5-Security & Wirelesss_14548711_2023_01_05_20_24

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Question 22 What is the role of a firewall in an enterprise network? A. determines which packets are allowed to cross from unsecured to secured networks B. processes unauthorized packets and allows passage to less secure segments of the network C. forwards packets based on stateless packet inspection D. explicitly denies all packets from entering an administrative domain

A

Question 1 AAA stands for authentication, authorization, and accounting. A. False B. True

B

Question 118 What is one reason to implement LAG on a Cisco WLC? A. to increase security and encrypt management frames B. to provide link redundancy and load balancing C. to allow for stateful and link-state failover D. to enable connected switch ports to failover and use different VLANs

B

Question 127 Which protocol uses the SSL? A. HTTP B. HTTPS C. SSH D. Telnet

B

Question 13 What is a reason to configure a trunk port that connects to a WLC distribution port? A. Eliminate redundancy with a link failure in the data path. B. Allow multiple VLAN to be used in the data path. C. Provide redundancy if there is a link failure for out-of-band management. D. Permit multiple VLANs to provide out-of-band management.

B

Question 1 A network administrator enabled port security on a switch interface connected to a printer. What is the next configuration action in order to allow the port to learn the MAC address of the printer and insert it into the table automatically? A. implement auto MAC address learning B. implement static MAC addressing. C. enable sticky MAC addressing D. enable dynamic MAC address learning

C

Question 106 What provides centralized control of authentication and roaming in an enterprise network? A. a lightweight access point B. a firewall C. a wireless LAN controller D. a LAN switch

C

Question 11 Where does a switch maintain DHCP snooping information? A. in the CAM table B. in the VLAN database C. in the DHCP binding database D. in the MAC address table

C

Question 2 An organization secures its network with secret p@ss1234 using an authenticator app on employee smartphones. How is the application secured in the case of a user's smartphone being lost or stolen? A. The application requires an administrator password to reactivated after a configured interval. B. The application verifies that the user is in a specific location before it provides the second factor. C. The application requires the user to enter a PIN before it provides the second factor. D. The application challenges a user by requiring an administrator password to reactivate when the smartphone is rebooted.

C

Question 26 An engineer is configuring remote access to a router from IP subnet 10.139.58.0/28. The domain name, crypto keys, and SSH have been configured. Which configuration enables the traffic on the destination router? A. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.248 ip access-group 10 in ip access-list standard 10 permit udp 10.139.58.0 0.0.0.7 host 10.122.49.1 eq 22 B. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.252 ip access-group 105 in ip access-list standard 105 permit tcp 10.139.58.0 0.0.0.7 eq 22 host 10.122.49.1 C. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.252 ip access-group 110 in ip access-list extended 110 permit tcp 10.139.58.0 0.0.0.15 host 10.122.49.1 eq 22 D. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.240 access-group 120 in ip access-list extended 120 permit tcp 10.139.58.0 255.255.255.248 any eq 22

C

Question 3 Which type of security program is violated when a group of employees enters a building using the ID badge of only one person? A. intrusion detection B. user awareness C. physical access control D. network authorization

C

Question 35 How does encryption protect the wireless network? A. via integrity checks to identify wireless forgery attacks in the frame B. via specific ciphers to detect and prevent zero-day network attacks C. via an algorithm to change wireless data so that only the access point and client understand it D. via a policy to prevent unauthorized users from communicating on the wireless network

C

Question 20 Which access point mode relies on a centralized controller tor management, roaming, and SSID configuration? A. repeater mode B. bridge mode C. lightweight mode D. autonomous mode

C Explanation Lightweight: The term 'lightweight' refers to the fact that these devices cannot work independently. A Cisco lightweight AP (LAP) has to join a Wireless LAN Controller (WLC) to function.

Question 17 What is a role of access points in an enterprise network? A. connect wireless devices to a wired network B. support secure user logins to devices or the network C. integrate with SNMP in preventing DDoS attacks D. serve as a first line of defense in an enterprise network

A

Question 18 How does a Cisco Unified Wireless network respond to Wi-Fi channel overlap? A. It alternates automatically between 2.4 GHz and 5 GHz on adjacent access points B. It allows the administrator to assign channels on a per-device or per-interface basis. C. It segregates devices from different manufacturers onto different channels. D. It analyzes client load and background noise and dynamically assigns a channel.

A

Question 34 Refer to the exhibit. An access list is created to deny Telnet access from host PC-1 to RTR-1 and allow access from all other hosts. A Telnet attempt from PC-2 gives this message:"% Connection refused by remote host". Without allowing Telnet access from PC-1, which action must be taken to permit the traffic? A. Add the access-list 10 permit any command to the configuration B. Remove the access-class 10 in command from line vty 0 4. C. Add the ip access-group 10 out command to interface g0/0. D. Remove the password command from line vty 0 4.

A

Question 4 Refer to the exhibit. What configuration on R1 denies SSH access from PC-1 to any R1 interface and allows all other traffic? A. access-list 100 deny tcp host 172.16.1.33 any eq 22 access-list 100 permit ip any any line vty 0 15 access-class 100 in B. access-list 100 deny tcp host 172.16.1.33 any eq 22 access-list 100 permit ip any any interface GigabitEthernet0/0 ip access-group 100 in C. line vty 0 15 access-class 100 in access-list 100 deny tcp host 172.16.1.33 any eq 23 access-list 100 permit ip any any D. access-list 100 deny tcp host 172.16.1.33 any eq 23 access-list 100 permit ip any any line vty 0 15 access-class 100 in

A

Question 58 Which remote access protocol provides unsecured remote CLI access? A. Telnet B. SSH C. console D. Bash

A

Question 7 What is a function of Wireless LAN Controller? A. send LWAPP packets to access points B. use SSIDs to distinguish between wireless clients C. register with a single access point that controls traffic between wired and wireless endpoints D. monitor activity on wireless and wired LANs

A

Question 88 How does authentication differ from authorization? A. Authentication verifies the identity of a person accessing a network, and authorization determines what resource a user can access. B. Authentication is used to determine what resources a user is allowed to access, and authorization is used to track what equipment is allowed access to the network C. Authentication is used to verify a person's identity, and authorization is used to create syslog messages for logins D. Authentication is used to record what resource a user accesses, and authorization is used to determine what resources a user can access

A

Question 33 Which implementation provides the strongest encryption combination for the wireless environment? A. WPA2 + AES B. WPA + AES C. WEP D. WPA + TKIP

A Explanation AES is a more secure encryption protocol introduced with WPA2 and it is currently the strongest encryption type for WPA2-PSK.

Question 100 Which type of network attack overwhelms the target server by sending multiple packets to a port until the half-open TCP resources of the target are exhausted? A. SYN flood B. reflection C. teardrop D. amplification

A Explanation A SYN flood (half-open attack) is a type of denial-of-service (DDoS) attack which aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets, the attacker is able to overwhelm all available ports on a targeted server machine, causing the targeted device to respond to legitimate traffic sluggishly or not at all.

Question 3 An engineer observes high usage on the 2.4GHz channels and lower usage on the 5GHz channels. What must be configured to allow clients to preferentially use 5GHz access points? A. Client Band Select B. OEAP Split Tunnel C. 11ac MU-MIMO D. Re-Anchor Roamed Clients

A Explanation Band selection works by regulating probe responses to clients and it can be enabled on a per- WLAN basis. It makes 5-GHz channels more attractive to clients by delaying probe responses to clients on 2.4-GHz channels. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config- guide/b_cg83/b_cg83_chapter_011100.html

Question 5 Refer to the exhibit. An administrator configures the following ACL in order to prevent devices on the 192.168.1.0 subnet from accessing the server at 10.1.1.5: Where should the administrator place this ACL for the most efficient use of network resources? A. inbound on router A Fa0/0 B. outbound on router B Fa0/0 C. outbound on router A Fa0/1 D. inbound on router B Fa0/1

A Explanation By placing the ACL closest to the source, we can reduce unnecessary traffic passing between two routers and the processing time of the router.

Question 62 Refer to the exhibit. What must be configured to enable 802.11w on the WLAN? A. Set PMF to Required B. Enable MAC Filtering C. Enable WPA Policy D. Set Fast Transition to Enabled

A Explanation Configuring 802.11w (GUI) Procedure Step 1 Choose WLANs > WLAN ID to open the WLANs > Edit page. Step 2 In the Security tab, choose the Layer 2 security tab. Step 3 From the Layer 2 Security drop-down list, choose WPA+WPA2. The 802.11w IGTK Key is derived using the 4-way handshake, which means that it can only be used on WLANs that are configured for WPA2 security at Layer 2. Note: WPA2 is mandatory and encryption type must be AES. TKIP is not valid. Step 4 Choose the PMF state from the drop-down list The following options are available: Disabled—Disables 802.11w MFP protection on a WLAN Optional—To be used if the client supports 802.11w. Required—Ensures that the clients that do not support 802.11w cannot associate with the WLAN. Reference: https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_01001100.html.xml Note: When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network based on the MAC address of the client they use Fast Transition is 802.11r, not 802.11w. Therefore "Set PMF to Required" is the best choice.

Question 2 Refer to the exhibit. What is the effect of this configuration? A. The switch port interface trust state becomes untrusted B. The switch port remains administratively down until the interface is connected to another switch C. Dynamic ARP inspection is disabled because the ARP ACL is missing D. The switch port remains down until it is configured to trust or untrust incoming packets

A Explanation Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. After enabling DAI, all ports become untrusted ports.

Question 3 What is a difference between local AP mode and FlexConnet AP mode? A. Local AP mode creates two CAPWAP tunnels per AP to the WLC B. FlexConnect AP mode fails to function if me AP loses connectivity with the WLC C. FlexConnect AP mode bridges the traffic from the AP to the WLC when local switching is configured D. Local AP mode causes the AP to behave as if it were an autonomous AP

A Explanation In Central Switched (Local) mode, an AP creates two CAPWAP tunnels to the Wireless Controller. One tunnel is used for forwarding data traffic and the other is used for forwarding the management traffic.

Question 32 After a recent security breach and a RADIUS failure, an engineer must secure the console port of each enterprise router with a local username and password. Which configuration must the engineer apply to accomplish this task? A. aaa new-model aaa authorization exec default local aaa authentication login default radius username localuser privilege 15 secret plaintextpassword B. username localuser secret plaintextpassword line con 0 login authentication default privilege level 15 C. username localuser secret plaintextpassword line con 0 no login local privilege level 15 D. aaa new-model line con 0 password plaintextpassword privilege level 15

A Explanation In fact there is no correct answer for this question, but we had to choose one best answer. Security Questions January 12th, 2021Go to comments Premium Member: You can test your knowledge with these questions first via this link (via HTML).

Question 9 What is a recommended approach to avoid co-channel congestion while installing access points that use the 2.4 GHz frequency? A. different nonoverlapping channels B. one nonoverlapping channel C. one overlapping channel D. different overlapping channels

A Explanation In the 2.4 GHz band, 1, 6, and 11 are the only non-overlapping channels so they should be chosen while installing APs.

Question 54 Refer to the exhibit. A network engineer is configuring a WLAN to connect with the 172.16.10.0/24 network on VLAN 20. The engineer wants to limit the number of devices that connect to the WLAN on the USERWL SSID to 125. Which configuration must the engineer perform on the WLC? A. In the WLAN configuration, set the Maximum Allowed Clients value to 125. B. In the Advanced configuration, set the DTIM value to 125. C. In the Controller IPv6 configuration, set the Throttle value to 125. D. In the Management Software activation configuration, set the Clients value to 125.

A Explanation In the example below, we can limit the number of clients that can access in a WLAN to 50 with the "Maximum Allowed Clients" field: Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan- controllers/113303-restrict-wlan-clients-00.html Note: DTIM stands for Delivery traffic indication map or message. It is basically an additional message added after the normal beacon broadcast by your router or access point.

Question 59 An engineer must configure R1 for a new user account. The account must meet these requirements: * It must be configured in the local database. * The username is engineer2 * It must use the strongest password configurable. Which command must the engineer configure on the router? A. R1(config)# username engineer2 algorithm-type scrypt secret test2021 B. R1(config)# username engineer2 secret 5 password $1$bUu$kZbBS1Pyh4QzwXyZ C. R1(config)# username engineer2 privilege 1 password 7 test2021 D. R1(config)# username engineer2 secret 4 $1Sb1Ju$kZbBSlFyh4QxwXyZ

A Explanation Secret type 4 was determined to have a flaw and was removed in later versions of iOS. Type 4 Passwords should never be used! Secret type 5 uses MD5 which is not secured. Secret type 9 - Scrypt and PBKDF2 (which can be used with "algorithm-type sha256", but it is just a small part of a much larger crypto algorithm) are much slower to compute and take longer to brute force. Currently it is the strongest password configurable in Cisco devices.

