Pages

Tuesday, July 7, 2015

CCIE Security 350-018 Quiz & QA - Application Protocols

Quiz:
1 RFC 1700 defines what well-known ports for DNS?
a. TCP port 21
b. TCP port 23
c. UDP port 21
d. UDP port 53
e. TCP/UDP port 53

DNS is permitted by RFC 1700 to use both TCP/UDP port 53. Typically UDP is
vendor-configured for UDP port 53.

2 What supplies DNS security?
a. A default username/password pairing
b. A TFTP directory
c. A filename
d. A domain name
e. None of the above

DNS has no form of security, so any device can request name-to-IP address
mappings.

3 What IOS command will stop a Cisco router from querying a DNS server when an invalid
IOS command is entered on the EXEC or PRIV prompt?
a. no ip domain-lookup
b. no ip dns-lookup
c. no ip dns-queries
d. no exec

To disable DNS query lookup, the IOS command in global configuration mode is no
ip domain-lookup.

4 What does the following Global IOS configuration line accomplish?
ip host SimonisaCCIE 131.108.1.1 131.108.1.2
a. Defines the router name as SimonisaCCIE
b. Defines a local host name, SimonisaCCIE, mapped to IP addresses 131.108.1.1 and
131.108.1.2
c. Configures the IOS router for remote routing entries 131.108.1.1 and 131.108.1.2
d. Not a valid IOS command
e. Configures the local routers with the IP address 131.108.1.1 and 131.108.1.2 on
boot up

The ip host name ip address1 [ipaddress2 ipaddress3 ipaddress4 ipaddress5 ipaddress6
ipaddress7 ipaddress8] command configures a local address lookup for the name
SimonisaCCIE. Up to 8 addresses can be used. The router will try 131.108.1.1 first
and, if no response is made by the remote host, the second address, 131.108.1.2, will
be attempted from the command-line interface (CLI).

5 TFTP uses what predefined UDP port number?
a. 21
b. 22
c. 23
d. 53
e. 69

TFTP uses UDP port number 69.

6 What IOS command will copy an IOS image from the current system flash to a TFTP
server?
a. copy tftp image:
b. copy flash tftp
c. copy tftp flash
d. copy tftp tftp

To copy an IOS image from the routers to system flash, the correct IOS command is
copy flash tftp.

7 Suppose a client calls and advises you that an FTP data transaction is not allowing him to
view the host’s directory structure. What are the most likely causes of the problem?
(Choose all that apply.)
a. The client’s username/password is wrong.
b. The client’s FTP data port is not connected.
c. The host machine has denied him access because the password is wrong.
d. A serious network outage requires that you reload the router closest to the client.
e. An access list is stopping port 20 from detailing the directory list.

The FTP data port is used to view the directory and could be blocked because of
an access list or a fault with the client’s software when establishing the FTP 20
connection.

8 FTP runs over what Layer 4 protocol?
a. IP
b. TCP
c. TFTP
d. DNS
e. UDP

The FTP application is a connection-orientated protocol and is part of the TCP/IP
protocol suite. FTP ensures data is delivered by running data with a TCP overhead.

9 HTTPS traffic uses what TCP port number?
a. 21
b. 443
c. 334
d. 333
e. 343

HTTPS runs over TCP port 443.

10 SNMP is restricted on Cisco routers by what IOS command?
a. snmp-server enable
b. snmp-server community string
c. snmp-server ip-address
d. snmp-server no access permitted

To restrict SNMP access, the correct IOS command is snmp-server community
string. Without the correct string, NMS stations will not be able to access a router
with SNMP queries. You can disable SNMP on a router and restrict SNMP access
with the IOS command no snmp-server.

11 TFTP protocol uses which of the following?
a. Username/password pairs to authorize transfers
b. Uses TCP port 169
c. Uses UDP port 169
d. Can use UDP/TCP and port 69
e. None of the above

TFTP is defined in RFC 1700 and is permitted to use TCP/UDP port 69 only.

12 Which of the following statements is true regarding SSL?
a. Every packet sent between host and client is authenticated.
b. Encryption is used after a simple handshake is completed.
c. SSL uses port 2246.
d. SSL is not a predefined standard.
e. SSL does not perform any data integrity checks.

After the hosts have negotiated with valid username/password pairs, SSL will start
to encrypt all data. After the handshake, packets are not authenticated. SSL uses
TCP port 443. RFC 2246 defines SSL.

