Question 1

Drag drop the descriptions from the left on to the correct configuration-management technologies
on the right.

Answer:

Ansible:
+ uses SSH for remote device communication
+ uses YAML for fundamental configuration elements

Chef:
+ uses Ruby for fundamental configuration elements
+ uses TCP port 10002 for configuration push jobs

Puppet:
+ fundamental configuration elements are stored in a manifest
+ uses TCP 8140 for communication

Explanation

The focus of Ansible is to be streamlined and fast, and to require no node agent installation. Thus,
Ansible performs all functions over SSH. Ansible is built on Python, in contrast to the Ruby
foundation of Puppet and Chef.

TCP port 10002 is the command port. It may be configured in the Chef Push Jobs configuration file
. This port allows Chef Push Jobs clients to communicate with the Chef Push Jobs server.

Puppet is an open-source configuration management solution, which is built with Ruby and offers
custom Domain Specific Language (DSL) and Embedded Ruby (ERB) templates to create custom
Puppet language files, offering a declarative-paradigm programming approach.

A Puppet piece of code is called a manifest, and is a file with .pp extension.

Question 2

Drag and drop the description of file-transfer protocols from the left onto the correct protocols on
the right.
 

Answer:

FTP:
+ uses TCP
+ uses ports 20 and 21
+ provides reliability when loading an IOS image upon boot up

TFTP:
+ does not require user authentication
+ uses UDP
+ uses port 69

Question 3

Drag and drop the WLAN components from the left onto the correct descriptions on the right.

Answer:

+ device that manages access points: wireless LAN controller

+ device that provides Wi-Fi devices with a connection to a wired network: access point
+ used for out of band management of a WLC: service port
+ used to support mobility management of the WLC: virtual interface
+ applied to the WLAN for wireless client communication: dynamic interface

Explanation

The service port can be used management purposes, primarily for out-of-band management.

However, AP management traffic is not possible across the service port. In most cases, the service
port is used as a “last resort” means of accessing the controller GUI for management purposes.
For example, in the case where the system distribution ports on the controller are down or their
communication to the wired network is otherwise degraded.

A dynamic interface with the Dynamic AP Management option enabled is used as the tunnel
source for packets from the controller to the access point and as the destination for CAPWAP
packets from the access point to the controller.

The virtual interface is used to support mobility management, Dynamic Host Configuration

Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication. It also
maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify
the source of certificates when Layer 3 web authorization is enabled.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-
guide/b_cg85/ports_and_interfaces.html

Question 4

Drag and drop the functions from the left onto the correct network components on the right.

Answer:

DHCP Server:
+ holds the TCP/IP settings to be distributed to the clients
+ assigns a default gateway to a client
+ assigns IP addresses to enabled clients

DNS Server:
+ resolves web URLs to IP addresses
+ stores a list of IP addresses mapped to names

Question 5

Drag and drop the networking parameters from the left on to the correct values on the right.
 

Answer:

Connection Oriented:
+ SMTP
+ SSH
+ FTP

Connectionless:
+ SNMP
+ TFTP
+ VoIP

Explanation

SSH uses TCP port 22 while SNMP uses UDP port 161 and 162.

Question 6

Drag the OSPF parameters to the correct places on the right.

 
Answer:

must be unique:
+ IP address
+ router ID

must match:
+ area ID
+ timers
+ netmask

Question 7

Drag and drop the AAA functions from the left onto the correct AAA services on the right.

Answer:

Authentication:
+ identifies the user
+ verifies the password associated with a user

Authorization:
+ restricts the services that are available to a user
+ controls the actions that a user can perform

Accounting:
+ records user activities
+ provides analytical information for the network administrator

Question 8

Drag and drop the application protocols from the left onto the suitable transport protocols on the
right.
 

Answer:

TCP:
+ SMTP
+ FTP
+ SSH

UDP:
+ SNMP
+ DHCP
+ TFTP

Question 9

Drag and drop the IPv4 network subnets from the left onto the correct usable host ranges on the
right.

Answer:

+ 172.28.228.144/18: 172.28.192.1 – 172.28.255.254

+ 172.28.228.144/21: 172.28.224.1 – 172.28.231.254
+ 172.28.228.144/23: 172.28.228.1 – 172.28.229.254
+ 172.28.228.144/25: 172.28.228.129 – 172.28.228.254
+ 172.28.228.144/29: 172.28.228.145 – 172.28.228.150
Explanation

This subnet question requires us to grasp how to subnet very well. To quickly find out the subnet
range, we have to find out the increment and the network address of each subnet. Let’s take an
example with the subnet 172.28.228.144/18:

From the /18 (= 1100 0000 in the 3rd octet), we find out the increment is 64. Therefore the
network address of this subnet must be the greatest multiple of the increment but not greater
than the value in the 3rd octet (228). We can find out the 3rd octet of the network address is 192
(because 192 = 64 * 3 and 192 < 228) -> The network address is 172.28.192.0. So the first
usable host should be 172.28.192.1 and it matches with the 5th answer on the right. In this case
we don’t need to calculate the broadcast address because we found the correct answer.

Let’s take another example with subnet 172.28.228.144/23 -> The increment is 2 (as /23 = 1111
1110 in 3rd octet) -> The 3rd octet of the network address is 228 (because 228 is the multiply of
2 and equal to the 3rd octet) -> The network address is 172.28.228.0 -> The first usable host is
172.28.228.1. It is not necessary but if we want to find out the broadcast address of this subnet,
we can find out the next network address, which is 172.28.(228 + the increment number).0 or
172.28.230.0 then reduce 1 bit -> 172.28.229.255 is the broadcast address of our subnet.
Therefore the last usable host is 172.28.229.254.

If you are still unclear about how to do subnetting quickly, please read part 3 of our “Subnetting
Tutorial – Subnetting Made Easy” at https://www.9tut.com/subnetting-tutorial/3

Question 10

Drag and drop the Cisco Wireless LAN Controller security settings from the left onto the correct
security mechanism categories on the right.

Answer:

Layer 2 Security Mechanism:

+ WPA+WPA2
+ 802.1X

Layer 3 Security Mechanisms (for WLAN):

+ web policy
+ Passthrough

Explanation

Layer 2 Security Mechanism includes WPA+WPA2, 802.1X, Static WEP, CKIP while Layer 3 Security
Mechanisms (for WLAN) includes IPSec, VPN Pass-Through, Web Passthrough …

Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-
controllers/106082-wlc-compatibility-matrix.html

Question 11
Drag and Drop the benefits of a Cisco Wireless LAN Controller from the left onto the correct
examples on the right

Answer:

+ Dynamic RF Feature: Access points auto adjust signal strength

+ Easy Deployment Process: Controller provides centralized management of users and VLANs
+ Optimized user performance: Controller uses loadbalancing to maximize throughput
+ Easy upgrade process: Controller image auto deployed to access Points

Question 12

Drag and drop the threat-mitigation techniques from the left onto the types of threat or attack
they mitigate on the right.

Answer:

+ 802.1q double tagging: Configure VACL

+ ARP spoofing: Configure dynamic ARP inspection
+ unwanted superior BPDUs: Configure root guard
+ unwanted BPDUs on PortFast-enabled interfaces: Configure BPDU guard

Explanation

Double-Tagging attack:

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag
matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the
VLAN of a host it wants to attack (VLAN 20).
When the packet from the attacker reaches Switch A, Switch A only sees the first VLAN 10 and it
matches with its native VLAN 10 so this VLAN tag is removed. Switch A forwards the frame out all
links with the same native VLAN 10. Switch B receives the frame with an tag of VLAN 20 so it
removes this tag and forwards out to the Victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the
attacker.

