Take Assessment - EWAN Final Exam - CCNA Exploration: Accessing

the WAN (Version 4.0)

By: Iron Hide (Sep 2009 and the result is 89)

SSH is unable to pass through NAT.

*There are incorrect access control list entries.

The access list has the incorrect port number for SSH.

The ip helper command is required on S0/0/0 to allow inbound connections.

Wi-Fi

satellite

*WiMAX

Metro Ethernet

VPN link establishment and maintenance is provided by LCP.

DLCI addresses are used to identify each end of the VPN tunnel.

*VPNs use virtual Layer 3 connections that are routed through the
Internet.

Only IP packets can be encapsulated by a VPN for tunneling through the

Internet

*exploits a known vulnerability

attaches to executable programs

masquerades as a legitmate program

lies dormant until triggered by an event, time, or date

All traffic that originates from 192.168.4.0/24 is permitted.

All TCP traffic is permitted, and all other traffic is denied.

All Telnet traffic from the 192.168.0.0/16 network is permitted.

*All traffic from the 192.168.4.0/22 network is permitted on TCP

port 23

use the copy tftp: flash: command

boot the router to bootROM mode and enter the b command to load the IOS
manually

telnet from another router and issue the show running-config command to
view the password

*boot the router to ROM monitor mode and configure the router to
ignore the startup configuration when it initializes

*The commands overwrite the existing Managers ACL.

The commands are added at the end of the existing Managers ACL.

The network administrator receives an error stating that the ACL already
exists.

The commands will create a duplicate Managers ACL containing only the new
commands being entered

*Security options are build into IPv6.

IPv6 addresses require less router overhead to process.

IPv6 can only be configured on an interface that does not have IPv4 on it.

There is no way to translate between IPv4 addresses and IPv6 addresses.

*When enabled on a router, IPv6 can automatically configure link-local IPv6

addresses on all interfaces

Configure DHCP and static NAT.

Configure dynamic NAT for ten users.

Configure static NAT for all ten users.

*Configure dynamic NAT with overload

Traffic that is destined for 10.10.4.1 and 10.10.4.5 will be dropped by the
router.

Traffic will not be routed from clients with addresses between 10.10.4.1 and
10.10.4.5.

*The DHCP server will not issue the addresses ranging from
10.10.4.1 to 10.10.4.5.

The router will ignore all traffic that comes from the DHCP servers with
addresses 10.10.4.1 and 10.10.4.5

The router matches the incoming packet to the statement that is created by
access-list 201 permit ip any any command

and allows the packet into the router.

The router reaches the end of ACL 101 without matching a condition and
drops the packet because there is no statement that was created by access-
list 101 permit ip any any command.

**The router matches the incoming packet to the statement that

was created by the access-list 101 permit ip any

172.16.1.0 0.0.0.255 command, ignores the remaining statements in ACL

101, and allows the packet into the router.

The router matches the incoming packet to the statement that was created
by the access-list 201 deny icmp 172.16.1.0

0.0.0.255 any command, continues comparing the packet to the remaining

statements in ACL 201 to ensure that no

subsequent statements allow FTP, and then the router drops the packet.

when the remote router is a non-Cisco router

when the local router is configured with subinterfaces

**when globally significant rather than locally significant DLCIs are

being used

when the local router and the remote router are using different LMI protocols
proxy ARP

CDP updates

SNMP services

*RIP authentication

checksum

digital certificates

*encapsulation

*encryption
hashing

Disable IP source routing.

Configure passive interfaces.

*Configure routing protocol authentication.

Secure administrative lines with Secure Shell

When IPv4 and IPv6 are configured on the same interface, all IPv4 addresses
are over-written in favor of the newer

technology.

Incorrect IPv4 addresses are entered on the router interfaces.

RIPng is incompatible with dual-stack technology.

*IPv4 is incompatible with RIPng

The username and password are not configured correctly.

The authentication method is not configured correctly.

The HTTP timeout policy is not configured correctly.

*The vtys are not configured correctly.

interface Fa0/0, inbound

interface Fa0/0, outbound

interface Fa0/1, inbound

**interface Fa0/1, outbound

Named ACLs are less efficient than numbered ACLs.

Standard ACLs should be applied closest to the core layer.

ACLs applied to outbound interfaces are the most efficient.

**Extended ACLs should be applied closest to the source that is
specified by the ACL

queuing strategy

**serial cable type

interface IP address

encapsulation method

A CSU/DSU terminates a digital local loop.

A modem terminates a digital local loop.

A CSU/DSU terminates an analog local loop.

*A modem terminates an analog local loop.

*A router is commonly considered a DTE device.

A router is commonly considered a DCE device

The crossover cable is faulty.

The IP addressing is incorrect.

**There is a Layer 2 problem with the router connection.

The upper layers are experiencing an unspecified problem.

One or both of the Ethernet interfaces are not working correctly.

The serial interfaces are in different subnets.

**The RIPng process is not enabled on interfaces.

The RIPng processes do not match between Router1 and Router2.

The RIPng network command is missing from the IPv6 RIP configuration

PPP
SLIP

**HDLC

Frame Relay

Once a good password is created, do not change it.

