CCIE Security FAQ Cisco IOS Specifics and Security
Q1. What IOS command will display the System Flash?
a. show flash
b. show system flash
c. show memory
d. show process flash
Explanation: The show flash IOS command displays the System Flash:
R1#show flash
System flash directory:
File Length Name/status
1 11600424 c2600-ik8o3s-mz.122-2.T.bin
[11600488 bytes used, 5176728 available, 16777216 total]
16384K bytes of processor board System flash (Read/Write)
R1#
Q2. The network administrator has forgotten the enable password and all passwords are encrypted. What should the network administrator do to recover the password without losing the current configuration?
a. Call the TAC and ask for a special back door password.
b. Call the TAC and raise a case to supply the engineering password.
c. Reboot the router, press the break key during the reload, and enter ROM mode and change the configuration register.
d. Reboot the router, press the break key during the reload, enter ROM mode and change the configuration register, and when the router reloads, remove the old configuration.
Explanation: The TAC will not supply any passwords. The steps required include issuing the break key and modifying the configuration register, but the aim is to not lose the initial configuration, so answer d is incorrect.
Q3. What is the enable password for the following router?
enable password Simon
a. More data required
b. Simon
c. simon or Simon
d. You cannot set the password to a name; it must also contain digits.
Explanation: The enable password is case-sensitive, so the password is Simon.
Q4. If the configuration register is set to 0x2101, where is the IOS image booted from?
a. slot0:
b. slot1:
c. Flash
d. ROM
e. TFTP server
Explanation: 0x2101 tells the router to load the IOS image from ROM: the boot field (the low four bits of the configuration register) is 1.
Q5. What IOS command will copy the running configuration to a TFTP server? (Select the best two answers.)
a. copy running-config to tftp
b. write network
c. copy running-config tftp
d. write erase
Explanation: Write network and copy running-config tftp will save the configuration stored in RAM to a TFTP server.
Q6. What debug command allows an administrator to debug only packets from the network 131.108.0.0/16?
a. debug ip packet
b. terminal monitor
c. debug ip packet 1
access-list 1 permit 131.108.0.0
d. debug ip packet 1
access-list 1 permit 131.108.0.0 0.0.255.255
e. debug ip packet 1
access-list 1 permit 131.108.0.0 255.255.0.0
Explanation: To debug only packets from the source network 131.108.0.0/16, or networks ranging from 131.108.0.0 to 131.108.255.255, the correct access list is access-list 1 permit 131.108.0.0 0.0.255.255, followed by the debug ip packet 1 command in privilege EXEC mode.
Q7. After entering debug ip packet, no messages appear on your Telnet session. What is the likely cause?
a. OSPF routing is required.
b. The console port does not support debug output.
c. The terminal monitor command is required.
d. IP packets are not supported with the debug command.
Explanation: Accessing a router via Telnet to enable debug messages to the terminal session requires the terminal monitor IOS command.
Q8. To change the configuration register to 0x2141, what is the correct IOS command?
a. copy running-config register
b. configuration 0x2141
c. config 0x2141 register
d. config-register 0x2142
e. config-register 0x2141
Explanation: The configuration register is set with the global configuration command config-register, followed by the hexadecimal value, so config-register 0x2141 is correct. Answer d sets the register to a different value (0x2142).
Q9. Where is the startup configuration stored on a Cisco router?
a. In the cam table
b. NVRAM
c. RAM
d. Flash
e. slot0:
Explanation: The startup configuration is usually stored in the NVRAM. You can store the file on a TFTP server, as well.
Q10. Which of the following statements is true?
a. The enable secret command overrides the enable password command.
b. The enable command overrides the enable secret password command.
c. Enable passwords cannot be used when the secret password is used.
d. Both a and c are true.
Explanation: The enable secret command overrides the enable password command when configured concurrently.
Q11. A Cisco router has the following configuration:
line vty 0 4
 login
What will happen when you Telnet to the router?
a. You will be prompted for the login password.
b. You will enter EXEC mode immediately.
c. You cannot access the router without the password set.
d. More configuration required.
Explanation: Without the password configured, you cannot enter EXEC mode. The router will advise the Telnet user that the password is not set and disconnect the session, as follows:
R1#131.108.1.1
Trying 131.108.1.1 ... Open
Password required, but none set
[Connection to 131.108.1.1 closed by foreign host]
Q12. A Cisco router has the following configuration:
line vty 0 4
 no login
 password cIscO
When a Telnet user tries to establish a remote Telnet session to this router, what will happen?
a. You will be prompted for the login password cIscO.
b. You will enter EXEC mode immediately.
c. You cannot access the router without the password set.
d. More configuration required.
e. You will be prompted for the login password; password case does not matter.
Explanation: Because the no login command is configured, the VTY lines allow all Telnet sessions directly to the EXEC prompt even though a password is set.
Q13. A Cisco router has the following configuration:
line vty 0 1
 no login
 password cisco
line vty 2 4
 login
 password ciSco
When a third Telnet session is established to a remote router with the preceding configuration, what will happen?
a. You will be prompted for the login password, which is set to cisco.
b. You will be prompted for the login password, which is set to ciSco.
c. You will enter EXEC mode immediately.
d. You cannot access the router without the password set.
e. More configuration required.
Explanation: The first two Telnet sessions (line vty 0 and 1) enter EXEC mode directly because of no login. The third session lands on line vty 2, which requires the password ciSco.
Q14. Which of the following access lists will deny any IP packets sourced from network 131.108.1.0/24 and destined for network 131.108.2.0/24 and permit all other IP-based traffic?
a. access-list 1 deny 131.108.1.0
b. access-list 1 deny 131.108.1.0 0.0.0.255
c. access-list 100 permit/deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255
d. access-list 100 deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255
access-list 100 permit ip any any
Explanation: The correct access list is an extended access list, because both the source and the destination address must be matched. To permit all other traffic, you must add the line access-list 100 permit ip any any; otherwise every other IP packet is dropped by the implicit deny at the end of the list.
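The following evaluator is an added example written for this page; it is not Cisco code and does not appear in the book. It applies wildcard-mask matching and the implicit deny to the lists from Q6 and Q14, and also handles the host keyword, so a host-to-host list of the kind Q31 asks for can be checked the same way. The ACL lines and sample packets are constructed for the example.

```python
"""Evaluate IOS numbered IP access lists (standard 1-99, extended 100-199)
against sample packets, with wildcard-mask semantics and the implicit deny.
Added example for this page; not Cisco code."""
from typing import List, Tuple

Entry = Tuple[str, str, int, int, int, int]   # action, proto, src, src_wc, dst, dst_wc
ANY = (0, 0xFFFFFFFF)                          # 'any' == 0.0.0.0 255.255.255.255


def ip2int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """Wildcard bits: 0 = must match, 1 = don't care (the inverse of a subnet
    mask). 0.0.0.255 therefore matches a /24 and 0.0.255.255 a /16."""
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == base & care


def _parse_addr(tokens: List[str], pos: int, wildcard_required: bool):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]' and return
    (base, wildcard, next_pos). A standard ACL with no wildcard means one host."""
    tok = tokens[pos]
    if tok == "any":
        return ANY[0], ANY[1], pos + 1
    if tok == "host":
        return ip2int(tokens[pos + 1]), 0, pos + 2
    base = ip2int(tok)
    if wildcard_required or pos + 1 < len(tokens):
        return base, ip2int(tokens[pos + 1]), pos + 2
    return base, 0, pos + 1


def parse_acl(config_lines: List[str]) -> List[Entry]:
    """Parse the 'access-list N ...' lines of one numbered ACL, keeping order."""
    entries: List[Entry] = []
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue                                # not an ACL line
        num, action = int(t[1]), t[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        if 1 <= num <= 99:                          # standard: source only
            src, swc, _ = _parse_addr(t, 3, False)
            entries.append((action, "ip", src, swc, *ANY))
        elif 100 <= num <= 199:                     # extended: proto src dst
            src, swc, pos = _parse_addr(t, 4, True)
            dst, dwc, _ = _parse_addr(t, pos, True)
            entries.append((action, t[3], src, swc, dst, dwc))
        else:
            raise ValueError(f"only numbered IP ACLs are handled: {line!r}")
    return entries


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str, proto: str = "ip") -> str:
    """First matching entry wins; a packet that matches nothing hits the
    implicit 'deny any' that ends every IOS access list."""
    s, d = ip2int(src_ip), ip2int(dst_ip)
    for action, p, src, swc, dst, dwc in entries:
        if p not in ("ip", proto):
            continue
        if wildcard_match(s, src, swc) and wildcard_match(d, dst, dwc):
            return action
    return "deny"


# Constructed sample lists: Q14 answer d, the same list without its final permit,
# the three candidate standard lists from Q6, and a host-to-host list.
ACL_Q14 = parse_acl([
    "access-list 100 deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255",
    "access-list 100 permit ip any any",
])
ACL_Q14_NO_PERMIT = ACL_Q14[:1]
ACL_Q6_C = parse_acl(["access-list 1 permit 131.108.0.0"])
ACL_Q6_D = parse_acl(["access-list 1 permit 131.108.0.0 0.0.255.255"])
ACL_Q6_E = parse_acl(["access-list 1 permit 131.108.0.0 255.255.0.0"])
ACL_HOSTS = parse_acl(["access-list 100 permit ip host 131.108.2.100 host 131.108.1.100"])

if __name__ == "__main__":
    for name, acl, s, d in [("Q14", ACL_Q14, "131.108.1.5", "131.108.2.9"),
                            ("Q14 no permit", ACL_Q14_NO_PERMIT, "10.0.0.1", "131.108.2.9"),
                            ("Q6 d", ACL_Q6_D, "131.108.200.1", "10.0.0.1"),
                            ("Q6 e", ACL_Q6_E, "131.108.5.5", "10.0.0.1")]:
        print(f"{name}: {s} -> {d}: {evaluate(acl, s, d)}")
```

Running the script shows why answer e in Q6 is wrong: with the wildcard 255.255.0.0 the only bits that must match are the last two octets, which must be 0.0, so 131.108.5.5 is not matched while 10.20.0.0 is.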
Q15. An administrator notices a router’s CPU utilization has jumped from 2 percent to 100 percent, and that a CCIE engineer was debugging. What IOS command can the network administrator enter to stop all debugging output to the console and vty lines without affecting users on the connected router?
a. no logging console debugging
b. undebug all
c. line vty 0 4
no terminal monitor
d. reload the router
Explanation: The IOS command undebug all stops every debug that is currently enabled. Reloading the router also stops the debugs, but it affects users because the router is unavailable during the reboot. Entering no logging console debugging only suppresses debug-level messages on the console: the router still processes the CPU-intensive debugs and still sends their output to Telnet users who have terminal monitor enabled.
Q16. Where is the running configuration stored on a Cisco router?
Q17. What IOS command displays the startup configuration?
Q18. What IOS command provides the following output?
System flash directory:
File Length Name/status
1 9558976 c2500-ajs40-l.12-17.bin
[9559040 bytes used, 7218176 available, 16777216 total]
16384K bytes of processor board System flash
Q19. What configuration register will enable a Cisco router to ignore the startup configuration?
Q20. To copy the startup configuration to the running configuration, what IOS command or commands are used?
Q21. What is the range for standard and extended IP access lists on Cisco IOS routers?
Q22. What command displays the IP access lists configured on a Cisco router?
Q23. How do you disable all debug commands currently enabled on a Cisco router, assuming you are not sure what debug commands are enabled?
Q24. What must you be very careful of when enabling any form of debugging on a Cisco router?
The CPU on Cisco routers gives the highest priority to debugging output. For this reason, debugging commands should be turned on only for troubleshooting specific problems or during troubleshooting sessions with technical support personnel. Excessive debugging output can render the router inoperable. Use the most specific debug command possible (for example, debug ip packet with an access list) to reduce the load on the CPU.
Q25. What are the required steps when performing password recovery on a Cisco router?
Step 1 Power cycle the router.
Step 2 Issue a control break or the break key command on the terminal application to enter boot ROM mode. The break sequence must be sent within 60 seconds of the router restarting after the power cycle.
Step 3 Once you are in ROM mode, change the configuration register so that the startup configuration stored in NVRAM is ignored. On the 2500-series boot ROM (> prompt) use the o/r 0x2142 command; on platforms with the newer ROM monitor (rommon prompt) the equivalent is confreg 0x2142 followed by reset.
Step 4 Allow the router to reboot by entering the i command.
Step 5 After the router has finished booting without its startup configuration, look at the show startup-config output. If the password is encrypted, go to Step 6: enter enable mode (type enable; no password is required), copy the startup configuration to the running configuration with copy startup-config running-config, and then change the password. If the password is not encrypted and no secret password is used, you can simply read it; skip Steps 6 and 7 and go to Step 8.
Step 6 Copy the startup configuration to RAM.
Step 7 Enable all active interfaces.
Step 8 Change the configuration register to 0x2102 (default).
Step 9 Reload the router.
Step 10 Check the new password.
Q26. What is the enable password for the following configuration?
enable password CiscO
Answer: Passwords are case-sensitive, so the password is CiscO. If the enable secret were set instead, you could not read the password from the configuration, because Cisco IOS stores a salted MD5-based hash (a type 5 secret) rather than the password itself, as in the following example:
enable secret 5 $1$Aiy2$GGSCYdG57PdRiNg/.D.XI.
➠ Password is not in clear text.
The hashed value ($1$Aiy2$GGSCYdG57PdRiNg/.D.XI.) cannot be reversed to recover the password. Note that hashing is not encryption: encryption turns plain text into ciphertext that the holder of the key can turn back into plain text, whereas a hash is a one-way function. The only way to recover a type 5 secret is to guess candidate passwords and hash each one with the same salt (the characters between the second and third $, here Aiy2) until one matches.
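The block below is an added example for this answer and for Q36 (service password-encryption, which rewrites clear-text enable and line passwords into the reversible type 7 form); it is not from the book or from Cisco. It re-implements the publicly known type 7 XOR scheme and the md5crypt construction behind enable secret 5, then audits a constructed configuration with both kinds of password. The salt Aiy2 and the password Simon are borrowed from this page's examples only as inputs; the hash the code produces is not claimed to equal the one printed above. The fixed type 7 key string is the well-known one used by IOS.

```python
"""Recover type 7 passwords and verify type 5 (md5crypt) secrets from an IOS
configuration. Added example for this page; not Cisco code."""
import hashlib
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed XOR key used by IOS type 7; the first two characters of a type 7 string
# are a decimal offset into this key, the remaining characters are hex bytes.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def type7_decrypt(encoded: str) -> str:
    """Recover the plaintext of a type 7 string (e.g. '0822455D0A16' -> 'cisco')."""
    if not re.fullmatch(r"\d\d(?:[0-9A-Fa-f]{2})*", encoded):
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("latin-1")


def type7_encrypt(plain: str, offset: int = 8) -> str:
    """Inverse of type7_decrypt, so round trips can be checked offline."""
    body = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(plain.encode("latin-1")))
    return f"{offset:02d}{body.hex().upper()}"


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD-style md5crypt, the algorithm behind 'enable secret 5'.
    Returns '$1$<salt>$<22 chars>'; IOS uses a 4-character salt."""
    pw, magic, salt_b = password.encode(), b"$1$", salt.encode()[:8]
    alt = hashlib.md5(pw + salt_b + pw).digest()
    ctx = hashlib.md5(pw + magic + salt_b)
    pl = len(pw)
    while pl > 0:                       # mix in len(pw) bytes of the alt digest
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # historical quirk kept for compatibility
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):               # stretching loop: 1000 MD5 rounds
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(salt_b)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    def to64(v: int, n: int) -> str:
        return "".join(_ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + salt_b.decode() + "$" + out + to64(final[11], 2)


def type5_verify(candidate: str, stored: str) -> bool:
    """Check a guess against a type 5 hash by re-hashing it with the stored salt."""
    m = re.fullmatch(r"\$1\$([^$]{1,8})\$([./0-9A-Za-z]{22})", stored)
    if not m:
        raise ValueError(f"not a type 5 hash: {stored!r}")
    return md5crypt(candidate, m.group(1)) == stored


def audit_config(config: str, wordlist: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Type 7 values are recovered outright; type 5 values only if a guess matches."""
    words = list(wordlist)
    findings: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in config.splitlines():
        m7 = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)\b", line)
        m5 = re.search(r"\bsecret 5 (\$1\$\S+)", line)
        if m7:
            findings[line.strip()] = ("type7", type7_decrypt(m7.group(1)))
        elif m5:
            hit = next((w for w in words if type5_verify(w, m5.group(1))), None)
            findings[line.strip()] = ("type5", hit)          # None: not in wordlist
    return findings


# Constructed sample configuration (hash and vty value generated here, not taken
# from a real router).
SAMPLE_SECRET = md5crypt("Simon", "Aiy2")
SAMPLE_VTY = type7_encrypt("ciSco", 3)
SAMPLE_CONFIG = f"""service password-encryption
enable secret 5 {SAMPLE_SECRET}
enable password 7 0822455D0A16
line vty 0 4
 password 7 {SAMPLE_VTY}
 login
"""

if __name__ == "__main__":
    for line, (kind, value) in audit_config(SAMPLE_CONFIG, ["cisco", "Simon"]).items():
        print(f"{kind}: {line!r} -> {value!r}")
```

The audit makes the practical difference visible: type 7 recovery needs no guessing at all, so service password-encryption only protects against someone reading over your shoulder, while a type 5 secret can only be confirmed by hashing each guess with its salt, so its strength is the strength of the password. A configuration file containing either form should be handled as sensitive.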
Q27. The network administrator enables the debug ip packet command on Router R1, but no output is seen when connected to the console. IP traffic is flowing correctly from Ethernet0/0 to Ethernet0/1. What is the likely problem? What IOS configuration change is required to rectify the fault?
Q28. There are a number of configured aliases. What alias will display the Ethernet interface statistics for the Ethernet interface labeled Ethernet0/1?
Q29. When the following command is entered at the privilege EXEC prompt, what will the output be?
R1#eth0
Q30. What is the password of Router 1 that enables a network administrator to make configuration changes?
Q31. What debug command can be used to debug IP packets sourced from the address 131.108.2.100 and destined for the PC with the IP address 131.108.1.100?
Q32. A user telnets to Router R1 and runs the debug command, debug ip packet.
IP data travels from the PC to the server but no output is displayed on the router. What is the likely problem?
R2#R1
Trying 131.108.255.1 ... Open
R1>debug ip packet
   ^
% Invalid input detected at '^' marker.
R1>
Q33. What is the configuration register of the router?
Q34. What is the VTY password required for Telnet clients logging into R1?
Q35. What does access list 1 accomplish in line 12?
Q36. What Global IOS command would encrypt all passwords configured on R1?