Exam 200-301
Question 1060

SIMULATION

Guidelines

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.

• Refer to the Topology tab to access the device console(s) and perform the tasks.

• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.

• All necessary preconfigurations have been applied.

• Do not change the enable password or hostname for any device.

• Save your configurations to NVRAM before moving to the next item.

• Click Next at the bottom of the screen to submit this lab and move to the next question.

• When Next is clicked the lab closes and cannot be reopened.

Topology

Tasks

Refer to the topology. All physical cabling is in place. Configure a local user account, a Named ACL (NACL), and security.

Task 1

Configure a local account on Sw101 with telnet access only on virtual ports 0-4. Use the following information:

• Username: support

• Password: max2learn

• Privilege level: Exec mode

Task 2

Configure and apply a single NACL on Sw101 using the following:

• Name: ENT_ACL

• Restrict only PC2 on VLAN 200 from pinging PC1

• Allow only PC2 on VLAN 200 to telnet to Sw101

• Prevent all other devices from telnetting from VLAN 200

• Allow all other network traffic from VLAN 200

Task 3

Configure security on interface Ethernet 0/0 of Sw102:

• Set the maximum number of secure MAC addresses to four.

• Drop packets with unknown source addresses until the number of secure MAC addresses drops below the configured maximum value. No notification action is required.

• Allow secure MAC addresses to be learned dynamically.

    Correct Answer:

Discussion
Junior_Network

1) SW101:
    username support privilege 1 (or 15, question is not clear) password max2learn
    line vty 0 4
    login local
    transport input telnet
2) SW101:
    ip access-list extended ENT_ACL
    deny icmp host 192.168.200.10 host 192.168.100.10
    permit tcp host 192.168.200.10 any eq 23
    permit tcp any any eq 23
    permit ip any any
    int vlan 200
    ip access-group ENT_ACL in
//Actually I prefer to apply the ACL to interface e0/2 on SW101 if there is a "no switchport" configuration. Never mind.
3) SW102:
    int e0/0
    sw port-se
    sw port-se max 4
    sw po vio pro
    sw po mac_add sticky
//Actually there is no need for the sticky command because of the default, but idk.
Final: copy running-config startup-config

Bugmenot240411

it should be "deny tcp any any eq 23" instead of "permit tcp any any eq 23"

rogi2023

the given solution with errors:
Task 1+2 is for Sw101:
    username support pass max2learn privi 15
    line vt 0 4
    login local
    transport input telnet
Task 2 says apply a SINGLE NACL, so therefore not another ACL on line vt 0 4 as suggested in the solution:
    access-list ENT-ACL deny icmp host 192.168.200.10 host 192.168.100.10
    access-list ENT-ACL permit tcp host 192.168.200.10 any eq 23
    access-list ENT-ACL deny tcp any any eq 23
    access-list ENT-ACL permit ip any any
    interface Vlan 200
    ip access-group ENT_ACL in
Task 3 for Sw102 (the provided solution is correct):
    interf e0/0
    sw port-sec
    sw port-sec max 4
    sw port-sec violation protect
    sw port-sec mac-address sticky
    wr mem

jonathan126

How about this? Question requires EXEC mode, priv 15 is privilege EXEC mode, dynamic mac addr is enabled by default, the provided answer is for sticky mac addr on dynamic learned addr.
Task 1
    username support password max2learn
    line vty 0 4
    login local
    transport input telnet
Task 2
    ip access-list extended ENT_ACL
    deny icmp host 192.168.200.10 192.168.100.10
    permit tcp host 192.168.200.10 any eq 23
    deny tcp any any eq 23
    permit ip any any
    int vlan 200
    ip access-group ENT_ACL in
Task 3
    int e0/0
    switchport port-security
    switchport port-security maximum 4
    switchport port-security violation protect

ac89l

They should be more clear in those questions:
    Router> - User EXEC mode
    Router# - Privileged EXEC mode

ac89l

They asked for named ACL not extended .....there is a difference

studying_1

you need to use protocols and port numbers, it only works when you use extended ACLs

4aynick

username support priv 15 password max2learn

onyia.edward

you cannot directly set a user's privilege level to Exec mode on a Cisco switch. This is because Exec mode (User EXEC mode) is the default access level you enter after logging in to the switch without any special privileges.

FranRig

Considering that the telnet rule does not say anything in particular about the destination address of the SW101 in the telnet, I don't know what is tested on the exam. So, I think the rule should be the following:
    Sw101(config-nacl)#deny icmp host 192.168.200.10 host 192.168.100.10
    Sw101(config-nacl)#permit tcp host 192.168.200.10 host 192.168.200.1 eq 23
    Sw101(config-nacl)#permit tcp host 192.168.200.10 host 192.168.100.1 eq 23
    Sw101(config-nacl)#permit tcp host 192.168.200.10 host <address of 192.168.3.0/30> eq 23
    Sw101(config-nacl)#deny tcp any any eq 23
    Sw101(config-nacl)#permit ip any any

FranRig

I correct myself: Considering that the telnet rule does not say anything in particular about the destination address of the SW101 in the telnet, I don't know what is tested on the exam. So, I think the rule should be the following:
    Sw101(config-nacl)#deny icmp host 192.168.200.10 host 192.168.100.10
    Sw101(config-nacl)#permit tcp host 192.168.200.10 host 192.168.200.1 eq 23
    Sw101(config-nacl)#permit tcp host 192.168.200.10 host 192.168.100.1 eq 23
    Sw101(config-nacl)#permit tcp host 192.168.200.10 host <address of 192.168.3.0/30> eq 23
    Sw101(config-nacl)#deny tcp 192.168.200.0 0.0.0.255 any eq 23
    Sw101(config-nacl)#permit ip any any

CertBuster

Task 1
    Sw101(config)#username support privilege 15 secret max2learn
    Sw101(config)#line vty 0 4
    Sw101(config-line)#login local
    Sw101(config-line)#transport input telnet
Note: It just says exec, so I opted for global exec which is 15. User exec would just be 1.
Task 2
    Sw101(config)#ip access-list extended ENT_ACL
    Sw101(config-nacl)#deny icmp host 192.168.200.10 host 192.168.100.10
    Sw101(config-nacl)#permit tcp host 192.168.200.10 any eq 23
    Sw101(config-nacl)#deny tcp any any eq 23
    Sw101(config-nacl)#permit ip any any
    Sw101(config-nacl)#exit
    Sw101(config)#interface vlan200
    Sw101(config-if)#ip access-group ENT_ACL in
Task 3
    Sw102(config)#interface e0/0
    Sw102(config-if)#switchport port-security
    Sw102(config-if)#switchport port-security maximum 4
    Sw102(config-if)#switchport port-security violation protect
    Sw102(config-if)#switchport port-security mac-address sticky

7fc63f9

I am not sure why you are applying the ACL on VLAN 200 interface as PC2 is in the VLAN 200 and PC1 in VLAN 100

AbdullahMohammad251

An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan. An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan. https://community.cisco.com/t5/switching/acl-direction-when-applied-to-a-vlan-on-a-switch/td-p/1423652 https://www.arubanetworks.com/techdocs/AOS-CX/10.07/HTML/5200-7830/Content/Chp_ACLs/ACLs_cmds/app-acc-lis-to-int-vla.htm#:~:text=Applies%20an%20ACL%20to%20the,replace%20the%20currently%2Dapplied%20ACL.
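The two points argued above, first-match order (whether the third ENT_ACL entry is "permit" or "deny tcp any any eq 23") and the inbound direction on interface Vlan200, can be checked with a small model. This is an added example, not part of any comment or of the exam's answer; the PC1/PC2 addresses and the 192.168.200.1 switch address are the ones the comments use, 192.168.200.20 is a constructed second host, and the source subnet stands in for the ingress VLAN.

```python
import ipaddress

PC2, PC1 = "192.168.200.10", "192.168.100.10"   # addresses used in the comments
SW101 = "192.168.200.1"      # SVI address assumed in one comment, not confirmed
OTHER = "192.168.200.20"     # constructed: a second host in VLAN 200
VLAN200 = ipaddress.ip_network("192.168.200.0/24")

def build_acl(third_action):
    """ENT_ACL as posted; third_action is the disputed 'tcp any any eq 23' entry."""
    # (action, protocol, source, destination, destination port); None = any port
    return [
        ("deny", "icmp", PC2, PC1, None),
        ("permit", "tcp", PC2, "any", 23),
        (third_action, "tcp", "any", "any", 23),
        ("permit", "ip", "any", "any", None),
    ]

def evaluate(acl, proto, src, dst, dport=None):
    """First match wins; returns (action, index of the matching entry)."""
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl):
        if r_proto not in ("ip", proto):
            continue
        if r_src not in ("any", src) or r_dst not in ("any", dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, i
    return "deny", None      # implicit deny that ends every ACL

def vlan200_inbound(acl, proto, src, dst, dport=None):
    """Inbound on interface Vlan200: only packets arriving from VLAN 200 are
    checked. Source subnet stands in for the ingress VLAN (simplification)."""
    if ipaddress.ip_address(src) not in VLAN200:
        return "not evaluated"
    return evaluate(acl, proto, src, dst, dport)[0]

def report(third_action):
    acl = build_acl(third_action)
    return {
        "PC2 ping PC1": vlan200_inbound(acl, "icmp", PC2, PC1),
        "PC2 telnet Sw101": vlan200_inbound(acl, "tcp", PC2, SW101, 23),
        "other telnet Sw101": vlan200_inbound(acl, "tcp", OTHER, SW101, 23),
        "other HTTP to PC1": vlan200_inbound(acl, "tcp", OTHER, PC1, 80),
        # The ICMP entry has no type, so PC2's echo replies to PC1 are dropped too.
        "PC1 ping PC2 (request)": vlan200_inbound(acl, "icmp", PC1, PC2),
        "PC2 echo reply to PC1": vlan200_inbound(acl, "icmp", PC2, PC1),
    }

if __name__ == "__main__":
    for variant in ("permit", "deny"):
        print(variant, report(variant))
```

Only the "other telnet Sw101" row differs between the two variants, and only the "deny" variant meets the task's requirement to stop other VLAN 200 hosts from telnetting.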

picho707

Task 1 => It is not clear the privilege level of the user account (user exec or privilege exec)
    sw101(config)#username support privilege 15 password max2learn
    sw101(config)#line vty 0 4
    sw101(config-line)#transport input telnet
    sw101(config-line)#login local
Task 2 => It is not clear if sw101 has 2 IP addresses assigned. If it does, the ACL will need to be applied to the remote virtual interfaces in addition to VLAN 200.
    ip access-list extended ENT_ACL
    deny icmp host 192.168.200.10 host 192.168.100.10
    permit tcp host 192.168.200.10 any eq telnet
    deny tcp any any eq telnet
    permit ip any any
    interface Vlan200
    ip access-group ENT_ACL in
    line vty 0 4
    access-class ENT_ACL in
Task 3
    sw102(config)#interface gigabitEthernet 0/0
    sw102(config-if)#switchport port-security
    sw102(config-if)#switchport port-security maximum 4
    sw102(config-if)#switchport port-security violation protect
    sw102(config-if)#switchport port-security mac-address sticky

PaddyInNZ

Good answers on the ACLs team. I believe that the requirement in Task 1 concerning "privilege level: exec mode" is asking the student to automatically enter privileged exec mode upon Telnetting in. By adding the privilege 15 option, the user is automagically taken to this mode without requiring to enter the privileged exec password.