Flashcards - ccna security 2.pdf


  • 7/24/2019 Flashcards - ccna security 2.pdf

    1/12

    11/18/2015 Flashcards - ccna security 2

    http://www.freezingblue.com/flashcards/print_preview.cgi?cardsetID=304843 1/12

    Card Set Information

    Author: rkrouse

    ID: 304843

    Filename: ccna security 2

    Updated: 2015-07-07 07:37:57

    Tags: ccnasecurity2

    Description: 2nd ccna security cards

    ccna security 2

    1. QUESTION 161

    Which three statements about RADIUS are true? (Choose three.)

    A. RADIUS uses TCP port 49.

    B. RADIUS uses UDP ports 1645 or 1812.

    C. RADIUS encrypts the entire packet.

    D. RADIUS encrypts only the password in the Access-Request packet.

    E. RADIUS is a Cisco proprietary technology.

    F. RADIUS is an open standard.

    Answer: BDF

    2. QUESTION 162

    Which network security framework is used to set up access control on Cisco Appliances?

    A. RADIUS

    B. AAA

    C. TACACS+

    D. NAS

    Answer: B

    3. QUESTION 163

    Which two protocols are used in a server-based AAA deployment? (Choose two.)

    A. RADIUS

    B. TACACS+

    C. HTTPS

    D. WCCP

    E. HTTP

    Answer: AB

    4. QUESTION 164

    Which Cisco IOS command will verify authentication between a router and a AAA server?

    A. debug aaa authentication

    B. test aaa group

    C. test aaa accounting

    D. aaa new-model

    Answer: B

    5. QUESTION 165

    Which AAA feature can automate record keeping within a network?

    A. TACACS+

    B. authentication

    C. authorization

    D. accounting

    Answer: D

    6. QUESTION 166

    Which two statements about IPv6 access lists are true? (Choose two).

    A. IPv6 access lists support numbered access lists.

    B. IPv6 access lists support wildcard masks.

    C. IPv6 access lists support standard access lists.

    D. IPv6 access lists support named access lists.

    E. IPv6 access lists support extended access lists.

    Answer: DE

    7. QUESTION 167

    Which command enables subnet 192.168.8.4/30 to communicate with subnet 192.168.8.32/27 on IP protocol 50?

    A. permit esp 192.168.8.4 255.255.255.252 192.168.8.32 255.255.255.224

    B. permit esp 192.168.8.4 0.0.0.31 192.168.8.32 0.0.0.31

    C. permit esp 192.168.8.4 255.255.255.252 224.168.8.32 255.255.255.192

    D. permit esp 192.168.8.4 0.0.0.3 192.168.8.32 0.0.0.31

    Answer: D


    8. QUESTION 168

    Which two types of access lists can be used for sequencing? (Choose two.)

    A. reflexive

    B. standard

    C. dynamic

    D. extended

    Answer: BD

    9. QUESTION 169

    Which command will block IP traffic to the destination 172.16.0.1/32?

    A. access-list 101 deny ip host 172.16.0.1 any

    B. access-list 101 deny ip any host 172.16.0.1

    C. access-list 101 deny ip any any

    D. access-list 11 deny host 172.16.0.1

    Answer: B

    10. QUESTION 170

    Which two considerations about secure network monitoring are important? (Choose two.)

    A. log tampering

    B. encryption algorithm strength

    C. accurate time stamping

    D. off-site storage

    E. Use RADIUS for router commands authorization.

    F. Do not use a loopback interface for device management access.

    Answer: AC

    11. QUESTION 171

    Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)

    A. root guard

    B. BPDU filtering

    C. Layer 2 PDU rate limiter

    D. BPDU guard

    Answer: AD

    12. QUESTION 172

    Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)

    A. IP source guard

    B. port security

    C. root guard

    D. BPDU guard

    Answer: AB

    13. QUESTION 173

    Which statement correctly describes the function of a private VLAN?

    A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.

    B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.

    C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.

    D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.

    Answer: A

    14. QUESTION 174

    What are two primary attack methods of VLAN hopping? (Choose two.)

    A. VoIP hopping

    B. switch spoofing

    C. CAM-table overflow

    D. double tagging

    Answer: BD

    15. QUESTION 175

    Which type of attack can be prevented by setting the native VLAN to an unused VLAN?

    A. VLAN-hopping attacks

    B. CAM-table overflow

    C. denial-of-service attacks

    D. MAC-address spoofing

    Answer: A

    16. QUESTION 176

    What is the purpose of a trunk port?

    A. A trunk port carries traffic for multiple VLANs.

    B. A trunk port connects multiple hubs together to increase bandwidth.

    C. A trunk port separates VLAN broadcast domains.

    D. A trunk port provides a physical link specifically for a VPN.

    Answer: A

    17. QUESTION 177

    The host A Layer 2 port is configured in VLAN 5 on switch 1, and the host B Layer 2 port is configured in VLAN 10 on switch 1. Which two actions can you take to enable the two hosts to communicate with each other? (Choose two.)

    A. Configure inter-VLAN routing.

    B. Connect the hosts directly through a hub.

    C. Configure switched virtual interfaces.

    D. Connect the hosts directly through a router.

    Answer: AC

    18. QUESTION 178

    Which two pieces of information should you acquire before you troubleshoot an STP loop? (Choose two.)

    A. topology of the routed network

    B. topology of the switched network

    C. location of the root bridge

    D. number of switches in the network

    Answer: BC

    19. QUESTION 179

    Which two options are symmetric-key algorithms that are recommended by Cisco? (Choose two.)

    A. Twofish

    B. Advanced Encryption Standard

    C. Blowfish

    D. Triple Data Encryption Standard

    Answer: BD

    20. QUESTION 180

    Which technology provides an automated digital certificate management system for use with IPsec?

    A. ISAKMP

    B. public key infrastructure

    C. Digital Signature Algorithm

    D. Internet Key Exchange

    Answer: B

    21. QUESTION 181

    Which two IPsec protocols are used to protect data in motion? (Choose two.)

    A. Encapsulating Security Payload Protocol

    B. Transport Layer Security Protocol

    C. Secure Shell Protocol

    D. Authentication Header Protocol

    Answer: AD

    22. QUESTION 182

    On which protocol number does Encapsulating Security Payload operate?

    A. 06

    B. 47

    C. 50

    D. 51

    Answer: C

    23. QUESTION 183

    On which protocol number does the authentication header operate?

    A. 06

    B. 47

    C. 50

    D. 51

    Answer: D

    24. QUESTION 185

    In an IPsec VPN, what determination does the access list make about VPN traffic?

    A. whether the traffic should be blocked

    B. whether the traffic should be permitted

    C. whether the traffic should be encrypted

    D. the peer to which traffic should be sent

    Answer: C

    25. QUESTION 186

    Which command verifies phase 2 of an IPsec VPN on a Cisco router?

    A. show crypto map

    B. show crypto ipsec sa

    C. show crypto isakmp sa

    D. show crypto engine connection active

    Answer: B

    26. QUESTION 187

    You are troubleshooting a Cisco AnyConnect VPN on a firewall and issue the command show webvpn anyconnect. The output shows the message "SSL VPN is not enabled" instead of showing the AnyConnect package. Which action can you take to resolve the problem?

    A. Issue the enable outside command.

    B. Issue the anyconnect enable command.

    C. Issue the enable inside command.

    D. Reinstall the AnyConnect image.

    Answer: B

    27. QUESTION 188

    What is the key difference between host-based and network-based intrusion prevention?

    A. Network-based IPS is C SSL and TLS encrypted data flows.

    B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.

    C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.

    D. Host-based IPS can work in promiscuous mode or inline mode.

    E. Host-based IPS is more scalable than network-based IPS.

    F. Host-based IPS deployment requires less planning than network-based IPS.

    Answer: C

    28. QUESTION 189

    Which one is the most important based on the following common elements of a network design?

    A. Business needs

    B. Best practices

    C. Risk analysis

    D. Security policy

    Answer: A

    29. QUESTION 190

    When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet period"?

    A. A period of time when no one is attempting to log in

    B. The period of time in which virtual logins are blocked as security services fully initialize

    C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts

    D. The period of time between successive login attempts

    Answer: C

    30. QUESTION 191

    What is a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?

    A. The show version command will not show the Cisco IOS image file location.

    B. The Cisco IOS image file will not be visible in the output from the show flash command.

    C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.

    D. The running Cisco IOS image will be encrypted and then automatically backed up to the NVRAM.

    E. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.

    Answer: B

    31. QUESTION 192

    Which three statements are valid SDM configuration wizards? (Choose three.)

    A. Security Audit

    B. VPN

    C. STP

    D. NAT

    Answer: ABD

    32. QUESTION 193

    How do you define the authentication method that will be used with AAA?

