Ensurepass
2017 July Cisco Official New Released 200-125 Q&As
100% Free Download! 100% Pass Guaranteed!
http://www.ensurepass.com/200-125.html

CCNA Routing and Switching v3.0

QUESTION 261

Refer to the exhibit. An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?

 

clip_image001

 

A.

no ip access-class 102 in

B.

no ip access-class 102 out

C.

no ip access-group 102 in

D.

no ip access-group 102 out

E.

no ip access-list 102 in

 

Correct Answer: D

Explanation:

The “ip access-group” is used to apply and ACL to an interface. From the output shown, we know that the ACL is applied to outbound traffic, so “no ip access-group 102 out” will remove the effect of this ACL.

 

 

QUESTION 262

A network administrator needs to configure port security on a switch. Which two statements are true? (Choose two.)

 

A.

The network administrator can apply port security to dynamic access ports.

B.

The network administrator can apply port security to EtherChannels.

C.

When dynamic MAC address learning is enabled on an interface, the switch can learn new addresses, up to the maximum defined.

D.

The sticky learning feature allows the addition of dynamically learned addresses to the running configuration.

E.

The network administrator can configure static secure or sticky secure MAC addresses in the voice VLAN.

 

Correct Answer: CD

Explanation:

Follow these guidelines when configuring port security:

 

clip_image003Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports.

clip_image003[1]A secure port cannot be a dynamic access port.

clip_image003[2]A secure port cannot be a destination port for Switched Port Analyzer (SPAN).

clip_image003[3]A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.

clip_image003[4]You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.

clip_image003[5]When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.

clip_image003[6]If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.

clip_image003[7]When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.

clip_image003[8]The switch does not support port security aging of sticky secure MAC addresses.

clip_image003[9]The protect and restrict options cannot be simultaneously enabled on an interface.

 

Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swtrafc.html

 

 

QUESTION 263

How does using the service password-encryption command on a router provide additional security?

 

A.

by encrypting all passwords passing through the router

B.

by encrypting passwords in the plain text configuration file

C.

by requiring entry of encrypted passwords for access to the device

D.

by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges

E.

by automatically suggesting encrypted passwords for use in configuring the router

 

Correct Answer: B

Explanation:

By using this command, all the (current and future) passwords are encrypted. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

 

 

QUESTION 264

Which Cisco Catalyst feature automatically disables the port in an operational PortFast upon receipt of a BPDU?

 

A.

BackboneFast

B.

UplinkFast

C.

Root Guard

D.

BPDU Guard

E.

BPDU Filter

 

Correct Answer: D

Explanation:

We only enable PortFast feature on access ports (ports connected to end stations). But if someone does not know he can accidentally plug that port to another switch and a loop may occur when BPDUs are being transmitted and received on these ports. With BPDU Guard, when a PortFast receives a BPDU, it will be shut down to prevent a loop.

 

 

QUESTION 265

Which statement about access lists that are applied to an interface is true?

 

A.

You can place as many access lists as you want on any interface.

B.

You can apply only one access list on any interface.

C.

You can configure one access list, per direction, per Layer 3 protocol.

D.

You can apply multiple access lists with the same protocol or in different directions.

 

Correct Answer: C

Explanation:

We can have only 1 access list per protocol, per direction and per interface. It means:

 

clip_image003[10]We cannot have 2 inbound access lists on an interface

clip_image003[11]We can have 1 inbound and 1 outbound access list on an interface

 

 

QUESTION 266

When you are troubleshooting an ACL issue on a router, which command would you use to verify which interfaces are affected by the ACL?

 

A.

show ip access-lists

B.

show access-lists

C.

show interface

D.

show ip interface

E.

list ip interface

 

Correct Answer: D

Explanation:

Incorrect answer:

show ip access-lists does not show interfaces affected by an ACL.

 

 

 

 

 

 

 

 

 

 

 

 

 

QUESTION 267

Refer to the exhibit. A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.)

 

clip_image005

 

A.

Port security needs to be globally enabled.

B.

Port security needs to be enabled on the interface.

C.

Port security needs to be configured to shut down the interface in the event of a violation.

D.

Port security needs to be configured to allow only one learned MAC address.

E.

Port security interface counters need to be cleared before using the show command.

F.

The port security configuration needs to be saved to NVRAM before it can become active.

 

Correct Answer: BD

Explanation:

From the output we can see that port security is disabled so this needs to be enabled. Also, the maximum number of devices is set to 2 so this needs to be just one if we want the single host to have access and nothing else.

 

 

 

 

 

 

 

< span lang="EN-US" style="font-family: ; mso-font-kerning: 0pt; mso-no-proof: yes">QUESTION 268

DRAG DROP

clip_image007

 

Correct Answer:

clip_image009

 

 

QUESTION 269

Which item represents the standard IP ACL?

 

A.

access-list 110 permit ip any any

B.

access-list 50 deny 192.168.1.1 0.0.0.255

C.

access list 101 deny tcp any host 192.168.1.1

D.

access-list 2500 deny tcp any host 192.168.1.1 eq 22

 

Correct Answer: B

Explanation:

The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only access list 50 is a standard access list.

 

 

QUESTION 270

What will be the result if the following configuration commands are implemented on a Cisco switch?

 

Switch(config-if)# switchport port-security

 

Switch(config-if)# switchport port-security mac-address sticky

 

A.

A dynamically learned MAC address is saved in the startup-configuration file.

B.

A dynamically learned MAC address is saved in the running-configuration file.

C.

A dynamically learned MAC address is saved in the VLAN database.

D.

Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.

E.

Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

 

Correct Answer: B

Explanation:

In the interface configuration mode, the command switchport port-security mac-address sticky enables sticky learning. When entering this command, the interface converts all the dynamic secure MAC addresses to sticky secure MAC addresses.

100% Free Download!
—Download Free Demo:200-125 Demo PDF
100% Pass Guaranteed!
Download 2017 Ensurepass 200-125 Full Exam PDF and VCE Q&As:635
—Get 10% off your purchase! Copy it:TJDN-947R-9CCD [2017.07.01-2017.07.31]

Ensurepass ExamCollection Testking
Lowest Price Guarantee Yes No No
Up-to-Dated Yes No No
Real Questions Yes No No
Explanation Yes No No
PDF + VCE Yes No No
Free VCE Simulator Yes No No
Instant Download Yes No No

2017 Ensurepass IT Certification PDF and VCE