Tuesday, April 14, 2009

CCNA v4 - E4 - Module 5 (100%)

http://www.ccna4u.net
1. Refer to the exhibit. What will be the effect of the configuration that is shown?
Users attempting to access hosts in the 192.168.30.0/24 network will be required to telnet to R3.

2. Which three parameters can ACLs use to filter traffic? (Choose three.)

protocol suite
source address
destination address

3. Refer to the exhibit. How does this access list process a packet with the source address 10.1.1.1 and a destination of 192.168.10.13?

It is dropped because it does not match any of the items in the ACL.

4 .Which two statements are correct about extended ACLs? (Choose two)

Extended ACLs evaluate the source and destination addresses.
Port numbers can be used to add greater definition to an ACL.




5. Where should a standard access control list be placed?

close to the destination

6. Which three statements describe ACL processing of packets? (Choose three.)

An implicit deny any rejects any packet that does not match any ACL statement.
A packet can either be rejected or forwarded as directed by the statement that is matched.
Each statement is checked only until a match is detected or until the end of the ACL statement list.

7. Refer to the exhibit. How will Router1 treat traffic matching the time-range requirement of EVERYOTHERDAY?

Telnet traffic entering fa0/0 from 10.1.1.254/24 destined to the 172.16.1.0/24 network is permitted.

8. Which two statements are true regarding the following extended ACL? (Choose two.)
access-list 101 deny tcp 172.16.3.0 0.0.0.255 any eq 20
access-list 101 deny tcp 172.16.3.0 0.0.0.255 any eq 21
access-list 101 permit ip any any


FTP traffic originating from network 172.16.3.0/24 is denied.
Web traffic originating from 172.16.3.0 is permitted.


9. Which two statements are true regarding the significance of the access control list wildcard mask 0.0.0.7? (Choose two.)

The first 29 bits of a given IP address will be ignored.
The last 3 bits of a given IP address will be checked.

10. Refer to the exhibit. When creating an extended ACL to deny traffic from the 192.168.30.0 network destined for the Web server 209.165.201.30, where is the best location for applying the ACL?

R3 Fa0/0 inbound

11. How do Cisco standard ACLs filter traffic?

by source IP address

12. Which three items must be configured before a dynamic ACL can become active on a router? (Choose three.)

extended ACL
authentication
Telnet connectivity

13. A network administrator needs to allow traffic through the firewall router for sessions that originate from within the company network, but the administrator must block traffic for sessions that originate outside the network of the company. What type of ACL is most appropriate?

reflexive

14. Which statement about standard ACLs is true?

They should be placed as close to the destination as possible.

15. Which benefit does an extended ACL offer over a standard ACL?

In addition to the source address, an extended ACL can also filter on destination address, destination port, and source port.

16. The following commands were entered on a router:

Router(config)# access-list 2 deny 172.16.5.24
Router(config)# access-list 2 permit any

The ACL is correctly applied to an interface. What can be concluded about this set of commands?

All nodes on the 172.16.0.0 network will be denied access to other networks.

17. Refer to the exhibit. The administrator wishes to block web traffic from 192.168.1.50 from reaching the default port of the web service on 192.168.3.30. To do this, the access control list name is applied inbound on the router R1 LAN interface. After testing the list, the administrator has noted that the web traffic remains successful. Why is web traffic reaching the destination?

The range of source addresses specified in line 10 does not include host 192.168.1.50.

18. Which feature will require the use of a named ACL rather than a numbered ACL?

the ability to edit the ACL and add additional statements in the middle of the list without removing and re-creating the list

19. By default, how is IP traffic filtered in a Cisco router?

permitted in and out of all interfaces

20. Refer to the exhibit. The network administrator applied an ACL outbound on S0/0/0 on router R1. Immediately after the administrator did so, the users on network 172.22.30.0/24 started complaining that they have intermittent access to the resources available on the server on the 10.10.0.0/16 network. On the basis of the configuration that is provided, what is the possible reason for the problem?

The ACL permits the IP packets for users on network 172.22.30.0/24 only during a specific time range.

21. Interface s0/0/0 already has an IP ACL applied inbound. What happens when the network administrator attempts to apply a second inbound IP ACL?

The second ACL is applied to the interface, replacing the first.

22. A technician is creating an ACL and needs a way to indicate only the subnet 172.16.16.0/21. Which combination of network address and wildcard mask will accomplish the desired task?

172.16.16.0 0.0.7.255

23. Refer to the exhibit. Which statement is true about ACL 110 if ACL 110 is applied in the inbound direction on S0/0/0 of R1?

It will permit any TCP traffic that originated from network 172.22.10.0/24 to return inbound on the S0/0/0 interface.

