CISCO CCNA 200-301 Q160

What Cisco Catalyst switch feature can be used to define ports as trusted for DHCP server connections?

A. DHCP snooping
B. port security
C. 802.1x
D. private VLANs

Correct Answer: A

Explanation:
DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP spoofing is an attack that can be used to force user traffic through an attacking device. This is accomplished by an attacker responding to DHCP queries from users. Eliminating the response from the correct DHCP server would make this more effective, but if the attacker’s response gets to the client first, the client will accept it.

The DHCP response from the attacker will include a different gateway or DNS server address. If they define a different gateway, the user traffic will be forced to travel through a device controlled by the attacker. This will allow the attacker to capture traffic and gain company information. If the attacker changes the DNS server in the response, they can use their own DNS server to force traffic to selected hosts to go to a device they control. Again, this would allow the attacker to capture traffic and gain information.

DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK, from the company DHCP server. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.

The three required steps to implement DHCP snooping are:
1. Enable DHCP snooping globally with the ip dhcp snooping command:
switch(config)# ip dhcp snooping
2. Enable DHCP snooping for one or more VLANs with the vlan parameter:
switch(config)# ip dhcp snooping vlan vlan-id
(for example, ip dhcp snooping vlan 10,12 specifies snooping on VLANs 10 and 12)
3. Define an interface as a trusted DHCP port with the trust parameter:
switch(config-if)# ip dhcp snooping trust

When specifying trusted ports, access ports on edge switches should be configured as untrusted, with the exception of any ports that may have company DHCP servers connected. Only ports where DHCP traffic is expected should be trusted. Most certainly, ports in any area of the network where attacks have been detected should be configured as untrusted.
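As an added example (not from the original page), the following Python audit reads a constructed Catalyst running-config and checks the three steps above: that snooping is enabled globally, which VLANs are covered (expanding the comma, hyphen and "start end" forms of the vlan parameter), and which interfaces are trusted, flagging any access port that carries ip dhcp snooping trust. The sample configuration and function names are assumptions for illustration.

```python
# Constructed sample running-config (not from a real switch): a trunk uplink that is correctly trusted, and an access port where trust was left on by mistake.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,12
ip dhcp snooping vlan 20-22
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
"""

def expand_vlans(spec):
    """'10,12' -> {10, 12}; '20-22' -> {20, 21, 22}; '10 12' (start end) -> {10, 11, 12}."""
    parts = spec.split()
    if len(parts) == 2 and all(p.isdigit() for p in parts):  # Catalyst "start end" form
        return set(range(int(parts[0]), int(parts[1]) + 1))
    vlans = set()
    for item in "".join(parts).split(","):
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def interface_blocks(config):
    """Map each interface name to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or another global command ends the block
    return blocks

def audit_dhcp_snooping(config):
    top = [ln for ln in config.splitlines() if not ln.startswith(" ")]
    vlans = set()
    for line in top:
        if line.startswith("ip dhcp snooping vlan "):
            vlans |= expand_vlans(line[len("ip dhcp snooping vlan "):])
    trusted, trusted_access = [], []
    for name, cmds in interface_blocks(config).items():
        if "ip dhcp snooping trust" in cmds:
            trusted.append(name)
            if "switchport mode access" in cmds:  # edge port: should be untrusted
                trusted_access.append(name)
    return {"enabled": "ip dhcp snooping" in top, "vlans": sorted(vlans),
            "trusted": trusted, "trusted_access_ports": trusted_access}
```

Running audit_dhcp_snooping(SAMPLE_CONFIG) reports GigabitEthernet1/0/5 under trusted_access_ports, the case the guidance above says should not exist on an edge switch.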

Some additional parameters that can be used with the ip dhcp snooping command are:
switch(config)# ip dhcp snooping verify mac-address – this command enables DHCP MAC address verification.
switch(config)# ip dhcp snooping information option allow-untrusted – this command enables untrusted ports to accept incoming DHCP packets with option 82 information. DHCP option 82 is used to identify the location of a DHCP relay agent operating on a subnet remote to the DHCP server.

When DHCP snooping is enabled, no other relay agent-related commands are available. The disabled commands include:

– ip dhcp relay information check (global configuration)
– ip dhcp relay information policy (global configuration)
– ip dhcp relay information trust-all (global configuration)
– ip dhcp relay information option (global configuration)
– ip dhcp relay information trusted (interface configuration)

Private VLANs are a method of protecting or isolating different devices on the same port and VLAN. A VLAN can be divided into private VLANs, where some devices are able to access other devices and some are completely isolated from others. This was designed so service providers could keep customers on the same port isolated from each other, even if the customers had the same Layer 3 networks.

Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but not to limit which ports can have DHCP servers connected to them.

802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting who can connect to the switch, but it cannot control which ports are permitted to have a DHCP server attached to it.

CISCO CCNA 200-301 Q159

You execute the ping command from a host, but the router does not have a path to its destination. Which of the following ICMP message types will a client receive from the router?

A. ICMP redirect
B. ICMP time exceeded
C. ICMP destination unreachable
D. ICMP echo-reply

Correct Answer: C

Explanation:
When a router receives a ping packet and has no route to the destination in its routing table, it will respond to the client with an ICMP destination-unreachable message. Internet Control Message Protocol (ICMP) is a Layer 3 protocol used to test the connectivity between hosts in a network.

There are six types of unreachable destination message:
1. Network unreachable
2. Host unreachable
3. Protocol unreachable
4. Port unreachable
5. Fragmentation needed and Don’t Fragment (DF) bit set
6. Source route failed

An ICMP redirect message would not be received. This type of response is received when the router is configured to direct clients to a different router for better routing.

An ICMP time-exceeded message would not be received. This type of response occurs when the router successfully sent the packet but did not receive an answer within the allotted time; in other words, the time-to-live of the ICMP packet has been exceeded.

An ICMP echo-reply message would not be received. This would be the response received if the destination received the ping command and responded successfully.

CISCO CCNA 200-301 Q158

Examine the partial output from two adjacent routers:


Which of the following statements describes why the two routers are NOT forming an OSPF neighbor adjacency?

A. The process IDs do not match
B. The router IDs are misconfigured
C. The distance is misconfigured
D. The reference bandwidth does not match

Correct Answer: B

Explanation:
The output shows that the router IDs for RTR78 and RTR79 are the same value, which should not be the case. One of the two routers has been misconfigured with the other router’s ID. This will prevent an OSPF neighbor adjacency from forming.

Other issues that can prevent an adjacency are:
– Mismatched OSPF area number
– Mismatched OSPF area type
– Mismatched subnet and subnet mask
– Mismatched OSPF HELLO and dead timer values

The process IDs do not have to match. It does not matter whether they match or do not match because the process ID is only locally significant on the device.

The administrative distance is not misconfigured in the output. Both routers are using the default OSPF administrative distance of 110.

If the reference bandwidths do not match, it will affect the calculation of the path cost, but it will not prevent an adjacency from forming.

CISCO CCNA 200-301 Q157

Which of the following is NOT a characteristic of Open Shortest Path First (OSPF)?

A. Is a Cisco-proprietary routing protocol
B. Has a default administrative distance of 110
C. Supports authentication
D. Uses cost as the default metric

Correct Answer: A

Explanation:
OSPF is not a Cisco-proprietary routing protocol. It is an industry standard protocol supported by a wide range of vendors.

The following are characteristics of OSPF:
– Uses Internet Protocol (IP) protocol 89.
– Has a default administrative distance of 110.
– Is an industry standard protocol (non Cisco-proprietary).
– Supports Non-Broadcast Multi-Access (NBMA) networks such as frame relay, X.25, and Asynchronous Transfer Mode (ATM). The default hello interval for NBMA networks is 30 seconds.
– Supports point-to-point and point-to-multipoint connections.
– Supports authentication.
– Uses 224.0.0.6 as multicast address for ALLDRouters.
– Uses 224.0.0.5 as multicast address for ALLSPFRouters.
– Uses link-state updates and SPF calculation that provides fast convergence.
– Recommended for large networks due to good scalability.
– Uses cost as the default metric.

CISCO CCNA 200-301 Q156

You have a router that is not syncing with its configured time source. Which of the following is NOT a potential reason for this problem?

A. The reported stratum of the time source is 12
B. The IP address configured for the time source is incorrect
C. NTP authentication is failing
D. There is an access list that blocks port 123

Correct Answer: A

Explanation:
A reported stratum of 12 will not cause a router’s inability to synchronize with its configured time source. The stratum value describes the device’s distance from the clock source, measured in NTP server hops. When a router reports a stratum value over 15, it is considered unsynchronized. Therefore, a report of 12 could be normal.

The other options describe potential reasons for a lack of synchronization.

When you are configuring the local router with a time source, if the IP address configured for the time source is incorrect, then no synchronization will occur.

If NTP authentication is configured between the local router and its time source, and that process is failing (for example, due to a non-matching key or hashing algorithm), then synchronization will not occur.

If there were an access list applied to any interface in the path between the local router and its time source that blocks port 123 (the port used for NTP), then synchronization will not occur.

CISCO CCNA 200-301 Q155

Which Cisco IOS command allows you to change the setting of the configuration register?

A. boot config
B. configuration-register edit
C. config-register
D. edit configuration-register

Correct Answer: C

Explanation:
The config-register command is used to change the setting of the configuration register. The configuration register has the boot field setting, which specifies the order in which the router should look for bootstrap information. The router contains a 16-bit software register, which is stored in the non-volatile random access memory (NVRAM). The config-register command is used to modify the default configuration register. The most common use of changing this register is to instruct the router to ignore the stored configuration file and boot as a new router with no configuration. This process is normally used when a router has a password that is not known and must be reset. For security purposes, this procedure can only be performed from the console connection, which means it requires physical access to the router.

Normally the setting of this register is 0x2102, which tells the router to look for a configuration file. If the file exists, it will use it. If none exists, the router will boot into ROM and present the user with a menu-based setup. This would be the default behavior for a new router as well.

The boot config command is incorrect because this command is used to set the device where the configuration file is located (flash, slot, etc.) and file name for the configuration file, which helps the router to configure itself during startup.

The configuration-register edit command and the edit configuration-register commands are incorrect because they are not valid Cisco IOS

CISCO CCNA 200-301 Q154

Which Cisco Internetwork Operating System (IOS) command can be used to configure the location of the configuration file?

A. boot buffersize
B. configure
C. boot config
D. service config

Correct Answer: C

Explanation:
The boot config command will configure the location of the configuration file. It must be followed by the copy run start command to be effective at next reboot. The syntax of the command is as follows:

boot config device:filename

The parameters of the command are as follows:
– device: Specifies the device that contains the configuration file.
– filename: Specifies the name of the configuration file.

The boot buffersize command is incorrect because this command is used to modify the buffer size used to load the IOS image. Moreover, this command no longer functions in IOS 12.4.

The configure command is incorrect because this command is used to enter the global configuration mode.
The service config command is incorrect because this command is used to enable autoloading of configuration files from a network server.

CISCO CCNA 200-301 Q153

Refer to the following configuration on a Cisco router to allow Telnet access to remote users:

Router(config)#line vty 0 2
Router(config-line)#login
Router(config-line)#password guest

How many users can Telnet into this router at the same time?

A. 0
B. 1
C. 2
D. 3
E. 5

Correct Answer: D

Explanation:
The given configuration will allow three users to Telnet into the router at the same time. The line vty 0 2 command specifies a range from 0 to 2; therefore, three simultaneous Telnet sessions are allowed on this Cisco router. The commands in the exhibit can be explained as follows:

Router(config)#line vty 0 2 (determines which of the five possible terminal lines are being configured. In this case, they are lines 0 through 2. It also determines the number of lines available, in that any line with no password configured will be unusable.)

Router(config-line)#login (specifies that a password will be required)

Router(config-line)#password guest (specifies the password)

The default configuration allows five simultaneous Telnet sessions on the Cisco router. For the default configuration, you would issue the line vty 0 4 command in global configuration mode.

You must configure a password when enabling a router for Telnet access. Without a password, the login access to the router will be disabled and you will receive the following error message if you try to Telnet to the router:

router# telnet 10.10.10.1
Trying 10.10.10.1 ... Open
Password required, but none set
[Connection to 10.10.10.1 closed by foreign host]

CISCO CCNA 200-301 Q152

Which of the following are characteristics of Enhanced Interior Gateway Routing Protocol (EIGRP)? (Choose all that apply.)

A. Requires a hierarchical physical topology
B. Does not require a hierarchical physical topology
C. Uses Diffusing Update Algorithm (DUAL) to provide loop prevention
D. Uses Bellman-Ford algorithm to provide loop prevention
E. Supports Message-Digest Algorithm 5 (MD5) authentication
F. Does not support Message-Digest Algorithm 5 (MD5) authentication
G. Can differentiate between internal and external routes
H. Uses a 32-bit metric

Correct Answer: B, C, E, G, H

Explanation:
EIGRP does not require a hierarchical physical topology. It uses Diffusing Update Algorithm (DUAL) to provide loop prevention, and it supports Message-Digest Algorithm 5 (MD5) authentication. It can differentiate between internal and external routes, and uses a 32-bit metric.

EIGRP is a classless protocol that allows the use of variable length subnet masks (VLSM) and supports classless interdomain routing (CIDR) for allocation of IP addresses. The following are characteristics of EIGRP:

– Supports large networks due to high scalability
– Provides fast convergence using the Diffusing Update Algorithm (DUAL)
– Performs equal and unequal load balancing by default
– Supports variable length subnet masks (VLSM) and classless interdomain routing (CIDR)
– Is a hybrid routing protocol (distance-vector protocol) that also provides link-state protocol characteristics
– Is a classless protocol
– Sends partial route updates only when there are changes, reducing bandwidth usage for routing updates
– Has an administrative distance of 90 for EIGRP internal routes, 170 for EIGRP external routes, and 5 for EIGRP summary routes
– Is used only with Cisco platforms
– Provides support for IP, IPX and AppleTalk protocols
– Can differentiate between internal and external routes
– Uses a 32-bit metric

EIGRP can load-balance up to four unequal cost paths. To do so, use the variance n command to instruct the router to include routes with a metric of less than n times the minimum metric route for that destination. The variable n can take a value between 1 and 128. The default is 1, which means equal cost load balancing.

The option stating that EIGRP requires a hierarchical physical topology is incorrect because EIGRP does not require or support a hierarchical routing topology. The option stating that EIGRP uses Bellman-Ford algorithm to provide loop prevention is incorrect. EIGRP uses DUAL to provide loop prevention.

CISCO CCNA 200-301 Q151

You have implemented SNMP v3 in your network. After making the configuration changes, you find that technicians in the TECHS group cannot access the MIB. You execute the show run command and receive the following output that relates to SNMP:


What is preventing the TECHS group from viewing the MIB?

A. The presence of the keyword priv in the command creating the RESTRICTED group
B. A mismatch between the authentication mechanism and the encryption type in the command creating the TECHS user
C. The absence of an access list defining the stations that can be used by the TECHS group
D. The presence of the keyword auth in the command creating the TECHS user

Correct Answer: C

Explanation:
The command that creates the TECHS group ends with the parameter access 99:

snmp-server group TECHS v3 priv read TECHS access 99

This indicates that the access list number 99 is specifying the IP addresses of the stations allowed to connect to the MIB for the group. Since the access list is missing from the configuration, no IP addresses will be allowed, and no connections can be made by the group.

The presence of the keyword priv in the command creating the TECHS group is not causing the issue. This keyword indicates that encryption (privacy) and authentication should both be used on all transmissions by the group.

In SNMPv3, there are three combinations of security that can be used:
– noAuthNoPriv – no authentication and no encryption; includes the noauth keyword in the configuration
– AuthNoPriv – messages are authenticated but not encrypted; includes the auth keyword in the configuration
– AuthPriv – messages are authenticated and encrypted; includes the priv keyword in the configuration

There is no mismatch between the authentication mechanism and the encryption type in the command creating the TECHS user.

snmp-server user TECHS TECHS v3 auth sha CISCO priv des56 CISCO

In the preceding command, the section auth sha CISCO specifies that messages are authenticated using SHA with a key of CISCO. It does not need to match the section priv des56 CISCO, which indicates that encryption (priv) will be provided using DES56 with a key of CISCO.

The presence of the keyword auth in the command creating the TECHS user is not causing the issue. This line indicates that messages are authenticated using SHA with a key of CISCO.
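As an added example (not the page's exhibit or code), the following Python check applies the two points of this explanation to a constructed SNMP configuration: a v3 group whose access keyword names an access list that is never defined (the TECHS case above) and, going one step beyond the text, a user whose security level is lower than the level its group was created with, which SNMPv3 also rejects. The sample lines, the MONITOR group, the users alice and bob, and the function names are assumptions for illustration.

```python
# Constructed sample (not the page's exhibit): TECHS mirrors the commands in the
# explanation and references access-list 99, which is never defined; MONITOR is correct.
SAMPLE_SNMP = """\
snmp-server group TECHS v3 priv read TECHS access 99
snmp-server user TECHS TECHS v3 auth sha CISCO priv des56 CISCO
snmp-server user alice TECHS v3 auth sha CISCO
snmp-server group MONITOR v3 auth read MONITOR access 98
snmp-server user bob MONITOR v3 auth sha CISCO
access-list 98 permit 10.1.1.0 0.0.0.255
"""

LEVELS = {"noauth": 0, "auth": 1, "priv": 2}  # SNMPv3 security levels, lowest first

def parse_snmp(config):
    """Collect v3 groups, v3 users and numbered access lists from a config."""
    groups, users, acls = {}, {}, set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["snmp-server", "group"] and "v3" in tok:
            acl = tok[tok.index("access") + 1] if "access" in tok else None
            groups[tok[2]] = {"level": tok[tok.index("v3") + 1], "acl": acl}
        elif tok[:2] == ["snmp-server", "user"] and "v3" in tok:
            level = "priv" if "priv" in tok else "auth" if "auth" in tok else "noauth"
            users[tok[2]] = {"group": tok[3], "level": level}
        elif tok[:1] == ["access-list"]:  # numbered ACLs only, as on this page
            acls.add(tok[1])
    return groups, users, acls

def find_snmp_problems(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    groups, users, acls = parse_snmp(config)
    problems = []
    for name, g in groups.items():
        if g["acl"] and g["acl"] not in acls:
            problems.append(f"group {name}: access-list {g['acl']} is referenced but "
                            "not defined, so no station is permitted")
    for name, u in users.items():
        g = groups.get(u["group"])
        if g is None:
            problems.append(f"user {name}: group {u['group']} does not exist")
        elif LEVELS[u["level"]] < LEVELS[g["level"]]:
            problems.append(f"user {name}: level {u['level']} is below group "
                            f"{u['group']} level {g['level']}, requests will be rejected")
    return problems
```

Adding a line such as access-list 99 permit 10.1.1.5 to the sample clears the TECHS finding, leaving only the level mismatch for alice.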