ccna security 2

Card Set Information

Author:
rkrouse
ID:
304843
Filename:
ccna security 2
Updated:
2015-07-07 07:37:57
Tags:
ccnasecurity2
Description:
2nd ccna security cards
The flashcards below were created by user rkrouse on FreezingBlue Flashcards.


  1. QUESTION 161
    Which three statements about RADIUS are true? (Choose three.) 
    A. RADIUS uses TCP port 49.
    B. RADIUS uses UDP ports 1645 or 1812.
    C. RADIUS encrypts the entire packet.
    D. RADIUS encrypts only the password in the Access-Request packet.
    E. RADIUS is a Cisco proprietary technology.
    F. RADIUS is an open standard.
    Answer: BDF
  2. QUESTION 162
    Which network security framework is used to set up access control on Cisco Appliances? 
    A. RADIUS
    B. AAA
    C. TACACS+
    D. NAS
    Answer: B
  3. QUESTION 163
    Which two protocols are used in a server-based AAA deployment? (Choose two.) 
    A. RADIUS
    B. TACACS+
    C. HTTPS
    D. WCCP
    E. HTTP
    Answer: AB
  4. QUESTION 164
    Which Cisco IOS command will verify authentication between a router and a AAA server? 
    A. debug aaa authentication
    B. test aaa group
    C. test aaa accounting
    D. aaa new-model
    Answer: B
  5. QUESTION 165
    Which AAA feature can automate record keeping within a network? 
    A. TACACS+
    B. authentication
    C. authorization
    D. accounting
    Answer: D
  6. QUESTION 166
    Which two statements about IPv6 access lists are true? (Choose two.)
    A. IPv6 access lists support numbered access lists.
    B. IPv6 access lists support wildcard masks.
    C. IPv6 access lists support standard access lists.
    D. IPv6 access lists support named access lists.
    E. IPv6 access lists support extended access lists.
    Answer: DE
  7. QUESTION 167
    Which command enables subnet 192.168.8.4/30 to communicate with subnet 192.168.8.32/27 on IP protocol 50? 
    A. permit esp 192.168.8.4 255.255.255.252 192.168.8.32 255.255.255.224
    B. permit esp 192.168.8.4 0.0.0.31 192.168.8.32 0.0.0.31
    C. permit esp 192.168.8.4 255.255.255.252 224.168.8.32 255.255.255.192
    D. permit esp 192.168.8.4 0.0.0.3 192.168.8.32 0.0.0.31
    Answer: D
  8. QUESTION 168
    Which two types of access lists can be used for sequencing? (Choose two.)
    A. reflexive
    B. standard
    C. dynamic
    D. extended
    Answer: BD
  9. QUESTION 169
    Which command will block IP traffic to the destination 172.16.0.1/32? 
    A. access-list 101 deny ip host 172.16.0.1 any
    B. access-list 101 deny ip any host 172.16.0.1
    C. access-list 101 deny ip any any
    D. access-list 11 deny host 172.16.0.1
    Answer: B
  10. QUESTION 170
    Which two considerations about secure network monitoring are important? (Choose two.) 
    A. log tampering
    B. encryption algorithm strength
    C. accurate time stamping
    D. off-site storage
    E. Use RADIUS for router commands authorization.
    F. Do not use a loopback interface for device management access.
    Answer: AC
  11. QUESTION 171
    Which two countermeasures can mitigate STP root bridge attacks? (Choose two.) 
    A. root guard
    B. BPDU filtering
    C. Layer 2 PDU rate limiter
    D. BPDU guard
    Answer: AD
  12. QUESTION 172
    Which two countermeasures can mitigate MAC spoofing attacks? (Choose two.) 
    A. IP source guard
    B. port security
    C. root guard
    D. BPDU guard
    Answer: AB
  13. QUESTION 173
    Which statement correctly describes the function of a private VLAN? 
    A. A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains.
    B. A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.
    C. A private VLAN enables the creation of multiple VLANs using one broadcast domain.
    D. A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain.
    Answer: A
  14. QUESTION 174
    What are two primary attack methods of VLAN hopping? (Choose two.) 
    A. VoIP hopping
    B. switch spoofing
    C. CAM-table overflow
    D. double tagging
    Answer: BD
  15. QUESTION 175
    Which type of attack can be prevented by setting the native VLAN to an unused VLAN? 
    A. VLAN-hopping attacks
    B. CAM-table overflow
    C. denial-of-service attacks
    D. MAC-address spoofing
    Answer: A
  16. QUESTION 176
    What is the purpose of a trunk port? 
    A. A trunk port carries traffic for multiple VLANs.
    B. A trunk port connects multiple hubs together to increase bandwidth.
    C. A trunk port separates VLAN broadcast domains.
    D. A trunk port provides a physical link specifically for a VPN.
    Answer: A
  17. QUESTION 177
    The host A Layer 2 port is configured in VLAN 5 on switch 1, and the host B Layer 2 port is configured in VLAN 10 on switch 1. Which two actions can you take to enable the two hosts to communicate with each other? (Choose two.)
    A. Configure inter-VLAN routing.
    B. Connect the hosts directly through a hub.
    C. Configure switched virtual interfaces.
    D. Connect the hosts directly through a router.
    Answer: AC
  18. QUESTION 178
    Which two pieces of information should you acquire before you troubleshoot an STP loop? (Choose two.) 
    A. topology of the routed network
    B. topology of the switched network
    C. location of the root bridge
    D. number of switches in the network
    Answer: BC
  19. QUESTION 179
    Which two options are symmetric-key algorithms that are recommended by Cisco? (Choose two.) 
    A. Twofish
    B. Advanced Encryption Standard
    C. Blowfish
    D. Triple Data Encryption Standard
    Answer: BD
  20. QUESTION 180
    Which technology provides an automated digital certificate management system for use with IPsec? 
    A. ISAKMP
    B. public key infrastructure
    C. Digital Signature Algorithm
    D. Internet Key Exchange
    Answer: B
  21. QUESTION 181
    Which two IPsec protocols are used to protect data in motion? (Choose two.) 
    A. Encapsulating Security Payload Protocol
    B. Transport Layer Security Protocol
    C. Secure Shell Protocol
    D. Authentication Header Protocol
    Answer: AD
  22. QUESTION 182
    On which protocol number does Encapsulating Security Payload operate? 
    A. 06
    B. 47
    C. 50
    D. 51
    Answer: C
  23. QUESTION 183
    On which protocol number does the authentication header operate? 
    A. 06
    B. 47
    C. 50
    D. 51
    Answer: D
  24. QUESTION 185
    In an IPsec VPN, what determination does the access list make about VPN traffic? 
    A. whether the traffic should be blocked
    B. whether the traffic should be permitted
    C. whether the traffic should be encrypted
    D. the peer to which traffic should be sent
    Answer: C
  25. QUESTION 186
    Which command verifies phase 2 of an IPsec VPN on a Cisco router? 
    A. show crypto map
    B. show crypto ipsec sa
    C. show crypto isakmp sa
    D. show crypto engine connection active
    Answer: B
  26. QUESTION 187
    You are troubleshooting a Cisco AnyConnect VPN on a firewall and issue the command show webvpn anyconnect. The output shows the message "SSL VPN is not enabled" instead of showing the AnyConnect package. Which action can you take to resolve the problem? 
    A. Issue the enable outside command.
    B. Issue the anyconnect enable command.
    C. Issue the enable inside command.
    D. Reinstall the AnyConnect image.
    Answer: B
  27. QUESTION 188
    What is the key difference between host-based and network-based intrusion prevention? 
    A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.
    B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.
    C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized software on the end hosts and servers.
    D. Host-based IPS can work in promiscuous mode or inline mode.
    E. Host-based IPS is more scalable than network-based IPS.
    F. Host-based IPS deployment requires less planning than network-based IPS.
    Answer: C
  28. QUESTION 189
    Which one is the most important based on the following common elements of a network design?
    A. Business needs
    B. Best practices
    C. Risk analysis
    D. Security policy
    Answer: A
  29. QUESTION 190
    When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet period"? 
