SSH

Question 1

T/F: By default, no password is needed to access the CLI of a Cisco device via console port

Answer 1

T

Question 2

T/F: By default, the password needed to access the Cisco CLI is ‘password’

Answer 2

F

By default, there is no password needed to access the CLI via console port

Question 3

T/F: You can configure a password on the console line, which means that a user will have to enter a password to access the CLI via console port

Answer 3

T

Question 4

How many console lines are there on a Cisco IOS device

Answer 4

1

Question 5

What is the series of commands to enable a password for the CLI via console port

Answer 5

line console 0

password {password}

login

Question 6

What is the series of commands to require users to login using a configured username on the console port

Answer 6

username {username} secret {password}

line console 0

login local

Question 7

What is the command to log a user out after a certain amount of inactivity on a console line

Answer 7

exec-timeout {mins} {seconds}

Question 8

T/F: You can assign an IP address to an SVI to allow remote connections to the switch CLI

Answer 8

T

Question 9

T/F: You can only assign an IP address for remote switch management on L3 switches

Answer 9

F

You can assign an IP address to an SVI on L2 only switches to facilitate remote SSH management

Question 10

T/F: You don’t need to configure a default gateway on a switch for remote SSH management

Answer 10

F

You should always configure a default gateway for this

Question 11

What is the command to assign a default gateway for an L2 Cisco Switch

Answer 11

ip default-gateway [ip-addr]

Question 12

What is the series of commands to assign an IP address to an SVI

Answer 12

interface [svi]
ip address [ip-addr] [subnet-mask]
no shutdown

Question 13

T/F: Telnet is more secure than SSH and should be used instead

Answer 13

F

Telnet is unencrypted and should never be used as it is a security risk

Question 14

T/F: Telnet is unencrypted and should never be used for remote management

Answer 14

T

Question 15

T/F: Telnet is insecure and should be disabled for network management

Answer 15

T

Question 16

What is the protocol and port which a telnet server listens for telnet traffic on

Answer 16

TCP 23

Question 17

List the series of commands for configuring Telnet access on a switch

Answer 17

1. enable secret password
2. username username secret password
3. access-list 1 permit host host-ip
4. line vty 0 15
5. login local
6. exec-timeout minutes seconds
7. transport input telnet
8. access-class 1 in

Question 18

What does VTY stand for

Answer 18

Virtual TeleType

Question 19

What is the command to specify which protocols are allowed to connect to a VTY line

Answer 19

transport input { telnet | ssh | telnet ssh | all | none }

Question 20

What is the difference between the access-class and ip access-group commands

Answer 20

access-class applies an ACL to VTY lines

ip access-group applies an ACL to an interface

Question 21

T/F: SSH is unencrypted and should never be used for remote switch management

Answer 21

F

Question 22

What protocol and port does SSH use

Answer 22

TCP 22

Question 23

T/F: Not all IOS versions support SSH, you should ensure that your version does before configuring SSH

Answer 23

T

IOS images that support SSH will have ‘K9’ in the version name.

Question 24

What is the command to view an overview of SSH information on a device

Answer 24

sh ip ssh

Question 25

T/F: Cisco IOS automatically generates RSA public and private key pairs for SSH on boot

Answer 25

F This must be done manually as part of SSH configuration

Question 26

What is the series of actions required for configuring SSH RSA keys

Answer 26

1. Configure domain name of the switch w/ FQDN 2. Generate the RSA key

Question 27

What is the series of commands required for configuring SSH RSA keys

Answer 27

1. **ip domain name** *fqdn* 2. **crypto key generate rsa modulus** *length* (length must be > 768 bits)

Question 28

What is the series of steps for configuring SSH access on a Cisco device

Answer 28

1. Configure hostname 2. Configure DNS domain name 3. Generate RSA key pair 4. Configure enable PW, username/PW 5. Enable SSH (v2 only) 6. Configure VTY lines

Question 29

What is the series of commands for configuring SSH access on a Cisco device

Answer 29

1. ip default gateway 2. line con 0 3. line vty 0 15 4. crypto key generate rsa 5. ip ssh version 2 6. login local 7. transport input [protocols | all | none] 8. exec-timeout *minutes* *sec* 9. access-class *acl* in

Question 30

You issue the **crypto key generate rsa** command on a Cisco router, but the command is rejected. Which of the following might be the cause? (select multiple) a) A host name hasn't been configured b) The **ip ssh version 2** command hasn't been configured c) The **transport input ssh** command hasn't been configured d) Only switches can generate RSA keys e) A DNS domain name hasn't been configured f) SSH version 1.99 is enabled

Answer 30

A and E

Question 31

Which of the following commands would allow both Telnet and SSH to be used to connect to the VTY lines of a device (select 2) a) transport input default b) transport input none c) transport input telnet ssh d) transport input all

Answer 31

C and D

Question 32

You want to allow only 192.168.1.1 to connect to R1 via SSH. Which configs need to be made to accomplish this?

Answer 32

1. Create an ACL that only allows traffic on port 22 from 192.168.1.1 2. Apply the ACL to all in traffic on all VTY lines

Question 33

Which of the following statements about SSH are true? (pick 2) a) RSA keys are optional but recommended b) K9 IOS images support SSH c) SSH version 1.99 was released between version 1 and 2 d) SSH sends data in plain text e) NPE IOS images support SSH f) A key length of at least 768 bits is required for SSHv2

Answer 33

B and F

Question 34

A network admin using PC1 is remotely configuring SW1 by connecting to the CLI of SW1 via SSH. What is the role of SW1 in this situation? a) SSH peer b) SSH server c) SSH client d) None of the above

Answer 34

B

Question 35

You want to configure SSH for incoming VTY connections on a router with the host name Router1. Router1 is running a K9 IOS image but has not yet been configured with a domain name or RSA key pair. In addition, the VTY lines are not yet configured to accept incoming SSH connections. You issue the **crypto key generate rsa** command from global configuration mode. Which of the following messages will you most likely receive? a) The name for the keys will be: b) Please define a domain-name first c) Please create RSA keys to enable SSH d) Please define a hostname other than Router e) Please enable SSH version 2

Answer 35

B

Question 36

Which of the following commands automatically enables SSH on a router? a) enable secret b) no transport input telnet c) crypto key zeroize rsa d) transport input ssh e) crypto key generate rsa

Answer 36

e) crypto key generate rsa

Question 37

What is the command to remove RSA keys from a router?

Answer 37

**crypto key zeroize rsa**

Question 38

You've done zero SSH setup on a new router so far. You issue the **ip ssh time-out 60** command, what is the message you are likely to receive?

Answer 38

Please create RSA keys to enable SSH