Cisco Network Securit 210-260.172 PDF

Implementing Cisco Network Security
Number: 210-260
Passing Score: 860
Time Limit: 45 min
File Version: 1.0
http://www.gratisexam.com/
CCNA SECURITY 210-260

Implementing Cisco Network Security
Exam A
QUESTION 1
Which SOURCEFIRE logging action should you choose to record the most detail about a connection?
A.
B.
C.
D.
Enable logging at the beginning of the session

Enable logging at the end of the session
Enable alerts via SNMP to log events off-box
Enable eStreamer to log events off-boxx
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 2
What type of algorithm uses the same key to encrypt and decrypt data?
A.
B.
C.
D.
a symmetric algorithm
an asymmetric algorithm
a Public Key infrastructure algorithm
an IP Security algorithm
Correct Answer: A
Section: (none)
Explanation
QUESTION 3
If a packet matches more than one class map in an individual feature type's policy map, how does
the ASA handle the pa
A. The ASA will apply the actions from only the most specific matching class map if finds for
the feature type
B. The ASA will apply the actions from all matching class maps it finds for the feature type
C. The ASA will apply the actions from only the last matching class map it finds for the feature
type
D. The ASA will apply the actions from only the first matching class map it finds for the feature
type
Correct Answer: D
Section: (none)
Explanation
QUESTION 4
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing
Security Intelligence IP address Reputation. A user calls and is not able to access a certain IP
address. What action can you take to allow the user access to the IP address?
A.
B.
C.
D.
E.
Create a custom blacklist to allow traffic

Create a whitelist and add the appropriate IP address to allow traffic
Create a user based access control rule to allow the traffic
Create a network based access control rule to allow the traffic
Create a rule to bypass inspection to allow the traffic
Correct Answer: B
Section: (none)
Explanation
Whitelisting to eliminate false positiveswhen a blacklist is too broad in scope, or incorrectly
blocks traffic that you want to allow (for example, to vital resources), you can override a
blacklist with a custom whitelist
QUESTION 5
Which EAP method uses protected Access Credentials?
A.
B.
C.
D.
EAP-TLS
EAP-PEAP
EAP-FAST
EAP-CTC
Correct Answer: C
Section: (none)
Explanation
QUESTION 6
In which two situations should you use out-of-band management? (Choose two)
A.
B.
C.
D.
E.
when a network device fails to forward packets

when management applications need concurrent access to the device
when you require ROMMON access
when you require administrator access from multiple locations
when the control plane fails to respond
Correct Answer: AC
Section: (none)
Explanation
the use of a dedicated channel for managing network devices. This allows the network
operator to establish trust boundaries in accessing the management function to apply it to
network resources. It also can be used to ensure management connectivity (including the
ability to determine the status of any network component) independent of the status of
other in-band network components.
QUESTION 7
Which statement about communication over failover interfaces is true?
A. All information that is sent over the failover interface is send as clear text, but the stateful
failover link is encrypted by default
B. All information that is sent over the failover and stateful failover interfaces is encrypted by
default
C. All information that is sent over the failover and stateful failover interfaces is sent as clear
text by default
D. Usernames, password and preshared keys are encrypted by default when they are sent
over the failover and stateful failover interfaces, but other information is in clear text
Correct Answer: C
Section: (none)
Explanation
The failover configuration requires two identical security appliances connected to each
other through a dedicated and, optionally, a Stateful Failover link. The health of the active
interfaces and units is monitored to determine if specific failover conditions are met. If
those conditions are met, failover occurs.
The security appliance supports two failover configurations, Active/Active failover and
Active/Standby failover. Each failover configuration has its own method for determining
and performing failover.
With Active/Active failover, both units can pass network traffic. This also lets you configure
traffic sharing on your network. Active/Active failover is available only on units running in
multiple context mode.
With Active/Standby failover, only one unit passes traffic while the other unit waits in a
standby state. Active/Standby failover is available on units running in either single or
multiple context mode.
Both failover configurations support stateful or stateless (regular) failover.
All information sent over the failover and Stateful Failover links is sent in
clear text unless you secure the communication with a failover key. If the
security appliance is used to terminate VPN tunnels, this information
includes any usernames, passwords and preshared keys used for
establishing the tunnels. Transmitting this sensitive data in clear text could
pose a significant security risk. We recommend securing the failover
communication with a failover key if you are using the security appliance to
terminate VPN tunnels.
QUESTION 8
What features can protect the data plane? (Choose three)
A.
B.
C.
D.
policing
ACLs
IPS
antispoofing
E. QoS
F. DHCP-snooping
Correct Answer: BDF
Section: (none)
Explanation
QUESTION 9
How many crypto map sets can you apply to a router interface?
A.
B.
C.
D.
3
2
4
1
Correct Answer: D
Section: (none)
Explanation
QUESTION 10
What is the transition order of STP states on a Layer 2 switch interface?
A.
B.
C.
D.
listening, learning, blocking, forwarding, disabled

listening, blocking, learning, forwarding, disabled
blocking, listening, learning, forwarding, disabled
forwarding, listening, learning, blocking, diabled
Correct Answer: C
Section: (none)
Explanation
QUESTION 11
Which sensor mode can deny attackers inline?
A.
B.
C.
D.
IPS
fail-close
IDS
fail=open
Correct Answer: A
Section: (none)
Explanation
QUESTION 12
Which options are filtering options used to display SDEE message types?
A.
B.
C.
D.
stop
none
error
all
Correct Answer: CD
Section: (none)
Explanation
SDEE Messages
Choose the SDEE message type to display:
All SDEE error, status, and alert messages are shown.

ErrorOnly SDEE error messages are shown.
StatusOnly SDEE status messages are shown.
AlertsOnly SDEE alert messages are shown.
QUESTION 13
When a company puts a security policy in place, what is the effect on the company's business?
A.
B.
C.
D.
Minimizing risk
Minimizing total cost of ownership
Minimizing liability
Maximizing compliance
Correct Answer: A
Section: (none)
Explanation
QUESTION 14
Refer to the exhibit.
authentication event fail action next-method
authentication event no-response action authorize vlan 101
authentication order mad dotlx webauth
authentication priority dotlx mab
authentication port-control auto
dotlx pae authenticator
If a supplicant supplies incorrect credentials for the authentication methods configured on the switch,
how will the switch respond?
A. The switch will cycle through the configured authentication methods indefinitely
B. The supplicant will fail to advance beyond the webauth method

C. The authentication attempt will time out and the switch will place the port into the
unauthorized state
D. The authentication attempt will time out and the switch will place the port into VLAN 101
Correct Answer: B or C
Section: (none)
Explanation
QUESTION 15
Which wildcard mask is associated with a subnet mask of /27?
A.
B.
C.
D.
0.0.0.31
0.0.0.27
0.0.0.224
0.0.0.225
Correct Answer: A
Section: (none)
Explanation
QUESTION 16
Which statements about reflexive access lists are true?
A.
B.
C.
D.
E.
F.
Reflexive access lists create a permanent ACE

Reflexive access lists approximate session filtering using the established keyword
Reflexive access lists can be attached to standard named IP ACLs
Reflexive access lists support UDP sessions
Reflexive access lists can be attached to extended named IP ACLs
Reflexive access lists support TCP sessions
Correct Answer: DEF

Section: (none)
Explanation
QUESTION 17
According to Cisco best practices, which three protocols should the default ACL allow an
access port to enable wired BYO connect to the network?
A.
B.
C.
D.
E.
BOOTP
TFTP
DNS
MAB
HTTP
F. 802.1X
Correct Answer: ABC
Section: (none)
Explanation
QUESTION 18
Which actions can a promiscuous IPS take to mitigate an attack? (Choose three)
A.
B.
C.
D.
E.
F.
modifying packets
requesting connection blocking
denying packets
resetting the TCP connection
requesting host blocking
denying frames
Correct Answer: BDE

Section: (none)
Explanation
QUESTION 19
Which Cisco Security Manager application collects information about device status and uses it to
generate notification and alerts?
A.
B.
C.
D.
FlexConfig
Device Manager
Report Manager
Health and Performance Monitor
The Health and Performance Monitor is a stand-alone application that you can launch from
the other stand-alone Security Manager applications (Configuration Manager, Event
Viewer, Report Manager, and Image Manager); from the Windows Start menu; or from its
icon on your desktop.
The HPM application complements the Event Viewer and Report Manager applications, as
follows:
Correct Answer: D
Section: (none)
Explanation
QUESTION 20
Which command is needed to enable SSH support on a Cisco Router?
A. crypto key lock rsa
B. crypto key generate rsa

C. crypto key zeroize rsa
D. crypto key unlock rsa
Correct Answer: B
Section: (none)
Explanation
QUESTION 21
In which three ways does the TACACS protocol differ from RADIUS? (Choose three)
A.
B.
C.
D.
E.
F.
TACACS uses TCP to communicate with the NAS

TACACS can encrypt the entire packet that is sent to the NAS
TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted
TACACS uses UDP to communicate with the NAS
TACACS encrypts only the password field in an authentication packet
TACACS supports per-command authorization
Correct Answer: ABF

Section: (none)
Explanation
QUESTION 22
What is the purpose of the Integrity component of the CIA triad?
A.
B.
C.
D.
to ensure that only authorized parties can modify data

to determine whether data is relevant
to create a process for accessing data
to ensure that only authorized parties can view data
Correct Answer: A
Section: (none)
Explanation
CIA refers to Confidentiality, Integrity and Availability. Confidentiality of information,

integrity of information and availability of information. Many security measures are
designed to protect one or more facets of the CIA triad.
Confidentiality of information refers to protecting the information from disclosure to
unauthorized parties.
Integrity of information refers to protecting information from being modified by unauthorized
parties.
Availability of information refers to ensuring that authorized parties are able to access the
information when needed.
QUESTION 23
Which two statements about Telnet access to the ASA are true? (Choose two)
A. You may VPN to the lowest security interface to telnet to an inside interface.
B.
C.
D.
E.
You must configure an AAA server to enable Telnet

You can access all interfaces on an ASA using Telnet.
You must use the command virtual telnet to enable Telnet.
Best practice is to disable Telnet and use SSH
Correct Answer: AE
Section: (none)
Explanation
QUESTION 24
What are the two purposes of the Internet Key Exchange in an IPsec VPN? (Choose two)
A.
B.
C.
D.
The Internet Key Exchange protocol establishes security associations

The Internet Key Exchange protocol provides data confidentiality
The Internet Key Exchange protocol provides replay detection
The internet Key Exchange protocol is responsible for mutual authentication
Correct Answer: AD
Section: (none)
Explanation
QUESTION 25
Which protocol provides security to Secure Copy?
A.
B.
C.
D.
IPsec
SSH
HTTPS
ESP
Correct Answer: B
Section: (none)
Explanation
QUESTION 26
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the
menu option for Remote Desktop Which action should you take to begin troubleshooting?
A.
B.
C.
D.
Ensure that the RDP2 plug-in is installed on the VPN gateway

Reboot the VPN gateway
Instruct the user to reconnect to the VPN gateway
Ensure that the RDP plug-in is installed on the VPN gateway
Correct Answer: A
Section: (none)
Explanation
QUESTION 27
Which security zone is automatically defined by the system?
A.
B.
C.
D.
The source zone

The self zone
The destination zone
The inside zone
Correct Answer: B
Section: (none)
Explanation
QUESTION 28
Which three ESP fields can be encrypted during transmission? (Choose three)
A.
B.
C.
D.
E.
F.
Security Parameter Index

Sequence Number
MAC Address
Padding
Pad Length
Next Header
Correct Answer: DEF

Section: (none)
Explanation
QUESTION 29
Which address block is reserved for locally assigned unique local addresses?
A.
B.
C.
D.
2002::/16
FE00::/8
2001::/32
FB00::/8
Correct Answer: B
Section: (none)
Explanation
QUESTION 30
What is a possible reason for the error message?
Router(config)#aaa server?% Unrecognized command

A.
B.
C.
D.
The command syntax requires a space after the word "server"

The command is invalid on the target device
The router is already running the latest operating system
The router is a new device on which the aaa new-model command must be applied before
continuing
Correct Answer: D
Section: (none)
Explanation
QUESTION 31
Which statements about smart tunnels on a Cisco firewall are true? (Choose two)
A.
B.
C.
D.
Smart tunnels can be used by clients that do not have administrator privileges
Smart tunnels support all operating systems
Smart tunnels offer better performance than port forwarding
Smart tunnels require the client to have the application installed locally
Correct Answer: AD
Section: (none)
Explanation
QUESTION 32
Which option describes information that must be considered when you apply an access list to a
physical interface?
A.
B.
C.
D.
Protocol used for filtering

Direction of the access class
Direction of the access group
Direction of the access list
Correct Answer: C
Section: (none)
Explanation
QUESTION 33
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500
Correct Answer: C
Section: (none)
Explanation
QUESTION 34
Which of the following are features of IPsec transport mode? (Choose three)
A.
B.
C.
D.
E.
F.
IPsec transport mode is used between end stations

IPsec transport mode is used between gateways
IPsec transport mode supports multicast
IPsec transport mode supports unicast
IPsec transport mode encrypts only the payload
IPsec transport mode encrypts the entire packet
Correct Answer: ADE

Section: (none)
Explanation
Tunnel mode:
Tunnel mode protects the internal routing information by encrypting the IP header of the original
packet. The original packet is encapsulated by another set of IP headers.
It is widely implemented in site-to-site VPN scenarios.
NAT traversal is supported with the tunnel mode.
Additional headers are added to the packet; so the payload MSS is less.
Transport mode:
The transport mode encrypts only the payload and ESP trailer; so the IP header of the original
packet is not encrypted.
The IPsec Transport mode is implemented for client-to-site VPN scenarios.
NAT traversal is not supported with the transport mode.
MSS is higher, when compared to Tunnel mode, as no additional headers are required.
The transport mode is usually used when another tunneling protocol (such as GRE, L2TP) is
used to first encapsulate the IP data packet, then IPsec is used to protect the GRE/L2TP tunnel
packets.
QUESTION 35
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
A.
B.
C.
D.
no switchport nonnegotiate
switchport
no switchport mode dynamic auto
no switchport
Correct Answer: D
Section: (none)
Explanation
QUESTION 36
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A.
B.
C.
D.
show crypto map

show crypto ipsec sa
show crypto isakmp sa
show crypto engine connection active
Correct Answer: C
Section: (none)
Explanation
QUESTION 37
What is the purpose of a honeypot IPS?
A.
B.
C.
D.
To create customized policies

