Cisco.PracticeTest.300-206.v2016-08-25.by.Robert · A network engineer is troubleshooting and...

http://www.gratisexam.com/

300-206 cisco

Number: 300-206Passing Score: 800Time Limit: 120 min


Exam A

QUESTION 1With Cisco ASA active/standby failover, by default, how many monitored interface failures will cause failover to occur?

A. 1B. 2C. 3D. 4E. 5

Correct Answer: ASection: (none)Explanation

Explanation/Reference:

QUESTION 2Which statement about SNMP support on the Cisco ASA appliance is true?

A. The Cisco ASA appliance supports only SNMPv1 or SNMPv2c.B. The Cisco ASA appliance supports read-only and read-write access.C. The Cisco ASA appliance supports three built-in SNMPv3 groups in Cisco ASDM:

Authentication and Encryption, Authentication Only, and No Authentication, No Encryption.D. The Cisco ASA appliance can send SNMP traps to the network management station only using SNMPv2.

Correct Answer: CSection: (none)Explanation


QUESTION 3Which three options are default settings for NTP parameters on a Cisco device? (Choose three.)

A. NTP authentication is enabled.B. NTP authentication is disabled.


C. NTP logging is enabled.D. NTP logging is disabled.E. NTP access is enabled.F. NTP access is disabled.

Correct Answer: BDESection: (none)Explanation


QUESTION 4A Cisco ASA is configured for TLS proxy. When should the security appliance force remote IP phones connecting to the phone proxy through the internet to be insecured mode?

A. When the Cisco Unified Communications Manager cluster is in non-secure modeB. When the Cisco Unified Communications Manager cluster is in secure mode onlyC. When the Cisco Unified Communications Manager is not part of a clusterD. When the Cisco ASA is configured for IPSec VPN



QUESTION 5Which two features are supported when configuring clustering of multiple Cisco ASA appliances? (Choose two.)

A. NATB. dynamic routing


C. SSL remote access VPND. IPSec remote access VPN

Correct Answer: ABSection: (none)Explanation


QUESTION 6Which two device types can Cisco Prime Security Manager manage in Multiple Device mode? (Choose two.)

A. Cisco ESAB. Cisco ASAC. Cisco WSAD. Cisco ASA CX

Correct Answer: BDSection: (none)Explanation


QUESTION 7Which technology provides forwarding-plane abstraction to support Layer 2 to Layer 7 network services in Cisco Nexus 1000V?

A. Virtual Service NodeB. Virtual Service GatewayC. Virtual Service Data Path


D. Virtual Service Agent



QUESTION 8To which interface on a Cisco ASA 1000V firewall should a security profile be applied when a VM sits behind it?

A. outsideB. insideC. managementD. DMZ

Correct Answer: BSection: (none)Explanation


QUESTION 9You are configuring a Cisco IOS Firewall on a WAN router that is operating as a Trusted Relay Point (TRP) in a voice network. Which feature must you configure toopen data- channel pinholes for voice packets that are sourced from a TRP within the WAN?

A. CACB. ACLC. CBACD. STUN

Correct Answer: DSection: (none)Explanation



QUESTION 10If you encounter problems logging in to the Cisco Security Manager 4.4 web server or client or backing up its databases, which account has most likely beenimproperly modified?

A. admin (the default administrator account)B. casuser (the default service account)C. guest (the default guest account)D. user (the default user account)



QUESTION 11Which component does Cisco ASDM require on the host Cisco ASA 5500 Series or Cisco PIX security appliance?

A. a DES or 3DES licenseB. a NAT policy serverC. a SQL databaseD. a Kerberos keyE. a digital certificate



QUESTION 12Which of the following would need to be created to configure an application-layer inspection of SMTP traffic operating on port 2525?

A. A class-map that matches port 2525 and applying an inspect ESMTP policy-map for that class in the global inspection policyB. A policy-map that matches port 2525 and applying an inspect ESMTP class-map for that policyC. An access-list that matches on TCP port 2525 traffic and applying it on an interface with the inspect optionD. A class-map that matches port 2525 and applying it on an access-list using the inspect option




QUESTION 13Which Cisco ASA object group type offers the most flexibility for grouping different services together based on arbitrary protocols?

A. networkB. ICMPC. protocolD. TCP-UDPE. service

Correct Answer: ESection: (none)Explanation


QUESTION 14Which Cisco ASA show command groups the xlates and connections information together in its output?

A. show connB. show conn detailC. show xlateD. show aspE. show local-host




QUESTION 15When a Cisco ASA is configured in multiple context mode, within which configuration are the interfaces allocated to the security contexts?

A. each security contextB. system configurationC. admin context (context with the "admin" role)D. context startup configuration file (.cfg file)



QUESTION 16Which two parameters must be configured before you enable SCP on a router? (Choose two.)

A. SSHB. authorizationC. ACLsD. NTPE. TACACS+



QUESTION 17A network engineer is troubleshooting and configures the ASA logging level to debugging. The logging-buffer is dominated by %ASA-6-305009 log messages.Which command suppresses those syslog messages while maintaining ability to troubleshoot?

A. no logging buffered 305009B. message 305009 disableC. no message 305009 logging


D. no logging message 305009



QUESTION 18Which option describes the purpose of the input parameter when you use the packet-tracer command on a Cisco device?

A. to provide detailed packet-trace informationB. to specify the source interface for the packet traceC. to display the trace capture in XML formatD. to specify the protocol type for the packet trace



QUESTION 19Which two options are two purposes of the packet-tracer command? (Choose two.)

A. to filter and monitor ingress traffic to a switchB. to configure an interface-specific packet traceC. to inject virtual packets into the data pathD. to debug packet drops in a production networkE. to correct dropped packets in a production network

Correct Answer: CDSection: (none)Explanation



QUESTION 20Which set of commands enables logging and displays the log buffer on a Cisco ASA?

A. enable loggingshow logging

B. logging enableshow logging

C. enable logging int e0/1view logging

D. logging enablelogging view config



QUESTION 21By default, not all services in the default inspection class are inspected. Which Cisco ASA CLI command do you use to determine which inspect actions are appliedto the default inspection class?

A. show policy-map global_policyB. show policy-map inspection_defaultC. show class-map inspection_defaultD. show class-map default-inspection-trafficE. show service-policy global

Correct Answer: ESection: (none)


Explanation


QUESTION 22Which three Cisco ASA configuration commands are used to enable the Cisco ASA to log only the debug output to syslog? (Choose three.)

A. logging list test message 711001B. logging debug-traceC. logging trap debuggingD. logging message 711001 level 7E. logging trap test

Correct Answer: ABESection: (none)Explanation


QUESTION 23Which five options are valid logging destinations for the Cisco ASA? (Choose five.)

A. AAA serverB. Cisco ASDMC. bufferD. SNMP trapsE. LDAP serverF. emailG. TCP-based secure syslog server

Correct Answer: BCDFGSection: (none)Explanation



QUESTION 24When configuring security contexts on the Cisco ASA, which three resource class limits can be set using a rate limit? (Choose three.)

A. address translation rateB. Cisco ASDM session rateC. connections rateD. MAC-address learning rate (when in transparent mode)E. syslog messages rateF. stateful packet inspections rate

Correct Answer: CEFSection: (none)Explanation


QUESTION 25The Cisco ASA must support dynamic routing and terminating VPN traffic. Which three Cisco ASA options will not support these requirements? (Choose three.)

A. transparent modeB. multiple context modeC. active/standby failover modeD. active/active failover modeE. routed modeF. no NAT-control

Correct Answer: ABDSection: (none)Explanation


QUESTION 26Which command displays syslog messages on the Cisco ASA console as they occur?

A. Console logging <level>B. Logging console <level>


C. Logging trap <level>D. Terminal monitorE. Logging monitor <level>



QUESTION 27Which three configurations are needed to enable SNMPv3 support on the Cisco ASA? (Choose three.)

A. SNMPv3 Local EngineIDB. SNMPv3 Remote EngineIDC. SNMP UsersD. SNMP GroupsE. SNMP Community StringsF. SNMP Hosts

Correct Answer: CDFSection: (none)Explanation


QUESTION 28Which two configurations are the minimum needed to enable EIGRP on the Cisco ASA appliance? (Choose two.)

A. Enable the EIGRP routing process and specify the AS number.B. Define the EIGRP default-metric.C. Configure the EIGRP router ID.D. Use the neighbor command(s) to specify the EIGRP neighbors.E. Use the network command(s) to enable EIGRP on the Cisco ASA interface(s).

Correct Answer: AESection: (none)


Explanation


QUESTION 29All 30 users on a single floor of a building are complaining about network slowness. After investigating the access switch, the network administrator notices that theMAC address table is full (10,000 entries) and all traffic is being flooded out of every port. Which action can the administrator take to prevent this from occurring?

A. Configure port-security to limit the number of mac-addresses allowed on each portB. Upgrade the switch to one that can handle 20,000 entriesC. Configure private-vlans to prevent hosts from communicating with one anotherD. Enable storm-control to limit the traffic rateE. Configure a VACL to block all IP traffic except traffic to and from that subnet



QUESTION 30A network printer has a DHCP server service that cannot be disabled. How can a layer 2 switch be configured to prevent the printer from causing network issues?

A. Remove the ip helper-addressB. Configure a Port-ACL to block outbound TCP port 68C. Configure DHCP snoopingD. Configure port-security



QUESTION 31A switch is being configured at a new location that uses statically assigned IP addresses. Which will ensure that ARP inspection works as expected?


A. Configure the 'no-dhcp' keyword at the end of the ip arp inspection commandB. Enable static arp inspection using the command 'ip arp inspection static vlan vlan- numberC. Configure an arp access-list and apply it to the ip arp inspection commandD. Enable port security



QUESTION 32Which two voice protocols can the Cisco ASA inspect? (Choose two.)

A. MGCPB. IAXC. SkypeD. CTIQBE

Correct Answer: ADSection: (none)Explanation


QUESTION 33You have explicitly added the line deny ipv6 any log to the end of an IPv6 ACL on a router interface. Which two ICMPv6 packet types must you explicitly allow toenable traffic to traverse the interface? (Choose two.)

A. router solicitationB. router advertisementC. neighbor solicitationD. neighbor advertisementE. redirect

Correct Answer: CDSection: (none)


Explanation


QUESTION 34Enabling what security mechanism can prevent an attacker from gaining network topology information from CDP?

A. MACsecB. Flex VPNC. Control Plane ProtectionD. Dynamic Arp Inspection



QUESTION 35Which log level provides the most detail on the Cisco Web Security Appliance?

A. DebugB. CriticalC. TraceD. Informational




QUESTION 36What is the lowest combination of ASA model and license providing 1 Gigabit Ethernet interfaces?

A. ASA 5505 with failover license optionB. ASA 5510 Security+ license optionC. ASA 5520 with any license optionD. ASA 5540 with AnyConnect Essentials License option



QUESTION 37Which command is used to nest objects in a pre-existing group?

A. object-groupB. network group-objectC. object-group networkD. group-object



QUESTION 38Which threat-detection feature is used to keep track of suspected attackers who create connections to too many hosts or ports?

A. complex threat detectionB. scanning threat detectionC. basic threat detection


D. advanced threat detection



QUESTION 39What is the default behavior of an access list on the Cisco ASA security appliance?

A. It will permit or deny traffic based on the access-list criteria.B. It will permit or deny all traffic on a specified interface.C. An access group must be configured before the access list will take effect for traffic control.D. It will allow all traffic.



QUESTION 40What is the default behavior of NAT control on Cisco ASA Software Version 8.3?

A. NAT control has been deprecated on Cisco ASA Software Version 8.3.B. It will prevent traffic from traversing from one enclave to the next without proper access configuration.C. It will allow traffic to traverse from one enclave to the next without proper access configuration.D. It will deny all traffic.



QUESTION 41


Which three options are hardening techniques for Cisco IOS routers? (Choose three.)

A. limiting access to infrastructure with access control listsB. enabling service password recoveryC. using SSH whenever possibleD. encrypting the service passwordE. using Telnet whenever possibleF. enabling DHCP snooping

Correct Answer: ACDSection: (none)Explanation


QUESTION 42What command alters the SSL ciphers used by the Cisco Email Security Appliance for TLS sessions and HTTPS access?

A. sslconfigB. sslciphersC. tlsconifgD. certconfig



QUESTION 43What is the CLI command to enable SNMPv3 on the Cisco Web Security Appliance?

A. snmpconfigB. snmpenableC. configsnmpD. enablesnmp




QUESTION 44The Cisco Email Security Appliance can be managed with both local and external users of different privilege levels. What three external modes of authentication aresupported? (Choose three.)

A. LDAP authenticationB. RADIUS AuthenticationC. TACASD. SSH host keysE. Common Access Card AuthenticationF. RSA Single use tokens

Correct Answer: ABDSection: (none)Explanation


QUESTION 45When a Cisco ASA is configured in multicontext mode, which command is used to change between contexts?

A. changeto config contextB. changeto contextC. changeto/config context changeD. changeto/config context 2




QUESTION 46Which statement about the Cisco Security Manager 4.4 NAT Rediscovery feature is true?

A. It provides NAT policies to existing clients that connect from a new switch port.B. It can update shared policies even when the NAT server is offline.C. It enables NAT policy discovery as it updates shared polices.D. It enables NAT policy rediscovery while leaving existing shared polices unchanged.



QUESTION 47When you install a Cisco ASA AIP-SSM, which statement about the main Cisco ASDM home page is true?

A. It is replaced by the Cisco AIP-SSM home page.B. It must reconnect to the NAT policies database.C. The administrator can manually update the page.D. It displays a new Intrusion Prevention panel.



QUESTION 48Which Cisco product provides a GUI-based device management tool to configure Cisco access routers?


A. Cisco ASDMB. Cisco CP ExpressC. Cisco ASA 5500D. Cisco CP



QUESTION 49Which statement about Cisco IPS Manager Express is true?

A. It provides basic device management for large-scale deployments.B. It provides a GUI for configuring IPS sensors and security modules.C. It enables communication with Cisco ASA devices that have no administrative access.D. It provides greater security than simple ACLs.



QUESTION 50Which three options describe how SNMPv3 traps can be securely configured to be sent by IOS? (Choose three.)

A. An SNMPv3 group is defined to configure the read and write views of the group.B. An SNMPv3 user is assigned to SNMPv3 group and defines the encryption and authentication credentials.C. An SNMPv3 host is configured to define where the SNMPv3 traps will be sent.D. An SNMPv3 host is used to configure the encryption and authentication credentials for SNMPv3 traps.E. An SNMPv3 view is defined to configure the address of where the traps will be sent.F. An SNMPv3 group is used to configure the OIDs that will be reported.

Correct Answer: ABC


Section: (none)Explanation


QUESTION 51Cisco Security Manager can manage which three products? (Choose three.)

A. Cisco IOSB. Cisco ASAC. Cisco IPSD. Cisco WLCE. Cisco Web Security ApplianceF. Cisco Email Security ApplianceG. Cisco ASA CXH. Cisco CRS

Correct Answer: ABCSection: (none)Explanation


QUESTION 52When a Cisco ASA is configured in transparent mode, how can ARP traffic be controlled?

A. By enabling ARP inspection; however, it cannot be controlled by an ACLB. By enabling ARP inspection or by configuring ACLsC. By configuring ACLs; however, ARP inspection is not supportedD. By configuring NAT and ARP inspection




QUESTION 53What are two primary purposes of Layer 2 detection in Cisco IPS networks? (Choose two.)

A. identifying Layer 2 ARP attacksB. detecting spoofed MAC addresses and tracking 802.1X actions and data communication after a successful client associationC. detecting and preventing MAC address spoofing in switched environmentsD. mitigating man-in-the-middle attacks



QUESTION 54What is the primary purpose of stateful pattern recognition in Cisco IPS networks?

A. mitigating man-in-the-middle attacksB. using multipacket inspection across all protocols to identify vulnerability-based attacks and to thwart attacks that hide within a data streamC. detecting and preventing MAC address spoofing in switched environmentsD. identifying Layer 2 ARP attacks



QUESTION 55What are two reasons to implement Cisco IOS MPLS Bandwidth-Assured Layer 2 Services? (Choose two.)

A. guaranteed bandwidth and peak rates as well as low cycle periods, regardless of which systems access the deviceB. increased resiliency through MPLS FRR for AToM circuits and better bandwidth utilization through MPLS TEC. enabled services over an IP/MPLS infrastructure, for enhanced MPLS Layer 2 functionalityD. provided complete proactive protection against frame and device spoofing


Correct Answer: BCSection: (none)Explanation


QUESTION 56What is the maximum jumbo frame size for IPS standalone appliances with 1G and 10G fixed or add-on interfaces?

A. 1024 bytesB. 1518 bytesC. 2156 bytesD. 9216 bytes



QUESTION 57Which two statements about Cisco IDS are true? (Choose two.)

A. It is preferred for detection-only deployment.B. It is used for installations that require strong network-based protection and that include sensor tuning.C. It is used to boost sensor sensitivity at the expense of false positives.D. It is used to monitor critical systems and to avoid false positives that block traffic.E. It is used primarily to inspect egress traffic, to filter outgoing threats.



QUESTION 58What are two reasons for implementing NIPS at enterprise Internet edges? (Choose two.)


A. Internet edges typically have a lower volume of traffic and threats are easier to detect.B. Internet edges typically have a higher volume of traffic and threats are more difficult to detect.C. Internet edges provide connectivity to the Internet and other external networks.D. Internet edges are exposed to a larger array of threats.E. NIPS is more optimally designed for enterprise Internet edges than for internal network configurations.



QUESTION 59Which statement about the Cisco ASA configuration is true?

A. All input traffic on the inside interface is denied by the global ACL.B. All input and output traffic on the outside interface is denied by the global ACL.C. ICMP echo-request traffic is permitted from the inside to the outside, and ICMP echo-reply will be permitted from the outside back to inside.D. HTTP inspection is enabled in the global policy.E. Traffic between two hosts connected to the same interface is permitted.



QUESTION 60In the default global policy, which traffic is matched for inspections by default?


A. match anyB. match default-inspection-trafficC. match access-listD. match portE. match class-default



QUESTION 61Which set of commands creates a message list that includes all severity 2 (critical) messages on a Cisco security device?

A. logging list critical_messages level 2console logging critical_messages

B. logging list critical_messages level 2logging console critical_messages

C. logging list critical_messages level 2logging console enable critical_messages

D. logging list enable critical_messages level 2 console logging critical_messages




QUESTION 62An administrator is deploying port-security to restrict traffic from certain ports to specific MAC addresses. Which two considerations must an administrator take intoaccount when using the switchport port-security mac-address sticky command? (Choose two.)

A. The configuration will be updated with MAC addresses from traffic seen ingressing the port.The configuration will automatically be saved to NVRAM if no other changes to the configuration have been made.

B. The configuration will be updated with MAC addresses from traffic seen ingressing the port.The configuration will not automatically be saved to NVRAM.

C. Only MAC addresses with the 5th most significant bit of the address (the 'sticky' bit) set to 1 will be learned.D. If configured on a trunk port without the 'vlan' keyword, it will apply to all vlans.E. If configured on a trunk port without the 'vlan' keyword, it will apply only to the native vlan.

Correct Answer: BESection: (none)Explanation


QUESTION 63Which command configures the SNMP server group1 to enable authentication for members of the access list east?

A. snmp-server group group1 v3 auth access eastB. snmp-server group1 v3 auth access eastC. snmp-server group group1 v3 eastD. snmp-server group1 v3 east access



QUESTION 64Lab Simulation


A.B.C.D.

Correct Answer: Section: (none)Explanation


Explanation/Reference:Please check the steps in explanation part below:(1) Click on Service Policy Rules, then Edit the default inspection rule. (2) Click on Rule Actions, then enable HTTP as shown here:

(3) Click on Configure, then add as shown here:


(4) Create the new map in ASDM like shown:


(5) Edit the policy as shown:


(6) Hit OK

QUESTION 65Hotspot Questions


Which statement about how the Cisco ASA supports SNMP is true?

