
Security Testlet

May 20th, 2015 in ICND1, ICND1 100-101





We are not sure of the exact wording of this question, but it is something like this:

Before this switch and router can be put to use in the network, what security risks can be found…

We are still not sure about the configurations in this sim, but we have some information to share with you (updated on December-07-2011. Thanks to Joe Mendola, xallax and the many candidates who shared the information!):

These may be the configurations on the Router and the Switch (but notice that they are surely missing something):


no service password-encryption
enable password cisco
username ciscouser privilege 15 password 0 cisco
banner motd ^CWelcome! If you encountered any problem, please consult the administrator^C
line vty 0 4
password 4t&34rkf
login local
transport input telnet ssh



no service password-encryption
hostname switch1
enable password cisco
username ciscouser password 0 cisco
ip domain-name cisco.com

banner login ^c
************ welcome to Switch1. If you encountered any problem, please consult the administrator ************* ^c

line con 0
line vty 0 4
login login local
transport input ssh
line vty 5 15
login local
transport input ssh

Note: This is just what we have gathered and guessed. In the exam the configurations may be different, so make sure you understand “enable secret”, “enable password”, “login”, “login local”, “transport input”, “line vty”, “service password-encryption”, “banner motd” and “privilege” before taking this exam!

This sim has 4 questions:

Question 1

Guideline to answer this question:

Because “service password-encryption” is not set on RouterA, the password to access privileged mode (set via the command “enable password cisco”) is unencrypted. The password for VTY is also unencrypted (notice that the password “4t&34rkf” is stored in plain text) -> A is correct.

Although the banner says “Welcome …”, it does not leak any security information, so it is still safe -> B is not correct.

From the command “transport input telnet ssh” we learn that remote access can be made through telnet or SSH. This is also the default setting of Cisco router -> C is correct.

In the “line vty 0 4” configuration, the type of login is specified as “login local”. This means the router will not use the password configured under “line vty 0 4” (in this case “4t&34rkf”); it will use the username and password configured in the “username ciscouser privilege 15 password cisco” command instead. That command also grants privilege level 15 to the “ciscouser” user -> D is correct.

Question 2

Guideline to answer this question:

A is correct as we can telnet from line 0 to line 4 (line vty 0 4).

We can use both telnet and SSH to connect to this router (transport input telnet ssh) -> B is not correct.

C is correct as we can telnet to it.

D is not correct because by default, the timeout is set to 10 minutes on both the console and the vty ports.

E is not correct as NAT can be used even if DHCP is not used.

Question 3

Guideline to answer this question:

Privileged mode on RouterA is protected with an unencrypted password (via the “enable password” command) -> A is correct.

B is not correct as mentioned above.

The password of the VTY lines is “4t&34rkf”. Although it is unencrypted, it is not a weak password because it contains numbers and special characters -> C is not correct.

Although a password of “4t&34rkf” is configured, with the command “login local” the router will use the username “ciscouser” and the password “cisco” (configured in the “username ciscouser privilege 15 password 0 cisco” command) -> D is correct.

Check the configuration of RouterA with the “show run” command: to support web server access it must have the command “ip http server”, but it does not -> E is not correct.

Question 4

Guideline to answer this question:

We don’t have enough information about the switch configuration, so we can’t be sure about the correct answers, but the following is a guideline:

Answer B is surely not correct as the wording in the banner does not leak any security information.

If under “line vty 0 4” you see the “login” command but no password is configured, then maybe answer C is correct. In this case, if we try to telnet/ssh to the switch we will receive the message “Password required, but none set” and then we are kicked out ^^.

If you see a popular username and password then maybe answer D is correct.

If the command “transport input …” specifies “telnet” as a method then answer E is correct.

For answer F, if you see something like this:

line vty 0 4
privilege level 15

or these lines:

username ciscouser privilege 15 password cisco


login local (in “line vty 0 4”)

then answer F is correct.
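
The checks used in the four guidelines above can be run mechanically against a saved configuration. The script below is an added example, not part of the sim or of the original post; the function names, the finding codes and the embedded sample (the guessed RouterA configuration listed earlier on this page) are assumptions made for illustration.

```python
import re

# Constructed sample: the guessed RouterA configuration quoted on this page.
ROUTER_A = """\
no service password-encryption
enable password cisco
username ciscouser privilege 15 password 0 cisco
line vty 0 4
 password 4t&34rkf
 login local
 transport input telnet ssh
"""

# Matches only a clear-text (type 0 or untyped) username password.
USER_RE = re.compile(r"username (\S+) (?:privilege (\d+) )?password (?:0 )?(\S+)$")

def vty_blocks(lines):
    """Yield (header, sub-commands) per 'line vty' section.
    Simplification: a section runs until the next 'line ...' or '!'."""
    block = None
    for l in lines:
        if l.startswith("line ") or l == "!":
            if block and block[0].startswith("line vty"):
                yield block
            block = (l, [])
        elif block:
            block[1].append(l)
    if block and block[0].startswith("line vty"):
        yield block

def audit(config):
    """Return the set of finding codes for an IOS configuration text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    found = set()
    if "service password-encryption" not in lines:
        found.add("no-password-encryption")
    if any(re.fullmatch(r"enable password (0 )?\S+", l) for l in lines):
        found.add("enable-password-cleartext")
    for m in filter(None, map(USER_RE.match, lines)):
        found.add("user-cleartext-password:" + m.group(1))
        if m.group(2) == "15":
            found.add("user-privilege-15:" + m.group(1))
    for header, cmds in vty_blocks(lines):
        has_pw = any(c.startswith("password ") for c in cmds)
        if any(re.match(r"transport input .*\b(telnet|all)\b", c) for c in cmds):
            found.add("telnet-allowed:" + header)
        if "login local" in cmds and has_pw:   # line password is never used
            found.add("line-password-ignored:" + header)
        if "login" in cmds and not has_pw:     # "Password required, but none set"
            found.add("login-without-password:" + header)
    return found
```

The two line-level findings correspond to the “login local” point in Question 1 (answer D) and the “Password required, but none set” case in Question 4 (answer C).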


Hope you will contribute your experience about this sim after taking the ICND1 exam. We will post here when we get new information about this sim as soon as possible.

Comments (23)
  1. Anonymous
    July 26th, 2016

    But it gets you a job and it’s up to the person to learn the trade. I bet you’re one of those people with work experience but can’t pass any test, just because you’re at the company so long? Get a life

  2. Anonymous
    August 1st, 2016

    i have register 9 tut but the is question and answer can any one help

  3. Anonymous
    August 4th, 2016

    in the router part, at the login local, the real command is “no login local”

  4. Anonymous
    August 6th, 2016

    for question 4, I think the answer should be:

    A. privilege mode is protected with an un-encrypted password “enable password cisco” and no service-password encryption
    D. both the username and password are weak
    F. Cisco user will be granted privilege level 15 by default, because there is no setting of privilege mode, and by default the privilege level is set to 15

    I disagree with “C” because since there is login local under line vty 0 4, ssh login can be achieved using the given username and password

  5. JimitheMan
    August 11th, 2016

    icnd1 next week and im shitting meself!!! I took it last year and got 802!!!needed 804 to pass…sickenerorwhat!

  6. Anonymous
    August 14th, 2016

    I had this lab I got like a 50% on it so I don’t understand what they were looking for

    enable password cisco
    username ciscouser o password cisco
    line vty 0 4
    password 4!oneGO
    answer I choose was priv mode password was unencrypted and weak
    able to login with 5 virtual lines

    Not really sure

  7. naina
    August 16th, 2016

    Tomorrow I’m going for exam 9 tut questions r enough for me if anyone has other dumps plz suggest me or mail me at {email not allowed}

  8. JimitheMan
    August 16th, 2016

    exam 2day wish me luck,I will let u know how i got on,9 tut has been a great help over the years and I will be sorry to see it go,THANKS 9 TUT !!!

  9. Mohamed Yasser
    August 16th, 2016

    ur answer is right, priv. mode password is unencrypted, also the password below u can make it secret too for more remote access security, its better if that choice exist
    i ve the exam tmw wish me luck 🙂

  10. Hana ISe
    August 18th, 2016

    I have exam today wish me luck 🙂

  11. Jaduco
    August 18th, 2016

    Good luck @Hana ISE

  12. Afridi
    August 22nd, 2016

    Hana ISe may you have failed in ur exams 🙂

  13. James
    August 31st, 2016

    HI all ;

    I took exam today 8-31-2016 and I Passed ICND1 exam. 897/1000. The Sim was similar to this one that shows here (about router and Switch Security), so read it carefully. Another Sims had R1,R2,R3 with RIP configuration and then they had problem in DHCP scope (which was configured wrong); they put ACL in one of the routers that was blocking the people to access Server; and another Topic was in NAT (the Interesting traffic was wrong) and another Concept of NTP. No need to do any configuration only show commands. It was time consuming and Had to use a lot of show run and Show ip int brief to find answer, I had two Sim with only show commands on ICND1 Exams. I studied old ICND1 exam PDF and I was able to pass it. Few Questions on Ip address, but some more question about NTP server.

  14. Vicky
    September 10th, 2016

    Hello everyone….anyone have idea about ICND 1 V3?

  15. rich carner
    September 21st, 2016

    hi james…. excuse… did you see something about ospf in the 100-105 exam?

  16. Smithk331
    September 23rd, 2016

    Thank you for some other informative website. Where else may just I am getting that kind of info written in such an ideal means? I’ve a venture that I am just now working on, and I have been on the glance out for such info. gafakfgeeadefeke

  17. Anonymous
    October 7th, 2016

    What are your thoughts on the questions below:

    Which option is a valid hostname for a switch?

    Which MTU size can cause a baby giant error?

    Which statement about native VLAN traffic is true?

    A.Cisco Discovery Protocol traffic travels on the native VLAN by default.
    B.Traffic on the native VLAN is tagged with 1 by default.
    C.Control plane traffic is blocked on the native VLAN.
    D.The native VLAN is typically disabled for security reasons.

    Which value is indicated by the next hop in a routing table?
    A.preference of the route source
    B.IP address of the remote router for forwarding the packets
    C.how the route was learned
    D.exit interface IP address for forwarding the packets

    Which RFC was created to alleviate the depletion of IPv4 public addresses

    A.RFC 4193
    B.RFC 1519
    C.RFC 1518
    D.RFC 1918

    Which NTP command configures the local device as an NTP reference clock source?
    A.ntp peer
    B.ntp broadcast
    C.ntp master
    D.ntp server

  18. Anonymous:
    November 19th, 2016

    1) Hostnames can’t start with a number, and can’t have special characters (bangs/exclamation) (but can have a dash). A) starts with a number. B) has a bang at the end. C) starts with a number. Only D) is correct.

    2) A standard frame is 1500 bytes. Baby Jumbo Frames are anything SLIGHTLY larger than 1500, up to 1600 bytes. Jumbo Frames are between 1600 and 9000 bytes. Super Jumbo frames are larger than 9000 bytes of payload. So, to answer this question: Just look at which MTU setting is slightly larger than 1500 MTUs, and that would be D) 1518.

    3) This question is about Native VLAN. The native VLAN is the VLAN that is configured for packets that don’t have a tag. The default native VLAN on all Cisco Switches is VLAN 1. It is always enabled by default. These settings can all be changed: That is: you can designate a different VLAN as the native VLAN, disable VLAN 1, etc. Knowing that, we can eliminate D) as the correct answer because it is enabled by default. We can also eliminate B) because Native VLAN packets don’t get tags by default (you can change this). Finally, Control Plane traffic is never blocked on Native VLAN 1, and even if you change the Native VLAN, the control plane traffic still comes across VLAN 1. That eliminated answer C) – leaving A) as the only answer.

    4) The next hop is the IP address of the next router that the packet has to be forwarded to, in order for it to eventually reach its destination. This pretty much leaves us with only one logical answer: B)

    RFC 4193 is about Unique Local IPv6 Unicast Addresses.
    RFC 1519: Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy .
    RFC 1518: An Architecture for IP Address Allocation with CIDR.
    And RFC 1918: Address Allocation for Private Internets.

    Since we’re talking about Public, not private addresses, we can eliminate answer D. Since we’re talking about IPv4, we can also eliminate Answer A. Answer C can also be eliminated because the RFC is about the architecture for IP address allocation… leaving just Answer B as the correct choice.

    6) Last- NTP: NTP is the Network Time Protocol, which is how devices get time updates. A Master server (If you’re using public NTP, there are several of them) uses an atomic clock or GPS signal to keep itself on time. It also passes that time info down to properly configured NTP Peers. An NTP Server is a router or other device that is authorized to pass on the time info to other devices. They can be several layers deep – meaning: The master passes time data to Routers 1 and 2. Router 1 is a server, and passes that same data on to Router A and B. Router A passes the info onto a switch, and so on. All the servers usually have several peers they refer to (other servers) to compare the times across the board. Any that are “insane” are rejected outright. Anyway the command to make a router a server is simply Answer D) which tells the router it is the source of NTP on its network. Note: It will have a master for NTP unless it is the master (meaning it has an atomic clock or GPS attached to it.)

  19. Anonymous
    December 1st, 2016

    Latest valid passing exam questions available at only 13$ at below link. With free updates for 3 month. Money back guarantee.

    remove asteriks

  20. Arch
    December 19th, 2016

    Get best offer from Dumps4Download.com on 100-101 exam visit this link for more info http://www.dumps4download.com/100-101-dumps.html

  21. Message for Arch
    January 13th, 2017

    The ICND1 is 100-105 so you can shove your best offer on an old exam

  22. tolssekimix
    February 6th, 2017

    Hello! I really like your blog! Continue to write more! Very interesting!

  23. Test
    February 17th, 2017

    Question 2,

    Answer A’s wording is stupid… it said ” ‘at least’ 5 simultaneous remote connect are possible”

    To normal people “At least” = Minimum. In this situation, 5 simultaneous connections is maximum. This isn’t even testing us on our knowledge of the subject. It’s word play to screw us up.