To mitigate this type of attack, you can use VLAN access control lists (VACLs, which applies to all
traffic within a VLAN. We can use VACL to drop attacker traffic to specific victims/servers) or
implement Private VLANs.

ARP attack (like ARP poisoning/spoofing) is a type of attack in which a malicious actor sends
falsified ARP messages over a local area network as ARP allows a gratuitous reply from a host even
if an ARP request was not received. This results in the linking of an attacker’s MAC address with
the IP address of a legitimate computer or server on the network. This is an attack based on ARP
which is at Layer 2. Dynamic ARP inspection (DAI) is a security feature that validates ARP packets
in a network which can be used to mitigate this type of attack.

Question 13

Refer to the exhibit.

[root#HostTime=]#ip route
default via 192.168.1.193 dev eth1 proto static
192.168.1.0/26 dev sth1 proto kernel scope link src 192.168.1.200 metric 1

[root#HostTime=]#ip addr show eth1

eth1:mtu 1500 qdisc pfifo_fast qlan 1000
link/ether 00:0C:22:83:79:A3 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.200/26 hrd 192.168.1.255 scope global eth1
inet6 fe80::20c::29ff:fe89:79b3/64 scope link
valid_lft forever preferred_lft forever

Drag and drop the networking parameters from the left onto the correct values on the right.

Answer:

+ 00:0C:22: NIC vendor OUI

+ 00:0C:22:83:79:A3: NIC MAC address
+ 192.168.1.193: default gateway
+ 192.168.1.200: host IP address
+ 255.255.255.192: subnet mask

Explanation
The “ip route” and “ip addr show eth1” are Linux commands.
+ “ip route”: display the routing table
+ “ip addr show eth1”: get depth information (only on eth1 interface) about your network
interfaces like IP Address, MAC Address information

Question 14

Drag and drop the descriptions of IP protocol transmissions from the left onto the correct IP traffic
types on the right.

Answer:

TCP:
+ Sends Transmission in Sequence
+ Uses a lower transmission rate to ensure reliability
+ Transmits packet as stream

UDP:
+ Transmits packets individually
+ Uses higher transmission rate to support latency-sensitive apps
+ Transmissions include an 8-byte header

Explanation

UDP is a simpler message-based connectionless protocol. In connectionless protocols, there is no

effort made to setup a dedicated end-to-end connection.

Datagrams – Packets are sent individually and are guaranteed to be whole if they arrive.
Packets have definite bounds and no split or merge into data streams may exist.

According to https://community.cisco.com/t5/networking-documents/udp/ta-p/3114870

Question 1

Refer to the exhibit. Drag and drop the routing table components on the left onto the
corresponding letter from the exhibit on the right. Not all options are used.
Answer:

A: route source
B: administrative distance
C: metric
D: timestamp
E: outbound interface

Question 2

Drag and drop each broadcast IP address on the left to the Broadcast Address column on the right.
Not all options are used.

Answer:

+ 10.63.255.255/10
+ 172.16.255.39/29
+ 172.20.255.255/16
+ 192.168.255.127/25

Question 3

An interface has been configured with the access list that is shown below.
access-list 107 deny tcp 207.16.12.0.0.0.3.255 any eq
http
access-list 107 permit ip any any

On the basis of that access list, drag each information packet on the left to the appropriate
category on the right.

Answer:

Permitted:
+ source IP: 207.16.32.14,
destination application: http
+ source IP: 207.16.15.9,
destination port: 23
+ source IP: 207.16.16.14,
destination port: 53

Denied:
+ source IP: 207.16.14.7,
destination port: 80
+ source IP: 207.16.13.14,
destination application: http

Explanation

From the ACL:

access-list 107 deny tcp 207.16.12.0.0.0.3.255 any eq http

access-list 107 permit ip any any
We can deduce it block all source hosts in 207.16.12.0/22 range (which ranges from 207.16.12.0
to 207.16.15.255) via HTTP (port 80) while permit any other hosts.

