This action might not be possible to undo. Are you sure you want to continue?
CCNA® INTERVIEW QUESTIONS
100 Interview Questions and Answers based on CCNA® concepts Includes Topology and Scenario based Questions and Answers www.tcpipguru.com
Copyright 2013 @ www.tcpipguru.com
The CCNA® certification is one of the most reputed and respected courses in the computer networking industry. This EBook is ideal for candidates who have completed or pursing CCNA® certification and intending to go for an interview, which requires the CCNA® certification. The questions in the EBook would help you to perform a self assessment of the concepts learnt during the CCNA® course and how well you have understood the same. Scenario and topology based questions with answers are also included in the eBook.
Copyright 2013 @ www.tcpipguru.com
In the above diagram, three computers with IP address 192.168.1.2 , 192.168.1.3 and 192.168.2.1 is connected to a layer 2 switch. Can the computer with IP address 192.168.1.2, ping the computer with IP address 192.168.2.1? Explanation The computer with IP address 192.168.1.2, belongs to the network address of 192.168.1.0. The computer with IP address 192.168.2.1 belongs to the network address of 192.168.2.0. Since both the computers belong to different network addresses, communication between them is possible only if a layer 3 device or a router is required. Computers require the mac-address of the peer for sending out the packet. ARP is used on an ethernet segment to find out the mac-address of the peer. ARP can be used to find out the mac-addresses of devices belonging to the same network address. If the destination is on a different network address, the ARP request is sent to the gateway. So in this case, there is no gateway configured.
Copyright 2013 @ www.tcpipguru.com
In the above diagram, the computer with IP address 192.168.1.2 pings the router with IP address 192.168.1.1. Explain how the packet is processed by the router and whether routing is involved in the scenario. Explanation The computer constructs the IP header with source IP address as 192.168.1.2 and destination IP address as 192.168.1.3. The IP header would be encapsulated in an ethernet frame with source mac-address as that of the computer’s mac-address and destination mac-address as the router’s mac-address. When the frame reaches the router, the router looks into the destination mac-address of the frame. On a match, the FCS value of the frame is calculated and verified. The router then looks into the destination IP address of the IP header. Since the IP address is intended for itself, the router prepares a response. There is no routing involved since the destination IP address is on the same physical segment.
Copyright 2013 @ www.tcpipguru.com
Question 3 Two interfaces of a router is configured with IP addresses 192.168.1.1, subnet mask 255.255.255.0 and IP address 192.168.2.1, subnet mask 255.255.255.0. Would the routing table of the router contain any information? Explanation When the interfaces are configured with the respective IP addresses and subnet mask, the router would perform an ANding operation with the IP address and subnet mask. This would ultimately yield the network address for the interface. Once the interfaces are configured with the IP addresses and subnet masks, two entries would be available in the routing tables which are 192.168.1.0 (Network address of 192.168.1.1) and 192.168.2.0 (Network address of 192.168.2.1), which would be listed as directly connected networks. Question 4
Copyright 2013 @ www.tcpipguru.com
In the above diagram, PC1 pings PC2 and a response is received by PC1. Explain the end to end communication. Explanation When PC1 pings PC2, the destination IP address is 192.168.2.2. The routing table on PC1 understands that 192.168.2.2 is on a different network. Due to this, the packet needs to be sent to the gateway. The corresponding gateway for PC1 is 192.168.1.1 and is configured on the TCP/IP adapter. An ARP request is sent out on the network to discover the mac-address of 192.168.1.1. Once the mac-address is received, an ethernet frame is created with the source mac-address as PC1 and destination mac-address as that of the router’s interface configured with the IP address 192.168.1.1. The frame encapsulates the IP header with source IP address as 192.168.1.2 and destination IP address as 192.168.2.2. When the frame reaches the router, the router would look into the destination mac-address inside the frame. On a match, the FCS value of the frame is verified and then the frame stripped. The router then looks into the destination IP address in the IP header. It then verifies if the destination network is known to it. Since the destination network, which is 192.168.2.0, is a directly connected network on the other interface, a frame with the source mac-address as the 192.168.2.1 interface and destination mac-address as PC2 mac-address is created. The IP packet header is then encapsulated in the frame and sent out to the destination. For the response, the same procedure is followed. The difference would be the source IP address in the IP header would be 192.168.2.2 and the destination IP address is 192.168.1.2. Question 5 Give two reasons as to why Rip v2 should be used instead of Rip v1. Explanation Rip v1 is broadcast in nature. So the performance of the network would be affected. Rip v2 is multicast. So, only devices / routers which support Rip v2 would participate in the communication. Rip v2 also supports password for authentication, which Rip v1 does not have.
Copyright 2013 @ www.tcpipguru.com
Since in internet bound packets.tcpipguru. The switch is powered on. After the switch boots. In the above scenario. Question 8 Copyright 2013 @ www. Question 7 What type of route entry can be provided for routing internet traffic? Explanation A default route entry can be provided for routing internet traffic. how many entries would be available in the mac-address table of the switch? Explanation Mac-address table is populated when a communication is initiated from any of the computers. A default route entry is provided when the route to the destination is not known. So there would not be any entries in the mac-address table. the destination networks always vary.Question 6 There are two computers connected to a switch. a communication has not yet been initiated by any of the computers.com . a default route is recommended.
When PC1 initiates an ARP request to find the mac-address of PC2 (since both reside on the same network). For ex:. which require communication with each other. When VLAN is not used. PC1 is connected to a port which is a member of VLAN 2 on the switch and PC2 is connected to a port which is a member of VLAN 3 on the switch. the communication would not be successful. Can PC1 ping PC2? Explanation PC1 and PC2 are connected to ports which are members of different VLANs. where different VLANs can be created and mapped with specific IP network addresses of the departments. What strategy and technology can be used for achieving the same? Explanation The organization can use a VLAN based network. since broadcasts in one VLAN would not be sent to a different vlan. So. The router then checks its routing table to look for corresponding routing entries for the network address of the destination IP address. 5 physical interfaces on the router are required. it looks into the destination IP address in it. The organization has 5 departments each of which has different network addresses. the ARP request would not reach PC2 .tcpipguru. Inter routing can be configured for communication between the networks. When inter vlan routing is used. Question 9 A network has to be designed for an organization. though the computers reside on the same network.In the above diagram. if the destination IP Copyright 2013 @ www. just a single interface on the router is required. Question 10 How does a router forward an IP packet to appropriate destination? Explanation When a router receives an IP packet.com .
tcpipguru. the switch would add the source mac-address in the response frame to its mac-address table relevant to the port which sent the response.1. Would the info in the mac-address table be available after re-boot? Explanation The info in the mac-address table would not be available since it would be cleared on a re-boot.0/24. Copyright 2013 @ www.2. class C etc. class B. when it is unaware of the destination mac-address in a frame? Explanation The switch would flood the frame to all ports. The routing protocol supports only classful addressing like class A. The switch is powered off and re-booted after some time. In classless routing. If not available. The router forwards the packet to the appropriate interface on which the network is connected or aware of the destination. the packet is dropped. apart from the port on which the frame was received.168. Once the response is received. Question 11 What does a switch do.2. Question 13 What is the fundamental difference between classful and classless routing protocols? Explanation In classful routing. Question 12 A switch has built its mac-address table dynamically.address is 192.168.com . subnet mask information is carried inside the routing protocol packets as opposed to classful routing where this information is not available. the router checks in the routing table if a matching route entry is available for the network 192. there is no concept of subnets.
R1 and R2 are directly connected to each other. Question 16 Does spanning tree protocol require IP address to be configured between switches? Explanation Spanning tree is a layer 2 protocol.com .tcpipguru. Would a response be received if PC1 pings 172.16. So a hub cannot make any differentiation between a unicast and broadcast frame as it understands only signals. the signal would be sent to all ports. The default gateway on PC1 is configured as 192.2. It does not understand frames.Question 14 How does a hub differentiate between a unicast and broadcast frame? Explanation A hub works on layer 1 of the OSI model. Question 17 In the below topology.168.1. Irrespective of the type of frame. Question 15 What command can be used on a Cisco router to disallow RIP packet updates on a specific interface? Explanation Passive-interface can be used on an interface for disallowing RIP packets on the interface.1.1. ? Copyright 2013 @ www. It does not require IP addresses to be configured on the switches.
184.108.40.206.2.tcpipguru.com . the packet would reach R2 but R2 does not have information related to the network 192.Explanation PC1 would not receive a response. This information has to be provided on R2 with a static route for the network 192. When PC1 pings the IP address 172.0 to which PC1 belongs.0/24 or using dynamic routing protocols between R1 and R2.168. So the response packet to PC1 would be dropped. Question 18 Copyright 2013 @ www.1.
The router Copyright 2013 @ www. VLAN 2. Question 19 In the above topology.168. which is 192.1. The other PC’s should also be respectively configured for the sub interface IP address for the respective default gateways. The TCP/IP adapters of the respective computers are configured with IP address. VLAN3 and VLAN 4 are configured on the switches. subnet mask and gateway values as shown. two interfaces on the router are configured with IP addresses as shown.com . PC1 should be configured with sub interface IP address of VLAN 2 for which it is a member. In the above topology is it required that the PC’s should be configured with appropriate default gateway on the respective TCP/IP adapter to reach the other PC’s? Explanation It can be observed that the PC’s are on different networks.tcpipguru.An inter -vlan based infrastructure is shown above. with appropriate inter -vlan routing on the router. Appropriate sub interface IP addresses are configured on the router.1. For systems on different networks to communicate. a default gateway is required.
168. the TCP/IP adapter settings of the computers are configured with the IP addresses as shown in the diagram. In the above topology.0 as directly connected networks.1. For a computer to respond to a device on a different network.168. What Copyright 2013 @ www. Identify. a gateway is required. Question -20 In the above topology.1 and 192.2.1 with mask 255. This would be automatically populated by the router when the interfaces are configured with the respective IP addresses. Gateways should always belong to the network on which the computer resides as well as being aware of the destination network.1 and that of PC2 should be 220.127.116.11. Explanation The router would contain the route entries for the networks 192.2.0 and 18.104.22.168.168. It is observed that PC1 is unable to ping PC2.tcpipguru. So additional type of routing is not required. The IP addresses of the interfaces of the routers are 192.com .1 and not vice versa.1.168.168. the router is the gateway for both the computers.is not configured for any type of routing (Static or Dynamic). The gateway for PC1 should be 192. It can be observed that gateway settings on the computers are incorrect.
168. So the value of 192.168. the router has two interfaces. the ping packet would be dropped on PC1 since the computer does not know whom to contact for sending a packet destined for a different network. If the gateway is not configured. Copyright 2013 @ www. The interface IP address of 22.214.171.124.168.2. In this case.tcpipguru.1 from PC1).1.1.com . The gateway should be a device which is accessible to the source and also be aware of the destination. What additional configuration should be setup on PC1 for a ping to be successful from PC1 to the router? (ping 192.should be the gateway address configured on PC1 for a user to ping the interface of the router with IP address 192.1.1 and the source PC1 belongs to the same network address. The router is gateway for PC1.1.168. a gateway needs to be configured.1 should be configured as the gateway IP address for PC1.1 resides on a different network from the source which is 192. Question – 21 In the above topology.168. PC1 is connected to a switch to which the router is connected.1 and receive a response? Explanation The destination which is 192. To access a device or a computer which resides on a different network.
In the above topology.ARP Request . when PC1 pings the routers interface IP address of 192. At what duplex setting can the hub operate? Explanation Hubs use a shared medium for communication.com .1. A gateway is a device which belongs to the same network and is also aware of other networks.168.1.tcpipguru. Question 22 A PC is connected to a 5 port ethernet hub operating at 100 Mbps. Question 23 On a layer 2 switch.Explanation PC1 and PC2 belong to the same network address of 192.Unicast Explanation: PC1 and PC2 are on different VLAN's. It uses the CSMA/CD protocol and can work only in half duplex mode irrespective of the number of clients connected to it. Layer 2 switch does Copyright 2013 @ www. Which of the following traffic type initiated by PC1 will not be visible to PC2? .Unicast packets will cross VLAN's only if inter-vlan communication is enabled.1 as both belong to the same network. Other ports of the hub are free and not connected to any other devices.1.168.Two PC's. the gateway need not be configured on the TCP/IP adapter setting. two ports are members of VLAN 5 and VLAN 6.DHCP Discover . ARP Request and DHCP Discover are broadcast packets which will not cross any VLAN segment. a gateway is not required. an ARP request would be triggered to find the mac-address of 192. PC1 and PC2 are connected to the respective ports.1. So it can be observed that to ping a gateway.0/24. following which the ping packet would be sent.168. For devices on same networks to communicate.
1.2? Explanation The ping response packet would contain the initiator’s IP address in the destination IP address field in the IP header .1/24.1.0 network. which would be 192.168.168. So none of the packets would be visible to PC2.2/24 and its default gateway is 192.1.0 255.255.5 would be "And ed" with 255.The route table contains the following entry. Question 26 Which of the following fields in an ethernet frame would be modified when it moves from port 1 to port 2 of a switch? -Destination mac-address -Source mac-address -Data Copyright 2013 @ www.126.96.36.199.1.168. The user on the PC pings an IP address which is on a different network (IP address: 192.255.0 and determined that the destination IP address is a member of the 192.2.com .168. Default gateway: 192.168.255. What would be the destination IP address in the IP header in the ping response packet coming from the IP address 192.not have the capacity for inter-vlan communication.255.1. Assume that an IP packet has arrived with the destination IP address as 192.2. Question 24 The IP address of a PC is 192.2.tcpipguru.1). Question 25 What is the use of a subnet mask in the routing table of a router? Explanation The subnet mask is used to identify the network address corresponding to the received IP packets on the router.2. 192.168.1. 192.168.168.1.0.
So the path which the static route points to would be taken by the packet. every port is a collision domain. none of the fields above would be modified. Question 28 How many collision domains are available respectively on 5 port and 8 port hub? Explanation On a hub. the Destination mac-address would be the receiver’s mac-address and not the switch port’s address. Question 27 A router has two paths to a network with a static route and dynamic routing protocol.com . The AD (Administrative Distance) of static route is lower than that of dynamic routing protocols. Copyright 2013 @ www.tcpipguru. Which path would a packet bound to the network take when it reaches the router? Explanation When there are two paths to the same network. all the ports belong to only one collision domain. So on a 24 port switch. When the frame passes through the port.Explanation When an Ethernet frame is generated. So irrespective of the number of ports on the hub. there is only one collision domain on both the hubs. the path with the lower administrative distance would be used for forwarding the packet. Question 29 How many collision domains are available on switch which has three vlans and 24 ports? Explanation On a switch. there are 24 collision domains.
a router would be required for internetwork communication.Question 30 PC1 is configured on a port on switch 1. which is a member of VLAN 2. Question 32 Which VLAN protocol can be used to setup VLAN trunking between switches from different manufacturers? Explanation 802. So although they reside on the same VLAN. Can PC1 ping PC2? Explanation The link between the switches should be configured as a trunk link. PC2 is connected to a port on switch 2.2/24 respectively.168.1Q is a vendor neutral VLAN standard. PC1 and PC2 are connected to the ports on the switch respectively.168. PC1 and PC2 belong to the same network address.com .1Q can be used for VLAN trunking between switches from different manufacturers. Can PC1 ping PC2? Explanation It can be observed that PC1 and PC2 are residing on different networks. Switch 1 and Switch 2 are interconnected with each other. PC1 can ping PC2. Question 31 On a switch. So 802. which is also a member of VLAN 2.2.1. port 2 and port 3 are configured as members of VLAN 2. Protocols like ISL are proprietary to Cisco. Once the trunk link is setup. Copyright 2013 @ www.tcpipguru. The IP address of PC1 is 192.2/24 and of PC2 is 192. This would allow VLAN traffic from one switch to reach the other switch.
Question 34 Two RIP routers are configured on a point to point link. Unlike IP. UDP 520 should be opened on the firewall. So the port. Question 36 What is the Spanning Tree Protocol used for? Explanation Spanning tree protocol is used to prevent looping of frames. Which port on the firewall needs to be opened for RIP communication to be successful? Explanation RIP messages between RIP enabled routers communicate on UDP port 520. which has a TTL value field in the packet which is decremented every time the packet passes Copyright 2013 @ www. OSPF has a lower administrative distance (110) than RIP (120).com .Question 33 How many VLANs can a switch port be a member of if the port is configured as an access port? Explanation A port can only be a member of one VLAN. when configured as an access port. Question 35 A router is configured with RIP and OSPF routing protocols. So the path learnt by OSPF would be taken by the packet to reach the destination. One of the RIP routers is behind a firewall. It has learnt a path to a specific network through both the protocols.tcpipguru. Which path would a packet bound to the network take and why? Explanation The path with the lower administrative distance would be taken by the packet.
com . One of the switches is from Cisco and the other two switches are from another vendor. Question 39 Two switches have priority values 30000 and 20000. both links would be used for data packet forwarding. This makes STP inter-operable with any switch which implements the protocol.1d standard. Can they use STP? Explanation STP uses the IEEE 802. Question 37 A root switch has two links connected to two other switches. Question 38 In a topology. the frame would not automatically time-out. What would be the destination mac-address of the STP BPDU packet sent from SW1 to SW2? Explanation Copyright 2013 @ www. the frame does not have any similar field. The spanning tree protocol is used for preventing the looping. So if a scenario arises where a frame is looping in a switched environment. Question 40 Two switches. which is vendor neutral.tcpipguru.through a router and is dropped once the value reaches 0. Which ports on the root switch would be used for data packet forwarding? Explanation On a root switch. Which switch would be elected as the non root bridge? Explanation The switch with the higher priority would be elected as the non root bridge. there are three switches connected to each other. SW1 and SW2 are interconnected to each other which are enabled for STP.
STP election process is in the learning state. switches would not able to forward data frames.The STP BPDU packet would have the destination mac-address of 01:80:C2:00:00:00. The switches are connected to each other using two different links and undergoing the STP election process. Copyright 2013 @ www. PC1 and PC2 are connected to each other to switches SW1 and SW2.tcpipguru. Would PC1 be able to ping PC2 in this period? Explanation During the STP learning state. which is a reserved multicast address for STP protocol. So PC1 would not be able to communicate with PC2 during this time. This is possible only after switches have progressed to the forwarding state. Question 42 Two computers.com . Question 41 Which type of BPDU packet would be sent if there is a new switch on the network with a lower priority value than the existing root switch? Explanation A TCN (Topology change notification) BPDU message would be sent .
a router is setup for internet sharing. This implies that the router is aware of whom to contact for name resolutions. Explanation DNS servers are required for computers to access internet.168.com . The computers which require access to the internet needs to be configured with the respective DNS server IP address.tcpipguru. The LAN IP address of the router is 192. the internet provided DNS server IP address is configured on the router.1.1. The DNS server provided by the ISP is configured on the router. The default gateway also needs to be configured as internet bound packets reside on different networks. Identify the required additional parameter which needs to be configured on the TCP/IP adapter of the PC’s. Copyright 2013 @ www.Question 43 In the above topology. The TCP/IP adapter setting on the computers are presently configured with the respective IP address and subnet masks. DNS servers are responsible for resolving URL into IP address which is mandatory for network communication. In the above topology.
