Exam 200-301 topic 1 question 1061 discussion

Actual exam question from Cisco's 200-301
Question #: 1061
Topic #: 1

SIMULATION

Guidelines

This is a lab item in which tasks will be performed on virtual devices:

• Refer to the Tasks tab to view the tasks for this lab item.
• Refer to the Topology tab to access the device console(s) and perform the tasks.
• Console access is available for all required devices by clicking the device icon or using the tab(s) above the console window.
• All necessary preconfigurations have been applied.
• Do not change the enable password or hostname for any device.
• Save your configurations to NVRAM before moving to the next item.
• Click Next at the bottom of the screen to submit this lab and move to the next question.
• When Next is clicked the lab closes and cannot be reopened.


Topology




Tasks

Refer to the topology. All physical cabling is in place. Configure local user accounts, modify the Named ACL (NACL), and configure DHCP Snooping. The current contents of the NACL must remain intact.


Task 1

Configure a local account on Gw1 with telnet access only on virtual ports 0-4. Use the following information:

• Username: wheel
• Password: lock3path
• Algorithm type: Scrypt
• Privilege level: Exec mode


Task 2

Configure and apply a NACL on Gw1 to control network traffic from VLAN 10:

• Name: CORP_ACL
• Allow BOOTP and HTTPS
• Restrict all other traffic and log the ingress interface, source MAC address, the packet’s source and destination IP addresses, and ports


Task 3

Configure Sw1:

• Enable DHCP Snooping for VLAN 10
• Disable DHCP Option-82 data insertion
• Enable DHCP Snooping MAC address verification
• Enable trusted interfaces



Comments

picho707
Highly Voted 1 year, 4 months ago
Task 1
GW1(config)#username wheel privilege 15 algorithm-type scrypt secret lock3path
GW1(config)#line vty 0 4
GW1(config-line)#transport input telnet
GW1(config-line)#login local

Task 2
GW1(config)#ip access-list extended CORP_ACL
GW1(config-ext-nacl)#permit udp any any eq 68
GW1(config-ext-nacl)#permit udp any any eq 67
GW1(config-ext-nacl)#permit tcp any any eq 443
GW1(config-ext-nacl)#deny ip any any log-input
GW1(config)#interface gigabitEthernet 0/0.10 => Subinterface assigned to vlan 10
GW1(config-subif)#ip access-group CORP_ACL in

Task 3
SW1(config)#ip dhcp snooping vlan 10
SW1(config)#no ip dhcp snooping information option
SW1(config)#ip dhcp snooping verify mac-address
SW1(config)#interface range gigabitEthernet 0/1-2
SW1(config-if-range)#ip dhcp snooping trust
upvoted 10 times
JulesAZ
1 year, 2 months ago
Ahhh yes, that's the one :) Full marks mate
upvoted 4 times
rogi2023
Highly Voted 2 years ago
Checking on GNS3 with IOS 15.2.

GW1:
R1(config)#username wheel privilege 15 algorithm-type scrypt secret lock3path
line vty 0 4
login local
transport input telnet

Task 2 on GW1: bootp = udp; https = tcp
access-list CORP_ACL permit udp any any eq bootp (67,68)
access-list CORP_ACL permit tcp any any eq https (443)
access-list CORP_ACL deny ip any any log
On the router Gw1, find the gateway subinterface for Vlan10 (router on a stick) and apply the ACL:
Gw1(config-subif)#ip access-group CORP_ACL in

Task 3 on Sw1: (not so sure, correct me if I am wrong pls)
Sw1(config)#ip dhcp snooping vlan 10
Sw1(config)#ip dhcp snooping verify mac-address
Sw1(config)#no ip dhcp snooping information option
Sw1(config)#interface e0/2
Sw1(config-if)#ip dhcp snooping trust
upvoted 8 times
rogi2023
2 years ago
just adding also intf e0/1 for ip dhcp snooping trust. :-) In case the STP changes.
upvoted 3 times
studying_1
1 year, 11 months ago
rogi, only one thing: ip dhcp snooping needs two commands, dynamic arp only one command:
ip dhcp snooping
ip dhcp snooping vlan 10
upvoted 5 times
studying_1
1 year, 11 months ago
two* typo
upvoted 1 times
Shri_Fcb10
1 year, 9 months ago
Guys, how come this ACL is working, as a standard ACL does not support this filtering of packets? So we should be using an extended ACL, as far as I know.
upvoted 2 times
JulesAZ
1 year, 2 months ago
Totally mate!
upvoted 1 times
Peter_panda
2 years ago
Thank you, good job! Only one observation regarding the NACL: the task asks specifically to control traffic from VLAN10. It is possible that they expect us to permit traffic sourced by IPs from the VLAN10 range instead of "any", i.e.
access-list CORP_ACL permit udp 192.168.10.0 0.0.0.255 any eq bootp
(VLAN10 ip addressing should be discovered on-the-job with show ip int brief)
upvoted 4 times
rogi2023
2 years ago
I expect that link Gw1-Sw3 is a trunk => Gw1 is R on the stick. Finding the correct sub-if in the config will mean addressing the gateway for the Vlan10 subnet. Therefore all source IPs on the gateway are from VLAN 10, so wildcard "any" works just fine.
upvoted 6 times
AbdullahMohammad251
1 year, 3 months ago
We have a DHCP server for VLAN 10 and 20; all devices within the same VLAN on both switches will share the same network and gateway, therefore we can either use the source network or the "any" keyword.
upvoted 1 times
Dronep
Most Recent 6 months, 3 weeks ago
GW1(config)#username wheel privilege 15 algorithm-type scrypt secret lock3path
Did someone execute the command successfully? At least I was not able to test it in Packet Tracer, so I have some doubts. If someone can explain in detail how the command is used, thanks in advance.
upvoted 1 times
kalitwol
1 year, 1 month ago
bootp means bootpc = udp port 68. The correct entry is permit udp any eq 68 any, because port 68 is the source port of DHCP clients. Alternatively permit udp any any eq 67, if you want to work with the DHCP server port number.
upvoted 1 times
FranRig
1 year, 3 months ago
bootp by itself is an ambiguous command because you have bootpc and bootps (so, the given answer is wrong). Considering that the diagram says that GW1 is the DHCP Server, I'd do the following:
permit udp any eq bootpc any eq bootps
Because I don't know how they test it, you could also add the following:
permit udp any eq bootps any eq bootpc
Whatever you do, it's important to add any as a source and not a particular network, because the source of a DHCP discover will be 0.0.0.0. So, if you write a particular network, it won't work.
upvoted 2 times
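The any-versus-subnet debate above can be checked with a small model of how IOS evaluates an extended ACL. This Python block is an added illustration, not code from the page, from Cisco or from any commenter; it assumes the VLAN 10 subnet 10.10.10.0/24 mentioned in one comment, and the packets and MAC address are constructed. It shows that a DHCP DISCOVER, sourced from 0.0.0.0, is permitted by the "any" variant but falls through to the logged deny when the permit entries are restricted to the subnet, and it shows what a log-input match records.

```python
import ipaddress
from collections import namedtuple

# action: permit/deny; proto: udp/tcp/ip; src/dst: "network wildcard" pair or "any";
# dport: "eq <port>" on the destination (None = any port); log_input: the Task 2 deny keyword.
Ace = namedtuple("Ace", "action proto src dst dport log_input", defaults=(None, False))
Packet = namedtuple("Packet", "proto src_ip dst_ip sport dport src_mac ingress")

def addr_match(spec, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(net)) & care

def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end.
    Returns (action, log_fields); log_fields is None unless a log-input entry matched."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (addr_match(ace.src, pkt.src_ip) and addr_match(ace.dst, pkt.dst_ip)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        fields = None
        if ace.log_input:   # log-input adds the ingress interface and source MAC to what "log" records
            fields = {"ingress": pkt.ingress, "src_mac": pkt.src_mac,
                      "src": f"{pkt.src_ip}:{pkt.sport}", "dst": f"{pkt.dst_ip}:{pkt.dport}"}
        return ace.action, fields
    return "deny", None

# Variant A from the thread: sources left as "any".
CORP_ACL_ANY = [Ace("permit", "udp", "any", "any", 67), Ace("permit", "udp", "any", "any", 68),
                Ace("permit", "tcp", "any", "any", 443), Ace("deny", "ip", "any", "any", None, True)]
# Variant B: permit entries restricted to an assumed VLAN 10 subnet (10.10.10.0/24, from one comment).
VLAN10 = "10.10.10.0 0.0.0.255"
CORP_ACL_SUBNET = [a._replace(src=VLAN10) if a.action == "permit" else a for a in CORP_ACL_ANY]

# Constructed packets. A DHCP DISCOVER from an unaddressed client is sourced from 0.0.0.0:68.
MAC, IFACE = "0011.2233.4455", "Ethernet0/0.10"
DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67, MAC, IFACE)
HTTPS = Packet("tcp", "10.10.10.25", "203.0.113.10", 51000, 443, MAC, IFACE)
TELNET = Packet("tcp", "10.10.10.25", "10.10.20.1", 51001, 23, MAC, IFACE)
if __name__ == "__main__":
    for name, acl in (("any", CORP_ACL_ANY), ("subnet", CORP_ACL_SUBNET)):
        for pkt in (DISCOVER, HTTPS, TELNET):
            print(f"{name:6} {pkt.proto} {pkt.src_ip}:{pkt.sport} -> {pkt.dport}", evaluate(acl, pkt))
```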
[Removed]
1 year, 4 months ago
Task 1
Gw1(config)#username wheel privilege 15 algorithm-type scrypt secret lock3path
Gw1(config)#line vty 0 4
Gw1(config-line)#transport input telnet
Gw1(config-line)#login local

Task 2
Not sure if this setup is using ROAS or if Sw3 is handling the inter-VLAN routing. If it's using ROAS you can apply the ACL directly to the relevant subinterface; if Sw3 is handling the VLAN routing, you'll need to figure out the subnet for VLAN10 to specify in the ACL by verifying the config on the switch. I'm going to assume Sw3 is handling the inter-VLAN routing, since ROAS is pointless here since we have an L3 switch and we're in an enterprise environment ("CORP_ACL"). I'll use "vlan10-ip" and "vlan10-wc" as substitutes for the necessary values:
Gw1(config)#ip access-list extended CORP_ACL
Gw1(config-nacl)#permit udp vlan10-ip vlan10-wc host any eq bootpc
Gw1(config-nacl)#permit udp vlan10-ip vlan10-wc host any eq bootps
Gw1(config-nacl)#permit tcp vlan10-ip vlan10-wc host any eq https
Gw1(config-nacl)#deny ip vlan10-ip vlan10-wc any log-input
Note: You need to specify "log-input", not just "log", as the question asks for the ingress interface to be included in the logs.
upvoted 3 times
[Removed]
1 year, 4 months ago
Task 3
Sw1(config)#ip dhcp snooping
Sw1(config)#ip dhcp snooping vlan 10
Sw1(config)#no ip dhcp snooping information option
Sw1(config)#ip dhcp snooping verify mac-address
Sw1(config)#interface range e0/1-2
Sw1(config-if-ra)#ip dhcp snooping trust
upvoted 1 times
Karwan1998
11 months, 1 week ago
You are a hero!
upvoted 1 times
JunsK1e
1 year, 4 months ago
Correct me if I'm wrong.

Gw1:
en
conf t
username wheel algorithm-type scrypt secret lock3path
!
line vty 0 4
login local
transport input telnet
exit
!
!
ip access-list extended CORP_ACL
permit udp any any eq 67
permit udp any any eq 68
permit tcp any any eq 443
deny ip any any log
exit
!
!
int e0/0.10
ip access-group CORP_ACL in
exit
!
!
do wr
end
copy running-config startup-config

Sw1:
en
conf t
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping verify mac-address
!
int range e0/1 - 2
ip dhcp snooping trust
exit
!
do wr
end
copy running-config startup-config
upvoted 1 times
Enarsi_Guru
1 year, 4 months ago
Whilst the permit any any is not false, it's not specific. He asked to permit VLAN 10, not all traffic, so the access list should be applied as follows:
- permit udp (VLAN 10 + Wild Card Mask) any eq 67
- permit tcp (VLAN 10 + Wild Card Mask) any eq 23
- deny ip any any log
upvoted 1 times
hands
1 year ago
You will need to do it if the int vlan 10 is in Sw3, but since this information was not given he considered the router-on-a-stick scenario and applied it on the vlan 10 interface on Gw1.
upvoted 1 times
JunsK1e
1 year, 5 months ago
Gw1:
en
conf t
username wheel privilege 15 password lock3path
line vty 0 4
login local
transport input telnet
!
ip access-list extended CORP_ACL
permit udp any any eq 67
permit tcp any any eq 443
!
! (check the interface if there's existing sub-interfaces)
int e0/0.10
ip access-group CORP_ACL in

Sw1:
en
conf t
!
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping verify mac-address
!
int range e0/1 - 2
ip dhcp snooping trust
upvoted 1 times
Nwanna1
1 year, 7 months ago
For the Algorithm: scrypt
On GW1:
username wheel privilege 15 algorithm-type scrypt secret lock3path
line vty 0 4
transport input telnet
login local
upvoted 1 times
Nwanna1
1 year, 7 months ago
For TASK 2
ip access-list extended CORP_ACL
permit udp any any eq bootpc
permit udp any any eq bootps
permit tcp 10.10.10.0 0.0.0.255 any eq 443   // there is no "https" keyword so we have to use the port number
deny ip 10.10.10.0 0.0.0.255 any log-input
interface e0/0
ip access-group CORP_ACL in   // confirm the interface

NOTE:
1. any any was used for bootpc and bootps since both use broadcast.
2. The "log-input" keyword logs the following information:
a. ingress interface
b. source MAC address
c. source IP address
d. destination IP address
e. source port
f. destination port
upvoted 4 times
JulesAZ
1 year, 2 months ago
Quality answer. Only thing I am not 100% on in this question is the any/any vs VLan10 specificity noted by CertBuster.
Gw1(config-nacl)#permit udp vlan10-ip vlan10-wc host any eq bootpc
Gw1(config-nacl)#permit udp vlan10-ip vlan10-wc host any eq bootps
What is the relevance of the BOOTP broadcast utilisation and Vlan10? Always with a big TQ ;)
upvoted 1 times
JulesAZ
1 year, 2 months ago
Only other thing is the permit tcp 10.10.10.0 0.0.0.255? Are you supposing that is the Vlan 10 ip address? Why not - permit tcp any any 443 ?
upvoted 1 times
Techpro30
1 year, 8 months ago
Router(config)#ip access-list extended CORP_ACL Router(config-ext-nacl)#
upvoted 1 times
Techpro30
1 year, 8 months ago
Router(config)#ip access-list extended Corp_ACL
upvoted 1 times
dropspablo
1 year, 8 months ago
Gw1
configure terminal
username wheel privilege 15 algorithm-type scrypt secret lock3path
line vty 0 4
login local
transport input telnet
exit
-
do show access-list CORP_ACL (CORP_ACL - modify or create?)
ip access-list extended CORP_ACL
no 10(?)
13(?) permit udp any any bootps (or 67)
14(?) permit udp any any bootpc (or 68)
15(?) permit tcp any any 443
deny ip any any log
exit
do show ip interface brief
do show interface e0/0.10 (confirm Vlan ID 10)
interface e0/0.10
ip access-group CORP_ACL in
do wr
-
Sw1
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping verify mac-address
interface range e0/1 - 2
ip dhcp snooping trust
do wr
upvoted 3 times
dropspablo
1 year, 7 months ago
JUST FIXING FORGOTTEN "EQ" COMMAND:
ip access-list extended CORP_ACL
permit udp any any eq bootps (67)
permit udp any any eq bootpc (68)
permit tcp any any eq 443
deny ip any any log
upvoted 2 times
[Removed]
1 year, 10 months ago
This can't be CCNA 200-301. Some commands (algorithm-type scrypt, information option...) are nowhere on Cisco Netacad, so if this is a lab during the exam, how are we supposed to know we need to learn these commands?
upvoted 3 times
Toto86
1 year, 9 months ago
The commands algorithm-type scrypt and snooping information option are listed in CCNA 200-301 Official Cert Guide, Volume 2. Page 94 and page 152
upvoted 3 times
Shri_Fcb10
1 year, 9 months ago
Yeah, I too felt like that, because I didn't see any course where the instructor showed this algo, and also it doesn't work on Packet Tracer.
upvoted 1 times