Vendor: Cisco Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network Security

Vendor: Cisco
Exam Code: 300-206
Exam Name: Implementing Cisco Edge Network Security

Solutions
Version: 16.031
QUESTION 1
Which three commands can be used to harden a switch? (Choose three.)
A. switch(config-if)# spanning-tree bpdufilter enable

B. switch(config)# ip dhcp snooping
C. switch(config)# errdisable recovery interval 900
D. switch(config-if)# spanning-tree guard root
E. switch(config-if)# spanning-tree bpduguard disable
F. switch(config-if)# no cdp enable
Answer: BDF
QUESTION 2
What are three features of the Cisco ASA 1000V? (Choose three.)
A. cloning the Cisco ASA 1000V

B. dynamic routing
C. the Cisco VNMC policy agent
D. IPv6
E. active/standby failover
F. QoS
Answer: ACE
QUESTION 3
If the Cisco ASA 1000V has too few licenses, what is its behavior?
A. It drops all traffic.

B. It drops all outside-to-inside packets.
C. It drops all inside-to-outside packets.
D. It passes the first outside-to-inside packet and drops all remaining packets.
Answer: D
QUESTION 4
A network administrator is creating an ASA-CX administrative user account with the following
parameters:
- The user will be responsible for configuring security policies on

network devices.
- The user needs read-write access to policies.
- The account has no more rights than necessary for the job.
What role will the administrator assign to the user?
A. Administrator
B. Security administrator
C. System administrator
D. Root Administrator
E. Exec administrator
Get Latest & Actual 300-206 Exam's Question and Answers from Passleader. 2
http://www.passleader.com
Answer: B
QUESTION 5
Which two web browsers are supported for the Cisco ISE GUI? (Choose two.)
A. HTTPS-enabled Mozilla Firefox version 3.x

B. Netscape Navigator version 9
C. Microsoft Internet Explorer version 8 in Internet Explorer 8-only mode
D. Microsoft Internet Explorer version 8 in all Internet Explorer modes
E. Google Chrome (all versions)
Answer: AC
QUESTION 6
With Cisco ASA active/standby failover, by default, how many monitored interface failures will
cause failover to occur?
A. 1
B. 2
C. 3
D. 4
E. 5
Answer: A
QUESTION 7
Which statement about SNMP support on the Cisco ASA appliance is true?
A. The Cisco ASA appliance supports only SNMPv1 or SNMPv2c.

B. The Cisco ASA appliance supports read-only and read-write access.
C. The Cisco ASA appliance supports three built-in SNMPv3 groups in Cisco ASDM:
Authentication and Encryption, Authentication Only, and No Authentication, No Encryption.
D. The Cisco ASA appliance can send SNMP traps to the network management station only using SNMPv2.
Answer: C
QUESTION 8
Which statement about Cisco ASA multicast routing support is true?
A. The Cisco ASA appliance supports PIM dense mode, sparse mode, and BIDIR-PIM.
B. The Cisco ASA appliance supports only stub multicast routing by forwarding IGMP messages from
multicast receivers to the upstream multicast router.
C. The Cisco ASA appliance supports DVMRP and PIM.
D. The Cisco ASA appliance supports either stub multicast routing or PIM, but both cannot be enabled
at the same time.
E. The Cisco ASA appliance supports only IGMP v1.
Answer: D
QUESTION 9
How many interfaces can a Cisco ASA bridge group support and how many bridge groups can a
Cisco ASA appliance support?
A. up to 2 interfaces per bridge group and up to 4 bridge groups per Cisco ASA appliance
B. up to 2 interfaces per bridge group and up to 8 bridge groups per Cisco ASA appliance
C. up to 4 interfaces per bridge group and up to 4 bridge groups per Cisco ASA appliance
D. up to 4 interfaces per bridge group and up to 8 bridge groups per Cisco ASA appliance
E. up to 8 interfaces per bridge group and up to 4 bridge groups per Cisco ASA appliance
F. up to 8 interfaces per bridge group and up to 8 bridge groups per Cisco ASA appliance
Answer: D
QUESTION 10
Which addresses are considered "ambiguous addresses" and are put on the greylist by the Cisco
ASA botnet traffic filter feature?
A. addresses that are unknown

B. addresses that are on the greylist identified by the dynamic database
C. addresses that are blacklisted by the dynamic database but also are identified by the static whitelist
D. addresses that are associated with multiple domain names, but not all of these domain names are
on the blacklist
Answer: D
QUESTION 11
For which purpose is the Cisco ASA CLI command aaa authentication match used?
A. Enable authentication for SSH and Telnet connections to the Cisco ASA appliance.
B. Enable authentication for console connections to the Cisco ASA appliance.
C. Enable authentication for connections through the Cisco ASA appliance.
D. Enable authentication for IPsec VPN connections to the Cisco ASA appliance.
E. Enable authentication for SSL VPN connections to the Cisco ASA appliance.
F. Enable authentication for Cisco ASDM connections to the Cisco ASA appliance.
Answer: C
QUESTION 12
A network engineer is asked to configure NetFlow to sample one of every 100 packets on a
router's fa0/0 interface. Which configuration enables sampling, assuming that NetFlow is already
configured and running on the router's fa0/0 interface?
A. flow-sampler-map flow1
mode random one-out-of 100
interface fas0/0
flow-sampler flow1
B. flow monitor flow1
mode random one-out-of 100
interface fas0/0
ip flow monitor flow1
C. flow-sampler-map flow1
one-out-of 100
interface fas0/0
flow-sampler flow1
D. ip flow-export source fas0/0 one-out-of 100
Answer: A
QUESTION 13
What is the default log level on the Cisco Web Security Appliance?
A. Trace
B. Debug
C. Informational
D. Critical
Answer: C
QUESTION 14
Which command sets the source IP address of the NetFlow exports of a device?
A. ip source flow-export
B. ip source netflow-export
C. ip flow-export source
D. ip netflow-export source
Answer: C
QUESTION 15
Which two SNMPv3 features ensure that SNMP packets have been sent securely?" Choose two.
A. host authorization
B. authentication
C. encryption
D. compression
Answer: BC
QUESTION 16
Which three logging methods are supported by Cisco routers? (Choose three.)
A. console logging
B. TACACS+ logging
C. terminal logging
D. syslog logging
E. ACL logging
F. RADIUS logging
Answer: ACD
QUESTION 17
Which three options are default settings for NTP parameters on a Cisco device? (Choose three.)
A. NTP authentication is enabled.

B. NTP authentication is disabled.
C. NTP logging is enabled.
D. NTP logging is disabled.
E. NTP access is enabled.
F. NTP access is disabled.
Answer: BDE
QUESTION 18
A Cisco ASA is configured for TLS proxy. When should the security appliance force remote IP
phones connecting to the phone proxy through the internet to be in secured mode?
A. When the Cisco Unified Communications Manager cluster is in non-secure mode

B. When the Cisco Unified Communications Manager cluster is in secure mode only
C. When the Cisco Unified Communications Manager is not part of a cluster
D. When the Cisco ASA is configured for IPSec VPN
Answer: A
QUESTION 19
Which two features are supported when configuring clustering of multiple Cisco ASA appliances?
(Choose two.)
A. NAT
B. dynamic routing
C. SSL remote access VPN
D. IPSec remote access VPN
Answer: AB
QUESTION 20
Which two device types can Cisco Prime Security Manager manage in Multiple Device mode?
(Choose two.)
A. Cisco ESA
B. Cisco ASA
C. Cisco WSA
D. Cisco ASA CX
Answer: BD
QUESTION 21
Which technology provides forwarding-plane abstraction to support Layer 2 to Layer 7 network
services in Cisco Nexus 1000V?
A. Virtual Service Node

B. Virtual Service Gateway
C. Virtual Service Data Path
D. Virtual Service Agent
Answer: C
QUESTION 22
To which interface on a Cisco ASA 1000V firewall should a security profile be applied when a VM
sits behind it?
A. outside
B. inside
C. management
D. DMZ
Answer: B
QUESTION 23
You are configuring a Cisco IOS Firewall on a WAN router that is operating as a Trusted Relay
Point (TRP) in a voice network. Which feature must you configure to open data- channel pinholes
for voice packets that are sourced from a TRP within the WAN?
A. CAC
B. ACL
C. CBAC
D. STUN
Answer: D
QUESTION 24
If you encounter problems logging in to the Cisco Security Manager 4.4 web server or client or
backing up its databases, which account has most likely been improperly modified?
A. admin (the default administrator account)

B. casuser (the default service account)
C. guest (the default guest account)
D. user (the default user account)
Answer: B
QUESTION 25
Which component does Cisco ASDM require on the host Cisco ASA 5500 Series or Cisco PIX
security appliance?
A. a DES or 3DES license
B. a NAT policy server
C. a SQL database
D. a Kerberos key
E. a digital certificate
Answer: A
QUESTION 26
Which of the following would need to be created to configure an application-layer inspection of
SMTP traffic operating on port 2525?
A. A class-map that matches port 2525 and applying an inspect ESMTP policy-map for that class in
the global inspection policy
B. A policy-map that matches port 2525 and applying an inspect ESMTP class-map for that policy
C. An access-list that matches on TCP port 2525 traffic and applying it on an interface with the inspect option
D. A class-map that matches port 2525 and applying it on an access-list using the inspect option
Answer: A
QUESTION 27
A network administrator is creating an ASA-CX administrative user account with the following
parameters:
- The user will be responsible for configuring security policies on

network devices.
- The user needs read-write access to policies.
- The account has no more rights than necessary for the job.
What role will be assigned to the user?
A. Administrator
B. Security administrator
C. System administrator
D. Root Administrator
E. Exec administrator
Answer: B
QUESTION 28
Which tool provides the necessary information to determine hardware lifecycle and compliance
details for deployed network devices?
A. Prime Infrastructure
B. Prime Assurance
C. Prime Network Registrar
D. Prime Network Analysis Module
Answer: A
QUESTION 29
Which three compliance and audit report types are available in Cisco Prime Infrastructure?
(Choose three.)
A. Service
B. Change Audit
C. Vendor Advisory
D. TAC Service Request
E. Validated Design
F. Smart Business Architecture
Answer: ABC
QUESTION 30
Which statement about the Cisco ASA botnet traffic filter is true?
A. The four threat levels are low, moderate, high, and very high.
B. By default, the dynamic-filter drop blacklist interface outside command drops traffic with a threat
level of high or very high.
C. Static blacklist entries always have a very high threat level.
D. A static or dynamic blacklist entry always takes precedence over the static whitelist entry.
Answer: C
QUESTION 31
Where in the Cisco ASA appliance CLI are Active/Active Failover configuration parameters
configured?
A. admin context
B. customer context
C. system execution space
D. within the system execution space and admin context
E. within each customer context and admin context
Answer: C
QUESTION 32
Which Cisco ASA object group type offers the most flexibility for grouping different services
together based on arbitrary protocols?
A. network
B. ICMP
C. protocol
D. TCP-UDP
E. service
Answer: E
QUESTION 33
Which Cisco ASA show command groups the xlates and connections information together in its
output?
A. show conn
B. show conn detail
C. show xlate
D. show asp
E. show local-host
Answer: E
QUESTION 34
When a Cisco ASA is configured in multiple context mode, within which configuration are the
interfaces allocated to the security contexts?
A. each security context

B. system configuration
C. admin context (context with the "admin" role)
D. context startup configuration file (.cfg file)
Answer: B
QUESTION 35
When troubleshooting redundant interface operations on the Cisco ASA, which configuration
should be verified?
A. The nameif configuration on the member physical interfaces are identical.

B. The MAC address configuration on the member physical interfaces are identical.
C. The active interface is sending periodic hellos to the standby interface.
D. The IP address configuration on the logical redundant interface is correct.
E. The duplex and speed configuration on the logical redundant interface are correct.
Answer: D
QUESTION 36
On the Cisco ASA, where are the Layer 5-7 policy maps applied?
A. inside the Layer 3-4 policy map

B. inside the Layer 3-4 class map
C. inside the Layer 5-7 class map
D. inside the Layer 3-4 service policy
E. inside the Layer 5-7 service policy
Answer: A
QUESTION 37
A Cisco ASA requires an additional feature license to enable which feature?
A. transparent firewall
B. cut-thru proxy
C. threat detection
D. botnet traffic filtering
E. TCP normalizer
Answer: D
QUESTION 38
Which four are IPv6 First Hop Security technologies? (Choose four.)
A. Send
B. Dynamic ARP Inspection
C. Router Advertisement Guard
D. Neighbor Discovery Inspection
E. Traffic Storm Control
F. Port Security
G. DHCPv6 Guard
Answer: ACDG
QUESTION 39
IPv6 addresses in an organization's network are assigned using Stateless Address
Autoconfiguration. What is a security concern of using SLAAC for IPv6 address assignment?
A. Man-In-The-Middle attacks or traffic interception using spoofed IPv6 Router Advertisements

B. Smurf or amplification attacks using spoofed IPv6 ICMP Neighbor Solicitations
C. Denial of service attacks using TCP SYN floods
D. Denial of Service attacks using spoofed IPv6 Router Solicitations
Answer: A
QUESTION 40
Which two parameters must be configured before you enable SCP on a router? (Choose two.)
A. SSH
B. authorization
C. ACLs
D. NTP
E. TACACS+
Answer: AB
QUESTION 41
A network engineer is troubleshooting and configures the ASA logging level to debugging.
The logging-buffer is dominated by %ASA-6-305009 log messages. Which command suppresses
those syslog messages while maintaining ability to troubleshoot?
A. no logging buffered 305009
B. message 305009 disable
C. no message 305009 logging
D. no logging message 305009
Answer: D
QUESTION 42
Which option describes the purpose of the input parameter when you use the packet-tracer
command on a Cisco device?
A. to provide detailed packet-trace information

B. to specify the source interface for the packet trace
C. to display the trace capture in XML format
D. to specify the protocol type for the packet trace
Answer: B
QUESTION 43
Which two options are two purposes of the packet-tracer command? (Choose two.)
A. to filter and monitor ingress traffic to a switch

B. to configure an interface-specific packet trace
C. to inject virtual packets into the data path
D. to debug packet drops in a production network
E. to correct dropped packets in a production network
Answer: CD
QUESTION 44
Which set of commands enables logging and displays the log buffer on a Cisco ASA?
A. enable logging
show logging
B. logging enable
show logging
C. enable logging int e0/1
view logging
D. logging enable
logging view config
Answer: B
QUESTION 45
By default, not all services in the default inspection class are inspected. Which Cisco ASA CLI
command do you use to determine which inspect actions are applied to the default inspection
class?
A. show policy-map global_policy
B. show policy-map inspection_default
C. show class-map inspection_default
D. show class-map default-inspection-traffic
E. show service-policy global
Answer: E
QUESTION 46
Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only
the debug output to syslog? (Choose three.)
A. logging list test message 711001

B. logging debug-trace
C. logging trap debugging
D. logging message 711001 level 7
E. logging trap test
Answer: ABE
QUESTION 47
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)
A. AAA server
B. Cisco ASDM
C. buffer
D. SNMP traps
E. LDAP server
F. email
G. TCP-based secure syslog server
Answer: BCDFG
QUESTION 48
When configuring security contexts on the Cisco ASA, which three resource class limits can be
set using a rate limit? (Choose three.)
A. address translation rate

B. Cisco ASDM session rate
C. connections rate
D. MAC-address learning rate (when in transparent mode)
E. syslog messages rate
F. stateful packet inspections rate
Answer: CEF
QUESTION 49
The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco
ASA options will not support these requirements? (Choose three.)
A. transparent mode
B. multiple context mode
C. active/standby failover mode
D. active/active failover mode
E. routed mode
F. no NAT-control
Answer: ABD
QUESTION 50
Which command displays syslog messages on the Cisco ASA console as they occur?
A. Console logging <level>

B. Logging console <level>
C. Logging trap <level>
D. Terminal monitor
E. Logging monitor <level>
Answer: B
QUESTION 51
Which three configurations are needed to enable SNMPv3 support on the Cisco ASA? (Choose
three.)
A. SNMPv3 Local EngineID

B. SNMPv3 Remote EngineID
C. SNMP Users
D. SNMP Groups
E. SNMP Community Strings
F. SNMP Hosts
Answer: CDF
QUESTION 52
Which two configurations are the minimum needed to enable EIGRP on the Cisco ASA
appliance? (Choose two.)
A. Enable the EIGRP routing process and specify the AS number.

B. Define the EIGRP default-metric.
C. Configure the EIGRP router ID.
D. Use the neighbor command(s) to specify the EIGRP neighbors.
E. Use the network command(s) to enable EIGRP on the Cisco ASA interface(s).
Answer: AE
QUESTION 53
All 30 users on a single floor of a building are complaining about network slowness. After
investigating the access switch, the network administrator notices that the MAC address table is
full (10,000 entries) and all traffic is being flooded out of every port. Which action can the
administrator take to prevent this from occurring?
A. Configure port-security to limit the number of mac-addresses allowed on each port

B. Upgrade the switch to one that can handle 20,000 entries
C. Configure private-vlans to prevent hosts from communicating with one another
D. Enable storm-control to limit the traffic rate
E. Configure a VACL to block all IP traffic except traffic to and from that subnet
Answer: A
QUESTION 54
A network printer has a DHCP server service that cannot be disabled. How can a layer 2 switch
be configured to prevent the printer from causing network issues?
A. Remove the ip helper-address

B. Configure a Port-ACL to block outbound TCP port 68
C. Configure DHCP snooping
D. Configure port-security
Answer: C
QUESTION 55
A switch is being configured at a new location that uses statically assigned IP addresses. Which
will ensure that ARP inspection works as expected?
A. Configure the 'no-dhcp' keyword at the end of the ip arp inspection command
B. Enable static arp inspection using the command 'ip arp inspection static vlan vlan- number
C. Configure an arp access-list and apply it to the ip arp inspection command
D. Enable port security
Answer: C
QUESTION 56
Which two voice protocols can the Cisco ASA inspect? (Choose two.)
A. MGCP
B. IAX
C. Skype
D. CTIQBE
Answer: AD
QUESTION 57
You have explicitly added the line deny ipv6 any log to the end of an IPv6 ACL on a router
interface. Which two ICMPv6 packet types must you explicitly allow to enable traffic to traverse
the interface? (Choose two.)
A. router solicitation
B. router advertisement
C. neighbor solicitation
D. neighbor advertisement
E. redirect
Answer: CD
QUESTION 58
Enabling what security mechanism can prevent an attacker from gaining network topology
information from CDP?
A. MACsec
B. Flex VPN
C. Control Plane Protection
D. Dynamic Arp Inspection
Answer: A
QUESTION 59
Which log level provides the most detail on the Cisco Web Security Appliance?
A. Debug
B. Critical
C. Trace
D. Informational
Answer: C
QUESTION 60
What is the lowest combination of ASA model and license providing 1 Gigabit Ethernet
interfaces?
A. ASA 5505 with failover license option

B. ASA 5510 Security+ license option
C. ASA 5520 with any license option
D. ASA 5540 with AnyConnect Essentials License option
Answer: B
QUESTION 61
Which URL matches the regex statement "http"*/"www.cisco.com/"*[^E]"xe"?
A. https://www.cisco.com/ftp/ios/tftpserver.exe
B. https://cisco.com/ftp/ios/tftpserver.exe
C. http:/www.cisco.com/ftp/ios/tftpserver.Exe
D. https:/www.cisco.com/ftp/ios/tftpserver.EXE
Answer: A
QUESTION 62
Which two statements about Cisco IOS Firewall are true? (Choose two.)
A. It provides stateful packet inspection.

