Cisco CCNA 200-125 Exam Dumps Latest – New Questions & Answers

Section VI: Infrastructure Security

VI.1. Which statement about RADIUS security is true?

  • It supports EAP authentication for connecting to wireless networks.
  • It provides encrypted multiprotocol support.
  • Device-administration packets are encrypted in their entirety.
  • It ensures that user activity is fully anonymous.

VI.2. Which command can you enter to block HTTPS traffic from the whole class A private network range to a host?

  • R1(config)#access-list 105 deny tcp eq 443
  • R1(config)#access-list 105 deny tcp eq 53
  • R1(config)#access-list 105 deny tcp eq 53
  • R1(config)#access-list 105 deny tcp eq 443

VI.3. Which two options are valid numbers for a standard access list? (Choose two.)

  • 50
  • 150
  • 1250
  • 1550
  • 2050

VI.4. Which utility can you use to identify the cause of a traffic-flow blockage between the two devices in a network?

  • ACL path analysis tool in APIC-EM
  • IWAN application
  • ACL analysis tool in APIC-EM
  • APIC-EM automation scheduler
Explanation/Reference:
The ACL Path Analysis tool in APIC-EM can help to identify where the traffic was blocked in the transmission.

Icon means “there are ACLs that permit the traffic applied on the interface”.

Icon means “traffic may or may not be blocked. For example, if your traffic matches a deny access control entry (ACE), traffic is denied. However, if your traffic matches any other ACEs, it is permitted. You can get this type of results if you leave out the protocol, source port, or destination port when defining a path trace”.

Icon means “there is an ACL on the device or interface that is blocking the traffic on the path”.

Icon means “there are no ACLs applied on the interface”.


VI.5. Which set of commands is recommended to prevent the use of a hub in the access layer?

  • switch(config-if)#switchport mode trunk
    switch(config-if)#switchport port-security maximum 1
  • switch(config-if)#switchport mode trunk
    switch(config-if)#switchport port-security mac-address 1
  • switch(config-if)#switchport mode access
    switch(config-if)#switchport port-security maximum 1
  • switch(config-if)#switchport mode access
    switch(config-if)#switchport port-security mac-address 1
Explanation/Reference:
Port security is only used on access ports (which connect to hosts), so we need to set the port to “access” mode, then specify the maximum number of hosts which are allowed to connect to this port -> C is correct.

Note: If we want to allow a fixed MAC address to connect, use the “switchport port-security mac-address ” command.

VI.6. Which two options are primary responsibilities of the APIC-EM controller? (Choose two.)

  • It automates network actions between different device types.
  • It provides robust asset management.
  • It tracks license usage and Cisco IOS versions.
  • It automates network actions between legacy equipment.
  • It makes network functions programmable.
Explanation/Reference:

+ Automate network configuration and setup: deploy network devices faster; automate device deployment and provisioning across the enterprise.
+ Provide a programmable network: enable developers to create new applications that use the network to fuel business growth.

VI.7. Which utility can you use to identify redundant or shadow rules?

  • The ACL trace tool in Cisco APIC-EM.
  • The ACL analysis tool in Cisco APIC-EM.
  • The Cisco APIC-EM automation scheduler.
  • The Cisco IWAN application.
Explanation/Reference:
Cisco APIC-EM supports the following policy analysis features:

+ Inspection, interrogation, and analysis of network access control policies.
+ Ability to trace application-specific paths between end devices to quickly identify ACLs in use and problem areas.
+ Enables ACL change management with easy identification of conflicts and shadows -> Maybe B is the most suitable answer.

The ACL trace tool can only help us to identify which ACL on which router is blocking or allowing traffic. It cannot help identify redundant/shadow rules.

Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) is a Cisco Software Defined Networking (SDN) controller which uses open APIs for policy-based management and security through a single controller, abstracting the network and making network services simpler. APIC-EM provides centralized automation of policy-based application profiles.

Reference: CCNA Routing and Switching Complete Study Guide

Cisco Intelligent WAN (IWAN) application simplifies the provisioning of IWAN network profiles with simple business policies. The IWAN application defines business-level preferences by application or groups of applications in terms of the preferred path for hybrid WAN links. Doing so improves the application experience over any connection and saves telecom costs by leveraging cheaper WAN links.

Shadow rules are rules that are never matched (usually because of earlier rules). For example, take two access-list statements:

access-list 100 permit ip any any
access-list 100 deny tcp host A host B

The second statement would never be matched because all traffic has already been permitted by the first statement. In this case we say that statement 1 shadows statement 2.
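As an added example (not part of the original page), the following Python script applies the superset test behind “statement 1 shadows statement 2” to a small constructed extended ACL, reports which entries are shadowed by an earlier entry, and evaluates a packet with first-match semantics and the implicit deny at the end; the entries and addresses are constructed, not from the page.

```python
"""Shadowed-entry detection for Cisco IOS extended ACLs (added example, not from the page).

An entry is shadowed when every packet it could match is already matched by an
earlier entry, so it can never take effect. The sample ACL below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "tcp", "udp", ...
    src: int             # source address as a 32-bit int
    src_wild: int        # wildcard mask (1 bits = don't care)
    dst: int
    dst_wild: int
    port: Optional[int]  # destination port from "eq", if given
    text: str


def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (addr, wildcard, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, wild, i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    src, src_wild, i = _addr_spec(t, 4)
    dst, dst_wild, i = _addr_spec(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[2], t[3], src, src_wild, dst, dst_wild, port, line)


def _range_covers(a_addr: int, a_wild: int, b_addr: int, b_wild: int) -> bool:
    """True if every address matched by (b_addr, b_wild) is matched by (a_addr, a_wild).
    Bits fixed in A must also be fixed in B and agree; works for non-contiguous masks."""
    return (b_wild & ~a_wild) == 0 and ((a_addr ^ b_addr) & ~a_wild) == 0


def covers(a: Ace, b: Ace) -> bool:
    """True if ACE a matches a superset of the packets ACE b matches."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.port is None or a.port == b.port
    return (proto_ok and port_ok
            and _range_covers(a.src, a.src_wild, b.src, b.src_wild)
            and _range_covers(a.dst, a.dst_wild, b.dst, b.dst_wild))


def shadowed_entries(acl: List[Ace]) -> List[Tuple[int, int]]:
    """Return (shadowed_index, shadowing_index) pairs, 0-based; the first
    earlier entry that fully covers a later one is reported."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                found.append((j, i))
                break
    return found


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             port: Optional[int] = None) -> str:
    """First-match evaluation: the first matching entry decides, and a packet
    that matches nothing hits the implicit 'deny' at the end of the ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in acl:
        if ((ace.proto == "ip" or ace.proto == proto)
                and (ace.port is None or ace.port == port)
                and ((ace.src ^ s) & ~ace.src_wild) == 0
                and ((ace.dst ^ d) & ~ace.dst_wild) == 0):
            return ace.action
    return "deny"


# Constructed sample ACL: the last two entries can never be hit.
SAMPLE_ACL = [parse_ace(line) for line in (
    "access-list 100 permit tcp 10.1.0.0 0.0.255.255 any eq 443",
    "access-list 100 permit ip any any",
    "access-list 100 deny tcp host 10.1.2.3 host 192.0.2.10",   # shadowed by entry 2
    "access-list 100 deny tcp host 10.1.2.3 any eq 443",        # shadowed by entry 1
)]

if __name__ == "__main__":
    for j, i in shadowed_entries(SAMPLE_ACL):
        print(f"'{SAMPLE_ACL[j].text}' is shadowed by '{SAMPLE_ACL[i].text}'")
```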

VI.8. What will be the result if the following configuration commands are implemented on a Cisco switch?

Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
  • A dynamically learned MAC address is saved in the startup-configuration file.
  • A dynamically learned MAC address is saved in the running-configuration file.
  • A dynamically learned MAC address is saved in the VLAN database.
  • Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
  • Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.

VI.9. Refer to the exhibit. The following commands are executed on interface fa0/1 of 2950Switch.

2950Switch(config-if)#switchport port-security 
2950Switch(config-if)#switchport port-security mac-address sticky 
2950Switch(config-if)#switchport port-security maximum 1

The Ethernet frame that is shown arrives on interface fa0/1. What two functions will occur when this frame is received by 2950Switch? (Choose two.)

  • The MAC address table will now have an additional entry of fa0/1 FFFF.FFFF.FFFF.
  • Only host A will be allowed to transmit frames on fa0/1.
  • This frame will be discarded when it is received by 2950Switch.
  • All frames arriving on 2950Switch with a destination of 0000.00aa.aaaa will be forwarded out fa0/1.
  • Hosts B and C may forward frames out fa0/1 but frames arriving from other switches will not be forwarded out fa0/1.
  • Only frames from source 0000.00bb.bbbb, the first learned MAC address of 2950Switch, will be forwarded out fa0/1.

Explanation/Reference:
The first command 2950Switch(config-if)#switchport port-security is to enable the port-security in a switch port.

In the second command 2950Switch(config-if)#switchport port-security mac-address sticky, we need to know the full syntax of this command is switchport port-security mac-address sticky [MAC]. The STICKY keyword is used to make the MAC address appear in the running configuration and you can save it for later use. If you do not specify any MAC addresses after the STICKY keyword, the switch will dynamically learn the attached MAC Address and place it into your running-configuration. In this case, the switch will dynamically learn the MAC address 0000.00aa.aaaa of host A and add this MAC address to the running configuration.

In the last command 2950Switch(config-if)#switchport port-security maximum 1 you limit the number of secure MAC addresses to one; because no MAC address is specified, the switch learns the MAC address of the device attached to interface fa0/1, and the workstation attached to that port is assured the full bandwidth of the port. Therefore only host A will be allowed to transmit frames on fa0/1 -> B is correct.

After you have set the maximum number of secure MAC addresses for interface fa0/1, the secure addresses are included in the “Secure MAC Address” table (this table is similar to the MAC Address Table but you can only view it with the show port-security address command). So in this question, although you don’t see the MAC address of host A listed in the MAC Address Table, frames with a destination of 0000.00aa.aaaa will still be forwarded out of interface fa0/1 -> D is correct.

VI.10. Refer to the exhibit. A junior network administrator was given the task of configuring port security on SwitchA to allow only PC_A to access the switched network through port fa0/1. If any other device is detected, the port is to drop frames from this device. The administrator configured the interface and tested it with successful pings from PC_A to RouterA, and then observes the output from these two show commands. Which two of these changes are necessary for SwitchA to meet the requirements? (Choose two.)

  • Port security needs to be globally enabled.
  • Port security needs to be enabled on the interface.
  • Port security needs to be configured to shut down the interface in the event of a violation.
  • Port security needs to be configured to allow only one learned MAC address.
  • Port security interface counters need to be cleared before using the show command.
  • The port security configuration needs to be saved to NVRAM before it can become active.
Explanation/Reference:
As we see in the output, the “Port Security” is in “Disabled” state (line 2 in the output). To enable Port security feature, we must enable it on that interface first with the command:

SwitchA(config-if)#switchport port-security

-> B is correct.

Also from the output, we learn that the switch is allowing 2 devices to connect to it (switchport port-security maximum 2) but the question requires allowing only PC_A to access the network so we need to reduce the maximum number to 1 -> D is correct.

VI.11. What to do when the router password was forgotten?

  • use default password cisco to reset
  • access router physically
  • use ssl/vpn
  • Type confreg 0x2142 at the rommon 1
Explanation/Reference:
To reset the password we can type “confreg 0x2142” under rommon mode to set the configuration register to 2142 in hexadecimal (the prefix 0x means hexadecimal (base 16)). With this setting when that router reboots, it bypasses the startup-config.

VI.12. A network engineer wants to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?

  • reflexive
  • extended
  • standard
  • dynamic
Explanation/Reference:
We can use a dynamic access list to authenticate a remote user with a specific username and password. The authentication process is done by the router or a central access server such as a TACACS+ or RADIUS server. The configuration of dynamic ACL can be read here:

VI.13. What should be part of a comprehensive network security plan?

  • Allow users to develop their own approach to network security
  • Physically secure network equipment from potential access by unauthorized individuals
  • Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
  • Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
  • Minimize network overhead by deactivating automatic antivirus client updates
Explanation/Reference:
All other answers are not recommended for a network security plan so only B is the correct answer.

VI.14. Which password types are encrypted?

  • SSH
  • Telnet
  • enable secret
  • enable password
Explanation/Reference:
The “enable secret” password is always encrypted (independent of the “service password-encryption” command) using the MD5 hash algorithm.

Note: The “enable password” does not encrypt the password and it can be viewed in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. In general, don’t use enable password; use enable secret instead.

VI.15. Which statement about ACLs is true?

  • An ACL must have at least one permit action, else it just blocks all traffic.
  • ACLs go bottom-up through the entries looking for a match.
  • An ACL has an implicit permit at the end of the ACL.
  • ACLs will check the packet against all entries looking for a match.

VI.16. Which three options are benefits of using TACACS+ on a device? (Choose three)

  • It ensures that user activity is untraceable.
  • It provides a secure accounting facility on the device.
  • Device-administration packets are encrypted in their entirety.
  • It allows the user to remotely access devices from other vendors.
  • It allows the users to be authenticated against a remote server.
  • It supports access-level authorization for commands.
Explanation/Reference:
TACACS+ (and RADIUS) allow users to be authenticated against a remote server -> E is correct.

TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header -> C is correct.

TACACS+ supports access-level authorization for commands. That means you can use commands to assign privilege levels on the router -> F is correct.


By default, there are three privilege levels on the router.
+ privilege level 1 = non-privileged (prompt is router>), the default level for logging in
+ privilege level 15 = privileged (prompt is router#), the level after going into enable mode
+ privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout

VI.17. How do you verify that an SSH connection was secured?

  • ssh -v 1 -l admin IP
  • ssh -v 2 -l admin IP
  • ssh -l admin IP
  • ssh -v -l admin IP

VI.18. Which cisco platform can verify ACLs?

  • Cisco Prime Infrastructure
  • Cisco Wireless LAN Controller
  • Cisco APIC-EM
  • Cisco IOS-XE
Explanation/Reference:
The APIC-EM Path Trace ACL Analysis Tool can display the ACLs that are in use (it downloads the device configurations after a specific period of time and shows them when we do a path trace). Therefore it helps verify the ACLs more easily.

VI.19. Which major component of the network virtualization architecture isolates users according to policy?

  • policy enforcement
  • network access control
  • network services virtualization
  • path isolation
Explanation/Reference:
Network virtualization architecture has three main components:

+ Network access control and segmentation of classes of users: Users are authenticated and either allowed or denied into a logical partition. Users are segmented into employees, contractors and consultants, and guests, with respective access to IT assets. This component identifies users who are authorized to access the network and then places them into the appropriate logical partition.

+ Path isolation: Network isolation is preserved across the entire enterprise: from the edge to the campus to the WAN and back again. This component maintains traffic partitioned over a routed infrastructure and transports traffic over and between isolated partitions. The function of mapping isolated paths to VLANs and to virtual services is also performed in component.

+ Network Services virtualization: This component provides access to shared or dedicated network services such as security, quality of service (QoS), and address management (Dynamic Host Configuration Protocol [DHCP] and Domain Name System [DNS]). It also applies policy per partition and isolates application environments, if required.


VI.20. Which two statements about firewalls are true?

  • They can be used with an intrusion prevention system.
  • They can limit unauthorized user access to protect data.
  • Each wireless access point requires its own firewall.
  • They must be placed only at locations where the private network connects to the internet.
  • They can prevent attacks from the internet only.

VI.21. Which three options are types of Layer 2 network attack? (Choose three)

  • Spoofing attacks
  • Vlan Hopping
  • botnet attacks
  • DDOS attacks
  • ARP Attacks
  • Brute force attacks
Explanation/Reference:

(DHCP) Spoofing attack is a type of attack in which the attacker listens for DHCP Requests from clients and answers them with a fake DHCP Response before the authorized DHCP Response reaches the clients. The fake DHCP Response often gives the attacker’s IP address as the client’s default gateway -> all the traffic sent from the client goes through the attacker’s computer and the attacker becomes a “man-in-the-middle”.

The attacker can have some ways to make sure its fake DHCP Response arrives first. In fact, if the attacker is “closer” than the DHCP Server then he doesn’t need to do anything. Or he can DoS the DHCP Server so that it can’t send the DHCP Response.

VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging.

1) Switch spoofing:

The attacker can connect an unauthorized Cisco switch to a Company switch port. The unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default.

(Instead of using a Cisco Switch, the attacker can use a software to create and send DTP frames).

2) Double-Tagging:

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).

When the packet from the attacker reaches Switch A, Switch A only sees the first tag, VLAN 10, which matches its native VLAN 10, so this VLAN tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with a tag of VLAN 20, so it removes this tag and forwards the frame to the Victim computer.

Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker.
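To make the detection side concrete, here is an added Python example (not from the original page) that walks the 802.1Q tag stack of a raw Ethernet frame and flags a frame that carries a second tag behind an outer tag equal to the trunk’s native VLAN (VLAN 10, as in the text above); the MAC addresses follow the 0000.00aa.aaaa style of the earlier questions and the frames are constructed for the test.

```python
"""Flag 802.1Q double-tagged frames (added detection example, not from the page).

A frame whose outer tag equals the trunk's native VLAN and that carries a second
tag is the pattern used in the double-tagging VLAN-hopping attack described above.
The native VLAN 10 follows the text; the frames built below are constructed."""
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100
NATIVE_VLAN = 10          # assumed native VLAN of the trunk, as in the text


def vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Return (VLAN IDs from outer to inner, EtherType that follows the tags)."""
    offset = 12               # skip destination and source MAC
    tags: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated Ethernet header")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4


def is_double_tag_hop(frame: bytes, native_vlan: int = NATIVE_VLAN) -> bool:
    """True if the frame is double-tagged with the native VLAN as the outer tag."""
    tags, _ = vlan_tags(frame)
    return len(tags) >= 2 and tags[0] == native_vlan


def build_frame(dst: str, src: str, vlans: List[int], ethertype: int = 0x0800) -> bytes:
    """Constructed test frame: MACs in Cisco dotted form, VLAN tags outer to inner."""
    frame = bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP and DEI left at 0
    return frame + struct.pack("!H", ethertype) + b"\x00" * 46   # minimal padded payload


if __name__ == "__main__":
    attack = build_frame("0000.00bb.bbbb", "0000.00aa.aaaa", [NATIVE_VLAN, 20])
    normal = build_frame("0000.00bb.bbbb", "0000.00aa.aaaa", [20])
    print("double-tagged frame flagged:", is_double_tag_hop(attack))   # True
    print("single-tag frame flagged:", is_double_tag_hop(normal))      # False
```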

ARP attack (like ARP poisoning/spoofing) is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. This is an attack based on ARP, which is at Layer 2.

VI.22. By default, how many MAC addresses are permitted to be learned on a switch port with port security enabled?

  • 8
  • 2
  • 1
  • 0
Explanation/Reference:
By default, port security limits the number of MAC addresses that can connect to a switch port to one. Once the maximum number of MAC addresses is reached, a security violation occurs when another MAC address attempts to access the port.

VI.23. Which option is the default switch port port-security violation mode?

  • shutdown
  • protect
  • shutdown vlan
  • restrict
Explanation/Reference:
Shutdown is the default switch port port-security violation mode. When in this mode, the switch will automatically force the switchport into an error disabled (err-disable) state when a violation occurs. While in this state, the switchport forwards no traffic. The switchport can be brought out of this error disabled state by issuing the errdisable recovery cause CLI command or by disabling and re-enabling the switchport.

VI.24. Which three features are represented by the letter A in AAA authentication? (Choose three)

  • authorization
  • accounting
  • authentication
  • accountability
  • accessibility
  • authority

VI.25. What is a possible reason why a host is able to ping a web server but it is not able to do an HTTP request?

  • ACL blocking port 23
  • ACL blocking All ports
  • ACL blocking port 80
  • ACL blocking port 443
  • None of the above

VI.26. Which item represents the standard IP ACL?

  • Access-list 110 permit any any
  • Access-list 50 deny
  • Access list 101 deny tvp any host
  • Access-list 2500 deny tcp any host eq 22
Explanation/Reference:
The range of standard ACL is 1-99, 1300-1999 so 50 is a valid number for standard ACL.

VI.27. Which statement about recovering a password on a Cisco router is true?

  • The default reset password is cisco
  • It requires a secure SSL/VPN connection
  • A factory reset is required if you forget the password
  • It requires physical access to the router
Explanation/Reference:
Other choices are surely incorrect so only “physical access” answer is the correct one. In order to recover a password on a Cisco router, the first thing you have to do is either switch off or shut down the router. For more information about this process, please read

VI.28. Where is information about untrusted hosts stored?

  • CAM table
  • Trunk table
  • MAC table
  • binding database
Explanation/Reference:
The DHCP snooping binding database is also referred to as the DHCP snooping binding table. The DHCP snooping feature dynamically builds and maintains the database using information extracted from intercepted DHCP messages. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts connected through trusted interfaces.


VI.29. Which two statements about TACACS+ are true? (Choose two.)

  • It can run on a UNIX server.
  • It authenticates against the user database on the local device.
  • It is more secure than AAA authentication.
  • It is enabled on Cisco routers by default.
  • It uses a managed database.
Explanation/Reference:

Many IT departments choose to use AAA (Authentication, Authorization and Accounting) protocols RADIUS or TACACS+ to address these issues.

This document describes how to configure a Cisco router for authentication with the TACACS+ that runs on UNIX. TACACS+ does not offer as many features as the commercially available Cisco Secure ACS for Windows or Cisco Secure ACS UNIX. TACACS+ software previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems.

VI.30. Which two passwords must be supplied in order to connect by Telnet to a properly secured Cisco switch and make changes to the device configuration? (Choose two.)

  • tty password
  • enable secret password
  • vty password
  • aux password
  • console password
  • username password

VI.31. In order to comply with new auditing standards, a security administrator must be able to correlate system security alert logs directly with the employee who triggers the alert. Which of the following should the security administrator implement in order to meet this requirement?

  • Access control lists on file servers
  • Elimination of shared accounts
  • Group-based privileges for accounts
  • Periodic user account access reviews

VI.32. Which action can change the order of entries in a named access-list?

  • removing an entry
  • opening the access-list in notepad
  • adding an entry
  • resequencing
Explanation/Reference:
You can check the named access-list with the “show ip access-list” (or “show access-list”) command:

R1#show ip access-list
Standard IP access list nat_traffic
    10 permit, wildcard bits
    15 permit, wildcard bits
    20 permit, wildcard bits

We can resequence a named access-list with the command “ip access-list resequence access-list-name starting-sequence-number increment”. For example:

R1(config)#ip access-list resequence nat_traffic 100 10

Then we can check this access-list again:

R1#show ip access-list
Standard IP access list nat_traffic
    100 permit, wildcard bits
    110 permit, wildcard bits
    120 permit, wildcard bits

We can see the starting sequence number is now 100 and the increment is 10. But notice that resequencing an access-list cannot change the order of entries inside it; it is still the best choice in this question. Adding or removing an entry does not change the order of entries either. Maybe we should understand this question as “how to renumber the entries in a named access-list”.

VI.33. What is the effect of using the service password-encryption command?

  • only passwords configured after the command has been entered will be encrypted.
  • Only the enable password will be encrypted.
  • Only the enable secret password will be encrypted
  • It will encrypt the secret password and remove the enable secret password from the configuration.
  • It will encrypt all current and future passwords.

VI.34. Refer to the exhibit. Which user-mode password has just been set?

  • Telnet
  • Auxiliary
  • SSH
  • Console
Explanation/Reference:
When you connect to a switch/router via Telnet, you first need to provide the Telnet password. Then, to access privileged mode (Switch#), you need to provide the secret password after typing “enable” before making any changes.

VI.35. What is a difference between TACACS+ and RADIUS in AAA?

  • Only TACACS+ allows for separate authentication.
  • Only RADIUS encrypts the entire access-request packet.
  • Only RADIUS uses TCP
  • Only TACACS+ couples authentication and authorization.
Explanation/Reference:
TACACS+ is an AAA protocol developed by Cisco. TACACS+ separates the authentication, authorization, and accounting steps. This architecture allows for separate authentication solutions while still using TACACS+ for authorization and accounting. For example, it is possible to use the Kerberos Protocol for authentication and TACACS+ for authorization and accounting. After an AAA client passes authentication through a Kerberos server, the AAA client requests authorization information from a TACACS+ server without the necessity to re-authenticate the AAA client by using the TACACS+ authentication mechanism.

Authentication and authorization are not separated in a RADIUS transaction. When the authentication request is sent to a AAA server, the AAA client expects to have the authorization result sent back in reply.


VI.36. Which port security violation mode allows traffic from valid mac address to pass but block traffic from invalid mac address?

  • protect
  • shutdown
  • shutdown vlan
  • restrict
Explanation/Reference:
In fact both “protect” and “restrict” modes allow traffic with a valid MAC address to pass, so this question is not good. This is a quote from Cisco for these two modes:

protect: drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

restrict: drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.


Therefore the only difference between these two modes is “restrict” mode causes the SecurityViolation counter to increment (only useful for statistics).
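The following Python model is an added example, not Cisco code, that mirrors the port-security behaviour covered in VI.22, VI.23 and VI.36: a default maximum of one secure MAC, optional sticky learning into the running configuration, and the protect/restrict/shutdown violation modes with their effect on the SecurityViolation counter and the err-disabled state; the MAC addresses are constructed.

```python
"""Model of Cisco IOS switchport port-security (added example, not Cisco code).

Defaults follow the questions above: maximum 1 secure MAC, violation mode
"shutdown". The MAC addresses used in the demo are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurePort:
    maximum: int = 1                 # IOS default: one secure MAC per port
    violation: str = "shutdown"      # IOS default violation mode
    sticky: bool = False             # "switchport port-security mac-address sticky"
    secure_macs: List[str] = field(default_factory=list)
    running_config: List[str] = field(default_factory=list)  # sticky MACs land here
    violations: int = 0              # the SecurityViolation counter
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Process a frame from src_mac and return 'forward' or 'drop'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                        # an err-disabled port forwards nothing
        if mac in self.secure_macs:
            return "forward"                     # already a secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)         # dynamically learn it
            if self.sticky:                      # sticky: also write it to running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # Unknown source and the maximum is already reached: a violation.
        if self.violation == "protect":
            return "drop"                        # silently dropped, counter untouched
        if self.violation == "restrict":
            self.violations += 1                 # dropped, counter increments
            return "drop"
        self.violations += 1                     # "shutdown": port goes err-disabled
        self.err_disabled = True
        return "drop"

    def errdisable_recover(self) -> None:
        """Administrator clears err-disabled (shut/no shut or errdisable recovery)."""
        self.err_disabled = False


def demo() -> Dict[str, Tuple[str, str, str, int, bool]]:
    """Replay the same two hosts against each violation mode; return the outcomes."""
    results = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = SecurePort(violation=mode, sticky=True)
        first = port.receive("0000.00aa.aaaa")   # host A, learned as the secure MAC
        second = port.receive("0000.00bb.bbbb")  # host B, triggers the violation
        again = port.receive("0000.00aa.aaaa")   # host A after the violation
        results[mode] = (first, second, again, port.violations, port.err_disabled)
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

Only in "shutdown" mode does host A lose connectivity after the violation, which is why the err-disabled port must be recovered by an administrator.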

VI.37. Which command can you enter in a network switch configuration so that learned mac addresses are saved in configuration as they connect?

  • Switch(config-if)#Switch port-security
  • Switch(config-if)#Switch port-security Mac-address stcky
  • Switch(config-if)#Switch port-security maximum 10
  • Switch(config-if)#Switch mode access
Explanation/Reference:
The full command should be “switchport port-security mac-address sticky” but we can abbreviate in Cisco command.

VI.38. Which major component of the Cisco network virtualization architecture isolates users according to policy?

  • network services virtualization
  • policy enforcement
  • access control
  • path isolation

VI.39. DRAG DROP. Drag the security features on the left to the specific security risks they help protect against on the right. (Not all options are used.)

Select and Place:

Correct Answer:

VI.40. On which combination are standard access lists based?

  • destination address and wildcard mask
  • destination address and subnet mask
  • source address and subnet mask
  • source address and wildcard mask
Explanation/Reference:

Standard ACLs only examine the source IP address/mask to determine if a match is made. Extended ACLs examine the source and destination address, as well as port information.

VI.41. Which statement about access lists that are applied to an interface is true?

  • You can place as many access lists as you want on any interface.
  • You can apply only one access list on any interface.
  • You can configure one access list, per direction, per Layer 3 protocol.
  • You can apply multiple access lists with the same protocol or in different directions.
Explanation/Reference:
We can have only 1 access list per protocol, per direction and per interface. It means:
+ We cannot have 2 inbound access lists on an interface
+ We can have 1 inbound and 1 outbound access list on an interface

VI.42. A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks,,, and only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two.)

  • access-list 10 permit ip
  • access-list 10 permit ip
  • access-list 10 permit ip
  • access-list 10 permit ip
  • access-list 10 permit ip
  • access-list 10 permit ip
Explanation/Reference:
access-list 10 permit ip will include the and subnets,
while access-list 10 permit ip will include

VI.43. What can be done to secure the virtual terminal interfaces on a router? (Choose two.)

  • Administratively shut down the interface.
  • Physically secure the interface.
  • Create an access list and apply it to the virtual terminal interfaces with the access-group command.
  • Configure a virtual terminal password and login process.
  • Enter an access list and apply it to the virtual terminal interfaces using the access-class command.
Explanation/Reference:
It is a waste to administratively shut down the interface. Moreover, someone can still access the virtual terminal interfaces via other interfaces -> We cannot physically secure a virtual interface because it is “virtual” -> To apply an access list to a virtual terminal interface we must use the “access-class” command. The “access-group” command is only used to apply an access list to a physical interface -> C is not correct. The simplest way to secure the virtual terminal interface is to configure a username & password to prevent unauthorized login.

VI.44. How does using the service password-encryption command on a router provide additional security?

  • by encrypting all passwords passing through the router
  • by encrypting passwords in the plain text configuration file
  • by requiring entry of encrypted passwords for access to the device
  • by configuring an MD5 encrypted key to be used by routing protocols to validate routing exchanges
  • by automatically suggesting encrypted passwords for use in configuring the router
Explanation/Reference:
By using this command, all the (current and future) passwords are encrypted. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

VI.A network administrator needs to allow only one Telnet connection to a router. For anyone viewing the configuration and issuing the show run command, the password for Telnet access should be encrypted. Which set of commands will accomplish this task?

Correct Answer: A

Show (Hide) Explanation/Reference
Only one VTY connection is allowed, which is exactly what is requested.
The incorrect answer uses the command
line vty 0 4
which would enable all five VTY lines.

VI.45. Refer to the exhibit. What is the effect of the configuration that is shown?

  • It configures SSH globally for all logins.
  • It tells the router or switch to try to establish an SSH connection first and, if that fails, to use Telnet.
  • It configures the virtual terminal lines with the password 030752180500.
  • It configures a Cisco network device to use the SSH protocol on incoming communications via the virtual terminal ports.
  • It allows seven failed login attempts before the VTY lines are temporarily shut down.
Show (Hide) Explanation/Reference

Secure Shell (SSH) is a protocol which provides a secure remote access connection to network devices. Communication between the client and server is encrypted in both SSH version 1 and SSH version 2. If you want to prevent non-SSH connections, add the “transport input ssh” command under the lines to limit the router to SSH connections only. Straight (non-SSH) Telnet connections are then refused.

VI.46. Which command encrypts all plaintext passwords?

  • Router# service password-encryption
  • Router(config)# password-encryption
  • Router(config)# service password-encryption
  • Router# password-encryption
Show (Hide) Explanation/Reference
The “service password-encryption” command encrypts all passwords on your router so they cannot be read directly from your running-config. This command uses a very weak (reversible) encryption because the router must decode the passwords very quickly during operation. It is meant only to prevent someone looking over your shoulder from reading the password, nothing more. It is configured in global configuration mode.

VI.47. What will be the result if the following configuration commands are implemented on a Cisco switch?

  • A dynamically learned MAC address is saved in the startup-configuration file.
  • A dynamically learned MAC address is saved in the running-configuration file.
  • A dynamically learned MAC address is saved in the VLAN database.
  • Statically configured MAC addresses are saved in the startup-configuration file if frames from that address are received.
  • Statically configured MAC addresses are saved in the running-configuration file if frames from that address are received.
Show (Hide) Explanation/Reference
In the interface configuration mode, the command switchport port-security mac-address sticky enables sticky learning. When entering this command, the interface converts all the dynamic secure MAC addresses to sticky secure MAC addresses.

VI.48. Refer to exhibit. A network administrator cannot establish a Telnet session with the indicated router. What is the cause of this failure?

  • A Level 5 password is not set.
  • An ACL is blocking Telnet access.
  • The vty password is missing.
  • The console password is missing.
Show (Hide) Explanation/Reference
The login keyword has been set, but no password. This results in the “password required, but none set” message for users trying to telnet to this router.

VI.49. When you are troubleshooting an ACL issue on a router, which command would you use to verify which interfaces are affected by the ACL?

  • show ip access-lists
  • show access-lists
  • show interface
  • show ip interface
  • list ip interface
Show (Hide) Explanation/Reference
show ip access-lists does not show interfaces affected by an ACL.

VI.50. Refer to the exhibit. An attempt to deny web access to a subnet blocks all traffic from the subnet. Which interface command immediately removes the effect of ACL 102?

  • no ip access-class 102 in
  • no ip access-class 102 out
  • no ip access-group 102 in
  • no ip access-group 102 out
  • no ip access-list 102 in
Show (Hide) Explanation/Reference
Now let’s find out the range of the networks on serial link:
For the network
Increment: 32
Network address:
Broadcast address:
For the network 32
Network address:
Broadcast address:
-> These two IP addresses don’t belong to the same network and they can’t see each other

VI.51. Refer to the exhibit. Statements A, B, C, and D of ACL 10 have been entered in the shown order and applied to interface E0 inbound, to prevent all hosts (except those whose addresses are the first and last IP of the subnet) from accessing the network. But as is, the ACL does not restrict anyone from the network. How can the ACL statements be re-arranged so that the system works as intended?

  • ACDB
  • BADC
  • DBAC
  • CDBA
Show (Hide) Explanation/Reference
Routers go line by line through an access list until a match is found and then look no further, even if a more specific or better match appears later in the access list. So it is best to begin with the most specific entries first, in this case the two hosts in lines C and D. Then include the subnet (B) and finally the rest of the traffic (A).

VI.52. What are two characteristics of SSH? (Choose two.)

  • most common remote-access method
  • unsecured
  • encrypted
  • uses port 22
  • operates at the transport layer

VI.53. Refer to the exhibit. The access list has been configured on the S0/0 interface of router RTB in the outbound direction. Which two packets, if routed to the interface, will be denied? (Choose two.)

  • source ip address:; destination port: 21
  • source ip address:, destination port: 21
  • source ip address:, destination port: 21
  • source ip address:, destination port: 23
  • source ip address:; destination port: 23
  • source ip address:, destination port: 23

VI.54. Refer to the graphic. It has been decided that Workstation 1 should be denied access to Server1. Which of the following commands are required to prevent only Workstation 1 from accessing Server1 while allowing all other traffic to flow normally? (Choose two.)

Correct Answer: BC

VI.55. An access list was written with the four statements shown in the graphic. Which single access list statement will combine all four of these statements into a single statement that will have exactly the same effect?

  • access-list 10 permit
  • access-list 10 permit
  • access-list 10 permit
  • access-list 10 permit
  • access-list 10 permit

VI.56. A network administrator wants to add a line to an access list that will block only Telnet access by the hosts on subnet to the server at What command should be issued to accomplish this task?

  • access-list 101 deny tcp eq 23 access-list 101 permit ip any any
  • access-list 101 deny tcp eq 23 access-list 101 permit ip any any
  • access-list 1 deny tcp eq 21 access-list 1 permit ip any any
  • access-list 1 deny tcp host eq 23 access-list 1 permit ip any any

VI.57. As a network administrator, you have been instructed to prevent all traffic originating on the LAN from entering the R2 router. Which of the following commands would implement the access list on the interface of the R2 router?

  • access-list 101 in
  • access-list 101 out
  • ip access-group 101 in
  • ip access-group 101 out

VI.58. The access control list shown in the graphic has been applied to the Ethernet interface of router R1 using the ip access-group 101 in command. Which of the following Telnet sessions will be blocked by this ACL? (Choose two.)

  • from host A to host
  • from host A to host
  • from host B to host
  • from host B to host
  • from host C to host
  • from host F to host

VI.59. The following access list was applied outbound on the E0 interface connected to the LAN:
access-list 135 deny tcp eq 20 any
access-list 135 deny tcp eq 21 any
How will the above access list affect traffic?

  • FTP traffic from will be denied
  • No traffic, except for FTP traffic will be allowed to exit E0
  • FTP traffic from to any host will be denied
  • All traffic exiting E0 will be denied
  • All FTP traffic to network will be denied

VI.60. The following configuration line was added to router R1: access-list 101 permit ip any. What is the effect of this access list configuration?

  • permit all packets matching the first three octets of the source address to all destinations
  • permit all packets matching the last octet of the destination address and accept all source addresses
  • permit all packets matching the host bits in the source address to all destinations
  • permit all packets from the third subnet of the network address to all destinations

VI.61. This graphic shows the results of an attempt to open a Telnet connection to router ACCESS1 from router Remote27.

Which of the following command sequences will correct this problem?

Correct Answer: C

VI.62. What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two.)

  • Allow unrestricted access to the console or VTY ports.
  • Use a firewall to restrict access from the outside to the network devices.
  • Always use Telnet to access the device command line because its data is automatically encrypted.
  • Use SSH or another encrypted and authenticated transport to access device configurations.
  • Prevent the loss of passwords by disabling password encryption.

VI.63. Refer to the exhibit. What is the result of setting the no login command?

Router#config t
Router(config)#line vty 0 4 
Router(config-line)#password c1sc0
Router(config-line)#no login
  • Telnet access is denied.
  • Telnet access requires a new password at the first login.
  • Telnet access requires a new password.
  • no password is required for telnet access.
Show (Hide) Explanation/Reference
This configuration will let someone telnet to that router without a password (so the line “password c1sc0” is not necessary).

VI.64. Which identification number is valid for an extended ACL?

  • 1
  • 64
  • 99
  • 100
  • 299
  • 1099
Show (Hide) Explanation/Reference
Below is the range of standard and extended access list:

Access list type | Range
Standard         | 1-99, 1300-1999
Extended         | 100-199, 2000-2699

In most cases we only need to remember 1-99 is dedicated for standard access lists while 100 to 199 is dedicated for extended access lists.

VI.65. Which statement about named ACLs is true?

  • They support standard and extended ACLs.
  • They are used to filter usernames and passwords for Telnet and SSH.
  • They are used to filter Layer 7 traffic.
  • They support standard ACLs only.
  • They are used to rate limit traffic destined to targeted networks.
Show (Hide) Explanation/Reference
Named Access Control Lists (ACLs) allow standard and extended ACLs to be given names instead of numbers. Unlike numbered ACLs, named ACLs can be edited in place. Another benefit of named access configuration mode is that you can add new statements to the access list and insert them wherever you like. With the legacy numbered syntax, you must delete the entire access list before reapplying it with the updated rules.

VI.66. Which two values are needed to run the APIC-EM ACL Analysis tool? (Choose two.)

  • destination address
  • destination port
  • periodic refresh interval
  • source address
  • protocol
  • source port

VI.67. Which command sets and automatically encrypts the privileged enable mode password?

  • enable password cisco
  • secret enable cisco
  • password enable cisco
  • enable secret cisco

VI.68. The enable secret command is used to secure access to Which CLI mode?

  • user EXEC mode
  • global configuration mode
  • privileged EXEC mode
  • auxiliary setup mode

VI.69. Which two statements about stateful firewalls in an enterprise network are true?

  • They can use information about previous packets to make decisions about future packets.
  • They are most effective when placed in front of the router connected to the Internet.
  • They are more susceptible to DoS attacks than stateless firewalls.
  • They can track the number of active TCP connections.
  • They can filter HTTP and HTTPS traffic in the inbound direction only.

VI.70. Which type of access list compares source and destination IP addresses?

  • standard
  • extended
  • reflexive
  • IP named

VI.71. Which two descriptions of TACACS+ are true? (Choose two.)

  • It encrypts only the password.
  • It can authorize specific router commands.
  • It separates authentication, authorization, and accounting functions.
  • It uses UDP as its transport protocol.
  • It combines authentication and authorization.

VI.72. Which condition indicates that service password-encryption is enabled?

  • The local username password is in clear text in the configuration.
  • The enable secret is in clear text in the configuration.
  • The local username password is encrypted in the configuration.
  • The enable secret is encrypted in the configuration.
Show (Hide) Explanation/Reference
The service password-encryption command encrypts all current and future passwords, so any password that exists in the configuration will be encrypted.

VI.73. Which command can you use to test whether a switch supports secure connections and strong authentication?

  • Router#ssh -v 1 -l admin
  • Switch>ssh -v 1 -l admin
  • Switch#ssh -l admin
  • Router>ssh -v 2 -l admin 10.1.1.1

VI.74. Which port security mode can assist with troubleshooting by keeping count of violations?

  • access
  • protect
  • restrict
  • shutdown

VI.75. DRAG DROP. An interface has been configured with the access list that is shown below. On the basis of that access list, drag each information packet on the left to the appropriate category on the right.

Select and Place:

Correct Answer:

VI.76. Which range represents the standard access list?

  • 99
  • 150
  • 299
  • 2000
Show (Hide) Explanation/Reference
Below is the range of standard and extended access list

Access list type | Range
Standard         | 1-99, 1300-1999
Extended         | 100-199, 2000-2699

VI.77. Which of the following encrypts the traffic on a leased line?

  • telnet
  • ssh
  • vtp
  • vpn
  • dmvpn
Show (Hide) Explanation/Reference
SSH, or secure shell, is a secure protocol that provides a built-in encryption mechanism for establishing a secured connection between two parties, authenticating each side to the other, and passing commands and output back and forth.

Note: Virtual Private Networks (VPNs) are only secure if encrypted. The word “private” only means a given user’s virtual network is not shared with others. In reality a VPN still runs on a shared infrastructure and is not secured if not encrypted. VPNs are used over a connection you already have. That might be a leased line. It might be an ADSL connection. It could be a mobile network connection.

Therefore answer “SSH” is still better than the answer “VPN”.

VI.78. A security administrator wants to profile endpoints and gain visibility into attempted authentications. Which 802.1x mode allows these actions?

  • Monitor mode
  • High-Security mode
  • Low-impact mode
  • Closed mode
Show (Hide) Explanation/Reference
There are three authentication and authorization modes for 802.1x:

+ Monitor mode
+ Low impact mode
+ High security mode

Monitor mode allows IEEE 802.1X authentication methods to be deployed without any effect on user or endpoint access to the network. Monitor mode is basically like placing a security camera at the door to monitor and record port access behavior.

With AAA RADIUS accounting enabled, you can log authentication attempts and gain visibility into who and what is connecting to your network with an audit trail. You can discover the following:
+ Which endpoints such as PCs, printers, cameras, and so on, are connecting to your network
+ Where these endpoints connected
+ Whether they are 802.1X capable or not
+ Whether they have valid credentials
+ In the event of failed MAB attempts, whether the endpoints have known, valid MAC addresses

Monitor mode is enabled using 802.1X with the open access and multiauth mode Cisco IOS Software features enabled, as follows:
sw(config-if)#authentication open
sw(config-if)#authentication host-mode multi-auth

For more information about each mode, please read this article:

VI.79. Which two statements about SSH are true? (Choose two.)

  • uses port 22
  • unsecured
  • encrypted
  • most common remote-access method
  • operates at the transport layer

VI.80. Which command shows your active Telnet connections?

  • show cdp neighbors
  • show session
  • show users
  • show vty logins
Show (Hide) Explanation/Reference
The “show users” command shows telnet/ssh connections to your router, while “show sessions” shows telnet/ssh connections from your router (to other devices). The question asks about “your active Telnet connections”, meaning connections from your router.

VI.81. Which IPsec security protocol should be used when confidentiality is required?

  • MD5
  • PSK
  • AH
  • ESP
Show (Hide) Explanation/Reference
IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH), which provide security services for IP datagrams.

ESP can provide authentication, integrity, replay protection, and confidentiality of the data (it secures everything in the packet that follows the IP header).

AH provides authentication of the sender, integrity, and replay protection, but not confidentiality.

VI.82. What are two characteristics of Telnet? (Choose two.)

  • It sends data in clear text format.
  • It is no longer supported on Cisco network devices.
  • It is more secure than SSH.
  • It requires an enterprise license in order to be implemented.
  • It requires that the destination device be configured to support Telnet connections.

VI.83. Which protocol authenticates connected devices before allowing them to access the LAN?

  • 802.1d
  • 802.11
  • 802.1w
  • 802.1x
Show (Hide) Explanation/Reference

802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server. The supplicant is a client device (such as a laptop) that wishes to attach to the LAN/WLAN. The term ‘supplicant’ is also used interchangeably to refer to the software running on the client that provides credentials to the authenticator. The authenticator is a network device, such as an Ethernet switch or wireless access point; and the authentication server is typically a host running software supporting the RADIUS and EAP protocols.

The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized. An analogy to this is providing a valid visa at the airport’s arrival immigration before being allowed to enter the country. With 802.1X port-based authentication, the supplicant provides credentials, such as user name/password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.

VI.84. Refer to the exhibit. You have determined that computer A cannot ping computer B. Which reason for the problem is most likely true?

  • The computer B default gateway address is incorrect.
  • The computer B subnet mask is incorrect.
  • The computer A subnet mask is incorrect.
  • The computer A default gateway address is incorrect.

VI.85. Which IEEE mechanism is responsible for the authentication of devices when they attempt to connect to a local network?

  • 802.1x
  • 802.11
  • 802.2x
  • 802.3x
Show (Hide) Explanation/Reference
IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for devices wishing to attach to a LAN or WLAN.

VI.86. Which two values must you specify to perform an ACL-based Path Trace using APIC-EM? (Choose two.)

  • source IP address
  • destination port
  • destination IP address
  • source interface
  • source port

VI.87. Which two services can be provided by a wireless controller? (Choose two.)

  • Layer 3 routing between wired and wireless devices
  • providing authentication services to users
  • mitigating threats from the Internet
  • issuing IP addresses to wired devices
  • managing interference in a dense network

VI.88. Which of the following privilege levels is the most secure?

  • Level 0
  • Level 1
  • Level 15
  • Level 16
Show (Hide) Explanation/Reference
By default, the Cisco IOS CLI has two privilege levels enabled, level 1 and level 15.

+ User EXEC mode (privilege level 1): provides the lowest EXEC mode user privileges and allows only user-level commands available at the Router> prompt.
+ Privileged EXEC mode (privilege level 15): includes all enable-level commands at the Router# prompt. Level 15 users can execute all commands, and this is the most secure and powerful privilege level.

However, there are actually 16 privilege levels available on the CLI, from 0 to 15, and you can assign users to any of those levels. Zero-level access allows only five commands: logout, enable, disable, help, and exit. User level (level 1) provides very limited read-only access to the router, and privileged level (level 15) provides complete control over the router.
