ICND1 – Security Questions

June 7th, 2017 in ICND1 100-105

Question 1

An administrator has connected devices to a switch and, for security reasons, wants the dynamically learned MAC addresses from the address table added to the running configuration. What must be done to accomplish this?

A. Enable port security and use the keyword sticky.
B. Set the switchport mode to trunk and save the running configuration.
C. Use the switchport protected command to have the MAC addresses added to the configuration.
D. Use the no switchport port-security command to allow MAC addresses to be added to the configuration.

Answer: A

Explanation

This is the full command mentioned in answer A:

switchport port-security mac-address sticky [MAC]

If we don’t specify the MAC address (as in this question), the switch will dynamically learn the attached MAC address and place it into the running configuration.

Question 2

The following commands are entered on the router:

Burbank(config)# enable secret fortress
Burbank(config)# line con 0
Burbank(config-line)# login
Burbank(config-line)# password n0way1n
Burbank(config-line)# exit
Burbank(config)# service password-encryption

What is the purpose of the last command entered?

A. to require the user to enter an encrypted password during the login process
B. to prevent the vty, console, and enable passwords from being displayed in plain text in the configuration files
C. to encrypt the enable secret password
D. to provide login encryption services between hosts attached to the router

Answer: B

Explanation

The “service password-encryption” command encrypts the passwords set by the “enable password” global configuration command and by the “password” line configuration command (VTY, console) that are saved in the router configuration file.

Note: The secret password (configured by the command “enable secret fortress”) is always encrypted even if the “service password-encryption” command is not used.

Also, the “service password-encryption” command encrypts both current and future passwords.

Question 3

Why would a network administrator configure port security on a switch?

A. to prevent unauthorized Telnet access to a switch port
B. to prevent unauthorized hosts from accessing the LAN
C. to limit the number of Layer 2 broadcasts on a particular switch port
D. block unauthorized access to the switch management interfaces

Answer: B

Question 4

A company has placed a networked PC in a lobby so guests can have access to the corporate directory. A security concern is that someone will disconnect the directory PC and re-connect their laptop computer and have access to the corporate network. For the port servicing the lobby, which three configuration steps should be performed on the switch to prevent this? (Choose three)

A. Enable port security.
B. Create the port as a trunk port.
C. Create the port as an access port.
D. Create the port as a protected port.
E. Set the port security aging time to 0.
F. Statically assign the MAC address to the address table.
G. Configure the switch to discover new MAC addresses after a set time of inactivity.

Answer: A C F

Explanation

By configuring the port connected to the directory PC as an access port, the network administrator will mitigate a lot of security issues because an access port does not have as much privilege as a trunk port -> C is correct.

The port security feature can also help mitigate security issues because it can learn the MAC address of the directory PC. When another laptop is plugged into the port, the switch will automatically block or shut down that port (if a suitable configuration is used) -> A is correct. Note, however, that nowadays an attacker can fake the MAC address of the directory PC.

By statically assigning the MAC address to the address table, only that MAC address can access the network -> F is correct.
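
The three steps above can be checked against a saved configuration. The following script is an added example, not part of the original question or explanation; the sample configuration, interface numbers and MAC address are constructed, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt (not from the page); the interface
# numbers and the MAC address are made up for illustration.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
!
interface FastEthernet0/3
 switchport port-security mac-address sticky
!
"""

# A secure MAC entry (static or sticky) that actually carries an address.
SECURE_MAC = re.compile(
    r"switchport port-security mac-address (sticky )?"
    r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

def parse_interfaces(config):
    """Return {interface name: [stripped stanza lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = stanzas.setdefault(raw.split(None, 1)[1].strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def audit_host_ports(config, host_ports):
    """Check each named port against answers C, A and F of Question 4."""
    stanzas, report = parse_interfaces(config), {}
    for name in host_ports:
        lines, gaps = stanzas.get(name, []), []
        if "switchport mode access" not in lines:
            gaps.append("C: not configured as an access port")
        if "switchport port-security" not in lines:
            gaps.append("A: port security not enabled")
        if not any(SECURE_MAC.match(entry) for entry in lines):
            gaps.append("F: no secure MAC address in the configuration")
        report[name] = gaps
    return report
```

A port with an empty list has all three steps in place; a bare “mac-address sticky” line without a learned address is reported under F.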

Question 5

What is the effect of using the service password-encryption command?

A. Only the enable password will be encrypted.
B. Only the enable secret password will be encrypted.
C. Only passwords configured after the command has been entered will be encrypted.
D. It will encrypt the secret password and remove the enable secret password from the configuration.
E. It will encrypt all current and future passwords.

Answer: E

Explanation

The “service password-encryption” command encrypts the passwords set by the “enable password” global configuration command and by the “password” line configuration command (VTY, console) that are saved in the router configuration file.

The “service password-encryption” command encrypts both current and future passwords.

Question 6

How can you ensure that only the MAC address of a server is allowed by switch port Fa0/1?

A. Configure port Fa0/1 to accept connections only from the static IP address of the server.
B. Configure the server MAC address as a static entry of port security.
C. Use a proprietary connector type on Fa0/1 that is incompatible with other host connectors.
D. Bind the IP address of the server to its MAC address on the switch to prevent other hosts from spoofing the server IP address.

Answer: B

Explanation

The command to configure port security on a switch is (in interface configuration mode):

switchport port-security mac-address sticky [MAC]

In this case we will type the server MAC address. That MAC address will be stored in the address table, and added to the switch running configuration.

Note: If we don’t specify the MAC address, the switch will dynamically learn the attached MAC address and place it into the running configuration.

Question 7

Refer to the exhibit. The network administrator made the entries that are shown and then saved the configuration. From a console connection, what password or password sequence is required for the administrator to access privileged mode on Router1?

Router# configure terminal
Router(config)# hostname Router1
Router1(config)# enable secret sanfran
Router1(config)# enable password cisco
Router1(config)# line vty 0 4
Router1(config-line)# password sanjose
Router1(config-line)#

A. cisco
B. sanfran
C. sanjose
D. either cisco or sanfran
E. either cisco or sanjose
F. sanjose and sanfran

Answer: B

Explanation

In the configuration above we have three passwords:

+ The “enable secret” password: sanfran
+ The “enable password” password: cisco
+ The VTY line password: sanjose

The first two, “enable secret” and “enable password”, are used to set the password for entering privileged mode (an example of the privileged mode prompt: Router#). Both of them will be stored in the running configuration, but the password in the “enable secret” command is always encrypted using an MD5 hash, while the password in “enable password” is in plain text.

Note: If you want to encrypt the “enable password” you can use the command “service password-encryption”, but it will be encrypted with a very basic form of encryption called the Vigenère cipher, which is very weak.

When you configure both an enable and a secret password, the secret password will be used -> B is correct.
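
To see how these storage forms look in a saved configuration, the following script is an added example, not part of the original explanation. It assumes the numeric type prefixes that “show running-config” displays (5 for the secret, 7 for service password-encryption output); the sample excerpt is constructed on the model of Question 7, its hash and type 7 strings are placeholders, and the function names are hypothetical.

```python
import re

# Constructed "show running-config" excerpt modelled on Question 7. The hash
# and the type 7 string are placeholders, not real encodings.
SAMPLE_CONFIG = """\
hostname Router1
no service password-encryption
enable secret 5 $1$PLACEHOLDER$NotARealHashValue
enable password cisco
line con 0
 password 7 00PLACEHOLDER
 login
line vty 0 4
 password sanjose
 login
"""

PASSWORD = re.compile(r"(enable secret|enable password|password)(?: (\d+))? (\S+)$")

def storage(kind, ptype):
    """Describe how a password is stored, following the page's explanation."""
    if kind == "enable secret":
        return "hashed"  # the page: always stored as an MD5 hash
    return "type 7 (weak)" if ptype == "7" else "plain text"

def audit_passwords(config):
    """Report how each password is stored; password values are never copied."""
    report = {"service_password_encryption": False, "entries": []}
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level command sets the context
            context = line if line.startswith("line ") else "global"
        if line == "service password-encryption":
            report["service_password_encryption"] = True
        found = PASSWORD.match(line)
        if found:
            kind, ptype, _value = found.groups()
            report["entries"].append((context, kind, storage(kind, ptype)))
    kinds = [kind for _, kind, _ in report["entries"]]
    # With both configured, the enable secret is the one that is used.
    report["privileged_mode_uses"] = next(
        (k for k in ("enable secret", "enable password") if k in kinds), None)
    return report
```

Any entry reported as “plain text” or “type 7 (weak)” is a password that anyone who can read the configuration file can recover.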

Question 8

What should be part of a comprehensive network security plan?

A. Allow users to develop their own approach to network security
B. Physically secure network equipment from potential access by unauthorized individuals
C. Encourage users to use personal information in their passwords to minimize the likelihood of passwords being forgotten
D. Delay deployment of software patches and updates until their effect on end-user equipment is well known and widely reported
E. Minimize network overhead by deactivating automatic antivirus client updates

Answer: B

Explanation

None of the other answers is recommended for a network security plan, so only B is correct.

Question 9

What are two recommended ways of protecting network device configuration files from outside network security threats? (Choose two)

A. Allow unrestricted access to the console or VTY ports.
B. Use a firewall to restrict access from the outside to the network devices.
C. Always use Telnet to access the device command line because its data is automatically encrypted.
D. Use SSH or another encrypted and authenticated transport to access device configurations.
E. Prevent the loss of passwords by disabling password encryption.

Answer: B D

Question 10

From which of the following attacks can Message Authentication Code (MAC) shield your network?

A. DoS
B. DDoS
C. spoofing
D. SYN floods

Answer: C

Comments (38)
  1. Router47
    October 25th, 2013

    Why is Question # 3 answer B and not A?

  2. jp.ccna
    October 29th, 2013

    Router47, telnet is remote access. You would not telnet via a physical port, but via the vty setup. Port security refers to the physical ports and therefore would prevent physical hosts from plugging into a switchport and gaining access.

  3. bbk
    December 17th, 2013

    i am an Indian……. if any1 of u gave exam in India …would u plz tell me how much exam cost u in rupees????? because yesterday i register for exam …that time exchange rate was 62.54… but they charge me 66 rs. 66*150=9900…. is it ok??? plz guide…

  4. itsme
    December 18th, 2013

    I took xam on 16th. It costs me 96XX. I dont remember the xchange rate on monday.

  5. CCENT Someday
    January 31st, 2014

    Anyone,

    I plan on taking exam next week. What other sims/labs did you get besides the OSPF 6 router?

    Thanks in Advance!

  6. Marco Mwaimu
    February 20th, 2014

    Thank you very much for the dumps it has been so informative for me,im going to sit for my ICND1 exam at the end of March please any one who can give me the link for sample questions help me

  7. Router-On-Stick
    April 10th, 2014

    Router47, port security is configured on a physical interface on the switch to prevent unauthorised access to unwanted users to the LAN and telnet requires SVI configurations plus it's accessed remotely not physically.

  8. Malik
    April 14th, 2014

    I just passed my ICND1 today with 973 marks and these questions were there,
    Thank you 9tut for a big help and support …. you guys are awesome …..

    need to pass icnd1 ? study cbt nuggets icnd1 and check everything on 9tut.net you dont need anything else …….

  9. fez
    April 24th, 2014

    Passed my 100-101 exam today and question 2,4 and 6 were there.. all the best

  10. Manohar Tn
    May 16th, 2014

    Got 986/1000 Marks, {5/16/2014} 50 Questions, Ospf Sim, Security simlet, and Router and switch Simlet Was also there…..All questions From 9tut. and Examcollections…..Now Heading For Icnd2 And Blogging…..

    For Any Help.
    Manohar Tn
    Website: http://www.techlinko.com
    G+ : https://plus.google.com/u/0/+ManoharTN9/

  11. sparJ90
    August 17th, 2014

    shudnt the answer to q 4 be A D F.. PLS HELP!

  12. Eng
    September 30th, 2014

    SparJ90, I think you may be on target. Question 4, the decision needs to be made between access port and protected port – we are all in agreement with enabling port security and Statically assigning the MAC address to the address table. Since the question doesn’t seem to be concerned with attaching a rogue switch in this scenario (thus forming a trunk) – and setting the violation to protected better fits the laptop scenario – I believe it should be A, D, and F. No question, all non-trunked Access Layer switch ports should be configured to access ports. I have not taken the exam yet but have been in the field for a while – anxious to hear others thoughts/experiences with regards to this question.

  13. Eng
    September 30th, 2014

    To retract my statement to SparJ90 regarding Question 4, I can see why A, C, and F were chosen. Sorry, all, for the confusion. When you enable port security and statically set the MAC address – the default settings are maximum number of secure MAC addresses = 1 and violation mode = shutdown…. So protect would not be necessary in this case – plus don’t forget default would do logging with SNMP traps. Since this device is in a lobby, it would be wise to remove default dynamic desirable and set to static access (not because of the laptop concern) – which is eliminated in answers A and F when considering default settings for violations and maximum number of MAC addresses allowed, but to prevent rogue switches from possibly forming a trunk – maximum number of MAC addresses default would eliminate the concern of hubs too. Hope this helps – sorry for the long dissertation 🙂

  14. watevah
    September 30th, 2014

    pipo want dumps wen all questions come from 9tut hahaha…jus deal with 9 tut you gp pass

  15. watevah
    September 30th, 2014

    pipo want dumps wen all questions come from 9tut hahaha…jus deal with 9 tut you go pass

  16. Luke
    November 16th, 2014

    Failed the test today 🙁 I got 801/1000 needed 804!!!!!!!!!!!!!!!!!!!!! So unfair, anyway thanks 9tut a lot of learning has come from you and made me get the answers i did get, correct.

  17. Yahia Tariq
    November 22nd, 2014

    Questions 1-3-7 were in exam on 20/11/2014, more than 45 questions were from 9tut !

  18. roger
    March 5th, 2015

    good stuff

  19. Ahmed
    March 28th, 2015

    q1,3,4,5,7 in exam

  20. Anonymous
    April 15th, 2015

    hi guys just did the exam and q2,4,5 and 6 were there. Thanks 9tut.

  21. G-10
    April 26th, 2015

    Q1, 4, 5, 7 were in the exam, I took it last Friday

  22. G-10
    April 26th, 2015

    Q6,8 in exam

  23. Anonymous
    May 16th, 2015

    This a nice forum

  24. Dude
    June 25th, 2015

    Question #7 answer is not explained correctly. The answer is B because from a “CONSOLE CONNECTION” you will not use the vty lines since you will be directly connected to the device. Now “ENABLE PASSWORD” uses a lower encryption type than “ENABLE SECRET,” because of this, the high encryption type will be used as a password. I tried this using Packet Tracer, used both “ENABLE” types and the “ENABLE SECRET” was the one that worked.

  25. Anonymous
    June 26th, 2015

    get free dumps dumps from this link
    wurl. cc/dumps

  26. 9tut
    July 13th, 2015

    @all: We had to move all the questions and answers out of 9tut. We can only keep the explanation. You can download the questions and answers at: https://mega.co.nz/#!oIdESYbD!yyu33vygrfKPy4rcmcbV6qW2fxINNoTokuDM3CjA_og

  27. Anonymous
    July 20th, 2015

    why is this site not showing the questions anymore?

  28. aramirez
    July 28th, 2015

    Hi, when the site will show the questions?

  29. 9tut
    September 10th, 2015

    can s1 explain more about q3 pls
    Thanks in advance

  30. Dont need anything further
    May 31st, 2016

    please note that if you have both enable password and enable secret, the enable secret TRUMPS!!
    the enable password.

    hahaha – Sorry, I needed to throw Trump in there ! 😉

  31. zizou
    August 13th, 2016

    can i have latest dumps please,writing icnd1 in 3 days

  32. Afridi
    August 22nd, 2016

    Can i have dumps of CCNA R&S??

  33. Afridi
    August 22nd, 2016

    Can i have something related to AAA Radius or TACACS+ server or both?? Either labs or theory…

  34. Afridi
    August 22nd, 2016

    My email id is {email not allowed}

  35. Salene
    December 1st, 2016

    Get best offer from Dumps4Download on 100-101 exam or all Cisco exam study material visit this link for more info https://www.dumps4download.us/free-100-101/cisco-question-answers.html

  36. jane woken
    May 16th, 2017

    hi guys,
    can someone send me the dumps according the answers of this site for ICND1???? please please please. I really neeeeeeeeeeeeeeeed it. my email address is jane_woken52 at yahoo dot com . It will be big help. Pleeeeeeeeeeeeeeeease .

    my email address is jane_woken52 @ yahoo . com

  37. vlad
    June 4th, 2017

    please share the security sim

  38. Lance
    July 24th, 2017

    Passed, if you go the exam study the 285q dumps.