Download - Final Ccna Security A
-
8/2/2019 Final Ccna Security A
1/20
Cisco CCNA
1. What will be disabled as
aaa new-model glo
change to the confi
password encrypti
ability to access R
2. What occurs after RSA
device management?
All vty ports are auto
The general-purpose
key generate rsa gen
The keys must be zer
parameters.
The generated keys c
3. Which action best descri
altering the MAC ad
bombarding a switch
forcing the election o
flooding the LAN wi
4. What functionality is pr
It mitigates MAC ad
It mirrors traffic that
traffic analysis.
It protects the switch
be receiving them.
It inspects voice prot
conform to voice sta
It copies traffic that
to a syslog or SNMP
5. What precaution should
command has been issue
The passwords in th
IOS recovery requir
When the password
The device must us
authentication.
6. A network technician is
Security, final exam.
a result of the no service password-recove
bal configuration command.
uration register.
n service.
Mmon.
eys are generated on a Cisco router to prepa
matically configured for SSH to provide sec
key size must be specified for authentication
ral-keys mo command.
oized to reset secure shell before configuring
an be used by SSH.
be a MAC address spoofing attack?
ress of an attacking host to match that of a l
with fake source MAC addresses.
f a rogue root bridge
h excessive traffic
vided by Cisco SPAN in a switched network
ress overflow attacks.
passes through a switch port or VLAN to an
d network from receiving BPDUs on ports t
cols to ensure that SIP, SCCP, H.323, and
dards.
asses through a switch interface and sends th
server for analysis.
be considered when the no service passwor
d on an IOS device?
e configuration files are in clear text.
s a new system flash with the IOS image.
is lost, access to the device will be terminate
simple password authentication and cannot
onfiguring SNMPv3 and has set a security l
y command ?
e for secure
re management.
with the crypto
other
gitimate host.
?
ther port for
hat should not
GCP requests
e data directly
recovery
.
have user
vel of auth.
What is the effect of this
Authenticates a pack
Authenticates a pack
Authenticates a pack
method.
Authenticates a pack
algorithms and encry
algorithms.
7.
Refer to the exhibit. Whi
remote-access GR
remote-access IPse
remote-access SSL
site-to-site GRE V
site-to-site IPsec V
site-to-site SSL VP
8. Router(config)# ntp aut
Router(config)# ntp aut
Router(config)# ntp tru
Refer to the exhibit. Wh
Authentication with t
from the NTP master
Authentication with t
time from the NTP m
Authentication with t
NTP master.
Authentication with t
the NTP master.
9. What login enhancement
attacks?
exec-timeout
login block-for
privilege exec level
service password-e
10. What are access attack
setting?
t using the SHA algorithm only.
t by a string match of the username or com
t by using either the HMAC with MD5 met
t by using either the HMAC MD5 or HMA
ts the packet using either the DES, 3DES or
ch type of VPN is implemented?
VPN
VPN
VPN
N
N
N
enticate
entication-key 42 md5 aNiceKey
ted-key 2
t will be the effect of the commands that are
he NTP master will be successful, and R1 wi
.
he NTP master will be successful, but R1 wi
aster.
he NTP master will fail, and R1 will get the t
he NTP master will fail, and R1 will not get
configuration command helps successive lo
cryption
?
unity string.
od or the SHA
SHA
AES
shown on R1?
ll get the time
ll not get the
ime from the
he time from
in DoS
attacks that prevent
attacks that modify
attacks that exploit
attacks that involve
services, and vulner
11. Nov 30 11:00:24 EST:
(10.64.2.2)
Refer to the exhibit. An
What can be determine
This is a notificat
This is an alert m
This is an error m
This is an error m
12. Which three major sub
that meets the security
end-user polici
departmental p
governing polic
human resource
organizational
technical polici
13. R1(config)# logging h
R1(config)# logging tr
R1(config)# logging so
R1(config)# logging o
Refer to the exhibit. An
router R1. At what trap
14. Which mitigation techn
root guard
BPDU guard
storm contro
switchport s
15. An organization requir
IOS commands. Which
TACACS+ becaus
users from accessing network services
r corrupt traffic as that traffic travels across
ulnerabilities to gain access to sensitive info
the unauthorized discovery and mapping of
ability
%SYS-5-CONFIG-I: Configured from cons
administrator is examining the message in a
from the message?
ion message for a normal but significant con
ssage for which immediate action is needed
essage for which warning conditions exist.
essage indicating the system is unusable
olicies should comprise a comprehensive se
eeds of a typical enterprise? (Choose three)
s
licies
ies
policies
olicies
s
st 10.1.1.17
p errors
urce-interface loopback 0
administrator has entered the commands tha
level is the logging function set?
ique can help prevent MAC table overflow a
l
curity
s that individual users be authorized to issue
AAA protocols support this requirement?
e it separates authentication and authorizatio
the network
rmation
ystems,
le by vty0
syslog server.
ition
urity policy
t are shown on
2
3
5
6
ttacks?
specific Cisco
n, allowing for
more customizatio
RADIUS because
TACACS+ becaus
basis.
RADIUS because
process.
16.
Refer to the exhibit. Ba
statement is true?
The signatures in al
The signatures in al
IPS.
Only the signatures
and used by the IPS
The signatures in th
signatures will be c
17.
Refer to the exhibit. Ba
examined by the IPS th
Traffic that is ini
http traffic that i
return traffic fro
traffic that is des
no traffic will be
n.
it supports multiple protocols, including AR
e it supports extensive accounting on a per-u
it implements authentication and authorizati
sed on the IPS configuration that is provided
l categories will be retired and not be used b
l categories will be compiled into memory an
in the ios_ips basic category will be compile
.
ios_ips basic category will be retired and th
mpiled into memory and used by the IPS.
sed on the provided configuration, which tra
at is configured on router R1?
tiated from LAN 1 and LAN 2
initiated from LAN 1
the web server
tined to LAN 1 and LAN 2
inspected
and NetBEUI.
ser or per-group
n as one
, which
the IPS.
d used by the
into memory
e remaining
fic will be
18.
Refer to the exhibit. An
Firewall Configuration
selects the Finish butto
zone security
zone security
zone member
zone member
19. Which two statements
applying ACLs? (Choo
Multiple ACLs per
If an ACL contains
The most specific A
down sequential nat
Standard ACLs are
placed closest to the
If a single ACL is t
a unique number fo
20. Which three statements
IPsec is a framewor
IPsec is implemente
IPsec ensures data i
IPsec uses digital c
IPsec is bound to sp
IPsec authenticates
21. Which three additional
in addition to local acc
A legal notice sho
All activity to the
unrestricted.
All configuration a
All administrative
administrator is configuring ZPF using the
wizard. Which command is generated after t
?
Out-zone on interface Fa0/0
Out-zone on interface S0/0/0
security Out-zone on interface Fa0/0
security Out-zone on interface s0/0/0
escribe appropriate general guidelines for c
se two)
rotocol and per direction can be applied to a
no permit statements, all traffic is denied by
CL statements should be entered first becaus
ure of ACLs.
laced closest to the source, whereas Extend
destination.
be applied to multiple interfaces, it must be
each interface.
are characteristics of the IPsec protocol? (C
of open standards.
d at Layer 4 of the OSI model.
ntegrity by using a hash algorithm.
rtificates to guarantee confidentiality
ecific encryption algorithms, such as 3DES
users and devices that communicate indepen
precautions should be taken when remote ac
ss of networking devices? (Choose three)
ld not be displayed when access is obtained.
pecified ports that are required for access sh
ctivities should required the use of SSH or H
raffic should be dedicated to the manageme
DM Basic
e administrator
nfiguring and
n interface.
efault.
e of the top-
d ACLs are
configured with
oose three)
nd AES.
ently.
ess is required
uld be
TTPS.
t network.
The number of fail
attempts should.
Packet filtering sh
and protocols can
22. Which statement descri
policy firewall?
An interface can bel
The router always fi
The CBAC ip inspe
interfaces that are i
A zone must be con
be used in the zone-
23. What is a result of secu
Configuration feature?
The Cisco IOS ima
command.
The Cisco IOS ima
server.
The Cisco IOS ima
NVRAM.
When the router bo
location
24. What are three commo
(Choose three)
Authenticating adm
Authenticating rem
VPN connections
Implementing publi
peers using digital c
Implementing com
Securing the router
Tracking Cisco Net
25. When port security is e
when the maximum nu
The violation mod
The MAC address
the table.
The port remains
addresses are aged
The port is shut d
d login attempts should not be limited, but t
uld be required so that only identified admin
ain access.
bes a factor to be considered when configuri
ong to multiple zones.
lters the traffic between interfaces in the sam
t command can coexist with ZPF as long as
the same security zones.
figured with the zone security global comma
member security command.
ring the Cisco IOS image using the Cisco IO
e file is not visible in the output of the show
e is encrypted and then automatically backe
e is encrypted and then automatically backe
ts up, the Cisco IOS image is loaded from a
examples of AAA implementation on Cisc
inistrator access to the router console port, a
te users who are accessing the corporate LA
key infrastructure to authenticate and autho
ertificates
and authorization with TACACS+
by locking down all unused services
low accounting statistics
abled on a Cisco Catalyst switch, what is th
ber of allowed MAC addresses is exceeded
e for the port is set to restrict.
table is cleared, and the new MAC address i
nabled, but the bandwidth is throttled until t
out.
wn.
he time between
istration hosts
g a zone-based
e zone.
it is used on
nd before it can
S Resilient
flash
up to a TFTP
up to the
secure FTP
routers?
d vty ports
N through IPsec
rize IPsec VPN
default action
?
s entered into
e old MAC
26. Which three statements
AH uses IP protoc
AH provides encry
AH provides integ
ESP uses UDP pro
ESP requires both
ESP provides encr
27. Which three statements
command authorization
There is no access
The root user must
Commands set on
users
Views are required
Creating a user acc
tedious process
It is required that al
28. Which Cisco IOS confi
category named ios_ips
R1(config)# i
R1(config-ips-
R1(config-ips-
R1(config)# i
R1(config-ips-
R1(config-ips-
R1(config)# i
R1(config-ips-
R1(config-ips-
R1(config)# i
R1(config-ips-
R1(config-ips-
29.
Refer to the exhibit. An
However, SDEE messa
Issue the loggin
Issue the ip ips
Issue the ip audi
Issue the clear i
describe the IPsec protocol framework? (Ch
l 51.
ption and integrity.
ity and authentication.
tocol 50.
authentication and encryption.
ption, authentication, and integrity.
describe limitations in using privilege levels
? (Choose three.)
ontrol to specific interfaces on a router.
be assigned to each privilege level defined.
higher privilege level are not available for l
to define the CLI commands that each user c
unt that needs access to most but not all co
l 16 privilege levels be defined, whether the
guration option instructs the IPS to compile
into memory and use it to scan traffic?
ips signature-category
category)# category all
category-action)# retired false
ips signature-category
category)# category ios_ips basic
category-action)# retired false
ips signature-category
category)# category all
category-action)# enabled true
ips signature-category
category)# category ios_ips basic
category-action)# enabled true
administrator has configured router R1 as in
ges fail to log. Which solution corrects this p
on command in global configuration.
otify sdee command in global configuration
t notify log command in global configuratio
ips sdee events command to clear the SDE
oose three)
for assigning
wer privileged
an access.
mands can be a
are used
signature
dicated.
roblem?
.
n.
buffer.
30. Which three principles
three.)
adaptability
collaboration
insulation
integration
mitigation
scalability
31. What are two disadvant
Network IPS has a
if an attack was suc
Network IPS is inca
Network IPS is ope
platform.
Network IPS is una
network is being att
Network IPS sensor
32. Which access list state
10.1.129.100 port 4300
access-list 101 per
access-list 101 per
access-list 101 per
eq www
access-list 101 per
eq www
access-list 101 per
4300
33. Which type of SDM rul
network based on proto
NAC rule
NAT rule
IPsec rule
access rule
are enabled by a Cisco Self-Defending Netw
ages of using network IPS? (Choose two.)
ifficult time reconstructing fragmented traffi
essful.
pable of examining encrypted traffic.
ating system-dependent and must be custom
le to provide a clear indication of the extent
acked.
s are difficult to deploy when new networks
ent permits HTTP traffic that is sourced fro
and destined to host 192.168.30.10?
mit tcp any eq 4300
mit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0
mit tcp 10.1.129.0 0.0.0.255 eq www 192.16
mit tcp 10.1.128.0 0.0.1.255 eq 4300 192.16
mit tcp host 192.168.30.10 eq 80 10.1.0.0 0.
e is created to govern the traffic that can ent
col and port number?
rk? (Choose
c to determine
ized for each
to which the
re added.
host
0.0.255.255
8.30.10 0.0.0.0
.30.0 0.0.0.15
.255.255 eq
r and leave the
34.
Refer to the exhibit. W
Configure menu, which
Choose Additional
Choose Additional
and output protocol
Choose Additional
keys.
Choose Additional
input and output pr
Choose Additional
Choose Additional
SSH as the input an
35.
Refer to the exhibit. W
on switch S1? (Choose
Port Fa0/5 storm co
percent of the total
Port Fa0/6 storm co
exceeds 2,000,000
Port Fa0/6 storm co
2,000,000 packets p
Port Fa0/5 storm co
percent of the total
Port Fa0/5 storm co
exceeds 80.1 percen
36.
Refer to the exhibit. W
within 10 seconds usin
Subsequent virtual
en configuring SSH on a router using SDM
two steps are required? (Choose two.)
Tasks > Router Access > SSH to generate th
Tasks > Router Access > VTY to specify SS
.
Tasks > Router Properties > Netflow to gene
Tasks > Router Properties > Logging to spec
tocol.
Tasks > Router Access > AAA to generate t
Tasks > Router Access > Management Acce
d output protocol
ich two statements are correct regarding the
two.)
ntrol for broadcasts will be activated if traffi
andwidth.
ntrol for multicasts and broadcasts will be ac
ackets per second.
ntrol for multicasts will be activated if traffic
er second.
ntrol for multicasts will be activated if traffic
andwidth.
ntrol for broadcasts and multicasts will be ac
t of 2,000,000 packets per second.
ich three things occur if a user attempts to l
an incorrect password? (Choose three.)
login attempts from the user are blocked for
from the
RSA keys.
H as the input
rate the RSA
ify SSH as the
e RSA keys.
s to specify
configuration
exceeds 80.1
ivated if traffic
exceeds
exceeds 80.1
ivated if traffic
g in four times
60 seconds.
During the quiet m
network 172.16.1.
Subsequent consol
A message is gene
user.
During the quiet m
No user can log in
37. Which type of Layer 2
LAN storm
MAC address s
MAC address t
STP manipulati
VLAN attack
38. What occurs after RSA
device management?
All vty ports are aut
management.
The general-purpos
crypto key generate
The keys must be z
parameters.
The generated keys
39. An organization has m
sites to view inventory
securely access all of th
clientless SS
remote-acces
site-to-site I
HTTPS-ena
40. Which two guidelines r
Apply in-band man
production network.
Implement separate
management netwo
Attach all network
Use IPSec, SSH, or
41. Which three command
three.)
ode, an administrator can virtually log in fro
/24.
e login attempts are blocked for 60 seconds.
rated indicating the username and source IP
ode, an administrator can log in from host 1
virtually from any host for 60 seconds.
attack makes a host appear as the root bridge
poofing
able overflow
on
keys are generated on a Cisco router to prep
omatically configured for SSH to provide se
key size must be specified for authenticatio
rsa general-keys mo command.
roized to reset secure shell before configurin
can be used by SSH.
bile workers who use corporate-owned lapto
and place orders. Which type of VPN allows
e client/server applications of the organizatio
VPN
IPsec VPN
sec VPN
led SSL VPN
elate to in-band network management? (Cho
gement only to devices that must be manage
network segments for the production networ
k.
evices to the same management network.
SL
are required to configure SSH on a Cisco ro
any host on
ddress of the
2.16.1.2.
for a LAN?
re for secure
ure
n with the
g other
s at customer
hese workers to
n?
se two.)
d on the
and the
ter? (Choose
ip domain-name n
transport input ssh
no ip domain-look
password password
service password-
crypto key generat
42. An administrator needs
privileged EXEC com
custom account?
privilege exec lev
privilege exec lev
privilege exec lev
privilege exec lev
43.
Refer to the exhibit. An
applied it to interface s
leaving interface serial
The resulting ac
The resulting ac
port number.
The source IP a
out interface se
The traffic is dr
44. Which statement descri
router itself?
The ACL must be a
The ACL is applied
Apply the ACL to t
applying ACLs to i
The ACL should be
an unwanted user fr
45. Which three statements
A symmetric algorit
It is impossible to c
samerouter.
Special-purpose cli
me in global configuration mode
on a vty line
up in global configuration mode
on a vty line
ncryption in global configuration mode
rsa in global configuration mode
o create a user account with custom access t
ands. Which privilege command is used to c
l 0
l 1
l 2
l 15
administrator has configured a standard AC
rial 0/0/0 in the outbound direction. What ha
0/0/0 that does not match the configured AC
tion is determined by the destination IP addr
tion is determined by the destination IP addr
dress is checked and, if a match is not foun
ial 0/0/1.
pped
bes configuring ACLs to control Telnet traffi
plied to each vty line individually.
to the Telnet port with the ip access-group c
e vty lines without the in or out option requir
terfaces.
applied to all vty lines in the in direction to p
m connecting to an unsecured port.
describe SSL-based VPNs? (Choose three.)
hms are used for authentication and key exc
nfigure SSL and IPsec VPNs concurrently o
nt software is required on the client machine
most
reate this
on R1 and
pens to traffic
statements?
ss.
ss and
, traffic is routed
destined to the
mmand.
d when
revent
ange.
n the
.
Symmetric algorith
The authentication
The application pro
SSLclient software.
The primary restrict
hardware.
46.
Refer to the exhibit. W
statements?
The authentication
The authentication
The local database i
to the router.
If the TACACS+ A
session with the rou
If the TACACS+ A
authenticated using
47. Which two Cisco IPS m
centrally managed IPS s
Cisco Adaptive
Cisco IPS Devic
Cisco Router an
Cisco Security
Cisco Security
48.
Refer to the exhibit. Wh
The client is author
The client is author
The client is authen
The client is authen
s are used for bulk encryption.
rocess uses hashing technologies.
ramming interface is used to extensively m
ion of SSL VPNs is that they are currently s
at information can be obtained from the AA
ethod list used for Telnet is named ACCES
ethod list used by the console port is named
s checked first when authenticating console a
A server is not available, no users can estab
ter.
A server is not available, console access to t
the local database.
anagement and monitoring tools are exampl
olutions? (Choose two.)
ecurity Device Manager
e Manager
Security Device Manager
anager
onitoring, Analysis, and Response System.
ich AAA function and protocol is in use in t
izing commands using the TACACS+ protoc
izing commands using the RADIUS protocol
ticating using the RADIUS protocol.
ticating using the TACACS+ protocol
dify the
pported only in
A configuration
.
ACCESS.
nd Telnet access
lish a Telnet
he router can be
s of GUI-based,
e network?
l.
.
49. Which three OSI layers
Layer 2
Layer 3
Layer 4
Layer 5
Layer 6
Layer 7
50.
Refer to the exhibit. Ba
signature take if an atta
Reset the TCP c
Drop the packet
Generate an alar
Drop the packet
Create an ACL t
51. Which three switch sec
port so that it will dyna
host with any other M
switchport mode
switchport mode t
switchport port-se
switchport port-se
switchport port-se
switchport port-se
52. Which statement descri
After the wizard ide
feature must be use
After the wizard ide
relatedconfiguration
The wizard autosen
to determine possibl
The wizard is based
The wizard is enabl
53. Which component of A
can be filtered by a stateful firewall? (Choo
sed on the SDM screen shown, which two act
k is detected? (Choose two.)
nnection to terminate the TCP flow.
nd all future packets from this TCP flow.
message that can be sent to a syslog server.
nd permit remaining packets from this TCP
at denies traffic from the attacker IP address
urity commands are required to enable port s
ically learn a single MAC address and disa
C address is connected? (Choose three.)
ccess
runk
urity
curity maximum 2
urity mac-address sticky
curity mac-address mac-address
es the SDM Security Audit wizard?
ntifies the vulnerabilities, the SDM One-Step
to make all security-related configuration ch
tifies the vulnerabilities, it automatically ma
changes.
es the inside trusted and outside untrusted in
security problems that might exist.
on the Cisco IOS AutoSecure feature.
d using the Intrusion Prevention task.
AA is used to determine which resources a u
e three.)
ions will the
flow.
.
curity on a
le the port if a
Lockdown
anges.
kes all security-
terfaces
ser can access
and which operations t
Auditing
accounting
authorization
authentication
54. Which two protocols al
(Choose two.)
FTP
HTTPS
SDEE
SSH
Syslog
TFTP
55.
Refer to the exhibit. W
aaa accounting
aaa accounting
aaa accounting
aaa accounting
aaa accounting
aaa accounting
56. What is a feature of the
It combines authent
It encrypts the entire
It utilizes UDP to p
It hides passwords
in plain text.
57.
e user is allowed to perform?
low SDM to gather IPS alerts from a Cisco I
ich AAA command logs the activity of a PP
onnection start-stop group radius
onnection start-stop group tacacs+
xec start-stop group radius
xec start-stop group tacacs+
etwork start-stop group radius
etwork start-stop group tacacs+
TACACS+ protocol?
ication and authorization as one process.
body of the packet for more secure commun
ovide more efficient packet transfer.
uring transmission using PAP and sends the
R router?
P session?
ications.
rest of the packet
Refer to the exhibit. W
CBAC configuration on
R1(config)# in
R1(config-if)#
R1(config-if)#
R1(config)# in
R1(config-if)#
R1(config-if)#
R1(config)# in
R1(config-if)#
R1(config-if)#
R1(config)# in
R1(config-if)#
R1(config-if)#
R1(config)# int
R1(config-if)#
R1(config-if)#
58.
Refer to the exhibit. W
CBAC firewall
reflexive ACL fire
zone-based policy
AAA access contr
59. Which Cisco IOS privil
IOS image and configu
Router# dir
Router# show a
Router# show se
Router# show fl
60. Which device supports
Cisco NAC
Cisco IronPort
Cisco Security Ag
Cisco Catalyst sw
ich interface configuration completes the
router R1?
terface fa0/0
ip inspect INSIDE in
ip access-group OUTBOUND in
terface fa0/1
ip inspect INSIDE in
ip access-group OUTBOUND in
terface fa0/1
ip inspect OUTBOUND in
ip access-group INSIDE out
terface fa0/0
ip inspect OUTBOUND in
ip access-group INSIDE in
erface fa0/1
ip inspect OUTBOUND in
ip access-group INSIDE in
ich Cisco IOS security feature is implement
all
irewall
l firewall
eged EXEC command can be used to verify
ration files have been properly backed up an
chive
cure bootset
sh
the use of SPAN to enable monitoring of ma
ent
itch
d on router R2?
hat the Cisco
secured?
licious activity?
61. Which three statements
interface behavior and t
three.)
An interface can be
Interfaces can be as
Pass, inspect, and dr
If traffic is to flow
member of a zone.
Traffic is implicitly
members of the sa
To permit traffic to
or inspecting traffic
62.
Refer to the exhibit. Ba
drawn about the IKE p
It will use digit
It will use apre
It will use a ve
It will be the d
63. The use of 3DES withi
IPsec building blocks?
authentication
confidentiality
Diffie-Hellman
integrity
nonrepudiation
64. Which statement descri
It uses IPsec to esta
It uses sophisticated
network.
It calculates shared
It uses TCP port 50
describe zone-based policy firewall rules tha
he traffic moving between zone member inte
assigned to multiple security zones.
signed to a zone before the zone is created.
op options can only be applied between two
etween all interfaces in a router, each interfa
prevented from flowing by default among in
e zone.
and from a zone member interface, a policy
must be configured between that zone and a
sed on the SDM screen shown, which two co
licy being configured? (Choose two.)
al certificates for authentication.
defined key for authentication.
ry strong encryption algorithm.
fault policy with the highest priority.
the IPsec framework is an example of whic
bes the operation of the IKE protocol?
lish the key exchange process.
hashing algorithms to transmit keys directly
eys based on the exchange of a series of dat
to exchange IKE information between the se
govern
faces? (Choose
zones.
e must be a
terfaces that are
llowing
y other zone.
clusions can be
of the five
across a
a packets.
urity gateways
65. Which three types of vi
Access feature? (Choo
superuser view
root view
superview
CLI view
admin view
config view
66. Which statement descri
An attacker alters th
host.
Frames flood the L
performance.
The attacking host
force spanning-tree
A software tool flo
source and destinati
67. When configuring a cla
criteria applied when u
Traffic must mat
Traffic must mat
Traffic must mat
Traffic must mat
68. Which three statements
command authorization
There is no access
The root user must
Commands set on
users.
Views are required
Creating a user acc
tedious process.
It is required that al
69. What is an important di
prevention?
