Youki PDF

Untitled Exam
Number: 000-000
Passing Score: 800
Time Limit: 120 min
File Version: 1.0
24 May 2019 - by Youki New questions are included
Number: 210-260
Passing Score: 860
Time Limit: 110 min
File Version: 1.0
Please let me know if questions are duplicated or references are not convenient enough
My Advises:
Dumps are not the way of your success just use it to practice on Cisco's questions methodoly nd how the
questioner is thinking.
Study the concepts very well this is the way you will get knowledge
Do not memories the answers if you feel that the question is new to you just review the concepts and get more
than one resource
Use the Official Guide + 31 days before CCNA Security Exam + Cisco resources to get the best answer
Some questions has no direct answers and clear answers, it depends what you understood from the article
Read Read Read the question again and again and again before you select the answer
In real work life dumps will not help you but knowledge gained byonde the dumps will absolutly
Hands on experience is your friend if you are going to be successful in this career
Resources:
Here you will get all you need to do all above advises
http://www.mediafire.com/folder/l6v353zta3jo9/CCNA%20%20Security%20210-260%20IINS
Contents:
– Exam Lab (Sim + Config)
– Official Guide Labs for Practice (GNS3)
– GNS3 Labs VMs torrent Files
– CCNA 210-260 dumps (Latest)
– All other dumps (old for practice – Old is Gold)
– All Drag and Drops (collected from 9tut commentator)
– CCNA 210-260 all you need download links for all resources
– CCNA 210-260 official e-Book and PDF
– CCNA 210-260 Official Lab Guide ( Step by step CCNA labs objectives)
– CCNA 210-260 tools (SecureCRT + ASA981 for GNS3 + ASDM Popular Versions + .bin files)
– CCNA 210-260 Study Group
– Helpful Docx (Hand notes + Configuration + Logs)
Assistance:
If you need assistance regarding setting up the lab enviroment or configuration you can communicate with me
on the following
1. Youky.Youk.Youky@gmail.com
2. Whatsapp study group link https://chat.whatsapp.com/HWRoHU69f2y8HeLQfupQh6
Regards,
Youki
Exam A
QUESTION 1
Which two services define cloud networks? (Choose two.)
A. Infrastructure as a Service
B. Platform as a Service
C. Security as a Service
D. Compute as a Service
E. Tenancy as a Service
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
The diagram below depicts the Cloud Computing stack – it shows three distinct categories within Cloud
Computing: Software as a Service, Platform as a Service and Infrastructure as a Service.
A simplified way of differentiating these flavors of Cloud Computing is as follows;

SaaS applications are designed for end-users, delivered over the web
PaaS is the set of tools and services designed to make coding and deploying those applications quick and
efficient
IaaS is the hardware and software that powers it all – servers, storage, networks, operating systems
Reference: https://support.rackspace.com/white-paper/understanding-the-cloud-computing-stack-saas-paas-
iaas/
QUESTION 2
In which two situations should you use out-of-band management? (Choose two.)
A. when a network device fails to forward packets

B. when you require ROMMON access
C. when management applications need concurrent access to the device
D. when you require administrator access from multiple locations
E. when the control plane fails to respond
Correct Answer: AB
Section: (none)
Explanation
OOB management is used for devices at the headquarters and is accomplished by connecting dedicated
management ports or spare Ethernet ports on devices directly to the dedicated OOB management network
hosting the management and monitoring applications and services. The OOB management network can be
either implemented as a collection of dedicated hardware or based on VLAN isolation.
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap9.html
QUESTION 3
In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)
A. TACACS uses TCP to communicate with the NAS.

B. TACACS can encrypt the entire packet that is sent to the NAS.
C. TACACS supports per-command authorization.
D. TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.
E. TACACS uses UDP to communicate with the NAS.
F. TACACS encrypts only the password field in an authentication packet.
Correct Answer: ABC

Section: (none)
Explanation
Reference: Cisco Official Certification Guide, Table 3-2 TACACS+ Versus RADIUS, p.40
QUESTION 4
According to Cisco best practices, which three protocols should the default ACL allow on an access port to
enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three.)
A. BOOTP
B. TFTP
C. DNS
D. MAB
E. HTTP
F. 802.1x
Correct Answer: ABC

Section: (none)
Explanation
An example of a default ACL on a campus access layer switch is shown below:
Extended IP access list ACL-DEFAULT
10 permit udp any eq bootpc any eq bootps log (2604 matches) 20 permit udp any host 10.230.1.45 eq domain
30 permit icmp any any
40 permit udp any any eq tftp
50 deny ip any any log (40 matches)
As seen from the output above, ACL-DEFAULT allows DHCP, DNS, ICMP, and TFTP traffic and denies
everything else.
Reference: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/
BYOD_Design_Guide/BYOD_Wired.html
QUESTION 5
Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)
A. AES
B. 3DES
C. DES
D. MD5
E. DH-1024
F. SHA-384
Correct Answer: AF
Section: (none)
Explanation
The Suite B next-generation encryption (NGE) includes algorithms for authenticated encryption, digital
signatures, key establishment, and cryptographic hashing, as listed here:
+ Elliptic Curve Cryptography (ECC) replaces RSA signatures with the ECDSA algorithm + AES in the Galois/
Counter Mode (GCM) of operation
+ ECC Digital Signature Algorithm
Reference: Cisco Official Certification Guide, Next-Generation Encryption Protocols, p.97
QUESTION 6
Which three ESP fields can be encrypted during transmission? (Choose three.)
A. Security Parameter Index

B. Sequence Number
C. MAC Address
D. Padding
E. Pad Length
F. Next Header
Correct Answer: DEF
Section: (none)
Explanation
The remaining four parts of the ESP are all encrypted during transmission across the network. Those parts are
as follows:
The Payload Data is the actual data that is carried by the packet.
The Padding, from 0 to 255 bytes of data, allows certain types of encryption algorithms to require the data to
be a multiple of a certain number of bytes. The padding also ensures that the text of a message terminates ona
four-byte boundary (an architectural requirement within IP).
The Pad Length field specifies how much of the payload is padding rather than data.
The Next Header field, like a standard IP Next Header field, identifies the type of data carried and the
protocol.
Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/
guide/IPsecPG1.html
QUESTION 7
What are two default Cisco IOS privilege levels? (Choose two.)
A. 0
B. 1
C. 5
D. 7
E. 10
F. 15
Correct Answer: BF
Section: (none)
Explanation
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user
EXEC mode (level 1) and privileged EXEC mode (level 15).
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
QUESTION 8
Which two authentication types does OSPF support? (Choose two.)
A. Plain text
B. MD5
C. HMAC
D. AES 256
E. SHA-1
F. DES
Correct Answer: AB
Section: (none)
Explanation
These are the three different types of authentication supported by OSPF
+ Null Authentication--This is also called Type 0 and it means no authentication information is included in the
packet header. It is the default.
+ Plain Text Authentication--This is also called Type 1 and it uses simple clear-text passwords.
+ MD5 Authentication--This is also called Type 2 and it uses MD5 cryptographic passwords.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html
QUESTION 9
Which two features do CoPP and CPPr use to protect the control plane? (Choose two.)
A. QoS
B. traffic classification
C. access lists
D. policy maps
E. class maps
F. Cisco Express Forwarding
Correct Answer: AB
Section: (none)
Explanation
You can specify that management traffic, such as SSH/HTTPS/SSL and so on, can be rate limited (policed)
down to a specific level or dropped completely.
Another way to think of this is as applying quality of service (QoS) to the valid management traffic and
policing to the bogus management traffic.(CoPP)
Just as with CoPP, it is necessary to develop a CPPr policy that is based on a traffic classification
methodology. Because CPPr filters traffic destined to the route processor, it is critical to have a thorough
understanding of the types of traffic that traverse the network, in particular the traffic that will terminate on the
Cisco IOS device being protected by CPPr. Because the CEF-exception and transit subinterfaces will each
filter transit traffic, this traffic should simply be rate limited at a conservative rate so that it does not impact any
customer applications. In other words, the only type of traffic that should be tightly controlled is the traffic that is
directed to the network device itself, that is, the traffic that will flow through to the CPPr host subinterface.
Source: Cisco Official Certification Guide, Table 10-3 Three Ways to Secure the Control Plane, p.269
https://www.cisco.com/c/en/us/about/security-center/understanding-cppr.html
QUESTION 10
Which two statements about stateless firewalls are true? (Choose two.)
A. They compare the 5-tuple of each incoming packet against configurable rules.
B. They cannot track connections.
C. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
D. Cisco IOS cannot implement them because the platform is stateful by nature.
E. The Cisco ASA is implicitly stateless because it blocks all traffic by default.
Correct Answer: AB
Section: (none)
Explanation
In stateless inspection, the firewall inspects a packet to determine the 5-tuple--source and destination IP
addresses and ports, and protocol--information contained in the packet. This static information is then
compared against configurable rules to determine whether to allow or drop the packet.
In stateless inspection the firewall examines each packet individually, it is unaware of the packets that have
passed through before it, and has no way of knowing if any given packet is part of an existing connection, is
trying to establish a new connection, or is a rogue packet.
Source: http://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/19-0/XMART/PSF/19-PSF-Admin/19-PSF-
Admin_chapter_01.html
QUESTION 11
Which three statements about host-based IPS are true? (Choose three)
A. It can view encrypted files.

B. It can have more restrictive policies than network-based IPS.
C. It can generate alerts based on behavior at the desktop level.
D. It can be deployed at the perimeter.
E. It uses signature-based policies.
F. It works with deployed firewalls.
Correct Answer: ABC

Section: (none)
Explanation
If the network traffic stream is encrypted, HIPS has access to the traffic in unencrypted form.
HIPS can combine the best features of antivirus, behavioral analysis, signature filters, network firewalls, and
application firewalls in one package.
Host-based IPS operates by detecting attacks that occur on a host on which it is installed. HIPS works by
intercepting operating system and application calls, securing the operating system and application
configurations, validating incoming service requests, and analyzing local log files for after-the-fact suspicious
activity.
Source: http://www.ciscopress.com/articles/article.asp?p=1336425&seqNum=3
QUESTION 12
What three actions are limitations when running IPS in promiscuous mode? (Choose three.)
A. deny attacker
B. deny packet
C. modify packet
D. request block connection
E. request block host
F. reset TCP connection
Correct Answer: ABC

Section: (none)
Explanation
In promiscuous mode, packets do not flow through the sensor. The disadvantage of operating in promiscuous
mode, however, is the sensor cannot stop malicious traffic from reaching its intended target for certain types of
attacks, such as atomic attacks (single-packet attacks). The response actions implemented by promiscuous
sensor devices are post-event responses and often require assistance from other networking devices, for
example, routers and firewalls, to respond to an attack.
Source: http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/
cli_interfaces.html
QUESTION 13
When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?
A. Deny the connection inline.

B. Perform a Layer 6 reset.
C. Deploy an antimalware system.
D. Enable bypass mode.
Correct Answer: A
Section: (none)
Explanation
Deny connection inline: This action terminates the packet that triggered the action and future packets that are
part of the same TCP connection. The attacker could open up a new TCP session (using different port
numbers), which could still be permitted through the inline IPS.
Available only if the sensor is configured as an IPS.
Source: Cisco Official Certification Guide, Table 17-4 Possible Sensor Responses to Detected Attacks, p.465
QUESTION 14
What is an advantage of implementing a Trusted Platform Module for disk encryption?
A. It provides hardware authentication.

B. It allows the hard disk to be transferred to another device without requiring re-encryption.dis
C. It supports a more complex encryption algorithm than other disk-encryption technologies.
D. It can protect against single points of failure.
Correct Answer: A
Section: (none)
Explanation
The Trusted Platform Module (TPM) is a component that can securely store artifacts that are used to
authenticate the server. These artifacts can include passwords, certificates, or encryption keys. A TPM can
also be used to store platform measurements that help ensure that the platform remains trustworthy.
Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process
helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer
computing in all environments. It is a requirement for the Intel Trusted Execution Technology (TXT) security
feature, which must be enabled in the BIOS settings for a server equipped with a TPM. Only the modular
servers in Cisco UCSME-2814 compute cartridges include support for TPM. TPM is enabled by default on
these servers
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-5/
b_UCSM_GUI_Quick_Reference_Guide_2_5/
b_UCSM_GUI_Quick_Reference_Guide_2_5_chapter_0110.html
QUESTION 15
What is the purpose of the Integrity component of the CIA triad?
A. to ensure that only authorized parties can modify data

B. to determine whether data is relevant
C. to create a process for accessing data
D. to ensure that only authorized parties can view data
Correct Answer: A
Section: (none)
Explanation
Integrity for data means that changes made to data are done only by authorized individuals/systems.
Corruption of data is a failure to maintain data integrity.
Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6
QUESTION 16
In a security context, which action can you take to address compliance?
A. Implement rules to prevent a vulnerability.

B. Correct or counteract a vulnerability.
C. Reduce the severity of a vulnerability.
D. Follow directions from the security appliance manufacturer to remediate a vulnerability.
Correct Answer: A
Section: (none)
Explanation
Addressing compliance is an integral part of security context. It implement rules to prevent vulnerability.
Reference: http://www.cisco.com/security/
QUESTION 17
Which type of secure connectivity does an extranet provide?
A. other company networks to your company network

B. remote branch offices to your company network
C. your company network to the Internet
D. new networks to your company network
Correct Answer: A
Section: (none)
Explanation
What is an Extranet? In the simplest terms possible, an extranet is a type of network that crosses
organizational boundaries, giving outsiders access to information and resources stored inside the
organization's internal network (Loshin, p. 14).
Reference: https://www.sans.org/reading-room/whitepapers/firewalls/securing-extranet-connections-816
QUESTION 18
Which tool can an attacker use to attempt a DDoS attack?
A. botnet
B. Trojan horse
C. virus
D. adware
Correct Answer: A
Section: (none)
Explanation
Denial-of-service (DoS) attack and distributed denial-of-service (DDoS) attack. An example is using a botnet to
attack a target system.
Reference: Cisco Official Certification Guide, Table 1-6 Additional Attack Methods, p.16
QUESTION 19
What type of security support is provided by the Open Web Application Security Project?
A. Education about common Web site vulnerabilities.

B. A Web site security framework.
C. A security discussion forum for Web site developers.
D. Scoring of common vulnerabilities and exposures.
Correct Answer: A
Section: (none)
Explanation
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization
focused on improving the security of software. Our mission is to make software security visible, so that
individuals and organizations are able to make informed decisions . OWASP is in a unique position to provide
impartial, practical information about AppSec to individuals, corporations, universities, government agencies
and other organizations worldwide.
Reference:https://www.owasp.org/index.php/Main_Page
QUESTION 20
What type of attack was the Stuxnet virus?
A. cyber warfare
B. hacktivism
C. botnet
D. social engineering
Correct Answer: A
Section: (none)
Explanation
Stuxnet virus is part of cyber warfare unleashed by governments to hinder their opponents computer systems
and steal vital information.
Reference: https://en.wikipedia.org/wiki/Stuxnet
QUESTION 21
What type of algorithm uses the same key to encrypt and decrypt data?
A. a symmetric algorithm
B. an asymmetric algorithm
C. a Public Key Infrastructure algorithm
D. an IP security algorithm
Correct Answer: A
Section: (none)
Explanation
A symmetric encryption algorithm, also known as a symmetrical cipher, uses the same key to encrypt the data
and decrypt the data.
Source: Cisco Official Certification Guide, p.93
QUESTION 22
Refer to the exhibit
########################
R1#show snmp
Chassis: FTX123456789
0 SNPM packets input
6 Bad SNMP version errors
3 Unknown community name
9 Illegal operation for community name supplied
4 Encoding errors
2 Number of requested variables
0 Number of altered variables
98 Get-request PDUs
12 Get-next PDUs
2 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
0 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name erorrs
0 Bad value errors
0 General errors
31 Response PDUs
1 Trap PDUs
#######################
How many times was a read-only string used to attempt a write operation?
A. 9
B. 6
C. 4
D. 3
E. 2
Correct Answer: A
Section: (none)
Explanation
The read-only string attempted a write operation nine times as seen in the exhibit. It says, 9 illegal operations to
community name supplied which means the read-only string attempted 9 write operations.
Reference: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
QUESTION 23
####################
R1>show clock detail

.22:22:35:123 UTC Tue Feb 26 2013
Time source NTP
####################
Which statement about the device time is true?
A. The time is authoritative, but the NTP process has lost contact with its servers.
B. The time is authoritative because the clock is in sync.
C. The clock is out of sync.
D. NTP is configured incorrectly.
E. The time is not authoritative.
Correct Answer: A
Section: (none)
Explanation
Reference
QUESTION 24
How does the Cisco ASA use Active Directory to authorize VPN users?
A. It queries the Active Directory server for a specific attribute for the specified user.
B. It sends the username and password to retrieve an ACCEPT or REJECT message from the Active
Directory server.
C. It downloads and stores the Active Directory database to query for future authorization requests.
D. It redirects requests to the Active Directory server defined for the VPN group.
Correct Answer: A
Section: (none)
Explanation
When user LDAP authentication for VPN access has succeeded, the ASA queries the LDAP server which
returns LDAP attributes. These attributes generally include authorization data that applies to the VPN session.
Thus, using LDAP accomplishes authentication and authorization in a single step.
Reference: //www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.html
(Authorization with LDAP for VPN)
QUESTION 25
Which statement about Cisco ACS authentication and authorization is true?
A. ACS servers can be clustered to provide scalability.

B. ACS can query multiple Active Directory domains.
C. ACS uses TACACS to proxy other authentication servers.
D. ACS can use only one authorization profile to allow or deny requests.
Correct Answer: A
Section: (none)
Explanation
Cisco Secure ACS 5.5 supports distributed deployment to provide high availability and scalability. A
deployment can be composed of multiple Cisco Secure ACS instances that are managed together in a single
distributed deployment. One system is designated as primary, and that system accepts configuration changes
and propagates them to the secondary instances. For the smallest deployments, one primary and one
secondary instance are recommended for redundancy. Larger deployments can add additional secondary
servers as dictated by network design. Release 5.5 officially supports up to 22 instances: one primary and 21
secondaries (one of which can work as a hot, or active, standby that can be manually promoted to primary in
case of primary failure), including a log collector, in a single cluster. All the Cisco Secure ACS instances are
identical in the sense that a full Cisco Secure ACS software version is installed on each of them. Yet part of the
functionality (AAA, management interface, or monitoring and reporting) can be disabled on these instances,
allowing each Cisco Secure ACS instance to play a specific role or roles in the deployment.
Reference: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/secure-access-
control-server-view/q-and-a-c67-730034.html
QUESTION 26
####################
Authentication event fail action next-method

Authentication event no-response action authorize vlan 101
Authentication order mab dot1x web auth
Authentication priority dot1x mab
Authentication port-control auto
Dot1x pas authenticator
####################
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will
the switch respond?
A. The supplicant will fail to advance beyond the webauth method.

B. The switch will cycle through the configured authentication methods indefinitely.
C. The authentication attempt will time out and the switch will place the port into the unauthorized state.
D. The authentication attempt will time out and the switch will place the port into VLAN 101.
Correct Answer: A
Section: (none)
Explanation
Flexible authentication (FlexAuth) is a set of features that allows IT administrators to configure the sequence
and priority of IEEE 802.1X, MAC authentication bypass (MAB), and switch-based web authentication (local
WebAuth).
Case 2: Order MAB Dot1x and Priority Dot1x MAB
If you change the order so that MAB comes before IEEE 802.1X authentication and change the default priority
so that IEEE 802.1X authentication precedes MAB, then every device in the network will still be subject to
MAB, but devices that pass MAB can subsequently go through IEEE 802.1X authentication.
Special consideration must be paid to what happens if a device fails IEEE 802.1X authentication after
successful MAB. First, the device will have temporary network access between the time MAB succeeds and
IEEE 802.1X authentication fails. What happens next depends on the configured event-fail behavior.
If next-method is configured and a third authentication method (such as WebAuth) is not enabled, then the
switch will return to the first method (MAB) after the held period. MAB will succeed, and the device will again
have temporary access until and unless the supplicant tries to authenticate again.
If next-method failure handling and local WebAuth are both configured after IEEE 802.1X authentication fails,
local WebAuth ignores EAPoL-Start commands from the supplicant.
MAB -->MAB Pass--> Port Authorized by MAB --> EAPoL-Start Received --> IEEE 802.1x
MAB -->MAB Fail--> IEEE 802.1x
(config-if)#authentication order mab dot1x
(config-if)#authentication priority dot1x mab
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-
service/ application_note_c27-573287.html
QUESTION 27
Which EAP method uses Protected Access Credentials?
A. EAP-FAST
B. EAP-TLS
C. EAP-PEAP
D. EAP-GTC
Correct Answer: A
Section: (none)
Explanation
EAP-FAST is an EAP method that enables secure communication between a client and an authentication
server by using Transport Layer Security (TLS) to establish a mutually authenticated tunnel. Within the tunnel,
data in the form of type, length, and value (TLV) objects are used to send further authentication-related data
between the client and the authentication server.
EAP-FAST supports the TLS extension as defined in RFC 4507 to support the fast re-establishment of the
secure tunnel without having to maintain per-session state on the server. EAP-FAST-based mechanisms are
defined to provision the credentials for the TLS extension. These credentials are called Protected Access
Credentials (PACs).
Reference: http://www.cisco.com/c/en/us/td/docs/wireless/wlan_adapter/cb21ag/user/vista/1-0/configuration/
guide/cb21ag10vistaconfigguide/eap_types.html
QUESTION 28
What is one requirement for locking a wired or wireless device from ISE?
A. The ISE agent must be installed on the device.

B. The device must be connected to the network when the lock command is executed.
C. The user must approve the locking action.
D. The organization must implement an acceptable use policy allowing device locking.
Correct Answer: A
Section: (none)
Explanation
Agents are applications that reside on client machines logging into the Cisco ISE network. Agents can be
persistent (like the AnyConnect, Cisco NAC Agent for Windows and Mac OS X) and remain on the client
machine after installation, even when the client is not logged into the network. Agents can also be temporal
(like the Cisco NAC Web Agent), removing themselves from the client machine after the login session has
terminated.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/
b_ise_admin_guide_20_chapter_010101.html
QUESTION 29
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
A. Hair-pinning
B. NAT
C. NAT traversal
D. split tunneling
Correct Answer: A
Section: (none)
Explanation
This feature is useful for VPN traffic that enters an interface, but is then routed out of that same interface. For
example, if you have a hub-and-spoke VPN network where the security appliance is the hub and the remote
VPN networks are spokes, in order for one spoke to communicate with another spoke traffic must go to the
security appliance and then out again to the other spoke.
Enter the same-security-traffic command in order to allow traffic to enter and exit the same interface.
ciscoasa(config)#same-security-traffic permit intra-interface
Reference: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-
firewalls/100918-asa-sslvpn-00.html
QUESTION 30
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
A. split tunneling
B. hairpinning
C. tunnel mode
D. transparent mode
Correct Answer: A
Section: (none)
Explanation
With split tunneling, the ASA notifies the Cisco AnyConnect Secure Mobility Client about
the secured subnets. The
VPN client encrypts only those packets that are destined for the networks behind the ASA.
All other traffic is sent
normally (in clear text) to the Internet. A split tunnel is not considered to be as secure,
because an attacker on the
Internet may potentially have access to the remote machine, which in turn has access to
the internal network through
the VPN. Personal firewall, antivirus, and antimalware software become very important in
this scenario.
Reference: 31 Days Before Your CCNA Security Exam
Youki Resources: http://www.mediafire.com/
file/3ao2l508qxyk73f/31_Days_Before_Your_CCNA_Security_Exam_%25282016%2529.pdf/file
QUESTION 31
#####################
Crypto ikev1 policy 1

Encryption aes
Hash md5
Authentication pre-share
Group 2
Lifetime 14400
####################
What is the effect of the given command sequence?
A. It configures IKE Phase 1.

B. It configures a site-to-site VPN tunnel.
C. It configures a crypto policy with a key size of 14400.
D. It configures IPSec Phase 2.
Correct Answer: A
Section: (none)
Explanation
Reference: OCG (Official Certification Guide Page: 137
QUESTION 32
Refer to the exhibit.
#####################
Crypto map mymap 20 match address 201

Access-list 201 permit ip 10.10.10.0 255.255.255.0 10.100.100.0 255.255.255.0
####################
What is the effect of the given command sequence?
A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
C. It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
Correct Answer: A
Section: (none)
Explanation
Reference: OCG Page 163

QUESTION 33
####################
Dst src state conn-id slot

10.10.10.2 10.1.1.5 QM_IDLE 1 0
####################
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given
output show?
A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.

B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5.
C. IPSec Phase 1 is down due to a QM_IDLE state.
D. IPSec Phase 2 is down due to a QM_IDLE state.
Correct Answer: A
Section: (none)
Explanation
Reference:OCG Page 169
QUESTION 34
####################
Current_peer: 10.1.1.5
Permit, flags={origin_is_acl,}
#pkts encaps: 1205, #pkts encrypt: 1025, #pkts digest 1205
#pkts decaps: 1168, #pkts decrypt: 1168, #pkts verify 1168
#pkts compressed: 0, #pkts decompressed: 0
#pkts not ocmpressed: 0, #pkts compr. Failed: 0,
#pkts decompress failed: 0, #send errors 0, #recv errors 0
Local crypto endpt.: 10.1.1.1, report ctypto endpt.: 10.1.1.5
####################
While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given
output show?
A. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5.

B. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1.
C. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5.
D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets.
Correct Answer: A
Section: (none)
Explanation
#pkts encaps: 1205 : Means Local peer encapsulated packets successfully
#pkts encrypt: 1025: Means Local peer encrypted packets successfully
So packets or traffic initiated from local peer appears fine.
#pkts decaps: 1168 : Means Local peer decapsulated packets successfully from
remote peer
#pkts decrypt: 1168: Means Local peer decrypted packets successfully from remote
peer
You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-
ipsec-debug-00.html (Sample)
QUESTION 35
####################
Username HelpDesk privilege 9 password 0 helpdesk

Username Monitor privilege 9 password 0 watcher
Username Admin password checkme
Username Admin privilege 6 autocommand show running
Privilege exec level 6 configure terminal
####################
The Admin user is unable to enter configuration mode on a device with the given configuration. What change
can you make to the configuration to correct the problem?
A. Remove the autocommand keyword and arguments from the Username Admin privilege line.
B. Change the Privilege exec level value to 15.
C. Remove the two Username Admin lines.
D. Remove the Privilege exec line.
Correct Answer: A
Section: (none)
Explanation
Causes the specified command to be issued automatically after the user logs in. When the command is
complete, the session is terminated. Because the command can be any length and can contain embedded
spaces, commands using the autocommand keyword must be the last option on the line.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-
xe-3se-3850-cr-book_chapter_0110.html
QUESTION 36
After reloading a router, you issue the dir command to verify the installation and observe that the image file
appears to be missing. For what reason could the image file fail to appear in the dir output?
A. The secure boot-image command is configured.

B. The secure boot-config command is configured.
C. The confreg 0x24 command is configured.
D. The reload command was issued from ROMMON.
Correct Answer: A
Section: (none)
Explanation
#secure boot-image
• Secured files will not appear on the output of a dir command issued from an executive shell because
the IFS prevents secure files in a directory from being listed. ROM monitor (ROMMON) mode does
not have any such restriction and can be used to list and boot secured files. The running image and
running configuration archives will not be visible in the Cisco IOS dir command output. Instead, use
the show secure bootset command to verify archive existence.
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-sy/sec-usr-cfg-15-
sy-book/sec-resil-config.pdf
QUESTION 37
What is the effect of the send-lifetime local 23:59:00 31 December 2013 infinite command?
A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time
on January 1, 2014 and continue using the key indefinitely.
B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time
on December 31, 2013 and continue using the key indefinitely.
C. It configures the device to begin accepting the authentication key from other devices immediately and stop
accepting the key at 23:59:00 local time on December 31, 2013.
D. It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00
local time on December 31, 2013.
E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time
on December 31, 2013 and continue accepting the key indefinitely.
F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time
on January 1, 2014 and continue accepting the key indefinitely.
Correct Answer: B
Section: (none)
Explanation
To send the valid key and to authenticate information from the local host to the peer, use the send-lifetime
command in keychain-key configuration mode.
Reference: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/security/command/reference/
b_syssec_cr42crs/b_syssec_cr41crs_chapter_0100.html
QUESTION 38
What type of packet creates and performs network operations on a network device?
A. control plane packets

B. data plane packets
C. management plane packets
D. services plane packets
Correct Answer: A
Section: (none)
Explanation
Control plane: This includes protocols and traffic that the network devices use on their own without direct
interaction from an administrator. An example is a routing protocol.
Reference: Cisco Official Certification Guide, The Network Foundation Protection Framework, p.264
QUESTION 39
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of
this activity?
A. The switch could offer fake DHCP addresses.

B. The switch could become the root bridge.
C. The switch could be allowed to join the VTP domain.
D. The switch could become a transparent bridge.
Correct Answer: B
Section: (none)
Explanation
If a switch receives an inferior BPDU, nothing changes. Receiving a superior BPDU will kick off a
reconvergence of the STP topology. So the rogue switch may become a root bridge.
Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/5234-5.html
QUESTION 40
In what type of attack does an attacker virtually change a device's burned-in address in an attempt to
circumvent access lists and mask the device's true identity?
A. gratuitous ARP
B. ARP poisoning
C. IP spoofing
D. MAC spoofing
Correct Answer: D
Section: (none)
Explanation
MAC spoofing attacks involve the use of a known MAC address of another host to attempt
to make the target switch
forward frames that are destined for the remote host to the network attacker. By sending a
single frame with the
source Ethernet address of the other host, the network attacker overwrites the Content
Addressable Memory (CAM)
table entry so that the switch forwards packets that are destined for the host to the network
attacker. Until the host
sends traffic, it does not receive any traffic. When the host sends out traffic, the CAM table
entry is rewritten once
more so that it moves back to the original port
http://www.mediafire.com/file/3ao2l508qxyk73f/31_Days_Before_Your_CCNA_Security_Exam_%25282016%
2529.pdf/file
QUESTION 41
What command can you use to verify the binding table status?
A. "show ip dhcp snooping binding"

B. "show ip dhcp pool"
C. "show ip dhcp source binding"
D. "show ip dhcp snooping"
E. "show ip dhcp snooping database"
F. "show ip dhcp snooping statistics"
Correct Answer: A
Section: (none)
Explanation
Confidence level: 100%
Note: Debatable Question this answer is from my perspective (You might use your skills to find the best
answer)
Simply the question ask about binding table

Cisco staright forward sentence
Use the show ip dhcp snooping binding command to display the DHCP binding table
References:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-
os-cfg/sec_dhcpsnoop.html
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/
snoodhcp.html#wp1084436
QUESTION 42
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?
A. STP root guard

B. EtherChannel guard
C. loop guard
D. STP BPDU guard
Correct Answer: A
Section: (none)
Explanation
BPDU guard and root guard are similar, but their impact is different. BPDU guard disables the port upon BPDU
reception if PortFast is enabled on the port. The disablement effectively denies devices behind such ports from
participation in STP. You must manually reenable the port that is put into errdisable state or configure
errdisable-timeout.
Root guard allows the device to participate in STP as long as the device does not try to become the root. If root
guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device
ceases to send superior BPDUs.
Reference: https//www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html
More info: https://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml
Another Explanation:
The root guard feature protects the network against such issues.
The configuration of root guard is on a per-port basis. Root guard does not allow the port to become an STP
root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take
the BPDU into account and elect a new STP root. Instead, root guard puts the port into the root-inconsistent
STP state. You must enable root guard on all ports where the root bridge should not appear. In a way, you can
configure a perimeter around the part of the network where the STP root is able to be located.
In the following figure, enable root guard on the Switch C port that connects to Switch D.
Switch C in figure below blocks the port that connects to Switch D, after the switch receives a superior BPDU.
Root guard puts the port in the root-inconsistent STP state. No traffic passes through the port in this state.
After device D ceases to send superior BPDUs, the port is unblocked again. Via STP, the port goes from the
listening state to the learning state, and eventually transitions to the forwarding state. Recovery is automatic; no
human intervention is necessary.
This message appears after root guard blocks a port:
%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77.

Moved to root-inconsistent state
QUESTION 43
Which statement about a PVLAN isolated port configured on a switch is true?
A. The isolated port can communicate only with the promiscuous port.
B. The isolated port can communicate with other isolated ports and the promiscuous port.
C. The isolated port can communicate only with community ports.
D. The isolated port can communicate only with other isolated ports.
Correct Answer: A
Section: (none)
Explanation
Isolated port—An isolated port is a host port that belongs to an isolated secondary VLAN. This port has
complete isolation from other ports within the same PVLAN domain, except that it can communicate
with associated promiscuous ports. PVLANs block all traffic to isolated ports except traffic from
promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You
can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated
from all other ports in the isolated VLAN.
An isolated port can be configured an access port
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/layer2/503_U2_1/
b_Cisco_n3k_layer2_config_guide_503_U2_1/b_Cisco_n3k_layer2_config_gd_503_U2_1_chapter_0101.pdf
QUESTION 44
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a
double-tagging attack?
A. The trunk port would go into an error-disabled state.

B. A VLAN hopping attack would be successful.
C. A VLAN hopping attack would be prevented.
D. The attacked VLAN will be pruned.
Correct Answer: C
Section: (none)
Explanation
Step 1. The attacker sends a double-tagged 802.1Q frame to the switch. The outer header has the VLAN tag
of the attacker, which is the same as the native VLAN of the trunk port. The assumption is that the switch
processes the frame received from the attacker as if it were on a trunk port or a port with a voice VLAN. (A
switch should not receive a tagged Ethernet frame on an access port.) For the purposes of this example,
assume that the native VLAN is VLAN 10. The inner tag is the victim VLAN; in this case, it is VLAN 20.
Step 2. The frame arrives on the switch, which looks at the first 4-byte 802.1Q tag. The switch sees that the
frame is destined for VLAN 10, which is the native VLAN. The switch forwards the packet out on all VLAN 10
ports after stripping the VLAN 10 tag. On the trunk port, the VLAN 10 tag is stripped, and the packet is not
retagged because it is part of the native VLAN. At this point, the VLAN 20 tag is still intact and has not been
inspected by the first switch.
Step 3. The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame is
destined for VLAN 20, the target VLAN. The second switch sends the frame on to the victim port or floods it,
depending on whether there is an existing MAC address table entry for the victim host.
This type of attack is unidirectional and works only when the attacker is connected to a port residing in the
same VLAN as the native VLAN of the trunk port. Thwarting this type of attack is not as easy as stopping basic
VLAN hopping attacks.
Reference: http://www.ciscopress.com/articles/article.asp?p=2181837&seqNum=10
QUESTION 45
What is a reason for an organization to deploy a personal firewall?
A. To protect endpoints such as desktops from malicious activity.

B. To protect one virtual network segment from another.
C. To determine whether a host meets minimum security posture requirements.
D. To create a separate, non-persistent virtual environment that can be destroyed after a session.
E. To protect the network from DoS and syn-flood attacks.
Correct Answer: A
Section: (none)
Explanation
Personal firewalls protect a single host, in contrast to traditional firewalls. Traditional
firewalls are installed at policy
enforcement points between networks. Therefore, traditional firewalls control traffic arriving
at and leaving networks,
whereas personal firewalls control traffic arriving at and leaving individual hosts. Originally,
personal firewalls were
add-on systems for PC operating systems, but they have now been integrated into most
modern operating systems.
Pervasive use of personal firewalls can be used to implement a distributed firewall. A
distributed firewall requires that
the personal firewall policies are controlled by a centralized administration system. A
distributed firewall can provide
similar protection as a traditional firewall. If all the hosts on a network are configured to
deny inbound HTTP, it is
similar to a traditional firewall denying inbound HTTP to that network.
Personal firewalls can be important in the protection of systems that can be moved between
networks. A laptop may
be well protected by firewalls of an organization when it is within the campus network. But
that laptop needs to
protect itself when it is connected to an Internet service at an airport, hotel, coffee shop, or
home of the user. Personal
firewalls are an important tool when split tunneling is used for remote-access VPN. If the
VPN client can access the Internet outside of the VPN tunnel, then likewise the Internet can
access the client outside of the VPN tunnel. If there
is a back door running on the VPN client, without a properly configured personal firewall, an
attacker can access that
back door and use the client VPN tunnel to access the internal network.
Personal firewalls have the ability to permit and deny traffic based on the application,
regardless of the protocols and
ports. Traffic is allowed to and from whitelisted applications and denied to and from
blacklisted applications. When a
new application attempts to use the network, the personal firewall may query the user
whether the application should
be whitelisted or blacklisted. This provides a level of protection against malware running as
an executable program.
Personal firewalls may also have the ability to define policies for different classes of
networks, such as work, home,
and public. When the personal firewall finds itself on a new network, it queries the user to
identify the class of the
network.
Source: 31 Days Before Your CCNA Security Exam Personal Firewalls p.470
QUESTION 46
Which statement about personal firewalls is true?
A. They can protect a system by denying probing requests.

B. They are resilient against kernel attacks.
C. They can protect email messages and private documents in a similar way to a VPN.
D. They can protect the network against attacks.
Correct Answer: A
Section: (none)
Explanation
Personal firewalls protect a single host, in contrast to traditional firewalls. Traditional
firewalls are installed at policy
enforcement points between networks. Therefore, traditional firewalls control traffic arriving
at and leaving networks,
whereas personal firewalls control traffic arriving at and leaving individual hosts. Originally,
personal firewalls were
add-on systems for PC operating systems, but they have now been integrated into most
modern operating systems.
Pervasive use of personal firewalls can be used to implement a distributed firewall. A
distributed firewall requires that
the personal firewall policies are controlled by a centralized administration system. A
distributed firewall can provide
similar protection as a traditional firewall. If all the hosts on a network are configured to
deny inbound HTTP, it is
similar to a traditional firewall denying inbound HTTP to that network.
Personal firewalls can be important in the protection of systems that can be moved between
networks. A laptop may
be well protected by firewalls of an organization when it is within the campus network. But
that laptop needs to
protect itself when it is connected to an Internet service at an airport, hotel, coffee shop, or
home of the user. Personal
firewalls are an important tool when split tunneling is used for remote-access VPN. If the
VPN client can access the Internet outside of the VPN tunnel, then likewise the Internet can
access the client outside of the VPN tunnel. If there
is a back door running on the VPN client, without a properly configured personal firewall, an
attacker can access that
back door and use the client VPN tunnel to access the internal network.
Personal firewalls have the ability to permit and deny traffic based on the application,
regardless of the protocols and
ports. Traffic is allowed to and from whitelisted applications and denied to and from
blacklisted applications. When a
new application attempts to use the network, the personal firewall may query the user
whether the application should
be whitelisted or blacklisted. This provides a level of protection against malware running as
an executable program.
Personal firewalls may also have the ability to define policies for different classes of
networks, such as work, home,
and public. When the personal firewall finds itself on a new network, it queries the user to
identify the class of the
network.
Source: 31 Days Before Your CCNA Security Exam Personal Firewalls p.470
QUESTION 47
#####################
UDP outside 209.165.201.225:53 inside 10.0.0.10:52464, idle 0:00:01, bytes 266,

flags –
#####################
What type of firewall would use the given configuration line?
A. a stateful firewall
B. a personal firewall
C. a proxy firewall
D. an application firewall
E. a stateless firewall
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-
firewalls/113602-ptn-113602.pdf (Sample)
QUESTION 48
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
A. Only control plane policing can protect the control plane against multicast traffic.
B. Stateful inspection of multicast traffic is supported only for the self-zone.
C. Stateful inspection for multicast traffic is supported only between the self-zone and the internal zone.
D. Stateful inspection of multicast traffic is supported only for the internal zone.
Correct Answer: A
Section: (none)
Explanation
Stateful inspection support for multicast traffic is not supported between any zones, including the self zone.
Use Control Plane Policing for protection of the control plane against multicast traffic
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-
xe-book/sec-zone-pol-fw.html
QUESTION 49
How does a zone-based firewall implementation handle traffic between interfaces in the same zone?
A. Traffic between two interfaces in the same zone is allowed by default.

B. Traffic between interfaces in the same zone is blocked unless you configure the same-security permit
command.
C. Traffic between interfaces in the same zone is always blocked.
D. Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone pair.
Correct Answer: A
Section: (none)
Explanation
Reference: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
QUESTION 50
Which two statements about Telnet access to the ASA are true? (Choose two).
A. You may VPN to the lowest security interface to telnet to an inside interface.
B. You must configure an AAA server to enable Telnet.
C. You can access all interfaces on an ASA using Telnet.
D. You must use the command virtual telnet to enable Telnet.
E. Best practice is to disable Telnet and use SSH.
Correct Answer: AE
Section: (none)
Explanation
firewalls/118075-configure-asa-00.pdf
QUESTION 51
Which statement about communication over failover interfaces is true?
A. All information that is sent over the failover and stateful failover interfaces is sent as clear text by default.
B. All information that is sent over the failover interface is sent as clear text, but the stateful failover link is
encrypted by default.
C. All information that is sent over the failover and stateful failover interfaces is encrypted by default.
D. User names, passwords, and preshared keys are encrypted by default when they are sent over the failover
and stateful failover interfaces, but other information is sent as clear text.
Correct Answer: A
Section: (none)
Explanation
QUESTION 52
If a packet matches more than one class map in an individual feature type's policy map, how does the ASA
handle the packet?
A. The ASA will apply the actions from only the first matching class map it finds for the feature type.
B. The ASA will apply the actions from only the most specific matching class map it finds for the feature type.
C. The ASA will apply the actions from all matching class maps it finds for the feature type.
D. The ASA will apply the actions from only the last matching class map it finds for the feature type.
Correct Answer: A
Section: (none)
Explanation
Reference: 31 Days Before Your CCNA Security Exam P373

2529.pdf/file
QUESTION 53
For what reason would you configure multiple security contexts on the ASA firewall?
A. To separate different departments and business units.

B. To enable the use of VRFs on routers that are adjacently connected.
C. To provide redundancy and high availability within the organization.
D. To enable the use of multicast routing and QoS through the firewall.
Correct Answer: A
Section: (none)
Explanation
QUESTION 54
What is an advantage of placing an IPS on the inside of a network?
A. It can provide higher throughput.

B. It receives traffic that has already been filtered.
C. It receives every inbound packet.
D. It can provide greater security.
Correct Answer: B
Section: (none)
Explanation
Reference: https://flylib.com/books/en/2.52.1.70/1/
QUESTION 55
What is the FirePOWER impact flag used for?
A. A value that indicates the potential severity of an attack.

B. A value that the administrator assigns to each signature.
C. A value that sets the priority of a signature.
D. A value that measures the application awareness.
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/api/eStreamer/
EventStreamerIntegrationGuide/IS-DCRecords.html
QUESTION 56
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
A. Rate-Based Prevention
B. Portscan Detection
C. IP Defragmentation
D. Inline Normalization
Correct Answer: A
Section: (none)
Explanation
QUESTION 57
Which Sourcefire logging action should you choose to record the most detail about a connection?
A. Enable logging at the end of the session.

B. Enable logging at the beginning of the session.
C. Enable alerts via SNMP to log events off-box.
D. Enable eStreamer to log events off-box.
Correct Answer: A
Section: (none)
Explanation
QUESTION 58
What can the SMTP preprocessor in FirePOWER normalize?
A. It can extract and decode email attachments in client to server traffic.

B. It can look up the email sender.
C. It compares known threats to the email sender.
D. It can forward the SMTP traffic to an email filter server.
E. It uses the Traffic Anomaly Detector.
Correct Answer: A
Section: (none)
Explanation
QUESTION 59
You want to allow all of your company's users to access the Internet without allowing other Web servers to
collect the IP addresses of individual users.
What two solutions can you use? (Choose two).
A. Configure a proxy server to hide users' local IP addresses.

B. Assign unique IP addresses to all users.
C. Assign the same IP address to all users.
D. Install a Web content filter to hide users' local IP addresses.
E. Configure a firewall to use Port Address Translation.
Correct Answer: AE
Section: (none)
Explanation
Reference:https://community.cisco.com/t5/networking-documents/proxy-server/ta-p/3115081
QUESTION 60
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security
Intelligence IP Address Reputation. A user calls and is not able to access a certain IP address. What action
can you take to allow the user access to the IP address?
A. Create a custom blacklist to allow traffic

B. Create a whitelist and add the appropriate IP address to allow traffic
C. Create a user-based access control rule to allow the traffic
D. Create a network-based access control rule to allow the traffic
E. Create a rule to bypass inspection to allow the traffic
Correct Answer: B
Section: (none)
Explanation
QUESTION 61
A specific URL has been identified as containing malware. What action can you take to block users from
accidentally visiting the URL and becoming infected with malware.
A. Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router's local URL
list
B. Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewall's local URL
list
C. Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router
D. Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL
list
E. Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter
router
Correct Answer: D
Section: (none)
Explanation
QUESTION 62
When is the best time to perform an antivirus signature update?
A. Every time a new update is available.

B. When the local scanner has detected a new virus.
C. When a new virus is discovered in the wild.
D. When the system detects a browser hook.
Correct Answer: A
Section: (none)
Explanation

2529.pdf/file
QUESTION 63
Which statement about application blocking is true?
A. It blocks access to specific programs.

B. It blocks access to files with specific extensions.
C. It blocks access to specific network addresses.
D. It blocks access to specific network services.
Correct Answer: A
Section: (none)
Explanation
OCG page 491
QUESTION 64
What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
Correct Answer: BDF
Section: (none)
Explanation
Data Plane Security
Access control lists
Antispoofing
Layer 2 security features Such as:
Port security
DHCP snooping
Dynamic ARP inspection (DAI)
IP source guard
QUESTION 65
How many crypto map sets can you apply to a router interface?
A. 3
B. 2
C. 4
D. 1
Correct Answer: D
Section: (none)
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/20/IPSec/b_20_IPSec/
b_20_IPSec_chapter_0110.pdf
QUESTION 66
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled

B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
D. forwarding, listening, learning, blocking, disabled
Correct Answer: C
Section: (none)
Explanation
Reference:https://learningnetwork.cisco.com/docs/DOC-27086
QUESTION 67
Which sensor mode can deny attackers inline?
A. IPS
B. fail-close
C. IDS
D. fail-open
Correct Answer: A
Section: (none)
Explanation
Reference:31 Days Before Your CCNA Security Exam

2529.pdf/file
Reference: OCG P.465
QUESTION 68
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Correct Answer: CD
Section: (none)
Explanation
Reference:https://www.cisco.com/c/en/us/td/docs/routers/access/
cisco_router_and_security_device_manager/24/software/user/guide/IPS.html
QUESTION 69
When a company puts a security policy in place, what is the effect on the company's business?
A. Minimizing risk
B. Minimizing total cost of ownership
C. Minimizing liability
D. Maximizing compliance
Correct Answer: A
Section: (none)
Explanation
Reference: https://www.cisco.com/c/dam/global/hr_hr/assets/Cisco_Security-Brosura.pdf
QUESTION 70
Which wildcard mask is associated with a subnet mask of /27?
A. 0.0.0.31
B. 0.0.0.27
C. 0.0.0.224
D. 0.0.0.255
Correct Answer: A
Section: (none)
Explanation
Use your skills to understand the concept and get the answer
QUESTION 71
Which statements about reflexive access lists are true? (Choose three.)
A. Reflexive access lists create a permanent ACE

B. Reflexive access lists approximate session filtering using the established keyword
C. Reflexive access lists can be attached to standard named IP ACLs
D. Reflexive access lists support UDP sessions
E. Reflexive access lists can be attached to extended named IP ACLs
F. Reflexive access lists support TCP sessions
Correct Answer: DEF

Section: (none)
Explanation
Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive
access lists with numbered or standard named IP access lists or with other protocol access lists.
However, reflexive access lists have significant differences from other types of access lists. Reflexive access
lists contain only temporary entries; these entries are automatically created when a new IP session begins (for
example, with an outbound packet), and the entries are removed when the session ends. Reflexive access lists
are not themselves applied directly to an interface, but are “nested” within an extended named IP access list
that is applied to the interface. (For more information about this, see the section “Reflexive Access Lists
Configuration Task List” later in this chapter.) Also, reflexive access lists do not have the usual implicit “deny all
traffic” statement at the end of the list, because of the nesting.
A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from
inside your network, with a packet traveling to the external network. When triggered, the reflexive access list
generates a new, temporary entry. This entry will permit traffic to enter your network if the traffic is part of the
session, but will not permit traffic to enter your network if the traffic is not part of the session.
Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html
QUESTION 72
Which actions can a promiscuous IPS take to mitigate an attack? (Choose three.)
A. Reset the TCP connection

B. Request connection blocking
C. Deny packets
D. Modify packets
E. Request host blocking
F. Deny frames
Correct Answer: ABE

Section: (none)
Explanation
Note: Be aware that there is a reverse version of this question, worded such as "What actions are limited when
running IPS in promiscuous mode?".
IPS Actions
When an IPS sensor detects malicious activity, it can choose from any or all the following actions:
Deny attacker inline: This action terminates the current packet and future packets from this attacker address
for a specified period of time. The sensor maintains a list of the attackers currently being denied by the system.
You can remove entries from the list or wait for the timer to expire. The timer is a sliding timer for each entry.
Therefore, if attacker A is currently being denied, but issues another attack, the timer for attacker A is reset,
and attacker A remains on the denied attacker list until the timer expires. If the denied attacker list is at
capacity and cannot add a new entry, the packet is still denied.
Deny connection inline: This action terminates the current packet and future packets on this TCP flow. This is
also referred to as deny flow.
Deny packet inline: This action terminates the packet.
Log attacker packets: This action starts IP logging on packets that contain the attacker address and sends an
alert. This action causes an alert to be written to the event store, which is local to the IOS router, even if the
produce-alert action is not selected. Produce alert is discussed later in a bullet.
Log pair packets: This action starts IP logging on packets that contain the attacker and victim address pair.
This action causes an alert to be written to the event store, even if the produce-alert action is not selected.
Log victim packets: This action starts IP logging on packets that contain the victim address and sends an alert.
This action causes an alert to be written to the event store, even if the produce-alert action is not selected.
Produce alert: This action writes the event to the event store as an alert.
Produce verbose alert: This action includes an encoded dump of the offending packet in the alert. This action
causes an alert to be written to the event store, even if the produce-alert action is not selected.
Request block connection: This action sends a request to a blocking device to block this connection.
Request block host: This action sends a request to a blocking device to block this attacker host.
Request SNMP trap: This action sends a request to the notification application component of the sensor to
perform Simple Network Management Protocol (SNMP) notification. This action causes an alert to be written to
the event store, even if produce-alert action is not selected.
Reset TCP connection: This action sends TCP resets to hijack and terminate the TCP flow.
Reference:http://www.ciscopress.com/articles/article.asp?p=1336425
QUESTION 73
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax
using the local database with no fallback method?
A. "aaa authentication enable console LOCAL SERVER_GROUP"

B. "aaa authentication enable console SERVER_GROUP LOCAL"
C. "aaa authentication enable console LOCAL"
D. "aaa authentication enable console local"
Correct Answer: C
Section: (none)
Explanation
Remember: The local database must be referenced in all capital letters when AAA is in use. If lower case
letters are used, the ASA will look for an AAA server group called "local".
QUESTION 74
Which Cisco Security Manager application collects information about device status and uses it to generate
notifications and alerts?
A. FlexConfig
B. Device Manager
C. Report Manager
D. Health and Performance Monitor
Correct Answer: D
Section: (none)
Explanation
Health and Performance Monitor (HPM) periodically polls monitored ASA devices, IPS devices, and ASA-
hosted VPN services for key health and performance data, including critical and non-critical issues, such as
memory usage, interface status, dropped packets, tunnel status, and so on. This information is used for alert
generation and email notification, and to display trends based on aggregated data, which is available for hourly,
daily, and weekly periods.
Reference: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/
security_manager/4-4/user/guide/CSMUserGuide_wrapper/wfplan.html
QUESTION 75
Which accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose
two.)
A. Stop
B. Stop-record
C. Stop-only
D. Start-stop
Correct Answer: CD
Section: (none)
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3s/sec-usr-aaa-
xe-3s-book/sec-cfg-accountg.html
QUESTION 76
Which command is needed to enable SSH support on a Cisco Router?
A. crypto key lock rsa

B. crypto key generate rsa
C. crypto key zeroize rsa
D. crypto key unlock rsa
Correct Answer: B
Section: (none)
Explanation
Reference:https://www.cisco.com/c/en/us/support/docs/security-vpn/secure-shell-ssh/4145-ssh.html
QUESTION 77
Which protocol provides security to Secure Copy?
A. IPsec
B. SSH
C. HTTPS
D. ESP
Correct Answer: B
Section: (none)
Explanation
The Secure Copy (SCP) feature provides a secure and authenticated method for copying device configurations
or device image files. SCP relies on Secure Shell (SSH), an application and protocol that provide a secure
replacement for the Berkeley r-tools suite (Berkeley university’s own set of networking applications).
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-
book/sec-secure-copy.html
QUESTION 78
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for
Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?
A. Ensure that the RDP plug-in is installed on the VPN gateway

B. Ensure that the RDP2 plug-in is installed on the VPN gateway
C. Reboot the VPN gateway
D. Instruct the user to reconnect to the VPN gateway
Correct Answer: B
Section: (none)
Explanation
firewalls/113600-technote-product-00.html
QUESTION 79
Which security zone is automatically defined by the system?
A. The source zone

B. The self zone
C. The destination zone
D. The inside zone
Correct Answer: B
Section: (none)
Explanation
The self zone is a system-defined zone which does not have any interfaces as members. A zone pair that
includes the self zone, along with the associated policy, applies to traffic directed to the device or traffic
generated by the device. It does not apply to traffic through the device.
The most common usage of firewall is to apply them to traffic through a device, so you need at least two zones
(that is, you cannot use the self zone).
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-zone-pol-
fw.html
QUESTION 80
What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)
A. The Internet Key Exchange protocol establishes security associations

B. The Internet Key Exchange protocol provides data confidentiality
C. The Internet Key Exchange protocol provides replay detection
D. The Internet Key Exchange protocol is responsible for mutual authentication
Correct Answer: AD
Section: (none)
Explanation
IPsec uses the Internet Key Exchange (IKE) protocol to negotiate and establish secured site-to-site or remote
access virtual private network (VPN) tunnels. IKE is a framework provided by the Internet Security Association
and Key Management Protocol (ISAKMP) and parts of two other key management protocols, namely Oakley
and Secure Key Exchange Mechanism (SKEME).
In IKE Phase 1 IPsec peers negotiate and authenticate each other. In Phase 2 they negotiate keying materials
and algorithms for the encryption of the data being transferred over the IPsec tunnel.
Reference: Cisco Official Certification Guide, p.123
Using the channel created in phase 1, this phase establishes IPSec security associations and negotiates
information needed for the IPSec tunnel. This phase can be seen in the above figure as “IPsec-SA
established.” Note that two phase 2 events are shown, this is because a separate SA is used for each subnet
configured to traverse the VPN.
Reference: https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/
Networking_Fundamentals%3A_IPSec_and_IKEv
QUESTION 81
Which address block is reserved for locally assigned unique local addresses?
A. 2002::/16
B. 2001::/32
C. FD00::/8
D. FB00::/8
Correct Answer: C
Section: (none)
Explanation
Using one of the common Unique Local IPv6 global prefix generators, the Acme corporate network was
assigned the global prefix of 6D8D64AF0C; when pushed together with the common unique local locally
assigned prefix (FD00::/8) the prefix expands to FD6D:8D64:AF0C::/48; this leaves Acme with an additional 16
bits of space to use for subnetting across their sites.
Reference: http://www.ciscopress.com/articles/article.asp?p=2154678&seqNum=2
QUESTION 82
What is a possible reason for the error message?
Router(config)#aaa server?% Unrecognized command
A. The command syntax requires a space after the word "server"

B. The command is invalid on the target device
C. The router is already running the latest operating system
D. The router is a new device on which the aaa new-model command must be applied before continuing
Correct Answer: D
Section: (none)
Explanation
Reference: https://community.cisco.com/t5/policy-and-access/cannot-configure-radius/td-p/3364790
Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-
control-system-tacacs-/10384-security.html
QUESTION 83
Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels require the client to have the application installed locally
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels support all operating systems
Correct Answer: AC
Section: (none)
Explanation
Tunnel offers better performance than browser plug-ins.
Port forwarding is the legacy technology for supporting TCP-based applications over a Clientless SSL VPN
connection. Unlike port forwarding, Smart Tunnel simplifies the user experience by not requiring the user
connection of the local application to the local port.
Smart Tunnel does not require users to have administrator privileges.
Smart Tunnel does not require the administrator to know application port numbers in advance.
Reference: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf
QUESTION 84
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down

B. STP loops may occur
C. The switch with the higher native VLAN may shut down
D. The interface with the lower native VLAN may shut down
Correct Answer: B
Section: (none)
Explanation
The traffic from mis-matched VLANs is restricted to the end of the trunk port where the mis-match occurs.
This is the result of Spanning Tree Protocols operation.
The point to be considered is that Spanning Tree Protocols operations, take into account the native vlan that is
configured on the trunk link.
Reference: https://learningnetwork.cisco.com/docs/DOC-25797
QUESTION 85
Which option describes information that must be considered when you apply an access list to a physical
interface?
A. Protocol used for filtering

B. Direction of the access class
C. Direction of the access group
D. Direction of the access list
Correct Answer: C
Section: (none)
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-
xe-3s-book/sec-create-ip-apply.html
QUESTION 86
Which source port does IKE use when NAT has been detected between two VPN gateways?
A. TCP 4500
B. TCP 500
C. UDP 4500
D. UDP 500
Correct Answer: C
Section: (none)
Explanation
QUESTION 87
Which of the following are features of IPsec transport mode? (Choose three.)
A. IPsec transport mode is used between gateways

B. IPsec transport mode is used between end stations
C. IPsec transport mode supports multicast
D. IPsec transport mode supports unicast
E. IPsec transport mode encrypts only the payload
F. IPsec transport mode encrypts the entire packet
Correct Answer: BDE

Section: (none)
Explanation
OCG p.153, 138
QUESTION 88
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
A. no switchport nonnegotiate
B. switchport
C. no switchport mode dynamic auto
D. no switchport
Correct Answer: D
Section: (none)
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/
configuration/guide/scg3750/swint.html
QUESTION 89
Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Correct Answer: BCE

Section: (none)
Explanation
Reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/asdm72/general/asa-general-asdm/aaa-
tacacs.html
QUESTION 90
Which type of IPS can identify worms that are propagating in a network?
A. Policy-based IPS
B. Anomaly-based IPS
C. Reputation-based IPS
D. Signature-based IPS
Correct Answer: B
Section: (none)
Explanation
Reference: Cisco Official Certification Guide, Anomaly-Based IPS/IDS, p.464
QUESTION 91
Which command verifies phase 1 of an IPsec VPN on a Cisco router?
A. show crypto map

B. show crypto ipsec sa
C. show crypto isakmp sa
D. show crypto engine connection active
Correct Answer: C
Section: (none)
Explanation
31 Days Before Your CCNA Security Exam P.207
QUESTION 92
What is the purpose of a honeypot IPS?
A. To create customized policies

B. To detect unknown attacks
C. To normalize streams
D. To collect information about attacks
Correct Answer: D
Section: (none)
Explanation
Reference: https://www.ciscopress.com/articles/article.asp?p=1336425
QUESTION 93
Which type of firewall can act on the behalf of the end device?
A. Stateful packet
B. Application
C. Packet
D. Proxy
Correct Answer: D
Section: (none)
Explanation
Reference: 31 Days Before Your CCNA Security Exam P.331
QUESTION 94
Which syslog severity level is level number 7?
A. Warning
B. Informational
C. Notification
D. Debugging
Correct Answer: D
Section: (none)
Explanation
"Every Awesome Cisco Engineer Will Need Icecream Daily" or "EACE WNID"
0 - Emergency
1 - Alert
2 - Critical
3 - Error
4 - Warning
5 - Notification
6 - Informational
7 - Debugging
QUESTION 95
By which kind of threat is the victim tricked into entering username and password information at a disguised
website?
A. Spoofing
B. Malware
C. Spam
D. Phishing
Correct Answer: D
Section: (none)
Explanation
Reference: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
QUESTION 96
Which type of mirroring does SPAN technology perform?
A. Remote mirroring over Layer 2

B. Remote mirroring over Layer 3
C. Local mirroring over Layer 2
D. Local mirroring over Layer 3
Correct Answer: C
Section: (none)
Explanation
The traffic for each RSPAN session is carried as Layer 2 nonroutable traffic over a user-specified RSPAN
VLAN that is dedicated for that RSPAN session in all participating switches. All participating switches must be
trunk-connected at Layer 2.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/
book/span.html
QUESTION 97
Which tasks is the session management path responsible for? (Choose three.)
A. Verifying IP checksums
B. Performing route lookup
C. Performing session lookup
D. Allocating NAT translations
E. Checking TCP sequence numbers
F. Checking packets against the access list
Correct Answer: BDF

Section: (none)
Explanation
The session management path is responsible for the following tasks:
– Performing the access list checks
– Performing route lookups
– Allocating NAT translations (xlates)
– Establishing sessions in the "fast path"
Reference: https://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg/
intro_f.html
QUESTION 98
Which network device does NTP authenticate?
A. Only the time source
B. Only the client device
C. The firewall and the client device
D. The client device and the time source
Correct Answer: A
Section: (none)
Explanation
BD
You can configure the device to authenticate the time sources to which the local clock is synchronized. When
you enable NTP authentication, the device synchronizes to a time source only if the source carries one of the
authentication keys specified by the ntp trusted-key command. The device drops any packets that fail the
authentication check and prevents them from updating the local clock. NTP authentication is disabled by
default.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/
configuration/guide/sm_nx_os_cg/sm_3ntp.html#wp1100303
QUESTION 99
Which Cisco product can help mitigate web-based attacks within a network?
A. Adaptive Security Appliance

B. Email Security Appliance
C. Identity Security Appliance
D. Web Security Appliance
Correct Answer: D
Section: (none)
Explanation
To protect against the growing breadth and diversity of threats in today’s business climate, you need a modern
approach. That means a variety of protections that can block hidden malware from both suspicious and
legitimate sites before it reaches you. We think the best Web security solutions today should be backed by the
best real-time security intelligence available to help you stay abreast of this changing threat landscape and
prevent the latest exploits from turning into issues. And modern Web security should be able to support
policies that give employees access to the sites they need to use to do their jobs while selectively denying the
use of undesired sites and features like web-based file-sharing.
You get all of those features and more with the Cisco® Web Security Appliance (WSA), Figure 1. Cisco WSA
safeguards businesses through broad threat intelligence, multiple layers of malware defense, and vital data
loss prevention (DLP) capabilities across the attack continuum. It’s an all-in-one web gateway that brings you
broad protection, extensive controls, and investment value. It also offers an array of competitive web security
deployment options, each of which includes Cisco’s market-leading global threat intelligence infrastructure.
Reference: https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/solution-
overview-c22-732948.html
QUESTION 100
Which statement correctly describes the function of a private VLAN?
A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains
B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains
C. A private VLAN enables the creation of multiple VLANs using one broadcast domain
D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast
domain
Correct Answer: A
Section: (none)
Explanation
A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the
ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary
VLANs
Reference: 31 Days Before Your CCNA Security Exam P.331

Reference: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/
CLIConfigurationGuide/PrivateVLANs.pdf
QUESTION 101
What hash type does Cisco use to validate the integrity of downloaded images?
A. Sha1
B. Sha2
C. MD5
D. Md1
Correct Answer: C
Section: (none)
Explanation
QUESTION 102
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
A. Unidirectional Link Detection

B. Unicast Reverse Path Forwarding
C. TrustSec
D. IP Source Guard
Correct Answer: B
Section: (none)
Explanation
BD
Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is enabled on an
interface, as packets enter that interface the router spends an extra moment considering the source address of
the packet. It then considers its own routing table, and if the routing table does not agree that the interface that
just received this packet is also the best egress interface to use for forwarding to the source address of the
packet, it then denies the packet.
This is a good way to limit IP spoofing.
Source: Cisco Official Certification Guide, Table 10-4 Protecting the Data Plane, p.270
QUESTION 103
What is the most common Cisco Discovery Protocol version 1 attack?
A. Denial of Service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping
Correct Answer: A
Section: (none)
Explanation
BD
CDP contains information about the network device, such as the software version, IP address, platform,
capabilities, and the native VLAN. When this information is available to an attacker computer, the attacker from
that computer can use it to find exploits to attack your network, usually in the form of a Denial of Service (DoS)
attack.
Source: https://howdoesinternetwork.com/2011/cdp-attack
QUESTION 104
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. Port security
B. Root guard
C. IP source guard
D. Dynamic port security
Correct Answer: D
Section: (none)
Explanation
Brad
Note: According to multiple links, port security is used to mitigate CAM overflow attacks. However, I found the
following statement on a Cisco page: "A more administratively scalable solution is the implementation of
dynamic port security at the switch". Because of this, I believe the verbiage "Cisco preferred" would point to
answer D.
Brad's source link (maybe): http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-

switches/72846-layer2-secftrs-catl3fixed.html
BD
User @Answer on securitytut.com considers A. as the correct answer.
QUESTION 105
Which option is the most effective placement of an IPS device within the infrastructure?
A. Inline, behind the internet router and firewall

B. Inline, before the internet router and firewall
C. Promiscuously, after the Internet router and before the firewall
D. Promiscuously, before the Internet router and the firewall
Correct Answer: A
Section: (none)
Explanation
BD
Firewalls are generally designed to be on the network perimeter and can handle dropping a lot of the non-
legitimate traffic (attacks, scans etc.) very quickly at the ingress interface, often in hardware.
An IDS/IPS is, generally speaking, doing more deep packet inspections and that is a much more
computationally expensive undertaking. For that reason, we prefer to filter what gets to it with the firewall line of
defense before engaging the IDS/IPS to analyze the traffic flow.
Source: https://supportforums.cisco.com/discussion/12428821/correct-placement-idsips-network-architecture
QUESTION 106
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events
will occur when the TACACS+ server returns an error? (Choose two.)
A. Authentication attempts to the router will be denied

B. The user will be prompted to authenticate using the enable password
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server
Correct Answer: BD
Section: (none)
Explanation
Brad
B and C
Notes: This is a widely debated question. See below:
- D is known incorrect. The router will eventually attempt to communicate with the TACACS server again, but
not immediately.
- We know B is correct based on the command line
- Cisco devices store the enable password locally, and default behavior is for Cisco devices to fallback to local
authentication when a TACACS/Radius server is down or returns an error. This is why I choose answer C.
- A user on the securitytut forums said that they labbed this scenario up and that A is a correct answer, not C. I
have no way of verifying whether that user made a mistake or not, so I am sticking with the answer my
research turned up.
BD
Two things I need to say. One, local database has nothing to do with enable secret/password as it is literally
created using username/password command combinations. Second there is no fallback safety failover with
aaa if you specify exact methods. Those exact methods are the only methods used, nothing else.
On the previous post I pasted an output for the authentication process with TACACS+ and enable. At a point
there was a timeout message which resulted in switching to the second authentication method, ENABLE. "Use
the timeout integer argument to specify the period of time (in seconds) the router will wait for a response from
the daemon before it times out and declares an error."
As a reference I used http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/
scftplus.html
What concerns me is ,,If an ERROR response is received, the network access server will typically try to use an
alternative method for authenticating the user." It doesn't specifically say ,,The router retries to connect with the
TACACS+".
QUESTION 107
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SDEE
B. Syslog
C. SNMP
D. CSM
Correct Answer: A
Section: (none)
Explanation
BD
IPS produces various types of events including intrusion alerts and status events. IPS communicates events to
clients such as management applications using the proprietary RDEP2. We have also developed an IPS-
industry leading protocol, SDEE, which is a product-independent standard for communicating security device
events. SDEE is an enhancement to the current version of RDEP2 that adds extensibility features that are
needed for communicating events generated by various types of security devices.
Source: http://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/ime/imeguide/
ime_system_architecture.html
QUESTION 108
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to
prevent loops?
A. STP elects the root bridge

B. STP selects the root port
C. STP selects the designated port
D. STP blocks one of the ports
Correct Answer: A
Section: (none)
Explanation
BD
First when the switches are powered on all the ports are in Blocking state (20 sec), during this time the + Root
Bridge is elected by exchanging BPDUs
+ The other switches will elect their Root ports
+ Every network segment will choosee their Designated port
Source: https://learningnetwork.cisco.com/thread/7677
QUESTION 109
Which components does HMAC use to determine the authenticity and integrity of a message? (Choose two.)
A. The password
B. The hash
C. The key
D. The transform set
Correct Answer: BC
Section: (none)
Explanation
BD
In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message
authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. It may be
used to simultaneously verify both the data integrity and the authentication of a message.
Source: https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
QUESTION 110
What is the default timeout interval during which a router waits for responses from a TACACS server before
declaring a timeout failure?
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds
Correct Answer: A
Section: (none)
Explanation
BD
To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout command
in global configuration mode. To restore the default, use the no form of this command.
If the command is not configured, the timeout interval is 5.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command
Explanation/Reference/srftacs.html
QUESTION 111
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Correct Answer: CEF

Section: (none)
Explanation
BD
The ASA supports the following authentication methods with RADIUS servers:
+ PAP -- For all connection types.
+ CHAP and MS-CHAPv1 -- For L2TP-over-IPsec connections.
+ MS-CHAPv2 - For L2TP-over-IPsec connections
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/general/asdm_71_general_config/
aaa_radius.pdf
There is an alternate version of this question that replaces RADIUS with TACACS. In that case, B is correct
and F is not.
QUESTION 112
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco

B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive
Correct Answer: C
Section: (none)
Explanation
BD
Like a CLI view, a lawful intercept view restricts access to specified commands and configuration information.
Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held
within the TAP-MIB, which is a special set of simple network management protocol (SNMP) commands that
store information about calls and users.
#li-view li-password user username password password
Source: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
Before you initialize a lawful intercept view, ensure that the privilege level is set to 15 via the privilege
command.
SUMMARY STEPS
1. enable view
2. configure terminal
3. li-view li-password user username password password
4. username lawful-intercept [name] [privilege privilege-level| view view-name] password password
5. parser view view-name
6. secret 5 encrypted-password
7. name new-name
QUESTION 113
Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. Port security
B. DHCP snooping
C. IP source guard
D. Dynamic ARP inspection
Correct Answer: BD
Section: (none)
Explanation
BD
+ ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a
host even if an ARP request was not received.
+ DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP
packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-
middle attacks.
+ DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted
database, the DHCP snooping binding database.
Source: Cisco Official Certification Guide, Dynamic ARP Inspection, p.254
QUESTION 114
Which of the following statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination

B. Extended access lists should be placed as near as possible to the source
C. Standard access lists should be placed as near as possible to the destination
D. Standard access lists should be placed as near as possible to the source
E. Standard access lists filter on the source address
F. Standard access lists filter on the destination address
Correct Answer: BCE

Section: (none)
Explanation
BD
Source: http://www.ciscopress.com/articles/article.asp?p=1697887
Standard ACL
1) Able Restrict, deny & filter packets by Host Ip or subnet only.
2) Best Practice is put Std. ACL closest to destination Source Host/Subnet (Interface-In-bound).
3) No Protocol based restriction. (Only HOST IP).
Extended ACL
1) More flexible then Standard ACL.
2) You can filter packets by Host/Subnet as well as Protocol/TCPPort/UDPPort.
3) Best Practice is put Extended ACL closest to Host/Subnet. (Interface-Outbound)
https://learningnetwork.cisco.com/thread/87593
You can place standard or extended ACL where you want in your network. The ACL rules are set to avoid
some disagreements in your network base on the following reasons:
Standard ACL"Should be placed closest to the destination network." because it filter traffic base on the source
IP address. As ACL work in sequence, when standard ACL is placed closest to the source it may stop the host
to access other resources in the network that you do want to stop. Therefore it make sense to place it closest
to the destination that you want to block access.
Extended ACL"Should be placed closest to the source network."because it filter base on much more specific
criteria such as source, destination ip address, protocol and port number. Therefore by placing it closest to the
source will only affect the specific host you are pointing and also will avoid the unwanted traffic to consume the
bandwidth in your network.
QUESTION 115
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effective when
applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective when
applied to the source
C. Extended access lists perform filtering that is based on destination and are most effective when applied to
the source
D. Extended access lists perform filtering that is based on source and are most effective when applied to the
destination
Correct Answer: B
Section: (none)
Explanation
BD
Source: http://www.ciscopress.com/articles/article.asp?p=1697887
Standard ACL
1) Able Restrict, deny & filter packets by Host Ip or subnet only.
2) Best Practice is put Std. ACL closest to destination Source Host/Subnet (Interface-In-bound).
3) No Protocol based restriction. (Only HOST IP).
Extended ACL
1) More flexible then Standard ACL.
2) You can filter packets by Host/Subnet as well as Protocol/TCPPort/UDPPort.
3) Best Practice is put Extended ACL closest to Host/Subnet. (Interface-Outbound)
You can place standard or extended ACL where you want in your network. The ACL rules are set to avoid
some disagreements in your network base on the following reasons:
Standard ACL"Should be placed closest to the destination network." because it filter traffic base on the source
IP address. As ACL work in sequence, when standard ACL is placed closest to the source it may stop the host
to access other resources in the network that you do want to stop. Therefore it make sense to place it closest
to the destination that you want to block access.
Extended ACL"Should be placed closest to the source network."because it filter base on much more specific
criteria such as source, destination ip address, protocol and port number. Therefore by placing it closest to the
source will only affect the specific host you are pointing and also will avoid the unwanted traffic to consume the
bandwidth in your network.
QUESTION 116
Which security measures can protect the control plane of a Cisco router? (Choose two.)
A. CPPr
B. Parser views
C. Access control lists
D. Port security
E. CoPP
Correct Answer: AE
Section: (none)
Explanation
BD
Three Ways to Secure the Control Plane
+ Control plane policing (CoPP): You can configure this as a filter for any traffic destined to an IP address on
the router itself.
+ Control plane protection (CPPr): This allows for a more detailed classification of traffic (more than CoPP) that
is going to use the CPU for handling.
+ Routing protocol authentication
For example, you could decide and configure the router to believe that SSH is acceptable at 100 packets per
second, syslog is acceptable at 200 packets per second, and so on. Traffic that exceeds the thresholds can be
safely dropped if it is not from one of your specific management stations.
You can specify all those details in the policy.
You learn more about control plane security in Chapter 13, “Securing Routing Protocols and the Control Plane.”
Selective Packet Discard (SPD) provides the ability to Although not necessarily a security feature, prioritize
certain types of packets (for example, routing protocol packets and Layer 2 keepalive messages, route
processor [RP]). SPD provides priority of critical control plane traffic which are received by the over traffic that
is less important or, worse yet, is being sent maliciously to starve the CPU of resources required for the RP.
Source: Cisco Official Certification Guide, Table 10-3 Three Ways to Secure the Control Plane , p.269
QUESTION 117
In which stage of an attack does the attacker discover devices on a target network?
A. Reconnaissance
B. Covering tracks
C. Gaining access
D. Maintaining access
Correct Answer: A
Section: (none)
Explanation
BD
Reconnaissance: This is the discovery process used to find information about the network. It could include
scans of the network to find out which IP addresses respond, and further scans to see which ports on the
devices at these IP addresses are open. This is usually the first step taken, to discover what is on the network
and to determine potential vulnerabilities.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
QUESTION 118
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose
two.)
A. FTP
B. SSH
C. Telnet
D. AAA
E. HTTPS
F. HTTP
Correct Answer: BE
Section: (none)
Explanation
BD
+ Secure Shell (SSH) provides the same functionality as Telnet, in that it gives you a CLI to a router or switch;
unlike Telnet, however, SSH encrypts all the packets that are used in the session.
+ For graphical user interface (GUI) management tools such as CCP, use HTTPS rather than HTTP because,
like SSH, it encrypts the session, which provides confidentiality for the packets in that session.
Source: Cisco Official Certification Guide, Encrypted Management Protocols, p.287
QUESTION 119
What are the primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. Switch spoofing
C. CAM-table overflow
D. Double tagging
Correct Answer: BD
Section: (none)
Explanation
BD
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN
(VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access
to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN
hopping: switch spoofing and double tagging.
+ In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking
protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol) used in
maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
+ In a double tagging attack, an attacking host connected on a 802.1q interface prepends two VLAN tags to
packets that it transmits.
Source: https://en.wikipedia.org/wiki/VLAN_hopping
QUESTION 120
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall
configuration?
A. Issue the command "anyconnect keep-installer" under the group policy or username webvpn mode
B. Issue the command "anyconnect keep-installer installed" in the global configuration
C. Issue the command "anyconnect keep-installer installed" under the group policy or username webvpn mode
D. Issue the command "anyconnect keep-installer installer" under the group policy or username webvpn
mode
Correct Answer: C
Section: (none)
Explanation
@day-2 on securitytut.com
Dumps, Brad etc.. say the correct answer is " C " !
But as we figured out and also verified here :
http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/vpn/asa-vpn-cli/vpn-anyconnect.html To
enable permanent client installation for a specific group or user, use the anyconnect keep-installer command
from group-policy or username webvpn modes:
anyconnect keep-installer installer
The default is that permanent installation of the client is enabled. The client remains on the remote computer at
the end of the session. The following example configures the existing group-policy sales to remove the client
on the remote computer at the end of the session:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# anyconnect keep-installer installed none So.. the command to enable it is
"anyconnect keep-installer installeR" , right ? BUT, to disable the feature of permanent client installation the
command is referred as "anyconnect keep- installer installeD none"
Doesn't look good to me but IF we assume that it's not a typo, the correct answer should be " D " , right ??
Take a look on the URL above that says "../asa/asa93/" !!! ASA93 ... keep that in mind please..
I checked every version of cisco configuration guide for the ASA anyconnect remote access VPN.
Every cisco configuration guide beyond v9.3 (9.4, 9.5, 9.6, 9.7 .. latest) doesn't refer the ACTUAL command to
enable the feature. Only how to disable it which is the same..
However, on EVERY cisco confifuration guide BEFORE v9.3 (9.2, 9.1 .. and all the way down) the command is
referred as :
anyconnect keep-installer installed
which indicates that "C" is the correct answer !
According to other pages i got from a simple google search e.g. : h???s://www.cisco????/c/en/us/support/
docs/ security/asa-5500-x-series-next-generation-firewalls/100597-technote-anyconnect-00.??ml in some point
it says :
Uninstall Automatically
Problem
The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep
installed is set to disabled.
Solution
AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device
Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under
group-policy.
Indicates that none of the answers is correct as "svc keep-installer installed" was valid for v8.3 and below ! Also
here : h??ps:?/networklessons.??m/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn/ i'm copying/
pasting from the url :
ASA1(config)# group-policy ANYCONNECT_POLICY attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless ASA1(config-group-policy)# split-tunnel-
policy tunnelspecified ASA1(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL ASA1(config-
group-policy)# dns-server value 8.8.8.8
ASA1(config-group-policy)# webvpn
ASA1(config-group-webvpn)# anyconnect keep-installer installed Indicates that "C" is correct too.. (but the asa
version is not referred..)
===========
BD
On my virtual ASA version 9.6(2) in my group policy I have
ciscoasa(config)# group-policy GroupPolicy_SecurityTut attributes Entering webvpn
ciscoasa(config-group-policy)# webvpn
And for the anyconnect keep-installer command it only shows me this ciscoasa(config-group-webvpn)#
anyconnect keep-installer ?
config-group-webvpn mode commands/options:
installed Keep the install enabler
none Do not keep the install enabler
ciscoasa(config-group-webvpn)# anyconnect keep-installer
So the command should be
ciscoasa(config-group-webvpn)# anyconnect keep-installer installed I guess that sets it straight, right?
QUESTION 121
Which type of security control is defense in depth?
A. Threat mitigation
B. Risk analysis
C. Botnet mitigation
D. Overt and covert channels
Correct Answer: A
Section: (none)
Explanation
BD
Defense in-depth is the key to stopping most, but not all, network and computer related attacks. It's a concept
of deploying several layers of defense that mitigate security threats.
Source: http://security2b.blogspot.ro/2006/12/what-is-defense-in-depth-and-why-is-it.html
QUESTION 122
On which Cisco Configuration Professional screen do you enable AAA
A. Authentication Policies
B. Authorization Policies
C. AAA Summary
D. AAA Servers and Groups
Correct Answer: C
Section: (none)
Explanation
Brad
Note: Never bothered to research this question. Screenshot of interface shows AAA Summary page with
“Enable AAA” button.
http://www.omnisecu.com/ccna-security/cisco-router-switch-aaa-login-authentication-configuration-using-
tacacs+-and-radius-protocols-through-ccp.php
Note that the screen actually showing the "Enable AAA" button shows a path of Configure -> Router -> AAA ->
AAA Summary
QUESTION 123
What are two uses of SIEM software? (Choose two.)
A. Performing automatic network audits

B. Alerting administrators to security events in real time
C. Configuring firewall and IDS devices
D. Scanning emails for suspicious attachments
E. Collecting and archiving syslog data
Correct Answer: BE
Section: (none)
Explanation
Brad
B and E
Note: C and D are definitely incorrect, and E is definitely right. I'm not completely sure about A and B.
BD
Security Information Event Management SIEM

+ Log collection of event records from sources throughout the organization provides important forensic tools
and helps to address compliance reporting requirements.
+ Normalization maps log messages from different systems into a common data model, enabling the
organization to connect and analyze related events, even if they are initially logged in different source formats.
+ Correlation links logs and events from disparate systems or applications, speeding detection of and reaction
to security threats.
+ Aggregation reduces the volume of event data by consolidating duplicate event records. + Reporting
presents the correlated, aggregated event data in real-time monitoring and long-term summaries.
Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-
architecture/sbaSIEM_deployG.pdf
QUESTION 124
What are the three layers of a hierarchical network design? (Choose three.)
A. access
B. core
C. distribution
D. user
E. server
F. Internet
Correct Answer: ABC

Section: (none)
Explanation
BD
A typical enterprise hierarchical LAN campus network design includes the following three layers:
+ Access layer: Provides workgroup/user access to the network + Distribution layer: Provides policy-based
connectivity and controls the boundary between the access and core layers
+ Core layer: Provides fast transport between distribution switches within the enterprise campus Source: http://
www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4
QUESTION 125
In which two situations should you use in-band management? (Choose two.)
A. When a network device fails to forward packets

B. When management applications need concurrent access to the device
C. When you require administrator access from multiple locations
D. When you require ROMMON access
E. When the control plane fails to respond
Correct Answer: BC
Section: (none)
Explanation
Brad
B and C
QUESTION 126
What are two ways to prevent eavesdropping when you perform device-management tasks? (Choose two.)
A. Use an SSH connection.

B. Use SNMPv3.
C. Use out-of-band management.
D. Use SNMPv2.
E. Use in-band management.
Correct Answer: AB
Section: (none)
Explanation
BD
Both SSH and SNMPv3 provide security of the packets through encryption
QUESTION 127
In which three ways does the RADIUS protocol differ from TACACS? (Choose three.)
A. RADIUS uses UDP to communicate with the NAS.

B. RADIUS encrypts only the password field in an authentication packet.
C. RADIUS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.
D. RADIUS uses TCP to communicate with the NAS.
E. RADIUS can encrypt the entire packet that is sent to the NAS.
F. RADIUS supports per-command authorization.
Correct Answer: ABC

Section: (none)
Explanation
BD
Source: Cisco Official Certification Guide, Table 3-2 TACACS+ Versus RADIUS, p.40
QUESTION 128
Which three statements describe DHCP spoofing attacks? (Choose three.)
A. They can modify traffic in transit.

B. They are used to perform man-in-the-middle attacks.
C. They use ARP poisoning.
D. They can access most network devices.
E. They protect the identity of the attacker by masking the DHCP address.
F. They can physically modify the network gateway.
Correct Answer: ABC
Section: (none)
Explanation
BD
DHCP spoofing occurs when an attacker attempts to respond to DHCP requests and trying to list themselves
(spoofs) as the default gateway or DNS server, hence, initiating a man in the middle attack. With that, it is
possible that they can intercept traffic from users before forwarding to the real gateway or perform DoS by
flooding the real DHCP server with request to choke ip address resources.
Source: https://learningnetwork.cisco.com/thread/67229
https://learningnetwork.cisco.com/docs/DOC-24355
Also when i took the exam, it asked me for only 2 options. AB is correct
QUESTION 129
A data breach has occurred and your company database has been copied. Which security principle has been
violated?
A. confidentiality
B. availability
C. access
D. control
Correct Answer: A
Section: (none)
Explanation
BD
Confidentiality: There are two types of data: data in motion as it moves across the network; and data at rest,
when data is sitting on storage media (server, local workstation, in the cloud, and so forth). Confidentiality
means that only the authorized individuals/ systems can view sensitive or classified information.
QUESTION 130
In which type of attack does an attacker send an email message that asks the recipient to click a link such as
https://www.cisco.net.cc/securelogs?
A. phishing
B. pharming
C. solicitation
D. secure transaction
Correct Answer: A
Section: (none)
Explanation
BD
Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is
prompted to disclose confidential information such as usernames/passwords.
Phishing elicits secure information through an e-mail message that appears to come from a legitimate source
such as a service provider or financial institution. The e-mail message may ask the user to reply with the
sensitive data, or to access a website to update information such as a bank account number.
Source: Cisco Official Certification Guide, Confidentiality, Table 1-5 Attack Methods, p.13; Social Engineering
Tactics, p.29
QUESTION 131
Your security team has discovered a malicious program that has been harvesting the CEO's email messages
and the company's user database for the last 6 months. What type of attack did your team discover? (Choose
two)
A. advanced persistent threat

B. targeted malware
C. drive-by spyware
D. social activism
Correct Answer: AB
Section: (none)
Explanation
BD
An Advanced Persistent Threat (APT) is a prolonged, aimed attack on a specific target with the intention to
compromise their system and gain information from or about that target.
The target can be a person, an organization or a business.
Source: https://blog.malwarebytes.com/cybercrime/malware/2016/07/explained-advanced-persistent-threat-apt/
One new malware threat has emerged as a definite concern, namely, targeted malware. Instead of blanketing
the Internet with a worm, targeted attacks concentrate on a single high-value target.
Source: http://crissp.poly.edu/wissp08/panel_malware.htm
QUESTION 132
Which statement provides the best definition of malware?
A. Malware is unwanted software that is harmful or destructive.

B. Malware is software used by nation states to commit cyber crimes.
C. Malware is a collection of worms, viruses, and Trojan horses that is distributed as a single package.
D. Malware is tools and applications that remove unwanted programs.
Correct Answer: A
Section: (none)
Explanation
BD
Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather
sensitive information, gain access to private computer systems, or display unwanted advertising.[1] Before the
term malware was coined by Yisrael Radai in 1990, malicious software was referred to as computer viruses.
Source: https://en.wikipedia.org/wiki/Malware
QUESTION 133
What mechanism does asymmetric cryptography use to secure data?
A. a public/private key pair

B. shared secret keys
C. an RSA nonce
D. an MD5 hash
Correct Answer: A
Section: (none)
Explanation
BD
Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys:
public keys which may be disseminated widely, and private keys which are known only to the owner. This
accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the
paired private key sent the message, and encryption, whereby only the holder of the paired private key can
decrypt the message encrypted with the public key.
Source: https://en.wikipedia.org/wiki/Public-key_cryptography
QUESTION 134
####################
209.114.111.1 configured, ipv4, sane, valid, stratum 2

ref ID 132.163.4.103 , time D7AD124D.9DEFT576 (03:17:33.614 UTC Sun Aug 31 2014)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
toot delay 46.34 user, root disp 23.52, reach 1, sync dist 268.59
delay 63.27 msec, offset 7.5817 *sec, dispersion 187.56, jitter 2.07 msec
precision 2**23, version 4
204.2.134.164 configured, ipv4, sane, valid, stroll=

ref ID 241.199.164.101, time D7AD1419.9E8S2728 103:25:13.619 UTC Sun Aug 31
2014)
our mode client, peer mode server, out poll intvl 64, peer poll intvl 256
root delay 30.83 msec, toot disp 4.88, reach 1, sync dist 223.80
delay 28.69 msec, offset 6.4331 met, dispersion 187.55, jitter 1.39 msec
192.168.10.7 configured, ipv4, our_master, sane, valid, stratum 3

ref ID 108.61.73.243 , time D7ADOD8F.AE79123k (02:57:19.681 UTC Sun Aug 31 2014)
our mode client, peer node server, our poll intvl 64, peer poll intvl 64
toot delay 86.45 msec, toot disp 87.82, teach 377, sync dist 134.25
delay 0.89 msec, offset 19.5087 user, dispersion 1.69, jitter 0.84 msec
####################
With which NTP server has the router synchronized?
A. 192.168.10.7
B. 108.61.73.243
C. 209.114.111.1
D. 132.163.4.103
E. 204.2.134.164
F. 241.199.164.101
Correct Answer: A
Section: (none)
Explanation
BD
The output presented is generated by the show ntp association detail command. Attributes:
+ configured: This NTP clock source has been configured to be a server. This value can also be dynamic,
where the peer/server was dynamically discovered.
+ our_master: The local client is synchronized to this peer
+ valid: The peer/server time is valid. The local client accepts this time if this peer becomes the master.
Source: http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html
QUESTION 135
####################
tacacs server tacacs1

address ipv4 1.1.1.1
timeout 20
single-connection
timeout 20
single-connection
timeout 20
single-connection
####################
Which statement about the given configuration is true?
A. The single-connection command causes the device to establish one connection for all TACACS
transactions.
B. The single-connection command causes the device to process one TACACS request and then move to the
next server.
C. The timeout command causes the device to move to the next server after 20 seconds of TACACS
inactivity.
D. The router communicates with the NAS on the default port, TCP 1645.
Correct Answer: A
Section: (none)
Explanation
BD
tacacs-server host host-name [port integer] [timeout integer] [key string] [single-connection] [nat] The single-
connection keyword specifies a single connection (only valid with CiscoSecure Release 1.0.1 or later). Rather
than have the router open and close a TCP connection to the server each time it must communicate, the
single-connection option maintains a single open connection between the router and the server. The single
connection is more efficient because it allows the server to handle a higher number of TACACS operations.
Explanation/Reference
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srftacs.html
QUESTION 136
What is the best way to confirm that AAA authentication is working properly?
A. Use the test aaa command.

B. Ping the NAS to confirm connectivity.
C. Use the Cisco-recommended configuration for AAA authentication.
D. Log into and out of the router, and then check the NAS authentication log.
Correct Answer: A
Section: (none)
Explanation
BD
#test aaa group tacacs+ admin cisco123 legacy - A llow verification of the authentication function working
between the AAA client (the router) and the ACS server (the AAA server).
Source: Cisco Official Certification Guide, Table 3-6 Command Reference, p.68
QUESTION 137
How does PEAP protect the EAP exchange?
A. It encrypts the exchange using the server certificate.

B. It encrypts the exchange using the client certificate.
C. It validates the server-supplied certificate, and then encrypts the exchange using the client certificate.
D. It validates the client-supplied certificate, and then encrypts the exchange using the server certificate.
Correct Answer: A
Section: (none)
Explanation
BD
PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS
tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It
then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations,
the keys for this encryption are transported using the server's public key.
Source: https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol
QUESTION 138
What improvement does EAP-FASTv2 provide over EAP-FAST?
A. It allows multiple credentials to be passed in a single EAP exchange.

B. It supports more secure encryption protocols.
C. It allows faster authentication by using fewer packets.
D. It addresses security vulnerabilities found in the original protocol.
Correct Answer: A
Section: (none)
Explanation
BD
As an enhancement to EAP-FAST, a differentiation was made to have a User PAC and a Machine PAC. After
a successful machine-authentication, ISE will issue a Machine-PAC to the client. Then, when processing a
user- authentication, ISE will request the Machine-PAC to prove that the machine was successfully
authenticated, too. This is the first time in 802.1X history that multiple credentials have been able to be
authenticated within a single EAP transaction, and it is known as "EAP Chaining".
Source: http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which-
identity-projects.html
QUESTION 139
How does a device on a network using ISE receive its digital certificate during the new-device registration
process?
A. ISE issues a pre-defined certificate from a local database

B. The device requests a new certificate directly from a central CA
C. ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
D. ISE issues a certificate from its internal CA server
Correct Answer: C
Section: (none)
Explanation
Brad
Note: Never bothered to research this question.
BD
SCEP Profile Configuration on ISE

Within this design, ISE is acting as a Simple Certificate Enrollment Protocol (SCEP) proxy server, thereby
allowing mobile clients to obtain their digital certificates from the CA server. This important feature of ISE
allows all endpoints, such as iOS, Android, Windows, and MAC, to obtain digital certificates through the ISE.
This feature combined with the initial registration process greatly simplifies the provisioning of digital
certificates on endpoints.
Source: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/
BYOD_Design_Guide/BYOD_ISE.html
QUESTION 140
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
A. It requests the administrator to choose between erasing all device data or only managed corporate data.
B. It requests the administrator to enter the device PIN or password before proceeding with the operation.
C. It notifies the device user and proceeds with the erase operation.
D. It immediately erases all data on the device.
Correct Answer: A
Section: (none)
Explanation
BD
Cisco ISE allows you to wipe or turn on pin lock for a device that is lost. From the MDM Access drop-down list,
choose any one of the following options:
+ Full Wipe -- Depending on the MDM vendor, this option either removes the corporate apps or resets the
device to the factory settings.
+ Corporate Wipe -- Removes applications that you have configured in the MDM server policies + PIN Lock --
Locks the device
Source: http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/
b_ise_admin_guide_14_chapter_01001.html#task_820C9C2A1A6647E995CA5AAB01E1CDEF
QUESTION 141
What configuration allows AnyConnect to automatically establish a VPN session when a user logs in to the
computer?
A. always-on
B. proxy
C. transparent mode
D. Trusted Network Detection
Correct Answer: A
Section: (none)
Explanation
BD
You can configure AnyConnect to establish a VPN session automatically after the user logs in to a computer.
The VPN session remains open until the user logs out of the computer, or the session timer or idle session
timer expires. The group policy assigned to the session specifies these timer values. If AnyConnect loses the
connection with the ASA, the ASA and the client retain the resources assigned to the session until one of these
timers expire. AnyConnect continually attempts to reestablish the connection to reactivate the session if it is still
open; otherwise, it continually attempts to establish a new VPN session.
Source: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/
guide/anyconnectadmin30/ac03vpn.pdf
QUESTION 142
What security feature allows a private IP address to access the Internet by translating it to a public address?
A. NAT
B. hairpinning
C. Trusted Network Detection
D. Certification Authority
Correct Answer: A
Section: (none)
Explanation
BD
Now the router itself does not have a problem with IP connectivity to the Internet because the router has a
globally reachable IP address (34.0.0.3) in this example. The users are not so fortunate, however, because
they are using private IP address space, and that kind of address is not allowed directly on the Internet by the
service providers. So, if the users want to access a server on the Internet, they forward their packets to the
default gateway, which in this case is R1, and if configured to do so, R1 modifies the IP headers in those
packets and swaps out the original source IP addresses with either its own global address or a global address
from a pool of global addresses (which R1 is responsible for managing, meaning that if a packet was destined
to one of those addresses, the routing to those addresses on the Internet would forward the packets back to
R1). These are global addresses assigned by the service provider for R1's use.
Source: Cisco Official Certification Guide, NAT Is About Hiding or Changing the Truth About Source
Addresses,
E. 366
QUESTION 143
####################
R1
Interface GigabitEthernet 0/0
Ip address 10.20.20.4 255.255.255.0
crypto iaakmp policy 1

authentication pre-share
Lifetime 84600
crypto Limbo key test67890 address 10.20.20.4
R2
Interface Gigabiathernet 0/0
Ip address 10.20.20.4 255.255.255.0
crypto isakmp policy 10

authentication pre-share
lifetime 84600
crypto isakmp key test12345 address 10.30.30.5
####################
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel.
What action can you take to correct the problem?
A. Edit the crypto keys on R1 and R2 to match.

B. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
C. Set a valid value for the crypto key lifetime on each router.
D. Edit the crypto isakmp key command on each router with the address value of its own interface.
Correct Answer: A
Section: (none)
Explanation
BD
Five basic items need to be agreed upon between the two VPN devices/gateways (in this case, the two routers)
for the IKE Phase 1 tunnel to succeed, as follows:
+ Hash algorithm
+ Encryption algorithm
+ Diffie-Hellman (DH) group
+ Authentication method: sed for verifying the identity of the VPN peer on the other side of the tunnel. Options
include a pre-shared key (PSK) used only for the authentication or RSA signatures (which leverage the public
keys contained in digital certificates).
+ Lifetime
The PSK used on the routers are different: test67890 and test12345 Source: Cisco Official Certification Guide,
The Play by Play for IPsec, p.124
QUESTION 144
####################
Crypto ipsec transform-set myset esp-md5-hmac esp-aes-256
####################
What is the effect of the given command?
A. It merges authentication and encryption methods to protect traffic that matches an ACL.
B. It configures the network to use a different transform set between peers.
C. It configures encryption for MD5 HMAC.
D. It configures authentication as AES 256.
Correct Answer: A
Section: (none)
Explanation
BD
A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP
Security protected traffic. During the IPSec security association negotiation, the peers agree to use a particular
transform set when protecting a particular data flow.
Explanation/Reference/srfipsec.html#wp1017694 To define a transform set -- an acceptable combination of

security protocols and algorithms -- use the crypto ipsec transform-set global configuration command.
ESP Encryption Transform
+ esp-aes 256: ESP with the 256-bit AES encryption algorithm.
ESP Authentication Transform
+ esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended)
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-
c3.html#wp2590984165
QUESTION 145
####################
Dst src state conn-id slot

10.10.10.2 10.1.1.5 MM_NO_STATE 1 0
####################
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given
output show?
A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
B. IKE Phase 1 main mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2.
D. IKE Phase 1 aggressive mode has successfully negotiated between 10.1.1.5 and 10.10.10.2.
Correct Answer: A
Section: (none)
Explanation
BD
This is the output of the #show crypto isakmp sa command. This command shows the Internet Security
Association Management Protocol (ISAKMP) security associations (SAs) built between peers - IPsec Phase1.
MM_NO_STATE means that main mode has failed. QM_IDLE - this is what we want to see.
More on this
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-
00.html
QUESTION 146
Which statement about IOS privilege levels is true?
A. Each privilege level supports the commands at its own level and all levels below it.
B. Each privilege level supports the commands at its own level and all levels above it.
C. Privilege-level commands are set explicitly for each user.
D. Each privilege level is independent of all other privilege levels.
Correct Answer: A
Section: (none)
Explanation
QUESTION 147
#####################
Username Engineer privilege 9 password 0 configure

Username Monitor privilege 8 password 0 vatcher
Username HelpDesk privilege 6 password help
Privilege exec level 6 show running
Privilege exec level 7 show start-up
Privilege exec level 9 configure terminal
Privilege exec level 10 interface
#####################
Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?
A. Privilege exec level 9 configure terminal

B. Privilege exec level 7 show start-up
C. Privilege exec level 10 interface
D. Username HelpDesk privilege 6 password help
Correct Answer: A
Section: (none)
Explanation
Brad
Note: I have seen a lot of claims that D is the correct answer, but this is wrong. The only thing command D
does is create the user "HelpDesk" with a privilege level of 6, and sets the password for that user to "help".
Command A sets the "configure terminal" command at privilege level 9, which is a higher level than HelpDesk
has access to.
Also, some of the dumps say "Privilege exec level 9 show configure terminal" in the config and the answer
options. This is not a different version of the question, it is a mistake. The line "show configure terminal" is not
a valid command in Cisco IOS.
QUESTION 148
In the router “ospf 200" command, what does the value 200 stand for?
A. process ID
B. area ID
C. administrative distance value
D. ABR ID
Correct Answer: A
Section: (none)
Explanation
BD
Enabling OSPF
SUMMARY STEPS
1. enable
3. router ospf process-id
4. network ip-address wildcard-mask area area-id
5. end
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/12-4t/iro-12-4t-book/iro-
cfg.html
QUESTION 149
Which feature filters CoPP packets?
A. Policy maps
B. Class maps
C. Access control lists
D. Route maps
Correct Answer: C
Section: (none)
Explanation
Brad
Note: All the dumps say C is the correct answer. I have never been able to find anything concrete on this, but
some people say A is correct.
Runbuh - it's C
QUESTION 150
In which type of attack does the attacker attempt to overload the CAM table on a switch so that the switch acts
as a hub?
A. MAC spoofing
B. gratuitous ARP
C. MAC flooding
D. DoS
Correct Answer: C
Section: (none)
Explanation
BD
MAC address flooding is an attack technique used to exploit the memory and hardware limitations in a switch's
CAM table.
Source: http://hakipedia.com/index.php/CAM_Table_Overflow
QUESTION 151
Which type of PVLAN port allows a host in the same VLAN to communicate directly with another?
A. community for hosts in the PVLAN

B. promiscuous for hosts in the PVLAN
C. isolated for hosts in the PVLAN
D. span for hosts in the PVLAN
Correct Answer: A
Section: (none)
Explanation
BD
The types of private VLAN ports are as follows:
+ Promiscuous - The promiscuous port can communicate with all interfaces, including the community and
isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated
with the primary VLAN
+ Isolated - This port has complete isolation from other ports within the same private VLAN domain, except that
it can communicate with associated promiscuous ports.
+ Community -- A community port is a host port that belongs to a community secondary VLAN. Community
ports communicate with other ports in the same community VLAN and with associated promiscuous ports.
These interfaces are isolated from all other interfaces in other communities and from all isolated ports within
the private VLAN domain.
Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/
CLIConfigurationGuide/PrivateVLANs.html#42874
QUESTION 152
What is a potential drawback to leaving VLAN 1 as the native VLAN?
A. It may be susceptible to a VLAN hopping attack.

B. Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
C. The CAM might be overloaded, effectively turning the switch into a hub.
D. VLAN 1 might be vulnerable to IP address spoofing.
Correct Answer: A
Section: (none)
Explanation
BD
VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN
(VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access
to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN
hopping: switch spoofing and double tagging.
+ In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking
protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol) used in
maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
+ In a double tagging attack, an attacking host connected on a 802.1q interface prepends two VLAN tags to
packets that it transmits.
Double Tagging can only be exploited when switches use "Native VLANs". Ports with a specific access VLAN
(the native VLAN) don't apply a VLAN tag when sending frames, allowing the attacker's fake VLAN tag to be
read by the next switch. Double Tagging can be mitigated by either one of the following actions:
+ Simply do not put any hosts on VLAN 1 (The default VLAN). i.e., assign an access VLAN other than VLAN 1
to every access port
+ Change the native VLAN on all trunk ports to an unused VLAN ID.
+ Explicit tagging of the native VLAN on all trunk ports. Must be configured on all switches in network
autonomy.
Source: https://en.wikipedia.org/wiki/VLAN_hopping
QUESTION 153
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
(Choose three).
A. When matching ACL entries are configured

B. When the firewall requires strict HTTP inspection
C. When matching NAT entries are configured
D. When the firewall recieves a FIN packet
E. When the firewall requires HTTP inspection
F. When the firewall already has a TCP connection
Correct Answer: ACF

Section: (none)
Explanation
Brad
Note: The dumps say the correct answers are A, C, E. This is incorrect. See the following links:
https://supportforums.cisco.com/discussion/11809846/asa-5505-using-nat-allowing-incoming-traffic-https
https://supportforums.cisco.com/discussion/12473551/asa-what-allowing-return-http-traffic
Also, there is a modified version of this question where answers D and F are replaced with "When the firewall
receives a SYN packet" and "When the firewall receives a SYN-ACK packet". The a SYN-ACK packet coming
back from the web server establishes the TCP connection and allows requests to come through, so this is a
correct answer.
QUESTION 154
Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?
A. You must configure two zone pairs, one for each direction.
B. You can configure a single zone pair that allows bidirectional traffic flows for any zone.
C. You can configure a single zone pair that allows bidirectional traffic flows for any zone except the self zone.
D. You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the less
secure zone.
Correct Answer: A
Section: (none)
Explanation
BD
If you want to allow traffic between two zones, such as between the inside zone (using interfaces facing the
inside network) and the outside zone (interfaces facing the Internet or less trusted networks), you must create
a policy for traffic between the two zones, and that is where a zone pair comes into play. A zone pair, which is
just a configuration on the router, is created identifying traffic sourced from a device in one zone and destined
for a device in the second zone. The administrator then associates a set of rules (the policy) for this
unidirectional zone pair, such as to inspect the traffic, and then applies that policy to the zone pair.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
QUESTION 155
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
A. Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in transparent
mode only
B. Only BPDUs from a higher security interface to a lower security interface are permitted in routed mode
C. Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in routed mode
only
D. Only BPDUs from a higher security interface to a lower security interface are permitted in transparent mode
E. ARPs in both directions are permitted in transparent mode only
Correct Answer: E
Section: (none)
Explanation
BD
ARPs are allowed through the transparent firewall in both directions without an ACL. ARP traffic can be
controlled by ARP inspection.
It is missing the only word.
More reading here

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/intro-
fw.html
QUESTION 156
Which statement about the communication between interfaces on the same security level is true?
A. Interfaces on the same security level require additional configuration to permit inter-interface
communication.
B. Configuring interfaces on the same security level can cause asymmetric routing.
C. All traffic is allowed by default between interfaces on the same security level.
D. You can configure only one interface on an individual security level.
Correct Answer: A
Section: (none)
Explanation
BD
By default, if two interfaces are both at the exact same security level, traffic is not allowed between those two
interfaces.
To permit communication between interfaces with equal security levels, or to allow traffic to enter and exit the
same interface, use the same-security-traffic command in global configuration mode.
#same-security-traffic permit {inter-interface | intra-interface} Source: Cisco Official Certification Guide, The
Default Flow of Traffic, p.422 http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/
cmd_ref/s1.html
QUESTION 157
Which IPS mode provides the maximum number of actions?
A. inline
B. promiscuous
C. span
D. failover
E. bypass
Correct Answer: A
Section: (none)
Explanation
BD
The first option is to put a sensor inline with the traffic, which just means that any traffic going through your
network is forced to go in one physical or logical port on the sensor.
Because the sensor is inline with the network, and because it can drop a packet and deny that packet from
ever reaching its final destination (because it might cause harm to that destination), the sensor has in fact just
prevented that attack from being carried out. That is the concept behind intrusion prevention systems (IPS).
Whenever you hear IPS mentioned, you immediately know that the sensor is inline with the traffic, which
makes it possible to prevent the attack from making it further into the network.
Source: Cisco Official Certification Guide, Difference Between IPS and IDS, p.460
QUESTION 158
How can you detect a false negative on an IPS?
A. View the alert on the IPS.

B. Review the IPS log.
C. Review the IPS console.
D. Use a third-party system to perform penetration testing.
E. Use a third-party to audit the next-generation firewall rules.
Correct Answer: D
Section: (none)
Explanation
BD
A false negative, however, is when there is malicious traffic on the network, and for whatever reason the IPS/
IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything
negative is going on. In the case of a false negative, you must use some third-party or external system to alert
you to the problem at hand, such as syslog messages from a network device.
Source: Cisco Official Certification Guide, Positive/Negative Terminology, p.463
QUESTION 159
What is the primary purpose of a defined rule in an IPS?
A. To detect internal attacks

B. To define a set of actions that occur when a specific user logs in to the system
C. To configure an event action that is pre-defined by the system administrator
D. To configure an event action that takes place when a signature is triggered
Correct Answer: D
Section: (none)
Explanation
Brad
Note: I suspect this is one of the questions I answered incorrectly on my exam. I answered C, which is the
answer I have in my study guide. However, things I have seen since have led me to believe the correct answer
is D.
runbuh:
https://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/
cli_event_action_rules.html
The correct answer is D
Event action rules are a group of settings you configure for the event action processing component of the
sensor. These rules dictate the actions the sensor performs when an event occurs.
The event action processing component is responsible for the following functions:
•Calculating the risk rating
•Adding event action overrides
•Filtering event action
•Executing the resulting event action
•Summarizing and aggregating events
•Maintaining a list of denied attackers
QUESTION 160
Which Sourcefire secure action should you choose if you want to block only malicious traffic from a particular
end-user?
A. Allow with inspection

B. Allow without inspection
C. Block
D. Trust
E. Monitor
Correct Answer: A
Section: (none)
Explanation
BD
A file policy is a set of configurations that the system uses to perform advanced malware protection and file
control, as part of your overall access control configuration.
A file policy, like its parent access control policy, contains rules that determine how the system handles files
that match the conditions of each rule. You can configure separate file rules to take different actions for
different file types, application protocols, or directions of transfer.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or
Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the
conditions of the access control rule.
Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-
firepower- module-user-guide-v541/AMP-Config.html
QUESTION 161
How can FirePOWER block malicious email attachments?
A. It forwards email requests to an external signature engine.

B. It scans inbound email messages for known bad URLs.
C. It sends the traffic through a file policy.
D. It sends an alert to the administrator to verify suspicious email messages.
Correct Answer: C
Section: (none)
Explanation
BD
A file policy is a set of configurations that the system uses to perform advanced malware protection and file
control, as part of your overall access control configuration.
A file policy, like its parent access control policy, contains rules that determine how the system handles files
that match the conditions of each rule. You can configure separate file rules to take different actions for
different file types, application protocols, or directions of transfer.
You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or
Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the
conditions of the access control rule.
firepower- module-user-guide-v541/AMP-Config.html
QUESTION 162
You have been tasked with blocking user access to websites that violate company policy, but the sites use
dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
A. Enable URL filtering and create a blacklist to block the websites that violate company policy
B. Enable URL filtering and create a whitelist to allow only the websites the company policy allow users to
access
C. Enable URL filtering and use URL categorization to allow only the websites the company policy allow users
to access
D. Enable URL filtering and use URL categorization to block the websites that violate company policy
E. Enable URL filtering and create a whitelist to block the websites that violate company policy
Correct Answer: D
Section: (none)
Explanation
Brad
Remember: A whitelist does not block URLs, and a blacklist will not always work when a URL uses dynamic IP
addresses.
BD
Each website defined in the URL filtering database is assigned one of approximately 60 different URL
categories. There are two ways to make use of URL categorization on the firewall:
Block or allow traffic based on URL category --You can create a URL Filtering profile that specifies an action
for each URL category and attach the profile to a policy. Traffic that matches the policy would then be subject
to the URL filtering settings in the profile. For example, to block all gaming websites you would set the block
action for the URL category games in the URL profile and attach it to the security policy rule(s) that allow web
access.
See Configure URL Filtering for more information.
Match traffic based on URL category for policy enforcement --If you want a specific policy rule to apply only to
web traffic to sites in a specific category, you would add the category as match criteria when you create the
policy rule. For example, you could use the URL category streaming-media in a QoS policy to apply bandwidth
controls to all websites that are categorized as streaming media. See URL Category as Policy Match Criteria
for more information.
By grouping websites into categories, it makes it easy to define actions based on certain types of websites.
Source: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/url-filtering/url-categories
QUESTION 163
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. Signature updates
B. File reputation
C. Network blocking
D. File analysis
Correct Answer: B
Section: (none)
Explanation
Brad

Note: Most of the dumps indicate A is the correct answer, but answer B has been verified by securitytut users
who have received perfect scores.
QUESTION 164
Which type of encryption technology has the broadest platform support to protect operating systems?
A. software
B. hardware
C. middleware
D. file-level
Correct Answer: A
Section: (none)
Explanation
BD
Much commercial and free software enables you to encrypt files in an end-user workstation or mobile device.
The following are a few examples of free solutions:
+ GPG: GPG also enables you to encrypt files and folders on a Windows, Mac, or Linux system. GPG is free.
+ The built-in MAC OS X Disk Utility: D isk Utility enables you to create secure disk images by encrypting files
with AES 128-bit or AES 256-bit encryption.
+ TrueCrypt: A free encryption tool for Windows, Mac, and Linux systems.
+ AxCrypt: A f ree Windows-only file encryption tool.
+ BitLocker: Full disk encryption feature included in several Windows operating systems.
+ Many Linux distributions such as Ubuntu: A llow you to encrypt the home directory of a user with built-in
utilities.
+ MAC OS X FileVault: Supports full disk encryption on Mac OS X systems.
The following are a few examples of commercial file encryption software:
+ Symantec Endpoint Encryption
+ PGP Whole Disk Encryption
+ McAfee Endpoint Encryption (SafeBoot)
+ Trend Micro Endpoint Encryption
Source: Cisco Official Certification Guide, Encrypting Endpoint Data at Rest, p.501
QUESTION 165
A proxy firewall protects against which type of attack?
A. cross-site scripting attack

B. DDoS attacks
C. port scanning
D. Worm traffic
Correct Answer: A
Section: (none)
Explanation
Brad
Note: There has been some debate on this question recently. If you google "proxy protection DDoS", you will
find a number of results. However, if you read more carefully you will see that the majority of these refer to
proxy servers, not firewalls.
One of the biggest threats from XSS is injection attacks (SQL injection/buffer overflow), and this is one of the
types of attacks that proxy firewalls are designed to protect against.
BD
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS
enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting
vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site
scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by
Symantec as of 2007.
Source: https://en.wikipedia.org/wiki/Cross-site_scripting
A proxy firewall is a network security system that protects network resources by filtering messages at the
application layer. A proxy firewall may also be called an application firewall or gateway firewall. Proxy firewalls
are considered to be the most secure type of firewall because they prevent direct network contact with other
systems.
Source: http://searchsecurity.techtarget.com/definition/proxy-firewall
QUESTION 166
What is the benefit of a web application firewall?
A. It blocks known vulnerabilities without patching applications.

B. It simplifies troubleshooting.
C. It accelerates web traffic.
D. It supports all networking protocols.
Correct Answer: A
Section: (none)
Explanation
BD
A Web Application Firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A
WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web
applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can
prevent attacks stemming from web application security flaws, such as SQL injection, Cross-Site Scripting
(XSS) and security misconfigurations.
Source: https://en.wikipedia.org/wiki/Web_application_firewall
QUESTION 167
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and
sophisticated phishing attacks?
A. contextual analysis
B. holistic understanding of threats
C. graymail management and filtering
D. signature-based IPS
Correct Answer: A
Section: (none)
Explanation
BD
Snowshoe spamming is a strategy in which spam is propagated over several domains and IP addresses to
weaken reputation metrics and avoid filters. The increasing number of IP addresses makes recognizing and
capturing spam difficult, which means that a certain amount of spam reaches their destination email inboxes.
Specialized spam trapping organizations are often hard pressed to identify and trap snowshoe spamming via
conventional spam filters.
The strategy of snowshoe spamming is similar to actual snowshoes that distribute the weight of an individual
over a wide area to avoid sinking into the snow. Likewise, snowshoe spamming delivers its weight over a wide
area to remain clear of filters.
Source: https://www.techopedia.com/definition/1713/snowshoe-spamming Snowshoe spam, as mentioned
above, is a growing concern as spammers distribute spam attack origination across a broad range of IP
addresses in order to evade IP reputation checks. The newest AsyncOS 9 for ESA enables enhanced anti-
spam scanning through contextual analysis and enhanced automation, as well as automatic classification, to
provide a stronger defense against snowshoe campaigns and phishing attacks.
Source: http://blogs.cisco.com/security/cisco-email-security-stays-ahead-of-current-threats-by-adding-stronger-
snowshoe-spam-defense-amp-enhancements-and-more
QUESTION 168
Which NAT type allows only objects or groups to reference an IP address?
A. Static NAT
B. Dynamic NAT
C. Dynamic PAT
D. Identity NAT
Correct Answer: B
Section: (none)
Explanation
runbuh - note that this question has only one answer, while question 184 has two answer, but appear to be the
same question.
Brad
Note: A lot of people are claiming that Dynamic PAT is the correct answer. This is also wrong. When using
dynamic PAT, you can also configure an inline host address or specify the interface address to be assigned to
an IP.
BD
Adding Network Objects for Mapped Addresses

For dynamic NAT, you must use an object or group for the mapped addresses. Other NAT types have the
option of using inline addresses, or you can create an object or group according to this section.
* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group. + The object or group
cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for
dynamic NAT, and then the host IP addresses are used as a PAT fallback.
* Dynamic PAT (Hide):

+ Instead of using an object, you can optionally configure an inline host address or specify the interface
address.
+ If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT
pool, a range; the group (for a PAT pool) can include hosts and ranges.
* Static NAT or Static NAT with port translation:

+ Instead of using an object, you can configure an inline address or specify the interface address (for static
NAT-with-port-translation).
+ If you use an object, the object or group can contain a host, range, or subnet.
* Identity NAT
+ Instead of using an object, you can configure an inline address. + If you use an object, the object must match
the real addresses you want to translate.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
nat_objects.html#61711
QUESTION 169
Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of
an existing address?
A. next IP
B. round robin
C. dynamic rotation
D. NAT address rotation
Correct Answer: B
Section: (none)
Explanation
BD
The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by
default all ports for a PAT address will be allocated before the next PAT address is used. The round-robin
method assigns an address/port from each PAT address in the pool before returning to use the first address
again, and then the second address, and so on.
QUESTION 170
#####################
Crypto ipsec transform-set myset esp-md5-hmac esp-aes-256
####################
What are two effects of the given command? (Choose two.)
A. It configures authentication to use AES 256.

B. It configures authentication to use MD5 HMAC.
C. It configures authorization use AES 256.
D. It configures encryption to use MD5 HMAC.
E. It configures encryption to use AES 256.
Correct Answer: BE
Section: (none)
Explanation
BD
To define a transform set -- an acceptable combination of security protocols and algorithms -- use the crypto
ipsec transform-set global configuration command.
ESP Encryption Transform
+ esp-aes 256: ESP with the 256-bit AES encryption algorithm.
ESP Authentication Transform
+ esp-md5-hmac: ESP with the MD5 (HMAC variant) authentication algorithm. (No longer recommended)
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-
c3.html#wp2590984165
QUESTION 171
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
(Choose three).
A. when a matching TCP connection is found

B. when the firewall requires strict HTTP inspection
C. when the firewall receives a FIN packet
D. when matching ACL entries are configured
E. when the firewall requires HTTP inspection
F. when matching NAT entries are configured
Correct Answer: ADF

Section: (none)
Explanation
Duplicate of question 153 - see that question for the explanation
QUESTION 172
Which Auto NAT policies are processed first ?
A. Dynamic with longest prefix

B. Dynamic with shortest prefix
C. Static with longest prefix
D. Static with shortest prefix
Correct Answer: C
Section: (none)
Explanation
BD
All packets processed by the ASA are evaluated against the NAT table. This evaluation starts at the top
(Section 1) and works down until a NAT rule is matched. Once a NAT rule is matched, that NAT rule is applied
to the connection and no more NAT policies are checked against the packet.
+ Section 1 - Manual NAT policies: These are processed in the order in which they appear in the configuration.
+ Section 2 - Auto NAT policies: These are processed based on the NAT type (static or dynamic) and the prefix
(subnet mask) length in the object.
+ Section 3 - After-auto manual NAT policies: These are processed in the order in which they appear in the
configuration.
Source: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-
firewalls/116388-technote-nat-00.html
QUESTION 173
Which security term refers to a person, property, or data of value to a company?
A. Risk
B. Asset
C. Threat prevention
D. Mitigation technique
Correct Answer: B
Section: (none)
Explanation
BD
This is an exact question from the Cisco Official Certification Guide 210-260.
Source: Cisco Official Certification Guide, Table 1-1 "Do I Know This Already?" Section-to-Question Mapping,
E. 3
QUESTION 174
What's the technology that you can use to prevent non malicious program to run in the computer that is
disconnected from the network?
A. Firewall
B. Software Antivirus
C. Network IPS
D. Host IPS.
Correct Answer: D
Section: (none)
Explanation
QUESTION 175
What command could you implement in the firewall to conceal internal IP address?
A. no source-route
B. no cdp run
C. no broadcast…
D. no proxy-arp
Correct Answer: D
Section: (none)
Explanation
BD
I believe these are not negating commands.
The Cisco IOS software uses proxy ARP (as defined in RFC 1027) to help hosts with no knowledge of routing
determine the media addresses of hosts on other networks or subnets. For example, if the router receives an
ARP request for a host that is not on the same interface as the ARP request sender, and if the router has all of
its routes to that host through other interfaces, then it generates a proxy ARP reply packet giving its own local
data-link address. The host that sent the ARP request then sends its packets to the router, which forwards
them to the intended host. Proxy ARP is enabled by default.
Router(config-if)# ip proxy-arp - Enables proxy ARP on the interface.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfipadr.html#wp1001233
QUESTION 176
Which statement about college campus is true?
A. College campus has geographical position.

B. College campus Hasn`t got internet access.
C. College campus Has multiple subdomains.
D. College campus Has very beautiful girls
Correct Answer: A
Section: (none)
Explanation
QUESTION 177
Which firepower preprocessor block traffic based on IP?
A. Signature-Based
B. Policy-Based
C. Anomaly-Based
D. Reputation-Based
Correct Answer: D
Section: (none)
Explanation
BD
Access control rules within access control policies exert granular control over network traffic logging and
handling. Reputation-based conditions in access control rules allow you to manage which traffic can traverse
your network, by contextualizing your network traffic and limiting it where appropriate. Access control rules
govern the following types of reputation-based control:
+ Application conditions allow you to perform application control, which controls application traffic based on not
only individual applications, but also applications' basic characteristics: type, risk, business relevance,
categories, and tags.
+ URL conditions allow you to perform URL filtering, which controls web traffic based on individual websites, as
well as websites' system-assigned category and reputation.
The ASA FirePOWER module can perform other types of reputation-based control, but you do not configure
these using access control rules. For more information, see:
+ Blacklisting Using Security Intelligence IP Address Reputation explains how to limit traffic based on the
reputation of a connection's origin or destination as a first line of defense.
+ Tuning Intrusion Prevention Performance explains how to detect, track, store, analyze, and block the
transmission of malware and other types of prohibited files.
firepower- module-user-guide-v541/AC-Rules-App-URL-Reputation.html
QUESTION 178
Which command enable ospf authentication on an interface?
A. ip ospf authentication message-digest

B. network 192.168.10.0 0.0.0.255 area 0
C. area 20 authentication message-digest
D. ip ospf message-digest-key 1 md5 CCNA
Correct Answer: A
Section: (none)
Explanation
BD
This question might be incomplete. Both ip ospf authentication message-digest and area 20 authentication
message-digest command enable OSPF authentication through MD5.
Use the ip ospf authentication-key interface command to specify this password. If you enable MD5
authentication with the message-digest keyword, you must configure a password with the ip ospf message-
digest-key interface command.
interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
Source: Cisco Official Certification Guide, Implement Routing Update Authentication on OSPF, p.348 To
enable authentication for an OSPF area, use the area authentication command in router configuration mode.
To remove an authentication specification of an area or a specified area from the configuration, use the no
form of this command.
area area-id authentication [message-digest]
no area area-id authentication [message-digest]
Read more here
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command
Explanation/Reference/fiprrp_r/1rfospf.html An overall guide:

Source: https://supportforums.cisco.com/document/22961/ospf-authentication
QUESTION 179
Which component of CIA triad relate to safe data which is in transit?
A. Confidentiality
B. Integrity
C. Availability
D. Scalability
Correct Answer: B
Section: (none)
Explanation
BD
Integrity: Integrity for data means that changes made to data are done only by authorized individuals/systems.
QUESTION 180
Which command help user1 to use enable,disable,exit&etc commands?
A. catalyst1(config)#username user1 privilege 0 secret us1pass

B. catalyst1(config)#username user1 privilege 1 secret us1pass
C. catalyst1(config)#username user1 privilege 2 secret us1pass
D. catalyst1(config)#username user1 privilege 5 secret us1pass
Correct Answer: A
Section: (none)
Explanation
BD
To understand this example, it is necessary to understand privilege levels. By default, there are three
command levels on the router:
+ privilege level 0 -- Includes the disable, enable, exit, help, and logout commands.
+ privilege level 1 -- Normal level on Telnet; includes all user-level commands at the router> prompt.
+ privilege level 15 -- Includes all enable-level commands at the router# prompt.
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-
system-tacacs-/23383-showrun.html
QUESTION 181
Command ip ospf authentication key 1 is implemented in which level.
A. Interface
B. process
C. global
D. enable
Correct Answer: A
Section: (none)
Explanation
BD
Use the ip ospf authentication-key interface command to specify this password. If you enable MD5
authentication with the message-digest keyword, you must configure a password with the ip ospf message-
digest-key interface command.
ip address 192.168.10.1 255.255.255.0
Source: Cisco Official Certification Guide, Implement Routing Update Authentication on OSPF, p.348 The
OSPFv2 Cryptographic Authentication feature allows you to configure a key chain on the OSPF interface to
authenticate OSPFv2 packets by using HMAC-SHA algorithms. You can use an existing key chain that is being
used by another protocol, or you can create a key chain specifically for OSPFv2.
If OSPFv2 is configured to use a key chain, all MD5 keys that were previously configured using the ip ospf
message-digest-key command are ignored.
Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet0/0/0
Device (config-if)# ip ospf authentication key-chain sample1 Device (config-if)# end
Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iro-
ospfv2-crypto-authen-xe.html
In both cases OSPF and OSPFv1 the ip ospf authentication is inserted at interface level
QUESTION 182
Which line in the following OSPF configuration will not be required for MD5 authentication to work?
####################
ip address 192.168.10.1 255.255.255.0
!
router ospf 65000
router-id 192.168.10.1
area 20 authentication message-digest
network 10.1.1.0 0.0.0.255 area 10
network 192.168.10.0 0.0.0.255 area 0
!
####################
A. ip ospf authentication message-digest

B. network 192.168.10.0 0.0.0.255 area 0
C. area 20 authentication message-digest
D. ip ospf message-digest-key 1 md5 CCNA
Correct Answer: C
Section: (none)
Explanation
BD
E. 342
QUESTION 183
Which of the following pairs of statements is true in terms of configuring MD authentication?
A. Interface statements (OSPF, EIGRP) must be configured; use of key chain in OSPF
B. Router process (OSPF, EIGRP) must be configured; key chain in EIGRP
C. Router process or interface statement for OSPF must be configured; key chain in EIGRP
D. Router process (only for OSPF) must be configured; key chain in OSPF
Correct Answer: C
Section: (none)
Explanation
BD
E. 343
SOURCE: http://www.ciscopress.com/store/ccna-security-210-260-official-cert-guide-9781587205668 (Update
TAB > Download the errata ) < this is updates for cert guide The correct answer changed from "Router process
(only for OSPF) must be configured; key chain in EIGRP" to "Router process or interface statement for OSPF
must be configured; key chain in EIGRP"
QUESTION 184
Which two NAT types allows only objects or groups to reference an IP address? (choose two)
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT
Correct Answer: AC
Section: (none)
Explanation
BD
Adding Network Objects for Mapped Addresses
For dynamic NAT, you must use an object or group for the mapped addresses. Other NAT types have the
option of using inline addresses, or you can create an object or group according to this section.
* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts
and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for
dynamic NAT, and then the host IP addresses are used as a PAT fallback.
* Dynamic PAT (Hide):
+ Instead of using an object, you can optionally configure an inline host address or specify the interface
address.
+ If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT
pool, a range; the group (for a PAT pool) can include hosts and ranges.
* Static NAT or Static NAT with port translation:
+ Instead of using an object, you can configure an inline address or specify the interface address (for static
NAT-with-port-translation).
+ If you use an object, the object or group can contain a host, range, or subnet.
* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.
According to this A seems to be the only correct answer. Maybe C is correct because it allows the use of a
subnet too.
QUESTION 185
What port option in a PVLAN that can communicate with every other port?
A. Promiscuous ports
B. Community ports
C. Ethernet ports
D. Isolate ports
Correct Answer: A
Section: (none)
Explanation
BD
+ Promiscuous -- A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate
with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs
associated to the promiscuous port and associated with the primary VLAN.
+ Isolated -- An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete
isolation from other ports within the same private VLAN domain, except that it can communicate with
associated promiscuous ports
ports communicate with other ports in the same community VLAN and with associated promiscuous ports
CLIConfigurationGuide/PrivateVLANs.html
QUESTION 186
Which are two valid TCP connection states (pick 2) is the gist of the question.
A. SYN-RCVD
B. Closed
C. SYN-WAIT
D. RCVD
E. SENT
Correct Answer: AB
Section: (none)
Explanation
BD
TCP Finite State Machine (FSM) States, Events and Transitions
+ CLOSED: This is the default state that each connection starts in before the process of establishing it begins.
The state is called "fictional" in the standard.
+ LISTEN
+ SYN-SENT
+ SYN-RECEIVED: The device has both received a SYN (connection request) from its partner and sent its own
SYN. It is now waiting for an ACK to its SYN to finish connection setup.
+ ESTABLISHED
+ CLOSE-WAIT
+ LAST-ACK
+ FIN-WAIT-1
+ FIN-WAIT-2
+ CLOSING
+ TIME-WAIT
Source: http://tcpipguide.com/free/t_TCPOperationalOverviewandtheTCPFiniteStateMachineF-2.htm
QUESTION 187
Which of the following commands result in a secure bootset? (Choose all that apply.) This could also be a
question about Cisco IOS Resilient Configuration
A. secure boot-set
B. secure boot-config
C. secure boot-files
D. secure boot-image
Correct Answer: BD
Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/
sec-resil-config.html
Archiving a Router Configuration
This task describes how to save a primary bootset to a secure archive in persistent storage.
SUMMARY STEPS
1. enable
3. secure boot-image
4. secure boot-config
5. end
6. show secure bootset
BD
E. 276
QUESTION 188
What are two well known Security terms? (Choose two)
A. Trojan
B. Phishing
C. Something LC
D. Ransomware
Correct Answer: BD
Section: (none)
Explanation
BD
The following are the most common types of malicious software:
+ Computer viruses
+ Worms
+ Mailers and mass-mailer worms
+ Logic bombs
+ Trojan horses
+ Back doors
+ Exploits
+ Downloaders
+ Spammers
+ Key loggers
+ Rootkits
+ Ransomware
Source: Cisco Official Certification Guide, Antivirus and Antimalware Solutions, p.498 If the question is asking
about software then A and D are correct. But as it asks about security terms that are well known I suppose B
and D could be chosen.
QUESTION 189
What is example of social engineering
A. Gaining access to a building through an unlocked door.

B. something about inserting a random flash drive.
C. gaining access to server room by posing as IT
D. Watching other user put in username and password (something around there)
Correct Answer: C
Section: (none)
Explanation
QUESTION 190
Which port should (or would) be open if VPN NAT-T was enabled
A. port 4500 outside interface
B. port 4500 in all interfaces where ipsec uses
C. port 500
D. port 500 outside interface
Correct Answer: B
Section: (none)
Explanation
BD
NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these protocols to pass through a
device or firewall performing NAT.
Source: https://en.wikipedia.org/wiki/Internet_Key_Exchange
Also a good reference
Source: https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec
QUESTION 191
Diffie-Hellman key exchange question
A. IKE
B. IPSEC
C. SPAN
D. STP
Correct Answer: A
Section: (none)
Explanation
BD
Source: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
QUESTION 192
Which filter uses in Web reputation to prevent from web based attackts? (Choose two)
A. outbreak filter
B. buffer overflow filter
C. bayesian overflow filter
D. web reputation
E. exploit filtering
Correct Answer: AE
Section: (none)
Explanation
BD
wael adel on securitytut.com
"in the EKE answer was AD but when i did some digging
check this out http://www.cisco.com/c/en/us/products/security/web-security-appliance/web_rep_index.html so i
guess A E is correct"
======
I suppose given the question that D is correct. As for A all I find is related to Email security through Cisco
IronPort
Cisco IronPort Outbreak Filters provide a critical first layer of defense against new outbreaks. With this proven
preventive solution, protection begins hours before signatures used by traditional antivirus solutions are in
place. Real-world results show an average 14-hour lead time over reactive antivirus solutions.
SenderBase, the world's largest email and web traffic monitoring network, provides real-time protection. The
Cisco IronPort SenderBase Network captures data from over 120,000 contributing organizations around the
world.
Source: http://www.cisco.com/c/en/us/products/security/email-security-appliance/outbreak_filters_index.html
QUESTION 193
What show command can see vpn tunnel establish with traffic passing through.
A. show crypto ipsec sa

B. show crypto session
C. show crypto isakmp sa
D. show crypto ipsec transform-set
Correct Answer: A
Section: (none)
Explanation
BD
#show crypto ipsec sa - This command shows IPsec SAs built between peers In the output you see
which means packets are encrypted and decrypted by the IPsec peer.
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-
debug-00.html#ipsec_sa
QUESTION 194
Which standard is a hybrid protocol that uses Oakley and Skeme key exchanges in an ISAKMP framework?
A. IPSec
B. SHA
C. DES
D. IKE
Correct Answer: D
Section: (none)
Explanation
BD
The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to
exchange keying material across an insecure connection using the DiffieHellman key exchange algorithm.
The protocol was proposed by Hilarie K. Orman in 1998, and formed the basis for the more widely used
Internet key exchange protocol
Source: https://en.wikipedia.org/wiki/Oakley_protocol
IKE (Internet Key Exchange)
A key management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP
security feature that provides robust authentication and encryption of IP packets. IPSec can be configured
without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for
the IPSec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key
exchange inside of the Internet Security Association and Key Management Protocol (ISAKMP) framework.
ISAKMP, Oakley, and Skeme are security protocols implemented by IKE Source: https://www.symantec.com/
security_response/glossary/define.jsp?letter=i&word=ike-internet-key- exchange
QUESTION 195
What information does the key length provide in an encryption algorithm?
A. the packet size

B. the number of permutations
C. the hash block size
D. the cipher block size
Correct Answer: B
Section: (none)
Explanation
BD
In cryptography, an algorithm's key space refers to the set of all possible permutations of a keys.
If a key were eight bits (one byte) long, the keyspace would consist of 28 or 256 possible keys. Advanced
Encryption Standard (AES) can use a symmetric key of 256 bits, resulting in a key space containing 2256 (or
1.1579 × 1077) possible keys.
Source: https://en.wikipedia.org/wiki/Key_space_(cryptography)
QUESTION 196
Which type of attack is directed against the network directly:
A. Denial of Service
B. phishing
C. trojan horse
D. ...
Correct Answer: A
Section: (none)
Explanation
BD
Denial of service refers to willful attempts to disrupt legitimate users from getting access to the resources they
intend to. Although no complete solution exists, administrators can do specific things to protect the network
from a DoS attack and to lessen its effects and prevent a would-be attacker from using a system as a source
of an attack directed at other systems. These mitigation techniques include filtering based on bogus source IP
addresses trying to come into the networks and vice versa. Unicast reverse path verification is one way to
assist with this, as are access lists. Unicast reverse path verification looks at the source IP address as it comes
into an interface, and then looks at the routing table. If the source address seen would not be reachable out of
the same interface it is coming in on, the packet is considered bad, potentially spoofed, and is dropped.
Source: Cisco Official Certification Guide, Best Practices Common to Both IPv4 and IPv6, p.332
QUESTION 197
With which technology do apply integrity, confidentially and authenticate the source
A. IPSec
B. IKE
C. Certificate authority
D. Data encryption standards
Correct Answer: A
Section: (none)
Explanation
BD
IPsec is a collection of protocols and algorithms used to protect IP packets at Layer 3 (hence the name of IP
Security [IPsec]). IPsec provides the core benefits of confidentiality through encryption, data integrity through
hashing and HMAC, and authentication using digital signatures or using a pre-shared key (PSK) that is just for
the authentication, similar to a password.
Source: Cisco Official Certification Guide, IPsec and SSL, p.97
QUESTION 198
With which type of Layer 2 attack can you intercept traffic that is destined for one host?
A. MAC spoofing
B. CAM overflow....
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
BD
Edit: I'm reconsidering the answer for this question to be A. MAC spoofing.
Cisco implemented a technology into IOS called Port Security that mitigates the risk of a Layer 2 CAM overflow
attack.
Port Security on a Cisco switch enables you to control how the switch port handles the learning and storing of
MAC addresses on a per-interface basis. The main use of this command is to set a limit to the maximum
number of concurrent MAC addresses that can be learned and allocated to the individual switch port.
If a machine starts broadcasting multiple MAC addresses in what appears to be a CAM overflow attack, the
default action of Port Security is to shut down the switch interface Source: http://www.ciscopress.com/articles/
article.asp?p=1681033&seqNum=2
QUESTION 199
I had the "nested" question (wording has been different). Two answers ware related to hierarchy:
A. there are only two levels of hierarchy possible

B. the higher level hierarchy becomes the parent for lower one parent
C. inspect something is only possible with in a hierachy...
D. some command question....
Correct Answer: C
Section: (none)
Explanation
QUESTION 200
How would you verify that TACACS+ is working?
A. SSH to the device and login promt appears
B. loging to the device using enable password
C. login to the device using ASC password
D. console the device using some thing
Correct Answer: A
Section: (none)
Explanation
QUESTION 201
What are two challenges faced when deploying host-level IPS? (Choose Two)
A. The deployment must support multiple operating systems.

B. It does not provide protection for offsite computers.
C. It is unable to provide a complete network picture of an attack.
D. It is unable to determine the outcome of every attack that it detects.
E. It is unable to detect fragmentation attacks.
Correct Answer: AC
Section: (none)
Explanation
BD
Advantages of HIPS: The success or failure of an attack can be readily determined. A network IPS sends an
alarm upon the presence of intrusive activity but cannot always ascertain the success or failure of such an
attack. HIPS does not have to worry about fragmentation attacks or variable Time to Live (TTL) attacks
because the host stack takes care of these issues. If the network traffic stream is encrypted, HIPS has access
to the traffic in unencrypted form.
Limitations of HIPS: There are two major drawbacks to HIPS:
+ HIPS does not provide a complete network picture: Because HIPS examines information only at the local
host level, HIPS has difficulty constructing an accurate network picture or coordinating the events happening
across the entire network.
+ HIPS has a requirement to support multiple operating systems: HIPS needs to run on every system in the
network. This requires verifying support for all the different operating systems used in your network.
Source: http://www.ciscopress.com/articles/article.asp?p=1336425&seqNum=3
QUESTION 202
Which statement about command authorization and security contexts is true?
A. If command authorization is configured, it must be enabled on all contexts

B. The changeto command invokes a new context session with the credentials of the currently logged-in user
C. AAA settings are applied on a per-context basis
D. The enable_15 user and admins with changeto permissions have different command authorization levels
per context
Correct Answer: B
Section: (none)
Explanation
BD
The capture packet function works on an individual context basis. The ACE traces only the packets that belong
to the context where you execute the capture command. You can use the context ID, which is passed with the
packet, to isolate packets that belong to a specific context. To trace the packets for a single specific context,
use the changeto command and enter the capture command for the new context.
To move from one context on the ACE to another context, use the changeto command Only users authorized
in the admin context or configured with the changeto feature can use the changeto command to navigate
between the various contexts. Context administrators without the changeto feature, who have access to
multiple contexts, must explicitly log in to the other contexts to which they have access.
Source: http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/
reference/ACE_cr/execmds.html
* AAA settings are discrete per context, not shared between contexts.
When configuring command authorization, you must configure each context separately.
* New context sessions started with the changeto command always use the default value “enable_15”
username as the administrator identity, regardless of what username was used in the previous context session.
to read more, here’s the link

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
access_management.html#30969
QUESTION 203
What encryption technology has broadest platform support
A. hardware
B. middleware
C. Software
D. File level
Correct Answer: C
Section: (none)
Explanation
QUESTION 204
With which preprocesor do you detect incomplete TCP handshakes
A. ?
B. rate based prevention
C. ?
D. portscan detection
Correct Answer: B
Section: (none)
Explanation
BD
Rate-based attack prevention identifies abnormal traffic patterns and attempts to minimize the impact of that
traffic on legitimate requests. Rate-based attacks usually have one of the following characteristics:
+ any traffic containing excessive incomplete connections to hosts on the network, indicating a SYN flood
attack
+ any traffic containing excessive complete connections to hosts on the network, indicating a TCP/IP
connection flood attack
+ excessive rule matches in traffic going to a particular destination IP address or addresses or coming from a
particular source IP address or addresses.
+ excessive matches for a particular rule across all traffic.
firepower- module-user-guide-v541/Intrusion-Threat-Detection.html
QUESTION 205
Which type of PVLAN port allows a host in the same VLAN to communicate only with promiscuous hosts?
A. Community host in the PVLAN

B. Isolated host in the PVLAN
C. Promiscuous host in the PVLAN
D. Span for host in the PVLAN
Correct Answer: B
Section: (none)
Explanation
BD
+ Promiscuous - The promiscuous port can communicate with all interfaces, including the community and
+ Isolated - This port has complete isolation from other ports within the same private VLAN domain, except that
QUESTION 206
Which type of encryption technology has the broadest platform support to protect operating systems?
A. Middleware
B. Hardware
C. Software
D. File-level
Correct Answer: C
Section: (none)
Explanation
Much commercial and free software enables you to encrypt files in an end-user workstation or
mobile device.
The following are a few examples of free solutions:
+ GPG: GPG also enables you to encrypt files and folders on a Windows, Mac, or Linux system. GPG is
free.
+ The built-in MAC OS X Disk Utility: D isk Utility enables you to create secure disk images by
encrypting files with AES 128-bit or AES 256-bit encryption.
+ TrueCrypt: A free encryption tool for Windows, Mac, and Linux systems.
+ AxCrypt: A f ree Windows-only file encryption tool.
+ BitLocker: Full disk encryption feature included in several Windows operating systems.
+ Many Linux distributions such as Ubuntu: A llow you to encrypt the home directory of a user with
built-in utilities.
+ MAC OS X FileVault: Supports full disk encryption on Mac OS X systems.
The following are a few examples of commercial file encryption software:
+ Symantec Endpoint Encryption
+ PGP Whole Disk Encryption
+ McAfee Endpoint Encryption (SafeBoot)
+ Trend Micro Endpoint Encryption
Source:
Cisco Official Certification Guide, Encrypting Endpoint Data at Rest, p.501
QUESTION 207
The first layer of defense which provides real-time preventive solutions against malicious traffic is provided by?
A. Banyan Filters
B. Explicit Filters
C. Outbreak Filters
D. ?
Correct Answer: C
Section: (none)
Explanation
https://www.cisco.com/c/en/us/products/security/web-security-appliance/web_rep_index.html
QUESTION 208
SSL certificates are issued by Certificate Authority(CA) are?
A. Trusted root
B. Not trusted
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
QUESTION 209
SYN flood attack is a form of ?
A. Reconnaissance attack
B. Denial of Service attack
C. Spoofing attack
D. Man in the middle attack
Correct Answer: B
Section: (none)
Explanation
BD
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a
target's system in an attempt to consume enough server resources to make the system unresponsive to
legitimate traffic.
Source: https://en.wikipedia.org/wiki/SYN_flood
QUESTION 210
The command debug crypto isakmp results in ?
A. Troubleshooting ISAKMP (Phase 1) negotiation problems

B. ?
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
BD
#debug crypto isakmp
This output shows an example of the debug crypto isakmp command.
processing SA payload. message ID = 0
Checking ISAKMP transform against priority 1 policy
encryption 3DES
hash SHA
default group 2
auth pre-share
life type in seconds
life duration (basic) of 240
atts are acceptable. Next payload is 0
processing KE payload. message ID = 0
processing NONCE payload. message ID = 0
processing ID payload. message ID = 0
SKEYID state generated
processing HASH payload. message ID = 0
SA has been authenticated
processing SA payload. message ID = 800032287
Contains the IPsec Phase1 information. You can view the HAGLE (Hash, Authentication, DH Group, Lifetime,
Encryption) process in the output.
QUESTION 211
Which prevent the company data from modification even when the data is in transit?
A. Confidentiality
B. Integrity
C. Viability
D. Scalability
Correct Answer: B
Section: (none)
Explanation
BD
Integrity: Integrity for data means that changes made to data are done only by authorized individuals/systems.
QUESTION 212
The stealing of confidential information of a company comes under the scope of:
A. Reconnaissance
B. Spoofing attack
C. Social Engineering
D. Denial of Service
Correct Answer: C
Section: (none)
Explanation
BD
Social engineering
This is a tough one because it leverages our weakest (very likely) vulnerability in a secure system (data,
applications, devices, networks): the user. If the attacker can get the user to reveal information, it is much
easier for the attacker than using some other method of reconnaissance. This could be done through e-mail or
misdirection of web pages, which results in the user clicking something that leads to the attacker gaining
information. Social engineering can also be done in person or over the phone.
Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13
QUESTION 213
The Oakley cryptography protocol is compatible with following for managing security?
A. IPSec
B. ISAKMP
C. Port security
D. ?
Correct Answer: B
Section: (none)
Explanation
BD
IKE (Internet Key Exchange)
A key management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP
security feature that provides robust authentication and encryption of IP packets. IPSec can be configured
without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for
the IPSec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key
exchange inside of the Internet Security Association and Key Management Protocol (ISAKMP) framework.
ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.
Source: https://www.symantec.com/security_response/glossary/define.jsp?letter=i&word=ike-internet-key-
exchange
QUESTION 214
Unicast Reverse Path Forwarding definition:
A. Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets
B. ?
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
BD
Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is enabled on an
interface, as packets enter that interface the router spends an extra moment considering the source address of
the packet. It then considers its own routing table, and if the routing table does not agree that the interface that
just received this packet is also the best egress interface to use for forwarding to the source address of the
packet, it then denies the packet.
This is a good way to limit IP spoofing.
Source: Cisco Official Certification Guide, Table 10-4 Protecting the Data Plane, p.270
QUESTION 215
The NAT traversal definition:
A. Pending?
B. ?
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
BD
NAT-T (NAT Traversal)
If both peers support NAT-T, and if they detect that they are connecting to each other through a Network
Address Translation (NAT) device (translation is happening), they may negotiate that they want to put a fake
UDP port 4500 header on each IPsec packet (before the ESP header) to survive a NAT device that otherwise
may have a problem tracking an ESP session (Layer 4 protocol 50).
Source: Cisco Official Certification Guide, Table 7-2 Protocols That May Be Required for IPsec, p.153 Also a
good reference
Source: https://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec
QUESTION 216
Man-in-the-middle attack definition:
A. Someone or something is between the two devices who believe they are communicating directly with each
other.
B. ?
C. ?
D. ?
Correct Answer: A
Section: (none)
Explanation
BD
Man-in-the-middle attacks: Someone or something is between the two devices who believe they are
communicating directly with each other. The "man in the middle" may be eavesdropping or actively changing
the data that is being sent between the two parties. You can prevent this by implementing Layer 2 dynamic
ARP inspection (DAI) and Spanning Tree Protocol (STP) guards to protect spanning tree. You can implement it
at Layer 3 by using routing protocol authentication. Authentication of peers in a VPN is also a method of
preventing this type of attack.
Source: Cisco Official Certification Guide, Threats Common to Both IPv4 and IPv6, p.333
QUESTION 217
Which privileged level is ... by default? for user exec mode
A. 0
B. 1
C. 2
D. 5
E. 15
Correct Answer: B
Section: (none)
Explanation
BD
User EXEC mode commands are privilege level 1
Privileged EXEC mode and configuration mode commands are privilege level 15.
Explanation/Reference/fsecur_r/srfpass.html
QUESTION 218
When is "Deny all" policy an exception in Zone Based Firewall
A. traffic traverses 2 interfaces in same zone

B. traffic sources from router via self zone
C. traffic terminates on router via self zone
D. traffic traverses 2 interfaces in different zones
E. traffic terminates on router via self zone
Correct Answer: A
Section: (none)
Explanation
BD
+ There is a default zone, called the self zone, which is a logical zone. For any packets directed to the router
directly (the destination IP represents the packet is for the router), the router automatically considers that traffic
to be entering the self zone. In addition, any traffic initiated by the router is considered as leaving the self zone.
By default, any traffic to or from the self zone is allowed, but you can change this policy.
+ For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones.
+ For interfaces that are members of the same zone, all traffic is permitted by default.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
QUESTION 219
What is true about the Cisco IOS Resilient Configuration Feature?
A. There is additional space required to secure the primary Cisco IOS Image file
B. Remote storage required to save IOS image
C. Can be disabled through a remote session
D. Automatically detects image or configuration version mismatch
Correct Answer: D
Section: (none)
Explanation
BD
The following factors were considered in the design of Cisco IOS Resilient Configuration:
+ The configuration file in the primary bootset is a copy of the running configuration that was in the router when
the feature was first enabled.
+ The feature secures the smallest working set of files to preserve persistent storage space. No extra space is
required to secure the primary Cisco IOS image file.
+ The feature automatically detects image or configuration version mismatch .
+ Only local storage is used for securing files, eliminating scalability maintenance challenges from storing
multiple images and configurations on TFTP servers.
+ The feature can be disabled only through a console session Source: http://www.cisco.com/c/en/us/td/docs/
ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt- book/sec-resil-config.html
QUESTION 220
What are the two characteristics of IPS?
A. Can drop traffic

B. Does not add delay to traffic
C. It is cabled directly inline
D. Can`t drop packets on its own
Correct Answer: AC
Section: (none)
Explanation
BD
+ Position in the network flow: Directly inline with the flow of network traffic and every packet goes through the
sensor on its way through the network.
+ Mode: Inline mode
+ The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from
another device to block future packets just as the IDS does.
Source: Cisco Official Certification Guide, Table 17-2 IDS Versus IPS, p.461
QUESTION 221
What can cause the state table of a stateful firewall to update? (choose two)
A. when connection is created

B. connection timer expired within state table
C. when packet is evaluated against the inbound access list and is ...
D. outbound packets forwarded to inbound interface
E. when rate limiting is applied
Correct Answer: AB
Section: (none)
Explanation
BD
Stateful inspection monitors incoming and outgoing packets over time, as well as the state of the connection,
and stores the data in dynamic state tables. This cumulative data is evaluated, so that filtering decisions would
not only be based on administrator-defined rules, but also on context that has been built by previous
connections as well as previous packets belonging to the same connection.
Entries are created only for TCP connections or UDP streams that satisfy a defined security policy.
In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a certain
period. These stale connections are removed from the state table.
Source: https://en.wikipedia.org/wiki/Stateful_firewall
QUESTION 222
What IPSec mode is used to encrypt traffic between client and server vpn endpoints?
A. tunnel
B. Trunk
C. Aggregated
D. Quick
E. Transport
Correct Answer: E
Section: (none)
Explanation
BD
16.02.2017
@Tullipp on securitytut.com commented:
"the IPSEC Mode question did come up. It has been been very badly worded in the dumps and I knew It cant
be right.
The question that comes in the exam is "between client and server vpn endpoints".
So the keyword here is vpn endpoints. Not the end points like its worded in the dumps.
So the answer is transport mode."
+ IPSec Transport mode is used for end-to-end communications, for example, for communication between a
client and a server or between a workstation and a gateway (if the gateway is being treated as a host). A good
example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
+ IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts only the
data portion (payload) of each packet and leaves the packet header untouched. Transport mode is applicable
to either gateway or host implementations, and provides protection for upper layer protocols as well as selected
IP header fields.
Source: http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html http://www.cisco.com/c/en/us/
td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/ IPsecPG1.html
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:
+ IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be
supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP
packets.
+ IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between
two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so
that only one other IPsec peer can successfully perform the de-encryption. IPmc is not compatible with this
mode of operation.
Source: https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/
ccmigration_09186a008074f26a.pdf
QUESTION 223
Which command is used to verify a VPN connection is operational?
A. sh crypto ipsec sa
B. sh crypto isakmp sa
C. debug crypto isakmp
D. sh crypto session
Correct Answer: A
Section: (none)
Explanation
BD
#show crypto ipsec sa - This command shows IPsec SAs built between peers In the output you see
which means packets are encrypted and decrypted by the IPsec peer.
Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-
debug-00.html#ipsec_sa
QUESTION 224
What is the command to authenticate an NTP time source? (something in those lines)
A. #ntp authentication-key 1 md5 141411050D 7

B. #ntp authenticate
C. #ntp trusted-key 1
D. #ntp trusted-key 2
Correct Answer: B
Section: (none)
Explanation
ntp authentication-key,,,,Defines the authentication keys.

ntp authenticate,,,Enables or disables the NTP authentication feature.
ntp trusted-key #,,, Specifies one or more keys that a time source must provide in its NTP packets in order for
the device to synchronize to it
BD
ntp authentication-key 1 md5 141411050D 7
ntp authenticate
ntp trusted-key 1
ntp update-calendar
ntp server 192.168.1.96 key 1 prefer source FastEthernet0/1
Source: Cisco Official Certification Guide, Example 11-15 Using Authentication via Keys with NTPv3, p.314
QUESTION 225
How can you allow bidirational traffic? (something in those lines)
A. static NAT
B. dynamic NAT
C. dynamic PAT
D. multi-NAT
Correct Answer: A
Section: (none)
Explanation
BD
Bidirectional initiation--Static NAT allows connections to be initiated bidirectionally, meaning both to the host
and from the host.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html
QUESTION 226
Which option is the default value for the DiffieHellman group when configuring a site-to-site VPN on an ASA
device?
A. Group 1
B. Group 2
C. Group 7
D. Group 5
Correct Answer: B
Section: (none)
Explanation
QUESTION 227
What two devices are components of the BYOD architecture framework? (Choose two)
A. Identity Service Engine

B. Cisco 3845 Router
C. Wireless Access Points
D. Nexus 7010 Switch
E. Prime Infrastructure
Correct Answer: AE
Section: (none)
Explanation
https://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/m-en-07282014-byod-security-
architecture.html
The architecture includes the following elements:

●MDM solution: Each time a device attempts to connect, the MDM tool checks to make sure the device is
registered and still complies with security posture. Requirements include an approved OS version, 4-digit PIN,
10-minute timeout, remote wipe enabled, contents encrypted, and antimalware enabled.
●Cisco ISE: After the MDM solution validates that the mobile device complies with security policy; Cisco ISE
applies a more nuanced policy for network access. The policy considers who, where, when, and how the
mobile device is connecting, and what applications it is trying to access. Cisco ISE denies access to devices
that are out of compliance.
●Cisco AnyConnect Secure Mobile Client: Employees who want to access the intranet from trusted devices
need to download AnyConnect from the Cisco eStore. AnyConnect supports a secure connection to Cisco
using IPSec Internet Key Exchange (IKEv2) and Secure Sockets Layer (SSL) protocols. The client connects
through the Cisco Adaptive Security Appliance (ASA) 5585. The ASA authenticates the user and encrypts the
mobile data stream so that it cannot be read if intercepted. After initial authentication, AnyConnect can
reconnect automatically whenever the employee roams to a different network.
●Cisco WSA: We use Cisco WSA to screen all requests for external websites, whether the employee uses a
fixed or mobile device. Cisco WSA evaluates websites based on reputation as well as content. It enforces
Cisco internal security policy by blocking or monitoring access to certain websites or by blocking certain
features such as chat, messaging, video, and audio. Within Cisco, the WSA blocks only about 2 percent of
website requests, but this level amounts to approximately 6 to 7 million requests daily. Most sites are blocked
because of web reputation information, while 2 percent (500,000 daily) are blocked because of malware such
as Trojans or Trojandownloaders.
●Cisco ESA: Cisco ESA screens all mail to Cisco that originates outside of our company, regardless of the
device used to access the email. It blocks email from known spam providers. It also looks for suspicious
content or other email irregularities. Of the 5.6 million emails that Cisco receives daily, almost two-thirds are
blocked. Many are spearphishing emails. About 15 percent of email with some marketing content is allowed
through, but is marked “Marketing” or “Possible Spam” by the Cisco ESA server.
●Cisco Prime™ Infrastructure: We use Cisco Prime Infrastructure to view network connections all the way from
the device to the data center, across wired and wireless networks. End-to-end visibility helps us understand,
troubleshoot, and fix issues that affect the user experience.
●Cisco Prime Service Catalog and Cisco Process Orchestrator: We used these applications to build the Cisco
eStore. Employees visit the eStore to download mobile applications such as Cisco Jabber and Cisco WebEx.
The eStore also automates our provisioning process. This process includes screening for eligibility, generating
an approval request, configuring the mobile device for remote wipe, provisioning the service, and managing the
service lifecycle.
QUESTION 228
Which option is the cloud based security service from Cisco that provides URL filtering web browsing content
security, and roaming user protection?
A. Cloud web security

B. Cloud web Protection
C. Cloud web Service
D. Cloud advanced malware protection
Correct Answer: A
Section: (none)
Explanation
https://www.cisco.com/c/en_au/products/security/cloud-web-security/index.html
QUESTION 229
Which product can be used to provide application layer protection for TCP port 25 traffic?
A. ESA
B. CWS
C. WSA
D. ASA
Correct Answer: A
Section: (none)
Explanation
Official Cert Guide, Chapter 18, p. 477
QUESTION 230
Which two actions can a zone-based firewall take when looking at traffic? (Choose two)
A. Filter
B. Forward
C. Drop
D. Broadcast
E. Inspect
Correct Answer: CE
Section: (none)
Explanation
QUESTION 231
Which label is given to a person who uses existing computer scripts to hack into computers lacking the
expertise to write their own?
A. script kiddy
B. white hat hacker
C. phreaker
D. hacktivist
Correct Answer: A
Section: (none)
Explanation
QUESTION 232
Regarding PVLAN diagram question:
All ports on switch 1 have a primary VLAN of 300. Which devices can host 1 reach?
A. Host 2 (Host is part of community PVLAN).

B. Other devices on VLAN 303 (VLAN were isolated host is connected, in my case it was Host 1).
C. Server
D. Host 4 (Host is part of community PVLAN)
Correct Answer: C
Section: (none)
Explanation
JS
Host 3 is not part of anyh PVLAN. It is also connected to switch.
So, Host 3 was not an option otherwise it could also be an answer.
QUESTION 233
#nat (inside,outside) dynamic interface

Refer to the above. Which translation technique does this configuration result in?
A. static PAT
B. static NAT
C. dynamic PAT
D. dynamic NAT
Correct Answer: C
Section: (none)
Explanation
Mr.W
Configuring Dynamic NAT
nat (inside,outside) dynamic my-range-obj
Configuring Dynamic PAT (Hide)
nat (inside,outside) dynamic interface
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_objects.html
QUESTION 234
Which two characteristics of an application layer firewall are true? (Choose two)
A. provides reverse proxy services

B. is immune to URL manipulation
C. provides protection for multiple applications
D. provides stateful firewall functionality
E. has low processor usage
Correct Answer: AC
Section: (none)
Explanation
Brad
1. supports revers proxy Definitely true
2. is immune to URL manupulation Definitely false
3. supprts multiple application Definitely true
4. provide statefull firewall security
5. saves processing usage.
I'm not sure about the last two.
http://www.ciscopress.com/articles/article.asp?p=1888110
Application Layer Gateways

Application layer firewalls(also calledproxy firewallsorapplication gateways) operate at Layers 3, 4, 5, and 7 of
the OSI model. Proxy services are specific to the protocol that they are designed to forward and can provide
increased access control, provide careful detailed checks for valid data, and generate audit records about the
traffic they transfer. Sometimes, application layer firewalls support only a limited number of applications.
Application layer firewalls offer advantages:
Authenticate individuals, not devices
Make it harder for hackers to spoof and implement denial-of-service (DoS) attacks
Can monitor and filter application data
Can provide detailed logging
The disadvantages are as follows:
Process packets in software
Support a small number of applications
Sometimes require special client software
Are memory- and disk-intensive
QUESTION 235
Which two functions can SIEM provide? (Choose Two)
A. Correlation between logs and events from multiple systems.

B. event aggregation that allows for reduced log storage requirements.
C. proactive malware analysis to block malicious traffic.
D. dual-factor authentication.
E. centralized firewall management.
Correct Answer: AB
Section: (none)
Explanation
BD
Security Information Event Management SIEM
+ Log collection of event records from sources throughout the organization provides important forensic tools
and helps to address compliance reporting requirements.
+ Normalization maps log messages from different systems into a common data model, enabling the
organization to connect and analyze related events, even if they are initially logged in different source formats.
+ Correlation links logs and events from disparate systems or applications, speeding detection of and reaction
to security threats.
+ Aggregation reduces the volume of event data by consolidating duplicate event records.
+ Reporting presents the correlated, aggregated event data in real-time monitoring and long-term summaries.
Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-
businessarchitecture/sbaSIEM_deployG.pdf
QUESTION 236
Within an 802.1X enabled network with the Auth Fail feature configured, when does a switch port get placed
into a restricted VLAN?
A. When user failed to authenticate after certain number of attempts

B. When 802.1X is not globally enabled on the Cisco catalyst switch
C. When AAA new-model is enabled
D. If a connected client does not support 802.1X
E. After a connected client exceeds a specific idle time
Correct Answer: A
Section: (none)
Explanation
QUESTION 237
In which configuration mode do you configure the ip ospf authentication-key 1 command?
A. global
B. priviliged
C. in-line
D. interface
Correct Answer: D
Section: (none)
Explanation
BD
ip ospf authentication-key is used under interface configuration mode, so it's in interface level, under global
configuration mode. If it asks about interface level then choose that.
interface Serial0
ip address 192.16.64.1 255.255.255.0
ip ospf authentication-key c1$c0
QUESTION 238
What is the actual IOS privilege level of User Exec mode?
A. 1
B. 0
C. 5
D. 15
Correct Answer: A
Section: (none)
Explanation
BD
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user
EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of
access to commands, called privilege levels, to meet the needs of your users while protecting the system from
unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted
level, to level 15, which is the least restricted level.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html
QUESTION 239
Which option is a weakness in an information system that an attacker might leverage to gain unauthorized
access to the system or its data?
A. hack
B. mitigation
C. risk
D. vulnerability
E. exploit
Correct Answer: D
Section: (none)
Explanation
BD
vulnerability A flaw or weakness in a system's design or implementation that could be exploited.
Source: CCNA Security 210-260 Official Cert Guide, GLOSSARY, p. 530 20 newq
QUESTION 240
Referring to CIA (confidentiality,Integrity and Availability), where would a hash-only make more sense.
A. Data at Rest
B. Data on File
C. ...
D. ...
Correct Answer: A
Section: (none)
Explanation
QUESTION 241
At which Layer Data Center Operate
A. Data Center
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)
Explanation
QUESTION 242
How can you stop reconnaissance attack with cdp.
A. disable CDP on ports connected to end points (or Disable CPD on edfe ports)
B. enable dot1x on all ports that are connected to other switches
C. disable CDP on trunk ports
D. enable dynamic ARP inspection on all untrusted ports
Correct Answer: A
Section: (none)
Explanation
QUESTION 243
For Protecting FMC what/which is used.
A. AMP
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)
Explanation
QUESTION 244
What ips feature that is less secure among than the other option permit a better throughput ?
A. Promiscuous
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)
Explanation
QUESTION 245
Zone based firewall
A. enable zones first

B. zones must be made before applying interfaces.
C. ...
D. ...
Correct Answer: AB
Section: (none)
Explanation
QUESTION 246
What is the effect of the ASA command crypto isakmp nat-traversal?
A. It opens port 4500 only on the outside interface.

B. It opens port 500 only on the inside interface.
C. It opens port 500 only on the outside interface.
D. It opens port 4500 on all interfaces that are IPSec enabled.
Correct Answer: D
Section: (none)
Explanation
QUESTION 247
####################
local ident (addr/mask/prot/port): …

remote ident (addr/mask/prot/port): …
current_peer: x.x.x.x
#pkts encaps: 7065, #pkts encrypt: 7065, #pkts digest: 7065
#pkts decaps: x (I can’t remember if it was 0),#pkts decrypt: 0, #pkts verify: 0
…..
local crypto endpt.: x.x.x.x remote crypto endpt.: y.y.y.y
####################
While troubleshooting a VPN, you issued the show crypto ipsec sa command. rsaWhy ipsec tunnel is not
working.
A. because the ASA can’t receive packets from remote endpoint

B. the peers are not on the same network subnet
C. udp port 500 it’s blocked (or something similar)
D. …
Correct Answer: A
Section: (none)
Explanation
QUESTION 248
What data is transferred during DH for making public and private key?
A. Random prime Integer

B. Encrypted data transfer
C. Prime integer
D. Random number
Correct Answer: A
Section: (none)
Explanation
QUESTION 249
Which of the following is a DOS attack that is difficult to discover?
A. Syn-flood attack
B. Peer-to-peer attacks
C. Low-rate dos attack
D. Trojan
Correct Answer: C
Section: (none)
Explanation
QUESTION 250
question about show crypto isakmp sa ?
A. Remote peer was not able to encrypt the packet

B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)
Explanation
QUESTION 251
A question about MDM – See question 299.
A. deployed certificates.
B. ...
C. ...
D. ...
Correct Answer: A
Section: (none)
Explanation
QUESTION 252
what causes a client to be placed in a guest or restricted VLAN on an 802.1x enabled network.
A. client entered wrong credentials multiple times.

B. client entered wrong credentials the first time
C. When 802.1X is not globally enabled on the Cisco catalyst switch
D. When AAA new-model is enabled
Correct Answer: A
Section: (none)
Explanation
QUESTION 253
Self zone (2 option)?
A. can be source or destination zone.

B. can be use stateful filtering during multicast.
C. all interfaces will be used for self zone
D. ...
Correct Answer: AB
Section: (none)
Explanation
AC has also been seen
QUESTION 254
Which IDS/IPS is used for monitoring system health and…?
A. HIPS
B. WIPS
C. visibility tool
D. ...
Correct Answer: A
Section: (none)
Explanation
QUESTION 255
Which type of PVLAN port allows a host in the same VLAN to communicate only with promiscuous hosts
A. Community host in the PVLAN

B. Isolated host in the PVLAN
C. Promiscuous host in the PVLAN
D. Span for host in the PVLAN
E.
Correct Answer: B
Section: (none)
Explanation
+ Promiscuous – The promiscuous port can communicate with all interfaces, including the community and
+ Isolated – This port has complete isolation from other ports within the same private VLAN domain, except
that
+ Community — A community port is a host port that belongs to a community secondary VLAN. Community
QUESTION 256
Which type of PVLAN port allows communication from all port types?
A. Community
B. Promiscuous
C. In-line
D. Isolated
Correct Answer: B
Section: (none)
Explanation

+ Promiscuous – The promiscuous port can communicate with all interfaces, including the community and
+ Isolated – This port has complete isolation from other ports within the same private VLAN domain, except
that
+ Community — A community port is a host port that belongs to a community secondary VLAN. Community
QUESTION 257
Which type of Layer 2 attack enables the attacker to intercept traffic that is intended for one specific recipient?
A. BPDU attack
B. DHCP Starvation
C. CAM table overflow
D. MAC address spoofing
Correct Answer: D
Section: (none)
Explanation
QUESTION 258
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco

B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
Parser view li-view inclusive
Correct Answer: C
Section: (none)
Explanation
QUESTION 259
Which two NAT types allows only objects or groups to reference an IP address? (choose two)
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT
Correct Answer: AC
Section: (none)
Explanation
QUESTION 260
Which IOS command do you enter to test authentication against a AAA server?
A. dialer aaa suffix <suffix> password <password>

B. ppp authentication chap pap test
C. aaa authentication enable default test group tacacs+
D. test aaa-server authentication dialergroup username <user> password
Correct Answer: D
Section: (none)
Explanation
QUESTION 261
Which option is a characteristic of the RADIUS protocol
A. uses TCP
B. offers multiprotocol support
C. combines authentication and authorization in one process
D. supports bi-directional challenge
Correct Answer: C
Section: (none)
Explanation
QUESTION 262
What are characteristics of the Radius Protocol? choose Two
A. Uses TCP port 49

B. Uses UDP Port 49
C. Uses TCP 1812/1813
D. Uses UDP 1812/1813
E. Comines authentication and authorization
Correct Answer: DE
Section: (none)
Explanation
QUESTION 263
Which aaa accounting command is used to enable logging of the start and stop records for user terminal
sessions on the router?
A. aaa accounting network start-stop tacacs+

B. aaa accounting system start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+
Correct Answer: C
Section: (none)
Explanation
QUESTION 264
Which quantifiable item should you consider when your organization adopts new technologies?
A. theats
B. vulnerability
C. risk
D. exploits
Correct Answer: C
Section: (none)
Explanation
QUESTION 265
what are the quantifiable things you would verify before introducing new technology in your company?
A. theats
B. vulnerability
C. risk
D. exploits
Correct Answer: C
Section: (none)
Explanation
QUESTION 266
Protocols supported in contest aware VRF over VRF lite? (2 choices)
A. EIGRP
B. Multicast
C. OSPF
D. UNICAST
Correct Answer: AB
Section: (none)
Explanation
QUESTION 267
Which three ESP fields can be encrypted during transmission?
A. Security Parameter Index

B. Sequence Number
C. MAC Address
D. Padding
E. Pad Length
F. Next Header
Correct Answer: DEF

Section: (none)
Explanation
BD
The packet begins with two 4-byte fields (Security Parameters Index (SPI) and Sequence Number). Following
these fields is the Payload Data, which has substructure that depends on the choice of encryption algorithm
and mode, and on the use of TFC padding, which is examined in more detail later. Following the Payload Data
are Padding and Pad Length fields, and the Next Header field. The optional Integrity Check Value (ICV) field
completes the packet.
Source: https://tools.ietf.org/html/rfc4303#page-14
QUESTION 268
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router?
(Choose two.)
A. syslog
B. SDEE
C. FTP
D. TFTP
E. SSH
F. HTTPS
Correct Answer: BF
Section: (none)
Explanation
QUESTION 269
Which two characteristics apply to an Intrusion Prevention System (IPS) ? (Choose two)
A. Does not add delay to the original traffic.

B. Cabled directly inline with the flow of the network traffic.
C. Can drop traffic based on a set of rules.
D. Runs in promiscuous mode.
E. Cannot drop the packet on its own
Correct Answer: BC
Section: (none)
Explanation
QUESTION 270
When is the default deny all policy an exception in zone-based firewalls?
A. When traffic sources from the router via the self zone
B. When traffic traverses two interfaces in the same zone
C. When traffic terminates on the router via the self zone
D. When traffic traverses two interfaces in different zones
Correct Answer: B
Section: (none)
Explanation
QUESTION 271
Which NAT option is executed first during in case of multiple NAT translations
A. dynamic nat with shortest prefix

B. dynamic nat with longest prefix
C. static nat with shortest prefix
D. static nat with longest prefix
Correct Answer: D
Section: (none)
Explanation
QUESTION 272
Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)
A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
B. authenticating administrator access to the router console port, auxiliary port, and vty ports
C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates
D. tracking Cisco NetFlow accounting statistics
E. securing the router by locking down all unused services
F. performing router commands authorization using TACACS+
Correct Answer: ABF

Section: (none)
Explanation
QUESTION 273
What type of address translation supports the initiation of communications bidirectionally
A. multi-session PAT
B. Static NAT
C. Dynamic PAT
D. Dynamic NAT.
Correct Answer: B
Section: (none)
Explanation
QUESTION 274
Which two features are supported in a VRF-aware software infrastructure before VRF-lite? (Choose two)
A. priority queuing
B. EIGRP
C. multicast
D. WCCP
E. fair queuing
Correct Answer: BC
Section: (none)
Explanation
QUESTION 275
Which two characteristics of the TACACS+ protocol are true? (Choose two.)
A. uses UDP ports 1645 or 1812

B. separates AAA functions
C. encrypts the body of every packet
D. offers extensive accounting capabilities
E. is an open RFC standard protocol
Correct Answer: BC
Section: (none)
Explanation
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder
of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can
be captured by a third party. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+
header. Within the header is a field that indicates whether the body is encrypted or not. For debugging
purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body
of the packet is fully encrypted for more secure communications. Authentication and Authorization RADIUS
combines authentication and authorization. The access- accept packets sent by the RADIUS server to the
client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that
can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use
Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos
server, it requests authorization information from a TACACS+ server without having to re-authenticate. The
NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server
then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+
server to determine if the user is granted permission to use a particular command. This provides greater
control over the commands that can be executed on the access server while decoupling from the
authentication mechanism.
QUESTION 276
Which two options are advantages of an application layer firewall? (Choose two.)
A. provides high-performance filtering
B. makes DoS attacks difficult
C. supports a large number of applications
D. authenticates devices
E. authenticates individuals
Correct Answer: BE
Section: (none)
Explanation
http://www.ciscopress.com/articles/article.asp?p=1888110
Application Layer Gateways
Application layer firewalls(also calledproxy firewallsorapplication gateways) operate at Layers 3, 4, 5, and 7 of
the OSI model. Proxy services are specific to the protocol that they are designed to forward and can provide
Application layer firewalls offer advantages:
Authenticate individuals, not devices
Make it harder for hackers to spoof and implement denial-of-service (DoS) attacks
Can monitor and filter application data
Can provide detailed logging
The disadvantages are as follows:
Process packets in software
Support a small number of applications
Sometimes require special client software
Are memory- and disk-intensive
QUESTION 277
Which ports need to be active for AAA server to integrate with Microsoft AD
A. 445 & 8080

B. 443 & 389
C. 445 & 389
D. 443 & 8080
Correct Answer: C
Section: (none)
Explanation
QUESTION 278
Which IPS mode is less secure than other options but allows optimal network throughput?
A. promiscuous mode
B. inline mode
C. inline-bypass mode
D. transparent mode
Correct Answer: A
Section: (none)
Explanation
QUESTION 279
Which ids/ips solution can monitor system processes and resources?
A. IDS
B. HIPS
C. proxy
D. IPS
Correct Answer: B
Section: (none)
Explanation
QUESTION 280
What IPSec mode is used to encrypt traffic between client / server and vpn endpoints?
A. tunnel
B. Trunk
C. Aggregated
D. Quick
E. Transport
Correct Answer: E
Section: (none)
Explanation
QUESTION 281
Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?
A. nested object-class
B. class-map
C. extended wildcard matching
D. object groups
Correct Answer: D
Section: (none)
Explanation
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/objectgroups.html Information About
Object Groups
By grouping like objects together, you can use the object group in an ACE instead of having to enter an ACE
for each object separately. You can create the following types of object groups:
+ Protocol
+ Network
+ Service
+ ICMP type
For example, consider the following three object groups:
MyServices–Includes the TCP and UDP port numbers of the service requests that are allowed access to the
internal network.
TrustedHosts–Includes the host and network addresses allowed access to the greatest range of services and
servers.
PublicServers–Includes the host addresses of servers to which the greatest access is provided. After creating
these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of
public servers.
You can also nest object groups in other object groups.
QUESTION 282
Which statement is a benefit of using Cisco IOS IPS?
A. It uses the underlying routing infrastructure to provide an additional layer of security.

B. It works in passive mode so as not to impact traffic flow.
C. It supports the complete signature database as a Cisco IPS sensor appliance.
D. The signature database is tied closely with the Cisco IOS image.
Correct Answer: A
Section: (none)
Explanation
QUESTION 283
Which statement about zone-based firewall configuration is true?
A. Traffic is implicitly denied by default between interfaces the same zone

B. Traffic that is desired to or sourced from the self-zone is denied by default
C. The zone must be configured before it can be assigned
D. You can assign an interface to more than one interface
Correct Answer: C
Section: (none)
Explanation
QUESTION 284
What technology can you use to provide data confidentiality, data integrity and data origin authentication on
your network?
A. Certificate Authority
B. IKE
C. IPSec
D. Data Encryption Standards
Correct Answer: C
Section: (none)
Explanation
QUESTION 285
With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router
when some of the router interfaces are assigned to a zone? (Choose three.)
A. traffic flowing between a zone member interface and any interface that is not a zone member
B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD

Section: (none)
Explanation
QUESTION 286
Which two statements about self-zone on cisco zone based firewall are true? (Choose two)
A. More than one interface can be assigned to the same zone.

B. Only one interface can be in a given zone.
C. An interface can only be in one zone.
D. An interface can be a member of multiple zones.
E. Every device interface must be a member of a zone.
Correct Answer: AC
Section: (none)
Explanation
QUESTION 287
Which two statements about the self zone on Cisco zone based policy firewall are true ? (Choose two)
A. multiple interfaces can be assigned to the self zone .

B. traffic entering the self zone must match a rule.
C. zone pairs that include the self zone apply to traffic transiting the device.
D. it can be either the source zone or destination zone .
E. it supports stateful inspection for multicast traffic
Correct Answer: AD
Section: (none)
Explanation
Some have said it is E vs D. Need to research
runbuh:
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
This eliminates E
"Neither Cisco IOS ZFW or Classic Firewall include stateful inspection support for multicast traffic."
Rules For Applying Zone-Based Policy Firewall
Router network interfaces’ membership in zones is subject to several rules that govern interface behavior, as is
the traffic moving between zone member interfaces:
A zone must be configured before interfaces can be assigned to the zone.
An interface can be assigned to only one security zone.
All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except
traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be
configured between that zone and any other zone.
The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until
traffic is explicitly denied.
Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass,
inspect, and drop actions can only be applied between two zones.
Interfaces that have not been assigned to a zone function as classical router ports and might still use classical
stateful inspection/CBAC configuration.
If it is required that an interface on the box not be part of the zoning/firewall policy. It might still be necessary to
put that interface in a zone and configure a pass all policy (sort of a dummy policy) between that zone and any
other zone to which traffic flow is desired.
From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must
be part of the zoning model (each interface must be a member of one zone or another).
The only exception to the preceding deny by default approach is the traffic to and from the router, which will be
permitted by default. An explicit policy can be configured to restrict such traffic.
QUESTION 288
You are the security administrator for a large enterprise network with many remote locations. You have been
given the assignment to deploy a Cisco IPS solution.
Where in the network would be the best place to deploy Cisco IOS IPS?
A. Inside the firewall of the corporate headquarters Internet connection

B. At the entry point into the data center
C. Outside the firewall of the corporate headquarters Internet connection
D. At remote branch offices
Correct Answer: D
Section: (none)
Explanation
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/
product_data_sheet0900aecd803137cf.html
Product Overview
In today's business environment, network intruders and attackers can come from outside or inside
the network.
They can launch distributed denial-of-service attacks, they can attack Internet connections, and they
can exploit network and host vulnerabilities. At the same time, Internet worms and viruses can
spread across the world in a matter of minutes. There is often no time to wait for human
intervention-the network itself must possess the intelligence to recognize and mitigate these attacks,
threats, exploits, worms and viruses.
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based solution that
enables Cisco IOS Software to effectively mitigate a wide range of network attacks. While it is
common practice to defend against attacks by inspecting traffic at data centers and corporate
headquarters, distributing the network level defense to stop malicious traffic close to its entry point
at branch or telecommuter offices is also critical.
Cisco IOS IPS: Major Use Cases and Key Benefits
IOS IPS helps to protect your network in 5 ways (as seen in the figure below):
Key Benefits:
• Provides network-wide, distributed protection from many attacks, exploits, worms and viruses
exploiting vulnerabilities in operating systems and applications.
• Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as
small and medium-sized business networks.
• Unique, risk rating based signature event action processor dramatically improves the ease of
management of IPS policies.
• Offers field-customizable worm and attack signature set and event actions.
• Offers inline inspection of traffic passing through any combination of router LAN and WAN
interfaces in both directions.
• Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security
features to protect the router and networks behind the router.
• Supports more than 3700 signatures from the same signature database available for Cisco Intrusion
Prevention System (IPS) appliances.
QUESTION 289
What are two uses of SIEM software? (Choose two.)
A. correlation between logs and events from multiple sys

B. event aggregation that allows reduced logs storage
C. combined management access to firewalls
D. …
Correct Answer: AB
Section: (none)
Explanation
This is the same question but has different available answers.
QUESTION 290
What do you use when you have a network object or group and want to use an IP address?
A. static nat
B. dynamic nat
C. identity nat
D. static pat
Correct Answer: B
Section: (none)
Explanation
QUESTION 291
Which type of address translation should be used when a cisco asa is in transparent mode?
A. static nat
B. dynamic nat
C. overload
D. dynamic pat
Correct Answer: A
Section: (none)
Explanation
Section: (none)
Explanation
+ Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT.
Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/
cfgnat.html#wp1102744%0A
QUESTION 292
Which command do you enter to enable authentication for OSPF on an interface?
A. router(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS

B. router(config-router)#area 0 authentication message-digest
C. router(config-router)#ip ospf authentication-key CISCOPASS
D. router(config-if)#ip ospf authentication message-digest
Correct Answer: D
Section: (none)
Explanation
QUESTION 293
Which IPS detection method can you use to detect attacks that is based on the attackers IP address?
A. policy-based
B. anomaly-based
C. reputation-based
D. signature-based
Correct Answer: C
Section: (none)
Explanation
QUESTION 294
Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional
IPS wizard? (Choose four.)
A. Select the interface(s) to apply the IPS rule.

B. Select the traffic flow direction that should be applied by the IPS rule.
C. Add or remove IPS alerts actions based on the risk rating.
D. Specify the signature file and the Cisco public key.
E. Select the IPS bypass mode (fail-open or fail-close).
F. Specify the configuration location and select the category of signatures to be applied to the selected
interface(s).
Correct Answer: ABDF

Section: (none)
Explanation
QUESTION 295
What feature defines a campus area network?
A. it has a single geographic location

B. it has a limited or restricted internet access
C. it has a limited number of segments
D. it lacks external connectivity
Correct Answer: A
Section: (none)
Explanation
QUESTION 296
Which Firepower Management Center feature detects and blocks exploits and hack attempts?
A. intrusion prevention
B. advanced malware protection (AMP)
C. content blocker
D. file control
Correct Answer: A
Section: (none)
Explanation
I think the answer is A. See the Table 24-1 in the link below. Quite a few references cite AMP being the correct
answer.
https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-
module-user-guide-v541/AMP-Config.pdf
QUESTION 297
When CISCO IOS zone-based policy firewall is configured, which three actions can be applied to a traffic
class? (Choose three)
A. pass
B. police
C. inspect
D. drop
E. queue
F. shape
Correct Answer: ACD

Section: (none)
Explanation
QUESTION 298
Which type of social-engineering attacks uses normal telephone service as the attack vector?
A. vishing
B. phising
C. smishing
D. war dialing
Correct Answer: A
Section: (none)
Explanation
QUESTION 299
Which is a key security component of MDM deployment?
A. Using network-specific installer package

B. Using self-signed certificates to validate the server – generate self-signed certificate to connect to server
(Deployed certificates ;Issued certificate to the server likely)
C. Using application tunnel
D. Using MS-CHAPv2 as primary EAP method
Correct Answer: B
Section: (none)
Explanation
QUESTION 300
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security
level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the
outside interface with a security level of 0.
By default, without any access list configured, which five types of traffic are permitted? (Choose five.)
A. outbound traffic initiated from the inside to the DMZ

B. outbound traffic initiated from the DMZ to the outside
C. outbound traffic initiated from the inside to the outside
D. inbound traffic initiated from the outside to the DMZ
E. inbound traffic initiated from the outside to the inside
F. inbound traffic initiated from the DMZ to the inside
G. HTTP return traffic originating from the inside network and returning via the outside interface
H. HTTP return traffic originating from the inside network and returning via the DMZ interface
I. HTTP return traffic originating from the DMZ network and returning via the inside interface
J. HTTP return traffic originating from the outside network and returning via the inside interface
Correct Answer: ABCGH

Section: (none)
Explanation
QUESTION 301
Which IOS command is used to define the authentication key for NTP?
A. Switch(config)#ntp authentication-key 1 md5 C1sc0

B. Switch(config)#ntp authenticate
C. Switch(config)#ntp source 192.168.0.1
D. Switch(config)#ntp trusted-key 1
Correct Answer: A
Section: (none)
Explanation
QUESTION 302
Which feature allow from dynamic NAT pool to choose the next IP address and not a port on a used IP
address?
A. next IP
B. round robin
C. dynamic rotation
D. dynamic PAT rotation
Correct Answer: B
Section: (none)
Explanation
QUESTION 303
When AAA login authentication is configured on Cisco routers, which two authentication methods should be
used as the final method to ensure that the administrator can still log in to the router in case the external AAA
server fails? (Choose two.)
A. group RADIUS
B. group TACACS+
C. local
D. krb5
E. enable
F. if-authenticated
Correct Answer: CE
Section: (none)
Explanation
QUESTION 304
On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?
A. used for SSH server/client authentication and encryption

B. used to verify the digital signature of the IPS signature file
C. used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate
the ISR when accessing it using Cisco Configuration
Professional
D. used to enable asymmetric encryption on IPsec and SSL VPNs
E. used during the DH exchanges on IPsec VPNs
Correct Answer: B
Section: (none)
Explanation
QUESTION 305
Which two features of Cisco Web Reputation tracking can mitigate web-based threats? (Choose Two)
A. outbreak filter
B. buffer overflow filter
C. bayesian filter
D. web reputation filter
E. exploit filtering
Correct Answer: AE
Section: (none)
Explanation
This one is a bit tricky aswell .. I think Exploit filtering should be one of the answers.
https://www.cisco.com/c/en/us/products/security/web-security-appliance/web_rep_index.html
QUESTION 306
Which type of attach can exploit design flaws in the implementation of an application without going noticed?
A. volume-based DDoS attacks

B. application DDoS flood attacks
C. DHCP starvation attacks
D. low-rate DDoS attacks
Correct Answer: D
Section: (none)
Explanation
QUESTION 307
Which option is the resulting action in a zone-based policy firewall configuration with these conditions?
####################
source: zone1
destination: zone2
zone pair exists? Yes
policy exists? No
####################
A. no impact to zoning or policy

B. no policy lookup (pass)
C. drop
D. apply default policy
Correct Answer: C
Section: (none)
Explanation
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-zone-pol- fw.html
Zone Pairs
A zone pair allows you to specify a unidirectional firewall policy between two security zones.
To define a zone pair, use the zone-pair security command. The direction of the traffic is specified by source
and destination zones. The source and destination zones of a zone pair must be security zones.
You can select the default or self zone as either the source or the destination zone. The self zone is a
systemdefined zone which does not have any interfaces as members. A zone pair that includes the self zone,
along with the associated policy, applies to traffic directed to the device or traffic generated by the device. It
does not apply to traffic through the device.
The most common usage of firewall is to apply them to traffic through a device, so you need at least two zones
(that is, you cannot use the self zone).
To permit traffic between zone member interfaces, you must configure a policy permitting (or inspecting) traffic
between that zone and another zone. To attach a firewall policy map to the target zone pair, use the
servicepolicy type inspect command.
The figure below shows the application of a firewall policy to traffic flowing from zone Z1 to zone Z2, which
means that the ingress interface for the traffic is a member of zone Z1 and the egress interface is a member of
zone Z2.
Figure 2. Zone Pairs
If there are two zones and you require policies for traffic going in both directions (from Z1 to Z2 and Z2 to Z1),
you must configure two zone pairs (one for each direction).
If a policy is not configured between zone pairs, traffic is dropped. However, it is not necessary to configure a
zone pair and a service policy solely for the return traffic. By default, return traffic is not allowed. If a service
policy inspects the traffic in the forward direction and there is no zone pair and service policy for the return
traffic, the return traffic is inspected. If a service policy passes the traffic in the forward direction and there is no
zone pair and service policy for the return traffic, the return traffic is dropped. In both these cases, you need to
configure a zone pair and a service policy to allow the return traffic. In the above figure, it is not mandatory that
you configure a zone pair source and destination for allowing return traffic from Z2 to Z1. The service policy on
Z1 to Z2 zone pair takes care of it.
QUESTION 308
####################
Router#show crypto ipsec sa

Interface: fastethernet0
Crypto map tag: SUM_CMAP _1, local addr 172.1.17.1.1
Protected vrf: (none)
Local idnet (addr/mask/prot/port) : (10.40.20.0/255.255.255.0/0/0)
Remote ident (addr/mask/prot/port) : (10.50.30.0/255.255.255.0/0/0)
Current_peer 192.168.1.1 port 500
PERMIT, flags=(origin_is_acl,)
#pkts encaps: 68, #pkts encrypt: 68, #pkts digest: 68

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
####################
For which reason is the tunnel unable to pass traffic?
A. UDP port 500 is blocked.

B. The IP address of the remote peer is incorrect.
C. The tunnel is failing to receive traffic from the remote peer.
D. The local peer is unable to encrypt the traffic.
Correct Answer: C
Section: (none)
Explanation
QUESTION 309
Which description of the nonsecret numbers that are used to start a Diffie-Hellman exchange is true?
A. They are large pseudorandom numbers.

B. They are very small numbers chosen from a table of known values
C. They are numeric values extracted from hashed system hostnames.
D. They are preconfigured prime integers
Correct Answer: D
Section: (none)
Explanation
QUESTION 310
Using a stateful Packet firewall and given an inside ACL entry of permit ip 192.16 1.0 0.0.0.255 any, what
would be the resulting dynamically configured ACL for the return traffic on the outside ACL?
A. permit tcp host 172.16.16.10 eq 80 host 192.168.1.11 eq 2300

B. permit ip 172.16.16.10 eq 80 192.168.1.0 0.0.0.255 eq 2300
C. permit tcp any eq 80 host 192 168.1.11 eq 2300
D. permit ip host 172.16.16.10 eq 80 host 192.168.1.0 0.0.0.255 eq 2300
Correct Answer: A
Section: (none)
Explanation
QUESTION 311
####################
Oct 13 19:46:06.170: AAA/MEMORY: create_user (0x4C5E1F60)user=”tecteam”

ruser=’NULL’ ds0=0 port=’tty515’ rern_addr=’10.0.2.13'autthen_type=ASCII
service=ENABLE priv=15 initial_task_id= 0 , vrf=(id=0)
Oct 13 19:46:06.170: AAA/AUTHEN/START(2600878790): port=’tty515' list=
action= LOGIN service=ENABLE
Oct 13 19:46:06.170: AAA/AUTHEN/START(2600878790): console enable - default to
Enable password (if any)
Oct 13 19:46:06.170: AAA/AUTHEN/START(2600878790): Method= ENABLE
Oct 13 19:46:06.170: AAA/AUTHEN(2600878790):status=GETPASS
Oct 13 19:46:07.266: AAA/Al ITHEN/CONT(2600878790):contintie_login
(user=:’(undef)’)
Oct 13 19:46:07.266: AAA/AUTHEN(2600878790):status=GETPASS
Oct 13 19:46:07.266: AAA/AUTHEN/CONT(2600878790):Method=ENABLE
Oct 13 19:46:07.266: AAA/AUTHEN(2600878790):password incorrect
Oct 13 19:46:07.266: AAA/AUTHEN(2600878790):status=FAIL
Oct 13 19:46:07.266: AAA/MEMORY:free_user(0x4C5E1F60)user=’NULL’
ruser=’NULL’ port=’tty515' rem_addr=’10.0.2.13'authen_type=ASCII service=ENABLE
priv=15 vrf=(id=0)
####################
Which statement about this output is true?
A. The user logged into the router with the incorrect username and password.
B. The login failed because there was no default enable password.
C. The login failed because the password entered was incorrect.
D. The user logged in and was given privilege level 15.
Correct Answer: C
Section: (none)
Explanation
QUESTION 312
Refer to the below.
####################
Routerg# debug tacacs

14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source
10.116.0.79
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15
(AUTHEN/START)
14:00:09: TAC+. Receiving TCP/IP packet number 383258052-2 from 192.168.60.15
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15
(AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00 :14: TAC+ : send AUTHEN/CONT packet
14:00:14: TAC+ : Sending TCP/IP packet number 383258052-5 to 192.168.60.15
(AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: T.AC+ : Closing TCP/IP connection to 192.168.60.15
####################
Which statement about this debug output is true?
A. The requesting authentication request came from username GETUSER.

B. The TACACS+ authentication request came from a valid user.
C. The TACACS+ authentication request passed, but for some reason the user's connection was
closed immediately.
D. The initiating connection request was being spoofed by a different source address.
Correct Answer: B
Section: (none)
Explanation
QUESTION 313
What is symmetric encryption? (Choose two)
A. it faster the asymmetric

B. it slower then asymmetric
C. use the certificate
D. use key pair to encript
E. uses the same key to encript and decrypt
Correct Answer: AE
Section: (none)
Explanation
Have seen references to only choosing one answer, and Tut posts have said A would be the correct answer.
QUESTION 314
Which command is to make sure that AAA Authentication is configured and to make sure that user can access
the exec level to configure?
A. AAA authentication enable default local

B. AAA authentication enable local
C. AAA authentication enable tacacs+ default
D. ……..
Correct Answer: A
Section: (none)
Explanation
Some questions were listed as Privilege level vs Exec level, is this the same?whi
QUESTION 315
Which primary security attributes can be achieved by BYOD Architecture?
A. Trusted enterprise network

B. public wireless network
C. checking compliance with policy
D. pushing patches
Correct Answer: AC
Section: (none)
Explanation
I think this supports A & C, and rules out B. Might rule out D, too.
https://www.cisco.com/c/en/us/solutions/collateral/enterprise/cisco-on-cisco/m-en-07282014-byod-security-
architecture.html
We Care About Three Things for BYOD Security
1 - Data That Is Stored or Entered on the Device
To secure email, contacts, and other data at rest, we use the native encryption in each device’s operating
system. One reason is that we know native encryption works. We enforce the use of a PIN to unlock the device
and to enable remote wiping of content.
2 - Secure Access to the Cisco Network
To connect to the intranet, employees need the Cisco AnyConnect Secure Mobility Client, available in the
Cisco eStore. Cisco AnyConnect automatically sets up a secure VPN connection whenever an employee
opens other applications, such as the browser, Cisco Jabber, or Cisco WebEx Social. AnyConnect launches in
only 1-2 seconds, without the employee having to log in. This capability makes the user experience as simple
as it would be without a VPN connection.
3 – Maintaining the Device’s Compliance with Policy
It’s one thing to make sure a device is compliant when employees register them. It’s another to make sure they
maintain their integrity over time. For example, clicking a link to a malicious website could infect the device by
depositing malware that exfiltrates data. It could result in a poor user experience by slowing performance or
displaying unwanted ads. Or it could result in hackers locking data and refusing to unlock it until they receive
payment. We protect personal devices from malware the same way we protect company-owned devices. That
is, we use Cisco Web Security Appliance (WSA) to block access to websites. We use Cisco Email Security
Appliance (ESA) to block spam that can contain malware.
Currently, we’re working on a fourth BYOD security capability. We will control access based on device identity,
connection type, and network access privilege. Cisco Identity Services Engine (ISE) is the technology behind
this capability.
QUESTION 316
A user reports difficulties accessing certain external web pages, When examining traffic to and from the
external domain in full packet captures, you notice many SYNs that have the same sequence number, source,
and destination IP address, but have different payloads.
Which problem is a possible explanation of this situation?
A. insufficient network resources

B. failure of full packet capture solution
C. misconfiguration of web filter
D. TCP injection
Correct Answer: D
Section: (none)
Explanation
QUESTION 317
Which of the following are IKE modes? (choose all and apply)
A. Main Mode
B. Fast Mode
C. Aggressive Mode
D. Quick Mode
E. Diffie-Hellman Mode
Correct Answer: ACD

Section: (none)
Explanation
https://supportforums.cisco.com/t5/security-documents/main-mode-vs-aggressive-mode/ta-p/3123382
Main Mode - An IKE session begins with the initiator sending a proposal or proposals to the responder. The
proposals define what encryption and authentication protocols are acceptable, how long keys should remain
active, and whether perfect forward secrecy should be enforced, for example. Multiple proposals can be sent in
one offering. The first exchange between nodes establishes the basic security policy; the initiator proposes the
encryption and authentication algorithms it is willing to use. The responder chooses the appropriate proposal
(we'll assume a proposal is chosen) and sends it to the initiator. The next exchange passes Diffie-Hellman
public keys and other data. All further negotiation is encrypted within the IKE SA. The third exchange
authenticates the ISAKMP session. Once the IKE SA is established, IPSec negotiation (Quick Mode) begins.
Aggressive Mode - Aggressive Mode squeezes the IKE SA negotiation into three packets, with all data required
for the SA passed by the initiator. The responder sends the proposal, key material and ID, and authenticates
the session in the next packet. The initiator replies by authenticating the session. Negotiation is quicker, and
the initiator and responder ID pass in the clear.
Quick Mode - IPSec negotiation, or Quick Mode, is similar to an Aggressive Mode IKE negotiation, except
negotiation must be protected within an IKE SA. Quick Mode negotiates the SA for the data encryption and
manages the key exchange for that IPSec SA.
Main and Aggresive Mode - IKE phase 1?

Quick mode - IKE phase 2 (IPSec)?
QUESTION 318
Which of Diffie-Hellman group(s) is/are support(ed) by CISCO VPN Product (Choose all that apply?
A. Group1
B. Group2
C. Group3
D. Group5
E. Group7
F. Group8
G. Group9
Correct Answer: ABDE

Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/glossary.html
Diffie-Hellman Group 1, Group 2, Group 5, Group 7Diffie-Hellman refers to a type of public key cryptography
using asymmetric encryption based on large prime numbers to establish both Phase 1 and Phase 2SAs. Group
1 provides a smaller prime number than Group 2 but may be the only version supported by someIPSecpeers.
Diffe-Hellman Group 5 uses a 1536-bit prime number, is the most secure, and is recommended for use
withAES. Group 7 has an elliptical curve field size of 163 bits and is for use with the Movian VPN client, but
works with any peer that supports Group 7 (ECC). See alsoVPNandencryption.
NoteThegroup 7command option wasdeprecatedin ASA version 8.0(4). Attempts to configure group 7 will
generate an error message and use group 5 instead.
QUESTION 319
Which option is the default value for the Diffie–Hellman group when configuring a site-to-site VPN on an ASA
device?
A. Group 1
B. Group 2
C. Group 7
D. Group 5
Correct Answer: B
Section: (none)
Explanation
QUESTION 320
What type of Diffie-Hellman group would you expect to be utiliazed on a wireless device?
A. Group4
B. Group7
C. Group5
D. Group3
Correct Answer: B
Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/glossary.html
Diffie-Hellman Group 1, Group 2, Group 5, Group 7Diffie-Hellman refers to a type of public key cryptography
using asymmetric encryption based on large prime numbers to establish both Phase 1 and Phase 2SAs. Group
1 provides a smaller prime number than Group 2 but may be the only version supported by someIPSecpeers.
Diffe-Hellman Group 5 uses a 1536-bit prime number, is the most secure, and is recommended for use
withAES. Group 7 has an elliptical curve field size of 163 bits and is for use with the Movian VPN client, but
works with any peer that supports Group 7 (ECC). See alsoVPNandencryption.
NoteThegroup 7command option wasdeprecatedin ASA version 8.0(4). Attempts to configure group 7 will
generate an error message and use group 5 instead.
QUESTION 321
What are two options for running Cisco SDM? (Choose two.)
A. Running SDM from a router’s flash

B. Running SDM from the Cisco web portal
C. Running SDM from within CiscoWorks
D. Running SDM from a PC
Correct Answer: AD
Section: (none)
Explanation
QUESTION 322
How will the traffic be affected if policy from the self-zone is removed ?
A. all traffic will be inspected.

B. traffic will not be inspected.
C. traffic will be passed with logging action.
D. ……………..
Correct Answer: B
Section: (none)
Explanation
QUESTION 323
What is the primary purpose of the Integrated Services Routers (ISR) in the BYOD solution?
A. Provide connectivity in the home office environment back to the corporate campus
B. Provide WAN and Internet access for users on the corporate campus
C. Enforce firewall-type filtering in the data center
D. Provide connectivity for the mobile phone environment back to the corporate campus
Correct Answer: A
Section: (none)
Explanation
CCNA Security 210-260 Official Cert Guide
This question came directly out of the book, but here is the explanation from the book:
BYOD Solution Components:

"Integrated Services Routers (ISR): Cisco ISRs will be used in the Cisco BYOD solution to provide WAN and
Internet access for the branch offices and Internet access for home office environments. In addition, the ISR
will provide both wired and WLAN connectivity in the branch office environments. Finally, the USRs can be
leveraged to provide VPN connectivity for mobile devices that are part of the BYOD solution. (runbuh: NOTICE
THAT THIS DOESN'T SAY "MOBILE PHONE"!!!!)
QUESTION 324
Which is not a function of mobile device management (MDM)?
A. Enforce strong passwords on BYOD devices

B. Deploy software updates to BYOD devices
C. Remotely wipe data from BYOD devices
D. Enforce data encryption requirements on BYOD devices
Correct Answer: B
Section: (none)
Explanation
QUESTION 325
The purpose of the certificate authority (CA) is to ensure what?
A. BYOD endpoints are posture checked

B. BYOD endpoints belong to the organization
C. BYOD endpoints have no malware installed
D. BYOD users exist in the corporate LDAP directory
Correct Answer: B
Section: (none)
Explanation
QUESTION 326
The purpose of the RSA SecureID server/application is to provide what?
A. Authentication, authorization, accounting (AAA) functions

B. One-time password (OTP) capabilities
C. 802.1X enforcement
D. VPN access
Correct Answer: B
Section: (none)
Explanation
QUESTION 327
What does ASA Transparent mode support?
A. it supports OSPF
B. it supports the use dynamic NAT
C. IP for each interface
D. requires a management IP address.
Correct Answer: B
Section: (none)
Explanation
If the question is written correctly the answer is "It supports the use of Dynamic NAT". Although the
configuration of an ASA in transparent mode does require a management IP address to pass traffic it is not
something that is "supported" but rather configured in order to work. In the same sense, you cannot assign IP
addresses to interfaces in Transparent mode so this is not supported. Options that can be supported are
therefore OSPF and NAT. As referenced below OSPF does not work with ASA's in transparent mode so the
only option left is NAT.
No - OSPF supports routed firewall mode only. OSPF does not support transparent firewall mode.
Yes - NAT can be configured on the transparent ASA, but there are certain things to note. The first is that
interface PAT cannot be configured because interfaces in transparent mode do not have IP addresses. The
management IP address can also not be used as the mapped address.
Another thing to keep in mind is that if you configure NAT and the mapped address is not on the same subnet
as the connected network, then you must add a static route on upstream device pointing to the ASA’s
management IP address.
Yes - For IPv4, a management IP address is required for each bridge group for both management traffic and
for traffic to pass through the ASA. For IPv6, at a minimum you need to configure link-local addresses for each
interface for through traffic.
No - Interfaces in transparent mode do not have IP address assignments.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/route_ospf.
QUESTION 328
What will happen with traffic if zone-pair created, but policy did not applied?
A. All traffic will be droped.

B. All traffic will be passed with logging.
C. All traffic will be passed without logging.
D. All traffic will be inspected.
Correct Answer: A
Section: (none)
Explanation
After much discussion, test experience and recent comments on SecurityTut, the correct answer appears to be
A. Traffic will be Dropped.
You also have the rule of same zone that can come into play here also since it’s not specified in the question
To use Fredbee’s breakout:
Same Zone:
Source interface member of zone(A): YES
Destination member of zone(A): YES
Zone pair exists: YES
Policy exists: NO
RESULT: Forward
Different Zones:
Source interface member of zone: YES
Destination member of zone: YES
Zone pair exists: YES
Policy exists: NO
RESULT: DROP
However the text below the table that Bacon referenced states:
“If there is a zone pair that identifies traffic between two zones, and the policy is not applied to the zone pair,
the default behavior is to drop traffic as if no zone pair even existed.” (Different Zone example)
I believe I had this question and I did not get a 100% in this area so I am inclined to say that the answer should
be “All traffic will be dropped” since that is the default action and the question does not say that they are not in
the same zone
===========
Previous EKE explination for historical reference:
I strongly believe, that answer is C, because of information in CCNA Security curriculum where was explained,
that zone-pair without applied policy will pass all the traffic without any inspection. What confuses me is two
variants off passing traffic in this question – with logging, and without. What logging is? Counters, syslog
messages? Nontheless I am choosing C as the right answer.
QUESTION 329
Which cisco IOS device support firewall, antispyware, anti-phishing, protection, etc.
A. Cisco IOS router

B. Cisco 4100 IOS IPS appliance
C. Cicso 5500 series ASA
D. Cisco 5500x next generation ASA
Correct Answer: D
Section: (none)
Explanation
QUESTION 330
What configs are under crypto map? (Choose two)
A. set peer
B. set host
C. set transform-set
D. inerface
Correct Answer: AC
Section: (none)
Explanation
User reported a choose two, C was the other one chosen

Cert Guide, Chapter 6, p. 139
runbuh:
https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/20/IPSec/b_20_IPSec/
b_20_IPSec_chapter_0110.pdf
Use the following example to create the ISAKMP crypto map:

configure
context ctxt_name
crypto map map_name ipsec-isakmp
set peer agw_address
set isakmp preshared-key isakmp_key
set mode { aggressive | main }
set pfs { group1 | group2 | group5 }
set transform-set transform_name
match address acl_name [ preference ]
match
Use the following example to create the dynamic crypto map on your system:
configure
context ctxt_name
crypto map map_name ipsec-dynamic
set pfs { group1 | group2 | group5 }
set tran
Use the following example to create the manual crypto map on your system:
configure
context ctxt_name
crypto map map_name ipsec-manual
set peer agw_address
match address acl_name [ preference ]
set transform-set transform_name
set session-key { inbound | outbound } { ah ah_spi [ encrypted ] key ah_key | esp esp_spi
[ encrypted ] her encryption_key [ encrypted ] authenticator auth_key }
end
QUESTION 331
Which two options are Private-VLAN secondary VLAN types?
A. Isolated
B. Secured
C. Community
D. Common
E. Segregated
Correct Answer: AC
Section: (none)
Explanation
QUESTION 332
Which type of VLANs can communicate to PVLANs? (something like this) (choose 2)
A. promiscuous
B. isolated
C. community
D. backup
E. secondary
Correct Answer: AB
Section: (none)
Explanation
I think Secondary was red herring (as PVLAN Terms can be Primary & Secondary)
I think there was a word or 2 missing from the above Q that helped. – but made me stop for a min or 2…
QUESTION 333
Choose two PVLAN VLAN types:
A. Community
B. Isolated
C. promiscuous
D. Secondary
Correct Answer: AB
Section: (none)
Explanation
There are mainly two types of ports in a Private VLAN: Promiscuous port (P-Port) and Host port. Host port
further divides in two types – Isolated port (I-Port) and Community port (C-port).
QUESTION 334
NAT option on ASA to stop address translation?
A. NAT none
B. NAT zero
C. NAT forward
D. NAT allow
Correct Answer: B
Section: (none)
Explanation
QUESTION 335
How does Zone-Based Firewall Handle traffic to and from self-zone ?
A. Drop
B. Inspect with logging
C. Inspect without logging
D. Another option that I can’t recall
Correct Answer: B
Section: (none)
Explanation
QUESTION 336
What Firewall technology operates at 4 layer and above ?
A. static filtering
B. applications firewall
C. statefull filtering
D. Circuit Level
Correct Answer: B
Section: (none)
Explanation
Possible choose 2. If so C is also correct
Application layer firewalls (also called proxy firewalls or application gateways) operate at Layers 3, 4, 5, and 7
of the OSI model. Proxy services are specific to the protocol that they are designed to forward and can provide
QUESTION 337
What protocol provides CIA ?
A. HA
B. ESP
C. IKEV1
D. IKEV2
Correct Answer: B
Section: (none)
Explanation
Encapsulating Security Payload or ESP refers to the protocol which offers confidentiality on top of integrity and
authentication to the IPSec data.
QUESTION 338
What is the highest security level can be applied to an ASA interface?
A. 0
B. 50
C. 100
D. 200
Correct Answer: C
Section: (none)
Explanation
QUESTION 339
Something about MDM distribution platform for BYOD. (Choose two)
A. On Premise
B. Cloud
C. Hybrid Cloud
D. Don't Remember
Correct Answer: AB
Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/
BYOD_Design_Guide/BYOD_MDMs.html
MDM Deployment Options and Considerations

With MDM solutions, there are two main deployment models:
On-Premise—In this model, MDM software is installed on servers in the corporate DMZ or data center, which
are supported and maintained by the enterprise IT staff.
Cloud-based—In this model-also known as a MDM Software-as-a-Service (SaaS) model-MDM software is
hosted, supported and maintained by a provider at a remote Network Operation Center (NOC); customers
subscribe on a monthly or yearly basis and are granted access to all MDM hardware/software via the Internet.
QUESTION 340
Which of the following are Legacy? (Choose three) This is a Drag and drop question paired with Avoid on the
actual exam.
A. 3DES
B. SHA-1
C. HMAC-MD5
D. AES
E. TKIP
Correct Answer: ABC

Section: (none)
Explanation
https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
QUESTION 341
Which of the following do you Avoid? (Choose two) This is a Drag and Drop question paired with Legacy on the
actual exam.
A. DES
B. SHA-1
C. MD5
D. AES
E. TKIP
Correct Answer: AC
Section: (none)
Explanation
QUESTION 342
Which of the following are Secure? (Choose three) This is a Drag and Drop question paired with Insecure on
the actual exam.
A. 3DES
B. SHA-1
C. HMAC-MD5
D. AES
E. TKIP
Correct Answer: ABD

Section: (none)
Explanation
QUESTION 343
Which of the following are insecure? (Choose two) This is a Drag and Drop question paired with Secure on the
actual exam.
A. DES
B. SHA-1
C. MD5
D. AES
E. TKIP
Correct Answer: AC
Section: (none)
Explanation
QUESTION 344
Which of these are HIPS functions? (choose four) Drag and drop question paired with NIPS functions on actual
exam.
A. Alert and administrator

B. protect multiple devices
C. protect one device
D. placed on the perimiter
E. installed on individual system
F. looks for changes in files
G. looks for traffic patterns
Correct Answer: ACEF

Section: (none)
Explanation
QUESTION 345
Which of these are NIPS functions? (choose four) Drag and drop question paired with HIPS functions on actual
exam.
A. Alert and administrator

B. protect multiple devices
C. protect one device
D. placed on the perimeter
E. installed on individual system
F. looks for changes in files
G. looks for traffic patterns
Correct Answer: ABDG

Section: (none)
Explanation
QUESTION 346
Where does the Datacenter operate? (Diagram on exam only has letters not names associated)
#####################
(A) L2Switch L2Switch L2Switch

(A) L3 Switch L3Switch
(B) L3 Switch L3Switch
(C) L3 Switch L3Switch
(D) L2Switch L2Switch L2Switch
#####################
A. Data Center
B. Campus Core
C. Building Distribution
D. Building Access
Correct Answer: A
Section: (none)
Explanation
Some users on tut have stated that the answer should be Distro layer. However, acording to this link
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/SAFE_RG/SAFE_rg/chap5.pdf
It is in the Data Center / Campus Services section.
QUESTION 347
What are the two main MDM deployment models for BYOD? (choose two)
A. On-Premise
B. Cloud-based
C. BYOD
D. Remote
Correct Answer: AB
Section: (none)
Explanation
With MDM solutions, there are two main deployment models:
On-Premise—In this model, MDM software is installed on servers in the corporate DMZ or data center,
which are supported and maintained by the enterprise IT staff.
Cloud-based—In this model-also known as a MDM Software-as-a-Service (SaaS) model-MDM software is
hosted, supported and maintained by a provider at a remote Network Operation Center (NOC); customers
subscribe on a monthly or yearly basis and are granted access to all MDM hardware/software via the Internet.
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/
BYOD_Design_Guide/BYOD_MDMs.html
QUESTION 348
The ‘”show nat” question with 3 sections. remarkably. It looks something like this:
###################
ASA# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic Users1 NATPool1
translate_hits = 0, untranslate_hits = 98329
2 (inside) to (outside) source static ServerReal ServerTrans
Auto NAT Policies (Section 2)

1 (inside) to (outside) source static SecureServ 203.0.113.82

2 (inside) to (outside) source static Servers ServersTrans
#####################
A. statement about Section 1 static NAT (like …static nat on interface…)

B. only reverse translations are occuring on dynamic Section 1
C. statement about Section 2 dynamic NAT (like … dynamic nat for interface …)
D. applying Section 3 only after no matches for Section 1 & 2.
Correct Answer: B
Section: (none)
Explanation
Here’s a link that sort of shows the format I’m talking about (purple/grey exhibits)
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/116388-
technote-nat-00.html#anc8
QUESTION 349
Scenario
In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then
answer the five multiple choice questions about the ASA SSLVPN configurations. To access ASDM, click the
ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation. To see all
the menu options available on the left navigation pane, you may also need to un-expand the expanded menu
first.
##################
---------------
|Inside PC|
---------------
| .3
|
| 192.168.1.0/24
Inside |
Gi0/1 | .1
--------- Gi0/2 172.16.1.0/24 ---------
| ASA |-------------------------------|DMZ|
|5512x| .1 dmz .2 |SRV|
--------- --------
Outside | .2
Gi0/0 |
|
209.165.201.0/27 |
-------------------------------------
Fa0/0.1x |
|
------------ .129 209.165.202.128/27 ------------
|2610xm|-------------------------------------------|Outside|
------------ | .130 | SRV |
|.226 | -------------
Fa0/0.9x | |
| | .131 ------------
209.165.200 | -------------|Outside|
.224/27 | | PC |
| -------------
|
Gi0/0.9x | .225
---
|R|
---
| Gi0/1
| -------------
------------------|Internet|
------------
##################
Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (choose four)
A. IPsec IKEv1
B. IPsec IKEv2
C. L2TP/IPsec
D. Clientless SSL VPN
E. SSL VPN Client
F. PPTP
Correct Answer: ABCD

Section: (none)
Explanation
By clicking on the
Configuration --> Remote Access VPN --> Clientless SSL VPN Access --> Group Policies tab
you can view the DfltGrpPolicy protocols.
QUESTION 350
Scenario
first.
##################
---------------
|Inside PC|
---------------
| .3
|
| 192.168.1.0/24
Inside |
Gi0/1 | .1
--------- Gi0/2 172.16.1.0/24 ---------
| ASA |-------------------------------|DMZ|
|5512x| .1 dmz .2 |SRV|
--------- --------
Outside | .2
Gi0/0 |
|
209.165.201.0/27 |
-------------------------------------
Fa0/0.1x |
|
------------ .129 209.165.202.128/27 ------------
|2610xm|-------------------------------------------|Outside|
------------ | .130 | SRV |
|.226 | -------------
Fa0/0.9x | |
| | .131 ------------
209.165.200 | -------------|Outside|
.224/27 | | PC |
| -------------
|
Gi0/0.9x | .225
---
|R|
---
| Gi0/1
| -------------
------------------|Internet|
------------
##################
When users login to the Clientless SSL VPN using https://209.165.201.2/test, which group policy will be
applied?
A. test
B. Sales
C. DefaultRAGroup
D. DefaultWEBVPNGroup
E. clientless
F. DFTGrpPolicy
Correct Answer: B
Section: (none)
Explanation
Navigate to the Connection Profiles tab and highlight the one with the “Test” alias:
Configuration --> Remote Access VPN --> Clientless SSL VPN Access --> Connection Profile
Select the line that has the “Test” alias and click edit. You will see the Policy that is being applied. In this case it
is the “Sales Group”
QUESTION 351
Scenario
first.
##################
---------------
|Inside PC|
---------------
| .3
|
| 192.168.1.0/24
Inside |
Gi0/1 | .1
--------- Gi0/2 172.16.1.0/24 ---------
| ASA |-------------------------------|DMZ|
|5512x| .1 dmz .2 |SRV|
--------- --------
Outside | .2
Gi0/0 |
|
209.165.201.0/27 |
-------------------------------------
Fa0/0.1x |
|
------------ .129 209.165.202.128/27 ------------
|2610xm|-------------------------------------------|Outside|
------------ | .130 | SRV |
|.226 | -------------
Fa0/0.9x | |
| | .131 ------------
209.165.200 | -------------|Outside|
.224/27 | | PC |
| -------------
|
Gi0/0.9x | .225
---
|R|
---
| Gi0/1
| -------------
------------------|Internet|
------------
##################
Which user authentication method is used when users login to the Clientless SSL VPN portal using
https://209.165.201.2/test ?
A. Both Certificate and AAA with LOCAL database

