Module 6: Quiz – Device Monitoring and Management (Answers) Network Security

1. What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?

  • AAA
  • RADIUS
  • IPsec
  • SNMP

Explanation: Secure Copy Protocol (SCP) is used to securely copy IOS images and configuration files to an SCP server. To perform this, SCP uses SSH connections from users authenticated through AAA.

2. When password recovery on a router is being performed and the settings in NVRAM have been bypassed, which step should be taken next?

  • Copy the contents of RAM to the NVRAM.
  • Copy the contents of NVRAM to the RAM.
  • Reload the router.
  • Reset the router.

Explanation: The password recovery procedures for Cisco devices follow the same principle:

Step 1. Enter the ROMMON mode.
Step 2. Change the config-reg to 0x2142 to ignore the startup config file.
Step 3. Make necessary changes to the original startup config file.
Step 4. Save the new configuration.

3. Which protocol or service is used to automatically synchronize the software clocks on Cisco routers?

  • DHCP
  • NTP
  • DNS
  • SNMP

Explanation: Network Time Protocol (NTP) is used to allow network devices to synchronize their time settings with a centralized time server. DHCP (Dynamic Host Configuration Protocol) is a protocol which assigns IP addresses to hosts. DNS (Domain Name Service) is a service which resolves host names to IP addresses. SNMP (Simple Network Management Protocol) is a protocol which allows administrators to manage network nodes.

4. A network engineer wants to synchronize the time of a router with an NTP server at the IPv4 address 209.165.200.225. The exit interface of the router is configured with an IPv4 address of 192.168.212.11. Which global configuration command should be used to configure the NTP server as the time source for this router?

  • ntp peer 192.168.212.11
  • ntp peer 209.165.200.225
  • ntp server 209.165.200.225
  • ntp server 192.168.212.11

Explanation: The global configuration command ntp server ip-address sets the server at that address as the time source for the router. The ntp peer command, which enables a router to both update the time of another similarly configured router and also synchronize with that router if necessary, is not appropriate in this case.

5. What are three functions provided by the syslog service? (Choose three.)

  • to specify the destinations of captured messages
  • to provide statistics on packets that are flowing through a Cisco device
  • to periodically poll agents for data
  • to gather logging information for monitoring and troubleshooting
  • to select the type of logging information that is captured
  • to provide traffic analysis

Explanation: There are three primary functions provided by the syslog service:

  1. gathering logging information
  2. selection of the type of information to be logged
  3. selection of the destination of the logged information

6. Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames?

  • LLDP
  • reverse ARP
  • CDP
  • proxy ARP

Explanation: Proxy ARP is a technique used on a device on a network to answer ARP queries for a device on another network. This service should be disabled on a router and the correct default gateway address should be configured (manually or by DHCP) for the normal process of remote network access. CDP and LLDP are device discovery protocols. Reverse ARP is used to resolve IP addresses.

7. What is the purpose of issuing the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router?

  • to enable OSPF MD5 authentication on a per-interface basis
  • to configure OSPF MD5 authentication globally on the router
  • to encrypt OSPF routing updates
  • to facilitate the establishment of neighbor adjacencies

Explanation: To configure OSPF MD5 authentication globally, the ip ospf message-digest-key key md5 password interface configuration command and the area area-id authentication message-digest router configuration command are issued. To configure OSPF MD5 authentication per interface, the ip ospf message-digest-key key md5 password interface configuration command and the ip ospf authentication message-digest interface configuration command are issued. Authentication does not encrypt OSPF routing updates. The requirements to establish OSPF router neighbor adjacencies are separate from authentication.

8. Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?

  • FTP
  • LLDP
  • CDP
  • HTTP

Explanation: CDP is a Cisco proprietary protocol that gathers information from other connected Cisco devices, and is enabled by default on Cisco devices. LLDP is an open standard protocol which provides the same service. It can be enabled on a Cisco router. HTTP and FTP are Application Layer protocols that do not collect information about network devices.

9. Which statement describes SNMP operation?

  • An SNMP agent that resides on a managed device collects information about the device and stores that information remotely in the MIB that is located on the NMS.
  • A get request is used by the SNMP agent to query the device for data.
  • An NMS periodically polls the SNMP agents that are residing on managed devices by using traps to query the devices for data.
  • A set request is used by the NMS to change configuration variables in the agent device.

Explanation: An SNMP agent that resides on a managed device collects and stores information about the device and its operation. This information is stored by the agent locally in the MIB. An NMS periodically polls the SNMP agents that are residing on managed devices by using the get request to query the devices for data.

10. When SNMPv1 or SNMPv2 is being used, which feature provides secure access to MIB objects?

  • message integrity
  • packet encryption
  • source validation
  • community strings

Explanation: SNMPv1 and SNMPv2 use community strings to control access to the MIB. SNMPv3 uses encryption, message integrity, and source validation.

11. What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)

  • to prevent data traffic from being redirected and then discarded
  • to ensure faster network convergence
  • to provide data security through encryption
  • to prevent redirection of data traffic to an insecure link
  • to ensure more efficient routing

Explanation: Enabling OSPF routing protocol authentication prevents data traffic from being redirected to an insecure link or being discarded. It does not provide faster network convergence, more efficient routing, or encryption of data traffic.

12. What are SNMP trap messages?

  • unsolicited messages that are sent by the SNMP agent and alert the NMS to a condition on the network
  • messages that are used by the NMS to change configuration variables in the agent device
  • messages that are used by the NMS to query the device for data
  • messages that are sent periodically by the NMS to the SNMP agents that reside on managed devices to query the device for data

Explanation: A GET request is a message that is used by the NMS to query the device for data. A SET request is a message that is used by the NMS to change configuration variables in the agent device. An NMS periodically polls the SNMP agents residing on managed devices, by querying the device for data by using the GET request.

13. Which technology allows syslog messages to be filtered to different devices based on event importance?

  • syslog severity levels
  • syslog service timestamps
  • syslog service identifiers
  • syslog facilities

Explanation: Syslog severity levels provide the ability for an administrator to filter out log messages. Syslog service timestamps provide the capability for log messages to be time-stamped. Syslog facilities and service identifiers provide administrators with an event identification and categorization system.

14. What is a characteristic of the Cisco IOS Resilient Configuration feature?

  • It maintains a secure working copy of the bootstrap startup program.
  • Once issued, the secure boot-config command automatically upgrades the configuration archive to a newer version after new configuration commands have been entered.
  • The secure boot-image command works properly when the system is configured to run an image from a TFTP server.
  • A snapshot of the router running configuration can be taken and securely archived in persistent storage.

Explanation: The Cisco IOS Resilient Configuration feature maintains a secure working copy of the router IOS image file and a copy of the running configuration file. The secure boot-image command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. The secure boot-config command has to be used repeatedly to upgrade the configuration archive to a newer version after new configuration commands have been issued. A snapshot of the router running configuration can be taken and securely archived in persistent storage using the secure boot-config command.