24. Refer to the exhibit. ACL 120 is configured inbound on the serial0/0/0 interface on router R1, but the hosts on network 172.11.10.0/24 are able to telnet to network 10.10.0.0/16. On the basis of the provided configuration, what should be done to remedy the problem?
Apply the ACL outbound on the serial0/0/0 interface on router R1.

25. Which two statements are true regarding named ACLs? (Choose two.)

Names can be used to help identify the function of the ACL.
Certain complex ACLs, such as reflexive ACLs, must be defined with named ACLs.

CCNA v4 - E4 - Module 4 (100%)

http://www.ccna4u.net/

1. What is the best defense for protecting a network from phishing exploits?

Schedule training for all users.

2. What are three characteristics of a good security policy? (Choose three.)

It defines acceptable and unacceptable use of network resources.
It communicates consensus and defines roles.
It defines how to handle security incidents.

3. The Cisco IOS image naming convention allows identification of different versions and capabilities of the IOS. What information can be gained from the filename c2600-d-mz.121-4? (Choose two.)

The software is version 12.1, 4th revision.
The IOS is for the Cisco 2600 series hardware platform.

4. Refer to the exhibit. What is accomplished when both commands are configured on the router?

The commands disable the services such as echo, discard, and chargen on the router to prevent security vulnerabilities.

5. Which two conditions should the network administrator verify before attempting to upgrade a Cisco IOS image using a TFTP server? (Choose two.)

Verify connectivity between the router and TFTP server using the ping command.
Verify that there is enough flash memory for the new Cisco IOS image using the show flash command.

6. Which two statements regarding preventing network attacks are true? (Choose two.)

Physical security threat mitigation consists of controlling access to device console ports, labeling critical cable runs, installing UPS systems, and providing climate control.
Changing default usernames and passwords and disabling or uninstalling unnecessary services are aspects of device hardening.

7. An IT director has begun a campaign to remind users to avoid opening e-mail messages from suspicious sources. Which type of attack is the IT director trying to protect users from?

virus

8. Users are unable to access a company server. The system logs show that the server is operating slowly because it is receiving a high level of fake requests for service. Which type of attack is occurring?

DoS

9. Refer to the exhibit. What is the purpose of the "ip ospf message-digest-key 1 md5 cisco" statement in the configuration?
to specify a key that is used to authenticate routing updates

10. Which two statements define the security risk when DNS services are enabled on the network? (Choose two.)

The basic DNS protocol does not provide authentication or integrity assurance.
The router configuration does not provide an option to set up main and backup DNS servers.

11. Which two statements are true about network attacks? (Choose two.)

A brute-force attack searches to try every possible password from a combination of characters.
Devices in the DMZ should not be fully trusted by internal devices, and communication between the DMZ and internal devices should be authenticated to prevent attacks such as port redirection.
12. Refer to the exhibit. A network administrator is trying to configure a router to use SDM, but it is not functioning correctly. What could be the problem?

The privilege level of the user is not configured correctly.

13. Refer to the exhibit. The network administrator is trying to back up the Cisco IOS router software and receives the output shown. What are two possible reasons for this output? (Choose two.)

The router cannot connect to the TFTP server.
The TFTP server software has not been started.

14
Which two statements are true regarding network security? (Choose two.)

Both experienced hackers who are capable of writing their own exploit code and inexperienced individuals who download exploits from the Internet pose a serious threat to network security.
Protecting network devices from physical damage caused by water or electricity is a necessary part of the security policy.

15. The password recovery process begins in which operating mode and using what type of connection? (Choose two.)

ROM monitor
Direct connection through the console port

16. Which two objectives must a security policy accomplish? (Choose two.)

Document the resources to be protected
Identify the security objectives of the organization

17. Which statement is true about Cisco Security Device Manager (SDM)?

SDM can be run from router memory or from a PC.

18. Which step is required to recover a lost enable password for a router?

Set the configuration register to bypass the startup configuration.

19. Refer to the exhibit. Security Device Manager (SDM) is installed on router R1. What is the result of opening a web browser on PC1 and entering the URL https://192.168.10.1?

The SDM page of R1 appears with a dialog box that requests a username and password.

20. Intrusion detection occurs at which stage of the Security Wheel?

Monitoring

21. Refer to the exhibit. Security Device Manager (SDM) has been used to configure a required level of security on the router. What would be accomplished when the SDM applies the next step on the security problems that are identified on the router?

SDM will reconfigure the services that are marked in the exhibit as “fix it” to apply the suggested security changes.

22
What are two benefits of using Cisco AutoSecure? (Choose two.)

It gives the administrator detailed control over which services are enabled or disabled.
It allows the administrator to configure security policies without having to understand all of the Cisco IOS software features.