B. It provides faster processing of packets than Cisco ASA devices provide.
C. It provides protocol-conformance checks against traffic.
D. It eliminates the need to secure routers and switches throughout the network.
E. It eliminates the need to secure host machines throughout the network.
Answer: AC
QUESTION 63
Which two VPN types can you monitor and control with Cisco Prime Security Manager? (Choose
two.)
A. AnyConnect SSL
B. site-to-site
C. clientless SSL
D. IPsec remote-access
Answer: AD
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asacx/9-
1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1.pdf
QUESTION 64
What are three attributes that can be applied to a user account with RBAC? (Choose three.)
A. domain
B. password
C. ACE tag
D. user roles
E. VDC group tag
F. expiry date
Answer: BDF
QUESTION 65
Which command is used to nest objects in a pre-existing group?
A. object-group
B. network group-object
C. object-group network
D. group-object
Answer: D
QUESTION 66
Which threat-detection feature is used to keep track of suspected attackers who create
connections to too many hosts or ports?
A. complex threat detection

B. scanning threat detection
C. basic threat detection
D. advanced threat detection
Answer: B
QUESTION 67
What is the default behavior of an access list on the Cisco ASA security appliance?
A. It will permit or deny traffic based on the access-list criteria.

B. It will permit or deny all traffic on a specified interface.
C. An access group must be configured before the access list will take effect for traffic control.
D. It will allow all traffic.
Answer: C
QUESTION 68
What is the default behavior of NAT control on Cisco ASA Software Version 8.3?
A. NAT control has been deprecated on Cisco ASA Software Version 8.3.
B. It will prevent traffic from traversing from one enclave to the next without proper access configuration.
C. It will allow traffic to traverse from one enclave to the next without proper access configuration.
D. It will deny all traffic.
Answer: A
QUESTION 69
Which three options are hardening techniques for Cisco IOS routers? (Choose three.)
A. limiting access to infrastructure with access control lists

B. enabling service password recovery
C. using SSH whenever possible
D. encrypting the service password
E. using Telnet whenever possible
F. enabling DHCP snooping
Answer: ACD
QUESTION 70
What command alters the SSL ciphers used by the Cisco Email Security Appliance for TLS
sessions and HTTPS access?
A. sslconfig
B. sslciphers
C. tlsconifg
D. certconfig
Answer: A
QUESTION 71
What is the CLI command to enable SNMPv3 on the Cisco Web Security Appliance?
A. snmpconfig
B. snmpenable
C. configsnmp
D. enablesnmp
Answer: A
QUESTION 72
The Cisco Email Security Appliance can be managed with both local and external users of
different privilege levels. What three external modes of authentication are supported? (Choose
three.)
A. LDAP authentication
B. RADIUS Authentication
C. TACAS
D. SSH host keys
E. Common Access Card Authentication
F. RSA Single use tokens
Answer: ABD
QUESTION 73
When a Cisco ASA is configured in multicontext mode, which command is used to change
between contexts?
A. changeto config context

B. changeto context
C. changeto/config context change
D. changeto/config context 2
Answer: B
QUESTION 74
Which statement about the Cisco Security Manager 4.4 NAT Rediscovery feature is true?
A. It provides NAT policies to existing clients that connect from a new switch port.
B. It can update shared policies even when the NAT server is offline.
C. It enables NAT policy discovery as it updates shared polices.
D. It enables NAT policy rediscovery while leaving existing shared polices unchanged.
Answer: D
QUESTION 75
When you install a Cisco ASA AIP-SSM, which statement about the main Cisco ASDM home
page is true?
A. It is replaced by the Cisco AIP-SSM home page.

B. It must reconnect to the NAT policies database.
C. The administrator can manually update the page.
D. It displays a new Intrusion Prevention panel.
Answer: D
QUESTION 76
Which Cisco product provides a GUI-based device management tool to configure Cisco access
routers?
A. Cisco ASDM
B. Cisco CP Express
C. Cisco ASA 5500
D. Cisco CP
Answer: D
QUESTION 77
Which statement about Cisco IPS Manager Express is true?
A. It provides basic device management for large-scale deployments.

B. It provides a GUI for configuring IPS sensors and security modules.
C. It enables communication with Cisco ASA devices that have no administrative access.
D. It provides greater security than simple ACLs.
Answer: B
QUESTION 78
Which three options describe how SNMPv3 traps can be securely configured to be sent by IOS?
(Choose three.)
A. An SNMPv3 group is defined to configure the read and write views of the group.
B. An SNMPv3 user is assigned to SNMPv3 group and defines the encryption and authentication credentials.
C. An SNMPv3 host is configured to define where the SNMPv3 traps will be sent.
D. An SNMPv3 host is used to configure the encryption and authentication credentials for SNMPv3 traps.
E. An SNMPv3 view is defined to configure the address of where the traps will be sent.
F. An SNMPv3 group is used to configure the OIDs that will be reported.
Answer: ABC
QUESTION 79
Cisco Security Manager can manage which three products? (Choose three.)
A. Cisco IOS
B. Cisco ASA
C. Cisco IPS
D. Cisco WLC
E. Cisco Web Security Appliance
F. Cisco Email Security Appliance
G. Cisco ASA CX
H. Cisco CRS
Answer: ABC
QUESTION 80
When a Cisco ASA is configured in transparent mode, how can ARP traffic be controlled?
A. By enabling ARP inspection; however, it cannot be controlled by an ACL

B. By enabling ARP inspection or by configuring ACLs
C. By configuring ACLs; however, ARP inspection is not supported
D. By configuring NAT and ARP inspection
Answer: A
QUESTION 81
What are two primary purposes of Layer 2 detection in Cisco IPS networks? (Choose two.)
A. identifying Layer 2 ARP attacks

B. detecting spoofed MAC addresses and tracking 802.1X actions and data communication after a
successful client association
C. detecting and preventing MAC address spoofing in switched environments
D. mitigating man-in-the-middle attacks
Answer: AD
QUESTION 82
What is the primary purpose of stateful pattern recognition in Cisco IPS networks?
A. mitigating man-in-the-middle attacks

B. using multipacket inspection across all protocols to identify vulnerability-based attacks and to
thwart attacks that hide within a data stream
C. detecting and preventing MAC address spoofing in switched environments
D. identifying Layer 2 ARP attacks
Answer: B
QUESTION 83
What are two reasons to implement Cisco IOS MPLS Bandwidth-Assured Layer 2 Services?
(Choose two.)
A. guaranteed bandwidth and peak rates as well as low cycle periods, regardless of which systems access
the device
B. increased resiliency through MPLS FRR for AToM circuits and better bandwidth utilization through MPLS TE
C. enabled services over an IP/MPLS infrastructure, for enhanced MPLS Layer 2 functionality
D. provided complete proactive protection against frame and device spoofing
Answer: BC
QUESTION 84
What is the maximum jumbo frame size for IPS standalone appliances with 1G and 10G fixed or
add-on interfaces?
A. 1024 bytes
B. 1518 bytes
C. 2156 bytes
D. 9216 bytes
Answer: D
QUESTION 85
Which two statements about Cisco IDS are true? (Choose two.)
A. It is preferred for detection-only deployment.

B. It is used for installations that require strong network-based protection and that include sensor tuning.
C. It is used to boost sensor sensitivity at the expense of false positives.
D. It is used to monitor critical systems and to avoid false positives that block traffic.
E. It is used primarily to inspect egress traffic, to filter outgoing threats.
Answer: AD
QUESTION 86
What are two reasons for implementing NIPS at enterprise Internet edges? (Choose two.)
A. Internet edges typically have a lower volume of traffic and threats are easier to detect.
B. Internet edges typically have a higher volume of traffic and threats are more difficult to detect.
C. Internet edges provide connectivity to the Internet and other external networks.
D. Internet edges are exposed to a larger array of threats.
E. NIPS is more optimally designed for enterprise Internet edges than for internal network configurations.
Answer: CD
QUESTION 87
Which statement about the Cisco ASA configuration is true?
A. All input traffic on the inside interface is denied by the global ACL.
B. All input and output traffic on the outside interface is denied by the global ACL.
C. ICMP echo-request traffic is permitted from the inside to the outside, and ICMP echo-reply will be
permitted from the outside back to inside.
D. HTTP inspection is enabled in the global policy.
E. Traffic between two hosts connected to the same interface is permitted.
Answer: B
QUESTION 88
In the default global policy, which traffic is matched for inspections by default?
A. match any
B. match default-inspection-traffic
C. match access-list
D. match port
E. match class-default
Answer: B
QUESTION 89
Which set of commands creates a message list that includes all severity 2 (critical) messages on
a Cisco security device?
A. logging list critical_messages level 2