Question 11 Which device tracks the state of active connections in order to make a decision to forward a packet through? A. firewall B. wireless access point C. router D. wireless LAN controller

A Explanation Stateful inspection firewalls keep track of connection status. Ports can be dynamically opened and closed if necessary for completing a transaction. For example, when you make a connection to a server using HTTP, the server will initiate a new connection back to your system on a random port. A stateful inspection firewall will automatically open a port for this return connection.

Question 72 An administrator must use the password complexity not manufacturer-name command to prevent users from adding "cisco" as a password. Which command must be issued before this command? A. Password complexity enable B. confreg 0x2142 C. login authentication my-auth-list D. service password-encryption

A Explanation Step 3. (Optional) To enable the password complexity settings on the switch, enter the following: SG350X(config)#passwords complexity enable Reference: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300- series-managed-switches/smb5563-configure-password-settings-on-a-switch-through-the- command.html

Question 24 An engineer has configured the domain name, user name, and password on the local router. What is the next step to complete the configuration for a Secure Shell access RSA key? A. crypto key generate rsa B. crypto key pubkey-chain rsa C. crypto key import rsa pem D. crypto key zeroize rsa

A Explanation Steps to configure SSH: 1. Configure the router hostname using command "hostname". 2. Configure the domain name using command "ip domain-name". 3. Generate public and private keys using command "crypto key generate rsa". 4. Create a user in the local database using command "username...secret". 5. Allow only SSH access on VTY lines using command "transport input ssh". Reference: https://ipwithease.com/how-to-configure-ssh-version-2-on-cisco-router/

Question 9 The service password-encryption command is entered on a router. What is the effect of this configuration? A. restricts unauthorized users from viewing clear-text passwords in the running configuration B. prevents network administrators from configuring clear-text passwords C. protects the VLAN database from unauthorized PC connections on the switch D. encrypts the password exchange when a VPN tunnel is established

A Explanation The service password-encryption command will encrypt all current and future passwords so any password existed in the configuration will be encrypted.

Question 28 Refer to the exhibit. Option A ip access-list standard 99 permit 10.100.100.0 0.0.0.255 deny 192.168.0.0 0.0.255.255 Option B ip access-list standard 99 permit 10.100.100.0 0.0.0.255 deny 192.168.0.0 0.255.255.255 Option C Option D ip access-list standard 100 ip access-list standard 199 permit 10.100.100.0 permit 10.100.100.0 0.0.0.255 0.0.0.255 deny 192.168.0.0 deny 192.168.0.0 0.255.255.255 0.0.255.255 An access list is required to permit traffic from any host on interface G0/0 and deny traffic from interface Gi0/1. Which access list must be applied? A. Option A B. Option B C. Option C D. Option D

A Explanation The standard access lists are ranged from 1 to 99 and from 1300 to 1999 so only Option A & B are correct. The subnet on interface Gi0/1 is 192.168.0.0/16 so we have to use the ACL statement "deny 192.168.0.0 0.0.255.255"

Question 10 Which 802.11 frame type is association response? A. management B. protected frame C. control D. action

A Explanation There are three main types of 802.11 frames: the Data Frame, the Management Frame and the Control Frame. Association Response belongs to Management Frame. Association response is sent in response to an association request.

Question 77 A Cisco engineer is configuring a factory-default router with these three passwords: * The user EXEC password for console access is p4ssw0rd1. * The user EXEC password for Telnet access is s3cr3t2. * The password for privileged EXEC mode is priv4t3p4ss. Which command sequence must the engineer configure? Option A Option B enable secret priv4t3p4ss enable secret privilege 15 ! priv4t3p4ss line con 0 ! password p4ssw0rd1 line con 0 login password p4ssw0rdi ! login line vty 0 15 ! password s3cr3t2 line vty 0 15 login password s3cr3t2 login Option C Option D enable secret priv413p4ss ! line con 0 password login p4ssw0rd1 ! line vty 0 15 password login s3cr3t2 login enable secret priv4t3p4ss ! line con 0 password p4ssw0rd1 ! line vty 0 15 password s3cr3t2 A. Option A B. Option B C. Option C D. Option D

A Explanation There is no "enable secret privilege 15 ..." command. If we enter the "enable secret privilege 15 priv4t3p4ss" command then the text "privilege 15 priv4t3p4ss" will be used as password. In both console and vty line we should use the "login" command to enable password checking.

Question 24 How are VLAN hopping attacks mitigated? A. manually implement trunk ports and disable DTP B. configure extended VLANs C. activate all ports and place in the default VLAN D. enable dynamic ARP inspection

A Explanation VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging. a. Switch spoofing: The attacker can connect an unauthorized Cisco switch to a Company switch port. The unauthorized switch can send DTP frames and form a trunk with the Company Switch. If the attacker can establish a trunk link to the Company switch, it receives traffic to all VLANs through the trunk because all VLANs are allowed on a trunk by default. (Instead of using a Cisco Switch, the attacker can use a software to create and send DTP frames). To mitigate this type of attack, we can disable DTP.

Question 7 What is a practice that protects a network from VLAN hopping attacks? A. Change native VLAN to an unused VLAN ID B. Enable dynamic ARP inspection C. Configure an ACL to prevent traffic from changing VLANs D. Implement port security on internet-facing VLANs

A Explanation VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging. One of a popular type of VLAN Hopping is Double-Tagging attack: In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20). When the packet from the attacker reaches Switch A, Switch A only sees the first VLAN 10 and it matches with its native VLAN 10 so this VLAN tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with an tag of VLAN 20 so it removes this tag and forwards out to the Victim computer. Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker. In other words, this attack is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is, this attack is strictly one way as it is impossible to encapsulate the return packet. To mitigate this type of attack, we can use VLAN access control lists (VACLs, which applies to all traffic within a VLAN. We can use VACL to drop attacker traffic to specific victims/servers); or implement Private VLANs; or keep the native VLAN of all trunk ports different from user VLANs.

Question 3 How does WPA3 improve security? A. It uses SAE for authentication. B. It uses a 4-way handshake for authentication. C. It uses RC4 for encryption. D. It uses TKIP for encryption.

A Explanation WPA3 incorporates Simultaneous Authentication of Equals (SAE), a secure key establishment protocol between devices. By using a stronger 'handshaking' protocol, users should be protected from password guessing attempts. For home networks, that equates to password-based authentication that's more resilient, even if users choose unsophisticated passwords.

Question 49 Which function is performed by DHCP snooping? A. rate-limits certain traffic B. listens to multicast traffic for packet forwarding C. provides DDoS mitigation D. propagates VLAN information between switches

A Explanation We can use the command "ip dhcp snooping limit rate" to set the number of DHCP request that can be received in a second.

Question 36 Refer to the exhibit. The DHCP server and clients are connected to the same switch. What is the next step to complete the DHCP configuration to allow clients on VLAN 1 to receive addresses from the DHCP server? A. Configure the ip dhcp snooping trust command on the interface that is connected to the DHCP server B. Configure the ip dhcp relay information option command on the interface that is connected to the DHCP server C. Configure the ip dhcp relay information option command on the interface that is connected to the DHCP client D. Configure the ip dhcp snooping trust command on the interface that is connected to the DHCP client

A Explanation We see from the output of the "show ip dhcp snooping statistics detail" command the packets "received on untrusted ports = 32" so maybe the interface connected to DHCP Server is configured untrusted port. Therefore we have to configure the "ip dhcp snooping trust" command on this interface.

Question 9 Which feature on the Cisco Wireless LAN Controller when enabled restricts management access from specific networks? A. CPU ACL B. TACACS C. Flex ACL D. RADIUS

A Explanation Whenever you want to control which devices can talk to the main CPU, a CPU ACL is used. Note: CPU ACLs only filter traffic towards the CPU, and not any traffic exiting or generated by the CPU. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan- controllers/109669-secure-wlc.html

Question 10 What are two characteristics of an SSID? (Choose two) A. It can be hidden or broadcast in a WLAN B. It uniquely identifies an access point in a WLAN C. It uniquely identifies a client in a WLAN D. It is at most 32 characters long E. It provides secured access to a WLAN

A D Explanation The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. The SSID can consist of up to 32 alphanumeric, case-sensitive, characters. We can hide a SSID by choosing "Disabled" in the Basic Wireless Settings/Wireless/SSID Broadcast section.

Question 13 Refer to the exhibit. A network administrator has been tasked with securing VTY access to a router. Which access-list entry accomplishes this task? A. access-list 101 permit tcp 10.1.10.0 0.0.0.255 172.16.10.0 0.0.0.255 eq ssh B. access-list 101 permit tcp 10.11.0.0 0.0.0.255 172.16.10.0 0.0.0.255 eq scp C. access-list 101 permit tcp 10.11.0.0 0.0.0.255 172.16.10.0 0.0.0.255 eq telnet D. access-list 101 permit tcp 10.1.10.0 0.0.0.255 172.16.10.0 0.0.0.255 eq https

A (?) Explanation Maybe there is something wrong with this question.

Question 4 Which two must be met before SSH can operate normally on a Cisco IOS switch? (Choose two) A. The switch must be running a k9 (crypto) IOS image B. The ip domain-name command must be configured on the switch C. IP routing must be enabled on the switch D. A console password must be configured on the switch E. Telnet must be disabled on the switch

A B

Question 102 Which two wireless security standards use Counter Mode Cipher Block Chaining Message Authentication Code Protocol for encryption and data integrity? (Choose two) A. WPA2 B. WPA3 C. WEP D. WPA E. Wi-Fi 6

A B Explanation WPA2 mandates the use of a new protocol, counter mode with cipher-block chaining message authentication protocol (CCMP). CCMP uses the AES block cipher, replacing the RC4 cipher used in wired equivalent privacy (WEP) and temporal key integrity protocol (TKIP). CCMP is a security protocol. It follows carefully designed steps that include the use of the AES specified algorithm to encrypt sensitive data. CCMP-128 (AES-128 in CCM mode) is used as the minimum encryption algorithm in WPA3- Personal mode.

Question 6 What are two recommendations for protecting network ports from being exploited when located in an office space outside of an IT closet? (Choose two) A. shut down unused ports B. enable the PortFast feature on ports C. implement port-based authentication D. configure ports to a fixed speed E. configure static ARP entries

A C

Question 30 Which two protocols must be disabled to increase security for management connections to a Wireless LAN Controller? (Choose two) A. Telnet B. SSH C. HTTP D. HTTPS E. TFTP

A C Explanation We can connect to Cisco WLC via HTTP/HTTPS and SSH/Telnet so in order to increase security we must disable HTTP and Telnet which are unsecured protocols.

Question 6 Refer to the exhibit. Which two configurations would be used to create and apply a standard access list on R1, so that only the 10.0.70.0/25 network devices are allowed to access the internal database server? (Choose two) A. R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip access-group 5 out B. R1(config)# access-list 5 permit 10.0.54.0 0.0.1.255 C. R1(config)# interface Serial0/0/0 R1(config-if)# ip access-group 5 in D. R1(config)# access-list 5 permit 10.0.70.0 0.0.0.127 E. R1(config)# access-list 5 permit any

A D

Question 97 Which characteristic differentiates the concept of authentication from authorization and accounting? A. user-activity logging (accounting) B. service limitations (authorization) C. consumption-based billing D. identity verification

A chọn lại D

Question 62 Which two functions does a WLC perform in the lightweight access-point architecture that an AP performs independently in an autonomous architecture? (Choose two) A. handling the association, authentication, and roaming of wireless clients B. encrypting and decrypting traffic that uses the WAP protocol family C. preventing collisions between wireless clients on the same RF channel D. managing RF channels, including transmission power E. sending and processing beacon frames

A D Explanation This question asks what the WLC can do for the AP or which functions are moved from AP to WLC in lightweight access-point architecture. The wireless clients encrypt and decrypt the traffic, not the AP -> Answer B is not correct. The wireless clients also run CSMA/CA to prevent collisions between them, not the AP -> Answer C is not correct. With wireless networking, we have real-time and management functions. The AP should handle real-time functions, but everything that is not delay-sensitive can do from a central location. We separate the following management and real-time functions of the AP: + Management functions: ++ Client authentication (-> Answer A is correct) ++ Security management ++ Association and reassociation (roaming) ++ Quality of Service (QoS) + Real-time functions: ++ Transmission of 802.11 frames ++ MAC management ++ Encryption Since these functions are not real-time, we can move them to a central point, the WLC. We take away some of the intelligence of the AP, which is why we call them lightweight APs (LAP). We move this intelligence to the WLC. Reference: https://networklessons.com/cisco/ccna-200-301/cisco-wireless-network-architectures Radio Resource Management (RRM) allows the controller to dynamically control power and channel assignment of APs -> Answer D is correct. Reference: https://what-when-how.com/deploying-and-troubleshooting-cisco-wireless-lan- controllers/lightweight-compared-to-traditional-autonomous-aps-cisco-wireless-lan-controllers/

Question 87 Refer to the exhibit. A guest WLAN must be created that prompts the client for a username and password on the local web page of the WLC. Which two actions must be performed on the Layer 2 tab before enabling the Authentication option on the Layer 3 tab? (Choose two) A. Uncheck the MAC Filtering option check box. B. Set the Security Type option to Personal. C. Change the WPA Encryption option from TKIP to CCMP128(AES). D. Set the Layer 2 Security option to None. E. Uncheck the WPA Policy option check box, and check the WPA2 Policy option check box.

A D Explanation We want to use Layer 3 authentication so we should disable Layer 2 authentication (by setting it to "None"). Reference: https://www.youtube.com/watch?v=6VlPjRdLSsY Also disable "MAC Filtering" as it is not supported with FlexConnect Local Authentication.

Question 74 Which two practices are recommended for an acceptable security posture in a network? (Choose two) A. Maintain network equipment in a secure location B. Backup device configurations to encrypted USB drives for secure retrieval C. Use a cryptographic keychain to authenticate to network devices D. Place internal email and file servers in a designated DMZ E. Disable unused or unnecessary ports, interfaces and services

A E

Question 73 A network engineer is replacing the switches that belong to a managed-services client with new Cisco Catalyst switches. The new switches will be configured for updated security standards, including replacing Telnet services with encrypted connections and doubling the modulus size from 1024. Which two commands must the engineer configure on the new switches? (Choose two) A. transport input ssh B. transport input all C. crypto key generate rsa general-keys modulus 1024 D. crypto key generate rsa usage-keys E. crypto key generate rsa modulus 2048

A E Explanation The command "crypto key generate rsa modulus 2048" generate a 2048 bit RSA key pair (doubling the modulus size from 1024).

Question 11 When configuring a WLAN with WPA2 PSK in the Cisco Wireless LAN Controller GUI, which two formats are available to select? (Choose two) A. ASCII B. base64 C. binary D. decimal E. hexadecimal

A E Explanation When configuring a WLAN with WPA2 Preshared Key (PSK), we can choose the encryption key format as either ASCII or HEX. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config- guide/b_wl_16_10_cg/multi-preshared-key.pdf

Question 3 A port security violation has occurred on a switch port due to the maximum MAC address count being exceeded. Which command must be configured to increment the security-violation count and forward an SNMP trap? A. switchport port-security violation access B. switchport port-security violation restrict C. switchport port-security violation protect D. switchport port-security violation shutdown

B

Question 31 What is a zero-day exploit? A. It is when an attacker inserts malicious code into a SQL server. B. It is when a new network vulnerability is discovered before a fix is available. C. It is when the perpetrator inserts itself in a conversation between two parties and captures or alters data. D. It is when the network is saturated with malicious traffic that overloads resources and bandwidth.

B

Question 59 Refer to the exhibit. An engineer must configure the interface that connects to PC1 and secure it in a way that only PC1 is allowed to use the port. No VLAN tagging can be used except for a voice VLAN. Which command sequence must be entered to configure the switch? A. SW1(config-if)#switchport mode nonegotiate SW1(config-if)#switchport port-security SW1(config-if)#switchport port-security maximum 1 B. SW1(config-if)#switchport mode access SW1(config-if)#switchport port-security SW1(config-if)#switchport port-security mac-address 0050.7966.6800 C. SW1(config-if)#switchport mode dynamic desirable SW1(config-if)#switchport port-security mac-address 0050.7966.6800 SW1 (config-if)#switchport port-security mac-address sticky D. SW1(config-if)#switchport mode dynamic auto SW1(config-if)#switchport port-security SW1(config-if)#switchport port-security violation restrict

B

Question 6 How do AAA operations compare regarding user identification, user services and access control? A. Authorization provides access control and authentication tracks user services B. Authentication identifies users and accounting tracks user services C. Accounting tracks user services, and authentication provides access control D. Authorization identifies users and authentication provides access control

B

Question 7 Which command prevents passwords from being stored in the configuration as plaintext on a router or switch? A. enable secret B. service password-encryption C. username Cisco password encrypt D. enable password

B

Question 2 A network administrator must to configure SSH for remote access to router R1. The requirement is to use a public and private key pair to encrypt management traffic to and from the connecting client. Which configuration, when applied, meets the requirements? A. R1#enable R1#configure terminal R1(config)#ip domain-name cisco.com R1(config)#crypto key generate ec keysize 1024 B. R1#enable R1#configure terminal R1(config)#ip domain-name cisco.com R1(config)#crypto key generate rsa modulus 1024 C. R1#enable R1#configure terminal R1(config)#ip domain-name cisco.com R1(config)#crypto key generate ec keysize 2048 D. R1#enable R1#configure terminal R1(config)#ip domain-name cisco.com R1(config)#crypto key encrypt rsa name myKey A. Option A B. Option B C. Option C D. Option D

B Explanation Both RSA, elliptic curve cryptography (ECC) are asymmetrical encryption so it satisfies the requirement of this question (to use a public and private key pair). Asymmetrical encryption is different from symmetrical encryption in that to send data in a single direction, two associated keys are needed. One of these keys is known as the private key, while the other is called the public key. To generate an Elliptic Curve (EC) key pair, use the crypto key generate ec keysize command in global configuration mode. crypto key generate ec keysize {256 | 384} [exportable] [label key-label] Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr- c4.html -> EC only supports 256 or 384 bit key size -> Answer A and answer C are not correct. The command "crypto key generate rsa modulus 1024" generate a 1024 bit RSA key pair. Although 1024-bit or smaller key pair should not be used but it is the only correct answer in this question. Note: The command "crypto key encrypt rsa name ..." is used to encrypt the RSA key.

Question 6 Which mode allows access points to be managed by Cisco Wireless LAN Controllers? A. autonomous B. lightweight C. bridge D. mobility express

B Explanation A Lightweight Access Point (LAP) is an AP that is designed to be connected to a wireless LAN (WLAN) controller (WLC). APs are "lightweight," which means that they cannot act independently of a wireless LAN controller (WLC). The WLC manages the AP configurations and firmware. The APs are "zero touch" deployed, and individual configuration of APs is not necessary. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-1200-series/70278-lap- faq.html

Question 95 Which security method is used to prevent man-in-the-middle attack? A. authorization B. authentication C. anti-replay D. accounting

B Explanation A good way to prevent man-in-the-middle attack is using multifactor authentication across the board, as it adds an additional layer of security to online communications.

Question 60 An engineer is installing a new wireless printer with a static IP address on the Wi-Fi network. Which feature must be enabled and configured to prevent connection issues with the printer? A. passive client B. static IP tunneling C. DHCP address assignment D. client exclusion

B Explanation At times you may want to configure static IP addresses for wireless clients. When these wireless clients move about in a network, they could try associating with other controllers. If the clients try to associate with a controller that does not support the same subnet as static IP, the clients fail to connect to the network. With WLC 7.0.116.0 you can enable dynamic tunneling of clients with static IP addresses. Reference: https://mrncciew.com/2013/03/25/static-ip-clients-mobility/

Question 3 Which QoS Profile is selected in the GUI when configuring a voice over WLAN deployment? A. Bronze B. Platinum C. Silver D. Gold

B Explanation Cisco Unified Wireless Network solution WLANs support four levels of QoS: Platinum/Voice, Gold/Video, Silver/Best Effort (default), and Bronze/Background. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7- 4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0 1010111.html

Question 8 An administrator must secure the WLC from receiving spoofed association requests. Which steps must be taken to configure the WLC to restrict the requests and force the user to wait 10 ms to retry an association request? A. Enable Security Association Teardown Protection and set the SA Query timeout to 10 B. Enable the Protected Management Frame service and set the Comeback timer to 10 C. Enable 802.1x Layer 2 security and set the Comeback timer to 10 D. Enable MAC filtering and set the SA Query timeout to 10

B Explanation Comeback timer specifies the time which an associated client must wait before the association can be tried again when first denied with a status code 30. SA query timeout specifies the amount of time the WLC waits for a response from the client for the query process. Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan- wlan/212576-configure-802-11w-management-frame-prote.html Note: We can use either 802.1x or PSK as the authentication key management method so answer C is not correct.

Question 13 After installing a new Cisco ISE server, which task must the engineer perform on the Cisco WLC to connect wireless clients on a specific VLAN based on their credentials? A. Enable the Authorized MIC APs against auth-list or AAA. B. Enable the allow AAA Override C. Disable the LAG Mode or Next Reboot. D. Enable the Event Driven RRM.

B Explanation Dynamic VLAN assignment is one such feature that places a wireless user into a specific VLAN based on the credentials supplied by the user. This task of assigning users to a specific VLAN is handled by a RADIUS authentication server, such as Cisco ISE. This can be used, for example, to allow the wireless host to remain on the same VLAN as it moves within a campus network. ... In order to accomplish dynamic VLAN assignment with WLCs based on ISE to AD group mapping, these steps must be performed: + ISE to AD integration and configuration of authentication and authorization policies for users on ISE + WLC configuration to support dot1x authentication and AAA override for SSID 'office_hq' + End client supplicant configuration Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan- controllers/99121-vlan-acs-ad-config.html

Question 50 Refer to the exhibit. An architect is managing a wireless network with APs from several branch offices connecting to the WLC in the data center. There is a new requirement for a single WLAN to process the client data traffic without sending it to the WLC. Which action must be taken to complete the request? A. Enable local HTTP profiling B. Enable FlexConnect Local Switching C. Enable local DHCP Profiling D. Enable Disassociation Imminent

B Explanation FlexConnect AP can perform standalone client authentication and switch VLAN traffic locally even when it's disconnected to the WLC (Local Switching)

Question 89 Which IPsec transport mode encrypts the IP header and the payload? A. pipe B. tunnel C. control D. transport

B Explanation In tunnel mode, the entire original IP packet is encapsulated to become the payload of a new IP packet. Additionally, a new IP header is added on top of the original IP packet. The main difference in transport mode is that it retains the original IP header. In other words, payload data transmitted within the original IP packet is protected, but not the IP header. Reference: https://www.twingate.com/blog/ipsec-tunnel-mode/

Question 1 Refer to the exhibit. A network engineer must block access for all computers on VLAN 20 to the web server via HTTP. All other computers must be able to access the web server. Which configuration when applied to switch A accomplishes this task? A. config t ip access-list extended wwwblock deny tcp any host 10.30.0.100 eq 80 int vlan 100 ip access-group wwwblock in B. config t ip access-list extended wwwblock deny tcp any host 10.30.0.100 eq 80 permit ip any any int vlan 20 ip access-group wwwblock in C. config t ip access-list extended wwwblock permit ip any any deny tcp any host 10.30.0.100 eq 80 int vlan 30 ip access-group wwwblock in D. config t ip access-list extended wwwblock deny tcp any host 10.30.0.100 eq 80 int vlan 20 ip access-group wwwblock in

B Explanation The "deny tcp any host 10.30.0.100 eq 80" command means "block all (any) traffic from accessing web server at 10.30.0.100 on port 80". And since it is applied to VLAN 20 interface so only computers on VLAN 20 are affected. In summary, just notice that 10.30.0.100 here is the destination IP address, not source address. Note: The traffic flow from hosts in VLAN 20 to the Web Server is: host in VLAN 20 -> Interface VLAN 20 -> Interface VLAN 30 -> Web Server. If we place the ACL: host in VLAN 20 -> (ACL Inbound) Interface VLAN 20 -> Interface VLAN 30 -> Web Server. Therefore the ACL can block traffic from VLAN 20.

