cisco.braindumps.350-018.v2016-07-22.by.dodo.140q - gratis … · 2019-11-09 · what cisco ios...

http://www.gratisexam.com/

CCIE 350-018
Number: 350-018
Passing Score: 800
Time Limit: 120 min
File Version: 1.0



Exam A

QUESTION 1
Which of the following statements are true regarding hashing? (Choose two.)

A. Changing 1 bit of the input to SHA-1 changes 1 bit of the output.
B. SHA-1 is stronger than MD5 because it can be used with a key to prevent modification.
C. MD5 produces a 160-bit result.
D. MD5 takes more CPU cycles to compute than SHA-1.
E. SHA-256 is an extension to SHA-1 with a longer output.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
A is wrong: changing one input bit changes roughly half of the output bits (the avalanche effect), not a single bit.
B is wrong: neither SHA-1 nor MD5 takes a key. Keyed integrity protection is HMAC, which can be built on either hash.
C is wrong: MD5 produces a 128-bit digest (SHA-1 produces 160 bits).
D is wrong: MD5 is somewhat less CPU-intensive than SHA-1.
E is wrong as stated: SHA-256 is a member of the SHA-2 family with a different internal design, not an extension of SHA-1.
Taken together these notes reject every option, so the listed answer BE does not agree with the explanation.
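The three facts the options turn on (digest sizes, avalanche, and why a plain hash is not a keyed integrity check) can be checked directly. The following is an added example written for this page, not part of the exam dump; the message, the key and the "attacker" are constructed for illustration.

```python
# Added example (not from the exam dump): digest sizes, the avalanche effect,
# and the difference between an unkeyed digest and an HMAC.
import hashlib
import hmac


def digest_bits(algorithm: str) -> int:
    """Output size in bits of a hashlib algorithm (md5 -> 128, sha1 -> 160, sha256 -> 256)."""
    return hashlib.new(algorithm).digest_size * 8


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit flipped (bit 0 = LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def differing_bits(algorithm: str, data: bytes, bit_index: int = 0) -> int:
    """Hash data and the same data with one bit flipped; count output bits that differ.

    For a sound hash this is close to half of the output size, not 1 (option A).
    """
    h1 = int.from_bytes(hashlib.new(algorithm, data).digest(), "big")
    h2 = int.from_bytes(hashlib.new(algorithm, flip_bit(data, bit_index)).digest(), "big")
    return bin(h1 ^ h2).count("1")


def attacker_forges(message: bytes, key: bytes):
    """Simulate an attacker who alters a message and recomputes whatever check they can.

    Returns (plain_digest_accepted, hmac_accepted). The unkeyed SHA-1 digest is
    recomputable by anyone, so the verifier accepts the tampered message; the HMAC
    cannot be recomputed without `key`, so the forgery is rejected (option B confuses
    the two: the key belongs to HMAC, not to SHA-1 itself).
    """
    tampered = message.replace(b"100", b"900")            # constructed tampering
    forged_digest = hashlib.sha1(tampered).digest()        # attacker recomputes plain digest
    forged_tag = hmac.new(b"attacker-guess", tampered, "sha1").digest()  # wrong key

    plain_ok = hmac.compare_digest(hashlib.sha1(tampered).digest(), forged_digest)
    hmac_ok = hmac.compare_digest(hmac.new(key, tampered, "sha1").digest(), forged_tag)
    return plain_ok, hmac_ok


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed input
    for alg in ("md5", "sha1", "sha256"):
        print(f"{alg}: {digest_bits(alg)} bits, "
              f"{differing_bits(alg, sample)} bits change after a 1-bit input flip")
    print(attacker_forges(b"pay 100 to bob", b"constructed-shared-key"))
```

Run it and the avalanche counts land near half of each digest size, which is what makes the "1 bit in, 1 bit out" claim false; the last line prints `(True, False)`.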

QUESTION 2
Which statement about the effect of this command is true?

Refer to the exhibit.

A. It lists the current protocol-to-port mappings of NBAR.
B. It lists traffic that is packet switched and bypassed by NBAR.
C. It lists the number of packets processed for unknown and unclassified flows.
D. It lists the attributes configured for unknown and unclassified flows.
E. It displays the link age for unknown and unclassified flows.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
show ip nbar protocol-attribute unknown: (Optional) Displays the list of configured attributes for unknown and unclassified traffic.

QUESTION 3
Which four of these attacks or wireless tools can the standard IDS signatures on a wireless LAN controller detect? (Choose four.)

A. long HTTP request
B. SYN flood
C. Deauthentication flood
D. NetStumbler
E. Wellenreiter
F. Association flood
G. AirSnort
H. Fragment Overlap attack

Correct Answer: CDEG
Section: (none)
Explanation

Explanation/Reference:
When a management frame flood signature is used to detect such an attack, the access point identifies management frames matching the entire characteristic of the signature. If the frequency of these frames is greater than the frequency set in the signature, an access point that hears these frames triggers an alarm. The controller generates a trap and forwards it to Cisco Prime Infrastructure.

The management frame flood signatures are as follows:

Assoc flood (precedence 4)

Auth flood (precedence 5)

Reassoc flood (precedence 6)

Broadcast probe flood (precedence 7)


Disassoc flood (precedence 8)

Deauth flood (precedence 9)

Reserved mgmt 7 (precedence 10)

Reserved mgmt F (precedence 11)

The reserved management frame signatures 7 and F are reserved for future use.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69366-controller-ids-sig.html

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01000001.html

QUESTION 4
What Cisco IOS feature prevents an attacker from filling up the MTU cache for locally generated traffic when using path MTU discovery?

A. Use NetFlow information to export data to a workstation.
B. Force all traffic to send 1280-byte packets by hard coding the MSS.
C. Enable flow-label marking to track packet destination.
D. Enable flow-label switching to track IPv6 packets in the MPLS cloud.
E. Always use packets of 1500-byte size or larger.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
How to Configure IPv6 MTU Path Discovery: Enabling Flow-Label Marking in Packets that Originate from the Device. This feature allows the device to track the destinations to which it has sent packets that are 1280 bytes or larger, so an attacker cannot fill the MTU cache with entries for arbitrary destinations.

Path MTU discovery in IPv6 allows a host to dynamically discover and adjust to differences in the MTU size of every link along a given data path.

SUMMARY STEPS
1. enable
2. configure terminal
3. ipv6 flowset
4. exit
5. clear ipv6 mtu

QUESTION 5
What technology can you implement on your network to allow IPv4-dependent applications to work with IPv6-capable applications?

A. DS-Lite
B. NAT-PT
C. ISATAP
D. NAT 6to4
E. NAT64

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
This transition method is useful when IPv6 is the predominant connectivity type and there is still a need to reach specific IPv4 nodes that are on their way out. NAT-PT (option B) is the deprecated predecessor; although deprecated, it is a good introduction to understanding NAT64/DNS64, which replaces it.

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html
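The piece of NAT64/DNS64 that is easiest to get wrong in practice is the address mapping: DNS64 synthesizes an AAAA record by embedding the IPv4 address in a NAT64 prefix (RFC 6052), and the NAT64 translator reverses that embedding. The following is an added example written for this page (not Cisco code and not from the exam dump) covering the /96 prefix case only; the well-known prefix 64:ff9b::/96 is from RFC 6052, and the DNS answers fed to `dns64_answer` are constructed.

```python
# Added example (not from the exam dump): RFC 6052 /96 address embedding as
# used by DNS64 (synthesis) and NAT64 (translation back to IPv4).
import ipaddress
from typing import List, Optional

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known NAT64 prefix


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (what DNS64 emits)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 NAT64 prefixes only")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4).compressed


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Reverse mapping performed by the NAT64 translator; None if not a NAT64 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(aaaa_records: List[str], a_records: List[str],
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> List[str]:
    """DNS64 decision: hand back native AAAA records untouched; synthesize only when
    the name has no AAAA but does have A records, so dual-stack hosts keep native paths."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a, prefix) for a in a_records]


if __name__ == "__main__":
    # constructed lookups for an IPv4-only server and a dual-stack server
    print(dns64_answer([], ["192.0.2.33"]))                    # ['64:ff9b::c000:221']
    print(dns64_answer(["2001:db8::10"], ["192.0.2.34"]))      # ['2001:db8::10']
    print(extract_ipv4("64:ff9b::c000:221"))                   # 192.0.2.33
```

The second call shows the rule that matters for troubleshooting: a host with a native AAAA record never goes through the translator, so a "NAT64 is not translating" ticket for such a host is not a NAT64 problem.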

QUESTION 6
Which three of these statements about a zone-based policy firewall are correct? (Choose three.)

A. An interface can be assigned to only one security zone.
B. By default, all traffic to and from an interface that belongs to a security zone is dropped unless explicitly allowed in the zone-pair policy.
C. Firewall policies, such as the pass, inspect, and drop actions, can only be applied between two zones.
D. In order to pass traffic between two interfaces that belong to the same security zone, you must configure a pass action using class-default.
E. Traffic cannot flow between a zone member interface and any interface that is not a zone member.

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

A: An interface can be assigned to only one security zone, so A is correct.
B: Only partially correct. All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone and traffic to any interface on the router itself (the self zone).
C: Pass, inspect, and drop actions can only be applied between two zones, so C is correct.
D: Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone, so D is not correct.
E: Traffic cannot flow between a zone member interface and any interface that is not a zone member, so E is correct.

QUESTION 7
What is the maximum number of hops from the device that generated the given output to its BGP neighbor at 4.4.4.4?

Refer to the exhibit.

A. 3
B. 252
C. 5
D. 255
E. 2
F. 254

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Same as the example at https://supportforums.cisco.com/document/86776/securing-ebgp-sessions-ttl-security-feature

The part missing from the output (and therefore the answer) is: "External BGP neighbor may be up to 3 hops away."

The command applied on this device is: neighbor 4.4.4.4 ttl-security hops 3

The feature is configured with the neighbor <ip-address> ttl-security hops <count> BGP configuration command. The router calculates the minimum acceptable TTL from the configured hop count: TTL = 255 - (hop count).

The feature has a few limitations: when neighbor ttl-security is enabled, neighbor ebgp-multihop is not required, and the feature applies only to eBGP, not iBGP.

4.4.4.4 originates BGP packets with a TTL of 255, and the local router expects the packets it receives from 4.4.4.4 to carry a TTL of at least 252 (its configuration has neighbor 4.4.4.4 ttl-security hops 3, so 255 - 3 = 252). A spoofed packet from further away than 3 hops arrives with a lower TTL and is discarded before BGP processes it.

BGP establishes and maintains the session only if the TTL value in the IP packet is equal to or greater than the TTL value configured for the peer.

QUESTION 8
Which two statements about 802.1X authentication with port security are true? (Choose two.)

A. If any client causes a security violation, the port is immediately placed in spanning-tree disabled mode.
B. An entry is created in the secure host table for any client that is authenticated and manually configured for port security, even if the table is full.
C. 802.1X manages network access for all authorized MAC addresses.
D. If a client is authenticated and the port security table is full, the oldest client is aged out.
E. If any host causes a security violation, the port is immediately error-disabled.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
If 802.1X detects the violation, the action is to err-disable the port.
If port security detects the violation, the action is to shutdown or restrict the port (the action is configurable).

When a client is authenticated and the port security table is not full, the client's MAC address is added to the port security list of secure hosts. The port then proceeds to come up normally.

When a client is authenticated and manually configured for port security, it is guaranteed an entry in the secure host table (unless port security static aging has been enabled).

The following describes when port security and 802.1X security violations occur:
In single-host mode, after the port is authorized, any MAC address received other than the client's causes an 802.1X security violation.
In single-host mode, if installation of an 802.1X client's MAC address fails because port security has already reached its limit (due to configured secure MAC addresses), a port security violation is triggered.
In multi-host mode, once the port is authorized, any additional MAC address that cannot be installed because port security has reached its limit triggers a port security violation.

In addition to setting up dynamic learning of secure MAC addresses, you may configure static secure MAC address entries using the interface-level command switchport port-security mac-address <mac-address>. The static entries also count against the maximum number of allowed MAC addresses on an interface. You may configure a port to age static secure MAC address entries as well by using the interface-level command switchport port-security aging static. This may be useful when you need to set up guaranteed access for a specific MAC address for some amount of time.

QUESTION 9
Which as-path access-list regular expression should be applied on R2 as a neighbor filter list to only allow updates with an origin of AS 65503?

Refer to the exhibit.

A. _65503.?$
B. ^65503 .*
C. 65503
D. _65503_
E. _65503$
F. ^65503$

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/ios/12_2/termserv/configuration/guide/ftersv_c/tcfaapre.html
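The six candidate expressions behave very differently on real AS_PATH strings, and the exhibit (which is not reproduced here) decides which one the question wants. The following is an added example written for this page, not Cisco code and not part of the exam dump: it translates the Cisco-specific `_` anchor (which matches the start or end of the path or a delimiter such as a space, comma, brace or parenthesis) into a Python regular expression and runs each option over a set of constructed AS_PATH strings, so the reader can see which paths each option admits.

```python
# Added example (not from the exam dump): evaluate Cisco as-path regular
# expressions against constructed AS_PATH strings as shown by 'show ip bgp'.
import re
from typing import Dict, List


def cisco_to_python(expr: str) -> "re.Pattern[str]":
    """Cisco's '_' matches start/end of the path or a delimiter (space , { } ( ))."""
    return re.compile(expr.replace("_", r"(?:^|$|[ ,{}()])"))


def filter_updates(expr: str, paths: List[str]) -> List[str]:
    """Return the AS_PATHs that a neighbor filter-list using `expr` would permit."""
    pat = cisco_to_python(expr)
    return [p for p in paths if pat.search(p)]


# Constructed AS_PATH strings (left = neighbor, right = origin AS).
SAMPLE_PATHS = [
    "65503",              # originated by the directly connected neighbor AS 65503
    "65502 65503",        # learned via AS 65502, originated in AS 65503
    "65503 65504",        # transited AS 65503, originated in AS 65504
    "65502 65503 65504",  # AS 65503 in the middle of the path
    "165503",             # a different AS whose number merely contains 65503
]

OPTIONS = {
    "A": "_65503.?$",
    "B": "^65503 .*",
    "C": "65503",
    "D": "_65503_",
    "E": "_65503$",
    "F": "^65503$",
}


def evaluate_options(paths: List[str] = SAMPLE_PATHS) -> Dict[str, List[str]]:
    """Map each exam option letter to the paths it permits."""
    return {letter: filter_updates(expr, paths) for letter, expr in OPTIONS.items()}


if __name__ == "__main__":
    for letter, permitted in evaluate_options().items():
        print(f"{letter} {OPTIONS[letter]:<12} -> {permitted}")
```

Option E (`_65503$`) is the expression that matches "origin AS 65503" regardless of how many ASes the update crossed; option B only admits paths where 65503 is the first AS, i.e. updates received directly from AS 65503 whatever their origin; option C is the classic mistake, because an unanchored number also matches AS 165503.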

QUESTION 10
If an ASA device is configured as a remote access IPsec server with RADIUS authentication and password management enabled, which type of authentication will it use?

A. MS-CHAPv2
B. MS-CHAPv1
C. RSA
D. NTLM
E. PAP

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
PAP is clear-text authentication: the password travels in the RADIUS request protected only by the RADIUS shared-secret obfuscation, so the RADIUS server must be reachable over a trusted path.

QUESTION 11
What SNMPv3 command disables descriptive error messages?

A. snmp-server usm cisco
B. snmp-server ifindex persist
C. snmp-server trap link switchover
D. snmp-server inform

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
You can use the snmp-server usm cisco command to disable the descriptive messages, thus preventing malicious users from misusing the information shown in the error messages (for example, learning whether a user name exists before guessing its keys). The referenced document tabulates the Cisco-specific error messages returned when snmp-server usm cisco is configured and compares them with the corresponding RFC 3414-compliant error messages.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/snmp-xe-3se-3850-book/nm-snmp-snmpv3.html

QUESTION 12
Which statement about SNMP control plane policing is true?

A. The SNMP management plane always has a source IP address.
B. SNMP traffic is processed via CEF in the data plane.
C. The CoPP SNMP feature can forward and manage traffic during heavy traffic load.
D. SNMP traps are processed by the data plane.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The management plane is the logical path of all traffic related to the management of a routing platform. One of the three planes in a communication architecture that is structured in layers and planes, the management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane is also used to manage a device through its connection to the network.

Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical.

• Control-plane host subinterface: receives all control-plane IP traffic that is directly destined for one of the router interfaces. Examples of control-plane host IP traffic include tunnel termination traffic, management traffic, and routing protocols such as SSH, SNMP, BGP, OSPF, and EIGRP. All host traffic terminates on and is processed by the router.

Most control-plane protection features and policies operate strictly on the control-plane host subinterface. Since most critical router control-plane services, such as routing protocols and management traffic, are received on the control-plane host subinterface, it is critical to protect this traffic through policing and protection policies. CoPP, port-filtering, and per-protocol queue thresholding protection features can be applied on the control-plane host subinterface.

• Control-plane transit subinterface: receives all control-plane IP traffic that is software switched by the route processor. This means packets not directly destined to the router itself but rather traffic traversing through the router. Non-terminating tunnels handled by the router are an example of this type of control-plane traffic. Control-plane protection allows specific aggregate policing of all traffic received at this subinterface.

• Control-plane CEF-exception subinterface: receives all traffic that is either redirected as a result of a configured input feature in the CEF packet forwarding path for process switching or directly enqueued in the control-plane input queue by the interface driver (for example, ARP, L2 keepalives and all non-IP host traffic). Control-plane protection allows specific aggregate policing of this specific type of control-plane traffic.

QUESTION 13
Which two statements about IPv6 path MTU discovery are true? (Choose two.)

A. During the discovery process, the DF bit is set to 1.
B. The initial path MTU is the same as the MTU of the original node's link layer interface.
C. The discovery packets are dropped if there is congestion on the link.
D. It can allow fragmentation when the minimum MTU is below a configured value.
E. If the destination host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.
F. If the source host receives an ICMPv6 Packet Too Big message from a router, it reduces its path MTU.

Correct Answer: BF
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6_basic/configuration/xe-3s/ip6b-xe-3s-book/ip6-mtu-path-disc.html

QUESTION 14
Which two of these are things an attacker can do with an encrypted RC4 data stream? (Choose two.)

A. calculate the checksum of the encrypted stream
B. filter out the keystream if the attacker gets two streams encrypted with the same RC4 key
C. use XOR to match the encrypted stream to itself, in order to retrieve the key
D. retrieve the private key if the attacker has access to the public key
E. flip a bit of the encrypted text, which will flip a corresponding bit in the cleartext once it is decrypted

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
RC4 is a stream cipher: ciphertext = plaintext XOR keystream. Flipping a ciphertext bit therefore flips exactly the same plaintext bit after decryption (E), and RC4 on its own provides no integrity check to catch it. Two streams encrypted under the same key share the same keystream, so XORing the two ciphertexts cancels the keystream and yields the XOR of the two plaintexts; knowing one plaintext then reveals the keystream and the other plaintext (B). Neither attack recovers the key (C), and D describes public-key cryptography, which RC4 is not.
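Both attacks (B and E) are short enough to demonstrate end to end. The following is an added example written for this page, not code from the exam dump: a compact RC4 implementation (KSA and PRGA) followed by the bit-flip and the keystream-reuse attacks on constructed messages under a constructed key. The RC4 test vector (key "Key", plaintext "Plaintext") is the widely published one.

```python
# Added example (not from the exam dump): RC4 and the two attacks the question
# asks about, bit flipping (malleability) and keystream reuse.
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 key-scheduling algorithm followed by the PRGA, yielding keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): data XOR keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def bitflip_attack(key: bytes, plaintext: bytes, byte_index: int, mask: int) -> bytes:
    """Attacker flips bits in the ciphertext without knowing the key; the receiver
    decrypts and sees the same bits flipped in the plaintext (option E)."""
    ciphertext = bytearray(rc4(key, plaintext))
    ciphertext[byte_index] ^= mask           # attacker only touches ciphertext
    return rc4(key, bytes(ciphertext))       # what the legitimate receiver decrypts


def keystream_reuse_attack(key: bytes, known_plaintext: bytes, unknown_plaintext: bytes) -> bytes:
    """Two messages under one RC4 key share the keystream. With one plaintext known the
    attacker strips the keystream from the other ciphertext (option B)."""
    c1 = rc4(key, known_plaintext)
    c2 = rc4(key, unknown_plaintext)
    keystream = bytes(a ^ b for a, b in zip(c1, known_plaintext))   # c1 XOR p1
    return bytes(a ^ b for a, b in zip(c2, keystream))              # c2 XOR keystream = p2


if __name__ == "__main__":
    key = b"Key"                                                   # constructed key
    print(rc4(key, b"Plaintext").hex())                            # bbf316e8d940af0ad3
    # '1' at offset 10 becomes '9': 0x31 ^ 0x39 == 0x08
    print(bitflip_attack(key, b"transfer $100 to alice", 10, 0x08))
    print(keystream_reuse_attack(key, b"attack at dawn!", b"retreat at dusk"))
```

The bit-flip result is why a stream cipher must always be paired with a MAC, and the keystream-reuse result is why RC4-based protocols such as WEP failed once IV/key pairs repeated.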

QUESTION 15
Refer to the exhibit.

You have configured two route-map instances on R1, which passes traffic from switch 1 on both VLAN 1 and VLAN 2. You wish to ensure that:
* The first route-map instance matches packets from VLAN 1 and sets the next hop to 3232:2/128.
* The second route-map instance matches packets from VLAN 2 and sets the next hop to 3232:3/128.
What feature can you implement on R1 to make this configuration possible?

A. BGP next-hop
B. BGP local-preference
C. PBR
D. VSSP
E. GLBP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Policy-based routing (PBR) applies a route map to traffic arriving on an interface, matching on attributes such as the source subnet (here, each VLAN) and setting the next hop, overriding the routing table. BGP attributes and first-hop redundancy protocols (GLBP) do not select a next hop per source VLAN.

QUESTION 16
When configuring Cisco IOS Firewall CBAC operations on Cisco routers, the "inspection rule" can be applied at which two locations? (Choose two.)

A. at the untrusted interface in the inbound direction
B. at the trusted and untrusted interfaces in the inbound direction
C. at the untrusted interface in the outbound direction
D. at the trusted interface in the outbound direction
E. at the trusted and untrusted interfaces in the outbound direction
F. at the trusted interface in the inbound direction

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
http://packetlife.net/blog/2009/mar/10/ios-context-based-access-control-cbac/

QUESTION 17
Refer to the exhibit.

You have received an advisory that your organization could be running a vulnerable product. Using the Cisco Systems Rapid Risk Vulnerability Response Model, you determine that:
* Your organization is running an affected product on a vulnerable version of code.
* The vulnerable component is enabled and there is no feasible workaround.
* There is medium confidence of an attack without significant collateral damage to the organization.
According to the model, what is the appropriate urgency level for remediation?

A. contact ISP to trace attack
B. priority maintenance process
C. no action required
D. remove vulnerable device from service
E. standard maintenance process
F. immediate mitigation process

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/about/security-center/vulnerability-risk-triage.html


QUESTION 18
The SSL VPN implementation on a Cisco ASA adaptive security appliance supports which three of these features? (Choose three.)

A. sending TCP-only traffic through port forwarding
B. sending TCP-only traffic through a smart tunnel
C. sending TCP and UDP traffic through a smart tunnel
D. establishing a Winsock 2 connection between the client and the server through smart tunnels
E. establishing a Winsock 2 connection between the client and the server through port forwarding
F. sending TCP and UDP traffic through port forwarding

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/tunnel.pdf

QUESTION 19
Which one of the following Cisco ASA adaptive security appliance rule samples will send HTTP data to the AIP-SSM module to evaluate and stop HTTP attacks?

A.
B.
C.
D.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ssm.html

QUESTION 20
What are two actions you can take to protect against DDoS attacks on Cisco routers and switches? (Choose two.)

A. Implement MAC address filtering.
B. Filter the RFC 1918 address space.
C. Configure PIM-SM.
D. Rate limit SYN packets.
E. Configure IP snooping.

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

Setting embryonic and maximum connection limits per client on ASA1 can protect R1 from TCP SYN attacks. This type of DoS attack is prevented by rate limiting TCP connections and not allowing incomplete TCP handshakes to consume resources on R1. Filtering RFC 1918 source addresses at the edge drops one common class of spoofed flood traffic before it reaches the device.

QUESTION 21
Refer to the exhibit.

You executed the show crypto key mypubkey rsa command to verify that the RSA key is protected and it generated the given output. What command must you have entered to protect the key?

A. crypto key decrypt rsa name pki.cisco.com passphrase CiscoPKI
B. crypto key zeroize rsa CiscoPKI
C. crypto key export rsa pki.cisco.com pem url flash: 3des CiscoPKI
D. crypto key lock rsa name pki.cisco.com passphrase CiscoPKI
E. crypto key import rsa pki.cisco.com pem url nvram: CiscoPKI

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 22
What IPS form factor is best suited to handling heavy traffic between virtualized servers in a data center?

A. FirePOWER NGIPSv
B. FirePOWER Appliance
C. IOS with FirePOWER services
D. ASA with FirePOWER services

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Product Overview

The modern network is diverse, resulting in a wide variety of throughput, connectivity, and security requirements within a single organization. Data center constraints on space, power, and cooling just add to the challenge of finding the right network security device. The Cisco FirePOWER 7000 Series addresses these challenges by providing threat protection appliances with scalability, energy efficiency, and a low total cost of ownership. The Cisco FirePOWER 7000 Series Appliances are the base platform for the Cisco FirePOWER next-generation Intrusion Prevention System (NGIPS) threat protection solution. They integrate real-time contextual awareness, full-stack visibility, and intelligent security automation to deliver effective security, reliable performance, and a lower cost of ownership. Threat protection can be expanded with optional subscription licenses to provide Advanced Malware Protection (AMP) and application visibility and control.

Optimized for network security processing, FirePOWER delivers high performance with purpose-built hardware acceleration technology and by using three separate data processing stages, each custom designed for particular workloads. With eight throughput models (from 50 Mbps to 1.25 Gbps) and up to 12 available ports to support mixed media, the Cisco FirePOWER 7000 Series enables you to deploy security appliances based on network link and organizational use case requirements. For east-west traffic between virtual machines on the same host, however, a physical appliance never sees the packets, which is why the virtual NGIPSv form factor is the fit for that case.

QUESTION 23
When you configure an ASA with RADIUS authentication and authorization, which attribute is used to differentiate user roles?

A. cisco-priv-level
B. service-type
C. termination-action
D. tunnel-type
E. login-ip-host

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html#23109

Cisco VSA (Cisco-Priv-Level), which provides a standard 0-15 numeric ranking of privileges, with 1 being the lowest level and 15 the highest. A zero level indicates no privileges. The first level (login) allows privileged EXEC access for the commands available at this level. The second level (enable) allows CLI configuration privileges.

IETF-Radius-Service-Type (attribute 6, Integer, single-valued). Possible Service-Type values:
• Administrative: the user is allowed access to the configure prompt.
• NAS-Prompt: the user is allowed access to the exec prompt.
• remote-access: the user is allowed network access.

QUESTION 24
Which two statements about MPP (Management Plane Protection) are true? (Choose two.)

A. Only out-of-band management interfaces are supported.
B. Only virtual interfaces associated with physical interfaces are supported.
C. Only virtual interfaces associated with sub-interfaces are supported.
D. It is supported on both distributed and hardware-switched platforms.
E. Only in-band management interfaces are supported.
F. It is supported on both active and standby management interfaces.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-0/security/configuration/guide/b_sc40asr9kbook/b_sc40asr9kbook_chapter_0101.pdf

QUESTION 25
Which two options are Cisco-recommended best practices for provisioning QoS for Scavenger-class traffic? (Choose two.)

A. It should be assigned a higher CBWFQ percentage than bulk data.
B. It should be marked as DSCP CS1 to mitigate DoS attacks.
C. It should be assigned a higher CBWFQ percentage than best effort.
D. It should be assigned a lower DSCP value than best effort.
E. It should be assigned a higher CoS than bulk data.
F. It should be assigned the lowest possible CBWFQ value.

Correct Answer: BF
Section: (none)
Explanation

Explanation/Reference:http://www.ciscopress.com/articles/article.asp?p=357102&seqNum=5

Scavenger traffic should be marked to DSCP CS1.

Scavenger traffic should be assigned the lowest configurable queuing service; for instance, in Cisco IOS this means assigning a CBWFQ bandwidth of 1 percent to Scavenger. The point of the class is that out-of-profile or suspicious traffic is starved only when there is congestion, so a DoS or worm outbreak cannot crowd out legitimate classes.

QUESTION 26
Which statement is true about SYN cookies?

A. The state is kept on the server machine TCP stack.
B. A system has to check every incoming ACK against state tables.
C. SYN cookies do not help to protect against SYN flood attacks.
D. No state is kept on the server machine; it is embedded in the initial sequence number.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/conf-fw-tcp-syn-cookie.html

The Firewall TCP SYN Cookie feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. The firewall intercepts TCP SYN packets that are sent from clients to servers. When the TCP SYN cookie is triggered, it acts on all SYN packets that are destined to the configured VPN Routing and Forwarding (VRF) instance or zone. The TCP SYN cookie establishes a connection with the client on behalf of the destination server and another connection with the server on behalf of the client, and knits together the two half-connections transparently. Thus, connection attempts from unreachable hosts never reach the server. The TCP SYN cookie intercepts and forwards packets throughout the duration of the connection.

Note that the IOS firewall feature is a proxy; the classic SYN cookie mechanism the question describes (option D) is what lets the proxy answer SYNs without allocating a half-open connection entry for each one: the server's initial sequence number is computed from the connection 4-tuple, a coarse timestamp and a secret, and an ACK is accepted only if its acknowledgment number decodes to a valid, recent cookie.
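The stateless check in option D is worth seeing in code. The following is an added example written for this page, not Cisco code and not part of the exam dump. It follows the classic SYN cookie layout (5 bits of coarse time, 3 bits of encoded MSS, 24 bits of keyed hash) with a constructed secret, a constructed MSS table and constructed connection tuples; the 64-second tick and 4-tick maximum age are assumptions chosen for the example.

```python
# Added example (not from the exam dump): stateless SYN cookies. The server
# keeps no half-open connection entry; everything it needs is in the ISN.
import hashlib
import hmac
from typing import Optional, Tuple

SECRET = b"constructed-secret-rotate-me"   # constructed; real stacks rotate it
MSS_TABLE = (536, 1300, 1440, 1460)         # 3-bit index -> MSS (constructed table)
MAX_AGE_TICKS = 4                            # assumed: accept cookies up to 4 ticks old

Conn = Tuple[str, str, int, int]             # (saddr, daddr, sport, dport)


def _mac24(conn: Conn, tick: int) -> int:
    """24-bit keyed hash over the 4-tuple and the coarse time the cookie was minted."""
    saddr, daddr, sport, dport = conn
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(conn: Conn, client_mss: int, now_tick: int) -> int:
    """Server ISN for the SYN/ACK: [5 bits tick][3 bits MSS index][24 bits MAC]."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((now_tick & 0x1F) << 27) | (idx << 24) | _mac24(conn, now_tick)


def check_syn_cookie(conn: Conn, ack_number: int, now_tick: int) -> Optional[int]:
    """Validate the final ACK of the handshake with no lookup in any state table.

    Returns the negotiated MSS on success, None if the cookie is stale or forged.
    """
    isn = (ack_number - 1) & 0xFFFFFFFF          # ACK acknowledges ISN + 1
    age = (now_tick - (isn >> 27)) & 0x1F        # recover elapsed ticks from the 5-bit field
    if age > MAX_AGE_TICKS:
        return None                              # too old (or a tick wrapped); reject
    minted_tick = now_tick - age
    if (isn & 0xFFFFFF) != _mac24(conn, minted_tick):
        return None                              # wrong 4-tuple, wrong time or forged
    return MSS_TABLE[(isn >> 24) & 0x7]


if __name__ == "__main__":
    conn = ("203.0.113.5", "198.51.100.10", 40000, 443)   # constructed client/server
    isn = make_syn_cookie(conn, 1460, now_tick=1000)
    ack = (isn + 1) & 0xFFFFFFFF
    print(check_syn_cookie(conn, ack, 1002))                # 1460: valid handshake
    print(check_syn_cookie(conn, ack ^ 0x10, 1002))         # None: tampered ACK
    print(check_syn_cookie(conn, ack, 1040))                # None: cookie expired
```

The cost of statelessness is visible in the code as well: only a handful of MSS values survive the round trip, and a client whose ACK is lost is never retransmitted a SYN/ACK because the server remembers nothing about it.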

QUESTION 27
You have discovered that a router on your network is experiencing high CPU when management server 10.11.10.12 queries OID lldpMIB. Assuming management station access to the OID is not critical, what configuration can you apply to the router to prevent high CPU usage when the OID is queried?

A.
B.
C.
D.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:https://bst.cloudapps.cisco.com/bugsearch/bug/CSCue32333/?referring_site=bugquickviewredir

3750X CPU spike related to lldpMIB polling
CSCue32333

Description
Symptom: We observed a CPU spike on a 3750X (12.2(58)SE2 and 15.0.2-SE1) when polling all OIDs from an SNMP server. The high process is "SNMP ENGINE". We did not see the CPU spike after excluding LLDP-MED-MIB lldpMIB. When polling lldpMIB only (without excluding it), we did not see a CPU spike either.

Conditions: 3750X ------- SNMP server

Workaround:
snmp-server view LLDP-MED-MIB iso included
snmp-server view LLDP-MED-MIB lldpMIB excluded
snmp-server community view LLDP-MED-MIB RO 10

Further Problem Description:

QUESTION 28
Which two statements about the TACACS+ protocol are true? (Choose two.)

A. Because it uses UDP for transport, TACACS+ can detect server crashes out-of-band.
B. TACACS+ takes advantage of the UDP protocol's connectionless network transport.
C. The entire body of a TACACS+ packet is encrypted with the exception of the standard clear-text TACACS+ header.
D. TACACS+ combines the authentication and authorization functions.
E. VSAs allow products from other vendors to interoperate with Cisco routers that support TACACS+.
F. TACACS+ can handle different AAA services on separate servers.

Correct Answer: CF
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html

TACACS+ runs over TCP (port 49), not UDP, so A and B are wrong. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header in the clear. Within the header is a flag that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted; during normal operation, however, the body of the packet is fully encrypted for more secure communications.

TACACS+ uses the AAA architecture, which separates authentication, authorization and accounting. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+ it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
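What "the entire body is encrypted except the header" (option C) means on the wire is concrete enough to code. The following is an added example written for this page, not from the exam dump and not a Cisco implementation: it builds the 12-byte clear-text TACACS+ header, applies the body obfuscation defined in RFC 8907 (an MD5-derived pseudo-pad XORed over the body, keyed with the shared secret, session ID, version and sequence number), honours the TAC_PLUS_UNENCRYPTED_FLAG bit, and parses the result. The packet body, session ID and shared key are constructed; a real START body has its own fixed fields, which this example does not model.

```python
# Added example (not from the exam dump): TACACS+ framing and body obfuscation
# per RFC 8907. Only the 12-byte header is ever sent in the clear.
import hashlib
import struct
from typing import Dict, Optional

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # header flag: body sent in the clear (debug only)
HEADER_FMT = ">BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1); concatenated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack(">I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: Optional[bytes]) -> bytes:
    """Clear-text header followed by the (normally obfuscated) body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0
    if key is None:                               # debugging mode: body in the clear
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    else:
        payload = obfuscate(body, session_id, key, version, seq_no)
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, key: Optional[bytes]) -> Dict[str, object]:
    """Read the header, then recover the body using the key unless the clear flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    elif key is None:
        raise ValueError("body is obfuscated; shared key required")
    else:
        body = obfuscate(payload, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    body = b"constructed authen START body: user=alice"   # constructed payload
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body, b"tacacs-shared-key")
    print(pkt[:HEADER_LEN].hex())                         # header is readable without the key
    print(parse_packet(pkt, b"tacacs-shared-key")["body"])
```

Two things a practitioner should take from the code: the header leaks the packet type, sequence and length to anyone on the path even in normal operation, and the "encryption" is an MD5 pad keyed only by the shared secret, which RFC 8907 itself labels obfuscation; TACACS+ traffic therefore belongs on a management network or inside a protected tunnel, not on an untrusted path.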

QUESTION 29
Referring to the DMVPN topology diagram shown in the exhibit, which two statements are correct? (Choose two.)

A. The hub router tunnel interface must have EIGRP next-hop-self enabled.
B. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub to resolve the remote spoke router physical interface IP address.
C. The hub router needs to have EIGRP split horizon disabled.
D. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.
E. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network should be 172.17.0.1.
F. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network should be 10.0.0.1.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/43067-dmvpn-gre-eigrp.html

!--- This is the mGRE interface for dynamic GRE tunnels.

interface Tunnel1
 description MULTI-POINT GRE TUNNEL for BRANCHES
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 ip nhrp network-id 99
 ip nhrp holdtime 300
 no ip split-horizon eigrp 1
 no ip mroute-cache
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile dmvpnprof

QUESTION 30
Which two statements about fast SSID changing on a WLC are true? (Choose two.)

A. It enables a controller to rapidly cycle its SSID to drop rogue connections.
B. It enables a client to move to a new SSID before its previous entry in the controller connection table is cleared.
C. If it is disabled while clients are connected to the controller, the client loses communication with other hosts in the same VLAN.
D. If it is disabled while clients are connected to the controller, the client loses communication with hosts in other VLANs.
E. It enables a client to move faster between SSIDs.
F. It enforces MIMO on clients.

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01001.html

Information About Configuring Fast SSID Changing
When fast SSID changing is enabled, the controller allows clients to move faster between SSIDs. When fast SSID is enabled, the client entry is not cleared and the delay is not enforced.

When fast SSID changing is disabled, the controller enforces a delay before clients are allowed to move to a new SSID. When fast SSID is disabled and the client sends a new association for a different SSID, the client entry in the controller connection table is cleared before the client is added to the new SSID.

Configuring Fast SSID Changing (GUI)
Step 1 Choose Controller to open the General page.
Step 2 From the Fast SSID Change drop-down list, choose Enabled to enable this feature or Disabled to disable it. The default value is disabled.
Step 3 Click Apply to commit your changes.
Step 4 Click Save Configuration to save your changes.

Configuring Fast SSID Changing (CLI)
Step 1 Enable or disable fast SSID changing by entering this command:
config network fast-ssid-change {enable | disable}
Step 2 Save your changes by entering this command:
save config

QUESTION 31
Which three options are methods of load-balancing data in an ASA cluster environment? (Choose three.)

A. ECMP
B. floating static routes
C. PBR
D. HSRP
E. distance-vector routing
F. spanned EtherChannel

Correct Answer: ACF
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html

Redundant Interface (PBR or ECMP)
Spanned EtherChannel With Backup Links

QUESTION 32
Refer to the exhibit. Which configuration is required to enable the exporter?

A. cache timeout active 60
B. next-hop address
C. cache timeout inactive 60
D. source Loopback0

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/netflow/configuration/guide/b_netflow_cg42crs/b_netflow_cg42asr_chapter_00.html#task_1068377

Exporter Map Overview

An exporter map contains user network specification and transport layer details for the NetFlow export packet. The flow exporter-map command allows you to configure collector and version attributes. You can configure the following collector information:

Export destination IP address
DSCP value for export packet
Source interface
UDP port number (This is where the collector is listening for NetFlow packets.)
Transport protocol for export packets

QUESTION 33
Which two statements about IPv6 Neighbor Solicitation Messages are true? (Choose two.)

A. They are sent at a regular interval through the interfaces on an IPv6 device.
B. They are identified by Type value 133 in the ICMP packet header.
C. They solicit neighbor advertisement messages from the destination device.
D. They include the link-layer address of the source device.
E. They are identified by Type value 134 in the ICMP packet header.
F. They are sent to the link-layer address of the destination node.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
https://supportforums.cisco.com/document/77521/ipv6-neighbor-discovery-protocol-ndp
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ip6-15-2mt-book/ip6-neighb-disc.html

ICMPv6 Type   Name of Message
Type 133      Router Solicitation (RS)
Type 134      Router Advertisement (RA)
Type 135      Neighbor Solicitation (NS)
Type 136      Neighbor Advertisement (NA)
Type 137      Redirect Message


QUESTION 34
Which three statements about remotely triggered black hole filtering are true? (Choose three.)

A. Three key components of an RTBH filtering solution are: uRPF, iBGP and a null0 interface.
B. It supports both source-based and destination-based filtering.
C. It can be used to mitigate DDoS and worm attacks.
D. ICMP unreachable messages must not be disabled on all edge PE routers peered with the trigger router.
E. It requires loose uRPF for destination-based filtering.
F. It uses BGP or OSPF to trigger a network-wide remotely controlled response to attacks.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, black holing can be used to drop all attack traffic at the edge of an Internet service provider (ISP) network, based on either destination or source IP addresses.

RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or destination addresses, by forwarding it to a null0 interface. Null0 is a pseudointerface that is always up and can never forward or receive traffic. Forwarding packets to null0 is a common way to filter packets to a specific destination.


Typically, when an IP datagram is dropped, an Internet Control Message Protocol (ICMP) unreachable message is sent back to the source giving the reason why the packet could not be delivered to its final destination. In most cases, when traffic is deliberately dropped by being forwarded to a null interface, you do not want to overburden the router by making it send this unreachable message to the source address. Also, these messages would create additional traffic on the network and inform the source that the packets are being dropped. So, it is recommended that when a Null0 interface is created at the edges, the ICMP unreachable message is disabled for this interface.

If the source address (or range of addresses) of the attack can be identified (spoofed or not), it would be better to drop all traffic at the edge based on the source address, regardless of the destination address. This would permit legitimate traffic from other sources to reach the target. Implementation of source-based black hole filtering depends on Unicast Reverse Path Forwarding (URPF), most often loose mode URPF.

The edge routers essentially drop suspicious traffic by forwarding it to a Null0 interface. Null0 is an invalid interface in Cisco Express Forwarding tables, so all traffic forwarded to a null interface will be dropped by Cisco Express Forwarding and does not require process switching. Hence, using Null0 as a way to filter traffic adds minimal overhead to the edge routers. A static route is configured at the edge, and the next hop is set to Null0.

QUESTION 35
Which two ICMP types must be allowed in a firewall to enable traceroutes through the firewall? (Choose two.)

A. ICMP type=5, code=1
B. ICMP type=11, code=0
C. ICMP type=5, code=0
D. ICMP type=11, code=1
E. ICMP type=3, code=12
F. ICMP type=3, code=3

Correct Answer: BF
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-121-mainline/12778-ping-traceroute.html#traceroute

This is the first sequence of packets we send with a TTL=1. The first router, in this case Router2 (12.0.0.2), drops the packet, and sends back to the source (12.0.0.1) a type=11 ICMP message. This corresponds to the Time Exceeded Message.

Jan 20 16:42:48.707: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.711: UDP src=35734, dst=33437
Jan 20 16:42:48.743: IP: s=23.0.0.3 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.747: ICMP type=11, code=0

!--- ICMP Time Exceeded Message from Router3.

Jan 20 16:42:48.751: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.755: UDP src=36753, dst=33438
Jan 20 16:42:48.787: IP: s=23.0.0.3 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.791: ICMP type=11, code=0
Jan 20 16:42:48.795: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.799: UDP src=36561, dst=33439
Jan 20 16:42:48.827: IP: s=23.0.0.3 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.831: ICMP type=11, code=0

The same process occurs for Router3 (23.0.0.3) with a TTL=2:

Jan 20 16:42:48.839: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.843: UDP src=34327, dst=33440
Jan 20 16:42:48.887: IP: s=34.0.0.4 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:48.891: ICMP type=3, code=3

!--- Port Unreachable message from Router4.

Jan 20 16:42:48.895: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:48.899: UDP src=37534, dst=33441
Jan 20 16:42:51.895: IP: s=12.0.0.1 (local), d=34.0.0.4 (Serial0), len 28, sending
Jan 20 16:42:51.899: UDP src=37181, dst=33442
Jan 20 16:42:51.943: IP: s=34.0.0.4 (Serial0), d=12.0.0.1 (Serial0), len 56, rcvd 3
Jan 20 16:42:51.947: ICMP type=3, code=3

QUESTION 36
Which two cipher mechanisms does PCoIP use? (Choose two.)

A. autokey
B. RC4
C. SEAL
D. Blowfish
E. AES 256
F. Suite B

Correct Answer: EF
Section: (none)
Explanation

Explanation/Reference:
http://www.teradici.com/pcoip-technology

Secure Your Data
Because the protocol transfers images only, in the form of pixel location information, no business information ever leaves the data center.

In addition, because all software lies safely inside central systems, no one can tamper with service quality or introduce malware based on application infiltration. The PCoIP security module leverages the AES 256 and NSA Suite B cyphers, which meet the highest level of security required by governments.

QUESTION 37
Which protocol is an extension to SSH 2.0 that provides security for data traffic?

A. AES
B. SFTP
C. Kerberos
D. TKIP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
http://www.snailbook.com/docs/sftp.txt

SSH File Transfer Protocol draft-ietf-secsh-filexfer-13.txt

The SSH File Transfer Protocol provides secure file transfer functionality over any reliable, bidirectional octet stream. It is the standard file transfer protocol for use with the SSH2 protocol. This document describes the file transfer protocol and its interface to the SSH2 protocol suite.

QUESTION 38
All of these are predefined reports in the Cisco IPS Manager Express (Cisco IME) GUI except which one?

A. Top Signature Report
B. Top Application Report
C. Attacks Over Time Report
D. Top Victims Report
E. Top Attacker Report

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/ime/imeguide71/ime_reports.html

These are the IME report types:

Top Attacker Reports—Shows top attacker IP addresses for a specified time. You specify the top number of attacker IP addresses. There are four predefined top attacker reports:
– Basic Top Attacker
– Top 10 Attackers Last 1 Hour
– Top 10 Attackers Last 8 Hours with High Severity
– Top 20 Critical Attackers Last 24 Hours

Top Victim Reports—Shows top victim IP addresses for a specified time. You specify the top number of victim IP addresses. There are four predefined top victim reports:
– Basic Top Victim
– Top 10 Victims Last 1 Hour
– Top 10 Victims Last 8 Hours with High Severity
– Top 20 Victims with Action Denied Attacker

Top Signature Reports—Shows top signatures fired for a specified time. You specify the top number of signatures. There are four predefined top signature reports:
– Basic Top Signature
– Top 10 Signatures Last 1 Hour
– Top 10 Signatures Last 8 Hours with High Severity
– Top 20 Critical Signatures Last 24 Hours

Attacks Over Time Reports—Shows the attacks over a specified time. There are five predefined reports:
– Basic Over Time Attack
– Attacks Blocked in Last 24 Hours
– Attacks Dropped in Last 24 Hours
– Attacks Over Time Last 1 Hour
– Critical Attacks Over Last 24 Hours

Filtered Events vs. All Events Reports—Displays a set of events against the total events for a specified time period. There is one predefined report:
– Negative Reputation Events

Global Correlation Reports—Displays the global correlation reports since the sensor has been running. There are two predefined global correlation reports:
– Reputation Filter
– Global Correlation

Specialized Reports—Displays the specialized reports. There is one predefined specialized report:
– Obfuscated Traffic/Attacks—This report contains statistics on suspect and explicit traffic obfuscation activity. It combines a top attacker report with a top event report. Traffic obfuscation is a way of getting attacks through the security device. With the strong obfuscation detection and cleansing capabilities of the Cisco IPS, you can detect traffic obfuscation and deal with potential threats.

Note The Obfuscated Traffic/Attacks report is available in IME 7.2.3 and later.

Configuring and Generating Reports

Note The Filter tab and Add Filter dialog box fields now support IPv6 and IPv4 addresses.

QUESTION 39
Refer to the exhibit. Which two statements about the effects of the given Cisco IOS configuration are true? (Choose two.)

A. The maximum number of half-open sessions is 400.
B. The maximum number of half-open sessions is 600.
C. The idle timeout for UDP connections is 20 minutes.
D. The half-open session timeout is 20 minutes.
E. The software will delete half-open sessions if more than 600 new sessions are established per minute.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
ip inspect max-incomplete high: To define the number of existing half-open sessions that will cause the software to start deleting half-open sessions, use the ip inspect max-incomplete high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

ip inspect one-minute high: To define the rate of new unestablished sessions that will cause the software to start deleting half-open sessions, use the ip inspect one-minute high command in global configuration mode. To reset the threshold to the default of 500 half-open sessions, use the no form of this command.

ip inspect tcp idle-time: To specify the TCP idle timeout (the length of time a TCP session will still be managed while there is no activity), use the ip inspect tcp idle-time command in global configuration mode. To reset the timeout to the default of 3600 seconds (1 hour), use the no form of this command.


http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp9025888050

QUESTION 40
Which two options are operating modes of Security Group Tag (SGT) Exchange Protocol (SXP) peers? (Choose two.)

A. listener
B. broadcast
C. neighbor
D. transmitter
E. speaker

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sxp_config.html

The mode keyword specifies the role of the remote peer device:
local —The specified mode refers to the local device.
peer —The specified mode refers to the peer device.
speaker —Default. Specifies that the device is the speaker in the connection.
listener —Specifies that the device is the listener in the connection.

QUESTION 41
What IPS risk rating allows the user to assign a risk weighting based on the relative importance of the system involved?

A. Signature Fidelity Rating
B. Attack Relevancy Rating
C. Target Value Rating
D. Alert Severity Rating

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
The TVR is a user-defined value that represents the user's perceived value of the target host. This allows the user to increase the risk of an event associated with a critical system and to de-emphasize the risk of an event on a low-value target.

http://www.cisco.com/c/en/us/products/collateral/security/ips-4200-series-sensors/prod_white_paper0900aecd80191021.html

QUESTION 42
Refer to the exhibit. What protocol format is illustrated?

A. IP
B. ESP
C. GRE
D. AH

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:


QUESTION 43
What are two important guidelines to follow when implementing VTP? (Choose two.)

A. When using secure-mode VTP, configure management domain passwords only on VTP servers.
B. Use of the VTP multidomain feature should be restricted to migration and temporary implementation.
C. Enabling VTP pruning on a server will enable the feature for the entire management domain.
D. All switches in the VTP domain must run the same version of VTP.
E. CDP must be enabled on all switches in the VTP management domain.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Enabling VTP pruning on a VTP server enables pruning for the entire management domain. Making VLANs pruning-eligible or pruning-ineligible affects pruning eligibility for those VLANs on that trunk only (not on all switches in the VTP domain).

•All switches in a VTP domain must have the same domain name, but they do not need to run the same VTP version.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swvtp.html#wp1225071

QUESTION 44
Refer to the exhibit. Which statement about the effect of this configuration is true?

A. It prevents man-in-the-middle attacks.
B. Replay protection is disabled.
C. Out-of-order frames are dropped.
D. The replay window size is set to infinity.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Replay protection. You can configure MACsec window size, as defined by the number of out-of-order frames that are accepted. This value is used while installing the security associations in the MACsec. A value of 0 means that frames are accepted only in the correct order.

Enable replay protection, and configure the window size in number of frames. The range is from 0 to 4294967295. The default window size is 0.
Entering a window size of 0 is not the same as entering the no replay-protection command. Configuring a window size of 0 uses replay protection with a strict ordering of frames. Entering no replay-protection turns off MACsec replay-protection.

QUESTION 45
Which two U.S. government entities are authorized to execute and enforce the penalties for violations of the Sarbanes-Oxley (SOX) act? (Choose two.)

A. Office of Civil Rights (OCR)
B. Securities and Exchange Commission (SEC)
C. Federal Reserve Board
D. United States Citizenship and Immigration Services (USCIS)
E. Federal Trade Commission (FTC)
F. Internal Revenue Service (IRS)

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
The Securities and Exchange Commission (SEC) and the Federal Reserve Board are charged to execute and enforce the SOX Act.

From the following book: CCIE Professional Development Series Network Security Technologies and Solutions

QUESTION 46
Which ISMS provides the basis for an optional business certification logo program?

A. HIPAA
B. NIST 800-53
C. ISO 27001
D. TOGAF
E. ISO 27002
F. COBIT 5

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:


QUESTION 47
What protocol does MSDP use to communicate?

A. UDP 639
B. TCP 389
C. IP protocol 90
D. TCP 639
E. IP protocol 87
F. UDP 389

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

https://tools.ietf.org/html/rfc3618
MSDP uses TCP as its transport protocol. In a peering relationship, one MSDP peer listens for new TCP connections on the well-known port 639.

https://en.wikipedia.org/wiki/Multicast_Source_Discovery_Protocol


Router# clear ip msdp peer [peer-address | peer-name]
Clears the TCP connection to the specified MSDP peer, resetting all MSDP message counters.

QUESTION 48
What technique can an attacker use to obfuscate a malware application payload, allowing it to bypass standard security mechanisms?

A. BASE64
B. steganography
C. a PE32 header
D. decryption
E. Teredo tunneling

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Base64 is a group of similar binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. The term Base64 originates from a specific MIME content transfer encoding.

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography combines the Greek words steganos (στεγανός), meaning "covered, concealed, or protected", and graphein (γράφειν) meaning "writing".

In computer networking, Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network. Unlike similar protocols, it can perform its function even from behind network address translation (NAT) devices such as home routers.

QUESTION 49
Which three of these are true statements about TLS? (Choose three.)

A. It can be used to secure SIP.
B. It allows for client authentication via certificates.
C. If a third-party (man-in-the-middle) observes the entire handshake between client and server, the third-party can decrypt the encrypted data that passes between them.
D. It is a secure protocol encapsulated within SSL.
E. It is a more recent version of SSL.
F. It cannot be used for HTTPS.

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 50
What Context-Based Access Control (CBAC) command sets the maximum time that a router running Cisco IOS will wait for a new TCP session to reach the established state?

A. ip inspect max-incomplete
B. ip inspect tcp idle-time
C. ip inspect tcp finwait-time
D. ip inspect udp idle-time
E. ip inspect tcp synwait-time

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
ip inspect tcp synwait-time
To define how long the software will wait for a TCP session to reach the established state before dropping the session, use the ip inspect tcp synwait-time command in global configuration mode. To reset the timeout to the default of 30 seconds, use the no form of this command.

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i2.html#wp2405804691

QUESTION 51
What are two security controls you can implement to protect your organization's internal network from virus and worm outbreaks? (Choose two.)

A. Implement routing protocols with strong interface authentication.
B. Quarantine hosts that fail to meet your organization's IT security requirements.
C. Implement Cisco Identity Service Engine (ISE) for network security.
D. Deploy Cisco Prime LMS to manage network security.
E. Require users to authenticate before accessing the network.

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Identify

•Identity-based network solutions (802.1x, NAC, and so on)
•Authentication, Authorization, and Accounting (AAA)—Authentication
•Biometric recognition
•Routing authentication (MD5)
•Secure messaging (encrypted E-mail)
•VPN authentication
–Digital certificates
–Pre-shared keys
–User authentication

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/CiscoSCF.html#wp1050631

QUESTION 52
Which two IP multicast addresses belong to the group represented by the MAC address 0x01-00-5E-15-6A-2C? (Choose two.)

A. 224.21.106.44
B. 239.153.106.44
C. 224.25.106.44
D. 236.25.106.44
E. 233.149.106.44

Correct Answer: AE
Section: (none)
Explanation


Explanation/Reference:
https://networklessons.com/multicast/multicast-ip-address-to-mac-address-mapping/
http://nettools.aqwnet.com/macipcalc/macipcalc.php

MAC Address 01:00:5e:15:6a:2c converts to:

Matched multicast IP group addresses

224.21.106.44  224.149.106.44
225.21.106.44  225.149.106.44
226.21.106.44  226.149.106.44
227.21.106.44  227.149.106.44
228.21.106.44  228.149.106.44
229.21.106.44  229.149.106.44
230.21.106.44  230.149.106.44
231.21.106.44  231.149.106.44
232.21.106.44  232.149.106.44
233.21.106.44  233.149.106.44
234.21.106.44  234.149.106.44
235.21.106.44  235.149.106.44
236.21.106.44  236.149.106.44
237.21.106.44  237.149.106.44
238.21.106.44  238.149.106.44
239.21.106.44  239.149.106.44
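The 32-to-1 mapping behind this answer, as an added example (not code from the original page or from the tools linked above): only the low 23 bits of a multicast group address reach the MAC, so the first octet (224 to 239) and the top bit of the second octet are lost. The two functions below go in both directions and reproduce the list above for 01-00-5E-15-6A-2C; the function names are my own.

```python
"""IPv4 multicast group <-> IEEE 802 MAC mapping (RFC 1112 style)."""
import ipaddress

# Every IPv4 multicast frame uses the 01:00:5e OUI; only 23 bits of the
# group address follow it, so the first octet and the high bit of the
# second octet are discarded on the way to the MAC.
MULTICAST_OUI = (0x01, 0x00, 0x5E)


def multicast_ip_to_mac(group: str) -> str:
    """Return the 01:00:5e:xx:xx:xx MAC address a multicast group maps to."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast (224.0.0.0/4) address")
    o = addr.packed
    # Keep the low 7 bits of octet 2 and all of octets 3 and 4 (23 bits).
    low23 = (o[1] & 0x7F, o[2], o[3])
    return ":".join(f"{b:02x}" for b in MULTICAST_OUI + low23)


def _parse_multicast_mac(mac: str) -> tuple[int, ...]:
    """Accept 01:00:5e:.., 01-00-5E-.. or 0x01-00-5E-.. and return 6 ints."""
    text = mac.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    octets = tuple(int(p, 16) for p in text.replace("-", ":").split(":"))
    if len(octets) != 6 or octets[:3] != MULTICAST_OUI or octets[3] > 0x7F:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC address")
    return octets


def multicast_mac_to_ips(mac: str) -> list[str]:
    """Return all 32 group addresses that share the given multicast MAC."""
    _, _, _, b3, b4, b5 = _parse_multicast_mac(mac)
    groups = []
    for first in range(224, 240):        # any 1110xxxx first octet
        for high_bit in (0x00, 0x80):    # the discarded bit of octet 2
            groups.append(f"{first}.{b3 | high_bit}.{b4}.{b5}")
    return groups


def shares_multicast_mac(group: str, mac: str) -> bool:
    """True if the group address would be delivered to the given MAC."""
    return multicast_ip_to_mac(group) == multicast_ip_to_mac(
        multicast_mac_to_ips(mac)[0]
    )


if __name__ == "__main__":
    # Constructed sample: the MAC from the question and its five options.
    mac = "0x01-00-5E-15-6A-2C"
    print(f"{mac} -> {len(multicast_mac_to_ips(mac))} candidate groups")
    for option in ("224.21.106.44", "239.153.106.44", "224.25.106.44",
                   "236.25.106.44", "233.149.106.44"):
        print(f"  {option:>15} -> {multicast_ip_to_mac(option)}  "
              f"match={shares_multicast_mac(option, mac)}")
```

Because 32 groups collide on one MAC, a switch doing IGMP snooping or a NIC hardware filter can only narrow delivery to this set; the host IP stack still has to check the full group address.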


QUESTION 53
What action can you take to prevent an amplification attack on an IPv6 network?

A. Disable the processing of IPv6 type 1 routing headers on the interface.
B. Disable the processing of IPv6 type 1 routing headers globally.
C. Disable the processing of IPv6 type 2 routing headers between remote routers.
D. Disable the processing of IPv6 type 0 routing headers globally.
E. Disable the processing of IPv6 type 2 routing headers globally.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Since December 2007, source routing with routing header type 0 (RH0) is disabled by default in IPv6; it is therefore identical to IPv4. Source routing cannot be used by an attacker to bypass some security policies or to mount an amplification attack.

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-678658.html

QUESTION 54
Which two features are supported in CBAC on IPv6? (Choose two.)

A. Intrusion Detection System inspection
B. inspection of encrypted packets
C. inspection of tunneled packets in transit
D. inspection of packets on nonstandard ports
E. inspection of fragmented packets

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
IPv6 packets tunneled in IPv4 are not inspected. If a tunnel terminates on a router, and IPv6 traffic exiting the tunnel is nonterminating, then the traffic is inspected.

Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports.


When Virtual Fragment Reassembly is enabled, VFR processing begins after ACL input lists are checked against incoming packets. The incoming packets are tagged with the appropriate VFR information.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_cbac_fw/configuration/15-2mt/ip6-firewall.html#GUID-183AE99F-284F-4152-9443-B13AEA0DBB29

QUESTION 55
Refer to the exhibit. What is the effect of the given command?

A. It enables CoPP on the FastEthernet 0/0 interface for SSH and SNMP management traffic.
B. It enables MPP on the FastEthernet 0/0 interface for SSH and SNMP management traffic and CoPP for all other protocols.
C. It enables MPP on the FastEthernet 0/0 interface, allowing only SSH and SNMP management traffic.
D. It enables QoS policing on the control plane of the FastEthernet 0/0 interface.
E. It enables MPP on the FastEthernet 0/0 interface by enforcing rate-limiting for SSH and SNMP management traffic.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Configures an interface to be a management interface, which will accept management protocols, and specifies which management protocols are allowed.
interface—Name of the interface that you are designating as a management interface.
protocols—Management protocols you want to allow on the designated management interface.
•BEEP
•FTP
•HTTP
•HTTPS
•SSH, v1 and v2
•SNMP, all versions
•Telnet
•TFTP


http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html

QUESTION 56
What message does the TACACS+ daemon send during the AAA authentication process to request additional authentication information?

A. ACCEPT
B. CONTINUE
C. REJECT
D. ERROR
E. REPLY

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
TACACS+ defines 7 types of packets (or "messages"):

Authentication START (It describes the type of authentication to be performed, and may contain the username and some authentication data. The START packet is only ever sent as the first message in a TACACS+ authentication session.)
Authentication REPLY (It indicates whether the authentication is finished, or whether it should continue. If the REPLY indicates that authentication should continue, then it will also indicate what new information is requested.)
Authentication CONTINUE (It is sent from the NAS to the server following the receipt of a REPLY packet and possibly contains requested information.)
Authorization REQUEST (It contains a fixed set of fields that describe the authenticity of the user or process, and a variable set of arguments that describes the services and options for which authorization is requested.)
Authorization RESPONSE (It contains a variable set of response arguments (attribute-value pairs) which can restrict or modify the client actions.)
Accounting REQUEST (It conveys information used to provide accounting for a service provided to a user.)
Accounting REPLY (It is used to indicate that the accounting function on the server has completed and securely committed the record.)

QUESTION 57
Which two statements about PIM-DM are true? (Choose two.)

A. It forwards data packets on the shared distribution tree.
B. It delivers multicast traffic only when the data is explicitly requested.
C. It uses a unicast routing table to perform the RPF check.
D. It is most efficient when the network uses active receivers on every subnet.
E. It requires a rendezvous point.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
PIM DM

Dense mode: we forward multicast traffic on all interfaces until a downstream router requests us to stop forwarding. PIM dense mode is a push method where we use source-based trees.

https://networklessons.com/multicast/multicast-pim-dense-mode/
PIM dense mode doesn't use RPs so there is no reason at all for our routers to listen to the 224.0.1.40 group address. For whatever reason, as soon as you enable PIM then autoRP is also enabled and the router will listen to this group address. You can ignore this entry completely when you are working with PIM dense mode.

http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/ip_multicast/White_papers/rps.html#wp1030914
A rendezvous point (RP) is required only in networks running Protocol Independent Multicast sparse mode (PIM-SM).

http://www.cisco.com/c/en/us/td/docs/ios/solutions_docs/ip_multicast/White_papers/mcst_ovr.html#wp1009036
RPF Check

When a multicast packet arrives at a router, the router performs an RPF check on the packet. If the RPF check succeeds, the packet is forwarded. Otherwise, it is dropped.
For traffic flowing down a source tree, the RPF check procedure works as follows:
1. The router looks up the source address in the unicast routing table to determine if the packet has arrived on the interface that is on the reverse path back to the source.
2. If the packet has arrived on the interface leading back to the source, the RPF check succeeds and the packet is forwarded.
3. If the RPF check in Step 2 fails, the packet is dropped.

QUESTION 58
How can the tail drop algorithm support traffic shaping when the queue is filled?

A. It drops older TCP packets that are set to be redelivered due to errors on the link until the queue has room for more traffic.
B. It drops older packets with a size of 64 bytes or more until the queue has room for more traffic.
C. It drops new packets with a size of less than 64 bytes until the queue has room for more traffic.
D. It drops all new packets until the queue has room for more traffic.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
https://en.wikipedia.org/wiki/Tail_drop

Tail Drop, or Drop Tail, is a very simple queue management algorithm used by Internet routers, e.g. in the network schedulers, and network switches to decide when to drop packets. In contrast to the more complex algorithms like RED and WRED, in Tail Drop the traffic is not differentiated. Each packet is treated identically. With tail drop, when the queue is filled to its maximum capacity, the newly arriving packets are dropped until the queue has enough room to accept incoming traffic.

QUESTION 59
You have configured an authenticator switch in access mode on a network configured with NEAT. What RADIUS attribute must the ISE server return to change the switch's port mode to trunk?

A. EAP-Message=switch
B. Acct-Authentic=RADIUS
C. device-traffic-class=trunk
D. Authenticate=Administrative
E. Framed-Protocol=1
F. device-traffic-class=switch

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html

Supplicant Switch Authentication to Authenticator Switch

In this example, the supplicant authenticates to the authenticator. The steps in the process are:
1. The supplicant is configured and plugged into port fastethernet0/6. The dot1x exchange causes the supplicant to use EAP in order to send a pre-configured username and password to the authenticator.
2. The authenticator performs a RADIUS exchange and provides credentials for ISE validation.
3. If the credentials are correct, the ISE returns attributes required by NEAT (device-traffic-class=switch), and the authenticator changes its switchport mode from access to trunk.

QUESTION 60
IKEv2 provides greater network attack resiliency against a DoS attack than IKEv1 by utilizing which two functionalities? (Choose two.)

A. An IKEv2 responder does not initiate a DH exchange until the initiator responds with a cookie.
B. IKEv2 interoperates with IKEv1 to increase security in IKEv1.
C. IKEv2 only allows certificates for peer authentication.
D. With cookie challenge, IKEv2 does not track the state of the initiator until the initiator responds with a cookie.
E. IKEv2 only allows symmetric keys for peer authentication.
F. IKEv2 performs TCP intercept on all secure connections.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

IKEv2 provides better network attack resilience. IKEv2 can mitigate a DoS attack on the network when it validates the IPsec initiator. In order to make DoS vulnerability difficult to exploit, the responder can ask for a cookie to the initiator who has to assure the responder that this is a normal connection. In IKEv2, the responder cookies mitigate the DoS attack so that the responder does not keep a state of the IKE initiator or does not perform a D-H operation unless the initiator returns the cookie sent by the responder. The responder uses minimal CPU and commits no state to a Security Association (SA) until it can completely validate the initiator.

https://tools.ietf.org/html/rfc4306

To accomplish this, a responder SHOULD -- when it detects a large number of half-open IKE_SAs -- reject initial IKE messages unless they contain a Notify payload of type COOKIE. It SHOULD instead send an unprotected IKE message as a response and include COOKIE Notify payload with the cookie data to be returned. Initiators who receive such responses MUST retry the IKE_SA_INIT with a Notify payload of type COOKIE containing the responder supplied cookie data as the first payload and all other payloads unchanged. The initial exchange will then be as follows:

Initiator                                                  Responder
-----------                                                -----------
HDR(A,0), SAi1, KEi, Ni  -->

                                              <--  HDR(A,0), N(COOKIE)

HDR(A,0), N(COOKIE), SAi1, KEi, Ni  -->

                                              <--  HDR(A,B), SAr1, KEr, Nr, [CERTREQ]

HDR(A,B), SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}  -->

                                              <--  HDR(A,B), SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

QUESTION 61
Which two statements about the multicast address query messages are true? (Choose two.)

A. They are solicited when a node initializes the multicast process.
B. They are sent when a node discovers a multicast group.
C. They are used to discover whether a specified multicast address has listeners.
D. They are sent unsolicited when a node initializes the multicast process.
E. They are used to discover the multicast groups to which listeners on a link are subscribed.
F. They are usually sent only by a single router on a link.

Correct Answer: CF
Section: (none)
Explanation

Explanation/Reference:

The query message sent by the multicast routers can be one of three forms:

- General Query: group address and source address fields are zero.
- Group-Specific Query: group address field contains the group address, whereas the source address fields are zero.
- Group-and-Source-Specific Query: group address field contains the group address, and the source address fields contain the sources that are emanating the multicast streams.

QUESTION 62
What are four technologies that can be used to trace the source of an attack in a network environment with multiple exit/entry points? (Choose four.)

A. Remotely-triggered destination-based black holing
B. ICMP Unreachable messages
C. Sinkholes
D. Traffic scrubbing
E. A honey pot
F. NetFlow v9

Correct Answer: CDEF
Section: (none)
Explanation

Explanation/Reference:
DDoS mitigation is a set of techniques for resisting distributed denial-of-service (DDoS) attacks on networks attached to the Internet by protecting the target and relay networks.[1] This is done by passing network traffic addressed to the attacked network through high-capacity networks with "traffic scrubbing" filters.[2] DDoS mitigation requires correctly identifying incoming traffic to separate human traffic from human-like bots and hijacked web browsers. The process is done by comparing signatures and examining different attributes of the traffic, including IP addresses, cookie variations, HTTP headers, and JavaScript footprints.

In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, which are then blocked. This is similar to the police baiting a criminal and then conducting undercover surveillance, and finally punishing the criminal.

QUESTION 63
You have configured an NDAC seed switch as shown, but the switch is failing to allow other switches to securely join the domain. What command must you add to the seed switch's configuration to enable secure RADIUS communication? Refer to the exhibit.

A. Seed-Switch(config)#radius-server host 10.1.1.2 auth-port 1812 acct-port 1813 test username ndac-test pac key Cisco123
B. Seed-Switch(config)#radius-server vsa send accounting
C. Seed-Switch(config)#aaa preauth
D. Seed-Switch(config)#no dot1x system-auth-control
E. Seed-Switch(config)#radius-server host non-standard
F. Seed-Switch(config)#aaa authentication dot1x default group local

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/ident-conn_config.html

Configuration Examples for Seed Device

Catalyst 6500 configured as a Cisco TrustSec seed device:

Router# cts credentials id Switch1 password Cisco123
Router# configure terminal
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# aaa authorization network MLIST group radius
Router(config)# cts authorization list MLIST
Router(config)# aaa accounting dot1x default start-stop group radius
Router(config)# radius-server host 10.20.3.1 auth-port 1812 acct-port 1813 pac key AbCe1234
Router(config)# radius-server vsa send authentication
Router(config)# dot1x system-auth-control
Router(config)# exit

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3e/sec-usr-cts-xe-3e-book/sec-cts-ndac.pdf

Example: Configuring AAA on Cisco TrustSec Seed Devices

Device> enable
Device# cts credentials id CTS-One password cisco123
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa session-id common
Device(config)# radius server cts-aaa-server
Device(config-radius-server)# address ipv4 192.0.2.1 auth-port 1812 acct-port 1813
Device(config-radius-server)# pac key cisco123
Device(config-radius-server)# exit
Device(config)# radius-server vsa send authentication
Device(config)# aaa group server radius cts_sg
Device(config-sg-radius)# server name cts-aaa-server
Device(config-sg-radius)# exit
Device(config)# aaa authentication dot1x default group cts_sg
Device(config)# aaa authorization network default group cts_sg
Device(config)# aaa authorization network cts-mlist group cts_sg
Device(config)# cts authorization list cts-mlist
Device(config)# exit

QUESTION 64
What protocol provides security for datagram protocols?

A. LDP
B. MAB
C. GET
D. SCEP
E. DTLS

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
In information technology, the Datagram Transport Layer Security (DTLS) communications protocol provides communications security for datagram protocols. DTLS allows datagram-based applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. (Wikipedia)

QUESTION 65
What are two effects of the given configuration? (Choose two.) Refer to the exhibit.

A. It permits Parameter Problem messages that indicate an error in the header.
B. It permits Destination Unreachable messages that indicate a problem delivering the datagram to the destination address specified in the datagram.
C. It permits Time Exceeded messages that indicate the fragment assembly time was exceeded.
D. It permits Destination Unreachable messages that indicate the host specified in the datagram rejected the message due to filtering.
E. It permits Parameter Problem messages that indicate an unrecognized value in the Next Header field.
F. It permits Destination Unreachable messages that indicate an invalid port on the host specified in the datagram.

Correct Answer: BF
Section: (none)
Explanation

Explanation/Reference:
Destination unreachable is generated by the host or its inbound gateway[3] to inform the client that the destination is unreachable for some reason. A Destination Unreachable message may be generated as a result of a TCP, UDP or another ICMP transmission. Unreachable TCP ports notably respond with TCP RST rather than a Destination Unreachable type 3 as might be expected.

Code 3: address unreachable
Code 4: port unreachable

RFC 4890 ICMPv6 Filtering Recommendations May 2007

https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Destination_unreachable

QUESTION 66
Which two statements about the anti-replay feature are true? (Choose two.)

A. By default, the receiver uses a single 64-packet sliding window.
B. The replay error counter is incremented only when a packet is dropped.
C. The receiver performs a hash of each packet in the window to detect replays.
D. The sender assigns two unique sequence numbers to each encrypted packet.
E. The sender assigns two unique sequence numbers to each clear-text packet.
F. By default, the sender uses a single 1024-packet sliding window.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
IPsec provides anti-replay protection against an attacker who duplicates encrypted packets with the assignment of a monotonically increasing sequence number to each encrypted packet. The receiving IPsec endpoint keeps track of which packets it has already processed on the basis of these numbers with the use of a sliding window of all acceptable sequence numbers. Currently, the default anti-replay window size in the Cisco IOS implementation is 64 packets. This is illustrated in this figure:

If the sequence number falls within the window and was previously received, the packet is dropped, and the replay counter is incremented.

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html

QUESTION 67
What are two protocols that HTTP can use to secure sessions? (Choose two.)

A. AH
B. AES
C. SSL
D. HTTPS
E. TLS

Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 68
What command can you use to protect a router from TCP SYN-flooding attacks?

A. ip igmp snooping
B. rate-limit input <bps> <burst-normal> <burst-max>
C. ip tcp intercept list <access-list>
D. police <bps>
E. ip dns spoofing <ip-address>

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 69
What is the effect of the Cisco Application Control Engine (ACE) command ipv6 fragment min-mtu 1024?

A. It configures the interface to fragment packets on connections with MTUs of 1024 or less.
B. It sets the MTU to 1024 bytes for an IPv6 VLAN interface that accepts fragmented packets.
C. It configures the interface to attempt to reassemble only IPv6 fragments that are at least 1024 bytes.
D. It configures the interface to attempt to reassemble only IPv6 fragments that are less than 1024 bytes.
E. It configures the interface to fragment packets on connections with MTUs of 1024 or greater.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
To configure the minimum IPv6 fragment size that the ACE accepts for reassembly, enter the following command:

host1/C1(config-if)# ipv6 fragment min-mtu 1024

To reset the minimum fragment size to the default value of 1280 bytes, enter the following command:

host1/C1(config-if)# no ipv6 fragment min-mtu

http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/ACE_cr/if.html

QUESTION 70
Which two parameters can the HostScan feature scan before users log in? (Choose two.)

A. whether specific files are present
B. whether a proxy service is configured on a Linux host
C. whether specific IPv4 and IPv6 addresses are assigned
D. whether specific certificate authorities are configured
E. whether a specific keychain entry exists on an OS X host

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
A prelogin assessment checks for the following on the remote computer:

– Operating system

– Presence or absence of any files you specify.

– Presence or absence of any registry keys you specify. This check applies only if the computer is running Microsoft Windows.

– Presence of any digital certificates you specify. This check also applies only if the computer is running Microsoft Windows.

– IP address within a range you specify.

QUESTION 71
Which line in the given configuration contains a locally significant value? Refer to the exhibit.

A. ip nhrp holdtime 60
B. ip nhrp map multicast 150.1.1.1
C. ip nhrp network-id 123
D. tunnel key 123
E. ip nhrp authentication cisco

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp.html

The NHRP network ID is a local only parameter. It is significant only to the local router and it is not transmitted in NHRP packets to other NHRP nodes. For this reason the actual value of the NHRP network ID configured on a router need not match the same NHRP network ID on another router where both of these routers are in the same NHRP domain. As NHRP packets arrive on a GRE interface, they are assigned to the local NHRP domain in the NHRP network ID that is configured on that interface.

QUESTION 72
What are the three flag bits in an IPv4 header? (Choose three.)

A. TTL
B. Unused
C. Record Route
D. DF
E. MF
F. Timestamp

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:
http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/ip-packet.html

QUESTION 73
Drag and drop the steps in the Cisco ASA packet processing flow on the left into the correct order of operations on the right.

Select and Place:


Correct Answer:


Section: (none)
Explanation

Explanation/Reference:

QUESTION 74
Drag and drop the web attack types from the left to the corresponding descriptions of the attack on the right.

Select and Place:


Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 75
Drag each OSPF security feature on the left to its description on the right.

Select and Place:

Correct Answer:


Section: (none)
Explanation

Explanation/Reference:

QUESTION 76
Drag each IPsec term on the left to the definition on the right.

Select and Place:


Correct Answer:


Section: (none)
Explanation

Explanation/Reference:

QUESTION 77
Drag each Cisco TrustSec feature on the left to its description on the right.

Select and Place:


Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 78
Drag each step in the IPS anomaly detection configuration process on the left into the correct order of operations on the right.

Select and Place:

Correct Answer:


Section: (none)
Explanation

Explanation/Reference:

QUESTION 79
Drag each goal of PCI DSS on the left to the corresponding PCI DSS requirement on the right.

Select and Place:


Correct Answer:


Section: (none)
Explanation

Explanation/Reference:

QUESTION 80
Drag each ISE probe on the left to the matching statement on the right.

Select and Place:


Correct Answer:


Section: (none)
Explanation

Explanation/Reference:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_prof_pol.html#pgfId-2017188

DHCP Probe

The Dynamic Host Configuration Protocol probe in your Cisco ISE deployment, when enabled, allows the Cisco ISE profiling service to reprofile endpoints based only on new requests of INIT-REBOOT and SELECTING message types. Though other DHCP message types such as RENEWING and REBINDING are processed, they are not used for profiling endpoints. Any attribute parsed out of DHCP packets is mapped to endpoint attributes.

DHCP SPAN Probe

The DHCP Switched Port Analyzer (SPAN) probe, when initialized in a Cisco ISE node, listens to network traffic coming from network access devices on a specific interface. You need to configure network access devices to forward DHCP SPAN packets to the Cisco ISE profiler from the DHCP servers.

HTTP Probe

In the HTTP probe, the identification string is transmitted in an HTTP request-header field, User-Agent, which is an attribute that can be used to create a profiling condition of IP type, and to check the web browser information. The profiler captures the web browser information from the User-Agent attribute along with other HTTP attributes from the request messages, and adds them to the list of endpoint attributes.

HTTP SPAN Probe

The HTTP probe in your Cisco ISE deployment, when enabled with the Switched Port Analyzer (SPAN) probe, allows the profiler to capture HTTP packets from the specified interfaces. You can use the SPAN capability on port 80, where the Cisco ISE server listens to communication from the web browsers.

DNS Probe

The Domain Name Service (DNS) probe in your Cisco ISE deployment allows the profiler to look up an endpoint and get the fully qualified domain name (FQDN). After an endpoint is detected in your Cisco ISE-enabled network, a list of endpoint attributes is collected from the NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP probes.

Cisco Discovery Protocol Support with SNMP Query

When you configure SNMP settings on the network devices, you must ensure that the Cisco Discovery Protocol is enabled (by default) on all the ports of the network devices. If you disable the Cisco Discovery Protocol on any of the ports on the network devices, then you may not be able to profile properly because you will miss the Cisco Discovery Protocol information of all the connected endpoints.

QUESTION 81
All of these are available from Cisco IPS Manager (Cisco IDM) except which one?

A. Top Signatures
B. Sensor Information
C. Interface Status
D. Global Correlation Reports
E. CPU, Memory and Load

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:


QUESTION 82
Which statement regarding the routing function of the Cisco ASA is true?

A. The ASA supports policy-based routing with route maps.
B. The translation table can override the routing table for new connections.
C. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors.
D. Routes to the Null0 interface can be configured to black-hole traffic.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 83
What feature on a Cisco IOS router enables user identification and authorization based on per-user policies?

A. Netflow9
B. EEM
C. CBAC
D. IPsec
E. zone-based firewall
F. authentication proxy

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:

QUESTION 84
Which three options are components of mobile IPv6? (Choose three.)

A. home agent
B. correspondent node
C. binding node
D. discovery node
E. mobile node

Correct Answer: ABE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 85
Which three statements correctly describe the purpose and operation of IPv6 RS and RA messages? (Choose three.)

A. RS and RA packets are always sent to an all-nodes multicast address.
B. IPv6 RA messages can help host devices perform stateful or stateless address autoconfiguration. RS messages are sent by hosts to determine the addresses of routers.
C. IPv6 hosts learn connected router information from RA messages, which may be sent in response to an RS message.
D. Both IPv6 RS and RA packets are ICMPv6 messages.
E. RS and RA packets are used by IPv6 nodes to perform address resolution that is similar to ARP in IPv4.
F. RS and RA packets are used by the duplicate address detection function of IPv6.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 86
Which four statements about SeND for IPv6 are correct? (Choose four.)

A. It is facilitated by the Certification Path Request and Certification Path Response ND messages.
B. It defines secure extensions for NDP.
C. It protects against rogue RAs.
D. It authorizes routers to advertise certain prefixes.
E. Neighbor identity protection is provided by Cryptographically Generated Addresses that are derived from Diffie-Hellman key exchange.
F. It provides a method for secure default router election on hosts.
G. NDP exchanges are protected by IPsec SAs and provide for anti-replay.

Correct Answer: BCDF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 87


A. A NAT/PAT device is translating the local VPN endpoint.
B. No NAT/PAT device exists in the path between VPN endpoints.
C. A NAT/PAT device is translating the remote VPN endpoint.
D. A NAT/PAT device exists in the path between VPN endpoints.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 88
Which three nonproprietary EAP methods do not require the use of a client-side certificate for mutual authentication? (Choose three.)

A. EAP-FAST
B. EAP-TTLS
C. LEAP
D. PEAP
E. EAP-TLS

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 89

Select and Place:


Correct Answer:


Section: (none)
Explanation

Explanation/Reference:


QUESTION 90
Which three EAP methods require a server-side certificate? (Choose three.)

A. EAP-FAST
B. EAP-TLS
C. PEAP with MS-CHAPv2
D. AP-GTP
E. EAP-TTLS

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 91
Using Cisco IOS, which two object-group options will permit networks 10.1.1.0/24 to host 192.168.5.1 on ports 80 and 443? (Choose two.)

A.
object-group network SOURCE
 range 10.1.1.0 10.1.2.255
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
 tcp source gt 1024
!
access-list 101 permit object-group HTTP object-group SOURCE object-group DESTINATION

B.
object-group network SOURCE
 10.1.1.0 255.255.255.0
 10.1.2.0 10.1.2.255
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
 tcp source gt 1024
!
ip access-list extended ACL-NEW
 permit object-group HTTP object-group SOURCE object-group DESTINATION

C.
object-group network SOURCE
 10.1.1.0 0.0.0.255
 10.1.2.0 0.0.0.255
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
!
ip access-list extended ACL-NEW
 permit object-group SOURCE object-group DESTINATION object-group HTTP

D.
object-group network SOURCE
 10.1.1.0 255.255.255.0
 10.1.2.0 255.255.255.0
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
ip access-list extended ACL-NEW
 permit object-group SOURCE object-group DESTINATION object-group HTTP

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 92
Which signature engine is used to create a custom IPS signature on a Cisco IPS appliance that triggers when a vulnerable web application identified by the "/runscript.php" URI is run?

A. Service HTTP
B. Multi-string
C. AIC HTTP
D. Atomic IP
E. String TCP
F. META

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 93
Which of the following two options can you configure to avoid an iBGP full mesh? (Choose two.)

A. BGP NHT
B. confederation
C. route reflectors
D. local preference
E. virtual peering

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 94
Given the IPv4 address 10.10.100.16, which two addresses are valid IPv4-compatible IPv6 addresses? (Choose two.)

A. ::10:10:10:16
B. 0:0:0:0:0:10:10:100:16
C. ::A:A:64:10
D. 0:0:10:10:100:16:0:0:0

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:

QUESTION 95
Which four Cisco IOS features are used to implement First Hop Security in IPv6? (Choose four.)

A. IPv6 First-Hop Security Binding Table
B. IPv6 Device Tracking
C. IPv6 RA Guard
D. SeND
E. IPv6 Source Guard
F. IPv6 Selective Packet Discard

Correct Answer: ABCD
Section: (none)
Explanation

Explanation/Reference:


QUESTION 96
Which Category to Protocol mapping for NBAR is correct?

A. Category: Network Mail Services
   Protocol: MAPI, POP3, SMTP

B. Category: Enterprise Applications
   Protocol: Citrix ICA, PCAnywhere, SAP, IMAP

C. Category: Network Management
   Protocol: ICMP, SNMP, SSH, Telnet

D. Category: Internet
   Protocol: FTP, HTTP, TFTP

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 97
You run the show ipv6 port-map telnet command and you see that the port 23 (system-defined) message and the port 223 (user-defined) message are displayed. Which command is in the router configuration?

A. ipv6 port-map port 23 port 23223
B. ipv6 port-map port telnet 223
C. ipv6 port-map telnet port 23 233
D. ipv6 port-map telnet port 223

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:

QUESTION 98
What is an RFC 2827 recommendation for protecting your network against DoS attacks with IP address spoofing?

A. Browser-based applications should be filtered on the source to protect your network from known advertised prefixes.
B. Advertise only assigned global IP addresses to the Internet.
C. Use ingress filtering to limit traffic from downstream networks to known advertised prefixes.
D. Use the TLS protocol to secure the network against eavesdropping.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 99
In RFC 4034, DNSSEC introduced which four new resource record types? (Choose four.)

A. Zone Signing Key (ZSK)
B. Top Level Domain (TLD)
C. Delegation Signer (DS)
D. Next Secure (NSEC)
E. Resource Record Signature (RRSIG)
F. DNS Public Key (DNSKEY)

Correct Answer: CDEF
Section: (none)
Explanation

Explanation/Reference:

QUESTION 100
In Cisco Wireless LAN Controller (WLC), which web policy enables failed Layer 2 authentication to fall back to Web Auth authentication with a user name and password?

A. Splash Page Web Redirect
B. Passthrough
C. On MAC Filter Failure
D. Authentication
E. Conditional Web Redirect

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 101
Which ASA device is designated as the cluster master?

A. The ASA with the highest MAC address
B. The ASA with the lowest MAC address
C. The ASA configured with the highest priority value
D. The ASA configured with the lowest priority value

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Q52 is probably wrong:

Which ASA device is designated as the cluster master?
A. the ASA with the highest MAC address
B. the ASA with the lowest MAC address
C. the ASA configured with the highest priority value
D. the ASA configured with the lowest priority value
Answer: D instead of C.

The master unit is determined by the priority setting in the bootstrap configuration; the priority is set between 1 and 100, where 1 is the highest priority.

QUESTION 102
Which configuration is the correct way to change a GET VPN Key Encryption Key lifetime to 10800 seconds on the key server?

A.
crypto ipsec security association life-time seconds 10800

B.
crypto ipsec profile getvpn-profile
 set security-association lifetime seconds 10800
!
crypto gdoi group GET-Group
 identity number 1234
 server local
  sa ipsec 1
   profile getvpn-profile

C.
crypto isakmp policy 1
 lifetime 10800

D.
crypto gdoi group FETP-Group
 identity number 1234
 server local
  set security association lifetime seconds 10800

E.
crypto gdoi group GET Group
 identity 123
 server local
  rekey lifetime seconds 10800

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:

QUESTION 103
Why do you use a disk image backup to perform a forensic investigation?

A. The backup includes areas that are used for the data store.
B. The backup creates a bit-level copy of the entire disk.
C. The backup timestamps the files with the date and time during copy operations.
D. It is a secure way to perform a file copy.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 104


A. a SYN flood
B. spoofing
C. a duplicate ACK
D. TCP congestion control
E. a shrew attack

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 105
Which three statements about RLDP are true? (Choose three.)

A. It can detect rogue APs that use WPA encryption.
B. It detects rogue access points that are connected to the wired network.
C. The AP is unable to serve clients while the RLDP process is active.
D. It can detect rogue APs operating only on 5 GHz.
E. Active Rogue Containment can be initiated manually against rogue devices detected on the wired network.
F. It can detect rogue APs that use WEP encryption.

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 106
What Cisco IOS feature prevents an attacker from filling up the MTU cache for locally generated traffic when using path MTU discovery?

A. Force all traffic to send 1280-byte packets by hard coding the MSS.
B. Use NetFlow information to export data to a workstation.
C. Enable flow-label marking to track packet destinations.
D. Enable flow-label switching to track IPv6 packets in the MPLS cloud.
E. Always use packets of 1500 bytes in size or larger.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 107
Which three statements are true regarding the EIGRP update message? (Choose three.)

A. Updates can be sent to the multicast address 224.0.0.10.
B. ACKs for updates are handled by TCP mechanisms.
C. Updates always include all routes known by the router, with partial updates sent in the Reply message.
D. Updates are sent as unicasts when they are retransmitted.
E. Updates require an acknowledgment with an ACK message.

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 108
Which command enables fast-switched PBR?

A. router(config-if)# ip policy route-map map-tag
B. router(config-if)# no ip policy route-map map-tag
C. router(config-if)# ip route-cache policy
D. router(config-if)# no ip route-cache policy

Correct Answer: CSection: (none)Explanation

Explanation/Reference:

QUESTION 109
Which two address translation types can map a group of private addresses to a smaller group of public addresses? (Choose two)

A. static NAT
B. dynamic NAT with overloading
C. VAT
D. PAT
E. dynamic NAT

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 110
Which three basic security measures are used to harden MSDP? (choose three)

A. Loopback interface as MSDP originator-ID
B. MSDP SA filters
C. MSDP neighbor limitation
D. MSDP state limitation
E. MSDP MD5 neighbor authentication

Correct Answer: BDE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 111
Refer to the exhibit. Which configuration is required to enable the exporter?

flow exporter-map Genie 1
 version v9
 transport udp 11000
 destination 10.0..255.150

A. cache timeout active 60
B. source loopback0
C. cache timeout inactive 60
D. next-hop address

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:


QUESTION 112
Which three statements are true about Cryptographically Generated Addresses for IPv6? (Choose three)

A. The minimum RSA key length is 512 bits
B. SHA or MD5 is used during their computation
C. They are used for securing neighbor discovery using SeND
D. They are derived by generating a random 128-bit IPv6 address based on the public key of the node
E. They prevent spoofing and stealing of existing IPv6 addresses
F. The SHA-1 hash function is used during their computation

Correct Answer: CEF
Section: (none)
Explanation

Explanation/Reference:
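As an added example (not part of this exam dump and not Cisco code), the following Python implements the RFC 3972 CGA construction that options C, E and F refer to: the SHA-1 based Hash1 and Hash2 computations, the Sec parameter carried in the three leftmost bits of the interface identifier, and the verification that a SEND receiver performs. The public-key bytes and the 2001:db8:0:1::/64 prefix are constructed placeholders, not a real RSA key or a real network.

```python
"""RFC 3972 CGA generation and verification (added example, not from the page)."""
import hashlib
import ipaddress
import os
from typing import Optional

# Constructed placeholder standing in for the DER-encoded SubjectPublicKeyInfo
# that RFC 3972 hashes; it is NOT a real RSA key. Any byte string works here.
PLACEHOLDER_PUBKEY = b"\x30\x59" + bytes(range(89))


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # Hash2 = leftmost 112 bits of SHA-1(modifier || 9 zero octets || pubkey);
    # its leftmost 16*Sec bits must be zero (RFC 3972 section 4, step 2).
    hash2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return hash2[: 2 * sec] == bytes(2 * sec)


def _interface_id(modifier: bytes, prefix: bytes, collision_count: int,
                  pubkey: bytes, sec: int) -> bytes:
    # Hash1 = leftmost 64 bits of SHA-1(modifier || prefix || collision count || pubkey).
    # The three leftmost bits then carry Sec and the u/g bits (bits 6 and 7) are cleared.
    raw = hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]
    first = (raw[0] & 0x1C) | (sec << 5)
    return bytes([first]) + raw[1:]


def generate_cga(prefix: bytes, pubkey: bytes, sec: int,
                 modifier: Optional[bytes] = None, collision_count: int = 0):
    """Return (IPv6Address, CGA parameters). Sec > 0 costs about 2^(16*Sec) SHA-1 calls."""
    if not 0 <= sec <= 7 or len(prefix) != 8 or collision_count not in (0, 1, 2):
        raise ValueError("bad CGA parameters")
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    # Steps 2-3: increment the modifier until Hash2 has 16*Sec leading zero bits.
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    iid = _interface_id(modifier, prefix, collision_count, pubkey, sec)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + iid), params


def verify_cga(addr: ipaddress.IPv6Address, params: dict) -> bool:
    """RFC 3972 section 5: recompute Hash1 and Hash2 from the CGA parameters.
    Sec is read from the address itself, so a sender cannot claim a weaker one."""
    packed = addr.packed
    prefix, iid = packed[:8], packed[8:]
    if params["collision_count"] not in (0, 1, 2) or params["prefix"] != prefix:
        return False
    sec = iid[0] >> 5
    expected = _interface_id(params["modifier"], prefix,
                             params["collision_count"], params["pubkey"], sec)
    # Compare Hash1 ignoring bits 0-2 (Sec) and 6-7 (u/g), as the RFC specifies.
    if (expected[0] & 0x1C) != (iid[0] & 0x1C) or expected[1:] != iid[1:]:
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)


if __name__ == "__main__":
    subnet = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64, documentation prefix
    address, cga_params = generate_cga(subnet, PLACEHOLDER_PUBKEY, sec=1, modifier=bytes(16))
    print(address, verify_cga(address, cga_params))
```

The point worth noticing is the asymmetry: the generator pays 2^(16*Sec) hashes once, while an attacker who wants to claim the same address with a different key must pay the same again per attempt, which is what makes option E true without any PKI behind the address.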

QUESTION 113
Which three routing characteristics are relevant for DMVPN Phase 3? (choose three)

A. Spokes are only routing neighbors with hubs
B. Split-horizon must be turned off for RIP and EIGRP
C. Spokes are routing neighbors with hubs and other spokes
D. Hubs are routing neighbors with other hubs and must use the same routing protocol as that used on hub-spoke tunnels
E. Hubs must not preserve the original IP next-hop
F. Hubs must preserve the original IP next-hop

Correct Answer: ADE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 114

A. It was generated by an access point when it received a join request message from a LAN controller
B. It was generated by a LAN controller when it responded to a join request from an access point
C. It was generated by an access point when it sent a join reply message to a LAN controller
D. It was generated by a LAN controller when it generated a join request to an access point

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 115
Which three multicast features are supported on the Cisco ASA? (choose three)

A. IGMP forwarding
B. Auto-RP
C. PIM sparse mode
D. PIM dense mode
E. NAT of multicast traffic

Correct Answer: ACE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 116
Refer to the exhibit. You have determined that RouterA is sending a high number of fragmented packets from the s0 interface to the web server, causing performance issues on RouterA. What configuration can you perform to send the fragmented packets to the workstation at 10.0.0.2 for analysis?

A.

B.

C.

D.

E.

F.

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:

QUESTION 117
Which two statements about port security are true? (choose two)

A. The secure port can belong to an EtherChannel
B. When a violation occurs on a port in switchport port-security violation shutdown mode, the switchport is taken out of service and placed in the err-disabled state
C. The secure port must be an access port
D. The secure port can be a SPAN destination port
E. When a violation occurs on a port in switchport port-security violation restrict mode, data is restricted and the switch writes the violation to a log file
F. When a violation occurs on a port in switchport port-security violation restrict mode, the switchport is taken out of service and placed in the err-disabled state

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 118
What are two of the valid IPv6 extension headers? (choose two)

A. Authentication Header
B. Options
C. Protocol
D. Next Header
E. Mobility
F. Hop Limit

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 119
What are the three response types for SCEP enrollment requests? (choose three)

A. PKCS#7
B. Reject
C. Pending
D. PKCS#10
E. Success
F. Renewal

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 120
Which of the following are two valid TLS message content types? (choose two)

A. Alert
B. Application data
C. Proxy
D. Identity
E. Notification

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
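Added example, not from the original page: a Python parser for the TLS record layer that accepts only the four registered content types (change_cipher_spec, alert, handshake, application_data), rejects oversized or truncated records, and decodes alert bodies. The record stream is constructed inline; the handshake body is a placeholder, not a valid ClientHello.

```python
"""TLS record-layer parser (added example, not from the page)."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
                      70: "protocol_version"}
MAX_RECORD = 2 ** 14 + 2048   # TLS 1.2 ciphertext ceiling (RFC 5246 section 6.2.3)


def parse_tls_records(data: bytes):
    """Split data into (content type name, (major, minor), body) tuples.
    Unknown content types and bad lengths raise instead of being skipped."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack(">BBBH", data[off:off + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"invalid content type {ctype}")
        if length > MAX_RECORD:
            raise ValueError("record exceeds maximum length")
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), body))
        off += 5 + length
    return records


def decode_alert(body: bytes):
    """An alert body is exactly two octets: AlertLevel, AlertDescription."""
    if len(body) != 2:
        raise ValueError("alert body must be 2 octets")
    return (ALERT_LEVELS.get(body[0], "unknown"),
            ALERT_DESCRIPTIONS.get(body[1], f"alert_{body[1]}"))


def is_valid_record_stream(data: bytes) -> bool:
    try:
        parse_tls_records(data)
        return True
    except ValueError:
        return False


def build_record(ctype: int, body: bytes, version=(3, 3)) -> bytes:
    return struct.pack(">BBBH", ctype, version[0], version[1], len(body)) + body


# Constructed stream: a placeholder handshake record (not a real ClientHello),
# a fatal handshake_failure alert, then an application_data record.
SAMPLE = (build_record(22, bytes([1, 0, 0, 4, 3, 3, 0, 0]))
          + build_record(21, bytes([2, 40]))
          + build_record(23, b"GET / HTTP/1.1\r\n"))

if __name__ == "__main__":
    for name, version, body in parse_tls_records(SAMPLE):
        print(name, version, decode_alert(body) if name == "alert" else len(body))
```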

QUESTION 121
What are the two most common methods that security auditors use to assess an organization's security processes? (choose two)

A. social engineering attempts
B. interviews
C. policy assessment
D. penetration testing
E. document review

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 122
What command can you use to display the number of malformed messages received by the DHCP server?

A. show ip dhcp relay information trusted-sources
B. show ip dhcp server statistics
C. show ip dhcp conflict
D. show ip dhcp binding
E. show ip dhcp database

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 123
Which two statements about Network Edge Authentication Technology (NEAT) are true? (choose two)

A. It can be configured on both access and trunk ports
B. It allows you to configure redundant links between authenticator and supplicant switches
C. It can be configured on both access ports and EtherChannel ports
D. It supports port-based authentication on the authenticator switch
E. It conflicts with auto-configuration
F. It requires a standard ACL on the switch port

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 124

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 125
Which option describes the purpose of the RADIUS VAP-ID attribute?

A. It sets the minimum bandwidth for the connection
B. It identifies the VLAN interface to which the client will be associated
C. It specifies the WLAN ID of the wireless LAN to which the client belongs
D. It sets the maximum bandwidth for the connection
E. It specifies the ACL ID to be matched against the client
F. It specifies the priority of the client

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:

QUESTION 126
What is the first step in performing a risk assessment?

A. Identifying critical services and network vulnerabilities and determining the potential impact of their compromise or failure
B. Investigating reports of data theft or security breaches and assigning responsibility
C. Terminating any employee believed to be responsible for compromising security
D. Evaluating the effectiveness and appropriateness of the organization's current risk-management activities
E. Establishing a security team to perform forensic examinations of previous known attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 127

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:

QUESTION 128
Which of the following Cisco IPS signature engines has relatively high memory usage?

A. The STRING-TCP engine
B. The NORMALIZER engine
C. The STRING-UDP engine
D. The STRING-ICMP engine

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 129
Which two commands would enable secure logging on a Cisco ASA to a syslog server at 10.0.0.1? (choose two)

A. logging host inside 10.0.0.1 UDP/514 secure
B. logging host inside 10.0.0.1 TCP/1470 secure
C. logging host inside 10.0.0.1 UDP/500 secure
D. logging host inside 10.0.0.1 UDP/447 secure
E. logging host inside 10.0.0.1 TCP/1500 secure

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 130
What are two functions that ESMTP application inspection provides when enabled on the ASA? (choose two)

A. It generates an audit trail when it rejects invalid commands
B. It scans MAIL and RCPT commands for invalid characters and other anomalies
C. It supports both SMTP and ESMTP sessions
D. It supports private extensions
E. It supports extended SMTP commands, such as ONEX and VERB
F. It protects the network from SMTP application inspection and phishing attacks

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 131
What protocol is responsible for issuing certificates?

A. SCEP
B. AH
C. GET
D. ESP
E. DTLS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 132
Two routers are trying to establish an OSPFv3 adjacency over an Ethernet link, but the adjacency is not forming. Which two options are possible reasons that prevent the OSPFv3 adjacency from forming between these two routers? (Choose two.)

A. mismatched area types
B. mismatched subnet masks
C. mismatched network types
D. mismatched authentication types
E. mismatched instance IDs

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:

QUESTION 133

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
Notes: posture-remediation ACL

permit udp any any eq domain
permit icmp any any
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any host ise eq 8443
permit tcp any host ise eq 8905
permit tcp any host gw eq 8905
permit tcp any host ise eq 8909
permit udp any host ise eq 8905
permit udp any host gw eq 8905
permit udp any host ise eq 8906
permit udp any host ise eq 8909

Drag and drop on the theory of ISE web authentication. Memorize the port numbers (in the ACL, host 10.10.10.1 is the ISE):

DNS: UDP 53
DHCP: bootps/bootpc
• UDP/TCP 8905: Used for posture communication between NAC Agent and ISE (Swiss port).
• UDP/TCP 8909: Used for client provisioning.
• TCP 8443: Used for guest and posture discovery.

Note: ISE no longer uses legacy port TCP 8906.

QUESTION 134

Select and Place:

Correct Answer:

Section: (none)
Explanation

Explanation/Reference:
There are four major roles involved with the change management process, each with separate and distinct responsibilities. In the order of their involvement in a normal change, the roles are:

• Change initiator: The change initiator is the person who initially perceives the need for the change and develops, plans, and executes the steps necessary to meet the initial requirements for a Request for Change (RFC), for example a product manager, network architect, network engineer, service manager, security manager or support tier 1, 2 or 3.

• Change manager: Larger organizations require a dedicated change manager who is responsible for all changes, including:
– Updating and communicating change procedures
– Leading a team to review and accept completed change requests with a focus on higher-risk changes
– Managing and conducting periodic change review meetings
– Compiling and archiving change requests
– Auditing network changes to ensure that:
  – Change was recorded correctly with work matching the RFC
  – Change had appropriate risk level
  – Configuration items were updated appropriately
  – Documentation was updated appropriately
– Change communication and notification
– Managing change postmortems
– Creating and compiling change management metrics

• Change advisory board: The change advisory board (CAB) is a body that exists to support the authorization of changes and to assist change management in the assessment and prioritization of changes. When a CAB is convened, members should be chosen who are capable of ensuring that all changes within the scope of the CAB are adequately assessed from both a business and a technical viewpoint. The CAB may be asked to consider and recommend the adoption or rejection of changes appropriate for higher-level authorization, and then recommendations will be submitted to the appropriate change authority. Potential members include:
– Customers
– User managers
– User group representatives
– Applications developers/maintainers
– Specialists/technical consultants
– Services and operations staff, such as service desk, test management, continuity management, security, and capacity
– Facilities/office services staff (where changes may affect moves/accommodation and vice versa)
– Contractors' or third parties' representatives, in outsourcing situations, for example
– Other parties as applicable to specific circumstances (such as marketing if public products are affected)

• Change implementation team (operations)

http://www.cisco.com/c/en/us/products/collateral/services/high-availability/white_paper_c11-458050.html

QUESTION 135
Which statements about traffic between interfaces with the same security level on the ASA are true? (choose three)

A. The ASA supports 101 security levels and more than 101 interfaces (including subinterfaces)
B. The ASA can assign different interfaces to the same security level
C. By default, traffic between interfaces with the same security level is not allowed
D. The ASA enables inter-interface communication by default

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:

QUESTION 136

A. AH
B. ESP
C. GRE
D. IP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:

QUESTION 137
Which statements about WPA2 with CCMP encryption are true? (choose three)

A. AES Counter Mode is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key
B. AES Counter Mode is a block cipher that encrypts 256-bit blocks of data at a time with a 256-bit encryption key
C. It encrypts all traffic from the AP to the host
D. The CCMP algorithm produces a message integrity code (MIC) that provides data origin authentication and data integrity for the wireless frame
E. CCMP is also referred to as CBC-IN-MAC

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 138
Which are OSPFv3 authentication mechanisms? (choose two)

A. AH
B. ESP
C. MD5
D. SHA
E. IP
F. GRE

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:

QUESTION 139
When you configure ip port-map http port 8080, what is the output?

A.

B.

C.

D.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:

QUESTION 140
Which is a new feature of ASA version 9.2?

A. It is not possible to point to null0
B. Support for policy-based routing with a route-map
C. The backup ASA forms an OSPF neighbor
D. bla bla

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference: