admin | Premium CCNA Exam Questions

CISCO CCNA Exam – Q208

When you are troubleshooting an ACL issue on a router, which command would you use to verify which interfaces are affected by the ACL?

A. show ip access-lists
B. show access-lists
C. show interface
D. show ip interface
E. list ip interface

Correct Answer: D

Explanation:
Incorrect answer:
show ip access-lists does not show interfaces affected by an ACL.

CISCO CCNA Exam – Q207

Refer to exhibit.
CISCO CCNA Exam – Q207
A network administrator cannot establish a Telnet session with the indicated router. What is the cause of this failure?

A. A Level 5 password is not set.
B. An ACL is blocking Telnet access.
C. The vty password is missing.
D. The console password is missing.

Correct Answer: C

Explanation:
The login keyword has been set, but not password. This will result in the “password required, but none set” message to users trying to telnet to this router.

CISCO CCNA Exam – Q206

Which statement about access lists that are applied to an interface is true?

A. You can place as many access lists as you want on any interface.
B. You can apply only one access list on any interface.
C. You can configure one access list, per direction, per Layer 3 protocol.
D. You can apply multiple access lists with the same protocol or in different directions.

Correct Answer: C

Explanation:
We can have only 1 access list per protocol, per direction and per interface. It means:
+ We cannot have 2 inbound access lists on an interface
+ We can have 1 inbound and 1 outbound access list on an interface

CISCO CCNA Exam – Q205

Which item represents the standard IP ACL?

A. access-list 110 permit ip any any
B. access-list 50 deny 192.168.1.1 0.0.0.255
C. access list 101 deny tcp any host 192.168.1.1
D. access-list 2500 deny tcp any host 192.168.1.1 eq 22

Correct Answer: B

Explanation:
The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access list.

CISCO CCNA Exam – Q204

A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only.
Which two ACL statements, when combined, would you use to accomplish this task? (Choose two.)

A. access-list 10 permit ip 192.168.146.0 0.0.1.255
B. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
E. access-list 10 permit ip 192.168.146.0 0.0.0.255
F. access-list 10 permit ip 192.168.146.0 255.255.255.0

Correct Answers: A,C

Explanation:
“access-list 10 permit ip 192.168.146.0 0.0.1.255” would allow only the 192.168.146.0 and 192.168.147.0 networks, and “access-list 10 permit ip 192.168.148.0 0.0.1.255” would allow only the 192.168.148.0 and 192.168.149.0 networks.

CISCO CCNA Exam – Q203

What can be done to secure the virtual terminal interfaces on a router? (Choose two.)

A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.

Correct Answers: D, E

Explanation:
It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces ->
We cannot physically secure a virtual interface because it is “virtual” ->.
To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct.
The most simple way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login.

CISCO CCNA Exam – Q202

Which two commands correctly verify whether port security has been configured on port FastEthernet 0/12 on a switch? (Choose two.)

A. SW1#show port-secure interface FastEthernet 0/12
B. SW1#show switchport port-secure interface FastEthernet 0/12
C. SW1#show running-config
D. SW1#show port-security interface FastEthernet 0/12
E. SW1#show switchport port-security interface FastEthernet 0/12

Correct Answers: C, D

Explanation:
We can verify whether port security has been configured by using the “show running-config” or “show port-security interface” for more detail. An example of the output of “show port-security interface” command is shown below:
CISCO CCNA Exam – Q202

CISCO CCNA Exam – Q201

Refer to the exhibit.
CISCO CCNA Exam – Q201

The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)# switchport port-security
2950Switch(config-if)# switchport port-security mac-address sticky
2950Switch(config-if)# switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two.)

A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

Correct Answers: B, D

Explanation:
The configuration shown here is an example of port security, specifically port security using sticky addresses. You can use port security with dynamically learned and static MAC addresses to restrict a port’s ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically.
Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.

CISCO CCNA Exam – Q200

What two things will a router do when running a distance vector routing protocol? (Choose two.)

A. Send periodic updates regardless of topology changes.
B. Send entire routing table to all routers in the routing domain.
C. Use the shortest-path algorithm to the determine best path.
D. Update the routing table based on updates from their neighbors.
E. Maintain the topology of the entire network in its database.

Correct Answers: A, D

Explanation:
Distance means how far and Vector means in which direction. Distance Vector routing protocols pass periodic copies of routing table to neighbor routers and accumulate distance vectors. In distance vector routing protocols, routers discover the best path to destination from each neighbor. The routing updates proceed step by step from router to router.

CISCO CCNA Exam – Q199

Which command is used to display the collection of OSPF link states?

A. show ip ospf link-state
B. show ip ospf lsa database
C. show ip ospf neighbors
D. show ip ospf database

Correct Answer: D

Explanation:
The “show ip ospf database” command displays the link states. Here is an example:
Here is the lsa database on R2.
CISCO CCNA Exam – Q199