Question 4

Order the DHCP message types as they would occur between a DHCP client and a DHCP server.
 

Answer:

+ First: DHCPDISCOVER
+ Second: DHCPOFFER
+ Third: DHCPREQUEST
+ Fourth: DHCPACK

Explanation

There are four messages sent between the DHCP Client and DHCP Server: DHCPDISCOVER,
DHCPOFFER, DHCPREQUEST and DHCPACKNOWLEDGEMENT. This process is often abbreviated
as DORA (for Discover, Offer, Request, Acknowledgement).

Question 5

Drag each route source from the left to the numbers on the right. Beginning with the lowest and
ending with the highest administrative distance.

Answer:

1: connected
2: static
3: EBGP
4: EIGRP
5 :OSPF
6: RIP

Explanation

1: connected (AD = 0)
2: static (AD = 1)
3: EBGP (AD = 20)
4: EIGRP (AD = 90)
5 :OSPF (AD = 110)
6: RIP (AD = 120)

Question 6

Drag and drop to the characteristics of networking from the left onto the correct networking types
on the right.

Answer:

Controller-Based Networking:
+ focused on network
+ user input is a policy
+ uses white list security model

Traditional Networking:
+ focused on devices
+ user input is a configuration
+ uses black list security model

Explanation

Traditional Networking uses black list model because all traffic is allowed to pass through initially
until we configure an ACL, prefix-list… This model is more lenient, because if no application
knowledge exists, the default network configuration will let everything through. From a security
perspective, it is very dangerous though – every time you allow a protocol that the application
does not need, you are unnecessarily increasing your attack surface, and therefore compromising
the overall application security.

In Controller-Based Networking, everything is denied by default until we explicitly allow them by a

white list.

Question 7

Drag and drop the attack-mitigation techniques from the left onto the types of attack that they
mitigate on the right.
 

Answer:

+ 802.1q double-tagging VLAN-hopping attack: configure the native VLAN with a nondefault VLAN
ID
+ MAC flooding attack: configure 802.1x authenticate
+ man-in-the-middle spoofing attack: configure DHCP snooping
+ switch-spoofing VLAN-hopping attack: disable DTP

Explanation

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking
device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN
hopping can be accomplished by switch spoofing or double tagging.

a. Switch spoofing:

The attacker can connect an unauthorized Cisco switch to a Company switch port. The
unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the
attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through
the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco Switch, the attacker can use a software to create and send DTP frames).

To mitigate this type of attack, we can disable DTP.

b. Double-Tagging attack:

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag
matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the
VLAN of a host it wants to attack (VLAN 20).
When the packet from the attacker reaches Switch A, Switch A only sees the first VLAN 10 and it
matches with its native VLAN 10 so this VLAN tag is removed. Switch A forwards the frame out all
links with the same native VLAN 10. Switch B receives the frame with an tag of VLAN 20 so it
removes this tag and forwards out to the Victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the
attacker.

To mitigate this type of attack, we can use VLAN access control lists (VACLs, which applies to all
traffic within a VLAN. We can use VACL to drop attacker traffic to specific victims/servers) or
implement Private VLANs.

Question 8

Match the functions to the corresponding layers. (Not all options are used)

Answer:

Access layer:
+ provides network access to the user
+ represents the network edge

Distribution layer:
+ implements network access policy
+ establishes Layer 3 routing boundaries

Core layer:
+ provides high-speed backbone connectivity
+ functions as an aggregator for all the campus blocks

Explanation

A typical enterprise hierarchical LAN campus network design includes the following three layers:
+ Access layer: Provides workgroup/user access to the network
+ Distribution layer: Provides policy-based connectivity and controls the boundary between the
access and core layers
+ Core layer: Provides fast transport between distribution switches within the enterprise campus

Reference: https://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4

Question 9
Drag the descriptions of device management from the left onto the types of device management
on the right.

Answer:

Cisco DNA Center Device Management:

+ monitors the cloud for software updates
+ uses CLI templates to apply a consistent configuration to multiple devices at an individual
location
+ uses NetFlow to analyze potential security threats throughout the network and take appropriate
action on that traffic

Traditional Device Management:

+ manages device configurations on a per-device basis
+ security is managed near the perimeter of the network with firewalls, VPNs and IPS
+ implements changes via an SSH terminal

Question 10

An engineer is tasked with verifying network configuration parameters on a client workstation to

report back to the team lead. Drag and drop the node identifiers from the left onto the network
parameters on the right.
 

Answer:

+ broadcast address: 192.168.1.255

+ default gateway: 192.168.1.1
+ host IP address: 192.168.1.20
+ MAC address: B8-76-3F-7C-57-DF
+ last assignable IP address in the subnet: 192.168.1.254

Explanation

In the output above, three lines under “Link-local IPv6 Address” line have been blacked out so we
have to figure out what they are. They are the IP address of the Wireless card and the Default
gateway of this computer.
Question 1

Drag the IPv6 DNS record types from the left onto the description on the right.

Answer:

+ correlates a domain with its authoritative name servers: NS

+ associates the domain serial number with its owner: SOA
+ aliases one name to another: CNAME
+ supports reverse name lookups: PTR
+ correlates a host name with an IP address:  AAAA

Explanation

An AAAA record maps a domain name to the IP address (Version 6) of the computer hosting the
domain. An AAAA record is used to find the IP address of a computer connected to the internet
from a name. The AAAA record is conceptually similar to the A record, but it allows you to specify
the IPv6 address of the server, rather than the IPv4. An example of AAAA is the ‘www’ of 9tut.com
is pointed to 2001:0db8:aaaa:bbbb:cccc:dddd:eeee:ffff.

NS (name server) looks like a website URL, but instead of linking to a website, they link to the
domain names authoritative nameservers. An example of a NS is ‘ns1.9tut.com’.

The Canonical Name record (CNAME) tells anyone visiting that subdomain to use the same DNS
records as another domain / subdomain. If you are already using an A or AAAA record for a
subdomain you wouldn’t use a CNAME. CNAME records must always point to another domain /
subdomain, never directly to an IP address. For example, we can configure the CNAME of
www.9tut.com points to 9tut.com so that they use the same IP address.

As opposed to forward DNS resolution (A and AAAA DNS records), the Reverse-lookup Pointer
(PTR) record is used to look up domain names based on an IP address.

An SOA record or start of authority record specifies the DNS server providing authoritative
information about an Internet domain, the email of the domain administrator, the domain serial
number, and several timers relating to refreshing the zone.

An example of a SOA record is shown below.

; name TTL class rr Nameserver email-address

mydomain.com. 14400 IN SOA ns.mynameserver.com. root.ns.mynameserver.com. (
2004123001 ; Serial number
86000 ; Refresh rate in seconds
7200 ; Update Retry in seconds
3600000 ; Expiry in seconds
600 ; minimum in seconds )
name – mydomain.com is the main name in this zone.

TTL – 14400 – TTL defines the duration in seconds that the record may be cached by client side
programs. If it is set as 0, it indicates that the record should not be cached. The range is defined
to be between 0 to 2147483647 (close to 68 years !) .

Class – IN – The class shows the type of record. IN equates to Internet. Other options are all
historic. So as long as your DNS is on the Internet or Intranet, you must use IN.

Nameserver – ns.nameserver.com. – The nameserver is the server which holds the zone files. It
can be either an external server in which case, the entire domain name must be specified followed
by a dot. In case it is defined in this zone file, then it can be written as “ns” .
Email address – root.ns.nameserver.com. – This is the email of the domain name administrator.
Now, this is really confusing, because people expect an @ to be in an email address. However in
this case, email is sent to [email protected], but written as root.ns.nameserver.com . And
yes, remember to put the dot behind the domain name.

Serial number – 2004123001 – This is a sort of a revision numbering system to show the
changes made to the DNS Zone. This number has to increment , whenever any change is made to
the Zone file. The standard convention is to use the date of update YYYYMMDDnn, where nn is a
revision number in case more than one updates are done in a day. So if the first update done
today would be 2005301200 and second update would be 2005301201.

Refresh – 86000 – This is time(in seconds) when the slave DNS server will refresh from the
master. This value represents how often a secondary will poll the primary server to see if the serial
number for the zone has increased (so it knows to request a new copy of the data for the zone). It
can be written as “23h88M” indicating 23 hours and 88 minutes. If you have a regular Internet
server, you can keep it between 6 to 24 hours.

Retry – 7200 – Now assume that a slave tried to contact the master server and failed to contact it
because it was down. The Retry value (time in seconds) will tell it when to get back. This value is
not very important and can be a fraction of the refresh value.

Expiry – 3600000 – This is the time (in seconds) that a slave server will keep a cached zone file
as valid, if it can’t contact the primary server. If this value were set to say 2 weeks ( in seconds),
what it means is that a slave would still be able to give out domain information from its cached
zone file for 2 weeks, without anyone knowing the difference. The recommended value is between
2 to 4 weeks.

Minimum – 600 – This is the default time(in seconds) that the slave servers should cache the
Zone file. This is the most important time field in the SOA Record. If your DNS information keeps
changing, keep it down to a day or less. Otherwise if your DNS record doesn’t change regularly,
step it up between 1 to 5 days. The benefit of keeping this value high, is that your website speeds
increase drastically as a result of reduced lookups. Caching servers around the globe would cache
your records and this improves site performance.

Question 2

Drag and drop the SNMP components from the left onto the descriptions on the right.

 
Answer:

+ unsolicited message: SNMP trap

+ responds to status requests and requests for information about a device: SNMP agent
+ collection of variables that can be monitored: MIB
+ resides on an NMS: SNMP manager

Explanation

SNMP consists of 3 items:

+ SNMP Manager (sometimes called Network Management System – NMS): a software runs on

the device of the network administrator (in most case, a computer) to monitor the network.
+ SNMP Agent: a software runs on network devices that we want to monitor (router, switch,
server…)
+ Management Information Base (MIB): is the collection of managed objects. This components
makes sure that the data exchange between the manager and the agent remains structured. In
other words, MIB contains a set of questions that the SNMP Manager can ask the Agent (and the
Agent can understand them). MIB is commonly shared between the Agent and Manager.

Question 3

Refer to the exhibit.

An engineer is required to verify that the network parameters are valid for the users wireless LAN
connectivity on a /24 subnet. Drag and drop the values from the left onto the network parameters
on the right. Not all values are used.

Answer:

+ host IP address: 192.168.1.20

+ broadcast address: 192.168.1.255
+ network address: 192.168.1.0
+ default gateway: 192.168.1.1
+ MAC address: B8-76-3F-7C-57-DF
+ last assignable IP address in the subnet: 192.168.1.254

Explanation

Note: The “Wireless LAN adapter Local Area Connection *6” is not physical LAN connection. Those
are just Virtual drivers (simulated network adapters) that are installed by Windows for something
like Hyper-V. Real, physical NICs get numbered “Ethernet ###” (or “Wireless ###”, etc.)

Question 4

An engineer is tasked to configure a switch with port security to ensure devices that forward
unicasts, multicasts, and broadcasts are unable to flood the port. The port must be configured to
permit only two random MAC addresses at a time. Drag and drop the required configuration
commands from the left onto the sequence on the right. (Not all commands are used)

Answer:

1: switchport mode access

2: switchport port-security
3: switchport port-security maximum 2
4: switchport port-security mac-address sticky

Explanation

The full syntax of the second command is:

switchport port-security mac-address sticky [MAC]

If we don’t specify the MAC address (like in this question) then the switch will dynamically learn
the attached MAC Address and place it into your running-configuration

Question 5

Drag the characteristics of network architectures from the left onto the type of architecture on the
right.
 

