Implementing Cisco IP Routing (ROUTE v2.0)


QUESTION 51

Which three characteristics are shared by subinterfaces and associated EVNs? (Choose three.)

A. IP address
B. routing table
C. forwarding table
D. access control lists
E. NetFlow configuration

Correct Answer: ABC

Explanation:

A trunk interface can carry traffic for multiple EVNs. To simplify the configuration process, all the subinterfaces and associated EVNs have the same IP address assigned. In other words, the trunk interface is identified by the same IP address in different EVN contexts. This is accomplished as a result of each EVN having a unique routing and forwarding table, thereby enabling support for overlapping IP addresses across multiple EVNs.

Reference:

http://www.cisco.com/en/US/docs/ios-xml/ios/evn/configuration/xe-3sg/evn-overview.pdf


QUESTION 52

A user is having issues accessing file shares on a network. The network engineer advises the user to open a web browser, input a prescribed IP address, and follow the instructions. After doing this, the user is able to access company shares. Which type of remote access did the engineer enable?

A. EZVPN
B. IPsec VPN client access
C. VPDN client access
D. SSL VPN client access

Correct Answer: D

Explanation:

The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. Without a previously installed client, remote users enter the IP address in their browser of an interface configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.

After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.

Reference:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100936-asa8x-split-tunnel-anyconnect-config.html


QUESTION 53

Which Cisco IOS VPN technology leverages IPsec, mGRE, dynamic routing protocol, NHRP, and Cisco Express Forwarding?

A. FlexVPN
B. DMVPN
C. GETVPN
D. Cisco Easy VPN

Correct Answer: B

Explanation:

Dynamic Multipoint Virtual Private Network (DMVPN) is a dynamic tunneling form of a virtual private network (VPN) supported on Cisco IOS-based routers and Unix-like operating systems, based on the standard protocols GRE, NHRP and IPsec. DMVPN provides the capability for creating a dynamic-mesh VPN network without having to pre-configure (statically) all possible tunnel end-point peers, including IPsec (Internet Protocol Security) and ISAKMP (Internet Security Association and Key Management Protocol) peers. DMVPN is initially configured to build out a hub-and-spoke network by statically configuring the hubs (VPN headends) on the spokes; no change in the configuration on the hub is required to accept new spokes. Using this initial hub-and-spoke network, tunnels between spokes can be dynamically built on demand (dynamic-mesh) without additional configuration on the hubs or spokes. This dynamic-mesh capability removes the need for the hub to carry the load of routing data between the spoke networks.

DMVPN is a combination of the following technologies:

Reference:

http://en.wikipedia.org/wiki/Dynamic_Multipoint_Virtual_Private_Network


QUESTION 54

Which traffic does the following configuration allow?

ipv6 access-list cisco
 permit ipv6 host 2001:DB8:0:4::32 any eq ssh
line vty 0 4
 ipv6 access-class cisco in

A. all traffic to vty 0 4 from source 2001:DB8:0:4::32
B. only ssh traffic to vty 0 4 from source all
C. only ssh traffic to vty 0 4 from source 2001:DB8:0:4::32
D. all traffic to vty 0 4 from source all

Correct Answer: C

Explanation:

Here we see that the IPv6 access list called “cisco” is applied with the access-class command to incoming VTY connections to the router. The IPv6 access list has just one entry, which permits only the single IPv6 address 2001:DB8:0:4::32, and only when the destination port is SSH (eq ssh); every other source or protocol is dropped by the implicit deny at the end of the list.


QUESTION 55

For troubleshooting purposes, which method can you use in combination with the “debug ip packet” command to limit the amount of output data?

A. You can disable the IP route cache globally.
B. You can use the KRON scheduler.
C. You can use an extended access list.
D. You can use an IOS parser.
E. You can use the RITE traffic exporter.

Correct Answer: C

Explanation:

The debug ip packet command generates a substantial amount of output and consumes a substantial amount of system resources, so it should be used with caution in production networks. Always combine it with an extended access list (debug ip packet <acl-number>) so that only the packets matching the ACL are reported.

Reference:

http://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html


QUESTION 56

Refer to the following access list.

access-list 100 permit ip any any log

After applying the access list on a Cisco router, the network engineer notices that the router CPU utilization has risen to 99 percent. What is the reason for this?

A. A packet that matches access-list with the “log” keyword is Cisco Express Forwarding switched.
B. A packet that matches access-list with the “log” keyword is fast switched.
C. A packet that matches access-list with the “log” keyword is process switched.
D. A large amount of IP traffic is being permitted on the router.

Correct Answer: C

Explanation:

Logging-enabled access control lists (ACLs) provide insight into traffic as it traverses the network or is dropped by network devices. Unfortunately, ACL logging can be CPU intensive and can negatively affect other functions of the network device. There are two primary factors that contribute to the CPU load increase from ACL logging: process switching of packets that match log-enabled access control entries (ACEs) and the generation and transmission of log messages.

Reference:

http://www.cisco.com/web/about/security/intelligence/acl-logging.html#4


QUESTION 57

Which address is used by the Unicast Reverse Path Forwarding protocol to validate a packet against the routing table?

A. source address
B. destination address
C. router interface
D. default gateway

Correct Answer: A

Explanation:

The Unicast RPF feature helps to mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address. For example, a number of common types of denial-of-service (DoS) attacks, including Smurf and Tribal Flood Network (TFN), can take advantage of forged or rapidly changing source IP addresses to allow attackers to thwart efforts to locate or filter the attacks. For Internet service providers (ISPs) that provide public access, Unicast RPF deflects such attacks by forwarding only packets that have source addresses that are valid and consistent with the IP routing table. This action protects the network of the ISP, its customer, and the rest of the Internet.

Reference:

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfrpf.html


QUESTION 58

What are the three modes of Unicast Reverse Path Forwarding?

A. strict mode, loose mode, and VRF mode
B. strict mode, loose mode, and broadcast mode
C. strict mode, broadcast mode, and VRF mode
D. broadcast mode, loose mode, and VRF mode

Correct Answer: A

Explanation:

Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode. Note that not all network devices support all three modes of operation. Unicast RPF in VRF mode will not be covered in this document.

When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet. Unicast RPF configured in strict mode may drop legitimate traffic that is received on an interface that was not the router’s choice for sending return traffic. Dropping this legitimate traffic could occur when asymmetric routing paths are present in the network.

When administrators use Unicast RPF in loose mode, the source address must appear in the routing table. Administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process. Additionally, a packet that contains a source address for which the return route points to the Null 0 interface will be dropped. An access list may also be specified that permits or denies certain source addresses in Unicast RPF loose mode.

Care must be taken to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic. Although asymmetric traffic flows may be of concern when deploying this feature, Unicast RPF loose mode is a scalable option for networks that contain asymmetric routing paths.

Reference:

http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
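To make the strict/loose distinction and the asymmetric-routing caveat concrete, here is an added Python model of the uRPF decision (example code, not from the page or from Cisco). The routing table, interface names and the way allow-default and Null0 routes are handled are constructed assumptions for the demo.

```python
import ipaddress

# Constructed sample routing table for the demo (not from the page):
# (prefix, egress interface). A prefix pointing to Null0 is a blackhole route.
ROUTING_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),
    (ipaddress.ip_network("192.0.2.0/24"), "Gi0/2"),
    (ipaddress.ip_network("198.51.100.0/24"), "Null0"),
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),  # default route
]


def lookup_route(src):
    """Longest-prefix match of a source address; returns (prefix, interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in ROUTING_TABLE if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_passes(src, ingress, mode, allow_default=False):
    """Model the Unicast RPF decision for a packet with source `src`
    arriving on `ingress`. Returns True when the router would forward it."""
    route = lookup_route(src)
    if route is None:
        return False                      # no return route at all: drop
    net, ifc = route
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches: drop
    if ifc == "Null0":
        return False                      # return route is a blackhole: drop
    if mode == "loose":
        return True                       # loose: any usable route suffices
    if mode == "strict":
        return ifc == ingress             # strict: must be the return interface
    raise ValueError("unknown uRPF mode: " + mode)


if __name__ == "__main__":
    # Asymmetric path: 10.1.5.5 is reachable via Gi0/1 but arrives on Gi0/2.
    print("strict, asymmetric:", urpf_passes("10.1.5.5", "Gi0/2", "strict"))   # False
    print("loose,  asymmetric:", urpf_passes("10.1.5.5", "Gi0/2", "loose"))    # True
    # Spoofed source with no specific route: dropped unless allow-default.
    print("loose, default only:", urpf_passes("203.0.113.9", "Gi0/0", "loose"))  # False
    print("loose, allow-default:", urpf_passes("203.0.113.9", "Gi0/0", "loose", True))  # True
```

The asymmetric case is the legitimate traffic strict mode drops and loose mode keeps; the Null0 case shows why a blackhole route combines well with loose mode.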


QUESTION 59

What does the following access list, which is applied on the external interface FastEthernet 1/0 of the perimeter router, accomplish?

router(config)#access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
router(config)#access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
router(config)#access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
router(config)#access-list 101 permit ip any any
router(config)#interface fastEthernet 1/0
router(config-if)#ip access-group 101 in

A. It prevents incoming traffic from IP address ranges 10.0.0.0-10.0.0.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255 and logs any intrusion attempts.
B. It prevents the internal network from being used in spoofed denial of service attacks and logs any exit to the Internet.
C. It filters incoming traffic from private addresses in order to prevent spoofing and logs any intrusion attempts.
D. It prevents private internal addresses to be accessed directly from outside.

Correct Answer: C

Explanation:

The private IP address ranges defined in RFC 1918 are as follows:

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

These IP addresses should never be accepted from external networks into a corporate network, since a packet with such a source could only arrive from the outside through a routing problem or because its source address was spoofed. This ACL prevents all packets with a spoofed private source IP address from entering the network, while the final permit statement still allows all other inbound traffic. The log keyword also records each such intrusion attempt, and the wildcard masks cover the full RFC 1918 blocks (0.255.255.255 matches all of 10.0.0.0/8, 0.15.255.255 matches 172.16.0.0/12).
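To check the wildcard arithmetic behind this answer, here is an added Python evaluator (example code, not from the page or from Cisco) that parses the four access-list lines above and applies first-match semantics with the implicit deny. The sample source and destination addresses are constructed for the demo.

```python
import ipaddress

# The ingress filter from the question, with the CLI prompts stripped.
ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 permit ip any any
"""

def parse_spec(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tok[i:i + 2])
    return (base, wild), i + 2

def spec_matches(spec, addr):
    """Wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec is None:
        return True
    base, wild = spec
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & (0xFFFFFFFF ^ wild)) == 0

def parse_acl(text):
    """Parse extended 'ip' ACEs into dicts, preserving configured order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[3] != "ip":
            raise ValueError("unsupported ACE: " + line)
        src, i = parse_spec(tok, 4)
        dst, i = parse_spec(tok, i)
        aces.append({"action": tok[2], "src": src, "dst": dst, "log": "log" in tok[i:]})
    return aces

def evaluate(aces, src, dst):
    """First match wins; the implicit deny at the end catches everything else.
    Returns (action, logged)."""
    for ace in aces:
        if spec_matches(ace["src"], src) and spec_matches(ace["dst"], dst):
            return ace["action"], ace["log"]
    return "deny", False

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    for src in ("10.200.1.1", "172.31.9.9", "172.32.0.1", "198.51.100.5"):
        print(src, "->", evaluate(acl, src, "203.0.113.1"))
```

Running it shows 10.200.1.1 is denied (so option A's 10.0.0.0-10.0.0.255 range is too narrow) and that 172.32.0.1 falls just outside 172.16.0.0/12 and is permitted.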


QUESTION 60

Refer to the following command:

router(config)# ip http secure-port 4433

Which statement is true?

A. The router will listen on port 4433 for HTTPS traffic.
B. The router will listen on port 4433 for HTTP traffic.
C. The router will never accept any HTTP and HTTPS traffic.
D. The router will listen to HTTP and HTTP traffic on port 4433.

Correct Answer: A

Explanation:

To set the secure HTTP (HTTPS) server port number for listening, use the ip http secure-port command in global configuration mode. To return the HTTPS server port number to the default, use the no form of this command.

ip http secure-port port-number
no ip http secure-port

Syntax Description:

port-number: Integer in the range of 0 to 65535 is accepted, but the port number must be higher than 1024 unless the default is used. The default is 443.

Reference:

http://www.cisco.com/en/US/docs/ios-xml/ios/https/command/nm-https-cr-cl-sh.html#wp3612805529
