168.1.65/27:
Increment: 32
Network address: 192.168.1.64
Broadcast address: 192.168.1.95

-> These two IP addresses don’t belong to the same network and they can’t see each other.

VI.51. Refer to the exhibit. Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?

  • ACDB
  • BADC
  • DBAC
  • CDBA
Show (Hide) Explanation/Reference
Routers go line by line through an access list until a match is found and then will not look any further, even if a more specific or better match is found later on in the access list. So, it is best to begin with the most specific entries first, in this case the two hosts in lines C and D. Then, include the subnet (B) and then finally the rest of the traffic (A).
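To make the wildcard-mask arithmetic in VI.42 and the first-match ordering in VI.51 concrete, here is an added Python model of standard-ACL evaluation (example code written for this page, not from the original dump and not Cisco's). The four VI.51 statements are constructed from the explanation's description, with 172.21.1.129 and 172.21.1.142 assumed as the "first and last" host addresses of 172.21.1.128/28, since the exhibit is not on the page.

```python
"""Cisco standard-ACL evaluation model: wildcard masks, first-match, implicit deny.

Added example for the VI.42 / VI.51 explanations; not code from the page or from Cisco.
The VI.51 statements are constructed from the explanation because the exhibit is absent.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    """One access control entry of a standard (source-only) ACL."""
    action: str      # "permit" or "deny"
    base: str        # dotted-quad address
    wildcard: str    # Cisco wildcard mask: 0 bit = must match, 1 bit = don't care


def _to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def matches(addr: str, base: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks as 'care' is equal in addr and base."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(base) & care)


def covered_range(base: str, wildcard: str) -> tuple:
    """Lowest and highest address matched by a contiguous wildcard such as 0.0.1.255."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    low = _to_int(base) & care
    high = low | _to_int(wildcard)
    return str(IPv4Address(low)), str(IPv4Address(high))


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny <addr> [wildcard]', '... any' or '... host <addr>'."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]                 # drop 'access-list <number>'
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    if rest and rest[0] == "ip":
        rest = rest[1:]                     # the dump writes 'permit ip'; a standard ACL has no protocol keyword
    if rest[0] == "any":
        return Ace(action, "0.0.0.0", "255.255.255.255")
    if rest[0] == "host":
        return Ace(action, rest[1], "0.0.0.0")
    wildcard = rest[1] if len(rest) > 1 else "0.0.0.0"   # a bare address is a host entry
    return Ace(action, rest[0], wildcard)


def build_acl(lines):
    return [parse_ace(line) for line in lines]


def evaluate(acl, source: str) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if matches(source, ace.base, ace.wildcard):
            return ace.action
    return "deny"


# VI.42: each 0.0.1.255 wildcard spans two consecutive /24s, so two lines cover .146 to .149
VI42_ACL = build_acl([
    "access-list 10 permit ip 192.168.146.0 0.0.1.255",
    "access-list 10 permit ip 192.168.148.0 0.0.1.255",
])

# VI.51, constructed: A permits everyone, B denies the /28, C and D exempt two hosts.
# .129 and .142 are assumed to be the "first and last" hosts of 172.21.1.128/28.
VI51_STATEMENTS = {
    "A": "access-list 10 permit any",
    "B": "access-list 10 deny 172.21.1.128 0.0.0.15",
    "C": "access-list 10 permit host 172.21.1.129",
    "D": "access-list 10 permit host 172.21.1.142",
}


def ordered_acl(order: str):
    """Build ACL 10 with the statements in the given order, e.g. 'CDBA'."""
    return build_acl([VI51_STATEMENTS[k] for k in order])


def restricts_as_intended(order: str) -> bool:
    """Intended effect: only .129 and .142 of the /28 get in; the rest of the /28 is blocked."""
    acl = ordered_acl(order)
    exempt_ok = all(evaluate(acl, h) == "permit" for h in ("172.21.1.129", "172.21.1.142"))
    rest_blocked = all(evaluate(acl, f"172.21.1.{i}") == "deny"
                       for i in range(128, 144) if i not in (129, 142))
    outsiders_ok = evaluate(acl, "172.21.1.144") == "permit" and evaluate(acl, "10.0.0.1") == "permit"
    return exempt_ok and rest_blocked and outsiders_ok


if __name__ == "__main__":
    for src in ("192.168.147.7", "192.168.149.200", "192.168.150.1"):
        print(f"VI.42 source {src}: {evaluate(VI42_ACL, src)}")
    print("VI.42 first line covers", covered_range("192.168.146.0", "0.0.1.255"))
    for order in ("ABCD", "ACDB", "BADC", "DBAC", "CDBA"):
        verdict = "works" if restricts_as_intended(order) else "does not restrict as intended"
        print(f"VI.51 order {order}: {verdict}")
```

Running it shows that any order with the permit-any line A ahead of the deny, or the deny B ahead of the two host entries, fails the intent; only CDBA passes.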

VI.52. What are two characteristics of SSH? (Choose two.)

  • most common remote-access method
  • unsecured
  • encrypted
  • uses port 22
  • operates at the transport layer

VI.53. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two.)

  • source IP address: 192.168.15.5; destination port: 21
  • source IP address: 192.168.15.37; destination port: 21
  • source IP address: 192.168.15.41; destination port: 21
  • source IP address: 192.168.15.36; destination port: 23
  • source IP address: 192.168.15.46; destination port: 23
  • source IP address: 192.168.15.49; destination port: 23

VI.54. Refer to the graphic. It has been decided that Workstation 1 should be denied access to Server1. Which of the following commands are required to prevent only Workstation 1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two.)

Correct Answer: BC

VI.55. An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

  • access-list 10 permit 172.29.16.0 0.0.0.255
  • access-list 10 permit 172.29.16.0 0.0.1.255
  • access-list 10 permit 172.29.16.0 0.0.3.255
  • access-list 10 permit 172.29.16.0 0.0.15.255
  • access-list 10 permit 172.29.0.0 0.0.255.255

VI.56. A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the server at 192.168.1.5. What command should be issued to accomplish this task?

  • access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23 access-list 101 permit ip any any
  • access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23 access-list 101 permit ip any any
  • access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 21 access-list 1 permit ip any any
  • access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23 access-list 1 permit ip any any

VI.57. As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

  • access-list 101 in
  • access-list 101 out
  • ip access-group 101 in
  • ip access-group 101 out

VI.58. The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two.)

  • from host A to host 5.1.1.10
  • from host A to host 5.1.3.10
  • from host B to host 5.1.2.10
  • from host B to host 5.1.3.8
  • from host C to host 5.1.3.10
  • from host F to host 5.1.1.10

VI.59. The following access list was applied outbound on the E0 interface connected to the 192.169.1.8/29 LAN:

access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 20 any
access-list 135 deny tcp 192.169.1.8 0.0.0.7 eq 21 any

How will the above access list affect traffic?

  • FTP traffic from 192.169.1.22 will be denied
  • No traffic, except for FTP traffic will be allowed to exit E0
  • FTP traffic from 192.169.1.9 to any host will be denied
  • All traffic exiting E0 will be denied
  • All FTP traffic to network 192.169.1.9/29 will be denied

VI.60. The following configuration line was added to router R1: “access-list 101 permit ip 10.25.30.0 0.0.0.255 any”. What is the effect of this access list configuration?

  • permit all packets matching the first three octets of the source address to all destinations
  • permit all packets matching the last octet of the destination address and accept all source addresses
  • permit all packets matching the host bits in the source address to all destinations
  • permit all packets from the third subnet of the network address to all destinations

VI.61. This graphic shows the results of an attempt to open a Telnet connection to router ACCESS1 from router Remote27.

Which of the following command sequences will correct this problem?

Correct Answer: C

VI.62. What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two.)

  • Allow unrestricted access to the console or VTY ports.
  • Use a firewall to restrict access from the outside to the network devices.
  • Always use Telnet to access the device command line because its data is automatically encrypted.
  • Use SSH or another encrypted and authenticated transport to access device configurations.
  • Prevent the loss of passwords by disabling password encryption.

VI.63. Refer to the exhibit. What is the result of setting the no login command?

Router#config t
Router(config)#line vty 0 4
Router(config-line)#password c1sc0
Router(config-line)#no login

  • Telnet access is denied.
  • Telnet access requires a new password at the first login.
  • Telnet access requires a new password.
  • no password is required for telnet access.
Show (Hide) Explanation/Reference
This configuration will let someone telnet to that router without the password (so the line “password c1sc0” is not necessary).

VI.64. Which identification number is valid for an extended ACL?

  • 1
  • 64
  • 99
  • 100
  • 299
  • 1099
Show (Hide) Explanation/Reference
Below is the range of standard and extended access lists:

Access list type   Range
Standard           1-99, 1300-1999
Extended           100-199, 2000-2699

In most cases we only need to remember 1-99 is dedicated for standard access lists while 100 to 199 is dedicated for extended access lists.

VI.65. Which statement about named ACLs is true?

  • They support standard and extended ACLs.
  • They are used to filter usernames and passwords for Telnet and SSH.
  • They are used to filter Layer 7 traffic.
  • They support standard ACLs only.
  • They are used to rate limit traffic destined to targeted networks.
Show (Hide) Explanation/Reference
Named Access Control Lists (ACLs) allow standard and extended ACLs to be given names instead of numbers. Unlike numbered Access Control Lists (ACLs), named Access Control Lists can be edited. Another benefit of using named access configuration mode is that you can add new statements to the access list and insert them wherever you like. With the legacy syntax, you must delete the entire access list before reapplying it using the updated rules.

VI.66. Which two values are needed to run the APIC-EM ACL Analysis tool? (Choose two.)

  • destination address
  • destination port
  • periodic refresh interval
  • source address
  • protocol
  • source port

VI.67. Which command sets and automatically encrypts the privileged enable mode password?

  • enable password cisco
  • secret enable cisco
  • password enable cisco
  • enable secret cisco

VI.68. The enable secret command is used to secure access to Which CLI mode?

  • user EXEC mode
  • global configuration mode
  • privileged EXEC mode
  • auxiliary setup mode

VI.69. Which two statements about stateful firewalls in an enterprise network are true?

  • They can use information about previous packets to make decisions about future packets.
  • They are most effective when placed in front of the router connected to the Internet.
  • They are more susceptible to DoS attacks than stateless firewalls.
  • They can track the number of active TCP connections.
  • They can filter HTTP and HTTPS traffic in the inbound direction only.

VI.70. Which type of access list compares source and destination IP addresses?

  • standard
  • extended
  • reflexive
  • IP named

VI.71. Which two descriptions of TACACS+ are true? (Choose two.)

  • It encrypts only the password.
  • It can authorize specific router commands.
  • It separates authentication, authorization, and accounting functions.
  • It uses UDP as its transport protocol.
  • It combines authentication and authorization.

VI.72. Which condition indicates that service password-encryption is enabled?

  • The local username password is in clear text in the configuration.
  • The enable secret is in clear text in the configuration.
  • The local username password is encrypted in the configuration.
  • The enable secret is encrypted in the configuration.
Show (Hide) Explanation/Reference
The service password-encryption command will encrypt all current and future passwords so any password existed in the configuration will be encrypted.

VI.73. Which command can you use to test whether a switch supports secure connections and strong authentication?

  • Router#ssh -v 1 -l admin 10.1.1.1
  • Switch>ssh -v 1 -l admin 10.1.1.1
  • Switch#ssh -l admin 10.1.1.1
  • Router>ssh -v 2 -l admin 10.1.1.1

VI.74. Which port security mode can assist with troubleshooting by keeping count of violations?

  • access
  • protect
  • restrict
  • shutdown

VI.75. DRAG DROP. An interface has been configured with the access list that is shown below. On the basis of that access list, drag each information packet on the left to the appropriate category on the right.

Select and Place:

Correct Answer:

VI.76. Which range represents the standard access list?

  • 99
  • 150
  • 299
  • 2000
Show (Hide) Explanation/Reference
Below is the range of standard and extended access lists:

Access list type   Range
Standard           1-99, 1300-1999
Extended           100-199, 2000-2699

VI.77. Which of the following encrypts the traffic on a leased line?

  • telnet
  • ssh
  • vtp
  • vpn
  • dmvpn
Show (Hide) Explanation/Reference
SSH, or secure shell, is a secure protocol that provides a built-in encryption mechanism for establishing a secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth.

Note: Virtual Private Networks (VPNs) are only secure if encrypted. The word “private” only means a given user’s virtual network is not shared with others. In reality a VPN still runs on a shared infrastructure and is not secured if not encrypted. VPNs are used over a connection you already have. That might be a leased line. It might be an ADSL connection. It could be a mobile network connection.

Therefore answer “SSH” is still better than the answer “VPN”.

VI.78. A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?

  • Monitor mode
  • High-Security mode
  • Low-impact mode
  • Closed mode
Show (Hide) Explanation/Reference
There are three authentication and authorization modes for 802.1x:

+ Monitor mode
+ Low impact mode
+ High security mode

Monitor mode allows for the deployment of the IEEE 802.1X authentication methods without any effect on user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.

With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
+ Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network
+ Where these endpoints connected
+ Whether they are 802.1X capable or not
+ Whether they have valid credentials
+ In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses

Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:
sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth

For more information about each mode, please read this article: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Phased_Deploy/Phased_Dep_Guide.html

VI.79. Which two statements about SSH are true? (Choose two.)

  • uses port 22
  • unsecured
  • encrypted
  • most common remote-access method
  • operates at the transport layer

VI.80. Which command shows your active Telnet connections?

  • show cdp neighbors
  • show session
  • show users
  • show vty logins
Show (Hide) Explanation/Reference
The “show users” command shows telnet/ssh connections to your router while “show sessions” shows telnet/ssh connections from your router (to other devices). The question asks about “your active Telnet connections”, meaning connections from your router.

VI.81. Which IPsec security protocol should be used when confidentiality is required?

  • MD5
  • PSK
  • AH
  • ESP
Show (Hide) Explanation/Reference
IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

AH provides authentication, integrity, and replay protection (but not confidentiality) of the sender.

VI.82. What are two characteristics of Telnet? (Choose two.)

  • It sends data in clear text format.
  • It is no longer supported on Cisco network devices.
  • It is more secure than SSH.
  • It requires an enterprise license in order to be implemented.
  • It requires that the destination device be configured to support Telnet connections.

VI.83. Which protocol authenticates connected devices before allowing them to access the LAN?

  • 802.1d
  • 802.11
  • 802.1w
  • 802.1x
Show (Hide) Explanation/Reference

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. An analogy to this is providing a valid visa at the airport’s arrival immigration before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

VI.84. Refer to the exhibit. You have determined that computer A cannot ping computer B. Which reason for the problem is most likely true?

  • The computer B default gateway address is incorrect.
  • The computer B subnet mask is incorrect.
  • The computer A subnet mask is incorrect.
  • The computer A default gateway address is incorrect.

VI.85. Which IEEE mechanism is responsible for the authentication of devices when they attempt to connect to a local network?

  • 802.1x
  • 802.11
  • 802.2x
  • 802.3x
Show (Hide) Explanation/Reference
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

VI.86. Which two values must you specify to perform an ACL-based Path Trace using APIC-EM? (Choose two.)

  • source IP address
  • destination port
  • destination IP address
  • source interface
  • source port

VI.87. Which two services can be provided by a wireless controller? (Choose two.)

  • Layer 3 routing between wired and wireless devices
  • providing authentication services to users
  • mitigating threats from the Internet
  • issuing IP addresses to wired devices
  • managing interference in a dense network

VI.88. Which of the following privilege levels is the most secure?

  • Level 0
  • Level 1
  • Level 15
  • Level 16
Show (Hide) Explanation/Reference
By default, the Cisco IOS CLI has two privilege levels enabled, level 1 and level 15.

+ User EXEC mode (privilege level 1): provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.
+ Privileged EXEC mode (privilege level 15): includes all enable-level commands at the Router# prompt. Level 15 users can execute all commands and this is the most secured and powerful privilege level.

However, there are actually 16 privilege levels available on the CLI, from 0 to 15, and you can assign users to any of those levels. Zero-level access allows only five commands: logout, enable, disable, help, and exit. User level (level 1) provides very limited read-only access to the router, and privileged level (level 15) provides complete control over the router.


Comments

Null0

For everyone that is gonna take the test these days, just wanna say that more than 80% of the questions in here were in the test that I took today. Just pay attention to details. About the LAB, I had the ACL one and EIGRP, but be careful because the configuration at EIGRP was a bit different. Cheers

Narcis

Question VII.15…the correct answer is c. hop-by-hop response time

Alex

VI.A network administrator needs to allow only one Telnet connection to a router. For anyone viewing the configuration and issuing the show run command, the password for Telnet access should be encrypted. Which set of commands will accomplish this task?

Answer: C

Null0

145. The question is wrong, you need to switch single homed with single multihomed… multihomed means two or more different ISPs and homed means only one ISP.

Null0

VIII.136. Which access layer threat mitigation technique provides security by acting as a filter between trusted and untrusted traffic sources?

DHCP snooping
dynamic packet inspection
a nondefault native VLAN
802.1X

DHCP Snooping, not 802.1X, is the correct answer.

” DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities: ….
The DHCP snooping feature determines whether traffic sources are trusted or untrusted….” from cisco site.

alex

II.112 Refer to the exhibit. The two exhibited devices are the only Cisco devices on the network. The serial network between the two devices has a mask of 255.255.255.252. Given the output that is shown, what three statements are true of these devices? (Choose three.)

correct answer:

The Manchester serial address is 10.1.1.1
The London router is a Cisco 2610
The CDP information was received on port Serial0/0 of the Manchester router

Andreas

Question II.24 Which three commands MUST you enter
We can't enter 2 modes. In layer 3 switches we have to put switchport trunk encapsulation dot1q but the question doesn't mention layer 3. Any suggestions?

Andreas

Question I.71: the answer is different than the explanation. Please be more specific.

Adam

What do these sections mean? Which pages are current and valid?

Germán Castro

Hi, guys. I believe the answer to the first question “Which three statements about DWDM are true?” is wrong. It seems to me that the correct ones are A B D, instead of C D E as shown. Could you please comment on that?

Gabo

I think the same too. That question appears in Sect II and IV. In the 2nd it is answered correctly.

****************************************************
DWDM circuits are used in all modern submarine communications cable systems and other long-haul circuits.

Specifically, DWDM

Enables bidirectional communications over one strand of fiber
Assigns incoming optical signals to specific wavelengths of light (i.e., frequencies)
Each channel is capable of carrying a 10-Gbps multiplexed signal
Can multiplex more than 80 different channels of data (i.e., wavelengths) onto a single fiber
Can amplify these wavelengths to boost the signal strength
Supports SONET and SDH standards

Alin

Question 159: the correct answer is 2, not 3. Am I right?

Null0

Nope, it's 3… 3 hosts to one port of a switch with a hub (one collision), 2 hosts in another port (two collisions) and one port of the switch to the router and we have 3 collisions, because it is asking how many collisions are seen from the router and the router should be connected to the switch. Hope it helps

Khan

Did anyone attempt the Cisco 200-125 exam in Feb? Please help out with the lab that came.

Bart

I.124. Which three are characteristics of an IPv6 anycast address? (Choose three.)

in that question you have only 2 answers marked instead of 3.

alex

the third answer is: one-to-nearest communication model

Robin Hatton

I.34. – SA is the only possible answer as DA (although 6bytes) does not have to be a unique address as it can also be a broadcast address.

– Robin

Meek Mars

Question 32

Why is not switch 1 the Root as it has the lowest priority?

Is it because switch 3 is at the distribution level?

Festus Morumbasi

VIII.232. Which port security violation mode drops traffic from unknown MAC addresses and sends an SNMP trap?

Correct answer: restrict

wasd22

Questions 201 and 232 are the same with different answers.
VIII.232. Which port security violation mode drops traffic from unknown MAC addresses and sends an SNMP trap?

Protect
Restrict
Shutdown
Shutdown VLAN

Still not sure about the answer, because the SNMP trap is sent on different IOS versions of the Catalyst series ( https://community.cisco.com/t5/switching/snmp-trap-port-security-violation-shutdown-problem-stumper/td-p/1894494 )
3560X and 3750X, 3570 sent the SNMP trap only on restrict, don’t know about newer models.

Can somebody please clarify this? Even in the netacad platform there isn’t a clear explanation (5.2.2.3 CCNA module 2)

hmm

I think #214 is wrong

should be Verify that the devices of interest are included in the device inventory

source: https://www.econfigs.com/ccna-6-4-verify-acls-using-the-apic-em-path-trace-acl-analysis-tool/

Before You Begin
Make sure that you have devices in your inventory. If not, discover devices using the Discovery function.
Ensure that the controller has SSH or Telnet access to the device

Abeer

Is it updated?

vinoth

Hi, I study CCNA version 6. Next month I will sit for the exam. Which dump is perfect for me? Please can you tell me

Alex

In question 221 I think the correct answer is PC to router crossover and switch to hub straight, I think

Tanvir

Someone told me the CCNA dumps changed today, the last dumps didn’t work, can you give me the latest dumps please

Sabbir

Q221: PC to Router cable is Crossover and Switch to Wireless Point is Straight-Through.

Farid

Hey guys, I wanted to ask whether we will get the exact same questions on the real exam, or if this is made for practice only?

soni.ritika220@gmail.com

72. Which two statements about VTP are true? (Choose two.)

All switches must be configured with the same VTP domain name*
All switches must be configured to perform trunk negotiation.
All switches must be configured with a unique VTP domain name
The VTP server must have the highest revision number in the domain*
All switches must use the same VTP version.

The answer should be
All switches must be configured with the same VTP domain name*
All switches must use the same VTP version.
Please correct me if I am wrong

Abdi

Hey guys, the current CCNA is version 6, but the dump is, I think, version 3. How can it be compatible? Please reply.

Abdi

No one replies?

harlock

Is it still valid?

Jin Kas

Hi, are the questions and labs still valid?

Nirmesh

Is it still relevant?

John

Hello,
Can you please provide a downloaded pdf version?
Thank you.

Sasi

Are these questions still valid?

xhh (Guest)

Are the exams strict about mobile phones in the room?

Kamil (Guest)

VIII.113. "show license udi" and "show version" are correct. There is no command like "show license status" at all.

Ron (Guest)

I don't see IP SLA questions on this website. Does anyone know which section it belongs to?
Thanks,

*.onion (Guest)

VIII.147
Correct answers are:
–>Define a dialer interface*
–>**Create a dialer pool and bind it to the physical interface**

(Create a dialer pool and bind it to the virtual template* is not a correct answer)

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/bbdsl/configuration/xe-3s/bba-xe-3s-book/bba-pppoe-client-xe.html

*.onion (Guest)

VIII.108
Correct answers are:
–>The interface is error-disabled if packets arrive from a new unknown source address*
–>**It has dynamically learned two secure MAC addresses.**

When the violation mode is protect, the violation counter does NOT increment.

(The security violation counter increments if packets arrive from a new unknown source address* is not a correct answer)

https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/switchport-port-security-violation.html
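The point of the comment above (in protect mode the switch drops the offending frames silently and the violation counter never increments, so nobody is alerted) is exactly the kind of setting worth auditing across a fleet of switches. The following script is an added example, not code from the page or from Cisco: it parses a constructed running-config snippet and flags access ports that either lack port security or use violation mode protect. The sample config, the interface names and the finding strings are all constructed for illustration; the one assumption taken as fact is the IOS default of violation mode shutdown when no mode is configured.

```python
import re
from typing import Dict, List

# Constructed Catalyst-style running-config snippet (sample input, not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface X' block under its name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            # '!' or any non-indented line terminates the current block
            current = None
    return interfaces


def port_security_findings(config: str) -> Dict[str, str]:
    """Return one finding per access port, keyed by interface name.

    Trunk ports are skipped; an access port gets one of three findings:
    missing port security, violation mode protect (silent drops, no counter),
    or ok with the effective violation mode.
    """
    findings: Dict[str, str] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue
        if "switchport port-security" not in lines:
            findings[name] = "port-security not enabled"
            continue
        mode = "shutdown"  # IOS default when no violation mode is configured
        for entry in lines:
            m = re.match(r"switchport port-security violation (\S+)$", entry)
            if m:
                mode = m.group(1)
        if mode == "protect":
            findings[name] = (
                "violation protect: unknown-source frames dropped silently, "
                "violation counter does not increment"
            )
        else:
            findings[name] = f"ok (violation {mode})"
    return findings


if __name__ == "__main__":
    for intf, finding in port_security_findings(SAMPLE_CONFIG).items():
        print(f"{intf}: {finding}")
```

Run against a real `show running-config` capture, the same function gives you a per-port list of where a violation would go unnoticed; pairing restrict or shutdown with SNMP traps or syslog is what makes the counter the comment mentions actually useful for detection.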

Mati (Guest)

–>The interface is error-disabled if packets arrive from a new unknown source address* INCORRECT

–>**It has dynamically learned two secure MAC addresses.** CORRECT

*.onion (Guest)

VIII.92.
I think the correct answer is strict:
Strict is used to specify the hop(s) that you want the packet to go through, but no other hop(s) are allowed to be visited.

Record is a very useful option because it displays the address(es) of the hops (up to nine) the packet goes through.

https://www.cisco.com/c/en/us/support/docs/ip/routing-information-protocol-rip/13730-ext-ping-trace.html

Joseph (Guest)

VIII.147. Which two actions must you take to correctly configure PPPoE on a client? (Choose two.)
The right answers are: Define a dialer interface and Create a dialer pool and bind it to the physical interface.

Rey (Guest)

III.42. According to the routing table, where will the router send a packet destined for 10.1.5.65? – The multiple choice answers given in the VCE file need to be corrected to the ones displayed here.

III.15. Based on the exhibited routing table, how will packets from a host within the 192.168.10.192/26 LAN be forwarded to 192.168.10.1? – No routing table is displayed 🙁

III.109. Which two are advantages of static routing when compared to dynamic routing? (Choose two.) – In the VCE file it only lets you choose one option even though it says choose two.

III.65. A router receives…

Andrew (Guest)

VIII.25. Which two statements about configuring an EtherChannel on a Cisco switch are true? (Choose two.)

The right answers are:
The interfaces configured in the EtherChannel must operate at the same speed and duplex mode*
The interfaces configured in the EtherChannel must be part of the same VLAN or trunk

But not:
The interfaces configured in the EtherChannel must be on the same physical switch*

Kevin (Guest)

Thank you for the information on your site, it really is very useful. As for the file in VCE format, please update it with all questions.

Andrew (Guest)

The question:
I.87. Which protocol does IPv6 use to discover other IPv6 nodes on the same segment?

The right answer is NDP, not ARP.

Andrey (Guest)

Question:
I.87. Which protocol does IPv6 use to discover other IPv6 nodes on the same segment?
Right answer is NDP, not ARP!!!

Tony (Guest)

Are these questions still valid, as I will be writing the exam in 2 weeks' time?

Rey (Guest)

Routing Technologies – III.123. You have configured a router with an OSPF router ID, but its IP address still reflects the physical interface. Which action can you take to correct the problem in the least disruptive way?

Reload the OSPF process
Reboot the router
Specify a loopback address*
Save the router configuration

This one is really confusing. I think the correct answer is Reload the OSPF process.

Rey (Guest)

Section V: Infrastructure Services, Q51: What statement is true about this configuration?

The answer should be C: the number 1 referred to in the ip inside source command references access-list number 1.

Agustin (Guest)

I had the exam last week. I gave it wrong. But 80% or more of the questions are here, especially in section 8. My recommendation is to study a lot of labs, section 8 and all the drag-and-drops.

Andreea (Guest)

Hello,

I will go to the exam on 4 November. Could you please tell me if these dumps are still available?

Thank you very much!

tom (Guest)

Did you pass it?

Andreea (Guest)

Yes

tom (Guest)

Did you use another source apart from this website? Or are just these questions enough to pass it? Because I'll go memorize them. Thank you

ivan (Guest)

Passed my exam last weekend. This site is very good, highly recommend.

T.G. (Guest)

This is a great piece of work. I thank you all for taking the time to put this together. Very helpful. 🙂