Cisco Certified Network Associate 200-301 CCNA Exam Questions and Answers – Page 2

The latest Cisco Certified Network Associate 200-301 CCNA certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Cisco Certified Network Associate 200-301 CCNA exam and earn Cisco Certified Network Associate 200-301 CCNA certification.

Exam Question 191

As part of a new initiative to tighten the security of your Cisco devices, you have configured the firewall to restrict access to the devices from the outside.

What would be other recommended ways of protecting the integrity of the device configuration files on the devices while ensuring your continued ability to manage the devices remotely? (Choose all that apply.)
A. encrypt the configuration files
B. use SSH to connect to the devices for management
C. prevent the loss of administrator passwords by disabling their encryption
D. disable the VTY ports on the devices
E. use an encrypted password for VTY access

Correct Answer:
B. use SSH to connect to the devices for management
E. use an encrypted password for VTY access
Answer Description:
You should use SSH to connect to the devices for management. You should also require an encrypted password for VTY access. Using Telnet for remote management transmits all information, including the username and passwords, in clear text. Using an encrypted password for VTY access ensures that the password cannot be read either in transit or in the configuration file.

Passwords used for access to the console, aux, or VTY connections can be encrypted if desired. When passwords are created with the enable <password> command, the password is saved in clear text. When the enable secret <password> command is used, however the password will be encrypted.

If both types of password are configured for a particular connection type, the system will ignore the enable password and require the enable secret password. For example, if the set of commands shown below were executed, both types of password will be created for console access, but the system will require the password crisco rather than cisco. Also make note that neither of those passwords will required for VTY access. That password is sicso, which is the password configured after accessing the line VTY interface configuration prompt.

Router(config)# enable secret crisco
Router(config)# enable password cisco
Router(config)# line vty 0 4
Router(config-line)# password sisco

Although it is possible to encrypt the password in the configuration files, it is not possible to encrypt the rest of the files.

You should not disable the encryption of the passwords in the configuration files. Password encryption is a good security measure to take, and sloppy password management should not be a reason to change this practice.

You should not disable the VTY ports on the devices. This would certainly enhance security, but it would prevent you from managing the devices remotely

Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening

Exam Question 192

What will be the effect of executing the following command on port F0/1?
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301
A. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
B. The command expressly prohibits the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
C. The command configures an inbound access control list on port F0/1 limiting traffic to the IP address of the host.
D. The command encrypts all traffic on the port from the MAC address of 00c0.35F0.8301.

Correct Answer:
A. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
Answer Description:
The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port. By default, an unlimited number of MAC addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one or more specific MAC addresses that should be allowed to connect, and violation policies (such as disabling the port) if additional hosts try to gain a connection.

The switchport port-security mac-address 00C0.35F0.8301 command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.

The switchport port-security mac-address 00C0.35F0.8301 command does not expressly prohibit the MAC address of 00c0.35F0.8301 as an allowed host on the switch port. The port-security command is designed to identify allowed MAC addresses not prohibited addresses.

The switchport port-security mac-address 00C0.35F0.8301 command does not configure an inbound access control list on port F0/1 limiting traffic to the IP address of the host. It will accept traffic to the port, but will only allow a device with that MAC address to be connected to the port.

The switchport port-security mac-address 00C0.35F0.8301 command does not encrypt all traffic on the port from the MAC address of 00c0.35F0.8301. The port-security command has nothing to do with encryption.

Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot port security

Exam Question 193

What command disables 802.1x authentication on a port and permits traffic without authentication?
A. dot1x port-control disable
B. dot1x port-control force-unauthorized
C. dot1x port-control auto
D. dot1x port-control force-authorized

Correct Answer:
D. dot1x port-control force-authorized
Answer Description:
The command dot1x port-control force-authorized is used to disable 802.1x on a port and permit traffic without authentication. Dot1x ports are in one of two states, authorized or unauthorized. Authorized ports permit user traffic to flow through the port. This state usually follows successful authentication. Unauthorized ports only permit authorization traffic to flow through the port.

Usually a port begins in the unauthorized state. A user is then allowed to exchange AAA authentication traffic with the port. Once the user has been authenticated successfully, the port is changed to the authorized state and the user is permitted to use the port normally.

Normal use of 802.1x has the port configured with the dot1x port-control auto statement. This places the port in the unauthorized state until successful authentication. After successful authentication, the port is changed to the authorized state.

