You are on page 1of 6

1. In order to enhance the security of enterprise network, network administrator use ACL (Access Control List).

What are the two reasons that the network administrator would use access list? (Chose two)
A. [x]To control vty access into a router
B. [] To filter traffic that originates from the router
C. [x] To filter traffic as it passes through the router
D. [] To prevent the virus from entering network
Explanation: The purpose for setting ACLs on a router are controlling vty into a router and filtering traffic as it passes
through the router. Access Control List (ACL) can be used to affect traffic transmitted from one port to another. It acquires
its name due to having filtering capability when traffic flows in and out of interface and it also can be used for other
purposes, such as:
A. Place restrictions on accessing router Telnet (VTY).
B. Filter routing information
C. Distinguish precedence of WAN traffic by queuing technology
D. Trigger calls through the Dial-on-demand routing DDR
E. Change administrative distance of routing

2. You are a network administrator. In order to improve the security of switching network, refer to the following
options. Which two methods are examples of implementing Layer 2 security on Cisco switch? (Chose two).
A. [x ] Disable trunk negotiation on the switch
B. [ ] Use only protected Telnet sessions to connect to the Cisco device
C. [x ] Configure a switch port host where appropriate
D. [ ] enable HTTP access to the switch for security troubleshooting.
Explanation: With the popularity and constantly deepening of network applications, the user’s requirements for Layer 2
switching are not only limited to data forwarding performance and Quality of Service (QoS), but also philosophy of network
security which is becoming an increasingly important consideration of networking product. How to filter user
communications and ensure safe and effective data transmission? How to block the illegal users and make network work
safely? How to execute secure network management and detect illegal users, illegal activities and security performance of
remote network management information in time? The following methods can accomplish network Layer 2 security by
working on switches.

Layer 2 filtering.
Now, most new-style switches can achieve various filtering demands by establishing specifications. There are two modes
to setup specifications: one is the MAC mode which can effectively achieve data isolation according to the source MAC
address or the destination MAC address based on users’ needs; the other is the IP mode (this mode does not belong to
Layer 2 filtering), which can filter data packets by use of the source IP, protocols, the source ports and the destination
ports; the specifications established must be attached to the appropriate receiving or sending port so that when receiving
or forwarding data on this port, the switch can filter data packets based on filtering rules and decide to transmit or discard.

802.1X is port-based access control.


In order to prevent illegal users from accessing LAN and guarantee network security, port-based access control protocol
802.1X is widely used in both wired LAN and WLAN.

Traffic control
The traffic control of switches can prevent abnormal load of switch bandwidth caused by excessive traffic of broadcast
data packets, multicast data packet or the wrong destination address of unicast data packet. The traffic control of switches
can also improve the whole system performance and maintain security and stability of the network running.

SNMP v3 and SSH


SNMP v3 proposed completely new architecture, concentrating all SNMP standards of various versions together to
enhance network management security. The security mode proposed by SNMP v3 is based on the User Security Mode,
that is USM. SNMP v3 can effectively prevent non-authorized users from modifying, disguising and eavesdropping
management information.
As for the remote network management through the Telnet, because the Telnet services have a fatal weakness it
transfers user name and password in the form of plain text, so it is very easy to steal passwords for those people with
ulterior motives. But by use of SSH to communicate both user name and passwords are encrypted to effectively prevent
eavesdropping the password, in this way, network administrators can manage remote security network easily.

3. A single 802.11g access point has been configured and installed in the center of a square shaped office. A few
wireless users are experiencing slow performance and drops while most users are operating at peak efficiency.
From the list below, what are three likely causes of this problem? (Chose three)
A. [ ] mismatched TKIP encryption
B. [ ] null SSID
C. [x] cordless phones
D. [ ] mismatched SSID
E. [x] metal file cabinets
F. [x] antenna type or direction
Explanations
C: If you have cordless phones or other wireless electronics in your home or office, your computer might not be able to
“hear” your router over the noise from the other wireless devices. To quit the noise, avoid wireless electronics that use the
2.8GHz frequency. Instead, look for cordless phones that use 5.8GHz or 900 MHz frequencies.
E: The antennas supplied with your router are designed to be omni-directional, meaning they broadcast in all directions
around the router. If your router is near an outside wall, half of the wireless signals will be sent outside your office, and
much of your router’s power will be wasted.

