Which type of malicious software can create a back-door into a device or network?

A. Worm
B. Trojan
C. Virus
D. Bot

Which command enables authentication at the OSPFv2 routing process level?

A. area 0 authentication message-digest
B. area 0 authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
C. ip ospf authentication message-digest
D. ip ospf message-digest-key 1 md5 C1sc0!

switch(config)# router ospf 201

switch(config-router)# area 0 authentication message-digest
switch(config-router)# interface ethernet 1/1
switch(config-if)# no switchport
switch(config-if)# ip ospf area 0
switch(config-if)# ip ospf message-digest-key 10 md5 0 adcdefgh

Command                               Description
copy running-config startup-config    Saves the configuration changes to the startup configuration file.
ip ospf authentication-key            Assigns a password for simple password authentication for OSPF.
ip ospf message-digest-key            Assigns a password for OSPF MD5 authentication.
show ip ospf interface                Displays OSPF interface-related information.

What is the maximum number of methods that a single method list can contain?
A. 4
B. 3
C. 2
D. 5

Which IPS detection method examines network traffic for preconfigured patterns?
A. Signature-based detection
B. Policy-based detection
C. Anomaly-based detection
D. Honey-pot detection

Which statement about interface and global access rules is true?

A. Interface access rules are processed before global access rules.
B. The implicit allow is processed after both the global and interface access rules.
C. If an interface access rule is applied, the global access rule is ignored.
D. Global access rules apply only to outbound traffic, but interface access rules can be
applied in either direction.

Which type of firewall monitors and protects a specific system?
A. Proxy firewall
B. Stateless firewall
C. Application Firewall
D. Personal Firewall

When would you configure the ip dhcp snooping trust command on a switch?
A. when the switch is connected to a client system
B. when the switch is connected to a DHCP server
C. when the switch is working in an edge capacity
D. when the switch is serving as an aggregator

What does the policy map do in CoPP?

A. defines service parameters
B. defines the packet filter
C. defines packet selection parameters
D. defines the action to be performed

Which two parameters can you view in the Cisco ASDM Protocol Statistics window? (Choose
A. the number of active tunnels
B. the number of rejected connection attempts
C. the number of tunnels that have been established since the Cisco ASA was rebooted
D. the number of closed tunnels
E. the user attempting the connection

Which two advantages does the on-premise model for MDM deployment have over the cloud-based
model? (Choose two.)
A. The on-premise model is easier and faster to deploy than the cloud-based model
B. The on-premise model is more scalable than the cloud-based model
C. The on-premise model is generally less expensive than the cloud-based model
D. The on-premise model provides more control of the MDM solution than the cloud-based
E. The on-premise model generally has less latency than the cloud-based model

How is management traffic isolated on a Cisco ASR 1002?

A. Traffic is isolated based upon how you configure routing on the device
B. Traffic isolation is done on the VLAN level
C. There is no management traffic isolation on a Cisco ASR 1002
D. The management interface is configured in a special VRF that provides traffic isolation
from the default routing table

Refer to the exhibit. What is the effect of the given configuration?

A. The two devices are able to pass the message digest to one another
B. It enables authentication
C. The two routers receive normal updates from one another
D. It prevents keychain authentication

A user on your network inadvertently activates a botnet program that was received as an email
attachment. Which type of mechanism does Cisco Firepower use to detect and block only the
botnet attack?
A. user-based access control rule
B. reputation-based
C. botnet traffic filter
D. network-based access control rule

Which two attack types can be prevented with the implementation of a Cisco IPS solution?
(Choose two.)
A. VLAN hopping
C. ARP spoofing
D. worms
E. man-in-the-middle

How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Assign the output interface in the NAT statement
B. Add the no-proxy-arp command to the nat line
C. Configure twice NAT instead of object NAT
D. Use packet-tracer rules to reroute misrouted NAT entries

Which security principle has been violated if data is altered in an unauthorized manner?
A. accountability
B. availability
C. confidentiality
D. integrity

Which STP feature can prevent an attacker from becoming the root bridge by immediately
shutting down the interface when it receives a BPDU?
A. PortFast
B. BPDU guard
C. BPDU filtering
D. root guard

Which IKE Phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared
A. authentication
B. encryption
C. hash
D. group

Which EAP method authenticates a client against Active Directory without the use of client-side
802.1X certificates?

