CCNA Security CH2 Exam Study

What is the default privilege level of user accounts created on Cisco routers? 0 15 1 16

1

What is a requirement to use the Secure Copy Protocol feature? At least one user with privilege level 1 has to be configured for local authentication. A command must be issued to enable the SCP server side functionality. A transfer can only originate from SCP clients that are routers. The Telnet protocol has to be configured on the SCP server side.

A command must be issued to enable the SCP server side functionality.*

What is a characteristic of the Cisco IOS Resilient Configuration feature? It maintains a secure working copy of the bootstrap startup program. Once issued, the secure boot-config command automatically upgrades the configuration archive to a newer version after new configuration commands have been entered. A snapshot of the router running configuration can be taken and securely archived in persistent storage. The secure boot-image command works properly when the system is configured to run an image from a TFTP server.

A snapshot of the router running configuration can be taken and securely archived in persistent storage.*

Which two characteristics apply to role-based CLI access superviews? (Choose two.) A.) A specific superview cannot have commands added to it directly. B.) CLI views have passwords, but superviews do not have passwords. C.) A single superview can be shared among multiple CLI views. D.) Deleting a superview deletes all associated CLI views. E.) Users logged in to a superview can access all commands specified within the associated CLI views.

A specific superview cannot have commands added to it directly. Users logged in to a superview can access all commands specified within the associated CLI views.

If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.) Create a superview using the parser view view-name command. Associate the view with the root view. Assign users who can use the view. Create a view using the parser view view-name command. Assign a secret password to the view. Assign commands to the view.

Create a view using the parser view view-name command.* Assign a secret password to the view.* Assign commands to the view.*

Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.) Creating a user account that needs access to most but not all commands can be a tedious process. Views are required to define the CLI commands that each user can access. Commands set on a higher privilege level are not available for lower privilege users. It is required that all 16 privilege levels be defined, whether they are used or not. There is no access control to specific interfaces on a router. The root user must be assigned to each privilege level that is defined.

Creating a user account that needs access to most but not all commands can be a tedious process. Commands set on a higher privilege level are not available for lower privilege users. There is no access control to specific interfaces on a router.

An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.) Enable inbound vty SSH sessions. Generate two-way pre-shared keys. Configure DNS on the router. Configure the IP domain name on the router. Enable inbound vty Telnet sessions. Generate the SSH keys.

Enable inbound vty SSH sessions.* Configure the IP domain name on the router.* Generate the SSH keys.*

Refer to the exhibit. Which statement about the JR-Admin account is true? R1(config)# Privileged exec level 4 ping R1(config)# Privileged exec level 8 reload R1(config)# privileged exec level 12 show R1(config)#username JR-Admin privilege 10 secret cisco 10 JR-Admin can issue only ping commands. JR-Admin can issue show, ping, and reload commands. JR-Admin cannot issue any command because the privilege level does not match one of those defined. JR-Admin can issue debug and reload commands. JR-Admin can issue ping and reload commands

JR-Admin can issue ping and reload commands*

Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC Mode? A.) Locate the router in a secure locked room that is accessible only to authorized personnel. B.) Configure secure administrative control to ensure that only authorized personnel can access the router. C.) Keep a secure copy of the router Cisco IOS image and router configuration file as a backup. D.) Provision the router with the maximum amount of memory possible E.) Disable all unused ports and interfaces to reduce the number of ways that the router can be accessed.

Locate the router in a secure locked room that is only accessible to authorized personnel

A network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode? Quiet mode behavior can be enabled via an ip access-group command on a physical interface. Quiet mode behavior will only prevent specific user accounts from attempting to authenticate. Quiet mode behavior can be overridden for specific networks by using an ACL. Quiet mode behavior can be disabled by an administrator by using SSH to connect.

Quiet mode behavior can be overridden for specific networks by using an ACL.

