Exam A
QUESTION 1
Into which two types of areas would an area border router (ABR) inject a default route? (Choose two.)
A. the autonomous system of a different interior gateway protocol (IGP)
B. area 0
C. totally stubby
D. NSSA
E. stub
F. the autonomous system of an exterior gateway protocol (EGP)

Correct Answer: CE
QUESTION 2
Refer to the exhibit. If VLAN 21 does not exist before typing the commands, what is the result of the
configuration applied on switch SW1?

A. A new VLAN 21 is created and port 0/8 is assigned to that VLAN.
B. A new VLAN 21 is created, but no ports are assigned to that VLAN.
C. No VLAN 21 is created and no ports are assigned to that VLAN.
D. Configuration command vlan database should be used first to create the VLAN 21.

Correct Answer: A
QUESTION 3
Which three statements are true regarding Cisco IOS Firewall configurations? (Choose three.)
A. An IP inspection rule can be applied in the inbound direction on a secured interface.
B. An IP inspection rule can be applied in the outbound direction on an unsecured interface.
C. An ACL that is applied in the outbound direction on an unsecured interface must be an extended ACL.
D. An ACL that is applied in the inbound direction on an unsecured interface must be an extended ACL.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning
traffic must be a standard ACL.
F. For temporary openings to be created dynamically by Cisco IOS Firewall, an IP inspection rule must be
applied to the secured interface.

Correct Answer: ABD
QUESTION 4
The ip inspect inspection-name {in | out} command is used to configure which IOS security feature?
A. IPS
B. IPsec site-to-site VPN
C. Cisco IOS Firewall
D. Cisco AutoSecure
E. IDS
F. Easy VPN

Correct Answer: C
QUESTION 5
Refer to the exhibit. Which statement about this configuration is true?

A. ACL 101 needs to have at least one permit statement in it or it will not work properly.
B. The ip inspect test out command needs to be used instead of the ip inspect test in command to make the
configuration work.
C. Ethernet 0 is the trusted interface and Ethernet 1 is the untrusted interface.
D. Ethernet 0 needs an inbound access list to make the configuration work.
E. Ethernet 0 needs an outbound access list to make the configuration work.

Correct Answer: C
QUESTION 6
What is the purpose of an explicit “deny any” statement at the end of an ACL?
A. none, since it is implicit
B. to enable Cisco IOS IPS to work properly; however, it is the deny all traffic entry that is actually required
C. to enable Cisco IOS Firewall to work properly; however, it is the deny all traffic entry that is actually
required
D. to allow the log option to be used to log any matches
E. to prevent SYN flood attacks
F. to prevent half-opened TCP connections

Correct Answer: D
QUESTION 7
Which Cisco IOS feature can be used to defend against spoofing attacks?
A. Cisco IOS Firewall (CBAC)
B. lock-and-key ACL and/or reflexive ACL
C. IP Source Guard and/or Unicast RPF
D. TCP Intercept
E. Cisco IOS IPS
F. Auth-Proxy

Correct Answer: C
QUESTION 8
Which of these is mandatory when configuring Cisco IOS Firewall?
A. Cisco IOS IPS enabled on the untrusted interface
B. NBAR enabled to perform protocol discovery and deep packet inspection
C. a route map to define the trusted outgoing traffic
D. a route map to define the application inspection rules
E. an inbound extended ACL applied to the untrusted interface

Correct Answer: E
QUESTION 9
For an MPLS label, if the stack bit is set to 1, which of these is correct?
A. The stack bit is reserved for future use.
B. The label is the last entry in the label stack.
C. The stack bit will only be used when LDP is the label distribution protocol.
D. The stack bit is for Cisco implementations exclusively and will only be used when TDP is the label
distribution protocol.
E. The label is the top entry in the label stack and will remain set to 1 until the last entry, the bottom label, is
reached.

Correct Answer: B
QUESTION 10
Which statement correctly describes the disabling of IP TTL propagation in an MPLS network?
A. The TTL field from the IP packet is copied into the TTL field of the MPLS label header at the ingress edge
LSR.
B. TTL propagation cannot be disabled in an MPLS domain.
C. TTL propagation is only disabled on the ingress edge LSR.
D. The TTL field of the MPLS label header is set to 255.
E. The TTL field of the IP packet is set to 0.

Correct Answer: D