210-260 Dump Flashcards

1
Q

Which three ESP fields can be encrypted during transmission?

A

Padding

Pad Length

Next Header

2
Q

What mechanism does asymmetric cryptography use to secure data?

A

a public/private key pair

3
Q

Which feature allows a dynamic PAT pool to select the next address in the PAT pool instead of the next port of an existing address?

A

round robin

4
Q

Which label is given to a person who, lacking the expertise to write their own, uses existing computer scripts to hack into computers?

A

script kiddy

5
Q

When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class?

A

pass

inspect

drop

6
Q

Which type of security control is defense-in-depth?

A

Threat mitigation

7
Q

Which statement about a PVLAN isolated port configured on a switch is true?

A

The isolated port can communicate only with the promiscuous port

8
Q

Which statement about Cisco ACS authentication and authorization is true?

A

ACS servers can be clustered to provide scalability

9
Q

If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?

A

The supplicant will fail to advance beyond the webauth method

10
Q

Which configuration mode do you use for the command ip ospf authentication-key c1$c0?

A

interface

11
Q

Which two features do CoPP and CPPr commonly use to protect the control plane?

A

QoS Traffic classification

12
Q

What is one requirement for locking a wired or wireless device from ISE?

A

The ISE agent must be installed on the device

13
Q

Which three statements are characteristics of DHCP Spoofing?

A

Arp Poisoning modify traffic in transit used to perform man-in-the-middle attack

14
Q

Which statement correctly describes the function of a private VLAN?

A

a private VLAN partitions the layer 2 broadcast domain of a VLAN into subdomains

15
Q

Which feature allows a dynamic NAT pool to choose the next IP address rather than a port on an already used IP address?

A

round robin

16
Q

Which type of encryption technology has the broadest platform support?

A

Software

17
Q

When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?

A

deny the connection inline

18
Q

Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS Wizard?

A

Select the interface to apply the IPS rule; Select the traffic flow direction that should be applied by the IPS rule; Specify the signature file and the Cisco public key; Specify the configuration location and select the category of signatures to be applied to the selected interface

19
Q

An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?

A

The switch could become the root bridge

20
Q

What is the effect of the given command sequence?

A

It configures IKE Phase 1

21
Q

Which two NAT types allow only objects or groups to reference an IP address?

A

dynamic NAT

static NAT

22
Q

Which FirePOWER preprocessor engine is used to prevent SYN attacks?

A

Rate-Based Prevention

23
Q

What is the advantage of implementing a Trusted Platform Module for disk encryption?

A

It provides hardware authentication

24
Q

What is the Cisco preferred countermeasure to mitigate CAM overflows?

