CCNA ICND1 Mock

Certification : CCNA Cyber Ops - SECOPS # 210-255

Which protocol list puts the protocols in order of administrative distance, from lowest to highest?

Options are :

  • iBGP, EIGRP, OSPF, IS-IS, RIP, external EIGRP, eBGP
  • OSPF, IS-IS, EIGRP, external EIGRP, RIP, eBGP, iBGP
  • EIGRP, OSPF, IS-IS, RIP, external EIGRP, tie between eBGP and iBGP
  • eBGP, EIGRP, OSPF, IS-IS, RIP, external EIGRP, iBGP (Correct)
  • OSPF, IS-IS, EIGRP, external EIGRP, eBGP, iBGP, RIP
  • EIGRP, OSPF, IS-IS, RIP, external EIGRP, eBGP, iBGP

Answer : eBGP, EIGRP, OSPF, IS-IS, RIP, external EIGRP, iBGP

Explanation The order and their ADs: eBGP, 20. EIGRP, 90. OSPF, 110. IS-IS, 115. RIP, 120. External EIGRP, 170. iBGP, 200. While the BGP versions and IS-IS aren't on the CCENT exam, it's still a good idea for you to know those ADs along with the others if you're taking the two-exam path. Might as well learn them all at one time! : )

What is the net effect of the ACL shown here?

R1#show ip access-list
Extended IP access list 111
    10 deny ip 3.3.3.0 0.0.0.255 44.44.44.0 0.0.0.255

Options are :

  • Traffic sourced from 44.44.44.0 /24 and destined for 3.3.3.0 /24 is denied; all other traffic is permitted.
  • Traffic sourced from 3.3.3.0 /24 and destined for 44.44.44.0 /24 will be permitted; all other traffic is denied.
  • The number "111" cannot be used for an extended ACL so this ACL will have no effect, even if properly applied.
  • All traffic is permitted.
  • All traffic is denied. (Correct)

Answer : All traffic is denied.

Explanation With ACLs, if traffic is not expressly permitted, it's implicitly denied. When you see an ACL with only deny statements, it denies everything. Here, traffic from 3.3.3.0 /24 and destined for 44.44.44.0 /24 is expressly denied, and the implicit deny denies everything else.

How many valid subnets exist on the 172.23.0.0 /20 network?

Options are :

  • 32
  • 16 (Correct)
  • 4
  • 128
  • 8
  • 14
  • 64

Answer : 16

Explanation This is a Class B network, giving it a network mask of /16. The subnet mask is /20, so we have four subnet bits (20 - 16). 2 to the 4th power is 16, so we have 16 valid subnets.

Your friend is also studying for this exam, and mentions something about "dot1q". What's he talking about?

Options are :

  • A protocol that prevents switching loops from forming.
  • A protocol that prevents routing loops from forming.
  • A protocol that builds an IP table dynamically.
  • A trunking protocol. (Correct)
  • A protocol that builds a MAC table dynamically.

Answer : A trunking protocol.

Explanation The formal name of dot1q is IEEE 802.1q, and that's one of our two trunking protocols. (The other is the Cisco-proprietary ISL.) IEEE 802.1q is not to be confused with IEEE 802.1d (Spanning Tree Protocol) or IEEE 802.1w (Rapid Spanning Tree Protocol).

How many valid hosts exist on the 150.12.18.0 /29 network?

Options are :

  • 6 (Correct)
  • 8
  • 4
  • 10
  • 2
  • 12

Answer : 6

Explanation For the number of valid hosts, first subtract the number of subnet bits from 32. 32 - 29 = 3, so we have three host bits. For the number of valid hosts, raise 2 to the number of host bits AND subtract two. 2 to the 3rd power is 8; subtract 2 and you have six valid host addresses on that subnet.

Which two of the following subnet masks will result in exactly 2 valid host addresses -- no more, no less?

Options are :

  • 0.0.0.3
  • /32
  • 255.255.255.248
  • 0.0.0.7
  • 255.255.255.252 (Correct)
  • 255.255.255.255
  • 0.0.0.0
  • /0
  • /30 (Correct)

Answer : 255.255.255.252 /30

Explanation You can express it in dotted decimal as 255.255.255.252 or in prefix notation as /30, but either way, you get exactly 2 usable host IP addresses.

Identify the two acceptable numeric ranges when creating a standard ACL.

Options are :

  • 1200 - 1299
  • 1 - 199
  • 1 - 99 (Correct)
  • 300 - 399
  • 1300 - 1999 (Correct)
  • 100 - 199

Answer : 1 - 99 1300 - 1999

Explanation Be careful with all ACL questions on your exam - always know and always check your standard and extended ACL numeric ranges. The standard ranges are 1 - 99 and 1300 - 1999.

Which two of the following statements are true regarding the word "host" when used in an ACL?

Options are :

  • It represents a wildcard mask of 0.0.0.0. (Correct)
  • It can be used with both standard and extended ACLs. (Correct)
  • It represents a subnet mask of 127.1.1.1.
  • It can be used only with extended ACLs.
  • It represents a subnet mask of 0.0.0.0.
  • It represents a wildcard mask of 255.255.255.255.

Answer : It represents a wildcard mask of 0.0.0.0. It can be used with both standard and extended ACLs.

Explanation "host" represents a wildcard mask of 0.0.0.0, which matches only the specific IP address in that wildcard mask line. For example, "access-list 5 permit host 10.1.1.1" matches only that particular IP address, and it's the same as the line "access-list 5 permit 10.1.1.1 0.0.0.0". You can use "host" with either extended or standard ACLs.

In general, which of the following best describes how IPv6 addresses are allocated?

Options are :

  • RIRs allocate blocks of IPv6 addresses to ICANN, which in turn allocates smaller blocks to ISPs, who in turn assign IPv6 addresses from those blocks to end users and clients.
  • ICANN allocates IPv6 address blocks to Regional Internet Registries (RIRs), and in turn RIRs allocate smaller blocks to ISPs. The ISPs then distribute IPv6 addresses to end users, much like ISPs distribute IPv4 addresses to end users. (Correct)
  • ICANN allocates IPv6 address blocks to ISPs, who in turn subnet those blocks and assign addresses from those blocks to clients and end users.
  • ICANN allocates IPv6 address blocks to ISPs, who then allocate smaller blocks to RIRs, who then allocate addresses to end users and clients.

Answer : ICANN allocates IPv6 address blocks to Regional Internet Registries (RIRs), and in turn RIRs allocate smaller blocks to ISPs. The ISPs then distribute IPv6 addresses to end users, much like ISPs distribute IPv4 addresses to end users.

Explanation ICANN is at the top of the IPv6 address block food chain. ICANN (the Internet Corporation for Assigned Names and Numbers) allocates large address blocks to the RIRs, who then allocate blocks of those addresses to ISPs, who in turn assign addresses from those assigned blocks to end users and other clients. In short, ICANN > RIR > ISP > You and me.

You just configured a Cisco router to serve as a DHCP server. You forgot to set a lease duration. What will happen as a result?

Options are :

  • The lease duration will be one day. (Correct)
  • DHCP clients can receive an address from this router, but they'll have to release and renew their address manually when they lose connectivity at the end of the lease.
  • Addresses cannot be allocated via DHCP on a Cisco router without setting a valid lease length.
  • The lease duration will be 30 days.
  • Address leases are permanent.

Answer : The lease duration will be one day.

Explanation Forgot the lease? No worries, a Cisco router configured as a DHCP server defaults to one-day leases.

Which of the following best describes the required values when creating a standard ACL?

Options are :

  • Only the source IP address is required. (Correct)
  • Only the destination port number is required.
  • Only the source port number is required.
  • Only the source and destination port numbers are required.
  • Only the source and destination IP addresses are required.
  • Only the destination IP address is required.

Answer : Only the source IP address is required.

Explanation Not only does a standard ACL require the source IP address of packets to be filtered, that's literally the only filtering factor we CAN configure with standard ACLs!

Which two of the following statements are WRONG regarding Class A addresses?

Options are :

  • The default network mask is /8.
  • The reserved range of class A addresses is 10.0.0.0 /8, and these addresses are fully routable. (Correct)
  • The full range of valid host addresses is 1.0.0.1 - 126.255.255.254.
  • The default network mask is 255.0.0.0.
  • The default network mask is 0.0.0.255. (Correct)

Answer : The reserved range of class A addresses is 10.0.0.0 /8, and these addresses are fully routable. The default network mask is 0.0.0.255.

Explanation The full range of Class A host addresses is indeed 1.0.0.1 - 126.255.255.254, and the two ways to express the Class A network mask are /8 (prefix notation) and 255.0.0.0 (dotted decimal). The "wildcard network mask" shown is invalid. The private address range is 10.0.0.0 /8 as shown, but those addresses are not routable.

Which two of the following terms are often used to describe non-routable addresses assigned to hosts inside a LAN?

