Cisco CCNA 200-301 Questions & Answers

• Question 1231:

  Which set of actions satisfy the requirement for multifactor authentication?

  A. The user enters a user name and password, and then re-enters the credentials on a second screen.

  B. The user swipes a key fob, then clicks through an email link.

  C. The users enters a user name and password, and then clicks a notification in an authentication app on a mobile device.

  D. The user enters a PIN into an RSA token, and then enters the displayed RSA key on a login screen.

  Correct Answer: C

  This is an example of how two-factor authentication (2FA) works:

  1.

  The user logs in to the website or service with their username and password.

  2.

  The password is validated by an authentication server and, if correct, the user becomes eligible for the second factor.

  3.

  The authentication server sends a unique code to the user's second-factor method (such as a smartphone app).

  4.

  The user confirms their identity by providing the additional authentication for their second-factor method.

• Question 1232:

  Which configuration is needed to generate an RSA key for SSH on a router?

  A. Configure VTY access.

  B. Configure the version of SSH.

  C. Assign a DNS domain name.

  D. Create a user with a password.

  Correct Answer: C

• Question 1233:

  Refer to the exhibit.

  

  An extended ACL has been configured and applied to router R2. The configuration failed to work as intended.

  Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the 10.0.10.0/26 subnet while still allowing all other traffic? (Choose two.)

  A. Add a "permit ip any any" statement at the end of ACL 101 for allowed traffic.

  B. Add a "permit ip any any" statement to the beginning of ACL 101 for allowed traffic.

  C. The ACL must be moved to the Gi0/1 interface outbound on R2.

  D. The source and destination IPs must be swapped in ACL 101.

  E. The ACL must be configured the Gi0/2 interface inbound on R1.

  Correct Answer: AD

  All ACLs have a implicit deny at the end which blocks all traffic so we need to add a permit to allow that traffic through

• Question 1234:

  An email user has been lured into clicking a link in an email sent by their company's security organization. The webpage that opens reports that it was safe, but the link could have contained malicious code. Which type of security program is in place?

  A. user awareness

  B. brute force attack

  C. physical access control

  D. social engineering attack

  Correct Answer: A

  This is a training program which simulates an attack, not a real attack (as it says “The webpage that opens reports that it was safe”) so we believed it should be called a “user awareness” program. Therefore the best answer here should be “user awareness”. This is the definition of “User awareness” from CCNA 200-301 Offical Cert Guide Book:

  “User awareness: All users should be made aware of the need for data confidentiality to protect corporate information, as well as their own credentials and personal information. They should also be made aware of potential threats, schemes to mislead, and proper procedures to report security incidents. “

  Note: Physical access control means infrastructure locations, such as network closets and data centers, should remain securely locked.

• Question 1235:

  What is the primary difference between AAA authentication and authorization?

  A. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls that tasks the user can perform.

  B. Authentication controls the system processes a user can access, and authorization logs the activities the user initiates.

  C. Authentication verifies a username and password, and authorization handles the communication between the authentication agent and the user database.

  D. Authentication identifies a user who is attempting to access a system, and authorization validates the user's password.

  Correct Answer: A

  AAA stands for Authentication, Authorization and Accounting.

  1.

  Authentication: Specify who you are (usually via login username and password)

  2.

  Authorization: Specify what actions you can do, what resource you can access

  3.

  Accounting: Monitor what you do, how long you do it (can be used for billing and auditing) An example of AAA is shown below:

  -

  Authentication: “I am a normal user. My username/password is user_tom/learnforever“

  -

  Authorization: “user_tom can access LearnCCNA server via HTTP and FTP“

  -

  Accounting: “user_tom accessed LearnCCNA server for 2 hours“. This user only uses “show” commands.

• Question 1236:

  When configuring a WLAN with WPA2 PSK in the Cisco Wireless LAN Controller GUI, which two formats are available to select? (Choose two.)

  A. decimal

  B. ASCII

  C. hexadecimal

  D. binary

  E. base64

  Correct Answer: BC

  Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010001.html

• Question 1237:

  An engineer is asked to protect unused ports that are configured in the default VLAN on a switch. Which two steps will fulfill the request? (Choose two.)

  A. Configure the ports as trunk ports.

  B. Enable the Cisco Discovery Protocol.

  C. Configure the port type as access and place in VLAN 99.

  D. Administratively shut down the ports.

  E. Configure the ports in an EtherChannel.

  Correct Answer: CD

  C. Configuring the port type as access and placing the unused ports in a specific VLAN (such as VLAN 99) ensures that any connected devices will not have access to the default VLAN, thereby protecting it.

  D. Administratively shutting down the unused ports completely disables them, preventing any traffic from passing through and enhancing security. The other options are not directly related to protecting unused ports in the default VLAN:

  A. Configuring the ports as trunk ports is used for carrying multiple VLANs across a single link.

  B. Enabling the Cisco Discovery Protocol (CDP) is a network protocol used by Cisco devices for discovering and sharing information about neighboring devices.

  E. Configuring the ports in an EtherChannel is a technique for bundling multiple physical links into a logical link for increased bandwidth and redundancy.

• Question 1238:

  Refer to the exhibit.

  

  What is the effect of this configuration?

  A. The switch discards all ingress ARP traffic with invalid MAC-to-IP address bindings.

  B. All ARP packets are dropped by the switch.

  C. Egress traffic is passed only if the destination is a DHCP server.

  D. All ingress and egress traffic is dropped because the interface is untrusted.

  Correct Answer: A

  Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

• Question 1239:

  When a site-to-site VPN is used, which protocol is responsible for the transport of user data?

  A. IPsec

  B. IKEv1

  C. MD5

  D. IKEv2

  Correct Answer: A

  A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN means that two sites create a VPN tunnel by encrypting and sending data between two devices. One set of rules for creating a site-to-site VPN is defined by IPsec.

• Question 1240:

  Which type of wireless encryption is used for WPA2 in pre-shared key mode?

  A. AES-128

  B. TKIP with RC4

  C. AES-256

  D. RC4

  Correct Answer: A

  The shared key may be 256 bits long but the encryption is 128 bits. https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access#:~:text=Each%20wireless%20network%20device%20encrypts,to%2063%20printable%20ASCII%20characters.