100-105 NetCert: Interconnecting Cisco Networking Devices Part 1 (ICND1) v3.0
What will be the effect of executing the following command on port F0/1?
switch(config-if)# switchport port-security mac-address 00C0.35F0.8301
A. The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
B. The command expressly prohibits the MAC address of 00c0.35F0.8301 as an allowed host on the switch port.
C. The command configures an inbound access control list on port F0/1 limiting traffic to the IP address of the host.
D. The command encrypts all traffic on the port from the MAC address of 00c0.35F0.8301.
Correct Answer: A
The command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the switch port. By default, an unlimited number of MAC
addresses can be learned on a single switch port, whether it is configured as an access port or a trunk port. Switch ports can be secured by defining one
or more specific MAC addresses that should be allowed to connect, and violation policies (such as disabling the port) if additional hosts try to gain a
The switchport port-security mac-address 00C0.35F0.8301 command statically defines the MAC address of 00c0.35F0.8301 as an allowed host on the
The switchport port-security mac-address 00C0.35F0.8301 command does not expressly prohibit the MAC address of 00c0.35F0.8301 as an allowed
host on the switch port. The port-security command is designed to identify allowed MAC addresses not prohibited addresses.
The switchport port-security mac-address 00C0.35F0.8301 command does not configure an inbound access control list on port F0/1 limiting traffic to the
IP address of the host. It will accept traffic to the port, but will only allow a device with that MAC address to be connected to the port.
The switchport port-security mac-address 00C0.35F0.8301 command does not encrypt all traffic on the port from the MAC address of 00c0.35F0.8301.
The port-security command has nothing to do with encryption.
LAN Switching Fundamentals
Configure, verify, and troubleshoot port security
You have configured a router as shown in the following output:
Hosts on the LAN cannot receive an IP address. What is wrong?
A. The IP address on the serial interface is incorrect.
B. The default-router command in the DHCP pool is incorrect.
C. An IP address needs to be configured on the FastEthernet interface.
D. The NAT pool is not large enough.
Correct Answer: C
An IP address needs to be configured on the FastEthernet interface. Dynamic Host Control Protocol (DHCP) is used to dynamically provide IP network
configurations to workstations as they are booted up. DHCP minimizes network administration overload, allowing devices to be added to the network
with little or no manual configuration.
The router configuration in the scenario has created a DHCP address pool called POOLNAME. The network statement in the exhibit, network 10.2.10.0
255.255.255.0, identifies the range of IP addresses that the pool will provide to host systems (10.2.10.0 /24). However, a DHCP pool can only provide IP addresses over a subnet to which it is directly connected. Because neither of the interfaces in the exhibit has an IP address on the 10.2.10.0 /24 subnet,
the solution is to assign the FastEthernet0/0 interface the IP address specified in the default-router statement, 10.2.10.254 /24.
The IP address on the serial interface has no impact on the DHCP pool.
The default-router statement is correctly providing the IP address that DHCP hosts will use as their default gateway. The problem is not with the defaultrouter
statement, but with the lack of a correct IP address assigned to the FastEthernet0/0 interface.
The NAT configuration in the exhibit has no impact on the DHCP pool. If the NAT pool were not large enough, the result would be that some of the hosts
would be able to get to the Internet and others would not. For example, the output from the diagram shown below indicates that there are fourteen
addresses in the pool (18.104.22.168 to 22.214.171.124). If the network contained 30 computers, only fourteen would be able to use the Internet at the same time
because of the number of public addresses in the pool:
ip nat pool NATPOOL 126.96.36.199 188.8.131.52 netmask 255.255.255.240
ip nat inside source list 1 pool NATPOOL
Configure and verify DHCP ona router (excluding static reservations)
Which Cisco Internetwork Operating System (IOS) command would be used to define a static route for network 192.168.11.0 through default gateway
A. router(config)# ip route 192.168.11.0 255.255.255.0 192.168.43.1
B. router# ip route 192.168.11.0 255.255.255.0 192.168.43.1
C. router(config)# ip classless 192.168.43.1
D. router(config)# ip default gateway 192.168.11.0 255.255.255.0 192.168.43.1
E. router# ip default gateway 192.168.43.1
Correct Answer: A
The router(config)# ip route 192.168.11.0 255.255.255.0 192.168.43.1 command would be used to define a static route for network 192.168.11.0
through default gateway 192.168.43.1. Static routing is used to manually configure routes to remote networks. The syntax of the ip route command is as
ip route [destination_network] [mask] [next-hop_address or exit interface] [administrative_distance] [permanent]
The parameters of the command are as follows:
– destination_network: Defines the network that needs to be added in the routing table.
