
640-554

Number: 640-554
Passing Score: 800
Time Limit: 120 min
File Version: 1.0
Cisco 640-554
IINS v2.0
Sections
1. Common Security Threats
2. Security and Cisco Routers
3.0 AAA
4. IOS ACLs
5. Secure Network Management and Reporting
6. Common Layer 2 Attacks
7. Cisco Firewall Technologies
8.0 Cisco IPS
9.0 VPN Technologies

www.vceplus.com - Download A+ VCE (latest) free Open VCE Exams - VCE to PDF Converter - VCE Exam Simulator - VCE Online - IT Certifications

Exam A
QUESTION 1
Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)
A. Spam protection
B. Outbreak intelligence
C. HTTP and HTTPS scanning
D. Email encryption
E. DDoS protection

Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
IronPort Email Security Appliances and IronPort Web Security Appliances
(WSA): These appliances provide granular control of email and, in the case of web traffic and WSA, can track thousands of applications and enforce
security policies to protect networks against threats.
QUESTION 2
Which two characteristics represent a blended threat? (Choose two.)
A. man-in-the-middle attack
B. trojan horse attack
C. pharming attack
D. denial of service attack
E. day zero attack

Correct Answer: BE
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
A blended threat is an exploit that combines elements of multiple types of malware and usually employs multiple attack vectors to increase the severity
of damage and the speed of contagion. Nimda, CodeRed, Bugbear and Conficker are a few well-known examples. Although they may be identified as
viruses, worms or Trojan horses, most current exploits are blended threats.
A blended threat typically includes:

More than one means of propagation -- for example, sending an email with a hybrid virus/worm that will self-replicate and also infect a Web server so
that contagion will spread through all visitors to a particular site.
Exploitation of vulnerabilities which may be preexisting or may be caused by malware distributed as part of the attack.
The intent to cause real harm, for example, by launching a denial of service (DOS) attack against a target or delivering a Trojan horse that will be
activated at some later date.
Automation that enables increasing contagion without requiring any user action.
To guard against blended threats, experts urge network administrators to be vigilant about patch management, use and maintain good firewall products, employ server software to detect malware, and educate users about proper e-mail handling and online behavior.
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.
QUESTION 3
Which type of security control is defense in depth?
A. threat mitigation
B. risk analysis
C. botnet mitigation
D. overt and covert channels

Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
QUESTION 4
Which four methods are used by hackers? (Choose four.)
A. footprint analysis attack
B. privilege escalation attack
C. buffer Unicode attack
D. front door attacks
E. social engineering attack
F. Trojan horse attack

Correct Answer: ABEF

Section: 1. Common Security Threats
Explanation
Explanation/Reference:
QUESTION 5
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?
A. aaa accounting network start-stop tacacs+
B. aaa accounting system start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+

Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
QUESTION 6
What is the best way to prevent a VLAN hopping attack?
A. Encapsulate trunk ports with IEEE 802.1Q.
B. Physically secure data closets.
C. Disable DTP negotiations.
D. Enable BPDU guard.

Correct Answer: C
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
QUESTION 7
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?


A. no switchport mode access
B. no switchport trunk native VLAN 1
C. switchport mode DTP
D. switchport nonnegotiate

Correct Answer: D
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
QUESTION 8
Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)
A. root guard
B. BPDU filtering
C. Layer 2 PDU rate limiter
D. BPDU guard

Correct Answer: AD
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:

The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard
is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should
not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add
a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by
an attacker.
The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.
QUESTION 9
Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)
A. IP source guard
B. port security
C. root guard
D. BPDU guard
Correct Answer: AB
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:

Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC
address of the system connected to a particular port. This also provides the ability to specify an action to take if a port security
violation occurs.
IP source guard is a security feature that filters traffic based on the DHCP snooping binding database and on manually
configured IP source bindings in order to restrict IP traffic on nonrouted Layer 2 interfaces. You can use IP source guard to
prevent traffic attacks caused when a host tries to use the IP address of its neighbor. IP source guard prevents IP/MAC spoofing.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-seriesswitches/72846-layer2-secftrs-catl3fixed.html#ipsourceguard
QUESTION 10
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.

Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the
switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private
VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The
secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate
among themselves and with their associated promiscuous port but not with ports in other community VLANs.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus4000/nexus4000_i/sw/configuration/guide/rel_4_1_2_E1_1/n400xi_config/PrivateVLANs.html
QUESTION 11
What are two primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. switch spoofing
C. CAM-table overflow
D. double tagging

Correct Answer: BD
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Switch Spoofing is when a host uses software to act like a switch and connect via a negotiated trunk port.
Double-Tagging is when a host tags frames with two VLAN tags.

There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies
network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the
general methodology behind these attacks and the primary approaches to mitigate them.
VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack
that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and
pass traffic for multiple VLANs across the same physical link, generally between switches.
Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown below. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.


Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10
QUESTION 12
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are
assigned to a zone? (Choose three.)
A. traffic flowing between a zone member interface and any interface that is not a zone member
B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
QUESTION 13
Which two services are provided by IPsec? (Choose two.)

A. Confidentiality
B. Encapsulating Security Payload
C. Data Integrity
D. Authentication Header
E. Internet Key Exchange

Correct Answer: AC
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
QUESTION 14
Which command verifies phase 2 of an IPsec VPN on a Cisco router?
A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active

Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
The main commands for verifying IPsec connections on Cisco devices are:
show crypto isakmp sa: shows IKE Phase 1.
show crypto ipsec sa: shows IKE Phase 2. Will show the details from the crypto map, even when the tunnel is down.
show crypto session: will show as DOWN when the IPsec connection hasn't been made. Shows everything.
QUESTION 15


Which three protocols are supported by management plane protection? (Choose three.)
A. SNMP
B. SMTP
C. SSH
D. OSPF
E. HTTPS
F. EIGRP

Correct Answer: ACE


Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
QUESTION 16
Which statement about rule-based policies in Cisco Security Manager is true?
A. Rule-based policies contain one or more rules that are related to a device's security and
operations parameters.
B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected
on a device.
C. Rule-based policies contain one or more user roles that are related to a device's security and
operations parameters.
D. Rule-based policies contain one or more user roles that control how user traffic is filtered and
inspected on a device.
Correct Answer: B
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Rule-Based Policies
Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such as the access rules and
inspection rules defined as part of a firewall service. Rule-based policies can contain hundreds or even thousands of rules arranged in a
table, each defining different values for the same set of parameters. The ordering of the rules is very important, as traffic flows are assigned
the first rule whose definition matches the flow (known as first matching).


http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/
CSMUserGuide/poman.html
Understanding Policies
In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by
defining policies on devices (which includes individual devices, service modules, security contexts, and virtual sensors) and VPN topologies (which are
made up of multiple devices), and then deploying the configurations defined by these policies to these devices.
Several types of policies might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure
multiple policies, such as IPsec, IKE, GRE, and so forth.
Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the
device.
Settings-Based Policies vs. Rule-Based Policies
Settings-Based Policies
Settings-based policies contain sets of related parameters that together define one aspect of security or device operation. For example, when you
configure a Cisco IOS router, you can define a quality of service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on
which QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based policies, which can contain hundreds of rules
containing values for the same set of parameters, you can define only one set of parameters for each settings-based policy defined on a device.
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/
poman.html#pgfId-508714
QUESTION 17
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device
reloads?
A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius


Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
QUESTION 18
Which option provides the most secure method to deliver alerts on an IPS?
A. IME
B. CSM
C. SDEE
D. syslog

Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
SDEE is pull-based: syslog can only push events, whereas SDEE lets the management station pull them, over HTTP/HTTPS.


QUESTION 19
Which syslog level is associated with LOG_WARNING?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
Correct Answer: D
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
Explanation:
Syslog levels

QUESTION 20
Scenario:
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions.
Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.


What is included in the Network Object Group INSIDE? (Choose two.)
A. Host 74.125.224.176
B. Network 175.25.133.0/24
C. Network 10.0.10.0/24
D. Host 74.125.224.179
E. Network 192.168.1.0/8
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Explanation:
Can't answer from this description/image

QUESTION 21
Which represents a unique link-local address (IPv6)?
A. FEB0::/8
B. 2002::/16
C. FED0::/8
D. 2001::/32

Correct Answer: A
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
2002::/16 is for 6to4 tunnels.
FEB0::/8 would be the correct answer then.
FE80::
FE90::
FEA0::
FEB0::
QUESTION 22
How many class maps can be configured on a (router) interface?
A. 1
B. 2
C. 3
D. 4


Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
I think this question is actually about policy maps.
You can configure a single service policy on an interface; this service policy references a policy map.
A policy map can reference up to 64 class maps, which is the limit of class maps that can be created.
QUESTION 23
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco
B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive

Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized
by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and
Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.
SUMMARY STEPS
1. enable view
2. configure terminal
3. li-view li-password user username password password
4. username [lawful-intercept] name [privilege privilege-level | view view-name] password password
5. parser view view-name
6. secret 5 encrypted-password
7. name new-name
DETAILED STEPS
Step 1
Router> enable view
Enables root view.
Enter your privilege level 15 password (for example, root password) if prompted.
Step 2
Router# configure terminal
Enters global configuration mode.
Step 3
li-view li-password user username password password
Router(config)# li-view lipass user li_admin password li_adminpass
Initializes a lawful intercept view with a password of lipass and a user of li_admin whose password is li_adminpass.
After the li-view is initialized, you must specify at least one user via user username password password options.
Step 4
username [lawful-intercept] name [privilege privilege-level | view view-name] password password
Example:
Router(config)# username lawful-intercept li-user1 password li-user1pass
Configures lawful intercept users on a Cisco device.
http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_role_base_cli.html
QUESTION 24
Which NAT types are used for ASA in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload
D. Dynamic PAT

Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation


Explanation/Reference:
With a transparent firewall, we still have two interfaces, but we do not assign IP addresses to those interfaces, and those two interfaces act more like a bridge (or a switch with two ports in the same VLAN). Traffic from one segment of a given subnet is going to be forced through the transparent firewall if those frames want to reach the second segment behind the firewall. A transparent firewall has a management IP address so that we can remotely access it, but that is all. Users accessing resources through the firewall will not be aware that it is even present, and one of the biggest advantages of using a transparent firewall is that we do not have to re-address our IP subnets to put a transparent firewall in-line on the network.

QUESTION 25
Which three RADIUS server authentication protocols are supported on Cisco ASA firewalls?
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2

Correct Answer: CEF
Section: 3.0 AAA
Explanation
Explanation/Reference:
Supported Authentication Methods
The ASA supports the following authentication methods with RADIUS servers:
PAP: For all connection types.
CHAP and MS-CHAPv1: For L2TP-over-IPsec connections.
MS-CHAPv2: For L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.
Authentication Proxy modes: For RADIUS-to-Active-Directory, RADIUS-to-RSA/SDI, RADIUS-to-Token server, and RSA/SDI-to-RADIUS connections.
To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled
in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS
server. See the description of the password-management command for details.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html
QUESTION 26


Which wildcard mask is associated with a subnet mask of /27?


A. 0.0.0.31
B. 0.0.0.224
C. 0.0.223.255
D. 0.0.0.27

Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
A /27 prefix corresponds to the subnet mask 255.255.255.224; the wildcard mask is its bitwise inverse, 0.0.0.31.
QUESTION 27
What does NTP authenticate?
A. Clients device and time source
B. Time source only
C. Clients device only
D. Firewall and clients device

Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
QUESTION 28
Which firewall acts on behalf of end user?
A. Proxy
B. State
C. Asa
D. Application

Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation


Explanation/Reference:
QUESTION 29
What encryption does Cisco use to protect image downloading?
A. Sha1
B. Sha2
C. Md5
D. Md1

Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
This refers to the hash that Cisco publishes so that customers can verify downloaded Cisco software, including the IPS signature files.
QUESTION 30
How long does the router wait for TACACS+ response before it throws an error?
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds

Correct Answer: A
Section: 3.0 AAA
Explanation
Explanation/Reference:
The TACACS+ timeout can be set globally or per server.
Configuring the Global TACACS+ Timeout Interval
You can set a global timeout interval that the Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout
failure. The timeout interval determines how long the Nexus 5000 Series switch waits for responses from TACACS+ servers before declaring a timeout
failure.
Step 1
switch# configure terminal
Enters configuration mode.
Step 2
switch(config)# tacacs-server timeout seconds
Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.
Optional (per server):
switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds
Specifies the timeout interval for a specific server. The default is the global value.
Note The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.
Step 3
switch(config)# exit
Exits configuration mode.
Step 4
switch# show tacacs-server
(Optional) Displays the TACACS+ server configuration.
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/sec_tacacsplus.html#pgfId1272743
QUESTION 31
Which information describes the integrity and authentication for HMAC? (Choose two.)
A. Password
B. Hash
C. The key
D. Transform sets

Correct Answer: BC
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
When using HMAC (Hashed Message Authentication Code), we combine the integrity-checking capability of the hashing algorithm with authentication by use of a shared key.
QUESTION 32
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?


A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode

Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Enabling Permanent Client Installation
Enabling permanent client installation disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for
subsequent connections, reducing the connection time for the remote user.
To enable permanent client installation for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes:
svc keep-installer installed
The default is that permanent installation of the client is enabled. The client remains on the remote computer at the end of the session. The following
example configures the existing group-policy sales to remove the client on the remote computer at the end of the session:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc keep-installer installed none
QUESTION 33
You are the network manager for your organization. You are looking at your syslog server reports. Based on the syslog message shown, which two statements are true? (Choose two.)
Feb 1 10:12.08 PST:%SYS-5-CONFIG_I:Configured from console by vty0 (10.2.2.6)

A. Service timestamps have been globally enabled
B. This is a normal system-generated information message and does not require further investigation
C. This message is unimportant and can be ignored
D. This message is a level 5 notification message

Correct Answer: AD
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:


QUESTION 34
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web
page. Which action should you take to begin troubleshooting?
A. Ensure that the RDP2 plug-in is installed on the VPN gateway
B. Reboot the VPN gateway
C. Instruct the user to reconnect to the VPN gateway
D. Ensure that the RDP plug-in is installed on the VPN gateway

Correct Answer: A
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113600-technote-product-00.html

QUESTION 35
Which tasks is the session management path responsible for? (Choose three.)
A. Performing the access list checks
B. Performing route lookups
C. Allocating NAT translations (xlates)
D. Session Lookup
E. TCP Sequence Number Check
F. NAT Translation based on existing sessions

Correct Answer: ABC
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Establishing sessions in the fast path (this last option was not in the exam but is good to know)
A stateful firewall like the ASA, however, takes into consideration the state of a packet:
Is this a new connection?
If it is a new connection, the ASA has to check the packet against access lists and perform other
tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the
session goes through the session management path, and depending on the type of traffic, it might
also pass through the control plane path.


The session management path is responsible for the following tasks:
Performing the access list checks
Performing route lookups
Allocating NAT translations (xlates)
Establishing sessions in the fast path
Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are
passed on to the control plane path. Layer 7 inspection engines are required for protocols that have
two or more channels: a data channel, which uses well-known port numbers, and a control channel,
which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.
Is this an established connection?
If the connection is already established, the ASA does not need to re-check packets; most matching
packets can go through the fast path in both directions. The fast path is responsible for the
following tasks:
IP checksum verification
Session lookup
TCP sequence number check
NAT translations based on existing sessions
Layer 3 and Layer 4 header adjustments
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/intro.html#wp1047294
QUESTION 36
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
A. Report Manager
B. Health and Performance Monitoring
C. Policy Manager
D. Event Manager

Correct Answer: B
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Report Manager: Collects, displays and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers and victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods.
Health and Performance Monitor (HPM): Monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices.

http://www.cisco.com/c/en/us/products/collateral/security/security-manager/datasheet-c78-735775.html
QUESTION 37
What best describes transport mode in VPN ? (Choose 3)
A. support multicast
B. support unicast
C. used between hosts
D. used between gateways
E. used between gateway and host

Correct Answer: BDE
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Transport mode protects only the IP payload and keeps the original IP header, whereas tunnel mode encapsulates the whole original packet inside a new IP header. In either mode IPsec carries unicast traffic only; multicast has to be carried inside a GRE tunnel that is then protected by IPsec.
There are two main types of VPN, with numerous subcategories:
Remote Access: IPsec full-tunnel, SSL clientless, SSL full-tunnel
Site-to-Site: IPsec

QUESTION 38
Which three features are for data plane protection (choose three)
A. policing
B. ACL
C. IPS
D. antispoofing
E. QoS
F. DHCP snooping

Correct Answer: BDF
Section: 2. Security and Cisco Routers
Explanation

Explanation/Reference:
Data Plane Security
Data plane security can be implemented using the following features:
Access control lists: ACLs perform packet filtering to control which packets move through the network and where.
Antispoofing: ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.
Layer 2 security features: Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.
Private VLANs, firewalling and Intrusion Prevention Systems (IPS) also protect the data plane.

ACLs
ACLs are used to secure the data plane in a variety of ways, including the following:
Block unwanted traffic or users: ACLs can filter incoming or outgoing packets on an interface, controlling access based on source addresses, destination addresses, or user authentication.
Reduce the chance of DoS attacks: ACLs can be used to specify whether traffic from hosts, networks, or users can access the network. The TCP intercept feature can also be configured to prevent servers from being flooded with requests for a connection.
Mitigate spoofing attacks: ACLs enable security practitioners to implement recommended practices to mitigate spoofing attacks.
Provide bandwidth control: ACLs on a slow link can prevent excess traffic.
Classify traffic to protect other planes: ACLs can be applied on vty lines (management plane), and ACLs can control routing updates being sent, received, or redistributed (control plane).

Antispoofing
Implementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering renders the use of invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP addresses which could be traced to the originator of an attack.
Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.

Layer 2 Data Plane Protection
The following are Layer 2 security tools integrated into the Cisco Catalyst switches:
Port security: Prevents MAC address spoofing and MAC address flooding attacks.
DHCP snooping: Prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch.
Dynamic ARP inspection (DAI): Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
IP source guard: Prevents IP address spoofing by using the DHCP snooping table.

QUESTION 39
On which Cisco Configuration Professional screen do you enable AAA?
A. AAA Summary
B. AAA Servers and Groups
C. Authentication Policies
D. Authorization Policies

Correct Answer: A
Section: 3.0 AAA
Explanation
Explanation/Reference:
QUESTION 40
What command is used to change layer 2 port into layer 3 routed port?
A. no switchport
B. switchport port-security
C. ip routing
D. sdm prefer lanbase-routing

Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation

Explanation/Reference:
QUESTION 41
Where is the best place to deploy an IPS inline?
A. Inline, behind the internet router and firewall
B. Inline, before the internet router and firewall
C. Promiscuous, behind
D. Promiscuous, before

Correct Answer: A
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
Placing the sensor inline behind the Internet router and firewall means the firewall has already discarded the bulk of unwanted traffic, so the IPS inspects only the flows that were permitted, generates fewer false positives and is less likely to be overwhelmed. Inline placement, as opposed to promiscuous mode, lets the sensor drop malicious packets rather than only raise an alert after the fact.
QUESTION 42
Which syslog severity level is level number 7?
A. Warning
B. Debug
C. Critical
D. Emergency
E. Notice
F. Error

Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
Syslog severity levels (the number is what appears in the %FACILITY-SEVERITY-MNEMONIC field of a Cisco IOS message and in the logging trap command):
0 emergencies: system unusable
1 alerts: immediate action needed
2 critical: critical conditions
3 errors: error conditions
4 warnings: warning conditions
5 notifications: normal but significant condition
6 informational: informational messages only
7 debugging: debugging messages
logging trap <level> sends that level and everything more severe (numerically lower) to the syslog server; forwarding level 7 to a collector is rarely appropriate outside of troubleshooting because of the volume it generates.
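As an added illustration (not part of the original exam material), the following Python parses the severity out of Cisco IOS syslog lines, both from the %FACILITY-SEVERITY-MNEMONIC field and from the numeric <PRI> header that the syslog transport prepends (PRI = facility * 8 + severity; IOS uses facility local7, value 23, by default), and filters lines at or above a chosen level the way logging trap does. The sample lines are constructed for the example.

```python
from __future__ import annotations

import re

# Syslog severity levels, with the keywords IOS uses in "logging trap <level>".
SEVERITIES = {
    0: "emergencies",
    1: "alerts",
    2: "critical",
    3: "errors",
    4: "warnings",
    5: "notifications",
    6: "informational",
    7: "debugging",
}

# Cisco IOS message body: "%FACILITY-SEVERITY-MNEMONIC: text"
CISCO_MSG = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")
# Syslog transport header: "<PRI>" where PRI = facility * 8 + severity
PRI_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>")


def decode_pri(pri: int) -> tuple[int, int]:
    """Split a PRI value into (facility, severity); severity is the low 3 bits."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 0x07


def parse_line(line: str) -> dict:
    """Return the severity of one syslog line, preferring the IOS %FAC-SEV-MNEMONIC
    field and falling back to the <PRI> header when the body has no such field."""
    info = {"severity": None, "level": None, "mnemonic": None, "facility": None}
    body = CISCO_MSG.search(line)
    if body:
        info["severity"] = int(body.group("severity"))
        info["mnemonic"] = body.group("mnemonic")
    header = PRI_HEADER.match(line)
    if header:
        facility, severity = decode_pri(int(header.group("pri")))
        info["facility"] = facility
        if info["severity"] is None:
            info["severity"] = severity
    if info["severity"] is not None:
        info["level"] = SEVERITIES[info["severity"]]
    return info


def filter_trap_level(lines: list[str], trap_level: int) -> list[dict]:
    """Keep lines at trap_level or more severe (numerically lower), which is what
    'logging trap <level>' forwards to the collector."""
    parsed = (parse_line(line) for line in lines)
    return [p for p in parsed if p["severity"] is not None and p["severity"] <= trap_level]


# Constructed sample lines (not from the original page). Facility local7 = 23,
# so <189> is 23*8+5 (notifications), <191> is 23*8+7 (debugging), <187> is 23*8+3 (errors).
SAMPLE_LINES = [
    "<189>Mar  1 10:12:33.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<191>Mar  1 10:12:40.220: %SEC-7-IPACCESSLOGP: list 110 denied tcp 10.1.1.1(4433) -> 172.16.1.10(22), 1 packet",
    "<187>Mar  1 10:13:01.004: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

if __name__ == "__main__":
    for entry in filter_trap_level(SAMPLE_LINES, trap_level=5):
        print(entry["severity"], entry["level"], entry["mnemonic"])
```

With trap_level=5 only the CONFIG_I and UPDOWN lines survive; the level 7 access-list log is exactly the kind of message that would be forwarded only while debugging.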

QUESTION 43
Which statement about the role-based CLI access views on a Cisco router is true?
A. The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view.
B. The maximum number of configurable CLI access views is 10, including one superview.
C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.

Correct Answer: C
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Restrictions for Role-Based CLI Access
Lawful Intercept Images Limitation
Because CLI views are a part of the Cisco IOS parser, CLI views are a part of all platforms and Cisco IOS images. However, the lawful
intercept view is available only in images that contain the lawful intercept subsystem.
Maximum Number of Allowed Views
The maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include
the root view.)
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
QUESTION 44
Which Cisco Security Manager feature enables the configuration of unsupported device features?
A. Deployment Manager
B. FlexConfig
C. Policy Object Manager
D. Configuration Manager

Correct Answer: B
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
FlexConfig policies allow you to configure device commands that are not otherwise supported by Security Manager. By using FlexConfigs, you can extend Security Manager's control over a device configuration and take advantage of new device features before upgrading the product.

http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/tmplchap.html#20503
QUESTION 45
Which statement about IPv6 address allocation is true?
A. IPv6-enabled devices can be assigned only one IPv6 IP address.
B. A DHCP server is required to allocate IPv6 IP addresses.
C. IPv6-enabled devices can be assigned multiple IPv6 IP addresses.
D. ULA addressing is required for Internet connectivity.

Correct Answer: C
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
A major difference between IPv4 and IPv6 is that with IPv6, an IPv6-capable device is expected to have more than one IPv6 address.
Most interfaces will have at least a link-local address (FE80::/10) and possibly a global unicast address (2000::/3, so starting with 2xxx or 3xxx) or a unique local address (FC00::/7). Addresses can be obtained through SLAAC as well as DHCPv6, so a DHCP server is not required, and unique local addresses are not routable on the Internet.
QUESTION 46
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback
method?
A. aaa authentication enable console LOCAL SERVER_GROUP
B. aaa authentication enable console SERVER_GROUP LOCAL
C. aaa authentication enable console local
D. aaa authentication enable console LOCAL

Correct Answer: D
Section: 3.0 AAA
Explanation
Explanation/Reference:
The syntax to create an AAA authentication policy on IOS is:
aaa authentication [type] [name] [method list]
If only one method is specified, there is no fallback.
However, this question is actually about the ASA, which has a slightly different syntax. The aaa authentication enable console policy applies to users who are already logged in to the CLI and use the enable command to enter the privileged prompt. Only option D lists the single method LOCAL with no server group and therefore no fallback; option C does not work because the keyword is case sensitive and lower-case local is not accepted.
http://www.ciscopress.com/articles/article.asp?p=1552963&seqNum=3
Explanation:
To authenticate users who access the adaptive security appliance CLI over a serial, SSH, HTTPS (ASDM), or Telnet connection, or to authenticate
users who access privileged EXEC mode using the enable command, use the aaa authentication console command in global configuration mode. To
disable authentication, use the no form of this command.
aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
no aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
Syntax Description
enable: Authenticates users who access privileged EXEC mode when they use the enable command.
http: Authenticates ASDM users who access the adaptive security appliance over HTTPS. You only need to configure HTTPS authentication if you want to use a RADIUS or TACACS+ server. By default, ASDM uses the local database for authentication even if you do not configure this command.
LOCAL: Uses the local database for authentication. LOCAL is case sensitive. If the local database is empty, the following warning message appears: "Warning:local database is empty! Use 'username' command to define local users." If the local database becomes empty when LOCAL is still present in the configuration, the following warning message appears: "Warning:Local user database is empty and there are still commands using 'LOCAL' for authentication."
server-tag [LOCAL]: Specifies the AAA server group tag defined by the aaa-server command. If you use the LOCAL keyword in addition to the server-tag, you can configure the adaptive security appliance to use the local database as a fallback method if the AAA server is unavailable. LOCAL is case sensitive. We recommend that you use the same username and password in the local database as the AAA server because the adaptive security appliance prompt does not give any indication which method is being used.
serial: Authenticates users who access the adaptive security appliance using the serial console port.
ssh: Authenticates users who access the adaptive security appliance using SSH.
telnet: Authenticates users who access the adaptive security appliance using Telnet.
Defaults
By default, fallback to the local database is disabled.
If the aaa authentication telnet console command is not defined, you can gain access to the adaptive security appliance CLI with the adaptive security
appliance login password (set with the password command).
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1555520
QUESTION 47
Which command will configure a Cisco router to use a TACACS+ server to authorize network services with no fallback method?
A. aaa authorization exec default group tacacs+ none
B. aaa authorization network default group tacacs+ none
C. aaa authorization network default group tacacs+
D. aaa authorization network default group tacacs+ local

Correct Answer: C
Section: 3.0 AAA
Explanation

Explanation/Reference:
On a Cisco IOS router, the syntax to define new-model AAA authorization policies is:
aaa authorization [type] [name] [method-list]
The method list can name several methods to try, for example group tacacs+, group radius, local, enable or none. The methods are tried in the order listed. If a method is unreachable (for example, the router cannot connect to any TACACS+ server in the group), the next method is tried, providing a fallback. A FAILED authorization (the server answered and rejected the request) does not try the next method.
When only a single method is listed, there is no fallback if that method cannot be reached.
In this case, we are looking to authorize network services, so we need aaa authorization network. Options B and D both name a second method (none, which authorizes everything, or local) that is used as a fallback when the TACACS+ servers are unreachable, and option A is for exec authorization. Only one answer that starts with aaa authorization network has a single method:
aaa authorization network default group tacacs+
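To make the fallback semantics concrete, here is an added Python model (not from the original material or from Cisco) of how an IOS method list is walked for the three network-authorization commands in this question: a method that cannot be reached returns an error and the next method is tried, while a pass or fail from a reachable method is final. The TACACS+ server and the local database are simulated in-process with constructed users, and the group name tacacs+ is simply bound to the simulated server.

```python
from __future__ import annotations

from enum import Enum
from typing import Callable, Sequence


class Result(Enum):
    PASS = "PASS"    # method reachable and it authorized the request
    FAIL = "FAIL"    # method reachable and it rejected the request (final)
    ERROR = "ERROR"  # method unreachable: IOS moves on to the next method


# A method takes (user, service) and returns a Result.
Method = Callable[[str, str], Result]


def tacacs_server(reachable: bool, allowed: set[tuple[str, str]]) -> Method:
    """Simulated 'group tacacs+': unreachable servers produce ERROR, not FAIL."""
    def method(user: str, service: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if (user, service) in allowed else Result.FAIL
    return method


def local_database(allowed: set[tuple[str, str]]) -> Method:
    """Simulated 'local': always reachable, so it can only PASS or FAIL."""
    def method(user: str, service: str) -> Result:
        return Result.PASS if (user, service) in allowed else Result.FAIL
    return method


def none_method(user: str, service: str) -> Result:
    """'none' authorizes unconditionally, which makes it a fail-open fallback."""
    return Result.PASS


def parse_method_list(command: str, tacacs: Method, local: Method) -> list[tuple[str, Method]]:
    """Turn 'aaa authorization <type> <list-name> <method...>' into ordered (name, method) pairs."""
    tokens = command.split()
    if tokens[:2] != ["aaa", "authorization"] or len(tokens) < 5:
        raise ValueError(f"not an aaa authorization command: {command!r}")
    methods: list[tuple[str, Method]] = []
    i = 4
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            # Assumption for the simulation: every server group is the simulated TACACS+ group.
            methods.append((f"group {tokens[i + 1]}", tacacs))
            i += 2
        elif tokens[i] == "local":
            methods.append(("local", local))
            i += 1
        elif tokens[i] == "none":
            methods.append(("none", none_method))
            i += 1
        else:
            raise ValueError(f"unknown method keyword: {tokens[i]}")
    return methods


def evaluate(methods: Sequence[tuple[str, Method]], user: str, service: str) -> tuple[Result, list[str]]:
    """Walk the list in order. PASS/FAIL is final; ERROR falls through to the next method.
    If every method errors, the request is denied (returned here as ERROR)."""
    trail: list[str] = []
    for name, method in methods:
        result = method(user, service)
        trail.append(f"{name}: {result.value}")
        if result is not Result.ERROR:
            return result, trail
    return Result.ERROR, trail


# Constructed users: the TACACS+ server knows alice, the local database only knows bob.
TACACS_ALLOWED = {("alice", "network")}
LOCAL_ALLOWED = {("bob", "network")}


def authorize(command: str, user: str, service: str, tacacs_reachable: bool) -> tuple[Result, list[str]]:
    tacacs = tacacs_server(tacacs_reachable, TACACS_ALLOWED)
    local = local_database(LOCAL_ALLOWED)
    return evaluate(parse_method_list(command, tacacs, local), user, service)


if __name__ == "__main__":
    for cmd in (
        "aaa authorization network default group tacacs+",        # option C: no fallback
        "aaa authorization network default group tacacs+ local",  # option D: local fallback
        "aaa authorization network default group tacacs+ none",   # option B: fail-open fallback
    ):
        for reachable in (True, False):
            result, trail = authorize(cmd, "bob", "network", reachable)
            print(f"{cmd!r:60} tacacs_up={reachable!s:5} -> {result.value:5} via {trail}")
```

Note the difference between the two fallbacks: with local, a user unknown to the local database is still rejected when TACACS+ is down; with none, anyone is authorized as soon as the servers become unreachable, which an attacker can provoke by disrupting the path to them.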
QUESTION 48
Which three statements about RADIUS are true? (Choose three.)
A. RADIUS uses TCP port 49.
B. RADIUS uses UDP ports 1645 or 1812.
C. RADIUS encrypts the entire packet.
D. RADIUS encrypts only the password in the Access-Request packet.
E. RADIUS is a Cisco proprietary technology.
F. RADIUS is an open standard.

Correct Answer: BDF
Section: 3.0 AAA
Explanation
Explanation/Reference:
RADIUS uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting. TCP port 49 belongs to TACACS+, which is Cisco's protocol and encrypts the entire packet body; RADIUS is an IETF open standard (RFC 2865) and hides only the User-Password attribute of the Access-Request, so user names and all other attributes cross the network in clear text.
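The following Python, added here as an illustration rather than taken from the exam material, implements the RFC 2865 User-Password hiding that is the only "encryption" RADIUS applies: the password is null-padded to 16-byte blocks and each block is XORed with MD5(shared secret + previous block), the first "previous block" being the 16-byte Request Authenticator. Encoding two attributes of an Access-Request shows that User-Name travels in clear text while User-Password does not. The shared secret, authenticator and credentials are constructed values.

```python
import hashlib

BLOCK = 16


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = bytearray()
    previous = request_authenticator
    for offset in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + BLOCK], keystream))
        hidden += block
        previous = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse operation performed by the server. Trailing NULs are padding and are stripped."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    previous = request_authenticator
    for offset in range(0, len(hidden), BLOCK):
        block = hidden[offset:offset + BLOCK]
        keystream = hashlib.md5(secret + previous).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        previous = block
    return bytes(clear).rstrip(b"\x00")


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: 1-byte type, 1-byte total length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def access_request_attributes(username: bytes, password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """User-Name (type 1) is sent as-is; only User-Password (type 2) is hidden."""
    return encode_attribute(1, username) + encode_attribute(
        2, hide_user_password(password, secret, request_authenticator)
    )


# Constructed values for the example (a real client draws the authenticator from os.urandom(16)).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    wire = access_request_attributes(b"alice", b"S3cret!", SECRET, REQUEST_AUTHENTICATOR)
    print("on the wire:", wire.hex())
    print("user name visible:", b"alice" in wire, "| password visible:", b"S3cret!" in wire)
```

Because the keystream is MD5 of a shared secret and a value sent in the clear, the strength of this scheme rests entirely on the shared secret; it is obfuscation of one attribute, not packet encryption, which is why RADIUS is normally confined to a management network or wrapped in IPsec.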

QUESTION 49
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device
reloads?
A. aaa accounting network default start-stop group radius
B. aaa accounting auth-proxy default start-stop group radius
C. aaa accounting system default start-stop group radius
D. aaa accounting exec default start-stop group radius

Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
On a Cisco IOS router, the syntax to define new-model AAA accounting policies is:
aaa accounting [type] [name] [record-type] [method-list]
The accounting types are:
network: Creates a method list that provides accounting for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARA protocols). For example, to create a method list that provides accounting information for ARAP (network) sessions, use the arap keyword.
exec: Creates a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times.
commands: Creates a method list that provides accounting information about specific, individual EXEC commands associated with a specific privilege level.
connection: Creates a method list that provides accounting information about all outbound connections made from the network access server.
resource: Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.
system: Creates a method list that provides accounting for all system-level events not associated with users, such as reloads, which is what this question asks for.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html#wp1000952
QUESTION 50
Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)
A. start-stop
B. stop-record
C. stop-only
D. stop

Correct Answer: AC
Section: 3.0 AAA
Explanation
Explanation/Reference:
The general syntax for accounting is:
Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1
[method2...]]
We can account for start and stop or stop only.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html
QUESTION 51
What is the first command you enter to configure AAA on a new Cisco router?
A. aaa configuration
B. no aaa-configuration

C. no aaa new-model
D. aaa new-model
Correct Answer: D
Section: 3.0 AAA
Explanation
Explanation/Reference:
When setting up AAA, aaa new-model must be enabled first; it is the command that switches the router from the legacy line passwords to AAA method lists.
Be aware that enabling it immediately applies the default login method list to every line (vty and console), replacing the line-level login settings. If no aaa authentication login default list has been configured, the local database is used, so define a local username (or the method list) before enabling it from a remote session, or you can lock yourself out.
QUESTION 52
Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2

Correct Answer: BCE
Section: 3.0 AAA
Explanation
Explanation/Reference:
TACACS+ Server Support
The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.html
QUESTION 53
What is the default privilege level for a new user account on a Cisco ASA firewall?
A. 0
B. 1
C. 2
D. 15

Correct Answer: C
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Similar to Cisco IOS devices, the ASA has 16 privilege levels, from 0 to 15.
The default privilege level for a user created with the username command is 2.
On IOS, the default privilege level is 1.
Authenticating Users Using the Login Command
From user EXEC mode, you can log in as any username in the local database using the login command.
This feature allows users to log in with their own username and password to access privileged EXEC mode, so you do not have to give out the system
enable password to everyone. To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the
default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See
the "Configuring Local Command Authorization" section for more information.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/mgaccess.html#wp1042028
QUESTION 54
Which statement about ACL operations is true?
A. The access list is evaluated in its entirety.
B. The access list is evaluated one access-control entry at a time.
C. The access list is evaluated by the most specific entry.
D. The default explicit deny at the end of an access list causes all packets to be dropped.

Correct Answer: B
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
Access Lists are a series of entries
Access Lists Entries are processed in order
When a match is made, the action specified by that entry is performed and no further entries are processed
The last entry on all access lists is the implicit deny all
QUESTION 55
Which three statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination.
B. Extended access lists should be placed as near as possible to the source.
C. Standard access lists should be placed as near as possible to the destination.
D. Standard access lists should be placed as near as possible to the source.
E. Standard access lists filter on the source address.
F. Standard access lists filter on the destination address.

Correct Answer: BCE
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
ACL best practices
Standard ACLs can filter only on the source IP address.
Standard ACLs should be placed as close to the destination as possible (if they were close to the source, they would also block that source's traffic to destinations that should remain reachable).
Extended ACLs can filter on protocol, source and/or destination IP address, as well as TCP or UDP port.
Extended ACLs should be placed as close to the source as possible, so unwanted traffic is dropped before it consumes bandwidth across the network.

QUESTION 56
Which command configures a device to actively watch connection requests and provide immediate protection from DDoS attacks?
A. router(config)# ip tcp intercept mode intercept
B. router(config)# ip tcp intercept mode watch
C. router(config)# ip tcp intercept max-incomplete high 100
D. router(config)# ip tcp intercept drop-mode random

Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
About TCP Intercept
The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.
A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable
return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and
can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service, and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP
intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list.
The basic configuration requires an extended ACL that selects the incoming TCP traffic to protect:
Step 1: Router(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard
Defines an IP extended access list; the destinations it permits are the servers to protect.
Step 2: Router(config)# ip tcp intercept list access-list-number
Enables TCP intercept for the traffic matched by that list.
Step 3 (optional): Router(config)# ip tcp intercept mode {intercept | watch}
Sets the mode. The default is intercept: the router answers each SYN on the server's behalf and opens the connection to the server only after the client has completed the three-way handshake, which is the active, immediate protection the question asks for. In watch mode the router passively lets the SYNs through and only sends a reset for connections that have not completed within the watch timeout.
You can also modify the following (all optional):
Setting the TCP intercept drop mode
Changing the TCP intercept timers
Changing the TCP intercept aggressive thresholds
Monitoring and maintaining TCP intercept
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html
QUESTION 57
Which command will block external spoofed addresses?
A. access-list 128 deny ip 10.0.0.0 0.0.255.255 any
B. access-list 128 deny ip 192.168.0.0 0.0.0.255 any
C. access-list 128 deny ip 10.0.0.0 0.255.255.255 any
D. access-list 128 deny ip 192.168.0.0 0.0.31.255 any

Correct Answer: C
Section: 4. IOS ACLs
Explanation

Explanation/Reference:
The wording is loose: "spoofed addresses" here means packets arriving from outside with a source address that could not legitimately originate there, that is, RFC 1918 private space (or your own address block). The private ranges defined in RFC 1918 are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
A common set of entries for access lists applied inbound at the network edge is:
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your space as source from entering your AS. Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any
In this question, only option C (10.0.0.0 with wildcard 0.255.255.255, that is 10.0.0.0/8) covers a complete RFC 1918 block. Option A's wildcard 0.0.255.255 matches only 10.0.0.0/16, and options B and D match only 192.168.0.0/24 and 192.168.0.0/19 respectively, leaving the rest of the private range unfiltered.
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
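As an added worked example (not from the original page), the Python below implements the wildcard-mask matching and the top-down, first-match evaluation with implicit deny described in questions 54 and 57 and in the antispoofing section of question 38, then runs the BCP38 ingress list above against sample source addresses. A wildcard mask is inverted relative to a subnet mask: a 0 bit must match and a 1 bit is ignored, which is why 0.255.255.255 on 10.0.0.0 covers all of 10.0.0.0/8 while 0.0.255.255 covers only 10.0.0.0/16. YOUR_CIDR_BLOCK is filled in with the documentation prefix 203.0.113.0/24 as a constructed stand-in.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address


def ip_int(dotted: str) -> int:
    return int(IPv4Address(dotted))


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits in the wildcard must match, 1 bits are don't-care."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(address) & care) == (ip_int(base) & care)


def matched_prefix_length(wildcard: str) -> int:
    """For a contiguous wildcard, the equivalent prefix length (0.0.255.255 -> /16)."""
    return 32 - bin(ip_int(wildcard)).count("1")


@dataclass(frozen=True)
class ACE:
    action: str               # "permit" or "deny"
    source: str               # base address, or "any"
    wildcard: str = "0.0.0.0"

    def matches(self, src: str) -> bool:
        return self.source == "any" or wildcard_match(src, self.source, self.wildcard)


def parse_acl(config_lines: list[str]) -> list[ACE]:
    """Parse 'access-list <n> {permit|deny} ip <source> <wildcard> any' lines.
    Comment lines starting with '!' are skipped; only source matching is modelled."""
    aces: list[ACE] = []
    for line in config_lines:
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        if tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        if tokens[4] == "any":
            aces.append(ACE(tokens[2], "any"))
        elif tokens[4] == "host":
            aces.append(ACE(tokens[2], tokens[5]))
        else:
            aces.append(ACE(tokens[2], tokens[4], tokens[5]))
    return aces


def evaluate(aces: list[ACE], src: str) -> tuple[str, int | None]:
    """Check one ACE at a time, top down; the first match decides and evaluation stops.
    Nothing matched means the implicit 'deny any' at the end applies (index None)."""
    for index, ace in enumerate(aces):
        if ace.matches(src):
            return ace.action, index
    return "deny", None


# The page's BCP38 ingress list, with YOUR_CIDR_BLOCK filled in as a constructed example (203.0.113.0/24).
INGRESS_ACL = [
    "!--- Filter RFC 1918 space.",
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 110 deny ip 192.168.0.0 0.0.255.255 any",
    "!--- Deny our own space as a source entering the AS.",
    "access-list 110 deny ip 203.0.113.0 0.0.0.255 any",
    "access-list 110 permit ip any any",
]

if __name__ == "__main__":
    aces = parse_acl(INGRESS_ACL)
    for src in ("10.200.1.1", "172.31.255.1", "172.32.0.1", "203.0.113.7", "198.51.100.9"):
        print(src, evaluate(aces, src))
    for option, wildcard in (("A", "0.0.255.255"), ("B", "0.0.0.255"), ("C", "0.255.255.255"), ("D", "0.0.31.255")):
        print(f"option {option}: wildcard {wildcard} matches a /{matched_prefix_length(wildcard)}")
```

Without the final permit ip any any, the implicit deny would drop every legitimate packet too, which is the usual first mistake when deploying an ingress filter; the evaluate() return value of ("deny", None) makes that case visible.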
QUESTION 58
Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. port security
B. DHCP snooping
C. IP source guard
D. dynamic ARP inspection

Correct Answer: BD
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
ARP spoofing is a common Layer 2 attack. It can be used as part of ARP poisoning, man-in-the-middle attacks or session hijacking, among others.
In this type of attack, the attacker sends false ARP requests and/or replies so that victims map the gateway's (or another host's) IP address to the attacker's MAC address.
DHCP snooping allows a Cisco switch to examine all DHCP traffic and build an IP-to-MAC binding table from the addresses handed out to hosts on untrusted ports.
Dynamic ARP inspection checks every ARP packet received on an untrusted port against this table and drops those whose sender IP/MAC pair does not match.
Hosts with statically assigned IP addresses never appear in the snooping table, so they must be covered by an ARP ACL or a static binding (ip source binding); otherwise DAI will drop their ARP traffic.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html
QUESTION 59
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. port security
B. dynamic port security
C. IP source guard
D. root guard

Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Port security helps prevent CAM table overflow attacks by limiting the number of MAC addresses that can be learned on an interface:
switchport mode access
switchport port-security
switchport port-security maximum 2
(The interface must be a static access port; port security cannot be enabled on a port in dynamic mode. The default maximum is 1 and the default violation action is shutdown, which puts the port into err-disabled state.)
After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these
ways:
You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
You can configure a number of addresses and allow the rest to be dynamically configured.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
QUESTION 60
What is the most common Cisco Discovery Protocol version 1 attack?
A. denial of service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping

Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
CDP is enabled by default on most Cisco routers and switches, is unauthenticated, and is processed in software, so an attacker on a connected segment can flood a device with crafted CDP frames until its neighbor table and CPU are exhausted, which is a denial of service.
CDP also advertises the platform, IOS version and IP addresses in clear text, so disable it where it is not needed (no cdp run globally, or no cdp enable on untrusted interfaces).
https://heggel4.wordpress.com/2014/10/11/protect-your-network-against-cdp-attacks/
QUESTION 61
Which option describes a function of a virtual LAN?
A. A virtual LAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.
B. A virtual LAN creates trunks and links two switches together.
C. A virtual LAN adds every port on a switch to its own collision domain.
D. A virtual LAN connects many hubs together.

Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
A VLAN is a logical broadcast domain. Ports in different VLANs cannot exchange frames at Layer 2; traffic between VLANs has to pass through a router or Layer 3 switch, where it can be filtered, which is why VLAN segmentation is a basic Layer 2 containment control.
QUESTION 62
Which action can you take to add bandwidth to a trunk between two switches and end up with only one logical interface?
A. Configure another trunk link.
B. Configure EtherChannel.
C. Configure an access port.
D. Connect a hub between the two switches.

Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Two parallel links between switches form a loop, which STP resolves by blocking one of them, so simply adding a second trunk gains no bandwidth.
By configuring EtherChannel, the participating interfaces are bundled into a single logical interface, a port channel, that STP treats as one link, so both physical links carry traffic.
QUESTION 63
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down.
B. STP loops may occur.
C. The switch with the higher native VLAN may shut down.
D. The interface with the lower native VLAN may shut down.

Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
The native VLAN is specified in the 802.1Q standard.
In Cisco's implementation, traffic on the native VLAN is not tagged as it crosses a trunk.
Because of this, if the native VLAN differs at the two ends of a trunk, untagged frames sent in VLAN X by one switch are received in VLAN Y by the other: the two VLANs are effectively bridged together, PVST+ BPDUs for those VLANs land in the wrong STP instance, and a loop may form. The untagged native VLAN is also what the double-tagging VLAN hopping attack relies on, so the native VLAN should be an otherwise unused VLAN configured identically on both ends of every trunk.
QUESTION 64
Which VTP mode allows you to change the VLAN configuration and will then propagate the change throughout the entire switched network?
A. VTP server
B. VTP client
C. VTP transparent
D. VTP off

Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
There are three VTP modes (plus off on newer switches):
Server: Can manage the VLAN database (set the domain, add, remove and rename VLANs) and stores vlan.dat in NVRAM. Its changes are advertised to every switch in the VTP domain.
Client: Receives its VLAN list from the server. Can assign ports to VLANs, but cannot change the VLAN database, and does not store vlan.dat in NVRAM.
Transparent: Passes VTP updates through its trunk ports but does not use them, and manages an independent VLAN database.
Because any server in the domain with a higher configuration revision number overwrites the VLAN database of all the others, a misconfigured or rogue switch can erase the VLANs of the whole network; set a VTP password and use transparent mode where VTP is not needed.


www.vceplus.com - Download A+ VCE (latest) free Open VCE Exams - VCE to PDF Converter - VCE Exam Simulator - VCE Online - IT Certifications

QUESTION 65
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
A. STP elects the root bridge.
B. STP selects the root port.
C. STP selects the designated port.
D. STP blocks one of the ports.

Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
The high-level steps for STP:
1. Elect a root bridge (the switch with the lowest bridge ID, that is the lowest priority and then the lowest MAC address).
2. Each non-root bridge selects a root port (its lowest-cost path toward the root).
3. On each remaining segment a designated port is selected; the redundant ports become alternate (blocking) ports.
QUESTION 66
What is the default STP priority on a switch?
A. 4096
B. 24576
C. 16384
D. 32768

Correct Answer: D
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Cisco switches have a default STP priority of 32768.
QUESTION 67
Which two options are asymmetric-key algorithms that are recommended by Cisco? (Choose two.)
A. Rivest-Shamir-Adleman Algorithm
B. ElGamal encryption system
C. Digital Signature Algorithm

D. Paillier cryptosystem
Correct Answer: AC
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
When generating public/private key pairs for SSH, you can use either RSA or DSA.
http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/security/command/reference/b_syssec_cr42crs/b_syssec_cr41crs_chapter_0111.html#wp4092742478
QUESTION 68
Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message?
A. the transform set
B. the group policy
C. the hash
D. the crypto map

Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
One-way encryption, or hashing, is used to generate a fixed-length output message regardless of the size of the original message.
Common hash algorithms are SHA-1 and MD5.
When setting up IPsec (the IKE phase 1 policy), you specify the following:
H - hash (md5 or sha)
A - authentication (pre-shared keys, rsa-sigs (digital certs))
G - DH group (1, 2, 5, etc.)
L - lifetime for the IKE phase 1 tunnel
E - encryption to use (des, 3des, aes)
Hash output lengths:
MD5: 128 bits
SHA-224: 224 bits
SHA-256: 256 bits
SHA-384: 384 bits
SHA-512: 512 bits
SHA-512/224: 224 bits
SHA-512/256: 256 bits
QUESTION 69
Which three options are components of Transport Layer Security? (Choose three.)
A. stateless handshake
B. stateful handshake
C. application layer
D. session layer
E. pre-shared keys
F. digital certificates

Correct Answer: BCF


Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
TLS is the successor to SSL.
In many cases the terms are used interchangeably, but they are not directly compatible.
When configuring security for WebVPN and AnyConnect, you can choose to use SSL or TLS.
Like SSL, TLS uses an authentication handshake in which credentials are exchanged. These credentials are based on digital certificates, which contain public/private key pairs.
TLS is considered an application-level tool, although it is sometimes referenced as part of the session and presentation layers in the OSI model.
(9.3(2) and later) SSLv3 deprecation and SSL server version default change: SSLv3 is now deprecated. The default for the ssl server-version command is now tlsv1 instead of any. If you configure any, sslv3, or sslv3-only, the command is accepted with a warning. In the next major ASA release, these keywords will be removed from the ASA.
QUESTION 70
What are three features of IPsec tunnel mode? (Choose three.)
A. IPsec tunnel mode supports multicast.
B. IPsec tunnel mode is used between gateways.
C. IPsec tunnel mode is used between end stations.
D. IPsec tunnel mode supports unicast traffic.
E. IPsec tunnel mode encrypts only the payload.
F. IPsec tunnel mode encrypts the entire packet.
Correct Answer: BDF
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
IPsec can be run in either tunnel mode or transport mode. Both modes support only unicast traffic.
Each of these modes has its own particular uses, and care should be taken to ensure that the correct one is selected for the solution:
Tunnel mode is most commonly used between gateways, or from an end station to a gateway, with the gateway acting as a proxy for the hosts behind it.
Transport mode is used between end stations, or between an end station and a gateway if the gateway is being treated as a host, for example an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.
http://www.ciscopress.com/articles/article.asp?p=25477

QUESTION 71
Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router?
A. show crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto session
Correct Answer: D
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
The main commands for verifying IPsec connections on Cisco IOS are:
show crypto isakmp sa
Shows the IKE phase 1 security associations.
show crypto ipsec sa
Shows the IKE phase 2 (IPsec) security associations. Will show the details from the crypto map, even when the tunnel is down.
show crypto session
Shows everything (phase 1 and phase 2 status for each session). A session will show as DOWN when the IPsec connection has not been established.
QUESTION 72
How can you prevent clientless SSL VPN users from accessing any HTTP or HTTPS URL within the portal?
A. Configure a web ACL.
B. Turn off URL entry.
C. Configure a smart tunnel.
D. Configure a portal access rule.

Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Clientless SSL VPN Security Precautions
By default, the ASA allows all portal traffic to all Web resources (for example HTTPS, CIFS, RDP, and plug-ins). Clientless SSL VPN rewrites each URL to one that is meaningful only to the ASA. The user cannot use this URL to confirm that they are connected to the website they requested. To avoid placing users at risk from phishing websites, assign a Web ACL to the policies configured for clientless access (group policies, dynamic access policies, or both) to control traffic flows from the portal. Cisco recommends switching off URL Entry on these policies to prevent user confusion over what is accessible.
Step 1: webvpn - switches to group policy Clientless SSL VPN configuration mode.
Step 2: url-entry - controls the ability of the user to enter any HTTP/HTTPS URL.
Step 3 (Optional): url-entry disable - switches off URL Entry.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-configure-gateway.html
QUESTION 73
Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection?
A. perfect forward secrecy
B. dead peer detection
C. keep alives
D. IKEv2

Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Configuring DTLS
Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels: an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with SSL connections and improves the performance of real-time applications that are sensitive to packet delays.
By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS, SSL VPN connections connect with an SSL VPN tunnel only.
Note: In order for DTLS to fall back to a TLS connection, Dead Peer Detection (DPD) must be enabled. If you do not enable DPD, and the DTLS connection experiences a problem, the connection terminates instead of falling back to TLS.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html
QUESTION 74
Where is the transform set applied in an IOS IPsec VPN?
A. on the WAN interface
B. in the ISAKMP policy
C. in the crypto map
D. on the LAN interface
Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
The basic steps for an IPsec site-to-site VPN are:
Task 1: Ensure that ACLs are compatible with IPsec, i.e. that ISAKMP and AH/ESP are permitted through the firewall.
Task 2: Create the ISAKMP (IKE) policy.
crypto isakmp policy priority
Task 2a: Set the PSK if using that authentication method.
crypto isakmp key keystring address peer-address
Task 3: Configure the IPsec transform set.
crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3]
Task 4: Create a crypto ACL (defines the traffic to be protected).
access-list 110 permit tcp/ip [source range] [destination range]
Task 5: Create and apply the crypto map. This is where the transform set is applied:
R1(config)# crypto map MYMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address 110
R1(config-crypto-map)# set peer 172.30.2.2 default
R1(config-crypto-map)# set peer 172.30.3.2
R1(config-crypto-map)# set pfs group1
R1(config-crypto-map)# set transform-set mine
R1(config-crypto-map)# set security-association lifetime seconds 86400
R1(config)# interface serial0/0/0
R1(config-if)# crypto map MYMAP

QUESTION 75
Which authentication protocol does the Cisco AnyConnect VPN password management feature require to operate?
A. MS-CHAPv1
B. MS-CHAPv2
C. CHAP
D. Kerberos
Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
The password management feature allows users to get warnings and change their authentication passwords through the ASA SSL VPN.
When you configure the password-management command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password.
The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
The security appliance, releases 7.1 and later, generally supports password management for the AnyConnect VPN Client, the Cisco IPsec VPN Client, the SSL VPN full-tunneling client, and Clientless connections when authenticating with LDAP or with any RADIUS connection that supports MS-CHAPv2.
Password management is not supported for any of these connection types for Kerberos/AD (Windows password) or NT 4.0 Domain.
Some RADIUS servers that support MS-CHAP do not currently support MS-CHAPv2. The password-management command requires MS-CHAPv2, so please check with your vendor.
The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server.
For LDAP, the method to change a password is proprietary for the different LDAP servers on the market. Currently, the security appliance implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers. Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP uses port 636.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/vpngrp.html#wp1166214
QUESTION 76
In which stage of an attack does the attacker discover devices on a target network?
A. reconnaissance
B. gaining access
C. maintaining access
D. covering tracks

Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
Reconnaissance: gathering information about targets (DNS queries, Whois, etc.)
Scanning (addresses, ports, vulnerabilities): NMAP, MetaSploit, etc.
Gaining access: MetaSploit, scripts, etc.
Maintaining access
Covering tracks
QUESTION 77
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
A. Unidirectional Link Detection
B. Unicast Reverse Path Forwarding
C. TrustSec
D. IP Source Guard

Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Unicast Reverse Path Forwarding (uRPF) verifies the source IP address of a packet against the routing table of the router.
Verifying symmetry means that a return packet must travel along the same path the original packet was received on (this can be a problem for multi-homed routers at the edge).
It can be used in strict or loose mode.
This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded.
When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet.
When administrators use Unicast RPF in loose mode, the source address must appear in the routing table. Administrators can change this behavior using the allow-default option, which allows the use of the default route in the source verification process.
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
QUESTION 78
By which kind of threat is the victim tricked into entering username and password information at a disguised website?

A. phishing
B. spam
C. malware
D. spoofing

Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
Phishing: the activity of defrauding an online account holder of financial information by posing as a legitimate company.
"phishing exercises in which criminals create replicas of commercial Web sites"
QUESTION 79
Which Cisco product can help mitigate web-based attacks within a network?
A. Adaptive Security Appliance
B. Web Security Appliance
C. Email Security Appliance
D. Identity Services Engine

Correct Answer: B
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Get advanced threat defense, advanced malware protection, application visibility and control, insightful reporting, and secure mobility. The Cisco Web
Security Appliance (WSA) combines all of these forms of protection and more in a single solution. The WSA also helps to secure and control web traffic,
while simplifying deployment and reducing costs.
http://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/at-a-glance-c45-730937.pdf
QUESTION 80
Which type of IPS can identify worms that are propagating in a network?
A. signature-based IPS
B. policy-based IPS
C. anomaly-based IPS
D. reputation-based IPS

Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:

QUESTION 81
When a company puts a security policy in place, what is the effect on the company's business?
A. minimizing risk
B. minimizing total cost of ownership
C. minimizing liability
D. maximizing compliance

Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
The goal of a security policy is to minimize risk, using the best available knowledge and guided by the balance of security vs. availability.
However, it needs standards, guidelines and procedures in place to actually work.
QUESTION 82
Which IOS feature can limit SSH access to a specific subnet under a VTY line?
A. access class
B. access list
C. route map
D. route tag

Correct Answer: A
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
You can create an access list and, rather than applying it to a specific interface, apply it with the access-class command under the VTY lines.
This allows you to control the source (and possibly destination) IP addresses that are allowed to access the VTY lines (Telnet or SSH).
QUESTION 83
Which two protocols can SNMP use to send messages over a secure communications channel? (Choose two.)
A. DTLS
B. TLS
C. ESP
D. AH
E. ISAKMP

Correct Answer: AB
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:

http://www.snmp.com/products/techinfo/secmodels.shtml

QUESTION 84
Which two options are for securing NTP? (Choose two.)
A. a stratum clock
B. access lists
C. Secure Shell
D. authentication
E. Telnet

Correct Answer: BD
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
The command to set up a Cisco device as an NTP client is:
ntp server ip-address | hostname [version number] [key key-id] [source interface] [prefer]
Specifying the key allows you to use authentication:
1. config t
2. [no] ntp authentication-key number md5 md5-string
3. (Optional) show ntp authentication-keys
4. [no] ntp trusted-key number
5. (Optional) show ntp trusted-keys
6. [no] ntp authenticate
7. (Optional) show ntp authentication-status
8. (Optional) copy running-config startup-config
Configuring NTP Access Restrictions
ntp access-group
To control access to the Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode. To
remove access control to the NTP services, use the no form of this command.
ntp access-group {query-only | serve-only | serve | peer} access-list-number
1. config t
2. [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name
3. (Optional) show ntp access-groups
4. (Optional) copy running-config startup-config
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1123899
QUESTION 85
What must be configured before Secure Copy can be enabled?
A. SSH
B. AAA
C. TFTP
D. FTP

Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
The Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files. SCP relies on
Secure Shell (SSH), an application and a protocol that provide a secure replacement for the Berkeley r-tools.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
6. username name [privilege level] {password encryption-type encrypted-password}
7. ip scp server enable
http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_secure_copy.html
QUESTION 86
Which two ports does Cisco Configuration Professional use? (Choose two.)
A. 80
B. 8080
C. 443
D. 21
E. 23

Correct Answer: AC
Section: 5. Secure Network Management and Reporting
Explanation

Explanation/Reference:
These are the ports used on the router:
When you check the Connect Securely check box, HTTPS port 443 and SSH port 22 information is automatically added to the device.
If you did not check the Connect Securely check box, the HTTP port 80 and Telnet port 23 information is automatically added to the device.
For more detail on ports used on the PC, look at:
http://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf
QUESTION 87
Which two options are physical security threats? (Choose two.)
A. hardware
B. environment
C. access lists
D. device configurations
E. software version

Correct Answer: AB
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
QUESTION 88
Which command configures stateful packet inspection to inspect a packet after it passes the inbound ACL of the input interface?
A. ip inspect out
B. ip inspect in
C. ip inspect name audit-trail on
D. ip inspect name audit-trail off

Correct Answer: B
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
The ip inspect command was part of the older CBAC (Context-Based Access Control) firewall configuration.
Since most communication is two-way, rather than configuring all the details for both directions, you could set up your access list to restrict outgoing traffic on an interface.
You would then create an IP inspect rule so that traffic that passed through was "inspected". This meant the router would build a stateful table to watch outgoing traffic and allow the returned responses.
CBAC definition:
ip inspect name FWOUT tcp
! inspects all TCP traffic going out; FWOUT is the name of the inspect rule
ip access-list extended OUTBOUND
 permit ip any any
ip access-list extended INBOUND
 deny ip any any
interface serial0/0/0
 ip inspect FWOUT out
 ip access-group OUTBOUND out
 ip access-group INBOUND in
https://learningnetwork.cisco.com/docs/DOC-7832
QUESTION 89
Which statement about identity NAT is true?
A. It is a static NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
B. It is a dynamic NAT configuration that translates a real IP address to a mapped IP address.
C. It is a static NAT configuration that translates a real IP address to a mapped IP address.
D. It is a dynamic NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.

Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Identity NAT falls into three categories: dynamic identity NAT, static identity NAT, and policy-based static identity NAT. NAT exemption is basically a similar config to dynamic identity NAT, but it restricts it to an access list.
Dynamic identity NAT:
Only connections from the inside to elsewhere are translated.
ciscoasa(config)# nat (inside) 0 192.168.0.0 255.255.255.0
Static identity NAT:
If the interface ACLs allow the traffic, this can be used in either direction. Traffic to/from 192.168.0.0/24 (on the inside) is not translated.
ciscoasa(config)# static (inside,outside) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
Static identity policy NAT:
Again, if the interface ACLs allow the traffic, connections between 192.168.0.0 and 172.31.0.0 can use this translation in either direction.
ciscoasa(config)# access-list NAT extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
ciscoasa(config)# static (inside,outside) 192.168.0.0 access-list NAT
Think of the above as: static (inside,outside) 192.168.0.0 192.168.0.0 if going to 172.31.0.0/24.
NAT exemption:
Again, if the ACL allows it, connections between 192.168.0.0 and 172.31.0.0 can use this translation in either direction. Actually it is not a translation, but a "non" translation.
ciscoasa(config)# access-list NAT_EXEMPT extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list NAT_EXEMPT
Think of the above as: disable translation of 192.168.0.0 to any interface if going to 172.31.0.0/24.
QUESTION 90
Which element must you configure to allow traffic to flow from one security zone to another?
A. a zone pair
B. a site-to-site VPN
C. a zone list
D. a zone-based policy

Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
When using zone-based firewalls, which is the newer standard, the following rules apply:
In order to communicate between interfaces in different zones, the zone pair AND a policy must exist.
R3(config-sec-zone)# zone-pair security in-to-out source inside destination outside
! creates the pair and specifies the direction
R3(config-sec-zone-pair)# service-policy type inspect MY-POLICY-MAP
! specifies which policy to use on the pair
QUESTION 91
With which two NAT types can Cisco ASA implement address translation? (Choose two.)
A. network object NAT
B. destination NAT
C. twice NAT
D. source NAT
E. double NAT

Correct Answer: AC
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
How NAT is Implemented
The adaptive security appliance can implement address translation in two ways: network object NAT and twice NAT.
Main Differences Between Network Object NAT and Twice NAT
The main differences between these two NAT types are:
How you define the real address.
Network object NAT: You define NAT as a parameter for a network object; the network object definition itself provides the real address. This method lets you easily add NAT to network objects. The objects can also be used in other parts of your configuration, for example, for access rules or even in twice NAT rules.
Twice NAT: You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
How source and destination NAT is implemented.
Network object NAT: Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
Twice NAT: A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
Order of NAT rules.
Network object NAT: Automatically ordered in the NAT table.
Twice NAT: Manually ordered in the NAT table (before or after network object NAT rules).
We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html#wp1118634
Cisco ASA network objects let us refer to an IP or multiple IPs as an object, simplifying our ability to make rules.
The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of outside addresses 10.2.2.1 through 10.2.2.10:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.2.2.1 10.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_objects.html

QUESTION 92
Which technology is the most effective choice for locally mirroring ports to support data investigation for a single device at the data layer?
A. RMON
B. SPAN
C. RSPAN
D. ERSPAN

Correct Answer: B
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
SPAN sessions define a monitor session.
Each monitor session has a source and a destination.
With regular (local) SPAN, both the source and the destination must be on the same device.
QUESTION 93
Which three actions can an inline IPS take to mitigate an attack? (Choose three.)
A. modifying packets inline
B. denying the connection inline
C. denying packets inline
D. resetting the connection inline
E. modifying frames inline
F. denying frames inline

Correct Answer: ABC


Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
These answers are made true or false by the word "inline". As Cisco defines it, inline mode event actions are different from promiscuous mode event actions.
Inline Mode Event Actions
Deny connection inline: This action prevents further communication for the specific TCP flow. This action is appropriate when there is the potential for a false alarm or spoofing and when an administrator wants to prevent the action but not deny further communication.
Deny packet inline: This action prevents the specific offending packet from reaching its intended destination. Other communication between the attacker and victim or victim network may still exist. This action is appropriate when there is the potential for a false alarm or spoofing. Note that for this action, the default time has no effect.
Modify packet inline: This action enables the IPS device to modify the offending part of the packet. However, it forwards the modified packet to the destination. This action is appropriate for packet normalization and other anomalies, such as TCP segmentation and IP fragmentation re-ordering.
Promiscuous Mode Event Actions
Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCP packets, this can be a successful action. However, in some cases where the attack only needs one packet it may not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP that consistently try to establish new connections, nor are they effective if the reset cannot reach the destination host in time.
IPSs don't generally look at frames, just packets.
http://www.cisco.com/web/about/security/intelligence/ipsmit.html
QUESTION 94
Which monitoring protocol uses TCP port 1470 or UDP port 514?
A. RELP
B. Syslog
C. SDEE
D. IMAP
E. SNMP
F. CSM

Correct Answer: B
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
UDP port 514 is the old Syslog port
TCP port 1470 is associated with the Kiwi Log Server
Syslog over TLS uses TCP port number 6514.
https://en.wikipedia.org/wiki/Syslog
QUESTION 95
Which statement about the Atomic signature engine is true?
A. It can perform signature matching on a single packet only.
B. It can perform signature matching on multiple packets.
C. It can examine applications independent of the platform.
D. It can flexibly match patterns in a session.
Correct Answer: A
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
Signature engines:
Atomic
- Simplest form
- Consists of a single packet, activity, or event
- Does not require the intrusion system to maintain state information
- Easy to identify
Composite
- Also called a stateful signature
- Identifies a sequence of operations distributed across multiple hosts
- The signature must maintain state over a window known as the event horizon
QUESTION 96
What is the function of an IPS signature?
A. It determines the best course of action to mitigate a threat.
B. It detects network intrusions by matching specified criteria.
C. It provides logging data for allowed connections.
D. It provides threat-avoidance controls.
Correct Answer: B
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 97
Which two options are advantages of a network-based Cisco IPS? (Choose two.)
A. It can examine encrypted traffic.
B. It can protect the host after decryption.
C. It is an independent operating platform.

D. It can observe bottom-level network events.
E. It can block traffic
Correct Answer: CD
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 98
Which command configures logging on a Cisco ASA firewall to include the date and time?
A. logging facility
B. logging enable
C. logging timestamp
D. logging buffered debugging
Correct Answer: C
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
QUESTION 99
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled
B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
D. forwarding, listening, learning, blocking, disabled
Correct Answer: C
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:


QUESTION 100
Which sensor mode can deny attackers inline?
A. IPS
B. Fail-close
C. IDS
D. Fail-open
Correct Answer: A
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
Sensors usually operate in Promiscuous mode.
An IPS can deny traffic inline, since it is in the flow of the traffic.

QUESTION 101
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
Options are All, Error, Status, and Alerts
QUESTION 102
Which statements about reflexive access lists are true? (Choose three.)
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs

D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions
Correct Answer: DEF
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
Router(config)# ip access-list extended Egress
Router(config-ext-nacl)# permit ip any any reflect iptraffic
Router(config-ext-nacl)# interface f0/1
Router(config-if)# ip access-group Egress out

interface Serial 1
description Access to the Internet via this interface
ip access-group inboundfilters in
!
ip access-list extended inboundfilters
evaluate iptraffic
The reflexive ACL iptraffic will then be evaluated as well.
Reflexive access lists can be defined with extended named IP access lists only.

You cannot define reflexive access lists with numbered or standard named IP access lists or with other protocol access lists.
You can use reflexive access lists in conjunction with other standard access lists and static extended access lists.
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html
QUESTION 103
Which actions can a promiscuous IDS take to mitigate an attack? (Choose three.)
A. modifying packets
B. requesting connection blocking
C. denying packets

D. resetting the TCP connection
E. requesting host blocking
F. denying frames
Correct Answer: BDE
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
An IDS that is not inline can be configured to request another security device to block traffic on its behalf.
An inline IPS can deny traffic inline.
QUESTION 104
Which command is needed to enable SSH support on a Cisco Router?
A. crypto key lock rsa
B. crypto key generate rsa
C. crypto key zeroize rsa
D. crypto key unlock rsa
Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
The SSH protocol requires:
a fully qualified domain name
usernames and passwords
a self-signed digital certificate
The crypto key generate rsa command will generate the needed digital certificate

QUESTION 105
Which protocol provides security to Secure Copy?
A. IPSec


B. SSH
C. HTTPS
D. ESP
Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
Secure Copy is a secure replacement for FTP.
It requires SSH.
QUESTION 106
Which security zone is automatically defined by the system?
A. The source zone
B. The self zone
C. The destination zone
D. The inside zone
Correct Answer: B
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
All traffic to the router itself is considered to be going to the self zone.

Zone Pairs
A zone pair allows you to specify a unidirectional firewall policy between two security zones.
To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source and destination
zones. The source and destination zones of a zone pair must be security zones.
You can select the default or self zone as either the source or the destination zone. The self zone is a system-defined zone
which does not have any interfaces as members.
A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic
generated by the device. It does not apply to traffic through the device.
The most common usage of a firewall is to apply it to traffic through a device, so you need at least two zones (that is, you
cannot use the self zone).
QUESTION 107


What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
A. The Internet Key Exchange protocol establishes security associations
B. The Internet Key Exchange protocol provides data confidentiality
C. The Internet Key Exchange protocol provides replay detection
D. The Internet Key Exchange protocol is responsible for mutual authentication
Correct Answer: AD
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Setting up an IPsec VPN has two phases.
IKE Phase 1 uses the following settings to establish a secure, confidential link over which the endpoints can communicate:
Hash
Authentication
DH Group
Lifetime
Encryption
IKE Phase 2 uses the transform sets to send and possibly encrypt the data.

QUESTION 108
What is a possible reason for the error message?
Router(config)#aaa server ?
% Unrecognized command
A. The command syntax requires a space after the word server
B. The command is invalid on the target device
C. The router is already running the latest operating system
D. The router is a new device on which the aaa new-model command must be applied before continuing
Correct Answer: D
Section: 3.0 AAA
Explanation
Explanation/Reference:

This is the syntax for an ASA.


For example, to add one TACACS+ group with one primary and one backup server, one RADIUS group with a single server, and an NT domain server,
enter the following commands:
hostname/contexta(config)# aaa-server AuthInbound protocol tacacs+
hostname/contexta(config-aaa-server-group)# max-failed-attempts 2
hostname/contexta(config-aaa-server-group)# reactivation-mode depletion deadtime 20
hostname/contexta(config-aaa-server-group)# exit
hostname/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname/contexta(config-aaa-server-host)# key TACPlusUauthKey
hostname/contexta(config-aaa-server-host)# exit
hostname/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.2
hostname/contexta(config-aaa-server-host)# key TACPlusUauthKey2
hostname/contexta(config-aaa-server-host)# exit
hostname/contexta(config)# aaa-server AuthOutbound protocol radius
hostname/contexta(config-aaa-server-group)# exit
hostname/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname/contexta(config-aaa-server-host)# key RadUauthKey
hostname/contexta(config-aaa-server-host)# exit
hostname/contexta(config)# aaa-server NTAuth protocol nt
hostname/contexta(config-aaa-server-group)# exit
hostname/contexta(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname/contexta(config-aaa-server-host)# nt-auth-domain-controller primary1
hostname/contexta(config-aaa-server-host)# exit
QUESTION 109
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels support all operating systems
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels require the client to have the application installed locally
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111007-smart-tunnel-asa-00.html
Smart tunnel access allows a client TCP-based application to use a browser-based VPN connection to connect to a service. It offers the following
advantages to users, compared to plugins and the legacy technology, port forwarding:
Smart tunnel offers better performance than plug-ins.
Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user to connect the local application to the local port.
Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
Smart Tunnel Applications
Smart Tunnel allows any TCP-based client-server application to use ASA as a proxy gateway to the private side of a network. Examples of native
applications that work through Smart Tunnel include Outlook, SharePoint, Telnet, Passive FTP, Lotus Sametime, Secure Shell (SSH), Remote Desktop
Protocol (RDP), and Virtual Network Computing (VNC). Smart Tunnel does not support applications that use User Datagram Protocol (UDP). Using
the Cisco ASA Device Manager (ASDM), an administrator can define which applications and networks are allowed
access.
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf
Smart Tunnel is also used to provide remote access to web applications that are difficult to rewrite, such as proprietary, non-standards-based Java, Java
Script, or Flash animations. Smart Tunnel also supports Single Sign-On to web applications that require either form-based POST parameters, http basic,
FTP, or NTLM authentication.
Smart Tunnel can also co-exist with a Full-Tunnel VPN Client. For example, an employee can connect to the company network by using Full-Tunnel
VPN Client, while simultaneously connecting to a vendor network by using Smart Tunnel.
Smart Tunnel Advantages over Port-Forwarding, Plug-ins
Smart Tunnel offers better performance than browser plug-ins.
Port forwarding is the legacy technology for supporting TCP-based applications over a Clientless SSL VPN connection. Unlike port forwarding, Smart
Tunnel simplifies the user experience by not requiring the user connection of the local application to the local port.
Smart Tunnel does not require users to have administrator privileges.
Smart Tunnel does not require the administrator to know application port numbers in advance.
QUESTION 110
Which option describes information that must be considered when you apply an access list to a physical interface?
A. Protocol used for filtering
B. Direction of the access class
C. Direction of the access group
D. Direction of the access list
Correct Answer: C
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
You can place one IP access list per interface per direction.
An access list is applied to an interface with the ip access-group [listname] in/out command.
QUESTION 111
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500
Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT.
QUESTION 112
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A. sh crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active
Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
QUESTION 113
What is the purpose of a honeypot IPS?
A. To create customized policies
B. To detect unknown attacks
C. To normalize streams
D. To collect information about attacks

Correct Answer: D
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
The main commands for verifying IPsec connections on Cisco routers are:
show crypto isakmp sa
Shows IKE Phase 1.
show crypto ipsec sa
Shows IKE Phase 2.
Will show the details from the crypto map, even when the tunnel is down.
show crypto session
Will show as DOWN when the IPsec connection hasn't been made.
Shows everything.
QUESTION 114
Which type of mirroring does SPAN technology perform?
A. Remote mirroring over Layer 2
B. Remote mirroring over Layer 3
C. Local mirroring over Layer 2
D. Local mirroring over Layer 3
Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 115
If a router configuration includes the line
aaa authentication login default group tacacs+ enable
which events will occur when the TACACS+ server returns an error? (Choose two.)

A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server

Correct Answer: AD
Section: 3.0 AAA
Explanation
Explanation/Reference:
The fallback methods are only used in case of an error, not if a method fails.
There may be more than one TACACS+ server listed in the group, so it is possible that additional TACACS+ servers may be contacted for authentication.
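As an added example (not from the exam dump or from Cisco), a small Python model of how a login method list such as aaa authentication login default group tacacs+ enable is walked: the server group is tried before the enable password, an ERROR (unreachable server) falls through to the next server and then to the next method, while a FAIL (rejected credentials) is final. The usernames, passwords and reachability flags are constructed sample values, and the rule that the login is denied when every method errors is a modeling assumption.

```python
from enum import Enum
from typing import Callable, Dict, List, Sequence, Tuple


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # method was reached and rejected the credentials: final, no fallback
    ERROR = "error"  # method could not be evaluated (e.g. server unreachable): try the next one


# A method takes (username, password) and returns a Result
Method = Callable[[str, str], Result]


def tacacs_server(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for one TACACS+ server: ERROR when down, else PASS/FAIL on its user DB."""
    def server(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return server


def server_group(servers: Sequence[Method]) -> Method:
    """'group tacacs+': servers are tried in order; only an unreachable server falls through."""
    def group(user: str, password: str) -> Result:
        for server in servers:
            verdict = server(user, password)
            if verdict is not Result.ERROR:
                return verdict          # the first reachable server's PASS or FAIL is final
        return Result.ERROR             # no server in the group answered
    return group


def enable_method(enable_secret: str) -> Method:
    """'enable': only the enable password is checked; the username is irrelevant."""
    def method(user: str, password: str) -> Result:
        return Result.PASS if password == enable_secret else Result.FAIL
    return method


def authenticate(method_list: Sequence[Tuple[str, Method]], user: str, password: str):
    """Walk the method list the way IOS does: ERROR moves on to the next method, PASS/FAIL stop.
    Returns (verdict, name of the deciding method or None, trace of (method, result))."""
    trace: List[Tuple[str, Result]] = []
    for name, method in method_list:
        verdict = method(user, password)
        trace.append((name, verdict))
        if verdict is Result.ERROR:
            continue                    # fallback happens only on error, never on failure
        return verdict, name, trace
    # Modeling assumption: if every method errors, the login is denied
    return Result.FAIL, None, trace


USERS = {"admin": "Str0ngPass"}         # constructed user database held by the TACACS+ servers
ENABLE_SECRET = "En4ble!"               # constructed enable password


def build_method_list(primary_up: bool, backup_up: bool) -> List[Tuple[str, Method]]:
    """Model 'aaa authentication login default group tacacs+ enable' with a two-server group."""
    group = server_group([tacacs_server(primary_up, USERS), tacacs_server(backup_up, USERS)])
    return [("group tacacs+", group), ("enable", enable_method(ENABLE_SECRET))]


if __name__ == "__main__":
    cases = [
        ("both servers down, enable password given", (False, False), "admin", ENABLE_SECRET),
        ("primary down, backup answers, good credentials", (False, True), "admin", "Str0ngPass"),
        ("backup answers with FAIL, enable is not consulted", (False, True), "admin", ENABLE_SECRET),
    ]
    for label, (primary, backup), user, pw in cases:
        verdict, decided_by, trace = authenticate(build_method_list(primary, backup), user, pw)
        print(f"{label}: {verdict.name} via {decided_by}; trace={[(n, r.name) for n, r in trace]}")
```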
QUESTION 116
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SDEE
B. Syslog
C. SNMP
D. CSM
Correct Answer: A
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 117
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source
D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination
Correct Answer: B
Section: 4. IOS ACLs
Explanation


Explanation/Reference:
Standard ACL
1) Able to restrict, deny and filter packets by host IP or subnet only.
2) Best practice is to put the standard ACL restriction near the source host/subnet (interface inbound).
3) No protocol-based restriction (only host IP).
Extended ACL
1) More flexible than a standard ACL.
2) You can filter packets by host/subnet as well as protocol/TCP port/UDP port.
3) Best practice is to put the restriction near the destination host/subnet (interface outbound).
QUESTION 118
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A. CPPr
B. Parser views
C. Access control lists
D. Port security
E. CoPP
Correct Answer: AE
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
The control plane tools can be implemented to limit the damage an attacker can attempt to inflict directly at one of the router's IP addresses (traffic
addressed directly to the router, which the router must spend CPU resources to process).
Control Plane Policing (CoPP) and Control Plane Protection (CPPr)
Control plane policing. You can configure this as a filter for any traffic destined to an IP address on the router itself. For example, you can specify
that management traffic, such as SSH/HTTPS/SSL and so on, can be rate-limited (policed) down to a specific level or dropped completely. This way, if
an attack occurs that involves an excessive amount of this traffic, the excess traffic above the threshold set could simply be ignored and not have to be
processed directly by the CPU. Another way to think of this is as applying quality of service (QoS) to the valid management traffic and policing to the
bogus management traffic.
This is applied to a logical control plane interface (not directly to any Layer 3 interface) so that the policy can be applied globally to the router.
Control plane protection. This allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling. The three
specific subinterfaces that can be classified are (1) Host subinterface, which handles traffic to one of the physical or logical interfaces of the router; (2)
Transit subinterface, which handles certain data plane traffic that requires CPU intervention before forwarding (such as IP options); and (3) Cisco
Express Forwarding (CEF) exception traffic (related to network operations, such as keepalives or packets with Time-To-Live [TTL] mechanisms that are
expiring) that has to involve the CPU.
The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP.
This is also applied to a logical control plane interface, so that regardless of the logical or physical interface on which the packets arrive, the router
processor can still be protected.
Routing Protocol Authentication
ACLs CAN be used, but they are primarily for traffic going through the router, not traffic to the router.
QUESTION 119
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two)
A. FTP
B. SSH
C. Telnet
D. AAA
E. HTTPS
F. HTTP
Correct Answer: BE
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
QUESTION 120
Which three properties are included in the inspection Cisco Map BASICFIREWALL? See the exhibits
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)
gui2 (exhibit):
gui1 (exhibit):
A. HTTP
B. HTTPS
C. FTP
D. POP
E. SMTP
F. DNS
Correct Answer: ABE


Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
You must find the C3PL area under Security and investigate the Inspection class maps and policy maps.
If you cannot find the MAP under the class map, look at the policy to find the correct class MAP.
Drill down, and the map names may vary.
QUESTION 121
Scenario:
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions.
Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.
Which policy is assigned to Zone Pair LAN-TO-WAN?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)

Exhibit:
A. Sdm-cls-http
B. OUT_SERVICE
C. RegularTrafficAllowed
D. Ccp-policy-ccp-cls-2
Correct Answer: C
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Drill down

QUESTION 122
Scenario:
Using the pictures in the exhibit, answer the following question.
You are the security admin for a small company. This morning your manager has supplied you with a list of Cisco ISR and CCP configuration questions.
Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business question.
Which Class Maps are used by the INBOUND Rule?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)

Exhibit:
A. MailTraffic
B. Class-map-ccp-cls-2
C. Web
D. Class-map SERVICE_IN
Correct Answer: AC
Section: 7. Cisco Firewall Technologies
Explanation


Explanation/Reference:
Assuming this means the INBOUND policy map.
Drill down
QUESTION 123
Using the lab \Lab Work\Security Labs\GNS3Labs\CCP-Investigate\Topology.net, or the pictures in the exhibit, answer the following question.
What IP address will be used for the inside global when traffic goes through NAT?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)

Exhibit:
A. 192.168.35.1
B. 192.168.100.1
C. Interface fastethernet 0/1
D. interface serial 0/0
Correct Answer: B
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Drill down

QUESTION 124
Using the lab \Lab Work\Security Labs\GNS3Labs\CCP-Investigate\Topology.net, or the pictures in the exhibit, answer the following question.
Which three protocols are included in the Inspection Class Map MailTraffic?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)

Exhibit:
A. smtp
B. imap3
C. imap
D. http
E. https
F. pop3

Correct Answer: ABF
Section: 7. Cisco Firewall Technologies


Explanation
Explanation/Reference:
Drill down: Configure - Security - C3PL - Class Map - Inspection
QUESTION 125
Using the lab \Lab Work\Security Labs\GNS3Labs\CCP-Investigate\Topology.net, or the pictures in the exhibit, answer the following question.
Which policy map is used for the Zone Pair LAN-To-WAN?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)
Exhibit:
A. MailTraffic
B. Web
C. RegularTrafficAllowed
D. http
Correct Answer: C
Section: 7. Cisco Firewall Technologies


Explanation
Explanation/Reference:
Drill down; the picture has it wrong, so hunt it down. Look at the zone pairs and the policy maps: Configure - Security - Firewall - Firewall Components -
Zone Pairs (LAN-to-WAN means, and shows as, inside to outside). The "in-to-out" policy shows mail, web and class-default, so it looks like "web", but
the zone pair says the policy is "in-to-out". You must hunt this one down, and if the zone pair screen does not show an answer choice, hunt it down; it is there.
QUESTION 126
Which represents a unique local address (IPv6)?
A. FD00::/8
B. 2002::/16
C. FED0::/8
D. 2001::/32
Correct Answer: A
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
The address block fc00::/7 is divided into two /8 groups:
The block fc00::/8 has not been defined yet. It has been proposed to be managed by an allocation authority, but this has not gained acceptance in the
IETF. This block is also used by the cjdns mesh network.
The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string. This results in
the format fdxx:xxxx:xxxx:: for a prefix in this range. RFC 4193 offers a suggestion for generating the random identifier to obtain a minimum-quality
result if the user does not have access to a good source of random numbers.
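As an added example (not part of this exam dump), the RFC 4193 prefix generation described above, in Python: SHA-1 over an NTP timestamp and an EUI-64, the least significant 40 bits kept as the Global ID and assembled into an fdxx:xxxx:xxxx::/48 prefix, plus a check that places an address in one of the two /8 halves of fc00::/7. The MAC address and timestamp are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# RFC 4193 space: fc00::/7, split into fc00::/8 (undefined) and fd00::/8 (L=1, locally assigned)
ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")
ULA_LOCAL_BLOCK = ipaddress.IPv6Network("fd00::/8")
ULA_UNDEFINED_BLOCK = ipaddress.IPv6Network("fc00::/8")

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction) as 8 big-endian bytes."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def eui64_from_mac(mac: bytes) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): insert ff:fe and flip the universal/local bit."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    eui = mac[:3] + b"\xff\xfe" + mac[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def global_id(unix_time: float, mac: bytes) -> int:
    """RFC 4193 section 3.2.2: SHA-1(NTP time || EUI-64), keep the least significant 40 bits."""
    digest = hashlib.sha1(ntp_timestamp(unix_time) + eui64_from_mac(mac)).digest()
    return int.from_bytes(digest[-5:], "big")


def ula_prefix(unix_time: float, mac: bytes) -> ipaddress.IPv6Network:
    """Concatenate the fd prefix byte and the 40-bit Global ID into a /48 (fdxx:xxxx:xxxx::/48)."""
    prefix_int = (0xFD << 120) | (global_id(unix_time, mac) << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def classify(addr: str) -> str:
    """Report which part of the fc00::/7 block, if any, an IPv6 address falls into."""
    ip = ipaddress.IPv6Address(addr)
    if ip in ULA_LOCAL_BLOCK:
        return "unique local, locally assigned (fd00::/8)"
    if ip in ULA_UNDEFINED_BLOCK:
        return "inside fc00::/7 but in the undefined fc00::/8 half"
    return "not a unique local address"


if __name__ == "__main__":
    # Constructed sample inputs: a fixed timestamp and a made-up MAC address
    sample_time = 1700000000.25
    sample_mac = bytes.fromhex("0250563c1a2b")
    print("generated ULA /48:", ula_prefix(sample_time, sample_mac))
    for a in ("fd00::1", "fc00::1", "2001:db8::1", "fed0::1"):
        print(a, "->", classify(a))
```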
