نمونه سوالات آزمون CCNA Routing & Switching 200-120
Topic 6, Network Device Security
QUESTION NO: 201 Drag and Drop
Answer:
QUESTION NO: 202
Refer to the exhibit.
A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands.
Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.)
A. Port security needs to be globally enabled.
B. Port security needs to be enabled on the interface.
C. Port security needs to be configured to shut down the interface in the event of a violation.
D. Port security needs to be configured to allow only one learned MAC address.
E. Port security interface counters need to be cleared before using the show command.
F. The port security configuration needs to be saved to NVRAM before it can become active.
Answer: B,D
Explanation:
From the output we can see that port security is disabled so this needs to be enabled. Also, the maximum number of devices is set to 2 so this needs to be just one if we want the single host to have access and nothing else.
QUESTION NO: 203
Which set of commands is recommended to prevent the use of a hub in the access layer?
A. switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security maximum 1
B. switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security mac-address 1
C. switch(config-if)#switchport mode access
switch(config-if)#switchport port-security maximum 1
D. switch(config-if)#switchport mode access
switch(config-if)#switchport port-security mac-address 1
Answer: C
Explanation:
This question is to examine the layer 2 security configuration.
In order to satisfy the requirements of this question, you should perform the following
configurations in the interface mode:
First, configure the interface mode as the access mode
Second, enable the port security and set the maximum number of connections to 1.
QUESTION NO: 204
How does using the service password-encryption command on a router provide additional security?
A. by encrypting all passwords passing through the router
B. by encrypting passwords in the plain text configuration file
C. by requiring entry of encrypted passwords for access to the device
D. by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges
E. by automatically suggesting encrypted passwords for use in configuring the router
Answer: B
Explanation:
By using this command, all the (current and future) passwords are encrypted. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.
QUESTION NO: 205
Refer to the exhibit.
Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?
A. ACDB
B. BADC
C. DBAC
D. CDBA
Answer: D
Explanation:
Routers go line by line through an access list until a match is found and then will not look any further, even if a more specific of better match is found later on in the access list. So, it it best to begin with the most specific entries first, in this cast the two hosts in line C and D. Then, include the subnet (B) and then finally the rest of the traffic (A).
QUESTION NO: 206
Refer to the exhibit.
An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?
A. no ip access-class 102 in
B. no ip access-class 102 out
C. no ip access-group 102 in
D. no ip access-group 102 out
E. no ip access-list 102 in
Answer: D
Explanation:
The “ip access-group” is used to apply and ACL to an interface. From the output shown, we know that the ACL is applied to outbound traffic, so “no ip access-group 102 out” will remove the effect of this ACL.
QUESTION NO: 207
Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU?
A. BackboneFast
B. UplinkFast
C. Root Guard
D. BPDU Guard
E. BPDU Filter
Answer: D
Explanation:
We only enable PortFast feature on access ports (ports connected to end stations). But if someone does not know he can accidentally plug that port to another switch and a loop may occur when BPDUs are being transmitted and received on these ports. With BPDU Guard, when a PortFast receives a BPDU, it will be shut down to prevent a loop.
QUESTION NO: 208 Scenario
A network associate is adding security to the configuration of the Corp1 router. The user on host C should be able to use a web browser to access financial information from the Finance Web Server. No other hosts from the LAN nor the Core should be able to use a web browser to access this server. Since there are multiple resources for the corporation at this location including other resources on the Finance Web Server, all other traffic should be allowed.
The task is to create and apply an access-list with no more than three statements that will allow ONLY host C web access to the Finance Web Server. No other hosts will have web access to the Finance Web Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to "cisco".
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 - 192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 - 172.22.242.30.
The Finance Web Server is assigned an IP address of 172.22.242.23.
Answer:
Select the console on Corp1 router
Configuring ACL:
Corp1>enable
Corp1#configure terminal
comment: To permit only Host C (192.168.33.3){source addr} to access finance server address
(172.22.242.23) {destination addr} on port number 80 (web)
Corp1(config)#access-list 100 permit tcp host 192.168.33.3 host 172.22.242.23 eq 80
comment: To deny any source to access finance server address (172.22.242.23) {destination addr} on port number 80 (web)
Corp1(config)#access-list 100 deny tcp any host 172.22.242.23 eq 80
comment: To permit ip protocol from any source to access any destination because of the implicit
deny any any statement at the end of ACL.
