CCNA Security 640-554
Which one of the following items may be added to a password stored in MD5 to make it more secure? A. Ciphertext B. Salt C. Cryptotext D. Rainbow table
B. Salt
What are the primary attack methods of VLAN hopping? (Choose two.) A. VoIP hopping B. Switch spoofing C. CAM-table overflow D. Double tagging
B. Switch spoofing D. Double tagging
Which monitoring protocol uses TCP port 1470 or UDP port 514? A. RELP B. Syslog C. SDEE D. IMAP E. SNMP F. CSM
B. Syslog
Which statement is true about configuring access control lists to control Telnet traffic destined to the router itself? A. The ACL is applied to the Telnet port with the ip access-group command. B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port. C. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface. D. The ACL must be applied to each vty line individually.
B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.
Which statement describes a result of securing the Cisco IOS image using the Cisco IOS image resilience feature? A. The show version command does not show the Cisco IOS image file location. B. The Cisco IOS image file is not visible in the output from the show flash command. C. When the router boots up, the Cisco IOS image is loaded from a secured FTP location. D. The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM. E. The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server.
B. The Cisco IOS image file is not visible in the output from the show flash command.
You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in before any actions can be taken when an attack matches that signature? A. Enabled B. Unretired C. Successfully complied D. Successfully complied and unretired E. Successfully complied and enabled F. Unretired and enabled G. Enabled, unretired, and successfully complied
G. Enabled, unretired, and successfully complied
What is the default timeout interval during which a router waits for responses from a TACACS server before declaring a timeout failure? A. 5 seconds B. 10 seconds C. 15 seconds D. 20 seconds
A. 5 seconds
Which two ports does Cisco Configuration Professional use? (Choose two.) A. 80 B. 8080 C. 443 D. 21 E. 23
A. 80 C. 443
Which wildcard mask is associated with a subnet mask of /27? A. 0.0.0.31 B. 0.0.027 C. 0.0.0.224 D. 0.0.0.255
A. 0.0.0.31
Which statement correctly describes the function of a private VLAN? A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains. B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains. C. A private VLAN enables the creation of multiple VLANs using one broadcast domain. D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
What is the purpose of a trunk port? A. A trunk port carries traffic for multiple VLANs. B. A trunk port connects multiple hubs together to increase bandwidth. C. A trunk port separates VLAN broadcast domains. D. A trunk port provides a physical link specifically for a VPN.
A. A trunk port carries traffic for multiple VLANs.
What is the FirePOWER impact flag used for? A. A value that indicates the potential severity of an attack. B. A value that the administrator assigns to each signature. C. A value that sets the priority of a signature. D. A value that measures the application awareness.
A. A value that indicates the potential severity of an attack.
Which option describes a function of a virtual VLAN? A. A virtual VLAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain. B. A virtual VLAN creates trunks and links two switches together. C. A virtual VLAN adds every port on a switch to its own collision domain. D. A virtual VLAN connects many hubs together.
A. A virtual VLAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.
On which Cisco Configuration Professional screen do you enable AAA? A. AAA Summary B. AAA Servers and Groups C. Authentication Policies D. Authorization Policies
A. AAA Summary
Which statement about Cisco ACS authentication and authorization is true? A. ACS servers can be clustered to provide scalability. B. ACS can query multiple Active Directory domains. C. ACS uses TACACS to proxy other authentication servers. D. ACS can use only one authorization profile to allow or deny requests.
A. ACS servers can be clustered to provide scalability.
Which two next-generation encryption algorithms does Cisco recommend? (Choose two.) A. AES B. 3DES C. DES D. MD5 E. DH-1024 F. SHA-384
A. AES F. SHA-384
Which statement about communication over failover interfaces is true? A. All information that is sent over the failover and stateful failover interfaces is sent as clear text by default. B. All information that is sent over the failover interface is sent as clear text, but the stateful failover link is encrypted by default. C. All information that is sent over the failover and stateful failover interfaces is encrypted by default. D. User names, passwords, and preshared keys are encrypted by default when they are sent over the failover and stateful failover interfaces, but other information is sent as clear text.
A. All information that is sent over the failover and stateful failover interfaces is sent as clear text by default.
Which two statements about SSL-based VPNs are true? (Choose two.) A. Asymmetric algorithms are used for authentication and key exchange. B. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router. C. The application programming interface can be used to modify extensively the SSL client software for use in special applications. D. The authentication process uses hashing technologies. E. Both client and clientless SSL VPNs require special-purpose client software to be installed on the client machine.
A. Asymmetric algorithms are used for authentication and key exchange. D. The authentication process uses hashing technologies.
According to Cisco best practices, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three.) A. BOOTP B. TFTP C. DNS D. MAB E. HTTP F. 802.1x
A. BOOTP B. TFTP C. DNS
Which priority is most important when you plan out access control lists? A. Build ACLs based upon your security policy. B. Always put the ACL closest to the source of origination. C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router. D. Always test ACLs in a small, controlled production environment before you roll it out into the larger production network.
A. Build ACLs based upon your security policy.
Which security measures can protect the control plane of a Cisco router? (Choose two.) A. CCPr B. Parser views C. Access control lists D. Port security E. CoPP
A. CCPr E. CoPP
Which two services are provided by IPsec? (Choose two.) A. Confidentiality B. Encapsulating Security Payload C. Data Integrity D. Authentication Header E. Internet Key Exchange
A. Confidentiality C. Data Integrity
Which three applications comprise Cisco Security Manager? (Choose three.) A. Configuration Manager B. Packet Tracer C. Device Manager D. Event Viewer E. Report Manager F. Syslog Monitor
A. Configuration Manager D. Event Viewer E. Report Manager
What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc files in UNIX? A. Configuration interceptor B. Network interceptor C. File system interceptor D. Execution space interceptor
A. Configuration interceptor
You want to allow all of your company's users to access the Internet without allowing other Web servers to collect the IP addresses of individual users. What two solutions can you use? (Choose two). A. Configure a proxy server to hide users' local IP addresses. B. Assign unique IP addresses to all users. C. Assign the same IP address to all users. D. Install a Web content filter to hide users' local IP addresses. E. Configure a firewall to use Port Address Translation.
A. Configure a proxy server to hide users' local IP addresses. E. Configure a firewall to use Port Address Translation.
The host A Layer 2 port is configured in VLAN 5 on switch 1, and the host B Layer 2 port is configured in VLAN 10 on switch 1. Which two actions you can take to enable the two hosts to communicate with each other? (Choose two.) A. Configure inter-VLAN routing. B. Connect the hosts directly through a hub. C. Configure switched virtual interfaces. D. Connect the hosts directly through a router.
A. Configure inter-VLAN routing. C. Configure switched virtual interfaces.
Which statement about Control Plane Policing is true? A. Control Plane Policing allows QoS filtering to protect the control plane against DoS attacks. B. Control Plane Policing classifies traffic into three categories to intercept malicious traffic. C. Control Plane Policing allows ACL-based filtering to protect the control plane against DoS attacks. D. Control Plane Policing intercepts and classifies all traffic.
A. Control Plane Policing allows QoS filtering to protect the control plane against DoS attacks.
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security Intelligence IP Address Reputation. A user calls and is not able to access a certain IP address. What action can you take to allow the user access to the IP address? A. Create a whitelist and add the appropriate IP address to allow the traffic. B. Create a custom blacklist to allow the traffic. C. Create a user based access control rule to allow the traffic. D. Create a network based access control rule to allow the traffic. E. Create a rule to bypass inspection to allow the traffic.
A. Create a whitelist and add the appropriate IP address to allow the traffic.
Which two protocols can SNMP use to send messages over a secure communications channel? (Choose two.) A. DTLS B. TLS C. ESP D. AH E. ISAKMP
A. DTLS B. TLS
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading? A. Deny the connection inline. B. Perform a Layer 6 reset. C. Deploy an antimalware system. D. Enable bypass mode.
A. Deny the connection inline.
Which EAP method uses Protected Access Credentials? A. EAP-FAST B. EAP-TLS C. EAP-PEAP D. EAP-GTC
A. EAP-FAST
What type of security support is provided by the Open Web Application Security Project? A. Education about common Web site vulnerabilities. B. A Web site security framework. C. A security discussion forum for Web site developers. D. Scoring of common vulnerabilities and exposures.
A. Education about common Web site vulnerabilities.
Which Sourcefire logging action should you choose to record the most detail about a connection? A. Enable logging at theend of the session. B. Enable logging at thebeginning of the session. C. Enable alerts via SNMP to log events off-box. D. Enable eStreamer to log events off-box.
A. Enable logging at theend of the session.
A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with malware. A. EnableURL filtering on the perimeterrouter and add the URLs you want to block to the router's local URL list. B. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router's local URL list. C. EnableURL filtering on the perimeterrouter and add the URLs you want to allow to thefirewall's local URL list. D. Create a blacklist that contains the URL you want toblock and activate the blacklist on theperimeter router. E. Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router.
A. EnableURL filtering on the perimeterrouter and add the URLs you want to block to the router's local URL list.
Which two IPsec protocols are used to protect data in motion? (Choose two.) A. Encapsulating Security Payload Protocol B. Transport Layer Security Protocol C. Secure Shell Protocol D. Authentication Header Protocol
A. Encapsulating Security Payload Protocol D. Authentication Header Protocol
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting? A. Ensure that the RDP2 plug-in is installed on the VPN gateway B. Reboot the VPN gateway C. Instruct the user to reconnect to the VPN gateway D. Ensure that the RDP plug-in is installed on the VPN gateway
A. Ensure that the RDP2 plug-in is installed on the VPN gateway
When is the best time to perform an anti-virus signature update? A. Every time a new update is available. B. When the local scanner has detected a new virus. C. When a new virus is discovered in the wild. D. When the system detects a browser hook.
A. Every time a new update is available.
Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.) A. IP source guard B. port security C. root guard D. BPDU guard
A. IP source guard B. port security
Which sensor mode can deny attackers inline? A. IPS B. fail-close C. IDS D. fail-open
A. IPS
Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show? dst 10.10.10.2 src 10.1.1.5 state QM_IDLE conn-id 1 slot 0 A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5. B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5. C. IPSec Phase 1 is down due to a QM_IDLE state. D.IPSec Phase 2 is down due to a QM_IDLE state.
A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.
Which statement about the Atomic signature engine is true? A. It can perform signature matching on a single packet only. B. It can perform signature matching on multiple packets. C. It can examine applications independent of the platform. D. It can flexibly match patterns in a session.
A. It can perform signature matching on a single packet only.
Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied? A. to the zone-pair B. to the zone C. to the interface D. to the global service policy
A. to the zone-pair
Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show? A. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5. B. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1. C. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5. D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets.
A. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5.
Which of the following are features of IPsec transport mode? (Choose three.) A. IPsec transport mode is used between end stations B. IPsec transport mode is used between gateways C. IPsec transport mode supports multicast D. IPsec transport mode supports unicast E. IPsec transport mode encrypts only the payload F. IPsec transport mode encrypts the entire packet
A. IPsec transport mode is used between end stations D. IPsec transport mode supports unicast E. IPsec transport mode encrypts only the payload
In a security context, which action can you take to address compliance? A. Implement rules to prevent a vulnerability. B. Correct or counteract a vulnerability. C. Reduce the severity of a vulnerability. D. Follow directions from the security appliance manufacturer to remediate a vulnerability.
A. Implement rules to prevent a vulnerability.
Which two services define cloud networks? (Choose two.) A. Infrastructure as a Service B. Platform as a Service C. Security as a Service D. Compute as a Service E. Tenancy as a Service
A. Infrastructure as a Service B. Platform as a Service
Which option is the most effective placement of an IPS device within the infrastructure? A. Inline, behind the internet router and firewall B. Inline, before the internet router and firewall C. Promiscuously, after the Internet router and before the firewall D. Promiscuously, before the Internet router and the firewall
A. Inline, behind the internet router and firewall
Which statement about application blocking is true? A. It blocks access to specific programs. B. It blocks access to files with specific extensions. C. It blocks access to specific network addresses. D. It blocks access to specific network services.
A. It blocks access to specific programs.
What can the SMTP preprocessor in FirePOWER normalize? A. It can extract and decode email attachments in client to server traffic. B. It can look up the email sender. C. It compares known threats to the email sender. D. It can forward the SMTP traffic to anemail filter server. E. It uses the Traffic Anomaly Detector.
A. It can extract and decode email attachments in client to server traffic.
Which three statements about host-based IPS are true? (Choose three.) A. It can view encrypted files. B. It can have more restrictive policies than network-based IPS. C. It can generate alerts based on behavior at the desktop level. D. It can be deployed at the perimeter. E. It uses signature-based policies. F. It works with deployed firewalls.
A. It can view encrypted files. B. It can have more restrictive policies than network-based IPS. C. It can generate alerts based on behavior at the desktop level.
Refer to the exhibit. What is the effect of the given command sequence? crypto ikev1 policy 1 encryption aes hash md5 authentication pre-share group 2 lifetime 14400 A. It configures IKE Phase 1. B. It configures a site-to-site VPN tunnel. C. It configures a crypto policy with a key size of 14400. D. It configures IPSec Phase 2.
A. It configures IKE Phase 1.
Refer to the exhibit. What is the effect of the given command sequence? crypto map mymap 20 match address 201 access-list 201 permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.255.255.0 A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24. B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24. C. It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24. D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
Which statement about identity NAT is true? A. It is a static NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface. B. It is a dynamic NAT configuration that translates a real IP address to a mapped IP address. C. It is a static NAT configuration that translates a real IP address to a mapped IP address. D. It is a dynamic NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
A. It is a static NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
Which statement about an access control list that is applied to a router interface is true? A. It only filters traffic that passes through the router. B. It filters pass-through and router-generated traffic. C. An empty ACL blocks all traffic. D. It filters traffic in the inbound and outbound directions.
A. It only filters traffic that passes through the router.
What is an advantage of implementing a Trusted Platform Module for disk encryption? A. It provides hardware authentication. B. It allows the hard disk to be transferred to another device without requiring re-encryption.dis C. It supports a more complex encryption algorithm than other disk-encryption technologies. D. It can protect against single points of failure.
A. It provides hardware authentication.
How does the Cisco ASA use Active Directory to authorize VPN users? A. It queries the Active Directory server for a specific attribute for the specified user. B. It sends the username and password to retrieve an ACCEPT or REJECT message from the Active Directory server. C. It downloads and stores the Active Directory database to query for future authorization requests. D. It redirects requests to the Active Directory server defined for the VPN group.
A. It queries the Active Directory server for a specific attribute for the specified user.
Which two protocols are used in a server-based AAA deployment? (Choose two.) A. RADIUS B. TACACS+ C. HTTPS D. WCCP E. HTTP
A. RADIUS B. TACACS+
Which statement is a benefit of using Cisco IOS IPS? A. It uses the underlying routing infrastructure to provide an additional layer of security. B. It works in passive mode so as not to impact traffic flow. C. It supports the complete signature database as a Cisco IPS sensor appliance. D. The signature database is tied closely with the Cisco IOS image.
A. It uses the underlying routing infrastructure to provide an additional layer of security.
Information about a managed device's resources and activity is defined by a series of objects. What defines the structure of these management objects? A. MIB B. FIB C. LDAP D. CEF
A. MIB
Which security measure must you take for native VLANs on a trunk port? A. Native VLANs for trunk ports should never be used anywhere else on the switch. B. The native VLAN for trunk ports should be VLAN 1. C. Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches can be delivered to physically disparate switches. D. Native VLANs for trunk ports should be tagged with 802.1Q.
A. Native VLANs for trunk ports should never be used anywhere else on the switch.
What are three of the security conditions that Cisco Configuration Professional One-Step Lockdown can automatically detect and correct on a Cisco router? (Choose three.) A. One-Step Lockdown can set the enable secret password. B. One-Step Lockdown can disable unused ports. C. One-Step Lockdown can disable the TCP small servers service. D. One-Step Lockdown can enable IP Cisco Express Forwarding. E. One-Step Lockdown can enable DHCP snooping. F. One-Step Lockdown can enable SNMP version 3.
A. One-Step Lockdown can set the enable secret password. C. One-Step Lockdown can disable the TCP small servers service. D. One-Step Lockdown can enable IP Cisco Express Forwarding.
What is the only permitted operation for processing multicast traffic on zone-based firewalls? A. Only control plane policing can protect the control plane against multicast traffic. B. Stateful inspection of multicast traffic is supported only for the self-zone. C. Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone. D. Stateful inspection of multicast traffic is supported only for the internal zone.
A. Only control plane policing can protect the control plane against multicast traffic.
Which network device does NTP authenticate? A. Only the time source B. Only the client device C. The firewall and the client device D. The client device and the time source
A. Only the time source
Which three statements about applying access control lists to a Cisco router are true? (Choose three.) A. Place more specific ACL entries at the top of the ACL. B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce "noise" on the network. C. ACLs always search for the most specific entry before taking any filtering action. D. Router-generated packets cannot be filtered by ACLs on the router. E. If an access list is applied but it is not configured, all traffic passes.
A. Place more specific ACL entries at the top of the ACL. D. Router-generated packets cannot be filtered by ACLs on the router. E. If an access list is applied but it is not configured, all traffic passes.
Which two features do CoPP and CPPr use to protect the control plane? (Choose two.) A. QoS B. traffic classification C. access lists D. policy maps E. class maps F. Cisco Express Forwarding
A. QoS B. traffic classification
Which FirePOWER preprocessor engine is used to prevent SYN attacks? A. Rate-Based Prevention B. Portscan Detection C. IP Defragmentation D. Inline Normalization
A. Rate-Based Prevention
Refer to the exhibit. The Admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to correct the problem? Username HelpDesk privilege 9 password 0 helpdesk Username Monitor privilege 8 password 0 watcher Username Admin password checkme Username Admin privilege 6 autocommand show running Privilege exec level 6 configure terminal A. Remove the autocommand keyword and arguments from the Username Admin privilege line. B. Change the Privilege exec level value to 15. C. Remove the two Username Admin lines. D. Remove the Privilege exec line.
A. Remove the autocommand keyword and arguments from the Username Admin privilege line.
Which two options are asymmetric-key algorithms that are recommended by Cisco? (Choose two.) A. Rivest-Shamir-Adleman Algorithm B. ElGamal encryption system C. Digital Signature Algorithm D. Paillier cryptosystem
A. Rivest-Shamir-Adleman Algorithm C. Digital Signature Algorithm
In a brute-force attack, what percentage of the keyspace must an attacker generally search through until he or she finds the key that decrypts the data? A. Roughly 50 percent B. Roughly 66 percent C. Roughly 75 percent D. Roughly 10 percent
A. Roughly 50 percent
Which three items are Cisco best-practice recommendations for securing a network? (Choose three.) A. Routinely apply patches to operating systems and applications. B. Disable unneeded services and ports on hosts. C. Deploy HIPS software on all end-user workstations. D. Require strong passwords, and enable password expiration.
A. Routinely apply patches to operating systems and applications. B. Disable unneeded services and ports on hosts. D. Require strong passwords, and enable password expiration.
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors? A. SDEE B. Syslog C. SNMP D. CSM
A. SDEE
Which three protocols are supported by management plane protection? (Choose three.) A. SNMP B. SMTP C. SSH D. OSPF E. HTTPS F. EIGRP
A. SNMP C. SSH E. HTTPS
Which four types of VPN are supported using Cisco ISRs and Cisco ASA appliances? (Choose four.) A. SSL clientless remote-access VPNs B. SSL full-tunnel client remote-access VPNs C. SSL site-to-site VPNs D. IPsec site-to-site VPNs E. IPsec client remote-access VPNs F. IPsec clientless remote-access VPNs
A. SSL clientless remote-access VPNs B. SSL full-tunnel client remote-access VPNs D. IPsec site-to-site VPNs E. IPsec client remote-access VPNs
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops? A. STP elects the root bridge. B. STP selects the root port. C. STP selects the designated port. D. STP blocks one of the ports.
A. STP elects the root bridge.
In which two modes can Cisco Configuration Professional Security Audit operate? (Choose two.) A. Security Audit wizard B. Lockdown C. One-Step Lockdown D. AutoSecure
A. Security Audit wizard C. One-Step Lockdown
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS wizard? (Choose four.) A. Select the interface(s) to apply the IPS rule. B. Select the traffic flow direction that should be applied by the IPS rule. C. Add or remove IPS alerts actions based on the risk rating. D. Specify the signature file and the Cisco public key. E. Select the IPS bypass mode (fail-open or fail-close). F. Specify the configuration location and select the category of signatures to be applied to the selected interface(s).
A. Select the interface(s) to apply the IPS rule. B. Select the traffic flow direction that should be applied by the IPS rule. D. Specify the signature file and the Cisco public key. F. Specify the configuration location and select the category of signatures to be applied to the selected interface(s).
Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog server reports. Based on the Syslog message shown, which two statements are true? (Choose two.) Feb 1 10:12:08 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (10.2.2.6) A. Service timestamps have been globally enabled. B. This is a normal system-generated information message and does not require further investigation. C. This message is unimportant and can be ignored. D. This message is a level 5 notification message.
A. Service timestamps have been globally enabled. D. This message is a level 5 notification message.
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.) A. Smart tunnels can be used by clients that do not have administrator privileges B. Smart tunnels support all operating systems C. Smart tunnels offer better performance than port forwarding D. Smart tunnels require the client to have the application installed locally
A. Smart tunnels can be used by clients that do not have administrator privileges C. Smart tunnels offer better performance than port forwarding
Which two features are supported by Cisco IronPort Security Gateway? (Choose two.) A. Spam protection B. Outbreak intelligence C. HTTP and HTTPS scanning D. Email encryption E. DDoS protection
A. Spam protection D. Email encryption
Which type of address translation should be used when a Cisco ASA is in transparent mode? A. Static NAT B. Dynamic NAT C. Overload D. Dynamic PAT
A. Static NAT
In which three ways does the TACACS protocol differ from RADIUS? (Choose three.) A. TACACS uses TCP to communicate with the NAS. B. TACACS can encrypt the entire packet that is sent to the NAS. C. TACACS supports per-command authorization. D. TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted. E. TACACS uses UDP to communicate with the NAS. F. TACACS encrypts only the password field in an authentication packet.
A. TACACS uses TCP to communicate with the NAS. B. TACACS can encrypt the entire packet that is sent to the NAS. C. TACACS supports per-command authorization.
Which three statements about TACACS+ are true? (Choose three.) A. TACACS+ uses TCP port 49. B. TACACS+ uses UDP ports 1645 and 1812. C. TACACS+ encrypts the entire packet. D. TACACS+ encrypts only the password in the Access-Request packet. E. TACACS+ is a Cisco proprietary technology. F. TACACS+ is an open standard.
A. TACACS+ uses TCP port 49. C. TACACS+ encrypts the entire packet. E. TACACS+ is a Cisco proprietary technology.
If a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet? A. The ASA will apply the actions from only the first matching class map it finds for the feature type. B. The ASA will apply the actions from only the most specific matching class map it finds for the feature type. C. The ASA will apply the actions from all matching class maps it finds for the feature type. D. The ASA will apply the actions from only the last matching class map it finds for the feature type.
A. The ASA will apply the actions from only the first matching class map it finds for the feature type.
Which three statements about the Cisco ASA appliance are true? (Choose three.) A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99. B. The Cisco ASA appliance supports Active/Active or Active/Standby failover. C. The Cisco ASA appliance has no default MPF configurations. D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls. E. The Cisco ASA appliance supports user-based access control using 802.1x. F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.
A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99. B. The Cisco ASA appliance supports Active/Active or Active/Standby failover. D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls.
Which two statements about Telnet access to the ASA are true? (Choose two). A. You may VPN to the lowest security interface to telnet to an inside interface. B. You must configure an AAA server to enable Telnet. C. You can access all interfaces on an ASA using Telnet. D. You must use the command virtual telnet to enable Telnet. E. Best practice is to disable Telnet and use SSH.
A. You may VPN to the lowest security interface to telnet to an inside interface. E. Best practice is to disable Telnet and use SSH.
What is one requirement for locking a wired or wireless device from ISE? A. The ISE agent must be installed on the device. B. The device must be connected to the network when the lock command is executed. C. The user must approve the locking action. D. The organization must implement an acceptable use policy allowing device locking.
A. The ISE agent must be installed on the device.
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.) A. The Internet Key Exchange protocol establishes security associations B. The Internet Key Exchange protocol provides data confidentiality C. The Internet Key Exchange protocol provides replay detection D. The Internet Key Exchange protocol is responsible for mutual authentication
A. The Internet Key Exchange protocol establishes security associations D. The Internet Key Exchange protocol is responsible for mutual authentication
Which statement about a PVLAN isolated port configured on a switch is true? A. The isolated port can communicate only with the promiscuous port. B. The isolated port can communicate with other isolated ports and the promiscuous port. C. The isolated port can communicate only with community ports. D. The isolated port can communicate only with other isolated ports.
A. The isolated port can communicate only with the promiscuous port.
After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason could the image file fail to appear in the dir output? A. The secure boot-image command is configured. B. The secure boot-comfit command is configured. C. The confreg 0x24 command is configured. D. The reload command was issued from ROMMON.
A. The secure boot-image command is configured.
Refer to the exhibit. If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond? authentication event fail action next-method authentication event no-response action authorize vlan 101 authentication order mab dotix webauth authentication priority dotix mab authentication port-control auto dotix pae authenticator A. The supplicant will fail to advance beyond the webauth method. B. The switch will cycle through the configured authentication methods indefinitely. C. The authentication attempt will time out and the switch will place the port into the unauthorized state. D. The authentication attempt will time out and the switch will place the port into VLAN 101.
A. The supplicant will fail to advance beyond the webauth method.
Refer to the exhibit. Which statement about the device time is true? R1> show clock detail .22:22:35.123 UTC Tue Feb 26 2013 Time source is NTP A. The time is authoritative, but the NTP process has lost contact with its servers. B. The time is authoritative because the clock is in sync. C. The clock is out of sync. D. NTP is configured incorrectly. E. The time is not authoritative.
A. The time is authoritative, but the NTP process has lost contact with its servers.
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.) A. The user will be prompted to authenticate using the enable password B. Authentication attempts to the router will be denied C. Authentication will use the router`s local database D. Authentication attempts will be sent to the TACACS+ server
A. The user will be prompted to authenticate using the enable password D. Authentication attempts will be sent to the TACACS+ server
Which statement about personal firewalls is true? A. They can protect a system by denying probing requests. B. They are resilient against kernel attacks. C. They can protect email messages and private documents in a similar way to a VPN. D. They can protect the network against attacks.
A. They can protect a system by denying probing requests.
Which two statements about stateless firewalls are true? (Choose two.) A. They compare the 5-tuple of each incoming packet against configurable rules. B. They cannot track connections. C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS. D. Cisco IOS cannot implement them because the platform is stateful by nature. E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.
A. They compare the 5-tuple of each incoming packet against configurable rules. B. They cannot track connections.
What is a reason for an organization to deploy a personal firewall? A. To protect endpoints such as desktops from malicious activity. B. To protect one virtual network segment from another. C. To determine whether a host meets minimum security posture requirements. D. To create a separate, non-persistent virtual environment that can be destroyed after a session. E. To protect the network from DoS and syn-flood attacks.
A. To protect endpoints such as desktops from malicious activity.
For what reason would you configure multiple security contexts on the ASA firewall? A. To separate different departments and business units. B. To enable the use of VRFs on routers that are adjacently connected. C. To provide redundancy and high availability within the organization. D. To enable the use of multicast routing and QoS through the firewall.
A. To separate different departments and business units.
How does a zone-based firewall implementation handle traffic between interfaces in the same zone? A. Traffic between two interfaces in the same zone is allowed by default. B. Traffic between interfaces in the same zone is blocked unless you configure the same- security permit command. C. Traffic between interfaces in the same zone is always blocked. D. Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone pair.
A. Traffic between two interfaces in the same zone is allowed by default.
Which three statements about the IPsec ESP modes of operation are true? (Choose three.) A. Tunnel mode is used between a host and a security gateway. B. Tunnel mode is used between two security gateways. C. Tunnel mode only encrypts and authenticates the data. D. Transport mode authenticates the IP header. E. Transport mode leaves the original IP header in the clear.
A. Tunnel mode is used between a host and a security gateway. B. Tunnel mode is used between two security gateways. E. Transport mode leaves the original IP header in the clear.
Which type of attack can be prevented by setting the native VLAN to an unused VLAN? A. VLAN-hopping attacks B. CAM-table overflow C. denial-of-service attacks D. MAC-address spoofing
A. VLAN-hopping attacks
Which VTP mode allows you to change the VLAN configuration and will then propagate the change throughout the entire switched network? A. VTP server B. VTP client C. VTP transparent D. VTP off
A. VTP server
Refer to the exhibit. What type of firewall would use the given configuration line? UDP outside 209.165.201.225:53 inside 10.0.0.0:52464, idle 0:00:01, bytes 266, flags - A. a stateful firewall B. a personal firewall C. a proxy firewall D. an application firewall E. a stateless firewall
A. a stateful firewall
What type of algorithm uses the same key to encrypt and decrypt data? A. a symmetric algorithm B. an asymmetric algorithm C. a Public Key Infrastructure algorithm D. an IP security algorithm
A. a symmetric algorithm
Which element must you configure to allow traffic to flow from one security zone to another? A. a zone pair B. a site-to-site VPN C. a zone list D. a zone-based policy
A. a zone pair
Which IOS feature can limit SSH access to a specific subnet under a VTY line? A. access class B. access list C. route map D. route tag
A. access class
Which three options are common examples of AAA implementation on Cisco routers? (Choose three.) A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections B. authenticating administrator access to the router console port, auxiliary port, and vty ports C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates D. tracking Cisco NetFlow accounting statistics E. securing the router by locking down all unused services F. performing router commands authorization using TACACS+
A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections B. authenticating administrator access to the router console port, auxiliary port, and vty ports F. performing router commands authorization using TACACS+
Which tool can an attacker use to attempt a DDoS attack? A. botnet B. Trojan horse C. virus D. adware
A. botnet
What type of packet creates and performs network operations on a network device? A. control plane packets B. data plane packets C. management plane packets D. services plane packets
A. control plane packets
What type of attack was the Stuxnet virus? A. cyber warfare B. hacktivism C. botnet D. social engineering
A. cyber warfare
What is the most common Cisco Discovery Protocol version 1 attack? A. denial of service B. MAC-address spoofing C. CAM-table overflow D. VLAN hopping
A. denial of service
What three actions are limitations when running IPS in promiscuous mode? (Choose three.) A. deny attacker B. deny packet C. modify packet D. request block connection E. request block host F. reset TCP connection
A. deny attacker B. deny packet C. modify packet
What is the purpose of the Integrity component of the CIA triad? A. to ensure that only authorized parties can modify data B. to determine whether data is relevant C. to create a process for accessing data D. to ensure that only authorized parties can view data
A. to ensure that only authorized parties can modify data
Which two options are characteristics of the Cisco Configuration Professional Security Audit wizard? (Choose two.) A. displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement B. has two modes of operation: interactive and non-interactive C. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router D. uses interactive dialogs and prompts to implement role-based CLI E. requires users to first identify which router interfaces connect to the inside network and which connect to the outside network
A. displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement E. requires users to first identify which router interfaces connect to the inside network and which connect to the outside network
Which four methods are used by hackers? (Choose four.) A. footprint analysis attack B. privilege escalation attack C. buffer Unicode attack D. front door attacks E. social engineering attack F. Trojan horse attack
A. footprint analysis attack B. privilege escalation attack E. social engineering attack F. Trojan horse attack
Which three modes of access can be delivered by SSL VPN? (Choose three.) A. full tunnel client B. IPsec SSL C. TLS transport mode D. thin client E. clientless F. TLS tunnel mode
A. full tunnel client D. thin client E. clientless
What VPN feature allows traffic to exit the security appliance through the same interface it entered? A. hairpinning B. NAT C. NAT traversal D. split tunneling
A. hairpinning
Which two options are physical security threats? (Choose two.) A. hardware B. environment C. access lists D. device configurations E. software version
A. hardware B. environment
Which two considerations about secure network management are important? (Choose two.) A. log tampering B. encryption algorithm strength C. accurate time stamping D. off-site storage E. Use RADIUS for router commands authorization. F. Do not use a loopback interface for device management access.
A. log tampering C. accurate time stamping
Which two considerations about secure network monitoring are important? (Choose two.) A. log tampering B. encryption algorithm strength C. accurate time stamping D. off-site storage E. Use RADIUS for router commands authorization. F. Do not use a loopback interface for device management access.
A. log tampering C. accurate time stamping
When a company puts a security policy in place, what is the effect on the company's business? A. minimizing risk B. minimizing total cost of ownership C. minimizing liability D. maximizing compliance
A. minimizing risk
Which three actions can an inline IPS take to mitigate an attack? (Choose three.) A. modifying packets inline B. denying the connection inline C. denying packets inline D. resetting the connection inline E. modifying frames inline F. denying frames inline
A. modifying packets inline B. denying the connection inline C. denying packets inline
With which two NAT types can Cisco ASA implement address translation? (Choose two.) A. network object NAT B. destination NAT C. twice NAT D. source NAT E. double NAT
A. network object NAT C. twice NAT
Which type of secure connectivity does an extranet provide? A. other company networks to your company network B. remote branch offices to your company network C. your company network to the Internet D. new networks to your company network
A. other company networks to your company network
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access list configured, which five types of traffic are permitted? (Choose five.) A. outbound traffic initiated from the inside to the DMZ B. outbound traffic initiated from the DMZ to the outside C. outbound traffic initiated from the inside to the outside D. inbound traffic initiated from the outside to the DMZ E. inbound traffic initiated from the outside to the inside F. inbound traffic initiated from the DMZ to the inside G. HTTP return traffic originating from the inside network and returning via the outside interface H. HTTP return traffic originating from the inside network and returning via the DMZ interface I. HTTP return traffic originating from the DMZ network and returning via the inside interface J. HTTP return traffic originating from the outside network and returning via the inside interface
A. outbound traffic initiated from the inside to the DMZ B. outbound traffic initiated from the DMZ to the outside C. outbound traffic initiated from the inside to the outside G. HTTP return traffic originating from the inside network and returning via the outside interface H. HTTP return traffic originating from the inside network and returning via the DMZ interface
When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.) A. pass B. police C. inspect D. drop E. queue F. shape
A. pass C. inspect D. drop
By which kind of threat is the victim tricked into entering username and password information at a disguised website? A. phishing B. spam C. malware D. spoofing
A. phishing
Which two authentication types does OSPF support? (Choose two.) A. plaintext B. MD5 C. HMAC D. AES 256 E. SHA-1 F. DES
A. plaintext B. MD5
In which stage of an attack does the attacker discover devices on a target network? A. reconnaissance B. gaining access C. maintaining access D. covering tracks
A. reconnaissance
Which router management feature provides for the ability to configure multiple administrative views? A. role-based CLI B. virtual routing and forwarding C. secure config privilege {level} D. parser view view name
A. role-based CLI
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use? A. root guard B. EtherChannel guard C. loop guard D. BPDU guard
A. root guard
Which two countermeasures can mitigate STP root bridge attacks? (Choose two.) A. root guard B. BPDU filtering C. Layer 2 PDU rate limiter D. BPDU guard
A. root guard D. BPDU guard
Which command configures a device to actively watch connection requests and provide immediate protection from DDoS attacks? A. router(config)# ip tcp intercept mode intercept B. router(config)# ip tcp intercept mode watch C. router(config)# ip tcp intercept max-incomplete high 100 D. router(config)# ip tcp intercept drop-mode random
A. router(config)# ip tcp intercept mode intercept
What command can you use to verify the binding table status? A. show ip dhcp snooping database B. show ip dhcp snooping binding C. show ip dhcp snooping statistics D. show ip dhcp pool E. show ip dhcp source binding F. show ip dhcp snooping
A. show ip dhcp snooping database
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection? A. split tunneling B. hairpinning C. tunnel mode D. transparent mode
A. split tunneling
Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.) A. start-stop B. stop-record C. stop-only D. stop
A. start-stop C. stop-only
You want to use the Cisco Configuration Professional site-to-site VPN wizard to implement a site- to-site IPsec VPN using pre-shared key. Which four configurations are required (with no defaults)? (Choose four.) A. the interface for the VPN connection B. the VPN peer IP address C. the IPsec transform-set D. the IKE policy E. the interesting traffic (the traffic to be protected) F. the pre-shared key
A. the interface for the VPN connection B. the VPN peer IP address E. the interesting traffic (the traffic to be protected) F. the pre-shared key
Which type of security control is defense in depth? A. threat mitigation B. risk analysis C. botnet mitigation D. overt and covert channels
A. threat mitigation
When STP mitigation features are configured, where should the root guard feature be deployed? A. toward ports that connect to switches that should not be the root bridge B. on all switch ports C. toward user-facing ports D. Root guard should be configured globally on the switch.
A. toward ports that connect to switches that should not be the root bridge
Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true? A. uses Cisco IPS 5.x signature format B. requires the Basic or Advanced Signature Definition File C. supports both inline and promiscuous mode D. requires IEV for monitoring Cisco IPS alerts E. uses the built-in signatures that come with the Cisco IOS image as backup F. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts
A. uses Cisco IPS 5.x signature format
In which two situations should you use out-of-band management? (Choose two.) A. when a network device fails to forward packets B. when you require ROMMON access C. when management applications need concurrent access to the device D. when you require administrator access from multiple locations E. when the control plane fails to respond
A. when a network device fails to forward packets B. when you require ROMMON access
Which authentication protocol does the Cisco AnyConnect VPN password management feature require to operate? A. MS-CHAPv1 B. MS-CHAPv2 C. CHAP D. Kerberos
B. MS-CHAPv2
What are two default Cisco IOS privilege levels? (Choose two.) A. 0 B. 1 C. 5 D. 7 E. 10 F. 15
B. 1 F. 15
When a network transitions from IPv4 to IPv6, how many bits does the address expand to? A. 64 bits B. 128 bits C. 96 bits D. 156 bits
B. 128 bits
What must be configured before Secure Copy can be enabled? A. SSH B. AAA C. TFTP D. FTP
B. AAA
Which network security framework is used to set up access control on Cisco Appliances? A. RADIUS B. AAA C. TACACS+ D. NAS
B. AAA
What features can protect the data plane? (Choose three.) A. policing B. ACLs C. IPS D. antispoofing E. QoS F. DHCP-snooping
B. ACLs D. antispoofing F. DHCP-snooping
Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.) A. EAP B. ASCII C. PAP D. PEAP E. MS-CHAPv1 F. MS-CHAPv2
B. ASCII C. PAP E. MS-CHAPv1
Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.) A. EAP B. ASCII C. PAP D. PEAP E. MS-CHAPv1 F. MS-CHAPv2
B. ASCII C. PAP E. MS-CHAPv1
Which two options are symmetric-key algorithms that are recommended by Cisco? (Choose two.) A. Twofish B. Advanced Encryption Standard C. Blowfish D. Triple Data Encryption Standard
B. Advanced Encryption Standard D. Triple Data Encryption Standard
Under which option do you create an AAA authentication policy in Cisco Configuration Professional? A. Authentication Policies B. Authentication Policies - Login C. AAA Servers and Groups D. AAA Summary
B. Authentication Policies - Login
Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports? A. MAC spoofing attack B. CAM overflow attack C. VLAN hopping attack D. STP attack
B. CAM overflow attack
Which action can you take to add bandwidth to a trunk between two switches and end up with only one logical interface? A. Configure another trunk link. B. Configure EtherChannel. C. Configure an access port. D. Connect a hub between the two switches.
