final ccna security a

Upload: espectra

Post on 05-Apr-2018


8/2/2019 Final Ccna Security A

Cisco CCNA Security, final exam.

1. What will be disabled as a result of the no service password-recovery command?
    - aaa new-model global configuration command
    - change to the configuration register
    - password encryption service
    - ability to access ROMmon

2. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
    - All vty ports are automatically configured for SSH to provide secure management.
    - The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys mo command.
    - The keys must be zeroized to reset secure shell before configuring other parameters.
    - The generated keys can be used by SSH.

3. Which action best describes a MAC address spoofing attack?
    - altering the MAC address of an attacking host to match that of a legitimate host
    - bombarding a switch with fake source MAC addresses
    - forcing the election of a rogue root bridge
    - flooding the LAN with excessive traffic

4. What functionality is provided by Cisco SPAN in a switched network?
    - It mitigates MAC address overflow attacks.
    - It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
    - It protects the switched network from receiving BPDUs on ports that should not be receiving them.
    - It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.
    - It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.

5. What precaution should be considered when the no service password-recovery command has been issued on an IOS device?
    - The passwords in the configuration files are in clear text.
    - IOS recovery requires a new system flash with the IOS image.
    - When the password is lost, access to the device will be terminated.
    - The device must use simple password authentication and cannot have user authentication.

6. A network technician is configuring SNMPv3 and has set a security level of auth.

   What is the effect of this setting?
    - Authenticates a packet using the SHA algorithm only.
    - Authenticates a packet by a string match of the username or community string.
    - Authenticates a packet by using either the HMAC with MD5 method or the SHA method.
    - Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms.

7. Refer to the exhibit. Which type of VPN is implemented?
    - remote-access GRE VPN
    - remote-access IPsec VPN
    - remote-access SSL VPN
    - site-to-site GRE VPN
    - site-to-site IPsec VPN
    - site-to-site SSL VPN

8. Router(config)# ntp authenticate
   Router(config)# ntp authentication-key 42 md5 aNiceKey
   Router(config)# ntp trusted-key 2
   Refer to the exhibit. What will be the effect of the commands that are shown on R1?
    - Authentication with the NTP master will be successful, and R1 will get the time from the NTP master.
    - Authentication with the NTP master will be successful, but R1 will not get the time from the NTP master.
    - Authentication with the NTP master will fail, and R1 will get the time from the NTP master.
    - Authentication with the NTP master will fail, and R1 will not get the time from the NTP master.

9. What login enhancement configuration command helps successive login DoS attacks?
    - exec-timeout
    - login block-for
    - privilege exec level
    - service password-encryption

10. What are access attacks?

    - attacks that prevent users from accessing network services
    - attacks that modify or corrupt traffic as that traffic travels across the network
    - attacks that exploit vulnerabilities to gain access to sensitive information
    - attacks that involve the unauthorized discovery and mapping of systems, services, and vulnerability

11. Nov 30 11:00:24 EST: %SYS-5-CONFIG-I: Configured from console by vty0 (10.64.2.2)
    Refer to the exhibit. An administrator is examining the message in a syslog server. What can be determined from the message?
    - This is a notification message for a normal but significant condition.
    - This is an alert message for which immediate action is needed.
    - This is an error message for which warning conditions exist.
    - This is an error message indicating the system is unusable.

12. Which three major subpolicies should comprise a comprehensive security policy that meets the security needs of a typical enterprise? (Choose three)
    - end-user policies
    - departmental policies
    - governing policies
    - human resource policies
    - organizational policies
    - technical policies

13. R1(config)# logging host 10.1.1.17
    R1(config)# logging trap errors
    R1(config)# logging source-interface loopback 0
    R1(config)# logging on
    Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
    - 2
    - 3
    - 5
    - 6

14. Which mitigation technique can help prevent MAC table overflow attacks?
    - root guard
    - BPDU guard
    - storm control
    - switchport security

15. An organization requires that individual users be authorized to issue specific Cisco IOS commands. Which AAA protocols support this requirement?
    - TACACS+ because it separates authentication and authorization, allowing for more customization.

    - RADIUS because it supports multiple protocols, including ARA and NetBEUI.
    - TACACS+ because it supports extensive accounting on a per-user or per-group basis.
    - RADIUS because it implements authentication and authorization as one process.

16. Refer to the exhibit. Based on the IPS configuration that is provided, which statement is true?
    - The signatures in all categories will be retired and not be used by the IPS.
    - The signatures in all categories will be compiled into memory and used by the IPS.
    - Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS.
    - The signatures in the ios_ips basic category will be retired and the remaining signatures will be compiled into memory and used by the IPS.

17. Refer to the exhibit. Based on the provided configuration, which traffic will be examined by the IPS that is configured on router R1?
    - traffic that is initiated from LAN 1 and LAN 2
    - http traffic that is initiated from LAN 1
    - return traffic from the web server
    - traffic that is destined to LAN 1 and LAN 2
    - no traffic will be inspected

18. Refer to the exhibit. An administrator is configuring ZPF using the SDM Basic Firewall Configuration wizard. Which command is generated after the administrator selects the Finish button?
    - zone security Out-zone on interface Fa0/0
    - zone security Out-zone on interface S0/0/0
    - zone member security Out-zone on interface Fa0/0
    - zone member security Out-zone on interface s0/0/0

19. Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two)
    - Multiple ACLs per protocol and per direction can be applied to an interface.
    - If an ACL contains no permit statements, all traffic is denied by default.
    - The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
    - Standard ACLs are placed closest to the source, whereas Extended ACLs are placed closest to the destination.
    - If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.

20. Which three statements are characteristics of the IPsec protocol? (Choose three)
    - IPsec is a framework of open standards.
    - IPsec is implemented at Layer 4 of the OSI model.
    - IPsec ensures data integrity by using a hash algorithm.
    - IPsec uses digital certificates to guarantee confidentiality.
    - IPsec is bound to specific encryption algorithms, such as 3DES and AES.
    - IPsec authenticates users and devices that communicate independently.

21. Which three additional precautions should be taken when remote access is required in addition to local access of networking devices? (Choose three)
    - A legal notice should not be displayed when access is obtained.
    - All activity to the specified ports that are required for access should be unrestricted.
    - All configuration activities should require the use of SSH or HTTPS.
    - All administrative traffic should be dedicated to the management network.

    - The number of failed login attempts should not be limited, but the time between attempts should.
    - Packet filtering should be required so that only identified administration hosts and protocols can gain access.

22. Which statement describes a factor to be considered when configuring a zone-based policy firewall?
    - An interface can belong to multiple zones.
    - The router always filters the traffic between interfaces in the same zone.
    - The CBAC ip inspect command can coexist with ZPF as long as it is used on interfaces that are in the same security zones.
    - A zone must be configured with the zone security global command before it can be used in the zone-member security command.

23. What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?
    - The Cisco IOS image file is not visible in the output of the show flash command.
    - The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.
    - The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
    - When the router boots up, the Cisco IOS image is loaded from a secure FTP location.

24. What are three common examples of AAA implementation on Cisco routers? (Choose three)
    - Authenticating administrator access to the router console port, and vty ports
    - Authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
    - Implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
    - Implementing command authorization with TACACS+
    - Securing the router by locking down all unused services
    - Tracking Cisco NetFlow accounting statistics

25. When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
    - The violation mode for the port is set to restrict.
    - The MAC address table is cleared, and the new MAC address is entered into the table.
    - The port remains enabled, but the bandwidth is throttled until the old MAC addresses are aged out.
    - The port is shut down.

26. Which three statements describe the IPsec protocol framework? (Choose three)
    - AH uses IP protocol 51.
    - AH provides encryption and integrity.
    - AH provides integrity and authentication.
    - ESP uses UDP protocol 50.
    - ESP requires both authentication and encryption.
    - ESP provides encryption, authentication, and integrity.

27. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
    - There is no access control to specific interfaces on a router.
    - The root user must be assigned to each privilege level defined.
    - Commands set on a higher privilege level are not available for lower privileged users.
    - Views are required to define the CLI commands that each user can access.
    - Creating a user account that needs access to most but not all commands can be a tedious process.
    - It is required that all 16 privilege levels be defined, whether they are used.