it can copy the configuration. Solar Winds TFTP server is an example of the same. What would be the sequence number of the TCP connection for the TCP SYN segment for the first browser window? Copyright 2013 @ www. Question 46 Two browser windows are opened on a PC and the webpage www.168.com . 192.1. Question 44 Can a router create a backup configuration on a TFTP server which is in a different location but reachable via IP network? Give an example of a TFTP server.com is accessed simultaneously. For ex.tcpipguru. The port number maps with a corresponding application. When a user on the computer types a website name. This packet is sent to the router from where the DNS request packet is sent to the ISP provided DNS server. The gateway address for the computers needs to be configured with the LAN IP address of the router. as IP connectivity is available.1.The DNS server IP addresses for the respective computers are configured with the routers IP address. TCP port 80 corresponds to HTTP server and UDP port 53 corresponds to DNS servers. If the router can access the TFTP server via IP. a DNS request packet is generated for identifying the IP address of the URL corresponding to the website name. Question 45 Which field in the TCP or UDP header identifies the application which is being requested? Explanation The destination port field in the TCP and UDP header corresponds to the application for which request is being initiated. Explanation TFTP uses client server architecture.tcpipguru.
tcpipguru. Copyright 2013 @ www. the DNS request would fail as the PC would be unaware of DNS server IP address and internet access would fail. Is it required to configure the DNS server IP address on the computer as well for internet access? Explanation It is required for the DNS server IP address to be configured on the computer.Explanation Sequence numbers are generated by the operating system of the PC . for which the URL name has to be sent to a DNS server. for DHCP servers on the network. When the user opens the browser and types the URL name of the website. Question 47 How does a DHCP client contact a DHCP server on the network to receive a dynamic IP address? Explanation DHCP clients are unaware of DHCP servers on the network as there is no information configured on the DHCP clients which provide information about DHCP servers on the network. If not configured. A random number generated by the operating systems TCP/IP implementation would be the sequence number which would be used. The PC has to initiate the DNS request for which the DNS server IP address has to be configured on the PC. which is targeted on UDP port 67. A DHCP client initiates a DHCP Discover packet which is a broadcast packet.com . The DHCP servers on the network would receive and respond to the request from the clients appropriately. Question 48 A computer is connected to the internet via an ADSL router. The ADSL router is configured with appropriate DNS server IP address. a DNS resolution has to take place. Take an example where the user wishes to browse a website.
Question 51 Which is the protocol which is used by both traceroute and ping? Explanation ICMP is used by both the protocols at the network layer.tcpipguru. Question 50 Telnet uses TCP port 23. the TCP header in the connection would have a source port and destination port number. The destination port number would be port 23 indicating that the request is being initiated to the telnet server service which is identified by port 23. The source would be a random port number assigned by the TCP/IP on the operating system of the computer. What tool can be used to identify the location where the connection is dropped? Explanation The admin can use trace-route command line tool to the router and check the location where the packets are being dropped. Question 52 Name the two fields in the TCP header which is unavailable in a UDP header and is used for tracking the received and transmitted data. When the user initiates a connection to the router.com . Copyright 2013 @ www. Does this imply that the telnet connection initiated by a user connecting to the router from a computer uses TCP port 23? Explanation This is not true.Question 49 An administrator of an organization is unable to telnet to a router which is 10 hops away from the admin PC.
com .2 and the IP address of the router is 192. Routers do not forward broadcast packets to another network.Explanation Sequence and acknowledgement numbers are used for tracking the receipt and transmission of data in the TCP header. Port-security on a switch can be used to limit the allowed number of mac-addresses on a switch port. Copyright 2013 @ www.1. Question 53 A PC is connected to a switch to which a router is also connected.1. The management IP address of the switch is 192. for it to access a remote network? Explanation The default gateway IP address of the PC should be the IP address of the router since routers are used for forwarding packets belonging to a different network. Would an ARP request from one network reach the other network? Explanation ARP request packets are broadcast packets. which would then thwart the attempt of the attacker to craft the attack.168.1.tcpipguru. Question 55 A router has two directly connected networks on its interfaces.168. the attacker sends large number of frames with different source mac-addresses to overflow the cam table of the switch. Question 54 Name one method by which cam flooding attack can be defended using features on a switch. Explanation In a cam flooding attack. What should the default gateway of the PC be.
