Cisco Certified Network Associate (200-301 CCNA) – Question641


Refer to the exhibit. A network administrator must permit SSH access to remotely manage routers in a network.
The operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task?

A. access-list 2699 permit udp 10.20.1.0 0.0.0.255
B. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22
C. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22
D. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255

Correct Answer: D

Explanation:
The ACL already ends with a statement that permits SSH traffic for network 10.20.1.0 0.0.0.127, but the second statement is deny ip any 10.20.1.0 0.0.0.255. Because an ACL is evaluated top-down and stops at the first match, the SSH traffic is denied before the permit statement is reached. The right answer is therefore to remove the deny statement: no access-list 2699 deny ip any 10.20.1.0 0.0.0.255.

Cisco Certified Network Associate (200-301 CCNA) – Question640

What are two recommendations for protecting network ports from being exploited when located in an office space outside of an IT closet? (Choose two.)

A. enable the PortFast feature on ports
B. configure static ARP entries
C. configure ports to a fixed speed
D. implement port-based authentication
E. shut down unused ports

Correct Answer: DE

Cisco Certified Network Associate (200-301 CCNA) – Question639

What is a function of a remote access VPN?

A. establishes a secure tunnel between two branch sites
B. uses cryptographic tunneling to protect the privacy of data for multiple users simultaneously
C. used exclusively when a user is connected to a company's internal network
D. allows the users to access company internal network resources through a secure tunnel

Correct Answer: D

Cisco Certified Network Associate (200-301 CCNA) – Question637

Which goal is achieved by the implementation of private IPv4 addressing on a network?

A. provides an added level of protection against Internet exposure
B. provides a reduction in size of the forwarding table on network routers
C. allows communication across the Internet to other private networks
D. allows servers and workstations to communicate across public network boundaries

Correct Answer: A

Cisco Certified Network Associate (200-301 CCNA) – Question636

In which two ways does a password manager reduce the chance of a hacker stealing a user's password? (Choose two.)

A. It encourages users to create stronger passwords
B. It uses an internal firewall to protect the password repository from unauthorized access
C. It stores the password repository on the local workstation with built-in antivirus and anti-malware functionality
D. It automatically provides a second authentication factor that is unknown to the original user
E. It protects against keystroke logging on a compromised device or web site

Correct Answer: AE

Cisco Certified Network Associate (200-301 CCNA) – Question635


Refer to the exhibit. A network engineer must block access for all computers on VLAN 20 to the web server via HTTP. All other computers must be able to access the web server. Which configuration when applied to switch A accomplishes the task?

A.


B.

C.

D.

Correct Answer: D

Cisco Certified Network Associate (200-301 CCNA) – Question633

DRAG DROP
Drag and drop the threat-mitigation techniques from the left onto the types of threat or attack they mitigate on the right.
Select and Place:

Correct Answer: [img 0633-0001.jpg]

Explanation:
Double-Tagging attack:

In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20).
When the frame from the attacker reaches Switch A, Switch A sees only the first tag, VLAN 10, which matches its native VLAN 10, so this tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with a tag of VLAN 20, so it removes this tag and forwards the frame to the victim computer.
Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker.
To mitigate this type of attack, you can use VLAN access control lists (VACLs), which apply to all traffic within a VLAN and can be used to drop attacker traffic to specific victims/servers, or implement Private VLANs.

ARP attack:

An ARP attack (such as ARP poisoning/spoofing) is a type of attack in which a malicious actor sends falsified ARP messages over a local area network. It is possible because ARP allows a gratuitous reply from a host even if an ARP request was not received. The result is that the attacker's MAC address becomes linked with the IP address of a legitimate computer or server on the network. This is an attack based on ARP, which operates at Layer 2. Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network and can be used to mitigate this type of attack.

Cisco Certified Network Associate (200-301 CCNA) – Question632

Which type of wireless encryption is used for WPA2 in preshared key mode?

A. AES-128
B. TKIP with RC4
C. AES-256
D. RC4

Correct Answer: C

Explanation:
In this picture we can see that we have to type 64 hexadecimal characters (256 bits) for the WPA2 passphrase, so we can deduce that the encryption is AES-256, not AES-128.

Reference:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wirele…