Académique Documents
Professionnel Documents
Culture Documents
Number: 210-260
Passing Score: 860
Time Limit: 110 min
File Version: 3.0
22 Aug 2017
Sources:
+ eke210-260.examcollection.premium.exam.179Q & 31 + 14 new q&a.vce
+ Brad's blog : https://quicktopic.com/52/H/eriUSvUbtanYY
+ http://www.securitytut.com/ccna-security-210-260/share-your-ccna-security-experience-2/
Changes:
v1.1
+ Q149: changed to single option answer and set A. as the correct answer
v1.2
+ Q6/31q+new 14q: more explanations
v1.3
+ Q125: more explanations
v1.4
+ Q41: changed answer and explanation
v1.5
+ Q154: corrected a typo in Brad's answer
v1.6
+ Reviewed and corrected some of Brad's Answers which I wrote wrong
+ Q160: added a link to the explanation
v1.7
+ Q6/Blindman new 7q: reworded the question and added Tullipp's comment from securitytut.com
v1.8
+ Q79: changed answer and explanation
v1.9
+ Q47: added explanation
v1.10
+ Added 2 new questions
+ Q6/31q+new 14q: added to the question "on an interface"
+ Q22/31q+new 14q: added a comment to the question, it is referring to ISAKMP
v2.0
+ Moved all questions together
v2.1
+ Rephrased question 206, according to Mpazoukas' feedback
+ Q200: changed answer after considering wael adel's post
+ Q206: I reconsidered the answer to be A. MAC spoofing
v2.2
+ Q191: rephrased the correct answer according to the errata of the OCG
v2.3
+ Added 5 new questions (kept separately for now) mentioned by test takers
v2.4
+ Users JS and SK from securitytut.com added new questions and details about existing ones
+ Created a Drag&Drop for HIPS and NIPS
v2.5
+ Added new question
v2.6
+ Added 3 new question
v2.7
+ Added new question
v2.8
+ Added new question about User Exec mode right
+ Rephrased the new questions according to users posts (@Race) on securitytut.com and added them to
the main group of questions
v3.0
+ Added new question about weakness in an information system
210-260
by SalsaBrava
271q + SIM
QUESTION 1
Which two services define cloud networks? (Choose two.)
A. Infrastructure as a Service
B. Compute as a Service
C. Security as a Service
D. Platform as a Service
E. Tenancy as a Service
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
BD
The NIST's definition of cloud computing defines the service models as follows:[2]
+ Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s
applications running on a cloud infrastructure. The applications are accessible from various client devices
through either a thin client interface, such as a web browser (e.g., web-based email), or a program
interface. The consumer does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, storage, or even individual application capabilities, with the possible exception
of limited user-specific application configuration settings.
+ Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud
infrastructure consumer-created or acquired applications created using programming languages, libraries,
services, and tools supported by the provider. The consumer does not manage or control the underlying
cloud infrastructure including network, servers, operating systems, or storage, but has control over the
deployed applications and possibly configuration settings for the application-hosting environment.
+ Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing,
storage, networks, and other fundamental computing resources where the consumer is able to deploy and
run arbitrary software, which can include operating systems and applications. The consumer does not
manage or control the underlying cloud infrastructure but has control over operating systems, storage, and
deployed applications; and possibly limited control of select networking components (e.g., host firewalls).
Source: https://en.wikipedia.org/wiki/Cloud_computing#Service_models
QUESTION 2
In which two situations should you use out-of-band management? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Brad
AD
OOB management is used for devices at the headquarters and is accomplished by connecting dedicated
management ports or spare Ethernet ports on devices directly to the dedicated OOB management network
hosting the management and monitoring applications and services. The OOB management network can be
either implemented as a collection of dedicated hardware or based on VLAN isolation.
Source: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap9.html
QUESTION 3
In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)
Explanation/Reference:
BD
Source: Cisco Official Certification Guide, Table 3-2 TACACS+ Versus RADIUS, p.40
QUESTION 4
According to Cisco best practices, which three protocols should the default ACL allow on an access port to
enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three.)
A. BOOTP
B. MAB
C. 802.1x
D. TFTP
E. HTTP
F. DNS
Explanation/Reference:
BD
ACLs are the primary method through which policy enforcement is done at access layer switches for wired
devices within the campus.
ACL-DEFAULT—This ACL is configured on the access layer switch and used as a default ACL on the port.
Its purpose is to prevent un-authorized access.
As seen from the output above, ACL-DEFAULT allows DHCP, DNS, ICMP, and TFTP traffic and denies
everything else.
Source: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/
BYOD_Design_Guide/BYOD_Wired.html
MAB is an access control technique that Cisco provides and it is called MAC Authentication Bypass.
QUESTION 5
Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)
A. AES
B. 3DES
C. DES
D. SHA-384
E. DH-1024
F. MD5
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
BD
The Suite B next-generation encryption (NGE) includes algorithms for authenticated encryption, digital
signatures, key establishment, and cryptographic hashing, as listed here:
+ Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm
+ AES in the Galois/Counter Mode (GCM) of operation
+ ECC Digital Signature Algorithm
+ SHA-256, SHA-384, and SHA-512
QUESTION 6
Which three ESP fields can be encrypted during transmission? (Choose three.)
A. Padding
B. Sequence Number
C. Pad Length
D. Security Parameter Index
E. MAC Address
F. Next Header
Explanation/Reference:
BD
The packet begins with two 4-byte fields (Security Parameters Index (SPI) and Sequence Number).
Following these fields is the Payload Data, which has substructure that depends on the choice of encryption
algorithm and mode, and on the use of TFC padding, which is examined in more detail later. Following the
Payload Data are Padding and Pad Length fields, and the Next Header field. The optional Integrity Check
Value (ICV) field completes the packet.
Source: https://tools.ietf.org/html/rfc4303#page-14
QUESTION 7
What are two default Cisco IOS privilege levels? (Choose two.)
A. 0
B. 1
C. 5
D. 7
E. 10
F. 15
Correct Answer: BF
Section: (none)
Explanation
Explanation/Reference:
BD
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands:
user EXEC mode (level 1) and privileged EXEC mode (level 15).
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
QUESTION 8
Which two authentication types does OSPF support? (Choose two.)
A. Plain text
B. SHA-1
C. HMAC
D. AES 256
E. MD5
F. DES
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html
QUESTION 9
Which two features do CoPP and CPPr use to protect the control plane? (Choose two.)
A. QoS
B. class maps
C. access lists
D. policy maps
E. traffic classification
F. Cisco Express Forwarding
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
BD
For example, you can specify that management traffic, such as SSH/HTTPS/SSL and so on, can be
ratelimited (policed) down to a specific level or dropped completely.
Another way to think of this is as applying quality of service (QoS) to the valid management traffic and
policing to the bogus management traffic.
Source: Cisco Official Certification Guide, Table 10-3 Three Ways to Secure the Control Plane, p.269
QUESTION 10
Which two statements about stateless firewalls are true? (Choose two.)
A. They compare the 5-tuple of each incoming packet against configurable rules.
B. Cisco IOS cannot implement them because the platform is stateful by nature.
C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
D. They cannot track connections..
E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
BD
In stateless inspection, the firewall inspects a packet to determine the 5-tuple—source and destination IP
addresses and ports, and protocol—information contained in the packet. This static information is then
compared against configurable rules to determine whether to allow or drop the packet.
In stateless inspection the firewall examines each packet individually, it is unaware of the packets that have
passed through before it, and has no way of knowing if any given packet is part of an existing connection, is
trying to establish a new connection, or is a rogue packet.
Source: http://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/19-0/XMART/PSF/19-PSF-Admin/19-PSF-
Admin_chapter_01.html
QUESTION 11
Which three statements about host-based IPS are true? (Choose three.)
Explanation/Reference:
BD
If the network traffic stream is encrypted, HIPS has access to the traffic in unencrypted form.
HIPS can combine the best features of antivirus, behavioral analysis, signature filters, network firewalls, and
application firewalls in one package.
Host-based IPS operates by detecting attacks that occur on a host on which it is installed. HIPS works by
intercepting operating system and application calls, securing the operating system and application
configurations, validating incoming service requests, and analyzing local log files for after-the-fact
suspicious activity.
Source: http://www.ciscopress.com/articles/article.asp?p=1336425&seqNum=3
QUESTION 12
What three actions are limitations when running IPS in promiscuous mode? (Choose three.)
Explanation/Reference:
BD
In promiscuous mode, packets do not flow through the sensor. The disadvantage of operating in
promiscuous mode, however, is the sensor cannot stop malicious traffic from reaching its intended
target for certain types of attacks, such as atomic attacks (single-packet attacks). The response actions
implemented by promiscuous sensor devices are post-event responses and often require assistance
from other networking devices, for example, routers and firewalls, to respond to an attack.
Source: http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/
cli_interfaces.html
QUESTION 13
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Deny connection inline: This action terminates the packet that triggered the action and future packets that
are part of the same TCP connection. The attacker could open up a new TCP session (using different port
numbers), which could still be permitted through the inline IPS.
Available only if the sensor is configured as an IPS.
Source: Cisco Official Certification Guide, Table 17-4 Possible Sensor Responses to Detected Attacks,
p.465
QUESTION 14
What is an advantage of implementing a Trusted Platform Module for disk encryption?
A. It allows the hard disk to be transferred to another device without requiring re-encryption.dis
B. It provides hardware authentication.
C. It supports a more complex encryption algorithm than other disk-encryption technologies.
D. It can protect against single points of failure.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a
dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices.
Software can use a Trusted Platform Module to authenticate hardware devices. Since each TPM chip
has a unique and secret RSA key burned in as it is produced, it is capable of performing platform
authentication.
Source: https://en.wikipedia.org/wiki/Trusted_Platform_Module#Disk_encryption
QUESTION 15
What is the purpose of the Integrity component of the CIA triad?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Integrity for data means that changes made to data are done only by authorized individuals/systems.
Corruption of data is a failure to maintain data integrity.
Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6
APPUNTI: Integrity for data means that changes made to data are done only by authorized
individuals/systems. (Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6)
QUESTION 16
In a security context, which action can you take to address compliance?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
In general, compliance means conforming to a rule, such as a specification, policy, standard or law.
Source: https://en.wikipedia.org/wiki/Regulatory_compliance
APPUNTI: Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to
ensure that they are aware of and take steps to comply with relevant laws, polices, and regulations.
QUESTION 17
Which type of secure connectivity does an extranet provide?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
What is an Extranet? In the simplest terms possible, an extranet is a type of network that crosses
organizational boundaries, giving outsiders access to information and resources stored inside the
organization's internal network (Loshin, p. 14).
Source: https://www.sans.org/reading-room/whitepapers/firewalls/securing-extranet-connections-816
QUESTION 18
Which tool can an attacker use to attempt a DDoS attack?
A. virus
B. Trojan horse
C. botnet
D. adware
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack. An example is using a
botnet to attack a target system.
Source: Cisco Official Certification Guide, Table 1-6 Additional Attack Methods, p.16
APPUNTI: Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack. An example is
using a botnet to attack a target system
QUESTION 19
What type of security support is provided by the Open Web Application Security Project?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization
focused on improving the security of software. Our mission is to make software security visible, so that
individuals and organizations are able to make informed decisions. OWASP is in a unique position to
provide impartial, practical information about AppSec to individuals, corporations, universities, government
agencies and other organizations worldwide.
Source: https://www.owasp.org/index.php/Main_Page
QUESTION 20
What type of attack was the Stuxnet virus?
A. botnet
B. hacktivism
C. cyber warfare
D. social engineering
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Stuxnet is a computer worm that targets industrial control systems that are used to monitor and control
large scale industrial facilities like power plants, dams, waste processing systems and similar operations. It
allows the attackers to take control of these systems without the operators knowing. This is the first attack
we’ve seen that allows hackers to manipulate real-world equipment, which makes it very dangerous.
Source: https://us.norton.com/stuxnet
QUESTION 21
What type of algorithm uses the same key to encrypt and decrypt data?
A. an IP security algorithm
B. an asymmetric algorithm
C. a Public Key Infrastructure algorithm
D. a symmetric algorithm
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
A symmetric encryption algorithm, also known as a symmetrical cipher, uses the same key to encrypt the
data and decrypt the data.
How many times was a read-only string used to attempt a write operation?
A. 4
B. 6
C. 9
D. 3
E. 2
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
To check the status of Simple Network Management Protocol (SNMP) communications, use the show
snmp command in user EXEC or privileged EXEC mode.
Illegal operation for community name supplied: Number of packets requesting an operation not allowed for
that community
Source: http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_16.html
QUESTION 23
Refer to the exhibit.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: D:
Confidence level: 100%
Remember: The [.] at the beginning of the time tells us the NTP process has last contact with its servers.
We know the time is authoritative because there would be a [*] at the beginning if not. (RISPOSTA D
MODIFICATA DA ME)
QUESTION 24
How does the Cisco ASA use Active Directory to authorize VPN users?
A. It downloads and stores the Active Directory database to query for future authorization requests.
B. It sends the username and password to retrieve an ACCEPT or REJECT message from the Active
Directory server.
C. It queries the Active Directory server for a specific attribute for the specified user.
D. It redirects requests to the Active Directory server defined for the VPN group.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
?
When ASA needs to authenticate a user to the configured LDAP server, it first tries to login using the login
DN provided. After successful login to the LDAP server, ASA sends a search query for the username
provided by the VPN user. This search query is created based on the naming attribute provided in the
configuration. LDAP replies to the query with the complete DN of the user. At this stage ASA sends a
second login attempt to the LDAP server. In this attempt, ASA tries to login to the LDAP server using the
VPN user's full DN and password provided by the user. A successful login to the LDAP server will indicate
that the credentials provided by the VPN user are correct and the tunnel negotiation will move to the Phase
2.
Source: http://www.networkworld.com/article/2228531/cisco-subnet/using-your-active-directory-for-vpn-
authentication-on-asa.html
QUESTION 25
Which statement about Cisco ACS authentication and authorization is true?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
ACS can join one AD domain. If your Active Directory structure has multi-domain forest or is divided into
multiple forests, ensure that trust relationships exist between the domain to which ACS is connected and
the other domains that have user and machine information to which you need access. So B is not correct.
Source: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-8/ACS-
ADIntegration/guide/Active_Directory_Integration_in_ACS_5-8.pdf
+ You can define multiple authorization profiles as a network access policy result. In this way, you maintain
a smaller number of authorization profiles, because you can use the authorization profiles in combination as
rule results, rather than maintaining all the combinations themselves in individual profiles. So D. is not
correct
+ ACS 5.1 can function both as a RADIUS and RADIUS proxy server. When it acts as a proxy server, ACS
receives authentication and accounting requests from the NAS and forwards the requests to the external
RADIUS server. So C. is nor correct.
Source: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-1/user/
guide/acsuserguide/policy_mod.html
QUESTION 26
Refer to the exhibit.
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how
will the switch respond?
A. The authentication attempt will time out and the switch will place the port into the unauthorized state
B. The switch will cycle through the configured authentication methods indefinitely.
C. The supplicant will fail to advance beyond the webauth method.
D. The authentication attempt will time out and the switch will place the port into VLAN 101.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Flexible authentication (FlexAuth) is a set of features that allows IT administrators to configure the
sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and switch-based web
authentication (local WebAuth).
If next-method failure handling and local WebAuth are both configured after IEEE 802.1X authentication
fails, local WebAuth ignores EAPoL-Start commands from the supplicant.
Source: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-
service/application_note_c27-573287.html
QUESTION 27
Which EAP method uses Protected Access Credentials?
A. EAP-PEAP
B. EAP-TLS
C. EAP-FAST
D. EAP-GTC
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Flexible Authentication via Secure Tunneling (EAP-FAST) is a protocol proposal by Cisco Systems as a
replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while preserving
the "lightweight" implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a
Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified.
Source: https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
QUESTION 28
What is one requirement for locking a wired or wireless device from ISE?
A. The device must be connected to the network when the lock command is executed..
B. The ISE agent must be installed on the device.
C. The user must approve the locking action.
D. The organization must implement an acceptable use policy allowing device locking.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Agents are applications that reside on client machines logging into the Cisco ISE network. Agents can be
persistent (like the AnyConnect, Cisco NAC Agent for Windows and Mac OS X) and remain on the client
machine after installation, even when the client is not logged into the network. Agents can also be temporal
(like the Cisco NAC Web Agent), removing themselves from the client machine after the login session has
terminated.