28. Which Cisco IOS configuration option instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?
    - R1(config)# ip ips signature-category
      R1(config-ips-category)# category all
      R1(config-ips-category-action)# retired false
    - R1(config)# ip ips signature-category
      R1(config-ips-category)# category ios_ips basic
      R1(config-ips-category-action)# retired false
    - R1(config)# ip ips signature-category
      R1(config-ips-category)# category all
      R1(config-ips-category-action)# enabled true
    - R1(config)# ip ips signature-category
      R1(config-ips-category)# category ios_ips basic
      R1(config-ips-category-action)# enabled true

29. Refer to the exhibit. An administrator has configured router R1 as indicated. However, SDEE messages fail to log. Which solution corrects this problem?
    - Issue the logging on command in global configuration.
    - Issue the ip ips notify sdee command in global configuration.
    - Issue the ip audit notify log command in global configuration.
    - Issue the clear ip ips sdee events command to clear the SDEE buffer.

30. Which three principles are enabled by a Cisco Self-Defending Network? (Choose three.)
    - adaptability
    - collaboration
    - insulation
    - integration
    - mitigation
    - scalability

31. What are two disadvantages of using network IPS? (Choose two.)
    - Network IPS has a difficult time reconstructing fragmented traffic to determine if an attack was successful.
    - Network IPS is incapable of examining encrypted traffic.
    - Network IPS is operating system-dependent and must be customized for each platform.
    - Network IPS is unable to provide a clear indication of the extent to which the network is being attacked.
    - Network IPS sensors are difficult to deploy when new networks are added.

32. Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?
    - access-list 101 permit tcp any eq 4300
    - access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255
    - access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www
    - access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www
    - access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

33. Which type of SDM rule is created to govern the traffic that can enter and leave the network based on protocol and port number?
    - NAC rule
    - NAT rule
    - IPsec rule
    - access rule

34. Refer to the exhibit. When configuring SSH on a router using SDM from the Configure menu, which two steps are required? (Choose two.)
    - Choose Additional Tasks > Router Access > SSH to generate the RSA keys.
    - Choose Additional Tasks > Router Access > VTY to specify SSH as the input and output protocol.
    - Choose Additional Tasks > Router Properties > Netflow to generate the RSA keys.
    - Choose Additional Tasks > Router Properties > Logging to specify SSH as the input and output protocol.
    - Choose Additional Tasks > Router Access > AAA to generate the RSA keys.
    - Choose Additional Tasks > Router Access > Management Access to specify SSH as the input and output protocol.

35. Refer to the exhibit. Which two statements are correct regarding the configuration on switch S1? (Choose two.)
    - Port Fa0/5 storm control for broadcasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
    - Port Fa0/6 storm control for multicasts and broadcasts will be activated if traffic exceeds 2,000,000 packets per second.
    - Port Fa0/6 storm control for multicasts will be activated if traffic exceeds 2,000,000 packets per second.
    - Port Fa0/5 storm control for multicasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
    - Port Fa0/5 storm control for broadcasts and multicasts will be activated if traffic exceeds 80.1 percent of 2,000,000 packets per second.

36. Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)
    - Subsequent virtual login attempts from the user are blocked for 60 seconds.

    - During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.
    - Subsequent console login attempts are blocked for 60 seconds.
    - A message is generated indicating the username and source IP address of the user.
    - During the quiet mode, an administrator can log in from host 172.16.1.2.
    - No user can log in virtually from any host for 60 seconds.

37. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?
    - LAN storm
    - MAC address spoofing
    - MAC address table overflow
    - STP manipulation
    - VLAN attack

38. What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
    - All vty ports are automatically configured for SSH to provide secure management.
    - The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys mo command.
    - The keys must be zeroized to reset secure shell before configuring other parameters.
    - The generated keys can be used by SSH.

39. An organization has mobile workers who use corporate-owned laptops at customer sites to view inventory and place orders. Which type of VPN allows these workers to securely access all of the client/server applications of the organization?
    - clientless SSL VPN
    - remote-access IPsec VPN
    - site-to-site IPsec VPN
    - HTTPS-enabled SSL VPN

40. Which two guidelines relate to in-band network management? (Choose two.)
    - Apply in-band management only to devices that must be managed on the production network.
    - Implement separate network segments for the production network and the management network.
    - Attach all network devices to the same management network.
    - Use IPSec, SSH, or SSL.