4. The left describes the security features, while the right describes the specific security risks. Drag the items on
the left to the proper locations (Note all items can be used).
A. VTY passwords -- remote access to device console
B. Service password-encryption -- viewing of passwords
C. Enable secret -- access to privileged mode
D. Access group -- access to connected networks or resources
E. Console password - access to the console 0 line
Explanations:
This question is to check the applications of encryption on devices in different modes and in different lines. It is easy if you
know the concepts of different modes and lines.

5. An administrator is configuring a router that will act as the hub in a Frame Relay hub-and-spoke technology.
What is the advantage of using point-to-point sub-interfaces instead of a multipoint interface on this router?
A. [x] It avoids split-horizon issues with distance vector routing protocols.
B. [ ] Only one IP network address needs to be used to communicate with all the spoke devices.
C. [ ] Only a single physical interface is needed with point-to-point sub-interfaces, whereas a multiport interface
logically combines multiple physical interfaces.
D. [ ] Point-to-point sub-interfaces offer greater security compared to a multiport interface configuration.

Explanations
Split horizon indicates that in distance vector routing protocol, once you learn of a route through an interface, advertise it
as unreachable back through that same interface in order to avoid routing loops. In a NBMA network such as FR, for the
hub-spoke topology, on the point-to-multipoint interface at the hub end, routing information from a PVC is virtually needed
to advertise other PVCs, instead, the characteristics of split horizon will not allow for such advertise, which results in split
horizon issues. Only refer to IGRP, on the physical interface of FR, split horizon is disabled by default. On the point-to-
point sub-interface and point-to-multipoint sub-interface of FR, split horizon is enabled. So, split horizon usually happens
to point-to-multipoint sub-interface, there are several solutions to issue this problem: Using no IP split-horizon command
to disable split horizon on point-to-multipoint sub-interface, but this method will cause routing loops that can be resolved
by distribute-list through transforming point-to-multipoint sub-interface into point-to-point sub-interface, meanwhile, you
should notice that each point-to-point sub-interface should use network address respectively.

6. The left describes the types of cables, while the right describes the purposes of the cables. Drag the items on
the left to the proper locations. (Note all items can be used).
A. Straight-through -- switch access port to router
B. Crossover -- switch to switch
C. Rollover -- PC COM port to switch

Explanations
Crossover cable is used to connect the same devices. Straight-through cable is used to connect different devices.

7. Refer to the graphic. It has been decided that P4S-workstation1 should be denied access to Server1. Which of
the following commands are required to prevent only P4S-workstation1 from accessing Server1 while allowing
all other traffic to flow normally? (Chose two).

A. [ ] P4S-RA(config)# interface fa0/0


P4S-RA(config-if)# ip access-group 101 out
B. [x] P4S-RA(config)# interface fa0/0
P4S-RA(config-if)# ip access-group 101 in
C. [x] P4S-RA(config)# access-list 101 deny ip host 172.16.161.159 host 172.16.162.163
P4S-RA(config)# access-list 101 permit ip any any
D. [ ] P4S-RA(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
P4S-RA(config)# access-list 101 permit ip any any
Explanations
Taking security into consideration, the administrator will implement access control on router P$S-RA. When the
traffic coming from P4S-workstation1 to Server1 crosses the router P4S-RA, it will be refused, but all other traffic
than this can cross P4S-RA normally. Therefore, in the configuration of access list, it is needed to deny datagrams
from the specified source to the specified destination and allow all other datagrams to cross.
1. The standard Access Control List should be placed near to the destination.
2. Extended Access Control List should be placed near to the source.
There are two solutions to issue this problem:
1. Apply access list to interface fa0/0 in the inbound direction.
P4S-RA(config)# access-list 101 deny Ip host 172.16.161.150 host 172.16.162.163
P4S-RA(config)# access-list 101 permit ip any any
P4S-RA(config)# interface fa0/0
P4S-RA(config)# ip access-group 101 in
P4S-RA(config)# exit
2. Apply access list to interface fa0/1 in the outbound direction.
P4S-RA(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
P4S-RA(config)# access-list 101 permit ip any any
P4S-RA(config)# interface fa0/1
Ip access-group 101 out
P4S-RA(config)# exit
Both methods will be used in the actual work. But an administrator will advise you to use the first method on the basis of
saving routing resources. However, in the examination environment, please complete the steps of answering questions
according to options provided. We remind you that the examination and the actual environment are not exactly the same.

8. If you are a security administrator of the enterprise network, you will see many different types of attacks that
threaten the security of network. Which type of attack is characterized by a flood of packets that are requesting
a TCP connection to a server?
A. [ x] denial of service
B. [ ] Computer virus
C. [ ] reconnaissance
D. [ ] Trojan horse
Explanation:
DDos is short for Distributed Denial of Service. It can be interpreted that all actions leading to legitimate users being not
able to access normal network services are regarded as denial of service attacks, in other words, the purpose of denial of
service attack is very clear: that it to block legitimate users from accessing normal network services in order to achieve
attacker’s ulterior motives. There are differences between DDoS and DOS, although both of them are denial of service
attacks. The attack strategies adopted by DDoS focus on sending a large number of seemingly legitimate network packets
to attacked hosts through many “zombie hosts” (hosts are attacked or can be used indirectly), resulting in network
congestion or server resources exhausted and finally refusing to provide services. Once distributed denial of service
attacks are implemented, attacking network packets will pour into attacked hosts and flood network packets of legitimate
users, thus the legitimate users can’t access network resources of servers properly. Denial of service attack is also called
“flood attack”. The most common DDoS attack methods are SYN Flood, ACK Flood, UDP Flood, ICMP Flood,
Connections Flood, Script Flood, Proxy Flood etc; while DOS emphasizes on using specific loopholes of hosts to make
network stack fail, system crash and host crash, thus unable to provide normal network services, and finally deny service.

9. How many subnets can be gained by sub-netting 172.17.32.0/23 into a /27 mask, and how many usable host
addresses will be there be per subnet?
A. [ ] 8 subnets, 31 hosts
B. [ ] 8 subnets, 32 hosts
C. [x] 16 subnets, 30 hosts
D. [ ] A Class B address can’t be sub-netted into the fourth octet

10. Part of a WAN is shown below:

The WAN configuration is shown below:


Cisco# show ip route
C 192.168.1.0/24 is directly connected to Fa0/1.1
C 192.168.2.0/24 is directly connected to Fa0/1.2
The network administrator has created a new VLAN on Cisco router and added host P4SC and host P4SD. This
administrator has properly configured switch interfaces FastEthernet0/13 through FastEthernet0/14 to be member of the
new VLAN. However, after the network administrator completed the configuration, host P4SA could communicate with
host P4SB, but host P4SA could not communicate with host P4SC or P4SD. Which commands are required to resolve
this problem?

A. [x] Cisco(config)# interface fastethernet0/1.3


Cisco(config-if)# encapsulation dot1q 3
Cisco(config-if)# ip address 192.168.3.1 255.255.255.0

B. [ ] Cisco(config)# router rip


Cisco(config-router)# network 192.168.5.0
Cisco(config-router)# network 192.168.3.0
Cisco(config-router)# network 192.168.8.0

C. [ ] Cisco# vlan database


Cisco(vlan)# vtp v2-mode
Cisco(vlan)# vtp password cisco
Cisco(vlan) vtp server

D. [ ] Cisco(config)# interface fastethernet0/15


Cisco(config-if)# switchport mode trunk
Cisco(config-if)# switchport trunk encapsulation dot1q

11. Given partial router configuration in the graphic, why does the P4S-PC1 and P4S-PC2 with the IP address
192.168.1.153/28 fail to access the internet? (chose two)

A. [x] The NAT inside interfaces are not configured properly


B. [ ] The NAT outside interfaces are not configured properly
C. [x] The router is not properly configured to use the access control list for NAT
D. [ ] The NAT pool is not properly configured to use routable outside addresses
Explanations:
On the basis of the output from the partial configuration on border router, NAT technology is applied to this network. When
P4S-PC1 and P4S-PC2 access external network, datagram will be translated by NAT on P4S-RA before crossing the
router, which then will be routed to Internet. But P4S-PC1 and P4S-PC2 can’t access Internet. After checking NAT
configuration on P4S-RA, we discover that inside interface and outside interfaces are not applied to proper interfaces and
there is no matching Access Control List when calling address pool.

