Secure I-50

1.

1 point

What is the result of configuring the command dotlx system-auth-control on a Cisco Catalyst switch?

enables the switch to operate as the 802.1X supplicant

globally enables 802.1X and defines ports as 802.1X-capable

globally enables 802.1X on the switch

places the configuration sub-mode into dotix-auth mode, in which you can identify the authentication server parameters

2.

1 point

which define the security protection features of the control plane of the Cisco layer 2/3 multilayer Catalyst switches?

port security

BPDU guard

VLAN ACLs

VTP authentication

routing protocol filtering

routing protocol authentication

3.

1 point

Refer to the IMAGE 27. Based on the partial configuration shown, which the GET VPN group member
GDOI configuration?

local priority

mapping of the IPsec profile to the IPsec SA

key server IP address

mapping of the IPsec transform set to the GDOI group

4.

1 point

Refer to IMAGE 3. Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (2)

If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.

Clients will be assigned IP addresses in the 10.10.0.0/16 range.

Client based full tunnel access has been enabled.

Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.

The end-user Cisco AnyConnect VPN software will remain installed on the end system

5.

1 point

Refer to the IMAGE 17. The INSIDE zone has been configured and assigned to two separate router
interfaces. All other zones and interfaces have been properly configured. Given the configuration
example shown, what can be determined?

Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.

This policy configuration is not needed, traffic within the same zone is allowed to pass by default.

If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.

This is an illegal configuration. You cannot have the same source and destination zones

6.

1 point

You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?

The time stamp of the message shows that it is one day old. This could indicate a possible mismatch of system clocks and invalidate the connection attempt.

This indicates a policy mismatch

This indicates that the offered attributes did not contain a payload.

IKE has failed initial attempts and will resend policy offerings to the peer router.

7.

1 point

Refer to the IMAGE 32. What can be determined from the output of this show command?

The interface is configured for Private VLAN Edge.

The switch port interface is not a trusted port.

The switch port interface is enabled and operating as a community port

The interface is acting as an isolated switch port operating in VLAN 1.

8.

1 point

Which information is displayed when you enter the Cisco IOS command show epm session?

Encrypted Policy Management sessions

Enhanced Protected Mode sessions

Enforcement Policy Module sessions

External Proxy Mappings, per authenticated sessions

9.

1 point

When using Cisco Easy VPN, what are the three options for entering an XAUTH username and
password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose
three.)

storing the XAUTH credentials in the router configuration file

using the router local user database

entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode

using an external AAA server

entering the information from the PC via a browser

10.

1 point

Features of the Cisco Secure ACS when implementing 802.1x

endpoint posture assesment

time-based access

ACL management

VLAN Assigment

provisioning for stateful packet filtering ACLs at the switch port level

11.

1 point

Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)

fail open mode

interzone mode

routed mode

inspection mode

transparent mode

12.

1 point

Which of these is an implementation guideline when deploying the IP Source Guard feature in an environment with multiple switches?

Do not configure IP Source Guard on interswitch links

IP Source Guard must be configured in the trunk subconfiguration mode to work on interswitch links.

Configure PACLs for DHCP-addressed end devices.

Configure static IP Source Guard mapping for all access ports.

13.

1 point

Which Cisco IOS IPS feature allows to you remove one or more actions from all active signatures
based on the attacker and/or target address criteria, as well as the event risk rating criteria?

signature event risk rating

signature event action filters

signature attack severity rating

signature event action overrides

14.

1 point

A user has requested a connection to an external website. After initiating the connection, a message appears in the user's browser stating that access to the requested website has been
denied by the company usage policy. What is the most likely reason for this message to appear?

The network has been configured with a URL filtering service.

An antivirus software program has blocked the session request due to potential malicious content.

The network has been configured for 802.1X authentication and the user has failed to authenticate

The user's configured policy access level does not contain proper permissions

15.

1 point

Which statement best describes inside policy based NAT?

Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy

These rules use source addresses as the decision for translation policies.

Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.

These rules are sensitive to all communicating endpoints.

16.

1 point

Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?

event action override

signature event action processor

event action summarization

event action filter

17.

1 point

When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?

TACACS+

MAB

EAPOL

RADIUS

18.

1 point

1 show crypto map
2 show crypto isakmp sa
3 clear crypto sa
4 show crypto isakmp policy
5 clear crypto isakmp
6 show crypto ipsec sa
7 show crypto ipsec transform-set

a Delete IPsec security association
b Verify cryptographic configurations and show SA lifetimes
c Verify the IPsec protection policy settings
d Verify current IPsec settings in use by the SAs
e Clear active IKE connections

19.

1 point

Refer to the IMAGE 46. Given the partial configuration shown, what can be determined.

Addresses in the 10.10.30.0 network will be exempt from translation when destined for the 10.100.100.0 network.

This is an example of a static policy NAT rule.

The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network to the 10.100.100.0 network

This is an example of a dynamic policy PAT rule.

20.

1 point

Which of these is a result of using the same routing protocol process for routing outside and inside
the VPN tunnel?

This will allow VPN-encapsulated packets to be routed out the correct physical interface used to reach the remote peer

This will provide for routing-protocol-based failover redundancy

Spoke routers will able to dynamically learn routes to peer networks.

The tunnel will constantly flap.

21.

1 point

Which action does the command private-vlan association 100,200 take?

configures VLANs 100 and 200 and associates them as a community

associates VLANs 100 and 200 with the primary VLA

creates two private VLANs with the designation of VLAN 100 and VLAN 200

assigns VLANs 100 and 200 as an association of private VLANs

22.

1 point

What does the command errdisable recovery cause arp-inspection interval 300 provide for?

It will inspect for ARP-disabled ports every 300 seconds.

It will disable a port when the ARP rate limit of 300 packets per second is received and wait a configured interval time before placing the port back in normal operation.

It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential ARP attacks from reoccurring.

It will recover a disabled port due to an ARP inspection condition in 5 minutes.

23.

1 point

Refer to the IMAGE 43. What can be determined from the configuration shown?

This SNMP group will only allow read access to interface MIBs.

The community SNMP string is SNMP-MGMT-VIEW.

The SNMP server group is using 128-bit SHA authentication.

All interfaces will be included in the SNMP GETs.

24.

1 point

Which represent mitigation techniques for VLAN hopping

disable DTP

use static access ports

disable VTP

avoid trunk antive VLAN on access ports

use BPDU port guard

25.

1 point

When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?

All sessions will pass through the zone without being inspected.

This configuration statelessly allows packets to be delivered to the destination zone.

All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.

All sessions will be denied between these two zones by default.

26.

1 point

Refer to IMAGE 10. What can be determined about the IPS category configuration shown?

All categories are retired

All categories are disabled.

After all other categories were disabled, a custom category named "os ios" was created

Only attacks on the Cisco IOS system result in preventative actions.

27.

1 point

Which two of these are benefits of implementing a zone-based policy firewall in transparent mode

Less firewall management is needed.

It has less impact on data flows.

IP readdressing is unnecessary.

It adds the ability to statefully inspect non-IP traffic.

It can be easily introduced into an existing network.

28.

1 point

When is it most appropriate to choose IPS functionality based on Cisco IOS software?

when traffic rates are low and a complete signature is not required

when accelerated, integrated performance is required using hardware ASIC-based IPS inspections

when promiscuous inspection meets security requirements

when integrated policy virtualization is required

29.

1 point

Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which additional command keyword should be added if you would like to use these keys on another router or have the ability to back them up to another device?

on:USB smart-token

redundancy

usage-keys

exportable

30.

1 point

When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?

They are stored in the router's event store and will allow authenticated remote systems to pull events from the event store.

When the event store reaches its maximum configured number of event notifications, the stored events are sent via SDEE to a remote authenticated server and a new event store is created.

Events are sent via syslog over a secure SSUTLS communications channel

All events are immediately sent to the remote SDEE server.

31.

1 point

Which of these is correct regarding the configuration of virtual-access interfaces?

They cannot be saved to the startup configuration.

You must use static routes inside the tunnels.

The Virtual-Access 1 interface must be enabled in an up/up state administratively

DVTI interfaces should be assigned a unique IP address range.

32.

1 point

You have configured Management Plane Protection on an interface on a Cisco router. What is the
resulting action on implementing MPP?

Inspection of protected management interfaces is automatically configured to ensure that management protocols comply with standards.

Along with normal user data traffic, management traffic is also allowed only on the protected interface.

Only management protocols are allowed on the protected interface.

The router gives preference to the configured management interface. If that interface becomes unavailable, management protocols will be allowed on alternate interfaces.

33.

1 point

Which best define app inspection and control benefits

filtering inside the protocol and its related content

in-memory reassembly of Layer 4 (TCP UDP) sessions to obtain the sequential stream of bytes exchanged between hosts

dropping application layer protocol units that do not conform to protocol standard

an application-aware method of filtering that works on OSI layers 3 and 4

34.

1 point

Which two of these will match a regular expression with the following configuration parameters?
[a-zA-Z][0-9][a-z] (Choose two.)

aaB132AA

Q3h

c7lm

BBpjnrIT

B4Mn

35.

1 point

NAT IMAGE 39

36.

1 point

Refer to IMAGE 6. What can be determined from the output of this show command?

The IKE status is authenticated.

IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.

The IKE association is in the process of being set up.

The IPsec connection is in an idle state.

The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers

37.

1 point

You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events on your monitoring system (such as Cisco IME). On the router, you see events being captured. What is the next step in troubleshooting the problem?

verify that syslog is configured to send events to the correct server

verify event action rules

verify SDEE communications

verify that the IPS license is valid

38.

1 point

Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN
hub router?

Only one tunnel can be created per tunnel source interface.

The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.

You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy

39.

1 point

Which command will enable a SCEP interface when you are configuring a Cisco router to be a
certificate server?

ip http server

seep enable (under interface configuration mode)

crypto pki seep enable

grant auto

40.

1 point

Refer to the IMAGE 34- Given the output shown, what can be determined?

The MAC address has matched a deny rule within the ACL.

This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination

An attacker has sent a spoofed ARP response that violates a static mapping.

An attacker has sent a spoofed DHCP address.

41.

1 point

You are running Cisco lOS IPS software on your edge router. A new threat has become an issue. The Cisco lOS IPS software has a signature that can address the new threat, but you previously retired the signature. You decide to unretire that signature to regain the desired protection level. How should you act on your decision?

You should re-enable the signature and start inspecting traffic for signs of the new threat.

Unretiring a signature will cause the router to recompile the signature database, which can temporarily affect performance

Retired signatures are not present in the routers memory. You will need to download a new signature package to regain the retired signature.

You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom signature until you can download a new signature package and reload the router

42.

1 point

When performing NAT, which of these is a limitation you need to account for?

exhaustion of port number translations

security payload identifiers

inability to provide mutual connectivity to networks with overlapping address spaces

embedded IP addresses

43.

1 point

Refer to the IMAGE 28. Given the partial configuration shown, which two statements are correct?
(Choose two.)

The IP route statement to reach the remote network behind the DMVPN peer is incorrect, it should be ip route 192.168.2.0 255.255.255.0 tunnel 0.

This is an example of a static point-to-point VTI tunnel.

The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.

The tunnel will use 128-bit AES encryption in ESP tunnel mode.

The tunnel will use the routing protocol configured for GigabitEthemet 1/1 for all tunnel communication with the peer

44.

1 point

Refer to IMAGE 1. Given the partial output of the debug command, what can be determined?

There is no ID payload in the packet, as indicated by the message ID = 0.

This is an IKE quick mode negotiation.

The peer has not matched any offered profiles.

This is normal output of a successful Phase 1 IKE exchange.

45.

1 point

Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts
to exhaust critical router resources and if preventative controls have been bypassed or are not
working correctly?

Control Plane Protection

Management Plane Protection

CPU and memory thresholding

SNMPv3

46.

1 point

Refer to the IMAGE 37. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?

The local user password is thl3F4ftvA.

The router will forward authentication requests to a AAA server for authentication and authorization.

The attribute type supplicant-group "SUPERUSER" configuration can be used to match criteria in the "inspect" class-map type using the match access-group option.

The router will intercept incoming HTTP sessions on interface G0/0 for authentication.

The SUPERUSER's privilege level is being restricted.

47.

1 point

You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?

run a traceroute to verify the tunnel path

debug the connection process and look for any error messages in tunnel establishment

ping the tunnel endpoint

issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints

48.

1 point

You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec polices exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem?

issue a ping from the client to the router to verify reachability

examine routing tables

verify that the router is able to assign an IP address to the client

verify that the router is not denying traffic from the tunnel

49.

1 point

What information you should collect prior to deploying 802.1x auth in a Cisco IBNS environment (4)

Existing user credentials

Existing transport protocols used in the environment

Existing list of LAN switches

Trustworthiness of the existing transport network

Existing Automated software deployment mechanisms

Existing addressing escheme

50.

1 point

When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updates from being installed on the router?

manually import signature updates from Cisco to a secure server, and then transfer files from the secure server to the router

use the SDEE protocol for all signature updates from a known secure management station

configure authentication and authorization for maintaining signature updates

install a known RSA public key that correlates to a private key used by Cisco