B. Configure EtherChannel.
Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.) A. port security B. DHCP snooping C. IP source guard D. dynamic ARP inspection
B. DHCP snooping D. dynamic ARP inspection
Which statement about extended access lists is true? A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
Which of the following statements about access lists are true? (Choose three.) A. Extended access lists should be placed as near as possible to the destination B. Extended access lists should be placed as near as possible to the source C. Standard access lists should be placed as near as possible to the destination D. Standard access lists should be placed as near as possible to the source E. Standard access lists filter on the source address F. Standard access lists filter on the destination address
B. Extended access lists should be placed as near as possible to the source C. Standard access lists should be placed as near as possible to the destination E. Standard access lists filter on the source address
Which three statements about access lists are true? (Choose three.) A. Extended access lists should be placed as near as possible to the destination. B. Extended access lists should be placed as near as possible to the source. C. Standard access lists should be placed as near as possible to the destination. D. Standard access lists should be placed as near as possible to the source. E. Standard access lists filter on the source address. F. Standard access lists filter on the destination address.
B. Extended access lists should be placed as near as possible to the source. C. Standard access lists should be placed as near as possible to the destination. E. Standard access lists filter on the source address.
Which address block is reserved for locally assigned unique local addresses? A. 2002::/16 B. FD00::/8 C. 2001::/32 D. FB00::/8
B. FD00::/8
Which Cisco Security Manager feature enables the configuration of unsupported device features? A. Deployment Manager B. FlexConfig C. Policy Object Manager D. Configuration Manager
B. FlexConfig
What are three features of IPsec tunnel mode? (Choose three.) A. IPsec tunnel mode supports multicast. B. IPsec tunnel mode is used between gateways. C. IPsec tunnel mode is used between end stations. D. IPsec tunnel mode supports unicast traffic. E. IPsec tunnel mode encrypts only the payload. F. IPsec tunnel mode encrypts the entire packet.
B. IPsec tunnel mode is used between gateways. D. IPsec tunnel mode supports unicast traffic. F. IPsec tunnel mode encrypts the entire packet.
You are troubleshooting a Cisco AnyConnect VPN on a firewall and issue the command "show webvpn anyconnect." The output shows the message "SSL VPN is not enabled" instead of showing the AnyConnect package. Which action can you take to resolve the problem? A. Issue the enable outside command. B. Issue the anyconnect enable command. C. Issue the enable inside command. D. Reinstall the AnyConnect image.
B. Issue the anyconnect enable command.
Which characteristic is a potential security weakness of a traditional stateful firewall? A. It cannot support UDP flows. B. It cannot detect application-layer attacks. C. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake. D. It works only in promiscuous mode. E. The status of TCP sessions is retained in the state table after the sessions terminate. F. It has low performance due to the use of syn-cookies.
B. It cannot detect application-layer attacks.
What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command? A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time on January 1, 2014 and continue using the key indefinitely. B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely. C. It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at 23:59:00 local time on December 31, 2013. D. It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00 local time on December 31, 2013. E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time on December 31, 2013 and continue accepting the key indefinitely. F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time on January 1, 2014 and continue accepting the key indefinitely.
B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely.
What is the function of an IPS signature? A. It determines the best course of action to mitigate a threat. B. It detects network intrusions by matching specified criteria. C. It provides logging data for allowed connections. D. It provides threat-avoidance controls.
B. It detects network intrusions by matching specified criteria.
What is an advantage of placing an IPS on the inside of a network? A. It can provide higher throughput. B. It receives traffic that has already been filtered. C. It receives every inbound packet. D. It can provide greater security.
B. It receives traffic that has already been filtered.
Which tasks is the session management path responsible for? (Choose three.) A. Verifying IP checksums B. Performing route lookup C. Performing session lookup D. Allocating NAT translations E. Checking TCP sequence numbers F. Checking packets against the access list
B. Performing route lookup D. Allocating NAT translations F. Checking packets against the access list
Which three statements about RADIUS are true? (Choose three.) A. RADIUS uses TCP port 49. B. RADIUS uses UDP ports 1645 or 1812. C. RADIUS encrypts the entire packet. D. RADIUS encrypts only the password in the Access-Request packet. E. RADIUS is a Cisco proprietary technology. F. RADIUS is an open standard.
B. RADIUS uses UDP ports 1645 or 1812. D. RADIUS encrypts only the password in the Access-Request packet. F. RADIUS is an open standard.
What will be disabled as a result of the no service password-recovery command? A. changes to the config-register setting B. ROMMON C. password encryption service D. aaa new-model global configuration command E. the xmodem privilege EXEC mode command to recover the Cisco IOS image
B. ROMMON
Which statement about rule-based policies in Cisco Security Manager is true? A. Rule-based policies contain one or more rules that are related to a device's security and operations parameters. B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device. C. Rule-based policies contain one or more user roles that are related to a device's security and operations parameters. D. Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device.
B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.) A. syslog B. SDEE C. FTP D. TFTP E. SSH F. HTTPS
B. SDEE F. HTTPS
Which technology is the most effective choice for locally mirroring ports to support data investigation for a single device at the data layer? A. RMON B. SPAN C. RSPAN D. ERSPAN
B. SPAN
Which protocol provides security to Secure Copy? A. IPsec B. SSH C. HTTPS D. ESP
B. SSH
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two.) A. FTP B. SSH C. Telnet D. AAA E. HTTPS F. HTTP
B. SSH E. HTTPS
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence? A. The interface on both switches may shut down. B. STP loops may occur. C. The switch with the higher native VLAN may shut down. D. The interface with the lower native VLAN may shut down.
B. STP loops may occur.
Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure device management? A. You must then zeroize the keys to reset secure shell before configuring other parameters. B. The SSH protocol is automatically enabled. C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command. D. All vty ports are automatically enabled for SSH to provide secure management.
B. The SSH protocol is automatically enabled.
Which statement about ACL operations is true? A. The access list is evaluated in its entirety. B. The access list is evaluated one access-control entry at a time. C. The access list is evaluated by the most specific entry. D. The default explicit deny at the end of an access list causes all packets to be dropped.
B. The access list is evaluated one access-control entry at a time.
Refer to the exhibit. Which statement about the aaa configurations is true? router(config)# username admin privilege level 15 secret hardt0ckRackPw router(config)# aaa new-model router(config)# aaa authentication login default tacacs+ router(config)# aaa authentication login test tacacs+ local router(config)# line vty 0 4 router(config-line)# login authentication test router(config-line)# line con 0 router(config-line)# end A. The authentication method list used by the console port is named test. B. The authentication method list used by the vty port is named test. C. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router. D. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database. E. The local database is checked first when authenticating console and vty access to the router.
B. The authentication method list used by the vty port is named test.
Which components does HMAC use to determine the authenticity and integrity of a message? (Choose two.) A. The password B. The hash C. The key D. The transform set
B. The hash C. The key
When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum number of allowed MAC addresses value is exceeded? A. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out. B. The port is shut down. C. The MAC address table is cleared and the new MAC address is entered into the table. D. The violation mode of the port is set to restrict.
B. The port is shut down.
Which security zone is automatically defined by the system? A. The source zone B. The self zone C. The destination zone D. The inside zone
B. The self zone
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity? A. The switch could offer fake DHCP addresses. B. The switch could become the root bridge. C. The switch could be allowed to join the VTP domain. D. The switch could become a transparent bridge.
B. The switch could become the root bridge.
Which statement about PVLAN Edge is true? A. PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port. B. The switch does not forward any traffic from one protected port to any other protected port. C. By default, when a port policy error occurs, the switchport shuts down. D. The switch only forwards traffic to ports within the same VLAN Edge.
B. The switch does not forward any traffic from one protected port to any other protected port.
Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection? A. perfect forward secrecy B. dead peer detection C. keepalives D. IKEv2
B. dead peer detection
How can you prevent clientless SSL VPN users from accessing any HTTP or HTTPS URL within the portal? A. Configure a web ACL. B. Turn off URL entry. C. Configure a smart tunnel. D. Configure a portal access rule.
B. Turn off URL entry.
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path? A. Unidirectional Link Detection B. Unicast Reverse Path Forwarding C. TrustSec D. IP Source Guard
B. Unicast Reverse Path Forwarding
Which Cisco product can help mitigate web-based attacks within a network? A. Adaptive Security Appliance B. Web Security Appliance C. Email Security Appliance D. Identity Services Engine
B. Web Security Appliance
Which two options are for securing NTP? (Choose two.) A. a stratum clock B. access lists C. Secure Shell D. authentication E. Telnet
B. access lists D. authentication
Which command will block IP traffic to the destination 172.16.0.1/32? A. access-list 101 deny ip host 172.16.0.1 any B. access-list 101 deny ip any host 172.16.0.1 C. access-list 101 deny ip any any D. access-list 11 deny host 172.16.0.1
B. access-list 101 deny ip any host 172.16.0.1
Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10? A. access-list 101 permit tcp any eq 3030 B. access-list 101 permit tcp 10.1.128.0 0.0.1 .255 eq 3030 192.1 68.1 .0 0.0.0.15 eq www C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www D. access-list 101 permit tcp host 192.1 68.1 .10 eq 80 10.1.0.0 0.0.255.255 eq 3030 E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255 F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.10 eq 80
B. access-list 101 permit tcp 10.1.128.0 0.0.1 .255 eq 3030 192.1 68.1 .0 0.0.0.15 eq www
Which option is a characteristic of a stateful firewall? A. can analyze traffic at the application layer B. allows modification of security rule sets in real time to allow return traffic C. will allow outbound communication, but return traffic must be explicitly permitted D. supports user authentication
B. allows modification of security rule sets in real time to allow return traffic
Which option is a feature of Cisco ScanSafe technology? A. spam protection B. consistent cloud-based policy C. DDoS protection D. RSA Email DLP
B. consistent cloud-based policy
Which command is needed to enable SSH support on a Cisco Router? A. crypto key lock rsa B. crypto key generate rsa C. crypto key zeroize rsa D. crypto key unlock rsa
B. crypto key generate rsa
Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IP address? A. policy NAT B. dynamic PAT C. static NAT D. dynamic NAT E. policy PAT
B. dynamic PAT
What is the Cisco preferred countermeasure to mitigate CAM overflows? A. port security B. dynamic port security C. IP source guard D. root guard
B. dynamic port security
Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699? A. standard B. extended C. named D. IPv4 for 100 to 199 and IPv6 for 2000 to 2699
B. extended
Which command configures stateful packet inspection to inspect a packet after it passes the inbound ACL of the input interface? A. ip inspect out B. ip inspect in C. ip inspect name audit-trail on D. ip inspect name audit-trail off
B. ip inspect in
Which two options are advantages of an application layer firewall? (Choose two.) A. provides high-performance filtering B. makes DoS attacks difficult C. supports a large number of applications D. authenticates devices E. authenticates individuals
B. makes DoS attacks difficult E. authenticates individuals
Which two options are two of the built-in features of IPv6? (Choose two.) A. VLSM B. native IPsec C. controlled broadcasts D. mobile IP E. NAT
B. native IPsec D. mobile IP
Which single Cisco IOS ACL entry permits IP addresses from 172.16.80.0 to 172.16.87.255? A. permit 172.16.80.0 0.0.3.255 B. permit 172.16.80.0 0.0.7.255 C. permit 172.16.80.0 0.0.248.255 D. permit 176.16.80.0 255.255.252.0 E. permit 172.16.80.0 255.255.248.0 F. permit 172.16.80.0 255.255.240.0
B. permit 172.16.80.0 0.0.7.255
Which option can be used to authenticate the IPsec peers during IKE Phase 1? A. Diffie-Hellman Nonce B. pre-shared key C. XAUTH D. integrity check value E. ACS F. AH
B. pre-shared key
Which technology provides an automated digital certificate management system for use with IPsec? A. ISAKMP B. public key infrastructure C. Digital Signature Algorithm D. Internet Key Exchange
B. public key infrastructure
Which actions can a promiscuous IPS take to mitigate an attack? (Choose three.) A. modifying packets B. requesting connection blocking C. denying packets D. resetting the TCP connection E. requesting host blocking F. denying frames
B. requesting connection blocking D. resetting the TCP connection E. requesting host blocking
Which two characteristics of the TACACS+ protocol are true? (Choose two.) A. uses UDP ports 1645 or 1812 B. separates AAA functions C. encrypts the body of every packet D. offers extensive accounting capabilities E. is an open RFC standard protocol
B. separates AAA functions C. encrypts the body of every packet
Which command verifies phase 2 of an IPsec VPN on a Cisco router? A. show crypto map B. show crypto ipsec sa C. show crypto isakmp sa D. show crypto engine connection active
B. show crypto ipsec sa
Which Cisco IOS command is used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured? A. show archive B. show secure bootset C. show flash D. show file systems E. dir F. dir archive
B. show secure bootset
Which two types of access lists can be used for sequencing? (Choose two.) A. reflexive B. standard C. dynamic D. extended
B. standard D. extended
Which three options are components of Transport Layer Security? (Choose three.) A. stateless handshake B. stateful handshake C. application layer D. session layer E. pre-shared keys F. digital certificates
B. stateful handshake C. application layer F. digital certificates
What are two primary attack methods of VLAN hopping? (Choose two.) A. VoIP hopping B. switch spoofing C. CAM-table overflow D. double tagging
B. switch spoofing D. double tagging
Which Cisco IOS command will verify authentication between a router and a AAA server? A. debug aaa authentication B. test aaa group C. test aaa accounting D. aaa new-model
B. test aaa group
When using a stateful firewall, which information is stored in the stateful session flow table? A. the outbound and inbound access rules (ACL entries) B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session C. all TCP and UDP header information only D. all TCP SYN packets and the associated return ACK packets only E. the inside private IP address and the translated inside global IP address
B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session
For what purpose is the Cisco ASA appliance web launch SSL VPN feature used? A. to enable split tunneling when using clientless SSL VPN access B. to enable users to login to a web portal to download and launch the AnyConnect client C. to enable smart tunnel access for applications that are not web-based D. to optimize the SSL VPN connections using DTLS E. to enable single-sign-on so the SSL VPN users need only log in once
B. to enable users to login to a web portal to download and launch the AnyConnect client
Which two pieces of information should you acquire before you troubleshoot an STP loop? (Choose two.) A. topology of the routed network B. topology of the switched network C. location of the root bridge D. number of switches in the network
B. topology of the switched network C. location of the root bridge
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.) A. traffic flowing between a zone member interface and any interface that is not a zone member B. traffic flowing to and from the router interfaces (the self zone) C. traffic flowing among the interfaces that are members of the same zone D. traffic flowing among the interfaces that are not assigned to any zone E. traffic flowing between a zone member interface and another interface that belongs in a different zone F. traffic flowing to the zone member interface that is returned traffic
B. traffic flowing to and from the router interfaces (the self zone) C. traffic flowing among the interfaces that are members of the same zone D. traffic flowing among the interfaces that are not assigned to any zone
Which two characteristics represent a blended threat? (Choose two.) A. man-in-the-middle attack B. trojan horse attack C. pharming attack D. denial of service attack E. day zero attack
B. trojan horse attack E. day zero attack
On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used? A. used for SSH server/client authentication and encryption B. used to verify the digital signature of the IPS signature file C. used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate the ISR when accessing it using Cisco Configuration Professional D. used to enable asymmetric encryption on IPsec and SSL VPNs E. used during the DH exchanges on IPsec VPNs
B. used to verify the digital signature of the IPS signature file
What hash type does Cisco use to validate the integrity of downloaded images? A. Sha1 B. Sha2 C. Md5 D. Md1
C. Md5
What is the default privilege level for a new user account on a Cisco ASA firewall? A. 0 B. 1 C. 2 D. 15
C. 2
On which protocol number does Encapsulating Security Payload operate? A. 06 B. 47 C. 50 D. 51
C. 50
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack? A. The trunk port would go into an error-disabled state. B. A VLAN hopping attack would be successful. C. A VLAN hopping attack would be prevented. D. The attacked VLAN will be pruned.
C. A VLAN hopping attack would be prevented.
Which statement best represents the characteristics of a VLAN? A. Ports in a VLAN will not share broadcasts amongst physically separate switches. B. A VLAN can only connect across a LAN within the same building. C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments. D. A VLAN provides individual port security.
C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments.
Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers? A. Cisco iSDM B. Cisco AIM C. Cisco IOS IPS D. Cisco AIP-SSM
C. Cisco IOS IPS
Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products? A. Cisco Configuration Professional B. Security Device Manager C. Cisco Security Manager D. Cisco Secure Management Server
C. Cisco Security Manager
Which option describes information that must be considered when you apply an access list to a physical interface? A. Protocol used for filtering B. Direction of the access class C. Direction of the access group D. Direction of the access list
C. Direction of the access group
What is the best way to prevent a VLAN hopping attack? A. Encapsulate trunk ports with IEEE 802.1Q. B. Physically secure data closets. C. Disable DTP negotiations. D. Enable BDPU guard.
C. Disable DTP negotiations.
When configuring SSL VPN on the Cisco ASA appliance, which configuration step is required only for Cisco AnyConnect full tunnel SSL VPN access and not required for clientless SSL VPN? A. user authentication B. group policy C. IP address pool D. SSL VPN interface E. connection profile
C. IP address pool
Which statement about IPv6 address allocation is true? A. IPv6-enabled devices can be assigned only one IPv6 IP address. B. A DHCP server is required to allocate IPv6 IP addresses. C. IPv6-enabled devices can be assigned multiple IPv6 IP addresses. D. ULA addressing is required for Internet connectivity.
C. IPv6-enabled devices can be assigned multiple IPv6 IP addresses.
Which two options are advantages of a network-based Cisco IPS? (Choose two.) A. It can examine encrypted traffic. B. It can protect the host after decryption. C. It is an independent operating platform. D. It can observe bottom-level network events. E. It can block traffic
C. It is an independent operating platform. D. It can observe bottom-level network events.
Refer to the exhibit. What does the option secret 5 in the username global configuration mode command indicate about the user password? router#sh run | username username test secret 5 $1$knm.$GOGQBIL8TK77P0LWxvX4O0 A. It is hashed using SHA. B. It is encrypted using DH group 5. C. It is hashed using MD5. D. It is encrypted using the service password-encryption command. E. It is hashed using a proprietary Cisco hashing algorithm. F. It is encrypted using a proprietary Cisco encryption algorithm.
C. It is hashed using MD5.
What is the key difference between host-based and network-based intrusion prevention? A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows. B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers. C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers. D. Host-based IPS can work in promiscuous mode or inline mode. E. Host-based IPS is more scalable then network-based IPS. F. Host-based IPS deployment requires less planning than network-based IPS.
C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.) A. EAP B. ASCII C. PAP D. PEAP E. MS-CHAPv1 F. MS-CHAPv2
C. PAP E. MS-CHAPv1 F. MS-CHAPv2
Which option provides the most secure method to deliver alerts on an IPS? A. IME B. CSM C. SDEE D. syslog
C. SDEE
Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations? A. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL. B. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces. C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks. D. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces. E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only support extended ACL.
C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.
Which statement about the role-based CLI access views on a Cisco router is true? A. The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view. B. The maximum number of configurable CLI access views is 10, including one superview. C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view. D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.
C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
Which statement describes how the sender of the message is verified when asymmetric encryption is used? A. The sender encrypts the message using the sender's public key, and the receiver decrypts the message using the sender's private key. B. The sender encrypts the message using the sender's private key, and the receiver decrypts the message using the sender's public key. C. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the receiver's private key. D. The sender encrypts the message using the receiver's private key, and the receiver decrypts the message using the receiver's public key. E. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the sender's public key.
C. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the receiver's private key.
