Cisco 300-410 Online Practice Questions and Exam Preparation

Cisco 300-410 Online Questions & Answers

• Question 801:

  Refer to the exhibit.

  

  The router is redistributing a prefix 172.16.10.0/24 that should have been filtered. Which action resolves the issue?

  A. Add the route in access-list 10.
  B. Match the tag 666 for the route in the route map.
  C. Remove route-map sequence 20.
  D. Permit the route in route-map sequence 20.
  C. Remove route-map sequence 20.

• Question 802:

  Refer to the exhibit. An engineer is trying to add an encrypted user password that should not be visible in the router configuration. Which two configuration commands resolve the issue? (Choose two)

  

  A. service password-encryption
  B. username Admin password 5 Cisco@123
  C. no service password-encryption
  D. username Admin password Cisco@123
  E. password encryption aes
  F. username Admin secret Cisco@123
  A. service password-encryption
  F. username Admin secret Cisco@123

  ---

  We can use the "service password-encryption" to encrypt all current and future passwords. Or we can use the "secret" keyword to encrypt the password with MD5 (although MD5 is not secured nowadays).

  Note: The command "service password-encryption" enables the AES password encryption feature (type 6) but we have to converts existing plain or weakly encrypted passwords to type-6 encrypted passwords with the "encryption re-encrypt obfuscated" command.

  You can enable the AES password encryption feature without a primary key, but encryption starts only when a primary key is present in the system with the command key config-key password-encrypt super-secret-password.

  https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3400s/sw/93x/security/configuration/guide/Cisco-n3400-nx-ossecurity-configuration-guide-93x/m-configuring-password-encryption-922.pdf

• Question 803:

  Refer to the exhibit. Bangkok is using ECMP to reach to the 192.168.5.0/24 network. The administrator must configure Bangkok in such a way that Telnet traffic from 192.168.3.0/24 and 192.168.4.0/24 networks uses the Hong Kong router as the preferred router. Which set of configurations accomplishes this task?

  

  A. access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 ! route-map PBR1 permit 10 match ip address 101 set ip next-hop 172.18.1.2 interface Ethernet0/3 ip policy route-map PBR1
  B. access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23 access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23 route-map PBR1 permit 10 match ip address 101 set ip next-hop 172.18.1.2 interface Ethernet0/1 ip policy route-map PBR1
  C. access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23 access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23 route-map PBR1 permit 10 match ip address 101 set ip next-hop 172.18.1.2 interface Ethernet0/3 ip policy route-map PBR1
  D. access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 route-map PBR1 permit 10 match ip address 101 set ip next-hop 172.18.1.2 interface Ethernet0/1 ip policy route-map PBR1
  C. access-list 101 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23 access-list 101 permit tcp 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255 eq 23 route-map PBR1 permit 10 match ip address 101 set ip next-hop 172.18.1.2 interface Ethernet0/3 ip policy route-map PBR1

  ---

  We need to use Policy Based Routing (PBR) here on Bangkok router to match the traffic from 192.168.3.0/24 and 192.168.4.0/24 and "set ip next-hop" to HongKong router(172.18.1.2 in this case). Note: Please notice that we have to apply the PBR on incoming interface e0/3 to receive traffic from 192.168.3.0/24 and 192.168.4.0/24.

• Question 804:

  What is the output of the following command: show ip vrf

  A. Show's default RD values
  B. Displays IP routing table information associated with a VRF
  C. Show's routing protocol information associated with a VRF.
  D. Displays the ARP table (static and dynamic entries) in the specified VRF
  A. Show's default RD values

• Question 805:

  Refer to the Exhibit.

  

  The access-lists are configured on the network device. There is a server behind the network device. User are trying to access the server securely however they are not able to access it. What changes would you recommend to the above configuration?

  A. Permit tcp port 465
  B. Permit tcp port 3389
  C. Permit tcp port 443
  D. Permit tcp any any
  C. Permit tcp port 443

  ---

• Question 806:

  Which two components are required for MPLS Layer 3 VPN configuration? (Choose two)

  A. Use MP-BGP for customer routes.
  B. Use LDP for customer routes.
  C. Use a unique RD per customer VRF.
  D. Use pseudowire for Layer 2 routes
  E. Use OSPF between PE and CE
  A. Use MP-BGP for customer routes.
  C. Use a unique RD per customer VRF.

• Question 807:

  Which of the following commands is used to verify the link-local, global unicast, and multicast addresses of an IPv6 router?

  A. show ipv6 neighbors (only link-local addresses)
  B. show ipv6 route
  C. show ipv6 protocols
  D. show ipv6 interface
  D. show ipv6 interface

  ---

  The show ipv6 interface command is used to verify the link-local, global unicast, and multicast addresses assigned to an IPv6-enabled router interface. The show ipv6 interface command displays information regarding that interface, such as the physical state, MTU, and IPv6 enable/disable state.

  A partial output of the show ipv6 interface command on an IPv6-enabled router named rtrA is as follows:

  

  In the given sample output, you can see that the Fa0/1 interface of rtrA has the link-local address FE80::6339:7BFF:FE5D:A031/64 and the global unicast address 2001:7067:90D1:1::1. The global unicast address is not in EUI-64 format because when the ipv6 address command was issued, the eui64 keyword was not used. If EUI-64 format had been specified with the eui64 keyword, the global unicast address would have been 2001:7067:90D1:1:6339:7BFF:FE5D:A031.

  An IPv6-enabled interface has not only a link-local and global unicast address, but also one or more multicast addresses. A multicast address is an IPv6 address that has the prefix FF00::/8. These addresses are assigned to interfaces of different nodes such that they appear as a logical group. This implies that when a packet is destined for a multicast address, that packet is delivered to all the interfaces that have the same multicast address. The various multicast groups are as follows:

  FF02::1 Indicates the group of all the nodes on the local segment FF02::2 Indicates the group of all the routers on the local segment FF02::1:FF00:0/104 Indicates a solicited-node multicast group for every unicast or anycast address assigned to the interface

  You can also notice in the sample output that the Fa0/1 interface belongs to three multicast groups: FF02::1, FF02::2, and FF02::1:FF5D:A031. The first two multicast groups refer to the all-host and all-router multicast groups, respectively. The third group, FF02::1:FF5D:A031, is the solicited-node multicast address. This address is created for every unicast or anycast address. A solicited-node multicast address is determined by assigning the least significant 24 bits of the unicast address to the least

  significant 24 bits of the FF02::1:FF00:0 address.

  The show ipv6 neighbors command displays the link-local /global unicast addresses of the neighbors, including other information such as state and the next-hop interface.

  The show ipv6 route command is used to view the IPv6 routing table on the router. This command displays the prefixes, administrative distance, metric, and next-hop addresses for various IPv6 networks.

  The show ipv6 protocols command is used to view the active routing protocols for IPv6 on the router. This command shows the interfaces, redistribution status, and summarization status about each of the routing protocols enabled on the router.

  Objective:

  Layer 3 Technologies

  Sub-Objective:

  Identify IPv6 addressing and subnetting

  References:

  Cisco IOS IPv6 Command Reference > show ipv6 eigrp topology through show ipv6 nat statistics > show ipv6 interface

  Cisco IOS IPv6 Command Reference > show ipv6 nat translations through show ipv6 protocols > show ipv6 neighbors

  Cisco IOS IPv6 Command Reference > show ipv6 nat translations through show ipv6 protocols > show ipv6 protocols

  Cisco > Products and Services > Cisco IOS and NX-OS Software > Cisco IOS Technologies > IPv6 > Product Literature > White Papers > Cisco IOS IPv6 Multicast Introduction Cisco > IPv6 Implementation Guide, Release 15.2MandT > Implementing IPv6 Multicast

• Question 808:

  An associate of yours configured a PPPoE connection. You have been alerted by a vulnerability tester that by using a sniffer, he was able to learn the connection credentials. What type of authentication must your associate have configured on the connection?

  A. PAP
  B. 802.1x
  C. CHAP
  D. IPsec
  A. PAP

  ---

  The method used must have been Password Authentication Protocol (PAP). This method transmits the credentials in clear text, which makes it a poor choice.

  There are only two methods available to authenticate a PPP connection, PAP and Challenge-Handshake Authentication Protocol (CHAP). CHAP never sends the password across the link. Rather, the authenticating end of the connection sends random text and other information to the requester. The requester encrypts this data with its password and sends it back. The authenticating end of the connection reverses the encryption using the same password and compares the result with what was originally

  sent. If it matches, the authenticating end of the connection is assured that the requesting end knows the password.

  The connection could not have used either 802.1x or IPsec, as neither method would transmit the credentials in clear text.

  The connection could not have used CHAP. If it had, the credentials could not have been captured with a sniffer.

  Objective:

  Layer 2 Technologies

  Sub-Objective:

  Configure and verify PPP

  References:

  Cisco > Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15MandT > Configuring Authentication > Non-AAA Authentication Methods > Enabling CHAP or PAP Authentication Cisco > Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 15MandT (PDF)

• Question 809:

  Which feature minimizes DoS attacks on an IPv6 network?

  A. IPv6 Binding Security Table
  B. IPv6 Router Advertisement Guard
  C. IPv6 Prefix Guard
  D. IPv6 Destination Guard
  D. IPv6 Destination Guard

  ---

  The Destination Guard feature helps in minimizing denial-of-service (DoS) attacks. It performs address resolutions only for those addresses that are active on the link, and requires the FHS binding table to be populated with the help of the IPv6 snooping feature.The feature enables the filtering of IPv6 traffic based on the destination address, and blocks the NDP resolution for destination addresses that are not found in the binding table. By default, the policy drops traffic coming for an unknown destination.

• Question 810:

  Refer to the exhibit. Which action resolves the failed authentication attempt to the router?

  

  A. Configure aaa authorization login command on line vty 0 4
  B. Configure aaa authorization login command on line console 0
  C. Configure aaa authorization console global command
  D. Configure aaa authorization console command on line vty 0 4
  C. Configure aaa authorization console global command

  ---

  In the debug output, we see that the Authorization (not Authentication) failed so we need to correct the authorization. In order to enable authorization, we must use the global command "aaa authorization console" first. Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a1.html