Corp1(config)#access-list 100 permit ip any any
Applying the ACL on the Interface:
comment: Check show ip interface brief command to identify the interface type and number by
checking the IP address configured.
Corp1(config)#interface fa 0/1
If the ip address configured already is incorrect as well as the subnet mask. this should be
corrected in order ACL to work
type this commands at interface mode :
no ip address 192.x.x.x 255.x.x.x (removes incorrect configured ipaddress and subnet mask)
Configure Correct IP Address and subnet mask :
ip address 172.22.242.30 255.255.255.240 ( range of address specified going to server is given as 172.22.242.17 - 172.22.242.30 )
Comment: Place the ACL to check for packets going outside the interface towards the finance web server.
Corp1(config-if)#ip access-group 100 out
Corp1(config-if)#end
Important: To save your running config to startup before exit.
Corp1#copy running-config startup-config
Verifying the Configuration:
Step1: show ip interface brief command identifies the interface on which to apply access list.
Step2: Click on each host A, B, C, & D. Host opens a web browser page, Select address box of the web browser and type the ip address of finance web server (172.22.242.23) to test whether it permits /deny access to the finance web Server.
Step 3: Only Host C (192.168.33.3) has access to the server. If the other host can also access then maybe something went wrong in your configuration. Check whether you configured correctly and in order.
Step 4: If only Host C (192.168.33.3) can access the Finance Web Server you can click on NEXT button to successfully submit the ACL SIM.
QUESTION NO: 209
When you are troubleshooting an ACL issue on a router, which command would you use to verify which interfaces are affected by the ACL?
A. show ip access-lists
B. show access-lists
C. show interface
D. show ip interface
E. list ip interface
Answer: D
Explanation:
Incorrect answer:
show ip access-lists does not show interfaces affected by an ACL.
QUESTION NO: 210
Refer to exhibit.
A network administrator cannot establish a Telnet session with the indicated router. What is the cause of this failure?
A. A Level 5 password is not set.
B. An ACL is blocking Telnet access.
C. The vty password is missing.
D. The console password is missing.
Answer: C
Explanation:
The login keyword has been set, but not password. This will result in the “password required, but
none set” message to users trying to telnet to this router.
QUESTION NO: 211
Which statement about access lists that are applied to an interface is true?
A. You can place as many access lists as you want on any interface.
B. You can apply only one access list on any interface.
C. You can configure one access list, per direction, per Layer 3 protocol.
D. You can apply multiple access lists with the same protocol or in different directions.
Answer: C
Explanation:
We can have only 1 access list per protocol, per direction and per interface. It means:
+ We can not have 2 inbound access lists on an interface
+ We can have 1 inbound and 1 outbound access list on an interface
QUESTION NO: 212
Which item represents the standard IP ACL?
A. access-list 110 permit ip any any
B. access-list 50 deny 192.168.1.1 0.0.0.255
C. access list 101 deny tcp any host 192.168.1.1
D. access-list 2500 deny tcp any host 192.168.1.1 eq 22
Answer: B
Explanation:
The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access list.
QUESTION NO: 213
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two.)
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
B. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
E. access-list 10 permit ip 192.168.146.0 0.0.0.255
F. access-list 10 permit ip 192.168.146.0 255.255.255.0
Answer: A,C
Explanation:
“access-list 10 permit ip 192.168.146.0 0.0.1.255” would allow only the 192.168.146.0 and 192.168.147.0 networks, and “access-list 10 permit ip 192.168.148.0 0.0.1.255” would allow only the 192.168.148.0 and 192.168.149.0 networks.
QUESTION NO: 214
What can be done to secure the virtual terminal interfaces on a router? (Choose two.)
A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
Answer: D,E
Explanation:
It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces.
We can not physically secure a virtual interface because it is “virtual”.
To apply an access list to a virtual terminal interface we must use the “access-class” command.
The “access-group” command is only used to apply an access list to a physical interface -> C is not correct.
The most simple way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login.
QUESTION NO: 215
Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two.)