console logging critical_messages
B. logging list critical_messages level 2
logging console critical_messages
C. logging list critical_messages level 2
logging console enable critical_messages
D. logging list enable critical_messages level 2 console logging critical_messages
Answer: B
QUESTION 90
An administrator is deploying port-security to restrict traffic from certain ports to specific MAC
addresses. Which two considerations must an administrator take into account when using the
switchport port-security mac-address sticky command? (Choose two.)
A. The configuration will be updated with MAC addresses from traffic seen ingressing the port.
The configuration will automatically be saved to NVRAM if no other changes to the configuration have
been made.
B. The configuration will be updated with MAC addresses from traffic seen ingressing the port.
The configuration will not automatically be saved to NVRAM.
C. Only MAC addresses with the 5th most significant bit of the address (the 'sticky' bit) set to 1 will be learned.
D. If configured on a trunk port without the 'vlan' keyword, it will apply to all vlans.
E. If configured on a trunk port without the 'vlan' keyword, it will apply only to the native vlan.
Answer: BE
QUESTION 91
Which command configures the SNMP server group1 to enable authentication for members of the
access list east?
A. snmp-server group group1 v3 auth access east
B. snmp-server group1 v3 auth access east
C. snmp-server group group1 v3 east
D. snmp-server group1 v3 east access
Answer: A
QUESTION 92
Lab Simulation
Answer:
Please check the steps in explanation part below:
(1) Click on Service Policy Rules, then Edit the default inspection rule.
(2) Click on Rule Actions, then enable HTTP as shown here:
(3) Click on Configure, then add as shown here:
(4) Create the new map in ASDM like shown:
(5) Edit the policy as shown:
(6) Hit OK
QUESTION 93
Hotspot Questions
Which statement about how the Cisco ASA supports SNMP is true?
A. All SNMFV3 traffic on the inside interface will be denied by the global ACL
B. The Cisco ASA and ASASM provide support for network monitoring using SNMP Versions 1,2c,
and 3, but do not support the use of all three versions simultaneously.
C. The Cisco ASA and ASASM have an SNMP agent that notifies designated management ,.
stations if events occur that are predefined to require a notification, for example, when a link in
the network goes up or down.
D. SNMPv3 is enabled by default and SNMP v1 and 2c are disabled by default.
E. SNMPv3 is more secure because it uses SSH as the transport mechanism.
Answer: C
Explanation:
This can be verified by this ASDM screen shot:
QUESTION 94
Hotspot Questions
SNMP users have a specified username, a group to which the user belongs, authentication
password, encryption password, and authentication and encryption algorithms to use. The
authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES,
3DES, andAES (which is available in 128,192, and 256 versions). When you create a user, with
which option must you associate it?
A. an SNMP group
B. at least one interface
C. the SNMP inspection in the global_policy
D. at least two interfaces
Answer: A
Explanation:
This can be verified via the ASDM screen shot shown here:
QUESTION 95
Hotspot Questions
An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure
SNMFV3 hosts, which option must you configure in addition to the target IP address?
A. the Cisco ASA as a DHCP server, so the SNMFV3 host can obtain an IP address
B. a username, because traps are only sent to a configured user
C. SSH, so the user can connect to the Cisco ASA
D. the Cisco ASA with a dedicated interface only for SNMP, to process the SNMP host traffic.
Answer: B
Explanation:
The username can be seen here on the ASDM simulator screen shot:
QUESTION 96
Refer to the exhibit. To protect Host A and Host B from communicating with each other, which
type of PVLAN port should be used for each host?
A. Host A on a promiscuous port and Host B on a community port

B. Host A on a community port and Host B on a promiscuous port
C. Host A on an isolated port and Host B on a promiscuous port
D. Host A on a promiscuous port and Host B on a promiscuous port
E. Host A on an isolated port and host B on an isolated port
F. Host A on a community port and Host B on a community port
Answer: E
QUESTION 97
Which security operations management best practice should be followed to enable appropriate
network access for administrators?
A. Provide full network access from dedicated network administration systems

B. Configure the same management account on every network device
C. Dedicate a separate physical or logical plane for management traffic
D. Configure switches as terminal servers for secure device access
Answer: C
QUESTION 98
Which two features block traffic that is sourced from non-topological IPv6 addresses? (Choose
two.)
A. DHCPv6 Guard
B. IPv6 Prefix Guard
C. IPv6 RA Guard
D. IPv6 Source Guard
Answer: BD
QUESTION 99
Which three options correctly identify the Cisco ASA1000V Cloud Firewall? (Choose three.)
A. operates at Layer 2
B. operates at Layer 3
C. secures tenant edge traffic
D. secures intraswitch traffic
E. secures data center edge traffic
F. replaces Cisco VSG
G. complements Cisco VSG
H. requires Cisco VSG
Answer: BCG
QUESTION 100
Which two options are private-VLAN secondary VLAN types? (Choose two)
A. Isolated
B. Secured
C. Community
D. Common
E. Segregated
Answer: AC
Explanation:
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/
CLIConfigurationGuide/PrivateVLANs.html
QUESTION 101
Which two statements about zone-based firewalls are true? (Choose two.)
A. More than one interface can be assigned to the same zone.

B. Only one interface can be in a given zone.
C. An interface can only be in one zone.
D. An interface can be a member of multiple zones.
E. Every device interface must be a member of a zone.
Answer: AC
QUESTION 102
An attacker has gained physical access to a password protected router. Which command will
prevent access to the startup-config in NVRAM?
A. no service password-recovery
B. no service startup-config
C. service password-encryption
D. no confreg 0x2142
Answer: A
QUESTION 103
Which command tests authentication with SSH and shows a generated key?
A. show key mypubkey rsa

B. show crypto key mypubkey rsa
C. show crypto key
D. show key mypubkey
Answer: B
QUESTION 104
Which configuration keyword will configure SNMPv3 with authentication but no encryption?
A. Auth
B. Priv
C. No auth
D. Auth priv
Answer: A
QUESTION 105
In IOS routers, what configuration can ensure both prevention of ntp spoofing and accurate time
ensured?
A. ACL permitting udp 123 from ntp server

B. ntp authentication
C. multiple ntp servers
D. local system clock
Answer: B
QUESTION 106
Which product can manage licenses, updates, and a single signature policy for 15 separate IPS
appliances?
A. Cisco Security Manager

B. Cisco IPS Manager Express
C. Cisco IPS Device Manager
D. Cisco Adaptive Security Device Manager
Answer: A
QUESTION 107
Which three statements about private VLANs are true? (Choose three.)
A. Isolated ports can talk to promiscuous and community ports.

B. Promiscuous ports can talk to isolated and community ports.
C. Private VLANs run over VLAN Trunking Protocol in client mode.
D. Private VLANS run over VLAN Trunking Protocol in transparent mode.
E. Community ports can talk to each other as well as the promiscuous port.
F. Primary, secondary, and tertiary VLANs are required for private VLAN implementation.
Answer: BDE
QUESTION 108
When you set a Cisco IOS Router as an SSH server, which command specifies the RSA public
key of the remote peer when you set the SSH server to perform RSA-based authentication?
A. router(config-ssh-pubkey-user)#key
B. router(conf-ssh-pubkey-user)#key-string
C. router(config-ssh-pubkey)#key-string
D. router(conf-ssh-pubkey-user)#key-string enable ssh
Answer: B
QUESTION 109
Enabling what security mechanism can prevent an attacker from gaining network topology
information from CDP via a man-in-the-middle attack?
A. MACsec
B. Flex VPN
C. Control Plane Protection
D. Dynamic Arp Inspection
Answer: A
QUESTION 110
On an ASA running version 9.0, which command is used to nest objects in a pre-existing group?
A. object-group
B. network group-object
C. object-group network
D. group-object
Answer: D
QUESTION 11
Which ASA feature is used to keep track of suspected attackers who create connections to too
many hosts or ports?
A. complex threat detection
B. scanning threat detection
C. basic threat detection
D. advanced threat detection
Answer: B
QUESTION 112
What is the default behavior of an access list on a Cisco ASA?
A. It will permit or deny traffic based on the access list criteria.

B. It will permit or deny all traffic on a specified interface.
C. It will have no affect until applied to an interface, tunnel-group or other traffic flow.
D. It will allow all traffic.
Answer: C
QUESTION 113
When configuring a new context on a Cisco ASA device, which command creates a domain for
the context?
A. domain config name

B. domain-name
C. changeto/domain name change
D. domain context 2
Answer: B
QUESTION 114
Which statement describes the correct steps to enable Botnet Traffic Filtering on a Cisco ASA
version 9.0 transparent-mode firewall with an active Botnet Traffic Filtering license?
A. Enable DNS snooping, traffic classification, and actions.

B. Botnet Traffic Filtering is not supported in transparent mode.
C. Enable the use of the dynamic database, enable DNS snooping, traffic classification, and actions.
D. Enable the use of dynamic database, enable traffic classification and actions.
Answer: C
QUESTION 115
Which Cisco switch technology prevents traffic on a LAN from being disrupted by a broadcast,
multicast, or unicast flood on a port?
A. port security
B. storm control
C. dynamic ARP inspection
D. BPDU guard
E. root guard
F. dot1x
Answer: B
QUESTION 116
You are a security engineer at a large multinational retailer. Your Chief Information Officer
recently attended a security conference and has asked you to secure the network infrastructure
from VLAN hopping.
Which statement describes how VLAN hopping can be avoided?
A. There is no such thing as VLAN hopping because VLANs are completely isolated.
B. VLAN hopping can be avoided by using IEEE 802.1X to dynamically assign the access VLAN to
all endpoints and setting the default access VLAN to an unused VLAN ID.
C. VLAN hopping is avoided by configuring the native (untagged) VLAN on both sides of an ISL
trunk to an unused VLAN ID.
D. VLAN hopping is avoided by configuring the native (untagged) VLAN on both sides of an IEEE
802.1Q trunk to an unused VLAN ID.
Answer: D
QUESTION 117
You are the administrator of a Cisco ASA 9.0 firewall and have been tasked with ensuring that the
Firewall Admins Active Directory group has full access to the ASA configuration. The Firewall
Operators Active Directory group should have a more limited level of access.
Which statement describes how to set these access levels?
A. Use Cisco Directory Agent to configure the Firewall Admins group to have privilege level 15
access. Also configure the Firewall Operators group to have privilege level 6 access.
B. Use TACACS+ for Authentication and Authorization into the Cisco ASA CLI, with ACS as the AAA
server. Configure ACS CLI command authorization sets for the Firewall Operators group.
Configure level 15 access to be assigned to members of the Firewall Admins group.
C. Use RADIUS for Authentication and Authorization into the Cisco ASA CLI, with ACS as the AAA
server. Configure ACS CLI command authorization sets for the Firewall Operators group.
Configure level 15 access to be assigned to members of the Firewall Admins group.
D. Active Directory Group membership cannot be used as a determining factor for accessing the
Cisco ASA CLI.
Answer: B
QUESTION 118
A router is being enabled for SSH command line access.
The following steps have been taken:
- The vty ports have been configured with transport input SSH and login
local.
- Local user accounts have been created.
- The enable password has been configured.
What additional step must be taken if users receive a 'connection refused' error when attempting
to access the router via SSH?
A. A RSA keypair must be generated on the router