Source: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/
b_ise_admin_guide_20_chapter_010101.html
QUESTION 29
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
A. NAT
B. Hair-pinning
C. NAT traversal
D. split tunneling
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
In network computing, hairpinning (or NAT loopback) describes a communication between two hosts behind
the same NAT device using their mapped endpoint. Because not all NAT devices support this
communication configuration, applications must be aware of it.
Hairpinning is where a machine on the LAN is able to access another machine on the LAN via the external
IP address of the LAN/router (with port forwarding set up on the router to direct requests to the appropriate
machine on the LAN).
Source:
GRAPHIC EXAMPLE OF HAIR PINNING
QUESTION 30
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
A. tunnel mode
B. hairpinning
C. split tunneling
D. transparent mode
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Split tunneling is a computer networking concept which allows a mobile user to access dissimilar security
domains like a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same
or different network connections. This connection state is usually facilitated through the simultaneous use
of, a Local Area Network (LAN) Network Interface Card (NIC), radio NIC, Wireless Local Area Network
(WLAN) NIC, and VPN client software application without the benefit of access control.
Source: https://en.wikipedia.org/wiki/Split_tunneling
QUESTION 31
Refer to the exhibit.
What is the effect of the given command sequence?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
QUESTION 32
Refer to the exhibit.
A. It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
C. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
A crypto ACL is a case for an extended ACL where we specify the source and destination address of the
networks to be encrypted.
QUESTION 33
Refer to the exhibit.
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the
given output show?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
This is the output of the #show crypto isakmp sa command. This command shows the Internet Security
Association Management Protocol (ISAKMP) security associations (SAs) built between peers - IPsec
Phase1. The "established" clue comes from the state parameter QM_IDLE - this is what we want to see.
More on this
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-
00.html
QUESTION 34
Refer to the exhibit.
While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the
given output show?
A. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5.
B. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1.
C. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5.
D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
This command shows IPsec SAs built between peers - IPsec Phase2. The encrypted tunnel is build
between 10.1.1.5 and 10.1.1.1 (the router from which we issued the command).
QUESTION 35
Refer to the exhibit.
The Admin user is unable to enter configuration mode on a device with the given configuration. What
change can you make to the configuration to correct the problem?
A. Remove the autocommand keyword and arguments from the Username Admin privilege line.
B. Change the Privilege exec level value to 15.
C. Remove the two Username Admin lines.
D. Remove the Privilege exec line.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
autocommand: (Optional) Causes the specified command to be issued automatically after the user logs in.
When the command is complete, the session is terminated. Because the command can be any length and
can contain embedded spaces, commands using the autocommand keyword must be the last option on the
line.
So after successfully logs in the Admin user sees the running configuration and immediately after is
disconnected by the router. So removing the command lets keeps him connected.
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-
xe-3se-3850-cr-book_chapter_0110.html
QUESTION 36
After reloading a router, you issue the dir command to verify the installation and observe that the image file
appears to be missing. For what reason could the image file fail to appear in the dir output?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
#secure boot-image
This command enables or disables the securing of the running Cisco IOS image. Because this command
has the effect of "hiding" the running image, the image file will not be included in any directory listing of the
disk.
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-
s1.html#wp3328121947
QUESTION 37
What is the effect of the send-lifetime local 23:59:00 31 December 2013 infinite command?
A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local
time on January 1, 2014 and continue using the key indefinitely.
B. It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00
local time on December 31, 2013.
C. It configures the device to begin accepting the authentication key from other devices immediately and
stop accepting the key at 23:59:00 local time on December 31, 2013.
D. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local
time on December 31, 2013 and continue using the key indefinitely.
E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local
time on December 31, 2013 and continue accepting the key indefinitely.
F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local
time on January 1, 2014 and continue accepting the key indefinitely.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
To send the valid key and to authenticate information from the local host to the peer, use the send-lifetime
command in keychain-key configuration mode.
send-lifetime start-time [ duration duration value | infinite | end-time ]
start-time: Start time, in hh:mm:ss day month year format, in which the key becomes valid. The range is
from 0:0:0 to 23:59:59.
infinite: (Optional) Specifies that the key never expires once it becomes valid.
Source: http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/security/command/reference/
b_syssec_cr42crs/b_syssec_cr41crs_chapter_0100.html#wp2198915138
QUESTION 38
What type of packet creates and performs network operations on a network device?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Control plane: This includes protocols and traffic that the network devices use on their own without direct
interaction from an administrator. An example is a routing protocol.
Source: Cisco Official Certification Guide, The Network Foundation Protection Framework, p.264
QUESTION 39
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of
this activity?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
If a switch receives an inferior BPDU, nothing changes. Receiving a superior BPDU will kick off a
reconvergence of the STP topology. So the rogue switch may become a root bridge.
Source: http://www.networkpcworld.com/what-are-inferior-and-superior-bpdus-of-stp/
QUESTION 40
In what type of attack does an attacker virtually change a device's burned-in address in an attempt to
circumvent access lists and mask the device's true identity?
A. gratuitous ARP
B. ARP poisoning
C. IP spoofing
D. MAC spoofing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
A device's burned-in address is its MAC address. So by changing it to something else may trick hosts on
the network into sending packets to it.
QUESTION 41
What command can you use to verify the binding table status?
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: E
If not E is not the correct answer, then the answer is A. However, I'm pretty sure it is E based on these two
quotes:
"Use the show ip dhcp snooping binding command in EXEC mode to display the DHCP snooping binding
database and configuration information for all interfaces on a switch."
"Use the show ip dhcp snooping database command in EXEC mode to display the status of the DHCP
snooping binding database agent.
BD
@Answer on securitytut.com made a valid comment on the fact that it's not asking about the database
agent, as Brad's reference, but on the status (not statistics) of the binding table
So, what is DHCP Snooping bindings and what is the status of binding table? Aren’t they the same. An if so
it clearly says “verify”.
QUESTION 42
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in
use?
A. loop guard
B. EtherChannel guard
C. STP root guard
D. STP BPDU guard
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: A
Confidence level: 100%
Remember: The phrase "only superior BPDUs" is the key to the correct answer. BPDU guard will block a
port if *ANY* BPDU is received.
BD
Root guard allows the device to participate in STP as long as the device does not try to become the root. If
root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending
device ceases to send superior BPDUs.
Source: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html
QUESTION 43
Which statement about a PVLAN isolated port configured on a switch is true?
A. The isolated port can communicate with other isolated ports and the promiscuous port.
B. The isolated port can communicate only with the promiscuous port.
C. The isolated port can communicate only with community ports.
D. The isolated port can communicate only with other isolated ports.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Isolated — An isolated port is a host port that belongs to an isolated secondary VLAN. This port has
complete isolation from other ports within the same private VLAN domain, except that it can communicate
with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from
promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can
have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all
other ports in the isolated VLAN.
Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/
CLIConfigurationGuide/PrivateVLANs.html
QUESTION 44
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts
a double-tagging attack?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN
(VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain
access to traffic on other VLANs that would normally not be accessible. There are two primary methods of
VLAN hopping: switch spoofing and double tagging.
Double Tagging can only be exploited when switches use "Native VLANs". Double Tagging can be
mitigated by either one of the following actions:
+ Simply do not put any hosts on VLAN 1 (The default VLAN)
+ Change the native VLAN on all trunk ports to an unused VLAN ID
Source: https://en.wikipedia.org/wiki/VLAN_hopping
QUESTION 45
What is a reason for an organization to deploy a personal firewall?
A. To create a separate, non-persistent virtual environment that can be destroyed after a session.
B. To protect one virtual network segment from another.
C. To determine whether a host meets minimum security posture requirements.
D. To protect endpoints such as desktops from malicious activity.
E. To protect the network from DoS and syn-flood attacks.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to
client machines. HIPS provides several features that offer more robust security than a traditional personal
firewall, such as host intrusion prevention and protection against spyware, viruses, worms, Trojans, and
other types of malware.
Source: Cisco Official Certification Guide, Personal Firewalls and Host Intrusion Prevention Systems , p.499
QUESTION 46
Which statement about personal firewalls is true?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Features
+ Block or alert the user about all unauthorized inbound or outbound connection attempts
+ Allows the user to control which programs can and cannot access the local network and/or Internet and
provide the user with information about an application that makes a connection attempt
+ Hide the computer from port scans by not responding to unsolicited network traffic
+ Monitor applications that are listening for incoming connections
+ Monitor and regulate all incoming and outgoing Internet users
+ Prevent unwanted network traffic from locally installed applications
+ Provide information about the destination server with which an application is attempting to communicate
+ Track recent incoming events, outgoing events, and intrusion events to see who has accessed or tried to
access your computer.
+ Personal Firewall blocks and prevents hacking attempt or attack from hackers
Source: https://en.wikipedia.org/wiki/Personal_firewall
QUESTION 47
Refer to the exhibit.
A. a stateful firewall
B. a personal firewall
C. a proxy firewall
D. an application firewall
E. a stateless firewall
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
The output is from "show conn" command on an ASA. This is another example output I've simulated
UDP OUTSIDE 172.16.0.100:53 INSIDE 10.10.10.2:59655, idle 0:00:06, bytes 39, flags -
QUESTION 48
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
A. Only control plane policing can protect the control plane against multicast traffic.
B. Stateful inspection of multicast traffic is supported only for the self-zone.
C. Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone.
D. Stateful inspection of multicast traffic is supported only for the internal zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Neither Cisco IOS ZFW or Classic Firewall include stateful inspection support for multicast traffic.
So the only choice is A.
Source: http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
QUESTION 49
How does a zone-based firewall implementation handle traffic between interfaces in the same zone?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
For interfaces that are members of the same zone, all traffic is permitted by default.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
QUESTION 50
Which two statements about Telnet access to the ASA are true? (Choose two).
A. You may VPN to the lowest security interface to telnet to an inside interface.
B. You must configure an AAA server to enable Telnet.
C. You can access all interfaces on an ASA using Telnet.
D. You must use the command virtual telnet to enable Telnet.
E. Best practice is to disable Telnet and use SSH.
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
BD
The ASA allows Telnet and SSH connections to the ASA for management purposes. You cannot use Telnet
to the lowest security interface unless you use Telnet inside an IPSec tunnel.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/
access_management.html#wp1054101
QUESTION 51
Which statement about communication over failover interfaces is true?
A. All information that is sent over the failover and stateful failover interfaces is sent as clear text by default.
B. All information that is sent over the failover interface is sent as clear text, but the stateful failover link is
encrypted by default.
C. All information that is sent over the failover and stateful failover interfaces is encrypted by default.
D. User names, passwords, and preshared keys are encrypted by default when they are sent over the
failover and stateful failover interfaces, but other information is sent as clear text.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the
communication with a failover key. If the security appliance is used to terminate VPN tunnels, this
information includes any usernames, passwords and preshared keys used for establishing the tunnels.
Transmitting this sensitive data in clear text could pose a significant security risk. We recommend securing
the failover communication with a failover key if you are using the security appliance to terminate VPN
tunnels.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/failover.html
QUESTION 52
If a packet matches more than one class map in an individual feature type's policy map, how does the ASA
handle the packet?
A. The ASA will apply the actions from all matching class maps it finds for the feature type.
B. The ASA will apply the actions from only the most specific matching class map it finds for the feature
type.
C. The ASA will apply the actions from only the first matching class map it finds for the feature type.
D. The ASA will apply the actions from only the last matching class map it finds for the feature type.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
I suppose this could be an explanation. Not 100% confident about this. The explanation refers to an
interface, but the question doesn't specify that.
See the following information for how a packet matches class maps in a policy map for a given interface:
1. A packet can match only one class map in the policy map for each feature type.
2. When the packet matches a class map for a feature type, the ASA does not attempt to match it to
any subsequent class maps for that feature type.
3. If the packet matches a subsequent class map for a different feature type, however, then the ASA also
applies the actions for the subsequent class map, if supported. See the "Incompatibility of Certain Feature
Actions" section for more information about unsupported combinations.
If a packet matches a class map for connection limits, and also matches a class map for an application
inspection, then both actions are applied.
If a packet matches a class map for HTTP inspection, but also matches another class map that
includes HTTP inspection, then the second class map actions are not applied.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/
mpf_service_policy.html
QUESTION 53
For what reason would you configure multiple security contexts on the ASA firewall?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
You can partition a single ASA into multiple virtual devices, known as security contexts. Each context is an
independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar
to having multiple standalone devices.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/
mode_contexts.html
QUESTION 54
What is an advantage of placing an IPS on the inside of a network?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Firewalls are generally designed to be on the network perimeter and can handle dropping a lot of the non-
legitimate traffic (attacks, scans etc.) very quickly at the ingress interface, often in hardware.
An IDS/IPS is, generally speaking, doing more deep packet inspections and that is a much more
computationally expensive undertaking. For that reason, we prefer to filter what gets to it with the firewall
line of defense before engaging the IDS/IPS to analyze the traffic flow.
In an even more protected environment, we would also put a first line of defense in ACLs on an edge router
between the firewall and the public network(s).
Source: https://supportforums.cisco.com/discussion/12428821/correct-placement-idsips-network-
architecture
QUESTION 55
What is the FirePOWER impact flag used for?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Impact Flag: Choose the impact level assigned to the intrusion event.
Because no operating system information is available for hosts added to the network map from NetFlow
data, the system cannot assign Vulnerable (impact level 1: red) impact levels for intrusion events involving
those hosts. In such cases, use the host input feature to manually set the operating system identity for the
hosts.
Source: http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-
v60/Correlation_Policies.html
Impact
The impact level in this field indicates the correlation between intrusion data, network discovery data, and
vulnerability information.
Impact Flag
See Impact.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/ViewingEvents.html
QUESTION 56
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
A. IP Defragmentation
B. Portscan Detection
C. Rate-Based Prevention
D. Inline Normalization
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: A
Confidence level: 0%
BD
Rate-based attack prevention identifies abnormal traffic patterns and attempts to minimize the impact of
that traffic on legitimate requests. Rate-based attacks usually have one of the following characteristics:
+ any traffic containing excessive incomplete connections to hosts on the network, indicating a SYN flood
attack
+ any traffic containing excessive complete connections to hosts on the network, indicating a TCP/IP
connection flood attack
+ excessive rule matches in traffic going to a particular destination IP address or addresses or coming from
a particular source IP address or addresses.
+ excessive matches for a particular rule across all traffic.
The SYN attack prevention option helps you protect your network hosts against SYN floods. You can
protect individual hosts or whole networks based on the number of packets seen over a period of time. If
your device is deployed passively, you can generate events. If your device is placed inline, you can also
drop the malicious packets. After the timeout period elapses, if the rate condition has stopped, the event
generation and packet dropping stops.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/Intrusion-Threat-Detection.html
QUESTION 57
Which Sourcefire logging action should you choose to record the most detail about a connection?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/AC-Connection-Logging.html#15726
QUESTION 58
What can the SMTP preprocessor in FirePOWER normalize?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/NAP-App-Layer.html#85623
QUESTION 59
You want to allow all of your company's users to access the Internet without allowing other Web servers to
collect the IP addresses of individual users.
What two solutions can you use? (Choose two).
Explanation/Reference:
BD
In computer networks, a proxy server is a server (a computer system or an application) that acts as an
intermediary for requests from clients seeking resources from other servers.[1] A client connects to the
proxy server, requesting some service, such as a file, connection, web page, or other resource available
from a different server and the proxy server evaluates the request as a way to simplify and control its
complexity. Proxies were invented to add structure and encapsulation to distributed systems.[2] Today,
most proxies are web proxies, facilitating access to content on the World Wide Web and providing
anonymity.
Source: https://en.wikipedia.org/wiki/Proxy_server
Port Address Translation (PAT) is a subset of NAT, and it is still swapping out the source IP address as
traffic goes through the NAT/PAT device, except with PAT everyone does not get their own unique
translated address. Instead, the PAT device keeps track of individual sessions based on port numbers and
other unique identifiers, and then forwards all packets using a single source IP address, which is shared.
This is often referred to as NAT with overload; we are hiding multiple IP addresses on a single global
address.