B. AAA with RADIUS server
C. Both Certificate and AAA with RADIUS server
D. AAA with LOCAL database
E. Certificate
Correct Answer: D
Section: (none)
Explanation
Navigate to the Connection Profiles tab where the “Test” alias is being used
Identify the line the “Test” alias is on and the Authentication Method is listed on that line.
QUESTION 352
Scenario
first.
##################
---------------
|Inside PC|
---------------
| .3
|
| 192.168.1.0/24
Inside |
Gi0/1 | .1
--------- Gi0/2 172.16.1.0/24 ---------
| ASA |-------------------------------|DMZ|
|5512x| .1 dmz .2 |SRV|
--------- --------
Outside | .2
Gi0/0 |
|
209.165.201.0/27 |
-------------------------------------
Fa0/0.1x |
|
------------ .129 209.165.202.128/27 ------------
|2610xm|-------------------------------------------|Outside|
------------ | .130 | SRV |
|.226 | -------------
Fa0/0.9x | |
| | .131 ------------
209.165.200 | -------------|Outside|
.224/27 | | PC |
| -------------
|
Gi0/0.9x | .225
---
|R|
---
| Gi0/1
| -------------
------------------|Internet|
------------
##################
Which two statements regarding the ASA VPN configurations are correct? (Choose two)
A. The Inside-SRV bookmark has not been applied to the Sales group policy
B. The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_Trustpoint1
C. The Inside-SRV bookmark references the https://192.168.1.2 URL
D. AnyConnect, IPSec IKEv1 and IPSec IKEv2 VPN access is enabled on the outside interface
E. Only Clientless SSL VPN VPN access is allowed with the Sales group Policy
F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method
Correct Answer: CE
Section: (none)
Explanation
Select the line that has the “Test” alias, it will show the authentication method to the right
Configuration --> Remote Access VPN --> Clientless SSL VPN Access --> Portal --> Bookmarks
Select the line that has the “Inside-SRV” and click edit to see the IP address associated.
There are a couple of versions with one answer the same and the other being different.
DefaultWEBVPNGroup… is the definite
The other will depend upon the question that is asked, if the IP address is “192” (as in this case it was) then the
“bookmark reference…is the other correct answer if the IP address is in any other range, then “Only clientless
SSL…”
The exam says test user 10.10.1.2 but when you go to the bookmark, it is 192.168.1.2 in ASDM. so this is
wrong. Since bookmark is wrong, when you check Sales Group, it is only using Clientless SSL VPN for
tunneling.
QUESTION 353
###################
ASA#show nat
1 (inside) to (outside) source dynamic LOCALUSERS GLBPOOL

translate_hits=3218, untranslate_hjits = 0
2 (inside) to (outside) source static REAL_SERVER GLB_SERVER
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static SSL_SERVER 88.1.115.1

1 (inside) to (outside) source dynamic NEW_USERS GLBPOOL2

####################
What is false?
A. Translation in section 3 used when a connection does not match any entries in first two sections
B. First policy in section 1 is a dynamic nat entry defined in the object configuration
C. NAT policy in section 2 is a static entry defined in the object configuration
D. There are only reverse translations matches for the REAL_SERVER object
Correct Answer: B
Section: (none)
Explanation
Explanation:
NAT Section 1 is for Manual NAT only and Manual NAT is not configured under any “object network” or “object-
group network”.
QUESTION 354
How can you mitigate attacks in which the attacker attaches more than one VLAN tag to a packet?
A. Disable EtherChannel
B. Enable transparent VTP on the switch
C. Explicity identify each VLAN allowed across the trunk
D. Assign an access VLAN to every active port on the switch
Correct Answer: C
Section: (none)
Explanation
Explanation:
Other users on SecurityTut say that D. is correct. In some CISCO links there are references to making ports
"Access ports".
This is the real answer from cisco here: http://www.ciscopress.com/articles/article.asp?

p=2181837&seqNum=10
The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is
different from the VLAN of any user ports. In fact, it is considered a security best practice to use a fixed VLAN
that is distinct from all user VLANs in the switched network as the native VLAN for all 802.1Q trunks.
This here is the rational behind choosing C. https://supportforums.cisco.com/t5/lan-switching-and-routing/

double-tagging-through-access-ports-why/td-p/2505162 where a cisco employee stated “We need to be sure of
configuring the Trunk ports to make sure which vlans are to be allowed over it.”
QUESTION 355
You are configuring a NAT rule on a Cisco ASA. Which description of a mapped interface is true?
A. It is mandatory for identify NAT only

B. It is optional in routed mode
C. It is mandatory for all firewall modes
D. It is optional in transparent mode
Correct Answer: B
Section: (none)
Explanation
Explanation:
QUESTION 356
What is the effect of the ip scp server enable command?
A. It allows the router to initiate requests to an SCP server
B. It references an access list that allows specific SCP servers
C. It adds SCP to the list of allowed copy functions
D. It allows the router to become an SCP server
Correct Answer: D
Section: (none)
Explanation
Explanation:
The actual command info from CISCO says it "Enables Server-Side Functionality". While it does allow the copy
function, it does not place it in any kind of list so C is wrong.
Use this command to enable secure copying of files from systems using the Secure Shell (SSH) application.
This secure copy function is accomplished by an addition to the copy command in the Cisco IOS software,
which takes care of using the secure copy protocol (scp) to copy to and from a router while logged in to the
router itself. Because copying files is generally a restricted operation in the Cisco IOS software, a user
attempting to copy such files needs to be at the correct enable level.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-xe-3se-3850-cr-book/sec-d1-xe-3se-
3850-cr-book_chapter_0101.html
Also page 315 of the CCNA Security 210-260 Official Cert Guide.
QUESTION 357
Which technology can you implement to centrally mitigate potential threats when users on your network
download files that might be malicious?
A. Implement URL filtering on the perimeter firewall

B. Verify that are company IPS blocks all known malicious websites
C. Enable file-reputation services to inspect all files that traverse the company network and block files with low
reputation scores
D. Verify that antivirus software is installed and up to date for all users on your network
Correct Answer: C
Section: (none)
Explanation
Explanation:
verification of the file-reputation can be done with Cisco ESA and WSA centrally as requested in the question.
https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_11-1/
b_ESA_Admin_Guide_ces_11_1/b_ESA_Admin_Guide_chapter_010000.pdf
QUESTION 358
When using the Adaptive Security Device Manager (ASDM), which two options are available to add a new add
a new root certificate (choose two)
A. use LDAP
B. use SCEP
C. install from a file
D. install from SFTP server
E. use HTTPS
Correct Answer: BC
Section: (none)
Explanation
Explanation:
within ASDM Navigate to Configuration > Remote Access VPN > Certificate Management, and choose CA
Certificates.
There are technically three ways: Install from a file, Paste certificate in PEM format, and Use SCEP.
refer to Section 1.1 here:

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-
SSL-Digital-Certificate-I.html
QUESTION 359
Which two SNMPv3 services support its capabilities as a secure network management protocol?(Choose two)
A. accounting
B. authentication
C. the shared secret key
D. access control
E. authorization
Correct Answer: BD
Section: (none)
Explanation
Explanation:
SNMPv3 includes three important services: authentication, privacy, and access control (Figure 1). To deliver
these services in a flexible and efficient manner, SNMPv3 introduces the concept of a principal, which is the
entity on whose behalf services are provided or processing takes place. A principal can be an individual acting
in a particular role; a set of individuals, with each acting in a particular role; an application or set of applications;
or combinations thereof. In essence, a principal operates from a management station and issues SNMP
commands to agent systems. The identity of the principal and the target agent together determine the security
features that will be invoked, including authentication, privacy, and access control. The use of principals allows
security policies to be tailored to the specific principal, agent, and information exchange, and gives human
security managers considerable flexibility in assigning network authorization to users.
https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-20/
snmpv3.html
QUESTION 360
Which description of the use of a private key is true?
A. the sender signs a message using their private key

B. the sender signs a message using thereceiver’s private key
C. the sender encrypts a message using the receiver’s private key
D. the receiver decrypts a message using the sender’s private key
Correct Answer: A
Section: (none)
Explanation
Explanation:
Keys - Keys are used to create digital signatures. For every signature, there is a public key and a private key.
Private key - The private key is the portion of the key you use to actually sign an email message. The private
key is protected by a password, and you should never give your private key to anyone.
Public key - The public key is the portion of the key that is available to other people. Whether you upload it to
a public key ring or send it to someone, this is the key other people can use to check your signature. A list of
other people who have signed your key is also included with your public key. You will only be able to see their
identities if you already have their public keys on your key ring.
https://www.us-cert.gov/ncas/tips/ST04-018
QUESTION 361
Which component of a BYOD architecture provides AAA services for endpoint access?
A. access point
B. Integrated Services Router
C. Identity Services Engine
D. ASA
Correct Answer: C
Section: (none)
Explanation
Explanation:
Cisco Identity Services Engine (ISE) is a core component of the Cisco BYOD solution architecture. It delivers
the necessary services required by enterprise networks, such as Authentication, Authorization, and Accounting
(AAA), profiling, posture, and guest management on a common platform. The ISE provides a unified policy
platform that ties organizational security policies to business components.
https://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/
Design_Overview.pdf
QUESTION 362
Which two statements about routed firewall mode are true? (Choose two)
A. this mode conceals the presence of the firewall

B. By default, this mode permits most traffic to pass through the firewall
C. the firewall acts as a routed hop in the network
D. the firewall requires a unique IP address for each interface
E. this mode allows the firewall to be added to an existing network with minimal additional configuration
Correct Answer: CD
Section: (none)
Explanation
Explanation:
QUESTION 363
What is the most common implementation of PAT in a standard networked environment?
A. configuring multiple internal hosts to communicate outside of the network using the outside interface IP
address
B. configuring multiple internal hosts to communicate outside of the network by using the inside interface IP
address
C. configuring multiple external hosts to join the self zone and to communicate with one another
D. configuring an any any rule to enable external hosts to communicate inside the network
Correct Answer: A
Section: (none)
Explanation
Explanation:
If you want inside hosts to share a single public address for translation, use Port Address Translation (PAT).
One of the simplest PAT configurations involves the translation of all internal hosts to look like the outside
interface IP address. This is the typical PAT configuration that is used when the number of routable IP
addresses available from the ISP is limited to only a few, or perhaps just one.
https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html
QUESTION 364
Which network topology describes multiple LANs in a geographically limited areas?
A. SOHO
B. CAN
C. MAN
D. PAN
Correct Answer: B
Section: (none)
Explanation
Explanation:
Campus Network (CAN) A network of multiple interconnected local area networks (LAN) in a limited
geographical area.
https://www.techopedia.com/definition/25931/campus-area-network-can
QUESTION 365
Which mechanism does the FireAMP Connector use to avoid conflicts with other security applications such as
antivirus products?
A. exclusions
B. sandboxing
C. containers
D. virtualization
Correct Answer: A
Section: (none)
Explanation
Explanation:
From the Sourcefire FireAMP Private Cloud Quick Start Guide v4.5 page 4:
To prevent conflicts between the FireAMP Connector and antivirus or other

security software, you must create exclusions so that the Connector doesn’t scan
your antivirus directory and your antivirus doesn’t scan the Connector directory.
https://www.cisco.com/c/dam/en/us/td/docs/security/sourcefire/fireamp/fireamp-private-cloud/
FireAMPPrivateCloudQuickStartGuide.pdf
=============== New Topics from Exams around 10 Apr 2018 =======================
4. . AAA authentication command question (Chapter 11 “Official study guide”, there are few new questions
from this chapter)
5. what type of Firewall works at layer 4 or higher (choose two)
10. What is the default action for port security? A. Restrict B. Shutdown C.? D.?
11. What is the format of the test aaa comand or something close to that wording:
#test aaa group tacacs+ admin cisco123 legacy --- This allows verification of the authentication function
working between the AAA client (the router) and the ACS server (the AAA server).
Source: Cisco Official Certification Guide, Table 3-6 Command Reference, p.68
QUESTION 366
Drag the recommendations on the left to the Cryptographic Algorithms on the right. Options will be used more
than once.
Select and Place:
Correct Answer:
Section: (none)
Explanation
QUESTION 367
Drag the hash or algorithm from the left column to its appropriate category on the right.
Select and Place:
Correct Answer:
Section: (none)
Explanation
QUESTION 368
HIPS and NIPS
Place the 7 options into HIPS and NIPS. Each section has 4 choices which means one of these 7 options
goes into both.
Select and Place:
Correct Answer:
Section: (none)
Explanation
QUESTION 369
Which filters does ESA use for both incoming and outgoing mail?
A. Content Filter
B. Outbreak Filter
C. Reputation Filter
D. Spam
Correct Answer: AB
Section: (none)
Explanation
QUESTION 370
Which EAP protocol does Active Directory interrogation but does not use 802.1x certificates?
A. EAP-PEAP
B. EAP-MSCHAPv2
C. Don't Remember
D. Don't Remember
Correct Answer: B
Section: (none)
Explanation
QUESTION 371
What are the self zone policies limitations in a Zone Based Firewall setup? (choose 2)
A. Does not support inspection (policing?)

B. Does not support rate limiting
C. Don't Remember
D. Don't Remember
Correct Answer: AB
Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/sec-
zone-pol-fw.html
You need two security zones to create a zone pair. However, you can create only one security zone and use a
system-defined security zone called “self.” Note that if you select a self zone, you cannot configure inspect
policing.
Stateful inspection support for multicast traffic is not supported between any zones, including the self zone.
Use Control Plane Policing for protection of the control plane against multicast traffic.
You can select the default or self zone as either the source or the destination zone. The self zone is a system-
defined zone which does not have any interfaces as members. A zone pair that includes the self zone, along
with the associated policy, applies to traffic directed to the device or traffic generated by the device. It does not
apply to traffic through the device.
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html#topic2
Self-Zone Policy Limitations

Self-zone policy has limited functionality as compared to the policies available for transit-traffic zone-pairs:
As was the case with classical stateful inspection, router-generated traffic is limited to TCP, UDP, ICMP, and
complex-protocol inspection for H.323.
Application Inspection is not available for self-zone policies.
Session and rate limiting cannot be configured on self-zone policies.
QUESTION 372
Which Phase 1 parameter of VPN requires the pre-shared key
A. Hash
B. Authentication
C. Group
D. Encryption
Correct Answer: B
Section: (none)
Explanation
IKE phase 1 has three methods to authenticate IPSec peers in Cisco products:
1. Pre-shared keys. A key value entered into each peer manually (out of band) and used to authenticate the
peer.
2. RSA signatures. Uses a digital certificate authenticated by an RSA signature.
3. RSA encrypted nonces. Uses RSA encryption to encrypt a nonce value (a random number generated by
the peer) and other values.
Reference: http://www.ciscopress.com/articles/article.asp?p=25474
QUESTION 373
What is the difference between ASA and router access-lists?
A. ASA never uses wildcard masks

B. ASA doesn't support extended access lists
C. ASA doesn't support standard access lists
D. Something not useful
Correct Answer: A
Section: (none)
Explanation
unknown/unverified
QUESTION 374
What is a network IPS limitation?
A. Large network deployments require numerous sensors

B. Unable to monitor attacks across entire network
C. Something not useful
D. Something not useful
Correct Answer: A
Section: (none)
Explanation
http://www.ciscopress.com/articles/article.asp?p=1336425&seqNum=3
The advantages and limitations of network IPS are as follows:

Advantages of network IPS: A network-based monitoring system has the benefit of easily seeing
attacks that are occurring across the entire network. Seeing the attacks against the entire network gives a clear
indication of the extent to which the network is being attacked. Furthermore, because the monitoring system is
examining only traffic from the network, it does not have to support every type of operating system that is used
on the network.
Limitations of network IPS: Encryption of the network traffic stream can essentially blind network IPS.
Reconstructing fragmented traffic can also be a difficult problem to solve. Possibly the biggest drawback to
network-based monitoring is that as networks become larger (with respect to bandwidth), it becomes more
difficult to place network IPS at a single location in the network and successfully capture all the traffic.
Eliminating this problem requires the use of more sensors throughout the network. However, this solution
increases costs.
QUESTION 375
Drag and Drop to pair the security tool with the appropriate definition. (See the Explanation for longer
descriptions)
Select and Place:
Correct Answer:
Section: (none)
Explanation
This is a version of the answer using longer descriptions.
QUESTION 376
What are the default settings when you enable port-security?
A. Max MAC = 1
B. Mac MAC = 2
C. Violation = Restricted
D. Violation = Shutdown
Correct Answer: AD
Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/
port_sec.html
QUESTION 377
Put the steps in the right order to initially setup a Cisco WSA
Select and Place:
Correct Answer:
Section: (none)
Explanation
https://www.cisco.com/c/dam/en/us/products/collateral/security/cloud-web-security/cws_wsa_wsav.pdf
Introduction....................................................................................................................................................1
Cloud Deployment.....................................................................................................................................1
Additional Redirect Methods .....................................................................................................................1
Prepare..........................................................................................................................................................2
Verify connection to a tower......................................................................................................................2
Create authentication license key .............................................................................................................3
Deploy ...........................................................................................................................................................5
Configure WSA Connector........................................................................................................................5
Run the System Setup
Wizard...............................................................................................................5
Add an Authentication Realm
................................................................................................................9
Configure Identity
Management...........................................................................................................12
Configure Directory Groups
.................................................................................................................13
Configure WSAv Connector....................................................................................................................14
Test .............................................................................................................................................................16
Verify web redirection to the cloud..........................................................................................................16
QUESTION 378
What firewall types work at Layer 4 and above
A. NAT
B. Application
C. Stateful
D. Don't remember
E. Static Packet Filter
Correct Answer: BC
Section: (none)
Explanation
I have seen some people point to the Static Packet Filter as an answer. The question is asking about firewall
types, not filter types.
QUESTION 379
Which two attack types can be prevented with the implementation of a Cisco IPS solution? (Choose two)
A. ARP Spoofing
B. DDoS
C. VLAN Hopping
D. Man-in-the-Middle
E. Worms
Correct Answer: DE
Section: (none)
Explanation
https://www.cisco.com/c/en/us/products/collateral/security/ips-4200-series-sensors/qa_c67-458612.html
(no mention of DOS at this link, and this link talks about an IPS module, not an entire IPS "Solution" (which can
include other components beyond just IPS)
Q. What is the Cisco ® ASA AIP-SSM-40?

A. The Cisco ASA Advanced Inspection and Prevention Security Services Module 40 (AIP-SSM-40) is a
hardware module that plugs into a Cisco ASA device and runs Cisco IPS Sensor Software, a comprehensive
inline network-based defense system that is designed to accurately identify, classify, and stop malicious traffic,
including worms, spyware, adware, and application abuse, before they affect your business or network
assets.
Q. Can the Cisco ASA AIP-SSM-40 protect my IP telephony infrastructure, such as my Cisco Unified
CallManager server?
A. The Cisco ASA AIP-SSM-40 solution is ideal for protecting protocols and data streams that are used for IP
telephony, and for protecting the operating system and applications on a Cisco Unified CallManager server.
Cisco IPS features include specific signatures for protecting IP telephony call setup, preventing Layer 2
man in the middle attacks, and stopping malicious code that can infect or exploit the Cisco Unified
CallManager Server.
QUESTION 380
Something about SNMPv2 and SNMPv3
A. SNMPv3 is a Cisco Proprietary Protocol

B. SNMPv3 is Not Encrypted/Sends in Clear Text
C. SNMPv2 is Not Encrypted/Sends in Clear Text
D. SNMPv2 use encryption and privacy
E. SNMPv3 use encryption and privacy
Correct Answer: BCE

Section: (none)
Explanation
Explanation:
https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-20/
snmpv3.html
SNMPv3 includes three important services: authentication, privacy, and access control (Figure 1). To deliver
these services in a flexible and efficient manner, SNMPv3 introduces the concept of a principal, which is the
entity on whose behalf services are provided or processing takes place. A principal can be an individual acting
in a particular role; a set of individuals, with each acting in a particular role; an application or set of applications;
or combinations thereof. In essence, a principal operates from a management station and issues SNMP
commands to agent systems. The identity of the principal and the target agent together determine the security
features that will be invoked, including authentication, privacy, and access control. The use of principals allows
security policies to be tailored to the specific principal, agent, and information exchange, and gives human
security managers considerable flexibility in assigning network authorization to users.
http://blog.ine.com/2008/07/19/snmpv3-tutorial/
The following security models exist: SNMPv1, SNMPv2, SNMPv3. The following security levels exits:
“noAuthNoPriv” (no authentiation and no encryption – noauth keyword in CLI), “AuthNoPriv” (messages are
authenticated but not encrypted – auth keyword in CLI), “AuthPriv” (messages are authenticated and encrypted
– priv keyword in CLI). SNMPv1 and SNMPv2 models only support the “noAuthNoPriv” model since they
use plain community string to match the incoming packets. The SNMPv3 implementations could be
configured to use either of the models on per-group basis (in case if “noAuthNoPriv” is configured, username
serves as a replacement for community string). All users sharing a group utilize the same security model,
however, the specific model settings (password, encryption key) are sep per-user. Note that SNMPv3 does not
send passwords in clear-text and uses hash-based authentication with either MD5 or SHA1 functions (HMAC
authentication – the packet conted is hashed along with authentication key to produce the authentication
string). For encryption, statically configured keys are used along with DES56 symmetric cipher (that mean the
same key should be configured on NMS for the particular user).
QUESTION 381
Something about Data at Rest
A. Whole Disk Encryption

B. Network IPS
C. Router ACL
D. IPSec Tunnel
Correct Answer: A
Section: (none)
Explanation
Question incomplete/not verified
QUESTION 382
Something about protecting a router or switch from attack
A. Control Plane Policing

B. Service Policy
C. Cisco Express Forwarding
D. Policy Map
Correct Answer:
Section: (none)
Explanation
Incomplete/Unverified
Probably want to understand Control Plane Policing (CoPP) and Control Plane Protection (CPPr)
https://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html
https://www.cisco.com/c/en/us/about/security-center/understanding-cppr.html
QUESTION 383
What are valid RADIUS ports
A. TCP ports 1812/1813

B. UDP ports 1812/1813
C. TCP port 43
D. UDP port 43
Correct Answer: B
Section: (none)
Explanation
https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/
acsuserguide/rad_tac_phase.html
QUESTION 384
What are two feature of transparent firewall mode ?
A. Layer 2
B. Can be placed in the network to monitor the traffic
C.
D.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 385
Which two configurations can prevent vlan hopping attack from attackers at vlan 10
A. Create vlan 99 and change native vlan on trunk to 99

B. Change native vlan on trunk to vlan 10
C. Configure host facing ports with the command ‘switchport mode access’
D.
Correct Answer: AC
Section: (none)
Explanation
QUESTION 386
What aims to remove the ability to deny an action
A. Integrity
B. Deniability
C. Accountability
D. non - repudiation
Correct Answer: D
Section: (none)
Explanation
QUESTION 387
Which terms refer to the electromagnetic interference that can radiate from network cables
A. Eminiation
B. Doppler waves
C. Gaussian distributions
D. Multimode
Correct Answer: A
Section: (none)
Explanation
CompTIA Network+ N10-006 Cert Guide: Comp Netw N100 Cert Guide_c1, p 405
QUESTION 388
What are two major consideration when choosing between a span and a tap when implementing IPS
A. Depends on that bandwidth availability

B. How will they handle with the dropped packets
C. How will they handle with the error detected packets
D.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 389
What are the direct to tower methods for redirecting web traffic to cisco web security
A. Cisco ISE
B. 3rd party proxies
C. PAC file
D. NAC
Correct Answer: BC
Section: (none)
Explanation
QUESTION 390
IKEV2 operates in how many phases
A. Two Phases (like IKEV1)

B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
QUESTION 391
Which two models of ASA tend to be used in a data center
A. ASA 5585-X
B. ASA Services Module
C.
D.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 392
What is a network IPS limitation
A. Large network deployments require numerous sensors

B. Unable to monitor attacks across entire network
C.
D.
Correct Answer: A
Section: (none)
Explanation
QUESTION 393
Which next-generation encryption algorithms supports four variants
A. sha1
B. sha2
C. md5
D. hmac
Correct Answer: B
Section: (none)
Explanation
QUESTION 394
Which command do you enter to enable authentication for OSPF on an interface?
A. ip ospf message-digest-key 1 md5 CISCOPASS

B. area 0 authentication message-digest
C. ip ospf authentication-key CISCOPASS
D. ip ospf authentication message-digest
Correct Answer: D
Section: (none)
Explanation
QUESTION 395
Which two 802.1x features can you enable by running the IOS authentication priority command? (Choose two.)
A. forced authorized port state

B. Telnet authentication
C. automatic selection
D. Web authentication
E. MAC authentication bypass
Correct Answer: DE
Section: (none)
Explanation
QUESTION 396
Which path do you follow to enable aaa through the sdm
A. Configure > additional task > AAA

B. Configure > task > AAA
C. Configure > tools > AAA
D. Configure > additional task > Configuration Management
Correct Answer: A
Section: (none)
Explanation
QUESTION 397
What does the dh group refer to
A. tunnel lifetime key

B. length of key for authentication
C. length of key for key exchange
D. length of key for hashing
E. length of key for encryption
Correct Answer: C
Section: (none)
Explanation
QUESTION 398
SNMP V3 access control how to control access of clients & managers
A. Routing Filtering
B. Create access list
C. Make managers view
D. Authentication
Correct Answer: BD
Section: (none)
Explanation
QUESTION 399
The difference between SHA1 and SHA2
A. Output lenght
B.
C.
D.
Correct Answer: A
Section: (none)
Explanation
QUESTION 400
When a switch receives a BPDU on non-trunk interface and this interface goes to err-disable, what feature is
configured on this port?
A. BPDU filter
B. BPDU guard
C. Root guard
D. Port Fast
Correct Answer: B
Section: (none)
Explanation
BPDU Guard - BPDU Guard puts an interface configured for STP PortFast into the err-disable state upon
receipt of a BPDU. The BPDU Guard disables interfaces as a preventive step to avoid a potential bridging loop.
The BPDU Guard feature is used to protect the Spanning Tree domain from external influence. BPDU Guard is
disabled by default but is recommended for all ports on which the Port Fast feature has been enabled. This
prevents false information from being injected into the Spanning Tree domain on ports that have Spanning
Tree disabled.
BPDU Filter - When PortFast is enabled on a port, the port will send out BPDUs and will accept and process
received BPDUs. The BPDU Guard feature prevents the port from receiving any BPDUs but does not prevent it
from sending them. If any BPDUs are received, the port will be errdisabled. The BPDU Filter feature effectively
disables STP on the selected ports by preventing them from sending or receiving any BPDUs.
BPDU filtering supports the ability to prevent switches from sending BPDUs on PortFast-enabled interfaces.
Ports configured for the PortFast feature typically connect to host devices. Hosts do not participate in STP and
hence drop the received BPDUs. As a result, BPDU filtering prevents unnecessary BPDUs from being
transmitted to host devices.
When enabled on an individual port, BPDU filtering has the following affects;
It ignores all BPDUs received.
It sends no BPDUs.
Root Guard - Root Guard is useful in avoiding Layer 2 loops during network anomalies. The Root Guard
feature forces an interface to become a designated port to prevent surrounding switches from becoming a root
switch. In other words, Root Guard provides a way to enforce the root bridge placement in the network. The
Root Guard feature prevents a Designated Port from becoming a Root Port. If a port on which the Root Guard
feature receives a superior BPDU, it moves the port into a root-inconsistent state (effectively equal to a
listening state), thus maintaining the current Root Bridge status.
http://ericleahy.com/index.php/bpdu-guard-bpdu-filter-root-guard-loop-guard-udld/
QUESTION 401
Some new questions one of them about encryption protocol using in MPLS VPN Confidentiality
A. IPsec
B. SSL
C. AES
D. 3DES
Correct Answer: A
Section: (none)
Explanation
QUESTION 402
VRF-VRF Lite question (chose two)
A. Multicast
B. EIGRP
C.
D.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 403
What are the quantifiable things you would verify before introducing new technology in your company?
A. risk
B. vulnerability
C. exploit
D. virus
Correct Answer: B
Section: (none)
Explanation
QUESTION 404
Also had the Diffie-Hellmann question – What known number/sequence something like that) starts off the key ?
A. pseudo random number

B. Prime integers
C. small number
D. Random prime integer
Correct Answer: D
Section: (none)
Explanation
QUESTION 405
WSA modes (Choose Two)
A. Explicit proxy mode

B. Transparent proxy
C.
D.
Correct Answer: AB
Section: (none)
Explanation
QUESTION 406
Why does ISE require its own certification issued by a trusted CA?
A. ISE certificate allow guest device to validate it as a trusted network device

B. ISE certificate allow it to join the network security framework
C. It request certificates for guest device from the CA server based on its own certificate
D. It generate certificates for guest device based on it own certificate
Correct Answer:
Section: (none)
Explanation
QUESTION 407
Which term is most closely aligned with the basic purpose of SIEM solution?
A. Repudation
B. Non-Repudation
C. something
D. Accountability
Correct Answer: D
Section: (none)
Explanation
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/
sbaSIEM_deployG.pdf
QUESTION 408
What are two feature of transparent firewall mode
A. Enabled by default
B. Allow more connections than routed firewall
C. An attacker not see this type of firewall
D. Acts as a network hop in the network
E. Cisco ASA with this feature can route packets
Correct Answer: BC
Section: (none)
Explanation
QUESTION 409
What do you need to configure an SNMPv3 Agent connect only with SNMP manager ?
A. STANDARD ACL
B. ROUTING
C. SNMP VIEW
D. SNMP ROUT
Correct Answer: A
Section: (none)
Explanation

Youki PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Youki PDF

Uploaded by

Copyright:

Available Formats

Untitled Exam

24 May 2019 - by Youki New questions are included

A simplified way of differentiating these flavors of Cloud Computing is as follows;

A. when a network device fails to forward packets

A. TACACS uses TCP to communicate with the NAS.

Correct Answer: ABC

Correct Answer: ABC

A. Security Parameter Index

A. It can view encrypted files.

Correct Answer: ABC

Correct Answer: ABC

A. Deny the connection inline.

A. It provides hardware authentication.

A. to ensure that only authorized parties can modify data

A. Implement rules to prevent a vulnerability.

A. other company networks to your company network

A. Education about common Web site vulnerabilities.

Source: Cisco Official Certification Guide, p.93

R1>show clock detail

Which statement about the device time is true?

A. ACS servers can be clustered to provide scalability.

Authentication event fail action next-method

A. The supplicant will fail to advance beyond the webauth method.

A. The ISE agent must be installed on the device.

Crypto ikev1 policy 1

What is the effect of the given command sequence?

A. It configures IKE Phase 1.

Crypto map mymap 20 match address 201

What is the effect of the given command sequence?

Reference: OCG Page 163

Dst src state conn-id slot

A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.

Reference:OCG Page 169

A. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5.

Username HelpDesk privilege 9 password 0 helpdesk

A. The secure boot-image command is configured.

A. control plane packets

A. The switch could offer fake DHCP addresses.

A. "show ip dhcp snooping binding"

Simply the question ask about binding table

A. STP root guard

More info: https://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml

This message appears after root guard blocks a port:

%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77.

A. The trunk port would go into an error-disabled state.

A. To protect endpoints such as desktops from malicious activity.

A. They can protect a system by denying probing requests.

UDP outside 209.165.201.225:53 inside 10.0.0.10:52464, idle 0:00:01, bytes 266,

What type of firewall would use the given configuration line?

A. Traffic between two interfaces in the same zone is allowed by default.

Reference: 31 Days Before Your CCNA Security Exam P373

A. To separate different departments and business units.

A. It can provide higher throughput.

A. A value that indicates the potential severity of an attack.

A. Enable logging at the end of the session.

A. It can extract and decode email attachments in client to server traffic.

A. Configure a proxy server to hide users' local IP addresses.

A. Create a custom blacklist to allow traffic

A. Every time a new update is available.

Reference: 31 Days Before Your CCNA Security Exam

A. It blocks access to specific programs.

OCG page 491

A. listening, learning, blocking, forwarding, disabled