B. An access list permitting SSH inbound must be configured and applied to the vty ports
C. An access list permitting SSH outbound must be configured and applied to the vty ports
D. SSH v2.0 must be enabled on the router
Answer: A
QUESTION 119
Which two configurations are necessary to enable password-less SSH login to an IOS router?
(Choose two.)
A. Enter a copy of the administrator's public key within the SSH key-chain
B. Enter a copy of the administrator's private key within the SSH key-chain
C. Generate a 512-bit RSA key to enable SSH on the router
D. Generate an RSA key of at least 768 bits to enable SSH on the router
E. Generate a 512-bit ECDSA key to enable SSH on the router
F. Generate a ECDSA key of at least 768 bits to enable SSH on the router
Answer: AD
QUESTION 120
Which two features does Cisco Security Manager provide? (Choose two.)
A. Configuration and policy deployment before device discovery

B. Health and performance monitoring
C. Event management and alerting
D. Command line menu for troubleshooting
E. Ticketing management and tracking
Answer: BC
QUESTION 121
An administrator installed a Cisco ASA that runs version 9.1. You are asked to configure the
firewall through Cisco ASDM.
When you attempt to connect to a Cisco ASA with a default configuration, which username and
password grants you full access?
A. admin / admin
B. asaAdmin / (no password)
C. It is not possible to use Cisco ASDM until a username and password are created via the
username usernamepassword password CLI command.
D. enable_15 / (no password)
E. cisco / cisco
Answer: D
QUESTION 122
Which three options are default settings for NTP parameters on a Cisco ASA? (Choose three.)
A. NTP authentication is enabled.

B. NTP authentication is disabled.
C. NTP logging is enabled.
D. NTP logging is disabled.
E. NTP traffic is not restricted.
F. NTP traffic is restricted.
Answer: BDE
QUESTION 123
Which two options are purposes of the packet-tracer command? (Choose two.)
A. to filter and monitor ingress traffic to a switch

B. to configure an interface-specific packet trace
C. to simulate network traffic through a data path
D. to debug packet drops in a production network
E. to automatically correct an ACL entry in an ASA
Answer: CD
QUESTION 124
Refer to the exhibit. Server A is a busy server that offers these services:
- World Wide Web

- DNS
Which command captures http traffic from Host A to Server A?
A. capture traffic match udp host 10.1.1.150 host 10.2.2.100

B. capture traffic match 80 host 10.1.1.150 host 10.2.2.100
C. capture traffic match ip 10.2.2.0 255.255.255.192 host 10.1.1.150
D. capture traffic match tcp host 10.1.1.150 host 10.2.2.100
E. capture traffic match tcp host 10.2.2.100 host 10.1.1.150 eq 80
Answer: D
QUESTION 125
Your company is replacing a high-availability pair of Cisco ASA 5550 firewalls with the newer
Cisco ASA 5555-X models. Due to budget constraints, one Cisco ASA 5550 will be replaced at a
time.
Which statement about the minimum requirements to set up stateful failover between these two
firewalls is true?
A. You must install the USB failover cable between the two Cisco ASAs and provide a 1 Gigabit
Ethernet interface for state exchange.
B. It is not possible to use failover between different Cisco ASA models.
C. You must have at least 1 Gigabit Ethernet interface between the two Cisco ASAs for state
exchange.
D. You must use two dedicated interfaces. One link is dedicated to state exchange and the other link
is for heartbeats.
Answer: B
QUESTION 126
In which two modes is zone-based firewall high availability available? (Choose two.)
A. IPv4 only
B. IPv6 only
C. IPv4 and IPv6
D. routed mode only
E. transparent mode only
F. both transparent and routed modes
Answer: CD
QUESTION 127
You are the administrator of a multicontext transparent-mode Cisco ASA that uses a shared
interface that belongs to more than one context. Because the same interface will be used within
all three contexts, which statement describes how you will ensure that return traffic will reach the
correct context?
A. Interfaces may not be shared between contexts in routed mode.

B. Configure a unique MAC address per context with the no mac-address auto command.
C. Configure a unique MAC address per context with the mac-address auto command.
D. Use static routes on the Cisco ASA to ensure that traffic reaches the correct context.
Answer: C
QUESTION 128
A rogue device has connected to the network and has become the STP root bridge, which has
caused a network availability issue.
Which two commands can protect against this problem? (Choose two.)
A. switch(config)#spanning-tree portfast bpduguard default
B. switch(config)#spanning-tree portfast bpdufilter default
C. switch(config-if)#spanning-tree portfast
D. switch(config-if)#spanning-tree portfast disable
E. switch(config-if)#switchport port-security violation protect
F. switch(config-if)#spanning-tree port-priority 0
Answer: AC
QUESTION 129
According to Cisco best practices, which two interface configuration commands help prevent
VLAN hopping attacks? (Choose two.)
A. switchport mode access

B. switchport access vlan 2
C. switchport mode trunk
D. switchport access vlan 1
E. switchport trunk native vlan 1
F. switchport protected
Answer: AB
QUESTION 130
When it is configured in accordance to Cisco best practices, the switchport port-security
maximum command can mitigate which two types of Layer 2 attacks? (Choose two.)
A. rogue DHCP servers

B. ARP attacks
C. DHCP starvation
D. MAC spoofing
E. CAM attacks
F. IP spoofing
Answer: CE
QUESTION 131
When configured in accordance to Cisco best practices, the ip verify source command can
mitigate which two types of Layer 2 attacks? (Choose two.)
A. rogue DHCP servers

B. ARP attacks
C. DHCP starvation
D. MAC spoofing
E. CAM attacks
F. IP spoofing
Answer: DF
QUESTION 132
Lab Sim
Answer:
Please check the steps in explanation part below:
(1) Click on Service Policy Rules, then Edit the default inspection rule.
(2) Click on Rule Actions, then enable HTTP as shown here:
(3) Click on Configure, then add as shown here:
(4) Create the new map in ASDM like shown:
(5) Edit the policy as shown:
(6) Hit OK
QUESTION 133
You have installed a web server on a private network. Which type of NAT must you implement to
enable access to the web server for public Internet users?
A. static NAT
B. dynamic NAT
C. network object NAT
D. twice NAT
Answer: A
QUESTION 134
Which type of object group will allow configuration for both TCP 80 and TCP 443?
A. service
B. network
C. time range
D. user group
Answer: A
QUESTION 135
When you configure a Botnet Traffic Filter on a Cisco firewall, what are two optional tasks?
(Choose two.)
A. Enable the use of dynamic databases.

B. Add static entries to the database.
C. Enable DNS snooping.
D. Enable traffic classification and actions.
E. Block traffic manually based on its syslog information.
Answer: BE
QUESTION 136
Refer to the exhibit. What is the effect of this configuration?
A. The firewall will inspect IP traffic only between networks 192.168.1.0 and 192.168.2.0.
B. The firewall will inspect all IP traffic except traffic to 192.168.1.0 and 192.168.2.0.
C. The firewall will inspect traffic only if it is defined within a standard ACL.
D. The firewall will inspect all IP traffic.
Answer: A
QUESTION 137
When you configure a Cisco firewall in multiple context mode, where do you allocate interfaces?
A. in the system execution space

B. in the admin context
C. in a user-defined context
D. in the global configuration
Answer: A
QUESTION 138
At which layer does Dynamic ARP Inspection validate packets?
A. Layer 2
B. Layer 3
C. Layer 4
D. Layer 7
Answer: A
QUESTION 139
Which feature can suppress packet flooding in a network?
A. PortFast
B. BPDU guard
C. Dynamic ARP Inspection
D. storm control
Answer: D
QUESTION 140
What is the default violation mode that is applied by port security?
A. restrict
B. protect
C. shutdown
D. shutdown VLAN
Answer: C
QUESTION 141
What are two security features at the access port level that can help mitigate Layer 2 attacks?
(Choose two.)
A. DHCP snooping
B. IP Source Guard
C. Telnet
D. Secure Shell
E. SNMP
Answer: AB
QUESTION 142
At which layer does MACsec provide encryption?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
QUESTION 143
What are two enhancements of SSHv2 over SSHv1? (Choose two.)
A. VRF-aware SSH support

B. DH group exchange support
C. RSA support
D. keyboard-interactive authentication
E. SHA support
Answer: AB
QUESTION 144
What is the result of the default ip ssh server authenticate user command?
A. It enables the public key, keyboard, and password authentication methods.
B. It enables the public key authentication method only.
C. It enables the keyboard authentication method only.
D. It enables the password authentication method only.
Answer: A
QUESTION 145
What are three of the RBAC views within Cisco IOS Software? (Choose three.)
A. Admin
B. CLI
C. Root
D. Super Admin
E. Guest
F. Super
Answer: BCF
QUESTION 146
Which Cisco TrustSec role does a Cisco ASA firewall serve within an identity architecture?
A. Access Requester
B. Policy Decision Point
C. Policy Information Point
D. Policy Administration Point
E. Policy Enforcement Point
Answer: E
QUESTION 147
What are two high-level task areas in a Cisco Prime Infrastructure life-cycle workflow? (Choose
two.)
A. Design
B. Operate
C. Maintain
D. Log
E. Evaluate
Answer: AB
QUESTION 148
What are three ways to add devices in Cisco Prime Infrastructure? (Choose three.)
A. Use an automated process.

