200-301: Cisco Certified Network Associate (CCNA) Part 11
Question #: 601
Topic #: 1
How does TFTP operate in a network?
A. Provides secure data transfer
B. Relies on the well-known TCP port 20 to transmit data
C. Uses block numbers to identify and mitigate data-transfer errors
D. Requires two separate connections for control and data traffic
Selected Answer: C
Question #: 602
Topic #: 1
Refer to the exhibit. Which plan must be implemented to ensure optimal QoS marking practices on this network?
A. Trust the IP phone markings on SW1 and mark traffic entering SW2 at SW2
B. As traffic traverses MLS1 remark the traffic, but trust all markings at the access layer
C. Remark traffic as it traverses R1 and trust all markings at the access layer.
D. As traffic enters from the access layer on SW1 and SW2, trust all traffic markings.
Selected Answer: A
Question #: 603
Topic #: 1
How does QoS optimize voice traffic?
A. by reducing bandwidth usage
B. by reducing packet loss
C. by differentiating voice and video traffic
D. by increasing jitter
Selected Answer: B
Question #: 604
Topic #: 1
Which QoS tool can you use to optimize voice traffic on a network that is primarily intended for data traffic?
A. WRED
B. FIFO
C. PQ
D. WFQ
Selected Answer: C
Question #: 605
Topic #: 1
Refer to the exhibit. Users on existing VLAN 100 can reach sites on the Internet. Which action must the administrator take to establish connectivity to the Internet for users in VLAN 200?
A. Define a NAT pool on the router.
B. Configure the ip nat outside command on another interface for VLAN 200
C. Configure static NAT translations for VLAN 200.
D. Update the NAT_INSIDE_RANGES ACL.
Selected Answer: D
Question #: 606
Topic #: 1
An organization secures its network with multi-factor authentication using an authenticator app on employee smartphones. How is the application secured in the case of a user’s smartphone being lost or stolen?
A. The application requires the user to enter a PIN before it provides the second factor
B. The application requires an administrator password to reactivate after a configured interval
C. The application verifies that the user is in a specific location before it provides the second factor
D. The application challenges a user by requiring an administrator password to reactivate when the smartphone is rebooted
Selected Answer: A
Question #: 607
Topic #: 1
Which device performs stateful inspection of traffic?
A. switch
B. firewall
C. access point
D. wireless controller
Selected Answer: B
Question #: 608
Topic #: 1
A network administrator enabled port security on a switch interface connected to a printer. What is the next configuration action in order to allow the port to learn the MAC address of the printer and insert it into the table automatically?
A. enable dynamic MAC address learning
B. implement static MAC addressing
C. enable sticky MAC addressing
D. implement auto MAC address learning
Selected Answer: C
Question #: 609
Topic #: 1
Refer to the exhibit. An engineer booted a new switch and applied this configuration via the console port. Which additional configuration must be applied to allow administrators to authenticate directly to enable privilege mode via Telnet using a local username and password?
A. R1(config)#username admin
   R1(config-if)#line vty 0 4
   R1(config-line)#password p@ss1234
   R1(config-line)#transport input telnet
B. R1(config)#username admin privilege 15 secret p@ss1234
   R1(config-if)#line vty 0 4
   R1(config-line)#login local
C. R1(config)#username admin secret p@ss1234
   R1(config-if)#line vty 0 4
   R1(config-line)#login local
   R1(config)#enable secret p@ss1234
D. R1(config)#username admin
   R1(config-if)#line vty 0 4
   R1(config-line)#password p@ss1234
Selected Answer: B
Question #: 610
Topic #: 1
Which effect does the aaa new-model configuration command have?
A. It enables AAA services on the device.
B. It configures the device to connect to a RADIUS server for AAA.
C. It associates a RADIUS server to the group.
D. It configures a local user on the device.
Selected Answer: A
Question #: 611
Topic #: 1
Refer to the exhibit. Which two events occur on the interface if packets from an unknown source address arrive after the interface learns the maximum number of secure MAC addresses? (Choose two.)
