CCIE Security FAQ Cisco IOS Specifics and Security


Q1. What IOS command will display the System Flash?
a. show flash
b. show system flash
c. show memory
d. show process flash

Answer: a
Explanation: The show flash IOS command displays the System Flash:

Q2. The network administrator has forgotten the enable password and all passwords are encrypted. What should the network administrator do to recover the password without losing the current configuration?
a. Call the TAC and ask for a special back door password.

b. Call the TAC and raise a case to supply the engineering password.

c. Reboot the router, press the break key during the reload, and enter ROM mode and change the configuration register.

d. Reboot the router, press the break key during the reload, enter ROM mode and change the configuration register, and when the router reloads, remove the old configuration.

Answer: c
Explanation: The TAC will not supply any passwords. The steps required include issuing the break key and modifying the configuration register, but the aim is to not lose the initial configuration, so answer d is incorrect.

Q3. What is the enable password for the following router?

a. More data required
b. Simon
c. simon or Simon
d. You cannot set the password to a name; it must also contain digits.

Answer: b
Explanation: The enable password is case-sensitive, so the password is Simon.

Q4. If the configuration register is set to 0x2101, where is the IOS image booted from?
a. slot0:
b. slot1:
c. Flash
d. ROM
e. TFTP server

Answer: d
Explanation: 0x2101 tells the router to load the IOS image from ROM.

Q5. What IOS command will copy the running configuration to a TFTP server? (Select the best two answers.)
a. copy running-config to tftp
b. write network
c. copy running-config tftp
d. write erase

Answer: b and c
Explanation: Write network and copy running-config tftp will save the configuration stored in RAM to a TFTP server.

Q6. What debug command allows an administrator to debug only packets from the network
a. debug ip packet
b. terminal monitor
c. debug ip packet 1
access-list 1 permit
d. debug ip packet 1
access-list 1 permit
e. debug ip packet 1
access-list 1 permit

Answer: d
Explanation: To debug only packets from the source network, or networks ranging from to, the correct access list is access-list 1 permit, followed by the debug ip packet 1 command in privilege EXEC mode.

Q7. After entering debug ip packet, no messages appear on your Telnet session. What is the likely cause?
a. OSPF routing is required.
b. The console port does not support debug output.
c. The terminal monitor command is required.
d. IP packets are not supported with the debug command.

Answer: c
Explanation: Accessing a router via Telnet to enable debug messages to the terminal session requires the terminal monitor IOS command.

Q8. To change the configuration register to 0x2141, what is the correct IOS command?
a. copy running-config register
b. configuration 0x2141
c. config 0x2141 register
d. config-register 0x2142
e. config-register 0x2141

Answer: e

Q9. Where is the startup configuration stored on a Cisco router?
a. In the cam table
b. NVRAM
c. RAM
d. Flash
e. slot0:

Answer: b
Explanation: The startup configuration is usually stored in the NVRAM. You can store the file on a TFTP server, as well.

Q10. Which of the following statements is true?
a. The enable secret command overrides the enable password command.
b. The enable command overrides the enable secret password command.
c. Enable passwords cannot be used when the secret password is used.
d. Both a and c are true.

Answer: a
Explanation: The enable secret command overrides the enable password command when configured concurrently.

Q11. A Cisco router has the following configuration:

What will happen when you Telnet to the router?
a. You will be prompted for the login password.
b. You will enter EXEC mode immediately.
c. You cannot access the router without the password set.
d. More configuration required.

Answer: c
Explanation: Without the password configured, you cannot enter EXEC mode. The router will advise the Telnet user that the password is not set and disconnect the session, as follows:

Q12. A Cisco router has the following configuration:

When a Telnet user tries to establish a remote Telnet session to this router, what will happen?
a. You will be prompted for the login password cIscO.
b. You will enter EXEC mode immediately.
c. You cannot access the router without the password set.
d. More configuration required.
e. You will be prompted for the login password; password case does not matter.

Answer: b
Explanation: Because the no login command is configured, the VTY lines allow all Telnet sessions directly to the EXEC prompt even though a password is set.

Q13. A Cisco router has the following configuration:

When a third Telnet session is established to a remote router with the preceding configuration, what will happen?
a. You will be prompted for the login password, which is set to cisco.
b. You will be prompted for the login password, which is set to ciSco.
c. You will enter EXEC mode immediately.
d. You cannot access the router without the password set.
e. More configuration required.

Answer: b
Explanation: The first two Telnet sessions (line vty 0 1) will directly enter EXEC mode because of no login. The third (line vty 2 4) requires the password, ciSco.

Q14. Which of the following access lists will deny any IP packets sourced from network and destined for network and permit all other IP-based traffic?
a. access-list 1 deny
b. access-list 1 deny
c. access-list 100 permit/deny ip
d. access-list 100 deny ip
access-list 100 permit ip any any

Answer: d
Explanation: The correct access list is an extended access list because both source and destination addresses must be configured. To permit all other traffic, you must add the line access-list 100 permit ip any any. Otherwise, all other IP-based traffic will be denied by the implicit deny at the end of the list.

Q15. An administrator notices a router’s CPU utilization has jumped from 2 percent to 100 percent, and that a CCIE engineer was debugging. What IOS command can the network administrator enter to stop all debugging output to the console and vty lines without affecting users on the connected router?
a. no logging console debugging
b. undebug all
c. line vty 0 4
no terminal monitor
d. reload the router

Answer: b
Explanation: The IOS command undebug all stops all configured debug commands. Reloading the router also stops debugs but will affect users because the router will be unavailable during the reboot. Entering no logging console debugging does not stop the router from generating debug information, nor from processing the CPU-intensive requests, and it does not stop debug output to users connected via Telnet.

Q16. Where is the running configuration stored on a Cisco router?

Answer: The configuration is stored in the Random Access Memory (RAM). For all newer Cisco hardware platforms, the memory location where the running configuration is stored is called the Dynamic Random-Access Memory (DRAM).

Q17. What IOS command displays the startup configuration?

Answer: The IOS command show startup-config or show config will display the configuration stored in NVRAM.

Q18. What IOS command provides the following output?

Answer: The IOS command to display the System Flash is show flash.

Q19. What configuration register will enable a Cisco router to ignore the startup configuration?

Answer: 0x2142 will set the IOS to ignore the configuration stored in NVRAM; typically, this configuration register is used for password recovery.

Q20. To copy the startup configuration to the running configuration, what IOS command or commands are used?

Answer: copy startup-config running-config.

Q21. What is the range for standard and extended IP access lists on Cisco IOS routers?

Answer: Standard IP access lists range from 1-99 and 1300-1999. Extended access lists range from 100-199 and 2000-2699.

Q22. What command displays the IP access lists configured on a Cisco router?

Answer: show ip access-lists will display all configured IP access lists. The show access-lists IOS command displays all configured access lists, not just IP access lists.

Q23. How do you disable all debug commands currently enabled on a Cisco router, assuming you are not sure what debug commands are enabled?

Answer: undebug all (or u all in shorthand). You can also use the [no] debug <specific debug-enabled commands> for each specific debug that has been enabled. To quickly disable all debug commands, undebug all is typically used.

Q24. What must you be very careful of when enabling any form of debugging on a Cisco router?

Answer: You should make the debug command as specific as possible and ensure that you enable the output to the console (if disabled) and VTY lines with the IOS command, terminal monitor; this command is entered in privilege EXEC mode only. By default, Cisco IOS will send all debug output to the console port.

The CPU system on Cisco routers gives the highest priority to debugging output. For this reason, debugging commands should be turned on only for troubleshooting specific problems or during troubleshooting sessions with technical support personnel. Excessive debugging output can render the router inoperable. Try to use the most specific debug command possible to reduce the load on the CPU.

Q25. What are the required steps when performing password recovery on a Cisco router?

Answer: The password recovery steps are as follows:
Step 1 Power cycle the router.

Step 2 Issue a control break or the break key command on the application to enter into boot ROM mode. The control break key sequence must be entered within 60 seconds of the router restarting after a power cycle.

Step 3 Once you are in ROM mode, change the config register value to ignore the startup configuration file that is stored in NVRAM. Use the o/r 0x2142 command.

Step 4 Allow the router to reboot by entering the i command.

Step 5 After the router has finished booting up without its startup configuration, look at the show startup-config command output. If the password is encrypted, move to Step 6, which requires you to enter the enable mode (type enable and you will not be required to enter any password) and copy the startup configuration to the running configuration with the copy startup-config running-config command. Then, change the password. If the password is not encrypted and the secret password is not used, you can simply read the password. Skip Steps 6 and 7 and go to Step 8.

Step 6 Copy the startup configuration to RAM.

Step 7 Enable all active interfaces.

Step 8 Change the configuration register to 0x2102 (default).

Step 9 Reload the router.

Step 10 Check the new password.

Q26. What is the enable password for the following configuration?

Answer: Passwords are case-sensitive, so the password is CiscO. If the secret password was set, you would not be able to read the password in clear text because Cisco IOS hashes the password using the MD5 algorithm, as in the following example:

➠ Password is not in clear text.
You cannot reverse engineer the hashed password ($1$Aiy2$GGSCYdG57PdRiNg/ .D.XI.). Hashing is a one-way operation in which plain-text data is turned into ciphertext (unreadable data) by a hashing algorithm, so the original password cannot be recovered from the stored value.

Q27. The network administrator enables the debug ip packet command on Router R1, but no output is seen when connected to the console. IP traffic is flowing correctly from Ethernet0/0 to Ethernet0/1. What is the likely problem? What IOS configuration change is required to rectify the fault?

Answer: Line 4 in Example 4-39 has disabled the debug output from being visible. To enable debug messages to be sent to the console port, the command logging console debugging must be configured in global configuration mode. Alternatively, Telnetting to the router and enabling the terminal monitor command on the VTY session enables the network administrator to view the debug output.

Q28. There are a number of configured aliases. What alias will display the Ethernet interface statistics for the Ethernet interface labeled Ethernet0/1?

Answer: Line 17 displays the alias, eth1, which is the command show interface ethernet0/1.

Q29. When the following command is entered at the privilege EXEC prompt, what will the output be?

Answer: Line 16 defines an alias, eth0, which will be used as a shortcut to the show interface ethernet0/0 command. This IOS command displays the statistics of interface Ethernet0/0.

Q30. What is the password of Router 1 that enables a network administrator to make configuration changes?

Answer: Line 6 (enable password ciscO) defines the enable password as ciscO. However, because a secret password exists on line 5, that is the password required to enter enable mode, and because the secret password is encrypted, you cannot decipher the password.

Q31. What debug command can be used to debug IP packets sourced from the address to the PC with the IP address of

Answer: Access list 100 defines an Access-list with the source address to the destination IP address You can apply the debug command, debug ip packet 100, with the optional keyword detail to view IP packets sent from the server to the IP address

Q32. A user telnets to Router R1 and runs the debug command, debug ip packet.
IP data travels from the PC to the server but no output is displayed on the router. What is the likely problem?

Answer: The Telnet user must be in privilege EXEC mode and must enable the terminal monitor command to ensure debug output is sent to the VTY line.

Q33. What is the configuration register of the router?

Answer: The configuration in Example 4-38 does not include a configuration register, so the default register (0x2102) is enabled.

Q34. What is the VTY password required for Telnet clients logging into R1?

Answer: Line 24 configures the router for no VTY login, so there is no password; any Telnet users will be directed to the router at the EXEC prompt level.

Q35. What does access list 1 accomplish in line 12?

Answer: Access list 1 is not applied to any interface and can be used when debug ip packet is turned on. Because it is a standard access list, it can be used to debug packets sourced from network to

Q36. What Global IOS command would encrypt all passwords configured on R1?

Answer: The Global IOS command, service password-encryption, encrypts all passwords, including the enable and VTY password, if any.
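As an added illustration (not code from the book or from Cisco), the following Python checker applies several of the answers above to a constructed running-config: it decodes the configuration register bits behind Q4, Q19, Q25 and Q33 (boot field, ignore-NVRAM bit, break-disabled bit) and flags the weak settings from Q10, Q12, Q34 and Q36. The sample configuration and all function names are assumptions made for this example.

```python
import re

# Constructed sample running-config for this example (not the book's
# Example 4-38 or 4-39); it deliberately contains the weak settings the FAQ covers.
SAMPLE_CONFIG = """\
enable password ciscO
no service password-encryption
config-register 0x2142
line vty 0 1
 password cisco
 no login
line vty 2 4
 password ciSco
 login
"""


def decode_config_register(value):
    """Decode the bits of a Cisco configuration register (see Q4, Q19, Q33)."""
    boot = value & 0xF                     # low nibble: boot field
    if boot == 0:
        boot_src = "ROM monitor"
    elif boot == 1:
        boot_src = "ROM (boot helper image)"   # 0x2101 in Q4
    else:
        boot_src = "flash / boot system commands"  # 0x2102 default
    return {
        "boot_source": boot_src,
        "ignore_nvram": bool(value & 0x0040),    # set in 0x2142 (Q19)
        "break_disabled": bool(value & 0x0100),  # set in 0x2102/0x2142
    }


def audit_config(text):
    """Return a list of findings for the weak settings discussed in the FAQ."""
    lines = text.splitlines()
    findings = []
    if any(l.startswith("enable password") for l in lines) and \
            not any(l.startswith("enable secret") for l in lines):
        findings.append("enable password without enable secret (Q10)")
    if "service password-encryption" not in lines:      # absent or negated
        findings.append("service password-encryption not enabled (Q36)")
    m = re.search(r"^config-register 0x([0-9A-Fa-f]+)", text, re.M)
    reg = int(m.group(1), 16) if m else 0x2102           # default when absent (Q33)
    if decode_config_register(reg)["ignore_nvram"]:
        findings.append(f"config-register {reg:#06x} ignores NVRAM; "
                        "reset to 0x2102 after password recovery (Q19, Q25 step 8)")
    current = None
    for l in lines:
        if l.startswith("line vty"):
            current = l
        elif current and l.strip() == "no login":
            findings.append(f"{current}: no login, Telnet users reach EXEC "
                            "without a password (Q12, Q34)")
    return findings
```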
