CCNA® Certification Practice Tests, Jon Buhagiar
CCNA Certification Practice Tests: Exam 200-301 (2020)

`named_list`, you will see the ACL lines but no line numbers. The command `show access-list named_list` is incorrect. The command `show ip access-list` is incorrect. The command `show running-configuration` is incorrect.

99. A.  Extended ACLs should always be placed closest to the source of traffic since they are extremely granular. Standard ACLs should always be placed closest to the destination of traffic since they only specify the source IP address. Dynamic ACLs can be placed in either location because they can be standard or extended access lists, with the addition of traffic-based rules or time of day–based rules. An expanded ACL is not really a type of ACL; it specifies the expanded numbering for standard and extended ACLs.




100. C.  The command `ip access-list extended named_list` will create an extended named access list. The command `access-list 101 allow host 192.168.1.5 any` is incorrect. The command `ip access-list named_list` is incorrect. The command `ip access-list 101 named_list` is incorrect.

101. B.  Standard ACLs should always be placed closest to the destination of traffic since they are broad in the traffic they control. Extended ACLs should always be placed closest to the source of traffic since they are extremely granular. Dynamic ACLs can be placed in either location because they can be standard or extended access lists, with the addition of traffic-based rules or time of day–based rules. An expanded ACL is not really a type of ACL; it specifies the expanded numbering for standard and extended ACLs.
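The placement rules in answers 99 and 101 and the named-ACL syntax in answer 100, shown together as an added configuration example (this is not from the book or from Cisco documentation). Interface names, the 192.168.1.0/24 source LAN, the 10.1.1.0/24 server LAN and the guest range 192.168.50.0/24 are constructed for illustration; `named_list` and the host 192.168.1.5 come from the answer key.

```cisco
! Added example, not from the book. Addresses and interface names are
! constructed.
!
! --- Router closest to the SOURCE (192.168.1.0/24 user LAN) ---
! An extended ACL matches protocol, source, destination and port, so it
! can be applied inbound where the traffic enters the network without
! affecting anything else; the implicit "deny ip any any" ends the list.
ip access-list extended named_list
 permit ip host 192.168.1.5 any
 deny   tcp 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 23
 permit ip 192.168.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 description User LAN (traffic source)
 ip access-group named_list in
!
! --- Router closest to the DESTINATION (10.1.1.0/24 server LAN) ---
! A standard ACL only tests the source address, so applying it near the
! source would block that source from reaching every destination; near
! the destination it blocks only the intended traffic.
ip access-list standard BLOCK_GUEST
 deny   192.168.50.0 0.0.0.255
 permit any
!
interface GigabitEthernet0/1
 description Server LAN (traffic destination)
 ip access-group BLOCK_GUEST out
!
! Named ACL entries and their sequence numbers can be reviewed with:
! show ip access-lists named_list
```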

102. A.  When you're trying to diagnose port security, the first command should be `show port-security`. This will detail all of the ports with port security and their expected behavior when port security is violated. The command `show mac address-table` is incorrect. The command `show interface` is incorrect. The command `show security` is incorrect.

103. B.  Since the remote office has no onsite IT personnel, there is a risk of workers plugging in unauthorized equipment such as a WAP. If port security is implemented, the interface can be secured to allow only the MAC address of the computer to pass; all other traffic can be dropped. Dynamic VLANs will not prevent unauthorized equipment, such as a WAP, from being plugged into the network. ACLs can mitigate what is accessible on servers but will not prevent unauthorized equipment from being plugged in. VLAN pruning is a good overall practice to minimize traffic across trunk links, but it does nothing for end device security.

104. B.  Port security can restrict a port to a single device by MAC address. This will effectively make plugging in a wireless access point (WAP) a non-event for a corporate network. Access control lists (ACLs) cannot restrict a wireless access point from being plugged into the corporate network. Wired Equivalent Privacy (WEP) is a very insecure wireless encryption protocol and will not prevent a wireless access point from being plugged into the corporate network. Static MAC addresses will not stop a wireless access point from being plugged into the corporate network.

105. A.  Port security blocks unauthorized access by examining the source MAC address of a network device. The destination MAC address is used for forward filter decisions. The source and destination IP addresses are used by access control lists (ACLs) to filter traffic.

106. C.  Port security is enabled by configuring the command `switchport port-security`. This command must be configured on the interface on which you want to enable port security. The command `switchport port-security` is incorrect when it is configured at the global configuration prompt. The command `port-security enable` is incorrect regardless of where it is configured.

107. A.  By default, only a single MAC address is allowed on an interface when port security is enabled. All of the other options are incorrect.

108. C.  Port security operates at layer 2 by inspecting the source MAC addresses in frames. It allows the configured number of source MAC addresses to be switched into the port and onto the switch processor. All of the other options are incorrect.

109. C.  Configuring port security helps a network administrator prevent unauthorized access by MAC address. VLANs can be allowed or disallowed only on a trunk link and not on an access link. ACLs can be used to allow or disallow IP addresses. Port security cannot be used to prevent unauthorized access by users.

110. C.  Port security works best in static environments where there is minimal change to the environment. It does not require any more memory since the results are pulled from the MAC address table. Port security can work in mobile environments, but depending on the configuration, it may become an administrative burden. Port security does not require a higher amount of memory. Port security can be configured so that admin intervention to reset an err-disabled port is not required.

111. B.  Both the computer and the VoIP phone have MAC addresses, and therefore you will need to allow the port to have two MAC addresses, one for the phone and the other for the computer to communicate on the port. All of the other options are incorrect.

112. B.  By default, when port security is configured on a port, the violation method is err-disabled shutdown. Administratively shut down ports can only be configured by an administrator. You can configure port security to restrict access to a MAC address with and without logging.

113. C.  When port security is configured, the port cannot be in Dynamic Trunking Protocol (DTP) dynamic mode. You must configure the port as an access port first, then turn off DTP with the command `switchport nonnegotiate`. You can then configure switch port security. The commands `no switchport dynamic` and `switchport port-security` are incorrect. The commands `switchport mode access` and `switchport port-security` are incorrect. The commands `switchport mode access`, `no dynamic`, and `switchport port-security` are incorrect.

114. B.  The command `switchport port-security maximum 2` will configure the port with a maximum of two MAC addresses that are allowed to pass through the port. The command `switchport maximum 2` is incorrect. The command `port-security maximum 2` is incorrect. The command `switchport port-security limit 2` is incorrect.



115. D.  The command `switchport port-security violation restrict` will set the violation mode to restrict. This will drop frames over the maximum number of learned MAC addresses and will log security violations to the counters. The command `switchport port-security violation shutdown` is incorrect; this is the default mode, in which the port will enter an err-disabled state upon a violation. The command `switchport port-security restrict` is incorrect, as it is missing the `violation` argument. The command `switchport port-security violation protect` is incorrect because it will not increment the security-violation count while it is dropping frames.

116. B.  The command `show port-security interface gi 2/13` will allow you to see a detailed view of an individual port configured for port security. The command `show running-configuration` is incorrect; it will not show the status of a port, only the configuration. The command `show port-security details interface gi 2/13` is incorrect. The command `show port-security gi 2/13` is incorrect.

117. A.  The command `switchport port-security violation shutdown` puts the interface into the err-disable state immediately and sends an SNMP trap notification to a syslog server. The command `switchport port-security restrict` is incorrect. The command `switchport port-security violation protect` is incorrect. The command `switchport port-security violation restrict` is incorrect.

118. C.  The command `switchport port-security violation protect` will set the violation mode to protect. This will drop frames over the maximum number of learned MAC addresses but will not log security violations to the counters. The command `switchport port-security violation shutdown` is incorrect. The command `switchport port-security restrict` is incorrect. The command `switchport port-security violation restrict` is incorrect.

119. C.  The command `show port-security` will show all ports that have logged port security violations. The command `show violations` is incorrect. The command `show port-security violations` is incorrect. The command `show psec violations` is incorrect.

120. C.  When you configure sticky port security, the first MAC address seen by the switch will become bound to the port. Any other MAC address will trip the configured access violation. Static port security will require you to enter the MAC address of each computer paired with each port. Dynamic port security and time limit port security are not types of port security that can be implemented.

121. B.  The default configuration for port security results in an access violation of shutdown. When a port security violation occurs, the port will be shut down in an err-disable status. Because the port is in an err-disabled state, the exhibit does not support the theory that a port has been administratively shut down. The exhibit also does not support the theory that the port has bad wiring. You cannot tell from the output in the exhibit whether the port is configured as a trunk or access link, but neither will place the port into an err-disabled state.

122. A.  The command `switchport port-security mac-address sticky` will configure the port to learn the first MAC address and allow only the first MAC address to pass traffic. The command `switchport port-security mac-address dynamic` is incorrect. The command `switchport port-security mac-address static` is incorrect. The command `switchport port-security mac-address learn` is incorrect.



123. D.  One way to clear an err-disable status is to issue the `shutdown` command and then the `no shutdown` command on the port. This will reset the port so that traffic can flow again. However, if the access violation still exists, then the port will enter an err-disable status again. The command `no port-security` is incorrect and will not clear the err-disable state. The command `no shutdown` is incorrect and will not clear the err-disable state. The command `no switchport port-security` is incorrect and will not clear the err-disable state.

124. B.  The command `switchport port-security mac-address 0334.56f3.e4e4` will configure the interface with a static MAC address of 0334.56f3.e4e4. The command `switchport port-security mac-address sticky` is incorrect as it will configure itself with the first MAC address learned. The command `switchport port-security mac-address static 0334.56f3.e4e4` is incorrect. The command `switchport port-security static 0334.56f3.e4e4` is incorrect.

125. D.  The command `show port-security` will show all of the ports that are actively participating in port security. In addition, you can see the maximum number of addresses configured, current addresses, security violations, and action. The command `show port-security details` is incorrect. The command `show mac address-table secure` is incorrect. The command `show port-security address` is incorrect.

126. D.  The global config command `errdisable recovery cause psecure-violation` will reset all ports with an err-disable status. The command `clear err-disable` is incorrect. The command `clear switchport port-security` is incorrect. The command `clear port-security violation` is incorrect.

127. A.  The command `show running-config` will show you the learned MAC addresses from port security. The command `show port-security` is incorrect. The command `show port-security details` is incorrect. The command `show port-security status` is incorrect.
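The port-security answers 106 through 127 combined into one added configuration example for a single access port; this is not from the book. The interface GigabitEthernet2/13 follows the `gi 2/13` used in answer 116, the MAC address comes from answer 124, and the VLAN numbers and description are constructed. The recovery-cause keyword is written `psecure-violation`, which is the spelling IOS accepts.

```cisco
! Added example, not from the book. VLAN numbers and the description
! are constructed; the interface and MAC address come from the answer key.
!
! Global configuration: let ports err-disabled by a port-security
! violation recover on their own after the interval (300 s is the
! default), instead of waiting for an administrator to bounce them.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface GigabitEthernet2/13
 description Remote office - VoIP phone and PC
 ! Port security cannot be enabled while the port is in DTP dynamic mode:
 ! force access mode and turn off DTP negotiation first (answer 113).
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonnegotiate
 ! Enable port security on the interface (answer 106); the default
 ! maximum is one address (answer 107), so raise it to two for the
 ! phone plus the PC (answers 111 and 114).
 switchport port-security
 switchport port-security maximum 2
 ! Learn the first addresses seen and keep them in the running-config,
 ! where "show running-config" later reveals them (answers 120, 122, 127).
 switchport port-security mac-address sticky
 ! Pin the PC's address statically so only the phone is sticky-learned
 ! (answer 124).
 switchport port-security mac-address 0334.56f3.e4e4
 ! Restrict: drop frames from extra addresses and count/log each
 ! violation without err-disabling the port. The default, shutdown,
 ! err-disables the port on the first violation; protect drops
 ! silently with no counter (answers 112, 115, 117, 118).
 switchport port-security violation restrict
!
! Verification (privileged EXEC):
!   show port-security                       all secured ports, max/current
!                                            addresses, violations, action
!   show port-security interface gi 2/13     one port in detail
!   show running-config                      sticky-learned MAC addresses
!
! Manual recovery of a port err-disabled by a violation (answer 123):
!   interface GigabitEthernet2/13
!    shutdown
!    no shutdown
! The port returns to err-disabled if the offending device is still
! attached.
```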

128. B.  The AAA server will centralize authentication for Cisco routers and switches. AAA stands for authentication, authorization, and accounting. It is pronounced "triple A." An Active Directory server can be used in conjunction with authentication, but the AAA server will facilitate the authentication. 802.1X is a protocol and not a type of server; therefore, this is incorrect. Terminal servers are servers that extend applications or the server desktop to remote users and have nothing to do with authentication of Cisco routers and switches.

129. B.  RADIUS authentication uses the UDP protocol and port 1645 for communications between the switch or router and the AAA server. All of the other options are incorrect.

130. TACACS+ is a protocol used for communications between a switch or router and the AAA server for authenticating users. 802.1X is used to secure ports on a switch or access to wireless access points (WAPs). Active Directory (AD) is a Microsoft directory of computers and users that is used for authentication purposes. Extensible Authentication Protocol (EAP) is a protocol that allows for passwords, certificates, biometrics, and any other extensible method for authentication.

131. A.  The command `aaa authentication login default group tacacs+ local` will configure AAA authentication for login using the default list and a group of TACACS+ servers, with TACACS+ tried first and local authentication as the backup. The command `authentication login group tacacs+ local` is incorrect. The command `aaa-authentication login default tacacs+ local` is incorrect. The command `aaa authentication login tacacs+ local` is incorrect.

132. C.  The router will lock you out since you have not provided a local account to log in with. The password recovery procedure would need to be performed if the configuration was saved. The enable secret will be overridden by the configuration, since you configured default local, and it will not work. The console will also not be available because the default local was configured. Once the default local is configured, authentication will be based upon the local AAA configuration; if no user exists, then you will be locked out of the router or switch.
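The TACACS+ login configuration from answer 131, with the local account and console method list that prevent the lockout described in answer 132, as an added example (not the book's own). The server address 10.0.0.5, the server name TAC1, the username and the bracketed secrets are placeholders.

```cisco
! Added example, not from the book. Server address, server name,
! username and secrets are placeholders.
!
! 1. Create the local account BEFORE the default list references
!    "local": the fallback method must have an account to check, or the
!    lockout in answer 132 occurs as soon as the TACACS+ group is
!    unreachable.
username admin privilege 15 secret <LOCAL-PASSWORD>
!
! 2. Turn on AAA and define the TACACS+ server. Every "tacacs server"
!    defined this way is a member of the built-in group named tacacs+.
aaa new-model
tacacs server TAC1
 address ipv4 10.0.0.5
 key <SHARED-SECRET>
!
! 3. Default login list: the TACACS+ group first, local accounts only if
!    no server answers (answer 131).
aaa authentication login default group tacacs+ local
!
! 4. Separate method list for the console that never depends on the
!    network, so the console stays usable while the servers are down.
aaa authentication login CONSOLE local
line console 0
 login authentication CONSOLE
!
! Before "write memory", keep the current session open and verify the
! change from a second session. If that login fails, the unsaved running
! configuration can still be discarded with a reload, avoiding the
! password recovery procedure mentioned in answer 132.
```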

133. A.  Routinely looking at a log file and discovering that a security incident has occurred is an example of passive detection. Active detection would be if you were actively notified when the incident occurred. Proactive detection is where you find the security incident before it occurs. Auditing is the act of reading through a log file, not detecting an incident.

134. D.  Remote Authentication Dial-In User Service (RADIUS) servers are authentication servers. DNS servers perform name resolution for clients. Email servers deliver and receive email on the Internet. Proxy servers fetch requests on behalf of clients.

135. B.  Enabling MAC filtering on the access point will allow only the devices that she specifies. Enabling WPA2 encryption will not prevent unauthorized access to the SOHO network. Port security is enabled on wired network switches to prevent unauthorized access. Disabling the SSID from broadcasting will not prevent unauthorized access.

136. B.  A certificate infrastructure is required for WPA2-Enterprise mode. WPA2-Enterprise mode is not compatible with a pre-shared key (PSK) method of security. 192-bit key strength was introduced with WPA3-Enterprise mode. WPA2-Enterprise can be used with any of the 802.11 wireless coverage technologies since it operates independently.

137. B.  Message Integrity Check (MIC), also known as Michael, is responsible for the protection of messages by including an integrity check that the other side can verify. Temporal Key Integrity Protocol (TKIP) was used as an encryption protocol for WPA as a quick replacement of Wired Equivalent Privacy (WEP). Advanced Encryption Standard (AES) is an encryption protocol first introduced with WPA2. A cyclic redundancy check (CRC) is a simple calculation to assure that data is not damaged in transit.

138. C.  WPA3-Enterprise offers a 192-bit security mode that uses 192-bit minimum strength security protocols. Although WPA3-Enterprise can use the authentication encryption of 256-bit Galois/Counter Mode Protocol (GCMP-256), it employs 192-bit AES for the encryption and transmission of data, which is where it gets its name. All of the other options are incorrect.

139. C.  After the weaknesses in WEP encryption were discovered, the Wi-Fi Alliance rushed the release of the WPA security protocol. The WPA security protocol incorporated the 802.11i standard of TKIP, which allowed for better integrity of 802.11 transmissions. The WPA security protocol was released after the WEP security protocol. The WPA security protocol did not address any problems related to coverage. It was not a rebranding of the WEP security protocol; it was intended to be a replacement.

140. B.  The 802.11i standard added the feature of per-frame encryption. The use of certificates and pre-shared keys (PSKs) are features of WPA and not the 802.11i standard. CRC checking is part of the 802.11 standard, and therefore it was not added with 802.11i or the WPA security protocol.

141. C.  The 802.11i (WPA2) specification introduced a specific mode of Advanced Encryption Standard (AES) encryption called Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). The Rivest Cipher 4 (RC4) algorithm is used by Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) as an encryption protocol. Message-Digest algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA1) are popular hashing algorithms but are not related to wireless communications.

142. The WPA3 protocol introduced the feature of Simultaneous Authentication of Equals (SAE) authentication, also known as the Dragonfly handshake. Certificate support, per-frame encryption, and Temporal Key Integrity Protocol (TKIP) were all features introduced with the original WPA standard.

143. B.  When configuring WPA2-Enterprise mode on a wireless LAN controller, you must configure a RADIUS server for authentication of the users or computers joining the wireless network. Setting a Network Time Protocol server is optional when configuring WPA2-Enterprise. WPA-Personal uses a pre-shared key (PSK), whereas WPA-Enterprise uses a certificate pair for authentication. Captive portals are not required for WPA2-Enterprise because the user or computer should be authenticated by the certificate pair.

144. C.  You should disable the Temporal Key Integrity Protocol (TKIP) when configuring WPA2. This will ensure that the WAP and client do not fall back to the older WPA protocol. 802.1X will operate independently from the WPA2 and WPA fallback mechanism. Advanced Encryption Standard (AES) is an encryption protocol that is used in conjunction with WPA2; therefore, it should not be disabled. MAC filtering is not related to WPA or WPA2 and works independently as a security mechanism.

145. A.  A pre-shared key (PSK) is the mechanism used for configuring authentication with WPA2 using a symmetrical key. Advanced Encryption Standard (AES) is an encryption protocol that is used in conjunction with WPA2. AES is not used for authentication of hosts. Certificates are used with WPA2-Enterprise; they are asymmetrical keys used for authentication. The Temporal Key Integrity Protocol (TKIP) is used alongside the RC4 protocol to provide encryption for WPA; it is not used for authentication.

146. D.  When the status of a configured WLAN is set to disable or unchecked in the GUI, the SSID will be broadcast and active for clients. SSID beaconing is enabled by default; if it were disabled, the clients would not see the SSID. Multicast support is used for multimedia applications and would not prevent the SSID from being seen by clients. The Radio Policy could possibly restrict clients from seeing the SSID depending on what it is set to. However, when it is set to all, there are no restrictions.

147. A.  A single pre-shared key (PSK) is configured for a WPA2 WLAN. The PSK can be either one hex or one ASCII key, but it cannot be both. If you need multiple keys, then WPA2-Enterprise should be used. Keep in mind that a PSK is symmetrical encryption, whereas WPA2-Enterprise uses certificates and asymmetrical encryption. All of the other options are incorrect.

148. D.  The Wi-Fi Protected Access 2 (WPA2) protocol can be configured with Advanced Encryption Standard (AES) encryption to provide the highest level of security. Wi-Fi Protected Access (WPA) cannot be configured with AES encryption; therefore, this is a wrong answer. WPA2 cannot be configured with Temporal Key Integrity Protocol (TKIP); only WPA uses the RC4 encryption algorithm and TKIP.

149. In order to satisfy the requirements of the client, WPA2-Personal should be configured for the wireless network. WPA2-Personal will allow for 128-bit AES-CCMP encryption and work with a pre-shared key (PSK) to minimize infrastructure. WPA-Enterprise and WPA3-Enterprise require certificate services and an AAA server. WPA-Personal is weaker encryption than WPA2-Personal.

150. B.  When a WLAN is configured with WPA-TKIP, it will not be able to achieve over 54 Mbps. The Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) is based on the Advanced Encryption Standard (AES) encryption protocol and will not hinder throughput. Configuring a pre-shared key (PSK) will also not hinder throughput.