To detect unknown attacks
To normalize streams
To collect information about attacks
Correct Answer: D
Section: (none)
Explanation
QUESTION 38
Which type of firewall can act on behalf of the end device?
A.
B.
C.
D.
Stateful packet
Application
Packet
Proxy
Correct Answer: D
Section: (none)
Explanation
QUESTION 39
Refer to the exhibit.
While troubleshooting site-to-site VPN, you issue the show crypto isakmp sa command. What does
the given output show
A.
B.
C.
D.
IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5

IPSec Phase 1 is down due to a QM_IDLE state
IPSec Phase 2 is down due to a QM_IDLE state
Correct Answer: A
Section: (none)
Explanation
QUESTION 40
What type of attack was the Stuxnet virus?
A.
B.
C.
D.
cyber warfare
hactivism
botnet
social engineering
Correct Answer: A
Section: (none)
Explanation
QUESTION 41
Which type of secure connectivity does an extranet provide?
A.
B.
C.
D.
remote branch offices to your company network

your company network to the Internet
new networks to your company network
other company networks to your company network
Correct Answer: D
Section: (none)
Explanation
QUESTION 42
After reloading a router, you issue the dir command to verify the installation and observe that
the image file appears to be file fail to appear in the dir output?
A.
B.
C.
D.
The secure boot-image command is configured

The secure boot-comfit command is configured
The confreg 0x24 command is configured
The reload comman was issued from ROMMON
Correct Answer: A
Section: (none)
Explanation
QUESTION 43
What is a reason for an organization to deploy a personal firewall?
A.
B.
C.
D.
To protect endpoints such as desktops from malicious activity

To protect one virtual network segment from another
To determine whether a host meets minimum security posture requirements
To create a separate, non-persistent virtual environment that can be destroyed after a
session
E. To protect the network from DoS and syn-flood attacks
Correct Answer: A
Section: (none)
Explanation
QUESTION 44
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
A.
B.
C.
D.
NAT traversal
Hairpinning
split tunneling
NAT
Correct Answer: B
Section: (none)
Explanation
QUESTION 45
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
A.
B.
C.
D.
Deploy an antimalware system

Perform a Layer 6 reset
Deny the connection inline
Enable bypass mode
Correct Answer: C
Section: (none)
Explanation
QUESTION 46
Which statement about Cisco ACS authentication and authorization is true?
A.
B.
C.
D.
ACS can query multiple Active Directory domains

ACS servers can be clustered to provide scalability
ACS can use only one authorization profile to allow or deny requests
ACS uses TACACS to proxy other authentication servers
Correct Answer: B
Section: (none)
Explanation
QUESTION 47
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
A. Stateful inspection for multicast traffic is supported only between the self-zone and the internal
zone
B. Only control plane policing can protect the control plane against multicast traffic
C. Stateful inspection of multicast traffic is supported only for the self zone
D. Stateful inspection of multicast traffic is supported only for the internal zone
Correct Answer: B
Section: (none)
Explanation
QUESTION 48
What is one requirement for locking a wired or wireless device from ISE?
A.
B.
C.
D.
The user must approve the locking action

The ISE agent must be installed on the device
The organization must implement an acceptable use policy allowing device locking
The device must be connected to the network when the lock command is executed
Correct Answer: B
Section: (none)
Explanation
QUESTION 49
Refer to the exhibit. What type of firewall would use the given configuration line?
UPD outside 209.165.201.225:53 inside 10.0.0.10:52464, idle 0:00:01, bytes 226 flags A.
B.
C.
D.
E.
a stateless firewall
a stateful firewall
an application firewall
a proxy firewall
a personal firewall
Correct Answer: B
Section: (none)
Explanation
QUESTION 50
For what reason would you configure multiple security contexts on the ASA firewall?
A.
B.
C.
D.
To enable the use of multicast routing and QoS through the firewall
To separate different departments and business units
To enable the use of VFRs on routers that are adjacently connected
To provide redundancy and high availability within the organization
Correct Answer: B
Section: (none)
Explanation
QUESTION 51
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
A.
B.
C.
D.
Portscan Detection
IP Defragmentation
Inline Normalization
Rate-Based Prevention
Correct Answer: D
Section: (none)
Explanation
QUESTION 52
What are two default Cisco IOS privilege levels? (Choose two)
A.
B.
C.
D.
E.
F.
0
5
1
7
10
15
Correct Answer: CF
Section: (none)
Explanation
By default, there are three command levels on the router:
privilege level 0 Includes the disable, enable, exit, help, and logout commands.
privilege level 1 Normal level on Telnet; includes all user-level commands at the
router> prompt.
privilege level 15 Includes all enable-level commands at the router# prompt.
QUESTION 53
What is the effect of the given command sequence?
crypto map mymap 20
match address 201
access-list 201 permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.255.255.0
A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of
10.100.100.0/24
B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of
10.10.10.0/24
C. It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of
10.100.100.0/24
D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of
10.10.10.0/24
Correct Answer: A
Section: (none)
Explanation
QUESTION 54
Which tool can an attacker use to attempt a DDoS attack?
A.
B.
C.
D.
Trojan horse
botnet
virus
adware
Correct Answer: B
Section: (none)
Explanation
QUESTION 55
How does the Cisco ASA use Active Directory to authorize VPN users?
A. It sends the username and password to retire an ACCEPT or Reject message from the Active
Directory server
B. It queries the Active Directory server for a specific attribute for the specific user
C. It downloads and stores the Active Directory database to query for future authorization
D. It redirects requests to the Active Directory server defined for the VPN group
Correct Answer: B
Section: (none)
Explanation
QUESTION 56
Which statement about application blocking is true?
A.
B.
C.
D.
It blocks access to files with specific extensions

It blocks access to specific network addresses
It blocks access to specific programs
It blocks access to specific network services
Correct Answer: C
Section: (none)
Explanation
QUESTION 57
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network
connection?
A.
B.
C.
D.
hairpinning
tunnel mode
split tunneling
transparent mode
Correct Answer: C
Section: (none)
Explanation
QUESTION 58
When is the best time to perform an anti-virus signature update?
A.
B.
C.
D.
Every time a new update is available

When the system detects a browser hook
When a new virus is discovered in the wild
When the local scanner has detected a new virus
Correct Answer: A
Section: (none)
Explanation
QUESTION 59
What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command?
A. It configures the device to begin transmitting the authentication key to other devices
at 00:00:00 local time on January indefinitely
B. It configures the device to begin transmitting the authentication key to other devices
at 23:59:00 local time on December indefinitely
C. It configures the device to begin accepting the authentication key from other devices
immediately
and stop accepting t December 31, 2013
D. It configures the device to generate a new authentication key and transmit it to other devices at
23:59:00 local time on
E. It configures the device to begin accepting the authentication key from other devices at
23:59:00 local time on December key indefinitely
F. It configures the device to begin accepting the authentication key from other devices at
00:00:00 local time on January indefinitely
Correct Answer: B
Section: (none)
Explanation
QUESTION 60
What Statement about personal firewalls is true?
A.
B.
C.
D.
They can protect the network against attacks

They can protect a system by denying probing requests
They are resilient against kernel attacks
They can protect email messages and private documents in a similar way to a VPN
Correct Answer: B
Section: (none)
Explanation
QUESTION 61
Refer to the exhibit. While troubleshooting site-to-site VPN, you issue the show crypto ipsec sa
command.
What does the given output show?
current_peer: 10.1.1.5 PERMIT, flags=[origin_is_acl, }
#pkts encaps: 1205,

#pkts encrypt: 1205,
#pkts digest 1205
#pkts decaps: 1168,
#pkts decrypt: 1168,
#pkts verify 1168
#pkts compressed: 0,
#pkts compr. failed: 0,
#pkts decompress failed: 0,
#send errors 0,
#recv errors 0 local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.5
A.
B.
C.
D.
ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1

IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5
IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets
Correct Answer: B
Section: (none)
Explanation
QUESTION 62
Which statement about a PVLAN isolated port configured on a switch is true?
A.
B.
C.
D.
The isolated port can communicate only with community ports

The isolated port can communicate only with the promiscuous port
The isolated port can communicate with other isolated ports and the promiscuous port
The isolated port can communicate only with other isolated ports
Correct Answer: B
Section: (none)
Explanation
QUESTION 63
Which three statements about host-based IPS are true? (Choose three)
A.
B.
C.
D.
E.
F.
It can view encrypted files

It can be deployed at the perimeter
It uses signature-based polices
It can have more restrictive policies than network-based IPS
It works with deployed firewalls
It can generate alerts based on behavior at the desktop level
Correct Answer: ADF

Section: (none)
Explanation
IPS technology can be network based and host based.
QUESTION 64
What type of security support is provided by the Open Web Application Security Project?
A.
B.
C.
D.
A web site security framework

Education about common Web site vulnerabilities
A security discussion forum for Web site developers
Scoring of common vulnerabilities and exposures
Correct Answer: B
Section: (none)
Explanation
QUESTION 65
Refer to the exhibit. Which statement about the device time is true?
R1> show clock detail
.22:22:35.123 UTC Tue Feb 26 2013 Time source is NTP
A.
B.
C.
D.
E.
The time is authoritative because the clock is in sync

The time is authoritative, but the NTP process has lost contact with its servers
The clock is out of sync
NTP is configured incorrectly
The time is not authoritative
Correct Answer: B
Section: (none)
Explanation
Symbol
Description
Time is not authoritative.
(blank)
Time is authoritative.
Time is authoritative, but NTP is not synchronized.
Examples
QUESTION 66
In what type of attack does an attacker virtually change a device's burned in address in an attempt
to circumvent access list and mask the device's true identity?
A.
B.
C.
D.
gratuitous ARP
ARP poisoning
IP Spoofing
MAC Spoofing
Correct Answer: D
Section: (none)
Explanation
QUESTION 67
How does a zone-based firewall implementation handle traffic between interfaces in the same
zone?
A. Traffic between two interfaces in the same zone is allowed by default
B. Traffic between interfaces in the same zone is blocked unless you apply a service policy to
the zone pair
C. Traffic between interfaces in the same zone is always blocked
D. Traffic between interfaces in the same zone is blocked unless you configure the samesecurity permit command
Correct Answer: A
Section: (none)
Explanation
QUESTION 68
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible
result of this activity?
A.
B.
C.
D.
The switch could offer fake DHCP addresses

The switch could become the root bridge
The switch could be allowed to join the VTP domain
The switch could become a transparent bridge
Correct Answer: B
Section: (none)
Explanation
QUESTION 69
Which two next generation encryption algorithms does Cisco recommend? (Choose two)
A.
B.
C.
D.
E.
F.
AES
3Des
DES
MD5
DH-1024
SHA-384
Correct Answer: AF
Section: (none)
Explanation
QUESTION 70
What three actions are limitations when running IPS in promiscuous mode? (Choose three)
A.
B.
C.
D.
E.
F.
deny attacker
request block connection
deny packet
modify packet
request block host
reset TCP connection
Correct Answer: ACD

Section: (none)
Explanation
A sensor can be deployed either in promiscuous mode or inline mode. In promiscuous mode,
the sensor receives a copy of the data for analysis, while the original traffic still makes its way
to its ultimate destination. By contrast, a sensor working inline analyzes the traffic live and
therefore can actively block the packets before they reach their destination.
QUESTION 71
Which two features do CoPP and CPPR use to protect the control plane? (Choose two)
A.
B.
C.
D.
E.
F.
access lists
traffic classification
policy maps
QoS
class maps
Cisco Express Forwarding
Correct Answer: BD
Section: (none)
Explanation
QUESTION 72
What is an advantage of implementing a Trusted Platform Module for disk encryption?
A.
B.
C.
D.
It supports a more complex encryption algorithm than other disk-encryption technologies

It provides hardware authentication
It can protect against single points of failure
It allows the hard disk to be transferred to another device without requiring re-encryption
Correct Answer: B
Section: (none)
Explanation
Trusted Platform Module (TPM) is an international standard for a secure

cryptoprocessor, which is a dedicated microcontroller designed to secure hardware
by integrating cryptographic keys into devices. TPM's technical specification was
written by a computer industry consortium called Trusted Computing Group (TCG).
QUESTION 73
Refer to the exhibit. What is the effect of the given command sequence?
crypto ikev1 policy 1 encryption aes hash md5
authentication pre-share group 2
lifetime 14400
A.
B.
C.
D.
It configures a site-to-stie VPN Tunnel

It configures IKE Phase 1
It configures a crypto policy with a key size of 14400
It configures IPSec Phase 2
Correct Answer: B
Section: (none)
Explanation
QUESTION 74
A specific URL has been identified as containing malware. What action can you take to block
users from accidentally visiting the URL and becoming infected with malware?
A. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the
routers local URL list
B. Enable URL filtering on the perimeter router and add the URLs you want to allow to the
firewalls local URL list
C. Create a blacklist that contains the URL you want to block and activate the blacklist on the
perimeter router
D. Enable URL filtering on the perimeter router and add the URLs you want to block to the
routers local URL list
E. Create a whitelist that contains the URLs you want to allow and activate the whitelist on the
perimeter router
Correct Answer: D
Section: (none)
Explanation
Border, or perimeter, routers are responsible for forwarding packets from a trusted
network to an untrusted network which is beyond the control of your organization, and
filtering packet coming FROM the untrusted network. Sometimes called a screening
router, since it is the first line of defenerce, doing filtering.
QUESTION 75
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attack
attempts a double tagging attack?
A.
B.
C.
D.
the attack VLAN will be pruned

A VLAN hopping attack would be successful
The trunk port would go into an error-disable state
A VLAN hopping attack would be prevented
Correct Answer: D
Section: (none)
Explanation
QUESTION 76
What is an advantage of placing an IPS on the inside of a network?
A.
B.
C.
D.
It can provide higher throughput

It receives traffic that has already been filtered
It receives every inbound packet
It can provide greater security
Correct Answer: B
Section: (none)
Explanation
QUESTION 77
Which tasks is the session management path responsible for? (Choose three)
A.
B.
C.
D.
E.
F.
Verifying IP checksums
Performing route lookup
Performing session lookup
Allowing NAT translations
Checking TCP sequence numbers
Checking packets against the access list
Correct Answer: BDF

Section: (none)
Explanation
The session management path is responsible for the following tasks:

Performing the access list checks
Performing route lookups
Allocating NAT translations (xlates)
Establishing sessions in the "fast path"
QUESTION 78
What type of packet creates and performs network operations on a network device?
A.
B.
C.
D.
services plane packets

control plane packets
data plane packets
management plane packets
Correct Answer: B
Section: (none)
Explanation
QUESTION 79
Which two statements about stateless firewalls are true? (Choose two.)
A. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
B.
C.
D.
E.
They compare the 5-tuple of each incoming packet against configurable rules.
Cisco IOS cannot implement them because the platform is stateful by nature.
They cannot track connections.
The Cisco ASA is implicitly stateless because it blocks all traffic by default.
Correct Answer: BD
Section: (none)
Explanation
A stateless firewall filter, also known as an access control list (ACL), does not statefully
inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the
state of network connections. In contrast, a stateful firewall filter uses connection state
information derived from other applications and past communications in the data flow to
make dynamic control decisions.
The basic purpose of a stateless firewall filter is to enhance security through the use of
packet filtering. Packet filtering enables you to inspect the components of incoming or
outgoing packets and then perform the actions you specify on packets that match the
criteria you specify. The typical use of a stateless firewall filter is to protect the Routing
Engine processes and resources from malicious or untrusted packets.
QUESTION 80
Which syslog severity level is level number 7?
A.
B.
C.
D.
Warning
Debugging
Informational
Notification
Correct Answer: B
Section: (none)
Explanation
QUESTION 81
Which type of mirroring does SPAN technology perform?
A. Local mirroring over Layer 3
B. Local mirroring over Layer 2
C. Remote mirroring over Layer 2
D. Remote mirroring over Layer 3

Correct Answer: B
Section: (none)
Explanation
QUESTION 82
Which network device does NTP authenticate?
A.
B.
C.
D.
Only the client device

Only the time source
The firewall and the client device
The client device and the time source
Correct Answer: B
Section: (none)
Explanation
QUESTION 83
What hash type does Cisco use to validate the integrity of downloaded images?
A.
B.
C.
D.
Sha1
Sha2
MD5
MD1
Correct Answer: C
Section: (none)
Explanation
QUESTION 84
Which option is the most effective placement of an IPS device within the infrastructure?
A.
B.
C.
D.
Promiscuously, before the internet router and the firewall

Promiscuously, after the Internet router and before the firewall
Inline, behind the internet router and firewall
Inline, before the internet router and firewall
Correct Answer: C
Section: (none)
Explanation
QUESTION 85
If a router configuration includes the line aaa authentication login default group tacacs+ enable,
which events will occur when the TACACS+ server returns an error (Choose two)
A.
B.
C.
D.
Authentication will use the router's local database

The user will be prompted to authenticate using the enable password
Authentication attempts will be sent to the TACACS+ server
Authentication attempts to the router will be denied
Correct Answer: BC
Section: (none)
Explanation
QUESTION 86
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A.
B.
C.
D.
CSM
SDEE
Syslog
SNMP
Correct Answer: B
Section: (none)
Explanation
The Security Device Event Exchange (SDEE) protocol was developed to communicate the
events generated by security devices.
The SDEE client establishes a session with the server by successfully authenticating with
that server. Once authenticated, a session ID or session cookie is given to the client, which
is included with all future requests.
SDEE supports two methods for retrieving events:
a. An event query.
b. Event subscription.
Both methods use SSL to query the SDEE server and retrieve the events.
IPS and SDEE

IPS produces different types of events including intrusion alerts and status
events. IPS communicates events to clients such as management applications
using SDEE.
Systems that use SDEE to communicate events to clients are referred to as SDEE
providers. SDEE specifies that events can be transported using the HTTP or HTTP
over SSL and TLS protocols. When HTTP or HTTPS is used, SDEE providers act
as HTTP servers, while SDEE clients are the initiators of HTTP requests.
IPS includes Web Server, which processes HTTP or HTTPS requests. Web Server
uses run-time loadable servlets to process the different types of HTTP requests.
Each servlet handles HTTP requests that are directed to the URL associated with
the servlet. The SDEE server is implemented as a web server servlet.
The SDEE server only processes authorized requests. A request is authorized if it
originates from a web server to authenticate the identity of the client and determine
the privilege level of the client.
IME uses SDEE to retrieve events from the event store of IPS. Any 3rd party SDEE server
can also connect to the IPS and pull events from it.
QUESTION 87
Which components does HMAC use to determine the authenticity and integrity of a message?
A.
B.
C.
D.
The password
The hash
The key
The transform set
Correct Answer: BC
Section: (none)
Explanation
keyed-hash message authentication code (HMAC) is a specific type of message

authentication code (MAC) involving a cryptographic hash function (hence the 'H') in
combination with a secret cryptographic key.
QUESTION 88
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must
be in use?
A.
B.
C.
D.
BPDU guard
loop guard
root guard
Etherchannel guard
Correct Answer: C
Section: (none)
Explanation
QUESTION 89
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose
three)
A.
B.
C.
D.
E.
F.
EAP
ASCII
PAP
PEAP
MS-CHAPv2
MS-CHAPv1
Correct Answer: CEF

Section: (none)
Explanation
QUESTION 90
Which command initializes a lawful intercept view?
A.
B.
C.
D.
username cisco1 view lawful-intercept password cisco

parser view cisco li-view
li-view cisco user cisco1 password cisco
parser view li-view inclusive
Correct Answer: C
Section: (none)
Explanation
QUESTION 91
Which security measures can protect the control plane of a Cisco router? (Choose two)
A.
B.
C.
D.
E.
Port security
CoPP
CPPr
Access control lists
Parser views
Correct Answer: BC
Section: (none)
Explanation
QUESTION 92
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and are most effective when
applied to the destination.
B. Extended access lists perform filtering that is based on source and destination and are
most effective when applied to the destination.
C. Extended access lists perform filtering that is based on destination and are most effective
when applied to the source.
D. Extended access lists perform filtering that is based on source and destination and are
most effective when applied to the source.
Correct Answer: D
Section: (none)
Explanation
QUESTION 93
Which type of address translation should be used when a Cisco ASA is in transparent mode?
A.
B.
C.
D.
Dynamic PAT
Static NAT
Overload
Dynamic NAT
Correct Answer: B
Section: (none)
Explanation
QUESTION 94
Which protocols use encryption to protect the confidentiality of data transmitted between two
parties? (Choose two)
A.
B.
C.
D.
E.
F.
FTP
SSH
Telnet
AAA
HTTP
HTTPS
Correct Answer: BF
Section: (none)
Explanation
QUESTION 95
What are the primary attack methods of VLAN hopping? (Choose two)
A. VoIP hopping
B. CAM-table overflow
C. Switch spoofing
D. Double tagging
Correct Answer: CD
Section: (none)
Explanation
QUESTION 96
What is the default timeout interval during which a router waits for responses from a TACACS server
before declaring a timeout failure?
A.
B.
C.
D.
20 seconds
5 seconds
15 seconds
10 seconds
Correct Answer: B
Section: (none)
Explanation
QUESTION 97
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN
firewall configuration?
A. Issue the command anyconnect keep-installer installed under the group policy or username
webvpn mode
B. Issue the command anyconnect keep-installer installed in the global configuration
C. Issue the command anyconnect keep-installer under the group policy or username webvpn
mode
D. Issue the command anyconnect keep-installer under the group policy or username webvpn
mode
Correct Answer: C A
Section: (none)
Explanation
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# anyconnect keep-installer installed none
QUESTION 98
What is the FirePOWER impact flag used for?
A. A value that measures the application awareness
B. A value that indicates the potential severity of an attack.

C. A value that sets the priority of a signature
D. A value that the administrator assigns to each signature
Correct Answer: B
Section: (none)
Explanation
The impact level assigned to the intrusion event. You select any of the following along with
operators that specify is, is not, is greater than, and so on:
0 gray (Unknown)
1 red (Vulnerable)
2 orange (Potentially Vulnerable)
3 yellow (Currently Not Vulnerable)
4 blue (Unknown Target)
QUESTION 99
Which two services define cloud networks? (Choose two)
A.
B.
C.
D.
E.
Infrastructure as a Service
Platform as a Service
Compute as a Service
Security as a Service
Tenancy as a Service
Correct Answer: AB
Section: (none)
Explanation
QUESTION 100
In a security context, which action can you take to address compliance?
A.
B.
C.
D.
Implement rules to prevent a vulnerability

Reduce the severity of a vulnerability
Correct or counteract a vulnerability
Follow directions from the security appliance manufacturer to remediate a vulnerability
Correct Answer: A
Section: (none)
Explanation
QUESTION 101
How many times was a read-only string used to attempt a write operation?
A.
B.
C.
D.
E.
6
2
9
3
4
Correct Answer: C
Section: (none)
Explanation
QUESTION 102
What can the SMTP preprocessor in a FirePOWER normalize?
A.
B.
C.
D.
E.
It can look up the email sender

It uses the Traffic Anomaly Detector
It can extract and decode email attachments in client to server traffic
It compares known threats to the email sender
It can forward the SMTP traffic to an email filter server
Correct Answer: C
Section: (none)
Explanation
QUESTION 103
You want to allow all of your companies users to access the internet without allowing other
web servers to collect the IP addresses of individual users. What two solutions can you use?
(Choose two)
A.
B.
C.
D.
E.
Install a Web content filter to hid users local IP addresses

Configure a firewall to use Port Address Translation
Assign the same IP addresses to all users
Configure a proxy server to hide users local IP addresses
Assign unique IP addresses to all users
Correct Answer: BD
Section: (none)
Explanation
QUESTION 104
Which two authentication types does OSPF support? (Choose two)
A.
B.
C.
D.
E.
F.
plaintext
MD5
HMAC
AES 256
SHA-1
DES
Correct Answer: AB
Section: (none)
Explanation
QUESTION 105
Refer to the exhibit. The Admin user is unable to enter configuration mode on a device with the
given configuration. What to correct the problem?
A. Remove the Autocommand keyword and arguments from the Username Admin privilege line
B. Change the Privilege exec level value to 15

C. Remove the two Username Admin lines
D. Remove the Privilege exec line
Correct Answer: A
Section: (none)
Explanation
QUESTION 106
What command can you use to verify the binding table status?
A.
B.
C.
D.
E.
F.
Show ip dhcp snooping binding

Show ip dhcp snooping database
Show ip dhcp snooping statistics
Show ip dhcp pool
Show ip dhcp source binding
Show ip dhcp snooping
Correct Answer: B -> A

Section: (none)
Explanation
show ip dhcp snooping
Displays the current operating state of the database
database [detail]
agent and statistics associated with the transfers.
show ip dhcp snooping
binding
QUESTION 107
Views the DHCP snooping database.
A.
B.
C.
D.
Correct Answer: ABCD
Section: (none)
Explanation
Step1: Firewall > Configuration > NAT Rules > Add Network Object. Name=http, IP
version=IPv4, IP address = 209.165.201.30, Static NAT = 172.16.1.2
Step2: Firewall > Configuration > NAT Rules > Add Access Rule. Interface=Outside,
Action=Permit, Source=any, Destination=209.165.201.30, Service=tcp/http
Step3: Firewall > Configuration> Service policy Rules > Click Global Policy and edit, Rule
Action tab, Click ICMP and apply
Step4: Ping www.cisco.com from Inside P
QUESTION 108
In this simulation, you have access to ASDM only. Review the various ASA configurations
using ASDM then answer the fi ASA SSL VPN configurations.
Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)
A.
B.
C.
D.
E.
F.
IPsec IKEv1
IPsec IKEv2
L2TP/IPsec
Clientless SSL VPN
SSL VPN Client
PPTP
Correct Answer: ABCD

Section: (none)
Explanation
Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies
QUESTION 109
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM
then answer the fi ASA SSL VPN configurations.
Which two statements regarding the ASA VPN configurations are correct? (Choose two)
A.
B.
C.
D.
E.
F.
The Inside-SRV bookmark has not been applied to the Sales group policy
The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_Trustpoit1
The Inside-SRV bookmark references the https://192.168.1.2 URL
Any Connect, IPSec IKEv1 and IPSec IKEv2 VPN access is enabled on the outside interface
Only Clientless SSL VPN VPN access is allowed with the Sales group Policy
The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method
Correct Answer: CF
Section: (none)
Explanation
Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Portal >
Bookmarks AND
Via - Configuration > Remote Access VPN > Certificate Management > Identity Certificates
QUESTION 110
In this simulation, you have access to ASDM only. Review the various ASA configurations using
ASDM then answer the fi ASA SSL VPN configurations.
When users login to the Clientless SSL VPN using https://209.165.201.2/test, which group policy will
be applied?
A.
B.
C.
D.
E.
F.
test
Sales
DefaultRAGroup
DefaultWEBVPNGroup
clientless
DFTGrpPolicy
Correct Answer: B
Section: (none)
Explanation
Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles
> Edit
QUESTION 111
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the fi
ASA SSL VPN configurations.

Which user authentication method is used when users login to the Clientless SSL VPN portal using https://209.165.201.2/
A.
B.
C.
D.
E.
Both Certificate and AAA with LOCAL database

AAA with RADIUS server
Both Certificate and AAA with RADIUS server
AAA with LOCAL database
Certificate
Correct Answer: D
Section: (none)
Explanation
Via - Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles
NEW QUESTION 132

What are two users of SIEM software? (Choose two)
A. performing automatic network audits
B. configuring firewall and IDS devices
C. alerting administrators to security events in real time
D. scanning emails for suspicious attachments
E. collecting and archiving syslog data
Answer: CE
Explanation:
Security information and event management (SIEM) systems are designed to collect security log data
from a wide variety of sources within an organization, including security controls, operating systems
and applications. Once the SIEM has the log data, it processes the data to standardize its format,
performs analysis on the "normalized" data, generates alerts when it detects anomalous activity, and
produces reports upon request of the SIEM's administrators. Some SIEM products can also act to
block malicious activity, such as by running scripts that trigger reconfiguration of firewalls and other
security controls..
NEW QUESTION 134
What statement provides the best definition of malware?

A. Malware is tools and applications that remove unwanted programs.
B. Malware is software used by nation states to commit cyber-crimes.
C. Malware is unwanted software that is harmful or destructive
D. Malware is a collection of worms, viruses and Trojan horses that is distributed as a single.....
Answer: C
NEW QUESTION 138
Which of encryption technology has the broadcast platform support to protect operating systems?
A. Middleware
B. Hardware
C. software
D. file-level
Answer: D
Explanation:
NEW QUESTION 139
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe
spam and sophisticated phishing attack?
A. holistic understanding of threats
B. graymail management and filtering

C. signature-based IPS
D. contextual analysis
Answer: D
NEW QUESTION 140
Which Sourfire secure action should you choose if you want to block only malicious traffic
from a particular end-user?
A. Trust
B. Block
C. Allow without inspection
D. Monitor
E. Allow with inspection
Answer: E
Explanation:
Allow with Inspection allows all traffic except for malicious traffic from a particular end-user.
The other options are too restrictive, too permissive, or don't exist.
NEW QUESTION 141
Q. A proxy firewall protects against which type of attacks?
A. Cross-site scripting
B. DDoS
C. Port scanning
D. Worm traffic
Answer: B
NEW QUESTION 142
What do you use when you have a network object or group and want to use an IP address?
A. Static PAT
B. Dynamic NAT
C. Static NAT
D. Identity NAT
E. Dynamic PAT
Answer: B
Static NATA consistent mapping between a real and mapped IP address. Allows bidirectional
traffic initiation.
Dynamic NATA group of real IP addresses are mapped to a (usually smaller) group of mapped
IP addresses, on a first come, first served basis. Only the real host can initiate traffic.
Dynamic Port Address Translation (PAT)A group of real IP addresses are mapped to a single IP
address using a unique source port of that IP address.
Identity NATStatic NAT lets you translate a real address to itself, essentially bypassing NAT.
You might want to configure NAT this way when you want to translate a large group of addresses,
but then want to exempt a smaller subset of addresses.
NEW QUESTION 143

What are the three layers of a hierarchical network design? (Choose three.)
A. access
B. core
C. distribution
D. user
E. server
F. Internet
Correct Answer: ABC
A typical enterprise hierarchical LAN campus network design includes the following three layers:
Access layer: Provides workgroup/user access to the network

Distribution layer: Provides policy-based connectivity and controls the boundary between the access
and core layers
Core layer: Provides fast transport between distribution switches within the enterprise campus
NEW QUESTION 144

In which two situations should you use in-band management? (Choose two.)
A. when management applications need concurrent access to the device
B. when you require administrator access from multiple locations
C. when a network device fails to forward packets
D. when you require ROMMON access
E. when the control plane fails to respond
Correct Answer: AB
In-band management interfaces are connected to the switching fabric and participate in all the functions of a
switchport including spanning tree, Cisco Discovery Protocol (CDP), and VLAN assignment. Out-of-band
management interfaces are not connected to the switching fabric and do not participate in any of these functions.
NEW QUESTION 145

Which three statements describe DHCP spoofing attacks? (Choose three.)
A. They are used to perform man-in-the-middle attacks.

B. They use ARP poisoning.
C. They can access most network devices.
D. They protect the identity of the attacker by masking the DHCP address.
E. They can modify traffic in transit.

F. They can physically modify the network gateway.
Correct Answer: ABE
Man-in-the-middle attack where the attacker secretly relays and possibly alters the
communication between two parties who believe they are directly communicating with each
other.
NEW QUESTION 146
A data breach has occurred and your company database has been copied. Which security principle
has been violated?
A. availability
B. access
C. confidentiality
D. control
Correct Answer: C
NEW QUESTION 147

In which type of attack does an attacker send email messages that ask the recipient to click a link
such as https://www.cisco.net.cc/securelogon?
A. phishing
B. pharming
C. solicitation
D. secure transaction
Correct Answer: A
NEW QUESTION 148

With which NTP server has the router synchronized?
A. 192.168.10.7
B. 108.61.73.243
C. 209.114.111.1
D. 132.163.4.103
E. 204.2.134.164
F. 241.199.164.101
Correct Answer: A
NEW QUESTION 149

Which statement about the given configuration is true?
A. The single-connection command causes the device to process one TACACS request and then
move to the next server.
B. The timeout command causes the device to move to the next server after 20 seconds of
TACACS inactivity.
C. The router communicates with the NAS on the default port, TCP 1645.
D. The single-connection command causes the device to establish one connection for all TACACS
transactions.
Correct Answer: D
NEW QUESTION 150

What is the best way to confirm that AAA authentication is working properly?
A. Use the test aaa command.
B. Ping the NAS to confirm connectivity.
C. Use the Cisco-recommended configuration for AAA authentication.
Correct Answer: A
NEW QUESTION 151

How does PEAP protect the EAP exchange?
A. It encrypts the exchange using the server certificate.
B. It encrypts the exchange using the client certificate.
C. It validates the server-supplied certificate, and then encrypts the exchange using the client
certificate.
D. It validates the client-supplied certificate, and then encrypts the exchange using the server
certificate.
Correct Answer: A
PEAP authenticates the server with a public key certificate and carries the authentication in
a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN
stations and the authentication server can authenticate themselves. Each station gets an
individual encryption key. When used in conjunction with Temporal Key Integrity Protocol
(TKIP), each key has a finite lifetime.
NEW QUESTION 152
How does a device on a network using ISE receive its digital certificate during the new-device
registration process?
A. ISE issues a certificate from its internal CA server.
B. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server.
C. ISE issues a pre-defined certificate from a local database.
D. The device requests a new certificate directly from a central CA.
Correct Answer: B
NEW QUESTION 153

When an administrator initiates a device wipe command from the ISE, what is the immediate
effect?
A. It requests the administrator to choose between erasing all device data or only managed
corporate data.
B. It requests the administrator to enter the device PIN or password before proceeding with the
operation.
C. It notifies the device user and proceeds with the erase operation.
D. It immediately erases all data on the device.
Correct Answer: A
NEW QUESTION 154

What security feature allows a private IP address to access the Internet by translating it to a public
address?
A. NAT
B. hairpinning
C. Trusted Network Detection
D. Certification Authority
Correct Answer: A
NEW QUESTION 155

You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site
VPN tunnel. What action can you take to correct the problem?
A. Set a valid value for the crypto key lifetime on each router.
B. Edit the crypto keys on R1 and R2 to match.
C. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
D. Edit the crypto isakmp key command on each router with the address value of its own interface.
Correct Answer: B
NEW QUESTION 156

While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What
does the given output show?
A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
B. IKE Phase 1 main mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with
10.10.10.2.
D. IKE Phase 1 aggressive mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
Correct Answer: A
NEW QUESTION 157

Which statement about IOS privilege levels is true?
A. Each privilege level is independent of all other privilege levels.
B. Each privilege level supports the commands at its own level and all levels above it.
C. Privilege-level commands are set explicitly for each user.
D. Each privilege level supports the commands at its own level and all levels below it.
Correct Answer: D
NEW QUESTION 158

Which line in this configuration prevents the HelpDesk user from modifying the interface
configuration?
A. Privilege exec level 9 configure terminal
B. Privilege exec level 10 interface
C. Username HelpDesk privilege 6 password help

D. Privilege exec level 7 show start-up
Correct Answer: C
NEW QUESTION 159

In the router ospf 200 command, what does the value 200 stand for?
A. process ID
B. area ID
C. administrative distance value
D. ABR ID
Correct Answer: A
NEW QUESTION 160

Which feature filters CoPP packets?
A. access control lists
B. class maps
C. policy maps
D. route maps
Answer: C
NEW QUESTION 161

Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
A. community for hosts in the PVLAN
B. promiscuous for hosts in the PVLAN
C. isolated for hosts in the PVLAN
D. span for hosts in the PVLAN
Answer: A
NEW QUESTION 162

What is a potential drawback to leaving VLAN 1 as the native VLAN?
A. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
B. It may be susceptible to a VLAN hoping attack.
C. The CAM might be overloaded, effectively turning the switch into a hub.
D. VLAN 1 might be vulnerable to IP address spoofing.
Correct Answer: B
NEW QUESTION 163

What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
A. Only BPDUs from a higher security interface to a lower security interface are permitted in
transparent mode.
B. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in
routed
mode only.
C. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in
transparent mode only.
D. ARPs in both directions are permitted in transparent mode only.
E. Only BPDUs from a higher security interface to a lower security interface are permitted in routed
mode.
Correct Answer: D
NEW QUESTION 164

Which statement about the communication between interfaces on the same security level is true?
A. Interfaces on the same security level require additional configuration to permit inter-interface
communication.
B. Configuring interfaces on the same security level can cause asymmetric routing.
C. All traffic is allowed by default between interfaces on the same security level.
D. You can configure only one interface on an individual security level.
Correct Answer: A
NEW QUESTION 165

How can you detect a false negative on an IPS?
A. View the alert on the IPS.
B. Review the IPS log.
C. Review the IPS console.
D. Use a third-party system to perform penetration testing.
E. Use a third-party to audit the next-generation firewall rules.
Correct Answer: D
NEW QUESTION 166

What is the primary purpose of a defined rule in an IPS?
A. to configure an event action that takes place when a signature is triggered
B. to define a set of actions that occur when a specific user logs in to the system
C. to configure an event action that is pre-defined by the system administrator
D. to detect internal attacks
Correct Answer: A
NEW QUESTION 168

How can FirePOWER block malicious email attachments?
A. It forwards email requests to an external signature engine.
B. It scans inbound email messages for known bad URLs.
C. It sends the traffic through a file policy.
D. It sends an alert to the administrator to verify suspicious email messages.
Correct Answer: C
NEW QUESTION 169

You have been tasked with blocking user access to websites that violate company policy, but the
sites use dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
A. Enable URL filtering and use URL categorization to block the websites that violate company
policy.
B. Enable URL filtering and create a blacklist to block the websites that violate company policy.
C. Enable URL filtering and create a whitelist to block the websites that violate company policy.
D. Enable URL filtering and use URL categorization to allow only the websites that company policy
allows
users to access.
E. Enable URL filtering and create a whitelist to allow only the websites that company policy allows
users to access.
Correct Answer: A
NEW QUESTION 170

Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. file analysis
B. file reputation
C. signature updates
Correct Answer: B
NEW QUESTION 171

Your security team has discovered a malicious program that has been harvesting the CEOs email
messages and the companys user database for the last 6 months. What are two possible types of
attacks your team discovered? (Choose two.)
A. social activism
B. E Polymorphic Virus
C. advanced persistent threat
D. drive-by spyware
E. targeted malware
Correct Answer: CE
NEW QUESTION 172

What are two effects of the given command? (Choose two.)
A. It configures authentication to use AES 256.
B. It configures authentication to use MD5 HMAC.
C. It configures authorization use AES 256.
D. It configures encryption to use MD5 HMAC.
E. It configures encryption to use AES 256.
Correct Answer: BE

Cisco Network Securit 210-260.172 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco Network Securit 210-260.172 PDF

Uploaded by

Copyright:

Available Formats

Implementing Cisco Network Security

CCNA SECURITY 210-260

Enable logging at the beginning of the session

Create a custom blacklist to allow traffic

when a network device fails to forward packets

listening, learning, blocking, forwarding, disabled

Choose the SDEE message type to display:

All SDEE error, status, and alert messages are shown.

B. The supplicant will fail to advance beyond the webauth method

Reflexive access lists create a permanent ACE

Correct Answer: DEF

Correct Answer: BDE

B. crypto key generate rsa

TACACS uses TCP to communicate with the NAS

Correct Answer: ABF

to ensure that only authorized parties can modify data

CIA refers to Confidentiality, Integrity and Availability. Confidentiality of information,

You must configure an AAA server to enable Telnet

The Internet Key Exchange protocol establishes security associations

Ensure that the RDP2 plug-in is installed on the VPN gateway

The source zone

Security Parameter Index

Correct Answer: DEF

Router(config)#aaa server?% Unrecognized command

The command syntax requires a space after the word "server"

Protocol used for filtering

IPsec transport mode is used between end stations

Correct Answer: ADE

It is widely implemented in site-to-site VPN scenarios.

NAT traversal is supported with the tunnel mode.

show crypto map

To create customized policies

the given output show

IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5

remote branch offices to your company network

The secure boot-image command is configured

To protect endpoints such as desktops from malicious activity

Deploy an antimalware system

ACS can query multiple Active Directory domains

The user must approve the locking action

By default, there are three command levels on the router:

It blocks access to files with specific extensions

Every time a new update is available

They can protect the network against attacks

#pkts encaps: 1205,

ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1

The isolated port can communicate only with community ports

It can view encrypted files

Correct Answer: ADF

A web site security framework

The time is authoritative because the clock is in sync

Time is not authoritative.

Time is authoritative, but NTP is not synchronized.

The switch could offer fake DHCP addresses

Correct Answer: ACD

It supports a more complex encryption algorithm than other disk-encryption technologies

Trusted Platform Module (TPM) is an international standard for a secure

It configures a site-to-stie VPN Tunnel

the attack VLAN will be pruned

It can provide higher throughput

Correct Answer: BDF

The session management path is responsible for the following tasks:

services plane packets