A. SW1#show port-secure interface FastEthernet 0/12
B. SW1#show switchport port-secure interface FastEthernet 0/12
C. SW1#show running-config
D. SW1#show port-security interface FastEthernet 0/12
E. SW1#show switchport port-security interface FastEthernet 0/12
Answer: C,D
Explanation:
We can verify whether port security has been configured by using the “show running-config” or “show port-security interface ” for more detail. An example of the output of “show port-security interface ” command is shown below:
QUESTION NO: 216
Refer to the exhibit.
The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)# switchport port-security
2950Switch(config-if)# switchport port-security mac-address sticky
2950Switch(config-if)# switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two.)
A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.
Answer: B,D
Explanation:
The configuration shown here is an example of port security, specifically port security using sticky addresses. You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
QUESTION NO: 217
What will be the result if the following configuration commands are implemented on a Cisco switch?
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
A. A dynamically learned MAC address is saved in the startup-configuration file.
B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.
Answer: B
Explanation:
In the interface configuration mode, the command switchport port-security mac-address sticky enables sticky learning. When entering this command, the interface converts all the dynamic secure MAC addresses to sticky secure MAC addresses.
Topic 7, Troubleshooting
QUESTION NO: 218 Drag and Drop
Answer:
Explanation:
A simple way to find out which layer is having problem is to remember this rule: “the first statement is for Layer 1, the last statement is for Layer 2 and if Layer 1 is down then surely Layer 2 will be down too”, so you have to check Layer 1 before checking Layer 2. For example, from the output “Serial0/1 is up, line protocol is down” we know that it is a layer 2 problem because the first statement (Serial0/1 is up) is good while the last statement (line protocol is down) is bad. For the statement “Serial0/1 is down, line protocol is down”, both layers are down so the problem belongs to Layer 1.
There is only one special case with the statement “…. is administrator down, line protocol is down”. In this case, we know that the port is currently disabled and shut down by the administrators.
QUESTION NO: 219
Answer:
Explanation:
The question asks us to “begin with the lowest layer” so we have to begin with Layer 1: verify physical connection; in this case an Ethernet cable connection. For your information, “verify Ethernet cable connection” means that we check if the type of connection (crossover, straightthrough, rollover…) is correct, the RJ45 headers are plugged in, the signal on the cable is acceptable…
Next we “verify NIC operation”. We do this by simply making a ping to the loopback interface 127.0.0.1. If it works then the NIC card (layer 1, 2) and TCP/IP stack (layer 3) are working properly.
Verify IP configuration belongs to layer 3. For example, checking if the IP can be assignable for host, the PC’s IP is in the same network with the gateway…
Verifying the URL by typing in your browser some popular websites like google.com, microsoft.com to assure that the far end server is not down (it sometimes make we think we can’t access to the Internet). We are using a URL so this step belongs to layer 7 of the OSI model.
QUESTION NO: 220
Refer to the exhibit.
A network administrator attempts to ping Host2 from Host1 and receives the results that are shown. What is the problem?
A. The link between Host1 and Switch1 is down.
B. TCP/IP is not functioning on Host1
C. The link between Router1 and Router2 is down.
D. The default gateway on Host1 is incorrect.
E. Interface Fa0/0 on Router1 is shutdown.
F. The link between Switch1 and Router1 is down.
Answer: C
Explanation:
Host1 tries to communicate with Host2. The message destination host unreachable from Router1 indicates that the problem occurs when the data is forwarded from Host1 to Host2. According to the topology, we can infer that the link between Router1 and Router2 is down.
نمونه سوالات آزمونهای سیسکو
CCNA Routing & Switching - exam 200-120
CCNA Collaboration (CICD) - exam 210-060
CCNA Collaboration (CIVND) - exam 210-065
Implementing Cisco IP Routing - exam 300-101
Implementing Cisco IP Switched - exam 300-115
Troubleshooting Cisco Networks - exam 300-135
نمونه سوالات آزمونهای مایکروسافت
Configuring Windows Server 2012 - exam 70-410
Administering Windows Server 2012 - exam 70-411
Advanced Windows Server 2012 - exam 70-412
Designing a Server Infrastructure - exam 70-413
Implementing Server Infrastructure - exam 70-414
اولین کتاب CCNA Voice به زبان فارسی منتشر شد. برای اطلاعات بیشتر و دریافت بخشی از کتاب, بر روی لینک کلیک کنید.
