Which two descriptions of AES encryption are true?

Answer :
 AES is more secure than 3DES.
 AES can use a 256-bit key for encryption.
An engineer must force an endpoint to re-authenticate an already authenticated session
without disrupting the endpoint to apply a new or updated policy from ISE. Which CoA type
achieves this goal?
Answer :
 CoA Reauth
Which feature of Cisco ASA allows VPN users to be postured against Cisco ISE without
requiring an inline posture node?
Answer :
 RADIUS Change of Authorization
Which risks is a company vulnerable to if it does not have a well-established patching
solution for endpoints?
Answer :
 malware
A malicious user gained network access by spoofing printer connections that were authorized
using MAB on four different switch ports at the same time. Which two Catalyst switch
security features will prevent further violations? (Choose two.)
Answer :
 DHCP Snooping
 Dynamic ARP inspection
When wired 802.1X authentication is implemented, which two components are required?
Answer :
 authentication server: Cisco Identity Service Engine
 authenticator: Cisco Catalyst switch
IANA is responsible for which three IP resources? (Choose three.)
Answer :
 IP address allocation
 Autonomous system number allocation
 Root zone management in DNS
Which Cisco product is open, scalable, and built on IETF standards to allow multiple security
products from Cisco and other vendors to share data and interoperate with each other?
Answer :
 Platform Exchange Grid
When Cisco and other industry organizations publish and inform users of known security
findings and vulnerabilities, which name is used?
Answer :
 Common Vulnerabilities and Exposures
Which Cisco platform ensures that machines that connect to organizational networks have the
recommended antivirus definitions and patches to help prevent an organizational malware
outbreak?
Answer :
 Cisco ISE
Which DoS attack uses fragmented packets to crash a target machine?
An engineer needs a solution for TACACS+ authentication and authorization for device
administration. The engineer also wants to enhance wired and wireless network security by
requiring users and endpoints to use 802.1X, MAB, or WebAuth. Which product meets the
engineer's needs?
Answer :
 Cisco Identity Services Engine
What are two benefits of using IKEv2 instead of IKEv1 when deploying remote-access IPsec
VPNs? (Choose two.)
A network administrator is configuring a switch to use Cisco ISE for 802.1X. An endpoint is
failing authentication and is unable to access the network. Where should the administrator
begin troubleshooting to verify the authentication details?
Answer :
 RADIUS Live Logs
Which two options represent definitions that are found in the syslog protocol (RFC 5426)?
(Choose two.)
Answer :
 Each syslog datagram must contain only one message.
 IPv6 syslog receivers must be able to receive datagrams of up to 1180 bytes.
Which PKCS is invoked during IKE MM5 and MM6 when digital certificates are used as the
authentication method?
Answer :
 PKCS#7
Which NTP stratum level means that the clock is unsynchronized?
Answer :
 16
Which option is representative of automatic IP addressing in IPv4?
Answer :
 169.254.x.x
Which three options describe the interface and direction on which ACL capture can be
applied on a Cisco Nexus 7000 switch? (Choose three.)
Answer :
 In a VLAN interface
 In the ingress direction on all interfaces
 In the egress direction on all Layer 3 interfaces
Which three statements about the configuration of vPC+ are true? (Choose three.)
Answer :
 The FabricPath switch ID must be configured under the vPC domain.
 On the Cisco Nexus 7000 switch, F1 interfaces must be used as the vPC+ peer links.
 The vPC+ peer link must be configured as a Cisco FabricPath core port.
Which three options are valid ACE probes? (Choose three.)
How many traffic monitoring sessions can you create on Cisco UCS Manager?
Answer :
 16
Your organization is purchasing Cisco devices as well as non-Cisco devices for switching.
Which three statements are correct about connecting Cisco devices to a non-Cisco 802.1Q
cloud? (Choose three.)
Which of the following is an advanced networking function performed by VEM?
Answer :
 QoS
Which two methods can be used in communications between the Cisco Nexus 1000V VEM
and the VSM? (Choose two.)
Answer :
 Routed UDP traffic using port 4785
 Layer 2 direct traffic using MAC addresses
Which three options describe benefits of the global load-balancing solution? (Choose three.)
Answer :
 Device status within the data center
 Performance granularity
 Intelligent traffic management
What is the benefit of the Priority-Based Flow control feature in Data Center Bridging?
Answer :
 provides the capability to manage a bursty, single traffic source on a multiprotocol link
In the basic DNS resolution process, which component receives the query and sends it to the
location that knows the IP address for the destination?
Answer :
 D-proxy
Which three options are valid SPAN sources? (Choose three.)
Answer :
 VLANs, because when a VLAN is specified as a SPAN source, all supported interfaces in the VLAN are SPAN sources
 fabric port channels connected to the Cisco Nexus 2000 Series Fabric Extender
 satellite ports and host interface port channels on the Cisco Nexus 2000 Series Fabric Extender
What two endpoint measures are used to minimize the chances of falling victim to phishing
and social engineering attacks?
Answer :
 Install a spam and virus email filter.
 Protect systems with an up-to-date antimalware program
What are two rootkit types? (Choose two.)
Which algorithm provides encryption and authentication for data plane communication?
Answer :
 AES-GCM
What is the result of running the crypto isakmp key ciscXXXXXXXX address 172.16.0.0
command?
Which two advantages does an MDM provide to an organization with regard to device
management?
Answer :
 asset inventory management
 allowed application management
Which benefit does endpoint security provide the overall security posture of an organization?
Answer :
 It allows the organization to detect and mitigate threats that the perimeter security devices do not detect.
Which two kinds of attacks are prevented by multifactor authentication? (Choose two.)
Answer :
 brute force
 man-in-the-middle
Which kind of attack is prevented by multifactor authentication?
Answer :
 man-in-the-middle
An engineer wants to automatically assign endpoints that have a specific OUI into a new
endpoint group. Which probe must be enabled for this type of profiling to work?
Answer :
 NMAP
A company is experiencing exfiltration of credit card numbers that are not being stored
on-premises. The company needs to be able to protect sensitive data throughout the full
environment. Which tool should be used to accomplish this goal?
Answer :
 Cloudlock
What is the purpose of the My Devices Portal in a Cisco ISE environment?
A Cisco ESA network administrator has been tasked to use a newly installed service to help
create policy based on the reputation verdict. During testing, it is discovered that the Cisco
ESA is not dropping files that have an undetermined verdict. What is
Answer :
 The policy was created to disable file analysis
Which two statements about ASA transparent mode are true? (Choose two.)
Which three types of traffic are processed by CoPP configured on the device? (Choose three.)
Answer :
 routing protocol traffic
 traffic that is destined to the device interface
 traffic from a management protocol such as Telnet or SNMP
In Cisco IOS firewall the HTTP inspection engine has the ability to protect against which of
the following?
Answer :
 Tunneling over port 80.
Which statement correctly describes a category for the ASA Botnet Traffic Filter feature?
Answer :
 Known malware addresses: These addresses are identified as blacklist addresses in the dynamic database and static list
Which three statements about Dynamic ARP Inspection on Cisco Switches are true? (Choose
three.)
Answer :
 Dynamic ARP inspection checks ARP packets against the trusted database.
 The trusted database can be manually configured using the CLI.
 DHCP snooping is used to dynamically build the trusted database.
Which two statements about the storm control implementation on the switch are true?
(Choose two.)
Answer :
 Traffic storm level is the percentage of total available bandwidth of the port.
 Traffic storm control monitors the broadcast, multicast, and unicast traffic.
Which three types of traffic are generally policed via CoPP policies? (Choose three.)
Answer :
 Transit traffic
 Traffic that is destined to any of the device's interfaces.
 Traffic from a management protocol such as Telnet or SNMP
Which statement about the PVLAN is true?
Answer :
 Promiscuous ports can communicate with all the other type of ports.
Which three addresses are special use as defined in RFC 5735? (Choose three.)
Which statement about Sarbanes-Oxley (SOX) is true?
Answer :
 SOX is a US law.
Which VPN technology is based on GDOI (RFC 3547)?
Which three basic security measures are used to harden MSDP? (Choose three.)
Answer :
 MSDP SA filters
 MSDP state limitation
 MSDP MD5 neighbor authentication
What is the purpose of aaa server radius dynamic-author command?
Answer :
 Enables the device to dynamically receive updates from a policy server
Which two statements apply to EAP-FAST? (Choose two.)
Answer :
 EAP-FAST is useful when a strong password policy cannot be enforced and an 802.1X EAP type that does not require digital certificates can be deployed.
 EAP-FAST provides protection from authentication forging and packet forgery (replay attack).
In an operating system environment, which three attacks give a user elevated privileges to
access resources that are otherwise blocked? (Choose three.)
Answer :
 backdoor
 rootkit
 privilege escalation
Cisco firewalls and routers can respond to a TCP SYN packet that is destined for a protected
resource by using a SYN-ACK packet to validate the source of the SYN packet. What is this
feature called?
Answer :
 TCP intercept
Which statement about the Cisco Secure Desktop hostscan endpoint assessment feature is
true?
Answer :
 Advanced endpoint assessment gives you the ability to turn on an antivirus active scan function if it has been disabled.
Which port is used by default to communicate between VPN load-balancing ASAs?
Answer :
 UDP 9023
Which switch is not a valid Cisco Nexus 7000 Series model?