    A. A period of time when no one is attempting to log in
    B. The period of time in which virtual logins are blocked as security services fully initialize
    C. The period of time in which virtual login attempts are blocked, following repeated failed login attempts
    D. The period of time between successive login attempts
    Answer: C
  30. QUESTION 191
    What is a result of securing the Cisco IOS image using the Cisco IOS image resilience feature? 
    A. The show version command will not show the Cisco IOS image file location.
    B. The Cisco IOS image file will not be visible in the output from the show flash command.
    C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.
    D. The running Cisco IOS image will be encrypted and then automatically backed up to the NVRAM.
    E. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP server.
    Answer: B
  31. QUESTION 192
    Which three statements are valid SDM configuration wizards? (Choose three.) 
    A. Security Audit
    B. VPN
    C. STP
    D. NAT
    Answer: ABD
  32. QUESTION 193
    How do you define the authentication method that will be used with AAA? 
    A. With a method list
    B. With the method command
    C. With the method aaa command
    D. With a method statement
    Answer: A
  33. QUESTION 194
    Which one of the following commands can be used to enable AAA authentication to determine if a user can access the privilege command level? 
    A. aaa authentication enable default local
    B. aaa authentication enable level
    C. aaa authentication enable method default
    D. aaa authentication enable default
    Answer: D
  34. QUESTION 195
    Which two ports are used with RADIUS authentication and authorization? (Choose two.)
    A. TCP port 2002
    B. UDP port 2000
    C. UDP port 1645
    D. UDP port 1812
    Answer: CD
  35. QUESTION 196
    Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration? 
    A. Pervasive secure MAC address
    B. Static secure MAC address
    C. Sticky secure MAC address
    D. Dynamic secure MAC address
    Answer: C
  36. QUESTION 197
    What command displays all existing IPsec security associations (SA)? 
    A. show crypto isakmp sa
    B. show crypto ipsec sa
    C. show crypto ike active
    D. show crypto sa active
    Answer: B
  37. QUESTION 198
    Which of the following is not considered a trustworthy symmetric encryption algorithm? 
    A. 3DES
    B. IDEA
    C. EDE
    D. AES
    Answer: C
  38. QUESTION 199
    For the following items, which management topology keeps management traffic isolated from production traffic? 
    A. OOB
    B. SAFE
    C. MARS
    D. OTP
    Answer: A
  39. QUESTION 200
    Which type of cipher achieves security by rearranging the letters in a string of text? 
    A. Vigenère cipher
    B. Stream cipher
    C. Transposition cipher
    D. Block cipher
    Answer: C
  40. QUESTION 201
    Which of the following are techniques used by symmetric encryption cryptography? (Choose all that apply.) 
    A. Block ciphers
    B. Message Authentication Codes (MAC)
    C. One-time pad
    D. Stream ciphers
    E. Vigenère cipher
    Answer: ABD
  41. QUESTION 202
    Which two statements are true about the differences between IDS and IPS? (Choose two.) 
    A. IPS operates in promiscuous mode.
    B. IPS receives a copy of the traffic to be analyzed.
    C. IPS operates in inline mode.
    D. IDS receives a copy of the traffic to be analyzed.
    Answer: CD
  42. QUESTION 203
    Which option is a desirable feature of using symmetric encryption algorithms? 
    A. they are often used for wire-speed encryption in data networks
    B. they are based on complex mathematical operations and can easily be accelerated by hardware
    C. they offer simple key management properties
    D. they are best used for one-time encryption needs
    Answer: A
  43. QUESTION 204
    Which option is true of using cryptographic hashes? 
    A. they are easily reversed to decipher the message context
    B. they convert arbitrary data into fixed length digits
    C. they are based on a two-way mathematical function
    D. they are used for encrypting bulk data communications
    Answer: B
  44. QUESTION 205
    When implementing network security, what is an important configuration task that you should perform to assist in correlating network and security events? 
