Module 6 Flashcards

1
Q

The Cisco IOS resilient configuration feature allows for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in ____. The feature maintains a secure working copy of the router IOS image file and a copy of the running configuration file. These secure files cannot be removed by the user and are referred to as the primary bootset.

A

nonvolatile random-access memory (NVRAM).

2
Q

Here are a few facts about the Cisco IOS resilient configuration:

A

The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.

The feature secures the smallest working set of files to preserve persistent storage space.

No extra space is required to secure the primary Cisco IOS image file. The feature automatically detects image or configuration version mismatch.

Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.

The feature can be disabled only through a console session.

3
Q

To secure the IOS image and enable Cisco IOS image resilience, use the ____ global configuration mode command.

A

secure boot-image

4
Q

To take a snapshot of the router running configuration and securely archive it in persistent storage, use the ____ global configuration mode command.

A

secure boot-config

5
Q

Use the ____ command repeatedly to upgrade the configuration archive to a newer version after new configuration commands have been issued.

A

secure boot-config

6
Q

Secured files do not appear in the output of a ____ command that is issued from the CLI. This is because the Cisco IOS file system prevents secure files from being listed. The running image and running configuration archives are not visible in the ____ command output.

A

dir

7
Q

Use the ____ command to verify the existence of the archive.

A

show secure bootset

8
Q

The Primary Bootset Image

A

Step 1. Reload the router using the reload command. If necessary, issue the break sequence to enter ROM monitor (ROMmon) mode.

Step 2. From ROMmon mode, enter the dir command to list the contents of the device that contains the secure bootset file.

Step 3. Boot the router with the secure bootset image using the boot command followed by the flash memory location (e.g. flash0), a colon, and the filename found in Step 2.

Step 4. Enter global configuration mode and restore the secure configuration to a filename of your choice using the secure boot-config restore command followed by the flash memory location (e.g. flash0), a colon, and a filename of your choice. In the figure, the filename rescue-cfg is used.

Step 5. Exit global configuration mode and issue the copy command to copy the rescued configuration file to the running configuration.

9
Q

The Cisco IOS Resilient feature provides a method for securing the IOS image and configuration files locally on the device.

The _____ feature is used to remotely copy these files.

____ provides a secure and authenticated method for copying router configuration or router image files to a remote location.

A

Secure Copy Protocol (SCP)

10
Q

Secure Copy Protocol (SCP) relies on:

A

SSH to secure communication
AAA to provide authentication and authorization

10
Q

Use the following steps to configure a router for server-side SCP with local AAA: or

Configure Secure Copy

A

Step 1. Configure SSH, if not already configured.

Step 2. For local authentication, configure at least one local database user with privilege level 15.

Step 3. Enable AAA with the aaa new-model global configuration mode command.

Step 4. Use the aaa authentication login default local command to specify that the local database be used for authentication.

Step 5. Use the aaa authorization exec default local command to configure command authorization. In this example, all local users will have access to EXEC commands.

Step 6. Enable SCP server-side functionality with the ip scp server enable command.

10
Q

Recover a Router Password

A

Step 1. Connect to the console port.

Step 2. Use the show version command to display the configuration register setting and document the value (e.g., 0x2102).

Step 3. Power cycle the router.

Step 4. Issue the break sequence (e.g., CTRL-BREAK) to enter ROMMON mode.

Step 5. Change the default configuration register with the confreg 0x2142 command.

Step 6. Reboot the router by using the reset command in ROMMON mode.

Step 7. Press Ctrl-C to skip the initial setup procedure.

Step 8. Enter privileged EXEC mode.

Step 9. Copy the startup configuration to the running configuration using the copy startup-config running-config command.

Step 10. Verify the configuration.

Step 11. Change the enable secret password.

Step 12. Enable all interfaces using the no shutdown command.

Step 13. Return the configuration register setting to the original setting that was documented in Step 2 with the config-register global configuration command. On the next reboot, the router will use these settings and load the new startup configuration file that contains the changed password.

Step 14. Save the configuration changes.

11
Q

This command is a hidden Cisco IOS command and has no arguments or keywords. If a router is configured with the ____ command, all access to ROMmon mode is disabled.

A

no service password-recovery

11
Q

Released in IOS version 12.3, ____ is a feature that is initiated from the CLI and executes a script. ____ first makes recommendations for fixing security vulnerabilities and then modifies the security configuration of the router.