QUESTION 60
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security
Intelligence IP Address Reputation. A user calls and is not able to access a certain IP address. What action
can you take to allow the user access to the IP address?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: B
Confidence level: 100%
BD
In addition to a blacklist, each access control policy has an associated whitelist, which you can also
populate with Security Intelligence objects. A policy’s whitelist overrides its blacklist. That is, the system
evaluates traffic with a whitelisted source or destination IP address using access control rules, even if the IP
address is also blacklisted. In general, use the whitelist if a blacklist is still useful, but is too broad in scope
and incorrectly blocks traffic that you want to inspect.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-
UserGuide-v5401/AC-Secint-Blacklisting.pdf
QUESTION 61
A specific URL has been identified as containing malware. What action can you take to block users from
accidentally visiting the URL and becoming infected with malware.
A. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router’s local
URL list
B. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewall’s local
URL list
C. Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter
router
D. Enable URL filtering on the perimeter router and add the URLs you want to block to the router’s local
URL list
E. Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter
router
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: D
Confidence level: 100%
Remember: A and B are not correct answers because you cannot use a router's URL list to filter URLs on a
firewall, and vice versa. E is not correct because whitelists are used to allow websites, not block, and that is
not what the question is asking for.
BD
URL Filtering
URL filtering allows you to control access to Internet websites by permitting or denying access to specific
websites based on information contained in an URL list. You can maintain a local URL list on the router.
If the Cisco IOS image on the router supports URL filtering but does not support Zone-based Policy Firewall
(ZPF), you can maintain one local URL list on the router to add or edit an URLs. Enter a full domain name
or a partial domain name and choose whether to Permit or Deny requests for this URL.
Source: http://www.cisco.com/c/en/us/td/docs/routers/access/
cisco_router_and_security_device_manager/24/software/user/guide/URLftr.html#wp999509
QUESTION 62
When is the best time to perform an antivirus signature update?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Obvious answer
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
If Application Visibility Controls (AVC) are enabled (Under GUI > Security Services > Web Reputation and
Anti-Malware), then we can block access based on application types like Proxies, File Sharing, Internet
utilities. We can do this under Web Security Manager > Access Policies > 'Applications' column <for the
required access policy>.
Source: http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/118486-technote-wsa-
00.html
QUESTION 64
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then
answer the five multiple choice questions about the ASA SSLVPN configurations.
Explanation/Reference:
Correct Answer: ADEF
Section: (none)
By clicking one the Configuration-> Remote Access -> Clientless CCL VPN Access-> Group Policies tab
you can view the DfltGrpPolicy protocols as shown below:
QUESTION 65
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then
answer the five multiple choice questions about the ASA SSLVPN configurations.
A. Certificate
B. AAA with RADIUS server
C. AAA with LOCAL database
D. Both Certificate and AAA with LOCAL database
E. Both Certificate and AAA with RADIUS server
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Correct Answer: A
Section: (none)
Explanation
This can be seen from the Connection Profiles Tab of the Remote Access VPN configuration, where the
alias of test is being used.
QUESTION 66
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then
answer the five multiple choice questions about the ASA SSLVPN configurations.
A. The ASA has a certificate issued by an external Certificate Authority associated to the
ASDM_TrustPoint1.
B. The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method.
C. The Inside-SRV bookmark references the https://192.168.1.2 URL
D. Only Clientless SSL VPN access is allowed with the Sales group policy
E. AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface
F. The Inside-SRV bookmark has not been applied to the Sales group policy
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Correct Answer: BC
Section: (none)
Explanation
For B:
=============================
For C, Navigate to the Bookmarks tab:
A. test
B. clientless
C. Sales
D. DfltGrpPolicy
E. DefaultRAGroup
F. DefaultWEBVPNGroup
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Correct Answer: C
Section: (none)
Explanation
First navigate to the Connection Profiles tab as shown below, highlight the one with the test alias:
Then hit the “edit” button and you can clearly see the Sales Group Policy being applied.
QUESTION 68
What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
Explanation/Reference:
BD
+ Block unwanted traffic at the router. If your corporate policy does not allow TFTP traffic, just implement
ACLs that deny traffic that is not allowed.
+ Reduce spoofing attacks. For example, you can filter (deny) packets trying to enter your network (from the
outside) that claim to have a source IP address that is from your internal network.
+ Dynamic Host Configuration Protocol (DHCP) snooping to prevent a rogue DHCP server from handing
out incorrect default gateway information and to protect a DHCP server from a starvation attack
Source: Cisco Official Certification Guide, Best Practices for Protecting the Data Plane , p.271
QUESTION 69
How many crypto map sets can you apply to a router interface?
A. 3
B. 2
C. 4
D. 1
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
You must assign a crypto map set to an interface before that interface can provide IPSec services. Only
one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map-
name but a different seq-num, they are considered to be part of the same set and will all be applied to the
interface.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/
srfipsec.html#wp1018126
QUESTION 70
What is the transition order of STP states on a Layer 2 switch interface?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
+ Blocking - A port that would cause a switching loop if it were active. No user data is sent or received over
a blocking port, but it may go into forwarding mode if the other links in use fail and the spanning tree
algorithm determines the port may transition to the forwarding state. BPDU data is still received in blocking
state. Prevents the use of looped paths.
+ Listening - The switch processes BPDUs and awaits possible new information that would cause it to
return to the blocking state. It does not populate the MAC address table and it does not forward frames.
+ Learning - While the port does not yet forward frames it does learn source addresses from frames
received and adds them to the filtering database (switching database). It populates the MAC address table,
but does not forward frames.
+ Forwarding - A port receiving and sending data, normal operation. STP still monitors incoming BPDUs
that would indicate it should return to the blocking state to prevent a loop.
+ Disabled - Not strictly part of STP, a network administrator can manually disable a port
Source: https://en.wikipedia.org/wiki/Spanning_Tree_Protocol
QUESTION 71
Which sensor mode can deny attackers inline?
A. IDS
B. fail-close
C. IPS
D. fail-open
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Deny attacker inline: This action denies packets from the source IP address of the attacker for a
configurable duration of time, after which the deny action can be dynamically removed.
Available only if the sensor is configured as an IPS.
Source: Cisco Official Certification Guide, Table 17-4 Possible Sensor Responses to Detected Attacks ,
p.465
QUESTION 72
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
BD
SDEE Messages
Source: http://www.cisco.com/c/en/us/td/docs/routers/access/
cisco_router_and_security_device_manager/24/software/user/guide/IPS.html#wp1083698
QUESTION 73
When a company puts a security policy in place, what is the effect on the company's business?
A. Minimizing risk
B. Minimizing total cost of ownership
C. Minimizing liability
D. Maximizing compliance
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
The first step in protecting a business network is creating a security policy. A security policy is a formal,
published document that defines roles, responsibilities, acceptable use, and key security practices for a
company. It is a required component of a complete security framework, and it should be used to guide
investment in security defenses.
Source: http://www.cisco.com/warp/public/cc/so/neso/sqso/secsol/setdm_wp.htm
QUESTION 74
Which wildcard mask is associated with a subnet mask of /27?
A. 0.0.0.31
B. 0.0.0.27
C. 0.0.0.224
D. 0.0.0.255
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Further reading
Source: https://en.wikipedia.org/wiki/Wildcard_mask
QUESTION 75
Which statements about reflexive access lists are true? (Choose three.)
Explanation/Reference:
BD
To define a reflexive access list, you use an entry in an extended named IP access list. This entry must
use the reflect keyword.
A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated
from inside your network, with a packet traveling to the external network.
Moreover, the previous method of using the established keyword was available only for the TCP upper-
layer protocol. So, for the other upper-layer protocols (such as UDP, ICMP, and so forth), you would have to
either permit all incoming traffic or define all possible permissible source/destination host/port address pairs
for each protocol. (Besides being an unmanageable task, this could exhaust NVRAM space.)
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/
scfreflx.html#54908
QUESTION 76
Which actions can a promiscuous IPS take to mitigate an attack? (Choose three.)
Explanation/Reference:
Brad
Answer:A, B and E
Confidence level: 100%
Note: Be aware that there is a reverse version of this question, worded such as "What actions are limited
when running IPS in promiscuous mode?".
BD
Source: http://www.cisco.com/c/en/us/about/security-center/ips-mitigation.html#7
QUESTION 77
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable
syntax using the local database with no fallback method?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: C
Confidence level: 100%
Remember: The local database must be referenced in all capital letters when AAA is in use. If lower case
letters are used, the ASA will look for an AAA server group called "local".
QUESTION 78
Which Cisco Security Manager application collects information about device status and uses it to generate
notifications and alerts?
A. FlexConfig
B. Device Manager
C. Report Manager
D. Health and Performance Monitor
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Health and Performance Monitor (HPM) – Monitors and displays key health, performance and VPN data for
ASA and IPS devices in your network. This information includes critical and non-critical issues, such as
memory usage, interface status, dropped packets, tunnel status, and so on. You also can categorize
devices for normal or priority monitoring, and set different alert rules for the priority devices.
Source: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/
security_manager/4-4/user/guide/CSMUserGuide_wrapper/HPMchap.pdf
QUESTION 79
Which accounting notices are used to send a failed authentication attempt record to a AAA server?
(Choose two.)
A. Stop-record
B. Stop
C. Stop-only
D. Start-stop
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: C and D
Confidence level: 50%
Note: This is a widely debated question and my research did not turn up a concrete answer. Some users on
the securitytut forums have said that A is a correct answer.
BD
aaa accounting { auth-proxy | system | network | exec | connection | commands level | dot1x } { default | list-
name | guarantee-first } [ vrf vrf-name ] { start-stop | stop-only | none } [broadcast] { radius | group group-
name }
+ stop-only: Sends a stop accounting record for all cases including authentication failures regardless of
whether the aaa accounting send stop-record authentication failure command is configured.
+ stop-record: Generates stop records for a specified event.
For minimal accounting, include the stop-only keyword to send a “stop” accounting record for all cases
including authentication failures. For more accounting, you can include the start-stop keyword, so that
RADIUS or TACACS+ sends a “start” accounting notice at the beginning of the requested process and a
“stop” accounting notice at the end of the process.
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a1.html
On securitytut. com you can find a full description of the simulation test I did.
QUESTION 80
Which command is needed to enable SSH support on a Cisco Router?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
There are four steps required to enable SSH support on a Cisco IOS router:
+ Configure the hostname command.
+ Configure the DNS domain.
+ Generate the SSH key to be used.
+ Enable SSH transport support for the virtual type terminal (vtys).
!--- Step 1: Configure the hostname if you have not previously done so.
hostname carter
!--- The aaa new-model command causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the DNS domain of the router.
ip domain-name rtp.cisco.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 2
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet is disabled and only SSH is supported.
line vty 0 4
transport input SSH
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-
ssh.html#settingupaniosrouterasssh
QUESTION 81
Which protocol provides security to Secure Copy?
A. IPsec
B. SSH
C. HTTPS
D. ESP
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
The SCP is a network protocol, based on the BSD RCP protocol,[3] which supports file transfers between
hosts on a network. SCP uses Secure Shell (SSH) for data transfer and uses the same mechanisms for
authentication, thereby ensuring the authenticity and confidentiality of the data in transit.
Source: https://en.wikipedia.org/wiki/Secure_copy
QUESTION 82
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for
Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?
Explanation/Reference:
Brad
Answer: B
Confidence level: 100%
Note: This question has been verified by posters on securitytut who scored perfect scores on the exam.
While it is fact that the newest version of the RDP plug-in is compatible with RDP2, this question specifically
asks about Windows Vista. This is one of those "choose the best answer" scenarios.
BD
+ RDP plug-in: This is the original plug-in created that contains both the Java and ActiveX Client.
+ RDP2 plug-in: Due to changes within the RDP protocol, the Proper Java RDP Client was updated in order
to support Microsoft Windows 2003 Terminal Servers and Windows Vista Terminal Servers.
Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-
firewalls/113600-technote-product-00.html
QUESTION 83
Which security zone is automatically defined by the system?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
A zone is a logical area where devices with similar trust levels reside. For example, we could define a DMZ
for devices in the DMZ in an organization. A zone is created by the administrator, and then interfaces can
be assigned to zones. A zone can have one or more interfaces assigned to it. Any given interface can
belong to only a single zone. There is a default zone, called the self zone, which is a logical zone.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
QUESTION 84
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
BD
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or
remote access virtual private network (VPN) tunnels. IKE is a framework provided by the Internet Security
Association and Key Management Protocol (ISAKMP) and parts of two other key management protocols,
namely Oakley and Secure Key Exchange Mechanism (SKEME).
In IKE Phase 1 IPsec peers negotiate and authenticate each other. In Phase 2 they negotiate keying
materials and algorithms for the encryption of the data being transferred over the IPsec tunnel.
Source: Cisco Official Certification Guide, The Internet Key Exchange (IKE) Protocol, p.123
QUESTION 85
Which address block is reserved for locally assigned unique local addresses?
A. 2002::/16
B. 2001::/32
C. FD00::/8
D. FB00::/8
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: C
Confidence level: 100%
BD
Prefixes in the fd00::/8 range have similar properties as those of the IPv4 private address ranges:
+ They are not allocated by an address registry and may be used in networks by anyone without outside
involvement.
+ They are not guaranteed to be globally unique.
+ Reverse Domain Name System (DNS) entries (under ip6.arpa) for fd00::/8 ULAs cannot be delegated in
the global DNS.
Source: https://en.wikipedia.org/wiki/Unique_local_address
QUESTION 86
What is a possible reason for the error message?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Before you can use any of the services AAA network security services provide, you must enable AAA.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfaaa.html
QUESTION 87
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels require the client to have the application installed locally
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels support all operating systems
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: A and C
Confidence level: 90%
Note: Smart tunnels are clientless, which is why I am pretty sure B is an incorrect answer.
BD
Smart Tunnel is an advanced feature of Clientless SSL VPN that provides seamless and highly secure
remote access for native client-server applications.
Clientless SSL VPN with Smart Tunnel is the preferred solution for allowing access from non-corporate
assets as it does not require the administrative rights.
Port forwarding is the legacy technology for supporting TCP based applications over a Clientless SSL VPN
connection. Unlike port forwarding, Smart Tunnel simplifies the user experience by not requiring the
user connection of the local application to the local port.
Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf
QUESTION 88
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Source: https://learningnetwork.cisco.com/docs/DOC-25797
http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/24063-pvid-inconsistency-
24063.html
QUESTION 89
Which option describes information that must be considered when you apply an access list to a physical
interface?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-
3s-book/sec-create-ip-apply.html
QUESTION 90
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Source: https://en.wikipedia.org/wiki/Internet_Key_Exchange
QUESTION 91
Which of the following are features of IPsec transport mode? (Choose three.)
Explanation/Reference:
Brad
Answer: B, D and E
Confidence level: 100%
Note: Be aware that there is a reverse version of this question, worded such as "Which of the following are
features of IPsec tunnel mode?".
BD
+ IPSec Transport mode is used for end-to-end communications, for example, for communication
between a client and a server or between a workstation and a gateway (if the gateway is being treated as a
host). A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a
server.
+ IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts
only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode
is applicable to either gateway or host implementations, and provides protection for upper layer protocols as
well as selected IP header fields.
Source: http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html
http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/
IPsecPG1.html
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the
following:
+ IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be
supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP
packets.
+ IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol
between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a
packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not
compatible with this mode of operation.
Source: https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/
ccmigration_09186a008074f26a.pdf
QUESTION 92
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
A. no switchport nonnegotiate
B. switchport
C. no switchport mode dynamic auto
D. no switchport
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41860-howto-L3-
intervlanrouting.html
QUESTION 93
Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
The ASA supports TACACS+ server authentication with the following protocols: ASCII, PAP, CHAP, and
MS-CHAPv1.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/
asa_91_general_config/aaa_tacacs.pdf
QUESTION 94
Which type of IPS can identify worms that are propagating in a network?
A. Policy-based IPS
B. Anomaly-based IPS
C. Reputation-based IPS
D. Signature-based IPS
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
An example of anomaly-based IPS/IDS is creating a baseline of how many TCP sender requests are
generated on average each minute that do not get a response. This is an example of a half-opened
session. If a system creates a baseline of this (and for this discussion, let’s pretend the baseline is an
average of 30 half-opened sessions per minute), and then notices the half-opened sessions have increased
to more than 100 per minute, and then acts based on that and generates an alert or begins to deny packets,
this is an example of anomaly-based IPS/IDS. The Cisco IPS/IDS appliances have this ability (called
anomaly detection), and it is used to identify worms that may be propagating through the network.
QUESTION 95
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: C
Confidence level: 100%
Remember: Commands using the term "isakmp" refer to IKE phase 1. Commands using "ipsec" refer to
phase 2.
BD
A show crypto isakmp sa command shows the ISAKMP SA to be in MM_NO_STATE. This also means
that main mode has failed.
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-
debug-00.html#isakmp_sa
QUESTION 96
What is the purpose of a honeypot IPS?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Honeypot systems use a dummy server to attract attacks. The purpose of the honeypot approach is to
distract attacks away from real network devices. By staging different types of vulnerabilities in the honeypot
server, you can analyze incoming types of attacks and malicious traffic patterns.
Source: http://www.ciscopress.com/articles/article.asp?p=1336425
QUESTION 97
Which type of firewall can act on the behalf of the end device?
A. Stateful packet
B. Application
C. Packet
D. Proxy
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Application firewalls, as indicated by the name, work at Layer 7, or the application layer of the OSI model.
These devices act on behalf of a client (aka proxy) for requested services.
Because application/proxy firewalls act on behalf of a client, they provide an additional "buffer" from port
scans, application attacks, and so on. For example, if an attacker found a vulnerability in an application, the
attacker would have to compromise the application/proxy firewall before attacking devices behind the
firewall. The application/proxy firewall can also be patched quickly in the event that a vulnerability is
discovered. The same may not hold true for patching all the internal devices.
Source: http://www.networkworld.com/article/2255950/lan-wan/chapter-1--types-of-firewalls.html
QUESTION 98
Which syslog severity level is level number 7?
A. Warning
B. Informational
C. Notification
D. Debugging
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: D
Confidence level: 100%
Remember: There is a mnemonic device for remembering the order of the eight syslog levels:
0 - Emergency
1 - Alert
2 - Critical
3 - Error
4 - Warning
5 - Notification
6 - Informational
7 - Debugging
QUESTION 99
By which kind of threat is the victim tricked into entering username and password information at a disguised
website?
A. Spoofing
B. Malware
C. Spam
D. Phishing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user
is prompted to disclose confidential information such as usernames/passwords.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
QUESTION 100
Which type of mirroring does SPAN technology perform?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy
of the traffic to another port on the switch or on another switch that has been connected to a network
analyzer or other monitoring or security device.
Local SPAN supports a SPAN session entirely within one switch; all source ports or source VLANs and
destination ports are in the same switch or switch stack.
Each local SPAN session or RSPAN destination session must have a destination port (also called a
monitoring port) that receives a copy of traffic from the source ports or VLANs and sends the SPAN packets
to the user, usually a network analyzer:
+ If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at
Layer 2.
Source: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/
configuration/guide/scg_2960/swspan.html
QUESTION 101
Which tasks is the session management path responsible for? (Choose three.)
A. Verifying IP checksums
B. Performing route lookup
C. Performing session lookup
D. Allocating NAT translations
E. Checking TCP sequence numbers
F. Checking packets against the access list
Explanation/Reference:
BD
The ASA has to check the packet against access lists and perform other tasks to determine if the packet is
allowed or denied. To perform this check, the first packet of the session goes through the "session
management path," and depending on the type of traffic, it might also pass through the "control plane
path."
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/intro.html
QUESTION 102
Which network device does NTP authenticate?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
You can configure the device to authenticate the time sources to which the local clock is synchronized.
When you enable NTP authentication, the device synchronizes to a time source only if the source carries
one of the authentication keys specified by the ntp trusted-key command. The device drops any packets
that fail the authentication check and prevents them from updating the local clock. NTP authentication is
disabled by default.
Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/
configuration/guide/sm_nx_os_cg/sm_3ntp.html#wp1100303%0A
QUESTION 103
Which Cisco product can help mitigate web-based attacks within a network?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: D
Confidence level: 0%
BD
Web-based threats continue to rise. To protect your network you need a solution that prevents them. Cisco
Advanced Malware Protection (AMP) for Web Security goes beyond the basics in threat detection, URL
filtering, and application control. It provides continuous file analysis, retrospective security, and sandboxing
to help your security team catch even the stealthiest threats.
Source: http://www.cisco.com/c/en/us/products/security/advanced-malware-protection/amp-for-web-
security.html
QUESTION 104
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast
domain
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Private VLAN divides a VLAN (Primary) into sub-VLANs (Secondary) while keeping existing IP subnet and
layer 3 configuration. A regular VLAN is a single broadcast domain, while private VLAN partitions one
broadcast domain into multiple smaller broadcast subdomains.
Source: https://en.wikipedia.org/wiki/Private_VLAN
QUESTION 105
What hash type does Cisco use to validate the integrity of downloaded images?
A. Sha1
B. Sha2
C. MD5
D. Md1
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
The MD5 File Validation feature, added in Cisco IOS Software Releases 12.2(4)T and 12.0(22)S, allows
network administrators to calculate the MD5 hash of a Cisco IOS software image file that is loaded on a
device. It also allows administrators to verify the calculated MD5 hash against that provided by the user.
Once the MD5 hash value of the installed Cisco IOS image is determined, it can also be compared with the
MD5 hash provided by Cisco to verify the integrity of the image file.
Source: http://www.cisco.com/c/en/us/about/security-center/ios-image-verification.html#11
QUESTION 106
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is
enabled on an interface, as packets enter that interface the router spends an extra moment considering the
source address of the packet. It then considers its own routing table, and if the routing table does not agree
that the interface that just received this packet is also the best egress interface to use for forwarding to the
source address of the packet, it then denies the packet.
This is a good way to limit IP spoofing.
Source: Cisco Official Certification Guide, Table 10-4 Protecting the Data Plane, p.270
QUESTION 107
What is the most common Cisco Discovery Protocol version 1 attack?
A. CAM-table overflow
B. MAC-address spoofing
C. Denial of Service
D. VLAN hopping
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
CDP contains information about the network device, such as the software version, IP address, platform,
capabilities, and the native VLAN. When this information is available to an attacker computer, the attacker
from that computer can use it to find exploits to attack your network, usually in the form of a Denial of
Service (DoS) attack.
Source: https://howdoesinternetwork.com/2011/cdp-attack
QUESTION 108
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. Port security
B. Root guard
C. IP source guard
D. Dynamic port security
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: D
Confidence level: 75%
Note: According to multiple links, port security is used to mitigate CAM overflow attacks. However, I found
the following statement on a Cisco page: "A more administratively scalable solution is the implementation of
dynamic port security at the switch". Because of this, I believe the verbiage "Cisco preferred" would point to
answer D.
BD
QUESTION 109
Which option is the most effective placement of an IPS device within the infrastructure?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Firewalls are generally designed to be on the network perimeter and can handle dropping a lot of the non-
legitimate traffic (attacks, scans etc.) very quickly at the ingress interface, often in hardware.
An IDS/IPS is, generally speaking, doing more deep packet inspections and that is a much more
computationally expensive undertaking. For that reason, we prefer to filter what gets to it with the firewall
line of defense before engaging the IDS/IPS to analyze the traffic flow.
Source: https://supportforums.cisco.com/discussion/12428821/correct-placement-idsips-network-
architecture
QUESTION 110
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which
events will occur when the TACACS+ server returns an error? (Choose two.)
A. Authentication attempts to the router will be denied
B. The user will be prompted to authenticate using the enable password
C. Authentication will use the router’s local database
D. Authentication attempts will be sent to the TACACS+ server
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: B and C
Confidence level: 60%
- D is known incorrect. The router will eventually attempt to communicate with the TACACS server again,
but not immediately.
- Cisco devices store the enable password locally, and default behavior is for Cisco devices to fallback to
local authentication when a TACACS/Radius server is down or returns an error. This is why I choose
answer C.
- A user on the securitytut forums said that they labbed this scenario up and that A is a correct answer, not
C. I have no way of verifying whether that user made a mistake or not, so I am sticking with the answer my
research turned up.
BD
Two things I need to say. One, local database has nothing to do with enable secret/password as it is literally
created using username/password command combinations. Second there is no fallback safety failover with
aaa if you specify exact methods. Those exact methods are the only methods used, nothing else.
On the previous post I pasted an output for the authentication process with TACACS+ and enable. At a
point there was a timeout message which resulted in switching to the second authentication method,
ENABLE.
“Use the timeout integer argument to specify the period of time (in seconds) the router will wait for a
response from the daemon before it times out and declares an error.”
As a reference I used http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/
scftplus.html
What concerns me is „If an ERROR response is received, the network access server will typically try to use
an alternative method for authenticating the user.” It doesn’t specifically say „The router retries to connect
with the TACACS+”.
QUESTION 111
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SNMP
B. Syslog
C. SDEE
D. CSM
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
IPS produces various types of events including intrusion alerts and status events. IPS communicates
events to clients such as management applications using the proprietary RDEP2. We have also developed
an IPS-industry leading protocol, SDEE, which is a product-independent standard for communicating
security device events. SDEE is an enhancement to the current version of RDEP2 that adds extensibility
features that are needed for communicating events generated by various types of security devices.
Source: http://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/ime/imeguide/
ime_system_architecture.html
QUESTION 112
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to
prevent loops?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
First when the switches are powered on all the ports are in Blocking state (20 sec), during this time the
+ Root Bridge is elected by exchanging BPDUs
+ The other switches will elect their Root ports
+ Every network segment will choosee their Designated port
Source: https://learningnetwork.cisco.com/thread/7677
QUESTION 113
Which type of address translation should be used when a Cisco ASA is in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload
D. Dynamic PAT
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
+ Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/
cfgnat.html#wp1102744%0A
QUESTION 114
Which components does HMAC use to determine the authenticity and integrity of a message? (Choose
two.)
A. The password
B. The hash
C. The key
D. The transform set
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
BD
Source: https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
QUESTION 115
What is the default timeout interval during which a router waits for responses from a TACACS server before
declaring a timeout failure?
A. 10 seconds
B. 5 seconds
C. 15 seconds
D. 20 seconds
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout
command in global configuration mode. To restore the default, use the no form of this command.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srftacs.html
QUESTION 116
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Explanation/Reference:
BD
The ASA supports the following authentication methods with RADIUS servers:
+ PAP — For all connection types.
+ CHAP and MS-CHAPv1 — For L2TP-over-IPsec connections.
+ MS-CHAPv2 - For L2TP-over-IPsec connections
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/
asdm_71_general_config/aaa_radius.pdf
There is an alternate version of this question that replaces RADIUS with TACACS. In that case, B is correct
and F is not.
QUESTION 117
Which command initializes a lawful intercept view?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Like a CLI view, a lawful intercept view restricts access to specified commands and configuration
information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept
commands that are held within the TAP-MIB, which is a special set of simple network management protocol
(SNMP) commands that store information about calls and users.
Source: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
QUESTION 118
Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. Port security
B. DHCP snooping
C. IP source guard
D. Dynamic ARP inspection
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
BD
+ ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a
host even if an ARP request was not received.
+ DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP
packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-
the-middle attacks.
+ DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a
trusted database, the DHCP snooping binding database.
QUESTION 119
Which of the following statements about access lists are true? (Choose three.)
Explanation/Reference:
BD
Source: http://www.ciscopress.com/articles/article.asp?p=1697887
QUESTION 120
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effective
when applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective
when applied to the source
C. Extended access lists perform filtering that is based on destination and are most effective when applied
to the source
D. Extended access lists perform filtering that is based on source and are most effective when applied to
the destination
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.ciscopress.com/articles/article.asp?p=1697887
QUESTION 121
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A. CPPr
B. Parser views
C. Access control lists
D. Port security
E. CoPP
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
BD
Source: Cisco Official Certification Guide, Table 10-3 Three Ways to Secure the Control Plane , p.269
QUESTION 122
In which stage of an attack does the attacker discover devices on a target network?
A. Reconnaissance
B. Covering tracks
C. Gaining access
D. Maintaining access
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Reconnaissance: This is the discovery process used to find information about the network. It could include
scans of the network to find out which IP addresses respond, and further scans to see which ports on the
devices at these IP addresses are open. This is usually the first step taken, to discover what is on the
network and to determine potential vulnerabilities.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
QUESTION 123
Which protocols use encryption to protect the confidentiality of data transmitted between two parties?
(Choose two.)
A. FTP
B. SSH
C. Telnet
D. AAA
E. HTTPS
F. HTTP
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
BD
+ Secure Shell (SSH) provides the same functionality as Telnet, in that it gives you a CLI to a router or
switch; unlike Telnet, however, SSH encrypts all the packets that are used in the session.
+ For graphical user interface (GUI) management tools such as CCP, use HTTPS rather than HTTP
because, like SSH, it encrypts the session, which provides confidentiality for the packets in that session.
QUESTION 124
What are the primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. Switch spoofing
C. CAM-table overflow
D. Double tagging
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
BD
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN
(VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain
access to traffic on other VLANs that would normally not be accessible. There are two primary methods of
VLAN hopping: switch spoofing and double tagging.
+ In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and
trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol)
used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
+ In a double tagging attack, an attacking host connected on a 802.1q interface prepends two VLAN tags
to packets that it transmits.
Source: https://en.wikipedia.org/wiki/VLAN_hopping
QUESTION 125
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall
configuration?
A. Issue the command “anyconnect keep-installer” under the group policy or username webvpn mode
B. Issue the command ”anyconnect keep-installer installed” in the global configuration
C. Issue the command “anyconnect keep-installer installed” under the group policy or username webvpn
mode
D. Issue the command “anyconnect keep-installer installer” under the group policy or username webvpn
mode
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
@day-2 on securitytut.com
To enable permanent client installation for a specific group or user, use the anyconnect keep-installer
command from group-policy or username webvpn modes:
The default is that permanent installation of the client is enabled. The client remains on the remote
computer at the end of the session. The following example configures the existing group-policy sales to
remove the client on the remote computer at the end of the session:
Doesn’t look good to me but IF we assume that it’s not a typo, the correct answer should be ” D ” , right ??
Take a look on the URL above that says “../asa/asa93/” !!! ASA93 … keep that in mind please..
I checked every version of cisco configuration guide for the ASA anyconnect remote access VPN.
Every cisco configuration guide beyond v9.3 (9.4, 9.5, 9.6, 9.7 .. latest) doesn’t refer the ACTUAL command
to enable the feature. Only how to disable it which is the same..
However, on EVERY cisco confifuration guide BEFORE v9.3 (9.2, 9.1 .. and all the way down)
the command is referred as :
According to other pages i got from a simple google search e.g. : h???s://www.cisco????/c/en/us/support/
docs/security/asa-5500-x-series-next-generation-firewalls/100597-technote-anyconnect-00.??ml
Uninstall Automatically
Problem
The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep
installed is set to disabled.
Solution
AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security
Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command
under group-policy.
Indicates that none of the answers is correct as “svc keep-installer installed” was valid for v8.3 and below !
Indicates that “C” is correct too.. (but the asa version is not referred..)
=====================================================
BD
Entering webvpn
ciscoasa(config-group-policy)# webvpn
QUESTION 126
Which type of security control is defense in depth?
A. Threat mitigation
B. Risk analysis
C. Botnet mitigation
D. Overt and covert channels
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Defense in-depth is the key to stopping most, but not all, network and computer related attacks. It’s a
concept of deploying several layers of defense that mitigate security threats.
Source: http://security2b.blogspot.ro/2006/12/what-is-defense-in-depth-and-why-is-it.html
QUESTION 127
On which Cisco Configuration Professional screen do you enable AAA
A. Authentication Policies
B. Authorization Policies
C. AAA Summary
D. AAA Servers and Groups
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: C
Confidence level: 0%
BD
QUESTION 128
What are two uses of SIEM software? (Choose two.)
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: B and E
Confidence level: 70%
Note: C and D are definitely incorrect, and E is definitely right. I'm not completely sure about A and B.
BD
Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-
architecture/sbaSIEM_deployG.pdf
QUESTION 129
What are the three layers of a hierarchical network design? (Choose three.)
