[Free] 2017(Apr) Ensurepass Testking Cisco 300-115 Latest Dumps 121-130

Ensurepass
2017 April Cisco Official New Released 300-115 Q&As
http://www.ensurepass.com/300-115.html

Implementing Cisco IP Switched Networks (SWITCH v2.0)

QUESTION 121

Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?

 

A. Dynamic ARP Inspection
B. storm control
C. VTP pruning
D. DHCP snooping

Correct Answer: A

Explanation:

Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html

 

 

QUESTION 122

Which command creates a login authentication method named “login” that will primarily use RADIUS and fail over to the local user database?

 

A. (config)# aaa authentication login default radius local
B. (config)# aaa authentication login login radius local
C. (config)# aaa authentication login default local radius
D. (config)# aaa authentication login radius local

 

Correct Answer: B

Explanation:

In the command “aaa authentication login login radius local”, the second login is the name of the AAA method. It also lists radius first, then local, so it will primarily use RADIUS for authentication and fail over to the local user database only if the RADIUS server is unreachable.

 

 

QUESTION 123

Which authentication service is needed to configure 802.1x?

 

A. RADIUS with EAP Extension
B. TACACS+
C. RADIUS with CoA
D. RADIUS using VSA

 

Correct Answer: A

Explanation:

With 802.1x, the authentication server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2940/software/release/12-1_19_ea1/configuration/guide/2940scg_1/sw8021x.pdf

 

 

QUESTION 124

Which feature describes MAC addresses that are dynamically learned or manually configured, stored in the address table, and added to the running configuration?

 

A. sticky
B. dynamic
C. static
D. secure

 

Correct Answer: A

Explanation:

With port security, you can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.pdf

 

 

QUESTION 125

When you configure private VLANs on a switch, which port type connects the switch to the gateway router?

 

A. promiscuous
B. community
C. isolated
D. trunked

 

Correct Answer: A

Explanation:

There are two main types of ports in a Private VLAN: the promiscuous port (P-Port) and the host port.

The host port is further divided into two types: the isolated port (I-Port) and the community port (C-Port).

Reference: http://en.wikipedia.org/wiki/Private_VLAN

 

 

QUESTION 126

SWITCH.com is an IT company that has an existing enterprise network comprised of two layer 2 only switches: DSW1 and ASW1. The topology diagram indicates their layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server. Corporate policies do not allow layer 3 functionality to be enabled on the switches. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:

 

Users connecting to VLAN 20 via port f0/1 on ASW1 must be authenticated before they are given access to the network. Authentication is to be done via a Radius server:

 

Radius server host: 172.120.40.46

 

Radius key: rad123

 

Authentication should be implemented as close to the host as possible.

 

Devices on VLAN 20 are restricted to the subnet of 172.120.40.0/24.

 

Packets from devices in the subnet of 172.120.40.0/24 should be allowed on VLAN 20.

 

Packets from devices in any other address range should be dropped on VLAN 20.

 

Filtering should be implemented as close to the server farm as possible.

 

The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.

 


 

Correct Answer:

Step1: Console to ASW1 from PC console 1

ASW1(config)#aaa new-model

ASW1(config)#radius-server host 172.120.39.46 key rad123

ASW1(config)#aaa authentication dot1x default group radius

ASW1(config)#dot1x system-auth-control

ASW1(config)#inter fastEthernet 0/1

ASW1(config-if)#switchport mode access

ASW1(config-if)#dot1x port-control auto

ASW1(config-if)#exit

ASW1#copy run start

Step2: Console to DSW1 from PC console 2

DSW1(config)#ip access-list standard 10

DSW1(config-ext-nacl)#permit 172.120.40.0 0.0.0.255

DSW1(config-ext-nacl)#exit

DSW1(config)#vlan access-map PASS 10

DSW1(config-access-map)#match ip address 10

DSW1(config-access-map)#action forward

DSW1(config-access-map)#exit

DSW1(config)#vlan access-map PASS 20

DSW1(config-access-map)#action drop

DSW1(config-access-map)#exit

DSW1(config)#vlan filter PASS vlan-list 20

DSW1#copy run start

 

 

 

 

 

QUESTION 127

Which private VLAN access port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports?

 

A. promiscuous port
B. isolated port
C. community port
D. trunk port

 

Correct Answer: A

Explanation:

The types of private VLAN ports are as follows:

Promiscuous: A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port.

Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.

Community: A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html

 

 

QUESTION 128

Which command globally enables AAA on a device?

 

A. aaa new-model
B. aaa authentication
C. aaa authorization
D. aaa accounting

 

Correct Answer: A

Explanation:

To configure AAA authentication, enable AAA by using the aaa new-model global configuration command. AAA features are not available for use until you enable AAA globally by issuing the aaa new-model command.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

 

 

 

 

QUESTION 129

The network monitoring application alerts a network engineer of a client PC that is acting as a rogue DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two.)

 

A. switch# show mac address-table
B. switch# show port-security
C. switch# show ip verify source
D. switch# show ip arp inspection
E. switch# show mac address-table address <mac address>

 

Correct Answer: AE

Explanation:

These two commands will show the MAC address table, including the switch port that the particular host is using. Here is an example output:

Switch>show mac-address-table

 

Dynamic Addresses Count: 9

Secure Addresses (User-defined) Count: 0

Static Addresses (User-defined) Count: 0

System Self Addresses Count: 41

Total MAC addresses: 50

Non-static Address Table:

Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0010.0de0.e289       Dynamic       1     FastEthernet0/1
0010.7b00.1540       Dynamic       2     FastEthernet0/5
0010.7b00.1545       Dynamic       2     FastEthernet0/5

 

 

QUESTION 130

Which type of information does the DHCP snooping binding database contain?

 

A. untrusted hosts with leased IP addresses
B. trusted hosts with leased IP addresses
C. untrusted hosts with available IP addresses
D. trusted hosts with available IP addresses

 

Correct Answer: A

Explanation:

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

Validates DHCP messages received from untrusted sources and filters out invalid messages.

Rate-limits DHCP traffic from trusted and untrusted sources.

Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.pdf
