CCIE Security FAQ Application Protocols
Q1. RFC 1700 defines what well-known ports for DNS?
a. TCP port 21
b. TCP port 23
c. UDP port 21
d. UDP port 53
e. TCP/UDP port 53
Explanation: DNS is permitted by RFC 1700 to use both TCP/UDP port 53. Typically UDP is vendor configured for UDP port 53.
Q2. What supplies DNS security?
a. A default username/password pairing
b. A TFTP directory
c. A filename
d. A domain name
e. None of the above
Explanation: DNS has no form of security, so any device can request name-to-IP address mappings.
Q3. What IOS command will stop a Cisco router from querying a DNS server when an invalid IOS command is entered on the EXEC or PRIV prompt?
a. no ip domain-lookup
b. no ip dns-lookup
c. no ip dns-queries
d. no exec
Explanation: To disable DNS query lookup, the IOS command in global configuration mode is no ip domain-lookup.
Q4. What does the following Global IOS configuration line accomplish?
ip host SimonisaCCIE 220.127.116.11 18.104.22.168
a. Defines the router name as SimonisaCCIE
b. Defines a local host name, SimonisaCCIE, mapped to IP addresses 22.214.171.124 and 126.96.36.199
c. Configures the IOS router for remote routing entries 188.8.131.52 and 184.108.40.206
d. Not a valid IOS command
e. Configures the local routers with the IP address 220.127.116.11 and 18.104.22.168 on boot up
Explanation: The ip host name ip address1 [ipaddress2 ipaddress3 ipaddress4 ipaddress5 ipaddress6 ipaddress7 ipaddress8] command configures a local address lookup for the name SimonisaCCIE. Up to 8 addresses can be used. The router will try 22.214.171.124 first and, if no response is made by the remote host, the second address, 126.96.36.199, will be attempted from the command-line interface (CLI).
Q5. TFTP uses what predefined UDP port number?
Explanation: TFTP uses UDP port number 69.
Q6. What IOS command will copy an IOS image from the current system flash to a TFTP server?
a. copy tftp image:
b. copy flash tftp
c. copy tftp flash
d. copy tftp tftp
Explanation: To copy an IOS image from the routers to system flash, the correct IOS command is copy flash tftp.
Q7. Suppose a client calls and advises you that an FTP data transaction is not allowing him to view the host’s directory structure. What are the most likely causes of the problem? (Choose all that apply.)
a. The client’s username/password is wrong.
b. The client’s FTP data port is not connected.
c. The host machine has denied him access because the password is wrong.
d. A serious network outage requires that you reload the router closest to the client.
e. An access list is stopping port 20 from detailing the directory list.
Explanation: The FTP data port is used to view the directory and could be blocked because of an access list or a fault with the client’s software when establishing the FTP 20 connection.
Q8. FTP runs over what Layer 4 protocol?
Explanation: The FTP application is a connection-orientated protocol and is part of the TCP/IP protocol suite. FTP ensures data is delivered by running data with a TCP overhead.
Q9. HTTPS traffic uses what TCP port number?
Explanation: HTTPS runs over TCP port 443.
Q10. SNMP is restricted on Cisco routers by what IOS command?
a. snmp-server enable
b. snmp-server community string
c. snmp-server ip-address
d. snmp-server no access permitted
Explanation: To restrict SNMP access, the correct IOS command is snmp-server community string. Without the correct string, NMS stations will not be able to access a router with SNMP queries. You can disable SNMP on a router and restrict SNMP access with the IOS command no snmp-server.
Q11. TFTP protocol uses which of the following?
a. Username/password pairs to authorize transfers
b. Uses TCP port 169
c. Uses UDP port 169
d. Can use UDP/TCP and port 69
e. None of the above
Explanation: TFTP is defined in RFC 1700 and is permitted to use TCP/UDP port 69 only.
Q12. Which of the following statements is true regarding SSL?
a. Every packet sent between host and client is authenticated.
b. Encryption is used after a simple handshake is completed.
c. SSL uses port 2246.
d. SSL is not a predefined standard.
e. SSL does not perform any data integrity checks.
Explanation: After the hosts have negotiated with valid username/password pairs, SSL will start to encrypt all data. After the handshake, packets are not authenticated. SSL uses TCP port 443. RFC 2246 defines SSL.
Q13. What is the HELO SMTP command used for?
a. To authenticate SMTP clients
b. To identify SMTP clients
c. This is an unknown standard
d. The HELO command is used in SNMP (not SMTP)
Explanation: The HELO command identifies the client to the SMTP server.
Q14. POP3 clients can do what?
a. Receive SNMP queries
b. Send mail
c. Send SNMP queries
d. The POP3 protocol is a routing algorithm
Explanation: POP3 clients send mail to POP3 servers. SMTP is not part of the POP3 standard.
Q15. NTP uses what well-known TCP port?
Explanation: NTP uses UDP or TCP, and the port number is 123.
Q16. Secure Shell (SSH) is used to do what?
a. Disable spanning tree on Catalyst 5000 switches
b. Protect the data link layer only from attacks
c. Protect the TCP/IP host
d. Allow TCP/IP access to all networks without any security
e. SSH is used only in the data link layer
Explanation: SSH is used to protect TCP/IP hosts.
Q17. Which of the following protocols can be authenticated? (Select the best four answers.)
d. Spanning tree
Q18. What is the community string value when the following IOS commands are entered in global configuration mode?
snmp-server community publiC RO
snmp-server enable traps config
snmp-server host 188.8.131.52 isdn
f. More data required
Explanation: The community string is defined by the command snmp-server community community string, which, in this case, is set to publiC. The community string is case sensitive.
Q19. Which of the following best describes an SNMP inform request?
a. Requires no acknowledgment
b. Requires an acknowledgment from the SNMP agent
c. Requires an acknowledgment from the SNMP manager
d. Only SNMP traps can be implemented on Cisco IOS routers
Explanation: SNMP inform requests require an acknowledgment from the SNMP manager. SNMP hosts will continue sending the SNMP inform request until an acknowledgment is received.
Q20. What UDP port number will SNMP traps be sent from?
Explanation: SNMP traps are sent by SNMP agents (such as routers) over UDP port 162.
Q21. What TCP port number will an SNMP inform acknowledgment packet be sent to?
f. None of the above
Explanation: SNMP inform acknowledgments are sent over UDP (not TCP) port number 161.
Q22. To restrict SNMP managers from the source network 184.108.40.206/30, what IOS command is required?
ip http enable 220.127.116.11 18.104.22.168
snmp community 22.214.171.124 126.96.36.199
snmp-server community SimonisCool ro 4
access-list 4 permit 188.8.131.52 0.0.0.252
snmp-server community SimonisCool ro 4
snmp-server community SimonisCool ro 1
access-list 11 permit 184.108.40.206 0.0.0.252
Explanation: The SNMP server community name must be defined with the following command:
snmp-server community string ro access-list-number
The access list number definition must follow (in this case, number 4). The access list range is between 1 and 99 only.
Q23. According to RFC 1700, what is the well-known TCP/UDP port used by DNS?
Q24. What does the IOS command no ip domain-lookup accomplish?
Q25. What is the correct IOS syntax to specify local host mapping on a Cisco router?
ip host name [tcp-port-number] ip address1 [ip address2...ip address8]
Up to eight IP addresses can be assigned to one name.
Q26. TFTP uses what well-known, defined TCP/UDP port?
Q27. What is the correct IOS command to copy a file from a TFTP server to the system flash?
the TFTP server, the IOS command is copy flash tftp.
Q28. Define the two modes of FTP.
Answer: FTP can be configured for the following two modes:
- Active mode
- Passive mode
Q29. FTP uses what TCP port numbers?
Q30. What well-known port do Secure Socket Layer (SSL) and Secure Shell (SSH) use?
Q31. Define SNMP and give an example.
Q32. What well-known UDP ports are used by SNMP?
Q33. What IOS command enables SNMP on a Cisco IOS router?
Q34. Which TCP/UDP port numbers are defined for use by Network Time Protocol or NTP?
Q35. When defining a stratum value on a Cisco router, what is the range and what value is closest to an atomic clock?
Q36. Secure Shell (SSH) allows what to be accomplished when in use?
Q37. What is the difference between an SNMP inform request and an SNMP trap?
Q38. What does the SNMP MIB refer to?
Q39. What is the SNMP read-write community string for the following router configuration?
snmp-server community simon ro
snmp-server community Simon rw
Q40. Before you can TFTP a file from a Cisco router to a UNIX- or Windows-based system, what is the first step you must take after enabling the TFTP server daemon on both platforms?
Q41. What IOS command can be implemented to restrict SNMP access to certain networks by applying access lists? Can you apply standard, extended, or both?
Answer: The IOS command is as follows:
snmp-server community string [view view-name] [ro | rw] [ number]
You can only apply a standard access-list list with the above command.
number refers to a standard access list, ranging from 1 to 99 only, that defines the remote hosts or subnets that are permitted SNMP access. The correct SNMP community string must also be correctly configured on the SNMP manger and agent to allow SNMP communication.
Q42. Does TFTP have a mechanism for username and password authentication?
Q43. Can you use your Internet browser to configure a Cisco router? If so, how?
Q44. A network administrator defines a Cisco router to allow HTTP requests but forgets to add the authentication commands. What is the default username and password pairing that allows HTTP requests on the default TCP port 80? Can you predefine another TCP port for HTTP access other than port 80?
Q45. What happens when a network administrator types the host name Router1 at the router prompt? (Select the best two answers.)
a. DNS queries are disabled; nothing will be translated.
b. The name Router1 is mapped to the IP address 220.127.116.11.
c. The administrator could also type CCIE to reach the same IP address (18.104.22.168).
d. Because DNS is disabled with the command no ip domain-lookup, the router assumes this is an invalid IOS command and returns the error “% Unknown command or computer name, or unable to find computer address.”
e. Local DNSs are case-sensitive so you can only type Router1 to map to 22.214.171.124.
Therefore, if a user types Router1 or CCIE, they will be return to the same router.The following sample display demonstrates this fact:
Trying Router1 (126.96.36.199)... Open
User Access Verification
! quit commands exit Telnet session and you return
! to the first Telnet connection on R1
[Connection to router1 closed by foreign host]
Trying CCIE (188.8.131.52)... Open
User Access Verification
Both the DNS names, CCIE and Router1, are translated to the same IP address,184.108.40.206.
Q46. The following commands are entered on the router named R1. What are the TFTP server address and TFTP filename stored on the router on board flash?
R1#copy tftp flash
Address or name of remote host ? 220.127.116.11
Source filename ? c2600-jo3s56i-mz.121-5.T10.bin
Destination filename [c2600-jo3s56i-mz.121-5.T10.bin]? c2600-c1
Q47. R1 supplies an NTP clock source to a remote router. What is the NTP’s peer IP address,and what is the MD5 password used to ensure that NTP sessions are authenticated?
Q48. What is the SNMP read-write access community string for the following configuration?
snmp-server community public RO
snmp-server community publiC RW