CCNA Question Bank P4S12!01!2011




1. To enhance the security of an enterprise network, the network administrator uses ACLs (access control lists). What are two reasons a network administrator would use an access list? (Choose two)
A. [x] To control vty access into a router
B. [ ] To filter traffic that originates from the router
C. [x] To filter traffic as it passes through the router
D. [ ] To prevent viruses from entering the network

Explanation: ACLs on a router serve two purposes here: restricting vty (Telnet/SSH) access to the router itself, and filtering transit traffic as it passes through the router. Option B is wrong because an ACL applied to an interface does not inspect packets the router itself generates; option D is wrong because filtering on addresses and ports is not virus scanning. An ACL takes its name from its filtering role on traffic entering or leaving an interface, but the same lists are reused for other purposes:

- restricting Telnet/SSH access to the vty lines (access-class);
- filtering routing information (distribute lists);
- classifying WAN traffic for priority or custom queuing;
- defining the interesting traffic that triggers dial-on-demand routing (DDR) calls;
- selectively changing the administrative distance of routes.

2. You are a network administrator. To improve the security of a switched network, consider the following options. Which two methods are examples of implementing Layer 2 security on a Cisco switch? (Choose two)
A. [x] Disable trunk negotiation on the switch
B. [ ] Use only protected Telnet sessions to connect to the Cisco device
C. [x] Configure a switch port as a host port (switchport host) where appropriate
D. [ ] Enable HTTP access to the switch for security troubleshooting

Explanation: Layer 2 security means hardening the switch and what it accepts on its ports, not the protocol used to manage it. Disabling DTP trunk negotiation (switchport nonegotiate, or simply fixing ports in access mode) stops an attacker from negotiating a trunk and reaching other VLANs; the switchport host macro sets a port to access mode, enables PortFast and disables EtherChannel negotiation. Telnet and HTTP are both clear-text management protocols, so options B and D weaken rather than improve security. Other Layer 2 mechanisms available on switches:

Layer 2 filtering. Most current switches filter with rules attached to a receiving or sending port. MAC-based rules isolate traffic by source or destination MAC address. IP-based rules (source IP, protocol, source and destination ports) are applied on the port in the same way but are Layer 3 filtering, not Layer 2. When a frame is received or forwarded on the port, the switch checks it against the attached rules and either forwards or discards it.

802.1X port-based access control. To keep unauthorized users off the LAN, the port-based network access control protocol 802.1X is widely used on both wired LANs and WLANs: a port forwards only authentication traffic until the attached user or device has authenticated.

Traffic control. Storm control on a switch limits broadcast, multicast and unknown-unicast traffic on a port so that a flood of such frames cannot saturate switch bandwidth. This keeps the switch and the network stable under abnormal load.

SNMPv3 and SSH. SNMPv3 reorganized the SNMP standards around a security model, the User-based Security Model (USM), which provides authentication, integrity and encryption of management traffic so that an unauthorized party cannot modify, spoof or eavesdrop on it. For remote management over Telnet the weakness is fatal: the username and password cross the network in clear text and are trivially captured. SSH encrypts the whole session, including the credentials, so the password cannot be sniffed and administrators can manage remote devices safely.

3. A single 802.11g access point has been configured and installed in the center of a square-shaped office. A few wireless users are experiencing slow performance and drops while most users are operating at peak efficiency. From the list below, what are three likely causes of this problem? (Choose three)
A. [ ] mismatched TKIP encryption
B. [ ] null SSID
C. [x] cordless phones
D. [ ] mismatched SSID
E. [x] metal file cabinets
F. [x] antenna type or direction

Explanation: Mismatched encryption or SSID settings (A, B, D) prevent a client from associating at all; they do not explain a few users with slow, dropping connections while everyone else works normally. The three answers are all radio-path problems.

C: Cordless phones and other wireless electronics in the office compete with the access point in the 2.4 GHz band that 802.11g uses, so some clients cannot "hear" the access point over the noise. Avoid 2.4 GHz cordless phones near the WLAN; choose phones that use 5.8 GHz or 900 MHz instead.


E: Metal file cabinets reflect and absorb 2.4 GHz signals, so users whose path to the access point crosses them get a weak or multipath-degraded signal while everyone else is fine.

F: The antennas supplied with most access points are omnidirectional, radiating in all directions around the unit. The antenna type and its orientation decide where the signal actually goes; a poorly oriented antenna, or one whose pattern does not suit the room, leaves some users in weak-signal areas. (Mounting an omnidirectional access point near an outside wall likewise sends half of its power outside the office.)

4. The left describes the security features, while the right describes the specific security risks. Drag the items on the left to the proper locations (Note all items can be used).

A. VTY passwords -- remote access to the device console
B. service password-encryption -- viewing of passwords
C. enable secret -- access to privileged mode
D. access-group -- access to connected networks or resources
E. console password -- access to the console 0 line

Explanation: This question checks which password or access feature applies to which mode and line. It is straightforward once you know the difference between the console line, the vty lines, privileged mode and interface ACLs.

5. An administrator is configuring a router that will act as the hub in a Frame Relay hub-and-spoke topology. What is the advantage of using point-to-point subinterfaces instead of a multipoint interface on this router?

A. [x] It avoids split-horizon issues with distance vector routing protocols.
B. [ ] Only one IP network address needs to be used to communicate with all the spoke devices.
C. [ ] Only a single physical interface is needed with point-to-point subinterfaces, whereas a multipoint interface logically combines multiple physical interfaces.
D. [ ] Point-to-point subinterfaces offer greater security compared to a multipoint interface configuration.

Explanation: Split horizon is a loop-prevention rule of distance vector routing protocols: a route learned on an interface is never advertised back out that same interface. On an NBMA network such as Frame Relay in a hub-and-spoke topology with a single multipoint interface at the hub, every spoke's PVC terminates on that one interface, so a route learned from one spoke is not advertised to the other spokes and the spokes never learn each other's networks. IOS disables split horizon by default on Frame Relay physical and multipoint interfaces for RIP and IGRP, but EIGRP keeps it enabled on every interface, and it is always enabled on point-to-point subinterfaces, where it does no harm. There are two ways to deal with the problem: disable split horizon on the multipoint interface (no ip split-horizon, or no ip split-horizon eigrp <as>) and accept that the resulting loop risk must be controlled with distribute lists; or replace the multipoint interface with point-to-point subinterfaces, one per PVC, so that each spoke is reached through its own logical interface. Note that each point-to-point subinterface then needs its own subnet, which is why option B is not an advantage of that design.

6. The left describes the types of cables, while the right describes the purposes of the cables. Drag the items on the left to the proper locations. (Note all items can be used).

A. Straight-through -- switch access port to router
B. Crossover -- switch to switch
C. Rollover -- PC COM port to switch console

Explanation: A crossover cable connects like devices (switch to switch, router to router, PC to PC). A straight-through cable connects unlike devices (switch to router, switch to PC). A rollover cable connects a PC's serial (COM) port to the console port of a switch or router.

7. Refer to the graphic. It has been decided that P4S-workstation1 should be denied access to Server1. Which of the following commands are required to prevent only P4S-workstation1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two)

A. [ ] P4S-RA(config)# interface fa0/0
P4S-RA(config-if)# ip access-group 101 out
B. [x] P4S-RA(config)# interface fa0/0
P4S-RA(config-if)# ip access-group 101 in
C. [x] P4S-RA(config)# access-list 101 deny ip host 172.16.161.159 host 172.16.162.163
P4S-RA(config)# access-list 101 permit ip any any
D. [ ] P4S-RA(config)# access-list 101 deny ip 172.16.161.150 0.0.0.255 172.16.162.163 0.0.0.0
P4S-RA(config)# access-list 101 permit ip any any

Explanation: The administrator implements access control on router P4S-RA. Traffic from P4S-workstation1 to Server1 crossing P4S-RA must be refused, and all other traffic must cross P4S-RA normally. The access list therefore denies datagrams from the one specified source to the one specified destination and permits everything else. Option D is wrong because the wildcard 0.0.0.255 would deny every host in 172.16.161.0/24, not just the workstation. Option A is wrong because fa0/0 faces the workstation, so an outbound list there never sees the workstation's traffic toward Server1. Two placement rules apply:
1. A standard access list is placed as close to the destination as possible.
2. An extended access list is placed as close to the source as possible.
There are two ways to solve this problem:


1. Apply the access list to interface fa0/0 in the inbound direction.
P4S-RA(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
P4S-RA(config)# access-list 101 permit ip any any
P4S-RA(config)# interface fa0/0
P4S-RA(config-if)# ip access-group 101 in
P4S-RA(config-if)# exit

2. Apply the access list to interface fa0/1 in the outbound direction.
P4S-RA(config)# access-list 101 deny ip host 172.16.161.150 host 172.16.162.163
P4S-RA(config)# access-list 101 permit ip any any
P4S-RA(config)# interface fa0/1
P4S-RA(config-if)# ip access-group 101 out
P4S-RA(config-if)# exit

Both methods work in practice. The first is preferred, because the unwanted packet is dropped on arrival before the router spends a routing lookup on it, which is the reason extended lists are placed near the source. In the exam, however, answer with the options offered; the exam and a production network are not exactly the same.

8. As the security administrator of an enterprise network, you will see many different types of attacks that threaten it. Which type of attack is characterized by a flood of packets requesting a TCP connection to a server?

A. [x] denial of service
B. [ ] computer virus
C. [ ] reconnaissance
D. [ ] Trojan horse

Explanation: A flood of TCP connection requests (a SYN flood) is a denial of service (DoS) attack. DDoS is short for distributed denial of service. Any action that leaves legitimate users unable to reach a normal network service counts as denial of service; the attacker's purpose is simply to block legitimate access. DoS and DDoS differ in method, although both deny service. A DDoS attack sends a large volume of seemingly legitimate packets to the victim from many "zombie" hosts (compromised machines used as intermediaries), congesting the network or exhausting server resources until the service stops responding; the attack traffic swamps the packets of legitimate users, who can no longer reach the server. Such attacks are therefore also called flood attacks; the most common forms are SYN flood, ACK flood, UDP flood, ICMP flood, connection flood, script flood and proxy flood. A classic single-source DoS attack instead exploits a specific weakness of the host to crash its network stack or the system itself, so that it can no longer serve anyone.
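The SYN flood named above is the easiest of these floods to recognise in flow data: many half-open connections (a client SYN never followed by the client's completing ACK) to one service, typically from many spoofed sources. The following detector is an added example, not part of the question bank; the flow records are constructed, and the record layout, the threshold and the function names are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the page): (time, src, dst, dport, tcp_flags).
# "S" is the client's SYN, "A" is the client's ACK that completes the handshake.
# Server-side SYN-ACKs are left out; they would never carry a client-side key.
FLOWS = [
    (0.0, "10.0.0.100", "10.0.0.5", 80, "S"),
    (0.1, "10.0.0.100", "10.0.0.5", 80, "A"),
    (0.2, "10.0.0.101", "10.0.0.5", 443, "S"),
    (0.3, "10.0.0.101", "10.0.0.5", 443, "A"),
    (0.4, "10.0.0.102", "10.0.0.5", 80, "S"),   # handshake still in progress
] + [
    # eight spoofed sources, one SYN each, no ACK ever comes back
    (1.0 + i * 0.01, f"198.51.100.{i}", "10.0.0.5", 80, "S") for i in range(1, 9)
]


def half_open_connections(flows):
    """Return {(src, dst, dport): syn_time} for SYNs never followed by the client's ACK.

    Records are processed in time order so an ACK that arrives before its SYN
    (out-of-order export) is ignored rather than wrongly closing a connection.
    """
    pending = {}
    for ts, src, dst, dport, flags in sorted(flows):
        key = (src, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            pending.pop(key, None)
    return pending


def detect_syn_flood(flows, threshold=5):
    """Targets (dst, dport) with at least `threshold` distinct sources left half-open.

    Counting distinct sources rather than raw SYNs keeps a single slow client
    from tripping the alarm; a flood from spoofed addresses shows up as many
    sources that each never complete. (A flood from one real source repeating
    SYNs would need the source port added to the key to be counted properly.)
    """
    per_target = defaultdict(set)
    for src, dst, dport in half_open_connections(flows):
        per_target[(dst, dport)].add(src)
    return {target: len(srcs) for target, srcs in per_target.items() if len(srcs) >= threshold}


if __name__ == "__main__":
    for (dst, dport), n in detect_syn_flood(FLOWS).items():
        print(f"possible SYN flood against {dst}:{dport}: {n} half-open sources")
```

On the constructed data the legitimate clients complete their handshakes and disappear from the pending table; the one slow client plus the eight spoofed sources leave nine half-open connections to port 80, which crosses the threshold, while port 443 stays quiet.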

9. How many subnets can be gained by subnetting 172.17.32.0/23 into a /27 mask, and how many usable host addresses will there be per subnet?

A. [ ] 8 subnets, 31 hosts
B. [ ] 8 subnets, 32 hosts
C. [x] 16 subnets, 30 hosts
D. [ ] A Class B address can't be subnetted into the fourth octet

Explanation: Going from /23 to /27 borrows 4 bits from the host part, giving 2^4 = 16 subnets. A /27 leaves 5 host bits, giving 2^5 = 32 addresses per subnet, of which the network and broadcast addresses cannot be assigned, so 30 hosts are usable. Classless subnetting places no restriction on crossing octet boundaries, so D is wrong.
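The arithmetic behind the answer, carried through in code as an added example that is not part of the question bank: borrowed bits give the subnet count, the remaining host bits minus the network and broadcast addresses give the usable hosts, and the standard library enumerates the ranges for any block and prefix, not only the /23 to /27 case. The function names are assumptions.

```python
import ipaddress


def subnet_plan(block: str, new_prefix: int):
    """Split `block` (e.g. 172.17.32.0/23) into /new_prefix subnets.

    Returns (subnet_count, usable_hosts, subnets); `subnets` is a list of
    (network, first_usable, last_usable, broadcast) strings.
    """
    net = ipaddress.ip_network(block, strict=True)   # rejects a block with host bits set
    if not net.prefixlen <= new_prefix <= 30:
        raise ValueError("new prefix must lie between the block's prefix and /30")
    borrowed = new_prefix - net.prefixlen            # bits taken from the host part
    host_bits = net.max_prefixlen - new_prefix       # bits left for host addresses
    subnets = []
    for sub in net.subnets(new_prefix=new_prefix):
        subnets.append((str(sub.network_address),
                        str(sub.network_address + 1),      # first usable host
                        str(sub.broadcast_address - 1),    # last usable host
                        str(sub.broadcast_address)))
    return 2 ** borrowed, 2 ** host_bits - 2, subnets


def subnet_of(block: str, new_prefix: int, address: str) -> str:
    """Which /new_prefix subnet of `block` contains `address`? Raises if it is outside."""
    net = ipaddress.ip_network(block, strict=True)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {block}")
    # strict=False masks the host bits off so the network for the address is returned
    return str(ipaddress.ip_network(f"{address}/{new_prefix}", strict=False))


if __name__ == "__main__":
    count, hosts, subnets = subnet_plan("172.17.32.0/23", 27)
    print(f"{count} subnets, {hosts} usable hosts each")
    for network, first, last, broadcast in subnets:
        print(f"{network}/27  hosts {first} - {last}  broadcast {broadcast}")
    print(subnet_of("172.17.32.0/23", 27, "172.17.33.100"))
```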

10. Part of a WAN is shown below:

The WAN configuration is shown below:
Cisco# show ip route
C 192.168.1.0/24 is directly connected, FastEthernet0/1.1
C 192.168.2.0/24 is directly connected, FastEthernet0/1.2
The network administrator has created a new VLAN on the switch attached to router Cisco and added host P4SC and host P4SD to it. The administrator has correctly configured switch interfaces FastEthernet0/13 and FastEthernet0/14 as members of the new VLAN. However, after the configuration was completed, host P4SA could communicate with host P4SB, but host P4SA could not communicate with host P4SC or P4SD. Which commands are required to resolve this problem?

A. [x] Cisco(config)# interface fastethernet0/1.3
Cisco(config-if)# encapsulation dot1q 3
Cisco(config-if)# ip address 192.168.3.1 255.255.255.0

B. [ ] Cisco(config)# router rip
Cisco(config-router)# network 192.168.5.0
Cisco(config-router)# network 192.168.3.0
Cisco(config-router)# network 192.168.8.0

C. [ ] Cisco# vlan database
Cisco(vlan)# vtp v2-mode
Cisco(vlan)# vtp password cisco
Cisco(vlan)# vtp server

D. [ ] Cisco(config)# interface fastethernet0/15
Cisco(config-if)# switchport mode trunk
Cisco(config-if)# switchport trunk encapsulation dot1q

Explanation: The router has subinterfaces only for the two existing VLANs (192.168.1.0/24 on Fa0/1.1 and 192.168.2.0/24 on Fa0/1.2). Hosts in the new VLAN can reach each other through the switch, but nothing routes between the new VLAN and the others until the router has a dot1q subinterface for it with an address in the new subnet, which is what option A adds. VTP changes (C) and an extra trunk port (D) do not give the new VLAN a Layer 3 gateway, and RIP (B) cannot advertise a network the router is not connected to.

11. Given the partial router configuration in the graphic, why do P4S-PC1 and P4S-PC2, with IP addresses in 192.168.1.153/28, fail to access the Internet? (Choose two)

A. [x] The NAT inside interfaces are not configured properly
B. [ ] The NAT outside interfaces are not configured properly
C. [x] The router is not properly configured to use the access control list for NAT
D. [ ] The NAT pool is not properly configured to use routable outside addresses

Explanation: The partial configuration of the border router shows that NAT is in use. When P4S-PC1 and P4S-PC2 reach for the outside network, their packets must be translated by NAT on P4S-RA before being routed to the Internet, yet the PCs get no connectivity. Checking the NAT configuration on P4S-RA shows two faults: the ip nat inside designation is not applied to the interface the PCs sit behind, and the ip nat inside source list command refers to an access list that does not match the inside addresses (or does not exist), so no packet is ever selected for translation. Both must be fixed; a correct pool alone translates nothing.

12. A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet 192.168.1.128/28 to the Server at 192.168.1.5. What command should be issued to accomplish this task?

A. [x] access-list 101 deny tcp 192.168.1.128 0.0.0.15 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any

B. [ ] access-list 101 deny tcp 192.168.1.128 0.0.0.240 192.168.1.5 0.0.0.0 eq 23
access-list 101 permit ip any any

C. [ ] access-list 1 deny tcp 192.168.1.128 0.0.0.255 192.168.1.5 0.0.0.0 eq 23
access-list 1 permit ip any any

D. [ ] access-list 1 deny tcp 192.168.1.128 0.0.0.15 host 192.168.1.5 eq 23
access-list 1 permit ip any any

Explanation: Matching on protocol and port requires an extended access list, numbered 100-199 (or 2000-2699); standard lists in the 1-99 range match only the source address, so the syntax in C and D is invalid. The subnet 192.168.1.128/28 has the mask 255.255.255.240, whose inverse, the wildcard, is 0.0.0.15. Option B's wildcard 0.0.0.240 masks the wrong bits and would match almost nothing in the intended range. Telnet is TCP port 23, the server is given as a single host (0.0.0.0 wildcard or the host keyword), and the closing permit ip any any keeps all other traffic flowing; without it the implicit deny at the end of the list would block everything.

13. Part of the network is shown below:

In this network segment, the following ACL was configured on the S0/0 interface of router P4S-RA1 in the outbound direction:
access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet
Which two packets, if routed to the interface, will be denied by this entry? (Choose two)

A. [ ] source IP address 192.168.15.49, destination port 23
B. [ ] source IP address 192.168.15.41, destination port 21
C. [ ] source IP address 192.168.15.37, destination port 21
D. [x] source IP address 192.168.15.36, destination port 23
E. [x] source IP address 192.168.15.46, destination port 23

Explanation: The entry denies the network 192.168.15.32 with wildcard 0.0.0.15, that is 192.168.15.32/28, covering 192.168.15.32 through 192.168.15.47. Telnet (TCP port 23) from any host in that range is denied, which is D and E. The source 192.168.15.49 (A) is outside the range, and B and C are FTP control connections (port 21), which this entry does not match. Note for real deployments: every IOS ACL ends in an implicit deny, so if this entry were the only line in access list 101, the packets in A, B and C would be dropped too, by the implicit deny rather than by this entry. The question assumes a permit entry follows.
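A small evaluator for the IOS extended access list syntax used in questions 7, 12 and 13, added here as an example that is not part of the question bank: it parses access-list lines, applies the wildcard-mask rule (a 1 bit means "don't care"), returns the first matching entry in order, and falls through to the implicit deny when nothing matches. The packet addresses, the permit line appended to question 13's list, the rejection of standard list numbers for protocol matches, and all function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # from "eq <port>", None when absent


def _ip(s: str) -> int:
    return int(ipaddress.ip_address(s))


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Bits set to 1 in the wildcard are ignored; bits set to 0 must match."""
    care = 0xFFFFFFFF ^ _ip(wild)
    return _ip(addr) & care == _ip(net) & care


def wildcard_range(net: str, wild: str):
    """First and last address an address/wildcard pair covers (contiguous wildcards)."""
    w = _ip(wild)
    first = _ip(net) & (0xFFFFFFFF ^ w)
    return str(ipaddress.ip_address(first)), str(ipaddress.ip_address(first | w))


def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    t = tokens[i].lower()
    if t == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <number> <permit|deny> <proto> <src> <dst> [eq <port>]'."""
    t = line.split()
    if t[0].lower() != "access-list":
        raise ValueError("expected an access-list statement: " + line)
    number = int(t[1])
    if not (100 <= number <= 199 or 2000 <= number <= 2699):
        raise ValueError(f"ACL {number} is not extended; it cannot match protocol or port")
    action, proto = t[2].lower(), t[3].lower()
    src, src_w, i = _addr(t, 4)
    dst, dst_w, i = _addr(t, i)
    dport = None
    if i < len(t) and t[i].lower() == "eq":
        name = t[i + 1].lower()
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, src_w, dst, dst_w, dport)


def evaluate(acl, pkt: Packet):
    """First matching entry wins: returns (action, index). No match: ("deny", None)."""
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, ace.src, ace.src_wild):
            continue
        if not wildcard_match(pkt.dst, ace.dst, ace.dst_wild):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, idx
    return "deny", None   # the implicit deny at the end of every IOS ACL


# Question 13's list; the permit line is an assumption, the page shows only the deny.
Q13_ACL = [parse_ace("access-list 101 deny tcp 192.168.15.32 0.0.0.15 any eq telnet"),
           parse_ace("access-list 101 permit ip any any")]

if __name__ == "__main__":
    print("denied range:", wildcard_range("192.168.15.32", "0.0.0.15"))
    for pkt in (Packet("tcp", "192.168.15.49", "10.1.1.1", 23),
                Packet("tcp", "192.168.15.36", "10.1.1.1", 23),
                Packet("tcp", "192.168.15.41", "10.1.1.1", 21)):
        print(pkt.src, pkt.dport, evaluate(Q13_ACL, pkt))
    print("deny entry alone:", evaluate(Q13_ACL[:1], Packet("tcp", "192.168.15.49", "10.1.1.1", 23)))
```

Running the deny entry on its own (Q13_ACL[:1]) shows the implicit-deny caveat from the explanation: the 192.168.15.49 packet is still dropped, with no entry index, because nothing permitted it.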

14. Cisco IOS (Internetwork Operating System) is the software used on the vast majority of Cisco Systems routers and all current Cisco network switches. Which two of the following could you configure as a source for the IOS image in the boot system command? (Choose two)

A. [ ] HTTP server
B. [ ] Telnet server
C. [x] Flash memory
D. [x] TFTP server

Explanation: This question examines where an IOS image can be stored and loaded from at startup. The boot system command can name an image in flash memory or on a TFTP server (or fall back to the image in ROM); HTTP and Telnet servers are not boot sources.

15. On a network of one department, there are four PCs connected to a switch, as shown in the following figure:

A. [ ] P4S1 will add 192.168.23.12 to the switching table
B. [ ] P4S1 will add 192.168.23.4 to the switching table
C. [x] P4S1 will add 000A.8A47.E612 to the switching table
D. [ ] P4S1 will add 000B.DB95.2EE9 to the switching table

Explanation: P4S1 has just restarted and passed POST, so its MAC address table is empty. When P4SA sends its first frame to P4SC, P4S1 records the source MAC address of P4SA together with the port it arrived on. A switch learns from the source MAC address of each frame, never the destination, and it stores MAC addresses, not IP addresses.

16. Look at the network topology exhibited:


Output exhibit:
C:\>arp -a
Interface: 192.168.1.95 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.95          00-60-0f-2e-14-c6     dynamic
You work as a network technician at P4S and you issued the arp -a command on a host named P4SA, as shown above. The user of host P4SA wants to ping the DSL modem/router at 192.168.1.254. Based on the ARP table of host P4SA shown in the exhibit, what will host P4SA do?

A. [ ] send a unicast ARP packet to the DSL modem/router
B. [x] send unicast ICMP packets to the DSL modem/router
C. [ ] send Layer 3 broadcast packets to which the DSL modem/router responds
D. [ ] send a Layer 2 broadcast that is received by P4S2, the switch, and the DSL modem/router

Explanation: Before sending an ICMP echo request, host P4SA looks up the MAC address of the target IP 192.168.1.254 in its ARP cache. If the mapping is present, it sends the ICMP packet directly as a unicast frame; only if the mapping is missing does it send a broadcast ARP request to discover the MAC address. The question states that the cache already holds the mapping for 192.168.1.254, so P4SA sends unicast ICMP packets to the DSL modem/router.

17. Study the exhibit carefully. Each of the four P4S switches has been configured with a hostname and configured to run RSTP. No other configuration changes have been made. Which switch will have only one forwarding interface?

A. [ ] P4S-SA
B. [x] P4S-SB
C. [ ] P4S-SC
D. [ ] P4S-SD

Explanation:
1.1 Identify the root bridge. The root is elected on the lowest bridge ID, which is the bridge priority (default 32768) followed by the bridge MAC address. With every switch at the default priority, the root is the switch with the lowest MAC address, here P4S-SC.

1.2 Identify the root ports. Every non-root switch selects one root port: the port with the lowest root path cost to the root bridge (ties broken by the neighbour's bridge ID and then port ID). In this exhibit, F0/1 of P4S-SA, Gi0/1 of P4S-SB and Gi0/2 of P4S-SD are the root ports.

1.3 Determine designated and blocked ports. On each link, the end belonging to the switch with the lower root path cost (or lower bridge ID on a tie) becomes the designated port; the other end, unless it is that switch's root port, is blocked. Working this through the exhibit, Gi0/2 on P4S-SB is blocked, leaving P4S-SB with only one forwarding interface.