    A. configure network time protocol
    B. configure synchronized syslog reporting
    C. configure a common repository of all network events for ease of monitoring
    D. configure an automated network monitoring system for event correlation
    Answer: A
  45. QUESTION 206
    Which of these options is a Cisco IOS feature that lets you more easily configure security features on your router? 
    A. cisco self-defending network
    B. implementing AAA command authorization
    C. the auto secure CLI command
    D. performing a security audit via SDM
    Answer: C
  46. QUESTION 207
    What is the most common Cisco Discovery Protocol version 1 attack? 
    A. denial of service
    B. MAC-address spoofing
    C. CAM-table overflow
    D. VLAN hopping
    Answer: A
  47. QUESTION 208
    Which option describes a function of a virtual VLAN? 
    A. A virtual VLAN creates a logically partitioned LAN to place switch ports in a separate broadcast domain.
    B. A virtual VLAN creates trunks and links two switches together.
    C. A virtual VLAN adds every port on a switch to its own collision domain.
    D. A virtual VLAN connects many hubs together.
    Answer: A
  48. QUESTION 209
    Which action can you take to add bandwidth to a trunk between two switches and end up with only one logical interface? 
    A. Configure another trunk link.
    B. Configure EtherChannel.
    C. Configure an access port.
    D. Connect a hub between the two switches.
    Answer: B
  49. QUESTION 210
    If the native VLAN on a trunk is different on each end of the link, what is a potential consequence? 
    A. The interface on both switches may shut down.
    B. STP loops may occur.
    C. The switch with the higher native VLAN may shut down.
    D. The interface with the lower native VLAN may shut down.
    Answer: B
  50. QUESTION 211
    Which VTP mode allows you to change the VLAN configuration and will then propagate the change throughout the entire switched network? 
    A. VTP server
    B. VTP client
    C. VTP transparent
    D. VTP off
    Answer: A
  51. QUESTION 212
    When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops? 
    A. STP elects the root bridge.
    B. STP selects the root port.
    C. STP selects the designated port.
    D. STP blocks one of the ports.
    Answer: A
  52. QUESTION 213
    What is the default STP priority on a switch? 
    A. 4096
    B. 24576
    C. 16384
    D. 32768
    Answer: D
  53. QUESTION 214
    Which two options are asymmetric-key algorithms that are recommended by Cisco? (Choose two.) 
    A. Rivest-Shamir-Adleman Algorithm
    B. ElGamal encryption system
    C. Digital Signature Algorithm
    D. Paillier cryptosystem
    Answer: AC
  54. QUESTION 215
    Which IPsec component takes an input message of arbitrary length and produces a fixed-length output message? 
    A. the transform set
    B. the group policy
    C. the hash
    D. the crypto map
    Answer: C
  55. QUESTION 216
    Which three options are components of Transport Layer Security? (Choose three.) 
    A. stateless handshake
    B. stateful handshake
    C. application layer
    D. session layer
    E. pre-shared keys
    F. digital certificates
    Answer: BCF
  56. QUESTION 217
    What are three features of IPsec tunnel mode? (Choose three.) 
    A. IPsec tunnel mode supports multicast.
    B. IPsec tunnel mode is used between gateways.
    C. IPsec tunnel mode is used between end stations.
    D. IPsec tunnel mode supports unicast traffic.
    E. IPsec tunnel mode encrypts only the payload.
    F. IPsec tunnel mode encrypts the entire packet.
    Answer: BDF
  57. QUESTION 218
    Which command provides phase 1 and phase 2 status for all active sessions of an IPsec VPN on a Cisco router? 
    A. show crypto map
    B. show crypto ipsec sa
    C. show crypto isakmp sa
    D. show crypto session
    Answer: D
  58. QUESTION 219
    How can you prevent clientless SSL VPN users from accessing any HTTP or HTTPS URL within the portal? 
    A. Configure a web ACL.
    B. Turn off URL entry.
    C. Configure a smart tunnel.
    D. Configure a portal access rule.
    Answer: B
  59. QUESTION 220
    Which Cisco AnyConnect VPN feature enables DTLS to fall back to a TLS connection? 
    A. perfect forward secrecy
    B. dead peer detection
    C. keepalives
    D. IKEv2
    Answer: B
  60. QUESTION 221
    Where is the transform set applied in an IOS IPsec VPN? 
    A. on the WAN interface
    B. in the ISAKMP policy
    C. in the crypto map
    D. on the LAN interface
    Answer: C
  61. QUESTION 222
    Which authentication protocol does the Cisco AnyConnect VPN password management feature require to operate? 
    A. MS-CHAPv1
    B. MS-CHAPv2
    C. CHAP
    D. Kerberos
    Answer: B
  62. QUESTION 223
    In which stage of an attack does the attacker discover devices on a target network? 
    A. reconnaissance
    B. gaining access
    C. maintaining access
    D. covering tracks
    Answer: A
  63. QUESTION 224
    Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path? 
    A. Unidirectional Link Detection
    B. Unicast Reverse Path Forwarding
    C. TrustSec
    D. IP Source Guard
    Answer: B
  64. QUESTION 225
    By which kind of threat is the victim tricked into entering username and password information at a disguised website? 
    A. phishing
    B. spam
    C. malware
    D. spoofing
    Answer: A
  65. QUESTION 226
    Which Cisco product can help mitigate web-based attacks within a network? 
    A. Adaptive Security Appliance
    B. Web Security Appliance
    C. Email Security Appliance
    D. Identity Services Engine
    Answer: B
  66. QUESTION 227
    Which type of IPS can identify worms that are propagating in a network? 
    A. signature-based IPS
    B. policy-based IPS
    C. anomaly-based IPS
    D. reputation-based IPS
    Answer: C
  67. QUESTION 228
    When a company puts a security policy in place, what is the effect on the company's business? 
    A. minimizing risk
    B. minimizing total cost of ownership
    C. minimizing liability
    D. maximizing compliance
    Answer: A
  68. QUESTION 229
    Which IOS feature can limit SSH access to a specific subnet under a VTY line? 
    A. access class
    B. access list
    C. route map
    D. route tag
    Answer: A
  69. QUESTION 230
    Which command configures logging on a Cisco ASA firewall to include the date and time?
    A. logging facility
    B. logging enable
    C. logging timestamp
    D. logging buffered debugging
    Answer: C
  70. QUESTION 231
    Which two protocols can SNMP use to send messages over a secure communications channel? (Choose two.) 
    A. DTLS
    B. TLS
    C. ESP
    D. AH
    E. ISAKMP
    Answer: AB
  71. QUESTION 232
    Which two options are for securing NTP? (Choose two.) 
    A. a stratum clock
    B. access lists
    C. Secure Shell
    D. authentication
    E. Telnet
    Answer: BD
  72. QUESTION 233
    What must be configured before Secure Copy can be enabled? 
    A. SSH
    B. AAA
    C. TFTP
    D. FTP
    Answer: B
  73. QUESTION 234
    Which two ports does Cisco Configuration Professional use? (Choose two.) 
    A. 80
    B. 8080
    C. 443
    D. 21
    E. 23
    Answer: AC
  74. QUESTION 235
    Which two options are physical security threats? (Choose two.) 
    A. hardware
    B. environment
    C. access lists
    D. device configurations
    E. software version
    Answer: AB
  75. QUESTION 236
    Which command configures stateful packet inspection to inspect a packet after it passes the inbound ACL of the input interface? 
    A. ip inspect out
    B. ip inspect in
    C. ip inspect name audit-trail on
    D. ip inspect name audit-trail off
    Answer: B
  76. QUESTION 237
    Which statement about identity NAT is true? 
    A. It is a static NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
    B. It is a dynamic NAT configuration that translates a real IP address to a mapped IP address.
    C. It is a static NAT configuration that translates a real IP address to a mapped IP address.
    D. It is a dynamic NAT configuration that translates the real IP address on the ingress interface to the same IP address on the egress interface.
    Answer: A
  77. QUESTION 238
    Which element must you configure to allow traffic to flow from one security zone to another? 
    A. a zone pair
    B. a site-to-site VPN
    C. a zone list
    D. a zone-based policy
    Answer: A
  78. QUESTION 239
    With which two NAT types can Cisco ASA implement address translation? (Choose two.) 
    A. network object NAT
    B. destination NAT
    C. twice NAT
    D. source NAT
    E. double NAT
    Answer: AC
  79. QUESTION 240
    Which technology is the most effective choice for locally mirroring ports to support data investigation for a single device at the data layer? 
    A. RMON
    B. SPAN
    C. RSPAN
    D. ERSPAN
    Answer: B
  80. QUESTION 241
    Which three actions can an inline IPS take to mitigate an attack? (Choose three.) 
    A. modifying packets inline
    B. denying the connection inline
    C. denying packets inline
    D. resetting the connection inline
    E. modifying frames inline
    F. denying frames inline
    Answer: ABC
  81. QUESTION 242
    Which monitoring protocol uses TCP port 1470 or UDP port 514? 
    A. RELP
    B. Syslog
    C. SDEE
    D. IMAP
    E. SNMP
    F. CSM
    Answer: B
  82. QUESTION 243
    Which option provides the most secure method to deliver alerts on an IPS?
    A. IME
    B. CSM
    C. SDEE
    D. syslog
    Answer: C
  83. QUESTION 244
    Which statement about the Atomic signature engine is true? 
    A. It can perform signature matching on a single packet only.
    B. It can perform signature matching on multiple packets.
    C. It can examine applications independent of the platform.
    D. It can flexibly match patterns in a session
    Answer: A
  84. QUESTION 245
    What is the function of an IPS signature? 
    A. It determines the best course of action to mitigate a threat.
    B. It detects network intrusions by matching specified criteria.
    C. It provides logging data for allowed connections.
    D. It provides threat-avoidance controls.
    Answer: B
  85. QUESTION 246
    Which two options are advantages of a network-based Cisco IPS? (Choose two.) 
    A. It can examine encrypted traffic.
    B. It can protect the host after decryption.
    C. It is an independent operating platform.
    D. It can observe bottom-level network events.
    E. It can block traffic
    Answer: CD
  86. QUESTION 247
    Which statement about the role-based CLI access views on a Cisco router is true? 
    A. The maximum number of configurable CLI access views is 10, including one lawful intercept view and excluding the root view.
    B. The maximum number of configurable CLI access views is 10, including one superview.
    C. The maximum number of configurable CLI access views is 15, including one lawful intercept view and excluding the root view.
    D. The maximum number of configurable CLI access views is 15, including one lawful intercept view.
    Answer: C
  87. QUESTION 248
    Which three protocols are supported by management plane protection? (Choose three.) 
    A. SNMP
    B. SMTP
    C. SSH
    D. OSPF
    E. HTTPS
    F. EIGRP
    Answer: ACE
  88. QUESTION 249
    Which statement about rule-based policies in Cisco Security Manager is true? 
    A. Rule-based policies contain one or more rules that are related to a device's security and operations parameters.
    B. Rule-based policies contain one or more rules that control how traffic is filtered and inspected on a device.
    C. Rule-based policies contain one or more user roles that are related to a device's security and operations parameters.
    D. Rule-based policies contain one or more user roles that control how user traffic is filtered and inspected on a device.
    Answer: B
  89. QUESTION 250
    Which Cisco Security Manager feature enables the configuration of unsupported device features? 
    A. Deployment Manager
    B. FlexConfig
    C. Policy Object Manager
    D. Configuration Manager
    Answer: B
  90. QUESTION 251
    Which statement about IPv6 address allocation is true? 
    A. IPv6-enabled devices can be assigned only one IPv6 IP address.
    B. A DHCP server is required to allocate IPv6 IP addresses.
    C. IPv6-enabled devices can be assigned multiple IPv6 IP addresses.
    D. ULA addressing is required for Internet connectivity.
    Answer: C
  91. QUESTION 252
    Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method? 