When 802.1x is initially configured, the default port control of the ports is force-authorized. This forces the port to be in the authorized state without successful authentication. This setting disables the need for authentication and permits all traffic.

The force-unauthorized keyword configures the port as an unauthorized port regardless of authentication traffic. A port configured with this key word would not permit user traffic, not even authentication traffic.

The command dot1x port-control disable is not a valid command due to incorrect syntax.

Objective: Infrastructure Security
Sub-Objective: Describe device security using AAA with TACACS+ and RADIUS

Exam Question 194

Which of the following technologies should be used to prevent a switching loop if a switch is connected to a port configured for PortFast?
A. RSTP
B. BPDU Guard
C. Root Guard
D. PVST

Correct Answer:
B. BPDU Guard
Answer Description:
BPDU Guard prevents switching loops in the case of a switch being connected to a PortFast interface. PortFast is used for ports that connect to host systems, such as workstations and printers, and allows the port to immediately enter a forwarding state. This bypasses the normal 30-second delay that Spanning Tree Protocol would normally use to determine if a switch has been connected to the port. Implementing BPDU Guard will disable the port if a switch is connected and a BPDU is received.

Rapid Spanning Tree Protocol (RSTP) is incorrect because this is an enhanced Spanning Tree standard that operates on the Data Link layer of the OSI model. RSTP was not designed to protect PortFast ports. PortFast and BPDU Guard are supported by RSTP, but they not required or configured by default.

Root Guard is incorrect because it is used to protect the root bridge placement in the Spanning Tree, not to protect PortFast ports.

Per-VLAN Spanning Tree (PVST) is incorrect because this is an implementation of Spanning Tree (the default protocol for Cisco switches), and was not designed to protect PortFast ports. PortFast and BPDU Guard are supported by RSTP, but are not required, and must be configured manually.

Objective: LAN Switching Fundamentals
Sub-Objective: Configure, verify, and troubleshoot STP-related optional features

Exam Question 195

Which of the following cables would be used to connect a router to a switch?
A. v.35
B. crossover
C. rollover
D. straight-through

Correct Answer:
D. straight-through
Answer Description:
A straight-through cable would be used. When connecting “unlike” devices, such as a switch to a router, a straight-through cable is used. This is a cable where the wires are in the same sequence at both ends of the cable.

NOTE: The one exception to this general rule of connecting unlike devices with a straight-through cable is when a computer NIC is connected to an Ethernet port on a router. In that case, a crossover cable is used.

A v.35 cable is used to connect serial connections between routers. This cable has a male DB-60 connector on the Cisco end and a male Winchester connector on the network end. It comes in two types: DCE and DTE. It is often used to simulate a WAN connection in lab environments. In that case, the DCE end acts as the CSU/DSU and is the end where the clock rate is set. A CSU/DSU (Channel Service Unit/Data Service Unit) is a device that connects the router to the T1 or T3 line.

A crossover cable has two wires reversed and is used to connect “like” devices, such as a switch to a switch. It is also used when a computer NIC is connected to an Ethernet port on a router.

A rollover cable is used to connect to the console port of a router to configure the router. It is also called a console cable.

The diagram below illustrates the correct usage of each of the cable types shown using the following legend:

  • SO Ethernet Straight through Cable
  • CO Ethernet Crossover Cable
  • Serial Serial cable
  • RO Rollover cable
The diagram below illustrates the correct usage of each of the cable types.
The diagram below illustrates the correct usage of each of the cable types.
The diagram below illustrates the correct usage of each of the cable types.
The diagram below illustrates the correct usage of each of the cable types.

Objective: Network Fundamentals
Sub-Objective: Select the appropriate cabling type based on implementation requirements

Exam Question 196

You are implementing IP SLA and would like to use it to measure hop-by-hop response time between a Cisco router and any IP device on the network.

Which of the following IP SLA operations would you use for this?
A. ICMP path echo operation
B. Internet Control Message Protocol Echo Operation
C. UDP Jitter Operation for VoIP
D. UDP Jitter Operation

Correct Answer:
A. ICMP path echo operation
Answer Description:
The ICMP path echo operation discovers the path using the traceroute command, and then measures response time between the source router and each intermittent hop in the path. IP SLAs allow users to monitor network performance between Cisco routers or from a Cisco router to a remote IP device.

