CCIE R&S Security
Review questions for Security for R & S
24 cards
Computer Networking (Professional)
04/16/2010

Cards

Term
What is the syntax for applying an IPv6 ACL?
Definition

interface f0/0

 ipv6 traffic-filter ACL-NAME in

Term
What is the syntax for applying an ACL to Telnet (vty) sessions?
Definition
line vty 0 4
access-class ACL-NAME in
Term
What is the port and protocol used for SMTP?
Definition
TCP 25
Term
What is the port and protocol used for Telnet?
Definition
TCP 23
Term
What is the IP protocol # for TCP?
Definition
6
Term
What is the IP protocol # for UDP?
Definition
17
Term
What are the config-register (confreg) settings to boot from flash, ignore NVRAM and ignore break?
Definition
0x.142
1=ignore break
4=ignore nvram
2=boot from flash
Term
What username and password are used for FTP from a router?
Definition
whatever is configured under:
ip ftp username Joe
ip ftp password Cisco
Term
What is "class-map type inspect" used for?
Definition
Classifies traffic for zone-based firewall.
Term
Where is a policy-map type inspect applied?
Definition

This is a zone-based firewall policy-map (type inspect); it is applied to the zone-pair:

zone-pair security MyPair source LAN destination WAN
 service-policy type inspect MYPMAP

Term
What actions can be defined in a policy-map type inspect?
Definition
drop
inspect
pass
police
Term
When zone-based firewall is configured, what traffic does the router allow to itself?
Definition
All traffic is allowed to the "self-zone"
Term
What are the five steps in configuring zone-based firewall?
Definition

1) Create class-map type inspect

2) Create service-policy type inspect

3) Create security zones ("zone security INSIDE")

4) Create a "zone-pair" from the created zones and assign the service-policy

5) Assign interfaces to zones ("zone-member security INSIDE")

Term
What is the difference between the two options?
(config-if)#ip verify unicast reachable-via [any | rx]
Definition
"Any" is loose uRPF: the router drops the packet if it has no route at all to the source address.
"Rx" is strict uRPF: the router drops the packet if the matching route's outgoing interface is different from the interface on which the packet was received.
Term
What happens when "storm-control multicast" is configured and the threshold is exceeded?
Definition
All traffic is blocked except STP.
Term
What happens when "storm-control unicast" is configured and the threshold is exceeded?
Definition
Only unicast traffic is blocked.
Term
What actions can be taken when a storm-control threshold has been exceeded?
Definition
Default storm-control is to police, can also trap or shut interface.
Term
What are the four steps to configuring Control Plane Policing?
Definition

1. Define packet classification criteria

(config)#class-map ...

(config-cmap)#match

*When using the "match protocol" classification criterion, ARP is the only protocol supported. All other protocols need an ACE entry for classification purposes.

2. Define a service policy

(config)#policy-map...

(config-pmap)#class...

(config-pmap-c)#police cir <rate> conform-action <action> exceed-action <action>

3. Enter control-plane configuration mode

(config)#control-plane

4. Apply the QoS policy

(config-cp)#service-policy {input | output} policy-map-name

Term

What does the following do? Is any traffic ever allowed in Fa0/1?

access-list 102 deny ip any any

ip inspect name FWRULE tcp

ip inspect name FWRULE udp

int f0/1

 description "To Outside"

 ip access-group 102 in

 ip inspect FWRULE out

Definition

"ip inspect FWRULE out" "handstamps" traffic going out the interface, poking a hole in ACL 102 so return traffic is allowed through.

Term
What must be configured for "crypto key generate rsa" to work? What form of access requires crypto keys?
Definition
Hostname and domain.

SSH requires the "crypto key" command.
Term
Why might you receive an ICMP unroutable when sending NAT traffic?
Definition
When a packet traverses inside to outside, a NAT router checks its routing table for a route to the outside address before it translates the packet. The NAT router must have a valid route for the outside network, and that route must be known through an interface that is defined as NAT outside in the router configuration.

Remember also that "no ip classless" disables the default route when subnets exist for the major network of the destination.
Term
What two ICMP messages should you allow in an ACL for traceroute to work?
Definition


Time exceeded
Port unreachable (at the destination host)

Term
What is the syntax for applying a VLAN map named SERVER1_MAP to vlan 10?
Definition
vlan filter SERVER1_MAP vlan-list 10
Term
How will a user get authenticated when accessing enable mode with the following?

enable secret fred
enable authentication wilma
aaa authentication enable default group radius enable
Definition
The enable password is validated via RADIUS; if RADIUS does not answer, it must be "fred".

"enable authentication wilma" is not a valid command.
"aaa authen enable" trumps "enable secret"