A. access
B. core
C. internet
D. user
E. server
F. distribution
Explanation/Reference:
BD
A typical enterprise hierarchical LAN campus network design includes the following three layers:
+ Access layer: Provides workgroup/user access to the network
+ Distribution layer: Provides policy-based connectivity and controls the boundary between the access and
core layers
+ Core layer: Provides fast transport between distribution switches within the enterprise campus
Source: http://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4
QUESTION 130
In which two situations should you use in-band management? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: B and C
Confidence level: 90%
QUESTION 131
What are two ways to prevent eavesdropping when you perform device-management tasks? (Choose two.)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
BD
Both SSH and SNMPv3 provide security of the packets through encryption
QUESTION 132
In which three ways does the RADIUS protocol differ from TACACS? (Choose three.)
Explanation/Reference:
BD
Source: Cisco Official Certification Guide, Table 3-2 TACACS+ Versus RADIUS, p.40
QUESTION 133
Which three statements describe DHCP spoofing attacks? (Choose three.)
Explanation/Reference:
BD
Se le scelte sono tre allora sono A D F se sono due A e D la risposta F sarà ARP POISONING e non They
use ARP Poisoning
DHCP spoofing occurs when an attacker attempts to respond to DHCP requests and trying to list
themselves (spoofs) as the default gateway or DNS server, hence, initiating a man in the middle attack.
With that, it is possible that they can intercept traffic from users before forwarding to the real gateway or
perform DoS by flooding the real DHCP server with request to choke ip address resources.
Source: https://learningnetwork.cisco.com/thread/67229
https://learningnetwork.cisco.com/docs/DOC-24355
QUESTION 134
A data breach has occurred and your company database has been copied. Which security principle has
been violated?
A. confidentiality
B. availability
C. access
D. control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Confidentiality: There are two types of data: data in motion as it moves across the network; and data at rest,
when data is sitting on storage media (server, local workstation, in the cloud, and so forth). Confidentiality
means that only the authorized individuals/ systems can view sensitive or classified information.
Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6
QUESTION 135
In which type of attack does an attacker send an email message that asks the recipient to click a link such
as https://www.cisco.net.cc/securelogs?
A. phishing
B. pharming
C. solicitation
D. secure transaction
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is
prompted to disclose confidential information such as usernames/passwords.
Phishing elicits secure information through an e-mail message that appears to come from a legitimate
source such as a service provider or financial institution. The e-mail message may ask the user to reply with
the sensitive data, or to access a website to update information such as a bank account number.
Source: Cisco Official Certification Guide, Confidentiality, Table 1-5 Attack Methods, p.13; Social
Engineering Tactics, p.29
QUESTION 136
Your security team has discovered a malicious program that has been harvesting the CEO's email
messages and the company's user database for the last 6 months. What type of attack did your team
discover? (Choose two)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
BD
An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention
to compromise their system and gain information from or about that target.
The target can be a person, an organization or a business.
Source: https://blog.malwarebytes.com/cybercrime/malware/2016/07/explained-advanced-persistent-threat-
apt/
One new malware threat has emerged as a definite concern, namely, targeted malware. Instead of
blanketing the Internet with a worm, targeted attacks concentrate on a single high-value target.
Source: http://crissp.poly.edu/wissp08/panel_malware.htm
QUESTION 137
Which statement provides the best definition of malware?
A. Malware is a collection of worms, viruses, and Trojan horses that is distributed as a single package.
B. Malware is software used by nation states to commit cyber crimes.
C. Malware is unwanted software that is harmful or destructive.
D. Malware is tools and applications that remove unwanted programs.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Malware, short for malicious software, is any software used to disrupt computer or mobile operations,
gather sensitive information, gain access to private computer systems, or display unwanted advertising.[1]
Before the term malware was coined by Yisrael Radai in 1990, malicious software was referred to as
computer viruses.
Source: https://en.wikipedia.org/wiki/Malware
QUESTION 138
What mechanism does asymmetric cryptography use to secure data?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of
keys: public keys which may be disseminated widely, and private keys which are known only to the
owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a
holder of the paired private key sent the message, and encryption, whereby only the holder of the paired
private key can decrypt the message encrypted with the public key.
Source: https://en.wikipedia.org/wiki/Public-key_cryptography
QUESTION 139
Refer to the exhibit.
A. 192.168.10.7
B. 108.61.73.243
C. 209.114.111.1
D. 132.163.4.103
E. 204.2.134.164
F. 241.199.164.101
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
The output presented is generated by the show ntp association detail command. Attributes:
+ configured: This NTP clock source has been configured to be a server. This value can also be dynamic,
where the peer/server was dynamically discovered.
+ our_master: The local client is synchronized to this peer
+ valid: The peer/server time is valid. The local client accepts this time if this peer becomes the master.
Source: http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html
QUESTION 140
Refer to the exhibit.
A. The single-connection command causes the device to establish one connection for all TACACS
transactions.
B. The single-connection command causes the device to process one TACACS request and then move to
the next server.
C. The timeout command causes the device to move to the next server after 20 seconds of TACACS
inactivity.
D. The router communicates with the NAS on the default port, TCP 1645.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
tacacs-server host host-name [port integer] [timeout integer] [key string] [single-connection] [nat]
The single-connection keyword specifies a single connection (only valid with CiscoSecure Release 1.0.1
or later). Rather than have the router open and close a TCP connection to the server each time it must
communicate, the single-connection option maintains a single open connection between the router and
the server. The single connection is more efficient because it allows the server to handle a higher number
of TACACS operations.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srftacs.html
QUESTION 141
What is the best way to confirm that AAA authentication is working properly?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
#test aaa group tacacs+ admin cisco123 legacy - A llow verification of the authentication function
working between the AAA client (the router) and the ACS server (the AAA server).
Source: Cisco Official Certification Guide, Table 3-6 Command Reference, p.68
QUESTION 142
How does PEAP protect the EAP exchange?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS
tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server.
It then creates an encrypted TLS tunnel between the client and the authentication server. In most
configurations, the keys for this encryption are transported using the server's public key.
Source: https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
QUESTION 143
What improvement does EAP-FASTv2 provide over EAP-FAST?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
As an enhancement to EAP-FAST, a differentiation was made to have a User PAC and a Machine PAC.
After a successful machine-authentication, ISE will issue a Machine-PAC to the client. Then, when
processing a user-authentication, ISE will request the Machine-PAC to prove that the machine was
successfully authenticated, too. This is the first time in 802.1X history that multiple credentials have been
able to be authenticated within a single EAP transaction, and it is known as “EAP Chaining".
Source: http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-
which-identity-projects.html
QUESTION 144
How does a device on a network using ISE receive its digital certificate during the new-device registration
process?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: C
Confidence level: 0%
BD
Source: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/
BYOD_Design_Guide/BYOD_ISE.html
QUESTION 145
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
A. It notifies the device user and proceeds with the erase operation.
B. It requests the administrator to enter the device PIN or password before proceeding with the operation.
C. It requests the administrator to choose between erasing all device data or only managed corporate data.
D. It immediately erases all data on the device.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Cisco ISE allows you to wipe or turn on pin lock for a device that is lost. From the MDM Access drop-down
list, choose any one of the following options:
+ Full Wipe — Depending on the MDM vendor, this option either removes the corporate apps or resets the
device to the factory settings.
+ Corporate Wipe — Removes applications that you have configured in the MDM server policies
+ PIN Lock — Locks the device
Source: http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/
b_ise_admin_guide_14_chapter_01001.html#task_820C9C2A1A6647E995CA5AAB01E1CDEF
QUESTION 146
What configuration allows AnyConnect to automatically establish a VPN session when a user logs in to the
computer?
A. always-on
B. proxy
C. transparent mode
D. Trusted Network Detection
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
You can configure AnyConnect to establish a VPN session automatically after the user logs in to a
computer. The VPN session remains open until the user logs out of the computer, or the session timer or
idle session timer expires. The group policy assigned to the session specifies these timer values. If
AnyConnect loses the connection with the ASA, the ASA and the client retain the resources assigned to the
session until one of these timers expire. AnyConnect continually attempts to reestablish the connection to
reactivate the session if it is still open; otherwise, it continually attempts to establish a new VPN session.
Source: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/
guide/anyconnectadmin30/ac03vpn.pdf
QUESTION 147
What security feature allows a private IP address to access the Internet by translating it to a public
address?
A. NAT
B. hairpinning
C. Trusted Network Detection
D. Certification Authority
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Now the router itself does not have a problem with IP connectivity to the Internet because the router has a
globally reachable IP address (34.0.0.3) in this example. The users are not so fortunate, however, because
they are using private IP address space, and that kind of address is not allowed directly on the Internet by
the service providers. So, if the users want to access a server on the Internet, they forward their packets to
the default gateway, which in this case is R1, and if configured to do so, R1 modifies the IP headers in
those packets and swaps out the original source IP addresses with either its own global address or a global
address from a pool of global addresses (which R1 is responsible for managing, meaning that if a packet
was destined to one of those addresses, the routing to those addresses on the Internet would forward the
packets back to R1). These are global addresses assigned by the service provider for R1’s use.
Source: Cisco Official Certification Guide, NAT Is About Hiding or Changing the Truth About Source
Addresses, p.366
QUESTION 148
Refer to the exhibit.
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel.
What action can you take to correct the problem?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Five basic items need to be agreed upon between the two VPN devices/gateways (in this case, the two
routers) for the IKE Phase 1 tunnel to succeed, as follows:
+ Hash algorithm
+ Encryption algorithm
+ Diffie-Hellman (DH) group
+ Authentication method: sed for verifying the identity of the VPN peer on the other side of the tunnel.
Options include a pre-shared key (PSK) used only for the authentication or RSA signatures (which
leverage the public keys contained in digital certificates).
+ Lifetime
The PSK used on the routers are different: test67890 and test12345
Source: Cisco Official Certification Guide, The Play by Play for IPsec, p.124
QUESTION 149
Refer to the exhibit.
Explanation/Reference:
BD
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to
IP Security protected traffic. During the IPSec security association negotiation, the peers agree to use a
particular transform set when protecting a particular data flow.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/
srfipsec.html#wp1017694
To define a transform set — an acceptable combination of security protocols and algorithms — use the
crypto ipsec transform-set global configuration command.
ESP Encryption Transform
+ esp-aes 256: ESP with the 256-bit AES encryption algorithm.
ESP Authentication Transform
+ esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended)
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-
c3.html#wp2590984165
QUESTION 150
Refer to the exhibit.
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the
given output show?
A. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
B. IKE Phase 1 main mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
C. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
D. IKE Phase 1 aggressive mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
This is the output of the #show crypto isakmp sa command. This command shows the Internet Security
Association Management Protocol (ISAKMP) security associations (SAs) built between peers - IPsec
Phase1.
MM_NO_STATE means that main mode has failed. QM_IDLE - this is what we want to see.
More on this
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-
00.html
QUESTION 151
Which statement about IOS privilege levels is true?
A. Each privilege level supports the commands at its own level and all levels below it.
B. Each privilege level supports the commands at its own level and all levels above it.
C. Privilege-level commands are set explicitly for each user.
D. Each privilege level is independent of all other privilege levels.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 152
Refer to the exhibit.
Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: A
Confidence level: 100%
Note: I have seen a lot of claims that D is the correct answer, but this is wrong. The only thing command D
does is create the user "HelpDesk" with a privilege level of 6, and sets the password for that user to "help".
Command A sets the "configure terminal" command at privilege level 9, which is a higher level than
HelpDesk has access to.
Also, some of the dumps say "Privilege exec level 9 show configure terminal" in the config and the answer
options. This is not a different version of the question, it is a mistake. The line "show configure terminal" is
not a valid command in Cisco IOS.
QUESTION 153
In the “router ospf 200” command, what does the value 200 stand for?
A. process ID
B. area ID
C. administrative distance value
D. ABR ID
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Enabling OSPF
SUMMARY STEPS
1. enable
2. configure terminal
3. router ospf process-id
4. network ip-address wildcard-mask area area-id
5. end
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/12-4t/iro-12-4t-book/
iro-cfg.html
QUESTION 154
Which feature filters CoPP packets?
A. Policy maps
B. Class maps
C. Access control lists
D. Route maps
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: C
Confidence level: 60%
Note: All the dumps say C is the correct answer. I have never been able to find anything concrete on this,
but some people say A is correct.
QUESTION 155
In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch
acts as a hub?
A. MAC spoofing
B. gratuitous ARP
C. MAC flooding
D. DoS
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
MAC address flooding is an attack technique used to exploit the memory and hardware limitations in a
switch's CAM table.
Source: http://hakipedia.com/index.php/CAM_Table_Overflow
QUESTION 156
Which type of PVLAN port allows a host in the same VLAN to communicate directly with another?
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/
CLIConfigurationGuide/PrivateVLANs.html#42874
QUESTION 157
What is a potential drawback to leaving VLAN 1 as the native VLAN?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN
(VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain
access to traffic on other VLANs that would normally not be accessible. There are two primary methods of
VLAN hopping: switch spoofing and double tagging.
+ In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and
trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol)
used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
+ In a double tagging attack, an attacking host connected on a 802.1q interface prepends two VLAN tags
to packets that it transmits.
Double Tagging can only be exploited when switches use "Native VLANs". Ports with a specific access
VLAN (the native VLAN) don't apply a VLAN tag when sending frames, allowing the attacker's fake VLAN
tag to be read by the next switch. Double Tagging can be mitigated by either one of the following actions:
+ Simply do not put any hosts on VLAN 1 (The default VLAN). i.e., assign an access VLAN other than
VLAN 1 to every access port
+ Change the native VLAN on all trunk ports to an unused VLAN ID.
+ Explicit tagging of the native VLAN on all trunk ports. Must be configured on all switches in network
autonomy.
Source: https://en.wikipedia.org/wiki/VLAN_hopping
QUESTION 158
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
(Choose three).
Explanation/Reference:
Brad
Answer: A, C and F
Confidence level: 100%
Note: The dumps say the correct answers are A, C, E. This is incorrect. See the following links:
https://supportforums.cisco.com/discussion/11809846/asa-5505-using-nat-allowing-incoming-traffic-https
https://supportforums.cisco.com/discussion/12473551/asa-what-allowing-return-http-traffic
Also, there is a modified version of this question where answers D and F are replaced with "When the
firewall receives a SYN packet" and "When the firewall receives a SYN-ACK packet". The a SYN-ACK
packet coming back from the web server establishes the TCP connection and allows requests to come
through, so this is a correct answer.
QUESTION 159
Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?
A. You must configure two zone pairs, one for each direction.
B. You can configure a single zone pair that allows bidirectional traffic flows for any zone.
C. You can configure a single zone pair that allows bidirectional traffic flows for any zone except the self
zone.
D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the
less secure zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
If you want to allow traffic between two zones, such as between the inside zone (using interfaces facing the
inside network) and the outside zone (interfaces facing the Internet or less trusted networks), you must
create a policy for traffic between the two zones, and that is where a zone pair comes into play. A zone pair,
which is just a configuration on the router, is created identifying traffic sourced from a device in one zone
and destined for a device in the second zone. The administrator then associates a set of rules (the policy)
for this unidirectional zone pair, such as to inspect the traffic, and then applies that policy to the zone pair.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
QUESTION 160
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
A. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in
transparent mode only
B. Only BPDUs from a higher security interface to a lower security interface are permitted in routed mode
C. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in routed
mode only
D. Only BPDUs from a higher security interface to a lower security interface are permitted in transparent
mode
E. ARPs in both directions are permitted in transparent mode only
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: E
Confidence level: 0%
BD
ARPs are allowed through the transparent firewall in both directions without an ACL. ARP traffic can be
controlled by ARP inspection.
QUESTION 161
Which statement about the communication between interfaces on the same security level is true?
A. Configuring interfaces on the same security level can cause asymmetric routing.
B. Interfaces on the same security level require additional configuration to permit inter-interface
communication.
C. All traffic is allowed by default between interfaces on the same security level.
D. You can configure only one interface on an individual security level.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
By default, if two interfaces are both at the exact same security level, traffic is not allowed between those
two interfaces.
To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit
the same interface, use the same-security-traffic command in global configuration mode.
Source: Cisco Official Certification Guide, The Default Flow of Traffic, p.422
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s1.html
QUESTION 162
Which IPS mode provides the maximum number of actions?
A. inline
B. promiscuous
C. span
D. failover
E. bypass
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
The first option is to put a sensor inline with the traffic, which just means that any traffic going through
your network is forced to go in one physical or logical port on the sensor.