Question 129 Which value is the unique identifier that an access point uses to establish and maintain wireless connectivity to wireless network devices? A. VLANID B. SSID C. RFID D. WLANID

B Explanation The SSID is a unique identifier that wireless networking devices use to establish and maintain wireless connectivity. Multiple access points on a network or subnetwork can use the same SSIDs. SSIDs are case sensitive and can contain up to 32 alphanumeric characters.

Question 61 Which interface or port on the WLC is the default for in-band device administration and communications between the controller and access points? A. virtual interface B. management interface C. console port D. service port

B Explanation The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. It is also used for communications between the controller and access points, for all CAPWAP or intercontroller mobility messaging and tunneling traffic. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7- 4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0 10011011.html

Question 53 What is an advantage of using auto mode versus static mode for power allocation when an access point is connected to a PoE switch port? A. The default level is used for the access point B. It detects the device is a powered device C. All four pairs of the cable are used D. Power policing is enabled at the same time

B Explanation The switch supports these PoE modes: auto - The switch automatically detects if the connected device requires power. If the switch discovers a powered device connected to the port and if the switch has enough power, it grants power, updates the power budget, turns on power to the port on a first-come, first-served basis, and updates the LEDs... Reference: https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0 _se/multibook/configuration_guide/b_consolidated_config_guide_3850_chapter_011010.html

Question 6 Which set of action satisfy the requirement for multi-factor authentication? A. The user swipes a key fob, then clicks through an email link B. The user enters a user name and password, and then clicks a notification in an authentication app on a mobile device C. The user enters a PIN into an RSA token, and then enters the displayed RSA key on a login screen D. The user enters a user name and password and then re-enters the credentials on a second screen

B Explanation This is an example of how two-factor authentication (2FA) works: 1. The user logs in to the website or service with their username and password. 2. The password is validated by an authentication server and, if correct, the user becomes eligible for the second factor. 3. The authentication server sends a unique code to the user's second-factor method (such as a smartphone app). 4. The user confirms their identity by providing the additional authentication for their second- factor method.

Question 77 A network administrator plans an update to the Wi-Fi networks in multiple branch offices. Each location is configured with an SSID called "Office". The administrator wants every user who connects to the SSID at any location to have the same access level. What must be set the same on each network to meet the requirement? A. radio policy B. security policies C. NAS-ID configuration D. profile name

B Explanation Two identically named SSIDs with the same password will allow your device to connect to either, without having to add any extra networks on your devices. But make sure to configure them with the same security policies. Note: Four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, WLAN Authentication and Privacy Infrastructure (WAPI)

Question 15 Which cipher is supported for wireless encryption only with the WPA2 standard? A. AES256 B. AES C. RC4 D. SHA

B Explanation Unlike WEP and WPA, WPA2 uses the AES standard instead of the Rivest Cipher 4 (RC4) stream cipher. WPA3-Enterprice mode uses AES-256 in GCM mode. SHA stands for Secure Hash Algorithm while AES stands for Advanced Encryption Standard. So SHA is a suite of hashing algorithms. It is not a cipher which is used to encrypt.

Question 4 When a WPA2-PSK WLAN is configured in the Wireless LAN Controller, what is the minimum number of characters that is required in ASCII format? A. 6 B. 8 C. 12 D. 18

B Explanation WPA/WPA2 preshared keys must contain 8 to 63 ASCII text characters or 64 hexadecimal characters. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7- 4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0 1010001.html

Question 46 Which wireless security protocol relies on Perfect Forward Secrecy? A. WPA B. WPA3 C. WPA2 D. WEP

B Explanation WPA3 (Wi-Fi Protected Access 3) is the newest wireless security protocol designed to encrypt data using a frequent and automatic encryption type called Perfect Forward Secrecy. It's more secure than its predecessor, WPA2, but it hasn't been widely adopted yet. Not all hardware supports WPA3 automatically, and using this protocol often requires costly upgrades. Reference: https://www.avast.com/c-wep-vs-wpa-or-wpa2

Question 69 An engineer is configuring remote access to a router from IP subnet 10.139.58.0/28. The domain name, crypto keys, and SSH have been configured. Which configuration enables the traffic on the destination router? A. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.252 ip access-group 10 in ! ip access-list standard 10 permit udp 10.139.58.0 0.0.0.7 host 10.122.49.1 eq 22 B. line vty 0 15 access-class 120 in ! ip access-list extended 120 permit tcp 10.139.58.0 0.0.0.15 any eq 22 C. line vty 0 15 access-group 120 in ! ip access-list extended 120 permit tcp 10.139.58.0 0.0.0.15 any eq 22 D. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.252 ip access-group 110 in ! ip access-list standard 110 permit tcp 10.139.58.0 0.0.0.15 eq 22 host 10.122.49.1

B Explanation When applying access-list to line vty we must use "access-class", not "access-group". Subnet 10.139.58.0/28 converts to wildcard mask is 10.139.58.0 0.0.0.15. And we have to use port 22 as the destination port.

Question 8 Which protocol prompts the Wireless LAN Controller to generate its own local web administration SSL certificate for GUI access? A. HTTP B. HTTPS C. TACACS+ D. RADIUS

B Explanation When you enable HTTPS, the controller generates its own local web administration SSL certificate and automatically applies it to the GUI. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration- guide/b_cg80/b_cg80_chapter_011.html

Question 57 What is a requirement when configuring or removing LAG on a WLC? A. The incoming and outgoing ports for traffic flow must be specified if LAG is enabled. B. The controller must be rebooted after enabling or reconfiguring LAG. C. The management interface must be reassigned if LAG is disabled. D. Multiple untagged interfaces on the same port must be supported.

B Explanation When you enable LAG or make any changes to the LAG configuration, you must immediately reboot the controller. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7- 4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0 10100001.html

Question 2 An engineer is asked to protect unused ports that are configured in the default VLAN on a switch. Which two steps will fulfill the request? (Choose two) A. Configure the ports in an EtherChannel B. Administratively shut down the ports C. Configure the port type as access and place in VLAN 99 D. Configure the ports as trunk ports E. Enable the Cisco Discovery Protocol

B C

Question 2 Refer to the exhibit. An extended ACL has been configured and applied to router R2. The configuration failed to work as intended. Which two changes stop outbound traffic on TCP ports 25 and 80 to 10.0.20.0/26 from the 10.0.10.0/26 subnet while still allowing all other traffic? (Choose two) A. Add a "permit ip any any" statement to the beginning of ACL 101 for allowed traffic B. Add a "permit ip any any" statement at the end of ACL 101 for allowed traffic C. The source and destination IPs must be swapped in ACL 101 D. The ACL must be configured the Gi0/2 interface inbound on R1 E. The ACL must be moved to the Gi0/1 interface outbound on R2

B C

Question 3 While examining excessive traffic on the network, it is noted that all incoming packets on an interface appear to be allowed even though an IPv4 ACL is applied to the interface. Which two misconfigurations cause this behavior? (Choose two) A. The packets fail to match any permit statement => Deny B. A matching permit statement is too high in the access list C. A matching permit statement is too broadly defined D. The ACL is empty => Deny E. A matching deny statement is too high in the access list => Deny

B C Explanation If we have a matching permit statement too high in the access list then it will be matched first before we can deny it. If a matching permit statement is too broadly defined (for example if we only want to permit TCP traffic then we should not permit "ip" traffic, which includes both TCP and UDP).

Question 38 What are two examples of multifactor authentication? (Choose two) A. single sign-on B. unique user knowledge C. passwords that expire D. soft tokens E. shared password responsibility

B D Explanation A multi-factor authentication example of something the user knows could include: Passwords. PIN (or personal identification numbers). Answers to supposedly secret questions (such as "Where were you born?" or "The name of your first-grade teacher.")

Question 82 SIP-based Call Admission Control must be configured in the Cisco WLC GUI. SIP call-snooping ports are configured. Which two actions must be completed next? (Choose two) A. Set the QoS level to silver or greater for voice traffic B. Enable Media Session Snooping on the WLAN C. Configure two different QoS roles for data and voice traffic D. Set the QoS level to platinum for voice traffic E. Enable traffic shaping for the LAN interface of the WLC

B D Explanation Configuring SIP-Based CAC (CLI) Procedure Step 1 Set the voice to the platinum QoS level Step 2 Enable the call-snooping feature for a particular WLAN ... Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config- guide/b_cg810/wireless_quality_of_service.html

Question 75 Refer to the exhibit. <exhibit missing> What are the two steps an engineer must take to provide the highest encryption and authentication using domain credentials from LDAP? (Choose two) A. Select WPA policy with TKIP Encryption B. Select WPA + WPA2 on layer 2 security C. Select PSK under authentication key management D. Select Static-WEP + 802.1x on Layer 2 security E. Select 802.1x from under authentication key management

B E

Question 90 Refer to the exhibit. Which two commands must be added to update the configuration of router R1 so that it accepts only encrypted connections? (Choose two) A. username CNAC secret R!41!4319115@ B. crypto key generate rsa 1024 C. ip ssh version 2 D. line vty 0 4 E. transport input ssh

B E

Question 42 Refer to the exhibit. A network engineer started to configure port security on a new switch. These requirements must be met: - MAC addresses must be learned dynamically. - Log messages must be generated without disabling the interface when unwanted traffic is seen. Which two commands must be configured to complete this task? (Choose two) A. SW(config-if)#switchport port-security mac-address 0010.7B84.45E6 B. SW(config-if)#switchport port-security maximum 2 C. SW(config-if)#switchport port-security mac-address sticky D. SW(config-if)#switchport port-security violation shutdown E. SW(config-if)#switchport port-security violation restrict

B E Explanation The requirement said MAC addresses must be learned dynamically so we cannot assign a specific MAC address or use the "sticky" keyword -> Answer A and answer C are not correct. Also the requirement said "MAC addresses" in plural so we set the maximum to 2 -> Answer B is correct. "Log messages must be generated without disabling the interface" -> use "restrict" keyword for violation, not "shutdown" keyword -> Answer E is correct. Note: You can configure the interface for one of these violation modes, based on the action to be taken if a violation occurs: + Restrict - A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. + Shutdown - A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure_violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. This is the default mode.

Question 69 Refer to the exhibit. Local access for R4 must be established and these requirements must be met: - Only Telnet access is allowed. - The enable password must be stored securely. - The enable password must be applied in plain text - Full access to R4 must be permitted upon successful login Which configuration script meets the requirements? Option A ! conf t ! username test1 password testpass1 enable password level 1 7 Test123 ! line vty 0 15 accounting exec default transport input all Option B conf t ! username test1 password testpass1 enable secret level 15 0 Test123 ! line vty 0 15 login local transport input telnet Option C ! config t ! username test1 password testpass1 enable secret level 1 0 Test123 ! line vty 0 15 login authentication password Test123 transport input telnet Option D ! config t ! username test1 password testpass1 enable password level 15 0 Test123 ! line vty 0 15 password Test123 transport input all A. Option A B. Option B C. Option C D. Option D

B Explanation "Only Telnet access is allowed" -> Only Option B and Option C are correct. In fact the "login authentication" command in Option C can only be used when AAA is enabled (with the command "aaa new-model"). And we cannot use the "login authentication" without specifying an authentication list: Therefore only option B is left. But in fact option B is not totally correct as "Full access to R4 must be permitted upon successful login" but in option B we have to type the secret password to have full access to R4 after logging in (with username "test1" and password "testpass1").

Question 30 What is recommended for the wireless infrastructure design of an organization? A. group access points together to increase throughput on a given channel B. configure the first three access points are configured to use channels 1, 6, and 11 C. include a least two access points on nonoverlapping channels to support load balancing D. assign physically adjacent access points to the same Wi-Fi channel

B Explanation The 2.4 GHz band is subdivided into multiple channels each allotted 22 MHz bandwidth and separated from the next channel by 5 MHz. -> A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non-overlapping channels such as 1, 6, and 11. If you use channels that overlap, RF interference can occur. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-340-series/8117- connectivity.html

Question 29 Which 802.11 frame type is indicated by a probe response after a client sends a probe request? A. action B. management C. control D. data

B Explanation There are three main types of 802.11 frames: the Data Frame, the Management Frame and the Control Frame. Association Response belongs to Management Frame. Association response is sent in response to an association request.