Which set of commands are required to create a username of admin, hash the password using MD5, and force the router to access the internal username database when a user attempts to access the console? R1(config)# username admin password Admin01pa55 R1(config)# line con 0 R1(config-line)# login local R1(config)# username admin secret Admin01pa55 R1(config)# line con 0 R1(config-line)# login local R1(config)# username admin Admin01pa55 encr md5 R1(config)# line con 0 R1(config-line)# login local R1(config)# username admin password Admin01pa55 R1(config)# line con 0 R1(config-line)# login R1(config)# username admin secret Admin01pa55 R1(config)# line con 0 R1(config-line)# login

R1(config)# username admin secret Admin01pa55 R1(config)# line con 0 R1(config-line)# login local

Which three areas of router security must be maintained to secure and edge router at the network perimeter? A.) remote access security B.) zone isolation C.) router hardening D.) operating system security E.) flash security F.) physical security

Router hardening, operating system security, and physical security

Which three types of views are available when configuring the role-based CLI access feature? (Choose three.) A.) superview B.) admin view C.) root view D.) superuser view E.) CLI view F.) config view

Superview root view cli view

What is a characteristic of the MIB? The OIDs are organized in a hierarchical structure. Information in the MIB cannot be changed. A separate MIB tree exists for any given device in the network. Information is organized in a flat manner so that SNMP can access it quickly.

The OIDs are organized in a hierarchical structure.*

What occurs after RSA keys are generated on a Cisco router to prepare for secure device management? The keys must be zeroized to reset Secure Shell before configuring other parameters. All vty ports are automatically configured for SSH to provide secure management. The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys moduluscommand. The generated keys can be used by SSH.

The generated keys can be used by SSH.

A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.) area 0 authentication message-digest ip ospf message-digest-key 1 md5 1A2b3C username OSPF password 1A2b3C enable password 1A2b3C area 1 authentication message-digest

area 0 authentication message-digest* ip ospf message-digest-key 1 md5 1A2b3C*

Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.) IP addresses of interfaces content of a security banner enable secret password services to disable enable password interfaces to enable

content of a security banner* enable password* enable secret password*

Which three actions are produced by adding Cisco IOS login enhancements to the router login process? (Choose three.) permit only secure console access create password authentication automatically provide AAA authentication create syslog messages slow down an active attack disable logins from specified hosts

create syslog messages* slow down an active attack* disable logins from specified hosts*

Which two options can be configured by Cisco AutoSecure? (Choose two.) enable secret password interface IP address SNMP security banner syslog

enable secret password security banner

What command must be issued to enable login enhancements on a Cisco router? privilege exec level login delay login block-for banner motd

login block-for

What is the Control Plane Policing (CoPP) feature designed to accomplish? disable control plane services to reduce overall traffic prevent unnecessary traffic from overwhelming the route processor direct all excess traffic away from the route process manage services provided by the control plane

prevent unnecessary traffic from overwhelming the route processor*

Which three functions are provided by the syslog logging service? (Choose three.) setting the size of the logging buffer specifying where captured information is stored gathering logging information authenticating and encrypting data sent over the network distinguishing between information to be captured and information to be ignored retaining captured messages on the router when a router is rebooted

specifying where captured information is stored* gathering logging information* distinguishing between information to be captured and information to be ignored*

Refer to the exhibit. ~ Router# show running-config ~<Output Emitted> ~! ~Parser view SUPPORT superview ~ secret 5 $1$Vp10$BBB1N68Z2ekr / aLHledts ~ view SHOWVIEW ~ view VERIFYVIEW A.) CLI view, containing SHOWVIEW and VERIFYVIEW commands B.) superview, containing SHOWVIEW and VERIFYVIEW views C.) secret view, with a level 5 encrypted password D.) root view, with a level 5 encrypted secret password

superview, containing SHOWVIEW and VERIFYVIEW views

What is the purpose of using the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router? to configure OSPF MD5 authentication globally on the router to enable OSPF MD5 authentication on a per-interface basis to facilitate the establishment of neighbor adjacencies to encrypt OSPF routing updates

to configure OSPF MD5 authentication globally on the router*

What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.) to provide data security through encryption to ensure faster network convergence to ensure more efficient routing to prevent data traffic from being redirected and then discarded to prevent redirection of data traffic to an insecure link

to prevent data traffic from being redirected and then discarded to prevent redirection of data traffic to an insecure link