Which technology can you implement to centrally mitigate potential threats when users on your
network download files that might be malicious?
A. Verify that the company IPS blocks all known malicious websites.
B. Implement URL filtering on the perimeter firewall.
C. Enable file-reputation services to inspect all files that traverse the company network
and block files with low reputation scores.
D. Verify that antivirus software is installed and up to date for all users on your network

Which command can you enter to configure OSPF to use hashing to authenticate routing
A. ip ospf authentication message-digest
B. neighbor cost md5
C. ip ospf authentication-key
D. ip ospf priority 1

Which feature of the Cisco Email Security Appliance can mitigate the impact of snowshoe spam
and sophisticated phishing attacks?
A. reputation based filtering
B. signature-based IPS
C. graymail management and filtering
D. contextual analysis

Which four tasks are required when you configure Cisco IOS IPS
using the Cisco Configuration Professional IPS wizard? (Choose four.)
A. Select the interface(s) to apply the IPS rule.
B. Select the traffic flow direction that should be applied by the IPS
C. Add or remove IPS alerts actions based on the risk rating.
D. Specify the signature file and the Cisco public key.
E. Select the IPS bypass mode (fail-open or fail-close).
F. Specify the configuration location and select the category of
signatures to be applied to the selected interface(s).
Correct Answer: ABDF
Step 11. At the 'Select Interfaces' screen, select the interface and
the direction that IOS IPS will be applied to, then click 'Next' to
Step 12. At the 'IPS Policies Wizard' screen, in the 'Signature File'
section, select the first radio button "Specify the signature file you
want to use with IOS IPS", then click the "…" button to bring up a
dialog box to specify the location of the signature package file,
which will be the directory specified in Step 6. In this example, we
use tftp to download the signature package to the router.

Step 13. In the 'Configure Public Key' section, enter 'realm-' in the 'Name' text field, then copy and paste the
following public key's key-string in the 'Key' text field. This public
key can be downloaded from


Which path do you follow to enable AAA through the SDM?

A. Configure > Tasks > AAA

B. Configure > Authentication > AAA
C. Configure > Additional Authentication > AAA
D. Configure > Additional Tasks > AAA
E. Configure > AAA

Answer: D


What aims to remove the ability to deny an action?

A. Integrity
B. Deniability
C. Accountability
D. Non-Repudiation

Answer: D


In which two models can the Cisco Web Security Appliance be deployed? (Choose two.)

A. as a transparent proxy using the Secure Sockets Layer Protocol

B. as a transparent proxy using the HyperText Transfer Protocol
C. explicit active mode
D. as a transparent proxy using the Web Cache Communication Protocol
E. explicit proxy mode

Answer: DE


Which two statements about hardware-based encryption are true? (Choose two.)

A. It is potentially easier to compromise than software-based encryption.

B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.

Answer: CE


What is the main purpose of Control Plane Policing?

A. to prevent exhaustion of route-processor resources

B. to organize the egress packet queues
C. to define traffic classes
D. to maintain the policy map

Answer: A


What is the best definition of hairpinning?

A. ingress traffic that traverses the outbound interface on a device

B. traffic that enters and exits a device through the same interface
C. traffic that enters one interface on a device and that exits through another interface
D. traffic that tunnels through a device interface

Answer: B


How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?

A. Update the IPS signature for HTTPS to validate DCE/RPC connections.

B. Block suspicious hosts from DCE/RPC port 593.
C. Tunnel DCE/RPC traffic through GRE.
D. Configure the DCE/RPC preprocessor.

Answer: B


Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use

A. authPriv
B. authNoPriv
C. noAuthPriv
D. noAuthNoPriv

Answer: B


Which type of firewall can perform deep packet inspection?

A. application firewall
B. stateless firewall
C. packet-filtering firewall
D. personal firewall

Answer: A


Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that are
detected moving across other networks?

A. signature-based
B. reputation-based
C. antivirus scanning
D. policy-based

Answer: B


You have implemented a dynamic blacklist, using security intelligence to block illicit network
activity. However, the blacklist contains several approved connections that users must access for
business purposes. Which action can you take to retain the blacklist while allowing users to access
the approved sites?