A

Cisco AutoSecure

11
Q

AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router. There are several management plane services and functions:

A

Secure BOOTP, CDP, FTP, TFTP, PAD, UDP, and TCP small servers, MOP, ICMP (redirects, mask-replies), IP source routing, Finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, and directed broadcast

Legal notification using a banner

Secure password and login functions

Secure NTP

Secure SSH access

TCP intercept services

12
Q

There are three forwarding plane services and functions that AutoSecure enables:

A

Cisco Express Forwarding (CEF)

Traffic filtering with ACLs

Cisco IOS firewall inspection for common protocols

13
Q

autosecure

A

Router# auto secure {no-interact | full} [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]

14
Q

OSPF supports routing protocol authentication using ____. ___ authentication can be enabled globally for all interfaces or on a per interface basis.

A

MD5

15
Q

Enable OSPF MD5 authentication globally:

A

ip ospf message-digest-key key md5 password interface configuration command.

area area-id authentication message-digest router configuration command.

This method forces authentication on all OSPF enabled interfaces. If an interface is not configured with the ip ospf message-digest-key command, it will not be able to form adjacencies with other OSPF neighbors.

16
Q

Enable MD5 authentication on a per interface basis:

A

ip ospf message-digest-key key md5 password interface configuration command.

ip ospf authentication message-digest interface configuration command.

17
Q

MD5 is now considered vulnerable to attacks and should only be used when stronger authentication is not available. Cisco IOS release 15.4(1)T added support for ____ authentication, as detailed in RFC 5709. Therefore, the administrator should use SHA authentication as long as all of the router operating systems support ____ authentication.

A

OSPF SHA

18
Q

OSPF SHA authentication includes two major steps. The syntax for the commands is shown in the figure:

Step 1. Specify an authentication key chain in global configuration mode:

Step 2. Use the following syntax to assign the authentication key to the desired interfaces with the ip ospf authentication key-chain command.

A

Configure a key chain name with the key chain command.

Router(config)# key chain name

Assign the key chain a number and a password with the key and key-string commands.

Router(config-keychain)# key key-id
Router(config-keychain-key)# key-string string

Specify SHA authentication with the cryptographic-algorithm command.

Router(config-keychain-key)# cryptographic-algorithm {hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512 | md5}

(Optional) Specify when this key will expire with the send-lifetime command.

Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds}

Step 2

Router(config)# interface type number
Router(config-if)# ip ospf authentication key-chain name

19
Q

Types of Management Access

When logging and managing information, the information flow between management hosts and the managed devices can take two paths:

A

In-band - Information flows across an enterprise production network, the internet, or both, using regular data channels.

Out-of-band (OOB) - Information flows on a dedicated management network on which no production traffic resides.

19
Q

OOB management guidelines are:

A

Provide the highest level of security.

Mitigate the risk of passing insecure management protocols over the production network.

20
Q

In-band management guidelines are:

A

Apply only to devices that need to be managed or monitored.

Use IPsec, SSH, or SSL when possible.

Decide whether the management channel needs to be open at all times.

21
Q

___ is a term used to describe a standard. It is also used to describe the protocol developed for that standard. The ____ protocol was developed for UNIX systems in the 1980s but was first documented as RFC 3164 by IETF in 2001.

A

Syslog

22
Q

Syslog uses ____ to send event notification messages across IP networks to event message collectors.

A

UDP port 514

23
Q

The syslog logging service provides three primary functions, as follows:

A

The ability to gather logging information for monitoring and troubleshooting

The ability to select the type of logging information that is captured

The ability to specify the destinations of captured syslog messages

24
Q

Popular destinations for syslog messages include the:

A

Logging buffer (RAM inside a router or switch)
Console line
Terminal line
Syslog server

25
Q

These messages are error messages about software or hardware malfunctions; these types of messages mean that the functionality of the device is affected. The severity of the issue determines the actual syslog level applied.

A

Emergency Level 0 - Warning Level 4:

26
Q

This notifications level is for normal, but significant events. For example, interface up or down transitions, and system restart messages are displayed at the notifications level.

A

Notification Level 5:

27
Q

This is a normal information message that does not affect device functionality. For example, when a Cisco device is booting, you might see the following informational message: %LICENSE-6-EULA_ACCEPT_ALL: The Right to Use End User License Agreement is accepted.

A

Informational Level 6:

28
Q

This level indicates that the messages are output generated from issuing various debug commands.

A

Debugging Level 7:

29
Q

System Unusable

A

Level 0 - Emergency

30
Q

Immediate Action Needed

A

Level 1 - Alert

31
Q

Critical Condition

A

Level 2 - Critical

32
Q

Error Condition

A

Level 3 - Error

33
Q

Warning Condition

A

Level 4 - Warning

34
Q

Normal, but Significant Condition

A

Level 5 - Notification

35
Q

Informational Message

A

Level 6 - Informational

36
Q

Debugging Message

A

Level 7 - Debugging

37
Q

Some common syslog message facility codes reported on Cisco IOS routers include:

A

IF - Identifies that the syslog message was generated by an interface.

IP - Identifies that the syslog message was generated by IP.

OSPF - Identifies that the syslog message was generated by the OSPF routing protocol.

SYS - Identifies that the syslog message was generated by the device operating system.

IPSEC - Identifies that the syslog message was generated by the IP Security encryption protocol.

38
Q

%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

A

%facility-severity-MNEMONIC: description

39
Q

Use the command ___ to force logged events to display the date and time

A

service timestamps log datetime

40
Q

Syslog implementations always contain two types of systems:

A

Syslog servers - Also known as log hosts, these systems accept and process log messages from syslog clients.

Syslog clients - Routers or other types of equipment that generate and forward log messages to syslog servers.

41
Q

Also known as log hosts, these systems accept and process log messages from syslog clients.

A

Syslog servers -

42
Q

Routers or other types of equipment that generate and forward log messages to syslog servers.

A

Syslog clients -

43
Q

Configure system logging: or Syslog Configuration

A

Step 1. Set the destination logging host using the logging [host] command.

Router(config)# logging host [hostname | ip-address]

Step 2. (Optional) Set the log severity (trap) level using the logging trap command.

Router(config)# logging trap level

Step 3. (Optional) Set the source interface using the logging source-interface command.

Router(config)# logging source-interface interface-type interface-number

Step 4. (Optional) Enable logging to all enabled destinations with the logging on command.

Router(config)# logging on

44
Q

This identifies a device providing the most authoritative time source. ____ devices including atomic and GPS clocks are the most accurate authoritative time sources.

____ devices are non-network high-precision timekeeping devices assumed to be accurate and with little or no delay associated with them. In the figure, they are represented by the clock icon.

A

NTP Stratum 0

45
Q

____ devices are network devices that are directly connected to the authoritative time sources. They function as the primary network time standard to stratum 2 devices.

A

NTP Stratum 1

46
Q

NTP stratum 2 servers are connected on a network to a stratum 1 device. Stratum 2 devices are NTP clients and synchronize their time by using the NTP packets from a stratum 1 server such as a router. They in turn can be NTP servers for stratum 3 devices.

NTP stratum levels are based on a scale of 0 (highest stratum level) to 15 (lowest stratum level).

NTP servers in the same stratum level can be configured as peers to provide redundant time sources for clients or to synchronize each other.

A

True

47
Q

The maximum stratum hop count is ___ . Note that an NTP client that is not synchronized with a server is assigned a stratum __ level.

A

15 (i.e., 0 – 15) ; 16

48
Q

Before NTP is configured on the network, the ____ command displays the current time on the software clock.

A

show clock

49
Q

With the ____ option, notice that the time source is user configuration. That means the time was manually configured with the ____ command.

A

detail ; clock

50
Q

A local network device could be selected as the NTP authoritative time source using the ____ global configuration command.

A

ntp master [stratum]

51
Q

The ____ and ____ commands are used to verify

A

show ntp associations ; show ntp status

52
Q

The SNMP system consists of three elements:

A

SNMP manager
SNMP agents (managed node)
Management Information Base (MIB)

53
Q

The SNMP manager is part of a ____

A

network management system (NMS)

54
Q

The SNMP manager can collect information from an SNMP agent by using the ____ action.

A

“get”

55
Q

It can change configurations on an agent by using the ____ action.

A

“set”

56
Q

In addition, SNMP agents can forward information directly to a network manager by using ____.

A

“traps”.

57
Q

The SNMP manager polls the agents and queries the MIB for SNMP agents on ____.

SNMP agents send any SNMP traps to the SNMP manager on ____.

A

UDP port 161 ; UDP port 162.

58
Q

There are two primary SNMP manager requests:

A

get request - Used by the NMS to query the device for data.

set request - Used by the NMS to change configuration variables in the agent device. A set request can also initiate actions within a device. For example, a set request can cause a router to reboot, send a configuration file, or receive a configuration file.

59
Q

Retrieves a value from a specific variable.

A

get-request

60
Q

Retrieves a value from a variable within a table; the SNMP manager does not need to know the exact variable name. A sequential search is performed to find the needed variable from within a table.

A

get-next-request

61
Q

Retrieves large blocks of data, such as multiple rows in a table, that would otherwise require the transmission of many small blocks of data. (Only works with SNMPv2 or later.)

