CCNP 642-825 Lab Questions AAA


CCNP Routing Lab Special Topics -- OSPF Companion Quiz


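1. [True/False] 10 points | When configuring OSPF, the same process ID must be used.
A True
B False

2. [Single choice] 10 points | Which of the following is not a required condition for establishing an OSPF neighbor relationship?
A Matching hello timers
B Matching area
C Different RIDs
D Matching process ID

3. [Single choice] 10 points | On Cisco products, what is the administrative distance of the OSPF routing protocol?
A 90
B 100
C 110
D 120

4. [True/False] 10 points | Setting an interface's OSPF priority to 255 ensures that this router becomes the DR.
A True
B False

5. [Single choice] 10 points | Which of the following commands does OSPF use to summarize external route entries?
A ip summary-address
B summary-address
C area X range
D area X summary-address

6. [Single choice] 10 points | With the default configuration, what is the OSPF cost of a 1000M interface?
A 100
B 10
C 1
D 0.5

7. [Single choice] 10 points | By default, what type do OSPF external route entries have in the routing table?
A O
B O IA
C O E1
D O E2

8. [Single choice] 10 points | An OSPF type 7 LSA represents a link-state advertisement generated by which special area?
A stub
B totally stub
C NSSA
D area 0

9. [Single choice] 10 points | What is the OSPF protocol number?
A 6
B 17
C 88
D 89

10. [Single choice] 10 points | In OSPF configuration mode, which of the following commands is incorrect?
A Router(config-router)#distribute-list 1 in fa0/0
B Router(config-router)#distribute-list 1 in
C Router(config-router)#distribute-list 1 out eigrp
D Router(config-router)#distribute-list 1 out fa0/0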

Latest IT Certification: CCNP 642-813 Certification Exam Question Bank


The safer, easier way to help you pass any IT exams.
Exam: 642-813
Title: Implementing Cisco IP Switched Networks (SWITCH)
Version: Demo

1. The Company uses layer 3 switches in the Core of their network. Which method of Layer 3 switching uses a forwarding information base (FIB)?
A. Topology-based switching
B. Demand-based switching
C. Route caching
D. Flow-based switching
E. None of the other alternatives apply
Answer: A

2. You need to design the VLAN scheme for the Company network. Which two statements are true about best practices in VLAN design? (Select two)
A. Routing should occur at the access layer if voice VLANs are utilized. Otherwise, routing should occur at the distribution layer.
B. Routing should always be performed at the distribution layer.
C. VLANs should be localized to a switch.
D. VLANs should be localized to a single switch unless voice VLANs are being utilized.
E. Routing should not be performed between VLANs located on separate switches.
Answer: B,C

3. Refer to the exhibit. On the basis of the information provided in the exhibit, which two sets of procedures are best practices for Layer 2 and 3 failover alignment? (Choose two.)
A. Configure the D-SW1 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW2 switch as the standby HSRP router and backup STP root for all VLANs.
B. Configure the D-SW1 switch as the standby HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the standby HSRP router and the STP root for VLANs 12 and 120.
C. Configure the D-SW1 switch as the active HSRP router and the STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the STP root for VLANs 12 and 120.
D. Configure the D-SW2 switch as the active HSRP router and the STP root for all VLANs. Configure the D-SW1 switch as the standby HSRP router and backup STP root for all VLANs.
E. Configure the D-SW1 switch as the active HSRP router and the backup STP root for VLANs 11 and 110. Configure the D-SW2 switch as the active HSRP router and the backup STP root for VLANs 12 and 120.
F. Configure the D-SW1 switch as the standby HSRP router and the backup STP root for VLANs 12 and 120. Configure the D-SW2 switch as the standby HSRP router and the backup STP root for VLANs 11 and 110.
Answer: C,F

4. If you needed to transport traffic coming from multiple VLANs (connected between switches), and your CTO was insistent on using an open standard, which protocol would you use?
A. 802.11B
B. spanning-tree
C. 802.1Q
D. ISL
E. VTP
F. Q.921
Answer: C

5. Under what circumstances should an administrator prefer local VLANs over end-to-end VLANs?
A. Eighty percent of traffic on the network is destined for Internet sites.
B. There are common sets of traffic filtering requirements for workgroups located in multiple buildings.
C. Eighty percent of a workgroup's traffic is to the workgroup's own local server.
D. Users are grouped into VLANs independent of physical location.
E. None of the other alternatives apply
Answer: A

6. What are some virtues of implementing end-to-end VLANs? (Choose two)
A. End-to-end VLANs are easy to manage.
B. Users are grouped into VLANs independent of a physical location.
C. Each VLAN has a common set of security and resource requirements for all members.
D. Resources are restricted to a single location.
Answer: B,C

7. Which of the following statements is true about the 80/20 rule (Select all that apply)?
A. 20 percent of the traffic on a network segment should be local
B. no more than 20 percent of the network traffic should be able to move across a backbone.
C. no more than 80 percent of the network traffic should be able to move across a backbone.
D. 80 percent of the traffic on a network segment should be local
Answer: B,D

8. The Company LAN is becoming saturated with broadcasts and multicast traffic. What could you do to help a network with many multicasts and broadcasts?
A. Creating smaller broadcast domains by implementing VLANs.
B. Separate nodes into different hubs.
C. Creating larger broadcast domains by implementing VLANs.
D. Separate nodes into different switches.
E. All of the above.
Answer: A

9. The Company LAN switches are being configured to support the use of Dynamic VLANs. Which of the following are true of dynamic VLAN membership? (Select all that apply)
A. VLAN membership of a user always remains the same even when he/she is moved to another location.
B. VLAN membership of a user always changes when he/she is moved to another location.
C. Membership can be static or dynamic.
D. Membership can be static only.
E. None of the other alternatives apply.
Answer: A,C

10. The Company LAN switches are being configured to support the use of Dynamic VLANs. What should be considered when implementing a dynamic VLAN solution? (Select two)
A. Each switch port is assigned to a specific VLAN.
B. Dynamic VLANs require a VLAN Membership Policy Server.
C. Devices are in the same VLAN regardless of which port they attach to.
D. Dynamic VLAN assignments are made through the command line interface.
Answer: B,C

11. In the three-layer hierarchical network design model, what's associated with the access layer? (Select two)
A. optimized transport structure
B. high port density
C. boundary definition
D. data encryption
E. local VLANs
F. route summaries
Answer: B,E

12. You are assigning VLANs to the ports of switch R1. What VLAN number is assigned to the default VLAN?
A. VLAN 1003
B. VLAN 1
C. VLAN ON
D. VLAN A
E. VLAN 0
Answer: B

13. The VLANs in switch R1 are being modified. Which of the following are updated in R1 every time a VLAN is modified? (Select all that apply)
A. Configuration revision number
B. Configuration revision flag field
C. Configuration revision reset switch
D. Configuration revision database
E. None of the other alternatives apply.
Answer: A,D

14. Given the above partial configuration, which two statements are true about VLAN traffic? (Choose two.)
A. VLANs 1-5 will use fa0/10 as a backup only.
B. VLANs 6-10 will use fa0/10 as a backup only.
C. VLANs 1-5 will be blocked if fa0/10 goes down.
D. VLANs 1-10 are configured to load share between fa0/10 and fa0/12.
E. VLANs 6-10 have a port priority of 128 on fa0/10.
Answer: B,D

15. What is a characteristic of assigning a static VLAN membership?
A. VMPS server lookup is required
B. Easy to configure
C. Ease of adds, moves, and changes
D. Based on MAC address of the connected device
Answer: B

16. Static VLANs are being used on the Company network. What is true about static VLANs?
A. Devices use DHCP to request their VLAN.
B. Attached devices are unaware of any VLANs.
C. Devices are assigned to VLANs based on their MAC addresses.
D. Devices are in the same VLAN regardless of which port they attach to.
Answer: B

17. Two Company switches are connected via a trunk using VTP. Which VTP information does a Catalyst switch advertise on its trunk ports when using VTP? (Select two)
A. STP root status
B. VTP mode
C. Negotiation status
D. Management domain
E. Configuration revision number
Answer: D,E

18. You need to investigate a VTP problem between two Company switches. The lack of which two prevents VTP information from propagating between switches? (Select two)
A. A root VTP server
B. A trunk port
C. VTP priority
D. VLAN 1
E. None of the other alternatives apply
Answer: B,D

19. R1 and R2 are switches that communicate via VTP. What is the default VTP advertisement interval in Catalyst switches that are in server or client mode?
A. 30 seconds
B. 5 minutes
C. 1 minute
D. 10 seconds
E. 5 seconds
F. None of the other alternatives apply
Answer: B

20. Refer to the exhibit. VTP has been enabled on the trunk links between all switches within the TEST domain. An administrator has recently enabled VTP pruning. Port 1 on Switch 1 and port 2 on Switch 4 are assigned to VLAN 2. A broadcast is sent from the host connected to Switch 1. Where will the broadcast propagate?
A. Every switch in the network receives the broadcast and will forward it out all ports.
B. Every switch in the network receives the broadcast, but only Switch 4 will forward it out port 2.
C. Switches 1, 2, and 4 will receive the broadcast, but only Switch 4 will forward it out port 2.
D. Only Switch 4 will receive the broadcast and will forward it out port 2.
Answer: C

21. You want to configure switch R1 to propagate VLAN information across the Company network using VTP. What must be configured on a Cisco switch in order to advertise VLAN information?
A. VTP mode
B. VTP password
C. VTP revision number
D. VTP pruning
E. VTP domain name
F. None of the other alternatives apply
Answer: E

22. The Company switches have all been upgraded to use VTP version 2. What are two benefits provided in VTP Version 2 that are not available in VTP Version 1? (Select two)
A. VTP version 2 supports Token Ring VLANs
B. VTP version 2 allows VLAN consistency checks
C. VTP version 2 allows active redundant links when used with spanning tree
D. VTP version 2 reduces the amount of configuration necessary
E. VTP version 2 saves VLAN configuration memory
Answer: A,B

23. The Company network administrator needs to enable VTP pruning within the Company network. What action should a network administrator take to enable VTP pruning on an entire management domain?
A. Enable VTP pruning on any switch in the management domain
B. Enable VTP pruning on any client switch in the domain
C. Enable VTP pruning on a VTP server in the management domain
D. Enable VTP pruning on every switch in the domain
E. None of the other alternatives apply
Answer: C

24. VTP is configured on switch R1. Which of the following features were added in VTP version 2 that were not previously supported in VTP version 1? (Select two)
A. Supports Token Ring VLANs.
B. Allows VLAN consistency checks.
C. Saves VLAN configuration memory.
D. Reduces the amount of configuration necessary.
E. Allows active redundant links when used with spanning tree.
Answer: A,B

25. The Company switches are configured to use VTP. What's true about the VLAN trunking protocol (VTP)? (Select two)
A. VTP messages will not be forwarded over nontrunk links.
B. VTP domain names need to be identical. However, case doesn't matter.
C. A VTP enabled device which receives multiple advertisements will ignore advertisements with higher configuration revision numbers.
D. A device in "transparent" VTP v.1 mode will not forward VTP messages.
E. VTP pruning allows switches to prune VLANs that do not have any active ports associated with them.
Answer: A,D

26. Switch R1 and R2 both belong to the Company VTP domain. What's true about the switch operation in VTP domains? (Select all that apply)
A. A switch can only reside in one management domain
B. A switch is listening to VTP advertisements from their own domain only
C. A switch is listening to VTP advertisements from multi domains
D. A switch can reside in one or more domains
E. VTP is no longer supported on Catalyst switches
Answer: A,B

27. VTP devices in a network track the VTP revision number. What is a VTP configuration revision number?
A. A number for identifying changes to the network switch.
B. A number for identifying changes to the network router.
C. A number for identifying changes to the network topology.
D. None of the other alternatives apply.
Answer: C

28. Switch R1 is configured to use the VLAN Trunking Protocol (VTP). What does R1 advertise in its VTP domain?
A. The VLAN ID of all known VLANs, the management domain name, and the total number of trunk links on the switch.
B. The VLAN ID of all known VLANs, a 1-bit canonical format (CF1 Indicator), and the switch configuration revision number.
C. The management domain name, the switch configuration revision number, the known VLANs, and their specific parameters.
D. A 2-byte TPID with a fixed value of 0x8100 for the management domain number, the switch configuration revision number, the known VLANs, and their specific parameters.
E. None of the other alternatives apply.
Answer: C

29. VTP switches use advertisements to exchange information with each other. Which of the following advertisement types are associated with VTP? (Select all that apply)
A. Domain advertisements
B. Advertisement requests from clients
C. Subset advertisements
D. Summary advertisements
Answer: B,C,D

30. Switch R1 is part of the Company VTP domain. What's true of VTP Pruning within this domain? (Select all that apply)
A. It does not prune traffic from VLANs that are pruning-ineligible
B. VLAN 1 is always pruning-eligible
C. it will prune traffic from VLANs that are pruning-ineligible
D. VLAN 2 is always pruning-ineligible
E. None of the other alternatives apply.
Answer: A

642-825 Question Bank: Detailed Solution to the HQ Question


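First, there are 5 errors you need to have in mind:
1 Default route
2 EIGRP AS error
3 Tunnel source
4 Tunnel destination
5 network statement incomplete / wrong mask

If you want to pass, memorize the 5 points above!!!

For the topology, see the question bank; for the solution steps, see below. (Do not work through the questions in order from the first to the fifth; that is too hard. They actually depend on one another. Once you have read the steps you will understand.)

The device on the left is called hq, the ones on the right are 1-5, and there are 5 questions in total.

Step 1: Open all the devices, 6 in total (including hq). Don't ask me how to open them, or you'll get a smack.

Step 2: Enter show run on all of them (do en first).

Step 3: Read the configurations, starting with 1-5 (in the exam the names are different, but they are still ordered 1-5). I think they are called Branch1, Branch2 ... (5).

Step 4: Among 1-5, find the one that has no ip route 0.0.0.0 0.0.0.0 .... (default route).

Step 5: Only one device lacks it. Once you have found it, say Branch1, look for the keyword Branch1 in the questions and, in that question, choose miss default route (the option for the missing default route).

Step 6: Compare the eigrp AS number on hq with those on 1-5. Whichever one does not match, proceed as in step 5 and select the answer.

Step 7: At this point you have 2 questions right. Next come the tunnel source and destination. In the exam you will find that the configurations on 1-5 all have tunnel 0 followed by one tunnel source and one tunnel destination. Remember this structure!! (The source is local, the destination is the peer.)

Step 8: How do you read this? First look at hq's configuration. It has five tunnel configurations, usually tunnel11, tunnel12, tunnel13 ... 5, each connecting to the tunnel on the corresponding device 1-5 on the right of the topology.

Step 9: On hq, say we look at tunnel 11. It corresponds to the contents of the tunnel0 structure in the configuration of the first device on the right, Branch1. (On 1-5 the tunnel is always called tunnel0, unlike hq, where they are told apart as 11-15.)

Step 10: Look at Branch1 first. If tunnel0 says tunnel source s0/2, the local interface s0/2 is used as the local source. Then go to the peer, hq, and check whether the tunnel destination address in tunnel11 matches the address of the local s0/2 on Branch1 on the right. If they are the same, it is correct.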

CCNP Latest Question Bank: SWITCH 642-813-2


A. Switch P2S1 is in server mode.B. Switch P1S1 is in transparent mode.C. The MD5 digests do not match.D. The passwords do not match.E. The VTP domains are different.F. VTP trap generation is disabled on both switches.Answer: B,D,EExplanation:Determine the VTP mode of operation of the switch and include the mode when setting the VTP domain name information on the switch. If you leave the switch in server mode, be sure to verify that the configuration revision number is set to 0 before adding the switch to the VTP domain. It is generally recommended that you have several servers in the domain, with all other switches set to client mode for purposes of controlling VTP information.It is also highly recommended that you use secure mode in your VTP domain. Assigning a password to the domain will accomplish this. This will prevent unauthorized switches fromparticipating in the VTP domain. From the privileged mode or VLAN configuration mode, use the vtp password password command.h t t p://www.ed if y.co m .cn /QUESTION NO: 75Refer to the exhibit. Based upon the output of show vlan on switch CAT2, what can we conclude about interfaces Fa0/13 and Fa0/14?A. that interfaces Fa0/13 and Fa0/14 are in VLAN 1B. that interfaces Fa0/13 and Fa0/14 are downC. that interfaces Fa0/13 and Fa0/14 are trunk interfacesD. that interfaces Fa0/13 and Fa0/14have a domain mismatch with another switchE. that interfaces Fa0/13 and Fa0/14have a duplex mismatch with another switchAnswer: CExplanation:trunk - This setting places the port in permanent trunking mode. The corresponding switch port at the other end of the trunk should be similarly configured because negotiation is not allowed. You should also manually configure the encapsulation mode.show vlan: This commands shows the vlan, ports belonging to VLAN means that port on access mode. It doesn't shows the port on trunk mode.QUESTION NO: 76Refer to the exhibit. 
On the basis of the output generated by the show commands, which two statements are true? (Choose two.)h t t p://www.ed if y.co m .cn /A. Because it is configured as a trunk interface, interface gigabitethernet 0/1 does not appear in the show vlan output.B. VLAN 1 will not be encapsulated with an 802.1q header.C. There are no native VLANs configured on the trunk.D. VLAN 2 will not be encapsulated with an 802.1q header.E. All interfaces on the switch have been configured as access ports.F. Because it has not been assigned to any VLAN, interface gigabitethernet 0/1 does not appear in the show vlan output.Answer: A,BExplanation:h t t p://www.ed if y.co m .cn /The IEEE 802.1Q protocol can also carry VLAN associations over trunk links. However, this frame identification method is standardized, allowing VLAN trunks to exist and operate between equipment from multiple vendors.In particular, the IEEE 802.1Q standard defines an architecture for VLAN use, services provided with VLANs, and protocols and algorithms used to provide VLAN services.Like Cisco ISL, IEEE 802.1Q can be used for VLAN identification with Ethernet trunks. Instead of encapsulating each frame with a VLAN ID header and trailer, 802.1Q embeds its tagging information within the Layer 2 frame. This method is referred to as single-tagging or internal tagging .802.1Q also introduces the concept of a native VLAN on a trunk. Frames belonging to this VLAN are not encapsulated with any tagging information. In the event that an end station is connected to an 802.1Q trunk link, the end station can receive and understand only the native VLAN frames.This provides a simple way to offer full trunk encapsulation to the devices that can understand it,while giving normal access stations some inherent connectivity over the trunk.show vlan: This commands shows the vlan, ports belonging to VLAN means that port on access mode. 
It doesn't show the port on trunk mode.QUESTION NO: 77Refer to the exhibit and the show interfaces fastethernet0/1 switchport outputs. Users in VLAN 5on switch SW_A complain that they do not have connectivity to the users in VLAN 5 on switch SW_B. What should be done to fix the problem?A. Configure the same number of VLANs on both switches.h t t p://www.ed if y.co m .cn /B. Create switch virtual interfaces (SVI) on both switches to route the traffic.C. Define VLAN 5 in the allowed list for the trunk port on SW_A.D. Disable pruning for all VLANs in both switches.E. Define VLAN 5 in the allowed list for the trunk port on SW_BAnswer: CExplanation:switchport trunk allowed vlan , defines which VLANs can be trunked over thelink . By default, a switch transports all active VLANs (1 to 4094) over a trunk link. There might be times when the trunk link should not carry all VLANs. For example, broadcasts are forwarded to every switch port on a VLAN-including the trunk link because it, too, is a member of the VLAN.If the VLAN does not extend past the far end of the trunk link, propagating broadcasts across the trunk makes no sense.Section 8: Document results of VLAN implementation and verification (0 Questions)QUESTION NO: 78Refer to the exhibit. An attacker is connected to interface Fa0/11 on switch A-SW2 and attempts to establish a DHCP server for a man-in-middle attack. Which recommendation, if followed, would mitigate this type of attack?A. All switch ports in the Building Access block should be configured as DHCP untrusted ports.B. All switch ports in the Building Access block should be configured as DHCP trusted ports.h t t p://www.ed if y.co m .cn /C. All switch ports connecting to servers in the Server Farm block should be configured as DHCP untrusted ports.D. All switch ports connecting to hosts in the Building Access block should be configured as DHCP trusted ports.E. All switch ports in the Server Farm block should be configured as DHCP untrusted ports.F. 
All switch ports connecting to hosts in the Building Access block should be configured as DHCP untrusted ports.Answer: FExplanation:One of the ways that an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCPrequests. The legitimate server may reply also, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first.The intruder's DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway,the clients will then forward packets to the attacking device, which will in turn send them to the desired destination. This is referred to as a "man-in-the-middle" attack, and it may go entirely undetected as the intruder intercepts the data flow through the network.Untrusted ports are those that are not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains the client MAC address, IP address, lease time,binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses, such as DHCPOFFER, DHCPACK,DHCPNAK .QUESTION NO: 79You are responsible for increasing the security within the Company LAN. Of the following choices listed below, which is true regarding layer 2 security and mitigation techniques?A. Enable root guard to mitigate ARP address spoofing attacks.B. Configure DHCP spoofing to mitigate ARP address spoofing attacks.C. Configure PVLANs to mitigate MAC address flooding attacks.D. Enable root guard to mitigate DHCP spoofing attacks.E. Configure dynamic APR inspection (DAI) to mitigate IP address spoofing on DHCP untrusted ports.F. Configure port security to mitigate MAC address floodingG. 
None of the other alternatives applyAnswer: Fh t t p://www.ed if y.co m .cn /Explanation:Use the port security commands to mitigate MAC-spoofing attacks. The port security command provides the capability to specify the MAC address of the system connected to a particular port.The command also provides the ability to specify an action to take if a port-security violationoccurs. However, as with the CAM table-overflow attack mitigation, specifying a MAC address on every port is an unmanageable solution. Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks by setting the length of time an entry will stay in the ARP cache.Reference: /networksecurity/NetworkSecurity.htmlSection 2: Create an implementation plan for the Security solution (3 Questions)QUESTION NO: 80You work as a network technician at . Your boss, Mrs. Tess King, is interested in switch spoofing. She asks you how an attacker would collect information with VLAN hoping through switch spoofing. You should tell her that the attacking station...A. es VTP to collect VLAN information that is sent out and then tags itself with the domain information in order to capture the data.B. ...will generate frames with two 802.1Q headers to cause the switch to forward the frames to a VLAN that would be inaccessible to the attacker through legitimate means.C. es DTP to negotiate trunking with a switch port and captures all traffic that is allowed on the trunk.D. ...tags itself with all usable VLANs to capture data that is passed through the switch, regardless of the VLAN to which the data belongs.E. None of the other alternatives applyAnswer: CExplanation:DTP should be disabled for all user ports on a switch. 
If the port is left with DTP auto-configured (default on many switches), an attacker can connect and arbitrarily cause the port to start trunking and therefore pass all VLAN information.Reference:/en/US/solutions/ns340/ns517/ns224/ns376/net_design_guidance0900aecd800ebd1e.pdfQUESTION NO: 81h t t p://www.ed if y.co m .cn /The Company security administrator is concerned with layer 2 network attacks. Which two statements about these attacks are true? (Select two)A. ARP spoofing attacks are attempts to redirect traffic to an attacking host by encapsulating a false 802.1Q header on a frame and causing traffic to be delivered to the wrong VLAN.B. ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP message with a forged identity to a transmitting host.C. MAC address flooding is an attempt to force a switch to send all information out every port by overloading the MAC address table.D. ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP packet that contains the forged address of the next hop router.E. MAC address flooding is an attempt to redirect traffic to a single port by associating that port with all MAC addresses in the VLAN.Answer: B,CExplanation:Content Addressable Memory ( CAM ) Table Overflow (MAC address Flooding)Content Addressable Memory (CAM) tables are limited in size. If enough entries are entered into the CAM table before other entries are expired, the CAM table fills up to the point that no new entries can be accepted. Typically, a network intruder floods the switch with a large number of invalid source Media Access Control (MAC) addresses until the CAM table fills up. When thatoccurs, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the CAM table. The switch, in essence, acts like a hub. 
If the intruder does not maintain the flood of invalid-source MAC addresses, the switch eventually times out older MAC address entries from the CAM table and begins to act like a switch again. CAM tableoverflow only floods traffic within the local VLAN so the intruder only sees traffic within the local VLAN to which he or she is connected.The CAM table overflow attack can be mitigated by configuring port security on the switch. This option provides for either the specification of the MAC addresses on a particular switch port or the specification of the number of MAC addresses that can be learned by a switch port. When an invalid MAC address is detected on the port, the switch can either block the offending MAC address or shut down the port. The specification of MAC addresses on switch ports is far too unmanageable a solution for a production environment. A limit of the number of MAC addresses on a switch port is manageable. A more administratively scalable solution is the implementation of dynamic port security at the switch. In order to implement dynamic port security, specify a maximum number of MAC addresses that will be learned.Address Resolution Protocol (ARP) SpoofingARP is used to map IP addressing to MAC addresses in a local area network segment where hosts of the same subnet reside. Normally, a host sends out a broadcast ARP request to find the MAC address of another host with a particular IP address, and an ARP response comes from the host whose address matches the request. The requesting host then caches this ARP response.Within the ARP protocol, another provision is made for hosts to perform unsolicited ARP replies.h t t p://www.ed if y.co m .cn /The unsolicited ARP replies are called Gratuitous ARP (GARP). GARP can be exploited maliciously by an attacker to spoof the identity of an IP address on a LAN segment. 
This istypically used to spoof the identity between two hosts or all traffic to and from a default gateway in a "man-in-the-middle" attack.When an ARP reply is crafted, a network attacker can make his or her system appear to be the destination host sought by the sender. The ARP reply causes the sender to store the MACaddress of the network attacker's system in the ARP cache. This MAC address is also stored by the switch in its CAM table. In this way, the network attacker has inserted the MAC address of his or her system into both the switch CAM table and the ARP cache of the sender. This allows the network attacker to intercept frames destined for the host that he or she is spoofing.Reference:/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtmlQUESTION NO: 82The Company security administrator wants to prevent DHCP spoofing. Which statement is true about DHCP spoofing operation?A. DHCP spoofing and SPAN cannot be used on the same port of a switch.B. To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packet.C. To prevent a DHCP spoofing, the switch must have DHCP server services disabled and a static entry pointing towards the DHCP server.D. DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.E. None of the other alternatives apply.Answer: BExplanation:About DHCP Spoofing:Suppose that an attacker could bring up a rogue DHCP server on a machine in the same subnet as that same client PC. Now when the client broadcasts its DHCP request, the rogue server could send a carefully crafted DHCP reply with its own IP address substituted as the default gateway.When the client receives the reply, it begins using the spoofed gateway address. Packets destined for addresses outside the local subnet then go to the attacker's machine first. 
The attacker can forward the packets to the correct destination, but in the meantime, it can examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle attack; the attacker is wedged into the path and the client doesn't realize it.About ARP:h t t p://www.ed if y.co m .cn /Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC address when the IP address is known. If a MAC address is needed so that a packet can be forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the target in question.If any other host is using that IP address, it responds with an ARP reply containing its MAC address.To prevent a DHCP spoofing, the DHCP server must create a static ARP entry that cannot be updated by a dynamic ARP packetSection 3: Create a verification plan for the Security solution (4 Questions)QUESTION NO: 83Refer to the exhibit. What will happen to traffic within VLAN 14 with a source address of 172.16.10.5?A. The traffic will be forwarded to the router processor for further processing.B. The traffic will be dropped.C. The traffic will be forwarded to the TCAM for further processing.D. The traffic will be forwarded without further processing.Answer: BExplanation:VLAN maps, also known as VLAN ACLs or VACLs, can filter all traffic traversing a switch. VLAN maps can be configured on the switch to filter all packets that are routed into or out of a VLAN, or are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike routerh t t p://www.ed if y.co m .cn /ACLs, VLAN maps are not defined by direction (input or output).To create a VLAN map and apply it to one or more VLANs, perform these steps: Create the standard or extended IP ACLs or named MAC extended ACLs to be applied to the VLAN. This access-list will select the traffic that will be either forwarded or dropped by the access-map. 
Only traffic matching the 'permit' condition in an access-list will be passed to the access-map for further processing. Enter the vlan access-map access-map-name [ sequence ] global configuration command to create a VLAN ACL map entry. Each access-map can have multiple entries. The order of these entries is determined by the sequence . If no sequence number is entered, access-map entries are added with sequence numbers in increments of 10. In access map configuration mode, optionally enter an action forward or action drop . The default is to forward traffic. Also enter the match command to specify an IP packet or a non-IP packet (with only a known MAC address),and to match the packet against one or more ACLs (standard or extended). Use the vlan filter access-map-name vlan-list vlan-list global configuration command to apply a VLAN map to one or more VLANs. A single access-map can be used on multiple VLANs.QUESTION NO: 84Company is implementing 802.1X in order to increase network security. In the use of 802.1X access control, which three protocols are allowed through the switch port before authentication takes place? (Select three)A. EAP-over-LANB. EAP MD5C. STPD. protocols not filtered by an ACLE. CDPF. TACACS+Answer: A,C,EExplanation:The IEEE 802.1x standard defines a port-based access control and authentication protocol that restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN. Until the workstation is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the workstation is connected. After authentication succeeds, normal traffic can pass through the port.The Authentication server performs the actual authentication of the client. 
The authentication server validates the identity of the client and notifies the switch whether or not the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. In this release, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Spanning-Tree Protocol (STP) is a Layer 2 protocol that utilizes a special-purpose algorithm to discover physical loops in a network and effect a logical loop-free topology. STP creates a loop-free tree structure consisting of leaves and branches that span the entire Layer 2 network. The actual mechanics of how bridges communicate and how the STP algorithm works will be discussed at length in the following topics. Note that the terms bridge and switch are used interchangeably when discussing STP. In addition, unless otherwise indicated, connections between switches are assumed to be trunks.
CDP is a Cisco proprietary protocol that operates at the Data Link layer. One unique feature about operating at Layer 2 is that CDP functions regardless of what Physical layer media you are using (UTP, fiber, and so on) and what Network layer routed protocols you are running (IP, IPX, AppleTalk, and so on). CDP is enabled on all Cisco devices by default, and is multicast every 60 seconds out of all functioning interfaces, enabling neighbor Cisco devices to collect information about each other.
Although this is a multicast message, Cisco switches do not flood that out to all their neighbors as they do a normal multicast or broadcast.
STP, CDP and EAP-over-LAN are allowed before authentication.

QUESTION NO: 85
Refer to the exhibit. The web servers WS_1 and WS_2 need to be accessed by external and internal users. For security reasons, the servers should not communicate with each other, although they are located on the same subnet. The servers do need, however, to communicate with a database server located in the inside network. What configuration will isolate the servers from each other?
A. The switch ports 3/1 and 3/2 will be defined as secondary VLAN community ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
B. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
C. The switch ports 3/1 and 3/2 and the ports connecting to the two firewalls will be defined as primary VLAN community ports.
D. The switch ports 3/1 and 3/2 will be defined as secondary VLAN isolated ports. The ports connecting to the two firewalls will be defined as primary VLAN promiscuous ports.
Answer: D
Explanation:
Service providers often have devices from multiple clients, in addition to their own servers, on a single Demilitarized Zone (DMZ) segment or VLAN. As security issues proliferate, it becomes necessary to provide traffic isolation between devices, even though they may exist on the same Layer 3 segment and VLAN.
Catalyst 6500/4500 switches implement PVLANs to keep some switch ports shared and some switch ports isolated, although all ports exist on the same VLAN. The 2950 and 3550 support "protected ports," which provide functionality similar to PVLANs on a per-switch basis.
A port in a PVLAN can be one of three types:
Isolated: An isolated port has complete Layer 2 separation from other ports within the same PVLAN, except for the promiscuous port. PVLANs block all traffic to isolated ports, except the traffic from promiscuous ports. Traffic received from an isolated port is forwarded to only promiscuous ports.
Promiscuous: A promiscuous port can communicate with all ports within the PVLAN, including the community and isolated ports. The default gateway for the segment would likely be hosted on a promiscuous port, given that all devices in the PVLAN will need to communicate with that port.
Community: Community ports communicate among themselves and with their promiscuous ports. These interfaces are isolated at Layer 2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

QUESTION NO: 86
VLAN maps have been configured on switch R1. Which of the following actions are taken in a VLAN map that does not contain a match clause?
A. Implicit deny feature at end of list.
B. Implicit deny feature at start of list.
C. Implicit forward feature at end of list.
D. Implicit forward feature at start of list.
Answer: A
Explanation:
Each VLAN access map can consist of one or more map sequences, each sequence with a match clause and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it will be checked against the next ACL in the same sequence or the next sequence.
If a flow does not match any ACL entry and at least one ACL is configured for that packet type, the packet is denied.
Reference: /en/US/products/hw/switches/ps700/products_configuration_guide_chapter09186a008007f4d4.html

Section 4: Configure port security features (6 Questions)

QUESTION NO: 87
A Company switch was configured as shown below:
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 0002.0002.0002
switchport port-security violation shutdown
Given the configuration output shown above, what happens when a host with the MAC address of 0003.0003.0003 is directly connected to the switch port?
A. The host will be allowed to connect.
B. The port will shut down.
C. The host can only connect through a hub/switch where 0002.0002.0002 is already connected.
D. The host will be refused access.
E. None of the other alternatives apply
Answer: A
Explanation:
Steps of Implementing Port Security:
In the exhibit, two MAC addresses are allowed, so that host will be allowed to connect.

QUESTION NO: 88
Refer to the exhibit. Which interface or interfaces on switch SW_A can have the port security feature enabled?
A. Ports 0/1 and 0/2
B. The trunk port 0/22 and the EtherChannel ports
C. Ports 0/1, 0/2 and 0/3
D. Ports 0/1, 0/2, 0/3, the trunk port 0/22 and the EtherChannel ports
E. Port 0/1
F. Ports 0/1, 0/2, 0/3 and the trunk port 0/22
Answer: C
Explanation:
Port security is a feature supported on Cisco Catalyst switches that restricts a switch port to a specific set or number of MAC addresses. Those addresses can be learned dynamically or configured statically. The port will then provide access to frames from only those addresses. If, however, the number of addresses is limited to four but no specific MAC addresses are configured, the port will allow any four MAC addresses to be learned dynamically, and port access will be limited to those four dynamically learned addresses.
A port security feature called "sticky learning," available on some switch platforms, combines the features of dynamically learned and statically configured addresses. When this feature is configured on an interface, the interface converts dynamically learned addresses to "sticky secure" addresses. This adds them to the running configuration as if they were configured using the switchport port-security mac-address command.

QUESTION NO: 89
Refer to the exhibit. Based on the running configuration that is shown for interface FastEthernet0/2, what two conclusions can be deduced? (Choose two.)
A. Connecting a host with MAC address 0000.0000.4147 will move interface FastEthernet0/2 into error disabled state.
B. The host with address 0000.0000.4141 is removed from the secure address list after 5 seconds of inactivity.

Cisco Basic Labs (Chinese-English Bilingual), CCNA-CCNP Labs

Contents
Lab 1: Basic Router Configuration
Lab 2: Static Routes
Lab 3: Default Routes
Lab 4: Static Routes, Default Routes and the CDP Protocol
Lab 5: Inter-VLAN Communication with a Layer 3 Switch
Lab 6: VTP
Lab 7: Spanning Tree (STP)
Lab 8: RIP Routing Protocol 1
Lab 9: RIP Routing Protocol 2
Lab 10: Single-Area OSPF 1
Lab 11: Single-Area OSPF 2
Lab 12: Single-Area OSPF 3
Lab 13: EIGRP

CCNP 642-845 Lab Questions

1. Drag the wireless 802.1e priority level groupings on the left to the appropriate Wi-Fi Multimedia (WMM) access categories on the right. (Not all groupings will be used.)
Left column | Right column
priority levels 0 or 1 | Voice
priority levels 0 or 3 | Video
priority levels 1 or 2 | Background
priority levels 2 or 3 | Best Effort
priority levels 4 or 5 |
priority levels 6 or 7 |
Answer:
priority levels 6 or 7
priority levels 4 or 5
priority levels 1 or 2
priority levels 0 or 3

2. Drag each term on the left to its time definition on the right. There will be one term unused.
Left column | Right column
processing delay | time for packet to cross the link from one end to the other
transmission delay | time to move a packet from an input interface to the output queue of the output interface
end-to-end delay | time to place a frame on the physical medium for transport
queuing delay | time that a packet resides in the output queue of a router
serialization delay | time for packet to move from the beginning of transmission to being received
propagation delay |
Answer:
propagation delay
processing delay
serialization delay
queuing delay
end-to-end delay

3. Add a new wireless LAN controller (WLC) to the WCS wireless management server. From the left, drag each procedure to its step sequence on the right.
Left column | Right column
Choose GO | Step 1
Enter the IP address | Step 2
Choose the Add Controller... drop down option | Step 3
Choose Configure > Controllers | Step 4
Log into WCS | Step 5
Choose OK. | Step 6
Answer:
Log into WCS
Choose Configure > Controllers
Choose the Add Controller... drop down option
Choose GO
Enter the IP address
Choose OK.

4. Drag each wireless EAP authentication protocol on the left to its definition on the right.
Left column | Right column
LEAP | client and server digital certificate required for authentication
EAP-FAST | server only digital certificate required for authentication
EAP-TLS | user ID and password required for authentication
EAP-PEAP | protected access credentials for client and server authentication
Answer:
EAP-TLS
EAP-PEAP
LEAP
EAP-FAST

5. Using the fewest commands possible, drag the commands on the left to the blanks on the right to configure and apply a QoS policy that guarantees that voice packets receive 20 percent of the bandwidth on the S0/1/0 interface.
int s0/1/0
policy-map voice-policy
match ip dscp ef
match ip protocol rtp
priority percent 20
class-map voice-packets
bandwidth percent 20
service-policy output voice-policy
class voice-packets
Answer:
class-map voice-packets
match ip dscp ef
policy-map voice-policy
class voice-packets
priority percent 20
int s0/1/0
service-policy output voice-policy

6. To configure Control Plane Policing (CoPP) to deny Telnet access only from 10.1.1.1, drag the commands on the left to the boxes on the right and place the commands in the proper order.
class-map telnet-class
drop
class telnet-class
service-policy input control-plane-in
access-list 140 deny tcp host 10.1.1.1 any eq telnet
access-list 140 permit tcp any any eq telnet
control-plane
match access-group 140
policy-map control-plane-in
Answer:
access-list 140 deny tcp host 10.1.1.1 any eq telnet
access-list 140 permit tcp any any eq telnet
class-map telnet-class
match access-group 140
policy-map control-plane-in
class telnet-class
drop
control-plane
service-policy input control-plane-in

7. Drag each descriptor on the left to the QoS model on the right to which the descriptor applies. Not all descriptors apply.
Descriptors (left):
limited scalability
highly scalable
uses DSCP to identify QoS level
no QoS
uses RSVP
easy to offer many levels of QoS
used to provide CAC
complex mechanisms for QoS
assured QoS
timely arrival of packets not important
QoS models (right):
IntServ Model
DiffServ Model
Answer:
IntServ Model
limited scalability
uses RSVP
used to provide CAC
assured QoS
DiffServ Model
highly scalable
uses DSCP to identify QoS level
easy to offer many levels of QoS
complex mechanisms for QoS

8. Drag each WLSE feature on the left to its benefit on the right.
Left column | Right column
centralized configuration, firmware, and radio management | helps in capacity planning and troubleshooting
autoconfiguration of new APs | allows the use of autoconfiguration of new APs
AP utilization and client association | simplifies large-scale deployment
proactively monitor AP/bridges and 802.1X EAP servers | improves WLAN uptime
templates | required to manage large numbers of APs
Answer:
AP utilization and client association
templates
autoconfiguration of new APs
proactively monitor AP/bridges and 802.1X EAP servers
centralized configuration, firmware, and radio management

9. Drag each WLSE feature above to its benefit below.
Left column | Right column
templates | Helps in capacity planning and troubleshooting
autoconfiguration of new APs | Allows the use of autoconfiguration of new APs
AP utilization and client association | Simplifies large-scale deployment
proactively monitor AP/bridges and 802.1x EAP servers | Improves WLAN uptime
centralized configuration, firmware, and radio management | Required to manage large numbers of APs
Answer:
AP utilization and client association
templates
autoconfiguration of new APs
proactively monitor AP/bridges and 802.1x EAP servers
centralized configuration, firmware, and radio management

10. Drag the steps required to convert compressed digital signals to analog signals to their correct order on the right.
Left column | Right column
decompression | Step 1
sampling | Step 2
decoding | Step 3
reconstruction |
encoding |
Answer:
decompression
decoding
reconstruction

11. This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the question, you will need to refer to the SDM and the topology, neither of which is currently visible.
To gain access to either the topology or the SDM, click on the button to left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the SDM, you can return to your questions by clicking on the Questions button to the left.
Your Money, Inc. is a large worldwide investment firm. Using the SDM QoS wizard, the company has recently implemented QoS policies at one of their Branch locations. As a recent addition to the network engineering team, you have been tasked with documenting the active QoS configuration at the branch router using the Cisco Router and Security Device Manager (SDM) utility. Using the SDM output from the Edit QoS Policy Tab in the Quality of Service Tasks under the Configure button, answer the following questions:

Question#1
Which DSCP value will the Branch router apply to voice traffic destined for the Central from the IP Phone on the local network?
A. 46 (ef)
B. 48 (cs6)
C. 50
D. 56 (cs7)
E. 70
Answer: A

Question#2
Which DSCP value will the Branch router apply to voice traffic destined for the IP Phone on the local network from the Central site?
A. 46 (ef)
B. 48 (cs6)
C. 50
D. 56 (cs7)
E. 70
Answer: B

Question#3
Which QoS model has been implemented on the Branch router by the SDM wizard for the various expected traffic types?
A. Best Effort
B. IntServ
C. DiffServ
D. Priority Queuing
Answer: C

Question#4
During periods of congestion which queuing method will be applied to outbound traffic on the Serial0/3/0 interface?
A. Low Latency Queuing
B. Class-based Weighted Fair Queuing
C. Weighted Round Robin
D. Round Robin
E. No queuing is applied to outbound traffic on this interface
Answer: A

12. This item contains several questions that you must answer. You can view these questions by clicking on the Questions button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the output and the topology, neither of which is currently visible.
To gain access to either the topology or the output, click on the button to left side of the screen that corresponds to the section you wish to access. When you have finished viewing the topology or the output, you can return to your questions by clicking on the Questions button to the left.
Law Solutions, Inc. is a large, worldwide law firm. Using the AutoQoS feature of IOS, the company recently implemented QoS policies at one of their Branch locations. As a recent addition to the network engineering team, you have been tasked with documenting the active QoS configuration at the branch router. Additionally, the firm is experiencing poor video quality with newly installed video-conferencing equipment. The video problems at the branch location seem to occur only during peak hours when some network congestion is expected. Using the show run output of the branch router, answer the following questions:

Question#1
Which DSCP value will the Branch router apply to video traffic destined for the Central site from the video equipment on the local network?
A. 8 (cs1)
B. 10 (af11)
C. 18 (af21)
D. 24 (cs3)
E. 46 (ef)
F. No value
Answer: E

Question#2
Which two statements most accurately identify what has caused the occasional poor video quality experienced by the Law Solutions, Inc.? (Choose two.)
A. Insufficient bandwidth is creating a bottleneck transiting from the FastEthernet0/0 to the Serial0/3/0 interface.
B. Auto-Discovery did not have an opportunity to detect the video traffic.
C. AutoQoS was implemented on the incorrect interface.
D. A policy matching DSCP value 46 (ef) was not applied on the outbound interface.
Answer: B,D

Question#3
Which QoS model has been implemented on the Branch router by Auto QoS for the various expected traffic types?
A. Best Effort
B. IntServ
C. DiffServ
D. Priority Queuing
Answer: C

Question#4
During periods of congestion, how has AutoQoS configured the router to facilitate outbound video traffic on the Serial0/3/0 interface?
A. Video traffic will be associated with the priority queue by using a DSCP value of 46 (ef).
B. Video traffic will be associated with the AutoQoS-Signaling-Se0/3/0 class and its related policy through use of the H.323 protocol.
C. Video traffic will only be queued on the local FastEthernet0/0 interface using a DSCP value of 45 (ef).
D. Video traffic will be associated with the "class-default" and use WFQ.
Answer: D

13. Exhibit:
This item contains several questions that you must answer. You can view these questions by clicking on the corresponding button to the left. Changing questions can be accomplished by clicking the numbers to the left of each question. In order to complete the questions, you will need to refer to the topology.
To gain access to the topology, click on the topology button at the bottom of the screen. When you have finished viewing the topology, you can return to your questions by clicking on the Questions button to the left.
Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.
Ferrous Plastics, Inc. is a medium sized company, with two locations connected through a serial WAN link. The WAN routers should be configured to only use NBAR to classify traffic through interface Fa0/1 prior to using low latency queuing on the outgoing interface s0/1/0. Recently configuration changes were made to the inter-connecting routers WAN-R1 and WAN-R2. The company is now experiencing QoS related problems which they believe are associated with these changes.
You have been asked to use supported show commands to identify the correct answer to questions that the network administrator has asked.
WAN-R1 Running Configuration (by typing “sh run”):
WAN-R2 Running Configuration (by typing “sh run”):

Question#1
Router WAN-R2 is not marking traffic correctly on Fa0/1 based on NBAR classification. Which of the following is correct?
A. Protocol discovery is applied to the incorrect interface
B. CEF is not configured
C. The service-policy is applied in the wrong direction
D. The service-policy configured on interface Fa0/1 should be policy1

Question#2
The network administrator has asked how FTP traffic is being classified on router WAN-R1. Which of the following is correct?
A. FTP traffic is marked correctly, but no other active protocols are marked correctly
B. FTP traffic is marked correctly based on NBAR classification
C. FTP traffic is marked correctly, but it is not using NBAR for classification
D. FTP traffic is not marked correctly based on NBAR classification as protocol discovery is applied to the incorrect interface
E. FTP traffic is not being marked because it is not included in a configured service-policy
Answer: B

Question#3
On router WAN-R1, which protocol is being marked as af21?
A. CITRIX
B. Exchange
C. FTP
D. HTTP
F. SQLNET
Answer: A

Question#4
On router WAN-R1, which protocol is being classified as mission critical?
A. CITRIX
B. Exchange
C. FTP
D. HTTP
E. SQLNET
Answer: E

14. Case
What will happen if the incoming mission-critical class traffic rate arriving at the fa0/0 interface is higher than the normal burst rate (CIR) but not exceeding the excess burst rate?
A. Dropped
B. Marked as AF31 then transmitted
C. Marked as AF32 then transmitted
D. Marked as AF33 then transmitted
E. Queued in the CBWFQ
Answer: C

Question#2
What will happen if the incoming bulk class traffic rate arriving at the fa0/0 interface is higher than the normal burst rate (CIR)?
A. Dropped
B. Marked as AF11 then transmitted
C. Marked as DSCP 0 then transmitted
D. Queued in the excess token bucket
E. Queued in the CBWFQ
Answer: A

Question#3
All traffic belonging to the class-default traffic class on the s0/0 interface will be queued by a class queue that uses which type of queuing?
A. FIFO
B. LLQ
C. WFQ
D. Round Robin
E. PQ
Answer: A

Question#4
Which type of traffic receives the least amount of guaranteed bandwidth when exiting the S0/0 interface?
A. ftp
B. http
C. telnet
D. citrix
E. sqlnet
Answer: A

Question#5
Which type of software queue is used on the s0/0 interface?
A. LLQ
B. CBWFQ
C. FIFO
Answer: B

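Cisco CCNA Certification Questions and Answers (Chinese Edition)

The Cisco certification exam consists of a written test and a lab.

The written test is taken at globally accredited test centers and lasts two hours.

The lab exam is held only at six sites designated by Cisco worldwide, located in the United States, Australia, Belgium, Japan, the New Century Hotel in Beijing, and Hong Kong.

The lab exam takes two days. On the first day, candidates are asked to build a network using the equipment the lab provides.

On the second day, the examiner deliberately breaks the candidate's network, and the candidate has to track down the faults and fix them.

Below are related exam questions gathered for reference and practice.

21. A class B network adds 5 mask bits to the default mask for subnetting. Each subnet can hold at most ( ) hosts.
(A) 510
(B) 512
(C) 1022
(D) 2046
Answer: D

22. On a router, which of the following commands displays the router's routing table? ( )
(A) arp -a
(B) traceroute
(C) route print
(D) display ip routing-table
Answer: D

23. Which address does a DHCP client use to request a new IP address? ( )
(A) 0.0.0.0
(B) 10.0.0.1
(C) 127.0.0.1
(D) 255.255.255.255
Answer: D
Note: 255.255.255.255 is the network-wide broadcast address; the DHCP client sends a network-wide broadcast to locate a DHCP server.

24. Which of the following statements about NAT are correct? ( )
(A) NAT is the abbreviation of the English term for "address translation", also called address conversion
(B) NAT is used to translate between private addresses and public network addresses
(C) When a host on the internal network accesses the external network, NAT is never needed
(D) The introduction of address translation offers an effective way to deal with the shortage of IP addresses
Answer: ABD

25. Which of the following is a valid host IP address? ( )
(A) 224.0.0.5
(B) 127.32.5.62
(C) 202.112.5.0
(D) 162.111.111.111
Answer: D
Note: This question is not very rigorous; the subnet mask should have been given.
A: 224.0.0.5 is a multicast address
B: 127.0.0.0 is reserved for testing
C: a network address

26. Which configuration switches to the backup interface 30 seconds after the main interface goes from up to down, and switches back to the main interface 60 seconds after the main interface goes from down to up? ( )
(A) standby timer 30 60
(B) standby timer 60 30
(C) standby timer enable-delay 60 disable-delay 30
(D) standby timer enable-delay 30 disable-delay 60
Answer: D

27. On an Ethernet, 30 PCs connect to the Internet through the s0 port of a Quidway R2501 router. The Quidway R2501 router is configured as follows:
[Quidway-Ethernet0]ip address 192.168.1.1 255.255.255.0
[Quidway-Ethernet0]quit
[Quidway]interface s0
[Quidway-Serial0]ip address 211.136.3.6 255.255.255.252
[Quidway-Serial0]link-protocol ppp
One PC has its default gateway set to 192.168.2.1. How will the router handle packets sent from this PC?
(A) The router considers packets from this PC to be outside its network segment and does not forward them
(B) The router automatically corrects this PC's IP address and forwards the packets
(C) The router drops the packets; the router then has to be restarted, and it corrects the misconfiguration automatically
(D) The router drops the packets and does nothing further; the PC's gateway has to be reconfigured to 192.168.1.1
Answer: D
Note: The PC's default gateway must point to the IP address of the router's Ethernet port.

28. The rate of an ISDN B channel is ( )
(A) 16kbps
(B) 64kbps
(C) 144kbps
(D) 2048kbps
Answer: B
Reference: The Integrated Services Digital Network (ISDN) consists of two parts, digital telephony and data transmission services, and the service is generally provided by the telephone company.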

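Introduction to Cisco Certification

Exam number: 640-802
Exam duration: 90 minutes
Number of questions: 50-60
Passing score: 825
Question types: simulations; a few matching questions; multiple-answer and single-answer multiple-choice questions.

The new version of the certification covers WAN connections; network security implementation; network types; network media; routing and switching principles; the TCP/IP and OSI reference models and other network fundamentals from the old CCNA. In addition, basic knowledge of wireless LANs has been newly added.

Beyond that, the new CCNA can be earned through either of the following two routes:
1. Pass the new 640-822 ICND1 (CCENT) course and the 640-816 ICND2 course
2. Pass the 640-802 composite certification course directly

Main topics of the new CCNA 640-802 exam:

1. Describe how a network works
♦ Describe the purpose and functions of the main network devices
♦ Select components according to network specification requirements
♦ Use the OSI and TCP/IP models and their associated protocols to explain how data is transmitted in a network
♦ Describe common network applications, including web applications
♦ Describe the purpose and basic operation of the protocols in the OSI and TCP models
♦ Describe the effect of network-based applications (voice over IP and video over IP)
♦ Interpret network topology diagrams
♦ Determine the network path between two hosts across a network
♦ Describe the structure of network and Internet communications
♦ Identify and correct common network faults at layers 1, 2, 3 and 7 using a layered-model approach
♦ Distinguish the role and characteristics of WANs and LANs

2. Configure, verify and troubleshoot VLANs and switches in a switched communication environment
♦ Select the appropriate media, cables, ports and connectors to connect switches to hosts or other network devices
♦ Explain Ethernet technology and media access control methods
♦ Explain the concepts of network segmentation and basic traffic management
♦ Explain basic switching concepts and the operation of Cisco switches
♦ Perform and verify initial switch configuration tasks, including remote access control
♦ Verify the operational status of the network and switches using basic utilities (including ping, traceroute, telnet, SSH, arp, ipconfig) and SHOW & DEBUG commands
♦ Identify, specify and resolve common switched-network media problems, configuration problems, autonegotiation and switch hardware failures
♦ Describe advanced switching technologies (including VTP, RSTP, VLAN, PVSTP, 802.1q)
♦ Describe how VLANs create logically separate networks and why routing between them is necessary
♦ Configure, verify and troubleshoot VLANs
♦ Configure, verify and troubleshoot trunking on Cisco switches
♦ Configure, verify and troubleshoot inter-VLAN routing
♦ Configure, verify and troubleshoot VTP
♦ Configure, verify and troubleshoot RSTP operation
♦ Determine the operational status of a Cisco switched network by interpreting the output of SHOW and DEBUG commands in various situations
♦ Implement basic switch security policies (including port security, trunk access, management of VLANs other than VLAN 1, and so on)

3. Implement an IP addressing scheme and IP services that meet network requirements in a medium-size company branch office network
♦ Describe the role and benefits of using private and public IP addresses
♦ Explain the role and advantages of DHCP and DNS
♦ Configure, verify and troubleshoot DHCP and DNS operation on a router (including CLI and SDM)
♦ Implement static and dynamic IP addressing services for hosts in a LAN environment
♦ Calculate and apply an IP addressing scheme in a network that supports VLSM (variable-length subnet masks)
♦ Use VLSM and address summarization to determine an appropriate classless addressing scheme that meets the addressing requirements of different LANs/WANs
♦ Describe the technical requirements for implementing IPv6 alongside an IPv4 network (including protocols, dual stack, tunneling)
♦ Describe IPv6 addresses
♦ Identify and correct common IP addressing and host configuration problems

4. Basic router operation, and configuring, verifying and troubleshooting routing on Cisco devices
♦ Describe basic routing concepts (including IP packet forwarding and route lookup)
♦ Describe the operation of Cisco routers (including the router boot process, the POST power-on self-test, and the router's physical components)
♦ Select the appropriate media, cables, ports and connectors to connect routers to other network devices and hosts
♦ Configure, verify and troubleshoot RIPv2
♦ Access the router and configure basic parameters (including CLI and SDM)
♦ Connect, configure and verify the operational status of device interfaces
♦ Verify device configuration and network connectivity using ping, traceroute, telnet, SSH and other commands
♦ Implement and verify static and default route configuration for given routing requirements
♦ Manage IOS configuration files (including save, edit, upgrade and restore)
♦ Manage Cisco IOS
♦ Compare different routing methods and routing protocols
♦ Configure, verify and troubleshoot OSPF
♦ Configure, verify and troubleshoot EIGRP
♦ Verify network connectivity (including using ping, traceroute, telnet, SSH and other commands)
♦ Troubleshoot routing faults
♦ Verify router hardware and software operation using show and debug commands
♦ Implement static router security

5. Explain and select the appropriate administrative tasks for a wireless LAN (WLAN)
♦ Describe the standards associated with wireless (including IEEE, Wi-Fi Alliance, ITU/FCC)
♦ Identify and describe the purpose of the components of a small wireless network (including SSID, BSS, ESS)
♦ Determine the basic configuration of wireless network devices to ensure that they connect to the correct access point
♦ Compare the features and capabilities of different wireless security protocols (including open, WPA, WEP-1/2)
♦ Recognize common problems in implementing wireless LANs (including interfaces, misconfiguration)

6. Identify network security threats and describe general methods to mitigate them
♦ Describe current network security threats and explain the need to implement a comprehensive security policy to reduce them
♦ Explain general methods to reduce security threats to network devices, hosts and applications
♦ Describe the functions of security appliances and application software
♦ Describe recommended security practices (including initial security configuration of network devices)

7. Implement, verify and troubleshoot NAT and ACLs in a small or medium-size enterprise branch office network
♦ Describe the purpose and types of ACLs
♦ Configure and apply ACLs based on network filtering requirements (including CLI and SDM)
♦ Configure and apply ACLs to limit telnet and SSH access to the router (including CLI and SDM)
♦ Verify and monitor ACLs in a network environment
♦ Troubleshoot ACLs
♦ Describe the basic operation of NAT
♦ Configure NAT for given network requirements (including CLI and SDM)
♦ Troubleshoot NAT

8. Implement and verify WAN connections
♦ Describe different ways of connecting to a WAN
♦ Configure and verify a basic WAN serial link
♦ Configure and verify Frame Relay on Cisco routers
♦ Troubleshoot WAN implementation faults
♦ Describe VPN (virtual private network) technology (including importance, benefits, impact, components)
♦ Configure and verify a PPP link between Cisco routers

or via 640-822 ICND1 (the new CCENT course) and 640-816 ICND2

6. Validity period of the CCNA certification
The CCNA certificate is valid for three years. To keep it valid, you must take a recertification exam before it expires; if you earn a higher-level Cisco certification within the three years, the validity period of the CCNA certification is renewed automatically.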

CCNA考试题

CCNA考试题

C C N A考试题(总9页) -CAL-FENGHAI.-(YICAI)-Company One1-CAL-本页仅作为文档封面,使用请直接删除第一部分:选择题1:提供可靠数据传输、流控的是OSI的第几层()A、表示层B、网络层C、传输层D、会话层E、链路层2:子网掩码产生在那一层()A、表示层B、网络层C、传输层D、会话层3:当路由器接收的IP报文的目的地址不是本路由器的接口IP地址,并且在路由表中未找到匹配的路由项,采取的策略是()A、丢掉该分组B、将该分组分片C、转发该分组D、以上答案均不对4:当一台主机从一个网络移到另一个网络时,以下说法正确的是()A、必须改变它的IP地址和MAC地址B、必须改变它的IP地址,但不需改动MAC地址C、必须改变它的MAC地址,但不需改动IP地址D、MAC地址、IP地址都不需改动5:ISO提出OSI的关键是()A、系统互联B、提高网络速度C、为计算机制定标准D、经济利益6:OSI参考模型按顺序有哪些层()A、应用层、传输层、网络层、物理层B、应用层、表示层、会话层、网络层、传输层、数据链路层、物理层C、应用层、表示层、会话层、传输层、网络层、数据链路层、物理层D、应用层、会话层、传输层、物理层7:LAN的拓扑形式一般以()为主。

A、总线型B、环型C、令牌环D、载波侦听与冲突检测CSMA/CD8:网段地址154.27.0.0的网络,若不做子网划分,能支持()台主机A、254B、1024C、65,534D、16,777,2069:路由器网络层的基本功能是()。

A、配置IP地址B、寻找路由和转发报文C、将MAC地址解释成IP地址10:选出基于TCP协议的应用程序()。

A、PINGB、TFTPC、TELNETD、OSPF11:某公司申请到一个C类IP地址,但要连接6个的子公司,最大的一个子公司有26台计算机,每个子公司在一个网段中,则子网掩码应设为()。

A、255.255.255.0B、255.255.255.128C、255.255.255.192D、255.255.255.22412:B类地址的缺省掩码是()。

CISCOCCNA网络工程师题库

CISCOCCNA网络工程师题库

培训大讲堂官方YY 频道:3660mCCNA题库考试代号: 640-802考试时间:英文110+30=140分钟通过分数: 825鸿鹄论坛招募CCNA、CCNP答疑讲师答疑地点:鸿鹄官方YY频道3660V104系列是官方的终结版本,以后不会再出V105 V106 V108等等========================================更新内容:增加5道新题,分别是519、520、521、522、523题修改176题、375题、443题、482题答案错误修改59题、88题、453题、107题、270题注释错误增加个别疑难拖图题注释,优化实验题=============================================QUESTION 1When you are logged into a switch, which prompt indicates that you are in privileged mode(当您登录到交换机,哪种提示表明你在特权模式?)A. %B. @C. >D. $E. #Answer: ESection: Chapter 4: Introduction to Cisco IOSExplanation/Reference:特权模式就是#提示符QUESTION 2Which command shows system hardware and software version information(哪些命令显示系统硬件和软件的版本信息?)A. show configurationB. show environmentC. show inventoryD. show platformE. show versionAnswer: ESection: Chapter 4: Introduction to Cisco IOSExplanation/Reference:查看系统的软件和硬件信息使用的命令是show versionQUESTION 3Cisco Catalyst switches CAT1 and CAT2 have a connection between them using ports FA0/13. An 802. 1Q trunk is configured between the two switches. On CAT1, VLAN 10 is chosen as native, but on CAT2 the(思科Catalyst 交换机CAT1 和CAT2 有它们之间的连接使用端口FA0/13。

CCNA大综合实验 绝对好题,含答案

CCNA大综合实验 绝对好题,含答案

CCNA大综合实验环境背景中小型企业.有两个部门,销售部(vlan 10)与行政部(vlan 20).同部门之间采用二层交换网络相连;不同部门之间采用单臂路由方式互访.企业有一台内部web服务器,承载着内部网站,方便员工了解公司的即时信息.局域网路由器启用多种路由协议(静态路由、动态路由协议),并实施路由控制、负载均衡、链路认证、访问限制等功能.企业有一条专线接到运营商用以连接互联网,采用Frame-Relay封装,需要手工设置DLCI与IP的映射.由于从运营商只获取到一个公网IP地址,所以企业员工上网需要做NAT网络地址转换.PS:由于实验需要涵盖CCNA所有知识点,所以设计的验环境与现实工程考虑并不完全一致.一.Basic基础配置按照拓扑搭建网络:1.为R1/R2/R3/R4/Sw1/Sw2命名.2.在Sw1/Sw2上设置特权密文密码cisco.关闭远程访问登陆密码.3.配置R1的F0/0,S0/0接口.4.配置R2的F0/0,S0/0接口.5.配置R3的F0/0,F0/1接口.6.配置R4的F0/0,F0/1接口.7.配置PC1/PC2/PC3/PC4/Server的IP地址以及默认网关.(R4/R5的S0/0接口、R1的、R3的接口先不配置)二、交换部分1. [Trunk]Sw1与Sw2的F0/11,F0/12接口封装为Trunk.2. [STP]观察生成树:指出哪个Switch是根桥;哪个接口是根端口;哪个接口是指定端口;哪个接口是非指定端口.请用PT的注释功能在拓扑相应地方标记.(标记题)3. [Etherchannel]做Etherchannel捆绑Sw1与Sw2的F0/11,F0/12接口.要求使用Cisco PAGP协议中的主动协商模式.4. [VTP]在Sw1与Sw2上配置VTP, 域名为作为Server;Sw2作为Client,设置密码为cisco.5. [VLAN]创建vlan 10,命名为sales; vlan 20,命名为Admin.并把相应的接口划分到所属vlan中.6. [管理vlan/访问控制]在Sw1上设置管理vlan 10,地址为192.168.1.10/24; 管理vlan 20,地址为做ACL访问控制,要求只有PC1/PC2可以远程访问Sw1.7.[单臂路由]配置单臂路由:vlan 10以R1的作为出口网关;vlan 20以R3的作为出口网关.三.路由部分[路由部分必须每完成一步检查现象]1. [默认路由]在R4上配置默认路由,出口指向运营商.2. [RIP]在R1/R2/R3/R4上配置RIPv2(关闭自动汇总),使得全网互通[R4与运营商R5的S0/0接口不宣告].3. [等价负载均衡]在R1上观察去往网络的等价负载均衡现象,请写出实现RIP负载均衡的条件,RIP的Metric是什么.(简答题1)4. [路由控制/浮动静态路由]在R1上为网络配置浮动静态路由,权值为119,要求所走路径为R1-R4-R3.5. [OSPF]在R1/R2/R3/R4上配置单区域(area 0)OSPF,使得全网互通[R4与运营商R5的S0/0接口不宣告].6. [OSPF]观察R1/R2/R3/R4路由表协议标识:现在是通过什么协议学习到路由信息?为什么?请写出.(简答题2)7. [OSPF]在R1/R2的串行链路上做OSPF链路认证,密码为cisco.8. [OSPF]在R1上观察去往网络只有一条路径.指出是哪一条路径?为什么只有这一条路径?OSPF的Metric是什么?(简答题3)9. [OSPF]在R1上实现去往网络的负载均衡.10. [EIGRP]在R1/R2/R3/R4上配置EIGRP(关闭自动汇总),使得全网互通.要求使用反掩码宣告准确的接口地址[R4与运营商R5的S0/0接口不宣告].11. [EIGRP-非等价负载均衡]在R1上实现去往网络的非等价负载均衡.12. [ACL]在R1上做ACL访问限制:所有用户都可以ping通Server; 除PC1和PC4以外,其他用户都可以访问内部网站.至此:内网PC全部互联,PC2/PC3可以访问内部网站三.广域网部分1.[PPP]R1/R2的串行链路封装为PPP,做PAP认证.R1为R2创建用户名BBB,密码为222;R2为R1创建用户名AAA,密码为111.2. [Frame-Relay]在R4/R5上配置Frame-Relay.要求使用静态匹配方式.R5使用PVC 504,R4使用类型使用Ansi.3. [OSPF]在R4上做OSPF默认路由宣告(default-information originate),使得其他OSPF路由器得知有一默认路由指向运营商.4. 
[NAT]在R4上配置NAT,使得企业内部所有PC都能上网(ping通运营商的200.1.1.2), Server不能连接外网最终效果:内网PC全部互联,PC2/PC3可以访问内部网站.内网PC全部能上网(ping通运营商的200.1.1.2)参考答案:一.Basic基础配置1. 为R1/R2/R3/R4/Sw1/Sw2命名.(略)2. 在Sw1/Sw2上设置特权密文密码cisco.关闭远程访问登陆密码.Sw1/Sw2#config terminalSw1/Sw2(config)#enable secret cisco /密文密码Sw1/Sw2(config)#line vty 0 15Sw1/Sw2(config-line)#no login /关闭远程密码功能3. 配置R1的F0/0,S0/0接口. (略)4. 配置R2的F0/0,S0/0接口. (略)5. 配置R3的F0/0,F0/1接口. (略)6. 配置R4的F0/0,F0/1接口. (略)7. 配置PC1/PC2/PC3/PC4/Server的IP地址以及默认网关. (略)二.交换部分1. [Trunk]Sw1与Sw2的F0/11,F0/12接口封装为Trunk.Sw1/Sw2(config)#interface range f0/11 – 12Sw1/Sw2(config-if-range)#switchport mode trunk2. [STP]观察生成树:指出哪个Switch是根桥;哪个接口是根端口;哪个接口是指定端口;哪个接口是非指定端口.请用PT的注释功能在拓扑相应地方标记.(标记题)a. 根桥的条件:一个交换网络中,Bridge-ID最小的交换机成为根桥.Bridge-ID组成: 优先级+MAC地址.可以show spanning-tree查看.b. 选择根端口:根端口是非根桥去往根桥cost最小的端口,每个非根桥上有且只有一个根端口.c. 选择指定端口:指定端口是每段链路去往根桥cost最小的端口,每段链路上有且只有一个指定端口.d. 选择非指定端口:最后选剩下的就是非指定端口.非指定端口不转发数据.3. [Etherchannel]做Etherchannel捆绑Sw1与Sw2的F0/11,F0/12接口.要求使用Cisco PAGP协议中的主动协商模式.Etherchannel端口间协商使用PAGP(Port Aggregation Protocol,cisco专有)或LACP (Link Aggregation Control Protocol,802.3AD ) PAGP的三种模式:• desirable 表示该端口会主动发PAGP数据包与对端进行协商• auto 表示该端口不会主动发PAGP数据包与对端进行协商• on 表示强制将该端口加入etherchannel,不需用PAGP协议与对端进行协商LACP的两种模式:• active 表示该端口会主动发LACP数据包与对端进行协商• passive 表示该端口不会主动发LACP数据包与对端进行协商Sw1/2(config)#interface range f0/11 – 12Sw1/2(config-if-range)#channel-group 1 mode desirable检查命令:Sw1/2#show ip interface brief4. [VTP]在Sw1与Sw2上配置VTP, 域名为作为Server;Sw2作为Client,设置密码为cisco.Sw1(config)#vtp domain CCNA /VTP域名Sw1(config)#vtp mode server /VTP模式Sw1(config)#vtp password cisco /VTP密码Sw2(config)#vtp domain CCNASw2(config)#vtp mode clientSw2(config)#vtp password cisco检查命令: Sw1/2#show vtp status Sw1/2#show vtp password5. 
[VLAN]创建vlan 10,命名为sales; vlan20命名为Admin.并把相应的接口划分到所属vlan中.Sw1(config)#vlan 10Sw1(config-vlan)#name salesSw1(config)#vlan 20Sw1(config-vlan)#name AdminSw1/2(config)#int f0/1Sw1/2(config-if)#switchport mode accessSw1/2(config-if)#switchport access vlan 10Sw1/2(config)#int f0/2Sw1/2(config-if)#switchportmode accessSw1/2(config-if)#switchport access vlan 206. [管理vlan/访问控制]在Sw1上设置管理vlan 10,地址为192.168.1.10/24;管理vlan 20,地址为做ACL访问控制,要求只有PC1/PC2可以远程访问Sw1.Sw1(config)#interface vlan 10Sw1(config)#interface vlan 20line vty 0 15access-class 1 in7. [单臂路由]配置单臂路由:vlan 10以R1的作为出口网关;vlan 20以R3的作为出口网关.Sw1/3(config)#int f0/3Sw1/3(config-if)#switchportmode trunkR1(config)#interface f1/0R1(config-if)#no shutdownR1(config)#intR1(config-subif)#encapsulation dot1Q 10R3(config)#interface f1/0R3(config-if)#no shutdownR3(config)#int /子接口不需要开启R3(config-subif)#encapsulation dot1Q 20三.路由部分[路由部分必须每完成一步检查现象]1. [默认路由]在R4上配置默认路由,出口指向运营商.R4(config)#ip route 0.0.0.0 0.0.0.0 s0/02. [RIP]在R1/R2/R3/R4上配置RIPv2(关闭自动汇总),使得全网互通[R4与运营商R5的S0/0接口不宣告].R1(config)#router ripR1(config-router)#version 2R1(config-router)#no auto-summaryR2(config)#router ripR2(config-router)#version 2R2(config-router)#no auto-summaryR3(config)#router ripR3(config-router)#version 2R3(config-router)#no auto-summaryR4(config)#router ripR4(config-router)#version 2R4(config-router)#no auto-summary3. [等价负载均衡]在R1上观察去往网络的等价负载均衡现象,请写出实现RIP负载均衡的条件,RIP的Metric是什么. (简答题1)RIP负载均衡的条件是两条路径到达目标网络具有相同跳数.RIP的Metric是跳数.4. [路由控制/浮动静态路由]在R1上为网络配置浮动静态路由,权值为119,要求所走路径为R1-R4-R3.R1(config)#ip route 192.168.2.0 255.255.255.0 f0/0 1195. 
[OSPF]在R1/R2/R3/R4上配置单区域(area 0)OSPF,使得全网互通[R4与运营商R5的S0/0接口不宣告].R1(config)#router ospf 1R1(config-router)#network 10.0.0.0 0.255.255.255 area 0R1(config-router)#network 172.16.1.1 0.0.0.0 area 0R1(config-router)#network 192.168.1.0 0.0.0.255 area 0R2(config)#router ospf 1R2(config-router)#network 10.0.0.0 0.255.255.255 area 0R3(config)#router ospf 1R3(config-router)#network 10.0.0.0 0.255.255.255 area 0R3(config-router)#netowrk 172.16.2.3 0.0.0.0 area 0R3(config-router)#network 192.168.2.0 0.0.0.255 area 0R4(config)#router ospf 1R4(config-router)network 172.16.0.0 0.0.255.255 area 06. [OSPF]观察R1/R2/R3/R4路由表协议标识:现在是通过什么协议学习到路由信息?为什么?请写出. (简答题2)现在是通过OSPF学习到的路由信息.因为OSPF的管理距离是110,比RIP的120,还有浮动静态路由的119权值都要低.所以优选OSPF.7. [OSPF]在R1/R2的串行链路上做OSPF链路认证,密码为cisco.R1/2(config)#int s0/0R1/2(config-if)#ip ospf authentication-key cisco /设密码R1/2(config-if)#ip ospf authentication /启用认证8. [OSPF]在R1上观察去往网络只有一条路径.指出是哪一条?为什么只有这一条路径?OSPF的Metric是什么? (简答题3)OSPF中从R1去往网络的路径是R1-R4-R3.因为R1与R4之间链路是100M链路,而R1与R2之间的链路是的串行链路.所以R1-R4-R3的cost值要比R1-R2-R3的cost值小.因此,OSPF中R1去往网络只有一条路径,优选的Metric是cost.9. [OSPF]在R1上实现去往网络的负载均衡.OSPF只支持等价负载均衡,要想实现去往网络的负载均衡,需要把OSPF两条路径的cost值设置为相同.有两种方法:①修改接口带宽计算值.cost=参考带宽/接口带宽,参考带宽不变,修改R1S0/0的接口带宽计算值R1(config)#int s0/0R1(config-if)# bandwidth 100000 /修改带宽为100M,与F0/0接口带宽一致.注意此带宽并非修改物理带宽.只是用于计算Metric值.②直接修改接口的cost值R1(config)#int s0/0R1(config-if)#ip ospf cost 1 / F0/0口的cost值是1,所以需要把s0/0口的cost也改为1.两种方法都可以,建议使用第一种.因为以下需求所作EIGRP不等价负载均衡也需要修改接口带宽计算值.10. [EIGRP]在R1/R2/R3/R4上配置EIGRP(关闭自动汇总),使得全网互通.要求使用反掩码宣告准确的接口地址[R4与运营商R5的S0/0接口不宣告].R1(config)#router eigrp 1R1(config-router)#no auto-summaryR2(config)#router eigrp 1R2(config-router)#no auto-summaryR3(config)#router eigrp 1R3(config-router)#no auto-summaryR4(config)#router eigrp 1R4(config-router)#no auto-summaryPS:使用反掩码准确宣告接口地址.11. 
[EIGRP-非等价负载均衡]在R1上实现去往网络的非等价负载均衡.由于FS的FD远远大于Successor的FD,即使使用最大阀值variance 128也无法实现不等价负载均衡.所以,必须缩小FS在EIGRP拓扑表中的Metric值.可以通过修改R1的s0/0接口带宽计算值来实现.(OSPF部分已经把s0/0接口的带宽计算值改为100M)R1#show ip eigrp topology可以查看FS与Successor的FD.计算出来variance为17就可实现EIGRP不等价负载均衡.R1(config)#router eigrp 1R1(config-router)# variance 1712. [ACL]在R1上做ACL访问限制:所有用户都可以ping通Server; 除PC1和PC4以外,其他用户都可以访问内部网站.R1(config)#access-list 100 deny host 192.168.1.1 host 10.10.10.10 eq 80 /拒绝访问的TCP 80号端口.R1(config)#access-list 100 deny host 192.168.2.2 host 10.10.10.10 eq 80 /拒绝访问的TCP 80号端口.R1(config)#access-list 100 permit ip any any /允许其他所有的IP流量.R1(config)#int f0/1R1(config-if)# ip access-group 100 out有人会先写上access-list 100 permit icmp XXXXXXX, 其实没有必要,最后permit ip any any就不会影响其他流量.至此:内网PC全部互联,PC2/PC3可以访问内部网站.三.广域网部分1. [PPP]R1/R2的串行链路封装为PPP,做PAP认证.R1为R2创建用户名BBB,密码为222;R2为R1创建用户名AAA,密码为111. R1(config)#username BBB password 222R2(config)#username AAA password 111R1(config)#int s0/0R1(config-if)#encapsulation pppR1(config-if)#ppp authentication papR1(config-if)#ppp pap sent-username AAA password 111R2(config)#int s0/0R2(config-if)#encapsulation pppR2(config-if)#ppp authentication papR2(config-if)#ppp pap sent-username BBB password 2222. [Frame-Relay]在R4/R5上配置Frame-Relay.要求使用静态匹配方式.R5使用PVC 504,R4使用类型使用Ansi.R4(config)#int s0/0R4(config-if)#encapsulation frame-relayR4(config-if)#frame-relay map ip 200.1.1.2 405 broadcastR4(config-if)#frame-relay lmi-type ansiR5(config)#int s0/0R5(config-if)#encapsulation frame-relayR5(config-if)#frame-relay map ip 200.1.1.1 504 broadcastR5(config-if)#frame-relay lmi-type ansi如已存在动态map,可用clear frame-relay inarp刷新匹配表无法关闭FR的动态学习功能.3. [OSPF]在R4上做OSPF默认路由宣告(default-information originate),使得其他OSPF路由器得知有一默认路由指向运营商.R4(config)#router ospf 1R4(config-router)#default-information originate/检查R1/2/3上路由表有路由,说明默认宣告成功.4. 
[NA T]在R4上配置NA T,使得企业内部所有PC都能上网(ping通运营商的200.1.1.2), Server不能连接外网.R4(config)#access-list 1 permit anyR4(config)#ip nat inside source list 1 int S0/0 overloadR4(config)int range f0/0 – 1R4(config-if-range)#ip nat insideR4(config)#int s0/0R4(config-if)#ip nat outside测试:在PC1/2/3/4和Server上ping一下运营商的地址最终效果:内网PC全部互联,PC2/PC3可以访问内部网站.内网PC全部能上网(ping通运营商的200.1.1.2)。
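The first-match behaviour behind the ACL 100 remark in routing step 12, as an added example that is not part of the original answer key: a small Python evaluator run over the three entries, written with the tcp keyword that eq 80 needs. PC2's address 192.168.1.2 is an assumption, since the page does not give it.

```python
# ACL 100 from routing step 12, in configured order:
# (action, protocol, source, destination, destination port or None).
ACL_100 = [
    ("deny",   "tcp", "192.168.1.1", "10.10.10.10", 80),
    ("deny",   "tcp", "192.168.2.2", "10.10.10.10", 80),
    ("permit", "ip",  "any",         "any",         None),
]

SERVER = "10.10.10.10"
PC1 = "192.168.1.1"
PC2 = "192.168.1.2"   # assumed address; the page does not list PC2's IP


def _addr_match(rule_addr, addr):
    """'any' matches every address; otherwise the entry is a host match."""
    return rule_addr == "any" or rule_addr == addr


def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry (top-down, first match wins)."""
    for action, r_proto, r_src, r_dst, r_port in acl:
        if r_proto != "ip" and r_proto != proto:
            continue          # 'ip' covers tcp, udp and icmp alike
        if not (_addr_match(r_src, src) and _addr_match(r_dst, dst)):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"             # implicit deny that ends every ACL


def lab_results(acl):
    """Evaluate the three flows the lab task cares about."""
    return {
        "PC1 ping": evaluate(acl, "icmp", PC1, SERVER),
        "PC1 web": evaluate(acl, "tcp", PC1, SERVER, 80),
        "PC2 web": evaluate(acl, "tcp", PC2, SERVER, 80),
    }


if __name__ == "__main__":
    print("as configured:       ", lab_results(ACL_100))
    # Without the final permit, the implicit deny blocks ping as well.
    print("without final permit:", lab_results(ACL_100[:2]))
    # With the permit placed first, the two deny entries are never reached.
    print("permit moved first:  ", lab_results([ACL_100[2]] + ACL_100[:2]))
```

The second and third calls show the two ways this ACL goes wrong in practice: dropping the final permit blocks everything, and placing it first lets PC1 reach the website.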

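CCNP test questions and answers

1. In the CCNP certification, which of the following statements about VLANs is correct?
A. A VLAN divides switch ports into multiple broadcast domains
B. A VLAN divides router ports into multiple broadcast domains
C. A VLAN divides wireless access points into multiple broadcast domains
D. A VLAN divides servers into multiple broadcast domains
Answer: A

2. On Cisco network devices, which command is used to create a new VLAN?
A. `switchport mode access`
B. `switchport mode trunk`
C. `vlan database`
D. `configure terminal`
Answer: C

3. Which of the following protocols is used to route between different VLANs?
A. EIGRP
B. OSPF
C. RIP
D. VTP
Answer: A

4. On a Cisco device, how do you configure an interface in trunk mode?
A. `switchport mode access`
B. `switchport mode trunk`
C. `interface vlan 1`
D. `interface fastethernet 0/1`
Answer: B

5. Which of the following commands is used to view VLAN information on a Cisco device?
A. `show vlan`
B. `show interfaces`
C. `show ip interface brief`
D. `show running-config`
Answer: A

6. In the CCNP exam, which of the following statements about the EIGRP protocol is incorrect?
A. EIGRP is a distance-vector routing protocol
B. EIGRP uses the DUAL algorithm to calculate the shortest path
C. EIGRP supports VLSM and CIDR
D. EIGRP is available only on Cisco devices
Answer: D

7. On a Cisco device, how do you configure EIGRP automatic summarization?
A. `router eigrp 100`
B. `no auto-summary`
C. `ip summary-address eigrp 100 0.0.0.0 0.0.0.0`
D. `metric weights 0 1 1 1 0 0 0 1`
Answer: C

8. Which of the following commands is used to view EIGRP neighbors on a Cisco device?
A. `show ip eigrp neighbors`
B. `show ip ospf neighbors`
C. `show ip rip neighbors`
D. `show ip eigrp interface`
Answer: A

9. In the CCNP exam, which of the following statements about the OSPF protocol is correct?
A. OSPF is available only on Cisco devices
B. OSPF uses the RIP algorithm to calculate the shortest path
C. OSPF supports VLSM and CIDR
D. OSPF uses broadcasts to discover neighbors
Answer: C

10. On a Cisco device, how do you configure the OSPF Hello and Dead intervals?
A. `ip ospf hello-interval 10`
B. `ip ospf dead-interval 40`
C. `timers 10 40`
D. `ospf hello-interval 10 dead-interval 40`
Answer: C

Closing note: these are the CCNP test questions and answers; we hope they help with your study and preparation.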

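Big collection of CCNP question banks

A big collection of CCNP question banks, fully searchable and very easy to look things up in.

(Question banks continuously updated) 互联神州 test CCNP 825 845 892 latest question banks, printable, updated September 29: /thread-26194-1-1.html
Latest 642-901 v 3.10 (353 questions): /thread-40433-1-1.html
642-825 brand-new P4S3.10, upload complete: /thread-43635-1-1.html
Latest, April 10, 2008, pass4sure 8923.23: /thread-35203-1-1.html
845 new-version P4S 217Q: /thread-31290-1-2.html
892 with Chinese explanations: /thread-32344-1-2.html
(Follow) Summary of the question banks used by the many forum members who recently took the NP exams (892__845__825): /thread-31157-1-3.html
642_892P4A3.23 exam question bank, summary of experience (including all labs and CASE questions): /thread-35484-1-3.html
Updated February 21, 2008: latest new CCNP Pass4sure (P4S) download thread (642-901, 812, 825, 845, 892): /thread-10901-1-5.html
642-892 pass4sure 2.93 revised edition: /thread-30046-1-7.html
March testinside p4s ccna&ccnp complete question banks: /thread-32576-1-8.html
TestKing (TK) 642-901 v12 (updated July 12, 2007): /thread-23115-1-11.html
CCNP 642-845 exam: solutions to some CASE questions and multiple-choice questions (all summarized from the experience of forum members who took the exam): /thread-34853-1-12.html
642-845 latest P4Sv3.10_312Q: /thread-38915-1-21.html
642-825 P4S2.93 exam experience summary (including all CASE questions): /thread-35483-1-21.html
P4S 642-845 2.95 printable PDF edition: /thread-35447-1-3.html
892 P4 2.93 unencrypted version: /thread-28916-1-7.html
642_892p4s3.27: /thread-40501-1-7.html
March 2008 testinside p4s ccna&ccnp complete question banks: /thread-32576-1-8.html
Pass4sure+642-812+3[1].10: /thread-40683-1-1.html
642-901 P4S.3.83 question bank: /thread-42299-1-1.html
642-812 pass4side3.57: /thread-42942-1-1.html
Exam report covering 8 new questions and the case: /thread-43032-1-5.html
642-845 p4s, 109 questions: /thread-42314-1-4.html
How to solve the problem of Pass4sure 3.10 requiring an order number: /thread-43789-1-1.html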

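Cisco certification exam question bank

CCNA 640-802 V13 question bank, question analysis. Question bank explained by: 吴老师 (艾迪飞 CCIE Lab), first-release website:

1. What are two reasons that a network administrator would use access lists? (Choose two.)
A. to control vty access into a router
B. to control broadcast traffic through a router
C. to filter traffic as it passes through a router
D. to filter traffic that originates from the router
E. to replace passwords as a line of defense against security incursions
Answer: AC
Explanation: applying an ACL under the VTY lines controls the telnet traffic coming in through the VTY lines. An ACL can also filter traffic passing through a router.

2. A default Frame Relay WAN is classified as what type of physical network?
A. point-to-point
B. broadcast multi-access
C. nonbroadcast multi-access
D. nonbroadcast multipoint
E. broadcast point-to-multipoint
Answer: C
Explanation: by default, Frame Relay is a nonbroadcast multi-access link. However, its network type can also be changed by using subinterfaces.

3. Refer to the exhibit. How many broadcast domains exist in the exhibited topology?
A. one
B. two
C. three
D. four
E. five
F. six
Answer: C
Explanation: this is a question about broadcast domains. By default a switch cannot separate broadcast domains, so all switches in the same area are in the same broadcast domain. To reduce the harm done by broadcasts and confine them to a smaller scope, the concept of the VLAN was introduced. A VLAN is a virtual LAN, and its purpose is to isolate broadcasts.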

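The best CCNA lab exercises

CCNA Lab Guide
Technology makes dreams come true; attitude decides everything!
Cisco 640-802 Cisco Certified Network Associate
Chief editors: 孙通刘监旗宋家伟杨晓烨顾杰朱晓邓敏姚世通杨振宇
March 1, 2010
Technical exchange QQ group: 12580312 (reserved for the enterprise networking training team)

Preface

This lab guide is for students of the computer network technology program at 无锡立信职教中心校.

Because CDP, EIGRP and similar protocols are Cisco-proprietary and not generally applicable, this lab guide treats them only in simplified form.

The labs do not show the output of ping, show and similar commands, mainly because some students are put off when they see a single lab running to several pages. In fact there are not many commands to type. The aim of this book is to cover the labs in the greatest detail on the fewest pages.

Most of the PT lab files that accompany this tutorial have already been configured. Before doing a lab, use the command erase startup-config and then reload to clear the configuration.

Recommended forums for technical study: CHINAITLAB NET130 56CTO 51CTO 菊花ciscohuawei 91lab 誉天

孙通 2010.4.7

CCIE quotes 1

Some say we are a bunch of fools
Some say we are a group of wise men
Some say we are a band of gamblers
Some say we are a band of warriors
In fact we are simply this kind of people
We are people unwilling to be mediocre or idle
We are people unafraid of setbacks and failure
We are people who accept challenges for our ideals
We are people who work desperately hard for our careers
No matter what others called us in the past or call us now
We will not mind, dare not mind, and have even less right to mind
Because after all we have not yet succeeded
But we firmly believe that in the near future
We will make the world remember us: we are the legendary CCIE!!!
For the CCIE, we gave up comfortable jobs
Left our former sweethearts
Left behind our aging parents
And came alone to another unfamiliar city
On countless pitch-dark nights, we fought alone
In dim, damp basements, we endured hardship to steel ourselves
In noisy labs, we honed our skills against switches
On romantic Valentine's nights, we snuggled up to TCP/IP
We have suffered and been exhausted, but never regretted it
We have been hurt and felt pain, but never backed down
Along the way, we have long since learned how steel is tempered
We silently accept trials and hardship, without complaint or regret
Looking forward only to the day when we can shout to the world
We are the legendary CCIE!!!

CCIE quotes 2

✧ Today the CCIE stands not only for an expert in the networking industry but also for a spirit, a concentrated expression of a person's overall qualities; the process of becoming a CCIE is more like an arduous journey of struggle mixed with tears and sweat.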

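CCNP exam experience

CCNP exam summary and reflections

The tense and exciting Cisco CCNP (Route and Switch) certification exams have finally come to a close. They took six months in total. Here are my scores for the three exams:
CCNP ROUTE (642-902): 815 points
CCNP SWITCH (642-813): 934 points
CCNP TSHOOT (642-832): 1000 points

Overall, the CCNP exams are fairly easy, although the number of questions is on the high side, especially in the routing part; what they mainly test is a person's patience and perseverance! Persistence is what counts. I remember someone once saying: "If you never push yourself, you will never know how strong you are!"

Without further ado, here are some of my experiences and methods from taking the NP exams, for reference only (*^__^*) hee hee...

First, the CCNP ROUTE (642-902) routing part:

1> Personally I think the routing part is the easiest. Although it is the exam where I scored lowest, everyone who has taken it knows that the routing question bank contains a great many questions, and memorizing them is very hard and very tiring. But when you sit the exam you find that it really is very simple.

My method for memorizing the question bank is much the same as most people's. The first thing to tackle is of course the multiple-choice questions, which are the most numerous: the NP routing exam has 380 multiple-choice questions in total, all in English. No explanation needed; it is an American product, after all! My method for memorizing these 380 questions follows the categories the question bank itself provides. First memorize the first part, Routing. Do not go straight to reading the question bank (the PDF file); open it from here and work downward part by part in the order shown. After memorizing everything, go back and look over it all once, then tick every part and do the whole set once. Do not worry about how many points you score; what matters is the questions you got wrong. After clicking End Exam to submit, open Retake at the lower left and you will see the part circled in red below, which is the questions you got wrong. Remember to do the wrong questions over and over. When your accuracy reaches 95% or more (across all the multiple-choice questions together) in no more than 40 minutes, the multiple-choice questions are OK and you can move on to the drag-and-drop questions.

(This method of mine only suits people in a hurry to get the certificate. If you want to fully understand every question, I suggest going to 鸿鹄论坛 and downloading the corresponding solution videos, watching and taking notes as you go.)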


You only need to enter global configuration mode on R1 and configure the following commands:
en
conf t
aaa new-model
aaa authen login default local
aaa authen login sshlogin group tacacs+ [name] choose whatever name you like
tacacs-server host x.x.x.x key xxxxx
line con 0
login authen default
line aux 0
login authen default
exit
line vty 0 15
login authen sshlogin
exit
copy run start
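Verification:
1: Log in to R2. The username and password are given; I remember them being something like BDnet2 Wer#1. Then, without configuring anything, SSH straight to R1's interface IP using the account and password already provided.
2: On R1, use exit to leave the console. You are then asked for a username and password to log in again; I remember them being BDnet1 Wer#1.
3: For the name part, enter whatever you want to use, for example sshlogin, ccnp, cisco123 and so on; it is only a name. However, whatever name you use in aaa authen login <name> group tacacs+ is the name that login authen <name> under line vty 0 15 has to match.

Also, for the vty lines, it is best to type "?" at the end to see how many there are; in any case, mine was still 0 - 15.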
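The name-matching rule in verification note 3, as an added Python check that is not part of the original lab notes: it reads an IOS-style configuration, collects the aaa authentication login lists, and reports every line block whose login authentication names an undefined list or a list that relies on a server group with no fallback method. The sample configuration is constructed from the steps above; the split vty range and the ccnp reference are added for illustration.

```python
import re

# Constructed sample modelled on the R1 steps above, written with the full
# keywords that the abbreviated commands expand to. The vty range is split in
# two so that one block references a list name that was never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login sshlogin group tacacs+
tacacs-server host x.x.x.x key xxxxx
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 login authentication sshlogin
line vty 5 15
 login authentication ccnp
"""


def parse_method_lists(config):
    """Map each login method-list name to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        tokens, methods = m.group(2).split(), []
        while tokens:
            tok = tokens.pop(0)
            # "group tacacs+" is a single method made of two words.
            methods.append(f"group {tokens.pop(0)}" if tok == "group" and tokens else tok)
        lists[m.group(1)] = methods
    return lists


def audit_line_logins(config):
    """Return (line block, list name, finding) for every problem found."""
    lists, findings, current = parse_method_lists(config), [], None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
        elif raw and not raw[0].isspace():
            current = None            # a top-level command ends the line block
        m = re.match(r"\s+login authentication (\S+)", raw)
        if not (m and current):
            continue
        name = m.group(1)
        if name not in lists:
            findings.append((current, name, "undefined method list"))
        elif len(lists[name]) == 1 and lists[name][0].startswith("group "):
            findings.append((current, name, "server group only, no fallback method"))
    return findings


if __name__ == "__main__":
    for block, name, finding in audit_line_logins(SAMPLE_CONFIG):
        print(f"{block}: {name}: {finding}")
```

The "no fallback" finding matters when the TACACS+ server is unreachable: a list that names only the server group has no further method to try, so logins on that line fail until the server is back.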