41. Which three commands are required to configure SSH on a Cisco router? (Choose three.)

    - ip domain-name name in global configuration mode
    - transport input ssh on a vty line
    - no ip domain-lookup in global configuration mode
    - password password on a vty line
    - service password-encryption in global configuration mode
    - crypto key generate rsa in global configuration mode

42. An administrator needs to create a user account with custom access to most privileged EXEC commands. Which privilege command is used to create this custom account?
    - privilege exec level 0
    - privilege exec level 1
    - privilege exec level 2
    - privilege exec level 15

43. Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
    - The resulting action is determined by the destination IP address.
    - The resulting action is determined by the destination IP address and port number.
    - The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.
    - The traffic is dropped.

44. Which statement describes configuring ACLs to control Telnet traffic destined to the router itself?
    - The ACL must be applied to each vty line individually.
    - The ACL is applied to the Telnet port with the ip access-group command.
    - Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces.
    - The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port.

45. Which three statements describe SSL-based VPNs? (Choose three.)
    - Asymmetric algorithms are used for authentication and key exchange.
    - It is impossible to configure SSL and IPsec VPNs concurrently on the same router.
    - Special-purpose client software is required on the client machine.

    - Symmetric algorithms are used for bulk encryption.
    - The authentication process uses hashing technologies.
    - The application programming interface is used to extensively modify the SSL client software.
    - The primary restriction of SSL VPNs is that they are currently supported only in hardware.

46. Refer to the exhibit. What information can be obtained from the AAA configuration statements?
    - The authentication method list used for Telnet is named ACCESS.
    - The authentication method list used by the console port is named ACCESS.
    - The local database is checked first when authenticating console and Telnet access to the router.
    - If the TACACS+ AAA server is not available, no users can establish a Telnet session with the router.
    - If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

47. Which two Cisco IPS management and monitoring tools are examples of GUI-based, centrally managed IPS solutions? (Choose two.)
    - Cisco Adaptive Security Device Manager
    - Cisco IPS Device Manager
    - Cisco Router and Security Device Manager
    - Cisco Security Manager
    - Cisco Security Monitoring, Analysis, and Response System

48. Refer to the exhibit. Which AAA function and protocol is in use in the network?
    - The client is authorizing commands using the TACACS+ protocol.
    - The client is authorizing commands using the RADIUS protocol.
    - The client is authenticating using the RADIUS protocol.
    - The client is authenticating using the TACACS+ protocol.

49. Which three OSI layers can be filtered by a stateful firewall? (Choose three.)
    - Layer 2
    - Layer 3
    - Layer 4
    - Layer 5
    - Layer 6
    - Layer 7

50. Refer to the exhibit. Based on the SDM screen shown, which two actions will the signature take if an attack is detected? (Choose two.)
    - Reset the TCP connection to terminate the TCP flow.
    - Drop the packet and all future packets from this TCP flow.
    - Generate an alarm message that can be sent to a syslog server.
    - Drop the packet and permit remaining packets from this TCP flow.
    - Create an ACL that denies traffic from the attacker IP address.

51. Which three switch security commands are required to enable port security on a port so that it will dynamically learn a single MAC address and disable the port if a host with any other MAC address is connected? (Choose three.)
    - switchport mode access
    - switchport mode trunk
    - switchport port-security
    - switchport port-security maximum 2
    - switchport port-security mac-address sticky
    - switchport port-security mac-address mac-address

52. Which statement describes the SDM Security Audit wizard?
    - After the wizard identifies the vulnerabilities, the SDM One-Step Lockdown feature must be used to make all security-related configuration changes.
    - After the wizard identifies the vulnerabilities, it automatically makes all security-related configuration changes.
    - The wizard autosenses the inside trusted and outside untrusted interfaces to determine possible security problems that might exist.
    - The wizard is based on the Cisco IOS AutoSecure feature.
    - The wizard is enabled using the Intrusion Prevention task.

