admin | Premium CCNA Exam Questions

CISCO CCNA Exam – Q218

Which three features are added in SNMPv3 over SNMPv2?
A. Message Integrity
B. Compression
C. Authentication
D. Encryption
E. Error Detection

Correct Answers: A, C, D

Explanation:
Cisco IOS software supports the following versions of SNMP:
+ SNMPv1 – The Simple Network Management Protocol: A Full Internet Standard, defined in RFC 1157. (RFC 1157 replaces the earlier versions that were published as RFC 1067 and RFC 1098.) Security is based on community strings.

+ SNMPv2c – The community-string based Administrative Framework for SNMPv2. SNMPv2c (the “c” stands for “community”) is an Experimental Internet Protocol defined in RFC 1901, RFC 1905, and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic), and uses the community-based
security model of SNMPv1.

+ SNMPv3 – Version 3 of SNMP. SNMPv3 is an interoperable standards-based protocol defined in RFCs 2273 to 2275. SNMPv3 provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are as follows:

– Message integrity: Ensuring that a packet has not been tampered with in transit.
– Authentication: Determining that the message is from a valid source.
– Encryption: Scrambling the contents of a packet prevent it from being learned by an unauthorized source.

CISCO CCNA Exam – Q217

In a GLBP network, who is responsible for the ARP request?

A. AVF
B. AVG
C. Active Router
D. Standby Router

Correct Answer: B

Explanation:
Members of a GLBP group elect one gateway to be the active virtual gateway (AVG) for that group. Other group members provide backup for the AVG in the event that the AVG becomes unavailable. The AVG assigns a virtual MAC address to each member of the GLBP group. Each gateway assumes responsibility for forwarding packets sent to the virtual MAC address assigned to it by the AVG. These gateways are known as active virtual forwarders (AVFs) for their virtual MAC address.

The AVG is responsible for answering Address Resolution Protocol (ARP) requests for the virtual IP address. Load sharing is achieved by the AVG replying to the ARP requests with different virtual MAC addresses.

CISCO CCNA Exam – Q216

A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two.)

A. The network administrator can apply port security to dynamic access ports.
B. The network administrator can apply port security to EtherChannels.
C. When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined.
D. The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.
E. The network administrator can configure static secure or sticky secure MAC addresses in the voice VLAN.

Correct Answers: C, D

Explanation:
Follow these guidelines when configuring port security:

+ Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports.
+ A secure port cannot be a dynamic access port.
+ A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
+ A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
+ You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
+ When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
+ If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
+ When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.
+ The switch does not support port security aging of sticky secure MAC addresses.
+ The protect and restrict options cannot be simultaneously enabled on an interface.

CISCO CCNA Exam – Q215

Drag the security features on the left to the specific security risks they help protect against on the right. (Not all options are used.)
Select and Place:
CISCO CCNA Exam – Q215

CISCO CCNA Exam – Q215b

CISCO CCNA Exam – Q214

Refer to the exhibit.
CISCO CCNA Exam – Q214

A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands.
Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.)

A. Port security needs to be globally enabled.
B. Port security needs to be enabled on the interface.
C. Port security needs to be configured to shut down the interface in the event of a violation.
D. Port security needs to be configured to allow only one learned MAC address.
E. Port security interface counters need to be cleared before using the show command.
F. The port security configuration needs to be saved to NVRAM before it can become active.

Correct Answers: B, D

Explanation:
From the output we can see that port security is disabled so this needs to be enabled. Also, the maximum number of devices is set to 2 so this needs to be just one if we want the single host to have access and nothing else.

CISCO CCNA Exam – Q213

Which set of commands is recommended to prevent the use of a hub in the access layer?

A. switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security maximum 1
B. switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security mac-address 1
C. switch(config-if)#switchport mode access
switch(config-if)#switchport port-security maximum 1
D. switch(config-if)#switchport mode access
switch(config-if)#switchport port-security mac-address 1

Correct Answer: C

Explanation:
This question is to examine the layer 2 security configuration.
In order to satisfy the requirements of this question, you should perform the following configurations in the interface mode:
First, configure the interface mode as the access mode
Second, enable the port security and set the maximum number of connections to 1.

CISCO CCNA Exam – Q212

How does using the service password-encryption command on a router provide additional security?

A. by encrypting all passwords passing through the router
B. by encrypting passwords in the plain text configuration file
C. by requiring entry of encrypted passwords for access to the device
D. by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges
E. by automatically suggesting encrypted passwords for use in configuring the router

Correct Answer: B

Explanation:
By using this command, all the (current and future) passwords are encrypted. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file

CISCO CCNA Exam – Q211

Refer to the exhibit.
CISCO CCNA Exam – Q211

Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?

A. ACDB
B. BADC
C. DBAC
D. CDBA

Correct Answer: D
< Explanation:
Routers go line by line through an access list until a match is found and then will not look any further, even if a more specific of better match is found later on in the access list.
So, it it best to begin with the most specific entries first, in this cast the two hosts in line C and D. Then, include the subnet (B) and then finally the rest of the traffic (A).

CISCO CCNA Exam – Q210

Refer to the exhibit.
CISCO CCNA Exam – Q210

An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?

A. no ip access-class 102 in
B. no ip access-class 102 out
C. no ip access-group 102 in
D. no ip access-group 102 out
E. no ip access-list 102 in

Correct Answer: D

Explanation:
The “ip access-group” is used to apply and ACL to an interface. From the output shown, we know that the ACL is applied to outbound traffic, so “no ip access-group 102 out” will remove the effect of this ACL.

CISCO CCNA Exam – Q209

Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU?

A. BackboneFast
B. UplinkFast
C. Root Guard
D. BPDU Guard
E. BPDU Filter

Correct Answer: D

Explanation:
We only enable PortFast feature on access ports (ports connected to end stations). But if someone does not know he can accidentally plug that port to another switch and a loop may occur when BPDUs are being transmitted and received on these ports.
With BPDU Guard, when a PortFast receives a BPDU, it will be shut down to prevent a loop.