A

get-bulk-request

62
Q

Replies to a get-request, get-next-request, and set-request sent by an NMS.

A

get-response

63
Q

Stores a value in a specific variable.

A

set-request

64
Q

The SNMP agent responds to SNMP manager requests as follows:

A

Get an MIB variable - The SNMP agent performs this function in response to a GetRequest-PDU from the network manager. The agent retrieves the value of the requested MIB variable and responds to the network manager with that value.

Set an MIB variable - The SNMP agent performs this function in response to a SetRequest-PDU from the network manager. The SNMP agent changes the value of the MIB variable to the value specified by the network manager. An SNMP agent reply to a set request includes the new settings in the device.

65
Q

The MIB organizes variables hierarchically. MIB variables enable the management software to monitor and control the network device. Formally, the MIB defines each variable as an object ID (OID). OIDs uniquely identify managed objects in the MIB hierarchy.

A

True

66
Q

There are several versions of SNMP:

A

SNMPv1 - This is the Simple Network Management Protocol, a Full Internet Standard, that is defined in RFC 1157.

SNMPv2c - This is defined in RFCs 1901 to 1908. It uses a community-string-based Administrative Framework.

SNMPv3 - This is an interoperable standards-based protocol originally defined in RFCs 2273 to 2275. It provides secure access to devices by authenticating and encrypting packets over the network. It includes these security features: message integrity to ensure that a packet was not tampered with in transit, authentication to determine that the message is from a valid source, and encryption to prevent the contents of a message from being read by an unauthorized source.

67
Q

Level - noAuthNoPriv

Authentication - Community string

Encryption - No

Result - Uses a community string match for authentication.

A

SNMPv1 and SNMPv2

68
Q

Level - noAuthNoPriv

Authentication - Username

Encryption - No

Result - Uses a username match for authentication (an improvement over SNMPv2c).

A

SNMPv3 noAuthNoPriv

69
Q

Level - authNoPriv

Authentication - Message Digest 5 (MD5) or Secure Hash Algorithm (SHA)

Encryption - No

Result - Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

A

SNMPv3 authNoPriv

70
Q

Level - authPriv (requires the cryptographic software image)

Authentication - MD5 or SHA

Encryption - Data Encryption Standard (DES) or Advanced Encryption Standard (AES)

Result - Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Allows specifying the User-based Security Model (USM) with these encryption algorithms:

DES 56-bit encryption in addition to authentication based on the CBC-DES (DES-56) standard

3DES 168-bit encryption

AES 128-bit, 192-bit, or 256-bit encryption

A

SNMPv3 authPriv

71
Q

SNMPv3 provides three security features:

A

Message integrity and authentication - Ensures that a packet has not been tampered with in transit, and is from a valid source.

Encryption - Scrambles the contents of a packet to prevent it from being seen by an unauthorized source.

Access control - Restricts each principal to certain actions on specific portions of data.

72
Q

SNMPv3 Security Configuration

A

Step 1. Configure an ACL that will permit access to authorized SNMP managers.

Router(config)# ip access-list standard acl-name
Router(config-std-nacl)# permit source_net

Step 2. Configure an SNMP view with the snmp-server view command to identify the MIB OIDs that the SNMP manager will be able to read. Configuring a view is required to limit SNMP messages to read-only access.

Router(config)# snmp-server view view-name oid-tree

Step 3. Configure SNMP group features with the snmp-server group command:

Configure a name for the group.
Set the SNMP version to 3 with the v3 keyword.
Require authentication and encryption with the priv keyword.
Associate a view to the group and give it read only access with the read command.
Specify the ACL configured in Step 1.

Router(config)# snmp-server group group-name v3 priv read view-name access [acl-number | acl-name]

Step 4. Configure SNMP group user features with the snmp-server user command:

Configure a username and associate the user with the group name configured in Step 3.
Set the SNMP version to 3 with the v3 keyword.
Set the authentication type to either md5 or sha and configure an authentication password. SHA is preferred and should be supported by the SNMP management software.
Require encryption with the priv keyword and configure an encryption password.

Router(config)# snmp-server user username group-name v3 auth {md5 | sha} auth-password priv {des | 3des | aes {128 | 192 | 256}} priv-password

73
Q

What service or protocol does the Secure Copy Protocol rely on to ensure that secure copy transfers are from authorized users?

A

Secure Copy Protocol (SCP) is used to securely copy IOS images and configuration files to a SCP server. To perform this, SCP will use SSH connections from users authenticated through AAA.

74
Q

When password recovery on a router is being performed and the settings in NVRAM have been bypassed, which step should be taken next?

A

The password recovery procedures for Cisco devices follow the same principle:

Step 1. Enter the ROMMON mode.
Step 2. Change the config-reg to 0x2142 to ignore the startup config file.
Step 3. Make necessary changes to the original startup config file.
Step 4. Save the new configuration.

75
Q

Which protocol or service is used to automatically synchronize the software clocks on Cisco routers?

A

Network Time Protocol (NTP) is used to allow network devices to synchronize their time settings with a centralized time server. DHCP (Dynamic Host Configuration Protocol) is a protocol which assigns IP addresses to hosts. DNS (Domain Name System) is a service which resolves host names to IP addresses. SNMP (Simple Network Management Protocol) is a protocol which allows administrators to manage network nodes.

76
Q

A network engineer wants to synchronize the time of a router with an NTP server at the IPv4 address 209.165.200.225. The exit interface of the router is configured with an IPv4 address of 192.168.212.11. Which global configuration command should be used to configure the NTP server as the time source for this router?

A

The global configuration command ntp server ip-address will set the server at that address as the time source for the router. The ntp peer command, which enables a router to both update the time of another similarly configured router and synchronize with that router if necessary, is not appropriate in this case.

ntp server 209.165.200.225

77
Q

What are three functions provided by the syslog service? (Choose three.)

A

There are three primary functions provided by the syslog service:

gathering logging information

selection of the type of information to be logged

selection of the destination of the logged information

78
Q

Which service should be disabled on a router to prevent a malicious host from falsely responding to ARP requests with the intent to redirect the Ethernet frames?

A

Proxy ARP is a technique used on a device on a network to answer ARP queries for a device on another network. This service should be disabled on a router and the correct default gateway address should be configured (manually or by DHCP) for the normal process of remote network access. CDP and LLDP are device discovery protocols. Reverse ARP is used to resolve IP addresses.

79
Q

What is the purpose of issuing the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router?

A

To configure OSPF MD5 authentication globally, the ip ospf message-digest-key key md5 password interface configuration command and the area area-id authentication message-digest router configuration command are issued. To configure OSPF MD5 authentication per interface, the ip ospf message-digest-key key md5 password interface configuration command and the ip ospf authentication message-digest interface configuration command are issued. Authentication does not encrypt OSPF routing updates. The requirements to establish OSPF router neighbor adjacencies are separate from authentication.

80
Q

Which service is enabled on a Cisco router by default that can reveal significant information about the router and potentially make it more vulnerable to attack?

A

CDP is a Cisco proprietary protocol that gathers information from other connected Cisco devices, and is enabled by default on Cisco devices. LLDP is an open standard protocol which provides the same service. It can be enabled on a Cisco router. HTTP and FTP are Application Layer protocols that do not collect information about network devices.

81
Q

Which statement describes SNMP operation?

A

An SNMP agent that resides on a managed device collects and stores information about the device and its operation. This information is stored by the agent locally in the MIB. An NMS periodically polls the SNMP agents that are residing on managed devices by using the get request to query the devices for data.

82
Q

When SNMPv1 or SNMPv2 is being used, which feature provides secure access to MIB objects?

A

SNMPv1 and SNMPv2 use community strings to control access to the MIB. SNMPv3 uses encryption, message integrity, and source validation.

83
Q

What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)

A

Enabling OSPF routing protocol authentication prevents data traffic from being redirected to an insecure link or being discarded. It does not provide faster network convergence, more efficient routing, or encryption of data traffic.

84
Q

What are SNMP trap messages?

A

A GET request is a message that is used by the NMS to query the device for data. A SET request is a message that is used by the NMS to change configuration variables in the agent device. An NMS periodically polls the SNMP agents residing on managed devices, by querying the device for data by using the GET request.

85
Q

Which technology allows syslog messages to be filtered to different devices based on event importance?

A

Syslog severity levels provide the ability for an administrator to filter out log messages. Syslog service timestamps provide the capability for log messages to be time-stamped. Syslog facilities and service identifiers provide administrators with an event identification and categorization system.

86
Q

What is a characteristic of the Cisco IOS Resilient Configuration feature?

A

The Cisco IOS Resilient Configuration feature maintains a secure working copy of the router IOS image file and a copy of the running configuration file. The secure boot-image command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. The secure boot-config command has to be used repeatedly to upgrade the configuration archive to a newer version after new configuration commands have been issued. A snapshot of the router running configuration can be taken and securely archived in persistent storage using the secure boot-config command.

87
Q

known collectively as the bootset files

A

Startup configuration files
