Test 1

1.

1 point

What are purposes of the Internet Key Exchange in an IPsec VPN? (Choose two.)

The Internet Key Exchange protocol establishes security associations

The Internet Key Exchange protocol provides replay detection

The Internet Key Exchange protocol provides data confidentiality

The Internet Key Exchange protocol is responsible for mutual authentication

2.

1 point

Which syslog level is associated with LOG_WARNING?

3

2

6

4

1

5

3.

1 point

Which TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.)

ASCII

MS-CHAPv2

MS-CHAPv1

EAP

PAP

PEAP

4.

1 point

Which security zone is automatically defined by the system?

The inside zone

The source zone

The destination zone

The self zone

5.

1 point

How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?

Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode

Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode

Issue the command anyconnect keep-installer installed in the global configuration

Issue the command anyconnect keep-installer under the group policy or username webvpn mode

6.

1 point

Which of the following statements about access lists are true? (Choose three.)

Extended access lists should be placed as near as possible to the destination

Standard access lists should be placed as near as possible to the destination

Standard access lists filter on the source address

Standard access lists should be placed as near as possible to the source

Standard access lists filter on the destination address

Extended access lists should be placed as near as possible to the source

7.

1 point

Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)

IP source guard

Dynamic ARP inspection

Port security

DHCP snooping

8.

1 point

Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)

Smart tunnels offer better performance than port forwarding

Smart tunnels support all operating systems

Smart tunnels can be used by clients that do not have administrator privileges

Smart tunnels require the client to have the application installed locally

9.

1 point

What features can protect the data plane? (Choose three.)

QoS

antispoofing

IPS

DHCP-snooping

policing

ACLs

10.

1 point

Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)

PAP

ASCII

MS-CHAPv1

EAP

MS-CHAPv2

PEAP

11.

1 point

Which actions can a promiscuous IPS take to mitigate an attack? (Choose three.)

Requesting host blocking

Denying packets

Resetting the TCP connection

Modifying packets

Denying frames

Requesting connection blocking

12.

1 point

Which two characteristics represent a blended threat? (Choose two.)

man-in-the-middle attack

trojan horse attack

pharming attack

denial of service attack

day zero attack

13.

1 point

Which command initializes a lawful intercept view?

parser view cisco li-view

username cisco1 view lawful-intercept password cisco

li-view cisco user cisco1 password cisco

parser view li-view inclusive

14.

1 point

Which command verifies phase 2 of an IPsec VPN on a Cisco router?

show crypto map

show crypto isakmp sa

show crypto ipsec sa

show crypto engine connection active

15.

1 point

Which command verifies phase 1 of an IPsec VPN on a Cisco router?

show crypto isakmp sa

show crypto engine connection active

show crypto map

show crypto ipsec sa

16.

1 point

On which Cisco Configuration Professional screen do you enable AAA

Authentication Policies

AAA Servers and Groups

Authorization Policies

AAA Summary

17.

1 point

What are the primary attack methods of VLAN hopping? (Choose two.)

VoIP hopping

Switch spoofing

CAM-table overflow

Double tagging

18.

1 point

Which source port does IKE use when NAT has been detected between two
VPN gateways?

UDP 4500

TCP 500

UDP 500

TCP 4500

19.

1 point

Which three protocols are supported by management plane protection? (Choose three.)

EIGRP

SSH

SNMP

SMTP

OSPF

HTTPS

20.

1 point

Which components does HMAC use to determine the authenticity and integrity of a message? (Choose two.)

The transform set

The key

The hash

The password

21.

1 point

Which type of security control is defense in depth?

Risk analysis

Threat mitigation

Botnet mitigation

Overt and covert channels

22.

1 point

QUESTION 6
What is the best way to prevent a VLAN hopping attack?

Disable DTP negotiations

Encapsulate trunk ports with IEEE 802.1Q.

Enable BDPU guard.

Physically secure data closets.

23.

1 point

Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.)

root guard

IP source guard

port security

BPDU guard

24.

1 point

Which two countermeasures can mitigate STP root bridge attacks? (Choose two.)

BPDU guard

root guard

Layer 2 PDU rate limiter

BPDU filtering

25.

1 point

What is a possible reason for the error message?Router(config)#aaa server?% Unrecognized command

The command is invalid on the target device

The router is already running the latest operating system

The command syntax requires a space after the word “server”

The router is a new device on which the aaa new-model command must be applied before continuing

26.

1 point

Which type of mirroring does SPAN technology perform?

Remote mirroring over Layer 2

Local mirroring over Layer 2

Local mirroring over Layer 3

Remote mirroring over Layer 3

27.

1 point

Which address block is reserved for locally assigned unique local addresses?

2002::/16

FB00::/8

2001::/32

FD00::/8

28.

1 point

Which statement about rule-based policies in Cisco Security Manager is true?

Rule-based policies contain one or more rules that are related to a device's security and operations parameters.

Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.

Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device

Rule-based policies contain one or more user roles that are related to a device's security and operations parameters.

29.

1 point

Which statements about reflexive access lists are true? (Choose three.)

Reflexive access lists can be attached to standard named IP ACLs

Reflexive access lists create a permanent ACE

Reflexive access lists can be attached to extended named IP ACLs

Reflexive access lists support TCP sessions

Reflexive access lists support UDP sessions

Reflexive access lists approximate session filtering using the established keyword

30.

1 point

Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?

Unicast Reverse Path Forwarding

Unidirectional Link Detection

TrustSec

IP Source Guard

31.

1 point

In which stage of an attack does the attacker discover devices on a target network?

Maintaining access

Reconnaissance

Gaining access

Covering tracks

32.

1 point

If you are implementing VLAN trunking, which additional configuration parameter should be added to the
trunking configuration?

no switchport mode access

switchport mode DTP

no switchport trunk native VLAN 1

switchport nonnegotiate

33.

1 point

Which accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)

start-stop

stop-record

stop

stop-only

34.

1 point

What is the Cisco preferred countermeasure to mitigate CAM overflows?

Dynamic port security

Port security

Root guard

IP source guard

35.

1 point

Which aaa accounting command is used to enable logging of the start and stop records for user terminal
sessions on the router?

aaa accounting exec start-stop tacacs+

aaa accounting connection start-stop tacacs+

aaa accounting network start-stop tacacs+

aaa accounting commands 15 start-stop tacacs+

aaa accounting system start-stop tacacs+

36.

1 point

Which option describes information that must be considered when you apply an access list to a physical interface?

Direction of the access list

Protocol used for filtering

Direction of the access group

Direction of the access class

37.

1 point

Which represents a unique link-local address (IPv6)?

2001::/32

FEB0::/8

2002::/16

FED0::/8

38.

1 point

Which options are filtering options used to display SDEE message types? (Choose two.)

error

all

none

stop

39.

1 point

Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two.)

FTP

SSH

Telnet

AAA

HTTPS

HTTP

40.

1 point

Which security measures can protect the control plane of a Cisco router? (Choose two.)

CCPr

Parser views

Access control lists

Port security

CoPP

41.

1 point

Which type of IPS can identify worms that are propagating in a network?

Anomaly-based IPS

Reputation-based IPS

Policy-based IPS

Signature-based IPS

42.

1 point

Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a
reload event message when the device reloads?

aaa accounting network default start-stop group radius

aaa accounting system default start-stop group radius

aaa accounting exec default start-stop group radius

aaa accounting auth-proxy default start-stop group radius

43.

1 point

Which tasks is the session management path responsible for? (Choose three.)

Performing route lookup

Performing session lookup

Checking TCP sequence numbers

Verifying IP checksums

Checking packets against the access list

Allocating NAT translations

44.

1 point

Which sensor mode can deny attackers inline?

fail-close

IPS

fail-open

IDS

45.

1 point

Which option is the most effective placement of an IPS device within the infrastructure?

Promiscuously, before the Internet router and the firewall

Promiscuously, after the Internet router and before the firewall

Inline, before the internet router and firewall

Inline, behind the internet router and firewall

46.

1 point

Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

Spam protection

Outbreak intelligence

HTTP and HTTPS scanning

Email encryption

DDoS protection

47.

1 point

Which statement about extended access lists is true?

Extended access lists perform filtering that is based on destination and are most effective when applied to the source

Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source

Extended access lists perform filtering that is based on source and are most effective when applied to the destination

Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination

48.

1 point

If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)

Authentication attempts to the router will be denied

Authentication will use the router`s local database

The user will be prompted to authenticate using the enable password

Authentication attempts will be sent to the TACACS+ server

49.

1 point

A clientless SSL VPN user who is connecting on a Windows Vista computer is missing the menu option for Remote Desktop Protocol on the portal web page. Which action should you take to begin troubleshooting?

Ensure that the RDP plug-in is installed on the VPN gateway

Instruct the user to reconnect to the VPN gateway

Ensure that the RDP2 plug-in is installed on the VPN gateway

Reboot the VPN gateway

50.

1 point

Which two services are provided by IPsec? (Choose two.)

Data Integrity

Confidentiality

Internet Key Exchange

Encapsulating Security Payload

Authentication Heade