210 260.examcollection - Premium.exam.179q
210 260.examcollection - Premium.exam.179q
210 260.examcollection - Premium.exam.179q
179q
Number: 210-260
Passing Score: 800
Time Limit: 120 min
File Version: 7.0
210-260
Implementing Cisco Network Security
Version 7.0
Exam A
QUESTION 1
Which two services define cloud networks? (Choose two.)
A.
B.
C.
D.
E.
Infrastructure as a Service
Platform as a Service
Security as a Service
Compute as a Service
Tenancy as a Service
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
In which two situations should you use out-of-band management? (Choose two.)
A.
B.
C.
D.
E.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 3
In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)
A. TACACS uses TCP to communicate with the NAS.
B. TACACS can encrypt the entire packet that is sent to the NAS.
C. TACACS supports per-command authorization.
BOOTP
TFTP
DNS
MAB
HTTP
802.1x
AES
3DES
DES
MD5
DH-1024
SHA-384
Correct Answer: AF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
Which three ESP fields can be encrypted during transmission? (Choose three.)
A.
B.
C.
D.
E.
F.
0
1
5
7
10
15
Correct Answer: BF
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
Which two authentication types does OSPF support? (Choose two.)
A.
B.
C.
D.
E.
F.
plaintext
MD5
HMAC
AES 256
SHA-1
DES
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 9
Which two features do CoPP and CPPr use to protect the control plane? (Choose two.)
A.
B.
C.
D.
E.
F.
QoS
traffic classification
access lists
policy maps
class maps
Cisco Express Forwarding
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 10
Which two statements about stateless firewalls are true? (Choose two.)
A. They compare the 5-tuple of each incoming packet against configurable rules.
B. They cannot track connections.
www.vce2pdf.com | VCE to PDF Converter
C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
D. Cisco IOS cannot implement them because the platform is stateful by nature.
E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 11
Which three statements about host-based IPS are true? (Choose three.)
A.
B.
C.
D.
E.
F.
deny attacker
deny packet
modify packet
request block connection
request block host
reset TCP connection
Section: (none)
Explanation
Explanation/Reference:
QUESTION 13
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 14
What is an advantage of implementing a Trusted Platform Module for disk encryption?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 15
What is the purpose of the Integrity component of the CIA triad?
A. to ensure that only authorized parties can modify data
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 17
Which type of secure connectivity does an extranet provide?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 18
Which tool can an attacker use to attempt a DDoS attack?
A.
B.
C.
D.
botnet
Trojan horse
virus
adware
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 19
What type of security support is provided by the Open Web Application Security Project?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 20
What type of attack was the Stuxnet virus?
A.
B.
C.
D.
cyber warfare
hacktivism
botnet
social engineering
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 21
What type of algorithm uses the same key to encrypt and decrypt data?
A.
B.
C.
D.
a symmetric algorithm
an asymmetric algorithm
a Public Key Infrastructure algorithm
an IP security algorithm
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 22
Refer to the exhibit.
How many times was a read-only string used to attempt a write operation?
A.
B.
C.
D.
E.
9
6
4
3
2
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 23
The time is authoritative, but the NTP process has lost contact with its servers.
The time is authoritative because the clock is in sync.
The clock is out of sync.
NTP is configured incorrectly.
The time is not authoritative.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 24
How does the Cisco ASA use Active Directory to authorize VPN users?
A.
B.
C.
D.
It queries the Active Directory server for a specific attribute for the specified user.
It sends the username and password to retrieve an ACCEPT or REJECT message from the Active Directory server.
It downloads and stores the Active Directory database to query for future authorization requests.
It redirects requests to the Active Directory server defined for the VPN group.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 26
Refer to the exhibit.
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 27
Which EAP method uses Protected Access Credentials?
A.
B.
C.
D.
EAP-FAST
EAP-TLS
EAP-PEAP
EAP-GTC
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 28
What is one requirement for locking a wired or wireless device from ISE?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
A.
B.
C.
D.
hairpinning
NAT
NAT traversal
split tunneling
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 30
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
A.
B.
C.
D.
split tunneling
hairpinning
tunnel mode
transparent mode
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
Refer to the exhibit.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 32
Refer to the exhibit.
It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 33
Refer to the exhibit.
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.
While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 35
Refer to the exhibit.
The Admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to
correct the problem?
A.
B.
C.
D.
Remove the autocommand keyword and arguments from the Username Admin privilege line.
Change the Privilege exec level value to 15.
Remove the two Username Admin lines.
Remove the Privilege exec line.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason
could the image file fail to appear in the dir output?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 37
What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command?
A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time on January 1, 2014 and continue using the
key indefinitely.
B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using
the key indefinitely.
C. It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at 23:59:00 local time
on December 31, 2013.
D. It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00 local time on December 31, 2013.
E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time on December 31, 2013 and continue
accepting the key indefinitely.
F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time on January 1, 2014 and continue
accepting the key indefinitely.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 38
What type of packet creates and performs network operations on a network device?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 39
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 40
In what type of attack does an attacker virtually change a device's burned-in address in an attempt to circumvent access lists and mask the device's true
identity?
A.
B.
C.
D.
gratuitous ARP
ARP poisoning
IP spoofing
MAC spoofing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
What command can you use to verify the binding table status?
A.
B.
C.
D.
E.
F.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 42
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?
A.
B.
C.
D.
root guard
EtherChannel guard
loop guard
BPDU guard
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 43
Which statement about a PVLAN isolated port configured on a switch is true?
A.
B.
C.
D.
The isolated port can communicate only with the promiscuous port.
The isolated port can communicate with other isolated ports and the promiscuous port.
The isolated port can communicate only with community ports.
The isolated port can communicate only with other isolated ports.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
What is a reason for an organization to deploy a personal firewall?
A.
B.
C.
D.
E.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 46
Which statement about personal firewalls is true?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 47
Refer to the exhibit.
a stateful firewall
a personal firewall
a proxy firewall
an application firewall
a stateless firewall
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 48
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
A.
B.
C.
D.
Only control plane policing can protect the control plane against multicast traffic.
Stateful inspection of multicast traffic is supported only for the self-zone.
Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone.
Stateful inspection of multicast traffic is supported only for the internal zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 49
How does a zone-based firewall implementation handle traffic between interfaces in the same zone?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 50
Which two statements about Telnet access to the ASA are true? (Choose two).
A.
B.
C.
D.
E.
You may VPN to the lowest security interface to telnet to an inside interface.
You must configure an AAA server to enable Telnet.
You can access all interfaces on an ASA using Telnet.
You must use the command virtual telnet to enable Telnet.
Best practice is to disable Telnet and use SSH.
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 51
Which statement about communication over failover interfaces is true?
A.
B.
C.
D.
All information that is sent over the failover and stateful failover interfaces is sent as clear text by default.
All information that is sent over the failover interface is sent as clear text, but the stateful failover link is encrypted by default.
All information that is sent over the failover and stateful failover interfaces is encrypted by default.
User names, passwords, and preshared keys are encrypted by default when they are sent over the failover and stateful failover interfaces, but other
information is sent as clear text.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 52
If a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet?
A.
B.
C.
D.
The ASA will apply the actions from only the first matching class map it finds for the feature type.
The ASA will apply the actions from only the most specific matching class map it finds for the feature type.
The ASA will apply the actions from all matching class maps it finds for the feature type.
The ASA will apply the actions from only the last matching class map it finds for the feature type.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 53
For what reason would you configure multiple security contexts on the ASA firewall?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 54
What is an advantage of placing an IPS on the inside of a network?
A. It can provide higher throughput.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 56
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
A.
B.
C.
D.
Rate-Based Prevention
Portscan Detection
IP Defragmentation
Inline Normalization
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 57
Which Sourcefire logging action should you choose to record the most detail about a connection?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 58
What can the SMTP preprocessor in FirePOWER normalize?
A.
B.
C.
D.
E.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 59
You want to allow all of your company's users to access the Internet without allowing other Web servers to collect the IP addresses of individual users.
What two solutions can you use? (Choose two).
A.
B.
C.
D.
Create a whitelist and add the appropriate IP address to allow the traffic.
Create a custom blacklist to allow the traffic.
Create a user based access control rule to allow the traffic.
Create a network based access control rule to allow the traffic.
Create a rule to bypass inspection to allow the traffic.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 61
A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming
infected with malware.
A.
B.
C.
D.
E.
Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL list.
Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router's local URL list.
Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewall's local URL list.
Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router.
Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 62
When is the best time to perform an anti-virus signature update?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 63
Which statement about application blocking is true?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 64
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions
about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)
A.
B.
C.
D.
E.
F.
Explanation
Explanation/Reference:
Explanation:
By clicking one the Configuration-> Remote Access -> Clientless CCL VPN Access-> Group Policies tab you can view the DfltGrpPolicy protocols as
shown below:
QUESTION 65
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions
about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
Which user authentication method is used when users login to the Clientless SSLVPN portal using https://209.165.201.2/test?
A.
B.
C.
D.
E.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
This can be seen from the Connection Profiles Tab of the Remote Access VPN configuration, where the alias of test is being used,
QUESTION 66
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions
about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
Which two statements regarding the ASA VPN configurations are correct? (Choose two)
A.
B.
C.
D.
E.
F.
The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustPoint1.
The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method.
The Inside-SRV bookmark references the https://192.168.1.2 URL
Only Clientless SSL VPN access is allowed with the Sales group policy
AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface
The Inside-SRV bookmark has not been applied to the Sales group policy
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
For B:
Not A, as this is listed under the Identity Certificates, not the CA certificates:
Note E:
QUESTION 67
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions
about the ASA SSLVPN configurations.
To access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation.
To see all the menu options available on the left navigation pane, you may also need to un-expand the expanded menu first.
When users login to the Clientless SSLVPN using https://209.165.201.2/test, which group policy will be applied?
A.
B.
C.
D.
E.
F.
test
clientless
Sales
DfltGrpPolicy
DefaultRAGroup
DefaultWEBVPNGroup
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
First navigate to the Connection Profiles tab as shown below, highlight the one with the test alias:
Then hit the edit button and you can clearly see the Sales Group Policy being applied.
QUESTION 68
SIMULATION
Scenario
Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the
requirements.
New additional connectivity requirements:
Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts on the Outside. Your task is to use ASDM to
configure the ASA to also allow any host only on the Outside to HTTP to the DMZ server. The hosts on the Outside will need to use the
209.165.201.30 public IP address when HTTPing to the DMZ server.
Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the lower security level interfaces. Your task in this
simulation is to use ASDM to enable the ASA to dynamically allow the echo-reply responses back through the ASA.
Once the correct ASA configurations have been configured:
You can test the connectivity to http://209.165.201.30 from the Outside PC browser.
You can test the pings to the Outside (www.cisco.com) by opening the inside PC command prompt window. In this simulation, only testing pings to
www.cisco.com will work.
To access ASDM, click the ASA icon in the topology diagram.
To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram.
To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram.
Note:
After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes.
Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different methods to configure the ASA to meet the
requirements.
In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM.
Correct Answer: Follow the explanation part to get answer on this sim question.
Section: (none)
Explanation
Explanation/Reference:
Explanation:
First, for the HTTP access we need to creat a NAT object. Here I called it HTTP but it can be given any name.
And then check the ICMP box only as shown below, then hit Apply.
QUESTION 69
What features can protect the data plane? (Choose three.)
A.
B.
C.
D.
E.
F.
policing
ACLs
IPS
antispoofing
QoS
DHCP-snooping
3
2
4
1
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 71
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled
B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
IPS
fail-close
IDS
fail-open
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 73
Which options are filtering options used to display SDEE message types? (Choose two.)
A.
B.
C.
D.
stop
none
error
all
Correct Answer: CD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 74
When a company puts a security policy in place, what is the effect on the companys business?
www.vce2pdf.com | VCE to PDF Converter
A.
B.
C.
D.
Minimizing risk
Minimizing total cost of ownership
Minimizing liability
Maximizing compliance
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 75
Which wildcard mask is associated with a subnet mask of /27?
A.
B.
C.
D.
0.0.0.31
0.0.027
0.0.0.224
0.0.0.255
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 76
Which statements about reflexive access lists are true? (Choose three.)
A.
B.
C.
D.
E.
F.
Section: (none)
Explanation
Explanation/Reference:
QUESTION 77
Which actions can a promiscuous IPS take to mitigate an attack? (Choose three.)
A.
B.
C.
D.
E.
F.
Modifying packets
Requesting connection blocking
Denying packets
Resetting the TCP connection
Requesting host blocking
Denying frames
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 79
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
A.
B.
C.