Question 130 A network engineer is configuring a switch so that it is remotely reachable via SSH. The engineer has already configured the host name on the router. Which additional command must the engineer configure before entering the command to generate the RSA key? A. password password B. crypto key generate rsa modulus 1024 C. ip domain-name domain D. ip ssh authentication-retries 2

B chọn lại là C

Question 66 Refer to the exhibit. A network engineer configures the Cisco WLC to authenticate local wireless clients against a RADIUS server. Which task must be performed to complete the process? A. Change the Server Status to Disabled B. Select Enable next to Management C. Select Enable next to Network User D. Change the Support for CoA to Enabled

B chọn lại là C Explanation Check the Management button in order to allow the RADIUS Server to authenticate users who login to the the WLC. Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71989- manage-wlc-users-radius.html

Question 4 Which design element is a best practice when deploying an 802.11b wireless infrastructure? A. disabling TPC so that access points can negotiate signal levels with their attached wireless devices. B. setting the maximum data rate to 54 Mbps on the Cisco Wireless LAN Controller C. allocating non overlapping channels to access points that are in close physical proximity to one another D. configuring access points to provide clients with a maximum of 5 Mbps

C

Question 5 What is a difference between RADIUS and TACACS+? A. RADIUS is most appropriate for dial authentication, but TACACS+ can be used for multiple types of authentication B. TACACS+ encrypts only password information and RADIUS encrypts the entire payload C. TACACS+ separates authentication and authorization, and RADIUS merges them D. RADIUS logs all commands that are entered by the administrator, but TACACS+ logs only start, stop, and interim commands

C

Question 7 What is a role of wireless controllers in an enterprise network? A. serve as the first line of defense in an enterprise network B. support standalone or controller-based architectures C. centralize the management of access points in an enterprise network D. provide secure user logins to devices on the network

C

Question 70 Which protocol is used for secure remote CLI access? A. HTTP B. Telnet C. SSH D. HTTPS

C

Question 71 Which action must be taken when password protection is implemented? A. Store passwords as contacts on a mobile device with single-factor authentication. B. Share passwords with senior IT management to ensure proper oversight. C. Include special characters and make passwords as long as allowed. D. Use less than eight characters in length when passwords are complex.

C DAI Questions

Question 122 Refer to the exhibit. Which minimum configuration items are needed to enable Secure Shell version 2 access to R15? A. Router(config)#hostname R15 R15(config)#crypto key generate rsa general-keys modulus 1024 R15(config-line)#line vty 0 15 R15(config-line)# transport input ssh R15(config)#ip ssh source-interface Fa0/0 R15(config)#ip ssh stricthostkeycheck B. Router(config)#ip domain-name cisco.com Router(config)#crypto key generate rsa general-keys modulus 1024 Router(config)#ip ssh version 2 Router(config-line)#line vty 0 15 Router(config-line)# transport input all Router(config)#ip ssh logging events C. Router(config)#hostname R15 R15(config)#ip domain-name cisco.com R15(config)#crypto key generate rsa general-keys modulus 1024 R15(config)#ip ssh version 2 R15(config-line)#line vty 0 15 R15(config-line)# transport input ssh D. Router(config)#crypto key generate rsa general-keys modulus 1024 Router(config)#ip ssh version 2 Router(config-line)#line vty 0 15 Router(config-line)# transport input ssh Router(config)#ip ssh logging events R15(config)#ip ssh stricthostkeycheck

C Explanation Steps to configure SSH: 1. Configure the router hostname using command "hostname". 2. Configure the domain name using command "ip domain-name". 3. Generate public and private keys using command "crypto key generate rsa". 4. Create a user in the local database using command "username...secret". 5. Allow only SSH access on VTY lines using command "transport input ssh". Reference: https://ipwithease.com/how-to-configure-ssh-version-2-on-cisco-router/

Question 5 When a site-to-site VPN is used, which protocol is responsible for the transport of user data? A. IKEv2 B. IKEv1 C. IPsec D. MD5

C Explanation A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. A site-to-site VPN means that two sites create a VPN tunnel by encrypting and sending data between two devices. One set of rules for creating a site-to-site VPN is defined by IPsec. In the topology above, Remote Campus sites can connect to the Main Campus through site-to-site VPNs.

Question 3 What is the primary difference between AAA authentication and authorization? A. Authentication verifies a username and password, and authorization handles the communication between the authentication agent and the user database B. Authentication identifies a user who is attempting to access a system, and authorization validates the users password C. Authentication identifies and verifies a user who is attempting to access a system, and authorization controls the tasks the user can perform D. Authentication controls the system processes a user can access and authorization logs 9ie activities the user initiates

C Explanation AAA stands for Authentication, Authorization and Accounting. + Authentication: Specify who you are (usually via login username & password) + Authorization: Specify what actions you can do, what resource you can access + Accounting: Monitor what you do, how long you do it (can be used for billing and auditing) An example of AAA is shown below: + Authentication: "I am a normal user. My username/password is user_tom/learnforever" + Authorization: "user_tom can access LearnCCNA server via HTTP and FTP" + Accounting: "user_tom accessed LearnCCNA server for 2 hours". This user only uses "show" commands.

Question 2 Refer to the exhibit. Which port security violation mode is configured on interface Fa0/1? A. protect B. shutdown VLAN C. shutdown D. restrict

C Explanation After the port security violation occurs, the Fa0/1 interface was shutdown so the port security is using "shutdown" mode.

Question 95 Which WLC management connection type is vulnerable to man-in-the-middle attacks? A. SSH B. HTTPS C. Telnet D. console

C Explanation As you know, telnet is insecure. By default, telnet is disabled on Cisco WLCs. So, if you want to use telnet, you must enable it.

Question 2 Which unified access point mode continues to serve wireless clients after losing connectivity to the Cisco Wireless LAN Controller? A. sniffer B. mesh C. flex connect D. local

C Explanation In previous releases, whenever a FlexConnect access point disassociates from a controller, it moves to the standalone mode. The clients that are centrally switched are disassociated. However, the FlexConnect access point continues to serve locally switched clients. When the FlexConnect access point rejoins the controller (or a standby controller), all clients are disconnected and are authenticated again. This functionality has been enhanced and the connection between the clients and the FlexConnect access points are maintained intact and the clients experience seamless connectivity. When both the access point and the controller have the same configuration, the connection between the clients and APs is maintained. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7- 4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0 10001101.html

Question 5 Using direct sequence spread spectrum, which three 2.4-GHz channels are used to limit collisions? A. 1,5,10 B. 1,2,3 C. 1,6,11 D. 5,6,7

C Explanation In the 2.4 GHz band, 1, 6, and 11 are the only non-overlapping channels.

Question 10 Which 802.11 management frame type is sent when a client roams between access points on the same SSID? A. Authentication Request B. Probe Request C. Reassociation Request D. Association Request

C Explanation Association request frame - (0x00) Sent from a wireless client, it enables the AP to allocate resources and synchronize. The frame carries information about the wireless connection including supported data rates and SSID of the network to the wireless client that wants to associate. If the request is accepted, the AP reserves memory and establishes an association ID for the device. Association response frame - (0x01) Sent from an AP to a wireless client containing the acceptance or rejection to an association request. If it is an acceptance, the frame contains information, such as an association ID and supported data rates. Reassociation request frame - (0x02) A device sends a reassociation request when it drops from range of the currently associated AP and finds another AP with a stronger signal. The new AP coordinates the forwarding of any information that may still be contained in the buffer of the previous AP. Reassociation response frame - (0x03) Sent from an AP containing the acceptance or rejection to a device reassociation request frame. The frame includes information required for association, such as the association ID and supported data rates. Probe request frame - (0x04) Sent from a wireless client when it requires information from another wireless client. Authentication frame - (0x0B) The sending device sends an authentication frame to the AP containing its identity. Reference: https://www.ii.pwr.edu.pl/~kano/course/module8/8.2.1.4/8.2.1.4.html

Question 34 Refer to the exhibit. Clients on the WLAN are required to use 802.11r. What action must be taken to meet the requirement? A. Enable CCKM under Authentication Key Management B. Under Protected Management Frames, set the PMF option to Required C. Set the Fast Transition option to Enable and enable FT 802.1X under Authentication Key Management D. Set the Fast Transition option and the WPA gtk-randomize State to disable

C Explanation Configuring 802.11r Fast Transition (GUI) Procedure Step 1 Choose WLANs to open the WLANs window. Step 2 Click a WLAN ID to open the WLANs > Edit window. Step 3 Choose Security > Layer 2 tab. Step 4 From the Layer 2 Security drop-down list, choose WPA+WPA2. The Authentication Key Management parameters for Fast Transition are displayed. Step 5 From the Fast Transition drop-down list, choose Fast Transition on the WLAN. Step 6 Check or uncheck the Over the DS check box to enable or disable Fast Transition over a distributed system. This option is available only if you enable Fast Transition or if Fast Transition is adaptive. To use 802.11r Fast Transition over-the-air and over-the-ds must be disabled. Step 7 In the Reassociation Timeout field, enter the number of seconds after which the reassociation attempt of a client to an AP should time out. The valid range is 1 to 100 seconds. Note: This option is available only if you enable Fast Transition. Step 8 Under Authentication Key Management, choose FT 802.1X or FT PSK. Reference: https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/80211r- ft/b-80211r-dg.html Fast BSS Transition (802.11r, often abbreviated to Fast Transition or FT) describes mechanisms by which a mobile device can reestablish existing security and/or QoS parameters prior to reassociating to a new AP. These mechanisms are referred to as "fast" because they seek to significantly reduce the length of time that connectivity is interrupted between a mobile device and Wi-Fi infrastructure when that mobile device is connecting to a new AP. Please note that the process of disconnecting from one AP and connecting to another AP is formally designated as a "BSS transition". Therefore, the protocols established by FT apply to mobile device transitions between APs only within the same mobility domain and within the same ESS (ESS transition is out of scope for FT) Reference: https://blogs.cisco.com/networking/what-is-802-11r-why-is-this-important

Question 58 What is a requirement for nonoverlapping WI-FI channels? A. different security settings B. different transmission speeds C. discontinuous frequency ranges D. unique SSIDs

C Explanation Each channel on the 2.4 GHz spectrum is 20 MHz wide. The channel centers are separated by 5 MHz, and the entire spectrum is only 100 MHz wide. This means the 11 channels have to squeeze into the 100 MHz available, and in the end, overlap. Channels 1, 6, and 11, however, are far enough from each other on the 2.4GHz band that they have sufficient space between their channel centers and do not overlap.

Question 47 What must be considered for a locally switched FlexConnect AP if the VLANs that are used by the AP and client access are different? A. The APs must be connected to the switch with multiple links in LAG mode. B. The native VLAN must match the management VLAN of the AP. C. The switch port mode must be set to trunk. D. IEEE 802.1Q trunking must be disabled on the switch port.

C Explanation FlexConnect VLANs and ACLs You can configure the LAN uplink interface of a FlexConnect AP as either an access port or as a trunk. If you configure the interface as an access port, then the AP's management traffic and all client traffic, whether centrally or locally switched, will be in the same VLAN. For security and reliability reasons, we recommend that you segregate the client traffic from the management VLAN, and so to configure the AP's switchport as a trunk, with separately tagged VLANs for locally switched client traffic. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config- guide/b_cg85/flexconnect.html Answer B is not correct as it should be "The native VLAN must match the native VLAN of the AP" (not the management VLAN).

Question 4 Refer to the exhibit. Which password must an engineer use to enter the enable mode? A. adminadmin123 B. default C. testing1234 D. cisco123

C Explanation If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password serves as the enable password for all VTY sessions -> The "enable secret" will be used first if available, then "enable password" and line password. Reference: https://www.cisco.com/c/en/us/td/docs/optical/cpt/r9_3/configuration/guide/cpt93_co nfiguration/cpt93_configuration_chapter_010000.pdf

Question 58 Refer to the exhibit. A network administrator is configuring a router for user access via SSH. The service-password encryption command has been issued. The configuration must meet these requirements: - Create the username as CCUser. - Create the password as NA!2$cc. - Encrypt the user password. What must be configured to meet the requirements? A. username CCUser password NA!2$cc enable password level 5 NA!2$cc B. username CCUser privilege 15 password NA!2$cc enable secret 0 NA!2$cc C. username CCUser secret NA!2$cc D. username CCUser privilege 10 password NA!2$cc

C Explanation In fact all other answers look good too, but answer C is the best choice as the password of the username is encrypted with highest security level

Question 6 Which type of port is used to connect to the wired network when an autonomous AP maps two VLANs to its WLANs? A. LAG B. EtherChannel C. trunk D. access

C Explanation In this example, we will configure the switch in our Autonomous AP deployment. First, we need to create Vlan 21, which is assigned to Corporate users, and Vlan 22, which is assigned to Guess users. Then we will configure the trunk interface between the AP and the switch to allow multiple Vlans to traverse the link. Reference: https://study-ccna.com/autonomous-ap-access-point-configuration/

Question 1 An engineer must configure a WLAN using the strongest encryption type for WPA2-PSK. Which cipher fulfills the configuration requirement? A. WEP B. RC4 C. AES D. TKIP

C Explanation Many routers provide WPA2-PSK (TKIP), WPA2-PSK (AES), and WPA2-PSK (TKIP/AES) as options. TKIP is actually an older encryption protocol introduced with WPA to replace the very-insecure WEP encryption at the time. TKIP is actually quite similar to WEP encryption. TKIP is no longer considered secure, and is now deprecated. In other words, you shouldn't be using it. AES is a more secure encryption protocol introduced with WPA2 and it is currently the strongest encryption type for WPA2-PSK.

