Security

Question 1

What are the first steps in securing user EXEC access to allow for secure network device access?

Answer 1

Configure passwords for local and remote CLI sessions.

Question 2

Which command option on remote CLI sessions is used to limit the session to use only a secure connection method?

Answer 2

transport input ssh

Question 3

What protocol does TACACS+ use for communication between a TACACS+ client (network device) and a TACACS+ server?

Answer 3

TCP port 49

Question 4

What are two of the high-level benefits of using a remote AAA server over local AAA services on each network device individually?

Answer 4

Scalability and standardized authentication methods using RADIUS and TACACS+

Question 5

What type of passwords are not encrypted and are stored in plaintext in the device configuration? The enable password uses this type.

Answer 5

Type 0

Question 6

What type of passwords use an MD5 hashing algorithm? These passwords are easily reversible with tools available on the Internet.

Answer 6

Type 5

Question 7

The enable secret and username username secret commands use what type of passwords?

Answer 7

Type 5

Question 8

What type of password encryption is enabled with the service password encryption command?

Answer 8

Type 7

Question 9

What type of passwords use a Password-Based Key Derivation Function 2 (PBKDF2) with a SHA-256 hashed secret?

Answer 9

Type 8

Question 10

What type of passwords use the SCRYPT hashing algorithm?

Answer 10

Type 9

Question 11

What are the three ways to create a username on a cisco device?

Answer 11

Using the command username username password password configures a plaintext password (type 0).

Using the command username username secret password provides type 5 encryption.

Using the command username username algorithm-type [md5 | sha256 | scrypt] secret password provides type 5, type 8, or type 9 encryption, respectively.

Question 12

To enable username and password authentication on a line, you need what two commands?

Answer 12

Create the user with the username command in global configuration mode, using one of the three options listed earlier in this section.

Use the login local command in line configuration mode.

Question 13

What command allows you to enable password authentication on a line?

Answer 13

password

Question 14

After you enable password authentication on a line, what command enables password checking?

Answer 14

login

Question 15

What command allows for username/password pairs stored locally on the router to be used for the lines?

Answer 15

login local

Question 16

What’s the difference between SSHv1 and SSHv2?

Answer 16

The SSHv2 enhancement for RSA supports RSA-based public key authentication for a client and a network device.

Question 17

What three commands do you need to enable SSH?

Answer 17

hostname hostname
ip domain-name domain-name
crypto key generate rsa

Question 18

What privilege level allows for the use of five commands: enable, disable, help, logout, and exit?

Answer 18

Privilege level 0

Question 19

What privilege level is the user EXEC mode where it’s not possible to make configuration changes?

Answer 19

Privilege level 1

Question 20

What what privilege level are all of the IOS CLI commands are available?

Answer 20

Privilege level 15

Question 21

What command can you use to force the vty lines to only allow remote connections via a protocol that supports encryption?

Answer 21

transport input ssh

Question 22

What type of encryption does the service password encryption command provide?

Answer 22

Type 7

Question 23

True or false: SSH Version 1 implementation is compatible with SSH Version 2 implementation.

Answer 23

False

Question 24

Which part of AAA provides identity verification before access to a network device is granted?

Answer 24

Authentication

Question 25

Which part of AAA provides access control?

Answer 25

Authorization

Question 26

Which part of AAA provides a method for collecting information, logging the information locally on a network device, and sending the information to an AAA server for billing, auditing, and reporting?

Answer 26

Accounting

Question 27

What are some of the high-level benefits of using a remote AAA server over local AAA services?

Answer 27

Increased flexibility and control of access configuration

Scalability

Standardized authentication methods using RADIUS and TACACS+

Ease of setup, since RADIUS and TACACS+ may have already been deployed across the enterprise

More efficiency, since you can create user attributes once centrally and use them across multiple devices

Question 28

What protocol allows for a single access control server to provide authentication, authorization, and accounting to the network access server (NAS) independently?

Answer 28

TACACS+

Question 29

The TACACS+ protocol uses what port for communication between the TACACS+ client (network device) and the TACACS+ server?

Answer 29

TCP port 49

Question 30

What are the two implementations of RADIUS?

Answer 30

Cisco’s implementation and the industry-standard implementation.

Question 31

Which of the following is not one of the benefits of AAA?

A. Increased flexibility and control of access configuration

B. Scalability

C. Standardized authentication methods using RADIUS and TACACS+

D. Complete removal of the need for local user creation on IOS devices

Answer 31

D. Complete removal of the need for local user creation on IOS devices

Question 32

In the industry-standard implementation of the RADIUS protocol, which port is used for accounting?

Answer 32

UDP port 1813

Question 33

Which command is entered to enable AAA on a Cisco IOS device?

Answer 33

aaa new-model

Question 34

Which of the following commands is used for configuring a vty line to use the method list name list1?

A. aaa authentication

B. aaa authorization

C. login authentication list1

D. aaa new-model

Answer 34

C. login authentication list1

Question 35

To add a TACACS+ server in IOS 15.x, what command follows tacacs server name if the IP address is 10.10.10.10?

Answer 35

address ipv4 10.10.10.10

To add a TACACS+ server in IOS 15.x, you need to specify the TACACS+ server name, specify the server IP address with the address ipv4 ip address command (address ipv4 10.10.10.10 in this case), and then specify the key string.

Question 36

What is one of the reasons you would use named access lists over numbered access lists?

Answer 36

Named access lists allow you to reorder statements in or add statements to an access list.

Question 37

What command is used to apply port access control lists (PACLs) to interfaces?

Answer 37

ip access-group access-list in

Question 38

What are the main reasons you would implement the Cisco IOS control plane policing (CoPP) feature?

Answer 38

The Cisco IOS CoPP feature increases security on a router or switch by protecting the RP from unnecessary or denial-of-service (DoS) traffic and prioritizes important control plane and management traffic.

Question 39

Which command is used to verify service policy implementation on the control plane for CoPP?

Answer 39

show policy-map control-plane

Question 40

A wildcard mask bit 0 means what?

Answer 40

0 bit means check the corresponding bit value; these bit values must match.

Question 41

A wildcard mask bit 1 means what?

Answer 41

1 bit means ignore that corresponding bit value; these bit values need not match.

Question 42

Standard ACLs are numbered from what ranges?

Answer 42

1-99 or 1300-1999

Question 43

Standard IP access lists only check what?

Answer 43

source addresses

Question 44

Extended ACLs are numbered from what ranges?

Answer 44

100 to 199 or 2000 to 2699

Question 45

What are some of the packet details extended ACLs can check for?

Answer 45

Source and destination addresses and other IP packet data, such as protocols, TCP or UDP port numbers, type of service (ToS), precedence, TCP flags, and IP options.

Question 46

T/F: Named ACLs can be specified as either standard or extended, with the standard and extended keywords in the ip access-list command.

Answer 46

True

Question 47

What command would you use to apply an access-list on an interface?

Answer 47

ip access-group access-list { number | name } {in | out}.

Question 48

What are some features supported on named access lists but not on numbered?

Answer 48

IP options filtering

Noncontiguous ports

TCP flag filtering

Deletion of entries with the no permit or no deny command

Question 49

What provides the ability to perform access control on specific Layer 2 ports?

Answer 49

Port Access Control Lists (PACLs)

Question 50

What provides access control for all packets bridged within a VLAN or routed into or out of a VLAN?

Answer 50

VLAN Access Control Lists (VACLs)

Question 51

What is a VLAN access map?

Answer 51

A VLAN access map consists of one or more VLAN access map sequences, where each VLAN access map sequence consists of one match and one action statement.

Question 52

What command would you use to apply a VACL?

Answer 52

Vlan filter vlan-access-map-name vlan-list.

vlan filter VACL_50 vlan-list 50

Question 53

How many access lists per protocol and per direction are allowed on an interface?

Answer 53

A is correct. Only one access list per interface, per protocol, and per direction is allowed.

Question 54

Which of the following can a PACL be applied to? (Choose two.)

A. Layer 2 port

B. Layer 3 port

C. Trunk

D. VLAN

Answer 54

A and C are correct. A PACL can be applied to the Layer 2 port of a Catalyst switch, including a physical port or trunk port that belongs to a VLAN.

Question 55

What is a Cisco IOS-wide feature that is designed to allow users to manage the flow of traffic handled by the RP of a network device?

Answer 55

Control Plane Policing (CoPP)

Question 56

What is classified as control plane traffic?

Answer 56

Routing protocol traffic

Packets destined to the local IP address of the router

Simple Network Management Protocol (SNMP) packets

Interactive access protocol traffic, such as Secure Shell (SSH) and Telnet, traffic

Traffic related to protocols such as Internet Control Message Protocol (ICMP) or IP options that might also require handling by the device CPU

Layer 2 protocol packets such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) packets

Question 57

What CoPP construct is used to define a traffic class?

Answer 57

class-map

Question 58

What CoPP command is used to associate a traffic class with one or more QoS policies?

Answer 58

policy-map

Question 59

What command would you use to attach the service policy to the control plane interface?

Answer 59

The service-policy {input | output} policy-name command is used to attach a service policy to the control plane.

Question 60

What is the name of the CoPP construct that ties together predefined ACLs?

Answer 60

Class map. Class maps use created ACLs to match known protocols, addresses, IP precedence, DSCP values, CoS, and so on.

Question 61

True or false: The CoPP feature increases security on a router or switch by protecting the RP from unnecessary or denial-of-service (DoS) traffic.

Answer 61

True

Question 62

Which types of ACLs are applied in the Layer 2 switch environment? (Choose two.)

Standard ACLs

Extended ACLs

PACLs

VACLs

Answer 62

PACLs
VACLs

Question 63

What happens when a matching ACE is found in an ACL?

Action is taken, and processing is stopped on the remaining ACE.

Processing continues to the next ACE.

Regardless of matching statements, processing needs to go through all ACEs.

Processing continues through other ACEs when there is a permit statement

Answer 63

Action is taken, and processing is stopped on the remaining ACE.

Question 64

A VACL VLAN list can reference all except which of the following?

A single VLAN

A range of VLANs

A comma-separated list of multiple VLANs

Layer 2 ports

Answer 64

Layer 2 ports

Question 65

What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)

The login command is used to enable line password authentication.

The login command is used to enable username-based authentication.

The login local command is used to enable line and username-based authentication.

The login local command is used to enable username-based authentication.

Answer 65

The login command is used to enable line password authentication.

The login local command is used to enable username-based authentication.

Question 66

Which of these commands are available to a user logged in with privilege level 0? (Choose all that apply.)

disable

enable

show

configure terminal

exit

logout

Answer 66

disable

enable

exit

logout

Question 67

True or false: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.

Answer 67

False

Question 68

Which of the following options describe ZBFW? (Choose two.)

Provides high security with stateless inspection functionality

Provides stateful firewall functionality

Is a network interface module

Is an integrated IOS solution

Is a security appliance similar to an ASA 5500-X

Answer 68

Provides stateful firewall functionality

Is an integrated IOS solution

Question 69

What are the two system-built zones for ZBFW? (Choose two.)

Inside zone

Twilight zone

System zone

Outside zone

Self zone

Default zone

Answer 69

Self zone and Default zone

Question 70

Which of the following features was developed specifically to protect the CPU of a router?

ZBFW

AAA

CoPP

ACLs

Answer 70

CoPP

Question 71

True or false: CoPP supports input and output policies to control inbound and outbound traffic.

Answer 71

True

Question 72

Which of the following are features that can be disabled to improve the overall security posture of a router?

Answer 72

LLDP

Question 73

When members of a Marketing team are allowed to access Facebook for marketing purposes, but are denied access to Facebook games, this is an example of which type of NGFW feature?

application visibility control

context awareness

intrusion prevention system

advanced malware protection

Answer 73

Context awareness. Context awareness controls who is connecting, to what, from where, using which device, at what time.

Question 74

Which module works with Cisco AnyConnect to enforce a policy for endpoints that connect to the network via remote-access VPNs?

Cisco WSA AnyConnect

Cisco ISE posture

Cisco ASA posture

Cisco Catalyst AnyConnect

Answer 74

Cisco ASA posture.

Question 75

Which IPS inspection method observes network traffic and acts if a network event outside normal network behavior is detected?

signature-based
policy-based
anomaly-based
protocol verification

Answer 75

anomaly-based

Question 76

Which IPS traffic inspection method observes patterns, traffic rates, protocol mix, and traffic volume over time to build a profile of normal behavior?

signature-based inspection
statistical anomaly detection
protocol verification
policy-based inspection

Answer 76

statistical anomaly detection

Question 77

Where do the Cisco AMP malware detection and analytics engines run?

in the client device
in a Cisco ASA appliance
in a Cisco ISE
in the Cisco Collective Security Intelligence Cloud

Answer 77

in the Cisco Collective Security Intelligence Cloud

Question 78

Which of the following are Cisco SAFE’s PINs in the network? (Choose all that apply.)

Internet
Data center
Branch office
Edge
Campus
Cloud
WAN

Answer 78

Data center
Branch office
Edge
Campus
Cloud
WAN

Question 79

Cisco SAFE includes which of the following secure domains? (Choose all that apply.)

Threat defense
Segmentation
Segregation
Compliance

Answer 79

Threat defense
Segmentation
Compliance

Question 80

Which of the following is the Cisco threat intelligence organization?

Cisco Stealthwatch
Cisco Threat Grid
Cisco Talos
Cisco Threat Research, Analysis, and Communications (TRAC) team

Answer 80

Cisco Talos

Question 81

What is the Threat Grid?

The Cisco threat intelligence organization
The Cisco sandbox malware analysis solution
The Cisco security framework
An aggregator of network telemetry data

Answer 81

The Cisco sandbox malware analysis solution

Question 82

Which of the following EAP methods supports EAP chaining?

EAP-TTLS
EAP-FAST
EAP-GTC
PEAP

Answer 82

EAP-FAST

Question 83

True or false: SGT tags extend all the way down to the endpoints.

Answer 83

False

Question 84

Which of the following three phases are defined by Cisco TrustSec? (Choose all that apply.)

Classification
Enforcement
Distribution
Aggregation
Propagation

Answer 84

Classification
Enforcement
Propagation

Question 85

What are the two MACsec keying mechanisms?

Answer 85

Security Association Protocol (SAP)
MACsec Key Agreement (MKA) protocol

Question 86

What is the proprietary Cisco keying protocol in MACsec used between Cisco switches?

Answer 86

Security Association Protocol (SAP)

Question 87

In MACsec, what provides the required session keys and manages the required encryption keys?

Answer 87

MACsec Key Agreement (MKA) protocol

Question 88

Which of the following password types is the weakest?

Type 5
Type 7
Type 8
Type 9

Answer 88

Type 7

Question 89

What type of encryption does the command service password encryption provide?

Answer 89

Type 7 encryption

Question 90

What is the difference between the line configuration command login and the line configuration command login local? (Choose two.)

The login command is used to enable line password authentication.

The login command is used to enable username-based authentication.

The login local command is used to enable line and username-based authentication.

The login local command is used to enable username-based authentication.

Answer 90

The login command is used to enable line password authentication.

The login local command is used to enable username-based authentication.

Question 91

Which of these commands are available to a user logged in with privilege level 0? (Choose all that apply.)

disable
enable
show
configure terminal
exit
logout

Answer 91

disable
enable
exit
logout

Question 92

True or false: The command aaa authorization exec default group ISE-TACACS+ if-authenticated enables authorization for all terminal lines on the router, including the console line.

Answer 92

False