Exam 200-301 topic 1 question 1334 discussion

Actual exam question from Cisco's 200-301
Question #: 1334
Topic #: 1

SIMULATION

Guidelines

This is a lab item in which tasks will be performed on virtual devices.

• Refer to the Tasks tab to view the tasks for this lab item.
• Refer to the Topology tab to access the device console(s) and perform the tasks.
• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
• All necessary preconfigurations have been applied.
• Do not change the enable password or hostname for any device.
• Save your configurations to NVRAM before moving to the next item.
• Click Next at the bottom of the screen to submit this lab and move to the next question.
• When Next is clicked the lab closes and cannot be reopened.


Topology

Tasks

Refer to the topology. All physical cabling is in place. Configure local user accounts, modify the Named ACL (NACL), and configure DHCP Snooping. The current contents of the NACL must remain intact.

1. Configure a local account on Sw103 with telnet access only on virtual ports 0-4. Use the following information:
• Username: devnet
• Password: access8cli
• Algorithm type: SHA256
• Privilege level: Exec mode

2. Using the minimum number of ACEs, modify the existing NACL "INTERNET_ACL" to control network traffic destined for the Internet, and apply the ACL on R1:
• Allow HTTPS from 172.16.0.0/16
• Allow Telnet only for VLAN 101
• Restrict all other traffic and log the ingress interface, source MAC address, the packet's source and destination IP addresses, and ports

3. Configure Sw101:
• Enable DHCP Snooping for VLAN 101
• Disable DHCP Option-82 data insertion
• Enable DHCP Snooping MAC address verification

Comments

d5c03de
Highly Voted 1 year, 1 month ago
Task 1:
SW103(Config)#username devnet privilege 15 algorithm-type sha256 secret access8cli
or
SW103(Config)#username devnet privilege 15 secret 8 access8cli
Task 2:
R1# show run | include access [inspect the list and modify to make sure below works]
R1(Config)#ip access-list extended INTERNET_ACL
R1(Config-ext-nacl)#permit tcp 172.16.0.0 0.0.255.255 any eq 443
R1(Config-ext-nacl)#permit tcp [VLAN 101 Subnet] any eq 23
R1(Config-ext-nacl)#deny ip any any log-input
Task 3:
Sw101(config)#ip dhcp snooping vlan
Sw101(config)#ip dhcp snooping vlan 101
Sw101(config)#no ip dhcp snooping information option
Sw101(config)#ip dhcp snooping verify mac-address
upvoted 5 times
[Removed]
10 months, 1 week ago
Task 1 missing:
line vty 0 4
login local
transport input telnet
upvoted 1 times
d5c03de
1 year, 1 month ago
Correct me if I'm wrong but I think the ACL applied for Task 1:
R1(config)# int e0/1
R1(config-if)# ip access-group INTERNET_ACL out
upvoted 2 times
d5c03de
1 year, 1 month ago
Correction: Task "2", and it wouldn't work because outbound ACLs are applied after routing and NAT. You could apply it inbound to e0/0, e0/3 (tested this in Packet Tracer) but I'm unsure.
upvoted 1 times
tumajay
10 months, 3 weeks ago
You can apply the NACL inbound on e0/1 and e0/3 and outbound on e0/0.
upvoted 1 times
tumajay
10 months, 3 weeks ago
Correction!! DO NOT apply the ACL on the inbound interfaces 0/0 and 0/3. It will disable the neighbour adjacency and hello packets. Instead only apply on 0/3 outbound interface since instruction says to control traffic to the internet.
int e0/3
ip access-group INTERNET_ACL out
upvoted 1 times
exiledwl
6 months, 4 weeks ago
I think we don't apply it to any interface, it is already applied/configured to the intended interface and we are just modifying it. Even if it isn't applied since the task does not specify to apply it, I would pass but that's just me we out here
upvoted 2 times
ccna2025cisco
Most Recent 2 months ago
Task 2
Using the "!!! minimum number !!!" of ACEs, "!!! modify !!!" the existing NACL "INTERNET_ACL" to control network traffic destined for the Internet, and apply the ACL on R1:
ip access-list extended INTERNET_ACL
1 permit tcp 172.16.0.0 0.0.255.255 any eq 443
2 permit tcp 172.16.101.0 0.0.0.255 any eq 23
3 deny ip any any log-input
This is what it means to change the access list and use min num of access ENTRY (ACE): "Using the minimum number of ACEs, modify the existing NACL "INTERNET_ACL""
upvoted 1 times
Joshua25
6 months, 3 weeks ago
This question has not provided enough information. ACL needs to be applied to an interface, which is not mentioned. Applying to the WAN port is easier, but needs to whitelist other necessary traffic, such as remote SSH/Telnet management. If applying to the 2 LAN ports, need to whitelist some other types of traffic. Cisco intends to test some basic commands, but the poorly designed question is not describing a basic scenario. Instead, it involves too many variables which are not mentioned. However, there is only one 'standard' answer because it's an exam. This is unfair to the examinees who use solutions different than the 'standard' answer. If Cisco keeps doing this, more people will turn to CompTIA Network+ etc.
upvoted 1 times
Joshua25
6 months, 3 weeks ago
For task 2, to make it safe, we can consider the below solution:
ip access-list extended INTERNET_ACL
- permit 172.16.0.0 0.0.255.255 any eq 443
- deny 0.0.0.0 255.255.255.255 any eq 443
- permit any any
This allows internet access from only 172.16.0.0/16 range, while not modifying other types of traffic which are not mentioned in the question - causing minimal impact to the existing security profile of the system. For Telnet access from LAN side, it should be configured on the two LAN-facing ports, which require a separate ACL. Also, the task says 'VLAN 101', instead of subnet 172.16.101.0/24. A VLAN and an IP range within the VLAN are two different things, actually. There can be multiple layer 3 subnets co-existing within the same layer 2 VLAN.
upvoted 1 times
Ras_Al_Ghul
8 months, 2 weeks ago
Task 2 does not specify that you need to apply the ACL to an interface; it just says modify ACL.
upvoted 2 times
Essohjay
9 months ago
SW103# conf t
SW103(config)# username devnet privilege 15 algorithm-type sha256 password access8cli
SW103(config)# line vty 0 4
SW103(config-line)# login local
SW103(config-line)# transport input telnet
SW103(config-line)#end
SW103# write memory

R1# conf t
R1(config)# ip access-list extended INTERNET_ACL
R1(config-ext-acl)# permit tcp 172.16.0.0 0.0.255.255 any eq 443
R1(config-ext-acl)# permit tcp 172.16.101.0 0.0.0.255 any eq 23
R1(config-ext-acl)# deny ip any any log
R1(config-ext-acl)#exit
R1(config)# int e0/1
R1(config-if)# ip access-group INTERNET_ACL out
R1(config-if)#end
R1# write memory

SW101# conf t
SW101(config)# ip dhcp snooping
SW101(config)# ip dhcp snooping vlan 101
SW101(config)# no ip dhcp snooping information option
SW101(config)# ip dhcp snooping verify mac-address
SW101(config)#end
SW101# write memory
upvoted 2 times
Ras_Al_Ghul
8 months, 2 weeks ago
Where is the definition of the VLAN 101 subnet?
upvoted 1 times
exiledwl
6 months, 4 weeks ago
On exam I think we have to use show vlan brief command to see, he prob grabbed from 'reveal solution'
upvoted 1 times
bymrdas
10 months ago
Correct answer
upvoted 2 times
tumajay
10 months, 3 weeks ago
In task 2, under which interface are we supposed to apply the NACL?
upvoted 1 times
bymrdas
11 months, 2 weeks ago
SW103
username devnet privilege 15 algorithm-type sha256 secret access8cli

R1
ip access-list extend INTERNET_ACL
permit tcp 172.16.0.0 0.0.255.255 any eq https
permit tcp 172.16.101.0 0.0.0.255 any eq 23
deny ip any any log

SW101
ip dhcp snooping
ip dhcp snooping vlan 101
no ip dhcp snooping information option
ip dhcp snooping verify mac-address
upvoted 1 times
bymrdas
10 months ago
username devnet privilege 15 algorithm-type sha256 secret access8cli
line vty 0 4
transport input telnet
login local
upvoted 1 times
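
Added example, not part of any comment above and not Cisco's or this site's code: a small Python model of first-match extended-ACL evaluation with wildcard masks, run over the three ACEs discussed in the thread and a few constructed packets. It assumes, as several commenters do, that VLAN 101 is 172.16.101.0/24 (the lab's real subnet and the ACL's pre-existing entries are not shown on the page, so they are not modeled).

```python
import ipaddress
from typing import NamedTuple, Optional

class Ace(NamedTuple):
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", ... or "ip" (matches any protocol)
    src: str               # source network address
    wildcard: str          # Cisco wildcard mask: 1-bits are "don't care"
    dport: Optional[int]   # destination port for "eq"; None means any port
    log_input: bool = False

def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Compare only the bits the wildcard mask marks as significant (0-bits)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def evaluate(acl, proto, src, dport):
    """Return (action, matching ACE index, logged). First match wins."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wildcard_match(src, ace.src, ace.wildcard):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, i, ace.log_input
    # Implicit deny at the end of every ACL: drops the packet, logs nothing.
    return "deny", None, False

# Assumption: VLAN 101 = 172.16.101.0/24, taken from the comments, not the lab.
INTERNET_ACL = [
    Ace("permit", "tcp", "172.16.0.0", "0.0.255.255", 443),
    Ace("permit", "tcp", "172.16.101.0", "0.0.0.255", 23),
    Ace("deny", "ip", "0.0.0.0", "255.255.255.255", None, log_input=True),
]

# Constructed sample packets: (protocol, source IP, destination port)
SAMPLES = [
    ("tcp", "172.16.102.7", 443),   # HTTPS from another 172.16.x.x VLAN
    ("tcp", "172.16.101.20", 23),   # Telnet from VLAN 101
    ("tcp", "172.16.102.7", 23),    # Telnet from outside VLAN 101
    ("udp", "172.16.101.20", 53),   # anything else
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(INTERNET_ACL, *pkt))
```

Dropping the third ACE leaves the same packets denied by the implicit deny, but with nothing logged, which is why the task's logging requirement needs an explicit deny entry.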