Because the sensor is inline with the network, and because it can drop a packet and deny that packet from
ever reaching its final destination (because it might cause harm to that destination), the sensor has in fact
just prevented that attack from being carried out. That is the concept behind intrusion prevention systems
(IPS). Whenever you hear IPS mentioned, you immediately know that the sensor is inline with the traffic,
which makes it possible to prevent the attack from making it further into the network.
Source: Cisco Official Certification Guide, Difference Between IPS and IDS, p.460
QUESTION 163
How can you detect a false negative on an IPS?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
A false negative, however, is when there is malicious traffic on the network, and for whatever reason the
IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that
anything negative is going on. In the case of a false negative, you must use some third-party or external
system to alert you to the problem at hand, such as syslog messages from a network device.
QUESTION 164
What is the primary purpose of a defined rule in an IPS?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: D
Confidence level: 80%
Note: I suspect this is one of the questions I answered incorrectly on my exam. I answered C, which is the
answer I have in my study guide. However, things I have seen since have led me to believe the correct
answer is D.
QUESTION 165
Which Sourcefire secure action should you choose if you want to block only malicious traffic from a
particular end-user?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
A file policy is a set of configurations that the system uses to perform advanced malware protection and file
control, as part of your overall access control configuration.
A file policy, like its parent access control policy, contains rules that determine how the system handles files
that match the conditions of each rule. You can configure separate file rules to take different actions for
different file types, application protocols, or directions of transfer.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or
Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the
conditions of the access control rule.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/AMP-Config.html
QUESTION 166
How can FirePOWER block malicious email attachments?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
A file policy is a set of configurations that the system uses to perform advanced malware protection and file
control, as part of your overall access control configuration.
A file policy, like its parent access control policy, contains rules that determine how the system handles files
that match the conditions of each rule. You can configure separate file rules to take different actions for
different file types, application protocols, or directions of transfer.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or
Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the
conditions of the access control rule.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/AMP-Config.html
QUESTION 167
You have been tasked with blocking user access to websites that violate company policy, but the sites use
dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
A. Enable URL filtering and create a blacklist to block the websites that violate company policy
B. Enable URL filtering and create a whitelist to allow only the websites the company policy allow users to
access
C. Enable URL filtering and use URL categorization to allow only the websites the company policy allow
users to access
D. Enable URL filtering and use URL categorization to block the websites that violate company policy
E. Enable URL filtering and create a whitelist to block the websites that violate company policy
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: D
Confidence level: 100%
Remember: A whitelist does not block URLs, and a blacklist will not always work when a URL uses
dynamic IP addresses.
BD
Each website defined in the URL filtering database is assigned one of approximately 60 different URL
categories. There are two ways to make use of URL categorization on the firewall:
Block or allow traffic based on URL category —You can create a URL Filtering profile that specifies an
action for each URL category and attach the profile to a policy. Traffic that matches the policy would then be
subject to the URL filtering settings in the profile. For example, to block all gaming websites you would set
the block action for the URL category games in the URL profile and attach it to the security policy rule(s)
that allow web access. See Configure URL Filtering for more information.
Match traffic based on URL category for policy enforcement —If you want a specific policy rule to apply only
to web traffic to sites in a specific category, you would add the category as match criteria when you create
the policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply
bandwidth controls to all websites that are categorized as streaming media. See URL Category as Policy
Match Criteria for more information.
By grouping websites into categories, it makes it easy to define actions based on certain types of websites.
Source: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/url-categories
QUESTION 168
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. Signature updates
B. File reputation
C. Network blocking
D. File analysis
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: B
Confidence level: 100%
Note: Most of the dumps indicate A is the correct answer, but answer B has been verified by securitytut
users who have received perfect scores.
QUESTION 169
Which type of encryption technology has the broadest platform support to protect operating systems?
A. software
B. hardware
C. middleware
D. file-level
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Much commercial and free software enables you to encrypt files in an end-user workstation or mobile
device. The following are a few examples of free solutions:
+ GPG: GPG also enables you to encrypt files and folders on a Windows, Mac, or Linux system. GPG is
free.
+ The built-in MAC OS X Disk Utility: D isk Utility enables you to create secure disk images by encrypting
files with AES 128-bit or AES 256-bit encryption.
+ TrueCrypt: A free encryption tool for Windows, Mac, and Linux systems.
+ AxCrypt: A f ree Windows-only file encryption tool.
+ BitLocker: Full disk encryption feature included in several Windows operating systems.
+ Many Linux distributions such as Ubuntu: A llow you to encrypt the home directory of a user with built-in
utilities.
+ MAC OS X FileVault: Supports full disk encryption on Mac OS X systems.
The following are a few examples of commercial file encryption software:
+ Symantec Endpoint Encryption
+ PGP Whole Disk Encryption
+ McAfee Endpoint Encryption (SafeBoot)
+ Trend Micro Endpoint Encryption
Source: Cisco Official Certification Guide, Encrypting Endpoint Data at Rest, p.501
QUESTION 170
A proxy firewall protects against which type of attack?
A. Port Scanning
B. DDoS attacks
C. cross-site scripting attack
D. Worm traffic
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: A
Confidence level: 100%
Note: There has been some debate on this question recently. If you google "proxy protection DDoS", you
will find a number of results. However, if you read more carefully you will see that the majority of these refer
to proxy servers, not firewalls.
One of the biggest threats from XSS is injection attacks (SQL injection/buffer overflow), and this is one of
the types of attacks that proxy firewalls are designed to protect against.
BD
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications.
XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities
documented by Symantec as of 2007.
Source: https://en.wikipedia.org/wiki/Cross-site_scripting
A proxy firewall is a network security system that protects network resources by filtering messages at the
application layer. A proxy firewall may also be called an application firewall or gateway firewall. Proxy
firewalls are considered to be the most secure type of firewall because they prevent direct network contact
with other systems.
Source: http://searchsecurity.techtarget.com/definition/proxy-firewall
QUESTION 171
What is the benefit of a web application firewall?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
A Web Application Firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web
application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of
specific web applications while regular firewalls serve as a safety gate between servers. By inspecting
HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection,
Cross-Site Scripting (XSS) and security misconfigurations.
Source: https://en.wikipedia.org/wiki/Web_application_firewall
QUESTION 172
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and
sophisticated phishing attacks?
A. contextual analysis
B. holistic understanding of threats
C. graymail management and filtering
D. signature-based IPS
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Snowshoe spamming is a strategy in which spam is propagated over several domains and IP addresses to
weaken reputation metrics and avoid filters. The increasing number of IP addresses makes recognizing and
capturing spam difficult, which means that a certain amount of spam reaches their destination email
inboxes. Specialized spam trapping organizations are often hard pressed to identify and trap snowshoe
spamming via conventional spam filters.
The strategy of snowshoe spamming is similar to actual snowshoes that distribute the weight of an
individual over a wide area to avoid sinking into the snow. Likewise, snowshoe spamming delivers its weight
over a wide area to remain clear of filters.
Source: https://www.techopedia.com/definition/1713/snowshoe-spamming
Snowshoe spam, as mentioned above, is a growing concern as spammers distribute spam attack
origination across a broad range of IP addresses in order to evade IP reputation checks. The newest
AsyncOS 9 for ESA enables enhanced anti-spam scanning through contextual analysis and enhanced
automation, as well as automatic classification, to provide a stronger defense against snowshoe campaigns
and phishing attacks.
Source: http://blogs.cisco.com/security/cisco-email-security-stays-ahead-of-current-threats-by-adding-
stronger-snowshoe-spam-defense-amp-enhancements-and-more
QUESTION 173
Which NAT type allows only objects or groups to reference an IP address?
A. Static NAT
B. Dynamic NAT
C. Dynamic PAT
D. Identity NAT
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: B
Confidence level: 100%
Note: A lot of people are claiming that Dynamic PAT is the correct answer. This is also wrong. When using
dynamic PAT, you can also configure an inline host address or specify the interface address to be assigned
to an IP.
BD
* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts
and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for
dynamic NAT, and then the host IP addresses are used as a PAT fallback.
* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
nat_objects.html#61711
QUESTION 174
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next
port of an existing address?
A. next IP
B. round robin
C. dynamic rotation
D. NAT address rotation
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by
default all ports for a PAT address will be allocated before the next PAT address is used. The round-robin
method assigns an address/port from each PAT address in the pool before returning to use the first
address again, and then the second address, and so on.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
nat_objects.html#61711
QUESTION 175
Your security team has discovered a malicious program that has been harvesting the CEO's email
messages and the company's user database for the last 6 months. What are two possible types of attacks
your team discovered? (Choose two.)
A. social activism
B. Polymorphic Virus
C. advanced persistent threat
D. drive-by spyware
E. targeted malware
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
BD
An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention
to compromise their system and gain information from or about that target.
The target can be a person, an organization or a business.
Source: https://blog.malwarebytes.com/cybercrime/malware/2016/07/explained-advanced-persistent-threat-
apt/
One new malware threat has emerged as a definite concern, namely, targeted malware. Instead of
blanketing the Internet with a worm, targeted attacks concentrate on a single high-value target.
Source: http://crissp.poly.edu/wissp08/panel_malware.htm
QUESTION 176
Refer to the exhibit.
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
BD
To define a transform set — an acceptable combination of security protocols and algorithms — use the
crypto ipsec transform-set global configuration command.
ESP Encryption Transform
+ esp-aes 256: ESP with the 256-bit AES encryption algorithm.
ESP Authentication Transform
+ esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended)
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-
c3.html#wp2590984165
QUESTION 177
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
(Choose three).
Explanation/Reference:
QUESTION 178
If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism
must be in use?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Brad
Answer: A
Confidence level: 100%
Remember: The phrase "only superior BPDUs" is the key to the correct answer. BPDU guard will block a
port if *ANY* BPDU is received.
BD
Root guard allows the device to participate in STP as long as the device does not try to become the root. If
root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending
device ceases to send superior BPDUs.
Source: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html
QUESTION 179
Which Auto NAT policies are processed first ?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
All packets processed by the ASA are evaluated against the NAT table. This evaluation starts at the top
(Section 1) and works down until a NAT rule is matched. Once a NAT rule is matched, that NAT rule is
applied to the connection and no more NAT policies are checked against the packet.
+ Section 1 - Manual NAT policies: These are processed in the order in which they appear in the
configuration.
+ Section 2 - Auto NAT policies: These are processed based on the NAT type (static or dynamic) and the
prefix (subnet mask) length in the object.
+ Section 3 - After-auto manual NAT policies: These are processed in the order in which they appear in the
configuration.
Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-
firewalls/116388-technote-nat-00.html
QUESTION 180
Scenario
Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the
required ASA configurations to meet the requirements.
Note:
After you make the configuration changes in ASDM, remember to click Apply to apply the configuration
changes.
Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different
methods to configure the ASA to meet the requirements.
In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM.
A.
B.
C.
D.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Follow the explanation part to get answer on this sim question.
First, for the HTTP access we need to creat a NAT object. Here I called it HTTP but it can be given any
name.
Then, create the firewall rules to allow the HTTP access:
You can verify using the outside PC to HTTP into 209.165.201.30.
===================================
For step two, to be able to ping hosts on the outside, we edit the last service policy shown below:
And then check the ICMP box only as shown below, then hit Apply.
After that is done, we can ping www.cisco.com again to verify:
QUESTION 181
Which security term refers to a person, property, or data of value to a company?
A. Risk
B. Asset
C. Threat prevention
D. Mitigation technique
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
This is an exact question from the Cisco Official Certification Guide 210-260.
Source: Cisco Official Certification Guide, Table 1-1 “Do I Know This Already?” Section-to-Question
Mapping, p.3
QUESTION 182
What’s the technology that you can use to prevent non malicious program to run in the computer that is
disconnected from the network?
A. Firewall
B. Software Antivirus
C. Network IPS
D. Host IPS.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 183
What command could you implement in the firewall to conceal internal IP address?
A. no source-route
B. no cdp run
C. no broadcast….
D. no proxy-arp
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
The Cisco IOS software uses proxy ARP (as defined in RFC 1027) to help hosts with no knowledge of
routing determine the media addresses of hosts on other networks or subnets. For example, if the router
receives an ARP request for a host that is not on the same interface as the ARP request sender, and if the
router has all of its routes to that host through other interfaces, then it generates a proxy ARP reply packet
giving its own local data-link address. The host that sent the ARP request then sends its packets to the
router, which forwards them to the intended host. Proxy ARP is enabled by default.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/
fipr_c/1cfipadr.html#wp1001233
QUESTION 184
Which statement about college campus is true?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 185
Which firepower preprocessor block traffic based on IP?
A. Signature-Based
B. Policy-Based
C. Anomaly-Based
D. Reputation-Based
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
Access control rules within access control policies exert granular control over network traffic logging and
handling. Reputation-based conditions in access control rules allow you to manage which traffic can
traverse your network, by contextualizing your network traffic and limiting it where appropriate. Access
control rules govern the following types of reputation-based control:
+ Application conditions allow you to perform application control, which controls application traffic based on
not only individual applications, but also applications’ basic characteristics: type, risk, business relevance,
categories, and tags.
+ URL conditions allow you to perform URL filtering, which controls web traffic based on individual websites,
as well as websites’ system-assigned category and reputation.
The ASA FirePOWER module can perform other types of reputation-based control, but you do not configure
these using access control rules. For more information, see:
+ Blacklisting Using Security Intelligence IP Address Reputation explains how to limit traffic based on the
reputation of a connection’s origin or destination as a first line of defense.
+ Tuning Intrusion Prevention Performance explains how to detect, track, store, analyze, and block the
transmission of malware and other types of prohibited files.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/AC-Rules-App-URL-Reputation.html
QUESTION 186
Which command enable ospf authentication on an interface?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
This question might be incomplete. Both ip ospf authentication message-digest and area 20
authentication message-digest command enable OSPF authentication through MD5.
Use the ip ospf authentication-key interface command to specify this password. If you enable MD5
authentication with the message-digest keyword, you must configure a password with the ip ospf
message-digest-key interface command.
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
Source: Cisco Official Certification Guide, Implement Routing Update Authentication on OSPF, p.348
To enable authentication for an OSPF area, use the area authentication command in router configuration
mode. To remove an authentication specification of an area or a specified area from the configuration, use
the no form of this command.
An overall guide:
Source: https://supportforums.cisco.com/document/22961/ospf-authentication
QUESTION 187
Which component of CIA triad relate to safe data which is in transit?
A. Confidentiality
B. Integrity
C. Availability
D. Scalability
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Integrity: Integrity for data means that changes made to data are done only by authorized individuals/
systems. Corruption of data is a failure to maintain data integrity.
Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6
QUESTION 188
Which command help user1 to use enable,disable,exit&etc commands?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
To understand this example, it is necessary to understand privilege levels. By default, there are three
command levels on the router:
+ privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
+ privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
+ privilege level 15 — Includes all enable-level commands at the router# prompt.
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-
system-tacacs-/23383-showrun.html
QUESTION 189
Command ip ospf authentication key 1 is implemented in which level.
A. Interface
B. process
C. global
D. enable
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Use the ip ospf authentication-key interface command to specify this password. If you enable MD5
authentication with the message-digest keyword, you must configure a password with the ip ospf
message-digest-key interface command.
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
Source: Cisco Official Certification Guide, Implement Routing Update Authentication on OSPF, p.348
The OSPFv2 Cryptographic Authentication feature allows you to configure a key chain on the OSPF
interface to authenticate OSPFv2 packets by using HMAC-SHA algorithms. You can use an existing key
chain that is being used by another protocol, or you can create a key chain specifically for OSPFv2.
If OSPFv2 is configured to use a key chain, all MD5 keys that were previously configured using the ip ospf
message-digest-key command are ignored.
Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet0/0/0
Device (config-if)# ip ospf authentication key-chain sample1
Device (config-if)# end
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/
iro-ospfv2-crypto-authen-xe.html
In both cases OSPF and OSPFv1 the ip ospf authentication is inserted at interface level
QUESTION 190
Which line in the following OSPF configuration will not be required for MD5 authentication to work?
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
!
router ospf 65000
router-id 192.168.10.1
area 20 authentication message-digest
network 10.1.1.0 0.0.0.255 area 10
network 192.168.10.0 0.0.0.255 area 0
!
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
This is an exact question from the Cisco Official Certification Guide 210-260.