Which three statements apply to the behavior of Cisco AnyConnect client auto-reconnect?
(Choose three.)
Answer :
 By default, Cisco AnyConnect attempts to re-establish a VPN connection when you lose connectivity to the secure gateway.
 Cisco AnyConnect reconnects when the network interface changes, whether the IP of the NIC changes or whether connectivity switches from one NIC to another; for example, wireless to wired or vice versa.
 With respect to VPN load balancing and Cisco AnyConnect reconnect, the client reconnects directly to the cluster member to which it was previously connected.
Which two statements about the Cisco AnyConnect client Trusted Network Detection feature
are true? (Choose two.)
Which two statements apply to the method that ASA uses for tunnel-group lookup for
LAN-to-LAN IPsec connections when using PSK-based authentication? (Choose two.)
Answer :
 If the configuration does not contain the tunnel-group with the IKE ID or peer IP address DefaultRAGroup, DefaultL2LGroup is used instead.
 DefaultL2LGroup is used only if the PSK check in DefaultRAGroup fails.
Hierarchical priority queuing is used on the interfaces on which you enable a traffic-shaping
queue. Which two statements about hierarchical priority queuing are true? (Choose two.)
Answer :
 For IPsec-encrypted packets, you can match traffic based only on the DSCP or precedence setting.
 IPsec over TCP is not supported for priority traffic classification.
Which two MAC authentication methods are supported on WLCs? (Choose two.)
Answer :
 local MAC authentication
 MAC authentication using a RADIUS server
Client MFP supplements rather than replaces infrastructure MFP. Which three are client MFP
components? (Choose three.)
Answer :
 key generation and distribution
 protection and validation of management frames
 error reports
When you work on a change-management process, you generally identify potential change,
review the change request, implement change, then review the change and close the process.
In which step should the stakeholder be involved?
Answer :
 Depends on the stakeholder request
Many guidelines can be used to identify the areas that security policies should cover. In
which four areas is coverage most important? (Choose three.)
Answer :
 Physical
 Host
 User
Which two items are required for LDAP authenticated bind operations? (Choose two.)
Answer :
 Root DN
 Password
Which three steps are required to rekey the routers on a link without dropping OSPFv3
protocol packets or disturbing the adjacency? (Choose three.)
Which command can be used on a Cisco IOS device to prevent it from being used as an
amplifier in a fraggle attack?
Answer :
 no service udp-small-servers
Which option is used for anti-replay prevention in a Cisco IOS IPsec implementation using
tunnel protection?
You run the show ipv6 port-map telnet command and you see that the port 23 (system-defined)
message and the port 223 (user-defined) message are displayed. Which command is in the
router configuration?
Answer :
 ipv6 port-map telnet port 223
Which statement about the Cisco NAC CAS is true?
Answer :
 The Cisco NAC CAS can operate as an out-of-band virtual gateway.
Which statement about the prelogin assessment module in Cisco Secure Desktop is true?
Answer :
 It checks the presence or absence of specified files on the remote device.
Which two statements about dynamic ARP inspection are true? (Choose two.)
Answer :
 Dynamic ARP inspection checks invalid ARP packets against the trusted database.
 DHCP snooping must be enabled.
Which statement about DHCP snooping is true?
Answer :
 It blocks traffic from DHCP servers on untrusted interfaces.
Which command enables fast-switched PBR?
Answer :
 Router(config-if)# ip route-cache policy
Which of these configurations shows how to configure MPP when only SSH, SNMP, and
HTTP are allowed to access the router through the Gigabit Ethernet 0/3 interface and only
HTTP is allowed to access the router through the Gigabit Ethernet 0/2 interface?
Answer :
 Router(config-cp-host)# management-interface GigabitEthernet 0/3 allow http ssh snmp
 Router(config-cp-host)# management-interface GigabitEthernet 0/2 allow http
Which series of steps illustrates the correct flow for incident management?
Which statement about the DH group is true?
Answer :
 It does not provide data authentication.
Which statement about Cisco ASA operations using software versions 8.3 and later is true?
You plan to add a new VLAN to your updating service profile template. Assuming that the
default maintenance policy is configured, which statement about applying this change is true?
Answer :
 The change will be applied immediately with no disruption to any bound service profiles.
What are the three benefits of SSL offload? (Choose three.)
Answer :
 Total offload of encryption from the servers
 Layer 5 to 7 awareness for Layer 7 switching
 Public certificate required only on load balancer
Which flaw does an attacker leverage when exploiting SQL injection vulnerabilities?
Answer :
 user input validation in a web page or web application

Which two risks is a company vulnerable to if it does not have a well-established patching
solution for endpoints? (Choose two)
Answer :
 exploits
 malware

Which threat involves software being used to gain unauthorized access to a computer system?
Answer :
 virus