    A. aaa authentication enable console LOCAL SERVER_GROUP
    B. aaa authentication enable console SERVER_GROUP LOCAL
    C. aaa authentication enable console local
    D. aaa authentication enable console LOCAL
    Answer: D
  92. QUESTION 253
    Which command will configure a Cisco router to use a TACACS+ server to authorize network services with no fallback method? 
    A. aaa authorization exec default group tacacs+ none
    B. aaa authorization network default group tacacs+ none
    C. aaa authorization network default group tacacs+
    D. aaa authorization network default group tacacs+ local
    Answer: C
  93. QUESTION 254
    Which three statements about RADIUS are true? (Choose three.) 
    A. RADIUS uses TCP port 49.
    B. RADIUS uses UDP ports 1645 or 1812.
    C. RADIUS encrypts the entire packet.
    D. RADIUS encrypts only the password in the Access-Request packet.
    E. RADIUS is a Cisco proprietary technology.
    F. RADIUS is an open standard.
    Answer: BDF
  94. QUESTION 255
    Which command will configure AAA accounting using the list of all RADIUS servers on a device to generate a reload event message when the device reloads? 
    A. aaa accounting network default start-stop group radius
    B. aaa accounting auth-proxy default start-stop group radius
    C. aaa accounting system default start-stop group radius
    D. aaa accounting exec default start-stop group radius
    Answer: C
  95. QUESTION 256
    Which two accounting notices are used to send a failed authentication attempt record to a AAA server? (Choose two.)
    A. start-stop
    B. stop-record
    C. stop-only
    D. stop
    Answer: AC
  96. QUESTION 257
    What is the first command you enter to configure AAA on a new Cisco router? 
    A. aaa configuration
    B. no aaa-configuration
    C. no aaa new-model
    D. aaa new-model
    Answer: D
  97. QUESTION 258
    Which three TACACS+ server-authentication protocols are supported on Cisco ASA firewalls? (Choose three.) 
    A. EAP
    B. ASCII
    C. PAP
    D. PEAP
    E. MS-CHAPv1
    F. MS-CHAPv2
    Answer: BCE
  98. QUESTION 259
    What is the default privilege level for a new user account on a Cisco ASA firewall? 
    A. 0
    B. 1
    C. 2
    D. 15
    Answer: C
  99. QUESTION 260
    Which statement about ACL operations is true? 
    A. The access list is evaluated in its entirety.
    B. The access list is evaluated one access-control entry at a time.
    C. The access list is evaluated by the most specific entry.
    D. The default explicit deny at the end of an access list causes all packets to be dropped.
    Answer: B
  100. QUESTION 261
    Which three statements about access lists are true? (Choose three.)
    A. Extended access lists should be placed as near as possible to the destination.
    B. Extended access lists should be placed as near as possible to the source.
    C. Standard access lists should be placed as near as possible to the destination.
    D. Standard access lists should be placed as near as possible to the source.
    E. Standard access lists filter on the source address.
    F. Standard access lists filter on the destination address.
    Answer: BCE
  101. QUESTION 262
    Which command configures a device to actively watch connection requests and provide immediate protection from DDoS attacks? 
    A. router(config)# ip tcp intercept mode intercept
    B. router(config)# ip tcp intercept mode watch
    C. router(config)# ip tcp intercept max-incomplete high 100
    D. router(config)# ip tcp intercept drop-mode random
    Answer: A
  102. QUESTION 263
    Which command will block external spoofed addresses? 
    A. access-list 128 deny ip 10.0.0.0 0.0.255.255 any
    B. access-list 128 deny ip 192.168.0.0 0.0.0.255 any
    C. access-list 128 deny ip 10.0.0.0 0.255.255.255 any
    D. access-list 128 deny ip 192.168.0.0 0.0.31.255 any
    Answer: C
  103. QUESTION 264
    Which two countermeasures can mitigate ARP spoofing attacks? (Choose two.) 
    A. port security
    B. DHCP snooping
    C. IP source guard
    D. dynamic ARP inspection
    Answer: BD
  104. QUESTION 265
    What is the Cisco preferred countermeasure to mitigate CAM overflows?
    A. port security
    B. dynamic port security
    C. IP source guard
    D. root guard
    Answer: B
