CISCO CCNA 200-301 Q140

Your assistant has been assigned the task of configuring one end of a WAN link between two offices. The link is a serial connection and the router on the other end is a non-Cisco router. The router in the other office has an IP address of 192.168.8.6/24. The connection will not come up, so you ask your assistant to show you the commands he configured on the Cisco router. The commands he executed are shown below.

Ciscorouter(config)# interface serial0/0
Ciscorouter(config-if)# ip address 192.168.8.5 255.255.255.0
Ciscorouter(config-if)# no shut

What command(s) should he run to correct the configuration?

A.
Ciscorouter(config-if)# no ip address 192.168.8.5
Ciscorouter(config-if)# ip address 192.168.8.10

B. Ciscorouter(config-if)# encapsulation ppp

C. Ciscorouter(config-if)# encapsulation ansi

D. Ciscorouter(config-if)# authentication chap

Correct Answer: B

Explanation:
There are three encapsulation types available for a serial connection: High-Level Data Link Control (HDLC), Point-to-Point Protocol (PPP), and Frame Relay.

HDLC is the default on Cisco routers and the form of HDLC used on a Cisco router is incompatible with routers from other vendors. Since the encapsulation command was not run, the router is set for HDLC. To correct this, you should execute the encapsulation ppp command. Frame Relay could also be used if the other router were running Frame Relay, since it also is an industry standard.

The IP address does not need to be changed. It is currently set for 192.168.8.5/24. This is correct since it is in the same subnet as the IP address of the other end, 192.168.8.6/24.

The command authentication chap should not be run because the scenario does not indicate that authentication is configured on the other end. If it is set on one end, it must be set on the other as well.

The command encapsulation ansi should not be run because ANSI is not an encapsulation type. It is an LMI type used in Frame Relay. The three LMI options available are Cisco, ANSI, and ITU.

CISCO CCNA 200-301 Q139

Which is the valid IP address range that can be assigned to hosts on the subnet that includes the address 172.16.4.6/23?

A. 172.16.2.1 – 172.16.4.254
B. 172.16.3.1 – 172.16.5.254
C. 172.16.4.1 – 172.16.5.254
D. 172.16.4.1 – 172.16.4.254

Correct Answer: C

Explanation:
172.16.4.1 – 172.16.5.254 is the valid IP address range that can be assigned to hosts on the subnet that includes the address 172.16.4.6/23.

To determine the range of addresses that can be assigned in a subnet, you must first determine the network ID and broadcast address of the subnetwork. All addresses that can be assigned to hosts will lie between these two endpoints. The network ID can be obtained by determining the interval between subnet IDs. With a 23-bit mask, the decimal equivalent of the mask will be 255.255.254.0. The interval between subnets can be derived by subtracting the value of the last octet of the mask from 256. In this case that operation would be 256 – 254. Therefore, the interval is 2, and it is applied in the third octet where the subnet mask ends.

The first network ID will always be the classful network you started with (in this case 172.16.0.0). Then each subnetwork ID will fall at 16-bit intervals as follows:
172.16.0.0
172.16.2.0
172.16.4.0
172.16.6.0

At 172.16.6.0 we can stop because the address that we are given in the scenario, 172.16.4.6, is in the network with a subnet ID of 172.16.4.0. Therefore, since the broadcast address for this network will be 1 less than the next subnet ID, or 172.16.5.255, the valid range is 172.16.4.1 – 172.16.5.254.

All the other options are incorrect because these are not valid IP address ranges for this

CISCO CCNA 200-301 Q138

You are working with an Internet Service Provider (ISP) as network manager. A corporate client approaches you to lease a public IP subnet that can accommodate 250 users. You have assigned him the 192.25.27.0 subnet.

What subnet mask should be assigned to this IP address so that it can accommodate the number of users required by the corporate client?

A. 255.255.255.0
B. 255.255.255.128
C. 255.255.255.224
D. 255.255.255.252

Correct Answer: A

Explanation:
The 192.25.27.0 subnet should be assigned the subnet mask of 255.255.255.0 to accommodate 250 users. This subnet mask can accommodate a maximum of 254 hosts. The number of hosts that can reside on a subnet can be calculated using the formula 2^n – 2 = x, where n is equal to the number of host bits in the mask and x is the resulting number of hosts. 2 is subtracted from the result to represent the two addresses, the network ID and the broadcast address, that cannot be assigned to computers in the subnet. Since the 255.255.255.0 mask leaves 8 bits at the end of the mask, the formula will be 2^8 – 2, which is 256 – 2, which equals 254.

In situations where the same subnet mask must be used for multiple interfaces on a router, the subnet mask that is chosen must provide capacity sufficient for the largest number of hosts on any single interface while also providing the required number of subnets. For example, in the diagram below, the three interfaces on the router R2 have 16, 32 and 58 users respectively on each interface:


If each interface must have the same subnet mask, the subnet mask would need to be one that yields at least 58 addresses to support the interface with the highest host count and yields at least 3 subnets as well.

If the chosen classful network were 128.107.4.0/24, the correct mask would be 255.255.255.192. Since the mask is currently 255.255.255.0 (/24), by borrowing 2 bits to /26 or 255.255.255.192, we will get 4 subnets (2^2 = 4) and each subnet will yield 62 hosts (2^6 – 2 = 62).

With a subnet mask of 255.255.255.128, the 192.25.27.0 subnet can accommodate only 126 hosts. The mask 255.255.255.128 leaves 7 host bits in the mask and when we plug that into the formula we get 2^7 – 2, which equals 126.

With a subnet mask of 255.255.255.224, the 192.25.27.0 subnet can accommodate only 30 hosts. The mask 255.255.255.224 leaves 5 host bits in the mask and when we plug that into the formula we get 2^5 – 2, which equals 30.

With a subnet mask of 255.255.255.252, the IP address 192.25.27.24 can accommodate only two hosts. The mask 255.255.255.252 leaves 2 host bits in the mask and when we plug that into the formula we get 2^2 – 2, which equals 2.
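The interval method from Q139 and the 2^n – 2 sizing rule from Q138, worked through in code. This is an added example, not part of the original question bank; it generalizes the method to any prefix from /0 to /30, and the function names are illustrative.

```python
import ipaddress

def dotted(octets):
    return ".".join(str(o) for o in octets)

def mask_octets(prefix):
    """Dotted-decimal mask for a prefix length, as a list of four octets."""
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return [(bits >> shift) & 0xFF for shift in (24, 16, 8, 0)]

def host_range(address, prefix):
    """Network ID, usable host range and broadcast via the interval method."""
    if not 0 <= prefix <= 30:
        raise ValueError("prefix must be 0-30 (a /31 or /32 has no usable range)")
    addr = [int(o) for o in address.split(".")]
    mask = mask_octets(prefix)
    # The octet where the mask ends is the first one that is not 255.
    idx = next(i for i, m in enumerate(mask) if m != 255)
    interval = 256 - mask[idx]              # e.g. 256 - 254 = 2 for a /23
    net = addr[:idx] + [addr[idx] - addr[idx] % interval] + [0] * (3 - idx)
    # Broadcast is one less than the next subnet ID.
    bcast = net[:idx] + [net[idx] + interval - 1] + [255] * (3 - idx)
    return {
        "network": dotted(net),
        "first": dotted(net[:3] + [net[3] + 1]),
        "last": dotted(bcast[:3] + [bcast[3] - 1]),
        "broadcast": dotted(bcast),
    }

def smallest_mask(hosts_needed):
    """Longest prefix whose 2^n - 2 usable addresses cover hosts_needed."""
    for host_bits in range(2, 33):
        usable = 2 ** host_bits - 2
        if usable >= hosts_needed:
            prefix = 32 - host_bits
            return prefix, dotted(mask_octets(prefix)), usable
    raise ValueError("too many hosts for IPv4")

def matches_stdlib(address, prefix):
    """Cross-check the manual method against Python's ipaddress module."""
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    r = host_range(address, prefix)
    return (r["network"], r["broadcast"]) == (
        str(net.network_address), str(net.broadcast_address))

if __name__ == "__main__":
    print(host_range("172.16.4.6", 23))
    print(smallest_mask(250), smallest_mask(58))
```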

CISCO CCNA 200-301 Q137

Which two features do Cisco routers offer to mitigate distributed denial-of-service (DDoS) attacks? (Choose two.)

A. Anti-DDoS guard
B. Scatter tracing
C. Access control lists (ACLs)
D. Flow control
E. Rate limiting

Correct Answer: C, E

Explanation:
Cisco routers use access control lists (ACLs) and blackholing features to help mitigate distributed denial-of-service (DDoS) attacks. A DoS attack is an attack in which legitimate users are denied access to networks, systems, or resources. One of the most common DoS attacks is the DDoS attack, which is executed by using multiple hosts to flood the network or send requests to a resource. The difference between DoS and DDoS is that in a DoS attack, an attacker uses a single host to send multiple requests, whereas in DDoS attacks, multiple hosts are used to perform the same task.

Cisco routers offer the following features to mitigate DDoS attacks:

– ACLs: Filter unwanted traffic, such as traffic that spoofs company addresses or is aimed at Windows control ports. However, an ACL is not effective when network address translation (NAT) is implemented in the network.
– Rate limiting: Minimizes and controls the rate of bandwidth used by incoming traffic.
– Traffic-flow reporting: Creates a baseline for the network that is compared with the network traffic flow, helping you detect any intrusive network or host activity.

Apart from these features offered by Cisco routers, the following methods can also be used to mitigate DDoS attacks:

– Using a firewall, you can block or permit traffic entering a network.
– The systems vulnerable to attacks can be shifted to another location or a more secure LAN.
– Intrusion Detection Systems (IDS), such as Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS), can be implemented to detect intrusive network or host activity such as a DoS attack, and raise alerts when any such activity is detected.

Anti-DDoS guard and scatter tracing are incorrect because these features are not offered by Cisco routers to mitigate DDoS attacks.

Flow control is incorrect because flow control is used to prevent the loss of traffic between two devices.

CISCO CCNA 200-301 Q136

Which Internet Control Message Protocol (ICMP) message is sent by a host in the network to test connectivity with another host?

A. ICMP redirect message
B. ICMP echo-request message
C. ICMP time-exceeded message
D. ICMP destination-unreachable message

Correct Answer: B

Explanation:
An ICMP echo-request message is sent by a host in the network to test connectivity with another host. An ICMP echo-request message is generated by the ping command. ICMP is a network-layer protocol that uses packets for reporting informational messages. When a host receives an echo-request (a ping), it responds by sending back an echo-reply message.

An ICMP redirect message is sent to the source host by the router to make the routing process more efficient.

An ICMP time-exceeded message indicates that the Time-to-Live (TTL) field of the IP packet has reached zero.

An ICMP destination-unreachable message is sent by the router to indicate that the router is unable to send the packet to its intended destination.

CISCO CCNA 200-301 Q135

Which command is used on a Catalyst 2950 series switch to enable basic port security on the interface?

A. set port-security
B. switchport port-security
C. set port-security enable
D. switchport port-security enable

Correct Answer: B

Explanation:
The switchport port-security command is an interface configuration command used on a Catalyst 2950 series switch to enable basic port security on the interface. The syntax of the command is as follows:

switch(config-if)#switchport port-security

Switchport security can be used to:
– Limit the computers that are allowed to connect to the LAN (by specifying the MAC addresses allowed on the port)
– Limit the number of MAC addresses allowed to access a port
– Set the action the port will take when a violation of the security rule occurs

The set port-security, set port-security enable, and switchport port-security enable commands are incorrect because these are not valid Cisco IOS commands.

CISCO CCNA 200-301 Q134

Which Cisco Internetwork Operating System (IOS) command is used to encrypt passwords on Cisco routers?

A. password secure
B. service encryption-password
C. service password-encryption
D. enable password

Correct Answer: C

Explanation:
The service password-encryption command is used to encrypt passwords on Cisco routers. It is used to encrypt all passwords configured on the router, both current and future. This means all passwords in the plain text configuration file will be encrypted. This command is issued in global configuration mode. The syntax of the command is as follows:

Router(config)# service password-encryption

This command does not have any parameters.

Once executed, any password in the configuration file will appear similar to what is shown below when the running or startup configuration files are viewed:

R1#show run
line console 0
password 7 09-4f60C0B1C1B
login

The password secure and service encryption-password commands are incorrect because they are not valid Cisco IOS commands. The enable password command is used to set the privileged EXEC mode password, and does not encrypt the password by default.
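A configuration audit built on the output format shown above. It is an added example, not part of the original question bank. The `password 7` form written by service password-encryption is a reversible obfuscation rather than a one-way hash, so the script reports each credential line by storage type and separates type 7 and plaintext entries from `enable secret`-style hashed ones. The sample configuration and its placeholder values are constructed, and the function names are illustrative.

```python
import re

# Constructed running-config excerpt; the *_PLACEHOLDER values are not real.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 TYPE7_PLACEHOLDER
enable secret 9 TYPE9_PLACEHOLDER
username admin password 7 TYPE7_PLACEHOLDER
line console 0
 password 7 TYPE7_PLACEHOLDER
 login
"""

# [enable | username NAME [privilege N]] <password|secret> [type] <value>
CRED_RE = re.compile(
    r"^\s*(?:enable\s+|username\s+\S+\s+(?:privilege\s+\d+\s+)?)?"
    r"(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")

def classify(keyword, ptype):
    if keyword == "secret":
        return "hashed"        # stored as a one-way hash
    if ptype == "7":
        return "type7"         # reversible obfuscation
    return "plaintext"         # type 0 or no type digit

def audit(config):
    """Report whether the service is on and how each credential is stored."""
    findings = []
    service_on = False
    for lineno, line in enumerate(config.splitlines(), start=1):
        if line.strip() == "service password-encryption":
            service_on = True
            continue
        m = CRED_RE.match(line)
        if m:
            # Never echo the credential itself into the report.
            redacted = line[:m.start(3)].strip() + " ***"
            findings.append((lineno, classify(m.group(1), m.group(2)), redacted))
    return {"service_password_encryption": service_on, "findings": findings}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("service password-encryption:", report["service_password_encryption"])
    for lineno, kind, text in report["findings"]:
        print(f"line {lineno}: {kind:9} {text}")
```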

CISCO CCNA 200-301 Q133

Which service is denoted by TCP/UDP port number 53?

A. Domain Name Service (DNS)
B. File Transfer Protocol (FTP)
C. Telnet
D. HTTP

Correct Answer: A

Explanation:
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port number 53 is assigned to Domain Name Service (DNS), which is used to convert hostnames into Internet Protocol (IP) addresses.

Some common TCP and UDP port number assignments are as follows:
– port 25: Assigned to Simple Mail Transfer Protocol (SMTP), a TCP protocol used to send and receive e-mail messages.
– port 23: Assigned to Telnet to allow remote logins and command execution.
– port 21: Assigned to File Transfer Protocol (FTP). It is used to control FTP transmissions. Port number 20 is also used by FTP for FTP data.
– port 80: Assigned to Hypertext Transfer Protocol (HTTP), which is the base for transferring Web pages over the Internet.

CISCO CCNA 200-301 Q132

Which of the following is NOT true of APIC-EM?

A. It supports greenfield but not brownfield deployments
B. It provides a single point for network automation
C. It saves time and cost
D. It is open and programmable

Correct Answer: A

Explanation:
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is an SDN controller platform that supports both greenfield implementations, which use no previous code and design from the ground up, and brownfield implementations, which incorporate existing code.

APIC-EM does provide a single point for network automation. This automation leads to both time and cost savings. APIC-EM uses an open and programmable approach to devices, policies, and analytics.

CISCO CCNA 200-301 Q131

You are configuring a Cisco router. Which command would you use to convey a message regarding the remote access security policy of your organization to a user logging into the router?

A. hostname
B. banner motd
C. description
D. boot system
E. terminal monitor

Correct Answer: B

Explanation:
The banner motd command is used to specify a message of the day (MOTD) banner to users logging into the router. This is a global configuration mode command and is generally used to communicate router identification information, display any warning specific to the router, or display a remote access security policy, such as “Unauthorized access to the router is prohibited.” The syntax for this command is as follows:

banner motd [d message d]

d is the delimiter character. It can be any character of the administrator’s choice, with the limitation that the delimiter character cannot be used in the message text.

The hostname command is a global configuration command to assign the router a name for identification. The command syntax is hostname [name].

The description command is an interface configuration mode command that sets a description for that interface.

The boot system command is used to specify the path to the primary IOS file. It is a global configuration command.

The terminal monitor command is used to direct debug and system error messages to the monitor when connected to a router using telnet. When you are connected to a router using telnet and you issue the debug command, by default the output can only be seen through a console session with that router. Executing the terminal monitor command directs that output to the terminal session where it can be viewed.