CH 6 & 7

Question 1

feature where If BPDUs show up where they should not, the switch protects itself.

Answer 1

BPDU Guard

Question 2

Controls which ports are not allowed to become root ports to remote
root switches

Answer 2

root guard

Question 3

Limits the number of MAC addresses to be learned on an access
switch port

Answer 3

port security

Question 4

Prevents rogue DHCP servers from impacting the network.

Answer 4

DHCP snooping

Question 5

Prevents spoofing of Layer 2 information by hosts.

Answer 5

dynamic arp inspection

Question 6

Prevents spoofing of Layer 3 information by hosts

Answer 6

IP Source Guard

Question 7

you can authenticate
users before allowing their data frames into the network

Answer 7

802.1x

Question 8

Limits the amount of broadcast or multicast traffic flowing through
the switch

Answer 8

storm control

Question 9

Used for traffic control and to enforce policy

Answer 9

ACL’s

Question 10

a security feature that acts like a firewall between untrusted hosts and
trusted DHCP servers

Answer 10

DHCP snooping

Question 11

intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings

Answer 11

DAI (dynamic arp inspection)

Question 12

breaking the infrastructure down into smaller components and then
systematically focusing on how to secure each of those components

Answer 12

Network Foundation Protection
(NFP)

Question 13

what 2 features can be used to protect the control plane

Answer 13

CoPP and CPPr

Question 14

uses UDP port 123, and it allows network devices to
synchronize their time

Answer 14

NTP

Question 15

This feature maintains a secure working copy of the router IOS image and the startup configuration files at all times. Once the
feature is enabled, the administrator cannot disable it remotely (but can if connected directly
on the console)

Answer 15

Secure Bootset

Question 16

IPv6 link local addresses begin with what?

Answer 16

FE80

Question 17

How many bits in an IPv6 Addrss

Answer 17

128

Question 18

What characters are added to the 48 bit MAC address to arrive at a 64 bit host ID in a link local IPv6 address

Answer 18

FFFE

Question 19

::1 what type of IPv6 address is this?

Answer 19

Link local (same as 127.0.0.1in IPv4)

Question 20

The IPv6 multicast group that all IPv6 devices join is

Answer 20

FF02::1

Question 21

In addition to the multicast group address of FF02::1
that is joined by all devices configured for IPv6, routers that have had routing enabled
for IPv6 also join which multicast group?

Answer 21

FF02:2

Question 22

Global
IPv6 unicast addresses have the first four characters in the range of ?

Answer 22

2000 - 3FFF

Question 23

What are the 2 types of process switched traffic

Answer 23

receive adjacency traffic, data plane traffic requiring special processing by CPU

Question 24

List the types of data plane traffic that require special processing by the CPU

Answer 24

ACLs, URPF, IP options, Fragmentations, TTL expired, ICMP unreachable, Traffic requiring ARP request, Non-IP Traffic

Question 25

When creating an ACL for use with a CoPP policy, what does a deny rule in the ACL do?

Answer 25

Packets that match a deny rule are excluded from that class
and cascade to the next class (if one exists) for classification.

Question 26

CPPr can restrict traffic with finer granularity by dividing the aggregate control plane into
three separate control plane categories known as sub-interfaces, what are the 3 subinterfaces

Answer 26

■ Host sub-interface
■ Transit sub-interface
■ CEF-Exception sub-interface

Question 27

List some shortcomings of legacy IPS

Answer 27

■ They often need to be operated in conjunction with other products or tools (firewalls,
analytics, and correlation tools).
■ They are sometimes not very effective and may be ignored.
■ Their operation costs and the operating resources they need are high.
■ They can leave infrastructures imperfectly covered against attackers.

Question 28

List some of the newer capabilities of NGIPS

Answer 28

application awareness and control, content awareness, contextual awareness, host and user awareness, automated tuning and recommendations, impact and vulnerability assessment of the events taking place

Question 29

originally created by SourceFire, is an open source IPS tool that is widely used in the industry

Answer 29

Snort

Question 30

a collection of one or more inline, passive, switched, or routed interfaces
(or ASA interfaces) that you can use to manage and classify traffic in different policies.

Answer 30

security zone

Question 31

a solution that allows you to manage your firewalls from the cloud. You can write a policy once and enforce it consistently across multiple
Cisco ASA and Cisco FTD devices

Answer 31

Cisco Defense Orchestrator (CDO)

Question 32

a stateful firewall used in Cisco
IOS devices

Answer 32

Zone Based Firewall (ZBFW)

Question 33

what type of firewalls can also be implemented in an SD-WAN solution

Answer 33

ZBFW

Question 34

What type of traffic can transparent FW’s inspect that routed FW’s can’t.

Answer 34

Traffic on the same LAN segment

Question 35

Cisco ASA acts as a secured bridge that
switches traffic from one interface to another.

Answer 35

single mode transparent firewall

Question 36

In a multimode transparent firewall (MMTF), Cisco ASA acts in a similar fashion to how it
performs in single mode, with two major exceptions:

Answer 36

1) An interface can’t be shared between 2 context in this mode
2) you must configure an IP address to the bridge virtual interface
(BVI) in each context for administration and management purposes

Question 37

For failover configuration, which device can’t do active/active…ASA or FTD

Answer 37

FTD

Question 38

Which models of FTD can be configured as a cluster

Answer 38

9300 and 4100

Question 39

When you deploy a cluster, the FTD devices create a cluster-control link. By default, what port-channel number is assigned

Answer 39

port-channel 48

Question 40

FTD 9300’s are capable of intra-chassis clustering which utilizes the backplane for cluster communications. When deploying inter-chassis clustering, what is required for cluster communication?

Answer 40

Physical interface in etherchannel configuration.

Question 41

How should the cluster control link be sized?

Answer 41

The cluster control link should be sized to match the throughput of each cluster participant because both data and control traffic are forwarded over the cluster control link.

Question 42

An ACL is a collection of security rules or policies that allows or denies packets after looking at the packet headers and other attributes. Each permit or deny statement in the ACL
is referred to as an?

Answer 42

Access Control Entry (ACE)

Question 43

List the 5 tuples of an ACL

Answer 43

Source port
Source Address
Destination port
Destination Address
Protocol

Question 44

The Cisco ASA supports four different types of ACLs to provide a flexible and scalable
solution to filter unauthorized packets into the network, what are they?

Answer 44

Standard
Extended
Ether-type
Web-type

Question 45

Standard ACLs are used to identify packets based on their destination IP addresses. These
ACLs can be used in which scenarios?

Answer 45

split-tunnel ACL
route-redistribution in route-maps

Question 46

An
EtherType ACL can be configured only if?

Answer 46

ASA is in transparent mode

Question 47

A Webtype ACL allows Cisco ASA administrators to restrict traffic coming through?

Answer 47

SSL VPN Tunnels

Question 48

what can be added to the end of an access-group command to specify an ACL as a management access rule

Answer 48

control-plane

Question 49

True or False. Management-specific protocols provide their own control-plane protection and have
higher precedence than a to-the-box traffic-filtering ACL

Answer 49

True

Question 50

If you deploy interface ACLs to block all ICMP traffic, the security appliance, by default,
does not restrict the ICMP traffic that is destined to its own interface. How can you filter ICMP traffic to the ASA’s interfaces?

Answer 50

ICMP policy or control plan ACLs

Question 51

Cisco ASA supports which 4 methods for translating an address?

Answer 51

■ Static NAT/PAT
■ Dynamic NAT/PAT
■ Policy NAT/PAT
■ Identity NAT

Question 52

examines decoded
packets for attacks based on patterns and can block or alter malicious traffic

Answer 52

intrusion policy

Question 53

attempt to make the streams of packets as much as possible like the
reassembled packets that will be seen by the endpoints receiving them

Answer 53

preprocessor

Question 54

list a few examples of preprocessors that FTD has

Answer 54

DNS, HTTP, SIP, FTP & Telnet, SSH, SMTP, POP & IMAP, Network preprocessors, Threat preprocessors

Question 55

provides next-generation security services that go beyond pointin-time detection. It provides continuous analysis and tracking of files and also retrospective
security alerts so that a security administrator can take action during and after an attack

Answer 55

Cisco AMP for Networks