A. Create a whitelist and manually add the approved addresses.

B. Edit the dynamic blacklist to remove the approved addresses.
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the
D. Disable the dynamic blacklist and create a static blacklist in its place.

Answer: A


Which command enables port security to use sticky MAC addresses on a switch?

A. switchport port-security mac-address sticky

B. switchport port-security
C. switchport port-security violation protect
D. switchport port-security violation restrict

Answer: A


Which attack can be prevented by OSPF authentication?

A. smurf attack
B. IP spoofing attack
C. Denial of service attack
D. buffer overflow attack

Answer: B


Which mitigation technology for web-based threats prevents the removal of confidential data from
the network?


Answer: C

Drag and Drop

Shutdown – The interface is error-disabled
Shutdown Vlan – The virtual layer 2 segment is disabled
Restrict – When the number of secure MAC addresses on the port reaches a specified maximum
limit, the port drops packets and sends an SNMP trap
Protect – When the number of secure MAC addresses on the port reaches a special maximum, the
port drops packets without notification.


Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use

A. authPriv
B. authNoPriv
C. noAuthPriv
D. noAuthNoPriv

Answer: B

There’s a question about EAP.
Not exactly but the question is like this:
Which component is responsible for network access policy?
a. RADIUS server
b. authentication server
c. authenticator
d. supplicant

I am not sure of the answer but I answered d. supplicant.

Which component is responsible for network access policy?

a. RADIUS server
b. authentication server
c. authenticator
d. supplicant

I think the correct answer is B, Authentication Server.

Authentication Server: A server that validates the credentials sent by the supplicant and
determines what level of network access the end user or device should receive. Not only RADIUS is
an authentication server.

I passed with 948/1000

67 q’s , 1 d&d and 1 lab
question from Coachgreece & new question by dk2019 and Alex comments
I found 5 new exams that I have never seen. Questions about
Questions about The table is on the ASA.
My answer is NAT Table
Questions about privilege exec level
My answer is 0-15
Questions about IKE and VPN
My answer is Authorization
Questions about action stateful firewall
My answer is DROP
1 more I can’t remember.

Please help, below are the questions whose correct answers need to be verified. I have an exam on

Q01 Which next-generation encryption algorithms support four variants?

C. MD5
Answer: A

Q43 What are two major considerations when choosing between a SPAN and a TAP when
implementing IPS? (Choose two.)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled
Answer: AB

What are two default Cisco IOS privilege levels? (Choose two)
A. 0
B. 5
C. 1
D. 7
E. 10
F. 15
Answer: CF

Which command can you enter to configure OSPF to use hashing to authenticate routing updates?
A. ip ospf authentication message-digest
B. ip ospf priority 1
C. neighbor cost md5
D. ip ospf authentication-key
Answer: C

Which information can you display by executing the show crypto ipsec sa command?
A. proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers
Answer: B

Which type of VLANs can communicate to PVLANs? (or something like this) (Choose two.)
A. promiscuous
B. isolated
C. community
D. backup
E. secondary
Answer: AB

Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. file reputation
B. file analysis
C. signature updates
D. network blocking
Answer: A or C

When an administrator initiates a device wipe command from the ISE, what is the immediate
A. It requests the administrator to choose between erasing all device data or only
managed corporate data.
B. It requests the administrator to enter the device PIN or password before proceeding with the
C. It notifies the device user and proceeds with the erase operation.
D. It immediately erases all data on the device.
Answer: A or D

Which attack can be prevented by OSPF authentication?

A. smurf attack
B. IP spoofing attack
C. Denial of service attack
D. buffer overflow attack
Answer: B

1. Which 802.1x component enforces the network access policy?
a. RADIUS Server
b. Authentication server
c. Supplicant
d. Authenticator

Which type of firewall can perform deep packet inspection?

A. application firewall
B. stateless firewall
C. packet-filtering firewall
D. personal firewall

Answer: C

The five types of firewall are:

Packet filtering firewall

Circuit-level gateway
Stateful inspection firewall
Application-level gateway (aka proxy firewall)
Next-generation firewall (NGFW)