B. Import devices from a CSV file.
C. Add devices manually.
D. Use RADIUS.
E. Use the Access Control Server.
F. Use Cisco Security Manager.
Answer: ABC
QUESTION 149
Which statement about Cisco Security Manager form factors is true?
A. Cisco Security Manager Professional and Cisco Security Manager UCS Server Bundles support
FWSMs.
B. Cisco Security Manager Standard and Cisco Security Manager Professional support FWSMs.
C. Only Cisco Security Manager Professional supports FWSMs.
D. Only Cisco Security Manager Standard supports FWSMs.
Answer: A
QUESTION 150
Which Cisco Security Manager form factor is recommended for deployments with fewer than 25
devices?
A. only Cisco Security Manager Standard

B. only Cisco Security Manager Professional
C. only Cisco Security Manager UCS Server Bundle
D. both Cisco Security Manager Standard and Cisco Security Manager Professional
Answer: A
QUESTION 151
Which two TCP ports must be open on the Cisco Security Manager server to allow the server to
communicate with the Cisco Security Manager client? (Choose two.)
A. 1741
B. 443
C. 80
D. 1740
E. 8080
Answer: AB
QUESTION 152
Which command enables the HTTP server daemon for Cisco ASDM access?
A. http server enable

B. http server enable 443
C. crypto key generate rsa modulus 1024
D. no http server enable
Answer: A
QUESTION 153
Which function in the Cisco ADSM ACL Manager pane allows an administrator to search for a
specfic element?
A. Find
B. Device Management
C. Search
D. Device Setup
Answer: A
QUESTION 154
Which two router commands enable NetFlow on an interface? (Choose two.)
A. ip flow ingress
B. ip flow egress
C. ip route-cache flow infer-fields
D. ip flow ingress infer-fields
E. ip flow-export version 9
Answer: AB
QUESTION 155
Refer to the exhibit. Which two statements about the SNMP configuration are true? (Choose two.)
A. The router's IP address is 192.168.1.1.

B. The SNMP server's IP address is 192.168.1.1.
C. Only the local SNMP engine is configured.
D. Both the local and remote SNMP engines are configured.
E. The router is connected to the SNMP server via port 162.
Answer: BD
QUESTION 156
To which port does a firewall send secure logging messages?
A. TCP/1500
B. UDP/1500
C. TCP/500
D. UDP/500
Answer: A
QUESTION 157
What is a required attribute to configure NTP authentication on a Cisco ASA?
A. Key ID
B. IPsec
C. AAA
D. IKEv2
Answer: A
QUESTION 158
Which function does DNSSEC provide in a DNS infrastructure?
A. It authenticates stored information.

B. It authorizes stored information.
C. It encrypts stored information.
D. It logs stored security information.
Answer: A
QUESTION 159
Refer to the exhibit. Which two statements about this firewall output are true? (Choose two.)
A. The output is from a packet tracer debug.

B. All packets are allowed to 192.168.1.0 255.255.0.0.
C. All packets are allowed to 192.168.1.0 255.255.255.0.
D. All packets are denied.
E. The output is from a debug all command.
Answer: AC
QUESTION 160
Which utility can you use to troubleshoot and determine the timeline of packet changes in a data
path within a Cisco firewall?
A. packet tracer
B. ping
C. traceroute
D. SNMP walk
Answer: A
QUESTION 161
What can an administrator do to simultaneously capture and trace packets in a Cisco ASA?
A. Install a Cisco ASA virtual appliance.

B. Use the trace option of the capture command.
C. Use the trace option of the packet-tracer command.
D. Install a switch with a code that supports capturing, and configure a trunk to the Cisco ASA.
Answer: B
QUESTION 162
Refer to the exhibit. Which command can produce this packet tracer output on a firewall?
A. packet-tracer input INSIDE tcp 192.168.1.100 88 192.168.2.200 3028

B. packet-tracer output INSIDE tcp 192.168.1.100 88 192.168.2.200 3028
C. packet-tracer input INSIDE tcp 192.168.2.200 3028 192.168.1.100 88
D. packet-tracer output INSIDE tcp 192.168.2.200 3028 192.168.1.100 88
Answer: A
QUESTION 163
At which firewall severity level will debugs appear on a Cisco ASA?
A. 7
B. 6
C. 5
D. 4
Answer: A
QUESTION 164
A Cisco ASA is configured in multiple context mode and has two user-defined contexts--
Context_A and Context_B. From which context are device logging messages sent?
A. Admin
B. Context_A
C. Context_B
D. System
Answer: A
QUESTION 165
Which three statements about the software requirements for a firewall failover configuration are
true? (Choose three.)
A. The firewalls must be in the same operating mode.

B. The firewalls must have the same major and minor software version.
C. The firewalls must be in the same context mode.
D. The firewalls must have the same major software version but can have different minor versions.
E. The firewalls can be in different context modes.
F. The firewalls can have different Cisco AnyConnect images.
Answer: ABC
QUESTION 166
What can you do to enable inter-interface firewall communication for traffic that flows between
two interfaces of the same security level?
A. Run the command same-security-traffic permit inter-interface globally.

B. Run the command same-security-traffic permit intra-interface globally.
C. Configure both interfaces to have the same security level.
D. Run the command same-security-traffic permit inter-interface on the interface with the highest
security level.
Answer: A
QUESTION 167
How many bridge groups are supported on a firewall that operate in transparent mode?
A. 8
B. 16
C. 10
D. 6
Answer: A
QUESTION 168
In which way are management packets classified on a firewall that operates in multiple context
mode?
A. by their interface IP address

B. by the routing table
C. by NAT
D. by their MAC addresses
Answer: A
QUESTION 169
Where on a firewall does an administrator assign interfaces to contexts?
A. in the system execution space

B. in the admin context
C. in a user-defined context
D. in the console
Answer: A
QUESTION 170
Which kind of Layer 2 attack targets the STP root bridge election process and allows an attacker
to control the flow of traffic?
A. man-in-the-middle
B. denial of service
C. distributed denial of service
D. CAM overflow
Answer: A
QUESTION 171
Which Layer 2 security feature validates ARP packets?
A. DAI
B. DHCP server
C. BPDU guard
D. BPDU filtering
Answer: A
QUESTION 172
If you disable PortFast on switch ports that are connected to a Cisco ASA and globally turn on
BPDU filtering, what is the effect on the switch ports?
A. The switch ports are prevented from going into an err-disable state if a BPDU is received.
B. The switch ports are prevented from going into an err-disable state if a BPDU is sent.
C. The switch ports are prevented from going into an err-disable state if a BPDU is received and
sent.
D. The switch ports are prevented from forming a trunk.
Answer: C
QUESTION 173
In a Cisco ASAv failover deployment, which interface is preconfigured as the failover interface?
A. GigabitEthernet0/2
B. GigabitEthernet0/4
C. GigabitEthernet0/6
D. GigabitEthernet0/8
Answer: D
QUESTION 174
What are the three types of private VLAN ports? (Choose three.)
A. promiscuous
B. isolated
C. community
D. primary
E. secondary
F. trunk
Answer: ABC
QUESTION 175
Which VTP mode supports private VLANs on a switch?
A. transparent
B. server
C. client
D. off
Answer: A
QUESTION 176
Which technology can be deployed with a Cisco ASA 1000V to segregate Layer 2 access within a
virtual cloud environment?
A. Cisco Nexus 1000V

B. Cisco VSG
C. WSVA
D. ESVA
Answer: A
QUESTION 177
Which cloud characteristic is used to describes the sharing of physical resources between various
entities ?
A. Elasticity
B. Ubiquitous access
C. Multitenancy
D. Resiliency
Answer: C
Explanation:
Resource pooling/Multi-Tenancy: The provider's computing resources are pooled to serve
multiple consumers using a multi-tenant model, with different physical and virtual resources
dynamically assigned and reassigned according to consumer demand. There is a sense of
location independence in that the customer generally has no control or knowledge over the exact
location of the provided resources but may be able to specify location at a higher level of
abstraction (e.g., country, state or datacenter). Examples of resources include storage,
processing, memory and network bandwidth.
QUESTION 178
Refer to the exhibit. Which type of ACL is shown in this configuration?
A. IPv4
B. IPv6
C. unified
D. IDFW
Answer: C
QUESTION 179
You are the network security engineer for the Secure-X network. The company has recently
detected Increase of traffic to malware Infected destinations. The Chief Security Officer deduced
that some PCs in the internal networks are infected with malware and communicate with malware
infected destinations.
The CSO has tasked you with enable Botnet traffic filter on the Cisco ASA to detect and deny
further connection attempts from infected PCs to malware destinations. You are also required to
test your configurations by initiating connections through the Cisco ASA and then display and
observe the Real-Time Log Viewer in ASDM.
To successfully complete this activity, you must perform the following tasks:
- Download the dynamic database and enable use of it.

- Enable the ASA to download of the dynamic database
- Enable the ASA to download of the dynamic database.
- Enable DNS snooping for existing DNS inspection service policy
rules..
- Enable Botnet Traffic Filter classification on the outside interface
for All Traffic.
- Configure the Botnet Traffic Filter to drop blacklisted traffic on
the outside interface. Use the default Threat Level settings
NOTE: The database files are stored in running memory; they are not stored in flash memory.
NOTE: DNS is enabled on the inside interface and set to the HQ-SRV (10.10.3.20).
NOTE: Not all ASDM screens are active for this exercise.
- Verify that the ASA indeed drops traffic to blacklisted destinations

by doing the following:
- From the Employee PC, navigate to http://www.google.com to make sure
that access to the Internet is working.
- From the Employee PC, navigate to http://bot-sparta.no-ip.org. This
destination is classified as malware destination by the Cisco SIO
database.
- From the Employee PC, navigate to http://superzarabotok-gid.ru/. This
destination is classified as malware destination by the Cisco SIO
database.
- From Admin PC, launch ASDM to display and observe the Real-Time Log
Viewer.
You have completed this exercise when you have configured and successfully tested Botnet
traffic filter on the Cisco ASA.
See the explanation for detailed answer to this sim question.
First, click on both boxes on the Botnet Database as shown below and hit apply:
Click Yes to send the commands when prompted.
Then, click on the box on the DNS Snooping page as shown below and hit apply:
Click Yes to send the commands when prompted.

