Exam Prep Questions

Question 1

Which of the following is not a reason to be concerned with accurate timekeeping on your network systems?

  • A. Proper sequencing of cron jobs

  • B. Time reference for users

  • C. Time stamps in logs

  • D. Legal reference

A1:

Answer B is correct. Users have many sources of time, but it is unlikely that they depend on accurate network time. Cron jobs (answer A) are system tasks scheduled to run at a certain time; scheduling takes into account system use and bandwidth management (among other factors). If cron jobs do not run at the correct time, they can interfere with each other or fail because of resource conflicts. Logs (answer C) are a primary troubleshooting reference, and their usefulness depends in part on the accuracy of their time stamps (to correctly sequence events on the network). The financial industry, medical services, and litigation (answer D) often reference matters recorded by computer systems. The accuracy of the time at which something is known to have occurred makes that item a reference point in the event history.

Question 2

Why does system time matter to access list implementation?

  • A. Time determines which access list will be employed.

  • B. Certain protocols should be permitted only during off-peak hours.

  • C. An access list can restrict source-destination-protocol combinations based on the time of day.

  • D. All of these are correct.

A2:

Answer C is correct. You can create an access list (it must be a named IP or IPX extended access list) that references a time range. This could be a range that specifies certain days of the week, all weekdays, and certain hours. The named time range is an option on the access list. Access lists are applied or not applied to an interface; no system at this time conditions the application of an access list to an interface based on time (answer A). Whether certain protocols should be permitted at given times (answer B) is a policy matter, but the question asks about access list implementation. Because answers A and B are not correct, answer D cannot be, either.

Question 3

What is the most accurate level of time that an NTP-enabled device can reference?

  • A. Stratum 0

  • B. Stratum 1

  • C. Stratum 3

  • D. Stratum 15

A3:

Answer B is correct. Network Time Protocol (NTP) devices are arranged in several layers, called strata. Those with a direct connection to an atomic clock or a GPS timer reference are called stratum 1 devices; they are the most accurate NTP-enabled devices. A stratum 2 device is one hop away from a stratum 1 device, while a stratum 3 device is one hop farther away, and so forth. There is no limit to the stratum levels in the RFCs; however, in practical terms, stratum 3 is the lowest level you will normally see referenced. There is no stratum 0.

Question 4

NTP traffic uses what protocol to exchange information?

  • A. SNMP.

  • B. TCP.

  • C. NNTP.

  • D. UDP.

  • E. None of these is correct.

A4:

Answer D is correct. NTP uses UDP over IP. TCP (answer B) has too much latency. SNMP (answer A) is used for other network device-management purposes. NNTP (answer C) is the Network News Transport Protocol, used for news servers and newsgroups.

Question 5

Which of the following is correct? (Choose two.)

  • A. Routers can be NTP peers and clients.

  • B. Switches can be NTP peers and clients.

  • C. Routers can be NTP clients only.

  • D. Switches can be NTP clients only.

A5:

Answers A and D are correct. Although routers can be NTP peers (exchanging information with other NTP-enabled devices), switches can be only NTP clients (they cannot offer their time to another device). Thus, answer B is not valid because it states that switches can be peers, and answer C is incorrect because it does not include the peer capability of routers.

Question 6

Which of the following is a means to secure NTP? (Choose two.)

  • A. RADIUS

  • B. TACACS+

  • C. Access lists

  • D. NTPv3 authentication and encryption

  • E. Placement inside a secured perimeter

A6:

Answers C and D are correct. Access lists (answer C) can be used to secure NTP by establishing a limited number of IP addresses from which the router will accept NTP messages. Answer D is correct because NTPv3 implemented security features such as message authentication and encryption. NTP is not a feature authenticated by either RADIUS (answer A) or TACACS+ (answer B). Although placement inside a secured perimeter helps (answer E), when the device accepts NTP traffic, it accepts packets from the other device. Unless you have a stratum 1 device in your network, you must get at least one time reference from an outside source; your device receiving those packets is open unless the other device's address is limited and/or you implement the security features of NTPv3.

Question 7

SNMP uses which transport protocol(s) and port(s)? (Choose four.)

  • A. TCP

  • B. UDP

  • C. ARP

  • D. ICMP

  • E. 160

  • F. 161

  • G. 162

A7:

Answers A, B, F, and G are correct. SNMP uses both TCP and UDP (answers A and B) and operates on port 161 for gets and sets (answer F), and port 162 for traps (answer G). ARP (answer C) is not a transport-layer protocol (if you had any doubt, that should have helped). To quote RFC 792, "ICMP uses the basic support of IP as if it were a higher level protocol; however, ICMP is actually an integral part of IP and must be implemented by every IP module." Thus, ICMP (answer D) could not be correct because it, too, is not a transport-layer protocol. Knowing the layer at which a protocol operates can help you eliminate incorrect answers. Port 160 (answer E) is assigned to SGMP, the Simple Gateway Monitoring Protocol.

Question 8

What is the default SNMP community string?

  • A. cisco

  • B. sanjose

  • C. private

  • D. public

A8:

Answer D is correct. The default community string for SNMP is public; some network administrators change this to private (answer C), but both are well known to hackers. cisco (answer A) is often a default setting, but not in SNMP. Likewise, some people use sanjose (answer B) as a password, probably thinking that its association with Cisco Systems will jog their memory, but, of course, that trick is old and well known, too.

Question 9

In the command snmp-server community met#$%dfw ro 88, what does the number 88 represent?

  • A. The extended access list number with the acceptable community server IP addresses

  • B. The maximum number of members allowed in the community

  • C. The time to live (TTL) of SNMP traps for the community

  • D. The standard access list number with the acceptable community server addresses

A9:

Answer D is correct. This is an example of the need to read the answers as closely as you read the questions. Standard IP access lists are numbered 1-99, while extended IP access lists are numbered 100-199 and 2000-2699 (also known as expanded IP access lists). The number of the access list (88) tells you that it must be a standard IP access list (answer D), not an extended IP access list (answer A). The number has nothing to do with either a membership limit in the community (answer B) or a TTL on the SNMP traps sent (answer C).
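As an added illustration of the configuration described in the answers to Questions 6, 8 and 9 (it is not from the book), the Cisco IOS fragment below binds the read-only SNMP community to a standard access list, shows the weak default beside it, and enables NTPv3 authentication with an NTP access group. The IP addresses, the access-list 10 number and the key value are constructed placeholders.

```cisco
! Added example, not from the book. Addresses and the key are placeholders.
!
! Weak setting (Question 8): the well-known default community, accepted
! from any source address. Left commented out; do not use it.
! snmp-server community public ro
!
! Standard ACL 88 names the only management station allowed to use the
! community (Question 9). Everything else is implicitly denied; the
! explicit deny adds a log entry so probes show up in syslog.
access-list 88 permit host 192.0.2.10
access-list 88 deny any log
!
! Bind the community to ACL 88; "ro" grants read-only access.
snmp-server community met#$%dfw ro 88
!
! NTPv3 message authentication (Question 6, answer D): the router only
! accepts time from servers whose packets carry a valid trusted-key digest.
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-SECRET
ntp trusted-key 1
ntp server 192.0.2.20 key 1
!
! Standard ACL 10 restricts which addresses may exchange NTP with the
! router at all (Question 6, answer C).
access-list 10 permit host 192.0.2.20
ntp access-group peer 10
```

With both controls in place, an NTP packet from an address outside ACL 10, or one from 192.0.2.20 that fails the key 1 digest, is discarded rather than used to adjust the clock.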

Question 10

What does Cisco recommend in the SAFE Blueprint concerning CDP?

  • A. Disable CDP everywhere, if possible.

  • B. Disable CDP on all perimeter routers and the interfaces of all devices directly connected to the perimeter devices.

  • C. Both of these are correct.

  • D. None of these is correct.

A10:

Answer C is correct. Although CDP can be useful when you need to derive the topology of an unknown network, that is also what makes it dangerous to leave running. If a hacker manages to penetrate one network device, he could use the plentiful information in show cdp neighbors and even more plentiful information in show cdp neighbors detail to derive that same information about your network. Therefore, Cisco recommends disabling CDP everywhere, if possible (answer A); if you need to use it in the network, at the minimum, you should disable it on all perimeter devices and on all interfaces directly connected to those devices (answer B).

Question 11

The SAFE Blueprint Validation Lab used which forms of AAA? (Choose two.)

  • A. TACACS+

  • B. RADIUS

  • C. Kerberos5

  • D. Local databases

A11:

Answers A and D are correct. The local database (answer D) is used as a back door, just in case problems develop. For the rest of AAA, in the SAFE Blueprint as implemented in the Cisco Validation Lab, TACACS+ was used (answer A). Neither RADIUS (answer B) nor Kerberos5 (answer C) was used. If you study the implementations in Appendix A of the SAFE Blueprint, that will help you on a number of questions on the actual exam.

Question 12

What does Cisco recommend concerning the use of TFTP for network-management file transfers?

  • A. Use it, but tunnel it through GRE to mask its presence.

  • B. Use it, but encrypt it in an IPSec tunnel to prevent data from being read by a sniffer.

  • C. Switch to FTP, which uses TCP and requires a username and password before the session will commence.

  • D. Use it, but authenticate with TACACS+.

A12:

Answer B is correct. Cisco recognizes the utility of TFTP and appreciates the advantage of low overhead that it has over FTP during large file transfers such as image upgrades. However, it is important not to expose the contents of TFTP file transfers, especially configuration files, so Cisco recommends tunneling TFTP sessions in IPSec, with payload encryption (answer B). Tunneling through GRE (answer A) adds an outer header but does nothing to protect the payload from snooping. Although FTP does require a username and password to initiate a session (and, presumably, you would not allow anonymous FTP for such sessions), the username and password are passed from client to server in plain text; they are not encrypted. Thus, answer C is not a security improvement. Because TFTP does not require authentication, there is no practical means of using AAA (TACACS+ or any other method) to ensure legitimate sessions, eliminating answer D. In addition, the question referred to using TFTP for file transfers: Authentication validates the two parties communicating but does nothing to protect the contents of the communication.




CCSP CSI Exam Cram 2 (Exam Cram 642-541)
ISBN: 0789730243
Year: 2002
Pages: 177
Authors: Annlee Hines
