CCNA 3 v.7 Final Exam


Which two packet filters could a network administrator use on an IPv4 extended ACL?

* Destination UDP port number. * ICMP message type. Explanation: Extended access lists commonly filter on source and destination IPv4 addresses and TCP or UDP port numbers. Additional filtering can be provided for protocol types.

Which two actions are taken if the access list is placed inbound on a router Gigabit Ethernet port that has the IP address 192.168.10.254 assigned?

* Devices on the 192.168.10.0/24 network can successfully ping devices on the 192.168.11.0 network. * A Telnet or SSH session is allowed from any device on the 192.168.10.0 into the router with this access list assigned. Explanation: The first ACE allows the 192.168.10.1 device to do any TCP/IP-based transactions with any other destination. The second ACE stops devices on the 192.168.10.0/24 network from issuing any pings to any other location. Everything else is permitted by the third ACE. Therefore, a Telnet/SSH session or ping reply is allowed from a device on the 192.168.10.0/24 network.

What are two approaches to prevent packet loss due to congestion on an interface?

* Drop lower-priority packets. * Increase link capacity. Explanation: There are three approaches to prevent sensitive traffic from being dropped: * Increase link capacity to ease or prevent congestion. * Guarantee enough bandwidth and increase buffer space to accommodate bursts of traffic from fragile flows. * Prevent congestion by dropping lower-priority packets before congestion occurs.

An administrator wants to replace the configuration file on a Cisco router by loading a new configuration file from a TFTP server. What two things does the administrator need to know before performing this task?

* Name of the configuration file that is stored on the TFTP server. * TFTP server IP address. Explanation: In order to identify the exact location of the desired configuration file, the IP address of the TFTP server and the name of the configuration file are essential information. Because the file is a new configuration, the name of the current configuration file is not necessary.

Which two conclusions can be drawn from this new configuration?

* Ping packets will be permitted. * SSH packets will be permitted. Explanation: After the editing, the final configuration is as follows:
Router# show access-lists
Extended IP access list 101
    5 permit tcp any any eq ssh
    10 deny tcp any any
    20 deny udp any any
    30 permit icmp any any
So, only SSH packets and ICMP packets will be permitted.

Which two technologies provide enterprise-managed VPN solutions?

* Remote access VPN * Site-to-site VPN Explanation: VPNs can be managed and deployed as either of two types: * Enterprise VPNs - Enterprise-managed VPNs are a common solution for securing enterprise traffic across the internet. Site-to-site and remote access VPNs are examples of enterprise managed VPNs. * Service Provider VPNs - Service provider managed VPNs are created and managed over the provider network. Layer 2 and Layer 3 MPLS are examples of service provider managed VPNs. Other legacy WAN solutions include Frame Relay and ATM VPNs.

A network administrator is writing a standard ACL that will deny any traffic from the 172.16.0.0/16 network, but permit all other traffic. Which two commands should be used?

* Router(config)# access-list 95 permit any * Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255 Explanation: To deny traffic from the 172.16.0.0/16 network, the access-list 95 deny 172.16.0.0 0.0.255.255 command is used. To permit all other traffic, the access-list 95 permit any statement is added.

A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task?

* Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0 * Router1(config)# access-list 10 permit host 192.168.15.23 Explanation: To permit or deny one specific IP address, either the wildcard mask 0.0.0.0 (used after the IP address) or the wildcard mask keyword host (used before the IP address) can be used.

What are two reasons to create a network baseline?

* To identify future abnormal network behavior. * To determine if the network can deliver the required policies. Explanation: A network baseline is created to provide a comparison point, at the time that the network is performing optimally, to whatever changes are implemented in the infrastructure. A baseline helps to keep track of the performance, to track the traffic patterns, and to monitor network behavior.

What are three functions provided by the syslog service?

* To select the type of logging information that is captured. * To gather logging information for monitoring and troubleshooting. * To specify the destinations of captured messages. Explanation: There are three primary functions provided by the syslog service: 1. gathering logging information. 2. selection of the type of information to be logged. 3. selection of the destination of the logged information.

What are two characteristics of voice traffic?

* Voice traffic latency should not exceed 150 ms. * Dropped voice packets are not re-transmitted. Explanation: Voice traffic does not consume a lot of network resources, such as bandwidth. However, it is very sensitive to delay and dropped packets cannot be retransmitted. For good voice quality, the amount of latency should always be less than 150 milliseconds.