Then, click on the box on the Traffic Settings tab as shown:
At which point this pop-up box will appear when you click on the Add button:
Click OK. Then Apply. Then Send when prompted.
Then verify that all is working according to the instructions given in the question.
QUESTION 180
You are a network security engineer for the Secure-X network. You have been tasked with
implementing dynamic network object NAT with PAT on a Cisco ASA. You must configure the
Cisco ASA such that the source IP addresses of all internal hosts are translated to a single IP
address (using different ports) when the internal hosts access the Internet.
To successfully complete this activity, you must perform the following tasks:
- Use the Cisco ASDM GUI on the Admin PC to configure dynamic network
object NAT with PAT using the following parameters:
- Network object name: Internal-Networks
- IP subnet: 10.10.0.0/16
- Translated IP address: 192.0.2.100
- Source interface: inside
- Destination interface: outside
NOTE: The object (TRANSLATED-INSIDE-HOSTS) for this translated IP address has already
been created for your use in this activity.
NOTE: Not all ASDM screens are active for this exercise.
NOTE: Login credentials are not needed for this simulation.
- In the Cisco ASDM, display and view the auto-generated NAT rule.
- From the Employee PC, generate traffic to SP-SRV by opening a browser
and navigating to http://sp-srv.sp.public.
- From the Guest PC, generate traffic to SP-SRV by opening a browser
and navigating to http://sp-srv.sp.public.
- At the CLI of the Cisco ASA, display your NAT configuration. You
should see the configured policy and statistics for translated packets.
- At the CLI of the Cisco ASA, display the translation table. You
should see dynamic translations for the Employee PC and the Guest PC.
Both inside IP addresses translate to the same IP address, but using
different ports.
You have completed this exercise when you have configured and successfully tested dynamic
network object NAT with PAT.
Answer:
See the explanation for detailed answer to this sim question.
First, click on Add Network Objects on the Network Objects/Groups tab and fill in the information
as shown below:
Then, use the advanced tab and configure it as shown below:
Then hit OK, OK again, Apply, and then Send when prompted. You can verify using the
instructions provided in the question
QUESTION 181
Refer to the exhibit. What type of attack is being mitigated on the Cisco ASA appliance?
A. HTTP and POST flood attack
B. HTTP Compromised-Key Attack
C. HTTP Shockwave Flash exploit
D. HTTP SQL injection attack
Answer: D
QUESTION 182
Hotspot Question
In your role as network security administrator, you have installed syslog server software on a
server whose IP address is 10.10.2.40. According to the exhibits, why isn't the syslog server
receiving any syslog messages?
A. Logging is not enabled globally on the Cisco ASA.

B. The syslog server has failed.
C. There have not been any events with a severity level of seven.
D. The Cisco ASA is not configured to log messages to the syslog server at that IP address.
Answer: B
Explanation:
By process of elimination, we know that the other answers choices are not correct so that only
leaves us with the server must have failed. We can see from the following screen shots, that
events are being generated with severity level of debugging and below, The 10.10.2.40 IP
address has been configured as a syslog server, and that logging has been enabled globally:
QUESTION 183
Hotspot Question
According to the logging configuration on the Cisco ASA, what will happen if syslog server
10.10.2.40 fails?
A. New connections through the ASA will be blocked and debug system logs will be sent to the
internal buffer.
B. New connections through the ASA will be blocked and informational system logs will be sent to
the internal buffer.
C. New connections through the ASA will be blocked and system logs will be sent to server
10.10.2.41.
D. New connections through the ASA will be allowed and system logs will be sent to server
10.10.2.41.
E. New connections through the ASA will be allowed and informational system logs will be sent to
the internal buffer.
F. New connections through the ASA will be allowed and debug system logs will be sent to the
internal buffer.
Answer: B
Explanation:
This is shown by the following screen shot:
QUESTION 184
Hotspot Question
Which statement is true of the logging configuration on the Cisco ASA?
A. The contents of the internal buffer will be saved to an FTP server before the buffer is overwritten.
B. The contents of the internal buffer will be saved to flash memory before the buffer is overwritten.
C. System log messages with a severity level of six and higher will be logged to the internal buffer.
D. System log messages with a severity level of six and lower will be logged to the internal buffer.
Answer: C
Explanation:
QUESTION 185
Which statement about Cisco ASA NetFlow v9 (NSEL) is true?
A. NSEL events match all traffic classes in parallel
B. NSEL is has a time interval locked at 20 seconds and is not user configurable
C. NSEL tracks flow-create, flow-teardown, and flow-denied events and generates appropriate NSEL
data records
D. You cannot disable syslog messages that have become redundant because of NSEL
E. NSEL tracks the flow continuously and provides updates every 10 second
F. NSEL provides stateless IP flow tracking that exports all record od a specific flow
Answer: C
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_nsel.
html
QUESTION 186
Which URL downloads a copy of packet-capture named "security" residing on a Cisco ASA
adaptive security appliance with IP 10.10.100.11?
A. https://10.10.10.11/security .pcap/download
B. https://10.10.10.11/asa/security/pcap
C. https://10.10.10.11/capture/security.pcap
D. https://10.10.10.11/capture/security/pcap
Answer: D
Explanation:
QUESTION 187
Which two options are protocols and tools that are used by the management plane when
discussing Cisco ASA general management plane hardening? ( Choose two )
A. Unicast Reverse Path Forwarding

B. NetFlow
C. Routing Protocol Authentication
D. Threat detection
E. Syslog
F. ICMP unreachables
G. Cisco URL Filtering
Answer: BE
Explanation:
http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html
QUESTION 188
Which option describes the enhancements that SNMPv3 adds over 1 and 2 versions?
A. Predefined events that generate message from the SNMP agent to the NMS
B. Addition of authentication and privacy options
C. Cleartext transmission of data between SNMP server and SNMP agent
D. Addition of the ability to predefine events using traps
E. Pooling of devices using GET-NEXT requests
F. Use of the object identifier
Answer: B
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf014.html
QUESTION 189
When a Cisco ASA CX module is management by Cisco Prime Security Manager in a Multiple
Devices Mode, which mode does the firewall use ?
A. Managed Mode
B. Unmanaged mode
C. Single mode
D. Multi mode
Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asacx/9-
1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1b_User_Guide_for_ASA_CX_and_PR
SM_9_1_chapter_011 0.html#task_7E648F43AD724DA2983699B12E92A528
QUESTION 190
Prior to a software upgrade, which Cisco Prime Infrastructure feature determines if the devices
being upgraded have sufficient RAM to support te new software ?
A. Software Upgrade Report

B. Image Management Report
C. Upgrade Analysis Report
D. Image Analysis Report
Answer: C
Explanation:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-
0/user/guide/prime_infra_ug/maint_images.html
QUESTION 191
Which option is the default logging buffer size In memory of the Cisco ASA adaptive security
appliance?
A. 8KB
B. 32KB
C. 2KB
D. 16KB
E. 4KB
Answer: E
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_c
onfig/ monitor_syslog.html
QUESTION 192
What is the best description of a unified ACL on a Cisco Firewall
A. An IPv4 ACL with Ipv4 support

B. An ACL the support EtherType in additional Ipv6
C. An ACL with both Ipv4 and Ipv6 functionality
D. An IPv6 ACL with Ipv4 backward compatitiblity
Answer: C
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
intro_intro.html
QUESTION 193
Which options lists cloud deployment modes?
A. Private, public, hydrid, community

B. Private, public, hydrid, shared
C. IaaS, PaaS, SaaS
D. Private, public, hydrid
Answer: A
Explanation:
https://www.ibm.com/developerworks/community/blogs/722f6200-f4ca-4eb3-9d64-
8d2b58b2d4e8/entry/4_Types_of_Cloud_Computing_Deployment_Model_You_Need_to_Know1
?lang=en
QUESTION 194
Where do you apply a control plane services policy to implement Management Plane Protection
on a Cisco Router?
A. Control-plane router
B. Control-plane host
C. Control-plane interface management 0/0
D. Control-plane service policy
Answer: B
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html
QUESTION 195
Which option is a valid action for a port security violation ?
A. Restrict
B. Reject
C. Disable
D. Reset
Answer: A
QUESTION 196
Which statement about the configuration of the Cisco ASA NetFlow v9 (NSEL) is true ?
A. To view bandwidth usage for the NetFlow record, you must enable QoS features.
B. Use sysopt command to enable NSEL on a specific interface.
C. NSEL can be used without a collector configured.
D. NSEL tracks the flow continuously and provides updates every 10 seconds.
E. You must define a flow-export event type under a policy.
Answer: E
Explanation:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/
monitor_nsel.html
QUESTION 197
How much storage is allotted to maintain system, configuration, and image files on the Cisco ASA
1000V during OVF template file deployment?
A. 1GB
B. 5GB
C. 2GB
D. 10GB
Answer: C
QUESTION 198
Which feature is a limitation of a Cisco ASA 5555-X running 8.4.5 version with multiple contexts?
A. Deep packet inspection

B. Packet tracer
C. IPsec
D. Manual/auto NAT
E. Multipolicy packet capture
Answer: C
QUESTION 199
When access rule properties are configured within ASDM, which traffic direction type is required
by global and management access rule?
A. Any
B. Both in and out
C. In
D. Out
Answer: C
QUESTION 200
Which option is a different type of secondary VLAN?
A. Transparent
B. Promiscuous
C. Virtual
D. Community
Answer: D
QUESTION 201
Refer to the exhibit. Which statement about this access list is true?
A. This access list does not work without 6to4 NAT