Which statement about disabled signatures when using Cisco IOS IPS is true? A. They do not take any actions, but do produce alerts. B. They are not scanned or processed. C. They still consume router resources. D. They are considered to be "retired" signatures.
C. They still consume router resources.
Which statement about asymmetric encryption algorithms is true? A. They use the same key for encryption and decryption of data. B. They use the same key for decryption but different keys for encryption of data. C. They use different keys for encryption and decryption of data. D. They use different keys for decryption but the same key for encryption of data.
C. They use different keys for encryption and decryption of data.
Which source port does IKE use when NAT has been detected between two VPN gateways? A. TCP 4500 B. TCP 500 C. UDP 4500 D. UDP 500
C. UDP 4500
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router? A. aaa accounting network start-stop tacacs+ B. aaa accounting system start-stop tacacs+ C. aaa accounting exec start-stop tacacs+ D. aaa accounting connection start-stop tacacs+ E. aaa accounting commands 15 start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads? A. aaa accounting network default start-stop group radius B. aaa accounting auth-proxy default start-stop group radius C. aaa accounting system default start-stop group radius D. aaa accounting exec default start-stop group radius
C. aaa accounting system default start-stop group radius
Which command will configure a Cisco router to use a TACACS+ server to authorize network services with no fallback method? A. aaa authorization exec default group tacacs+ none B. aaa authorization network default group tacacs+ none C. aaa authorization network default group tacacs+ D. aaa authorization network default group tacacs+ local
C. aaa authorization network default group tacacs+
During role-based CLI configuration, what must be enabled before any user views can be created? A. multiple privilege levels B. usernames and passwords C. aaa new-model command D. secret password for the root user E. HTTP and/or HTTPS server F. TACACS server group
C. aaa new-model command
Which command will block external spoofed addresses? A. access-list 128 deny ip 10.0.0.0 0.0.255.255 any B. access-list 128 deny ip 192.168.0.0 0.0.0.255 any C. access-list 128 deny ip 10.0.0.0 0.255.255.255 any D. access-list 128 deny ip 192.168.0.0 0.0.31.255 any
C. access-list 128 deny ip 10.0.0.0 0.255.255.255 any
Which type of IPS can identify worms that are propagating in a network? A. signature-based IPS B. policy-based IPS C. anomaly-based IPS D. reputation-based IPS
C. anomaly-based IPS
Refer to the exhibit. Which traffic is permitted by this ACL? access-list 100 permit tcp 172.26.26.16 0.0.0.7 host 192.168.1.2 eq 443 access-list 100 permit tcp 172.26.26.16 0.0.0.7 host 192.168.1.2 eq 80 access-list 100 deny tcp any host 192.168.1.2 eq telnet access-list 100 deny tcp any host 192.168.1.2 eq www access-list 100 permit ip any any A. TCP traffic sourced from any host in the 172.26.26.8/29 subnet on any port to host 192.168.1.2 port 80 or 443 B. TCP traffic sourced from host 172.26.26.21 on port 80 or 443 to host 192.168.1.2 on any port C. any TCP traffic sourced from host 172.26.26.30 destined to host 192.168.1.1 D. any TCP traffic sourced from host 172.26.26.20 to host 192.168.1.2
C. any TCP traffic sourced from host 172.26.26.30 destined to host 192.168.1.1
What is the transition order of STP states on a Layer 2 switch interface? A. listening, learning, blocking, forwarding, disabled B. listening, blocking, learning, forwarding, disabled C. blocking, listening, learning, forwarding, disabled D. forwarding, listening, learning, blocking, disabled
C. blocking, listening, learning, forwarding, disabled
Which option is a characteristic of the RADIUS protocol? A. uses TCP B. offers multiprotocol support C. combines authentication and authorization in one process D. supports bi-directional challenge
C. combines authentication and authorization in one process
Which IPsec transform set provides the strongest protection? A. crypto ipsec transform-set 1 esp-3des esp-sha-hmac B. crypto ipsec transform-set 2 esp-3des esp-md5-hmac C. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac D. crypto ipsec transform-set 4 esp-aes esp-md5-hmac E. crypto ipsec transform-set 5 esp-des esp-sha-hmac F. crypto ipsec transform-set 6 esp-des esp-md5-hmac
C. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac
Which option is the resulting action in a zone-based policy firewall configuration with these conditions? Source: Zone 1 Destination: Zone 2 Zone pair exists?: Yes Policy exists?: No A. no impact to zoning or policy B. no policy lookup (pass) C. drop D. apply default policy
C. drop
Which two options represent a threat to the physical installation of an enterprise network? (Choose two.) A. surveillance camera B. security guards C. electrical power D. computer room access E. change control
C. electrical power D. computer room access
Which options are filtering options used to display SDEE message types? (Choose two.) A. stop B. none C. error D. all
C. error D. all
Where is the transform set applied in an IOS IPsec VPN? A. on the WAN interface B. in the ISAKMP policy C. in the crypto map D. on the LAN interface
C. in the crypto map
Which command initializes a lawful intercept view? A. username cisco1 view lawful-intercept password cisco B. parser view cisco li-view C. li-view cisco user cisco1 password cisco D. parser view li-view inclusive
C. li-view cisco user cisco1 password cisco
When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.) A. group RADIUS B. group TACACS+ C. local D. krb5 E. enable F. if-authenticated
C. local E. enable
Which command configures logging on a Cisco ASA firewall to include the date and time? A. logging facility B. logging enable C. logging timestamp D. logging buffered debugging
C. logging timestamp
Which type of management reporting is defined by separating management traffic from production traffic? A. IPsec encrypted B. in-band C. out-of-band D. SSH
C. out-of-band
Under which higher-level policy is a VPN security policy categorized? A. application policy B. DLP policy C. remote access policy D. compliance policy E. corporate WAN policy
C. remote access policy
Which type of firewall technology is considered the versatile and commonly used firewall technology? A. static packet filter firewall B. application layer firewall C. stateful packet filter firewall D. proxy firewall E. adaptive layer firewall
C. stateful packet filter firewall
What does the secure boot-config global configuration accomplish? A. enables Cisco IOS image resilience B. backs up the Cisco IOS image from flash to a TFTP server C. takes a snapshot of the router running configuration and securely archives it in persistent storage D. backs up the router running configuration to a TFTP server E. stores a secured copy of the Cisco IOS image in its persistent storage
C. takes a snapshot of the router running configuration and securely archives it in persistent storage
What does the MD5 algorithm do? A. takes a message less than 2^64 bits as input and produces a 160-bit message digest B. takes a variable-length message and produces a 168-bit message digest C. takes a variable-length message and produces a 128-bit message digest D. takes a fixed-length message and produces a 128-bit message digest
C. takes a variable-length message and produces a 128-bit message digest
Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message? A. the transform set B. the group policy C. the hash D. the crypto map
C. the hash
Which two functions are required for IPsec operation? (Choose two.) A. using SHA for encryption B. using PKI for pre-shared key authentication C. using IKE to negotiate the SA D. using AH protocols for encryption and authentication E. using Diffie-Hellman to establish a shared-secret key
C. using IKE to negotiate the SA E. using Diffie-Hellman to establish a shared-secret key
In an IPsec VPN, what determination does the access list make about VPN traffic? A. whether the traffic should be blocked B. whether the traffic should be permitted C. whether the traffic should be encrypted D. the peer to which traffic should be sent
C. whether the traffic should be encrypted
How many crypto map sets can you apply to a router interface? A. 3 B. 2 C. 4 D. 1
D. 1
Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D? A. 2001::150c::41b1:45a3:041d B. 2001:0:150c:0::41b1:45a3:04d1 C. 2001:150c::41b1:45a3::41d D. 2001:0:150c::41b1:45a3:41d
D. 2001:0:150c::41b1:45a3:41d
What is the default STP priority on a switch? A. 4096 B. 24576 C. 16384 D. 32768
D. 32768
Which syslog level is associated with LOG_WARNING? A. 1 B. 2 C. 3 D. 4 E. 5 F. 6 G. 7 H. 0
D. 4
On which protocol number does the authentication header operate? A. 06 B. 47 C. 50 D. 51
D. 51
How are Cisco IOS access control lists processed? A. Standard ACLs are processed first. B. The best match ACL is matched first. C. Permit ACL entries are matched first before the deny ACL entries. D. ACLs are matched from top down. E. The global ACL is matched first before the interface ACL.
D. ACLs are matched from top down.
You are the security administrator for a large enterprise network with many remote locations. You have been given the assignment to deploy a Cisco IPS solution. Where in the network would be the best place to deploy Cisco IOS IPS? A. Inside the firewall of the corporate headquarters Internet connection B. At the entry point into the data center C. Outside the firewall of the corporate headquarters Internet connection D. At remote branch offices
D. At remote branch offices
Which item is the great majority of software vulnerabilities that have been discovered? A. Stack vulnerabilities B. Heap overflows C. Software overflows D. Buffer overflows
D. Buffer overflows
When configuring role-based CLI on a Cisco router, which step is performed first? A. Log in to the router as the root user. B. Create a parser view called "root view." C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command. D. Enable the root view on the router. E. Enable AAA authentication and authorization using the local database. F. Create a root local user in the local database.
D. Enable the root view on the router.
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts? A. FlexConfig B. Device Manager C. Report Manager D. Health and Performance Monitor
D. Health and Performance Monitor
Which two statements about IPv6 access lists are true? (Choose two). A. IPv6 access lists support numbered access lists. B. IPv6 access lists support wildcard masks. C. IPv6 access lists support standard access lists. D. IPv6 access lists support named access lists. E. IPv6 access lists support extended access lists.
D. IPv6 access lists support named access lists. E. IPv6 access lists support extended access lists.
Which statement is true about vishing? A. Influencing users to forward a call to a toll number (for example, a long distance or international number) B. Influencing users to provide personal information over a web page C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long distance or international number) D. Influencing users to provide personal information over the phone
D. Influencing users to provide personal information over the phone
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration? A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode B. Issue the command anyconnect keep-installer installed in the global configuration C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode
D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode
Which description of the Diffie-Hellman protocol is true? A. It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel. B. It uses asymmetrical encryption to provide authentication over an unsecured communications channel. C. It is used within the IKE Phase 1 exchange to provide peer authentication. D. It provides a way for two peers to establish a shared-secret key, which only they will know, even though they are communicating over an unsecured channel. E. It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the message of the IKE exchanges.
D. It provides a way for two peers to establish a shared-secret key, which only they will know, even though they are communicating over an unsecured channel.
In what type of attack does an attacker virtually change a device's burned-in address in an attempt to circumvent access lists and mask the device's true identity? A. gratuitous ARP B. ARP poisoning C. IP spoofing D. MAC spoofing
D. MAC spoofing
Which three ESP fields can be encrypted during transmission? (Choose three.) A. Security Parameter Index B. Sequence Number C. MAC Address D. Padding E. Pad Length F. Next Header
D. Padding E. Pad Length F. Next Header
Which option represents a step that should be taken when a security policy is developed? A. Perform penetration testing. B. Determine device risk scores. C. Implement a security monitoring system. D. Perform quantitative risk analysis.
D. Perform quantitative risk analysis.
Which statements about reflexive access lists are true? (Choose three.) A. Reflexive access lists create a permanent ACE B. Reflexive access lists approximate session filtering using the established keyword C. Reflexive access lists can be attached to standard named IP ACLs D. Reflexive access lists support UDP sessions E. Reflexive access lists can be attached to extended named IP ACLs F. Reflexive access lists support TCP sessions
D. Reflexive access lists support UDP sessions E. Reflexive access lists can be attached to extended named IP ACLs F. Reflexive access lists support TCP sessions
Which IPS technique commonly is used to improve accuracy and context awareness, aiming to detect and respond to relevant incidents only and therefore, reduce noise? A. Attack relevancy B. Target asset value C. Signature accuracy D. Risk rating
D. Risk rating
Which protocol secures router management session traffic? A. SSTP B. POP C. Telnet D. SSH
D. SSH
Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments? A. root guard B. port fast C. HSRP D. STP
D. STP
In which type of Layer 2 attack does an attacker broadcast BDPUs with a lower switch priority? A. MAC spoofing attack B. CAM overflow attack C. VLAN hopping attack D. STP attack
D. STP attack
What does level 5 in this enable secret global configuration mode command indicate? router#enable secret level 5 password A. The enable secret password is hashed using MD5. B. The enable secret password is hashed using SHA. C. The enable secret password is encrypted using Cisco proprietary level 5 encryption. D. Set the enable secret command to privilege level 5. E. The enable secret password is for accessing exec privilege level 5.
D. Set the enable secret command to privilege level 5.
You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.) A. Turn off all trunk ports and manually configure each VLAN as required on each port. B. Place unused active ports in an unused VLAN. C. Secure the native VLAN, VLAN 1, with encryption. D. Set the native VLAN on the trunk ports to an unused VLAN. E. Disable DTP on ports that require trunking.
D. Set the native VLAN on the trunk ports to an unused VLAN. E. Disable DTP on ports that require trunking.
Which type of NAT would you configure if a host on the external network required access to an internal host? A. Outside global NAT B. NAT overload C. Dynamic outside NAT D. Static NAT
D. Static NAT
Which step is important to take when implementing secure network management? A. Implement in-band management whenever possible. B. Implement telnet for encrypted device management access. C. Implement SNMP with read/write access for troubleshooting purposes. D. Synchronize clocks on hosts and devices. E. Implement management plane protection using routing protocol authentication.
D. Synchronize clocks on hosts and devices.
You have been tasked by your manager to implement syslog in your network. Which option is an important factor to consider in your implementation? A. Use SSH to access your syslog information. B. Enable the highest level of syslog function available to ensure that all possible event messages are logged. C. Log all messages to the system buffer so that they can be displayed when accessing the router. D. Synchronize clocks on the network with a protocol such as Network Time Protocol.
D. Synchronize clocks on the network with a protocol such as Network Time Protocol.
What is a possible reason for the error message? Router(config)#aaa server?% Unrecognized command A. The command syntax requires a space after the word "server" B. The command is invalid on the target device C. The router is already running the latest operating system D. The router is a new device on which the aaa new-model command must be applied before continuing
D. The router is a new device on which the aaa new-model command must be applied before continuing
You have configured a standard access control list on a router and applied it to interface Serial 0 in an outbound direction. No ACL is applied to Interface Serial 1 on the same router. What happens when traffic being filtered by the access list does not match the configured ACL statements for Serial 0? A. The resulting action is determined by the destination IP address. B. The resulting action is determined by the destination IP address and port number. C. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1. D. The traffic is dropped.
D. The traffic is dropped.
Refer to the exhibit. Which statement is correct based on the show login command output shown? router# show login A default login delay of 1 seconds is applied. No Quiet-Mode access list has been configured. All successful login is logged and generate SNMP traps. All failed login is logged and generated SNMP traps. Router enabled to watch for login Attacks. If more than 2 login failures occur in 100 seconds or less, logins will be disabled for 100 seconds. Router presently in Quiet-Mode, will remain in Quiet-Mode for 93 seconds. Denying logins from all sources. A. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, and HTTP, since the quiet-mode access list has not been configured. B. The login block-for command is configured to block login hosts for 93 seconds. C. All logins from any sources are blocked for another 193 seconds. D. Three or more login requests have failed within the last 100 seconds.
D. Three or more login requests have failed within the last 100 seconds.
Which location is recommended for extended or extended named ACLs? A. an intermediate location to filter as much traffic as possible B. a location as close to the destination traffic as possible C. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed D. a location as close to the source traffic as possible
D. a location as close to the source traffic as possible
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method? A. aaa authentication enable console LOCAL SERVER_GROUP B. aaa authentication enable console SERVER_GROUP LOCAL C. aaa authentication enable console local D. aaa authentication enable console LOCAL
D. aaa authentication enable console LOCAL
What is the first command you enter to configure AAA on a new Cisco router? A. aaa configuration B. no aaa-configuration C. no aaa new-model D. aaa new-model
D. aaa new-model
Which AAA feature can automate record keeping within a network? A. TACACS+ B. authentication C. authorization D. accounting
D. accounting
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface? A. no switchport nonnegotiate B. switchport C. no switchport mode dynamic auto D. no switchport
D. no switchport
Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement? A. nested object-class B. class-map C. extended wildcard matching D. object groups
D. object groups
Which command enables subnet 192.168.8.4/30 to communicate with subnet 192.168.8.32/27 on IP protocol 50? A. permit esp 192.168.8.4 255.255.255.252 192.168.8.32 255.255.255.224 B. permit esp 192.168.8.4 0.0.0.31 192.168.8.32 0.0.0.31 C. permit esp 192.168.8.4 255.255.255.252 224.168.8.32 255.255.255.192 D. permit esp 192.168.8.4 0.0.0.3 192.168.8.32 0.0.0.31
D. permit esp 192.168.8.4 0.0.0.3 192.168.8.32 0.0.0.31
Which command enables Cisco IOS image resilience? A. secure boot-<IOS image filename> B. secure boot-running-config C. secure boot-start D. secure boot-image
D. secure boot-image
Which characteristic is the foundation of Cisco Self-Defending Network technology? A. secure connectivity B. threat control and containment C. policy management D. secure network platform
D. secure network platform
Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router? A. show crypto map B. show crypto ipsec sa C. show crypto isakmp sa D. show crypto session
D. show crypto session
Which type of intrusion prevention technology is the primary type used by the Cisco IPS security appliances? A. profile-based B. rule-based C. protocol analysis-based D. signature-based E. NetFlow anomaly-based
D. signature-based
If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration? A. no switchport mode access B. no switchport trunk native VLAN 1 C. switchport mode DTP D. switchport nonnegotiate
D. switchport nonnegotiate
Which option describes the purpose of Diffie-Hellman? A. used between the initiator and the responder to establish a basic security policy B. used to verify the identity of the peer C. used for asymmetric public key encryption D. used to establish a symmetric shared key via a public key exchange process
D. used to establish a symmetric shared key via a public key exchange process
Which type of network masking is used when Cisco IOS access control lists are configured? A. extended subnet masking B. standard subnet masking C. priority masking D. wildcard masking
D. wildcard masking
Which statement describes a best practice when configuring trunking on a switch port? A. Disable double tagging by enabling DTP on the trunk port. B. Enable encryption on the trunk port. C. Enable authentication and encryption on the trunk port. D. Limit the allowed VLAN(s) on the trunk to the native VLAN only. E. Configure an unused VLAN as the native VLAN.
E. Configure an unused VLAN as the native VLAN.
Refer to the exhibit. Which statement about this partial CLI configuration of an access control list is true? access-list 2 permit 10.10.0.10 access-list 2 deny 10.10.0.0 0.0.255.255 access-list 2 permit 10.0.0.0 0.255.255.255 interface FastEthernet0/0 ip access-group 2 in A. The access list accepts all traffic on the 10.0.0.0 subnets. B. All traffic from the 10.10.0.0 subnets is denied. C. Only traffic from 10.10.0.10 is allowed. D. This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard mask. E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed. F. The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.
E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed.
Which statement describes how VPN traffic is encrypted to provide confidentiality when using asymmetric encryption? A. The sender encrypts the data using the sender's private key, and the receiver decrypts the data using the sender's public key. B. The sender encrypts the data using the sender's public key, and the receiver decrypts the data using the sender's private key. C. The sender encrypts the data using the sender's public key, and the receiver decrypts the data using the receiver's public key. D. The sender encrypts the data using the receiver's private key, and the receiver decrypts the data using the receiver's public key. E. The sender encrypts the data using the receiver's public key, and the receiver decrypts the data using the receiver's private key. F. The sender encrypts the data using the receiver's private key, and the receiver decrypts the data using the sender's public key.
E. The sender encrypts the data using the receiver's public key, and the receiver decrypts the data using the receiver's private key.
Which kind of table do most firewalls use today to keep track of the connections through the firewall? A. dynamic ACL B. reflexive ACL C. netflow D. queuing E. state F. express forwarding
E. state