Which two statements about the relationship between LANs and WANs are true?

* WANs are typically operated through multiple ISPs, but LANs are typically operated by single organizations or individuals. * WANs connect LANs at slower speed bandwidth than LANs connect their internal end devices. Explanation: Although LANs and WANs can employ the same network media and intermediary devices, they serve very different areas and purposes. The administrative and geographical scope of a WAN is larger than that of a LAN. Bandwidth speeds are slower on WANs because of their increased complexity. The Internet is a network of networks, which can function under either public or private management.

Which two types of VPNs are examples of enterprise-managed remote access VPNs?

* clientless SSL VPN * client-based IPsec VPN Explanation: Enterprise managed VPNs can be deployed in two configurations: * Remote Access VPN - This VPN is created dynamically when required to establish a secure connection between a client and a VPN server. Remote access VPNs include client-based IPsec VPNs and clientless SSL VPNs. * Site-to-site VPN - This VPN is created when interconnecting devices are pre-configured with information to establish a secure tunnel. VPN traffic is encrypted only between the interconnecting devices, and internal hosts have no knowledge that a VPN is used. Site-to-site VPNs include IPsec, GRE over IPsec, Cisco Dynamic Multipoint (DMVPN), and IPsec Virtual Tunnel Interface (VTI) VPNs.

By default, what is the OSPF cost for any link with a bandwidth of 100 Mb/s or greater?

1 Explanation: OSPF uses the formula: Cost = 100,000,000 / bandwidth. Because OSPF will only use integers as cost, any bandwidth of 100 Mb/s or greater will all equal a cost of 1.

What is the default router priority value for all Cisco OSPF routers?

1 Explanation: The router priority value is used in a DR/BDR election. The default priority for all OSPF routers is 1 but it can be manually altered to any value 0 to 255.

What is the format of the router ID on an OSPF-enabled router?

A 32-bit number formatted like an IPv4 address Explanation: A router ID is a 32-bit number formatted like an IPv4 address (x.x.x.x) and assigned in order to uniquely identify a router among OSPF peers.

What is a ping sweep?

A network scanning technique that indicates the live hosts in a range of IP addresses. Explanation: A ping sweep is a tool that is used during a reconnaissance attack. Tools that might be used during this type of attack include a ping sweep, port scan, or Internet information query. A reconnaissance attack is used to gather information about a particular network, usually in preparation for another type of network attack.

If an asymmetric algorithm uses a public key to encrypt data, what is used to decrypt it?

A private key. Explanation: When an asymmetric algorithm is used, public and private keys are used for the encryption. Either key can be used for encryption, but the complementary matched key must be used for the decryption. For example, if the public key is used for encryption, then the private key must be used for the decryption.

Which statement describes SNMP operation?

A set request is used by the NMS to change configuration variables in the agent device. Explanation: An SNMP agent that resides on a managed device collects and stores information about the device and its operation. This information is stored by the agent locally in the MIB. An NMS periodically polls the SNMP agents that are residing on managed devices by using the get request to query the devices for data.

What is the function of a QoS trust boundary?

A trust boundary identifies which devices trust the marking on packets that enter a network. Explanation: Network traffic is classified and marked as close to the source device as possible. The trust boundary is the location where the QoS markings on a packet are trusted as they enter an enterprise network.

What algorithm is used with IPsec to provide data confidentiality?

AES. Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms that are used to ensure that data is not intercepted and modified (data integrity) are MD5 and SHA. AES is an encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used for key exchange. RSA is an algorithm that is used for authentication.

Which characteristic would most influence a network design engineer to select a multilayer switch over a Layer 2 switch?

Ability to build a routing table. Explanation: Multilayer switches, also known as Layer 3 switches, can route and build a routing table. This capability is required in a multi-VLAN network and would influence the network designer to select a multilayer switch. The other options are features also available on Layer 2 switches, so they would not influence the decision to select a multilayer switch.

Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?

access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1 eq 80
access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23
Explanation: For an extended ACL to meet these requirements the following need to be included in the access control entries: * identification number in the range 100-199 or 2000-2699 * permit or deny parameter * protocol * source address and wildcard * destination address and wildcard * port number or name

Which action should be taken when planning for redundancy on a hierarchical network design?

Add alternate physical paths for data to traverse the network. Explanation: One method of implementing redundancy is path redundancy, installing alternate physical paths for data to traverse the network. Redundant links in a switched network support high availability and can be used for load balancing, reducing congestion on the network.

What is the function of the Diffie-Hellman algorithm within the IPsec framework?

Allows peers to exchange shared keys. Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. DH (Diffie-Hellman) is an algorithm used for key exchange. DH is a public key exchange method that allows two IPsec peers to establish a shared secret key over an insecure channel.

Which situation describes data transmissions over a WAN connection?

An employee shares a database file with a co-worker who is located in a branch office on the other side of the city. Explanation: When two offices across a city are communicating, it is most likely that the data transmissions are over some type of WAN connection. Data communications within a campus are typically over LAN connections.

What will an OSPF router prefer to use first as a router ID?

Any IP address that is configured using the router-id command. Explanation: The first preference for an OSPF router ID is an explicitly configured 32-bit address. This address is not included in the routing table and is not defined by the network command. If a router ID that is configured through the router-id command is not available, OSPF routers next use the highest IP address available on a loopback interface, as loopbacks used as router IDs are also not routable addresses. Lacking either of these alternatives, an OSPF router will use the highest IP address from its active physical interfaces.

When is the most appropriate time to measure network operations to establish a network performance baseline?

At the same time each day across a set period of average working days, so that typical traffic patterns can be established. Explanation: The purpose of establishing a network performance baseline is to provide a reference of normal or average network use to enable data traffic anomalies to be detected and then investigated. Network operations that are not average, or are not normal, cannot be used to establish a network performance baseline.

Which VPN solution allows the use of a web browser to establish a secure, remote-access VPN tunnel to the ASA?

Clientless SSL Explanation: When a web browser is used to securely access the corporate network, the browser must use a secure version of HTTP to provide SSL encryption. A VPN client is not required to be installed on the remote host, so a clientless SSL connection is used.

What is the recommended Cisco best practice for configuring an OSPF-enabled router so that each router can be easily identified when troubleshooting routing issues?

Configure a value using the router-id command. Explanation: A Cisco router is assigned a router ID to uniquely identify it. It can be automatically assigned and take the value of the highest configured IP address on any interface, the value of a specifically-configured loopback address, or the value assigned (which is in the exact form of an IP address) using the router-id command. Cisco recommends using the router-id command.

Which protocol is attacked when a cybercriminal provides an invalid gateway in order to create a man-in-the-middle attack?

DHCP Explanation: A cyber criminal could set up a rogue DHCP server that provides one or more of the following: * Wrong default gateway that is used to create a man-in-the-middle attack and allow the attacker to intercept data. * Wrong DNS server that results in the user being sent to a malicious website. * Invalid default gateway IP address that results in a denial of service attack on the DHCP client.

Which type of OSPFv2 packet contains an abbreviated list of the LSDB of a sending router and is used by receiving routers to check against the local LSDB?

Database description. Explanation: The database description (DBD) packet contains an abbreviated list of the LSDB sent by a neighboring router and is used by receiving routers to check against the local LSDB.

To establish a neighbor adjacency two OSPF routers will exchange hello packets. Which two values in the hello packets must match on both routers?

Dead interval, hello interval. Explanation: The hello and dead interval timers contained in a hello packet must be the same on neighboring routers in order to form an adjacency.

When QoS is implemented in a converged network, which two factors can be controlled to improve network performance for real-time traffic?

Delay, jitter Explanation: Delay is the latency between a sending and receiving device. Jitter is the variation in the delay of the received packets. Both delay and jitter need to be controlled in order to support real-time voice and video traffic.

What is a definition of a two-tier LAN network design?

Distribution and core layers collapsed into one tier, and the access layer on a separate tier. Explanation: Maintaining three separate network tiers is not always required or cost-efficient. All network designs require an access layer, but a two-tier design can collapse the distribution and core layers into one layer to serve the needs of a small location with few users.

What are the three layers of the switch hierarchical design model?

Distribution, access, core Explanation: The access layer is the lowest layer and it provides network access to users. The distribution layer has many functions, but it aggregates data from the access layer, provides filtering, policy control, and sets Layer 3 routing boundaries. The core layer provides high speed connectivity.

