SECURITY FINAL 1

1.

2 points

Which authentication method is available when specifying a method list for group policy lookup using the CCP Easy VPN Server wizard?

Active Directory

Kerberos

Certificate Authority

RADIUS

TACACS+

2.

2 points

Which two configuration requirements are needed for remote access VPNs using Cisco Easy VPN Server, but are not required for site-to-site VPNs? (Choose two.)

group policy lookup

IPsec translations

virtual template interface

IKE policies

transform sets

3.

3 points

Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)

Subsequent virtual login attempts from the user are blocked for 60 seconds

During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.

Subsequent console login attempts are blocked for 60 seconds.

A message is generated indicating the username and source IP address of the user.

During the quiet mode, an administrator can log in from host 172.16.1.2.

No user can log in virtually from any host for 60 seconds.

4.

2 points

What can be used as a VPN gateway when setting up a site-to-site VPN?

Cisco Catalyst switch

Cisco router

Cisco Unified Communications Manager

Cisco AnyConnect

5.

2 points

Which statement is true about the One-Step lockdown feature of the CCP Security Audit wizard?

It enables the Secure Copy Protocol (SCP).

It supports AAA configuration.

It enables TCP intercepts.

It sets an access class ACL on vty lines.

It provides an option for configuring SNMPv3 on all routers.

6.

2 points

Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality?

IPsec

symmetric

asymmetric

shared secret

7.

2 points

The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?

authentication

confidentiality

Diffie-Hellman

integrity

nonrepudiation

8.

2 points

Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?

The resulting action is determined by the destination IP address.

The resulting action is determined by the destination IP address and port number.

The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.

The traffic is dropped.

9.

2 points

Which access list statement permits HTTP traffic that is sourced from host 10.1.129.100 port 4300 and destined to host 192.168.30.10?

access-list 101 permit tcp any eq 4300

access-list 101 permit tcp 192.168.30.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255

access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.30.10 0.0.0.0 eq www

access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 4300 192.168.30.0 0.0.0.15 eq www

access-list 101 permit tcp host 192.168.30.10 eq 80 10.1.0.0 0.0.255.255 eq 4300

10.

3 points

Which three statements describe the IPsec protocol framework? (Choose three.)

AH uses IP protocol 51.

AH provides encryption and integrity.

AH provides integrity and authentication

ESP uses UDP protocol 50.

ESP requires both authentication and encryption.

ESP provides encryption, authentication, and integrity.

11.

3 points

Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)

There is no access control to specific interfaces on a router.

The root user must be assigned to each privilege level defined.

Commands set on a higher privilege level are not available for lower privileged users.

Views are required to define the CLI commands that each user can access.

Creating a user account that needs access to most but not all commands can be a tedious process.

It is required that all 16 privilege levels be defined, whether they are used or not.

12.

2 points

Which statement describes the operation of the IKE protocol?

It uses IPsec to establish the key exchange process.

It uses sophisticated hashing algorithms to transmit keys directly across a network.

It calculates shared keys based on the exchange of a series of data packets.

It uses TCP port 50 to exchange IKE information between the security gateways.

13.

2 points

Why does a worm poses a greater threat than a virus poses?

Worms run within a host program.

Worms are not detected by antivirus programs.

Worms directly attack the network devices.

Worms are more network-based than viruses are.

14.

2 points

Which set of Cisco IOS commands instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

R1(config)# ip ips signature-category R1(config-ips-category)# category all R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category R1(config-ips-category)# category ios_ips basic R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category R1(config-ips-category)# category all R1(config-ips-category-action)# no retired false

R1(config)# ip ips signature-category R1(config-ips-category)# category ios_ips basic R1(config-ips-category-action)# no retired false

15.

2 points

Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?

2

3

5

6

16.

2 points

A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?

authenticates a packet using the SHA algorithm only

authenticates a packet by a string match of the username or community string

authenticates a packet by using either the HMAC with MD5 method or the SHA method

authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms

17.

3 points

What are three common examples of AAA implementation on Cisco routers? (Choose three.)

authenticating administrator access to the router console port, auxiliary port, and vty ports

authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates

implementing command authorization with TACACS+

securing the router by locking down all unused services

tracking Cisco Netflow accounting statistics

18.

2 points

When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?

Configure the message encryption algorithm with the encryptiontype ISAKMP policy configuration command.

Configure the DH group identifier with the groupnumber ISAKMP policy configuration command.

Configure a hostname with the crypto isakmp identity hostname global configuration command.

Configure a PSK with the crypto isakmp key global configuration command.

19.

2 points

Which statement describes configuring ACLs to control Telnet traffic destined to the router itself?

The ACL must be applied to each vty line individually.

The ACL is applied to the Telnet port with the ip access-group command.

Apply the ACL to the vty lines without the in or out option required when applying ACLs to interfaces

The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to an unsecured port

20.

2 points

Which action best describes a MAC address spoofing attack?

altering the MAC address of an attacking host to match that of a legitimate host

bombarding a switch with fake source MAC addresses

forcing the election of a rogue root bridge

flooding the LAN with excessive traffic

21.

2 points

Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?

LAN storm

MAC address spoofing

MAC address table overflow

STP manipulation

VLAN attack

22.

2 points

Refer to the exhibit. What conclusion can be drawn from the exhibited window when it is displayed on a remote user computer screen?

The user has connected to a secure web server.

The user has established a client-based VPN connection.

The user has logged out of the AnyConnect VPN client.

The user is installing the AnyConnect VPN client.

The user is using a web browser to connect to a clientless SSL VPN.

23.

3 points

What are three characteristics of the ASA routed mode? (Choose three.)

This mode does not support VPNs, QoS, or DHCP Relay.

The interfaces of the ASA separate Layer 3 networks and require different IP addresses in different subnets.

It is the traditional firewall deployment mode.

NAT can be implemented between connected networks

This mode is referred to as a “bump in the wire.”

In this mode, the ASA is invisible to an attacker.

24.

2 points

When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?

The violation mode for the port is set to restrict.

The MAC address table is cleared, and the new MAC address is entered into the table.

The port remains enabled, but the bandwidth is throttled until the old MAC addresses are aged out.

The port is shut down.

25.

2 points

When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?

topology-based switching

autonomous switching

process switching

optimum switching

26.

2 points

If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)

The port is disabled

The switch is rebooted

An SNMP log message is sent

The port is placed in a blocking state.

The switch forwards control traffic only.

27.

2 points

Refer to the exhibit. Which two statements are correct regarding the configuration on switch S1? (Choose two.)

Port Fa0/5 storm control for broadcasts will be activated if traffic exceeds 80.1 percent of the total bandwidth

Port Fa0/6 storm control for multicasts and broadcasts will be activated if traffic exceeds 2,000,000 packets per second.

Port Fa0/6 storm control for multicasts will be activated if traffic exceeds 2,000,000 packets per second.

Port Fa0/5 storm control for multicasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.

Port Fa0/5 storm control for broadcasts and multicasts will be activated if traffic exceeds 80.1 percent of 2,000,000 packets per second.

28.

2 points

What is a characteristic of AAA accounting?

Accounting can only be enabled for network connections.

Users are not required to be authenticated before AAA accounting logs their activities on the network.

Possible triggers for the aaa accounting exec default command include start-stop and stop-only.

Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.

29.

2 points

Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?

R1(config)# interface fa0/0 R1(config-if)# ip inspect INSIDE in R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1 R1(config-if)# ip inspect INSIDE in R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1 R1(config-if)# ip inspect OUTBOUND in R1(config-if)# ip access-group INSIDE out

R1(config)# interface fa0/0 R1(config-if)# ip inspect OUTBOUND in R1(config-if)# ip access-group INSIDE in

R1(config)# interface fa0/1 R1(config-if)# ip inspect OUTBOUND in R1(config-if)# ip access-group INSIDE in

30.

2 points

Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router using the password cisco123. What is a possible cause of the problem?

The Telnet connection between RouterA and RouterB is not working correctly.

The password cisco123 is wrong

The enable password and the Telnet password need to be the same.

The administrator does not have enough rights on the PC that is being used.