Host-based IPS is
Host-based IPS can
Network-based IPS
dataflows.
ews are available when configuring the Role
e three.)
bes a MAC address table overflow attack?
e MAC address in a frame to match the addre
N, creating excessive traffic and degrading
roadcasts STP configuration and topology c
recalculations.
ds a switch with frames containing randoml
n MAC and IP addresses.
ss map for zone-based policy firewall, how a
ing the match-all parameter?
h all of the match criteria specified in the st
h the first criteria in the statement.
h at least one of the match criteria statement
h according to an exclusive disjunction crite
describe limitations in using privilege levels
? (Choose three.)
ontrol to specific interfaces on a router.
be assigned to each privilege level defined.
higher privilege level are not available for l
to define the CLI commands that each user c
unt that needs access to most but not all co
l 16 privilege levels be defined, whether the
fference between network-based and host-ba
ore scalable than network-based IPS.
work in promiscuous mode or inline mode.
is better suited for inspection of SSL and TL
-Based CLI
ss of a target
etwork
ange BPDUs to
generated
re the match
tement.
s.
ria.
for assigning
wer privileged
an access.
mands can be a
are used or not.
sed intrusion
S encrypted
Network-based IPS
on hosts and servers.
Network-based IPS
specialized software
70.
Refer to the exhibit. Ba
router R1, which three
(Choose three.)
A copy of the Ci
A copy of the ro
The Cisco IOS i
deleted.
The Cisco IOS i
is issued on R1.
The copy tftp fla
The secure boot-
71. Which element of the C
against attempts to attac
vulnerabilities?
threat control for
threat control for
threat control for
threat control for
72.
Refer to the exhibit. Ba
conclusions can be dra
provides better protection against OS kernel-
an provide protection to hosts without the n
on each one.
sed on the output from the show secure boot
onclusions can be drawn regarding Cisco I
co IOS image file has been made.
ter configuration file has been made.
age file is hidden and cannot be copied, mo
age filename will be listed when the show f
h command was issued on R1.
onfig command was issued on R1.
isco Threat Control and Containment solutio
k servers by exploiting application and oper
email
endpoints
infrastructure
systems
sed on the SDM NTP Server Details screen,
n from the information entered and check b
level attacks
ed of installing
et command on
S Resilience?
ified, or
lash command
defends
ting system
which two
xes checked?
(Choose two.)
NTPv1 is being c
The IP address o
The IP address o
NTP messages w
router.
NTP routing upd
NTP server.
73. Which two statements
two.)
To conduct an acce
server password.
To conduct an acce
network traffic.
To conduct a recon
a targeted server.
To conduct a DoS a
a Windows server p
To conduct a DoS at
number of ICMP re
To conduct a recon
causing the server t
unresponsive.
74. The use of which two o
AH protocols for
Diffie-Hellman to
IKE to negotiate t
PKI for pre-share
SHA for encrypti
75. Which three security se
authenticates the s
authenticates the d
guarantees data h
provides nonrepu
provides nonrepu
provides confiden
76. Which three statements
router? (Choose three.)
Place generic ACL
onfigured.
the NTP server is 10.1.1.2.
the NTP client is 10.1.1.2.
ill be sent and received on interface Serial0/
tes will be sent and received on interface Se
atch a type of attack with an appropriate ex
s attack, an attacker uses L0phtCrack to obt
s attack, an attacker uses Wireshark to captu
aissance attack, an attacker initiates a ping o
tack, an attacker uses handler systems and z
assword.
tack, an attacker initiates a smurf attack by s
uests to directed broadcast addresses.
aissance attack, an attacker creates a TCP S
spawn many half-open connections and bec
ptions are required for IPsec operation? (Ch
ncryption and authentication
stablish a shared-secret key
e SA
-key authentication
n
rvices are provided by digital signatures? (C
urce
estination
s not changed in transit
iation of transactions
iation using HMAC functions
iality of digitally signed data
should be considered when applying ACLs t
ntries at the top of the ACL.
/0 for this
rial0/0/0 of the
mple? (Choose
in a Windows
re interesting
f death attack to
mbies to obtain
nding a large
N flood
ome
ose two.)
oose three.)
o a Cisco
Place more specific
Router-generated p
ACLs always searc
action.
A maximum of thre
(in or out).
An access list appli
traffic to pass.
77. Which consideration is
Enable the highest l
messages.
Log all messages to
when accessing the r
Synchronize clocks
Protocol.
Use SSH to access s
Source: http://www.
ACL entries at the top of the ACL.
ckets pass through ACLs on the router with
for the most specific entry before taking an
e IP access lists can be assigned to an interfa
d to any interface without a configured AC
important when implementing syslog in a ne
vel of syslog available to ensure logging of
the system buffer so that they can be display
outer.
n all network devices with a protocol such a
slog information.
cisconet.es
ut filtering.
filtering
e per direction
allows all
twork?
ll possible event
ed
s Network Time