Topic 5: MC

Question No : 449 - Topic 5 Which option is the Cisco recommended method to secure access to the console port? A. Configure the activation-character command. B. Configure a very short timeout (less than 100 milliseconds) for the port. C. Set the privilege level to a value less than 15. D. Configure an ACL.

Answer : A Explanation: The activation-character command defines a session activation character. Entering this character at a vacant terminal begins a terminal session. The default activation character is the Return key To secure the console port, you should change this character to a different one as most people simply hit the enter key when trying to access the console.

Question No : 467 - Topic 5 Which two protocols are not protected in an edge router by using control plane policing? (Choose two.) A. SMTP B. RPC C. SSH D. Telnet

Answer : A,B Explanation: A CoPP policy can limit a number of different packet types that are forwarded to the control plane. Traffic destined for the switch CPU includes: Address Resolution Protocol (ARP) First-hop redundancy protocol packets Layer 2 control packets Management packets (telnet, Secure Shell [SSH] Protocol, Simple Network Management Protocol [SNMP]) <--- C and D are not correct. Multicast control packets Routing protocol packets Packets with IP options Packets with time to live (TTL) set to 1 Packets that require ACL logging Packets that require an initial lookup (first packet in a flow: FIB miss) Packets that have don't support hardware switching/routing Reference: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series- switches/white_paper_c11_553261.html

Question No : 459 - Topic 5 Which two features are used for inspection when IPv6 address glean is enabled? (Choose two.) A. DHCP messages B. ND messages C. ICMPv6 messages D. UDP messages E. TCP messages

Answer : A,B Explanation: IPv6 address glean is the foundation for many other IPv6 features that depend on an accurate binding table. It inspects ND and DHCP messages on a link to glean addresses, and then populates the binding table with these addresses. This feature also enforces address ownership and limits the number of addresses any given node is allowed to claim. Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_fhsec/configuration/15- s/ip6f-15-s-book/ip6-snooping.html

Question No : 468 - Topic 5 Under Cisco IOS Software, which two features are supported in RADIUS Change of Authorization requests? (Choose two.) A. session identification B. session reauthentication C. session termination D. host termination

Answer : A,C Explanation: CoA requests, as described in RFC 5176, are used in a pushed model to allow for session identification, host reauthentication, and session termination. The model comprises one request (CoA-Request) and two possible response codes. Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15- sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html

Question No : 461 - Topic 5 Which two features does the show ipv6 snooping features command show information about? (Choose two.) A. RA guard B. DHCP guard C. ND inspection D. source guard

Answer : A,C Explanation: The show ipv6 snooping features command displays the first-hop features that are configured on the router. Examples The following example shows that both IPv6 NDP inspection and IPv6 RA guard are configured on the router: Router# show ipv6 snooping features Feature name priority state RA guard 100 READY NDP inspection 20 READY Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr- book/ipv6-s5.html

Question No : 446 - Topic 5 Which two statements are true about unicast RPF? (Choose two.) A. Unicast RPF requires CEF to be enabled. B. Unicast RPF strict mode works better with multihomed networks. C. Unicast RPF strict mode supports symmetric paths. D. Unicast RPF strict mode supports asymmetric paths. E. CEF is optional with Unicast RPF, but when CEF is enabled it provides better performance.

Answer : A,C Explanation: Unicast RPF requires Cisco express forwarding (CEF) to function properly on the router. Strict Versus Loose Checking Mode The Unicast RPF in Strict Mode feature filters ingress IPv4 traffic in strict checking mode and forwards packets only if the following conditions are satisfied. An IPv4 packet must be received at an interface with the best return path (route) to the packet source (a process called symmetric routing). There must be a route in the Forwarding Information Base (FIB) that matches the route to the receiving interface. Adding a route in the FIB can be done via static route, network statement, or dynamic routing. IPv4 source addresses at the receiving interface must match the routing entry for the interface. References: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrpf. html http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/srpf_gsr.html

Question No : 454 - Topic 5 Which three types of traffic are allowed by IEEE 802.1X access control prior to getting authenticated? (Choose three.) A. EAPOL B. VTP C. STP D. ARP E. CDP F. HTTP

Answer : A,C,E Explanation: Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication, normal traffic passes through the port. Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15- 0_2_se/configuration/guide/scg3750/sw8021x.pdf

Question No : 453 - Topic 5 Which two statements about private VLANs are true? (Choose two.) A. Only one isolated VLAN can be mapped to a primary VLAN. B. Only one community VLAN can be mapped to a primary VLAN. C. Multiple isolated VLANs can be mapped to a primary VLAN. D. Multiple community VLANs can be mapped to a primary VLAN.

Answer : A,D Explanation: An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure only one isolated VLAN in a PVLAN domain. An isolated VLAN can have several isolated ports. The traffic from each isolated port also remains completely separate. Only one isolated VLAN can be mapped under a given primary VLAN. A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a PVLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN. Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus6000/sw/layer2/6x/b_6k_L ayer2_Config_6x/b_6k_Layer2_Config_602N12_chapter_011.html

Question No : 442 - Topic 5 Which two Cisco IOS AAA features are available with the local database? (Choose two.) A. command authorization B. network access authorization C. network accounting D. network access authentication

Answer : A,D Explanation: Configuring the Local Database This section describes how to manage users in the local database. You can use the local database for CLI access authentication, privileged mode authentication, command authorization, network access authentication, and VPN authentication and authorization. You cannot use the local database for network access authorization. The local database does not support accounting. Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/aaa.h tml

Question No : 444 - Topic 5 Which two advantages does CoPP have over receive path ACLs? (Choose two.) A. Only CoPP applies to IP packets and non-IP packets. B. Only CoPP applies to receive destination IP packets. C. A single instance of CoPP can be applied to all packets to the router, while rACLs require multiple instances. D. Only CoPP can rate-limit packets.

Answer : A,D Explanation: Control Plane Policing CoPP is the Cisco IOS-wide route processor protection mechanism. As illustrated in Figure 2, and similar to rACLs, CoPP is deployed once to the punt path of the router. However, unlike rACLs that only apply to receive destination IP packets, CoPP applies to all packets that punt to the route processor for handling. CoPP therefore covers not only receive destination IP packets, it also exceptions IP packets and non-IP packets. In addition, CoPP is implemented using the Modular QoS CLI (MQC) framework for policy construction. In this way, in addition to simply permit and deny functions, specific packets may be permitted but rate-limited. This behavior substantially improves the ability to define an effective CoPP policy. (Note: that Control Plane Policing is something of a misnomer because CoPP generally protects the punt path to the route processor and not solely the control plane.) Reference: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

Question No : 441 - Topic 5 Which two statements about MAC ACLs are true? (Choose two.) A. They support only inbound filtering. B. They support both inbound and outbound filtering. C. They are configured with the command mac access-list standard. D. They can filter non-IP traffic on a VLAN and on a physical interface. question_answerVIEW ANSWER SHOW COMMENTS 0

Answer : A,D Explanation: MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL. The steps to configure a MAC ACL are similar to those of extended named ACLs. MAC ACL supports only inbound traffic filtering. Reference: http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=4

Question No : 451 - Topic 5 Which two statements about port ACLs are true? (Choose two.) A. Port ACLs are supported on physical interfaces and are configured on a Layer 2 interface on a switch. B. Port ACLs support both outbound and inbound traffic filtering. C. When it is applied to trunk ports, the port ACL filters only native VLAN traffic. D. When it is applied to a port with voice VLAN, the port ACL filters both voice and data VLAN traffic.

Answer : A,D Explanation: PACLs filter incoming traffic on Layer 2 interfaces, using Layer 3 information, Layer 4 header information, or non-IP Layer 2 information The port ACL (PACL) feature provides the ability to perform access control on specific Layer 2 ports. A Layer 2 port is a physical LAN or trunk port that belongs to a VLAN. Port ACLs perform access control on all traffic entering the specified Layer 2 port, including voice and data VLANs that may be configured on the port. Port ACLs are applied only on the ingress traffic. Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12- 2SY/configuration/guide/sy_swcg/port_acls.html

Question No : 466 - Topic 5 Which two statements about the protected ports feature and the private VLAN feature are true? (Choose two.) A. The protected ports feature is limited to the local switch. B. The protected ports feature can isolate traffic between two "protected" ports on different switches. C. The private VLAN feature is limited to the local switch. D. The private VLAN feature prevents interhost communication within a VLAN across one or more switches.

Answer : A,D Explanation: Protected Ports (PVLAN Edge) In some network environments, there is a requirement for no traffic to be seen or forwarded between host(s) on the same LAN segment, thereby preventing interhost communications. The PVLAN edge feature provisions this isolation by creating a firewall-like barrier, thereby blocking any unicast, broadcast, or multicast traffic among the protected ports on the switch. Note that the significance of the protected port feature is limited to the local switch, and there is no provision in the PVLAN edge feature to isolate traffic between two "protected" ports located on different switches. For this purpose, the PVLAN feature can be used. Reference: http://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=2

Question No : 458 - Topic 5 Which three condition types can be monitored by crypto conditional debug? (Choose three.) A. Peer hostname B. SSL C. ISAKMP D. Flow ID E. IPsec F. Connection ID

Answer : A,D,F Explanation: Supported Condition Types The new crypto conditional debug CLIs--debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition--allow you to specify conditions (filter values) in which to generate and display debug messages related only to the specified conditions. The table below lists the supported condition types. Table 1 Supported Condition Types for Crypto Debug CLI Condition Type (Keyword) Description connid 1 An integer between 1-32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the connection ID to interface with the crypto engine. flowid 1 An integer between 1-32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the flow-ID to interface with the crypto engine. FVRF The name string of a virtual private network (VPN) routing and forwarding (VRF) instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its front-door VRF (FVRF). IVRF The name string of a VRF instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its inside VRF (IVRF). peer group A Unity group-name string. Relevant debug messages will be shown if the peer is using this group name as its identity. peer hostname A fully qualified domain name (FQDN) string. Relevant debug messages will be shown if the peer is using this string as its identity; for example, if the peer is enabling IKE Xauth with this FQDN string. peeripaddress A single IP address. Relevant debug messages will be shown if the current IPSec operation is related to the IP address of this peer. peer subnet A subnet and a subnet mask that specify a range of peer IP addresses. Relevant debug messages will be shown if the IP address of the current IPSec peer falls into the specified subnet range. peer username A username string. Relevant debug messages will be shown if the peer is using this username as its identity;

Question No : 469 - Topic 5 Which three features are considered part of the IPv6 first-hop security suite? (Choose three.) A. DNS guard B. destination guard C. DHCP guard D. ICMP guard E. RA guard F. DoS guard

Answer : B,C,E Explanation: Cisco IOS has (at least) these IPv6 first-hop security features: IPv6 RA Guard rejects fake RA messages coming from host (non-router) ports (not sure whether it handles all possible IPv6 header fragmentation attacks). Interestingly, it can also validate the contents of RA messages (configuration flags, list of prefixes) received through router-facing ports, potentially giving you a safeguard against an attack of fat fingers. DHCPv6 Guard blocks DHCPv6 messages coming from unauthorized DHCPv6 servers and relays. Like IPv6 RA Guard it also validates the DHCPv6 replies coming from authorized DHCPv6 servers, potentially providing protection against DHCPv6 server misconfiguration. IPv6 Snooping and device tracking builds a IPv6 First-Hop Security Binding Table (nicer name for ND table) by monitoring DHCPv6 and ND messages as well as regular IPv6 traffic. The binding table can be used to stop ND spoofing (in IPv4 world wed call this feature DHCP Snooping and Dynamic ARP Inspection). IPv6 Source Guard uses the IPv6 First-Hop Security Binding Table to drop traffic from unknown sources or bogus IPv6 addresses not in the binding table. The switch also tries to recover from lost address information, querying DHCPv6 server or using IPv6 neighbor discovery to verify the source IPv6 address after dropping the offending packet(s). IPv6 Prefix Guard is denies illegal off-subnet traffic. It uses information gleaned from RA messages and IA_PD option of DHCPv6 replies (delegated prefixes) to build the table of valid prefixes. IPv6 Destination Guard drops IPv6 traffic sent to directly connected destination addresses not in IPv6 First-Hop Security Binding Table, effectively stopping ND exhaustion attacks. Reference: http://blog.ipspace.net/2013/07/first-hop-ipv6-security-features-in.html

Question No : 456 - Topic 5 Which two statements are true about AAA? (Choose two.) A. AAA can use RADIUS, TACACS+, or Windows AD to authenticate users. B. If RADIUS is the only method configured in AAA, and the server becomes unreachable, the user will be able to log in to the router using a local username and password. C. If the local keyword is not included and the AAA server does not respond, then authorization will never be possible and the connection will fail. D. AAA can be used to authenticate the enable password with a AAA server.

Answer : C,D Explanation: AAA can be used to authenticate user login and the enable passwords. Example 1: Same Exec Authentication Methods for All Users Once authenticated with: aaa authentication login default group radius local All users who want to log in to the access server have to be authorized using Radius (first method) or local database (second method). We configure: aaa authorization exec default group radius local Note. On the AAA server, Service-Type=1 (login) must be selected. Note. With this example, if the local keyword is not included and the AAA server does not respond, then authorization will never be possible and the connection will fail. Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access- controller-access-control-system-tacacs-/10384-security.html

Question No : 464 - Topic 5 What is the goal of Unicast Reverse Path Forwarding? A. to verify the reachability of the destination address in forwarded packets B. to help control network congestion C. to verify the reachability of the destination address in multicast packets D. to verify the reachability of the source address in forwarded packets

Answer : D Explanation: Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Reference: http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

Question No : 463 - Topic 5 Which technology can be used to secure the core of an STP domain? A. UplinkFast B. BPDU guard C. BPDU filter D. root guard

Answer : D Explanation: Since STP does not implement any authentication or encryption to protect the exchange of BPDUs, it is vulnerable to unauthorized participation and attacks. Cisco IOS offers the STP Root Guard feature to enforce the placement of the root bridge and secure the core of the STP domain. STP root guard forces a port to become a designated port so that no switch on the other end of the link can become a root switch. If a port configured for root guard receives a superior BPDU, the port it is received on is blocked. In this way, STP root guard blocks other devices from trying to become the root bridge. STP root guard should be enabled on all ports that will never connect to a root bridge, for example, all end user ports. This ensures that a root bridge will never be negotiated on those ports. Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/secur ebasebook/sec_chap7.html

Question No : 445 - Topic 5 What is the ip dhcp snooping information option command used for? A. It displays information about the DHCP snooping table. B. It sends a syslog and an SNMP trap for a DHCP snooping violation. C. It enables the DHCP snooping host tracking feature. D. It enables DHCP option 82 data insertion.

Answer : D Explanation: To enable DHCP option-82 data insertion, perform this task: Command Purpose Step 1 Router(config)# ip dhcp snooping information option Enables DHCP option-82 data insertion. Step 2 Router(config)# ip dhcp snooping information option replace Or: Router(config-if)# ip dhcp snooping information option replace (Optional) Replaces the DHCP relay information option received in snooped packets with the switch's option-82 data. Step 3 Router(config)# do show ip dhcp snooping | include 82 Verifies Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12- 2SX/configuration/guide/book/snoodhcp.html

Question No : 460 - Topic 5 Which command drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value, and also causes the Security Violation counter to increment? A. switchport port-security violation protect B. switchport port-security violation drop C. switchport port-security violation shutdown D. switchport port-security violation restrict

Answer : D Explanation: When configuring port security violation modes, note the following information: protectDrops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value. restrictDrops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment. shutdownPuts the interface into the error-disabled state immediately and sends an SNMP trap notification. Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12- 2SX/configuration/guide/book/port_sec.html