    A. With a method list

    B. With the method command

    C. With the method aaa command

    D. With a method statement

    Answer: A

    33. QUESTION 194

    Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level?

    A. aaa authentication enable default local

    B. aaa authentication enable level

    C. aaa authentication enable method default

    D. aaa authentication enable default

    Answer: D

    34. QUESTION 195

    Which two ports are used with RADIUS authentication and authorization? (Choose two.)

    A. TCP port 2002

    B. UDP port 2000

    C. UDP port 1645

    D. UDP port 1812

    Answer: CD

    35. QUESTION 196

    Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration?

    A. Pervasive secure MAC address

    B. Static secure MAC address

    C. Sticky secure MAC address

    D. Dynamic secure MAC address

    Answer: C

    36. QUESTION 197

    What command displays all existing IPsec security associations (SA)?

    A. show crypto isakmp sa

    B. show crypto ipsec sa

    C. show crypto ike active

    D. show crypto sa active

    Answer: B

    37. QUESTION 198

    Which of the following is not considered a trustworthy symmetric encryption algorithm?

    A. 3DES

    B. IDEA

    C. EDE

    D. AES

    Answer: C

    38. QUESTION 199

    For the following items, which management topology keeps management traffic isolated from production traffic?

    A. OOB

    B. SAFE

    C. MARS

    D. OTP

    Answer: A

    39. QUESTION 200

    Which type of cipher achieves security by rearranging the letters in a string of text?

    A. Vigenère cipher

    B. Stream cipher

    C. Transposition cipher

    D. Block cipher

    Answer: C

    40. QUESTION 201

    Which of the following are techniques used by symmetric encryption cryptography? (Choose all that apply.)

    A. Block ciphers

    B. Message Authentication Codes (MAC)

    C. One-time pad

    D. Stream ciphers

    E. Vigenère cipher

    Answer: ABD

    41. QUESTION 202

    Which two statements are true about the differences between IDS and IPS? (Choose two.)

    A. IPS operates in promiscuous mode.

    B. IPS receives a copy of the traffic to be analyzed.

    C. IPS operates in inline mode.

    D. IDS receives a copy of the traffic to be analyzed.

    Answer: CD

    42. QUESTION 203

    Which option is a desirable feature of using symmetric encryption algorithms?

    A. they are often used for wire-speed encryption in data networks

    B. they are based on complex mathematical operations and can easily be accelerated by hardware

    C. they offer simple key management properties

    D. they are best used for one-time encryption needs

    Answer: A

    43. QUESTION 204

    Which option is true of using cryptographic hashes?

    A. they are easily reversed to decipher the message context

    B. they convert arbitrary data into fixed length digits

    C. they are based on a two-way mathematical function

    D. they are used for encrypting bulk data communications

    Answer: B

    44. QUESTION 205

    When implementing network security, what is an important configuration task that you should perform to assist in correlating network and security events?

    A. configure network time protocol

    B. configure synchronized syslog reporting

    C. configure a common repository of all network events for ease of monitoring

    D. configure an automated network monitoring system for event correlation

    Answer: A

    45. QUESTION 206

    Which of these options is a Cisco IOS feature that lets you more easily configure security features on your router?

    A. cisco self-defending network

    B. implementing AAA command authorization

    C. the auto secure CLI command

    D. performing a security audit via SDM

    Answer: C

    46. QUESTION 207

    What is the most common Cisco Discovery Protocol version 1 attack?

    A. denial of service

    B. MAC-address spoofing

    C. CAM-table overflow

    D. VLAN hopping

    Answer: A

    47. QUESTION 208

    Which option describes a function of a virtual VLAN?

    A. A virtual VLAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.

    B. A virtual VLAN creates trunks and links two switches together.

    C. A virtual VLAN adds every port on a switch to its own collision domain.

    D. A virtual VLAN connects many hubs together.

    Answer: A

    48. QUESTION 209

    Which action can you take to add bandwidth to a trunk between two switches and end up with only one logical interface?

    A. Configure another trunk link.

    B. Configure EtherChannel.

    C. Configure an access port.

    D. Connect a hub between the two switches.

    Answer: B

    49. QUESTION 210

    If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?

    A. The interface on both switches may shut down.

    B. STP loops may occur.

    C. The switch with the higher native VLAN may shut down.

    D. The interface with the lower native VLAN may shut down.

    Answer: B

    50. QUESTION 211

    Which VTP mode allows you to change the VLAN configuration and will then propagate the change throughout the entire switched network?

    A. VTP server

    B. VTP client

    C. VTP transparent

    D. VTP off

    Answer: A

    51. QUESTION 212

    When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?

    A. STP elects the root bridge.

    B. STP selects the root port.

    C. STP selects the designated port.

    D. STP blocks one of the ports.

    Answer: A

    52. QUESTION 213

    What is the default STP priority on a switch?

    A. 4096

    B. 24576

    C. 16384

    D. 32768

    Answer: D

    53. QUESTION 214

    Which two options are asymmetric-key algorithms that are recommended by Cisco? (Choose two.)

    A. Rivest-Shamir-Adleman Algorithm

    B. ElGamal encryption system

    C. Digital Signature Algorithm

    D. Paillier cryptosystem

    Answer: AC

    54. QUESTION 215

    Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message?

    A. the transform set

    B. the group policy

    C. the hash

    D. the crypto map

    Answer: C

    55. QUESTION 216

    Which three options are components of Transport Layer Security? (Choose three.)

    A. stateless handshake

    B. stateful handshake

    C. application layer

    D. session layer

    E. pre-shared keys

    F. digital certificates

    Answer: BCF

    56. QUESTION 217

    What are three features of IPsec tunnel mode? (Choose three.)

    A. IPsec tunnel mode supports multicast.

    B. IPsec tunnel mode is used between gateways.

    C. IPsec tunnel mode is used between end stations.

    D. IPsec tunnel mode supports unicast traffic.

    E. IPsec tunnel mode encrypts only the payload.

    F. IPsec tunnel mode encrypts the entire packet.

    Answer: BDF

    57. QUESTION 218

    Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router?

    A. show crypto map

    B. show crypto ipsec sa

    C. show crypto isakmp sa

    D. show crypto session

    Answer: D

    58. QUESTION 219

    How can you prevent clientless SSL VPN users from accessing any HTTP or HTTPS URL within the portal?

    A. Configure a web ACL.

    B. Turn off URL entry.

    C. Configure a smart tunnel.

    D. Configure a portal access rule.

    Answer: B

    59. QUESTION 220

    Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection?

    A. perfect forward secrecy

    B. dead peer detection

    C. keepalives

    D. IKEv2

    Answer: B

    60. QUESTION 221

    Where is the transform set applied in an IOS IPsec VPN?

    A. on the WAN interface

    B. in the ISAKMP policy

    C. in the crypto map

    D. on the LAN interface

    Answer: C

    61. QUESTION 222

    Which authentication protocol does the Cisco AnyConnect VPN password management feature require to operate?

    A. MS-CHAPv1

    B. MS-CHAPv2

    C. CHAP

    D. Kerberos

    Answer: B

    62. QUESTION 223

    In which stage of an attack does the attacker discover devices on a target network?

    A. reconnaissance

    B. gaining access

    C. maintaining access

    D. covering tracks

    Answer: A

    63. QUESTION 224

    Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?

    A. Unidirectional Link Detection

    B. Unicast Reverse Path Forwarding

    C. TrustSec

    D. IP Source Guard

    Answer: B

    64. QUESTION 225

    By which kind of threat is the victim tricked into entering username and password information at a disguised website?

    A. phishing

    B. spam

    C. malware

    D. spoofing

    Answer: A

    65. QUESTION 226

    Which Cisco product can help mitigate web-based attacks within a network?

    A. Adaptive Security Appliance

    B. Web Security Appliance

    C. Email Security Appliance

    D. Identity Services Engine

    Answer: B

    66. QUESTION 227

    Which type of IPS can identify worms that are propagating in a network?

    A. signature-based IPS

    B. policy-based IPS

    C. anomaly-based IPS

    D. reputation-based IPS

    Answer: C

    67. QUESTION 228

    When a company puts a security policy in place, what is the effect on the company's business?

    A. minimizing risk

    B. minimizing total cost of ownership

    C. minimizing liability

    D. maximizing compliance

    Answer: A

    68. QUESTION 229

    Which IOS feature can limit SSH access to a specific subnet under a VTY line?

    A. access class

    B. access list

    C. route map

    D. route tag

    Answer: A

    69. QUESTION 230

    Which command configures logging on a Cisco ASA firewall to include the date and time?

    A. logging facility

    B. logging enable

    C. logging timestamp

    D. logging buffered debugging

    Answer: C

    70. QUESTION 231

    Which two protocols can SNMP use to send messages over a secure communications channel? (Choose two.)

    A. DTLS

    B. TLS

    C. ESP

    D. AH

    E. ISAKMP

    Answer: AB

    71. QUESTION 232

    Which two options are for securing NTP? (Choose two.)

    A. a stratum clock

    B. access lists

    C. Secure Shell

    D. authentication

    E. Telnet

    Answer: BD

    72. QUESTION 233

    What must be configured before Secure Copy can be enabled?

    A. SSH

    B. AAA

    C. TFTP

    D. FTP

    Answer: B

    73. QUESTION 234

    Which two ports does Cisco Configuration Professional use? (Choose two.)

    A. 80

    B. 8080

    C. 443

    D. 21

    E. 23

    Answer: AC

    74. QUESTION 235

    Which two options are physical security threats? (Choose two.)

    A. hardware

    B. environment

    C. access lists

    D. device configurations

    E. software version

    Answer: AB

    75. QUESTION 236

    Which command configures stateful packet inspection to inspect a packet after it passes the inbound ACL of the input interface?

    A. ip inspect out

    B. ip inspect in

    C. ip inspect name audit-trail on

    D. ip inspect name audit-trail off

    Answer: B

    76. QUESTION 237

    Which statement about identity NAT is true?

    A. It is a static NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.

    B. It is a dynamic NAT configuration that translates a real IP address to a mapped IP address.

    C. It is a static NAT configuration that translates a real IP address to a mapped IP address.

    D. It is a dynamic NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.

    Answer: A

    77. QUESTION 238

    Which element must you configure to allow traffic to flow from one security zone to another?

    A. a zone pair

    B. a site-to-site VPN

    C. a zone list

    D. a zone-based policy

    Answer: A

    78. QUESTION 239

    With which two NAT types can Cisco ASA implement address translation? (Choose two.)

    A. network object NAT

    B. destination NAT

    C. twice NAT

    D. source NAT

    E. double NAT

    Answer: AC

    79. QUESTION 240

    Which technology is the most effective choice for locally mirroring ports to support data investigation for a single device at the data layer?

    A. RMON

    B. SPAN

    C. RSPAN

    D. ERSPAN

    Answer: B

    80. QUESTION 241

    Which three actions can an inline IPS take to mitigate an attack? (Choose three.)

    A. modifying packets inline

    B. denying the connection inline

    C. denying packets inline

    D. resetting the connection inline

    E. modifying frames inline

    F. denying frames inline

    Answer: ABC

    81. QUESTION 242

    Which monitoring protocol uses TCP port 1470 or UDP port 514?

    A. RELP

    B. Syslog

    C. SDEE

    D. IMAP

    E. SNMP

    F. CSM

    Answer: B

    82. QUESTION 243

    Which option provides the most secure method to deliver alerts on an IPS?

    A. IME

    B. CSM

    C. SDEE

    D. syslog

    Answer: C

    83. QUESTION 244

    Which statement about the Atomic signature engine is true?

    A. It can perform signature matching on a single packet only.

    B. It can perform signature matching on multiple packets.

    C. It can examine applications independent of the platform.

    D. It can flexibly match patterns in a session.

    Answer: A

    84. QUESTION 245

    What is the function of an IPS signature?

    A. It determines the best course of action to mitigate a threat.

    B. It detects network intrusions by matching specified criteria.

    C. It provides logging data for allowed connections.

    D. It provides threat-avoidance controls.

    Answer: B

    85. QUESTION 246

    Which two options are advantages of a network-based Cisco IPS? (Choose two.)

    A. It can examine encrypted traffic.

    B. It can protect the host after decryption.

    C. It is an independent operating platform.

    D. It can observe bottom-level network events.

    E. It can block traffic.

    Answer: CD

    86. QUESTION 247

    Which statement about the role-based CLI access views on a Cisco router is true?

    A. The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view.

    B. The maximum number of configurable CLI access views is 10, including one superview.

    C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.

    D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.

    Answer: C

    87. QUESTION 248

    Which three protocols are supported by management plane protection? (Choose three.)

    A. SNMP

    B. SMTP

    C. SSH

    D. OSPF

    E. HTTPS

    F. EIGRP

    Answer: ACE

    88. QUESTION 249

    Which statement about rule-based policies in Cisco Security Manager is true?

    A. Rule-based policies contain one or more rules that are related to a device's security and operations parameters.

    B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.

    C. Rule-based policies contain one or more user roles that are related to a device's security and operations parameters.

    D. Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device.