Source: Cisco Official Certification Guide, Table 13-1 “Do I Know This Already?” Section-to-Question
Mapping, p.342
QUESTION 191
Which of the following pairs of statements is true in terms of configuring MD authentication?
A. Interface statements (OSPF, EIGRP) must be configured; use of key chain in OSPF
B. Router process (OSPF, EIGRP) must be configured; key chain in EIGRP
C. Router process or interface statement for OSPF must be configured; key chain in EIGRP
D. Router process (only for OSPF) must be configured; key chain in OSPF
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
This is an exact question from the Cisco Official Certification Guide 210-260.
Source: Cisco Official Certification Guide, Table 13-1 “Do I Know This Already?” Section-to-Question
Mapping, p.343
SOURCE: http://www.ciscopress.com/store/ccna-security-210-260-official-cert-guide-9781587205668
(Update TAB > Download the errata ) < this is updates for cert guide
The correct answer changed from "Router process (only for OSPF) must be configured; key chain in
EIGRP" to "Router process or interface statement for OSPF must be configured; key chain in EIGRP"
QUESTION 192
Which two NAT types allows only objects or groups to reference an IP address? (choose two)
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
BD
* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts
and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for
dynamic NAT, and then the host IP addresses are used as a PAT fallback.
* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
nat_objects.html#61711
According to this A seems to be the only correct answer. Maybe C is correct because it allows the use of a
subnet too.
QUESTION 193
What port option in a PVLAN that can communicate with every other ports…
A. Promiscuous ports
B. Community ports
C. Ethernet ports
D. Isolate ports
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
+ Promiscuous — A promiscuous port belongs to the primary VLAN. The promiscuous port can
communicate with all interfaces, including the community and isolated host ports, that belong to those
secondary VLANs associated to the promiscuous port and associated with the primary VLAN.
+ Isolated — An isolated port is a host port that belongs to an isolated secondary VLAN. This port has
complete isolation from other ports within the same private VLAN domain, except that it can communicate
with associated promiscuous ports
+ Community — A community port is a host port that belongs to a community secondary VLAN. Community
ports communicate with other ports in the same community VLAN and with associated promiscuous ports
Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/
CLIConfigurationGuide/PrivateVLANs.html
QUESTION 194
which are two valid TCP connection states (pick 2) is the gist of the question.
A. SYN-RCVD
B. RCVD
C. SYN-WAIT
D. Closed
E. SENT
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://tcpipguide.com/free/t_TCPOperationalOverviewandtheTCPFiniteStateMachineF-2.htm
QUESTION 195
Which of the following commands result in a secure bootset? (Choose all that apply.)
A. secure boot-set
B. secure boot-config
C. secure boot-files
D. secure boot-image
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
BD
This is an exact question from the Cisco Official Certification Guide 210-260.
Source: Cisco Official Certification Guide, Table 11-1 “Do I Know This Already?” Section-to-Question
Mapping, p.276
QUESTION 196
Security well known terms Choose 2
A. Trojan
B. Phishing
C. Something LC
D. Ransomware
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
BD
Source: Cisco Official Certification Guide, Antivirus and Antimalware Solutions, p.498
If the question is asking about software then A and D are correct. But as it asks about security terms that
are well known I suppose B and D could be chosen.
QUESTION 197
What is example of social engineering
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 198
Which port should (or would) be open if VPN NAT-T was enabled
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass
through a device or firewall performing NAT.
Source: https://en.wikipedia.org/wiki/Internet_Key_Exchange
QUESTION 199
Diffie-Hellman key exchange question
A. SPAN
B. IPSEC
C. IKE
D. STP
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Source: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
QUESTION 200
Which filter uses in Web reputation to prevent from web based attackts (somthing similar)?
A. outbreak filter
B. buffer overflow filter
C. bayesian overflow filter
D. web reputation
E. exploit filtering
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
BD
=============================
I suppose given the question that D is correct. As for A all I find is related to Email security through Cisco
IronPort
Cisco IronPort Outbreak Filters provide a critical first layer of defense against new outbreaks. With this
proven preventive solution, protection begins hours before signatures used by traditional antivirus solutions
are in place. Real-world results show an average 14-hour lead time over reactive antivirus solutions.
SenderBase, the world's largest email and web traffic monitoring network, provides real-time protection.
The Cisco IronPort SenderBase Network captures data from over 120,000 contributing organizations
around the world.
Source: http://www.cisco.com/c/en/us/products/security/email-security-appliance/
outbreak_filters_index.html
QUESTION 201
What show command can see vpn tunnel establish with traffic passing through.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
#show crypto ipsec sa - This command shows IPsec SAs built between peers
In the output you see
#pkts encaps: 345, #pkts encrypt: 345, #pkts digest 0
#pkts decaps: 366, #pkts decrypt: 366, #pkts verify 0
which means packets are encrypted and decrypted by the IPsec peer.
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-
debug-00.html#ipsec_sa
QUESTION 202
Where OAKLEY and SKEME come to play? (on the exam the question asked about inside ISAKM protocol)
A. IPSec
B. IKE
C. ISAKMP
D. DES
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to
exchange keying material across an insecure connection using the Diffie–Hellman key exchange algorithm.
The protocol was proposed by Hilarie K. Orman in 1998, and formed the basis for the more widely used
Internet key exchange protocol
Source: https://en.wikipedia.org/wiki/Oakley_protocol
Source: https://www.symantec.com/security_response/glossary/define.jsp?letter=i&word=ike-internet-key-
exchange
QUESTION 203
What does the key length represent
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
In cryptography, an algorithm's key space refers to the set of all possible permutations of a keys.
If a key were eight bits (one byte) long, the keyspace would consist of 28 or 256 possible keys. Advanced
Encryption Standard (AES) can use a symmetric key of 256 bits, resulting in a key space containing 2256
(or 1.1579 × 1077) possible keys.
Source: https://en.wikipedia.org/wiki/Key_space_(cryptography)
QUESTION 204
Which type of attack is directed against the network directly:
A. Denial of Service
B. phishing
C. trojan horse
D. …
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Denial of service refers to willful attempts to disrupt legitimate users from getting access to the resources
they intend to. Although no complete solution exists, administrators can do specific things to protect the
network from a DoS attack and to lessen its effects and prevent a would-be attacker from using a system
as a source of an attack directed at other systems. These mitigation techniques include filtering based on
bogus source IP addresses trying to come into the networks and vice versa. Unicast reverse path
verification is one way to assist with this, as are access lists. Unicast reverse path verification looks at the
source IP address as it comes into an interface, and then looks at the routing table. If the source address
seen would not be reachable out of the same interface it is coming in on, the packet is considered bad,
potentially spoofed, and is dropped.
Source: Cisco Official Certification Guide, Best Practices Common to Both IPv4 and IPv6, p.332
QUESTION 205
With which technology do apply integrity, confidentially and authenticate the source
A. Certificate authority
B. IKE
C. IPSec
D. Data encryption standards
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
IPsec is a collection of protocols and algorithms used to protect IP packets at Layer 3 (hence the name of
IP Security [IPsec]). IPsec provides the core benefits of confidentiality through encryption, data integrity
through hashing and HMAC, and authentication using digital signatures or using a pre-shared key (PSK)
that is just for the authentication, similar to a password.
QUESTION 206
With which type of Layer 2 attack can you intercept traffic that is destined for one host?
A. MAC spoofing
B. CAM overflow….
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Edit: I'm reconsidering the answer for this question to be A. MAC spoofing.
Cisco implemented a technology into IOS called Port Security that mitigates the risk of a Layer 2 CAM
overflow attack.
Port Security on a Cisco switch enables you to control how the switch port handles the learning and storing
of MAC addresses on a per-interface basis. The main use of this command is to set a limit to the maximum
number of concurrent MAC addresses that can be learned and allocated to the individual switch port.
If a machine starts broadcasting multiple MAC addresses in what appears to be a CAM overflow attack, the
default action of Port Security is to shut down the switch interface
Source: http://www.ciscopress.com/articles/article.asp?p=1681033&seqNum=2
QUESTION 207
I had the “nested” question (wording has been different). Two answers ware related to hierarchy:
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 208
How to verify that TACACS+ is working?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 209
What are the challenges faced when deploying host based IPS?
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
BD
Advantages of HIPS: The success or failure of an attack can be readily determined. A network IPS sends
an alarm upon the presence of intrusive activity but cannot always ascertain the success or failure of such
an attack. HIPS does not have to worry about fragmentation attacks or variable Time to Live (TTL) attacks
because the host stack takes care of these issues. If the network traffic stream is encrypted, HIPS has
access to the traffic in unencrypted form.
Source: http://www.ciscopress.com/articles/article.asp?p=1336425&seqNum=3
QUESTION 210
Which statement about command authorization and security contexts is true?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
The capture packet function works on an individual context basis. The ACE traces only the packets that
belong to the context where you execute the capture command. You can use the context ID, which is
passed with the packet, to isolate packets that belong to a specific context. To trace the packets for a single
specific context, use the changeto command and enter the capture command for the new context.
To move from one context on the ACE to another context, use the changeto command
Only users authorized in the admin context or configured with the changeto feature can use the changeto
command to navigate between the various contexts. Context administrators without the changeto feature,
who have access to multiple contexts, must explicitly log in to the other contexts to which they have
access.
Source: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/
command/reference/ACE_cr/execmds.html
QUESTION 211
What encryption technology has broadest platform support
A. hardware
B. middleware
C. Software
D. File level
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 212
With which preprocesor do you detect incomplete TCP handshakes
A. ?
B. rate based prevention
C. ?
D. portscan detection
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Rate-based attack prevention identifies abnormal traffic patterns and attempts to minimize the impact of
that traffic on legitimate requests. Rate-based attacks usually have one of the following characteristics:
+ any traffic containing excessive incomplete connections to hosts on the network, indicating a SYN flood
attack
+ any traffic containing excessive complete connections to hosts on the network, indicating a TCP/IP
connection flood attack
+ excessive rule matches in traffic going to a particular destination IP address or addresses or coming from
a particular source IP address or addresses.
+ excessive matches for a particular rule across all traffic.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower-module-user-guide-v541/Intrusion-Threat-Detection.html
QUESTION 213
Which type of PVLAN port allows a host in the same VLAN to communicate only with promiscuous hosts?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/
CLIConfigurationGuide/PrivateVLANs.html#42874
QUESTION 214
Which type of encryption technology has the broadcast platform support?
A. Middleware
B. Hardware
C. Software
D. File-level
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 215
The first layer of defense which provides real-time preventive solutions against malicious traffic is provided
by?
A. Banyan Filters
B. Explicit Filters
C. Outbreak Filters
D. ?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 216
SSL certificates are issued by Certificate Authority(CA) are?
A. Trusted root
B. Not trusted
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 217
SYN flood attack is a form of ?
A. Reconnaissance attack
B. Denial of Service attack
C. Spoofing attack
D. Man in the middle attack
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN
requests to a target's system in an attempt to consume enough server resources to make the system
unresponsive to legitimate traffic.
Source: https://en.wikipedia.org/wiki/SYN_flood
QUESTION 218
The command debug crypto isakmp results in ?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Contains the IPsec Phase1 information. You can view the HAGLE (Hash, Authentication, DH Group,
Lifetime, Encryption) process in the output.
QUESTION 219
Which prevent the company data from modification even when the data is in transit?
A. Confidentiality
B. Integrity
C. Vailability
D. Scalability
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Integrity: Integrity for data means that changes made to data are done only by authorized individuals/
systems. Corruption of data is a failure to maintain data integrity.
Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6
QUESTION 220
The stealing of confidential information of a company comes under the scope of:
A. Reconnaissance
B. Spoofing attack
C. Social Engineering
D. Denial of Service
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
Social engineering
This is a tough one because it leverages our weakest (very likely) vulnerability in a secure system (data,
applications, devices, networks): the user. If the attacker can get the user to reveal information, it is much
easier for the attacker than using some other method of reconnaissance. This could be done through e-mail
or misdirection of web pages, which results in the user clicking something that leads to the attacker gaining
information. Social engineering can also be done in person or over the phone.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
QUESTION 221
The Oakley cryptography protocol is compatible with following for managing security?
A. IPSec
B. ISAKMP
C. Port security
D. ?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Source: https://www.symantec.com/security_response/glossary/define.jsp?letter=i&word=ike-internet-key-
exchange
QUESTION 222
Unicast Reverse Path Forwarding definition:
A. ?
B. ?
C. ?
D. ?
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
BD
Source: Cisco Official Certification Guide, Table 10-4 Protecting the Data Plane, p.270
QUESTION 223
The NAT traversal definition:
A. ?
B. ?
C. ?
D. ?
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
BD
Source: Cisco Official Certification Guide, Table 7-2 Protocols That May Be Required for IPsec, p.153
QUESTION 224
Man-in-the-middle attack definition:
A. ?
B. ?
C. ?
D. ?
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
BD
Man-in-the-middle attacks: Someone or something is between the two devices who believe they are
communicating directly with each other. The “man in the middle” may be eavesdropping or actively
changing the data that is being sent between the two parties. You can prevent this by implementing Layer 2
dynamic ARP inspection (DAI) and Spanning Tree Protocol (STP) guards to protect spanning tree. You
can implement it at Layer 3 by using routing protocol authentication. Authentication of peers in a VPN is
also a method of preventing this type of attack.
Source: Cisco Official Certification Guide, Threats Common to Both IPv4 and IPv6, p.333
QUESTION 225
Which privileged level is … by default? for user exec mode
A. 0
B. 1
C. 2
D. 5
E. 15
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
BD
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html
QUESTION 226
When is “Deny all” policy an exception in Zone Based Firewall
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
+ There is a default zone, called the self zone, which is a logical zone. For any packets directed to the
router directly (the destination IP represents the packet is for the router), the router automatically considers
that traffic to be entering the self zone. In addition, any traffic initiated by the router is considered as leaving
the self zone. By default, any traffic to or from the self zone is allowed, but you can change this policy.
+ For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones.
+ For interfaces that are members of the same zone, all traffic is permitted by default.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
QUESTION 227
Cisco Resilient Configuration Feature:
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
The following factors were considered in the design of Cisco IOS Resilient Configuration:
+ The configuration file in the primary bootset is a copy of the running configuration that was in the router
when the feature was first enabled.
+ The feature secures the smallest working set of files to preserve persistent storage space. No extra
space is required to secure the primary Cisco IOS image file.
+ The feature automatically detects image or configuration version mismatch.
+ Only local storage is used for securing files, eliminating scalability maintenance challenges from storing
multiple images and configurations on TFTP servers.
+ The feature can be disabled only through a console session
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-
mt-book/sec-resil-config.html
QUESTION 228
What are the two characteristics of IPS?
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
BD
+ Position in the network flow: Directly inline with the flow of network traffic and every packet goes through
the sensor on its way through the network.
+ Mode: Inline mode
+ The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from
another device to block future packets just as the IDS does.
Source: Cisco Official Certification Guide, Table 17-2 IDS Versus IPS, p.461
QUESTION 229
What can cause the state table of a stateful firewall to update? (choose two)
A. when connection is created
B. connection timer expired within state table
C. when packet is evaluated against the inbound access list and is …
D. outbound packets forwarded to inbound interface
E. when rate limiting is applied
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
BD
Stateful inspection monitors incoming and outgoing packets over time, as well as the state of the
connection, and stores the data in dynamic state tables. This cumulative data is evaluated, so that filtering
decisions would not only be based on administrator-defined rules, but also on context that has been built by
previous connections as well as previous packets belonging to the same connection.
Entries are created only for TCP connections or UDP streams that satisfy a defined security policy.
In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a
certain period. These stale connections are removed from the state table.
Source: https://en.wikipedia.org/wiki/Stateful_firewall
QUESTION 230
What IPSec mode is used to encrypt traffic between client and server vpn endpoints?
A. tunnel
B. Trunk
C. Aggregated
D. Quick
E. Transport
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
BD
16.02.2017
@Tullipp on securitytut.com commented:
"the IPSEC Mode question did come up. It has been been very badly worded in the dumps and I knew It
cant be right.
The question that comes in the exam is “between client and server vpn endpoints”.
So the keyword here is vpn endpoints. Not the end points like its worded in the dumps.
So the answer is transport mode."
