Net Auth 5-10
A network administrator configures an ACL with the command R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP addresses will match this ACL statement? (Choose two.)
172.16.0.255
172.16.15.36
Which two UDP port numbers may be used for server-based AAA RADIUS authentication? (Choose two.)
1812
1645
What is a requirement to use the Secure Copy Protocol feature?
A command must be issued to enable the SCP server side functionality.
A network administrator is configuring an AAA server to manage TACACS+ authentication. What are two attributes of TACACS+ authentication? (Choose two.)
encryption for all communication
separate processes for authentication and authorization
When implementing components into an enterprise network, what is the purpose of a firewall?
A firewall is a system that enforces an access control policy between internal corporate networks and external networks.
What are two possible limitations of using a firewall in a network? (Choose two.)
A misconfigured firewall can create a single point of failure.
Network performance can slow down.
What are two differences between stateful and stateless firewalls? (Choose two.)
A stateless firewall will examine each packet individually while a stateful firewall observes the state of a connection.
A stateful firewall will prevent spoofing by determining whether packets belong to an existing connection while a stateless firewall follows pre-configured rule sets.
What is the result in the self zone if a router is the source or destination of traffic?
All traffic is permitted.
Which three statements describe ACL processing of packets? (Choose three.)
An implicit deny any rejects any packet that does not match any ACE.
A packet can either be rejected or forwarded as directed by the ACE that is matched.
Each statement is checked only until a match is detected or until the end of the ACE list.
Which two rules about interfaces are valid when implementing a Zone-Based Policy Firewall? (Choose two.)
If neither interface is a zone member, then the action is to pass traffic.
If both interfaces are members of the same zone, all traffic will be passed.
Which two characteristics are shared by both standard and extended ACLs? (Choose two.)
Both include an implicit deny as a final statement.
Both can be created by using either a descriptive name or number.
What are three characteristics of superviews in the Cisco role-based CLI access feature? (Choose three.)
Commands cannot be configured for a superview.
Deleting a superview does not delete the associated CLI views.
A single CLI view can be shared within multiple superviews.
What is the biggest issue with local implementation of AAA?
Local implementation does not scale well.
What two steps provide the quickest way to completely remove an ACL from a router? (Choose two.)
Remove the inbound/outbound reference to the ACL from the interface.
Use the no access-list command to remove the entire ACL.
Which task is necessary to encrypt the transfer of data between the ACS server and the AAA-enabled router?
Configure the key exactly the same way on the server and the router.
What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI?
Create zones.
What are two characteristics of ACLs? (Choose two.)
Extended ACLs can filter on destination TCP and UDP ports.
Extended ACLs can filter on source and destination IP addresses.
Refer to the exhibit. A student uses the show parser view all command to see a summary of all views configured on router R1. What is indicated by the symbol * next to JR-ADMIN?
It is a superview.
What are two characteristics of the Cisco IOS Resilient Configuration feature? (Choose two.)
It saves a secure copy of the primary image and device configuration that cannot be removed by a user.
It minimizes the downtime of a device that has had the image and configuration deleted.
What is the one major difference between local AAA authentication and using the login local command when configuring device access authentication?
Local AAA authentication provides a way to configure backup methods of authentication, but login local does not.
A student is learning role-based CLI access and CLI view configurations. The student opens Packet Tracer and adds a router. Which command should be used first for creating a CLI view named TECH-View?
Router(config)# aaa new-model
Which two statements describe the two configuration models for Cisco IOS firewalls? (Choose two.)
The IOS Classic Firewall and ZPF cannot be combined on a single interface.
IOS Classic Firewalls and ZPF models can be enabled on a router concurrently.
Which statement describes Cisco IOS Zone-Based Policy Firewall operation?
The pass action works in only one direction.
What two statements describe characteristics of IPv6 access control lists? (Choose two.)
They include two implicit permit statements by default.
They use prefix lengths to indicate how much of an address to match.
When implementing a ZPF, what is the default security setting when forwarding traffic between two interfaces in the same zone?
Traffic between interfaces in the same zone is not subject to any policy and passes freely.
How does a firewall handle traffic when it is originating from the public network and traveling to the private network?
Traffic that is originating from the public network is usually blocked when traveling to the private network.
Which statement describes a typical security policy for a DMZ firewall configuration?
Traffic that originates from the DMZ interface is selectively permitted to the outside interface.
Which two pieces of information are required when creating a standard access control list? (Choose two.)
access list number between 1 and 99
source address and wildcard mask
What single access list statement matches all of the following networks? 192.168.16.0, 192.168.17.0, 192.168.18.0, 192.168.19.0
access-list 10 permit 192.168.16.0 0.0.3.255
Which two keywords can be used in an access control list to replace a wildcard mask or address and wildcard mask pair? (Choose two.)
any
host
Which type of firewall makes use of a proxy server to connect to remote servers on behalf of clients?
application gateway firewall
A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.)
area 0 authentication message-digest
ip ospf message-digest-key 1 md5 1A2b3C
Which AAA component can be established using token cards?
authentication
Because of implemented security controls, a user can only access a server with FTP. Which AAA component accomplishes this?
authorization
What is one benefit of using a stateful firewall instead of a proxy server?
better performance
Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.)
content of a security banner
enable secret password
enable password
Which syslog message type is accessible only to an administrator and only via the Cisco CLI?
debugging
A security specialist designs an ACL to deny access to a web server from all sales staff. The sales staff are assigned addressing from the IPv6 subnet 2001:db8:48:2c::/64. The web server is assigned the address 2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface for the sales staff will require which three commands? (Choose three.)
deny tcp any host 2001:db8:48:1c::50 eq 80
permit ipv6 any any
ipv6 traffic-filter WebFilter in
Designing a ZPF requires several steps. Which step involves dictating the number of devices between most-secure and least-secure zones and determining redundant devices?
design the physical infrastructure
To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?
echo reply
What are two characteristics of the RADIUS protocol? (Choose two.)
encryption of the password only
the use of UDP ports for authentication and accounting
Which privilege level is predefined for the privileged EXEC mode?
level 15
What IOS privilege levels are available to assign for custom user-level privileges?
levels 2 through 14
What is the primary function of the aaa authorization command?
limit authenticated user access to AAA client services
Which authentication method stores usernames and passwords in the router and is ideal for small networks?
local AAA
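The AAA answers above (RADIUS ports, TACACS+ encryption, the shared key, local fallback, authorization, and the SCP prerequisite) fit together in one router configuration. The following is an added example written for this page, not part of the quiz or of any Cisco document; the server addresses, keys, usernames and passwords are assumptions chosen for illustration.

```cisco
! Added example (not from the quiz). 10.1.1.10, 10.1.1.20, the keys,
! the username and the passwords are assumptions.

! A local account is the fallback when every server is unreachable.
! Without it, losing the AAA servers means losing all CLI access.
R1(config)# username admin privilege 15 secret Str0ngFallback
R1(config)# aaa new-model

! TACACS+ server: TCP 49, whole packet body encrypted with the shared key.
R1(config)# tacacs server TAC-1
R1(config-server-tacacs)# address ipv4 10.1.1.10
R1(config-server-tacacs)# key Sh4redKeyT
R1(config-server-tacacs)# exit

! RADIUS server: UDP, and only the password field is obfuscated.
! 1812/1813 are the IANA ports; 1645/1646 are the legacy pair, so the
! ports here must match what the server actually listens on.
R1(config)# radius server RAD-1
R1(config-radius-server)# address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
R1(config-radius-server)# key Sh4redKeyR
R1(config-radius-server)# exit

! Method lists: try TACACS+, then RADIUS, then the local database.
! "login local" alone cannot express a fallback chain like this.
R1(config)# aaa authentication login default group tacacs+ group radius local
! Authorization is what limits an authenticated user to specific services.
R1(config)# aaa authorization exec default group tacacs+ local
R1(config)# aaa authorization commands 15 default group tacacs+ local
R1(config)# aaa accounting exec default start-stop group tacacs+

! SCP needs AAA authentication and authorization (above) plus this one
! command to enable the server side.
R1(config)# ip scp server enable
R1(config)# end

! Verify server reachability before closing the console session you are
! configuring from; a typo in the key locks out remote logins.
R1# show aaa servers
```

Keep the console session open until a second session has authenticated through the new method list; if the key on the router and the server differ, every server-based login fails and only the local fallback remains.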
A network administrator is analyzing the features supported by the multiple versions of SNMP. What are two features that are supported by SNMPv3 but not by SNMPv1 or SNMPv2c? (Choose two.)
message encryption
message source validation
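To see what the two SNMPv3 features add over v2c, here is an added example (not from the quiz) that configures a read-only v2c community next to a v3 authPriv user. The view, group and user names, the manager address 10.1.1.30 and the passphrases are assumptions.

```cisco
! Added example (not from the quiz). Names, the ACL, the manager address
! and the passphrases are assumptions.

! v2c: the community string travels in cleartext, nothing is signed and
! nothing is encrypted. The ACL is the only thing limiting who can use it.
R1(config)# access-list 20 permit host 10.1.1.30
R1(config)# snmp-server community R3adOnlyStr RO 20

! v3 authPriv: SHA HMAC validates the sender and protects integrity
! (message source validation); AES-128 encrypts the PDU (message
! encryption). The group binds the security level to a MIB view.
R1(config)# snmp-server view MGMT-VIEW iso included
R1(config)# snmp-server group NMS-GROUP v3 priv read MGMT-VIEW access 20
R1(config)# snmp-server user nmsuser NMS-GROUP v3 auth sha AuthPass123 priv aes 128 PrivPass123

! Traps sent with the same user are also authenticated and encrypted.
R1(config)# snmp-server enable traps
R1(config)# snmp-server host 10.1.1.30 version 3 priv nmsuser

! Once the manager is on v3, retire the cleartext community.
R1(config)# no snmp-server community R3adOnlyStr
R1(config)# end

! Verify: the group should show security model v3 with level authPriv.
R1# show snmp group
R1# show snmp user
```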
What is one limitation of a stateful firewall?
not as effective with UDP- or ICMP-based traffic
When a Cisco IOS zone-based policy firewall is being configured, which three actions can be applied to a traffic class? (Choose three.)
pass
inspect
drop
If the provided ACEs are in the same ACL, which ACE should be listed first in the ACL according to best practice?
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)
private IP addresses
any IP address that starts with the number 127
An administrator needs to create a user account with custom access to most privileged EXEC commands. Which privilege command is used to create this custom account?
privilege exec level 2
When creating an ACL, which keyword should be used to document and interpret the purpose of the ACL statement on a Cisco device?
remark
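The IPv4 ACL questions above (the 0.0.3.255 wildcard, any/host, first-match processing with the implicit deny, ordering specific entries first, the remark keyword, denying private and 127.0.0.0/8 sources on the Internet-facing interface, permitting inbound echo-reply, and removing an ACL) are covered by the following added example. It is not from the quiz; the interface names, the server address 203.0.113.10 and the ACL names are assumptions.

```cisco
! Added example (not from the quiz). Interface names, 203.0.113.10 and
! the ACL names are assumptions.

! (a) Standard ACL: one ACE for 192.168.16.0/24 through 192.168.19.0/24.
!     16..19 = 00010000..00010011, so only the low two bits of the third
!     octet (plus the whole fourth octet) may vary: wildcard 0.0.3.255.
R1(config)# access-list 10 remark Branch LANs 192.168.16.0 - 192.168.19.255
R1(config)# access-list 10 permit 192.168.16.0 0.0.3.255
! The implicit "deny any" at the end rejects everything else. It also
! means an ACL with no permit entries denies all traffic.

! (b) Named extended ACL for the Internet-facing interface, inbound.
!     First match wins, so specific entries go first and the broad
!     "established" entry goes last.
R1(config)# ip access-list extended EDGE-IN
R1(config-ext-nacl)# remark Sources that cannot legitimately arrive from the Internet
R1(config-ext-nacl)# deny   ip 10.0.0.0 0.255.255.255 any
R1(config-ext-nacl)# deny   ip 172.16.0.0 0.15.255.255 any
R1(config-ext-nacl)# deny   ip 192.168.0.0 0.0.255.255 any
R1(config-ext-nacl)# deny   ip 127.0.0.0 0.255.255.255 any
R1(config-ext-nacl)# remark Replies to our own pings, for troubleshooting
R1(config-ext-nacl)# permit icmp any any echo-reply
R1(config-ext-nacl)# remark Public web server; "host" replaces "203.0.113.10 0.0.0.0"
R1(config-ext-nacl)# permit tcp any host 203.0.113.10 eq 80
R1(config-ext-nacl)# permit tcp any host 203.0.113.10 eq 443
R1(config-ext-nacl)# remark Return traffic for sessions opened from inside
R1(config-ext-nacl)# permit tcp any any established
R1(config-ext-nacl)# exit

! (c) Apply inbound on the outside interface, then check match counters.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ip access-group EDGE-IN in
R1(config-if)# end
R1# show access-lists EDGE-IN

! (d) Removal: detach from the interface first. An interface that still
!     references an ACL which no longer exists permits all traffic, so
!     deleting first briefly opens the edge.
R1# configure terminal
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no ip access-group EDGE-IN in
R1(config-if)# exit
R1(config)# no ip access-list extended EDGE-IN
R1(config)# no access-list 10
```

With a named ACL the whole list is removed with no ip access-list extended NAME; for a numbered list the quiz's no access-list NUMBER applies. Either way the interface reference comes off first.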
Which command will move the show access-lists command to privilege level 14?
router(config)# privilege exec level 14 show access-lists
Refer to the exhibit. Based on the output of the show running-config command, which type of view is SUPPORT?
superview, containing SHOWVIEW and VERIFYVIEW views
When using Cisco IOS zone-based policy firewall, where is the inspection policy applied?
to a zone pair
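The ZPF questions above (create zones first; pass, inspect and drop as class actions; the policy applied to a zone pair; same-zone traffic passing freely; pass being one-directional; the self zone) are walked through in the following added example. It is not from the quiz; the zone, class-map and policy-map names and the interface names are assumptions.

```cisco
! Added example (not from the quiz). Zone, class-map, policy-map and
! interface names are assumptions.

! Step 1: create the zones. Two interfaces in the same zone pass traffic
! to each other with no policy at all.
R1(config)# zone security INSIDE
R1(config-sec-zone)# exit
R1(config)# zone security OUTSIDE
R1(config-sec-zone)# exit

! Step 2: classify traffic. match-any: any one listed protocol qualifies.
R1(config)# class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
R1(config-cmap)# match protocol http
R1(config-cmap)# match protocol https
R1(config-cmap)# match protocol dns
R1(config-cmap)# match protocol icmp
R1(config-cmap)# exit

! Step 3: the policy. "inspect" tracks the session so the reply is let
! back in; "pass" would forward the request only, in this one direction,
! and the reply would need its own pass in the reverse zone pair.
! Anything not matched falls into class-default, which drops.
R1(config)# policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-pmap)# class type inspect INSIDE-TO-OUTSIDE-CLASS
R1(config-pmap-c)# inspect
R1(config-pmap-c)# exit
R1(config-pmap)# class class-default
R1(config-pmap-c)# drop
R1(config-pmap-c)# exit
R1(config-pmap)# exit

! Step 4: the zone pair is unidirectional. With no OUTSIDE->INSIDE pair,
! unsolicited traffic from OUTSIDE to INSIDE is dropped.
R1(config)# zone-pair security IN-OUT source INSIDE destination OUTSIDE
R1(config-sec-zone-pair)# service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
R1(config-sec-zone-pair)# exit

! Step 5: assign interfaces last. An interface in a zone cannot exchange
! traffic with an interface that is in no zone, so assign both.
R1(config)# interface GigabitEthernet0/1
R1(config-if)# zone-member security INSIDE
R1(config-if)# exit
R1(config)# interface GigabitEthernet0/0
R1(config-if)# zone-member security OUTSIDE
R1(config-if)# end

! The router itself is in the self zone. No policy was applied to a pair
! involving self, so management traffic to R1 is still permitted from
! both zones; a separate OUTSIDE->self pair is needed to restrict it.
R1# show policy-map type inspect zone-pair sessions
```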
In the creation of an IPv6 ACL, what is the purpose of the implicit final command entries, permit icmp any any nd-na and permit icmp any any nd-ns?
to allow IPv6 to MAC address resolution
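The WebFilter question above gives the three commands; the following added example (not from the quiz) shows them in context and adds the caveat that goes with the two implicit ND entries. The interface name and the second ACL, STRICT-IN, are assumptions; the addresses are the ones from the question.

```cisco
! Added example (not from the quiz). GigabitEthernet0/2 and STRICT-IN
! are assumptions; the addresses come from the WebFilter question.

R1(config)# ipv6 access-list WebFilter
R1(config-ipv6-acl)# remark Block sales staff from the web server, allow the rest
R1(config-ipv6-acl)# deny tcp any host 2001:db8:48:1c::50 eq 80
R1(config-ipv6-acl)# permit ipv6 any any
R1(config-ipv6-acl)# exit

! Apply inbound on the sales LAN interface. The IPv6 keyword is
! "traffic-filter", not the IPv4 "access-group".
R1(config)# interface GigabitEthernet0/2
R1(config-if)# ipv6 traffic-filter WebFilter in
R1(config-if)# exit

! Caveat: every IPv6 ACL ends with three implicit entries, in this order:
!   permit icmp any any nd-na
!   permit icmp any any nd-ns
!   deny ipv6 any any
! WebFilter never reaches them because "permit ipv6 any any" matches first.
! An ACL that ends in an explicit "deny ipv6 any any" (for example to get
! a log entry) puts that deny ahead of the ND permits and breaks
! neighbor discovery on the link, so the ND permits must be written out.
R1(config)# ipv6 access-list STRICT-IN
R1(config-ipv6-acl)# permit tcp 2001:db8:48:2c::/64 any eq 22
R1(config-ipv6-acl)# permit icmp any any nd-na
R1(config-ipv6-acl)# permit icmp any any nd-ns
R1(config-ipv6-acl)# deny ipv6 any any log
R1(config-ipv6-acl)# end

! Sequence numbers and per-entry match counts.
R1# show ipv6 access-list WebFilter
```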
A student is learning about role-based views and role-based view configurations. The student enters the Router(config)# parser view TECH-view command. What is the purpose of this command?
to create a CLI view named TECH-view
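The role-based CLI questions above (aaa new-model first, parser view, superview properties, the * marker in show parser view all, the SUPPORT superview built from other views) and the privilege-level questions fit into one configuration. The following is an added example, not from the quiz; the secrets, the helpdesk and ops usernames, and the commands placed in each view are assumptions.

```cisco
! Added example (not from the quiz). Secrets, usernames and the command
! sets in each view are assumptions.

! Prerequisites: AAA must be on and an enable secret set before the
! root view can be entered, and views are created from the root view.
R1(config)# aaa new-model
R1(config)# enable secret Root5ecret
R1(config)# exit
R1# enable view
Password: Root5ecret
R1# configure terminal

! A CLI view: a named command set with its own secret.
R1(config)# parser view TECH-view
R1(config-view)# secret Tech5ecret
R1(config-view)# commands exec include show version
R1(config-view)# commands exec include show ip interface brief
R1(config-view)# commands exec include show access-lists
R1(config-view)# exit

R1(config)# parser view VERIFYVIEW
R1(config-view)# secret Verify5ecret
R1(config-view)# commands exec include ping
R1(config-view)# commands exec include traceroute
R1(config-view)# exit

! A superview only names other views; it takes no "commands" lines.
! A view may belong to several superviews, and deleting the superview
! leaves its member views in place.
R1(config)# parser view SUPPORT superview
R1(config-view)# secret Support5ecret
R1(config-view)# view TECH-view
R1(config-view)# view VERIFYVIEW
R1(config-view)# exit

! Bind a user to the superview so login lands directly in it.
R1(config)# username helpdesk view SUPPORT secret Helpdesk5ecret

! Privilege levels are the coarser alternative: custom levels are 2-14,
! and moving one command to level 14 makes it available to levels 14
! and 15 rather than to a named set of users.
R1(config)# privilege exec level 14 show access-lists
R1(config)# username ops privilege 14 secret Ops5ecret
R1(config)# end

! Verify: superviews carry a * in the summary listing.
R1# show parser view all
R1# enable view SUPPORT
Password: Support5ecret
R1# ?
```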
What are two characteristics of a stateful firewall? (Choose two.)
uses connection information maintained in a state table
analyzes traffic at Layers 3, 4 and 5 of the OSI model