
Which Layer 2 Attack Will Result in Legitimate Users Not Getting Valid IP Addresses?

The document discusses Layer 2 attacks and how to configure ACLs to prevent them. DHCP starvation can be prevented using DHCP Snooping and IP Source Guard. An ACL applied outbound will block traffic instead of inbound.

Uploaded by

Sheroukkk Ragab

Which Layer 2 attack will result in legitimate users not getting valid IP addresses?

- ARP spoofing
- DHCP starvation
- IP address spoofing
- MAC address flooding

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
What is the result of a DHCP starvation attack?

- The attacker provides incorrect DNS and default gateway information to clients.
- The IP addresses assigned to legitimate clients are hijacked.
- Clients receive IP address assignments from a rogue DHCP server.
- Legitimate clients are unable to lease IP addresses.

Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)

- DHCP Snooping
- IP Source Guard
- Dynamic ARP Inspection
- Port Security
- Web Security Appliance

Refer to the exhibit. PC1 and PC2 should be able to obtain IP address assignments from the DHCP server. How many ports among switches should be assigned as trusted ports as part of the DHCP snooping configuration?

- 1
- 3
- 5
- 7

17. A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)

- Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.0
- Router1(config)# access-list 10 permit 192.168.15.23 0.0.0.255
- Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.255
- Router1(config)# access-list 10 permit host 192.168.15.23
- Router1(config)# access-list 10 permit 192.168.15.23 255.255.255.0

Which statement describes a characteristic of standard IPv4 ACLs?

- They are configured in the interface configuration mode.
- They can be configured to filter traffic based on both source IP addresses and source ports.
- They can be created with a number but not with a name.
- They filter traffic based on source IP addresses only.

20. Refer to the exhibit. An ACL was configured on R1 with the intention of denying traffic from subnet 172.16.4.0/24 into subnet 172.16.3.0/24. All other traffic into subnet 172.16.3.0/24 should be permitted. This standard ACL was then applied outbound on interface Fa0/0. Which conclusion can be drawn from this configuration?

- The ACL should be applied outbound on all interfaces of R1.
- The ACL should be applied to the FastEthernet 0/0 interface of R1 inbound to accomplish the requirements.
- All traffic will be blocked, not just traffic from the 172.16.4.0/24 subnet.
- Only traffic from the 172.16.4.0/24 subnet is blocked, and all other traffic is allowed.
- An extended ACL must be used in this situation.

16. Refer to the exhibit. A network administrator has configured ACL 9 as shown. Users on the 172.31.1.0/24 network cannot forward traffic through router CiscoVille. What is the most likely cause of the traffic failure?

- The established keyword is not specified.
- The sequence of the ACEs is incorrect.
- The port number for the traffic has not been identified with the eq keyword.
- The permit statement specifies an incorrect wildcard mask.

19. A network administrator is writing a standard ACL that will deny any traffic from the 172.16.0.0/16 network, but permit all other traffic. Which two commands should be used? (Choose two.)

- Router(config)# access-list 95 deny 172.16.0.0 255.255.0.0
- Router(config)# access-list 95 permit any
- Router(config)# access-list 95 host 172.16.0.0
- Router(config)# access-list 95 deny 172.16.0.0 0.0.255.255
- Router(config)# access-list 95 172.16.0.0 255.255.255.255
- Router(config)# access-list 95 deny any

51. A technician is tasked with using ACLs to secure a router. When would the technician use the ‘ip access-group 101 in’ configuration option or command?

- to apply an extended ACL to an interface
- to secure management traffic into the router
- to secure administrative access to the router
- to display all restricted traffic

56. What does the CLI prompt change to after entering the command ip access-list standard aaa from global configuration mode?

- Router(config-line)#
- Router(config-std-nacl)#
- Router(config)#
- Router(config-router)#
- Router(config-if)#
21. Refer to the exhibit. A network administrator needs to add an ACE to the TRAFFIC-CONTROL ACL that will deny IP traffic from the subnet 172.23.16.0/20. Which ACE will meet this requirement?

- 30 deny 172.23.16.0 0.0.15.255
- 15 deny 172.23.16.0 0.0.15.255
- 5 deny 172.23.16.0 0.0.15.255
- 5 deny 172.23.16.0 0.0.255.255

0.0.00001111.255

23. Refer to the exhibit. What can be determined from this output?

- The ACL is missing the deny ip any any ACE.
- The ACL is only monitoring traffic destined for 10.23.77.101 from three specific hosts.
- Because there are no matches for line 10, the ACL is not working.
- The router has not had any Telnet packets from 10.35.80.22 that are destined for 10.23.77.101.

42. Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)

- host
- most
- gt
- some
- any
- all

62. A technician is tasked with using ACLs to secure a router. When would the technician use the no access-list 101 configuration option or command?

- to apply an ACL to all router interfaces
- to secure administrative access to the router
- to remove all ACLs from the router
- to remove a configured ACL
- to add a text entry for documentation purposes
- to generate and send an informational message whenever the ACE is matched
- to identify any IP address
- to identify one specific IP address
43. Which statement describes a difference between the operation of inbound and outbound ACLs?

- Inbound ACLs are processed before the packets are routed while outbound ACLs are processed after the routing is completed.
- In contrast to outbound ACLs, inbound ACLs can be used to filter packets with multiple criteria.
- On a network interface, more than one inbound ACL can be configured but only one outbound ACL can be configured.
- Inbound ACLs can be used in both routers and switches but outbound ACLs can be used only on routers.
