This part covers questions 40 to 80 of the latest CCNA 200-301 dump.
QUESTION 41: An organization has decided to start using cloud-provided services. Which cloud service allows the organization to install its own operating system on a virtual machine?
A. platform-as-a-service
B. software-as-a-service
C. network-as-a-service
D. infrastructure-as-a-service
Answer: D
Below are the three cloud service models that cloud providers offer to customers:
- SaaS (Software as a Service): SaaS uses the web to deliver applications that are managed by a third-party vendor and whose interface is accessed on the clients’ side. Most SaaS applications can be run directly from a web browser without any downloads or installations required, although some require plugins.
- PaaS (Platform as a Service): PaaS is used for application development and other development work, providing cloud components to software. What developers gain with PaaS is a framework they can build upon to develop or customize applications. PaaS makes the development, testing, and deployment of applications quick, simple, and cost-effective. With this technology, enterprise operations, or a third-party provider, can manage OSes, virtualization, servers, storage, networking, and the PaaS software itself. Developers, however, manage the applications.
- IaaS (Infrastructure as a Service): self-service models for accessing, monitoring, and managing remote datacenter infrastructures, such as compute (virtualized or bare metal), storage, networking, and networking services (e.g. firewalls). Instead of having to purchase hardware outright, users can purchase IaaS based on consumption, similar to electricity or other utility billing.
In general, IaaS provides hardware so that an organization can install their own operating system.
QUESTION 42: Refer to Exhibit. Which action do the switches take on the trunk link?
A. The trunk does not form and the ports go into an err-disabled status.
B. The trunk forms but the mismatched native VLANs are merged into a single broadcast domain.
C. The trunk does not form, but VLAN 99 and VLAN 999 are allowed to traverse the link.
D. The trunk forms but VLAN 99 and VLAN 999 are in a shutdown state.
Answer: B
The trunk still forms with mismatched native VLANs and the traffic can actually flow between mismatched switches. But it is absolutely necessary that the native VLANs on both ends of a trunk link match; otherwise a native VLAN mismatch occurs, causing the two VLANs to effectively merge. For example with the above configuration, SW1 would send untagged frames for VLAN 999. SW2 receives them but would think they are for VLAN 99 so we can say these two VLANs are merged.
QUESTION 43: Which design element is a best practice when deploying an 802.11b wireless infrastructure?
A. disabling TPC so that access points can negotiate signal levels with their attached wireless devices.
B. setting the maximum data rate to 54 Mbps on the Cisco Wireless LAN Controller
C. allocating non-overlapping channels to access points that are in close physical proximity to one another
D. configuring access points to provide clients with a maximum of 5 Mbps
Answer: C
QUESTION 44: Refer to the exhibit. If OSPF is running on this network, how does Router 2 handle traffic from Site B to 10.10.13.128/25 at Site A?
A. It sends packets out of interface Fa0/2 only.
B. It sends packets out of interface Fa0/1 only.
C. It cannot send packets to 10.10.13.128/25
D. It load-balances traffic out of Fa0/1 and Fa0/2
Answer: C
Router2 does not have an entry for the subnet 10.10.13.128/25. It only has an entry for 10.10.13.0/25, which ranges from 10.10.13.0 to 10.10.13.127.
QUESTION 45: A frame that enters a switch fails the Frame Check Sequence. Which two interface counters are incremented? (Choose two)
A. runts
B. giants
C. frame
D. CRC
E. input errors
Answer: D E
Whenever the physical transmission has problems, the receiving device might receive a frame whose bits have changed values. These frames do not pass the error detection logic as implemented in the FCS field in the Ethernet trailer. The receiving device discards the frame and counts it as some kind of input error.
Cisco switches list this error as a CRC error. Cyclic redundancy check (CRC) is a term related to how the FCS math detects an error.
The “input errors” counter includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
The output below shows the interface counters from the “show interface s0/0/0” command:
QUESTION 46: Which two must be met before SSH can operate normally on a Cisco IOS switch? (Choose two)
A. The switch must be running a k9 (crypto) IOS image
B. The ip domain-name command must be configured on the switch
C. IP routing must be enabled on the switch
D. A console password must be configured on the switch
E. Telnet must be disabled on the switch
Answer: A B
QUESTION 47: Refer to the exhibit. If configuring a static default route on the router with the ip route 0.0.0.0 0.0.0.0 10.13.0.1 120 command, how does the router respond?
A. It ignores the new static route until the existing OSPF default route is removed
B. It immediately replaces the existing OSPF route in the routing table with the newly configured static route
C. It starts load-balancing traffic between the two default routes
D. It starts sending traffic without a specific matching entry in the routing table to GigabitEthernet0/1
Answer: A
Our new static default route has an Administrative Distance (AD) of 120, which is higher than the AD of the OSPF External route (O E2), so it will not be installed in the routing table until the current OSPF External route is removed. For your information, if you don’t specify the AD of 120 (using the command “ip route 0.0.0.0 0.0.0.0 10.13.0.1”), the new static default route would replace the OSPF default route, because the default AD of a static route is 1. You would then see a line like this in the routing table:
S 0.0.0.0/0 [1/0] via 10.13.0.1
QUESTION 48: Refer to the exhibit. A network engineer must block access for all computers on VLAN 20 to the web server via HTTP. All other computers must be able to access the web server. Which configuration when applied to switch A accomplishes this task?
A.
config t
ip access-list extended wwblock
permit ip any any
deny tcp any host 10.30.0.100 eq 80
int vlan 20
ip access-group wwwblock in
B.
config t
ip access-list extended wwwblock
permit ip any any
deny tcp any host 10.30.0.100 eq 80
int vlan 30
ip access-group wwwblock in
C.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
int vlan 10
ip access-group wwwblock in
D.
config t
ip access-list extended wwwblock
deny tcp any host 10.30.0.100 eq 80
permit ip any any
int vlan 20
ip access-group wwwblock in
Answer: D
QUESTION 49: A router running EIGRP has learned the same route from two different paths. Which parameter does the router use to select the best path?
A. cost
B. administrative distance
C. metric
D. as-path
Answer: C
If a router learns two different paths for the same network from the same routing protocol, it has to decide which route is better and will be placed in the routing table. Metric is the measure used to decide which route is better (lower number is better). Each routing protocol uses its own metric. For example, RIP uses hop counts as a metric, while OSPF uses cost.
https://study-ccna.com/administrative-distance-metric/
QUESTION 50: Refer to the exhibit. An extended ACL has been configured and applied to router R2. The configuration failed to work as intended. Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the 10.0.10.0/26 subnet while still allowing all other traffic? (Choose two)
A. Add a “permit ip any any” statement to the beginning of ACL 101 for allowed traffic.
B. Add a “permit ip any any” statement at the end of ACL 101 for allowed traffic.
C. The source and destination IPs must be swapped in ACL 101.
D. The ACL must be configured on the Gi0/2 interface inbound on R1.
E. The ACL must be moved to the Gi0/1 interface outbound on R2.
Answer: B C
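Questions 48 and 50 both turn on two ACL rules: entries are evaluated top-down and the first match wins, and an ACL ends in an implicit deny. The following is an added example, not part of the exam dump, that implements that evaluation for simple IOS-style extended ACL entries and runs it over the ACLs of option A and option D of question 48 and a constructed ACL 101 for question 50 (the exhibit is not on the page, so ACL 101 is written here from the question text with source and destination in the corrected order; the VLAN 20 host address 10.20.0.10 used in the assertions is also constructed).

```python
# Added example (not from the exam dump): a first-match evaluator for simple
# IOS-style extended ACL entries, used to compare the ACLs of questions 48 and 50.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: Tuple[str, ...]  # ("any",), ("host", A.B.C.D) or (network, wildcard)
    dst: Tuple[str, ...]
    dport: Optional[int]  # from a trailing "eq N", else None


def _take_addr(tokens):
    """Consume one address specifier from the token list."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    tokens = line.split()
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return Ace(tokens[0], tokens[1], src, dst, dport)


def _addr_matches(spec, addr: str) -> bool:
    if spec == ("any",):
        return True
    if spec[0] == "host":
        return addr == spec[1]
    ip, net, wild = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    # A wildcard bit of 1 means "don't care"; every other bit must equal the network.
    return ((ip ^ net) & ~wild) == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_matches(ace.src, pkt.src)
            and _addr_matches(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl, pkt: Packet) -> str:
    """Top-down, first match wins; falling off the end hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Question 48, option A: the permit shadows the deny, so HTTP is never blocked.
OPTION_A = ["permit ip any any", "deny tcp any host 10.30.0.100 eq 80"]
# Question 48, option D: deny first, then permit everything else.
OPTION_D = ["deny tcp any host 10.30.0.100 eq 80", "permit ip any any"]
# Question 50 (constructed, exhibit not on the page): ACL 101 with source and
# destination in the corrected order and no trailing permit, so all other
# traffic still falls into the implicit deny until "permit ip any any" is added.
ACL_101 = ["deny tcp 10.0.10.0 0.0.0.63 10.0.20.0 0.0.0.63 eq 25",
           "deny tcp 10.0.10.0 0.0.0.63 10.0.20.0 0.0.0.63 eq 80"]
```

Calling evaluate(OPTION_A, Packet("10.20.0.10", "10.30.0.100", "tcp", 80)) returns "permit" while the same packet against OPTION_D returns "deny", which is why only option D blocks HTTP; appending "permit ip any any" to ACL_101 is what turns its implicit deny of all other traffic into the intended permit.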
QUESTION 51: What is the primary difference between AAA authentication and authorization?
A. Authentication verifies a username and password, and authorization handles the communication between the authentication agent and the user database.
B. Authentication identifies a user who is attempting to access a system, and authorization validates the user’s password
C. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls the tasks the user can perform.
D. Authentication controls the system processes a user can access and authorization logs the activities the user initiates
Answer: C
AAA stands for Authentication, Authorization and Accounting.
- Authentication: Specify who you are (usually via login username & password)
- Authorization: Specify what actions you can do, what resource you can access
- Accounting: Monitor what you do, how long you do it (can be used for billing and auditing)
An example of AAA is shown below:
- Authentication: “I am a normal user. My username/password is user_tom/learnforever”
- Authorization: “user_tom can access LearnCCNA server via HTTP and FTP”
- Accounting: “user_tom accessed LearnCCNA server for 2 hours”. This user only uses “show” commands.
QUESTION 52: When a floating static route is configured, which action ensures that the backup route is used when the primary route fails?
A. The floating static route must have a higher administrative distance than the primary route so it is used as a backup
B. The administrative distance must be higher on the primary route so that the backup route becomes secondary.
C. The floating static route must have a lower administrative distance than the primary route so it is used as a backup
D. The default-information originate command must be configured for the route to be installed into the routing table
Answer: A
QUESTION 53: Which two outcomes are predictable behaviors for HSRP? (Choose two)
A. The two routers share a virtual IP address that is used as the default gateway for devices on the LAN.
B. The two routers negotiate one router as the active router and the other as the standby router
C. Each router has a different IP address, both routers act as the default gateway on the LAN, and traffic is load balanced between them.
D. The two routers synchronize configurations to provide consistent packet forwarding
E. The two routers share the same IP address, and default gateway traffic is load-balanced between them
Answer: A B
QUESTION 54: Refer to the exhibit. Which password must an engineer use to enter the enable mode?
A. adminadmin123
B. default
C. testing1234
D. cisco123
Answer: C
If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password serves as the enable password for all VTY sessions -> The “enable secret” is used first if configured, then the “enable password”, and finally the console line password.
Reference: https://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/configuration/guide/cpt93_configuration/cpt93_configuration_chapter_0100
QUESTION 55: How do TCP and UDP differ in the way that they establish a connection between two endpoints?
A. TCP uses synchronization packets, and UDP uses acknowledgment packets.
B. UDP uses SYN, SYN ACK and FIN bits in the frame header while TCP uses SYN, SYN ACK and ACK bits
C. UDP provides reliable message transfer and TCP is a connectionless protocol
D. TCP uses the three-way handshake and UDP does not guarantee message delivery
Answer: D
QUESTION 56: When a site-to-site VPN is used, which protocol is responsible for the transport of user data?
A. IKEv2
B. IKEv1
C. IPsec
D. MD5
Answer: C
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN means that two sites create a VPN tunnel by encrypting and sending data between two devices. One set of rules for creating a site-to-site VPN is defined by IPsec.
QUESTION 57: What is the primary effect of the spanning-tree port fast command?
A. it enables BPDU messages
B. It minimizes spanning-tree convergence time
C. It immediately puts the port into the forwarding state when the switch is reloaded
D. It immediately enables the port in the listening state
Answer: B
The purpose of Port Fast is to minimize the time interfaces must wait for spanning-tree to converge; it is effective only when used on interfaces connected to end stations.
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swstpopt.html
QUESTION 58: Which statement about Link Aggregation when implemented on a Cisco Wireless LAN Controller is true?
A. To pass client traffic two or more ports must be configured.
B. The EtherChannel must be configured in “mode active”
C. When enabled the WLC bandwidth drops to 500 Mbps
D. One functional physical port is needed to pass client traffic
Answer: D
Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller’s distribution system ports into a single 802.3ad port channel. Restrictions for link aggregation:
- LAG requires the EtherChannel to be configured for ‘mode on’ on both the controller and the Catalyst switch. So Answer B is not correct.
- If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the LAG connection as a single member link or disable LAG on the controller. Answer A is not correct while Answer D is correct.
QUESTION 59: Refer to the exhibit. Which route does R1 select for traffic that is destined to 192.168.16.2?
A. 192.168.16.0/21
B. 192.168.16.0/24
C. 192.168.26.0/26
D. 192.168.16.0/27
Answer: D
The destination IP addresses match all four entries in the routing table but the 192.168.16.0/27 has the longest prefix so it will be chosen. This is called the “longest prefix match” rule.
QUESTION 60: Which two tasks must be performed to configure NTP to a trusted server in client mode on a single network device? (Choose two)
A. Enable NTP authentication.
B. Verify the time zone.
C. Disable NTP broadcasts
D. Specify the IP address of the NTP server
E. Set the NTP server private key
Answer: AD
To configure authentication, perform this task in privileged mode:
- Step 1: Configure an authentication key pair for NTP and specify whether the key will be trusted or untrusted.
- Step 2: Set the IP address of the NTP server and the public key.
- Step 3: Enable NTP client mode.
- Step 4: Enable NTP authentication.
- Step 5: Verify the NTP configuration.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/8-2glx/configuration/guide/ntp.html
QUESTION 61: Refer to the exhibit. Which command provides this output?
A. show ip route
B. show ip interface
C. show interface
D. show cdp neighbor
Answer: D
QUESTION 62: Which set of actions satisfies the requirement for multi-factor authentication?
A. The user swipes a key fob, then clicks through an email link
B. The user enters a user name and password, and then clicks a notification in an authentication app on a mobile device
C. The user enters a PIN into an RSA token, and then enters the displayed RSA key on a login screen
D. The user enters a user name and password and then re-enters the credentials on a second screen
Answer: B
This is an example of how two-factor authentication (2FA) works:
- The user logs in to the website or service with their username and password.
- The password is validated by an authentication server and, if correct, the user becomes eligible for the second factor.
- The authentication server sends a unique code to the user’s second-factor method (such as a smartphone app).
- The user confirms their identity by providing the additional authentication for their second-factor method.
QUESTION 63: Which mode allows access points to be managed by Cisco Wireless LAN Controllers?
A. autonomous
B. lightweight
C. bridge
D. mobility express
Answer: B
A Lightweight Access Point (LAP) is an AP that is designed to be connected to a wireless LAN (WLAN) controller (WLC). APs are “lightweight,” which means that they cannot act independently of a wireless LAN controller (WLC). The WLC manages the AP configurations and firmware. The APs are “zero touch” deployed, and individual configuration of APs is not necessary.
Reference: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/70278-lap-faq.html
QUESTION 64: Router A learns the same route from two different neighbors, one of the neighbor routers is an OSPF neighbor and the other is an EIGRP neighbor. What is the administrative distance of the route that will be installed in the routing table?
A. 20
B. 90
C. 110
D. 115
Answer: B
The Administrative Distance (AD) of EIGRP is 90 while the AD of OSPF is 110, so the EIGRP route will be chosen and installed in the routing table.
QUESTION 65: Refer to the exhibit. What is the effect of this configuration?
A. The switch port interface trust state becomes untrusted
B. The switch port remains administratively down until the interface is connected to another switch
C. Dynamic ARP inspection is disabled because the ARP ACL is missing
D. The switch port remains down until it is configured to trust or untrust incoming packets
Answer: A
Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.
QUESTION 66: Refer to the exhibit. Which prefix does Router 1 use for traffic to Host A?
A. 10.10.10.0/28
B. 10.10.13.0/25
C. 10.10.13.144/28
D. 10.10.13.208/29
Answer: D
Host A’s address falls within the range of more than one route. When several routes to overlapping subnets exist, the router uses the longest prefix match, i.e. the most specific route to the destination. For example, if routes 10.10.13.192/26 and 10.10.13.208/29 both cover the destination, the router forwards the packet via the /29 rather than a shorter prefix such as /28 or /26.
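Questions 44, 59 and 66 all come down to the same route lookup: collect every routing-table entry that contains the destination, pick the one with the longest prefix, and drop the packet when nothing matches. The following is an added example, not part of the exam dump, that implements that lookup with Python’s ipaddress module over constructed tables modelled on those three questions (the question 66 exhibit is not on the page, so the Host A address 10.10.13.210 and the table combining the prefixes from the explanation are assumptions).

```python
# Added example (not from the exam dump): longest-prefix-match lookup over
# constructed routing tables modelled on questions 44, 59 and 66.
import ipaddress
from typing import Optional, Tuple


def subnet_range(prefix: str) -> Tuple[str, str]:
    """First and last address covered by a prefix, e.g. 10.10.13.0/25 -> .0 to .127."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def lookup(routing_table, destination: str) -> Optional[str]:
    """Return the most specific (longest prefix) route containing destination.

    Every entry that contains the address is a candidate; the one with the
    largest prefix length wins. None means no entry covers the destination,
    so the router has nowhere to send the packet (question 44).
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for entry in routing_table:
        net = ipaddress.ip_network(entry, strict=False)
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


# Question 44: Router2 only knows 10.10.13.0/25, so 10.10.13.128/25 is unreachable.
ROUTER2_TABLE = ["10.10.13.0/25"]
# Question 59: the four candidate prefixes for destination 192.168.16.2.
R1_TABLE = ["192.168.16.0/21", "192.168.16.0/24", "192.168.26.0/26", "192.168.16.0/27"]
# Question 66 (constructed, exhibit not on the page): Host A is assumed to be
# 10.10.13.210 and the table combines the prefixes named in the explanation.
ROUTER1_TABLE = ["10.10.13.0/25", "10.10.13.192/26", "10.10.13.208/29"]

if __name__ == "__main__":
    print(subnet_range("10.10.13.0/25"))          # ('10.10.13.0', '10.10.13.127')
    print(lookup(ROUTER2_TABLE, "10.10.13.130"))  # None: no route, packet dropped
    print(lookup(R1_TABLE, "192.168.16.2"))       # 192.168.16.0/27
    print(lookup(ROUTER1_TABLE, "10.10.13.210"))  # 10.10.13.208/29
```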
QUESTION 67: What are two characteristics of a controller-based network? (Choose two)
A. The administrator can make configuration updates from the CLI
B. It uses northbound and southbound APIs to communicate between architectural layers
C. It moves the control plane to a central point.
D. It decentralizes the control plane, which allows each device to make its own forwarding decisions
E. It uses Telnet to report system issues.
ANSWER: BC
QUESTION 68: Refer to exhibit. Which statement explains the configuration error message that is received?
A. It is a broadcast IP address
B. The router does not support /28 mask.
C. It belongs to a private IP address range.
D. IT is a network IP address.
Answer: A
QUESTION 69: Drag and drop the application protocols from the left onto the transport protocols that it uses on the right.
Answer:
QUESTION 70: Which command must you enter to guarantee that an HSRP router with higher priority becomes the HSRP primary router after it is reloaded?
A. standby 10 preempt
B. standby 10 version 1
C. standby 10 priority 150
D. standby 10 version 2
Answer: A
The “preempt” command enables the HSRP router with the highest priority to immediately become the active router.
QUESTION 71: Which command should you enter to verify the priority of a router in an HSRP group?
A. show hsrp
B. show sessions
C. show interfaces
D. show standby
Answer: D
The following is sample output from the show standby command:
QUESTION 72: Which command should you enter to configure a device as an NTP server?
A. ntp server
B. ntp peer
C. ntp authenticate
D. ntp master
Answer: D
To configure a Cisco device as an Authoritative NTP Server, use the ntp master [stratum] command.
To configure a Cisco device as an NTP client, use the ntp server command. For example:
Router(config)# ntp server 192.168.1.1
This command will instruct the router to query 192.168.1.1 for the time.
QUESTION 73: Which two pieces of information can you determine from the output of the show ntp status command? (Choose two)
A. whether the NTP peer is statically configured
B. the IP address of the peer to which the clock is synchronized
C. the configured NTP servers
D. whether the clock is synchronized
E. the NTP version number of the peer
Answer: BD
Below is the output of the show ntp status command. From this output we learn that R1 has a stratum of 10 and it is getting its clock from 10.1.2.1.
QUESTION 74: Which effect does the aaa new-model configuration command have?
A. It enables AAA services on the device
B. It configures the device to connect to a RADIUS server for AAA
C. It associates a RADIUS server to a group.
D. It configures a local user on the device.
Answer: A
QUESTION 75: Refer to the exhibit. Which command would you use to configure a static route on Router1 to network 192.168.202.0/24 with a non-default administrative distance?
A. router1(config)#ip route 192.168.202.0 255.255.255.0 192.168.201.2 1
B. router1(config)#ip route 192.168.202.0 255.255.255.0 192.168.201.2 5
C. router1(config)#ip route 1 192.168.201.1 255.255.255.0 192.168.201.2
D. router1(config)#ip route 5 192.168.202.0 255.255.255.0 192.168.201.2
Answer: B
The default AD of a static route is 1, so we need to configure a different value for the static route.
QUESTION 76: What is the destination MAC address of a broadcast frame?
A. 00:00:0c:07:ac:01
B. ff:ff:ff:ff:ff:ff
C. 43:2e:08:00:00:0c
D. 00:00:0c:43:2e:08
E. 00:00:0c:ff:ff:ff
Answer: B
QUESTION 77: Which command is used to enable LLDP globally on a Cisco IOS ISR?
A. lldp run
B. lldp enable
C. lldp transmit
D. cdp run
E. cdp enable
Answer: A
Link Layer Discovery Protocol (LLDP) is an industry-standard protocol that allows devices to advertise and discover connected devices and their capabilities (similar to Cisco’s CDP). To enable it on Cisco devices, we have to use this command under global configuration mode:
Sw(config)# lldp run
QUESTION 78: Which of the following dynamic routing protocols are Distance Vector routing protocols?
A. IS-IS
B. EIGRP
C. OSPF
D. BGP
E. RIP
Answer: BE
QUESTION 79: You have configured a router with an OSPF router ID, but its IP address still reflects the physical interface. Which action can you take to correct the problem in the least disruptive way?
A. Reload the OSPF process.
B. Specify a loopback address
C. Reboot the router.
D. Save the router configuration
Answer: A
Once the OSPF router ID has been selected, it stays in effect even if you remove it or configure another OSPF router ID. So the least disruptive way to correct it is to use the command “clear ip ospf process”.
QUESTION 80: Drag and drop the benefits of a cisco wireless Lan controller from the left onto the correct examples on the right.
Answer: