1. What are the two reasons that a network administrator would use an access list? (Choose two)
A. [x] To control vty access into a router
B. [ ] To filter traffic that originates from the router
C. [x] To filter traffic as it passes through the router
D. [ ] To prevent viruses from entering the network
Explanation: The purposes of configuring ACLs on a router are controlling vty access into the router and filtering traffic as it passes
through the router. An Access Control List (ACL) can be used to act on traffic transmitted from one port to another. It gets
its name from its ability to filter traffic as it flows into and out of an interface, but it can also be used for other
purposes, such as:
A. Restricting Telnet (VTY) access to the router.
B. Filtering routing information.
C. Classifying WAN traffic by precedence for queuing.
D. Triggering calls with dial-on-demand routing (DDR).
E. Changing the administrative distance of routes.
2. You are a network administrator. In order to improve the security of a switched network, refer to the following
options. Which two methods are examples of implementing Layer 2 security on a Cisco switch? (Choose two)
A. [x] Disable trunk negotiation on the switch
B. [ ] Use only protected Telnet sessions to connect to the Cisco device
C. [x] Configure a switch port host where appropriate
D. [ ] Enable HTTP access to the switch for security troubleshooting
Explanation: As network applications spread and grow more demanding, users' requirements for Layer 2 switching are no
longer limited to forwarding performance and Quality of Service (QoS); network security has become an increasingly
important consideration for networking products. How can user traffic be filtered so that data is transmitted safely and
efficiently? How can unauthorized users be blocked so that the network runs safely? How can network management be
secured, and unauthorized users, unauthorized activity and the security state of remote management traffic be detected in
time? The following methods implement Layer 2 security on switches.
Layer 2 filtering
Most current switches can meet a variety of filtering requirements by defining filter rules. There are two modes for
defining them. One is MAC mode, which isolates traffic by source MAC address or destination MAC address according
to the user's needs. The other is IP mode (which strictly speaking is not Layer 2 filtering), which filters packets by source
IP address, protocol, source port and destination port. The rules must be attached to the appropriate receiving or sending
port; when the switch receives or forwards data on that port, it matches the packets against the rules and decides
whether to transmit or discard them.
Traffic control
Traffic control on a switch prevents abnormal load on switch bandwidth caused by excessive broadcast packets, multicast
packets or unicast packets with unknown destination addresses. It also improves overall system performance and helps
keep the running network secure and stable.
3. A single 802.11g access point has been configured and installed in the center of a square-shaped office. A few
wireless users are experiencing slow performance and drops while most users are operating at peak efficiency.
From the list below, what are three likely causes of this problem? (Choose three)
A. [ ] mismatched TKIP encryption
B. [ ] null SSID
C. [x] cordless phones
D. [ ] mismatched SSID
E. [x] metal file cabinets
F. [x] antenna type or direction
Explanations:
C: If you have cordless phones or other wireless electronics in your home or office, your computer might not be able to
"hear" your router over the noise from the other wireless devices. To reduce the noise, avoid wireless electronics that use the
2.8GHz frequency. Instead, look for cordless phones that use the 5.8GHz or 900 MHz frequencies.
E: The antennas supplied with your router are designed to be omnidirectional, meaning they broadcast in all directions
around the router. If your router is near an outside wall, half of the wireless signal will be sent outside your office, and
much of your router's power will be wasted.
4. The left describes the security features, while the right describes the specific security risks. Drag the items on
the left to the proper locations (Note all items can be used).
A. VTY passwords -- remote access to device console
B. Service password-encryption -- viewing of passwords
C. Enable secret -- access to privileged mode
D. Access group -- access to connected networks or resources
E. Console password -- access to the console 0 line
Explanations:
This question tests the use of passwords and password encryption on devices in different modes and on different lines. It
is easy if you know the concepts of the different modes and lines.
5. An administrator is configuring a router that will act as the hub in a Frame Relay hub-and-spoke topology.
What is the advantage of using point-to-point sub-interfaces instead of a multipoint interface on this router?
A. [x] It avoids split-horizon issues with distance vector routing protocols.
B. [ ] Only one IP network address needs to be used to communicate with all the spoke devices.
C. [ ] Only a single physical interface is needed with point-to-point sub-interfaces, whereas a multipoint interface
logically combines multiple physical interfaces.
D. [ ] Point-to-point sub-interfaces offer greater security compared to a multipoint interface configuration.
Explanations:
Split horizon is a distance vector routing rule: once a route has been learned through an interface, it is not advertised
back out that same interface (or is advertised as unreachable), in order to avoid routing loops. In an NBMA network such
as Frame Relay with a hub-and-spoke topology, the point-to-multipoint interface at the hub needs to advertise routing
information learned from one PVC to the other PVCs, but split horizon does not allow such advertisements; this is the
split-horizon problem. For IGRP in particular, split horizon is disabled by default on the Frame Relay physical interface,
while on point-to-point and point-to-multipoint sub-interfaces it is enabled. Split-horizon problems therefore usually
appear on point-to-multipoint sub-interfaces, and there are several ways to solve them: use the no ip split-horizon
command to disable split horizon on the point-to-multipoint sub-interface (this can cause routing loops, which can be
controlled with a distribute-list), or convert the point-to-multipoint sub-interface into point-to-point sub-interfaces,
keeping in mind that each point-to-point sub-interface must use its own network address.
6. The left describes the types of cables, while the right describes the purposes of the cables. Drag the items on
the left to the proper locations. (Note all items can be used).
A. Straight-through -- switch access port to router
B. Crossover -- switch to switch
C. Rollover -- PC COM port to switch
Explanations:
A crossover cable is used to connect like devices (for example, switch to switch). A straight-through cable is used to connect unlike devices (for example, switch to router).
7. Refer to the graphic. It has been decided that P4S-workstation1 should be denied access to Server1. Which of
the following commands are required to prevent only P4S-workstation1 from accessing Server1 while allowing
all other traffic to flow normally? (Choose two)
8. As a security administrator of an enterprise network, you will see many different types of attacks that
threaten the security of the network. Which type of attack is characterized by a flood of packets requesting
a TCP connection to a server?
A. [x] Denial of service
B. [ ] Computer virus
C. [ ] Reconnaissance
D. [ ] Trojan horse
Explanation:
DDoS is short for Distributed Denial of Service. Any action that leaves legitimate users unable to access normal network
services can be regarded as a denial of service attack; in other words, the purpose of a denial of service attack is clear: to
block legitimate users from accessing normal network services in order to achieve the attacker's ulterior motives. There
are differences between DDoS and DoS, although both are denial of service attacks. A DDoS attack strategy focuses on
sending a large number of seemingly legitimate network packets to the attacked hosts through many "zombie hosts"
(hosts that have themselves been compromised or can be used indirectly), resulting in network congestion or exhaustion of
server resources, so that the server finally stops providing service. Once a distributed denial of service attack is under
way, attack packets pour into the attacked hosts and drown out the packets of legitimate users, so legitimate users can no
longer access the servers' resources properly. A denial of service attack is therefore also called a "flood attack". The most
common DDoS attack methods are SYN Flood, ACK Flood, UDP Flood, ICMP Flood, Connections Flood, Script Flood,
Proxy Flood, etc. DoS, by contrast, emphasizes using specific flaws in a host to make its network stack fail, the system
crash or the host crash, so that it can no longer provide normal network services and service is finally denied.
9. How many subnets can be gained by subnetting 172.17.32.0/23 with a /27 mask, and how many usable host
addresses will there be per subnet?
A. [ ] 8 subnets, 31 hosts
B. [ ] 8 subnets, 32 hosts
C. [x] 16 subnets, 30 hosts
D. [ ] A Class B address can’t be sub-netted into the fourth octet
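To show how the answer is worked out rather than looked up, here is an added Python example (not part of the original exam material) that carves any IPv4 block into a chosen prefix length, counts the subnets and usable hosts, and lists each subnet with its first/last usable address, broadcast address and the matching Cisco wildcard mask (the `hostmask` of the subnet). It uses only the standard `ipaddress` module; the block and prefix values are the ones from the question.

```python
import ipaddress

def subnet_plan(network, new_prefix):
    """Carve an IPv4 block such as "172.17.32.0/23" into /new_prefix subnets.

    Returns (subnet_count, usable_hosts_per_subnet, subnets).
    Usable hosts exclude the network and broadcast addresses; /31 (point-to-point)
    and /32 (host route) keep all their addresses as a special case.
    """
    net = ipaddress.ip_network(network, strict=True)
    if not net.prefixlen <= new_prefix <= 32:
        raise ValueError("new prefix must be between /%d and /32" % net.prefixlen)
    subnets = list(net.subnets(new_prefix=new_prefix))
    host_bits = 32 - new_prefix
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 2 ** host_bits
    return len(subnets), usable, subnets

def subnet_table(network, new_prefix):
    """One row per subnet: (network, first usable, last usable, broadcast, wildcard).

    The wildcard column is the subnet's hostmask, which is exactly the mask
    written in an IOS access list (a /28 gives 0.0.0.15).
    """
    _, usable, subnets = subnet_plan(network, new_prefix)
    rows = []
    for s in subnets:
        if usable >= 2 and s.prefixlen <= 30:
            first, last = s.network_address + 1, s.broadcast_address - 1
        else:
            first, last = s.network_address, s.broadcast_address
        rows.append((str(s.network_address), str(first), str(last),
                     str(s.broadcast_address), str(s.hostmask)))
    return rows

if __name__ == "__main__":
    count, hosts, _ = subnet_plan("172.17.32.0/23", 27)
    print("%d subnets, %d usable hosts each" % (count, hosts))
    for row in subnet_table("172.17.32.0/23", 27):
        print("%-15s first %-15s last %-15s bcast %-15s wildcard %s" % row)
```

Running the block prints 16 subnets of 30 usable hosts, from 172.17.32.0/27 up to 172.17.33.224/27, which is answer C; the trap in answer D is that prefix boundaries are not tied to the classful octet boundaries.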
11. Given the partial router configuration in the graphic, why do P4S-PC1 and P4S-PC2, with the IP address
192.168.1.153/28, fail to access the internet? (Choose two)
12. A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on
subnet 192.168.1.128/28 to the server at 192.168.1.5. Which command should be issued to accomplish this
task?
A. [x] Access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
Access-list 101 permit ip any any
B. [ ] Access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
Access-list 101 permit ip any any
C. [ ] Access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 23
Access-list permit ip any any
D. [ ] Access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
Access-list 1 permit ip any any
13. In this network segment, the following ACL was configured on the S0/0 interface of router P4S-RA1 in the outbound
direction:
Access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
Which two packets, if routed to the interface, will be denied? (Choose two)
A. [ ] source IP address: 192.168.15.49, destination port: 23
B. [ ] source IP address: 192.168.15.41, destination port: 21
C. [ ] source IP address: 192.168.15.37, destination port: 21
D. [x] source IP address: 192.168.15.36, destination port: 23
E. [x] source IP address: 192.168.15.46, destination port: 23
Explanation:
From the access control list, we know that the denied network segment is 192.168.15.32 0.0.0.15, that is,
192.168.15.32/28, covering 192.168.15.32 through 192.168.15.47. Telnet requests (TCP port 23) from a host in this
segment will be denied; packets from outside the segment, or to other ports, do not match this entry.
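The wildcard-mask logic behind questions 12 and 13 is easy to get backwards (a 0 bit in the wildcard means "must match", a 1 bit means "don't care"), so here is an added Python example, written for this page and not taken from the exam or from Cisco, that parses simple IOS extended ACL lines and evaluates packets against them with first-match semantics and the implicit deny at the end. The ACL lines are the ones from questions 12 and 13; the packets are constructed from the question options, and the destination addresses in the question 13 packets (not given on the page) are placeholders.

```python
import ipaddress

WELL_KNOWN_PORTS = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80, "smtp": 25}

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: compare only the bits where the wildcard is 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_addr(tokens, i):
    """Consume 'any', 'host X' or 'X WILDCARD' at tokens[i]; return ((base, wc), next)."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2

def parse_ace(line):
    """Parse: access-list <num> <permit|deny> <proto> <src> <dst> [eq <port>]."""
    t = line.lower().split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = WELL_KNOWN_PORTS.get(t[i + 1])
        if dport is None:
            dport = int(t[i + 1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *ace["src"]):
        return False
    if not wildcard_match(pkt["dst"], *ace["dst"]):
        return False
    return ace["dport"] is None or pkt.get("dport") == ace["dport"]

def evaluate(acl_lines, pkt):
    """First matching entry wins. Returns (action, 1-based line number);
    line number None means the packet fell through to the implicit deny."""
    for n, line in enumerate(acl_lines, start=1):
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], n
    return "deny", None

# Question 13: the single entry from the page; packets constructed from its options.
# The destination address 10.0.0.1 is a placeholder (the question only gives ports).
Q13_ACL = ["access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet"]
Q13_PACKETS = {
    "A": {"proto": "tcp", "src": "192.168.15.49", "dst": "10.0.0.1", "dport": 23},
    "B": {"proto": "tcp", "src": "192.168.15.41", "dst": "10.0.0.1", "dport": 21},
    "C": {"proto": "tcp", "src": "192.168.15.37", "dst": "10.0.0.1", "dport": 21},
    "D": {"proto": "tcp", "src": "192.168.15.36", "dst": "10.0.0.1", "dport": 23},
    "E": {"proto": "tcp", "src": "192.168.15.46", "dst": "10.0.0.1", "dport": 23},
}

def q13_explicitly_denied():
    """Options whose packet is denied by the written entry (not the implicit deny)."""
    return [k for k, p in Q13_PACKETS.items() if evaluate(Q13_ACL, p) == ("deny", 1)]

# Question 12: the correct option's two lines, with a constructed host in the /28.
Q12_ACL = ["access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23",
           "access-list 101 permit ip any any"]

def q12_decisions():
    """(telnet from inside the /28, HTTP from inside, telnet from outside the /28)."""
    telnet = {"proto": "tcp", "src": "192.168.1.130", "dst": "192.168.1.5", "dport": 23}
    http = dict(telnet, dport=80)
    outside = dict(telnet, src="192.168.1.150")   # 192.168.1.144/28, not covered
    return tuple(evaluate(Q12_ACL, p)[0] for p in (telnet, http, outside))

if __name__ == "__main__":
    print("Q13 denied by the entry:", q13_explicitly_denied())
    print("Q12 (telnet in, http in, telnet out):", q12_decisions())
```

Note that a single deny entry with nothing after it denies everything, because of the implicit deny; the question asks only which packets match the written line, which is why the evaluator reports the matching line number rather than just the action.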
14. Cisco IOS (Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers
and all current Cisco network switches. Which two of the following devices could you configure as a source for
the IOS image in the boot system command? (Choose two)
A. [ ] HTTP server
B. [ ] Telnet server
C. [x] Flash memory
D. [x] TFTP server
Explanation:
This question examines the storage locations of the IOS image. Only an IOS image stored in flash memory or on a TFTP
server can be loaded when the router boots.
15. On a network of one department, there are four PCs connected to a switch, as shown in the following figure:
17. Study the exhibit carefully. Each of the four P4S switches has been configured with a hostname, as well as
being configured to run RSTP. No other configuration changes have been made. Which switch will have only
one forwarding interface?
A. [ ] P4S-SA
B. [x] P4S-SB
C. [ ] P4S-SC
D. [ ] P4S-SD
Explanations:
1.1 Determine the root bridge. The election of the root bridge is based on the bridge ID: Bridge ID = bridge priority + bridge
MAC address. By default the bridge priority value is 32768, so with equal priorities the root bridge is decided by the lowest
bridge MAC address alone. The root bridge in this question is P4S-SC.
1.2 Identify the root port. After the root bridge is elected, each switch in the network must select the port it uses to
reach the root bridge; this port is known as the root port (RP). The port with the lowest path cost to the root bridge is the
RP of the non-root bridge. In this question, ports F0/1 of P4S-SA, G0/1 of P4S-SB and G0/2 of P4S-SD are RPs. Working
through the choices, you will find that one port on P4S-SB is blocked, namely Gi0/2.
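The two steps above (root bridge election by bridge ID, then root port selection by root path cost) are mechanical enough to code, and coding them makes the tie-break rules explicit. The following Python example is added for this page and is not from the exam or from Cisco; the exhibit is not on the page, so the four-switch topology, its MAC addresses and its link costs (19 for FastEthernet, 4 for GigabitEthernet) are constructed. The switch names mirror the question, but the port names and the resulting roles come from the constructed topology, not from the exhibit.

```python
import heapq

# Constructed topology: (priority, MAC) per switch and (sw, port, sw, port, cost) per link.
SWITCHES = {
    "P4S-SA": (32768, "000a.1111.0003"),
    "P4S-SB": (32768, "000a.1111.0002"),
    "P4S-SC": (32768, "000a.1111.0001"),   # lowest MAC at equal priority -> root
    "P4S-SD": (32768, "000a.1111.0004"),
}
LINKS = [
    ("P4S-SC", "Gi0/1", "P4S-SA", "F0/1", 19),
    ("P4S-SC", "Gi0/2", "P4S-SD", "Gi0/2", 4),
    ("P4S-SD", "F0/1", "P4S-SB", "F0/1", 19),
    ("P4S-SA", "F0/2", "P4S-SB", "F0/2", 19),
]

def bridge_id(priority, mac):
    """Bridge ID compares priority first, then MAC address; the lowest wins."""
    return (priority, int(mac.replace(".", "").replace(":", ""), 16))

def elect_root(switches):
    return min(switches, key=lambda name: bridge_id(*switches[name]))

def root_path_costs(switches, links):
    """Dijkstra from the root: the lowest cumulative link cost to reach each switch."""
    root = elect_root(switches)
    adj = {name: [] for name in switches}
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue
        for m, c in adj[n]:
            if d + c < dist.get(m, float("inf")):
                dist[m] = d + c
                heapq.heappush(heap, (d + c, m))
    return root, dist

def port_roles(switches, links):
    """Return (root, {(switch, port): 'root' | 'designated' | 'blocked'})."""
    root, dist = root_path_costs(switches, links)
    roles, best = {}, {}
    # Root port: the local port whose neighbour offers the lowest root path cost,
    # ties broken by the neighbour's bridge ID and then its port name.
    for a, pa, b, pb, cost in links:
        for me, myport, nb, nbport in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (dist[nb] + cost, bridge_id(*switches[nb]), nbport)
            if me not in best or key < best[me][0]:
                best[me] = (key, myport)
    for sw, (_, port) in best.items():
        roles[(sw, port)] = "root"
    # Designated port per segment: the end with the lower root path cost
    # (tie: lower bridge ID). The far end is either that switch's root port
    # or, if not, an alternate port that RSTP keeps blocked.
    for a, pa, b, pb, _ in links:
        ka = (dist[a], bridge_id(*switches[a]))
        kb = (dist[b], bridge_id(*switches[b]))
        des, other = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        roles[des] = "designated"
        roles.setdefault(other, "blocked")
    return root, roles

def forwarding_ports(switches, links):
    """Ports per switch that forward (root and designated roles)."""
    _, roles = port_roles(switches, links)
    out = {name: set() for name in switches}
    for (sw, port), role in roles.items():
        if role != "blocked":
            out[sw].add(port)
    return out

if __name__ == "__main__":
    root, roles = port_roles(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print("%-7s %-6s %s" % (sw, port, role))
    print({sw: sorted(p) for sw, p in forwarding_ports(SWITCHES, LINKS).items()})
```

In the constructed topology P4S-SB reaches the root at cost 23 via P4S-SD and at cost 38 via P4S-SA, so its F0/1 becomes the root port; on the P4S-SA to P4S-SB segment P4S-SA has the lower root path cost (19), so it holds the designated port and P4S-SB's F0/2 is blocked, leaving P4S-SB with a single forwarding interface. Lowering one switch's priority (for example to 4096) overrides the MAC-address comparison and moves the root, which the test below also checks.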