[Free] 2019(Nov) EnsurePass Cisco 300-115 Dumps with VCE and PDF 121-130

Get Full Version of the Exam

Question No.121

Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?

  1. Dynamic ARP Inspection

  2. storm control

  3. VTP pruning

  4. DHCP snooping

Correct Answer: A

Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
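The forwarding decision described above, modelled in Python as an added example (this is not code from the page or from Cisco). It assumes the binding database is keyed on VLAN, MAC and IP and that DAI checks the ARP sender pair, which is the core check; ARP ACLs for statically addressed hosts, rate limiting and the optional extra validation checks are left out. The binding table, trust settings and ARP packets are constructed sample data.

```python
"""Dynamic ARP Inspection (DAI) modelled in Python: an ARP packet from an
untrusted port is forwarded only if its sender IP/MAC pair matches an entry
for that VLAN in the DHCP snooping binding database.

Added example, not from the page or Cisco. All data below is constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff or aa-bb-... and return Cisco dotted form."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding database (IP, MAC, VLAN, port)."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    ingress: str     # switch port the ARP frame arrived on
    vlan: int
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address


# Constructed binding database, as DHCP snooping would have learned it.
BINDING_DB: List[Binding] = [
    Binding("10.1.20.11", "0010.0de0.e289", 20, "FastEthernet0/1"),
    Binding("10.1.20.12", "0010.7b00.1540", 20, "FastEthernet0/5"),
]

# Constructed trust state: only the uplink towards the DHCP server is trusted.
TRUSTED_PORTS: Set[str] = {"GigabitEthernet0/1"}


def dai_decision(pkt: ArpPacket, bindings: Iterable[Binding],
                 trusted: Set[str]) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one ARP packet."""
    if pkt.ingress in trusted:
        # Trusted interface: DAI forwards without consulting the database.
        return "forward", "trusted interface, not inspected"
    mac = normalize_mac(pkt.sender_mac)
    for b in bindings:
        if b.vlan == pkt.vlan and b.mac == mac and b.ip == pkt.sender_ip:
            return "forward", f"matches binding learned on {b.interface}"
    # No binding for this VLAN/IP/MAC: the packet is invalid and is dropped.
    return "drop", f"no binding for {pkt.sender_ip}/{mac} in VLAN {pkt.vlan}"


# Constructed traffic: a legitimate host, a host claiming the gateway's
# address without a binding, and a frame arriving on the trusted uplink.
SAMPLE_PACKETS: List[ArpPacket] = [
    ArpPacket("FastEthernet0/1", 20, "00:10:0d:e0:e2:89", "10.1.20.11"),
    ArpPacket("FastEthernet0/5", 20, "0010.7b00.1540", "10.1.20.1"),
    ArpPacket("GigabitEthernet0/1", 20, "0000.0c07.ac14", "10.1.20.1"),
]


def inspect_all(packets: Iterable[ArpPacket]) -> List[str]:
    """Apply DAI to each packet and return just the verdicts, in order."""
    return [dai_decision(p, BINDING_DB, TRUSTED_PORTS)[0] for p in packets]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, why = dai_decision(pkt, BINDING_DB, TRUSTED_PORTS)
        print(f"{pkt.ingress:18} {pkt.sender_ip:12} -> {verdict:7} ({why})")
```

The second sample packet is the case the feature exists for: the MAC is in the database, but paired with a different IP, so the claim is rejected. Note that the trusted uplink is never inspected, which is why trust should be limited to ports facing the DHCP server and other switches running snooping.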

Question No.122

Which command creates a login authentication method named "login" that will primarily use RADIUS and fail over to the local user database?

  1. (config)# aaa authentication login default radius local

  2. (config)# aaa authentication login login radius local

  3. (config)# aaa authentication login default local radius

  4. (config)# aaa authentication login radius local

Correct Answer: B


In the command "aaa authentication login login radius local" the second login is the name of the AAA method. It also lists radius first then local, so it will primarily use RADIUS for authentication and fail over to the local user database only if the RADIUS server is unreachable.

Question No.123

Which authentication service is needed to configure 802.1x?

  1. RADIUS with EAP Extension


  3. RADIUS with CoA

  4. RADIUS using VSA

Correct Answer: A


With 802.1x, the authentication server performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2940/software/release/12-1_19_ea1/configuration/guide/2940scg_1/sw8021x.pdf

Question No.124

Which feature describes MAC addresses that are dynamically learned or manually configured, stored in the address table, and added to the running configuration?

  1. sticky

  2. dynamic

  3. static

  4. secure

Correct Answer: A


With port security, you can configure MAC addresses to be sticky. These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, it is not recommended.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.pdf

Question No.125

When you configure private VLANs on a switch, which port type connects the switch to the gateway router?

  1. promiscuous

  2. community

  3. isolated

  4. trunked

Correct Answer: A


There are mainly two types of ports in a Private VLAN: the promiscuous port (P-Port) and the host port. Host ports are further divided into two types: isolated ports (I-Ports) and community ports (C-Ports).

Reference: http://en.wikipedia.org/wiki/Private_VLAN

Question No.126

SWITCH.com is an IT company that has an existing enterprise network comprised of two Layer 2-only switches, DSW1 and ASW1. The topology diagram indicates their Layer 2 mapping. VLAN 20 is a new VLAN that will be used to provide the shipping personnel access to the server.

Corporate policies do not allow Layer 3 functionality to be enabled on the switches. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:

Users connecting to VLAN 20 via port Fa0/1 on ASW1 must be authenticated before they are given access to the network. Authentication is to be done via a RADIUS server:

Radius server host: Radius key: rad123

Authentication should be implemented as close to the host as possible. Devices on VLAN 20 are restricted to the subnet of

Packets from devices in the subnet of should be allowed on VLAN 20. Packets from devices in any other address range should be dropped on VLAN 20.

Filtering should be implemented as close to the server farm as possible.

The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.



Correct Answer:

Step 1: Console to ASW1 from PC console 1
ASW1(config)#aaa new-model
ASW1(config)#radius-server host key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start

Step 2: Console to DSW1 from PC console 2
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1(config)#end
DSW1#copy run start

Question No.127

Which private VLAN access port belongs to the primary VLAN and can communicate with all interfaces, including the community and isolated host ports?

  1. promiscuous port

  2. isolated port

  3. community port

  4. trunk port

Correct Answer: A


The types of private VLAN ports are as follows:

Promiscuous: A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN. You can have several promiscuous ports in a primary VLAN. Each promiscuous port can have several secondary VLANs, or no secondary VLANs, associated to that port. You can associate a secondary VLAN to more than one promiscuous port, as long as the promiscuous port and secondary VLANs are within the same primary VLAN. You may want to do this for load-balancing or redundancy purposes. You can also have secondary VLANs that are not associated to any promiscuous port.

Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.

Community: A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports. These interfaces are isolated from all other interfaces in other communities and from all isolated ports within the private VLAN domain.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html
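The port-type rules from Question No.125 and Question No.127 above, modelled in Python as an added example (not code from the page or from Cisco). It assumes a single PVLAN domain per primary VLAN, that every host port sits in exactly one secondary VLAN, and that a promiscuous port carries the set of secondary VLANs mapped to it; the port layout is constructed.

```python
"""Private VLAN (PVLAN) forwarding rules modelled in Python: decide whether
two ports in the same PVLAN domain may exchange frames, from their port type
and VLAN association. Added example, not from the page or Cisco; the port
layout below is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class PortType(Enum):
    PROMISCUOUS = "promiscuous"
    ISOLATED = "isolated"
    COMMUNITY = "community"


@dataclass(frozen=True)
class PvlanPort:
    name: str
    ptype: PortType
    primary: int                              # primary VLAN of the PVLAN domain
    secondary: Optional[int] = None           # host ports: their one secondary VLAN
    associated: FrozenSet[int] = frozenset()  # promiscuous ports: mapped secondaries


def can_communicate(a: PvlanPort, b: PvlanPort) -> bool:
    """True if frames may flow between ports a and b (the relation is symmetric)."""
    if a.primary != b.primary:
        return False                          # different PVLAN domains never talk
    if a.ptype is PortType.PROMISCUOUS and b.ptype is PortType.PROMISCUOUS:
        return True                           # both sit in the primary VLAN
    if a.ptype is PortType.PROMISCUOUS:
        return b.secondary in a.associated    # host reachable only via a mapped secondary
    if b.ptype is PortType.PROMISCUOUS:
        return a.secondary in b.associated
    # Two host ports: only members of the same community VLAN reach each other;
    # isolated ports see nothing but promiscuous ports.
    return (a.ptype is PortType.COMMUNITY and b.ptype is PortType.COMMUNITY
            and a.secondary == b.secondary)


# Constructed layout: primary 100 with community 101, isolated 102 and a
# community 103 that is deliberately not mapped to the promiscuous port.
PORTS: List[PvlanPort] = [
    PvlanPort("Gi0/1-router", PortType.PROMISCUOUS, 100, associated=frozenset({101, 102})),
    PvlanPort("Fa0/1-web1", PortType.COMMUNITY, 100, secondary=101),
    PvlanPort("Fa0/2-web2", PortType.COMMUNITY, 100, secondary=101),
    PvlanPort("Fa0/3-kiosk1", PortType.ISOLATED, 100, secondary=102),
    PvlanPort("Fa0/4-kiosk2", PortType.ISOLATED, 100, secondary=102),
    PvlanPort("Fa0/5-lab1", PortType.COMMUNITY, 100, secondary=103),
]


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """Map each port name to the sorted names of the other ports it can reach."""
    return {p.name: sorted(q.name for q in ports if q is not p and can_communicate(p, q))
            for p in ports}


if __name__ == "__main__":
    for name, peers in reachability(PORTS).items():
        print(f"{name:14} -> {', '.join(peers) or '(nothing)'}")
```

Running it shows the two isolated kiosk ports reaching only the router port, the two web servers reaching each other and the router, and the unmapped community 103 reaching nothing at all, which is the case the explanation mentions when it says a secondary VLAN need not be associated to any promiscuous port.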

Question No.128

Which command globally enables AAA on a device?

  1. aaa new-model

  2. aaa authentication

  3. aaa authorization

  4. aaa accounting

Correct Answer: A


To configure AAA authentication, enable AAA by using the aaa new-model global configuration command. AAA features are not available for use until you enable AAA globally by issuing the aaa new-model command.

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfathen.html

The network monitoring application alerts a network engineer of a client PC that is acting as a rogue DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two.)

  1. switch# show mac address-table

  2. switch# show port-security

  3. switch# show ip verify source

  4. switch# show ip arp inspection

  5. switch# show mac address-table address <mac address>

Correct Answer: AE


These two commands will show the MAC address table, including the switch port that the particular host is using. Here is an example output:

Switch>show mac-address-table
Dynamic Addresses Count: 9
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total MAC addresses: 50
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
0010.0de0.e289       Dynamic       1     FastEthernet0/1
0010.7b00.1540       Dynamic       2     FastEthernet0/5
0010.7b00.1545       Dynamic       2     FastEthernet0/5
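Tracing a known MAC to its switch port from that output, as an added Python example (not code from the page or from Cisco). It parses both the older counter-style layout shown above and the newer Catalyst "Mac Address Table" layout, which goes beyond the single sample on the page; both output samples here are constructed copies, and the regexes assume Cisco dotted MAC notation and common IOS interface names.

```python
"""Locate the switch port behind a known MAC address by parsing
'show mac address-table' output. Added example, not from the page or Cisco;
the two output samples are constructed (one in the older counter-style
layout, one in the newer Catalyst layout)."""
import re
from typing import List, NamedTuple, Tuple

MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.IGNORECASE)
PORT_RE = re.compile(
    r"\b((?:FastEthernet|GigabitEthernet|TenGigabitEthernet|Port-channel|Fa|Gi|Te|Po)"
    r"\d+(?:/\d+)*)\b")
INT_RE = re.compile(r"\b(\d{1,4})\b")


class MacEntry(NamedTuple):
    mac: str
    vlan: int
    port: str


def normalize_mac(mac: str) -> str:
    """Accept aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff or aa-bb-... and return Cisco dotted form."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_mac_table(text: str) -> List[MacEntry]:
    """Extract (mac, vlan, port) rows; headers, counters and rulers are skipped."""
    entries: List[MacEntry] = []
    for line in text.splitlines():
        m, p = MAC_RE.search(line), PORT_RE.search(line)
        if not (m and p):
            continue  # not a table row
        # Remove the MAC and port tokens; the only remaining small integer is the VLAN,
        # whichever column order the platform uses.
        remainder = line.replace(m.group(0), " ").replace(p.group(0), " ")
        v = INT_RE.search(remainder)
        if not v:
            continue
        entries.append(MacEntry(m.group(1).lower(), int(v.group(1)), p.group(1)))
    return entries


def find_ports(text: str, mac: str) -> List[Tuple[int, str]]:
    """Return every (vlan, port) at which the given MAC was learned."""
    wanted = normalize_mac(mac)
    return [(e.vlan, e.port) for e in parse_mac_table(text) if e.mac == wanted]


# Constructed sample in the older layout (as on some 2900XL/3500XL switches).
SAMPLE_OLD = """\
Switch>show mac-address-table
Dynamic Addresses Count: 9
Secure Addresses (User-defined) Count: 0
Static Addresses (User-defined) Count: 0
System Self Addresses Count: 41
Total MAC addresses: 50
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0010.0de0.e289       Dynamic       1     FastEthernet0/1
0010.7b00.1540       Dynamic       2     FastEthernet0/5
0010.7b00.1545       Dynamic       2     FastEthernet0/5
"""

# Constructed sample in the newer Catalyst layout.
SAMPLE_NEW = """\
Switch#show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0010.0de0.e289    DYNAMIC     Fa0/1
  20    0010.7b00.1540    DYNAMIC     Fa0/5
  20    0000.0c07.ac14    DYNAMIC     Gi0/1
"""

if __name__ == "__main__":
    # MAC reported by the monitoring tool for the rogue DHCP server (constructed).
    rogue = "00:10:7B:00:15:40"
    for label, sample in (("old layout", SAMPLE_OLD), ("new layout", SAMPLE_NEW)):
        print(label, find_ports(sample, rogue))
```

If the MAC resolves to an uplink such as Gi0/1 rather than an access port, repeat the lookup on the neighbouring switch; the trace ends at the port where the address is learned on an edge interface.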

Question No.129

Which type of information does the DHCP snooping binding database contain?

  1. untrusted hosts with leased IP addresses

  2. trusted hosts with leased IP addresses

  3. untrusted hosts with available IP addresses

  4. trusted hosts with available IP addresses

Correct Answer: A


DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers. The DHCP snooping feature performs the following activities:

Validates DHCP messages received from untrusted sources and filters out invalid messages.

Rate-limits DHCP traffic from trusted and untrusted sources.

Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.pdf

Question No.130

A network engineer wants to ensure Layer 2 isolation of customer traffic using a private VLAN. Which configuration must be made before the private VLAN is configured?

  1. Disable VTP and manually assign VLANs.

  2. Ensure all switches are configured as VTP server mode.

  3. Configure VTP Transparent Mode.

  4. Enable VTP version 3.

Correct Answer: C


You must configure VTP to transparent mode before you can create a private VLAN. Private VLANs are configured in the context of a single switch and cannot have members on other switches. Private VLANs also carry TLVs that are not known to all types of Cisco switches.

Reference: http://www.ciscopress.com/articles/article.asp?p=29803&seqNum=6