A. The security violation counter does not increment
B. The port LED turns off
C. The interface is error-disabled
D. A syslog message is generated
E. The interface drops traffic from unknown MAC addresses
Selected Answer: AE
Question #: 612
Topic #: 1
Which technology must be implemented to configure network device monitoring with the highest security?
A. IP SLA
B. syslog
C. NetFlow
D. SNMPv3
Selected Answer: D
Question #: 613
Topic #: 1
Refer to the exhibit. Which two statements about the interface that generated the output are true? (Choose two.)
A. learned MAC addresses are deleted after five minutes of inactivity
B. the interface is error-disabled if packets arrive from a new unknown source address
C. it has dynamically learned two secure MAC addresses
D. it has dynamically learned three secure MAC addresses
E. the security violation counter increments if packets arrive from a new unknown source address
Selected Answer: C
Question #: 614
Topic #: 1
Refer to the exhibit. Which statement about the interface that generated the output is true?
A. A syslog message is generated when a violation occurs.
B. One secure MAC address is manually configured on the interface.
C. One secure MAC address is dynamically learned on the interface.
D. Five secure MAC addresses are dynamically learned on the interface.
Selected Answer: B
Question #: 615
Topic #: 1
Refer to the exhibit. What is the effect of this configuration?
A. The switch port remains administratively down until the interface is connected to another switch.
B. Dynamic ARP Inspection is disabled because the ARP ACL is missing.
C. The switch port interface trust state becomes untrusted.
D. The switch port remains down until it is configured to trust or untrust incoming packets.
Selected Answer: C
Question #: 616
Topic #: 1
What is the difference between AAA authentication and authorization?
A. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls the tasks the user performs.
B. Authentication controls the system processes a user accesses, and authorization logs the activities the user initiates.
C. Authentication verifies a username and password, and authorization handles the communication between the authentication agent and the user database.
D. Authentication identifies a user who is attempting to access a system, and authorization validates the user’s password.
Selected Answer: A
Question #: 617
Topic #: 1
When configuring a WLAN with WPA2 PSK in the Cisco Wireless LAN Controller GUI, which two formats are available to select? (Choose two.)
A. decimal
B. ASCII
C. hexadecimal
D. binary
E. base64
Selected Answer: BC
Question #: 618
Topic #: 1
DRAG DROP –
Drag and drop the AAA functions from the left onto the correct AAA services on the right.
Select and Place:
Suggestion Answer:
Question #: 619
Topic #: 1
An engineer is asked to protect unused ports that are configured in the default VLAN on a switch. Which two steps will fulfill the request? (Choose two.)
A. Configure the ports as trunk ports.
B. Enable the Cisco Discovery Protocol.
C. Configure the port type as access and place in VLAN 99.
D. Administratively shut down the ports.
E. Configure the ports in an EtherChannel.
Selected Answer: CD
Question #: 620
Topic #: 1
An email user has been lured into clicking a link in an email sent by their company’s security organization. The webpage that opens reports that it was safe, but the link may have contained malicious code.
Which type of security program is in place?
A. user awareness
B. brute force attack
C. physical access control
D. social engineering attack
Selected Answer: A
Question #: 621
Topic #: 1
DRAG DROP –
Drag and drop the Cisco Wireless LAN Controller security settings from the left onto the correct security mechanism categories on the right.
Select and Place:
Suggestion Answer:
Question #: 622
Topic #: 1
Which feature on the Cisco Wireless LAN Controller, when enabled, restricts management access from specific networks?
A. TACACS
B. CPU ACL
C. Flex ACL
D. RADIUS
Selected Answer: C
Question #: 623
Topic #: 1
Which set of actions satisfies the requirement for multifactor authentication?
A. The user enters a user name and password, and then re-enters the credentials on a second screen.
B. The user swipes a key fob, then clicks through an email link.
C. The user enters a user name and password, and then clicks a notification in an authentication app on a mobile device.
D. The user enters a PIN into an RSA token, and then enters the displayed RSA key on a login screen.
Selected Answer: C
Question #: 624
Topic #: 1
Which configuration is needed to generate an RSA key for SSH on a router?
