Router

Question 1

What command can you enter to configure an enable password that uses an encrypted password from another configuration?

A. enable secret $abc%!e.Cd34$!ao0
B. enable secret 7 Sabc%!e.Cd34$!ao0
C. enable secret 0 Sabc%U*.Cd34$!ao0
D. enable secret 5 $abc%!e.Cd34$!ao0
E. enable secret 15 $abc%ie.Cd34$!ao0
F. enable secret 6 $abc%!e.Cd34$!ao0

Answer: D

الـــــشــــــــــــــــــــــــرح

To determine which scheme has been used to encrypt a specific password, check the digit preceding the encrypted string in the configuration file. If that digit is a 7, the password has been encrypted using the weak algorithm. If the digit is a 5, the password has been hashed using the stronger MD5 algorithm.

For example, in the configuration command:

enable secret 5 $1$iUjJ$cDZ03KKGh7mHfX2RSbDqP.

The enable secret has been hashed with MD5, whereas in the command:

username jdoe password 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D

The password has been encrypted using the weak reversible algorithm.

When we enter the “enable secret” command with a number after that, the IOS can specify that the password has been encrypted so it will not encrypt any more and accept that password.

In new Cisco IOS (v15+), it seems the device does not recognize “enable secret 7” command as encrypted password. We tried on Cisco IOS v15.4 and see this:

When we tried to enter the command “enable secret 7 07362E590E1B1C041B1E124C0A2F2E206832752E1A01134D”, the Cisco IOS automatically change the command to “enable secret 5 $1$dLq2$qgzb4bgdsasX8dx1oHOkD.” (in the running-config file). So if you paste an “enable secret 7 …” command from an old Cisco IOS version, you cannot login any more with your password.

Note: In fact, there is an error with the answer D. As we entered the command in answer D, the router denied the encrypted password because it was not a valid encrypted secret password. That means the router also checked if the password was hashed correctly or not. But it is the best answer in this question.

Question 2

What is the optimal location from which to execute a debug command that produces an excessive amount of information?

A. Vty lines
B. SNMP commands
C. A console port
D. An AUX port

Answer: A

الـــــشــــــــــــــــــــــــرح

Excessive debugs to the console port of a router can cause the router to hang. This is because the router automatically prioritizes console output ahead of other router functions. Hence if the router is processing a large debug output to the console port, it may hang. Hence, if the debug output is excessive use the vty (telnet) ports or the log buffers to obtain your debugs.

Note: By default, logging is enabled on the console port. Hence, the console port always processes debug output even if you are actually using some other port or method (such as Aux, vty or buffer) to capture the output. Hence, Cisco recommends that, under normal operating conditions, you have the no logging console command enabled at all times and use other methods to capture debugs.

To enable logging logging on your virtual terminal connection (telnet), use the “terminal monitor” command under Privileged mode (Router#)

Question 3

Which two options are causes of out-of-order packets? (Choose two)

A. a routing loop
B. a router in the packet flow path that is intermittently dropping packets
C. high latency
D. packets in a flow traversing multiple paths through the network
E. some packets in a flow being process-switched and others being interrupt-switched on a transit Router

Answer: D E

الـــــشــــــــــــــــــــــــرح

Per-packet load-balancing means that the router sends one packet for destination1 over the first path, the second packet for (the same) destination1 over the second path, and so on. Per-packet load balancing guarantees equal load across all links. However, there is potential that the packets may arrive out of order at the destination because differential delay may exist within the network -> Answer D is correct.

When searching the routing table, the router looks for the longest match for the destination IP address prefix. This is done at “process level” (known as process switching), which means that the lookup is considered as just another process queued among other CPU processes

Interrupt-level switching means that when a packet arrives, an interrupt is triggered which causes the CPU to postpone other tasks in order to handle that packet.

In general, process switching is faster then interrupt-level switching and can cause out-of-order packets.

Question 4

Where the output will be shown of the command debug condition interface fa0/1?

A. It will show on interface f0/1
B. It will show on interface f0/0
C. Both interfaces will show debugging ouput
D. An interface cannot be used as condition

Answer: A or C

الـــــشــــــــــــــــــــــــرح

The command “debug condition interface <interface>” command is used to disable debugging messages for all interfaces except the specified interface so in this case the debug output will be shown on Fa0/1 interface only.

Note: If in this question there was another “debug condition interface fa0/0” command configured then the answer should be C (both interfaces will show debugging ouput).

Question 5

Which security feature can you enable to control access to the VTY lines on a router?

A. exec-time out
B. logging
C. username and password
D. transport output

Answer: C

الـــــشــــــــــــــــــــــــرح

There are a few simple steps you can follow to ensure your VTY lines are as secure as possible. The easiest way is to enable username / password authentication. Other ways are to include an access-list to prevent unwanted IP addresses from connecting and use SSH to encrypt the traffic connecting to the device.

Question 6

Under which circumstance will a branch ISR router contain interface vlan configurations?

A. performing inter-VLAN routing
B. performing 802.1Q trunking
C. performing ISL trunking
D. Ethernet Switch Module installed
E. ADSL WIC installed
F. running Call Manager Express

Answer: D

الـــــشــــــــــــــــــــــــرح

An Integrated Services Router(ISR) router can be implemented an Ethernet Switch Module to perform both IP routing and inter-VLAN routing. With this module, an ISR router will contain interface vlan configurations.

Question 7

What is the minimum privilege level to enter all commands in usermode?

A. Level14
B. Level0
C. Level1
D. Level15

Answer: C

Question 8

Which two statements about password-protecting device access are true? (Choose two)

A. The more system:running-config command displays encrypted passwords in clear text
B. The service password-encryption command forces a remote device to encrypt the password
C. A network administrator can recover an encrypted password
D. The privilege level command controls the commands a specific user can execute
E. The password can be encrypted in the running configuration

Answer: D E

الـــــشــــــــــــــــــــــــرح

Which two statements about password-protecting device access are true? (Choose two)

A. The more system:running-config command displays encrypted passwords in clear text
B. The service password-encryption command forces a remote device to encrypt the password
C. A network administrator can recover an encrypted password
D. The privilege level command controls the commands a specific user can execute
E. The password can be encrypted in the running configuration