Options are :

  • Private addresses (Correct)
  • "1918 addresses" (Correct)
  • "1819 addresses"
  • PAT addresses
  • NAT addresses

Answer : Private addresses "1918 addresses"

Explanation These addresses are often called "private addresses", and since they are defined by RFC 1918, we also call 'em "1918 addresses".

You just ran show running-config on a Cisco router, and among other information, you see the following. Which two passwords will a user have to eventually enter if that user wants to connect via Telnet and access enable mode?

enable secret kler039##
enable password CCNA
line con 0
    password CCENT
line vty 0 4
    login
    password GILMORE

Options are :

  • The config as shown will not allow Telnet access.
  • GILMORE and kler039##
  • GILMORE and CCNA
  • Not enough information is given to answer the question. (Correct)
  • GILMORE and CCENT
  • CCNA and CCENT

Answer : Not enough information is given to answer the question.

Explanation The user will need the VTY line password to enter the router via Telnet, and the enable secret to get into enable mode. Problem is, the enable secret is shown here in its encrypted form, so there is no way of knowing what the actual unencrypted password is.

To what address class do EIGRP Hello packets belong?

Options are :

  • A
  • C
  • E
  • B
  • D (Correct)

Answer : D

Explanation EIGRP Hellos are multicast to 224.0.0.10, and that address is drawn from the Class D address range, which is reserved for multicasts. That range is 224.0.0.0 - 239.255.255.255.

You're troubleshooting a serial port and acquire the information shown in the exhibit. Identify the true statements.

Options are :

  • The problem: There's an encapsulation mismatch.
  • This output is the result of "show interface", followed by the name of the serial interface you're checking.
  • The problem: There is a clocking issue.
  • The problem: The cable is missing. (Correct)
  • The problem: The physical port is numbered zero.
  • This output is the result of "show controller", followed by the name of the serial interface you're checking. (Correct)

Answer : The problem: The cable is missing. This output is the result of "show controller", followed by the name of the serial interface you're checking.

Explanation Sometimes troubleshooting is easy - if you know the right command to run! While you should be familiar with the output of all commands shown in the choices, this is the (very) partial output of show controller serial 0/1/0. This is a great command to show you whether the DTE or DCE end of a DTE/DCE cable is attached to the local router. In this case, there IS no cable!

When configuring port security, what's the importance of the sticky option?

Options are :

  • This is an interface-level command, and when a secure address is made sticky, it cannot be moved from one port on the switch to another without reloading the switch.
  • Since this is a global command, the sticky address feature allows all secure addresses learned on this switch to be retained on a reload.
  • This is a globally configured command, and as such prevents any secure MAC address on this switch from being moved from one port to another.
  • Since this is an interface-level command, the sticky address feature allows addresses dynamically learned on that port to be retained on a reload. (Correct)

Answer : Since this is an interface-level command, the sticky address feature allows addresses dynamically learned on that port to be retained on a reload.

Explanation In port security, sticky MAC addresses are dynamically learned addresses that are retained on a reload. This is a per-interface feature.

What is the net effect of this command?

R1(config)#int serial 0/1/0
R1(config-if)#ip access-group 111

Options are :

  • You'll get an error message, because the command is incomplete. (Correct)
  • Packets matching 111 will be permitted or denied in accordance with ACL 111.
  • This is an incorrect command; on serial lines, you need to use access-class to apply an ACL.
  • VTY connections will be filtered in accordance with ACL 111.

Answer : You'll get an error message, because the command is incomplete.

Explanation Right command, just not quite done. Use ip access-group to apply an ACL to interfaces, but don't forget to add "in" or "out" at the end of the command to identify the direction of packets to be filtered.

On what subnet will you find the host address 11.22.48.19 /14?

Options are :

  • 11.20.0.0 /14 (Correct)
  • 11.22.0.0 /14
  • 11.12.0.0 /14
  • 11.18.0.0 /14
  • 11.21.0.0 /14

Answer : 11.20.0.0 /14

Explanation Calculating the subnet an IP address rests on is an important real-world skill, and it'll come in handy on your exam, too! Just write the address out in binary until you reach the number of bits in the subnet mask and you're all set. Here, we'll write the first 14 bits of the address and then add those up. We have 00001011 000101xx xxxxxxxx xxxxxxxx, and when you convert that back to decimal it's 11.20.0.0 /14. That's all there is to it!

The IP address 87.15.200.3 /19 is on what subnet?