    Answer: B

    89. QUESTION 250

    Which Cisco Security Manager feature enables the configuration of unsupported device features?

    A. Deployment Manager

    B. FlexConfig

    C. Policy Object Manager

    D. Configuration Manager

    Answer: B

    90. QUESTION 251

    Which statement about IPv6 address allocation is true?

    A. IPv6-enabled devices can be assigned only one IPv6 IP address.

    B. A DHCP server is required to allocate IPv6 IP addresses.

    C. IPv6-enabled devices can be assigned multiple IPv6 IP addresses.

    D. ULA addressing is required for Internet connectivity.

    Answer: C

    91. QUESTION 252

    Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method?

    A. aaa authentication enable console LOCAL SERVER_GROUP

    B. aaa authentication enable console SERVER_GROUP LOCAL

    C. aaa authentication enable console local

    D. aaa authentication enable console LOCAL

    Answer: D

    92. QUESTION 253

    Which command will configure a Cisco router to use a TACACS+ server to authorize network services with no fallback method?

    A. aaa authorization exec default group tacacs+ none

    B. aaa authorization network default group tacacs+ none

    C. aaa authorization network default group tacacs+

    D. aaa authorization network default group tacacs+ local

    Answer: C

    93. QUESTION 254

    Which three statements about RADIUS are true? (Choose three.)

    A. RADIUS uses TCP port 49.

    B. RADIUS uses UDP ports 1645 or 1812.

    C. RADIUS encrypts the entire packet.

    D. RADIUS encrypts only the password in the Access-Request packet.

    E. RADIUS is a Cisco proprietary technology.

    F. RADIUS is an open standard.

    Answer: BDF

    94. QUESTION 255

    Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads?

    A. aaa accounting network default start-stop group radius

    B. aaa accounting auth-proxy default start-stop group radius

    C. aaa accounting system default start-stop group radius

    D. aaa accounting exec default start-stop group radius

    Answer: C

    95. QUESTION 256

    Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)

    A. start-stop

    B. stop-record

    C. stop-only

    D. stop

    Answer: AC

    96. QUESTION 257

    What is the first command you enter to configure AAA on a new Cisco router?

    A. aaa configuration

    B. no aaa-configuration

    C. no aaa new-model

    D. aaa new-model

    Answer: D

    97. QUESTION 258

    Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)

    A. EAP

    B. ASCII

    C. PAP

    D. PEAP

    E. MS-CHAPv1

    F. MS-CHAPv2

    Answer: BCE

    98. QUESTION 259

    What is the default privilege level for a new user account on a Cisco ASA firewall?

    A. 0

    B. 1

    C. 2

    D. 15

    Answer: C

    99. QUESTION 260

    Which statement about ACL operations is true?

    A. The access list is evaluated in its entirety.

    B. The access list is evaluated one access-control entry at a time.

    C. The access list is evaluated by the most specific entry.

    D. The default explicit deny at the end of an access list causes all packets to be dropped.

    Answer: B

    100. QUESTION 261

    Which three statements about access lists are true? (Choose three.)

    A. Extended access lists should be placed as near as possible to the destination.

    B. Extended access lists should be placed as near as possible to the source.

    C. Standard access lists should be placed as near as possible to the destination.

    D. Standard access lists should be placed as near as possible to the source.

    E. Standard access lists filter on the source address.

    F. Standard access lists filter on the destination address.


    Answer: BCE

    101. QUESTION 262

    Which command configures a device to actively watch connection requests and provide immediate protection from DDoS attacks?

    A. router(config)# ip tcp intercept mode intercept

    B. router(config)# ip tcp intercept mode watch

    C. router(config)# ip tcp intercept max-incomplete high 100

    D. router(config)# ip tcp intercept drop-mode random

    Answer: A

    102. QUESTION 263

    Which command will block external spoofed addresses?

    A. access-list 128 deny ip 10.0.0.0 0.0.255.255 any

    B. access-list 128 deny ip 192.168.0.0 0.0.0.255 any

    C. access-list 128 deny ip 10.0.0.0 0.255.255.255 any

    D. access-list 128 deny ip 192.168.0.0 0.0.31.255 any

    Answer: C

    103. QUESTION 264

    Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.)

    A. port security

    B. DHCP snooping

    C. IP source guard

    D. dynamic ARP inspection

    Answer: BD

    104. QUESTION 265

    What is the Cisco preferred countermeasure to mitigate CAM overflows?

    A. port security

    B. dynamic port security

    C. IP source guard

    D. root guard

    Answer: B
