QUESTION NO: 1
Which three statements about VXLANs are true? (Choose three.)
A.
It requires that IP protocol 8472 be opened to allow traffic through a firewall.
B.
Layer 2 frames are encapsulated in IP, using a VXLAN ID to identify the source VM.
C.
A VXLAN gateway maps VXLAN IDs to VLAN IDs.
D.
IGMP join messages are sent by new VMs to determine the VXLAN multicast IP.
E.
A VXLAN ID is a 32-bit value.
Answer: B,C,D
Explanation:
Each VXLAN segment, or VNID, is mapped to an IP multicast group in the transport IP network.
Each VTEP device is independently configured and joins this multicast group as an IP host
through the Internet Group Management Protocol (IGMP). The IGMP joins trigger Protocol
Independent Multicast (PIM) joins and signaling through the transport network for the particular
multicast group. The multicast distribution tree for this group is built through the transport network
based on the locations of participating VTEPs.
QUESTION NO: 2
In order to reassemble IP fragments into a complete IP datagram, which three IP header fields are
referenced by the receiver? (Choose three.)
A.
don't fragment flag
B.
packet is fragmented flag
"Pass Any Exam. Any Time." - www.actualtests.com
Answer: C,D,F
Explanation:
QUESTION NO: 3
Which VTP mode allows the Cisco Catalyst switch administrator to make changes to the VLAN
configuration that only affect the local switch and are not propagated to other switches in the VTP
domain?
A.
transparent
B.
server
Answer: A
Explanation:
VTP transparent network devices do not participate in VTP. A VTP transparent network device
does not advertise its VLAN configuration and does not synchronize its VLAN configuration based
on received advertisements. However, in VTP version 2, a transparent network device will forward
received VTP advertisements from its trunking LAN ports. In VTP version 3, a transparent network
device is specific to an instance.
QUESTION NO: 4
Which type of VPN is based on the concept of trusted group members using the GDOI key
management protocol?
A.
DMVPN
B.
SSLVPN
C.
GETVPN
D.
EzVPN
E.
MPLS VPN
F.
FlexVPN
Answer: C
QUESTION NO: 5
Based on RFC 4890, what is the ICMP type and code that should never be dropped by the firewall
to allow PMTUD?
A.
ICMPv6 Type 1 Code 0 no route to host
B.
ICMPv6 Type 1 Code 1 communication with destination administratively prohibited
C.
ICMPv6 Type 2 Code 0 packet too big
D.
ICMPv6 Type 3 Code 1 fragment reassembly time exceeded
E.
ICMPv6 Type 128 Code 0 echo request
F.
ICMPv6 Type 129 Code 0 echo reply
Answer: C
Explanation:
Answer: A
Explanation:
Answer: A
Explanation:
Use the HTTP inspection engine to protect against specific attacks and other threats that may be
associated with HTTP traffic. HTTP inspection performs several functions:
QUESTION NO: 8
When a Cisco IOS Router receives a TCP packet with a TTL value less than or equal to 1, what
will it do?
A.
Route the packet normally
B.
Drop the packet and reply with an ICMP Type 3, Code 1 (Destination Unreachable, Host
Unreachable)
C.
Drop the packet and reply with an ICMP Type 11, Code 0 (Time Exceeded, Hop Count Exceeded)
D.
Drop the packet and reply with an ICMP Type 14, Code 0 (Timestamp Reply)
Answer: C
Explanation:
TTL means Time to Live. Each time a packet enters a router, its TTL value is decreased by 1, so a
packet that arrives with a TTL of 1 is not forwarded to the next router.
QUESTION NO: 9
In an 802.11 WLAN, which option is the Layer 2 identifier of a basic service set, and also is
typically the MAC address of the radio of the access point?
A.
Answer: A
Explanation:
Each BSS is uniquely identified by a basic service set identification (BSSID). For a BSS operating in
infrastructure mode, the BSSID is the MAC address of the wireless access point (WAP), generated
by combining the 24-bit Organization Unique Identifier (the manufacturer's identity) and the
manufacturer's assigned 24-bit identifier for the radio chipset in the WAP. The BSSID is the formal
name of the BSS and is always associated with only one BSS.
QUESTION NO: 10
What term describes an access point which is detected by your wireless network, but is not a
trusted or managed access point?
A.
rogue
B.
unclassified
C.
interferer
D.
malicious
Answer: A
Explanation:
A rogue access point, also called rogue AP, is any Wi-Fi access point that is installed on a network
QUESTION NO: 11
A router has four interfaces addressed as 10.1.1.1/24, 10.1.2.1/24, 10.1.3.1/24, and 10.1.4.1/24.
What is the smallest summary route that can be advertised covering these four subnets?
A.
10.1.2.0/22
B.
10.1.0.0/22
C.
10.1.0.0/21
D.
10.1.0.0/16
Answer: C
Explanation:
Here each interface has been assigned an IP address. The ranges on the interfaces are:
10.1.1.1-10.1.1.255, 10.1.2.1-10.1.2.255, 10.1.3.1-10.1.3.255 and 10.1.4.1-10.1.4.255. Checking
the options against these ranges gives the answer.
Option A: 10.1.2.0/22 covers 10.1.0.0 - 10.1.3.255, so 10.1.4.1/24 does not fit into it. This is wrong.
Option B: Same as option A. Wrong answer.
Option C: 10.1.0.0/21 covers 10.1.0.0 - 10.1.7.255, which includes all four subnets mentioned in the
question, but we still have to check the last option as well.
Option D: 10.1.0.0/16 covers 10.1.0.0 - 10.1.255.255, which also includes the four subnets, but
Option C is the correct answer because it is the closer (smaller) match.
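As an added worked example (not part of the original explanation), the prefix arithmetic behind this answer in Python: it derives the smallest summary covering the four subnets, checks each option the way the text does, and generalizes the same bit-level check to deciding whether two VLSM prefixes overlap. The interface list is the one from the question.

```python
"""Prefix arithmetic for the summary-route question (added example)."""
import ipaddress

# The four interface addresses from the question.
INTERFACES = ["10.1.1.1/24", "10.1.2.1/24", "10.1.3.1/24", "10.1.4.1/24"]


def subnets_of(interfaces):
    """Turn interface addresses into their subnets, e.g. 10.1.1.1/24 -> 10.1.1.0/24."""
    return [ipaddress.ip_interface(i).network for i in interfaces]


def summary_route(networks):
    """Smallest single prefix covering every network.

    It is the longest prefix shared by the lowest network address and the
    highest broadcast address: shift both right until they agree, then the
    number of remaining bits is the summary prefix length.
    """
    nets = list(networks)
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    width = nets[0].max_prefixlen          # 32 for IPv4, 128 for IPv6
    plen = width
    while plen and (lo >> (width - plen)) != (hi >> (width - plen)):
        plen -= 1
    base = ((lo >> (width - plen)) << (width - plen)) if plen else 0
    return type(nets[0])((base, plen))    # same address family as the input


def covers(candidate, networks):
    """True if every network lies inside the candidate summary.

    strict=False accepts an option written with host bits set, such as
    10.1.2.0/22, by normalising it to its network 10.1.0.0/22.
    """
    summary = ipaddress.ip_network(candidate, strict=False)
    return all(n.subnet_of(summary) for n in networks)


def overlaps(a, b):
    """True if two VLSM prefixes share at least one address."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


if __name__ == "__main__":
    nets = subnets_of(INTERFACES)
    print("smallest summary:", summary_route(nets))       # 10.1.0.0/21
    for opt in ["10.1.2.0/22", "10.1.0.0/22", "10.1.0.0/21", "10.1.0.0/16"]:
        print(f"{opt:>12} covers all four: {covers(opt, nets)}")
```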
Answer: C,D
Explanation:
Dynamic NAT with overload - Changes the SOURCE address so traffic going to the internet can
find its way BACK.
Port address translation - Changes the DESTINATION address so traffic from the Internet to an
internal server can get to it.
QUESTION NO: 13
Which authentication mechanism is available to OSPFv3?
A.
simple passwords
B.
MD5
C.
null
D.
Answer: E
Explanation:
In order to ensure that OSPFv3 packets are not altered and re-sent to the device, causing the
device to behave in a way not desired by its system administrators, OSPFv3 packets must be
authenticated. OSPFv3 uses the IPsec secure socket API to add authentication to OSPFv3
packets. This API supports IPv6.
OSPFv3 requires the use of IPsec to enable authentication. Crypto images are required to use
authentication, because only crypto images include the IPsec API needed for use with OSPFv3.
In OSPFv3, authentication fields have been removed from OSPFv3 packet headers. When
OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 authentication header (AH) or IPv6 ESP header
to ensure integrity, authentication, and confidentiality of routing exchanges. IPv6 AH and ESP
extension headers can be used to provide authentication and confidentiality to OSPFv3.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-sy/iro15-sy-book/ip6-route-ospfv3-auth-ipsec.html
QUESTION NO: 14
Which two IPv6 tunnel types support only point-to-point communication? (Choose two.)
A.
manually configured
B.
automatic 6to4
C.
ISATAP
D.
GRE
Answer: A,D
Tunneling Type | Suggested Usage | Usage Notes
Manual | Simple point-to-point tunnels that can be used within a site or between sites | Can carry IPv6 packets only.
GRE- and IPv4-compatible | Simple point-to-point tunnels that can be used within a site or between sites | Can carry IPv6, Connectionless Network Service (CLNS), and many other types of packets.
IPv4-compatible | Point-to-multipoint tunnels | Uses the ::/96 prefix. We do not recommend using this tunnel type.
6to4 | Point-to-multipoint tunnels that can be used to connect isolated IPv6 sites | Sites use addresses from the 2002::/16 prefix.
ISATAP | Point-to-multipoint tunnels that can be used to connect systems within a site | Sites can use any IPv6 unicast addresses.
References: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6tunnel.html
QUESTION NO: 15
Answer: D,E
Explanation:
Hello Packets- EIGRP sends Hello packets once it has been enabled on a router for a particular
network. These messages are used to identify neighbors and once identified, serve or function as
a keepalive mechanism between neighboring devices. EIGRP Hello packets are sent to the link
local Multicast group address 224.0.0.10. Hello packets sent by EIGRP do not require an
Acknowledgment to be sent confirming that they were received. Because they require no explicit
acknowledgment, Hello packets are classified as unreliable EIGRP packets. EIGRP Hello packets
have an OPCode of 5.
Acknowledgement Packets- An EIGRP Acknowledgment (ACK) packet is simply an EIGRP Hello
packet that contains no data. Acknowledgement packets are used by EIGRP to confirm reliable
delivery of EIGRP packets. ACKs are always sent to a Unicast address, which is the source
address of the sender of the reliable packet, and not to the EIGRP Multicast group address. In
addition, Acknowledgement packets will always contain a non-zero acknowledgment number. The
ACK uses the same OPCode as the Hello Packet because it is essentially just a Hello that
contains no information. The OPCode is 5.
QUESTION NO: 16
Before BGP update messages may be sent, a neighbor must stabilize into which neighbor state?
A.
Active
Answer: D
Explanation:
QUESTION NO: 17
Which three statements are correct when comparing Mobile IPv6 and Mobile IPv4 support?
(Choose three.)
A.
Mobile IPv6 does not require a foreign agent, but Mobile IPv4 does.
B.
Mobile IPv6 supports route optimization as a fundamental part of the protocol; IPv4 requires
extensions.
C.
Mobile IPv6 and Mobile IPv4 use a directed broadcast approach for home agent address
discovery.
D.
Mobile IPv6 makes use of its own routing header; Mobile IPv4 uses only IP encapsulation.
E.
Mobile IPv6 and Mobile IPv4 use ARP for neighbor discovery.
F.
Mobile IPv4 has adopted the use of IPv6 ND.
QUESTION NO: 18
Which three statements are true about MACsec? (Choose three.)
A.
It supports GCM modes of AES and 3DES.
B.
It is defined under IEEE 802.1AE.
C.
It provides hop-by-hop encryption at Layer 2.
D.
MACsec expects a strict order of frames to prevent anti-replay.
E.
MKA is used for session and encryption key management.
F.
It uses EAP PACs to distribute encryption keys.
Answer: B,C,E
Explanation:
MACsec is the IEEE 802.1AE standard for authenticating and encrypting packets between two
MACsec-capable devices. The Catalyst 4500 series switch supports 802.1AE encryption with
MACsec Key Agreement (MKA) on downlink ports for encryption between the switch and host
devices. The switch also supports MACsec link layer switch-to-switch security by using Cisco
TrustSec Network Device Admission Control (NDAC) and the Security Association Protocol (SAP)
key exchange. Link layer security can include both packet authentication between switches and
MACsec encryption between switches (encryption is optional).
QUESTION NO: 19
Troubleshooting the web authentication fallback feature on a Cisco Catalyst switch shows that
clients with the 802.1X supplicant are able to authenticate, but clients without the supplicant are
not able to use web authentication. Which configuration option will correct this issue?
A.
switch(config)# aaa accounting auth-proxy default start-stop group radius
B.
switch(config-if)# authentication host-mode multi-auth
C.
switch(config-if)# webauth
D.
switch(config)# ip http server
E.
switch(config-if)# authentication priority webauth dot1x
Answer: D
Explanation:
QUESTION NO: 20
Refer to the exhibit.
Which route will be advertised by the Cisco ASA to its OSPF neighbors?
A.
10.39.23.0/24
B.
10.40.29.0/24
C.
10.66.42.215/32
D.
10.40.29.0/24
Answer: A
Explanation:
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/route_ospf.html
QUESTION NO: 21
Which three configuration components are required to implement QoS policies on Cisco routers
using MQC? (Choose three.)
A.
class-map
B.
global-policy
C.
policy-map
D.
service-policy
E.
inspect-map
Answer: A,C,D
Explanation:
To configure a traffic policy (sometimes also referred to as a policy map), use the policy-map
command. The policy-map command allows you to specify the traffic policy name and also
allows you to enter policy-map configuration mode (a prerequisite for enabling QoS features such
as traffic policing or traffic shaping).
Associate the Traffic Policy with the Traffic Class
After using the policy-map command, use the class command to associate the traffic class with the
traffic policy.
The syntax of the class command is as follows:
class class-name
no class class-name
For the class-name argument, use the name of the class you created when you used the class-map
command to create the traffic class.
After entering the class command, you are automatically in policy-map class configuration mode.
The policy-map class configuration mode is the mode used for enabling the specific QoS features.
QUESTION NO: 22
Which type of PVLAN ports can communicate among themselves and with the promiscuous port?
A.
isolated
B.
community
C.
primary
D.
secondary
E.
protected
Answer: B
Explanation:
A promiscuous port can communicate with all interfaces, including the isolated and community ports
within a PVLAN.
QUESTION NO: 23
Which of the following provides the features of route summarization, assignment of contiguous
blocks of addresses, and combining routes for multiple classful networks into a single route?
A.
classless interdomain routing
B.
route summarization
C.
supernetting
D.
Answer: A
Explanation:
CIDR (Classless Inter-Domain Routing, sometimes known as supernetting) is a way to allocate
and specify the Internet addresses used in inter-domain routing more flexibly than with the original
system of Internet Protocol (IP) address classes.
QUESTION NO: 24
Aggregate global IPv6 addresses begin with which bit pattern in the first 16-bit group?
A.
000/3
B.
001/3
C.
010/2
D.
011/2
Answer: B
Explanation:
The IPv6 address that is unique to the Internet is called an aggregate global unicast address. Its
components are summarized by the following bit allocation:
A fixed prefix of 001: 3 bits
IANA allocated prefix: 45 bits
Site level aggregator: 16 bits
Interface: 64 bits
QUESTION NO: 25
Which layer of the OSI reference model typically deals with the physical addressing of interface
cards?
A.
physical layer
B.
data-link layer
C.
network layer
D.
host layer
Answer: B
Explanation:
The media access control methods described by the Data Link layer protocols define the
processes by which network devices can access the network media and transmit frames in diverse
network environments.
QUESTION NO: 26
Which statement best describes a key difference in IPv6 fragmentation support compared to IPv4?
A.
In IPv6, IP fragmentation is no longer needed because all Internet links must have an IP MTU of
1280 bytes or greater.
B.
In IPv6, PMTUD is no longer performed by the source node of an IP packet.
C.
In IPv6, IP fragmentation is no longer needed since all nodes must perform PMTUD and send
packets equal to or smaller than the minimum discovered path MTU.
D.
Answer: E
Explanation:
In IPv6, IP fragmentation is performed only by the source node of a large packet, and not by any
other devices in the data path.
QUESTION NO: 27
Refer to the exhibit.
It shows the format of an IPv6 Router Advertisement packet. If the Router Lifetime value is set to
0, what does that mean?
A.
The router that is sending the RA is not the default router.
B.
The router that is sending the RA is the default router.
C.
The router that is sending the RA will never power down.
D.
The router that is sending the RA is the NTP master.
Answer: A
Explanation:
Router Lifetime: Tells the host receiving this message how long, in seconds, this router should be
used as a default router. If 0, tells the host this router should not be used as a default router.
References: http://www.tcpipguide.com/free/t_ICMPv6RouterAdvertisementandRouterSolicitationMess-2.htm
QUESTION NO: 28
If a host receives a TCP packet with an SEQ number of 1234, an ACK number of 5678, and a
length of 1000 bytes, what will it send in reply?
A.
a TCP packet with SEQ number: 6678, and ACK number: 1234
B.
a TCP packet with SEQ number: 2234, and ACK number: 5678
C.
a TCP packet with SEQ number: 1234, and ACK number: 2234
D.
a TCP packet with SEQ number: 5678, and ACK number2234
Answer: D
Explanation:
The ACK number in the reply is the received SEQ number plus the segment length, i.e. 1234 + 1000 = 2234, and the reply's own SEQ number is the received ACK number, 5678.
QUESTION NO: 29
A network administrator uses a LAN analyzer to troubleshoot OSPF router exchange messages
sent to all OSPF routers. To which one of these MAC addresses are these messages sent?
A.
00-00-1C-EF-00-00
B.
01-00-5E-00-00-05
C.
01-00-5E-EF-00-00
D.
EF-FF-FF-00-00-05
E.
EF-00-00-FF-FF-FF
F.
FF-FF-FF-FF-FF-FF
Answer: B
Explanation:
OSPF uses IP multicast to exchange Hello packets and Link State Updates. An IP multicast
address is implemented using class D addresses, which range from 224.0.0.0 to 239.255.255.255.
Messages to all OSPF routers are sent to the AllSPFRouters group 224.0.0.5; mapping the low-order
23 bits of that group address into the 01-00-5E multicast MAC prefix gives 01-00-5E-00-00-05.
QUESTION NO: 30
Which option correctly describes the security enhancement added for OSPFv3?
A.
The AuType field in OSPFv3 now supports the more secure SHA-1 and SHA-2 algorithms in
addition to MD5.
B.
The AuType field is removed from the OSPFv3 header since simple password authentication is no
longer an option.
C.
The Authentication field in OSPFv3 is increased from 64 bits to 128 bits to accommodate more
secure authentication algorithms.
D.
Both the AuType and Authentication fields are removed from the OSPF header in OSPFv3, since
now it relies on the IPv6 Authentication Header (AH) and IPv6 Encapsulating Security Payload
(ESP) to provide integrity, authentication, and/or confidentiality?
E.
The Authentication field is removed from the OSPF header in OSPFv3, because OSPFv3 must
only run inside of an authenticated IPSec tunnel.
Answer: D
Explanation:
OSPF (Open Shortest Path First) Version 2 [N1] defines the fields AuType and Authentication in
its protocol header to provide security. In OSPF for IPv6 (OSPFv3) [N2], both of the authentication
fields were removed from OSPF headers. OSPFv3 relies on the IPv6 Authentication Header (AH)
and IPv6 Encapsulating Security Payload (ESP) to provide integrity, authentication, and/or
confidentiality.
References: https://tools.ietf.org/html/rfc4552
QUESTION NO: 31
Which IPv6 tunnel type is a standard that is defined in RFC 4214?
A.
ISATAP
B.
6to4
C.
GREv6
D.
manually configured
Answer: A
Explanation:
ISATAP is an automatic overlay tunneling mechanism that uses the underlying IPv4 network as a
NBMA link layer for IPv6. ISATAP is designed for transporting IPv6 packets within a site where a
native IPv6 infrastructure is not yet available; for example, when sparse IPv6 hosts are deployed
for testing. ISATAP tunnels allow individual IPv4 or IPv6 dual-stack hosts within a site to
communicate with other such hosts on the same virtual link, basically creating an IPv6 network
using the IPv4 infrastructure.
QUESTION NO: 32
What IP protocol number is used in the protocol field of an IPv4 header, when IPv4 is used to
tunnel IPv6 packets?
A.
6
B.
27
C.
41
Answer: C
Explanation:
IPv6-in-IPv4 tunnelled traffic consists of IPv4 packets whose IP headers have the protocol number
set to 41. This protocol number is specifically designated for IPv6 encapsulation.
QUESTION NO: 33
Which three statements are true about PIM-SM operations? (Choose three.)
A.
PIM-SM supports RP configuration using static RP, Auto-RP, or BSR.
B.
PIM-SM uses a shared tree that is rooted at the multicast source.
C.
Different RPs can be configured for different multicast groups to increase RP scalability.
D.
Candidate RPs and RP mapping agents are configured to enable Auto-RP.
E.
PIM-SM uses the implicit join model.
Answer: A,C,D
Explanation:
Sparse Mode (SM) is one of the operating modes of Protocol Independent Multicast (PIM) which
uses explicit Join/Prune Messages and RP instead of Dense Mode (DM) PIMs or Distance Vector
Multicast Routing Protocol's (DVMRP's) broadcast and prune technique.
Each multicast group has a shared tree via which receivers hear of new sources and new
QUESTION NO: 34
An IPv6 multicast receiver joins an IPv6 multicast group using which mechanism?
A.
IGMPv3 report
B.
IGMPv3 join
C.
MLD report
D.
general query
E.
PIM join
Answer: C
Explanation:
The Multicast Listener Discovery (MLD) protocol is the multicast group management protocol for
IPv6 and is used to exchange group information between multicast hosts and routers. The MLD
protocol was designed based on IGMP, the Internet Group Management Protocol for IPv4, and the
protocol specification is the same in many points. Unlike IGMP, however, MLD is defined as part
of ICMPv6, while IGMP is defined as a separate transport layer protocol.
Answer: B
Explanation:
The conversation between a DHCP client and a DHCP server to obtain an IP address automatically
is completed by exchanging four packets. These packets are:
DHCP DISCOVER
DHCP OFFER
DHCP REQUEST
QUESTION NO: 36
Which common FTP client command transmits a direct, byte-for-byte copy of a file?
A.
ascii
B.
binary
C.
Answer: B
Explanation:
The binary command sets the file transfer mode to binary. Binary mode transmits all eight bits per
byte and thus gives less chance of a transmission error; it must be used to transmit files other than
ASCII files.
QUESTION NO: 37
Which option is a desktop sharing application, used across a variety of platforms, with default TCP
ports 5800/5801 and 5900/5901?
A.
X Windows
B.
remote desktop protocol
C.
VNC
D.
desktop proxy
Answer: C
Explanation:
VNC enables you to remotely access and control your devices wherever you are in the world,
whenever you need to. VNC has a widespread user base from individuals to the world's largest
multi-national companies utilizing the technology for a range of applications.
Answer: D
Explanation:
Bidir-PIM is a variant of the PIM suite of routing protocols for IP multicast. In PIM, packet traffic for
a multicast group is routed according to the rules of the mode configured for that multicast group.
The Cisco IOS implementation of PIM supports three modes for a multicast group:
Bidirectional mode
Dense mode
Sparse mode
QUESTION NO: 39
Which three statements regarding VLANs are true? (Choose three.)
A.
To create a new VLAN on a Cisco Catalyst switch, the VLAN name, VLAN ID and VLAN type must
all be specifically configured by the administrator.
Answer: B,D,E
Explanation:
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A
VLAN consists of a number of end systems, either hosts or network equipment (such as bridges
and routers), connected by a single bridging domain. The bridging domain is supported on various
pieces of network equipment; for example, LAN switches that operate bridging protocols between
them with a separate bridge group for each VLAN.
VLANs are created to provide the segmentation services traditionally provided by routers in LAN
configurations. VLANs address scalability, security, and network management. Routers in VLAN
topologies provide broadcast filtering, security, address summarization, and traffic flow
management. None of the switches within the defined group will bridge any frames, not even
broadcast frames, between two VLANs. Several key issues described in the following sections
need to be considered when designing and building switched LAN internetworks:
LAN Segmentation
Security
Broadcast Control
Performance
Network Management
QUESTION NO: 40
Which technology, configured on the Cisco ASA, allows Active Directory authentication credentials
to be applied automatically to web forms that require authentication for clientless SSL
connections?
A.
one-time passwords
B.
certificate authentication
C.
user credentials obtained during authentication
D.
Kerberos authentication
Answer: C
Explanation:
Clientless SSL VPN connections on the ASA differ from remote access IPSec connections,
particularly with respect to how they interact with SSL-enabled servers, and precautions to follow
to reduce security risks. In a clientless SSL VPN connection, the ASA acts as a proxy between the
end user web browser and target web servers. When a user connects to an SSL-enabled web
server, the ASA establishes a secure connection and validates the server SSL certificate. The
browser never receives the presented certificate, so it cannot examine and validate the
certificate. The current implementation of clientless SSL VPN on the ASA does not permit
communication with sites that present expired certificates. Nor does the ASA perform trusted CA
certificate validation to those SSL-enabled sites. Therefore, users do not benefit from certificate
validation of pages delivered from an SSL-enabled web server before they use a web-enabled
service.
QUESTION NO: 41
In what subnet does address 192.168.23.197/27 reside?
A.
192.168.23.0
B.
192.168.23.128
C.
192.168.23.160
D.
192.168.23.192
E.
192.168.23.196
Answer: D
Explanation:
192.168.23.197/27 lies in the subnet 192.168.23.192/27, which ranges from 192.168.23.192 to
192.168.23.223, where 192.168.23.223 is the broadcast address. So the answer is D.
QUESTION NO: 42
Given the IPv4 address 10.10.100.16, which two addresses are valid IPv4-compatible IPv6
addresses? (Choose two.)
A.
:::A:A:64:10
B.
::10:10:100:16
C.
0:0:0:0:0:10:10:100:16
D.
0:0:10:10:100:16:0:0:0
QUESTION NO: 43
What is the size of a point-to-point GRE header, and what is the protocol number at the IP layer?
A.
8 bytes, and protocol number 74
B.
4 bytes, and protocol number 47
C.
2 bytes, and protocol number 71
D.
24 bytes, and protocol number 1
E.
8 bytes, and protocol number 47
Answer: B
Explanation:
QUESTION NO: 44
Which mode of operation must be enabled on CSM to support roles such as Network
Administrator, Approver, Network Operator, and Help Desk?
A.
Deployment Mode
B.
Activity Mode
C.
Workflow Mode
D.
User Roles Mode
E.
Administration Mode
F.
Network Mode
Answer: C
Explanation:
Help Desk: Help desk users can view (but not modify) devices, policies, objects, and topology
maps.
Network Operator: In addition to view permissions, network operators can view CLI commands
and Security Manager administrative settings. Network operators can also modify the configuration
archive and issue commands (such as ping) to devices.
QUESTION NO: 45
Which two ISE Probes would be required to distinguish accurately the difference between an iPad
and a MacBook Pro? (Choose two.)
A.
DHCP or DHCPSPAN
B.
SNMPTRAP
C.
SNMPQUERY
D.
NESSUS
E.
HTTP
F.
DHCP TRAP
Answer: A,E
Explanation:
The DHCP Switched Port Analyzer (SPAN) probe, when initialized on a Cisco ISE node, listens to
network traffic coming from network access devices on a specific interface. You need to
configure network access devices to forward DHCP SPAN packets to the Cisco ISE profiler from
the DHCP servers. The profiler receives these DHCP SPAN packets and parses them to capture
the attributes of an endpoint, which can be used for profiling endpoints.
An HTTP session is a sequence of network request-response transactions. The web browser
QUESTION NO: 46
Which option is the correct definition for MAB?
A.
MAB is the process of checking the mac-address-table on the local switch for the sticky address. If
the mac-address of the device attempting to access the network matches the configured sticky
address, it will be permitted to bypass 802.1X authentication.
B.
MAB is a process where the switch will send an authentication request on behalf of the endpoint
that is attempting to access the network, using the mac-address of the device as the credentials.
The authentication server evaluates that MAC address against a list of devices permitted to
access the network without a stronger authentication.
C.
MAB is a process where the switch will check a local list of MAC addresses to identify systems
that are permitted network access without using 802.1X.
D.
MAB is a process where the supplicant on the endpoint is configured to send the MAC address of
the endpoint as its credentials.
Answer: B
Explanation:
The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that
allows clients in a network to integrate with the Cisco Identity Based Networking Services (IBNS)
and Network Admission Control (NAC) strategy using the client MAC address. The MAC
Authentication Bypass feature is applicable to the following network environments:
Network environments in which a supplicant code is not available for a given client platform.
Network environments in which the end client configuration is not under administrative control, that
is, the IEEE 802.1X requests are not supported on these networks.
Standalone MAC Authentication Bypass (MAB) is an authentication method that grants network
access to specific MAC addresses regardless of 802.1X capability or credentials. As a result,
devices such as cash registers, fax machines, and printers can be readily authenticated, and
network features that are based on authorization policies can be made available.
QUESTION NO: 47
Review the exhibit.
Which three statements about the Cisco IPS sensor are true? (Choose three.)
A.
A
B.
B
C.
C
Answer: A,C,E
Explanation:
For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a
given VLAN can be a member of an inline VLAN pair on more than one sensing interface.
The order in which you specify the VLANs in an inline VLAN pair is not significant.
A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.
References: http://www.cisco.com/c/en/us/td/docs/security/ips/51/configuration/guide/cli/cliguide/cliInter.html
QUESTION NO: 48
Which QoS marking is only locally significant on a Cisco router?
A.
MPLS EXP
B.
DSCP
C.
QoS group
D.
Answer: C
Explanation:
QoS group
Locally significant QoS values that can be manipulated and matched within the system. The range
is from 0 to 126.
References: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_2/nxos/qos/configuration/guide/qos_nx-os_book/marking.html
QUESTION NO: 49
Which two VLSM subnets, when taken as a pair, overlap? (Choose two.)
A.
10.22.21.128/26
B.
10.22.22.128/26
C.
10.22.22.0/27
D.
10.22.20.0/23
E.
10.22.16.0/22
Answer: A,D
QUESTION NO: 50
What is the ICMPv6 type and destination IPv6 address for a Neighbor Solicitation packet that is
sent by a router that wants to learn about a newly introduced network device?
A.
ICMP type 136 and the Solicited-Node multicast address
B.
ICMP type 135 and the Broadcast address
C.
ICMP type 136 and the All-Routers multicast address
D.
ICMP type 135 and the All-Routers multicast address
E.
ICMP type 135 and the Solicited-Node multicast address
F.
ICMP type 136 and the Broadcast address
Answer: E
Explanation:
A value of 135 in the Type field of the ICMP packet header identifies a neighbor solicitation
message. Neighbor solicitation messages are sent on the local link when a node wants to
determine the link-layer address of another node on the same local link (see the figure below).
When a node wants to determine the link-layer address of another node, the source address in a
neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation
message. The destination address in the neighbor solicitation message is the solicited-node
multicast address that corresponds to the IPv6 address of the destination node. The neighbor
solicitation message also includes the link-layer address of the source node.
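As an added example (not code from the page), the following Python derives the solicited-node group for a target address (ff02::1:ff plus the low 24 bits of the target), the 33:33 multicast MAC it maps to on Ethernet, and builds the ICMPv6 type 135 message itself, including the checksum over the IPv6 pseudo-header, so a packet captured on the wire can be compared against it. The source address, MAC and target are constructed sample values.

```python
"""Neighbor Solicitation addressing and framing (RFC 4291 solicited-node groups, RFC 4861 NS)."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ICMPV6_NEIGHBOR_SOLICITATION = 135
OPT_SOURCE_LINK_LAYER_ADDR = 1


def solicited_node_address(target):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits of the group."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def icmpv6_checksum(src, dst, message):
    """One's-complement checksum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(message), ICMPV6_NEXT_HEADER)
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(src, src_mac, target):
    """Return (destination address, ICMPv6 bytes) for an NS resolving `target`."""
    src_ip = ipaddress.IPv6Address(src)
    dst_ip = solicited_node_address(target)
    mac = bytes.fromhex(src_mac.replace(":", ""))
    # Type 135, code 0, checksum placeholder, 32-bit reserved, 128-bit target,
    # then the source link-layer address option (type 1, length 1 = 8 octets).
    msg = struct.pack("!BBHI", ICMPV6_NEIGHBOR_SOLICITATION, 0, 0, 0)
    msg += ipaddress.IPv6Address(target).packed
    msg += struct.pack("!BB", OPT_SOURCE_LINK_LAYER_ADDR, 1) + mac
    csum = icmpv6_checksum(src_ip, dst_ip, msg)
    return dst_ip, msg[:2] + struct.pack("!H", csum) + msg[4:]


def checksum_is_valid(src, dst, message):
    """A received message verifies when the checksum over it (field included) folds to zero."""
    return icmpv6_checksum(ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), message) == 0


if __name__ == "__main__":
    dst, msg = build_neighbor_solicitation("fe80::1", "00:11:22:33:44:55", "2001:db8::a1b2:c3d4")
    print("NS to", dst, "/", multicast_mac(dst), "->", msg.hex())
```

Because the checksum covers the pseudo-header, a message replayed with a different source or destination address fails `checksum_is_valid`, which is one reason a forged NS has to be crafted for a specific link rather than simply copied.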
QUESTION NO: 51
Which three statements are true about Cryptographically Generated Addresses for IPv6? (Choose
three.)
A.
They prevent spoofing and stealing of existing IPv6 addresses.
B.
They are derived by generating a random 128-bit IPv6 address based on the public key of the
node.
C.
They are used for securing neighbor discovery using SeND.
D.
SHA or MD5 is used during their computation.
E.
The minimum RSA key length is 512 bits.
F.
The SHA-1 hash function is used during their computation.
Answer: A,C,F
Explanation:
A Cryptographically Generated Address (CGA) is an Internet Protocol Version 6 (IPv6) address
that has a host identifier computed from a cryptographic hash function. This procedure is a method
for binding a public signature key to an IPv6 address in the Secure Neighbor Discovery Protocol
(SEND). A Cryptographically Generated Address is formed by replacing the least-significant 64 bits
of the 128-bit IPv6 address with the cryptographic hash of the public key of the address owner.
The messages are signed with the corresponding private key. Only if the source address and the
public key are known can the verifier authenticate the message from that corresponding sender.
This method requires no public key infrastructure. Valid CGAs may be generated by any sender,
including a potential attacker, but they cannot use any existing CGAs. The SHA-1 hash function is
used during the computation; the generation procedure begins as follows:
procedure generateCGA(Sec, subnetPrefix, publicKey, extFields):
    modifier := random(0x00000000000000000000000000000000,   // 16 octets (128 bits)
                       0xffffffffffffffffffffffffffffffff)
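The remaining steps of that procedure are carried through in this added Python example, which is not code from the page or from any vendor. It follows RFC 3972 with SHA-1: Hash2 (over the modifier, nine zero octets and the key) must begin with 16*Sec zero bits, found by incrementing the modifier; Hash1 (over the full CGA Parameters structure) supplies the interface identifier, with Sec written into its top three bits and the u/g bits cleared; and a verifier recomputes both from the published parameters. The subnet prefix and the "public key" bytes are constructed placeholders; a real node hashes the DER-encoded RSA public key.

```python
"""RFC 3972 CGA generation and verification with SHA-1 (added example)."""
import hashlib
import ipaddress
import os

# Constructed stand-ins: a /64 prefix and a byte string in place of a DER-encoded RSA key.
SUBNET_PREFIX = bytes.fromhex("20010db800000001")
PUBLIC_KEY = b"constructed stand-in for the DER-encoded RSA public key"


def _hash2(modifier, pubkey, ext=b""):
    """Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero octets | key | extensions)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey + ext).digest()[:14]


def _hash1(modifier, prefix, collision_count, pubkey, ext=b""):
    """Hash1: leftmost 64 bits of SHA-1 over the whole CGA Parameters data structure."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey + ext).digest()[:8]


def _hash2_meets_sec(hash2, sec):
    # The leftmost 16*Sec bits of Hash2 must be zero (16 bits = 2 octets per Sec step).
    return not any(hash2[: 2 * sec])


def _interface_id(hash1, sec):
    iid = bytearray(hash1)
    # Sec goes in the three leftmost bits; bits 6 and 7 (the u and g bits) are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(sec, prefix, pubkey, ext=b"", modifier=None, collision_count=0):
    """Return (16-byte address, modifier). Work grows by 2^16 for each unit of Sec."""
    if not (0 <= sec <= 7 and len(prefix) == 8 and 0 <= collision_count <= 2):
        raise ValueError("bad Sec, prefix length or collision count")
    counter = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while True:
        modifier = counter.to_bytes(16, "big")
        if _hash2_meets_sec(_hash2(modifier, pubkey, ext), sec):
            break
        counter = (counter + 1) % (1 << 128)  # RFC 3972: increment modifier and retry
    iid = _interface_id(_hash1(modifier, prefix, collision_count, pubkey, ext), sec)
    return prefix + iid, modifier


def verify_cga(address, modifier, collision_count, pubkey, ext=b""):
    """True only if the address is bound to this key via the published parameters."""
    if len(address) != 16 or len(modifier) != 16 or not 0 <= collision_count <= 2:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5
    expected = _hash1(modifier, prefix, collision_count, pubkey, ext)
    # Differences in the Sec bits and in the u/g bits are ignored, as the RFC specifies.
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    return _hash2_meets_sec(_hash2(modifier, pubkey, ext), sec)


if __name__ == "__main__":
    addr, mod = generate_cga(1, SUBNET_PREFIX, PUBLIC_KEY)
    print("CGA:", ipaddress.IPv6Address(addr), "modifier:", mod.hex())
    print("owner's key verifies:", verify_cga(addr, mod, 0, PUBLIC_KEY))
    # An attacker can copy the address but cannot bind it to a key of their own.
    print("attacker's key verifies:", verify_cga(addr, mod, 0, b"attacker's key"))
```

The Sec parameter is what makes brute-forcing a second key onto an existing address expensive: an attacker must find a key whose Hash1 collides in 59 bits and whose Hash2 also passes the 16*Sec zero-bit test.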
"Pass Any Exam. Any Time." - www.actualtests.com
44
QUESTION NO: 52
Which three options are extension headers that are implemented in IPv6? (Choose three.)
A.
Routing Header.
B.
Generic Tunnel Header.
C.
Quality of Service Header.
D.
Fragment Header.
E.
Encapsulating Security Payload Header.
F.
Path MTU Discovery Header.
"Pass Any Exam. Any Time." - www.actualtests.com
45
Answer: A,D,E
Explanation:
Extension header                                | Next Header value | Description
Hop-by-Hop Options                              | 0  | Options that need to be examined by all devices on the path.
Destination Options (before routing header)     | 60 | Options that need to be examined only by the destination of the packet.
Routing                                         | 43 | Methods to specify the route for a datagram (used with Mobile IPv6).
Fragment                                        | 44 | Contains parameters for fragmentation of datagrams.
Authentication Header (AH)                      | 51 | Contains information used to verify the authenticity of most parts of the packet.
Encapsulating Security Payload (ESP)            | 50 | Carries encrypted data for secure communication.
Destination Options (before upper-layer header) | 60 | Options that need to be examined only by the destination of the packet.
"Pass Any Exam. Any Time." - www.actualtests.com
46
QUESTION NO: 53
What is a key characteristic of MSTP?
A.
always uses a separate STP instance per VLAN to increase efficiency
B.
only supports a single STP instance for all VLANs
C.
is a Cisco proprietary standard
D.
several VLANs can be mapped to the same spanning-tree instance
Answer: D
Explanation:
MSTs (IEEE 802.1s) combine the best aspects from both the PVST+ and the 802.1q. The idea is
that several VLANs can be mapped to a reduced number of spanning tree instances because
most networks do not need more than a few logical topologies.
QUESTION NO: 54
Which spanning-tree mode supports a separate spanning-tree instance for each VLAN and also
supports the 802.1w standard that has a faster convergence than 802.1D?
A.
PVST+
B.
"Pass Any Exam. Any Time." - www.actualtests.com
47
Answer: B
Explanation:
802.1D Spanning Tree Protocol (STP) has a drawback of slow convergence. Cisco Catalyst
switches support three types of STP: PVST+, Rapid-PVST+ and MST. PVST+ is based on the
IEEE 802.1D standard and includes Cisco proprietary extensions such as BackboneFast,
UplinkFast, and PortFast. Rapid-PVST+ is based on the IEEE 802.1w standard and has faster
convergence than 802.1D. RSTP (IEEE 802.1w) natively includes most of the Cisco proprietary
enhancements to the 802.1D Spanning Tree, such as BackboneFast and UplinkFast. Rapid-PVST+
has these unique features:
Rapid-PVST+ uses RSTP to provide faster convergence. When any RSTP port receives a legacy
802.1D BPDU, it falls back to legacy STP, and the inherent fast convergence benefits of 802.1w
are lost when it interacts with legacy bridges.
QUESTION NO: 55
Which three LSA types are used by OSPFv3? (Choose three.)
A.
Link LSA
B.
Intra-Area Prefix LSA
C.
Interarea-prefix LSA for ASBRs
D.
"Pass Any Exam. Any Time." - www.actualtests.com
48
Answer: A,B,D
Explanation:
Link LSA:
A router originates a separate Link LSA for each link it is attached to. These LSAs have link-local
flooding scope and are never flooded beyond a link that they are associated with.These LSAs
have three purposes:
- notify the link-local address of the router's interface to the routers attached to the link
- inform other routers attached to the link of the list of IPv6 prefixes to associate with the link
- allow the router to assert the collection of Option bits to associate with the Network LSA that will
be originated for the link.
The Link-State ID is set to the Interface ID of link of the originating router.
Intra-Area Prefix LSA:
A router uses Intra-Area Prefix LSA to advertise IPv6 prefixes that are associated with
a) the router itself (in IPv4, this was carried in Router LSA)
b) an attached stub network segment (in IPv4, this was carried in Router LSA)
c) an attached transit network segment (in IPv4, this was carried in Network LSA)
A router can originate multiple Intra-Area Prefix LSAs for each router or transit network; each LSA
is distinguished by its Link State ID.
AS-External LSA:
These LSAs are IPv6 equivalent of IPv4's Type-5 External LSAs. These LSAs are originated by
ASBRs describing the destinations external to the AS. Each LSA describe a route to a single IPv6
prefix external to the AS.
AS-External LSAs can be used to describe a default route. Default routes are used when no
specific route exists for a destination.
Reference: https://sites.google.com/site/amitsciscozone/home/important-tips/ipv6/ospf
49
QUESTION NO: 56
Which protocol provides the same functions in IPv6 that IGMP provides in IPv4 networks?
A.
ICMPv6
B.
ND
C.
MLD
D.
TLA
Answer: C
Explanation:
MLD is used by IPv6 routers for discovering multicast listeners on a directly attached link, much
like IGMP is used in IPv4. The protocol is embedded in ICMPv6 instead of using a separate
protocol. MLDv1 is similar to IGMPv2, and MLDv2 is similar to IGMPv3.
QUESTION NO: 57
Which authentication scheme, that is supported on the Cisco ASA, generates a unique key that is
used in a single password challenge?
A.
one-time passwords
B.
disposable certificates
C.
password management
D.
"Pass Any Exam. Any Time." - www.actualtests.com
50
Answer: A
Explanation:
One-time passwords are unique keys that the ASA generates for use in a single password
challenge. They are used for certificate enrollment when the ASA is also acting as the local CA
server.
QUESTION NO: 58
Which label is advertised by an LSR to inform neighboring LSRs to perform the penultimate hop
popping operation?
A.
0x00
B.
php
C.
swap
D.
push
E.
imp-null
Answer: E
Explanation:
Answer: A
Explanation:
RSA is an algorithm used by modern computers to encrypt and decrypt messages. It is an
asymmetric cryptographic algorithm. Asymmetric means that there are two different keys. This is
also called public key cryptography, because one of them can be given to everyone. The other key
must be kept private. It is based on the fact that finding the factors of an integer is hard (the
factoring problem). RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first
publicly described it in 1978. A user of RSA creates and then publishes the product of two large
prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept
secret. Anyone can use the public key to encrypt a message, but with currently published
methods, if the public key is large enough, only someone with knowledge of the prime factors can
feasibly decode the message.
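A toy illustration of that paragraph, added here and not part of the original page: a key pair from two small constructed primes, encryption and decryption by modular exponentiation, and recovery of the private key by factoring n, which is instant at this size and is exactly what becomes infeasible at real key sizes. This is textbook RSA without padding; it demonstrates the arithmetic, not a safe way to encrypt.

```python
"""Textbook RSA on small numbers: key generation, encrypt/decrypt, and key recovery by factoring."""
from math import gcd, isqrt

# Constructed toy primes. Real keys use primes of 1024 bits or more, where factoring n is out of reach.
P, Q = 1000003, 1000033
E = 65537


def generate_keypair(p, q, e=E):
    """Public key (n, e) and private key (n, d) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover p and q from a public modulus; only feasible because n is tiny."""
    for f in range(3, isqrt(n) + 1, 2):
        if n % f == 0:
            return f, n // f
    raise ValueError("no odd factor found")


def recover_private_key(pub):
    """Whoever learns the prime factors can derive d: factoring n breaks the key."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = generate_keypair(P, Q)
    c = encrypt(pub, 123456789)
    print("ciphertext:", c, "decrypts to:", decrypt(priv, c))
    print("private key recovered by factoring:", recover_private_key(pub) == priv)
```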
QUESTION NO: 60
Which three statements about triple DES are true? (Choose three.)
"Pass Any Exam. Any Time." - www.actualtests.com
52
Answer: B,C,D
Explanation:
Don't confuse transport issues with key size. Just as a DES key is 56 bits (+8 parity bits) but
always, by de facto convention, transported in 64 bits, a 3DES key is only 168 bits but is
transported in 192 bits. So a 3DES key bundle is 192 bits long and the key space is 168 bits.
Common block cipher modes of operation are:
Electronic Codebook (ECB)
Cipher Block Chaining (CBC)
Propagating Cipher Block Chaining (PCBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter (CTR)
Reference: http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
QUESTION NO: 61
According to RFC 5426, syslog senders must support sending syslog message datagrams to
which port?
Answer: B
Explanation:
Syslog receivers MUST support accepting syslog datagrams on the well-known UDP port 514, but
MAY be configurable to listen on a different port. Syslog senders MUST support sending syslog
message datagrams to the UDP port 514, but MAY be configurable to send messages to a
different port. Syslog senders MAY use any source UDP port for transmitting messages.
QUESTION NO: 62
Which three statements about the keying methods used by MACSec are true? (Choose three.)
A.
Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
B.
A valid mode for SAP is NULL.
C.
MKA is implemented as an EAPoL packet exchange.
D.
SAP is enabled by default for Cisco TrustSec in manual configuration mode.
E.
SAP is not supported on switch SVIs.
"Pass Any Exam. Any Time." - www.actualtests.com
54
Answer: B,C,E
Explanation:
SAP negotiation can use one of these modes of operation:
- Galois Counter Mode (GCM): authentication and encryption
- GCM authentication (GMAC): authentication, no encryption
- No Encapsulation: no encapsulation (clear text)
- Null: encapsulation, no authentication or encryption
The EAP framework implements MKA as a newly defined EAP-over-LAN (EAPOL) packet. EAP
authentication produces a master session key (MSK) shared by both partners in the data
exchange.
Cisco TrustSec NDAC SAP is supported on trunk ports because it is intended only for network
device to network device links, that is, switch-to-switch links. It is not supported on:
- Host-facing access ports (these ports support MKA MACsec)
- Switch virtual interfaces (SVIs)
- SPAN destination ports
SPAN destination ports
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf
QUESTION NO: 63
What is the function of this command?
switch(config-if)# switchport port-security mac-address sticky
A.
It allows the switch to restrict the MAC addresses on the switch port, based on the static MAC
addresses configured in the startup configuration.
"Pass Any Exam. Any Time." - www.actualtests.com
55
Answer: E
Explanation:
QUESTION NO: 64
When configuring a switchport for port security that will support multiple devices and that has
already been configured for 802.1X support, which two commands need to be added? (Choose
two.)
A.
The 802.1X port configuration must be extended with the command dot1x multiple-host.
B.
The 802.1X port configuration must be extended with the command dot1x port-security.
C.
The switchport configuration needs to include the command switchport port-security.
D.
The switchport configuration needs to include the port-security aging command.
E.
The 802.1X port configuration needs to remain in port-control force-authorized rather than port-control auto.
Answer: A,C
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com
56
In this mode, only one of the attached hosts must be authorized for all hosts to be granted network
access. If the port becomes unauthorized (re-authentication fails or an EAPOL-logoff message is
received), all attached clients are denied access to the network.
With the multiple-hosts mode enabled, you can use 802.1X to authenticate the port and port
security to manage network access for all MAC addresses, including that of the client.
Beginning in privileged EXEC mode, follow these steps to allow multiple hosts (clients) and port
security on an 802.1X-authorized port that has the dot1x port-control interface configuration
command set to auto.
Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Enter interface configuration mode, and specify the interface to which multiple hosts are
    indirectly attached.
Step 3: dot1x multiple-hosts
    Allow multiple hosts (clients) and port security on an 802.1X-authorized port.
"Pass Any Exam. Any Time." - www.actualtests.com
57
QUESTION NO: 65
In Cisco IOS, what is the result of the ip dns spoofing command on DNS queries that are coming
from the inside and are destined to DNS servers on the outside?
A.
The router will prevent DNS packets without TSIG information from passing through the router.
"Pass Any Exam. Any Time." - www.actualtests.com
58
Answer: B
Explanation:
The router will act as a proxy to the DNS request and reply to the DNS request with the IP address
of the interface that received the DNS query if the outside interface is down.
Reference: http://www.cisco.com/c/en/us/td/docs/iosxml/ios/ipaddr_dns/configuration/12-4t/dns-12-4t-book/dns-config-dns.html#GUID-5C6DC8F015ED-45DB-8D16-88E0198A01E4
QUESTION NO: 66
Which three traffic conditions can be matched when configuring single rate, dual token bucket
traffic policing on Cisco routers? (Choose three.)
A.
conform
B.
normal
C.
violate
D.
peak
E.
exceed
F.
average
"Pass Any Exam. Any Time." - www.actualtests.com
59
Single-rate traffic policing is implemented by tracking the current burst size using token-bucket
mechanics, and discarding packets that exceed the CIR. The Single-Rate Three-Color Marker (srTCM,
RFC 2697) is the RFC name for the ingress tool used to implement admission control at the
network edge. The three-color term means that any incoming burst can be classified as either
conforming (green, under Bc), exceeding (yellow, over Bc but under Be) or violating (red, over Be).
Depending on the implementation, exceeding packets could be admitted, but have their QoS
marking changed to show higher drop precedence in the network core.
QUESTION NO: 67
A frame relay PVC at router HQ has a CIR of 768 kb/s and the frame relay PVC at router branch
office has a CIR of 384 kb/s. Which QoS mechanism can best be used to ease the data
congestion and data loss due to the CIR speed mismatch?
A.
traffic policing at the HQ
B.
traffic policing at the branch office
C.
traffic shaping at the HQ
D.
traffic shaping at the branch office
E.
LLQ at the HQ
F.
LLQ at the branch office
Answer: C
Explanation:
Common implementations of Frame Relay traffic shaping are:
Reference: http://www.cisco.com/c/en/us/support/docs/wan/frame-relay/6151-traffic
QUESTION NO: 68
Which four options could be flagged as potential issues by a network security risk assessment?
(Choose four.)
A.
router hostname and IP addressing scheme
B.
router filtering rules
C.
route optimization
D.
database connectivity and RTT
E.
weak authentication mechanisms
F.
improperly configured email servers
G.
potential web server exploits
Answer: B,E,F,G
Explanation:
Packet filtering firewalls use routers with packet filtering rules to grant or deny access based on
source address, destination address, and port. They offer minimum security but at a very low cost,
and can be an appropriate choice for a low-risk environment. They are fast, flexible, and
transparent. Filtering rules are not often easily maintained on a router, but there are tools available
to simplify the tasks of creating and maintaining the rules.
A weak authentication mechanism can lead to the exposure of resources or functionality to
unintended actors, possibly providing attackers with sensitive information or even letting them
execute arbitrary code.
QUESTION NO: 69
Which MPLS label is the signaled value to activate PHP (penultimate hop popping)?
A.
0x00
B.
php
C.
swap
D.
push
E.
imp-null
Answer: E
Explanation:
The implicit NULL label should be used whenever possible, as PHP reduces the amount of lookup
required on the last hop of an LSP (sometimes that could mean the difference between hardware
and software lookup).
QUESTION NO: 70
What action will be taken by a Cisco IOS router if a TCP packet, with the DF bit set, is larger than
the egress interface MTU?
A.
Split the packet into two packets, so that neither packet exceeds the egress interface MTU, and
forward them out.
"Pass Any Exam. Any Time." - www.actualtests.com
62
Answer: B
Explanation:
ICMP type 3 code 4 messages are "fragmentation needed but don't fragment set". This means
your device sent a packet larger than the MTU of the device sending the ICMP message to you.
Normally, the packet could be fragmented, but the DF bit was set. Since you're denying the
inbound ICMP message, the ASA doesn't get notified that its packet wasn't delivered. Dropping
these ICMP messages is generally bad for performance because it essentially results in packet
loss.
QUESTION NO: 71
What will the receiving router do when it receives a packet that is too large to forward, and the DF
bit is not set in the IP header?
A.
Drop the packet, and send the source an ICMP packet, indicating that the packet was too big to
transmit.
B.
Fragment the packet into segments, with all segments having the MF bit set.
C.
Fragment the packet into segments, with all except the last segment having the MF bit set.
D.
Fragment the packet into segments, with all except the first segment having the MF bit set.
Answer: C
Explanation:
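Added example, not part of the page: a router's handling of an oversized IPv4 datagram for both this question and the previous one (DF set: drop and return ICMP type 3 code 4 carrying the egress MTU; DF clear: fragment on 8-octet boundaries with MF set on every piece but the last), plus the receiver-side reassembly, which refuses gaps and overlapping fragments instead of guessing. The header length assumes no IP options, and the datagram is constructed.

```python
"""Oversized IPv4 datagram at a router: honour DF, otherwise fragment; and reassemble at the receiver."""
from dataclasses import dataclass

IP_HEADER_LEN = 20       # assumes a header without options


@dataclass
class Datagram:
    ident: int            # Identification, shared by all fragments of one datagram
    payload: bytes
    df: bool = False      # Don't Fragment
    mf: bool = False      # More Fragments
    offset: int = 0       # Fragment Offset, in 8-octet units


@dataclass
class IcmpError:
    icmp_type: int
    code: int
    next_hop_mtu: int


def forward(dg, egress_mtu):
    """Return the datagrams to transmit, or an IcmpError to send back to the source."""
    if IP_HEADER_LEN + len(dg.payload) <= egress_mtu:
        return [dg]
    if dg.df:
        # Type 3 code 4: fragmentation needed and DF set; carries the MTU that would have fit.
        return IcmpError(3, 4, egress_mtu)
    chunk = ((egress_mtu - IP_HEADER_LEN) // 8) * 8     # payload per fragment, multiple of 8
    frags = []
    for start in range(0, len(dg.payload), chunk):
        piece = dg.payload[start:start + chunk]
        last = start + chunk >= len(dg.payload)
        # If the input was itself a non-final fragment, its last piece keeps MF set.
        frags.append(Datagram(dg.ident, piece, df=False,
                              mf=(not last) or dg.mf, offset=dg.offset + start // 8))
    return frags


def reassemble(frags):
    """Receiver side: order by offset, require one ident, contiguity and a final fragment with MF=0."""
    frags = sorted(frags, key=lambda f: f.offset)
    if not frags or len({f.ident for f in frags}) != 1 or frags[-1].mf:
        return None
    expected, out = 0, bytearray()
    for f in frags:
        if f.offset != expected:            # gap, or an overlapping fragment: refuse it
            return None
        if f.mf and len(f.payload) % 8:     # non-final fragments must be 8-octet aligned
            return None
        out += f.payload
        expected = f.offset + len(f.payload) // 8
    return bytes(out)


if __name__ == "__main__":
    big = Datagram(0x1234, bytes(range(256)) * 12)      # 3072-byte payload
    for f in forward(big, 1500):
        print(f"ident={f.ident:#06x} offset={f.offset:4d} len={len(f.payload):4d} MF={int(f.mf)}")
    print(forward(Datagram(0x1234, big.payload, df=True), 1500))
```

Overlapping fragments are rejected outright because the classic evasion is to send a fragment whose offset overwrites part of an earlier one, relying on the reassembler to favour one copy; a firewall or IDS that reassembles differently from the end host sees different data.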
"Pass Any Exam. Any Time." - www.actualtests.com
63
QUESTION NO: 72
Identify three IPv6 extension headers? (Choose three.)
A.
traffic class
B.
flow label
C.
routing
D.
fragment
E.
encapsulating security payload
Answer: C,D,E
Explanation:
Extension header   | Next Header value | Description
Hop-by-Hop Options | 0                 | Options that need to be examined by all devices on the path.
"Pass Any Exam. Any Time." - www.actualtests.com
64
QUESTION NO: 73
Which three statements correctly describe the purpose and operation of IPv6 RS and RA
"Pass Any Exam. Any Time." - www.actualtests.com
65
Answer: A,B,E
Explanation:
QUESTION NO: 74
Which three statements are true regarding the EIGRP update message? (Choose three.)
A.
Updates require an acknowledgement with an ACK message.
B.
Updates can be sent to the multicast address 224.0.0.10.
C.
Updates are sent as unicasts when they are retransmitted.
D.
Updates always include all routes known by the router with partial updates sent in the Reply
message.
E.
ACKs for updates are handled by TCP mechanisms.
Answer: A,B,C
Explanation:
To send updates, EIGRP uses the Reliable Transport Protocol (RTP) to send the EIGRP
updates and confirm their receipt. On point-to-point topologies such as serial links, MPLS VPNs,
and Frame Relay networks when using point-to-point subinterfaces, the EIGRP Update and ACK
messages use a simple process of acknowledging each update with an ACK. On multiaccess
data links, EIGRP typically sends Update messages to multicast address 224.0.0.10 and expects
a unicast EIGRP ACK message from each neighbour in reply. RTP manages that process, setting
timers so that the sender of an update waits a reasonable time, but not too long, before deciding
whether all neighbours received the Update or whether one or more neighbours did not reply with
an ACK.
QUESTION NO: 75
Which two EIGRP packet types are considered to be unreliable packets? (Choose two.)
A.
update
"Pass Any Exam. Any Time." - www.actualtests.com
67
Answer: D,E
Explanation:
Hello Packets- EIGRP sends Hello packets once it has been enabled on a router for a particular
network. These messages are used to identify neighbors and once identified, serve or function as
a keepalive mechanism between neighboring devices. EIGRP Hello packets are sent to the link
local Multicast group address 224.0.0.10.Hello packets sent by EIGRP do not require an
Acknowledgment to be sent confirming that they were received. Because they require no explicit
acknowledgment, Hello packets are classified as unreliable EIGRP packets. EIGRP Hello packets
have an OPCode of 5.
Acknowledgement Packets- An EIGRP Acknowledgment (ACK) packet is simply an EIGRP Hello
packet that contains no data. Acknowledgement packets are used by EIGRP to confirm reliable
delivery of EIGRP packets. ACKs are always sent to a Unicast address, which is the source
address of the sender of the reliable packet, and not to the EIGRP Multicast group address. In
addition, Acknowledgement packets will always contain a non-zero acknowledgment number. The
ACK uses the same OPCode as the Hello Packet because it is essentially just a Hello that
contains no information. The OPCode is 5.
QUESTION NO: 76
Which two OSPF network types support the concept of a designated router? (Choose two.)
A.
broadcast
B.
NBMA
C.
"Pass Any Exam. Any Time." - www.actualtests.com
68
Answer: A,B
Explanation:
NBMA: simulates a broadcast model by electing a designated router (DR) and a backup
designated router (BDR). There are two ways to simulate a broadcast model on an NBMA
network: define the network type as broadcast with the ip ospf network broadcast interface
subcommand, or configure the neighbor statements under the router ospf command.
QUESTION NO: 77
Which IPv6 routing protocol can use IPv6 ESP and AH to provide integrity, authentication, and
confidentiality services to protect the routing information exchange between the adjacent routing
neighbors?
A.
RIPng
B.
EIGRPv6
C.
BGP-4
D.
IS-IS
E.
OSPFv3
Answer: E
Explanation:
QUESTION NO: 78
Which three IPv6 tunneling methods are point-to-multipoint in nature? (Choose three.)
A.
automatic 6to4
B.
manually configured
C.
IPv6 over IPv4 GRE
D.
ISATAP
E.
automatic IPv4-compatible
Answer: A,D,E
Explanation:
Tunneling method | Suggested usage
Manual           | Used to provide a point-to-point IPv6 link over an existing IPv4 network; only supports IPv6 traffic.
GRE              | Used to provide a point-to-point IPv6 link over an existing IPv4 network; supports multiple protocols, including IPv6.
6to4
"Pass Any Exam. Any Time." - www.actualtests.com
70
QUESTION NO: 79
Which additional capability was added in IGMPv3?
A.
leave group messages support
B.
source filtering support
C.
group-specific host membership queries support
D.
IPv6 support
E.
authentication support between the multicast receivers and the last hop router
Answer: B
Explanation:
IGMP is the protocol used by IPv4 systems to report their IP multicast group memberships
to neighboring multicast routers. Version 3 of IGMP adds support for "source filtering", that
is, the ability for a system to report interest in receiving packets *only* from specific source
addresses, or from *all but* specific source addresses, sent to a particular multicast address. That
information may be used by multicast routing protocols to avoid delivering multicast packets from
specific sources to networks where there are no interested receivers.
"Pass Any Exam. Any Time." - www.actualtests.com
71
QUESTION NO: 80
Beacons, probe request, and association request frames are associated with which category?
A.
management
B.
control
C.
data
D.
request
Answer: A
Explanation:
The three 802.11 frame types are management, control, and data. Beacons, probe requests, and
association requests are all management frames.
QUESTION NO: 81
Which feature can be implemented to avoid any MPLS packet loss?
A.
IP TTL propagation
B.
LDP IGP sync
C.
label advertisement sync
D.
conditional label advertisement
E.
PHP
"Pass Any Exam. Any Time." - www.actualtests.com
72
Packet loss can occur because the actions of the IGP and LDP are not synchronized. Packet loss
can occur in the following situations:
- When an IGP adjacency is established, the router begins forwarding packets using the new
adjacency before the LDP label exchange completes between the peers on that link.
- If an LDP session closes, the router continues to forward traffic using the link associated with the
LDP peer rather than an alternate pathway with a fully synchronized LDP session.
QUESTION NO: 82
Which domain is used for a reverse lookup of IPv4 addresses?
A.
in-addr.arpa
B.
ip4.arpa
C.
in-addr.net
D.
ip4.net
Answer: A
Explanation:
Reverse DNS lookups for IPv4 addresses use a reverse IN-ADDR entry in the special domain
in-addr.arpa. In this domain, an IPv4 address is represented as a concatenated sequence of four
decimal numbers, separated by dots, to which is appended the second-level domain suffix
.in-addr.arpa. The four decimal numbers are obtained by splitting the 32-bit IPv4 address into four
8-bit portions and converting each 8-bit portion into a decimal number. These decimal numbers are
then concatenated in the order: least significant 8-bit portion first (leftmost), most significant 8-bit
portion last (rightmost). It is important to note that this is the reverse order to the usual
dotted-decimal convention for writing IPv4 addresses in textual form. For example, an address (A) record
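Added example (not from the page): it builds the reverse owner name for an IPv4 address exactly as described above and, going beyond the text, for IPv6 (ip6.arpa, one label per nibble, least significant first), and parses such a name back into an address, which is what you need when PTR owner names turn up in resolver or IDS logs. The standard library's ipaddress module is used only to validate addresses; it also exposes the same name as the reverse_pointer attribute.

```python
"""Build and parse reverse-lookup owner names (in-addr.arpa for IPv4, ip6.arpa for IPv6)."""
import ipaddress


def reverse_pointer(addr):
    """Owner name whose PTR record maps the address back to a hostname."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # Octets reversed, least significant first: 10.0.0.1 -> 1.0.0.10.in-addr.arpa
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    # IPv6 uses one label per hex nibble, all 32 of them, again least significant first.
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def address_from_pointer(name):
    """Inverse of reverse_pointer; returns None for names that are not reverse owner names."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        except ValueError:        # a label that is not an octet, e.g. "300"
            return None
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        hexstr = "".join(reversed(labels[:32]))
        try:
            groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
            return str(ipaddress.IPv6Address(":".join(groups)))
        except ValueError:
            return None
    return None


if __name__ == "__main__":
    for a in ("192.0.2.1", "2001:db8::1"):
        name = reverse_pointer(a)
        print(a, "->", name, "->", address_from_pointer(name))
```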
"Pass Any Exam. Any Time." - www.actualtests.com
73
QUESTION NO: 83
Which port or ports are used for the FTP data channel in passive mode?
A.
random TCP ports
B.
TCP port 21 on the server side
C.
TCP port 21 on the client side
D.
TCP port 20 on the server side
E.
TCP port 20 on the client side
Answer: A
Explanation:
FTP has a stateful control connection which maintains a current working directory and other flags,
and each transfer requires a secondary connection through which the data is transferred. In
"passive" mode this secondary connection is from client to server, whereas in the default "active"
mode this connection is from server to client. This apparent role reversal when in active mode, and
random port numbers for all transfers, is why firewalls and NAT gateways have such a hard time
with FTP. HTTP is stateless and multiplexes control and data over a single connection from client
to server on well-known port numbers, which trivially passes through NAT gateways and is simple
for firewalls to manage.
QUESTION NO: 84
Why do firewalls need to specially treat an active mode FTP session?
"Pass Any Exam. Any Time." - www.actualtests.com
74
Answer: A
Explanation:
QUESTION NO: 85
Which statement is true about the TFTP protocol?
A.
The client is unable to get a directory listing from the server.
B.
The client is unable to create a new file on a server.
C.
The client needs to log in with a username and password.
D.
The client needs to log in using "anonymous" as a username and specifying an email address as a
password.
Answer: A
Explanation:
TFTP is a simple protocol used to transfer files, and therefore was named the Trivial File Transfer
Protocol, or TFTP. The only thing it can do is read and write files from/to a remote server. It cannot
list directory contents or change the working directory, and currently has no provisions for user
authentication, so a TFTP server must have a dedicated working directory from which to send
and receive files.
The TFTP server described here cannot receive a file from a client unless a file with the same name
and with full write permissions already exists in the current working folder. That is why this
application has a toolbar button to create on your Mac the files you plan to upload: such files are
created with the proper permissions already set, so that your TFTP clients may upload their files,
overwriting those already existing in the TFTP current folder.
Answer: D
Explanation:
NTP uses a hierarchical, semi-layered system of time sources. Each level of this hierarchy is
termed a "stratum" and is assigned a number starting with zero at the top. A server synchronized
to a stratum n server will be running at stratum n + 1. The number represents the distance from
the reference clock and is used to prevent cyclical dependencies in the hierarchy. Stratum is not
always an indication of quality or reliability; it is common to find stratum 3 time sources that are
higher quality than other stratum 2 time sources. Telecommunication systems use a different
definition for clock strata. A brief description of strata 0, 1, 2 and 3 is provided below.
Stratum 0
These are high-precision timekeeping devices such as atomic (cesium, rubidium) clocks, GPS
clocks or other radio clocks. They generate a very accurate pulse per second signal that triggers
an interrupt and timestamp on a connected computer. Stratum 0 devices are also known as
reference clocks.
Stratum 1
These are computers whose system clocks are synchronized to within a few microseconds of their
attached stratum 0 devices. Stratum 1 servers may peer with other stratum 1 servers for sanity
checking and backup. They are also referred to as primary time servers
Stratum 2
These are computers that are synchronized over a network to stratum 1 servers. Often a stratum 2
computer will query several stratum 1 servers. Stratum 2 computers may also peer with other
stratum 2 computers to provide more stable and robust time for all devices in the peer group.
Stratum 3
"Pass Any Exam. Any Time." - www.actualtests.com
77
QUESTION NO: 87
Which statement is true about an NTP server?
A.
It answers using UTC time.
B.
It uses the local time of the server with its time zone indication.
C.
It uses the local time of the server and does not indicate its time zone.
D.
It answers using the time zone of the client.
Answer: A
Explanation:
QUESTION NO: 88
Which statement is true about an SNMPv2 communication?
"Pass Any Exam. Any Time." - www.actualtests.com
78
Answer: A
Explanation:
SNMPv2c messages use different header and protocol data unit (PDU) formats from SNMPv1
messages. SNMPv2c also uses two protocol operations that are not specified in SNMPv1.
Furthermore, RFC 2576 defines two possible SNMPv1/v2c coexistence strategies: proxy agents
and bilingual network-management systems.
QUESTION NO: 89
Which four functionalities are built into the ISE? (Choose four.)
A.
Profiling Server
B.
Profiling Collector
C.
RADIUS AAA for Device Administration
D.
RADIUS AAA for Network Access
E.
TACACS+ for Device Administration
F.
TACACS+ for Network Access
G.
Guest Lifecycle Management
"Pass Any Exam. Any Time." - www.actualtests.com
79
QUESTION NO: 90
Which three routing characteristics are relevant for DMVPN Phase 3? (Choose three.)
A.
Hubs must not preserve the original IP next-hop.
B.
Hubs must preserve the original IP next-hop.
C.
Split-horizon must be turned off for RIP and EIGRP.
D.
Spokes are only routing neighbors with hubs.
E.
Spokes are routing neighbors with hubs and other spokes.
F.
Hubs are routing neighbors with other hubs and must use the same routing protocol as that used
on hub-spoke tunnels.
Answer: A,C,D
Explanation:
QUESTION NO: 91
Using Cisco IOS, which two object-group options will permit networks 10.1.1.0/24 and 10.1.2.0/24
to host 192.168.5.1 port 80 and 443? (Choose 2.)
A.
object-group network SOURCE
 range 10.1.1.0 10.1.2.255
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
 tcp source gt 1024
!
access-list 101 permit object-group HTTP object-group SOURCE object-group DESTINATION
B.
object-group network SOURCE
 10.1.1.0 0.0.0.255
 10.1.2.0 0.0.0.255
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
!
ip access-list extended ACL-NEW
 permit object-group SOURCE object-group DESTINATION object-group HTTP
C.
object-group network SOURCE
 10.1.1.0 255.255.255.0
 10.1.2.0 255.255.255.0
object-group network DESTINATION
 host 192.168.5.1
object-group service HTTP
 tcp eq www
 tcp eq 443
!
ip
Answer: A,D
Explanation:
The configuration needs to permit 10.1.1.0/24 and 10.1.2.0/24 to access host
192.168.5.1 on ports 80 and 443. Options A and D are configured correctly: they
specify 10.1.1.0/24 and 10.1.2.0/24 as the source and 192.168.5.1 as the destination, and
permit the services defined under the object-group service HTTP.
QUESTION NO: 92
Which two statements about the fragmentation of IPsec packets in routers are true? (Choose two.)
A.
By default, the IP packets that need encryption are first encrypted with ESP. If the resulting
encrypted packet exceeds the IP MTU on the egress physical interface, then the encrypted packet
is fragmented and sent out.
B.
By default, the router knows the IPsec overhead to add to the packet. The router performs a
lookup if the packet will exceed the egress physical interface IP MTU after encryption, then
fragments the packet and encrypts the resulting IP fragments separately.
C.
increases CPU utilization on the decrypting device.
D.
increases CPU utilization on the encrypting device.
Answer: B,C
Explanation:
QUESTION NO: 93
crypto gdoi group gdoi_group
identity number 1234
server local
sa receive-only
sa ipsec 1
profile gdoi-p
match address ipv4 120
Which statement about the above configuration is true?
A.
Answer: B
Explanation:
Receive Only SA
For multicast traffic using the GDOI protocol, bidirectional SAs are installed. The Receive Only
feature enables an incremental deployment so that only a few sites can be verified before bringing
up an entire network. To test the sites, one of the group members should send encrypted traffic to
all the other group members and have them decrypt the traffic and forward the traffic in the clear.
Receive Only SA mode allows encryption in only the inbound direction for a period of time. (See
the steps for the Receive Only SA process.) If you configure the sa receive-only command on the
key server, Steps 2 and 3 happen automatically.
This action allows the group members to install SAs in the inbound direction only. Receive-only
SAs can be configured under a crypto group. (See the Configuring the Group ID Server Type and
SA Type section.)
If the sa receive-only command is configured, all TEKs under this group are marked
receive only by the key server when they are sent to the group member.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html
QUESTION NO: 94
class-map nbar_rtp
match protocol rtp payload-type "0, 1, 4 - 0x10, 10001b - 10010b, 64"
The above NBAR configuration matches RTP traffic with which payload types?
Answer: A
Explanation:
Real-time Transport Protocol (RTP) is a packet format for multimedia data streams. It can be used
for media-on-demand and for interactive services such as Internet telephony. RTP consists of a
data part and a control part. The control part is called Real-Time Transport Control Protocol
(RTCP). RTCP is a separate protocol that is supported by NBAR. It is important to note that the
NBAR RTP Payload Type Classification feature does not identify RTCP packets and that RTCP
packets run on odd-numbered ports and RTP packets run on even-numbered ports.
The data part of RTP is a thin protocol that provides support for applications with real-time
properties such as continuous media (audio and video), which includes timing reconstruction, loss
detection, and security and content identification. RTP is discussed in RFC 1889
(A Transport Protocol for Real-Time Applications) and RFC 1890
(RTP Profile for Audio and Video Conferences with Minimal Control).
The RTP payload type is the data transported by RTP in a packet, for example, audio samples or
compressed video data.
The NBAR RTP Payload Type Classification feature not only allows real-time audio and video
traffic to be statefully identified, but can also differentiate on the basis of audio and video codecs to
provide more granular QoS. The RTP Payload Type Classification feature, therefore, does a deep
packet inspection into the RTP header to classify RTP packets.
QUESTION NO: 95
Refer to the exhibit.
According to this DHCP packet header, which field is populated by a DHCP relay agent with its
own IP address before the DHCPDISCOVER message is forwarded to the DHCP server?
A.
ciaddr
B.
yiaddr
C.
siaddr
Answer: D
Explanation:
In order to allow DHCP clients on subnets not directly served by DHCP servers to communicate
with DHCP servers, DHCP relay agents can be installed on these subnets. The DHCP client
broadcasts on the local link; the relay agent receives the broadcast and transmits it to one or more
DHCP servers using unicast. The relay agent stores its own IP address in the GIADDR field of the
DHCP packet. The DHCP server uses the GIADDR to determine the subnet on which the relay
agent received the broadcast, and allocates an IP address on that subnet. When the DHCP server
replies to the client, it sends the reply to the GIADDR address, again using unicast. The relay
agent then retransmits the response on the local network.
QUESTION NO: 96
Which two are valid SMTP commands, according to RFC 821? (Choose two.)
A.
EHLO
B.
HELO
C.
RCPT
D.
AUTH
Answer: B,C
Explanation:
HELLO (HELO)
This command is used to identify the sender-SMTP to the receiver-SMTP. The argument field
contains the host name of the sender-SMTP. The receiver-SMTP identifies itself to the
sender-SMTP in the connection greeting reply, and in the response to this command. This command and
an OK reply to it confirm that both the sender-SMTP and the receiver-SMTP are in the initial state,
that is, there is no transaction in progress and all state tables and buffers are cleared.
QUESTION NO: 97
Which two statements about VTP passwords are true? (Choose two)
A.
The VTP password can only be configured when the switch is in Server mode.
B.
The VTP password is sent in the summary advertisements.
C.
The VTP password is encrypted for confidentiality using 3DES.
D.
VTP is not required to be configured on all switches in the domain.
E.
The VTP password is hashed to preserve authenticity using the MD5 algorithm.
F.
The VTP password can only be configured when the switch is in Client mode.
Answer: B,E
Explanation:
"The general purpose of an MD5 value is to verify the integrity of a received packet and to detect
any changes to the packet or corruption of the packet during transit. When a switch detects a new
revision number that is different from the currently stored value, the switch sends a request
message to the VTP server and requests the VTP subsets. A subset advertisement contains a list
of VLAN information. The switch calculates the MD5 value for the subset advertisements and
QUESTION NO: 98
Which option represents IPv6 address ff02::1?
A.
PIM routers.
B.
RIP routers.
C.
all nodes on the local network.
D.
NTP.
Answer: C
Explanation:
Address   Description
ff02::1   All nodes on the local network segment
ff02::2   All routers on the local network segment
ff02::5   OSPFv3 All SPF routers
ff02::6   OSPFv3 All DR routers
ff02::8
QUESTION NO: 99
Which two statements about IPv6 are true? (Choose two.)
A.
Broadcast is available.
B.
Routing tables are less complicated.
C.
The address pool will eventually deplete.
D.
Data encryption is built into the packet frame.
E.
Increased NAT is required.
F.
Fewer bits make IPv6 easier to configure.
Answer: B,D
Explanation:
In IPv6, IPsec is part of IP itself. It can span packets, since the ESP header is now a part of IP's
header. And because it's integrated with IP, more parts of the IP header can be protected.
Answer: A
Explanation:
IPv6 does not implement traditional IP broadcast, and therefore does not define broadcast
addresses. In IPv6, the same result can be achieved by sending a packet to the link-local all
nodes multicast group which is analogous to IPv4 multicast.
Broadcast addressing as a distinct addressing method is gone in IPv6. Broadcast functionality is
implemented using multicast addressing to groups of devices. A multicast group to which all nodes
belong can be used for broadcasting in a network.
Answer: C
Explanation:
IP addresses are assigned to the computers automatically by an ISP, a network server
(DHCP), or APIPA. If you are not connected to any network, an APIPA IP address is assigned,
which is a private, non-routable IP address for your computer; that is what 169.254.... is
for.
Answer: C
Explanation:
Here, the two network objects have this configuration:
Object network obj-10.10.0.0
Subnet 10.10.0.0 255.255.0.0
This means that we have defined an object 10.10.0.0/16
And another one is,
Object network obj-30.30.30.0
Subnet 30.30.30.0 255.255.255.0
This means that we have defined an object 30.30.30.0/24
Now if you look at the options, you will see that only option C gives an answer with a
combination of /16 and /24.
Answer: A
Explanation:
Here we created a network object and defined a single host in it. We created a rule for that host
stating that when this inside host goes outside, it should be dynamically
NATed to 20.20.20.1.
Answer: C
Explanation:
Type   Code   Description
11            Time Exceeded
Answer: C
Explanation:
This field is an identification field and is primarily used for uniquely identifying the group of
fragments of a single IP datagram.
Answer: C
Explanation:
Here the MTU is set to 1500 and the size of the IP header is 20 B. When you set an MTU, you cannot
exceed it. A packet of larger size is broken into pieces of the specified MTU size and sent across. Here
the MTU is 1500 and the size of the IP header is 20 B, so the first three packets will have a payload size of
1480. We say the first three packets because the size of the PDU is 5200 B, and if we have to
break this packet into packets of a maximum size of 1500 then the calculation would be:
5200 = 1500 + 1500 + 1500 + 700.
Answer: A
Explanation:
Answer: C,D
Explanation:
SNMP uses the UDP port 161 for sending and receiving requests, and port 162 for receiving traps
from managed devices. Every device that implements SNMP must use these port numbers as the
defaults, but some vendors allow you to change the default ports in the agent's configuration. If
these defaults are changed, the NMS must be made aware of the changes so it can query the
device on the correct ports.
Answer: A,D
Explanation:
Set the opCode variable to a new value. This field indicates the type of the question present in the
DNS packet; val can be one of the values QUERY, IQUERY or STATUS.
Answer: C
Explanation:
Answer: B,D,F
Explanation:
CoPP does not support non-IP classes except for the default non-IP class. ACLs can be used
instead of non-IP classes to drop non-IP traffic, and the default non-IP CoPP class can be used to
limit to non-IP traffic that reaches the RP CPU.
In PFC3A mode, egress QoS and CoPP cannot be configured at the same time. A warning
message is displayed to inform you that egress QoS and CoPP cannot be configured at the same
time.
You must ensure that the CoPP policy does not filter critical traffic such as routing protocols or
interactive access to the switches. Filtering this traffic could prevent remote access to the
switch, requiring a console connection.
The PFC3 supports built-in special-case rate limiters, which are useful for situations where an ACL
Neither egress CoPP nor silent mode is supported. CoPP is only supported on ingress (service-policy output CoPP cannot be applied to the control plane interface).
ACE hit counters in hardware are only for ACL logic. You can rely on software ACE hit counters
and the show access-list, show policy-map control-plane, and show mls ip qos commands to
troubleshoot and evaluate CPU traffic.
Answer: C
Explanation:
Answer: C
Explanation:
A big advantage of the Flexible NetFlow concept is that the user can define the flow. The user-defined flow records and the component structure of Flexible NetFlow make it easy for you to
create various configurations for traffic analysis and data export on a networking device with a
minimum number of configuration commands.
Answer: C
Explanation:
The traffic storm control threshold numbers and the time interval combination make the traffic
storm control algorithm work with different levels of granularity. A higher threshold allows more
packets to pass through. Traffic storm control is implemented in hardware. The traffic storm control
circuitry monitors packets passing from a LAN interface to the switching bus. Using the
Individual/Group bit in the packet destination address, the traffic storm control circuitry determines
if the packet is unicast or broadcast, keeps track of the current count of packets within the 1-second interval and when the threshold is reached, traffic storm control filters out subsequent
packets.
References: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/storm.pdf
If SW4 is sending superior BPDUs, where should the root guard feature be configured to preserve
SW3 as a root bridge?
A.
SW4 Gi0/0 interface.
B.
Sw3 Gi0/0 interface.
C.
Sw2 Gi0/1 interface.
D.
SW2 Gi0/1 and SW3 Gi0/1
Answer: C
Explanation:
Root guard is a feature that can be used to influence which switches are eligible to become the
root bridge. Although priorities are used to determine who becomes the root bridge, they provide
no mechanism to determine who is eligible to become the root bridge. There is nothing to stop a
new switch being introduced to the network with a lower bridge ID, which allows it to become the
root bridge. The introduction of this new switch can affect the network, as new paths may be
formed that are not ideal for the traffic flows of the network. The figure demonstrates why you might
need to configure root guard.
[Figure: Switch-C]
Answer: B,D,F
Explanation:
The tunnel protection ipsec profile Hub-Spoke command validates option B as well as F, which say
that the tunnel encapsulates multicast traffic and provides data confidentiality.
Answer: D
Explanation:
include - Adds a command or an interface to the view and allows the same command or interface
to be added to an additional view.
include-exclusive - Adds a command or an interface to the view and excludes the same command
or interface from being added to all other views.
exclude - Excludes a command or an interface from the view; that is, customers cannot access a
command or an interface.
all - A "wildcard" that allows every command in a specified configuration mode that begins with the
same keyword or every subinterface for a specified interface to be part of the view.
Answer: C
Explanation:
In tunnel mode, AH authenticates the entire original header and builds a new IP header that is
placed at the front of the packet. The only fields not authenticated by AH in tunnel mode are those fields
in the new IP header that can change in transit.
Answer: C
Explanation:
The Out-of-Band Server Types appear in the dropdown menu when you apply an OOB-enabled
license to a Cisco NAC Appliance deployment. For OOB, the CAS operates as a Virtual or Real-IP
Gateway while client traffic is In-Band (in the Cisco NAC Appliance network) during authentication
and certification. Once clients are authenticated and certified, they are considered out-of-band
(no longer passing through the Cisco NAC Appliance network) and allowed directly onto the
trusted network. Choose one of the following operating modes for the CAS:
Answer: C,F
Explanation:
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The
switch performs these activities:
Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet to the appropriate destination
Answer: C
Explanation:
To control how many prefixes can be received from a neighbor, use the neighbor maximum-prefix
command in router configuration mode. To disable this function, use the no form of this
command.
neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] [warning-only]
no neighbor {ip-address | peer-group-name} maximum-prefix maximum
Answer: A,D
Explanation:
The addition of authentication to your routers' EIGRP messages ensures that your routers only
accept routing messages from other routers that know the same pre-shared key. Without this
authentication configured, if someone introduces another router with different or conflicting route
information on to the network, the routing tables on your routers could become corrupt and a
denial of service attack could ensue. Thus, when you add authentication to the EIGRP messages
sent between your routers, it prevents someone from purposely or accidentally adding another
router to the network and causing a problem.
References: http://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/82110-eigrp-authentication.html
Answer: C
Answer: C
Explanation:
This field is an identification field and is primarily used for uniquely identifying the group of
fragments of a single IP datagram.
Answer: C
Explanation:
Answer: C
Explanation:
Answer: C
Explanation:
Address   Description
ff02::1   All nodes on the local network segment
ff02::2   All routers on the local network segment
ff02::5   OSPFv3 All SPF routers
ff02::6
Answer: A
Explanation:
Virtual LANs (VLANs) offer a method of dividing one physical network into multiple broadcast
domains. However, VLAN-enabled switches cannot, by themselves, forward traffic across VLAN
boundaries. For inter-VLAN communication, a Layer 3 router is required.
Answer: B,F
Explanation:
Answer: A
Explanation:
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
Higher group numbers are more secure, but require additional time to compute the key. They
become part of the authentication procedure but they never provide authentication.
Answer: B
Explanation:
Answer: A,E,F
Explanation:
Server administrators choose whether clients use TCP port 25 (SMTP) or port 587
(Submission) for relaying outbound mail to an initial mail server. The specifications and many
servers support both. Although some servers support port 465 for legacy secure SMTP in violation
of the specifications, it is preferable to use standard ports and standard ESMTP commands if a
secure session needs to be used between the client and the server.
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data
encryption and authentication between applications and servers in scenarios where that data is
being sent across an insecure network, such as checking your email. The terms SSL and TLS are
often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the
predecessor of the other: SSL 3.0 served as the basis for TLS 1.0 which, as a result, is
sometimes referred to as SSL 3.1.
Answer: D
Explanation:
Set the opCode variable to a new value. This field indicates the type of the question present in the
DNS packet; val can be one of the values QUERY, IQUERY or STATUS.
STATUS is used to query the nameserver for its status.
Answer: B
Explanation:
The infrastructure ACL is the first line of defence between one's network and the outside world. It
is not meant to be the only defence, but well-maintained infrastructure ACLs can help to protect
your network from seeing or carrying unnecessary traffic, or prevent your network from originating
malicious traffic (such as spoofed packets, where the source address of a customer's traffic is
from an allocation that is not your own).
Answer: B
Explanation:
ICMP Fields:
Type
11
Answer: C,D,F
Explanation:
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in
a trusted database, the DHCP snooping binding database. This database is built by DHCP
snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is
received on a trusted interface, the switch forwards the packet without any checks. On untrusted
interfaces, the switch forwards the packet only if it is valid.
DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts
with statically configured IP addresses, i.e. manually configured.
Answer: E
Explanation:
PVLANs provide layer 2 isolation between ports within the same broadcast domain. There are
three types of PVLAN ports:
Answer: C
Explanation:
Here the MTU is set to 1500 and the size of the IP header is 20 B. When you set an MTU, you cannot
exceed it. A packet of larger size is broken into pieces of the specified MTU size and sent across. Here
the MTU is 1500 and the size of the IP header is 20 B, so the first three packets will have a payload size of
1480. We say the first three packets because the size of the PDU is 5200 B, and if we have to
break this packet into packets of a maximum size of 1500 then the calculation would be:
5200 = 1500 + 1500 + 1500 + 700.
Answer: C
Explanation:
Here, the two network objects have this configuration:
Object network obj-10.10.0.0
Subnet 10.10.0.0 255.255.0.0
This means that we have defined an object 10.10.0.0/16
And another one is,
Object network obj-30.30.30.0
Subnet 30.30.30.0 255.255.255.0
This means that we have defined an object 30.30.30.0/24
Now if you look at the options, you will see that only option C gives an answer with a
combination of /16 and /24.
Answer: D
Explanation:
Answer: C
Explanation:
The command that needs focus here is:
Object network n2
Nat (inside,outside) dynamic n1
The highlighted command is a subcommand of object network n2, i.e. this command is only
applicable to n2. When you configure anything within an object network, it is significant only
for that object. Here it says that when hosts in 172.16.2.0/24 go outside, they will be
translated to the IP address specified in the object group n1.
Answer: A,C
Explanation:
The CredSSP Protocol then uses the Simple and Protected Generic Security Service Application
Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions to negotiate a Generic
Security Services (GSS) mechanism that performs mutual authentication and GSS confidentiality
services to securely bind to the TLS channel and encrypt the credentials for the target server.
It's not a necessity to require Network Level Authentication, but doing so makes your computer
more secure by protecting you from Man in the Middle attacks. Systems even as old as Windows
XP can connect to hosts with Network Level Authentication, so there's no reason not to use it.
Answer: A
Explanation:
It configures the flow record map name for IPv4, IPv6, or MPLS. Use the ipv4-ipv6-fields keyword to
collect IPv4 and IPv6 fields in an MPLS-aware NetFlow.
Answer: A
The source interface is used to set the source IP address of the NetFlow exports sent by the
router. Scrutinizer may send SNMP requests to the router using this address. Use the command
below if you experience problems. You can set the source interface to an Ethernet or WAN
interface instead of the loopback.
Answer: B,C
Explanation:
Configuring the Hierarchical Priority Queuing Policy
You can optionally configure priority queuing for a subset of latency-sensitive traffic.
Guidelines
One side-effect of priority queuing is packet re-ordering. For IPsec packets, out-of-order packets
that are not within the anti-replay window generate warning syslog messages. These warnings are
false alarms in the case of priority queuing. You can configure the IPsec anti-replay window size to
For hierarchical priority queuing, you do not need to create a priority queue on an interface.
Restrictions
For hierarchical priority queuing, for encrypted VPN traffic, you can only match traffic based on the
DSCP or precedence setting; you cannot match a tunnel group.
Answer: A,B
Explanation:
There are two types of MAC authentication that are supported on WLCs:
With local MAC authentication, user MAC addresses are stored in a database on the WLC. When
a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is
Answer: A,B,C
Explanation:
Client MFP Components
Client MFP consists of these components:
Key Generation and Distribution
Client MFP does not use the key generation and distribution mechanisms that were derived for
Infrastructure MFP. Instead, client MFP leverages the security mechanisms defined by IEEE
802.11i to also protect class 3 unicast management frames. Stations must support CCXv5 and
must negotiate either TKIP or AES-CCMP to use client MFP. EAP or PSK can be used to obtain
the PMK.
Protection of Management Frames
Unicast class 3 management frames are protected with the application of either AES-CCMP or
TKIP in a similar manner to that already used for data frames. Parts of the frame header are
copied into the encrypted payload component of each frame for added protection, as discussed in
the next sections.
Answer: A,B
Explanation:
An authenticated bind is performed when a root distinguished name (DN) and password are
available. In the absence of a root DN and password, an anonymous bind is performed. In LDAP
deployments, the search operation is performed first and the bind operation later. This is because,
if a password attribute is returned as part of the search operation, the password verification can be
done locally on an LDAP client. Thus, there is no need to perform an extra bind operation. If a
password attribute is not returned, the bind operation can be performed later. Another advantage
of performing a search operation first and a bind operation later is that the DN received in the
Answer: A,B
Explanation:
The trick of a BGP Confederation is to divide an AS into multiple ASs and assign the whole group
to a single confederation. Each AS alone has iBGP fully meshed. To the outside world, the
confederation appears to be a single AS.
A route reflector (RR) is a network routing component. It offers an alternative to the logical full-mesh
requirement of internal border gateway protocol (IBGP). A RR acts as a local point for IBGP
sessions. The purpose of the RR is concentration.
Answer: A,B,C
Explanation:
Open Shortest Path First (OSPF) authentication allows the flexibility to authenticate OSPF
neighbors. You can enable authentication in OSPF in order to exchange routing update
information in a secure manner. OSPF authentication can either be none (or null), simple, or MD5.
The authentication method "none" means that no authentication is used for OSPF and it is the
default method. With simple authentication, the password goes in clear-text over the network. With
MD5 authentication, the password does not pass over the network. MD5 is a message-digest
algorithm specified in RFC 1321. MD5 is considered the most secure OSPF authentication mode.
When you configure authentication, you must configure an entire area with the same type of
authentication. Starting with Cisco IOS Software Release 12.0(8), authentication is supported on
a per-interface basis.
References: http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/13697-25.html
Answer: A,B,C
Explanation:
Rekeying Procedure
The following three-step procedure SHOULD be provided to rekey the routers on a link without
dropping OSPFv3 protocol packets or disrupting the adjacency.
(1) For every router on the link, create an additional inbound SA for the interface being rekeyed
using a new SPI and the new key.
(2) For every router on the link, replace the original outbound SA with one using the new SPI and
key values. The SA replacement operation should be atomic with respect to sending OSPFv3
packets on the link so that no OSPFv3 packets are sent without authentication/encryption.
(3) For every router on the link, remove the original inbound SA.
Note that all routers on the link must complete step 1 before any begin step 2. Likewise, all the
routers on the link must complete step 2 before any begin step 3.
One way to control the progression from one step to the next is for each router to have a
configurable time constant KeyRolloverInterval. After the router begins step 1 on a given link, it
waits for this interval and then moves to step 2. Likewise, after moving to step 2, it waits for this
interval and then moves to step 3.
Answer: B
Explanation:
This forces the neighbor session to tear down when the BGP routes learned from the neighbor
exceed 10.
Answer: C,D,F
Explanation:
The client/server packet exchange consists primarily of the following types of RADIUS messages:
Answer: A,C,D
Explanation:
Message authentication code (MAC) is used for data integrity. HMAC is used for CBC mode of
block ciphers and stream ciphers. AEAD is used for Authenticated encryption such as GCM mode
and CCM mode. TLS/SSL uses public key encryption to authenticate the server to the client and,
optionally, the client to the server. Public key cryptography is also used to establish a session key.
The session key is used in symmetric algorithms to encrypt the bulk of the data with the faster,
less processor-intensive symmetric key encryption. SSL 3.0 improved upon SSL 2.0 by adding
SHA-1-based ciphers and support for certificate authentication.
From a security standpoint, SSL 3.0 should be considered less desirable than TLS 1.0. The SSL
3.0 cipher suites have a weaker key derivation process; half of the master key that is established
is fully dependent on the MD5 hash function, which is not resistant to collisions and is, therefore,
not considered secure. Under TLS 1.0, the master key that is established depends on both MD5
and SHA-1 so its derivation process is not currently considered weak. It is for this reason that SSL
3.0 implementations cannot be validated under FIPS 140-2.
Answer: A,C,D
Explanation:
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides
origin authenticity, integrity and confidentiality protection of packets. ESP also supports
encryption-only and authentication-only configurations, but using encryption without authentication
is strongly discouraged because it is insecure. Unlike Authentication Header (AH), ESP in
transport mode does not provide integrity and authentication for the entire IP packet. However, in
Tunnel Mode, where the entire original IP packet is encapsulated with a new packet header
added, ESP protection is afforded to the whole inner IP packet (including the inner header) while
the outer header (including any outer IPv4 options or IPv6 extension headers) remains
unprotected. ESP operates directly on top of IP, using IP protocol number 50.
Answer: B,C,E
Explanation:
Answer: A,B
The ISAKMP parameters are applied at the ISAKMP profile level. The ISAKMP profile can
uniquely identify devices through its concept of match identity criteria. These criteria are based on
the IKE identity that is presented by incoming IKE connections and include IP address, FQDN,
and group (the VPN remote client grouping).
group group-name: matches the group-name with the ID type ID_KEY_ID. It also matches the
group-name with the Organizational Unit (OU) field of the Distinguished Name (DN). Example:
match identity group vpngroup.
Answer: A,D
Explanation:
802.1X provides rogue access point detection by retrieving information from the controller. The
rogue access point table is populated with any detected BSSID addresses from any frames that
are not present in the neighbor list. A neighbor list contains the known BSSID addresses of
validated APs or neighbors.
To determine whether rogue AP clients are also clients on the enterprise WLAN, the client MAC
address can be compared with MAC addresses collected by the AAA during 802.1X
authentication. This allows for the identification of potential WLAN clients that might have been
compromised or users who are not following security policies.
Answer: A
Explanation:
Answer: D
Explanation:
Extensible Authentication Protocol (EAP) over LAN (EAPoL) is a network port authentication
protocol used in IEEE 802.1X (Port Based Network Access Control) developed to give a generic
network sign-on to access network resources. EAPoL, similar to EAP, is a simple encapsulation
that can run over any LAN. The same three main components are defined in EAP and EAPoL to
accomplish the authentication conversation:
References: :http://www.vocal.com/secure-communication/eapol-extensible-authenticationprotocol-over-lan/
Answer: A,D
Explanation:
AES has been adopted by the U.S. government and is now used worldwide. It supersedes the
Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES
Answer: A,B
Explanation:
Mutual EAP authentication: support for EAP-only (i.e., certificate-less) authentication of both of the
IKE peers; the goal is to allow for modern password-based authentication methods to be used
(RFC 5998). NAT traversal: The encapsulation of IKE and ESP in UDP port 4500 enables these
protocols to pass through a device or firewall performing NAT.
Answer: A
Explanation:
Securing the Domain Name System is integral to the security of the Internet infrastructure as a whole.
When properly maintained, DNSSEC-signed zones add origin authentication and integrity to DNS data,
so forged or spoofed responses injected by a man-in-the-middle are rejected instead of accepted. Any
customer using a DNSSEC-validating resolver is therefore not at risk from DNS spoofing of your zone.
Customers whose resolvers are not DNSSEC-aware see no adverse effect: they won't get the protection,
but they'll continue to resolve your domain name just as they always have. Note that DNSSEC does not
encrypt queries or responses, so it provides no confidentiality. The more domain names that use
DNSSEC, the more websites and email addresses are protected on the Internet.
References: :https://www.menandmice.com/resources/articles/dnssec/
Answer: C
Explanation:
The SSL Record Protocol provides two services for SSL connections: confidentiality, by encrypting
application data; and message integrity, by using a message authentication code (MAC). The
Record Protocol is a base protocol that can be utilized by some of the upper-layer protocols of
SSL. One of these is the handshake protocol which, as described later, is used to exchange the
encryption and authentication keys. It is vital that this key exchange be invisible to anyone who
may be watching this session.
Figure 1 indicates the overall operation of the SSL Record Protocol. The Record Protocol takes an
application message to be transmitted, fragments the data into manageable blocks, optionally
compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in
a TCP segment. Received data is decrypted, verified, decompressed, and reassembled and then
delivered to the calling application, such as the browser.
Figure 1: SSL Record Protocol Operation
The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes
(16,384 bytes) or less. Next, compression is optionally applied. In SSLv3 (as well as TLS 1.0 through
1.2), no compression algorithm is specified, so the default compression algorithm is
null. However, specific implementations may include a compression algorithm. TLS-level compression
has since been shown to leak secrets (the CRIME attack) and is removed entirely in TLS 1.3.
The next step in processing is to compute a message authentication code over the compressed
data. For this purpose, a shared secret key is used. In essence, the hash code (for example, MD5)
is calculated over a combination of the message, a secret key, and some padding; SSLv3 uses this
ad hoc keyed-hash construction, whereas TLS 1.0 replaced it with HMAC (RFC 2104). The receiver
performs the same calculation and compares the incoming MAC value with the value it computes.
If the two values match, the receiver is assured that the message has not been altered in transit.
An attacker would not be able to alter both the message and the MAC, because the attacker does
not know the secret key needed to generate the MAC.
Next, the compressed message plus the MAC are encrypted using symmetric encryption. A variety
of encryption algorithms may be used, including the Data Encryption Standard (DES) and triple
DES. The final step of SSL Record Protocol processing is to prepend a header, consisting of the
following fields:
Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.
Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3.
Compressed Length (16 bits): The length in bytes of the plain-text fragment (or compressed
fragment if compression is used).
The content types that have been defined are change_cipher_spec, alert, handshake, and
application_data. The first three are the SSL-specific protocols, mentioned previously. The
application-data type refers to the payload from any application that would normally use TCP but is
now using SSL, which in turn uses TCP. In particular, the HTTP protocol that is used for Web
transactions falls into the application-data category. A message from HTTP is passed down to
SSL, which then wraps this message into an SSL record.
References: :http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html.
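The record-layer pipeline described above, as an added example that is not part of the cited Cisco IPJ article: an upper-layer message is fragmented into records of at most 2^14 bytes, a MAC is computed over the sequence number, content type, version, length and fragment, and a 5-byte header (content type, major version, minor version, length) is prepended. The MAC is the TLS 1.0 HMAC-SHA1 form rather than SSLv3's older construction, compression is the null algorithm, and the encryption step is left out (null cipher) so that the framing and the integrity check can be read on their own; the key and message are constructed for the example.

```python
import hmac
import hashlib
import struct

# Added example: SSL/TLS record framing with the MAC step. Encryption is the
# null cipher here so the framing and MAC verification are visible in isolation.
MAX_FRAGMENT = 2 ** 14      # 16,384 bytes per record
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
APPLICATION_DATA = 23
VERSION = (3, 1)            # TLS 1.0 on the wire; SSLv3 would be (3, 0)
MAC_LEN = 20                # SHA-1 output length


def record_mac(mac_key, seq_num, content_type, fragment):
    """TLS 1.0 record MAC: HMAC(key, seq_num(8) || type(1) || version(2) || length(2) || fragment)."""
    header = struct.pack("!QBBBH", seq_num, content_type, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def build_records(mac_key, message, content_type=APPLICATION_DATA, seq_num=0):
    """Fragment a message into records of at most 2^14 bytes, MAC each fragment
    and prepend the 5-byte record header. Returns (wire_bytes, next_seq_num)."""
    out = bytearray()
    for off in range(0, len(message), MAX_FRAGMENT):
        fragment = message[off:off + MAX_FRAGMENT]          # null compression
        body = fragment + record_mac(mac_key, seq_num, content_type, fragment)
        # header: content type (8 bits), major (8 bits), minor (8 bits), length (16 bits)
        out += struct.pack("!BBBH", content_type, VERSION[0], VERSION[1], len(body)) + body
        seq_num += 1
    return bytes(out), seq_num


def parse_records(mac_key, wire, seq_num=0):
    """Walk the record stream, verify every MAC and return [(type_name, fragment)].
    Raises ValueError on a truncated record or a bad MAC."""
    fragments = []
    pos = 0
    while pos < len(wire):
        if pos + 5 > len(wire):
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", wire[pos:pos + 5])
        pos += 5
        if pos + length > len(wire):
            raise ValueError("truncated record body")
        body = wire[pos:pos + length]
        pos += length
        if len(body) < MAC_LEN or (major, minor) != VERSION:
            raise ValueError("malformed record")
        fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(mac_key, seq_num, ctype, fragment)
        if not hmac.compare_digest(mac, expected):       # constant-time comparison
            raise ValueError("bad_record_mac at seq %d" % seq_num)
        fragments.append((CONTENT_TYPES.get(ctype, "unknown"), fragment))
        seq_num += 1
    return fragments


def reassemble(mac_key, wire):
    """Verify the records and concatenate the fragments back into the message."""
    return b"".join(fragment for _, fragment in parse_records(mac_key, wire))


def tamper_detected(mac_key, wire, offset, xor_byte=0x01):
    """XOR one byte of the record stream and report whether the receiver rejects it."""
    forged = bytearray(wire)
    forged[offset] ^= xor_byte
    try:
        parse_records(mac_key, bytes(forged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = b"constructed-mac-key"
    msg = b"GET / HTTP/1.1\r\n" * 1500          # 24,000 bytes -> two records
    wire, _ = build_records(key, msg)
    print(len(wire), reassemble(key, wire) == msg, tamper_detected(key, wire, 5))
```

Because the sequence number is part of the MAC input, a record that is replayed or reordered fails verification just as a modified one does; flipping a bit in the header, the fragment or the MAC itself all produce the same bad_record_mac result.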
Answer: B,C,D
Explanation:
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP,
is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport
Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a
protected communication channel, such as that provided by physical security, so facilities for
protection of the EAP conversation were not provided.
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems
as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while
preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST.
EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client
credentials are verified.
EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. It was
co-developed by Funk Software and Certicom and is widely supported across platforms. Microsoft
did not incorporate native support for the EAP-TTLS protocol in Windows XP, Vista, or 7.
Supporting TTLS on these platforms requires third-party ECP (Encryption Control Protocol)
certified software.
References: :http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol.
Answer: B,E,F
Explanation:
The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network
services over an insecure network. RFC 4252 describes the SSH authentication protocol
framework and the public key, password, and host-based client authentication methods. The SSH
authentication protocol runs on top of the SSH transport layer protocol and provides a single
authenticated tunnel for the SSH connection protocol.
References: :https://www.ietf.org/rfc/rfc4252.txt
Answer: C,E
Explanation:
Answer: B
Explanation:
Subscriber management or DHCP management enables you to specify that DHCP local server
assign a particular address to a client. For example, if a client is disconnected, you might use this
Answer: A,E
Explanation:
An authoritative server indicates its status of supplying definitive answers, deemed authoritative, by
setting a software flag (a protocol structure bit), called the Authoritative Answer (AA) bit, in its
responses. This flag is usually reproduced prominently in the output of DNS administration query
tools (such as dig) to indicate that the responding name server is an authority for the domain name
in question.
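An added example (not from the quoted explanations) that decodes the 12-byte DNS header so the AA bit described above, and the AD (Authenticated Data) bit that a DNSSEC-validating resolver sets for the DNSSEC passage earlier on this page, can be read the way dig's "flags:" line shows them. The response messages are constructed here; the name, address and transaction ID are example values.

```python
import struct

# Added example: DNS header flag decoding (RFC 1035 s4.1.1; AD/CD bits from RFC 4035)
# plus a constructed A-record response to exercise it.
QTYPE_A, QCLASS_IN = 1, 1


def parse_dns_header(packet):
    """Return the header counts and flag bits of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),      # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),      # Authoritative Answer
        "tc": bool(flags & 0x0200),      # TrunCation
        "rd": bool(flags & 0x0100),      # Recursion Desired
        "ra": bool(flags & 0x0080),      # Recursion Available
        "ad": bool(flags & 0x0020),      # Authenticated Data (DNSSEC-validated by the resolver)
        "cd": bool(flags & 0x0010),      # Checking Disabled
        "rcode": flags & 0x000F,
        "qdcount": qdcount, "ancount": ancount, "nscount": nscount, "arcount": arcount,
    }


def dig_flags(header):
    """Render the set flag bits in dig's order, e.g. 'qr aa rd' or 'qr rd ra ad'."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra", "ad", "cd") if header[f])


def encode_name(name):
    """Dotted name -> DNS label sequence terminated by a zero-length label."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_a_response(ident, qname, address, authoritative, validated=False, ttl=300):
    """Construct a one-answer A response. An authoritative server sets AA; a recursive
    resolver answering from cache sets RA instead, and AD when it validated the data."""
    flags = 0x8000 | 0x0100                      # QR set, RD copied from the query
    if authoritative:
        flags |= 0x0400                          # AA
    else:
        flags |= 0x0080                          # RA
        if validated:
            flags |= 0x0020                      # AD
    header = struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in address.split("."))
    # owner name is a compression pointer (0xC00C) to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    auth = build_a_response(0x1234, "example.com.", "93.184.216.34", authoritative=True)
    print("flags:", dig_flags(parse_dns_header(auth)))       # flags: qr aa rd
```

When triaging a suspected spoofing or poisoning incident, the AA bit tells you whether the answer came from a server claiming authority for the zone, while AD tells you whether a validating resolver actually checked the DNSSEC chain; neither bit is itself protected, so only AD from a resolver you trust over a trusted path means anything.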
Answer: A,C,F
Explanation:
Answer: A
Explanation:
Answer: D
Explanation:
The Common Criteria for Information Technology Security Evaluation (abbreviated as Common
Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification.
Common Criteria is a framework in which computer system users can specify their
security functional and assurance requirements (SFRs and SARs respectively) through the use of
Protection Profiles (PPs), vendors can then implement and/or make claims about the security
attributes of their products, and testing laboratories can evaluate the products to determine if they
actually meet the claims. In other words, Common Criteria provides assurance that the process of
specification, implementation and evaluation of a computer security product has been conducted
in a rigorous, standard and repeatable manner at a level that is commensurate with the target
environment for use.
Common Criteria is used as the basis for a government-driven certification scheme, and typically
evaluations are conducted for the use of federal government agencies and critical infrastructure.
Ref:http://en.wikipedia.org/wiki/Common_Criteria.
Answer: C
Explanation:
Although IPsec provides a secure method for tunnelling data across an IP network, it has limitations. IPsec
does not support IP broadcast or IP multicast, which prevents the use of protocols that rely on these
features, such as routing protocols. IPsec also does not support multiprotocol traffic.
Generic Routing Encapsulation (GRE) is a protocol that can be used to "carry" other passenger
protocols, such as IP broadcast or IP multicast, as well as non-IP protocols. The usual design is
therefore GRE over IPsec: routing protocols and multicast ride inside the GRE tunnel, and the GRE
packets themselves are protected by IPsec.
References: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE_IPSec/2_p2pGRE_Phase2.html
Answer: A,C,E
Explanation:
Answer: A,C
Explanation:
References: http://en.wikipedia.org/wiki/SHA-1
Answer: A,C,D
Explanation:
A.
LDAP uses UDP port 389 by default.
B.
LDAP is defined in terms of ASN.1 and transmitted using BER.
C.
LDAP is used for accessing X.500 directory services.
D.
An LDAP directory entry is uniquely identified by its DN.
E.
A secure connection via TLS is established via the UseTLS operation.
Answer: B,C,D
LDAP provides access to distributed directory services that act in accordance with X.500 data and
service models. Its protocol elements are based on those described in the X.500 Directory
Access Protocol (DAP).
The encoding rules for converting data types into bits and bytes are called the transfer
syntax. Basic Encoding Rules (BER) is the transfer syntax used by both SNMP and LDAP. BER uses the
concept of an identifier: a unique code assigned to every data type, which acts as the tag for
that data type.
Answer: C,D,E
Explanation:
The BEAST attack [BEAST] uses issues with the TLS 1.0 implementation of Cipher Block Chaining
(CBC), namely the predictable initialization vector (each record's IV is the last ciphertext block of the
previous record), to decrypt parts of a packet, and specifically to decrypt HTTP cookies when HTTP is
run over TLS. TLS 1.1 and later use an explicit, per-record IV, which removes this weakness.
Answer: D
Explanation:
TFTP is a network protocol used to transfer files between remote machines. It is a simple version
of FTP, lacking some of the more advanced features FTP offers, but requiring fewer resources than
FTP.
Because of its simplicity, TFTP can be used only to send and receive files. It uses UDP port 69 for
communication. Because of these limitations TFTP is not widely used today, but it is still used to save
and restore a router configuration or to back up an IOS image. TFTP does not support user
authentication and sends all data in clear text, so it should be confined to a trusted management
network.
Answer: A,B,E
Explanation:
Chunked transfer encoding is a data transfer mechanism in version 1.1 of the Hypertext Transfer
Protocol (HTTP) in which data is sent in a series of "chunks". It uses the Transfer-Encoding HTTP
header in place of the Content-Length header, which the earlier version of the protocol would
otherwise require. Because the Content-Length header is not used, the sender does not need to
know the length of the content before it starts transmitting a response to the receiver. Senders can
begin transmitting dynamically generated content before knowing the total size of that content.
The size of each chunk is sent right before the chunk itself so that the receiver can tell when it has
finished receiving data for that chunk. The data transfer is terminated by a final chunk of length
zero.
HTTP requests and responses can be pipelined on a connection. Pipelining allows a client to
make multiple requests without waiting for each response, allowing a single TCP connection to be
used much more efficiently, with much lower elapsed time.
HTTP/1.1 phased out support for keep-alive connections, replacing them with an improved design
called persistent connections. The goals of persistent connections are the same as those of keep-alive
connections, but the mechanisms behave better.
Answer: A
Explanation:
To display the operational status and configuration parameters for Secure Socket Layer (SSL)
virtual private network (VPN) context configurations, use the show webvpn context command in
privileged EXEC mode. The VPN1 context shows both the admin status (AS) and the operational status
(OS) as down, so VPN1 is not in service.
Answer: A,B,E,F
Explanation:
The management plane is the logical path of all traffic related to the management of a routing
platform. One of three planes in a communication architecture that is structured in layers and
planes, the management plane performs management functions for a network and coordinates
functions among all the planes (management, control, data). The management plane also is used
to manage a device through its connection to the network.
Examples of protocols processed in the management plane are Simple Network Management
Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols
are used for monitoring and for CLI access. Restricting access to devices to internal sources
(trusted networks) is critical.
References: :http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html
Answer: A,C,D
Explanation:
Three definitive response indicators for use in the certificate status value are:
Clients that request OCSP services SHALL be capable of processing responses signed using DSA
keys identified by the DSA sig-alg-oid specified in section 7.2.2 of [RFC2459]. Clients SHOULD
also be capable of processing RSA signatures. OCSP responders SHALL support the SHA-1
hashing algorithm. (RFC 2560 has since been obsoleted by RFC 6960.)
References: https://www.ietf.org/rfc/rfc2560.txt
Answer: A
Stateful autoconfiguration is the IPv6 equivalent of DHCP. A new protocol, called DHCPv6 (and
based closely on DHCP), is used to pass out addressing and service information in the same way
that DHCP is used in IPv4. This is called "stateful" because the DHCP server and the client must
both maintain state information to keep addresses from conflicting, to handle leases, and to renew
addresses over time.
Our network does not use DHCPv6. The DHCPv6 protocol is not yet standardized, although there
are several drafts available, including "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"
(by J. Bound and C. Perkins) and "Extensions for DHCPv6" (by C. Perkins), which are expected to
move to proposed standard status shortly. (DHCPv6 was subsequently standardized in RFC 3315,
now superseded by RFC 8415.)
References: :http://www.opus1.com/ipv6/whatisautoconfiguration.html
Answer: B,C
Explanation:
Each syslog UDP datagram MUST contain only one syslog message, which may be complete or
truncated. The message MUST be formatted and truncated according to RFC 5424. Additional
Answer: A
Explanation:
DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key
size being too small; in January 1999, distributed.net and the Electronic Frontier Foundation
collaborated to publicly break a DES key in 22 hours and 15 minutes. There are
also some analytical results which demonstrate theoretical weaknesses in the cipher, although
they are infeasible to mount in practice. The algorithm is believed to be practically secure in the
form of Triple DES, although there are theoretical attacks, and NIST has since deprecated Triple DES
as well (SP 800-131A), disallowing it for encryption after 2023. The cipher has been
superseded by the Advanced Encryption Standard (AES). Furthermore, DES has been withdrawn
as a standard by the National Institute of Standards and Technology (formerly the National Bureau
of Standards).
References: :http://en.wikipedia.org/wiki/Data_Encryption_Standard
Answer: A
Explanation:
In order to decide what protection is to be provided for an outgoing packet, IPsec uses the
Security Parameter Index (SPI), an index to the security association database (SADB), along with
the destination address in a packet header, which together uniquely identify a security association
for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers
decryption and verification keys from the security association database.
References: :http://en.wikipedia.org/wiki/IPsec
Answer: A
Explanation:
Authentication Header (AH) provides authentication and integrity to the datagrams passed
between two systems.
It achieves this by applying a keyed one-way hash function to the datagram to create a message
digest. If any part of the datagram is changed during transit, the receiver detects it when it
performs the same one-way hash function on the datagram and compares the result with the
message digest that the sender supplied. The one-way hash also involves the use of a secret
shared between the two systems, which means that authenticity can be guaranteed.
References: :http://www.ciscopress.com/articles/article.asp?p=24833&seqNum=3
Answer: A
GDOI uses User Datagram Protocol (UDP) 848 to establish its IKE sessions between the key
server and the group members. Upon receiving a registration request, the key server
authenticates the router, performs an optional authorization check, and downloads the policy and
keys to the group member. The group member is ready to use these encryption keys. The key
server pushes new keys to the group (also known as rekeying the group) whenever needed,
similar to SA expiration. The key server can host multiple groups and each group will have a
different group key.
References: :http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/getvpn-solutionmanaged-services/prod_white_paper0900aecd804c363f.html
Answer: A
Explanation:
ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay
service (a form of partial sequence integrity), and limited traffic flow confidentiality. The set
of services provided depends on options selected at the time of Security Association
establishment and on the placement of the implementation. Confidentiality may be selected
independent of all other services. However, use of confidentiality without integrity/authentication
(either in ESP or separately in AH) may subject traffic to certain forms of active attacks that could
undermine the confidentiality service.
Answer: C,D,F
Explanation:
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP: it is a
connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires
additional programmable variables such as retransmit attempts and time-outs to compensate for
best-effort transport, but it lacks the level of built-in support that a TCP transport offers.
RADIUS encrypts only the password in the access-request packet; TACACS+ encrypts the entire
body of the packet, leaving only the standard TACACS+ header in the clear.
RADIUS combines authentication and authorization. The access-accept packets sent by the
RADIUS server to the client contain authorization information. This makes it difficult to decouple
authentication and authorization.
TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.
This allows separate authentication solutions that can still use TACACS+ for authorization and
accounting. For example, with TACACS+ it is possible to use Kerberos authentication and TACACS+
authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization
information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+
server that it has successfully authenticated on a Kerberos server, and the server then provides
Answer: A
Explanation:
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the
revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet
standards track.
References: :http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
Answer: A
Explanation:
Authenticators and supplicants communicate with one another by using the Extensible
Authentication Protocol (EAP, RFC 2284, since obsoleted by RFC 3748). EAP was originally designed to
run over PPP and to authenticate dial-in users, but 802.1X defines an encapsulation method for passing
EAP packets over Ethernet frames. This method is referred to as EAP over LANs, or EAPOL. The Ethernet
type of EAPOL is 88-8E, two octets in length. EAPOL encapsulations are described for IEEE 802
compliant environments, such as 802.3 Ethernet, 802.11 Wireless LAN and Token Ring/FDDI.
References: :http://www.zyxeltech.de/SNotep335wt/app/8021x.htm#EAPOL
Answer: A
Explanation:
WEP was included as the privacy component of the original IEEE 802.11 standard ratified in
September 1999. WEP uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum
for integrity. It was deprecated in 2004 and is documented in the current standard.
Standard 64-bit WEP uses a 40-bit key (also known as WEP-40), which is concatenated with a 24-bit
initialization vector (IV) to form the RC4 key. At the time that the original WEP standard was
drafted, the U.S. Government's export restrictions on cryptographic technology limited the key
size. Once the restrictions were lifted, manufacturers of access points implemented an extended
128-bit WEP protocol using a 104-bit key size (WEP-104).
References: :http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Encryption_details
Answer: B,C,D
Explanation:
Answer: A
Explanation:
The Security Group Tag (SGT) Exchange Protocol (SXP) is one of several protocols that supports
CTS and is referred to in this document as CTS-SXP. CTS-SXP is a control protocol for
propagating IP-to-SGT binding information across network devices that do not have the capability
to tag packets. CTS-SXP passes IP to SGT bindings from authentication points to upstream
devices in the network. This process allows security services on switches, routers, or firewalls to
learn identity information from access devices.
Answer: A
Explanation:
Cisco TrustSec (CTS) builds secure networks by establishing domains of trusted network devices.
Each device in the domain is authenticated by its peers. Communication on the links between
devices in the domain is secured with a combination of encryption, message integrity check, and
data-path replay protection mechanisms.
The Security Group Tag (SGT) Exchange Protocol (SXP) is one of several protocols that supports
CTS and is referred to in this document as CTS-SXP. CTS-SXP is a control protocol for
propagating IP-to-SGT binding information across network devices that do not have the capability
to tag packets. CTS-SXP passes IP to SGT bindings from authentication points to upstream
devices in the network. This process allows security services on switches, routers, or firewalls to
learn identity information from access devices.
References: :http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cts/configuration/xe3s/sec-usr-cts-xe-3s-book/cts-sxp-ipv4.html
Answer: D
Explanation:
The DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It
is implemented with two UDP port numbers for its operations which are the same as for the
BOOTP protocol. UDP port number 67 is the destination port of a server, and UDP port number 68
is used by the client.
References: :http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol.
References: http://www.cisco.com/c/en/us/td/docs/ios/12_4t/qos/configuration/guide/qsnbar1.html#wp1056828
Answer: C
Explanation:
Answer: E
In transport mode, AH is used for end-to-end authentication. For IPv4, AH is placed after the original
IP header and before the transport segment, or before any other IPsec headers that have been
inserted. The authentication process covers the entire packet, except for mutable fields in the IPv4
header, which are set to 0 for MAC calculation [8]. For IPv6, AH is viewed as an end-to-end payload
and is placed after the original IPv6 header and the hop-by-hop, routing and fragmentation extension
headers. The destination options extension header(s) could appear either before or after the AH
header depending on the semantics desired. The authentication process covers the entire packet,
except for mutable fields that are set to 0 for MAC calculation.
References: http://www.upm.ro/facultati_departamente/stiinte_litere/conferinte/situl_integrare_europeana/Lucrari/Crainicu.pdf
Answer: C,F,G
Answer: C
Explanation:
There are three common forms of intermediary: proxy, gateway, and tunnel. A proxy is
a forwarding agent, receiving requests for a URI in its absolute form, rewriting all or part of the
message, and forwarding the reformatted request toward the server identified by the URI. A
gateway is a receiving agent, acting as a layer above some other server(s) and, if necessary,
translating the requests to the underlying server's protocol. A tunnel acts as a relay point between
two connections without changing the messages; tunnels are used when the communication
needs to pass through an intermediary (such as a firewall) even when the intermediary cannot
understand the contents of the messages.
References: :http://www.w3.org/Protocols/rfc2616/rfc2616.txt
Answer: C
Explanation:
Internet Message Access Protocol(IMAP) is a protocol for e-mail retrieval and storage developed
Answer: B,E
Explanation:
The DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It
is implemented with two UDP port numbers for its operations which are the same as for the
BOOTP protocol. UDP port number 67 is the destination port of a server, and UDP port number 68
is used by the client.
When a DHCP server receives a DHCPDISCOVER message from a client, which is an IP address
lease request, the server reserves an IP address for the client and makes a lease offer by sending
a DHCPOFFER message to the client. This message contains the client's MAC address, the IP
address that the server is offering, the subnet mask, the lease duration, and the IP address of the
DHCP server making the offer.
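An added example, not part of the quoted explanation, that builds the DHCPOFFER described above with the fields the text lists (client hardware address, offered address in yiaddr, subnet mask, lease duration and server identifier as options) and parses it back, along with the 67/68 port pairing. The transaction ID, MAC address and addresses are constructed values; the layout follows RFC 2131.

```python
import struct

# Added example: DHCPOFFER construction and parsing (RFC 2131 fixed header + TLV options).
SERVER_PORT, CLIENT_PORT = 67, 68
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET_MASK, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 51, 53, 54, 255
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file  (236 bytes)
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def udp_ports(op):
    """(source, destination) UDP ports: a server reply (op=2) goes 67 -> 68, a client request 68 -> 67."""
    return (SERVER_PORT, CLIENT_PORT) if op == 2 else (CLIENT_PORT, SERVER_PORT)


def build_offer(xid, client_mac, offered_ip, subnet_mask, lease_seconds, server_ip):
    """Server reply to a DHCPDISCOVER: op=2 (BOOTREPLY), offered address in yiaddr."""
    fixed = FIXED.pack(
        2, 1, 6, 0, xid, 0, 0,
        ip_to_bytes("0.0.0.0"),            # ciaddr: client has no address yet
        ip_to_bytes(offered_ip),           # yiaddr: "your" (offered) address
        ip_to_bytes(server_ip),            # siaddr: next server address
        ip_to_bytes("0.0.0.0"),            # giaddr: no relay agent
        client_mac.ljust(16, b"\x00"),     # chaddr: client hardware address, zero padded
        bytes(64), bytes(128))             # sname, file: unused here
    options = (
        bytes([OPT_MSG_TYPE, 1, 2])                                       # DHCPOFFER
        + bytes([OPT_SUBNET_MASK, 4]) + ip_to_bytes(subnet_mask)
        + bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
        + bytes([OPT_SERVER_ID, 4]) + ip_to_bytes(server_ip)
        + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Decode the fixed header and the TLV options of a DHCP message."""
    if len(packet) < FIXED.size + 4 or packet[FIXED.size:FIXED.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (bad length or magic cookie)")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, siaddr, _giaddr, chaddr, _sname, _file) = FIXED.unpack_from(packet)
    options = {}
    pos = FIXED.size + 4
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_END:
            break
        if code == 0:                      # pad option carries no length byte
            pos += 1
            continue
        if pos + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[pos + 1]
        options[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length

    def ip_option(code):
        raw = options.get(code)
        return bytes_to_ip(raw) if raw is not None and len(raw) == 4 else None

    lease = options.get(OPT_LEASE_TIME)
    return {
        "op": op,
        "xid": xid,
        "client_mac": ":".join("%02x" % b for b in chaddr[:hlen]),
        "yiaddr": bytes_to_ip(yiaddr),
        "siaddr": bytes_to_ip(siaddr),
        "message_type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "unknown"),
        "subnet_mask": ip_option(OPT_SUBNET_MASK),
        "lease_time": struct.unpack("!I", lease)[0] if lease and len(lease) == 4 else None,
        "server_id": ip_option(OPT_SERVER_ID),
    }


if __name__ == "__main__":
    pkt = build_offer(0x3903F326, bytes.fromhex("001122334455"),
                      "192.168.1.100", "255.255.255.0", 86400, "192.168.1.1")
    print(parse_dhcp(pkt), udp_ports(2))
```

Nothing in the offer authenticates the server: the server identifier (option 54) is whatever the sender put there, which is why DHCP snooping on the switch, rather than anything in the protocol itself, is what stops a rogue server from answering DISCOVERs first.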
Answer: A,B,C
Explanation:
Key management is not specified in the WEP standard. Without interoperable key
management, keys tend to be long-lived and of poor quality.
The CRC-32 ICV is a linear function of the message, meaning that an attacker can modify an
encrypted message and easily fix the ICV so the message appears authentic. Being able to
modify encrypted packets provides for a nearly limitless number of very simple attacks. An
attacker can easily make the victim's wireless access point decrypt packets for him.
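The ICV-fixing attack described above, as an added example that is not part of the source text. WEP computes ICV = CRC-32(plaintext) and XORs plaintext||ICV with the RC4 keystream derived from IV||key. Because CRC-32 is affine, crc(P xor D) = crc(P) xor crc(D) xor crc(0...0), so an attacker who never learns the key can XOR a chosen delta D into the ciphertext and XOR the matching correction into the encrypted ICV; the receiver's check then passes on the modified plaintext. The key, IV and packet contents are constructed, and the frame format is simplified (no key-ID byte, no 802.11 header).

```python
import zlib

# Added example: WEP CRC-32 ICV bit-flipping forgery. RC4 is the real WEP cipher;
# key, IV and payload are constructed for the demonstration.


def rc4(key, length):
    """RC4 keystream (KSA + PRGA) of the requested length."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key, iv, plaintext):
    """Frame = IV || RC4(IV||key) XOR (plaintext || ICV)."""
    return iv + xor(rc4(iv + wep_key, len(plaintext) + 4), plaintext + icv(plaintext))


def wep_decrypt(wep_key, frame):
    """Receiver side: strip IV, decrypt, verify the ICV, return the plaintext."""
    iv, body = frame[:3], frame[3:]
    clear = xor(rc4(iv + wep_key, len(body)), body)
    plaintext, received_icv = clear[:-4], clear[-4:]
    if icv(plaintext) != received_icv:
        raise ValueError("ICV check failed")
    return plaintext


def forge(frame, delta):
    """Attacker side, no key needed: XOR delta into the encrypted plaintext and the
    matching CRC correction into the encrypted ICV. Since crc(P ^ D) =
    crc(P) ^ crc(D) ^ crc(zeros), the correction depends only on D and its length."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_fix)


if __name__ == "__main__":
    key, iv = bytes.fromhex("0102030405"), b"\x00\x00\x01"         # constructed
    original = b"dst=10.0.0.5 data=pay 100 to bob"
    wanted = b"dst=10.0.0.9 data=pay 900 to bob"
    frame = wep_encrypt(key, iv, original)
    forged = forge(frame, xor(original, wanted))                    # known-plaintext delta
    print(wep_decrypt(key, forged))                                  # accepted by the AP
```

The attacker only needs to know (or guess) the plaintext bytes at the positions being changed, which for a packet with a predictable IP header is exactly the destination address; that is how the "make the access point decrypt packets for him" redirection in the text is carried out. A keyed MAC such as HMAC, or the AES-CCM tag in WPA2, is not affine and closes this hole.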
Answer: C,D,F
Explanation:
Answer: C,D,E
Explanation:
Answer: A
Explanation:
During passive scans, the radio listens for beacons and probe responses. If you use only passive
mode, the radio scans once per second, and audits packets on the wireless network. Passive
scans are always enabled and cannot be disabled because this capability is also used to connect
clients to access points.
Which message could contain an authenticated initial_contact notify during IKE main mode
negotiation?
A.
message 3
B.
message 5
C.
message 1
D.
none, initial_contact is sent only during quick mode
E.
none, notify messages are sent only as independent message types
Answer: B
Explanation:
Answer: B,C,E
Explanation:
References: http://www.cisco.com/c/en/us/td/docs/ios/12_2/configfun/command/reference/ffun_r/frf012.html#wp1080718
To block websites, the match is configured under the class-map with a regex domain list and an
order value (1, 2, and so on). Facebook and Twitter are therefore blocked here.
Answer: B
Explanation:
DAP and Endpoint Security
The security appliance obtains endpoint security attributes by using posture assessment methods
that you configure. These include Cisco Secure Desktop and NAC. You can use a match of a
prelogin policy, Basic Host Scan entry, Host Scan Extension, or any combination of these and any
other policy attributes to assign access rights and restrictions. At minimum, configure DAPs to
assign to each prelogin policy and Basic Host Scan entry.
Endpoint Assessment, a Host Scan extension, examines the remote computer for a large
collection of antivirus and antispyware applications, associated definitions updates, and firewalls.
You can use this feature to combine endpoint criteria to satisfy your requirements before the
security appliance assigns a specific DAP to the session.
DAP and Anti-Virus, Anti-Spyware, and Personal Firewall Programs
If the installed program does not support active scan, Host Scan reports the presence of the
software. The DAP system selects DAP records that specify the program.
If the installed program does support active scan, and active scan is enabled for the program, Host
Scan reports the presence of the software. Again the security appliance selects DAP records that
specify the program.
If the installed program does support active scan and active scan is disabled for the program, Host
Scan ignores the presence of the software. The security appliance does not select DAP records
that specify the program. Further, the output of the debug trace command, which includes a lot of
information about DAP, does not indicate the program presence, even though it is installed.
Answer: B
Explanation:
Which statement about this Cisco Catalyst switch 802.1X configuration is true?
A.
If an IP phone behind the switch port has an 802.1X supplicant, MAC address bypass will still be
used to authenticate the IP Phone.
B.
If an IP phone behind the switch port has an 802.1X supplicant, 802.1X authentication will be used
to authenticate the IP phone.
C.
The authentication host-mode multi-domain command enables the PC connected behind the IP
phone to bypass 802.1X authentication.
D.
Using the authentication host-mode multi-domain command will allow up to eight PCs connected
behind the IP phone via a hub to be individually authenticated using 802.1X.
Answer: B
Explanation:
Answer: A
Explanation:
These commands drop IPv6 packets that carry a Type 0 routing header: the class is matched with
match header routing-type eq 0 and the policy action is drop.
With the client protected by the firewall, an HTTP connection from the client to the server on TCP
port 80 will be subject to which action?
Answer: B
Explanation:
Two classes of traffic are defined here, one for HTTP and another for TCP. Traffic to TCP port 80
is matched by TCP_CMAP and receives the action configured for that class.
Answer: A
Explanation:
To display the operational status and configuration parameters for Secure Socket Layer (SSL)
virtual private network (VPN) context configurations, use the show webvpn context command in
privileged EXEC mode. The VPN1 context shows both the admin status (AS) and operational status
(OS) as down, so VPN1 is not in service.
Which two statements about this Cisco Catalyst switch configuration are correct? (Choose two.)
A.
The default gateway for VLAN 200 should be attached to the FastEthernet 5/1 interface.
B.
Hosts attached to the FastEthernet 5/1 interface can communicate only with hosts attached to the
FastEthernet 5/4 interface.
C.
Hosts attached to the FastEthernet 5/2 interface can communicate with hosts attached to the
FastEthernet 5/3 interface.
Answer: B,C
Explanation:
FastEthernet 5/1 and 5/4 share host association 200 and 400, so hosts on those ports can
communicate with each other. FastEthernet 5/2 and 5/3 share host association 200 and 600, so
hosts on those ports can also communicate with each other.
Answer: E
Explanation:
The Catalyst switches support 802.1AE encryption with MACsec Key Agreement (MKA) on
Answer: D
Answer: E
Explanation:
In an effort to protect routers from various risks, both accidental and malicious, infrastructure
protection ACLs should be deployed at network ingress points. These IPv4 and IPv6 ACLs deny
access from external sources to all infrastructure addresses, such as router interfaces. At the
same time, the ACLs permit routine transit traffic to flow uninterrupted and provide basic RFC 1918,
RFC 3330, and anti-spoof filtering.
Answer: B
Explanation:
The ASA integrates the HostScan features into dynamic access policies (DAPs). Depending on
the configuration, the ASA uses one or more endpoint attribute values in combination with optional
AAA attribute values as conditions for assigning a DAP. The HostScan features supported by the
endpoint attributes of DAPs include OS detection, policies, basic HostScan results, and endpoint
assessment.
Answer: C
Explanation:
Global access rules allow you to apply a global rule to ingress traffic without the need to specify an
interface.
When migrating to the adaptive security appliance from a competitor appliance, you can maintain
a global access rule policy instead of needing to apply an interface-specific policy on each
interface.
Global access control policies are not replicated on each interface, so they save memory space.
Global access rules provide flexibility in defining a security policy. You do not need to specify
which interface a packet comes in on, as long as it matches the source and destination IP
addresses.
Global access rules use the same mtrie and stride tree as interface-specific access rules, so
scalability and performance for global rules are the same as for interface-specific rules.
You can configure global access rules in conjunction with interface access rules, in which case,
the specific interface access rules are always processed before the general global access rules.
Answer: A,B,D
Explanation:
PIM sparse mode (PIM-SM) is reasonably complex in how multicast distribution trees are formed
Answer: A,B,C
Explanation:
Refer to the linked deployment guide for how AnyConnect behaves in an ASA VPN load-balancing cluster.
References: Reference:https://supportforums.cisco.com/document/29886/asa-vpn-loadbalancingclustering-digital-certificates-deployment-guide
Answer: A,C,E
Explanation:
By grouping like objects together, you can use the object group in an ACE instead of having to
enter an ACE for each object separately. You can create the following types of object groups:
Protocol
Network
Service
ICMP type
For example, consider the following three object groups:
MyServices: includes the TCP and UDP port numbers of the service requests that are allowed
access to the internal network.
TrustedHosts: includes the host and network addresses allowed access to the greatest range of
services and servers.
PublicServers: includes the host addresses of servers to which the greatest access is provided.
To allow HTTP connections to be included in the state information replication, you need to enable
HTTP replication. Because HTTP connections are typically short-lived, and because HTTP
clients typically retry failed connection attempts, HTTP connections are not automatically included
in the replicated state information.
Given the Cisco ASA configuration above, which commands need to be added in order for the
Cisco ASA appliance to deny all IPv6 packets with more than three extension headers?
A.
policy-map type inspect ipv6 IPv6-mapmatch ipv6 headercount > 3
B.
policy-map outside-policyclass outside-classinspect ipv6 header count gt 3
C.
class-map outside-classmatch ipv6 header count greater 3
D.
policy-map type inspect ipv6 IPv6-mapmatch header count gt 3drop
Answer: D
Explanation:
The class match header count gt 3 matches any IPv6 packet carrying more than three extension
headers, and the drop action inside the IPv6 inspection policy map discards those packets.
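The check behind that policy, walking the IPv6 header chain and counting extension headers before deciding to drop, as an added example (not code from the question bank or from Cisco; the packets are constructed by build_packet(), and the header-length rules follow RFC 8200/RFC 4302):

```python
"""Count IPv6 extension headers and apply a 'header count gt N' style drop.

Added example, not from the original question bank. Constructed packets only.
"""
import struct

# Extension header next-header values (IANA). Fragment is a fixed 8 bytes;
# Hop-by-Hop, Routing and Destination Options carry a length in 8-octet units
# (excluding the first 8); AH carries a length in 4-octet units minus 2.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
AUTH = 51
ESP = 50   # ESP hides everything after it; it is counted and the walk stops
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AUTH, ESP}


def count_ext_headers(pkt: bytes) -> int:
    """Walk the IPv6 header chain and return the number of extension headers."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt = pkt[6]          # Next Header field of the base header
    off = 40
    count = 0
    while nxt in EXT_HEADERS:
        count += 1
        if nxt == ESP:
            break
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        hdr_len = pkt[off + 1]
        if nxt == FRAGMENT:
            size = 8
        elif nxt == AUTH:
            size = (hdr_len + 2) * 4
        else:
            size = (hdr_len + 1) * 8
        nxt = pkt[off]
        off += size
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")
    return count


def policy_action(pkt: bytes, max_headers: int = 3) -> str:
    """Mimic 'match header count gt N' followed by 'drop'."""
    return "drop" if count_ext_headers(pkt) > max_headers else "pass"


def build_packet(ext_chain, final_next: int = 6) -> bytes:
    """Constructed IPv6 packet: base header plus minimal zero-filled extension
    headers in the given order, ending in final_next (6 = TCP)."""
    chain = list(ext_chain) + [None]
    body = b""
    for i, h in enumerate(ext_chain):
        nxt = chain[i + 1] if chain[i + 1] is not None else final_next
        if h == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0)          # 8 bytes
        elif h == AUTH:
            body += struct.pack("!BBH", nxt, 2, 0) + bytes(12)   # (2+2)*4 = 16
        else:
            body += bytes([nxt, 0]) + bytes(6)                   # (0+1)*8 = 8
    first = ext_chain[0] if ext_chain else final_next
    base = struct.pack("!IHBB", 0x60000000, len(body), first, 64) + bytes(32)
    return base + body
```

A chain of Hop-by-Hop, Destination Options and Routing headers passes (three headers); adding a Fragment header makes four and the packet is dropped. An ESP header ends the walk because the headers behind it are encrypted, which is also why such a policy cannot see past ESP.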
Answer: B
Explanation:
Parameter-maps specify inspection behavior for ZFW, for parameters such as DoS protection,
TCP connection/UDP session timers, and audit-trail logging settings.
Answer: A,B,D
Explanation:
Static NAT is shown below:
STATIC PAT: Static PAT is the same as static NAT, except that it enables you to specify the
protocol (TCP or UDP) and port for the real and mapped addresses. Static PAT enables you to
identify the same mapped address across many different static statements, provided that the port
is different for each statement. You cannot use the same mapped address for multiple static NAT
statements.
Answer: B
Explanation:
Using Cisco IPS Sensor Software Version 6.x, the Cisco AIP-SSM combines inline prevention
services with innovative technologies to improve accuracy. The result is total confidence in the
protection offered by your intrusion prevention system (IPS) solution, without the fear of legitimate
traffic being dropped. When deployed within Cisco ASA 5500 Series appliances, the AIP-SSM
offers comprehensive protection of your network by collaborating with other network security
resources, providing a proactive approach to protecting your network.
References: Reference:http://www.cisco.com/c/en/us/products/interfaces-modules/asa-advancedinspection-prevention-aip-security-services-module/index.html
Answer: B,C
Explanation:
Policies consist mainly of rules that determine the action of the policy. You create access services
to define authentication and authorization policies for requests. A global service selection policy
contains rules that determine which access service processes an incoming request. You can
create a standalone authorization policy for an access service, which is a standard first-match rule
table. You can also create an authorization policy with an exception policy.
The rules can contain any conditions and multiple results:
Authorization profile: defines the user-defined attributes and, optionally, the downloadable ACL
that the Access-Accept message should return.
Security Group Tag (SGT): if you have installed Cisco TrustSec, the authorization rules can
define which SGT to apply to the request.
Answer: B,E
Explanation:
See the linked guide for a complete description of ISE design with a Wireless LAN Controller.
References: Reference:http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/designzone-security/howto_11_universal_wlc_config.pdf
To configure the Cisco ASA, what should you enter in the Name field, under the Group
Authentication option for the IPSec VPN client?
A.
group policy name
B.
crypto map name
C.
isakmp policy name
D.
crypto ipsec transform-set name
E.
tunnel group name
Answer: E
Explanation:
On R1, encrypt counters are incrementing. On R2, packets are decrypted, but the encrypt counter
is not being incremented. What is the most likely cause of this issue?
A.
a routing problem on R1
B.
a routing problem on R2
C.
incomplete IPsec SA establishment
D.
crypto engine failure on R2
E.
IPsec rekeying is occurring
Answer: B
Explanation:
Answer: B,C
Explanation:
Cloud Connection Methods
Includes software for on-premises appliances like Cisco ASA 5500-X Series Next-Generation
Firewalls, Cisco ISR G2 routers, and Cisco WSA devices, redirecting traffic to Cisco CWS for web
security functions.
References: Reference:http://www.cisco.com/c/en/us/products/collateral/security/scan-safe-websecurity/data_sheet_c78-729637.html
Answer: A,C,D,E
Explanation:
Answer: C
Answer: A
Explanation:
The PKCS #7 standard describes a general syntax for data that may have cryptography applied to
it, such as digital signatures and digital envelopes. The syntax admits recursion, so that, for
example, one envelope can be nested inside another, or one party can sign digital data that has
already been put into an envelope. It also allows arbitrary attributes, such as signing time, to be
authenticated along with the content of a message. Further, it provides for other attributes, such
as countersignatures, to be associated with a signature.
Answer: A,C
Explanation:
In active FTP mode, the client connects from a random unprivileged port (N > 1023) to the
command port (21) of the FTP server. The client then starts listening on port N+1 and sends an
FTP PORT command advertising port N+1 to the server. The server connects back to the specified
data port of the client from its own local data port, which is port 20.
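This is why a firewall in front of an active-mode client must inspect the control channel: the server's inbound connection to port N+1 is only predictable by reading the PORT command. The parsing and the pinhole it yields, as an added example (not code from the question bank or from Cisco; the PORT lines and addresses are constructed):

```python
"""Parse and build FTP PORT commands the way an inspection engine must for
active FTP, and derive the temporary rule that admits the server's data
connection. Added example, not from the original question bank."""
import re

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def parse_port(cmd: str):
    """Return (ip, port) from 'PORT h1,h2,h3,h4,p1,p2'; port = p1*256 + p2."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"not a PORT command: {cmd!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port <= 1023:
        raise ValueError("client data port must be unprivileged (>1023)")
    return ip, port


def build_port(ip: str, port: int) -> str:
    """Inverse of parse_port: what the client sends after listening on port."""
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def pinhole_for(cmd: str, control_client_ip: str, server_ip: str) -> dict:
    """Rule a stateful firewall opens for the data connection: server port 20 to
    the advertised client address/port. The advertised address must equal the
    control connection's source, or the command is an FTP bounce attempt."""
    ip, port = parse_port(cmd)
    if ip != control_client_ip:
        raise ValueError("PORT address differs from control source (FTP bounce)")
    return {"proto": "tcp", "src": server_ip, "sport": 20, "dst": ip, "dport": port}
```

The bounce check is the part most often forgotten in hand-written rules: without it a client can ask the server to connect to any third-party host and port.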
Answer: C,D,E,F
Explanation:
Neighbor solicitation messages (ICMPv6 Type 135) are sent on the local link by nodes attempting
to discover the link-layer addresses of other nodes on the local link. The neighbor solicitation
message is sent to the solicited-node multicast address. The source address in the neighbor
solicitation message is the IPv6 address of the node sending the neighbor solicitation message.
The neighbor solicitation message also includes the link-layer address of the source node.
After receiving a neighbor solicitation message, the destination node replies by sending a neighbor
advertisement message (ICMPv6 Type 136) on the local link. The source address in the neighbor
advertisement message is the IPv6 address of the node sending the neighbor advertisement
message; the destination address is the IPv6 address of the node that sent the neighbor
solicitation message. The data portion of the neighbor advertisement message includes the link-layer address of the node sending the neighbor advertisement message.
After the source node receives the neighbor advertisement, the source node and destination node
can communicate.
Neighbor solicitation messages are also used to verify the reachability of a neighbor after the link-layer address of a neighbor is identified. When a node wants to verify the reachability of a
neighbor, the destination address in a neighbor solicitation message is the unicast address of the
neighbor.
Neighbor advertisement messages are also sent when there is a change in the link-layer address
of a node on a local link. When there is such a change, the destination address for the neighbor
advertisement is the all-nodes multicast address.
Answer: B
Explanation:
Main mode message 3 (MM3) - NAT discovery and Diffie-Hellman exchange.
Includes:
- NAT discovery payload and hash.
- DH exchange initiation.
Here the DH value does not match the one computed at the peer, which is why the negotiation
fails.
Answer: A,E
Explanation:
The DHCP Switched Port Analyzer (SPAN) probe, when initialized on a Cisco ISE node, listens to
network traffic coming from network access devices on a specific interface. You need to
configure network access devices to forward DHCP SPAN packets to the Cisco ISE profiler from
the DHCP servers. The profiler receives these DHCP SPAN packets and parses them to capture
the attributes of an endpoint, which can be used for profiling endpoints.
HTTP Switched Port Analyzer (SPAN) collects HTTP attributes of an HTTP request-header
message along with IP addresses in the IP header (L3 header), which can be associated to an
endpoint based on the MAC address of an endpoint in the L2 header. This information is useful for
identifying different mobile and portable IP enabled devices such as iPods, iPads and iPhones, as
well as computers with different operating systems.
Answer: B
Explanation:
The extendable keyword allows the user to configure several ambiguous static translations, where
ambiguous translations are translations that share the same local or global address.
Which three command sets are required to complete this IPv6 IPsec site-to-site VTI? (Choose
three.)
A.
interface Tunnel0tunnel mode ipsec ipv6
B.
crypto isakmp-profilematch identity address ipv6 any
C.
interface Tunnel0ipv6 enable
D.
ipv6 unicast-routing
E.
interface Tunnel0ipv6 enable-ipsec
Answer: A,C,D
Explanation:
Which option correctly identifies the point on the exhibit where Control Plane Policing (input) is
applied to incoming packets?
A.
point 6
B.
point 7
C.
point 4
D.
point 1
E.
points 5 and 6
Answer: A
Explanation:
Answer: A,B,D
Explanation:
Management Frame Protection provides security for the management messages passed between
access point (AP) and Client stations. MFP consists of two functional components: Infrastructure
MFP and Client MFP.
Infrastructure MFP provides infrastructure support. Infrastructure MFP utilizes a message integrity
check (MIC) across broadcast and directed management frames. This check assists in detecting
rogue devices and denial-of-service attacks. Client MFP provides client support.
Client MFP protects authenticated clients from spoofed frames, by preventing many of the
common attacks against WLANs from becoming effective.
Management Frame Protection operation requires a wireless domain service (WDS). MFP is
configured at the wireless LAN solution engine (WLSE), but you can manually configure MFP on
an AP and WDS.
References:
Reference:http://www.cisco.com/c/en/us/td/docs/routers/access/3200/software/wireless/3200Wirel
essConfigGuide/ManageFrameProt.html
Answer: B
Explanation:
NAT connects two networks and translates the private (inside local) addresses into public
addresses (inside global) before packets are forwarded to another network. In other words, address
translation allows you to translate your internal private addresses to public addresses before these
packets leave your network.
A.
that the server will accept only HTTPS traffic
B.
which versions of SSL/TLS the server will accept
C.
which ciphersuites the client may choose from
D.
which cipher suite the server has chosen to use
E.
the PreMaster secret to use in generating keys
Answer: D
The server responds by sending a "Server hello" message to the client, along with the server's
random value. The server sends its certificate to the client for authentication and may request a
certificate from the client. The server sends the "Server hello done" message.
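The distinction the question turns on, the client offers a list and the server announces its single choice in the Server hello, shown as an added example that builds a TLS 1.2 ServerHello record, parses it back, and models the server-side selection (not code from the question bank; the record bytes are constructed by build_server_hello(), not captured from a server, and the suite table holds only the three IANA entries the example uses):

```python
"""TLS 1.2 ServerHello: build, parse, and model the server's cipher suite choice.
Added example, not from the original question bank."""
import struct

CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO = 2
TLS12 = 0x0303
SUITE_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}


def choose_cipher_suite(client_offered, server_preference):
    """The server picks the first suite in its own preference order that the
    client offered; no overlap ends the handshake with handshake_failure."""
    for suite in server_preference:
        if suite in client_offered:
            return suite
    raise ValueError("handshake_failure: no common cipher suite")


def build_server_hello(suite: int, server_random: bytes, session_id: bytes = b"") -> bytes:
    """5-byte record header, 4-byte handshake header, then the ServerHello body."""
    if len(server_random) != 32:
        raise ValueError("server random must be 32 bytes")
    body = struct.pack("!H", TLS12) + server_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!HB", suite, 0)            # chosen suite, null compression
    hs = bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, TLS12, len(hs)) + hs


def parse_server_hello(record: bytes) -> dict:
    """Recover version, server random, session ID and the chosen cipher suite."""
    if len(record) < 5:
        raise ValueError("short record")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_HANDSHAKE or len(record) != 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    server_random = body[2:34]
    sid_len = body[34]
    pos = 35 + sid_len
    suite, compression = struct.unpack("!HB", body[pos:pos + 3])
    return {
        "version": version,
        "random": server_random,
        "session_id": body[35:pos],
        "cipher_suite": suite,
        "cipher_suite_name": SUITE_NAMES.get(suite, "unknown"),
        "compression": compression,
    }
```

Note for anyone adapting this to captures: a TLS 1.3 ServerHello keeps the legacy version field at 0x0303 and carries the negotiated version in a supported_versions extension, so the version read here is only authoritative for TLS 1.2 and earlier.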
Answer: B
Explanation:
Answer: A,B,C,F
Explanation:
Answer: C
Explanation:
When a packet arrives on the outside interface, the ASA first checks whether it belongs to an
existing connection; if so, the packet is allowed. Otherwise the interface access list is consulted to
determine the action to take.
Which three statements about the Cisco ASDM screen seen in the exhibit are true? (Choose
three.)
A.
This access rule is applied to all the ASA interfaces in the inbound direction.
B.
The ASA administrator needs to expand the More Options tag to configure the inbound or
outbound direction of the access rule.
C.
The ASA administrator needs to expand the More Options tag to apply the access rule to an
interface.
D.
The resulting ASA CLI command from this ASDM configuration is access-list global_access line 1
extended permit ip host 1.1.1.1 host 2.2.2.1.
E.
This access rule is valid only on the ASA appliance that is running software release 8.3 or later.
F.
This is an outbound access rule.
The exhibit shows the interface as Any, i.e. the rule applies to all interfaces in the inbound
direction. Because it applies to all interfaces it is a global rule; with 1.1.1.1 as the source and
2.2.2.1 as the destination, the resulting CLI is: access-list global_access line 1 extended permit ip
host 1.1.1.1 host 2.2.2.1
Global access rules are supported only on ASA software release 8.3 and later.
Answer: B
Explanation:
Choose the correct description of the implementation that produced this output on the Cisco ASA
appliance.
A.
Answer: A
Explanation:
Answer: B,C,D,E
Explanation:
Answer: D
Explanation:
Answer: A
Explanation:
Option A meets all the requirements stated in the question. The others fail because context
names are case sensitive. The invisible keyword makes the context hidden, and the correct
interfaces have been assigned to the contexts.
Answer: A,D,F,G
Explanation:
The zone-based firewall configuration tasks, in order, are:
1. Configure Zones.
2. Assign router interfaces to Zones.
3. Create Zone pairs.
4. Configure Interzone access policy (Class Maps and Policy Maps)
5. Apply Policy Maps to Zone Pairs.
The client is protected by a firewall. An IPv6 SMTP connection from the client to the server on
TCP port 25 will be subject to which action?
A.
pass action by the HTTP_CMAP
B.
inspection action by the TCP_CMAP
C.
inspection action by the SMTP_CMAP
Answer: C
Explanation:
The SMTP connection is matched by the class map SMTP_CMAP, and the action defined for that
class is inspect.
Answer: D
Explanation:
The Meta engine defines events that occur in a related manner within a sliding time interval. This
engine processes events rather than packets. As signature events are generated, the Meta engine
inspects them to determine if they match any or several Meta definitions. The Meta engine
generates a signature event after all requirements for the event are met.
All signature events are handed off to the Meta engine by the Signature Event Action Processor.
The Signature Event Action Processor hands off the event after processing the minimum hits
option. Summarization and event action are processed after the Meta engine has processed the
component events.
What is the cause of the issue that is reported in this debug output?
A.
The identity of the peer is not acceptable.
B.
There is an esp transform mismatch.
C.
There are mismatched ACLs on remote and local peers.
D.
The SA lifetimes are set to 0.
Answer: C
Explanation:
Which shows a partial configuration for the EzVPN server. Which three missing ISAKMP profile
options are required to support EzVPN using DVTI? (Choose three.)
A.
match identity group
B.
trustpoint
C.
virtual-interface
D.
keyring
E.
enable udp-encapsulation
F.
isakmp authorization list
G.
virtual-template
Answer: A,D,E
Explanation:
SeND technology works by having a pair of private and public keys for each IPv6 node in
combination with the new options (CGA, Nonce, Timestamp, and RSA). Nodes that are using
SeND cannot choose their own interface identifier because the interface identifier is
cryptographically generated based upon the current IPv6 network prefix and the "public" key.
However, the CGA interface identifier alone is not sufficient to guarantee that the CGA address is
used by the appropriate node.
For this purpose, SeND messages are signed using the RSA public and private key pair. For
example if node 1 wants to know the MAC address of node 2, it will traditionally send a neighbor
solicitation request to the node 2 solicited node multicast address. Node 2 will respond with a
corresponding neighbor advertisement containing the MAC address to IPv6 address mapping.
Node 2 will in addition add the CGA parameters (which include among others the public key) and
a private key signature of all neighbor advertisement fields. When node 1 receives this neighbor
advertisement it uses the public key to verify with the CGA address the private key signature of
node 2. Once this last step has been successfully completed, the binding on node 1 of the MAC
address and CGA address of node 2 can be successfully finalized.
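The CGA binding described above (interface identifier derived from the public key, verified by node 1 from the CGA parameters in node 2's advertisement), together with the solicited-node multicast address from the neighbor discovery explanation earlier, as an added example following RFC 3972 (not code from the question bank or from Cisco; the public keys are constructed placeholder byte strings standing in for DER-encoded RSA keys, which is sufficient because CGA only hashes the encoded key; the RSA signature over the advertisement that SeND adds on top of the CGA is not shown here):

```python
"""CGA interface-ID generation/verification (RFC 3972) as relied on by SeND, and
the solicited-node multicast address a neighbor solicitation is sent to.
Added example, not from the original question bank."""
import hashlib
import ipaddress

# Constructed placeholders (assumption): any bytes serve as the "encoded key".
PUBKEY_NODE2 = b"constructed placeholder for node 2 DER-encoded RSA public key"
PUBKEY_ATTACKER = b"constructed placeholder for an attacker's RSA public key"


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier | 9 zero bytes | key); its leftmost 112 bits must
    begin with 16*sec zero bits. Trivially true for sec = 0."""
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return h2 >> (112 - 16 * sec) == 0


def find_modifier(pubkey: bytes, sec: int, start: bytes = bytes(16)) -> bytes:
    """Brute-force a modifier satisfying Hash2; this is the 'sec' work factor."""
    m = int.from_bytes(start, "big")
    while True:
        mod = m.to_bytes(16, "big")
        if _hash2_ok(mod, pubkey, sec):
            return mod
        m = (m + 1) % (1 << 128)


def cga_interface_id(prefix: bytes, pubkey: bytes, modifier: bytes,
                     collision_count: int = 0, sec: int = 0) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | count | key), with the
    three leftmost bits set to sec and the u/g bits (bits 6 and 7) cleared."""
    h1 = bytearray(hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8])
    h1[0] = (h1[0] & 0x1C) | (sec << 5)
    return bytes(h1)


def generate_cga(prefix: bytes, pubkey: bytes, sec: int = 0):
    """Return (IPv6Address, modifier) for the node holding pubkey on this /64."""
    modifier = find_modifier(pubkey, sec)
    iid = cga_interface_id(prefix, pubkey, modifier, 0, sec)
    return ipaddress.IPv6Address(prefix + iid), modifier


def verify_cga(addr, pubkey: bytes, modifier: bytes, collision_count: int = 0) -> bool:
    """Node 1's check: recompute the interface ID from the claimed key and the
    CGA parameters carried in the advertisement, and compare."""
    raw = ipaddress.IPv6Address(addr).packed
    sec = raw[8] >> 5
    if collision_count > 2:
        return False
    if cga_interface_id(raw[:8], pubkey, modifier, collision_count, sec) != raw[8:]:
        return False
    return _hash2_ok(modifier, pubkey, sec)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target."""
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed
    return ipaddress.IPv6Address(base[:13] + ipaddress.IPv6Address(addr).packed[13:])
```

An attacker who answers the solicitation with its own key fails verify_cga because the interface identifier no longer matches; raising sec makes the modifier search cost 2^(16*sec) hashes for a legitimate node and correspondingly more for anyone trying to find a colliding address.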
Answer: D
A customer has an IPsec tunnel that is configured between two remote offices. The customer is
seeing these syslog messages on Router B:
%CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=x, sequence
number=y
What is the most likely cause of this error?
A.
The customer has an LLQ QoS policy that is configured on the WAN interface of Router A.
B.
A hacker on the Internet is launching a spoofing attack.
C.
Router B has an incorrectly configured IP MTU value on the WAN interface.
Answer: A
Explanation:
The purpose of replay checks is to protect against malicious repetitions of packets. However, there
are some scenarios where a failed replay check might not be due to a malicious reason:
References: Reference:http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchangeike/116858-problem-replay-00.html
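The receiver-side check that produces the error, and why an LLQ policy on Router A's WAN interface can trip it: a bulk packet held back in the queue until more than a window's worth of later packets have been decrypted arrives "too old" and is rejected even though it is not a replay. Added example (not code from the question bank or from Cisco); the window size 64 and the arrival orders are constructed for illustration:

```python
"""IPsec anti-replay sliding window (the check behind %CRYPTO-4-PKT_REPLAY_ERR)
and a constructed QoS reordering that causes a non-malicious failure.
Added example, not from the original question bank."""


class ReplayWindow:
    """Receiver window: 'top' is the highest accepted sequence number and bit i
    of 'bitmap' records whether top - i has already been accepted."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.rejected = []  # (seq, reason) in arrival order

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:                          # ESP sequence numbers start at 1
            self.rejected.append((seq, "zero sequence"))
            return False
        if seq > self.top:                    # newer than anything seen: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                 # fell off the left edge: "replay"
            self.rejected.append((seq, "outside window"))
            return False
        if (self.bitmap >> diff) & 1:         # genuinely seen before
            self.rejected.append((seq, "duplicate"))
            return False
        self.bitmap |= 1 << diff              # late but still inside the window
        return True


def deliver(window: ReplayWindow, order):
    """Feed packets in the given arrival order; return what was rejected."""
    for seq in order:
        window.check_and_update(seq)
    return list(window.rejected)


def llq_reorder(n: int, held: int):
    """Constructed arrival order: the sender emits 1..n, but the QoS policy
    services packet 'held' (a bulk-class packet) only after all the others."""
    return [s for s in range(1, n + 1) if s != held] + [held]
```

Packet 5 of 100 arrives 95 positions late: with a 64-packet window it is rejected as outside the window, with a 128-packet window it is accepted. That is the reasoning behind enlarging the window on IOS with crypto ipsec security-association replay window-size when the reordering is caused by your own QoS policy rather than an attacker; a true duplicate is still rejected at any window size.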
Answer: A,B,C
Explanation:
The home agent is one of three key components in Mobile IPv6. The home agent works with the
correspondent node and mobile node to enable Mobile IPv6 functionality:
References: Reference:http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mob_ip/configuration/15mt/mob-ip-15-mt-book/ip6-mobile-home-agent.html
Answer: A,B
Explanation:
The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman, who invented it in
1977 [RIVE78]. The basic technique was first discovered in 1973 by Clifford Cocks [COCK73] of
CESG (part of the British GCHQ) but this was a secret until 1997. The patent taken out by RSA
Labs has expired.
The RSA cryptosystem is the most widely-used public key cryptography algorithm in the world. It
can be used to encrypt a message without the need to exchange a secret key separately.
The RSA algorithm can be used for both public key encryption and digital signatures. Its security is
based on the difficulty of factoring large integers.
Party A can send an encrypted message to party B without any prior exchange of secret keys. A
just uses B's public key to encrypt the message and B decrypts it using the private key, which only
he knows. RSA can also be used to sign a message, so A can sign a message using their private
key and B can verify it using A's public key.
Answer: A
Explanation:
RSA is one of the first practicable public-key cryptosystems and is widely used for secure data
transmission. In such a cryptosystem, the encryption key is public and differs from the decryption
key, which is kept secret. A user of RSA creates and then publishes a public key based on two
large prime numbers, along with an auxiliary value. The prime numbers must be kept secret.
Anyone can use the public key to encrypt a message, but with currently published methods, if the
public key is large enough, only someone with knowledge of the prime numbers can feasibly
decode the message.
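The two uses named in the preceding explanations (A encrypts to B's public key with no prior shared secret; A signs with A's private key and B verifies with A's public key) and the reason the primes must stay secret, as an added textbook-RSA example (not code from the question bank; the primes are small constructed values, there is no OAEP or PSS padding, and it requires Python 3.8+ for the modular inverse via pow, so it is for illustration only and never for real data):

```python
"""Textbook RSA: keygen, encrypt/decrypt, sign/verify, and private-key recovery
from one prime factor. Added example, not from the original question bank."""
import hashlib
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Public key (n, e), private key (n, d) with d = e^-1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(pub, m: int) -> int:
    """Anyone can do this with B's public key alone."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """Only the holder of d (equivalently, of p and q) can do this."""
    n, d = priv
    return pow(c, d, n)


def _digest_int(msg: bytes, n: int) -> int:
    """SHA-256 of the message reduced into Z_n (toy; real schemes pad with PSS
    or PKCS#1 v1.5 instead of reducing)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


def private_from_factor(pub, p: int):
    """Learning one prime factor of n is enough to recover d: the primes, not
    the modulus, are the secret."""
    n, e = pub
    if n % p != 0:
        raise ValueError("p does not divide n")
    q = n // p
    return (n, pow(e, -1, (p - 1) * (q - 1)))
```

With a roughly 60-bit modulus, as in the test values, factoring n is trivial; the security claim in the text holds only at sizes where factoring is infeasible (2048-bit moduli and up today).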
Answer: A
Explanation:
Answer: A
Explanation:
EAP-IKEv2 is an EAP method based on the Internet Key Exchange protocol version 2 (IKEv2). It
provides mutual authentication and session key establishment between an EAP peer and an EAP
server.
Answer: A
Answer: A
Explanation:
Triple DES uses a "key bundle" that comprises three DES keys, K1, K2 and K3, each of 56 bits
(excluding parity bits). The encryption algorithm is:
ciphertext = EK3(DK2(EK1(plaintext)))
Answer: A,C,D
Explanation:
INITIAL_CONTACT: notification to others so that the remote peers would reset any
Answer: A
Explanation:
Group Domain of Interpretation or GDOI is a cryptographic protocol for group key management.
The GDOI protocol is specified in an IETF Standard, RFC 6407, and is based on Internet Security
Answer: A
Explanation:
DTLS is commonly used for delay-sensitive applications (voice and video). The greatest benefit
DTLS provides over standard TLS for delay-sensitive applications is the use of UDP, which allows
faster transmission of application data without the additional overhead of TCP. DTLS was designed
to give a good user experience to delay-sensitive applications that natively use UDP; once DTLS is
enabled and negotiated, all applications are tunneled over the DTLS VPN session.
Answer: A
Explanation:
Symmetric encryption (or pre-shared key encryption) uses a single key to both encrypt and
decrypt data. Both the sender and the receiver need the same key to communicate.
Answer: A,B,D
Explanation:
EAP supports many authentication methods, but only five are commonly used. They are: MD5, a
one-way authentication of the supplicant to the network using passwords; Cisco's proprietary username
Answer: A
Explanation:
It supports Windows single sign-on for Cisco Aironet clients and Cisco Compatible clients.
Answer: B,C,D,E
Explanation:
References: Reference:https://www.ietf.org/rfc/rfc3280.txt
Answer: A,B
Explanation:
DNS spoofing allows a device to act as a proxy DNS server and spoof replies to any DNS
queries using either the configured IP address in the ip dns spoofing command or the IP address
of the incoming interface for the query. This functionality is useful for devices where the interface
toward the ISP is not up. Once the interface to the ISP is up, the device forwards DNS queries to
the real DNS servers.
The device will respond to the DNS query with the configured IP address when queried for any
host name other than its own but will respond to the DNS query with the IP address of the
incoming interface when queried for its own host name.
References: Reference:http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddrcr-book/ipaddr-i3.html#wp2060850399
Answer: D
Explanation:
Answer: B
Explanation:
When the VPN connects with the tunnelall policy, all traffic flows through the VPN tunnel and you
lose access to your local LAN. To allow local LAN access, exclude the local networks from the
tunnel by applying split-tunnel-policy excludespecified together with an access list that specifies the
local LAN addresses.
Answer: B,C
Explanation:
The error message is received when the router image is not a k9 image to support the security
features. Also, we can get this error message if the correct syntax is not used while generating key
pairs.
Answer: A,C
Explanation:
The profile configuration references a VRF, which makes this VPN profile VRF-aware. The
configuration is nevertheless invalid: interface Ethernet1/2 has the crypto map for the ISAKMP
profile applied, but no VRF command is configured on that interface.
Answer: A,D
Explanation:
MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the
required session keys and manages the required encryption keys. MKA and MACsec are
implemented after successful authentication using the 802.1X Extensible Authentication Protocol
(EAP) framework. Only host-facing links (links between network access devices and endpoint
devices such as a PC or IP phone) can be secured using MACsec.
A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy
associated with the client. MACsec frames are encrypted and protected with an integrity check
value (ICV). When the switch receives frames from the client, it decrypts them and calculates the
correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV
within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds
an ICV to any frames sent over the secured port (the access point used to provide the secure
MAC service to a client) using the current session key.
References:
Reference:http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/37e/c
onsolidated_guide/b_37e_consolidated_3650_cg/b_37e_consolidated_3650_cg_chapter_011101
01.pdf
Answer: B,F
Explanation:
Answer: D
The addition of authentication to your routers' EIGRP messages ensures that your routers only
accept routing messages from other routers that know the same pre-shared key. Without this
authentication configured, if someone introduces another router with different or conflicting route
information on to the network, the routing tables on your routers could become corrupt and a
denial of service attack could ensue. Thus, when you add authentication to the EIGRP messages
sent between your routers, it prevents someone from purposely or accidentally adding another
router to the network and causing a problem.
Answer: B
Explanation:
BGP Support for TTL Security Check feature introduces a lightweight security mechanism to
protect external Border Gateway Protocol (eBGP) peering sessions from CPU utilization-based
attacks using forged IP packets. Enabling this feature prevents attempts to hijack the eBGP
peering session by a host on a network segment that is not part of either BGP network or by a
host on a network segment that is not between the eBGP peers.You enable this feature by
configuring a minimum Time To Live (TTL) value for incoming IP packets received from a specific
eBGP peer. When this feature is enabled, BGP will establish and maintain the session only if the
TTL value in the IP packet header is equal to or greater than the TTL value configured for the
Answer: D
Explanation:
The command syntax used in order to configure the BGP Maximum-Prefix feature is:
neighbor {ip-address | peer-group-name} maximum-prefix maximum [threshold] [restart restart-interval] [warning-only]
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems that
can encapsulate a wide variety of network-layer protocols inside virtual point-to-point links over an
IP internetwork. The packet MTU is adjusted to accommodate the GRE overhead.
Answer: B,D
Explanation:
Answer: B
Explanation:
As Figure 1 illustrates, if an endpoint needs to perform IEEE 802.1X authentication, then it must
fail MAB. Consequently, its MAC address must not be in the databases that are checked for MAB.
In addition, the authentication, authorization, and accounting (AAA) server should not have a
policy that allows unknown MAC addresses to pass MAB (for example, for a dynamic guest VLAN
assignment).
References: http://www.cisco.com/c/en/us/products/collateral/ios-nx-ossoftware/identity-based-networking-service/application_note_c27-573287.html
Answer: D
Explanation:
When a new IP host is connected to the switch port, the router initiates the communication using
Extensible Authentication Protocol over LAN (EAPoL). The supplicant running on the device will
respond to it. Then the router proceeds with further authentication. If there is no response from the
device, it is considered a clientless device. Once the router gathers the credentials from the
device, they are forwarded to the RADIUS server for authentication. If the credentials are valid, the port
becomes enabled and gets attached to the trusted VLAN. If the credentials are invalid, the port is
shut. If the connected device does not respond to EAPoL messages (clientless device), the port is
shut down or assigned to the guest VLAN if it is configured on the port.
References: http://www.cisco.com/c/en/us/products/collateral/ios-nx-ossoftware/layered-perimeter-security-managed-services/prod_white_paper0900aecd805a5ab5.html
Answer: D
Explanation:
When multiple entries of a prefix list match a given prefix, the entry with the lowest sequence
number is used. For efficiency, you may want to put the most common matches or denials near
the top of the list by manually assigning them a lower sequence number. By default, sequence
numbers are automatically generated in increments of 5, beginning with 5.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/route_maps.html
Answer: A,E
Explanation:
Active/Standby failover lets you use a standby security appliance to take over the functionality of a
failed unit. When the active unit fails, it changes to the standby state while the standby unit
changes to the active state. The unit that becomes active assumes the IP addresses (or, for
transparent firewall, the management IP address) and MAC addresses of the failed unit and
begins passing traffic. The unit that is now in standby state takes over the standby IP addresses
and MAC addresses. Because network devices see no change in the MAC to IP address pairing,
no ARP entries change or time out anywhere on the network.
Answer: D
Explanation:
The packet is verified for the translation rules. If a packet passes through this check, then a
connection entry is created for this flow, and the packet moves forward. Otherwise, the packet is
dropped and the information is logged.
Answer: A,G
Explanation:
Answer: C,E
If you share an inside interface and do not use unique MAC addresses, the classifier imposes some
major restrictions. The classifier relies on the address translation configuration to classify the
packet within a context, and you must translate the destination addresses of the traffic. Because
you do not usually perform NAT on outside addresses, sending packets from inside to outside on
a shared interface is not always possible; the outside network is large (the Web, for example),
and addresses are not predictable for an outside NAT configuration. If you share an inside
interface, we suggest you use unique MAC addresses.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/contexts.html
Answer: A,D
Explanation:
By default, all security contexts have unlimited access to the resources of the ASA, except where
maximum limits per context are enforced; the only exception is VPN resources, which are disabled
Answer: C,E
Explanation:
Answer: C
Explanation:
Addresses monitored by the Botnet Traffic Filter include:
References: http://www.cisco.com/c/en/us/td/docs/security/asa/special/botnet/guide/asabotnet.html
Why does the EasyVPN session fail to establish between the client and server?
A.
incomplete ISAKMP profile configuration on the server
B.
incorrect IPsec phase-2 configuration on the server
C.
incorrect group configuration on the client
D.
ISAKMP key mismatch
E.
Answer: B
Explanation:
The Phase 2 configuration is incomplete. It should be:
crypto ipsec profile ipsecprof
set transform-set TS
set isakmp-profile ezvpnprof
The commands highlighted in red are missing from the configuration.
What is the reason for the failure of the DMVPN session between R1 and R2?
A.
tunnel mode mismatch
Answer: E
Explanation:
The tunnel source interface needs to be FastEthernet0/1.
What is the reason for the failure of the DMVPN session between R1 and R2?
A.
tunnel mode mismatch
Answer: C
Explanation:
There is a Phase 1 policy mismatch. Under crypto isakmp policy 1, one side is configured with group 3 and
the other side with group 2.
Answer: C
Explanation:
A DMVPN session will establish between R1 and R2 provided that the BGP and EIGRP
configurations are correct.
Answer: C
Explanation:
The first packet will be permitted, but the other packets will be dropped because of the topmost
access-list entry, which has an action of denying the traffic.
Answer: B
Explanation:
Here the fragments will be allowed, but only for port 80. Other ports are not allowed, and
whatever is not explicitly allowed is implicitly denied.
Answer: B
Explanation:
DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs.
You can enable the feature on a single VLAN or a range of VLANs.
Answer: B,D
Explanation:
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies
and procedures intended to optimize the security of credit, debit and cash card transactions and
protect cardholders against misuse of their personal information. The PCI DSS was created jointly
in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.
References: http://searchfinancialsecurity.techtarget.com/definition/PCI-DSS-Payment-CardIndustry-Data-Security-Standard
Why does the EasyVPN session fail to establish between the client and server?
A.
Incomplete IPsec phase-1 configuration on the server
B.
Incorrect IPsec phase-2 configuration on the server
C.
Incorrect group configuration on the client
D.
ISAKMP key mismatch
E.
Incorrect ACL in the ISAKMP client group configuration
Answer: C
Explanation:
On the client, the configuration says: group ezvpngrop key cisco; however, the configuration has to
Why does the EasyVPN session fail to establish between the client and server?
A.
Incomplete ISAKMP profile configuration on the server
B.
Incorrect IPsec phase-2 configuration on the server
C.
Answer: A
Explanation:
Under the isakmp configuration on the server, this command is missing:
isakmp configuration address respond
If this command is not applied, the client will not be able to obtain an IP address from the IP
pool defined on the server.
Which two items are not encrypted by ESP in tunnel mode? (Choose two)
Answer: A,F
Explanation:
The ESP header is inserted into the packet between the IP header and any subsequent packet
contents. However, because ESP encrypts the data, the payload is changed. ESP does not
encrypt the ESP header, nor does it encrypt the ESP authentication trailer.
Answer: C,D,F
Explanation:
RSA involves a public key and a private key. The public key can be known by everyone and is used
for encrypting messages. Messages encrypted with the public key can only be decrypted in a
reasonable amount of time using the private key. The keys for the RSA algorithm are generated
the following way:
The public key consists of the modulus n and the public (or encryption) exponent e. The private
key consists of the modulus n and the private (or decryption) exponent d, which must be kept
secret. p, q, and φ(n) must also be kept secret because they can be used to calculate d.
Ref: http://en.wikipedia.org/wiki/RSA_%28cryptosystem%29
Answer: C
Explanation:
AH provides authentication for as much of the IP header as possible, as well as for next-level
protocol data. However, some IP header fields may change in transit, and the value of these fields,
when the packet arrives at the receiver, may not be predictable by the sender. The values of such
fields cannot be protected by AH. Thus, the protection provided to the IP header by AH is
piecemeal. ESP does not protect any IP header fields unless those fields are encapsulated by
ESP (e.g., via use of tunnel mode).
Answer: A,D
Explanation:
By default, all security contexts have unlimited access to the resources of the ASA, except where
maximum limits per context are enforced; the only exception is VPN resources, which are disabled
by default. If you find that one or more contexts use too many resources, and they cause other
contexts to be denied connections, for example, then you can configure resource management to
limit the use of resources per context. For VPN resources, you must configure resource
management to allow any VPN tunnels.
All contexts belong to the default class if they are not assigned to another class; you do not have
to actively assign a context to the default class. If a context belongs to a class other than the
default class, those class settings always override the default class settings. However, if the other
class has any settings that are not defined, then the member context uses the default class for
those limits. For example, if you create a class with a 2 percent limit for all concurrent connections,
but no other limits, then all other limits are inherited from the default class. Conversely, if you
create a class with a limit for all resources, the class uses no settings from the default class.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_contexts.html#40167
Answer: C
Explanation:
Event action rules are a group of settings you configure for the event action processing component
of the sensor. These rules dictate the actions the sensor performs when an event occurs.
The event action processing component is responsible for the following functions:
Answer: C
Explanation:
Here are a few important limitations to be aware of:
References: http://www.enterprisenetworkingplanet.com/netsp/article.php/3769801/IOSTransparent-Firewalling-Simplifies-Your-Network.htm
Answer: C
Explanation:
Atomic: The Atomic engines are now combined into four engines with multi-level selections. You
can combine Layer 3 and Layer 4 attributes within one signature, for example IP + TCP. The
Atomic engine uses the standardized regex support.
Answer: D
Explanation:
All TACACS+ values are strings. The concept of a value "type" does not exist in TACACS+ as it
does in Remote Authentication Dial-In User Service (RADIUS).
References: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204ccc.html
Answer: B
Explanation:
The HTTP Inspection Engine feature allows users to configure their Cisco IOS Firewall to detect
and prohibit HTTP connections--such as tunneling over port 80, unauthorized request methods,
and non-HTTP compliant file transfers--that are not authorized within the scope of the security
policy configuration. Tunneling unauthorized protocols through port 80 and over HTTP exposes a
network to significant security risks.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/15-mt/https-15mt-book/nm-https-inspection-engine.html
Which option describes the behavior of the ACL if it is applied inbound on E0/0?
A.
The ACL will drop both initial and noninitial fragments for port 80 only.
B.
The ACL will pass both initial and noninitial fragments for port 80 only.
C.
The ACL will pass the initial fragment for port 80 but drop the noninitial fragment for any port.
D.
The ACL will drop the initial fragment for port 80 but pass the noninitial fragment for any port.
Answer: C
Explanation:
The first packet will be permitted, but the other packets will be dropped because of the topmost
access-list entry, which has an action of denying the traffic.
Answer: A,D
Explanation:
A traffic storm occurs when packets flood the LAN, creating excessive traffic and degrading
network performance. The traffic storm control feature prevents LAN ports from being disrupted by
a broadcast, multicast, or unicast traffic storm on physical interfaces.
Traffic storm control (also called traffic suppression) monitors incoming traffic levels over a
1-second traffic storm control interval, and during the interval it compares the traffic level with the
traffic storm control level that you configure. The traffic storm control level is a percentage of the
total available bandwidth of the port. Each port has a single traffic storm control level that is used
for all types of traffic (broadcast, multicast, and unicast).
Traffic storm control monitors the level of each traffic type for which you enable traffic storm
control in 1-second traffic storm control intervals.
References: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/122SX/configuration/guide/book/storm.html
Why does the Easy VPN session fail to establish between the client and server?
A.
Incomplete ISAKMP profile configuration on the server
B.
Incorrect IPsec phase-2 configuration on the server
C.
Incorrect group configuration on the client
D.
ISAKMP key mismatch
E.
Incorrect virtual-template configuration on the server
Answer: A
Explanation:
Under the isakmp configuration on the server, this command is missing:
Answer: E
Explanation:
Phase 1 of the tunnel is coming up, but Phase 2 is not negotiating. This is because of
the incorrect group configuration on the server.
Answer: B,D,E
Explanation:
References: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Which option describes the behavior of the ACL if it is applied inbound on E0/0?
A.
The ACL will drop both initial and noninitial fragments for port 80 only.
B.
The ACL will pass both initial fragments for port 80 and non-initial fragments.
C.
The ACL will pass the initial fragment for port 80 but drop the noninitial fragment for any port.
D.
The ACL will drop the initial fragment for port 80 but pass the noninitial fragment for any port.
Answer: B
Explanation:
The first packet will be permitted, but the other packets will be dropped because of the topmost
access-list entry, which has an action of denying the traffic.
Which AS-PATH access-list regular expression should be applied on R2 to allow only updates that
originate from AS-65001 or an AS that attaches directly to AS-65001?
A.
^65001_[0-9]*$
B.
_65001^[0-9]*
C.
65001_[0.9]$
D.
^65001_*$
Answer: A
Explanation:
Please refer to the link given to understand the regular expressions and the permitting of updates.
References: http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol
Answer: A
Explanation:
Dynamic authorization allows an external policy server to dynamically send updates to a device.
Once the aaa server radius dynamic-author command is configured, dynamic authorization local
server configuration mode is entered. Once in this mode, the RADIUS application commands can
be configured.
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-xe3se-3850-cr-book/sec-a1-xe-3se-3850-cr-book_chapter_01.html
Answer: A
Explanation:
general-keys: Specifies that a general-purpose key pair will be generated, which is the default.
usage-keys: Specifies that two RSA special-usage key pairs, one encryption pair and one
signature pair, will be generated.
If you generate special-usage keys, two pairs of RSA keys are generated. One pair is used with
any IKE policy that specifies RSA signatures as the authentication method. The other pair is used
with any IKE policy that specifies RSA encrypted keys as the authentication method.
Answer: D
Explanation:
The TCP intercept feature is a mechanism to protect end hosts from TCP SYN-flooding
attacks, a type of DoS attack.
A SYN-flooding attack occurs when an attacker floods a server with a barrage of requests for
connection. Because these messages have unreachable return addresses, the connections cannot
be established. The resulting volume of unresolved open connections eventually overwhelms the
server and can cause it to deny service to valid requests, thereby preventing legitimate users from
connecting to a web site, accessing e-mail, using FTP service, and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP
connection requests.
References: https://supportforums.cisco.com/document/12021641/tcp-interceptfeature-asa-device
Which set of commands is required on an ASA to fix the problem that the exhibit shows?
A.
Answer: B
Explanation:
The message on the client shows that the AnyConnect configuration has been done but has not
been enabled on the ASA. AnyConnect is enabled in two places: first by entering the
anyconnect enable command, and second by entering webvpn configuration mode and selecting the
interface on which you want to enable it.
Client1 has an IPsec VPN tunnel established to a Cisco ASA adaptive security appliance in
Chicago. The remote access VPN client wants to access www.cisco.com, but split tunneling is
disabled. Which of these is the appropriate configuration on the Cisco ASA adaptive security
appliance if the VPN client's public IP address is 209.165.201.10 and it is assigned a private
address from 192.168.1.0/24?
A.
same-security-traffic permit intra-interfaceip local pool ippool 192.168.1.1-192.168.1.254global
Answer: B
Explanation:
The command same-security-traffic permit intra-interface enables traffic to leave the same
interface from which it arrived. If this command is not applied, the ASA drops the packet,
treating it as malicious traffic. The command for the pool configuration is the same in all the
options. For the traffic that is coming in from 192.168.1.0/24, you need to specify the global IP so that
it can go out to the Internet using the public IP 209.165.200.230. You can do this with the
commands:
global (outside) 1 209.165.200.230
nat (outside) 1 192.168.1.0 255.255.255.0
Here nat (outside) is used because the VPN user is sitting on the outside interface and is trying to
access the Cisco website, which is reachable through the same interface.
References: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-seriesnext-generation-firewalls/67986-pix7x-asa-client-stick.html
Answer: A
Explanation:
You can configure a scan for antivirus, personal firewall, and antispyware applications and
updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN
connection. Following the prelogin assessment, CSD loads Endpoint Assessment checks and
reports the results back to the security appliance for use in assigning a DAP.
To enable or disable Host Scan extensions:
Step 1
Choose Secure Desktop Manager > Host Scan.
Step 2
Check one of the following options in the Host Extensions area of the Host Scan window:
Endpoint Assessment: If you check this option, the remote PC scans for a large collection of
antivirus, antispyware, and personal firewall applications, and associated updates.
Advanced Endpoint Assessment: This option is present only if the configuration includes a key for
an Advanced Endpoint Assessment license. It includes all of the Endpoint Assessment features,
and lets you configure an attempt to update noncompliant PCs to meet the version requirements
you specify. To turn on this option after acquiring a key from Cisco, choose Configuration > Device
Management > System Image/Configuration > Activation Key, enter the key in the New Activation
Key field, and click Update Activation Key.
Answer: B
Explanation:
hostname(config-load-balancing)# cluster port port_number
hostname(config-load-balancing)#
This command specifies the UDP port for the virtual cluster in which this device is participating.
The default value is 9023. If another application is using this port, enter the UDP destination port
number you want to use for load balancing.
References: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/vpnsysop.html
Answer: A,C,D
Explanation:
Unlike the IPsec VPN client, AnyConnect can recover from VPN session disruptions and can
reestablish a session, regardless of the media used for the initial connection. For example, it can
reestablish a session on wired, wireless, or 3G. The auto-reconnect function is enabled by default.
You can also define the reconnect behavior during and after system suspend or system resume.
A system suspend is a low-power standby, Windows hibernation, or Mac OS or Linux sleep.
A system resume is a recovery following a system suspend. Cisco AnyConnect reconnects when
the network interface changes, whether the IP of the NIC changes or whether connectivity
switches from one NIC to another; for example, wireless to wired or vice versa.
Answer: C
Explanation:
The error message in the debug says QM FSM error (P2 struct), i.e. the Phase 2 negotiation failed. In
Phase 2, there can be various reasons for a failed negotiation.
Furthermore, another log line says "Tunnel Rejected: Conflicting protocols specified by
tunnel-group and group-policy", i.e. IPsec is not defined as the tunnel protocol on one end.
Answer: E
Explanation:
Whenever a change is planned, the stakeholder needs to be updated about it. Once you
share the complete scenario with the stakeholder, it is entirely up to the stakeholder where
he wants to get involved.
Answer: A,B,C,D
Explanation:
Although all six options are good enough to be selected as answers, the closest ones are
Physical, Host, User and Document.
Answer: C
Explanation:
The output contains the line in use settings = {Tunnel UDP-Encaps, }; this UDP
encapsulation is used whenever there is a NAT device in between the peers.
Answer: D
Explanation:
1328 will be the correct answer. GRE adds 28 bytes of overhead because of the additional 4-byte
Key field (which is not typically included in the GRE header when using a point-to-point tunnel).
Answer: D
Explanation:
Port-to-Application Mapping (PAM), existing in Cisco IOS, allows you to customize TCP or UDP port
numbers for network services or applications. Using the port information, PAM establishes a table
of default port-to-application mapping information at the firewall. The information in the PAM table
enables Context-Based Access Control (CBAC) supported services to run on nonstandard ports.
PAM also supports host- or subnet-specific port mapping, which allows you to apply PAM to a
single host or subnet using standard ACLs. Host- or subnet-specific port mapping is done using a
standard ACL, e.g. create an access-list and then apply it:
Router1(config)#ipv6 port-map application-name port port [list acl-name]
Answer: A,B,C
Explanation:
Device Identities
Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you
assign a name (device ID) to each Cisco TrustSec-capable switch to identify it uniquely in the
Cisco TrustSec domain. This device ID is used for the following:
Answer: A
Explanation:
The Control Plane Protection feature is an extension of the policing functionality provided by the
existing Control-plane Policing feature. The Control-plane Policing feature allows Quality of
Service (QoS) policing of aggregate control-plane traffic destined to the route processor. The
Control Plane Protection feature extends this policing functionality by allowing finer policing
granularity.
References: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
Answer: A
Explanation:
Enables fast switching for packets that are forwarded using Policy Based Routing (PBR). This is not
required if CEF is enabled, since modern IOS code does PBR in CEF; no special configuration is
required to enable CEF-switched PBR, as it is on by default since IOS 12.0 as soon as you enable
CEF and PBR on the router.
Answer: A
Explanation:
Answer: A
Explanation:
The correct answer to this question is 1; however, students often disagree with that answer choice.
The rationale behind the answer is simply that the correct order is given in the diagram in the
incident management process, and in the subsections of [SO] 4.2.5. In this post, I will provide a
better explanation of why choice a is the correct answer.
First of all, the flow of activities in the incident management process is described in the Service
Operation book section 4.2.5, and shown visually in Figure 4.3. Figure 4.3 shows the following flow
of activities for incident management:
As shown in Figure 4.3, the correct flow of activities in the incident management process begins
with identification, which is followed by logging, which in turn is followed by categorization. Initial
diagnosis occurs later in the process flow following prioritization.
While the Service Operation book is clear about the flow of activities, the logic behind why the
activities are in this order is not completely clear. Very few people disagree that the incident
management process begins with identification, which in turn is followed by logging. The
disagreement primarily exists in what follows logging, whether it is categorization or initial
diagnosis. A good way to summarize the flow of activities is that they flow from general to specific.
It often helps to clarify what the steps in the process do. Categorization allocates the type of
Answer: A,B
Explanation:
PEAP uses a TLS channel to protect the user credentials. Other password-based methods such
as EAP-MD5 and LEAP do not create a TLS channel and are exposed to offline dictionary attacks on
the user credentials. Using the TLS channel from the client to the authentication server, PEAP offers
end-to-end protection, not just over the wireless data link.
Which three fields of the IP header labeled can be used in a spoofing attack? (Choose one.)
A.
6, 7, 11
B.
6, 11, 12
C.
3, 11, 12
D.
4, 7, 11
Answer: A
Explanation:
On the Internet, information circulates thanks to the IP protocol, which ensures data encapsulation
in structures called packets (or more precisely IP datagrams). Here is the structure of a datagram:
Version
Header length
QoS-enabled networks are vulnerable to QoS marking attacks. Basically, in a QoS marking
attack, an attacker attempts to obtain enhanced service by changing the markings on the packets to
gain a better class of service treatment than what they are paying or subscribing for.
Answer: C
Explanation:
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user. The result is that an application with more privileges than
intended by the application developer or system administrator can perform unauthorized actions.
Answer: D,E
Explanation:
IPsec prevents packet modification to thwart man-in-the-middle attacks. However, this strong
security feature also generates operational problems. NAT frequently breaks IPsec because it
modifies packets by substituting public IP addresses for private ones. Many IPsec products
implement NAT traversal extensions, but support for this feature isn't universal, and
interoperability is still an issue.
SSL is almost as tough against man-in-the-middle attacks, without IPsec's NAT conflict. SSL rides
on TCP, so it's insulated from IP and port modifications, and thus passes easily through NAT. SSL
carries sequence numbers inside encrypted packets to prevent packet injection, and TLS uses
message authentication to detect payload changes.
Answer: A,C,F
Explanation:
A mobile node can identify itself using its home address as an identifier. The Mobile IPv6 protocol
messages use this identifier in their registration messages. However, for certain deployments it is
essential that the mobile node has the capability to identify itself using a logical identifier, such as
NAI, rather than a network address. The mobile node identifier option for Mobile IPv6 allows a
mobile node to be identified by NAI rather than IPv6 address. This feature enables the network to
give a dynamic IPv6 address to a mobile node and authenticate the mobile node using
authentication, authorization, and accounting (AAA). This option should be used when either
Internet Key Exchange (IKE) or IPsec is not used for protecting BUs or binding acknowledgments
(BAs).
In order to provide roaming services, a standardized method, such as NAI or a mobile node home
address, is needed for identifying users. Roaming may be loosely defined as the ability to use any
one of multiple Internet service providers (ISPs) while maintaining a formal, customer-vendor
relationship with only one. Examples of where roaming capabilities might be required include ISP
confederations and ISP-provided corporate network access support. Other entities interested in
roaming capability may include the following:
References: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/152mt/ipv6-15-2mt-book/ip6-mobile.html
Answer: B,C,E
Explanation:
DES uses a 64-bit key, but eight of those bits are used for parity checks, effectively limiting the key
to 56 bits. Hence, it would take a maximum of 2^56, or 72,057,594,037,927,936, attempts to find
the correct key.
To encrypt a plaintext message, DES groups it into 64-bit blocks. Each block is enciphered using
the secret key into a 64-bit ciphertext by means of permutation and substitution. The process
involves 16 rounds and can run in four different modes, encrypting blocks individually or making
each cipher block dependent on all the previous blocks.
Answer: A,D,E
Explanation:
In IKEv1, there was a clearly demarcated Phase 1 exchange, which contains six packets, followed
by a Phase 2 exchange made up of three packets; the IKEv2 exchange is variable. At best, it
can exchange as few as four packets. At worst, this can increase to as many as 30 packets (if not
more), depending on the complexity of authentication, the number of Extensible Authentication
Protocol (EAP) attributes used, as well as the number of SAs formed. IKEv2 combines the Phase
2 information in IKEv1 into the IKE_AUTH exchange, and it ensures that after the IKE_AUTH
exchange is complete, both peers already have one SA built and ready to encrypt traffic. This SA
is only built for the proxy identities that match the trigger packet. Any subsequent traffic that
matches other proxy identities then triggers the CREATE_CHILD_SA exchange, which is the
equivalent of the Phase 2 exchange in IKEv1. There is no Aggressive Mode or Main Mode.
References: http://www.cisco.com/image/gif/paws/115936/understanding-ikev2-packetexch-debug.pdf
Answer: B,C,D
Explanation:
Answer: C
Explanation:
Cisco IOS disables the service tcp-small-servers command by default. Enabling this command
turns on the following services on the router: Echo, Discard, Chargen, and Daytime.
Answer: A
An AAAA-record is used to specify the IPv6 address for a host (equivalent of the A-record type for
IPv4).
Answer: C
Explanation:
A wireless sniffer is a type of packet analyzer. A packet analyzer (also known as a packet sniffer)
is a piece of software or hardware designed to intercept data as it is transmitted over a network
and decode the data into a format that is readable for humans. Wireless sniffers are packet
analyzers specifically created for capturing data on wireless networks. Wireless sniffers are also
commonly referred to as wireless packet sniffers or wireless network sniffers.
Answer: A
Explanation:
Scavenger class is intended for undesirable traffic (i.e., virus, worms, etc.) and non-productive or
employee-distracting applications. The scavenger class of traffic will reside in the same queue as
the default class of traffic. Some switches (with adjustable thresholds) will allow you to have
multiple classes in each queue and still penalize one class more than another. You need to check
the capabilities of your switches to determine if you have adjustable thresholds on your queues;
otherwise it doesn't do us much good.
Answer: A
Explanation:
Answer: D
Explanation:
Anti-replay protection is an important security service that the IPSec protocol offers. Disabling IPSec
anti-replay has security implications and should only be done with caution.
Here are the steps to process incoming IPSec traffic on the receiving tunnel endpoint with anti-replay enabled:
When configuring a Cisco IPS custom signature, what type of signature engine must you use to
block podcast clients from accessing the network?
A.
service HTTP
B.
service TCP
C.
string TCP
D.
fixed TCP
E.
service GENERIC
Answer: A
Explanation:
A signature micro-engine is a component of an IDS and IPS sensor that supports a group of
signatures that are in a common category. Each engine is customized for the protocol and fields
that it is designed to inspect and defines a set of legal parameters that have allowable ranges or
sets of values. The signature micro-engines look for malicious activity in a specific protocol.
Signatures can be defined for any of the supported signature micro-engines using the parameters
offered by the supporting micro-engine. Packets are scanned by the micro-engines that
understand the protocols contained in the packet.
Answer: A
Explanation:
Answer: B
Explanation:
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access to resources that are normally
protected from an application or user.
Answer: D
Explanation:
ASA uses regular expressions (regex) together with the Modular Policy Framework to inspect specific
HTTP data patterns in order to detect the SQL injection attack. It basically checks for the SQL
command UNION ALL SELECT, i.e. regex SQL_regex_1
Answer: A,B,C,D
Explanation:
Risk rating is a quantitative measure of your network's threat level before IPS mitigation. For each
event fired by IPS signatures, Cisco IPS Sensor Software calculates a risk rating number. The
factors used to calculate risk rating are:
Signature fidelity rating: This IPS-generated variable indicates the degree of attack certainty.
Attack severity rating: This IPS-generated variable indicates the amount of damage an attack
can cause.
Target value rating: This user-defined variable indicates the criticality of the attack target. This is
the only factor in risk rating that is routinely maintained by the user. You can assign a target value
rating per IP address in Cisco IPS Device Manager or Cisco Security Manager. The target value
rating can raise or lower the overall risk rating for a network device. You can assign the following
target values:
Risk rating can help enhance your productivity as it intelligently assesses the level of risk of each
event and helps you focus on high-risk events.
References: http://www.cisco.com/c/en/us/products/collateral/security/ips-4200-seriessensors/prod_white_paper0900aecd806e7299.html
Answer: B
Explanation:
Answer: A
Explanation:
The Cisco RADIUS implementation supports one vendor-specific option using the format
recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string of the following format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of
authorization; protocols that can be used include IP, IPX, VPDN, VOIP, SHELL, RSVP, SIP,
AIRNET, OUTBOUND. Attribute and value are an appropriate attribute-value (AV) pair defined
in the Cisco TACACS+ specification, and sep is = for mandatory attributes and * for optional
attributes. This allows the full set of features available for TACACS+ authorization to also be used
for RADIUS.
References: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat3.pdf
Answer: A,B,D,G
Explanation:
With pre-configured Cisco checks and rules, or custom checks and rules that you configure, the
Agent can check if any application or service is running, whether a registry key exists, and/or the
value of a registry key. Cisco pre-configured rules provide support for Critical Windows OS
hotfixes.
Users download and install the Cisco NAC Agent/Clean Access Agent (read-only client software),
which can check the host registry, processes, applications, and services. The Clean Access Agent
can be used to perform antivirus or antispyware definition updates, distribute files uploaded to the
Clean Access Manager, distribute website links to websites in order for users to download files to
fix their systems, or simply distribute information/instructions.
References: http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/461/cam/461cam-book/m_agntd.pdf
Answer: A
Explanation:
A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses.
This is easily achieved with attack tools such as the gobbler. If enough requests are sent, the
network attacker can exhaust the address space available to the DHCP servers for a period of
time. This is a simple resource starvation attack just like a synchronization (SYN) flood attack.
Network attackers can then set up a rogue DHCP server on their system and respond to new
DHCP requests from clients on the network.
Answer: B
Explanation:
Answer: B
Explanation:
The Network Edge Access Topology (NEAT) feature extends identity to areas outside the wiring
closet (such as conference rooms). This allows any type of device to authenticate on the port.
You can enable MDA or multiauth mode on the authenticator switch interface that connects to one
or more supplicant switches. Multihost mode is not supported on the authenticator switch interface.
Use the dot1x supplicant force-multicast global configuration command on the supplicant switch
for Network Edge Access Topology (NEAT) to work in all host modes.
Figure 11-6 Authenticator and Supplicant Switch using CISP
1. Workstations (clients)
2. Supplicant switch (outside wiring closet)
3. Authenticator switch
4. Access control server (ACS)
5. Trunk port
Answer: A,C,D,E
Explanation:
Answer: A,C,D
Explanation:
Remotely triggered black hole (RTBH) filtering is a technique that provides the ability to drop
undesirable traffic before it enters a protected network.
Source-based black holes provide the ability to drop traffic at the network edge based on a specific
source address or range of source addresses. With destination-based black holing, all traffic to a
specific destination is dropped once the black hole has been activated, regardless of where it is
coming from. Obviously, this could include legitimate traffic destined for the target.
If the source address (or range of addresses) of the attack can be identified (spoofed or not), it
would be better to drop all traffic at the edge based on the source address, regardless of the
destination address. This would permit legitimate traffic from other sources to reach the target.
Implementation of source-based black hole filtering depends on Unicast Reverse Path Forwarding
(URPF), most often loose mode URPF.
Answer: C
Explanation:
Forensic analysis of the Windows NT File System (NTFS) could provide useful information leading
towards malware detection and presentation of digital evidence for the court of law. Since NTFS
records every event of the system, forensic tools are required to process an enormous amount of
information related to user / kernel environment, buffer overflows, trace conditions, network stack,
etc. This has led to imperfect forensic tools that are practical for implementation and hence
become popular, but are not comprehensive and effective. Many existing techniques have failed to
identify malicious code in hidden data of the NTFS disk image.
It is based on a combination of traditional inspection and network reputation information. The risk
rating mechanism combines the two threat signals.
Answer: B,D,E
Explanation:
Host subinterface: This interface receives all control plane IP traffic that is directly destined for one
of the router interfaces (physical and loopback). Examples of control plane host IP traffic include
tunnel termination traffic; management traffic; and routing protocols such as SSH, SNMP, internal
BGP (iBGP), and EIGRP. All host traffic terminates on and is processed by the router.
Transit subinterface: This subinterface receives all control plane IP traffic that is software switched
by the route processor. This traffic consists of packets that are not directly destined to the router
itself but rather are traffic traversing through the router. Nonterminating tunnels handled by the
router are an example of this type of control plane traffic. Control Plane Protection allows specific
What service is enabled on the router for a remote attacker to obtain this information?
A.
TCP small services
B.
finger
C.
maintenance operation protocol
D.
chargen
E.
Telnet
F.
CEF
Answer: B
Explanation:
Answer: A
Explanation:
The deauthentication/disassociation flood attack targets one or all users on a specific BSSID
(MAC address of the access point).
References: http://www.sans.org/reading-room/whitepapers/wireless/80211-denialservice-attacks-mitigation-2108
Answer: A
Explanation:
Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Its
intention was to provide data confidentiality comparable to that of a traditional wired network. WEP
uses the stream cipher RC4 for confidentiality, and the CRC-32 checksum for integrity.
There are three zones used with anomaly detection. Each zone has a different traffic pattern, and as a
result, thresholds in each zone are very likely to be different. It is the IP addresses that define
which networks are part of which zone. By default, all IP addresses are assigned to the external
zone. The internal zone should be configured with the IP address ranges of the internal networks. We can
also configure the illegal zone with IP addresses and address ranges that are not valid.
Answer: B,C,E,F
Explanation:
Answer: A
Explanation:
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems
as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while
preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST.
EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client
credentials are verified. EAP is an authentication framework providing for the transport and usage
of keying material and parameters generated by EAP methods.
Answer: B,C,D
Explanation:
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols
and security certification programs developed by the Wi-Fi Alliance to secure wireless computer
networks. The Alliance defined these in response to serious weaknesses researchers had found in
the previous system, WEP (Wired Equivalent Privacy).
Answer: A,C,D
Explanation:
You should contact the Security Incident Response team in the situations listed below:
Answer: A
Explanation:
If any condition is not met, the RADIUS server sends an "Access-Reject" response indicating that
this user request is invalid. If desired, the server MAY include a text message in the Access-Reject
which MAY be displayed by the client to the user. No other Attributes (except Proxy-State) are
permitted in an Access-Reject.
Answer: A
Explanation:
RADIUS is a client/server protocol that runs in the application layer, using UDP as transport. The
Remote Access Server, the Virtual Private Network server, the Network switch with port-based
authentication, and the Network Access Server (NAS), are all gateways that control access to the
network, and all have a RADIUS client component that communicates with the RADIUS server.
References: http://en.wikipedia.org/wiki/RADIUS
Answer: A
Explanation:
Answer: A
Explanation:
The basic idea of the URL integrity check is that the server certificate's identity must match the
server host name. This integrity check has an important impact on how you generate X.509
certificates for HTTPS: the certificate identity (usually the certificate subject DN's common name)
must match the host name on which the HTTPS server is deployed.
Answer: C
Explanation:
The Cisco ASA appliance with the Botnet Traffic Filter should be deployed at the edge of the
enterprise Internet edge, as the botnet database only contains information about external botnets.
It is also best to address the external threat as close to the source as possible. This feature is
restricted to IPv4 traffic.
The Botnet Traffic Filter is supported in all firewall modes (single and multiple), and in routed and
transparent modes.
The Cisco ASA appliance supports the Botnet Traffic Filter in High Availability (HA) mode.
Answer: C
Explanation:
MPF provides a consistent and flexible way to configure security appliance features. For example,
you can use MPF to create a timeout configuration that is specific to a particular TCP application,
as opposed to one that applies to all TCP applications.
MPF supports these features:
The configuration of the MPF consists of four tasks:
References: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-seriesnext-generation-firewalls/110572-asa-pix-mpf-00.html
Answer: A,E
Explanation:
Destination-Based Remotely Triggered Black Hole Filtering
With a denial-of-service (DoS) attack,
in addition to service degradation of the target, there is possible collateral damage such as
bandwidth consumption, processor utilization, and potential service loss elsewhere in the network.
One method to mitigate the damaging effects of such an attack is to black hole (drop) traffic
destined to the IP address or addresses being attacked and to filter the infected host traffic at the
edge of the network closest to the source of the attack. The challenge is to find a way to quickly
drop the offending traffic at the network edge, document and track the black holed destination
addresses, and promptly return these addresses to service once the threat disappears.
Destination-based IP black hole filtering with remote triggering allows a network-wide destination-based black hole to be propagated by adding a simple static route to the triggering device (trigger).
The trigger sends a routing update for the static route using iBGP to the other edge routers
configured for black hole filtering. This routing update sets the next hop IP address to another
preconfigured static route pointing to the null interface. This process is illustrated in Figure 1.
The three steps in destination-based black hole filtering are summarized below.
Step 1. The setup (preparation): A trigger is a special device that is installed at the NOC
exclusively for the purpose of triggering a black hole. The trigger must have an iBGP peering
relationship with all the edge routers, or, if using route reflectors, it must have an iBGP relationship
with the route reflectors in every cluster. The trigger is also configured to redistribute static routes
to its iBGP peers. It sends the static route by means of an iBGP routing update. The Provider
Edges (PEs) must have a static route for an unused IP address space. For example, 192.0.2.1/32
is set to Null0. The IP address 192.0.2.1 is reserved for use in test networks and is not used as a
deployed IP address.
Step 2. The trigger: An administrator adds a static route to the trigger, which redistributes the route
by sending a BGP update to all its iBGP peers, setting the next hop to the target destination
address under attack as 192.0.2.1 in the current example. The PEs receive their iBGP update and
set their next hop to the target to the unused IP address space 192.0.2.1. The route to this
address is set to null0 in the PE, using a static routing entry in the router configuration. The next
hop entry in the forwarding information base (FIB) for the destination IP (target) is now updated to
Answer: A
Explanation:
ISO 27001:2013 is an information security standard that was published on the 25th September
2013. It supersedes ISO/IEC 27001:2005, and is published by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO
and IEC subcommittee, ISO/IEC JTC 1/SC 27. It is a specification for an information security
management system (ISMS). Organisations which meet the standard may gain an official
certification issued by an independent and accredited certification body on successful completion
of a formal audit process.
Answer: A
Explanation:
Answer: A
Explanation:
Which two statements correctly describe the debug output that is shown in the exhibit? (Choose
two.)
A.
The request is from NHS to NNC.
B.
The request is from NHC to NHS.
C.
69.1.1.2 is the local non-routable address.
D.
192.168.10.2 is the remote NBMA address.
E.
192.168.10.1 is the local VPN address.
F.
This debug output represents a failed NHRP request.
Answer: B,E
Explanation:
Please refer to the link given in reference to understand the debugging of DMVPN.
References: http://www.cisco.com/c/en/us/support/docs/security-vpn/dynamic-multipoint-vpn-dmvpn/116957-technote-dmvpn-00.html
Answer: C
Explanation:
A ping sweep (also known as an ICMP sweep) is a basic network scanning technique used to
determine which of a range of IP addresses map to live hosts (computers). Whereas a single ping
will tell you whether one specified host computer exists on the network, a ping sweep consists of
ICMP (Internet Control Message Protocol) ECHO requests sent to multiple hosts. If a given
address is live, it will return an ICMP ECHO reply. Ping sweeps are among the older and slower
methods used to scan a network.
Answer: C
Explanation:
The Internet Control Message Protocol (ICMP) is one of the main protocols of the Internet Protocol
Suite. It is used by network devices, like routers, to send error messages indicating, for example,
that a requested service is not available or that a host or router could not be reached. ICMP can
also be used to relay query messages. It is assigned protocol number 1. ICMP differs from
transport protocols such as TCP and UDP in that it is not typically used to exchange data between
systems, nor is it regularly employed by end-user network applications (with the exception of some
diagnostic tools like ping and traceroute).
Answer: C
Explanation:
Traceroute is a networking utility designed to list the routers involved in making a connection from
one host to another across a network. It lists the number of hops the packets take and the IP
addresses of each router along the way. In order to determine this information traceroute relies on
Many firewalls are configured to block traceroute and ping traffic from the outside to prevent
attackers from learning the details of the internal networks and hosts. The following example
shows the tracert.exe output when a firewall or router access control list blocks the ping traffic:
As you can see, we are unable to complete the trace and begin receiving timeout messages at the
host that drops the ping packets. We are unable to determine any information beyond this
system.
Answer: D
Explanation:
Answer: C
Explanation:
The word Botnet is formed from the words robot and network. Cybercriminals use special Trojan
viruses to breach the security of several users' computers, take control of each computer, and
Answer: C
Explanation:
Depleting the backlog is the goal of the TCP SYN flooding attack, which attempts to send enough
SYN segments to fill the entire backlog. The attacker uses source IP addresses in the SYNs that
are not likely to trigger any response that would free the TCBs from the SYN-RECEIVED state.
Because TCP attempts to be reliable, the target host keeps its TCBs stuck in SYN-RECEIVED for a
relatively long time before giving up on the half connection and reaping them. In the meantime,
service is denied to the application process on the listener for legitimate new TCP connection
initiation requests.
Answer: A,B,D
Explanation:
Answer: C
Explanation:
Deny connection inline: This action prevents further communication for the specific TCP flow. This
action is appropriate when there is the potential for a false alarm or spoofing and when an
administrator wants to prevent the action but not deny further communication.
Answer: C
Explanation:
The Atomic IP Advanced engine parses and interprets the IPv6 header and its extensions, the
Answer: C
Explanation:
DDoS attacks can be broadly divided into three different types. The first, Application Layer DDoS
Attacks, includes Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or
OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the
goal of these attacks is to crash the web server, and the magnitude is measured in Requests per
second.
The second type of DDoS attack, Protocol DDoS Attacks, includes SYN floods, fragmented packet
attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server
resources, or those of intermediate communication equipment, such as firewalls and load
balancers, and is measured in Packets per second.
The third type of DDoS attack is generally considered the most dangerous. Volume-based DDoS
Attacks include UDP floods, ICMP floods, and other spoofed-packet floods. The volume-based
attacks' goal is to saturate the bandwidth of the attacked site, and magnitude is measured in Bits
per second.
Answer: C
Explanation:
Prelogin assessment is the assessment done when the administrator creates a rule on the firewall
to allow only those users to connect who meet the predefined criteria. For example, if a user is
connecting and the admin has configured a rule that allows only those who have a file named
test.txt with a value of 123123123, then only those users who have this file at the specified location
with the same value in it will be able to connect.
Answer: D
Explanation:
Inverse Mapping is a technique used to map internal networks or hosts that are protected by a
filtering device. Usually some of those systems are not reachable from the Internet. We use
routers, which will give away internal architecture information of a network, even if the question
they were asked does not make any sense, for this scanning type.
Answer: D
Explanation:
Answer: C
Explanation:
Answer: C
Explanation:
The term posture is used to refer to the collection of attributes that play a role in the conduct and
"health" of the endpoint device that is seeking access to the network. Posture validation, or posture
assessment, refers to the act of applying a set of rules to the posture data to provide an
Answer: A,B,C
Explanation:
To secure the control plane, we harden MSDP via three basic security measures:
1) MSDP SA Filters
It is a best common practice to filter the content of MSDP messages via MSDP SA filters. The
main idea of this filter is to avoid propagating multicast state for applications and groups that are
not Internet-wide applications and do not need to be forwarded beyond the source domain. Ideally,
from a security point of view, the filters should only allow known groups (and potentially senders),
and deny any unknown senders and/or groups.
2) MSDP State Limitation
When MSDP is enabled between ASs, it is recommended to limit the amount of state that will be
built in the router due to Source-Active (SA) messages received from neighbors.
3) MSDP MD5 Neighbor Authentication
Answer: A,B,C
Explanation:
Answer: B,C
Explanation:
The Secure Trusted Network Detection feature detects when an endpoint is on the corporate LAN,
either physically or by means of a VPN connection. If the Secure Trusted Network Detection
feature is enabled, any network traffic originating from the corporate LAN bypasses Cisco Cloud
Web Security scanning proxies. The security of that traffic gets managed by other methods and
devices sitting on the corporate LAN rather than Cisco Cloud Web Security. TND is detected with
the domain name. If you are in your company's domain, you will be marked as being in the trusted
network, and if someone intercepts your traffic, starts acting as your trusted DHCP server
and shares the domain details, you will keep passing details to them, which they can use
to understand the internal network.
Answer: A,B
Explanation:
DefaultRAGroup and DefaultL2LGroup are the two groups that are created by default on the ASA.
If you do not specify any policy in the manually created groups, then they inherit all the
policies from these default groups and may behave unexpectedly. Whenever something
is not specified properly, or there is no match, the default groups are consulted. When these
groups are looked up and no configuration is specified for a specific peer, the ASA falls back
to the default group.
Answer: B
Answer: D
Explanation:
IPSec provides anti-replay protection against an attacker who duplicates encrypted packets with
the assignment of a monotonically increasing sequence number to each encrypted packet. The
receiving IPSec endpoint keeps track of which packets it has already processed on the basis of
these numbers with the use of a sliding window of all acceptable sequence numbers. Currently,
the default anti-replay window size in the Cisco IOS implementation is 64 packets.
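As an added illustration (not Cisco's code and not part of the original dump), the Python model below implements the receive-side anti-replay window described here and in the earlier anti-replay explanation whose processing steps were cut off: the window layout follows RFC 4303 (a 64-bit map anchored at the highest accepted sequence number), and the `icv_ok` flag on the constructed sample traffic stands in for the integrity check that a real IPsec stack performs between the replay check and the window update.

```python
from dataclasses import dataclass

DEFAULT_WINDOW = 64  # the Cisco IOS default anti-replay window size quoted in the text


@dataclass
class AntiReplayWindow:
    """Sliding window over ESP/AH sequence numbers, laid out as in RFC 4303.

    `top` is the highest sequence number accepted so far (0 = nothing yet) and
    bit i of `bitmap` is set when sequence number (top - i) has been accepted,
    so the window covers [top - size + 1, top].
    """
    size: int = DEFAULT_WINDOW
    top: int = 0
    bitmap: int = 0

    def check(self, seq: int) -> str:
        """Replay check: classify a sequence number without changing any state."""
        if seq == 0:
            return "invalid"      # sequence numbers start at 1, so 0 is never valid
        if seq > self.top:
            return "new"          # right of the window: will advance it if accepted
        offset = self.top - seq
        if offset >= self.size:
            return "stale"        # left of the window: too old to judge, dropped
        if (self.bitmap >> offset) & 1:
            return "replay"       # inside the window and already seen: duplicate
        return "new"

    def update(self, seq: int) -> None:
        """Mark `seq` as accepted; only call after the integrity check has passed."""
        if seq > self.top:
            shift = seq - self.top
            # slide the window right; a jump of a full window empties the history
            self.bitmap = 1 if shift >= self.size else (self.bitmap << shift) | 1
            self.bitmap &= (1 << self.size) - 1   # keep exactly `size` bits
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process_inbound(window: AntiReplayWindow, packets) -> list:
    """Run the receive-side steps over (seq, icv_ok) pairs, returning one verdict each.

    icv_ok stands in for ICV/MAC verification. Packets that fail it never update the
    window, so a forged packet cannot poison the history of legitimate ones.
    """
    verdicts = []
    for seq, icv_ok in packets:
        verdict = window.check(seq)
        if verdict == "new":
            if icv_ok:
                window.update(seq)
                verdict = "accept"
            else:
                verdict = "bad-icv"
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic (not a capture): reordering, a duplicate, a jump past the
# window, a packet that has fallen behind it, a forgery with a bad ICV, and a replay.
SAMPLE_PACKETS = [
    (1, True), (3, True), (2, True),   # out of order but all fresh
    (3, True),                         # duplicate of an accepted packet
    (70, True),                        # jump beyond the window: history is reset
    (5, True),                         # now left of [7, 70]: stale
    (7, True),                         # oldest sequence number still inside the window
    (71, False),                       # forged packet: replay check passes, ICV fails
    (71, True), (71, True),            # genuine 71, then its replay
]

if __name__ == "__main__":
    results = process_inbound(AntiReplayWindow(), SAMPLE_PACKETS)
    for (seq, ok), verdict in zip(SAMPLE_PACKETS, results):
        print(f"seq={seq:<3} icv_ok={ok!s:<5} -> {verdict}")
```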
Answer: A,B,E
Explanation:
The user community is the linchpin in any antivirus deployment. Never underestimate the value of
educating users about using email clients, using common sense in the Internet experience, and
noticing suspicious behavior. While many security programs emphasize that security is
everyone's responsibility, organizations are well advised to balance the burden placed on the
user community in the overall antivirus effort. The less manual effort involved, the less security
contributes to the general overhead of an organization. Some security management capabilities
that you need to think about at Layer 6 are:
The advantage of installing virus signature updates without user intervention
The advantage of automatically repairing viruses, if they are repairable
The advantage of automatically setting aside infected files that cannot be repaired so that skilled
practitioners can analyze them and users don't propagate the infected files
The level of effort, and the errors introduced, by users renaming documents affected by the
Sanitizer, noted in the Layer 2 Scanning Content section, to defang attachments
Answer: B
Explanation:
A hard disk image is interpreted by a Virtual Machine Monitor as a system hard disk drive. IT
administrators and software developers administer them through offline operations using built-in or
Answer: A,B,C
Explanation:
Each TCP connection has two ISNs: one generated by the client and one generated by the server.
The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound
directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next
ISN for a new connection and potentially hijacking the new session.
407
Answer: B
Explanation:
The Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC-SSM)
delivers industry-leading threat protection and content control at the Internet edge providing
comprehensive antivirus, anti-spyware, file blocking, anti-spam, anti-phishing, URL blocking and
filtering, and content filtering-all available in a comprehensive easy-to-manage solution delivered
by industry leaders. The CSC-SSM bolsters the Cisco ASA 5500 Series' strong security
capabilities providing customers with additional protection and control over the content of their
business communications.
Cisco IOS NetFlow efficiently provides a key set of services for IP applications, including network
traffic accounting, usage-based network billing, network planning, security, Denial of Service
monitoring capabilities, and network monitoring. NetFlow provides valuable information about
network users and applications, peak usage times, and traffic routing. Cisco invented NetFlow and
is the leader in IP traffic flow technology.
The basic output of NetFlow is a flow record. Several different formats for flow records have
evolved as NetFlow has matured. The most recent evolution of the NetFlow flow-record format is
known as NetFlow version 9. The distinguishing feature of the NetFlow Version 9 format, which is
the basis for an IETF standard, is that it is template-based. Templates provide an extensible
design to the record format, a feature that should allow future enhancements to NetFlow services
without requiring concurrent changes to the basic flow-record format. Using templates provides
several key benefits:
Answer: B
Explanation:
ASA only allows unicast traffic across the VPN tunnel. You can send multicast traffic over GRE
tunnel but ASA does not support GRE VPN. GRE is supported on routers.
Answer: B
Explanation:
LLQ priority queuing lets you prioritize certain traffic flows (such as latency-sensitive traffic like
voice and video) ahead of other traffic. Priority queueing uses an LLQ priority queue on an
interface, while all other traffic goes into the "best effort" queue. Because queues are not of infinite
size, they can fill and overflow. When a queue is full, any additional packets cannot get into the
queue and are dropped. This is called tail drop. To avoid having the queue fill up, you can increase
the queue buffer size. You can also fine-tune the maximum number of packets allowed into the
transmit queue. These options let you control the latency and robustness of the priority queuing.
Packets in the LLQ queue are always transmitted before packets in the best effort queue.
Answer: B,C,E
Explanation:
Flexible authentication (FlexAuth) is a set of features that allows IT administrators to configure the
sequence and priority of IEEE 802.1X, MAC authentication bypass (MAB), and switch-based web
authentication (local WebAuth).
Answer: E
Explanation:
Answer: A,B,D
Explanation:
You can now create named network objects that you can use in place of a host, a subnet, or a
range of IP addresses in your configuration and named service objects that you can use in place
of a protocol and port in your configuration. You can then change the object definition in one place,
without having to change any other part of your configuration.
This release introduces support for network and service objects in the following features:
Answer: A,B,C
Explanation:
The adaptive security appliance connects the same network on its inside and outside interfaces.
Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an
existing network.
IPv4 and IPv6 traffic is allowed through the transparent firewall automatically from a higher
security interface to a lower security interface, without an access list. ARPs are allowed through
the transparent firewall in both directions without an access list. You can add static routes on the
ASA when it is running on transparent mode.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/fwmode.pdf
Answer: B,C,D
Explanation:
Each route is created on the basis of the remote proxy network and mask, with the next hop to this
network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN)
router as the next hop, the traffic is forced through the crypto process to be encrypted. After the static route is
created on the VPN router, this information is propagated to upstream devices, allowing them to
determine the appropriate VPN router to which to send returning traffic in order to maintain IPsec
state flows. Being able to determine the appropriate VPN router is particularly useful if multiple
VPN routers are used at a site to provide load balancing or failover or if the remote VPN devices
are not accessible via a default route. Routes are created in either the global routing table or the
appropriate virtual route forwarding (VRF) table.
Answer: A,B,C,F
Explanation:
Flex is a way to combine multiple frameworks (crypto maps, EzVPN, DMVPN) into a single,
comprehensible set of CLI and bind it together with something offering more flexibility and a means
to extend functionality in the future.
Answer: A
Explanation:
When NAT translations are done on the ASA then it can override the routing table for new
connections.
Answer: A,C,D
Explanation:
This rule says that the IPs 10.1.100.4 to 10.1.100.10 are the IPs assigned to hosts sitting on the
outside interface of the ASA, and this is configured for hairpinning of the VPN traffic so that they
can access the Internet. The hosts will access the Internet using the public IP of the ASA.
Answer: A,C,D
Explanation:
The Discovery Host is the fully qualified domain name (FQDN) or untrusted interface IP address
used by the Cisco NAC Agent to discover the Cisco NAC Server located multiple hops away on
the network. The Agent initiates the discovery process by sending UDP packets to the known
Discovery Host address. Discovery packets must reach the NAC Server untrusted interface to
receive a response.
In a Layer 3 OOB with VRF model, the Discovery Host is typically set to be the DNS name or IP
address of the Cisco NAC Manager. The Manager exists in the clean network. Because all traffic
from the dirty networks is routed by default through the Cisco NAC Server, the Discovery packets
automatically flow through the Server. The traffic flow described here is one of the benefits to the
VRF Method. This traffic flow provides for a consistent, predictable experience.
Answer: C,D,E
Explanation:
Object tracking is an independent process that monitors objects such as the following:
Reference: http://www.cisco.com/c/en/us/td/docs/iosxml/ios/iproute_pi/configuration/15-s/iri-15-s-book/iri-pbr-mult-track.html
Answer: A,B,C,D
Cisco IOS supports following features to implement First Hop Security in IPv6:
Reference: http://www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/12_4t/ipv6_12_4t_book/ip6-first_hop_security.html
Answer: B,C,E
Explanation:
The ISO/IEC 27001 certification process is essentially the same as that for ISO 9000 and other
management systems. It is an external audit of the organization's ISMS (Information Security
Management System) in three main phases:
Reference: http://www.iso27001security.com/html/audit___certification.html
Answer: A,B,C
Explanation:
Because, in general:
- They are internationally designed and tested tools that provide effective actions for IT assurance.
- As standards and practices, they enable organizations to adjust them to their own particularities
and needs.
- Faced with regulatory and contractual entities, they enable effective action and response.
In particular, the COBIT framework, geared to general management, gives sponsors and those
responsible for IT the elements to control and manage IT governance, the basis for designing the
information security plan. Since information and technology are the most important assets, it is
management that sets the strategic guidelines, approves, and provides the necessary resources for
establishing the plan.
ISO 27002 is a best practice that gives those responsible for information security the elements
needed to manage security: guidelines for structuring the information security plan, the control
objectives and controls necessary to implement security in the organization, and key actions to
minimize the risks that jeopardize information security.
Answer: C
Explanation:
Answer: C
Explanation:
Control Plane Protection depends on Cisco Express Forwarding (CEF) for IP packet redirection. If
you disable CEF globally, this will remove all active protect and policing policies configured on the
control-plane subinterfaces. Aggregate control-plane interface policies will continue to function as
normal.
If you want to create a custom signature that is similar to an existing signature, you can create a
clone, or copy, of the signature. You can then edit the parameters to make the clone perform
according to your requirements. For example, you might want to create a clone of a Cisco-defined
signature to customize it to your needs. You might find this preferable to converting the Cisco
signature to a Local or shared policy signature and directly editing its parameters.
Reference: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/ipsvchap.pdf
Answer:
Explanation:
Answer:
Explanation:
Answer:
Explanation:
RequestURL
It assigns the Uri object of the current request to an object variable and displays the value of two
properties of the URL object to the HTTP output.
https443
HTTPS URLs begin with "https://" and use port 443 by default, whereas HTTP URLs begin with
"http://" and use port 80 by default.
A forward proxy is an Internet-facing proxy used to retrieve from a wide range of sources (in most
cases anywhere on the Internet).
Answer:
Explanation:
The Internet Message Access Protocol (IMAP) allows users to keep messages on the server,
flagging them as appropriate. An MUA using IMAP displays messages directly from the server,
although a download option for archive purposes is usually also available. One advantage this
gives IMAP is that the same messages are visible from any computer accessing the email
account, since messages aren't routinely downloaded and deleted from the server. If set up
properly, sent mail can be saved to the server also, in contrast with POP mail, where sent
messages exist only in the local MUA and are not visible by other MUAs accessing the same
account.
A mail server (also known as a mail transfer agent or MTA, a mail transport agent, a mail router or
an Internet mailer) is an application that receives incoming e-mail from local users (people within
the same domain) and remote senders and forwards outgoing e-mail for delivery.
An email client, email reader or, more formally, mail user agent (MUA) is a computer program used to
access and manage a user's email.
Mail Submission Agent (MSA): a relatively new term in the e-mail field. This is the component of an
MTA which accepts new mail messages from an MUA, using SMTP. (Traditional Unix MUAs send
their mail using a pipe to one of the MTA's component programs on the same host. Most Windows
MUAs use SMTP to talk to an MSA because there is no MTA on the Windows host.) Most MTA
implementations use the same program as both their MSA and the part which accepts incoming
mail from other hosts. In other cases, these functions are implemented separately. The official
TCP port number for an MSA is 587 (although in many cases it's run on port 25).
Mail Delivery Agent (MDA): the component of an MTA which is responsible for the final delivery of
Answer:
Explanation:
Answer:
Explanation:
Answer:
Answer:
Explanation:
Answer:
Explanation:
A security policy is a living document that allows an organization and its management team to
draw very clear and understandable objectives, goals, rules and formal procedures that help to
define the overall security posture and architecture for organization.
Answer:
Explanation:
Each SNMP message contains a protocol data unit (PDU). These SNMP PDUs are used for
communication between SNMP managers and SNMP agents. The SNMP Version 1 architecture
defines the following types of PDUs that flow between SNMP managers and SNMP agents:
GETREQUEST PDU
Sent by the SNMP manager to retrieve one or more requested MIB variables specified in the PDU.
GETNEXTREQUEST PDU
Sent by the SNMP manager to retrieve the next MIB variable that is specified in the PDU. You can
have multiple requests in the PDU. This PDU is primarily used by the SNMP manager to walk
through the SNMP agent MIB.
SETREQUEST PDU
Sent by the SNMP manager to set one or more MIB variables specified in the PDU with the value
specified in the PDU.
GETRESPONSE PDU
Sent by the SNMP agent in response to a GETREQUEST, GETNEXTREQUEST, or
SETREQUEST PDU.
TRAP PDU
An unsolicited message sent by the SNMP agent to notify the SNMP manager about a significant
event that occurred in the agent.
Answer: A,C,E
Explanation:
Inline VLAN Interface Pairs
Answer: A,B,C,D
Explanation:
Answer: C,D
Explanation:
The Cisco TrustSec System is an advanced Network Access Control and Identity Solution that is
integrated into the Network Infrastructure. It is a fully tested, validated solution where all the
components within the solution are thoroughly vetted and rigorously tested as an integrated
system.
Answer: A,C,D
Explanation:
Creating and Configuring Permissions for a New Standard Authorization Profile
Use this procedure to create a new standard authorization profile and configure its permissions.
To create a new standard authorization profile and permissions, complete the following steps:
Step 1
Choose Policy > Policy Elements > Results > Authorization > Authorization Profiles.
The Authorization Profiles window appears listing all existing configured authorization profiles.
Step 2
To create a new profile, choose one of the two following methods:
Authorization Profile
Access Type: Choose from the two drop-down list access type options
(ACCESS_ACCEPT or ACCESS_REJECT).
Note
The Name and Access Type fields are required and are marked with an asterisk (*).
Common Tasks
DACL Name: To choose, select the check box and choose existing downloadable ACL options
from the drop-down list (for example, Cisco ISE provides two default values in the drop-down
list: PERMIT_ALL_TRAFFIC or DENY_ALL_TRAFFIC). The drop-down list will include all current
DACLs in the local database.
VLAN: To choose, select the check box and enter an attribute value that identifies a virtual LAN
(VLAN) ID that you want associated with the new authorization profile you are creating (both
integer and string values are supported for the VLAN ID). The format for this entry would
be Tunnel-Private-Group-ID:VLANnumber.
Note
If you do not select a VLAN ID, Cisco ISE uses a default value of VLAN ID = 1. For example, if
you only entered 123 as your VLAN number, the Attributes Details pane would reflect the following
value: Tunnel-Private-Group-ID = 1:123.
Voice Domain Permission: To choose, select the check box to enable the vendor-specific
Posture Discovery: To choose, select the check box to enable a redirection process used for
Posture discovery in Cisco ISE, and enter an ACL on the device that you want to associate with
this authorization profile. For example, if the value you entered is acl119, this is reflected in the
Attributes Details pane as: cisco-av-pair = url-redirect-acl = acl119. The Attributes Details pane
also displays: cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cpp.
Centralized Web Authentication: To choose, select the check box to enable a redirection process
that is similar to Posture discovery, but it redirects guest user access requests to the Guest server
in Cisco ISE. Enter an ACL on the device that you want to associate with this authorization profile,
and select the Default or Manual option from the Redirect drop-down list. For example, if the value
you entered is acl-999, this is reflected in the Attributes Details pane as: cisco-av-pair = url-redirect-acl = acl-99. The Attributes Details pane also displays: cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.
Auto SmartPort: To choose, select the check box to enable Auto SmartPort functionality and
enter a corresponding event name value in the text box. This enables the VSA cisco-av-pair with a
value for this option as "auto-smart-port=event_name". Your choice is reflected in the Attributes
Details pane.
Filter-ID: To choose, select the check box to enable a RADIUS filter attribute that sends the ACL
name that you define in the text box (which is automatically appended with ".in"). Your choice is
reflected in the Attributes Details pane.
Reauthentication: To choose, select the check box and enter a value in seconds for maintaining
connectivity during reauthentication. You can also choose attribute values from the Timer drop-down list. You choose to maintain connectivity during reauthentication by selecting to use either
the default (a value of 0) or RADIUS-Request (a value of 1) from the drop-down list. Setting this to
the RADIUS-Request value maintains connectivity during the reauthentication process.
MACSec Policy: To choose, select the check box to enable the MACSec encryption policy
whenever a MACSec-enabled client connects to Cisco ISE, and choose one of the following three
options in the corresponding drop-down list: must-secure, should-secure, or must-not-secure. For
example, your choice is reflected in the Attributes Details pane as: cisco-av-pair = linksec-policy=must-secure.
NEAT: To choose, select the check box to enable Network Edge Access Topology (NEAT), a
feature that extends identity recognition between networks. Selecting this check box displays the
Web Authentication (Local Web Auth): To choose, select the check box to enable local web
authentication for this authorization profile. This value lets the switch recognize authorization for
web authentication by Cisco ISE sending a VSA along with a DACL. The VSA is cisco-av-pair =
priv-lvl=15 and this is reflected in the Attributes Details pane.
Wireless LAN Controller (WLC): To choose, select the check box and enter an ACL name in the
text field. This value is used in a required Airespace VSA to authorize the addition of a locally
defined ACL to a connection on the WLC. For example, if you entered rsa-1188, this would be
reflected in the Attributes Details pane as: Airespace-ACL-Name = rsa-1188.
ASA VPN: To choose, select the check box to enable an Adaptive Security Appliance (ASA)
VPN group policy. From a drop-down Attributes list, click a value to configure this setting. For
example, if you selected Cisco-BBSM, and then selected CBBSM-Bandwidth, this would be
reflected in the Attributes Details pane as: Class = Cisco-BBSM:CBBSM-Bandwidth.
Reference: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1082757
It supports IPv4 and IPv6 packet fields and tracks all fields of an IPv4 header as well as sections
of the data payload.
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network
traffic monitoring. Flow data is collected from the network traffic and added to the flow monitor
cache during the monitoring process based on the key and nonkey fields in the flow record.
Flexible NetFlow can be used to perform different types of analysis on the same traffic.
Answer: A,C,D
Explanation:
RFC 5176 defines Change of Authorization (CoA) and Disconnect Message (DM) behavior for
RADIUS.
Reference: https://tools.ietf.org/html/draft-dekok-radext-coa-proxy-00
Answer: A,C,D
Explanation:
The Cisco Security Group Access (SGA) solution establishes clouds of trusted network devices to
build secure networks. Each device in the Cisco SGA cloud is authenticated by its neighbors
(peers). Communication between the devices in the SGA cloud is secured with a combination of
encryption, message integrity checks, and data-path replay protection mechanisms. The tag, also
called the security group tag (SGT), allows ISE to enforce access control policies by enabling the
endpoint device to act upon the SGT to filter traffic.
The key features of the SGA solution include:
Network Device Admission Control (NDAC): In a trusted network, during authentication, each
network device (for example, an Ethernet switch) in an SGA cloud is verified for its credential and
trustworthiness by its peer device. NDAC uses the IEEE 802.1x port-based authentication and
uses Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST)
as its Extensible Authentication Protocol (EAP) method. Successful authentication and
authorization in the NDAC process results in Security Association Protocol negotiation for IEEE
802.1AE encryption.
Endpoint Admission Control (EAC): An authentication process for an endpoint user or a device
Security Group (SG): A grouping of users, endpoint devices, and resources that share access
control policies. SGs are defined by the administrator in Cisco ISE. As new users and devices are
added to the SGA domain, Cisco ISE assigns these new entities to the appropriate security
groups.
Security Group Tag (SGT): SGA service assigns to each security group a unique 16-bit security
group number whose scope is global within an SGA domain. The number of security groups in the
switch is limited to the number of authenticated network entities. You do not have to manually
configure security group numbers. They are automatically generated, but you have the option to
reserve a range of SGTs for IP-to-SGT mapping.
Security Group Access Control List (SGACL): SGACLs allow you to control the access and
permissions based on the SGTs that are assigned. The grouping of permissions into a role
simplifies the management of security policy. As you add devices, you simply assign one or more
security groups, and they immediately receive the appropriate permissions. You can modify the
security groups to introduce new privileges or restrict current permissions.
Security Exchange Protocol (SXP): SGT Exchange Protocol (SXP) is a protocol developed for
SGA service to propagate the IP-to-SGT binding table across network devices that do not have
SGT-capable hardware support to hardware that supports SGT/SGACL.
Environment Data Download: The SGA device obtains its environment data from Cisco ISE when
it first joins a trusted network. You can also manually configure some of the data on the device.
The device must refresh the environment data before it expires. The SGA device obtains the
following environment data from Cisco ISE:
Server lists: List of servers that the client can use for future RADIUS requests (for both
authentication and authorization)
Expiry timeout: Interval that controls how often the SGA device should download or refresh its
environment data
Identity-to-Port Mapping: A method for a switch to define the identity on a port to which an
endpoint is connected, and to use this identity to look up a particular SGT value in the Cisco ISE
server.
Answer: C,E
Explanation:
Manual cut-and-paste-- The router displays the certificate request on the console terminal,
allowing the user to enter the issued certificate on the console terminal. A user may manually cut-and-paste certificate requests and certificates when there is no network connection between the
Answer: B,E
Explanation:
Answer: B,D
Explanation:
RC4 symmetric key algorithm is used identically for encryption and decryption such that the data
stream is simply XORed with the generated key sequence. The algorithm is serial as it requires
successive exchanges of state entries based on the key sequence. Hence implementations can
be very computationally intensive. The RC4 encryption algorithm is used by standards such as
IEEE 802.11 within WEP (Wireless Encryption Protocol) using 40 and 128-bit keys. Published
procedures exist for cracking the security measures as implemented in WEP.
Answer: C,D,F
Answer: B,E
Explanation:
The MD5 message-digest algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32-digit hexadecimal number. MD5
has been utilized in a wide variety of cryptographic applications, and is also commonly used to
verify data integrity.
Answer: B,E
Explanation:
Answer: C,E
Explanation:
Data Encryption Standard (DES), developed in 1970, is a symmetric-key algorithm for the encryption
of electronic data. It was highly influential in the advancement of modern cryptography in the
academic world. DES is now considered to be insecure for many applications. This is chiefly due
to the 56-bit key size being too small; in January, 1999, distributed.net and the Electronic Frontier
Foundation collaborated to publicly break a DES key in 22 hours and 15 minutes.
Answer: C
Explanation:
Answer: B,D
Explanation:
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process.
Higher group numbers are more secure, but require additional time to compute the key.
Fireware XTM supports these Diffie-Hellman groups:
Both peers in a VPN exchange must use the same DH group, which is negotiated during Phase 1
of the IPSec negotiation process.
Answer: B,D
Explanation:
Answer: D,F
Explanation:
Prerequisites for BVI Configuration
If a BVI is not configured, you must disable IP routing (via the no ip routing command) for the
bridging operation to take effect.
If configured, a BVI must be configured with an IP address in the same subnet.
You must configure a BVI if more than two interfaces are placed in a bridge group.
Answer: C
Explanation:
MainApp includes all IPS components except SensorApp and the CLI. It is loaded by the operating
system at startup and loads SensorApp. MainApp then brings the following subsystem
components up:
Authentication, Logger, ARC, Web Server, Notification (SNMP), External Product Interface, Interface
Answer: C
Explanation:
All TACACS+ values are strings. The concept of value type does not exist in TACACS+ as it does
in Remote Access Dial-In User Service (RADIUS).
Answer: B,C,E
Explanation:
0.0.0.0/8-- Used for broadcast messages to the current ("this") network as specified by RFC 1700.
203.0.113.0/24-- Assigned as "TEST-NET-3" in RFC 5737 for use solely in documentation and
example source code and should not be used publicly.
172.16.0.0/12-- Used for local communications within a private network as specified by RFC 1918.
Answer: C
Explanation:
ISO/IEC 27001 formally specifies a management system that is intended to bring information
security under explicit management control. Being a formal specification means that it mandates
Answer: B,D
Explanation:
Answer: B,C,E
Explanation:
0.0.0.0/8--Used for broadcast messages to the current ("this") network as specified by RFC 1700.
203.0.113.0/24--Assigned as "TEST-NET-3" in RFC 5737 for use solely in documentation and
example source code and should not be used publicly.
172.16.0.0/12--Used for local communications within a private network as specified by RFC 1918.
Answer: B
Explanation:
The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S.
Congress to protect shareholders and the general public from accounting errors and fraudulent
practices in the enterprise, as well as improve the accuracy of corporate disclosures. The U.S.
Securities and Exchange Commission (SEC) administers the act, which sets deadlines for
compliance and publishes rules on requirements.
Answer: A,C
Explanation:
Authentication via Secure Tunneling (EAP-FAST), an EAP type from Cisco Systems. Extensible
Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) is a publicly
Answer: C
Explanation:
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site,
email, blog, instant message, or program causes a user's Web browser to perform an unwanted
action on a trusted site for which the user is currently authenticated. The impact of a successful
cross-site request forgery attack is limited to the capabilities exposed by the vulnerable
application. For prevention, remember that all cookies, even the secret ones, will be submitted
with every request. All authentication tokens will be submitted regardless of whether or not the
end-user was tricked into submitting the request. Furthermore, session identifiers are simply used
by the application container to associate the request with a specific session object.
Answer: B,C,D
Explanation:
The Internet Assigned Numbers Authority (IANA) is a department of ICANN, a nonprofit private
American corporation, which oversees global IP address allocation, autonomous system number
allocation, root zone management in the Domain Name System (DNS), media types, and other
Internet Protocol-related symbols and numbers. IANA is responsible for the operation and
maintenance of a number of key aspects of the DNS, including the root zone, and the .int and
.arpa domains. IANA is the global coordinator of the DNS root.
Answer: B
Explanation:
Answer: C
Explanation:
RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP
Source Address Spoofing
Answer: A
Explanation:
This version of the IKE specification combines the contents of what were previously separate
documents, including Internet Security Association and Key Management Protocol (ISAKMP, RFC
2408), IKE (RFC 2409), the Internet Domain of Interpretation (DOI, RFC 2407), Network Address
Translation (NAT) Traversal, Legacy authentication, and remote address acquisition.
Answer: B,D
Explanation:
The Sarbanes-Oxley Act of 2002, also known as the "Public Company Accounting Reform and
Investor Protection Act" (in the Senate) and "Corporate and Auditing Accountability and
Responsibility Act" (in the House) and more commonly called Sarbanes-Oxley, Sarbox or SOX, is
a United States federal law that set new or enhanced standards for all U.S. public company
boards, management and public accounting firms. There are also a number of provisions of the
Act that also apply to privately held companies, for example the wilful destruction of evidence to
impede a Federal investigation.
Answer: A
Explanation:
BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by
denying traffic with spoofed addresses access to the network, and to help ensure that traffic is
traceable to its correct source network.
Answer: A,B
Explanation:
RFC 5156 and RFC 5735 are the ones that can be used as a checklist of invalid routing prefixes
for IPv4 and IPv6 addresses
Answer: A,B,C,D
Explanation:
The DNS Security Extensions (DNSSEC) introduce four new DNS resource record types: DNS
Public Key (DNSKEY), Resource Record Signature (RRSIG), Next Secure (NSEC), and
Delegation Signer (DS).
Reference: https://tools.ietf.org/html/rfc4034
Answer: A
Explanation:
DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets
(RRsets). The public keys are stored in DNSKEY resource records and are used in the DNSSEC
authentication process described in RFC 4035. A zone signs its authoritative RRsets by using a
private key and stores the corresponding public key in a DNSKEY RR. A resolver can then use the
Answer: A,D,E
Explanation:
IANA manages the DNS Root Zone (assignments of ccTLDs and gTLDs) along with other
functions such as the .int and .arpa zones. IANA coordinates allocations from the global IP and AS
number spaces, such as those made to Regional Internet Registries. IANA is the central repository
for protocol name and number registries used in many Internet protocols.
Answer: B,D
Explanation:
RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP
Source Address Spoofing (BCP 38)
Answer: B,E
Explanation:
Answer: C
Explanation:
Cisco IOS GET VPN uses Group Domain of Interpretation (GDOI) as the keying protocol and
IPSec for encryption.
Answer: C
Explanation:
A role-based access control list bound to a range of SGTs and DGTs forms an SGACL.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html
MainApp: Initializes the system, starts and stops the other applications, configures the OS, and
performs upgrades. It contains the following components:
Event StoreAn indexed store used to store IPS events (error, status, and alert system
messages) that is accessible through the CLI, IDM, IME, ASDM, or SDEE.
References: Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/70/configuration/guide/cli/cliguide7/cli_system_architecture.html#wp1009053
Which two statements about this debug output are true? (Choose two.)
A.
The request is from NHC to NHS.
B.
The request is from NHS to NNC.
"Pass Any Exam. Any Time." - www.actualtests.com
471
Answer: A,D
Explanation:
Answer: D
Explanation:
Answer: B
Explanation:
References: Reference: https://supportforums.cisco.com/document/33011/asa-botnet-configuration
Answer:
Explanation:
botnet: Collection of similar programs that work together to execute specific tasks
Viruses: Independent malicious program that copies itself from one host to another host over a
network and carries other programs
Trojan horse: Programs that appear to have one function but actually perform a different function
Worms: Programs that modify other programs and that attach themselves to other programs on execution
References: Reference: http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html
Answer: C
Explanation:
References: Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
Answer: C,D
Explanation:
After setting the replay window size on your Cisco router, you received the given system message.
What is the reason for the message?
A.
The replay window size is set too low for the number of packets received.
B.
The IPSec anti-replay feature is enabled, but the window size feature is disabled.
C.
The IPSec anti-replay feature is disabled.
D.
The replay window size is set too high for the number of packets received.
Answer: D,F
Explanation:
"Pass Any Exam. Any Time." - www.actualtests.com
477
Answer: A
Explanation:
An RSA key pair consists of a public key and a private key. When setting up your PKI, you must
include the public key in the certificate enrollment request. After the certificate has been granted,
the public key will be included in the certificate so that peers can use it to encrypt data that is sent
to the router. The private key is kept on the router and used both to decrypt the data sent by peers
and to digitally sign transactions when negotiating with peers.
References: Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-pki-overview.html
Answer: D
Explanation:
The functionality provided by the IPv6 Type 0 Routing Header can be exploited in order to achieve
traffic amplification over a remote path for the purposes of generating denial-of-service traffic. RFC
5095 therefore updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in
light of this security concern.
References: Reference: https://tools.ietf.org/html/rfc5095
Which option is the reason for the failure of the DMVPN session between R1 and R2?
A.
incorrect tunnel source interface on R1
B.
IPsec phase-1 policy mismatch
C.
tunnel mode mismatch
D.
IPsec phase-2 policy mismatch
E.
IPsec phase-1 configuration missing peer address on R2
Answer: B
Explanation:
Answer: C
Explanation:
An RSA key pair may need to be removed for one of the following reasons:
References: Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-deploy-rsa-pki.html
Answer: C
Explanation:
VXLAN is a MAC-in-IP/UDP (MAC-in-UDP) encapsulation technique with a 24-bit segment
identifier in the form of a VXLAN ID.
References: Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nxos/vxlan/configuration/guide/b_NX-OS_VXLAN_Configuration_Guide/overview.pdf
"Pass Any Exam. Any Time." - www.actualtests.com
481
Answer: A,E
Explanation:
The Atomic IP Advanced engine contains the following restrictions:
Cannot detect the Layer 4 field of the packets if the packets are fragmented so that the Layer 4
identifier does not appear in the first packet.
Cannot detect Layer 4 attacks in flows with packets that are fragmented by IPv6 because there is
no fragment reassembly.
Cannot detect attacks with tunneled flows.
Limited checks are provided for the fragmentation header.
There is no support for IPv6 on the management (command and control) interface. With
ASA 8.2(1), the ASA 5500 AIP SSM supports IPv6 features.
If there are illegal duplicate headers, a signature fires, but the individual headers cannot be
separately inspected.
Anomaly detection does not support IPv6 traffic; only IPv4 traffic is directed to the anomaly
detection processor.
Rate limiting and blocking are not supported for IPv6 traffic. If a signature is configured with a
block or rate limit event action and is triggered by IPv6 traffic, an alert is generated but the action
is not carried out.
"Pass Any Exam. Any Time." - www.actualtests.com
482
Answer: A,E
Explanation:
SNMPv3 contains all the functionality of SNMPv1 and SNMPv2, but SNMPv3 has significant
enhancements to administration and security. SNMPv3 is an interoperable standards-based
protocol. SNMPv3 provides secure access to devices by authenticating and encrypting packets
over the network.
The security features provided in SNMPv3 are as follows:
Message integrity: Ensuring that a packet has not been tampered with in transit
Authentication: Determining that the message is from a valid source
Encryption: Scrambling contents of a packet to prevent it from being seen by an unauthorized
source
References: Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4000/82glx/configuration/guide/snmp.pdf
Answer: A,C
Explanation:
Answer: B,C
Explanation:
Restrictions for Network Edge Authentication Topology
References: Reference: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_8021x/configuration/15-2mt/sec-ieee-neat.html
Answer: A,F,G
Explanation:
Answer:
Explanation:
MTA: The component responsible for moving email from the sending mail server to the recipient mail
server.
MUA: The component that interacts with the end user.
POP/IMAP: The component responsible for fetching email from the mailbox on the recipient mail server to
the recipient MUA.
MDA: The component responsible for moving email from the MTA to the user mailbox on the
recipient mail server.
This terminology is important in understanding the operation of a mail server.
References: Reference: http://xmodulo.com/how-mail-server-works.html
Answer: B
Explanation:
Answer: D,E
"Pass Any Exam. Any Time." - www.actualtests.com
488
Answer: B
Explanation:
When a Cisco device is configured as NTP master, its clock becomes a reference clock for time
synchronization of other devices. The stratum of the NTP master can be configured in the range 1-15, but it will usually be configured as stratum 1.
References: Reference: https://seriousnetworks.wordpress.com/2013/08/08/configuring-ntp-on-cisco-ios-devices/
Answer: B
Explanation:
References: Reference: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Answer: D,E,F
Explanation:
The following AH packet diagram shows how an AH packet is constructed and interpreted:
"Pass Any Exam. Any Time." - www.actualtests.com
490
491
492
Answer:
Explanation:
Cisco TrustSec SGT Exchange Protocol: Control protocol for propagating IP-to-SGT binding
information across network devices
SGACL: Associates an SGT with a policy
Cisco TrustSec: Builds secure networks by establishing domains of trusted network devices
References: Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/arch_over.html
"Pass Any Exam. Any Time." - www.actualtests.com
493
Answer: D
Explanation:
The CIDR prefix representation is used to represent the IPv6 address. An example of this notation
is: 2001:DB8:130F::870:0:140B/64
The /64 indicates that the first 64 bits are being used to represent the network and the last 64 bits
are being used to represent the interface identifier.
References: Reference: https://www.cisco.com/web/strategy/docs/gov/IPv6_WP.pdf
Answer: C
Explanation:
You can monitor up to 250 interfaces (in multiple mode, divided between all contexts). You should
monitor important interfaces. For example in multiple mode, you might configure one context to
monitor a shared interface. (Because the interface is shared, all contexts benefit from the
monitoring.)
References: Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html
Answer: A,E
Explanation:
ESMTP is an enhancement to the SMTP protocol and is similar in most respects to SMTP. For
"Pass Any Exam. Any Time." - www.actualtests.com
495
496
Answer: A
Explanation:
With the client attempting an implicit SFTP connection to the SFTP server, which mode works by
default?
A.
passive
B.
neither passive nor active
C.
active
D.
both passive and active
Answer: B
Explanation:
The ASA firewall has issues handling this type of connection. Normally, when regular
FTP is used, the ASA sees the payload on the FTP control channel and does the proper NAT
translations when passive mode is used; when active mode is used, it sees the IP addresses and lets the
"Pass Any Exam. Any Time." - www.actualtests.com
498
Answer: A,E
Explanation:
Answer: A,C
Explanation:
Restrictions for Cisco IOS SSL VPN Smart Tunnels Support
References: Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-smarttunnels-support.html
Answer: C,E
Explanation:
What is the purpose of the command in the NAT-PT for IPv6 implementation on a Cisco IOS
device?
A.
It defines address pool used by the IPv6 access-list.
B.
It defines the IPv4 address pool used by the NAT-PT for dynamic address mapping.
C.
It defines address pool used by the IPv4 access-list.
D.
It defines the IPv6 address pool used by the NAT-PT for dynamic address mapping.
E.
It defines the IPv4 address pool used by the NAT-PT for static address mapping
Answer: B
Explanation:
ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
Example:
Device(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
Specifies a pool of IPv4 addresses to be used by NAT-PT for dynamic address mapping.
Answer: C
Explanation:
Answer: A
Explanation:
An SDF has definitions for each signature it contains. After signatures are loaded and compiled
"Pass Any Exam. Any Time." - www.actualtests.com
502
Answer: C
Explanation:
Answer: D
Explanation:
Here is a diagram of how the Cisco ASA processes the packet that it receives:
Answer: C
Explanation:
Answer: D,E,F
Explanation:
SSH-1 and SSH-2 Differences
SSH-2: Separate transport, authentication, and connection protocols.
SSH-1: One monolithic protocol.
SSH-2: Strong cryptographic integrity check.
SSH-1: Weak CRC-32 integrity check.
SSH-2: Supports password changing.
SSH-1: N/A
SSH-2: Any number of session channels per connection (including none).
SSH-1: Exactly one session channel per connection (requires issuing a remote command even when you
don't want one).
SSH-2: Full negotiation of modular cryptographic and compression algorithms, including bulk encryption,
MAC, and public-key.
SSH-1: Negotiates only the bulk cipher; all others are fixed.
SSH-2: Encryption, MAC, and compression are negotiated separately for each direction, with independent
keys.
SSH-1: The same algorithms and keys are used in both directions (although RC4 uses separate keys,
since the algorithm's design demands that keys not be reused).
SSH-2: Extensible algorithm/protocol naming scheme allows local extensions while preserving
interoperability.
SSH-1: Fixed encoding precludes interoperable additions.
User authentication methods:
SSH-2: Supports a wider variety:
"Pass Any Exam. Any Time." - www.actualtests.com
506
Answer: A
Explanation:
References: Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
Answer: D
Explanation:
mac-address-table notification threshold
To enable content-addressable memory (CAM) table usage monitoring notification, use the
mac-address-table notification threshold command in global configuration mode. To disable CAM table
usage monitoring notification, use the no form of this command.
References: Reference:
http://www.cisco.com/c/en/us/td/docs/ios/lanswitch/command/reference/lsw_book/lsw_m1.html
Answer: B
Explanation:
Attacks can originate from multicast receivers. Any receiver sending an IGMP/MLD report will
typically create state on the first-hop router. There is no equivalent mechanism in unicast.
References: Reference: http://www.cisco.com/web/about/security/intelligence/multicast_toolkit.html
Answer: D
Explanation:
DNSSEC supplements the hierarchical nature of the DNS with cryptographic characteristics that
make it possible to verify the authenticity of information stored in the DNS. This validation makes it
possible for resolvers to be assured that when they request a particular piece of information from
the DNS, they do in fact receive the correct information as published by the authoritative
source.
This assurance is made possible using cryptographic signatures included in the DNS by a source
organization. These signatures are calculated on a complete Resource Record set, not on individual
Resource Records. The signatures are published in a DNSSEC-specific resource record type
called RRSIG. For example, setting aside the requisite infrastructure, by publishing the signature
for an A record, the source organization makes it possible for resolvers on the Internet to verify
that the A record contains authentic data and is correct as published. A DNS server only signs
data for which it is authoritative; for example, the DNS server does not sign NS records that
delegate subdomains from its zone.
References: Reference: http://www.cisco.com/web/about/security/intelligence/dnssec.html#5
Answer: D
Explanation:
Answer: C
Explanation:
ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker
sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.
Generally, the aim is to associate the attacker's MAC address with the IP address of another host,
such as the default gateway, causing any traffic meant for that IP address to be sent to the
attacker instead.
References: Reference: https://en.wikipedia.org/wiki/ARP_spoofing
Answer: A,B
Explanation:
References: Reference: https://supportforums.cisco.com/document/66011/using-hostnames-dns-access-lists-configuration-steps-caveats-and-troubleshooting
Answer: C
Explanation:
References: Reference: https://en.wikipedia.org/wiki/Syslog
Answer: B
Explanation:
The Sarbanes-Oxley Act of 2002 (Pub.L. 107-204, 116 Stat. 745, enacted July 30, 2002), also
known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate)
and "Corporate and Auditing Accountability and Responsibility Act" (in the House) and more
commonly called Sarbanes-Oxley, Sarbox or SOX, is a United States federal law that set new or
expanded requirements for all U.S. public company boards, management and public accounting
firms. There are also a number of provisions of the Act that also apply to privately held companies,
for example the willful destruction of evidence to impede a Federal investigation.
References: Reference: https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act
Answer: C,E
Explanation:
References: Reference: http://www.lightchange.com/configuring-snmp-v3-on-cisco-asa-and-ios/
Answer: D
Explanation:
The RA only has the power to accept registration requests and forward them to the CA. It is not
allowed to issue certificates or publish CRLs. The CA is responsible for these functions.
References: Reference: http://www.cisco.com/en/US/tech/tk1132/technologies_white_paper09186a00800e79cb
"Pass Any Exam. Any Time." - www.actualtests.com
514
Answer: B
Explanation:
ICMP Type / Literal:
0: echo-reply
3: destination unreachable (code 0 = net unreachable, 1 = host unreachable, 2 = protocol unreachable,
3 = port unreachable, 4 = fragmentation needed and DF set, 5 = source route failed)
4: source-quench
5: redirect (code 0 = redirect datagrams for the network, 1 = redirect datagrams for the host, 2 =
redirect datagrams for the type of service and network, 3 = redirect datagrams for the type of
service and host)
"Pass Any Exam. Any Time." - www.actualtests.com
515
516
Answer: D
Explanation:
Using Cisco Centralized Key Management (CCKM), an access point configured to provide
Wireless Domain Services (WDS) takes the place of the RADIUS server and authenticates the
client so quickly that there is no perceptible delay in voice or other time-sensitive applications.
References: Reference: http://www.cisco.com/c/en/us/td/docs/wireless/access_point/122_13_JA/configuration/guide/s12213sc/s13roamg.html
517
Answer: B,F
Explanation:
Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass
through the security appliance unless you explicitly permit it with an extended access list. The only
traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can
be controlled by ARP inspection.
These features are not supported in transparent mode:
NAT is performed on the upstream router.
You can add static routes for traffic that originates on the security appliance. You can also allow
dynamic routing protocols through the security appliance with an extended access list.
Note: IS-IS is IP protocol 124 (is-is over ipv4). IS-IS transient packets can be allowed through the
transparent mode by the form of an ACL that permits protocol 124. The transparent mode
supports all 255 IP protocols.
The transparent firewall can act as a DHCP server, but it does not support the DHCP relay
commands. DHCP relay is not required because you can allow DHCP traffic to pass through with
an extended access list.
You can allow multicast traffic through the security appliance if you allow it in an extended access
list. In a transparent firewall, access lists are required to pass multicast traffic from higher to
lower security zones as well as from lower to higher security zones. In a routed firewall, no access list is
required from higher to lower security zones.
"Pass Any Exam. Any Time." - www.actualtests.com
518
Answer: B
Explanation:
Answer: D
Explanation:
VXLAN traffic is encapsulated in a UDP packet when sent out to the physical network. This
encapsulation imposes the following overhead on each packet:
Outer Ethernet Header (14) + UDP header (8) + IP header (20) + VXLAN header (8) = 50 bytes
To avoid fragmentation and possible performance degradation, all the physical network devices
transporting the VXLAN traffic need to handle 50 bytes greater than the maximum transmission
unit (MTU) size expected for the frame. Therefore, adjust the MTU settings for all these devices,
which will transport the VXLAN traffic.
References: Reference: http://www.cisco.com/c/en/us/products/collateral/switches/nexus-1000v-switch-vmware-vsphere/guide_c07-702975.html
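The two VXLAN explanations above (the 24-bit VXLAN ID carried in a MAC-in-UDP encapsulation, and the 50-byte outer overhead of Ethernet 14 + IP 20 + UDP 8 + VXLAN 8) can be made concrete by building and parsing the encapsulation. The following is an added example written for this page, not code from the exam dump or from Cisco; it follows the RFC 7348 header layout and the IANA VXLAN UDP port 4789, and every address, MAC and inner frame in it is a constructed sample value:

```python
"""Added example: minimal VXLAN encapsulation/decapsulation with struct.

Shows the 8-byte VXLAN header with its 24-bit VNI (I flag set, reserved
bits zero) and the 50-byte outer overhead the page quotes. Header layouts
follow RFC 7348; the UDP destination port is IANA's 4789. All addresses,
MACs and the inner frame are constructed sample values, not real hosts.
"""
import struct

VXLAN_UDP_PORT = 4789
OUTER_OVERHEAD = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags byte (I bit = 0x08), 24 reserved bits,
    24-bit VNI, 8 reserved bits. Rejects VNIs that do not fit in 24 bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """20-byte IPv4 header, DF set (flags 0x4000), protocol 17 (UDP), TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, 17, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    """8-byte UDP header; checksum 0 means 'not computed' over IPv4 (RFC 768)."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def ethernet_header(dst_mac: bytes, src_mac: bytes, ethertype: int = 0x0800) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype)


def encapsulate(inner_frame: bytes, vni: int, src_ip: str, dst_ip: str,
                src_mac: bytes, dst_mac: bytes, sport: int = 49152) -> bytes:
    """Wrap a complete inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN."""
    vx = vxlan_header(vni) + inner_frame
    udp = udp_header(sport, VXLAN_UDP_PORT, len(vx)) + vx
    ip = ipv4_header(src_ip, dst_ip, len(udp)) + udp
    return ethernet_header(dst_mac, src_mac) + ip


def decapsulate(packet: bytes):
    """Return (vni, inner_frame) from an outer packet, validating each layer."""
    (ethertype,) = struct.unpack_from("!H", packet, 12)
    if ethertype != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    udp_off = 14 + ihl
    (dport,) = struct.unpack_from("!H", packet, udp_off + 2)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN (4789)")
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack_from("!B3xI", packet, vx_off)
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8, packet[vx_off + 8:]


def required_underlay_frame_size(inner_frame_len: int) -> int:
    """Frame size the physical network must carry, per the page: inner + 50."""
    return inner_frame_len + OUTER_OVERHEAD


if __name__ == "__main__":
    # Constructed sample: a 1514-byte inner frame (14-byte header + 1500 payload).
    inner = bytes(1514)
    pkt = encapsulate(inner, 5000, "10.0.0.1", "10.0.0.2",
                      src_mac=bytes.fromhex("020000000001"),
                      dst_mac=bytes.fromhex("020000000002"))
    vni, frame = decapsulate(pkt)
    print(f"VXLAN header: {vxlan_header(5000).hex()}")
    print(f"outer packet {len(pkt)} bytes = inner {len(inner)} + {OUTER_OVERHEAD}")
    print(f"decapsulated VNI {vni}, inner intact: {frame == inner}")
```

The `decapsulate` checks are the ones a VTEP or a capture-parsing tool should make before trusting the VNI: a packet on UDP 4789 without the I flag set carries no valid segment identifier, and the 24-bit range check in `vxlan_header` is what bounds the VXLAN ID space at 16 million segments.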
Answer: D
In which two parts should the multicast boundary command be applied? (Choose two.)
A.
A
B.
B
C.
C
"Pass Any Exam. Any Time." - www.actualtests.com
521
Answer: A,F
Explanation:
You define a multicast boundary to prevent Auto-RP messages from entering the PIM domain.
You create an access list to deny packets destined for 224.0.1.39 and 224.0.1.40, which carry
Auto-RP information.
References: Reference:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/152_2_e/multicast/configuration_guide/b_mc_1522e_3750x_3560x_cg/b_mc_3750x_3560x_chapter_010.html#task_33BF7D47C052413ABF8ACFCE9C871DD2
Answer: B,C
"Pass Any Exam. Any Time." - www.actualtests.com
522
523
Answer: A,E,F
Explanation:
The Secure Socket Layer (SSL) protocol and Transport Layer Security (TLS) are application-level
protocols that provide for secure communication between a client and server by allowing mutual
authentication, the use of hashes for integrity, and encryption for privacy. SSL and TLS rely on
certificates, public keys, and private keys.
References: Reference: http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r42/security/configuration/guide/b_syssec_cg42crs/b_syssec_cg42crs_chapter_01010.html
"Pass Any Exam. Any Time." - www.actualtests.com
524
Answer: A,C
Explanation:
On October 31, 2002, the Wi-Fi Alliance endorsed TKIP under the name Wi-Fi Protected Access
(WPA).
TKIP and the related WPA standard implement three new security features to address security
problems encountered in WEP protected networks. First, TKIP implements a key mixing function
that combines the secret root key with the initialization vector before passing it to the RC4
initialization. WEP, in comparison, merely concatenated the initialization vector to the root key, and
passed this value to the RC4 routine. This permitted the vast majority of the RC4 based WEP
related key attacks. Second, WPA implements a sequence counter to protect against replay
attacks. Packets received out of order will be rejected by the access point. Finally, TKIP
implements a 64-bit Message Integrity Check (MIC).
References: Reference: https://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol
Answer: B,C,E
Explanation:
References: Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/configuration/15-mt/https-15-mt-book/nm-https-inspection-engine.html
Answer: D
Explanation:
ipv6 nd secured key-length [[minimum | maximum] value]
Example:
Router(config)# ipv6 nd secured key-length minimum 512
References: Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/configuration/15-2mt/ipv6-15-2mt-book/ip6-first-hop-security.html
Answer: B
Explanation:
References: Reference: https://supportforums.cisco.com/blog/149481/introduction-regular-expressions-ips
Answer: B
Explanation:
Verify that the shared secret passwords are synchronized between the access point and the
authentication server. Otherwise, you can receive this error message:
Invalid message authenticator in EAP request
The shared secret entry for the access point on the RADIUS server must contain the same shared
secret password as the one configured on the access point.
References: Reference: http://www.cisco.com/c/en/us/support/docs/wireless/aironet-1100-series/44844-leapserver.html
Answer: C
Explanation:
Transparent Firewall Guidelines
References: Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_fw.html