A. All SNMFV3 traffic on the inside interface will be denied by the global ACLB. The Cisco ASA and ASASM provide support for network monitoring using SNMP Versions 1,2c, and 3, but do not support the use of all three versions

simultaneously.C. The Cisco ASA and ASASM have an SNMP agent that notifies designated management ,.

stations if events occur that are predefined to require a notification, for example, when a link in the network goes up or down.D. SNMPv3 is enabled by default and SNMP v1 and 2c are disabled by default.E. SNMPv3 is more secure because it uses SSH as the transport mechanism.



Explanation/Reference:Explanation:This can be verified by this ASDM screen shot:

QUESTION 66


Hotspot Questions


SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryptionalgorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, andAES (which is available in128,192, and 256 versions). When you create a user, with which option must you associate it?

A. an SNMP groupB. at least one interfaceC. the SNMP inspection in the global_policyD. at least two interfaces



Explanation/Reference:Explanation:This can be verified via the ASDM screen shot shown here:

QUESTION 67Hotspot Questions


An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMFV3 hosts, which option must you configure in addition to thetarget IP address?

A. the Cisco ASA as a DHCP server, so the SNMFV3 host can obtain an IP addressB. a username, because traps are only sent to a configured userC. SSH, so the user can connect to the Cisco ASAD. the Cisco ASA with a dedicated interface only for SNMP, to process the SNMP host traffic.

Correct Answer: B



Explanation/Reference:Explanation:The username can be seen here on the ASDM simulator screen shot:

QUESTION 68Refer to the exhibit. To protect Host A and Host B from communicating with each other, which type of PVLAN port should be used for each host?


A. Host A on a promiscuous port and Host B on a community portB. Host A on a community port and Host B on a promiscuous portC. Host A on an isolated port and Host B on a promiscuous portD. Host A on a promiscuous port and Host B on a promiscuous portE. Host A on an isolated port and host B on an isolated portF. Host A on a community port and Host B on a community port



QUESTION 69Which security operations management best practice should be followed to enable appropriate network access for administrators?

A. Provide full network access from dedicated network administration systemsB. Configure the same management account on every network deviceC. Dedicate a separate physical or logical plane for management trafficD. Configure switches as terminal servers for secure device access




QUESTION 70Which two features block traffic that is sourced from non-topological IPv6 addresses? (Choose two.)

A. DHCPv6 GuardB. IPv6 Prefix GuardC. IPv6 RA GuardD. IPv6 Source Guard



QUESTION 71Which three options correctly identify the Cisco ASA1000V Cloud Firewall? (Choose three.)

A. operates at Layer 2B. operates at Layer 3C. secures tenant edge trafficD. secures intraswitch trafficE. secures data center edge trafficF. replaces Cisco VSGG. complements Cisco VSGH. requires Cisco VSG

Correct Answer: BCGSection: (none)Explanation



QUESTION 72Which two statements about zone-based firewalls are true? (Choose two.)

A. More than one interface can be assigned to the same zone.B. Only one interface can be in a given zone.C. An interface can only be in one zone.D. An interface can be a member of multiple zones.E. Every device interface must be a member of a zone.

Correct Answer: ACSection: (none)Explanation


QUESTION 73An attacker has gained physical access to a password protected router. Which command will prevent access to the startup-config in NVRAM?

A. no service password-recoveryB. no service startup-configC. service password-encryptionD. no confreg 0x2142




QUESTION 74Which command tests authentication with SSH and shows a generated key?

A. show key mypubkey rsaB. show crypto key mypubkey rsaC. show crypto keyD. show key mypubkey



QUESTION 75Which configuration keyword will configure SNMPv3 with authentication but no encryption?

A. AuthB. PrivC. No authD. Auth priv



QUESTION 76In IOS routers, what configuration can ensure both prevention of ntp spoofing and accurate time ensured?

A. ACL permitting udp 123 from ntp serverB. ntp authenticationC. multiple ntp serversD. local system clock




QUESTION 77Which product can manage licenses, updates, and a single signature policy for 15 separate IPS appliances?

A. Cisco Security ManagerB. Cisco IPS Manager ExpressC. Cisco IPS Device ManagerD. Cisco Adaptive Security Device Manager



QUESTION 78Which three statements about private VLANs are true? (Choose three.)

A. Isolated ports can talk to promiscuous and community ports.B. Promiscuous ports can talk to isolated and community ports.C. Private VLANs run over VLAN Trunking Protocol in client mode.D. Private VLANS run over VLAN Trunking Protocol in transparent mode.E. Community ports can talk to each other as well as the promiscuous port.F. Primary, secondary, and tertiary VLANs are required for private VLAN implementation.




QUESTION 79When you set a Cisco IOS Router as an SSH server, which command specifies the RSA public key of the remote peer when you set the SSH server to performRSA-based authentication?

A. router(config-ssh-pubkey-user)#keyB. router(conf-ssh-pubkey-user)#key-stringC. router(config-ssh-pubkey)#key-stringD. router(conf-ssh-pubkey-user)#key-string enable ssh



QUESTION 80Enabling what security mechanism can prevent an attacker from gaining network topology information from CDP via a man-in-the-middle attack?

A. MACsecB. Flex VPNC. Control Plane ProtectionD. Dynamic Arp Inspection



QUESTION 81On an ASA running version 9.0, which command is used to nest objects in a pre-existing group?

A. object-groupB. network group-objectC. object-group networkD. group-object




QUESTION 82Which ASA feature is used to keep track of suspected attackers who create connections to too many hosts or ports?

A. complex threat detectionB. scanning threat detectionC. basic threat detectionD. advanced threat detection



QUESTION 83What is the default behavior of an access list on a Cisco ASA?

A. It will permit or deny traffic based on the access list criteria.B. It will permit or deny all traffic on a specified interface.C. It will have no affect until applied to an interface, tunnel-group or other traffic flow.D. It will allow all traffic.



QUESTION 84When configuring a new context on a Cisco ASA device, which command creates a domain for the context?


A. domain config nameB. domain-nameC. changeto/domain name changeD. domain context 2



QUESTION 85Which statement describes the correct steps to enable Botnet Traffic Filtering on a Cisco ASA version 9.0 transparent-mode firewall with an active Botnet TrafficFiltering license?

A. Enable DNS snooping, traffic classification, and actions.B. Botnet Traffic Filtering is not supported in transparent mode.C. Enable the use of the dynamic database, enable DNS snooping, traffic classification, and actions.D. Enable the use of dynamic database, enable traffic classification and actions.



QUESTION 86Which Cisco switch technology prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast flood on a port?

A. port securityB. storm controlC. dynamic ARP inspectionD. BPDU guardE. root guardF. dot1x




QUESTION 87You are a security engineer at a large multinational retailer. Your Chief Information Officer recently attended a security conference and has asked you to secure thenetwork infrastructure from VLAN hopping.Which statement describes how VLAN hopping can be avoided?

A. There is no such thing as VLAN hopping because VLANs are completely isolated.B. VLAN hopping can be avoided by using IEEE 802.1X to dynamically assign the access VLAN to all endpoints and setting the default access VLAN to an unused

VLAN ID.C. VLAN hopping is avoided by configuring the native (untagged) VLAN on both sides of an ISL trunk to an unused VLAN ID.D. VLAN hopping is avoided by configuring the native (untagged) VLAN on both sides of an IEEE 802.1Q trunk to an unused VLAN ID.



QUESTION 88You are the administrator of a Cisco ASA 9.0 firewall and have been tasked with ensuring that the Firewall Admins Active Directory group has full access to the ASAconfiguration. The Firewall Operators Active Directory group should have a more limited level of access.Which statement describes how to set these access levels?

A. Use Cisco Directory Agent to configure the Firewall Admins group to have privilege level 15 access. Also configure the Firewall Operators group to have privilegelevel 6 access.

B. Use TACACS+ for Authentication and Authorization into the Cisco ASA CLI, with ACS as the AAA server. Configure ACS CLI command authorization sets for theFirewall Operators group.Configure level 15 access to be assigned to members of the Firewall Admins group.

C. Use RADIUS for Authentication and Authorization into the Cisco ASA CLI, with ACS as the AAA server. Configure ACS CLI command authorization sets for theFirewall Operators group.Configure level 15 access to be assigned to members of the Firewall Admins group.

D. Active Directory Group membership cannot be used as a determining factor for accessing the Cisco ASA CLI.




QUESTION 89A router is being enabled for SSH command line access.The following steps have been taken:

- The vty ports have been configured with transport input SSH and login local.- Local user accounts have been created.- The enable password has been configured.

What additional step must be taken if users receive a 'connection refused' error when attempting to access the router via SSH?

A. A RSA keypair must be generated on the routerB. An access list permitting SSH inbound must be configured and applied to the vty portsC. An access list permitting SSH outbound must be configured and applied to the vty portsD. SSH v2.0 must be enabled on the router



QUESTION 90Which two configurations are necessary to enable password-less SSH login to an IOS router? (Choose two.)

A. Enter a copy of the administrator's public key within the SSH key-chainB. Enter a copy of the administrator's private key within the SSH key-chainC. Generate a 512-bit RSA key to enable SSH on the routerD. Generate an RSA key of at least 768 bits to enable SSH on the routerE. Generate a 512-bit ECDSA key to enable SSH on the routerF. Generate a ECDSA key of at least 768 bits to enable SSH on the router

Correct Answer: AD




QUESTION 91Which two features does Cisco Security Manager provide? (Choose two.)

A. Configuration and policy deployment before device discoveryB. Health and performance monitoringC. Event management and alertingD. Command line menu for troubleshootingE. Ticketing management and tracking

Correct Answer: BCSection: (none)Explanation


QUESTION 92An administrator installed a Cisco ASA that runs version 9.1. You are asked to configure the firewall through Cisco ASDM.When you attempt to connect to a Cisco ASA with a default configuration, which username and password grants you full access?

A. admin / adminB. asaAdmin / (no password)C. It is not possible to use Cisco ASDM until a username and password are created via the username usernamepassword password CLI command.D. enable_15 / (no password)E. cisco / cisco



QUESTION 93


Which three options are default settings for NTP parameters on a Cisco ASA? (Choose three.)

A. NTP authentication is enabled.B. NTP authentication is disabled.C. NTP logging is enabled.D. NTP logging is disabled.E. NTP traffic is not restricted.F. NTP traffic is restricted.



QUESTION 94Which two options are purposes of the packet-tracer command? (Choose two.)

A. to filter and monitor ingress traffic to a switchB. to configure an interface-specific packet traceC. to simulate network traffic through a data pathD. to debug packet drops in a production networkE. to automatically correct an ACL entry in an ASA



QUESTION 95Refer to the exhibit. Server A is a busy server that offers these services:

- World Wide Web- DNS

Which command captures http traffic from Host A to Server A?


A. capture traffic match udp host 10.1.1.150 host 10.2.2.100B. capture traffic match 80 host 10.1.1.150 host 10.2.2.100C. capture traffic match ip 10.2.2.0 255.255.255.192 host 10.1.1.150D. capture traffic match tcp host 10.1.1.150 host 10.2.2.100E. capture traffic match tcp host 10.2.2.100 host 10.1.1.150 eq 80



QUESTION 96Your company is replacing a high-availability pair of Cisco ASA 5550 firewalls with the newer Cisco ASA 5555-X models. Due to budget constraints, one Cisco ASA


5550 will be replaced at a time.Which statement about the minimum requirements to set up stateful failover between these two firewalls is true?

A. You must install the USB failover cable between the two Cisco ASAs and provide a 1 Gigabit Ethernet interface for state exchange.B. It is not possible to use failover between different Cisco ASA models.C. You must have at least 1 Gigabit Ethernet interface between the two Cisco ASAs for state exchange.D. You must use two dedicated interfaces. One link is dedicated to state exchange and the other link is for heartbeats.



QUESTION 97In which two modes is zone-based firewall high availability available? (Choose two.)

A. IPv4 onlyB. IPv6 onlyC. IPv4 and IPv6D. routed mode onlyE. transparent mode onlyF. both transparent and routed modes



QUESTION 98You are the administrator of a multicontext transparent-mode Cisco ASA that uses a shared interface that belongs to more than one context. Because the sameinterface will be used within all three contexts, which statement describes how you will ensure that return traffic will reach the correct context?

A. Interfaces may not be shared between contexts in routed mode.B. Configure a unique MAC address per context with the no mac-address auto command.C. Configure a unique MAC address per context with the mac-address auto command.


D. Use static routes on the Cisco ASA to ensure that traffic reaches the correct context.



QUESTION 99A rogue device has connected to the network and has become the STP root bridge, which has caused a network availability issue.Which two commands can protect against this problem? (Choose two.)

A. switch(config)#spanning-tree portfast bpduguard defaultB. switch(config)#spanning-tree portfast bpdufilter defaultC. switch(config-if)#spanning-tree portfastD. switch(config-if)#spanning-tree portfast disableE. switch(config-if)#switchport port-security violation protectF. switch(config-if)#spanning-tree port-priority 0



QUESTION 100According to Cisco best practices, which two interface configuration commands help prevent VLAN hopping attacks? (Choose two.)

A. switchport mode accessB. switchport access vlan 2C. switchport mode trunkD. switchport access vlan 1E. switchport trunk native vlan 1F. switchport protected

Correct Answer: ABSection: (none)


Explanation


QUESTION 101When it is configured in accordance to Cisco best practices, the switchport port-security maximum command can mitigate which two types of Layer 2 attacks?(Choose two.)

A. rogue DHCP serversB. ARP attacksC. DHCP starvationD. MAC spoofingE. CAM attacksF. IP spoofing

Correct Answer: CESection: (none)Explanation


QUESTION 102When configured in accordance to Cisco best practices, the ip verify source command can mitigate which two types of Layer 2 attacks? (Choose two.)

A. rogue DHCP serversB. ARP attacksC. DHCP starvationD. MAC spoofingE. CAM attacksF. IP spoofing

Correct Answer: DFSection: (none)Explanation



QUESTION 103Lab Sim


A. Please check the steps in explanation part below:


Explanation/Reference:(1) Click on Service Policy Rules, then Edit the default inspection rule.(2) Click on Rule Actions, then enable HTTP as shown here:


(3) Click on Configure, then add as shown here:


(4) Create the new map in ASDM like shown:


(5) Edit the policy as shown:


(6) Hit OK

QUESTION 104You have installed a web server on a private network. Which type of NAT must you implement to enable access to the web server for public Internet users?

A. static NATB. dynamic NATC. network object NATD. twice NAT




QUESTION 105Which type of object group will allow configuration for both TCP 80 and TCP 443?

A. serviceB. networkC. time rangeD. user group



QUESTION 106When you configure a Botnet Traffic Filter on a Cisco firewall, what are two optional tasks? (Choose two.)

A. Enable the use of dynamic databases.B. Add static entries to the database.C. Enable DNS snooping.D. Enable traffic classification and actions.E. Block traffic manually based on its syslog information.



QUESTION 107Refer to the exhibit. What is the effect of this configuration?


A. The firewall will inspect IP traffic only between networks 192.168.1.0 and 192.168.2.0.B. The firewall will inspect all IP traffic except traffic to 192.168.1.0 and 192.168.2.0.C. The firewall will inspect traffic only if it is defined within a standard ACL.D. The firewall will inspect all IP traffic.



QUESTION 108When you configure a Cisco firewall in multiple context mode, where do you allocate interfaces?

A. in the system execution spaceB. in the admin contextC. in a user-defined contextD. in the global configuration



QUESTION 109At which layer does Dynamic ARP Inspection validate packets?

A. Layer 2B. Layer 3C. Layer 4D. Layer 7




QUESTION 110Which feature can suppress packet flooding in a network?

A. PortFastB. BPDU guardC. Dynamic ARP InspectionD. storm control



QUESTION 111What is the default violation mode that is applied by port security?

A. restrictB. protectC. shutdownD. shutdown VLAN



QUESTION 112What are two security features at the access port level that can help mitigate Layer 2 attacks? (Choose two.)

A. DHCP snoopingB. IP Source GuardC. Telnet


D. Secure ShellE. SNMP



QUESTION 113What are two high-level task areas in a Cisco Prime Infrastructure life-cycle workflow? (Choose two.)

A. DesignB. OperateC. MaintainD. LogE. Evaluate



QUESTION 114What are three ways to add devices in Cisco Prime Infrastructure? (Choose three.)

A. Use an automated process.B. Import devices from a CSV file.C. Add devices manually.D. Use RADIUS.E. Use the Access Control Server.F. Use Cisco Security Manager.




QUESTION 115Which statement about Cisco Security Manager form factors is true?

A. Cisco Security Manager Professional and Cisco Security Manager UCS Server Bundles support FWSMs.B. Cisco Security Manager Standard and Cisco Security Manager Professional support FWSMs.C. Only Cisco Security Manager Professional supports FWSMs.D. Only Cisco Security Manager Standard supports FWSMs.



QUESTION 116Which Cisco Security Manager form factor is recommended for deployments with fewer than 25 devices?

A. only Cisco Security Manager StandardB. only Cisco Security Manager ProfessionalC. only Cisco Security Manager UCS Server BundleD. both Cisco Security Manager Standard and Cisco Security Manager Professional



QUESTION 117Which two TCP ports must be open on the Cisco Security Manager server to allow the server to communicate with the Cisco Security Manager client? (Choosetwo.)

A. 1741B. 443


C. 80D. 1740E. 8080



QUESTION 118Which command enables the HTTP server daemon for Cisco ASDM access?

A. http server enableB. http server enable 443C. crypto key generate rsa modulus 1024D. no http server enable



QUESTION 119Which function in the Cisco ADSM ACL Manager pane allows an administrator to search for a specfic element?

A. FindB. Device ManagementC. SearchD. Device Setup




QUESTION 120Which two router commands enable NetFlow on an interface? (Choose two.)

A. ip flow ingressB. ip flow egressC. ip route-cache flow infer-fieldsD. ip flow ingress infer-fieldsE. ip flow-export version 9



QUESTION 121Refer to the exhibit. Which two statements about the SNMP configuration are true? (Choose two.)

A. The router's IP address is 192.168.1.1.B. The SNMP server's IP address is 192.168.1.1.C. Only the local SNMP engine is configured.D. Both the local and remote SNMP engines are configured.


E. The router is connected to the SNMP server via port 162.



QUESTION 122To which port does a firewall send secure logging messages?

A. TCP/1500B. UDP/1500C. TCP/500D. UDP/500



QUESTION 123What is a required attribute to configure NTP authentication on a Cisco ASA?

A. Key IDB. IPsecC. AAAD. IKEv2



QUESTION 124


Which function does DNSSEC provide in a DNS infrastructure?

A. It authenticates stored information.B. It authorizes stored information.C. It encrypts stored information.D. It logs stored security information.



QUESTION 125Refer to the exhibit. Which two statements about this firewall output are true? (Choose two.)

A. The output is from a packet tracer debug.B. All packets are allowed to 192.168.1.0 255.255.0.0.C. All packets are allowed to 192.168.1.0 255.255.255.0.D. All packets are denied.E. The output is from a debug all command.



QUESTION 126Which utility can you use to troubleshoot and determine the timeline of packet changes in a data path within a Cisco firewall?


A. packet tracerB. pingC. tracerouteD. SNMP walk



QUESTION 127What can an administrator do to simultaneously capture and trace packets in a Cisco ASA?

A. Install a Cisco ASA virtual appliance.B. Use the trace option of the capture command.C. Use the trace option of the packet-tracer command.D. Install a switch with a code that supports capturing, and configure a trunk to the Cisco ASA.



QUESTION 128Refer to the exhibit. Which command can produce this packet tracer output on a firewall?


A. packet-tracer input INSIDE tcp 192.168.1.100 88 192.168.2.200 3028B. packet-tracer output INSIDE tcp 192.168.1.100 88 192.168.2.200 3028C. packet-tracer input INSIDE tcp 192.168.2.200 3028 192.168.1.100 88D. packet-tracer output INSIDE tcp 192.168.2.200 3028 192.168.1.100 88




QUESTION 129At which firewall severity level will debugs appear on a Cisco ASA?

A. 7B. 6C. 5D. 4



QUESTION 130A Cisco ASA is configured in multiple context mode and has two user-defined contexts-- Context_A and Context_B. From which context are device loggingmessages sent?

A. AdminB. Context_AC. Context_BD. System



QUESTION 131Which three statements about the software requirements for a firewall failover configuration are true? (Choose three.)

A. The firewalls must be in the same operating mode.B. The firewalls must have the same major and minor software version.


C. The firewalls must be in the same context mode.D. The firewalls must have the same major software version but can have different minor versions.E. The firewalls can be in different context modes.F. The firewalls can have different Cisco AnyConnect images.



QUESTION 132What can you do to enable inter-interface firewall communication for traffic that flows between two interfaces of the same security level?

A. Run the command same-security-traffic permit inter-interface globally.B. Run the command same-security-traffic permit intra-interface globally.C. Configure both interfaces to have the same security level.D. Run the command same-security-traffic permit inter-interface on the interface with the highest security level.



QUESTION 133Which Layer 2 security feature validates ARP packets?

A. DAIB. DHCP serverC. BPDU guardD. BPDU filtering




QUESTION 134If you disable PortFast on switch ports that are connected to a Cisco ASA and globally turn on BPDU filtering, what is the effect on the switch ports?

A. The switch ports are prevented from going into an err-disable state if a BPDU is received.B. The switch ports are prevented from going into an err-disable state if a BPDU is sent.C. The switch ports are prevented from going into an err-disable state if a BPDU is received and sent.D. The switch ports are prevented from forming a trunk.



QUESTION 135In a Cisco ASAv failover deployment, which interface is preconfigured as the failover interface?

A. GigabitEthernet0/2B. GigabitEthernet0/4C. GigabitEthernet0/6D. GigabitEthernet0/8



QUESTION 136What are the three types of private VLAN ports? (Choose three.)

A. promiscuousB. isolatedC. community


D. primaryE. secondaryF. trunk



QUESTION 137Which VTP mode supports private VLANs on a switch?

A. transparentB. serverC. clientD. off



QUESTION 138Which technology can be deployed with a Cisco ASA 1000V to segregate Layer 2 access within a virtual cloud environment?

A. Cisco Nexus 1000VB. Cisco VSGC. WSVAD. ESVA




QUESTION 139Refer to the exhibit. Which type of ACL is shown in this configuration?

A. IPv4B. IPv6C. unifiedD. IDFW



QUESTION 140You are the network security engineer for the Secure-X network. The company has recently detected Increase of traffic to malware Infected destinations. The ChiefSecurity Officer deduced that some PCs in the internal networks are infected with malware and communicate with malware infected destinations.The CSO has tasked you with enable Botnet traffic filter on the Cisco ASA to detect and deny further connection attempts from infected PCs to malwaredestinations. You are also required to test your configurations by initiating connections through the Cisco ASA and then display and observe the Real-Time Log Viewer in ASDM.To successfully complete this activity, you must perform the following tasks:

- Download the dynamic database and enable use of it.- Enable the ASA to download of the dynamic database- Enable the ASA to download of the dynamic database.- Enable DNS snooping for existing DNS inspection service policy rules..- Enable Botnet Traffic Filter classification on the outside interface for All Traffic.- Configure the Botnet Traffic Filter to drop blacklisted traffic on the outside interface. Use the default Threat Levelsettings

NOTE: The database files are stored in running memory; they are not stored in flash memory. NOTE: DNS is enabled on the inside interface and set to the HQ-SRV (10.10.3.20). NOTE: Not all ASDM screens are active for this exercise.


- Verify that the ASA indeed drops traffic to blacklisted destinations by doing the following:- From the Employee PC, navigate to http://www.google.com to make sure that access to the Internet is working.- From the Employee PC, navigate to http://bot-sparta.no-ip.org. This destination is classified as malware destinationby the Cisco SIO database.- From the Employee PC, navigate to http://superzarabotok-gid.ru/. This destination is classified as malware destinationby the Cisco SIO database.- From Admin PC, launch ASDM to display and observe the Real-Time Log Viewer.

You have completed this exercise when you have configured and successfully tested Botnet traffic filter on the Cisco ASA.


A. See the explanation for detailed answer to this sim question. First, click on both boxes on the Botnet Database as shown below and hit apply:


Click Yes to send the commands when prompted.Then, click on the box on the DNS Snooping page as shown below and hit apply:


Click Yes to send the commands when prompted.Then, click on the box on the Traffic Settings tab as shown:


At which point this pop-up box will appear when you click on the Add button:


Click OK. Then Apply. Then Send when prompted.Then verify that all is working according to the instructions given in the question.



QUESTION 141You are a network security engineer for the Secure-X network. You have been tasked with implementing dynamic network object NAT with PAT on a Cisco ASA.You must configure the Cisco ASA such that the source IP addresses of all internal hosts are translated to a single IP address (using different ports) when theinternal hosts access the Internet. To successfully complete this activity, you must perform the following tasks:

- Use the Cisco ASDM GUI on the Admin PC to configure dynamic network object NAT with PAT using the followingparameters:- Network object name: Internal-Networks- IP subnet: 10.10.0.0/16- Translated IP address: 192.0.2.100- Source interface: inside- Destination interface: outside

NOTE: The object (TRANSLATED-INSIDE-HOSTS) for this translated IP address has already been created for your use in this activity.NOTE: Not all ASDM screens are active for this exercise. NOTE: Login credentials are not needed for this simulation.

- In the Cisco ASDM, display and view the auto-generated NAT rule.- From the Employee PC, generate traffic to SP-SRV by opening a browser and navigating to http://sp-srv.sp.public.- From the Guest PC, generate traffic to SP-SRV by opening a browser and navigating to http://sp-srv.sp.public.- At the CLI of the Cisco ASA, display your NAT configuration. You should see the configured policy and statistics fortranslated packets.- At the CLI of the Cisco ASA, display the translation table. You should see dynamic translations for the Employee PCand the Guest PC. Both inside IP addresses translate to the same IP address, but using different ports.

You have completed this exercise when you have configured and successfully tested dynamic network object NAT with PAT.


A. See the explanation for detailed answer to this sim question. First, click on Add Network Objects on the Network Objects/Groups tab and fill in the information as shown below:


Then, use the advanced tab and configure it as shown below:


Then hit OK, OK again, Apply, and then Send when prompted. You can verify using the instructions provided in the question



QUESTION 142Refer to the exhibit. What type of attack is being mitigated on the Cisco ASA appliance?

A. HTTP and POST flood attackB. HTTP Compromised-Key Attack


C. HTTP Shockwave Flash exploitD. HTTP SQL injection attack



QUESTION 143Hotspot Question


In your role as network security administrator, you have installed syslog server software on a server whose IP address is 10.10.2.40. According to the exhibits, whyisn't the syslog server receiving any syslog messages?

A. Logging is not enabled globally on the Cisco ASA.B. The syslog server has failed.C. There have not been any events with a severity level of seven.D. The Cisco ASA is not configured to log messages to the syslog server at that IP address.


Explanation/Reference:Explanation:By process of elimination, we know that the other answers choices are not correct so that only leaves us with the server must have failed. We can see from thefollowing screen shots, that events are being generated with severity level of debugging and below, The 10.10.2.40 IP address has been configured as a syslogserver, and that logging has been enabled globally:


According to the logging configuration on the Cisco ASA, what will happen if syslog server 10.10.2.40 fails?

A. New connections through the ASA will be blocked and debug system logs will be sent to the internal buffer.B. New connections through the ASA will be blocked and informational system logs will be sent to the internal buffer.C. New connections through the ASA will be blocked and system logs will be sent to server 10.10.2.41.D. New connections through the ASA will be allowed and system logs will be sent to server 10.10.2.41.E. New connections through the ASA will be allowed and informational system logs will be sent to the internal buffer.F. New connections through the ASA will be allowed and debug system logs will be sent to the internal buffer.


Explanation/Reference:Explanation:This is shown by the following screen shot:


Which statement is true of the logging configuration on the Cisco ASA?

A. The contents of the internal buffer will be saved to an FTP server before the buffer is overwritten.B. The contents of the internal buffer will be saved to flash memory before the buffer is overwritten.C. System log messages with a severity level of six and higher will be logged to the internal buffer.D. System log messages with a severity level of six and lower will be logged to the internal buffer.


Explanation/Reference:Explanation:


QUESTION 146Which statement about Cisco ASA NetFlow v9 (NSEL) is true?

A. NSEL events match all traffic classes in parallelB. NSEL is has a time interval locked at 20 seconds and is not user configurableC. NSEL tracks flow-create, flow-teardown, and flow-denied events and generates appropriate NSEL data recordsD. You cannot disable syslog messages that have become redundant because of NSELE. NSEL tracks the flow continuously and provides updates every 10 secondF. NSEL provides stateless IP flow tracking that exports all record od a specific flow


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_nsel.html

QUESTION 147Which URL downloads a copy of packet-capture named "security" residing on a Cisco ASA adaptive security appliance with IP 10.10.100.11?

A. https://10.10.10.11/security .pcap/downloadB. https://10.10.10.11/asa/security/pcapC. https://10.10.10.11/capture/security.pcapD. https://10.10.10.11/capture/security/pcap




QUESTION 148Which two option are protocol and tools are used by management plane when using cisco ASA general management plane hardening ?

A. Unicast Reverse Path ForwardingB. NetFlowC. Routing Protocol AuthenticationD. Threat detectionE. SyslogF. ICMP unreachablesG. Cisco URL Filtering


Explanation/Reference:http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html


QUESTION 149Which option describes the enhancements that SNMPv3 adds over 1 and 2 versions?

A. Predefined events that generate message from the SNMP agent to the NMSB. Addition of authentication and privacy optionsC. Cleartext transmission of data between SNMP server and SNMP agentD. Addition of the ability to predefine events using trapsE. Pooling of devices using GET-NEXT requestsF. Use of the object identifier


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/configuration/guide/ffun_c/fcf014.html


QUESTION 150When a Cisco ASA CX module is management by Cisco Prime Security Manager in a Multiple Devices Mode, which mode does the firewall use ?

A. Managed ModeB. Unmanaged modeC. Single modeD. Multi mode


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/security/asacx/9-1/user/guide/b_User_Guide_for_ASA_CX_and_PRSM_9_1b_User_Guide_for_ASA_CX_and_PRSM_9_1_chapter_0110.html#task_7E648F43AD724DA2983699B12E92A528


QUESTION 151Which option is the default logging buffer size In memory of the Cisco ASA adaptive security appliance?

A. 8KBB. 32KBC. 2KBD. 16KBE. 4KB


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/monitor_syslog.html

QUESTION 152What is the best description of a unified ACL on a Cisco Firewall

A. An Ipv4 ACL with Ipv4 supportB. An ACL the support EtherType in additional Ipv6


C. An ACL with both Ipv4 and Ipv6 functionalityD. An Ipv6 ACL with Ipv4 backward compatitiblity


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_intro.html

QUESTION 153Which options lists cloud deployment modes?

A. Private, public, hydrid, community

B. Private, public, hydrid, sharedC. IaaS, PaaS, SaaSD. Private, public, hydrid

Correct Answer: ASection: (none)


Explanation

Explanation/Reference:https://www.ibm.com/developerworks/community/blogs/722f6200-f4ca-4eb3-9d64-8d2b58b2d4e8/entry/4_Types_of_Cloud_Computing_Deployment_Model_You_Need_to_Know1?lang=en

QUESTION 154Where do you apply a control plane services policy to implement Management Plane Protection on a Cisco Router?

A. Control-plane routerB. Control-plane hostC. Control-plane interface management 0/0D. Control-plane service policy


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html


QUESTION 155Which option is a valid action for a port security violation ?

A. RestrictB. RejectC. DisableD. Reset



QUESTION 156Which statement about the configuration of the Cisco ASA NetFlow v9 (NSEL) is true ?

A. To view bandwidth usage for the NetFlow record, you must enable QoS features


B. Use sysopt command to enable NSEL on a specific interfaceC. NSEL can be used without a collector configuredD. NSEL tracks the flow continuously and provides updates every 10 secondsE. You must define a flow-export event type under a policy


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/monitor_nsel.html

QUESTION 157Prior to a software upgrade, which Cisco Prime Infrastructure feature determines if the devices being upgraded have sufficient RAM to support te new software ?

A. Software Upgrade ReportB. Image Management ReportC. Upgrade Analysis ReportD. Image Analysis Report


Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-0/user/guide/prime_infra_ug/maint_images.html

Cisco.PracticeTest.300-206.v2016-08-25.by.Robert · A network engineer is troubleshooting and...

Documents

Transcript of Cisco.PracticeTest.300-206.v2016-08-25.by.Robert · A network engineer is troubleshooting and...