+ IPSec Transport mode is used for end-to-end communications, for example, for communication
between a client and a server or between a workstation and a gateway (if the gateway is being treated as a
host). A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a
server.
+ IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts
only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode
is applicable to either gateway or host implementations, and provides protection for upper layer protocols as
well as selected IP header fields.
Source: http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html
http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/
IPsecPG1.html
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the
following:
+ IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be
supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP
packets.
+ IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol
between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a
packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not
compatible with this mode of operation.
Source: https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/
ccmigration_09186a008074f26a.pdf
QUESTION 231
Which command is used to verify VPN connection is operational (or something like that) ?
A. crypto ipsec sa
B. show crypto isakmp sa
C. show crypto ipsec sa
D. show crypto generate rsa
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
#show crypto ipsec sa - This command shows IPsec SAs built between peers
which means packets are encrypted and decrypted by the IPsec peer.
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-
debug-00.html#ipsec_sa
QUESTION 232
What is the command to authenticate an NTP time source? (something in those lines)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Source: Cisco Official Certification Guide, Example 11-15 Using Authentication via Keys with NTPv3, p.314
QUESTION 233
How can you allow bidirational traffic? (something in those lines)
A. static NAT
B. dynamic NAT
C. dynamic PAT
D. multi-NAT
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
BD
Bidirectional initiation—Static NAT allows connections to be initiated bidirectionally, meaning both to the
host and from the host.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/
nat_overview.html
QUESTION 234
Which option is the default value for the Diffie–Hellman group when configuring a site-to-site VPN on an
ASA device?
A. Group 1
B. Group 2
C. Group 7
D. Group 5
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 235
What two devices are components of the BYOD architecture framework? (Choose two)
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 236
Where does the Datacenter operate ?
A. Distribution
B. Access
C. Core
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 237
Which option is the cloud based security service from Cisco that provides URL filtering web browsing
content security, and roaming user protection?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 238
Which product can be used to provide application layer protection for TCP port 25 traffic?
A. ESA
B. CWS
C. WSA
D. ASA
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 239
HIPS and NIPS
You need to place these 7 options into HIPS and NIPS. Each section has 4 choices which means one out of
these 7 options goes into both.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
User JS from securitytut.com
QUESTION 240
What two actions would the zone base firewall when looking at the traffic?
A. drop
B. inspect
C. forward
D. ...
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 241
Which label is given to a person who uses existing computer scripts to hack into computers lacking the
expertise to write their own?
A. script kiddy
B. white hat hacker
C. phreaker
D. hacktivist
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 242
Regarding PVLAN diagram question:
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
JS
Host 3 is not part of anyh PVLAN. It is also connected to switch.
So, Host 3 was not an option otherwise it could also be an answer.
QUESTION 243
nat (inside,outside) dynamic interface
A. static PAT
B. static NAT
C. dynamic PAT
D. dynamic NAT
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Mr.W
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/
nat_objects.html
QUESTION 244
Which two characteristics of an application layer firewall are true? (Choose two)
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Brad
QUESTION 245
SIEM Functions (Choose two)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
BD
QUESTION 246
Within an 802.1X enabled network with the Auth Fail feature configured, when does a switch port get placed
into a restricted VLAN?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Il sito vceguide riporta come risposta esatta
"When 802.1X is not globally enabled on the Cisco catalyst switch"
http://vceguide.com/when-does-a-switch-port-get-placed-into-a-restricted-vlan/
QUESTION 247
What configure mode you used for the command ip ospf authentication-key (something) ?
A. global
B. priviliged
C. in-line
D. interface
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
ip ospf authentication-key is used under interface configuration mode, so it’s in interface level, under
global configuration mode. If it asks about interface level then choose that.
interface Serial0
ip address 192.16.64.1 255.255.255.0
ip ospf authentication-key c1$c0
Example:
Router(config-if)# ip ospf authentication-key 1
Assigns a password to be used by neighboring OSPF routers on a network segment that is using the OSPF
simple password authentication.
QUESTION 248
What is the actual IOS privilege level of User Exec mode?
A. 5
B. 0
C. 1
D. 15
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
BD
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands:
user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional
levels of access to commands, called privilege levels, to meet the needs of your users while protecting the
system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the
most restricted level, to level 15, which is the least restricted level.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
QUESTION 249
Which option is a weakness in an information system that an attacker might leverage to gain unauthorized
access to the system or its data?
A. hack
B. mitigation
C. risk
D. vulnerability
E. exploit
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
BD
QUESTION 250
which of the Diffie-Hellman group are support by cisco VPN Product (Choose all that apply?
A. Group1
B. Group2
C. Group3
D. Group5
E. Group7
F. Group8
G. Group9
Explanation/Reference:
QUESTION 251
what type of Diffie-Hellman group would you expect to be utiliazed on a wireless device ?
A. Group4
B. Group7
C. Group5
D. Group3
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 252
which of the following are IKE modes? (choose all and apply)
A. Main Mode
B. Fast Mode
C. Aggressive Mode
D. Quick Mode
E. Diffie-Hellman Mode
Explanation/Reference:
Answer A - C and E are correct. Main mode and aggressive mode are in IKE phase 1 negotiation and quick
mode is in IKE phase 2
https://books.google.it/books?id=Qj3cDnFEezwC&pg=PA26&lpg=PA26&dq=A+Main+Mode+B+Fast+Mode
+C+Aggressive+Mode+D+Quick+Mode+E+Diffie-Hellman
+Mode&source=bl&ots=wtOjtQ_1YX&sig=oy53zgxqRf3MR7wkMWjb4ypXses&hl=it&sa=X&ved=0ahUKEwi
7hcX7iozWAhVMvBQKHWHWA6QQ6AEIJjAA#v=onepage&q&f=false
QUESTION 253
which IPS deployment is not most secure but best for network throughput?
A. ??
B. Promiscuous
C. ??
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 254
which ports need to be active for AAA server to integrate with Microsoft AD
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 255
phising method on the phone
A. mishing
B. vishing
C. phishing
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 256
Referring to CIA (confidentiality,Integrity and Availability), where would a hash-only make more sense.
A. Data on File
B. Data at Rest
C. ??
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Confidentiality
Confidentiality ensures that data is only viewable by authorized users. In other words, the goal of
confidentiality is to prevent the unauthorized disclosure of information. Loss of confidentiality indicates that
unauthorized users have been able to access information.
If there is a risk of sensitive data falling into the wrong hands, it should be encrypted to make it unreadable.
This includes encrypting data at rest and data in motion. Data at rest is any data stored as a file on a
hard drive, mobile device, or even a USB flash drive. Data in motion is any data traveling over a
network. AES is the most common symmetric encryption protocol used to encrypt data at rest. SSH, IPsec,
SSL, and TLS are some common encryption protocols used to encrypt data in motion.
Additionally, data should be protected with access controls to enforce confidentiality.
QUESTION 257
At which Layer Data Center Operate?
A. ??
B. Data Center
C. ??
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 258
How can you stop reconnaissance attack with cdp? In order to protect the switch from reconnaissance
attack when using CDP?
A. ??
B. Disable CDP on ports connected to end points (or Disable CPD on edfe ports)
C. Disable CPD on trunk ports
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 259
which Firepower Management Center feature detects and blocks exploits and hack attempts
A. content blocker
B. AMP - Advance Malware Protection
C. file control
D. intrusion prevention
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 260
IPS mode for best n/w throughput?
A. ??
B. ??
C. Promiscuous
D. ??
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 261
What is the best way to confirm that AAA authentication is working properly?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 262
Zone based firewall
A. ??
B. zones must be made before applying interfaces
C. enable zones first
D. ??
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 263
What does the command crypto isakmp nat-traversal do?
A. ??
B. Enables udp port 4500 on all IPsec enabled interfaces
C. ??
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 264
Why ipsec tunnel is not working?
A. ??
B. because the ASA can’t receive packets from remote endpoint
C. ??
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 265
What data is transferred during DH for making pub/prive key (something similar) - What known number/
sequence something like that) starts off the key
A. Prime Integer
B. Random number
C. ??
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Si parla di scelta del Secret Random Number da parte degli interlocutori che dovranno scambiarsi le chiavi
pubbliche.
https://www.slideshare.net/samehelhakim/introduction-to-vpn-47256821
QUESTION 266
Dos attack difficult to discover?
A. Syn-flood attack
B. Peer-to-peer attacks
C. Low-rate dos attack
D. Trojan
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 267
Protocols supported in contest aware VRF over VRF lite?
A. Multicast
B. EIGRP
C. OSPF
D. Unicast
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 268
question about show crypto isakmp sa ?
A. ??
B. Remote peer was not able to encrypt the packet,
C. ??
D. ??
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 269
what are the quantifiable things you would verify before introducing new technology in your company?
A. exploit
B. Risk
C. vulnerability
D. virus
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 270
Which is a key security component of MDM deployment?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 271
Which three statements about Cisco host-based IPS solution are true? (Choose three)
Explanation/Reference:
Answer: ADF
Explanation:
The key word here is 'Cisco', and Cisco's host-based IPS, CSA, is NOT signature-based and
CAN view encrypted files.
QUESTION 272
Which two statements describe DHCP spoofing attacks? (Choose Two.)
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Replica della domanda Q133 sorgente "http://vceguide.com/which-two-statements-describe-dhcp-spoofing-
attacks/"
BD
DHCP spoofing occurs when an attacker attempts to respond to DHCP requests and trying to list
themselves (spoofs) as the default gateway or DNS server, hence, initiating a man in the middle attack.
With that, it is possible that they can intercept traffic from users before forwarding to the real gateway or
perform DoS by flooding the real DHCP server with request to choke ip address resources.
Source: https://learningnetwork.cisco.com/thread/67229
https://learningnetwork.cisco.com/docs/DOC-24355
QUESTION 273
Within an 802.1X enabled network with the Auth Fail feature configured, when does a switch port get placed
into a restricted VLAN?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Replica della Q246
Il sito vceguide riporta come risposta esatta
"When 802.1X is not globally enabled on the Cisco catalyst switch"
http://vceguide.com/when-does-a-switch-port-get-placed-into-a-restricted-vlan/
QUESTION 274
Self zone (2 option)?
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Replica della domanda Q133 sorgente "http://vceguide.com/which-two-statements-describe-dhcp-spoofing-
attacks/"
BD
DHCP spoofing occurs when an attacker attempts to respond to DHCP requests and trying to list
themselves (spoofs) as the default gateway or DNS server, hence, initiating a man in the middle attack.
With that, it is possible that they can intercept traffic from users before forwarding to the real gateway or
perform DoS by flooding the real DHCP server with request to choke ip address resources.
Source: https://learningnetwork.cisco.com/thread/67229
https://learningnetwork.cisco.com/docs/DOC-24355
QUESTION 275
Which two ESP fields can be encrypted during transmission? (Choose Two.)
A. Padding
B. Sequence Number
C. Pad Length
D. Security Parameter Index
E. MAC Address
F. Next Header
Correct Answer: CF
Section: (none)
Explanation
Explanation/Reference:
BD
The packet begins with two 4-byte fields (Security Parameters Index (SPI) and Sequence Number).
Following these fields is the Payload Data, which has substructure that depends on the choice of encryption
algorithm and mode, and on the use of TFC padding, which is examined in more detail later. Following the
Payload Data are Padding and Pad Length fields, and the Next Header field. The optional Integrity Check
Value (ICV) field completes the packet.
Source: https://tools.ietf.org/html/rfc4303#page-14
QUESTION 276
What is a benefit of a web application firewall?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Replica della Q246
Il sito vceguide riporta come risposta esatta
"When 802.1X is not globally enabled on the Cisco catalyst switch"
http://vceguide.com/when-does-a-switch-port-get-placed-into-a-restricted-vlan/
QUESTION 277
Which two characteristics of the TACACS+ protocol are true? (Choose two.)
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 278
You are the security administrator for a large enterprise network with many remote locations. You have
been given the assignment to deploy a Cisco IPS solution.
Where in the network would be the best place to deploy Cisco IOS IPS?
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 279
Refer to the exhibit. Which statement about this output is true?
A. The user logged into the router with the incorrect username and password.
B. The login failed because there was no default enable password.
C. The login failed because the password entered was incorrect.
D. The user logged in and was given privilege level 15.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 280
Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)
A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
B. authenticating administrator access to the router console port, auxiliary port, and vty ports
C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates
D. tracking Cisco NetFlow accounting statistics
E. securing the router by locking down all unused services
F. performing router commands authorization using TACACS+
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.htm l
Need for AAA Services
Security for user access to the network and the ability to dynamically define a user's profile to gain access
to network resources has a legacy dating back to
asynchronous dial access. AAA network security services provide the primary framework through which a
network administrator can set up access control on
network points of entry or network access servers, which is usually the function of a router or access server.
Authentication identifies a user; authorization determines what that user can do; and accounting monitors
the network usage time for billing purposes. AAA
information is typically stored in an external database or remote server such as RADIUS or TACACS+.
The information can also be stored locally on the access server or router. Remote security servers, such as
RADIUS and TACACS+, assign users specific
privileges by associating attribute-value (AV) pairs, which define the access rights with the appropriate user.
All authorization methods must be defined through
QUESTION 281
On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 282
Which aaa accounting command is used to enable logging of the start and stop records for user terminal
sessions on the router?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 283
Refer to the below. Which statement about this debug output is true?
A. A. The requesting authentication request came from username GETUSER.
B. B. The TACACS+ authentication request came from a valid user.
C. C. The TACACS+ authentication request passed, but for some reason the user's connection was closed
immediately.
D. D. The initiating connection request was being spoofed by a different source address.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 284
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router?
(Choose two.)
A. A. syslog
B. B. SDEE
C. C. FTP
D. D. TFTP
E. E. SSH
F. F. HTTPS
Correct Answer: BF
Section: (none)
Explanation
Explanation/Reference:
Explanation:
B-F
QUESTION 285
Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip 192.16.1.0
0.0.0.255 any, what would be the resulting dynamically
configured ACL for the return traffic on the outside ACL?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 286
Which two options are advantages of an application layer firewall? (Choose two.)
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
B-E
QUESTION 287
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router
when some of the router interfaces are assigned to a
zone? (Choose three.)
A. A. traffic flowing between a zone member interface and any interface that is not a zone member
B. B. traffic flowing to and from the router interfaces (the self zone)
C. C. traffic flowing among the interfaces that are members of the same zone
D. D. traffic flowing among the interfaces that are not assigned to any zone
E. E. traffic flowing between a zone member interface and another interface that belongs in a different
zone
F. F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD
Section: (none)
Explanation
Explanation/Reference:
BCD
QUESTION 288
Which statement is a benefit of using Cisco IOS IPS?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 289
When AAA login authentication is configured on Cisco routers, which two authentication methods should be
used as the final method to ensure that the
administrator can still log in to the router in case the external AAA server fails? (Choose two.)
A. A. group RADIUS
B. B. group TACACS+
C. C. local
D. D. krb5
E. E. enable
F. F. if-authenticated
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
CE
QUESTION 290
What are two challenges faced when deploying host-level IPS? (Choose Two)
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
AB
QUESTION 291
Which option is a characteristic of the RADIUS protocol?
A. A. uses TCP
B. B. offers multiprotocol support
C. C. combines authentication and authorization in one process
D. D. supports bi-directional challenge
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
C
QUESTION 292
Which statement about zone-based firewall configuration is true?
A. A. nested object-class
B. B. class-map
C. C. extended wildcard matching
D. D. object groups
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
D
QUESTION 293
Which statement about zone-based firewall configuration is true?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
C
QUESTION 294
What are two challenges faced when deploying host-level IPS? (Choose Two)
Explanation/Reference:
ABCGH
QUESTION 295
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration
Professional IPS wizard? (Choose four.)
Explanation/Reference:
ABDF
QUESTION 296
What’s the highest security level can be applied to an ASA interface?
A. 0
B. 50
C. 100
D. 200
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
C
QUESTION 297
How will the traffic be affected if policy from the self zone is removed ?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Da verificare
QUESTION 298
How will SDM be accessed ?
A. from pc
B. from mobile
C. from router flash
D. from some cisco web portal
E. ..............
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
a
da verificare
QUESTION 299
Drag and Drop with hashing and encryption technologies obsoletes and legacy
DES/3DES/MD5/HMAC-MD5/SHA1
Explanation/Reference: