Secure III

1.

1 point

To prevent a spanning-tree attack, which command should be configured on a distribution switch port that is connected to an access switch?

spanning-tree guard root

spanning-tree backbone fast

spanning-tree portfast bpduguard default

spannning-tree bpduguard enable

2.

1 point

In a GETVPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process?

unicast UDP transmission

unicast TCP transmission

multicast TCP transmission

multicast UDP transmission

3.

1 point

You are a network administrator and are moving a web server from inside the company network to a DMZ segment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to 8080 but do not want your inside users to be affected. Which NAT statement should you configure on your router to support the change?

hostname(config)# ip nat static outside source tcp 172.20.10.5 80 172.16.10.50 8080

hostname(config)# ip nat outside source static tcp 172.16.10.50 80 172.20.10.5 8080

hostname(config)# ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080

hostname(config)# ip nat static inside source udp 172.20.10.50 172.20.10.5

hostname(config)# ip nat inside source static 172.16.10.50 172.20.10.5

4.

1 point

When configuring NAT, and your solution requires the ability to see the inside local and outside global address entries and any TCP or UDP port in the show ip nat command output, how should
NAT be configured on the router?

configure the ip nat inside command to an extended ACL

include both static and dynamic NAT configuration on the router

tie the ip nat inside command to a dynamic NAT pool

use the overload option on the end of your static NAT statement

attach a route-map to the ip nat inside command

5.

1 point

Refer to the exhibit 105

You are working for a corporation that has connected its network to a partner network. Based on this partial configuration that is supplied in the exhibit, which two things happen to traffic that is inbound from the partner network (outside is 10.10.30.0/24) and the return traffic from the inside as it travels through this router? (Choose two.)

IP traffic that is flowing from 10.10.19.0/24 to 10.10.30.0/24 has the source address translated to 172.19.1.0/24.

The destination address of IP packets that are traveling from 10.10.19.0/24 to any IP network is translated to 172.19.1.0/24.

The source address of the IP packets that are traveling from the 10.10.30.0/24 network to 10.10.19.0/24 are translated to 172.19.1.0/24.

The destination address of IP packets that are traveling from 10.10.19.0/24 to 10.10.30.0/24 are translated to 172.19.1.0/24.

The destination address of IP packets that are traveling from 10.10.30.0/24 to 10.10.19.0/24 are translated to 172.19.1.0/24.

6.

1 point

You are a network administrator that is deploying a Cisco router that needs to support both PAT and site-to-site VPN on one public IP address. In order to make both work simultaneously, how should the NAT configuration be set up?

A route-map should be used with the nat command to support the use of AH and ESP.

The ip nat inside command needs to exclude the VPN source address in the NAT pool.

Because PAT does support AH, the VPN tunnel must not be configured with Encapsulating Security Payload (ESP).

The nat configuration command needs to include a range of IP addresses with the overload word on the end.

The VPN configuration should be set up with a static NAT configuration

An ACL should be attached to the nat command to permit the NAT traffic and deny the VPN traffic.

7.

1 point

Refer to the exhibit 107

Based on the configuration that is shown in the exhibit, select the three answers that apply.
(Choose three.)

Non-802.1X devices are supported on this port by setting up the host for MAC address authentication in the endpoint database

The configuration supports multidomain authentication, which allows one MAC address on the voice VLAN and one on the data VLAN.

Registration and DHCP traffic will flow on either the data or voice VLAN before authentication

Traffic will not flow for either the phone or the host computer until one device completes the 802.1X authentication process

MAC Authentication Bypass will be attempted only after 802.1X authentication times out.

The port will only require the 802.1X supplicant to authenticate one time.

8.

1 point

You are finding that the 802.1X-configured ports are going into the error-disable state. Which command will show you the reason why the port is in the error-disable state, and which command will automatically be re-enabled after a specific amount of time? (Choose two.)

show error-disable flap-status

error-disable recovery cause security-violation

error-disable recovery cause l2ptguard

error-disable recovery cause dot1x

show error-disable status

show error-disable recovery

9.

1 point

Your company has a requirement that if security is compromised on phase 1 of a Diffie-Hellman key exchange that a secondary option will strengthen the security on the IPsec tunnel. What should you implement to ensure a higher degree of key material security?

Diffie-Hellman Group 5 Phase I

XAUTH with AAA authentication

PFS Group 5

Transform-set SHA-256

Diffie-Hellman Phase II ESP

10.

1 point

Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?

reflexive access control lists

Flexible Packet Matching

Control Plane Policing

NetFlow

11.

1 point

You are troubleshooting a problem for which end users are reporting connectivity issues. Your network has been configured with Layer 2 protection controls. You have determined that the DHCP snooping database is correct and that proper static addressing maps have been configured. Which of these should be your next step in troubleshooting this problem?

Generate a proxy ARP request and verify that the DHCP database has been updated as expected.

Clear the ARP tables and have end users release and renew their DHCP-learned addressing.

Temporarily disable DHCP snooping and test connectivity again.

Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.

12.

1 point

You are troubleshooting a reported connectivity issue from a remote office whose users are accessing corporate headquarters via an IPsec VPN connection. You issued a show crypto isakmp sa command on the headend router, and the state has MM_NO_STATE. Which debug command should you enter next, and which part of the VPN tunnel establishment process is failing? (Choose two.)

ISAKMP Phase II

debug crypto isakm

ISAKMP Phase I

debug crypto ipsec

debug crypto isakmp sa

13.

1 point

You are installing a brand-new, site-to-site VPN tunnel and notice that it is not working correctly. When connecting to the corporate router and issuing a show crypto ipsec sa command, you notice that for this particular SA that packets are being encrypted but not decrypted. What are two potential reasons for this problem? (Choose two.)

The NAT exception on the corporate side is filtering the return packets.

The transform-set needs to be set to transport mode.

XAUTH needs to be enabled

The access-list attached to the crypto map at the remote site is incorrect.

The remote site is failing Diffie-Hellman Phase I negotiation

Inbound and outbound IP 50 packets are being filtered at the remote site.

14.

1 point

Which two of these are features of control plane security on a Cisco ISR? (Choose two.)

RBAC

FPM

CPPr

CoPP

AAA

uRPF

15.

1 point

Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?

Separate zones must be defined for each virtual zone-based policy firewall instance.

No special zone-based policy firewall configurations are needed.

Separate zone-based policy firewall policies must be defined for each VRF environment.

You must assign zone-based policy firewall bridge groups to work in the virtual environment.

16.

1 point

You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message "attributes not acceptable" on the IKE responder after issuing the debug crypto
isakmp command. Which step should you take next?

verify matching ISAKMP policies on each peer

verify that an IKE security association has been established between peers

verify that IPsec transform sets match on each peer

verify if default IPsec attributes are in place on each peer

17.

1 point

Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it has been successfully compiled?

retired

unsupported

disabled

inactive

18.

1 point

Which CLI command would you use to verify installed SSL VPN licensing on a Cisco 1900, 2900, or 3900 Series ISR?

show webvpn gateway

show crypto webvpn details

show webvpn license

show webvpn ssl license count all

show crypto ssl license

19.

1 point

Which statement is correct regarding GRE tunnel endpoints when you are configuring GRE over IPsec?

For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.

The tunnel interfaces of both endpoints must be in the same IP subnet.

A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting enduser traffic between the GRE endpoints.

The tunnel interfaces of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.

20.

1 point

Refer to the exhibit 120

Which of these is correct regarding the configuration parameters shown?

The router is configured as a certificate server

The RSA key pair is valid for five hours before being revoked

Certificate lifetimes are mismatched and will cause intermittent connectivity errors.

Complete certificates will be written to and stored in NVRAM

The router has enrolled to the MY-TRUSTPOINT PKI server, which is an external CA server.

21.

1 point

Refer to the exhibit 121

When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access
interfaces from the output shown?

The Virtual-Access2 interface does not yet have an IPsec peer defined.

The Virtual-Access1 interface currently does not have an IPsec peer connection establishe

The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface is down.

The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.

22.

1 point

Refer to the exhibit 122

Based on the partial configuration shown, which additional configuration parameter is needed under the GET VPN group member GDOI configuration?

mapping of the IPsec profile to the IPsec SA

local priority

key server IP address

mapping of the IPsec transform set to the GDOI group