D.
FlexConfig
Device Manager
Report Manager
Health and Performance Monitor
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 80
Which accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)
A.
B.
C.
D.
start-stop
stop-record
stop-only
stop
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 81
Which command is needed to enable SSH support on a Cisco Router?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 82
Which protocol provides security to Secure Copy?
A.
B.
C.
D.
IPsec
SSH
HTTPS
ESP
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 83
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web
page. Which action should you take to begin troubleshooting?
A.
B.
C.
D.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 84
Which security zone is automatically defined by the system?
A. The source zone
B. The self zone
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 86
Which address block is reserved for locally assigned unique local addresses?
A.
B.
C.
D.
2002::/16
FD00::/8
2001::/32
FB00::/8
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 87
What is a possible reason for the error message?Router(config)#aaa server?% Unrecognized command
A.
B.
C.
D.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 88
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A.
B.
C.
D.
Smart tunnels can be used by clients that do not have administrator privileges
Smart tunnels support all operating systems
Smart tunnels offer better performance than port forwarding
Smart tunnels require the client to have the application installed locally
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 89
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 90
Which option describes information that must be considered when you apply an access list to a physical interface?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 91
Which source port does IKE use when NAT has been detected between two VPN gateways?
A.
B.
C.
D.
TCP 4500
TCP 500
UDP 4500
UDP 500
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 92
Which of the following are features of IPsec transport mode? (Choose three.)
A. IPsec transport mode is used between end stations
B. IPsec transport mode is used between gateways
C.
D.
E.
F.
no switchport nonnegotiate
switchport
no switchport mode dynamic auto
no switchport
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 94
Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A.
B.
C.
D.
E.
F.
EAP
ASCII
PAP
PEAP
MS-CHAPv1
MS-CHAPv2
Explanation
Explanation/Reference:
QUESTION 95
Which type of IPS can identify worms that are propagating in a network?
A.
B.
C.
D.
Policy-based IPS
Anomaly-based IPS
Reputation-based IPS
Signature-based IPS
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 96
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 97
What is the purpose of a honeypot IPS?
A. To create customized policies
B. To detect unknown attacks
C. To normalize streams
D. To collect information about attacks
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 98
Which type of firewall can act on the behalf of the end device?
A.
B.
C.
D.
Stateful packet
Application
Packet
Proxy
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 99
Which syslog severity level is level number 7?
A.
B.
C.
D.
Warning
Informational
Notification
Debugging
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 100
By which kind of threat is the victim tricked into entering username and password information at a disguised website?
A.
B.
C.
D.
Spoofing
Malware
Spam
Phishing
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 101
Which type of mirroring does SPAN technology perform?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 102
Which tasks is the session management path responsible for? (Choose three.)
A.
B.
C.
D.
E.
F.
Verifying IP checksums
Performing route lookup
Performing session lookup
Allocating NAT translations
Checking TCP sequence numbers
Checking packets against the access list
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 104
Which Cisco product can help mitigate web-based attacks within a network?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 105
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 106
What hash type does Cisco use to validate the integrity of downloaded images?
A.
B.
C.
D.
Sha1
Sha2
Md5
Md1
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 107
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
A.
B.
C.
D.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 108
What is the most common Cisco Discovery Protocol version 1 attack?
A.
B.
C.
D.
Denial of Service
MAC-address spoofing
CAM-table overflow
VLAN hopping
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 109
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A.
B.
C.
D.
Port security
Dynamic port security
IP source guard
Root guard
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 110
Which option is the most effective placement of an IPS device within the infrastructure?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 111
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server
returns an error? (Choose two.)
A.
B.
C.
D.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 112
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A.
B.
C.
D.
SDEE
Syslog
SNMP
CSM
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 113
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
A. STP elects the root bridge
Static NAT
Dynamic NAT
Overload
Dynamic PAT
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 115
Which components does HMAC use to determine the authenticity and integrity of a message? (Choose two.)
A.
B.
C.
D.
The password
The hash
The key
The transform set
Correct Answer: BC
Section: (none)
Explanation
Explanation/Reference:
QUESTION 116
What is the default timeout interval during which a router waits for responses from a TACACS server before declaring a timeout failure?
A.
B.
C.
D.
5 seconds
10 seconds
15 seconds
20 seconds
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 117
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A.
B.