12. A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on
subnet 192.168.1.128/28 to the Server at 192.168.1.5. What command should be issued to accomplish this
task?
A. [x] Access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
Access-list 101 permit ip any any
B. [ ] Access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
Access-list 101 permit ip any any
C. [ ] Access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 23
Access-list permit ip any any
D. [ ] Access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
Access-list 1 permit ip any any

13. Part of the network is shown below:

In this network segment, the following ACL was configured on the S0/0 interface of router P4S-RA1 in the outbound
direction:
Access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
Which two packets, if routed to the interface will be denied? (Chose two)
A. [ ] source ip address;, 192.168.15.49 destination port: 23
B. [ ] source ip address;, 192.168.15.41 destination port: 21
C. [ ] source ip address;, 192.168.15.37 destination port: 21
D. [x] source ip address;, 192.168.15.36 destination port: 23
E. [x] source ip address;, 192.168.15.46 destination port: 23
Explanation:
From the access control list, we know that the denied network segment is 192.168.15.32 0.0.0.15, that is,
192.168.15.32/28 -- 192.168.15.32 ~ 192.168.15.47. Telnet requests from a host in this network segment will be denied.

14. Cisco IOS(Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers
and all current Cisco Network switches. Which two of the following devices could you configure as a source for
the IOS image in the boot system command? (chose two)
A. [ ] HTTP server
B. [ ] Telnet server
C. [x] Flash memory
D. [x] TFTP server
Explanation:
This question is to examine the conserved locations of IOS. Only IOS configured on flash memory and TFTP server can
be loaded when starting the router.

15. On a network of one department, there are four PCs connected to a switch, as shown in the following figure:

A. [ ] P4S1 will add 192.168.23.12 to the switch table


B. [ ] P4S1 will add 192.168.23.4 to the switch table
C. [x] P4S1 will add 000A.8A47.E612 to the switch table
D. [ ] P4S1 will add 000B.DB95.2EE9 to the switch table
Explanation:
P4S1 has just been restarted and has passed the POST routine indicates that the MAC address table of P4S1 is empty.
When P4SA sends its initial frame to P4SC, P4S1 records the MAC address of P4SA and the mapping port number in its
MAC address table. Note that a switch records the source MAC address rather than the destination MAC address.

16. Look at the network topology exhibited:


Output exhibit:
C:\arp –a
Interface: 192.168.1.95 --- 0x2
Internet address physical Adress Type
192.168.1.95 00-60-0f-2e-14-c6 dynamic
You work as a network technician at P4S and you issued the arp –a command from a host named P4SA as shown above.
The user of host P4SA wants to ping the DSL modem/router at 192.168.1.254. based on the host P4SA ARP table that is
shown in the exhibit, what will host P4SA do?

A. [ ] send unicast ARP packet to the DSL modem/router.


B. [x] send unicast ICMP packets to the DSL modem/router
C. [ ] send Layer 3 broadcast packets to which the DSL modem/router responds
D. [ ] send a Layer 2 broadcast that is received by P4S2, the switch, and the DSL modem/router
Explanations:
When P4SA sends ICMP packets to the DSL modem/router for the first time, P4S1 checks the mapping between the
target IP address and the MAC with APP cache and sends unicast ICMP packets. If P4S1 cannot find the mapping
between the target IP address and the MAC, P4S1 sends broadcast frame to find the MAC mapping the target IP
address. The ARP cache contains the MAC mapping the target IP address 192.168.1.254, so P4S1 sends unicast ICMP
packets to the DSL.

17. Study the exhibit carefully. Each of the four P4S switches has been configured with a hostname, as well as
being configured to run RTSP. No other configuration changes have been made. Which switch will have only
one forwarding interface?

A. [ ] P4S-SA
B. [x] P4S-SB
C. [ ] P4S-SC
D. [ ] P4S-SD
Explanations:
1.1 Judge the root bridge. The election of the root bridge is based on the bridge ID. Bridge ID = Bridge priority = Bridge
MAC address. By default, the bridge priority value is 32768. And you can judge the root bridge only by bridge MAC
address. The root bridge of this subject is P4S-SC.
1.2 Identify the root port. After electing the root bridge, it is necessary to select a port of each switch in this network used
to reach the root bridge, this port is known as root port (RP). The port that is nearest to the root bridge is RP of non-
root bridge. In this subject, ports F0/1 of P4SA, G0/1 of P4SB and G0/2 of P4S-SD are RPs. According to the choice,
you will eventually find that a port on P4S-SB will be blocked, that is Gi0/2.