Options are :

  • 87.15.32.0 /19
  • 87.15.200.0 /19
  • 87.15.64.0 /19
  • 87.15.192.0 /19 (Correct)
  • 87.12.0.0 /19
  • 87.15.16.0 /19

Answer : 87.15.192.0 /19

Explanation For this operation, just convert the IP address to binary until you reach the number of bits in the subnet mask and convert that result back to decimal. The first 19 bits of this address are 01010111 00001111 110xxxxx xxxxxxxx; convert that back to decimal and you have 87.15.192.0 /19.

How many hosts are allowed on the subnet 172.23.16.0 /20?

Options are :

  • 2048
  • 4094 (Correct)
  • 4096
  • 2046
  • 8194
  • 8196

Answer : 4094

Explanation A little bit of extra doubling needed here, but no problem for us. With a subnet mask of /20, we have 12 host bits. 2 to the 12th power is 4096; we then subtract the two unusable hosts and we have 4094.

You've configured a local username / password database to be used for authorizing incoming Telnet connections. Which two of the following are true of your config?

Options are :

  • To put users straight into enable mode, add "privilege level 15" to the VTY line config.
  • To put users straight into enable mode, you can add "privilege level 15" to the VTY lines, or you can assign that privilege level directly to their username / password entry.
  • To put users straight into enable mode, you can add that privilege level directly to their username / password database entry, but you cannot use "privilege level 15" on the VTY lines to do so. (Correct)
  • You'll need the "login" command on the VTY lines.
  • The "password" command on the VTY lines is invalid; passwords must be individually assigned to users in the username / password database.
  • You'll need the "login local" command on the VTY lines. (Correct)

Answer : To put users straight into enable mode, you can add that privilege level directly to their username / password database entry, but you cannot use "privilege level 15" on the VTY lines to do so. You'll need the "login local" command on the VTY lines.

Explanation Once you enter "login local" on your VTY lines, you'll have to assign privilege level 15 individually to users via the username / password database. The entry will look like "username chris privilege 15 password bryant". The router will accept "privilege level 15" on the VTY lines when "login local" is in effect, but the command will not work.

You ping an address and get an odd result. The first packet times out, but the other four return exclamation points. You send another ping to the same address, and all five packets go through. What's the most likely reason that first packet timed out?

Options are :

  • Load balancing between the local and remote hosts is not functioning correctly.
  • There was no ARP entry in the local ARP cache for the pinged host. (Correct)
  • DHCP is not working correctly.
  • There was no entry in the local DNS cache for the pinged host.
  • Suboptimal routing is afoot.

Answer : There was no ARP entry in the local ARP cache for the pinged host.

Explanation This happens regularly in lab work, as my video course students know! If you're pinging a destination for the first time (or the first time in a while), the first packet will likely time out during the ARP process. You usually just see one packet time out; on rare occasion you may see the first two pings die out. Once there's an entry in the local MAC cache for that remote host, the rest of the ping packets in that first five-packet ping will go through, and when you send another ping immediately afterward, they should all go through.

Identify the four correct statements regarding Class B addresses.

Options are :

  • The reserved range of Class B private addresses uses a /16 mask.
  • The default Class B address range of valid host addresses is 128.1.0.1 - 191.255.255.254. (Correct)
  • The reserved range of Class B private addresses uses a /8 mask.
  • The reserved range of Class B private addresses uses a mask not shown in any of these choices. (Correct)
  • The Class B network mask is /16. (Correct)
  • The Class B network mask is 255.255.0.0. (Correct)

Answer : The default Class B address range of valid host addresses is 128.1.0.1 - 191.255.255.254. The reserved range of Class B private addresses uses a mask not shown in any of these choices. The Class B network mask is /16. The Class B network mask is 255.255.0.0.

Explanation The range of valid Class B host IP addresses is 128.1.0.1 - 191.255.255.254. The network mask for Class B addresses is /16, also expressed as 255.255.0.0. The private Class B address range is 172.16.0.0 /12. Watch that mask as opposed to the network mask for the ENTIRE Class B address range.

Which two of the following IP addresses will you NOT find in the 172.14.128.0 /18 subnet?

Options are :

  • 172.14.177.241
  • 172.14.200.1 (Correct)
  • 172.14.188.17
  • 172.14.128.1
  • 172.14.192.1 (Correct)
  • 172.14.191.254

Answer : 172.14.200.1 172.14.192.1

Explanation The first address in this range is 172.14.128.0 /18, the network number itself. The last number in the range, 172.14.191.255, is determined by putting 1s in for the host bits -- in this case, the last 14 bits. The range of valid addresses is everything in between, 172.14.128.1 - 172.14.191.254. The two addresses outside this range are the correct answers.

