Correct Answers :

[B,D]

Explanation :

Unicast Reverse Path Forwarding (uRPF) can help prevent IP spoofing attacks by checking the source IP address of received traffic and verifying that the traffic is arriving on the interface that would be used to send traffic to that IP address. ACLs can also be used to help prevent IP spoofing attacks by denying traffic coming in on an interface having a source address that lives off of a different interface.
AAA is a technology that is used to authenticate users, authorize what they can do, and keep a log of what they did. However, AAA does not protect against IP spoofing attacks. CAR (Committed Access Rate) is a legacy quality of service (QoS) policing mechanism that does not protect against IP spoofing.

Correct Answers :

[B]

Explanation :

Hot Standby Router Protocol (HSRP) is a first-hop redundancy protocol that provides router redundancy. Specifically, HSRP can have two or more routers capable of servicing a single IP address, and that IP address can be used as the default gateway IP address for devices residing on a subnet connected to the HSRP routers. SNMP is a network management protocol. AAA is a technology that is used to authenticate users, authorize what they can do, and keep a log of what they did. TACACS+ is a type of server that can be used with AAA.

Correct Answers :

[B,C]

Explanation :

A periodic time-based ACL can specify a recurring time period during which the ACL will be active. An absolute time-based ACL can specify a specific starting and ending time and date (or just an ending time and date). A reflexive ACL contains temporary entries that are created when a session begins. There is no “adaptive” ACL.

Correct Answers :

[D]

Explanation :

An infrastructure ACL is typically an extended ACL that is applied to routers residing on the outer edges of an enterprise network. The primary purpose of this ACL is to prevent malicious traffic from entering the enterprise. A time-based ACL is an ACL that specifies a time period during which the ACL is active. A reflexive ACL contains temporary entries that are created when a session begins. “Absolute” is a type of time-based ACL.

Correct Answers :

[A, C]

Explanation :

Of the options listed, only host name and domain name are used by a router when generating an RSA key pair.

Correct Answers :

[D]

Explanation :

Type 7 password encryption is a very weak encryption, and it uses the Vigenere cipher. A Type 0 password has no encryption. A Type 4 password is represented by an SHA-256 hash value, and a Type 5 password is represented by an MD5 hash value

Correct Answers :

[B]

Explanation :

Unicast Reverse Path Forwarding (uRPF) has three modes of operation: strict mode , loose mode , and VRF mode . In strict mode, a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router’s FIB, but the packet must also be arriving on the same interface that the router would use to send traffic back to that IP address. In loose mode, a router only verifies that the source IP address of the packet is reachable, based on the router’s FIB. VRF mode is similar to loose mode, in that the source IP addresses are checked against the FIB of a specific VRF. There is no auto or desirable uRPF mode.

Correct Answers :

[B,D]

Explanation :

TACACS+ and RADIUS are each protocols that can be used by a AAA server. TACACS+ uses TCP, while RADIUS uses UDP. TACACS+ encrypts an entire packet, while RADIUS only encrypts a password. TACACS+ offers basic accounting functionality. However, RADIUS offers robust accounting. Also, TACACS+ is a Cisco-proprietary protocol, while RADIUS is an open standard protocol.

Correct Answers :

[A, C]

Explanation :

Cisco IOS supports both plain text and hashing authentication for neighboring routers to authenticate themselves to one another. Plain text authentication sends a shared secret key across a network in clear text. However, hashing authentication sends the hash value of a key across a network, as opposed to the key itself. Therefore, hashing authentication is considered more secure. There is no support for two-factor or biometric authentication to authenticate neighboring routers.

Correct Answers :

[C]

Explanation :

A key string specifies a preshared key to be used between routers. Therefore, the key string must match on two routers for them to mutually authenticate. The key chain name and key number values are locally significant and do not have to match on a neighboring router. Also, as long as a matching key on each router is currently active, the specific send and receive lifetimes do not have to match on mutually authenticating routers.

Correct Answers :

[B, C]

Explanation :

Plain text authentication is not supported by Named EIGRP, nor is Password Authentication Protocol (PAP), which might be found on WAN connections using the Point-to-Point Protocol (PPP). Named EIGRP does support both MD5 and SHA hashing authentication. Traditional EIGRP does not support SHA hashing authentication, but does support MD5 hashing authentication.

Correct Answers :

[A]

Explanation :

A key chain, which consists of one or more key numbers each of which can be assigned a key string, can be viewed with the show key chain Cisco IOS command. None of the other options are valid Cisco IOS commands.

Correct Answers :

[B]

Explanation :

OSPF can have authentication enabled at the area level (in router configuration mode) or at the interface level (in interface configuration mode). The question states that authentication is functioning and is using MD5 hashing, but there is no area 0 authentication message-digest command in router configuration mode. Therefore, OSPF MD5 authentication must be enabled in interface configuration mode, which is done with the ip ospf authentication message-digest command.

Correct Answers :

[A, B]

Explanation :

Authentication is not a feature natively built into OSPFv3. However, OSPFv3 can leverage IPsec for authentication (and even encryption). As a result, both the MD5 and SHA hashing algorithms can be used. Plain text authentication is not supported by OSPFv3, nor is Password Authentication Protocol (PAP), which might be found on WAN connections using the Point-to-Point Protocol (PPP).

Correct Answers :

[C]

Explanation :

BGP only supports MD5 for neighbor authentication. Neither plain text nor SHA is supported, and Diffie Hellman Group 1 is an approach to exchanging shared secret keys over an untrusted network.

Correct Answers :

[C]

Explanation :

Unlike OSPF and EIGRP, which can dynamically find neighbors through multicast, BGP requires neighbors to be statically configured. Therefore, BGP is less susceptible to a malicious user adding a router to a network and using that router to corrupt the routing table of production routers. However, after a session (which is TCPbased) is established between two BGP neighbors, a malicious user could attempt to do session hijacking to take over the existing BGP neighborship.

Correct Answers :

[A]

Explanation :

The show ip ospf database external command displays information only about external LSAs (Type 5 LSAs). Below is an example of the show ip ospf database external command Notice the line LS Type: AS External Link, which means LSA Type 5. For your information, the Link State ID: 143.105.0.0 indicates the network being advertised; the Advertising Router: 10.187.70.6 indicates the router that originated this LSA.

Correct Answers :

[B]

Explanation :

The point of this question is about the redistribution of OSPF. To redistribute routes from one routing domain into another routing domain, use the redistribute command in router configuration mode. redistribute protocol [process-id] {level- 1 | level-1-2 | level-2} [as-number] [metric {metric-value | transparent}] [metric-type type- value] [match {internal | external 1 |
external 2}] [tag tag-value] [route-map map-tag] [subnets] The subnets keyword tells OSPF to redistribute all subnet routes. Without the subnets keyword, only networks that are not subnetted are redistributed by OSPF.

Correct Answers :

[B]

Explanation :

Correct Answers :

[A, D]

Explanation :

In an OSPF Point-to-Multipoint environment, DB/BDR elections do not take place. The neighbor command became somewhat obsolete with the introduction of the capability to configure other network modes for the interface, regardless of the underlying physical topology. Reference: Building Scalable Cisco Networks (Cisco Press) page 130 and 181 Point-to-Multipoint Network: Point-to-multipoint is a single interface that connects to multiple destinations. The underlying network treats the network as a series of point-to-point circuits. It replicates LSA packets for each circuit. OSPF traffic is sent as multicast. There is no DR or BDR election. This technology uses one IP subnet for all endpoints on the network.
By default, the network is considered to be a series of point-to-point interfaces. There is no need to specify neighbors, because the neighbors will see each other and simply become adjacent, with no need for the election of a DR or a BDR. Point-to-multipoint does not try to reduce adjacencies using a DR. Instead, it accepts the extra overhead of having a full set of adjacencies for the sake of stability. Point-to-multipoint forms an adjacency automatically along any PVC, which causes more overhead but is more resilient than NBMA.