The Internet Control Message Protocol (ICMP) Echo Operation measures end-to-end response time between a Cisco router and any IP-enabled device. Response time is computed by measuring the time taken between sending an ICMP echo request message to the destination and receiving an ICMP echo reply. It does not measure hop-by-hop response time.

The UDP Jitter Operation for VoIP is an extension to the current jitter operations with specific enhancements for VoIP. The enhancements allow this operation to calculate voice quality scores and simulate the codec’s directly in CLI and the MIB. It does not measure hop-by-hop response time.

The UDP Jitter Operation is designed to measure the delay, delay variance, and packet loss in IP networks by generating active UDP traffic. It does not measure hop-by-hop response time.

Objective: Infrastructure Management
Sub-Objective: Troubleshoot network connectivity issues using ICMP echo-based IP SLA

Exam Question 197

Which metric does the Open Shortest Path First (OSPF) routing protocol use for optimal path calculation?
A. MTU
B. Cost
C. Delay
D. Hop count

Correct Answer:
B. Cost
Answer Description:
OSPF is a link-state routing protocol which uses cost as a metric for optimal path calculation. It is an open standard protocol based on Dijkstra’s Shortest Path First (SPF) algorithm. Metrics are used by routing protocols to determine the lowest cost path to a network number, which is considered the optimal or “fastest” path. Cisco’s implementation of OSPF calculates the cost (metric) of a link as inversely proportional to the bandwidth of that interface. Therefore, a higher bandwidth indicates a lower cost, and a more favorable metric.

For this to work properly, the bandwidth of the link must be configured to allow OSPF to arrive at the cost of the link. This is done with the bandwidth command executed in interface configuration mode, and is entered in kbps. For example, if the link were 64 kbps, you would enter the following command:

Router(config-if)# bandwidth 64

The metric for any OSPF link defaults to 100,000,000/bandwidth. The bandwidth used in the formula is in bits per second. So, in this example the calculation would be 100,000,000 / 64000 = 1562.5. The cost assigned to the link would be 1562. The cost for a network route is the sum of all individual links in the path to that network.

If multiple paths are assigned equal costs, OSPF will load balance across the multiple paths. By default, it will limit this load balance to a maximum of four equal-cost paths. When this occurs, all four equal-cost paths will be placed in the routing table. There are two approaches to allow or prevent load balancing when multiple equal cost paths are available:

  • Use the bandwidth command to make one or more of the paths either less or more desirable.
  • Use the ip ospf cost command to change the cost value assigned to one or more of the paths

Maximum Transmission Unit (MTU), bandwidth, delay, load, and reliability form a composite metric used by Interior Gateway Routing Protocol (IGRP) and Enhanced Interior Gateway Routing Protocol (EIGRP). IGRP is a distance vector routing protocol developed by Cisco Systems. Enhanced IGRP (EIGRP) is a Ciscoproprietary hybrid protocol having features of both distance-vector and link-state protocols.

Hop count is a metric used by Routing Information Protocol (RIP). The fewer hops between the routers, the better the path.

Objective: Routing Fundamentals
Sub-Objective: Compare and contrast distance vector and link-state routing protocols

Exam Question 198

Which commands would be used to enable Enhanced Interior Gateway Routing Protocol (EIGRP) on a router, and configure the IP addresses 10.2.2.2 and 192.168.1.1 as a part of complete EIGRP configuration? (Choose three.)
A. router eigrp 10
B. router eigrp
C. network 10.2.2.2
D. network 10.0.0.0
E. network 192.168.1.0
F. network 192.168.1.1

Correct Answer:
A. router eigrp 10
D. network 10.0.0.0
E. network 192.168.1.0
Answer Description:
The router eigrp 10 command is used to enable EIGRP on a router. The network 10.0.0.0 and network 192.168.1.0 commands are used to activate EIGRP over the interfaces configured with IP addresses 10.2.2.2 and 192.168.1.1. If we were given the subnet mask for the two interfaces, we could include that in the network command as well.

The following command sequence is used to configure EIGRP on a router:

router(config) # router eigrp [autonomous-system]
router (config-router) # network x.x.x.x [wildcard-mask]
router (config-router) # network y.y.y.y [wildcard-mask]

The autonomous-system parameter of the router eigrp command specifies the autonomous system number. To ensure that all the routers in a network can communicate with each other, you should specify the same autonomous system number on all the routers.

The parameters of the network command are:

  • x.x.x.x – This is the major (classful) network number connected to the router.
  • y.y.y.y – This is the other major (classful) network number connected to the router.

If either the AS numbers do not match between two EIGRP routers or one end is not configured with EIGRP, no EIGRP routes will appear in the routing table of either router, because they will not have formed an EIGRP neighbor relationship. In this situation you will be able ping between the routers, but you will not be able to ping LANs attached to the other router.

The router eigrp command is incorrect because you need to specify the autonomous system number after the command to enable EIGRP in a network. The router eigrp 10 command includes the autonomoussystem parameter.

The network 192.168.1.1 and network 10.2.2.2 commands are incorrect because the command must be in terms of the network or subnet ID of the network in which the interfaces reside. It is not entered in terms of the address of the interfaces.

Objective: Routing Fundamentals
Sub-Objective: Configure, verify, and troubleshoot EIGRP for IPv4 (excluding authentication, filtering, manual summarization, redistribution, stub)

Exam Question 199

Which Cisco IOS command will display the following partial output?

Which Cisco IOS command will display the following partial output?
Which Cisco IOS command will display the following partial output?

A. show ip
B. show ip route
C. show ip route summary
D. show route summary

Correct Answer:
B. show ip route
Answer Description:
The show ip route command will display the output in this scenario. The command is used to display the present status of the routing table. The complete command syntax is:

show ip route [[ip-address [mask] [longer-prefixes]] | [protocol [process-id]] | [list access-listnumber | access-list-name]]

The following is a sample partial output:

D 168.28.0.0 [140/8] via 10.212.215.122, 0:03:34, serial0/0

The first letter represents the routing protocol through which the route is learned. In this case, the route is learned by EIGRP. The command output also lists codes used for all the routing protocols.

The routing protocol code is followed by the IP address of the remote network.

The first number in the bracket represents the administrative distance of the routing protocol. The number followed by slash within the bracket represents the cost of the route. Different routing protocol uses different methods to calculate the cost of the route. The IP address followed by the keyword via shows the next router to the remote network. The next set of numbers is the time when the route was last updated, which is 0:03:34 in the example. Lastly, it displays the interface through which the network can be reached, which is serial0/0 in the example.

The show ip command is incorrect because it is not a valid Cisco IOS command.

The show ip route summary command is incorrect because this command is used to view the current state of the routing table.

The show route summary command is incorrect because it is not a valid Cisco IOS command.

Objective: Routing Fundamentals
Sub-Objective: Interpret the components of routing table

Exam Question 200

As part of a new initiative to tighten the security of your Cisco devices, you have configured the firewall to restrict access to the devices from the outside.
What would be other recommended ways of protecting the integrity of the device configuration files on the devices while ensuring your continued ability to manage the devices remotely? (Choose all that apply.)
A. encrypt the configuration files
B. use SSH to connect to the devices for management
C. prevent the loss of administrator passwords by disabling their encryption
D. disable the VTY ports on the devices
E. use an encrypted password for VTY access

Correct Answer:
B. use SSH to connect to the devices for management
Answer Description:
You should use SSH to connect to the devices for management. You should also require an encrypted password for VTY access. Using Telnet for remote management transmits all information, including the username and passwords, in clear text. Using an encrypted password for VTY access ensures that the password cannot be read either in transit or in the configuration file.

Passwords used for access to the console, aux, or VTY connections can be encrypted if desired. When passwords are created with the enable <password> command, the password is saved in clear text. When the enable secret <password> command is used, however the password will be encrypted.

If both types of password are configured for a particular connection type, the system will ignore the enable password and require the enable secret password. For example, if the set of commands shown below were executed, both types of password will be created for console access, but the system will require the password crisco rather than cisco. Also make note that neither of those passwords will required for VTY access. That password is sicso, which is the password configured after accessing the line VTY interface configuration prompt.

Router(config)# enable secret crisco
Router(config)# enable password cisco
Router(config)# line vty 0 4
Router(config-line)# password sisco

Although it is possible to encrypt the password in the configuration files, it is not possible to encrypt the rest of the files.

You should not disable the encryption of the passwords in the configuration files. Password encryption is a good security measure to take, and sloppy password management should not be a reason to change this practice.

You should not disable the VTY ports on the devices. This would certainly enhance security, but it would prevent you from managing the devices remotely

Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening