Security Written - 01-July-17

PASSWRITTENDUMPS.
COM 400-251 1-July-17
M
O
.C
N
E
T
IT
R
W
PassWritten Workbook
S
S
A
400-251
.P
CCIE SECURITY WRITTEN

W
W
W
www.passwritten.com | www.passwrittendumps.com
PASSWRITTENDUMPS.COM 400-251 1-July-17
M
O
.C
N
E
T
IT
This Page is Left Blank Intentionally
R
W
S
S
A
.P
W
W
W
1) What are the two different modes in which Private AMP cloud can be deployed? (Choose two)
A. Cloud Mode
B. Internal Mode
C. Public Mode
D. External Mode
M
E. Proxy Mode
O
F. Air Gap Mode
.C
Answer: E,F
N
E
T
IT
R
W
S
S
A
.P
2)
Refer to the exhibit. Which two effects of this configuration are true? (Choose Two)
W
A. user five can view usernames and password

B. user superuser can view the configuration
W
C. User superuser can change usernames and passwords

D. User superuser can view usernames and passwords
W
E. User five can execute the show run command

F. User cisco can view usernames and passwords
Answer: B,E
3) Which three commands can you use to configure VXLAN on a Cisco ASA firewall?(Choose three)
A. default-mcast-group
B. set ip next-hop verify-availiability
C. sysopt connection tcpmss
M
D. segment-id
E. inspect vxlan
O
F. nve-only
.C
Answer: A,D,F
N
4) Which Cisco ISE profiler service probe can collect information about Cisco Discovery Protocol?
E
A. SNMP Query
T
B. DHCP SPAN
C. DHCP IT
D. HTTP
E. RADIUS
R
F. NetFlow
W
Answer: A
S
S
5) Which type of attack uses a large number of spoofed MAC addresses to emulate wireless clients?
A
A. DoS against an access point

.P
B. DoS against a client station

C. chopchop attack
W
D. Airsnaf attack
E. device-probing attack
W
F. authentication-failure attack
W
Answer: A
6) Which two statements about NetFlow Secure Event logging on a Cisco ASA are true? (Choose two)
A. It is supported only in single context mode
B. It can log different event types on the same device to different collectors
C. It tracks configured collections over TCP
M
D. It can be used without collectors
E. It supports one event type per collector
O
F. It can export templates through NetFlow
.C
Answer: B, F
N
E
T
IT
R
W
S
S
A
.P
7)
Refer to the exhibit. After you applied this EtherChannel configuration to a Cisco ASA, the
W
EtherChannel failed to come up. Which reason for the problem is the most likely?
A. The channel-group modes are mismatched
W
B. The lacp system-priority and lacp port-priority values are same

W
C. The EtherChannel requires three ports, and only two are configured
D. The EtherChannel is disabled
Answer:C
8) Which option best describes RPL?

A. RPL stands for Routing over Low-power Lossy Networks that use link-state LSAs to
determine the best route between leaves and the root border router
B. RPL stands Routing over Low-power Lossy networks that use distance vector DOGAG to
M
determine the best route between leaves and the root border router
C. RPL stands for Routing over low priority links that use link-state LSAs to determine the best
O
route between two root border routers
D. RPL stands for Routing over low priority links that use distance vector DOGAG to determine
.C
the best route between two border routers
N
Answer: B
E
T
9) Which WEP configuration can be exploited by a weak IV attack?
IT
A. When the static WEP password has been given away
B. When the static WEP password has been stored without encryption
R
C. When a per-packet WEP key is in use
W
D. When a 40-bit key is in use

E. When the same WEP key is used to create every packet
S
F. When a 64-bit key is in use

S
Answer: E
A
.P
10) Which OpenStack project has orchestration capabilities?

W
A. Heat
B. Cinder
W
C. Horizon
D. Sahara
W
Answer:A
11) Which three statements about Cisco AnyConnect SSL VPN with the ASA are true? (Choose three)
A. Real-time application performance improves if DTLS is implemented
B. DTLS can fall back to TLS without enabling dead peer detection
C. The ASA will verify the remote HTTPS certificate
M
D. By default, the ASA uses the Cisco AnyConnect Essentials license
E. By default, the VPN connection connects with DTLS
O
F. Cisco AnyConnect connections use IKEv2 by default when it is configured as the primary
protocol on the client
.C
Answer: A,D,F
N
E
12) Which two options are benefits of global ACLs? (Choose two)
T
A. They only operate on logical interfaces
IT
B. They are more efficient because they are processed before interface access rules
C. They can be applied to multiple interfaces
R
D. They are flexible because they match source and destination IP addresses for packets that
W
arrive on any interface

E. They save memory because they work without being replicated on each interface
S
Answer: D,E
S
A
.P
13) Which three statements about 802.1x multiauthentication mode are true? (Choose three)
A. It can be deployed in conjunction with MDA functionality on voice VLANs
W
B. It requires each connected client to authenticate individually

C. Each multiauthentication port can support only one voice VLAN
W
D. It is recommended for auth-fail VLANs

E. On non-802.1x devices, It can support only one authentication method on a single port
W
F. It is recommended for guest VLANs
Answer: A,B,C
M
O
.C
N
E
T
14)
IT
Refer to the exhibit. Which three additional configuration elements must you apply to complete a
functional FlexVPN deployment? (Choose three)
R
W
S
S
A
.P
W
W
W
M
O
Answer: D,E,F
.C
N
E
15) You are considering using RSPAN to capture traffic between several switches. Which two
T
configuration aspects do you need to consider? (Choose two)
IT
A. Not all switches need to support RSPAN for it to work
B. The RSPAN VLAN need to be blocked on all trunk interfaces leading to the destination
R
RSPAN switch
C. All switches need to be running the same IOS version
W
D. All distribution switches need to support RSPAN

S
E. The RSPAN VLAN need to be allow on all trunk interfaces leading to the destination RSPAN
switch
S
A
Answer: D,E
.P
W
W
W
M
O
.C
16)
Refer to the exhibit. You applied this VPN cluster configuration to a Cisco ASA and the cluster failed
N
to form. How do you edit the configuration to correct the problem?
A. Define the maximum allowable number of VPN connections
E
B. Define the master/ slave relationship
T
C. Enable load balancing
D. Configure the cluster IP address
IT
Answer: D
R
W
S
S
A
.P
17)
W
Refer to the exhibit. Which effect of this configuration is true?
A. If the RADIUS server is unreadable, SSH users cannot authenticate

W
B. All commands are validate by the RADIUS server before the device executes them
C. Users accessing the device via SSH and those accessing enable mode are authenticated against the
W
RADIUS server
D. Users must be in the RADIUS server to access the serial console
E. Only SSH users are authenticated against the RADIUS server
Answer: C
M
18)
O
Refer to the exhibit. Which two configurations must you perform to enable the device to use this class
map? (Choose two)
.C
A. Configure PDLM
N
B. Configure the ipnbar custom command
C. Configure the ipnbar protocol discovery command
E
D. Configure teh transport hierarchy
T
E. Configure the DSCP value IT
R
Answer: A, C
W
S
S
19) Which three messages are part of the SSL protocol? (Choose Three)
A
A. Change CipherSpec
.P
B. Alert
C. Record
W
D. Message Authenication
E. CipherSpec
W
F. Handshake
W
Answer: A,B,F
20) Which command is used to enable 802.1x authentication on an interface?
A. authentication port-control auto

B. aaa authorization auth-proxy default
C. aaa authorization network default group tacacs+
M
D. authentication control-direction both
E. authentication open
O
.C
Answer: A
N
21) Which two design options are best to reduce security concerns when adopting IoT into an
E
organization? (Choose two)
T
A. Encrypt data at rest on all devices in the IoT network
IT
B. Implement video analytics on IP cameras
C. Encrypt sensor data in transit
R
D. Segment the Field Area Network form the Data Centre network
W
E. Ensure that applications can gather and analyze data at the edge
S
Answer: C,D
S
A
22) Which encryption type is used by ESA for implementing the Email Encryption?
.P
A. SSL Encryption
B. TLS
W
C. Identity Based Encryption (IBE)

D. PKI
W
E. S/MIME Encryption
W
Answer: E
23)Which two statement about the MACsec security protocol are true? (Choose two)
A. MACsec is not supported in MDA mode

B. Stations broacast an MKA heartbeat that contains the key server priority
C. When switch-to-switch link security is configured in manual mode, the SAP operation mode must
M
be set to GCM
D. MKA heartbeats are sent at a default intercal of 3 seconds
O
E. The SAK is secured by 128-bit AES-GCM by default
.C
Answer: B,E
N
E
24) Which type of header attack is detected by Cisco ASA threat detection?
T
A. failed application inspection IT
B. connection limit exceeded
C. bad packet format
R
D. denial by access list
W
Answer:C
S
S
25) Which two statements about SCEP are true? (Choose two)
A
A. The GetCACaps response message supports DES encryption and the SHA-128 hashing algorithm
.P
B. CA servers must support GetCACaps response messages in order to implement extended

functionality
W
C. The GetCert exchanges is signed and encrypted only in the response direction
D. It is vulnerable to downgrade attacks on its cryptographic capabilities
W
E. The GetCRL exchange is signed and encrypted only in the response direction
W
Answer: B,D
26) Which effect of the ipnhrp map multicast dynamic command is true?
A. It configures a hub router to reflect the routes it learns from a spoke back to other spokes through
the same interface
B. It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the
tunnel
M
C. It configures a hub router to automatically add spoke routers to the multicast replication list of the
hub
O
D. It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs
.C
Answer: C
N
E
T
IT
R
W
S
27)
S
Refer to the exhibit. A user authenticates to the NAS, Which communicates to the TACACS+ server for
A
authentication. The TACACS+ server then accesses the Active Directory Server through the ASA firewall to
validate the user credentials which protocol-port pair must be allowed access through the ASA firewall?
.P
A. DNS over TCP 53

W
B. global catalog over UDP 3268

C. LDAP over UDP 389
W
D. DNS over UDP 53

E. TACACS+ over TCP 49
W
F. SMB over TCP 455
Answer: C
28) Which effect of the crypto pki authenticate command is true?
A. It sets the certificate enrollment method

B. It retrieves and authenticates a CA certificate
C. It displays the current CA certificate
M
D. It configures a CA trustpoint
O
Answer: B
.C
N
E
T
IT
29)
R
Refer to the exhibit. What is the maximum number of site-to-site VPNs allowed by this configuration?
W
A. 10
S
B. 15
C. unlimited
S
D. 5
A
E. 0
F. 1
.P
Answer: B
W
W
W
30) How does Scavenger-class QoS mitigate DoS and worm attacks?
A. It matches traffic from individual hosts against the specific network characteristics of known attack
types
B. It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching
M
traffic is detected
C. It monitors normal traffic flow and drops burst traffic above the normal rate for a single host
O
D. It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams
.C
from multiple hosts
N
Answer: D
E
T
31) Which three statements about SXP are true? (Choose three)
IT
A. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP
snooping must be configured
R
B. Each VRF supports only one CTS-SXP connection
W
C. It resides in the control plane, where connections can be initiated from a listener
D. Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses
S
E. The SGA ZBPF uses the SGT to apply forwarding decisions

S
F. Packets can be tagged with SGTs only with hardware support

A
Answer: B,E,F
.P
W
W
W
M
O
.C
N
32)
E
Refer to the exhibit. Which two effects of this configuration are true? (Choose two)
T
A. Configuration commands on the router are authorized without checking the TACACS+ server
IT
B. When a user logs in to privileged EXEC mode, the router will track all user activity
C. Requests to establish a reverse AUX connection to the router will be authorized against the
R
TACACS+ server
D. When a user attempts to authenticate on the device, the TACACS+ server will prompt the user to
W
enter the username stored in the router's database

S
E. If a user attempts to log in as a level 15 user, the local database will be used for authentication and
the TACACS+ will be used for authorization
S
F. It configures the router's local database as the backup authentication method for all TTY, console,
A
and aux logins

.P
Answer: C,F
W
W
W
33) Which two options are benefits of the cisco ASA Identify Firewall? (Choose two)
A. It can identify threats quickly based on their URLs

B. It can operate completely independently of other services
C. It supports an AD server module to verify identity data
M
D. It decouples security policies from the network topology
E. It can apply security policies on an individual user or user-group basis
O
.C
Answer: D,E
N
E
T
IT
34)
R
W
A. It allows the switch to detect IGMPv2 leave group messages

S
B. It optimizes the use of network bandwidth on the LAN segment

C. IGMPv2 leave group messages are stored in the switch CAM table for faster processing
S
D. Host send leave group messages to the Solicited-Node Address multicast address
A
FF02::1:FF00:0000/104
.P
E. It improves the processing time of CGMP leave messages

F. Hosts send leave group messages to all-router multicast address when they want to stop
W
receiving data for that group
Answer: A,B
W
W
35) Which two statements about the TTL value in an IPv4 header are true? (Choose two)
A. It is a 4-bit value
B. Its maximum value is 128
C. It is a 16-bit value
M
D. It can be used for traceroute operations
E. When it reaches 0, the router sends an ICMP Type 11 messages to the originator
O
.C
Answer: D,E
N
E
T
IT
R
36)
W

S
A. Any VPN user with a session time out of 24 hours can access the device
B. Users attempting to access the console port are authenticated against the TACACS+ server
S
C. If the TACACAS+ authentication fails, the ASA uses cisco 123 as its default password
A
D. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails
.P
E. The servers in the TACACS+ group0 are reactivated every 1440 seconds
Answer: B
W
W
37) Which of the following is AMP Endpoints for windows?

W
A. ClamAV
B. ClamAMP
C. TETRA
D. TETRAAMP
Answer: C
38) Which two characteristics of DTLS are true? (Choose two)
A. It includes a retransmission method because it uses an unreliable datagram transport

B. It cannot be used if NAT exists along the path
C. It completes key authentication and bulk data transfer over a single channel
M
D. It includes a congestion control mechanism
E. It supports long data transfers and connections data transfers
O
F. It is used mostly by applications that use application layer object-security protocols
.C
Answer: A,D
N
E
39) A new computer is not getting its IPv6 address assigned by the router. While running WireShark to try
T
to troubleshoot the problem, you find a lot of data that is not helpful to nail down the problem. What two
IT
filters would you apply to WireShark to filter the data that you are looking for? (Choose Two)
A. Icmpv6.type== 136
R
B. Icmpv6.type== 135
W
C. Icmp5.type== 135
D. Icmpv6type== 136
S
E. Icmp6type== 135
S
Answer: A,B
A
.P
40) Which two options are benefits of network summarization? (Choose two)
W
A. It can summarize discontiguous IP addresses

B. It can easily be added to existing networks
W
C. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the
W
summary is unstable
D. It reduces the number of routes
E. It can increase the convergence of the network
Answer: C,D
41) Which statement about VRF-aware GDOI group members is true?
A. IPsec is used only to secure data traffic

B. Registration traffic and rekey traffic must operate on different VRFs
C. Multiple VRFs are used to separate control traffic and data traffic
M
D. The GM cannot route control traffic through the same VRF as Data traffic
O
Answer: C
.C
N
42) Which file extensions are supported on the Firesight Management Center 6.1 file policies that can be
analyzed dynamically using the Threat Grid Sandbox integration?
E
A. MSEXE, MSOLE2, NEW-OFFICE, PDF
T
B. DOCX, WAV, XLS, TXT IT
C. DOC, MSOLE2, WAV, PDF
D. TXT, MSOLE2, WAV, PDF
R
Answer: A
W
S
S
A
.P
W
W
W
M
O
43)
.C
Refer to the exhibit. Which data format is used in this script?
N
A. API
E
B. JSON
C. JavaScript
T
D. YANG IT
E. XML
Answer:E
R
W
44) In which type of multicast does the Cisco ASA forward IGMP messages to the upstream router?
S
S
A. Multicast group concept

B. PIM multicast routing
A
C. Stub multicast routing

.P
D. clustering
W
Answer:C
W
W
45) Which option is a data modeling language used to model configuration and state data of network
elements?
A. NETCONF
B. RESTCONF
M
C. YANG
D. SNMPv4
O
.C
Answer: C
N
46) Which three ESMTP extensions are supported by the Cisco ASA? (Choose three)
E
A. 8BITMIME
T
B. STARTTLS IT
C. NOOP
D. PIPELINING
R
E. SAML
W
F. ATRN
S
Answer: B,C,E
S
A
47) In OpenStack, which two statements about the NOVA component are true? (Choose two)
.P
A. It is considered the cloud computing fabric controller

B. It provides the authentication and authorization services
W
C. It tracks cloud usage statistics for billing purposes

D. It launches virtual machine instances
W
E. It provides persistent block storage to running instances of virtual machines

W
Answer: A,D
48) Which three types of addresses can the Botnet Filter feature of the Cisco ASA monitor? (Choose three)
A. Known allowed addresses

B. Dynamic addresses
C. Internal addresses
M
D. Ambiguous addresses
E. Known malware addresses
O
F. Listed addresses
.C
N
Answer: A,D,E
E
49) Which three authorization technologies does Cisco TrustSec support? (Choose three)
T
A. SGT IT
B. SGACL
C. MAB
R
D. 802.1x
W
E. DACL
F. VLAN
S
Answer: A,E,F
S
A
.P
50) Which two statements about 802.1x components are true? (Choose two)
A. The certificates that are used in the client-server authentication process are stored on the access
W
switch
B. The access layer switch is the policy enforcement point
W
C. The RADIUS server is the policy enforcement point

W
D. The RADIUS server is the policy information point

E. An LDAP server can serve as the policy enforcement point
Answer: B,D
51) Which statements about the cisco AnyConnect VPN Client are true? (Choose two)
A. It enables users to manage their own profiles

B. By default, DTLS connections can fall back to TLS
C. It can be configured to download automatically without prompting the user
M
D. To improve security, keepalives are disabled by default
E. It can use an SSL tunnel and a DTLS tunnel simultaneously
O
.C
Answer: C,E
N
52) Which three transports have been defined for SNMPv3? (Choose three)
E
A. IPsec secured tunnel
T
B. SSL IT
C. TLS
D. SSH
R
E. GET
W
F. DTLS
S
Answer: C,D,F
S
A
53) Which two statements about SPAN sessions are true? (Choose two)
.P
A. A single switch stack can support up to 32 source and RSPAN destination sessions
W
B. They can monitor sent and received packets in the same session
C. Multiple SPAN sessions can use the same destination port
W
D. Source ports and source VLANS can be mixed in the same session
E. They can be configured on ports in the disabled state before enabling the port
W
F. Local SPAN and RSPAN can be mixed in the same session
Answer: B,E
54) Which three ISAKMP SA Message States can be output from the device that initiated an IPsec tunnel?
(Choose three)
A. MM_WAIT_MSG3
B. MM_WAIT_MSG2
M
C. MM_WAIT_MSG1
D. MM_WAIT_MSG4
O
E. MM_WAIT_MSG6
.C
F. MM_WAIT_MSG5
N
E
Answer: B, D, E
T
55) Which three EAP protocols are supported in WPA and WPA2? (Choose three)
IT
A. EAP-FAST
B. EAP-AKA
R
C. EAP-EKE
W
D. EAP-EEE
E. EAP-SIM
S
F. EAP-PSK
S
Answer: A,B,E
A
.P
W
56) Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose three)
W
A. Authenticated-User-Idle-Timeout
B. Web-VPN-ACL-Filters
W
C. L2TP-Encryption
D. IPsec-Default-Domain
E. Authorized-Type
F. IPsec-Client-Firewall-Filter-Name
Answer: A,B,D
57) AMP for Endpoints is supported on which of these platforms?
A. Windows, ANDROID, Linux (REDHAT, CentOS), MAC

B. Windows, MAC, ANDROID
C. Windows, MAC, LINUX (SuSE, UBUNTU), ANDROID
M
D. Windows, ANDROID, LINUX ( SuSE, REDHAT)
O
.C
Answer: A
N
E
T
58) Which two statements about MAB are true? (Choose two)
IT
A. MAC addresses stored in the MAB database can be spoofed
B. It operates at Layer 2 and Layer 3 of the OSI protocol stack
R
C. It can be used to authenticate network devices and users
W
D. It serves at the primary authentication mechanism when deployed in conjunction with 802.1x
E. It requires the administrator to create and maintain an accurate database of MAC addresses
S
F. It is a strong authentication method

S
A
Answer: A,E
.P
W
W
W
59) Drag and drop the protocols on the left onto their descriptions on the right
M
O
.C
N
E
T
IT
Answer: 1-B , 2-D , 3-A , 4-C
R
W
S
S
A
60)
.P
Refer to the exhibit. Which meaning of this error message on a Cisco ASA is true?
W
A. The route map redistribution is configured incorrectly

B. The host is connected directly to the firewall
W
C. A packet was denied and dropped by an ACL

D. The default route is undefined
W
Answer: D
61) Which three statements about WCCP are true? (Choose three)
A. The minimum WCCP-Fast Timers messages interval is 500 ms

B. If a specific capability is missing from the capabilities Info Component, the router is assumed to
support the default capability
M
C. If the packet return method is missing form a packet return method advertisement, the web cache
uses the Layer 2 rewrite method
O
D. The router must receive a valid receive ID before it negotiates capabilities
.C
E. The assignment method supports GRE encapsulation for sending traffic
F. The web cache transmits its capabilities as soon as it receives a receive ID form a router
N
Answer: A,B,D
E
T
IT
62) Which two options are important considerations when you use wsa for to obtain the full picture of
network traffic? (Choose two)
R
A. It monitors only routed traffic
W
B. It is unable to monitor over time

C. It monitors only ingress traffic on the interface on which it is deployed
S
D. It monitors all traffic on the interface on which it is deployed

S
E. It monitors only TCP connections

A
Answer: A,D
.P
W
63) Which three VSA attributes are present in a RADIUS WLAN Access-accept packet? (Choose three)
A. EAP-Message
W
B. Tunnel-Type
W
C. LEAP Session-Key
D. Tunnel-Private-Group-ID
E. Authorization-Algorithm-Type
F. SSID
Answer: C,E,F
64) Which two options are unicast address types for IPv6 addressing? (Choose two)
A. Global
B. Established
C. Link-local
M
D. Static
E. Dynamic
O
.C
Answer: A,C
N
E
65) A client computer at 10.10.7.4 is trying to access a Linux server (11.0.1.9) that is running a Tomcat
T
Server application. What TCP dump filter would be best to verify that traffic is reaching the Linux Server
IT
eth0 interface?
R
A. tcpdump –i eth0 host 10.10.7.4 and host 11.0.1.9 and port 8080
B. tcpdump –i eth0 host 10.10.7.4 and 11.0.1.9
W
C. tcpdump –i eth0 dst 11.0.1.9 and dst port 8080

S
D. tcpdump –i eth0 src 10.10.7.4 and dst 11.0.1.9 and dst port 8080
S
Answer:D
A
.P
66) Which two statements about uRPF are true? (Choose two)
W
A. The administrator can configure the allow-default command to force the routing table to use only
the default route
W
B. In strict mode, only one routing path can be available to reach network devices on a subnet
C. The administrator can use the show cef interface command to determine whether uRPF is enabled
W
D. The administrator can configure the ip verify unicast source reachable-via any command to enable
the RPF check to work through HSRP routing groups
E. It is not supported on the Cisco ASA security appliance
Answer: A,C
67) Which three options are fields in a CoA Request code packet? (Choose three)
A. Length
B. Calling-station-ID
C. Authenticator
M
D. Acct-session-ID
E. State
O
F. Identifier
.C
Answer: B,D,E
N
E
68) When TCP Intercept is enabled in its default mode, how does it react to a SYN request?
T
A. It drops the connection IT
B. It intercepts the SYN before it reaches the server and responds with a SYN-ACK
C. It allows the connection without inspection
R
D. It monitors the attempted connection and drops it if it fails to establish within 30 seconds
W
E. It monitors the sequence of SYN, SYN-ACK, and ACK message until the connection is fully
established
S
Answer: B
S
A
.P
W
W
W
69)
M
Refer to the exhibit. What are two functionalities of this configuration? (Choose two)
O
A. The encapsulation command is used to do deep scan on dot1q encapsulation traffic
B. Traffic will not be able to pass on gigabitEthernet 0/1
.C
C. The ingress command is used for an IDS to send a reset on Vlan 3 only
D. Traffic will only be sent to gigabitEthernt 0/20
N
E. The source interface should always be a VLAN
E
T
Answer: C,D
IT
R
W
S
S
70)
A
Refer to the exhibit. What are two effects of the given configuration? (Choose two)
.P
A. The connection will remain open if the PASV reply command includes 5 commas
W
B. TCP connections will be completed only to TCP ports from 1 to 1024

C. FTP clients will be able to determine the server’s system type
W
D. The client must always send the PASV reply

E. The connection will remain open if the size of the STOR command is greater than a fixed constant
W
Answer: A,C
M
O
71)
.C
N
A. If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50
B. The device allows multiple authenticated sessions for a single MAC address in the voice domain
E
C. If multiple hosts have authenticated to the same port, each can be in their own assigned VLAN
T
D. If the authentication priority is changed the order in which authentication is preformed also
IT
changes
E. The switch periodically sends an EAP-Identity-Request to the endpoint supplicant
R
F. The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass
W
Answer: E,F
S
S
A
72) Which two options are normal functionalities for ICMP? (Choose two)
.P
A. Packet filtering
B. Host detection
W
C. Relaying traffic statistics to applications

W
D. Path MTU discovery

E. Router discovery
W
F. Port scanning
Answer: B,D
73) Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object group?
A. Object-group network CISCO

Group-object 10.2.1.0
M
B. Object network CISCO
Network-object object 10.2.1.0
O
C. Object network CISCO
.C
Group-object 10.2.1.0
N
D. Object-group network CISCO
Network-object host 10.2.1.0
E
Answer: D
T
IT
R
W
S
S
74)
A

.P
A. A downloadable ACL is applied after an AV pair ACL

W
B. For all users, entries in a downloadable ACL are given priority over entries in an AV pair ACL
C. The downloadable ACL and the AV pair ACL entries are merged together, one ACE at a time
W
D. The downloadable ACL and AV pair ACL are merged immediately when the RADIUS server is
activated
W
E. The downloadable ACL and AV pair ACL are merged after three connection attempts are made to
the RADIUS server
Answer: A
75) Which two events can cause a failover event on an active/standby setup? (Choose two)
A. The stateful failover link fails

B. The failover link fails
C. The active unit experiences interface failure above the threshold
M
D. The active unit fails
E. The unit that was previously active recovers.
O
.C
Answer: C,D
N
76) Within Platform as a Service, Which two components are managed by the customer? (Choose two)
E
A. Middleware
T
B. Applications IT
C. Data
D. Operating system
R
E. Networking
W
Answer: B,C
S
S
A
.P
W
W
W
M
O
.C
77)
Refer to the exhibit. Which level of encryption is set by this configuration?
N
A. 56-bit
E
B. 168-bit
T
C. 1024-bit IT
D. 192-bit
Answer: B
R
W
78) From the list below, which one is the major benefit of AMP Threat GRID?
S
S
A. AMP Threat Grid analyzes suspicious in your network against exactly 400 behavioral indicators
B. AMP Threat Grid combines Static, and Dynamic Malware analysis with threat intelligence info one
A
combined solution
.P
C. AMP threat Grid learns ONLY form data you pass on your network and not from anything else to
monitor for suspicious behavior. This makes the system much faster and efficient
W
D. AMP Threat Grid collects file information from customer servers and run tests on the, to see if they
are infected with viruses
W
Answer: B
W
79) Which three statements about PKI on Cisco IOS Software are true? (Choose three)
A. The match certificate and allow expired-certificate commands are ignored unless the router clock is
set
B. OSCP enables a PKI to use a CRL without time limitations
M
C. Different OSCP servers can be configured for different groups of client certificates
D. OSCP is well-suited for enterprise PKIs in which CRLs expire frequently
O
E. Certificate-based ACLs can be configured to allow expired certificates if the peer is otherwise valid
.C
F. If a certificate-based ACL specifies more than one filed, any one successful filed-to-value test is
treated as a match
N
Answer: C,D,E
E
T
IT
R
W
S
80)
S
Refer to the exhibit. For which type of user is this downloadable ACL appropriate?
A
A. Onsite contractors
.P
B. Management
W
C. Network administrators
D. Employees
W
E. Guest users
Answer: E
W
81) In which two situations is web authentication appropriate? (Choose two)
A. When a fallback authentication method is necessary

B. When 802.1x authentication is required
C. When WEP encryption must be deployed on a large scale
M
D. When devices outside the control of the organization’s It department are permitted to connect to
the network
O
E. When secure connections to the network are unnecessary
.C
Answer: A,D
N
E
82) Which two statements about Botnet traffic Filter snooping are true? (Choose two)
T
A. It can log and block suspicious connections from previously unknown bad domains and IP addresses
IT
B. It checks inbound and outbound traffic
C. It can inspect both IPv4 and IPv6 traffic
R
D. It requires the Cisco ASA DNS server to perform DNS lookups
W
E. It checks inbound traffic only

F. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database
S
Answer: B,F
S
83) Which command on Cisco ASA you can enter to send debug messages to a syslog server?
A
.P
A. Logging host
B. Logging debug-trace
W
C. Logging traps
D. Logging syslog
W
W
Answer: B
M
O
84)
.C
A. It creates a default class
N
B. It creates a resource class
E
C. It oversubscribes VPN sessions for the given class
D. It allows each context to use all available resources
T
Answer: B
IT
R
85) Which feature does Cisco VSG use to redirect traffic in a Cisco Nexus 1000V Series Switch ?
W
A. VPC
S
B. VDC
S
C. VEM
A
D. vPath
.P
Answer: D
W
W
W
86) Which two statements about ping flood attacks are true? (Choose two)
A. They attack by sending ping requests to the return address of the network
B. The use ICMP packets
C. They attack by sending ping requests to the broadcast address of the network
D. The attack is intended to overwhelm the CPU of the target victim
M
E. They use UDP packets
F. They use SYN packets
O
.C
Answer: B,C
N
E
87) Which best practice can limit inbound TTL expiry attacks?
T
A.
IT
Setting the TTL value to more than the longest path in the network
B. Setting the TTL value to zero
R
C. Setting the TTL value to less than the longest path in the network
D. Setting the TTL value equal to the longest path in the network
W
Answer: A
S
S
A
88) Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two)
.P
A. It can perform dynamic routing

B. It supports extended ACLs to allow Layer 3 traffic to pass form higher to lower security interfaces
W
C. It provides SSL VPN support

D. It can establish routing adjacencies
W
E. It can be added to an existing network without significant reconfiguration

W
Answer: B,E
89) Which description of SaaS is true?
A. A service offering that allowing developers to build their own applications

B. A service offering a software environment in which applications can be build and deployed
M
C. A service offering on-demand licensed applications for end users
D. A service offering on-demand software downloads
O
Answer: C
.C
N
90) What are two characteristics of RPL, used in loT environments? (Choose two)
E
A. It is an Exterior Gateway Protocol
T
B. It is a Interior Gateway Protocol IT
C. It is a hybrid protocol
D. It is link-state protocol
R
E. It is a distance-vector protocol
W
Answer: B,E
S
S
A
91) Which command is required for bonnet filter on Cisco aASA to function properly
.P
A. dynamic-filter inspecttcp/80
B. dynamic-filter whitelist
W
C. inspect botnet
D. inspect dns dynamic-filter-snoop
W
Answer: D
W
92) Which two statements about Cisco URL Filtering on Cisco IOS Software are true?(Choose Two)
A.By default, it allows all URLs when the connection to the filtering server is down.
B.It Supports Websense and N2H2 filtering at the same time.
M
C.ItSupports local URL lists and third-party URL filtering servers.
O
D.By default, it uses ports 8 and 22.
.C
E.It Supports HTTP and HTTPS traffic.
N
F.It requires minimal CPU time.
E
Answer:C,E
T
IT
93) .Which two options are open-source SDN controllers? (Choose two)
R
W
A) OpenContrail
B) OpenDaylight
S
C) Big Cloud Fabric

S
D) Virtual Application Networks SDN Controller

A
E) Application Policy Infrastructure Controller

.P
W
Answer: A,B
W
W
94) Which two statements about DTLS are true? (Choose two)
A. It uses two simultaneous IPsec tunnels to carry traffic

B. If DPD is enabled. DTLS can fall back to a TLS connection
M
C. It is disabled by default if you enable SSL VPN on the interface
D. If DTLS is disabled on an interface, then SSL VPN connections must use SSL/TLS tunnels
O
E. Because if requires two tunnels, it may experience more latency issues than SSL connections
.C
Answer: B, D
N
E
95) Which three statements about Dynamic ARP inspection on Cisco switches are true? (Choose three)
T
A. The trusted database can be manually configured using the CLI
IT
B. Dynamic ARP inspection is supported only on access ports
C. Dynamic ARP inspection does not perform ingress security checking
R
D. DHCP snooping is used to dynamically build the trusted database
W
E. Dynamic ARP inspection checks ARP packets against the trusted database
F. Dynamic ARP inspection checks ARP packets on trusted and untrusted ports
S
Answer: A, D ,E
S
A
.P
96) Which option is benefit of VRF Selection using Policy-Based Routing for packets to different VPNs?
A. It increases the router performance when longer subnet masks are in use
W
B. It supports more than one VPN per interface

C. It allows bidirectional traffic flow between the service provider and the CEs
W
D. It automatically enables fast switching on all directly connected interfaces

W
E. It can use global routing tables to forward packets if the destination address matches the VRF
configure on the interface
F. Every PE router in the service provider MPLS cloud can reach every customer network
Answer: E
97) Which command is used to enable 802.1x authorizationon an interface?
A. authentication port-control auto

B. aaa authorization auth-proxy default
M
C. aaa authorization network default group tacacs+
D. authentication control-direction both
O
E. authentication open
.C
N
Answer:C
E
T
98) What are the two most common methods that security auditors use to assess an organization’s
IT
security processes? (Choose two)
R
A. Social engineering attempts
W
B. Penetration testing
C. Physical observation
S
D. Document view
E. Interviews
S
F. Policy assessment
A
.P
W
Answer: A,D
W
W
99) Which two statements about Cisco VSG are true? (Choose two)
A. It uses optional IP-to-virtual machine mappings to simplify management of virtual machines
M
B. According to Cisco best practices, the VSG should use the same VLAN for VSM-VEM control
traffic and management traffic
O
C. It has built-in intelligence for redirecting traffic and fast-path offload.
D. Because it is deployed at layer 2, It can be inserted without significant reengineering of the
.C
network .
E. It can be integrated with VMWarevCenter to provide transparent provisioning of policies and
N
profiles.
E
F. It uses the Cisco VSG user agent to register with the Cisco Prime Network Services Controller
T
IT
Answer: C,E
R
W
S
S
100) Which two statements about NVGRE are true? (Choose two)
A
A. It allows a virtual machine to retain its MAC and IP addresses when it is moved to different
hypervisor on a different L3 network
.P
B. The virtual machines reside on a single virtual network regardless of their physical location
W
C. NVGRE endpoints can reside within a virtual machine

D. The network switch handles the addition and removal of NVGRE encapsulation
W
E. It supports up to 32 million virtual segments per instance

W
Answer: B,C
101) Which three statements about RLDP are true? (Choose three )
A. It detects rouge access points that are connected to the wired network
B. It can detect rouge APs operating only on 5 GHz
C. It can detect rouge APs that use WPA encryption
M
D. It can detect rouge APs that use WEP encryption
E. Active Rouge containment can be initiated manually against rouge devices detected on the
O
wired network
F. The AP is unable to serve clients while the RLDP process is active
.C
N
Answer: A,E,F
E
T
IT
R
102)
W
Refer to the exhibit. Which two statements about a device with this configuration are true?
(Choose two)
S
A. When a peer re-establishes a previous connection to the device. CTS retains all existing SGT
S
mapping entries for 3 minutes

A
B. If a peer reconnects to the device within 120 seconds of terminating a CTS-SXP connection, the
reconciliation timer starts
.P
C. If a peer re-establishes a connection to the device before the hold-down tier expires, the
device retains the SGT mapping entries it learned during the previous connection for an
W
additional 3 minutes
D. It sets the internal hold-down timer of the device to 3 minutes
W
E. When a peer establishes a new connection to the device, CTS retains all existing SGT mapping
W
entries for 3 minutes

F. If a peer reconnects to the device within 180 seconds of terminating a CTS-SXP connection, the
reconciliation timer starts
Answer: B,C
103) Which four task items need to be performed for an effective risk assessment and to evaluate
network posture? (Choose four)
A. Scanning
M
B. Mitigation
C. Baselining
O
D. Profiling
.C
E. Notification
F. Validation
N
G.Discovery
H.Escalation
E
T
Answer: A,D,F,G
IT
R
W
S
104) Which two statements about Cisco AMP for Web Security are true? (Choose two)
A. It can detect and block malware and other anomalous traffic before it passes through the Web
S
gateway.
A
B. It can identify anomalous traffic passing through the Web gateway by comparing it to an
established baseline of expected activity
.P
C. It can perform file analysis by sandboxing known malware and comparing unknown files to a
W
local repository of threats

D. It continues monitoring files after they pass the Web gateway
W
E. It can prevent malicious data exfiltration by blocking critical files from exiting through the Web
gateway
W
F. It can perform reputation-based evaluation and blocking by uploading of incoming files to a

cloud-based threat intelligence network
Answer:D,F
105) Drag each component of an Adaptive Wireless IPS deployment on the left to the matching
description on the right
M
O
.C
N
E
T
IT
R
W
S
S
A
.P
W
W
W
Answer: 1-F, 2-E, 3-B, 4-G, 5-D, 6-C, 7-A

106) Which two statements about a wireless access point configured with the guest-mode command
are true? (Choose two)
A. If one device on a network is configured in guest mode, clients can use the guest mode SSID
to connect to any device on the same network
M
B. It supports associations by clients that perform passive scans
C. It allows associated clients to transmit packets using its SSID
O
D. It can support more than one guest-mode SSID
E. It allows clients configured without SSID to associate
.C
N
E
Answer: B,E
T
IT
R
107) What are the major components of a Firepower health monitor alert?
W
A. A health monitor, one or more alert responses, and a remediation policy

S
B. One or more health modules, one more alert responses, and one or more alert actions
C. The severity level, one or more alert responses, and a remediation policy
S
D. One or more health modules, the severity level, and an alert response
A
E. One health module and one or more alert responses

.P
W
Answer: D
W
W
108) Which statement about managing Cisco ISE Guest Services is true?
A. Only a Super Admin or System Admin can delete the default Sponsor portal
B. ISE administrators can view and set a guest’s password to a custom value in the sponsor portal
C. ISE administrators can access the Sponsor portal only if they have valid Sponsor accounts
M
D. By default, an ISE administrator can manage only the guest accounts he or she created in the
Sponsor portal
O
E. Only ISE administrators from an external identity store can be members of a Sponsor group
F. ISE administrator can access the Sponsor portal only from the Guest Access menu
.C
N
Answer: D
E
T
109)
IT
Which two statements about 6to4 tunneling are true?
A. It provides a /48 address block
R
B. The prefix address of the tunnel is determined by the IPv6 configuration to the interface
C. It supports static and BGPv4 routing
W
D. It supports managed NAT along the path of the tunnel

E. It provides a /128 address block
S
F. It supports mutihoming
S
A
Answer: A,C
.P
W
110) Which connection mechanism does the eSTREAMER service use to communicate?
W
A. SSH
B. IPsec tunnels with 3DES encryption only
W
C. TCP over SSL only

D. EAP-TLS tunnels
E. TCP with optional SSL encryption
F. IPsec tunnels with 3DES or AES encryption
Answer: C
111) Which two statements about MPP (Management Plane protection) are true? (Choose two)
A. It is supported on both distributed and hardware-switched platforms
B. Only virtual interfaces associated with physical interfaces are supported
C. It is supported on both active and standby management interfaces
M
D. Only in-band management interfaces are supported
E. Only virtual interfaces associated with sub-interfaces are supported
O
F. Only out-of-band management interface are supported
.C
Answer: B,D
N
E
T
IT
R
W
112) Which two statements about EVPN are true? (Choose two)
S
A. EVPN routes can advertise VLAN membership and verify the reachability of Ethernet
S
segments
B. EVPN route exchange enables PEs to discover one another and elect a DF
A
C. It is a next-generation Ethernet L3VPN solution that simplifies control-plane operations and

.P
enhances scalability
D. EVPN routes can advertise backbone MAC reachability
W
E. EVIs allows you to map traffic on one or more VLANs or ports to a Bridge Domain
F. It is a next-generation Ethernet L2VPN solution that supports load balancing at the individual
W
flow level and provides advanced access redundancy

W
Answer: B,D
113) When applying MD5 route authentication on routers running RIP or EIGRP, which two important
key chain considerations should be accounted for ? (Choose two)
A. Key 0 of all key chains must match for all routers in the autonomous system
M
B. No more than three keys should be configured in any single chain
C. Routers should be configured for NTP to synchronize their clocks
O
D. The Lifetimes of the keys in the chain should overlap
E. Link compression techniques should be disabled on links transporting any MD5 hash
.C
N
Answer: C,D
E
T
IT
R
W
S
S
A
114)
Refer to the exhibit. What are two effects of the given configuration? (Choose two)
.P
A. It enables botnet filtering in multiple context mode

B. It enables botnet filtering in single context mode
W
C. It enables the ASA to download the static botnet filter database

W
D. It enables multiple context mode

E. It enables single context mode
W
F. It enables the ASA to download the dynamic botnet filter database
Answer: A,F
M
O
.C
N
115) Refer to
E
the exhibit. What feature must be implemented on the network to produce the given output?
T
A. NBAR IT
B. CAR
C. WFQ
R
D. PQ
E. CQ
W
S
S
A
Answer: A
.P
W
W
W
116) Which two commands would enable secure logging on a Cisco ASA to a syslog at 10.0.0.1?
(Choose two)
A. Logging host inside 10.0.0.1 TCP/1470 secure
B. Logging host inside 10.0.0.1 UDP/447 secure
M
C. Logging host inside 10.0.0.1 UDP/500 secure
D. Logging host inside 10.0.0.1 UDP/514 secure
O
E. Logging host inside 10.0.0.1 TCP/1500 secure
.C
N
Answer: A, E
E
T
IT
117) In a Cisco ASA multiple-context mode of operation configuration. What three session types are
R
resource-limited by default when their context is a member of the default class? (Choose three)
W
A. ASDM sessions
B. Telnet sessions
S
C. IPsec sessions
S
D. TCP sessions
E. SSH sessions
A
F. SSL VPN sessions

.P
W
Answer: A,B,E
W
W
118) Which statement regarding the routing functions of the Cisco ASA is true running software
version 9.2?
A. The ASA supports policy-based routing with route maps
B. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF
M
neighbors
C. The translation table cannot override the routing table for new connections
O
D. Routes to the Null0 interface cannot be configured to black-hole traffic
.C
N
Answer: D
E
T
119) Which direct of the crypto key encrypt write rsa command on a router is true ?
IT
A. The device saves the unlocked encrypted key to the NVRAM
B. The device encrypts and locks the key before authenticating it with an external CA server
R
C. The device unlocks the encrypted key, but the key is lost when the router is reloaded
D. The device locks the encrypted key, but the key is lost when the router is reloaded
W
E. The device locks the encrypted key and saves is to the NVRAM
S
S
Answer: A
A
.P
W
120) If an ASA device is configured as a remote access IPsec server with the RADIUS authentication and
password management enabled which type of authentication will it use?
W
A. MS-CHAPv1
W
B. NTLM
C. PAP
D. RSA
E. MS-CHAPv2
Answer: E
121) Which statement about deployment policies with the Firepower Management Center is true?
A. The global domain can deploy changes to individuals subdomains
B. The leaf domain can deploy changes to all subdomains simultaneously
C. Deploy tasks can be scheduled to deploy polices automatically
M
D. All policies are deployed on-demand when the administrator triggers them
E. Polices are deployed automatically when the administrator saves them
O
.C
Answer:C
N
E
T
IT
R
W
S
S
A
.P
W
W
W
122) Which of these command sequences will send an email to holly@invalid.com using SMTP?
A.
MAIL FROM:<david@invalid.com>
M
RCPT TO: <holly@invalid.com>
MESSAGE
O
.C
B.
MAIL FROM:<david@invalid.com>
N
E
DATA
T
IT
C.
HELO invalid.com
R
MAIL FROM : <david@invalid.com>
W

BODY
S
S
D.
HELO invalid.com
A
MAIL TO: <holly@invalid.com>

.P
MESSAGE
END
W
Answer:B
W
W
123) Which two statements about the SeND protocol are true? (Choose two)
A. It counters neighbor discovery threats
B. It logs IPv6-related threats to an external log server
C. It supports numerous custom neighbor discovery messages
M
D. It supports an autoconfiguration mechanism
E. It uses IPsec as a baseline mechanism
O
F. It must be enabled before you can configure IPv6 addresses
.C
N
Answer: A, D
E
T
IT
R
124)
W
Refer to the exhibit. Which effect of this command is true?

A. The current public key of the router is deleted from the cache when the router reboots, and
S
the router generates a new one

S
B. The CA revokes the public key certificate of the router

C. The router sends a request to the CA to delete the router certificate from its configuration
A
D. The router immediately deletes its current public key from the cache and generates a new
.P
one
E. The public key of the remote peer is deleted from the router cache
W
W
W
Answer: E
125) Which statement about MDM with the Cisco ISE is true?
A. The MDM’s server certificate must be imported into the Cisco ISE Certificate Store before the
MDM and ISE can establish a connection
B. MDM servers can generate custom ACLs for the Cisco ISE to apply to networks devices
M
C. The Cisco ISE supports limited built-in MDM functionality
D. The Cisco ISE supports a built-in list of MDM dictionary attributes it can use in authorization
O
policies
E. When a mobile endpoint becomes compliant, the Cisco ISE records the updated device status in
.C
its internal database
F. If mobile endpoint fails posture compliance, both the user and the administrator are notified
N
immediately
E
T
IT
Answer: A
R
W
S
S
A
.P
W
W
W
126) A server with IP address 209.165.202.150 is protected behind the inside interface of a Cisco ASA
and the Internet on the outside Interface. Users on the Internet need to access the server at
anytime, but the firewall administrator does not want to apply NAT to the address of the server
because it is currently a public address. Which three of the following commands can be used to
M
accomplish this ? ( Choose three)
A.
O
static (outside.inside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
.C
B.
N
access-list no-nat permit ip host 209.165.202.150 any
nat(inside) 0 access-list no-nat
E
T
C. IT
static (inside, outside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
R
D.
nat (inside) 1 209.165.202.150 255.255.255.255
W
S
E.
nonat-control
S
A
F.
nat(inside) 0 209.165.202.150 255.255.255.255
.P
W
W
W
Answer: B,C,F
127)
Refer to the exhibit. What is the effect of the given command?
M
A. It enables MPP on the FastEthernet 0/0 interface by enforcing rate-limiting for SSH and SNMP
management traffic
O
B. It enables MPP on the FastEthernet 0/0 interface for SSH and SNMP management traffic and
.C
CoPP for all other protocols
C. It enables MPP on the FastEthernet 0/0 interface, allowing only SSH and SNMP management
N
traffic
D. It enables QoS policing on the control plane of the FastEthernet 0/0 interface
E
E. It enables CoPP on the FastEthernet 0/0 interface for SSH and SNMP management traffic
T
IT
R
Answer: C
W
S
S
128) Which three statements about VRF-Aware Cisco Firewall are true? (Choose three)
A
A. It supports both global and per-VRF commands and DoS parameters

.P
B. It can generate syslog messages that are visible only to individual VPNs
C. It enables service providers to deploy firewalls on customer devices
W
D. It can run as more than one instance

E. It enables service providers to implement firewalls on PE devices
W
F. It can support VPN networks with overlapping address ranges without NAT
W
Answer: B, D, E
129) Which two statements about ICMP redirect messages are true? (Choose two)
A. They are generated by the host to inform the router of an alternate route to destination
B. The messages contain an ICMP Type 3 and ICMP code 7
C. Redirects are only punted to the CPU if the packets are also source-routed
M
D. By default. Configuring HSRP on the interface disables ICMP redirect functionality
E. They are generated when a packet enters and exits the same router interface
O
.C
Answer: D,E
N
E
T
IT
R
W
S
S
A
130)
.P
A. The BGP neighbor session tears down after R1 receives 100 prefixes from neighbor 1.1.1.1
B. The BGP neighbor session tears down after R1 receives 200 prefixes from neighbor 2.2.2.2
W
C. The BGP neighbor session between R1 and R2 re-establishes after 50 minutes

D. The BGP neighbor session between R1 and R2 re-establishes after 100 minutes
W
E. A warning message is displayed on R2 after it Receives 100 prefixes from neighbor 1.1.1.1
W
F. A warning message is displayed on R2 after it receives 50 prefixes
Answer: B, E
131) Which are the three scanning engines that the Cisco IronPort dynamic vectoring and streaming
engine can use to protect against malware? (Choose three)
A. Symantec
B. McAfee
M
C. F-Secure
D. TrendMicro
O
E. Sophos
F. Webroot
.C
N
E
Answer: B, E, F
T
IT
R
132) Which are two features that help to mitigate man-in-the-middle attacks? (Choose two)
W
A. ARP spoofing
B. ARP sniffing on specific ports
S
C. DHCP snooping
S
D. Destination MAC ACLs

E. Dynamic ARP inspection
A
.P
W
Answer: C, E
W
W
133) What are three technologies that can be used to trace the source of an attack in a network
environment with multiple exit/entry points? (Choose three)
A. Remotely-triggered destination-based black holing
M
B. ICMP Unreachable messages
C. Sinkholes
O
D. A honey pot
E. Traffic scrubbing
.C
N
Answer: C,D,E
E
T
IT
134) What IOS feature can prevent header attacks by using packet-header information to classify
R
traffic ?
W
A. LLQ
B. TOS
S
C. FPM
S
D. CAR
E. TTL
A
.P
W
Answer: C
W
W
135) Which two statements about the role-based access control are true? (Choose two)
A. Server profile administrators have read and write access to all system logs by default
B. The user profile on an AAA server is configured with the roles that grant user privileges
C. If the same user name is used for a local user account and a remote user account, the roles
M
defined in the remote user account override the local user account
D. A view is created on the Cisco IOS device to leverage role-based access controls.
O
E. Network administrator have read and write access to all system logs by default
.C
N
Answer: B, D
E
T
IT
136) What are two of the valid IPv6 extension headers? (Choose two)
A. Protocol
R
B. Options
W
C. Authentication Header
D. Next Header
S
E. Mobility
S
F. Hop Limit
A
.P
Answer: C, E
W
W
W
137) Which three of these are properties of RC4? (Choose three)

A. It is used in AES
B. It is an asymmetric cipher
C. It is a stream cipher
M
D. It is a symmetric cipher
E. It is used is SSL
O
F. It is a block cipher
.C
N
E
Answer: C, D, E
T
IT
R
138) What are two important guidelines to follow when implementing VTP? (Choose two)
A. Enabling VTP pruning on a server will enable the feature for the entire management domain
W
B. When using secure mode VTP, only configure management domain passwords on VTP servers
S
C. All switches in the VTP domain must run the same version of VTP
D. Use of the VTP multi-domain feature should be restricted to migration and temporary
S
implementation
A
E. CDP must be enabled on all switches in the VTP management domain

.P
W
Answer: A, C
W
W
M
O
.C
N
E
T
139)
IT
Refer to the exhibit, which two statements about the given IPv6 ZBF configuration are true?
R
(Choose two)
A. It inspects TCP, UDP, ICMP, and FTP traffic from z1 to z2
W
B. It passes TCP, UDP, ICMP, and FTP traffic from z1 to z2

S
C. It inspects TCP, UDP, ICMP, and FTP from z2 to z1

D. It passes TCP, UDP, ICMP, and FTP traffic in both directions between z1 and z2
S
E. It provides backward compatibility with legacy IPv4 inspection

A
F. It provides backward compatibility with legacy IPv6 inspection

.P
W
W
Answer: A, F
W
M
O
.C
N
140)
E
Exhibit which service or feature must be enabled on 209.165.200.255 produce the given
T
output?
IT
A) The finger service
B) A BOOTp server
R
C) A TCP small server
W
D) The PAD service

S
S
A
Answer: C
.P
W
W
W
141) Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for deployments in
air-gape mode?
A) The appliance can perform disposition lookup against either the Protect DB or the AMP public
cloud.
M
B) The appliance evaluates files against the threat intelligence and disposition information residing
on the Update Host.
O
C) The Update Host automatically downloads updates and deploys them to the Protect DB on a
.C
daily basis.
D) The appliance can perform disposition lookups against the Protect DB without an Internet
N
Connection.
E) The amp-sync tool syncs the threat-intelligence repository on the appliance directly with AMP
E
public cloud.
T
IT
Answer:D
R
W
S
S
A
.P
W
W
W
142) Which two cipher mechanisms does PCoIP use? (Choose two)
A) Blowfish
B) AES 256
M
C) Suite B
O
D) SEAL
.C
E) autokey
N
F) RC4
E
T
Answer :B,C
IT
R
W
S
S
A
.P
W
W
W
143) What SNMPv3 command disables descriptive error message?
A) snmp-server usm cisco
B)snmp-server inform
M
C)snmp-server infindex persist
O
D)snmp-server trap link switchover
.C
N
Answer :A
E
T
IT
144)Which two statement about ISO 27001 are true? Choose two.
R
A. It is closely aligned to ISO 22000 standard

W
B. it is an ISO 17799 code of practice.

C. It is an information security management systems specification.
S
D. It is a code of practice for informational social management

S
E.It was formerly known as BS7799-2

A
.P
Answer:C,E
W
W
W
145) Which address range is representative of Automatic Private IP Addressing?
A. 10.1.x.x
B. 172.10.1.x
M
C. 169.254.x.x
O
D. 196.245.x.x
.C
E. 128.1.1.x
N
F. 127.1.x.x
E
T
IT
Answer: C
R
W
146)Client MFP supplements rather than replaces infrastructure MFP. Which three are client MFP
S
components? (Choose three.)

S
A
A. key generation and distribution

.P
B. protection and validation of management frames

W
C. error reports
W
D. error generation
W
E. non-management messages protection
Answer: A, B, C
147)Which protocol does 802.1X use between the supplicant and the authenticator to authenticate users
who wish to access the network?
A. SNMP
M
B. TACACS+
O
C. RADIUS
.C
D. EAP over LAN
N
E. PPPoE
E
T
Answer: D IT
R
148)Which SSL protocol takes an application message to be transmitted, fragments the data into
W
manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits
the resulting unit in a TCP segment?
S
S
A. SSL Handshake Protocol

A
.P
B. SSL Alert Protocol
C. SSL Record Protocol

W
D. SSL Change CipherSpec Protocol

W
W
Answer: C
149)
M
O
A) NUD retransmits 1000 Neighbor solicitation messages every 4 hours and 4 minutes.
.C
B) NUD retransmits Neighbor Solicitation messages after 4, 16, 64 and 256 seconds.
C) NUD retransmits Neighbor Solicitation messages every 4 seconds.
N
D) NUD retransmits unsolicited Neighbor advertisements messages every 4 hours.
E
E) NUD retransmits f our Neighbor Solicitation messages every 1000 seconds.
F) NUD retransmits Neighbor Solicitation messages after 1, 4, 16, and 64 seconds.
T
IT
Answer: E
R
W
150)Which command can you enter on the Cisco ASA to disable SSH?
S
A) Crypto key generate ecdsa label

S
B) Crypto key generate rsa usage-keys noconfirm

A
C) Crypto keys generate rsa general-keys modulus 768

.P
D) Crypto keys generate ecdsa noconfirm

E) Crypto keys zeroize rsa noconfirm
W
W
Answer: E
W
151)Which Cisco ASA firewall mode supports ASDM one-time-password authentication using RSA
SecurID?
A. Network translation mode

B. Single-context routed mode
C. Multiple-context mode
M
D. Transparent mode
O
Answer: B
.C
N
E
T
152) Which two options are benefits of the Cisco ASA Identity Firewall? (Choose two)
IT
A. It can apply security policies on an individual user or user-group basis
B. It can identify threats quickly based on their URLs
R
C. It can operate completely independently of other services
W
D. It decouples security policies from the network topology

E. It supports an AD server module to verify identity data
S
S
Answer: A,D
A
.P
W
W
W
ALL OUR ACTIVE CLIENTS CAN GET DIRECT SUPPORT FROM

SKYPE: CCIEWRITTENDUMPS
OUR CCIE WRITTEN ENGINEERS ARE AVAILABLE ON SKYPE CHAT OR LIVE SUPPORT CHAT FROM
WEBSITE
M
http://PASSWRITTEN.COM (LIVE SUPPORT)
O
http://PASSWRITTEN.COM (UPDATED DATE)
.C
YOUR GATEWAY TO SUCCESS TOWARDS CCIE WRITTEN + LAB
N
ACTIVE CLIENTS WILL GET VERY SPECIAL DISCOUNTS ON OTHER CCIE TRACKS
E
KINDLY VISIT FOR FURTHER INFORMATION
T
CCIE R&S --WWW.PASSRNSLABS.COM (PRL)
IT
CCIE SECURITY ---->WWW.PASSSECURITYLABS.COM (PSL)
R
CCIE WIRELESS ---->WWW.PASSWIRELESSLABS.COM (PWL)
W
CCIE DATACENTER ---->WWW.PASSDATACENTERLABS.COM (PDL)
CCIE COLLABORATION ---->WWW.PASSCOLLABORATIONLABS.COM (PCL)

S
S
CCIE SERVICEPROVIDER ----->WWW.PASSSPLABS.COM (PSL)

A
CCDE LABS --WWW.PASSCCDELABS.COM (PCL)

.P
CCIE WRITTEN ----WWW.PASSWRITTEN.COM (PW)

W
VCIX --WWW.VCIXLABS.COM (VL)

W
WORLD FIRST REAL LAB RACK RENTAL FOR ALL CCIE TRACKS
CCIE RACK RENTALS ----->WWW.CCIERACK.RENTALS (CRR)
W
KINDLY CONTACT US AT SALES@PASSWRITTEN.COM FOR FURTHER INFORMATION ON OTHER TRACKS

Security Written - 01-July-17

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Security Written - 01-July-17

Uploaded by

Copyright:

Available Formats

PASSWRITTENDUMPS.

COM 400-251 1-July-17

CCIE SECURITY WRITTEN

A. user five can view usernames and password

C. User superuser can change usernames and passwords

E. User five can execute the show run command

A. DoS against an access point

B. DoS against a client station

B. The lacp system-priority and lacp port-priority values are same

8) Which option best describes RPL?

D. When a 40-bit key is in use

F. When a 64-bit key is in use

10) Which OpenStack project has orchestration capabilities?

arrive on any interface

B. It requires each connected client to authenticate individually

D. It is recommended for auth-fail VLANs

F. It is recommended for guest VLANs

D. All distribution switches need to support RSPAN

Refer to the exhibit. Which effect of this configuration is true?

A. If the RADIUS server is unreadable, SSH users cannot authenticate

20) Which command is used to enable 802.1x authentication on an interface?

A. authentication port-control auto

C. Identity Based Encryption (IBE)

A. MACsec is not supported in MDA mode

B. CA servers must support GetCACaps response messages in order to implement extended

A. DNS over TCP 53

B. global catalog over UDP 3268

D. DNS over UDP 53

F. SMB over TCP 455

28) Which effect of the crypto pki authenticate command is true?

A. It sets the certificate enrollment method

E. The SGA ZBPF uses the SGT to apply forwarding decisions

F. Packets can be tagged with SGTs only with hardware support

enter the username stored in the router's database

and aux logins

A. It can identify threats quickly based on their URLs

A. It allows the switch to detect IGMPv2 leave group messages

B. It optimizes the use of network bandwidth on the LAN segment

E. It improves the processing time of CGMP leave messages

receiving data for that group

Refer to the exhibit. Which effect of this configuration is true?

37) Which of the following is AMP Endpoints for windows?

38) Which two characteristics of DTLS are true? (Choose two)

A. It includes a retransmission method because it uses an unreliable datagram transport

A. It can summarize discontiguous IP addresses

41) Which statement about VRF-aware GDOI group members is true?

A. IPsec is used only to secure data traffic

A. Multicast group concept

C. Stub multicast routing

A. It is considered the cloud computing fabric controller

C. It tracks cloud usage statistics for billing purposes

E. It provides persistent block storage to running instances of virtual machines

A. Known allowed addresses

C. The RADIUS server is the policy enforcement point

D. The RADIUS server is the policy information point

A. It enables users to manage their own profiles

F. Local SPAN and RSPAN can be mixed in the same session

57) AMP for Endpoints is supported on which of these platforms?

A. Windows, ANDROID, Linux (REDHAT, CentOS), MAC

F. It is a strong authentication method

A. The route map redistribution is configured incorrectly

C. A packet was denied and dropped by an ACL

A. The minimum WCCP-Fast Timers messages interval is 500 ms