
LAB Va Cac Cau Hoi Them

Uploaded by

Truongthon Kute

CCNA 200-120: ADDITIONAL QUESTIONS AND LAB

ANSWERS: the key and the answers are the words highlighted in yellow ^^

Good luck with your exam preparation!!!

PART 1
Question 1
EtherChannel question: You are given sw1 and sw2, with the output of show etherchannel summary
and show interface fa0/1. What is the cause of the problem? In the exhibit, switch A's cable is 100 Mb/s
speed and B's is 10 Mb/s. If you look very carefully, there is a speed mismatch that causes the
problem. I selected “speed mismatch”.

Question 2
Refer to the exhibit. Etherchannel has been configured on Switch1 as shown.
Switch1# conf t
Switch1(config)# interface range gigabitethernet 1/1
Switch1(config-if-range)# Channel-group 5 Mode “AUTO”
Switch1#
Switch1(config)# interface range gigabitethernet 1/2
Switch1(config-if-range)# Channel-group 5 Mode “AUTO”
Which is the correct command set to configure etherchannel on Switch2?
A. Switch2# configure terminal
Switch2(config)# interface range gigabitethernet3/1 -2
Switch2(config-if-range)# channel-group 5 mode auto
B. Switch2# configure terminal
Switch2(config)# interface range gigabitethernet3/1 -2
Switch2(config-if-range)# channel-group 5 mode passive
C. Switch2# configure terminal
Switch2(config)# interface range gigabitethernet3/1 -2
Switch2(config-if-range)# channel-group 5 mode desirable
D. Switch2# configure terminal
Switch2(config)# interface range gigabitethernet3/1 -2
Switch2(config-if-range)# channel-group 5 mode ACTIVE

Question 3
Which OSPF command turns OSPF on for all interfaces of a router?
Answer: network 0.0.0.0 255.255.255.255

LÊ NGỌC BÁCH 1

Question 4
Network admin creates a layer 3 Etherchannel, bundling 4 interfaces into channel group 1. On
what interface is the IP address configured?
A. the port-channel 1 interface
B. the highest number member interface
C. all member interfaces
D. the lowest number member interface

Question 5
What is the authentication type of SNMPv2?
Answer: Community string

Question 6
What parameters can be different on ports with an Etherchannel?
A. speed
B. trunk encapsulation
C. DTP negotiation setting
D. duplex


Note: these are some new questions that I have just seen in my own exam. The questions are not hard, but
everyone should still pay attention; do not tick an answer right away just because it looks familiar!
Question 7

The question is similar to this one, but the IP addresses given are correct; the fault lies in the encapsulation type.
One side is HDLC and the other is PPP, so the answer is “incompatible encapsulation”.

Question 8
You are given a table (for the EtherChannel part) taken from show output, and asked which
configuration commands produce it.
The show table lists the mode as “PASSIVE”.
The answer choices given:
A. interface FastEthernet0/3
channel-group 1 mode active
switchport trunk encapsulation dot1q
switchport mode trunk

B. interface FastEthernet0/3
channel-group 1 mode auto
switchport trunk encapsulation dot1q
switchport mode trunk
C. interface FastEthernet0/3
channel-group 1 mode passive
switchport trunk encapsulation dot1q
switchport mode trunk

D. interface FastEthernet0/3
channel-group 1 mode desirable
switchport trunk encapsulation dot1q
switchport mode trunk

(Question 2 above asks which mode the switch at the other end must be in.)
Note that EtherChannel has 2 protocols, PAgP and LACP.

The cases above all fail to negotiate an EtherChannel. The remaining
cases all bring the EtherChannel up (of course both sides must use the same protocol, both PAgP or both
LACP; one of each does not work).


Question 9
In which message are SNMP alerts sent?
A. GET
B. GET NEXT
C. TRAP
D. SET REQUEST
E. GET RESPONSE

PART 2: LAB
QUESTION 1: ACL LAB

A network associate is adding security to the configuration of the Corp1 router. The user on host
B should be able to use a web browser to access financial information from the Finance Web
Server. Other access from host B to Finance Web Server should be denied. No other hosts from
the LAN nor the Core should be able to access the Finance Web Server. All other traffic should
be allowed.
The task is to create and apply a numbered access-list with no more than three statements that
will allow ONLY host B web access to the Finance Web Server. Also host B should be denied
access to any other services of the Finance Web Server. No other hosts will have access to the Finance Web
Server. All other traffic is permitted.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords have been temporarily set to “cisco”.
The Core connection uses an IP address of 198.18.196.65
The computers in the Hosts LAN have been assigned addresses of 192.168.33.1 –
192.168.33.254
Host A 192.168.33.1
Host B 192.168.33.2
Host C 192.168.33.3
Host D 192.168.33.4
The servers in the Server LAN have been assigned addresses of 172.22.242.17 – 172.22.242.30
The Finance Web Server is assigned an IP address of 172.22.242.23.
The Public Web Server is assigned an IP address of 172.22.242.17.

Corp1>enable
Password: cisco
We should create an access-list and apply it to the interface which is connected to the Servers
LAN interface, because it can filter out traffic from both Sw-Hosts and Core networks. The
Server LAN network has been assigned addresses of 172.22.242.17 – 172.22.242.30 so we can
guess the interface connected to them has an IP address of 172.22.242.30 (.30 is the number
shown in the figure). Use the “show ip interface brief” command to check which interface has
the IP address of 172.22.242.30.
Corp1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.33.254 YES manual up up
FastEthernet0/1 172.22.242.30 YES manual up up
Serial0/0 198.18.196.65 YES manual up up
We learn that interface FastEthernet0/1 is the interface connected to the Server LAN network. It is
the interface to which we will apply our access-list (in the outbound direction).
Corp1#configure terminal
Our access-list needs to allow host B – 192.168.33.2 to the Finance Web Server 172.22.242.23
via web (port 80)
Corp1(config)#access-list 100 permit tcp host 192.168.33.2 host 172.22.242.23 eq 80
Deny other hosts access to the Finance Web Server; other access from host B to the Finance
Web Server should also be denied.
Corp1(config)#access-list 100 deny ip any host 172.22.242.23
All other traffic is permitted
Corp1(config)#access-list 100 permit ip any any
Apply this access-list to Fa0/1 interface (outbound direction)
Corp1(config)#interface fa0/1
Corp1(config-if)#ip access-group 100 out
Notice: We have to apply the access-list to Fa0/1 interface (not Fa0/0 interface) so that the
access-list can filter traffic coming from both the LAN and the Core networks. If we apply
access list to the inbound interface we can only filter traffic from the LAN network.
In the real exam, just click on host B and open its web browser. In the address box type
http://172.22.242.23 to check if you are allowed to access Finance Web Server or not. If your
configuration is correct then you can access it. Click on other hosts (A, C and D) and check to
make sure you can’t access Finance Web Server from these hosts. Finally, save the
configuration.
Corp1(config-if)#end
Corp1#copy running-config startup-config
This configuration only prevents hosts from accessing Finance Web Server via web but if this
server supports other traffic – like FTP, SMTP… then other hosts can access it, too.
Notice: In the real exam, you might be asked to allow other host (A, C or D) to access the
Finance Web Server so please read the requirement carefully.
QUESTION 2: EIGRP LAB
After adding Interior router, no routing updates are being exchanged between Perimeter and the
new location. All other inter connectivity and Internet access for the existing locations of the
company are working properly.
The task is to identify the fault(s) and correct the router configurations to provide full
connectivity between the routers.
Access to the router CLI can be gained by clicking on the appropriate host.
All passwords on all routers are cisco.
IP addresses are listed in the chart below.

Answer:
Commands
First we should check the configuration of the Interior Router.
Click the console PC “F” and enter the following commands.
Interior> enable
Password: cisco
Interior# show running-config
Building configuration...
Current configuration : 770 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Interior
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
interface FastEthernet0/0
ip address 192.168.77.34 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.60.65 255.255.255.240
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 192.168.60.81 255.255.255.240
duplex auto
speed auto
!
router eigrp 22
network 192.168.77.0
network 192.168.60.0
no auto-summary
!
ip classless
!
line con 0
line vty 0 4
login
!
end
Interior#

From the output above, we know that this router was wrongly configured with
an autonomous system (AS) number of 22. When the AS numbers among routers are mismatched, no
adjacency is formed. (You should check the AS numbers on other routers for sure).
To solve this problem, we simply reconfigure the Interior router with the following
commands:
Interior# conf t
Interior(config)# no router eigrp 22
Interior(config)# router eigrp 222
Interior(config-router)# network 192.168.60.0
Interior(config-router)# network 192.168.77.0
Interior(config-router)# no auto-summary
Interior(config-router)# end
Interior# copy running-config startup-config
Second we should check the configuration of the Perimeter Router.
Click the console PC “G” and enter the following commands.
Perimeter> enable
Password: cisco
Perimeter# show running-config
Building configuration...
Current configuration : 1029 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Perimeter
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
interface FastEthernet0/0
ip address 192.168.77.33 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
ip address 192.168.36.13 255.255.255.252
clock rate 64000
!
interface Serial0/1
ip address 192.168.60.25 255.255.255.252
clock rate 64000
!
interface Serial1/0
ip address 198.0.18.6 255.255.255.252
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
router eigrp 222
network 192.168.36.0
network 192.168.60.0
network 192.168.85.0
network 198.0.18.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 198.0.18.5
!
line con 0
line vty 0 4
login
!
end
Perimeter#
Notice that the network connecting to Interior is missing from the EIGRP configuration. Therefore we
have to add it so that Perimeter can recognize the Interior router.
Perimeter# conf t
Perimeter(config)# router eigrp 222
Perimeter(config-router)# network 192.168.77.0
Perimeter(config-router)# end
Perimeter# copy running-config startup-config
Now the whole network will work well. You should check again with ping command from router
Interior to other routers!
In Short:
Interior Router
Interior>enable
Password: cisco
Interior# conf t
Interior(config)# no router eigrp 22
Interior(config)# router eigrp 222
Interior(config-router)# network 192.168.60.0
Interior(config-router)# network 192.168.77.0
Interior(config-router)# no auto-summary
Interior(config-router)# end
Interior# copy running-config startup-config
Perimeter Router
Perimeter>enable
Password: cisco
Perimeter# conf t
Perimeter(config)# router eigrp 222
Perimeter(config-router)# network 192.168.77.0
Perimeter(config-router)# end
Perimeter# copy running-config startup-config
Note:
- If the Internet connection does not work (show ip route shows no S* on the Perimeter
router), we need to add a default route and a default-network on the Perimeter router.
Perimeter(config)# ip route 0.0.0.0 0.0.0.0 198.0.18.5
Perimeter(config)# ip default-network 198.0.18.0
Perimeter(config)# exit
Then save the configuration.
- If show run on the Interior router shows:
!
router eigrp 22
network 192.168.77.0
network 192.168.60.0
passive-interface FastEthernet 0/0
passive-interface Serial 1/0
no auto-summary
!
In this case EIGRP cannot send update messages out of ports f0/0 and s1/0, so show ip
route will not yet show the EIGRP routes (the neighbor relationship has not been established). We then need to
turn off PASSIVE-INTERFACE by adding the word “NO” before that command.
Perimeter(config)#router eigrp 222
Perimeter(config-router)#no passive-interface Fa0/0
Perimeter(config-router)#end
The exception is int S1/0 (the interface connected to the ISP, leading out to the Internet). If show run shows this
interface set as PASSIVE-INTERFACE, do not panic. It does not affect your ping
connectivity :D. Only interfaces inside the EIGRP domain, such as f0/0, s0/0, s0/1,
need it turned off with “no passive-interface [interface name]” when they are set as passive-interface.
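Added example (not part of the original document): a Python check that reads two running-configs and reports the faults this lab turns on, a mismatched EIGRP AS number, a missing network statement for the shared link, and a passive interface on that link. The configs are excerpts of the Interior and Perimeter output above; parse and check_link are illustrative names, router A is the first argument and B the second, and only classful network statements (the form used on this page) are handled.

```python
import ipaddress
import re

def classful(net):
    first = int(net.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24  # class A / B / C
    return ipaddress.ip_network(f"{net}/{prefix}", strict=False)

def parse(cfg):
    """Collect interface addresses and EIGRP settings from a running-config."""
    r = {"ifaces": {}, "as": None, "nets": [], "passive": set()}
    iface = None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            r["ifaces"][iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"router eigrp (\d+)", line):
            r["as"] = int(m[1])
        elif m := re.match(r"network (\S+)$", line):
            r["nets"].append(classful(m[1]))
        elif m := re.match(r"passive-interface (.+)", line):
            r["passive"].add(m[1].replace(" ", ""))
    return r

def check_link(a, b):
    """Return the reasons routers a and b cannot become EIGRP neighbors."""
    problems = []
    if a["as"] != b["as"]:
        problems.append(f"AS mismatch: {a['as']} vs {b['as']}")
    for name, r, other in (("A", a, b), ("B", b, a)):
        for ifname, addr in r["ifaces"].items():
            on_link = any(addr.network == o.network for o in other["ifaces"].values())
            if on_link and not any(addr.ip in n for n in r["nets"]):
                problems.append(f"{name}: no network statement covers {ifname}")
            if on_link and ifname in r["passive"]:
                problems.append(f"{name}: {ifname} is passive")
    return problems

# Excerpts of the two running-configs shown in this lab (A = Interior, B = Perimeter).
INTERIOR = """interface FastEthernet0/0
 ip address 192.168.77.34 255.255.255.252
router eigrp 22
 network 192.168.77.0
 network 192.168.60.0"""
PERIMETER = """interface FastEthernet0/0
 ip address 192.168.77.33 255.255.255.252
router eigrp 222
 network 192.168.36.0
 network 192.168.60.0"""
```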

QUESTION 3: ACL QUESTION

An administrator is trying to ping and telnet from Switch to Router with the results shown
below:

Question 1
Which will fix the issue and allow ONLY ping to work while keeping telnet disabled?
A. Remove access-group 102 out from interface s0/0/0 and add access-group 114 in.
B. Correctly assign an IP address to interface fa0/1
C. Remove access-group 106 in from interface fa0/0 and add access-group 104 in.
D. Change the ip access-group command on fa0/0 from “in” to “out”
E. Remove access-group 106 in from interface fa0/0 and add access-group 115 in.
Answer: C
Explanation:
The question was not about FTP so skip line #1 and line #2.
Line #3 denies telnet traffic and line #4 permits icmp-echo traffic.
Line #5 denies echo-reply traffic. If any device pings a device attached to Fa0/0, the packet
will be denied.
Line #6 permits all other traffic.

Question 2:
What would be the effect of issuing the command ip access-group 114 in to the fa0/0 interface?
A. IP traffic would be passed through the interface but TCP and UDP traffic would not
B. Attempts to telnet to the router would fail
C. Routing protocol updates for the 10.4.4.0 network would not be accepted from the fa0/0
interface.
D. It would allow all traffic from the 10.4.4.0 network.
Explanation:

There is only one command that is associated with access-list 114 and it is access-list 114
permit ip 10.4.4.0 0.0.0.255 any. This command will permit traffic from 10.4.4.0 /24
network.
Question 3:
What would be the effect of issuing the command access-group 115 in on the s0/0/1
interface?
A. FTP, FTP-DATA, echo, and www would work but telnet would fail.
B. Telnet and ping would work but routing updates would fail.
C. No host could connect to Router through s0/0/1
D. Only traffic from the 10.4.4.0 network would pass through the interface.

The above command will only accept the IP (0.0.0.0). Also, no such IP address exists.
The wildcard mask of access-list 115 is 255.255.255.0, which means that only hosts with IP addresses
x.x.x.0 will be accepted. If the 4th part of an IP address is 0, then it would definitely be a
network address. So no host can communicate with other networks using the S0/0/1 interface.
But it will accept a packet with source IP address 10.10.0.0/8. The 4th octet is 0, and it is not a
network address but a valid IP address. So confusion... confusion... Anyhow, the other 3 choices (A,
B, D) are definitely not the answer and Choice C is closest to the result, so the answer is C.
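Added example (not part of the original document): a small Python model of how a router evaluates the access lists discussed in the ACL lab and in the ACL question above, where the first matching entry wins, an implicit deny ends every list, and wildcard bits set to 1 are ignored. ACL_100 and ACL_114 are the entries quoted on this page; ACL_WEB_ONLY and ACL_MISORDERED are constructed variants, and the function names are illustrative.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def spec(text):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> (address, wildcard)."""
    parts = text.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if parts[0] == "host":
        return ip(parts[1]), 0
    return ip(parts[0]), ip(parts[1])

def hit(addr, text):
    base, wild = spec(text)
    # Wildcard bits set to 1 are ignored; bits set to 0 must be equal.
    return (ip(addr) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; an empty or exhausted list is the implicit deny."""
    for action, e_proto, e_src, e_dst, e_port in acl:
        if e_proto not in ("ip", proto):
            continue
        if e_port is not None and e_port != dport:
            continue
        if hit(src, e_src) and hit(dst, e_dst):
            return action
    return "deny"

FINANCE, PUBLIC = "172.22.242.23", "172.22.242.17"
HOST_A, HOST_B = "192.168.33.1", "192.168.33.2"

# access-list 100 as entered in the ACL lab.
ACL_100 = [
    ("permit", "tcp", "host " + HOST_B, "host " + FINANCE, 80),
    ("deny", "ip", "any", "host " + FINANCE, None),
    ("permit", "ip", "any", "any", None),
]
# Constructed variant (not on the page): the deny covers only TCP port 80.
ACL_WEB_ONLY = [ACL_100[0], ("deny", "tcp", "any", "host " + FINANCE, 80), ACL_100[2]]
# Constructed mis-ordering: the catch-all permit placed first.
ACL_MISORDERED = [ACL_100[2], ACL_100[0], ACL_100[1]]
# access-list 114 as quoted in Question 2 of the ACL question.
ACL_114 = [("permit", "ip", "10.4.4.0 0.0.0.255", "any", None)]

if __name__ == "__main__":
    for port in (80, 21):
        for name, acl in (("100", ACL_100), ("web-only", ACL_WEB_ONLY)):
            print(name, "host A ->", port, evaluate(acl, "tcp", HOST_A, FINANCE, port))
```

With ACL_100 every service on the Finance Web Server is closed to hosts other than B, while the constructed web-only variant lets FTP from host A through, which is the case the lab's caveat about other traffic describes.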
