Tuesday, July 7, 2015

CCIE Security 350-018 Quiz and QA - IOS Specifics

Quiz:
1 What IOS command will display the System Flash?
a. show flash
b. show system flash
c. show memory
d. show process flash

The show flash IOS command displays the System Flash:
R1#show flash
System flash directory:
File Length Name/status
1 11600424 c2600-ik8o3s-mz.122-2.T.bin
[11600488 bytes used, 5176728 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)
R1#

2 The network administrator has forgotten the enable password and all passwords are
encrypted. What should the network administrator do to recover the password without
losing the current configuration?
a. Call the TAC and ask for a special back door password.
b. Call the TAC and raise a case to supply the engineering password.
c. Reboot the router, press the break key during the reload, and enter ROM mode and
change the configuration register.
d. Reboot the router, press the break key during the reload, enter ROM mode and
change the configuration register, and when the router reloads, remove the old configuration.

The TAC will not supply any passwords. The steps required include issuing the break
key and modifying the configuration register, but the aim is to not lose the initial
configuration, so answer d is incorrect.

3 What is the enable password for the following router?
enable password Simon
a. More data required
b. Simon
c. simon or Simon
d. You cannot set the password to a name; it must also contain digits.

The enable password is case-sensitive, so the password is Simon.

4 If the configuration register is set to 0x2101, where is the IOS image booted from?
a. slot0:
b. slot1:
c. Flash
d. ROM
e. TFTP server

0x2101 tells the router to load the IOS image from ROM.

5 What IOS command will copy the running configuration to a TFTP server? (Select the
best two answers.)
a. copy running-config to tftp
b. write network
c. copy running-config tftp
d. write erase

Write network and copy running-config tftp will save the configuration stored in
RAM to a TFTP server.

6 What debug command allows an administrator to debug only packets from the network
131.108.0.0/16?
a. debug ip packet
b. terminal monitor
c. debug ip packet 1
access-list 1 permit 131.108.0.0
d. debug ip packet 1
access-list 1 permit 131.108.0.0 0.0.255.255
e. debug ip packet 1
access-list 1 permit 131.108.0.0 255.255.0.0

To debug only packets from the source network 131.108.0.0/16, that is, addresses ranging
from 131.108.0.0 to 131.108.255.255, the correct access list is access-list 1 permit
131.108.0.0 0.0.255.255, followed by the debug ip packet 1 command in privileged
EXEC mode.

7 After entering debug ip packet, no messages appear on your Telnet session. What is the
likely cause?
a. OSPF routing is required.
b. The console port does not support debug output.
c. The terminal monitor command is required.
d. IP packets are not supported with the debug command.

When you access a router via Telnet, the terminal monitor IOS command is required
before debug messages appear on the terminal session.

8 To change the configuration register to 0x2141, what is the correct IOS command?
a. copy running-config register
b. configuration 0x2141
c. config 0x2141 register
d. config-register 0x2142
e. config-register 0x2141


9 Where is the startup configuration stored on a Cisco router?
a. In the cam table
b. NVRAM
c. RAM
d. Flash
e. slot0:

The startup configuration is usually stored in the NVRAM. You can store the file on
a TFTP server, as well.

10 Which of the following statements is true?
a. The enable secret command overrides the enable password command.
b. The enable command overrides the enable secret password command.
c. Enable passwords cannot be used when the secret password is used.
d. Both a and c are true.

The enable secret command overrides the enable password command when
configured concurrently.

11 A Cisco router has the following configuration:
line vty 0 4
login
What will happen when you Telnet to the router?
a. You will be prompted for the login password.
b. You will enter EXEC mode immediately.
c. You cannot access the router without the password set.
d. More configuration required.

Without the password configured, you cannot enter EXEC mode. The router will
advise the Telnet user that the password is not set and disconnect the session, as
follows:
R1#131.108.1.1
Trying 131.108.1.1 ... Open
Password required, but none set
[Connection to 131.108.1.1 closed by foreign host]

12 A Cisco router has the following configuration:
line vty 0 4
no login
password cIscO
When a Telnet user tries to establish a remote Telnet session to this router, what will
happen?
a. You will be prompted for the login password cIscO.
b. You will enter EXEC mode immediately.
c. You cannot access the router without the password set.
d. More configuration required.
e. You will be prompted for the login password; password case does not matter.

Because the no login command is configured, the VTY lines allow all Telnet sessions
directly to the EXEC prompt even though a password is set.

13 A Cisco router has the following configuration:
line vty 0 1
no login
password cisco
line vty 2 4
login
password ciSco
When a third Telnet session is established to a remote router with the preceding
configuration, what will happen?
a. You will be prompted for the login password, which is set to cisco.
b. You will be prompted for the login password, which is set to ciSco.
c. You will enter EXEC mode immediately.
d. You cannot access the router without the password set.
e. More configuration required.

The first two telnet sessions (line vty 0 1) will directly enter EXEC mode because of
no login. The third (line vty 2 4) requires the password, ciSco.
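The behaviour tested in questions 11 to 13 can be checked mechanically when reviewing a saved configuration. The following is an added example, not part of the original quiz: a small Python audit that reads the line vty blocks and reports what a Telnet session on each line would get. The function names are hypothetical, and it assumes sessions are assigned to VTY lines in ascending order and that an unconfigured line defaults to login with no password.

```python
import re

def parse_vty(config):
    """Map each VTY line number to its login flag and password (None if unset)."""
    vty, current = {}, []
    for raw in config.splitlines():
        text = raw.strip()
        header = re.match(r"line vty (\d+)(?: (\d+))?$", text)
        if header:
            first = int(header.group(1))
            last = int(header.group(2) or first)
            current = list(range(first, last + 1))
            for n in current:
                # Assumed default: login required, no password configured.
                vty.setdefault(n, {"login": True, "password": None})
        elif text.startswith("line "):
            current = []                      # console/aux block, not VTY
        for n in current:
            if text == "login":
                vty[n]["login"] = True
            elif text == "no login":
                vty[n]["login"] = False
            elif text.startswith("password "):
                vty[n]["password"] = text.split(None, 1)[1]
    return vty

def outcome(line):
    if not line["login"]:
        return "EXEC without password"        # Q12: the password is ignored
    if line["password"] is None:
        return "refused: password required, but none set"   # Q11
    return "password prompt"

def audit(config):
    """Outcome per VTY line; assumes session k lands on the k-th line in order."""
    return {n: outcome(line) for n, line in sorted(parse_vty(config).items())}

# Constructed inputs: the configurations from questions 11 and 13.
Q11 = "line vty 0 4\n login\n"
Q13 = ("line vty 0 1\n no login\n password cisco\n"
       "line vty 2 4\n login\n password ciSco\n")

if __name__ == "__main__":
    for n, result in audit(Q13).items():
        print(f"vty {n}: {result}")
```

Any line reported as "EXEC without password" is reachable by Telnet with no authentication at all, regardless of the password shown in the configuration.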

14 Which of the following access lists will deny any IP packets sourced from network
131.108.1.0/24 and destined for network 131.108.2.0/24 and permit all other IP-based
traffic?
a. access-list 1 deny 131.108.1.0
b. access-list 1 deny 131.108.1.0 0.0.0.255
c. access-list 100 permit/deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255
d. access-list 100 deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255
access-list 100 permit ip any any

The correct access list is an extended access list because both source and destination
addresses must be configured. To permit all other traffic, you must add the line
access-list 100 permit ip any any. Otherwise, all other IP-based traffic will be denied
access by default.
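The wildcard-mask matching in question 6 and the first-match, implicit-deny behaviour in question 14 can be worked through in code. The following is an added example, not part of the original quiz: a minimal Python evaluator for the access-list lines quoted in those two questions. The function names are hypothetical, and only the ip protocol keyword and address operands are handled.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must equal the base."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)

def take_operand(tokens):
    """Consume 'any', 'host A', 'A W', or a bare 'A' (wildcard 0.0.0.0)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and tokens[1][0].isdigit():
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]

def evaluate(acl, src, dst=None):
    """First matching line wins; falling off the end is the implicit deny."""
    for line in acl:
        tok = line.split()   # access-list <number> <action> [ip] <src> [<dst>]
        number, action, rest = int(tok[1]), tok[2], tok[3:]
        extended = 100 <= number <= 199 or 2000 <= number <= 2699
        if extended:
            rest = rest[1:]  # skip the protocol keyword (only "ip" handled)
        source, rest = take_operand(rest)
        if not matches(src, *source):
            continue
        if extended and not matches(dst, *take_operand(rest)[0]):
            continue
        return action
    return "implicit deny"

# The candidate lines from questions 6 and 14, copied from the page.
Q6_C = ["access-list 1 permit 131.108.0.0"]
Q6_D = ["access-list 1 permit 131.108.0.0 0.0.255.255"]
Q6_E = ["access-list 1 permit 131.108.0.0 255.255.0.0"]
Q14_D = ["access-list 100 deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255",
         "access-list 100 permit ip any any"]
```

With the inverted mask in Q6_E, the list matches any address whose last two octets are 0.0 rather than the 131.108.0.0/16 network, which is the usual result of typing a subnet mask where a wildcard mask is expected.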

15 An administrator notices a router’s CPU utilization has jumped from 2 percent to 100
percent, and that a CCIE engineer was debugging. What IOS command can the network
administrator enter to stop all debugging output to the console and vty lines without
affecting users on the connected router?
a. no logging console debugging
b. undebug all
c. line vty 0 4
no terminal monitor
d. reload the router

The IOS command undebug all stops all configured debug commands. Reloading the
router also stops debugs but will affect users because the router will be unavailable
during the reboot. Entering no logging debugging does not stop the router from
sending debug information to any users connected via Telnet, nor from processing
the CPU-intensive debug requests.

Q & A
1 Where is the running configuration stored on a Cisco router?
Answer: The configuration is stored in the Random Access Memory (RAM). For
all newer Cisco hardware platforms, the memory location where the running
configuration is stored is called the Dynamic Random-Access Memory (DRAM).

2 What IOS command displays the startup configuration?
Answer: The IOS command show startup-config or show config will display the
configuration stored in NVRAM.

3 What IOS command provides the following output?
System flash directory:
File Length Name/status
1 9558976 c2500-ajs40-l.12-17.bin
[9559040 bytes used, 7218176 available, 16777216 total]
16384K bytes of processor board System flash
Answer: The IOS command to display the System Flash is show flash.

4 What configuration register will enable a Cisco router to ignore the startup configuration?
Answer: 0x2142 will set the IOS to ignore the configuration stored in NVRAM;
typically, this configuration register is used for password recovery.

5 To copy the startup configuration to the running configuration, what IOS command or
commands are used?
Answer: copy startup-config running-config.

6 What is the range for standard and extended IP access lists on Cisco IOS routers?
Answer: Standard IP access lists range from 1-99 and 1300-1999. Extended access
lists range from 100-199 and 2000-2699.

7 What command displays the IP access lists configured on a Cisco router?
Answer: show ip access-lists will display all configured IP access lists. The show
access-lists IOS command displays all configured access lists, not just IP access lists.

8 How do you disable all debug commands currently enabled on a Cisco router, assuming
you are not sure what debug commands are enabled?
Answer: undebug all (or u all in shorthand). You can also use the [no] debug
<debug-enabled commands> for each specific debug that has been enabled. To quickly
disable all debug commands, undebug all is typically used.

9 What must you be very careful of when enabling any form of debugging on a Cisco
router?

Answer: You should make the debug command as specific as possible and ensure that
you enable the output to the console (if disabled) and VTY lines with the IOS
command terminal monitor; this command is entered in privileged EXEC mode only.
By default, Cisco IOS will send all debug output to the console port.
The CPU system on Cisco routers gives the highest priority to debugging output. For
this reason, debugging commands should be turned on only for troubleshooting
specific problems or during troubleshooting sessions with technical support
personnel. Excessive debugging output can render the router inoperable.
Try to use the most specific debug command possible to reduce the load on the CPU.

10 What are the required steps when performing password recovery on a Cisco router?
Answer: The password recovery steps are as follows:
Step 1 Power cycle the router.
Step 2 Issue a control break or the break key command on the application to enter
into boot ROM mode. The control break key sequence must be entered
within 60 seconds of the router restarting after a power cycle.
Step 3 Once you are in ROM mode, change the config register value to ignore the
startup configuration file that is stored in NVRAM. Use the o/r 0x2142
command.
Step 4 Allow the router to reboot by entering the i command.
Step 5 After the router has finished booting up without its startup configuration,
look at the show startup-config command output. If the password is
encrypted, move to Step 6, which requires you to enter the enable mode
(type enable and you will not be required to enter any password) and copy
the startup configuration to the running configuration with the copy
startup-config running-config command. Then, change the password. If the
password is not encrypted and the secret password is not used, you can
simply read the password. Skip Steps 6 and 7 and go to Step 8.
Step 6 Copy the startup configuration to RAM.
Step 7 Enable all active interfaces.
Step 8 Change the configuration register to 0x2102 (default).
Step 9 Reload the router.
Step 10 Check the new password.

11 What is the enable password for the following configuration?
enable password CiscO
Answer: Passwords are case-sensitive, so the password is CiscO. If the secret
password was set, you would not be able to read the password in clear text because
Cisco IOS hashes the password using the MD5 encryption algorithm, as in the
following example:
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
➠ Password is not in clear text.
You cannot reverse engineer the hashed password ($1$Aiy2$GGSCYdG57PdRiNg/.D.XI.).
Hashing occurs when plain text data is encrypted into ciphertext (unreadable
data) by some form of encryption algorithm.