C.
D.
E.
F.
EAP
ASCII
PAP
PEAP
MS-CHAPv1
MS-CHAPv2
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 119
Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A.
B.
C.
D.
Port security
DHCP snooping
IP source guard
Dynamic ARP inspection
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 120
Which of the following statements about access lists are true? (Choose three.)
A.
B.
C.
D.
E.
F.
QUESTION 121
Which statement about extended access lists is true?
A.
B.
C.
D.
Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination
Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
Extended access lists perform filtering that is based on destination and are most effective when applied to the source
Extended access lists perform filtering that is based on source and are most effective when applied to the destination
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 122
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A.
B.
C.
D.
E.
CCPr
Parser views
Access control lists
Port security
CoPP
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 123
In which stage of an attack does the attacker discover devices on a target network?
A.
B.
C.
D.
Reconnaissance
Covering tracks
Gaining access
Maintaining access
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 124
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two.)
A.
B.
C.
D.
E.
F.
FTP
SSH
Telnet
AAA
HTTPS
HTTP
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 125
What are the primary attack methods of VLAN hopping? (Choose two.)
A.
B.
C.
D.
VoIP hopping
Switch spoofing
CAM-table overflow
Double tagging
Correct Answer: BD
Section: (none)
Explanation
Explanation/Reference:
QUESTION 126
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?
A.
B.
C.
D.
Issue the command anyconnect keep-installer under the group policy or username webvpn mode
Issue the command anyconnect keep-installer installed in the global configuration
Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 127
Which type of security control is defense in depth?
A.
B.
C.
D.
Threat mitigation
Risk analysis
Botnet mitigation
Overt and covert channels
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 128
On which Cisco Configuration Professional screen do you enable AAA
A.
B.
C.
D.
AAA Summary
AAA Servers and Groups
Authentication Policies
Authorization Policies
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 129
What are two uses of SIEM software? (Choose two.)
A.
B.
C.
D.
E.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 130
What are the three layers of a hierarchical network design? (Choose three.)
A.
B.
C.
D.
E.
F.
access
core
distribution
user
server
Internet
B.
C.
D.
E.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 132
What are two ways to prevent eavesdropping when you perform device-management tasks? (Choose two.)
A.
B.
C.
D.
E.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
QUESTION 133
In which three ways does the RADIUS protocol differ from TACACS? (Choose three.)
A.
B.
C.
D.
E.
F.
Section: (none)
Explanation
Explanation/Reference:
QUESTION 134
Which three statements describe DHCP spoofing attacks? (Choose three.)
A.
B.
C.
D.
E.
F.
confidentiality
availability
access
control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 136
In which type of attack does an attacker send email messages that ask the recipient to click a link such as https://www.cisco.net.cc/securelogon?
A.
B.
C.
D.
phishing
pharming
solicitation
secure transaction
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 137
Your security team has discovered a malicious program that has been harvesting the CEO's email messages and the company's user database for the
last 6 months. What type of attack did your team discover?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 138
Which statement provides the best definition of malware?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 139
What mechanism does asymmetric cryptography use to secure data?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 140
Refer to the exhibit.
192.168.10.7
108.61.73.243
209.114.111.1
132.163.4.103
204.2.134.164
241.199.164.101
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 141
Refer to the exhibit.
The single-connection command causes the device to establish one connection for all TACACS transactions.
The single-connection command causes the device to process one TACACS request and then move to the next server.
The timeout command causes the device to move to the next server after 20 seconds of TACACS inactivity.
The router communicates with the NAS on the default port, TCP 1645.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 142
What is the best way to confirm that AAA authentication is working properly?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 143
How does PEAP protect the EAP exchange?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 144
What improvement does EAP-FASTv2 provide over EAP-FAST?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 145
How does a device on a network using ISE receive its digital certificate during the new-device registration process?
A.
B.
C.
D.
ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server.
ISE issues a certificate from its internal CA server.
ISE issues a pre-defined certificate from a local database.
The device requests a new certificate directly from a central CA.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 146
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
A.
B.
C.
D.
It requests the administrator to choose between erasing all device data or only managed corporate data.
It requests the administrator to enter the device PIN or password before proceeding with the operation.
It notifies the device user and proceeds with the erase operation.
It immediately erases all data on the device.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 147
What configuration allows AnyConnect to automatically establish a VPN session when a user logs in to the computer?