Sometimes you can abbreviate commands at the IOS prompt, and sometimes you can't. When you see the following annoying message, what does it mean?

R1# show s
% Ambiguous command: "show s"
R1#

Options are :

  • You're just in the wrong mode to run that command.
  • There's no command that begins with "show s".
  • You abbreviated the command a little too much and the router isn't quite sure which command you meant. (Correct)
  • You're working from a running configuration that has not yet been saved.

Answer : You abbreviated the command a little too much and the router isn't quite sure which command you meant.

Explanation I run into this one every once in a while. It just means that there are multiple commands that start with what you typed in, so the router doesn't know which one you actually want. You just need to abbreviate a little less. : )

Assuming our Cisco switch is running at factory defaults, which five of the following statements are true regarding VLAN 1?

Options are :

  • VLAN 1 cannot be deleted. (Correct)
  • Traffic going across a trunk on VLAN 1 is encapsulated by ISL. (Correct)
  • VLAN 1 is the one and only default VLAN on our switch.
  • VLAN 1 is the native VLAN and this is a configurable value. (Correct)
  • VLAN 1 can be deleted.
  • There are other default VLANs besides VLAN 1. (Correct)
  • VLAN 1 is the native VLAN and this cannot be changed.
  • VLAN 1 carries network control traffic, including CDP and VTP. (Correct)
  • Traffic going across a trunk on VLAN 1 is tagged by IEEE 802.1Q.

Answer : VLAN 1 cannot be deleted. Traffic going across a trunk on VLAN 1 is encapsulated by ISL. VLAN 1 is the native VLAN and this is a configurable value. There are other default VLANs besides VLAN 1. VLAN 1 carries network control traffic, including CDP and VTP.

Explanation VLAN 1 can't be deleted, and for good reason -- that's the VLAN that handles our network control traffic, including Cisco Discovery Protocol and the VLAN Trunking Protocol (VTP). VLAN 1 is our default native VLAN, and traffic sent across a trunk running dot1q and destined for the native VLAN will not be tagged. ISL encapsulates everything, though, including native VLAN traffic. The other default VLANs are 1002 - 1005. You'll rarely use them, but they can't be deleted.

You're doing some network troubleshooting and realize the host 111.11.1.100 /26 may have an issue with connectivity. To test that connectivity, you need to know the subnet from which that address came. Which one of these is it?

Options are :

  • 111.11.1.4 /26
  • 111.11.1.8 /26
  • 111.11.1.64 /26 (Correct)
  • 111.11.1.2 /26
  • 111.11.1.0 /26
  • 111.11.1.32 /26

Answer : 111.11.1.64 /26

Explanation To determine the subnet of a given IP address, convert the address to binary until you reach the number of bits in the subnet mask, then convert the result back to decimal. 111.11.1.100 converted to binary to the 26th bit is 01101111 00001011 00000001 01xxxxxx. Convert that string to decimal and you have 111.11.1.64 /26.

Which two of the following statements are true regarding the use of the word "any" in an ACL?

Options are :

  • It represents a subnet mask of 255.255.255.255.
  • You can use "any" in a standard or extended ACL. (Correct)
  • "Any" can be used only in extended ACLs.
  • It represents a wildcard mask of 0.0.0.0.
  • It represents a wildcard mask of 255.255.255.255. (Correct)
  • It represents a subnet mask of 127.1.1.1.

Answer : You can use "any" in a standard or extended ACL. It represents a wildcard mask of 255.255.255.255.

Explanation Often used to negate the implicit deny, "any" represents an all-ones wildcard mask (255.255.255.255), and can be used with standard or extended ACLs.

You just enabled the passive-interface option on an interface that is RIP-enabled. What is the net effect of this command on that interface?

Options are :

  • The interface cannot receive routing updates, but can send them.
  • The interface cannot send or receive hello packets.
  • The interface cannot send routing updates, but can receive them. (Correct)
  • The interface cannot receive hello packets, but can send them.
  • The interface cannot send hello packets, but can receive them.
  • The interface cannot send or receive routing updates.

Answer : The interface cannot send routing updates, but can receive them.

Explanation When you make a RIP-enabled interface passive, you're preventing it from sending routing updates. Neither version of RIP uses hello packets.

You just added the following command to your Cisco router. Identify the two true statements regarding this command.

ip route 100.1.1.0 255.255.255.0 172.12.123.3

Options are :

  • Static routes do not have ADs unless one is explicitly assigned.
  • The AD of this route will be null.
  • The next-hop IP address for this route is 172.12.123.3, and that address is on the router to which this router will forward packets destined for 100.1.1.0 /24. (Correct)
  • The AD of this route will be one. (Correct)
  • The local router's exit interface for packets forwarded to 100.1.1.0 /24 has the IP address 172.12.123.3.

Answer : The next-hop IP address for this route is 172.12.123.3, and that address is on the router to which this router will forward packets destined for 100.1.1.0 /24. The AD of this route will be one.

Explanation When you see an IP address at the end of an "ip route" command, that address is always the next-hop IP address, and it'll be on the downstream router to which the local router forwards packets matching that route. Static routes have a default AD of 1.

Which four of the following host addresses would require NAT in order to communicate with devices outside the local network?

Options are :

  • 192.168.255.254 (Correct)
  • 172.30.255.254 (Correct)
  • 10.255.255.254 (Correct)
  • 172.48.1.1
  • 10.1.1.1 (Correct)
  • 172.32.1.1

Answer : 192.168.255.254 172.30.255.254 10.255.255.254 10.1.1.1

Explanation The four addresses that would require NAT fall into one of the three private IP address ranges, making these addresses unroutable: Class A, 10.0.0.0 /8; Class B, 172.16.0.0 /12; Class C, 192.168.0.0 /16. The resulting valid host ranges are 10.0.0.1 - 10.255.255.254, 172.16.0.1 - 172.31.255.254, and 192.168.0.1 - 192.168.255.254. Be ready to spot addresses within these ranges.

The IP address 20.46.100.4 /10 is on what subnet?

Options are :

  • 20.8.0.0 /10
  • 20.46.0.0 /10
  • 20.2.0.0 /10
  • 20.32.0.0 /10
  • 20.1.0.0 /10
  • 20.0.0.0 /10 (Correct)
  • 20.16.0.0 /10

Answer : 20.0.0.0 /10

Explanation To determine the subnet of an IP address, just convert the address to binary until you reach the number of subnet bits in the mask, and then convert the result back to decimal. Here, we have 00010100 00xxxxxx xxxxxxxx xxxxxxxx; convert that back to decimal and you have 20.0.0.0 /10.

Name three best practices when it comes to fundamental Cisco network security.

Options are :

  • Disable MD5 password encryption on your Cisco routers.
  • Enable MD5 password encryption on your Cisco routers. (Correct)
  • Allow both SSH and Telnet to be used for remote connections.
  • Use SSH for remote connections, rather than Telnet. (Correct)
  • Add a firewall to your network to protect your internal network from traffic generated by unknown sources outside the network. (Correct)
  • Use Telnet for remote connections, rather than SSH.
  • Require changes to MAC addresses every 30 days.

Answer : Enable MD5 password encryption on your Cisco routers. Use SSH for remote connections, rather than Telnet. Add a firewall to your network to protect your internal network from traffic generated by unknown sources outside the network.

Explanation Firewalls are "must-haves" in today's networks, since they help us filter traffic sourced from outside our network and destined for a host inside our network. We can more closely inspect such traffic rather than rely on simple "permit / deny" operations with ACLs. You're always better off with SSH than Telnet, since Telnet sends EVERYTHING in clear text. Also, while MD5 password encryption isn't very strong, it's better than no encryption at all.

Given the following command, how many internal hosts will be able to draw an address from this pool, assuming none time out?

ip nat pool POOL 100.1.1.10 100.1.1.23 prefix-length 24

Options are :

  • 14 (Correct)
  • 24
  • 2
  • 13
  • 255
  • 23

Answer : 14

Explanation Watch this one, I bumped into it on the job more than once. This is a range of addresses, not a listing of individual addresses, so we know 2 is wrong, and we know by looking that there aren't 255 addresses here. It looks like that range would give you 13 addresses, but it's actually 14, as the range given includes the addresses that define the range. Count on your fingers if you don't believe me. : )

At what layer of the OSI model should your network security plan begin?

Options are :

  • L5
  • L1 (Correct)
  • L7
  • L6
  • L2
  • L3
  • L4

Answer : L1

Explanation We spend so much time with security at L2 and L3 that it's easy to forget about physically securing our network, so don't forget that. :) Securing your server room with a key card reader is a great way to shore up security. No one should be in there unless they have a pass card!