**Deliberately misspell words when creating passwords.

**Create passwords that are at least 8 characters in length.

**Use combinations of upper case, lower case, and special

characters.

Write passwords in locations that can be easily retrieved to avoid being

locked out.

Use long words found in the dictionary to make passwords that are easy to
remember

protocol type

**source IP address

source MAC address

destination IP address

destination MAC address

Apply the ACL in the inbound direction.

Apply the ACL on the FastEthernet 0/0 interface.

**Reverse the order of the TCP protocol statements in the ACL.

Modify the second entry in the list to permit tcp host 172.16.10.10 any eq
telnet

demilitarized zone (DMZ)

**demarcation point
local loop

cloud

**There is an implicit deny at the end of all access lists.

One access list per port, per protocol, per direction is permitted.

Access list entries should filter in the order from general to specific.

**The term "inbound" refers to traffic that enters the network from
the router interface where the ACL is applied.

Standard ACLs should be applied closest to the source while extended ACLs
should be applied closest to the

access control list

routing protocol

inbound interface

**ARP cache

Traffic is only forwarded from SDM-trusted Cisco routers.

Security testing is performed and the results are saved as a text file stored in
NVRAM.
**The router is tested for potential security problems and any
necessary changes are made.

All traffic entering the router is quarantined and checked for viruses before
being forwarded

**Scheduling will be easy if the network and software teams work

independently.

It will be difficult to isolate the problem if two teams are implementing

changes independently.

Results from changes will be easier to reconcile and document if each team
works in isolation.
Only results from the software package should be tested as the network is
designed to accommodate the proposed

software platform.

DLCI 123

**DLCI 321

10.10.10.25

10.10.10.26

MAC address of the Orlando router

destination

The 10.1.1.225 host is exchanging packets with the 192.168.0.10 host.

The native 10.1.200.254 address is being translated to 192.168.0.10.

**The 192.168.0.0/24 network is the inside network.

Port address translation is in effect

Inverting the subnet mask will always create the wildcard mask.

A wildcard mask identifies a network or subnet bit by using a "1".

The same function is performed by both a wildcard mask and a subnet mask.

**When a "0" is encountered in a wildcard mask, the IP address bit

must be checked

**application

transport

network

data link

antivirus application

operating system patches

**intrusion prevention system

Cisco Adaptive Security Appliance

**Conduct a performance test and compare with the baseline that

was established previously.

Determine performance on the intranet by monitoring load times of company

web pages from remote sites.

Interview departmental administrative assistants and determine if they think

load time for web pages has improved.

Compare the hit counts on the company web server for the current week to
the values that were recorded in previous

weeks.

The PVC to R3 must be point-to-point.

LMI types cannot be different on each end of a PVC.

A single port can only support one encapsulation type.

**The IETF parameter is missing from the frame-relay map ip

192.168.1.3 203 command
The source addresses are not correctly designated.

**The translated address pool is not correctly sized.

The access-list command is referencing the wrong addresses.

The wrong interface is designated as the source for translations

The clock rate is incorrect.

**The usernames are misconfigured.

The IP addresses are on different subnets.

The clock rate is configured on the wrong end of the link

10.1.1.2:80

10.1.1.2:1234

172.30.20.1:1234

**172.30.20.1:3333

application

transport

network

**data link

physical

EAP

**CHAP

IPCP

CDPCP

**stacker
PPP with PAP

**PPP with CHAP

HDLC with PAP

HDLC with CHAP

The address 192.168.3.17 address is already in use by Fa0/0.

**The pool of addresses for the 192Network pool is configured

incorrectly.
The ip helper-address command should be used on the Fa0/0 interface.

The 192.168.3.17 address has not been excluded from the 192Network pool.

Company 1 only uses microfilters at branch locations.

Company 1 has a lower volume of POTS traffic than company 2 has.

**Company 2 is located farther from the service provider than

company 1 is.

Company 2 shares the connection to the DSLAM with more clients than
company 1 shares with

a new WAN service supporting only IPv6

NAT overload to map inside IPv6 addresses to outside IPv4 address

**a manually configured IPv6 tunnel between the edge routers R1

and R2

static NAT to map inside IPv6 addresses of the servers to an outside IPv4
address and dynamic NAT for the rest of

the inside IPv6 addresses

improper LMI type

interface reset
**PPP negotiation failure

unplugged cable

**PAP uses a two-way handshake.

The password is unique and random.

PAP conducts periodic password challenges.

PAP uses MD5 hashing to keep the password secure.

**The bandwidth has been set to the value of a T1 line.

This interface should be configured for PPP encapsulation.

**There is no failure indicated in an OSI Layer 1 or Layer 2.

The physical connection between the two routers has failed.

The IP address of S0/0/0 is invalid, given the subnet mask being used

**Check that R1 has a route to the 10.10.10.0 network.

Verify that the TFTP server software supports binary file transfers.

Make sure that the TFTP server has 192.168.1.1 as its default gateway.

Ensure that the laptop has an IP address in the 192.168.1.0/24 network.