Answer:

Collapsed Core
+ most appropriate for small network designs
+ single device handles the core and the distribution layer
+ more cost-effective than other options

Three-Tier
+ separate devices handle the core and the distribution layer
+ enhances network availability

Explanation

The three-tier hierarchical design maximizes performance, network availability, and the ability to
scale the network design.
However, many small enterprise networks do not grow significantly larger over time. Therefore, a
two-tier hierarchical design where the core and distribution layers are collapsed into one layer is
often more practical. A “collapsed core” is when the distribution layer and core layer
functions are implemented by a single device. The primary motivation for the collapsed core
design is reducing network cost, while maintaining most of the benefits of the three-tier
hierarchical model.

Reference: https://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4

A collapsed core network is shown below. The collapsed core network may be deployed with
redundant core/distribution router, or consolidated core/distribution router.
Question 6

Drag and drop the QoS congestion management terms from the left onto the description on the
right.

Answer:

+ services a specified number of bytes in one queue before continuing to the next queue: CQ
+ provides guaranteed bandwidth to a specified class of traffic: CBWFQ
+ places packets into one of four priority-based queues: WFQ
+ provides minimum guaranteed bandwidth to one or more flows:  PQ
+ uses store-and-forward queuing: FIFO

Explanation

First-in, first-out (FIFO): FIFO entails no concept of priority or classes of traffic. With FIFO,
transmission of packets out the interface occurs in the order the packets arrive, which means no
QoS
Priority Queuing (PQ): schedules traffic such that the higher-priority queues “always” get
serviced first
Custom Queuing (CQ): provide specific traffic guaranteed bandwidth at a potential congestion
point, assuring the traffic a fixed portion of available bandwidth and leaving the remaining
bandwidth to other traffic.
Weighted fair queueing (WFQ): offers dynamic, fair queuing that divides bandwidth across
queues of traffic based on weights. In standard WFQ, packets are classified into flows according to
one of four criteria: the source Internet Protocol address (IP address), the destination IP address,
the source Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port, or the
destination TCP or UDP port.
Class-based weighted fair queueing (CBWFQ) extends the standard WFQ functionality to
provide support for user-defined traffic classes. For CBWFQ, you define traffic classes based on
match criteria including protocols, access control lists (ACLs), and input interfaces. Packets
satisfying the match criteria for a class constitute the traffic for that class. A queue is reserved for
each class, and traffic belonging to a class is directed to the queue for that class.
Once a class has been defined according to its match criteria, you can assign it characteristics. To
characterize a class, you assign it bandwidth, weight, and maximum packet limit. The bandwidth
assigned to a class is the guaranteed bandwidth delivered to the class during congestion.

Question 7

Refer to the exhibit.

An engineer is configuring the router to provide static NAT for the webserver. Drag and drop the
configuration commands from the left onto the letters that correspond to its position in the
configuration on the right.
 

Answer:

+ position A: ip address 172.16.1.1 255.255.255.0

+ position B: ip nat inside
+ position C: ip address 45.83.2.214 255.255.255.240
+ position D: ip nat outside
+ position E: ip nat inside source static tcp 172.16.1.2 80 45.83.2.214 80 extendable
+ position F: ip nat inside source list 1 interface s0 overload

Question 8

Drag and drop the DHCP snooping terms from the left onto the descriptions on the right.

Answer:

+ list of hosts on the network that are unknown to the administrative domain: snooping binding
database
+ unknown DHCP server within an administrative domain: spurious DHCP server
+ network component that propagates IP addresses to hosts on the network: DHCP server
+ default state of all interfaces: untrusted
+ internal device under the control of the network administrator: trusted