13 What is the HELO SMTP command used for?
a. To authenticate SMTP clients
b. To identify SMTP clients
c. This is an unknown standard
d. The HELO command is used in SNMP (not SMTP)

The HELO command identifies the client to the SMTP server.

14 POP3 clients can do what?
a. Receive SNMP queries
b. Send mail
c. Send SNMP queries
d. The POP3 protocol is a routing algorithm

POP3 clients send mail to POP3 servers. SMTP is not part of the POP3 standard.

15 NTP uses what well-known TCP port?
a. 23
b. 551
c. 21
d. 20
e. 123
f. 321

NTP uses UDP or TCP, and the port number is 123.

16 Secure Shell (SSH) is used to do what?
a. Disable spanning tree on Catalyst 5000 switches
b. Protect the data link layer only from attacks
c. Protect the TCP/IP host
d. Allow TCP/IP access to all networks without any security
e. SSH is used only in the data link layer

SSH is used to protect TCP/IP hosts.

17 Which of the following protocols can be authenticated? (Select the best four answers.)
a. Telnet
b. HTTP
c. HTTPS
d. Spanning tree
e. TFTP
f. FTP


18 What is the community string value when the following IOS commands are entered in
global configuration mode?
snmp-server community publiC RO
snmp-server enable traps config
snmp-server host 131.108.255.254 isdn
a. ISDN
b. Config
c. publiC
d. public
e. Public
f. More data required

The community string is defined by the command snmp-server community
community string, which, in this case, is set to publiC. The community string is
case sensitive.

19 Which of the following best describes an SNMP inform request?
a. Requires no acknowledgment
b. Requires an acknowledgment from the SNMP agent
c. Requires an acknowledgment from the SNMP manager
d. Only SNMP traps can be implemented on Cisco IOS routers

SNMP inform requests require an acknowledgment from the SNMP manager. SNMP
hosts will continue sending the SNMP inform request until an acknowledgment is
received.

20 What UDP port number will SNMP traps be sent from?
a. 21
b. 22
c. 161
d. 162

SNMP traps are sent by SNMP agents (such as routers) over UDP port 162.

21 What TCP port number will an SNMP inform acknowledgment packet be sent to?
a. 21
b. 22
c. 23
d. 161
e. 162
f. None of the above

SNMP inform acknowledgments are sent over UDP (not TCP) port number 161.

22 To restrict SNMP managers from the source network 131.108.1.0/30, what IOS command
is required?
a.
ip http enable 131.108.1.1 131.108.1.2
b.
snmp community 131.108.1.1 131.108.1.2
c.
snmp-server community SimonisCool ro 4
access-list 4 permit 131.108.1.0 0.0.0.252
d.
snmp-server community SimonisCool ro 4
e.
snmp-server community SimonisCool ro 1
access-list 11 permit 131.108.1.0 0.0.0.252

The SNMP server community name must be defined with the following command:
snmp-server community string ro access-list-number
The access list number definition must follow (in this case, number 4). The access list
range is between 1 and 99 only.

Q&A

1 According to RFC 1700, what is the well-known TCP/UDP port used by DNS?
Answer: RFC 1700 defines the well-known ports for the whole TCP/IP protocol
suite. For DNS, the well-known port for TCP/UDP is number 53.

2 What does the IOS command no ip domain-lookup accomplish?
Answer: This IOS command disables DNS queries for network administrators
connected to a Cisco console or vty line.

3 What is the correct IOS syntax to specify local host mapping on a Cisco router?
Answer: Local host mappings to IP addresses are accomplished using the following
IOS command:
ip host name [tcp-port-number] ip address1 [ip address2...ip address8]
Up to eight IP addresses can be assigned to one name.

4 TFTP uses what well-known, defined TCP/UDP port?
Answer: TFTP uses port number 69.

5 What is the correct IOS command to copy a file from a TFTP server to the system flash?
Answer: The IOS command is copy tftp flash. To copy a file from the system flash to
the TFTP server, the IOS command is copy flash tftp.

6 Define the two modes of FTP.
Answer: FTP can be configured for the following two modes:
• Active mode
• Passive mode

7 FTP uses what TCP port numbers?
Answer: FTP uses well-known port numbers 20 and 21.

8 What well-known port do Secure Socket Layer (SSL) and Secure Shell (SSH) use?
Answer: SSL uses well-known port number 443. Secure Shell uses well-known TCP
port 22.

9 Define SNMP and give an example.
Answer: Simple Network Management Protocol (SNMP) is an application layer
protocol that is used to manage IP devices. SNMP is part of the TCP/IP application
layer suite. SNMP allows network administrators the ability to view and change
network parameters and monitor connections locally and remotely. Cisco routers
can be configured to send SNMP traps to network managing stations to alert
administrators. For example, SNMP traps may indicate a router with low memory
or high CPU usage.

10 What well-known UDP ports are used by SNMP?
Answer: RFC 1700 defines the SNMP ports as 161 and 162. TCP can also be used,
but vendors typically only implement SNMP with UDP. SNMP port 161 is used to
query SNMP devices, and SNMP port 162 is used to send SNMP traps. SNMP runs
over UDP and is secured by a well-known community string that is case sensitive.

11 What IOS command enables SNMP on a Cisco IOS router?
Answer: The command syntax is snmp-server community string access-rights. The
access-rights options are RO and RW.

12 Which TCP/UDP port numbers are defined for use by Network Time Protocol or NTP?
Answer: NTP can use TCP and UDP port number 123.

13 When defining a stratum value on a Cisco router, what is the range and what value is
closest to an atomic clock?
Answer: The stratum value ranges from 1 to 15. 1 represents an atomic clock, which
is the most accurate clock available. The default stratum value on Cisco routers is 8.

14 Secure Shell (SSH) allows what to be accomplished when in use?
Answer: Secure Shell (SSH) is a protocol that provides a secure connection to a
router. Cisco IOS supports version 1 of SSH. SSH enables clients to make a secure
and encrypted connection to a Cisco router.

15 What is the difference between an SNMP inform request and an SNMP trap?
Answer: The major difference between a trap and an inform request is that an
SNMP agent (when ending a trap) has no way of knowing if an SNMP trap was
received by the SNMP manager. On the other hand, an SNMP inform request packet
will be sent continually until the sending SNMP manager receives an SNMP
acknowledgment.

16 What does the SNMP MIB refer to?
Answer: The Management Information Base (MIB) is a virtual information storage
area for network management information, which consists of collections of managed
objects. MIB modules are written in the SNMP MIB module language, as defined in
STD 58, RFC 2578, RFC 2579, and RFC 2580.

17 What is the SNMP read-write community string for the following router configuration?
snmp-server community simon ro
snmp-server community Simon rw
Answer: The read-write community string is set to Simon (case sensitive). The readonly
community attribute is set to simon.

18 Before you can TFTP a file from a Cisco router to a UNIX- or Windows-based system,
what is the first step you must take after enabling the TFTP server daemon on both
platforms?
Answer: On a UNIX server where the TFTP server daemon is installed, the file to be
copied must have the appropriate access rights. In UNIX, the Touch command allows
a TFTP request. In other words, to copy a file from a Cisco IOS router to a UNIX
host, the file must already exist on the host. For a Windows-based platform, the
software must be configured to permit file creation on the Windows-based file
system.

19 What IOS command can be implemented to restrict SNMP access to certain networks by
applying access lists? Can you apply standard, extended, or both?
Answer: The IOS command is as follows:
snmp-server community string [view view-name] [ro | rw] [number]
You can only apply a standard access-list list with the above command.
number refers to a standard access list, ranging from 1 to 99 only, that defines
the remote hosts or subnets that are permitted SNMP access. The correct SNMP
community string must also be correctly configured on the SNMP manger and
agent to allow SNMP communication.

20 Does TFTP have a mechanism for username and password authentication?
Answer: TFTP is a connectionless protocol (UDP) that has no method to authenticate
username or password. The TFTP packet format has no field enabling the username
or password to be exchanged between two TCP/IP hosts. TFTP security (configurable
on UNIX and Windows platforms) on the TFTP server is accomplished by allowing
a predefined file on the server to be copied to the host TFTP server.

21 Can you use your Internet browser to configure a Cisco router? If so, how?
Answer: To view the router’s home page, use a Web browser pointed to http://a.b.c.d,
where a.b.c.d is the IP address of your router or access server. If a name has been set,
use http://router-name, and use the DNS server to resolve the IP address.
To enable HTTP on a Cisco router, use the IOS command ip http in global
configuration mode.

22 A network administrator defines a Cisco router to allow HTTP requests but forgets to add
the authentication commands. What is the default username and password pairing that
allows HTTP requests on the default TCP port 80? Can you predefine another TCP port
for HTTP access other than port 80?
Answer: By default Cisco IOS routers configured for HTTP access use the router’s
local host name as the username and the enable or secret password as the password.
The IOS command ip http [0-65535] allows the network administrator to define a
new port number other than 80, which is the default setting.

No comments:

Post a Comment