A

Dynamic port security

25
Which security measure can protect the control plane of a Cisco router?
CPPr CoPP
26
All ports on switch 1 have a primary VLAN of 300. Which devices can host 1 reach?
Server
27
If a router configuration includes the line aaa authentication login default group tacacs enable, which events will occur when the tacacs server returns an error?
The user will be prompted to authenticate using the enable password Authentication attempts to the router will be denied
28
What IPSec mode is used to encrypt traffic between a server and VPN endpoint?
Transport
29
Which three statements about host-based IPS are true?
It can view encrypted files It can have more restrictive policies than network-based IPS It can generate alerts based on behavior at the desktop level
30
Which statements about reflexive access lists are true?
Reflexive access lists support UDP sessions Reflexive access lists can be attached to extended named IP ACLs Reflexive access lists support TCP sessions
31
Where do OAKLEY and SKEME come into play?
IKE
32
Which command allows user1 to use the enable, disable, exit, etc. commands?
username user1 privilege 0 secret us1pass
33
The admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to correct the problem?
Remove the autocommand keyword and arguments from the username admin privilege line
34
Which network device does NTP authenticate?
Only the time source
35
In which type of attack does an attacker attempt to overload the CAM table on a switch so that the switch acts as a hub?
MAC flooding
36
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?
A VLAN hopping attack would be prevented
37
If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism must be in use?
STP BPDU guard
38
Which statement provides the best definition of malware?
Malware is unwanted software that is harmful or destructive
39
Which are two valid TCP connection states?
SYN-RCVD Closed
40
Which option is the cloud-based security service from Cisco that provides URL filtering, web browsing content security, and roaming user protection?
Cloud web security
41
What type of firewall would use the given configuration line?
a stateful firewall
42
What is the effect of the ASA command crypto isakmp nat-traversal?
It opens port 4500 on all interfaces that are IPSec enabled
43
What is the effect of the given command sequence?
It defines IPSec policy for traffic sourced from 1.1.1.0/24 with a destination of 2.2.20/24
44
What type of algorithm uses the same key to encrypt and decrypt data?
symmetric algorithm
45
Which type of address translation should be used when a Cisco ASA is in transparent mode?
Static NAT
46
Which technology do you use to apply integrity and confidentiality and to authenticate the source?
IPSec
47
What is true about the Cisco IOS Resilient Configuration feature?
The feature can be disabled through a remote session
48
Which two characteristics apply to an Intrusion Prevention System (IPS)?
Cabled directly inline with the flow of the network traffic Can drop traffic based on a set of rules
49
What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?
split tunneling
50
What feature can protect the data plane?
ACLs antispoofing DHCP-snooping
51
Which show command lets you see that a VPN tunnel is established with traffic passing through?
show crypto ipsec sa
52
What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command?
It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely
53
What information does the key length provide in an encryption algorithm?
the hash block size
54
Which of the following statements about access lists are true?
Extended access lists should be placed as near as possible to the source Standard access lists should be placed as near as possible to the destination Standard access lists filter on the source address
55
In which two situations should you use in-band management?
when management applications need concurrent access to the device when you require administrator access from multiple locations
56
Which type of layer 2 attack enables the attacker to intercept traffic that is intended for one specific recipient?
MAC address spoofing
57
What are the primary attack methods of VLAN hopping?
Switch spoofing Double tagging
58
What feature defines a campus area network?
It has a single geographic location
59
Which command initializes a lawful intercept view?
li-view cisco user cisco1 password cisco
60
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
STP elects the root bridge
61
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access-list configured, which five types of traffic are permitted?
outbound traffic initiated from the inside to the DMZ; outbound traffic initiated from the DMZ to the outside; outbound traffic initiated from the inside to the outside; HTTP return traffic originating from the inside network and returning via the outside interface; HTTP return traffic originating from the inside network and returning via the DMZ interface
62
Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?
object groups
63
What technology can you use to prevent a non-malicious program from running on a computer that is disconnected from the network?
Host IPS
64
What are two well-known security terms?
Phishing ransomware
65
What hash type does Cisco use to validate the integrity of downloaded images?
MD5
66
What are the three layers of a hierarchical network design?
access core distribution
67
Which type of attack is directed against the network directly?
Denial of Service
68
Your security team has discovered a malicious program that has been harvesting the CEO's email messages and the company's user database for the last 6 months. What type of attack did your team discover?
advanced persistent threat
69
What type of security support is provided by the Open Web Application Security Project?
Education about common Web site vulnerabilities
70
How can you verify TACACS connectivity to a device?
You connect to the device using SSH and receive the login prompt
71
Which three statements describe DHCP spoofing attacks?
They can modify traffic in transit They are used to perform man-in-the-middle attacks They use ARP poisoning
72
What is a potential drawback to leaving VLAN 1 as the native VLAN?
It may be susceptible to a VLAN hopping attack
73
Which two actions can a zone-based firewall take when looking at traffic?
Drop Inspect
74
What technology can you use to provide data confidentiality, data integrity, and data origin authentication?
IPSec
75
What is the effect of the given command?
It merges authentication and encryption methods to traffic that matches an ACL
76
Which countermeasures can mitigate ARP spoofing attacks?
DHCP snooping Dynamic ARP inspection
77
Within an 802.1x enabled network with the Auth Fail feature configured, when does a switch port get placed into a restricted VLAN?
When a connected client fails to authenticate after a certain number of attempts
78
Which statement about the given configuration is true?
The single-connection command causes the device to establish one connection for all tacacs transactions
79
The first layer of defense which provides real-time preventive solutions against malicious traffic is provided by?
Outbreak Filters
80
In which type of attack does an attacker send email messages that ask the recipient to click a link such as https://www.cisco.net.cc/securelogon?
phishing
81
Which two functions can SIEM provide?
Correlation between logs and events from multiple systems Proactive malware analysis to block malicious traffic
82
On which Cisco Configuration Professional screen do you enable AAA?
AAA Summary
83
Which line in the following OSPF configuration will not be required for MD5 authentication to work? interface g0/1 ip address 1.1.1.1 255.255.255.0 ip ospf authentication message-digest ip ospf message-digest-key 1 md5 ccna router ospf 65000 router-id 1.1.1.1 area 20 authentication message-digest
area 20 authentication message-digest
84
How can you detect a false negative on an IPS?
Use a third-party system to perform penetration testing
85
After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason could the image file fail to appear in the dir output?
The secure boot-image command is configured
86
When is the best time to perform an anti-virus signature update?
Every time a new update is available
87
In which two situations should you use out-of-band management?
when a network device fails to forward packets when you require ROMMON access
88
A SYN flood attack is a form of what?
Denial of Service attack
89
Which two features of Cisco Web Reputation tracking can mitigate web-based threats?
outbreak filter web reputation filter
90
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?
ARPs in both directions are permitted in transparent mode only
91
When is the default deny all policy an exception in zone-based firewalls?
When traffic traverses two interfaces in the same zone
92
Which of the following pairs of statements is true in terms of configuring MD authentication?
Router process (only for OSPF) must be configured; key chain in EIGRP
93
Which statements about smart tunnels on a Cisco firewall are true?
Smart tunnels can be used by clients that do not have administrator privileges Smart tunnels offer better performance than port forwarding
94
In which configuration mode do you configure the ip ospf authentication-key 1 command?
Interface
95
Which statement about IOS privilege levels is true?
Each privilege level supports the commands at its own level and all levels below it
96
SSL certificates issued by a Certificate Authority (CA) are?
Trusted root
97
What commands can you use to verify the binding table status?
show ip dhcp snooping database
98
Which two authentication types does OSPF support?
plaintext MD5
99
How does a zone-based firewall implementation handle traffic between interfaces in the same zone?
Traffic between interfaces in the zone is allowed by default
100
Which statement about zone-based firewall configuration is true?
The zone must be configured before a can be assigned
101
Which two statements about Telnet access to the ASA are true?
You may VPN to the lowest security interface to telnet to an inside interface Best practice is to disable Telnet and use SSH
102
Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
community for hosts in the PVLAN
103
Which statement about the communication between interfaces on the same security level is true?
Interfaces on the same security level require additional configuration to permit inter-interface
104
Which statement about personal firewalls is true?
They can protect a system by denying probing requests
105
#nat (inside,outside) dynamic interface Which translation technique does this configuration result in?
Dynamic PAT
106
Which EAP method uses Protected Access Credentials?
EAP-FAST
107
Which NAT option is executed first in the case of multiple NAT translations?
static nat with longest prefix
108
Which statement about extended access lists is true?
Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
109
Which term best describes the concept of preventing the modification of data in transit and in storage?
Integrity
110
You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?
Edit the crypto keys on R1 and R2 to match
111
Which Cisco product can help mitigate web-based attacks within a network?
Web Security Appliance
112
Which command verifies phase 1 of an IPSec VPN on a Cisco router?
show crypto isakmp sa
113
Which feature filters CoPP packets?
ACLs
114
How many crypto map sets can you apply to a router interface?
1
115
Which option is the most effective placement of an IPS device within the infrastructure?
Inline, behind the internet router and firewall
116
According to Cisco best practice, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network?
BOOTP TFTP DNS
117
Which option is a characteristic of the RADIUS protocol?
combines authentication and authorization in one process
118
What do you use when you have a network object or group and want to use an IP address?
Dynamic NAT
119
What are two challenges faced when deploying host-level IPS?
The deployment must support multiple operating systems It does not provide protection for offsite computers
120
What is the only permitted operation for processing multicast traffic on zone-based firewalls?
Only control plane policing can protect the control plane against multicast traffic
121
What is the primary purpose of a defined rule in an IPS?
to configure an event action that takes place when a signature is triggered
122
Which firepower preprocessor blocks traffic based on IP?
Reputation-Based
123
When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log into the router in case the external AAA server fails?
local enable
124
Which two characteristics of an application layer firewall are true?
provides protection for multiple applications provides reverse proxy services
125
Which of the following commands results in a secure bootset?
secure boot-config secure boot-image
126
Which sensor mode can deny attackers inline?
IPS
127
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
Unicast Reverse Path Forwarding
128
With Cisco IOS zone-based firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone
traffic flowing to and from the router interfaces (the self zone); traffic flowing among the interfaces that are members of the same zone; traffic flowing among the interfaces that are not assigned to any zone
129
Which IPS detection method can you use to detect attacks based on the attackers' IP addresses?
Reputation-Based
130
Which statement is a benefit of using Cisco IOS IPS?
It uses the underlying routing infrastructure to provide an additional layer of security
131
If a switch port goes into a blocked state only when a superior BPDU is received, what mechanism must be in use?
STP root guard
132
Which command do you enter to enable authentication for OSPF on an interface?
router(config-if)#ip ospf authentication message-digest
133
You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security Intelligence IP Address Reputation. A user calls and is not able to access a certain IP. What action can you take to allow the user access to the IP address?
Create a whitelist and add the appropriate IP address to allow the traffic
134
Which type of secure connectivity does an extranet provide?
other company networks to your company network
135
A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with the malware?
Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL list
136
You have been tasked with blocking user access to websites that violate company policy, but the sites use dynamic IP addresses. What is the best practice for URL filtering to solve the problem?
Enable URL filtering and use URL categorization to block the websites that violate company policy
137
What are two uses of SIEM software?
collecting and archiving syslog data alerting administrators to security events in real time
138
Which address block is reserved for locally assigned unique local addresses?
FD00::/8
139
What is an advantage of placing an IPS on the inside of a network?
It receives traffic that has already been filtered
140
Which accounting notices are used to send a failed authentication attempt record to a AAA server?
start-stop stop-only
141
Which source port does IKE use when NAT has been detected between two VPN gateways?
UDP 4500
142
Which command is needed to enable SSH support on a Cisco router?
crypto key generate rsa
143
Which two options are advantages of an application layer firewall?
makes DoS attacks difficult authenticates individuals
144
Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam and sophisticated phishing attacks?
contextual analysis
145
What security feature allows a private IP address to access the Internet by translating it to a public address?
NAT
146
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5
147
A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for RDP on the portal web page. Which action should you take to begin troubleshooting?
Ensure that the RDP plug-in is installed on the VPN gateway
148
Which components does HMAC use to determine the authenticity and integrity of a message?
the hash the key
149
What is the FirePOWER impact flag used for?
A value that indicates the potential severity of an attack
150
What configuration allows AnyConnect to automatically establish a VPN session when a user logs in to the computer?
always-on
151
What is the actual IOS privilege level of User Exec mode?
1
152
What type of IPS can identify worms that are propagating in a network?
Anomaly-based IPS
153
In what type of attack does an attacker virtually change a device's burned-in address in an attempt to circumvent access lists and mask the device's true identity?
MAC spoofing
154
What three actions are limitations when running IPS in promiscuous mode?
deny attacker deny packet modify packet
155
Which prevents the company data from modification even when data is in transit?
Integrity
156
Which two services define cloud networks?
Infrastructure as a Service Platform as a Service
157
