1 question.
2) The question was about mixed ACLs and object groups. I chose “You can mix IPv4 and IPv6 addresses in the same ACE” and “You can mix IPv4 and IPv6 entries in network object group”. So, get confident with that topic as well.
Hacker is intercepting CDP packets in the network. Which info can he get from captured CDP packets? I chose “VTP Domain”, “Hardware Platform”, “Device ID or something like this”. You can find that info in “show cdp neighbors detail” output, or get more info on the CDP protocol from Cisco docs to be confident with that.
3) Prime Infrastructure admin discovers the network and wants to use Web Services
Management Agent for configuring devices. Which protocol allows use of WSMA?
– Telnet
– SSHv2
– SNMPv2
– SNMPv3
I chose “SSHv2” as it is a valid protocol supporting WSMA on PI. (You can find some info on that at the following link: https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-3/user/guide/bk_CiscoPrimeInfrastructure_3_3_0_UserGuide/bk_CiscoPrimeInfrastructure_3_3_0_UserGuide_chapter_0100010.html#task_1114937)
–2
–4
–6
–8
I chose “2” as I have experience with PI in HA deployment mode and there are just a Primary and a Secondary PI. (BTW, check it out for more confidence.)
5) D&D question with ASA capture parameters. You must map correct options (from left
column) to “asp-drop”, “data_path”, and “ethertype” (on right column). I can’t recall all options
from left column, so get more info on ASA capture options to be confident with that question.
6) You are going to add ASA to CSM (Cisco Security Manager). Which port on ASA must be
reachable for CSM to succeed?
– 21
– 22
– 80
– 443
I chose “443”. Again, get more info on that topic.
7) You are a network engineer at some company. There are issues with Internet access. Which capture ACL must be used in order to capture only return web traffic?
I chose “permit tcp any eq 80 10.10.1.0 255.255.255.0” (the network IP is one I chose just as an example).
There were two options that matched word for word what is in the Cisco doc (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html).
Again, read carefully about the DHCP Snooping topic in order to feel confident on that.
9) There is a web server that runs on TCP port 1521. Assuming the ASA uses the default inspection policy, which protocol inspection will be used?
– MGCP
– HTTP
– HTTPS
– SQL*Net
I chose “HTTP” and now I know that I made a mistake. The correct one must be “SQL*Net” as TCP/1521 is its port.
(https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_overview.html#wp1536127)
10) There was a question about Storm Control best practices. I can’t recall my second answer, but the first was “Enable it on PortChannel interface instead of physical”. The question was simple, and if you read and understand the Storm Control topic carefully, you will win.
11) There is some custom application that, on the first communication channel, negotiates a second data channel for data transfer. What allows traffic from the second negotiated data channel?
I chose “inspection”. The question was quite simple.
12) SSHv2 is not explicitly allowed on the router by the command “ip ssh version 2”. Which statement is true? I chose “both SSHv1 and SSHv2 are allowed”.
Extremely simple and intuitive D&D; don’t even worry about it.
14) There was some question about Nexus1000V (I can’t exactly recall it, something about
where to apply security policies for group of VMs instead of applying it directly on interface):
– port group
– port profile
– security group
– security profile
I chose “port profile” as this was the only thing familiar to me about Nexus1000V. Again, get more info on that topic as well.
15) Which command enables uRPF on a router’s interface? I chose “ip verify unicast source reachable-via interface_name”.
16) D&D about Syslog levels, but there were just 4-to-4 options:
– 1 –> Alert
– 2 –> Critical
– 5 –> Notification
– 6 –> Informational (or 7 –> Debugging)
NEW QUESTION 301
When will a Cisco ASA that is operating in transparent firewall mode perform a routing table
lookup instead of a MAC address table lookup to determine the outgoing interface of a packet?
Answer: D
A. uRPF
B. TCP intercept
C. botnet traffic filter
D. scanning threat detection
E. IPS (IP audit)
Answer: A
A. TCP normalizer
B. TCP intercept
C. ip verify command
D. established command
E. tcp-map and tcp-options commands
Answer: D
Answer: BC
Answer: AD
A. Remove all the pre 8.3 NAT configurations in the startup configuration.
B. Upgrade the memory on the Cisco ASA appliance to meet the memory requirement of Cisco ASA Software Version 8.3.
C. Request new Cisco ASA licenses to meet the 8.3 licensing requirement.
D. Upgrade Cisco ASDM to version 6.2.
E. Migrate interface ACL configurations to include interface and global ACLs.
Answer: B
A. telnet 192.168.1.1 22
B. ssh -l username 192.168.1.1
C. traceroute 192.168.1.1 22
D. ping tcp 192.168.1.1 22
E. packet-tracer input inside tcp 10.0.1.1 2043 192.168.4.1 ssh
Answer: D
NEW QUESTION 308
By default, which traffic can pass through a Cisco ASA that is operating in transparent mode
without explicitly allowing it using an ACL?
A. ARP
B. BPDU
C. CDP
D. OSPF multicasts
E. DHCP
Answer: A
Answer: C
Answer: D
You want to enable SSHv2 but you did not configure correction. What will the response be?
I chose “access-list capture permit tcp host x.x.x.x any eq 80” (x.x.x.x is the host IP address).
In which cases will DHCP Snooping drop DHCP packets?
Someone suggested this, but I didn’t check before my exam. There were two options that matched word for word what is in the Cisco doc (https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html):
– The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.
That is all I remember; I was saturated with the lab a bit. Looking for where the access is: just click on the Admin PC.