Number: 640-554
Passing Score: 800
Time Limit: 120 min
File Version: 1.0
Cisco 640-554
IINS v2.0
Sections
1. Common Security Threats
2. Security and Cisco Routers
3. AAA
4. IOS ACLs
5. Secure Network Management and Reporting
6. Common Layer 2 Attacks
7. Cisco Firewall Technologies
8. Cisco IPS
9. VPN Technologies
www.vceplus.com - Download A+ VCE (latest) free Open VCE Exams - VCE to PDF Converter - VCE Exam Simulator - VCE Online - IT Certifications
Exam A
QUESTION 1
Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)
A. Spam protection
B. Outbreak intelligence
C. HTTP and HTTPS scanning
D. Email encryption
E. DDoS protection
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
IronPort Email Security Appliances and IronPort Web Security Appliances (WSA): these appliances provide granular control of email and, in the case of web traffic and the WSA, can track thousands of applications and enforce security policies to protect networks against threats.
QUESTION 2
Which two characteristics represent a blended threat? (Choose two.)
A. man-in-the-middle attack
B. trojan horse attack
C. pharming attack
D. denial of service attack
E. day zero attack
Correct Answer: BE
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
A blended threat is an exploit that combines elements of multiple types of malware and usually employs multiple attack vectors to increase the severity of damage and the speed of contagion. Nimda, CodeRed, Bugbear and Conficker are a few well-known examples. Although they may be identified as viruses, worms or Trojan horses, most current exploits are blended threats.
A blended threat typically includes:
More than one means of propagation -- for example, sending an email with a hybrid virus/worm that will self-replicate and also infect a Web server so that contagion will spread through all visitors to a particular site.
Exploitation of vulnerabilities which may be preexisting or may be caused by malware distributed as part of the attack.
The intent to cause real harm, for example, by launching a denial of service (DoS) attack against a target or delivering a Trojan horse that will be activated at some later date.
Automation that enables increasing contagion without requiring any user action.
To guard against blended threats, experts urge network administrators to be vigilant about patch management, use and maintain good firewall products, employ server software to detect malware, and educate users about proper e-mail handling and online behavior.
A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.
QUESTION 3
Which type of security control is defense in depth?
A. threat mitigation
B. risk analysis
C. botnet mitigation
D. overt and covert channels
Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
QUESTION 4
Which four methods are used by hackers? (Choose four.)
A.
B.
C.
D.
E.
F.
Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
QUESTION 6
What is the best way to prevent a VLAN hopping attack?
A.
B.
C.
D.
Correct Answer: C
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
QUESTION 7
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?
A.
B.
C.
D.
Correct Answer: D
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
QUESTION 8
Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)
A. root guard
B. BPDU filtering
C. Layer 2 PDU rate limiter
D. BPDU guard
Correct Answer: AD
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
The BPDU guard feature is designed to allow network designers to keep the active network topology predictable. BPDU guard is used to protect the switched network from the problems that may be caused by the receipt of BPDUs on ports that should not be receiving them. The receipt of unexpected BPDUs may be accidental or may be part of an unauthorized attempt to add a switch to the network. BPDU guard is best deployed toward user-facing ports to prevent rogue switch network extensions by an attacker.
The root guard feature of Cisco switches is designed to provide a way to enforce the placement of root bridges in the network. Root guard limits the switch ports out of which the root bridge may be negotiated. If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, then that port is moved to a root-inconsistent state, which is effectively equal to an STP listening state, and no data traffic is forwarded across that port.
QUESTION 9
Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)
A. IP source guard
B. port security
C. root guard
D. BPDU guard
Correct Answer: AB
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC address of the system connected to a particular port. This also provides the ability to specify an action to take if a port security violation occurs.
IP source guard is a security feature that filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on nonrouted Layer 2 interfaces. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor. IP source guard prevents IP/MAC spoofing.
Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html#ipsourceguard
QUESTION 10
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.
Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus4000/nexus4000_i/sw/configuration/guide/rel_4_1_2_E1_1/n400xi_config/PrivateVLANs.html
QUESTION 11
What are two primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. switch spoofing
C. CAM-table overflow
D. double tagging
Correct Answer: BD
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Switch spoofing is when a host uses software to act like a switch and connect via a negotiated trunk port.
Double tagging is when a host tags frames with two VLAN tags.
There are a number of different types of VLAN attacks in modern switched networks. The VLAN architecture simplifies network maintenance and improves performance, but it also opens the door to abuse. It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.
VLAN hopping enables traffic from one VLAN to be seen by another VLAN. Switch spoofing is a type of VLAN hopping attack that works by taking advantage of an incorrectly configured trunk port. By default, trunk ports have access to all VLANs and pass traffic for multiple VLANs across the same physical link, generally between switches.
Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify, as shown below. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.
Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10
QUESTION 12
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are
assigned to a zone? (Choose three.)
A. traffic flowing between a zone member interface and any interface that is not a zone member
B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
QUESTION 13
Which two services are provided by IPsec? (Choose two.)
A. Confidentiality
B. Encapsulating Security Payload
C. Data Integrity
D. Authentication Header
E. Internet Key Exchange
Correct Answer: AC
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
QUESTION 14
Which command verifies phase 2 of an IPsec VPN on a Cisco router?
A.
B.
C.
D.
Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
The main commands for verifying IPsec connections on a Cisco router are:
show crypto isakmp sa: shows the IKE Phase 1 security associations.
show crypto ipsec sa: shows the IKE Phase 2 (IPsec) security associations; it will show the details from the crypto map even when the tunnel is down.
show crypto session: shows everything; the session will show as DOWN when the IPsec connection hasn't been made.
QUESTION 15
Which three protocols are supported by management plane protection? (Choose three.)
A. SNMP
B. SMTP
C. SSH
D. OSPF
E. HTTPS
F. EIGRP
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/poman.html
Understanding Policies
In Security Manager, a policy is a set of rules or parameters that define a particular aspect of network configuration. You configure your network by
defining policies on devices (which includes individual devices, service modules, security contexts, and virtual sensors) and VPN topologies (which are
made up of multiple devices), and then deploying the configurations defined by these policies to these devices.
Several types of policies might be required to configure a particular solution. For example, to configure a site-to-site VPN, you might need to configure
multiple policies, such as IPsec, IKE, GRE, and so forth.
Policies are assigned to one or more devices. After a policy is assigned to a device, any changes to the policy definition change the behavior of the
device.
Settings-Based Policies vs. Rule-Based Policies
Rule-Based Policies
Rule-based policies contain one or more rules that govern how to handle traffic on a selected device, such as the access rules and inspection rules
defined as part of a firewall service. Rule-based policies can contain hundreds or even thousands of rules arranged in a table, each defining different
values for the same set of parameters. The ordering of the rules is very important, as traffic flows are assigned the first rule whose definition matches
the flow (known as first matching).
Settings-Based Policies
Settings-based policies contain sets of related parameters that together define one aspect of security or device operation. For example, when you
configure a Cisco IOS router, you can define a quality of service (QoS) policy that defines which interfaces are included in the policy, the type of traffic on
which QoS is applied, and the definition of how this traffic should be queued and shaped. Unlike rule-based policies, which can contain hundreds of rules
containing values for the same set of parameters, you can define only one set of parameters for each settings-based policy defined on a device.
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/poman.html#pgfId-508714
QUESTION 17
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device
reloads?
A.
B.
C.
D.
Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
QUESTION 18
Which option provides the most secure method to deliver alerts on an IPS?
A. IME
B. CSM
C. SDEE
D. syslog
Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
SDEE is the most secure option because it is pull-based: syslog can only push events, whereas SDEE lets the management station pull them over HTTP/HTTPS.
QUESTION 19
Which syslog level is associated with LOG_WARNING?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
Correct Answer: D
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
Explanation:
Syslog levels: 0 emergencies, 1 alerts, 2 critical, 3 errors, 4 warnings, 5 notifications, 6 informational, 7 debugging. LOG_WARNING is level 4.
QUESTION 20
Scenario:
You are the security administrator for a small company. This morning your manager supplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate the pre-configured CCP in order to find answers to your business questions.
D. Host 74.125.224.179
E. Network 192.168.1.0/8
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Explanation:
Can't answer from this description/image
QUESTION 21
Which represents a unique link-local address (IPv6)?
A. FEB0::/8
B. 2002::/16
C. FED0::/8
D. 2001::/32
Correct Answer: A
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
2002::/16 is for 6to4 tunnels.
FEB0::/8 would be the correct answer then: the link-local range FE80::/10 covers the prefixes FE80::, FE90::, FEA0:: and FEB0::.
QUESTION 22
How many class maps can be configured on a (router) interface?
A. 1
B. 2
C. 3
D. 4
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
I think this question is actually about policy maps.
You can configure a single service policy on an interface; this service policy references a policy map.
A policy map can reference up to 64 class maps, which is the limit of class maps that can be created.
QUESTION 23
Which command initializes a lawful intercept view?
A.
B.
C.
D.
Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized
by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and
Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.
SUMMARY STEPS
1. enable view
2. configure terminal
3. li-view li-password user username password password
4. username [lawful-intercept] name [privilege privilege-level | view view-name] password password
5. parser view view-name
6. secret 5 encrypted-password
7. name new-name
DETAILED STEPS
Step 1
Router> enable view
Enables root view. Enter your privilege level 15 password (for example, root password) if prompted.
Step 2
Router# configure terminal
Enters global configuration mode.
Step 3
li-view li-password user username password password
Example:
Router(config)# li-view lipass user li_admin password li_adminpass
Initializes a lawful intercept view with a password of lipass and a user of li_admin whose password is li_adminpass. After the li-view is initialized, you must specify at least one user via the user username password password options.
Step 4
username [lawful-intercept] name [privilege privilege-level | view view-name] password password
Example:
Router(config)# username lawful-intercept li-user1 password li-user1pass
Configures lawful intercept users on a Cisco device.
http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_role_base_cli.html
QUESTION 24
Which NAT types are used for ASA in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload
D. Dynamic PAT
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
With a transparent firewall, we still have two interfaces, but we do not assign IP addresses to those interfaces, and those two interfaces act more like a bridge (or a switch with two ports in the same VLAN). Traffic from one segment of a given subnet is forced through the transparent firewall if those frames want to reach the second segment behind the firewall. A transparent firewall has a management IP address so that we can remotely access it, but that is all. Users accessing resources through the firewall will not be aware that it is even present, and one of the biggest advantages of using a transparent firewall is that we do not have to re-address our IP subnets to put a transparent firewall in-line on the network.
QUESTION 25
Which three RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
0.0.0.31
0.0.0.224
0.0.223.255
0.0.0.27
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
QUESTION 27
What does NTP authenticate?
A.
B.
C.
D.
Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
QUESTION 28
Which firewall acts on behalf of end user?
A. Proxy
B. State
C. ASA
D. Application
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
QUESTION 29
What encryption does Cisco use to protect image downloading?
A. SHA1
B. SHA2
C. MD5
D. MD1
Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
This is referring to the hash that Cisco uses to allow customers to confirm the download of Cisco software, including the IPS signature files.
QUESTION 30
How long does the router wait for a TACACS+ response before it throws an error?
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds
Correct Answer: A
Section: 3.0 AAA
Explanation
Explanation/Reference:
The TACACS+ timeout can be set globally or per server.
Configuring the Global TACACS+ Timeout Interval
You can set a global timeout interval that the Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout
failure. The timeout interval determines how long the Nexus 5000 Series switch waits for responses from TACACS+ servers before declaring a timeout
failure.
Command
switch# configure terminal
Password
Hash
The key
Transform sets
Correct Answer: BC
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
When using HMAC (Hashed Message Authentication Code), we combine the integrity checking capability of the hashing algorithm with authentication by use of a shared key.
QUESTION 32
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?
A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode
Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Enabling Permanent Client Installation
Enabling permanent client installation disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for
subsequent connections, reducing the connection time for the remote user.
To enable permanent client installation for a specific group or user, use the svc keep-installer command from group-policy or username webvpn modes:
svc keep-installer installed
The default is that permanent installation of the client is enabled. The client remains on the remote computer at the end of the session. The following
example configures the existing group-policy sales to remove the client on the remote computer at the end of the session:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# svc keep-installer installed none
QUESTION 33
You are the network manager for your organization. You are looking at your syslog server reports. Based on the syslog message shown, which two statements are true? (Choose two.)
Feb 1 10:12.08 PST:%SYS-5-CONFIG_I:Configured from console by vty0 (10.2.2.6)
A.
B.
C.
D.
Correct Answer: AD
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
QUESTION 34
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web
page. Which action should you take to begin troubleshooting?
A.
B.
C.
D.
Correct Answer: A
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113600-technote-product-00.html
QUESTION 35
Which tasks is the session management path responsible for? (Choose three.)
A.
B.
C.
D.
E.
F.
Report Manager
Health and Performance Monitoring
Policy Manager
Event Manager
Correct Answer: B
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Report Manager: collects, displays and exports network usage and security information for ASA and IPS devices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, and throughput users. Data is also aggregated for hourly, daily, and monthly periods.
Health and Performance Monitor (HPM): monitors and displays key health, performance and VPN data for ASA and IPS devices in your network. This information includes critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normal or priority monitoring, and set different alert rules for the priority devices.
http://www.cisco.com/c/en/us/products/collateral/security/security-manager/datasheet-c78-735775.html
QUESTION 37
What best describes transport mode in a VPN? (Choose three.)
A. support multicast
B. support unicast
C. used between hosts
D. used between gateways
E. used between gateway and host
policing
ACL
IPS
antispoofing
QoS
DHCP-snooping
Explanation/Reference:
Data Plane Security
Access control lists
Private VLAN
Firewalling
Intrusion Prevention System (IPS)
Layer 2 Data Plane Protection
Port security prevents MAC flooding attacks.
DHCP snooping prevents client attacks on the DHCP server and switch.
Dynamic ARP Inspection (DAI) adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofing attacks.
IP Source Guard prevents IP spoofing addresses by using the DHCP snooping table.
Antispoofing
ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.
ACLs
ACLs are used to secure the data plane in a variety of ways, including the following:
Antispoofing: implementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering renders the use of invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP addresses which could be traced to the originator of an attack. Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofing strategy.
Port security: prevents MAC address spoofing and MAC address flooding attacks.
DHCP snooping: prevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch.
IP source guard: prevents IP spoofing addresses by using the DHCP snooping table.
QUESTION 39
On which Cisco Configuration Professional screen do you enable AAA?
A. AAA Summary
B. AAA Servers and Groups
C. Authentication Policies
D. Authorization Policies
Correct Answer: A
Section: 3.0 AAA
Explanation
Explanation/Reference:
QUESTION 40
Which command is used to change a Layer 2 port into a Layer 3 routed port?
A. no switchport
B. switchport port-security
C. ip routing
D. sdm prefer lanbase-routing
Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
QUESTION 41
Where is the best place to put the IPS inline?
A.
B.
C.
D.
Correct Answer: A
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 42
Which syslog severity level is level number 7?
A. Warning
B. Debug
C. Critical
D. Emergency
E. Notice
F. Error
Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
Explanation:
Syslog levels
QUESTION 43
Which statement about the role-based CLI access views on a Cisco router is true?
A.
B.
C.
D.
The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view.
The maximum number of configurable CLI access views is 10, including one superview.
The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
The maximum number of configurable CLI access views is 15, including one lawful intercept view.
Correct Answer: C
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Restrictions for Role-Based CLI Access
Lawful Intercept Images Limitation
Because CLI views are a part of the Cisco IOS parser, CLI views are a part of all platforms and Cisco IOS images. However, the lawful
intercept view is available only in images that contain the lawful intercept subsystem.
Maximum Number of Allowed Views
The maximum number of CLI views and superviews, including one lawful intercept view, that can be configured is 15. (This does not include
the root view.)
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
QUESTION 44
Which Cisco Security Manager feature enables the configuration of unsupported device features?
A.
B.
C.
D.
Deployment Manager
FlexConfig
Policy Object Manager
Configuration Manager
Correct Answer: B
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
FlexConfig policies allow you to configure device commands that are not otherwise supported by Security Manager. By using FlexConfigs, you can extend Security Manager's control over a device configuration and take advantage of new device features before upgrading the product.
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-7/user/guide/CSMUserGuide/tmplchap.html#20503
QUESTION 45
Which statement about IPv6 address allocation is true?
A.
B.
C.
D.
Correct Answer: C
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
A major difference between IPv4 and IPv6 is that with IPv6, an IPv6-capable device is expected to have more than one IPv6 address.
Most interfaces will have at least a link-local address (FE80) and possibly a global (2xxx or 3xxx) or unique local (fc00::/7) address.
QUESTION 46
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback
method?
A.
B.
C.
D.
Correct Answer: D
Section: 3.0 AAA
Explanation
Explanation/Reference:
The syntax to create an AAA authentication policy on IOS is
aaa authentication [type] [name] [method list]
If only one method is specified, there is no fallback.
However, this question is actually about the ASA, which has a slightly different syntax.
The aaa authentication enable console policy applies to users who are logged in at the console and try to use the enable command to enter the privileged prompt.
http://www.ciscopress.com/articles/article.asp?p=1552963&seqNum=3
Explanation:
To authenticate users who access the adaptive security appliance CLI over a serial, SSH, HTTPS (ASDM), or Telnet connection, or to authenticate
users who access privileged EXEC mode using the enable command, use the aaa authentication console command in global configuration mode. To
disable authentication, use the no form of this command.
aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
no aaa authentication {serial | enable | telnet | ssh | http} console {LOCAL | server_group [LOCAL]}
Syntax Description
enable Authenticates users who access privileged EXEC mode when they use the enable command.
http Authenticates ASDM users who access the adaptive security appliance over HTTPS. You only need to configure HTTPS authentication if you want
to use a RADIUS or TACACS+ server. By default, ASDM uses the local database for authentication even if you do not configure this command.
LOCAL Uses the local database for authentication. LOCAL is case sensitive. If the local database is empty, the following warning message appears:
Warning:local database is empty! Use 'username' command to define local users. If the local database becomes empty when LOCAL is still present in
the configuration, the following warning message appears:
Warning:Local user database is empty and there are still commands using 'LOCAL' for authentication.
server-tag [LOCAL] Specifies the AAA server group tag defined by the aaa-server command.
If you use the LOCAL keyword in addition to the server-tag, you can configure the adaptive security appliance to use the local database as a fallback
method if the AAA server is unavailable. LOCAL is case sensitive. We recommend that you use the same username and password in the local database
as the AAA server because the adaptive security appliance prompt does not give any indication which method is being used.
serial Authenticates users who access the adaptive security appliance using the serial console port.
ssh Authenticates users who access the adaptive security appliance using SSH.
telnet Authenticates users who access the adaptive security appliance using Telnet.
Defaults
By default, fallback to the local database is disabled.
If the aaa authentication telnet console command is not defined, you can gain access to the adaptive security appliance CLI with the adaptive security
appliance login password (set with the password command).
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/a1.html#wp1555520
QUESTION 47
Which command will configure a Cisco router to use a TACACS+ server to authorize network services with no fallback method?
A.
B.
C.
D.
Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
On a Cisco IOS router, the syntax to define new-model AAA authorization policies is:
aaa authorization [type] [name] [methods-list]
The method list can name several methods to use for authorization, for example: group tacacs+, group radius, local, enable, etc.
The methods are tried in the order listed. If one of the methods is unreachable (for example, the router cannot connect to the TACACS+ server), the next
method is tried, which provides a fallback method.
A FAILED authorization does not try the next method; only an unreachable method does.
When only a single method is listed, there is no fallback if that method cannot be reached.
In this case, we are looking to authorize network services, so we need
aaa authorization network
Only one answer that starts with aaa authorization network has a single method:
aaa authorization network default group tacacs+
QUESTION 48
Which three statements about RADIUS are true? (Choose three.)
A.
B.
C.
D.
E.
F.
QUESTION 49
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device
reloads?
A.
B.
C.
D.
Correct Answer: C
Section: 3.0 AAA
Explanation
Explanation/Reference:
On a Cisco IOS router, the syntax to define new-model AAA accounting policies is:
aaa accounting [type] [name] [methods-list]
The accounting types are:
network: To create a method list that provides accounting for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARA protocols),
use the network keyword. For example, to create a method list that provides accounting information for ARAP (network) sessions, use the arap keyword.
exec: To create a method list that provides accounting records about user EXEC terminal sessions on the network access server, including username,
date, start and stop times, use the exec keyword.
commands: To create a method list that provides accounting information about specific, individual EXEC commands associated with a specific
privilege level, use the commands keyword.
connection: To create a method list that provides accounting information about all outbound connections made from the network access server, use
the connection keyword.
resource: Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html#wp1000952
QUESTION 50
Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)
A.
B.
C.
D.
start-stop
stop-record
stop-only
stop
Correct Answer: AC
Section: 3.0 AAA
Explanation
Explanation/Reference:
The general syntax for accounting is:
Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]
We can account for start and stop or stop only.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfacct.html
QUESTION 51
What is the first command you enter to configure AAA on a new Cisco router?
A. aaa configuration
B. no aaa-configuration
C. no aaa new-model
D. aaa new-model
Correct Answer: D
Section: 3.0 AAA
Explanation
Explanation/Reference:
When setting up remote AAA, aaa new-model must first be turned on.
Be aware that this disables the default login behaviour of line vty and line con.
QUESTION 52
Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
0
1
2
15
Correct Answer: C
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Similar to Cisco IOS devices, the ASA has 16 privilege levels, from 0 to 15.
The default privilege level for a user is 2.
On IOS, the default privilege level is level 1
Authenticating Users Using the Login Command
From user EXEC mode, you can log in as any username in the local database using the login command.
This feature allows users to log in with their own username and password to access privileged EXEC mode, so you do not have to give out the system
enable password to everyone. To allow users to access privileged EXEC mode (and all commands) when they log in, set the user privilege level to 2 (the
default) through 15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See
the "Configuring Local Command Authorization" section for more information.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/mgaccess.html#wp1042028
QUESTION 54
Which statement about ACL operations is true?
A.
B.
C.
D.
Correct Answer: B
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
Access Lists are a series of entries
Access Lists Entries are processed in order
When a match is made, the action specified by that entry is performed and no further entries are processed
The last entry on all access lists is the implicit deny all
QUESTION 55
Which three statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination.
B.
C.
D.
E.
F.
QUESTION 56
Which command configures a device to actively watch connection requests and provide immediate protection from DDoS attacks?
A.
B.
C.
D.
Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
About TCP Intercept
The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of denial-of-service attack.
A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable
return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and
can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a web site, accessing e-mail, using FTP service,
and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP
intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list.
The basic configuration requires setting up an ACL that is used to "watch" incoming TCP traffic.
Step 1
Router(config)# access-list access-list-number {deny | permit} tcp any destination destination-wildcard
Defines an IP extended access list.
Step 2
Router(config)# ip tcp intercept list access-list-number
Enables TCP intercept.
Step 3 (Optional)
Router(config)# ip tcp intercept mode {intercept | watch}
You can then set the mode to Intercept or Watch. The default is intercept.
You can also modify the following:
Setting the TCP Intercept Drop Mode (Optional)
Changing the TCP Intercept Timers (Optional)
Changing the TCP Intercept Aggressive Thresholds (Optional)
Monitoring and Maintaining TCP Intercept (Optional)
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfdenl.html
QUESTION 57
Which command will block external spoofed addresses?
A.
B.
C.
D.
Correct Answer: C
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
Not sure if this is a partial question or mismarked. Spoofed addresses usually refers to source addresses that mimic your own internal addressing scheme.
Private or Reserved Addresses are defined in RFC 1918
A common set of entries for access lists incoming into a network are as follows:
!--- Filter RFC 1918 space.
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Deny your space as source from entering your AS.
!--- Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any
In this question, denying 10.0.0.0 0.255.255.255 matches one of the common reserved addresses and is the correct answer.
http://www.cisco.com/c/en/us/support/docs/ip/access-lists/43920-iacl.html
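An added example, not part of the exam dump or of Cisco's documentation, that models the ACL behaviour described in questions 54 and 57: entries are evaluated top down, the first match decides, and anything unmatched hits the implicit deny. The access-list 110 entries above are reused; YOUR_CIDR_BLOCK is stood in for by the constructed range 203.0.113.0/24, and the trailing permit is an assumption added so that the effect of ordering is visible.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample ACL modelled on the anti-spoofing entries quoted above.
# 203.0.113.0/24 stands in for YOUR_CIDR_BLOCK (constructed for this example).
# The final permit is an assumption so that ordering, not just presence, can be shown.
SAMPLE_ACL = [
    "access-list 110 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 110 deny ip 172.16.0.0 0.15.255.255 any",
    "access-list 110 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 110 deny ip 203.0.113.0 0.0.0.255 any",
    "access-list 110 permit ip any any",
]


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = (~_to_int(wildcard)) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def _parse_address(tokens: List[str], pos: int) -> Tuple[Tuple[str, str], int]:
    """Read one address spec (any | host A | A WILDCARD); return ((base, wildcard), next_pos)."""
    tok = tokens[pos]
    if tok == "any":
        return ("0.0.0.0", "255.255.255.255"), pos + 1
    if tok == "host":
        return (tokens[pos + 1], "0.0.0.0"), pos + 2
    return (tok, tokens[pos + 1]), pos + 2


def parse_ace(line: str) -> dict:
    """Parse 'access-list <n> {permit|deny} <proto> <src> <dst>' into a dict."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, pos = _parse_address(t, 4)
    dst, _ = _parse_address(t, pos)
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "text": line}


def evaluate(acl_lines: List[str], proto: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Walk the ACL top down; the first matching entry wins.

    Returns (action, index_of_matching_entry); index None means the packet
    fell through every entry and was dropped by the implicit deny.
    """
    for idx, line in enumerate(acl_lines):
        ace = parse_ace(line)
        # An ACE written for 'ip' covers every IP protocol; otherwise protocols must match.
        if ace["proto"] not in ("ip", proto):
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], idx
    return "deny", None


if __name__ == "__main__":
    # Packets arriving on the edge from outside; 10.x and 203.0.113.x sources are spoofed.
    for source in ("10.1.2.3", "172.31.9.9", "203.0.113.5", "198.51.100.7"):
        print(source, evaluate(SAMPLE_ACL, "tcp", source, "203.0.113.10"))
```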
QUESTION 58
Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. port security
B. DHCP snooping
C. IP source guard
D. dynamic ARP inspection
Correct Answer: BD
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
ARP spoofing is a common Layer 2 attack. It can be used as part of ARP poisoning, man-in-the-middle attacks or session hijacking, among others.
In this type of attack, the attacker sends false ARP requests and/or replies.
DHCP snooping allows a Cisco switch to examine all DHCP requests and build an IP-to-MAC address binding table based on the addresses given out.
Dynamic ARP inspection checks any ARP traffic against this table to verify the details.
Hosts with statically assigned IP addresses must be added manually to the DHCP snooping binding table.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html
QUESTION 59
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. port security
B. dynamic port security
C. IP source guard
D. root guard
Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Port security helps prevent CAM table overflow attacks by limiting the number of MAC addresses that can be learned on an interface:
switchport port-security maximum 2
switchport port-security
After you have set the maximum number of secure MAC addresses on a port, the secure addresses are included in an address table in one of these
ways:
You can configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
You can configure a number of addresses and allow the rest to be dynamically configured.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
QUESTION 60
What is the most common Cisco Discovery Protocol version 1 attack?
A. denial of service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping
Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Since CDP is on by default on most routers, it can be used to flood a router and overwhelm the CPU.
This becomes a type of denial of service attack.
https://heggel4.wordpress.com/2014/10/11/protect-your-network-against-cdp-attacks/
QUESTION 61
Which option describes a function of a virtual LAN?
A. A virtual LAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.
B. A virtual LAN creates trunks and links two switches together.
C. A virtual LAN adds every port on a switch to its own collision domain.
D. A virtual LAN connects many hubs together.
Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Explanation:
QUESTION 62
Which action can you take to add bandwidth to a trunk between two switches and end up with only one logical interface?
A.
B.
C.
D.
Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
When you have two connections between switches, this can cause a loop.
By configuring EtherChannel, the participating interfaces are treated as a single logical interface, a PortChannel.
QUESTION 63
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A.
B.
C.
D.
Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
The native VLAN is specified in the 802.1Q specification.
In Cisco's implementation, traffic on the native VLAN is not tagged as it crosses a trunk.
Because of this, if there is a native VLAN mismatch between switches, STP updates may not reach the correct devices/STP instances, potentially
causing a loop.
QUESTION 64
Which VTP mode allows you to change the VLAN configuration and will then propagate the change throughout the entire switched network?
A. VTP server
B. VTP client
C. VTP transparent
D. VTP off
Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Explanation:
There are 3 modes for VTP:
Server: can manage the VLAN database, stores a vlan.dat in NVRAM, and can set the domain and add, remove, and rename VLANs.
Client: gets its VLAN list from the server. It can assign ports to VLANs but cannot change the VLAN database, and does not store a vlan.dat in NVRAM.
Transparent: passes VTP updates through trunk ports but does not use the information, and manages an independent VLAN database.
QUESTION 65
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
A.
B.
C.
D.
Correct Answer: A
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
The high level steps for STP
1. Elect a root Bridge
2. Non-Root Bridges elect a root port
3. Non-Root paths/redundant paths between switches choose designated and alternate/blocking ports
QUESTION 66
What is the default STP priority on a switch?
A. 4096
B. 24576
C. 16384
D. 32768
Correct Answer: D
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Cisco Switches have their STP priority at 32768 by default
QUESTION 67
Which two options are asymmetric-key algorithms that are recommended by Cisco? (Choose two.)
A. Rivest-Shamir-Adleman Algorithm
B. ElGamal encryption system
C. Digital Signature Algorithm
D. Paillier cryptosystem
Correct Answer: AC
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
When generating public/private key pairs for SSH, you can use either RSA or DSA.
http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/security/command/reference/b_syssec_cr42crs/
b_syssec_cr41crs_chapter_0111.html#wp4092742478
QUESTION 68
Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message?
A.
B.
C.
D.
Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
One-way encryption, or hashing, is used to generate a fixed-length output message regardless of the size of the original message.
Common hash algorithms are SHA-1 and MD5.
When setting up IPsec, you specify the following (HAGLE):
H - hash (md5 or sha)
A - authentication (pre-shared keys, rsa-sigs (digital certs))
G - DH group (1, 2, 5 etc.)
L - lifetime for the IKE phase 1 tunnel
E - encryption to use (des, 3des, aes)
Hash output lengths:
MD5 - 128 bits
SHA-224 - 224 bits
SHA-256 - 256 bits
SHA-384 - 384 bits
SHA-512 - 512 bits
SHA-512/224 - 224 bits
SHA-512/256 - 256 bits
QUESTION 69
Which three options are components of Transport Layer Security? (Choose three.)
A. stateless handshake
B. stateful handshake
C. application layer
D. session layer
E. pre-shared keys
F. digital certificates
QUESTION 71
Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router?
A. show crypto map
Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Clientless SSL VPN Security Precautions
By default, the ASA allows all portal traffic to all Web resources (for example HTTPS, CIFS, RDP, and plug-ins). Clientless SSL VPN rewrites each URL
to one that is meaningful only to the ASA. The user cannot use this URL to confirm that they are connected to the website they requested. To avoid
placing users at risk from phishing websites, assign a Web ACL to the policies configured for clientless access (group policies, dynamic access
policies, or both) to control traffic flows from the portal. Cisco recommends switching off URL Entry on these policies to prevent user confusion over
what is accessible.
Step 1
webvpn Switches to group policy Clientless SSL VPN configuration mode.
Step 2
url-entry Controls the ability of the user to enter any HTTP/HTTPS URL.
Step 3
(Optional) url-entry disable
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-configure-gateway.html
QUESTION 73
Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection?
A.
B.
C.
D.
Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Configuring DTLS
Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels: an SSL
tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with SSL connections and improves the performance of
real-time applications that are sensitive to packet delays.
By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS, SSL VPN connections connect with an SSL VPN
tunnel only.
Note In order for DTLS to fall back to a TLS connection, Dead Peer Detection (DPD) must be enabled. If you do not enable DPD, and the DTLS
connection experiences a problem, the connection terminates instead of falling back to TLS.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html
QUESTION 74
Where is the transform set applied in an IOS IPsec VPN?
A. on the WAN interface
QUESTION 75
Which authentication protocol does the Cisco AnyConnect VPN password management feature require to operate?
A. MS-CHAPv1
B. MS-CHAPv2
C. CHAP
D. Kerberos
Correct Answer: B
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
The password management feature allows users to get warnings and change their authentication passwords through the ASA SSL VPN.
When you configure the password-management command, the security appliance notifies the remote user at login that the user's current password is
about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet
expired, the user can still log in using that password.
The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.
The security appliance, releases 7.1 and later, generally supports password management for the AnyConnect VPN Client, the Cisco IPSec VPN Client,
the SSL VPN full-tunneling client, and Clientless connections when authenticating with LDAP or with any RADIUS connection that supports MS-CHAPv2.
Password management is not supported for any of these connection types for Kerberos/AD (Windows password) or NT 4.0 Domain.
Some RADIUS servers that support MS-CHAP do not currently support MS-CHAPv2. The password-management command requires MS-CHAPv2,
so please check with your vendor.
The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security
appliance perspective, it is talking only to a RADIUS server.
For LDAP, the method to change a password is proprietary for the different LDAP servers on the market. Currently, the security appliance implements
the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers. Native LDAP requires an SSL connection. You
must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP uses port 636.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/vpngrp.html#wp1166214
QUESTION 76
In which stage of an attack does the attacker discover devices on a target network?
A. reconnaissance
B. gaining access
C. maintaining access
D. covering tracks
Correct Answer: A
Correct Answer: B
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
Unicast Reverse Path Forwarding verifies the source IP of a packet against the routing table of the router.
Verifying symmetry means that the packet must have arrived along the same path the router would use to return to its source (this can be a problem for
multi-homed routers at edges).
It can be used in strict or loose mode.
This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded.
When administrators use Unicast RPF in strict mode, the packet must be received on the interface that the router would use to forward the return packet.
When administrators use Unicast RPF in loose mode, the source address must simply appear in the routing table. Administrators can change this behavior
using the allow-default option, which allows the use of the default route in the source verification process.
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html
QUESTION 78
By which kind of threat is the victim tricked into entering username and password information at a disguised website?
A. phishing
B. spam
C. malware
D. spoofing
Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
Phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company:
"phishing exercises in which criminals create replicas of commercial Web sites"
QUESTION 79
Which Cisco product can help mitigate web-based attacks within a network?
A.
B.
C.
D.
Correct Answer: B
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
Get advanced threat defense, advanced malware protection, application visibility and control, insightful reporting, and secure mobility. The Cisco Web
Security Appliance (WSA) combines all of these forms of protection and more in a single solution. The WSA also helps to secure and control web traffic,
while simplifying deployment and reducing costs.
http://www.cisco.com/c/dam/en/us/products/collateral/security/web-security-appliance/at-a-glance-c45-730937.pdf
QUESTION 80
Which type of IPS can identify worms that are propagating in a network?
A. signature-based IPS
B. policy-based IPS
C. anomaly-based IPS
D. reputation-based IPS
Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 81
When a company puts a security policy in place, what is the effect on the company's business?
A. minimizing risk
B. minimizing total cost of ownership
C. minimizing liability
D. maximizing compliance
Correct Answer: A
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
The goal of a security policy is to minimize risk, using the best available knowledge and guided by the balance of security vs. availability.
However, it needs standards, guidelines and procedures in place to actually work.
QUESTION 82
Which IOS feature can limit SSH access to a specific subnet under a VTY line?
A. access class
B. access list
C. route map
D. route tag
Correct Answer: A
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
You can create an access list and, rather than applying it to a specific interface, apply it with the access-class command under the line vty.
This allows you to control the source (and possibly the destination) IP address that is used to access the VTY (Telnet or SSH).
QUESTION 83
Which two protocols can SNMP use to send messages over a secure communications channel? (Choose two.)
A. DTLS
B. TLS
C. ESP
D. AH
E. ISAKMP
Correct Answer: AB
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
http://www.snmp.com/products/techinfo/secmodels.shtml
QUESTION 84
Which two options are for securing NTP? (Choose two.)
A. a stratum clock
B. access lists
C. Secure Shell
D. authentication
E. Telnet
Correct Answer: BD
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
The default command to set up a Cisco device as an NTP client is
ntp server ip-address | hostname [version number] [key key-id] [source interface] [prefer]
Specifying the key allows you to use authentication:
1. config t
2. [no] ntp authentication-key number md5 md5-string
3. (Optional) show ntp authentication-keys
4. [no] ntp trusted-key number
5. (Optional) show ntp trusted-keys
6. [no] ntp authenticate
7. (Optional) show ntp authentication-status
8. (Optional) copy running-config startup-config
Configuring NTP Access Restrictions
ntp access-group
To control access to the Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode. To
remove access control to the NTP services, use the no form of this command.
ntp access-group {query-only | serve-only | serve | peer} access-list-number
1. config t
2. [no] ntp access-group {peer | serve | serve-only | query-only} access-list-name
3. (Optional) show ntp access-groups
4. (Optional) copy running-config startup-config
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1123899
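As an added configuration example (not part of the original explanation and not Cisco's own text), the two procedures above combined on one IOS router; the server address 192.0.2.10, the management subnet 198.51.100.0/24 and the key string are assumed values:

```cisco
! Added example: authenticated NTP client with access restrictions on Cisco IOS.
! Assumed values: NTP server 192.0.2.10, key id 1, key string NtpK3y-example,
! management subnet 198.51.100.0/24 (all constructed for this example).
!
! 1. Define the authentication key; the server must hold the same key.
ntp authentication-key 1 md5 NtpK3y-example
!
! 2. Mark key 1 as trusted; replies not signed with a trusted key are ignored.
ntp trusted-key 1
!
! 3. Turn authentication on globally.
ntp authenticate
!
! 4. Point at the server and bind key 1 to it, so only replies signed
!    with key 1 can update this router's clock.
ntp server 192.0.2.10 key 1 prefer
!
! 5. Restrict NTP access with ntp access-group:
!    - only 192.0.2.10 may act as a time source (peer)
!    - only the management subnet may send time requests (serve-only)
!    - everything else is dropped by the implicit deny of the access lists
access-list 10 permit 192.0.2.10
access-list 11 permit 198.51.100.0 0.0.0.255
ntp access-group peer 10
ntp access-group serve-only 11
!
! Verification (the optional show commands from the procedure above):
! show ntp authentication-status
! show ntp access-groups
! show ntp associations detail
```

A server that fails authentication still appears in show ntp associations detail, but without the "authenticated" flag, which is the quickest way to spot a key mismatch.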
QUESTION 85
SSH
AAA
TFTP
FTP
Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
The Secure Copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files. SCP relies on
Secure Shell (SSH), an application and a protocol that provide a secure replacement for the Berkeley r-tools.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa new-model
4. aaa authentication login {default | list-name} method1 [method2...]
5. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
6. username name [privilege level] {password encryption-type encrypted-password}
7. ip scp server enable
http://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_secure_copy.html
QUESTION 86
Which two ports does Cisco Configuration Professional use? (Choose two.)
A. 80
B. 8080
C. 443
D. 21
E. 23
Correct Answer: AC
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
These are the ports on the router
When you check the Connect Securely check box, HTTPS port 443 and SSH port 22 information is automatically added to the device.
If you did not check the Connect Securely check box, the HTTP port 80 and Telnet port 23 information is automatically added to the device.
For more detail on ports used on the PC, look at:
http://www.cisco.com/c/dam/en/us/td/docs/net_mgmt/cisco_configuration_professional/v2_7/olh/ccp.pdf
QUESTION 87
Which two options are physical security threats? (Choose two.)
A. hardware
B. environment
C. access lists
D. device configurations
E. software version
Correct Answer: AB
Section: 1. Common Security Threats
Explanation
Explanation/Reference:
QUESTION 88
Which command configures stateful packet inspection to inspect a packet after it passes the inbound ACL of the input interface?
A. ip inspect out
B. ip inspect in
C. ip inspect name audit-trail on
D. ip inspect name audit-trail off
Correct Answer: B
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
The ip inspect command was part of the older CBAC firewall configuration.
Since most communication is two-way, rather than configuring all the details for both directions, you could set up your access list to restrict outgoing traffic on an interface.
You would then create an IP inspect rule so that traffic that passed through was "inspected." This meant the router would build a stateful table to watch outgoing traffic and allow the returned responses.
CBAC Definition
ip inspect name FWOUT tcp
-------inspects all TCP traffic going out. FWOUT is the name of the inspect rule
It is a static NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
It is a dynamic NAT configuration that translates a real IP address to a mapped IP address.
It is a static NAT configuration that translates a real IP address to a mapped IP address.
It is a dynamic NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Identity NAT falls into three categories. Dynamic Identity NAT, Static Identity NAT, and Policy based static Identity NAT. NAT Exemption is basically a
similar config to Dynamic Identity NAT, but it restricts it to an access-list.
Dynamic Identity NAT:
Only connections from the inside to elsewhere are translated.
ciscoasa(config)# nat (inside) 0 192.168.0.0 255.255.255.0
a zone pair
a site-to-site VPN
a zone list
a zone-based policy
Correct Answer: A
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
When using zone-based firewalls, which are the newer standard, the following rules apply:
In order to communicate between interfaces in different zones, the zone pair AND the policy must both exist.
R3(config)# zone-pair security in-to-out source inside destination outside ---creates the pair and specifies the direction
QUESTION 91
With which two NAT types can Cisco ASA implement address translation? (Choose two.)
A.
B.
C.
D.
E.
Correct Answer: AC
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
How NAT is Implemented
The adaptive security appliance can implement address translation in two ways: network object NAT and twice NAT.
Main Differences Between Network Object NAT and Twice NAT
QUESTION 92
Which technology is the most effective choice for locally mirroring ports to support data investigation for a single device at the data layer?
A. RMON
B. SPAN
C. RSPAN
D. ERSPAN
Correct Answer: B
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
SPAN sessions are defined with a monitor session.
Each monitor session has a source and a destination.
With regular (local) SPAN, both source and destination must be on the same device.
QUESTION 93
Which three actions can an inline IPS take to mitigate an attack? (Choose three.)
A.
B.
C.
D.
E.
F.
RELP
Syslog
SDEE
IMAP
SNMP
CSM
Correct Answer: B
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
UDP port 514 is the traditional syslog port.
TCP port 1470 is associated with the Kiwi Log Server.
Syslog over TLS uses TCP port 6514.
https://en.wikipedia.org/wiki/Syslog
QUESTION 95
Which statement about the Atomic signature engine is true?
A. It can perform signature matching on a single packet only.
B. It can perform signature matching on multiple packets.
Correct Answer: B
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 97
Which two options are advantages of a network-based Cisco IPS? (Choose two.)
A. It can examine encrypted traffic.
B. It can protect the host after decryption.
C. It is an independent operating platform.
logging facility
logging enable
logging timestamp
logging buffered debugging
Correct Answer: C
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
QUESTION 99
What is the transition order of STP states on a Layer 2 switch interface?
A.
B.
C.
D.
Correct Answer: C
Section: 6. Common Layer 2 Attacks
Explanation
Explanation/Reference:
QUESTION 100
Which sensor mode can deny attackers inline?
A. IPS
B. Fail-close
C. IDS
D. Fail-open
Correct Answer: A
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
Sensors usually operate in promiscuous mode.
An IPS can deny traffic inline, since it sits in the flow of the traffic.
QUESTION 101
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
Options are All, Error, Status, and Alerts
QUESTION 102
Which statements about reflexive access lists are true? (Choose three.)
A. Reflexive access lists create a permanent ACE
B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
interface Serial 1
description Access to the Internet via this interface
ip access-group inboundfilters in
!
ip access-list extended inboundfilters
evaluate iptraffic
The reflexive ACL iptraffic will then be evaluated as well.
Reflexive access lists can be defined with extended named IP access lists only.
You cannot define reflexive access lists with numbered or standard named IP access lists or with other protocol access lists.
You can use reflexive access lists in conjunction with other standard access lists and static extended access lists.
http://packetlife.net/blog/2008/nov/25/reflexive-access-lists/
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html
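An added example that completes the fragment above (example configuration, not from the page or from Cisco documentation): the outbound list that creates the reflexive entries, the inbound list that evaluates them, and both applied to Serial 1; the mail server address 203.0.113.25 is assumed:

```cisco
! Added example: a complete reflexive ACL pair for the Serial 1 interface
! shown above. Names follow the page; the mail server 203.0.113.25 is assumed.
!
! Outbound list: permit the sessions the inside initiates and record each one
! as a temporary entry in the reflexive list "iptraffic". The timeout is the
! idle time (seconds) after which the temporary entry is removed.
ip access-list extended outboundfilters
 permit tcp any any reflect iptraffic timeout 300
 permit udp any any reflect iptraffic timeout 60
 permit icmp any any reflect iptraffic timeout 30
!
! Inbound list: only traffic matching a recorded temporary entry is allowed,
! plus one static entry for inbound SMTP to the mail server. The evaluate
! statement is placed before the final deny so the temporary entries are
! checked before the packet is dropped.
ip access-list extended inboundfilters
 permit tcp any host 203.0.113.25 eq smtp
 evaluate iptraffic
 deny ip any any log
!
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
! While an inside host has a session open, the temporary entries are visible:
! show access-lists iptraffic
```

Reflexive entries are keyed on the exact addresses and ports of the outbound session, so protocols that open a second connection on a new port (active FTP, for example) are not handled and need either a static entry or CBAC/ZBF inspection instead.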
QUESTION 103
Which actions can a promiscuous IDS take to mitigate an attack? (Choose three.)
A. modifying packets
B. requesting connection blocking
C. denying packets
Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
The SSH protocol requires:
a fully qualified domain name
usernames and passwords
a self-signed digital certificate
The crypto key generate rsa command will generate the needed digital certificate
QUESTION 105
Which protocol provides security to Secure Copy?
A. IPSec
B. SSH
C. HTTPS
D. ESP
Correct Answer: B
Section: 5. Secure Network Management and Reporting
Explanation
Explanation/Reference:
Secure Copy is a secure replacement for FTP.
It requires SSH.
QUESTION 106
Which security zone is automatically defined by the system?
A.
B.
C.
D.
Correct Answer: B
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
All traffic to the router itself is considered as going to the self zone.
Zone Pairs
A zone pair allows you to specify a unidirectional firewall policy between two security zones.
To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source and destination
zones. The source and destination zones of a zone pair must be security zones.
You can select the default or self zone as either the source or the destination zone. The self zone is a system-defined zone which does not have any interfaces as members.
A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic generated by the device. It does not apply to traffic through the device.
The most common use of a firewall is to apply it to traffic through a device, so you need at least two zones (that is, you cannot use the self zone).
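As an added example covering both the zone-pair rule given in the explanation of question 90 and the self zone described here (not from the page or from Cisco documentation; the interface names and the 192.0.2.0/24 management subnet are assumed):

```cisco
! Added example: zone-based firewall with one pair for traffic through the
! router and one pair for traffic to the router itself (the self zone).
! Assumed: Gi0/0 faces the inside LAN, Gi0/1 faces the outside,
! management hosts live in 192.0.2.0/24.
!
zone security inside
zone security outside
!
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
!
! Pair 1: traffic THROUGH the device. Until this zone pair and its policy
! exist, inside and outside cannot exchange any traffic (default deny).
class-map type inspect match-any INSIDE-SERVICES
 match protocol http
 match protocol https
 match protocol dns
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect INSIDE-SERVICES
  inspect
 class class-default
  drop log
zone-pair security in-to-out source inside destination outside
 service-policy type inspect IN-TO-OUT-POLICY
!
! Pair 2: traffic TO the device. The self zone has no member interfaces;
! this pair applies only to packets addressed to the router, never to
! transit traffic. Only SSH (TCP/22) from the management subnet is allowed
! in from outside; the rest is dropped and logged.
ip access-list extended MGMT-SSH-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
class-map type inspect match-all MGMT-SSH
 match access-group name MGMT-SSH-ACL
 match protocol tcp
policy-map type inspect OUT-TO-SELF-POLICY
 class type inspect MGMT-SSH
  inspect
 class class-default
  drop log
zone-pair security out-to-self source outside destination self
 service-policy type inspect OUT-TO-SELF-POLICY
!
! Verify the pairs and the sessions they are tracking:
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

Until a pair involving the self zone is configured, traffic to the router is permitted by default; once the pair exists, anything it does not match (routing protocol hellos, ICMP, IPsec from outside) is dropped, so classify those before deploying it on a production router.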
QUESTION 107
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
A.
B.
C.
D.
Correct Answer: AD
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
Setting up an IPsec VPN has two phases.
IKE Phase 1 uses the hash, authentication, DH group, lifetime, and encryption settings to establish a secure, confidential link over which the endpoints can communicate.
IKE Phase 2 uses the transform sets to send and possibly encrypt the data.
QUESTION 108
What is a possible reason for the error message?
Router(config)#aaa server?% Unrecognized command
A.
B.
C.
D.
Correct Answer: D
Section: 3.0 AAA
Explanation
Explanation/Reference:
Smart tunnels can be used by clients that do not have administrator privileges
Smart tunnels support all operating systems
Smart tunnels offer better performance than port forwarding
Smart tunnels require the client to have the application installed locally
Correct Answer: AD
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111007-smart-tunnel-asa-00.html
Smart tunnel access allows a client TCP-based application to use a browser-based VPN connection to connect to a service. It offers the following
advantages to users, compared to plugins and the legacy technology, port forwarding:
Smart tunnel offers better performance than plug-ins.
Unlike port forwarding, smart tunnel simplifies the user experience by not requiring the user to connect the local application to the local port.
Unlike port forwarding, smart tunnel does not require users to have administrator privileges.
Smart Tunnel Applications
Smart Tunnel allows any TCP-based client-server application to use ASA as a proxy gateway to the private side of a network. Examples of native
applications that work through Smart Tunnel include Outlook, SharePoint, Telnet, Passive FTP, Lotus Sametime, Secure Shell (SSH), Remote Desktop
Protocol (RDP), and Virtual Network Computing (VNC). Smart Tunnel does not support applications that use Universal Datagram Protocol (UDP). Using
the Cisco ASA Device Manager (ASDM), an administrator can define which applications and networks are allowed
access.
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf
Smart Tunnel is also used to provide remote access to web applications that are difficult to rewrite, such as proprietary, non-standards-based Java, Java
Script, or Flash animations. Smart Tunnel also supports Single Sign-On to web applications that require either form-based POST parameters, http basic,
FTP, or NTLM authentication
Smart Tunnel can also co-exist with a Full-Tunnel VPN Client. For example, an employee can connect to the company network by using Full-Tunnel
VPN Client, while simultaneously connecting to a vendor network by using Smart Tunnel.
Smart Tunnel Advantages over Port-Forwarding, Plug-ins
Smart Tunnel offers better performance than browser plug-ins.
Port forwarding is the legacy technology for supporting TCP-based applications over a Clientless SSL VPN connection. Unlike port forwarding, Smart
Tunnel simplifies the user experience by not requiring the user connection of the local application to the local port.
Smart Tunnel does not require users to have administrator privileges.
Smart Tunnel does not require the administrator to know application port numbers in advance.
QUESTION 110
Which option describes information that must be considered when you apply an access list to a physical interface?
A.
B.
C.
D.
Correct Answer: C
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
You can place one IP access list per interface per direction.
An access list is applied to an interface with the ip access-group {list-name} {in | out} command.
QUESTION 111
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500
Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a device or firewall performing NAT.
QUESTION 112
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A. sh crypto map
B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active
Correct Answer: C
Section: 9.0 VPN Technologies
Explanation
Explanation/Reference:
QUESTION 113
What is the purpose of a honeypot IPS?
A.
B.
C.
D.
Correct Answer: D
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
The main commands for verifying IPsec connections on Cisco devices are:
show crypto isakmp sa - shows IKE Phase 1
show crypto ipsec sa - shows IKE Phase 2; will show the details from the crypto map, even when the tunnel is down
show crypto session - will show as DOWN when the IPsec connection hasn't been made; shows everything
QUESTION 114
Which type of mirroring does SPAN technology perform?
A.
B.
C.
D.
Correct Answer: C
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 115
If a router configuration includes the line
aaa authentication login default group tacacs+ enable
which events will occur when the TACACS+ server returns an error? (Choose two.)
A.
B.
C.
D.
Correct Answer: AD
Section: 3.0 AAA
Explanation
Explanation/Reference:
The fallback methods are used only in case of an error (for example, the server does not respond), not if a method fails (the server rejects the login).
There may be more than one TACACS+ server listed in the group, so additional TACACS+ servers may be contacted for authentication.
QUESTION 116
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SDEE
B. Syslog
C. SNMP
D. CSM
Correct Answer: A
Section: 8.0 Cisco IPS
Explanation
Explanation/Reference:
QUESTION 117
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source
D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination
Correct Answer: B
Section: 4. IOS ACLs
Explanation
Explanation/Reference:
Standard ACL
1) Can restrict, deny, and filter packets by host IP or subnet only.
2) Best practice is to place a standard ACL restriction close to the source host/subnet (inbound on the interface).
3) No protocol-based restriction (host IP only).
Extended ACL
1) More flexible than a standard ACL.
2) You can filter packets by host/subnet as well as protocol/TCP port/UDP port.
3) Best practice is to place the restriction close to the destination host/subnet (outbound on the interface).
QUESTION 118
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A. CPPr
B. Parser views
C. Access control lists
D. Port security
E. CoPP
Correct Answer: AE
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
The control plane tools can be implemented to limit the damage an attacker can attempt to inflict directly on one of the router's IP addresses (traffic addressed directly to the router, which the router must spend CPU resources to process).
Control Plane Policing (CoPP) and Control Plane Protection (CPPr)
Control plane policing. You can configure this as a filter for any traffic destined to an IP address on the router itself. For example, you can specify that management traffic, such as SSH/HTTPS/SSL and so on, can be rate-limited (policed) down to a specific level or dropped completely. This way, if an attack occurs that involves an excessive amount of this traffic, the excess traffic above the threshold set could simply be ignored and not have to be processed directly by the CPU. Another way to think of this is as applying quality of service (QoS) to the valid management traffic and policing to the bogus management traffic.
This is applied to a logical control plane interface (not directly to any Layer 3 interface) so that the policy can be applied globally to the router.
Control plane protection. This allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling. The three specific subinterfaces that can be classified are (1) Host subinterface, which handles traffic to one of the physical or logical interfaces of the router; (2) Transit subinterface, which handles certain data plane traffic that requires CPU intervention before forwarding (such as IP options); and (3) Cisco Express Forwarding (CEF)-Exception traffic (related to network operations, such as keepalives or packets with Time-To-Live [TTL] mechanisms that are expiring) that has to involve the CPU.
The benefit of CPPr is that you can rate-limit and filter this type of traffic with a more fine-toothed comb than CoPP.
This is also applied to a logical control plane interface, so that regardless of the logical or physical interface on which the packets arrive, the route processor can still be protected.
Routing Protocol Authentication
ACLs CAN be used, but they are primarily for traffic going through the router, not traffic to the router.
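An added CoPP example of the policy just described (not from the page or from Cisco documentation; the 192.0.2.0/24 management subnet and the policing rates are assumed values):

```cisco
! Added example: Control Plane Policing that rate-limits traffic addressed
! to the router's own IP addresses. Assumed: management hosts in
! 192.0.2.0/24; the rates below are illustrative, not recommendations.
!
! Classify the management traffic the explanation mentions (SSH, HTTPS)
! when it comes from the trusted management subnet.
ip access-list extended COPP-MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
!
! Catch-all for any other packet that would reach the route processor.
ip access-list extended COPP-OTHER
 permit ip any any
!
class-map match-all COPP-MGMT-CLASS
 match access-group name COPP-MGMT
class-map match-all COPP-OTHER-CLASS
 match access-group name COPP-OTHER
!
! Police: trusted management traffic up to 256 kbit/s, everything else down
! to 32 kbit/s. Traffic above the threshold is dropped before the CPU has
! to process it, which is the "excess traffic is simply ignored" behaviour
! described above. conform-action transmit means "let it through".
policy-map COPP-POLICY
 class COPP-MGMT-CLASS
  police 256000 16000 conform-action transmit exceed-action drop
 class COPP-OTHER-CLASS
  police 32000 8000 conform-action transmit exceed-action drop
!
! Apply the policy to the logical control-plane interface, not to a
! Layer 3 interface, so it covers packets addressed to the router no
! matter which interface they arrive on.
control-plane
 service-policy input COPP-POLICY
!
! Watch the conform/exceed counters to tune the rates:
! show policy-map control-plane
```

The catch-all class also polices routing-protocol traffic, so a production policy would classify BGP/OSPF, ICMP and other expected control traffic into their own classes ahead of the catch-all rather than starving them.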
QUESTION 119
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two)
A. FTP
B. SSH
C. Telnet
D. AAA
E. HTTPS
F. HTTP
Correct Answer: BE
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
QUESTION 120
Which three properties are included in the inspection Cisco Map BASICFIREWALL? See the exhibits
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)
gui2 (exhibit):
gui1 (exhibit):
A. HTTP
B. HTTPS
C. FTP
D. POP
E. SMTP
F. DNS
and
Exhibit:
A. Sdm-cls-http
B. OUT_SERVICE
C. RegularTrafficAllowed
D. Ccp-policy-ccp-cls-2
Correct Answer: C
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Drill down
QUESTION 122
Scenario:
Exhibit:
A. MailTraffic
B. Class-map-ccp-cls-2
C. Web
D. Class-map SERVICE_IN
Correct Answer: AC
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Assuming this means the INBOUND policy map.
Drill down
QUESTION 123
Using the lab \Lab Work\Security Labs\GNS3Labs\CCP-Investigate\Topology.net, or the pictures in the exhibit, answer the following question.
What IP address will be used for the inside global when traffic goes through NAT?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)
Exhibit:
A. 192.168.35.1
B. 192.168.100.1
C. Interface fastethernet 0/1
QUESTION 124
Using the lab \Lab Work\Security Labs\GNS3Labs\CCP-Investigate\Topology.net, or the pictures in the exhibit, answer the following question.
Which three protocols are included in the Inspection Class Map MailTraffic?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)
Exhibit:
A. smtp
B. imap3
C. imap
D. http
E. https
F. pop3
Explanation
Explanation/Reference:
drill down
configure - security - c3pl - class map - inspection
QUESTION 125
Using the lab \Lab Work\Security Labs\GNS3Labs\CCP-Investigate\Topology.net, or the pictures in the exhibit, answer the following question.
Which policy map is used for the Zone Pair LAN-To-WAN?
(Scenario means live-data-mine, go look for all these objects, even if by different names, in the CCP, know where to look, and know that yours may be
different, you need to know how to navigate and find the info, like show commands, but an interface)
Exhibit:
A. MailTraffic
B. Web
C. RegularTrafficAllowed
D. http
Correct Answer: C
Section: 7. Cisco Firewall Technologies
Explanation
Explanation/Reference:
Drill down; the picture has it wrong, so hunt it down. Look at the zone pairs and the policy maps: configure - security - firewall - firewall components - zone pairs (LAN-to-WAN means, and shows as, inside to outside). The "in-to-out" policy shows mail, web, and class-default, so it looks like "web", but the zone pair says its policy is "in-to-out". Hunt this one down; if the zone pair screen does not show an answer choice, keep looking, it is there.
QUESTION 126
Which represents a unique local address (IPv6)?
A. FD00::/8
B. 2002::/16
C. FED0::/8
D. 2001::/32
Correct Answer: A
Section: 2. Security and Cisco Routers
Explanation
Explanation/Reference:
The address block fc00::/7 is divided into two /8 groups:
The block fc00::/8 has not been defined yet. It has been proposed to be managed by an allocation authority, but this has not gained acceptance in the
IETF.[1][2][3] This block is also used by the cjdns mesh network.
The block fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string. This results in
the format fdxx:xxxx:xxxx:: for a prefix in this range. RFC 4193 offers a suggestion for generating the random identifier to obtain a minimum-quality
result if the user does not have access to a good source of random numbers.