Chapter 17. Answer Key 2

1. A, B, C

2. A, C

3. A, E

4. D

5. B

6. B

7. A

8. B, D

9. D

10. B

11. A

12. B, C

13. A

14. F

15. C

16. D

17. B

18. C

19. C

20. C

21. D

22. C

23. C

24. C

25. B

26. A

27. C

28. B

29. D

30. B, D

31. A, D

32. A

33. A, B, C, D

34. D

35. B, C, D

36. B

37. D

38. B

39. B

40. B

41. D

42. C

43. B

44. D

45. C

46. C

47. B, D

48. A, C

49. B

50. D

51. A, D

52. B, C

53. B

54. A, C

55. C

56. C

57. B, D

58. A

59. A, B

60. B

61. B

62. A, D, E

63. C

64. B

65. C

Question 1

The correct answers are A, B, and C. To establish a session from the access server to a modem that is attached to an asynchronous line, you must use reverse Telnet. You use the telnet command to make this reverse connection. It uses the IP address of an up interface, such as a LAN or loopback interface, followed by port number 2000 + n, where n represents the number of the asynchronous line to which the modem is attached (so the modem on line 1 is reached on port 2001). Answer D is incorrect; you issue the modem inout command in line configuration mode.

Question 2

The correct answers are A and C. The transport input command specifies protocols allowed for incoming connections on a line. Session establishment might be unsuccessful because the Telnet protocol was not allowed. Connection establishment might also fail if the line is already in use; you can check it using the show users EXEC command, which displays all current active users. Answers B and D are incorrect because neither the rlogin nor the modem dialin command helps establish a successful reverse Telnet session. rlogin is an EXEC command used to establish an rlogin connection to a host, and the modem dialin command specifies that the modem be used for incoming calls only.

Question 3

The correct answers are A and E. When configuring an asynchronous port, you configure logical aspects using the interface async command and physical aspects using the line command. The logical configuration includes protocol parameters such as encapsulation and authentication. Answers B, C, and D are incorrect because the modem inout, speed, and autoselect ppp commands are physical settings configured for the line.

Question 4

The correct answer is D. You create a logical asynchronous interface using the interface group-async command, which provides parameters to the associated physical lines. You assign the physical lines that are members of this interface group using the group-range command. Answers A, B, and C are not used to create a logical asynchronous interface; therefore, these options are incorrect.

Question 5

The correct answer is B. You can configure a line attaching a modem to an access server or router with the modem dialin line configuration command to specify that the modem accept incoming calls only. Answers C and D are incorrect; the modem callout command configures a line for reverse connections, and the modem inout command configures a line to support both incoming and outgoing calls. The modem accept command is not a valid Cisco IOS command; therefore, Answer A is incorrect.

Question 6

The correct answer is B. You can use the show modemcap command to view the current modemcap entries. To view the attribute values configured for a specific entry, use the show modemcap command followed by the modem-name. Answer A is incorrect because this option displays all modemcap entries. Answers C and D are incorrect because they do not provide the proper syntax to display the contents of a specific modemcap entry.

Question 7

The correct answer is A. The router can automatically configure modems using two methods: through modem autoconfiguration or through modem autodiscovery. Configuring the modem type using the modem autoconfigure type modem_name command is preferred over the discovery option whenever possible; therefore, Answer B is incorrect. With modem discovery, the router attempts to determine the modem type based on the response that is returned to AT commands sent to the modem. This process can create more overhead than autoconfiguration because it tries modem types in the modemcap database until it receives a desired response. It also occasionally results in a modem type assignment that is not the best match for the attached modem. You configure autodiscovery using the modem autoconfigure discovery command.

Question 8

The correct answers are B and D. You can use the modemcap edit command to add new attributes to an existing modemcap entry or to create a new modemcap entry for the database. You remove current modemcap entries or attributes in an existing entry with the no modemcap entry command; therefore, Answer C is incorrect. You use the show modemcap modem-name command to view the contents of a specific modemcap entry, making Answer A an incorrect option.

Question 9

The correct answer is D. The show line command provides information on the physical and, to a certain extent, logical state of a line. To view the parameters of a particular line, use the syntax show line line-number. Information displayed includes settings such as the transmit and receive rate, modem type and state, types of modem signals configured on the line, and statistics about the use of the line. Answers A, B, and C are incorrect because they do not provide information on the physical and logical state of a line.

Question 10

The correct answer is B. A number of modem commands for settings such as hardware flow control, compression, and error correction are nonstandardized and are different from one type of modem to the other. Other commands are common to different modem types, including the AT&F command, which you use to load the factory default settings. The other AT commands provided do not reload the modem default settings; therefore, Answers A, C, and D are incorrect.

Question 11

The correct answer is A. You can use the command priority-list list-number default {high | medium | normal | low} to assign packets that do not match any rules in the priority list to a specific default queue. Answer B is incorrect because undefined traffic is not automatically placed in the low-priority queue. Answer C is incorrect because undefined traffic does not need to be discarded. Answer D is incorrect because undefined traffic is not automatically placed in the high-priority queue.

Question 12

The correct answers are B and C. Custom queuing (CQ) is particularly suitable for environments that require a minimal level of services for a number of different protocols. Queues are processed sequentially, and you can configure each queue with a different percentage of traffic that will be transmitted before the next queue is serviced. With this type of queuing, you can assign time-sensitive traffic a large portion of the available bandwidth while reserving a portion of bandwidth for lower-priority traffic. Answers A and D are incorrect because they do not describe characteristics of CQ methods.

Question 13

The correct answer is A. CQ uses numbered queues. You can configure the size of a particular queue using the queue-list list-number queue queue-number limit limit-number command, where limit-number represents the maximum number of packets that the queue can contain. Answer C is incorrect; you use the queue-list list-number queue queue-number byte-count byte-count-number command to specify the minimum number of bytes to be transferred at a time from a particular custom queue. Answers B and D are incorrect because you use them to configure priority queuing (PQ).

Question 14

The correct answer is F, indicating that each possible answer is correct. Per-interface (or link) compression is often used on point-to-point lines such as an ISDN connection or leased line. This type of compression is protocol independent and effectively compresses the entire data stream transmitted over the WAN link. The per-interface algorithm can use STAC or Predictor to compress the complete packet, including the header and data payload.

Question 15

The correct answer is C. The Cisco IOS quality-of-service (QoS) features provide tail drop and Weighted Random Early Detection (WRED) as congestion-avoidance mechanisms. Answer B is incorrect because the default mechanism used if WRED is not configured is tail drop. Tail drop does not differentiate between types of traffic; if the network experiences congestion and queues reach their maximum capacity, tail drop causes packets to be dropped until congestion subsides and there is once again room in the queue. Cisco IOS QoS does not use Random Early Detection (RED) as its packet-dropping mechanism; therefore, Answer A is incorrect. Answer D is incorrect because it is not a packet-dropping mechanism.

Question 16

The correct answer is D. WRED is the Cisco IOS QoS implementation of the Random Early Detection (RED) congestion-avoidance mechanism. WRED is based on the RED algorithm's features but also adds IP precedence recognition, allowing traffic handling to consider the IP priority of a packet. This way, lower-precedence packets are more likely to be dropped than high-precedence packets. WRED works to anticipate congestion and can discard packets before congestion occurs and before queues become full; this process avoids the occurrence of tail drops, where all packets are dropped once the queue reaches its capacity. Answers A, B, and C are all valid characteristics of WRED; therefore, they are incorrect options.
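The following is an added worked example, not code from the book: a small Python model of the WRED decision described in Questions 15 and 16. The per-precedence thresholds and the queue limit are assumptions chosen to make the behaviour visible, not the IOS defaults. It shows the average queue depth being tracked as an exponentially weighted moving average, the drop probability rising from zero at the minimum threshold to 1/denominator at the maximum threshold, and the fact that a physically full queue still tail-drops regardless of precedence.

```python
"""WRED drop decision per IP precedence (added example; thresholds are assumptions)."""
import random

# Per-precedence WRED profile: (min_threshold, max_threshold, mark_probability_denominator).
# Illustrative values, not the IOS defaults: lower precedence starts dropping earlier.
WRED_PROFILES = {
    0: (10, 40, 10),
    3: (20, 40, 10),
    5: (30, 40, 10),
}
QUEUE_LIMIT = 64  # hard queue limit at which tail drop applies regardless of WRED


def update_average(avg_depth, current_depth, exponent=9):
    """EWMA of queue depth: avg = avg*(1 - 2^-n) + current*2^-n, n = exponential weighting constant."""
    w = 2.0 ** -exponent
    return avg_depth * (1.0 - w) + current_depth * w


def drop_probability(avg_depth, precedence):
    """Probability that a packet of this precedence is discarded at the given average depth.

    Below min_threshold nothing is dropped; between min and max the probability rises
    linearly to 1/denominator at max_threshold; above max_threshold every packet is dropped.
    """
    min_th, max_th, denom = WRED_PROFILES[precedence]
    if avg_depth < min_th:
        return 0.0
    if avg_depth > max_th:
        return 1.0
    return (avg_depth - min_th) / (max_th - min_th) / denom


def enqueue_decision(current_depth, avg_depth, precedence, u):
    """Return 'tail-drop', 'wred-drop' or 'queued'. u is a uniform [0, 1) draw."""
    if current_depth >= QUEUE_LIMIT:
        return "tail-drop"          # queue physically full: dropped whatever the precedence
    if u < drop_probability(avg_depth, precedence):
        return "wred-drop"          # early probabilistic discard to signal congestion
    return "queued"


def simulate(avg_depth, packets=10000, seed=1):
    """Count WRED drops per precedence at a fixed average depth.

    One uniform draw per packet is reused for every precedence, so the ordering between
    classes follows directly from their drop probabilities rather than from sampling noise.
    """
    rng = random.Random(seed)
    drops = {p: 0 for p in WRED_PROFILES}
    for _ in range(packets):
        u = rng.random()
        for p in WRED_PROFILES:
            if enqueue_decision(35, avg_depth, p, u) == "wred-drop":
                drops[p] += 1
    return drops


if __name__ == "__main__":
    for p in WRED_PROFILES:
        print(p, [round(drop_probability(d, p), 3) for d in (5, 25, 35, 40, 45)])
    print(simulate(35))
```

At an average depth of 35 packets, precedence 0 is dropped with probability 0.083, precedence 3 with 0.075 and precedence 5 with 0.05; at 45 all classes are dropped, which is the point at which WRED degenerates into tail drop.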

Question 17

The correct answer is B. When using authentication, authorization, and accounting (AAA) and CiscoSecure, the basic network-access server configuration includes steps such as enabling AAA, specifying the CiscoSecure ACS, and setting the encryption key. You globally enable AAA on the access server using the aaa new-model command; therefore, Answer A is not the correct option. You specify the CiscoSecure ACS by IP address or hostname using the radius-server host command (or tacacs-server host with a TACACS+ server). You then use the radius-server key (or tacacs-server key) command to configure the shared secret key used between the network access server and the CiscoSecure ACS, making Answer D an incorrect answer. Note that the two protocols use the key differently: RADIUS uses it only to hide the password attribute and to authenticate packets, whereas TACACS+ encrypts the entire packet body with it. Answer C is incorrect because it is not used in the CiscoSecure ACS AAA configuration.

Question 18

The correct answer is C. CiscoSecure has three main components: the AAA ACS, the AAA clients, and some type of user database. Authentication information is collected from the AAA-configured clients by the ACS, which then verifies it against the user database. Clients are then permitted or denied access based on the information stored in the database. Answers A, B, and D are incorrect options because they represent the three core components of CiscoSecure.

Question 19

The correct answer is C. AAA provides three components: authentication, authorization, and accounting. Authentication is the process of identifying users before they are permitted access to the network and its services. Answer A is incorrect; authorization determines what users are permitted to do once they are authenticated. Answer B is incorrect; accounting is responsible for tracking what services users are accessing for auditing, reporting, or billing purposes. Answer D is incorrect because it is not a valid AAA component.

Question 20

The correct answer is C. When configuring a router or access server for AAA authentication, one of the tasks includes defining the method or list of methods that are used for the authentication process during login. To set the login authentication method, use the aaa authentication login command, which has the following syntax: aaa authentication login {default | list-name} method1 [method2...]. Answer A is incorrect because it is not a valid AAA configuration command. Answer B is incorrect because you use this command to globally enable AAA. Answer D is incorrect because you use this command to set the PPP authentication method.

Question 21

The correct answer is D. Aside from its access control function, CiscoSecure provides a central location for the storage of AAA accounting information. You enable accounting using the aaa accounting command, which presents a variety of auditing options. Some examples include auditing system-level commands using the system keyword, auditing commands at a specified privilege level using the command level option, and auditing outbound connections using the connection keyword. Answers A, B, and C are incorrect because they do not enable auditing for system events.

Question 22

The correct answer is C. Committed information rate (CIR) is the rate in bits per second that the Frame Relay switch commits to transfer data. This rate is generally calculated as an average over a period of time. This period of time is called the Tc or committed rate measurement interval. The number of bits the CIR is measured over comes from a value called committed burst, or Bc, which is the maximum number of data bits that the switch agrees to transfer during one such interval. Therefore, the relationship between these three values is CIR = burst size divided by time interval, or CIR = Bc/Tc. Answers A, B, and D are incorrect; they do not include the term used to represent the rate at which a switch agrees to transfer traffic.

Question 23

The correct answer is C. Traffic shaping allows the router to control the output rate of virtual circuits. When configuring an interface for Frame Relay Traffic Shaping (FRTS), you must first enable Frame Relay encapsulation on the interface. You then use the frame-relay traffic-shaping interface configuration command to enable traffic shaping for the interface. Performing these configuration tasks enables both traffic shaping and per-VC (virtual circuit) queuing for all the interface's VCs. Answers A, B, and D are not valid commands used to enable Frame Relay traffic shaping on an interface.

Question 24

The correct answer is C. The map-class frame-relay command specifies a map class name and enters map-class configuration mode to allow the configuration of traffic-shaping parameters for that map class. Once defined, the map class is associated with VCs on the Frame Relay interface using the frame-relay class command. You can apply map classes either to the interface (all VCs) or to specific subinterfaces (individual VCs). Answers A, B, and D are incorrect because they are not commands used to associate a map class with logical subinterfaces.

Question 25

The correct answer is B. Split horizon enforces that routing updates received on one interface cannot be forwarded out the same interface. A hub router that uses one interface to connect to multiple spokes on the Frame Relay network cannot forward updates received from one spoke onto another because it is equivalent to sending updates received on one interface back out the same interface. However, if you configure the interface with separate virtual connections to each spoke router using subinterfaces, you overcome the split-horizon rule and updates can be forwarded to different spoke routers on the network. Answers A, C, and D are incorrect; you cannot alleviate issues caused by split horizon by configuring Frame Relay map statements, disabling the forwarding of broadcasts, or configuring a loopback address.

Question 26

The correct answer is A. You use the frame-relay adaptive-shaping command to configure the adjustment of sending rates for VCs, which can be based on backward explicit congestion notification (BECN) messages. Although BECN is common, you can also adapt sending rates based on ForeSight notification messages as well as interface congestion. ForeSight is a Cisco proprietary technology, which means that you can implement adaptive-shaping based on this type of notification message only between Cisco IOS devices. Answers B, C, and D are incorrect; you do not use this command to set the CIR, set the excess burst rate, or enable FRTS and per-virtual circuit queuing.

Question 27

The correct answer is C. You can configure the traffic-shaping characteristics of VCs using the frame-relay traffic-rate command. Its syntax is frame-relay traffic-rate average [peak], where the average value is generally equivalent to the CIR. You can also specify a peak rate, which is generally the average rate plus the Excess Information Rate (EIR); however, if no peak is defined, the average rate is used as the peak rate. Answers A, B, and D are incorrect because they are not valid commands used to configure traffic-shaping rate enforcement when defining map class parameters.
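The following is an added worked example, not from the book, covering the CIR, Bc and Tc relationship of Question 22 together with the average and peak rates of Question 27. It models the shaper as a token bucket that is credited Bc bits every Tc and may hold up to Bc + Be bits, which is the usual way Frame Relay traffic shaping is explained; the exact credit schedule of a given IOS release is not asserted here. The rates used (a 64 kbps CIR, Bc of 8000 bits, an offered load of 96 kbps) are constructed inputs.

```python
"""Frame Relay shaping arithmetic and a token-bucket model of FRTS (added example)."""


def committed_interval(cir_bps, bc_bits):
    """Tc = Bc / CIR, in seconds."""
    return bc_bits / cir_bps


def peak_rate(cir_bps, bc_bits, be_bits):
    """Peak = CIR + EIR, where the excess information rate is Be / Tc."""
    return cir_bps + be_bits / committed_interval(cir_bps, bc_bits)


def shape(cir_bps, bc_bits, be_bits, offered_bps, seconds):
    """Run a token-bucket shaper for `seconds` and report what got sent versus queued.

    Each Tc the bucket is credited Bc bits, capped at Bc + Be. Traffic that finds
    no credit is held in the per-VC queue rather than dropped, so sustained
    offered load above the CIR shows up as a growing backlog (and delay).
    """
    tc = committed_interval(cir_bps, bc_bits)
    intervals = int(round(seconds / tc))
    arriving_per_tc = offered_bps * tc
    credit = bc_bits + be_bits   # bucket starts full
    backlog = 0.0
    sent = 0.0
    for _ in range(intervals):
        credit = min(credit + bc_bits, bc_bits + be_bits)
        demand = backlog + arriving_per_tc
        tx = min(demand, credit)
        credit -= tx
        backlog = demand - tx
        sent += tx
    return {"tc_seconds": tc, "intervals": intervals, "sent_bits": sent, "queued_bits": backlog}


if __name__ == "__main__":
    print("Tc =", committed_interval(64000, 8000), "s")
    print("peak =", peak_rate(64000, 8000, 8000), "bps")
    print("Be=0   :", shape(64000, 8000, 0, 96000, 1.0))
    print("Be=8000:", shape(64000, 8000, 8000, 96000, 1.0))
```

With Be = 0 exactly the CIR (64000 bits) leaves in one second and 32000 bits sit in the queue; allowing Be = 8000 lets the first two intervals burst, so 72000 bits are sent and the backlog is smaller, but the long-run rate still converges on the CIR.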

Question 28

The correct answer is B. To display and analyze Frame Relay packets sent on an interface, use the debug frame-relay packet command. To limit the output of packets that are sent, you can indicate a specific interface or data-link connection identifier (DLCI) value. The information displayed includes the destination protocol address of the packet, the decimal value of the DLCI, the type of packet, and the size of the packet. Answer C is incorrect; to view information for packets that are received on a Frame Relay interface, use the debug frame-relay command. Answers A and D are incorrect because they are not valid debug commands used to monitor packet transfer on a Frame Relay interface.

Question 29

The correct answer is D. When ordering ISDN service for your router, the service provider might assign one or two service profile identifiers (SPIDs). Some service providers require SPIDs, whereas others do not use them at all or consider them optional; therefore, Answers A and B are incorrect. SPIDs identify devices that are using the ISDN service. If your ISDN provider does require SPIDs, you should configure them using the isdn spid1 (and isdn spid2) commands because the ISDN device cannot receive or place calls until valid SPIDs are provided to the ISDN switch. SPIDs are not set to use the ISDN D-channel for data transmission; therefore, Answer C is incorrect.

Question 30

The correct answers are B and D. DLCI to IP address mapping can happen statically or dynamically. You use Frame Relay Inverse Address Resolution Protocol (Inverse ARP) for dynamic mapping of a network layer address to the DLCI number of the virtual connections. Destination network protocol addresses are statically mapped to DLCIs using the frame-relay map command, which uses the syntax frame-relay map protocol protocol-address dlci [broadcast][ietf | cisco]. Answer A is incorrect because you use Inverse ARP for dynamic mapping. Answer C is incorrect because you create static mappings using the frame-relay map command.

Question 31

The correct answers are A and D. Static routes are manually entered into the routing table and are by default assigned a low administrative distance (1), which makes them preferred over routes obtained through a dynamic routing protocol (dynamic routes). Floating static routes are assigned an administrative distance greater than that of the dynamic routing protocol in use. The purpose of the floating static route is to act as an alternative to the dynamic route that is used only if the route provided through the dynamic routing protocol is lost. Answers B and C are incorrect because they are not valid characteristics of floating static routes.

Question 32

The correct answer is A. You use the show frame-relay pvc command to obtain statistics on Frame Relay permanent virtual circuits (PVCs). Its syntax is show frame-relay pvc [interface interface][dlci]. Use the command without parameters to view statistics on all PVCs, or specify an interface to view only information for all PVCs on that interface. To view detailed information for PVCs, specify the DLCI number with the command. It will provide such information as the policy map configuration, the priority of the PVC, and the congestion-management configuration for PVCs using traffic shaping. Answers B, C, and D are incorrect because they do not display the required information.

Question 33

The correct answers are A, B, C, and D. As a standard encapsulation protocol (currently RFC 1661, which replaced the earlier RFC 1331), Point-to-Point Protocol (PPP) can encapsulate upper-layer protocols for transmission over a range of connection types, including asynchronous and synchronous serial links, ISDN connections, and even broadband technologies. PPP uses a Network Control Protocol (NCP) for each network-layer protocol carried over the link and uses LCP (Link Control Protocol) to negotiate link options such as compression, an authentication method, and the multilink feature.

Question 34

The correct answer is D. Each WAN technology has a maximum theoretical connection speed. These characteristic WAN speeds might or might not be reached, depending on the technology and the factors that result in lower than theoretical speeds. However, from the technologies listed, a T3 connection provides a DS3 rate of 44.736Mbps and is the fastest connection. Answers A and B are incorrect; cable and DSL technologies can generally offer around 4Mbps and 1Mbps, respectively. Finally, ISDN Primary Rate Interface (PRI) has a theoretical speed comparable to a T1 connection, which is 1.544Mbps, making Answer C an incorrect option.

Question 35

The correct answers are B, C, and D. You can configure dial backup to activate the secondary line based on the primary line's traffic load using the backup-load {enable-threshold | never}{disable-threshold | never} command. The enable-threshold, which is set to 75 in this case, is the percentage of the primary line's available bandwidth. Once 75% of the primary line's bandwidth is used, the secondary line is activated. The disable-threshold specifies when the secondary line is brought down again. This percentage value is the aggregate load of the primary and secondary lines. Therefore, once the aggregate load is equal to, in this example, 5% of the primary line's available bandwidth, the secondary line is brought down. Answer A is incorrect because it is not a true statement about the command provided.

Question 36

The correct answer is B. Once a dial-on-demand routing (DDR) interface is configured to initiate a call, the router must be provided with the information needed to dial the remote host. You provide these dialing parameters using the dialer map command, which maps the next-hop protocol address to a dial-string or phone number. The dialer map command provides a number of parameters, such as name for the remote system's hostname, speed for the speed to be used on the line, and broadcast to specify whether broadcasts are to be forwarded to this destination address. There are also a number of optional parameters, depending on the particular configuration needs. Answers A, C, and D do not provide the correct commands used to configure a router to dial a destination router.

Question 37

The correct answer is D. One of the parameters that you can configure on a DDR interface is the fast-idle timer, which you do using the dialer fast-idle command followed by a time value in seconds. This timer specifies how long the current call should remain idle before it is disconnected when there is another call waiting to use the line. Answers A, B, and C are not used to set the timer that determines how long a line is to remain idle before it is disconnected.

Question 38

The correct answer is B. You use the backup delay command to set two delay times in response to a status change in the primary line: one that is started once the primary line goes down and the other that is started once the primary line comes back up. Therefore, the first number in the backup delay {enable-delay| never} {disable-delay| never} command signifies how much time in seconds should elapse after the primary line goes down until the backup line is brought up. The second number represents the amount of time that should elapse before the backup line is brought back down after the primary line is functional again. Answers A, C, and D are all incorrect statements regarding the backup delay command.

Question 39

The correct answer is B. Dialer watch is a feature that brings up a backup connection in response to primary link failure. A basic dialer-watch configuration includes defining which IP addresses or IP networks are to be placed on the watch list using the dialer watch-list command and enabling the dialer-watch feature on the interface that will serve as the backup link using the dialer watch-group command. As with other backup link configurations, you can optionally configure a delay timer using the dialer watch-disable command, which specifies a delay time in seconds; therefore, Answers A, C, and D are incorrect.

Question 40

The correct answer is B. You can define the dialer hold-queue packets command as part of the callback configuration to create a hold queue that will store a predefined number of packets while the connection is being established. The command specifies a number of packets ranging from 0 to 100. Answer C is incorrect because it is not the command you use to enable queuing of packets until the dialer interface is ready. Answers A and D are not valid Cisco IOS DDR commands.

Question 41

The correct answer is D. A dialer pool is part of the dialer-interface configuration, which is linked to a physical interface. Once you create a dialer pool, you can assign asynchronous, synchronous, or ISDN interfaces to the dialer profile's dialing pool using the dialer pool-member command. The general syntax of the command is dialer pool-member number [priority priority]. The number parameter references the dialer pool, to which you can give a number ranging from 1 to 255. You can also assign the pool member a priority ranging from lowest (0) to highest (255); higher-priority members in the dialer pool are selected first for dialing. Answers A, B, and C are incorrect because they are not commands to assign a physical interface to a dialer pool.

Question 42

The correct answer is C. DDR backup features bring up a secondary link in case the primary WAN connection is lost. A router can use different approaches to initiate a backup connection. It may use a backup interface, which stays in standby mode until the line protocol of the primary interface is detected as down. It can also use floating static routes, which are assigned a higher administrative distance than dynamic routes maintained in the routing table. Should the dynamic route be lost, static floating routes can take over to provide an alternate path using the backup link. Finally, the router can use the dialer watch feature, which combines dial backup with routing capabilities. Using dialer watch, the router configures a set of "watched routes" that define the primary interface. Should a watched route no longer be present according to the routing protocol, the primary interface is considered down and the router starts dialing the backup link. Therefore, interesting traffic is not necessary to trigger a call because dialer watch places a call if there are no longer any viable routes to a destination using the primary interface. Answer A is incorrect because floating static routes do not monitor a list of routes. Answers B and D are incorrect because they are not backup features involved in triggering a call.

Question 43

The correct answer is B. A Cisco router can be one of two types of ISDN end devices: a TE1 (Terminal Equipment type 1) or a TE2 (Terminal Equipment type 2). A TE1 device has a built-in ISDN Basic Rate Interface (BRI). A TE2 is a non-ISDN device, which needs a TA (terminal adapter) to connect to the ISDN network; therefore, Answer A is incorrect. Answers C and D are not used to refer to this ISDN network router component.

Question 44

The correct answer is D. Rate adaptation allows an ISDN channel to adjust to a lower speed. In some cases, the destination device might not use or support the full ISDN channel rate of 64Kbps. You can then use rate adaptation to pass the slower rate data stream over the higher-rate ISDN link. Two rate adaptation methods commonly used over ISDN are the V.110 and V.120 International Telecommunications Union (ITU) standards. Answers A, B, and C are incorrect; rate adaptation is not used for load-balancing or needed for a TE1 device to connect to the ISDN network, and it does not address congestion on the ISDN link.

Question 45

The correct answer is C. You can use the passive-interface command to prevent dynamic routing updates on the dialer interface to keep the updates from bringing up a DDR link. Answers A, B, and D are incorrect because they do not describe the purpose of the passive-interface command.

Question 46

The correct answer is C. In situations where you need a large number of IP addresses, as with an access server with many asynchronous interfaces, you can conserve IP addresses by using the ip unnumbered command. Asynchronous point-to-point connections on an access server are not generally all used at the same time, which makes assigning individual IP addresses a waste of the address pool. When you use the ip unnumbered command, the asynchronous interface is not assigned an actual IP address; instead, the interface borrows another interface's address as the source address when transferring packets on the point-to-point connection. The remote host still needs an IP address to participate on the TCP/IP network. Answers B and D are incorrect because you use commands such as peer default ip address and ip local pool to assign IP addresses to dial-in hosts. Answer A is incorrect; you use this command to assign an interface an IP address, but it does not help to conserve IP addresses.

Question 47

The correct answers are B and D. The dialer load-threshold command specifies a load value for the link at which the dialer rotary group brings up additional links to add to the Multilink PPP (MLP) bundle. The load value is a fraction of 255, meaning that 255 represents 100%. Therefore, with a load threshold of 128, additional links are brought up and added to the bundle when the bandwidth utilization reaches 50%. This command can also specify whether the threshold applies to outbound, inbound, or either direction of traffic. Answers A and C are incorrect because they are not effects of configuring the dialer load-threshold command.

Question 48

The correct answers are A and C. PPP provides authentication using the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Both protocols use username and password pairs for authentication purposes, but PAP has the disadvantage of sending the password in cleartext, making it a less secure authentication method. It is also less secure because, although it can be used for two-way authentication between routers, it is a one-way process between a host and a router, and an eavesdropper can replay a captured request. For that reason, PAP is generally only used where security is not highly important or where hosts are running legacy software that does not support CHAP. CHAP uses a three-way handshake: the authenticator sends a random challenge, the peer returns a hash (MD5) of the challenge, the packet identifier, and the shared secret along with its name, and the authenticator compares that hash with its own computation. The secret itself never crosses the link, and a fresh challenge defeats replay; only the username is sent in cleartext. PPP connections established across a leased point-to-point connection do not usually require any authentication process; therefore, Answer D is incorrect. Answer B is incorrect because PAP does not exchange hashed passwords.
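The following is an added example, not from the book, that builds the PAP Authenticate-Request and the CHAP Challenge and Response packets in their RFC 1334 and RFC 1994 layouts so the difference in what crosses the link is visible. The hostname remote-rtr, the secret, and the pluggable random source are constructed for the example; a real authenticator would use the operating system's random generator, as the default here does.

```python
"""PAP versus CHAP on the wire (added example; RFC 1334 / RFC 1994 packet layouts)."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2


def pap_authenticate_request(identifier, peer_id, password):
    """PAP Authenticate-Request: Code, Identifier, Length, then Peer-ID and Password in cleartext."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(body)) + body


def chap_hash(identifier, secret, challenge):
    """RFC 1994 Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_packet(code, identifier, value, name):
    """CHAP Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_chap(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    value_size = packet[4]
    value = packet[5:5 + value_size]
    name = packet[5 + value_size:length]
    return code, identifier, value, name


class ChapAuthenticator:
    """The side that issues challenges (the access server) and checks responses."""

    def __init__(self, user_db, rng=os.urandom):
        self.user_db = user_db      # name -> shared secret; the secret is never sent on the link
        self.rng = rng
        self.identifier = 0
        self.outstanding = {}       # identifier -> challenge value awaiting its response

    def challenge(self, name=b"nas"):
        self.identifier = (self.identifier + 1) & 0xFF
        value = self.rng(16)        # fresh random challenge: a captured response is useless later
        self.outstanding[self.identifier] = value
        return chap_packet(CHAP_CHALLENGE, self.identifier, value, name)

    def verify(self, response_packet):
        code, identifier, value, name = parse_chap(response_packet)
        challenge = self.outstanding.pop(identifier, None)   # each challenge answers exactly once
        secret = self.user_db.get(name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        expected = chap_hash(identifier, secret, challenge)
        return hmac.compare_digest(expected, value)          # constant-time comparison


def chap_respond(challenge_packet, name, secret):
    """Peer side: hash the challenge with the shared secret and return the digest plus its name."""
    _, identifier, challenge, _ = parse_chap(challenge_packet)
    return chap_packet(CHAP_RESPONSE, identifier, chap_hash(identifier, secret, challenge), name)


if __name__ == "__main__":
    print("PAP :", pap_authenticate_request(1, b"remote-rtr", b"s3cr3t"))
    auth = ChapAuthenticator({b"remote-rtr": b"s3cr3t"})
    chal = auth.challenge()
    resp = chap_respond(chal, b"remote-rtr", b"s3cr3t")
    print("CHAP:", chal, resp, auth.verify(resp))
```

Printing the PAP packet shows the password bytes as-is; the CHAP response carries only a 16-byte digest and the name, and feeding the same response to the authenticator a second time is rejected because the challenge it answered has already been consumed.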

Question 49

The correct answer is B. Screening the identification of the caller can provide a measure of security. You can use the isdn caller number command to configure one or multiple allowed caller numbers on an interface. With caller ID screening enabled, the router verifies the identity of callers by their ISDN numbers and accepts calls from numbers that have been configured using the isdn caller command. Answers A, C, and D are incorrect because they are not valid Cisco IOS commands.

Question 50

The correct answer is D. You can set slow-speed serial interfaces to operate in either synchronous or asynchronous mode using the physical-layer {sync | async} command. The default mode is synchronous, so for a low-speed serial interface to support interface configuration commands that apply to high-speed asynchronous serial interfaces, it must first be set to operate in asynchronous mode. Answer A is incorrect because you use this command to configure a line to automatically start a PPP session. Answer B is incorrect because you use this command to place a line in a dedicated asynchronous mode. Answer C is incorrect because you use this command to access configuration mode for an async interface.

Question 51

The correct answers are A and D. Virtual private network (VPN) tunnels are of two types: remote-access connections and site-to-site connections. Remote-access VPNs are secure tunnels established to the corporate network by a remote client such as a telecommuter or mobile user. The remote user first connects to a local ISP to reach the public network (for example, the Internet) and then initiates a secure connection to the corporate LAN. Another option is to use a Network Access Server (NAS): the user connects to the provider's NAS, and the NAS carries the user's traffic through a secure tunnel it has established to the corporate network. Answers B and C do not describe valid remote-access scenarios; therefore, they are incorrect.

Question 52

The correct answers are B and C. You can use IPSec protocols in two different modes: transport and tunnel. The basic differences between the modes are where IPSec is applied and which portion of the IP packet is protected. In transport mode, IPSec encapsulation takes place on the end hosts themselves; the original IP header is kept, and protection covers the transport layer and above. In tunnel mode, the end hosts are unaware of IPSec because the gateway devices apply it: the entire original IP packet, header included, is treated as payload and encapsulated in a new IP packet whose header carries the gateway addresses (with ESP the whole original packet is encrypted; with AH it is authenticated but not encrypted). Answers A and D are incorrect because those statements describe tunnel-mode operation.

Question 53

The correct answer is B. Using dynamic network address translation (NAT), a pool of public IP addresses is configured to be available for the translation process. You enter the command to define this pool of addresses in global configuration mode, and it has the following syntax: ip nat pool pool-name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]. Answers A, C, and D are incorrect because they are not valid uses of the ip nat pool command.

Question 54

The correct answers are A and C. IPSec uses Encapsulating Security Payload (ESP) and Authentication Header (AH) as its security protocols. AH offers authentication, integrity, and replay protection; its integrity check covers not only the payload but also the IP header (every field that does not change in transit, including the source and destination addresses), which is why AH cannot pass through NAT. In tunnel mode, AH encapsulates the IP packet in another packet: a new IP header, the AH header, then the original IP header and data payload. Nothing is encrypted, so AH does not provide data confidentiality. ESP, on the other hand, offers authentication, integrity, replay protection, and data confidentiality: it encrypts the original IP packet together with an ESP trailer (padding, pad length, and next-header fields) and prepends a new IP header and an ESP header. The result is a partially encrypted packet (the original packet and ESP trailer) with the new IP header, the ESP header, and the ESP authentication data (ICV) in cleartext. Note that ESP's integrity check does not cover the outer IP header, and that the ICV is present only when an authentication algorithm is selected for ESP. Answers B and D are incorrect because they are not valid security protocols.
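To show what "AH authenticates the IP header" means in practice, here is an added Python example, not from the book, that builds a transport-mode AH packet (IP protocol 51) with an HMAC-SHA1-96 integrity check value and then verifies it after the kinds of changes a packet meets in transit. A router decrementing the TTL does not break the check, because TTL and header checksum are mutable fields that AH zeroes before hashing (RFC 4302, section 3.3.3.1); a NAT device rewriting the source address does, and so does any change to the payload. The key, addresses, and payload are constructed for the demonstration.

```python
"""AH integrity protection over an IPv4 packet (transport mode).

Added example, not from the book. It builds an IPv4 packet carrying an
Authentication Header (protocol 51) with an HMAC-SHA1-96 integrity check
value (ICV), then shows which in-transit changes the receiver tolerates:
a router decrementing the TTL is fine because TTL and checksum are mutable
fields that AH zeroes before hashing (RFC 4302 section 3.3.3.1), while a
NAT rewriting the source address breaks the check, as does any change to
the payload. Addresses, key and payload are constructed for the demo.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
ICV_LEN = 12                                              # HMAC-SHA1-96: SHA-1 truncated to 96 bits
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed AH authentication key


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over the 20-byte header with its checksum field taken as zero."""
    words = struct.unpack("!10H", header[:10] + b"\x00\x00" + header[12:20])
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(header: bytes) -> bytes:
    """Return the header with a freshly computed checksum in bytes 10-11."""
    return header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:20]


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header: IHL 5, DF set, fixed identification (constructed)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return with_checksum(hdr)


def zero_mutable_fields(ip_hdr: bytes) -> bytes:
    """Fields a router may legitimately rewrite are zeroed for the ICV computation:
    DSCP/ECN, flags and fragment offset, TTL, header checksum. Addresses, total
    length, identification and protocol stay covered, which is why NAT breaks AH."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # DSCP/ECN
    h[6:8] = b"\x00\x00"       # flags + fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_hdr: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV = HMAC-SHA1(zeroed IP header || AH header with ICV field zeroed || payload)[:12]."""
    data = zero_mutable_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key: bytes, src: str, dst: str, ttl: int, next_proto: int,
               spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: IP header (proto 51) | AH fixed part | ICV | original upper-layer payload."""
    ah_len_words = (12 + ICV_LEN) // 4 - 2           # AH "Payload Len" is in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", next_proto, ah_len_words, 0, spi, seq)
    ip_hdr = build_ipv4(src, dst, ttl, AH_PROTO, len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> bool:
    """Receiver: parse the headers, recompute the ICV the same way, compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    if len(ip_hdr) < 20 or ip_hdr[9] != AH_PROTO or len(rest) < 12:
        return False
    ah_total = (rest[1] + 2) * 4
    ah_fixed, icv, payload = rest[:12], rest[12:ah_total], rest[ah_total:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def router_forward(packet: bytes) -> bytes:
    """What every hop does: decrement TTL and recompute the header checksum."""
    hdr = packet[:8] + bytes([packet[8] - 1]) + packet[9:20]
    return with_checksum(hdr) + packet[20:]


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """What a NAT router does on the way out: rewrite the source address and the checksum."""
    hdr = packet[:12] + socket.inet_aton(new_src) + packet[16:20]
    return with_checksum(hdr) + packet[20:]


if __name__ == "__main__":
    pkt = ah_protect(KEY, "10.1.1.1", "192.0.2.10", 64, 17, 0x1000, 1, b"constructed UDP payload")
    print("as sent        :", ah_verify(KEY, pkt))
    print("after one hop  :", ah_verify(KEY, router_forward(pkt)))
    print("after NAT      :", ah_verify(KEY, nat_rewrite_source(pkt, "203.0.113.5")))
    print("payload altered:", ah_verify(KEY, pkt[:-1] + b"!"))
```

The same zeroing logic is what a real AH implementation applies; ESP avoids the NAT problem only because its ICV starts at the ESP header and leaves the outer IP header out of the computation.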

Question 55

The correct answer is C. NAT in which multiple inside local (unregistered) addresses are mapped to a single inside global (registered) address is called overloading or port address translation (PAT). As the name suggests, many inside local addresses share one public address, and the source port number of each translation distinguishes the flows; return traffic is matched to its inside host by that port, and packets arriving for a port with no translation entry are dropped. Answer B is incorrect; the NAT process referred to as address overlapping is used when the internal network uses registered addresses that are also in use outside. With overlapping address spaces, the NAT router maintains a lookup table of the overlapping addresses and replaces them with unique public addresses on the way out, and also translates external addresses to unique addresses when passing packets to the internal network. Answers A and D are incorrect; they are not valid terms for types of address translation.
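As an added example that is not part of the book, the Python below simulates the translation table a NAT router keeps when overloading a single inside global address (Question 55), the address typically drawn from the pool defined with ip nat pool (Question 53). It shows how two inside hosts that happen to use the same source port get distinct global ports, how a reply is mapped back through its port, and how an unsolicited inbound packet with no entry is dropped. The simplification here is one global port per inside (protocol, address, port) regardless of destination; all addresses and ports are constructed.

```python
"""Port address translation (NAT overload) table.

Added example, not from the book. It simulates the translation table a NAT
router keeps when many inside local addresses share one inside global
address. Each inside socket gets a unique global port, return traffic is
mapped back through that port, and inbound packets with no matching entry
are dropped. Simplification: one global port per inside (protocol, address,
port) regardless of destination. All addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class PatTable:
    global_ip: str
    # (proto, inside local ip, inside local port) -> global port
    outbound: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    # (proto, global port) -> (inside local ip, inside local port)
    inbound: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def _allocate_port(self, proto: str, wanted: int) -> int:
        """Keep the host's own source port when it is free on the global address
        (so the outside sees the port the host chose); otherwise take the lowest
        free port at or above 1024. Ports are tracked per protocol."""
        for candidate in (wanted, *range(1024, 65536)):
            if (proto, candidate) not in self.inbound:
                return candidate
        raise RuntimeError("no free global port for %s" % proto)

    def translate_outbound(self, flow: Flow) -> Flow:
        """Inside -> outside: create or reuse the entry, rewrite source to global ip:port."""
        key = (flow.proto, flow.src_ip, flow.src_port)
        if key not in self.outbound:
            port = self._allocate_port(flow.proto, flow.src_port)
            self.outbound[key] = port
            self.inbound[(flow.proto, port)] = (flow.src_ip, flow.src_port)
        return Flow(self.global_ip, self.outbound[key], flow.dst_ip, flow.dst_port, flow.proto)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Outside -> inside: only packets to the global address and a port with an
        entry are rewritten; anything else (unsolicited traffic) returns None: dropped."""
        if flow.dst_ip != self.global_ip:
            return None
        inside = self.inbound.get((flow.proto, flow.dst_port))
        if inside is None:
            return None
        return Flow(flow.src_ip, flow.src_port, inside[0], inside[1], flow.proto)


if __name__ == "__main__":
    table = PatTable("203.0.113.1")
    a = table.translate_outbound(Flow("10.0.0.5", 1025, "198.51.100.80", 80))
    b = table.translate_outbound(Flow("10.0.0.6", 1025, "198.51.100.80", 80))
    print("host .5 seen as", a.src_ip, a.src_port)   # port kept
    print("host .6 seen as", b.src_ip, b.src_port)   # same inside port, so a free global port
    reply = table.translate_inbound(Flow("198.51.100.80", 80, "203.0.113.1", b.src_port))
    print("reply goes to", reply.dst_ip, reply.dst_port)
    print("unsolicited:", table.translate_inbound(Flow("198.51.100.80", 80, "203.0.113.1", 2000)))
```

The dropped unsolicited packet is the incidental filtering effect people attribute to PAT; it is a side effect of needing a table entry, not an access policy, and Cisco IOS additionally ages entries out, so a stateful filter is still needed where inbound control matters.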

Question 56

The correct answer is C. To view the NAT translations taking place for packets arriving on the inside and outside interfaces of the NAT-configured router, use the debug ip nat [list | detailed] command. This command is useful for troubleshooting because the output might reveal translation errors. With the detailed option, debug ip nat provides not only the source, translated, and destination addresses but also the protocol and port numbers for the inbound and outbound translations. Because every translated packet produces a line of output, restrict the debug with the list option (an access list selecting the hosts of interest) and use it on a busy router with care. Answers A, B, and D are incorrect because they are not valid variations of the debug ip nat command for viewing this information.

Question 57

The correct answers are B and D. IPSec provides authentication, integrity, and confidentiality using several keyed hash and encryption algorithms. For integrity and authentication, AH and ESP use Hash-based Message Authentication Codes such as HMAC with Message Digest 5 (HMAC-MD5) and HMAC with Secure Hash Algorithm (HMAC-SHA); for confidentiality, ESP uses ciphers such as the Data Encryption Standard (DES) and Triple DES (3DES). DES is no longer considered secure; 3DES and, in later IOS releases, AES replaced it. The keys for these algorithms can be established in two ways: manually, with preconfigured keys, or through the Internet Key Exchange (IKE). With manual keying, the tunnel peers are configured with the session keys before the tunnel is created, and those keys never change unless an administrator changes them. With IKE, the peers first authenticate each other (for example, with a preshared key or certificates) and then negotiate the algorithms and derive fresh session keys, rekeying as the lifetimes expire. Answers A and C are incorrect because the two methods used by IPSec are Answers B and D.

Question 58

The correct answer is A. Asymmetric encryption is also referred to as public-key encryption. It uses a key pair, a public key and a private key, that are mathematically related (complementary) so that data encrypted with one key can be decrypted only with the other. Each communicating party generates its own key pair. The private key is known only to its owner, whereas the public key and its distribution are not secret. In symmetric encryption, by contrast, cleartext is encrypted and later decrypted at the destination using a single shared secret key known to both parties. Answers B, C, and D are not terms used to describe public-key encryption; therefore, these answers are incorrect.

Question 59

The correct answers are A and B. Aside from configuring the physical PRI controller, the ISDN PRI B channels and the D channel interface must also be configured with the necessary parameters. Among these steps is the interface serial {slot/port | unit:}{23 | 15} command, which selects the serial interface for the PRI D channel. The value 23 (T1) or 15 (E1) is the serial subinterface used by the signaling channel; because Cisco numbers the channels starting at 0, 23 and 15 correspond to PRI channels 24 and 16. Answer C is incorrect because the command uses slot/port syntax, meaning that the controller is located on port 0 of slot 1. Answer D is incorrect because you do not use this command to access configuration mode for an ISDN B channel.

Question 60

The correct answer is B. You must configure the T1 controller parameters to match the digital facility of the provider. One of these parameters is the line-code type used on the circuit, which you set with the linecode {ami | b8zs | hdb3} command; b8zs (binary 8-zero substitution) is the usual choice for T1 PRI circuits, and hdb3 applies to E1. Related controller settings are framing {sf | esf | crc4 | no-crc4}, which sets the frame type used by the service provider, and clock source {line | internal}, which sets the T1/E1 clock source on the router. Answers A, C, and D are incorrect because you cannot use them to set the line-coding type of a PRI connection.

Question 61

The correct answer is B. The ITU categorizes ISDN protocols into three general types, including the Q series, E series, and I series. Protocols that begin with the letter Q cover switching and signaling processes; protocols beginning with E deal with ISDN telephone network standards; and protocols beginning with I relate to methods, concepts, and terminology; therefore, Answers A and D are incorrect. Answer C is incorrect because there are no S-series ISDN protocols.

Question 62

The correct answers are A, D, and E. This ISDN interface is configured for DDR using a legacy dialer map and a dialer-list that defines interesting traffic. The dialer-list command references an extended access list that considers Telnet, Internet Control Message Protocol (ICMP), and Simple Network Management Protocol (SNMP) traffic as uninteresting and all other IP traffic as interesting. When it receives interesting traffic, the ISDN BRI places a call to the destination router after which traffic is transmitted over the link. Answer B is incorrect; it is not a Multilink PPP (MLP) configuration excerpt. Answer C is incorrect; ping uses ICMP, which is considered uninteresting traffic.

Question 63

The correct answer is C. Branch offices using DSL connections are multiplexed at a DSL access device (DSLAM), which provides access to the Asynchronous Transfer Mode (ATM) network. You can configure PPP over Ethernet (PPPoE) so that PPPoE clients establish a connection with the central office peer router across the ATM network. The configuration excerpt is an example of a router being configured for PPPoE over ATM. The vpdn enable, vpdn-group, accept-dialin, protocol pppoe, and pppoe limit per-vc commands configure the router to accept PPPoE sessions, and the virtual-template command links those sessions to a predefined virtual template interface. Also shown are the pvc, encapsulation aal5snap, and protocol pppoe commands, which configure the ATM PVC for PPPoE. Answers A, B, and D are incorrect because this configuration specifies parameters for PPPoE over ATM.

Question 64

The correct answer is B. ISDN provides the most suitable on-demand backup for this branch-to-central-site connection. You can monitor the primary Frame Relay connection using the Cisco IOS DDR features and initiate the backup connection if primary connectivity is lost. You can also use ISDN in a bandwidth-on-demand scenario, where the backup link is brought up when the load on the primary link approaches its maximum. Answer A is incorrect because a dialup link would not provide adequate bandwidth for a connection to the central site. Answers C and D are incorrect because they are not suitable technologies for use with DDR.

Question 65

The correct answer is C. A packet-switched connection is the best solution for this customer. The traffic between the two regional offices needs a link with high utilization and long connection times, so an on-demand connection is less suitable than a permanent link, making Answer B incorrect. Packet-switched service is generally available at lower cost, and the offices are separated by a considerable distance, which makes a dedicated circuit such as a leased line less suitable; therefore, Answer D is incorrect. Answer A is incorrect because an asynchronous connection would not provide the necessary bandwidth.

CCNP BCRAN Remote Access Exam Cram 2 (Exam Cram 640 - XXX)
Year: 2003