Lesson 6 (U-certified)


VLAN interface

A configuration concept inside Cisco switches, used as an interface between IOS running on the switch and a VLAN supported inside the switch, so that the switch can assign an IP address and send IP packets into that VLAN.

AAA server

A server that holds security information and provides services related to user login, particularly authentication (is the user who they say they are), authorization (once authenticated, what do we allow the user to do), and accounting (tracking the user).

local username

A username (with matching password), configured on a router or switch. It is considered local because it exists on the router or switch, and not on a remote server.

Which of the following line subcommands tells a switch to wait until a show command's output has completed before displaying log messages on the screen? A: logging synchronous B: history size 15 C: exec-timeout 0 0 D: no ip domain-lookup

Answer A is correct. The logging synchronous line subcommand synchronizes the log message display with other command output so the log message does not interrupt a show command output. The no ip domain-lookup command is not a line command. The other two incorrect answers are line subcommands but do not configure the function listed in the question.

An engineer wants to set up simple password protection with no usernames for some switches in a lab, for the purpose of keeping curious coworkers from logging in to the lab switches from their desktop PCs. Which of the following commands would be a useful part of that configuration? A: A login vty mode subcommand B: A password password console subcommand C: A login local vty subcommand D: A transport input ssh vty subcommand

Answer A is correct. To answer this question, it might be best to first think of the complete configuration and then find any answers that match the configuration. The commands, in vty line configuration mode, would be password password and login. Only one answer lists a vty subcommand that is one of these two commands. Of note in the incorrect answers: One answer mentions console subcommands. The console does not define what happens when remote users log in; those details sit in the vty line configuration. One answer mentions the login local command; this command means that the switch should use the local list of configured usernames/passwords. The question stated that the engineer wanted to use passwords only, with no usernames. One answer mentions the transport input ssh command, which, by omitting the telnet keyword, disables Telnet. While that command can be useful, SSH does not work when using passwords only; SSH requires both a username and a password. So, by disabling Telnet (and allowing SSH only), the configuration would allow no one to remotely log in to the switch.

Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode? A: The password command, if it is configured B: enable secret C: enable password D: None of these

Answer B is correct. If both commands are configured, IOS accepts only the password as configured in the enable secret command.

An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration? (Choose all that apply) A: A login local vty mode subcommand B: A username name secret password vty mode subcommand C: A transport input ssh global configuration command D: A username name secret password global configuration command

Answers A and D are correct. SSH requires the use of usernames in addition to a password. Using the username global command would be one way to define usernames (and matching passwords) to support SSH. The vty lines would also need to be configured to require the use of usernames, with the login local vty subcommand being one such option. The transport input ssh command could be part of a meaningful configuration, but it is not a global configuration command (as claimed in one wrong answer). Likewise, one answer refers to the username command as a command in vty config mode, which is also the wrong mode.

An engineer's desktop PC connects to a switch at the main site. A router at the main site connects to each branch office through a serial link, with one small router and switch at each branch. Which of the following commands must be configured on the branch office switches, in the listed configuration mode, to allow the engineer to telnet to the branch office switches and supply only a password to login? (Choose all that apply) A: The ip default-gateway command in global configuration mode B: The password command in vty line configuration mode C: The ip address command in global configuration mode D: The ip default-gateway command in VLAN configuration mode E: The password command in console line configuration mode F: The ip address command in interface configuration mode

Answers A, B, and F are correct. To allow access through Telnet, the switch must have password security enabled, at a minimum using the password vty line configuration subcommand. In addition, the switch needs an IP address (configured under one VLAN interface) and a default gateway when the switch needs to communicate with hosts in a different subnet.

A Layer 2 switch configuration places all its physical ports into VLAN 2. The IP addressing plan shows that address 172.16.2.250 (with mask 255.255.255.0) is reserved for use by this new LAN switch and that 172.16.2.254 is already configured on the router connected to that same VLAN. The switch needs to support SSH connections into the switch from any subnet in the network. Which of the following commands are part of the required configuration in this case? (Choose all that apply) A: The switch cannot support SSH because all its ports connect to VLAN 2, and the IP address must be configured on interface VLAN1. B: The ip address 172.16.2.250 255.255.255.0 command in interface vlan 2 configuration mode. C: The ip default-gateway 172.16.2.254 command in global configuration mode. D: The ip address 172.16.2.250 255.255.255.0 command in interface vlan 1 configuration mode.

Answers B and C are correct. To allow SSH or Telnet access, a switch must have a correct IP configuration. That includes the configuration of a correct IP address and mask on a VLAN interface. That VLAN interface then must have a path out of the switch via ports assigned to that VLAN. In this case, with all ports assigned to VLAN 2, the switch must use interface VLAN 2 (using the interface vlan 2 configuration command). To meet the requirement to support login from hosts outside the local subnet, the switch must configure a correct default gateway setting with the ip default-gateway 172.16.2.254 global command in this case.

Authentication, Authorization, and Accounting

Authentication confirms the identity of a user or device. Authorization determines what the user or device is allowed to do. Accounting records information about access attempts, including inappropriate requests.

history buffer

In a Cisco router or switch, the function by which IOS keeps a list of commands that the user has used in this login session, both in EXEC mode and configuration mode. The user can then recall these commands for easier repeating or making small edits and issuing similar commands.

log message

The log message identifies that username if the user logged in with a username.

name resolution

The process by which an IP host discovers an IP address associated with a hostname, often involving sending a DNS request to a DNS server, with the server supplying the IP address used by a host with the listed hostname.