Which two features do CoPP and CPPr use to protect the control plane?
QoS traffic classification
158
In which three ways does the TACACS protocol differ from RADIUS?
TACACS uses TCP to communicate; TACACS can encrypt the entire packet that is sent; TACACS supports per-command authorization
159
What is the best way to confirm that AAA authentication is working properly?
Use the test aaa command
160
How does PEAP protect the EAP exchange?
It encrypts the exchange using the server certificate
161
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
file reputation
162
How does the Cisco ASA use Active Directory to authorize VPN users?
It queries the Active Directory server for a specific attribute for the specific user
163
You want to allow all your company's users to access the Internet without allowing other Web servers to collect the IP addresses of individual users. What two solutions can you use?
Configure a proxy server to hide users' local IP addresses Configure a firewall to use PAT
164
Using a stateful packet firewall and given an inside ACL entry of permit ip 192.16.1.0 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?
permit tcp host 172.16.16.10 eq 80 host 192.16.1.11 eq 2300
165
How many times was a read-only string used to attempt a write operation?
9
166
Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end user?
Allow with inspection
167
The stealing of confidential information of a company comes under the scope of?
Social Engineering
168
Which command is used to verify that a VPN connection is established between two endpoints and that the connection is passing?
Firewall#sh crypto ipsec sa
169
If the native VLAN on a trunk is different on each of the links, what is a potential consequence?
STP loops may occur
170
Which TACACS server-authentication protocols are supported on Cisco ASA firewalls?
ASCII PAP MS-CHAPv1
171
What can the SMTP preprocessor in FirePOWER normalize?
It can extract and decode email attachments in client to server traffic
172
What is an example of social engineering?
gaining access to server room by posing as IT
173
How does a device on a network using ISE receive its digital certificate during the new-device registration process?
ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
174
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router?
SDEE HTTPS
175
Which statement about a college campus is true?
College campus has geographical position
176
Which statement about application blocking is true?
It blocks access to specific programs
177
In a security context, which action can you take to address compliance?
Implement rules to prevent a vulnerability
178
How can FirePOWER block malicious email attachments?
It sends the traffic through a file policy
179
Which two devices are components of the BYOD architectural framework?
Prime Infrastructure Identity Services Engine
180
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations?
when matching NAT entries are configured when matching ACL entries are configured when the firewall receives a SYN packet
181
Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?
no switchport
182
What is the default timeout interval during which a router waits for responses from a TACACS server before declaring a timeout failure?
5 seconds
183
Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method?
aaa authentication enable console LOCAL
184
Which type of firewall can act on the behalf of the end device?
Proxy
185
While troubleshooting site-to-site VPN, you issue the show crypto isakmp sa command. What does the given output show?
IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5
186
Which line in the configuration prevents the Helpdesk user from modifying the interface configuration?
Privilege exec level 9 configure terminal
187
Which two NAT types allows only objects or groups to reference an IP address?
dynamic NAT static NAT
188
Which tool can an attacker use to attempt a DDoS attack?
botnet
189
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
SDEE
190
Which security zone is automatically defined by the system?
the self zone
191
What are two effects of the given command?
It configures authentication to use MD5 HMAC It configures encryption to use AES 256
192
What is the most common Cisco Discovery Protocol version 1 attack?
Denial of Service
193
Which statement about this debug is true?
The TACACS authentication request came from a valid user
194
A proxy firewall protects against which type of attack?
cross-site scripting attack
195
Which type of PVLAN port allows a host in the same VLAN to communicate only with promiscuous hosts?
Isolated host in the PVLAN
196
What is the purpose of a honeypot IPS?
to collect information about attacks
197
What are two ways to prevent eavesdropping when you perform device-management tasks?
use an SSH connection use SNMPv3
198
What is the purpose of the Integrity component of the CIA triad?
to ensure that only authorized parties can modify data
199
Which IOS command is used to define the authentication key for NTP?
Switch(config)#ntp authentication-key 1 md5 C1sc0
200
What are purposes of the Internet Key Exchange in an IPSec VPN?
The Internet Key Exchange protocol establishes security associations The Internet Key Exchange protocol is responsible for mutual authentication
201
Which IPS mode provides the maximum number of actions?
inline
202
Which options are filtering options used to display SDEE message types?
error all
203
Which two next-generation encryption algorithms does Cisco recommend?
AES SHA-384
204
What type of packet creates and performs network operations on a network device?
control plane packets
205
Which port option in a PVLAN can communicate with every other port?
promiscuous
206
When a company puts a security policy in place, what is the effect on the company's business?
Minimizing risk
207
The command debug crypto isakmp results in?
Troubleshooting ISAKMP (Phase 1) negotiation problems
208
If a packet matches more than one class map in an individual feature type's policy map, how does the ASA handle the packet?
The ASA will apply the actions from the first matching class map it finds for the feature type
209
What type of attack was the Stuxnet virus?
cyber warfare
210
What is a possible reason for the error message? Router(config)#aaa server?% Unrecognized command
The router is a new device on which the aaa new-model command must be applied before continuing
211
With which preprocessor do you detect incomplete TCP handshakes?
rate based prevention
212
In which three ways does the RADIUS protocol differ from TACACS?
RADIUS uses UDP to communicate with the NAS; RADIUS encrypts only the password field in an authentication packet; RADIUS authenticates and authorizes simultaneously, causing fewer packets to be transmitted
213
Which statement about the device time is true?
The time is authoritative, but the NTP process has lost contact with its server
214
Which Sourcefire logging action should you choose to record the most detail about a connection?
Enable logging at the end of the session
215
Which syslog severity level is number 7?
Debugging
216
What are two Cisco IOS privilege levels?
1 15
217
What improvement does EAP-FASTv2 provide over EAP-FAST?
It allows multiple credentials to be passed in a single EAP exchange
218
Which three statements about Cisco host-based IPS solutions are true?
It can view encrypted files It can have more restrictive policies than network-based IPS It can generate alerts based on behavior at the desktop level
219
Which actions can a promiscuous IPS take to mitigate an attack?
Requesting connection blocking Resetting the TCP connection Requesting host blocking
220
While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show?
IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5
221
By which kind of threat is the victim tricked into entering username and password information on a disguised website?
Phishing
222
What VPN feature allows traffic to exit the security appliance through the same interface it entered?
hairpinning
223
Which protocols use encryption to protect the confidentiality of data transmitted between two parties?
SSH
HTTPS
224
Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?
aaa accounting exec start-stop tacacs+
225
Which option is a weakness in an information system that an attacker might leverage to gain unauthorized access to the system or its data?
vulnerability
226
What command could you implement in the firewall to conceal internal IP addresses?
no proxy-arp
227
A data breach has occurred and your company database has been copied. Which security principle has been violated?
Confidentiality
228
In which stage of an attack does the attacker discover devices on a target network?
Reconnaissance
229
Which port should (or would) be open if VPN NAT-T was enabled?
port 4500 ipsec
230
Which product can be used to provide application layer protection for TCP port 25 traffic?
ESA
231
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls?
PAP
MS-CHAPv1
MS-CHAPv2
232
Which will auto-nat process first?
static nat longest prefix
233
Which of the following are features of IPSec transport mode?
IPSec transport mode is used between end stations
IPSec transport mode supports unicast
IPSec transport mode encrypts only the payload
234
Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?
You must configure two zone pairs, one for each direction
235
Which two statements about stateless firewalls are true?
They compare the 5-tuple of each incoming packet against configurable rules
They cannot track connections
236
What can cause the state table of a stateful firewall to update?
when a connection is created
when a connection's timer has expired within the state table
237
With which NTP server has the router synchronized?
192.168.10.7
238
Which Cisco Security Manager application collects information about device status and uses it to generate notifications and alerts?
Health and Performance Monitor
239
What is the transition order of STP states on a Layer 2 switch interface?
blocking, listening, learning, forwarding, disabled
240
On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?
used to verify the digital signature of the IPS signature file
241
Which type of PVLAN port allows communication from all port types?
Promiscuous
242
What is the reason for an organization to deploy a personal firewall?
To protect endpoints such as desktops from malicious activity
243
Which three options are common examples of AAA implementation on Cisco routers?
authenticating remote users who are accessing the corporate LAN through VPN
authenticating administrator access to the router console port, auxiliary port, and vty ports
performing router commands authorization using TACACS
244
Which type of encryption technology has the broadest platform support to protect operating systems?
Software
245
Which option describes information that must be considered when you apply an access list to a physical interface?
Direction of the access group
246
Which statement about this output is true?
The login failed because the password entered was incorrect
247
Which protocol provides security to Secure Copy?
SSH
248
Which are well-known security terms?
Phishing
Ransomware
249
You are the security administrator for a large enterprise network with many remote locations. You have been given the assignment to deploy a Cisco IPS. Where in the network would be the best place to deploy Cisco IOS IPS?
At remote branch offices
250
Which two characteristics of the TACACS protocol are true?
separates AAA functions
encrypts the body of every packet
251
What is a benefit of a web application firewall?
It blocks known vulnerabilities without patching applications
252
Which security term refers to a person, property, or data of value to a company?
Asset
253
Which filter is used in web reputation to prevent web-based attacks?
outbreak filter web reputation
254
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?
issue the command anyconnect keep-installer installed under the group policy or username webvpn mode
255
Which option is the default value for the Diffie-Hellman group when configuring a site-to-site VPN on an ASA device?
Group 2
256
Which task is the session management path responsible for?
Performing route lookup
Allocating NAT translations
Checking packets against the access list
257
Which wildcard mask is associated with a subnet mask of /27?
0.0.0.31
258
Which type of mirroring does SPAN technology perform?
Local mirroring over Layer 2
259
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?
It requests the administrator to choose between erasing all device data or only managed corporate data
260
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
261
Which option is the resulting action in a zone-based policy firewall configuration with these conditions?
Drop
262
The Oakley cryptography protocol is compatible with which of the following for managing security?
ISAKMP
263
Which statement about communication over failover interfaces is true?
All information that is sent over the failover interfaces is sent as clear text by default
264
In the router ospf 200 command, what does the value 200 stand for?
the process id
265
For what reason would you configure multiple security contexts on the ASA firewall?
To separate different departments and business units
266
Which option is the default value for the Diffie-Hellman group when configuring a site-to-site VPN on an ASA device?
Group 2
267
Which ports need to be active for AAA server to integrate with Microsoft AD?
Ports 445, 389
268
Which protocols are supported in context-aware VRF over VRF-lite?
EIGRP
Multicast
269
What causes a client to be placed in a guest or restricted VLAN on an 802.1x enabled network?
Client entered wrong credentials multiple times
270
What data is transferred during DH for making a public and private key?
Random prime integer
271
Which IPS mode is less secure than other options but allows optimal network throughput?
Promiscuous mode
272
How can you protect CDP from reconnaissance attacks?
Disable CDP on ports connected to endpoints
273
What feature defines a campus area network?
It has a single geographic location
274
Which FirePOWER Management Center feature detects and blocks exploits and hack attempts?
File control
275
What is the highest security level that can be configured for an interface on an ASA?
100
276
Which type of social-engineering attacks uses normal telephone service as the attack vector?
Phishing
277
What are two options for running Cisco SDM?
Running SDM from a PC
Running SDM from the Cisco web portal
278
By default, how does zone-based firewall handle traffic to and from the self-zone?
It drops all traffic
279
For which reason is the tunnel unable to pass traffic?
The local peer is unable to encrypt the traffic
280
Which two statements about the self-zone on a Cisco zone-based policy firewall are true?
It can be either the secure zone or the destination zone
It supports stateful inspection for multicast traffic
281
What does the command crypto isakmp nat-traversal do?
Enables UDP port 4500 on all IPSec enabled interfaces
282
Which quantifiable item should you consider when your organization adopts new technologies?
Risk
283
Which IPS mode is less secure than other options but allows optimal network throughput?
Promiscuous mode
284
Which option is a key security component of an MDM deployment?
Using self-signed certificates to validate the server
285
Which command should be used to enable AAA authentication to determine if a user can access the privileged command level?
aaa authentication enable default local
286
Which type of firewall can serve as the intermediary between a client and a server?
Proxy firewall
287
Which two characteristics of a PVLAN are true?
Promiscuous ports can communicate with PVLAN ports
Community ports have to be a part of the trunk
288
Which two features are supported in a VRF-aware software infrastructure before VRF-lite?
EIGRP
Multicast
289
Which two primary security concerns can you mitigate with a BYOD solution?
Compliance with applicable policies
Securing access to a trusted corporate network
290
Which IDS/IPS solution can monitor system processes and resources?
HIPS
291
Which type of attack can exploit design flaws in the implementation of an application without being noticed?
Low-rate DoS attacks
292
Which type of address translation supports the initiation of communications bidirectionally?
dynamic NAT
293
Which IDS/IPS is used for monitoring systems?
HIPS
294
Referencing the CIA model, in which scenario is a hash-only function most appropriate?
Securing data at rest
295
Which description of the nonsecret numbers that are used to start a DH exchange is true?
They are preconfigured prime integers
296
Which two options are the primary deployment models for device management?
on-premises
cloud-based
297
Which two characteristics of symmetric encryption are true?
It uses a public key and a private key to encrypt and decrypt traffic
It uses the same key to encrypt and decrypt the traffic
298
Drag the hash or algorithm from the left column to its appropriate category on the right?