Secure I.1

1.

1 point

Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly?

Control Plane Protection

Management Plane Protection

CPU and memory thresholding

SNMPv3

2.

1 point

Which Cisco IOS IPS feature allows to you remove one or more actions from all active signatures based on the attacker and/or target address criteria, as well as the event risk rating criteria?

signature event action filters

signature attack severity rating

signature event action overrides

signature event risk rating

3.

1 point

What information you should collect prior to deploying 802.1x auth in a Cisco IBNS environment (4)

Existing Automated software deployment mechanisms

Existing transport protocols used in the environment

Existing list of LAN switches

Existing user credentials

Existing addressing escheme

Trustworthiness of the existing transport network

4.

1 point

Which statement best describes inside policy based NAT?

These rules use source addresses as the decision for translation policies.

These rules are sensitive to all communicating endpoints.

Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy

Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.

5.

1 point

Refer to the IMAGE 17. The INSIDE zone has been configured and assigned to two separate router
interfaces. All other zones and interfaces have been properly configured. Given the configuration
example shown, what can be determined?

This policy configuration is not needed, traffic within the same zone is allowed to pass by default.

If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.

This is an illegal configuration. You cannot have the same source and destination zones

Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.

6.

1 point

Which of these is correct regarding the configuration of virtual-access interfaces?

They cannot be saved to the startup configuration.

DVTI interfaces should be assigned a unique IP address range.

The Virtual-Access 1 interface must be enabled in an up/up state administratively

You must use static routes inside the tunnels.

7.

1 point

What is the result of configuring the command dotlx system-auth-control on a Cisco Catalyst switch?

enables the switch to operate as the 802.1X supplicant

globally enables 802.1X and defines ports as 802.1X-capable

globally enables 802.1X on the switch

places the configuration sub-mode into dotix-auth mode, in which you can identify the authentication server parameters

8.

1 point

Refer to IMAGE 10. What can be determined about the IPS category configuration shown?

All categories are disabled.

After all other categories were disabled, a custom category named "os ios" was created

All categories are retired

Only attacks on the Cisco IOS system result in preventative actions.

9.

1 point

When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (3)

using the router local user database

entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode

storing the XAUTH credentials in the router configuration file

entering the information from the PC via a browser

using an external AAA server

10.

1 point

Which two of these will match a regular expression with the following configuration parameters?
[a-zA-Z][0-9][a-z] (Choose two.)

Q3h

B4Mn

aaB132AA

BBpjnrIT

c7lm

11.

1 point

Which action does the command private-vlan association 100,200 take?

associates VLANs 100 and 200 with the primary VLA

configures VLANs 100 and 200 and associates them as a community

assigns VLANs 100 and 200 as an association of private VLANs

creates two private VLANs with the designation of VLAN 100 and VLAN 200

12.

1 point

Which two of these are benefits of implementing a zone-based policy firewall in transparent mode

Less firewall management is needed.

It has less impact on data flows.

It can be easily introduced into an existing network.

IP readdressing is unnecessary.

It adds the ability to statefully inspect non-IP traffic.

13.

1 point

Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which additional command keyword should be added if you would like to use these keys on another router or have the ability to back them up to another device?

redundancy

exportable

on:USB smart-token

usage-keys

14.

1 point

Refer to IMAGE 3. Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (2)

The end-user Cisco AnyConnect VPN software will remain installed on the end system

Client based full tunnel access has been enabled.

Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.

Clients will be assigned IP addresses in the 10.10.0.0/16 range.

If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.

15.

1 point

When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?

All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.

All sessions will be denied between these two zones by default.

All sessions will pass through the zone without being inspected.

This configuration statelessly allows packets to be delivered to the destination zone.

16.

1 point

Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN
hub router?

You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy

Only one tunnel can be created per tunnel source interface.

The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.

17.

1 point

Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)

fail open mode

interzone mode

routed mode

inspection mode

transparent mode

18.

1 point

When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?

They are stored in the router's event store and will allow authenticated remote systems to pull events from the event store.

Events are sent via syslog over a secure SSUTLS communications channel

All events are immediately sent to the remote SDEE server.

When the event store reaches its maximum configured number of event notifications, the stored events are sent via SDEE to a remote authenticated server and a new event store is created.

19.

1 point

You are running Cisco lOS IPS software on your edge router. A new threat has become an issue. The Cisco lOS IPS software has a signature that can address the new threat, but you previously retired the signature. You decide to unretire that signature to regain the desired protection level. How should you act on your decision?

You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom signature until you can download a new signature package and reload the router

Retired signatures are not present in the routers memory. You will need to download a new signature package to regain the retired signature.

Unretiring a signature will cause the router to recompile the signature database, which can temporarily affect performance

You should re-enable the signature and start inspecting traffic for signs of the new threat.

20.

1 point

Refer to IMAGE 6. What can be determined from the output of this show command?

The IKE association is in the process of being set up.

IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.

The IPsec connection is in an idle state.

The IKE status is authenticated.

The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers

21.

1 point

REFER IMAGE 7

1 show crypto map
2 show crypto isakmp sa
3 clear crypto sa
4 show crypto isakmp policy
5 clear crypto isakmp
6 show crypto ipsec sa
7 show crypto ipsec transform-set

a Delete IPsec security association
b Verify cryptographic configurations and show SA lifetimes
c Verify the IPsec protection policy settings
d Verify current IPsec settings in use by the SAs
e Clear active IKE connections

numlet numlet.. (números por orden)

22.

1 point

Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?

signature event action processor

event action override

event action filter

event action summarization

23.

1 point

Which best define app inspection and control benefits (3)

an application-aware method of filtering that works on OSI layers 3 and 4

dropping application layer protocol units that do not conform to protocol standard

filtering inside the protocol and its related content

in-memory reassembly of Layer 4 (TCP UDP) sessions to obtain the sequential stream of bytes exchanged between hosts

24.

1 point

Refer to IMAGE 1. Given the partial output of the debug command, what can be determined?

This is an IKE quick mode negotiation.

The peer has not matched any offered profiles.

This is normal output of a successful Phase 1 IKE exchange.

There is no ID payload in the packet, as indicated by the message ID = 0.

25.

1 point

You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?

run a traceroute to verify the tunnel path

issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints

ping the tunnel endpoint

debug the connection process and look for any error messages in tunnel establishment