A. Configure VTY access.
B. Configure the version of SSH.
C. Assign a DNS domain name.
D. Create a user with a password.
Selected Answer: C
Question #: 625
Topic #: 1
Refer to the exhibit. An extended ACL has been configured and applied to router R2. The configuration failed to work as intended.
Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the 10.0.10.0/26 subnet while still allowing all other traffic? (Choose two.)
A. Add a "permit ip any any" statement at the end of ACL 101 for allowed traffic.
B. Add a "permit ip any any" statement to the beginning of ACL 101 for allowed traffic.
C. The ACL must be moved to the Gi0/1 interface outbound on R2.
D. The source and destination IPs must be swapped in ACL 101.
E. The ACL must be configured on the Gi0/2 interface inbound on R1.
Selected Answer: AD
Question #: 626
Topic #: 1
An engineer must configure a WLAN using the strongest encryption type for WPA2-PSK. Which cipher fulfills the configuration requirement?
A. WEP
B. AES
C. RC4
D. TKIP
Selected Answer: B
Question #: 627
Topic #: 1
DRAG DROP –
Drag and drop the attack-mitigation techniques from the left onto the types of attack that they mitigate on the right.
Select and Place:
Suggestion Answer:
Question #: 628
Topic #: 1
While examining excessive traffic on the network, it is noted that all incoming packets on an interface appear to be allowed even though an IPv4 ACL is applied to the interface. Which two misconfigurations cause this behavior? (Choose two.)
A. The ACL is empty
B. A matching permit statement is too broadly defined
C. The packets fail to match any permit statement
D. A matching deny statement is too high in the access list
E. A matching permit statement is too high in the access list
Selected Answer: BE
Question #: 629
Topic #: 1
The service password-encryption command is entered on a router. What is the effect of this configuration?
A. restricts unauthorized users from viewing clear-text passwords in the running configuration
B. prevents network administrators from configuring clear-text passwords
C. protects the VLAN database from unauthorized PC connections on the switch
D. encrypts the password exchange when a VPN tunnel is established
Selected Answer: B
Question #: 630
Topic #: 1
Which WPA3 enhancement protects against hackers viewing traffic on the Wi-Fi network?
A. SAE encryption
B. TKIP encryption
C. scrambled encryption key
D. AES encryption
Selected Answer: A
Question #: 631
Topic #: 1
Refer to the exhibit. If the network environment is operating normally, which type of device must be connected to interface fastethernet 0/1?
A. DHCP client
B. access point
C. router
D. PC
Selected Answer: C
Question #: 632
Topic #: 1
Refer to the exhibit. An administrator configures four switches for local authentication using passwords that are stored as a cryptographic hash. The four switches must also support SSH access for administrators to manage the network infrastructure. Which switch is configured correctly to meet these requirements?
A. SW1
B. SW2
C. SW3
D. SW4
Selected Answer: C
Question #: 633
Topic #: 1
Refer to the exhibit. What is the effect of this configuration?
A. The switch discards all ingress ARP traffic with invalid MAC-to-IP address bindings.
B. All ARP packets are dropped by the switch.
C. Egress traffic is passed only if the destination is a DHCP server.
D. All ingress and egress traffic is dropped because the interface is untrusted.
Selected Answer: A
Question #: 634
Topic #: 1
When a site-to-site VPN is used, which protocol is responsible for the transport of user data?
A. IPsec
B. IKEv1
C. MD5
D. IKEv2
Selected Answer: A
Question #: 635
Topic #: 1
Which type of wireless encryption is used for WPA2 in preshared key mode?
A. AES-128
B. TKIP with RC4
C. AES-256
D. RC4
Selected Answer: A
Question #: 636
Topic #: 1
What is the difference between an IPv6 link-local address and a unique local address?
A. The scope of an IPv6 link-local address is limited to a directly attached interface, but an IPv6 unique local address is used throughout a company site or network.
B. The scope of an IPv6 link-local address is global, but the scope of an IPv6 unique local address is limited to a loopback address.
C. The scope of an IPv6 link-local address can be used throughout a company site or network, but an IPv6 unique local address is limited to a loopback address.
D. The scope of an IPv6 link-local address is limited to a loopback address, and an IPv6 unique local address is limited to a directly attached interface.
Selected Answer: A
Question #: 637
Topic #: 1
Which command prevents passwords from being stored in the configuration as plain text on a router or switch?
A. enable secret
B. enable password
C. service password-encryption
D. username cisco password encrypt
Selected Answer: C
Question #: 638
Topic #: 1
In which two ways does a password manager reduce the chance of a hacker stealing a user’s password? (Choose two.)
A. It encourages users to create stronger passwords
B. It uses an internal firewall to protect the password repository from unauthorized access
C. It stores the password repository on the local workstation with built-in antivirus and anti-malware functionality
D. It automatically provides a second authentication factor that is unknown to the original user
E. It protects against keystroke logging on a compromised device or web site
Selected Answer: AE
Question #: 639
Topic #: 1
Which goal is achieved by the implementation of private IPv4 addressing on a network?
A. provides an added level of protection against Internet exposure
B. provides a reduction in size of the forwarding table on network routers
C. allows communication across the Internet to other private networks
D. allows servers and workstations to communicate across public network boundaries
Selected Answer: A
Question #: 640
Topic #: 1
Which type of attack is mitigated by dynamic ARP inspection?
A. DDoS
B. malware
C. man-in-the-middle
D. worm
Selected Answer: A
Question #: 641
Topic #: 1
What is a function of a remote access VPN?
A. establishes a secure tunnel between two branch sites
B. uses cryptographic tunneling to protect the privacy of data for multiple users simultaneously
C. used exclusively when a user is connected to a company’s internal network
D. allows the users to access company internal network resources through a secure tunnel
Selected Answer: D
Question #: 642
Topic #: 1
What are two recommendations for protecting network ports from being exploited when located in an office space outside of an IT closet? (Choose two.)
A. enable the PortFast feature on ports
B. configure static ARP entries
C. configure ports to a fixed speed
D. implement port-based authentication
E. shut down unused ports
Selected Answer: BE
Question #: 643
Topic #: 1
Refer to the exhibit. A network administrator must permit SSH access to remotely manage routers in a network. The operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task?
A. access-list 2699 permit udp 10.20.1.0 0.0.0.255
B. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22
C. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22
D. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255
Selected Answer: C
Question #: 644
Topic #: 1
A port security violation has occurred on a switch port due to the maximum MAC address count being exceeded. Which command must be configured to increment the security-violation count and forward an SNMP trap?
A. switchport port-security violation access
B. switchport port-security violation protect
C. switchport port-security violation restrict
D. switchport port-security violation shutdown
Selected Answer: C
Question #: 645
Topic #: 1
What is a practice that protects a network from VLAN hopping attacks?
A. Enable dynamic ARP inspection
B. Configure an ACL to prevent traffic from changing VLANs
C. Change native VLAN to an unused VLAN ID
D. Implement port security on internet-facing VLANs
Selected Answer: C
Question #: 646
Topic #: 1
Where does a switch maintain DHCP snooping information?
A. In the CAM table
B. In the frame forwarding database
C. In the MAC address table
D. In the binding database
Selected Answer: D
Question #: 647
Topic #: 1
A network administrator must configure SSH for remote access to router R1. The requirement is to use a public and private key pair to encrypt management traffic to and from the connecting client. Which configuration, when applied, meets the requirements?
A. R1#enable
   R1#configure terminal
   R1(config)#ip domain-name cisco.com
   R1(config)#crypto key generate ec keysize 1024
B. R1#enable
   R1#configure terminal
   R1(config)#ip domain-name cisco.com
   R1(config)#crypto key generate ec keysize 2048
C. R1#enable
   R1#configure terminal
   R1(config)#ip domain-name cisco.com
   R1(config)#crypto key encrypt rsa name myKey
D. R1#enable
   R1#configure terminal
   R1(config)#ip domain-name cisco.com
   R1(config)#crypto key generate rsa modulus 1024
Selected Answer: D
Question #: 648
Topic #: 1
When a WLAN with WPA2 PSK is configured in the Wireless LAN Controller GUI, which format is supported?
A. decimal
B. ASCII
C. unicode
D. base64
Selected Answer: B
Question #: 649
Topic #: 1
Refer to the exhibit. A network administrator has been tasked with securing VTY access to a router. Which access-list entry accomplishes this task?
A. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq telnet
B. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq scp
C. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq https
D. access-list 101 permit tcp 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 eq ssh
Selected Answer: A
Question #: 650
Topic #: 1
Which two protocols must be disabled to increase security for management connections to a Wireless LAN Controller? (Choose two.)
A. HTTPS
B. SSH
C. HTTP
D. Telnet
E. TFTP
Selected Answer: CD
Question #: 651
Topic #: 1
Which security program element involves installing badge readers on data-center doors to allow workers to enter and exit based on their job roles?
A. physical access control
B. biometrics
C. role-based access control
D. multifactor authentication
Selected Answer: A
Question #: 652
Topic #: 1
Which function is performed by DHCP snooping?
A. listens to multicast traffic for packet forwarding
B. rate-limits certain traffic
C. propagates VLAN information between switches
D. provides DDoS mitigation
Selected Answer: B
Question #: 653
Topic #: 1
DRAG DROP –
An engineer is configuring an encrypted password for the enable command on a router where the local user database has already been configured. Drag and drop the configuration commands from the left into the correct sequence on the right. Not all commands are used.
Select and Place:
Suggestion Answer:
Question #: 654
Topic #: 1
Which protocol is used for secure remote CLI access?
A. Telnet
B. HTTP
C. HTTPS
D. SSH
Selected Answer: D
Question #: 655
Topic #: 1
Which implementation provides the strongest encryption combination for the wireless environment?
A. WEP
B. WPA + TKIP
C. WPA + AES
D. WPA2 + AES
Selected Answer: D
Question #: 656
Topic #: 1
What does physical access control regulate?
A. access to networking equipment and facilities
B. access to servers to prevent malicious activity
C. access to specific networks based on business function
D. access to computer networks and file systems
Selected Answer: A
Question #: 657
Topic #: 1
A network engineer is asked to configure VLANs 2, 3, and 4 for a new implementation. Some ports must be assigned to the new VLANs with unused ports remaining. Which action should be taken for the unused ports?
A. configure in a nondefault native VLAN
B. configure ports in the native VLAN
C. configure ports in a black hole VLAN
D. configure ports as access ports
Selected Answer: C
Question #: 658
Topic #: 1
When a WPA2-PSK WLAN is configured in the Wireless LAN Controller, what is the minimum number of characters that is required in ASCII format?
A. 6
B. 8
C. 12
D. 18
Selected Answer: B
Question #: 659
Topic #: 1
What mechanism carries multicast traffic between remote sites and supports encryption?
A. ISATAP
B. IPsec over ISATAP
C. GRE
D. GRE over IPsec
Selected Answer: D
Question #: 660
Topic #: 1
Refer to the exhibit. An access-list is required to permit traffic from any host on interface Gi0/0 and deny traffic from interface Gi0/1. Which access list must be applied?
A. ip access-list standard 99
   permit 10.100.100.0 0.0.0.255
   deny 192.168.0.0 0.0.255.255
B. ip access-list standard 99
   permit 10.100.100.0 0.0.0.255
   deny 192.168.0.0 0.255.255.255
C. ip access-list standard 199
   permit 10.100.100.0 0.0.0.255
   deny 192.168.0.0 0.255.255.255
D. ip access-list standard 199
   permit 10.100.100.0 0.0.0.255
   deny 192.168.0.0 0.0.255.255
Selected Answer: A