In what type of attack is a cyber criminal attempting to prevent legitimate users from accessing network services?

DoS Explanation: In a DoS or denial-of-service attack, the goal of the attacker is to prevent legitimate users from accessing network services.

Which network scenario will require the use of a WAN?

Employees need to connect to the corporate email server through a VPN while traveling. Explanation: When traveling employees need to connect to a corporate email server through a WAN connection, the VPN will create a secure tunnel between an employee laptop and the corporate network over the WAN connection. Obtaining dynamic IP addresses through DHCP is a function of LAN communication. Sharing files among separate buildings on a corporate campus is accomplished through the LAN infrastructure. A DMZ is a protected network inside the corporate LAN infrastructure.

When an OSPF network is converged and no network topology change has been detected by a router, how often will LSU packets be sent to neighboring routers?

Every 30 minutes. Explanation: After all LSRs have been satisfied for a given router, the adjacent routers are considered synchronized and in a full state. Updates (LSUs) are sent to neighbors only under the following conditions: * When a network topology change is detected (incremental updates). * Every 30 minutes.

Which step does an OSPF enabled router take immediately after establishing an adjacency with another router?

Exchanges link-state advertisements. Explanation: The OSPF operation steps are as follows: 1. Establish neighbor adjacencies 2. Exchange link-state advertisements 3. Build the topology table 4. Execute the SPF algorithm 5. Choose the best route

What type of ACL offers greater flexibility and control over network access?

Extended Explanation: The two types of ACLs are standard and extended. Both types can be named or numbered, but extended ACLs offer greater flexibility.

What commonly motivates cybercriminals to attack networks as compared to hacktivists or state-sponsored hackers?

Financial gain. Explanation: Cybercriminals are commonly motivated by money. Hackers are known to hack for status. Cyberterrorists are motivated to commit cybercrimes for religious or political reasons.

Which two technologies are categorized as private WAN infrastructures?

Frame Relay, MetroE Explanation: Private WAN technologies include leased lines, dialup, ISDN, Frame Relay, ATM, Ethernet WAN (an example is MetroE), MPLS, and VSAT.

Which two WAN infrastructure services are examples of private connections?

Frame Relay, T1/E1 Explanation: Private WANs can use T1/E1, T3/E3, PSTN, ISDN, Metro Ethernet, MPLS, Frame Relay, ATM, or VSAT technology.

As the network administrator you have been asked to implement EtherChannel on the corporate network. What does this configuration consist of?

Grouping multiple physical ports to increase bandwidth between two switches. Explanation: EtherChannel is utilized on a network to increase speed capabilities by grouping multiple physical ports into one or more logical EtherChannel links between two switches. STP is used to provide redundant links that dynamically block or forward traffic between switches. FHRPs are used to group physical devices to provide traffic flow in the event of failure.

What is the function of the Hashed Message Authentication Code (HMAC) algorithm in setting up an IPsec VPN?

Guarantees message integrity. Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. The Hashed Message Authentication Code (HMAC) is a data integrity algorithm that uses a hash value to guarantee the integrity of a message.

After modifying the router ID on an OSPF router, what is the preferred method to make the new router ID effective?

HQ# clear ip ospf process. Explanation: To modify a router-id on an OSPF-enabled router, it is necessary to reset the OSPF routing process by entering either the clear ip ospf process command or the reload command.

Which type of hacker is motivated to protest against political and social issues?

Hacktivist Explanation: Hackers are categorized by motivating factors. Hacktivists are motivated by protesting political and social issues.

Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair?

Host, any Explanation: The host keyword is used when using a specific device IP address in an ACL. For example, the deny host 192.168.5.5 command is the same as the deny 192.168.5.5 0.0.0.0 command. The any keyword is used to allow any mask through that meets the criteria. For example, the permit any command is the same as the permit 0.0.0.0 255.255.255.255 command.

What indicates to a link-state router that a neighbor is unreachable?

If the router no longer receives hello packets Explanation: OSPF routers send hello packets to monitor the state of a neighbor. When a router stops receiving hello packets from a neighbor, that neighbor is considered unreachable and the adjacency is broken.

Which statement describes a difference between the operation of inbound and outbound ACLs?

Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed. Explanation: With an inbound ACL, incoming packets are processed before they are routed. With an outbound ACL, packets are first routed to the outbound interface, then they are processed. Thus processing inbound is more efficient from the router perspective. The structure, filtering methods, and limitations (on an interface, only one inbound and one outbound ACL can be configured) are the same for both types of ACLs.

What are two benefits of extending access layer connectivity to users through a wireless medium?

Increased flexibility, reduced costs. Explanation: Wireless connectivity at the access layer provides increased flexibility, reduced costs, and the ability to grow and adapt to changing business requirements. Utilizing wireless routers and access points can provide an increase in the number of central points of failure. Wireless routers and access points will not provide an increase in bandwidth availability.

Which three OSPF states are involved when two routers are forming an adjacency?

Init, Two-way, Down Explanation: OSPF operation progresses through 7 states for establishing neighboring router adjacency, exchanging routing information, calculating the best routes, and reaching convergence. The Down, Init, and Two-way states are involved in the phase of neighboring router adjacency establishment.

Which is a characteristic of a Type 1 hypervisor?

Installed directly on a server. Explanation: Type 1 hypervisors are installed directly on a server and are known as "bare metal" solutions giving direct access to hardware resources. They also require a management console and are best suited for enterprise environments.

Which IPsec security function provides assurance that the data received via a VPN has not been modified in transit?

Integrity Explanation: Integrity is a function of IPsec and ensures data arrives unchanged at the destination through the use of a hash algorithm. Confidentiality is a function of IPsec and utilizes encryption to protect data transfers with a key. Authentication is a function of IPsec and provides specific access to users and devices with valid authentication factors. Secure key exchange is a function of IPsec and allows two peers to maintain their private key confidentiality while sharing their public key.

Which requirement of secure communications is ensured by the implementation of MD5 or SHA hash generating algorithms?

Integrity Explanation: Integrity is ensured by implementing either MD5 or SHA hash generating algorithms. Many modern networks ensure authentication with protocols, such as HMAC. Data confidentiality is ensured through symmetric encryption algorithms, including DES, 3DES, and AES. Data confidentiality can also be ensured using asymmetric algorithms, including RSA and PKI.

Which statement accurately characterizes the evolution of threats to network security?

Internal threats can cause even greater damage than external threats. Explanation: Internal threats can be intentional or accidental and cause greater damage than external threats because the internal user has direct access to the internal corporate network and corporate data.

What is the purpose of the overload keyword in the ip nat inside source list 1 pool NAT_POOL overload command?

It allows many inside hosts to share one or a few inside global addresses. Explanation: Dynamic NAT uses a pool of inside global addresses that are assigned to outgoing sessions. If there are more internal hosts than public addresses in the pool, then an administrator can enable port address translation with the addition of the overload keyword. With port address translation, many internal hosts can share a single inside global address because the NAT device will track the individual sessions by Layer 4 port number.

Which statement describes an important characteristic of a site-to-site VPN?

It must be statically set up. Explanation: A site-to-site VPN is created between the network devices of two separate networks. The VPN is static and stays established. The internal hosts of the two networks have no knowledge of the VPN.

Which is a requirement of a site-to-site VPN?

It requires a VPN gateway at each end of the tunnel to encrypt and decrypt traffic. Explanation: Site-to-site VPNs are static and are used to connect entire networks. Hosts have no knowledge of the VPN and send TCP/IP traffic to VPN gateways. The VPN gateway is responsible for encapsulating the traffic and forwarding it through the VPN tunnel to a peer gateway at the other end which decapsulates the traffic.

In an OSPFv2 configuration, what is the effect of entering the command network 192.168.1.1 0.0.0.0 area 0?

It tells the router which interface to turn on for the OSPF routing process. Explanation: Entering the command network 192.168.1.1 0.0.0.0 area 0 will turn on only the interface with that IP address for OSPF routing. It does not change the router ID. Instead, OSPF will use the network that is configured on that interface.

A network administrator is deploying QoS with the ability to provide a special queue for voice traffic so that voice traffic is forwarded before network traffic in other queues. Which queuing method would be the best choice?

LLQ. Explanation: Low latency queuing (LLQ) allows delay-sensitive data, such as voice traffic, to be defined in a strict priority queue (PQ) and to always be sent first before any packets in any other queue are forwarded.

What is the benefit of deploying Layer 3 QoS marking across an enterprise network?