A.
B.
C.
D.
always-on
proxy
transparent mode
Trusted Network Detection
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 148
What security feature allows a private IP address to access the Internet by translating it to a public address?
A.
B.
C.
D.
NAT
hairpinning
Trusted Network Detection
Certification Authority
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 149
Refer to the exhibit.
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the
problem?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 150
Refer to the exhibit.
It merges authentication and encryption methods to protect traffic that matches an ACL.
It configures the network to use a different transform set between peers.
It configures encryption for MD5 HMAC.
It configures authentication as AES 256.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 151
Refer to the exhibit.
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
A.
B.
C.
D.
IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
IKE Phase 1 main mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
IKE Phase 1 aggressive mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 152
Which statement about IOS privilege levels is true?
A.
B.
C.
D.
Each privilege level supports the commands at its own level and all levels below it.
Each privilege level supports the commands at its own level and all levels above it.
Privilege-level commands are set explicitly for each user.
Each privilege level is independent of all other privilege levels.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 153
Refer to the exhibit.
Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 154
In the router ospf 200 command, what does the value 200 stand for?
A.
B.
C.
D.
process ID
area ID
administrative distance value
ABR ID
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 155
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 156
In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch acts as a hub?
A.
B.
C.
D.
MAC spoofing
gratuitous ARP
MAC flooding
DoS
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 157
Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 158
What is a potential drawback to leaving VLAN 1 as the native VLAN?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 159
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three).
A.
B.
C.
D.
E.
F.
B. You can configure a single zone pair that allows bidirectional traffic flows for any zone.
C. You can configure a single zone pair that allows bidirectional traffic flows for any zone except the self zone.
D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the less secure zone.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 161
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
A.
B.
C.
D.
E.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 162
Which statement about the communication between interfaces on the same security level is true?
A.
B.
C.
D.
Interfaces on the same security level require additional configuration to permit inter-interface communication.
Configuring interfaces on the same security level can cause asymmetric routing.
All traffic is allowed by default between interfaces on the same security level.
You can configure only one interface on an individual security level.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 163
Which IPS mode provides the maximum number of actions?
A.
B.
C.
D.
E.
inline
promiscuous
span
failover
bypass
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 164
How can you detect a false negative on an IPS?
A.
B.
C.
D.
E.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 165
What is the primary purpose of a defined rule in an IPS?
A. to configure an event action that takes place when a signature is triggered
B. to define a set of actions that occur when a specific user logs in to the system
C. to configure an event action that is pre-defined by the system administrator
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 167
How can FirePOWER block malicious email attachments?
A.
B.
C.
D.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 168
You have been tasked with blocking user access to websites that violate company policy, but the sites use dynamic IP addresses. What is the best
practice for URL filtering to solve the problem?
A.
B.
C.
D.
E.
Enable URL filtering and use URL categorization to block the websites that violate company policy.
Enable URL filtering and create a blacklist to block the websites that violate company policy.
Enable URL filtering and create a whitelist to block the websites that violate company policy.
Enable URL filtering and use URL categorization to allow only the websites that company policy allows users to access.
Enable URL filtering and create a whitelist to allow only the websites that company policy allows users to access.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 169
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A.
B.
C.
D.
file reputation
file analysis
signature updates
network blocking
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 170
Which type of encryption technology has the broadest platform support to protect operating systems?
A.
B.
C.
D.
software
hardware
middleware
file-level
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 171
A proxy firewall protects against which type of attack?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 172
What is a benefit of a web application firewall?
A.
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 173
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attacks?
A. contextual analysis
dynamic NAT
dynamic PAT
static NAT
identity NAT
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 175
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of an existing address?
A.
B.
C.
D.
next IP
round robin
dynamic rotation
NAT address rotation
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 176
Your security team has discovered a malicious program that has been harvesting the CEOs email messages and the company's user database for the
last 6 months. What are two possible types of attacks your team discovered? (Choose two.)
A.
B.
C.
D.
E.
social activism
E Polymorphic Virus
advanced persistent threat
drive-by spyware
targeted malware
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 177
Refer to the exhibit.
Correct Answer: BE
Section: (none)
Explanation
Explanation/Reference:
QUESTION 178
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three).
A.
B.
C.
D.
E.
F.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference: