Admin Staff asked 3 months ago
You have been tasked with configuring multilayer SwitchC, which has a partial configuration and has been attached to RouterC as shown in the topology diagram.
You need to configure SwitchC so that Hosts H1 and H2 can successfully ping the server S1.
Also SwitchC needs to be able to ping server S1.
Due to administrative restrictions and requirements you should not add/delete vlans or create trunk links. Company policies forbid the use of static or default routing. All routes must be learned via EIGRP 65010 routing protocol.
You do not have access to RouterC. RouterC is correctly configured. No trunking has been configured on RouterC.
Routed interfaces should use the lowest host on a subnet when possible. The following subnets are available to implement this solution:
10.10.10.0/24
190.200.250.32/27
190.200.250.64/27
Hosts H1 and H2 are configured with the correct IP address and default gateway.
SwitchC uses Cisco as the enable password.
Routing must only be enabled for the specific subnets shown in the diagram.
Note: Due to administrative restrictions and requirements you should not add or delete VLANs, change VLAN port assignments or create trunks. Company policies forbid the use of static or default routing. All routes must be learned via the EIGRP routing protocol.
Exhibit: topology diagram and configuration images (not reproduced here)
Suggested Answer:
There are two ways to configure interVLAN routing in this case:
+ Use RouterC as a "router on a stick" and SwitchC as a pure Layer 2 switch. Trunking must be established between RouterC and SwitchC.
+ Only use SwitchC for interVLAN routing without using RouterC: SwitchC is configured as a Layer 3 switch (which supports the ip routing function, acting as a router). No trunking is required.
The question clearly states "No trunking has been configured on RouterC" so RouterC does not contribute to interVLAN routing of hosts H1 & H2 -> SwitchC must be configured as a Layer 3 switch with SVIs for interVLAN routing.
We should check the default gateways on H1 & H2. Click on H1 and H2 and type the "ipconfig" command to get their default gateways.
C:\>ipconfig
We will get the default gateways as follows:
Host1:
+ Default gateway: 190.200.250.33
Host2:
+ Default gateway: 190.200.250.65
Now we have enough information to configure SwitchC (notice the EIGRP AS in this case is 650).
Note: VLAN2 and VLAN3 were already created and the gi0/10 and gi0/11 interfaces were configured as access ports, so we don't need to configure them in this sim.
SwitchC# configure terminal
SwitchC(config)# int gi0/1
SwitchC(config-if)# no switchport -> without this command, the simulator does not let you assign an IP address to the Gi0/1 interface.
SwitchC(config-if)# ip address 10.10.10.2 255.255.255.0 -> RouterC has used IP 10.10.10.1, so this is the lowest usable IP address.
SwitchC(config-if)# no shutdown
SwitchC(config-if)# exit
SwitchC(config)# int vlan 2
SwitchC(config-if)# ip address 190.200.250.33 255.255.255.224
SwitchC(config-if)# no shutdown
SwitchC(config-if)# int vlan 3
SwitchC(config-if)# ip address 190.200.250.65 255.255.255.224
SwitchC(config-if)# no shutdown
SwitchC(config-if)# exit
SwitchC(config)# ip routing -> notice: the MLS will not route without this command.
SwitchC(config)# router eigrp 65010
SwitchC(config-router)# network 10.10.10.0 0.0.0.255
SwitchC(config-router)# network 190.200.250.32 0.0.0.31
SwitchC(config-router)# network 190.200.250.64 0.0.0.31
NOTE: THE ROUTER IS CORRECTLY CONFIGURED, so you will not need to touch it in the exam; also, do not modify or delete any port, just apply the configuration above. Some reports also said that the "no auto-summary" command can't be used in the simulator; in fact it is not necessary, because the network 190.200.0.0/16 is not used anywhere else in this topology.
To complete the lab, you should expect the ping to the server to succeed from the MLS, and from the PCs as well.
Also make sure you use the correct EIGRP AS number (in the configuration above it is 650, but it will change when you take the exam). We are not allowed to access RouterC, so the only way to find out the EIGRP AS is to look at the exhibit above. If you use the wrong AS number, no neighbor relationship is formed between RouterC and SwitchC.
In fact, we are pretty sure that instead of using the two commands "network 190.200.250.32 0.0.0.31" and "network 190.200.250.64 0.0.0.31" we could use the single command "network 190.200.0.0", because it is the nature of a distance vector routing protocol like EIGRP that only major networks need to be advertised; even without the "no auto-summary" command the network still works correctly. But in the exam the sim is just a Flash-based simulator, so we should use the two commands above, just to be safe. After finishing the configuration, we can use the "show run" command to verify; only the summarized network 190.200.0.0 is shown.
Question Set 1
QUESTION 1
A Cisco Catalyst switch that is prone to reboots continues to rebuild the DHCP snooping database. What is the solution to avoid the snooping database from being rebuilt after every device reboot?
A. A DHCP snooping database agent should be configured.
B. Enable DHCP snooping for all VLANs that are associated with the switch.
C. Disable Option 82 for DHCP data insertion.
D. Use IP Source Guard to protect the DHCP binding table entries from being lost upon rebooting.
E. Apply ip dhcp snooping trust on all interfaces with dynamic addresses.
Explanation:
Minimum DHCP Snooping Configuration
The minimum configuration steps for the DHCP snooping feature are as follows:
1. Define and configure the DHCP server.
2. Enable DHCP snooping on at least one VLAN.
By default, DHCP snooping is inactive on all VLANs.
3. Ensure that the DHCP server is connected through a trusted interface. By default, the trust state of all interfaces is untrusted.
4. Configure the DHCP snooping database agent.
This step ensures that database entries are restored after a restart or switchover.
5. Enable DHCP snooping globally.
The feature is not active until you complete this step.
Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html#wp1090479
QUESTION 2
Which portion of AAA looks at what a user has access to?
A. authorization
B. authentication
C. accounting
D. auditing
Explanation:
AAA consists of the following three elements:
Authentication: Identifies users by login and password using a challenge and response methodology before the user even gains access to the network. Depending on your security options, it can also support encryption.
Authorization: After initial authentication, authorization looks at what that authenticated user has access to do. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs, which would be specific to the individual user rights. In the Cisco IOS, you can define AAA authorization with a named list or authorization method.
Accounting: The last "A" is for accounting. It provides a way of collecting security information that you can use for billing, auditing, and reporting. You can use accounting to see what users do once they are authenticated and authorized. For example, with accounting, you could get a log of when users logged in and when they logged out.
Reference: http://www.techrepublic.com/blog/data-center/what-is-aaa-and-how-do-you-configure-it-in-the-cisco-ios/
QUESTION 3
Which command creates a login authentication method named "login" that will primarily use RADIUS and fail over to the local user database?
A. (config)# aaa authentication login default radius local
B. (config)# aaa authentication login login radius local
C. (config)# aaa authentication login default local radius
D. (config)# aaa authentication login radius local
Explanation:
In the command "aaa authentication login login radius local", the second "login" is the name of the AAA method list. It also lists radius first and then local, so it will primarily use RADIUS for authentication and fail over to the local user database only if the RADIUS server is unreachable.
QUESTION 4
A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP snooping. For more protection against malicious attacks, the network team is considering enabling dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server maintains network reachability in the future?
A. Disable DHCP snooping information option.
B. Configure a static DHCP snooping binding entry on the switch.
C. Trust the interface that is connected to the server with the ip dhcp snooping trust command.
D. Verify the source MAC address of all untrusted interfaces with the ip dhcp snooping verify mac-address command.
Explanation:
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination.
+ Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid. To ensure network reachability to the server, configure a static DHCP snooping binding entry on the switch.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swdynarp.html
QUESTION 5
A network engineer wants to ensure Layer 2 isolation of customer traffic using a private VLAN. Which configuration must be made before the private VLAN is configured?
A. Disable VTP and manually assign VLANs.
B. Ensure all switches are configured as VTP server mode.
C. Configure VTP Transparent Mode.
D. Enable VTP version 3.
Explanation:
You must configure VTP to transparent mode before you can create a private VLAN. Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.
Reference: http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=6
QUESTION 6
DHCP snooping and IP Source Guard have been configured on a switch that connects to several client workstations. The IP address of one of the workstations does not match any entries found in the DHCP binding database. Which statement describes the outcome of this scenario?
A. Packets from the workstation will be rate limited according to the default values set on the switch.
B. The interface that is connected to the workstation in question will be put into the errdisabled state.
C. Traffic will pass accordingly after the new IP address is populated into the binding database.
D. The packets originating from the workstation are assumed to be spoofed and will be discarded.
Explanation:
The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
You can configure IP source guard with source IP address filtering, or with source IP and MAC address filtering. When IP source guard is enabled with source IP address filtering, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table. When IP source guard is enabled with source IP and MAC address filtering, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table. If there is no match, the packets are assumed to be spoofed and will be discarded.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html#ipsourceguard
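The forwarding decision described in Questions 4 and 6 (binding lookup in both filtering modes, DHCP packets still permitted, and a static binding rescuing a statically addressed server), as an added Python model that is not part of the original page or any Cisco code; the interface names, VLAN, IP and MAC addresses are constructed sample data:

```python
# Added example (not from the original page or Cisco): a small model of the
# forwarding decision IP Source Guard makes on a port with DHCP snooping,
# covering the two filtering modes and the static-binding fix from Question 4.
# All bindings, port names, MAC and IP addresses below are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Filter(Enum):
    IP = "ip"          # "ip verify source": match source IP only
    IP_MAC = "ip-mac"  # "ip verify source port-security": match source IP and MAC


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False  # True for a manually configured (static) binding


@dataclass
class Frame:
    src_ip: str
    src_mac: str
    vlan: int
    ingress: str
    udp_dport: Optional[int] = None  # 67 marks a DHCP client-to-server message


@dataclass
class Switch:
    bindings: set = field(default_factory=set)     # IP source binding table
    isg_ports: dict = field(default_factory=dict)  # interface -> Filter mode
    trusted: set = field(default_factory=set)      # "ip dhcp snooping trust" ports

    def learn_from_dhcp(self, ip, mac, vlan, interface):
        """Binding DHCP snooping adds when it sees a lease granted on an untrusted port."""
        self.bindings.add(Binding(ip, mac, vlan, interface))

    def add_static_binding(self, ip, mac, vlan, interface):
        """Static binding for a host with a fixed address (the Question 4 solution)."""
        self.bindings.add(Binding(ip, mac, vlan, interface, static=True))

    def forward(self, f: Frame):
        """Return (forwarded?, reason) for one frame arriving on f.ingress."""
        mode = self.isg_ports.get(f.ingress)
        if f.ingress in self.trusted or mode is None:
            return True, "no IP source guard on this port"
        if f.udp_dport == 67:
            # DHCP packets are let through so an untrusted host can still get a lease
            return True, "DHCP client message permitted by DHCP snooping"
        for b in self.bindings:
            if (b.interface, b.vlan, b.ip) != (f.ingress, f.vlan, f.src_ip):
                continue
            if mode is Filter.IP_MAC and b.mac != f.src_mac:
                continue
            return True, "matches %s binding" % ("static" if b.static else "dynamic")
        return False, "no matching binding: assumed spoofed and discarded"


def demo():
    """Walk through the page's scenarios; returns a dict of forwarding decisions."""
    sw = Switch(isg_ports={"Gi0/1": Filter.IP_MAC, "Gi0/2": Filter.IP}, trusted={"Gi0/24"})
    sw.learn_from_dhcp("192.0.2.10", "0010.7b00.1540", 10, "Gi0/1")
    out = {}
    # host that obtained its lease through DHCP snooping on Gi0/1
    out["dhcp_host"] = sw.forward(Frame("192.0.2.10", "0010.7b00.1540", 10, "Gi0/1"))[0]
    # same IP from a different MAC: rejected in IP+MAC mode
    out["mac_mismatch"] = sw.forward(Frame("192.0.2.10", "0010.7b00.1545", 10, "Gi0/1"))[0]
    # statically addressed server on Gi0/2 with no binding (the Question 6 outcome)
    server = Frame("192.0.2.50", "0010.0de0.e289", 10, "Gi0/2")
    out["static_server_before"] = sw.forward(server)[0]
    # add the static binding (the Question 4 fix) and retry
    sw.add_static_binding("192.0.2.50", "0010.0de0.e289", 10, "Gi0/2")
    out["static_server_after"] = sw.forward(server)[0]
    # a DHCP discover from a not-yet-bound host is still allowed through
    out["dhcp_discover"] = sw.forward(Frame("0.0.0.0", "0010.7b00.aaaa", 10, "Gi0/2", 67))[0]
    # a frame from the trusted uplink is not filtered at all
    out["trusted_uplink"] = sw.forward(Frame("192.0.2.1", "0010.7b00.0001", 10, "Gi0/24"))[0]
    return out
```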
QUESTION 7
A DHCP configured router is connected directly to a switch that has been provisioned with DHCP snooping. IP Source Guard with the ip verify source port-security command is configured under the interfaces that connect to all DHCP clients on the switch. However, clients are not receiving an IP address via the DHCP server.
Which option is the cause of this issue?
A. The DHCP server does not support information option 82.
B. The DHCP client interfaces have storm control configured.
C. Static DHCP bindings are not configured on the switch.
D. DHCP snooping must be enabled on all VLANs, even if they are not utilized for dynamic address allocation.
Explanation:
When you enable both IP Source Guard and Port Security, using the ip verify source port-security interface configuration command, there are two caveats:
+ The DHCP server must support option 82, or the client is not assigned an IP address.
+ The MAC address in the DHCP packet is not learned as a secure address. The MAC address of the DHCP client is learned as a secure address only when the switch receives non-DHCP data traffic.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/swdhcp82.html#wp1069615
QUESTION 8
A switch is added into the production network to increase port capacity. A network engineer is configuring the switch for DHCP snooping and IP Source Guard, but is unable to configure ip verify source under several of the interfaces. Which option is the cause of the problem?
A. The local DHCP server is disabled prior to enabling IP Source Guard.
B. The interfaces are configured as Layer 3 using the no switchport command.
C. No VLANs exist on the switch and/or the switch is configured in VTP transparent mode.
D. The switch is configured for sdm prefer routing as the switched database management template.
E. The configured SVIs on the switch have been removed for the associated interfaces.
Explanation:
IP source guard is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.
You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.
IP source guard is supported only on Layer 2 ports, including access and trunk ports. You can configure IP source guard with source IP address filtering or with source IP and MAC address filtering.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/swdhcp82.html#wp1069615
QUESTION 9
The command storm-control broadcast level 75 65 is configured under the switch port connected to the corporate mail server. In which three ways does this command impact the traffic? (Choose three.)
A. SNMP traps are sent by default when broadcast traffic reaches 65% of the lower-level threshold.
B. The switchport is disabled when unicast traffic reaches 75% of the total interface bandwidth.
C. The switch resumes forwarding broadcasts when they are below 65% of bandwidth.
D. Only broadcast traffic is limited by this particular storm control configuration.
E. Multicast traffic is dropped at 65% and broadcast traffic is dropped at 75% of the total interface bandwidth.
F. The switch drops broadcasts when they reach 75% of bandwidth.
Answer: CDF
Explanation:
storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}: Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled.
The keywords have these meanings:
+ For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The range is 0.00 to 100.00.
+ (Optional) For level-low, specify the falling threshold level as a percentage (up to two decimal places) of the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00.
In this case, the broadcast keyword was used, so only broadcast traffic is limited.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/swtrafc.html
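The rising/falling threshold behaviour for "storm-control broadcast level 75 65", as an added Python model (not code from the original page or from Cisco). It parses the command syntax shown in the explanation, defaults the falling threshold to the rising one when it is omitted, and walks a constructed series of per-interval utilisation samples through the block/forward hysteresis; the samples and the suffix-free numeric pps form are assumptions:

```python
# Added example (not from the original page or Cisco): parses the storm-control
# command form shown in the explanation and models the rising/falling threshold
# behaviour for "storm-control broadcast level 75 65". Utilisation samples are
# constructed; a real switch measures them once per interval.
import re
from dataclasses import dataclass

CMD_RE = re.compile(
    r"storm-control\s+(broadcast|multicast|unicast)\s+(level|pps)\s+"
    r"(\d+(?:\.\d+)?)(?:\s+(\d+(?:\.\d+)?))?"
)


@dataclass
class StormControl:
    traffic: str    # broadcast | multicast | unicast
    unit: str       # "level" = percent of bandwidth, "pps" = packets per second
    rising: float
    falling: float

    @classmethod
    def parse(cls, cmd: str) -> "StormControl":
        m = CMD_RE.fullmatch(cmd.strip())
        if not m:
            raise ValueError("unrecognised storm-control command: %r" % cmd)
        traffic, unit, hi, lo = m.groups()
        rising = float(hi)
        # the falling threshold defaults to the rising threshold when omitted
        falling = float(lo) if lo is not None else rising
        if unit == "level" and not (0.0 <= falling <= rising <= 100.0):
            raise ValueError("level thresholds must satisfy 0 <= falling <= rising <= 100")
        if falling > rising:
            raise ValueError("falling threshold must be <= rising threshold")
        return cls(traffic, unit, rising, falling)

    def limits(self, traffic_type: str) -> bool:
        """Only the configured traffic type is affected (answer D of Question 9)."""
        return traffic_type == self.traffic

    def simulate(self, samples):
        """Return the per-interval action ("forward"/"drop") for the configured type.

        Traffic is blocked once a sample reaches the rising threshold and stays
        blocked until a sample falls below the falling threshold (hysteresis).
        """
        blocked = False
        actions = []
        for s in samples:
            if not blocked and s >= self.rising:
                blocked = True   # rising threshold reached: drop this traffic type
            elif blocked and s < self.falling:
                blocked = False  # dropped below the falling level: forward again
            actions.append("drop" if blocked else "forward")
        return actions


def demo():
    """The page's command run over a constructed utilisation series."""
    sc = StormControl.parse("storm-control broadcast level 75 65")
    return sc.simulate([50, 80, 70, 64, 70])
```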
QUESTION 10
After port security is deployed throughout an enterprise campus, the network team has been overwhelmed with port reset requests. They decide to configure the network to automate the process of re-enabling user ports. Which command accomplishes this task?
A. switch(config)# errdisable recovery interval 180
B. switch(config)# errdisable recovery cause psecure-violation
C. switch(config)# switchport port-security protect
D. switch(config)# switchport port-security aging type inactivity
E. switch(config)# errdisable recovery cause security-violation
Explanation:
When a secure port is in the error-disabled state, you can bring it out of this state automatically by configuring the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode. If a port is in per-VLAN errdisable mode, you can also use the clear errdisable interface name vlan range command to re-enable the VLAN on the port. You can also customize the time to recover from the specified error-disable cause (the default is 300 seconds) by entering the errdisable recovery interval interval command.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/53SG/configuration/config/port_sec.pdf
QUESTION 11
The network monitoring application alerts a network engineer of a client PC that is acting as a rogue DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two.)
A. switch# show mac address-table
B. switch# show port-security
C. switch# show ip verify source
D. switch# show ip arp inspection
E. switch# show mac address-table address <mac address>
Answer: AE
Explanation:
These two commands will show the MAC address table, including the switch port that the particular host is using. Here is an example output:
Switch> show mac-address-table
Dynamic Addresses Count: 9
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total MAC addresses: 50
Non-static Address Table:
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
0010.0de0.e289 Dynamic 1 FastEthernet0/1
0010.7b00.1540 Dynamic 2 FastEthernet0/5
0010.7b00.1545 Dynamic 2 FastEthernet0/5
QUESTION 12
While troubleshooting a network outage, a network engineer discovered an unusually high level of broadcast traffic coming from one of the switch interfaces.
Which option decreases consumption of bandwidth used by broadcast traffic?
A. storm control
B. SDM routing
C. Cisco IOS parser
D. integrated routing and bridging
E. Dynamic ARP Inspection
Explanation:
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on a port. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation, mistakes in network configuration, or users issuing a denial-of-service attack can cause a storm. Storm control is configured for the switch as a whole but operates on a per-port basis. By default, storm control is disabled.
Storm control uses rising and falling thresholds to block and then restore the forwarding of broadcast, unicast, or multicast packets. You can also set the switch to shut down the port when the rising threshold is reached.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_22ea/SCG/scg/swtrafc.html
QUESTION 13
Which command globally enables AAA on a device?
A. aaa new-model
B. aaa authentication
C. aaa authorization
D. aaa accounting
Explanation:
To configure AAA authentication, enable AAA by using the aaa new-model global configuration command. AAA features are not available for use until you enable AAA globally by issuing the aaa new-model command.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html
QUESTION 14
Which AAA Authorization type includes PPP, SLIP, and ARAP connections?
A. network
B. IP mobile
C. EXEC
D. auth-proxy
Explanation:
Method lists for authorization define the ways that authorization will be performed and the sequence in which these methods will be performed. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.
Method lists are specific to the authorization type requested:
+ Auth-proxy: Applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, refer to the chapter "Configuring Authentication Proxy" in the "Traffic Filtering and Firewalls" part of this book.
+ Commands: Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC: Applies to the attributes associated with a user EXEC terminal session.
+ Network: Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access: Applies to reverse Telnet sessions.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathor.html
QUESTION 15
Which authentication service is needed to configure 802.1x?
A. RADIUS with EAP Extension
B. TACACS+
C. RADIUS with CoA
D. RADIUS using VSA
Explanation:
With 802.1x, the authentication server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2940/software/release/12-1_19_ea1/configuration/guide/2940scg_1/sw8021x.pdf
QUESTION 16
Refer to the exhibit.
Exhibit image: https://www.examtopics.com/assets/media/exam-media/01585/0012800001.png
Which login credentials are required when connecting to the console port in this output?
A. none required
B. username cisco with password cisco
C. no username with password linepass
D. login authentication default
Explanation:
Here the console has been configured with the NO_AUTH name, which lists none as the authentication method. None means no authentication, meaning that credentials are not required and all sessions are allowed access immediately.
QUESTION 17
Refer to the exhibit.
Exhibit image: https://www.examtopics.com/assets/media/exam-media/01585/0012900001.png
When a network administrator is attempting an SSH connection to the device, in which order does the device check the login credentials?
A. RADIUS server, local username, line password
B. RADIUS server, line password, local username
C. Line password, local username, RADIUS server
D. Line password, RADIUS server, local username
Explanation:
SSH sessions use the vty lines, where the configured authentication method list is named "default". The AAA default login methods are tried in the order listed, so here "aaa authentication login default group radius local line" means use RADIUS first; then, if that fails, use the local user database; finally, if that fails, use the line password.
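How an IOS-style login method list is evaluated, as an added Python model that is not part of the original page or of Cisco IOS; it covers the method lists in Questions 3, 16 and 17 and applies the rule stated in Question 3's explanation, that the next method is consulted only when the current one cannot answer (server unreachable), not when it returns a definite reject. The usernames, passwords and simulated RADIUS behaviour are constructed:

```python
# Added example (not from the original page or Cisco): models how an IOS-style
# AAA login method list is evaluated, for the commands in Questions 3, 16 and 17.
# Users, passwords and the RADIUS behaviour are constructed; the modelled rule is
# that the next method is consulted only when the current one cannot answer
# (server unreachable), not when it returns a definite reject.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

ACCEPT, REJECT, ERROR = "accept", "reject", "error"


@dataclass
class MethodList:
    name: str
    methods: List[str]

    @classmethod
    def parse(cls, cmd: str) -> "MethodList":
        m = re.fullmatch(r"aaa authentication login (\S+) (.+)", cmd.strip())
        if not m:
            raise ValueError("not an aaa authentication login command: %r" % cmd)
        name, rest = m.groups()
        toks = rest.split()
        methods, i = [], 0
        while i < len(toks):
            if toks[i] == "group" and i + 1 < len(toks):
                methods.append("group " + toks[i + 1])  # e.g. "group radius"
                i += 2
            else:
                methods.append(toks[i])                  # local, line, none, ...
                i += 1
        return cls(name, methods)


@dataclass
class Device:
    local_users: Dict[str, str]            # username -> password
    line_password: Optional[str]           # "password" under the line, or None
    radius: Callable[[str, str], str]      # returns ACCEPT / REJECT / ERROR
    lists: Dict[str, MethodList] = field(default_factory=dict)

    def try_method(self, method: str, user: str, pw: str) -> str:
        if method == "none":
            return ACCEPT                  # no authentication at all (Question 16)
        if method.startswith("group "):
            return self.radius(user, pw)   # server group; ERROR when unreachable
        if method == "local":
            # simplification: an unknown user is treated like a wrong password
            return ACCEPT if self.local_users.get(user) == pw else REJECT
        if method == "line":
            if self.line_password is None:
                return ERROR               # line has no password: cannot decide
            return ACCEPT if pw == self.line_password else REJECT
        return ERROR                       # unsupported method, fall through

    def login(self, list_name: str, user: str, pw: str):
        """Evaluate a method list; returns (authenticated?, trace of method results)."""
        ml = self.lists.get(list_name) or self.lists["default"]
        trace = []
        for method in ml.methods:
            result = self.try_method(method, user, pw)
            trace.append("%s:%s" % (method, result))
            if result != ERROR:
                return result == ACCEPT, trace   # a definite answer stops the search
        return False, trace                      # every method errored: deny


def demo(radius_state: str):
    """radius_state is 'down' (unreachable) or 'reject' (reachable, bad credentials)."""
    radius = (lambda u, p: ERROR) if radius_state == "down" else (lambda u, p: REJECT)
    dev = Device(local_users={"cisco": "cisco"}, line_password="linepass", radius=radius)
    dev.lists["default"] = MethodList.parse(
        "aaa authentication login default group radius local line")
    dev.lists["NO_AUTH"] = MethodList.parse("aaa authentication login NO_AUTH none")
    return {
        "vty_cisco": dev.login("default", "cisco", "cisco"),
        "vty_unknown": dev.login("default", "bob", "linepass"),
        "console": dev.login("NO_AUTH", "", ""),
    }
```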
QUESTION 18
Which type of information does the DHCP snooping binding database contain?
A. untrusted hosts with leased IP addresses
B. trusted hosts with leased IP addresses
C. untrusted hosts with available IP addresses
D. trusted hosts with available IP addresses
Explanation:
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:
+ Validates DHCP messages received from untrusted sources and filters out invalid messages.
+ Rate-limits DHCP traffic from trusted and untrusted sources.
+ Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.
+ Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.pdf
QUESTION 19
Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?
A. Dynamic ARP Inspection
B. storm control
C. VTP pruning
D. DHCP snooping
Explanation:
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
QUESTION 20
Which command is needed to enable DHCP snooping if a switchport is connected to a DHCP server?
A. ip dhcp snooping trust -
B. ip dhcp snooping -
C. ip dhcp trust -
D. ip dhcp snooping information -
Section: [none]
Explanation -
When configuring DHCP snooping, follow these guidelines:
DHCP snooping is not active until you enable the feature on at least one VLAN, and enable DHCP globally on the switch.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013100001.png" alt="Reference Image" />
Before globally enabling DHCP snooping on the switch, make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013100002.png" alt="Reference Image" />
enabled.
If a Layer 2 LAN port is connected to a DHCP server, configure the port as trusted by entering the "ip dhcp snooping trust" interface configuration command.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013100003.png" alt="Reference Image" />
If a Layer 2 LAN port is connected to a DHCP client, configure the port as untrusted by entering the no ip dhcp snooping trust interface configuration command.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013100004.png" alt="Reference Image" />
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
QUESTION 21 -
Which private VLAN access port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports?
A. promiscuous port -
B. isolated port -
C. community port -
D. trunk port -
Section: [none]
Explanation -
The types of private VLAN ports are as follows:
Promiscuous--A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013200001.png" alt="Reference Image" />
Isolated--An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013200002.png" alt="Reference Image" />
Community--A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013200003.png" alt="Reference Image" />
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html
QUESTION 22 -
Which private VLAN can have only one VLAN and be a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports and the gateway?
A. isolated VLAN -
B. primary VLAN -
C. community VLAN -
D. promiscuous VLAN -
Section: [none]
Explanation -
Understanding Primary, Isolated, and Community Private VLANs
Primary VLANs and the two types of secondary VLANs (isolated and community) have these characteristics:
Primary VLAN-- The primary VLAN carries traffic from the promiscuous ports to the host ports, both isolated and community, and to other promiscuous ports.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013300001.png" alt="Reference Image" />
Isolated VLAN--An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports. You can configure multiple isolated VLANs in a private VLAN domain; all the traffic remains isolated within each one. Each isolated VLAN can have several isolated ports, and the traffic from each isolated port also remains completely separate.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013300002.png" alt="Reference Image" />
Community VLAN--A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community. You can configure multiple community VLANs in a private VLAN domain. The ports within one community can communicate, but these ports cannot communicate with ports in any other community or isolated VLAN in the private VLAN.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013300003.png" alt="Reference Image" />
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html
QUESTION 23 -
Which database is used to determine the validity of an ARP packet based on a valid IP-to-MAC address binding?
A. DHCP snooping database -
B. dynamic ARP database -
C. dynamic routing database -
D. static ARP database -
Section: [none]
Explanation -
Information About Dynamic ARP Inspection
DAI is used to validate ARP requests and responses as follows:
Intercepts all ARP requests and responses on untrusted ports.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013300004.png" alt="Reference Image" />
Verifies that a packet has a valid IP-to-MAC address binding before updating the ARP cache or forwarding the packet.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013300005.png" alt="Reference Image" />
Drops invalid ARP packets.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013300006.png" alt="Reference Image" />
DAI can determine the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a DHCP snooping binding database. This database is built by DHCP snooping when it is enabled on the VLANs and on the device. It may also contain static entries that you have created.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/hyperv/sw/5_2_1_s_m_1_5_2/troubleshooting/configuration/guide/n1000v_troubleshooting/n1000v_trouble_19dhcp.html
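As an added illustration for Questions 19 and 23 (example code written for this page, not from the exam dump or from Cisco): a small Python model of the DAI decision described above, where frames on trusted ports skip validation and frames on untrusted ports are forwarded only if the sender IP-to-MAC pair exists in the binding database. The binding entries, port names, MAC and IP addresses are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI inspects in an ARP request/reply (constructed model)."""
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str


# DHCP snooping binding database, keyed by (VLAN, MAC) -> IP. DHCP snooping
# fills it from observed DHCP leases; static entries may be added by hand.
# These entries are constructed sample data, not from any real switch.
BINDING_DB = {
    (20, "00:11:22:33:44:55"): "172.120.40.10",
    (20, "00:11:22:33:44:66"): "172.120.40.11",
}

# Ports configured trusted for DAI (for example the uplink to the gateway);
# DAI forwards ARP from these without any check. Port name is an assumption.
TRUSTED_PORTS = {"Gi0/24"}


def dai_verdict(pkt, binding_db=BINDING_DB, trusted=TRUSTED_PORTS):
    """Return ("forward" | "drop", reason) for one ARP packet."""
    if pkt.ingress_port in trusted:
        return ("forward", "trusted interface, no validation")
    bound_ip = binding_db.get((pkt.vlan, pkt.sender_mac.lower()))
    if bound_ip is None:
        return ("drop", "no binding for sender MAC in this VLAN")
    if bound_ip != pkt.sender_ip:
        return ("drop", f"sender IP {pkt.sender_ip} does not match binding {bound_ip}")
    return ("forward", "valid IP-to-MAC binding")


def inspect_all(packets):
    """Apply DAI to a batch and return one log line per dropped packet,
    the kind of evidence the switch's DAI deny syslog messages give an
    operator (the line format here is illustrative, not the exact IOS text)."""
    log = []
    for pkt in packets:
        verdict, reason = dai_verdict(pkt)
        if verdict == "drop":
            log.append(f"DAI drop on {pkt.ingress_port} vlan {pkt.vlan}: "
                       f"{pkt.sender_mac} claims {pkt.sender_ip} ({reason})")
    return log


# Constructed traffic: a legitimate host, a host claiming the gateway's IP
# with a MAC bound to another address, an unknown MAC, and a frame that
# arrives on the trusted uplink.
SAMPLE_PACKETS = [
    ArpPacket("Gi0/1", 20, "00:11:22:33:44:55", "172.120.40.10"),
    ArpPacket("Gi0/2", 20, "00:11:22:33:44:66", "172.120.40.1"),
    ArpPacket("Gi0/3", 20, "de:ad:be:ef:00:01", "172.120.40.50"),
    ArpPacket("Gi0/24", 20, "aa:bb:cc:dd:ee:01", "172.120.40.1"),
]

if __name__ == "__main__":
    for line in inspect_all(SAMPLE_PACKETS):
        print(line)
```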
QUESTION 24 -
When IP Source Guard with source IP filtering is enabled on an interface, which feature must be enabled on the access VLAN for that interface?
A. DHCP snooping -
B. storm control -
C. spanning-tree portfast -
D. private VLAN -
Section: [none]
Explanation -
IP Source Guard Configuration Guidelines
You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding mac-address vlan vlan-id ip-address interface interface-id global configuration command on a routed interface, this error message appears:
Static IP source binding can only be configured on switch port.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013400001.png" alt="Reference Image" />
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013400002.png" alt="Reference Image" />
When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be enabled on the access VLAN for that interface.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013400003.png" alt="Reference Image" />
If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping is enabled on all the VLANs, the source IP address filter is applied on all the VLANs.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013400004.png" alt="Reference Image" />
You can enable this feature when 802.1x port-based authentication is enabled.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013400005.png" alt="Reference Image" />
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01110.html
QUESTION 25 -
Which switch feature prevents traffic on a LAN from being overwhelmed by continuous multicast or broadcast traffic?
A. storm control -
B. port security -
C. VTP pruning -
D. VLAN trunking -
Section: [none]
Explanation -
A traffic storm occurs when packets flood the LAN, which creates excessive traffic and degrades network performance. The traffic storm control feature prevents LAN ports from being disrupted by a broadcast, multicast, or unicast traffic storm on physical interfaces from either mistakes in network configurations or from users issuing a DoS attack.
Reference: http://3c3cc.com/c/en/us/td/docs/routers/7600/ios/122SR/configuration/guide/swcg/dos.pdf
QUESTION 26 -
Which command would a network engineer apply to error-disable a switchport when a packet- storm is detected?
A. router(config-if)#storm-control action shutdown
B. router(config-if)#storm-control action trap
C. router(config-if)#storm-control action error
D. router(config-if)#storm-control action enable
Section: [none]
Explanation -
Configuring the Traffic Storm Control Shutdown Mode
To configure the traffic storm control shutdown mode on an interface, perform this task:
Command and purpose:
Step 1: Router(config)# interface {{type slot/port} | {port-channel number}}
  Selects an interface to configure.
Step 2: Router(config-if)# storm-control action shutdown
  (Optional) Configures traffic storm control to error-disable ports when a traffic storm occurs. Enter the no storm-control action shutdown command to revert to the default action (drop). Use the error disable detection and recovery feature, or the shutdown and no shutdown commands to reenable ports.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/storm.html
QUESTION 27 -
A network engineer configures port security and 802.1x on the same interface. Which option describes what this configuration allows?
A. It allows port security to secure the MAC address that 802.1x authenticates.
B. It allows port security to secure the IP address that 802.1x authenticates.
C. It allows 802.1x to secure the MAC address that port security authenticates.
D. It allows 802.1x to secure the IP address that port security authenticates.
Section: [none]
Explanation -
802.1X and Port Security
You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.html
QUESTION 28 -
Which feature describes MAC addresses that are dynamically learned or manually configured, stored in the address table, and added to the running configuration?
A. sticky -
B. dynamic -
C. static -
D. secure -
Section: [none]
Explanation -
With port security, you can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.pdf
QUESTION 29 -
On which interface can port security be configured?
A. static trunk ports -
B. destination port for SPAN -
C. EtherChannel port group -
D. dynamic access point -
Section: [none]
Explanation -
Port Security and Port Types -
You can configure port security only on Layer 2 interfaces. Details about port security and different types of interfaces or ports are as follows:
Access ports--You can configure port security on interfaces that you have configured as Layer 2 access ports. On an access port, port security applies only to the access VLAN.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013700001.png" alt="Reference Image" />
Trunk ports--You can configure port security on interfaces that you have configured as Layer 2 trunk ports. VLAN maximums are not useful for access ports. The device allows VLAN maximums only for VLANs associated with the trunk port.
SPAN ports--You can configure port security on SPAN source ports but not on SPAN destination ports.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013700002.png" alt="Reference Image" />
Ethernet Port Channels--Port security is not supported on Ethernet port channels.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013700003.png" alt="Reference Image" />
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_portsec.html
QUESTION 30 -
When you configure private VLANs on a switch, which port type connects the switch to the gateway router?
A. promiscuous -
B. community -
C. isolated -
D. trunked -
Section: [none]
Explanation -
There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host ports are further divided into two types: Isolated port (I-Port) and Community port (C-port).
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013700004.png" alt="Reference Image" />
Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of port that is allowed to send and receive frames from any other port on the VLAN.
Host Ports:
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013700005.png" alt="Reference Image" />
o Isolated Port (I-Port): Connects to a regular host that resides on the isolated VLAN. This port communicates only with P-Ports.
o Community Port (C-Port): Connects to a regular host that resides on a community VLAN. This port communicates with P-Ports and ports on the same community VLAN.
Reference: http://en.wikipedia.org/wiki/Private_VLAN

QUESTION 31 -
When you configure a private VLAN, which type of port must you configure the gateway router port as?
A. promiscuous port -
B. isolated port -
C. community port -
D. access port -
Section: [none]
Explanation -
There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host ports are further divided into two types: Isolated port (I-Port) and Community port (C-port).
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013800001.png" alt="Reference Image" />
Promiscuous port (P-Port): The switch port connects to a router, firewall or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, it is a type of port that is allowed to send and receive frames from any other port on the VLAN.
Host Ports:
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0013800002.png" alt="Reference Image" />
o Isolated Port (I-Port): Connects to a regular host that resides on the isolated VLAN. This port communicates only with P-Ports.
o Community Port (C-Port): Connects to a regular host that resides on a community VLAN. This port communicates with P-Ports and ports on the same community VLAN.
Reference: http://en.wikipedia.org/wiki/Private_VLAN

QUESTION 32 -
SIMULATION -
SWITCH.com is an IT company that has an existing enterprise network comprised of two layer 2 only switches; DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. Corporate policies do not allow layer 3 functionality to be enabled on the switches. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
Users connecting to VLAN 20 via port f0/1 on ASW1 must be authenticated before they are given access to the network. Authentication is to be done via a Radius server:
Radius server host: 172.120.40.46
Radius key: rad123
Authentication should be implemented as close to the host as possible.
Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24.
Packets from devices in the subnet of 172.120.40.0/24 should be allowed on VLAN 20.
Packets from devices in any other address range should be dropped on VLAN 20.
Filtering should be implemented as close to the serverfarm as possible. The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/n18888500001.jpg" alt="Reference Image" />
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/n18888500005.png" alt="Reference Image" />
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0014100001.png" alt="Reference Image" />
Section: [none]
Explanation -
Step1: Console to ASW1 from PC console 1
ASW1(config)#aaa new-model -
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#inter fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#exit -
ASW1#copy run start -
Step2: Console to DSW1 from PC console 2
DSW1(config)#ip access-list standard 10
DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-ext-nacl)#exit -
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit -
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit -
DSW1(config)#vlan filter PASS vlan-list 20
DSW1#copy run start -
QUESTION 33 -
SWITCH.com is an IT company that has an existing enterprise network comprised of two layer 2 only switches; DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server.
Corporate policies do not allow layer 3 functionality to be enabled on the switches. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
Users connecting to VLAN 20 via port f0/1 on ASW1 must be authenticated before they are given access to the network. Authentication is to be done via a Radius server:
Radius server host: 172.120.40.46
Radius key: rad123
Authentication should be implemented as close to the host as possible.
Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24.
Packets from devices in the subnet of 172.120.40.0/24 should be allowed on VLAN 20.
Packets from devices in any other address range should be dropped on VLAN 20.
Filtering should be implemented as close to the serverfarm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0014400001.jpg" alt="Reference Image" />
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/0014500001.png" alt="Reference Image" />
 <img src="https://www.examtopics.com/assets/media/exam-media/01585/n18888500000.png" alt="Reference Image" />
Section: [none]
Explanation -
Step1: Console to ASW1 from PC console 1
ASW1(config)#aaa new-model -
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#inter fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#exit -
ASW1#copy run start -
Step2: Console to DSW1 from PC console 2
DSW1(config)#ip access-list standard 10
DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-ext-nacl)#exit -
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit -
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit -
DSW1(config)#vlan filter PASS vlan-list 20
DSW1#copy run start -
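The VACL half of the answer to Questions 32 and 33, modelled as an added Python example (written for this page, not from the exam dump or from Cisco): standard ACL 10, access map PASS and the VLAN filter are encoded as data and evaluated in the order IOS evaluates them, so a reader can check why in-subnet sources are forwarded on VLAN 20, everything else on VLAN 20 is dropped, and other VLANs are untouched. The sample packets are constructed.

```python
import ipaddress


def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """IOS wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (base_i & care)


# "ip access-list standard 10 / permit 172.120.40.0 0.0.0.255" as data.
# A standard ACL tests only the source address. Entries: (action, base, wildcard).
ACL_10 = [("permit", "172.120.40.0", "0.0.0.255")]


def acl_matches(acl, src_ip: str) -> bool:
    """Inside an access map a packet 'matches' an ACL only when it hits a permit
    entry; a deny entry, or the implicit deny at the end, means 'no match'."""
    for action, base, wildcard in acl:
        if wildcard_match(src_ip, base, wildcard):
            return action == "permit"
    return False


# "vlan access-map PASS": sequences are tried in order; a sequence with no
# match clause (sequence 20 here) matches every packet that reaches it.
ACCESS_MAP_PASS = [
    (10, ACL_10, "forward"),   # match ip address 10 / action forward
    (20, None, "drop"),        # action drop
]

# "vlan filter PASS vlan-list 20": only VLAN 20 is filtered on DSW1.
VLAN_FILTERS = {20: ACCESS_MAP_PASS}


def vacl_verdict(vlan: int, src_ip: str) -> str:
    """Decide whether DSW1 forwards or drops a packet seen on the given VLAN."""
    access_map = VLAN_FILTERS.get(vlan)
    if access_map is None:
        return "forward"          # no VACL bound to this VLAN
    for _seq, acl, action in access_map:
        if acl is None or acl_matches(acl, src_ip):
            return action
    return "drop"                 # implicit drop when no sequence matches


if __name__ == "__main__":
    # Constructed sample traffic: an in-subnet host, an out-of-range source
    # (the case the policy exists to block), and a packet on an unfiltered VLAN.
    for vlan, src in [(20, "172.120.40.25"), (20, "10.1.1.9"), (30, "10.1.1.9")]:
        print(f"vlan {vlan} src {src}: {vacl_verdict(vlan, src)}")
```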
Question Set 1

This question is in 300-115 Implementing Cisco IP Switched Networks (SWITCH) Exam
For getting Cisco Certified Network Professional (CCNP) Routing and Switching Certificate