Network Security

1. An administrator defined a local user account with a secret password
on router R1 for use with SSH. Which three additional steps are required
to configure R1 to accept only encrypted SSH connections? (Choose
three.)
▪ Configure DNS on the router.
▪ Configure the IP domain name on the router.
▪ Generate two-way pre-shared keys.
▪ Configure a host name other than “Router”.
▪ Enable inbound vty Telnet sessions.
▪ Generate crypto keys.
Explanation: There are three steps to configure SSH support on a Cisco
router:
Step 1: Configure a hostname.
Step 2: Configure a domain name.
Step 3: Generate crypto keys.
The RSA key pair is named after hostname.domain-name, which is why the first
two steps must precede the third. These steps turn the SSH server on; to make
the router accept only encrypted connections, the vty lines must also be
restricted with transport input ssh (otherwise Telnet remains available), and
ip ssh version 2 should be set so that the weaker SSH version 1 is never
negotiated.
2. Which command will block login attempts on RouterA for a period of 30
seconds if there are 2 failed login attempts within 10 seconds?
▪ RouterA(config)# login block-for 10 attempts 2 within 30
▪ RouterA(config)# login block-for 30 attempts 2 within 10
▪ RouterA(config)# login block-for 2 attempts 30 within 10
▪ RouterA(config)# login block-for 30 attempts 10 within 2
Explanation: The correct syntax is RouterA(config)# login block-for (number
of seconds) attempts (number of attempts) within (number of seconds). Once the
threshold is reached the router enters quiet mode for the block period and
refuses all login attempts, including legitimate ones, unless a login
quiet-mode access-class ACL exempts the management hosts.
3. Which two practices are associated with securing the features and
performance of router operating systems? (Choose two.)
▪ Install a UPS.
▪ Keep a secure copy of router operating system images.
▪ Configure the router with the maximum amount of memory possible.
▪ Disable default router services that are not necessary.
▪ Reduce the number of ports that can be used to access the router.
Explanation: Configuring a router with maximum available memory allows
support for the widest range of security services and can help to protect
against certain DoS attacks. Secure copies of router operating system images
and configuration files provide backups needed for device recovery. Installing
a UPS device provides physical security for networking devices but does not
affect the security of their operating systems. Disabling unnecessary ports and
services is part of the process of router hardening, and does not specifically
involve the router operating system.
4. Passwords can be used to restrict access to all or parts of the Cisco IOS.
Select the modes and interfaces that can be protected with passwords.
(Choose three.)
▪ VTY interface
▪ console interface
▪ Ethernet interface
▪ boot IOS mode
▪ privileged EXEC mode
▪ router configuration mode
Explanation: Access to the VTY lines (in-band remote management) and the
console line (out-of-band management) is restricted with line passwords or,
better, login local with a local username secret; privileged EXEC mode is
protected with enable secret. Ethernet interfaces, the boot process, and
configuration modes are not separately password-protected objects.
5. A network administrator enters the service password-encryption
command into the configuration mode of a router. What does this command
accomplish?
▪ This command encrypts passwords as they are transmitted across serial
WAN links.
▪ This command prevents someone from viewing the running
configuration passwords.
▪ This command enables a strong encryption algorithm for the enable
secret password command.
▪ This command automatically encrypts passwords in configuration files
that are currently stored in NVRAM.
▪ This command provides an exclusive encrypted password for external
service personnel who are required to do router maintenance.
Explanation: The startup-config and running-config files display most
passwords in plaintext. The service password-encryption global config command
converts every plaintext password in these files (line passwords, username
password entries, enable password) to the type 7 format. Type 7 is a
reversible obfuscation, not encryption: anyone who obtains the configuration
can recover the original passwords with freely available tools, so it only
protects against shoulder surfing. Use enable secret and username ... secret
(hashed rather than reversible: type 5 MD5 on older IOS, type 8/9 on
15.3(3)M and later) wherever a secret is accepted; service
password-encryption does not touch those.
6. On which two interfaces or ports can security be improved by configuring
executive timeouts? (Choose two.)
▪ Fast Ethernet interfaces
▪ console ports
▪ serial interfaces
▪ vty ports
▪ loopback interfaces
Explanation: Exec timeouts (the line-level exec-timeout minutes seconds
command) make the Cisco device automatically end a session after it has been
idle for the specified time, so an unattended management session cannot be
picked up by someone else. Console, vty, and aux lines can be configured with
exec timeouts; exec-timeout 0 0 disables the timeout and should not be left
on production devices.
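As an added illustration, not part of the quiz answer key, the following IOS configuration pulls questions 1 through 6 together into one hardened management-plane baseline for R1: SSH only, local accounts with hashed secrets, idle timeouts on every line, login blocking, and password obfuscation for whatever plaintext is left. The domain name, the management subnet 10.0.0.0/24, the user names and the passphrases are placeholders chosen for the example.

```cisco
! Added example (not from the quiz). Hostname and domain must exist before the
! RSA key is generated, because the key pair is named hostname.domain-name.
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 2048
! Refuse SSHv1; limit how long a half-open SSH negotiation may hang around.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! Local account and enable secret stored as scrypt hashes (type 9), not type 7.
username admin privilege 15 algorithm-type scrypt secret StrongPassphrase!
enable algorithm-type scrypt secret AnotherStrongPassphrase!
! vty lines: SSH only (no Telnet), local authentication, 5-minute idle timeout.
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
! Console (out-of-band) gets the same authentication and timeout.
line console 0
 login local
 exec-timeout 5 0
! Aux port is rarely needed; disable EXEC on it entirely.
line aux 0
 no exec
 transport input none
! Question 2: block logins for 30 s after 2 failures within 10 s.
! ACL 10 (placeholder management subnet) keeps admins out of the penalty box.
access-list 10 permit 10.0.0.0 0.0.0.255
login block-for 30 attempts 2 within 10
login quiet-mode access-class 10
login on-failure log
login delay 2
! Question 5: obfuscate any remaining plaintext line passwords (type 7).
service password-encryption
```

Verify with show ip ssh (should report version 2.0 and the key size), show login (shows the block-for policy and whether the router is currently in quiet mode) and show running-config | include secret (every credential line should read secret 9, not password 7).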
7. A security service company is conducting an audit in several risk areas
within a major corporation. What statement describes an attack vector?
▪ data loss through access to personal or corporate instant messaging
and social media sites
▪ the path by which a threat actor can gain access to a server, host, or
network
▪ intercepted emails that reveal confidential corporate or personal
information
▪ the unauthorized transfer of data containing valuable corporate
information to a USB drive
8. What is the purpose of mobile device management (MDM) software?
▪ It is used to create a security policy.
▪ It is used to implement security policies, setting, and software
configurations on mobile devices.
▪ It is used to identify potential mobile device vulnerabilities.
▪ It is used by threat actors to penetrate the system.
Explanation: Mobile device management (MDM) software is used with mobile
devices so that corporate IT personnel can track the devices, implement
security settings, as well as control software configurations.
9. Which security implementation will provide management plane
protection for a network device?
▪ antispoofing
▪ routing protocol authentication
▪ role-based access control
▪ access control lists
Explanation: Management plane processes typically use protocols such as
Telnet and SSH. Role-based access control ensures that only authorized
users have management privileges. ACLs perform packet filtering and
antispoofing functions on the data plane to secure packets generated by
users. Routing protocol authentication on the control plane ensures that a
router does not accept false routing updates from neighbor routers.
10. A security service company is conducting an audit in several risk areas
within a major corporation. What statement describes the risk of access to
cloud storage devices?
▪ intercepted emails that reveal confidential corporate or personal
information
▪ gaining illegal access to corporate data by stealing passwords or
cracking weak passwords
▪ sensitive data lost through access to the cloud that has been
compromised due to weak security settings
▪ the retrieval of confidential or personal information from a lost or stolen
device that was not configured to use encryption software
11. Which security measure is best used to limit the success of a
reconnaissance attack from within a campus area network?
▪ Implement restrictions on the use of ICMP echo-reply messages.
▪ Implement a firewall at the edge of the network.
▪ Implement access lists on the border router.
▪ Implement encryption for sensitive traffic.
Explanation: The implementation of an access list may provide extra security
by permitting or denying a flow of traffic, but it will not provide a direct
response to limit the success of the attack. A firewall on the network edge
may prevent reconnaissance attacks from the Internet, but attacks within the
local network are not prevented. Restricting the sending of ICMP echo-reply
messages within a local network means devices may not respond to ping
messages, but port scans are not prevented and clear-text data sent on the
network are still vulnerable. The best security measure is to encrypt as much
network traffic as possible, both user data and network management traffic,
so that whatever an internal sniffer captures is useless to the attacker.
12. What are two evasion methods used by hackers? (Choose two.)
▪ scanning
▪ access attack
▪ resource exhaustion
▪ phishing
▪ encryption
Explanation: The following methods are used by hackers to avoid detection:
– Encryption and tunneling – hide or scramble the malware content
– Resource exhaustion – keep the host device too busy to detect the invasion
– Traffic fragmentation – split the malware into multiple packets
– Protocol-level misinterpretation – sneak by the firewall
– Pivot – use a compromised network device to attempt access to another
device
– Rootkit – allow the hacker to avoid detection as well as hide software
installed by the hacker
13. Match the security concept to the description.
14. Which attack involves threat actors positioning themselves between a
source and destination with the intent of transparently monitoring,
capturing, and controlling the communication?
▪ man-in-the-middle attack
▪ SYN flood attack
▪ DoS attack
▪ ICMP attack
Explanation: The man-in-the-middle attack is a common IP-related attack
where threat actors position themselves between a source and destination to
transparently monitor, capture, and control the communication.
15. What is the motivation of a white hat attacker?
▪ fine tuning network devices to improve their performance and efficiency
▪ taking advantage of any vulnerability for illegal personal gain
▪ studying operating systems of various platforms to develop a new
system
▪ discovering weaknesses of networks and systems to improve the
security level of these systems
Explanation: White hat attackers break into networks or computer systems in
order to discover weaknesses for the purpose of improving the security of
these systems. These break-ins are done with permission from the owner or
the organization. Any results are reported back to the owner or the
organization.
16. A user is curious about how someone might know a computer has been
infected with malware. What are two common malware behaviors? (Choose
two.)
▪ The computer emits a hissing sound every time the pencil sharpener is
used.
▪ The computer beeps once during the boot process.
▪ The computer gets increasingly slower to respond.
▪ No sound emits when an audio CD is played.
▪ The computer freezes and requires reboots.
Explanation: Common symptoms of computers infected with malware:
Appearance of files, applications, or desktop icons
Security tools such as antivirus software or firewalls turned off or changed
System crashes
Emails spontaneously sent to others
Modified or missing files
Slow system or browser response
Unfamiliar processes or services running
Unknown TCP or UDP ports open
Connections made to unknown remote devices
17. Which security feature or device would more likely be used within a
CAN than a SOHO or data center?
▪ security trap
▪ ESA/WSA
▪ virtual security gateway
▪ wireless router
▪ exit sensors
Explanation: A Cisco Email Security Appliance (ESA) and Web Security
Appliance (WSA) provide advanced threat defense, application visibility and
control, reporting, and secure mobility to secure and control email and web
traffic within a campus area network (CAN). A wireless router is a common
defense mechanism used in a SOHO. Exit sensors and a security trap are
features used within a data center. A virtual security gateway is integrated
into Cisco Nexus switches and is used for inter-virtual machine security.
18. A company has several sales offices distributed within a city. Each sales
office has a SOHO network. What are two security features that are
commonly found in such a network configuration? (Choose two.)
▪ biometric verifications
▪ WPA2
▪ Virtual Security Gateway within Cisco Nexus switches
▪ Cisco ASA firewall
▪ port security on user facing ports
Explanation: Small Office and Home Office (SOHO) networks are typically
protected using a consumer grade wireless router that includes both wired and
wireless connections. WPA2 is commonly used for wireless encryption and
port security is used to ensure non-company devices are not plugged into the
wired network.
19. What are two data protection functions provided by MDM? (Choose
two.)
▪ remote wiping
▪ PIN locking
▪ inoculation
▪ quarantine
▪ physical security
Explanation: Data protection functions include PIN locking, encryption, and
remote data wiping. In contrast, data loss prevention prevents authorized
users from doing careless or malicious things with data important to the
organization.
20. Which condition describes the potential threat created by Instant On in
a data center?
▪ when the primary firewall in the data center crashes
▪ when an attacker hijacks a VM hypervisor and then launches attacks
against other devices in the data center
▪ when the primary IPS appliance is malfunctioning
▪ when a VM that may have outdated security policies is brought online
after a long period of inactivity.
Explanation: The phrase Instant On describes a potential threat to a VM when
it is brought online after it has not been used for a period of time. Because it is
offline for a while, it may have outdated security policies that deviate from the
baseline security and can introduce security vulnerabilities.
21. What functional area of the Cisco Network Foundation Protection
framework is responsible for device-generated packets required for
network operation, such as ARP message exchanges and routing
advertisements?
▪ data plane
▪ control plane
▪ management plane
▪ forwarding plane
Explanation: There are three functional areas of the Cisco Network
Foundation Protection (NFP) framework:
Control plane: Responsible for routing functions. Consists of the traffic
generated by network devices to operate the network.
Management plane: Responsible for managing network devices.
Data (Forwarding) plane: Responsible for forwarding user data.
22. A security service company is conducting an audit in several risk areas
within a major corporation. What statement describes the risk of using
social networking?
▪ sensitive data lost through access to the cloud that has been
compromised due to weak security settings
▪ gaining illegal access to corporate data by stealing passwords or
cracking weak passwords
▪ data loss through access to personal or corporate instant messaging
and social media sites
▪ the retrieval of confidential or personal information from a lost or stolen
device that was not configured to use encryption software
23. A security service company is conducting an audit in several risk areas
within a major corporation. What statement describes the risk of access to
removable media?
▪ the potential of causing great damage because of direct access to the
building and its infrastructure devices
▪ intercepted emails that reveal confidential corporate or personal
information
▪ the unauthorized transfer of data containing valuable corporate
information to a USB drive
▪ data loss through access to personal or corporate instant messaging
and social media sites
24. What is the purpose of a reconnaissance attack on a computer network?
▪ to gather information about the target network and system
▪ to redirect data traffic so that it can be monitored
▪ to prevent users from accessing network resources
▪ to steal data from the network servers
Explanation (curriculum reference: Module 1.1):
Preventing users from accessing network resources is a denial of service
attack. Being able to steal data from the network servers may be the objective
after a reconnaissance attack gathers information about the target network
and system. Redirecting data traffic so it can be monitored is a man-in-the
middle attack.
25. A security service company is conducting an audit in several risk areas
within a major corporation. What statement describes an internal threat?
▪ data loss through access to personal or corporate instant messaging
and social media sites
▪ the unauthorized transfer of data containing valuable corporate
information to a USB drive
▪ the potential of causing great damage because of direct access to the
building and its infrastructure devices
▪ gaining illegal access to corporate data by stealing passwords or
cracking weak passwords

1. Which privilege level is predefined for the privileged EXEC mode?
▪ level 0
▪ level 1
▪ level 15
▪ level 16
Explanation: Privileged EXEC mode (privilege level 15) is reserved for the
enable mode privileges (all enable-level commands). Users can change
configurations and view configuration files.
2. What is a requirement to use the Secure Copy Protocol feature?
▪ At least one user with privilege level 1 has to be configured for local
authentication.
▪ A command must be issued to enable the SCP server side
functionality.
▪ A transfer can only originate from SCP clients that are routers.
▪ The Telnet protocol has to be configured on the SCP server side.
Explanation: The Secure Copy Protocol feature relies on SSH and requires
that AAA authentication and authorization be configured so that the router can
determine whether the user has the correct privilege level. For local
authentication, at least one user with privilege level 15 has to be configured.
Transfers can originate from any SCP client whether that client is another
router, switch, or workstation. The ip scp server enable command has to be
issued to enable the SCP server side functionality.
3. Which three items are prompted for a user response during interactive
AutoSecure setup? (Choose three.)
▪ IP addresses of interfaces
▪ content of a security banner
▪ enable secret password
▪ services to disable
▪ enable password
▪ interfaces to enable
Explanation: During AutoSecure setup, the following steps occur:
– The auto secure command is entered.
– The wizard gathers information about the outside interfaces.
– AutoSecure secures the management plane by disabling unnecessary
services.
– AutoSecure prompts for a security banner.
– AutoSecure prompts for passwords and enables password and login
features.
– Interfaces are secured.
– The forwarding plane is secured.
4. Which syslog message type is accessible only to an administrator and
only via the Cisco CLI?
▪ errors
▪ alerts
▪ debugging
▪ emergency
Explanation: Syslog messages can be sent to the logging buffer, the console
line, the terminal line, or to a syslog server. Debug output (severity 7) is
produced by debug commands and appears on the console, on a monitor session,
or in the buffer; it is not forwarded to a syslog server unless the
administrator deliberately raises the trap level with logging trap debugging
(the default trap level is informational, severity 6). In practice,
therefore, debug-level messages are seen only by an administrator at the
Cisco CLI.
5. Refer to the exhibit. What two statements describe the NTP status of the
router? (Choose two.)

▪ The router is serving as an authoritative time source.
▪ The software clock for the router must be configured with the set clock
command so that NTP will function properly.
▪ The router is attached to a stratum 2 device.
▪ The router is serving as a time source for the device at 192.168.1.1.
▪ The IP address of the time source for the router is 192.168.1.1.
Explanation: The show ntp status command displays information about how
NTP is operating on the device. The output shows that the router clock is
synchronized with the NTP server at address 192.168.1.1. NTP is hierarchical:
the router is a stratum 3 device, therefore its time source is a stratum 2
device. Stratum 0 is the reference clock itself (GPS, atomic clock); stratum 1
servers are attached directly to it and are the authoritative sources of the
NTP hierarchy. Note that show ntp status does not reveal whether NTP
authentication is configured; an unauthenticated source can be spoofed to
shift the router clock, which corrupts log timestamps and certificate
validity checks.
6. An administrator needs to create a user account with custom access to
most privileged EXEC commands. Which privilege command is used to
create this custom account?
▪ privilege exec level 15
▪ privilege exec level 0
▪ privilege exec level 1
▪ privilege exec level 2
Explanation: In Cisco IOS software, there are 16 privilege levels:
Level 0: Predefined; it contains only the disable, enable, exit, help, and
logout commands.
Level 1: The default level for login, with the router prompt Router> (user
EXEC).
Levels 2-14: May be customized for user-level privileges. Commands from
lower levels may be moved up to another higher level, or commands from
higher levels may be moved down to a lower level.
Level 15: Reserved for the enable mode privileges (enable command).
To configure a privilege level with specific commands for a customized user
level, use privilege exec level level command, where level is between 2 and
14. Moving a command down to a level also makes it available to every level
above that one, so check that you are not exposing more than intended.
7. A network administrator is analyzing the features supported by the
multiple versions of SNMP. What are two features that are supported by
SNMPv3 but not by SNMPv1 or SNMPv2c? (Choose two.)
▪ message encryption
▪ community-based security
▪ SNMP trap mechanism
▪ message source validation
▪ bulk retrieval of MIB information
Explanation: SNMPv3 provides message integrity (an HMAC, MD5 or SHA, over
the message) to ensure that a packet was not tampered with, authentication to
determine if the message is from a valid source, and message encryption (DES,
3DES or AES) for confidentiality. SNMPv1 and SNMPv2c do not support message
encryption or message source validation; their only access control is the
community string, which travels in clear text. SNMPv2c added the GetBulk
operation for bulk retrieval of MIB information. All SNMP versions support
the SNMP trap mechanism.
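An added example, not part of the quiz, of what the SNMPv3 features above look like in an IOS configuration: a view, a group that demands both authentication and privacy, a user bound to HMAC-SHA and AES-128, and the removal of legacy community strings. The management station address 10.0.0.10, the view/group/user names and the passphrases are placeholders.

```cisco
! Added example (not from the quiz): SNMPv3 authPriv on a router.
! Only the management station may talk SNMP to this device.
access-list 20 permit host 10.0.0.10
! Read-only view restricted to the system and interfaces subtrees.
snmp-server view RO-VIEW system included
snmp-server view RO-VIEW interfaces included
! v3 group: "priv" = authentication AND encryption required, read-only, ACL 20.
snmp-server group NMS-GROUP v3 priv read RO-VIEW access 20
! v3 user: HMAC-SHA gives integrity and source validation, AES-128 gives
! confidentiality. Neither is available in v1/v2c.
snmp-server user nms-poller NMS-GROUP v3 auth sha AuthPassphrase123 priv aes 128 PrivPassphrase123
! Notifications also go out as v3 authPriv, using the same user.
snmp-server enable traps
snmp-server host 10.0.0.10 version 3 priv nms-poller
! Remove any legacy community strings that may still be present.
no snmp-server community public
no snmp-server community private
```

The user line is not echoed back by show running-config (IOS stores the localized keys, not the passphrases); confirm it with show snmp user, which should list the auth and priv protocols for nms-poller.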
8. A network administrator is configuring an AAA server to manage
TACACS+ authentication. What are two attributes of TACACS+
authentication? (Choose two.)
▪ TCP port 40
▪ encryption for all communication
▪ single process for authentication and authorization
▪ UDP port 1645
▪ encryption for only the password of a user
▪ separate processes for authentication and authorization
Explanation: TACACS+ authentication includes the following attributes:
Separates authentication and authorization processes
Encrypts all communication, not just passwords
Utilizes TCP port 49
Note that the TACACS+ body protection is an MD5-based keystream XORed with the
shared key (RFC 8907 calls it obfuscation rather than encryption), so the
shared key must be long and random and the router-to-server traffic should
still be confined to a protected management network.
9. What are two characteristics of the RADIUS protocol? (Choose two.)
▪ encryption of the entire body of the packet
▪ encryption of the password only
▪ the use of UDP ports for authentication and accounting
▪ the separation of the authentication and authorization processes
▪ the use of TCP port 49
Explanation: RADIUS is an open-standard AAA protocol using UDP port 1645
or 1812 for authentication and UDP port 1646 or 1813 for accounting. It
combines authentication and authorization into one process.
10. What is the one major difference between local AAA authentication and
using the login local command when configuring device access
authentication?
▪ The login local command requires the administrator to manually
configure the usernames and passwords, but local AAA authentication
does not.
▪ Local AAA authentication allows more than one user account to be
configured, but login local does not.
▪ Local AAA authentication provides a way to configure backup
methods of authentication, but login local does not.
▪ The login local command uses local usernames and passwords stored
on the router, but local AAA authentication does not.
Explanation: Local AAA authentication works very similar to the login local
command, except that it allows you to specify backup authentication methods
as well. Both methods require that local usernames and passwords be
manually configured on the router.
11. Which two UDP port numbers may be used for server-based AAA
RADIUS authentication? (Choose two.)
▪ 1812
▪ 1645
▪ 1813
▪ 1646
▪ 49
Explanation: RADIUS authentication and accounting utilize the following UDP
port numbers:
UDP port 1645 or 1812 for authentication
UDP port 1646 or 1813 for accounting
TACACS+ uses TCP port 49.
12. Which command will move the show access-lists command to privilege
level 14?
▪ router(config)# privilege level 14 command show access-lists
▪ router(config)# privilege exec level 14 show access-lists
▪ router(config)# set privilege level 14 show access-lists
▪ router(config)# show access-lists privilege level 14
Explanation: To configure a privilege level with specific commands, use
the privilege exec level level [ command ].
13. Which authentication method stores usernames and passwords in the
router and is ideal for small networks?
▪ server-based AAA over TACACS+
▪ local AAA over RADIUS
▪ server-based AAA
▪ local AAA over TACACS+
▪ local AAA
▪ server-based AAA over RADIUS
Explanation: In a small network with a few network devices, AAA
authentication can be implemented with the local database and with
usernames and passwords stored on the network devices. Authentication
using the TACACS+ or RADIUS protocol will require dedicated ACS servers
although this authentication solution scales well in a large network.
14. What are three characteristics of superviews in the Cisco role-based CLI
access feature? (Choose three.)
▪ A user uses the command enable view superview-name to enter a
superview.
▪ A user uses a superview to configure commands inside associated CLI
views.
▪ Commands cannot be configured for a superview.
▪ Level 15 privilege access is used to configure a new superview.
▪ Deleting a superview does not delete the associated CLI views.
▪ A single CLI view can be shared within multiple superviews.
Explanation: Cisco role-based Superviews have several specific
characteristics:
– A single CLI view can be shared within multiple superviews.
– Commands cannot be configured for a superview. An administrator must add
commands to the CLI view and add that CLI view to the superview.
– Users who are logged into a superview can access all the commands that
are configured for any of the CLI views that are part of the superview.
– Each superview has a password that is used to switch between superviews
or from a CLI view to a superview.
– Deleting a superview does not delete the associated CLI views. The CLI
views remain available to be assigned to another superview.
– Only a root view user can configure a new view and add or remove
commands from the existing views.
15. A student is learning about role-based views and role-based view
configurations. The student enters the Router(config)# parser view TECH-
view command. What is the purpose of this command?
▪ to create a CLI view named TECH-view
▪ to enter the superview named TECH-view
▪ to check the current setup of the CLI view named TECH-view
▪ to enter the CLI view named TECH-view
Explanation: The command Router(config)# parser view [ view-name ] is used
to create a new CLI view. The command Router(config)# parser view [ view-
name ] superview is used to create a new superview view.
16. Refer to the exhibit. A student uses the show parser view all command
to see a summary of all views configured on router R1. What is indicated by
the symbol * next to JR-ADMIN?

▪ It is a root view.
▪ It is a CLI view without a command configured.
▪ It is a superview.
▪ It is a CLI view.
Explanation: From the root view, a network administrator can see a summary
of all role-based views by using the show parser view all command. An
asterisk identifies a superview.
17. What are two characteristics of the Cisco IOS Resilient Configuration
feature? (Choose two.)
▪ It maintains a mirror image of the configuration file in RAM.
▪ It sends a backup copy of the IOS image to a TFTP server.
▪ It saves a secure copy of the primary image and device configuration
that cannot be removed by a user.
▪ It minimizes the downtime of a device that has had the image and
configuration deleted.
▪ It is a universal feature that can be activated on all Cisco devices.
Explanation: The Cisco IOS Resilient Configuration stores a secure copy of
the primary image file and device configuration. These secure files cannot be
removed by a user. Its main function is to speed up the recovery time if a
device has been compromised and the image file and the device configuration
have been deleted. This feature is only available on platforms that support a
PCMCIA ATA disk with enough storage space.
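As an added example, not from the quiz, the following configuration combines question 17 (Resilient Configuration) with question 2 of this section (SCP): the image and a configuration snapshot are locked down on the device, and configuration backups leave it over SSH-based SCP instead of clear-text TFTP. The user name, the passphrase and the backup host 10.0.0.20 are placeholders, and the feature assumes a platform whose flash supports it.

```cisco
! Added example (not from the quiz): IOS Resilient Configuration plus SCP.
! Archive the running image and a snapshot of the running-config in a
! secure bootset that cannot be deleted from the CLI.
secure boot-image
secure boot-config
! --- SCP server side (question 2): SCP rides on SSH and needs AAA ---
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! SCP checks the EXEC privilege level, so the account must be level 15.
username backup-op privilege 15 algorithm-type scrypt secret BackupPassphrase!
ip scp server enable
! Verification and use (typed at the EXEC prompt, shown here as comments):
! R1# show secure bootset
! R1# copy running-config scp://backup-op@10.0.0.20/R1-config.txt
```

secure boot-config takes a fresh snapshot only when you run it again after configuration changes, so it belongs in the change procedure, not just the initial build.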
18. What IOS privilege levels are available to assign for custom user-level
privileges?
▪ levels 1 through 15
▪ levels 0, 1, and 15
▪ levels 2 through 14
▪ levels 0 and 1
Explanation: There are 16 privilege levels that can be applied to user
accounts. Levels 0, 1, and 15 have predefined settings. This leaves levels 2
through 14 available for creating custom levels of access.
19. Refer to the exhibit. What information in the syslog message identifies
the facility?

▪ ADJCHG
▪ Loading Done
▪ OSPF
▪ level 5
Explanation: The facility is a service identifier used to categorize and identify
the messages being generated by a device using syslog. The facility of OSPF
identifies this syslog message as being from the OSPF protocol. Level 5 is the
severity level of this message. ADJCHG is the mnemonic to describe the
action occurring. Loading Done is part of the description of the event that
occurred.
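An added example, not part of the quiz, tying together questions 4, 5 and 19 of this section: an NTP source authenticated with a key, timestamps on log messages, and syslog export with debug output deliberately kept local. The server 192.168.1.1 is taken from question 5; the syslog host 10.0.0.40, the loopback address and the NTP key are placeholders, and the sample message in the trailing comment is constructed to show where facility, severity and mnemonic sit.

```cisco
! Added example (not from the quiz): authenticated NTP and syslog export.
! --- NTP: only accept time from 192.168.1.1 if it signs with key 1 ---
ntp authenticate
ntp authentication-key 1 md5 NtpKeyChangeMe
ntp trusted-key 1
ntp server 192.168.1.1 key 1
! --- Timestamps, otherwise messages cannot be correlated across devices ---
service timestamps log datetime msec localtime show-timezone
! --- Syslog: stable source address, large local buffer, severity 0-6 to the
!     server. Debug (7) stays in the buffer/console (question 4). ---
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
logging source-interface Loopback0
logging buffered 64000 debugging
logging host 10.0.0.40
logging trap informational
! Verification (EXEC prompt):
! R1# show ntp status     -> "Clock is synchronized, stratum 3, reference is 192.168.1.1"
! R1# show logging
! A resulting message, constructed for illustration (question 19):
!   *Mar  1 00:10:22.123 UTC: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on
!   GigabitEthernet0/0 from LOADING to FULL, Loading Done
!   facility = OSPF, severity = 5, mnemonic = ADJCHG, rest = description
```

logging trap informational is the default and is written out explicitly so that a later "logging trap debugging" shows up in a configuration diff; debug floods to a remote collector are a common self-inflicted outage.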
20. What is the biggest issue with local implementation of AAA?
▪ Local implementation supports only TACACS+ servers.
▪ Local implementation cannot provide secure authentication.
▪ Local implementation does not scale well.
▪ Local implementation supports only RADIUS servers.
Explanation: One of the purposes of AAA is to provide secure authentication
to network devices. Local implementation does not use RADIUS or TACACS+
servers. It relies on a local database to authenticate all users. This can be a
problem in a network that has many devices with hundreds of users or more.
21. Which task is necessary to encrypt the transfer of data between the ACS
server and the AAA-enabled router?
▪ Configure the key exactly the same way on the server and the router.
▪ Specify the single-connection keyword.
▪ Create a VPN tunnel between the server and the router.
▪ Use identical reserved ports on the server and the router.
Explanation: The key command is used to configure the shared secret key
that is used for encryption. The key must be configured the exact same way on
the router and on the ACS server. The creation of a VPN tunnel is
unnecessary. Neither the configuration of ports nor the use of the single-
connection command has any effect on encryption.
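An added example, not part of the quiz, that exercises questions 8 through 13, 20 and 21 of this section in one configuration: TACACS+ (TCP 49) as the primary method, RADIUS (UDP 1812/1813) as the secondary, and the local database as the last resort, with the shared keys that must match the server exactly. Server names, addresses 10.0.0.30/10.0.0.31, keys and user names are placeholders; the tacacs server / radius server forms are the IOS 15.x syntax.

```cisco
! Added example (not from the quiz): server-based AAA with local fallback.
aaa new-model
! Local account used only when every AAA server is unreachable.
username admin privilege 15 algorithm-type scrypt secret LocalFallback!
! TACACS+ server: TCP port 49; the key is the shared secret of question 21
! and must be configured identically on the ACS side.
tacacs server ACS-T1
 address ipv4 10.0.0.30
 key Tacacs-Shared-Key-Change-Me
 single-connection
! RADIUS server: UDP 1812 auth / 1813 acct (legacy deployments use 1645/1646).
radius server ACS-R1
 address ipv4 10.0.0.31 auth-port 1812 acct-port 1813
 key Radius-Shared-Key-Change-Me
! Named method lists: TACACS+ first, then RADIUS, then local (question 10:
! this fallback chain is what plain "login local" cannot express).
aaa authentication login VTY-AUTH group tacacs+ group radius local
aaa authorization exec VTY-AUTHZ group tacacs+ local
! Per-command authorization is a TACACS+ feature (separate authz process);
! RADIUS cannot do it, so the fallback is if-authenticated rather than RADIUS.
aaa authorization commands 15 VTY-AUTHZ group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Apply the lists to the remote-management lines.
line vty 0 4
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTHZ
 authorization commands 15 VTY-AUTHZ
! Verification (EXEC prompt):
! R1# test aaa group tacacs+ admin LocalFallback! legacy
! R1# show tacacs
```

Keep the console on a separate, simpler method list (for example aaa authentication login CONSOLE local) so that an AAA server outage never locks out physical access.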
22. Refer to the exhibit. Based on the output of the show running-config
command, which type of view is SUPPORT?

▪ CLI view, containing SHOWVIEW and VERIFYVIEW commands
▪ superview, containing SHOWVIEW and VERIFYVIEW views
▪ secret view, with a level 5 encrypted password
▪ root view, with a level 5 encrypted secret password
Explanation: The superview role-based CLI view named SUPPORT has been
configured on the router. The SUPPORT superview consists of two CLI views
called SHOWVIEW and VERIFYVIEW.
23. A student is learning role-based CLI access and CLI view configurations.
The student opens Packet Tracer and adds a router. Which command
should be used first for creating a CLI view named TECH-View?
▪ Router# enable view
▪ Router(config)# aaa new-model
▪ Router# enable view TECH-view
▪ Router(config)# parser view TECH-view
Explanation: Before an administrator can create a view for role-based CLI
access, AAA must be enabled using the aaa new-model command.
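As an added worked example, not from the quiz, here is the full sequence behind questions 14, 15, 16, 22 and 23 of this section: AAA enabled first, two CLI views with a handful of commands each, a superview that merely groups them, and a local account that lands in the superview at login. View names match the exhibit of question 22; the secrets and the helpdesk user are placeholders.

```cisco
! Added example (not from the quiz): role-based CLI views.
! Views can only be created from the root view, which requires aaa new-model
! and an enable secret:
!   R1# enable view          (prompts for the enable secret)
aaa new-model
enable algorithm-type scrypt secret RootSecret!
! A CLI view holds its own commands (stored as "secret 5" once saved).
parser view SHOWVIEW
 secret ShowSecret!
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
parser view VERIFYVIEW
 secret VerifySecret!
 commands exec include ping
 commands exec include traceroute
 commands exec include show access-lists
! A superview cannot hold commands, only member views (question 14).
! Deleting it later leaves SHOWVIEW and VERIFYVIEW intact.
parser view SUPPORT superview
 secret SupportSecret!
 view SHOWVIEW
 view VERIFYVIEW
! Bind a local account to the superview so login drops straight into it.
username helpdesk view SUPPORT secret HelpdeskPass!
! Switching and checking (EXEC prompt):
!   R1# enable view SUPPORT          -> prompts for SupportSecret!
!   R1# show parser view             -> Current view is 'SUPPORT'
!   R1# show parser view all         -> root view only; * marks the superview
```

Because a view user sees only the commands explicitly included, test each view from a second session before handing it out; a missing "commands exec include configure terminal" is the usual reason a view appears to do nothing.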
24. A network engineer is implementing security on all company routers.
Which two commands must be issued to force authentication via the
password 1A2b3C for all OSPF-enabled interfaces in the backbone area of
the company network? (Choose two.)
▪ area 0 authentication message-digest
▪ ip ospf message-digest-key 1 md5 1A2b3C
▪ username OSPF password 1A2b3C
▪ enable password 1A2b3C
▪ area 1 authentication message-digest
Explanation: The two commands that are necessary to configure
authentication via the password 1A2b3C for all OSPF-enabled interfaces in the
backbone area (Area 0) of the company network are ip ospf message-digest-key
1 md5 1A2b3C (on each interface in the area) and area 0 authentication
message-digest (under router ospf). The option area 1 authentication
message-digest is incorrect because it refers to Area 1, not Area 0. The
option enable password 1A2b3C is incorrect because it sets the privileged
EXEC mode password, not an OSPF key. The option username OSPF password 1A2b3C
creates an entry in the local username database, which OSPF authentication
does not use. MD5 authentication only proves that a neighbor knows the shared
key; it does not encrypt routing updates, and MD5 is considered weak, so
newer IOS releases also offer key-chain based HMAC-SHA authentication for
OSPFv2.
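An added example, not part of the quiz, showing the two commands of question 24 in context, a key rotation that does not drop adjacencies, and the stronger key-chain form available on newer IOS (15.4(1)T and later). Process ID 1, router ID 1.1.1.1, the 10.0.0.0/24 network, the interface name and the replacement key are placeholders; 1A2b3C is the key from the question.

```cisco
! Added example (not from the quiz): OSPF MD5 authentication in area 0.
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.255 area 0
 ! Require message-digest authentication on every interface in area 0.
 area 0 authentication message-digest
interface GigabitEthernet0/0
 ! Key ID and key must match on every neighbor on this segment.
 ip ospf message-digest-key 1 md5 1A2b3C
! Key rotation without an outage: IOS sends with the newest key but accepts
! any configured key, so add key 2 everywhere first, then remove key 1.
interface GigabitEthernet0/0
 ip ospf message-digest-key 2 md5 NewKeyChangeMe
 no ip ospf message-digest-key 1 md5 1A2b3C
! Verification: "Message digest authentication enabled" and the youngest key
! are listed under show ip ospf interface; adjacency state under
! show ip ospf neighbor.

! Stronger variant on IOS 15.4(1)T and later (RFC 5709 HMAC-SHA):
key chain OSPF-KEYS
 key 1
  key-string NewKeyChangeMe
  cryptographic-algorithm hmac-sha-256
interface GigabitEthernet0/0
 ip ospf authentication key-chain OSPF-KEYS
```

With the key-chain form the per-interface command replaces the area-level command, and key rotation becomes an accept-lifetime/send-lifetime schedule on the chain rather than a manual add-then-remove on every router.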
25. Because of implemented security controls, a user can only access a
server with FTP. Which AAA component accomplishes this?
▪ accessibility
▪ accounting
▪ auditing
▪ authentication
▪ authorization
Explanation: One of the components in AAA is authorization. After a user is
authenticated through AAA, authorization services determine which resources
the user can access and which operations the user is allowed to perform.
26. Which AAA component can be established using token cards?
▪ accounting
▪ authorization
▪ auditing
▪ authentication
Explanation: The authentication component of AAA is established using
username and password combinations, challenge and response questions,
and token cards. The authorization component of AAA determines which
resources the user can access and which operations the user is allowed to
perform. The accounting and auditing component of AAA keeps track of how
network resources are used.
27. What is the primary function of the aaa authorization command?
▪ permit AAA server access to AAA client services
▪ limit authenticated user access to AAA client services
▪ permit authenticated user access to AAA client services
▪ limit AAA server access to AAA client services
Explanation: Authorization is concerned with allowing and disallowing
authenticated users access to certain areas and programs on the network as
well as specific services. Controlling access to configuration commands
greatly simplifies the infrastructure security in large enterprise networks.
1. When creating an ACL, which keyword should be used to document
and interpret the purpose of the ACL statement on a Cisco device?
▪ remark
▪ description
▪ established
▪ eq
Explanation: In order to document the purpose of an ACL and identify its
function more easily, the remark keyword is used when building the ACL.
The established keyword is used to allow connections that were initially
sourced from the current device. The eq operator is used to specify a port
number for denying or permitting traffic. The description keyword is used when
configuring and documenting interfaces.
2. Which two pieces of information are required when creating a standard
access control list? (Choose two.)
▪ access list number between 1 and 99
▪ source address and wildcard mask
▪ destination address and wildcard mask
▪ subnet mask and wildcard mask
▪ access list number between 100 and 199
Explanation: Standard ACLs can be numbered 1 to 99 and 1300 to 1999.
Standard IP ACLs filter only on the source IP address.
3. What two steps provide the quickest way to completely remove an ACL
from a router? (Choose two.)
▪ Removal of the ACEs is the only step required.
▪ Modify the number of the ACL so that it doesn’t match the ACL
associated with the interface.
▪ Copy the ACL into a text editor, add no before each ACE, then copy the
ACL back into the router.
▪ Remove the inbound/outbound reference to the ACL from the
interface.
▪ Use the no access-list command to remove the entire ACL.
▪ Use the no keyword and the sequence number of every ACE within the
named ACL to be removed.
Explanation: Completely removing an ACL from a router requires two steps:
removing the actual ACL with the no access-list command, and removing the
association of the ACL from the appropriate interface.
4. Which two types of addresses should be denied inbound on a router
interface that attaches to the Internet? (Choose two.)
▪ private IP addresses
▪ any IP address that starts with the number 127
▪ any IP address that starts with the number 1
▪ NAT translated IP addresses
▪ public IP addresses
Explanation: The following addresses should not be permitted inbound from
the Internet in order to mitigate IP spoofing and DoS attacks:
All zero address
Broadcast addresses
Local host addresses that start with 127
Reserved private addresses
IP multicast addresses
5. In the creation of an IPv6 ACL, what is the purpose of the implicit final
command entries, permit icmp any any nd-na and permit icmp any any nd-ns?
▪ to allow forwarding of ICMPv6 packets
▪ to allow automatic address configuration
▪ to allow IPv6 to MAC address resolution
▪ to allow forwarding of IPv6 multicast packets
Explanation: IPv6 address to MAC address resolution is performed through
the exchange of ICMPv6 neighbor discovery packets comprised of neighbor
solicitation and neighbor advertisement packets. Unless these packets are
permitted on a router interface, the interface will not be able to perform MAC
address resolution.
6. What two statements describe characteristics of IPv6 access control lists?
(Choose two.)
▪ They permit ICMPv6 router advertisements by default.
▪ They can be named or numbered.
▪ They include two implicit permit statements by default.
▪ They are applied to an interface with the ip access-group command.
▪ They use prefix lengths to indicate how much of an address to match.
Explanation: IPv6 access lists have distinct characteristics that are different
than IPv4 access lists:
They use prefix lengths instead of wildcard masks to match network bits.
They permit two ICMPv6 message types: neighbor solicitations and neighbor
advertisements by default.
They are only created as named access lists.
They use the command ipv6 traffic-filter when applied to an interface.
7. Refer to the exhibit. A network administrator created an IPv6 ACL to
block the Telnet traffic from the 2001:DB8:CAFE:10::/64 network to the
2001:DB8:CAFE:30::/64 network. What is a command the administrator
could use to allow only a single host 2001:DB8:CAFE:10::A/64 to telnet to
the 2001:DB8:CAFE:30::/64 network?
▪ permit tcp 2001:DB8:CAFE:10::A/64 2001:DB8:CAFE:30::/64 eq 23
▪ permit tcp 2001:DB8:CAFE:10::A/64 eq 23 2001:DB8:CAFE:30::/64
▪ permit tcp host 2001:DB8:CAFE:10::A eq 23 2001:DB8:CAFE:30::/64
▪ permit tcp host 2001:DB8:CAFE:10::A 2001:DB8:CAFE:30::/64 eq 23
sequence 5
Explanation: When an IPv6 ACE is created and is to be processed before an
existing ACE is processed, the next command entered must use the sequence
argument with a number lower than the existing ACE. This allows an entry to
be placed before an existing entry, as the default sequence numbers are
commonly numbered by increments of 10. Thus, using a sequence number of
5 on an ACE will place it in front of a prior existing entry with a sequence
number of 10.
8. When implementing components into an enterprise network, what is the
purpose of a firewall?
▪ A firewall is a system that inspects network traffic and makes forwarding
decisions based solely on Layer 2 Ethernet MAC addresses.
▪ A firewall is a system that is designed to secure, monitor, and manage
mobile devices, including corporate-owned devices and employee-
owned devices.
▪ A firewall is a system that stores vast quantities of sensitive and
business-critical information.
▪ A firewall is a system that enforces an access control policy between
internal corporate networks and external networks.
Explanation: A firewall is a system that enforces an access control policy and
prevents the exposure of sensitive hosts, resources, and applications to
untrusted users.
9. What are two possible limitations of using a firewall in a network?
(Choose two.)
▪ It provides accessibility of applications and sensitive resources to
external untrusted users.
▪ It increases security management complexity by requiring off-loading
network access control to the device.
▪ A misconfigured firewall can create a single point of failure.
▪ Network performance can slow down.
▪ It cannot sanitize protocol flows.
Explanation: Firewalls have some limitations:
– A misconfigured firewall can have serious consequences for the network,
such as becoming a single point of failure.
– The data from many applications cannot be passed over firewalls securely.
– Users might proactively search for ways around the firewall to receive
blocked material, which exposes the network to potential attack.
– Network performance can slow down.
– Unauthorized traffic can be tunneled or hidden as legitimate traffic through
the firewall.
10. Which type of firewall makes use of a proxy server to connect to remote
servers on behalf of clients?
▪ stateful firewall
▪ stateless firewall
▪ packet filtering firewall
▪ application gateway firewall
Explanation: An application gateway firewall, also called a proxy firewall,
filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy
server to connect to remote servers on behalf of clients. Remote servers will
see only a connection from the proxy server, not from the individual clients.
11. How does a firewall handle traffic when it is originating from the public
network and traveling to the private network?
▪ Traffic that is originating from the public network is not inspected when
traveling to the private network.
▪ Traffic that is originating from the public network is usually blocked
when traveling to the private network.
▪ Traffic that is originating from the public network is usually permitted
with little or no restrictions when traveling to the private network.
▪ Traffic that is originating from the public network is selectively permitted
when traveling to the private network.
Explanation: When traffic is originating from the public network it will usually
be blocked when traveling to the private network. Traffic that originates from
the private network will be selectively allowed to be returned to the public
network.
12. Which two statements describe the two configuration models for Cisco
IOS firewalls? (Choose two.)
▪ ZPF must be enabled in the router configuration before enabling an IOS
Classic Firewall.
▪ The IOS Classic Firewall and ZPF cannot be combined on a single
interface.
▪ IOS Classic Firewalls and ZPF models can be enabled on a router
concurrently.
▪ Both IOS Classic Firewall and ZPF models require ACLs to define traffic
filtering policies.
▪ IOS Classic Firewalls must be enabled in the router configuration before
enabling ZPF.
Explanation: There are two configuration models for Cisco IOS Firewalls, IOS
Classic Firewalls and zone-based policy firewalls (ZPF). Both configuration
models can be enabled concurrently on a router but they cannot be combined
on a single interface. One benefit of using ZPF is that ZPF is not dependent on
ACLs.
13. Designing a ZPF requires several steps. Which step involves dictating
the number of devices between most-secure and least-secure zones and
determining redundant devices?
▪ determine the zones
▪ design the physical infrastructure
▪ establish policies between zones
▪ identify subsets within zones and merge traffic requirements
Explanation: Designing ZPFs involves several steps:
Step 1. Determine the zones – The administrator focuses on the separation of
the network into zones. Zones establish the security borders of a network.
Step 2. Establish policies between zones – For each pair of “source-
destination” zones, define the sessions that clients in the source zones can
request from servers in destination zones.
Step 3. Design the physical infrastructure – After the zones have been
identified, and the traffic requirements between them documented, the
administrator must design the physical infrastructure. This includes dictating
the number of devices between most-secure and least-secure zones and
determining redundant devices.
Step 4. Identify subsets within zones and merge traffic requirements – For
each firewall device in the design, the administrator must identify zone subsets
that are connected to its interfaces and merge the traffic requirements for
those zones.
14. When a Cisco IOS zone-based policy firewall is being configured, which
three actions can be applied to a traffic class? (Choose three.)
▪ pass
▪ shape
▪ reroute
▪ queue
▪ inspect
▪ drop
Explanation: The inspect CCP action is similar to the classic firewall ip
inspect command in that it inspects traffic going through the firewall and
allows return traffic that is part of the same flow to pass through the firewall.
The drop action is similar to the deny parameter in an ACL. This action drops
whatever traffic fits the defined policy. The pass action is similar to a permit
ACL statement: traffic is allowed to pass through because it met the criteria of
the defined policy statement.
15. When using Cisco IOS zone-based policy firewall, where is the inspection
policy applied?
▪ to a global service policy
▪ to a zone
▪ to an interface
▪ to a zone pair
Explanation: After configuring the firewall policy, apply the policy to traffic that
would flow between a pair of zones. Use the zone-pair security command in
global configuration mode.
16. What is the first step in configuring a Cisco IOS zone-based policy
firewall via the CLI?
▪ Define traffic classes.
▪ Assign router interfaces to zones.
▪ Define firewall policies.
▪ Assign policy maps to zone pairs.
▪ Create zones.
Explanation: The steps for configuring a Cisco IOS zone-based policy firewall
are as follows:
1. Create zones.
2. Define traffic classes.
3. Define firewall policies.
4. Apply policy maps to zone pairs.
5. Assign router interfaces to zones.
17. What is one benefit of using a stateful firewall instead of a proxy server?
▪ ability to perform user authentication
▪ better performance
▪ ability to perform packet filtering
▪ prevention of Layer 7 attacks
Explanation: A stateful firewall performs better than a proxy server. A stateful
firewall cannot authenticate users or prevent Layer 7 attacks. Both a stateful
firewall and a proxy server can filter packets.
18. Which statement describes a typical security policy for a DMZ firewall
configuration?
▪ Traffic that originates from the DMZ interface is selectively permitted
to the outside interface.
▪ Return traffic from the inside that is associated with traffic originating
from the outside is permitted to traverse from the inside interface to
the outside interface.
▪ Return traffic from the outside that is associated with traffic originating
from the inside is permitted to traverse from the outside interface to
the DMZ interface.
▪ Traffic that originates from the inside interface is generally blocked
entirely or very selectively permitted to the outside interface.
▪ Traffic that originates from the outside interface is permitted to traverse
the firewall to the inside interface with few or no restrictions.
Explanation: With a three interface firewall design that has internal, external,
and DMZ connections, typical configurations include the following:
Traffic originating from the DMZ destined for the internal network is normally
blocked.
Traffic originating from the DMZ destined for external networks is typically
permitted based on what services are being used in the DMZ.
Traffic originating from the internal network destined for the DMZ is normally
inspected and allowed to return.
Traffic originating from external networks (the public network) is typically
allowed in the DMZ only for specific services.
19. What is one limitation of a stateful firewall?
▪ weak user authentication
▪ cannot filter unnecessary traffic
▪ not as effective with UDP- or ICMP-based traffic
▪ poor log information
Explanation: Limitations of stateful firewalls include the following:
Stateful firewalls cannot prevent application layer attacks.
Protocols such as UDP and ICMP are not stateful and do not generate
information needed for a state table.
An entire range of ports must sometimes be opened in order to support
specific applications that open multiple ports.
Stateful firewalls lack user authentication.
20. Which statement describes Cisco IOS Zone-Based Policy Firewall
operation?
▪ The pass action works in only one direction.
▪ Router management interfaces must be manually assigned to the self
zone.
▪ A router interface can belong to multiple zones.
▪ Service policies are applied in interface configuration mode.
Explanation: The pass action allows traffic only in one direction. Interfaces
automatically become members of the self zone. Interfaces are assigned to
zones in interface configuration mode, but most configuration takes place in
global configuration mode and associated submodes. Interfaces can belong to
only one zone at any time.
21. What is the result in the self zone if a router is the source or destination
of traffic?
▪ No traffic is permitted.
▪ All traffic is permitted.
▪ Only traffic that originates in the router is permitted.
▪ Only traffic that is destined for the router is permitted.
Explanation: All traffic is permitted in the self zone if the traffic originates from,
or is destined for, the router.
22. What are two characteristics of ACLs? (Choose two.)
▪ Extended ACLs can filter on destination TCP and UDP ports.
▪ Standard ACLs can filter on source TCP and UDP ports.
▪ Extended ACLs can filter on source and destination IP addresses.
▪ Standard ACLs can filter on source and destination IP addresses.
▪ Standard ACLs can filter on source and destination TCP and UDP ports.
Explanation: Standard ACLs can only filter on source addresses. That is why
they are normally placed closest to the destination. Extended ACLs can filter
on source and destination IP addresses, port numbers, and specific message
types within a particular protocol such as echo request within the ICMP
protocol.
23. Which three statements describe ACL processing of packets? (Choose
three.)
▪ An implicit deny any rejects any packet that does not match any ACE.
▪ A packet can either be rejected or forwarded as directed by the ACE
that is matched.
▪ A packet that has been denied by one ACE can be permitted by a
subsequent ACE.
▪ A packet that does not match the conditions of any ACE will be
forwarded by default.
▪ Each statement is checked only until a match is detected or until the
end of the ACE list.
▪ Each packet is compared to the conditions of every ACE in the ACL
before a forwarding decision is made.
Explanation: When a packet comes into a router that has an ACL configured
on the interface, the router compares the condition of each ACE to determine if
the defined criteria have been met. If met, the router takes the action defined in
the ACE (allows the packet through or discards it). If the defined criteria have
not been met, the router proceeds to the next ACE. An implicit deny any
statement is at the end of every standard ACL.
24. A network administrator configures an ACL with the command
R1(config)# access-list 1 permit 172.16.0.0 0.0.15.255. Which two IP
addresses will match this ACL statement? (Choose two.)
▪ 172.16.0.255
▪ 172.16.15.36
▪ 172.16.16.12
▪ 172.16.31.24
▪ 172.16.65.21
Explanation: The wildcard mask indicates that any IP address within the range
of 172.16.0.0 to 172.16.15.255 matches.
25. What single access list statement matches all of the following networks?
▪ 192.168.16.0
▪ 192.168.17.0
▪ 192.168.18.0
▪ 192.168.19.0
▪ access-list 10 permit 192.168.16.0 0.0.3.255
▪ access-list 10 permit 192.168.16.0 0.0.0.255
▪ access-list 10 permit 192.168.16.0 0.0.15.255
▪ access-list 10 permit 192.168.0.0 0.0.15.255
Explanation: The ACL statement access-list 10 permit 192.168.16.0 0.0.3.255
will match all four network prefixes. All four prefixes have the same 22 high
order bits. These 22 high order bits are matched by the network prefix and
wildcard mask of 192.168.16.0 0.0.3.255.
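The three explanations above (questions 23 to 25) describe wildcard-mask matching, top-down first-match processing and the implicit deny at the end of a standard ACL. The following simulator is an added example, not part of the original quiz or of Cisco IOS; it reproduces those rules in Python so the answers can be checked rather than taken on trust. All ACEs and addresses in it are constructed for the example (the host and any shorthands from question 28 are modelled as a wildcard of 0.0.0.0 and a match-all entry respectively).

```python
"""Added example: a simulator for Cisco-style standard IPv4 ACL processing.

Shows:
  * how a wildcard mask selects which address bits must match
    (0 bit = must match, 1 bit = don't care);
  * top-down, first-match processing: the first matching ACE decides, so a
    packet denied by an earlier ACE is never permitted by a later one;
  * the implicit "deny any" at the end of every ACL.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard using Cisco wildcard semantics.

    A wildcard bit of 0 means the address bit must equal the network bit; a
    wildcard bit of 1 means the bit is ignored.  Masking away the don't-care
    bits and comparing is therefore the whole test.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)


def matching_range(network: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address covered by a network/wildcard pair."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    low = to_int(network) & care
    high = low | to_int(wildcard)
    return str(IPv4Address(low)), str(IPv4Address(high))


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    network: str                 # dotted address, or "any" (= 0.0.0.0 255.255.255.255)
    wildcard: str = "0.0.0.0"    # default models the "host <addr>" shorthand

    def matches(self, addr: str) -> bool:
        if self.network == "any":
            return True
        return wildcard_match(addr, self.network, self.wildcard)


def evaluate(acl: List[ACE], src: str) -> Tuple[str, Optional[int]]:
    """Process a standard ACL top-down against a packet's source address.

    Returns (action, index of the matching ACE).  An index of None means the
    packet matched no ACE and was dropped by the implicit deny any.
    """
    for i, ace in enumerate(acl):
        if ace.matches(src):
            return ace.action, i          # first match wins; stop here
    return "deny", None                    # implicit deny any


# Constructed ACLs for the examples in questions 24 and 25.
ACL_Q24 = [ACE("permit", "172.16.0.0", "0.0.15.255")]
ACL_Q25 = [ACE("permit", "192.168.16.0", "0.0.3.255")]

# Constructed ACL showing first-match ordering: the host deny sits above the
# subnet permit, so 192.168.5.5 is denied even though the permit also matches.
ACL_ORDER = [
    ACE("deny", "192.168.5.5"),                 # host 192.168.5.5
    ACE("permit", "192.168.5.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for ip in ["172.16.0.255", "172.16.15.36", "172.16.16.12",
               "172.16.31.24", "172.16.65.21"]:
        print(f"Q24 {ip:15} -> {evaluate(ACL_Q24, ip)}")
    print("Q24 range:", matching_range("172.16.0.0", "0.0.15.255"))
    for ip in ["192.168.16.1", "192.168.19.254", "192.168.20.1"]:
        print(f"Q25 {ip:15} -> {evaluate(ACL_Q25, ip)}")
    for ip in ["192.168.5.5", "192.168.5.6", "10.0.0.1"]:
        print(f"order {ip:13} -> {evaluate(ACL_ORDER, ip)}")
```

Running the script prints each candidate address with the action and the ACE index that decided it; the tuple `('deny', None)` marks packets that reached the implicit deny. The `matching_range` helper is the quickest way to see what a wildcard covers: 0.0.15.255 on 172.16.0.0 yields 172.16.0.0 through 172.16.15.255, which is exactly the range quoted in the question 24 explanation.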
26. Which two characteristics are shared by both standard and extended
ACLs? (Choose two.)
▪ Both kinds of ACLs can filter based on protocol type.
▪ Both can permit or deny specific services by port number.
▪ Both include an implicit deny as a final statement.
▪ Both filter packets for a specific destination host IP address.
▪ Both can be created by using either a descriptive name or number.
Explanation: Standard ACLs filter traffic based solely on a specified source IP
address. Extended ACLs can filter by source or destination, protocol, or port.
Both standard and extended ACLs contain an implicit deny as a final
statement. Standard and extended ACLs can be identified by either names or
numbers.
27. Refer to the exhibit. What is the result of adding the established
argument to the end of the ACE?
▪ Any traffic is allowed to reach the 192.168.254.0 255.255.254.0 network.
▪ Any IP traffic is allowed to reach the 192.168.254.0 255.255.254.0
network as long as it is in response to an originated request.
▪ 192.168.254.0 /23 traffic is allowed to reach any network.
▪ Any TCP traffic is allowed to reach the 192.168.254.0 255.255.254.0
network if it is in response to an originated request.
Explanation: The established argument allows TCP return traffic from
established connections to be sent on an outgoing interface to a network.
28. Which two keywords can be used in an access control list to replace a
wildcard mask or address and wildcard mask pair? (Choose two.)
▪ most
▪ host
▪ all
▪ any
▪ some
▪ gt
Explanation: The host keyword is used when a specific device IP address is
needed in an ACL. For example, the deny host 192.168.5.5 command is the
same as the deny 192.168.5.5 0.0.0.0 command. The any keyword matches any
address. For example, the permit any command is the same as the permit
0.0.0.0 255.255.255.255 command.
29. If the provided ACEs are in the same ACL, which ACE should be listed
first in the ACL according to best practice?
▪ permit ip any any
▪ permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
▪ permit tcp 172.16.0.0 0.0.3.255 any established
▪ permit udp any any range 10000 20000
▪ deny udp any host 172.16.1.5 eq snmptrap
▪ deny tcp any any eq telnet
Explanation: A best practice for configuring an extended ACL is to ensure that
the most specific ACE is placed higher in the ACL. Consider the two permit
UDP statements. If both of these were in an ACL, the SNMP ACE is more
specific than the UDP statement that permits a range of 10,001 UDP port
numbers. The SNMP ACE would be entered before the other UDP ACE. The
ACEs from most specific to least specific are as follows:
permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
deny udp any host 172.16.1.5 eq snmptrap
permit tcp 172.16.0.0 0.0.3.255 any established
deny tcp any any eq telnet
permit udp any any range 10000 20000
permit ip any any
30. To facilitate the troubleshooting process, which inbound ICMP message
should be permitted on an outside interface?
▪ echo request
▪ echo reply
▪ time-stamp request
▪ time-stamp reply
▪ router advertisement
Explanation: By allowing the ICMP echo reply message inbound to the
organization, internal users are allowed to ping external addresses (and the
reply message allowed to return).
31. A security specialist designs an ACL to deny access to a web server from
all sales staff. The sales staff are assigned addressing from the IPv6 subnet
2001:db8:48:2c::/64. The web server is assigned the address
2001:db8:48:1c::50/64. Configuring the WebFilter ACL on the LAN interface
for the sales staff will require which three commands? (Choose three.)
▪ permit tcp any host 2001:db8:48:1c::50 eq 80
▪ deny tcp host 2001:db8:48:1c::50 any eq 80
▪ deny tcp any host 2001:db8:48:1c::50 eq 80
▪ permit ipv6 any any
▪ deny ipv6 any any
▪ ip access-group WebFilter in
▪ ipv6 traffic-filter WebFilter in
Explanation: The ACL requires an ACE denying Telnet access from all users
in the LAN to the file server at 2001:db8:48:1c::50/64. The IPv6 ACL also has
an implicit deny, so a permit statement is required to allow all other traffic. With
IPv6, the ipv6 traffic-filter command is used to bind the ACL to the interface.
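Questions 5, 6, 7 and 31 all turn on two ways IPv6 ACLs differ from IPv4 ones: matching uses a prefix length rather than a wildcard mask, and every IPv6 ACL ends with implicit entries that permit neighbor discovery before the implicit deny. The evaluator below is an added example, not part of the original quiz or of Cisco IOS. It uses the addresses from question 31 and constructed packets, and it models the host, any and prefix/length address forms so the difference between host 2001:DB8:CAFE:10::A and 2001:DB8:CAFE:10::A/64 from question 7 can be checked as well.

```python
"""Added example: first-match evaluation of an IPv6 traffic filter.

Models the three implicit entries IOS appends to every IPv6 ACL, in order:
    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any
so neighbor discovery keeps working unless an explicit deny ipv6 any any
is configured ahead of them.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # TCP/UDP destination port
    icmp_type: Optional[str] = None   # e.g. "nd-na", "nd-ns", "echo-request"


def prefix_match(addr: str, spec: str) -> bool:
    """IPv6 ACE address specifier: 'any', 'host <addr>' or '<prefix>/<len>'.

    A host address written with /64 (as in question 7) is treated as the
    whole /64, which is why the host keyword exists.
    """
    if spec == "any":
        return True
    if spec.startswith("host "):
        return IPv6Address(addr) == IPv6Address(spec[5:])
    return IPv6Address(addr) in IPv6Network(spec, strict=False)


@dataclass(frozen=True)
class ACE:
    action: str                       # "permit" or "deny"
    proto: str                        # "ipv6" matches every protocol
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ipv6", pkt.proto)
            and prefix_match(pkt.src, self.src)
            and prefix_match(pkt.dst, self.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.icmp_type is None or self.icmp_type == pkt.icmp_type)
        )


IMPLICIT = [
    ACE("permit", "icmp", "any", "any", icmp_type="nd-na"),
    ACE("permit", "icmp", "any", "any", icmp_type="nd-ns"),
    ACE("deny", "ipv6", "any", "any"),
]


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, str]:
    """First match wins.  Returns (action, 'explicit' | 'implicit')."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action, "explicit"
    for ace in IMPLICIT:
        if ace.matches(pkt):
            return ace.action, "implicit"
    raise AssertionError("unreachable: implicit deny ipv6 any any matches everything")


WEB = "2001:db8:48:1c::50"
SALES_HOST = "2001:db8:48:2c::10"           # constructed host in the sales /64
SOLICITED_NODE = "ff02::1:ff00:50"           # constructed ND target group

# The WebFilter ACL from question 31 (deny HTTP to the web server, permit the rest).
WEBFILTER = [
    ACE("deny", "tcp", "any", f"host {WEB}", dport=80),
    ACE("permit", "ipv6", "any", "any"),
]
# Same ACL without the explicit permit: everything else hits the implicit deny.
WEBFILTER_NO_PERMIT = WEBFILTER[:1]
# Ending with an explicit deny ipv6 any any shadows the implicit ND permits.
WEBFILTER_EXPLICIT_DENY = WEBFILTER[:1] + [ACE("deny", "ipv6", "any", "any")]

if __name__ == "__main__":
    http = Packet(SALES_HOST, WEB, "tcp", dport=80)
    https = Packet(SALES_HOST, WEB, "tcp", dport=443)
    nd_ns = Packet(SALES_HOST, SOLICITED_NODE, "icmp", icmp_type="nd-ns")
    for name, acl in [("WebFilter", WEBFILTER), ("no permit", WEBFILTER_NO_PERMIT),
                      ("explicit deny", WEBFILTER_EXPLICIT_DENY)]:
        for pkt in (http, https, nd_ns):
            print(f"{name:14} {pkt.proto}/{pkt.dport or pkt.icmp_type:<12} -> {evaluate(acl, pkt)}")
```

The script prints the decision for HTTP, HTTPS and a neighbor solicitation under each of the three ACL variants. The "explicit deny" variant is the one to watch: its last ACE matches the neighbor solicitation before the implicit nd-ns permit is reached, so hosts on that interface lose address resolution, which is the reason the explanation for question 31 asks for a permit ipv6 any any rather than a trailing deny.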
32. What are two characteristics of a stateful firewall? (Choose two.)
▪ uses static packet filtering techniques
▪ uses connection information maintained in a state table
▪ analyzes traffic at Layers 3, 4 and 5 of the OSI model
▪ uses complex ACLs which can be difficult to configure
▪ prevents Layer 7 attacks
Explanation: Stateful firewalls are the most versatile and the most common
firewall technologies in use. Stateful firewalls provide stateful packet filtering
by using connection information maintained in a state table. Stateful filtering is
a firewall architecture that is classified at the network layer. It also analyzes
traffic at OSI Layers 4 and 5. Stateful firewalls cannot prevent application layer
attacks because they do not examine the actual contents of an HTTP
connection.
33. What are two differences between stateful and stateless firewalls?
(Choose two.)
▪ A stateless firewall is able to filter sessions that use dynamic port
negotiations while a stateful firewall cannot.
▪ A stateless firewall will examine each packet individually while a
stateful firewall observes the state of a connection.
▪ A stateless firewall will provide more logging information than a stateful
firewall.
▪ A stateful firewall will prevent spoofing by determining whether
packets belong to an existing connection while a stateless firewall
follows pre-configured rule sets.
▪ A stateless firewall provides more stringent control over security than a
stateful firewall.
Explanation: There are many differences between a stateless and stateful
firewall.
Stateless firewalls:
are susceptible to IP spoofing
do not reliably filter fragmented packets
use complex ACLs, which can be difficult to implement and maintain
cannot dynamically filter certain services
examine each packet individually rather than in the context of the state of a
connection
Stateful firewalls:
are often used as a primary means of defense by filtering unwanted,
unnecessary, or undesirable traffic
strengthen packet filtering by providing more stringent control over security
improve performance over packet filters or proxy servers
defend against spoofing and DoS attacks by determining whether packets
belong to an existing connection or are from an unauthorized source
provide more log information than a packet filtering firewall
34. When implementing a ZPF, what is the default security setting when
forwarding traffic between two interfaces in the same zone?
▪ Traffic between interfaces in the same zone is selectively forwarded
based on Layer 3 information.
▪ Traffic between interfaces in the same zone is not subject to any
policy and passes freely.
▪ Traffic between interfaces in the same zone is blocked.
▪ Traffic between interfaces in the same zone is selectively forwarded
based on the default policy restrictions.
Explanation: A zone-based policy firewall uses the concept of zones to specify
where firewall rules and policies should be applied. By default, the traffic
between interfaces that exist in the same zone is not subject to any policy and
passes freely.
35. Which two rules about interfaces are valid when implementing a Zone-
Based Policy Firewall? (Choose two.)
▪ If neither interface is a zone member, then the action is to pass traffic.
▪ If one interface is a zone member, but the other is not, all traffic will be
passed.
▪ If both interfaces belong to the same zone-pair and a policy exists, all
traffic will be passed.
▪ If both interfaces are members of the same zone, all traffic will be
passed.
▪ If one interface is a zone member and a zone-pair exists, all traffic will
be passed.
Explanation: The rules for traffic transiting through the router are as follows:
If neither interface is a zone member, then the resulting action is to pass the
traffic.
If both interfaces are members of the same zone, then the resulting action is to
pass the traffic.
If one interface is a zone member, but the other is not, then the resulting action
is to drop the traffic regardless of whether a zone-pair exists.
If both interfaces belong to the same zone-pair and a policy exists, then the
resulting action is inspect, allow, or drop as defined by the policy.
1. What are two characteristics of both IPS and IDS sensors? (Choose
two.)
▪ neither introduce latency or jitter
▪ both use signatures to detect patterns
▪ both are deployed inline in the data stream
▪ both can stop trigger packets
▪ both can detect atomic patterns
Explanation: IDS sensors work offline and are passive. They add very little
latency; however, they cannot stop trigger packets. An IPS can stop trigger
packets, but because it is installed inline it adds some latency and jitter
to the traffic.
2. What is an advantage of using an IPS?
▪ It is installed outside of the data traffic flow.
▪ It does not impact network traffic if there is a sensor overload.
▪ It can stop trigger packets.
▪ It has no impact on network latency.
Explanation: An IPS can stop trigger packets, but because it is installed
inline it adds some latency and jitter to the traffic. IDS sensors work offline
and are passive. They add very little latency; however, they cannot stop trigger
packets.
3. What is a characteristic of an IDS?
▪ It can affect network performance by introducing latency and jitter.
▪ It often requires assistance from other network devices to respond to
an attack.
▪ It is installed inline with the network traffic flow.
▪ It can be configured to drop trigger packets that are associated with a
connection.
Explanation: An IDS often requires assistance from other networking devices,
such as routers and firewalls, to respond to an attack.
4. What are two characteristics of an IPS operating in promiscuous mode?
(Choose two.)
▪ It can stop malicious traffic from reaching the intended target for all
types of attacks.
▪ It sits directly in the path of the traffic flow.
▪ It requires the assistance of another network device to respond to an
attack.
▪ It does not impact the flow of packets in forwarded traffic.
▪ It sends alerts and drops any malicious packets.
Explanation: An advantage of an IPS operating in promiscuous mode is that
the sensor does not affect the packet flow with the forwarded traffic. A
disadvantage is that the sensor cannot stop malicious traffic from reaching its
intended target for certain types of attacks, such as atomic attacks (single-
packet attacks).
5. Which tool can perform real-time traffic and port analysis, and can also
detect port scans, fingerprinting and buffer overflow attacks?
▪ SIEM
▪ Nmap
▪ Snort
▪ Netflow
Explanation: Snort is an open source intrusion protection system (IPS) that is
capable of performing real-time traffic and port analysis, packet logging,
content searching and matching, as well as detecting probes, attacks, port
scans, fingerprinting, and buffer overflow attacks.
6. Which Snort IPS feature enables a router to download rule sets directly
from cisco.com or snort.org?
▪ Snort rule set pull
▪ Signature allowed listing
▪ Snort rule set push
▪ Snort rule set updates
Explanation: With the Snort rule set pull feature, a router can download rule
sets directly from cisco.com or snort.org to a local server. The download can
occur using one-time commands or periodic automated updates.
7. What is a minimum system requirement to activate Snort IPS
functionality on a Cisco router?
▪ at least 4 GB RAM
▪ at least 4 GB flash
▪ ISR 2900 or higher
▪ K9 license
Explanation: The requirements to run Snort IPS include ISR 4300 or higher,
K9 license, 8 GB RAM, and 8 GB flash.
8. What is PulledPork?
▪ an open source network IPS that performs real-time traffic analysis and
generates alerts when threats are detected on IP networks
▪ a centralized management tool to push the rule sets based on
preconfigured policy, to Cisco routers
▪ a virtual service container that runs on the Cisco ISR router operating
system
▪ a rule management application that can be used to automatically
download Snort rule updates
Explanation: PulledPork is a rule management application that can be used to
automatically download Snort rule updates. Using PulledPork requires an
authorization code, called an oinkcode, obtained from a snort.org account.
9. What are two actions that an IPS can perform whenever a signature
detects the activity for which it is configured? (Choose two.)
▪ disable the link
▪ reconverge the network
▪ drop or prevent the activity
▪ allow the activity
▪ restart the infected device
Explanation: Depending on the signature type and the platform, whenever a
signature detects the activity for which it is configured the IPS may:
log the activity
drop or prevent the activity
reset a TCP connection
block future activity
allow the activity
10. Which IPS signature trigger category uses a decoy server to divert
attacks away from production devices?
▪ honey pot-based detection
▪ policy-based detection
▪ pattern-based detection
▪ anomaly-based detection
Explanation: Honey pot-based detection uses a decoy server to attract attacks
and to divert attacks away from production devices. Use of a honey pot can
give administrators time to analyze incoming attacks and malicious traffic
patterns to tune sensor signatures.
11. What situation will generate a true negative IPS alarm type?
▪ normal traffic that generates a false alarm
▪ a verified security incident that is detected
▪ a known attack that is not detected
▪ normal traffic that is correctly being ignored and forwarded
Explanation: The true negative alarm type is used when normal network traffic
flows through an interface. Normal traffic should not, and does not generate an
actual alarm. A true negative indicates that benign normal traffic is correctly
being ignored and forwarded without generating an alert.
12. Match each intrusion protection service with the description.
13. Match each Snort IPS rule action with the description.
14. What is provided by the fail open and close functionality of Snort IPS?
▪ provides the ability to automatically disable problematic signatures that
routinely cause false positives and pass traffic
▪ blocks the traffic flow or bypasses IPS checking in the event of an IPS
engine failure
▪ keeps Snort current with the latest threat protection and term-based
subscriptions
▪ keeps track of the health of the Snort engine that is running in the
service container
Explanation: The Snort IPS fail open and close functionality can be configured
to block the traffic flow or to bypass IPS checking in the event of IPS engine
failure.
15. What is a characteristic of the Community Rule Set type of Snort term-
based subscriptions?
▪ it has 60-day delayed access to updated signatures
▪ it uses Cisco Talos to provide coverage in advance of exploits
▪ it is fully supported by Cisco
▪ it is available for free
Explanation: There are two types of Snort term-based subscriptions:
Community Rule Set – Available for free and provides limited coverage against
threats. There is also a 30-day delayed access to updated signatures and
there is no Cisco customer support available.
Subscriber Rule Set – Available for a fee and provides the best protection
against threats. It includes coverage in advance of exploits by using the
research work of the Cisco Talos security experts. This subscription is fully
supported by Cisco.
16. What is a characteristic of the connectivity policy setting when
configuring Snort threat protection?
▪ it attempts to balance network security with network performance
▪ it prioritizes security over connectivity
▪ it provides the lowest level of protection
▪ it enables the highest number of signatures to be verified
Explanation: One of the functionalities of Snort IPS is that it provides three
levels of signature protection.
Connectivity – The least secure option.
Balanced – The mid-range option of security.
Security – The most secure option.
17. What is contained in an OVA file?
▪ a current compilation of known threats and prevention mechanisms
▪ an installable version of a virtual machine
▪ a list of atomic and composite signatures
▪ a set of rules for an IDS or IPS to detect intrusion activity
Explanation: Step 1 of the configuration of Snort IPS is to download an Open
Virtualization Archive (OVA) file. This file contains a compressed, installable
version of a virtual machine.
18. What is a network tap?
▪ a Cisco technology that provides statistics on packets flowing through a
router or multilayer switch
▪ a technology used to provide real-time reporting and long-term analysis
of security events
▪ a feature supported on Cisco switches that enables the switch to copy
frames and forward them to an analysis device
▪ a passive device that forwards all traffic and physical layer errors to
an analysis device
Explanation: A network tap is used to capture traffic for monitoring the
network. The tap is typically a passive splitting device implemented inline on
the network and forwards all traffic, including physical layer errors, to an
analysis device.
19. Which statement describes the function of the SPAN tool used in a Cisco
switch?
▪ It is a secure channel for a switch to send logging to a syslog server.
▪ It provides interconnection between VLANs over multiple switches.
▪ It supports the SNMP trap operation on a switch.
▪ It copies the traffic from one switch port and sends it to another
switch port that is connected to a monitoring device.
Explanation: To analyze network traffic passing through a switch, switched
port analyzer (SPAN) can be used. SPAN can send a copy of traffic from one
port to another port on the same switch where a network analyzer or
monitoring device is connected. SPAN is not required for syslog or SNMP.
SPAN is used to mirror traffic, while syslog and SNMP are configured to send
data directly to the appropriate server.
20. A network administrator is trying to download a valid file from an
internal server. However, the process triggers an alert on a NMS tool. What
condition describes this alert?
▪ false negative
▪ false positive
▪ true negative
▪ true positive
Explanation: Alerts can be classified as follows:
True Positive: The alert has been verified to be an actual security incident.
False Positive: The alert does not indicate an actual security incident. Benign
activity that results in a false positive is sometimes referred to as a benign
trigger.
An alternative situation is that an alert was not generated. The absence of an
alert can be classified as:
True Negative: No security incident has occurred. The activity is benign.
False Negative: An undetected incident has occurred.
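The four alert categories above, combined with the pattern-based detection of question 10, can be seen in a small detector. The following Python is an added example, not code from the original page or from any Cisco product: the three signatures, the request lines and their ground-truth labels are all constructed for the illustration.

```python
import re
from collections import Counter

# Constructed pattern-based signatures, the kind a signature-based IPS matches
# against packet or request content.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)union\W+select|'\s*or\s+1=1"),
    "path-traversal": re.compile(r"\.\./\.\./"),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),
}

# Constructed request lines with ground truth (True = actually an attack).
EVENTS = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /search?q=' OR 1=1-- HTTP/1.1", True),
    ("GET /../../etc/passwd HTTP/1.1", True),
    ("GET /docs/union-select-guide.pdf HTTP/1.1", False),           # benign trigger
    ("GET /cgi-bin/status HTTP/1.1 User-Agent: () { :; }; /bin/id", True),
    ("POST /login user=alice HTTP/1.1", False),
    ("GET /admin?cmd=;cat+/etc/shadow HTTP/1.1", True),            # no signature for it
]

def detect(line):
    """Return the name of the first signature that fires on the line, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(line):
            return name
    return None

def classify(alerted, malicious):
    """Map (alert fired?, really malicious?) to the four IPS alarm types."""
    if alerted:
        return "true positive" if malicious else "false positive"
    return "false negative" if malicious else "true negative"

def evaluate(events=EVENTS):
    """Run the detector over labelled events: one (line, signature, outcome) each."""
    results = []
    for line, malicious in events:
        sig = detect(line)
        results.append((line, sig, classify(sig is not None, malicious)))
    return results

def summary(events=EVENTS):
    """Count of each alarm type; the false positives are what signature tuning removes."""
    return Counter(outcome for _, _, outcome in evaluate(events))

if __name__ == "__main__":
    for line, sig, outcome in evaluate():
        print(f"{outcome:15} {sig or '-':15} {line}")
    print(dict(summary()))
```

Run as a script it prints one outcome per request. The fourth request, a benign document whose name happens to contain "union-select", is the benign trigger that yields a false positive; the last one is an attack with no matching signature, the false negative. Tuning a sensor means removing the former without creating more of the latter.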
21. What is an advantage of HIPS that is not provided by IDS?
▪ HIPS provides quick analysis of events through detailed logging.
▪ HIPS deploys sensors at network entry points and protects critical
network segments.
▪ HIPS monitors network processes and protects critical files.
▪ HIPS protects critical system resources and monitors operating
system processes.
Explanation: Network-based IDS (NIDS) sensors are typically deployed in
offline mode. They do not protect individual hosts. Host-based IPS (HIPS) is
software installed on a single host to monitor and analyze suspicious activity. It
can monitor and protect operating system and critical system processes that
are specific to that host. HIPS can be thought of as a combination of antivirus
software, antimalware software, and a firewall.
22. What information must an IPS track in order to detect attacks matching
a composite signature?
▪ the total number of packets in the attack
▪ the state of packets related to the attack
▪ the attacking period used by the attacker
▪ the network bandwidth consumed by all packets
Explanation: A composite signature is called a stateful signature. It identifies a
sequence of operations distributed across multiple hosts over an arbitrary
period of time. Because this type of attack involves multiple packets, an IPS
sensor must maintain the state information. However, an IPS sensor cannot
maintain the state information indefinitely. A composite signature is configured
with a time period to maintain the state for the specific attack when it is first
detected. Thus, an IPS may not be able to maintain all the information related
to an attack such as total number of packets, total length of attack time, and
the amount of bandwidth consumed by the attack.
Modules 13 – 14: Layer 2 and Endpoint Security Group Exam Answers Full
May 20, 2021 Last Updated: Aug 29, 2021 Network Security 1.0
Network Security (Version 1.0) Modules 13 – 14: Layer 2 and Endpoint Security Group Exam Answers
1. Why are traditional network security perimeters not suitable for the
latest consumer-based network endpoint devices?
▪ These devices are not managed by the corporate IT department.
▪ These devices pose no risk to security as they are not directly
connected to the corporate network.
▪ These devices connect to the corporate network through public wireless
networks.
▪ These devices are more varied in type and are portable.
Explanation: Traditional network security has two major focuses: (1) endpoint
protection using antivirus software and the personal firewall, and (2)
network border protection with firewalls, proxy servers, and network packet
scanning devices or software. This type of protection is not suited to the
newer endpoint devices, which are mobile, frequently access cloud storage, and
may be personally owned rather than managed by the corporate IT department.
2. What two internal LAN elements need to be secured? (Choose two.)
▪ edge routers
▪ IP phones
▪ fiber connections
▪ switches
▪ cloud-based hosts
Explanation: Internal network protection is just as important as securing the
network perimeter. Internal LAN elements can be broken up into endpoints
and network infrastructure devices. Common endpoints include laptops,
desktops, servers, and IP phones. LAN infrastructure devices include switches
and access points.
3. What are two examples of traditional host-based security measures?
(Choose two.)
▪ host-based IPS
▪ NAS
▪ 802.1X
▪ antimalware software
▪ host-based NAC
Explanation: Traditional host-based security measures include
antivirus/antimalware software, host-based IPS, and host-based firewall.
Antivirus and antimalware software detects and mitigates viruses and
malware. A host-based IPS is used to monitor and report on the system
configuration and application activity, security events, policy enforcement,
alerting, and rootkit detection. A host-based firewall restricts incoming and
outgoing connections for a particular host.
4. In an 802.1x deployment, which device is a supplicant?
▪ RADIUS server
▪ access point
▪ switch
▪ end-user station
Explanation: In 802.1X, the supplicant is the end-user device (such as a laptop)
that requests access to the LAN or WLAN through the authenticator.
5. A company implements 802.1X security on the corporate network. A PC is
attached to the network but has not authenticated yet. Which 802.1X state
is associated with this PC?
▪ err-disabled
▪ disabled
▪ unauthorized
▪ forwarding
Explanation: When a port is configured for 802.1X, the port starts in the
unauthorized state and stays that way until the client has successfully
authenticated.
6. An 802.1X client must authenticate before being allowed to pass data
traffic onto the network. During the authentication process, between which
two devices is the EAP data encapsulated into EAPOL frames? (Choose two.)
▪ data nonrepudiation server
▪ authentication server (TACACS)
▪ supplicant (client)
▪ authenticator (switch)
▪ ASA Firewall
Explanation: When a supplicant starts the 802.1X exchange, it sends an
EAPOL-Start message to the authenticator, which is the switch. EAP data
between the supplicant and the authenticator is encapsulated in EAPOL frames;
between the authenticator and the authentication server the same EAP data is
carried inside RADIUS messages.
7. Which command is used as part of the 802.1X configuration to designate
the authentication method that will be used?
▪ dot1x system-auth-control
▪ aaa authentication dot1x
▪ aaa new-model
▪ dot1x pae authenticator
Explanation: The aaa authentication dot1x default group radius command
specifies that RADIUS is used as the method for 802.1X port-based
authentication.
8. What is involved in an IP address spoofing attack?
▪ A rogue node replies to an ARP request with its own MAC address
indicated for the target IP address.
▪ Bogus DHCPDISCOVER messages are sent to consume all the
available IP addresses on a DHCP server.
▪ A rogue DHCP server provides false IP configuration parameters to
legitimate DHCP clients.
▪ A legitimate network IP address is hijacked by a rogue node.
Explanation: In an IP address spoofing attack, the IP address of a legitimate
network host is hijacked and used by a rogue node. This allows the rogue
node to pose as a valid node on the network.
9. At which layer of the OSI model does Spanning Tree Protocol operate?
▪ Layer 1
▪ Layer 2
▪ Layer 3
▪ Layer 4
Explanation: Spanning Tree Protocol (STP) is a Layer 2 technology for
preventing Layer 2 loops between redundant switch paths.
10. A network administrator uses the spanning-tree loopguard default
global configuration command to enable Loop Guard on switches. What
components in a LAN are protected with Loop Guard?
▪ All Root Guard enabled ports.
▪ All PortFast enabled ports.
▪ All point-to-point links between switches.
▪ All BPDU Guard enabled ports.
Explanation: Loop Guard can be enabled globally using the spanning-tree
loopguard default global configuration command. This enables Loop Guard
on all point-to-point links.
11. Which procedure is recommended to mitigate the chances of ARP
spoofing?
▪ Enable DHCP snooping on selected VLANs.
▪ Enable IP Source Guard on trusted ports.
▪ Enable DAI on the management VLAN.
▪ Enable port security globally.
Explanation: To mitigate the chances of ARP spoofing, these procedures are
recommended:
– Implement protection against DHCP spoofing by enabling DHCP snooping
globally.
– Enable DHCP snooping on selected VLANs.
– Enable DAI on selected VLANs.
– Configure trusted interfaces for DHCP snooping and ARP inspection.
Untrusted ports are configured by default.
12. Which two ports can send and receive Layer 2 traffic from a community
port on a PVLAN? (Choose two.)
▪ community ports belonging to other communities
▪ promiscuous ports
▪ isolated ports within the same community
▪ PVLAN edge protected ports
▪ community ports belonging to the same community
Explanation: Community ports can send and receive information with ports
within the same community, or with a promiscuous port. Isolated ports can
only communicate with promiscuous ports. Promiscuous ports can talk to all
interfaces. PVLAN edge protected ports only forward traffic through a Layer 3
device to other protected ports.
13. Which protocol should be used to mitigate the vulnerability of using
Telnet to remotely manage network devices?
▪ SNMP
▪ TFTP
▪ SSH
▪ SCP
Explanation: Telnet uses plain text to communicate in a network. The
username and password can be captured if the data transmission is
intercepted. SSH encrypts data communications between two network
devices. TFTP and SCP are used for file transfer over the network. SNMP is
used in network management solutions.
14. How can DHCP spoofing attacks be mitigated?
▪ by disabling DTP negotiations on nontrunking ports
▪ by implementing port security
▪ by the application of the ip verify source command to untrusted ports
▪ by implementing DHCP snooping on trusted ports
Explanation: One of the procedures to prevent a VLAN hopping attack is to
disable DTP (auto trunking) negotiation on nontrunking ports. DHCP spoofing
attacks are mitigated with DHCP snooping: only the ports facing the legitimate
DHCP server are configured as trusted, and DHCP server messages (such as
DHCPOFFER) arriving on untrusted ports are dropped. The ip verify source
interface configuration command enables IP Source Guard on untrusted ports to
protect against MAC and IP address spoofing.
15. Refer to the exhibit. The network administrator is configuring the port
security feature on switch SWC. The administrator issued the command
show port-security interface fa 0/2 to verify the configuration. What can be
concluded from the output that is shown? (Choose three.)
▪ Three security violations have been detected on this interface.
▪ This port is currently up.
▪ The port is configured as a trunk link.
▪ Security violations will cause this port to shut down immediately.
▪ There is no device currently connected to this port.
▪ The switch port mode for this interface is access mode.
Explanation: Because the security violation count is at 0, no violation has
occurred. The system shows that 3 MAC addresses are allowed on port fa0/2,
but only one has been configured and no sticky MAC addresses have been
learned. The port is up because of the port status of secure-up. The violation
mode is what happens when an unauthorized device is attached to the port. A
port must be in access mode in order to activate and use port security.
16. Two devices that are connected to the same switch need to be totally
isolated from one another. Which Cisco switch security feature will provide
this isolation?
▪ PVLAN Edge
▪ DTP
▪ SPAN
▪ BPDU guard
Explanation: The PVLAN Edge feature does not allow one device to see traffic
that is generated by another device. Ports configured with the PVLAN Edge
feature are also known as protected ports. BPDU guard prevents unauthorized
connectivity to a wired Layer 2 switch. SPAN is port mirroring to capture data
from one port or VLAN and send that data to another port. DTP (Dynamic
Trunking Protocol) is automatically enabled on some switch models to create a
trunk if the attached device is configured for trunking. Cisco recommends
disabling DTP as a best practice.
17. What is the behavior of a switch as a result of a successful CAM table
attack?
▪ The switch will drop all received frames.
▪ The switch interfaces will transition to the error-disabled state.
▪ The switch will forward all received frames to all other ports.
▪ The switch will shut down.
Explanation: As a result of a CAM table attack, a switch can run out of
memory resources to store MAC addresses. When this happens, no new MAC
addresses can be added to the CAM table and the switch will forward all
received frames to all other ports. This would allow an attacker to capture all
traffic that is flooded by the switch.
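A model of the behaviour described above, and of the port-security limit from question 15, as an added Python example (not code from the original page or from Cisco IOS): the switch class, port names, MAC table size and MAC addresses are all constructed. A real switch learns addresses in hardware; the model keeps a dictionary bounded by cam_size and a per-port limit that mirrors the switchport port-security maximum and violation settings.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Port:
    name: str
    secure_max: Optional[int] = None   # None: port security off
    violation: str = "shutdown"        # shutdown | restrict | protect
    learned: set = field(default_factory=set)
    status: str = "secure-up"
    violations: int = 0

class Switch:
    """Minimal switch model: a bounded MAC (CAM) table plus per-port port security."""

    def __init__(self, ports, cam_size):
        self.ports = {p.name: p for p in ports}
        self.cam = {}            # source MAC -> ingress port
        self.cam_size = cam_size

    def receive(self, ingress, src_mac, dst_mac):
        """Process one frame; return the list of ports it is forwarded out of."""
        port = self.ports[ingress]
        if port.status == "err-disabled":
            return []
        # Port security: only secure_max distinct source MACs may appear on the port.
        if port.secure_max is not None and src_mac not in port.learned:
            if len(port.learned) >= port.secure_max:
                if port.violation != "protect":
                    port.violations += 1          # restrict and shutdown count it
                if port.violation == "shutdown":
                    port.status = "err-disabled"
                return []                         # every mode drops the offending frame
            port.learned.add(src_mac)
        # MAC learning stops silently once the table is full: the overflow condition.
        if src_mac not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src_mac] = ingress
        egress = self.cam.get(dst_mac)
        if egress is not None and egress != ingress:
            return [egress]                                   # known unicast
        return [p for p in self.ports if p != ingress]        # unknown: flood

def fake_mac(i):
    return "00:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)

HOST2, HOST3 = "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"

def cam_overflow(cam_size=64, attack_frames=200):
    """Attacker on fa0/1 (no port security) floods frames with bogus source MACs.
    Returns the ports a later frame destined to a new host is forwarded to."""
    sw = Switch([Port("fa0/1"), Port("fa0/2"), Port("fa0/3")], cam_size)
    sw.receive("fa0/2", HOST2, "ff:ff:ff:ff:ff:ff")              # host 2 is learned
    for i in range(attack_frames):
        sw.receive("fa0/1", fake_mac(0x1000 + i), "ff:ff:ff:ff:ff:ff")
    sw.receive("fa0/3", HOST3, HOST2)       # host 3 arrives too late to be learned,
    return sw.receive("fa0/2", HOST2, HOST3)   # so its traffic is flooded, attacker included

def with_port_security(cam_size=64, attack_frames=200):
    """Same attack against a port with a 'switchport port-security maximum 3' style limit."""
    sw = Switch([Port("fa0/1", secure_max=3), Port("fa0/2"), Port("fa0/3")], cam_size)
    for i in range(attack_frames):
        sw.receive("fa0/1", fake_mac(0x1000 + i), "ff:ff:ff:ff:ff:ff")
    p = sw.ports["fa0/1"]
    return p.status, p.violations, len(sw.cam)
```

In cam_overflow the frame from host 2 to host 3 leaves on both fa0/1 and fa0/3, so the attacker on fa0/1 sees it; with port security the fourth bogus MAC on fa0/1 is a violation, the port goes err-disabled, and the table holds only the three addresses learned before that.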
18. Which protocol defines port-based authentication to restrict
unauthorized hosts from connecting to the LAN through publicly accessible
switch ports?
▪ RADIUS
▪ TACACS+
▪ 802.1x
▪ SSH
Explanation: 802.1x is an IEEE standard that defines port-based access
control. By authenticating each client that attempts to connect to the LAN,
802.1x provides protection from unauthorized clients.
19. What device is considered a supplicant during the 802.1X
authentication process?
▪ the router that is serving as the default gateway
▪ the authentication server that is performing client authentication
▪ the client that is requesting authentication
▪ the switch that is controlling network access
Explanation: The devices involved in the 802.1X authentication process are
as follows:
▪ The supplicant, which is the client that is requesting network access
▪ The authenticator, which is the switch that the client is connecting to and
that is actually controlling physical network access
▪ The authentication server, which performs the actual authentication
20. Which term describes the role of a Cisco switch in the 802.1X port-based
access control?
▪ agent
▪ supplicant
▪ authenticator
▪ authentication server
Explanation: 802.1X port-based authentication defines specific roles for the
devices in the network:
Client (Supplicant) – The device that requests access to LAN and switch
services
Switch (Authenticator) – Controls physical access to the network based on
the authentication status of the client
Authentication server – Performs the actual authentication of the client
21. What type of data does the DLP feature of Cisco Email Security Appliance
scan in order to prevent customer data from being leaked outside of the
company?
▪ inbound messages
▪ outbound messages
▪ messages stored on a client device
▪ messages stored on the email server
Explanation: Cisco ESAs control outbound messages through data-loss
prevention (DLP), email encryption, and optional integration with the RSA
Enterprise Manager. This control helps ensure that the outbound messages
comply with industry standards and are protected in transit.
22. What is the goal of the Cisco NAC framework and the Cisco NAC
appliance?
▪ to ensure that only hosts that are authenticated and have had their
security posture examined and approved are permitted onto the
network
▪ to monitor data from the company to the ISP in order to build a real-time
database of current spam threats from both internal and external
sources
▪ to provide anti-malware scanning at the network perimeter for both
authenticated and non-authenticated devices
▪ to provide protection against a wide variety of web-based threats,
including adware, phishing attacks, Trojan horses, and worms
Explanation: The NAC framework uses the Cisco network infrastructure and
third-party software to ensure the wired and wireless endpoints that want to
gain access to the network adheres to the requirements defined by the
security policy. The Cisco NAC Appliance is the device that enforces security
policy compliance.
23. Which Cisco solution helps prevent MAC and IP address spoofing
attacks?
▪ Port Security
▪ DHCP Snooping
▪ IP Source Guard
▪ Dynamic ARP Inspection
Explanation: Cisco provides solutions to help mitigate Layer 2 attacks
including:
▪ IP Source Guard (IPSG) – prevents MAC and IP address spoofing
attacks
▪ Dynamic ARP Inspection (DAI) – prevents ARP spoofing and ARP
poisoning attacks
▪ DHCP Snooping – prevents DHCP starvation and DHCP spoofing
attacks
▪ Port Security – prevents many types of attacks including MAC table
overflow attacks and DHCP starvation attacks
24. What Layer 2 attack is mitigated by disabling Dynamic Trunking
Protocol?
▪ VLAN hopping
▪ DHCP spoofing
▪ ARP poisoning
▪ ARP spoofing
Explanation: Mitigating a VLAN hopping attack can be done by disabling
Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links
to VLANs not in use.
25. What is the result of a DHCP starvation attack?
▪ Legitimate clients are unable to lease IP addresses.
▪ Clients receive IP address assignments from a rogue DHCP server.
▪ The attacker provides incorrect DNS and default gateway information to
clients.
▪ The IP addresses assigned to legitimate clients are hijacked.
Explanation: DHCP starvation attacks are launched by an attacker with the
intent to create a DoS for DHCP clients. To accomplish this goal, the attacker
uses a tool that sends many DHCPDISCOVER messages with spoofed source MAC
addresses to lease the entire pool of available IP addresses, thus denying
them to legitimate hosts.
26. A network administrator is configuring DAI on a switch with the
command ip arp inspection validate dst-mac . What is the purpose of this
configuration command?
▪ to check the destination MAC address in the Ethernet header against
the MAC address table
▪ to check the destination MAC address in the Ethernet header against
the user-configured ARP ACLs
▪ to check the destination MAC address in the Ethernet header against
the target MAC address in the ARP body
▪ to check the destination MAC address in the Ethernet header against
the source MAC address in the ARP body
Explanation: DAI can be configured to check for both destination or source
MAC and IP addresses:
Destination MAC – Checks the destination MAC address in the Ethernet
header against the target MAC address in the ARP body.
Source MAC – Checks the source MAC address in the Ethernet header
against the sender MAC address in the ARP body.
IP address – Checks the ARP body for invalid and unexpected IP addresses
including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
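The three validate checks, plus the DHCP snooping binding check that DAI always performs, as an added Python example that parses constructed ARP frames; it is not code from the original page or from Cisco IOS, and the hosts, MAC addresses, IP addresses and binding table are constructed for the illustration.

```python
import ipaddress
import struct

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Ethernet II header followed by an IPv4-over-Ethernet ARP packet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp

def parse_arp(frame):
    """Return the Ethernet and ARP fields DAI compares, or None if not ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    return {
        "eth_dst": frame[0:6].hex(":"), "eth_src": frame[6:12].hex(":"),
        "op": struct.unpack("!H", frame[20:22])[0],
        "sha": frame[22:28].hex(":"), "spa": str(ipaddress.IPv4Address(frame[28:32])),
        "tha": frame[32:38].hex(":"), "tpa": str(ipaddress.IPv4Address(frame[38:42])),
    }

def invalid_ip(ip):
    """The addresses 'ip arp inspection validate ip' treats as invalid."""
    a = ipaddress.IPv4Address(ip)
    return a.is_multicast or str(a) in ("0.0.0.0", "255.255.255.255")

def inspect(frame, bindings, validate=("src-mac", "dst-mac", "ip")):
    """DAI verdict for an ARP frame from an untrusted port: ('permit'|'drop', reason).
    bindings is the DHCP snooping table as a set of (mac, ip) pairs."""
    arp = parse_arp(frame)
    if arp is None:
        return "permit", "not ARP"
    if "src-mac" in validate and arp["eth_src"] != arp["sha"]:
        return "drop", "src-mac: Ethernet source != ARP sender MAC"
    if "dst-mac" in validate and arp["op"] == ARP_REPLY and arp["eth_dst"] != arp["tha"]:
        return "drop", "dst-mac: Ethernet destination != ARP target MAC"
    if "ip" in validate and (invalid_ip(arp["spa"]) or
                             (arp["op"] == ARP_REPLY and invalid_ip(arp["tpa"]))):
        return "drop", "ip: invalid sender/target IP"
    if (arp["sha"], arp["spa"]) not in bindings:
        return "drop", "no DHCP snooping binding for %s/%s" % (arp["sha"], arp["spa"])
    return "permit", "binding matched"

# Constructed hosts and DHCP snooping bindings.
HOST_A, IP_A = "00:11:22:33:44:01", "10.0.0.10"
HOST_B, IP_B = "00:11:22:33:44:02", "10.0.0.20"
ATTACKER = "de:ad:be:ef:00:01"
BINDINGS = {(HOST_A, IP_A), (HOST_B, IP_B)}

def scenarios():
    """Verdicts for a legitimate reply, an ARP poisoning attempt, a spoofed
    Ethernet source, and an ARP probe (sender IP 0.0.0.0)."""
    frames = {
        "legit reply": build_arp(HOST_B, HOST_A, ARP_REPLY, HOST_A, IP_A, HOST_B, IP_B),
        "arp poisoning": build_arp(HOST_B, ATTACKER, ARP_REPLY, ATTACKER, IP_A, HOST_B, IP_B),
        "spoofed eth src": build_arp(HOST_B, HOST_A, ARP_REPLY, ATTACKER, IP_A, HOST_B, IP_B),
        "arp probe": build_arp("ff:ff:ff:ff:ff:ff", HOST_A, ARP_REQUEST, HOST_A, "0.0.0.0",
                               "00:00:00:00:00:00", IP_A),
    }
    return {name: inspect(f, BINDINGS)[0] for name, f in frames.items()}
```

The poisoning attempt passes all three header checks (the attacker keeps its Ethernet and ARP addresses consistent) and is caught only by the binding table, which is why DHCP snooping is a prerequisite for DAI. The last scenario is the caveat a practitioner wants: an ARP probe carries sender IP 0.0.0.0 and fails the ip check, so the validate ip option needs testing on ports where hosts use such probes for duplicate-address detection.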
1. Which algorithm can ensure data integrity?
▪ RSA
▪ AES
▪ MD5
▪ PKI
Explanation: Data integrity guarantees that the message was not altered in
transit. Integrity is checked with a hash function such as the Secure Hash
Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is still widely
in use, but it is no longer collision resistant and should not be relied on
where an attacker can influence the input. A bare hash also only detects
accidental alteration; when the alteration may be deliberate, a keyed hash
(HMAC) or a digital signature is needed.
2. What is the keyspace of an encryption algorithm?
▪ the set of all possible values used to generate a key
▪ the set of procedures used to calculate asymmetric keys
▪ the set of hash functions used to generate a key
▪ the mathematical equation that is used to create a key
Explanation: The keyspace of an encryption algorithm is the set of all possible
key values. Keys with n bits produce a keyspace with 2^ n possible key values.
3. Alice and Bob are using a digital signature to sign a document. What key
should Alice use to sign the document so that Bob can make sure that the
document came from Alice?
▪ private key from Bob
▪ private key from Alice
▪ public key from Bob
▪ username and password from Alice
Explanation: Alice and Bob are the conventional names used to explain
asymmetric cryptography in digital signatures. Alice computes a digest of the
document and signs it with her private key (with RSA this is often described
as encrypting the digest). The document, the signed digest, and Alice's public
key (normally carried in a certificate) are sent to Bob, who verifies the
signature with the public key; only the holder of Alice's private key could
have produced it.
4. Which three security services are provided by digital signatures? (Choose
three.)
▪ provides nonrepudiation using HMAC functions
▪ guarantees data has not changed in transit
▪ provides data encryption
▪ authenticates the source
▪ provides confidentiality of digitally signed data
▪ authenticates the destination
Explanation: Digital signatures are a mathematical technique used to provide
three basic security services. Digital signatures have specific properties that
enable entity authentication and data integrity. In addition, digital signatures
provide nonrepudiation of the transaction. In other words, the digital signature
serves as legal proof that the data exchange did take place.
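The signing and verification roles in questions 3 and 4, as an added Python example that is not code from the original page: hash-then-sign with textbook RSA on toy keys built from Mersenne primes. The keys, the document and the truncation of the digest to 8 bytes are constructed for the illustration and are not safe for real use; a real signature uses a full-size key and places the whole digest inside PKCS#1 v1.5 or PSS padding.

```python
import hashlib

def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm (a and m coprime)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m

def toy_keypair(p, q, e=65537):
    """Textbook RSA: public key (n, e), private key (n, d).  Toy primes only."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, modinv(e, phi))

def digest_int(message):
    # Toy: the first 8 bytes of SHA-256, so the integer is below every toy n.
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")

def sign(private_key, message):
    """The signer applies the private exponent to the hash of the message."""
    n, d = private_key
    return pow(digest_int(message), d, n)

def verify(public_key, message, signature):
    """Anyone holding the public key recovers the hash and compares it."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)

# Constructed toy keys: Alice from 2^31-1 and 2^61-1, Bob from 2^89-1 and 2^107-1.
ALICE_PUB, ALICE_PRIV = toy_keypair((1 << 31) - 1, (1 << 61) - 1)
BOB_PUB, BOB_PRIV = toy_keypair((1 << 89) - 1, (1 << 107) - 1)

def demo(document=b"Transfer 100 EUR to Bob. -- Alice"):
    """Alice signs; Bob checks authenticity, integrity and the key used."""
    sig = sign(ALICE_PRIV, document)
    return {
        "bob verifies with alice public key": verify(ALICE_PUB, document, sig),
        "tampered document": verify(ALICE_PUB, document + b" and 900 more", sig),
        "checked with wrong (bob) public key": verify(BOB_PUB, document, sig),
        "signed by bob, checked against alice": verify(ALICE_PUB, document, sign(BOB_PRIV, document)),
    }
```

Only the first entry is True: the signature binds the digest to Alice's key pair, so a changed document or a different key fails. Nonrepudiation follows from the same fact, since nobody but the private-key holder could have produced a value that Alice's public key accepts.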
5. What is another name for confidentiality of information?
▪ consistency
▪ trustworthiness
▪ accuracy
▪ privacy
Explanation: Privacy is another name for confidentiality. Accuracy,
consistency, and trustworthiness describe integrity of data.
6. As data is being stored on a local hard disk, which method would secure
the data from unauthorized access?
▪ a duplicate hard drive copy
▪ deletion of sensitive files
▪ two factor authentication
▪ data encryption
Explanation: Data encryption is the process of converting data into a form
where only a trusted, authorized person with a secret key or password can
decrypt the data and access the original form.
7. What popular encryption algorithm requires that both the sender and
receiver know a pre-shared key?
▪ PKI
▪ MD5
▪ AES
▪ HMAC
Explanation: MD5 is a hashing algorithm used to check that a message was not
altered; by itself it does not stop an interceptor from changing the message
and recomputing the hash. Advanced Encryption Standard (AES) is a popular
symmetric encryption algorithm in which every communicating party must know
the same pre-shared key. Public key infrastructure (PKI) is not an encryption
algorithm but the framework of certificates and certificate authorities that
supports asymmetric cryptography, where the two parties need not have shared
a secret beforehand. HMAC is a hash-based message authentication code that,
using a shared key, guarantees that the message is not a forgery and comes
from the authentic source.
8. In which method used in cryptanalysis does the attacker know a portion
of the plaintext and the corresponding ciphertext?
▪ meet-in-the-middle
▪ brute-force
▪ chosen-plaintext
▪ ciphertext
Explanation: There are several methods used in cryptanalysis:
Brute-force – The attacker tries every possible key knowing that eventually
one of them will work.
Ciphertext – The attacker has the ciphertext of several messages encrypted
but no knowledge of the underlying plaintext.
Known-Plaintext – The attacker has access to the ciphertext of several
messages and knows something about the plaintext underlying that ciphertext.
Chosen-Plaintext – The attacker chooses which data the encryption device
encrypts and observes the ciphertext output.
Chosen-Ciphertext – The attacker can choose different ciphertext to be
decrypted and has access to the decrypted plaintext.
Meet-in-the-Middle – The attacker knows a portion of the plaintext and the
corresponding ciphertext. The name describes how that knowledge is used
against a cipher built from two encryption stages (the reason double DES is
not used): the attacker encrypts the known plaintext forward under every
candidate first-stage key, decrypts the ciphertext backward under every
candidate second-stage key, and looks for the pair that meets in the middle.
9. Match the disciplines or roles to the descriptions.
10. What technology supports asymmetric key encryption used in IPsec VPNs?
▪ 3DES
▪ IKE
▪ SEAL
▪ AES
Explanation: IKE, or Internet Key Exchange, is the protocol that uses
asymmetric techniques (a Diffie-Hellman exchange for key agreement, and RSA
signatures or pre-shared keys for peer authentication) to securely establish
the symmetric keys used by the IPsec security associations. 3DES, AES, and
SEAL are symmetric algorithms.
11. What are two symmetric encryption algorithms? (Choose two.)
▪ 3DES
▪ MD5
▪ AES
▪ HMAC
▪ SHA
Explanation: MD5, HMAC, and SHA are hashing algorithms.
12. Which two items are used in asymmetric encryption? (Choose two.)
▪ a token
▪ a TPM
▪ a private key
▪ a DES key
▪ a public key
Explanation: A token is something that is used to provide two-factor
authentication. DES is a symmetric algorithm that uses the same key to encrypt
and decrypt. Asymmetric encryption uses a key pair: a private key and its
associated public key.
13. What are two properties of a cryptographic hash function? (Choose
two.)
▪ Complex inputs will produce complex hashes.
▪ Hash functions can be duplicated for authentication purposes.
▪ The hash function is one way and irreversible.
▪ The input for a particular hash algorithm has to have a fixed size.
▪ The output is a fixed length.
Explanation: A cryptographic hash function should have the following
properties:
▪ The input can be any length.
▪ The output has a fixed length.
▪ The hash value is relatively easy to compute for any given input.
▪ The hash is one way and not reversible: it is infeasible to recover an
input from its hash value.
▪ The hash is collision resistant: it is infeasible to find two different
input values that produce the same hash value.
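The properties above, and the difference between an unkeyed hash and HMAC raised in question 7, as an added Python example using only the standard library (not code from the original page); the key and the messages are constructed.

```python
import hashlib
import hmac

def digest_bits(algorithm, inputs=(b"", b"a", b"x" * 100_000)):
    """Output length in bits is fixed, whatever the input length."""
    sizes = {len(hashlib.new(algorithm, data).digest()) * 8 for data in inputs}
    assert len(sizes) == 1
    return sizes.pop()

def avalanche_fraction(message, algorithm="sha256"):
    """Fraction of output bits that change when a single input bit flips:
    about one half for a good hash, so similar inputs give unrelated outputs."""
    flipped = bytes([message[0] ^ 0x01]) + message[1:]
    a = int.from_bytes(hashlib.new(algorithm, message).digest(), "big")
    b = int.from_bytes(hashlib.new(algorithm, flipped).digest(), "big")
    bits = hashlib.new(algorithm).digest_size * 8
    return bin(a ^ b).count("1") / bits

def plain_hash_tag(message):
    """Unkeyed hash sent alongside the message (what MD5 or SHA alone gives)."""
    return hashlib.sha256(message).hexdigest()

def plain_hash_ok(message, tag):
    return hashlib.sha256(message).hexdigest() == tag

def hmac_tag(key, message):
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def hmac_ok(key, message, tag):
    return hmac.compare_digest(hmac_tag(key, message), tag)   # constant-time compare

# Constructed shared key; in practice a random secret known only to both ends.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")

def interception_demo(message=b"amount=100;to=bob"):
    """An interceptor rewrites the message.  With a plain hash it simply
    recomputes the tag; with HMAC it cannot, because it lacks the key."""
    forged = b"amount=9999;to=mallory"
    forged_tag = plain_hash_tag(forged)            # attacker recomputes the hash
    mac = hmac_tag(KEY, message)
    return {
        "plain hash accepts forgery": plain_hash_ok(forged, forged_tag),
        "hmac accepts original": hmac_ok(KEY, message, mac),
        "hmac accepts forgery with old tag": hmac_ok(KEY, forged, mac),
        "hmac accepts forgery with plain-hash tag": hmac_ok(KEY, forged, forged_tag),
    }
```

hmac.compare_digest is used rather than == so that the comparison time does not leak how many leading bytes of a guessed tag were right.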
14. Which statement describes asymmetric encryption algorithms?
▪ They have key lengths ranging from 80 to 256 bits.
▪ They include DES, 3DES, and AES.
▪ They are also called shared-secret key algorithms.
▪ They are relatively slow because they are based on difficult
computational algorithms.
Explanation: DES, 3DES, and AES are examples of symmetric encryption
algorithms (also known as shared secret key algorithms). The usual key length
for symmetric algorithms is 80-256 bits. Asymmetric algorithms are relatively
slow because they are based on difficult computational algorithms.
15. An IT enterprise is recommending the use of PKI applications to
securely exchange information between the employees. In which two cases
might an organization use PKI applications to securely exchange
information between users? (Choose two.)
▪ HTTPS web service
▪ 802.1x authentication
▪ local NTP server
▪ FTP transfers
▪ file and directory access permission
Explanation: A PKI relies on a trusted third party, the certificate authority
(CA), that issues the certificates binding public keys to identities. The PKI
is the framework used to securely exchange information between parties.
Common PKI applications are as follows:
▪ SSL/TLS certificate-based peer authentication
▪ Secure network traffic using IPsec VPNs
▪ HTTPS web traffic
▪ Control access to the network using 802.1x authentication
▪ Secure email using the S/MIME protocol
▪ Secure instant messaging
▪ Approve and authorize applications with code signing
▪ Protect user data with the Encrypting File System (EFS)
▪ Implement two-factor authentication with smart cards
▪ Securing USB storage devices
16. Two users must authenticate each other using digital certificates and a
CA. Which option describes the CA authentication procedure?
▪ The users must obtain the certificate of the CA and then their own
certificate.
▪ The CA is always required, even after user verification is complete.
▪ CA certificates are retrieved out-of-band using the PSTN, and the
authentication is done in-band over a network.
▪ After user verification is complete, the CA is no longer required, even if
one of the involved certificates expires.
Explanation: When two users must authenticate each other using digital
certificates and CA, both users must obtain their own digital certificate from a
CA. They submit a certificate request to a CA, and the CA will perform a
technical verification by calling the end user (out-of-band). Once the request is
approved, the end user retrieves the certificate over the network (in-band) and
installs the certificate on the system. After both users have installed their
certificate, they can perform authentication by sending their certificate to each
other. Each site will use the public key of the CA to verify the validity of the
certificate; no CA is involved at this point. If both certificates are verified, both
users can now authenticate each other.
17. The following message was encrypted using a Caesar cipher with a key
of 2:
fghgpf vjg ecuvng
What is the plaintext message?
▪ invade the castle
▪ defend the castle
▪ defend the region
▪ invade the region
Explanation: The Caesar cipher is a simple substitution cipher: every letter is
shifted a fixed number of positions along the alphabet. With a key of 2, the letter
d is shifted two positions to the right and is written as f, e becomes g, and so on;
decryption shifts each letter two positions back. Working through the ciphertext,
f=d, g=e, h=f, g=e, p=n, f=d, v=t, j=h, g=e, e=c, c=a, u=s, v=t, n=l, g=e, which gives
the plaintext "defend the castle". Because there are only 25 possible shifts, the
key is not even needed: trying every shift and picking the readable result breaks the
cipher immediately.
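As an added illustration (not part of the original quiz), here is a Python implementation of the shift used in this question, together with the brute-force attack that makes a 25-key cipher worthless. The ciphertext is the one from the question; the small word list used to rank candidate plaintexts is constructed for the demo.

```python
def caesar_shift(text: str, key: int) -> str:
    """Shift every ASCII letter of `text` by `key` positions (mod 26).

    A positive key encrypts, a negative key decrypts. Case is preserved and
    non-letters (spaces, punctuation, digits) pass through unchanged, which
    is exactly why Caesar ciphertext leaks word boundaries.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + key) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


def brute_force(ciphertext: str) -> dict[int, str]:
    """Return every candidate plaintext keyed by shift. The whole key space
    is 25 shifts, so an attacker never needs to be told the key."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


# Constructed word list for this demo; a real attacker would use letter
# frequency statistics or a full dictionary instead.
DEMO_WORDS = frozenset({"defend", "invade", "the", "castle", "region"})


def recover_key(ciphertext: str, words: frozenset = DEMO_WORDS) -> int:
    """Pick the shift whose candidate plaintext contains the most known words."""
    def score(candidate: str) -> int:
        return sum(1 for w in candidate.split() if w in words)

    candidates = brute_force(ciphertext)
    return max(candidates, key=lambda k: score(candidates[k]))


if __name__ == "__main__":
    ct = "fghgpf vjg ecuvng"        # ciphertext from the question, key 2
    print(caesar_decrypt(ct, 2))    # defend the castle
    print(recover_key(ct))          # 2, recovered without knowing the key
```

Run it and the brute-force pass recovers key 2 from the ciphertext alone, which is the practical lesson of the question: a cipher whose key space can be enumerated by hand offers no confidentiality.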
18. In a hierarchical CA topology, where can a subordinate CA obtain a
certificate for itself?
▪ from the root CA or another subordinate CA at a higher level
▪ from the root CA or another subordinate CA at the same level
▪ from the root CA or from self-generation
▪ from the root CA only
▪ from the root CA or another subordinate CA anywhere in the tree
Explanation: In a hierarchical CA topology, CAs can issue certificates to end
users and to subordinate CAs, which in turn issue their certificates to end
users, other lower-level CAs, or both. In this way, a tree of CAs and end users
is built in which every CA can issue certificates to lower-level CAs and end
users. Only the root CA holds a self-signed certificate in a hierarchical CA
topology; a subordinate CA certificate is signed by the CA directly above it
(the root or a higher-level subordinate), which is what lets a verifier chain an
end-entity certificate back to the trusted root.
19. What is the purpose for using digital signatures for code signing?
▪ to establish an encrypted connection to exchange confidential data with
a vendor website
▪ to verify the integrity of executable files downloaded from a vendor
website
▪ to authenticate the identity of the system with a vendor website
▪ to generate a virtual ID
Explanation: Code signing is used to verify the integrity of executable files
downloaded from a vendor website and to authenticate the publisher of the code,
not the website. The vendor signs a hash of the file with the private key of a
code-signing certificate, and the client checks the signature with the public key
in that certificate. A valid signature shows the file has not been altered since the
publisher signed it; it says nothing about whether the code itself is safe.
20. What technology has a function of using trusted third-party protocols to
issue credentials that are accepted as an authoritative identity?
▪ digital signatures
▪ hashing algorithms
▪ PKI certificates
▪ symmetric keys
Explanation: Digital signatures prove the authenticity and integrity of data, and
hashing algorithms provide integrity only, but the credential that is accepted as an
authoritative identity is a PKI certificate, issued by a Certificate Authority acting
as a trusted third party. A certificate binds a public key to an identity and is
itself public information; together with the matching private key it enables
authentication, confidentiality (through key exchange), integrity, and
nonrepudiation services at a scale that manual key distribution cannot reach.
21. Which requirement of secure communications is ensured by the
implementation of MD5 or SHA hash generating algorithms?
▪ nonrepudiation
▪ authentication
▪ integrity
▪ confidentiality
Explanation: Integrity is ensured by implementing hash-generating algorithms such
as MD5 or SHA: a hash recomputed over the received data reveals any change. A bare
hash only detects accidental corruption, because an attacker who alters the data can
simply recompute the hash; integrity against an active attacker, and authentication
of the source, require a keyed hash (HMAC) or a digital signature. MD5 and SHA-1 are
broken with respect to collision resistance and should be replaced by SHA-2 (for
example SHA-256). Data confidentiality is ensured through symmetric encryption
algorithms, including DES, 3DES, and AES (of which only AES remains acceptable), or
through asymmetric algorithms such as RSA, typically used to exchange a symmetric
key under a PKI.
22. What is an example of the one-time pad cipher?
▪ RC4
▪ rail fence
▪ Caesar
▪ Vigenère
Explanation: In the course taxonomy RC4 is the example of a one-time-pad style
cipher: it is a stream cipher that XORs the plaintext with a keystream expanded
from a short key, which emulates a one-time pad without the unbounded key material
a true pad requires. RC4 was once widely used on the Internet (WEP, early TLS), but
biases in its keystream make it insecure and RFC 7465 prohibits it in TLS. The
Caesar cipher is a simple substitution cipher, the Vigenère cipher is a
polyalphabetic cipher built from Caesar shifts, and the rail fence cipher is an
example of a transposition cipher.
23. A company is developing a security policy for secure communication. In
the exchange of critical messages between a headquarters office and a
branch office, a hash value should only be recalculated with a
predetermined code, thus ensuring the validity of data source. Which aspect
of secure communications is addressed?
▪ data integrity
▪ non-repudiation
▪ data confidentiality
▪ origin authentication
Explanation: The policy describes a keyed hash (HMAC): the hash value can only be
recomputed by a party that holds the predetermined secret, so a matching value
proves who produced the message. Secure communications consists of four elements:
Data confidentiality – guarantees that only authorized users can read the message
Data integrity – guarantees that the message was not altered
Origin authentication – guarantees that the message is not a forgery and does
actually come from whom it states
Data nonrepudiation – guarantees that the sender cannot repudiate, or refute,
the validity of a message sent
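Questions 21 and 23 turn on the difference between a bare hash (integrity only) and a keyed hash (integrity plus origin authentication). The following Python example, added here and not part of the original quiz, plays out the headquarters/branch scenario: an attacker who rewrites a message can recompute a plain SHA-256 digest, but cannot produce a valid HMAC without the shared secret. The message text and the shared key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed for the demo: the "predetermined code" shared by HQ and the branch.
SHARED_KEY = b"hq-branch-demo-key-not-for-production"


def sha256_digest(message: bytes) -> str:
    """Bare hash: anyone can compute it, so it proves nothing about who sent it."""
    return hashlib.sha256(message).hexdigest()


def hmac_sha256(key: bytes, message: bytes) -> str:
    """Keyed hash: only a holder of `key` can produce or check the tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_digest(message: bytes, digest: str) -> bool:
    # compare_digest avoids leaking the position of a mismatch through timing
    return hmac.compare_digest(sha256_digest(message), digest)


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_sha256(key, message), tag)


def branch_sends(message: bytes) -> tuple[bytes, str, str]:
    """Branch office transmits the message with both a bare digest and an HMAC."""
    return message, sha256_digest(message), hmac_sha256(SHARED_KEY, message)


def attacker_tampers(message: bytes) -> tuple[bytes, str, str]:
    """Man-in-the-middle rewrites the amount. The digest is trivially
    recomputed; the HMAC can only be guessed because SHARED_KEY is unknown."""
    forged = message.replace(b"100", b"100000")
    guessed_key = b"wrong-key"      # attacker does not hold the real key
    return forged, sha256_digest(forged), hmac_sha256(guessed_key, forged)


def hq_checks(message: bytes, digest: str, tag: str) -> dict[str, bool]:
    """HQ recalculates both values. Only the HMAC result tells HQ whether the
    message really came from a party holding the shared secret."""
    return {
        "integrity_by_digest": verify_digest(message, digest),
        "origin_by_hmac": verify_hmac(SHARED_KEY, message, tag),
    }


if __name__ == "__main__":
    genuine = branch_sends(b"TRANSFER 100 TO ACCT 42")
    print("genuine :", hq_checks(*genuine))     # both checks True
    forged = attacker_tampers(genuine[0])
    print("tampered:", hq_checks(*forged))      # digest True, HMAC False
```

The tampered message passes the plain-digest check and fails the HMAC check, which is the whole point of the "predetermined code" in question 23: the keyed hash ties the integrity check to the source. In a real deployment the key would be provisioned out-of-band and rotated, and the tag would be carried with the message, as IPsec does in its AH/ESP authentication field.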
24. What is the purpose of a digital certificate?
▪ It guarantees that a website has not been hacked.
▪ It provides proof that data has a traditional signature attached.
▪ It ensures that the person who is gaining access to a network device is
authorized.
▪ It authenticates a website and establishes a secure connection to
exchange confidential data.
Explanation: A digital certificate binds a public key to an identity and is signed
by a CA. A browser uses the certificate presented by a vendor website to verify the
identity of the site and then to set up an encrypted (TLS) connection for exchanging
confidential data. One such example is when a person logs into a financial
institution from a web browser.

1. Which two statements describe the IPsec protocol framework? (Choose two.)
▪ AH uses IP protocol 51.
▪ AH provides integrity and authentication.
▪ AH provides encryption and integrity.
▪ ESP uses UDP protocol 51.
▪ AH provides both authentication and encryption.
Explanation: The two primary protocols used with IPsec are AH and ESP. AH (IP
protocol number 51) provides data-origin authentication and integrity for the IP
packets exchanged between the peers, covering the outer IP header as well, but it
provides no encryption (and because the header is authenticated, AH cannot pass
through NAT). ESP (IP protocol number 50) performs packet encryption and can also
provide integrity and authentication of the payload; in practice ESP is always
configured with an HMAC too, since encryption without integrity protection is
malleable.
2. What technology is used to negotiate security associations and calculate
shared keys for an IPsec VPN tunnel?
▪ PSK
▪ SHA
▪ 3DES
▪ IKE
Explanation: The Internet Key Exchange (IKE) protocol is a key management
protocol standard used when creating an IPsec VPN tunnel. IKE negotiates
security associations (SAs) and calculates shared keys.
3. What are the two modes used in IKE Phase 1? (Choose two.)
▪ passive
▪ primary
▪ main
▪ secondary
▪ aggressive
Explanation: The two modes for IKE Phase 1 are main and aggressive. Main mode takes
more time (six messages) because the peer identities are exchanged only after the
Diffie-Hellman exchange and are therefore hidden from eavesdroppers. Aggressive mode
needs three messages but sends the identities in the clear and, with pre-shared key
authentication, exposes a hash that can be attacked offline, so it should be avoided
where main mode is possible.
4. What takes place during IKE Phase 2 when establishing an IPsec VPN?
▪ Traffic is exchanged between IPsec peers.
▪ IPsec security associations are exchanged.
▪ ISAKMP security associations are exchanged.
▪ Interesting traffic is identified.
Explanation: During IKE Phase 2, IPsec peers exchange the IPsec security
associations (SAs) that each peer is willing to use to establish the IPsec
tunnel.
5. A site-to-site IPsec VPN is to be configured. Place the configuration steps
in order.
6. Refer to the exhibit. A VPN tunnel is configured on the WAN between R1
and R2. On which R1 interface(s) would a crypto map be applied in order to
create a VPN between R1 and R2?
▪ G0/0 and G0/1
▪ G0/0
▪ all R1 interfaces
▪ S0/0/0
Explanation: The crypto map command is used to finish creating the IPsec
security policy by doing the following:
binding the interesting traffic ACL and transform set to the crypto map
specifying the IP address of the remote VPN site
configuring the Diffie-Hellman group (for perfect forward secrecy)
configuring the IPsec tunnel lifetime
The crypto map is then bound to the interface that faces the peer, S0/0/0 on R1.
Applying it to the LAN interfaces would do nothing for traffic leaving on the WAN
link.
7. Router R1 has configured ISAKMP policies numbered 1, 5, 9, and 203.
Router R2 only has default policies. How will R1 attempt to negotiate the
IKE Phase 1 ISAKMP tunnel with R2?
▪ R1 and R2 cannot match policies because the policy numbers are
different.
▪ R1 will attempt to match policy #1 with the most secure matching
policy on R2.
▪ R1 will try to match policy #203 with the most secure default policy on
R2.
▪ R1 will begin to try to match policy #1 with policy #65514 on R2.
Explanation: ISAKMP policy numbers are local priorities (lowest number, highest
priority); the numbers do not need to match on the two peers. R1 offers its
configured policies starting with policy 1, its highest priority. R2 has only the
built-in default policies (numbered 65507 to 65514 on IOS, with 65507 the most
secure) and compares the offered proposals against its own policies in its own
priority order; the first complete match of encryption, hash, authentication
method, and DH group, with an R1 lifetime no longer than R2's, is used to build the
IKE Phase 1 ISAKMP tunnel. If policy 1 matches nothing on R2, R1's policies 5, 9,
and 203 are considered next; if none matches, Phase 1 fails and show crypto isakmp
sa shows no security association.
8. When the CLI is used to configure an ISR for a site-to-site VPN connection,
what is the purpose of the crypto map command in interface configuration
mode?
▪ to configure the transform set
▪ to bind the interface to the ISAKMP policy
▪ to force IKE Phase 1 negotiations to begin
▪ to negotiate the SA policy
Explanation: The crypto map command in interface configuration mode, followed by
the name of the map, binds that crypto map, and so the ISAKMP/IPsec policy it
references, to the interface; a crypto map has no effect until it is applied to an
interface. A transform set is configured using the crypto ipsec transform-set
command. Interesting traffic matching the crypto ACL is what triggers IKE Phase 1
negotiations. The ISAKMP SA policy itself is negotiated by the peers in step 2 of
the IPsec negotiation, not set by this command.
9. Which statement describes the effect of key length in deterring an
attacker from hacking through an encryption key?
▪ The length of a key does not affect the degree of security.
▪ The shorter the key, the harder it is to break.
▪ The length of a key will not vary between encryption algorithms.
▪ The longer the key, the more key possibilities exist.
Explanation: The longer the key, the more possible keys an attacker must try, so
the harder it is to break by brute force: every additional bit doubles the work. The
course illustration is that a 64-bit key might take one year to break with a
sophisticated computer, while a 128-bit key would take about 10^19 years (2^64 times
longer). Different encryption algorithms provide different key lengths, and lengths
are only comparable within one algorithm family: a 128-bit AES key is not weaker
than a 2048-bit RSA key.
10. Which two statements describe a remote access VPN? (Choose two.)
▪ It may require VPN client software on hosts.
▪ It requires hosts to send TCP/IP traffic through a VPN gateway.
▪ It connects entire networks to each other.
▪ It is used to connect individual hosts securely to a company network
over the Internet.
▪ It requires static configuration of the VPN tunnel.
Explanation: Remote access VPNs can be used to support the needs of
telecommuters and mobile users by allowing them to connect securely to
company networks over the Internet. To connect hosts to the VPN server on
the corporate network, the remote access VPN tunnel is dynamically built by
client software that runs on the hosts.
11. Which protocol creates a virtual point-to-point connection to tunnel
unencrypted traffic between Cisco routers from a variety of protocols?
▪ IKE
▪ IPsec
▪ OSPF
▪ GRE
Explanation: Generic Routing Encapsulation (GRE) is a tunneling protocol
developed by Cisco that encapsulates multiprotocol traffic between remote
Cisco routers. GRE does not encrypt data. OSPF is an open-standard link-state
routing protocol. IPsec is a suite of protocols that allow for the exchange of
information that can be encrypted and verified. Internet Key Exchange (IKE) is a
key management standard used with IPsec.
12. How is “tunneling” accomplished in a VPN?
▪ New headers from one or more VPN protocols encapsulate the original
packets.
▪ All packets between two hosts are assigned to a single physical medium
to ensure that the packets are kept private.
▪ Packets are disguised to look like other types of traffic so that they will
be ignored by potential attackers.
▪ A dedicated circuit is established between the source and destination
devices for the duration of the connection.
Explanation: Packets in a VPN are encapsulated with the headers from one or
more VPN protocols before being sent across the third party network. This is
referred to as “tunneling”. These outer headers can be used to route the
packets, authenticate the source, and prevent unauthorized users from
reading the contents of the packets.
13. Which two scenarios are examples of remote access VPNs? (Choose
two.)
▪ All users at a large branch office can access company resources
through a single VPN connection.
▪A small branch office with three employees has a Cisco ASA that is
used to create a VPN connection to the HQ.
▪ A toy manufacturer has a permanent VPN connection to one of its parts
suppliers.
▪ A mobile sales agent is connecting to the company network via the
Internet connection at a hotel.
▪ An employee who is working from home uses VPN client software on
a laptop in order to connect to the company network.
Explanation: Remote access VPNs connect individual users to another
network via a VPN client that is installed on the user device. Site-to-site VPNs
are “always on” connections that use VPN gateways to connect two sites
together. Users at each site can access the network on the other site without
having to use any special clients or configurations on their individual devices.
14. Which statement accurately describes a characteristic of IPsec?
▪ IPsec works at the application layer and protects all application data.
▪ IPsec is a framework of standards developed by Cisco that relies on OSI
algorithms.
▪ IPsec is a framework of proprietary standards that depend on Cisco
specific algorithms.
▪ IPsec works at the transport layer and protects data at the network
layer.
▪ IPsec is a framework of open standards that relies on existing
algorithms.
Explanation: IPsec can secure a path between two network devices. IPsec
can provide the following security functions:
Confidentiality – IPsec ensures confidentiality by using encryption.
Integrity – IPsec ensures that data arrives unchanged at the destination using
a hash algorithm, such as MD5 or SHA.
Authentication – IPsec uses Internet Key Exchange (IKE) to authenticate users
and devices that can carry out communication independently. IKE uses
several types of authentication, including username and password, one-time
password, biometrics, pre-shared keys (PSKs), and digital certificates.
Secure key exchange- IPsec uses the Diffie-Hellman (DH) algorithm to provide
a public key exchange method for two peers to establish a shared secret key.
15. Which is a requirement of a site-to-site VPN?
▪ It requires hosts to use VPN client software to encapsulate traffic.
▪ It requires the placement of a VPN server at the edge of the company
network.
▪ It requires a VPN gateway at each end of the tunnel to encrypt and
decrypt traffic.
▪ It requires a client/server architecture.
Explanation: Site-to-site VPNs are static and are used to connect entire
networks. Hosts have no knowledge of the VPN and send TCP/IP traffic to
VPN gateways. The VPN gateway is responsible for encapsulating the traffic
and forwarding it through the VPN tunnel to a peer gateway at the other end
which decapsulates the traffic.
16. Consider the following configuration on a Cisco ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
What is the purpose of this command?
▪ to define the ISAKMP parameters that are used to establish the tunnel
▪ to define the encryption and integrity algorithms that are used to
build the IPsec tunnel
▪ to define what traffic is allowed through and protected by the tunnel
▪ to define only the allowed encryption algorithms
Explanation: The transform set is negotiated during Phase 2 of the IPsec VPN
connection process. Its purpose is to define which encryption and authentication
schemes will protect the data. The device initiating the VPN offers its acceptable
transform sets in order of preference, and the first set that the responder also has
configured is selected. ESP-DES-SHA is the name of the transform set; the parameters
that follow are applied together to every packet: esp-des selects DES encryption for
confidentiality and esp-sha-hmac selects SHA-1 HMAC for integrity and authentication
of the payload. Remember that ESP provides confidentiality with encryption and
integrity with authentication. Note that a 56-bit DES key and SHA-1 are legacy
choices kept here because the exhibit uses them; a production transform set should
use AES (esp-aes 256) with esp-sha256-hmac.
17. What is needed to define interesting traffic in the creation of an IPsec
tunnel?
▪ security associations
▪ hashing algorithm
▪ access list
▪ transform set
Explanation: In order to bring up an IPsec tunnel, an access list must be
configured with a permit statement that will identify interesting traffic. Once
interesting traffic is detected by matching the access list, the tunnel security
associations can be negotiated.
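The pieces asked about in questions 5 to 8, 16 and 17 fit together in one R1 configuration. The following is an added example for the R1 side of a site-to-site IPsec VPN; it is not taken from the quiz, and the interface, addresses (RFC 5737 documentation ranges), names, and pre-shared key are assumptions chosen for the illustration. The five steps appear in the order the course expects, and the transform set uses AES/SHA-256 rather than the legacy DES/SHA-1 pair in question 16.

```cisco
! Step 1 - ISAKMP (IKE Phase 1) policy and peer authentication.
! Policy 10 is tried first on this router; the peer does not need the same number.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Str0ngPSK-change-me address 203.0.113.2
!
! Step 2 - IPsec transform set (the IKE Phase 2 proposal).
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 3 - interesting traffic: the permit statement defines what is protected.
! It must mirror the ACL on R2 (source and destination swapped) or traffic
! will be dropped even though the tunnel comes up.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Step 4 - crypto map: binds the ACL and transform set, names the peer,
! and enables PFS so each IPsec SA gets a fresh DH exchange.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 set pfs group14
 set security-association lifetime seconds 3600
 match address VPN-TRAFFIC
!
! Step 5 - apply the crypto map to the WAN interface that faces the peer.
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
```

R2 mirrors this configuration with the peer address and the ACL source/destination swapped. Verify Phase 1 with show crypto isakmp sa, Phase 2 with show crypto ipsec sa (the pkts encaps/decaps counters should both increase when interesting traffic flows), and the binding with show crypto map. If the LAN is also translated with NAT on the WAN interface, the VPN-protected traffic must be excluded from the NAT ACL first, otherwise it never matches the crypto ACL.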
18. What is a function of the GRE protocol?
▪ to configure the set of encryption and hashing algorithms that will be
used to transform the data sent through the IPsec tunnel
▪ to encapsulate multiple OSI Layer 3 protocol packet types inside an IP
tunnel
▪ to configure the IPsec tunnel lifetime
▪ to provide encryption through the IPsec tunnel
Explanation: The transform set is the set of encryption and hashing algorithms
that will be used to transform the data sent through the IPsec tunnel. GRE
supports multiprotocol tunneling. It can encapsulate multiple OSI Layer 3
protocol packet types inside an IP tunnel. Routing protocols that are used
across the tunnel enable dynamic exchange of routing information in the virtual
network. GRE does not provide encryption.
19. Refer to the exhibit. What HMAC algorithm is being used to provide data
integrity?

▪ MD5
▪ AES
▪ SHA
▪ DH
Explanation: Two popular hash algorithms used to detect modification of data in
transit (data integrity) are MD5 and SHA. The command
Router1(config-isakmp)# hash sha indicates that SHA-1 is being used (hash sha256
selects SHA-256, the better choice on current IOS). AES is an encryption algorithm
and provides data confidentiality. DH (Diffie-Hellman) is an algorithm that is used
for key exchange. RSA is an algorithm used for authentication by way of digital
signatures.
20. Two corporations have just completed a merger. The network engineer
has been asked to connect the two corporate networks without the expense
of leased lines. Which solution would be the most cost effective method of
providing a proper and secure connection between the two corporate
networks?
▪ Cisco AnyConnect Secure Mobility Client with SSL
▪ Cisco Secure Mobility Clientless SSL VPN
▪ Frame Relay
▪ remote access VPN using IPsec
▪ site-to-site VPN
Explanation: The site-to-site VPN is an extension of a classic WAN network
that provides a static interconnection of entire networks. Frame Relay would
be a better choice than leased lines, but would be more expensive than
implementing site-to-site VPNs. The other options refer to remote access
VPNs which are better suited for connecting users to the corporate network
versus interconnecting two or more networks.
21. Refer to the exhibit. What show command displays whether the
securityk9 software is installed on the router and whether the EULA license
has been activated?

▪ show running-config
▪ show version
▪ show interfaces s0/0/0
▪ show crypto isakmp policy 1
Explanation: The show version command displays the status of technology
packages on the router. Based on the partial output shown, the router software
already includes ipbasek9 and securityk9. The EvalRightToUse parameter
shows that the license is active thereby giving access to the cryptographic
features, IPsec and ISAKMP, required to create an IPsec VPN.
22. What type of traffic is supported by IPsec?
▪ IPsec supports all IPv4 traffic.
▪ IPsec supports layer 2 multicast traffic.
▪ IPsec supports all traffic permitted through an ACL.
▪ IPsec only supports unicast traffic.
Explanation: IPsec only supports unicast traffic, because a security association is
negotiated between two unicast peer addresses. If multicast traffic, such as routing
protocol hellos, needs to travel through the tunnel, a GRE tunnel must be configured
between the peers and the GRE packets are then protected by IPsec (GRE over IPsec).

1. A network analyst wants to monitor the activity of all new interns. Which
type of security testing would track when the interns sign on and sign off
the network?
▪ vulnerability scanning
▪ password cracking
▪ network scanning
▪ integrity checker
Explanation: An integrity checking system can report login and logout
activities. Network scanning can detect user names, groups, and shared
resources by scanning listening TCP ports. Password cracking is used to test
and detect weak passwords. Vulnerability scanning can detect potential
weaknesses in a system, such as misconfigurations, default passwords, or
DoS attack targets.
2. What are three characteristics of SIEM? (Choose three.)
▪ can be implemented as software or as a service
▪ Microsoft port scanning tool designed for Windows
▪ examines logs and events from systems and applications to detect
security threats
▪ consolidates duplicate event data to minimize the volume of gathered
data
▪ uses penetration testing to determine most network vulnerabilities
▪ provides real-time reporting for short-term security event analysis
Explanation: Security Information and Event Management (SIEM) is a technology
that provides real-time reporting and long-term analysis of security events.
SIEM collects and searches logs and events from disparate systems and
applications to detect threats, and it aggregates duplicate events to reduce the
volume of event data. SIEM can be implemented as software or as a managed
service. SuperScan is a Microsoft Windows port-scanning tool that runs on most
versions of Windows. Tools such as Nmap and SuperScan are used in penetration
testing to map a network and find exposed services; a SIEM does not perform
penetration testing itself.
3. What testing tool is available for network administrators who need a GUI
version of Nmap?
▪ SuperScan
▪ SIEM
▪ Nessus
▪ Zenmap
Explanation: Nmap and Zenmap are low-level network scanners available to
the public. Zenmap is the GUI version of Nmap. SuperScan is a Microsoft port
scanning software that detects open TCP and UDP ports on systems. Nessus
can scan systems for software vulnerabilities. SIEM is used to provide real-
time reporting of security events.
4. What is the goal of network penetration testing?
▪ determining the feasibility and the potential consequences of a
successful attack
▪ detecting potential weaknesses in systems
▪ detecting configuration changes on network systems
▪ detecting weak passwords
Explanation: There are many security tests that can be used to assess a
network. Penetration testing is used to determine the possible consequences
of successful attacks on the network. Vulnerability scanning can detect
potential weaknesses in systems. Password cracking can detect weak
passwords. Integrity checkers can detect and report configuration changes.
5. How does network scanning help assess operations security?
▪ It can detect open TCP ports on network systems.
▪ It can detect weak or blank passwords.
▪ It can simulate attacks from malicious sources.
▪ It can log abnormal activity.
Explanation: Network scanning can help a network administrator strengthen
the security of the network and systems by identifying open TCP and UDP
ports that could be targets of an attack.
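To make the point concrete, the following Python script, added for this edition rather than taken from the quiz, is a minimal TCP connect scanner of the kind Nmap and Zenmap run at scale. So that it works offline it also opens a constructed listener on the loopback interface and scans that port alongside one that is closed; pointed at any other host this is a port scan and needs authorization first.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> bool:
    """TCP connect() probe: True when the three-way handshake completes
    (port open). A refused connection means closed; a timeout usually
    means a firewall is silently dropping the SYN (filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False


def scan_ports(host: str, ports: Iterable[int], workers: int = 32) -> list[int]:
    """Probe each port concurrently and return the sorted list of open ones."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda p: probe_tcp(host, p), ports))
    return sorted(p for p, is_open in zip(ports, flags) if is_open)


def start_local_target() -> tuple[socket.socket, int]:
    """Constructed target for the offline demo: a listener on a free
    loopback port, standing in for a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_local_port() -> int:
    """Find a loopback port that is currently closed by binding and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict[str, object]:
    """Scan one open and one closed loopback port; only the open one is reported."""
    srv, open_port = start_local_target()
    try:
        closed_port = free_local_port()
        found = scan_ports("127.0.0.1", [open_port, closed_port])
        return {"open": open_port, "closed": closed_port, "found": found}
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake and so appears in the target's application logs; Nmap's default SYN scan (-sS) sends only the SYN and needs raw-socket privileges, which is why the GUI front end is usually run as an administrator. For auditing your own perimeter, scan from outside the firewall as well as inside, since the ASA questions that follow hinge on which direction traffic is permitted.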
6. What are three characteristics of the ASA routed mode? (Choose three.)
▪ This mode is referred to as a “bump in the wire.”
▪ In this mode, the ASA is invisible to an attacker.
▪ The interfaces of the ASA separate Layer 3 networks and require
different IP addresses in different subnets.
▪ It is the traditional firewall deployment mode.
▪ This mode does not support VPNs, QoS, or DHCP Relay.
▪ NAT can be implemented between connected networks.
Explanation: Routed mode is the traditional mode for deploying a firewall
where there are two or more interfaces that separate Layer 3 networks. The
ASA is considered to be a router hop in the network and can perform NAT
between connected networks. Routed mode supports multiple interfaces. Each
interface is on a different subnet and requires an IP address on that subnet.
7. In which two instances will traffic be denied as it crosses the ASA 5505
device? (Choose two.)
▪ traffic originating from the inside network going to the DMZ network
▪ traffic originating from the inside network going to the outside network
▪ traffic originating from the outside network going to the DMZ network
▪ traffic originating from the DMZ network going to the inside network
▪ traffic originating from the outside network going to the inside
network
Explanation: On an ASA 5505 (as on any ASA), traffic is denied by default when it
travels from a lower security level to a higher security level. The highest security
zone is the internal network (level 100), the DMZ is usually the next highest, and
the outside network is the lowest (level 0). Traffic from a lower level reaches a
higher level only when it is return traffic for a connection initiated from the
higher-security side, which stateful inspection tracks, or when an ACL applied
inbound on the lower-security interface explicitly permits it.
8. Refer to the exhibit. Based on the security levels of the interfaces on the
ASA, what statement correctly describes the flow of traffic allowed on the
interfaces?

▪ Traffic that is sent from the LAN and the Internet to the DMZ is
considered inbound.
▪ Traffic that is sent from the DMZ and the Internet to the LAN is
considered outbound.
▪ Traffic that is sent from the LAN to the DMZ is considered inbound.
▪ Traffic that is sent from the LAN to the DMZ is considered inbound.
▪ Traffic that is sent from the DMZ and the LAN to the Internet is
considered outbound.
Explanation: When traffic moves from an interface with a higher security level
to an interface with a lower security level, it is considered outbound traffic.
Conversely, traffic that moves from an interface with a lower security level to
an interface with a higher security level is considered inbound traffic.
9. Refer to the exhibit. A network administrator is configuring the security
level for the ASA. Which statement describes the default result if the
administrator tries to assign the Inside interface with the same security
level as the DMZ interface?

▪ The ASA allows inbound traffic initiated on the Internet to the DMZ, but
not to the Inside interface.
▪ The ASA console will display an error message.
▪ The ASA will not allow traffic in either direction between the Inside
interface and the DMZ.
▪ The ASA allows traffic from the Inside to the DMZ, but blocks traffic
initiated on the DMZ to the Inside interface.
Explanation: Multiple interfaces in an ASA can be assigned the same security
level. To allow connectivity between interfaces with the same security levels,
the same-security-traffic permit inter-interface global configuration command is
required. Traffic from the higher level network to the lower level network is
allowed by default. However, traffic initiated on the lower level network is
denied access to the higher level network by default.
10. What can be configured as part of a network object?
▪ interface type
▪ IP address and mask
▪ upper layer protocol
▪ source and destination MAC address
Explanation: There are two types of objects that can be configured on the
Cisco ASA 5505: network objects and service objects. Network objects can be
configured with an IP address and mask. Service objects can be configured
with a protocol or port ranges.
11. What is the function of a policy map configuration when an ASA firewall
is being configured?
▪ binding a service policy to an interface
▪ binding class maps with actions
▪ identifying interesting traffic
▪ using ACLs to match traffic
Explanation: Policy maps are used to bind class maps with actions. Class maps
are configured to identify Layer 3 and Layer 4 traffic. Service policies are
configured to attach the policy map to an interface (or globally).
12. What is the purpose of configuring an IP address on an ASA device in
transparent mode?
▪ management
▪ routing
▪ NAT
▪ VPN connectivity
Explanation: An ASA device configured in transparent mode functions like a
Layer 2 device, a "bump in the wire" that is invisible to the hosts on either
side. It does not route, so it does not support dynamic routing protocols, VPNs,
QoS, or DHCP relay. The single IP address configured on the device is used only
for traffic the ASA itself originates or terminates, such as management access
(SSH, ASDM) and syslog.
13. Which license provides up to 50 IPsec VPN users on an ASA 5506-X
device?
▪ the most commonly pre-installed Base license
▪ a purchased Security Plus upgrade license
▪ a purchased Base license
▪ a purchased AnyConnect Premium license
Explanation: The ASA 5506-X commonly has a pre-installed Base license that
has the option to upgrade to the Security Plus license. The Security Plus
license supports a higher connection capacity and up to 50 IPsec VPN users.
14. What mechanism is used by an ASA device to allow inspected outbound
traffic to return to the originating sender who is on an inside network?
▪ access control lists
▪ Network Address Translation
▪ security zones
▪ stateful packet inspection
Explanation: Stateful packet inspection allows return traffic that is sourced on
the outside network to be received by the originating sender on the internal
network.
15. When configuring interfaces on an ASA, which two pieces of information
must be included? (Choose two.)
▪ group association
▪ service level
▪ FirePower version
▪ security level
▪ access list
▪ name
Explanation: When configuring an ASA, each operational interface must have
a name and a security level from 0 (lowest) to 100 (highest) assigned.
16. Refer to the exhibit. A network administrator is verifying the security
configuration of an ASA. Which command produces the exhibited output?

▪ show vlan
▪ show ip interface brief
▪ show interface ip brief
▪ show switch vlan
Explanation: Use the show interface ip brief command to verify IP address
assignment and interface status on an ASA.
17. What interface configuration command is used on an ASA to request an
IP address from an upstream DSL device?
▪ ip address ip-address netmask
▪ ip address dhcp setroute
▪ dhcpd address IP_address1 [ -IP_address2 ] if_name
▪ ip address pppoe
Explanation: Configuring IP addresses on interfaces can be done manually
using the ip address command. It can also be accomplished by using DHCP
when an interface is connecting to an upstream device providing DHCP
services. PPPoE is used when an interface is connecting to an upstream DSL
device providing point-to-point connectivity over Ethernet services. The dhcpd
address IP_address1 [ -IP_address2 ] if_name command is used to establish the
IP address pool on a DHCP server.
18. Refer to the exhibit. What kind of NAT is configured on the ASA device?

▪ dynamic NAT
▪ Twice NAT
▪ dynamic PAT
▪ static NAT
Explanation: From the configuration, the source of IP address translation is
the subnet 192.168.5.0/27 and the mapped address is the outside interface.
This is an example of dynamic PAT. Dynamic NAT, dynamic PAT, and static
NAT are referred to as “network object NAT” because the configuration
requires network objects to be configured. Twice NAT identifies both the
source and destination address in a single rule ( nat command), and it is used
when configuring remote-access IPsec and SSL VPNs.
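The ASA commands that questions 9, 10, 11, 15, 17 and 18 refer to fit together in one base configuration. The following is an added example for an ASA 5506-X, not text from the quiz; interface numbers, names, addresses (RFC 5737 documentation ranges), and object names are assumptions chosen for the illustration.

```cisco
! Every operational interface needs a name and a security level (0-100).
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! For a DSL modem that requires PPPoE the outside interface would instead use
! "ip address pppoe setroute" together with a vpdn group.
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Only needed when two interfaces share a security level (question 9).
same-security-traffic permit inter-interface
!
! Network objects; object NAT is configured inside the object (question 18).
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network DMZ-WEB
 host 192.168.2.10
 nat (dmz,outside) static 203.0.113.10
!
! Service object: protocol and port rather than addresses.
object service HTTP
 service tcp destination eq 80
!
! An ACL is the only way traffic from a lower security level reaches a
! higher one. On ASA 8.3+ the ACL references the real (untranslated) address.
access-list OUTSIDE-IN extended permit object HTTP any object DMZ-WEB
access-group OUTSIDE-IN in interface outside
!
! Modular Policy Framework: class map -> policy map -> service policy.
! ICMP is not tracked statefully unless it is inspected, so without this
! echo replies from the outside are dropped.
class-map INSIDE-CLASS
 match any
policy-map INSIDE-POLICY
 class INSIDE-CLASS
  inspect icmp
service-policy INSIDE-POLICY interface inside
```

Verify the interfaces with show interface ip brief and show nameif, the translations with show nat and show xlate, and the policy with show service-policy. The inside-to-outside dynamic PAT here matches question 18: a subnet object translated to the outside interface address. Traffic from inside to dmz and from inside to outside is permitted by the security levels alone; everything inbound from outside is dropped unless OUTSIDE-IN permits it or it is a reply to a tracked connection.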
19. What is the purpose of the Tripwire network testing tool?
▪ to perform vulnerability scanning
▪ to provide information about vulnerabilities and aid in penetration testing
and IDS signature development
▪ to assess configuration against established policies, recommended
best practices, and compliance standards
▪ to detect unauthorized wired network access
▪ to provide password auditing and recovery
Explanation: Tripwire assesses system configuration against established policies,
recommended best practices, and compliance standards, and reports changes to
monitored files. The Nessus tool provides remote vulnerability scanning that
focuses on remote access, password misconfiguration, and DoS against the TCP/IP
stack. L0phtCrack provides password auditing and recovery. Metasploit provides
information about vulnerabilities and aids in penetration testing and IDS
signature development.
20. A network analyst is testing the security of the systems and networks of
a corporation. What tool could be used to audit and recover passwords?
▪ L0phtCrack
▪ SuperScan
▪ Nessus
▪ Metasploit
Explanation: Some of the software tools that can be used to perform network
testing include:
SuperScan – port scanning software designed to detect open TCP and UDP
ports and to determine what services are running on those ports
Nessus – vulnerability scanning software that focuses on remote access,
misconfigurations, and DoS against the TCP/IP stack
L0phtCrack – a password auditing and recovery application
Metasploit – provides information about vulnerabilities and aids in penetration
testing and IDS signature development
21. In which two instances will traffic be denied as it crosses the ASA 5506-X
device? (Choose two.)
▪ traffic originating from the inside network going to the outside network
▪ traffic originating from the inside network going to the DMZ network
▪ traffic originating from the outside network going to the inside
network
▪ traffic originating from the outside network going to the DMZ network
▪ traffic originating from the DMZ network going to the inside network
Explanation: On an ASA 5506-X, traffic is denied by default when it travels from
a lower security zone to a higher security zone. The highest security zone is the
internal network, the DMZ is usually the next highest, and the outside network is
the lowest. Traffic moves from a lower security level to a higher one only when it
is a response to a connection initiated within the higher security zone, or when an
ACL on the lower-security interface explicitly permits it.
1. Match the type of ASA ACLs to the description. (Not all options are used.)
2. Which statement describes a difference between the Cisco ASA IOS CLI
feature and the router IOS CLI feature?
▪ ASA uses the ? command whereas a router uses the help command to
receive help on a brief description and the syntax of a command.
▪ To use a show command in a general configuration mode, ASA can use
the command directly whereas a router will need to enter the do
command before issuing the show command.
▪ To complete a partially typed command, ASA uses the Ctrl+Tab key
combination whereas a router uses the Tab key.
▪ To indicate the CLI EXEC mode, ASA uses the % symbol whereas a
router uses the # symbol.
Explanation: The ASA CLI is a proprietary OS which has a similar look and
feel to the Cisco router IOS. Although it shares some common features with
the router IOS, it has its own unique features. For example, an ASA CLI command
can be executed regardless of the current configuration mode prompt. The
IOS do command is not required or recognized. Both the ASA CLI and the
router CLI use the # symbol to indicate the EXEC mode. Both CLIs use the
Tab key to complete a partially typed command. Different from the router IOS,
the ASA provides a help command that provides a brief command description
and syntax for certain commands.
3. Refer to the exhibit. A network administrator is configuring AAA
implementation on an ASA device. What does the option link3 indicate?
▪ the network name where the AAA server resides
▪ the specific AAA server name
▪ the sequence of servers in the AAA server group
▪ the interface name
4. What provides both secure segmentation and threat defense in a Secure
Data Center solution?
▪ Cisco Security Manager software
▪ AAA server
▪ Adaptive Security Appliance
▪ intrusion prevention system
5. What are the three core components of the Cisco Secure Data Center
solution? (Choose three.)
▪ mesh network
▪ secure segmentation
▪ visibility
▪ threat defense
▪ servers
▪ infrastructure
Explanation: Secure segmentation is used when managing and organizing
data in a data center. Threat defense includes a firewall and intrusion
prevention system (IPS). Data center visibility is designed to simplify
operations and compliance reporting by providing consistent security policy
enforcement.
6. What are three characteristics of ASA transparent mode? (Choose three.)
▪ This mode does not support VPNs, QoS, or DHCP Relay.
▪ It is the traditional firewall deployment mode.
▪ This mode is referred to as a “bump in the wire.”
▪ NAT can be implemented between connected networks.
▪ In this mode the ASA is invisible to an attacker.
▪ The interfaces of the ASA separate Layer 3 networks and require IP
addresses in different subnets.
7. What is needed to allow specific traffic that is sourced on the outside
network of an ASA firewall to reach an internal network?
▪ ACL
▪ NAT
▪ dynamic routing protocols
▪ outside security zone level 0
Explanation: In order to explicitly permit traffic from an interface with a lower
security level to an interface with a higher security level, an ACL must be
configured. By default, traffic will only flow from a higher security level to a
lower one.
8. What will be the result of failed login attempts if the following command
is entered into a router?
login block-for 150 attempts 4 within 90
▪ All login attempts will be blocked for 150 seconds if there are 4 failed
attempts within 90 seconds.
▪ All login attempts will be blocked for 90 seconds if there are 4 failed
attempts within 150 seconds.
▪ All login attempts will be blocked for 1.5 hours if there are 4 failed
attempts within 150 seconds.
▪ All login attempts will be blocked for 4 hours if there are 90 failed
attempts within 150 seconds.
Explanation: The components of the login block-for 150 attempts 4 within 90
command are as follows:
The expression block-for 150 is the time in seconds that logins will be blocked.
The expression attempts 4 is the number of failed attempts that will trigger the
blocking of login requests.
The expression within 90 is the time in seconds in which the 4 failed attempts
must occur.
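To make the three parameters concrete, here is a small added simulation of the quiet-mode logic the explanation describes. It is example code written for this page, not Cisco's implementation: the LoginBlocker class, its sliding-window counting of failures and the choice that a successful login clears the failure count are all assumptions of the example, and the login events are constructed.

```python
# Added example: simulate the IOS "login block-for <block> attempts <n> within <window>"
# quiet-mode behaviour. The class, the sliding-window interpretation and the
# "success clears the counter" rule are this example's own assumptions, not
# Cisco's implementation.
from collections import deque


class LoginBlocker:
    """Track failed logins and enforce a quiet period once the threshold is hit."""

    def __init__(self, block_for, attempts, within):
        self.block_for = block_for      # seconds to stay in quiet mode
        self.attempts = attempts        # failures that trigger quiet mode
        self.within = within            # window (seconds) in which they must occur
        self.failures = deque()         # timestamps of recent failed logins
        self.blocked_until = None       # end of the current quiet period, if any

    @classmethod
    def from_command(cls, command):
        """Parse a line such as 'login block-for 150 attempts 4 within 90'."""
        tokens = command.split()
        if (len(tokens) != 7 or tokens[:2] != ["login", "block-for"]
                or tokens[3] != "attempts" or tokens[5] != "within"):
            raise ValueError(f"not a login block-for command: {command!r}")
        return cls(int(tokens[2]), int(tokens[4]), int(tokens[6]))

    def in_quiet_mode(self, now):
        """True while logins are blocked at time 'now' (seconds)."""
        return self.blocked_until is not None and now < self.blocked_until

    def attempt(self, now, success):
        """Process one login attempt; returns 'blocked', 'ok' or 'failed'."""
        if self.in_quiet_mode(now):
            return "blocked"            # quiet mode: the attempt is refused outright
        if success:
            self.failures.clear()       # assumption: a good login resets the count
            return "ok"
        self.failures.append(now)
        # keep only the failures that fall inside the sliding 'within' window
        while self.failures and now - self.failures[0] >= self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.blocked_until = now + self.block_for   # enter quiet mode
            self.failures.clear()
        return "failed"


def run_scenario(command, events):
    """events: list of (time_in_seconds, success) pairs; returns the outcomes."""
    blocker = LoginBlocker.from_command(command)
    return [blocker.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed scenario: four failures inside 90 s trigger a 150 s block,
    # so the attempt at t=100 is refused and the one at t=180 is processed again.
    events = [(0, False), (10, False), (20, False), (30, False),
              (100, False), (180, True)]
    print(run_scenario("login block-for 150 attempts 4 within 90", events))
```

Feeding the simulator the command from the question shows which number is the block duration and which is the window: failures at 0, 10, 20 and 30 seconds fill the window of 90 seconds, logins are refused until second 180, and a successful login after that is accepted. Swapping the numbers in the command changes the result, which is the point of the syntax question.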
9. Which two tasks are associated with router hardening? (Choose two.)
▪ placing the router in a secure room
▪ disabling unused ports and interfaces
▪ installing the maximum amount of memory possible
▪ securing administrative access
▪ using uninterruptible power supplies
10. Which threat protection capability is provided by Cisco ESA?
▪ web filtering
▪ cloud access security
▪ spam protection
▪ Layer 4 traffic monitoring
Explanation: Email is a top attack vector for security breaches. Cisco ESA
includes many threat protection capabilities for email such as spam protection,
forged email detection, and Cisco advanced phishing protection.
11. What are two security measures used to protect endpoints in the
borderless network? (Choose two.)
▪ denylisting
▪ Snort IPS
▪ DLP
▪ DMZ
▪ rootkit
Explanation:
Measure – Purpose
antimalware software – Protect endpoints from malware.
spam filtering – Prevent spam emails from reaching endpoints.
blocklisting – Prevent endpoints from connecting to websites with bad reputations by
immediately blocking connections based on the latest reputation intelligence.
data loss prevention (DLP) – Prevent sensitive information from being lost or stolen.
12. Which three types of traffic are allowed when the authentication port-control
auto command has been issued and the client has not yet been authenticated?
(Choose three.)
▪ CDP
▪ 802.1Q
▪ IPsec
▪ TACACS+
▪ STP
▪ EAPOL
Explanation: Until the workstation is authenticated, 802.1X access control
enables only Extensible Authentication Protocol over LAN (EAPOL), Cisco
Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through
the port to which the workstation is connected. After authentication succeeds,
normal traffic can pass through the port.
13. Which statement describes a characteristic of the IKE protocol?
▪ It uses UDP port 500 to exchange IKE information between the
security gateways.
▪ IKE Phase 1 can be implemented in three different modes: main,
aggressive, or quick.
▪ It allows for the transmission of keys directly across a network.
▪ The purpose of IKE Phase 2 is to negotiate a security association
between two IKE peers.
14. Which action do IPsec peers take during the IKE Phase 2 exchange?
▪ exchange of DH keys
▪ negotiation of IPsec policy
▪ negotiation of IKE policy sets
▪ verification of peer identity
Explanation: The IKE protocol executes in two phases. During Phase 1 the
two sides negotiate IKE policy sets, authenticate each other, and set up a
secure channel. During the second phase IKE negotiates security associations
between the peers.
15. What are two hashing algorithms used with IPsec AH to guarantee
authenticity? (Choose two.)
▪ SHA
▪ RSA
▪ DH
▪ MD5
▪ AES
Explanation: The IPsec framework uses various protocols and algorithms to
provide data confidentiality, data integrity, authentication, and secure key
exchange. Two popular algorithms used to ensure that data is not intercepted
and modified (data integrity and authenticity) are MD5 and SHA.
16. Which command raises the privilege level of the ping command to 7?
▪ user exec ping level 7
▪ authorization exec ping level 7
▪ accounting exec level 7 ping
▪ privilege exec level 7 ping
17. What is a characteristic of a role-based CLI view of router configuration?
▪ A CLI view has a command hierarchy, with higher and lower views.
▪ When a superview is deleted, the associated CLI views are deleted.
▪ A single CLI view can be shared within multiple superviews.
▪ Only a superview user can configure a new view and add or remove
commands from the existing views.
Explanation: A CLI view has no command hierarchy, and therefore, no higher
or lower views. Deleting a superview does not delete the associated CLI
views. Only a root view user can configure a new view and add or remove
commands from the existing views.
18. What is a limitation to using OOB management on a large enterprise
network?
▪ Production traffic shares the network with management traffic.
▪ Terminal servers can have direct console connections to user devices
needing management.
▪ OOB management requires the creation of VPNs.
▪ All devices appear to be attached to a single management network.
Explanation: OOB management provides a dedicated management network
without production traffic. Devices within that network, such as terminal
servers, have direct console access for management purposes. Because in-
band management runs over the production network, secure tunnels or VPNs
may be needed. Failures on the production network may not be communicated
to the OOB network administrator because the OOB management network
may not be affected.
19. Refer to the exhibit. A corporate network is using NTP to synchronize
the time across devices. What can be determined from the displayed
output?
▪ Router03 is a stratum 2 device that can provide NTP service to other
devices in the network.
▪ The time on Router03 may not be reliable because it is offset by more
than 7 seconds to the time server.
▪ The interface on Router03 that connects to the time server has the IPv4
address 209.165.200.225.
▪ Router03 time is synchronized to a stratum 2 time server.
20. Refer to the exhibit. Which two conclusions can be drawn from the
syslog message that was generated by the router? (Choose two.)
▪ This message resulted from an unusual error requiring reconfiguration of
the interface.
▪ This message indicates that service timestamps have been configured.
▪ This message indicates that the interface changed state five times.
▪ This message is a level 5 notification message.
▪ This message indicates that the interface should be replaced.
Explanation: The message is a level 5 notification message as shown in the
%LINEPROTO-5 section of the output. Messages reporting the link status are
common and do not require replacing the interface or reconfiguring the
interface. The date and time displayed at the beginning of the message
indicates that service timestamps have been configured on the router.
21. Which two types of hackers are typically classified as grey hat hackers?
(Choose two.)
▪ hacktivists
▪ cyber criminals
▪ vulnerability brokers
▪ script kiddies
▪ state-sponsored hackers
Explanation: Grey hat hackers may do unethical or illegal things, but not for
personal gain or to cause damage. Hacktivists use their hacking as a form of
political or social protest, and vulnerability brokers hack to uncover
weaknesses and report them to vendors. Depending on the perspective one
possesses, state-sponsored hackers are either white hat or black hat
operators. Script kiddies create hacking scripts to cause damage or disruption.
Cyber criminals use hacking to obtain financial gain by illegal means.
Network Security (Version 1) – Network Security 1.0 Final Exam
22. When describing malware, what is a difference between a virus and a
worm?
▪ A virus focuses on gaining privileged access to a device, whereas a
worm does not.
▪ A virus replicates itself by attaching to another file, whereas a worm
can replicate itself independently.
▪ A virus can be used to launch a DoS attack (but not a DDoS), but a
worm can be used to launch both DoS and DDoS attacks.
▪ A virus can be used to deliver advertisements without user consent,
whereas a worm cannot.
Explanation: Malware can be classified as follows:
Virus (self-replicates by attaching to another program or file)
Worm (replicates independently of another program)
Trojan horse (masquerades as a legitimate file or program)
Rootkit (gains privileged access to a machine while concealing itself)
Spyware (collects information from a target system)
Adware (delivers advertisements with or without consent)
Bot (waits for commands from the hacker)
Ransomware (holds a computer system or data captive until payment
is received)
23. Which type of packet is unable to be filtered by an outbound ACL?
▪ multicast packet
▪ ICMP packet
▪ broadcast packet
▪ router-generated packet
Explanation: Traffic that originates within a router such as pings from a
command prompt, remote access from a router to another device, or routing
updates are not affected by outbound access lists. The traffic must flow
through the router in order for the router to apply the ACEs.
24. Consider the access list command applied outbound on a router serial
interface.
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply
What is the effect of applying this access list command?
▪ The only traffic denied is echo-replies sourced from the 192.168.10.0/24
network. All other traffic is allowed.
▪ The only traffic denied is ICMP-based traffic. All other traffic is allowed.
▪ No traffic will be allowed outbound on the serial interface.
▪ Users on the 192.168.10.0/24 network are not allowed to transmit traffic
to any other destination.
25. Which command is used to activate an IPv6 ACL named ENG_ACL on an
interface so that the router filters traffic prior to accessing the routing
table?
▪ ipv6 access-class ENG_ACL in
▪ ipv6 traffic-filter ENG_ACL out
▪ ipv6 traffic-filter ENG_ACL in
▪ ipv6 access-class ENG_ACL out
Explanation: For the purpose of applying an access list to a particular
interface, the IPv6 ipv6 traffic-filter command is equivalent to the IPv4
access-group command. The direction in which the traffic is examined (in or
out) is also required.
26. What technology has a function of using trusted third-party protocols to
issue credentials that are accepted as an authoritative identity?
▪ digital signatures
▪ hashing algorithms
▪ PKI certificates
▪ symmetric keys
Explanation: Digital certificates are used to prove the authenticity and integrity
of PKI certificates, but a PKI Certificate Authority is a trusted third-party entity
that issues PKI certificates. PKI certificates are public information and are
used to provide authenticity, confidentiality, integrity, and nonrepudiation
services that can scale to large requirements.
27. What are two methods to maintain certificate revocation status?
(Choose two.)
▪ subordinate CA
▪ OCSP
▪ DNS
▪ LDAP
▪ CRL
Explanation: A digital certificate might need to be revoked if its key is
compromised or it is no longer needed. The certificate revocation list (CRL)
and Online Certificate Status Protocol (OCSP), are two common methods to
check a certificate revocation status.
28. Which protocol is an IETF standard that defines the PKI digital
certificate format?
▪ SSL/TLS
▪ X.500
▪ LDAP
▪ X.509
Explanation: To address the interoperability of different PKI vendors, IETF
published the Internet X.509 Public Key Infrastructure Certificate Policy and
Certification Practices Framework (RFC 2527). The standard defines the
format of a digital certificate.
29. A network administrator is configuring DAI on a switch. Which
command should be used on the uplink interface that connects to a router?
▪ ip arp inspection trust
▪ ip dhcp snooping
▪ ip arp inspection vlan
▪ spanning-tree portfast
Explanation: In general, a router serves as the default gateway for the LAN or
VLAN on the switch. Therefore, the uplink interface that connects to a router
should be a trusted port for forwarding ARP requests.
30. What is the best way to prevent a VLAN hopping attack?
▪ Disable trunk negotiation for trunk ports and statically set nontrunk
ports as access ports.
▪ Disable STP on all nontrunk ports.
▪ Use VLAN 1 as the native VLAN on trunk ports.
▪ Use ISL encapsulation on all trunk links.
Explanation: VLAN hopping attacks rely on the attacker being able to create a
trunk link with a switch. Disabling DTP and configuring user-facing ports as
static access ports can help prevent these types of attacks. Disabling the
Spanning Tree Protocol (STP) will not eliminate VLAN hopping attacks.
31. What would be the primary reason an attacker would launch a MAC
address overflow attack?
▪ so that the switch stops forwarding traffic
▪ so that legitimate hosts cannot obtain a MAC address
▪ so that the attacker can see frames that are destined for other hosts
▪ so that the attacker can execute arbitrary code on the switch
32. What is the main difference between the implementation of IDS and IPS
devices?
▪ An IDS can negatively impact the packet flow, whereas an IPS cannot.
▪ An IDS needs to be deployed together with a firewall device, whereas
an IPS can replace a firewall.
▪ An IDS would allow malicious traffic to pass before it is addressed,
whereas an IPS stops it immediately.
▪ An IDS uses signature-based technology to detect malicious packets,
whereas an IPS uses profile-based technology.
Explanation: An IPS is deployed in inline mode and will not allow malicious
traffic to enter the internal network without first analyzing it. An advantage of
this is that it can stop an attack immediately. An IDS is deployed in
promiscuous mode. It copies the traffic patterns and analyzes them offline,
thus it cannot stop the attack immediately and it relies on another device to
take further actions once it detects an attack. Being deployed in inline mode,
an IPS can negatively impact the traffic flow. Both IDS and IPS can use
signature-based technology to detect malicious packets. An IPS cannot
replace other security devices, such as firewalls, because they perform
different tasks.
33. Which attack is defined as an attempt to exploit software vulnerabilities
that are unknown or undisclosed by the vendor?
▪ zero-day
▪ Trojan horse
▪ brute-force
▪ man-in-the-middle
34. Match the network monitoring technology with the description.
35. What are the three signature levels provided by Snort IPS on the 4000
Series ISR? (Choose three.)
▪ security
▪ drop
▪ reject
▪ connectivity
▪ inspect
▪ balanced
36. What are three attributes of IPS signatures? (Choose three.)
▪ action
▪ length
▪ trigger
▪ type
▪ depth
▪ function
Explanation: IPS signatures have three distinctive attributes:
▪ type
▪ trigger (alarm)
▪ action
37. Match each IPS signature trigger category with the description.
Other case:
▪ pattern-based detection: simplest triggering mechanism which
searches for a specific and pre-defined atomic or composite pattern
▪ anomaly-based detection: involves first defining a profile of what is
considered normal network or host activity
▪ honey pot-based detection: uses a decoy server to divert attacks away
from production devices
38. Which two features are included by both TACACS+ and RADIUS
protocols? (Choose two.)
▪ SIP support
▪ password encryption
▪ 802.1X support
▪ separate authentication and authorization processes
▪ utilization of transport layer protocols
Explanation: Both TACACS+ and RADIUS support password encryption
(TACACS+ encrypts all communication) and use Layer 4 protocols (TACACS+
uses TCP and RADIUS uses UDP). TACACS+ supports separation of the
authentication and authorization processes, while RADIUS combines
authentication and authorization into one process. RADIUS supports remote
access technology, such as 802.1X and SIP; TACACS+ does not.
39. What function is provided by the RADIUS protocol?
▪ RADIUS provides encryption of the complete packet during transfer.
▪ RADIUS provides separate AAA services.
▪ RADIUS provides separate ports for authorization and accounting.
▪ RADIUS provides secure communication using TCP port 49.
Explanation: When an AAA user is authenticated, RADIUS uses UDP port
1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting.
TACACS+ provides separate authorization and accounting services. When a
RADIUS client is authenticated, it is also authorized. TACACS+ provides secure
connectivity using TCP port 49. RADIUS hides passwords during transmission
and does not encrypt the complete packet.
40. What are three characteristics of the RADIUS protocol? (Choose three.)
▪ utilizes TCP port 49
▪ uses UDP ports for authentication and accounting
▪ supports 802.1X and SIP
▪ separates the authentication and authorization processes
▪ encrypts the entire body of the packet
▪ is an open RFC standard AAA protocol
Explanation: RADIUS is an open-standard AAA protocol using UDP port 1645
or 1812 for authentication and UDP port 1646 or 1813 for accounting. It
combines authentication and authorization into one process; thus, a password
is encrypted for transmission while the rest of the packet will be sent in plain
text. RADIUS offers the expedited service and more comprehensive
accounting desired by remote-access providers but provides lower security
and less potential for customization than TACACS+.
41. Which zone-based policy firewall zone is system-defined and applies to
traffic destined for the router or originating from the router?
▪ local zone
▪ inside zone
▪ self zone
▪ system zone
▪ outside zone
42. What are two benefits of using a ZPF rather than a Classic Firewall?
(Choose two.)
▪ ZPF allows interfaces to be placed into zones for IP inspection.
▪ The ZPF is not dependent on ACLs.
▪ Multiple inspection actions are used with ZPF.
▪ ZPF policies are easy to read and troubleshoot.
▪ With ZPF, the router will allow packets unless they are explicitly blocked.
Explanation: There are several benefits of a ZPF:
– It is not dependent on ACLs.
– The router security posture is to block unless explicitly allowed.
– Policies are easy to read and troubleshoot with C3PL.
– One policy affects any given traffic, instead of needing multiple ACLs and
inspection actions.
In addition, an interface cannot be simultaneously configured as a security
zone member and for IP inspection.
43. Place the steps for configuring zone-based policy (ZPF) firewalls in
order from first to last. (Not all options are used.)
44. How does a firewall handle traffic when it is originating from the private
network and traveling to the DMZ network?
▪ The traffic is selectively denied based on service requirements.
▪ The traffic is usually permitted with little or no restrictions.
▪ The traffic is selectively permitted and inspected.
▪ The traffic is usually blocked.
Explanation: With a three interface firewall design that has internal, external,
and DMZ connections, typical configurations include the following:
– Traffic originating from DMZ destined for the internal network is normally
blocked.
– Traffic originating from the DMZ destined for external networks is typically
permitted based on what services are being used in the DMZ.
– Traffic originating from the internal network destined for the DMZ is
normally inspected and allowed to return.
– Traffic originating from external networks (the public network) is typically
allowed in the DMZ only for specific services.
45. Which two protocols generate connection information within a state
table and are supported for stateful filtering? (Choose two.)
▪ ICMP
▪ UDP
▪ DHCP
▪ TCP
▪ HTTP
46. Which type of firewall is supported by most routers and is the easiest to
implement?
▪ next generation firewall
▪ stateless firewall
▪ stateful firewall
▪ proxy firewall
Explanation: A packet filtering (stateless) firewall uses a simple policy table
look-up that filters traffic based on specific criteria and is considered the
easiest firewall to implement.
47. What network testing tool would an administrator use to assess and
validate system configurations against security policies and compliance
standards?
▪ Tripwire
▪ L0phtcrack
▪ Nessus
▪ Metasploit
Explanation: Tripwire – This tool assesses and validates IT configurations
against internal policies, compliance standards, and security best practices.
48. What type of network security test can detect and report changes made
to network systems?
▪ vulnerability scanning
▪ network scanning
▪ integrity checking
▪ penetration testing
Explanation: Integrity checking is used to detect and report changes made to
systems. Vulnerability scanning is used to find weaknesses and
misconfigurations on network systems. Network scanning is used to discover
available resources on the network.
49. What network security testing tool has the ability to provide details on
the source of suspicious network activity?
▪ SIEM
▪ SuperScan
▪ Zenmap
▪ Tripwire
50. How do modern cryptographers defend against brute-force attacks?
▪ Use statistical analysis to eliminate the most common encryption keys.
▪ Use a keyspace large enough that it takes too much money and too
much time to conduct a successful attack.
▪ Use an algorithm that requires the attacker to have both ciphertext and
plaintext to conduct a successful attack.
▪ Use frequency analysis to ensure that the most popular letters used in
the language are not used in the cipher message.
Explanation: In a brute-force attack, an attacker tries every possible key with
the decryption algorithm knowing that eventually one of them will work. To
defend against brute-force attacks, modern cryptographers have as an
objective to have a keyspace (the set of all possible keys) large enough that it
takes too much money and too much time to accomplish a brute-force attack.
A security policy requiring passwords to be changed at a predefined interval
further defends against brute-force attacks. The idea is that passwords will
have been changed before an attacker exhausts the keyspace.
51. How does a Caesar cipher work on a message?
▪ Letters of the message are replaced by another letter that is a set
number of places away in the alphabet.
▪ Letters of the message are rearranged randomly.
▪ Letters of the message are rearranged based on a predetermined
pattern.
▪ Words of the message are substituted based on a predetermined
pattern.
52. What is the main factor that ensures the security of encryption of
modern algorithms?
▪ complexity of the hashing algorithm
▪ the use of 3DES over AES
▪ secrecy of the keys
▪ secrecy of the algorithm
Explanation: With most modern algorithms, successful decryption requires
knowledge of the appropriate cryptographic keys. This means that the security
of encryption lies in the secrecy of the keys, not the algorithm.
53. What is the next step in the establishment of an IPsec VPN after IKE
Phase 1 is complete?
▪ negotiation of the ISAKMP policy
▪ negotiation of the IPsec SA policy
▪ detection of interesting traffic
▪ authentication of peers
Explanation: Establishing an IPsec tunnel involves five steps:
1) detection of interesting traffic defined by an ACL
2) IKE Phase 1, in which peers negotiate the ISAKMP SA policy
3) IKE Phase 2, in which peers negotiate the IPsec SA policy
4) creation of the IPsec tunnel
5) termination of the IPsec tunnel
54. Refer to the exhibit. What algorithm will be used for providing
confidentiality?
▪ RSA
▪ Diffie-Hellman
▪ DES
▪ AES
Explanation: The IPsec framework uses various protocols and algorithms to
provide data confidentiality, data integrity, authentication, and secure key
exchange. Two popular algorithms that are used to ensure that data is not
intercepted and modified (data integrity) are MD5 and SHA. AES is an
encryption protocol and provides data confidentiality. DH (Diffie-Hellman) is an
algorithm that is used for key exchange. RSA is an algorithm used for
authentication.
55. After issuing a show run command, an analyst notices the following
command:
crypto ipsec transform-set MYSET esp-aes 256 esp-md5-hmac
What is the purpose of this command?
▪ It establishes the set of encryption and hashing algorithms used to
secure the data sent through an IPsec tunnel.
▪ It defines the default ISAKMP policy list used to establish the IKE Phase
1 tunnel.
▪ It establishes the criteria to force the IKE Phase 1 negotiations to begin.
▪ It indicates that IKE will be used to establish the IPsec tunnel for
protecting the traffic.
56. Which algorithm can ensure data integrity?
▪ RSA
▪ AES
▪ MD5
▪ PKI
Explanation: Data integrity guarantees that the message was not altered in
transit. Integrity is ensured by implementing either of the Secure Hash
Algorithms (SHA-2 or SHA-3). The MD5 message digest algorithm is still
widely in use.
57. A company implements a security policy that ensures that a file sent
from the headquarters office to the branch office can only be opened with a
predetermined code. This code is changed every day. Which two algorithms
can be used to achieve this task? (Choose two.)
▪ HMAC
▪ MD5
▪ 3DES
▪ SHA-1
▪ AES
Explanation: The task to ensure that only authorized personnel can open a file
is data confidentiality, which can be implemented with encryption. AES and
3DES are two encryption algorithms. HMAC can be used for ensuring origin
authentication. MD5 and SHA-1 can be used to ensure data integrity.
58. A network technician has been asked to design a virtual private network
between two branch routers. Which type of cryptographic key should be
used in this scenario?
▪ hash key
▪ symmetric key
▪ asymmetric key
▪ digital signature
Explanation: A symmetric key requires that both routers have access to the
secret key that is used to encrypt and decrypt exchanged data.
59. Which two options can limit the information discovered from port
scanning? (Choose two.)
▪ intrusion prevention system
▪ firewall
▪ authentication
▪ passwords
▪ encryption
Explanation: Using an intrusion prevention system (IPS) and firewall can limit
the information that can be discovered with a port scanner. Authentication,
encryption, and passwords provide no protection from loss of information from
port scanning.
60. An administrator discovers that a user is accessing a newly established
website that may be detrimental to company security. What action should
the administrator take first in terms of the security policy?
▪ Ask the user to stop immediately and inform the user that this
constitutes grounds for dismissal.
▪ Create a firewall rule blocking the respective website.
▪ Revise the AUP immediately and get all users to sign the updated AUP.
▪ Immediately suspend the network privileges of the user.
61. If AAA is already enabled, which three CLI steps are required to
configure a router with a specific view? (Choose three.)
▪ Create a superview using the parser view view-name command.
▪ Associate the view with the root view.
▪ Assign users who can use the view.
▪ Create a view using the parser view view-name command.
▪ Assign a secret password to the view.
▪ Assign commands to the view.
Explanation: There are five steps involved in creating a view on a Cisco router.
1) AAA must be enabled.
2) the view must be created.
3) a secret password must be assigned to the view.
4) commands must be assigned to the view.
5) view configuration mode must be exited.
62. Refer to the exhibit. A network administrator configures a named ACL
on the router. Why is there no output displayed when the show command is
issued?
▪ The ACL is not activated.
▪ The ACL name is case sensitive.
▪ The ACL has not been applied to an interface.
▪ No packets have matched the ACL statements yet.
63. ACLs are used primarily to filter traffic. What are two additional uses of
ACLs? (Choose two.)
▪ specifying internal hosts for NAT
▪ identifying traffic for QoS
▪ specifying source addresses for authentication
▪ reorganizing traffic into VLANs
▪ filtering VTP packets
Explanation: ACLs are used to filter traffic to determine which packets will be
permitted or denied through the router and which packets will be subject to
policy-based routing. ACLs can also be used to identify traffic that requires
NAT and QoS services. Prefix lists are used to control which routes will be
redistributed or advertised to other routers.
64. What two features are added in SNMPv3 to address the weaknesses of
previous versions of SNMP? (Choose two.)
▪ authentication
▪ authorization with community string priority
▪ bulk MIB objects retrieval
▪ ACL management filtering
▪ encryption
65. What network testing tool is used for password auditing and recovery?
▪ Nessus
▪ Metasploit
▪ L0phtcrack
▪ SuperScan
66. Which type of firewall makes use of a server to connect to destination
devices on behalf of clients?
▪ packet filtering firewall
▪ proxy firewall
▪ stateless firewall
▪ stateful firewall
Explanation: An application gateway firewall, also called a proxy firewall,
filters information at Layers 3, 4, 5, and 7 of the OSI model. It uses a proxy
server to connect to remote servers on behalf of clients. Remote servers will
see only a connection from the proxy server, not from the individual clients.
67. Refer to the exhibit. What will be displayed in the output of the show
running-config object command after the exhibited configuration
commands are entered on an ASA 5506-X?
▪ host 192.168.1.4
▪ range 192.168.1.10 192.168.1.20
▪ host 192.168.1.3, host 192.168.1.4, and range 192.168.1.10
192.168.1.20
▪ host 192.168.1.3
▪ host 192.168.1.3 and host 192.168.1.4
▪ host 192.168.1.4 and range 192.168.1.10 192.168.1.20
Explanation: The show running-config object command is used to display or
verify the IP address/mask pair within the object. There can only be one
statement in the network object. Entering a second IP address/mask pair will
replace the existing configuration.
68. Refer to the exhibit. According to the command output, which three
statements are true about the DHCP options entered on the ASA? (Choose
three.)
▪ The dhcpd address [ start-of-pool ]-[ end-of-pool ] inside command was
issued to enable the DHCP server.
▪ The dhcpd address [ start-of-pool ]-[ end-of-pool ] inside command was
issued to enable the DHCP client.
▪ The dhcpd enable inside command was issued to enable the DHCP
server.
▪ The dhcpd auto-config outside command was issued to enable the
DHCP client.
▪ The dhcpd auto-config outside command was issued to enable the
DHCP server.
▪ The dhcpd enable inside command was issued to enable the DHCP
client.
69. Which two statements describe the characteristics of symmetric
algorithms? (Choose two.)
▪ They are commonly used with VPN traffic.
▪ They use a pair of a public key and a private key.
▪ They are commonly implemented in the SSL and SSH protocols.
▪ They provide confidentiality, integrity, and availability.
▪ They are referred to as a pre-shared key or secret key.
Explanation: Symmetric encryption algorithms use the same key (also called
shared secret) to encrypt and decrypt the data. In contrast, asymmetric
encryption algorithms use a pair of keys, one for encryption and another for
decryption.
70. A web server administrator is configuring access settings to require
users to authenticate first before accessing certain web pages. Which
requirement of information security is addressed through the
configuration?
▪ availability
▪ integrity
▪ scalability
▪ confidentiality
Explanation: Confidentiality ensures that data is accessed only by authorized
individuals. Authentication will help verify the identity of the individuals.
71. The use of 3DES within the IPsec framework is an example of which of
the five IPsec building blocks?
▪ authentication
▪ nonrepudiation
▪ integrity
▪ Diffie-Hellman
▪ confidentiality
Explanation: The IPsec framework consists of five building blocks. Each
building block performs a specific security function via specific protocols. The
function of providing confidentiality is provided by protocols such as DES,
3DES, and AES.
72. What function is provided by Snort as part of the Security Onion?
▪ to generate network intrusion alerts by the use of rules and
signatures
▪ to normalize logs from various NSM data logs so they can be
represented, stored, and accessed through a common schema
▪ to display full-packet captures for analysis
▪ to view pcap transcripts generated by intrusion detection tools
Explanation: Snort is a NIDS integrated into Security Onion. It is an important
source of the alert data that is indexed in the Sguil analysis tool. Snort uses
rules and signatures to generate alerts.
73. What are two drawbacks to using HIPS? (Choose two.)
▪ With HIPS, the success or failure of an attack cannot be readily
determined.
▪ With HIPS, the network administrator must verify support for all the
different operating systems used in the network.
▪ HIPS has difficulty constructing an accurate network picture or
coordinating events that occur across the entire network.
▪ If the network traffic stream is encrypted, HIPS is unable to access
unencrypted forms of the traffic.
▪ HIPS installations are vulnerable to fragmentation attacks or variable
TTL attacks.
74. In an AAA-enabled network, a user issues the configure terminal
command from the privileged executive mode of operation. What AAA
function is at work if this command is rejected?
▪ authorization
▪ authentication
▪ auditing
▪ accounting
Explanation: Authentication must ensure that devices or end users are
legitimate. Authorization is concerned with allowing and disallowing
authenticated users access to certain areas and programs on the network. The
configure terminal command is rejected because the user is not authorized to
execute the command.
75. A company has a file server that shares a folder named Public. The
network security policy specifies that the Public folder is assigned Read-
Only rights to anyone who can log into the server while the Edit rights are
assigned only to the network admin group. Which component is addressed
in the AAA network service framework?
▪ automation
▪ accounting
▪ authentication
▪ authorization
Explanation: After a user is successfully authenticated (logged into the
server), the authorization is the process of determining what network
resources the user can access and what operations (such as read or edit) the
user can perform.
76. What is a characteristic of a DMZ zone?
▪ Traffic originating from the inside network going to the DMZ network is
not permitted.
▪ Traffic originating from the outside network going to the DMZ
network is selectively permitted.
▪ Traffic originating from the DMZ network going to the inside network is
permitted.
▪ Traffic originating from the inside network going to the DMZ network is
selectively permitted.
Explanation: The characteristics of a DMZ zone are as follows:
Traffic originating from the inside network going to the DMZ network is
permitted.
Traffic originating from the outside network going to the DMZ network is
selectively permitted.
Traffic originating from the DMZ network going to the inside network is denied.
77. Which measure can a security analyst take to perform effective security
monitoring against network traffic encrypted by SSL technology?
▪ Use a Syslog server to capture network traffic.
▪ Deploy a Cisco SSL Appliance.
▪ Require remote access connections through IPsec VPN.
▪ Deploy a Cisco ASA.
78. Refer to the exhibit. Port security has been configured on the Fa 0/12
interface of switch S1. What action will occur when PC1 is attached to switch
S1 with the applied configuration?
▪ Frames from PC1 will be forwarded since the switchport port-security
violation command is missing.
▪ Frames from PC1 will be forwarded to its destination, and a log entry will
be created.
▪ Frames from PC1 will be forwarded to its destination, but a log entry will
not be created.
▪ Frames from PC1 will cause the interface to shut down immediately,
and a log entry will be made.
▪ Frames from PC1 will be dropped, and there will be no log of the
violation.
▪ Frames from PC1 will be dropped, and a log message will be created.
Explanation: Manual configuration of the single allowed MAC address has
been entered for port fa0/12. PC1 has a different MAC address and when
attached will cause the port to shut down (the default action), a log message to
be automatically created, and the violation counter to increment. The default
action of shutdown is recommended because the restrict option might fail if an
attack is underway.
79. What security countermeasure is effective for preventing CAM table
overflow attacks?
▪ DHCP snooping
▪ Dynamic ARP Inspection
▪ IP source guard
▪ port security
Explanation: Port security is the most effective method for preventing CAM
table overflow attacks. Port security gives an administrator the ability to
manually specify what MAC addresses should be seen on given switch ports.
It provides a method for limiting the number of MAC addresses that can be
dynamically learned over a switch port.
80. What are two examples of DoS attacks? (Choose two.)
▪ port scanning
▪ SQL injection
▪ ping of death
▪ phishing
▪ buffer overflow
Explanation: The buffer overflow and ping of death DoS attacks exploit
system memory-related flaws on a server by sending an unexpected amount
of data or malformed data to the server.
81. Which method is used to identify interesting traffic needed to create an
IKE phase 1 tunnel?
▪ transform sets
▪ a permit access list entry
▪ hashing algorithms
▪ a security association
82. When the CLI is used to configure an ISR for a site-to-site VPN
connection, which two items must be specified to enable a crypto map
policy? (Choose two.)
▪ the hash
▪ the peer
▪ encryption
▪ the ISAKMP policy
▪ a valid access list
▪ IP addresses on all active interfaces
▪ the IKE Phase 1 policy
Explanation: After the crypto map command in global configuration mode has
been issued, the new crypto map will remain disabled until a peer and a valid
access list have been configured.
83. How does a firewall handle traffic when it is originating from the public
network and traveling to the DMZ network?
▪ Traffic that is originating from the public network is inspected and
selectively permitted when traveling to the DMZ network.
▪ Traffic that is originating from the public network is usually permitted
with little or no restriction when traveling to the DMZ network.
▪ Traffic that is originating from the public network is usually forwarded
without inspection when traveling to the DMZ network.
▪ Traffic that is originating from the public network is usually blocked when
traveling to the DMZ network.
84. A client connects to a Web server. Which component of this HTTP
connection is not examined by a stateful firewall?
▪ the source IP address of the client traffic
▪ the destination port number of the client traffic
▪ the actual contents of the HTTP connection
▪ the source port number of the client traffic
Explanation: Stateful firewalls cannot prevent application layer attacks
because they do not examine the actual contents of the HTTP connection.
85. Which network monitoring technology uses VLANs to monitor traffic on
remote switches?
▪ IPS
▪ IDS
▪ TAP
▪ RSPAN
Explanation: Remote SPAN (RSPAN) enables a network administrator to use
the flexibility of VLANs to monitor traffic on remote switches.
86. Which rule action will cause Snort IPS to block and log a packet?
▪ log
▪ drop
▪ alert
▪ Sdrop
Explanation: Snort IPS mode can perform all the IDS actions plus the
following:
– Drop – Block and log the packet.
– Reject – Block the packet, log it, and then send a TCP reset if the protocol is
TCP or an ICMP port unreachable message if the protocol is UDP.
– Sdrop – Block the packet but do not log it.
87. What is typically used to create a security trap in the data center
facility?
▪ IDs, biometrics, and two access doors
▪ high resolution monitors
▪ redundant authentication servers
▪ a server without all security patches applied
Explanation: Security traps provide access to the data halls where data center
data is stored. As shown in the figure below, a security trap is similar to an air
lock. A person must first enter the security trap using their badge ID proximity
card. After the person is inside the security trap, facial recognition, fingerprints,
or other biometric verifications are used to open the second door. The user
must repeat the process to exit the data hall.
88. A company is concerned with leaked and stolen corporate data on hard
copies. Which data loss mitigation technique could help with this situation?
▪ strong PC security settings
▪ strong passwords
▪ shredding
▪ encryption
Explanation: Confidential data should be shredded when no longer required.
Otherwise, a thief could retrieve discarded reports and gain valuable
information.
89. Upon completion of a network security course, a student decides to
pursue a career in cryptanalysis. What job would the student be doing as a
cryptanalyst?
▪ cracking code without access to the shared secret key
▪ creating hashing codes to authenticate data
▪ making and breaking secret codes
▪ creating transposition and substitution ciphers
Explanation: Cryptanalysis is the practice and study of determining the
meaning of encrypted information (cracking the code), without access to the
shared secret key. This is also known as codebreaking.
90. What command is used on a switch to set the port access entity type so
the interface acts only as an authenticator and will not respond to any
messages meant for a supplicant?
▪ dot1x pae authenticator
▪ authentication port-control auto
▪ aaa authentication dot1x default group radius
▪ dot1x system-auth-control
Explanation: The dot1x pae command sets the Port Access Entity (PAE) type:
dot1x pae [supplicant | authenticator | both]
▪ supplicant—The interface acts only as a supplicant and does not
respond to messages that are meant for an authenticator.
▪ authenticator—The interface acts only as an authenticator and does not
respond to any messages meant for a supplicant.
▪ both—The interface behaves both as a supplicant and as an
authenticator and thus does respond to all dot1x messages.
91. What are two disadvantages of using an IDS? (Choose two.)
▪ The IDS does not stop malicious traffic.
▪ The IDS works offline using copies of network traffic.
▪ The IDS has no impact on traffic.
▪ The IDS analyzes actual forwarded packets.
▪ The IDS requires other devices to respond to attacks.
Explanation: The disadvantage of operating with mirrored traffic is that the
IDS cannot stop malicious single-packet attacks from reaching the target
before responding to the attack. Also, an IDS often requires assistance from
other networking devices, such as routers and firewalls, to respond to an
attack. An advantage of an IDS is that by working offline using mirrored traffic,
it has no impact on traffic flow.
92. Refer to the exhibit. The ip verify source command is applied on
untrusted interfaces. Which type of attack is mitigated by using this
configuration?
▪ DHCP spoofing
▪ DHCP starvation
▪ STP manipulation
▪ MAC and IP address spoofing
Explanation: To protect against MAC and IP address spoofing, apply the IP
Source Guard security feature, using the ip verify source command, on
untrusted ports.
93. What ports can receive forwarded traffic from an isolated port that is
part of a PVLAN?
▪ other isolated ports and community ports
▪ only promiscuous ports
▪ all other ports within the same community
▪ only isolated ports
Explanation: PVLANs are used to provide Layer 2 isolation between ports
within the same broadcast domain. The level of isolation can be specified
with three types of PVLAN ports:
– Promiscuous ports that can forward traffic to all other ports
– Isolated ports that can only forward traffic to promiscuous ports
– Community ports that can forward traffic to other community ports and
promiscuous ports
94. A user complains about being locked out of a device after too many
unsuccessful AAA login attempts. What could be used by the network
administrator to provide a secure authentication access method without
locking a user out of a device?
▪ Use the login delay command for authentication attempts.
▪ Use the login local command for authenticating user access.
▪ Use the aaa local authentication attempts max-fail global configuration
mode command with a higher number of acceptable failures.
▪ Use the none keyword when configuring the authentication method list.
Explanation: The login delay command introduces a delay between failed
login attempts without locking the account. This provides a user with unlimited
attempts at accessing a device without causing the user account to become
locked and thus requiring administrator intervention.
95. What are two drawbacks in assigning user privilege levels on a Cisco
router? (Choose two.)
▪ Only a root user can add or remove commands.
▪ Privilege levels must be set to permit access control to specific device
interfaces, ports, or slots.
▪ Assigning a command with multiple keywords allows access to all
commands using those keywords.
▪ Commands from a lower level are always executable at a higher level.
▪ AAA must be enabled.
Explanation: Privilege levels may not provide desired flexibility and specificity
because higher levels always inherit commands from lower levels, and
commands with multiple keywords give the user access to all commands
available for each keyword. Privilege levels cannot specify access control to
interfaces, ports, or slots. AAA is not required to set privilege levels, but is
required in order to create role-based views. The role of root user does not
exist in privilege levels.
96. Refer to the exhibit. Which conclusion can be made from the show
crypto map command output that is shown on R1?
▪ The crypto map has not yet been applied to an interface.
▪ The current peer IP address should be 172.30.2.1.
▪ There is a mismatch between the transform sets.
▪ The tunnel configuration was established and can be tested with
extended pings.
Explanation: According to the show crypto map command output, all required
SAs are in place, but no interface is currently using the crypto map. To
complete the tunnel configuration, the crypto map has to be applied to the
outbound interface of each router.
97. What are two reasons to enable OSPF routing protocol authentication on
a network? (Choose two.)
▪ to prevent data traffic from being redirected and then discarded
▪ to ensure faster network convergence
▪ to provide data security through encryption
▪ to prevent redirection of data traffic to an insecure link
▪ to ensure more efficient routing
Explanation: The reason to configure OSPF authentication is to mitigate
against routing protocol attacks like redirection of data traffic to an insecure
link, and redirection of data traffic to discard it. OSPF authentication does not
provide faster network convergence, more efficient routing, or encryption of
data traffic.
98. Which three functions are provided by the syslog logging service?
(Choose three.)
▪ gathering logging information
▪ authenticating and encrypting data sent over the network
▪ retaining captured messages on the router when a router is rebooted
▪ specifying where captured information is stored
▪ distinguishing between information to be captured and information
to be ignored
▪ setting the size of the logging buffer
Explanation: Syslog operations include gathering information, selecting which
type of information to capture, and directing the captured information to a
storage location. The logging service stores messages in a logging buffer that
is time-limited, and cannot retain the information when a router is rebooted.
Syslog does not authenticate or encrypt messages.
99. What two ICMPv6 message types must be permitted through IPv6 access
control lists to allow resolution of Layer 3 addresses to Layer 2 MAC
addresses? (Choose two.)
▪ neighbor solicitations
▪ echo requests
▪ neighbor advertisements
▪ echo replies
▪ router solicitations
▪ router advertisements
100. Which three services are provided through digital signatures? (Choose
three.)
▪ accounting
▪ authenticity
▪ compression
▪ nonrepudiation
▪ integrity
▪ encryption
Explanation: Digital signatures use a mathematical technique to provide three
basic security services: integrity, authenticity, and nonrepudiation.
101. A technician is to document the current configurations of all network
devices in a college, including those in off-site buildings. Which protocol
would be best to use to securely access the network devices?
▪ FTP
▪ HTTP
▪ SSH
▪ Telnet
Explanation: Telnet sends passwords and other information in clear text, while
SSH encrypts its data. FTP and HTTP do not provide remote device access
for configuration purposes.
102. An administrator is trying to develop a BYOD security policy for
employees that are bringing a wide range of devices to connect to the
company network. Which three objectives must the BYOD security policy
address? (Choose three.)
▪ All devices must be insured against liability if used to compromise the
corporate network.
▪ All devices must have open authentication with the corporate network.
▪ Rights and activities permitted on the corporate network must be
defined.
▪ Safeguards must be put in place for any personal device being
compromised.
▪ The level of access of employees when connecting to the corporate
network must be defined.
▪ All devices should be allowed to attach to the corporate network
flawlessly.
103. What is the function of the pass action on a Cisco IOS Zone-Based Policy
Firewall?
▪ logging of rejected or dropped packets
▪ inspecting traffic between zones for traffic control
▪ tracking the state of connections between zones
▪ forwarding traffic from one zone to another
Explanation: The pass action performed by Cisco IOS ZPF permits forwarding
of traffic in a manner similar to the permit statement in an access control list.
104. Refer to the exhibit. Based on the security levels of the interfaces on
ASA1, what traffic will be allowed on the interfaces?
▪ Traffic from the Internet and DMZ can access the LAN.
▪ Traffic from the Internet and LAN can access the DMZ.
▪ Traffic from the Internet can access both the DMZ and the LAN.
▪ Traffic from the LAN and DMZ can access the Internet.
Explanation: ASA devices have security levels assigned to each interface that
are not part of a configured ACL. These security levels allow traffic from more
secure interfaces, such as security level 100, to access less secure interfaces,
such as level 0. By default, they allow traffic from more secure interfaces
(higher security level) to access less secure interfaces (lower security level).
Traffic from the less secure interfaces is blocked from accessing more secure
interfaces.
105. What network testing tool can be used to identify network layer
protocols running on a host?
▪ SIEM
▪ Nmap
▪ L0phtcrack
▪ Tripwire
106. In the implementation of security on multiple devices, how do ASA
ACLs differ from Cisco IOS ACLs?
▪ Cisco IOS routers utilize both named and numbered ACLs and Cisco
ASA devices utilize only numbered ACLs.
▪ Cisco IOS ACLs are configured with a wildcard mask and Cisco ASA
ACLs are configured with a subnet mask.
▪ Cisco IOS ACLs are processed sequentially from the top down and
Cisco ASA ACLs are not processed sequentially.
▪ Cisco IOS ACLs utilize an implicit deny all and Cisco ASA ACLs end
with an implicit permit all.
Explanation: The Cisco IOS ACLs are configured with a wildcard mask and
the Cisco ASA ACLs are configured with a subnet mask. Both devices use an
implicit deny, top down sequential processing, and named or numbered ACLs.
107. Which statement describes an important characteristic of a site-to-site
VPN?
▪ It must be statically set up.
▪ It is ideally suited for use by mobile workers.
▪ It requires using a VPN client on the host PC.
▪ After the initial connection is established, it can dynamically change
connection information.
▪ It is commonly implemented over dialup and cable modem networks.
Explanation: A site-to-site VPN is created between the network devices of two
separate networks. The VPN is static and stays established. The internal hosts
of the two networks have no knowledge of the VPN.
108. Which two options are security best practices that help mitigate BYOD
risks? (Choose two.)
▪ Use paint that reflects wireless signals and glass that prevents the
signals from going outside the building.
▪ Keep the device OS and software updated.
▪ Only allow devices that have been approved by the corporate IT team.
▪ Only turn on Wi-Fi when using the wireless network.
▪ Decrease the wireless antenna gain level.
▪ Use wireless MAC address filtering.
Explanation: Many companies now support employees and visitors attaching
and using wireless devices that connect to and use the corporate wireless
network. This practice is known as a bring-your-own-device policy or BYOD.
Commonly, BYOD security practices are included in the security policy. Some
best practices that mitigate BYOD risks include the following:
Use unique passwords for each device and account.
Turn off Wi-Fi and Bluetooth connectivity when not being used. Only connect
to trusted networks.
Keep the device OS and other software updated.
Back up any data stored on the device.
Subscribe to a device locator service with a remote wipe feature.
Provide antivirus software for approved BYODs.
Use Mobile Device Management (MDM) software that allows IT teams to track
the device and implement security settings and software controls.
109. Refer to the exhibit. A network administrator configures AAA
authentication on R1. Which statement describes the effect of the keyword
single-connection in the configuration?
▪ R1 will open a separate connection to the TACACS+ server for each
user authentication session.
▪ The authentication performance is enhanced by keeping the
connection to the TACACS+ server open.
▪ The TACACS+ server only accepts one successful try for a user to
authenticate with it.
▪ R1 will open a separate connection to the TACACS server on a per
source IP address basis for each authentication session.
Explanation: The single-connection keyword enhances TCP performance with
TACACS+ by maintaining a single TCP connection for the life of the session.
Without the single-connection keyword, a TCP connection is opened and
closed per session.
110. A recently created ACL is not working as expected. The admin
determined that the ACL had been applied inbound on the interface and
that was the incorrect direction. How should the admin fix this issue?
▪ Delete the original ACL and create a new ACL, applying it outbound on
the interface.
▪ Add an association of the ACL outbound on the same interface.
▪ Fix the ACE statements so that it works as desired inbound on the
interface.
▪ Remove the inbound association of the ACL on the interface and
reapply it outbound.
111. What characteristic of the Snort term-based subscriptions is true for
both the community and the subscriber rule sets?
▪ Both have a 30-day delayed access to updated signatures.
▪ Both use Cisco Talos to provide coverage in advance of exploits.
▪ Both are fully supported by Cisco and include Cisco customer support.
▪ Both offer threat protection against security threats.
Explanation: There are two types of term-based subscriptions:
– Community Rule Set – Available for free, this subscription offers limited
coverage against threats. The community rule set focuses on reactive
response to security threats versus proactive research work. There is also a
30-day delayed access to updated signatures, meaning that the newest rules
will be a minimum of 30 days old. In addition, there is no Cisco customer
support available.
– Subscriber Rule Set – Available for a fee, this service provides the best
protection against threats. It includes coverage in advance of exploits by using
the research work of the Cisco Talos security experts. The Subscriber Rule
Set also provides the fastest access to updated signatures in response to a
security incident or the proactive discovery of a new threat. This subscription is
fully supported by Cisco.
112. A security analyst is configuring Snort IPS. The analyst has just
downloaded and installed the Snort OVA file. What is the next step?
▪ Verify Snort IPS.
▪ Configure Virtual Port Group interfaces.
▪ Enable IPS globally or on desired interfaces.
▪ Activate the virtual services.
Explanation: To deploy Snort IPS on supported devices, perform the following
steps:
– Step 1. Download the Snort OVA file.
– Step 2. Install the OVA file.
– Step 3. Configure Virtual Port Group interfaces.
– Step 4. Activate the virtual services.
– Step 5. Configure Snort specifics.
– Step 6. Enable IPS globally or on desired interfaces.
– Step 7. Verify Snort IPS.
113. The security policy in a company specifies that employee workstations
can initiate HTTP and HTTPS connections to outside websites and the
return traffic is allowed. However, connections initiated from outside hosts
are not allowed. Which parameter can be used in extended ACLs to meet
this requirement?
▪ dscp
▪ precedence
▪ eq
▪ established
114. A researcher is comparing the differences between a stateless firewall
and a proxy firewall. Which two additional layers of the OSI model are
inspected by a proxy firewall? (Choose two.)
▪ Layer 3
▪ Layer 4
▪ Layer 5
▪ Layer 6
▪ Layer 7
Explanation: Packet filtering firewalls are usually part of a router firewall,
which permits or denies traffic based on Layer 3 and Layer 4 information. They
are stateless firewalls that use a simple policy table look-up that filters traffic
based on specific criteria.
115. Refer to the exhibit. A network administrator is configuring a VPN
between routers R1 and R2. Which commands would correctly configure a
pre-shared key for the two routers?
▪ R1(config)# username R2 password 5tayout!
R2(config)# username R1 password 5tayout!
▪ R1(config)# crypto isakmp key 5tayout! address 64.100.0.2
R2(config)# crypto isakmp key 5tayout! address 64.100.0.1
▪ R1(config)# crypto isakmp key 5tayout! hostname R1
R2(config)# crypto isakmp key 5tayout! hostname R2
▪ R1(config-if)# ppp pap sent-username R1 password 5tayout!
R2(config-if)# ppp pap sent-username R2 password 5tayout!
116. Refer to the exhibit. Which statement is true about the effect of this
Cisco IOS zone-based policy firewall configuration?
▪ The firewall will automatically drop all HTTP, HTTPS, and FTP traffic.
▪ The firewall will automatically allow HTTP, HTTPS, and FTP traffic from
s0/0/0 to g0/0 and will track the connections. Tracking the connection
allows only return traffic to be permitted through the firewall in the
opposite direction.
▪ The firewall will automatically allow HTTP, HTTPS, and FTP traffic from
s0/0/0 to g0/0, but will not track the state of connections. A
corresponding policy must be applied to allow return traffic to be
permitted through the firewall in the opposite direction.
▪ The firewall will automatically allow HTTP, HTTPS, and FTP traffic
from g0/0 to s0/0/0 and will track the connections. Tracking the
connection allows only return traffic to be permitted through the firewall
in the opposite direction.
▪ The firewall will automatically allow HTTP, HTTPS, and FTP traffic from
g0/0 to s0/0/0, but will not track the state of connections. A
corresponding policy must be applied to allow return traffic to be
permitted through the firewall in the opposite direction.
117. Which privilege level has the most access to the Cisco IOS?
▪ level 0
▪ level 15
▪ level 7
▪ level 16
▪ level 1
118. Refer to the exhibit. A network administrator has configured NAT on
an ASA device. What type of NAT is used?
▪ inside NAT
▪ static NAT
▪ bidirectional NAT
▪ outside NAT
Explanation: NAT can be deployed on an ASA using one of these methods:
inside NAT – when a host from a higher-security interface has traffic destined
for a lower-security interface and the ASA translates the internal host address
to a global address
outside NAT – when traffic from a lower-security interface destined for a host
on the higher-security interface is translated
bidirectional NAT – when both inside NAT and outside NAT are used together
Because the nat command is applied so that the inside interface is mapped to
the outside interface, the NAT type is inside. Also, the dynamic keyword in the
nat command indicates that it is a dynamic mapping.
119. A network analyst is configuring a site-to-site IPsec VPN. The analyst
has configured both the ISAKMP and IPsec policies. What is the next step?
▪ Configure the hash as SHA and the authentication as pre-shared.
▪ Apply the crypto map to the appropriate outbound interfaces.
▪ Issue the show crypto ipsec sa command to verify the tunnel.
▪ Verify that the security feature is enabled in the IOS.
120. When an inbound Internet-traffic ACL is being implemented, what
should be included to prevent the spoofing of internal networks?
▪ ACEs to prevent traffic from private address spaces
▪ ACEs to prevent broadcast address traffic
▪ ACEs to prevent ICMP traffic
▪ ACEs to prevent HTTP traffic
▪ ACEs to prevent SNMP traffic
Explanation: Common ACEs to assist with antispoofing include blocking
packets that have a source address in the 127.0.0.0/8 range, any private
address, or any multicast addresses. Furthermore, the administrator should
not allow any outbound packets with a source address other than a valid
address that is used in the internal networks of the organization.
121. Match the security term to the appropriate description. (Not all options
are used.)
122. Which two types of attacks are examples of reconnaissance attacks?
(Choose two.)
▪ brute force
▪ port scan
▪ ping sweep
▪ man-in-the-middle
▪ SYN flood
Explanation: Reconnaissance attacks attempt to gather information about the
targets. Ping sweeps will indicate which hosts are up and responding to pings,
whereas port scans will indicate on which TCP and UDP ports the target is
listening for incoming connections. Man-in-the-middle and brute force attacks
are both examples of access attacks, and a SYN flood is an example of a
denial of service (DoS) attack.
123. Which Cisco solution helps prevent ARP spoofing and ARP poisoning
attacks?
▪ Dynamic ARP Inspection
▪ IP Source Guard
▪ DHCP Snooping
▪ Port Security
124. When the Cisco NAC appliance evaluates an incoming connection from
a remote device against the defined network policies, what feature is being
used?
▪ posture assessment
▪ remediation of noncompliant systems
▪ authentication and authorization
▪ quarantining of noncompliant systems
125. Which two steps are required before SSH can be enabled on a Cisco
router? (Choose two.)
▪ Give the router a host name and domain name.
▪ Create a banner that will be displayed to users when they connect.
▪ Generate a set of secret keys to be used for encryption and decryption.
▪ Set up an authentication server to handle incoming connection requests.
▪ Enable SSH on the physical interfaces where the incoming connection
requests will be received.
Explanation: There are four steps to configure SSH on a Cisco router. First,
set the host name and domain name. Second, generate a set of RSA keys to
be used for encrypting and decrypting the traffic. Third, create the user IDs
and passwords of the users who will be connecting. Lastly, enable SSH on the
vty lines on the router. SSH does not need to be set up on any physical
interfaces, nor does an external authentication server need to be used. While it
is a good idea to configure a banner to display legal information for connecting
users, it is not required to enable SSH.
126. The network administrator for an e-commerce website requires a
service that prevents customers from claiming that legitimate orders are
fake. What service provides this type of guarantee?
▪ confidentiality
▪ authentication
▪ integrity
▪ nonrepudiation
127. Match the security technology with the description.
128. What functionality is provided by Cisco SPAN in a switched network?
▪ It mirrors traffic that passes through a switch port or VLAN to another
port for traffic analysis.
▪ It prevents traffic on a LAN from being disrupted by a broadcast storm.
▪ It protects the switched network from receiving BPDUs on ports that
should not be receiving them.
▪ It copies traffic that passes through a switch interface and sends the
data directly to a syslog or SNMP server for analysis.
▪ It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP
requests conform to voice standards.
▪ It mitigates MAC address overflow attacks.
Explanation: SPAN is a Cisco technology used by network administrators to
monitor suspicious traffic or to capture traffic to be analyzed.
129. Which three statements are generally considered to be best practices
in the placement of ACLs? (Choose three.)
▪ Filter unwanted traffic before it travels onto a low-bandwidth link.
▪ Place standard ACLs close to the destination IP address of the traffic.
▪ Place standard ACLs close to the source IP address of the traffic.
▪ Place extended ACLs close to the destination IP address of the traffic.
▪ Place extended ACLs close to the source IP address of the traffic.
▪ For every inbound ACL placed on an interface, there should be a
matching outbound ACL.
Explanation: Extended ACLs should be placed as close as possible to the
source IP address, so that traffic that needs to be filtered does not cross the
network and use network resources. Because standard ACLs do not specify a
destination address, they should be placed as close to the destination as
possible. Placing a standard ACL close to the source may have the effect of
filtering all traffic, and limiting services to other hosts. Filtering unwanted traffic
before it enters low-bandwidth links preserves bandwidth and supports
network functionality. Decisions on placing ACLs inbound or outbound are
dependent on the requirements to be met.
130. What function is performed by the class maps configuration object in
the Cisco modular policy framework?
▪ identifying interesting traffic
▪ applying a policy to an interface
▪ applying a policy to interesting traffic
▪ restricting traffic through an interface
Explanation: There are three configuration objects in the MPF: class maps,
policy maps, and service policy. The class maps configuration object uses
match criteria to identify interesting traffic.
131. In an attempt to prevent network attacks, cyber analysts share unique
identifiable attributes of known attacks with colleagues. What three types
of attributes or indicators of compromise are helpful to share? (Choose
three.)
▪ IP addresses of attack servers
▪ changes made to end system software
▪ netbios names of compromised firewalls
▪ features of malware files
▪ BIOS of attacking systems
▪ system ID of compromised systems
Explanation: Many network attacks can be prevented by sharing information
about indicators of compromise (IOC). Each attack has unique identifiable
attributes. Indicators of compromise are the evidence that an attack has
occurred. IOCs can be identifying features of malware files, IP addresses of
servers that are used in the attack, filenames, and characteristic changes
made to end system software.
132. What two assurances does digital signing provide about code that is
downloaded from the Internet? (Choose two.)
▪ The code is authentic and is actually sourced by the publisher.
▪ The code contains no errors.
▪ The code has not been modified since it left the software publisher.
▪ The code contains no viruses.
▪ The code was encrypted with both a private and public key.
Explanation: Digitally signing code provides several assurances about the
code:
The code is authentic and is actually sourced by the publisher.
The code has not been modified since it left the software publisher.
The publisher undeniably published the code. This provides nonrepudiation of
the act of publishing.
133. Refer to the exhibit. What algorithm is being used to provide public key
exchange?
▪ SHA
▪ RSA
▪ Diffie-Hellman
▪ AES
Explanation: The IPsec framework uses various protocols and algorithms to
provide data confidentiality, data integrity, authentication, and secure key
exchange. DH (Diffie-Hellman) is an algorithm used for key exchange. DH is a
public key exchange method and allows two IPsec peers to establish a shared
secret key over an insecure channel.
134. Which two statements describe the use of asymmetric algorithms?
(Choose two.)
▪ Public and private keys may be used interchangeably.
▪ If a public key is used to encrypt the data, a public key must be used to
decrypt the data.
▪ If a private key is used to encrypt the data, a public key must be used to
decrypt the data.
▪ If a public key is used to encrypt the data, a private key must be used to
decrypt the data.
▪ If a private key is used to encrypt the data, a private key must be used
to decrypt the data.
Explanation: Asymmetric algorithms use two keys: a public key and a private
key. Both keys are capable of the encryption process, but the complementary
matched key is required for decryption. If a public key encrypts the data, the
matching private key decrypts the data. The opposite is also true. If a private
key encrypts the data, the corresponding public key decrypts the data.
135. Which statement is a feature of HMAC?
▪ HMAC uses a secret key that is only known to the sender and defeats
man-in-the-middle attacks.
▪ HMAC uses protocols such as SSL or TLS to provide session layer
confidentiality.
▪ HMAC uses a secret key as input to the hash function, adding
authentication to integrity assurance.
▪ HMAC is based on the RSA hash function.
Explanation: A keyed-hash message authentication code (HMAC or KHMAC)
is a type of message authentication code (MAC). HMACs use an additional
secret key as input to the hash function, adding authentication to data integrity
assurance.
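The contrast the explanation draws (a plain hash gives integrity only; a keyed hash adds authentication) as an added example that is not part of the exam page. The key and the two messages are constructed sample values.

```python
import hashlib
import hmac

def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256: anyone who can change the message can recompute it."""
    return hashlib.sha256(message).hexdigest()

def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: the secret key is an input to the hash function, so only
    a holder of the key can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_plain(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)

def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(keyed_digest(key, message), tag)

def integrity_vs_authentication(key: bytes, message: bytes, altered: bytes) -> dict:
    """What the receiver can conclude from each check when the message
    it receives differs from the one the sender produced."""
    return {
        # A plain digest recomputed over the altered message still verifies:
        # the hash alone says nothing about who produced the message.
        "plain_hash_accepts_altered": verify_plain(altered, plain_digest(altered)),
        # The sender's HMAC tag no longer matches the altered message ...
        "hmac_accepts_altered_with_old_tag": verify_keyed(
            key, altered, keyed_digest(key, message)),
        # ... and a tag computed without the shared key is rejected too.
        "hmac_accepts_tag_from_wrong_key": verify_keyed(
            key, altered, keyed_digest(b"not-the-key", altered)),
        "hmac_accepts_genuine": verify_keyed(key, message, keyed_digest(key, message)),
    }

# Constructed sample values
SHARED_KEY = b"constructed-shared-secret"
ORIGINAL = b"config change: line vty 0 4 transport input ssh"
ALTERED = b"config change: line vty 0 4 transport input telnet"
```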
136. What is the purpose of the webtype ACLs in an ASA?
▪ to inspect outbound traffic headed towards certain web sites
▪ to restrict traffic that is destined to an ASDM
▪ to monitor return traffic that is in response to web server requests that
are initiated from the inside interface
▪ to filter traffic for clientless SSL VPN users
Explanation: The webtype ACLs are used in a configuration that supports
filtering for clientless SSL VPN users.
137. Which two statements describe the effect of the access control list
wildcard mask 0.0.0.15? (Choose two.)
▪ The first 28 bits of a supplied IP address will be matched.
▪ The last four bits of a supplied IP address will be matched.
▪ The first 28 bits of a supplied IP address will be ignored.
▪ The last four bits of a supplied IP address will be ignored.
▪ The last five bits of a supplied IP address will be ignored.
▪ The first 32 bits of a supplied IP address will be matched.
Explanation: A wildcard mask uses 0s to indicate bits that must match. The 0s
in the first three octets represent 24 bits, and the four additional 0s in the
last octet bring the total to 28 bits that must match. The four 1s represented
by the decimal value 15 are the four bits to ignore.
138. Which type of firewall is the most common and allows or blocks traffic
based on Layer 3, Layer 4, and Layer 5 information?
▪ stateless firewall
▪ packet filtering firewall
▪ next generation firewall
▪ stateful firewall
139. Which protocol or measure should be used to mitigate the
vulnerability of using FTP to transfer documents between a teleworker and
the company file server?
▪ SCP
▪ TFTP
▪ ACLs on the file server
▪ out-of-band communication channel
Explanation: File transfer using FTP is transmitted in plain text. The username
and password would be easily captured if the data transmission is intercepted.
Secure Copy Protocol (SCP) conducts the authentication and file transfer
under SSH, thus the communication is encrypted. Like FTP, TFTP transfers
files unencrypted. ACLs provide network traffic filtering but not encryption.
Using an out-of-band communication channel (OOB) either requires physical
access to the file server or, if done through the internet, does not necessarily
encrypt the communication.
140. Refer to the exhibit. The IPv6 access list LIMITED_ACCESS is applied on
the S0/0/0 interface of R1 in the inbound direction. Which IPv6 packets
from the ISP will be dropped by the ACL on R1?
▪ HTTPS packets to PC1
▪ ICMPv6 packets that are destined to PC1
▪ packets that are destined to PC1 on port 80
▪ neighbor advertisements that are received from the ISP router
Explanation: The access list LIMITED_ACCESS will block ICMPv6 packets
from the ISP. Both port 80, HTTP traffic, and port 443, HTTPS traffic, are
explicitly permitted by the ACL. The neighbor advertisements from the ISP
router are implicitly permitted by the implicit permit icmp any any nd-na
statement at the end of all IPv6 ACLs.
141. What tool is available through the Cisco IOS CLI to initiate security
audits and to make recommended configuration changes with or without
administrator input?
▪ Control Plane Policing
▪ Cisco AutoSecure
▪ Cisco ACS
▪ Simple Network Management Protocol
142. Refer to the exhibit. Which pair of crypto isakmp key commands would
correctly configure PSK on the two routers?
▪ R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address 209.165.200.226
▪ R1(config)# crypto isakmp key cisco123 address 209.165.200.226
R2(config)# crypto isakmp key cisco123 address 209.165.200.227
▪ R1(config)# crypto isakmp key cisco123 hostname R1
R2(config)# crypto isakmp key cisco123 hostname R2
▪ R1(config)# crypto isakmp key cisco123 address 209.165.200.226
R2(config)# crypto isakmp key secure address 209.165.200.227
Explanation: The correct syntax of the crypto isakmp key command is as
follows:
crypto isakmp key keystring address peer-address
or
crypto isakmp key keystring hostname peer-hostname
So, the correct answer would be the following:
R1(config)# crypto isakmp key cisco123 address 209.165.200.227
R2(config)# crypto isakmp key cisco123 address 209.165.200.226
143. Which two technologies provide enterprise-managed VPN solutions?
(Choose two.)
▪ Layer 3 MPLS VPN
▪ Frame Relay
▪ site-to-site VPN
▪ Layer 2 MPLS VPN
▪ remote access VPN
144. What are the three components of an STP bridge ID? (Choose three.)
▪ the date and time that the switch was brought online
▪ the hostname of the switch
▪ the MAC address of the switch
▪ the extended system ID
▪ the bridge priority value
▪ the IP address of the management VLAN
145. What are two differences between stateful and packet filtering
firewalls? (Choose two.)
▪ A packet filtering firewall will prevent spoofing by determining whether
packets belong to an existing connection while a stateful firewall
follows pre-configured rule sets.
▪ A stateful firewall provides more stringent control over security than
a packet filtering firewall.
▪ A packet filtering firewall is able to filter sessions that use dynamic port
negotiations while a stateful firewall cannot.
▪ A stateful firewall will provide more logging information than a
packet filtering firewall.
▪ A stateful firewall will examine each packet individually while a packet
filtering firewall observes the state of a connection.
Explanation: There are many differences between a stateless and stateful firewall.
Stateless firewalls (packet filtering firewalls):
– are susceptible to IP spoofing
– do not reliably filter fragmented packets
– use complex ACLs, which can be difficult to implement and maintain
– cannot dynamically filter certain services
– examine each packet individually rather than in the context of the state of a
connection
Stateful firewalls:
– are often used as a primary means of defense by filtering unwanted,
unnecessary, or undesirable traffic
– strengthen packet filtering by providing more stringent control over security
– improve performance over packet filters or proxy servers
– defend against spoofing and DoS attacks by determining whether packets
belong to an existing connection or are from an unauthorized source
– provide more log information than a packet filtering firewall
146. Which portion of the Snort IPS rule header identifies the destination
port?
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
▪ any
▪ $HTTP_PORTS
▪ $HOME_NET
▪ tcp
147. Match each SNMP operation to the corresponding description. (Not all
options are used.)
148. What port state is used by 802.1X if a workstation fails authorization?
▪ disabled
▪ down
▪ unauthorized
▪ blocking
149. Match the ASA special hardware modules to the description.
Network Security 1.0 Final Exam Answers
Explanation: The advanced threat control and containment services of an
ASA firewall are provided by integrating special hardware modules with the
ASA architecture. These special modules include:
– Advanced Inspection and Prevention (AIP) module – supports advanced IPS
capability.
– Content Security and Control (CSC) module – supports antimalware
capabilities.
– Cisco Advanced Inspection and Prevention Security Services Module (AIP-
SSM) and Cisco Advanced Inspection and Prevention Security Services Card
(AIP-SSC) – support protection against tens of thousands of known exploits.
150. Refer to the exhibit. Which two ACLs, if applied to the G0/1 interface of
R2, would permit only the two LAN networks attached to R1 to access the
network that connects to R2 G0/1 interface? (Choose two.)
▪ access-list 3 permit 192.168.10.128 0.0.0.63
▪ access-list 1 permit 192.168.10.0 0.0.0.127
▪ access-list 4 permit 192.168.10.0 0.0.0.255
▪ access-list 2 permit host 192.168.10.9
access-list 2 permit host 192.168.10.69
▪ access-list 5 permit 192.168.10.0 0.0.0.63
access-list 5 permit 192.168.10.64 0.0.0.63
Explanation: The permit 192.168.10.0 0.0.0.127 command ignores bit
positions 1 through 7, which means that addresses 192.168.10.0 through
192.168.10.127 are allowed through. The two ACEs of permit 192.168.10.0
0.0.0.63 and permit 192.168.10.64 0.0.0.63 allow the same address range
through the router.
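The wildcard-mask arithmetic behind question 137 (0.0.0.15 checks 28 bits and ignores 4) and question 150 (one ACE with 0.0.0.127 matches the same hosts as two ACEs with 0.0.0.63), as an added example that is not part of the exam page. The ACL lists below are constructed from the answer options; standard ACL evaluation is modelled as first match wins with an implicit deny at the end.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def bits_ignored(wildcard: str) -> int:
    """Number of 1 bits in the wildcard, i.e. bits the ACE does not check."""
    return bin(_to_int(wildcard)).count("1")

def bits_matched(wildcard: str) -> int:
    """Number of 0 bits in the wildcard, i.e. bits that must match."""
    return 32 - bits_ignored(wildcard)

def ace_matches(candidate: str, network: str, wildcard: str) -> bool:
    """True if 'network wildcard' in an ACE matches the candidate address."""
    care = ~_to_int(wildcard) & MASK32          # 0 bits of the wildcard
    return (_to_int(candidate) & care) == (_to_int(network) & care)

def matched_range(network: str, wildcard: str) -> tuple:
    """Lowest and highest address an ACE can match. For a contiguous
    wildcard (all 1 bits at the low end, as in the exam) every address
    between the two is matched."""
    w = _to_int(wildcard)
    low = _to_int(network) & (~w & MASK32)
    return (str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w)))

def standard_acl_permits(aces, candidate: str) -> bool:
    """Evaluate a standard ACL top-down: the first matching ACE decides,
    and the implicit 'deny any' at the end drops anything unmatched.
    aces is a list of (action, network, wildcard) tuples."""
    for action, network, wildcard in aces:
        if ace_matches(candidate, network, wildcard):
            return action == "permit"
    return False

def same_addresses_permitted(acl_a, acl_b, prefix: str = "192.168.10.0/24") -> bool:
    """Check that two ACLs permit exactly the same addresses inside prefix."""
    return all(standard_acl_permits(acl_a, str(h)) == standard_acl_permits(acl_b, str(h))
               for h in ipaddress.IPv4Network(prefix))

# Constructed from the question 150 answer options
ACL_1 = [("permit", "192.168.10.0", "0.0.0.127")]
ACL_3 = [("permit", "192.168.10.128", "0.0.0.63")]
ACL_5 = [("permit", "192.168.10.0", "0.0.0.63"),
         ("permit", "192.168.10.64", "0.0.0.63")]
```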
151. Which two characteristics apply to role-based CLI access superviews?
(Choose two.)
▪ A specific superview cannot have commands added to it directly.
▪ CLI views have passwords, but superviews do not have passwords.
▪ A single superview can be shared among multiple CLI views.
▪ Deleting a superview deletes all associated CLI views.
▪ Users logged in to a superview can access all commands specified
within the associated CLI views.
Explanation: By using a superview an administrator can assign users or
groups of users to CLI views which contain a specific set of commands those
users can access. Commands cannot be added directly to a superview but
rather must be added to a CLI view and the CLI view added to the superview.
152. Match the IPS alarm type to the description.