Layer 3 marking can carry the QoS information end-to-end. Explanation: Marking traffic at Layer 2 or Layer 3 is very important and will affect how traffic is treated in a network using QoS. * Layer 2 marking of frames can be performed for non-IP traffic. * Layer 2 marking of frames is the only QoS option available for switches that are not "IP aware." * Layer 3 marking will carry the QoS information end-to-end.

Which OSPF data structure is identical on all OSPF routers that share the same area?

Link-state database Explanation: Regardless of which OSPF area a router resides in, the adjacency database, routing table, and forwarding database are unique for each router. The link-state database lists information about all other routers within an area and is identical across all OSPF routers participating in that area.

Which attack involves threat actors positioning themselves between a source and destination with the intent of transparently monitoring, capturing, and controlling the communication?

Man-in-the-middle attack. Explanation: The man-in-the-middle attack is a common IP-related attack where threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication.

In which step of gathering symptoms does the network engineer determine if the problem is at the core, distribution, or access layer of the network?

Narrow the scope. Explanation: In the "narrow the scope" step of gathering symptoms, a network engineer will determine if the network problem is at the core, distribution, or access layer of the network. Once this step is complete and the layer is identified, the network engineer can determine which pieces of equipment are the most likely cause.

How is "tunneling" accomplished in a VPN?

New headers from one or more VPN protocols encapsulate the original packets. Explanation: Packets in a VPN are encapsulated with the headers from one or more VPN protocols before being sent across the third party network. This is referred to as "tunneling". These outer headers can be used to route the packets, authenticate the source, and prevent unauthorized users from reading the contents of the packets.

In NAT terms, what address type refers to the globally routable IPv4 address of a destination host on the Internet?

Outside Global Explanation: From the perspective of a NAT device, inside global addresses are used by external users to reach internal hosts. Inside local addresses are the addresses assigned to internal hosts. Outside global addresses are the addresses of destinations on the external network. Outside local addresses are the actual private addresses of destination hosts behind other NAT devices.

What does NAT overloading use to track multiple internal hosts that use one inside global address?

Port numbers Explanation: NAT overloading, also known as Port Address Translation (PAT), uses port numbers to differentiate between multiple internal hosts.

Which troubleshooting tool would a network administrator use to check the Layer 2 header of frames that are leaving a particular host?

Protocol analyzer. Explanation: A protocol analyzer such as Wireshark is capable of displaying the headers of data at any OSI Layer.

What is a basic function of the Cisco Borderless Architecture access layer?

Provides access to the user. Explanation: A function of the Cisco Borderless Architecture access layer is providing network access to the users. Layer 2 broadcast domain aggregation, Layer 3 routing boundaries aggregation, and high availability are distribution layer functions. The core layer provides fault isolation and high-speed backbone connectivity.

An OSPF router has three directly connected networks; 172.16.0.0/16, 172.16.1.0/16, and 172.16.2.0/16. Which OSPF network command would advertise only the 172.16.1.0 network to neighbors?

Router(config-router)# network 172.16.1.0 255.255.255.0 area 0. Explanation: To advertise only the 172.16.1.0/16 network the wildcard mask used in the network command must match the first 16-bits exactly. To match bits exactly, a wildcard mask uses a binary zero. This means that the first 16-bits of the wildcard mask must be zero. The low order 16-bits can all be set to 1.

What are two hashing algorithms used with IPsec AH to guarantee authenticity?

SHA, MD5 Explanation: The IPsec framework uses various protocols and algorithms to provide data confidentiality, data integrity, authentication, and secure key exchange. Two popular algorithms used to ensure that data is not intercepted and modified (data integrity and authenticity) are MD5 and SHA.

What configuration scenario would offer the most protection to SNMP get and set messages?

SNMPv3 configured with the auth security level. Explanation: SNMPv3 supports authentication and encryption with the auth and priv security levels. SNMPv1 and SNMPv2 do not support authentication or encryption. Using a default community string is not secure because the default string of "public" is well known and would allow anyone with SNMP systems to read device MIBs.

In which TCP attack is the cybercriminal attempting to overwhelm a target host with half-open TCP connections?

SYN flood attack Explanation: In a TCP SYN flood attack, the attacker sends to the target host a continuous flood of TCP SYN session requests with a spoofed source IP address. The target host responds with a TCP-SYN-ACK to each of the SYN session requests and waits for a TCP ACK that will never arrive. Eventually the target is overwhelmed with half-open TCP connections.