– mask: Defines the subnet mask used on the network.
– next-hop_address: Defines the default gateway or next hop router that receives and forwards the packets to the remote network.
– administrative_distance (AD): Static routes have an AD of 1, which can be changed to change the priority of the route.
Static routing is often implemented in small yet stable networks where the number of routes is small and manageable, and the network can benefit from
the elimination of the traffic that dynamic routing protocols would introduce. If this is the case, it is important that all routes be statically created, or else
networking problems can occur. For example, if in the diagram below no route to the 192.168.110.128/26 network on Router 2 exists on Router 1, Host
1 will be unable to ping Host 2. The fact that Host 1 would still be able to ping the S0/0 interface on Router 2 could obscure this missing route.
Host 1 will be able to ping the S0/0 interface of Router 2 because the 184.108.40.206/30 network will be in the routing table of Router 1, being directly
connected to Router 1. Directly connected routes are automatically placed in the routing table. However, if you executed the show run command on
Router 1, the output would indicate that no route to the 192.168.110.128/26 exists:
The option router# ip route 192.168.11.0 255.255.255.0 192.168.43.1 is incorrect because the ip route command should be configured in the global
The option router(config)# ip classless 192.168.43.1 is incorrect because the ip classless global configuration mode command allows a router to accept
and forward packets for subnets that are not directly connected. The packets are forwarded to the best available supernet route.
The option router(config) # ip default gateway 192.168.11.0 255.255.255.0 192.168.43.1 is incorrect because the ip default gateway command is used
to define the default gateway address when IP routing is disabled in the network.
Configure, verify, and troubleshoot IPv4 and IPv6 static routing
Which Cisco command keeps unauthorized users from viewing passwords in the router configuration file?
A. enable secret
B. enable password
C. enable encryption
D. service encryption
E. service password-encryption
Correct Answer: E
The service password-encryption global configuration mode command keeps unauthorized users from viewing passwords in the router configuration file.
The service password-encryption command encrypts all current and future passwords configured on the router, including the line password, virtual
terminal password, console password, user name password, routing protocol passwords such as BGP neighbor passwords, the privileged command
password, and authentication key passwords. Moreover, it encrypts any future passwords created on the router.
The encryption process occurs whenever the current configuration is built or a password is configured. The service password-encryption command will
cause the router configuration file to display encrypted characters instead of passwords when the running-configuration or startup-configuration files are
The enable password command creates a password that will be required to enter privileged EXEC mode, but the password will not be encrypted.
The enable secret command provides encryption to the enable mode passwords but does not apply globally to all passwords configured on the router. It
also does not encrypt any future passwords created on the router.
The enable encryption and service encryption commands are invalid.
Configure, verify, and troubleshoot basic device hardening
Which of the following commands will enable a link-local address based on the Modified EUI-64 format interface ID?
A. ipv6 address 5000::2222:1/64
B. ipv6 address autoconfig
C. ipv6 address 2001:db8:2222:7272::72/64 link-local
D. ipv6 enable
Correct Answer: B
To configure the interface to create a link-local address based on the Modified EUI-64 format interface ID, you must enable stateless autoconfiguration.
In stateless autoconfiguration, the interface will receive the network prefix from the router advertisement (RA) and generate a full IPv6 address by
spreading the 48-bit MAC address of the interface across 64 bits to complete the address. This can all be done simply by executing the ipv6 address
autoconfig command at the interface configuration prompt.
The command ipv6 address 5000::2222:1/64 is used to manually assign a full IPv6 address to the interface without using stateless autoconfiguration or
the eui-64 keyword to manually specify the first 64 bits and allow the last 64 bits to be generated from the MAC address of the interface.
The command ipv6 address 2001:db8:2222:7272::72/64 link local is used to configure a link-local address manually without allowing the system to
generate one from the MAC address, which is the default method.
The command ipv6 enable is used to allow the system to generate a link-local address from the MAC address. Because this is the default behavior, the
command is not required if any other ipv6 commands have been issued. Regardless of how many manual IPv6 addresses you configure, a link local
address is always generated by default.
Configure, verify, and troubleshoot IPv6 addressing