B. IPv6 to IPv4 traffic permitted on the Cisco ASA by default
C. This access list is valid and works without additional configuration
D. This access list is not valid and does not work at all
E. We can pass only IPv6 to IPv6 and IPv4 to IPv4 traffic
Answer: A
Explanation:
ASA 9.0(1) code introduced the Unified ACL for IPv4 and IPv6. ACLs now support IPv4 and IPv6
addresses. You can even specify a mix of IPv4 and IPv6 addresses for the source and
destination. The any keyword was changed to represent IPv4 and IPv6 traffic. The any4 and any6
keywords were added to represent IPv4-only and IPv6-only traffic, respectively. The IPv6-specific
ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs.
QUESTION 202
Which option must be configured on a transparent Cisco ASA adaptive security appliance for it to
be managed over Layer 3 networks?
A. Static routes
B. Routed interface
C. Security context
D. BVI
Answer: D
QUESTION 203
Which statement about Dynamic ARP Inspection is true ?
A. In a typical network, you make all ports as trusted expect for the ports connection to switches ,
which are untrusted
B. DAI associates a trust state with each switch
C. DAI determines the validity of an ARP packet based on valid IP to MAC address binding from the
DHCP snooping database
D. DAI intercepts all ARP requests and responses on trusted ports only
E. DAI cannot drop invalid ARP packets
Answer: C
QUESTION 204
Which command is the first that you enter to check whether or not ASDM is installed on the ASA?
A. Show ip
B. Show running-config asdm
C. Show running-config boot
D. Show version
E. Show route
Answer: D
QUESTION 205
Which option is the Cisco ASA on-box graphical management solution?
A. SSH
B. ASDM
C. Console
D. CSM
Answer: B
QUESTION 206
Which action is needed to set up SSH on the Cisco ASA firewall?
A. Create an ACL to aloew the SSH traffic to the Cisco ASA.

B. Configure DHCP for the client that will connect via SSH.
C. Generate a crypto key
D. Specify the SSH version level as either 1 or 2.
E. Enable the HTTP server to allow authentication.
Answer: C
QUESTION 207
At which layer does MACsecprovide encryption?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
Answer: B
QUESTION 208
Which command is used to disable Cisco Discovery Protocol globally on a router?
A. Cdp disable
B. No cdp enable
C. No cdp
D. No cdp run
Answer: D
QUESTION 209
Refer to the exhibit. This command is used to configure the SNMP server on a Cisco router.
Which option is the encryption password for the SNMP server?
A. sha
B. snmp
C. group-1
D. snmpv3
Answer: D
QUESTION 210
How much storage is allotted to maintain system,configuration, and image files on the Cisco ASA
1000V during OVF template file deployment?
A. 1GB
B. 5GB
C. 2GB
D. 10GB
Answer: C
QUESTION 211
Which action is considered a best practice for the Cisco ASA firewall?
A. Use threat detection to determine attacks

B. Disable the enable password
C. Disable console logging
D. Enable ICMP permit to monitor the Cisco ASA interfaces
E. Enable logging debug-trace to send debugs to the syslog server
Answer: A
QUESTION 212
Which option lists cloud deployment models?
A. Private, public, hybrid, shared

B. Private, public, hybrid
C. IaaS, PaaS, SaaS
D. Private, public, hybrid, community
Answer: D
Explanation:
https://www.ibm.com/developerworks/community/blogs/722f6200-f4ca-4eb3- 9d64-
8d2b58b2d4e8/entry/4_Types_of_Cloud_Computing_Deployment_Model_You_Need_to_K now1
?lang=en
QUESTION 213
Which statement about traffic storm control behavior is true?
A. Traffic storm control cannot determine if the packet is unicast or broadcast.

B. If you enable broadcast and multicast traffic storm control and the combined broadcast and
multicast traffic exceeds the level within a 1 second traffic storm interval, storm control drops all
broadcast and multicast traffic until the end of the storm interval
C. Traffic storm control uses the Individual/Group bit in the packet source address to determine if the
packet is unicast or broadcast.
D. Traffic storm control monitors incoming traffic levels over a 10 second traffic storm control interval
Answer: B
QUESTION 214
Which policy map action makes a Cisco router behave as a stateful firewall for matching traffic?
A. Log
B. Inspect
C. Permit
D. Deny
Answer: B
QUESTION 215
Refer to the exhibit. Which option describes the expected result of the capture ACL?
A. The capture is applied, but we cannot see any packets in the capture
B. The capture does not get applied and we get an error about mixed policy.
C. The capture is applied and we can see the packets in the capture
D. The capture is not applied because we must have a host IP as the source
Answer: B
QUESTION 216
Which configuration on a switch would be unsuccessful in preventing a DHCP starvation attack?
A. DHCP snooping
B. Port security
C. Source Guard
D. Rate Limiting
Answer: D
QUESTION 217
Refer to the exhibit. What traffic is being captured by the Cisco ASA adaptive security appliance?
A. UDP traffic sourced from host 10.10.0.12 on port 80

B. TCP traffic destined to host 10.10.0.12 on port 80
C. TCP traffic sourced from host 10.10.0.12 on port 80
D. UDP traffic destined to host 10.10.0.12 on port 80
Answer: C
QUESTION 218
When a traffic storm threshold occurs on a port, into which state can traffic storm control put the
port?
A. Disabled
B. Err-disabled
C. Disconnected
D. Blocked
E. Connected
Answer: B
QUESTION 219
Which Layer 2 security feature prevents traffic on a LAN from being disrupted by a
broadcast,multicat, or unicast storm on one physical interface?
A. Bridge protocol Data Unit Guard

B. Storm Control
C. Embedded event monitoring
D. Access control lists
Answer: B
QUESTION 220
Which three statements about transparent firewall are true? ( Choose three)
A. Transparent firewall works at Layer 2

B. Both interfaces must be configured with private IP Addresses
C. It can have only a management IP address
D. It does not support dynamic routing protocols
E. It only support PAT
Answer: ACD
QUESTION 221
Which information is NOT replicated to the secondary Cisco ASA adaptive security appliance in
an active/standby configuration with stateful failover links ?
A. TCP sessions
B. DHCP lease
C. NAT translations
D. Routing tables
Answer: B
QUESTION 222
Which Cisco prime Infrastructure features allows you to assign templates to a group of wireless
LAN controllers with similar configuration requirements?
A. Lightweight access point configuration template

B. Composite template
C. Controller configuration group
D. Shared policy object
Answer: C
QUESTION 223
For which management session types does ASDM allow a maximum simultaneous connection
limit to be set?
A. ASDM, Telnet, SSH

B. ASDM, Telnet, SSH, console
C. ASDM, Telnet, SSH, VTY
D. ASDM, Telnet, SSH, other
Answer: A

Vendor: Cisco Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network Security

Uploaded by

Vendor: Cisco Exam Code: 300-206 Exam Name: Implementing Cisco Edge Network Security

Uploaded by

Vendor: Cisco

Exam Code: 300-206

Exam Name: Implementing Cisco Edge Network Security

A. switch(config-if)# spanning-tree bpdufilter enable

A. cloning the Cisco ASA 1000V

A. It drops all traffic.

- The user will be responsible for configuring security policies on

What role will the administrator assign to the user?

A. HTTPS-enabled Mozilla Firefox version 3.x

A. The Cisco ASA appliance supports only SNMPv1 or SNMPv2c.

A. addresses that are unknown

A. NTP authentication is enabled.

A. When the Cisco Unified Communications Manager cluster is in non-secure mode

A. Virtual Service Node

A. admin (the default administrator account)

- The user will be responsible for configuring security policies on

What role will be assigned to the user?

A. each security context

A. The nameif configuration on the member physical interfaces are identical.

A. inside the Layer 3-4 policy map

A. Man-In-The-Middle attacks or traffic interception using spoofed IPv6 Router Advertisements

A. to provide detailed packet-trace information

A. to filter and monitor ingress traffic to a switch

A. show policy-map global_policy

A. logging list test message 711001

A. address translation rate

A. Console logging <level>

A. SNMPv3 Local EngineID

A. Enable the EIGRP routing process and specify the AS number.

A. Configure port-security to limit the number of mac-addresses allowed on each port

A. Remove the ip helper-address

A. ASA 5505 with failover license option

A. It provides stateful packet inspection.

A. complex threat detection

A. It will permit or deny traffic based on the access-list criteria.

A. limiting access to infrastructure with access control lists

A. changeto config context

A. It is replaced by the Cisco AIP-SSM home page.

A. It provides basic device management for large-scale deployments.

A. By enabling ARP inspection; however, it cannot be controlled by an ACL

A. identifying Layer 2 ARP attacks

A. mitigating man-in-the-middle attacks

A. It is preferred for detection-only deployment.

A. logging list critical_messages level 2

A. snmp-server group group1 v3 auth access east

(3) Click on Configure, then add as shown here:

(5) Edit the policy as shown:

A. Host A on a promiscuous port and Host B on a community port

A. Provide full network access from dedicated network administration systems

A. More than one interface can be assigned to the same zone.

A. show key mypubkey rsa

A. ACL permitting udp 123 from ntp server

A. Cisco Security Manager

A. Isolated ports can talk to promiscuous and community ports.

A. complex threat detection

A. It will permit or deny traffic based on the access list criteria.

A. domain config name

A. Enable DNS snooping, traffic classification, and actions.

A. A RSA keypair must be generated on the router

A. Configuration and policy deployment before device discovery

A. NTP authentication is enabled.

A. to filter and monitor ingress traffic to a switch

- World Wide Web

Which command captures http traffic from Host A to Server A?

A. capture traffic match udp host 10.1.1.150 host 10.2.2.100

A. Interfaces may not be shared between contexts in routed mode.

A. switchport mode access

A. rogue DHCP servers

A. rogue DHCP servers

(3) Click on Configure, then add as shown here:

(5) Edit the policy as shown:

A. Enable the use of dynamic databases.

A. in the system execution space

A. VRF-aware SSH support

A. Use an automated process.

A. only Cisco Security Manager Standard