Question 8 Refer to the exhibit. An administrator configures four switches for local authentication using passwords that are stored in a cryptographic hash. The four switches must also support SSH access for administrators to manage the network infrastructure. Which switch is configured correctly to meet these requirements? A. SW1 B. SW2 C. SW3 D. SW4

C Explanation The "login local" command instructs the device to use the username and password in its local database for authentication. The secret is encrypted when it is stored on the local router.

Question 23 Refer to the exhibit. Between which zones do wireless users expect to experience intermittent connectivity? A. between zones 1 and 2 B. between zones 2 and 5 C. between zones 3 and 4 D. between zones 3 and 6

C Explanation The 2.4 GHz band is subdivided into multiple channels each allotted 22 MHz bandwidth and separated from the next channel by 5 MHz. -> A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non-overlapping channels such as 1, 6, and 11. If you use channels that overlap, RF interference can occur. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-340-series/8117- connectivity.html If other Wi-Fi sources such as neighboring wireless access points are using the same wireless channel, this may cause intermittent connectivity issues. Reference: https://arris.secure.force.com/consumers/articles/General_FAQs/SBG8300- Troubleshooting-Intermittent-Wi-Fi-Connections/?l=en_US&fs=RelatedArticle In this question, both Zone 3 & Zone 4 use Channel 11 so interference can occur.

Question 48 Which command configures the Cisco WLC to prevent a serial session with the WLC CLI from being automatically logged out? A. config sessions maxsessions 0 B. config serial timeout 9600 C. config serial timeout 0 D. config sessions timeout 0

C Explanation The CLI automatically logs you out without saving any changes after 5 minutes of inactivity. You can set the automatic logout from 0 (never log out) to 160 minutes using the config serial timeout command. To prevent SSH or Telnet sessions from timing out, run the config sessions timeout 0 command. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration- guide/b_cg80/b_cg80_chapter_011.html This question asks about the serial session so the first command is the correct answer.

Question 8 Which technology can prevent client devices from arbitrarily connecting to the network without state remediation? A. MAC Authentication Bypass B. IP Source Guard C. 802.1x (PORT-BASED AUTHENTICATION) D. 802.11n

C Explanation The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated. The authentication server authenticates each client connected to a switch port before making available any services offered by the switch or the LAN. Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Question 84 Refer to the exhibit. A network administrator must permit traffic from the 10.10.0.0/24 subnet to the WAN on interface Serial0. What is the effect of the configuration as the administrator applies the command? A. The sourced traffic from IP range 10.0.0.0 - 10.0.0.255 is allowed on Serial0. B. The permit command fails and returns an error code. C. The router fails to apply the access list to the interface. D. The router accepts all incoming traffic to Serial0 with the last octet of the source IP set to 0.

C Explanation The last command is not correct. We must use the "ip access-group 10 in" command to apply this ACL to the interface. AAA Questions

Question 5 Refer to the exhibit. If the network environment is operating normally, which type of device must be connected to interface FastEthernet 0/1? A. DHCP client B. access point C. router D. PC

C Explanation To configure DHCP snooping feature, at least three steps must be done: Sequence and Description Command 1. Configure global DHCP snooping Switch(config)# ip dhcp snooping 2. Configure trusted ports (as least on 1 port). By default, all ports are untrusted Switch(config-if)# ip dhcp snooping trust 3. Configure DHCP snooping for the selected VLANs Switch(config)# ip dhcp snooping vlan {VLAN- ID | VLAN range} Note: To configure DHCP snooping with Dynamic ARP Inspection we need to add the command "ip arp inspection vlan vlan-id" in global configuration mode and "ip arp inspection trust" in interface mode. In a normal network environment, we should trust interfaces that are connected to routers, not end points.

Question 103 What is a practice that protects a network from VLAN hopping attacks? A. Implement port security on internet-facing VLANs. B. Configure an ACL to prevent traffic from changing VLANs. C. Assign all access ports to VLANs other than the native VLAN. D. Enable dynamic ARP inspection.

C Explanation VLAN Hopping: By altering the VLAN ID on packets encapsulated for trunking, an attacking device can send or receive packets on various VLANs, bypassing Layer 3 security measures. VLAN hopping can be accomplished by switch spoofing or double tagging. One of a popular type of VLAN Hopping is Double-Tagging attack: In this attack, the attacking computer generates frames with two 802.1Q tags. The first tag matches the native VLAN of the trunk port (VLAN 10 in this case), and the second matches the VLAN of a host it wants to attack (VLAN 20). When the packet from the attacker reaches Switch A, Switch A only sees the first VLAN 10 and it matches with its native VLAN 10 so this VLAN tag is removed. Switch A forwards the frame out all links with the same native VLAN 10. Switch B receives the frame with an tag of VLAN 20 so it removes this tag and forwards out to the Victim computer. Note: This attack only works if the trunk (between two switches) has the same native VLAN as the attacker. In other words, this attack is only successful if the attacker belongs to the native VLAN of the trunk link. Another important point is, this attack is strictly one way as it is impossible to encapsulate the return packet. To mitigate this type of attack, we can use VLAN access control lists (VACLs, which applies to all traffic within a VLAN. We can use VACL to drop attacker traffic to specific victims/servers); or implement Private VLANs; or keep the native VLAN of all trunk ports different from user VLANs.

Question 78 What is a feature of WPA? A. 802.1x authentication B. preshared key C. TKIP/MIC encryption D. small Wi-Fi application

C Explanation WPA uses Michael, a special MIC designed to help with TKIP without requiring excessive computation. Reference: https://www.sciencedirect.com/topics/engineering/temporal-key-integrity-protocol WPA supports two authentication modes: - Personal - Enterprise With personal mode, we use a pre-shared key. The pre-shared key is not used directly over the air. Instead, wireless clients and the AP use a four-way handshake that uses the pre-shared key as input to generate encryption keys. Enterprise mode uses 802.1X and an authentication server, usually a RADIUS server. Therefore in this question, TKIP/MIC encryption is the best choice.

Question 36 What is the default port-security behavior on a trunk link? A. It causes a network loop when a violation occurs. B. It disables the native VLAN configuration as soon as port security is enabled. C. It places the port in the err-disabled state if it learns more than one MAC address. D. It places the port in the err-disabled state after 10 MAC addresses are statically configured.

C Explanation We tested it with IOS v15.2 and this is the result: We can see the "Maximum MAC Addresses" is 1 so this port will be put in the err-disabled state if it learns more than one MAC address.

Question 4 When a WLAN with WPA2 PSK is configured in the Wireless LAN Controller GUI which format is supported? A. Unicode B. base64 C. ASCII D. decimal

C Explanation When configuring a WLAN with WPA2 Preshared Key (PSK), we can choose the encryption key format as either ASCII or HEX. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config- guide/b_wl_16_10_cg/multi-preshared-key.pdf

Question 11 What are two purposes of launching a reconnaissance attack on a network? (Choose two) A. to prevent other users from accessing the system B. to escalate access privileges C. to gather information about the network and devices D. to scan for accessibility E. to retrieve and modify data

C D

Question 13 23/7 Several new coverage cells are required to improve the Wi-Fi network of an organization. Which two standard designs are recommended? (Choose two) A. 5GHz provides increased network capacity with up to 23 nonoverlapping channels, B. 5GHz channel selection requires an autonomous access point. C. Cells that overlap one another are configured to use nonoverlapping channels. D. Adjacent cells with overlapping channels use a repeater access point. E. For maximum throughput, the WLC is configured to dynamically set adjacent access points to the same channel.

C E

Question 37 Which two components comprise part of a PKI? (Choose two) A. RSA token B. clear-text password that authenticates connections C. one of more CRLs D. preshared key that authenticates connections E. CA that grants certificates

C E Explanation PKI (or Public Key Infrastructure) is the framework of encryption and cybersecurity that protects communications between the server (your website) and the client (the users). Think about all the information, people, and services that your team communicates and works with. PKI is essential in building a trusted and secure business environment by being able to verify and exchange data between various servers and users. The components of a PKI include: + public key + private key + Certificate Authority (CA) + Certificate Store + Certificate Revocation List (CRL) + Hardware Security Module Certificate Authority (CA) The CA generally handles all aspects of the certificate management for a PKI, including the phases of certificate lifecycle management. A CA issues certificates to be used to confirm that the subject imprinted on the certificate is the owner of the public key. In a PKI system, the client generates a public-private key pair. The public key and information to be imprinted on the certificate are sent to the CA. The CA then creates a digital certificate consisting of the user's public key and certificate attributes. The certificate is signed by the CA with its private key. Certificate Revocation List (CRL) A CRL is a list of certificates that have been revoked by the CA that issued them before they were set to expire. This is a helpful security feature if a device is stolen that contains a certificate. A RADIUS server only rejects a connection request from a device if the device's certificate serial number is contained in the CRL. The Certificate Authority is the one that maintains this list, and the RADIUS server periodically downloads this list by sending a query to the CA. There are two types of CRLs: A Delta CRL and a Base CRL. Reference: https://www.securew2.com/blog/public-key-infrastructure-explained

Question 10 In which two ways does a password manager reduce the chance of a hacker stealing a user's password? (Choose two) A. It automatically provides a second authentication factor that is unknown to the original user B. It uses an internal firewall to protect the password repository from unauthorized access C. It protects against keystroke logging on a compromised device or web site D. It stores the password repository on the local workstation with built-in antivirus and anti- malware functionality E. It encourages users to create stronger passwords

C E Explanation A password manager only helps you remember your chosen passwords without typing them by yourself. It automatically fills into the password textbox for you so it does not provides a second authentication factor. An example of second authentication factor is an one time password (OTP) sent to your phone after typing your password and you have to type this OTP to authenticate. By using a password manager, you are encouraged to create a complex password because you don't need to remember it.

Question 30 Which two protocols are supported on service-port interfaces? (Choose two) A. RADIUS B. TACACS+ C. Telnet D. SCP E. SSH

C E Explanation The service-port interface controls communications through and is statically mapped by the system to the service port. The service port can be used for out-of-band management. The service port can obtain an IPv4 address using DHCP, or it can be assigned a static IPv4 address, but a default gateway cannot be assigned to the service-port interface. Static IPv4 routes can be defined through the controller for remote network access to the service port. If the service port is in use, the management interface must be on a different supernet from the service-port interface. The service-port interface supports the following protocols: + SSH and Telnet + HTTP and HTTPS + SNMP + FTP, TFTP, and SFTP + Syslog + ICMP (ping) + NTP Note: TACACS+ and RADIUS are not supported through the service port.

Question 41 Which two protocols are used by an administrator for authentication and configuration on access points? (Choose two) A. Kerberos B. 802.1Q C. 802.1x D. TACACS+ E. RADIUS

C E Explanation You can configure 802.1X authentication between a lightweight access point and a Cisco switch. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration- guide/b_cg76/b_cg76_chapter_01101000.pdf

Question 23 Refer to the exhibit. Between which zones do wireless users expect to experience intermittent connectivity? A. between zones 1 and 2 B. between zones 2 and 5 C. between zones 3 and 4 D. between zones 3 and 6

C Explanation The 2.4 GHz band is subdivided into multiple channels each allotted 22 MHz bandwidth and separated from the next channel by 5 MHz. -> A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non-overlapping channels such as 1, 6, and 11. If you use channels that overlap, RF interference can occur. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-340-series/8117- connectivity.html If other Wi-Fi sources such as neighboring wireless access points are using the same wireless channel, this may cause intermittent connectivity issues. Reference: https://arris.secure.force.com/consumers/articles/General_FAQs/SBG8300- Troubleshooting-Intermittent-Wi-Fi-Connections/?l=en_US&fs=RelatedArticle In this question, both Zone 3 & Zone 4 use Channel 11 so interference can occur.

Question 123 Refer to the exhibit. Users need to connect to the wireless network with IEEE 802.11r-compatible devices. The connection must be maintained as users travel between floors or to other areas in the building. What must be the configuration of the connection? A. Select the WPA Policy option with the CCKM option B. Disable AES encryption C. Enable Fast Transition and select the FT 802.1x option D. Enable Fast Transition and select the FT PSK option

C chọn D Explanation 802.11r, which is the IEEE standard for fast roaming, introduces a new concept of roaming where the initial handshake with the new AP is done even before the client roams to the target AP, which is called Fast Transition (FT). The initial handshake allows the client and APs to do the Pairwise Transient Key (PTK) calculation in advance. These PTK keys are applied to the client and AP after the client does the reassociation request or response exchange with new target AP. FT works with both preshared key (PSK) and 802.1X authentication methods. If you check the FT PSK check box, from the PSK Format drop-down list, choose ASCII or Hex and enter the key value -> This question does not mention about "enter the key value" so maybe answer C is the best choice. Reference: https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/80211r- ft/b-80211r-dg.html

Question 49 Which security program element involves installing badge readers on data-center doors to allow workers to enter and exit based on their job roles? A. physical access control B. biometrics C. role-based access control D. multifactor authentication

C chọn lại là A Explanation Badge reader is a small, inexpensive reader connected to the USB port of any PC, which can read the information encoded on a badge (barcode, microchip or RFID, magnetic stripe) and restore it on any computer software. An example of badge reader is shown below: The purpose of access control is to grant entrance to a building or office only to those who are authorized to be there.

Question 9 What is the purpose of an SSID? A. It provides network security B. It differentiates traffic entering access points C. It identities an individual access point on a WLAN D. It identifies a WLAN

C sai, đúng phải là D Explanation Stands for "Service Set Identifier." An SSID is a unique ID that consists of 32 characters and is used for naming wireless networks. When multiple wireless networks overlap in a certain location, SSIDs make sure that data gets sent to the correct destination.

Question 1 How does CAPWAP communicate between an access point in local mode and a WLC? A. The access point must directly connect to the WLC using a copper cable B. The access point must not be connected to the wired network, as it would create a loop C. The access point must be connected to the same switch as the WLC D. The access point has the ability to link to any switch in the network, assuming connectivity to the WLC

D

Question 1 Refer to the exhibit. An engineer booted a new switch and applied this configuration via the console port. Which additional configuration must be applied to allow administrators to authenticate directly to enable privilege mode via Telnet using local username and password? A. R1(config)#username admin R1(config-if)#line vty 0 4 R1(config-line)#password p@ss1234 B. R1(config)#username admin R1(config-if)#line vty 0 4 R1(config-line)#password p@ss1234 R1(config-line)#transport input telnet C. R1(config)#username admin secret p@ss1234 R1(config-if)#line vty 0 4 R1(config-line)#login local R1(config)#enable secret p@ss1234 D. R1(config)#username admin R1(config-if)#line vty 0 4 R1(config-line)#login local

D

Question 12 What is a benefit of using a Cisco Wireless LAN Controller? A. Central AP management requires more complex configurations B. Unique SSIDs cannot use the same authentication method C. It supports autonomous and lightweight APs D. It eliminates the need to configure each access point individually

D

Question 12 Which device controls the forwarding of authentication requests for users when connecting to the network using a lightweight access point? A. TACACS server B. wireless access point C. RADIUS server D. wireless LAN controller

D

Question 2 Which effect does the aaa new-model configuration command have? A. It configures the device to connect to a RADIUS server for AAA. B. It configures a local user on the device. C. It associates to RADIUS server to an AAA group. D. It enables AAA services on the device.

D

Question 24 Refer to exhibit. Which configuration must be applied to the router that configures PAT to translate all addresses in VLAN 200 while allowing devices on VLAN 100 to use their own IP addresses? Option A Router1(config)#access-list 99 permit 209.165.201.2 0.0.0.0 Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload Router1(config)#interface gi2/0/1.200 Router1(config)#ip nat inside Router1(config)#interface gi1/0/0 Router1(config)#ip nat outside Option B Router1(config)#access-list 99 permit 209.165.201.2 255.255.255.255 Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload Router1(config)#interface gi2/0/1.200 Router1(config)#ip nat inside Router1(config)#interface gi1/0/0 Router1(config)#ip nat outside Option C Router1(config)#access-list 99 permit 192.168.100.0 0.0.0.255 Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload Router1(config)#interface gi2/0/1.200 Router1(config)#ip nat inside Router1(config)#interface gi1/0/0 Router1(config)#ip nat outside Option D Router1(config)#access-list 99 permit 192.168.100.32 0.0.0.31 Router1(config)#ip nat inside source list 99 interface gi1/0/0 overload Router1(config)#interface gi2/0/1.200 Router1(config)#ip nat inside Router1(config)#interface gi1/0/0 Router1(config)#ip nat outside A. Option A B. Option B C. Option C D. Option D

D

Question 24 What occurs when overlapping Wi-Fi channels are implemented? A. The wireless network becomes vulnerable to unauthorized access B. Wireless devices are unable to distinguish between different SSIDs C. Network communications are open to eavesdropping D. Users experience poor wireless network performance

D

Question 42 What is a network appliance that checks the state of a packet to determine whether the packet is legitimate? A. Layer 2 switch B. LAN controller C. load balancer D. firewall

D

Question 44 Refer to the exhibit. Which configuration enables DHCP addressing for hosts connected to interface FastEthernet0/1 on router R4? A. interface FastEthernet0/1 ip helper-address 10.0.1.1 ! access-list 100 permit tcp host 10.0.1.1 eq 67 host 10.148.2.1 B. interface FastEthernet0/0 ip helper-address 10.0.1.1 ! access-list 100 permit host 10.0.1.1 host 10.148.2.1 eq bootps C. interface FastEthernet0/0 ip helper-address 10.0.1.1 ! access-list 100 permit udp host 10.0.1.1 eq bootps host 10.148.2.1 D. interface FastEthernet0/1 ip helper-address 10.0.1.1 ! access-list 100 permit udp host 10.0.1.1 eq bootps host 10.148.2.1

D

Question 52 A Cisco engineer at a new branch office is configuring a wireless network with access points that connect to a controller that is based at corporate headquarters. Wireless client traffic must terminate at the branch office and access-point survivability is required in the event of a WAN outage. Which access point mode must be selected? A. Lightweight with local switching disabled B. Local with AP fallback enabled C. OfficeExtend with high availability disabled D. FlexConnect with local switching enabled

D

Question 6 Where does wireless authentication happen? A. SSID B. radio C. band D. Layer 2

D

Question 71 What is the function of Cisco Advanced Malware protection for next-generation IPS? A. authorizing potentially compromised wireless traffic B. URL filtering C. authenticating end users D. inspecting specific files and files types for malware

D

Question 72 What provides centralized control of authentication and roaming in an enterprise network? A. a LAN switch B. a firewall C. a lightweight access point D. a wireless LAN controller

D

Question 88 What is a function of a Next-Generation IPS? A. makes forwarding decisions based on learned MAC addresses B. serves as a controller within a controller-based network C. integrates with a RADIUS server to enforce Layer 2 device authentication rules D. correlates user activity with network events

D

Question 4 Which technology is used to improve web traffic performance by proxy caching? A. Firepower B. FireSIGHT C. ASA D. WSA (Web Security Appliance)

D Explanation The Web Security appliance (WSA) intercepts requests that are forwarded to it by clients or other devices over the network. Proxy caching is a setting in WSA that caches data to increase performance.

Question 63 A company has each office using wireless access with multiple SSIDs while limiting roaming capabilities, covering different locations on the internal office LAN, guest networks, and BYOD access for employees. Which change must be enabled to improve the customer experience during SSID changes? A. Assisted Roaming Prediction Optimization B. Fast Transition C. Neighbor List Dual Band D. Fast SSID Change

D Explanation "When you enable Fast SSID Change, the controller allows clients to move between SSIDs. When the client sends a new association request for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.

Question 42 What must be considered when using 802.11a? A. It is compatible with 802.11g and 802.11-compliant wireless devices B. It is chosen over 802.11b/g when a lower-cost solution is necessary C. It is susceptible to interference from 2.4 GHz devices such as microwave ovens. D. It is used in place of 802.11b/g when many nonoverlapping channels are required

D Explanation 802.11a offers as many as 12 non-overlapping channels. With more channels, larger number of users can be accommodated with no performance degradation.

Question 55 Which access layer threat-mitigation technique provides security based on identity? A. using a non-default native VLAN B. Dynamic ARP Inspection C. DHCP snooping D. 802.1x

D Explanation 802.1X is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server.

Question 3 Which type of attack can be mitigated by dynamic ARP inspection? A. malware B. DDoS C. worm D. man-in-the-middle

D Explanation ARP attack (like ARP poisoning/spoofing, man-in-the-middle) is a type of attack in which a malicious actor sends falsified ARP messages over a local area network as ARP allows a gratuitous reply from a host even if an ARP request was not received. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network. This is an attack based on ARP which is at Layer 2. Dynamic ARP inspection (DAI) is a security feature that validates ARP packets in a network which can be used to mitigate this type of attack.

Question 22 Which enhancement is implemented in WPA3? A. applies 802.1x authentication B. uses TKIP C. employs PKI to identify access points D. protects against brute force attacks

D Explanation Another security enhancement that has been made in WP3 reduces potential for password cracking attacks such as the WPA2 KRACK Attack. WPA2 is vulnerable to brute force and dictionary-based attacks. That is because security relies on the AP provider setting a secure password and many establishments don't. With WPA3, the Pre-Shared Key (PSK) exchange protocol is replaced with Simultaneous Authentication of Equals (SAE) or the Dragonfly Key Exchange, which improves security of the initial key exchange and offers better protection against offline dictionary-based attacks. Reference: https://www.webtitan.com/blog/wpa3-wifi-security-enhancements-will-not-block-all- threats/

Question 6 A wireless administrator has configured a WLAN; however, the clients need access to a less congested 5-GHz network for their voice quality. What action must be taken to meet the requirement? A. enable AAA override B. enable RX-SOP C. enable DTIM D. enable Band Select

D Explanation Band Select or Band Direction is a new feature that encourages dual band clients to connect to 5 G-Hz networks. Band select is disabled by default. The Band Select function provides a better wireless experience for users.

Question 4 Which mode must be set for APs to communicate to a Wireless LAN Controller using the Control and Provisioning of Wireless Access Points (CAPWAP) protocol? A. bridge B. route C. autonomous D. lightweight

D Explanation Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight + Autonomous: self-sufficient and standalone. Used for small wireless networks. + Lightweight: A Cisco lightweight AP (LAP) has to join a Wireless LAN Controller (WLC) to function. LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels.

Question 40 What does physical access control regulate? A. access to specific networks based on business function B. access to servers to prevent malicious activity C. access to computer networks and file systems D. access to networking equipment and facilities

D Explanation Cisco Physical Access Control is a comprehensive IP-based solution that uses the IP network as a platform for integrated security operations.

Question 1 Refer to the exhibit. What is the effect of this configuration? A. All ARP packets are dropped by the switch B. Egress traffic is passed only if the destination is a DHCP server. C. All ingress and egress traffic is dropped because the interface is untrusted D. The switch discard all ingress ARP traffic with invalid MAC-to-IP address bindings

D Explanation Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.

Question 90 Refer to the exhibit. What is the effect of this configuration? A. Egress traffic is passed only if the destination is a DHCP server. B. All ingress and egress traffic is dropped because the interface is untrusted. C. All ARP packets are dropped by the switch. D. The switch discards all ingress ARP traffic with invalid MAC-to-IP address bindings.