Which command will a network engineer issue to verify the configured hello and dead timer intervals on a point-to-point WAN link between two routers that are running OSPFv2?

Show ip ospf interface serial 0/0/0 Explanation: The show ip ospf interface serial 0/0/0 command will display the configured hello and dead timer intervals on a point-to-point serial WAN link between two OSPFv2 routers. The show ipv6 ospf interface serial 0/0/0 command will display the configured hello and dead timer intervals on a point-to-point serial link between two OSPFv3 routers. The show ip ospf interface fastethernet 0/1 command will display the configured hello and dead timer intervals on a multiaccess link between two (or more) OSPFv2 routers. The show ip ospf neighbor command will display the dead interval elapsed time since the last hello message was received, but does not show the configured value of the timer.

What command would be used to determine if a routing protocol-initiated relationship had been made with an adjacent router?

Show ip ospf neighbor Explanation: While the show ip interface brief and ping commands can be used to determine if Layer 1, 2, and 3 connectivity exists, neither command can be used to determine if a particular OSPF or EIGRP-initiated relationship has been made. The show ip protocols command is useful in determining the routing parameters such as timers, router ID, and metric information associated with a specific routing protocol. The show ip ospf neighbor command shows if two adjacent routers have exchanged OSPF messages in order to form a neighbor relationship.

Which command is used to verify that OSPF is enabled and also provides a list of the networks that are being advertised by the network?

Show ip protocols. Explanation: The command show ip ospf interface verifies the active OSPF interfaces. The command show ip interface brief is used to check that the interfaces are operational. The command show ip route ospf displays the entries that are learned via OSPF in the routing table. The command show ip protocols checks that OSPF is enabled and lists the networks that are advertised.

A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent?

Social engineering Explanation: Social engineering attempts to gain the confidence of an employee and convince that person to divulge confidential and sensitive information, such as usernames and passwords. DDoS attacks, spam, and keylogging are all examples of software based security threats, not social engineering.

The command ntp server 10.1.1.1 is issued on a router. What impact does this command have?

Synchronizes the system clock with the time source with IP address 10.1.1.1 Explanation: The ntp server ip-address global configuration command configures the NTP server for IOS devices.

A network technician issues the following commands when configuring a router: R1(config)# router ospf 11 R1(config-router)# network 10.10.10.0 0.0.0.255 area 0 What does the number 11 represent?

The OSPF process ID on R1. Explanation: There is no autonomous system number to configure on OSPF. The area number is located at the end of the network statement. The cost of a link can be modified in the interface configuration mode. The process ID is local to the router.

A computer can access devices on the same network but cannot access devices on other networks. What is the probable cause of this problem?

The computer has an invalid default gateway address. Explanation: The default gateway is the address of the device a host uses to access the Internet or another network. If the default gateway is missing or incorrect, that host will not be able to communicate outside the local network. Because the host can access other hosts on the local network, the network cable and the other parts of the IP configuration are working.

A network engineer has manually configured the hello interval to 15 seconds on an interface of a router that is running OSPFv2. By default, how will the dead interval on the interface be affected?

The dead interval will now be 60 seconds. Explanation: Cisco IOS automatically modifies the dead interval to four times the hello interval.

What network design would contain the scope of disruptions on a network should a failure occur?

The deployment of distribution layer switches in pairs and the division of access layer switch connections between them. Explanation: One way to contain the impact of a failure on the network is to implement redundancy. One way this is accomplished is by deploying redundant distribution layer switches and dividing the access layer switch connections between the redundant distribution layer switches. This creates what is called a switch block. Failures in a switch block are contained to that block and do not bring down the whole network.

A network designer is considering whether to implement a switch block on the company network. What is the primary advantage of deploying a switch block?

The failure of a switch block will not impact all end users. Explanation: The configuration of a switch block provides redundancy so that the failure of a single network device generally has little or no effect on end users.

A network administrator configures a router with the command sequence: R1(config)# boot system tftp://c1900-universalk9-mz.SPA.152-4.M3.bin R1(config)# boot system rom What is the effect of the command sequence?

The router will load IOS from the TFTP server. If the image fails to load, it will load the IOS image from ROM. Explanation: The boot system command is a global configuration command that allows the user to specify the source for the Cisco IOS Software image to load. In this case, the router is configured to boot from the IOS image that is stored on the TFTP server and will use the ROMMON image that is located in the ROM if it fails to locate the TFTP server or fails to load a valid image from the TFTP server.

What is used to facilitate hierarchical routing in OSPF?

The use of multiple areas. Explanation: OSPF supports the concept of areas to prevent larger routing tables, excessive SPF calculations, and large LSDBs. Only routers within an area share link-state information. This allows OSPF to scale in a hierarchical fashion with all areas that connect to a backbone area.

In what way are zombies used in security attacks?

They are infected machines that carry out a DDoS attack. Explanation: Zombies are infected computers that make up a botnet. The zombies are used to deploy a distributed denial of service (DDoS) attack.

Which statement describes a characteristic of standard IPv4 ACLs?

They filter traffic based on source IP addresses only. Explanation: A standard IPv4 ACL can filter traffic based on source IP addresses only. Unlike an extended ACL, it cannot filter traffic based on Layer 4 ports. However, both standard and extended ACLs can be identified with either a number or a name, and both are configured in global configuration mode.

What is the reason for a network engineer to alter the default reference bandwidth parameter when configuring OSPF?

To more accurately reflect the cost of links greater than 100 Mb/s. Explanation: By default, Fast Ethernet, Gigabit, and 10 Gigabit Ethernet interfaces all have a cost of 1. Altering the default reference bandwidth alters the cost calculation, allowing each speed to be more accurately reflected in the cost.

What is the function of the MIB element as part of a network management system?

To store data about a device. Explanation: The Management Information Base (MIB) resides on a networking device and stores operational data about the device. The SNMP manager can collect information from SNMP agents. The SNMP agent provides access to the information.

What are the two purposes of an OSPF router ID?

To uniquely identify the router within the OSPF domain. To facilitate router participation in the election of the designated router. Explanation: OSPF router ID does not contribute to SPF algorithm calculations, nor does it facilitate the transition of the OSPF neighbor state to Full. Although the router ID is contained within OSPF messages when router adjacencies are being established, it has no bearing on the actual convergence process.

What is a benefit of multiarea OSPF routing?

Topology changes in one area do not cause SPF recalculations in other areas. Explanation: With multiarea OSPF, only routers within an area share the same link-state database. Changes to the network topology in one area do not impact other areas, which reduces the number of SPF algorithm calculations and the of link-state databases.

Which type of hypervisor would most likely be used in a data center?

Type 1 Explanation: The two types of hypervisors are Type 1 and Type 2. Type 1 hypervisors are usually used on enterprise servers. Enterprise servers rather than virtualized PCs are more likely to be in a data center.

Which type of network traffic cannot be managed using congestion avoidance tools?

UDP. Explanation: Queuing and compression techniques can help to reduce and prevent UDP packet loss, but there is no congestion avoidance for User Datagram Protocol (UDP) based traffic.

What is the quickest way to remove a single ACE from a named ACL?

Use the no keyword and the sequence number of the ACE to be removed. Explanation: Named ACL ACEs can be removed using the no command followed by the sequence number.

Which statement describes a VPN?

VPNs use virtual connections to create a private network through a public network. Explanation: A VPN is a private network that is created over a public network. Instead of using dedicated physical connections, a VPN uses virtual connections routed through a public network between two network devices.

Why is QoS an important issue in a converged network that combines voice, video, and data communications?

Voice and video communications are more sensitive to latency. Explanation: Without any QoS mechanisms in place, time-sensitive packets, such as voice and video, will be dropped with the same frequency as email and web browsing traffic.

Which circumstance would result in an enterprise deciding to implement a corporate WAN?

When its employees become distributed across many branch locations. Explanation: WANs cover a greater geographic area than LANs do, so having employees distributed across many locations would require the implementation of WAN technologies to connect those locations. Customers will access corporate web services via a public WAN that is implemented by a service provider, not by the enterprise itself. When employee numbers grow, the LAN has to expand as well. A WAN is not required unless the employees are in remote locations. LAN security is not related to the decision to implement a WAN.

In an OSPF network when are DR and BDR elections required?

When the routers are interconnected over a common Ethernet network. Explanation: When the routers are interconnected over a common Ethernet network, then a designated router (DR) and a backup DR (BDR) must be elected.

