The latest Cisco Certified Network Associate 200-301 CCNA certification practice exam questions and answers (Q&A) are available free and are intended to help you pass the Cisco Certified Network Associate 200-301 CCNA exam and earn the Cisco Certified Network Associate 200-301 CCNA certification.
Exam Question 531
You need to cable the network shown below.
Which of the following is the correct cable for each numbered link?
A. 1-crossover, 2-straight-through, 3-rollover, 4-crossover, 5-crossover
B. 1-straight-through, 2-straight-through, 3-rollover, 4-crossover, 5-crossover
C. 1-crossover, 2-crossover, 3-rollover, 4-crossover, 5-crossover
D. 1-rollover, 2-crossover, 3-crossover, 4-straight-through, 5-straight-through
Correct Answer:
D. 1-rollover, 2-crossover, 3-crossover, 4-straight-through, 5-straight-through
Answer Description:
The correct cabling pattern is 1-rollover, 2-crossover, 3-crossover, 4-straight-through, 5-straight-through. When selecting cables, the following rules apply:
- Router to router: crossover
- Router to switch: straight-through
- Management station (PC) to router for a console session: rollover (rolled) cable
- Switch to switch: crossover
- PC to switch: straight-through
Exam Question 532
You are the senior network administrator for a large corporation. Some new trainees have recently joined the network security team. You are educating them about denial-of-service (DoS) attacks and the risks posed to a network by such attacks.
Which three are risks that a DoS attack poses to a network? (Choose three.)
A. Downtime and productivity loss
B. Spread of viruses
C. Revenue loss
D. Information theft
E. Spread of spyware
Correct Answer:
A. Downtime and productivity loss
C. Revenue loss
D. Information theft
Answer Description:
A DoS attack can result in network downtime and loss of productivity, revenue loss, and information theft.
A DoS attack is an attack in which legitimate users are denied access to networks, systems, or resources. The potential risks posed by a DoS attack are as follows:
- Downtime and productivity loss: A DoS attack causes downtime in the network, which ultimately results in loss of productivity for the organization.
- Revenue loss: Organizations that use their Web sites for commerce or vital support services, such as search engines, can incur large revenue losses.
- Information theft: DoS attacks can also be aimed at stealing important and confidential information from a network.
- Malicious competition: An organization might launch DoS attacks against their competitors to damage their reputation.
A few methods that can help minimize potential risks from DoS attacks are:
- Using a firewall, which allows you to block or permit traffic entering into the network, can help to mitigate DoS attacks.
- Computers vulnerable to attacks can be shifted to another location or a more secure LAN.
- Intrusion Detection Systems (IDS), such as Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS), can be implemented to detect intrusive network or host activity, such as a DoS attack, and raise alerts when any such activity is detected.
A DoS attack does not itself spread viruses; viruses spread when the network is attacked by a virus or a Trojan horse.
A DoS attack does not result in the spread of spyware. DoS attacks are mainly aimed at exhausting system resources so that legitimate users are denied access to networks, systems, or resources. Spyware is software installed on a computer without the knowledge of the user, and it gathers information about a person or organization. Spyware is generally downloaded through Web sites and e-mail messages.
Exam Question 533
Which of the following methods of tunneling Internet Protocol version 6 (IPv6) traffic through an IPv4 network increases protocol overhead because of IPv6 headers?
A. Protocol translation
B. IPv6 over dedicated WAN links
C. Dual-Stack Backbones
D. IPv6 over IPv4 tunnels
Correct Answer:
D. IPv6 over IPv4 tunnels
Answer Description:
IPv6 over IPv4 tunnels is a method of tunneling IPv6 traffic through an IPv4 network that eliminates the need to create separate circuits to connect to the IPv6 networks. This model increases protocol overhead because of IPv6 headers.
The following deployment models are available for IPv4 to IPv6 migration:
- IPv6 over IPv4 tunnels: IPv6 traffic is encapsulated into IPv4 packets. Then these packets are transferred over IPv4 WAN. This model eliminates the need to create separate circuits to connect to the IPv6 networks. This model increases protocol overhead because of the IPv6 headers and requires both ends to be capable of both protocols.
- Protocol translation: A method allowing an IPv6 host to communicate with an IPv4 host. This is accomplished with the help of Network Address Translation – Protocol Translation (NAT-PT) used to configure translation between IPv6 and IPv4 hosts. NAT-PT allows communication between IPv6 hosts and applications, and native IPv4 hosts and applications.
- IPv6 over dedicated WAN links: A new deployment of IPv6 is created. In this model, IPv6 hierarchy, addressing, and protocols are used by all nodes. However, this model involves cost for creating IPv6 WAN circuits. This solution is not designed for LAN translation but rather translation over WAN links.
- Dual-Stack Backbones: A hybrid model in which backbone routers have dual-stack functionality, which enables them to route both IPv4 and IPv6 packets. It is suitable for an enterprise that uses both IPv4 and IPv6 applications. Running IPv6 and IPv4 together in a network is known as dual-stack routing.
Exam Question 534
Which of the following statements is NOT true of Cisco ACI?
A. It is a comprehensive SDN architecture.
B. It uses Cisco APIC as the central management system.
C. It provides policy driven automation support.
D. It decreases network visibility.
Correct Answer:
D. It decreases network visibility.
Answer Description:
The Cisco ACI does not decrease network visibility. On the contrary, the Cisco Application Centric Infrastructure (ACI) increases network visibility. It is a policy-driven automation solution that can keep the network inventory up to date automatically whenever a new device is added and provide a graphical representation at all times.
ACI is a comprehensive SDN architecture that integrates physical and virtual environments under one policy model. It uses the Cisco Application Policy Infrastructure Controller (APIC) as the central management system.
It provides policy driven automation support through a business-relevant application policy language.
Exam Question 535
In which of the following IPv6 address assignment methods will the interface receive its IPv6 address from a process native to IPv6, and receive additional parameters from DHCP?
A. Stateless DHCPv6
B. Stateful DHCPv6
C. DHCPv6-PD
D. Stateless autoconfiguration
Correct Answer:
A. Stateless DHCPv6
Answer Description:
Stateless DHCPv6 uses a combination of processes to assign a configuration to an IPv6 interface. It uses Stateless Address Autoconfiguration (SLAAC), a process native to IPv6, to assign an IPv6 address to the interface. It uses DHCPv6 to assign other parameters, such as the DNS server and NTP server.
In stateful DHCPv6, the interface will receive the IPv6 address and all other parameters from the DHCP server.
In DHCPv6 Prefix Delegation (DHCPv6-PD), the device is assigned a set of IPv6 "subnets." This assignment consists of a set of IPv6 addresses in the same subnet (such as the prefix 2001:db8::/60) that the device can dynamically allocate to its interfaces.
Exam Question 536
Which VLAN can NOT be filtered through the VLAN Trunking Protocol (VTP) Pruning feature of Cisco switches?
A. VLAN 1
B. VLAN 10
C. VLAN 100
D. VLAN 1000
Correct Answer:
A. VLAN 1
Answer Description:
VLAN 1 traffic cannot be pruned. Cisco recommends that VLAN 1 be used for management of VLANs.
VTP pruning is a Cisco VTP feature that allows switches to dynamically delete or add VLANs to a trunk for traffic transmission. It creates an efficient switching network by optimal use of available trunk bandwidth.
The options 10, 100, and 1000 are incorrect because these VLAN numbers can be pruned. By default, VLANs 2 to 1000 are eligible for pruning.
Exam Question 537
A new security policy has been adopted by your company. One of its requirements is that only one host is permitted to attach dynamically to each switch port. The security settings on all of the ports have been altered from the default settings.
You execute the following command on all switch ports of Switch A: SwitchA(config-if)# switchport port-security maximum 1
After executing the command, you discover that users in the Sales department are still successfully plugging a hub into a port and then plugging two or three laptops into the hub.
What did you do wrong?
A. The command should be executed at the global prompt.
B. The command should be executed as switchport port-security maximum 0.
C. You also need to execute the switchport port-security violation shutdown command at the global prompt.
D. You also need to execute the switchport port-security violation shutdown command on each switch port.
Correct Answer:
D. You also need to execute the switchport port-security violation shutdown command on each switch port.
Answer Description:
When configuring switch port security to enforce the policy described in the scenario, two commands are required. One command specifies how many addresses are allowed per switch port and the other tells the switch what to do when a violation occurs. Configuring the first without the second is like creating a rule without enforcing the rule. Both commands must be executed on each switch port, as shown in the following example:
SwitchA(config)# interface fa0/22
SwitchA(config-if)# switchport port-security maximum 1
SwitchA(config-if)# switchport port-security violation shutdown
By default, ports are configured to shut down on a violation, but the scenario states the default settings have been altered.
The switchport port-security violation command can be set to shutdown, restrict, or protect. The shutdown option shuts down the port if there is a security violation, but does not send an SNMP trap logging the violation. The restrict option drops all packets from insecure hosts at the port-security process level and increments the security-violation count, and can send an SNMP trap. The protect option drops all the packets from the insecure hosts at the port-security process level, but does not increment the security-violation count or send an SNMP trap.
You should not execute either the switchport port-security violation command or the switchport port-security maximum command at the global prompt. Both commands must be executed on each switch port.
You should not execute the command switchport port-security maximum 0. This would tell the switch to not allow any addresses at all per switch port.
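As an added example, not part of the original question set: a small Python audit that parses a constructed IOS running-config and reports every interface that does not enforce the policy in the scenario (a maximum of one address together with the shutdown violation action). The sample config and its interface names are constructed, every interface block is assumed to be an access port subject to the policy, and the check additionally assumes that the interface-level switchport port-security command must be present for the maximum and violation settings to take effect.

```python
import re

# Constructed sample running-config for the Q537 scenario (not from the page's
# own switch): Fa0/21 has only the maximum set, Fa0/22 has both commands, and
# Fa0/23 has the violation action altered to protect.
SAMPLE_CONFIG = """\
interface FastEthernet0/21
 switchport port-security
 switchport port-security maximum 1
!
interface FastEthernet0/22
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/23
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation protect
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces

def audit_port_security(config: str, max_hosts: int = 1) -> dict:
    """{interface: [findings]} for ports not enforcing: enabled, maximum, shutdown."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        problems, text = [], "\n".join(cmds)
        if "switchport port-security" not in cmds:
            # Assumption beyond the question: without this the maximum/violation lines have no effect.
            problems.append("port security not enabled")
        maximum = re.search(r"^switchport port-security maximum (\d+)$", text, re.M)
        if maximum is None or int(maximum.group(1)) != max_hosts:
            problems.append(f"maximum is not {max_hosts}")
        action = re.search(r"^switchport port-security violation (\S+)$", text, re.M)
        if action is None:
            problems.append("no explicit violation action (default may have been altered)")
        elif action.group(1) != "shutdown":
            problems.append(f"violation action is {action.group(1)}, not shutdown")
        if problems:
            findings[name] = problems
    return findings
```

Running the audit over the sample flags Fa0/21 and Fa0/23 and leaves Fa0/22, the only port with both commands, clean.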
Exam Question 538
Which statement is TRUE regarding the switchport protected interface configuration command and its effects?
A. The command is used to configure private VLAN edge ports.
B. The command enables the highest level switch port security.
C. All the traffic through protected port should go via a Layer 2 device such as switch.
D. A protected port can directly communicate with any other port on the same switch.
Correct Answer:
A. The command is used to configure private VLAN edge ports.
Answer Description:
The switchport protected interface configuration command is used to configure private VLAN edge ports on a Cisco Catalyst 2950 switch. A VLAN edge port is another name given to a protected port. Protected ports do not forward any traffic to other protected ports on the same switch. All traffic passing between protected ports on the same switch must be routed through a Layer 3 device. Protected ports have no restrictions on forwarding to non-protected ports, and they forward as usual to all ports on other switches.
Following are the steps to configure a switch port as a protected port:
- configure terminal
- interface interface-id
- switchport protected
- end
Use the show interfaces switchport command to verify that the protected port is enabled.
It is incorrect to state that the command enables the highest level of switch port security. It places no additional restrictions on the port other than preventing it from directly forwarding from one protected port to another.
It is incorrect to state that all traffic through protected port should go via a Layer 2 device such as a switch. Traffic through the protected port should go via a Layer 3 device, such as a router.
It is incorrect to state that a protected port can directly communicate with any other port on the same switch. A protected port cannot directly communicate with another protected port on the same switch.
Exam Question 539
Which Cisco IOS interface configuration command is used to configure the private VLAN edge ports on a Cisco Catalyst 2950 switch?
A. switchport protected
B. switchport port-security
C. switchport port-vlan-edge
D. switchport port-security violation
Correct Answer:
A. switchport protected
Answer Description:
The switchport protected interface configuration command is used to configure protected ports (private VLAN edge ports) on a Cisco Catalyst 2950 switch. A protected port cannot directly communicate with any other protected port on the same switch. It is used in cases where an application requires that no traffic be directly passed from port to port on the same switch. All traffic through the protected port must be transmitted via a Layer 3 device, such as a router.
The switchport port-security command enables basic switch port security. With this command, you can define a group of source MAC addresses (called an address table) that are allowed to access the port. The switch will not forward any packets to the port with source addresses that do not match this group. This is one method a network administrator can use to prevent unauthorized access to the LAN by only allowing company-known MAC addresses. Controlling which MAC addresses can access a port has the following advantages:
- It can ensure full bandwidth on the port if the table is limited to a single source address.
- It can make the port more secure by preventing access from unknown MAC addresses. It can also be used to prevent access on unused ports to prevent unauthorized hosts from accessing the LAN.
The switchport port-security violation command further defines actions a switch can take on the interface in the event of a security violation by following the command with a choice from the {shutdown | restrict | protect} options.
The switchport port-vlan-edge command is incorrect because this is not a valid Cisco command.
Exam Question 540
What will be the output of the show cdp neighbors detail command issued on Router A? (The network diagram is provided as an exhibit.)
A. Device ID: RTR2511
Entry address(es):
IP address: 178.10.20.1
Platform: cisco 2511, Capabilities: Router
Interface Serial 0
——————————————
Device ID: RTR2611-Edge
Entry address(es):
IP address: 10.10.1.2
Platform: cisco 2611, Capabilities: Router
Interface Ethernet 0
B. Device ID: RTR2611
Entry address(es):
IP address: 172.10.20.1
Platform: cisco 2611, Capabilities: Router
Interface Ethernet 0
——————————————
Device ID: C2924C-123
Entry address(es):
IP address: 10.10.1.3
Platform: cisco WS-C2924, Capabilities: Switch
Interface Ethernet 0
C. Device ID: RTR2511
Entry address(es):
IP address: 178.10.20.2
Platform: cisco 2511, Capabilities: Router
Interface Serial 0
——————————————
Device ID: C2924C-123
Entry address(es):
IP address: 10.10.1.3
Platform: cisco WS-C2924, Capabilities: Switch
Interface Ethernet 0
D. Device ID: RTR2611
Entry address(es):
IP address: 172.10.20.1
Platform: cisco 2611, Capabilities: Router
Interface Ethernet 0
E. Device ID: C2924C-123
Entry address(es):
IP address: 10.10.1.3
Platform: cisco WS-C2924, Capabilities: Switch
Interface Ethernet 0
Correct Answer:
C. Device ID: RTR2511
Entry address(es):
IP address: 178.10.20.2
Platform: cisco 2511, Capabilities: Router
Interface Serial 0
——————————————
Device ID: C2924C-123
Entry address(es):
IP address: 10.10.1.3
Platform: cisco WS-C2924, Capabilities: Switch
Interface Ethernet 0
Answer Description:
The following is the correct partial output of the show cdp neighbors detail command issued on Router A:
Device ID: RTR2511
Entry address(es):
IP address: 178.10.20.2
Platform: cisco 2511, Capabilities: Router
Interface Serial 0
——————————————
Device ID: C2924C-123
Entry address(es):
IP address: 10.10.1.3
Platform: cisco WS-C2924, Capabilities: Switch
Interface Ethernet 0
The show cdp neighbors detail command displays the Cisco devices directly connected to the router. Therefore, only details of the 2511 router and the Cisco Catalyst 2924 switch will be displayed in the output. The detail keyword of the show cdp neighbors command also displays IP address information for the directly connected devices. The output shows the connected device name, its IP address, its platform, and the local interface through which the device is connected.
All of the other code samples are incorrect, as they include the output of devices that are not connected directly to Router A.
Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol used by all Cisco devices to collect information about neighboring devices. CDP operates at Layer 2 of the OSI model. Therefore, it can collect information about neighboring devices that are running different Network layer protocols. It is also useful for collecting information when IP is not functional.
Some variations of this command include:
- The show cdp command, which displays global CDP information, including timer and hold time information.
- The show cdp interface command, which displays information about the interfaces on which CDP is enabled.
- The show cdp neighbors command, which displays detailed information about neighboring devices discovered by the CDP. However, it does not include the IP address of the neighboring device.
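As an added example (not part of the original question set): a Python parser for show cdp neighbors detail output that extracts the fields described above and compares the neighbours against an expected inventory, the check a defender runs to notice an unlisted device hanging off a router port. The sample output, the third neighbour LAB-SW-TEST and the EXPECTED_NEIGHBOURS table are constructed; the sample uses the full IOS layout (an Interface: field followed by the Port ID), and the regexes also accept the abbreviated layout shown in the answer.

```python
import re

# Constructed sample modelled on the Q540 answer (not a capture from the page's
# Router A): the first two neighbours match the answer, the third is an
# unlisted device added to exercise the inventory check.
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: RTR2511
Entry address(es):
  IP address: 178.10.20.2
Platform: cisco 2511,  Capabilities: Router
Interface: Serial0,  Port ID (outgoing port): Serial0
-------------------------
Device ID: C2924C-123
Entry address(es):
  IP address: 10.10.1.3
Platform: cisco WS-C2924,  Capabilities: Switch
Interface: Ethernet0,  Port ID (outgoing port): FastEthernet0/1
-------------------------
Device ID: LAB-SW-TEST
Entry address(es):
  IP address: 10.10.1.9
Platform: cisco WS-C2950,  Capabilities: Switch IGMP
Interface: Ethernet0,  Port ID (outgoing port): FastEthernet0/24
"""

# Assumed inventory: device ID -> local interface it is expected to hang off.
EXPECTED_NEIGHBOURS = {"RTR2511": "Serial0", "C2924C-123": "Ethernet0"}

def parse_cdp_detail(output: str) -> list:
    """Split on the dashed separators and extract one record per neighbour."""
    neighbours = []
    for block in re.split(r"^[-\u2014\u2013]{5,}\s*$", output, flags=re.M):
        dev = re.search(r"^Device ID:\s*(\S+)", block, re.M)
        if not dev:
            continue  # empty chunk before the first separator
        ip = re.search(r"IP address:\s*(\S+)", block)
        plat = re.search(r"^Platform:\s*(.+?),\s*Capabilities:\s*(.+?)\s*$", block, re.M)
        # 'Interface:' in real IOS output, 'Interface Serial 0' in the abbreviated form
        intf = re.search(r"^Interface:?\s*([^,\n]+?)\s*(?:,|$)", block, re.M)
        neighbours.append({
            "device_id": dev.group(1),
            "ip": ip.group(1) if ip else None,
            "platform": plat.group(1) if plat else None,
            "capabilities": plat.group(2).split() if plat else [],
            "interface": intf.group(1).replace(" ", "") if intf else None,
        })
    return neighbours

def unexpected_neighbours(neighbours: list, expected: dict) -> list:
    """Device IDs that are not in the inventory or appear on a different interface."""
    return [n["device_id"] for n in neighbours
            if expected.get(n["device_id"]) != n["interface"]]
```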