CISCO CCNA 200-301 Q120

As part of a new initiative to tighten the security of your Cisco devices, you have configured the firewall to restrict access to the devices from the outside.

What would be other recommended ways of protecting the integrity of the device configuration files on the devices while ensuring your continued ability to manage the devices remotely? (Choose all that apply.)

A. encrypt the configuration files
B. use SSH to connect to the devices for management
C. prevent the loss of administrator passwords by disabling their encryption
D. disable the VTY ports on the devices
E. use an encrypted password for VTY access

Correct Answer: B, E

Explanation:
You should use SSH to connect to the devices for management, and you should require an encrypted password for VTY access. Telnet transmits everything, including usernames and passwords, in clear text, whereas SSH encrypts the whole session. Encrypting the VTY password protects it from casual reading in the configuration file (for example, in backups or in show run output); protecting it in transit is the job of SSH, not of the password encryption.

Passwords used for access to the console, aux, or VTY lines can be encrypted if desired with the service password-encryption command; note that this produces a reversible "type 7" encoding, not a one-way hash. When the privileged-mode password is created with the enable password command, it is saved in clear text. When the enable secret command is used, however, the password is stored as a one-way hash.

If both types of password are configured, the system ignores the enable password and requires the enable secret. For example, if the set of commands shown below were executed, both types of password would exist for privileged EXEC (enable) access, but the system would require the password crisco rather than cisco. Also note that neither of those passwords is required for VTY access. That password is sisco, which is the password configured after entering line configuration mode for the VTY lines:

Router(config)# enable secret crisco
Router(config)# enable password cisco
Router(config)# line vty 0 4
Router(config-line)# password sisco

Although it is possible to encrypt the password in the configuration files, it is not possible to encrypt the rest of the files.

You should not disable the encryption of the passwords in the configuration files. Password encryption is a good security measure to take, and sloppy password management should not be a reason to change this practice.

You should not disable the VTY ports on the devices. This would certainly enhance security, but it would prevent you from managing the devices remotely.
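The explanation above relies on the difference between a reversible "type 7" line password and a hashed enable secret. The following is an added example, not code from the CCNA page or from Cisco: it implements the publicly known type 7 encoding so you can see that a "password 7" string in a saved configuration is recoverable in a few lines, which is why enable secret, local usernames with secret, and SSH carry the real protection. The config excerpt, the router names and the placeholder secret hash are constructed for the demonstration.

```python
# Added example (not from the CCNA page): shows why Cisco "type 7" strings
# produced by service password-encryption do not really protect a VTY or
# enable password stored in the configuration file. The XOR key below is the
# fixed, publicly known constant IOS uses for type 7 obfuscation.
from typing import Dict

XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from the <hex> part of 'password 7 <hex>'.

    Format: two decimal digits give a starting offset into XLAT_KEY, then one
    hex byte per character, each XORed with XLAT_KEY[(offset + i) % keylen].
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string needs an even length of at least 4")
    seed = int(encoded[:2])
    if seed >= len(XLAT_KEY):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Build the value IOS would write after 'password 7' (IOS uses seeds 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(ord(c) ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)] for i, c in enumerate(plaintext))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7_passwords(config: str) -> Dict[str, str]:
    """Find every 'password 7' line in a config excerpt and decode it.

    Returns {section: cleartext}, where section is the enclosing 'line ...'
    stanza, or 'global' for an enable password.
    """
    found: Dict[str, str] = {}
    section = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            section = line
        elif " password 7 " in f" {line}":
            found[section] = type7_decode(line.split()[-1])
    return found


# Constructed running-config excerpt for demonstration; the value after
# 'enable secret 5' is a placeholder, not a real digest.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$placeholderhash
enable password 7 094F471A1A0A
line vty 0 4
 password 7 {vty}
 transport input ssh
""".format(vty=type7_encode("sisco", seed=15))

if __name__ == "__main__":
    for section, clear in recover_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{section}: {clear}")
    # The enable secret line is untouched: a one-way hash cannot be decoded this way.
```

Running the script prints the enable password and the VTY line password in clear text while the enable secret stays opaque, which is the practical reason to pair service password-encryption with enable secret and username ... secret rather than treating type 7 as protection on its own.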

CISCO CCNA 200-301 Q119

You have implemented the following IP SLA configuration, as shown in the following partial output of the show run command:

ip sla 1
 dns cow.cisco.com name-server 10.52.128.30
ip sla schedule 1 start-time now

Which of the following statements is true of this configuration?

A. It will find the response time to resolve the DNS name cow.cisco.com
B. It will find the response time to connect to the DNS server at 10.52.128.30
C. It will start in one minute
D. It will gather data from one minute

Correct Answer: A

Explanation:
It will find the response time to resolve the DNS name cow.cisco.com. Domain Name System (DNS) response time is computed by calculating the difference between the time taken to send a DNS request and the time a reply is received. The Cisco IOS IP SLAs DNS operation queries for an IP address if the user specifies a hostname, or queries for a hostname if the user specifies an IP address.

It will not find the response time to connect to the DNS server at 10.52.128.30. That is the IP address of the DNS server being used for the operation (10.52.128.30). However, it will measure the response time to resolve the DNS name cow.cisco.com.

It will not start in one minute. It will start immediately, as indicated by the start-time now parameter.

It will not gather data for one minute. The numeral 1 in the ip sla line is the IP SLA operation number, and the numeral 1 in the schedule line refers to that same operation number. A duration would be set with the life keyword (in seconds) on the schedule command; when it is omitted, the default life is 3600 seconds.

CISCO CCNA 200-301 Q118

Router 5 has four interfaces. The networks hosted on each interface are as follows:

Fa0/1 192.168.5.4/29
Fa0/2 192.168.6.0/24
Fa0/3 192.168.7.0/24
S0/0 172.16.5.0/24

You execute the following commands on the router:

Router5(config)# router bgp 20
Router5(config-router)# network 192.168.5.0
Router5(config-router)# network 192.168.6.0
Router5(config-router)# network 192.168.7.0
Router5(config-router)# network 172.16.5.0
Router5(config-router)# neighbor 172.16.5.2 remote-as 50
Router5(config-router)# aggregate-address 192.168.5.0 255.255.252.0

After this command sequence is executed, what routes will be present in the routing table of the router at 172.16.5.2? (Choose all that apply.)

A. 192.168.5.4/29
B. 172.16.5.0/24
C. 192.168.6.0/24
D. 192.168.7.0/24
E. none of these will be present
F. only network addresses beginning with 192 will be present

Correct Answer: A, B, C, D

Explanation:
Despite the inclusion of the command aggregate-address 192.168.5.0 255.255.252.0, all subnets of the aggregate will also be advertised, because the summary-only keyword was omitted. Therefore, 192.168.5.4/29 (the 192.168.5.0/29 subnet), 172.16.5.0/24, 192.168.6.0/24 and 192.168.7.0/24 will be present, and so will the aggregate itself. Note that 192.168.5.0 with mask 255.255.252.0 lies inside the /22 block whose network address is 192.168.4.0; the aggregate covers 192.168.4.0 through 192.168.7.255.

Had the following command been executed, the more-specific 192.168.x.x subnets would be suppressed and would not appear in the routing table of the router at 172.16.5.2; only the aggregate would:

Router5(config-router)# aggregate-address 192.168.5.0 255.255.252.0 summary-only

Without summary-only, both the aggregate address and all of the 192.168.x.x subnets will be in the routing table.

The 172.16.5.0/24 network will be in the routing table of the router at 172.16.5.2 because it is directly connected to that router.

A caveat for practice on real equipment: a network command without a mask is treated classfully (network 192.168.5.0 means 192.168.5.0/24), and BGP only originates that prefix if a matching route exists in the local routing table, so the /29 would need network 192.168.5.0 mask 255.255.255.248 to be originated as the question assumes.
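To make the aggregate-address behaviour concrete, here is an added example (not code from the CCNA page or from Cisco) that models which prefixes Router5 would send to the neighbor with and without summary-only. It assumes every network statement injected its prefix into BGP, as the question does; it normalizes the page's 192.168.5.4/29 to its subnet 192.168.5.0/29 and the aggregate to its /22 block 192.168.4.0/22, since neither value as written is on a network boundary.

```python
# Added example (not from the CCNA page): models which prefixes a BGP speaker
# advertises to a neighbor when an aggregate-address is configured with and
# without summary-only. It assumes every network statement successfully
# injected its prefix into BGP, as the question does.
import ipaddress
from typing import Iterable, List


def advertised_prefixes(networks: Iterable[str], aggregate: str, summary_only: bool) -> List[str]:
    """Return the prefixes sent to the neighbor, as sorted strings.

    The aggregate is only generated when at least one more-specific route
    inside it exists; summary-only then suppresses those more-specifics.
    Prefixes outside the aggregate (here 172.16.5.0/24) are never affected.
    """
    # strict=False: 192.168.5.0/22 is not on a /22 boundary; its block is 192.168.4.0/22
    agg = ipaddress.ip_network(aggregate, strict=False)
    specifics = [ipaddress.ip_network(n, strict=False) for n in networks]
    covered = [n for n in specifics if n != agg and n.subnet_of(agg)]
    result = set(specifics)
    if covered:
        result.add(agg)
        if summary_only:
            result.difference_update(covered)
    return [str(n) for n in sorted(result)]


# Router5's networks from the question, plus the aggregate as typed.
ROUTER5_NETWORKS = ["192.168.5.4/29", "192.168.6.0/24", "192.168.7.0/24", "172.16.5.0/24"]
AGGREGATE = "192.168.5.0/22"   # = aggregate-address 192.168.5.0 255.255.252.0

if __name__ == "__main__":
    print("without summary-only:", advertised_prefixes(ROUTER5_NETWORKS, AGGREGATE, False))
    print("with summary-only:   ", advertised_prefixes(ROUTER5_NETWORKS, AGGREGATE, True))
```

The first call lists the aggregate alongside all three 192.168.x.x subnets and 172.16.5.0/24; the second keeps only the aggregate and 172.16.5.0/24, which is what the neighbor's routing table would show after summary-only is added.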

CISCO CCNA 200-301 Q117

You are troubleshooting a problem with two routers configured in an HSRP group. You intended to configure the routers so that Router A and Router B would each track their respective Fa0/1 interfaces and decrement their priorities for several VLAN groups if the tracked interface went down. However, you find that Router B is not taking over as the active device for the HSRP group on VLAN 101 when the Fa0/1 interface on Router A fails.

Which command would NOT be useful for discovering the problem?

A. show running-configuration
B. show vlans
C. show standby brief
D. show standby

Correct Answer: B

Explanation:
The show vlans command would NOT be useful for discovering the problem. When troubleshooting a problem with Hot Standby Router Protocol (HSRP), the show vlans command will yield no useful information.

All three of the remaining commands will be useful in discovering information. Each is shown below with an example of its application to troubleshooting.

Example A: show running-configuration

Router B is not taking over as the active device for VLAN 101's HSRP group when the Fa0/1 interface on Router A fails. Below is a partial output of show run for both routers, with the output focused on the section concerning VLAN 101's configuration on each.

The above output displays the source of the problem. Router A has a decrement value of 5 configured for Fa0/1, as shown on the last line of the output after the specification of FastEthernet 0/1. This means that when its Fa0/1 interface goes down, Router A will subtract 5 from its priority of 180 for the VLAN 101 group, lowering it to 175. This is still higher than the priority of Router B, which is 170. Therefore, the solution is to change the decrement value for Router A to at least 11. When the interface goes down, Router A's priority will then be decremented to 169, allowing Router B to take the active role for the HSRP group in VLAN 101. Note that Router B also needs standby 101 preempt configured: interface tracking only lowers the active router's priority, and a standby router without preemption does not take over merely because its priority has become the higher one.

Example B: show standby brief

Router C is not taking over as the active device for VLAN 102’s HSRP group when the Fa0/1 interface on Router D fails. Below is a partial output of show standby brief for both routers C and D, with the output focused on the section concerning VLAN 102’s configuration on each.
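The decrement arithmetic and the preempt condition from Example A can be checked mechanically. The following is an added example, not code from the CCNA page or from Cisco: it parses the standby lines of one HSRP group out of a show running-config excerpt, computes each router's effective priority when a tracked interface fails, and reports which router ends up active. The router names, VLAN interface, virtual IP and the two config excerpts are constructed to match the question (180 versus 170, decrement 5).

```python
# Added example (not from the CCNA page): parses the 'standby' lines of an
# HSRP group from a show running-config excerpt, computes each router's
# effective priority when tracked interfaces fail, and works out whether the
# standby router can preempt. Router names, priorities and the configs below
# are constructed for the scenario in the question (180 vs 170, decrement 5).
import re
from dataclasses import dataclass, field
from typing import Dict, Set

DEFAULT_PRIORITY = 100   # IOS default for 'standby <group> priority'
DEFAULT_DECREMENT = 10   # IOS default when 'decrement' is omitted from 'standby track'


@dataclass
class HsrpGroup:
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    tracks: Dict[str, int] = field(default_factory=dict)   # interface -> decrement


def parse_standby(config: str, group: int) -> HsrpGroup:
    """Extract priority, preempt and interface tracking for one HSRP group."""
    cfg = HsrpGroup()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(rf"standby {group} priority (\d+)", line)
        if m:
            cfg.priority = int(m.group(1))
            continue
        if re.fullmatch(rf"standby {group} preempt(?: .*)?", line):
            cfg.preempt = True
            continue
        m = re.fullmatch(rf"standby {group} track (\S+)(?: decrement (\d+))?", line)
        if m:
            cfg.tracks[m.group(1)] = int(m.group(2) or DEFAULT_DECREMENT)
    return cfg


def effective_priority(cfg: HsrpGroup, failed: Set[str]) -> int:
    """Priority after subtracting the decrement of every tracked interface that is down."""
    return cfg.priority - sum(dec for intf, dec in cfg.tracks.items() if intf in failed)


def active_after_failure(current_active: str, routers: Dict[str, HsrpGroup],
                         failed: Dict[str, Set[str]]) -> str:
    """Tracking only lowers priority; another router takes over only if it has
    preempt enabled and a strictly higher effective priority."""
    best = current_active
    best_prio = effective_priority(routers[current_active], failed.get(current_active, set()))
    for name, cfg in routers.items():
        if name == current_active or not cfg.preempt:
            continue
        prio = effective_priority(cfg, failed.get(name, set()))
        if prio > best_prio:
            best, best_prio = name, prio
    return best


def min_decrement_for_failover(active: HsrpGroup, standby: HsrpGroup) -> int:
    """Smallest decrement that drops the active router strictly below the standby."""
    return active.priority - standby.priority + 1


# Constructed configs matching the question: Router A's decrement is too small.
ROUTER_A = """\
interface Vlan101
 standby 101 ip 10.1.101.1
 standby 101 priority 180
 standby 101 preempt
 standby 101 track FastEthernet0/1 decrement 5
"""
ROUTER_B = """\
interface Vlan101
 standby 101 ip 10.1.101.1
 standby 101 priority 170
 standby 101 preempt
 standby 101 track FastEthernet0/1 decrement 5
"""

if __name__ == "__main__":
    routers = {"RouterA": parse_standby(ROUTER_A, 101), "RouterB": parse_standby(ROUTER_B, 101)}
    failed = {"RouterA": {"FastEthernet0/1"}}
    print("active with decrement 5:", active_after_failure("RouterA", routers, failed))
    print("decrement needed:", min_decrement_for_failover(routers["RouterA"], routers["RouterB"]))
```

With decrement 5 the script reports Router A still active at 175; raising the decrement to 11 drops it to 169 and Router B preempts, and removing Router B's preempt line shows that the higher priority alone is not enough for it to take over.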

CISCO CCNA 200-301 Q116

You set up several routers in your lab. Two of them are connected back to back using Data Terminal Equipment (DTE)-to-Data Circuit-terminating Equipment (DCE) cable. You need to configure the clock rate.

On which router would you configure the clock rate?

A. the DCE
B. the DTE
C. The clock rate is set by default
D. The clock rate cannot be configured

Correct Answer: A

Explanation:
The clock rate is set on the Data Circuit-terminating Equipment (DCE) device. DCE is also known as Data Communications Equipment.

DCE terminates a physical WAN connection and provides clocking and synchronization of a connection between two locations and connects to a DTE. The DCE category includes equipment such as CSU/DSUs and modems. If you were connecting a router to a WAN link, the router would be the DTE end and would be connected to a CSU/DSU or a modem. Either of these devices would provide the clocking.

DTE is an end-user device, such as a router or a PC that connects to the WAN via the DCE device.

The other options are incorrect. By default, no clock rate is configured; it is set on the DCE end of the cable with the clock rate bps command, for example clock rate 64000.

CISCO CCNA 200-301 Q115

Which statements are TRUE regarding Internet Protocol version 6 (IPv6) addresses? (Choose three.)

A. An IPv6 address is divided into eight 16-bit groups.
B. A double colon (::) can only be used once in a single IPv6 address.
C. IPv6 addresses are 196 bits in length.
D. Leading zeros cannot be omitted in an IPv6 address.
E. Groups with a value of 0 can be represented with a single 0 in IPv6 address.

Correct Answer: A, B, E

Explanation:
IPv6 addresses are divided into eight 16-bit groups, a double colon (::) can only be used once in an IPv6 address, and groups with a value of 0 can be represented with a single 0 in an IPv6 address.

The following statements are also true regarding IPv6 addresses:
– IPv6 addresses are 128 bits in length.
– The eight 16-bit groups are separated by colons (:).
– Leading zeros within a group can be omitted.
– One or more consecutive groups of all zeros can be replaced with a double colon (::), but only once per address, and a double colon represents only zeros.

The option stating that IPv6 addresses are 196 bits in length is incorrect. IPv6 addresses are 128 bits in length.

The option stating that leading zeros cannot be omitted in an IPv6 address is incorrect. Leading zeros can be omitted in an IPv6 address.
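The rules above (eight groups, optional leading zeros, a single :: standing for one or more zero groups) are easy to state and easy to get subtly wrong when writing or validating addresses. The following is an added example, not code from the CCNA page: it expands any textual IPv6 address to its eight 4-digit groups, rejects a second ::, and produces the canonical compressed form per RFC 5952 (longest zero run becomes ::, the leftmost on a tie, and a single zero group stays as 0). It goes slightly beyond the page by encoding the tie-break rule, which the explanation does not mention.

```python
# Added example (not from the CCNA page): implements the IPv6 text rules the
# explanation lists: eight 16-bit groups, leading zeros optional, one '::'
# standing for one or more all-zero groups. compress_ipv6 follows RFC 5952
# (longest zero run wins, leftmost on a tie, never '::' for a single group).
from typing import List

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> List[str]:
    """Return the eight 4-digit hex groups, or raise ValueError if malformed."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + ["0"] * missing + rg
    else:
        groups = addr.split(":")
        if len(groups) != 8:
            raise ValueError("an uncompressed address needs exactly eight groups")
    expanded = []
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX_DIGITS:
            raise ValueError(f"bad group {g!r}")
        expanded.append(g.lower().zfill(4))
    return expanded


def compress_ipv6(addr: str) -> str:
    """Shortest RFC 5952 text form: leading zeros dropped, longest zero run as '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer: leftmost run wins a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                  # a lone zero group stays as '0'
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def is_valid_ipv6(addr: str) -> bool:
    """True if the text obeys the grouping rules above (no zone IDs or prefixes)."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ["2001:0db8:0000:0000:0000:ff00:0042:8329", "2001:db8:0:0:1:0:0:1", "::1"]:
        print(sample, "->", compress_ipv6(sample))
    print("1::2::3 valid?", is_valid_ipv6("1::2::3"))
```

The validator is deliberately strict about the grouping rules alone; it does not accept zone identifiers (%eth0) or prefix lengths, which belong to a separate syntax.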

CISCO CCNA 200-301 Q114

A new switch is added to the network, and several production VLANs are shut down. Which of the following is a probable cause for this scenario? (Choose two.)

A. The new switch has a lower configuration revision number than existing switches.
B. The new switch has a higher configuration revision number than existing switches.
C. The new switch is operating in transparent mode.
D. The new switch is operating in server mode.

Correct Answer: B, D

Explanation:
The VLAN database of the new switch will overwrite the VLAN databases of the production switches because it is operating in server mode and has a higher VLAN configuration revision number. The VLAN Trunking Protocol (VTP) is used to synchronize VLANs between different switches. The VTP configuration revision number is used to determine which VTP switch has the most current version of the VLAN database, and is incremented whenever a VLAN change is made on a VTP server switch. Note that a switch in client mode with a higher revision number will also propagate its database, so the safe practice is to put a new switch in transparent mode, or reset its revision number to 0 by changing its VTP domain name, before connecting it to the production network.

CISCO CCNA 200-301 Q113

The execution of the show interfaces command yields the following as a part of its output:

Ethernet 0/0 is up, line protocol is down

Which of the following can be determined from this output?

A. the link is not functional due to a Data Link layer issue
B. the link is fully functional
C. the link is not functional due to a Physical layer issue
D. the link is not functional due to both a Physical layer and a Data Link layer issue

Correct Answer: A

Explanation:
The command output excerpt indicates that the link is not functional due to a Data Link layer (or “line protocol”) issue, while the Physical layer (Layer 1) is operational. The first (left) column indicates the Physical layer state of the interface, while the second (right) column indicates the Data Link layer state of the interface.

The link is not fully functional. Were it fully functional, the command output would be:

Ethernet0/0 is up, line protocol is up

The link is not suffering a Physical layer issue or a combination of Physical layer and Layer 2 (Data Link) layer issues. Were either the case, the output would be:

Ethernet 0/0 is down, line protocol is down

Note: if a Physical layer issue exists, there will also be a Data Link issue, since the Data Link layer depends on the Physical layer to provide connectivity.

CISCO CCNA 200-301 Q112

You have a Telnet session established with a switch from a router. You would like to maintain that connection while you return to the session with the router, and then easily return to the switch session after connecting to the router.

What command should you use?

A. <Ctrl-Shift-6>x
B. resume
C. suspend
D. <Ctrl-Shift-6>shift

Correct Answer: A

Explanation:
After typing the Ctrl-Shift-6 sequence, you tap the x key and return to the previous session, which in this case was the session with the router. The Telnet session to the switch is suspended, not closed. Below is the full sequence of commands described in this item:

Router1#telnet 192.168.3.3
Trying 192.168.3.3 ... Open
User Access Verification
Password:
Switch2><Ctrl-Shift-6>x
Router1#

When you want to return to the session with the switch, use the resume command as shown below. With several suspended sessions, show sessions lists them and resume takes the session number as an argument:

Router1#resume
Switch2>

Neither suspend nor <Ctrl-Shift-6>shift is a valid command.

CISCO CCNA 200-301 Q111

Which of the following situations could cause a switch to enter initial configuration mode upon booting?

A. Corrupt or missing image file in flash memory
B. Corrupt or missing configuration file in NVRAM memory
C. Corrupt or missing configuration file in flash memory
D. Corrupt or missing configuration file in ROM memory

Correct Answer: B

Explanation:
A missing or corrupt file in the switch’s Non Volatile Random Access Memory (NVRAM) can cause the switch to enter initial configuration mode upon booting. When a Cisco switch boots up and finds no configuration file in NVRAM, it goes into initial configuration mode and prompts the user to enter basic configuration information to make the switch operational. The initial configuration mode of a switch is similar to the initial configuration mode of a router, but the configuration parameters are different.

A corrupt or missing image file in flash, or a corrupt or missing configuration file in flash or ROM memory, would not cause a switch to enter initial configuration mode upon booting. The IOS image file is stored in flash, and if it is corrupt or missing, the switch goes into ROMMON mode, in which the limited bootstrap program from ROM is loaded into RAM.