Friday, 07 January 2011

Chapter 1: Lab 1.3.4 Creating an ACL


Step 1: Analyze the traffic filtering requirements
a. Determine the access and filtering requirements.
For this lab:
1) PC1 is a network administrator's workstation. This host must be permitted FTP and HTTP access to the network server, and telnet access to the router FC-CPE-1.
2) PC2 is a general workstation that is to have HTTP access only. FTP services and Telnet access to the router are not permitted.
b. Having determined specific requirements, decide if all other traffic is to be allowed or denied.
List the benefits and potential problems of the following filtering scenarios:
Benefits of allowing all other traffic:
Answer:
Future services are not hindered or blocked.

Potential problems with allowing all other traffic:
Answer:
Harmful and unwanted traffic is not blocked.

Benefits of denying all other traffic:
Answer:
Harmful and unwanted traffic is blocked automatically.

Potential problems with denying all other traffic:
Answer:
Services implemented in the future will be blocked automatically.

Step 2: Design and create the ACL
a. Review, and then apply, ACL recommended practice.
• Always plan thoroughly before implementation.
• The sequence of the statements is important. Put the more specific statements at the beginning and the more general statements at the end.
• Statements are added to the end of the ACL as they are written.
• Create and edit ACLs with a text editor and save the file.
• Use Named ACLs wherever possible.
• Use comments (remark option) within the ACL to document the purpose of the statements.
• To take effect, ACLs must be applied to an interface.
• An interface can have one ACL per Network Layer protocol, per direction.
• Although there is an implicit deny any statement at the end of every ACL, it is good practice to configure this explicitly. This ensures that you remember that the effect is in place and allows logging of matches to this statement to be used.
• ACLs with many statements take longer to process, which may affect router performance.
• Placement of ACLs:
o Standard: closest to destination (if you have administrative authority on that router)
o Extended: closest to source (if you have administrative authority on that router)
b. Consider the two approaches to writing ACLs:
• Permit specific traffic first and then deny general traffic.
• Deny specific traffic first and then permit general traffic.

When would it be best to permit specific traffic first and then deny general traffic?
Answer:
An ACL without many statements reduces packet latency.

When would it be best to deny specific traffic first and then permit general traffic?
Answer:
When there is likely to be more traffic of the type to be denied - these packets are matched early in the ACL without having to traverse many statements, minimizing router latency.

c. Select one approach and write the ACL statements that will meet the requirements of this lab.

Allow PC1 to access server http and ftp
access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq www log
access-list 101 permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp log
Allow PC2 to access web server
access-list 101 permit tcp host 10.0.0.201 host 172.17.1.1 eq www log
Allow PC1 telnet access to router Fa0/0
access-list 101 permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log
Deny all other traffic
access-list 101 deny ip any any log

After an ACL is written and applied to an interface, it is useful to know if the ACL statements are
having the desired effect. The number of packets that meet the conditions of each ACL statement can
be logged by adding the option log at the end of each statement.

Why is it important to know how many times packets that match an ACL statement are denied?
Answer:
This potentially shows the number of attempts at unauthorized access to denied services that may lead to further investigation of network usage.

Step 3: Cable and configure the given network
NOTE: If the PCs used in this lab are also connected to your Academy LAN or to the Internet, ensure that you
record the cable connections and TCP/IP settings so these can be restored at the conclusion of the lab.

a. Referring to the topology diagram, connect the console (or rollover) cable to the console port on the
router and the other cable end to the host computer with a DB-9 or DB-25 adapter to the COM 1 port.
Ensure that power has been applied to both the host computer and router.

b. Connect and configure the devices in accordance with the given topology and configuration. Your
instructor may substitute Discovery Server with an equivalent server for this lab.

c. Establish a HyperTerminal, or other terminal emulation program, session from PC1 to Router R1.

d. From the global configuration mode issue the following commands:
Router(config)#hostname FC-CPE-1
FC-CPE-1(config)#interface FastEthernet0/0
FC-CPE-1(config-if)#ip address 10.0.0.1 255.255.255.0
FC-CPE-1(config-if)#no shutdown
FC-CPE-1(config-if)#exit
FC-CPE-1(config)#interface FastEthernet0/1
FC-CPE-1(config-if)#ip address 172.17.0.1 255.255.0.0
FC-CPE-1(config-if)#no shutdown
FC-CPE-1(config-if)#exit
FC-CPE-1(config)#line vty 0 4
FC-CPE-1(config-line)#password telnet
FC-CPE-1(config-line)#login
FC-CPE-1(config-line)#end

e. Ping between PC1 and Discovery Server to confirm network connectivity. Troubleshoot and establish
connectivity if the pings fail.

Step 4: Test the network services without ACLs

Perform the following tests on PC1:
a. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Discovery Server Home Page

b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Discovery FTP Home Directory

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to
the local Desktop. Did the file copy successfully?
Answer:
Yes

d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client
(HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.
What response did the router display?
Answer:
A prompt for the Telnet password and login to the router

e. Exit the Telnet session.
Quit

Perform the following tests on PC2:
a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Discovery Server Home Page

b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Discovery FTP Home Directory

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to
the local Desktop. Did the file copy successfully?
Answer:
Yes

d. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client
(HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.
What response did the router display?
Answer:
A prompt for the Telnet password and login to the router

e. Exit the Telnet session.
quit

Why was each of the above connections successful?
Answer:
There were no data access or filtering controls in place.
Successful connection was expected.

If any of the above connections was not successful, troubleshoot the network and configurations and
establish each type of connection from each host.

Step 5: Configure the network services ACL
From the global configuration mode issue the following commands:
a. Allow PC1 to access the web server and telnet to the router.
FC-CPE-1(config)#ip access-list extended Server-Access
FC-CPE-1(config-ext-nacl)#remark Allow PC1 access to server
FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp www log
b. Allow PC2 to access the web server.
FC-CPE-1(config-ext-nacl)#remark Allow PC2 to access web server
FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.201 host 172.17.1.1 eq www log
c. Allow PC1 telnet access to router
FC-CPE-1(config-ext-nacl)#remark Allow PC1 to telnet router
FC-CPE-1(config-ext-nacl)#permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log
d. Deny all other traffic.
FC-CPE-1(config-ext-nacl)#remark Deny all other traffic
FC-CPE-1(config-ext-nacl)#deny ip any any log
FC-CPE-1(config-ext-nacl)#exit

Step 6: Apply the ACLs
a. Apply the Extended ACL to the router interface closest to the source.
FC-CPE-1(config)#interface FastEthernet0/0
FC-CPE-1(config-if)#ip access-group Server-Access in
FC-CPE-1(config-if)#end
b. From the Privileged EXEC mode, issue the show running-config command and
confirm that the ACLs have been configured and applied as required.
Reconfigure if errors are noted.

Step 7: Test the network services with ACLs
Perform the following tests on PC1:
a. Open a web browser on PC1 and enter the URL http://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Discovery Server Home Page

b. Open a web browser on PC1 and enter the URL ftp://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Discovery FTP Home Directory

c. On the Discovery FTP Home Directory, open the Discovery 1 folder. Click and drag a Chapter file to
the local Desktop. Did the file copy successfully?
Answer:
Yes

Why is this the outcome?
Answer:
This host is permitted FTP access.

d. From the PC1 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client
(HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.
What response did the router display?
Answer:
A prompt for the Telnet password and login to the router

Why is this the outcome?
Answer:
This host is permitted Telnet access.

e. Exit the Telnet session.

Perform the following tests on PC2:
a. Open a web browser on PC2 and enter the URL http://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Discovery Server Home Page

Why is this the outcome?
Answer:
This host is permitted web access.

b. Open a web browser on PC2 and enter the URL ftp://172.17.1.1 at the address bar.
What web page was displayed?
Answer:
Error: page cannot be displayed

Why is this the outcome?
Answer:
This host is not permitted FTP access.

c. From the PC2 command line prompt, issue the command telnet 10.0.0.1, or use a Telnet client
(HyperTerminal or TeraTerm, for example) to establish a Telnet session to the router.
What response did the router display?
Answer:
Telnet connection refused.

Why is this the outcome?
Answer:
The host is not permitted Telnet access.

If any of these transactions did not result in the expected outcome, troubleshoot the network and
configurations and retest the ACLs from each host.
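
The Step 7 outcomes follow from top-down, first-match evaluation of the Server-Access statements. The sketch below is an added example, not part of the original lab: it parses the Step 5 statements, evaluates the six test connections, and keeps per-statement match counters like those listed in Step 8. The function names are this example's own, and only TCP destination ports are modelled (for FTP, the control connection on port 21).

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"ftp": 21, "telnet": 23, "www": 80}  # keywords used in this lab

# Step 5 statements as typed in named-ACL mode (remarks left out).
SERVER_ACCESS = """\
permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp www log
permit tcp host 10.0.0.201 host 172.17.1.1 eq www log
permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet log
deny ip any any log
"""

PC1, PC2, SERVER, ROUTER = "10.0.0.10", "10.0.0.201", "172.17.1.1", "10.0.0.1"


@dataclass
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: tuple         # (base address, wildcard) as integers
    dst: tuple
    ports: frozenset   # empty set = any destination port
    text: str
    hits: int = 0      # match counter for this statement


def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_rule(line):
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = take_addr(tokens), take_addr(tokens)
    ports = set()
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        while tokens and tokens[0] != "log":
            tok = tokens.pop(0)
            ports.add(PORT_NAMES.get(tok) or int(tok))
    return Rule(action, proto, src, dst, frozenset(ports), line)


def load(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def addr_matches(ip, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are ignored; every other bit must be identical.
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, proto, src, dst, dport=None):
    """Return the action of the first matching statement (first match wins)."""
    for rule in rules:
        if rule.proto not in ("ip", proto):
            continue
        if not (addr_matches(src, rule.src) and addr_matches(dst, rule.dst)):
            continue
        if rule.ports and dport not in rule.ports:
            continue
        rule.hits += 1
        return rule.action
    return "deny"  # implicit deny at the end of every ACL


def run_step7(rules):
    """Evaluate the Step 7 test connections against the given statements."""
    flows = {
        "PC1 http": (PC1, SERVER, 80),
        "PC1 ftp": (PC1, SERVER, 21),     # control connection only
        "PC1 telnet": (PC1, ROUTER, 23),
        "PC2 http": (PC2, SERVER, 80),
        "PC2 ftp": (PC2, SERVER, 21),
        "PC2 telnet": (PC2, ROUTER, 23),
    }
    return {name: evaluate(rules, "tcp", s, d, p) for name, (s, d, p) in flows.items()}


if __name__ == "__main__":
    rules = load(SERVER_ACCESS)
    for name, verdict in run_step7(rules).items():
        print(f"{name:11s} {verdict}")
    for rule in rules:
        print(f"{rule.hits} matches: {rule.text}")
    # Same statements with the general deny moved first: it shadows every permit.
    shadowed = load(SERVER_ACCESS)
    shadowed.insert(0, shadowed.pop())
    print(run_step7(shadowed))
```

Moving the general deny to the top makes all six connections fail, which is why the recommended practice in Step 2 puts specific statements first.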

Step 8: Observe the number of statement matches
a. From the Privileged EXEC mode, issue the command:
FC-CPE-1#show access-list Server-Access
List the number of matches logged against each ACL statement.

Step 9: Clean up
Erase the configurations and reload the routers and switches. Disconnect and store the cabling. For PC hosts
that are normally connected to other networks (such as the school LAN or to the Internet), reconnect the
appropriate cabling and restore the TCP/IP settings.

Challenge
Rewrite the Server-Access ACL used in this lab so that:
1) Administrator workstations are considered to be in the address range of 10.0.0.10 /24 to
10.0.0.15 /24 instead of a single host; and,
2) The general workstations have the address range of 10.0.0.16 /24 to 10.0.0.254 /24 instead of
being a single host.

Answer:

ip access-list extended Server-Access
remark Allow PC1 to access any IP traffic
permit ip 10.0.0.0 0.0.0.15 host 172.17.1.1 log
remark Allow PC2 to access web server
permit tcp 10.0.0.0 0.0.0.255 host 172.17.1.1 eq www log
remark Deny all other traffic
deny ip any any log
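
Neither Challenge range falls on a single wildcard boundary. The following added example (not part of the original lab or its answer) computes which addresses a contiguous address/wildcard pair matches, lists the matches that fall outside an intended range, and splits each range into the exact address/wildcard blocks that cover it. The function names are this example's own.

```python
import ipaddress

ADMIN = ("10.0.0.10", "10.0.0.15")      # Challenge range 1
GENERAL = ("10.0.0.16", "10.0.0.254")   # Challenge range 2


def matched_range(address, wildcard):
    """Lowest and highest address matched by a contiguous address/wildcard pair."""
    base = int(ipaddress.IPv4Address(address))
    wc = int(ipaddress.IPv4Address(wildcard))
    low = base & ~wc & 0xFFFFFFFF   # wildcard bits forced to 0
    high = base | wc                # wildcard bits forced to 1
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def unintended(address, wildcard, first, last):
    """Addresses the pair matches that lie outside the intended first..last range."""
    low, high = (int(ipaddress.IPv4Address(a)) for a in matched_range(address, wildcard))
    lo_i, hi_i = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(a))
            for a in range(low, high + 1) if not lo_i <= a <= hi_i]


def exact_blocks(first, last):
    """Smallest list of ACL source terms matching first..last and nothing else."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    terms = []
    for net in nets:
        if net.prefixlen == 32:
            terms.append(f"host {net.network_address}")
        else:
            terms.append(f"{net.network_address} {net.hostmask}")
    return terms


if __name__ == "__main__":
    # Source terms used in the answer above, checked against the Challenge ranges.
    for (addr, wc), (first, last) in ((("10.0.0.0", "0.0.0.15"), ADMIN),
                                      (("10.0.0.0", "0.0.0.255"), GENERAL)):
        low, high = matched_range(addr, wc)
        extra = unintended(addr, wc, first, last)
        print(f"{addr} {wc} matches {low}-{high}; "
              f"{len(extra)} addresses outside {first}-{last}")
    # Exact decomposition of each range into address/wildcard blocks.
    for first, last in (ADMIN, GENERAL):
        print(f"{first}-{last}:")
        for term in exact_blocks(first, last):
            print("   ", term)
```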
Running config of router after lab completion:
FC-CPE-1#show run
Building configuration...
Current configuration : 1309 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FC-CPE-1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip access-group Server-Access in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.17.0.1 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Serial0/1/0
no ip address
shutdown
clock rate 125000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 125000
!
interface Vlan1
no ip address
!
ip classless
!
ip http server
!
ip access-list extended Server-Access
remark Allow PC1 access to server
permit tcp host 10.0.0.10 host 172.17.1.1 eq ftp www
remark Allow PC2 to access web server
permit tcp host 10.0.0.201 host 172.17.1.1 eq www
remark Allow PC1 to telnet router
permit tcp host 10.0.0.10 host 10.0.0.1 eq telnet
remark Deny all other traffic
deny ip any any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password telnet
login
!
end
FC-CPE-1#

Sunday, 02 January 2011

CCNA Discovery 2 Module 8 Exam Answers Version 4.0

1. Which AAA service reduces IT operating costs by providing detailed reporting and monitoring of network user behavior, and also by keeping a record of every access connection and device configuration change across the network?
• authentication
• accreditation
• accounting
• authorization

2. Which three items are normally included when a log message is generated by a syslog client and forwarded to a syslog server? (Choose three.)
• date and time of message
• ID of sending device

• length of message
• message ID
• checksum field
• community ID

3. What is the advantage of using WPA to secure a wireless network?
• It uses a 128-bit pre-shared hexadecimal key to prevent unauthorized wireless access.
• It uses an advanced encryption key that is never transmitted between host and access point.
• It is supported on older wireless hardware, thus providing maximum compatibility with enterprise equipment.
• It requires the MAC address of a network device that is requesting wireless access to be on a list of approved MAC addresses.

4. A company wants to configure a firewall to monitor all channels of communication and allow only traffic that is part of a known connection. Which firewall configuration should be deployed?
• packet filtering
• proxy
• stateful packet inspection
• stateless packet inspection

5. A server log includes this entry: User student accessed host server ABC using Telnet yesterday for 10 minutes. What type of log entry is this?
• authentication
• authorization
• accounting
• accessing

6. What two measures help to verify that server backups have been reliably completed? (Choose two.)
• reviewing backup logs
• performing trial backups

• performing full backups only
• replacing tape backup with hard disk-based backup
• using an autoloader when backups require more than one tape

7. Which means of communication does an SNMP network agent use to provide a network management station with important but unsolicited information?
• query
• broadcast
• ICMP ping
• trap
• poll

8. Which three protocols are used for in-band management? (Choose three.)
• FTP
• HTTP
• SNMP
• Telnet
• TFTP

• DHCP

9. A hacker has gained access to sensitive network files. In analyzing the attack, it is found that the hacker gained access over a wireless segment of the network. It is further discovered that the only security measure in place on the wireless network is MAC Address Filtering. How is it likely that the hacker gained access to the network?
• The hacker used a software tool to crack the shared hexadecimal wireless key.
• The hacker obtained the MAC address of a permitted host, and cloned it on his wireless laptop NIC.
• The attacker mounted a denial of service attack to overwhelm the firewall before penetrating the wireless LAN.
• The hacker gained wireless access to the MAC address database and added his own MAC address to the list of permitted addresses.

10. A network administrator is assigning network permissions to new groups of users and employing the principle of least privilege. Which two actions should the administrator take? (Choose two.)
• Provide users with only the access to resources required to do their jobs.
• Provide the minimum level of permissions required for users to do their jobs.
• Remove all permissions from the users and grant permissions as they are requested.
• Allow users to decide how much permission they need to accomplish their job tasks.
• Provide full access to the users and gradually remove privileges over time.

11. Which three protocols describe methods that can be used to secure user data for transmission across the internet? (Choose three.)
• SMTP
• IPSEC
• SSL
• HTTPS

• FTP
• TFTP

12. Which benefit does SSH offer over Telnet when remotely managing a router?
• encryption
• TCP usage
• authorization
• connection using six VTY lines

13. Which of the following does SNMP use to hold information collected about the network?
• network management station
• network management database
• management information base
• database information agent

14. What are two potential problems with using tape media to back up server data? (Choose two.)
• Tape is not a cost-effective means of backing up data.
• Data tapes are difficult to store offsite.
• Data tapes are prone to failure and must be replaced often.
• Tape drives require regular cleaning to maintain reliability.
• Backup logs are not available with tape backup solutions.

15. What is the term for the public network between the boundary router and the firewall?
• "clean" LAN
• intranet
• DMZ
• extranet

16. Which two characteristics of network traffic are being monitored if a network technician configures the company firewall to operate as a packet filter? (Choose two.)
• applications
• physical addresses
• packet size
• ports
• protocols


17. When is the use of out-of-band network management necessary?
• when a server needs to be monitored across the network
• when the management interface of a device is not reachable across the network
• when enhanced monitoring features are required to gain an overall view of the entire network
• when it is desirable to use the information that is provided by SNMP

18. What network layer security protocol can secure any application layer protocol used for communication?
• HTTPS
• IMAP
• FTPS
• IPSEC
• TLS

19. Before a technician upgrades a server, it is necessary to back up all data. Which type of backup is necessary to ensure that all data is backed up?
• daily
• differential
• full
• incremental
• partial

20. What AAA component assigns varying levels of rights to users of network resources?
• auditing
• accounting
• authorization
• access control
• authentication
• acknowledgement

CCNA Discovery 2 Module 7 Exam Answers Version 4.0

1. Which two statements are true about the OSI and TCP/IP models? (Choose two.)
• The two bottom layers of the TCP/IP model make up the bottom layer of the OSI model.
• The TCP/IP model is a theoretical model and the OSI model is based on actual protocols.
• The OSI network layer is comparable to the Internet layer of the TCP/IP model.
• The TCP/IP model specifies protocols for the physical network interconnection.
• The TCP/IP model is based on four layers and the OSI model is based on seven layers.

2. To meet customer expectations, an ISP must guarantee a level of service that is based on what two factors? (Choose two.)
• accessibility
• adaptability
• availability
• reliability

• scalability

3. User1 is sending an e-mail to User2@cisco.com. What are two characteristics of the process of sending this data? (Choose two.)
• It utilizes TCP port 110.
• A TCP connection is established directly between the User1 and User2 client computers in order to send the e-mail message.
• It utilizes a store and forward process.
• The same application layer protocol is used to send the e-mail and retrieve it from the destination server.
• SMTP is used to send the e-mail message to the mail servers.

4. Refer to the exhibit. Host1 is in the process of setting up a TCP session with Host2. Host1 has sent a SYN message to begin session establishment. What happens next?
• Host1 sends an ACK message to Host2.
• Host1 sends a SYN message to Host2.
• Host1 sends a SYN-ACK message to Host2.
• Host2 sends an ACK message to Host1.
• Host2 sends a SYN message to Host1.
• Host2 sends a SYN-ACK message to Host1.

5. What are three characteristics of network reliability? (Choose three.)
• Redundant hardware provides enhanced reliability.
• Reliability is measured as a percent.
• Reliability is the responsibility of the ISP customers.
• Fault tolerance is a measure of reliability.
• The longer the MTBF, the greater the reliability.


6. Which two statements describe the FTP protocol? (Choose two.)
• It uses well-known port 23.
• The protocol interpreter is responsible for the data transfer function.
• In passive data connections, the FTP client initiates the transfer of data.

• It requires two connections between client and server.
• FTP servers open a well-known port on the client machine.

7. What is the function of the TCP three-way handshake?
• It enables the synchronization of port numbers between source and destination hosts.
• It immediately triggers the retransmission of lost data.
• It synchronizes both ends of a connection by allowing both sides to agree upon initial sequence numbers.
• It identifies the destination application on the receiving host.

8. What are three characteristics of HTTPS? (Choose three.)
• It uses a different client request-server response process than HTTP uses.
• It specifies additional rules for passing data between the application and data link layers.
• It supports authentication.
• It allows more simultaneous connections than HTTP allows.
• It encrypts packets with SSL.
• It requires additional server processing time.


9. Which DNS zone resolves an IP address to a qualified domain name?
• dynamic lookup
• forward lookup
• resolution lookup
• reverse lookup

10. What type of update allows client computers to register and update their resource records with a DNS server whenever changes occur?
• dynamic
• zone transfer
• local recursive query
• root domain query
• top-level domain query

11. Refer to the exhibit. Which two statements are true about this file? (Choose two.)
• If the gateway address changes, the file will be updated dynamically.
• The command ping fileserv will use IP address 172.16.5.10.
• If the ping www.cisco.com command is issued, the file will be checked for the Cisco web server IP address before DNS is queried.
• The file must be created by the user if it is to be used by a workstation.
• Name to IP address mappings are added to the file after they are received from DNS.

12. Which two tasks are the responsibility of the local DNS server? (Choose two.)
• maintaining a large number of cached DNS entries
• maintaining the ISP server
• mapping name-to-IP addresses for internal hosts
• forwarding name resolution requests to a caching-only server

• forwarding all name resolution requests to root servers on the Internet

13. What are three unique characteristics of UDP? (Choose three.)
• connection oriented
• full-duplex operation
• low overhead
• no flow control
• no error-recovery function

• reliable transmission

14. A manufacturing company is looking into subscribing to services from a new ISP. The company requires hosted world wide web, file transfer, and e-mail services. Which three protocols represent the key application services that are required by the company? (Choose three.)
• FTP
• HTTP

• ICMP
• PPP
• Telnet
• SMTP

15. Which two options correctly match protocol and well-known port number? (Choose two.)
• DNS - 25
• FTP - 110
• HTTP - 80
• POP3 - 25
• SMTP - 25

16. Within TCP, what combination makes up a socket pair?
• source port with destination port
• source IP address with destination port
• source IP address and destination IP address
• source IP address and port with a destination IP address and port

17. Which protocol is used to send e-mail, either from a client to a server or from a server to another server?
• SNMP
• FTP
• SMTP
• HTTPS

18. Refer to the exhibit. The PC is requesting HTTP data from the server. What is a valid representation of source and destination sockets for this request?
• Source - 192.168.1.17:80 ; Destination - 192.168.2.39:80
• Source - 192.168.1.17:80 ; Destination - 192.168.2.39:1045
• Source - 192.168.1.17:1045 ; Destination - 192.168.2.39:80
• Source - 192.168.1.17:1045 ; Destination - 192.168.2.39:1061

19. What type of DNS server is typically maintained by an ISP?
• caching-only
• root
• second-level
• top-level

20. A client is communicating with a server on a different segment of the network. How does the server determine what service is being requested by the client?
• The server will apply the default service configured in directory services.
• The server will use ARP to discover the appropriate service from the local router.
• The server will send a request to the client asking for the appropriate service.
• The server will determine the appropriate service from the destination port field.

21. When a host is communicating with multiple applications on the same server at the same time, which of the following will have the same value for each session? (Choose two.)
• IP address
• MAC address

• session number
• sequence number

CCNA Discovery 2 Module 6 Exam Answers Version 4.0

1. Which command is used to view the RIP routing protocol settings and configuration?
• show version
• show ip route
• show interface
• show ip protocols

2. Refer to the exhibit. What is the maximum number of RIP routers that could separate HostA and HostB and still leave the hosts with connectivity to each other?
• 14
• 15
• 16
• 17

3. In which situation would a company register for its own autonomous system number (ASN)?
• when the company's ISP adds connection points to the Internet
• when additional routers are added to the corporate internetwork
• when more than one interior routing protocol is used
• when the company uses two or more ISPs

4. Consider this routing table entry:
R 172.16.1.0/24 [120/1] via 200.1.1.1 00:00:27 Serial0/1
What type of route is this?
• a static route
• a default route
• a RIP route
• an OSPF route
• an EIGRP route
• a directly-connected route

5. What is the difference between interior and exterior routing protocols?
• Exterior routing protocols are only used by large ISPs. Interior routing protocols are used by small ISPs.
• Interior routing protocols are used to route on the Internet. Exterior routing protocols are used inside organizations.
• Exterior routing protocols are used to administer a single autonomous system. Interior routing protocols are used to administer several domains.
• Interior routing protocols are used to communicate within a single autonomous system. Exterior routing protocols are used to communicate between multiple autonomous systems.

6. What information is included in RIPv2 routing updates that is not included in RIPv1 updates?
• metric
• subnet mask
• area identification
• hop count
• autonomous system number

7. Which routing protocol is used to exchange data between two different ISPs?
• BGP
• EIGRP
• OSPF
• RIP v2

8. Refer to the exhibit. Which configuration command or commands contributed to the output that is shown?
• routerA(config-router)# no version 2
• routerA(config)# interface fa0/0
• routerA(config-if)# ip address 172.19.0.0 255.255.0.0
• routerA(config-router)# network 192.168.3.0
• routerA(config)# no ip default-gateway

9. Refer to the exhibit. If all routers are running RIP and network 10.0.0.0 goes down, when will R3 learn that the network is no longer available?
• in 30 seconds
• in 60 seconds
• in 90 seconds
• Immediately

10. What statement is true regarding an AS number?
• AS numbers are controlled and registered for Internet use.
• Interior routing protocols require registered AS numbers.
• ISPs require all customers to have registered AS numbers.
• All routers at an ISP must be assigned the same AS number.

11. What is the purpose of the network command used when configuring RIP?
• to specify whether RIPv1 or RIPv2 will be used as the routing protocol
• to allow the router to monitor RIP updates that occur on other routers
• to identify which networks on the router will send and receive RIP updates
• to configure the IP address on an interface that will use RIP
• to identify all of the remote networks that should be reachable from the router

12. Which command would a network administrator use to determine if the routers in an enterprise have learned about a newly added network?
• router# show ip address
• router# show ip route
• router# show ip networks
• router# show ip interface brief
• router# debug ip protocol
• router# debug rip update

13. What is the purpose of a routing protocol?
• It is used to build and maintain ARP tables.
• It provides a method for segmenting and reassembling data packets.
• It allows an administrator to devise an addressing scheme for the network.
• It allows a router to share information about known networks with other routers.
• It provides a procedure for encoding and decoding data into bits for packet forwarding.

14. What device enables an ISP to connect with other ISPs to transfer data?
• border gateway router
• DSLAM
• web server
• interior router

15. Which command will display RIP routing updates as they are sent and received?
• show ip route
• show ip rip
• debug ip rip
• show ip protocols
• show ip rip database

16. Which part of an IP packet does the router use to make routing decisions?
• source IP address
• source MAC address
• destination IP address
• destination MAC address

17. What two types of businesses would benefit from registering as their own autonomous systems? (Choose two.)
• a home business with one ISP connection
• a global business with connections to multiple local ISPs
• a medium-sized nationwide business with Internet connectivity through different ISPs

• a large enterprise with two connections to the same ISP
• a small ISP with a single Internet connection through a larger ISP

18. Which command will display RIP activity as it occurs on a router?
• debug ip rip
• show ip route
• show ip interface
• show ip protocols
• debug ip rip config
• show ip rip database

19. Why is fast convergence desirable in networks that use dynamic routing protocols?
• Routers will not allow packets to be forwarded until the network has converged.
• Hosts are unable to access their gateway until the network has converged.
• Routers may make incorrect forwarding decisions until the network has converged.
• Routers will not allow configuration changes to be made until the network has converged.

20. Which two statements describe static routes? (Choose two.)
• They are created in interface configuration mode.
• They require manual reconfiguration to accommodate network changes.
• They automatically become the default gateway of the router.
• They are identified in the routing table with the prefix S
• They are automatically updated whenever an interface is reconfigured or shutdown.

21. Which two statements or sets of statements describe differences between link-state and distance vector routing protocols? (Choose two.)
• Link-state routing protocols routinely use more bandwidth for updates than do distance vector routing protocols.
• Distance vector routing protocols update all routers at one time. Link-state routing protocols update one router at a time.
• Link-state routers only know about directly connected routers. Distance vector routers know about every router in the network.
• Link-state routing protocols update when a change is made. A network using distance vector routing protocols only updates at a specific interval.
• Distance vector routing protocols have limited information about the entire network. Link state routing protocols know about all routers in the network.
• In case of similar topologies, networks using link-state routing protocols typically converge more rapidly than do networks using distance vector routing protocols.

22. Which protocol is an exterior routing protocol?
• BGP
• EIGRP
• OSPF
• RIP

23. Hosts on two separate subnets cannot communicate. The network administrator suspects a missing route in one of the routing tables. Which three commands can be used to help troubleshoot Layer 3 connectivity issues? (Choose three.)
• Ping
• show arp
• Traceroute
• show ip route
• show interface
• show cdp neighbor detail

24. What term refers to a group of networks that uses the same internal routing policies and is controlled by a single administrative authority?
• Internet
• intranet
• virtual private network
• autonomous system

CCNA Discovery 3 Module 3 Exam Answers Version 4.0

1. Refer to the exhibit. What two statements can be concluded from the information that is shown in the exhibit? (Choose two.)
• All ports that are listed in the exhibit are access ports.
• ARP requests from Host1 will be forwarded to Host2.
• Attaching Host1 to port 3 will automatically allow communication between both hosts.
• The default gateway for each host must be changed to 192.168.3.250/28 to allow communication between both hosts.
• A router connected to the switch is needed to forward traffic between the hosts.
2. A router is configured to connect to a trunked uplink as shown in the exhibit. A packet is received on the FastEthernet 0/1 physical interface from VLAN 10. The packet destination address is 192.168.1.120. What will the router do with this packet?
• The router will forward the packet out interface FastEthernet 0/1.1 tagged for VLAN 10.
The router will forward the packet out interface FastEthernet 0/1.2 tagged for VLAN 60.
• The router will forward the packet out interface FastEthernet 0/1.3 tagged for VLAN 60.
• The router will forward the packet out interface FastEthernet 0/1.3 tagged for VLAN 120.
• The router will not process the packet since the source and destination are on the same subnet.
• The router will drop the packet since no network that includes the source address is attached to the router.
3. The information contained in a BPDU is used for which two purposes? (Choose two.)
• to prevent loops by sharing bridging tables between connected switches
• to set the duplex mode of a redundant link
• to determine the shortest path to the root bridge
• to determine which ports will forward frames as part of the spanning tree
• to activate looped paths throughout the network
4. A router has two serial interfaces and two Fast Ethernet interfaces. This router must be connected to a WAN link and to a switch that supports four VLANs. How can this be accomplished in the most efficient and cost-effective manner to support inter-VLAN routing between the four VLANs?
• Connect a smaller router to the serial interface to handle the inter-VLAN traffic.
• Add two additional Fast Ethernet interfaces to the router to allow one VLAN per interface.
• Connect a trunked uplink from the switch to one Fast Ethernet interface on the router and create logical subinterfaces for each VLAN.
• Use serial-to-Fast Ethernet transceivers to connect two of the VLANs to the serial ports on the router. Support the other two VLANs directly to the available FastEthernet ports.
5. When are MAC addresses removed from the CAM table?
• at regular 30 second intervals
• when a broadcast packet is received
• when the IP Address of a host is changed
• after they have been idle for a certain period of time
6. Refer to the exhibit. Switch1 is not participating in the VTP management process with the other switches. Which two are possible reasons for this? (Choose two.)
• Switch2 is in transparent mode.
• Switch1 is in client mode.
• Switch1 is using VTP version 1 and Switch2 is using VTP version 2.
• Switch2 is in server mode.
• Switch1 is in a different management domain.
• Switch1 has no VLANs.
7. Which three must be used when a router interface is configured for VLAN trunking? (Choose three.)
• one subinterface per VLAN
• one physical interface for each subinterface
• one IP network or subnetwork for each subinterface
• one trunked link per VLAN
• a management domain for each subinterface
• a compatible trunking protocol encapsulation for each subinterface
8. Refer to the exhibit. The switches are connected with trunks within the same VTP management domain. Each switch is labeled with its VTP mode. A new VLAN is added to Switch3. This VLAN does not show up on the other switches. What is the reason for this?
• VLANs cannot be created on transparent mode switches.
• Server mode switches neither listen to nor forward VTP messages from transparent mode switches.
VLANs created on transparent mode switches are not included in VTP advertisements.
• There are no ports assigned to the new VLAN on the other switches.
• Transparent mode switches do not forward VTP advertisements.
9. Which two criteria are used by STP to select a root bridge? (Choose two.)
• memory size
bridge priority
• switching speed
• number of ports
base MAC address
• switch location
10. Which three steps should be taken before moving a Catalyst switch to a new VTP management domain? (Choose three.)
Reboot the switch.
• Reset the VTP counters to allow the switch to synchronize with the other switches in the domain.
• Download the VTP database from the VTP server in the new domain.
• Configure the VTP server in the domain to recognize the BID of the new switch.
Select the correct VTP mode and version.
• Configure the switch with the name of the new management domain.
11. Which two items will prevent broadcasts from being sent throughout the network? (Choose two.)
• bridges
• routers
• switches
VLANs
• hubs
12. Which two characteristics describe a port in the STP blocking state? (Choose two.)
• provides port security
• displays a steady green light
• learns MAC addresses as BPDUs are processed
• discards data frames received from the attached segment
• receives BPDUs and directs them to the system module
13. What is the first step in the process of convergence in a spanning tree topology?
• election of the root bridge
• determination of the designated port for each segment
• blocking of the non-designated ports
• selection of the designated trunk port
• activation of the root port for each segment
14. In which STP state does a switch port transmit user data and learn MAC addresses?
• blocking
• learning
• disabling
• listening
• forwarding
15. What is the purpose of VTP?
• maintaining consistency in VLAN configuration across the network
• routing frames from one VLAN to another
• routing the frames along the best path between switches
• tagging user data frames with VLAN membership information
• distributing BPDUs to maintain loop-free switched paths
16. Which statement best describes adaptive cut-through switching?
• The switch initially forwards all traffic using cut-through switching and then changes to store-and-forward switching if errors exceed a threshold value.
• The switch initially forwards all traffic using cut-through switching and then changes to fast-forward switching if errors exceed a threshold value.
• The switch initially forwards all traffic using cut-through switching and then temporarily disables the port if errors exceed a threshold value.
• The switch initially forwards all traffic using store-and-forward switching and then changes to cut-through switching if errors exceed a threshold value.
17. Using STP, how long does it take for a switch port to go from the blocking state to the forwarding state?
• 2 seconds
• 15 seconds
• 20 seconds
• 50 seconds
18. Refer to the exhibit. The switches are interconnected by trunked links and are configured for VTP as shown. A new VLAN is added to Switch1. Which three actions will occur? (Choose three.)
• Switch1 will not add the VLAN to its database and will pass the update to Switch 2.
Switch2 will add the VLAN to its database and pass the update to Switch3.
• Switch3 will pass the VTP update to Switch4.
• Switch3 will add the VLAN to its database.
• Switch4 will add the VLAN to its database.
• Switch4 will not receive the update.
19. Which Catalyst feature causes a switch port to enter the spanning-tree forwarding state immediately?
• backbonefast
• uplinkfast
• portfast
• rapid spanning tree
20. Refer to the exhibit. Which set of commands would be used on the router to provide communication between the two hosts connected to the switch?
• Router(config)# interface vlan 2
Router(config-if)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# no shutdown
Router(config)# interface vlan 3
Router(config-if)# ip address 192.168.3.1 255.255.255.0
Router(config-if)# no shutdown
• Router(config)# interface fastethernet 0/0
Router(config-if)# no shutdown
Router(config-if)# interface fastethernet 0/0.2
Router(config-subif)# encapsulation dot1q 2
Router(config-subif)# ip address 192.168.2.1 255.255.255.0
Router(config-if)# interface fastethernet 0/0.3
Router(config-subif)# encapsulation dot1q 3
Router(config-subif)# ip address 192.168.3.1 255.255.255.0
• Router(config)# interface vlan 2
Router(config-if)# switchport mode trunk dot1q
Router(config)# interface vlan 3
Router(config-if)# switchport mode trunk dot1q
• Router(config)# interface fastethernet 0/0
Router(config-if)# mode trunk dot1q 2 3
Router(config-if)# ip address 192.168.2.1 255.255.255.0