53. Which component of AAA is used to determine which resources a user can access and which operations the user is allowed to perform?

    - Auditing
    - accounting
    - authorization
    - authentication

54. Which two protocols allow SDM to gather IPS alerts from a Cisco ISR router? (Choose two.)
    - FTP
    - HTTPS
    - SDEE
    - SSH
    - Syslog
    - TFTP

55. Refer to the exhibit. Which AAA command logs the activity of a PPP session?
    - aaa accounting connection start-stop group radius
    - aaa accounting connection start-stop group tacacs+
    - aaa accounting exec start-stop group radius
    - aaa accounting exec start-stop group tacacs+
    - aaa accounting network start-stop group radius
    - aaa accounting network start-stop group tacacs+

56. What is a feature of the TACACS+ protocol?
    - It combines authentication and authorization as one process.
    - It encrypts the entire body of the packet for more secure communications.
    - It utilizes UDP to provide more efficient packet transfer.
    - It hides passwords during transmission using PAP and sends the rest of the packet in plain text.

57.

    Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?
    - R1(config)# interface fa0/0
      R1(config-if)# ip inspect INSIDE in
      R1(config-if)# ip access-group OUTBOUND in
    - R1(config)# interface fa0/1
      R1(config-if)# ip inspect INSIDE in
      R1(config-if)# ip access-group OUTBOUND in
    - R1(config)# interface fa0/1
      R1(config-if)# ip inspect OUTBOUND in
      R1(config-if)# ip access-group INSIDE out
    - R1(config)# interface fa0/0
      R1(config-if)# ip inspect OUTBOUND in
      R1(config-if)# ip access-group INSIDE in
    - R1(config)# interface fa0/1
      R1(config-if)# ip inspect OUTBOUND in
      R1(config-if)# ip access-group INSIDE in

58. Refer to the exhibit. Which Cisco IOS security feature is implemented on router R2?
    - CBAC firewall
    - reflexive ACL firewall
    - zone-based policy firewall
    - AAA access control firewall

59. Which Cisco IOS privileged EXEC command can be used to verify that the Cisco IOS image and configuration files have been properly backed up and secured?
    - Router# dir
    - Router# show archive
    - Router# show secure bootset
    - Router# show flash

60. Which device supports the use of SPAN to enable monitoring of malicious activity?
    - Cisco NAC
    - Cisco IronPort
    - Cisco Security Agent
    - Cisco Catalyst switch

61. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)
    - An interface can be assigned to multiple security zones.
    - Interfaces can be assigned to a zone before the zone is created.
    - Pass, inspect, and drop options can only be applied between two zones.
    - If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.
    - Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.
    - To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

62. Refer to the exhibit. Based on the SDM screen shown, which two conclusions can be drawn about the IKE policy being configured? (Choose two.)
    - It will use digital certificates for authentication.
    - It will use a predefined key for authentication.
    - It will use a very strong encryption algorithm.
    - It will be the default policy with the highest priority.

63. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?
    - authentication
    - confidentiality
    - Diffie-Hellman
    - integrity
    - nonrepudiation

64. Which statement describes the operation of the IKE protocol?
    - It uses IPsec to establish the key exchange process.
    - It uses sophisticated hashing algorithms to transmit keys directly across a network.
    - It calculates shared keys based on the exchange of a series of data packets.
    - It uses TCP port 50 to exchange IKE information between the security gateways.

65. Which three types of views are available when configuring the Role-Based CLI Access feature? (Choose three.)
    - superuser view
    - root view
    - superview
    - CLI view
    - admin view
    - config view

66. Which statement describes a MAC address table overflow attack?
    - An attacker alters the MAC address in a frame to match the address of a target host.
    - Frames flood the LAN, creating excessive traffic and degrading network performance.
    - The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations.
    - A software tool floods a switch with frames containing randomly generated source and destination MAC and IP addresses.

67. When configuring a class map for zone-based policy firewall, how are the match criteria applied when using the match-all parameter?
    - Traffic must match all of the match criteria specified in the statement.
    - Traffic must match the first criteria in the statement.
    - Traffic must match at least one of the match criteria statements.
    - Traffic must match according to an exclusive disjunction criteria.

68. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
    - There is no access control to specific interfaces on a router.
    - The root user must be assigned to each privilege level defined.
    - Commands set on a higher privilege level are not available for lower privileged users.
    - Views are required to define the CLI commands that each user can access.
    - Creating a user account that needs access to most but not all commands can be a tedious process.
    - It is required that all 16 privilege levels be defined, whether they are used.

69. What is an important difference between network-based and host-based intrusion prevention?
    - Host-based IPS is more scalable than network-based IPS.
    - Host-based IPS can work in promiscuous mode or inline mode.
    - Network-based IPS is better suited for inspection of SSL and TLS data flows.

    for assigning

    wer privileged

    an access.mands can be a

    are usedor not.

    sedintrusion

    S encrypted


        Network-based IPS provides better protection against OS kernel-level attacks on hosts and servers.
        Network-based IPS can provide protection to hosts without the need of installing specialized software on each one.

    70. Refer to the exhibit. Based on the output from the show secure bootset command on router R1, which three conclusions can be drawn regarding Cisco IOS Resilience? (Choose three.)
        A copy of the Cisco IOS image file has been made.
        A copy of the router configuration file has been made.
        The Cisco IOS image file is hidden and cannot be copied, modified, or deleted.
        The Cisco IOS image filename will be listed when the show flash command is issued on R1.
        The copy tftp flash command was issued on R1.
        The secure boot-config command was issued on R1.

    71. Which element of the Cisco Threat Control and Containment solution defends against attempts to attack servers by exploiting application and operating system vulnerabilities?
        threat control for email
        threat control for endpoints
        threat control for infrastructure
        threat control for systems

    72. Refer to the exhibit. Based on the SDM NTP Server Details screen, which two conclusions can be drawn from the information entered and check boxes checked?


    (Choose two.)
        NTPv1 is being configured.
        The IP address of the NTP server is 10.1.1.2.
        The IP address of the NTP client is 10.1.1.2.
        NTP messages will be sent and received on interface Serial0/0/0 for this router.
        NTP routing updates will be sent and received on interface Serial0/0/0 of the NTP server.

    73. Which two statements match a type of attack with an appropriate example? (Choose two.)
        To conduct an access attack, an attacker uses L0phtCrack to obtain a Windows server password.
        To conduct an access attack, an attacker uses Wireshark to capture interesting network traffic.
        To conduct a reconnaissance attack, an attacker initiates a ping of death attack to a targeted server.
        To conduct a DoS attack, an attacker uses handler systems and zombies to obtain a Windows server password.
        To conduct a DoS attack, an attacker initiates a smurf attack by sending a large number of ICMP requests to directed broadcast addresses.
        To conduct a reconnaissance attack, an attacker creates a TCP SYN flood causing the server to spawn many half-open connections and become unresponsive.

    74. The use of which two options are required for IPsec operation? (Choose two.)
        AH protocols for encryption and authentication
        Diffie-Hellman to establish a shared-secret key
        IKE to negotiate the SA
        PKI for pre-shared-key authentication
        SHA for encryption

    75. Which three security services are provided by digital signatures? (Choose three.)
        authenticates the source
        authenticates the destination
        guarantees data has not changed in transit
        provides nonrepudiation of transactions
        provides nonrepudiation using HMAC functions
        provides confidentiality of digitally signed data

    76. Which three statements should be considered when applying ACLs to a Cisco router? (Choose three.)
        Place generic ACL entries at the top of the ACL.


        Place more specific ACL entries at the top of the ACL.
        Router-generated packets pass through ACLs on the router without filtering.
        ACLs always search for the most specific entry before taking any filtering action.
        A maximum of three IP access lists can be assigned to an interface per direction (in or out).
        An access list applied to any interface without a configured ACL allows all traffic to pass.

    77. Which consideration is important when implementing syslog in a network?
        Enable the highest level of syslog available to ensure logging of all possible event messages.
        Log all messages to the system buffer so that they can be displayed when accessing the router.
        Synchronize clocks on all network devices with a protocol such as Network Time Protocol.
        Use SSH to access syslog information.

    Source: http://www.cisconet.es