D Explanation Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking. Wireless Questions January 10th, 2021Go to comments Premium Member: You can test your knowledge with these questions first via this link (via HTML). Note: If you are not sure about Wireless, please read our Wireless tutorial. * Infrastructure mode: Connect to a wired LAN, supports two modes (service sets): + Basic Service Set (BSS): uses only a single AP to create a WLAN + Extended Service Set (ESS): uses more than one AP to create a WLAN, allows roaming in a larger area than a single AP. Usually there is an overlapped area between two APs to support roaming. The overlapped area should be more than 10% (from 10% to 15%) to allow users moving between two APs without losing their connections (called roaming). The two adjacent APs should use non-overlapping channels to avoid interference. The most popular non-overlapping channels are channels 1, 6 and 11 (will be explained later). Roaming: The ability to use a wireless device and be able to move from one access point's range to another without losing the connection. Cisco Access Points (APs) can operate in one of two modes: autonomous or lightweight + Autonomous: self-sufficient and standalone. Used for small wireless networks. + Lightweight: A Cisco lightweight AP (LAP) has to join a Wireless LAN Controller (WLC) to function. LAP and WLC communicate with each other via a logical pair of CAPWAP tunnels. - Control and Provisioning for Wireless Access Point (CAPWAP) is an IETF standard protocol which enables a WLC to manage multiple APs. CAPWAP is similar to LWAPP except the following differences: + CAPWAP uses Datagram Transport Layer Security (DTLS) for authentication and encryption to protect traffic between APs and controllers. LWAPP uses AES. + CAPWAP has a dynamic maximum transmission unit (MTU) discovery mechanism. + CAPWAP runs on UDP ports 5246 (control messages) and 5247 (data messages) Signal to Noise Ratio (SNR) is defined as the ratio of the transmitted power from the AP to the ambient (noise floor) energy present. To calculate the SNR value, we add the Signal Value to the Noise Value to get the SNR ratio. A positive value of the SNR ratio is always better. The 2.4 GHz band is subdivided into multiple channels each allotted 22 MHz bandwidth and separated from the next channel by 5 MHz. -> A best practice for 802.11b/g/n WLANs requiring multiple APs is to use non- overlapping channels such as 1, 6, and 11. Types of external antennas: + Omnidirectional: Provide 360-degree coverage. Ideal in houses and office areas + Directional: Focus the radio signal in a specific direction. Examples are the Yagi and parabolic dish + Multiple Input Multiple Output (MIMO) - Uses multiple antennas (up to eight) to increase bandwidth

Question 94 A WLC sends alarms about a rogue AP, and the network administrator verifies that the alarms are caused by a legitimate autonomous AP. How must the alarms be stopped for the MAC address of the AP? A. Place the AP into manual containment. B. Remove the AP from WLC management. C. Manually remove the AP from Pending state. D. Set the AP Class Type to Friendly.

D Explanation If a rogue AP is classified as friendly, it means that the rogue AP exists in the vicinity, is a known AP, and need not be tracked. Therefore, all the rogue clients are either deleted or not tracked if they are associated with the friendly rogue AP. Reference: https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/ wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_0111010.html.xml

Question 3 Which configuration is needed to generate an RSA key for SSH on a router? A. Configure the version of SSH B. Configure VTY access C. Create a user with a password D. Assign a DNS domain name

D Explanation In order to generate an RSA key for SSH, we need to configure the hostname and a DNS domain name on the router (a username and password is also required). Therefore in fact both answer C and answer D are correct.

Question 5 Which device performs stateful inspection of traffic? A. access point B. switch C. wireless controller D. firewall

D Explanation In stateful inspection, the firewall not only inspects packets up through the application layer/layer7 determining a packet's header information and data content, but also monitors and keeps track of the connection's state. For all active connections traversing the firewall, the state information, which may include IP addresses and ports involved, the sequence numbers and acknowledgement numbers of the packets traversing the connection, TCP packet flags, etc. is maintained in a state table.

Question 5 Which statement about Link Aggregation when implemented on a Cisco Wireless LAN Controller is true? A. To pass client traffic two or more ports must be configured B. The EtherChannel must be configured in "mode active" C. When enabled the WLC bandwidth drops to 500 Mbps D. One functional physical port is needed to pass client traffic

D Explanation Link aggregation (LAG) is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller's distribution system ports into a single 802.3ad port channel. Restriction for Link aggregation: + LAG requires the EtherChannel to be configured for 'mode on' on both the controller and the Catalyst switch -> Answer B is not correct. + If the recommended load-balancing method cannot be configured on the Catalyst switch, then configure the LAG connection as a single member link or disable LAG on the controller -> Answer A is not correct while answer D is correct. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration- guide/b_cg75/b_cg75_chapter_0100010.html

Question 59 Which port type does a lightweight AP use to connect to the wired network when configured in FlexConnect mode with local switching and VLAN tagging? A. EtherChannel B. access C. LAG D. trunk

D Explanation Local Switched: Locally-switched WLAN's (the SSID you are connected to) will map their wireless user traffic to a VLAN via 802.1Q trunking to a local switch adjacent to the access point. Reference: https://wlanlessonslearned.wordpress.com/tag/flexconnect/

Question 110 What is a function of Opportunistic Wireless Encryption in an environment? A. offer compression B. increase security by using a WEP connection C. provide authentication D. protect traffic on open networks

D Explanation Opportunistic Wireless Encryption (OWE) is an extension to IEEE 802.11 that provides encryption of the wireless medium. The purpose of OWE based authentication is avoid open unsecured wireless connectivity between the AP's and clients. The OWE uses the Diffie-Hellman algorithms based Cryptography to setup the wireless encryption. Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/16-12/config- guide/b_wl_16_12_cg/wpa3.html

Question 26 To improve corporate security, an organization is planning to implement badge authentication to limit access to the data center. Which element of a security program is being deployed? A. user training B. user awareness C. vulnerability verification D. physical access control

D Explanation Physical access control: Infrastructure locations, such as network closets and data centers, should remain securely locked. Badge access to sensitive locations is a scalable solution, offering an audit trail of identities and timestamps when access is granted. Administrators can control access on a granular basis and quickly remove access when an employee is dismissed.

Question 85 Which field within the access-request packet is encrypted by RADIUS? A. authorized services B. authenticator C. username D. password

D Explanation RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party. Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial- user-service-radius/13838-10.html

Question 72 When an access point is seeking to join a wireless LAN controller, which message is sent to the AP- Manager interface? A. DHCP request B. DHCP discover C. discovery response D. discovery request

D Explanation The LAPs always connect to the management interface address of the controller first with a discovery request. The controller then tells the LAP the Layer 3 AP-manager interface (which can also be the management by default) IP address so the LAP can send a join request to the AP- manager interface next. Reference: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless- controllers/119286-lap-notjoin-wlc-tshoot.html

Question 37 What is a specification for SSIDS? A. They are a Cisco proprietary security feature. B. They must include one number and one letter. C. They define the VLAN on a switch. D. They are case sensitive.

D Explanation The SSID is limited to a maximum length of 32 bytes. When represented in ASCII form, the characters of the SSID are case-sensitive. This means that "9tut" is a different network than "9TUT".

Question 7 Refer to the exhibit. A network administrator must permit SSH access to remotely manage routers in a network. The operations team resides on the 10.20.1.0/25 network. Which command will accomplish this task? A. access-list 2699 permit udp 10.20.1.0 0.0.0.255 B. no access-list 2699 deny tcp any 10.20.1.0 0.0.0.127 eq 22 C. access-list 2699 permit tcp any 10.20.1.0 0.0.0.255 eq 22 D. no access-list 2699 deny ip any 10.20.1.0 0.0.0.255

D Explanation The operations team resides on 10.20.1.0/25 network which is a part of 10.20.1.0/24 network so we need to remove the "deny" statement of the 10.20.1.0/25 network to allow SSH.

Question 57 Refer to the exhibit. Wireless LAN access must be set up to force all clients from the NA WLAN to authenticate against the local database. The WLAN is configured for local EAP authentication. The time that users access the network must not be limited. Which action completes this configuration? A. Check the Guest User Role check box B. Clear the Lifetime (seconds) value C. Set the Lifetime (seconds) value to 0 D. Uncheck the Guest User check box

D Explanation The users created in the "Local Net Users" are stored in the local database. With the "Guest User" check box enabled, we have to set the time for that user. The "Lifetime" is the amount of time that the guest user account is to remain active. The valid range is 60 to 2,592,000 seconds (30 days) inclusive, and the default setting is 86,400 seconds. If we don't want to limit the time for that user, uncheck the "Guest User" check box. ===============================

Question 1 An email user has been lured into clicking a link in an email sent by their company's security organization. The webpage that opens reports that it was safe but the link could have contained malicious code. Which type of security program is in place? A. Physical access control B. Social engineering attack C. brute force attack D. user awareness

D Explanation This is a training program which simulates an attack, not a real attack (as it says "The webpage that opens reports that it was safe") so we believed it should be called a "user awareness" program. Therefore the best answer here should be "user awareness". This is the definition of "User awareness" from CCNA 200-301 Offical Cert Guide Book: "User awareness: All users should be made aware of the need for data confidentiality to protect corporate information, as well as their own credentials and personal information. They should also be made aware of potential threats, schemes to mislead, and proper procedures to report security incidents. " Note: Physical access control means infrastructure locations, such as network closets and data centers, should remain securely locked.

Question 90 What does WPA3 provide in wireless networking? A. increased security and requirement of a complex configuration B. backward compatibility with WPA and WPA2 C. optional Protected Management Frame negotiation D. safeguards against brute force attacks with SAE

D Explanation WPA3 only backwards compatible with WPA2 but not WPA -> Answer B is not correct. WPA3 increases security but not require a complex configuration -> Answer A is not correct. Simultaneous Authentication of Equals (SAE): SAE provides a more secure, password-based authentication and key agreement mechanism even when passwords are not following complexity requirements. It protects from brute-force attacks and makes unwanted decrypting of sessions (during or after the session) a lot harder - just knowing the passphrase isn't enough to decrypt the session -> Answer D is correct. Reference: https://www.mist.com/wpa3-just-the-essentials-on-the-latest-in-wi-fi-security/

Question 7 Which type of wireless encryption is used for WPA2 in pre-shared key mode? A. TKIP with RC4 B. RC4 C. AES-128 D. AES-256

D Explanation We can see in this picture we have to type 64 hexadecimal characters (256 bit) for the WPA2 passphrase so we can deduce the encryption is AES-256, not AES-128. Reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan- wlan/67134-wpa2-config.html

Question 33 An engineer is configuring a switch port that is connected to a VoIP handset. Which command must the engineer configure to enable port security with a manually assigned MAC address of abcd.abcd.abcd on voice VLAN 4? A. switchport port-security mac-address abcd.abcd.abcd B. switchport port-security mac-address abcd.abcd.abcd vlan 4 C. switchport port-security mac-address sticky abcd.abcd.abcd vlan 4 D. switchport port-security mac-address abcd.abcd.abcd vlan voice

D Explanation We tested the port-security configuration under Web-IOU with IOSv15.2 but there is no "vlan voice" keyword: But in this Cisco link, we can find such command: Device(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice So we believe answer D is the best choice. Access-list Questions

Question 47 What causes a port to be placed in the err-disabled state? A. latency B. nothing plugged into the port C. shutdown command issued on the port (administratively down) D. port security violation

D Explanation When a port security is violated, that port can be put into errdisable state.

Question 2 Which WPA3 enhancement protects against hackers viewing traffic on the Wi-Fi network? A. TKIP encryption B. AES encryption C. Scrambled encryption key D. SAE encryption

D Explanation Wi-Fi Protected Access version 3 (WPA3) is a new Wi-Fi Alliance's (WFA) security standard for personal and enterprise networks. It aims to improve overall Wi-Fi security by using modern security algorithms and stronger cipher suites. WPA3 has two parts: + WPA3-Personal: Uses simultaneous authentication of equals (SAE) instead of pre-shared key (PSK), providing users with stronger security protections against attacks such as offline dictionary attacks, key recovery, and message forging. + WPA3-Enterprise: Offers stronger authentication and link-layer encryption methods, and an optional 192-bit security mode for sensitive security environments.

Question 8 Which two values or settings must be entered when configuring a new WLAN in the Cisco Wireless LAN Controller GUI? (Choose two) A. management interface settings B. QoS settings C. ip address of one or more access points D. SSID E. Profile name

D E

Question 112 Which action implements physical access control as part of the security program of an organization? A. setting up IP cameras to monitor key infrastructure B. backing up syslogs at a remote location C. configuring enable passwords on network devices D. configuring a password for the console port

D chọn lại A

Question 25 Which encryption method is used by WPA3? A. TKIP B. SAE C. PSK D. AES

D chọn lại B

Question 101 Which interface mode must be configured to connect the lightweight APs in a centralized architecture? A. WLAN dynamic B. management C. trunk D. access

D chọn lại C


Kaugnay na mga set ng pag-aaral

CST 110 Chapter 12 Organizing your Speech

View Set

Analogies - relationship between words

View Set