Drag and Drop

Question 1

Drag and drop the IPv6 NAT characteristic from the left to the matching IPv6 NAT category on the right.

Answer:

NAT64:
+ Use Network-specific prefix
+ Modify session during translation

NPTv6:
+ Modify IP header in transit
+ Map one IPv6 address prefix to another IPv6 prefix

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). NAT64 requires a dedicated prefix, called the NAT64 prefix, to recognize which hosts need IPv4-IPv6 translation. The NAT64 prefix can be a Network-specific prefix (NSP), which is configured by a network administrator, or the well-known prefix (64:FF9B::/96). When a NAT64 router receives a packet whose destination starts with the NAT64 prefix, it processes that packet with NAT64.

NAT64 is not as simple as IPv4 NAT, which only translates the source or destination IPv4 address. NAT64 translates nearly everything (source and destination IP addresses, port numbers, IPv4/IPv6 headers… which together are called a session) from IPv4 to IPv6 and vice versa. So NAT64 “modifies the session during translation”.

Question 2

Drag and drop the BGP states from the left to the matching definitions on the right.

Answer:

+ OpenSent: wait for an OPEN message
+ OpenConfirm: wait for a KEEPALIVE or NOTIFICATION message
+ Established: UPDATE, NOTIFICATION and KEEPALIVE messages are exchanged with peers
+ Idle: refuse connections
+ Active: listen for and accept connection
+ Connect: wait for the connection to be completed

The order of the BGP states is: Idle -> Connect -> (Active) -> OpenSent -> OpenConfirm -> Established

+ Idle: No peering; the router is looking for a neighbor. Idle (admin) means that the neighbor relationship has been administratively shut down.
+ Connect: TCP handshake completed.
+ Active: BGP tries another TCP handshake to establish a connection with the remote BGP neighbor. If it is successful, it will move to the OpenSent state. If the ConnectRetry timer expires then it will move back to the Connect state. Note: Active is not a good state.
+ OpenSent: An open message was sent to try to establish the peering.
+ OpenConfirm: Router has received a reply to the open message.
+ Established: Routers have a BGP peering session. This is the desired state.

Reference: http://www.ciscopress.com/articles/article.asp?p=1565538&seqNum=3

Question 3

Drag and drop the Cisco Express Forwarding adjacency types from the left to the correct type of processing on the right.

Adjacency types (left column):
+ Punt Adjacency
+ Drop Adjacency
+ Null Adjacency
+ Discard Adjacency
+ Glean Adjacency

Types of processing (right column, in the order shown in the question):
+ Packets are discarded
+ Features that require special handling or features that are not yet supported in conjunction with CEF switching paths are forwarded to the next switching layer for handling. Features that are not supported are forwarded to the next higher switching level.
+ When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.
+ Packets are dropped, but the prefix is checked.
+ Packets destined for a Null0 interface are dropped. This can be used as an effective form of access filtering.

Answer:

Punt Adjacency: Features that require special handling or features that are not yet supported in conjunction with CEF switching paths are forwarded to the next switching layer for handling. Features that are not supported are forwarded to the next higher switching level.
Drop Adjacency: Packets are dropped, but the prefix is checked.
Null Adjacency: Packets destined for a Null0 interface are dropped. This can be used as an effective form of access filtering.
Discard Adjacency: Packets are discarded.
Glean Adjacency: When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/switch/configuration/guide/fswtch_c/xcfcef.html

Question 4

Drag and drop the Challenge Handshake Authentication Protocol steps from the left into the correct order in which they occur on the right.

Answer:

+ Target 1: When the LCP phase is complete and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer
+ Target 2: The peer responds with a value calculated through a one-way hash function (MD5)
+ Target 3: The authenticator checks the response against its own calculation of the expected hash value; if the values match, the authentication is successful. Otherwise, the connection is terminated

The Challenge Handshake Authentication Protocol (CHAP) verifies the identity of the peer by means of a three-way handshake. These are the general steps performed in CHAP:
1) After the LCP (Link Control Protocol) phase is complete, and CHAP is negotiated between both devices, the authenticator sends a challenge message to the peer.
2) The peer responds with a value calculated through a one-way hash function (Message Digest 5 (MD5)).
3) The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is successful. Otherwise, the connection is terminated.

This authentication method depends on a “secret” known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, you can negotiate CHAP in both directions, with the help of the same secret set for mutual authentication.

Reference: http://www.cisco.com/c/en/us/support/docs/wan/point-to-point-protocol-ppp/25647-understanding-ppp-chap.html

For more information about CHAP challenge please read our PPP tutorial.
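The three CHAP steps above as a runnable exchange. This is an added example for this page, not Cisco's code or code from the referenced article: both ends hold the shared secret, only the MD5 digest of identifier, secret and challenge crosses the link (RFC 1994), and the authenticator issues a fresh random challenge for every transaction, which is also what makes mid-session re-authentication meaningful. Class and function names are my own.

```python
import hashlib
import hmac
import secrets

def chap_response(identifier, secret, challenge):
    """CHAP-MD5 response (RFC 1994): MD5 over Identifier || Secret || Challenge.
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """The side that issues the Challenge (step 1) and checks the Response (step 3)."""
    def __init__(self, secret):
        self.secret = secret
        self.identifier = 0
        self.pending = None          # (identifier, challenge) waiting for a reply

    def challenge(self):
        """Step 1: a fresh random challenge for every transaction, including
        mid-session re-authentication, so a previously captured reply is useless."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.pending = (self.identifier, secrets.token_bytes(16))
        return self.pending

    def verify(self, identifier, response):
        """Step 3: recompute the expected digest and compare in constant time."""
        if self.pending is None or self.pending[0] != identifier:
            return False             # stale or unsolicited reply
        ident, chal = self.pending
        self.pending = None          # each challenge may be answered once
        return hmac.compare_digest(chap_response(ident, self.secret, chal), response)

def run_chap(auth_secret, peer_secret):
    """One three-way handshake; succeeds only if both ends hold the same secret."""
    auth = Authenticator(auth_secret)
    ident, chal = auth.challenge()                       # step 1: challenge to the peer
    response = chap_response(ident, peer_secret, chal)   # step 2: the peer's reply
    return auth.verify(ident, response)                  # step 3: check, else terminate

def stale_reply_rejected(secret):
    """After the authenticator re-challenges, the reply to the old challenge no longer passes."""
    auth = Authenticator(secret)
    ident, chal = auth.challenge()
    old_reply = chap_response(ident, secret, chal)
    first_ok = auth.verify(ident, old_reply)
    ident2, _ = auth.challenge()                         # re-authentication: new challenge
    return first_ok and not auth.verify(ident2, old_reply)
```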

Question 5

Drag the descriptions on the left to the appropriate group on the right.

Answer:

Authentication:
+ supports a local database for device access
+ supports encryption

Authorization:
+ specifies a user’s specific access privileges
+ enforces time periods during which a user can access the device

Accounting:
+ not supported with local AAA
+ verifies network usage

AAA offers different solutions that provide access control to network devices. The following services are included within its modular architectural framework:
+ Authentication – The process of validating users based on their identity and predetermined credentials, such as passwords and other mechanisms like digital certificates. Authentication controls access by requiring valid user credentials, which are typically a username and password. With RADIUS, the ASA supports PAP, CHAP, MS-CHAP1 and MS-CHAP2, which is why Authentication is the category that “supports encryption”.
+ Authorization – The method by which a network device assembles a set of attributes that regulates what tasks the user is authorized to perform. These attributes are measured against a user database. The results are returned to the network device to determine the user’s qualifications and restrictions. This database can be located locally on Cisco ASA or it can be hosted on a RADIUS or Terminal Access Controller Access-Control System Plus (TACACS+) server. In summary, Authorization controls access per user after users authenticate.
+ Accounting – The process of gathering and sending user information to an AAA server used to track login times (when the user logged in and logged off) and the services that users access. This information can be used for billing, auditing, and reporting purposes.

Question 6

Drag the characteristics on the left to the proper authentication protocols on the right.

Answer:

PAP:
+ Provides minimal security
+ Requires a username and password only

CHAP:
+ Generates a unique string for each transaction
+ Supports mid-session re-authentication

Question 7

Drag the items on the left to the proper locations on the right.

Answer:

RADIUS
+ Uses UDP port 1812 (for authentication/authorization). It encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted.
+ It combines authorization and accounting functions

TACACS+
+ Uses TCP port 49 and encrypts the entire packet
+ It separates authorization and accounting functions

Question 8

Drag the items on the left to the proper locations on the right.

Answer:

+ network-specific stateful NAT64 prefix: IPv6 prefix assigned by an organization
+ NAT64: supports application layer gateway
+ NPTv6: translates 2001:1::/64 to 2001:2::/64
+ well-known stateful NAT64 prefix: supports IPv6 prefix 64:FF9B::/96

NAT64 provides communication between IPv6 and IPv4 hosts by using a form of network address translation (NAT). There are two different forms of NAT64, stateless and stateful:

+ Stateless NAT64: maps an IPv4 address into an IPv6 prefix. As the name implies, it keeps no state. Because every IPv4 address maps to exactly one IPv6 address, it does not save any addresses: stateless NAT64 does not conserve IPv4 addresses.
+ Stateful NAT64 is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. Like NAT44, it is called stateful because it creates or modifies bindings or session state while performing translation (1:N translation). It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings. Stateful NAT64 conserves IPv4 addresses.

NPTv6 stands for Network Prefix Translation. It is a form of NAT for IPv6 that supports one-to-one translation between inside and outside addresses.
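The address handling behind Question 1 and Question 8, as an added worked example that is not from the page: NAT64 address synthesis with the well-known prefix 64:FF9B::/96 or a network-specific prefix (RFC 6052 /96 form), and the NPTv6 rewrite of 2001:1::/64 to 2001:2::/64 (RFC 6296). The NPTv6 part goes one step beyond the page by showing the checksum-neutral adjustment that lets the translator leave transport checksums untouched. The NSP 2001:db8:64::/96 and the host addresses are constructed.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

WELL_KNOWN_NAT64 = "64:ff9b::/96"     # RFC 6052 well-known prefix (quoted in the question)
NSP_NAT64 = "2001:db8:64::/96"        # constructed network-specific prefix (NSP)

def nat64_embed(prefix, v4):
    """Synthesize the IPv6 address an IPv6-only host uses to reach an IPv4 host:
    RFC 6052 /96 form, NAT64 prefix in the top 96 bits, IPv4 address in the low 32."""
    net = IPv6Network(prefix)
    assert net.prefixlen == 96
    return IPv6Address(int(net.network_address) | int(IPv4Address(v4)))

def nat64_extract(prefix, v6):
    """The router-side decision: a destination inside the NAT64 prefix is handed to
    NAT64 and its IPv4 address recovered; anything else is ordinary IPv6 (None)."""
    net, addr = IPv6Network(prefix), IPv6Address(v6)
    if addr not in net:
        return None
    return IPv4Address(int(addr) & 0xFFFFFFFF)

def words16(packed):
    """Split packed address bytes into 16-bit words."""
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, len(packed), 2)]

def ones_sum(words):
    """One's complement sum of 16-bit words, the arithmetic behind TCP/UDP checksums."""
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def nptv6(internal, external, addr):
    """RFC 6296 one-to-one rewrite for a /64 mapping such as 2001:1::/64 -> 2001:2::/64.
    The prefix is swapped and ONE interface-identifier word is adjusted by the one's
    complement difference of the two prefixes, so the address keeps its 16-bit one's
    complement sum and transport checksums stay valid without the translator touching them."""
    int_net, ext_net = IPv6Network(internal), IPv6Network(external)
    assert int_net.prefixlen == ext_net.prefixlen == 64
    words = words16(IPv6Address(addr).packed)
    int_sum = ones_sum(words16(int_net.network_address.packed[:8]))
    ext_sum = ones_sum(words16(ext_net.network_address.packed[:8]))
    delta = ones_sum([int_sum, ~ext_sum & 0xFFFF])       # internal - external
    new = words16(ext_net.network_address.packed[:8]) + words[4:]
    for i in range(4, 8):                                # first IID word that is not 0xFFFF
        if new[i] != 0xFFFF:
            new[i] = ones_sum([new[i], delta])
            break
    return IPv6Address(b"".join(w.to_bytes(2, "big") for w in new))
```

Running the reverse mapping (external back to internal) on the translated address restores the original, which is what makes the translation one-to-one.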

Question 9

Answer:

+ mGRE: Protocol to connect multiple destinations
+ IPSec: Protocol used to secure connection
+ Keepalive: Used to keep the other side of the tunnel interface up when the local side is up
+ Tunnel Key: Used to authenticate connection
+ MSS: Amount of data that a device can handle as an unfragmented piece

Question 10

Drag and drop each frame-relay component on the left to the correct statement on the right.

Answer:

+ SVC: A circuit that provides temporary on-demand connections between DTEs
+ LMI: A signaling mechanism for Frame Relay devices
+ DLCI: A locally significant ID
+ FECN: An indicator of congestion on the network
+ PVC: A logical connection comprising two endpoints and a CIR

Question 11

Answer:

+ DHCPv6 Server:
IPv6 address autoconfig
IPv6 enable

+ Client Interface:
IPv6 address
IPv6 DHCP Relay destination

Question 12

Answer:

RADIUS:
+ combines authentication and authorization functions
+ has no option to authorize router commands

TACACS+:
+ encrypts the entire packet
+ uses TCP port 49

Question 13

Drag and drop each statement about uRPF on the left to the correct uRPF mode on the right.

Answer:

Loose Mode:
+ It supports using the default route as a route reference
+ It requires the source address to be routable

Strict Mode:
+ It can drop legitimate traffic
+ It permits only packets that are received on the same interface as the exit interface for the destination address
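The two uRPF modes as a small reverse-path checker, added here as an example (not Cisco code). The reverse-path lookup is performed on the packet's source address; strict mode requires the route back to that source to exit via the interface the packet arrived on, loose mode only requires a route to exist, and, as on Cisco IOS, a default route satisfies neither mode unless allow-default is set and a source whose best route points to Null0 always fails. The routing table, interface names and addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, egress interface). The Null0 route models a
# blackhole; a source whose best route points to Null0 fails uRPF, which is the
# basis of source-based remotely triggered blackholing.
ROUTES = [
    (ip_network("10.1.0.0/16"), "Gi0/1"),
    (ip_network("10.2.0.0/16"), "Gi0/2"),
    (ip_network("192.0.2.0/24"), "Null0"),
    (ip_network("0.0.0.0/0"), "Gi0/0"),
]

def lookup(table, addr):
    """Longest-prefix match; returns (prefix, interface) or None if no route exists."""
    best = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def urpf_check(table, src, ingress, mode, allow_default=False):
    """Reverse-path check on the packet's SOURCE address.
    strict: the route back to the source must leave via the ingress interface.
    loose:  the source only needs a usable route in the table.
    allow_default: let the default route satisfy the check (Cisco 'allow-default')."""
    match = lookup(table, ip_address(src))
    if match is None:
        return False                      # not routable at all: dropped in both modes
    prefix, iface = match
    if iface == "Null0":
        return False                      # blackholed source: dropped in both modes
    if prefix.prefixlen == 0 and not allow_default:
        return False                      # default route does not count unless allowed
    if mode == "strict":
        return iface == ingress           # asymmetric routing makes this drop real traffic
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")
```

The asymmetric case (a 10.1.0.0/16 source arriving on Gi0/2) is the legitimate traffic that strict mode drops and loose mode accepts.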