CCNA Cisco Certified Network Associate CCNA (v3.0)
Question No: 271 – (Topic 6)
Refer to the exhibit.
The following commands are executed on interface fa0/1 of 2950Switch.
2950Switch(config-if)# switchport port-security
2950Switch(config-if)# switchport port-security mac-address sticky
2950Switch(config-if)# switchport port-security maximum 1
The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two.)
A. The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
B. Only host A will be allowed to transmit frames on fa0/1.
C. This frame will be discarded when it is received by 2950Switch.
D. All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
E. Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
F. Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.
Answer: B,D Explanation:
The configuration shown here is an example of port security, specifically port security using sticky addresses. You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
Port security with sticky MAC addresses provides many of the same benefits as port security with static MAC addresses, but sticky MAC addresses can be learned dynamically. Port security with sticky MAC addresses retains dynamically learned MAC addresses during a link-down condition.
Question No: 272 – (Topic 6)
Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU?
Answer: D Explanation:
We enable the PortFast feature only on access ports (ports connected to end stations). But if someone is unaware of this, he can accidentally plug that port into another switch, and a loop may occur when BPDUs are being transmitted and received on these ports.
With BPDU Guard, when a PortFast port receives a BPDU, the port is shut down to prevent a loop.
Question No: 273 – (Topic 6)
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 192.168.146.0, 192.168.147.0, 192.168.148.0, and 192.168.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two.)
A. access-list 10 permit ip 192.168.146.0 0.0.1.255
B. access-list 10 permit ip 192.168.147.0 0.0.255.255
C. access-list 10 permit ip 192.168.148.0 0.0.1.255
D. access-list 10 permit ip 192.168.149.0 0.0.255.255
E. access-list 10 permit ip 192.168.146.0 0.0.0.255
F. access-list 10 permit ip 192.168.146.0 255.255.255.0
Answer: A,C Explanation:
“access-list 10 permit ip 192.168.146.0 0.0.1.255” would allow only the 192.168.146.0 and 192.168.147.0 networks, and “access-list 10 permit ip 192.168.148.0 0.0.1.255” would allow only the 192.168.148.0 and 192.168.149.0 networks.
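The wildcard-mask arithmetic behind this answer, as an added Python example (not part of the original question): it expands each of the six offered address/wildcard pairs into the 192.168.x.0 networks it fully covers and finds the only pair that covers exactly the four required networks. The function names are illustrative.

```python
import ipaddress
from itertools import combinations

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def acl_match(addr, base, wildcard):
    # Wildcard bit 1 = ignore this bit, 0 = bit must equal the base address.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

def covered_networks(base, wildcard):
    """192.168.x.0 networks whose 256 addresses all match 'base wildcard'."""
    b, w = to_int(base), to_int(wildcard)
    nets = []
    for third in range(256):
        start = to_int(f"192.168.{third}.0")
        if all(acl_match(start + host, b, w) for host in range(256)):
            nets.append(f"192.168.{third}.0")
    return nets

# Address/wildcard pairs taken from options A-F of the question.
OPTIONS = {
    "A": ("192.168.146.0", "0.0.1.255"),
    "B": ("192.168.147.0", "0.0.255.255"),
    "C": ("192.168.148.0", "0.0.1.255"),
    "D": ("192.168.149.0", "0.0.255.255"),
    "E": ("192.168.146.0", "0.0.0.255"),
    "F": ("192.168.146.0", "255.255.255.0"),
}
REQUIRED = {"192.168.146.0", "192.168.147.0", "192.168.148.0", "192.168.149.0"}

def exact_pairs():
    """Option pairs whose combined coverage is exactly the required networks."""
    cover = {k: set(covered_networks(*v)) for k, v in OPTIONS.items()}
    return [(x, y) for x, y in combinations(sorted(cover), 2)
            if cover[x] | cover[y] == REQUIRED]

if __name__ == "__main__":
    for name, entry in OPTIONS.items():
        nets = covered_networks(*entry)
        print(name, entry, len(nets), "networks", nets[:4])
    print("exact pairs:", exact_pairs())
```

Options B and D cover all 256 networks under 192.168.0.0, and F covers none in full because its mask is written as a subnet mask rather than a wildcard.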
Question No: 274 – (Topic 6)
Which statement about access lists that are applied to an interface is true?
A. You can place as many access lists as you want on any interface.
B. You can apply only one access list on any interface.
C. You can configure one access list, per direction, per Layer 3 protocol.
D. You can apply multiple access lists with the same protocol or in different directions.
Answer: C Explanation:
We can have only 1 access list per protocol, per direction and per interface. It means:
We cannot have 2 inbound access lists on an interface
We can have 1 inbound and 1 outbound access list on an interface
Question No: 275 – (Topic 6)
Refer to the exhibit.
Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of subnet 172.21.1.128/28) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?
Answer: D Explanation:
Routers go line by line through an access list until a match is found and then will not look any further, even if a more specific or better match is found later on in the access list. So, it is best to begin with the most specific entries first, in this case the two hosts in lines C and D. Then, include the subnet (B) and then finally the rest of the traffic (A).
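First-match evaluation and the shadowing it causes, as an added Python example (not from the original page). The exhibit is not reproduced here, so statements A to D below are constructed to fit the explanation (A matches all remaining traffic, B the subnet, C and D the two hosts); the function names are illustrative.

```python
import ipaddress

def ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def first_match(acl, src):
    """Action of the first entry matching src; implicit deny if none match."""
    for action, base, wildcard in acl:
        care = ~ip(wildcard) & 0xFFFFFFFF
        if (ip(src) & care) == (ip(base) & care):
            return action
    return "deny"

def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier entry covers them."""
    out = []
    for j, (_, base_j, wc_j) in enumerate(acl):
        care_j = ~ip(wc_j) & 0xFFFFFFFF
        for _, base_i, wc_i in acl[:j]:
            care_i = ~ip(wc_i) & 0xFFFFFFFF
            # Entry i covers j if i tests only bits that j also tests
            # and both bases agree on every bit i tests.
            if care_i & ~care_j == 0 and (ip(base_i) ^ ip(base_j)) & care_i == 0:
                out.append(j)
                break
    return out

# Constructed statements (assumption: the exhibit is not on the page).
A = ("permit", "0.0.0.0", "255.255.255.255")   # the rest of the traffic
B = ("deny", "172.21.1.128", "0.0.0.15")       # subnet 172.21.1.128/28
C = ("permit", "172.21.1.129", "0.0.0.0")      # first host of the subnet
D = ("permit", "172.21.1.142", "0.0.0.0")      # last host of the subnet

AS_ENTERED = [A, B, C, D]
REORDERED = [C, D, B, A]

if __name__ == "__main__":
    for name, acl in (("as entered", AS_ENTERED), ("reordered", REORDERED)):
        print(name, "shadowed entries:", shadowed_entries(acl))
        for src in ("172.21.1.129", "172.21.1.130", "172.21.1.142", "10.0.0.1"):
            print("  ", src, first_match(acl, src))
```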
Question No: 276 – (Topic 6)
What can be done to secure the virtual terminal interfaces on a router? (Choose two.)
A. Administratively shut down the interface.
B. Physically secure the interface.
C. Create an access list and apply it to the virtual terminal interfaces with the access-group command.
D. Configure a virtual terminal password and login process.
E. Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
Answer: D,E Explanation:
It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces.
We cannot physically secure a virtual interface because it is “virtual”.
To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct.
The simplest way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login.
Question No: 277 – (Topic 6)
Which set of commands is recommended to prevent the use of a hub in the access layer?
A. switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security maximum 1
B. switch(config-if)#switchport mode trunk
switch(config-if)#switchport port-security mac-address 1
C. switch(config-if)#switchport mode access
switch(config-if)#switchport port-security maximum 1
D. switch(config-if)#switchport mode access
switch(config-if)#switchport port-security mac-address 1
Answer: C Explanation:
This question is to examine the layer 2 security configuration.
In order to satisfy the requirements of this question, you should perform the following configurations in the interface mode:
First, configure the interface mode as the access mode
Second, enable the port security and set the maximum number of connections to 1.
Question No: 278 – (Topic 6)
What will be the result if the following configuration commands are implemented on a Cisco switch?
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
A. A dynamically learned MAC address is saved in the startup-configuration file.
B. A dynamically learned MAC address is saved in the running-configuration file.
C. A dynamically learned MAC address is saved in the VLAN database.
D. Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
E. Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.
Answer: B Explanation:
In the interface configuration mode, the command switchport port-security mac-address sticky enables sticky learning. When entering this command, the interface converts all the dynamic secure MAC addresses to sticky secure MAC addresses.
Topic 7, Infrastructure Management
Question No: 279 – (Topic 7)
Which protocol can cause overload on a CPU of a managed device?
Answer: D Explanation:
Sometimes, messages like this might appear in the router console:
%SNMP-3-CPUHOG: Processing [chars] of [chars]
They mean that the SNMP agent on the device has taken too much time to process a request.
You can determine the cause of high CPU use in a router by using the output of the show process cpu command.
Note: A managed device is a part of the network that requires some form of monitoring and management (routers, switches, servers, workstations, printers…).
Question No: 280 – (Topic 7)
Refer to the topology. Your company has decided to connect the main office with three other remote branch offices using point-to-point serial links.
You are required to troubleshoot and resolve OSPF neighbor adjacency issues between the main office and the routers located in the remote branch offices.
An OSPF neighbor adjacency is not formed between R3 in the main office and R4 in the Branch1 office. What is causing the problem?
A. There is an area ID mismatch.
B. There is a Layer 2 issue; an encapsulation mismatch on serial links.
C. There is an OSPF hello and dead interval mismatch.
D. The R3 router ID is configured on R4.
Answer: A Explanation:
A show running-config command on R3 and R4 shows that R4 is incorrectly configured for area 2: