The latest Cisco Certified Network Associate 200-301 CCNA certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Cisco Certified Network Associate 200-301 CCNA exam and earn Cisco Certified Network Associate 200-301 CCNA certification.
Exam Question 181
Which two features do Cisco routers offer to mitigate distributed denial-of-service (DDoS) attacks? (Choose two.)
A. Anti-DDoS guard
B. Scatter tracing
C. Access control lists (ACLs)
D. Flow control
E. Rate limiting
Correct Answer:
C. Access control lists (ACLs)
E. Rate limiting
Answer Description:
Cisco routers use access control lists (ACLs) and blackholing features to help mitigate distributed denial-of-service (DDoS) attacks. A DoS attack is an attack in which legitimate users are denied access to networks, systems, or resources. One of the most common DoS attacks is the DDoS attack, which is executed by using multiple hosts to flood the network or send requests to a resource. The difference between DoS and DDoS is that in a DoS attack, an attacker uses a single host to send multiple requests, whereas in a DDoS attack, multiple hosts are used to perform the same task.
Cisco routers offer the following features to mitigate DDoS attacks:
- ACLs: Filter unwanted traffic, such as traffic that spoofs company addresses or is aimed at Windows control ports. However, an ACL is not effective when network address translation (NAT) is implemented in the network.
- Rate limiting: Minimizes and controls the rate of bandwidth used by incoming traffic.
- Traffic-flow reporting: Creates a baseline for the network that is compared with the network traffic flow, helping you detect any intrusive network or host activity.
Apart from these features offered by Cisco routers, the following methods can also be used to mitigate DDoS attacks:
- Using a firewall, you can block or permit traffic entering a network.
- The systems vulnerable to attacks can be shifted to another location or a more secure LAN.
- Intrusion Detection Systems (IDS), such as Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS), can be implemented to detect intrusive network or host activity such as a DoS attack, and raise alerts when any such activity is detected.
Anti-DDoS guard and scatter tracing are incorrect because these features are not offered by Cisco routers to mitigate DDoS attacks.
Flow control is incorrect because flow control is used to prevent the loss of traffic between two devices.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening
Exam Question 182
Which Internet Control Message Protocol (ICMP) message is sent by a host in the network to test connectivity with another host?
A. ICMP redirect message
B. ICMP echo-request message
C. ICMP time-exceeded message
D. ICMP destination-unreachable message
Correct Answer:
B. ICMP echo-request message
Answer Description:
An ICMP echo-request message is sent by a host in the network to test connectivity with another host. An ICMP echo-request message is generated by the ping command. ICMP is a network-layer protocol that uses packets for reporting informational messages. When a host receives an echo-request (a ping), it responds by sending back an echo-reply message.
An ICMP redirect message is sent to the source host by the router to make the routing process more efficient.
An ICMP time-exceeded message indicates that the Time-to-Live (TTL) field of the IP packet has reached zero.
An ICMP destination-unreachable message is sent by the router to indicate that the router is unable to send the packet to its intended destination.
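To show concretely what the ping exchange described above looks like on the wire, here is an added Python example (not code from the original page): it builds an ICMP echo-request message, computes the RFC 792 checksum, and produces the echo-reply a host returns. It works on in-memory bytes only, so no sockets or privileges are needed; the identifier, sequence number and payload are constructed sample values.

```python
import struct

ICMP_ECHO_REQUEST = 8  # type 8, code 0: what "ping" sends
ICMP_ECHO_REPLY = 0    # type 0, code 0: what the pinged host answers


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0), code 0."""
    # Header layout: type(1) code(1) checksum(2) identifier(2) sequence(2)
    header = struct.pack("!BBHHH", msg_type, 0, 0, identifier, sequence)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, checksum, identifier, sequence) + payload


def parse_echo(packet: bytes) -> dict:
    """Parse an ICMP echo message; raise ValueError if it is truncated or corrupted."""
    if len(packet) < 8:
        raise ValueError("ICMP message too short")
    # Summing a message that already carries its checksum must give zero.
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    return {"type": msg_type, "code": code, "id": identifier,
            "seq": sequence, "payload": packet[8:]}


def answer_echo_request(request: bytes) -> bytes:
    """What the pinged host does: echo identifier, sequence and payload back as type 0."""
    fields = parse_echo(request)
    if fields["type"] != ICMP_ECHO_REQUEST or fields["code"] != 0:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, fields["id"], fields["seq"], fields["payload"])


if __name__ == "__main__":
    # Constructed sample values: identifier 0x1234, sequence 1, 8-byte payload.
    request = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"abcdefgh")
    reply = answer_echo_request(request)
    print("request:", request.hex())
    print("reply:  ", reply.hex())
    print("parsed reply:", parse_echo(reply))
```

The reply carries the request's identifier, sequence number and payload unchanged, which is how the pinging host matches each reply to the request it sent; `parse_echo` rejects a message whose checksum does not verify, the same way a receiving IP stack silently discards a corrupted ICMP message.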
Objective: Network Fundamentals
Sub-Objective: Configure, verify, and troubleshoot IPv4 addressing and subnetting
Exam Question 183
Host A is configured for DHCP, but it is not receiving an IP address when it powers up.
What is the most likely cause? (Click the Exhibit(s) button to view the network diagram.)
A. The DHCP server is on the wrong subnet.
B. Routers do not forward broadcast traffic.
C. The DHCP server is misconfigured.
D. Port security is enabled on the switch.
Correct Answer:
B. Routers do not forward broadcast traffic.
Answer Description:
Host A is not receiving a DHCP configuration because its initial DHCP Discover frame is a broadcast, and routers do not forward broadcast frames by default.
A DHCP client sends out a DHCP Discover packet when booting up, enveloped within an Ethernet broadcast frame. The broadcast frame will be flooded by switches, but filtered by routers. There must either be a DHCP server on the local subnet or a DHCP Relay Agent, which will forward the request from the local subnet to the DHCP server.
The DHCP server is not on the wrong subnet. A DHCP server can be centrally located and configured to support multiple remote subnets, as long as those subnets have DHCP Relay Agents configured to forward the DHCP Discover requests.
No information is provided on the DHCP server configuration. The router is the most obvious cause of the problem, so this option is incorrect.
Port security can be configured to restrict hosts based on the MAC address, but the scenario does not provide information on any port security configurations. The router is the most obvious cause of the problem as shown in the network exhibit.
Objective: Infrastructure Services
Sub-Objective: Configure and verify DHCP on a router (excluding static reservations)
Exam Question 184
Which command is used on a Catalyst 2950 series switch to enable basic port security on the interface?
A. set port-security
B. switchport port-security
C. set port-security enable
D. switchport port-security enable
Correct Answer:
B. switchport port-security
Answer Description:
The switchport port-security command is an interface configuration command used on a Catalyst 2950 series switch to enable basic port security on the interface. The syntax of the command is as follows:
switch(config-if)#switchport port-security
Switchport security can be used to:
- Limit the computers that are allowed to connect to the LAN (by specifying the MAC addresses allowed on the port)
- Limit the number of MAC addresses allowed to access a port
- Set the action the port will take when a violation of the security rule occurs
The set port-security, set port-security enable, and switchport port-security enable commands are incorrect because these are not valid Cisco IOS commands.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot port security
Exam Question 185
Which Cisco Internetwork Operating System (IOS) command is used to encrypt passwords on Cisco routers?
A. password secure
B. service encryption-password
C. service password-encryption
D. enable password
Correct Answer:
C. service password-encryption
Answer Description:
The service password-encryption command is used to encrypt passwords on Cisco routers. It is used to encrypt all passwords configured on the router, both current and future. This means all passwords in the plain text configuration file will be encrypted. This command is issued in global configuration mode. The syntax of the command is as follows:
Router(config)# service password-encryption
This command does not have any parameters.
Once executed, any password in the configuration file will appear similar to the output shown below when the running or startup configuration is viewed:
R1#show run
<Output omitted>
line console 0
password 7 09-4f60C0B1C1B
login
<Output omitted>
The password secure and service encryption-password commands are incorrect because they are not valid Cisco IOS commands.
The enable password command is used to set the privileged EXEC mode password, and does not encrypt the password by default.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening
Exam Question 186
Which service is denoted by TCP/UDP port number 53?
A. Domain Name Service (DNS)
B. File Transfer Protocol (FTP)
C. Telnet
D. HTTP
Correct Answer:
A. Domain Name Service (DNS)
Answer Description:
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port number 53 is assigned to Domain Name Service (DNS), which is used to convert hostnames into Internet Protocol (IP) addresses.
Some common TCP and UDP port number assignments are as follows:
- port 25: Assigned to Simple Mail Transfer Protocol (SMTP), a TCP protocol used to send and receive email messages.
- port 23: Assigned to Telnet to allow remote logins and command execution.
- port 21: Assigned to File Transfer Protocol (FTP). It is used to control FTP transmissions. Port number 20 is also used by FTP for FTP data.
- port 80: Assigned to Hypertext Transfer Protocol (HTTP), which is the base for transferring Web pages over the Internet.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot IPv4 and IPv6 access list for traffic filtering
Exam Question 187
Which of the following is NOT true of APIC-EM?
A. It supports greenfield but not brownfield deployments
B. It provides a single point for network automation
C. It saves time and cost
D. It is open and programmable
Correct Answer:
A. It supports greenfield but not brownfield deployments
Answer Description:
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is an SDN controller platform that supports both greenfield implementations, which use no previous code and design from the ground up, and brownfield implementations, which incorporate existing code.
APIC-EM does provide a single point for network automation. This automation leads to both time and cost savings.
APIC-EM uses an open and programmable approach to devices, policies, and analytics.
Objective: Infrastructure Security
Sub-Objective: Verify ACLs using the APIC-EM Path Trace ACL analysis tool
Exam Question 188
You are configuring a Cisco router.
Which command would you use to convey a message regarding the remote access security policy of your organization to a user logging into the router?
A. hostname
B. banner motd
C. description
D. boot system
E. terminal monitor
Correct Answer:
B. banner motd
Answer Description:
The banner motd command is used to specify a message of the day (MOTD) banner to users logging into the router. This is a global configuration mode command and is generally used to communicate router identification information, display any warning specific to the router, or display a remote access security policy, such as “Unauthorized access to the router is prohibited.” The syntax for this command is as follows:
banner motd [d message d]
d is the delimiter character. It can be any character of the administrator’s choice, with the limitation that the delimiter character cannot be used in the message text.
The hostname command is a global configuration command to assign the router a name for identification. The command syntax is hostname [name].
The description command is an interface configuration mode command that sets a description for that interface.
The boot system command is used to specify the path to the primary IOS file. It is a global configuration command.
The terminal monitor command is used to direct debug and system error messages to the monitor when connected to a router using telnet. When you are connected to a router using telnet and you issue the debug command, by default the output can only be seen through a console session with that router. Executing the terminal monitor command directs that output to the terminal session where it can be viewed.
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening
Exam Question 189
What switch security configuration requires AAA to be configured on the switch?
A. VACL
B. 802.1x
C. Private VLAN
D. port security
Correct Answer:
B. 802.1x
Answer Description:
802.1x requires AAA to be configured on the switch. 802.1x uses AAA authentication to control access to the port.
The overall steps required to configure a switch for 802.1x are:
- Enable AAA on the switch.
- Define the external RADIUS server(s) and the key to be used for encryption.
- Define the authentication method.
- Enable 802.1x on the switch.
- Configure each switch port that will use 802.1x.
- Optionally allow multiple hosts on the switch port.
Objective: Infrastructure Security
Sub-Objective: Describe device security using AAA with TACACS+ and RADIUS
Exam Question 190
You have been asked to examine the following output to identify any security problems with the router. Its configuration is shown:
What problems exist? (Choose all that apply.)
A. unencrypted privileged mode password
B. inappropriate wording in the banner message
C. weak password on the VTY line
D. Telnet users will not be prompted for a password
Correct Answer:
B. inappropriate wording in the banner message
D. Telnet users will not be prompted for a password
Answer Description:
The banner login message should not contain wording such as the word Welcome. This could give an attacker grounds to claim that he was “invited” to access the device.
Also, although a strong password has been configured on the VTY lines, the presence of the no login command instructs the router to NOT prompt for a password.
The login command should be executed under the VTY configuration so that the router will prompt for the password.
The privileged mode password is encrypted because it is listed as an enable secret password.
The password configured on the VTY lines, Cisc0$ell$, is strong in that it contains numbers, letters, and non-alphanumeric characters and it is at least 8 characters in length.
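The checks in this answer (privileged-mode password stored as an enable secret, banner wording, login on the VTY lines, VTY password strength) can be run mechanically over a saved running-config. The following Python script is an added example, not part of the original page and not a Cisco tool: it parses an IOS-style configuration into global lines and indented line/interface blocks, applies those checks plus the service password-encryption check from question 185, and returns a list of findings. Both sample configurations are constructed for this example; the enable secret hash is a labelled placeholder, not a real hash. Type 7 passwords are skipped rather than judged, since service password-encryption only obfuscates them reversibly.

```python
import re

# Constructed sample modelled on the scenario in the question above (not the
# page's exhibit). Expected findings: banner wording and 'no login' on the VTYs.
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$PLCH$PLACEHOLDER_HASH_NOT_REAL
banner motd ^Welcome to R1, the corporate edge router^
line con 0
 password Cisc0$ell$
 login
line vty 0 4
 password Cisc0$ell$
 no login
 transport input telnet
"""

# Second constructed sample that fails the other checks instead.
WEAK_CONFIG = """\
hostname R2
enable password cisco
banner motd ^Unauthorized access is prohibited^
line vty 0 4
 password cisco
 login
 transport input ssh
"""


def parse_ios_config(text: str):
    """Split an IOS config into global lines and indented blocks keyed by header line."""
    global_lines, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            line = raw.strip()
            if line.startswith(("line ", "interface ")):
                current = line
                blocks[current] = []
            else:
                current = None
                global_lines.append(line)
    return global_lines, blocks


def is_strong_password(pw: str) -> bool:
    """The rule used in the answer: at least 8 chars with letters, digits and non-alphanumerics."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def audit_ios_config(text: str) -> list:
    """Return (check, detail) findings for the hardening problems discussed on this page."""
    global_lines, blocks = parse_ios_config(text)
    findings = []
    has_secret = any(line.startswith("enable secret") for line in global_lines)
    has_enable_pw = any(line.startswith("enable password") for line in global_lines)
    if has_enable_pw and not has_secret:
        findings.append(("enable-password",
                         "privileged EXEC password is set with enable password, not a hashed enable secret"))
    if "service password-encryption" not in global_lines:
        findings.append(("password-encryption",
                         "service password-encryption is absent; line passwords are stored in clear text"))
    for line in global_lines:  # single-line banners only in this example
        if line.startswith("banner ") and "welcome" in line.lower():
            findings.append(("banner-wording",
                             "banner contains 'Welcome'; state that unauthorized access is prohibited instead"))
    for header, body in blocks.items():
        if not header.startswith("line vty"):
            continue
        if "no login" in body:
            findings.append(("vty-no-login",
                             f"{header}: 'no login' means remote users are never prompted for a password"))
        for item in body:
            # Matches 'password X' or 'password 0 X'; 'password 7 ...' (type 7) is skipped.
            m = re.match(r"password(?: 0)? (\S+)$", item)
            if m and not is_strong_password(m.group(1)):
                findings.append(("vty-weak-password",
                                 f"{header}: password fails the length/complexity rule"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("R1", SAMPLE_CONFIG), ("R2", WEAK_CONFIG)):
        print(name)
        for check, detail in audit_ios_config(cfg):
            print(f"  [{check}] {detail}")
```

Run against a real running-config, the script reads it from a file rather than the embedded strings; the checks are deliberately literal (exact `no login`, single-line banner) so that each finding maps to one of the problems named in the answer.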
Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening