CCNA Sec by Ethio

CCNA Security ETHIO

Number: 640-554Passing Score: 895Time Limit: 30 minFile Version: 1

CCNA Security V.2 10/12/2015

Exam A

QUESTION 1What features can protect the data plane? (Choose three.)

A. policing

B. ACLs

C. IPS

D. antispoofing

E. QoS

F. DHCP-snooping

Correct Answer: BDFSection: (none)Explanation

Explanation/Reference:

Data Plane SecurityData plane security can be implemented using the following features:

Access control listsAccess control lists (ACLs) perform packet filtering to control which packets move through the network andwhere.

AntispoofingACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.

Layer 2 security featuresCisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.

ACLsACLs are used to secure the data plane in a variety of ways, including the following:

Block unwanted traffic or usersACLs can filter incoming or outgoing packets on an interface, controlling access based on source addresses,destination addresses, or user authentication.

Reduce the chance of DoS attacksACLs can be used to specify whether traffic from hosts, networks, or users can access the network. The TCPintercept feature can also be configured to prevent servers from being flooded with requests for a connection.

Mitigate spoofing attacksACLs enable security practitioners to implement recommended practices to mitigate spoofing attacks.

Provide bandwidth controlACLs on a slow link can prevent excess traffic.

Classify traffic to protect other planesACLs can be applied on vty lines (management plane).ACLs can control routing updates being sent, received, or redistributed (control plane).

AntispoofingImplementing the IETF best current practice 38 (BCP38) and RFC 2827 ingress traffic filtering renders the useof invalid source IP addresses ineffective, forcing attacks to be initiated from valid, reachable IP addresseswhich could be traced to the originator of an attack.Features such as Unicast Reverse Path Forwarding (uRPF) can be used to complement the antispoofingstrategy.

Layer 2 Data Plane ProtectionThe following are Layer 2 security tools integrated into the Cisco Catalyst switches:

Port securityPrevents MAC address spoofing and MAC address flooding attacks

DHCP snoopingPrevents client attacks on the Dynamic Host Configuration Protocol (DHCP) server and switch

Dynamic ARP inspection (DAI)

Adds security to ARP by using the DHCP snooping table to minimize the impact of ARP poisoning and spoofingattacks

IP source guardPrevents IP spoofing addresses by using the DHCP snooping table

QUESTION 2How many crypto map sets can you apply to a router interface

A. 3

B. 2

C. 4

D. 1

Correct Answer: DSection: (none)Explanation


QUESTION 3What is the transition order of STP states on a Layer 2 switch interface?

A. listening, learning, blocking, forwarding, disabled

B. listening, blocking, learning, forwarding, disabled

C. blocking, listening, learning, forwarding, disabled

D. forwarding, listening, learning, blocking, disabled

Correct Answer: CSection: (none)Explanation

Explanation/Reference:The ports on a switch with enabled Spanning Tree Protocol (STP) are in one of the following five port states.

• Blocking

• Listening

• Learning

• Forwarding

• DisabledA switch does not enter any of these port states immediately except the blocking state. When the SpanningTree Protocol (STP) is enabled, every switch in the network starts in the blocking state and later changes to thelistening and learning states.

Blocking StateThe Switch Ports will go into a blocking state at the time of election process, when a switch receives a BPDUon a port that indicates a better path to the Root Switch (Root Bridge), and if a port is not a Root Port or aDesignated Port. A port in the blocking state does not participate in frame forwarding and also discards frames received from theattached network segment. During blocking state, the port is only listening to and processing BPDUs on itsinterfaces. After 20 seconds, the switch port changes from the blocking state to the listening state.

Listening StateAfter blocking state, a Root Port or a Designated Port will move to a listening state. All other ports will remain ina blocked state. During the listening state the port discards frames received from the attached networksegment and it also discards frames switched from another port for forwarding. At this state, the port receives BPDUs from the network segment and directs them to the switch system module for processing. After 15seconds, the switch port moves from the listening state to the learning state.

Learning StateA port changes to learning state after listening state. During the learning state, the port is listening for andprocessing BPDUs . In the listening state, the port begins to process user frames and start updating the MACaddress table. But the user frames are not forwarded to the destination. After 15 seconds, the switch portmoves from the learning state to the forwarding state.

Forwarding StateA port in the forwarding state forwards frames across the attached network segment. In a forwarding state, theport will process BPDUs , update its MAC Address table with frames that it receives, and forward user trafficthrough the port. Forwarding State is the normal state. Data and configuration messages are passed throughthe port, when it is in forwarding state.

Disabled StateA port in the disabled state does not participate in frame forwarding or the operation of STP because a port inthe disabled state is considered non-operational.

QUESTION 4Which sensor mode can deny attackers inline?

A. IPS

B. fail-close

C. IDS

D. fail-open

Correct Answer: ASection: (none)Explanation


QUESTION 5Which options are filtering options used to display SDEE message types?

A. stop

B. none

C. error

D. all

Correct Answer: CDSection: (none)Explanation

Explanation/Reference:Options are All, Error, Status, and Alerts

QUESTION 6When a company puts a security policy in place, what is the effect on the company’s business?

A. Minimizing risk

B. Minimizing total cost of ownership

C. Minimizing liability

D. Maximizing compliance

Correct Answer: ASection: (none)

Explanation


QUESTION 7Which wildcard mask is associated with a subnet mask of /27?

A. 0.0.0.31

B. 0.0.0.27

C. 0.0.0.224

D. 0.0.0.255



QUESTION 8Which statements about reflexive access lists are true?

A. Reflexive access lists create a permanent ACE

B. Reflexive access lists approximate session filtering using the established keyword

C. Reflexive access lists can be attached to standard named IP ACLs

D. Reflexive access lists support UDP sessions

E. Reflexive access lists can be attached to extended named IP ACLs

F. Reflexive access lists support TCP sessions

Correct Answer: DEFSection: (none)Explanation


QUESTION 9Which actions can a promiscuous IPS take to mitigate an attack?

A. modifying packets

B. requesting connection blocking

C. denying packets

D. resetting the TCP connection

E. requesting host blocking

F. denying frames

Correct Answer: BDESection: (none)Explanation

Explanation/Reference:Promiscuous Mode Event Actions

The following event actions can be deployed in Promiscuous mode. These actions are in affect for a user-configurable default time of 30 minutes. Because the IPS sensor must send the request to another device orcraft a packet, latency is associated with these actions and could allow some attacks to be successful. Blockingthrough usage of the Attack Response Controller (ARC) has the potential benefit of being able to perform to thenetwork edge or at multiple places within the network. Request block host: This event action will send an ARC request to block the host for a specified time frame,preventing any further communication. This is a severe action that is most appropriate when there is minimalchance of a false alarm or spoofing. Request block connection: This action will send an ARC response to block the specific connection. Thisaction is appropriate when there is potential for false alarms or spoofing. Reset TCP connection: This action is TCP specific, and in instances where the attack requires several TCPpackets, this can be a successful action. However, in some cases where the attack only needs one packet itmay not work as well. Additionally, TCP resets are not very effective with protocols such as SMTP thatconsistently try to establish new connections, nor are they effective if the reset cannot reach the destinationhost in time. Event actions can be specified on a per signature basis, or as an event action override (based on risk ratingvalues – event action override only). In the case of event action override, specific event actions are performedwhen specific risk rating value conditions are met. Event action overrides offer consistent and simplifiedmanagement. IPS version 6.0 contains a default event action override with a deny-packet-inline action forevents with a risk rating between 90 and 100. For this action to occur, the device must be deployed in Inlinemode. Protection from unintended automated action responsesAutomated event actions can have unintended consequences when not carefully deployed. The most severeconsequence can be a self denial of service (DoS) of a host or network. The majority of these unintendedconsequences can be avoided through the use of Event Action Filters, Never Block Addresses, Networkspoofing protections, and device tuning. The following provides an overview of methods used to preventunintended consequences from occurring.Using Event Action Filters and Never BlockBy using these capabilities, administrators may prevent a miscreant from spoofing critical IP addresses,causing a self inflicted DoS condition on these critical IP addresses. Note that Never Block capabilities onlyapply to ARC actions. Actions that are performed inline will still be performed as well as rate limiting if they areconfigured. Minimize spoofingAdministrators can minimize spoofed packets that enter the network through the use of Unicast Reverse PathForwarding. Administrators can minimize spoofing within their network through the use of IP Source Guard. Thewhite paper titled Understanding Unicast Reverse Path Forwarding provides details on configuration of thisfeature. More information on IP Source Guard is available in the document titled Configuring DHCP Featuresand IP Source Guard. Careful Use of Event ActionsBy judicious use of event actions that block unwanted traffic, such as using the high signature fidelity rating, andnot using automated actions on signatures that are easily spoofed, administrators can reduce the probability ofan unintended result. For an event to have a high risk rating, it must have a high signature fidelity rating unlessthe risk rating is artificially increased through the use of Target Value Rating or Watch List Rating, which are IPspecific increases. TuningBy tuning the signature set to minimize false positive events, administrators can reduce the chance of an eventaction that has an unintended consequence. High Base Risk Rating EventsIn most cases, events with a high base risk rating or a high signature fidelity rating are strong candidates forautomated event actions. Care should be taken with protocols that are easily spoofed in order to prevent selfDoS conditions.

QUESTION 10Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntaxusing the local database with no fallback method?

A. aaa authentication enable console LOCAL SERVER_GROUP

B. aaa authentication enable console SERVER_GROUP LOCAL

C. aaa authentication enable console local

D. aaa authentication enable console LOCAL



QUESTION 11Which Cisco Security Manager application collects information about device status and uses it to generatenotifications and alerts?

A. FlexConfig

B. Device Manager

C. Report Manager

D. Health and Performance Monitor


Explanation/Reference:“Report Manager – Collects, displays and exports network usage and security information for ASA and IPSdevices, and for remote-access IPsec and SSL VPNs. These reports aggregate security data such as topsources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, andthroughput users. Data is also aggregated for hourly, daily, and monthly periods.”and “Health and Performance Monitor (HPM) – Monitors and displays key health, performance and VPN data forASA and IPS devices in your network. This information includes critical and non-critical issues, such as memoryusage, interface status, dropped packets, tunnel status, and so on. You also can categorize devices for normalor priority monitoring, and set different alert rules for the priority devices.”

QUESTION 12Which accounting notices are used to send a failed authentication attempt record to a AAA server? (Choosetwo.)

A. start-stop

B. stop-record

C. stop-only

D. stop

Correct Answer: ACSection: (none)Explanation


QUESTION 13Which command is needed to enable SSH support on a Cisco Router?

A. crypto key lock rsa

B. crypto key generate rsa

C. crypto key zeroize rsa

D. crypto key unlock rsa

Correct Answer: BSection: (none)Explanation


QUESTION 14Which protocol provides security to Secure Copy?

A. IPsec

B. SSH

C. HTTPS

D. ESP



QUESTION 15A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option forRemote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?

A. Ensure that the RDP2 plug-in is installed on the VPN gateway

B. Reboot the VPN gateway

C. Instruct the user to reconnect to the VPN gateway

D. Ensure that the RDP plug-in is installed on the VPN gateway



QUESTION 16Which security zone is automatically defined by the system?

A. The source zone

B. The self zone

C. The destination zone

D. The inside zone



QUESTION 17What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)

A. The Internet Key Exchange protocol establishes security associations

B. The Internet Key Exchange protocol provides data confidentiality

C. The Internet Key Exchange protocol provides replay detection

D. The Internet Key Exchange protocol is responsible for mutual authentication

Correct Answer: ADSection: (none)Explanation


QUESTION 18Which address block is reserved for locally assigned unique local addresses?

A. 2002::/16

B. FD00::/8

C. 2001::/32

D. FB00::/8


Explanation/Reference:The address block fc00::/7 is divided into two /8 groups:The block fc00::/8 has not been defined yet. It has been proposed to be managedby an allocation authority, but this has not gained acceptance inthe IETF.[1][2][3] This block is also used by the cjdns mesh network. Theblock fd00::/8 is defined for /48 prefixes, formed by setting the 40 least-significant bits of the prefix to a randomly generated bit string.This results in the format fdxx:xxxx:xxxx:: for a prefix in thisrange. RFC 4193 offers a suggestion for generating the randomidentifier to obtain a minimum-quality result if the user does nothave access to a good source of random numbers

Example[edit]As an example, a routing prefix in the fd00::/8 range would be constructed by generating a random 40-bithexadecimal string, taken to be e48dba82e1 in this example. This 40-bit string is appended to the fd00::/8 prefix. This forms the 48-bit routing prefix fde4:8dba:82e1::/48. With this prefix, 65536 subnets of size /64 areavailable for the private network: fde4:8dba:82e1::/64 to fde4:8dba:82e1:ffff::/64.

QUESTION 19What is a possible reason for the error message?Router(config)#aaa server?% Unrecognized command

A. The command syntax requires a space after the word “server”

B. The command is invalid on the target device

C. The router is already running the latest operating system

D. The router is a new device on which the aaa new-model command must be applied before continuing



QUESTION 20Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)

A. Smart tunnels can be used by clients that do not have administrator privileges

B. Smart tunnels support all operating systems

C. Smart tunnels offer better performance than port forwarding

D. Smart tunnels require the client to have the application installed locally


Explanation/Reference:Smart Tunnel is also used to provide remote access to web applications that are difficult to rewrite, such asproprietary, non-standards-based Java, Java Script, or Flash animations. Smart Tunnel also supports SingleSign-On to web applications that require either form-based POST parameters, http basic, FTP, or NTLMauthentication Smart Tunnel can also co-exist with a Full-Tunnel VPN Client. For example, an employee can connect to thecompany network by using Full-Tunnel VPN Client, while simultaneously connecting to a vendor network byusing Smart Tunnel. Smart Tunnel Advantages over Port-Forwarding, Plug-ins

● Smart Tunnel offers better performance than browser plug-ins. ● Port forwarding is the legacy technology for supporting TCP-based applications over a Clientless SSL VPNconnection. Unlike port forwarding, Smart Tunnel simplifies the user experience by not requiring the userconnection of the local application to the local port. ● Smart Tunnel does not require users to have administrator privileges. ● Smart Tunnel does not require the administrator to know application port numbers in advance.

QUESTION 21If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?

A. The interface on both switches may shut down

B. STP loops may occur

C. The switch with the higher native VLAN may shut down

D. The interface with the lower native VLAN may shut down



QUESTION 22Which option describes information that must be considered when you apply an access list to a physicalinterface?

A. Protocol used for filtering

B. Direction of the access class

C. Direction of the access group

D. Direction of the access list



QUESTION 23Which source port does IKE use when NAT has been detected between two VPN gateways?

A. TCP 4500

B. TCP 500

C. UDP 4500

D. UDP 500



QUESTION 24Which of the following are features of IPsec transport mode? (Choose three.)

A. IPsec transport mode is used between end stations

B. IPsec transport mode is used between gateways

C. IPsec transport mode supports multicast

D. IPsec transport mode supports unicast

E. IPsec transport mode encrypts only the payload

F. IPsec transport mode encrypts the entire packet

Correct Answer: ADESection: (none)Explanation


IPSec Transport ModeIPSec Transport mode is used for end-to-end communications, for example, for communication between aclient and a server or between a workstation and a gateway (if the gateway is being treated as a host). A goodexample would be an encrypted Telnet or Remote Desktop session from a workstation to a server.

Transport mode provides the protection of our data, also known as IP Payload, and consists of TCP/UDPheader + Data, through an AH or ESP header. The payload is encapsulated by the IPSec headers and trailers.The original IP headers remain intact, except that the IP protocol field is changed to ESP (50) or AH (51), andthe original protocol value is saved in the IPsec trailer to be restored when the packet is decrypted.IPSec transport mode is usually used when another tunneling protocol (like GRE) is used to first encapsulatethe IP data packet, then IPSec is used to protect the GRE tunnel packets. IPSec protects the GRE tunnel trafficin transport mode.

QUESTION 25Which command causes a Layer 2 switch interface to operate as a Layer 3 interface?

A. no switchport nonnegotiate

B. switchport

C. no switchport mode dynamic auto

D. no switchport



QUESTION 26Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)

A. EAP

B. ASCII

C. PAP

D. PEAP

E. MS-CHAPv1

F. MS-CHAPv2

Correct Answer: BCESection: (none)Explanation


QUESTION 27Which type of IPS can identify worms that are propagating in a network?

A. Policy-based IPS

B. Anomaly-based IPS

C. Reputation-based IPS

D. Signature-based IPS



QUESTION 28Which command verifies phase 1 of an IPsec VPN on a Cisco router?

A. show crypto map

B. show crypto ipsec sa

C. show crypto isakmp sa

D. show crypto engine connection active


Explanation/Reference:show crypto ipsec sa verifies Phase 2 of the tunnel.

QUESTION 29What is the purpose of a honeypot IPS?

A. To create customized policies

B. To detect unknown attacks

C. To normalize streams

D. To collect information about attacks



QUESTION 30Which type of firewall can act on the behalf of the end device?

A. Stateful packet

B. Application

C. Packet

D. Proxy



QUESTION 31Which syslog severity level is level number 7?

A. Warning

B. Informational

C. Notification

D. Debugging

Correct Answer: DSection: (none)

Explanation

Explanation/Reference:The list of severity Levels:0 Emergency: system is unusable 1 Alert: action must be taken immediately 2 Critical: critical conditions 3 Error: error conditions 4 Warning: warning conditions 5 Notice: normal but significant condition 6 Informational: informational messages 7 Debug: debug-level messages

QUESTION 32By which kind of threat is the victim tricked into entering username and password information at a disguisedwebsite?

A. Spoofing

B. Malware

C. Spam

D. Phishing



QUESTION 33Which type of mirroring does SPAN technology perform?

A. Remote mirroring over Layer 2

B. Remote mirroring over Layer 3

C. Local mirroring over Layer 2

D. Local mirroring over Layer 3



QUESTION 34Which tasks is the session management path responsible for? (Choose three.)

A. Verifying IP checksums

B. Performing route lookup

C. Performing session lookup

D. Allocating NAT translations

E. Checking TCP sequence numbers

F. Checking packets against the access list

Correct Answer: BDFSection: (none)

Explanation


QUESTION 35Which network device does NTP authenticate?

A. Only the time source

B. Only the client device

C. The firewall and the client device

D. The client device and the time source



QUESTION 36Which statement correctly describes the function of a private VLAN?

A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains

B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains

C. A private VLAN enables the creation of multiple VLANs using one broadcast domain

D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain



QUESTION 37Which statement correctly describes the function of a private VLAN?

A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains

B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains

C. A private VLAN enables the creation of multiple VLANs using one broadcast domain

D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain



QUESTION 38What hash type does Cisco use to validate the integrity of downloaded images?

A. Sha1

B. Sha2

C. Md5

D. Md1



QUESTION 39Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?

A. Unidirectional Link Detection

B. Unicast Reverse Path Forwarding

C. TrustSec

D. IP Source Guard



QUESTION 40What is the most common Cisco Discovery Protocol version 1 attack?

A. Denial of Service

B. MAC-address spoofing

C. CAM-table overflow

D. VLAN hopping



QUESTION 41What is the Cisco preferred countermeasure to mitigate CAM overflows?

A. Port security

B. Dynamic port security

C. IP source guard

D. Root guard



QUESTION 42Which option is the most effective placement of an IPS device within the infrastructure?

A. Inline, behind the internet router and firewall

B. Inline, before the internet router and firewall

C. Promiscuously, after the Internet router and before the firewall

D. Promiscuously, before the Internet router and the firewall



QUESTION 43If a router configuration includes the line aaa authentication login default group tacacs+ enable, which eventswill occur when the TACACS+ server returns an error? (Choose two.)

A. The user will be prompted to authenticate using the enable password

B. Authentication attempts to the router will be denied

C. Authentication will use the router`s local database

D. Authentication attempts will be sent to the TACACS+ server



QUESTION 44Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?

A. SDEE

B. Syslog

C. SNMP

D. CSM



QUESTION 45When a switch has multiple links connected to a downstream switch, what is the first step that STP takes toprevent loops?

A. STP elects the root bridge

B. STP selects the root port

C. STP selects the designated port

D. STP blocks one of the ports



QUESTION 46Which type of address translation should be used when a Cisco ASA is in transparent mode?

A. Static NAT

B. Dynamic NAT

C. Overload

D. Dynamic PAT



QUESTION 47Which components does HMAC use to determine the authenticity and integrity of a message?

A. The password

B. The hash

C. The key

D. The transform set

Correct Answer: BCSection: (none)Explanation


QUESTION 48What is the default timeout interval during which a router waits for responses from a TACACS server beforedeclaring a timeout failure?

A. 5 seconds

B. 10 seconds

C. 15 seconds

D. 20 seconds


Explanation/Reference:Router(config)#tacacs-server timeout ? <1-1000> Wait time (default 5 seconds)

QUESTION 49Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)

A. EAP

B. ASCII

C. PAP

D. PEAP

E. MS-CHAPv1

F. MS-CHAPv2

Correct Answer: CEFSection: (none)Explanation


QUESTION 50Which command initializes a lawful intercept view?

A. username cisco1 view lawful-intercept password cisco

B. parser view cisco li-view

C. li-view cisco user cisco1 password cisco

D. parser view li-view inclusive


Explanation/Reference:Before you initialize a lawful intercept view, ensure that the privilege level is set to 15 via the privilegecommand.SUMMARY STEPS1. enable view 2. configure terminal 3. li-view li-password user username password password 4. username lawful-intercept [name] [privilege privilege-level| view view-name] password password5. parser view view-name 6. secret 5 encrypted-password 7. name new-name

QUESTION 51Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)

A. Port security

B. DHCP snooping

C. IP source guard

D. Dynamic ARP inspection

Correct Answer: BDSection: (none)Explanation


QUESTION 52Which of the following statements about access lists are true? (Choose three.)

A. Extended access lists should be placed as near as possible to the destination

B. Extended access lists should be placed as near as possible to the source

C. Standard access lists should be placed as near as possible to the destination

D. Standard access lists should be placed as near as possible to the source

E. Standard access lists filter on the source address

F. Standard access lists filter on the destination address

Correct Answer: BCESection: (none)Explanation


QUESTION 53Which security measures can protect the control plane of a Cisco router? (Choose two.)

A. CCPr

B. Parser views

C. Access control lists

D. Port security

E. CoPP

Correct Answer: AESection: (none)Explanation


Table 10-3 Three Ways to Secure the Control PlaneUsing CoPP or CPPr, you can specify which types of management traffic are acceptable at which levels. Forexample, you could decide and configure the router to believe that SSH is acceptable at 100 packets persecond, syslog is acceptable at 200 packets per second, and so on. Traffic that exceeds the thresholds can besafely dropped if it is not from one of your specific management stations. You can specify all those details in thepolicy.You learn more about control plane security in Chapter 13, “Securing Routing Protocols and the Control Plane.”

Although not necessarily a security feature, Selective Packet Discard (SPD) provides the ability toprioritize certain types of packets (for example, routing protocol packets and Layer 2 keepalive messages,

which are received by the route processor [RP]). SPD provides priority of critical control plane traffic overtraffic that is less important or, worse yet, is being sent maliciously to starve the CPU of resources required forthe RP.

QUESTION 54Which statement about extended access lists is true?

A. Extended access lists perform filtering that is based on source and destination and are most effective whenapplied to the destination

B. Extended access lists perform filtering that is based on source and destination and are most effective whenapplied to the source

C. Extended access lists perform filtering that is based on destination and are most effective when applied to

the source

D. Extended access lists perform filtering that is based on source and are most effective when applied to thedestination


Explanation/Reference:Standard ACL 1) Able Restrict, deny & filter packets by Host Ip or subnet only.2) Best Practice is put Std. ACL restriction near from Source Host/Subnet (Interface-In-bound).3) No Protocol based restriction. (Only HOST IP).

Extended ACL1) More flexible then Standard ACL.2) You can filter packets by Host/Subnet as well as Protocol/TCPPort/UDPPort.3) Best Practice is put restriction near form Destination Host/Subnet. (Interface-Outbound)

QUESTION 55In which stage of an attack does the attacker discover devices on a target network?

A. Reconnaissance

B. Covering tracks

C. Gaining access

D. Maintaining access



QUESTION 56Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choosetwo.)

A. FTP

B. SSH

C. Telnet

D. AAA

E. HTTPS

F. HTTP

Correct Answer: BESection: (none)Explanation


QUESTION 57What are the primary attack methods of VLAN hopping? (Choose two.)

A. VoIP hopping

B. Switch spoofing

C. CAM-table overflow

D. Double tagging

Correct Answer: BDSection: (none)Explanation


QUESTION 58How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewallconfiguration?

A. Issue the command anyconnect keep-installer under the group policy or username webvpn mode

B. Issue the command anyconnect keep-installer installed in the global configuration

C. Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode

D. Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode



Note AnyConnect versions 3.0 and later do no support permanent clientinstallation. The CLI is still available to support older versionsof AnyConnect.

To enable permanent client installation for a specific group oruser, use the anyconnect keep-installer command from group-policy orusername webvpn modes:

anyconnect keep-installer installer

The default is that permanent installation of the client is enabled.The client remains on the remote computer at the end of the session.The following example configures the existing group-policy sales toremove the client on the remote computer at the end of the session:

hostname(config)# group-policy sales attributes

hostname(config-group-policy)# webvpn

hostname(config-group-policy)# anyconnect keep-installer installed none

QUESTION 59Which Cisco product can help mitigate web-based attacks within a network?

A. Adaptive Security Appliance

B. Web Security Appliance

C. Email Security Appliance

D. Identity Services Engine



QUESTION 60Which type of security control is defense in depth?

A. Threat mitigation

B. Risk analysis

C. Botnet mitigation

D. Overt and covert channels



QUESTION 61Refer to the exhibit. Scenario: You are the security admin for a small company. This morning your manager hassupplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate thepre-configured CCP in order to find answers to your business question. Which properties are included in theinspection Cisco Map OUT_SERVICE? (Choose four.)

A. FTP

B. HTTP

C. HTTPS

D. SMTP

E. P2P

F. ICMP

Correct Answer: ABEFSection: (none)Explanation


QUESTION 62Refer to the exhibit. Scenario: You are the security admin for a small company. This morning your manager hassupplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate thepre-configured CCP in order to find answers to your business question. What NAT address will be assigned byACL 1?

A. 192.168.1.0/25

B. GlobalEthernet0/0 interface address.

C. 172.25.223.0/24

D. 10.0.10.0/24



QUESTION 63Refer to the exhibit. Scenario: You are the security admin for a small company. This morning your manager hassupplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate thepre-configured CCP in order to find answers to your business question. Which Class Map is used by theINBOUND Rule?

A. SERVICE_IN

B. Class-map-ccp-cls-2

C. Ccp-cls-2

D. Class-map SERVICE_IN



QUESTION 64Refer to the exhibit. Scenario: You are the security admin for a small company. This morning your manager hassupplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate thepre-configured CCP in order to find answers to your business question. Which policy is assigned to Zone Pairsdm-zip-OUT-IN?

A. Sdm-cls-http

B. OUT_SERVICE

C. Ccp-policy-ccp-cls-1

D. Ccp-policy-ccp-cls-2



QUESTION 65Refer to the exhibit. Scenario: You are the security admin for a small company. This morning your manager hassupplied you with a list of Cisco ISR and CCP configuration questions. Using CCP, your job is to navigate thepre-configured CCP in order to find answers to your business question. What is included in the Network ObjectGroup INSIDE? (Choose two.)

A. Network 192.168.1.0/24

B. Network 175.25.133.0/24

C. Network 10.0.10.0/24

D. Network 10.0.0.0/8

E. Network 192.168.1.0/8

Correct Answer: BC

Section: (none)Explanation


Date post:	09-Feb-2016
Category:	Documents
Upload:	maria-de-la-o-pequena
View:	186 times
Download:	0 times

CCNA Sec by Ethio

Documents