Question 58 Does IP fragment reassembly take place at intermediate routers or at the destination? Explanation IP fragmentation reassembly takes place at the destination only. it would be IP.tcpipguru. Copyright 2013 @ www. They would wait for a specific time and then trigger a timeout if the response has not been received. Question 57 If an ARP entry is available on the local cache of a computer. would an ARP request be triggered? Explanation No. In this case since it is an IP packet. The computer would first check its ARP entry before sending out an ARP request frame.Question 56 What would be the type value in an ethernet frame which is encapsulating an IP packet? Explanation The type value would be IP.com . Question 59 How does a UDP based application know that a packet has been lost in transit? Explanation UDP based applications uses a time out mechanism. The type value in an ethernet frame refers to the protocol which is encapsulated by the ethernet frame.
ping and Custom applications. All these types of traffic require internet access. The values are used by the IPSEC peers to track duplicate packets. It is not used for public communication (Internet).255? Explanation The destination IP address. Question 63 How do the IPSEC protocols. 192. If a packet with an Copyright 2013 @ www.1. So this is possible.com . Telnet. HTTP (browsing).Question 60 What is the destination mac-address of a frame whose destination IP address is 192. What would be the best technique the network administrator can use for achieving the same? Explanation The organization can use Natting.tcpipguru.1. Question 62 In a company network.168. This is a broadcast packet and the corresponding destination mac-address in the frame would be FF-FF-FF-FF-FF-FF Question 61 Can two organizations have networks belonging to the same private IP address range? Explanation Private IP addresses are used by organizations for devices which reside within their network. which specifically does port address translation on a router for the purpose. the following types of traffic is initiated from the clients namely FTP. ESP and AH provide replay protection? Explanation ESP and AH include the sequence number fields in the respective headers.255 is a directed broadcast.168.
is the data packet which needs to be protected. Question 66 In WEP. out of which 40 and 104 bit respectively is used by the shared key and 24 bits used by a value called Initialization Vector. it would be rejected. why is AH required? Explanation ESP does not provide authentication to the outer IP header. which would then be encrypted by the client using the shared key with WEP algorithm.tcpipguru. An attacker on the network can passively monitor the communication between the client and the access point and capture the challenge and encrypted text which can then be used to derive the shared key. the access point sends a challenge text to the client in clear. which AH does. The access point would decrypt the same with the shared key and verify. Question 64 If ESP provides both encryption and authentication. Question 65 What is the security vulnerability in using a shared key authentication with WEP? Explanation In a shared key authentication.com . thus providing replay protection.already received sequence number arrives. Question 67 Which two wireless standards are inter-operable with each other and on what is the frequency on which they work? Copyright 2013 @ www. The initialization vector is created randomly and is combined with the actual WEP key for data encryption. encrypted with only the shared key on the client or are any other parameters used along with shared key? Explanation The total key size in WEP is 64 or 128 bit.
Explanation 802.com . The attacker then spoofs with the valid mac-address to gain access to the access point and on the network. Give one reason Copyright 2013 @ www. Question 70 Would ARP protocol work on a frame relay network? Explanation ARP protocol is used to find the mac-address corresponding to a known IP address. the mac-address of the client requiring access is configured on the access point.11 b and 802. which would make ARP not workable on the network. an attacker can passively sniff for packets on the network and retrieve information related to valid mac-address. Question 71 An organization has a main office and 5 branch offices. In wireless communication. It uses layer 2 broadcast for the same.4 GHz range.11 g are inter-operable with each other and they both work on the 2. Question 68 Which encryption protocols are used by WEP and WPA? Explanation WEP uses RC4 and WPA uses TKIP and AES for encryption.tcpipguru. Question 69 Why is mac-address authentication not recommended to be used for providing secure authentication? Explanation In mac-address authentication. Frame relay does not support broadcast traffic. It is required to connect the offices with options of using leased lines and frame relay.
from a business perspective. Question 73 In the below diagram. a frame relay point to multi point network is configured to link up between branch 1. branch 2 and main site.tcpipguru. The costing for linking up the offices with frame relay networks would be significantly lower as compared with leased lines. frame relay would be a cost effective solution for the organization. So. Explanation Leased lines are very expensive. Can the FTP client access the FTP server on a point to multipoint frame relay network? Copyright 2013 @ www. Question 72 Which networking concept is common in the use of inter-vlan routing and frame relay technology? Explanation Both technologies use virtual interfaces. why the organization should use frame relay for its WAN design.com .
Once the frame relay links are configured and appropriate routing for the networks are configured. how many physical interfaces would be required on the main site router if the organization were to consider the WAN options. . So only one physical interface would be Copyright 2013 @ www.Explanation FTP uses TCP at the transport layer for communication.com .Question 74 In the above topology diagram.tcpipguru. frame relay and vpn? Explanation Leased lines use dedicated lines. leased line. So two physical interfaces would be required for the main site router for leased line deployment. A frame relay network uses virtual circuits / interfaces for connection. the FTP client can access the FTP server without any issues. The FTP packet is encapsulated in an IP header.
an IP packet. which are connected to different interfaces on the router.1.required which would be used to create virtual interfaces. On a Frame relay network. On a leased line.168.2.168.com .tcpipguru.like leased lines and frame relay cannot transmit data. encapsulation protocols like PPP. encapsulation protocols like Cisco (For Cisco routers ) or ietf are used. three computers belonging to different networks are connected to respective switches. WAN link. the appropriate configuration would be performed on one physical interface. Question 76 In the above diagram.2 should not access the computer with IP address 192. but should be able to access the Copyright 2013 @ www. HDLC can be used. If a VPN were to be used. is an encapsulation method required for the WAN link? Explanation Without an encapsulation type or protocol.2. Question 75 To transmit an IP packet over a WAN link -like frame relay or leased line. It is required that the computer with the IP address 192. in this case .
168.com .168.2.2. configure an inbound extended access list which would deny IP traffic originating from the host 192. which would deny packets originating from the source network 192. The access list should contain the last entry as to permit any to allow all other communication.0 network.2.3. it is required that PC1 should not have access to 192.2. 192.0 to the destination network.0.168. Provide explanation as to how appropriate access control lists can be used for achieving the solution.188.8.131.52.168.168. Explanation An inbound extended access control list is to be configured on the E0 interface of the router.1. The above configuration would ensure that requirement is achieved.1.1.2 to the host 192. PC1 should have access to PC2 and PC3. Question 77 In the above diagram.168. The ACL would also contain an entry which would allow packets originating from the source network 192.1. Copyright 2013 @ www.tcpipguru.2.1. How can this requirement achieved? Explanation On the router interface which is configured with IP address 192.computer with IP address 192.3.0 to the network 192.
Question 78 On an internet router.com . What should be configured to achieve the required solution? Copyright 2013 @ www.168. Question 79 In the above topology.0/24 network.0/24 and 192.2.168. the router has three interfaces.2. 192.tcpipguru. The S0 interface is connected to the internet.184.108.40.206/24 respectively. The access list should be configured as inbound on the interface which is exposed to the internet.0/24 network should not have access to the internet but have access to computers belonging to 192. it is observed that a continuous stream of ping packets from a specific source address is being initiated from the internet.168. It is required that computers belonging to the 192. E0 and E1 interfaces are connected to the networks. What type of access list can be used to deny the packets and how should it be applied on the router? Explanation A standard access list can be configured which would block the specific source IP address in the ping packet.
In the above example. Packets originating from the subnet 192. whether permit or deny.1.0. Explanation Take an example where a router has a wild card mask of 0.1 and the 255 would imply to ignore the values in the last octet.168. If the ACL is configured as inbound on E0.1.0/24.tcpipguru.168. Question 80 How is a wild card mask interpreted by a router? Explain with an example.2.168. An access control list which would deny the subnet 192. there is no restriction on E0 interface.0/24 network as there is no restriction on E0 interface but internet bound packets would be dropped at S0 interface as the source IP address in the packet would contain IP addresses belonging to 192. The 0 in the wild card mask implies that when a packet is received.0/24 subnet.168. the packets would be dropped on E0 interface and would not have access to the 192.168. Inbound ACL on S1 would block packets originating from the internet in which case the source would never have IP addresses belonging to 192.168.255.168. Question 81 How can ping be blocked with an ACL? Explanation An extended ACL can be used to block ICMP protocol Copyright 2013 @ www. When this is configured.1.0/24 should be configured as outbound on the S0 interface. packets can reach the 192. the three octets corresponding to the 0 in the wild card mask is 192.0/24 network.0. would look for the network address 220.127.116.11.0. So this ACL.1. which is associated with an IP address 192.168.Explanation If the ACL is configured as inbound on E1.com . the octet corresponding to the value 0 in wild card mask should be verified.168.1.0/24 to the internet would pass through the E0 interface and exit out S0.
1.0.tcpipguru.168.Question 82 Which TCP protocols should be used to block incoming traffic on a FTP server? Explanation TCP protocols 20 and 21 are used by FTP servers.com . Question 84 Can an ACL be used to block a DOS based IP spoofing attack from random source addresses? Explanation An ACL can only be used if the source or destination addresses or networks are pre-defined. Question 83 An ACL is configured on a router. Question 85 If ping is blocked on a system using ACL. access-list 101 deny ip 192. TCP port 20 is used for data connection and TCP port 21 is used for FTP control connection. The configuration is shown below.1.0. So the above acl would deny the ip address 192.0 is a wild card mask. which signifies a host.1 0.0.0.0. What it the goal of the ACL? Explanation The 0.168. does it imply that other communication like TCP or UDP is also disallowed on that specific system? Copyright 2013 @ www.1. an ACL would be ineffective in defending against the attack. If the source addresses are random. So both ports should be used to block incoming traffic on a FTP server.
Explanation Putty is an application which can be used as a SSH client for connecting to the SSH service on the router.com . Explanation Telnet and SSH can be used to remotely manage a router. Copyright 2013 @ www. Question 87 Name one Windows based SSH client which can be used to connect to a router which is configured as a SSH server. which makes it susceptible to eavesdropping attacks. SSH should always be used for remote management wherever possible. IP connectivity is not required to configure the router using console cable.Explanation Ping uses ICMP for communication. Blocking ping does not imply that TCP or UDP communication is disallowed. Question 88 Name two protocols which can be used to remotely manage a router and your suggestion on which to use from a security perspective. Question 86 How can a Cisco router be configured if IP connectivity is not available? Explanation A console cable can be used to connect to the router and configure using the Hyper Terminal from a PC.tcpipguru. Telnet does not encrypt the communication. provided the access list allows for the required protocols for communication.
What address can be used to send a broadcast to PC’s which are on the 192.32/27 and PC2 belongs to the network.tcpipguru. As both reside on different networks.168. Question 90 On a 24 port switch.1. What could be the possible reason? Serial interface is up. line protocol is down.168.Question 89 Two serial interfaces on Cisco routers are connected to each other using a DTEDCE cable. 192.168.64/18.104.22.168/24 can be used for the same. After connection. a router would be required for communication between PC1 and PC2.168. which is the broadcast address of the network 192. Question 91 Two PCs are connected to a switch. 5 PC’s belong to the 192.168.33/27 and the IP address of PC2 is 192. So in the current topology. Copyright 2013 @ www.2. 192.0/22.214.171.124/27.1. The IP address of PC1 is 192.2.com . data communication fails and the following message is observed with the appropriate show command.168. there are 10 PC’s connected.1.0/24 network? Explanation The address. PC1 would not be able to ping PC2.168.0/24 network and the other 5 PC’s belong to 192.2. Can PC1 ping PC2? Explanation It can be observed that PC1 belongs to the network address of 192. Explanation The clock rate on the router which is configured as the DCE end would not have been configured.1.168. This could trigger the above message.
32 /27.168.224? Explanation The corresponding IP address for the above subnet mask would be the broadcast address for the network 192.1. So.tcpipguru.126.96.36.199.168.255. out of which. 254 computers can be configured using the available IP addresses. Question 93 How many computers can be setup with the network address 192.63 and subnet mask of 255.Question 92 Can a PC be configured with an IP address 192.0 and 192. Question 94 In the above topology. 254 IP addresses can be used. How can the configuration be achieved? Copyright 2013 @ www.1. So it is not permitted to be used as an IP address to be configured on a host. it is required that the server residing on the LAN should be accessible by users residing on the internet.255.0/24 network? Explanation The number of IP addresses in the network is 256.168. Excluding the addresses.com . the addresses 192.255 cannot be used as it is reserved for the network address and the broadcast address.1.
Question 95 Which field in an IP header is modified by a NAT router in all types of NAT like static NAT.Explanation Static NAT is a feature which is available on routers to map public ip addresses with lan private ip addresses.tcpipguru. the organization can purchase a public ip address and use static nat feature to map the private ip address of the server. Question 96 NAT Copyright 2013 @ www.com . The option of connecting the server to the internet through the modem is also a viable solution but not recommended due to lack of security in the design . In the above scenario. Dynamic NAT and PAT? Explanation The source IP address in the IP header is modified and is re-written with routers IP address in all types of NAT.
Based on this information. the correct entry in the NAT table would be used and forwarded to the actual recipient. The translated packet is sent to the Web server. When the response from the Web server reaches the router. The NAT router. If the three PC’s simultaneously initiate a HTTP session with the web server. how does the NAT router differentiate two simultaneous connections which are initiated from PC1 to the web server? Explanation The two simultaneous connections from PC1 would be two distinct TCP connections. The packet would be looked into and based on the destination port number. every packet would contain the same destination IP address (NAT routers IP address). The TCP header would contain the source port number. but the destination port number would be unique. When an http based communication is initiated to the web server. explain how the NAT router would handle the communication? Explanation HTTP is based on TCP. based on the routers implementation and the source IP address as the NAT routers IP address. Question 97 In the above topology.com . PC2 and PC3 are connected to the internet via a NAT router which does port address translation. the TCP/IP on the operating systems would initiate a TCP 3way handshake initially with the Web server. Copyright 2013 @ www. PC1. the NAT router would differentiate the connection.tcpipguru. which is used by the operating system and would be unique. which would contain different source port numbers for each connection.In the above topology. three PC’s. on receipt of the TCP header would maintain an entry in the NAT table which would contain the source port number and the source IP address of the actual system which has initiated the connection with a translated mapping which would contain the source port as the same or different number.
tcpipguru. Copyright 2013 @ www. which it has translated. Explanation Ping does not use a transport layer protocol like TCP or UDP.com .Question 98 If NAT is configured for internet sharing on a router. A default route would ensure that all unknown packets are forwarded to the internet. Question 99 Can static nat and port address translation be used on a Cisco router simultaneously? Explanation This configuration is possible. NAT would not perform routing for the packet. is it required to setup additional routing for forwarding packets to the internet or would NAT take care of the same? Explanation NAT and routing are two different concepts. Question 100 Name one troubleshooting too which does not use a transport layer protocol. The router should be setup for additional routing as to how to forward the packet. It uses ICMP protocol at the network layer.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue reading from where you left off, or restart the preview.