CCNA security 210-260 - 70Q

Question 1

Which next-generation encryption algorithms support four variants? 
A. SHA2 
B. SHA1 
C. MD5
D. HMAC

Answer 1

Answer: A

Question 2

Which type of malicious software can create a back-door into a device or network? 
A. Worm
B. Trojan 
C. Virus 
D. Bot

Answer 2

Answer: B

Question 3

Which attack can be prevented by OSPF authentication? 
A. Smurf attack 
B. IP spoofing attack 
C. Buffer overflow attack 
D. Denial of service attack

Answer 3

Answer: D

Question 4

Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use encryption? 
A. AuthNoPriv
B. NoAuthNoPriv
C. NoauthPriv
D. authpriv

Answer 4

Answer: A

Question 5

What are two advanced features of the Cisco AMP solution for endpoints? (Choose two) 
A. Reflection
B. Foresight 
C. Sandboxing
D. Contemplation
E. Reputation

Answer 5

Answer: CE

Question 6

What does the DH group refer to:
A. Length of key hashing 
B. Length of key exchange 
C. Tunnel lifetime key
D. Length of key for authentication 
E. Length of key for encryption

Answer 6

Answer: B

Question 7

In which two modes can the Cisco Web Security Appliance be deployed? (Choose two.)
A. Explicit proxy mode
B. As a transparent proxy using secure socket layer protocol
C. As a transparent proxy using the Hyper Text Transfer Protocol
D. As a transparent proxy using the Web Cache Communication Protocol
E. Explicit active mode

Answer 7

Answer:

AD

Question 8

Which type of mechanism does Cisco FirePower deploy to protect against email threats that are detected moving across other networks? 
A. Reputation-based
B. Signature-based 
C. Antivirus-scanning 
D. Policy-based

Answer 8

Answer:

A

Question 9

Which action does standard antivirus software perform as part of the file-analysis process?
A. Execute the file in a simulated environment to examine its behavior
B. Examine the execution instructions in the file
C. Flag the unexamined file as a potential threat
D. Create a backup copy of the file

Answer 9

Answer:

B

Question 10

When you edit an IPS sub-signature, what is the effect on the parent signature and the family of signatures?
A. The changes applies to the parent signature and the sub signature that you edit
B. The changes applies to the parent signature and the entire family of sub signature
C. The changes applies only to sub signature that are numbered sequentially after the sub signature that you edit
D. Other signature are unaffected; the changes applies only to the su signature that you edit

Answer 10

Answer:

D

Question 11

Which two ESA services are available for incoming and outgoing mails? (Choose two.) 
A.DLP
B. Reputación filter
C. Content filter
D. Anti-Dos
E. Antispam

Answer 11

Answer:

CE

Question 12

Which EAP method uses Protected Access Credentials?
A.EAP-FAST
B. EAP-TLS
C. EAP-PEP
D. EAP-GTC

Answer 12

Answer:

A

Question 13

You have implemented a dynamic blacklist, using intelligence to block illicit network activity. However, the blacklist contains several approved connections that users must access for business purposes. Which action can you take to retain the blacklist while allowing users to access the approved sites?
A. Disable the dynamic blacklist and create a static blacklist in its place.
B. Create a whitelist and manually add the approved addresses.
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the others
D. Edit the dynamic blacklist to remove the approved addresses.

Answer 13

Answer:

B

Question 14

Which two configuration can prevent VLAN hopping attack from attackers at VLAN 10? (Choose two)
A. Creating VLAN99 and using switchport trunk native vlan99 command on trunk ports
B. Enabling BPDU guard on all access ports
C. Using switchport trunk native vlan 10 command on trunk ports
D. Using switchport nonegotiate command on dynamic desirable ports
E. Applying ACL between VLANs
F. Using switchport mode access command on all host ports

Answer 14

Answer:

AF

Question 15

What is a limitation of network-based IPS?
A. It is unable to monitor attacks across the entire network
B. It is most effective at the individual host level
C. It must be individually configured to support every operating system on the network
D. Large installations require numerous sensors to fully protect the network

Answer 15

Answer:

D

Question 16

Which statement represents a difference between an access list on an ASA versus an access list on a router?
A. The ASA does not support extended access list
B. The ASA does not support number access list
C. The ASA does not ever use a Wildcard mask
D. The ASA does not support standard access list

Answer 16

Answer:

C

Question 17

Which three descriptions of Radius are true? (Choose three)
A. It supports multiple transport protocols
B. It uses TCP as its transport protocol.
C. Only the password is encrypted
D. It uses UDP as its transport protocol.
E. It separates authentication, authorization and accounting
F. It combines authentication and authorization

Answer 17

Answer:

CDF

Question 18

Which two models of ASA tend to be used in a data center? (Choose two)
A. 5555X
B. ASA services module
C. 5585X 
D. 5540 
E. 5520 
F. 5512X

Answer 18

Answer:

BC

Question 19

Which statement about interface and global access rules is true?
A. Interface access rules are processed before global access rules.
B. The implicit allow is processed after both the global and interface access rules
C. If an interface access rule is applied, the global access rule is ignored
D. Global access rules apply only to outbound traffic, but interface access rules can be applied in either direction

Answer 19

Answer:

A

Question 20

Which security term refers to the likelihood that a weakness will be exploited to cause damage to an asset? 
A. Threat 
B. Vulnerability 
C. Risk 
D. Countermeasure

Answer 20

Answer:

C

Question 21

Which two descriptions of TACACS+ are true? (Choose two)
A. It uses TCP as its transport protocol
B. It combines authentication and authorization
C. Only the password is encrypted
D. The TACACS+ header is unencrypted
E. It uses UDP as its transport protocol

Answer 21

Answer:

AD

Question 22

Which terms refer to the electromagnetic interference that can radiate from network cables? 
A. Emanations 
B. Multimode distortion
C. Gaussian distributions 
D. Doppler waves

Answer 22

Answers:

A

Question 23

Which mitigation technology for web-based threats prevent the removal of confidential data from the network? 
A. AMP
B. DLP
C. DCA
D. CTA

Answer 23

Answer:

B

Question 24

What are two limitations of the self-zones policies on a zone-based firewall? (Choose two)
A. They restrict SNMP traffic
B. They are unable to implement application inspection
C. They are unable to block HTTPS traffic
D. They are unable to support HTTPS traffic
E. They are unable to perform rate limiting

Answer 24

Answer:

BE

Question 25

What are two default behaviors of the traffic on a zone-based firewall? (Choose two)
A. The CBAC rules that are configured on router interfaces apply to zone interfaces.
B. Communication is blocked between interfaces that are members of the same zone
C. Traffic within self zone uses an implicit deny all
D. All traffic between zones is implicitly blocked.
E. Communication is allowed between interfaces that are members of the same zone.

Answer 25

Answer

DE

Question 26

Which two statements about Hardware-Based encryption are true? (Choose two)
A. It is potentially easier to compromise then software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible
D. It is highly cost-effective
E. It requires minimal configuration

Answer 26

Answer:

BE

Question 27

Which path do you follow to enable AAA through SDM?
A. Configure>Task>AAA
B. Configure>Authentication>AAA
C. Configure>Additional Authentication> AAAA
D. Configure>Additional>Task>AAA
E. Configure>AAA

Answer 27

Answer: D

Question 28

Refer to the exhibit. Which type of NAT is configured on a Cisco ASA? 
Nat (ins, any) dynamic interface 
A. Dynamic NAT
B source identity NAT 
C. Dynamic PAT
D. Identity twice NAT

Answer 28

Answer:

C

Question 29

When connecting to an external resource, you must change a source IP address to use one IP address from a range of 207.165.201.1 to 207.165.201.30 which option do you implement?
A. Static destination NAT that uses a subnet as real destination
B. Dynamic source NAT that uses a range as mapped source
C dynamic Source NAT that uses an IP address as a mapped source
D. Static destination NAT that uses a subnet as a real source

Answer 29

Answer:

B

Question 30

Refer to the exhibit. What is the effect of the given configuration?
Device# tunnel group 182.x.x.x ipsec-attributes
Device # pre-shared-key cisco654
A. It establishes the preshared key for the router
B. It establishes the preshared key for the switch
C. It establishes the preshared key for the firewall
D. It establishes the preshared key for the Cisco ISE appliance.

Answer 30

Answer:

C

Question 31

In which type of attack does an attacker overwrite an entry in the CAM table to divert traffic destined to a legitimate host? 
A. MAC spoofing 
B. ARP spoofing 
C. CAM table overflow 
D. DHCP spoofing

Answer 31

Answer:

A

Question 32

What is an advantage of split tunneling?
A. It allows users with a VPN connection to a corporate network to access the internet by using the VPN for security
B. It enables the VPN server to filter traffic more efficiently
C. It allows users with a VPN connection to a Corporate network to access the internet without sending traffic across the corporate network
D. It protects traffic on the private network from users on the public network

Answer 32

Answer:

C

Question 33

What does the policy map do in CoPP? 
A. Defines the action to be performed 
B. Defines packet selection parameters 
C. Defines the packet filter 
D. Defines service parameters

Answer 33

Answer:

A

Question 34

What is the maximum number of methods that a single method list can contain? 
A. 4
B. 3
C. 2
D. 5

Answer 34

Answer: A

Question 35

Which attack involves large numbers of ICMP packets with a spoofed source IP address? 
A. Teardrop attack 
B. Smurf attack 
C. Nuke attack 
D. SYN flood attack

Answer 35

Answer:

B

Question 36

Which type of social engineering attack targets top executives? 
A. Baiting 
B. Vishing 
C. Whaling 
D. Spear phishing

Answer 36

Answer:

C

Question 37

Which command can you enter to verify the statistics of cisco IOS resilient configuration on cisco router? 
A. Show binary file 
B. Show secure bootset 
C. Secure boot-config 
D. Secure boot-image

Answer 37

Answer:

B

Question 38

What aims to remove the ability to deny an action? 
A. Integrity 
B. Deniability 
C. Accountability 
D. Non-Repudiation

Answer 38

Answer:

D

Question 39

You have just deployed SNMPv3 in your environment. Your manager asks you make sure that your agents can only talk to the SNMP Manager. What would you configure on your SNMP agents to satisfy this request?
A. A SNMP view containing the SNMP managers
B. A SNMP View containing the SNMP managers
C. A standard ACL containing the SNMP managers applied to the SNMP configuration
D. A SNMP Group containing the SNMP managers

Answer 39

Answer:

C

Question 40

Which two statements are correct about hardware-based encryption are true? (Choose two)
A. It is potentially easier to compromise than software-based encryption
B. It can be implemented without impacting performance
C. It is widely accessible
D. It is highly cost effective
E. It requires minimal configuration

Answer 40

Answer:

BE

Question 41

Which command do you enter to verify the Phase 1 status of a VPN connection? 
A. Debug crypto isakmp 
B. Sh crypto session 
C. Sh crypto isakmp sa
D. Sh crypto ipsec sa

Answer 41

Answer:

C

Question 42

What are two major considerations when choosing between s SPAN and a TAP when implementing IPS? (Choose two)
A. The amount of bandwidth available
B. The way in which dropped packets will be handled
C. The typed of analysis the IPS will perform
D. Wether RX and TX signals will use separate ports
E. The way in which media errors will be handled

Answer 42

Answer:

BC

Question 43

Which information can you display by executing the SHOW CRYPTO IPSEC SA command?
A. Proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. Recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers

Answer 43

Answer:

B

Question 44

Which command enables port security to use sticky MAC address on a switch?
A. Switchport port-Security
B. Switchport port-security mac-address sticky
C. Switchport port-security violation protect
D. Switchport port-Security violation restrict

Answer 44

Answer:

B

Question 45

When would you configure ip dhcp snooping trust command on a switch?
A. When the switch is connected to DHCP server.
B. When the switch is connected to client system.
C. When the switch is serving as an aggregator
D. When the switch is working in an edge capacity

Answer 45

Answer:

A

Question 46

Which IDS/IPS state misidentifies acceptable behavior as an attack? 
A. False positive 
B. False negative 
C. True positive 
D. True negative

Answer 46

Answer:

A

Question 47

How is management traffic isolated on a Cisco ASR 1002?
A. Traffic is isolated based upon how you configure routing on the device.
B. There is no management traffic isolation on a Cisco ASR 1002
C. The management interface is configured in a special VRF that provides traffic isolation from the default routing table
D. Traffic isolation is done on the VLAN level

Answer 47

Answer:

C

Question 48

There are two versions of IKEv1 and IKEv2. Both IKEv1 and IKEv2 Protocol operate in phases. IKEv1 operate in two phases. Ikev2 operates im how many phases? 
A. 2
B. 3 
C. 4
D. 5

Answer 48

Answer:

A

Question 49

Which command successful creates an administrative user with a password of “cisco” on a Cisco router?
A. Username Operator privilege 7 password Cisco
B. Username Operator privilege 1 password Cisco
C. Username Operator privilege 15 password Cisco
D. Username Operator password cisco privilege 15

Answer 49

Answer:

C

Question 50

Which IPS detection method examines network traffic for preconfigured patterns? 
A. Signature-based detection 
B. Anomaly-based detection 
C. Policy-based detection 
D. Honey-pot detection

Answer 50

Answer:/

C

Question 51

What is the main purpose of Control Plane Policing?
A. To prevent exhaustion of route-processor resources
B. To define traffic classes
C. To organize the egress packet queues
D. To maintain the policy map

Answer 51

Answer:

A

Question 52

What action must you take on the ISE to blacklist a wired device?
A. Issue a COA request for the device’s MAC address to each access switch in the network.
B. Add the devices MAC address to a list of blacklisted devices.
C. Located the switch through which the device is connected and push an ACL restricting all access by the device.
D. Revoke the device’s certificate so it is unable to authenticate to the network

Answer 52

Answer:

B

Question 53

Which term is most closely aligned with the basic purpose of SIEM solution? 
A. Causality 
B. Accountability
C. Non-Repudiation 
D. Repudiation

Answer 53

Answer:

B

Question 54

Which statement about the native VLAN is true?
A. It is the Cisco-recommended VLAN for user traffic
B. It is most secure when it is assigned for VLAN1
C. It is susceptible to VLAN hopping attacks
D. It is the Cisco recommended VLAN for switch-management traffic

Answer 54

Answer:

C

Question 55

How does the 802.1x supplicant communicates with the authentication server?
A. The supplicant creates EAP packets and sends them to the Authenticator, which translates them into RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator. Which encapsulates them into RADIUS and forwards them to the Authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into EAP and forwards them to the authentication server.
D. The supplicant creates creates RADIUS packets and sends them to the authenticator, which encapsulates them into EAP and forwards them to the authentication server.

Answer 55

Answer:

B

Question 56

Which IKE phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared key? 
A. Group 
B. Hash 
C. Authentication 
D. Encryption

Answer 56

Answer:

C

Question 57

How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Configure twice NAT instead of object NAT
B. Add the no-proxy-arp command to the nat line.
C. Assign the output interface in the NAT statement
D. Use packet-tracer rules to reroute misrouted NAT entries

Answer 57

Answer:

C

Question 58

What is the minimum Cisco IOS version that supports zone-based firewalls?

A. 12.4(6)
B. 15.1
C. 15.0
D. 12.1T

Answer 58

Answer:

A

Question 59

Which type of firewall can perform deep packet inspection?
A. Stateless firewall
B. Packet-filtering firewall 
C. Application firewall
D. Personal firewall

Answer 59

Answer:

C

Question 60

What is the best definition of hairpinning?
A. Traffic that enters and exits a device through the same interface
B. Traffic that tunnels through a device interface
C. Traffic that enters one interface on a device and that exits through another interface
D. Ingress traffic that traverses the outbound interface on a device

Answer 60

Answer:

A

Question 61

What are two features of transparent firewall mode? (Choose two)
A. It allows some traffic that is blocked in routed mode.
B. It conceals the presence of the firewall from attackers
C. It is configured bu default
D. It acts as a router hop in the network
E. It enables the ASA perform as a router

Answer 61

Answer:

AB