210-260.examcollection - Premium.exam.274q: Number: 210-260 Passing Score: 800 Time Limit: 120 Min File Version: 1.0


210-260

Implementing Cisco Network Security

Version 1.0
Exam A

QUESTION 1
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.
Exhibit:

Which of the following user accounts will be able to connect to the ASA by using ASDM? (Select the best
answer.)

A. only john
B. only boson
C. only jane
D. both john and jane
E. both jane and boson
F. john, jane, and boson

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Both the jane and the boson user accounts will be able to connect to the Cisco Adaptive Security Appliance
(ASA) by using Cisco Adaptive Security Device Manager (ASDM). When you add a user to the local
Authentication, Authorization, and Accounting (AAA) database on an ASA, you can specify security
parameters for the user. One security option you can specify is whether the user can establish a
management connection to the ASA. This option is configured in the Add or Edit User Account dialog box in
ASDM. Under Access Restriction, you can select Full Access (ASDM, SSH, Telnet and Console), CLI login
prompt for SSH, Telnet and console (no ASDM access), or No ASDM, SSH, Telnet or Console access. The
Full Access (ASDM, SSH, Telnet and Console) option will let the user use ASDM or the command line
interface (CLI) to administer the ASA. In this scenario, this option is selected for both the jane and the
boson user accounts, as shown in the following exhibits:
You can access the Add or Edit User Account dialog box in ASDM by clicking Configuration, clicking the
Remote Access VPN button, expanding AAA/Local Users, and clicking Local Users. To open the Edit User
Account dialog box, you should double click the user account that you want to open.
The john user account is configured with the No ASDM, SSH, Telnet or Console access option. This option
will prevent the user from establishing a management connection to the device by using ASDM, SSH,
Telnet, or the console.
Reference:
Cisco: Configuring AAA Servers and the Local Database: Adding a User Account

QUESTION 2
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.
Which of the following tunneling protocols will the jane user account be able to use when establishing a
clientless SSL VPN connection by using the boson tunnel group? (Select the best answer.)
Exhibit:
A. only clientless SSL VPN
B. only SSL VPN client
C. only IPSec
D. only L2TP/IPSec
E. both client and clientless SSL VPN
F. both clientless SSL VPN and IPSec

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The jane user account will be able to use only the clientless Secure Sockets Layer (SSL) virtual private
network (VPN) tunneling protocol when establishing a clientless SSL VPN connection by using the boson
tunnel group. You can specify the tunneling protocols that can be used to establish a connection to a tunnel
group, which is also known as a connection profile, either in a group policy or within a user account,
depending on whether the tunneling protocol configuration should be applied to a group or to a single user.
When you configure a tunneling protocol, you can specify one or more of the following four options:
Clientless SSL VPN, SSL VPN Client, IPSec, or L2TP/IPSec.
In this scenario, you can view the tunneling protocols that are configured for the jane user account by
accessing her user account information in Cisco Adaptive Security Device Manager (ASDM) by clicking
Configuration, clicking the Remote Access VPN button, expanding AAA/Local Users, clicking Local Users,
and double-clicking the jane user account, which will open the Edit User Account dialog box. You should
then click VPN Policy, which will display a pane that includes a Tunneling Protocols entry. This entry for the
jane user account is configured with the Inherit option, which means that the tunneling protocols that the
jane user account can use will be inherited from a group policy that is associated with the jane user
account. In this scenario, the jane user account is associated with the boson_grp group policy.
To view the tunneling protocols that are associated with the boson_grp group policy in ASDM, you should
click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, select
Group Policies, and double-click boson_grp, which will open the Edit Internal Group Policy dialog box. The
More Options section on the General pane displays the Tunneling Protocols entry. Only the Clientless SSL
VPN option is selected, as shown in the following exhibit:

Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 3
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.
Exhibit:
Which of the following statements are true regarding clientless SSL VPN connections that are made by
using the boson tunnel group? (Select 3 choices.)

A. VPN clients will be authenticated using the local AAA database.
B. VPN clients will be authenticated using digital certificates.
C. The DfltGrpPolicy group policy will be applied to the VPN connections.
D. The boson_grp group policy will be applied to the VPN connections.
E. No welcome banner will be displayed to VPN clients.
F. A welcome banner will be displayed to VPN clients.
Correct Answer: ADF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Virtual private network (VPN) clients will be authenticated using the local Authentication, Authorization, and
Accounting (AAA) database, the boson_grp group policy will be applied to the VPN connections, and a
welcome banner will be displayed to VPN clients. When configuring a tunnel group, which is also known as
a connection profile, in Cisco Adaptive Security Device Manager (ASDM), you can specify a number of
parameters. For example, you can specify the type of authentication to use and the default group policy to
use for VPN connections made by using the tunnel group. This information can be configured or modified
on the Add or Edit Clientless SSL VPN Connection Profile dialog box in ASDM. To access this dialog box in
ASDM, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN
Access, and click Connection Profiles. You should then double-click a connection profile, which will open the
Edit Clientless SSL VPN Connection Profile dialog box for the selected connection profile. The Edit
Clientless SSL VPN Connection Profile dialog box for the boson tunnel group is shown in the following
exhibit:

The Authentication section of the Basic screen of the Edit Clientless SSL VPN Connection Profile dialog
box indicates that the tunnel group will use the local AAA database for user authentication. Thus any VPN
connections made by using this tunnel group will be authenticated against the AAA database.
The Default Group Policy section indicates that the boson_grp group policy will be applied to this connection
profile. That is, the settings in the boson_grp group policy will apply to VPN users who connect by using the
boson tunnel group.
You can view the details of the boson_grp group policy to determine whether a banner message will be
displayed to VPN clients. This information is displayed on the General pane of the Add or Edit Internal Group
Policy dialog box. To view the details of an existing group policy for clientless SSL VPN users in ASDM, you
should click Configuration, expand Clientless SSL VPN Access, and click Group Policies. You can then
double-click boson_grp, which will open the Edit Internal Group Policy dialog box, which is shown in the
following exhibit:
The Banner entry contains a value of Welcome to Boson Software! Because VPN connections made by
using the boson tunnel group will use the boson_grp group policy, you can determine that VPN users will be
shown a welcome banner in this scenario.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 4
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.
Exhibit:
Which of the following statements is true regarding VPN connections made by a user who is using the john
user account? (Select the best answer.)

A. The user will be unable to establish a VPN connection by using the boson tunnel group.
B. The user will be able to establish a connection by using any tunnel group.
C. The DfltGrpPolicy group policy will be applied to any VPN connection that the user established.
D. The user will be able to establish only clientless SSL VPN connections.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The user will be able to establish only clientless Secure Sockets Layer (SSL) virtual private network (VPN)
connections. The tunneling protocols that a user can use to establish a VPN connection can be configured
in the user profile or in a group policy. To configure the tunneling protocols in a user profile, you should
access the VPN Policy pane of the Add or Edit User Account dialog box. To access this pane, you should
click Configuration, click the Remote Access VPN button, expand AAA/Local Users, click Local Users,
double-click john, and then click VPN Policy. The VPN Policy pane of the john user account is shown in the
following exhibit:

The Tunneling Protocols entry indicates that the john user account is inheriting the tunneling protocol
settings from a group policy. The Group Policy entry indicates that the group policy associated with the john
user account is boson_grp. Therefore, you must view the details of the boson_grp group policy to determine
the tunneling protocols that the john user account can use.
To view the details of the boson_grp group policy, you should click Configuration, expand Clientless SSL
VPN Access, click Group Policies, and double-click boson_grp, which will open the Edit Internal Group
Policy dialog box, as shown in the following exhibit:

The Tunneling Protocols entry indicates that the group policy allows only clientless SSL VPN connections.
Because the john user account inherits this setting, the john user account will be able to establish a VPN
connection by using only a clientless SSL VPN connection.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 5
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.
Exhibit:

Which of the following connection profiles will use the boson_grp group policy? (Select the best answer.)

A. only the boson connection profile
B. only the DefaultRAGroup connection profile
C. only the DefaultWEBVPNGroup connection profile
D. both the boson connection profile and the DefaultWEBVPNGroup connection profile
E. both the DefaultRAGroup connection profile and the DefaultWEBVPNGroup
Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Only the boson connection profile will use the boson_grp group policy. To determine which connection
profiles will use the boson_grp group policy, you should access the Connection Profiles pane in Cisco
Adaptive Security Device Manager (ASDM). To access this pane, you should click Configuration, click the
Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles, which will
open the Connection Profiles configuration pane, as shown in the following exhibit:

This pane displays a summary of the connection profiles that are configured on the Cisco Adaptive Security
Appliance (ASA). In this scenario, there are three connection profiles. There are two default profiles,
DefaultRAGroup and DefaultWEBVPNGroup, and one user-specified connection profile, boson. To view
which group policy is associated with which connection profile, you should double-click the connection
profiles to open the Edit Clientless SSL VPN Connection Profile dialog box. The default group policy that is
associated with a connection profile is displayed on the Basic pane of this dialog box. By viewing this
information, you can determine that only the boson connection profile uses the boson_grp group policy. The
Basic pane of the boson connection profile is shown in the following exhibit:
The two default connection profiles use the default group policy, which is DfltGrpPolicy.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 6
Which of the following is typically used to manage a Cisco router in-band? (Select the best answer.)

A. a VTY port
B. a serial port
C. a console port
D. an auxiliary port

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A virtual terminal (VTY) port is typically used to manage a Cisco router in-band. When a Cisco device is
operating in its normal state, another device can connect to it by using VTY application protocols such as
Telnet or Secure Shell (SSH). The use of VTY lines typically allows multiple administrators or management
applications to concurrently access a device from more than one location.
You would not use a console port or an auxiliary (AUX) port to manage a Cisco router in-band. You are
most likely to use either an AUX port or a console port to manage a Cisco router out-of-band, such as when
the router is in read-only memory (ROM) monitor (ROMmon) mode. The AUX port on a Cisco router is
typically capable of supporting most of the features available on a console port. Cisco switches either do not
have AUX ports or do not support certain features, such as system recovery, on their AUX ports if they have
them.
ROMmon is a management mode that Cisco routers and switches revert to when the system cannot find a
software image, the software image is corrupted, or the configuration register has been set to manually
enter ROMmon mode. Because ROMmon is an out-of-band management method, it can be used to
recover system software images, passwords, or other configuration data even when the router or switch is
in a state where it can no longer forward packets.
You would not use a serial port to manage a Cisco router in-band. Serial ports and Ethernet ports are used
to directly connect Cisco routers to other network devices. For example, you might use a serial port to
directly connect a Cisco router to other data terminal equipment (DTE) or data circuit-terminating equipment
(DCE) devices. You would also use a serial port to connect a router to a Channel Service Unit/Data Service
Unit (CSU/DSU).
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices: Management Interface Use
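The following Cisco IOS configuration is an added example, not part of the original question bank, illustrating the in-band versus out-of-band distinction above: the VTY lines (in-band) are limited to SSH from a management subnet, while the console (out-of-band) keeps local login and the unused AUX port is disabled. The subnet 10.10.10.0/24, the domain name and the ACL name are assumed values.

```cisco
! Added example (assumed values): harden in-band VTY access
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the assumed management subnet may open VTY sessions
ip access-list standard MGMT-HOSTS
 permit 10.10.10.0 0.0.0.255
!
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 login local
!
! Out-of-band access: console stays available for ROMmon/recovery work
line con 0
 exec-timeout 5 0
 login local
!
! AUX port is not used here, so disable EXEC and all transports on it
line aux 0
 no exec
 transport input none
```

Verify with show running-config | section line and show ip ssh after applying; Telnet attempts to the VTY lines should then be refused.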

QUESTION 7
Which of the following enables the validation of both user and device credentials in a single EAP
transaction? (Select the best answer.)

A. PEAP
B. EAP-FAST
C. EAP-FAST with EAP chaining
D. EAP-MD5

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) with EAP
chaining, which is also sometimes called EAP-FAST version 2 (EAP-FASTv2), enables the validation of both
user and device credentials in a single EAP transaction. EAP chaining enables a Cisco security device to
validate authentication credentials for both a user and the user’s device. In order to enable EAP chaining,
both the Cisco security device and the supplicant device must support EAP chaining. The Cisco security
device will assign a different level of authorization access depending on one of four success and failure
possibilities, as shown in the following table:

EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired
and wireless links. The EAP-FAST authentication process consists of three phases. The first phase, which is
optional and is considered phase 0, consists of provisioning a client with a PAC, which is a digital credential
that is used for authentication. A PAC can be manually configured on a client, in which case phase 0 is not
required. The second phase, which is referred to as phase 1, involves creating a secure tunnel between the
client and the server. The final phase, which is referred to as phase 2, involves authenticating the client. If
the client is authenticated, the client will be able to access the network.
EAP-Transport Layer Security (TLS) is an Internet Engineering Task Force (IETF) standard that is defined in
Request for Comments (RFC) 5216. It does not support EAP chaining. Protected EAP (PEAP) is an open
standard developed by Cisco, Microsoft, and RSA; it does not support EAP chaining.
EAP-Message Digest 5 (MD5) uses an MD5 hash function to provide security and is therefore considered
weak when compared to later methods. EAP is an IETF standard that was originally defined in RFC 2284; it
does not support EAP chaining.
Reference:
Cisco: Cisco Identity Services Engine Administrator Guide, Release 1.3: Allowed Protocols

QUESTION 8
Which of the following features protects the control plane by classifying traffic into three separate control
plane subinterfaces? (Select the best answer.)

A. CoPP
B. CPPr
C. RBAC
D. uRPF

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Control Plane Protection (CPPr) protects the control plane by classifying control plane traffic into three
separate subinterfaces: the host subinterface, the transit subinterface, and the Cisco Express Forwarding
(CEF) exception subinterface. The host subinterface contains control plane IP traffic that is destined for a
router interface, including traffic from the following sources and protocols:
- Terminating tunnels
- Secure Shell (SSH)
- Simple Network Management Protocol (SNMP)
- Internal Border Gateway Protocol (iBGP)
- Enhanced Interior Gateway Routing Protocol (EIGRP)

The transit subinterface contains control plane IP traffic that is traversing the router, including the following
traffic:
- Nonterminating tunnel traffic
- Traffic that is software-switched by the route processor

The CEF-exception subinterface contains control plane traffic that is redirected by CEF for process
switching, as well as traffic from the following sources and protocols:

- Non-IP hosts
- Address Resolution Protocol (ARP)
- External BGP (eBGP)
- Open Shortest Path First (OSPF)
- Label Distribution Protocol (LDP)
- Layer 2 keepalives

CPPr is used to protect the control plane by filtering and rate limiting traffic in order to prevent excessive
CPU and memory consumption. To configure CPPr, you must perform the following steps:
- Create access control lists (ACLs) to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the specific control plane subinterface.

Control Plane Policing (CoPP) is similar to CPPr, except CoPP does not separate control plane traffic into
three subinterfaces. To configure CoPP, you must perform the following steps:
- Create ACLs to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the control plane interface.

Both CoPP and CPPr use class maps to filter and rate-limit traffic. However, CPPr separates control plane
traffic into three subinterfaces: the host subinterface, the transit subinterface, and the Cisco Express
Forwarding (CEF) exception subinterface. For this reason, Cisco recommends that you use CPPr instead of
CoPP whenever possible.
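The four CPPr steps listed above, carried through as an added Cisco IOS configuration example (not from the original question bank): ACLs identify management traffic from an assumed 10.0.0.0/24 subnet, class maps match the ACLs, a policy map rate-limits each class, and the policy is attached to the host control plane subinterface. The ACL, class and policy names and the police rates are assumed values chosen for illustration.

```cisco
! Step 1: ACLs identify the traffic (assumed management subnet 10.0.0.0/24)
ip access-list extended CPPR-HOST-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
!
! Anything else arriving for the router itself falls into this catch-all
ip access-list extended CPPR-HOST-OTHER
 permit ip any any
!
! Step 2: class maps reference the ACLs
class-map match-all CPPR-HOST-MGMT-CLASS
 match access-group name CPPR-HOST-MGMT
class-map match-all CPPR-HOST-OTHER-CLASS
 match access-group name CPPR-HOST-OTHER
!
! Step 3: policy map rate-limits each class (rates in bps, assumed values)
policy-map CPPR-HOST-POLICY
 class CPPR-HOST-MGMT-CLASS
  police 512000 conform-action transmit exceed-action drop
 class CPPR-HOST-OTHER-CLASS
  police 64000 conform-action transmit exceed-action drop
!
! Step 4: apply to the host subinterface (CPPr); plain CoPP would instead
! use "control-plane" with no subinterface keyword
control-plane host
 service-policy input CPPR-HOST-POLICY
```

show policy-map control-plane host reports per-class conformed and exceeded counters, which is where a sustained flood against the management plane becomes visible.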
Role-Based Access Control (RBAC) does not protect the control plane. RBAC protects the management
plane by granting limited access to administrators so that they can perform only the tasks required for their
job. For example, you can configure permissions on an administrator's account so that the administrator
can issue only certain commands, which will prevent the administrator from making unauthorized
configuration changes or from viewing restricted information.
Unicast Reverse Path Forwarding (uRPF) does not protect the control plane. uRPF protects the data plane
by checking the source IP address of a packet to determine whether an inbound packet arrived on the best
path back to the source based on routing table information. If the uRPF check passes, the packet is
transmitted; if the uRPF check fails, the packet is dropped.
Reference:
Cisco: Control Plane Protection

QUESTION 9
Which of the following is an output-spreading technique that spammers use to manipulate reputation scores
and defeat filters? (Select the best answer.)

A. phishing
B. snowshoe spam
C. waterfalling
D. listwashing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, snowshoe spam is an output-spreading technique that spammers use to
manipulate reputation scores and defeat filters. Snowshoe spammers establish many false company
names and identities, often with unique post office addresses and telephone numbers, so that reputation
filters do not perceive the source of the spam as a threat. In addition, the spam output is spread across
multiple IP addresses and domain names in order to defeat blacklists.
The Cisco Context Adaptive Scanning Engine (CASE) on a Cisco Email Security Appliance (ESA) is a
contextual analysis technology that is intended to detect email threats, such as snowshoe spam, as they are
received. CASE checks the reputation of email senders, scans the content of email messages, and
analyzes the construction of email messages. As part of this process, CASE submits the email sender to
the Cisco SenderBase Network, which contains data on hundreds of thousands of email networks. The
sender is assigned a score based on this information. The content of the email messaging is scanned
because it could contain language, links, or a call to action that is indicative of a phishing scam.
Phishing is a social engineering technique in which a malicious person uses a seemingly legitimate
electronic communication, such as email or a webpage, in an attempt to dupe a user into submitting
personal information, such as a Social Security number (SSN), account login information, or financial
information. To mitigate the effects of a phishing attack, users should use email clients and web browsers
that provide phishing filters. In addition, users should also be wary of any unsolicited email or web content
that requests personal information. The CASE on a Cisco ESA appliance is capable of detecting phishing
scams.
Listwashing is a spammer technique of cleaning lists of email recipients who complain about spam but
without stopping the spam from being sent to other recipients who do not complain. Listwashing is similar to
an opt-out address policy, meaning that email addresses are included in the list without the permission of the
email address owner and only removed if the owner complains.
Waterfalling is a spammer technique of cleaning lists of email recipients by sending the lists through
multiple email service providers. Spammers with bad lists use this technique to uncover email addresses
that bounce or that result in complaints against the spammer. The spammer can then remove those email
addresses from the list, which increases the likelihood that spam will be delivered to the remaining
recipients.
Reference:
Cisco: Cisco Email Security Appliance Data Sheet
Spamhaus: Frequently Asked Questions (FAQ): Snowshoe Spamming

QUESTION 10
You are configuring dynamic PAT on a Cisco ASA 5500 using the CLI. The ASA is running software version
8.3.
Which of the following IP addresses can you configure inline? (Select the best answer.)

A. inside global
B. outside global
C. inside local
D. outside local

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can configure an inside global address inline if you are configuring dynamic Port Address Translation
(PAT) on a Cisco Adaptive Security Appliance (ASA) using the command-line interface (CLI). A global
address is a source or destination IP address as seen from the perspective of a host on the outside
network. An inside global address is an IP address that represents an internal host to the outside network;
it can be configured inline by using the nat command or defined within a network object.
On a Cisco ASA, a network object is a data structure that is used in place of inline IP information. You might
use a network object in place of configuring IP addresses, subnet masks, protocols, and port numbers if
you must configure that same information in multiple places. If the information you configure within the
object ever changes, you then need only modify the single object instead of locating and modifying each
instance of the inline IP information.
An object group is simply a group of network objects. By grouping network objects, you can enable the use
of a single application control engine (ACE) to make requests of multiple devices.
Inside global addresses are typically public IP addresses assigned by the administrator of the outside
network. Dynamic PAT can translate many inside local IP addresses to a single inside global IP address. In
ASA terms, the inside global address is also known as the mapped address, because it is the IP address
that you want to map to.
You are more likely to configure an inside local address in a network object or object group, not inline. A
local address is a source or destination IP address as seen from the perspective of a host on the inside
network. An inside local address is an IP address that represents an internal host to the inside network.
Inside local addresses are typically private IP addresses defined by Request for Comments (RFC) 1918.
When a NAT router receives a packet from a local host destined for the Internet, the router changes the
inside local address to an inside global address and forwards the packet to its destination.
You would not necessarily configure an outside local address in this scenario. An outside local address is
an IP address that represents an external host to the inside network. The outside local address is often the
same as the outside global address, particularly when inside hosts attempt to access resources on the
Internet. However, in some configurations, it is necessary to configure a NAT translation that allows a local
address on the internal network to identify an outside host.
You would not configure an outside global address in this scenario. An outside global address is an IP
address that represents an external host to the outside network. Outside global addresses are typically
public IP addresses assigned to an Internet host by the host’s operator. The outside global address is
usually the address registered with the Domain Name System (DNS) server that maps a host’s public IP
address to a friendly name, such as www.example.com.
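An added ASA 8.3 object NAT example (not from the original question bank) showing the two forms the explanation contrasts: the inside local network is always a network object, while the inside global (mapped) address is given inline in the first variant and as a second network object in the alternative. The 10.1.1.0/24 inside network and the 203.0.113.5 mapped address are assumed values.

```cisco
! Inside local addresses live in a network object (assumed 10.1.1.0/24)
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 ! Inside global address configured inline: many local hosts PAT to one mapped IP
 nat (inside,outside) dynamic 203.0.113.5
!
! Alternative: the same mapped address defined as its own network object,
! so a later change to the public IP is made in one place only
object network PAT-ADDR
 host 203.0.113.5
object network INSIDE-NET
 nat (inside,outside) dynamic PAT-ADDR
!
! Third variant: PAT to the outside interface address itself
object network INSIDE-NET
 nat (inside,outside) dynamic interface
```

Only one nat statement can be active inside a given network object, so the three variants above are alternatives, not a cumulative configuration; show nat and show xlate confirm which translation is in effect.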
Reference:
Cisco: Cisco ASA 5500 Series Configuration Guide Using the CLI, 8.3: Configuring Dynamic PAT (Hide)

QUESTION 11
Your company’s active ASA currently shares its stateful failover link with a regular data interface. Your
supervisor asks you to configure a failover key on both the active ASA and the standby ASA.
Which of the following is most likely the reason? (Select the best answer.)

A. so that the risk of exposure of VPN configuration information is mitigated
B. so that both ASA devices forward traffic for a given group of security contexts
C. so that the active ASA can monitor the status of the standby ASA
D. so that the stateful failover link cannot use a regular data interface

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you would configure a failover key on both the active Cisco Adaptive Security Appliance (ASA)
and the standby ASA so that the risk of exposure of virtual private network (VPN) configuration is mitigated.
An ASA can share its stateful failover link with a regular data interface only when the unit is operating in
single context, routed mode. However, Cisco strongly recommends using a dedicated Ethernet interface or
sharing a LAN failover link instead because stateful failover traffic can increase the possibility of congestion
and can negatively impact the performance of the shared data interface. In addition, all LAN failover and
stateful failover information is transmitted as clear text by default. Therefore, sharing the stateful failover link
with a regular data interface can unnecessarily expose VPN configuration information, such as user names,
passwords, and preshared keys (PSKs) to malicious users on the shared network segment. You can
mitigate this risk by configuring a failover key on both the active unit and the standby unit to protect failover
information.
You would not configure a failover key so that the active ASA can monitor the status of the standby ASA. An
ASA can be configured to participate in either an active/standby or an active/active failover configuration. In
an active/standby configuration, one ASA serves as the active unit and forwards traffic. A second ASA
functions as a standby unit, which monitors the status of the active unit. If a failover event is triggered, the
standby unit takes on the role of the active unit.
You would not configure a failover key so that both ASA devices forward traffic for a given group of security
contexts. An active/active failover configuration enables both ASAs to forward traffic for a select group of
security contexts. With active/active failover, two failover groups exist as security contexts on each ASA.
When a failover event is triggered, a failover group can become active on a standby unit or the entire
standby unit can become the new active unit. Because an active/active failover configuration relies on
security contexts, both ASAs must be in multiple context mode before active/active failover can be
implemented. The failover configuration for each unit in an active/active failover configuration is managed
from within the system context. Unlike user contexts, the system context does not contain any normal data
interfaces.
You would not configure a failover key so that the stateful failover link cannot use a regular data interface.
Instead, you would configure an ASA to operate in multiple context, routed mode or multiple context,
transparent mode. An ASA operating in multiple context, routed mode or multiple context, transparent mode
does not support using a regular data interface as the stateful failover link. When an ASA is operating in
multiple context mode, the stateful failover link resides in the system context, which does not contain any
regular data interfaces. Thus the stateful failover link cannot be a shared data link.
The implementation of the failover process between the active and standby units can be either stateless or
stateful. In a stateless failover implementation, the standby unit of a failover pair takes on the IP and Media
Access Control (MAC) addresses of the old active unit during a failover event. This mechanism enables
network clients to maintain their existing network configurations; however, because no network state
information is retained, the clients must reestablish their network connections through the new active unit.
By contrast, the active unit in a stateful failover implementation transmits certain types of state information
through a stateful failover link to the standby unit. This exchange of state information ensures that the
standby unit can preserve the state information for open connections during the failover process. Because
the state information is preserved, the impact of a failover event on network hosts with open connections
can be mitigated.
Reference:
Cisco: Information About High Availability: Stateful Failover Link

QUESTION 12
You have configured a BYOD implementation at a branch location, including an extended ACL named
DEFAULTACL on the Layer 2 ports of each access switch. BYOD clients are able to obtain IP addresses,
but connectivity to other network services seems to be sporadic or nonexistent, depending on the service.
You issue the show ip access-list command on the switch and receive the following partial output:
Extended IP access list DEFAULTACL
10 permit icmp any any
20 permit udp any eq bootpc any eq bootpc
30 permit udp any any eq tftp
40 deny ip any any log

According to Cisco BYOD best practices, which of the following should you perform on the ACL to fix the
problem? (Select the best answer.)

A. Add a rule to permit DNS traffic before rule 40.
B. Add a rule to deny ICMP traffic after rule 40.
C. Add a rule to deny TFTP traffic after rule 40.
D. Remove rule 40.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
According to Cisco best practices, you should add a rule to permit Domain Name System (DNS) traffic
before rule 40 in the access control list (ACL) that has been applied to the Layer 2 ports of the access
switch. In a Bring Your Own Device (BYOD) environment, 802.1X, Web Authentication (WebAuth), or
Media Access Control (MAC) Authentication Bypass (MAB) are used to authenticate and authorize the user
and the user’s associated device for network access. Once a wired device authenticates with the Cisco
Identity Services Engine (ISE), a downloadable ACL (dACL) is typically applied to the appropriate access
port on the Layer 2 switch to which the device is attached. Cisco recommends applying a default ACL to the
access ports of Layer 2 switches to mitigate situations where a configuration error might prevent a dACL
from being applied to the appropriate port during the authorization/authentication process. The default ACL
should permit Bootstrap Protocol (BOOTP), DNS, Trivial File Transfer Protocol (TFTP), and Internet Control
Message Protocol (ICMP). In addition, the default ACL should explicitly deny and log all other IP traffic. For
example, the following ACL complies with Cisco’s best common practices (BCP) as outlined in the BYOD
Design Guide:
switch(config)#ip access-list extended DEFAULTACL
switch(config-ext-nacl)#permit icmp any any
switch(config-ext-nacl)#permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)#permit udp any any eq domain
switch(config-ext-nacl)#permit udp any any eq tftp
switch(config-ext-nacl)#deny ip any any log
You do not need to add any rules after rule 40 in this scenario. In addition, you should not remove rule 40
from the ACL in this scenario. Rule 40 denies and logs all IP traffic that has not already been matched by
the preceding rules. Both ICMP traffic and TFTP traffic should be and already are permitted by the ACL.
Reference:
Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location
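As an added illustration (not part of the exam dump or of Cisco's BYOD guide), the following Python evaluator applies IOS first-match semantics to the default ACL above and shows that a DNS permit only helps when it is sequenced before the final deny. The packets, the sequence numbers 35 and 50, and the ACL text are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Named ports as IOS prints them in extended ACL output.
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69}


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "udp" or "tcp"
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src_port: Optional[int]
    dst_port: Optional[int]
    log: bool


def _port(tokens, i):
    """Parse an optional 'eq <port>' qualifier; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str):
    """Parse 'show ip access-list' style output (source/destination 'any' only) into Rules."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # skip the 'Extended IP access list ...' header line
        seq, action, proto, i = int(tokens[0]), tokens[1], tokens[2], 3
        if tokens[i] != "any":
            raise ValueError("only 'any' source addresses are supported in this demo")
        src_port, i = _port(tokens, i + 1)
        if tokens[i] != "any":
            raise ValueError("only 'any' destination addresses are supported in this demo")
        dst_port, i = _port(tokens, i + 1)
        rules.append(Rule(seq, action, proto, src_port, dst_port, "log" in tokens[i:]))
    return sorted(rules, key=lambda r: r.seq)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[int]]:
    """IOS first-match semantics: the lowest matching sequence wins; implicit deny otherwise."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# Constructed copy of the question's ACL (rule 20 written with bootps, as in the recommended ACL).
ORIGINAL_ACL = """
Extended IP access list DEFAULTACL
    10 permit icmp any any
    20 permit udp any eq bootpc any eq bootps
    30 permit udp any any eq tftp
    40 deny ip any any log
"""

# Answer A: a DNS permit sequenced before the final deny (sequence 35 is a constructed choice).
FIXED_ACL = ORIGINAL_ACL.replace("    40 deny", "    35 permit udp any any eq domain\n    40 deny")

# A permit placed after rule 40 is never reached, so it changes nothing.
LATE_FIX_ACL = ORIGINAL_ACL + "    50 permit udp any any eq domain\n"

DNS_QUERY = Packet("udp", src_port=49152, dst_port=53)      # constructed client query
DHCP_DISCOVER = Packet("udp", src_port=68, dst_port=67)     # bootpc -> bootps


def dns_verdict(acl_text: str):
    return evaluate(parse_acl(acl_text), DNS_QUERY)


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("late fix", LATE_FIX_ACL)]:
        print(f"{name:9s} DNS -> {dns_verdict(acl)}")
```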

QUESTION 13
You enable logging at the end of the session in Cisco FireSIGHT Management Center.
Which of the following is true? (Select the best answer.)

A. The log will contain less information than at the beginning of the session.
B. You will not be able to log connections handled by an SSL policy.
C. Information will be based on only the first few packets of a connection.
D. The log will contain information from throughout the course of a connection.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In Cisco FireSIGHT Management Center, the log will contain information from throughout the course of a
connection if you enable logging at the end of the session, which is also known as end-of-connection logging.
End-of-connection events are generated when a connection closes, times out, or can no longer be tracked
because of memory constraints. End-of-connection events contain significantly more information than
beginning-of-connection events because they can draw upon data collected throughout the course of a
connection. This additional information can be used to create traffic profiles, generate connection
summaries, or graphically represent connection data. In addition, the data can be used for detailed analysis
or to trigger correlation rules based on session data. End-of-connection events are also required to log
encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not
enough information in the first few packets to indicate that a connection is encrypted.
Beginning-of-connection events contain less information than end-of-connection events. Cisco FireSIGHT
Management Center, which was formerly called Sourcefire Defense Center, can log beginning-of-connection
events and end-of-connection events for various types of network traffic. Although most network traffic will
generate both kinds of events, blocked or blacklisted traffic is typically denied without further processing
and therefore only generates beginning-of-connection events. Beginning-of-connection events contain a limited
amount of information because they are generated based on the information contained in the first few
packets of a connection.
Reference:
Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections

QUESTION 14
Which of the following MPF elements can be used to configure Application layer protocol inspection?
(Select the best answer.)

A. a class map
B. a policy map
C. a service policy
D. a global policy
E. an extended access list
F. a standard access list
Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A policy map can be used to configure Application layer protocol inspection. Modular Policy Framework
(MPF) is a Cisco Adaptive Security Appliance (ASA) feature that provides a flexible method of enabling
security policies on an interface. This framework consists of three basic components: class maps, policy
maps, and service policies. A class map identifies a specific flow of traffic, a policy map determines the
action that will be performed on the traffic, and a service policy ties this action to a specific interface.
Application inspection is one of the actions that can be applied to traffic with a policy map. Services that
embed IP addresses in the packet or utilize dynamically assigned ports for secondary channels require
deep packet inspection, which is provided by Application layer protocol inspection. Some traffic, such as
File Transfer Protocol (FTP) traffic, might be dropped if inspection for that protocol is not enabled.
Application inspection can be configured within the global service policy and within an interface service
policy. Service policies can be applied to an individual interface or globally to all interfaces; if traffic
matches both an interface policy and a global policy, only the interface policy will be applied to that
particular traffic flow.
A class map cannot be used to configure Application layer protocol inspection. Class maps identify traffic by
matching a variable characteristic that you specify, such as traffic going to a unique IP address or traffic
using a specific port. Generally, each class map can contain only a single match statement, and a packet
can match only a single class map within the policy map of a particular feature type. For example, if a
packet matched a class map for FTP inspection and a class map for traffic policing, the ASA would apply
both policy map actions to the packet. However, if a packet matched a class map for FTP inspection and a
second, different class map that included FTP inspection, the ASA would apply only the actions of the first
matching policy map. Class maps are assigned to a policy map, which defines the action or actions to be
performed on the traffic.
A service policy cannot be used to configure Application layer protocol inspection. Service policies tie the
policy map to the interface and can be applied to an individual interface or globally to all interfaces; if traffic
matches both an interface policy and a global policy, only the interface policy will be applied to that
particular traffic flow. Service policies can be configured by using Cisco Adaptive Security Device Manager
(ASDM) or by command-line interface (CLI) configuration. Neither an extended access list nor a standard
access list can be used to configure Application layer protocol inspection. Access control lists (ACLs) can
be used to filter traffic based on a set of configured rules. You can create either standard or extended
ACLs. Whereas standard ACLs can be used to filter based only on source IP addresses, extended ACLs
can be used to filter based on source and destination IP addresses, protocols, and ports. A class map can
match traffic to an extended ACL that is specified as a parameter to the access-list keyword in a match
statement.
Reference:
Cisco: Using Modular Policy Framework: Information About Inspection Policy Maps
Cisco: Getting Started With Application Layer Protocol Inspection: Configuring Application Layer Protocol
Inspection

QUESTION 15
To which of the following are you most likely to connect to manage a Cisco router in ROMmon mode?
(Select 2 choices.)

A. an auxiliary port
B. a console port
C. a serial port
D. an Ethernet port
E. a VTY port

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, you are most likely to use either an auxiliary (AUX) port or a console port to
manage a Cisco router in read-only memory (ROM) monitor (ROMmon) mode. ROMmon is a management
mode that Cisco routers and switches revert to when the system cannot find a software image, the software
image is corrupted, or the configuration register has been set to manually enter ROMmon mode. Because
ROMmon is an out-of-band management method, it can be used to recover system software images,
passwords, or other configuration data even when the router or switch is in a state where it can no longer
forward packets. On a Cisco router, you could use either the console port or the AUX port for out-of-band
access if the router is in ROMmon mode. The AUX port on a Cisco router is typically capable of supporting
most of the features available on a console port. Cisco switches either do not have AUX ports or do not
support certain features, such as system recovery, on their AUX ports if they have them.
You are not likely to use a serial port, an Ethernet port, or a virtual terminal (VTY) port to manage a Cisco
router in ROMmon mode. Serial ports and Ethernet ports are used to directly connect Cisco routers to other
network devices. However, you cannot access ROMmon mode by using any of these ports. Management
applications and administrators who want to manage a Cisco device when it is operating in its normal state
could connect to the device by using VTY application protocols such as telnet or Secure Shell (SSH).
Reference:
Cisco: ROM Monitor: Entering the ROM Monitor

QUESTION 16
RADIUS and TACACS+ have which of the following in common? (Select the best answer.)

A. They communicate by using the same transport protocol.
B. They are AAA protocols.
C. They are Cisco-proprietary protocols.
D. They encrypt the entire packet.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial-In
User Service (RADIUS) are both Authentication, Authorization, and Accounting (AAA) protocols. However,
there are some important differences between TACACS+ and RADIUS.
TACACS+ encrypts the entire body of a packet and provides router command authorization capabilities.
TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) for transport during
AAA operations. TACACS+ provides more security and flexibility than other authentication protocols, such
as RADIUS, which is an open standard protocol commonly used as an alternative to TACACS+. Because
TACACS+ can be used to encrypt the entire body of a packet, users who intercept the encrypted packet
cannot view the user name or contents of the packet. In addition, TACACS+ provides flexibility by
separating the authentication, authorization, and accounting functions of AAA. This enables granular control
of access to resources. For example, TACACS+ gives administrators control over access to configuration
commands; users can be permitted or denied access to specific configuration commands. Because of this
flexibility, TACACS+ is used with Cisco Secure Access Control Server (ACS), which is a software tool that
is used to manage user authorization for router access.
RADIUS was developed as an Internet Engineering Task Force (IETF) standard protocol. Like TACACS+,
RADIUS is a protocol used with AAA operations. However, RADIUS uses User Datagram Protocol (UDP)
for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts only the password
of a packet; the rest of the packet would be viewable if the packet were intercepted by a malicious user.
With RADIUS, the authentication and authorization functions of AAA are combined into a single function,
which limits the flexibility that administrators have when configuring these functions. Furthermore, RADIUS
does not provide router command authorization capabilities.
Reference:
Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS

QUESTION 17
Which of the following is most likely to protect the availability component of the CIA triad? (Select the best
answer.)

A. data encryption
B. an IPS
C. a virus scanner
D. a VPN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, an Intrusion Prevention System (IPS) is most likely to protect the availability
component of the confidentiality, integrity, availability (CIA) triad. The availability component of the CIA triad
ensures the protection of systems against unplanned downtime as a result of security breaches. For
example, a Distributed Denial of Service (DDoS) attack is a security threat that attacks availability. An IPS
can help protect availability by ensuring that attacks and threats are detected and intercepted before they
have a chance to cause harm.
Data encryption and a virtual private network (VPN) protect confidentiality, not availability. The
confidentiality component of the CIA triad ensures that transmitted data cannot be read by an unauthorized
party if the data is intercepted before it reaches its destination. IP Security (IPSec), which is a security
protocol often used in VPNs, can use either Advanced Encryption Standard (AES) or Data Encryption
Standard (DES) to provide the confidentiality component of the CIA triad. Depending on the amount of
confidentiality desired, IPSec can use AES or DES with Encapsulating Security Payload (ESP) in either
transport mode or tunnel mode. In transport mode, ESP uses AES or DES to encrypt only the original
payload data and the resultant ESP trailer, leaving the original IP header unencrypted. The following
diagram illustrates the components of an ESP packet in transport mode:

A virus scanner protects integrity, not availability. The integrity component of the CIA triad ensures that
unauthorized parties have not modified data as it was transmitted over the network. Data integrity can also
be provided by using algorithms such as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) to
produce checksums on each end of a connection. If the data generates the same checksum value on each
end of the connection, the data was not modified in transit.
Reference:
Cisco: How to Secure Your Business (PDF)

QUESTION 18
Which of the following ISAKMP states indicates that the IKE peers have negotiated security parameters and
exchanged keys using aggressive mode during phase 1 of the IKE process? (Select the best answer.)

A. AG_INIT_EXCH
B. MM_KEY_EXCH
C. MM_SA_SETUP
D. QM_IDLE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The AG_INIT_EXCH Internet Security Association and Key Management Protocol (ISAKMP) state indicates
that the Internet Key Exchange (IKE) peers have negotiated security parameters and exchanged keys using
aggressive mode during phase 1 of the IKE process. Aggressive mode uses only three transactions to
perform the same IKE security negotiations that main mode performs in six transactions.
The QM_IDLE state does not indicate that the IKE peers have negotiated security parameters and
exchanged keys using aggressive mode during phase 1 of the IKE process. The QM_IDLE state indicates
that an IKE security association (SA) has been authenticated. You can issue the show crypto isakmp sa
command from privileged EXEC mode to determine the status of current IKE SAs on the router. You can
specify the active or standby keywords to limit the type of SA displayed in the output. Standby SAs are
present when fault tolerance is configured; however, they are inactive until a failover occurs. The status of
an IKE SA is reflected in the state field of the command output as shown below:
dst src state connid slot status
10.1.2.3 10.1.2.4 QM_IDLE 2 0 STDBY
10.3.2.1 10.3.2.4 QM_IDLE 1 0 ACTIVE

The QM_IDLE state indicates that IKE phase 1 negotiations have successfully completed and that an IKE
SA has been authenticated and is available for use. IKE SAs are used during the quick mode of the IKE
process, which is also referred to as IKE phase 2, to facilitate the creation of IP Security (IPSec) SAs. IPSec
SA status is not displayed by the show crypto isakmp sa command; you can issue the show crypto ipsec sa
command to determine the status of the IPSec SAs created during phase 2 negotiations.
The MM_SA_SETUP state does not indicate that the IKE peers have negotiated security parameters and
exchanged keys using aggressive mode during phase 1 of the IKE process. The MM_SA_SETUP state
indicates that the IKE peers are using main mode for phase 1 negotiations and that they have successfully
negotiated security parameters. IKE has two modes for phase 1 security negotiation: main mode and
aggressive mode. Main mode uses six transactions for IKE peers to negotiate security parameters,
generate a shared secret, and authenticate. Aggressive mode performs the same actions in three
consolidated transactions.
Similarly, the MM_KEY_EXCH state indicates that the IKE peers are using main mode for phase 1
negotiations; it does not indicate that the IKE peers have negotiated security parameters and exchanged
keys using aggressive mode during phase 1 of the IKE process. The MM_KEY_EXCH state indicates that
the IKE peers have exchanged keys and have generated a shared secret. IKE peers use the Diffie-Hellman
(DH) algorithm to exchange public keys and to generate a shared secret. The shared secret and public
keys are used during the authentication process, which is the final part of phase 1 main mode.
Reference:
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa

QUESTION 19
You have been asked to enable the Cisco IOS Resilient Configuration feature on a Cisco router. You issue
the following commands on the router:
Router#configure terminal
Router(config)#secure boot-image

Which of the following commands are you most likely to issue next to complete the configuration? (Select
the best answer.)

A. reload
B. confreg 0x2102
C. secure boot-config
D. secure boot-config restore

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you will next issue the secure boot-config command if you are enabling the Cisco IOS Resilient
Configuration feature on a Cisco router. The Resilient Configuration feature is designed to protect system
and configuration files from tampering and accidental deletion. You can issue the following block of
commands to enable the Resilient Configuration feature:
Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config
When the feature is enabled, the primary system image file and associated running configuration are
securely archived in local persistent storage; you cannot select a remote storage location. The secure boot-
image command enables the image resilience component of the Resilient Configuration feature and
effectively hides the system image from the directory structure. This means that the system image will no
longer be displayed when the dir command is issued from the command prompt of an EXEC shell; you can
issue the show secure bootset command to verify that the system image has been archived. In addition,
because the system image file is not copied to a secure location, extra storage is not required to secure it.
By contrast, the secure boot-config command creates a hidden copy of the running configuration file. The
secured versions of the system image and running configuration are referred to as the primary bootset.
Once the system image and running configuration have been secured, the router will track version
mismatches and produce a console message if the system image or running configuration have
mismatched versions. Once the Resilient Configuration feature is enabled, it can only be disabled from the
console.
You would not issue the confreg 0x2102 command. The confreg 0x2102 command configures the router to
load an IOS image from flash memory. This is the factory default setting on a Cisco router. You would not
issue the secure boot-config restore command. You would issue the secure boot-config restore filename
command, where filename is the filesystem and file name under which you want to save the restored file,
only if you were attempting to recover the hidden running configuration. The secure boot-config command
should be issued from global configuration mode.
You would not issue the reload command. The reload command reloads the startup configuration into the
running configuration. Issuing the reload command is not required to enable the Cisco IOS Resilient
Configuration feature.
Reference:
Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration

QUESTION 20
Which of the following threats has a dedicated FirePOWER preprocessor engine? (Select the best answer.)

A. Back Orifice
B. distributed port scan
C. port sweep
D. SYN flood

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices provided, only Back Orifice is a threat that has a dedicated FirePOWER preprocessor
engine. A FirePOWER Intrusion Prevention System (IPS) has several predefined preprocessor engines that
can be used in network policies to detect specific threats; the preprocessors focus on detecting Back
Orifice attacks, detecting port scan attacks, preventing rate-based attacks, and detecting sensitive data.
Back Orifice and its variants exploit a vulnerability in Microsoft Windows hosts to gain complete
administrative control of the host. Back Orifice traffic can be identified by the presence of a specific token,
known as a magic cookie, in the first eight bytes of a User Datagram Protocol (UDP) packet.
The rate-based prevention preprocessor detects traffic abnormalities, including SYN flood attacks, based on
the frequency of certain types of traffic. The following traffic patterns can trigger rate-based attack
prevention:

- Traffic containing excessive incomplete Transmission Control Protocol (TCP) connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

Distributed port scan traffic and port sweep traffic can be detected by the portscan detection preprocessor.
Port scanning traffic can be an indicator that an attacker is conducting network reconnaissance prior to an
attack. Although legitimate port scanning traffic can periodically exist on a network, the portscan detection
preprocessor can distinguish between legitimate scanning and potentially malicious traffic based on the
activity patterns found in the analysis of port scanning traffic.
Reference:
Cisco: Detecting Specific Threats: Detecting Back Orifice

QUESTION 21
Which of the following devices are least likely to deny a connection inline when an attack is detected?
(Select 2 choices.)

A. an IPS
B. a router
C. an IDS
D. a Layer 3 switch
E. a Layer 2 switch
Correct Answer: CE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Layer 2 switch and an Intrusion Detection System (IDS) are least likely to deny a connection inline when
an attack is detected. An IDS is a network monitoring device that does not sit inline with the flow of network
traffic; an IDS passively monitors a copy of network traffic, not the actual packet. Typically, an IDS has one
promiscuous network interface attached to each monitored network. A promiscuous device listens to all
data flowing past it regardless of the destination. Because traffic does not flow through the IDS, the IDS
cannot mitigate single-packet attacks and is unable to directly block malicious traffic, like a virus, before it
passes onto the network. However, an IDS can actively send alerts to a management station when it
detects malicious traffic.
A Layer 2 switch is a device that operates at Layer 2 of the Open Systems Interconnection (OSI) network
model. Although a Layer 2 switch can implement security controls, such as port security and virtual LAN
(VLAN) access control lists (ACLs), a Layer 2 switch by itself is not typically configured to detect and
mitigate external security threats.
An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network
traffic and blocking malicious traffic, such as an atomic or single-packet attack, before it passes onto the
network. Blocking an attack inline can prevent the attack from spreading further into the network. An IPS
requires at least two interfaces for each monitored network: one interface listens to traffic entering the IPS,
and the other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it
passes traffic through to destinations on the same subnet; an IPS cannot route to destinations on a
different subnet. An interface of an IPS can be put in promiscuous mode; when this happens, the device
operates as an IDS on that interface. However, an IPS does not require that a physical interface be in
promiscuous mode in order to monitor network traffic.
A router is a device that connects multiple subnets of the same or different networks and passes
information between them. The functionality of a router can vary depending on the size of the network on
which it is deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a
router to integrate IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS
capabilities can be installed to provide IPS functionality at the software level. A router operating as an IPS
can serve as a part of the network security structure as well as a bridge between two segments of the
network.
A Layer 3 switch is a device that can operate at both Layer 2 and Layer 3 of the OSI model. Layer 3
switches perform switching operations at Layer 2 but are also capable of forwarding traffic at Layer 3.
Although a Layer 3 switch by itself is not typically configured to detect and mitigate external security threats,
some chassis-based Layer 3 switches, such as Cisco Catalyst 6500 series switches, support hardware
modules that can provide IPS functionality.
Reference:
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 22
Which of the following traffic can be statefully inspected by Cisco IOS ZFW? (Select the best answer.)

A. IPv6 unicast traffic
B. IPv6 multicast traffic
C. IPv4 unicast traffic
D. IPv4 multicast traffic

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In a Cisco IOS zone-based policy firewall (ZFW) configuration, IP version 4 (IPv4) unicast traffic can be
statefully inspected. As of IOS ZFW 12.4(15), ZFW is not capable of stateful inspection of any type of IPv6
traffic, nor is it capable of stateful inspection of IPv4 multicast traffic. ZFW is the latest iteration of Cisco’s
stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With
ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. By
default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same
zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is
implicitly blocked by default when the interface is assigned to a zone, but there are a few exceptions. Traffic
to or from other interfaces in the same zone is permitted as is traffic to or from the router itself.
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly
permit traffic between zones. The basic process is as follows:
1. Define the required zones.
2. Create zone-pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone-pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone-pairs.
6. Assign interfaces to their appropriate zones.
Inspection rules can be created for a large number of traffic types, including the following:
- Domain Name System (DNS)
- Internet Control Message Protocol (ICMP)
- Network Basic Input/Output System (NetBIOS)
- Sun Remote Procedure Call (RPC)

However, stateful inspection of multicast traffic, such as Internet Group Management Protocol (IGMP), is
not supported by ZFW and must be handled by other security features, such as Control Plane Policing
(CoPP).
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Introduction
Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall

QUESTION 23
Which of the following are Cisco IOS privilege levels that are not typically assigned by default? (Select 3
choices.)

A. 1
B. 5
C. 7
D. 10
E. 15

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, privilege levels 5, 7, and 10 are custom privilege levels and are not typically
assigned by default. Privilege levels can be used to limit the IOS commands that a user can access.
However, you are limited to 16 privilege levels, some of which are used by default by the IOS. For example,
privilege levels 1 and 15 are default IOS privilege levels. Privilege level 1 allows a user to issue any
command that is available at the user EXEC > prompt. Privilege level 15 allows a user to issue any
command that is available at the privileged EXEC # prompt. The highest level of access on a Cisco router is
provided by IOS privilege level 15.
Each privilege level is associated with a list of commands that are available at that level. Users assigned to
a privilege level have access to all of the commands at that privilege level and all lower privilege levels.
Changing the commands that are available to a privilege level might provide access to a user who should
not be allowed access to the command, or it might restrict access to another user who should be allowed
access to the command.
Because the default privilege level for a newly created local user account is 1, a newly created user will
always have access to the disable, enable, exit, help, and logout commands; these commands are
associated with a privilege level of 0. However, per-user privilege levels can sometimes conflict with the
privilege levels set for virtual terminal (VTY) interfaces. In the event of a conflict, per-user privileges override
the privileges configured for the VTY line causing the conflict.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 11, Custom Privilege Levels, p. 287
Cisco: IOS Privilege Levels Cannot See Complete Running Configuration: Privilege Levels

QUESTION 24
A Cisco ASA queries an LDAP server for a VPN user OU attribute of bsnsw and receives multiple results.
Which of the following is the ASA most likely to match? (Select the best answer.)
A. the last result in the list of results containing the attribute
B. the first result in the list of results containing the attribute
C. the most specific result in the list of results containing the attribute
D. the shortest result in the list of results beginning with the lowest alphanumeric character

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices provided, the Cisco Adaptive Security Appliance (ASA) is most likely to match the shortest
Lightweight Directory Access Protocol (LDAP) result beginning with the lowest alphanumeric character in
the list of results containing the organizational unit (OU) attribute of bsnsw. When using LDAP attribute
maps on an ASA, there is a limit on the number of Active Directory (AD) multivalued attributes matched by
an LDAP attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users
based on specified AD attributes, such as group membership or department name. If an LDAP query
returns a multivalued attribute, such as the list of groups of which a user is a member, the ASA will match
only one of the returned values to the appropriate group policy. The ASA will select the matching group
policy with the least number of characters in the name and that starts with the lowest alphanumeric
character.
The following sample output from a running configuration defines five group policy mappings:

ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1

The ldap attribute-map ExampleMap command creates an LDAP attribute map named ExampleMap. The
LDAP attribute map contains a map-name statement, which maps the AD memberOf attribute to the ASA
Group-Policy attribute, and a series of map-value commands, which map matching LDAP response strings to
ASA attributes. The map-value commands specify the mapping between AD group membership attributes in
an LDAP response and the ASA group policy to which they should be applied. When the ASA receives a
reply to an LDAP authorization query for the VPN user in this scenario, the following multiattribute response
is compared to the map-value statements in the LDAP attribute map:

memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com

If an LDAP query returns a multivalued attribute, the ASA will match only one of the returned values to the
appropriate group policy. The ASA will select the matching group policy with the least number of characters
in the name and that starts with the lowest alphanumeric character. In this scenario, four of the five
configured map-value statements will match the LDAP query response. Because the group policies in the
matched statement have names of identical length, the ASA will select the name based on its alphabetical
preference. Alphabetically, the name Group1 comes before any of the other matching group policy names:
Group3, Group4, and Group5.
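The selection rule above, applied to the ExampleMap attribute map and the four memberOf values returned for the user, as an added Python example that is not part of the original explanation or of any Cisco code; the parser, the configuration listing and the LDAP response are constructed here, and ordering names of equal length by their full string (rather than only by their first character) is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the ExampleMap attribute map from the explanation,
# laid out as it would appear in an ASA running configuration.
ATTRIBUTE_MAP_CONFIG = """\
ldap attribute-map ExampleMap
  map-name memberOf Group-Policy
  map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
  map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
  map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
  map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
  map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
"""

# Constructed sample: the multivalued memberOf attribute returned for the VPN user.
LDAP_MEMBER_OF = [
    "CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com",
    "CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com",
]

MAP_NAME_RE = re.compile(r"^\s*map-name\s+(\S+)\s+(\S+)\s*$")
MAP_VALUE_RE = re.compile(r"^\s*map-value\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_attribute_map(config: str) -> Dict[str, Dict[str, str]]:
    """Parse map-value lines into {ldap_attribute: {ldap_value: asa_value}}.

    Only attributes that also carry a map-name line are kept: a map-value
    without a map-name is not tied to any ASA attribute.
    """
    named = set()
    values: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        m = MAP_NAME_RE.match(line)
        if m:
            named.add(m.group(1))
            continue
        m = MAP_VALUE_RE.match(line)
        if m:
            values.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {attr: vals for attr, vals in values.items() if attr in named}


def select_group_policy(mapping: Dict[str, str], returned: List[str]) -> Optional[str]:
    """Apply the rule from the explanation to a multivalued attribute.

    Every returned value that exactly matches a map-value string is a
    candidate. Among the candidates the group-policy name with the fewest
    characters wins; names of equal length are ordered by their leading
    character. Ordering by the full string is an assumption that only
    matters when two candidates share both length and first character.
    """
    candidates = [mapping[value] for value in returned if value in mapping]
    if not candidates:
        return None
    return min(candidates, key=lambda name: (len(name), name))


def resolve_vpn_user(config: str, member_of: List[str]) -> Optional[str]:
    """Config text plus the LDAP memberOf values -> the group policy the ASA applies."""
    by_value = parse_attribute_map(config).get("memberOf", {})
    return select_group_policy(by_value, member_of)
```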
Reference:
Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ

QUESTION 25
Which of the following is a type of phishing attack that specifically targets high-ranking corporate executives?
(Select the best answer.)

A. vishing
B. pharming
C. whaling
D. dumpster diving

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Whaling is a type of spear phishing attack used to retrieve sensitive information from high-ranking
executives of a corporation. Phishing is a social engineering technique in which a malicious person uses a
seemingly legitimate electronic communication, such as email or a webpage, in an attempt to dupe a user
into submitting personal information, such as a Social Security number (SSN), account login information, or
financial information. Spear phishing is a form of phishing that targets specific individuals. Spear phishing is
considered whaling when it specifically targets high-ranking executives of a corporation, such as chief
executive officers (CEOs) or chief financial officers (CFOs). To mitigate the effects of a phishing attack,
users should use email clients and web browsers that provide phishing filters. In addition, users should also
be wary of any unsolicited email or web content that requests personal information.
Pharming is another form of phishing that is used to retrieve sensitive information by directing users to fake
websites. Malicious users can direct users to fake websites through Domain Name System (DNS)
poisoning or host file manipulation. Both DNS and host files are used to cross-reference Uniform Resource
Locators (URLs) and IP addresses. When a user specifies a URL, either a DNS server or the local host file
converts it to an IP address so that requests can be forwarded to the correct location. Both a DNS server
and a host file can be altered so that users are directed to websites that appear authentic but instead are
used for malicious information gathering. These phony websites often ask users for passwords or other
sensitive information. A pharming attack is not effective unless a user voluntarily provides information to the
website.
Like whaling and pharming, vishing is another form of phishing that is used to obtain sensitive information.
Vishing accomplishes its goal through the use of voice communication networks. Perpetrators of vishing
attacks use a variety of methods to retrieve information. For example, an attacker might spoof phone
numbers of legitimate businesses in order to deceive a victim. An attacker might also use a misleading
voice or email message that instructs the potential victim to contact a phony call center that is masked as a
legitimate business. After telephone communications are established, the perpetrators will attempt to coax
sensitive information from users, such as credit card or bank account numbers.
Dumpster diving is an attack in which malicious users obtain information that has been thrown in the trash.
Dumpster divers seek to recover discarded documents that might contain sensitive information such as
account login credentials, passwords, or bank account numbers. To prevent unauthorized users from
obtaining information from discarded documents, individuals and companies should shred documents
containing confidential data before disposing of such documents.
Reference:
Trend Micro: whale phishing

QUESTION 26
The Serial 0/0 interfaces on Router1 and Router2 are directly connected on the 192.168.51.48/30 network.
You issue the following commands on Router1:
interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 1
 area 0 authentication

You issue the following commands on Router2:

interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

Router1 and Router2 do not form an OSPF adjacency.


Which of the following is most likely the problem? (Select the best answer.)

A. an OSPF area mismatch
B. an OSPF authentication mismatch
C. an OSPF process ID mismatch
D. an OSPF router ID mismatch

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, an Open Shortest Path First (OSPF) area mismatch is most likely the reason that
Router1 and Router2 do not form an adjacency in this scenario. In order to establish an adjacency, OSPF
routers must be configured with the same area ID, Hello timer value, Dead timer value, and authentication
password. In this scenario, the Serial 0/0 interface on Router1 has been configured to operate in area 1.
The Serial 0/0 interface on Router2 has been configured to operate in area 0, which is also known as the
backbone area.
A mismatched process ID will not prevent an OSPF router from establishing an adjacency with a neighbor.
An OSPF process ID is used to identify the OSPF process only to the local router. In this scenario, the
router ospf 1 command has been issued on Router1, which configures Router1 with an OSPF process ID of
1. The router ospf 2 command has been issued on Router2, which configures Router2 with an OSPF
process ID of 2.
Although a mismatched authentication key or a mismatched authentication type could cause two OSPF
routers to not form an adjacency, the OSPF authentication type and key in this scenario are correctly
configured. The Serial 0/0 interface on Router1 is configured to use an authentication key of b0s0n. The
Serial 0/0 interface on Router2 is also configured to use an authentication key of b0s0n. In addition, each
router's OSPF process is configured to use plaintext authentication in OSPF Area 0. If the correct area were
configured between the Serial 0/0 interfaces on the routers, OSPF authentication would succeed.
OSPF router IDs should never match between routers. A router ID is a unique 32-bit identifier that resembles
an IP address. A router ID conflict could cause routers to not form an adjacency. If you do not manually
configure a router ID on an OSPF router, then the router ID is the highest IP address configured among
loopback interfaces on the router, even if a physical interface is configured with a higher IP address. Cisco
recommends using a loopback interface instead of a physical interface for the router ID; a loopback
interface is never in the down state, so OSPF is considered to be more stable when the router ID is
configured from the IP address of a loopback interface. In this scenario, the router IDs on Router1 and
Router2 have been manually configured by using the router-id ip-address command.
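An added Python check (not part of the original explanation or of Cisco IOS) that parses the two router configurations from the question, works out which area each end of the 192.168.51.48/30 link is placed in by its network statements, and only then compares area-level authentication and keys; the interface addresses .49 and .50 and the "most specific network statement wins" rule are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples: the two configurations from the question, as entered.
ROUTER1_CONFIG = """\
interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 1
 area 0 authentication
"""

ROUTER2_CONFIG = """\
interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication
"""

# Assumed addresses on the /30 link; the question gives only the subnet.
ROUTER1_SERIAL_IP = "192.168.51.49"
ROUTER2_SERIAL_IP = "192.168.51.50"

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+(\S+)\s+area\s+(\S+)\s*$")
AUTH_KEY_RE = re.compile(r"^\s*ip ospf authentication-key\s+(\S+)\s*$")
AREA_AUTH_RE = re.compile(r"^\s*area\s+(\S+)\s+authentication(\s+message-digest)?\s*$")

Network = Tuple[str, str, str]  # (network, wildcard, area)


def parse_ospf(config: str) -> Dict[str, object]:
    """Collect network statements, the plaintext key and per-area authentication."""
    networks: List[Network] = []
    auth_key: Optional[str] = None
    area_auth: Dict[str, str] = {}
    for line in config.splitlines():
        m = NETWORK_RE.match(line)
        if m:
            networks.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = AUTH_KEY_RE.match(line)
        if m:
            auth_key = m.group(1)
            continue
        m = AREA_AUTH_RE.match(line)
        if m:
            area_auth[m.group(1)] = "message-digest" if m.group(2) else "plaintext"
    return {"networks": networks, "auth_key": auth_key, "area_auth": area_auth}


def area_for_address(networks: List[Network], address: str) -> Optional[str]:
    """Area assigned to an interface address by the network statements.

    A statement matches when the address agrees with the network on every
    bit that is 0 in the wildcard mask. If several match, the most specific
    one (fewest wildcard bits) is assumed to win.
    """
    ip = int(ipaddress.IPv4Address(address))
    best: Optional[Tuple[int, str]] = None
    for net, wildcard, area in networks:
        w = int(ipaddress.IPv4Address(wildcard))
        n = int(ipaddress.IPv4Address(net))
        if (ip & ~w) == (n & ~w):
            bits = bin(w).count("1")
            if best is None or bits < best[0]:
                best = (bits, area)
    return best[1] if best else None


def check_link(cfg_a: str, ip_a: str, cfg_b: str, ip_b: str) -> List[str]:
    """List mismatches that keep two directly connected peers from adjacency.

    Process IDs and router IDs are deliberately not compared: the process ID
    is local to each router and router IDs are expected to differ.
    """
    a, b = parse_ospf(cfg_a), parse_ospf(cfg_b)
    area_a = area_for_address(a["networks"], ip_a)
    area_b = area_for_address(b["networks"], ip_b)
    if area_a is None or area_b is None:
        return ["interface not covered by any network statement"]
    if area_a != area_b:
        # Nothing else is comparable until both ends of the link sit in one area.
        return [f"area mismatch: {area_a} vs {area_b}"]
    problems: List[str] = []
    type_a, type_b = a["area_auth"].get(area_a), b["area_auth"].get(area_b)
    if type_a != type_b:
        problems.append(f"authentication type mismatch in area {area_a}: {type_a} vs {type_b}")
    elif type_a == "plaintext" and a["auth_key"] != b["auth_key"]:
        problems.append("authentication key mismatch")
    return problems
```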
Reference:
Cisco: Sample Configuration for Authentication in OSPF: Configurations for Plain Text Authentication

QUESTION 27
EAP-FASTv2 implemented a requirement to support which of the following cryptographic protocols? (Select
the best answer.)

A. TLS 1.0
B. TLS 1.1
C. TLS 1.2
D. TLS 1.3

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling Version 2 (EAP-FASTv2)
implemented a requirement to support Transport Layer Security (TLS) 1.2. EAP-FAST is an authentication
protocol that can be used for point-to-point connections and for both wired and wireless links. EAP-FAST
Version 1 (EAP-FASTv1) supported TLS 1.0 and higher. However, EAP-FASTv2 made support of TLS 1.2 a
requirement, thereby providing EAP-FASTv2 with a stronger encryption algorithm than EAP-FASTv1.
The EAP-FAST authentication process consists of three phases. The first phase, which is optional and is
considered phase 0, consists of provisioning a client with a Protected Access Credential (PAC), which is a
digital credential that is used for authentication. A PAC can be manually configured on a client, in which
case phase 0 is not required. The second phase, which is referred to as phase 1, involves creating a secure
tunnel between the client and the server. The final phase, which is referred to as phase 2, involves
authenticating the client. If the client is authenticated, the client will be able to access the network.
Neither EAP-FASTv1 nor EAP-FASTv2 is specifically required to support TLS 1.3. TLS 1.3 is a working draft
that is based on TLS 1.2. Some of the proposed changes to TLS in TLS 1.3 include the removal of support
for Elliptic Curve Cryptography (ECC), Message Digest 5 (MD5), and Secure Hash Algorithm 224
(SHA-224).
Reference:
IETF: Flexible Authentication via Secure Tunnel Extension Authentication Protocol (EAP-FAST) Version 2:
1.2. Major Differences from Version 1

QUESTION 28
You issue the show ntp associations detail command on Router2 and receive the following output:
Router2#show ntp associations detail
10.0.12.1 configured, authenticated, our_master, sane, valid, stratum 3
ref ID 127.127.1.1, time BF6C06E0.55040FD5 (09:02:04.717 UTC Thu Jul 25 2013) <output omitted>

Which of the following is true? (Select the best answer.)

A. Router2 has successfully authenticated the NTP clients connected to Router2.
B. NTP on Router2 is synchronized with a master on another device.
C. NTP on Router2 is synchronized with itself.
D. Router2 has been configured with an NTP stratum level of 3.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Network Time Protocol (NTP) on Router2 is synchronized with an NTP master on another device.
Specifically, NTP on Router2 is synchronized with the NTP peer that has the IP address of 10.0.12.1. The
show ntp associations command displays both the address of the NTP server from which the client obtains
its time and the address of the reference clock to which the NTP server is synchronized. When issued with
the detail keyword, you can additionally determine the IP address of the NTP peer from which time was
synchronized, the NTP source authentication status, the NTP hierarchical status of the server from which
time was obtained, whether the NTP peer passes basic sanity checks, whether NTP believes the time is
valid, and the stratum of the NTP peer.
NTP on Router2 is not synchronized with itself. If Router2 were the NTP master in this scenario, the output
of the show ntp associations detail command would display the peer’s IP address as 127.127.1.1. The IP
address of 127.127.1.1 typically indicates the local NTP server. Furthermore, the presence of our_master in
the output indicates the status of the device at the NTP peer IP address of 10.0.12.1, not the status of the
local device. Finally, the ref ID field in the output in this scenario indicates a reference clock of 127.127.1.1.
The ref ID field contains the IP address of the NTP peer’s source of time, not the local device. Therefore,
the device with the IP address of 10.0.12.1 has obtained its time from its own local NTP server.
There is no information in this scenario that indicates whether Router2 has successfully authenticated the
NTP clients connected to Router2. The presence of the term authenticated in the output of the show ntp
associations detail command in this scenario indicates that the time source has been authenticated, not the
client.
Router2 has not been configured with an NTP stratum level of 3. The stratum field in the output specifies
the NTP stratum level of the NTP peer, not the local device. NTP uses stratum to establish a hierarchy of
authoritative time sources. The stratum value is typically a representation of the difference in accuracy, or
network delay, between the NTP client and Universal Coordinated Time (UTC). An NTP client that receives
its time from an NTP server is usually operating with a higher stratum value, and thus lower accuracy, than
the NTP server from which the client obtained the time.
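An added Python parser (not part of the original explanation or of Cisco IOS) for the show ntp associations detail output above: it reads the peer flags, stratum and ref ID and reports whether the router is synchronized to a remote master or to its own 127.127.x.x reference clock. The sample output is the one quoted in the question with the omitted lines left out.

```python
import re
from typing import Dict, List

# Constructed sample: the output quoted in the question, omitted lines left out.
SAMPLE_OUTPUT = """\
Router2#show ntp associations detail
10.0.12.1 configured, authenticated, our_master, sane, valid, stratum 3
ref ID 127.127.1.1, time BF6C06E0.55040FD5 (09:02:04.717 UTC Thu Jul 25 2013)
"""

# Addresses in 127.127.x.x name a reference clock on the device itself.
LOCAL_REFCLOCK_PREFIX = "127.127."

PEER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(.+?),\s*stratum\s+(\d+)\s*$")
REF_ID_RE = re.compile(r"^ref ID\s+(\S+),")


def parse_associations(output: str) -> List[Dict[str, object]]:
    """Turn `show ntp associations detail` text into one record per peer."""
    peers: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append({
                "peer": m.group(1),
                "flags": {flag.strip() for flag in m.group(2).split(",")},
                "stratum": int(m.group(3)),
                "ref_id": None,
            })
            continue
        m = REF_ID_RE.match(line)
        if m and peers:
            # The ref ID line belongs to the most recently seen peer.
            peers[-1]["ref_id"] = m.group(1)
    return peers


def interpret(peer: Dict[str, object]) -> Dict[str, object]:
    """State what the flags and ref ID say about the peer versus the local router."""
    flags = peer["flags"]
    ref_id = peer["ref_id"] or ""
    synced = "our_master" in flags
    return {
        # our_master marks the peer the local router takes its time from.
        "synced_to_this_peer": synced,
        # A 127.127.x.x peer address means the router is its own master.
        "peer_is_local_clock": peer["peer"].startswith(LOCAL_REFCLOCK_PREFIX),
        # A 127.127.x.x ref ID means the peer is using its own local clock.
        "peer_uses_own_clock": ref_id.startswith(LOCAL_REFCLOCK_PREFIX),
        # "authenticated" describes the time source, not any downstream client.
        "source_authenticated": "authenticated" in flags,
        "peer_stratum": peer["stratum"],
        # A client sits one stratum below the server it synchronizes to.
        "local_stratum_if_synced": peer["stratum"] + 1 if synced else None,
    }
```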
Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show ntp associations

QUESTION 29
Which of the following is most likely to indicate that the configured main mode ISAKMP policy does not
match the policy proposed by the remote peer? (Select the best answer.)

A. AG_NO_STATE
B. MM_NO_STATE
C. AG_AUTH
D. MM_KEY_AUTH
E. QM_IDLE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, the MM_NO_STATE state is most likely to indicate that the configured main mode
Internet Security Association and Key Management Protocol (ISAKMP) policy does not match the policy
proposed by the remote peer. The MM_NO_STATE state is the first transaction to occur when setting up
Internet Key Exchange (IKE) security associations (SAs) in main mode. The show crypto isakmp
sa command displays the status of current IKE SAs on the router. MM_NO_STATE indicates that the
ISAKMP peers have created their SAs. However, an exchange that does not move past this stage indicates
that main mode has failed. The following states are used during main mode:
MM_NO_STATE - The peers have created the SA.
MM_SA_SETUP - The peers have negotiated SA parameters.
MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared
secret.
MM_KEY_AUTH - The peers have authenticated the SA.

The following states are used during aggressive mode:
AG_NO_STATE - The peers have created the SA.
AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys.
AG_AUTH - The peers have authenticated the SA.

Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE
phase 1 has completed successfully and that there is an active IKE SA between peers.
Reference:
Cisco: Most Common DMVPN Troubleshooting Solutions
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa

QUESTION 30
Which of the following could be best described as an advanced persistent attack? (Select the best answer.)

A. a DDoS attack
B. Operation Aurora
C. the Heartbleed vulnerability
D. POODLE

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, Operation Aurora could be best described as an advanced persistent threat. An
advanced persistent threat is an intrusion in which the attacker has advanced knowledge of intrusion tools
and techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has
organizational backing, funding, and motivation. For example, an attacker who obtains access to an
organization's network and remains there for an extended period of time to collect data that can then be
used to the attacker’s advantage can be considered an advanced persistent threat.
Operation Aurora was a months-long attack in 2009 that was carried out against multiple companies,
including Google and Adobe; it began with a targeted email spear phishing attack. The email delivered
malware that was capable of exploiting an Internet Explorer vulnerability to obtain access to the contents of
partially freed memory. After compromising company workstations, the attackers used those workstations
to obtain access to other company resources and information, which eventually resulted in the loss of
intellectual property. The attack was eventually traced to two Chinese education facilities that were thought
to have ties to a Google competitor in China.
A Distributed Denial of Service (DDoS) attack is less likely to be described as an advanced persistent threat
than Operation Aurora. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple
attackers to target a single host. For example, a large number of zombie hosts in a botnet could flood a
target device with packets. Because the flood of packets originates from multiple hosts and typically targets
public services, such as the web service, the target device might not detect the attack. If enough packets
are sent to the target device within a short period of time, the target will be unable to respond to legitimate
packets because it is waiting for a response to each of the requests originated by the attacker. Although a
DDoS attack might be organized, it is unlikely to persist for an extended period of time and is not as likely
as an advanced persistent threat to result in the collection of data that can be used to the attacker’s
advantage.
Heartbleed is a vulnerability, not an advanced persistent attack. Heartbleed is the OpenSSL vulnerability
that could allow an attacker to obtain approximately 64 kilobytes (KB) of information from a web server's
memory at regular intervals. The Heartbleed bug, which was discovered in 2014, was a memory-handling
bug present in OpenSSL from version 1.0.1 through version 1.0.1f. OpenSSL 1.0.1g was the first version to
fix the bug. By exploiting this vulnerability, an attacker can obtain a server's private key, which could in turn
allow the attacker to decrypt communications with the server or perform man-in-the-middle attacks against the
server. Although Heartbleed could be used as a component of an attack in an advanced persistent threat, it
is not itself an advanced persistent threat.
Padding Oracle On Downgraded Legacy Encryption (POODLE) was originally a man-in-the-middle attack that
was designed to exploit vulnerabilities in security protocol fallback mechanisms. This technique caused the
encryption system to fall back from Transport Layer Security (TLS) to Secure Sockets Layer (SSL) 3.0. That
variant of the POODLE attack could decrypt a single byte of an encrypted message by making up to 256
SSL 3.0 requests while eavesdropping on an encrypted connection. A later variant of POODLE discovered
in 2014 is capable of exploiting bugs in the implementation of block cipher mode in TLS from version 1.0
through version 1.2. The POODLE attack is not by itself an advanced persistent threat.
Reference:
SANS: Assessing Outbound Traffic to Uncover Advanced Persistent Threat (PDF)

QUESTION 31
Which of the following SNMP versions was the first version to offer both authentication and encryption?
(Select the best answer.)

A. SNMPv1
B. SNMPv2
C. SNMPv3
D. SNMPv4

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Simple Network Management Protocol version 3 (SNMPv3) was the first version to offer both authentication
and encryption. Simple Network Management Protocol (SNMP) is used to remotely monitor and manage
network devices. SNMP version 1 (SNMPv1) and SNMPv2 use community strings to provide authentication.
However, neither SNMPv1 nor SNMPv2 uses encryption; all data and community strings are sent in clear
text. A malicious user can sniff an SNMP community string and use it to access and modify network
devices. SNMPv3 is an enhancement to the SNMP protocol that uses encryption to provide confidentiality,
integrity, and authentication. SNMPv4 is not currently recognized as a standard.
Reference:
Cisco: Simple Network Management Protocol: Versions of SNMP

QUESTION 32
Which of the following commands will configure a static point-to-point VTI tunnel to use 128-bit encryption?
(Select the best answer.)

A. crypto ipsec transform-set set1 esp-aes esp-sha-hmac
B. crypto ipsec transform-set set1 esp-des esp-sha-hmac
C. crypto ipsec transform-set set1 esp-3des esp-sha-hmac
D. crypto ipsec transform-set set1 esp-seal esp-sha-hmac
E. crypto ipsec transform-set set1 esp-null esp-sha-hmac

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The crypto ipsec transform-set set1 esp-aes esp-sha-hmac command will configure a static point-to-point
virtual tunnel interface (VTI) tunnel to use 128-bit encryption. The syntax of the crypto ipsec transform-set
command is crypto ipsec transform-set transform-name transform1 [transform2] [transform3] [transform4].
Up to four transforms can be specified in an IP Security (IPSec) transform set: one Encapsulating Security
Payload (ESP) authentication transform, one authentication header (AH) transform, one ESP encryption
transform, and one IP compression transform. For example, the crypto ipsec transform-set set1 esp-aes
esp-sha-hmac command specifies one ESP encryption transform and one ESP authentication transform;
an AH transform and an IP compression transform could also be specified.
The following keywords can be used to specify the ESP encryption transform:
- esp-aes
- esp-aes 192
- esp-aes 256
- esp-des
- esp-3des
- esp-seal
- esp-null

When the esp-aes keyword is issued without additional parameters, the 128-bit Advanced Encryption
Standard (AES) encryption algorithm is used. When the esp-aes 192 or esp-aes 256 keyword is issued,
192-bit AES or 256-bit AES is used, respectively.
The esp-des keyword does not configure a static point-to-point VTI tunnel to use 128-bit encryption. Data
Encryption Standard (DES) offers only 56-bit encryption.
The esp-3des keyword does not configure a static point-to-point VTI tunnel to use 128-bit encryption. Triple
DES (3DES) offers 168-bit encryption.
The esp-seal keyword does not configure a static point-to-point VTI tunnel to use 128-bit encryption.
Software-optimized Encryption ALgorithm (SEAL) offers 160-bit encryption.
The esp-null keyword does not configure a static point-to-point VTI tunnel to use 128-bit encryption. The
esp-null keyword configures ESP to use null encryption.
Reference:
Cisco: Cisco IOS Security Command Reference: crypto ipsec transform-set

QUESTION 33
Which of the following is true of BPDU traffic on a Cisco zone-based firewall in transparent mode? (Select
the best answer.)

A. It is denied by default.
B. It is permitted only in the inbound direction.
C. It is permitted only in the outbound direction.
D. It is permitted in both inbound and outbound directions.
E. It can be controlled by ARP inspection but not by access rules.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Bridge protocol data unit (BPDU) traffic is permitted in both inbound and outbound directions when a Cisco
zone-based firewall, such as a Cisco Adaptive Security Appliance (ASA), is operating in transparent mode.
In addition, Address Resolution Protocol (ARP) is permitted in both inbound and outbound directions when
operating in transparent mode. The default bidirectional flow of ARP traffic in transparent mode is known as
an implicit permit. All of the following traffic is implicitly permitted when a Cisco zone-based firewall is
operating in transparent mode:
- IP version 4 (IPv4) traffic from a higher security interface to a lower security interface
- IPv6 traffic from a higher security interface to a lower security interface
- ARP traffic in both directions
- BPDU traffic in both directions

Thus a Cisco zone-based firewall operating in transparent mode implicitly permits certain types of traffic at
both Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) network model. However, when a
Cisco zone-based firewall is operating in routed mode, only Layer 3 IPv4 and IPv6 traffic from a higher
security interface to a lower security interface are implicitly permitted.
In either mode, an extended access rule is required to permit additional types of IPv4 traffic. To permit
additional types of IPv6 traffic, an IPv6 access rule is required. ARP traffic, not BPDU traffic, can be
controlled by ARP inspection but not by access rules. To permit other types of Layer 2 traffic, an EtherType
rule is required.
Reference:
Cisco: Configuring Access Rules: General Information About Rules

QUESTION 34
You issue the following command on a Cisco device:

test aaa group radius user1 b0s0n new-code profile profile1

Which of the following is true? (Select the best answer.)

A. The command will fail.
B. The command will succeed but report an error.
C. The command will succeed without error.
D. There is not enough information to determine the success or failure of the command.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
There is not enough information in this scenario to determine the success or failure of the command. In
order to determine whether the command would succeed or fail, you would need to know whether the
profile named profile1 had been configured in this scenario. In addition, you would need to know whether
the Remote Authentication Dial-In User Service (RADIUS) server in this scenario is operational on the
network.
The test aaa group command is used to verify an Authentication, Authorization, and Accounting (AAA)
server configuration. However, the command works only with a RADIUS configuration, not with a Terminal
Access Controller Access Control System Plus (TACACS+) configuration. The syntax of the test aaa
command is test aaa group {group-name | radius} username password new-code [profile profile-name], where
group-name is a subset of RADIUS servers, username is the name for the test user, and password is the
test user's password.
The test aaa group command can associate a Dialed Number Identification Service (DNIS) or Caller Line
Identification (CLID) named user profile with a record sent to the server. The new-code keyword configures
the command to support a CLID or DNIS user profile association with the RADIUS server. The profile
profile-name keyword associates the user profile specified by profile-name with the RADIUS server.
The test aaa group command can generate either a "User rejected" message or a "User successfully
authenticated" message if the RADIUS server is alive. In order to generate either of those messages, the
test aaa command must be able to connect to the RADIUS server.
Reference:
Cisco: Demystifying RADIUS Server Configurations
Cisco: Enhanced Test Command: Restrictions for the Enhanced Test Command

QUESTION 35
Which of the following is least likely to be a function of a Cisco ESA? (Select the best answer.)

A. protecting against phishing
B. protecting against spam
C. protecting against DDoS attacks
D. protecting against malicious files

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Protecting against a Distributed Denial of Service (DDoS) attack is least likely to be a function of a Cisco
Email Security Appliance (ESA). A DDoS attack is a security threat that attacks availability by overwhelming
a device or network with traffic from many varying sources. An ESA is designed to protect against email
threats, such as malware attachments, phishing scams, and spam.
The Cisco Context Adaptive Scanning Engine (CASE) on an ESA is a technology that is intended to detect
email threats as they are received. CASE checks the reputation of email senders, scans the content of
email messages, and analyzes the construction of email messages. As part of this process, CASE submits
the email sender to the Cisco SenderBase Network, which contains data on hundreds of thousands of email
networks. The sender is assigned a score based on this information. The content of the email messaging is
scanned because it could contain language, links, or a call to action that is indicative of a phishing scam.
Reference:
Cisco: Secure solutions for advanced email threats (PDF)
Cisco: User Guide for AsyncOS 11.0 for Cisco Email Security Appliances: Context Adaptive Scanning
Engine

QUESTION 36
You upload a file named isitbad.zip to AMP for analysis. While reviewing the AMP logs, you receive the
following output:
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = 'isitbad.zip', MID = 852, File Size = 174401 bytes, File Type = application/zip
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cloud. File Name = 'isitbad.zip', MID = 852, Disposition = unscannable, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1

Which of the following is true? (Select the best answer.)

A. The file was uploaded to the cloud and determined to be clean.
B. The file was not uploaded to the cloud, and its disposition is unknown.
C. The file was uploaded to the cloud, but its disposition is unknown.
D. The file was uploaded to the cloud and was determined to be malware.
E. The file was not uploaded to the cloud but was determined to be clean.
F. The file was not uploaded to the cloud but was determined to be malware.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The file named isitbad.zip was not uploaded to Advanced Malware Protection (AMP) for analysis, and its
disposition is unknown. AMP is a feature of the Cisco Email Security Appliance (ESA) that can be used to
test a given file against a file reputation service in the cloud. The file reputation service that is used by AMP
attempts to authenticate a Secure Hash Algorithm 256 (SHA256) hash for the file that is being uploaded
against the file reputation database. The service also rates the data fidelity of the uploaded file by assigning
it a reputation score.
The AMP log output in this scenario indicates that the file named isitbad.zip has been determined to be
174,401 bytes and is a ZIP application file. The file was not uploaded to the cloud service, which is indicated
by the value of the Disposition field, which is unscannable. If the file had been uploaded, the upload_action
field would contain the same value, which is 1, and the Disposition field would contain a phrase that
indicates that the file was either unknown, or malicious. If the file that is being analyzed is already known to
the file reputation service, the upload_action field will contain a value of either 0 or 2 and will not be
uploaded to the cloud.
Reference:
Cisco: ESA File Analysis Through AMP Verification Procedures
Cisco: Blocking Malware and Prohibited Files: Understanding Malware Protection and File Control
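As an added example (not code from the question bank or from Cisco), the following Python parses AMP log entries in the format quoted above and applies the Disposition/upload_action rules from the explanation. The sample entries, file names, MIDs and the hash value are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample entries modelled on the AMP log lines quoted in the
# question. File names, MIDs and the digest are made up; FAKE_SHA is a
# placeholder, not a real file hash.
FAKE_SHA = "0123456789abcdef" * 4
SAMPLE_LOG = f"""\
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = 'isitbad.zip', MID = 852, File Size = 174401 bytes, File Type = application/zip
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cloud. File Name = 'isitbad.zip', MID = 852, Disposition = unscannable, Malware = None, Reputation Score = 0, sha256 = {FAKE_SHA}, upload_action = 1
Wed Feb 17 12:42:00 2015 Info: Response received for file reputation query from Cloud. File Name = 'newtool.exe', MID = 853, Disposition = unknown, Malware = None, Reputation Score = 0, sha256 = {FAKE_SHA}, upload_action = 1
Wed Feb 17 12:43:00 2015 Info: Response received for file reputation query from Cloud. File Name = 'report.pdf', MID = 854, Disposition = clean, Malware = None, Reputation Score = 0, sha256 = {FAKE_SHA}, upload_action = 2
Wed Feb 17 12:44:00 2015 Info: Response received for file reputation query from Cloud. File Name = 'invoice.exe', MID = 855, Disposition = malicious, Malware = Constructed.Sample, Reputation Score = 90, sha256 = {FAKE_SHA}, upload_action = 0
"""


@dataclass
class AmpResponse:
    timestamp: str
    file_name: str
    mid: int
    disposition: str
    malware: Optional[str]
    reputation_score: int
    sha256: str
    upload_action: int


# Only the "Response received" lines carry a disposition; the
# "query initiating" lines are skipped by the parser.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: "
    r"Response received for file reputation query from Cloud\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), "
    r"Disposition = (?P<disp>\w+), Malware = (?P<malware>[^,]+), "
    r"Reputation Score = (?P<score>-?\d+), sha256 = (?P<sha>[0-9a-fA-F]+), "
    r"upload_action = (?P<ua>\d+)$"
)


def parse_amp_log(text: str) -> List[AmpResponse]:
    """Return one AmpResponse per reputation-response line in the log."""
    responses = []
    for line in text.splitlines():
        m = RESPONSE_RE.match(line.strip())
        if not m:
            continue
        malware = None if m["malware"] == "None" else m["malware"]
        responses.append(AmpResponse(
            timestamp=m["ts"], file_name=m["name"], mid=int(m["mid"]),
            disposition=m["disp"].lower(), malware=malware,
            reputation_score=int(m["score"]), sha256=m["sha"].lower(),
            upload_action=int(m["ua"]),
        ))
    return responses


def uploaded_to_cloud(r: AmpResponse) -> bool:
    """Rule from the explanation: an unscannable file is never uploaded;
    otherwise upload_action 1 means the file was sent for analysis, while
    0 or 2 means the hash was already known to the reputation service."""
    if r.disposition == "unscannable":
        return False
    return r.upload_action == 1


def verdict(r: AmpResponse) -> Tuple[bool, str]:
    """Return (uploaded, verdict); verdict is 'clean', 'malware' or 'unknown'."""
    mapping = {"clean": "clean", "malicious": "malware"}
    return uploaded_to_cloud(r), mapping.get(r.disposition, "unknown")


def answer_for(text: str, file_name: str) -> Optional[Tuple[bool, str]]:
    """Look up the verdict for one file name in a log excerpt."""
    for r in parse_amp_log(text):
        if r.file_name == file_name:
            return verdict(r)
    return None


if __name__ == "__main__":
    for r in parse_amp_log(SAMPLE_LOG):
        up, v = verdict(r)
        print(f"MID {r.mid} {r.file_name}: uploaded={up} verdict={v}")
```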

QUESTION 37
You are troubleshooting IPSec VPN connectivity between two sites. From the local router, you are able to
ping the remote tunnel endpoint.
Which of the following steps should you perform next? (Select the best answer.)

A. Issue the traceroute command to trace the route to the tunnel endpoint.
B. Verify that the IKE policies match on both peers.
C. Verify that the peers successfully authenticate each other.
D. Reboot both devices.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
If you are able to ping the remote tunnel endpoint, you should verify that the Internet Key Exchange (IKE)
policies match on both peers. Issuing the show crypto isakmp policy command will display the IKE phase 1
policy settings that are configured on the router, including the encryption algorithm, hash algorithm,
authentication method, Diffie-Hellman (DH) key exchange mechanism, and security association (SA)
lifetime. The following displays sample output from the show crypto isakmp policy command:
RouterA#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit
In order for virtual private network (VPN) peers to successfully negotiate a key management tunnel during
IKE phase 1, the peers must agree on security parameters. For example, when RouterA sends an IKE
policy proposal to RouterB, the IKE policy is compared with the IKE policies defined on RouterB. The
proposed policy must be an exact match to one of RouterB's locally defined policies; otherwise, it will be
rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is
considered a match if the value is less than or equal to the IKE lifetime defined in the local policy. If the IKE
lifetime value is less than that of the local policy, the router will use the lesser of the two values. For
example, when RouterA initiates a connection to RouterB, RouterA will only consider lifetime values from
RouterB’s policies as matching if they are less than or equal to 14,400 seconds.
You can also issue the debug crypto isakmp command to determine whether an IKE phase 1 policy
mismatch is occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next
payload is 0 will appear when there is a phase 1 policy mismatch between the peers. To configure IKE
phase 1 policy parameters, issue the crypto isakmp policy priority command to enter Internet Security
Association and Key Management Protocol (ISAKMP) policy configuration mode, where you can issue the
following commands:
- authentication
- encryption
- group
- hash
- lifetime

If the IKE phase 1 policies match, you should issue the debug crypto isakmp command to verify that the SA
authenticates. If there is a preshared key (PSK) mismatch between the peers, you will see the 1d00h:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
debug error message. If a PSK is missing on one of the peers, you will see the 1d00h:
%CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.11.12.13 is missing
debug error message. To create a PSK, issue the crypto isakmp key key {address ip-address [mask] |
hostname name} [no-xauth] command.
If you can ping the remote tunnel endpoint, there is no need to issue the traceroute command to trace the
route to the tunnel endpoint. A successful ping indicates that connectivity between the peers exists. If the
ping is not successful, you can issue the traceroute command to see where the fault is occurring along the
path between the two peers.
Rebooting peer routers should not be among the first actions you perform when troubleshooting IP Security
(IPSec) VPN connectivity between two sites. If you have performed the other troubleshooting steps but are
still unable to establish a VPN connection, you might consider rebooting the routers. However, rebooting is
not likely to solve the connectivity problems.
Reference:
Cisco: Internet Key Exchange Security Protocol Commands: show crypto isakmp policy
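The matching rules above (exact match on encryption, hash, authentication and DH group; lifetime accepted only when the proposed value is less than or equal to the local one, with the lesser value used) as an added Python example that is not part of the original question or Cisco's code. RouterA's policy follows the sample output; RouterB's two policies are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """One crypto isakmp policy entry; the fields mirror the commands
    available in ISAKMP policy configuration mode."""
    priority: int
    encryption: str       # e.g. "aes 128", "aes 256", "3des"
    hash_alg: str         # e.g. "sha", "md5"
    authentication: str   # "pre-share" or "rsa-sig"
    group: int            # Diffie-Hellman group number
    lifetime: int         # seconds


# Constructed lab policies. RouterA's entry matches the sample output
# above; RouterB's two entries are assumptions for the walkthrough.
ROUTER_A_POLICIES = [IkePolicy(20, "aes 128", "sha", "pre-share", 14, 3600)]
ROUTER_B_POLICIES = [
    IkePolicy(10, "aes 256", "sha", "pre-share", 14, 86400),
    IkePolicy(20, "aes 128", "sha", "pre-share", 14, 86400),
]


def mismatched_attributes(proposal: IkePolicy, local: IkePolicy) -> List[str]:
    """Return the attribute names that stop `proposal` matching `local`.
    Encryption, hash, authentication and DH group must be identical; the
    proposed lifetime only has to be less than or equal to the local one."""
    diffs = [attr for attr in ("encryption", "hash_alg", "authentication", "group")
             if getattr(proposal, attr) != getattr(local, attr)]
    if proposal.lifetime > local.lifetime:
        diffs.append("lifetime")
    return diffs


def negotiate(proposals: List[IkePolicy],
              local_policies: List[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """Responder-side selection: walk the local policies in priority order
    (lowest number first) and accept the first proposal that matches one.
    Returns (matched_local_policy, agreed_lifetime), or None when nothing
    is acceptable, which is the 'atts are not acceptable' debug case."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        for proposal in proposals:
            if not mismatched_attributes(proposal, local):
                return local, min(proposal.lifetime, local.lifetime)
    return None


def explain_failure(proposals: List[IkePolicy],
                    local_policies: List[IkePolicy]) -> List[str]:
    """One line per proposal/local pair that failed, naming the attributes."""
    lines = []
    for local in sorted(local_policies, key=lambda p: p.priority):
        for proposal in proposals:
            diffs = mismatched_attributes(proposal, local)
            if diffs:
                lines.append(f"proposal {proposal.priority} vs local "
                             f"{local.priority}: {', '.join(diffs)}")
    return lines


if __name__ == "__main__":
    # A initiating to B matches B's policy 20 with the shorter lifetime;
    # B initiating to A fails because B's lifetimes exceed A's 3600 s.
    print("A -> B:", negotiate(ROUTER_A_POLICIES, ROUTER_B_POLICIES))
    print("B -> A:", negotiate(ROUTER_B_POLICIES, ROUTER_A_POLICIES))
    for line in explain_failure(ROUTER_B_POLICIES, ROUTER_A_POLICIES):
        print("  ", line)
```

Running the two directions shows that the lifetime rule makes matching direction-dependent: the same pair of routers negotiates when RouterA initiates but not when RouterB does.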

QUESTION 38
You have configured a Cisco ESA with a URL Category action that redirects the URLs of adult content sites
to the Cisco Cloud Web Security proxy service. You receive a report that users are successfully accessing
some adult content sites from the company network. However, you are able to verify that known adult sites
are being redirected.
Which of the following could be the problem? (Select the best answer.)

A. You did not specify any text to replace the URL.
B. You did not defang the URL so that it cannot be clicked.
C. The connection to the Cisco Cloud Web Security proxy service timed out.
D. The adult content sites being visited are uncategorized.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The problem could be that the adult content sites being visited are uncategorized if users are able to access
some adult sites while other known adult sites are being redirected. The Cisco Email Security Appliance
(ESA) supports Uniform Resource Locator (URL) filtering, which can be used to test the reputation of URL
links in email messages or to compare the content of the URL to a list of categories of sites that violate
company policy. By using URL filtering with URL categorization, it is possible to limit user access to a given
site without relying on a blacklist of the site's possible IP addresses.
There are three options for action when a link in an email message matches a given URL category or its
reputation score falls within a specified range:
- Defang the URL - renders the URL unclickable, although the user can still copy and paste the URL
- Redirect the URL to the Cisco Cloud Web Security proxy service - redirects the URL to a proxy, which
blocks the site if it is malicious and displays a message to the user
- Replace the URL with specific text or the URL to a third-party proxy service - replaces the link in the original
email message with specific warning text provided by the administrator or with a link that redirects to a
third-party proxy service

You can also choose to apply any of those actions to sites that are not yet categorized in the URL database.
In this scenario, sites that fit into the adult URL category should be redirected to the Cisco Cloud Web
Security proxy service. However, there is nothing in the scenario to indicate that sites that are uncategorized
have been configured to redirect to the Cisco Cloud Web Security proxy service. Therefore, users will be
connected to the links as they appear in the original email message.
The connection to the Cisco Cloud Web Security proxy service is not timing out in this scenario, because
connections to some sites in the URL category are being redirected. If a connection to the Cisco Cloud Web
Security proxy service times out, URL filtering will automatically allow the user to connect to the target site
by using the link in the original email message. Therefore, known adult sites in this scenario would be
accessible to users if the connection to the Cisco Cloud Web Security proxy service was timing out. You do
not need to defang the URL. In this scenario, you have chosen to redirect adult site content to the Cisco
Cloud Web Security proxy. In addition, you do not need to specify text to replace the URL.
Reference:
Cisco: Cisco AsyncOS 8.5.6 for Email User Guide: Redirected URLs: What Does the End User
Experience? (PDF)

QUESTION 39
An inbound TCP packet arrives at the ingress interface of a Cisco ASA 8.2 firewall. The packet is part of an
established session. The packet reaches the interface’s internal buffer and the input counter is
incremented.
Which of the following actions will occur next? (Select the best answer.)

A. The packet will be processed by interface ACLs.
B. The packet is forwarded to the outbound interface.
C. The packet is subjected to an inspection check.
D. The packet's IP header is translated by NAT/PAT.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Because the Transmission Control Protocol (TCP) packet in this scenario is part of an established session,
the packet will be subjected to an inspection check after it reaches the interface's internal buffer and the
input counter is incremented. A Cisco Adaptive Security Appliance (ASA) 8.2 performs all of the following
checks when a packet arrives on the inbound interface:
- Increments the input counter
- Determines whether the packet is part of an established connection
- If not an established connection, processes the packet by using the interface access control lists (ACLs)
- If not an established connection, verifies the packet for translation rules
- Conducts an inspection of the packet to determine protocol compliance
- Translates the IP header according to Network Address Translation (NAT) rules
- Forwards the packet to the outbound interface

It is important to note that the Cisco ASA 8.3 and later modify the ASA packet process algorithm. When
configuring NAT for the ASA 8.3 and later, you should use the client's real IP address instead of the ASA's
public IP address. Thus, if the ASA in this scenario were an ASA 8.3 or later, the packet's IP header would
be translated by NAT or Port Address Translation (PAT) prior to being processed by interface ACLs.
Inbound TCP packets that are not part of an established connection should be SYN packets, which is the
first packet that is sent during TCP's three-way handshake. Inbound TCP SYN packets are permitted by the
ASA as long as the packet is permitted by an interface ACL rule and is successfully translated by NAT or
PAT. The TCP SYN-ACK packet is the second phase of the TCP three-way handshake; it is sent by the
host that received the SYN packet to the host that is attempting to establish a connection. Therefore, an
ASA will permit an inbound TCP SYN-ACK packet only if it is part of an established connection.
Reference:
Cisco: ASA 8.2: Packet Flow through an ASA Firewall: Cisco ASA Packet Process Algorithm

QUESTION 40
Which of the following is not an attribute on which an ISE MDM policy can be based? (Select the best
answer.)

A. the encryption status of the disk
B. the jailbreak status of the operating system
C. the revision of the operating system
D. the status of the PIN lock configuration
E. the status of the Bluetooth interface

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The status of the Bluetooth interface is not an attribute on which a Cisco Identity Services Engine (ISE)
Mobile Device Management (MDM) policy can be based. ISE is a next-generation Authentication,
Authorization, and Accounting (AAA) platform with integrated posture assessment, network access control,
and client provisioning. ISE integrates with a number of MDM frameworks, such as MobileIron and
AirWatch. MDM policies can be based on the following attributes:
- DeviceRegisterStatus
- DeviceCompliantStatus
- DiskEncryptionStatus
- PinLockStatus
- JailBrokenStatus
- Manufacturer
- IMEI
- SerialNumber
- OsVersion
- PhoneNumber

From ISE, you can easily provision network devices with native supplicants available for Microsoft Windows,
Mac OS X, Apple iOS, and Google Android. The supplicants act as agents that enable you to perform
various functions on the network device, such as installing software or locking the screen with a personal
identification number (PIN) lock.
For devices like phones, ISE relies on MDM servers to carry out the specific administrative actions selected
in ISE. For example, when a selective wipe is selected for a device in ISE, a request is made to the
appropriate MDM server to carry out the action. The MDM server communicates with its corresponding
agent on the phone and removes all corporate applications and installed profiles, including any subprofiles.
The selective wipe also removes the MDM agent, which is typically an installed application. Through an
MDM server, ISE can perform a full wipe, a selective wipe, or a PIN lock depending on the severity of the
security risk of the lost phone.
Reference:
Cisco: Managing Network Devices: Supported MDM Use Cases
Category: Secure Access

QUESTION 41
Which of the following features are supported on a Cisco ASA operating in multiple context mode? (Select 2
choices.)

A. RIP
B. active/active failover
C. active/standby failover
D. QoS
E. multicast routing

Correct Answer: BC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Active/active failover and active/standby failover are supported on a Cisco Adaptive Security Appliance
(ASA) operating in multiple context mode. In multiple context mode, you can divide a single ASA into
multiple security contexts, which function as individual virtual devices with unique policies, even though they
reside on a single piece of hardware. Multiple context mode enables the separation of different departments
or business units that share a single physical ASA. When an ASA operating in transparent firewall mode is
placed into multiple context mode, each context will also operate in transparent mode.
The following features are not supported when an ASA is operating in multiple context mode:
- Routing Information Protocol (RIP)
- Open Shortest Path First version 3 (OSPFv3)
- Threat detection
- Multicast routing
- Unified Communication Services
- Quality of Service (QoS)
In an active/standby configuration, one ASA serves as the active unit and forwards traffic for network
clients. A second ASA functions as a standby unit, which monitors the status of the active unit but does not
forward traffic for network clients. If a failover event is triggered, the standby unit takes on the role of the
active unit. By contrast, an active/active failover configuration enables both ASAs to forward traffic for a
select group of security contexts. With active/active failover, two failover groups exist on each ASA. When a
failover event is triggered, the corresponding failover group on a standby unit can become active or the
entire standby unit can become the new active unit. The type of failover resolution depends on the nature of
the failover event.
In multiple context mode, as in single context mode, an ASA can also be configured to run in either routed
firewall mode or transparent firewall mode. In routed mode, the firewall acts as a Layer 3 device by routing
traffic between different subnets. In transparent mode, the firewall acts as a Layer 2 bridge by passing
traffic through to destinations on the same subnet but not routing traffic to a destination on a different
subnet. In addition to the unsupported features listed above, the following features are not supported on an
ASA operating in transparent firewall mode:
- Dynamic Domain Name System (DNS)
- Dynamic Host Configuration Protocol (DHCP) relay
Reference:
Cisco: PIX/ASA Active/Standby Failover Configuration Example: Introduction (PDF)
Cisco: PIX/ASA: Active/Active Failover Configuration Example: Introduction
Cisco: CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide: Unsupported Features

QUESTION 42
Refer to the following partial sample output from the show crypto ipsec sa command:
<output omitted>
interface: FastEthernet0/0
    Crypto map tag: aesmap, local addr 10.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
   current_peer 10.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x82E64150(2196128080)
     PFS (Y/N): N, DH group: none
<output omitted>

Which of the following statements is true? (Select the best answer.)

A. There is a configuration mismatch between the local peer IP address and the local subnet address.
B. No DH group is configured in the IKE policy.
C. All encrypted traffic will be tagged with the value “aesmap”.
D. At least one IPSec SA is established and operational.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following partial output from the show crypto ipsec sa command indicates that at least one IP Security
(IPSec) security association (SA) is established and operational:
<output omitted>
interface: FastEthernet0/0
    Crypto map tag: aesmap, local addr 10.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
   current_peer 10.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2243, #pkts encrypt: 2243, #pkts digest: 2243
    #pkts decaps: 2210, #pkts decrypt: 2210, #pkts verify: 2210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x82E64150(2196128080)
     PFS (Y/N): N, DH group: none
<output omitted>
The show crypto ipsec sa command displays detailed information about IPSec SAs, including the IP
addresses of the crypto endpoints (IPSec peers), the number of packets encrypted and decrypted, the
security protocol, and the corresponding Security Parameter Indices (SPIs). In this scenario, the partial
command output indicates that the router should use the outbound SPI with a value of 0x82E64150
(2196128080) when sending encrypted packets from the local peer, 10.10.10.2, to the remote peer
10.20.20.2. The SPI is one of the components used to uniquely identify an IPSec SA.
Each IPSec SA is uniquely identified by its corresponding IPSec peer address, security protocol, and SPI.
Because IPSec SAs are unidirectional, two SAs are required between active IPSec peers: an inbound SA
and an outbound SA. The SPI associated with the outbound SA is generated by the local peer during phase
2 of the Internet Key Exchange (IKE) negotiation process and is used by the remote peer as the inbound
SPI associated with this SA. Likewise, the SPI associated with the inbound SA on the local peer
corresponds to the outbound SPI that was generated by the remote peer during its portion of phase 2
negotiations. Once phase 2 negotiations are complete and at least one IPSec SA is operational, the router
can begin sending and receiving encrypted traffic. In this scenario, the partial command output indicates
that 2,243 packets have been encrypted and 2,210 packets have been decrypted since IKE phase 2
negotiations completed and the IPSec SA was created.
The command output in this scenario does not indicate that a Diffie-Hellman (DH) group is not configured in
the IKE policy. Although the output contains a field named DH group with a value of none, this field
corresponds to the DH group configured for perfect forward secrecy (PFS), not to the DH group configured
in an IKE policy. PFS is used to optionally encrypt IKE keying data during phase 1 negotiations. The PFS
(Y/N): N field in the partial output indicates that PFS has not been configured and thus no corresponding DH
group can be found.
The command output does not indicate that all encrypted traffic will be tagged with the value “aesmap”. The
Crypto map tag: aesmap field in the partial command output indicates the name of the IPSec crypto map
that is associated with the displayed interface. A crypto map describes which traffic should be encrypted,
the remote peer IP address, and the transform set that should be used to encrypt the data.
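An added Python example (not Cisco's code and not part of the original question) that parses show crypto ipsec sa output like the exhibit above, applies the "at least one SA is operational" check from the explanation, and adds a few first-pass troubleshooting heuristics (the one-way-traffic checks are an assumption of this example, not something the question states). The sample text is the exhibit's output reproduced as a string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample output reproduced from the question's exhibit (private-range
# lab addresses); used here as constructed test input.
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: aesmap, local addr 10.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
   current_peer 10.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2243, #pkts encrypt: 2243, #pkts digest: 2243
    #pkts decaps: 2210, #pkts decrypt: 2210, #pkts verify: 2210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x82E64150(2196128080)
     PFS (Y/N): N, DH group: none
"""


@dataclass
class IpsecSa:
    interface: str
    crypto_map: str
    local_endpoint: str
    remote_endpoint: str
    local_ident: str
    remote_ident: str
    pkts_encaps: int
    pkts_decaps: int
    send_errors: int
    recv_errors: int
    outbound_spi: int
    pfs: bool
    pfs_dh_group: Optional[int]


def _field(pattern: str, text: str) -> str:
    """Return the first capture group of `pattern`, or raise if absent."""
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Pull the fields this check needs out of show crypto ipsec sa text.
    Whitespace is matched loosely so re-wrapped output still parses."""
    dh = _field(r"DH group:\s*(\S+)", text)
    return IpsecSa(
        interface=_field(r"interface:\s*(\S+)", text),
        crypto_map=_field(r"Crypto map tag:\s*([^,]+),", text),
        local_endpoint=_field(r"local crypto endpt\.:\s*([0-9.]+)", text),
        remote_endpoint=_field(r"remote crypto endpt\.:\s*([0-9.]+)", text),
        local_ident=_field(r"local\s+ident \(addr/mask/prot/port\):\s*\(([^)]+)\)", text),
        remote_ident=_field(r"remote\s+ident \(addr/mask/prot/port\):\s*\(([^)]+)\)", text),
        pkts_encaps=int(_field(r"#pkts encaps:\s*(\d+)", text)),
        pkts_decaps=int(_field(r"#pkts decaps:\s*(\d+)", text)),
        send_errors=int(_field(r"#send errors\s*(\d+)", text)),
        recv_errors=int(_field(r"#recv errors\s*(\d+)", text)),
        outbound_spi=int(_field(r"current outbound spi:\s*0x([0-9A-Fa-f]+)", text), 16),
        pfs=_field(r"PFS \(Y/N\):\s*([YN])", text) == "Y",
        pfs_dh_group=None if dh.lower() == "none" else int(re.sub(r"\D", "", dh)),
    )


def sa_operational(sa: IpsecSa) -> bool:
    """Established and passing traffic: an outbound SPI has been negotiated
    and packets have been encapsulated or decapsulated on it."""
    return sa.outbound_spi != 0 and (sa.pkts_encaps > 0 or sa.pkts_decaps > 0)


def health_warnings(sa: IpsecSa) -> List[str]:
    """Added first-pass heuristics (an assumption of this example)."""
    warnings = []
    if sa.outbound_spi == 0:
        warnings.append("no outbound SPI: IKE phase 2 has not completed")
    if sa.pkts_encaps > 0 and sa.pkts_decaps == 0:
        warnings.append("one-way traffic: packets leave but none return")
    if sa.pkts_decaps > 0 and sa.pkts_encaps == 0:
        warnings.append("one-way traffic: packets arrive but none are sent")
    if sa.send_errors or sa.recv_errors:
        warnings.append(f"errors counted: send={sa.send_errors} recv={sa.recv_errors}")
    if not sa.pfs:
        warnings.append("PFS off: 'DH group' here is the PFS group, not the IKE policy group")
    return warnings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(f"{sa.local_endpoint} -> {sa.remote_endpoint} via {sa.crypto_map}: "
          f"operational={sa_operational(sa)} spi=0x{sa.outbound_spi:08X}")
    for w in health_warnings(sa):
        print("  -", w)
```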

QUESTION 43
Which of the following statements is true regarding a HIDS? (Select the best answer.)

A. It can monitor the network for port scans.
B. It can identify spoofing attacks.
C. It can analyze OS-specific protocols, such as SMB.
D. It can delay packets during reassembly.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Host-based Intrusion Detection System (HIDS) can analyze operating system (OS)-specific protocols, such
as Server Message Block (SMB). Intrusion Detection Systems (IDSs) are primarily used for monitoring
network traffic and do not sit inline with traffic flow. Because IDS devices do not sit inline, they do not delay
the flow of packets during reassembly and analysis. A HIDS can be used to monitor traffic on a single host,
whereas a Network-based IDS (NIDS) can be used to monitor all network traffic.
A host-based solution, such as a HIDS or a Host-based Intrusion Prevention System (HIPS), has direct
access to the host OS and can typically understand OS-specific protocols and applications based on the
behavior identified in kernel-level audit trails. By contrast, a network-based solution, such as a NIDS or a
Network-based IPS (NIPS), has limited information about the host OS and its applications.
The detailed information about a particular host, its applications, and its behaviors enables a HIDS to
implement policies that can be tailored to the host and that can be much more restrictive than policies
implemented by a NIDS, most of which implement policies that impact the entire network. In addition, a
HIDS can analyze traffic from encrypted sessions that are initiated by or terminated on the host.
By contrast, a NIDS does not have access to OS-specific information and cannot analyze OS-specific
protocols and applications. However, because a NIDS is not installed on a single host, it can gather
intelligence about threats such as port scans and spoofing attacks, which can affect multiple hosts
throughout the network. In addition, because a NIDS is not installed on a host, it is immune to attacks that
might compromise a host and its HIDS.
Reference:
SANS: SANS Institute InfoSec Reading Room: How to Choose Intrusion Detection Solution (PDF)

QUESTION 44
Which of the following statements is true regarding OWASP? (Select the best answer.)

A. It is exclusively a North American nonprofit organization.
B. It endorses products from HP and Symantec.
C. It releases security materials under FLOSS licenses.
D. It requires membership to download security tools such as ZAP.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Open Web Application Security Project (OWASP) releases security materials under Free/Libre and
Open Source Software (FLOSS) licenses. OWASP is a multinational, not-for-profit organization that provides
frameworks, documentation, tools, and community forums with a focus on application security. For
example, one of the OWASP Flagship projects is the Software Assurance Maturity Model (SAMM), which is
an open framework used to guide an organization in making software security decisions that are in
alignment with the organization’s risk profile. Like all OWASP documentation, the SAMM is licensed under
the Creative Commons Attribution-ShareAlike 3.0 License, which is a common FLOSS license that allows
redistribution and modification of the original content with the appropriate attribution and the requirement to
distribute the derivative work under the same license as the original.
Although OWASP has many financial supporters, including Adobe, Akamai, HP, and Symantec, it does not
endorse any particular company or product. According to the code of ethics published in its bylaws,
OWASP must maintain and affirm its objectivity and reject inappropriate pressure from the technology
industry. Therefore, OWASP strives to avoid affiliation with any technology company and to maintain its
presence as an unbiased source of information about application security.
OWASP offers several different membership levels, each of which offers various benefits, such as reduced
advertising costs, discounted conference sponsorship rates, and the ability to vote in OWASP elections.
However, membership is not required to access or download any of the documentation or tools offered by
OWASP, including Flagship projects such as the OWASP Zed Attack Proxy (ZAP). ZAP is an integrated
penetration testing tool for web applications.
Reference:
OWASP: OWASP Licenses
OWASP: Project Licensing

QUESTION 45
Which of the following best describes a MAC spoofing attack? (Select the best answer.)

A. using GARP messages to associate an attacker's MAC address with the IP address of a valid host on
the network
B. sending forged frames with the intention of overwhelming a switch's CAM table
C. replacing the IP address of a legitimate website with the IP address of a malicious website
D. using the MAC address of another host on the network in order to bypass port security measures

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, using the Media Access Control (MAC) address of another host on the network in
order to bypass port security measures best describes a MAC spoofing attack. Normally, the MAC address
associated with a host corresponds to the unique, burned-in address (BIA) of its network interface. However,
in a MAC spoofing attack, a malicious user virtually modifies the BIA to match the MAC address of the
legitimate host on the network. Mimicking the MAC address of a known host can be used to overcome
simple security measures such as Layer 2 access control lists (ACLs).
Using gratuitous Address Resolution Protocol (GARP) messages to associate an attacker's MAC address
with the IP address of a valid host on the network best describes an ARP poisoning attack, not a MAC
spoofing attack. In an ARP poisoning attack, the attacker sends GARP messages to a host. The GARP
messages associate the attacker's MAC address with the IP address of a valid host on the network.
Subsequently, traffic sent to the valid host address will go through the attacker's computer rather than
directly to the intended recipient.
Sending forged frames with the intention of overwhelming a switch's content addressable memory (CAM)
table best describes a MAC flooding attack, not a MAC spoofing attack. In a MAC flooding attack, a
malicious user generates thousands of forged frames with the intention of overwhelming the switch's CAM
table, which stores learned MAC addresses. Once this table is flooded, the switch can no longer make
intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent
through the switch because all traffic will be sent out each port. Implementing port security can help mitigate
MAC flooding attacks.
Replacing the IP address of a legitimate website with the IP address of a malicious website best describes
a Domain Name System (DNS) poisoning attack, not a MAC spoofing attack. DNS poisoning is an attack
that modifies the DNS cache by providing invalid information. In a DNS poisoning attack, a malicious user
attempts to exploit a DNS server by replacing the IP addresses of legitimate hosts with the IP address of
one or more malicious hosts. Because the DNS cache of the attacked server is poisoned, it will reply to
DNS requests with the IP address of the malicious hosts rather than the IP address of the legitimate hosts.
Reference:
Cisco: Layer 2 Security Features on Cisco Catalyst Layer 3 Fixed Configuration Switches Configuration
Example: Background Information

QUESTION 46
You issue the show zone security command on a Cisco router and receive the following command output:
RouterA#show zone security
zone self
Description: System defined zone
zone inside
Member Interfaces:
FastEthernet0/0
FastEthernet0/1
zone outside
Member Interfaces:
Serial0/0/0

zone dmz
Member Interfaces:
Serial0/0/1

Based on the command output, to which zones can the S0/1/0 interface send traffic? (Select the best
answer.)

A. S0/1/0 can send traffic to the dmz zone.
B. S0/1/0 can send traffic to the outside zone.
C. S0/1/0 can send traffic to the inside zone, but only in response to traffic initiated from the inside zone.
D. S0/1/0 can send traffic to any zone.
E. S0/1/0 cannot send traffic to any configured zones.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the S0/1/0 interface cannot send traffic to any configured zones. S0/1/0 is not a member of
any zones, as shown by the following output from the show zone security command:
RouterA#show zone security
zone self
Description: System defined zone
zone inside
Member Interfaces:
FastEthernet0/0
FastEthernet0/1
zone outside
Member Interfaces:
Serial0/0/0

zone dmz
Member Interfaces:
Serial0/0/1

Traffic cannot flow between an interface that does not belong to a security zone and an interface that does
belong to a security zone. Therefore, S0/1/0 cannot send traffic to Fa0/0, Fa0/1, S0/0/0, or S0/0/1.
However, S0/1/0 can send traffic to S0/1/1 because S0/1/1 is not a member of any security zone.
Even if S0/1/0 were a member of the outside zone, S0/1/0 would not be able to send traffic to the inside
zone or dmz zone. When no zone pair exists for a pair of zones, traffic is blocked by default. Traffic is
allowed to pass freely between interfaces within the same zone.
If S0/1/0 were a member of the dmz zone, S0/1/0 would be able to send traffic to the inside zone only in
response to traffic initiated from the inside zone. RouterA is configured to allow Telnet traffic and traffic sent
to 10.2.2.3 from the inside zone to the dmz zone and to allow return traffic from the dmz zone to the inside
zone for these sessions.
Reference:
Cisco: Cisco IOS Security Command Reference: show zone security
Cisco: Configuring Zone Policy Firewalls: Zone-Based Policy General Rules
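The default zone-based firewall rules from the explanation (unzoned to zoned is blocked, intra-zone passes, inter-zone needs a zone pair, return traffic relies on inspection on the reverse pair) as an added Python example that is not part of the original question or Cisco's software. The show zone security text is the output above; the single inside-to-dmz inspect zone pair is an assumption taken from the explanation's description of RouterA.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Output reproduced from the question; the zone pair below is an assumption
# based on the explanation's description of RouterA's inside-to-dmz policy.
SHOW_ZONE_SECURITY = """\
zone self
  Description: System defined zone
zone inside
  Member Interfaces:
    FastEthernet0/0
    FastEthernet0/1
zone outside
  Member Interfaces:
    Serial0/0/0
zone dmz
  Member Interfaces:
    Serial0/0/1
"""


@dataclass(frozen=True)
class ZonePair:
    source: str
    destination: str
    action: str  # "inspect", "pass" or "drop" (the policy-map class action)


ZONE_PAIRS = [ZonePair("inside", "dmz", "inspect")]

_FULL_NAMES = ("FastEthernet", "GigabitEthernet", "Serial", "Ethernet")


def canonical(ifname: str) -> str:
    """Expand abbreviations such as S0/1/0 or Fa0/0 to the long IOS name."""
    m = re.fullmatch(r"([A-Za-z-]+)([0-9][0-9/.]*)", ifname.strip())
    if not m:
        raise ValueError(f"unrecognised interface name: {ifname}")
    prefix, number = m.groups()
    for full in _FULL_NAMES:
        if full.lower().startswith(prefix.lower()):
            return full + number
    raise ValueError(f"unknown interface type: {prefix}")


def parse_zones(text: str) -> Dict[str, str]:
    """Map each canonical interface name to the zone it belongs to."""
    membership: Dict[str, str] = {}
    zone: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("zone "):
            zone = line.split(None, 1)[1]
        elif zone and line and not line.startswith(("Description:", "Member Interfaces:")):
            membership[canonical(line)] = zone
    return membership


def flow_decision(src_if: str, dst_if: str,
                  membership: Dict[str, str], pairs: List[ZonePair]) -> str:
    """Return 'allow', 'drop' or 'return-only' for traffic entering on
    src_if and leaving on dst_if, following the default rules above."""
    src_zone = membership.get(canonical(src_if))
    dst_zone = membership.get(canonical(dst_if))
    if src_zone is None and dst_zone is None:
        return "allow"            # neither interface is zoned: no policy applies
    if src_zone is None or dst_zone is None:
        return "drop"             # zoned <-> unzoned is always blocked
    if src_zone == dst_zone:
        return "allow"            # intra-zone traffic passes freely
    forward = {(p.source, p.destination): p.action for p in pairs}
    action = forward.get((src_zone, dst_zone))
    if action in ("inspect", "pass"):
        return "allow"
    if action == "drop":
        return "drop"
    # No pair in this direction: only stateful return traffic for sessions
    # inspected on the reverse pair gets through.
    if forward.get((dst_zone, src_zone)) == "inspect":
        return "return-only"
    return "drop"


if __name__ == "__main__":
    members = parse_zones(SHOW_ZONE_SECURITY)
    for dst in ("Fa0/0", "S0/0/0", "S0/0/1", "S0/1/1"):
        print(f"S0/1/0 -> {dst}: {flow_decision('S0/1/0', dst, members, ZONE_PAIRS)}")
```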

QUESTION 47
Which of the following features can cause a switch port to enter the errdisable state? (Select the best
answer.)

A. BPDU guard
B. PortFast
C. root guard
D. loop guard

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The BPDU guard feature can cause a switch port to enter the errdisable state. The BPDU guard feature
should be enabled on PortFast-enabled ports so that BPDU guard can prevent a rogue switch from
modifying the Spanning Tree Protocol (STP) topology and becoming the root bridge. When such a port
receives a bridge protocol data unit (BPDU), BPDU guard immediately puts that port into the errdisable
state and shuts down the port. The port must then be manually reenabled, or it can be recovered
automatically through the errdisable timeout function. BPDU guard should not be enabled on ports that are
connected to other switches.
PortFast is a feature that should be used only on switch ports that are connected to end devices, such as
user workstations or print devices. Because PortFast immediately transitions a port to the STP forwarding
state, skipping over the listening and learning states, steps should be taken to ensure that a switch that is
inadvertently or intentionally connected to the port cannot influence the STP topology.
The root guard feature, when enabled on a port, prevents superior BPDUs received on a neighbor switch
connected to that port from becoming the root bridge. If superior BPDUs are received on a port enabled
with root guard, the port enters the root-inconsistent state and no data will flow through that port until the port
stops receiving superior BPDUs.
The loop guard feature prevents nondesignated ports from inadvertently forming bridging loops if the steady
flow of BPDUs is interrupted. When the port stops receiving BPDUs, loop guard puts the port into the
loop-inconsistent state, which keeps the port in a blocking state. After the port starts receiving BPDUs again,
loop guard enables the port to transition through the normal STP states.
Reference:
Cisco: Spanning Tree PortFast BPDU Guard Enhancement: Feature Description

QUESTION 48
Which of the following are not considered NGE cryptographic algorithms and should be avoided according
to Cisco? (Select 2 choices.)

A. DH768
B. SHA256
C. ECDH384
D. SHA512
E. DH1024

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Diffie-Hellman (DH) with a 768-bit modulus (DH768) and DH with a 1,024-bit modulus (DH1024) are not
considered Next Generation Encryption (NGE) cryptographic algorithms and should be avoided according
to Cisco. NGE algorithms are a collection of cryptographic technologies that are efficient, scalable, and
expected to provide reliable security for at least the next decade. Because of recent advances in computing
power, many cryptographic algorithms no longer provide adequate security. DH768 and DH1024 do not
provide a level of security that is likely to meet the confidentiality requirements of the enterprise over the
next decade.
Increasing the modulus size used by an algorithm can provide a higher level of security; however, if the
algorithm is inherently inefficient, the increased modulus size can adversely affect the performance of the
device using the algorithm. For maximum security without using an NGE algorithm, Cisco recommends using DH with
a 3,072-bit modulus (DH3072); however, because DH is not particularly efficient when configured with a
large modulus, Cisco considers a 2,048-bit modulus an acceptable compromise between security and
efficiency. Any modulus size less than 2,048 bits, such as 1,024 bits or 768 bits, is not considered to
provide an acceptable level of security.
ECDH384, Secure Hash Algorithm (SHA) with a 256-bit digest (SHA256), and SHA with a 512-bit digest
(SHA512) are all considered NGE cryptographic algorithms according to Cisco. SHA256 and SHA512 are
components of the set of cryptographic algorithms known as SHA-2.
Reference:
Cisco: Next Generation Encryption: Recommendations for Cryptographic Algorithms

QUESTION 49
You want to configure a router so that network-based CLI access is limited to SSH connections that are
received on a specified interface.
Which of the following Cisco IOS features should you configure to achieve your goal? (Select the best
answer.)

A. CoPP
B. CPPr
C. MPP
D. uRPF

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should configure Management Plane Protection (MPP) on a Cisco router to ensure that network-based
command-line interface (CLI) access is limited to Secure Shell (SSH) connections that are received on a
specified interface. MPP enables you to specify one or more interfaces as management interfaces. A
management interface is an interface that is permitted to receive management traffic, which is traffic from a
specific set of network protocols that is destined for the router. Once MPP is enabled, only specified types
of management traffic are permitted on their respective management interfaces. For example, you could
configure a router’s FastEthernet 0/0 interface to permit SSH and Secure Hypertext Transfer Protocol
(HTTPS) traffic and its FastEthernet 0/1 interface to permit Trivial File Transfer Protocol (TFTP) traffic.
Without MPP, you would need to create the appropriate access control lists (ACLs) and apply them in the
inbound direction to every interface on the router if you wanted to limit access to one or more interfaces and
management protocols.
You should not configure Control Plane Policing (CoPP). CoPP is a Quality of Service (QoS) feature that
can be used to limit the type and amount of traffic that reaches the control plane. Control plane traffic is
traffic that is destined to the router and that requires CPU intervention for processing. Examples of control
plane traffic are routing protocol updates, SSH sessions, and Hypertext Transfer Protocol (HTTP)
connections. Because control plane traffic requires CPU intervention, it is possible to overload the CPU with
a surge of traffic. When the CPU is overloaded, the router might be unable to update its routing information
and transit traffic can be affected. CoPP enables you to configure QoS rates for various traffic types to
ensure that sufficient processing time is available for critical protocols. CoPP policies are applied globally
and cannot be limited to a single router interface.
You should not configure Control Plane Protection (CPPr). CPPr enhances the capabilities of CoPP by
providing more granular control over control plane traffic. With CPPr, traffic is classified into three levels of
control instead of the single level of control provided by CoPP. In addition, CPPr provides the ability to drop
packets that are destined to Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) router
ports that are either closed or not listening. CPPr can also limit the number of packets from a particular
protocol that are permitted into the control plane IP input queue. Like CoPP, CPPr policies are applied
globally and cannot be limited to a single router interface.
You should not configure unicast Reverse Path Forwarding (uRPF). uRPF is an antispoofing mechanism that
verifies that the source address of a packet is reachable from the interface on which the packet was
received. If uRPF is used in conjunction with an ACL, it can cause packets to become packet-switched.
Packet switching requires CPU intervention and can create a burden on the control plane.
Reference:
Cisco: Management Plane Protection

QUESTION 50
Which of the following describes a TPM? (Select the best answer.)

A. an independent cryptographic processor embedded into computers
B. a system of assigning data to various categories
C. a system used to provide services on demand from remote locations
D. a process of remotely initiating the deletion of data stored on a device

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An independent cryptographic processor embedded into computers describes a Trusted Platform Module
(TPM). A TPM provides hardware-based authentication and full disk encryption services. Because the
encryption keys are stored in the TPM module, any data stored on the drive cannot be decrypted once the
drive is removed from the original device. TPM uses an encrypted memory module, which provides an
additional security layer for properties such as passwords, digital certificates, and encryption keys.
Classification of information, also known as data classification, can be described as a system of assigning
data to various categories. Each category should possess a unique policy outlining how data is to be stored,
protected, accessed, and disposed of. The policy should also indicate who has permission to participate in
the storage, protection, access, and disposal of the data within that category.
Cloud computing can be described as a system used to provide services on demand from remote locations.
Cloud computing allows for computer processes that are typically hosted internally to be moved to an
external provider, which can reduce the burden on system and network resources. When a provider cloud is
used, access to applications, storage space, and other services can be provided on demand without
requiring the services to be installed on individual workstations. The use of cloud-based services can
simplify IT management by reducing or eliminating the time required to install, upgrade, and manage
services.
A remote wipe can be described as the process of remotely initiating the deletion of data stored on a
device. A remote wipe works by sending a command to the device through the Internet; after the device
establishes a connection to the Internet, the device receives the command and the process of deleting the
data is initiated. A user whose laptop or smart phone has been stolen may perform a remote wipe to
prevent the thief from accessing confidential information.
Reference:
Trusted Computing Group: Trusted Platform Module (TPM) Summary

QUESTION 51
Which of the following are not default values in an IKE policy on an ASA running software version 8.4 or
higher? (Select 2 choices.)

A. PSK-based authentication method
B. 168-bit DES encryption algorithm
C. 1024-bit DH group
D. MD5 hash algorithm
E. 14,400-second lifetime

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Message Digest 5 (MD5) algorithm and a 14,400-second lifetime are not default values in an Internet
Key Exchange (IKE) policy on a Cisco Adaptive Security Appliance (ASA) running software version 8.2.
Virtual private network (VPN) peers establish a connection through a series of negotiations and
authentications. Initially, the VPN peers negotiate an IKE security association (SA) and establish a tunnel for
key management and authentication. This initial phase is referred to as IKE phase 1. The key management
tunnel is used to protect the subsequent negotiation of IP Security (IPSec) SAs. This secondary negotiation
phase is referred to as IKE phase 2.
Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to
negotiate the creation of the key management tunnel in IKE phase 1. There are six required parameters in
an IKE policy:
- Policy priority - specifies the order in which policies are negotiated with a peer
- Authentication method - indicates whether a preshared key (PSK) or an RSA digital certificate is used
to verify the identity of an IKE peer
- Encryption algorithm - indicates the data protection method used to secure IKE traffic
- Hash-based Message Authentication Code (HMAC) algorithm - indicates the data integrity method used to
verify the integrity of IKE traffic
- Diffie-Hellman (DH) group - specifies how keying material is generated between IKE peers
- Lifetime - specifies the length of time that a key is considered valid; the default is 86,400 seconds, or 24
hours

If an IKE policy does not specify a parameter and its associated value, the ASA will use the default value.
The default IKE policy settings are shown below:

The default IKE policy settings are combined with the configuration parameters specified in the running
configuration. For example, because the following block of commands does not specify an HMAC
algorithm, an ASA running software revision 8.4 or higher would use the default value, which is SHA1:
ASA(config)#crypto ikev1 policy 1
ASA(config-ikev1-policy)#authentication rsa-sig
ASA(config-ikev1-policy)#encryption aes-192
ASA(config-ikev1-policy)#group 1
ASA(config-ikev1-policy)#lifetime 14400
In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers
must agree on security parameters. For example, when ASA1 sends an IKE policy proposal to ASA2, the
IKE policy is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match
to one of ASA2's locally defined policies; otherwise, it will be rejected. The one exception to this rule is the
value of the IKE lifetime parameter. An IKE lifetime is considered a match if the value specified by the
remote peer is less than or equal to the IKE lifetime defined in the local policy. If the IKE lifetime value is
less than that of the local policy, the ASA will use the lesser of the two values.
Reference:
Cisco: Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2: ISAKMP Overview
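The two mechanics in this explanation, default filling of an incomplete IKE policy and the exact-match-except-lifetime rule during phase 1, are easy to get wrong when troubleshooting a tunnel that will not come up. The block below is an added example written for this page, not Cisco code: it fills a partial policy with the ASA defaults this question names (PSK, 3DES, DH group 2, SHA-1, 86,400 seconds) and simulates a responder walking its policies in priority order. ASA2's policy set is constructed for the walk-through; ASA1's policy is the command block above.

```python
# Added example of how an ASA fills in unspecified IKEv1 policy parameters and
# how two peers' policies are matched in IKE phase 1, following the rules in
# the explanation above. Not Cisco code. Default values come from the page:
# PSK authentication, 168-bit 3DES, DH group 2 (1024-bit), SHA-1 and an
# 86,400-second lifetime.
from typing import Any, Dict, List, Optional

Policy = Dict[str, Any]

# ASA 8.4+ IKEv1 defaults as given in this question and its explanation.
DEFAULTS: Policy = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "sha",
    "group": 2,
    "lifetime": 86400,
}

# Parameters that must match exactly; lifetime is handled separately.
EXACT_MATCH_PARAMETERS = ("authentication", "encryption", "hash", "group")


def complete_policy(partial: Policy) -> Policy:
    """Return the effective policy: configured values layered over the defaults."""
    effective = dict(DEFAULTS)
    effective.update(partial)
    return effective


def policy_matches(proposal: Policy, local: Policy) -> bool:
    """A proposal matches a local policy when every parameter except lifetime is
    identical and the proposed lifetime is not longer than the local one."""
    if any(proposal[k] != local[k] for k in EXACT_MATCH_PARAMETERS):
        return False
    return proposal["lifetime"] <= local["lifetime"]


def negotiate(proposal: Policy, local_policies: List[Policy]) -> Optional[Policy]:
    """Simulate the responder: try local policies in priority order (lowest
    number first) and return the agreed parameters, or None if nothing matches."""
    proposal = complete_policy(proposal)
    for local in sorted(local_policies, key=lambda p: p["priority"]):
        local = complete_policy(local)
        if policy_matches(proposal, local):
            agreed = dict(local)
            # lifetimes may differ; the lesser of the two values is used
            agreed["lifetime"] = min(proposal["lifetime"], local["lifetime"])
            return agreed
    return None


# The policy configured in the explanation's command block (no hash given,
# so the default SHA-1 applies).
ASA1_POLICY_1: Policy = {
    "priority": 1,
    "authentication": "rsa-sig",
    "encryption": "aes-192",
    "group": 1,
    "lifetime": 14400,
}

# Constructed peer configuration for the walk-through (not from the page).
ASA2_POLICIES: List[Policy] = [
    {"priority": 5, "authentication": "pre-share", "encryption": "aes-256", "group": 5},
    {"priority": 10, "authentication": "rsa-sig", "encryption": "aes-192", "group": 1},
]

if __name__ == "__main__":
    print("ASA1 effective policy:", complete_policy(ASA1_POLICY_1))
    print("agreed with ASA2:", negotiate(ASA1_POLICY_1, ASA2_POLICIES))
```

With these inputs ASA2's priority-10 policy matches and the agreed lifetime is ASA1's shorter 14,400 seconds; raising ASA1's lifetime above ASA2's 86,400-second default, or changing any other parameter, yields no match.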

QUESTION 52
Which of the following is specifically filtered by a URL filtering subscription service on a Cisco router?
(Select the best answer.)

A. traffic sent from specific domains


B. traffic that contains specific keywords
C. traffic that contains malicious software
D. traffic that matches predefined categories

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco router, traffic that matches predefined categories is filtered by a Uniform Resource Locator
(URL) filtering subscription service. URL filtering inspects Hypertext Transfer Protocol (HTTP) requests and
blocks access to websites that match certain criteria. Subscription-based URL filtering services, which are
offered by Trend Micro, Websense, and Secure Computing, assign websites to categories, which are used
by administrators to limit or block access to these sites. URL filtering is commonly configured on perimeter
routers to prevent users from inadvertently accessing URLs that have been deemed inappropriate or
identified as containing malware.
Although a URL filtering subscription service does not specifically filter traffic that contains malicious
software as a payload, you can configure the local URL filtering service so that access to websites known to
distribute malicious software is filtered. For example, if a particular URL is known to harbor malware, you
could filter that specific URL or the entire domain. However, to filter traffic that contains malicious software
as a payload, you should install an Intrusion Prevention System (IPS).
Reference:
Cisco: Subscription-based Cisco IOS Content Filtering
Cisco: Cisco IOS Content Filtering Configuration Guide

QUESTION 53
Which of the following actions could you take to mitigate VLAN hopping attacks? (Select the best answer.)

A. Implement sticky MAC addresses.
B. Change the native VLAN on trunk ports to an unused VLAN.
C. Implement DAI.
D. Limit the number of MAC addresses permitted on a port.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN
hopping attacks. In a VLAN hopping attack, an attacker sends double-tagged 802.1Q frames over a trunk
link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although
double-tagging can be used as a legitimate way to tunnel traffic through a network and is commonly used by
service providers, it can also be used by an attacker to circumvent security controls on an access switch. In
a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native
VLAN on a trunk and sending double-tagged 802.1Q frames to the switch. The switch strips the outer
802.1Q header from the received frame and then forwards the frame, which still includes an 802.1Q
header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an
attacker to send unidirectional traffic to other VLANs without the use of a router.
Implementing sticky secure Media Access Control (MAC) addresses can help mitigate MAC spoofing
attacks. In a MAC spoofing attack, an attacker uses the MAC address of another known host on the
network in order to bypass port security measures. MAC spoofing can also be used to impersonate another
host on the network.
Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a
MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of
overwhelming the switch's MAC address table. Once this table is flooded, the switch can no longer make
intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent
through the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a
content addressable memory (CAM) table overflow attack.
Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP)
poisoning attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker
sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker's MAC
address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host
address will go through the attacker's computer rather than directly to the intended recipient.
Reference:
Cisco: Implementation of Security: VLAN Hopping

QUESTION 54
Which of the following devices typically sits inline? (Select the best answer.)

A. a HIDS
B. a HIPS
C. a NIDS
D. a NIPS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Network-based Intrusion Prevention System (NIPS) typically sits inline, which means that all traffic from
the external network must flow through and be analyzed by the NIPS before the traffic can enter the internal
network. Therefore, a NIPS can detect and drop malicious traffic, which prevents malicious traffic from
infiltrating the internal network. A NIPS can work in conjunction with a network firewall; however, Cisco
recommends deploying a NIPS on the inside interface of the firewall in order to prevent the NIPS from
wasting resources by analyzing traffic that will ultimately be blocked by the firewall. This enables the NIPS to
efficiently analyze the traffic that the firewall permits onto the network, rather than processing every inbound
packet.
A Host-based Intrusion Prevention System (HIPS) is software that is installed on a host device and analyzes
traffic that enters the host. Any traffic that is suspected to be malicious is blocked before it can affect the
host device. Many modern, host-based firewall applications include components that provide HIPS
functionality.
A Network-based Intrusion Detection System (NIDS) typically does not sit inline in the flow of traffic. Instead,
a NIDS merely sniffs the network traffic by using a promiscuous network interface. Because network traffic
does not flow through a NIDS, the NIDS can detect malicious traffic but cannot prevent it from infiltrating the
network. When a NIDS detects malicious traffic, it can alert other network devices in the traffic path so that
further traffic can be blocked. In addition, a NIDS can be configured to send a Transmission Control
Protocol (TCP) reset notification or an Internet Control Message Protocol (ICMP) unreachable message to
the source and destination addresses.
A Host-based Intrusion Detection System (HIDS) is software that is installed on a host device and analyzes
changes made to the device. The primary difference between a HIDS and a HIPS is that a HIPS can detect
and block malicious traffic before the traffic can affect the host; a HIDS can detect a threat only after it has
already affected the host. Two examples of HIDS applications are Tripwire and OSSEC. Tripwire monitors
the integrity of critical files and sends alerts if changes are made to them. OSSEC is an open-source
application that monitors logs, registries, and critical files. In addition, OSSEC can detect rootkits, which are
malware processes that actively hide their presence from the host operating system.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 55
Which of the following statements is true regarding a stateless packet-filtering firewall? (Select the best
answer.)

A. It can operate at Layer 4 of the OSI model.
B. It is more secure than a stateful packet-filtering firewall.
C. It tracks packets as a part of a stream.
D. It is not susceptible to IP spoofing attacks.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A stateless packet-filtering firewall can operate at Layer 4 of the Open Systems Interconnection (OSI) model.
A stateless packet-filtering firewall, which is also referred to as a static packet-filtering firewall, evaluates and
either blocks or allows individual packets based on the Layer 3 and Layer 4 information in the packet
header. Specifically, stateless packet-filtering firewalls can use the source and destination IP addresses,
source and destination port numbers, and protocol type listed in the packet header; these values are
commonly known as the 5-tuple. Because a stateless packet-filtering firewall allows all traffic from an
approved IP address, stateless packet-filtering firewalls are susceptible to IP spoofing attacks; an IP
spoofing attack is a type of attack wherein an attacker uses the source IP address of a trusted host to send
messages to other computers. This allows the attacker to send messages that appear to come from
legitimate hosts on the network. In addition, because a stateless packet-filtering firewall evaluates packets
individually, it cannot evaluate data streams or track connections.
By contrast, stateful packet-filtering firewalls traditionally operate at Layers 3, 4, and 5 of the OSI model.
Stateful packet-filtering firewalls are more secure than stateless packet-filtering firewalls and are commonly
used because of their versatility and ability to dynamically monitor and filter packets. Session information is
maintained and tracked by stateful packet-filtering firewalls in order to determine whether packets should be
permitted or blocked. For example, when monitoring Transmission Control Protocol (TCP) traffic, the
stateful packet filter adds an entry to the state table when a TCP session is permitted. Subsequent packets
are verified against the state table to ensure that the packets are in the expected sequence. If the TCP
packet sequence numbers are not in the expected range, the packets are dropped.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 14, Static Packet Filtering, p. 362

QUESTION 56
An SNMP read-only community named READONLY is configured on a Cisco router.
Which of the following fields in the output of the show snmp command on the router will increment if an
NMS makes a set request to the READONLY community? (Select the best answer.)

A. Unknown community name
B. Illegal operation for community name supplied
C. Input queue packet drops
D. No such name errors

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Illegal operation for community name supplied field in the output of the show snmp
command on the router will increment if a network management station (NMS) makes a Simple Network
Management Protocol (SNMP) set request to the READONLY community. SNMP communities can be
configured to be either read-only or read-write. Read-only communities enable an NMS to retrieve
Management Information Base (MIB) data from a community, whereas readwrite communities enable an
NMS to modify and retrieve MIB data. The show snmp command displays accumulated SNMP statistics, as
shown in the following sample output:
Chassis: 4279256517
1230 SNMP packets input
2 Bad SNMP version errors
5 Unknown community name
4 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
680 Get-request PDUs
479 Get-next PDUs
60 Set-request PDUs
0 Input queue packet drops (Maximum queue size 1000)
1230 SNMP packets output
0 Too big errors (Maximum packet size 1500)
5 No such name errors
Bad values errors
0 General errors
762 Response PDUs
0 Trap PDUs
SNMP logging: disabled
The Illegal operation for community name supplied field in the sample output indicates that four SNMP
packets requested an operation that was not allowed for the associated community, such as a set request
for a community that permits only get requests. The Unknown community name field indicates that five
SNMP packets were received with unknown community strings. The Input queue packet drops field
indicates that no packets were dropped because the input queue had reached its maximum size. The No
such name errors field indicates that five SNMP packets were received for MIBs that did not exist on the
router. The sample output also indicates the number of get, getNext, and set requests that have been
received by the router as well as statistics on the number of various types of SNMP packets the router has
sent in response to NMS queries.
Reference:
Cisco: Cisco IOS SNMP Support Command Reference: show snmp
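Because show snmp statistics accumulate since the last reload, the counters this question asks about are most useful when polled repeatedly and compared. The block below is an added example written for this page, not Cisco code: it parses show snmp output into named counters, diffs two polls, and flags the two fields that indicate community-string misuse (unknown community names, and operations the community does not permit such as a set against a read-only community). The sample output is constructed, modeled on the one in the explanation; the Bad values counter, which the page does not give, is filled in as 0.

```python
# Added example: a parser for show snmp counter output plus a simple check
# over the counters that matter when hunting for community-string misuse.
# Written for this page, not taken from Cisco; the sample output below is
# constructed, modeled on the sample in the explanation (the Bad values
# counter is filled in as 0 because the page does not give it).
import re
from typing import Dict, List

SAMPLE_SHOW_SNMP = """\
Chassis: 4279256517
1230 SNMP packets input
    2 Bad SNMP version errors
    5 Unknown community name
    4 Illegal operation for community name supplied
    0 Encoding errors
    0 Number of requested variables
    0 Number of altered variables
    680 Get-request PDUs
    479 Get-next PDUs
    60 Set-request PDUs
    0 Input queue packet drops (Maximum queue size 1000)
1230 SNMP packets output
    0 Too big errors (Maximum packet size 1500)
    5 No such name errors
    0 Bad values errors
    0 General errors
    762 Response PDUs
    0 Trap PDUs
SNMP logging: disabled
"""

# "<count> <label>" with an optional parenthesised note such as "(Maximum queue size 1000)"
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)(?:\s+\([^)]*\))?\s*$")

UNKNOWN_COMMUNITY = "input:Unknown community name"
ILLEGAL_OPERATION = "input:Illegal operation for community name supplied"
QUEUE_DROPS = "input:Input queue packet drops"


def parse_show_snmp(text: str) -> Dict[str, int]:
    """Return {"<section>:<label>": count}. The same label can appear under both
    the input and output sections, so the section name is part of the key."""
    counters: Dict[str, int] = {}
    section = "global"
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if not match:
            continue   # Chassis and logging lines carry no counter
        count, label = int(match.group(1)), match.group(2)
        if label == "SNMP packets input":
            section = "input"
        elif label == "SNMP packets output":
            section = "output"
        counters[f"{section}:{label}"] = count
    return counters


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """show snmp counters only accumulate, so compare two polls to see what
    happened in between (a reload resets them, which shows as a negative delta)."""
    return {key: after.get(key, 0) - before.get(key, 0) for key in set(before) | set(after)}


def community_abuse_indicators(counters: Dict[str, int]) -> List[str]:
    """Flag counters that point at an NMS (or something pretending to be one)
    using wrong community strings or writing to a read-only community."""
    findings = []
    if counters.get(UNKNOWN_COMMUNITY, 0) > 0:
        findings.append(f"{counters[UNKNOWN_COMMUNITY]} request(s) with an unknown community string")
    if counters.get(ILLEGAL_OPERATION, 0) > 0:
        findings.append(f"{counters[ILLEGAL_OPERATION]} request(s) for an operation the community does not "
                        "permit, e.g. a set against a read-only community")
    if counters.get(QUEUE_DROPS, 0) > 0:
        findings.append(f"{counters[QUEUE_DROPS]} packet(s) dropped because the SNMP input queue was full")
    return findings


if __name__ == "__main__":
    snapshot = parse_show_snmp(SAMPLE_SHOW_SNMP)
    for finding in community_abuse_indicators(snapshot):
        print(finding)
```

On the sample, the parser yields four illegal operations and five unknown community names, the two counters a set request against READONLY and a wrong community string would move; the input-queue drop counter stays at zero, matching the explanation.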

QUESTION 57
Which of the following statements is true of all firewalls? (Select the best answer.)

A. They maintain a state table.
B. They hide the source of network connections.
C. They operate at Layer 7 of the OSI model.
D. They are multihomed devices.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
All firewalls are multihomed devices. A multihomed device is a device that connects to more than one
network segment. The purpose of a firewall is to block undesired network traffic and to allow desired
network traffic to pass from one network interface to another.
Some firewalls, such as proxy firewalls, can be configured to hide the source of network connections.
However, stateful firewalls and packet filtering firewalls are not typically configured to hide the source of
network connections. A proxy firewall terminates the connection with the source device and initiates a new
connection with the destination device, thereby hiding the true source of the traffic. When the reply comes
from the destination device, the proxy firewall forwards the reply to the original source device. Network
Address Translation (NAT) and Port Address Translation (PAT) can also be used to hide the source of
network connections.
Some firewalls, such as stateful firewalls, maintain a state table. However, other firewalls, such as packet
filtering firewalls, do not. A stateful firewall makes filtering decisions based on the state of each session.
When an outbound session is initiated, the stateful firewall will create an entry in the firewall’s state table
and dynamically allow the return traffic in the inbound direction. Inbound traffic from other sources will be
blocked unless there is a corresponding outbound session listed in the state table.
A packet filtering firewall makes simple filtering decisions based on each individual packet. As a result,
packet filtering firewalls are not particularly flexible. For example, if you want to configure traffic on a port to
flow inbound as well as outbound, you must open up the port in both directions. However, doing so might
expose the internal network to undesirable inbound traffic on that port. Therefore, stateful firewalls are more
secure than packet filtering firewalls.
Some firewalls, such as application-level proxy firewalls, operate at Layer 7 of the Open Systems
Interconnection (OSI) model, which is called the Application layer. However, stateful firewalls and packet
filtering firewalls operate at the Network and Transport layers. An application-level proxy firewall can make
filtering decisions based on Application layer data. However, to do so, the firewall must be able to
understand the corresponding Application layer protocol. As a result, application-level proxy firewalls are
often designed to filter data for a particular Application layer protocol, such as Hypertext Transfer Protocol
(HTTP) or File Transfer Protocol (FTP). For example, an HTTP proxy can block malicious or otherwise
undesirable web traffic, but it might not be able to block malicious FTP traffic.
Reference:
CCNA Security 210260 Official Cert Guide, Chapter 14, Firewall Technologies, p. 358
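Questions 55 and 57 both turn on the same contrast: a static filter judges every packet alone on its 5-tuple and so needs a standing inbound rule to let replies in, while a stateful filter records permitted outbound sessions and admits only their return traffic. The block below is an added example written for this page, not from the cert guide: it implements both filters on a small packet model and runs a constructed scenario (an inside host browsing a web server, then an unsolicited inbound packet dressed up with source port 80) through each. All addresses, ports and rules are invented for the demo.

```python
# Added example contrasting the stateless (static) packet filter described in
# Question 55 with the stateful filter of Question 57. Constructed code, not
# from the cert guide: addresses, ports and rules are invented for the demo.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ANY = "any"   # wildcard for addresses; port 0 is the port wildcard


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str    # "in" = arriving from the untrusted side, "out" = leaving


@dataclass(frozen=True)
class Rule:
    direction: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    action: str       # "permit" or "deny"


def _matches(rule: Rule, pkt: Packet) -> bool:
    """Compare the rule against the packet's 5-tuple and direction."""
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and rule.src_ip in (ANY, pkt.src_ip)
            and rule.dst_ip in (ANY, pkt.dst_ip)
            and rule.src_port in (0, pkt.src_port)
            and rule.dst_port in (0, pkt.dst_port))


def stateless_filter(pkt: Packet, rules: List[Rule]) -> str:
    """Static filter: first matching rule wins, implicit deny otherwise.
    Each packet is judged alone; nothing about earlier packets is kept."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Keeps a state table of permitted outbound sessions and admits inbound
    packets that belong to one of them without needing an inbound rule."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Set[Tuple[str, str, str, int, int]] = set()

    def process(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            action = stateless_filter(pkt, self.rules)
            if action == "permit":
                # record the 5-tuple the reply is expected to carry
                self.state.add((pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port))
            return action
        if (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port) in self.state:
            return "permit"
        return stateless_filter(pkt, self.rules)


# Constructed scenario: inside host 10.1.1.10 browses to web server 203.0.113.5.
OUTBOUND_WEB = Packet("10.1.1.10", "203.0.113.5", "tcp", 51000, 80, "out")
WEB_REPLY = Packet("203.0.113.5", "10.1.1.10", "tcp", 80, 51000, "in")
# Unsolicited inbound packet that merely uses source port 80 to look like a reply.
UNSOLICITED = Packet("198.51.100.9", "10.1.1.10", "tcp", 80, 445, "in")

# To let replies back in, the stateless filter needs a standing inbound rule.
STATELESS_RULES = [
    Rule("out", ANY, ANY, "tcp", 0, 0, "permit"),
    Rule("in", ANY, ANY, "tcp", 80, 0, "permit"),
]
# The stateful filter needs only the outbound rule; the state table handles replies.
STATEFUL_RULES = [Rule("out", ANY, ANY, "tcp", 0, 0, "permit")]


def run_scenario() -> Dict[str, str]:
    """Run the three packets through both filters and return the decisions."""
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless_reply": stateless_filter(WEB_REPLY, STATELESS_RULES),
        "stateless_unsolicited": stateless_filter(UNSOLICITED, STATELESS_RULES),
        "stateful_out": stateful.process(OUTBOUND_WEB),
        "stateful_reply": stateful.process(WEB_REPLY),
        "stateful_unsolicited": stateful.process(UNSOLICITED),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

The stateless filter permits both the genuine reply and the unsolicited packet, because the standing inbound rule cannot tell them apart; the stateful filter permits the reply from its state table and drops the unsolicited packet, which is the point both explanations make about opening a port in both directions.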

QUESTION 58
You issue the following block of commands on a Cisco router:
RouterA(config)#privilege exec level 10 show users
RouterA(config)#username boson password cisco
RouterA(config)#username boson privilege 15
RouterA(config)#username boson autocommand show users
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#privilege level 7
Which of the following statements accurately describes what happens when the user boson successfully
initiates a Telnet session to RouterA? (Select the best answer.)

A. The autocommand command fails, and the user is disconnected.
B. The autocommand command fails, and the user is not disconnected.
C. The autocommand command succeeds, and the user is disconnected.
D. The autocommand command succeeds, and the user is not disconnected.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When the user boson successfully initiates a Telnet session to RouterA in this scenario, the autocommand
command succeeds and the user is disconnected from the router. When issued with the username
command, the autocommand keyword can execute a specific command immediately after a user
successfully logs in to a Cisco router. In this scenario, the autocommand specifies that the show users
command should execute immediately after the user logs in. The command output is displayed to the user
terminal, and then the user’s session is terminated. You can prevent the user session from being
terminated either by using the nohangup keyword or by issuing the no username username autocommand
command to remove the autocommand keyword. However, the no username username autocommand
command will delete both the autocommand keyword and the specified user name from the local database;
therefore, you will need to issue the username username password password again to recreate the user
entry. By contrast, the nohangup keyword does not affect the autocommand keyword but instead changes
the default behavior so that the user session is not disconnected.
The privilege exec level 10 show users command in this scenario changes the required privilege level of the
show users command to level 10. The default EXEC privilege level is level 1; therefore, this command
removes the show users command from the EXEC shells of all users with privilege levels less than 10. The
default enable privilege level is level 15; therefore, any user could enter privileged EXEC mode and
execute the command. The username boson privilege 15 command in this scenario configures the user
boson with a privilege level of 15. Because the user’s base privilege level is already 15, the user is not
required to issue the enable command to enter privileged EXEC mode. The following block of commands
configures the four default virtual terminal (VTY) interfaces on RouterA to use the local database for
authentication and to assign user sessions a default privilege level of 7:
RouterA(config)#line vty 0 4
RouterA(config-line)#login local
RouterA(config-line)#privilege level 7
Although Telnet users are assigned a default privilege level of 7 in this scenario, per-user privileges override
the privileges configured for the VTY line. Therefore, the user boson will be granted privilege level 15 when
connected to a VTY line through a Telnet session. By contrast, a user without a specified privilege level will
be granted privilege level 7 in this scenario. Because the show users command has been assigned a
required privilege level of 10, the boson user will be able to execute the command, whereas a Telnet user
with the default privilege level would be unable to execute the command without first issuing the enable
command to enter privileged EXEC mode.
If the boson user was assigned a privilege level that was insufficient to execute the show users command,
the autocommand keyword would still attempt to execute the command. The autocommand keyword does
not verify that a user has sufficient privileges to execute the specified command. However, the command
would cause the router to display an error message instead of the expected command output. The user
session would be disconnected after the error message was displayed.
In no case would the user session remain connected. The nohangup keyword must be used with the
username command to change the default behavior so that a user session is not disconnected after the
command specified by the autocommand command is executed.
Reference:
Cisco: Role-Based CLI Access: username

QUESTION 59
You administer the network shown above. SwitchE is the root bridge for the network. You connect SwitchF
to a port on SwitchB. SwitchF has a priority value of 0 and the MAC address 0000.0c42.0729.
Which statement is most accurate regarding root bridge selection after SwitchF is connected to SwitchB?
(Select the best answer.)

A. SwitchB will immediately become the root bridge.
B. SwitchE will remain the root bridge.
C. SwitchF will immediately become the root bridge.
D. SwitchE will remain the root bridge until it is powered down, and then SwitchF will become the root
bridge.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
After you connect SwitchF to a port on SwitchB, SwitchF will become the root bridge because it has the
lowest possible priority value and it has a lower Media Access Control (MAC) address than any of the other
switches with a priority value of 0. The root bridge is the switch with the lowest bridge ID (BID), which is
composed of a 2-byte bridge priority and a 6-byte MAC address. The bridge priority is considered first in the
determination of the lowest BID. When two or more switches have the lowest priority, the switch with the
lowest MAC address will become the root bridge. Because SwitchF has a lower MAC address than
SwitchE, SwitchF will become the root bridge.
SwitchE will not remain the root bridge, because SwitchF has the same priority and a lower MAC address.
When a switch is powered on, it sends out bridge protocol data units (BPDUs) that contain the switch's BID.
As soon as a switch receives a BPDU with a lower BID than the current root switch BID, the switch will
consider that BPDU to be superior, replace the root switch BID with the BID from the BPDU, and recalculate
the root port and port costs. This can have an undesired effect on how packets are sent through a switched
network. Therefore, when connecting a switch to a switched network, you must ensure that the switch has a
higher priority value than the root bridge, unless you want the switch to assume the root bridge role. This is
especially true if the switch is older or contains inferior technology, such as ports that are capable of only
10 megabits per second (Mbps) transmission or half-duplex operation. Alternatively, you can issue the
spanning-tree guard root command to enable the root guard feature. The root guard feature, when enabled
on a port, prevents a neighbor switch connected to that port from becoming the root bridge, even if that
neighbor sends superior BPDUs. If superior BPDUs are received on a port enabled with root guard, the port enters the
root-inconsistent state and the port is blocked until the port stops receiving superior BPDUs.
SwitchB will not become the root bridge. SwitchB has a priority value of 65535, which is the highest possible
priority value. The root bridge is the switch with the lowest priority value. You can set the bridge priority by
issuing the spanning-tree priority value command, where value is a number from 0 through 65535; the
default priority is 32768.
SwitchE will not remain the root bridge until it is powered down; SwitchF will immediately replace SwitchE
as the root bridge. Root bridges do not behave the same as Open Shortest Path First (OSPF) designated
routers (DRs) and backup DRs (BDRs) do. A DR is not replaced by another DR even if a router with a
higher OSPF priority is introduced. A DR remains the DR until it fails or is powered down; then the BDR
becomes the DR and a new BDR is selected.
Reference:
Cisco: Understanding and Configuring Spanning Tree Protocol (STP) on Catalyst Switches
Cisco: Spanning Tree Protocol Root Guard Enhancement
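The election described above comes down to comparing bridge IDs as one number: the 2-byte priority is the high-order part, the 6-byte MAC the low-order part, and the lowest value wins. The following is an added example, not code from Cisco or from the exam material; the MAC addresses given to SwitchE and SwitchB are constructed (the question only states SwitchF's), and the root guard function models the behaviour the explanation attributes to spanning-tree guard root. Note that Catalyst switches using the extended system ID accept only priority values that are multiples of 4096; the code validates only the 0 through 65535 range stated above.

```python
"""Spanning Tree root bridge election by bridge ID (BID).

Added example, not from the Cisco reference or the exam text.
The SwitchE and SwitchB MAC addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Switch:
    name: str
    priority: int  # 2-byte bridge priority, 0..65535
    mac: str       # 6-byte MAC in Cisco dotted-hex form, e.g. "0000.0c42.0729"


def mac_to_int(mac: str) -> int:
    """Convert dotted, colon, or dash-separated hex MAC text to an integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def bridge_id(sw: Switch) -> int:
    """BID = 2-byte priority followed by 6-byte MAC, treated as one 64-bit number.

    Comparing the integers compares priority first and MAC second, which is
    exactly the order STP uses; the lowest value wins.
    """
    if not 0 <= sw.priority <= 0xFFFF:
        raise ValueError(f"priority out of range for {sw.name}: {sw.priority}")
    return (sw.priority << 48) | mac_to_int(sw.mac)


def elect_root(switches: Iterable[Switch]) -> Switch:
    """Return the switch that wins root election: the lowest BID in the domain."""
    return min(switches, key=bridge_id)


def root_guard_verdict(current_root: Switch, bpdu_from_neighbor: Switch) -> str:
    """What a root-guard-enabled port does with a BPDU from its neighbor.

    A BPDU carrying a BID lower than the current root's is 'superior'; root
    guard answers by putting the port into the root-inconsistent state instead
    of letting the neighbor take over as root.
    """
    if bridge_id(bpdu_from_neighbor) < bridge_id(current_root):
        return "root-inconsistent"
    return "forwarding"


# Scenario from the question: SwitchF (priority 0, MAC 0000.0c42.0729) joins a
# domain where SwitchE is root and SwitchB has priority 65535. SwitchE's and
# SwitchB's MACs are constructed; SwitchE gets priority 0 but a higher MAC.
SWITCH_E = Switch("SwitchE", 0, "0000.0c42.9a10")
SWITCH_B = Switch("SwitchB", 65535, "0000.0c42.1111")
SWITCH_F = Switch("SwitchF", 0, "0000.0c42.0729")


def scenario_root() -> str:
    """Name of the root bridge once SwitchF is connected (expected: SwitchF)."""
    return elect_root([SWITCH_E, SWITCH_B, SWITCH_F]).name


if __name__ == "__main__":
    print("root bridge after SwitchF joins:", scenario_root())
    print("root guard on SwitchB's port toward SwitchF:",
          root_guard_verdict(SWITCH_E, SWITCH_F))
```

Running the scenario elects SwitchF, and the same comparison shows why an operator would enable root guard on access ports: a BPDU from SwitchF is superior to SwitchE's BID, so a guarded port blocks rather than accepting the new root.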

QUESTION 60
Which of the following statements is true regarding the outbreak control feature of AMP for Endpoints?
(Select the best answer.)

A. It cannot block polymorphic malware.
B. It must wait for a content update before blocking specific files.
C. It cannot whitelist specific applications.
D. It can use application blocking lists to contain compromised applications.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The outbreak control feature of Cisco Advanced Malware Protection (AMP) for Endpoints can use
application blocking lists to contain compromised applications. AMP for Endpoints is a host-based malware
detection and prevention platform that runs on Microsoft Windows, Mac OS X, Linux, and Google Android.
Like many other anti-malware packages, AMP for Endpoints monitors network traffic and application
behavior to protect a host from malicious traffic. However, unlike many of its competitors, AMP for
Endpoints continues its analysis after a disposition has been assigned to a file or traffic flow. When malware
is detected, the outbreak control feature of AMP for Endpoints can use application blocking to ensure that a
compromised application is contained and that it does not spread the infection. Outbreak control provides
for granular control over which applications are blocked and can use whitelists to ensure that mission-critical
software continues to run even during an outbreak.
The outbreak feature works in conjunction with the continuous analysis, continuous detection, and
retrospective security features of AMP for Endpoints to quickly contain and control the spread of malware.
Once a file or application has been detected as malicious, the outbreak control feature can use custom
detection rules to quickly block the specific file or application without waiting for a signature file content
update. In addition, custom signatures can be created to detect polymorphic malware, which is malicious
software that can evolve its code or behavior as it propagates.
Reference:
Cisco: Cisco Advanced Malware Protection Solution Overview
Cisco: Cisco Advanced Malware Protection for Endpoints Data Sheet

QUESTION 61
You want to use ASDM to create an inspection rule that will drop and log SHOUTcast media streams.
Which of the following inspection rules should you configure to achieve your goal? (Select the best answer.)

A. H.323 H.225
B. H.323 RAS
C. HTTP
D. RTSP
E. IM

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
You should configure a Hypertext Transfer Protocol (HTTP) inspection rule to drop and log SHOUTcast
media streams on a Cisco Adaptive Security Appliance (ASA). When HTTP inspection is enabled in a
service policy, such as the global service policy, you can opt to use the default inspection rules or you can
customize the inspection rules by applying an HTTP inspect map. You can select a custom HTTP inspect
map from the Select HTTP Inspect Map dialog box, as shown below:

You can modify the configuration of an HTTP inspect map from the Configuration > Firewall > Objects >
Inspect Maps > HTTP pane of Cisco Adaptive Security Device Manager (ASDM). This pane enables you to
add, delete, and modify HTTP inspect maps. To modify an existing map, you should first click the
Customize button, which opens the Edit HTTP Inspect Map dialog box, as shown in the following exhibit:
You can reset the inspection map to its default security level by clicking the Default Level button, or you can
slide the Security Level slider to select a predefined setting. Alternatively, you can click the Details button to
expand the Edit HTTP Inspect Map dialog box into a larger window with more options, as shown below:

You can use the Parameters tab of the expanded Edit HTTP Inspect Map dialog box to enable protocol
violation checks and to select the actions that the ASA should take if protocol violations are found. You can
also use the tab to configure server string spoofing and the maximum body length for HTTP request and
response searches. The Inspections tab of the expanded Edit HTTP Inspect Map dialog box displays the
details of the inspection map, as shown in the exhibit below:
The Inspections tab displays the inspection rules that apply to the current inspect map. The Match Type
column indicates whether traffic must match or not match the criterion specified in the remaining columns.
The Criterion column specifies what type of inspection is being performed. If the traffic is being inspected
for a value, that value is indicated in the Value column. The Action column indicates what action will be
applied to sessions that meet the rules requirements, and the Log column indicates whether the action
triggers a system log (syslog) message. If you wanted to add an inspection rule that dropped and logged
SHOUTcast media streams, you could click the Add button to open the Add HTTP Inspect dialog box and
then select the _default_shoutcast-tunneling-protocol item from the HTTP Traffic Class drop-down list box, as
shown in the following exhibit:

The items listed in the drop-down list are class maps that have been defined on the ASA. Names that begin
with _default are predefined in the system default configuration and can be referenced directly from ASDM
or by the class command in a policy map. The _default_shoutcast-tunneling-protocol class map is a
predefined class map that can identify SHOUTcast media streams by their HTTP metadata, as shown in the
following exhibit:

You cannot configure H.323 H.225; H.323 Registration, Admission, and Status (RAS); Instant Messaging
(IM); or Real-Time Streaming Protocol (RTSP) inspection rules to drop and log SHOUTcast media streams
on an ASA. SHOUTcast media streams use HTTP, not H.323 or H.225. H.323 H.225 and H.323 RAS
inspection rules provide support for International Telecommunication Union (ITU) H.323-compliant
applications such as Cisco CallManager. IM inspection rules provide the ASA with the ability to enforce
security policies for a variety of mainstream IM applications. RTSP inspection rules enable an ASA to
process media streams that are commonly produced by RealAudio, Apple QuickTime, and Cisco IP
television (IPTV) connections.
Reference:
Cisco: Configuring Application Layer Protocol Inspection: HTTP Class Map
Cisco: Configuring Inspection of Basic Internet Protocols: Configuring an HTTP Inspection Policy Map for
Additional Inspection Control
Cisco: Configuring Application Layer Protocol Inspection: Add/Edit HTTP Map

QUESTION 62
On which of the following screens in ASDM can you enable users to select which connection profile they will
use when they establish a clientless SSL VPN connection? (Select the best answer.)

A. the Edit User Account dialog box for each user who should be able to select a connection profile
B. the Edit Internal Group Policy dialog box for each group policy that is associated with the clientless SSL
VPN connection profiles
C. the main Connection Profiles pane
D. the main Group Policies pane
E. the main Local Users pane

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can enable users to select which connection profile they will use on the portal login page on the main
Connection Profiles pane for clientless Secure Sockets Layer (SSL) virtual private network (VPN)
connections in Cisco Adaptive Security Device Manager (ASDM). When you configure a clientless SSL
VPN connection, you can require that a user use a specific connection profile or you can allow users to
select the connection profile to use on the login page of the clientless SSL VPN portal. You can select the
Allow user to select connection profile, identified by its alias, on the login page option on the Connection
Profiles pane in ASDM to allow users to select which connection profile they will use. This option is shown in
the following exhibit:

When this option is selected, a drop-down list will be displayed on the login page of the clientless SSL VPN
portal. The drop-down list contains the connection profiles from which the user can select.
You cannot configure the main Group Policies pane or the main Local Users pane to enable users to select
connection profiles on the clientless SSL VPN portal. On these panes, you can view a basic summary of
information for any configured group policies or user accounts, respectively. To configure group policy or
user account information, you must select a group policy or a user account and click the Edit button to
configure them. The resulting configuration dialog boxes (Edit User Account for users and Edit Internal
Group Policy for group policies) enable you to make configuration changes, but neither of these dialog
boxes contains an option for enabling users to select the connection profile on the clientless SSL VPN
portal.
Reference:
Cisco: General VPN Setup: About Connection Profiles

QUESTION 63
Which of the following can be configured on the General screen of the Add Internal Group Policy dialog box
in ASDM when creating a group policy for clientless SSL VPN users? (Select 3 choices.)

A. a banner message for VPN clients
B. the bookmark list to apply to VPN clients
C. the tunneling protocols that clients can use to establish a VPN connection
D. the name of the group policy
E. a group URL that VPN users can access
F. the portal customization object to apply to VPN connections

Correct Answer: ACD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, you can configure a banner message for virtual private network (VPN) clients, the
tunneling protocols that clients can use to establish VPN connections, and the name of the group policy on
the General screen of the Add Internal Group Policy dialog box in Cisco Adaptive Security Device Manager
(ASDM) when creating a group policy for clientless Secure Sockets Layer (SSL) VPN users. You can create
a group policy on a Cisco Adaptive Security Appliance (ASA) to specify security policies and network
settings that are used when remote VPN users log in to the ASA. To create a group policy for clientless SSL
VPN users in ASDM, you should click Configuration, click the Remote Access VPN button, expand
Clientless SSL VPN Access, and click Group Policies. You can then create a new group policy by clicking
Add, which will open the Add Internal Group Policy dialog box. The dialog box opens to the General screen,
on which you can configure general properties for the group policy, including the name of the group policy, a
banner message to be displayed to VPN users, the tunneling protocols that clients can use to establish a
VPN connection, the VPN access hours, a web access control list (ACL), the number of simultaneous
logins, a virtual LAN (VLAN) restriction, the connection profile to use for the connection, the maximum
connect time, and the idle timeout time. The General screen of the Add Internal Group Policy dialog box,
with the name, banner message, and tunneling protocols configured, is shown in the following exhibit:

The bookmark list to apply to VPN clients is not configured on the General screen of the Add Internal Group
Policy dialog box. You can specify the bookmark list on the Portal screen of the Add Internal Group Policy
dialog box.
The portal customization object to apply to VPN clients is not configured on the General screen of the Add
Internal Group Policy dialog box. You can specify the portal customization object on the Customization
screen of the Add Internal Group Policy dialog box.
A group Uniform Resource Locator (URL) that VPN users can access is not configured on the General
screen of the Add Internal Group Policy dialog box. You configure a group URL in a connection profile, not
in a group policy. To configure a group URL, you should access the SSL VPN screen of the Add SSL VPN
Connection Profile dialog box in ASDM.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 64
Which of the following show clock command output symbols indicates that time reported by the software
clock is authoritative but not synchronized with the configured time source? (Select the best answer.)

A. #
B. *
C. ~
D. .
E. +

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The period (.) is the show clock command output symbol that indicates that time reported by the software
clock is authoritative but not synchronized with the configured time source. The show clock command
displays the current time as reported by the system software clock. The time can be configured manually or
derived from an external time source, such as a Network Time Protocol (NTP) server. If the software clock
is configured to use an external time source and that source becomes unreachable, the time might become
unsynchronized due to clock drift. When this happens, the show clock command uses the . symbol to
indicate that the time is still considered authoritative but is no longer guaranteed to be synchronized with the
external time source. The following command output indicates that the software clock is authoritative but
not synchronized with its time source:
.10:06:40.603 UTC Tue Jan 13 2015
The asterisk (*) is displayed in the output of the show clock command to indicate that time reported by the
software clock is not authoritative. If the software clock is not set by a timing source, the system will flag the
time as not authoritative and the output of the show clock command will indicate the flag with the * symbol,
as shown in the following command output:
*10:06:40.603 UTC Tue Jan 13 2015
By contrast, if the time is set by a timing source and is synchronized with that source, the time is considered
authoritative and the output of the show clock command will not display any additional symbols. For
example, the absence of additional symbols in the following command output indicates that the software
clock is authoritative and synchronized with its time source:
10:06:40.603 UTC Tue Jan 13 2015
The pound sign (#), tilde (~), and plus sign (+) are displayed in the output of the show ntp associations
command, not the show clock command. The output of the show ntp associations command shows the IP
addresses of configured NTP servers and their respective clock sources, strata, and reachability statistics.
For example, in the following command output, the NTP server at IP address 128.227.205.3 is a stratum 1
server that uses a global positioning system (GPS) time source as its time source:
address ref clock st when poll reach delay offset disp
*~128.227.205.3 .GPS. 1 17 64 377 0.000 0.000 0.230
~71.40.128.157 204.9.54.119 2 18 64 377 0.000 321 1.816
~184.22.97.162 132.163.4.101 2 5 64 377 0.000 314 1.134
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
The * next to the IP address in the command output indicates that this server is an NTP master time source
to which the Cisco device is synched. A # next to the IP address indicates that the server is an NTP master
time source to which the Cisco device is not yet synched. A + next to the IP address indicates that the
server is an NTP master time source that is selected for synchronization but the synchronization process
has not yet begun. A ~ next to an IP address indicates that the address was manually configured.
Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show clock
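Because log timestamps, certificate validity checks, and event correlation all depend on the device clock, a monitoring job that reads these two commands and classifies the clock's trust state is worth having. The following is an added example rather than Cisco's own tooling: it parses the show clock leading symbol and the show ntp associations table in the formats shown above. The sample output embedded in it is constructed to resemble those formats (the third peer's reach field has been set to 000 to show an unreachable server); the regular expression and the reach-register interpretation (an octal shift register of the last eight polls) are this example's own.

```python
"""Classify a Cisco device's time trust from 'show clock' and 'show ntp associations'.

Added example, not Cisco's own code. The sample output below is constructed
to mirror the formats discussed above.
"""
import re
from typing import Dict, List, Optional


def clock_state(show_clock_line: str) -> str:
    """Map the leading symbol of 'show clock' output to a trust state.

    '*' = not authoritative, '.' = authoritative but no longer synchronized,
    no symbol = authoritative and synchronized with the time source.
    """
    line = show_clock_line.strip()
    if line.startswith("*"):
        return "not-authoritative"
    if line.startswith("."):
        return "authoritative-unsynchronized"
    return "authoritative-synchronized"


# Tally codes from the legend line of 'show ntp associations'.
TALLY = {"*": "sys.peer", "#": "selected", "+": "candidate",
         "-": "outlyer", "x": "falseticker"}

# One peer row: [tally][~]address refclock st when poll reach delay offset disp.
# The header and legend lines do not match this pattern and are skipped.
ASSOC_RE = re.compile(
    r"^(?P<tally>[*#+x-])?(?P<cfg>~)?(?P<addr>\S+)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>-?[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)\s*$"
)


def parse_ntp_associations(text: str) -> List[Dict]:
    """Return one dict per peer row of 'show ntp associations' output."""
    rows = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line.strip())
        if not m:
            continue
        # reach is an octal shift register: one bit per poll, 377 = last 8 polls answered.
        reach = int(m["reach"], 8)
        rows.append({
            "address": m["addr"],
            "refclock": m["ref"],
            "stratum": int(m["st"]),
            "configured": m["cfg"] == "~",
            "tally": TALLY.get(m["tally"] or "", "none"),
            "reach_ok_polls": bin(reach).count("1"),
            "offset": float(m["offset"]),
        })
    return rows


def sys_peer(rows: List[Dict]) -> Optional[str]:
    """Address of the peer the device is synchronized to, or None if there is none."""
    for row in rows:
        if row["tally"] == "sys.peer":
            return row["address"]
    return None


def time_trust_report(show_clock_line: str, assoc_text: str) -> Dict:
    """Summary a monitoring job could alert on: clock state, sync source, dead peers."""
    rows = parse_ntp_associations(assoc_text)
    return {
        "clock": clock_state(show_clock_line),
        "sys_peer": sys_peer(rows),
        "unreachable": [r["address"] for r in rows if r["reach_ok_polls"] == 0],
    }


# Constructed sample output in the formats discussed above.
SHOW_CLOCK_SAMPLE = ".10:06:40.603 UTC Tue Jan 13 2015"
NTP_ASSOC_SAMPLE = """address         ref clock     st  when  poll reach  delay  offset   disp
*~128.227.205.3  .GPS.          1    17    64   377  0.000   0.000  0.230
~71.40.128.157   204.9.54.119   2    18    64   377  0.000   0.321  1.816
~184.22.97.162   132.163.4.101  2     5    64   000  0.000   0.314  1.134
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured"""


if __name__ == "__main__":
    print(time_trust_report(SHOW_CLOCK_SAMPLE, NTP_ASSOC_SAMPLE))
```

A clock reported as "authoritative-unsynchronized" together with an empty sys_peer is the combination to alert on: the device still stamps logs confidently, but those stamps are drifting away from every other system's.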

QUESTION 65
Which of the following statements are true regarding policies in Cisco Security Manager? (Select 2
choices.)

A. Rule-based policies can contain hundreds of rules containing values for the same set of parameters.
B. Settings-based policies can define only one set of parameters for each settings-based policy defined on
a device.
C. Local policies are well-suited to smaller networks and to devices requiring standard configurations.
D. Any changes that you make to a shared policy are not automatically applied to all the devices to which it
is assigned.
E. The Default section of a shared policy contains rules that cannot be overridden by local rules.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In Cisco Security Manager (CSM), rule-based policies can contain hundreds of rules containing values for
the same set of parameters and settings-based policies can define only one set of parameters for each
settings-based policy defined on a device. CSM is a graphics-based management application that can be
used to configure a wide variety of Cisco devices, such as routers, switches, firewall appliances, Intrusion
Prevention System (IPS) appliances, and Catalyst service modules. One of the advantages of CSM is its
ability to centralize the administration of security policies across a large number of Cisco devices. CSM
categorizes policies into two general types: rule-based policies and settings-based policies. Rule-based
policies, such as access control lists (ACLs) and inspection rules, are stored in a tabular fashion and can
contain many different values for the same set of parameters. These policies are processed in order and
the first matching table entry will be applied, even if there are other matching table entries farther down the
table. Because of the nature in which rule-based policies are processed, they can contain hundreds of rules
with values for the same set of parameters. By contrast, settings-based policies can define only a single set
of parameters for each settings-based policy defined on a device. Settings-based policies, such as Quality of
Service (QoS) policies and IP Security (IPSec) policies, contain a set of parameters that, as a whole, define
a particular hardware or security configuration feature.
CSM policies can be either local or shared. A local policy is specific to a particular device, and any changes
affect only its associated device. By contrast, a shared policy is applicable to a group of devices and any
changes are automatically applied to all of its associated devices. Because local policies are specific to
individual devices, it can become cumbersome to manage the policies in a network with a large number of
devices; therefore, local policies are better suited to smaller networks and shared policies are better suited
to larger networks.
Shared policies use an inheritance hierarchy to determine which policy rules are implemented on a
particular device. There are two kinds of shared policy rules: mandatory and default. Mandatory rules
cannot be overridden by either child policy rules or local rules. By contrast, default rules can be overridden
by both child policy rules and local rules. Inheritance enables you to nest multiple shared rules and ensure
that certain policies cannot be overridden while still maintaining the flexibility to override some default
settings.
Reference:
Cisco: Managing Policies: Understanding Policies

QUESTION 66
Which of the following authentication methods are supported by both RADIUS and TACACS+ server groups
on a Cisco ASA firewall? (Select 3 choices.)

A. ASCII
B. CHAP
C. MSCHAPv1
D. MSCHAPv2
E. PAP

Correct Answer: BCE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control
System Plus (TACACS+) server groups on a Cisco Adaptive Security Appliance (ASA) support Challenge
Handshake Authentication Protocol (CHAP), Microsoft CHAP version 1 (MSCHAPv1), and Password
Authentication Protocol (PAP). A Cisco ASA supports a number of different Authentication, Authorization,
and Accounting (AAA) server types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol
(LDAP), Kerberos, and RSA Security Dynamics, Inc. (SDI) servers.
When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MSCHAPv1
When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MSCHAPv1
- MSCHAPv2
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)
Reference:
Cisco: Configuring AAA Servers and the Local Database: Radius Server Support
Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support

QUESTION 67
Which of the following statements is true regarding ZFW traffic action characteristics? (Select the best
answer.)

A. The pass action is bidirectional and automatically permits return traffic.
B. The inspect action is unidirectional and can be used to maintain state information.
C. The drop action silently discards packets and does not generate ICMP host unreachable messages.
D. The pass action can provide an audit trail including session start, stop, and duration values.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The drop action in a zone-based policy firewall (ZFW) configuration silently discards packets and does not
generate Internet Control Message Protocol (ICMP) host unreachable messages. ZFWs include many of
the features of previous firewall versions, including stateful packet inspection and Uniform Resource
Locator (URL) filtering. However, several new firewall features are also included, such as the ability to
create security zones to which security policies can be applied. With ZFWs, policies are applied to a
security zone pair rather than to an interface. This provides for more granular implementation of firewall
policies; different policies can be applied to hosts connected to the same interface. Before a policy can be
applied to an interface, the interface must be added to a zone. To permit traffic from one zone to another,
you must create a zone pair between the zones. Once you have configured zones and zone pairs, you can
apply one of three actions, pass, drop, or inspect, to the traffic between the zones.
The drop action is the default action that is applied to traffic sent from one zone to another on a router that
is configured with a ZFW. Unless a policy has been configured to allow traffic to be sent between two
zones, the traffic will be dropped.
The pass action can be applied to permit traffic from one zone to another. However, because the pass
action is unidirectional, no return traffic will be allowed by the pass action. Another policy would need to be
applied in the destination zone to allow return traffic to the originating zone.
The inspect action can be used to maintain state information for a connection sent through a ZFW.
Consequently, unlike the pass action, the inspect action is bidirectional and will allow return traffic to the
zone from the destination. For example, if a ZFW is used in between an internal network and the Internet,
the inspect action can be used to allow the internal hosts to retrieve information from the Internet. That is,
data from the Internet will be permitted by the inspect action. In addition, the inspect action can provide an
audit trail including session start time, stop time, duration, quantity of data transferred, and source and
destination IP addresses.
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Configuring Zone-Based Policy Firewall
Policy Maps
Category:
Cisco Firewall Technologies

QUESTION 68
You have configured an ASA to accept SSL VPN connections. DTLS and DPD are configured on the ASA.
Which of the following is most likely to occur if a Cisco AnyConnect client that is not configured for DTLS
attempts to connect to the ASA? (Select the best answer.)

A. The client will be unable to establish a connection to the ASA.
B. The client will still be able to connect by using DTLS and will be able to communicate on the remote
network.
C. The client will be able to connect by using TLS and will be able to communicate on the remote network.
D. The client will be able to establish a connection to the ASA but will be unable to communicate on the
remote network.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The client will be able to connect by using Transport Layer Security (TLS) and will be able to communicate
on the remote network. Datagram TLS (DTLS) is the default transport method for Secure Sockets Layer
(SSL) virtual private network (VPN) connections on Cisco Adaptive Security Appliance (ASA) devices.
However, if DTLS is not enabled on the VPN client, TLS can be used as a fallback method for data
transport. In such a scenario, the client will establish a TLS connection and will be able to communicate on
the remote network, provided that the user has access to the client network. In order for an ASA to fall back
to TLS, Dead Peer Detection (DPD) must be enabled on the ASA. DPD is a feature that can determine
whether the other end of a link is not responding and the connection has failed. If DPD determines that the
client is not responding, the connection will revert to using TLS as the transport method.
Reference:
Cisco: Configuring AnyConnect VPN Client Connections: Configuring DTLS

QUESTION 69
Refer to the exhibit.

You want to use network object NAT to configure the ASA to perform PAT on traffic that originates from the
192.168.13.0/24 network attached to the INSIDE interface and that is destined to any networks connected
to OUTSIDE interface.
Which of the following blocks of commands should you issue to achieve your goal? (Select the best
answer.)

A. asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface
B. asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface
C. asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface
D. asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (INSIDE,OUTSIDE) dynamic interface

When the nat command is issued from network object configuration mode, it is referred to as the nat
(object) command and it can be used to configure network object Network Address Translation (NAT) on
the Cisco Adaptive Security Appliance (ASA). Network object NAT enables you to easily specify a mapping
for the source address in a packet. The command block in this scenario configures a network object named
INSIDENetwork, defines a subnet IP address and network mask for the INSIDENetwork object, and
specifies that the real source IP address of packets from the INSIDE interface should be dynamically
translated to the mapped IP address corresponding to the IP address assigned to the OUTSIDE interface.
The effect of the translation on matching packets is illustrated by the following graphic:

The nat (object) command can be used to create a dynamic NAT rule that translates traffic for a particular
network object. The abbreviated syntax to create a dynamic NAT rule with the nat (object) command is nat
(real_interface,mapped_interface) dynamic {mapped_object | mapped_host_IP | interface}
[fallthrough_interface], where real_interface represents the source interface of the original packet and
mapped_interface represents the source interface of the translated packet. The source IP address of the
original packet is based on the definition of the network object; in this scenario, the network object is a
network subnet. The dynamic keyword is used to specify a dynamic NAT rule, and the interface parameter is
used to specify a Port Address Translation (PAT) rule. An optional fallthrough interface can be specified if
dynamic NAT is configured to use a pool of addresses, to ensure that translation continues even if every IP
address in the pool has been assigned a translation.
Alternatively, you could use Adaptive Security Device Manager (ASDM) instead of the command line to
configure the network object NAT rule in this scenario. You can create a network object rule in ASDM by
accessing the Configuration > Firewall > NAT Rules pane, clicking the Add dropdown list, and selecting the
Add “Network Object” NAT rule option to open the Add Network Object dialog box. The following sample
Add Network Object dialog box corresponds to the block of commands in this scenario:
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (any,OUTSIDE) dynamic interface

The nat (any,OUTSIDE) dynamic interface command in this block of commands maps the source IP
address of traffic that originates from the 192.168.13.0/24 subnet, from any interface, to the IP address
assigned to the OUTSIDE interface. Although this block of commands would configure the ASA to perform
the required translation for traffic originating from the INSIDE interface, it would also perform the translation
for any traffic from the 192.168.13.0/24 subnet originating from any other interface. Because the scenario
requires the translation to occur only for traffic originating from the INSIDE interface, you should not issue
this block of commands.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network INSIDENetwork
asa(config-network-object)#subnet 192.168.13.0 255.255.255.0
asa(config-network-object)#nat (OUTSIDE,INSIDE) dynamic interface

The nat (OUTSIDE, INSIDE) dynamic interface command maps the source IP address of traffic that
originates from the 192.168.13.0/24 subnet, from only the OUTSIDE interface, to the IP address assigned
to the INSIDE interface. Because the 192.168.13.0/24 network is directly connected to the INSIDE interface
and not the OUTSIDE interface, this translation rule would not achieve the requirements of the scenario.
You should not issue the following block of commands to achieve your goal in this scenario:
asa(config)#object network OUTSIDENetwork
asa(config-network-object)#subnet 198.51.100.0 255.255.255.0
asa(config-network-object)#nat (any,INSIDE) dynamic interface

This block of commands creates a network object that corresponds to the network directly connected to the
OUTSIDE interface. The nat (any,INSIDE) dynamic interface command maps the source IP address of
traffic that originates from the 198.51.100.0/24 subnet, from any interface, to the IP address assigned to the
INSIDE interface.
Reference:
Cisco: Configuring Network Object NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (object)
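To make the difference between the four candidate rules concrete, the following Python model (an added example, not part of the exam material or of Cisco's software) evaluates each option's nat (object) rule against a packet from 192.168.13.5 that leaves through OUTSIDE, once arriving on INSIDE and once arriving on a constructed third interface named DMZ. The interface IP addresses (192.168.13.1, 198.51.100.1, 172.16.0.1) are constructed for the illustration and are not from the scenario.

```python
"""Simulate how an ASA network object NAT rule selects packets to translate.

Added example (not from the exam material or from Cisco). Interface addresses,
the DMZ interface and the test packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Constructed interface addresses: the 'dynamic interface' keyword maps the
# real source address to the address of the mapped (egress) interface.
INTERFACE_IPS = {
    "INSIDE": IPv4Address("192.168.13.1"),
    "OUTSIDE": IPv4Address("198.51.100.1"),
    "DMZ": IPv4Address("172.16.0.1"),
}


@dataclass(frozen=True)
class ObjectNatRule:
    """One 'nat (real_if,mapped_if) dynamic interface' rule on a network object."""
    object_name: str
    subnet: IPv4Network        # the 'subnet' line of the network object
    real_interface: str        # interface the original packet arrives on, or "any"
    mapped_interface: str      # interface the translated packet leaves through


@dataclass(frozen=True)
class Packet:
    ingress: str
    egress: str
    src: IPv4Address


def rule_matches(rule: ObjectNatRule, pkt: Packet) -> bool:
    """A packet matches when its source is in the object's subnet and the
    ingress/egress interfaces agree with the rule; 'any' matches every interface."""
    if pkt.src not in rule.subnet:
        return False
    if rule.real_interface != "any" and pkt.ingress != rule.real_interface:
        return False
    if rule.mapped_interface != "any" and pkt.egress != rule.mapped_interface:
        return False
    return True


def translate(rule: ObjectNatRule, pkt: Packet) -> IPv4Address:
    """Return the source address after the rule is applied (unchanged if no match)."""
    if rule_matches(rule, pkt):
        return INTERFACE_IPS[rule.mapped_interface]
    return pkt.src


# The four candidate rules from the question, keyed by option letter.
OPTIONS = {
    "A": ObjectNatRule("INSIDENetwork", IPv4Network("192.168.13.0/24"), "INSIDE", "OUTSIDE"),
    "B": ObjectNatRule("OUTSIDENetwork", IPv4Network("198.51.100.0/24"), "any", "INSIDE"),
    "C": ObjectNatRule("INSIDENetwork", IPv4Network("192.168.13.0/24"), "OUTSIDE", "INSIDE"),
    "D": ObjectNatRule("INSIDENetwork", IPv4Network("192.168.13.0/24"), "any", "OUTSIDE"),
}

# Constructed traffic: the wanted flow, and the same source address arriving
# on a different interface (which only an 'any' real interface would match).
INSIDE_TO_OUTSIDE = Packet("INSIDE", "OUTSIDE", IPv4Address("192.168.13.5"))
DMZ_TO_OUTSIDE = Packet("DMZ", "OUTSIDE", IPv4Address("192.168.13.5"))


def evaluate_options() -> dict:
    """For each option: does it translate the wanted flow, and does it also
    translate the same source arriving on DMZ (the over-match in option D)?"""
    return {
        letter: {
            "translates_inside_flow": rule_matches(rule, INSIDE_TO_OUTSIDE),
            "also_translates_dmz_flow": rule_matches(rule, DMZ_TO_OUTSIDE),
        }
        for letter, rule in OPTIONS.items()
    }


if __name__ == "__main__":
    for letter, result in evaluate_options().items():
        print(letter, result)
    print("Option A maps 192.168.13.5 to", translate(OPTIONS["A"], INSIDE_TO_OUTSIDE))
```

Only option A translates the INSIDE flow without also translating the DMZ copy; option D matches both because its real interface is any, and options B and C never match the INSIDE flow at all.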

QUESTION 70
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.
Exhibit:
When a user logs in to the clientless SSL VPN portal by using the extranet tunnel group, which of the
following statements is true regarding the appearance of the portal? (Select the best answer.)

A. No text will be displayed in the title portion of the portal screen.
B. The text “SSL VPN Service” will be displayed in the title portion of the portal screen.
C. The text “Boson Extranet” will be displayed in the title portion of the portal screen.
D. The text “Boson SSL VPN Service” will be displayed in the title portion of the portal screen.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When a user logs in to the clientless Secure Sockets Layer (SSL) virtual private network (VPN) portal by
using the extranet tunnel group, the text “Boson Extranet” will be displayed in the title portion of the portal
screen. When users log in to a clientless SSL VPN session, the users are presented with a portal screen
that contains information and links to resources to which the user has access. You can customize the
appearance of the portal by modifying the DfltCustomization customization object or by creating a new
customization object and linking it to the appropriate tunnel group(s). You can then link a customization
object to a specific tunnel group, which is also known as a connection profile.
To determine which customization object has been applied to a tunnel group, you should click
Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access, click Connection
Profiles, and then select the appropriate connection profile from the list. For this scenario, you want to
determine the customization object that will be applied to the extranet tunnel group, so you should
double-click extranet in the list of connection profiles, expand Advanced, and click Clientless SSL VPN. The
Portal Page Customization entry indicates that this connection profile uses the extranet_customization
customization object, as shown in the following exhibit:

To view the details of a customization object in Cisco Adaptive Security Device Manager (ASDM), you
should click Configuration, click the Remote Access VPN button, expand Clientless SSL VPN Access,
expand Portal, and click Customization, which will display the Customization Objects pane. In this scenario,
two customization objects have been created: boson_customization and extranet_customization. To view
the details of a customization object, you should double-click the customization object, which will open the
SSL VPN Customization Editor in a browser window. To determine the text that will be displayed in the title
portion of the portal screen, you should navigate to the Portal area of the SSL VPN Customization Editor by
clicking the Portal tab and then click Title Panel, as shown in the following exhibit:
The text that will be displayed in the title portion of the portal is displayed in the Text entry of the Title Panel
pane; the Text entry contains the text “Boson Extranet”, which is the text that will be displayed in the title
portion of the portal when users establish a VPN connection, as shown in the following exhibit.

The text “SSL VPN Service” is the default text that will be displayed if you do not customize the Text entry of
the Title Panel. In this scenario, the text has been customized, so the text “SSL VPN Service” will not be
displayed.
The text “Boson SSL VPN Service” will be displayed only for tunnel groups that use the
boson_customization customization object. This text will not be displayed for the extranet tunnel group.
Reference:
Cisco: Customizing Clientless SSL VPN: Customizing the External Portal Page

QUESTION 71
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.
Exhibit:
Which of the following statements is true regarding how the on-screen keyboard will be displayed when a
user establishes a clientless SSL VPN session by using the boson connection profile? (Select the best
answer.)

A. The on-screen keyboard will not be displayed on any pages.
B. The on-screen keyboard will be displayed only on the login page.
C. The on-screen keyboard will be displayed on any portal page that requires authentication.
D. The on-screen keyboard will be displayed on every portal page.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the on-screen keyboard will be displayed only on the login page when a user establishes a
clientless Secure Sockets Layer (SSL) virtual private network (VPN) session by using the boson connection
profile. When users log in to a clientless SSL VPN session, you can configure an on-screen keyboard to be
displayed in certain areas of the portal. The on-screen keyboard enables users to enter information, such as
passwords, by clicking keys on the screen instead of typing on a physical keyboard. For example, you can
configure the on-screen keyboard to be displayed on the login page, and users can use this keyboard to
enter their login information. By default, the on-screen keyboard is disabled. To enable the on-screen
keyboard, you should click Configuration, click the Remote Access VPN button, expand Clientless SSL
VPN Access, expand Portal, and click Customization, which will display the Customization Objects pane.
This pane contains an OnScreen Keyboard area that provides several options for configuring the on-screen
keyboard. You can select from the following on-screen keyboard options:
- Do not show OnScreen keyboard - This option disables the on-screen keyboard.
- Show only for the login page - This option enables the on-screen keyboard for the login page.
- Show for all portal pages requiring authentication - This option enables the on-screen keyboard for any
page that requires that the user be authenticated.
In this scenario, the Show only for the login page option is selected, as shown in the following exhibit:

This setting will apply to any customization object that you create. Therefore, selecting the Show only for the
login page option will configure the on-screen keyboard to be displayed on the login page for all
customization objects and for any connection profiles associated with those customization objects.
Reference:
CCNP Security VPN 210-260 Quick Reference, Chapter 4, Deploying Basic Navigation Customization, pp.
153-154

QUESTION 72
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.

Exhibit:
Which of the following statements are true regarding the extranet connection profile? (Select three.)

A. It will use the boson_grp group policy.
B. It will use the DfltGrpPolicy group policy.
C. It will use the local AAA database for authentication.
D. It will use digital certificates for authentication.
E. It will use the DfltCustomization customization object.
F. It will use the boson_customization customization object.
G. It will use the extranet_customization customization object.

Correct Answer: BCG
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The extranet connection profile will use the DfltGrpPolicy group policy, the local Authentication,
Authorization, and Accounting (AAA) database for authentication, and the extranet_customization
customization object. When creating a connection profile in Cisco Adaptive Security Device Manager
(ASDM), you can specify a number of parameters. For example, you can specify the type of authentication
to use and the default group policy to use for VPN connections made by using the connection profile. This
information can be configured or modified on the Add or Edit Clientless SSL VPN Connection Profile dialog
box in ASDM. To access this dialog box in ASDM, you should click Configuration, click the Remote Access
VPN button, expand Clientless SSL VPN Access, and click Connection Profiles. You can then double-click a
connection profile to open the Edit Clientless SSL VPN Connection Profile dialog box for the selected
connection profile. The Edit Clientless SSL VPN Connection Profile dialog box for the extranet tunnel group
is shown in the following exhibit:

The Authentication section of the Basic screen of the Edit Clientless SSL VPN Connection Profile dialog
box indicates that the tunnel group will use the local AAA database for user authentication. Thus any VPN
connections made by using this tunnel group will be authenticated against the AAA database.
The Default Group Policy section indicates that the DfltGrpPolicy group policy will be applied to this
connection profile. That is, the settings in the DfltGrpPolicy group policy will apply to VPN users who
connect by using the extranet tunnel group.
The Clientless SSL VPN screen of the Edit Clientless SSL VPN Connection Profile dialog box indicates that
the extranet connection profile will use the extranet_customization customization object. This screen is
shown in the following exhibit:
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 73
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.

Exhibit:
Which of the following statements is true regarding the display of a banner message when users establish a
clientless SSL VPN session by using the extranet connection profile? (Select the best answer.)

A. No banner message will be displayed.
B. A generic banner message will be displayed that states “Welcome to SSL VPN Service.”
C. A custom banner message will be displayed that states “Welcome to Boson Software!”
D. For each user, a custom banner message will be displayed for each user that states “Welcome username.”

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
No banner message will be displayed when users establish a clientless Secure Sockets Layer (SSL) virtual
private network (VPN) session by using the extranet connection profile. You can configure a banner
message to be displayed when users establish a clientless SSL VPN connection. This information is
configured in the group policy that is associated with the connection profile used to create the connection.
In this scenario, you want to determine whether a banner message will be displayed when the extranet
connection profile is used. The extranet connection profile uses the DfltGrpPolicy group policy, so you
should view the details of that group policy. To view the details of the DfltGrpPolicy group policy, you should
click Configuration, expand Clientless SSL VPN Access, and click Group Policies. You can then double-click
DfltGrpPolicy (System Default), which will open the Edit Internal Group Policy dialog box, which is shown in
the following exhibit:

The Banner entry contains no value. As a result, clientless SSL VPN connections made by using connection
profiles that use the DfltGrpPolicy group policy will not display a banner to users when they establish a
connection.
VPN connections made by using the boson connection profile will display the message “Welcome to Boson
Software!” This message will not be displayed for connections made by using the extranet connection
profile.
No group policy has been configured with a banner of “Welcome to SSL VPN Service.” In addition, no group
policy has been configured with a banner of “Welcome username.” Thus no VPN connections in this
scenario will display either of these banner messages.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 74
You are using ASDM to verify a clientless SSL VPN configuration made by a junior administrator on an
ASA. Please click exhibit to answer the following questions.

Exhibit:
A. No bookmarks will be displayed.
B. The boson.com and files.boson.com bookmarks will be displayed.
C. The extranet.boson.com and projects.boson.com bookmarks will be displayed.
D. The boson.com, files.boson.com, extranet.boson.com, and projects.boson.com bookmarks will be
displayed.

Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The extranet.boson.com and projects.boson.com bookmarks will be displayed to users who establish a
clientless Secure Sockets Layer (SSL) virtual private network (VPN) session by using the extranet
connection profile. You can create a bookmark list to specify a list of Uniform Resource Locators (URLs)
that will be displayed to users when they establish a clientless SSL VPN connection. To configure a
bookmark list, you should access the Bookmarks pane of Cisco Adaptive Security Device Manager (ASDM)
by clicking Configuration, clicking the Remote Access VPN button, expanding Clientless SSL VPN Access,
expanding Portal, and clicking Bookmarks. In this scenario, two bookmark lists have been created: URLs
and Extranet. The URLs bookmark list contains two URLs, which are boson.com and files.boson.com. The
Extranet bookmark list also contains two URLs, which are extranet.boson.com and projects.boson.com.
The bookmark list that will be applied to a tunnel group is specified in the group policy that is associated
with the tunnel group. In this scenario, the extranet tunnel group is linked to the DfltGrpPolicy group policy.
Thus you should view the details of this group policy to determine which links will be displayed. This is
accomplished by clicking Configuration, clicking the Remote Access VPN button, expanding Clientless SSL
VPN Access, selecting Group Policies, and double-clicking DfltGrpPolicy (System Default). You should then
click Portal, which will display the Portal pane of the Edit Internal Group Policy dialog box, as shown in the
following exhibit:

The Bookmark List entry indicates that the Extranet bookmark list is associated with the DfltGrpPolicy group
policy. Because this list contains the extranet.boson.com and projects.boson.com URLs, you can conclude
that these URLs will be displayed to users who connect by using the extranet tunnel group.
Reference:
Cisco: Configuring Clientless SSL VPN: Configuring Bookmarks

QUESTION 75
Which of the following are in-band management tools that do not use encryption? (Select 3 choices.)

A. SNMPv1
B. SNMPv2
C. SNMPv3
D. Telnet
E. SSH

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, Simple Network Management Protocol version 1 (SNMPv1), SNMP version 2
(SNMPv2), and Telnet are all in-band management tools that do not use encryption. Encryption is a method
of encoding network traffic so that it cannot be read in transit. Thus encryption can be used to defeat
eavesdropping attacks.
Simple Network Management Protocol (SNMP) is used to remotely monitor and manage network devices.
Telnet is used to create a terminal connection to remote devices. When a Cisco device is operating in its
normal state, another device can connect to it by using inband methods, such as virtual terminal (VTY)
application protocols.
Three versions of SNMP currently exist. SNMPv1 and SNMPv2 do not provide encryption; password
information, known as community strings, is sent as plain text with messages. SNMPv3 improves upon
SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the
messages are not tampered with during transmission.
Secure Shell (SSH) is a VTY protocol that can be used to securely replace Telnet. Telnet is considered to
be an insecure method of remote connection because it sends credentials over the network in clear text.
Therefore, you should replace Telnet with an encrypted application, such as SSH, where possible.
Reference:
Cisco: SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches): Versions of
SNMP
Cisco: Cisco Guide to Hardening IOS Devices: Use Secure Protocols When Possible
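As an added example that is not part of the exam material or of any Cisco tool, the following Python script audits a constructed IOS-style running configuration for the cleartext management protocols discussed above: SNMPv1/v2c community strings and Telnet permitted on VTY lines. Each finding names the offending line and the secure replacement (an SNMPv3 group and user with privacy, or SSH-only transport). The hostname, community strings and line ranges are constructed.

```python
"""Audit an IOS-style running config for in-band management protocols that carry
credentials in clear text: SNMPv1/v2c community strings and Telnet on VTY lines.

Added example, not from the exam material or from Cisco. The configuration
below is constructed for the illustration.
"""
import re
from typing import Dict, List

# Constructed running-config excerpt: two cleartext communities, a proper
# SNMPv3 group, and one VTY range that still accepts Telnet.
SAMPLE_CONFIG = """\
hostname edge-rtr
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server group NETOPS v3 priv
ip ssh version 2
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# 'snmp-server community <string> [view <name>] [RO|RW] [acl]'
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+view \S+)?(?:\s+(RO|RW))?", re.I)


def audit_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per cleartext management protocol present in the config."""
    findings: List[Dict[str, str]] = []
    current_line_block = None  # the 'line vty/con/aux ...' block we are inside, if any
    for raw in config.splitlines():
        stripped = raw.strip()
        # Top-level commands end the previous 'line ...' block; indented ones belong to it.
        if not raw.startswith(" "):
            current_line_block = stripped if stripped.startswith("line ") else None

        m = COMMUNITY_RE.match(stripped)
        if m:
            mode = (m.group(2) or "RO").upper()  # IOS defaults a community to read-only
            findings.append({
                "line": stripped,
                "issue": f"SNMPv1/v2c community ({mode}) is sent in clear text with every message",
                "fix": "remove the community; use an SNMPv3 group and user with 'priv'",
                "severity": "high" if mode == "RW" else "medium",
            })
            continue

        if current_line_block and stripped.startswith("transport input"):
            allowed = stripped.split()[2:]
            if "telnet" in allowed or "all" in allowed:
                findings.append({
                    "line": f"{current_line_block}: {stripped}",
                    "issue": "Telnet accepted; login credentials cross the network unencrypted",
                    "fix": "transport input ssh",
                    "severity": "high",
                })
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"[{finding['severity']}] {finding['line']}")
        print(f"    {finding['issue']}")
        print(f"    fix: {finding['fix']}")
```

A read-write community is rated higher than a read-only one because anyone who captures it on the wire can change the device configuration, not merely read it; the SNMPv3 group and the SSH-only VTY range in the sample produce no findings.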

QUESTION 76
Your company’s Cisco ISE device and all of its supplicants support EAP-FASTv2. A user’s authentication
fails. However, the user’s device attempts to authenticate and succeeds.
Which of the following is true? (Select the best answer.)

A. The user will have no access.
B. The user will have restricted access.
C. The user will have full access.
D. The device will have full access but the user will have no access.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The user will have restricted access if user authentication to the Cisco Identity Services Engine (ISE) fails
but the user’s device authentication succeeds. Extensible Authentication Protocol (EAP)-Flexible
Authentication via Secure Tunneling (FAST) with EAP chaining, which is also sometimes called EAP-FAST
version 2 (EAP-FASTv2), enables the validation of both user and device credentials in a single EAP
transaction. EAP chaining enables a Cisco security device to validate authentication credentials for both a
user and the user’s device. In order to enable EAP chaining, both the Cisco security device and the
supplicant device must support EAP chaining.
The Cisco ISE will assign a different level of authorization access depending on one of four success and
failure possibilities, as shown in the following table:

EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired
and wireless links. The EAP-FAST authentication process consists of three phases. The first phase, which
is optional and is considered phase 0, consists of provisioning a client with a Protected Access Credential
(PAC), which is a digital credential that is used for authentication. A PAC can be manually configured on a
client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves
creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2,
involves authenticating the client. If the client is authenticated, the client will be able to access the network.
Reference:
Cisco: Cisco Identity Services Engine Administrator Guide, Release 1.3: Simple Authentication Policy
Configuration Settings

QUESTION 77
Which of the following features prevent attacks that consume CPU and memory resources? (Select 2
choices.)

A. CoPP
B. CPPr
C. CPU Threshold Notifications
D. Memory Threshold Notifications

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Control Plane Policing (CoPP) and Control Plane Protection (CPPr) prevent attacks that consume CPU and
memory resources. Both CoPP and CPPr use class maps to filter and rate-limit traffic. However, CPPr
separates control plane traffic into three subinterfaces: the host subinterface, the transit subinterface, and
the Cisco Express Forwarding (CEF) exception subinterface. For this reason, Cisco recommends that you
use CPPr instead of CoPP whenever possible. To configure CPPr, you must perform the following steps:
- Create access control lists (ACLs) to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the specific control plane subinterface.
CoPP is similar to CPPr, except CoPP does not separate control plane traffic into three subinterfaces. To
configure CoPP, you must perform the following steps:
- Create ACLs to identify traffic.
- Create a traffic class.
- Create a traffic policy, and associate the traffic class to the policy.
- Apply the policy to the control plane interface.

The host subinterface contains control plane IP traffic that is destined for a router interface, including traffic
from the following sources and protocols:
- Terminating tunnels
- Secure Shell (SSH)
- Simple Network Management Protocol (SNMP)
- Internal Border Gateway Protocol (iBGP)
- Enhanced Interior Gateway Routing Protocol (EIGRP)
The transit subinterface contains control plane IP traffic that is traversing the router, including the following
traffic:
- Non-terminating tunnel traffic
- Traffic that is software-switched by the route processor
The CEF-exception subinterface contains control plane traffic redirected by CEF for process switching,
including traffic from the following sources and protocols:
- Non-IP hosts
- Address Resolution Protocol (ARP)
- External BGP (eBGP)
- Open Shortest Path First (OSPF)
- Label Distribution Protocol (LDP)
- Layer 2 keepalives

CPU Threshold Notifications and Memory Threshold Notifications do not prevent attacks that consume CPU
and memory resources. However, these features can automatically send notifications if excessive CPU or
memory consumption is detected. Excessive resource consumption could occur if CoPP or CPPr protection
features have been circumvented or are misconfigured. Notifications are typically sent as SNMP trap
messages.
Reference:
Cisco: Control Plane Protection
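The four steps listed above chain together: an ACL feeds a class map, the class map is referenced by a policy map, and the policy map is bound to a control-plane subinterface with service-policy input. The following Python checker (an added example, not from the exam material or from Cisco) parses a constructed CPPr configuration and verifies that the chain is complete for every bound subinterface, reporting which step is missing when it is not. The ACL, class-map and policy-map names and the police rates are constructed; a config that binds a policy under a bare control-plane line is reported as aggregate CoPP.

```python
"""Check that a CPPr/CoPP configuration completes the four-step chain:
ACL -> class-map -> policy-map -> service-policy on a control-plane (sub)interface.

Added example, not from the exam material or from Cisco. The configurations
below are constructed and limited to the commands needed to show the chain.
"""
import re
from typing import Dict, List, Tuple

# Constructed: a complete CPPr policy applied to the host subinterface.
GOOD_CONFIG = """\
ip access-list extended MGMT-PLANE
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
class-map match-all MGMT-CLASS
 match access-group name MGMT-PLANE
policy-map CPPR-HOST
 class MGMT-CLASS
  police 128000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
control-plane host
 service-policy input CPPR-HOST
"""

# Constructed: the same policy, but step 4 was never done, so nothing is protected.
UNAPPLIED_CONFIG = GOOD_CONFIG.replace("control-plane host\n service-policy input CPPR-HOST\n", "")


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level header, indented body lines) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if sections:
                sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def check_control_plane_policy(config: str) -> Dict[str, List[str]]:
    """Return {'protected': [bound targets whose chain is complete], 'problems': [...]}."""
    acls = set()
    class_to_acls: Dict[str, List[str]] = {}
    policy_to_classes: Dict[str, List[str]] = {}
    bindings: List[Tuple[str, str]] = []  # (control-plane target, policy-map name)

    for header, body in parse_sections(config):
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", header):
            acls.add(m.group(1))
        elif m := re.match(r"class-map (?:match-any |match-all )?(\S+)", header):
            class_to_acls[m.group(1)] = [
                b.split()[-1] for b in body if b.startswith("match access-group name ")
            ]
        elif m := re.match(r"policy-map (\S+)", header):
            policy_to_classes[m.group(1)] = [b.split()[1] for b in body if b.startswith("class ")]
        elif header.startswith("control-plane"):
            # 'control-plane host|transit|cef-exception' is CPPr; bare 'control-plane' is CoPP.
            target = header.split(maxsplit=1)[1] if " " in header else "aggregate (CoPP)"
            for b in body:
                if b.startswith("service-policy input "):
                    bindings.append((target, b.split()[-1]))

    problems: List[str] = []
    protected: List[str] = []
    if not bindings:
        problems.append("no service-policy bound to any control-plane interface (step 4 missing)")
    for target, policy in bindings:
        before = len(problems)
        classes = policy_to_classes.get(policy)
        if classes is None:
            problems.append(f"{target}: policy-map {policy} is not defined (step 3 missing)")
            continue
        for cls in classes:
            if cls == "class-default":
                continue  # built-in catch-all class, needs no class-map or ACL
            if cls not in class_to_acls:
                problems.append(f"{policy}: class-map {cls} is not defined (step 2 missing)")
                continue
            for acl in class_to_acls[cls]:
                if acl not in acls:
                    problems.append(f"{cls}: access-list {acl} is not defined (step 1 missing)")
        if len(problems) == before:
            protected.append(target)
    return {"protected": protected, "problems": problems}


if __name__ == "__main__":
    print("complete config:", check_control_plane_policy(GOOD_CONFIG))
    print("unapplied policy:", check_control_plane_policy(UNAPPLIED_CONFIG))
```

Running the checker against a device's saved configuration is a quick way to confirm that a policy someone built in steps 1 to 3 was actually bound in step 4, which is the step most often forgotten and the one without which no CPU protection is in place.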

QUESTION 78
Which of the following can be detected by the Cisco ESA CASE? (Select 2 choices.)

A. snowshoe spam
B. phishing attacks
C. DDoS attacks
D. MAC spoofing attacks
E. DNS poisoning attacks

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Cisco Email Security Appliance (ESA) is designed to protect against email threats, such as malware
attachments, phishing scams, and spam. The Cisco Context Adaptive Scanning Engine (CASE) on an ESA
is a contextual analysis technology that is intended to detect email threats as they are received. CASE
checks the reputation of email senders, scans the content of email messages, and analyzes the
construction of email messages. As part of this process, CASE submits the email sender to the Cisco
SenderBase Network, which contains data on hundreds of thousands of email networks. The sender is
assigned a score based on this information. The content of the email messaging is scanned because it
could contain language, links, or a call to action that is indicative of a phishing scam.
Snowshoe spammers establish many false company names and identities, often with unique post office
addresses and telephone numbers, so that reputation filters do not perceive the source of the spam as a
threat. In addition, the spam output is spread across multiple IP addresses and domain names in order to
defeat blacklists.
Phishing is a social engineering technique in which a malicious person uses a seemingly legitimate
electronic communication, such as email or a webpage, in an attempt to dupe a user into submitting
personal information, such as a Social Security number (SSN), account login information, or financial
information. To mitigate the effects of a phishing attack, users should use email clients and web browsers
that provide phishing filters. In addition, users should also be wary of any unsolicited email or web content
that requests personal information. The CASE on a Cisco ESA appliance is capable of detecting phishing
scams.
The Cisco ESA CASE does not protect against Distributed Denial of Service (DDoS) attacks. A DDoS
attack is a coordinated Denial of Service (DoS) attack that uses multiple attackers to target a single host.
For example, a large number of zombie hosts in a botnet could flood a target device with packets.
The Cisco ESA CASE does not protect against Media Access Control (MAC) spoofing attacks. A MAC
spoofing attack uses the MAC address of another host on the network in order to bypass port security
measures.
The Cisco ESA CASE does not protect against Domain Name System (DNS) poisoning attacks. DNS
poisoning is an attack that modifies the DNS cache by providing invalid information. In a DNS poisoning
attack, a malicious user attempts to exploit a DNS server by replacing the IP addresses of legitimate hosts
with the IP address of one or more malicious hosts.
Reference:
Cisco: Cisco Email Security Appliance Data Sheet
Spamhaus: Frequently Asked Questions (FAQ): Snowshoe Spamming

QUESTION 79
You are configuring dynamic PAT on a Cisco ASA 5500 using the CLI. The ASA is running software version
8.3.
Which of the following IP addresses must be configured within a network object or object group? (Select the
best answer.)

A. inside global
B. outside global
C. inside local
D. outside local

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available options, an inside local address must be configured within a network object or object group
if you are configuring dynamic Port Address Translation (PAT) on a Cisco Adaptive Security Appliance
(ASA) 5500 using the command-line interface (CLI) if the ASA is running software version 8.3. A local
address is a source or destination IP address as seen from the perspective of a host on the inside network.
On a Cisco ASA, a network object is a data structure that is used in place of inline IP information. You might
use a network object in place of configuring IP addresses, subnet masks, protocols, and port numbers if
you must configure that same information in multiple places. If the information you configure within the
object ever changes, you then need only modify the single object instead of locating and modifying each
instance of the inline IP information.
An object group is simply a group of network objects. By grouping network objects, you can enable the use
of a single application control engine (ACE) to make requests of multiple devices.
An inside local address is an IP address that represents an internal host to the inside network. Inside local
addresses are typically private IP addresses defined by Request for Comments (RFC) 1918. When a NAT
router receives a packet from a local host destined for the Internet, the router changes the inside local
address to an inside global address and forwards the packet to its destination.
You can configure an inside global address inline or as part of a network object or object group on an ASA
running software version 8.3. An inside global address is an IP address that represents an internal host to
the outside network. Inside global addresses are typically public IP addresses assigned by the administrator
of the outside network.
You would not configure an outside global address in this scenario. An outside global address is an IP
address that represents an external host to the outside network. Outside global addresses are typically
public IP addresses assigned to an Internet host by the host’s operator. The outside global address is
usually the address registered with the Domain Name System (DNS) server that maps a host’s public IP
address to a friendly name, such as www.example.com.
You are not likely to configure an outside local
address in this scenario. An outside local address is an IP address that represents an external host to the
inside network. The outside local address is often the same as the outside global address, particularly when
inside hosts attempt to access resources on the Internet. However, in some configurations, it is necessary
to configure a NAT translation that allows a local address on the internal network to identify an outside host.
Reference:
Cisco: Cisco ASA 5500 Series Configuration Guide Using the CLI, 8.3: Configuring Dynamic PAT (Hide)

QUESTION 80
Which of the following phishing techniques is most likely to occur as a result of DNS poisoning? (Select the
best answer.)

A. vishing
B. pharming
C. whaling
D. dumpster diving

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Pharming is the phishing technique that is most likely to occur as a result of Domain Name System (DNS)
poisoning. Phishing is a social engineering technique in which a malicious person uses a seemingly
legitimate electronic communication, such as email or a webpage, in an attempt to dupe a user into
submitting personal information, such as a Social Security number (SSN), account login information, or
financial information. Pharming is used to retrieve sensitive information by directing users to fake websites.
Malicious users can direct users to fake websites through DNS poisoning or host file manipulation. Both
DNS and host files are used to cross-reference Uniform Resource Locators (URLs) and IP addresses.
When a user specifies a URL, either a DNS server or the local host file converts it to an IP address so that
requests can be forwarded to the correct location. Both a DNS server and a host file can be altered so that
users are directed to websites that appear authentic but instead are used for malicious information
gathering. These phony websites often ask users for passwords or other sensitive information. A pharming
attack is not effective unless a user voluntarily provides information to the website.
Whaling is a type of spear phishing attack used to retrieve sensitive information from high-ranking
executives of a corporation. Spear phishing is a form of phishing that targets specific individuals. Spear
phishing is considered whaling when it specifically targets high-ranking executives of a corporation, such as
chief executive officers (CEOs) or chief financial officers (CFOs). To mitigate the effects of a phishing
attack, users should use email clients and web browsers that provide phishing filters. In addition, users
should also be wary of any unsolicited email or web content that requests personal information.
Like whaling and pharming, vishing is another form of phishing that is used to obtain sensitive information.
Vishing accomplishes its goal through the use of voice communication networks. Perpetrators of vishing
attacks use a variety of methods to retrieve information. For example, an attacker might spoof phone
numbers of legitimate businesses in order to deceive a victim. An attacker might also use a misleading
voice or email message that instructs the potential victim to contact a phony call center that is masked as a
legitimate business. After telephone communications are established, the perpetrators will attempt to coax
sensitive information from users, such as credit card or bank account numbers.
Dumpster diving is an attack in which malicious users obtain information that has been thrown in the trash.
Dumpster divers seek to recover discarded documents that might contain sensitive information such as
account login credentials, passwords, or bank account numbers. To prevent unauthorized users from
obtaining information from discarded documents, individuals and companies should shred documents
containing confidential data before disposing of such documents.
Reference:
Cisco: Protect Against Social Engineering: Security Awareness Is a Vital Defense

QUESTION 81
The Serial 0/0 interfaces on Router1 and Router2 are directly connected on the 192.168.51.48/30 network.
You issue the following commands on Router1:
interface serial 0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

You issue the following commands on Router2:

interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication

Router1 and Router2 do not form an OSPF adjacency.

Which of the following is most likely the problem? (Select the best answer.)

A. an OSPF area mismatch
B. an OSPF authentication mismatch
C. an OSPF process ID mismatch
D. an OSPF router ID mismatch

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, a mismatched authentication type is most likely to be the cause of the problem in
this scenario. A mismatched authentication key or a mismatched authentication type could cause two Open
Shortest Path First (OSPF) routers to not form an adjacency. In this scenario, the Serial 0/0 interface on
Router1 is configured to use a Message Digest 5 (MD5) authentication key of b0s0n. The Serial 0/0
interface on Router2, on the other hand, is configured to use a plaintext authentication key of b0s0n. If the
correct authentication type were configured between the Serial 0/0 interfaces on the routers, OSPF
authentication would succeed and an adjacency would be formed.
A mismatched process ID will not prevent an OSPF router from establishing an adjacency with a neighbor.
An OSPF process ID is used to identify the OSPF process only to the local router. In this scenario, the
router ospf 1 command has been issued on Router1, which configures Router1 with an OSPF process ID of
1. The router ospf 2 command has been issued on Router2, which configures Router2 with an OSPF
process ID of 2. An OSPF area mismatch is not the reason that Router1 and Router2 do not form an
adjacency in this scenario. In order to establish an adjacency, OSPF routers must be configured with the
same area ID, Hello timer value, Dead timer value, and authentication password. In this scenario, the Serial
0/0 interface on Router1 has been configured to operate in area 0, which is also known as the backbone
area. Similarly, the Serial 0/0 interface on Router2 has been configured to operate in area 0.
OSPF router IDs should never match between routers. A router ID is a unique 32-bit identifier that resembles
an IP address. A router ID conflict could cause routers to not form an adjacency. If you do not manually
configure a router ID on an OSPF router, then the router ID is the highest IP address configured among
loopback interfaces on the router, even if a physical interface is configured with a higher IP address. Cisco
recommends using a loopback interface instead of a physical interface for the router ID; a loopback
interface is never in the down state, so OSPF is considered more stable when the router ID is
taken from the IP address of a loopback interface. In this scenario, the router IDs on Router1 and
Router2 have been manually configured by using the router-id ip-address command.
Reference:
Cisco: Sample Configuration for Authentication in OSPF: Configurations for Plain Text Authentication
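The adjacency check reasoned through above can be automated against saved configurations. The following Python script is an added example, not part of the exam explanation or of any Cisco tooling; it embeds the two configurations from this scenario (reformatted as IOS CLI), infers each side's authentication type from the key command that is present (message-digest-key for MD5, authentication-key for plaintext, an assumption that mirrors the explanation's reasoning), and reports the settings that differ on the shared link. Process ID and router ID differences are ignored on purpose, since they need not match.

```python
import re
from typing import Dict, List, Optional

# The two configurations from the scenario above (reformatted as IOS CLI).
ROUTER1 = """
interface serial 0/0
 ip ospf message-digest-key 1 md5 b0s0n
router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 1
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication
"""

ROUTER2 = """
interface serial 0/0
 ip ospf authentication-key b0s0n
router ospf 2
 router-id 2.2.2.2
 network 10.10.20.0 0.0.0.255 area 2
 network 192.168.51.48 0.0.0.3 area 0
 area 0 authentication
"""


def parse_ospf_side(name: str, config: str, link_network: str) -> Dict[str, Optional[str]]:
    """Extract the settings that decide whether two neighbours can adjoin.

    Assumption of this example: the authentication type is inferred from which
    key command is present (message-digest-key -> MD5, authentication-key ->
    plaintext), the way the explanation above reasons about it.  Process ID
    and router ID are ignored on purpose: they do not have to match.
    """
    side: Dict[str, Optional[str]] = {
        "name": name, "area": None, "auth_type": "none", "key": None, "area_auth": None,
    }
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip ospf message-digest-key \d+ md5 (\S+)$", line)
        if m:
            side["auth_type"], side["key"] = "md5", m.group(1)
            continue
        m = re.match(r"ip ospf authentication-key (\S+)$", line)
        if m:
            side["auth_type"], side["key"] = "plaintext", m.group(1)
            continue
        m = re.match(r"network (\S+) \S+ area (\S+)$", line)
        if m and m.group(1) == link_network:
            side["area"] = m.group(2)   # area assigned to the shared link
            continue
        m = re.match(r"area (\S+) authentication( message-digest)?$", line)
        if m:
            side["area_auth"] = m.group(1) + ":" + ("md5" if m.group(2) else "plaintext")
    return side


def adjacency_mismatches(a: Dict[str, Optional[str]], b: Dict[str, Optional[str]]) -> List[str]:
    """List the differences that would stop the adjacency from forming."""
    problems: List[str] = []
    if a["area"] != b["area"]:
        problems.append(f"area: {a['name']}={a['area']}, {b['name']}={b['area']}")
    if a["auth_type"] != b["auth_type"]:
        problems.append(f"authentication type: {a['name']}={a['auth_type']}, "
                        f"{b['name']}={b['auth_type']}")
    elif a["key"] != b["key"]:
        problems.append("authentication key: values differ")
    if a["area_auth"] != b["area_auth"]:
        problems.append(f"area authentication: {a['name']}={a['area_auth']}, "
                        f"{b['name']}={b['area_auth']}")
    return problems


def check_scenario() -> List[str]:
    """Run the check on the two routers from the question."""
    r1 = parse_ospf_side("Router1", ROUTER1, "192.168.51.48")
    r2 = parse_ospf_side("Router2", ROUTER2, "192.168.51.48")
    return adjacency_mismatches(r1, r2)


if __name__ == "__main__":
    for problem in check_scenario():
        print("mismatch:", problem)
```

For the scenario the only finding is the authentication type (MD5 on Router1, plaintext on Router2), which is the answer given; the same script reports an area mismatch if one side places the 192.168.51.48/30 link in a different area.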

QUESTION 82
In which of the following authentication protocols is support for TLS 1.2 specifically required? (Select the
best answer.)

A. EAP-FASTv1
B. EAP-FASTv2
C. EAP-MD5
D. EAP-TLS
E. EAP-PEAP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, only Extensible Authentication Protocol-Flexible Authentication via Secure
Tunneling Version 2 (EAP-FASTv2) is specifically required to support Transport Layer Security (TLS) 1.2.
EAP-FAST is an authentication protocol that can be used for point-to-point connections and for both wired and
wireless links. EAP-FAST Version 1 (EAP-FASTv1) supported TLS 1.0 and higher. However, EAP-FASTv2
made support of TLS 1.2 a requirement, thereby providing EAP-FASTv2 with a stronger encryption algorithm
than EAP-FASTv1.
EAP-Transport Layer Security (EAP-TLS) does not specifically require support for TLS 1.2, although EAP-TLS
is designed to support TLS 1.0 and higher. EAP-TLS is an Internet Engineering Task Force (IETF) standard
that is defined in Request for Comments (RFC) 5216.
Protected EAP (PEAP) does not specifically require support for TLS 1.2. PEAP is an open standard
developed by Cisco, Microsoft, and RSA. PEAP and other later variants of EAP, such as EAP-TLS and
EAP-Tunneled TLS (EAP-TTLS), are replacing Lightweight EAP (LEAP). PEAP supports TLS 1.0 and higher.
EAP-Message Digest 5 (EAP-MD5) does not specifically require support for TLS 1.2. EAP-MD5 uses an MD5
hash function to provide security and is therefore considered weak when compared to later methods. EAP
is an IETF standard that was originally defined in RFC 2284. It does not support TLS at all.
Reference:
IETF: Flexible Authentication via Secure Tunnel Extension Authentication Protocol (EAP-FAST) Version 2:
1.2. Major Differences from Version 1

QUESTION 83
Router2 is configured to obtain time from three different NTP servers. You want to determine from which of
the three servers Router2 is currently synchronizing time.
Which of the following commands would not achieve your goal? (Select the best answer.)

A. show clock detail
B. show ntp associations
C. show ntp associations detail
D. show ntp status

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, only the show clock detail command would not enable you to determine from
which of the three Network Time Protocol (NTP) servers Router2 is synchronizing time. The show clock
detail command displays the date and time as it is configured on the device and general information about
the source of the configuration. However, this command does not reveal the IP address or NTP peer status
of an NTP source. The following is sample output from the show clock detail command:
Router2#show clock detail
09:12:20.299 UTC Sat Jul 4 2015
Time source is NTP
The show ntp associations command and the show ntp associations detail command would both enable
you to determine from which of the three NTP servers Router2 is synchronizing time. The show ntp
associations command displays both the address of the NTP server from which the client obtains its time
and the address of the reference clock to which the NTP server is synchronized. When issued with the
detail keyword, you can additionally determine the IP address of the NTP peer from which time was
synchronized, the NTP source authentication status, the NTP hierarchical status of the server from which
time was obtained, whether the NTP peer passes basic sanity checks, whether NTP believes the time is
valid, and the stratum of the NTP peer. The following is sample output from both the show ntp associations
command and the show ntp associations detail command:

The presence of our_master in the output of the show ntp associations detail command indicates the status
of the device at the NTP peer IP address of 203.0.113.1. Similarly, the asterisk (*) in the output of the show
ntp associations command indicates that Router2’s NTP master is the device with the IP address of
203.0.113.1.
The show ntp status command would enable you to determine from which of the three NTP servers Router2
is synchronizing time. The show ntp status command displays no information when NTP is not running on a
device. When NTP is running, the show ntp status command provides information about whether the local
clock is synchronized, the local clock’s stratum level, and the IP address of the NTP peer that the local
device is using as a reference clock. The following is sample output from the show ntp status command:
Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show clock
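Reading the synchronization source out of show ntp associations can be scripted for fleets of routers. The following Python parser is an added example, not part of the exam explanation or of any Cisco tool; the sample output it embeds is constructed in the layout of the IOS command (it is not the exhibit from this question, which is not reproduced on this page). It returns one record per configured peer, identifies the peer flagged with the asterisk as the system peer, and lists peers whose reach register is 0, which a practitioner wants to see alongside the master when one of three servers has silently gone unreachable.

```python
import re
from typing import Dict, List, Optional

# Constructed sample laid out like 'show ntp associations' on IOS.  It is
# not the exhibit from the question, which is not reproduced on this page.
SAMPLE_NTP_ASSOCIATIONS = """\
  address         ref clock       st   when   poll reach  delay  offset    disp
*~203.0.113.1     .GPS.            1     23     64   377    1.2    0.45     0.9
+~203.0.113.2     203.0.113.1      2     41     64   377    3.4   -1.20     2.1
 ~203.0.113.3     203.0.113.1      2      -     64     0    0.0    0.00  16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Leading flag character, as described by the legend line of the output.
FLAGS = {"*": "sys.peer", "#": "selected", "+": "candidate",
         "-": "outlyer", "x": "falseticker", " ": "unselected"}

PEER_RE = re.compile(
    r"^(?P<flag>[ *#+x-])~(?P<addr>\S+)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)")


def parse_ntp_associations(text: str) -> List[Dict[str, object]]:
    """Return one record per configured peer; header and legend are skipped."""
    peers: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        peers.append({
            "address": m["addr"],
            "status": FLAGS[m["flag"]],
            "stratum": int(m["st"]),
            "ref_clock": m["ref"],
            # reach is an octal shift register of the last eight polls
            "reach": int(m["reach"], 8),
        })
    return peers


def sync_source(peers: List[Dict[str, object]]) -> Optional[str]:
    """Address of the peer marked '*', i.e. the one time is taken from."""
    for peer in peers:
        if peer["status"] == "sys.peer":
            return str(peer["address"])
    return None


def unreachable_peers(peers: List[Dict[str, object]]) -> List[str]:
    """Peers whose last eight polls all went unanswered (reach 0)."""
    return [str(p["address"]) for p in peers if p["reach"] == 0]


if __name__ == "__main__":
    found = parse_ntp_associations(SAMPLE_NTP_ASSOCIATIONS)
    print("synchronized to:", sync_source(found))
    print("unreachable:", unreachable_peers(found))
```

On the constructed sample the system peer is 203.0.113.1 and 203.0.113.3 is reported unreachable; a reach value of 377 (octal) means all of the last eight polls were answered.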

QUESTION 84
Which of the following indicates that aggressive mode ISAKMP peers have created SAs? (Select the best
answer.)

A. AG_NO_STATE
B. MM_NO_STATE
C. AG_AUTH
D. MM_KEY_AUTH
E. QM_IDLE

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, the AG_NO_STATE state is most likely to indicate that aggressive mode Internet
Security Association and Key Management Protocol (ISAKMP) peers have created security associations
(SAs). The show crypto isakmp sa command displays the status of current IKE SAs on the router. The
following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA.
- AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys.
- AG_AUTH - The peers have authenticated the SA.

The MM_NO_STATE state is the first transaction to occur when setting up Internet Key Exchange (IKE)
SAs in main mode. MM_NO_STATE indicates that the ISAKMP peers have created their SAs. However, an
exchange that does not move past this stage indicates that main mode has failed. The following states are
used during main mode:
- MM_NO_STATE - The peers have created the SA.
- MM_SA_SETUP - The peers have negotiated SA parameters.
- MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared
secret.
- MM_KEY_AUTH - The peers have authenticated the SA.
Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE
phase 1 has completed successfully and that there is an active IKE SA between peers.
Reference:
Cisco: Most Common DMVPN Troubleshooting Solutions
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
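The state table above is what an operator applies when scanning show crypto isakmp sa output during a tunnel outage. The following Python script is an added example, not part of the exam explanation or of any Cisco tool; it embeds a constructed sample in the layout of the IOS command, maps each state to its exchange mode and meaning using the lists given above, and separates SAs that completed phase 1 (QM_IDLE) from those still sitting in the initial *_NO_STATE of their mode, which for main mode the explanation identifies as a failed negotiation.

```python
import re
from typing import Dict, List

# Constructed sample laid out like 'show crypto isakmp sa' on IOS.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.2       192.0.2.1       QM_IDLE           1001 ACTIVE
198.51.100.2    198.51.100.1    MM_NO_STATE       1002 ACTIVE (deleted)
203.0.113.2     203.0.113.1     AG_NO_STATE       1003 ACTIVE

IPv6 Crypto ISAKMP SA

"""

# State -> (exchange mode, meaning), following the lists in the explanation above.
STATE_INFO = {
    "AG_NO_STATE":  ("aggressive", "peers have created the SA"),
    "AG_INIT_EXCH": ("aggressive", "SA parameters negotiated and keys exchanged"),
    "AG_AUTH":      ("aggressive", "SA authenticated"),
    "MM_NO_STATE":  ("main", "peers have created the SA"),
    "MM_SA_SETUP":  ("main", "SA parameters negotiated"),
    "MM_KEY_EXCH":  ("main", "DH keys exchanged, shared secret generated"),
    "MM_KEY_AUTH":  ("main", "SA authenticated"),
    "QM_IDLE":      ("quick", "phase 1 complete, active IKE SA"),
}

SA_RE = re.compile(
    r"^(?P<dst>[0-9.]+)\s+(?P<src>[0-9.]+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn_id>\d+)\s+(?P<status>\S.*?)\s*$")


def parse_isakmp_sa(text: str) -> List[Dict[str, object]]:
    """One record per SA line; banner and column-header lines are skipped."""
    sas: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if not m:
            continue
        mode, meaning = STATE_INFO.get(m["state"], ("unknown", "state not in table"))
        sas.append({"dst": m["dst"], "src": m["src"], "state": m["state"],
                    "mode": mode, "meaning": meaning,
                    "conn_id": int(m["conn_id"]), "status": m["status"]})
    return sas


def established(sas: List[Dict[str, object]]) -> List[int]:
    """conn-ids whose phase 1 has completed (QM_IDLE)."""
    return [int(str(sa["conn_id"])) for sa in sas if sa["state"] == "QM_IDLE"]


def stuck_at_first_state(sas: List[Dict[str, object]]) -> List[int]:
    """conn-ids that never left the initial *_NO_STATE of their mode.

    For main mode the explanation above notes that staying here means main
    mode has failed; for aggressive mode it means only that the SA exists.
    """
    return [int(str(sa["conn_id"])) for sa in sas if str(sa["state"]).endswith("_NO_STATE")]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_ISAKMP_SA):
        print(f"{sa['conn_id']} {sa['dst']:<14} {sa['state']:<12} {sa['mode']}: {sa['meaning']}")
```

The status column is kept verbatim so that an entry such as ACTIVE (deleted) is not mistaken for a healthy SA; the conn-ids returned by the two helpers are what you would cross-check against the crypto map or tunnel interface that should be up.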

QUESTION 85
Which of the following is least likely to be considered an advanced persistent threat? (Select the best
answer.)

A. Operation Aurora
B. Heartbleed
C. the 2011 RSA breach
D. Stuxnet

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available options, Heartbleed is least likely to be considered an advanced persistent threat. An
advanced persistent threat is an intrusion in which the attacker has advanced knowledge of intrusion tools
and techniques, is fully intent on using the intrusion to achieve a specific mission or goals, and has
organizational backing, funding, and motivation. For example, an attacker who obtains access to an
organization’s network and remains there for an extended period of time to collect data that can then be
used to the attacker’s advantage can be considered an advanced persistent threat.
Heartbleed is a vulnerability, not an advanced persistent attack. Heartbleed is the OpenSSL vulnerability
that could allow an attacker to obtain approximately 64 kilobytes (KB) of information from a web server's
memory at regular intervals. The Heartbleed bug, which was discovered in 2014, was a memory-handling
bug present in OpenSSL from version 1.0.1 through version 1.0.1f. OpenSSL 1.0.1g was the first version to
fix the bug. By exploiting this vulnerability, an attacker can obtain a server's private key, which could in turn
allow the attacker to decrypt communications with the server or perform man-in-the-middle attacks against the
server. Although Heartbleed could be used as a component of an attack in an advanced persistent threat, it
is not itself an advanced persistent threat.
Operation Aurora could be considered an advanced persistent threat. Operation Aurora was a months-long
attack in 2009 that was carried out against multiple companies, including Google and Adobe; it began with
a targeted email spear phishing attack. The email delivered malware that was capable of exploiting an
Internet Explorer vulnerability to obtain access to the contents of partially freed memory. After
compromising company workstations, the attackers used those workstations to obtain access to other
company resources and information, which eventually resulted in the loss of intellectual property. The attack
was eventually traced to two Chinese education facilities that were thought to have ties to a Google
competitor in China.
The 2011 RSA breach could be considered an advanced persistent threat. The RSA breach was an attack
against RSA's SecurID two-factor authentication system. Similar to Operation Aurora, the 2011 RSA breach
began with a targeted phishing email that contained a Microsoft Excel attachment. The Excel attachment
contained a zero-day exploit that was able to install a back door on a user’s workstation. From there, the
attacker compromised other workstations in what appeared to be an effort to retrieve information related to
SecurID, such as source code or customer information.
Stuxnet is more likely than Heartbleed to be considered an advanced persistent threat. Stuxnet exploited
vulnerabilities in both the printer spooler service and the processing of .lnk files. Stuxnet was used in an act
of cyber warfare against Iranian industrial control systems (ICSs). It was written to target specific ICSs by
modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited vulnerabilities in the
printer spooler service; however, later variants exploited a vulnerability in the way that Windows processes
shortcuts (.lnk files). Research from Symantec published in 2011 indicated that at the time, over 60
percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its variants and
discovered that five organizations were the primary targets of infection and that further infections were likely
collateral damage from the aggressive manner in which the worm spreads throughout the network. Given
the considerable cost in resources and man-hours that would have been required to craft the Stuxnet worm,
it was theorized that it was likely intended to sabotage high-value targets such as nuclear materials
refinement facilities.
Reference:
SANS: Assessing Outbound Traffic to Uncover Advanced Persistent Threat (PDF)
Security Tracker: Cisco Unified Communications Manager OpenSSL TLS Heartbeat Buffer Overread Lets
Remote Users Obtain Potentially Sensitive Information
National Vulnerability Database: Vulnerability Summary for CVE-2014-0160
Common Vulnerabilities and Exposures: CVE-2014-0160

QUESTION 86
Which of the following best describes the purpose of SNMP? (Select the best answer.)

A. to manage network devices
B. to send email
C. to create VPNs
D. to transfer files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Simple Network Management Protocol (SNMP) is used to manage network devices. SNMP can be used to
remotely monitor and configure a wide variety of network devices, such as routers, switches, and network
printers. SNMP version 1 (SNMPv1) and SNMPv2 use community strings to provide authentication.
However, neither SNMPv1 nor SNMPv2 uses encryption; all data and community strings are sent in clear
text. A malicious user can sniff an SNMP community string and use it to access and modify network
devices. SNMPv3 is an enhancement to the SNMP protocol that uses encryption to provide confidentiality,
integrity, and authentication.
SNMP is not used to send email. Simple Mail Transfer Protocol (SMTP) is used to send email. Post Office
Protocol 3 (POP3) and Internet Message Access Protocol 4 (IMAP4) are used to receive email.
SNMP is not used to create virtual private networks (VPNs). To create a VPN, you would typically use a
protocol that can encrypt the data on the virtual network, such as IP Security (IPSec). A VPN is often used
when it is necessary to connect two locations that are separated by a public network, such as the Internet.
SNMP is not used to transfer files. To transfer files between computers, you should use File Transfer
Protocol (FTP), Trivial FTP (TFTP), or Secure FTP (SFTP).
Reference:
Cisco: Simple Network Management Protocol: Versions of SNMP

QUESTION 87
You create a static point-to-point VTI tunnel on RouterA. Afterward, you issue the show running-config
command and receive the following output:

Which of the following is the authentication transform that will be used by the static VTI tunnel? (Select the
best answer.)

A. ESP with 128-bit AES
B. ESP with 256-bit AES
C. ESP with 56-bit DES
D. ESP with 168-bit 3DES
E. ESP with MD5
F. ESP with SHA
G. AH with MD5
H. AH with SHA

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The static virtual tunnel interface (VTI) tunnel will use Encapsulating Security Payload (ESP) with Secure
Hash Algorithm (SHA) as the authentication transform, as indicated by the crypto ipsec transform-set
command. The syntax of the crypto ipsec transform-set command is crypto ipsec transform-set
transform-name transform1 [transform2] [transform3] [transform4]. Up to four transforms can be specified in
an IP Security (IPSec) transform set: one ESP authentication transform, one authentication header (AH)
transform, one ESP encryption transform, and one IP compression transform.
ESP can use the Message Digest 5 (MD5) and SHA algorithms for authentication. The following keywords
can be used to specify the ESP authentication transform:
- esp-md5-hmac
- esp-sha-hmac

AH can also use the MD5 and SHA algorithms for authentication. The following keywords can be used to
specify the AH transform:
- ah-md5-hmac - uses AH with MD5
- ah-sha-hmac - uses AH with SHA

ESP can use the following encryption methods:
- 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES)
- 56-bit Data Encryption Standard (DES)
- 168-bit Triple DES (3DES)
- 160-bit Software-optimized Encryption Algorithm (SEAL)
- Null encryption

The following keywords can be used to specify the ESP encryption transform:
- esp-aes
- esp-aes 192
- esp-aes 256
- esp-des
- esp-3des
- esp-seal
- esp-null

The Lempel-Ziv-Stac (LZS) algorithm is the only IP compression method that can be used in an IPSec
transform set. To configure a transform set to use LZS IP compression, you should use the comp-lzs
keyword.
Reference:
Cisco: Cisco IOS Security Command Reference: crypto ipsec transform-set
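The four-slot rule for a transform set (one ESP authentication, one AH, one ESP encryption, one compression transform) is easy to check mechanically when auditing a configuration. The following Python function is an added example, not part of the exam explanation or of any Cisco tool; it parses a crypto ipsec transform-set line using the keywords listed above, assigns each keyword to its slot, handles the optional AES key size, and rejects a line that puts two transforms in the same slot. The transform-set lines it is run on are constructed; the running-config from this question is not reproduced on this page.

```python
from typing import Dict, List, Optional

# Keyword -> (slot it occupies, description).  Keywords are the ones listed above.
TRANSFORMS = {
    "esp-md5-hmac": ("esp_auth", "ESP with MD5"),
    "esp-sha-hmac": ("esp_auth", "ESP with SHA"),
    "ah-md5-hmac":  ("ah", "AH with MD5"),
    "ah-sha-hmac":  ("ah", "AH with SHA"),
    "esp-aes":      ("esp_encr", "ESP with 128-bit AES"),  # 192 or 256 may follow
    "esp-des":      ("esp_encr", "ESP with 56-bit DES"),
    "esp-3des":     ("esp_encr", "ESP with 168-bit 3DES"),
    "esp-seal":     ("esp_encr", "ESP with 160-bit SEAL"),
    "esp-null":     ("esp_encr", "ESP with null encryption"),
    "comp-lzs":     ("compression", "LZS IP compression"),
}
AES_SIZES = ("128", "192", "256")


def parse_transform_set(command: str) -> Dict[str, Optional[str]]:
    """Parse one 'crypto ipsec transform-set' line into its four slots.

    Raises ValueError on an unknown keyword or when two transforms compete
    for the same slot, since a set may carry at most one transform per slot.
    """
    tokens = command.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError("expected: crypto ipsec transform-set <name> transform1 [...]")
    parsed: Dict[str, Optional[str]] = {
        "name": tokens[3], "esp_auth": None, "ah": None, "esp_encr": None, "compression": None,
    }
    rest = tokens[4:]
    i = 0
    while i < len(rest):
        keyword = rest[i]
        i += 1
        if keyword not in TRANSFORMS:
            raise ValueError(f"unknown transform keyword: {keyword}")
        slot, description = TRANSFORMS[keyword]
        # esp-aes takes an optional key size; 128 is the default shown above
        if keyword == "esp-aes" and i < len(rest) and rest[i] in AES_SIZES:
            description = f"ESP with {rest[i]}-bit AES"
            i += 1
        if parsed[slot] is not None:
            raise ValueError(f"two {slot} transforms: {parsed[slot]} and {description}")
        parsed[slot] = description
    return parsed


def authentication_transforms(parsed: Dict[str, Optional[str]]) -> List[str]:
    """The transforms that authenticate the packets (ESP auth and/or AH)."""
    return [t for t in (parsed["esp_auth"], parsed["ah"]) if t]


if __name__ == "__main__":
    # Constructed line; the scenario's running-config is not reproduced here.
    result = parse_transform_set("crypto ipsec transform-set VTI-SET esp-aes esp-sha-hmac")
    print(result)
    print("authentication:", authentication_transforms(result))
```

For a constructed set such as esp-aes esp-sha-hmac the authentication transform is reported as ESP with SHA, matching the answer to this question; a set like esp-des esp-3des is rejected because both keywords occupy the ESP encryption slot.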

QUESTION 88
To ease administrative overhead, you want to add a third party feed to a Security Intelligence device so that
the IP addresses of known malicious hosts are automatically blacklisted. However, you have not
determined whether the feed is valid.
Which of the following are you most likely to do? (Select the best answer.)

A. Implement the feed, and add IP addresses to a custom whitelist as necessary.
B. Enforce Security Intelligence filtering by Security Zone.
C. Configure the monitor-only setting, and examine the logs.
D. Configure a custom blacklist that contains only malicious IP addresses.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you will configure the monitor-only setting and examine the logs if you want to add a third-party
feed to a Security Intelligence device but you have not determined whether the feed is valid. Security
Intelligence devices, such as a Cisco Sourcefire Intrusion Prevention System (IPS), are capable of
accepting manually imported lists of network addresses or feeds from third parties. Such devices can block
IP addresses or networks based on their reputation, which mitigates device overhead that comes from
having to analyze traffic from those networks.
The monitor-only setting enables traffic from networks that are listed within a given feed to be analyzed by
the Security Intelligence device but also logs the fact that the given network matches the third-party feed.
This enables an administrator to review the logs and the analysis of traffic from networks on the feed to
determine the validity of the feed.
Although you could implement the feed and add IP addresses to a custom whitelist as necessary, doing so
might increase administrative overhead if the feed turns out to be invalid. On Security Intelligence devices,
whitelists can be used to override blacklisted IP addresses. Whitelists can thus be used to enable
communication with legitimate IP addresses that are listed on third-party feeds or other blacklists that might
be too broadly defined. From an administrative overhead standpoint, you are more likely to validate the
feed, then implement the feed, and finally add IP addresses or networks to the whitelist as necessary.
You are less likely to enforce Security Intelligence filtering by Security Zone than configure the monitor-only
setting in this scenario, because doing so would neither validate nor invalidate the IP addresses that are
contained on the third-party feed. Enforcing blacklisting by security zone can be used to enhance the
performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that
process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be
restricted to a Security Zone that handles only email traffic.
You are not likely to configure a custom blacklist that contains only malicious IP addresses, because doing
so defeats the purpose of easing administrative overhead in this scenario. Security Intelligence devices
allow the creation of custom blacklists so that you can manually block specific IP addresses or networks.
However, compiling and validating such a list would require more administrative overhead in this scenario
than simply validating a third-party feed prior to implementing it.
Reference:
Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence
Strategy

QUESTION 89
Which of the following is primarily true of SEM systems? (Select the best answer.)

A. They perform real-time analysis and detection.
B. They focus on policy and standards compliance.
C. They consolidate logs to a central server.
D. They analyze log data and report findings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems
typically analyze log data from a number of sources. Some systems also incorporate incident handling tools
that enable administrators to more effectively mitigate threats when they occur.
Security Information Management (SIM) systems, on the other hand, are focused more on the collection
and analysis of logs in a non-real-time fashion. For example, a SIM system might centralize logging on a
single device for review and analysis. Some SIM systems also provide assessment tools that can flag
potentially threatening events.
A Security Information and Event Management (SIEM) system combines both the real-time aspects of a
SEM system and the in-depth analysis and timeline generation of a SIM system. Therefore, a SIEM system
is a hybrid of a SIM system and a SEM system.
Reference:
SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?
Search Security: Tech Target: security information and event management (SIEM)

QUESTION 90
You want to configure Cisco ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server root CA. Which
of the following also needs to be configured? (Select the best answer.)

A. AD on the CA
B. a root CA on the Cisco ISE
C. a manually installed certificate on the connecting BYOD device
D. NDES on a CA or domain member server

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Microsoft Network Device Enrollment Service (NDES) on a certificate authority (CA) or domain member
server also needs to be configured if you want to configure Cisco Identity Services Engine (ISE) as a Simple
Certificate Enrollment Protocol (SCEP) proxy to a Microsoft Windows 2008 R2 Server root CA.
Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices
on their own, without administrative overhead from the IT department.
You are not required to configure a root CA on the Cisco ISE. Configuring ISE as a SCEP proxy indicates
that ISE communicates with the CA on the behalf of its client devices. However, the ISE does need to be
configured with a SCEP CA profile. When configured with a SCEP CA profile, the ISE will contain a SCEP
NDES server registration authority (RA) certificate in the Certificate Store. RAs verify requests for
certificates and enable the CA to issue them.
You are not required to configure Active Directory (AD) on the CA. AD is typically configured on domain
controllers, although member servers and workstations can connect to the AD domain.
You are not required to manually install a certificate on the connecting BYOD device. Manually installing a
client certificate on the BYOD device would defeat the purpose of configuring the ISE as a SCEP proxy,
because administrative intervention would be required.
Reference:
Cisco: ISE SCEP Support for BYOD Configuration Example: Background Information

QUESTION 91
You issue the following commands on a Cisco router:
tacacs-server host ts1 single-connection timeout 20
tacacs-server timeout 30

Which of the following are true about how the Cisco router communicates with the TACACS+ server?
(Select 2 choices.)

A. The router will maintain an open TCP connection.
B. The router will maintain an open TCP connection for no more than 20 seconds.
C. The router will maintain an open TCP connection for no more than 30 seconds.
D. The router will wait 20 seconds for the server to reply before declaring an error.
E. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: AD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The router will maintain an open Transmission Control Protocol (TCP) connection. In addition, the router will
wait 20 seconds for the server to reply before declaring an error. The tacacs-server host ts1
single-connection timeout 20 command in this scenario configures a router to connect to a Terminal Access
Controller Access Control System Plus (TACACS+) server named ts1. The single-connection keyword
configures the router to maintain an open connection to the TACACS+ server. The timeout 20 keyword
configures the router to wait 20 seconds for the TACACS+ server to reply before declaring an error with the
connection.
The router will not wait 30 seconds for the server to reply before declaring an error. The tacacs-server host
ts1 single-connection timeout 20 command in this scenario configures the router to wait only 20 seconds for
the server to reply before declaring an error. If the timeout 20 keyword had not been specified in this
scenario, the tacacs-server timeout 30 command would have configured the router to wait 30 seconds for
the server to reply before declaring an error. The timeout 20 keyword in this scenario overrides the value
assigned by the tacacs-server timeout command.
The router will maintain an open connection for an indeterminate amount of time, not for a 20-second or
30-second interval. When the single-connection keyword is not configured, a Cisco router will open and close
a TCP connection to the TACACS+ server each time it needs to perform an operation. When the
single-connection keyword is configured, the router connects to the TACACS+ server and maintains that
connection even when it is not performing an operation. This setting enhances the efficiency of the
communications between the router and the TACACS+ server because the router does not have to
constantly close and open connections.
Reference:
Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host

QUESTION 92
You want to implement a VPN with an always-on fail close policy for Cisco AnyConnect clients.
Which of the following does Cisco recommend that you do? (Select the best answer.)

A. Start with a fail open policy, and implement fail close in phases.
B. Start with the fail close policy, and implement fail open as necessary.
C. Implement always-on, and leave the failure policy at the default setting.
D. Implement always-on with a fail open policy, and enable the Disconnect button.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco recommends that you start with a fail open policy and implement fail close in phases if you want to
implement a virtual private network (VPN) with an always-on fail close policy. The always-on feature enables
Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the
host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and
for remote work might be configured to automatically connect to the corporate VPN whenever the laptop is
not directly connected to the corporate LAN. However, any number of problems could prevent the client
from actually establishing a connection to the VPN.
There are two types of connect failure policies that you can enable for Cisco AnyConnect always-on clients.
The fail open policy allows the client to complete a connection to the local network for access to the Internet
or local resources. However, because a VPN session has not been established, the security of the
AnyConnect device that is connected to the remote network could be compromised.
The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client
except to local devices and devices that are available by using split tunneling. This extra layer of security
could prevent the user from accessing the Internet and thus could compromise productivity if the user relies
on Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco
recommends implementing it by using a phased approach that includes initially implementing fail open and
surveying user activity for AnyConnect issues that might prevent seamless connections.
There is no need to enable the Disconnect button, because the button is enabled by default when the
always-on feature is enabled. The Disconnect button enables users to manually disconnect from a VPN
session that has been automatically established by the AnyConnect client. The Disconnect button can be
disabled by an administrator.
Cisco does not recommend leaving the failure policy at the default setting if you want to implement a fail
close policy. The fail close policy is the default failure policy when connect failure policies are enabled.
Reference:
Cisco: Configuring VPN Access: Connect Failure Policy for Always on VPNCategory:
VPN

QUESTION 93
Your company is using a shopping cart web application that is known to be vulnerable to a code injection
attack. Your company has no support agreement for the application, and the application is no longer
updated by its author. Modifying the code would require the hiring of additional help and an extensive
interview process.
Which of the following should your company do in the meantime to most quickly mitigate the threat? (Select
the best answer.)

A. Use the grep command to examine web logs for evidence of an attack.
B. Shut down the site.
C. Replace the shopping cart application with a different one.
D. Implement a WAF.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Your company should implement a web application firewall (WAF) to mitigate the shopping cart web
application threat. A WAF sits between a web application and the end user in order to protect the
application from malicious activity and known vulnerabilities. Therefore, by installing a WAF, it is possible to
protect a vulnerable web application without modifying the application code.
Although you should issue the grep command to examine web application logs for evidence of an attack,
doing so would not quickly mitigate the threat posed by the unpatched vulnerability. Searching for evidence
of an attack takes time. Even if evidence of an attack were found in the log, discovering that evidence does
not mitigate the threat.
Although you should consider replacing the shopping cart application with a different one that is supported
and regularly updated, doing so would not be the quickest way to mitigate the threat. Depending on the
complexity of the data and the availability of conversion tools, it could take many weeks or months to
successfully migrate a shopping cart from one web application to another.
You should not shut down the site. Shutting down the site would cause a severe business interruption
because users would no longer be able to purchase products by using the shopping cart.
Reference:
OWASP: OWASP Best Practices: Use of Web Application Firewalls
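The following Python program is an added illustration of the two points in this explanation; it is not part of the exam material and is not OWASP's or any vendor's code. It shows, first, a WAF in its simplest form: a WSGI middleware that sits in front of an unmodified application (here a constructed stand-in for the shopping cart) and rejects requests whose parameters carry code-injection indicators, and second, the "grep the logs" step, which reuses the same indicators over constructed access-log lines and finds evidence only after the fact. The indicator list, the sample application, the sample log lines and all IP addresses are constructed for the example.

```python
import io
import re
from urllib.parse import parse_qs, unquote_plus
from wsgiref.util import setup_testing_defaults

# Indicators that a parameter value is meant to be interpreted as code rather than data.
# Constructed, illustrative subset; a real WAF ships far larger, tuned rule sets.
INJECTION_PATTERNS = [
    ("code-eval-call", re.compile(r"\b(?:eval|exec|system|passthru|shell_exec)\s*\(", re.I)),
    ("php-open-tag", re.compile(r"<\?php", re.I)),
    ("shell-substitution", re.compile(r"\$\(|\$\{|`")),
    ("stream-wrapper", re.compile(r"\b(?:php|data|expect)://", re.I)),
]


def find_injection(value):
    """Return the name of the first indicator found in a parameter value, else None.
    parse_qs() has decoded once already; decoding again catches double-encoded payloads."""
    for name, pattern in INJECTION_PATTERNS:
        if pattern.search(value) or pattern.search(unquote_plus(value)):
            return name
    return None


def request_is_suspicious(query_string, form_body=""):
    """Check every query-string and form parameter; return 'param: indicator' or None."""
    for raw in (query_string, form_body):
        for key, values in parse_qs(raw, keep_blank_values=True).items():
            for value in values:
                hit = find_injection(value)
                if hit:
                    return f"{key}: {hit}"
    return None


class InjectionBlockingMiddleware:
    """Wraps any WSGI app and answers 403 to requests carrying an indicator, so the
    vulnerable application code itself is never modified."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        form_body = ""
        if environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
            length = int(environ.get("CONTENT_LENGTH") or 0)
            raw = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(raw)  # hand the body back to the app unread
            form_body = raw.decode("utf-8", errors="replace")
        reason = request_is_suspicious(environ.get("QUERY_STRING", ""), form_body)
        if reason:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [f"blocked ({reason})\n".encode()]
        return self.app(environ, start_response)


def shopping_cart_app(environ, start_response):
    """Stand-in for the unpatched cart application (constructed); it trusts its input."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"cart ok\n"]


waf_protected_cart = InjectionBlockingMiddleware(shopping_cart_app)


def run_request(app, query_string, form_body=None):
    """Drive a WSGI app with a constructed request; return the status line it sent."""
    environ, status = {}, {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query_string
    if form_body is not None:
        data = form_body.encode()
        environ.update(REQUEST_METHOD="POST", CONTENT_TYPE="application/x-www-form-urlencoded",
                       CONTENT_LENGTH=str(len(data)))
        environ["wsgi.input"] = io.BytesIO(data)
    list(app(environ, lambda s, h, e=None: status.setdefault("line", s)))
    return status["line"]


# Combined-format access-log lines (constructed sample data) for the log-review step.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} ')
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /cart.php?item=42&coupon=SAVE10 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /cart.php?item=42&note=%3C%3Fphp+echo+1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "POST /checkout.php HTTP/1.1" 302 0',
]


def scan_access_log(lines):
    """Apply the same indicators to logged GET query strings; returns (ip, path, reason) hits.
    POST bodies are not in the access log, one reason log review alone is not mitigation."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reason = request_is_suspicious(m.group("path").partition("?")[2])
            if reason:
                hits.append((m.group("ip"), m.group("path"), reason))
    return hits
```

The middleware inspects both the query string and a form body, then rewinds the body so the wrapped application still reads it; the unwrapped `shopping_cart_app` answers 200 to the same request that the wrapped one rejects with 403, which is the "protect without modifying the code" property the answer relies on.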

QUESTION 94
Which of the following is a Cisco IPS appliance feature that analyzes normal network activity to detect hosts
that are infected with worms? (Select the best answer.)

A. anomaly detection
B. global correlation
C. reputation filtering
D. a signature definition
E. a threat rating

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Anomaly detection is a Cisco Intrusion Prevention System (IPS) appliance feature that analyzes normal
network activity to detect hosts that are infected with worms. The IPS anomaly detection feature enables
IPS to learn what type of network activity is normal activity for the network that is being protected. If a
network starts to become congested by traffic that is generated by a worm or if a host that is infected with a
worm connects to the network and attempts to infect other hosts, the anomaly detection feature can trigger
a specific response, such as denying traffic from the infected host or alerting an administrator.
Signature definitions do not analyze normal network activity to detect hosts that are infected with worms. A
signature definition is a set of rules to which a Cisco IPS appliance can compare network traffic to
determine whether an attack is occurring. If the network activity matches a signature definition, IPS can
trigger a specific response from other defined event action rule sets, such as denying traffic from a host or
alerting an administrator. IPS administrators can manually configure signature definitions in Cisco IPS
Device Manager (IDM) or use the Signature Wizard to create custom signature definitions.
Global correlation does not analyze normal network activity to detect hosts that are infected with worms.
Global correlation enables IPS sensors to allow or deny traffic based on the reputation of the sending
device. When you enable global correlation, IPS devices will periodically receive updates that include
information about known malicious devices on the Internet from the Cisco SensorBase Network. In addition,
global correlation will send statistical information about attacks against your company's network to the Cisco
SensorBase Network. Cisco uses that information to detect threat patterns on the Internet.
Reputation filtering does not analyze normal network activity to detect hosts that are infected with worms.
Reputation filtering denies packets from hosts that are considered to have a malicious reputation based on
the global correlation information that is available from the Cisco SensorBase Network. Reputation filtering
is different from global correlation inspection in that reputation filtering denies traffic before the traffic is
compared to any signature definitions. In addition, reputation filtering does not generate alerts.
Threat ratings do not analyze normal network activity to detect hosts that are infected with worms. A threat
rating is an event action risk rating that has been lowered because of a specific action taken by IPS. A risk
rating is a numerical representation of the risk presented to a network by a specific attack. Risk ratings can
range from 0 through 100. Depending on the actions IPS has taken in response to an event, IPS will
subtract a value from the threat rating of the event. For example, if IPS responds to a specific event by
issuing a request to block the attacking host, a value of 20 will be subtracted from the threat rating.
Reference:
Cisco: Configuring Anomaly Detections: Understanding Anomaly Detection
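The following Python program is an added illustration of the learn-then-detect idea behind anomaly detection; it is not part of the exam material and is not Cisco's code, and it does not reproduce the IPS appliance's actual algorithm. It learns a baseline of per-host "fan-out" (the number of distinct destinations a host contacts in a window) from a constructed window of normal flows, then flags a host whose fan-out in a later window is far above that baseline, the pattern a scanning worm produces. The flow records, IP addresses, and the mean-plus-k-standard-deviations threshold are all constructed choices for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Flow records as (source_ip, destination_ip, dst_port); constructed sample data.
# Learning window: ordinary clients, each talking to a handful of internal servers.
LEARNING_FLOWS = [
    ("10.0.0.11", "10.0.1.5", 443), ("10.0.0.11", "10.0.1.6", 53), ("10.0.0.11", "10.0.1.7", 445),
    ("10.0.0.12", "10.0.1.5", 443), ("10.0.0.12", "10.0.1.6", 53),
    ("10.0.0.13", "10.0.1.5", 443), ("10.0.0.13", "10.0.1.6", 53),
    ("10.0.0.13", "10.0.1.8", 445), ("10.0.0.13", "10.0.1.9", 445),
    ("10.0.0.14", "10.0.1.6", 53), ("10.0.0.14", "10.0.1.5", 443),
]

# Detection window: 10.0.0.12 now opens connections to 40 distinct hosts on TCP 445,
# the fan-out pattern of a scanning worm; the other hosts behave as before.
DETECTION_FLOWS = [
    ("10.0.0.11", "10.0.1.5", 443), ("10.0.0.11", "10.0.1.6", 53),
    ("10.0.0.13", "10.0.1.5", 443), ("10.0.0.13", "10.0.1.8", 445),
    ("10.0.0.14", "10.0.1.6", 53),
] + [("10.0.0.12", f"10.0.2.{n}", 445) for n in range(1, 41)]


def fan_out(flows):
    """Distinct destination hosts contacted by each source within one window."""
    dests = defaultdict(set)
    for src, dst, _port in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


class FanOutBaseline:
    """Learns normal per-host fan-out, then flags hosts that exceed it.

    threshold = max(floor, mean + k * stddev) of the learned fan-out values; the floor
    keeps a very uniform learning set from producing a threshold that trips on the
    first new server a host legitimately contacts.
    """

    def __init__(self, k=3.0, floor=5):
        self.k, self.floor = k, floor
        self.threshold = None

    def learn(self, flows):
        counts = list(fan_out(flows).values())
        self.threshold = max(self.floor, mean(counts) + self.k * pstdev(counts))
        return self.threshold

    def detect(self, flows):
        """Return {source: fan_out} for sources above the threshold; each entry is a
        candidate for a response such as denying the host or alerting an administrator."""
        if self.threshold is None:
            raise RuntimeError("learn() a normal-traffic window before detecting")
        return {src: n for src, n in fan_out(flows).items() if n > self.threshold}


def worm_candidates(learning_flows, detection_flows):
    """One-shot helper: learn on the first window, report outliers in the second."""
    baseline = FanOutBaseline()
    baseline.learn(learning_flows)
    return baseline.detect(detection_flows)
```

With the learning data above the per-host fan-out values are 3, 2, 4 and 2, so the learned threshold is a little above 5; in the detection window only 10.0.0.12, with 40 distinct destinations, exceeds it. Replaying the learning window through `detect()` flags nothing, which is the sanity check to run before trusting any baseline.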

QUESTION 95
Which of the following can be used to encrypt email messages, files, and disk drives? (Select the best
answer.)

A. L2TP
B. PEM
C. PGP
D. S/MIME

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Pretty Good Privacy (PGP) is software that can be used to encrypt email messages, files, and disk drives.
PGP can be used to provide confidentiality, integrity, and nonrepudiation. PGP uses an asymmetric
encryption method to encrypt information. To encrypt a file or a message by using PGP, you must use the
recipient's public key. The recipient will then use his or her private key to decrypt the file or message. Many
modern operating systems (OSs) offer their own built-in support for file-level and disk-level encryption.
Therefore, third-party software is often no longer necessary for encrypting files.
Privacy Enhanced Mail (PEM) and Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used to
encrypt email messages, but they cannot be used to encrypt files or disk drives. PEM is defined in
Requests for Comments (RFCs) 1421 through 1424 but was never widely used. S/MIME, which was
created by RSA Data Security, is now an RFC standard defined in RFCs 3369, 3370, 3850, and 3851.
Although Layer 2 Tunneling Protocol (L2TP) can be used along with an encryption protocol to encrypt files
and email messages while they are sent over a virtual private network (VPN), L2TP is not used to encrypt
disk drives. L2TP does not offer any security on its own but provides the tunnel by which IP packets
encapsulated in User Datagram Protocol (UDP) packets can travel.
Reference:
Search Security: Tech Target: Pretty Good Privacy (PGP)
Microsoft TechNet: Understanding S/MIME

QUESTION 96
Refer to the exhibit:

You have created a network object NAT rule in ASDM to translate the real IP address of a DMZ web server,
DMZWWWINT, to an IP address in the OUTSIDE network, DMZWWWEXT. The DMZ interface has a
security level of 50, and the OUTSIDE interface has a security level of 0. In addition, the ASA is running
system software version 8.4.
Which of the following statements are true regarding the ACL that will be required to enable hosts in the
OUTSIDE network to communicate with the DMZ web server? (Select 2 choices.)

A. The ACL should be applied to the OUTSIDE interface.
B. The ACL should be applied to the DMZ interface.
C. The ACL should reference the DMZWWWEXT object as its source address.
D. The ACL should reference the DMZWWWINT object as its source address.
E. The ACL should reference the DMZWWWEXT object as its destination address.
F. The ACL should reference the DMZWWWINT object as its destination address.

Correct Answer: AF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the access control list (ACL) should be applied to the OUTSIDE interface and should
reference the DMZWWWINT object as its destination address. The Network Address Translation (NAT)
rule in this scenario creates a static mapping between the address of the web server in the DMZ network,
which has been defined as an object named DMZWWWINT, and an address in the OUTSIDE network,
which has been defined as an object named DMZWWWEXT. This static mapping enables hosts on the
outside network to communicate with the DMZ web server by using the DMZWWWEXT address. However,
the Cisco Adaptive Security Appliance (ASA) will deny inbound traffic from the OUTSIDE interface by
default unless it is return traffic from an existing connection or an ACL exists which explicitly permits the
traffic.
You can view, edit, and add ACLs from the Configuration > Firewall > Access Rules pane in Adaptive
Security Device Manager (ASDM). By default, the Access Rules pane contains implicit rules that permit
traffic from higher security interfaces to lower security interfaces and that deny all traffic that has not been
otherwise permitted, as shown in the following exhibit:

You can click the Add button in the Access Rules pane to create a new ACL. When you click the Add
button, ASDM will display the Add Access Rule dialog box, as shown in the following exhibit:

In the Add Access Rule dialog box, you should click the Interface drop-down and select the OUTSIDE
interface if it is not already selected. The ACL should be applied to the OUTSIDE interface; otherwise, the
traffic from the OUTSIDE network would be denied before reaching any of the other ASA interfaces. You
should ensure that the Permit radio button is selected in order to permit the traffic specified by the ACL. The
Source Criteria section of the Add Access Rule dialog box can maintain its default values because traffic
from any source and user should be permitted to access the DMZ web server. The network object
corresponding to the DMZ web server should be specified in the Destination field of the Destination
Criteria section. Because the ASA is running a system software revision that is greater than or equal to
version 8.3, the ACL required for this scenario must use the object named DMZWWWINT as its destination
and not the object named DMZWWWEXT, as would be the case for system software revisions less than
version 8.3. Finally, the Service field should be used to specify the protocols that will be permitted by the
ACL. By default, all IP traffic is permitted; however, as this rule will apply to a web server, it is more secure
to limit the permitted protocols to Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS). You can
either type the protocol object names into the field, or click the browse button to select protocols from a list.
By default, the Add Access Rules dialog box enables the rule in the inbound direction, which is precisely
what is needed in this scenario. The following exhibit shows the Add Access Rules dialog box with sample
values that would be suitable for this scenario:

When you click the OK button, the Access Rules pane will automatically update to display the newly created
ACL, as shown in the following exhibit:

You would not apply an ACL to the DMZ interface. Although you could apply a similar ACL to the DMZ
interface in the outbound direction, traffic from the OUTSIDE interface would be denied by the implicit
Global policy before it had a chance to reach the DMZ interface. There is no need to apply an ACL to the
DMZ interface in the inbound direction because traffic from higher security interfaces is permitted to lower
security interfaces by default. You would not need to supply a source address to the ACL in this scenario,
because all traffic passing through the OUTSIDE interface in the inbound direction is specified instead.
Although you could specify individual hosts or subnets in a similar ACL, it is significantly more efficient to
specify any traffic on the OUTSIDE interface. Typically, the OUTSIDE interface of an ASA connects to the
greatest number of additional networks, such as the Internet, and it would quickly become impractical to
specify all permitted hosts or subnets.
Reference:
Cisco: Configuring Access Rules: Configuring Access Rules

QUESTION 97
According to the branch location ACL design guidelines in the Cisco BYOD Design Guide, which protocols
should not be permitted by the default ACL that is applied to the access ports of a Layer 2 switch? (Select 2
choices.)

A. BOOTP
B. DNS
C. HTTP
D. HTTPS
E. ICMP
F. TFTP

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
According to the branch location access control list (ACL) design guidelines in the Cisco Bring Your Own
Device (BYOD) Design Guide, Hypertext Transfer Protocol (HTTP) and Secure HTTP (HTTPS) should not
be permitted by the default ACL that is applied to the access ports of a Layer 2 switch. In a BYOD
environment, 802.1X, Web Authentication (WebAuth), or Media Access Control (MAC) Authentication
Bypass (MAB) are used to authenticate and authorize the user and the user’s associated device for network
access. Once a wired device authenticates with the Cisco Identity Services Engine (ISE), a downloadable
ACL (dACL) is typically applied to the appropriate access port on the Layer 2 switch to which the device is
attached. HTTP and HTTPS traffic should be permitted by an ACL that is used to redirect web traffic to the
ISE for browser-based authentication if 802.1X or MAB authentication are unavailable. Cisco recommends
denying Domain Name System (DNS) traffic or specifically excluding the IP address of the ISE to prevent
redirection loops. For example, the following ACL denies DNS traffic and permits HTTP and HTTPS traffic
for redirection to the ISE:

switch(config)#ip access-list extended REDIRECT-ACL
switch(config-ext-nacl)#deny udp any any eq domain
switch(config-ext-nacl)#permit tcp any any eq www
switch(config-ext-nacl)#permit tcp any any eq 443

Cisco recommends applying a default ACL to the access ports of Layer 2 switches to mitigate against
situations where a configuration error might prevent a dACL from being applied to the appropriate access
port during the authorization/authentication process. The default ACL should permit Bootstrap Protocol
(BOOTP), DNS, Trivial File Transfer Protocol (TFTP), and Internet Control Message Protocol (ICMP). In
addition, the default ACL should explicitly deny and log all other IP traffic. For example, the following ACL
complies with Cisco’s best common practices (BCP) as outlined in the BYOD Design Guide:
switch(config)#ip access-list extended DEFAULT-ACL
switch(config-ext-nacl)#permit icmp any any
switch(config-ext-nacl)#permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)#permit udp any any eq domain
switch(config-ext-nacl)#permit udp any any eq tftp
switch(config-ext-nacl)#deny ip any any log

Reference:
Cisco: Cisco Bring Your Own Device (BYOD) CVD: ACL Design at Branch Location
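The following Python program is an added illustration, not part of the exam material and not Cisco's code: a small parser and first-match evaluator for the two ACLs in this explanation, so the effect of each entry on a sample packet can be checked offline. It supports only the syntax those ACLs use (permit/deny, a protocol, `any` or `host` addresses, `eq` ports, and `log`), the port-name table is a constructed subset of the names IOS accepts, and the sample packets are constructed. The evaluator reports only the matching entry; what permit and deny mean depends on where the ACL is applied (on a port ACL they filter traffic, while on a redirect ACL `permit` selects the traffic to redirect).

```python
import re
from ipaddress import ip_address, ip_network

# Well-known port names accepted by IOS in place of numbers (the subset used here).
PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68, "tftp": 69}

# Strips the `switch(config)#` / `switch(config-ext-nacl)#` prompt from pasted CLI lines.
PROMPT = re.compile(r"^[\w-]+\([\w-]+\)#")

# The two ACLs from the BYOD guide discussion, in IOS syntax.
DEFAULT_ACL_CLI = """\
switch(config)#ip access-list extended DEFAULT-ACL
switch(config-ext-nacl)#permit icmp any any
switch(config-ext-nacl)#permit udp any eq bootpc any eq bootps
switch(config-ext-nacl)#permit udp any any eq domain
switch(config-ext-nacl)#permit udp any any eq tftp
switch(config-ext-nacl)#deny ip any any log""".splitlines()

REDIRECT_ACL_CLI = """\
switch(config)#ip access-list extended REDIRECT-ACL
switch(config-ext-nacl)#deny udp any any eq domain
switch(config-ext-nacl)#permit tcp any any eq www
switch(config-ext-nacl)#permit tcp any any eq 443""".splitlines()


def _port(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_extended_acl(cli_lines):
    """Parse `ip access-list extended NAME` and its entries.

    Supports the subset the guide's ACLs use: permit/deny, a protocol, `any` or
    `host A.B.C.D` addresses, optional `eq <port>` on either side, and a trailing `log`.
    Returns (name, entries) where each entry is a dict.
    """
    name, entries = None, []
    for line in cli_lines:
        tokens = PROMPT.sub("", line.strip()).split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            name = tokens[3]
            continue
        entry = {"action": tokens[0], "proto": tokens[1]}
        rest = tokens[2:]
        for side in ("src", "dst"):
            addr = rest.pop(0)
            if addr == "host":
                addr = rest.pop(0) + "/32"
            entry[side] = ip_network("0.0.0.0/0" if addr == "any" else addr)
            entry[side + "_port"] = None
            if rest and rest[0] == "eq":
                entry[side + "_port"] = _port(rest[1])
                rest = rest[2:]
        entry["log"] = "log" in rest
        entries.append(entry)
    return name, entries


def evaluate(entries, proto, src, dst, src_port=None, dst_port=None):
    """Evaluate one packet top-down, first match wins; the unlisted implicit deny at the
    end is reported with index None and is never logged."""
    for index, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):
            continue
        if ip_address(src) not in e["src"] or ip_address(dst) not in e["dst"]:
            continue
        if e["src_port"] is not None and e["src_port"] != src_port:
            continue
        if e["dst_port"] is not None and e["dst_port"] != dst_port:
            continue
        return e["action"], e["log"], index
    return "deny", False, None


DEFAULT_ACL = parse_extended_acl(DEFAULT_ACL_CLI)[1]
REDIRECT_ACL = parse_extended_acl(REDIRECT_ACL_CLI)[1]
```

Running a DHCP DISCOVER (UDP 68 to 67 from 0.0.0.0) and a DNS query through DEFAULT-ACL shows why those entries exist: without them a port that never received its dACL could not even obtain an address or resolve the ISE. An HTTPS packet falls through to the explicit `deny ip any any log`, which is what makes the misconfiguration visible in the switch log; an ACL with no explicit deny would drop it silently through the implicit deny.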

QUESTION 98
You have issued the following commands to modify the 802.1X configuration on a switch port:
switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication event no-response action authorize vlan 1313

A new host is attached to the switch port. The host’s MAC address is in the authentication database, but the
host’s certificate for 802.1X authentication is expired.
Which of the following statements is true regarding the host in this scenario? (Select the best answer.)

A. MAB will authorize the host for network access, and the switch port will ignore the host’s 802.1X
authentication attempts.
B. MAB will authorize the host for network access; however, the host will lose network access when it
attempts to authenticate with 802.1X.
C. The host will fail 802.1X authentication and will be assigned to VLAN 1313.
D. The host will fail 802.1X authentication, and the switch will place the port into an unauthorized state.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, Media Access Control (MAC) Authentication Bypass (MAB) will authorize the host for
network access; however, the host will lose network access when it attempts to authenticate with 802.1X. A
switch port can be configured to use 802.1X, MAB, or Web Authentication (WebAuth) to authenticate
clients. The authentication order command is used to specify the order in which the switch should attempt
the configured authentication methods. By default, a switch will attempt 802.1X authentication before other
authentication methods. The authentication order mab dot1x command configures the switch to first use
MAB to authenticate a client based on its MAC address. If the client’s MAC address is not in the
authentication database, the switch will then attempt to authenticate the client with 802.1X. In this scenario,
the client’s MAC address is in the authentication database and MAB will authorize the client for network
access.
Normally, the configured authentication order is mirrored by the priority of each authentication method;
however, you can use the authentication priority command to change the priority. If the priority mirrored the
authentication order in this scenario, the switch would ignore Extensible Authentication Protocol over LAN
(EAPoL) messages after the client was authenticated by MAB and the client would continue to have
authorized network access. However, the authentication priority dot1x mab command changes the default
priority behavior and assigns a higher priority to 802.1X authentication than it does to MAB. This enables a
client to use 802.1X authentication even if it has successfully been authenticated by MAB. Unfortunately,
the client will lose network access when it attempts 802.1X authentication because its certificate is
expired. The authentication event fail action command specifies how the switch should react if an 802.1X
client is detected and the client fails to authenticate. There are two configurable parameters: next-method
and authorize vlan vlan-id. The authorize vlan vlan-id parameter configures the port to a specific restricted
virtual LAN (VLAN). The next-method parameter configures the switch to attempt authentication by using the
next authentication method specified in the authentication order command. If the next-method parameter is
configured, the switch will indefinitely cycle through authentication methods unless WebAuth is configured.
If WebAuth is configured, the authentication process will not loop back to other authentication methods and
the switch will ignore EAPoL messages on the port.
The authentication event noresponse action authorize vlan 1313 command specifies the VLAN into which a
switch should place a port if it does not receive a response to the EAPoL messages it sends on that port.
This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is
configured, the switch will grant non-802.1X-capable clients access to the guest VLAN; however, if an
802.1X-capable device is detected, the switch will place the port into an unauthorized state and will deny
access to all devices on the port.
Reference:
Cisco: Flexible Authentication Order, Priority, and Failed Authentication: Case 2: Order MAB Dot1x and
Priority Dot1x MAB

QUESTION 99
Which of the following are symmetric encryption algorithms? (Select 3 choices.)

A. AES
B. RC4
C. 3DES
D. ECC
E. DH
F. DSA

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are symmetric
encryption algorithms. When symmetric encryption algorithms are used, the same encryption key is used to
encrypt and decrypt data. In addition, because symmetric encryption algorithms use less complex
mathematics than asymmetric encryption algorithms when encrypting and decrypting data, they often
perform faster than asymmetric encryption algorithms.
Two types of symmetric encryption algorithms exist: block ciphers and stream ciphers. Block ciphers derive
their name from the fact that they encrypt fixed-length blocks of data. For example, AES encrypts 128-bit
blocks of data. By contrast, stream ciphers are typically faster than block ciphers because stream ciphers
can encrypt text of variable length depending on the size of the frame to be encrypted; stream ciphers are
not limited to specific block sizes. For example, RC4, a stream cipher, can encrypt data in streams of 8
through 2,048 bits. Other examples of symmetric encryption algorithms include International Data
Encryption Algorithm (IDEA), Skipjack, and Blowfish.
Diffie-Hellman (DH), Digital Signature Algorithm (DSA), and Elliptic Curve Cryptography (ECC) are
asymmetric algorithms. DH is an asymmetric key exchange method. DSA and ECC are asymmetric
encryption algorithms. Asymmetric encryption, also known as public key encryption, uses a public key to
encrypt data and a different, yet mathematically related, private key to decrypt data. Public key
infrastructure (PKI) uses a certificate authority (CA) to tie a public key to a user ID to further ensure the
confidentiality of data. Other examples of asymmetric encryption algorithms include RSA and ElGamal.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94

QUESTION 100
Which of the following statements is correct regarding the traffic types that can be matched in a class map
on a Cisco ASA? (Select the best answer.)

A. A class map can match traffic by TCP port number but not by UDP port number.
B. A class map can match traffic by UDP port number but not by IP precedence.
C. A class map can match traffic by TCP port number but not by IP precedence.
D. A class map can match traffic by UDP port number but not by TCP port number.
E. A class map can match traffic by TCP port number, by UDP port number, and by IP precedence.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A class map can match traffic by Transmission Control Protocol (TCP) port number, by User Datagram
Protocol (UDP) port number, and by IP precedence on a Cisco Adaptive Security Appliance (ASA). A class
map is one of the three basic components of Modular Policy Framework (MPF); policy maps and service
policies are the other two components. MPF is a Cisco ASA feature that provides a flexible method of
enabling security policies on an interface. A class map identifies a specific flow of traffic, a policy map
determines the action that will be performed on the traffic, and a service policy ties this action to a specific
interface. Generally, each class map can contain only a single match statement, and a packet can match
only a single class map within the policy map of a particular feature type. For example, if a packet matched
a class map for File Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would
apply both policy map actions to the packet. However, if a packet matched a class map for FTP inspection
and a second, different class map that included FTP inspection, the ASA would apply only the actions of the
first matching policy map.
You can use the match command from class map configuration mode to identify traffic based on specified
characteristics. The keywords you can use to identify traffic in a class map are closely tied to their
respective characteristics. The match command supports the following keywords: access-list, port,
default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any.
For example, you could issue the following commands to create a class map named CLASSMAP that
identifies traffic using TCP port 25:

asa(config)#class-map CLASSMAP
asa(config-cmap)#match port tcp eq 25

Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A
policy map typically contains references to one or more class maps and defines actions that should be
performed on traffic matched by the specified class maps. If traffic matches multiple class maps for
different actions within a policy map (for instance, if traffic matches a class map for application inspection as
well as a class map for priority queuing), the actions of both class maps will be applied to the traffic. To
continue the example from above, you could issue the following commands to configure a policy map
named POLICYMAP that matches traffic specified by the class map named CLASSMAP and then
processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)#policy-map POLICYMAP
asa(config-pmap)#class CLASSMAP
asa(config-pmap-c)#inspect http

A policy map does not act on traffic until the map has been applied to an interface by a service policy. A
service policy can be applied globally to all interfaces, which will apply application inspection to only traffic
entering the appliance; alternatively, a service policy can be applied to a single interface, which will apply
application inspection to traffic entering and exiting the interface. An interface service policy overrides a
global service policy: if traffic matches both an interface policy and a global policy, only the interface policy
will be applied to that particular traffic flow. To complete the example, you could issue the following
commands to apply the POLICYMAP policy map to the inside interface:

asa(config)#service-policy POLICYMAP interface inside

Reference:
Cisco: Service Policy Using the Modular Policy Framework: Feature Matching Within a Service Policy
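The following Python program is an added illustration, not part of the exam material and not Cisco's code: a simulation of the MPF matching rules exactly as this explanation states them (one match criterion per class map; within a policy map a packet is acted on by the first matching class map of each feature type, while class maps of different feature types all apply; an interface service policy overrides the global one, and the global policy applies only to traffic entering the appliance). It does not model the real ASA's full feature-matching behaviour. The class map CLASSMAP, the policy map POLICYMAP and the `inside` binding come from the explanation; the additional class maps, the global policy, the feature-type labels and the sample packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    dst_port: int
    precedence: int = 0     # IP precedence value, 0 through 7
    interface: str = "inside"
    direction: str = "in"   # "in" = entering the appliance on that interface, "out" = leaving it


# Class maps: each holds one match criterion, mirroring `match port`, `match precedence`
# and the catch-all `match any` of the ASA CLI.
def match_port(proto, port):
    return lambda p: p.proto == proto and p.dst_port == port


def match_precedence(value):
    return lambda p: p.precedence == value


CLASS_MAPS = {
    "CLASSMAP": match_port("tcp", 25),          # the explanation's class map: TCP port 25
    "ALL_TCP": lambda p: p.proto == "tcp",      # constructed: a broader inspection class
    "CRITICAL": match_precedence(5),            # constructed: a QoS class
    "class-default": lambda p: True,            # constructed: catch-all used by the global policy
}

# Policy maps: ordered (class map, action, feature type). A packet is acted on by at most
# one class map per feature type, the first one in order that matches; class maps of
# different feature types (inspection, QoS, ...) all apply to the same packet.
POLICY_MAPS = {
    "POLICYMAP": [("CLASSMAP", "inspect http", "inspection"),
                  ("ALL_TCP", "inspect ftp", "inspection"),
                  ("CRITICAL", "priority", "qos")],
    "GLOBAL_POLICY": [("class-default", "inspect dns", "inspection")],
}

# Service policies: which policy map is bound globally and which to the inside interface
# (`service-policy POLICYMAP interface inside`).
SERVICE_POLICIES = {"global": "GLOBAL_POLICY", "inside": "POLICYMAP"}


def actions_for(policy_map, packet):
    """Actions a single policy map applies to the packet, honouring the one-class-per-
    feature-type rule."""
    applied, claimed = [], set()
    for cls, action, feature in POLICY_MAPS[policy_map]:
        if feature not in claimed and CLASS_MAPS[cls](packet):
            claimed.add(feature)
            applied.append(action)
    return applied


def apply_service_policy(packet):
    """The interface policy wins if one is bound to the packet's interface; otherwise the
    global policy applies, and only to traffic entering the appliance."""
    if packet.interface in SERVICE_POLICIES:
        return actions_for(SERVICE_POLICIES[packet.interface], packet)
    if packet.direction == "in" and "global" in SERVICE_POLICIES:
        return actions_for(SERVICE_POLICIES["global"], packet)
    return []
```

A TCP/25 packet on the inside interface matches both CLASSMAP and ALL_TCP, but only CLASSMAP's `inspect http` is applied because both are inspection-type actions; give the same packet precedence 5 and the QoS action `priority` is applied alongside it. A DNS packet on an interface with no policy of its own gets the global policy on ingress and nothing on egress, and the same packet on the inside interface gets nothing at all, because the interface policy replaces the global one there.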

QUESTION 101
Which of the following EAP authentication protocols requires both a client and a server digital certificate?
(Select the best answer.)

A. LEAP
B. PEAP
C. EAP-FAST
D. EAP-TLS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extensible Authentication Protocol (EAP)-Transport Layer Security (TLS) requires both a client and a server
digital certificate. EAP-TLS is an authentication protocol that can be used for point-to-point connections and
for both wired and wireless links. EAP-TLS performs mutual authentication to secure the authentication
process. When EAP-TLS is used, a digital certificate must be installed on the authentication server and each
client that must authenticate with the server. The digital certificate used on clients and the server must be
obtained from the same certificate authority (CA).
Protected EAP (PEAP) does not require that clients be configured with digital certificates. When EAP-PEAP
is used, only servers are required to be configured with digital certificates. Clients can use alternative
authentication methods, such as one-time passwords (OTPs).
Lightweight EAP (LEAP) does not require either the server or the client to be configured with a digital
certificate. When LEAP is used, the client initiates an authentication attempt with a Remote Authentication
Dial-In User Service (RADIUS) server. The RADIUS server responds with a challenge response. If the
challenge/response process is successful, the client then validates that the RADIUS server is correct for the
network. If the RADIUS server is validated, the client will connect to the network.
Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (FAST) does not require either the
server or the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access
Credentials (PACs) are used to authenticate users. The EAP-FAST authentication process consists of three
phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a
PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a
client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves
creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2,
involves authenticating the client. If the client is authenticated, the client will be able to access the network.
Reference:
Cisco: EAP-TLS Deployment Guide for Wireless LAN Networks: 5.2 Certificate Requirements

QUESTION 102
The system software on a Cisco Catalyst 3750 series switch was corrupted during a failed upgrade, and
now the switch no longer passes the POST on restart. You want to use the Xmodem Protocol to recover the
system software.
To which of the following ports on the switch could you connect? (Select the best answer.)

A. an Ethernet port in the management VLAN
B. the auxiliary port
C. the console port
D. the highest numbered Ethernet port on the switch
E. the lowest numbered Ethernet port on the switch

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should connect to the console port of a Cisco Catalyst 3750 series switch to use the Xmodem Protocol
for system software recovery. Xmodem is a simple, error-correcting transfer protocol that can be used to
transfer an IOS software image from a PC to a Cisco switch or router through its console port. When the
system software image on a switch or router becomes corrupted, the system will fail the power-on self-test
(POST) when it reloads and it will typically halt in an administrative mode, which is commonly called
read-only memory (ROM) monitor (ROMmon) mode. You can identify this mode on a switch or router by the
command prompt that is displayed at the console: switch: on a switch and rommon 1 > on a router. When in
ROMmon mode, a switch or router will no longer forward packets and thus can no longer be reached
through traditional in-band management methods, such as through a management virtual LAN (VLAN) or an
active network interface. Instead, you must use an out-of-band management method to access a switch or
router in ROMmon mode. The only out-of-band access method available on a Cisco 3750 series switch that
supports Xmodem for system software recovery is the console port.
On a Cisco router, you could use either the console port or the auxiliary (AUX) port for out-of-band access if
the router is in ROMmon mode. The AUX port on a Cisco router is typically capable of supporting most of
the features available on a console port. Cisco switches either do not have AUX ports or do not support
certain features, such as system recovery, on their AUX ports if they have them.
Reference:
Cisco: Recovering Catalyst Fixed Configuration Switches from a Corrupted or Missing Image

QUESTION 103
Which of the following security functions is associated with the control plane? (Select the best answer.)

A. device configuration protection
B. device resource protection
C. traffic accounting
D. traffic filtering

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Device resource protection is a security function that is associated with the control plane. Cisco devices are
generally divided into three planes: the control plane, the management plane, and the data plane. Each
plane is responsible for different operations, and each plane can be secured by implementing various
security methods.
The control plane is responsible for the creation and maintenance of structures related to routing and
forwarding. These functions are heavily dependent on the CPU and memory availability. Therefore, control
plane security methods protect against unauthorized traffic destined for the router, which can modify route
paths and consume excessive resources. Path modification can be caused by manipulating the traffic
generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path
modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP
authentication, and STP protection features. In addition, excessive CPU and memory consumption can be
caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control
plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Traffic accounting and traffic filtering are security features that are associated with the data plane. The data
plane is responsible for traffic passing through the router, which is referred to as transit traffic. Therefore,
data plane security protects against unauthorized packet transmission and interception. Threats such as IP
spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing,
Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and unauthorized
network access can be mitigated and monitored by implementing features such as the following:
- ARP inspection
- Antispoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

Device configuration protection is associated with the management plane. Management plane security
protects against unauthorized device access and configuration. Unauthorized access can be mitigated by
implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing
Management Plane Protection (MPP), which creates protected management channels over which
administrators must connect in order to access device administration features. Management traffic can be
encrypted by implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by
implementing Role-Based Access Control (RBAC), whereby administrators are limited to using only the
features they need to accomplish their jobs. Detection and logging of management plane access can be
performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog
servers.
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices

QUESTION 104
Which of the following statements are true regarding IDS devices? (Select 2 choices.)

A. They can send alerts.
B. They do not sit inline with the flow of network traffic.
C. They can directly block a virus before it infiltrates the network.
D. They can detect malicious traffic only by signature matching.
E. They function identically to IPS devices.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Intrusion Detection System (IDS) devices can send alerts and do not sit inline with the flow of network
traffic. An IDS is a network monitoring device that passively monitors network traffic and actively sends
alerts to a management station when it detects malicious traffic. An IDS typically has one promiscuous
network interface attached to each monitored network. Because traffic does not flow through the IDS, the
IDS is unable to directly block malicious traffic; however, an IDS can do any of the following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections
An IDS can prevent further instances of previously detected malicious traffic from passing onto the network
by creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices
that reside in the flow of traffic. Although signature-based pattern matching is the primary method used by an
IDS to detect malicious traffic, an IDS can also consider policy definitions and historical traffic behavior
when analyzing network packets.
By contrast, an Intrusion Prevention System (IPS) typically sits inline with the flow of traffic and can
therefore block malicious traffic before it passes onto the network. An inline IPS can perform the following
actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections
However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped. Analyzing all
of the traffic that passes through the IPS can cause latency and jitter. Alternatively, an IPS can be
configured to operate in promiscuous mode, which would make it functionally similar to an IDS. Typically, an
IPS is configured to use signature-based pattern matching to block traffic that has been definitively marked
as malicious. Traffic that is suspect but has not been confirmed as malicious is referred to as gray area
traffic and is not discarded by an IPS. If an IDS is used in conjunction with an IPS, the IDS can be
configured to monitor the gray area traffic in greater detail without affecting the flow of traffic through the
IPS.

Reference:
Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and
Prevention Systems

QUESTION 105
Which of the following statements are true regarding TACACS+? (Select 2 choices.)

A. It encrypts the entire body of a packet.
B. It combines authorization and authentication functions.
C. It provides router command authorization capabilities.
D. It uses UDP for packet delivery.
E. It was developed as an IETF standard protocol.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Terminal Access Controller Access Control System Plus (TACACS+) encrypts the entire body of a packet
and provides router command authorization capabilities. TACACS+ is a Cisco-proprietary protocol that uses
Transmission Control Protocol (TCP) for transport during Authentication, Authorization, and Accounting
(AAA) operations. TACACS+ provides more security and flexibility than other authentication protocols, such
as Remote Authentication Dial-In User Service (RADIUS), which is an open standard protocol commonly
used as an alternative to TACACS+. Because TACACS+ can be used to encrypt the entire body of a
packet, users who intercept the encrypted packet cannot view the user name or contents of the packet. In
addition, TACACS+ provides flexibility by separating the authentication, authorization, and accounting
functions of AAA. This enables granular control of access to resources. For example, TACACS+ gives
administrators control over access to configuration commands; users can be permitted or denied access to
specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco Secure Access
Control Server (ACS), which is a software tool that is used to manage user authorization for router access.
RADIUS, not TACACS+, was developed as an Internet Engineering Task Force (IETF) standard protocol.
Like TACACS+, RADIUS is a protocol used with AAA operations. However, RADIUS uses User Datagram
Protocol (UDP) for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts
only the password of a packet; the rest of the packet would be viewable if the packet were intercepted by a
malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a
single function, which limits the flexibility that administrators have when configuring these functions.
Furthermore, RADIUS does not provide router command authorization capabilities.
Reference:
Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS
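As an added illustration of the point above that RADIUS hides only the password while the rest of the packet stays readable (this is example code written for this page, not code from Cisco or from the referenced documents), the following Python builds a minimal Access-Request the way RFC 2865, section 5.2, hides the User-Password attribute with MD5 and the shared secret, then walks the packet without the secret to show that the User-Name is still in cleartext. The shared secret, Request Authenticator and credentials are constructed sample values.

```python
import hashlib
import os
import struct
from typing import Dict, Optional

# RFC 2865 attribute types and packet code used below
USER_NAME = 1
USER_PASSWORD = 2
ACCESS_REQUEST = 1


def hide_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Obfuscate a User-Password value as described in RFC 2865, section 5.2.

    The password is null-padded to a multiple of 16 octets and each 16-octet
    block is XORed with MD5(secret + previous block), where the first
    "previous block" is the 16-octet Request Authenticator. Only this one
    attribute is protected; the rest of the packet travels in cleartext.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block  # chaining: the next keystream block depends on this output block
    return bytes(hidden)


def reveal_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Reverse hide_user_password(); this is what the RADIUS server does."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password length must be a multiple of 16")
    padded = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(padded).rstrip(b"\x00")  # strip the null padding


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (the length covers the 2-octet header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, username: bytes,
                         password: bytes, authenticator: Optional[bytes] = None) -> bytes:
    """Assemble an Access-Request: code, identifier, length, authenticator, attributes."""
    if authenticator is None:
        authenticator = os.urandom(16)  # a real client picks a fresh random value per request
    attrs = _attribute(USER_NAME, username)
    attrs += _attribute(USER_PASSWORD, hide_user_password(secret, authenticator, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list of a RADIUS packet without any key, i.e. what an
    observer on the path can read. Returns {type: value}; types are not repeated here."""
    attrs = {}
    pos = 20  # attributes start after the 20-octet header
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    secret = b"radius-shared-secret"
    authenticator = bytes(range(16))
    packet = build_access_request(secret, 7, b"alice", b"correct horse battery staple", authenticator)
    seen = parse_attributes(packet)
    print("User-Name on the wire:", seen[USER_NAME])                # readable without the secret
    print("User-Password on the wire:", seen[USER_PASSWORD].hex())  # hidden, two 16-octet blocks
```
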

QUESTION 106
Which of the following protocols can IPSec use to provide the integrity component of the CIA triad? (Select
2 choices.)

A. GRE
B. AH
C. AES
D. ESP
E. DES

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
IP Security (IPSec) can use either Authentication Header (AH) or Encapsulating Security Payload (ESP) to
provide the integrity component of the confidentiality, integrity, and availability (CIA) triad. The integrity
component of the CIA triad ensures that data is not modified in transit by unauthorized parties. AH and ESP
are integral parts of the IPSec protocol suite and can be used to ensure the integrity of a packet. Data
integrity is provided by using checksums on each end of the connection. If the data generates the same
checksum value on each end of the connection, the data was not modified in transit. In addition, AH and
ESP can authenticate the origin of transmitted data. Data authentication is provided through various
methods, including user name/password combinations, preshared keys (PSKs), digital certificates, and
one-time passwords (OTPs). Although AH and ESP perform similar functions, ESP provides additional
security by encrypting the contents of the packet. AH does not encrypt the contents of the packet.
In addition to data authentication and data integrity, IPSec can provide confidentiality, which is another
component of the CIA triad. IPSec uses encryption protocols, such as Advanced Encryption Standard (AES)
or Data Encryption Standard (DES), to provide data confidentiality. Because the data is encrypted, an
attacker cannot read the data if he or she intercepts the data before it reaches the destination. IPSec does
not use either AES or DES for data authentication or data integrity.
Generic Routing Encapsulation (GRE) is a protocol designed to tunnel any Layer 3 protocol through an IP
transport network. Because the focus of GRE is to transport many different protocols, it has very limited
security features. By contrast, IPSec has strong data confidentiality and data integrity features, but it can
transport only IP traffic. GRE over IPSec combines the best features of both protocols to securely transport
any protocol over an IP network. However, GRE itself does not provide data integrity or data authentication.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works

QUESTION 107
RouterA is configured to establish an IKE tunnel with RouterB. You issue the show crypto isakmp sa
command on RouterA and receive the following output:
dst             src             state          conn-id slot
10.1.2.3        10.1.2.4        MM_SA_SETUP    1       0
Which of the following statements is true? (Select the best answer.)

A. RouterA has negotiated ISAKMP SA parameters with RouterB.
B. RouterA has exchanged keys with RouterB.
C. RouterA has generated a shared secret.
D. RouterA uses three transactions to negotiate an ISAKMP SA.
E. RouterA has established an active IKE SA.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
RouterA has negotiated Internet Security Association and Key Management Protocol (ISAKMP) security
association (SA) parameters with RouterB. The show crypto isakmp sa command displays the status of
current Internet Key Exchange (IKE) SAs on the router. The MM_SA_SETUP state indicates that the IKE
peers are using main mode for phase 1 negotiations and that they have successfully negotiated security
parameters. IKE has two modes for phase 1 security negotiation: main mode and aggressive mode. The
following states are used during main mode:
- MM_NO_STATE - The peers have created the SA.
- MM_SA_SETUP - The peers have negotiated SA parameters.
- MM_KEY_EXCH - The peers have exchanged Diffie-Hellman (DH) keys and have generated a shared
secret.
- MM_KEY_AUTH - The peers have authenticated the SA.
The following states are used during aggressive mode:
- AG_NO_STATE - The peers have created the SA.
- AG_INIT_EXCH - The peers have negotiated SA parameters and exchanged keys.
- AG_AUTH - The peers have authenticated the SA.

Quick mode is used during IKE phase 2. The only state in quick mode is QM_IDLE, which indicates that IKE
phase 1 has completed successfully and that there is an active IKE SA between peers.
Because RouterA is using main mode, RouterA requires six transactions, not three, to negotiate an
ISAKMP SA. Main mode requires six transactions for IKE peers to negotiate security parameters, generate
a shared secret, and mutually authenticate. Aggressive mode requires only three transactions to negotiate
security parameters, establish a key management tunnel, and mutually authenticate.
RouterA has not yet exchanged keys with RouterB or generated a shared secret. Key exchange and shared
secret generation occurs during the MM_KEY_EXCH state.
Reference:
Cisco: Cisco IOS Security Command Reference: show crypto isakmp sa
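
As an added example (not part of the original explanation or of Cisco's documentation), the following Python parses show crypto isakmp sa output of the layout shown in the question and translates each SA's state into what the peers have and have not done yet, using the main mode, aggressive mode and quick mode state lists above. Columns are taken from the header line, so the parser also tolerates layouts with additional columns and skips banner lines; that generalization is an assumption, not something the page states.

```python
from typing import Dict, List

# Phase 1 state sequences as listed in the explanation above; order matters.
MAIN_MODE_STATES = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH"]
AGGRESSIVE_MODE_STATES = ["AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH"]
PHASE2_STATE = "QM_IDLE"


def describe_state(state: str) -> Dict[str, object]:
    """Translate an ISAKMP SA state into what the peers have (and have not) done yet."""
    s = state.upper()
    if s in MAIN_MODE_STATES:
        step = MAIN_MODE_STATES.index(s)
        return {"mode": "main", "exchanges": 6,
                "params_negotiated": step >= 1,   # MM_SA_SETUP or later
                "keys_exchanged": step >= 2,      # MM_KEY_EXCH or later
                "authenticated": step >= 3,       # MM_KEY_AUTH
                "phase1_complete": False}         # only QM_IDLE signals a finished phase 1
    if s in AGGRESSIVE_MODE_STATES:
        step = AGGRESSIVE_MODE_STATES.index(s)
        return {"mode": "aggressive", "exchanges": 3,
                "params_negotiated": step >= 1,   # AG_INIT_EXCH also carries the key exchange
                "keys_exchanged": step >= 1,
                "authenticated": step >= 2,       # AG_AUTH
                "phase1_complete": False}
    if s == PHASE2_STATE:
        return {"mode": "quick", "exchanges": None, "params_negotiated": True,
                "keys_exchanged": True, "authenticated": True, "phase1_complete": True}
    raise ValueError("unknown ISAKMP SA state: %r" % state)


def parse_isakmp_sa(output: str) -> List[Dict[str, str]]:
    """Parse 'show crypto isakmp sa' output into one dict per SA row.

    Column names come from the header line that starts with 'dst'. Lines seen
    before the header, or with fewer fields than the header (banner lines),
    are skipped.
    """
    header = None
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].lower() == "dst":
            header = [f.lower() for f in fields]
            continue
        if header is None or len(fields) < len(header):
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def sa_report(output: str) -> List[Dict[str, object]]:
    """Combine parsing and state interpretation for every SA in the output."""
    report = []
    for row in parse_isakmp_sa(output):
        info = {"dst": row["dst"], "src": row["src"], "state": row["state"]}
        info.update(describe_state(row["state"]))
        report.append(info)
    return report


# Constructed sample mirroring the output quoted in the question.
SAMPLE_OUTPUT = """\
dst             src             state          conn-id slot
10.1.2.3        10.1.2.4        MM_SA_SETUP    1       0
"""

if __name__ == "__main__":
    for sa in sa_report(SAMPLE_OUTPUT):
        print(sa)
```
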

QUESTION 108
Which of the following worms was used in an act of cyber warfare against Iranian ICSs? (Select the best
answer.)

A. Blaster
B. Nachi
C. Stuxnet
D. Welchia

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Stuxnet worm was used in an act of cyber warfare against Iranian industrial control systems (ICSs).
Stuxnet is a Microsoft Windows worm that was discovered in the wild as early as 2008. It was written to
target specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited
vulnerabilities in the printer spooler service; however, later variants exploited a vulnerability in the way that
Windows processes shortcuts. Research from Symantec published in 2011 indicated that at the time, more
than 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its
variants and discovered that five organizations were the primary targets of infection and that further
infections were likely collateral damage from the aggressive manner in which the worm spreads throughout
the network. Given the considerable cost in resources and man-hours that would have been required to craft
the Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear
materials refinement facilities.
Blaster is a worm that targeted a vulnerability in the Distributed Component Object Model (DCOM) Remote
Procedure Call (RPC) service on Microsoft Windows hosts. The worm carried a destructive payload that
configured the target host to engage in Denial of Service (DoS) attacks on Microsoft update servers.
Like Blaster, Welchia is a worm that targeted a vulnerability in the DCOM RPC service. In fact, Welchia
exploited the exact same vulnerability as the Blaster worm. Welchia was developed to scan the network for
vulnerable machines, infect them, and then remove the Blaster worm if present. It was even designed to
download and install the appropriate patch from Microsoft to fix the vulnerability that it and Blaster initially
exploited to infect the target machine. However, despite the good-natured design intentions of the Welchia
worm, its network-scanning component inadvertently caused DoS attacks on several large networks,
including those of the United States armed forces. Welchia was also referred to by the name Nachi.
Reference:
Cisco: Protecting Industrial Control Systems with Cisco IPS Industrial Signatures
Symantec: Security Response: W32.Stuxnet Dossier (PDF)

QUESTION 109
Which of the following statements is true regarding the Cisco IOS Resilient Configuration feature? (Select
the best answer.)

A. Extra space is not required to secure the primary IOS image file.
B. Image or configuration mismatches are not automatically detected.
C. Only remote storage can be used for securing configuration files.
D. The feature can be disabled remotely.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Extra space is not required to secure the primary IOS image file with the Cisco IOS Resilient Configuration
feature. The Resilient Configuration feature is designed to protect system and configuration files from
tampering and accidental deletion. You can issue the following block of commands to enable the Resilient
Configuration feature:

Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config

When the feature is enabled, the primary system image file and associated running configuration are
securely archived in local persistent storage; you cannot select a remote storage location. The secure
boot-image command enables the image resilience component of the Resilient Configuration feature and
effectively hides the system image from the directory structure. This means that the system image will no
longer be displayed when the dir command is issued from the command prompt of an EXEC shell; you can
issue the show secure bootset command to verify that the system image has been archived. In addition,
because the system image file is not copied to a secure location, extra storage is not required to secure it.
By contrast, the secure boot-config command creates a hidden copy of the running configuration file. The
secured versions of the system image and running configuration are referred to as the primary bootset.
You can restore either or both components of the primary bootset at any time. The system image can be
restored from read-only memory (ROM) monitor (ROMmon) mode and the running configuration can be
restored from the global configuration mode by using the restore parameter of the secure boot-config
command. Once the system image and running configuration have been secured, the router will track
version mismatches and produce a console message if the system image or running configuration have
mismatched versions. Once the Resilient Configuration feature is enabled, it can only be disabled from the
console.
Reference:
Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration

QUESTION 110
Which of the following can be installed on a host to analyze and prevent malicious traffic on that host?
(Select the best answer.)

A. antivirus software
B. a HIPS
C. a personal firewall
D. a proxy server

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent
malicious traffic on that host. An Intrusion Prevention System (IPS) can be used to actively monitor,
analyze, and block malicious traffic before it infects devices. HIPS software can be installed on a host
computer to protect that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an
independent operating platform, often a standalone appliance or a hardware module installed in a chassis.
A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent
to other devices on the network. One advantage of using a NIPS over a HIPS is that a NIPS can detect
low-level network events, such as the scanning of random hosts on the network; a HIPS can only detect
scans for which it is the target. A HIPS and a NIPS can be used together to provide an additional layer of
protection.
Although you could install a personal firewall to protect a host from malicious traffic, a personal firewall does
not perform traffic analysis. However, a personal firewall can work in conjunction with other software, such
as a HIPS or a NIPS, to protect a host from a wider array of malicious activities. For example, Cisco
Advanced Malware Protection (AMP) for Endpoints can work in conjunction with a personal firewall to
provide threat protection and advanced analytics.
You could not install antivirus software to analyze and prevent malicious traffic on that host. Antivirus
software monitors the file system and memory space on a host for malicious code. Although the antivirus
software might protect the host from malicious file execution, it would be unable to protect the host from
malicious traffic. Some antivirus vendors offer integrated security suites, which feature personal firewall,
HIPS, antivirus, and antimalware components.
You could not install a proxy server on a host to analyze and prevent malicious traffic on that host. A proxy
server is typically an application layer gateway that provides resource caching and traffic filtering for a
particular class of traffic, such as web content. Although you could install a proxy server locally on a host, it
would not have a significant effect on malicious traffic directed at the host nor would it be able to analyze its
content.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp.
498-499

QUESTION 111
Which of the following traffic types can be detected by the FirePOWER rate-based prevention preprocessor
engine? (Select the best answer.)

A. Back Orifice traffic
B. distributed port scan traffic
C. port sweep traffic
D. SYN flood traffic

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The FirePOWER rate-based prevention preprocessor engine can detect SYN flood traffic. A FirePOWER
Intrusion Prevention System (IPS) has several predefined preprocessor engines that can be used in
network policies to detect specific threats; the preprocessors focus on detecting Back Orifice attacks,
detecting port scan attacks, preventing rate-based attacks, and detecting sensitive data. The rate-based
prevention preprocessor detects traffic abnormalities based on the frequency of certain types of traffic. The
following traffic patterns can trigger rate-based attack prevention:

- Traffic containing excessive incomplete Transmission Control Protocol (TCP) connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

Distributed port scan traffic and port sweep traffic can be detected by the portscan detection preprocessor.
Port scanning traffic can be an indicator that an attacker is conducting network reconnaissance prior to an
attack. Although legitimate port scanning traffic can periodically exist on a network, the portscan detection
preprocessor can distinguish between legitimate scanning and potentially malicious traffic based on the
activity patterns found in the analysis of port scanning traffic.
The FirePOWER IPS has a preprocessor dedicated to Back Orifice traffic. Back Orifice and its variants
exploit a vulnerability in Microsoft Windows hosts to gain complete administrative control of the host. Back
Orifice traffic can be identified by the presence of a specific token, known as a magic cookie, in the first
eight bytes of a User Datagram Protocol (UDP) packet.
Reference:
Cisco: Detecting Specific Threats: Understanding Rate-Based Attack Prevention
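
To make the first two triggers above concrete, here is an added Python example (written for this page; it is not FirePOWER code and the thresholds are assumed values, not FirePOWER defaults) of a sliding-window detector that counts incomplete and complete TCP connections per source address and raises an alert when a count in the window exceeds its limit. It runs over a constructed set of connection events containing one normal client and one source sending a burst of SYNs that never complete the handshake.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TcpEvent:
    """One observed TCP connection attempt (constructed sample data, not a real capture)."""
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int
    completed: bool  # True: three-way handshake finished; False: SYN seen, never completed


Alert = Tuple[str, str, int]  # (source address, "incomplete" | "complete", count in window)


class RateBasedDetector:
    """Sliding-window counter modelled on the two connection-rate triggers listed above.

    Keeps, per source address, the timestamps of incomplete and of complete
    connections seen in the last `window` seconds and raises one alert per
    (source, kind) when a count exceeds its threshold. The window and the
    thresholds are assumed values for illustration.
    """

    def __init__(self, window: float = 10.0, max_incomplete: int = 20, max_complete: int = 100):
        self.window = window
        self.limits = {"incomplete": max_incomplete, "complete": max_complete}
        self._seen: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._alerted = set()

    def feed(self, event: TcpEvent) -> Optional[Alert]:
        """Record one event (events must arrive in timestamp order); return an Alert or None."""
        kind = "complete" if event.completed else "incomplete"
        key = (event.src, kind)
        q = self._seen[key]
        q.append(event.ts)
        # Drop timestamps that have fallen out of the window.
        while q and event.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limits[kind] and key not in self._alerted:
            self._alerted.add(key)  # alert once per burst rather than on every further packet
            return (event.src, kind, len(q))
        return None


def run_detector(events: List[TcpEvent], **thresholds) -> List[Alert]:
    """Feed events in time order and collect the alerts raised."""
    detector = RateBasedDetector(**thresholds)
    alerts = []
    for event in sorted(events, key=lambda e: e.ts):
        alert = detector.feed(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


def constructed_events() -> List[TcpEvent]:
    """A normal client plus a SYN-flooding source, both talking to the same web server."""
    # Normal client: five completed connections spread over ten seconds.
    events = [TcpEvent(i * 2.0, "10.0.0.5", "10.0.0.80", 443, True) for i in range(5)]
    # Flooding source: thirty half-open connections within 1.5 seconds.
    events += [TcpEvent(3.0 + i * 0.05, "10.0.0.99", "10.0.0.80", 443, False) for i in range(30)]
    return events


if __name__ == "__main__":
    for src, kind, count in run_detector(constructed_events()):
        print("rate-based alert: %d %s connections from %s within the window" % (count, kind, src))
```

The same thirty half-open connections spread over a minute stay below the threshold in any ten-second window, which is the difference between a flood and ordinary connection failures.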

QUESTION 112
Which of the following commands should you issue to allow a packet to exit an ASA through the same
interface through which it entered the ASA? (Select the best answer.)

A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. security-level 0
D. security-level 100
E. established

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
To allow a packet to exit a Cisco Adaptive Security Appliance (ASA) through the same interface through
which it entered, which is also known as hairpinning, you should issue the same-security-traffic permit
intra-interface command. By default, an ASA does not allow packets to enter and exit through the same
physical interface. However, because multiple logical virtual LANs (VLANs) can be assigned to the same
physical interface, it is sometimes necessary to allow a packet to enter and exit through the same interface.
The same-security-traffic permit intra-interface command allows packets to be sent and received from the
same interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for
which you would need to use the same-security-traffic permit intra-interface command is if multiple users need
to connect via virtual private network (VPN) through the same physical interface. These users will not be
able to communicate with one another unless the same-security-traffic permit intra-interface command has been
issued from global configuration mode.
You should not issue the same-security-traffic permit inter-interface command to allow a packet to exit
through the same interface through which it entered. The same-security-traffic permit inter-interface command
is used to allow communication between different interfaces that share the same security level. Typically,
interfaces with the same security level are not allowed to communicate with each other.
You should not issue either the security-level 0 command or the security-level 100 command to allow a
packet to exit through the same interface through which it entered. The security-level command is used to
set the security level on a physical interface. Security level 0 should be used to achieve the lowest security
level possible, whereas security level 100 should be used to achieve the highest security level available.
You should not issue the established command to allow a packet to exit through the same interface through
which it entered. The established command is used to allow inbound traffic on any interface that has already
established an outbound connection with the ASA. For example, you could issue the established tcp 4567 0
command to configure the ASA to allow an external host to initiate a connection through the ASA to an
internal host after the internal host has first established a Transmission Control Protocol (TCP) connection
to port 4567 on the external host. The established command is often used to support protocols such as
streaming media protocols that negotiate the ports for return traffic.
Reference:
Cisco: Configuring Interfaces: Allowing Same Security Level Communication

QUESTION 113
Which of the following devices requires that a physical interface be in promiscuous mode in order to monitor
network traffic? (Select the best answer.)

A. an IPS
B. a firewall
C. a router
D. an IDS
E. an ASA

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An Intrusion Detection System (IDS) requires that a physical interface be in promiscuous mode in order to
monitor network traffic. An IDS is a network monitoring device that does not sit inline with the flow of
network traffic; an IDS passively monitors a copy of network traffic, not the actual packet. Typically, an IDS
has one promiscuous network interface attached to each monitored network. A promiscuous device listens
to all data flowing past it regardless of the destination. Because traffic does not flow through the IDS, the
IDS cannot mitigate single-packet attacks and is unable to directly block malicious traffic, like a virus, before
it passes onto the network. However, an IDS can actively send alerts to a management station when it
detects malicious traffic.
An Intrusion Prevention System (IPS) sits inline with the flow of traffic, thus actively monitoring network
traffic and blocking malicious traffic, such as an atomic or single-packet attack, before it passes onto the
network. Blocking an attack inline can prevent the attack from spreading further into the network. An IPS
requires at least two interfaces for each monitored network: one interface listens to traffic entering the IPS,
and the other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it
passes traffic through to destinations on the same subnet; an IPS cannot route to destinations on a
different subnet. An interface of an IPS can be put in promiscuous mode; when this happens, the device
operates as an IDS on that interface. However, an IPS does not require that a physical interface be in
promiscuous mode in order to monitor network traffic.
A firewall is a network security device that protects a trusted network from an untrusted network, such as
the Internet. Firewalls can operate in either routed mode or transparent mode. In routed mode, the firewall
acts as a Layer 3 device that can perform Network Address Translation (NAT) and route traffic between
virtual LANs (VLANs) on different subnets. In transparent mode, the firewall acts as a Layer 2 bridge in that
it can pass traffic through to destinations on the same subnet but cannot route to destinations on a different
subnet. Although a firewall is a security appliance that permits or denies traffic on a network, a firewall does
not require that a physical interface be in promiscuous mode in order to monitor network traffic.
A router is a device that connects multiple subnets of the same or different networks and passes
information between them. The functionality of a router can vary depending on the size of the network on
which it is deployed. For example, a Cisco IPS Advanced Integration Module (AIM) can be installed in a
router to integrate IPS functionality at the hardware level. Alternatively, an IOS feature set with IPS
capabilities can be installed to provide IPS functionality at the software level. A router operating as an IPS or
IDS can serve as a part of the network security structure as well as a bridge between two segments of the
network. Although a router can function as an IPS or IDS, a router does not require that a physical interface
be in promiscuous mode in order to monitor network traffic.
The Cisco Adaptive Security Appliance (ASA) is a multifunction appliance that can provide firewall, virtual
private network (VPN), intrusion prevention, and content security services. The Cisco ASA is based on the
framework of the Private Internet Exchange (PIX) firewall appliance. If used as an IPS device in IDS mode,
or promiscuous mode, the Cisco ASA can have a physical interface in promiscuous mode; however, the Cisco
ASA does not require that a physical interface be in promiscuous mode in order to monitor network traffic.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 114
Which of the following is typically implemented in a cluster configuration? (Select the best answer.)

A. ACS
B. CSA
C. CTA
D. SSC

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco Secure Access Control System (ACS) is typically implemented in a cluster configuration. ACS is an
Authentication, Authorization, and Accounting (AAA) server that uses Remote Authentication Dial-In User
Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) to provide AAA
services for users, hosts, and network infrastructure devices such as switches and routers. An ACS
deployment typically consists of a primary server responsible for configuration, authentication, and policy
enforcement and one or more secondary servers serving as a backup in case the primary server fails. In
large-scale deployments, the primary server’s function is typically relegated to configuration and
synchronization services, whereas the secondary servers provide AAA services to the network clients.
Cisco Trust Agent (CTA) is responsible for ascertaining the status of security applications and management
tools that are installed on a client. As client software, CTA communicates host posture information back to a
network access device on a Cisco Network Admission Control (NAC) framework. NAC is a Cisco feature
that prevents hosts from accessing the network if they do not comply with organizational requirements, such
as containing an updated antivirus definition file. When NAC is configured on an access device, such as a
router or switch, the NAC device intercepts connections from hosts that are not yet registered on the
network. When a host attempts to connect to the network, the access device queries the CTA running on
the host for the host's security status. The access device then sends this information to the ACS, which
determines whether the host is in compliance with organizational security policies. If the host is in
compliance, it is allowed to access the network? if the host is not in compliance, it can be denied access,
quarantined, or allowed limited network access.
Cisco Secure Services Client (SSC) is client security software that facilitates the use of one authentication
framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network. SSC
makes use of the Extensible Authentication Protocol (EAP), WiFi Protected Access (WPA), and WPA2
standards to control network access and enforce security policies for clients using Microsoft Windows
platforms. Cisco SSC is not typically implemented in a cluster configuration.
Cisco Security Agent (CSA) is a Hostbased Intrusion Prevention System (HIPS) that can be installed on
host computers, servers, and pointofsale (POS) computers. CSA can help protect these devices from
malicious network traffic, such as zeroday attacks. In addition, CSA can provide local firewall services,
antivirus services, and security policy enforcement. CSA is not typically implemented in a cluster
configuration.Reference:
Cisco: Understanding the ACS Server Deployment (PDF)

QUESTION 115
Which of the following traffic types are blocked by default in a zone-based policy firewall configuration?
(Select 2 choices.)

A. traffic to or from the self zone
B. traffic between interfaces in the same zone
C. traffic between interfaces in a zone and interfaces not assigned to any zone
D. traffic between interfaces in different zones
E. traffic directly to or received from the router

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In a zone-based policy firewall (ZFW) configuration, all traffic between interfaces in different zones is
blocked by default. In addition, all traffic between interfaces that have been assigned to a zone and
interfaces that are not assigned to any zone is blocked by default. ZFW is the latest iteration of Cisco's
stateful firewall implementation for IOS, which was formerly called Context-Based Access Control (CBAC).
With ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. By
default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same
zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is
implicitly blocked by default when the interface is assigned to a zone, with two exceptions: traffic to or from
other interfaces in the same zone is permitted, as is traffic to or from the router itself. When ZFW is
configured, a special zone called the self zone is automatically created and contains the IP addresses of
all the router interfaces. By default, all traffic to or from the self zone is implicitly permitted; this implicit
permission ensures that management access to the router is not lost when ZFW is configured. The implicit
permit for the self zone lasts only until a policy is applied to a zone pair that includes the self zone; after
that, only the traffic that the policy passes or inspects reaches the router from the other zone in the pair.
In order for traffic to flow between user-configured zones, stateful packet inspection policies must be
configured to explicitly permit traffic between the zones. The basic process is as follows:
1. Define the required zones.
2. Create zone pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone pairs.
6. Assign interfaces to their appropriate zones.
Interfaces are assigned last because an interface that is placed in a zone before a policy exists for it stops
forwarding inter-zone traffic immediately. Zone pairs are unidirectional: a policy that applies the inspect
action to an inside-to-outside pair also admits the return traffic of the inspected sessions, but a connection
initiated from the outside still requires its own outside-to-inside zone pair and policy.
Although inspection rules can be created for a large number of traffic types, stateful inspection of multicast
traffic is not supported by ZFW and must be handled by other security features, such as Control Plane
Policing (CoPP).
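The default rules above, as an added Python model that is not Cisco code and not part of the original
explanation: it encodes the self-zone implicit permit, the same-zone permit, the drop between a zone member
and an unassigned interface, and the unidirectional zone pair whose inspect action lets replies return. The
interface names, zone names, zone pairs and flow identifiers are constructed for the example; a real ZFW is
configured with the IOS commands described in the steps, not with this code.

```python
"""Model of the default forwarding rules of a zone-based policy firewall.

Added example, not Cisco code. The interface names, zone names, zone pairs
and flows below are constructed for illustration.
"""
from dataclasses import dataclass, field

SELF_ZONE = "self"          # implicit zone holding the router's own addresses
ROUTER = "router"           # pseudo-interface used here for traffic to the router


@dataclass
class Zbpf:
    # interface -> zone; an interface missing from the map is unassigned
    interface_zone: dict
    # (source zone, destination zone) -> "inspect" or "pass" for each zone pair
    zone_pairs: dict = field(default_factory=dict)
    # ids of sessions admitted by an inspect policy, so replies can return
    inspected: set = field(default_factory=set)

    def zone_of(self, interface):
        if interface == ROUTER:
            return SELF_ZONE
        return self.interface_zone.get(interface)

    def decide(self, ingress, egress, flow_id):
        """Return 'permit' or 'drop' for a packet entering on ingress and
        leaving on egress (or addressed to the router). flow_id identifies
        the session so the return direction of an inspected flow is matched."""
        src, dst = self.zone_of(ingress), self.zone_of(egress)

        # Traffic to or from the router is implicitly permitted unless a
        # policy has been applied to a zone pair that includes the self zone.
        if SELF_ZONE in (src, dst) and (src, dst) not in self.zone_pairs:
            return "permit"

        # A zone member and an interface in no zone cannot exchange traffic.
        if (src is None) != (dst is None):
            return "drop"

        # Neither interface is in a zone: ZFW does not apply to the flow.
        if src is None:
            return "permit"

        # Interfaces in the same zone talk freely.
        if src == dst:
            return "permit"

        # Different zones: an explicit zone pair with pass or inspect is needed.
        action = self.zone_pairs.get((src, dst))
        if action == "pass":
            return "permit"
        if action == "inspect":
            self.inspected.add(flow_id)
            return "permit"

        # No pair in this direction: only replies of sessions inspected in the
        # opposite direction are allowed; anything new is dropped.
        if self.zone_pairs.get((dst, src)) == "inspect" and flow_id in self.inspected:
            return "permit"
        return "drop"


def demo():
    fw = Zbpf(
        interface_zone={"Gi0/0": "inside", "Gi0/1": "outside", "Gi0/2": "inside"},
        zone_pairs={("inside", "outside"): "inspect"},   # Gi0/3 stays unassigned
    )
    ssh = "tcp 10.1.1.18:12113 -> 192.0.2.51:22"     # constructed flow ids
    smb = "tcp 198.51.100.7:40000 -> 10.1.1.18:445"
    return {
        "inside->outside new": fw.decide("Gi0/0", "Gi0/1", ssh),
        "outside->inside reply": fw.decide("Gi0/1", "Gi0/0", ssh),
        "outside->inside new": fw.decide("Gi0/1", "Gi0/0", smb),
        "inside->inside": fw.decide("Gi0/0", "Gi0/2", "any"),
        "inside->unassigned": fw.decide("Gi0/0", "Gi0/3", "any"),
        "inside->router": fw.decide("Gi0/0", ROUTER, "any"),
        "outside->router": fw.decide("Gi0/1", ROUTER, "any"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print("%-24s %s" % (flow, verdict))
```

The "outside->router" line is the one to notice: with no zone pair that includes the self zone, management
traffic from the untrusted side reaches the router, which is exactly why a self-zone policy is normally added
once the data-plane pairs are in place.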
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy
Firewall
Category:
Cisco Firewall Technologies

QUESTION 116
An inside host has initiated a TCP connection through a Cisco ASA to an outside server. The outside server
has responded with a SYN/ACK segment; however, the inside host has not yet responded with an ACK
segment.
Which of the following lines of output from the show conn command best represents the state of the
connection in this scenario? (Select the best answer.)

A. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
B. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
C. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
D. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
E. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
F. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA)
best represents the state of a connection that is waiting on only the ACK segment from an inside host:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The output of the show conn command uses connection flags to indicate the status of each entry in the
ASA connection database. The connection database is used by the stateful firewall feature of the ASA to
track the state of each network connection that passes through it. The flags that an ASA uses to track a
connection entry depend on the interface that initiated the connection. Typically, each connection
entry has corresponding inside and outside interfaces. In terms of the connection database, the inside
interface for the entry is the interface with the higher security level, whereas the outside interface for the
entry is the interface with the lower security level. In addition, a data flow from the inside interface to the
outside interface is considered to be moving in the outbound direction, and a data flow from the outside
interface to the inside interface is considered to be moving in the inbound direction.
When an ASA receives the first packet of a Transmission Control Protocol (TCP) connection, it creates
an entry in the connection database. The ASA immediately adds the B flag to the entry if the connection
was initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP
three-way handshake. For example, if a connection is initiated from the inside, the ASA will add the saA
flags to the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA

The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates
that the ASA is waiting for an ACK response segment to the SYN that was initiated from the inside host.
When the corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these
flags and the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the
host on the inside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will
clear the A flag and will mark the connection with the U flag, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U

The U flag indicates that the three-way handshake is complete and that the TCP session is established.
Entries that never progress past the handshake flags are what the ASA counts as embryonic (half-open)
connections; a large number of them toward one server is the footprint of a SYN flood.
Once the TCP session is established, the hosts can begin to exchange data. In this example, the inside host
has established a Secure Shell (SSH) session to an outside server. When the outside server sends data to
the inside host, the ASA will add the I flag to the entry to indicate that data has passed through the session
in the inbound direction. Likewise, the ASA will add the O flag to the entry to indicate that data has passed
through the session in the outbound direction. Thus a normal TCP session should have flags similar to
those shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO
By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to
the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB

The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates
that the ASA is waiting for an ACK response segment to the SYN that was initiated from the outside host.
When the corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these
flags and the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB

The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the
host on the outside responds to the SYN/ACK segment with the
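The flag decoding described in this explanation, as an added Python example that is not Cisco code and not
part of the original answer: it parses show conn lines in the format quoted above, reports the initiating side
and the handshake state, and counts half-open entries per responding socket, which is the quick check for a
SYN flood in a captured connection table. The sample lines are constructed; only the handshake and data
flags are decoded, and the full ASA flag set is larger.

```python
"""Decode the connection flags in Cisco ASA `show conn` output.

Added example, not Cisco code. The sample lines below are constructed to
match the format quoted in the explanation; only the TCP handshake and
data-direction flags are decoded.
"""
import re

FLAG_MEANING = {
    "s": "awaiting SYN from outside",
    "S": "awaiting SYN from inside",
    "a": "awaiting ACK from outside",
    "A": "awaiting ACK from inside",
    "B": "initial SYN came from outside",
    "U": "three-way handshake complete (up)",
    "I": "inbound data seen",
    "O": "outbound data seen",
}
HANDSHAKE_FLAGS = set("sSaA")

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)"
    r".*?\bflags\s+(?P<flags>[A-Za-z]*)\s*$"
)


def parse_conn(line):
    """Parse one show conn line into a dict with the decoded state."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised show conn line: %r" % line)
    conn = m.groupdict()
    flags = conn["flags"]
    conn["initiator"] = "outside" if "B" in flags else "inside"
    if "U" in flags:
        conn["state"] = "established"
    elif HANDSHAKE_FLAGS & set(flags):
        conn["state"] = "embryonic"        # handshake not yet complete
    else:
        conn["state"] = "unknown"
    conn["waiting_on"] = [FLAG_MEANING[f] for f in flags if f in HANDSHAKE_FLAGS]
    # The responder is the outside socket for inside-initiated connections
    # and the inside socket when the B flag shows an outside initiator.
    side = "in" if conn["initiator"] == "outside" else "out"
    conn["responder"] = "%s:%s" % (conn[side + "_ip"], conn[side + "_port"])
    return conn


def embryonic_by_responder(lines):
    """Count half-open connections per responding socket. Many embryonic
    entries toward one socket is what a SYN flood (or a scan that never
    completes handshakes) looks like in the connection table."""
    counts = {}
    for line in lines:
        conn = parse_conn(line)
        if conn["state"] == "embryonic":
            counts[conn["responder"]] = counts.get(conn["responder"], 0) + 1
    return counts


# Constructed sample output in the format of the question.
SAMPLE = [
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA",
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12114 idle 0:00:00, bytes 0, flags A",
    "TCP outside 192.0.2.51:22 inside 10.1.1.18:12115 idle 0:00:03, bytes 1843, flags UIO",
    "TCP outside 198.51.100.7:40001 inside 10.1.1.10:80 idle 0:00:00, bytes 0, flags SaAB",
    "TCP outside 198.51.100.7:40002 inside 10.1.1.10:80 idle 0:00:00, bytes 0, flags SaAB",
    "TCP outside 198.51.100.7:40003 inside 10.1.1.10:80 idle 0:00:00, bytes 0, flags aB",
]

if __name__ == "__main__":
    for line in SAMPLE:
        c = parse_conn(line)
        print(c["initiator"], c["state"], c["responder"], c["waiting_on"])
    print(embryonic_by_responder(SAMPLE))
```

Run against a saved `show conn` dump, the count per responder separates a genuine burst of new sessions
(entries that quickly move to U) from half-open entries that linger with the handshake flags still set.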

QUESTION 117
Which of the following is an IOS privilege level that provides the highest level of access on a Cisco router?
(Select the best answer.)

A. 0
B. 1
C. 15
D. 16

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The highest level of access on a Cisco router is provided by IOS privilege level 15. Privilege levels can be
used to limit the IOS commands that a user can access. However, you are limited to 16 privilege levels,
some of which are used by default by the IOS. For example, privilege levels 1 and 15 are default IOS
privilege levels. Privilege level 1 allows a user to issue any command that is available at the user EXEC >
prompt. Privilege level 15 allows a user to issue any command that is available at the privileged EXEC #
prompt.
Each privilege level is associated with a list of commands that are available at that level. Users assigned to
a privilege level have access to all of the commands at that privilege level and all lower privilege levels.
Changing the commands that are available to a privilege level might provide access to a user who should
not be allowed access to the command, or it might restrict access to another user who should be allowed
access to the command. A user at a custom level who is granted the show running-config command sees
only the parts of the configuration that the level is permitted to configure, which is the subject of the
second reference below.
Because the default privilege level for a newly created local user account is 1, a newly created user will
always have access to the disable, enable, exit, help, and logout commands; these commands are
associated with privilege level 0. However, per-user privilege levels can sometimes conflict with the privilege
levels set for virtual terminal (VTY) lines. In the event of a conflict, per-user privileges override the
privileges configured for the VTY line causing the conflict.
Although there are 16 distinct privilege levels that can be assigned on a Cisco router, 16 is not a valid value
for a privilege level. Valid values for user-assigned privilege levels are whole numbers ranging from 0
through 15.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 11, Custom Privilege Levels, p. 287
Cisco: IOS Privilege Levels Cannot See Complete Running Configuration: Privilege Levels

QUESTION 118
Which of the following statements is true regarding LDAP attribute maps on an ASA? (Select the best
answer.)

A. There is a defined limit on the number of LDAP attribute maps you can configure.
B. There is a defined limit on the number of attributes that can be mapped in each LDAP attribute map.
C. There is a defined limit on the number of LDAP servers to which an LDAP attribute map can be applied.
D. There is a defined limit on the number of AD multivalued attributes matched by an LDAP attribute map.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When using Lightweight Directory Access Protocol (LDAP) attribute maps on a Cisco Adaptive Security
Appliance (ASA), there is a limit on the number of Active Directory (AD) multivalued attributes matched by
an LDAP attribute map. LDAP attribute maps are used to authorize virtual private network (VPN) users
based on specified AD attributes, such as group membership or department name. If an LDAP query
returns a multivalued attribute, such as the list of groups of which a user is a member, the ASA will match
only one of the returned values to the appropriate group policy. The ASA will select the matching group
policy with the least number of characters in the name and that starts with the lowest alphanumeric
character.
There is no defined limit on the number of LDAP attribute maps you can configure on an ASA. Because
LDAP attribute maps are dynamically allocated as they are needed, configuring a large number of attribute
maps does not unnecessarily burden the ASA during normal operations. Likewise, there is no defined limit
on the number of attributes that can be mapped in each LDAP attribute map.
There is no defined limit on the number of LDAP servers to which an LDAP attribute map can be applied.
When an LDAP attribute map is applied to a server, the ASA only verifies that the specified attribute map
exists. The same LDAP attribute map can be applied to multiple, different servers.
Reference:
Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ

QUESTION 119

Which of the following can be determined from the Route Details tab of the VPN Client Statistics dialog box
shown above? (Select the best answer.)

A. The VPN client cannot access devices on the local LAN.
B. The VPN client is configured to use split tunneling.
C. The VPN client is configured to use transparent tunneling.
D. The VPN client cannot access devices on the 172.16.20.0/24 network.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Route Details tab of the VPN Client Statistics dialog box displayed below indicates that the virtual
private network (VPN) client is configured to use split tunneling:
By default, all traffic from a VPN client is passed through an encrypted tunnel to the VPN server. However,
with split tunneling, only traffic destined for a protected subnet is passed through the encrypted tunnel; all
other traffic is processed normally. You can define protected subnets on the VPN server by entering the
network address of each protected subnet on the Split Tunneling tab of the Group Policy window or by
specifying an access control list (ACL) that includes each protected subnet. When a client establishes a
VPN session, the list of protected subnets is passed from the VPN server to the VPN client as part of the
session configuration parameters.
Alternatively, the VPN client can be configured to pass all non-local traffic through an encrypted tunnel to the
VPN server. If the group policy on the VPN server permits local LAN access and the VPN client is
configured to allow local LAN access, all traffic that is not destined to the local LAN is sent through the
encrypted tunnel. For example, if the VPN client had a locally configured route to the 192.168.13.0/24
network, packets destined for that network would be processed normally. However, any packets destined
for a network not in the VPN client's routing table, such as the Internet, would pass through the encrypted
tunnel to the VPN server. This configuration is represented on the Route Details tab of the VPN Client
Statistics dialog box shown below:

The VPN Client Statistics dialog box does not indicate that the client cannot access devices on the
172.16.20.0/24 network. Because the 172.16.20.0/24 network is listed in the Secured Routes pane, traffic
destined for the 172.16.20.0/24 network will pass through the encrypted tunnel to the VPN server. However,
traffic destined for a network not in the Secured Routes pane, such as the Internet or the local LAN, will not
pass through the tunnel and will be processed normally.
Likewise, the VPN Client Statistics dialog box does not indicate that the client cannot access devices on the
local LAN. Because the VPN server is configured for split tunneling, only traffic destined for a network in the
Secured Routes pane is passed through an encrypted tunnel to the VPN server. All other traffic, including
local LAN traffic, is processed normally. The trade-off is that a split-tunneled client is reachable from its
local network while it holds a tunnel into the protected network, so the client's own firewall and host
protection become part of the protected network's perimeter.
You cannot determine from the Route Details tab of the VPN Client Statistics dialog box whether the client
is configured to use transparent tunneling. The Tunnel Details tab of the VPN Client Statistics dialog box
indicates whether the client is configured to use transparent tunneling. Transparent tunneling facilitates the
creation of IP Security (IPsec) tunnels through a firewall or Network Address Translation (NAT) device.
When transparent tunneling is enabled on the client, encrypted packets are encapsulated in Transmission
Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through the firewall
or NAT device.
Reference:
Cisco: ASA/PIX: Allow Split Tunneling for VPN Clients on the ASA Configuration Example: Connect with the
VPN Client
CCNA Security 210-260 Official Cert Guide, Chapter 8, Split Tunneling, pp. 227-228

QUESTION 120
Which of the following IPS detection methods is a string pattern-based detection method? (Select the best
answer.)

A. anomaly-based detection
B. profile-based detection
C. signature-based detection
D. policy-based detection

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Signature-based detection is a string pattern-based detection method. Pattern-based detection methods use
specific strings of text or bytes to detect malicious traffic. Many signature-based detection methods can also
use protocols and port numbers to further specify malicious traffic patterns. The benefit of signature-based
detection methods is that the number of false positives generated is typically low. However, the drawback is
that a modified attack cannot be detected by an old signature; the modified attack will not be detected until
a new signature is added for the modified attack. Therefore, Cisco recommends updating signature files,
including antivirus signatures, every time a new update is available.
Anomaly-based detection methods and profile-based detection methods detect abnormal behavior on a
network. Traffic is classified as normal or abnormal based on information that is dynamically learned or
manually programmed. The benefit of anomaly-based detection is that anything that is not specified as
normal is classified as abnormal; therefore, anomaly-based detection can typically detect a wide range of
threats. One drawback of anomaly-based detection is that the baseline of normal traffic must be relearned or
retuned regularly on all but the smallest of networks, because legitimate usage changes over time; until the
baseline catches up, the changed traffic generates false positives. Another drawback is the memory and
processing power required to maintain profiles for each user.
Policy-based detection methods use algorithms to detect patterns in network traffic. The benefit of
policy-based detection methods is that they can often detect when a coordinated attack, such as a
Distributed Denial of Service (DDoS) attack, is happening, whereas a signature-based detection method
might detect only a collection of individual Denial of Service (DoS) attacks.
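The string-pattern method and its evasion drawback, as an added Python example that is not Cisco or
FirePOWER code and not part of the original explanation: each constructed signature carries a protocol, an
optional port and a literal byte pattern; the same traversal request matches when sent plainly, is missed when
the slashes are percent-encoded, and is caught again after a decoding step of the kind an HTTP preprocessor
performs before the rules engine runs. The signatures and packets are made up for the example.

```python
"""Toy string-pattern (signature-based) detector.

Added example, not Cisco or FirePOWER code. The signatures and packets are
constructed for illustration and are not real IPS signatures.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    proto: str                 # transport protocol the rule applies to
    dst_port: Optional[int]    # None means any destination port
    pattern: "re.Pattern"      # byte pattern the payload must contain


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


SIGNATURES = [
    Signature(1001, "HTTP directory traversal", "tcp", 80, re.compile(rb"\.\./\.\./")),
    Signature(1002, "shell path in payload", "tcp", None, re.compile(rb"/bin/sh")),
]


def match(packet, signatures=SIGNATURES):
    """Return the ids of every signature whose protocol, port and byte
    pattern all match the packet."""
    hits = []
    for sig in signatures:
        if sig.proto != packet.proto:
            continue
        if sig.dst_port is not None and sig.dst_port != packet.dst_port:
            continue
        if sig.pattern.search(packet.payload):
            hits.append(sig.sid)
    return hits


def normalize(packet):
    """URL-decode the payload before matching, as an HTTP preprocessor would,
    so that a percent-encoded variant is caught by the same literal pattern."""
    return Packet(packet.proto, packet.dst_port, unquote_to_bytes(packet.payload))


def demo():
    attack = Packet("tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n")
    # Same attack with the slashes percent-encoded: the literal pattern misses it.
    encoded = Packet("tcp", 80, b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0\r\n")
    # Same bytes on a port the signature does not cover.
    off_port = Packet("tcp", 8080, b"GET /../../etc/passwd HTTP/1.0\r\n")
    return {
        "attack": match(attack),
        "encoded": match(encoded),
        "encoded after normalize": match(normalize(encoded)),
        "off_port": match(off_port),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print("%-24s %s" % (case, hits))
```

The "off_port" case is the port-scoping trade-off in miniature: tying the pattern to port 80 keeps the
false-positive rate low, and it also means the same payload to a web server on 8080 goes unnoticed.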
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Signature-Based IPS/IDS, p. 464
Symantec: Network Intrusion Detection Signatures, Part One

QUESTION 121
You have been asked to add a key to an existing keychain. You issue the following commands to enter key
chain key configuration mode:
RouterA(config)#key chain chain1
RouterA(config-keychain)#key 2
RouterA(config-keychain-key)#key-string key2

The new key should be valid for three hours, and the router should begin sending the key at 9 a.m. on
January 13, 2015.
Which of the following commands should you issue next to achieve your goal? (Select the best answer.)

A. accept-lifetime 09:00:00 Jan 13 2015 duration 3
B. accept-lifetime 09:00:00 Jan 13 2015 duration 180
C. send-lifetime 09:00:00 Jan 13 2015 duration 180
D. send-lifetime 09:00:00 Jan 13 2015 duration 10800

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the send-lifetime 09:00:00 Jan 13 2015 duration 10800 command to specify that the key
in this scenario should be valid for three hours and that the router should begin sending the key at 9 a.m. on
January 13, 2015. The send-lifetime command is used to specify the period of time during which a key
should be sent by a router for authentication. The syntax for this command is send-lifetime start-time {infinite
| end-time | duration seconds}, where start-time specifies the date and time that the key should start being
sent. By default, keys are valid indefinitely; however, you can use the duration keyword to specify a duration
value between 1 and 2,147,483,646 seconds. In this scenario, the duration is 10800 seconds, which is three
hours, and the start time is 09:00:00 Jan 13 2015, which corresponds to 9 a.m. on January 13, 2015.
You should not issue the send-lifetime 09:00:00 Jan 13 2015 duration 180 command, because the key
duration is incorrectly specified as 180 seconds, which is three minutes, instead of 10,800 seconds, or three
hours.
You should not issue the accept-lifetime 09:00:00 Jan 13 2015 duration 3 command or the accept-lifetime
09:00:00 Jan 13 2015 duration 180 command. The accept-lifetime command specifies the time period
during which a received key is considered valid. By default, received keys are valid indefinitely. If no send-
lifetime command has been issued, the accept-lifetime command will limit the period of time in which the
received key is valid, but it will have no effect on the period of time during which the router sends the key for
authentication.
Both lifetimes are evaluated against the router's clock, so the router needs an accurate time source (for
example, NTP) for the key to roll over when intended, and the accept-lifetime of each key should overlap the
send-lifetime of the neighbor's key so that authentication does not fail during the changeover.
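The difference between the two lifetimes, as an added Python model that is not Cisco code and not part of
the original explanation: it builds the (start, end) windows the way the IOS start-time {infinite | end-time |
duration seconds} argument does, including the 1 to 2,147,483,646 second bound on duration, and then asks
which key is sent and which keys are accepted at several instants around the rollover. Key 2 mirrors the
question; key 1, its overlap, and the use of local router time are constructed assumptions, as is the rule that
the lowest-numbered key with an active send-lifetime is the one sent.

```python
"""Evaluate IOS key-chain send-lifetime and accept-lifetime windows.

Added example, not Cisco code. Key 2 mirrors the question (start 09:00:00
Jan 13 2015, duration 10800 seconds); key 1 and the overlap are constructed.
Times are naive datetimes taken as router local time, and the model assumes
the router sends the lowest-numbered key whose send-lifetime is active.
"""
from datetime import datetime, timedelta

MAX_DURATION = 2147483646     # upper bound of the duration argument


def lifetime(start, end=None, duration=None):
    """Build a (start, end) window like the IOS argument
    start-time {infinite | end-time | duration seconds}; end=None is infinite."""
    if duration is not None:
        if not 1 <= duration <= MAX_DURATION:
            raise ValueError("duration must be 1..%d seconds" % MAX_DURATION)
        return start, start + timedelta(seconds=duration)
    return start, end


class Key:
    def __init__(self, key_id, key_string, send=None, accept=None):
        self.key_id = key_id
        self.key_string = key_string
        # Without a configured lifetime a key is valid indefinitely.
        self.send = send if send is not None else (datetime.min, None)
        self.accept = accept if accept is not None else (datetime.min, None)


def active(window, now):
    start, end = window
    return start <= now and (end is None or now < end)


def key_to_send(chain, now):
    """Assumed rule: the lowest-numbered key with an active send-lifetime."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if active(key.send, now):
            return key.key_id
    return None


def keys_accepted(chain, now):
    return [k.key_id for k in chain if active(k.accept, now)]


def demo():
    t0 = datetime(2015, 1, 13, 9, 0, 0)
    chain = [
        # Old key: no longer sent after 09:00 but still accepted for a while,
        # so a neighbour that rolls over a little later is not rejected.
        Key(1, "key1",
            send=lifetime(datetime(2015, 1, 1), end=t0),
            accept=lifetime(datetime(2015, 1, 1), end=t0 + timedelta(minutes=15))),
        # The key from the question: sent for three hours from 09:00.
        Key(2, "key2",
            send=lifetime(t0, duration=10800),
            accept=lifetime(t0, duration=10800)),
    ]
    # The distractor from the question: duration 180 is only three minutes.
    wrong = [Key(2, "key2", send=lifetime(t0, duration=180))]
    return {
        "08:59 send": key_to_send(chain, t0 - timedelta(minutes=1)),
        "09:05 send": key_to_send(chain, t0 + timedelta(minutes=5)),
        "09:05 accept": keys_accepted(chain, t0 + timedelta(minutes=5)),
        "11:59 send": key_to_send(chain, t0 + timedelta(hours=2, minutes=59)),
        "12:00 send": key_to_send(chain, t0 + timedelta(hours=3)),
        "09:05 send, duration 180": key_to_send(wrong, t0 + timedelta(minutes=5)),
    }


if __name__ == "__main__":
    for when, result in demo().items():
        print("%-26s %s" % (when, result))
```

At 12:00 no key has an active send-lifetime, which is the failure mode to plan for: a chain whose last key
expires leaves the router with nothing to sign updates with, so the next key's send-lifetime should start before
the current one ends.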
Reference:
Cisco: IP Routing Protocol-Independent Commands: send-lifetime

QUESTION 122
Which of the following can be mitigated by installing a personal firewall on a laptop? (Select the best
answer.)

A. a SYN flood attack
B. a cross-site scripting attack
C. a port-scanning attack
D. a session-hijacking attack

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Installing a personal firewall on a laptop can mitigate a port-scanning attack. In a port-scanning attack, an
attacker uses a port-scanning application to probe a computer to determine which ports are open and
vulnerable to an attack. After determining which ports are open, the attacker can attempt to access the
computer through an open port. With a personal firewall, you can protect a host from malicious traffic by
permitting or denying specific applications or network ports access to the host or its network interface.
Typically, a personal firewall provides sufficient granularity to specify the direction of a particular flow of
traffic. For example, you could permit outbound web traffic but deny all inbound traffic that does not
correspond to established outbound connections.
Installing a personal firewall on a laptop would not mitigate a session-hijacking attack. A session-hijacking
attack requires that the attacker determine the Initial Sequence Number (ISN) for a new Transmission
Control Protocol (TCP) session. The ISN is used during the TCP three-way handshake to synchronize the
states of the sending and receiving hosts. If an attacker can guess the ISN or any subsequent sequence
number for a connection, the attacker can hijack the session. Typically, an attacker will disrupt the
connection by forcing one of the hosts to become unsynchronized and will then assume the identity of the
unsynchronized host by spoofing its IP address. Session hijacking relies on the attacker being able to
determine the correct sequence number for any given segment in a TCP session. Because some hosts
generate ISNs that are predictable (for example, incremented by a fixed amount) rather than random, an
attacker can estimate the ISN that a vulnerable host will use for a new connection by first initiating a
connection to the host and observing its current ISN.
Installing a personal firewall on a laptop would not mitigate a cross-site scripting (XSS) attack. An XSS
attack takes advantage of weaknesses within a web application to inject script into pages served to other
users, typically through unvalidated input such as form fields or URL parameters. If the attack is successful,
the injected code runs in the victim's browser, which could allow the attacker to perform a variety of malicious
tasks, such as redirecting visitors to another website or harvesting cookies from the victim's computer.
Server-side input validation and output encoding can be used to mitigate XSS attacks performed on web
forms. Reflected XSS, in which a link in an email lures a victim to a vulnerable page that echoes the script
back, is likewise addressed on the server, not by a personal firewall, which sees only ordinary outbound web
traffic.
Installing a personal firewall on a laptop would not mitigate a SYN flood attack. A SYN flood attack sends a
large volume of SYN segments to a target host in an attempt to saturate the target's TCP connection table.
The SYN flood attack exploits the TCP three-way handshake by sending TCP SYN segments from spoofed
IP addresses. When the target host replies to the spoofed IP addresses, the target's packets are ignored
because the spoofed hosts do not have corresponding entries in their TCP connection tables. The target
host will continue to wait for responses from the spoofed hosts until the TCP handshake times out. With a
sufficient number of SYN requests, the target's TCP connection table can become full. Once the TCP
connection table is full, the target host will be unable to accept new TCP connections.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Personal Firewalls and Host Intrusion Prevention
Systems, pp. 498-499

QUESTION 123
When a switch is configured with private VLANs, which of the following ports can an isolated port
communicate with? (Select the best answer.)

A. ports within the same community
B. ports within a different community
C. other isolated ports
D. promiscuous ports

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An isolated port can communicate with promiscuous ports when a switch is configured with private virtual
LANs (VLANs). Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private
VLANs can provide Layer 2 separation between ports that belong to the same VLAN. Because the
separation exists at Layer 2, the hosts can exist on the same IP subnet. The VLAN to which the hosts
belong is called the primary VLAN. To create a private VLAN, you must create secondary VLANs and
associate them with the primary VLAN. There are two types of secondary VLANs: community VLANs and
isolated VLANs. Ports that belong to a community VLAN can communicate with promiscuous ports and with
other ports that belong to the same community. However, they cannot communicate with isolated ports or
with ports that belong to other communities. Ports that belong to an isolated VLAN can communicate only
with promiscuous ports.
After configuring the private VLAN, you can configure ports to participate in the private VLAN. When
configuring a port to participate in a private VLAN, you must configure the port by issuing the switchport
mode private-vlan {promiscuous | host} command. The promiscuous keyword configures the port to
communicate with any secondary VLAN. Consequently, devices that should be reachable from any
secondary VLAN should be connected to promiscuous ports. For example, a router, a firewall, or a gateway
that any host should be able to reach should be connected to a promiscuous port. By contrast, devices
connected to isolated or community VLANs should be connected to host ports, which are configured by
using the host keyword. Because the isolation is a Layer 2 property, a router on the promiscuous port will
still forward traffic between two isolated hosts at Layer 3 if a host addresses the frame to the router's MAC
address; an ACL on the router is needed to block that path.
Reference:
Cisco: Configuring Private VLANs: Understanding Private VLANs

QUESTION 124
Which of the following statements is not true regarding the IaaS service model? (Select the best answer.)
A. The consumer has control over the configuration of the OS running on the physical infrastructure in the
cloud.
B. The consumer has control over the physical infrastructure in the cloud.
C. The consumer has control over the allocation of processing, memory, storage, and network resources
within the cloud.
D. The consumer has control over development tools or APIs in the cloud running on the physical
infrastructure in the cloud.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In the Infrastructure as a Service (IaaS) service model, the consumer does not have control over the
physical infrastructure in the cloud. The National Institute of Standards and Technology (NIST) defines
three service models in its definition of cloud computing: Software as a Service (SaaS), IaaS, and Platform
as a Service (PaaS).
The SaaS service model enables its consumer to access applications running in the cloud infrastructure but
does not enable the consumer to manage the cloud infrastructure or the configuration of the provided
applications. A company that licenses a service provider's office suite and email service that is delivered to
end users through a web browser is using SaaS. SaaS providers use an Internet-enabled licensing function,
a streaming service, or a web application to provide end users with software that they might otherwise
install and activate locally. Web-based email clients, such as Gmail and Outlook.com, are examples of
SaaS.
The PaaS service model provides its consumer with a bit more freedom than the SaaS model by enabling
the consumer to install and possibly configure provider-supported applications in the cloud infrastructure. A
company that uses a service provider's infrastructure, programming tools, and programming languages to
develop and serve cloud-based applications is using PaaS. PaaS enables a consumer to use the service
provider's development tools or Application Programming Interface (API) to develop and deploy specific
cloud-based applications or services. Another example of PaaS might be using a third party's MySQL
database and Apache services to build a cloud-based customer relationship management (CRM) platform.
The IaaS service model provides the greatest degree of freedom by enabling its consumer to provision
processing, memory, storage, and network resources within the cloud infrastructure. The IaaS service
model also enables its consumer to install software, including operating systems (OSs) and custom
applications. However, with IaaS, the cloud infrastructure remains under the control of the service provider. A
company that hires a service provider to deliver cloud-based processing and storage that will house multiple
virtual hosts configured in a variety of ways is using IaaS. For example, a company that wanted
to establish a web server farm by configuring multiple Linux Apache MySQL PHP (LAMP) servers could
save hardware costs by virtualizing the farm and using a provider's cloud service to deliver the physical
infrastructure and bandwidth for the virtual farm. Control over the OS, software, and server configuration
would remain the responsibility of the organization, whereas the physical infrastructure and bandwidth
would be the responsibility of the service provider.
Reference:
NIST: Special Publication 800-145: The NIST Definition of Cloud Computing (PDF)

QUESTION 125
Which of the following email-related FirePOWER preprocessors can extract and decode attachments in
client-to-server traffic? (Select the best answer.)

A. only the IMAP preprocessor
B. only the POP3 preprocessor
C. only the SMTP preprocessor
D. only the POP3 and SMTP preprocessors
E. only the IMAP and SMTP preprocessors
F. the IMAP, POP3, and SMTP preprocessors

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP),
Post Office Protocol version 3 (POP3), and Simple Mail Transfer Protocol (SMTP) preprocessors can
extract and decode attachments in client-to-server traffic. The FirePOWER IMAP, POP3, and SMTP
preprocessors are Application layer inspection engines with the capability to decode email traffic and to
normalize the resulting data prior to forwarding the traffic to the intrusion rules engine for analysis.
In addition to generating an event when they observe anomalous traffic, the FirePOWER email-related
preprocessor engines can inspect the commands that pass between a client and a server to ensure that
they are compliant with the relevant Request for Comments (RFC). For example, the IMAP preprocessor
can generate an event when either a client command or a server response does not comply with RFC 3501,
which is the RFC that defines the IMAP protocol, and the POP3 preprocessor can do the same for
commands that do not comply with RFC 1939, which is the RFC that defines the POP3 protocol. By
contrast, the SMTP preprocessor provides the ability to normalize all, none, or a specific set of SMTP
commands, although a base set of commands will always be considered as part of the custom valid set if
normalization is enabled.
Reference:
Cisco: Application Layer Preprocessors: The IMAP Preprocessor
Cisco: Application Layer Preprocessors: The POP Preprocessor
Cisco: Application Layer Preprocessors: The SMTP Preprocessor

QUESTION 126
Which of the following authentication methods is not used with OSPFv3? (Select the best answer.)

A. plaintext
B. MD5
C. SHA1
D. IPv6 IPSec

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Plaintext authentication is not used with Open Shortest Path First version 3 (OSPFv3), which is also called
OSPF for IP version 6 (IPv6). OSPFv3 uses IPv6 IP Security (IPSec) authentication, which in turn uses
either Message Digest 5 (MD5) or the Secure Hash Algorithm 1 (SHA1). Although plaintext authentication is
not used by OSPFv3, you can configure OSPFv3 either to encrypt the MD5 or SHA1 hash that is used by
IPv6 IPSec or to leave the hash unencrypted. Encrypting the hash provides an extra layer of security but
requires additional processing that could introduce latency. You can issue either the ospfv3 authentication
command or the ipv6 ospf authentication command to configure authentication for OSPFv3 on an interface.
MD5 and plaintext authentication are supported by OSPF version 2 (OSPFv2), which is the IPv4 version of
OSPF. By default, no authentication method is used with OSPFv2. To configure a router for MD5
authentication, you should first configure the authentication password by issuing the ip ospf
authentication-key password command in interface configuration mode. Then you should configure MD5
authentication for an OSPF interface by issuing the ip ospf authentication message-digest command in
interface configuration mode. Because plaintext authentication is notoriously insecure, Cisco recommends
using MD5 authentication for OSPFv2 instead of plaintext authentication.
Reference:
Cisco: IPv6 Routing: OSPFv3 Authentication Support with IPsec: How to Configure IPv6 Routing: OSPFv3
Authentication Support with IPsec
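As an added example (not part of the exam dump or of Cisco's own documentation), the following IOS configuration shows both authentication forms the explanation describes: OSPFv3 authenticated through IPsec with SHA-1, and OSPFv2 with MD5. The interface names, addresses, area numbers, SPI value and keys are placeholders. Note that IOS stores the MD5 key with the ip ospf message-digest-key command; the ip ospf authentication-key command holds the plaintext key.

```cisco
! Added example (not from the exam dump): OSPFv3 and OSPFv2 neighbor
! authentication on a Cisco IOS router. Interface names, addresses, the
! SPI and the keys are placeholders; replace them with your own values.

! --- OSPFv3: authentication comes from IPsec AH, keyed here with SHA-1.
! The SPI and the key must match on every router attached to the link.
! A SHA-1 key is 40 hex digits; an MD5 key would be 32 hex digits.
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ospfv3 1 ipv6 area 0
 ospfv3 authentication ipsec spi 500 sha1 0123456789abcdef0123456789abcdef01234567

! Legacy syntax for the same interface (use one form or the other):
! ipv6 ospf 1 area 0
! ipv6 ospf authentication ipsec spi 500 sha1 <40-hex-digit-key>

! --- OSPFv2: MD5 is the strongest method available and should be used
! instead of plaintext. Key ID 1 and the key must match on the neighbor.
! (A plaintext key would instead be set with "ip ospf authentication-key"
! and enabled with plain "ip ospf authentication".)
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 PLACEHOLDER_MD5_KEY
 ip ospf authentication message-digest

! Verification: confirms the authentication type on each OSPF interface.
! show ip ospf interface GigabitEthernet0/1   (expect "Message digest authentication enabled")
! show ospfv3 interface GigabitEthernet0/0    (shows the SPI and the algorithm in use)
```

If only one side of a link is changed, the adjacency drops until the neighbor carries the same key, so roll the change out link by link and watch the OSPF neighbor table while doing so.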

QUESTION 127
You have configured a Cisco Catalyst switch to store its binding table on a local TFTP server.
Which of the following commands can you issue to verify the URL that the agent will use to store the
binding table on the TFTP server? (Select the best answer.)

A. show ip dhcp snooping
B. show ip dhcp snooping database
C. show ip dhcp snooping binding
D. show ip dhcp snooping statistics

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can issue the show ip dhcp snooping database command to verify the Uniform Resource Locator
(URL) that the agent will use to store the binding table when Dynamic Host Configuration Protocol (DHCP)
snooping is configured on a Cisco Catalyst switch to store the binding table on a local Trivial File Transfer
Protocol (TFTP) server. DHCP snooping ensures that DHCP servers reside on trusted switch interfaces
and that all DHCP traffic from untrusted interfaces is verified before being forwarded. When a switch is
configured to use DHCP snooping, the switch tracks client Media Access Control (MAC) addresses and
their associated DHCP client hardware addresses in the DHCP snooping binding database, which is also
known as the binding table. If the switch receives DHCP packets that do not match entries in the binding
table, the switch drops the packets. The binding table can be stored locally or it can be stored on a remote
server.
The show ip dhcp snooping database command can be used to display the status of the DHCP snooping
binding table agent and statistics regarding the status of the binding table, such as the URL where the
binding table can be found and how many successful writes have been committed to the table. For
example, the following sample output indicates that the binding table is stored in a file named bindingtable
on the TFTP server with an IP address of 1.2.3.4:

The show ip dhcp snooping command displays general information regarding the DHCP snooping
configuration on a switch, such as the virtual LANs (VLANs) for which DHCP snooping is enabled and the
trusted state of each interface. For example, the following sample output indicates that DHCP snooping is
enabled for VLANs 101, 201, and 301:

The show ip dhcp snooping binding command displays the dynamic entries in the binding table. You must
use the show ip source binding command to view both static and dynamic binding table entries. For
example, the following sample output from the show ip dhcp snooping binding command indicates that two
DHCP clients from VLAN 101 have entries in the binding table:
The show ip dhcp snooping statistics command displays statistical information regarding the number of
frames that have been forwarded or dropped by the DHCP snooping configuration on a switch. You can use
the detail keyword to display expanded statistics, which include the number of packets dropped for each
denial category, such as binding mismatches or exceeded rate limits. For example, the following sample
output from the show ip dhcp snooping statistics command indicates that 1,450 packets were forwarded
and 105 packets were dropped from untrusted ports:

Packets Forwarded = 1450
Packets Dropped = 118
Packets Dropped From untrusted ports = 105

Reference:
Cisco: Cisco IOS IP Addressing Services Command Reference: show ip dhcp snooping database
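As an added example (not part of the exam dump or of Cisco's own documentation), the following Catalyst configuration enables DHCP snooping on the three VLANs the explanation mentions and stores the binding table on the TFTP server at 1.2.3.4 in a file named bindingtable, so that the show ip dhcp snooping database output reports that URL. The interface numbers, rate limit and timer values are placeholders.

```cisco
! Added example (not from the exam dump): DHCP snooping on a Catalyst switch
! with the binding table written to a TFTP server. VLAN numbers match the
! question's sample output; interface names and timers are placeholders.
ip dhcp snooping
ip dhcp snooping vlan 101,201,301
! Option 82 insertion is disabled here because many DHCP servers drop
! requests that carry it from a non-relay; enable it only if the server expects it.
no ip dhcp snooping information option
! Persist the binding table so it survives a reload. This URL is the
! "agent URL" that "show ip dhcp snooping database" reports.
ip dhcp snooping database tftp://1.2.3.4/bindingtable
ip dhcp snooping database write-delay 60
ip dhcp snooping database timeout 300

! Uplink toward the legitimate DHCP server: trusted, so server messages
! (OFFER/ACK) are accepted from this port only.
interface GigabitEthernet1/0/48
 description Uplink to distribution and DHCP server
 ip dhcp snooping trust

! Access ports stay untrusted (the default). A rate limit keeps a single
! host from flooding DISCOVER/REQUEST messages; exceeding it err-disables
! the port.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 ip dhcp snooping limit rate 15

! Verification (the four commands the question distinguishes between):
! show ip dhcp snooping                   -> enabled VLANs, trust and rate-limit state per interface
! show ip dhcp snooping database          -> agent URL, timers, successful and failed writes
! show ip dhcp snooping binding           -> dynamic entries only (MAC, IP, lease, VLAN, interface)
! show ip source binding                  -> dynamic and static entries
! show ip dhcp snooping statistics detail -> per-reason drop counters
```

A rising "Failed Transfers" counter in the database output usually means the TFTP server is unreachable or the file is not writable; the switch keeps the table in memory meanwhile, but it will be lost on the next reload.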

QUESTION 128
You have configured a CoPP policy to mitigate the effects of DoS attacks on the router.
Which of the following packet types does the CoPP policy affect? (Select the best answer.)

A. packets originating from the control plane
B. packets destined to the control plane
C. packets originating from the data plane
D. packets destined to the data plane

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Control Plane Policing (CoPP) policy in this scenario affects packets that are destined to the control
plane of a router. Packets destined to the control plane are typically packets intended to create or perform
network operations on a router, such as packets from dynamic routing protocols or Address Resolution
Protocol (ARP) packets. These packets cannot be handled by Cisco’s normal fast-path switching
mechanisms, such as Cisco Express Forwarding (CEF), because they require special handling by the
router's CPU, which is also known as the route processor. CoPP is a Cisco IOS feature that protects the
route processor of a router or switch from malicious traffic, such as Denial of Service (DoS) attacks.
The control plane is one of the four logical components that collectively define a router; the remaining
components are the data plane, the management plane, and the services plane. The control plane is the
home of the route processor and is essential to the forwarding of packets because routing protocol
operation, network management, and process-based switching all involve the control plane. CoPP filters the
types of packets that enter or exit the control plane and controls the rate at which permitted packets enter or
exit the control plane. Because traffic must pass through the control plane to reach the management plane,
CoPP protects the management plane as well.
The CoPP policy in this scenario does not affect packets that originate from the control plane of a router.
DoS attacks that target a router use packets either that are destined to the router itself or that require
special handling by the router's route processor. Because packets originating from the control plane have
already passed through the route processor, a CoPP policy that affects packets exiting the control plane
would not mitigate the effects of a DoS attack.
Cisco considers all packets that pass through a router without any interaction from the route processor as
data plane traffic, which is also known as transit traffic. Because DoS attacks on a router target the route
processor, a CoPP policy that protects a router from DoS attacks would not affect packets originating from
or destined to the data plane.
Reference:
Cisco: Control Plane Policing: Benefits of Control Plane Policing
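As an added example (not part of the exam dump or of Cisco's own documentation), the following IOS configuration builds a basic CoPP policy and applies it inbound on the control plane, so that only packets punted to the route processor are policed while transit traffic is untouched. The ACL names, the BGP neighbor address, the management subnet and the police rates are placeholders; real rates must be derived from a baseline of the router's normal control-plane load.

```cisco
! Added example (not from the exam dump): a CoPP policy applied inbound on
! the control plane of a Cisco IOS router. ACL names, the BGP neighbor,
! the management subnet and the police rates are placeholders.

! Classify what legitimately needs the route processor.
ip access-list extended COPP-ROUTING
 permit ospf any any
 permit tcp host 192.0.2.2 eq bgp any
 permit tcp host 192.0.2.2 any eq bgp
ip access-list extended COPP-MANAGEMENT
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 permit udp 10.10.0.0 0.0.0.255 any eq snmp
 permit udp any eq ntp any
! Traffic that should never reach the CPU on this router: Telnet is not
! offered, and fragmented ICMP toward the router has no legitimate use.
ip access-list extended COPP-UNDESIRABLE
 permit tcp any any eq 23
 permit icmp any any fragments

class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MANAGEMENT
 match access-group name COPP-MANAGEMENT
class-map match-all COPP-UNDESIRABLE
 match access-group name COPP-UNDESIRABLE

! Routing protocols are never dropped (exceed-action transmit) so that a
! misjudged rate cannot flap adjacencies; management is rate limited, the
! undesirable class is dropped outright, and everything left over is held
! to a small rate in class-default. Rates are bits per second, burst in bytes.
policy-map COPP-INBOUND
 class COPP-ROUTING
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-MANAGEMENT
  police 128000 4000 conform-action transmit exceed-action drop
 class COPP-UNDESIRABLE
  police 8000 1500 conform-action drop exceed-action drop
 class class-default
  police 64000 2000 conform-action transmit exceed-action drop

! Attaching the policy here matches only packets destined to the control
! plane; data-plane (transit) traffic is not affected.
control-plane
 service-policy input COPP-INBOUND

! Verification: per-class conformed/exceeded counters. A steadily rising
! exceeded count in class-default is the first sign of a flood.
! show policy-map control-plane input
! show access-lists COPP-UNDESIRABLE
```

Deploy a new policy first with every class set to transmit on exceed and read the counters for a few days; only then tighten the exceed actions, so that a low estimate of legitimate load does not cut off management or routing.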

QUESTION 129
Which of the following is the most likely reason for an organization to implement an extranet? (Select the
best answer.)

A. to provide customers with large-scale computer services
B. to provide internal departments with independent security policies
C. to provide internal users with a customized website
D. to provide customers with access to the company’s internal network

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A company can implement an extranet to provide customers with access to the company’s internal network.
An extranet is a portion of a company’s internal network that is accessible to specific people outside of the
company, such as business partners, suppliers, or customers. By creating an extranet, a company can
provide a location for sharing information with external users. For example, a consulting company could
create an extranet for external customers to view and comment on the consulting company’s progress on
various projects. In many extranet implementations, the external customer network shares a bilateral
connection with the company’s internal network. This bilateral connection not only enables the external
customer to access portions of the company’s internal network, but it also enables portions of the
company’s internal network to access the portions of the external customer’s network.
An extranet is not implemented to provide customers with large-scale computer services. A company could
implement a cloud computing infrastructure to provide large-scale computer services over a vast network,
such as the Internet. Cloud computing allows for access to applications, storage space, and other services
on demand without requiring that the services be installed locally. Cloud computing can be used to replace
or supplement highly utilized local systems. The use of cloud-based services can simplify IT management by
reducing or eliminating the amount of time needed to install, upgrade, and manage services.
An extranet is not implemented to provide internal departments with independent security policies. A
company could implement security contexts on a firewall, such as the Cisco Adaptive Security Appliance
(ASA), to provide internal departments with independent security policies. Security contexts divide a single
ASA into multiple virtual devices with unique policies that can be managed by separate administrative
domains. This division enables a single physical ASA to provide security services for different departments
while keeping the departments logically separated.
An extranet is not implemented to provide internal users with a customized website. Instead, an intranet can
be created to provide internal users with their own website. An intranet provides a location for sharing
information among members of the company. Unlike an extranet, an intranet is typically available only to
internal users.
Reference:
SANS: SANS Institute InfoSec Reading Room: Security Considerations for Extranets (PDF)
Category: Security Concepts

QUESTION 130
Which of the following is the default connection profile that is applied to clientless SSL VPN connections?
(Select the best answer.)

A. DefaultRAGroup
B. DefaultWEBVPNGroup
C. DefaultSSLVPNGroup
D. DefaultL2LGroup

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The DefaultWEBVPNGroup connection profile is the default connection profile that is applied to clientless
Secure Sockets Layer (SSL) virtual private network (VPN) connections. Connection profiles are used to
separate remote VPN users into groups. For example, you can use one connection profile for contractors
and another connection profile for managers, with each profile providing access to different resources. If no
connection profile is associated with a particular user or if the user did not select a connection profile when
the user initiated the VPN connection, the default connection profile will be used. For SSL VPN connections,
the default connection profile is the DefaultWEBVPNGroup profile. You can edit the default connection
profiles, but you cannot delete them.
The DefaultRAGroup connection profile is not the default connection profile for clientless SSL VPN
connections. This profile is the default profile used for full tunneling IP Security (IPSec) VPN connections.
The DefaultL2LGroup connection profile is not the default connection profile for clientless SSL VPN
connections. This profile is the default profile used for IPSec LAN-to-LAN VPN connections.
The DefaultSSLVPNGroup connection profile is not the default connection profile for clientless SSL VPN
connections. This is not a default profile that is provided by Cisco. You can create a connection profile
named DefaultSSLVPNGroup, but it will not be used by default for clientless SSL VPN connections.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 131
You are configuring a connection profile for Cisco AnyConnect SSL VPN users. You have accessed the
Add SSL VPN Connection Profile dialog box in ASDM. You want to configure a group URL for the
connection profile.
On which of the following screens of this dialog box will you be able to accomplish your goal? (Select the
best answer.)

A. the Basic screen
B. the General screen
C. the Authorization screen
D. the SSL VPN screen

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can configure a group Uniform Resource Locator (URL) for the connection profile that you are
configuring for Cisco AnyConnect Secure Sockets Layer (SSL) virtual private network (VPN) users on the
SSL VPN screen of the Add SSL VPN Connection Profile dialog box in Cisco Adaptive Security Device
Manager (ASDM). If you configure a group URL for SSL VPN users, the users can connect to the group
URL and will not be required to select a tunnel group when they establish a connection. In such a scenario,
the user is presented with only user name and password fields on the login screen. The Cisco Adaptive
Security Appliance (ASA) examines the URL from which the user is connecting and automatically applies
the connection profile associated with the URL. Configuring a group URL can help improve security
because the user is not presented with a list of available connection profiles.
To configure a group URL for a new SSL VPN connection profile in ASDM, you should click Configuration,
expand Network (Client) Access, click AnyConnect Connection Profiles, and click Add under Connection
Profiles, which will open the Add SSL VPN Connection Profile dialog box. In the Add SSL VPN Connection
Profile dialog box, expand Advanced and click SSL VPN to open the SSL VPN screen, which is shown in
the following exhibit:
You cannot configure a group URL on the Basic screen of the Add SSL VPN Connection Profile dialog box
in ASDM. On the Basic screen, you can configure the connection profile name, the Authentication,
Authorization, and Accounting (AAA) server group, the default group policy, and client addressing
information, such as Dynamic Host Configuration Protocol (DHCP) servers and IP address pools.
You cannot configure a group URL on the General screen of the Add SSL VPN Connection Profile dialog
box in ASDM. On the General screen, you can enable password management and configure password
expiration notification options.
You cannot configure a group URL on the Authorization screen of the Add SSL VPN Connection Profile
dialog box in ASDM. On the Authorization screen, you can configure an authorization server group and
user name certificate mapping.
Reference:
Cisco: General VPN Setup: Add or Edit SSL VPN Connections > Advanced > SSL VPN

QUESTION 132
You are configuring a connection profile for clientless SSL VPN connections. You have accessed the Add
Clientless SSL VPN Connection Profile dialog box in ASDM.
Which of the following authentication methods can you configure in this dialog box? (Select the best
answer.)

A. only AAA
B. only OTP
C. only digital certificates
D. both AAA and OTP
E. both AAA and digital certificates

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can configure Authentication, Authorization, and Accounting (AAA) and digital certificate authentication
on the Add Clientless SSL VPN Connection Profile dialog box in Cisco Adaptive Security Device Manager
(ASDM). Connection profiles are used to separate remote virtual private network (VPN) users into groups.
For example, you can use one connection profile for contractors and another connection profile for
managers, with each profile providing access to different resources.
You can configure a new connection profile by using ASDM. To configure a new connection profile for
clientless Secure Sockets Layer (SSL) VPN connections by using ASDM, you should click Configuration,
click the Remote Access VPN button, expand Clientless SSL VPN Access, and click Connection Profiles,
which will open the Connection Profiles configuration pane. From this pane, you can view a list of existing
connection profiles and you can create new connection profiles. You should click the Add button under
Connection Profiles in the Connection Profiles screen to create a new connection profile and to open the
Add Clientless SSL VPN Connection Profile dialog box, which is shown in the following exhibit:

In this dialog box, you can configure the connection profile details, including the authentication method to
use, the Domain Name System (DNS) server to use, and the group policy to apply to the connection profile.
There are two authentication methods that are supported: AAA and Certificate. You can configure the
connection profile to use either or both of the methods.
You cannot configure one-time passwords (OTPs) as an authentication method for connection profiles on
the Add Clientless SSL VPN Connection Profile dialog box in ASDM. OTP is a two-factor user
authentication method that typically uses a personal identification number (PIN) in conjunction with code
generated by a hardware or software token. The token is synchronized with a central server and periodically
generates a code. The code is only valid until the next code is generated, which typically occurs in less than
60 seconds.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profile Connection Parameters
for SSL VPN Sessions

QUESTION 133
Which of the following can you mitigate by implementing DAI? (Select the best answer.)

A. ARP poisoning attacks
B. MAC spoofing attacks
C. MAC flooding attacks
D. VLAN hopping attacks

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP)
poisoning attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker
sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker’s Media
Access Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent
to the valid host address will go through the attacker’s computer rather than directly to the intended
recipient.
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN
hopping attacks. In a VLAN hopping attack, an attacker sends double-tagged 802.1Q frames over a trunk link.
A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging
can be used as a legitimate way to tunnel traffic through a network and is commonly used by service
providers, it can also be used by an attacker to circumvent security controls on an access switch. In a VLAN
hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a
trunk and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header
from the received frame and then forwards the frame, which still includes an 802.1Q header, across a trunk
port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send
unidirectional traffic to other VLANs without the use of a router.
Implementing sticky secure MAC addresses can help mitigate MAC spoofing attacks. In a MAC spoofing
attack, an attacker uses the MAC address of another known host on the network in order to bypass port
security measures. MAC spoofing can also be used to impersonate another host on the network.
Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a
MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of
overwhelming the switch’s MAC address table. Once this table is flooded, the switch can no longer make
intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent
through the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a
content addressable memory (CAM) table overflow attack.
Reference:
Cisco: Implementation of Security: ARP Spoofing Attack
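As an added example (not part of the exam dump or of Cisco's own documentation), the following Catalyst configuration applies all four mitigations the explanation names: DAI against ARP poisoning, sticky port security against MAC spoofing, a per-port address limit against MAC flooding, and an unused tagged native VLAN with DTP disabled against VLAN hopping. VLAN numbers and interface names are placeholders. DAI validates ARP packets against the DHCP snooping binding table, so snooping is enabled on the same VLANs first.

```cisco
! Added example (not from the exam dump): Layer 2 mitigations on a Catalyst
! access switch. VLAN and interface numbers are placeholders.
! DAI depends on the DHCP snooping binding table, so snooping comes first.
ip dhcp snooping
ip dhcp snooping vlan 101,201,301

! 1. ARP poisoning -> Dynamic ARP Inspection. ARP packets on untrusted
!    ports are checked against the binding table and dropped on mismatch;
!    the extra checks reject frames whose Ethernet and ARP addresses disagree.
ip arp inspection vlan 101,201,301
ip arp inspection validate src-mac dst-mac ip
ip arp inspection log-buffer entries 512

! 2. MAC spoofing -> port security with sticky addresses: the learned MAC
!    is written into the running config, and a frame from any other source
!    MAC err-disables the port (violation mode shutdown).
! 3. MAC (CAM) flooding -> at most two addresses per access port.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 101
 ip arp inspection limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown

! 4. VLAN hopping -> an unused native VLAN on trunks, tagged on the wire
!    where the platform supports it, and trunking fixed rather than negotiated.
vlan 999
 name NATIVE-UNUSED
interface GigabitEthernet1/0/48
 description Trunk to distribution
 switchport trunk native vlan 999
 switchport trunk allowed vlan 101,201,301
 switchport mode trunk
 switchport nonegotiate
 ip arp inspection trust
 ip dhcp snooping trust
vlan dot1q tag native

! Verification:
! show ip arp inspection vlan 101
! show ip arp inspection statistics vlan 101   (forwarded vs. dropped, by reason)
! show port-security interface GigabitEthernet1/0/1
! show interfaces trunk
```

Hosts with static addresses have no DHCP binding and will be dropped by DAI; add them with ip source binding or an ARP ACL rather than marking their ports trusted.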

QUESTION 134
You have configured a lawful intercept view, five CLI views, and two superviews on a Cisco router. How
many additional CLI views can you create? (Select the best answer.)

A. one
B. two
C. six
D. seven

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can create seven additional command-line interface (CLI) views on a Cisco router if you have already
configured a lawful intercept view, five CLI views, and two superviews. A CLI view enables an administrator
to provide granular access to IOS commands and interfaces to a specific user or group of users. CLI views
can be grouped under a superview to provide access to all of the commands within each view. On hardware
platforms that support it, a single lawful intercept view can be created to provide secure access to a specific
set of commands pertaining to voice calls and their associated Simple Network Management Protocol
(SNMP) data.
The maximum number of CLI views you can create on a Cisco router is 15. This includes one lawful
intercept view and any combination of CLI views and superviews; however, this does not include the root
view, which is created by default and does not count against the number of available views. In this scenario,
you have created eight views: one lawful intercept view, five CLI views, and two superviews. Because you
can configure a maximum of 15 views, you can create only seven more views. Each of the newly created
views could be a CLI view or a superview but could not be a lawful intercept view, because one has already
been created.
Reference:
Cisco: Role-Based CLI Access: Restrictions for Role-Based CLI Access

QUESTION 135
Which of the following statements is true regarding the aaa new-model command? (Select the best answer.)

A. The aaa new-model command must be issued prior to enabling AAA accounting on a router.
B. The aaa new-model command must be issued after enabling AAA authentication on a router.
C. The aaa new-model command configures AAA to work only with RADIUS servers.
D. The aaa new-model command configures AAA to work only with TACACS+ servers.
E. The aaa new-model command has been deprecated in Cisco IOS versions 12.3 and later.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The aaa new-model command must be issued prior to enabling Authentication, Authorization, and
Accounting (AAA) accounting on a router. AAA can be used to control access to a router or switch. Before
configuring authentication, authorization, or accounting using AAA, you must first issue the aaa new-model
command to enable AAA on the device; the aaa authentication, aaa authorization, and aaa accounting
commands cannot be issued until the aaa new-model command is issued. When the aaa new-model
command is issued, local authentication is applied immediately to all router lines and interfaces; any
existing authentication methods are superseded by the aaa new-model command. All future connection
attempts will be authenticated using the method defined in the aaa authentication command.
When implementing AAA, you can configure users to be authenticated against a local database, against a
Remote Authentication Dial-In User Service (RADIUS) server, or against a Terminal Access Controller
Access Control System Plus (TACACS+) server. You are not limited to a single type of authentication with
AAA.
The aaa new-model command has not been deprecated in Cisco IOS versions 12.3 and later. This
command is required in these versions of Cisco IOS in order to implement AAA on a router or a switch.
Reference:
Cisco: Configuring Basic AAA on an Access Server: Enabling AAA
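As an added example (not part of the exam dump or of Cisco's own documentation) covering both this question and the preceding one on CLI views, the following IOS configuration enables AAA with a TACACS+ server and local fallback, then defines two CLI views and a superview. Role-based views require aaa new-model and an enable secret, which is why the two topics belong in one example. Server addresses, keys, usernames and passwords are placeholders.

```cisco
! Added example (not from the exam dump): AAA and role-based CLI views on
! a Cisco IOS router. Addresses, keys, usernames and secrets are placeholders.

! Local fallback account and enable secret first, so enabling AAA cannot
! lock you out if the TACACS+ server is unreachable.
username admin privilege 15 secret PLACEHOLDER_ADMIN_PW
enable secret PLACEHOLDER_ENABLE_PW

! aaa new-model must precede every aaa authentication/authorization/
! accounting command; once entered, local authentication applies to all
! lines immediately.
aaa new-model
tacacs server ACS-1
 address ipv4 10.10.10.5
 key PLACEHOLDER_TACACS_KEY
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
aaa accounting commands 15 default start-stop group ACS-GROUP

! Role-based CLI views: at most 15 views, the lawful intercept view
! included, the root view not counted. Enter "enable view" with the
! enable secret before creating them.
parser view HELPDESK
 secret PLACEHOLDER_VIEW_PW
 commands exec include show ip interface brief
 commands exec include show interfaces
 commands exec include ping
parser view NETOPS
 secret PLACEHOLDER_VIEW_PW2
 commands exec include all show
 commands exec include configure terminal
 commands configure include interface
 commands interface include description
! A superview only groups views; it has its own secret and no commands of its own.
parser view OPS-ALL superview
 secret PLACEHOLDER_SUPER_PW
 view HELPDESK
 view NETOPS
! Bind a local user to a view (TACACS+ can return the view name instead).
username helpdesk1 view HELPDESK secret PLACEHOLDER_HELPDESK_PW

! Verification:
! show parser view all     (from the root view)
! show aaa servers
! test aaa group ACS-GROUP admin PLACEHOLDER_ADMIN_PW legacy
```

Keep one console session open while enabling aaa new-model and test a fresh login from a second session before disconnecting; the "local" keyword at the end of each method list is what makes recovery possible when the server is down.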

QUESTION 136
Which of the following signature microengines typically has the greatest effect on Cisco IOS IPS
performance? (Select the best answer.)

A. atomic-ip
B. normalizer
C. service-http
D. service-smb-advanced
E. string-tcp

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices provided, the string-tcp signature microengine (SME) typically has the greatest effect on
Cisco IOS Intrusion Prevention System (IPS) performance. An SME compiles a specific category of
signatures and loads them into the IPS regular expression table. Within each category is a number of
signatures that can analyze a packet or stream of packets for a particular pattern. For example, the
atomic-ip SME contains signatures that can recognize a pattern in a single packet, whereas the service-http
SME contains signatures than can recognize a pattern in a stream of Hypertext Transfer Protocol (HTTP)
packets. In general, the more of a packet or stream of packets that an SME needs to analyze, the greater
its impact on the available memory and CPU of the router. The string-tcp SME can analyze one or more
Transmission Control Protocol (TCP) packets and search for a particular string of text.
The atomic-ip SME can analyze the Layer 3 and Layer 4 header fields of a single packet. Because the
atomic-ip SME signatures operate on a single packet, they cannot preserve state information between
packets. However, atomic-ip SME signatures do not consume large amounts of memory or CPU resources
like string-based SMEs can consume.
The service-http and service-smb-advanced SMEs can analyze Layer 5 through 7 information for HTTP and
Server Message Block (SMB) network services, respectively. Service SMEs are typically the most
complicated SMEs because they understand and implement a significant portion of the network services for
which they are designed. For example, the service-http SME can effectively mimic the characteristics of a
web server in order to analyze the HTTP payload between a web server and its client. Because service SMEs
have a deep knowledge of their underlying protocols, they can be optimized to decode only particular
portions of a data stream, thereby reducing their impact on the memory and CPU utilization.
The normalizer SME is targeted at fragmented IP datagrams. The normalizer SME reassembles the
fragmented IP datagrams and then analyzes the completed datagram before deciding whether the
datagram should be forwarded or discarded. If the normalizer SME decides that a datagram should be
forwarded but the datagram is too large to transmit, it will refragment the datagram prior to forwarding it. If
the normalizer SME had to analyze fragmented datagrams based on the many different ways that
destination devices might reassemble them, it could consume a significant amount of memory and CPU
resources; however, because the normalizer SME reassembles datagrams without regard to how the target
device will receive them, the process can be optimized with regard to memory and CPU utilization.
Reference:
Cisco: Cisco Intrusion Prevention System Device Manager Configuration Guide for IPS 5.1: Example String
TCP Signature

QUESTION 137
You have configured the password management feature for a tunnel group on an ASA. The ASA is using a
Cisco Secure ACS RADIUS server for AAA authentication.
Which of the following actions will occur after a remote user with an expired password attempts to establish
a VPN connection? (Select the best answer.)

A. The AnyConnect client will display an authentication failed dialog box and will not permit the user to
establish the VPN connection until an admin unlocks the user’s account.
B. The AnyConnect client will display a dialog box that prompts the user for a new password.
C. The AnyConnect client will display a dialog box that prompts the user for both their old password and a
new password.
D. The AnyConnect client will display a dialog box notifying the user that their password has expired but will
permit the user to establish the VPN connection with the expired password.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco AnyConnect virtual private network (VPN) client will display a dialog box that
prompts the user for a new password after a remote user with an expired password attempts to establish a
VPN connection. When a Cisco Adaptive Security Appliance (ASA) is configured to use the password
management feature for a particular tunnel group, the ASA will use Microsoft Challenge Handshake
Authentication Protocol version 2 (MS-CHAPv2) rather than Password Authentication Protocol (PAP) when
communicating with the Remote Authentication Dial-In User Service (RADIUS) server and the AnyConnect
client. MS-CHAPv2 supports password expiry and password change capabilities that are not inherently
supported by PAP or RADIUS. This enables the ASA to understand Radius-Reject messages with password
expiry information instead of simply treating the messages as authentication failure messages. When the
ASA receives the Radius-Reject message with password expiry information, it sends a MODE_CFG
message to the AnyConnect VPN client, causing it to display a dialog box that prompts the user for a new
password. The ASA then forwards the new password to the RADIUS server, and if the new password
meets the configured password requirements, the user is authenticated and the ASA can finish establishing
the VPN connection.
The AnyConnect client will not prevent the user from establishing a VPN connection until an administrator
unlocks the user’s account. Because the password management feature is enabled on the ASA, it has the
capability to prompt the user to update their expired password. However, if the password management
feature was not enabled on the ASA in this scenario, then Radius-Reject messages received from the
RADIUS server would be interpreted as an authentication failure message and users with expired
passwords would be unable to establish VPN connections.
The AnyConnect client will not prompt the user for both their old password and a new password, nor will it
permit the user to establish the VPN connection with an expired password.
Reference:
Cisco: ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP
Configuration Example: ASA with ACS via RADIUS

QUESTION 138
You want to issue the following block of commands on a Cisco ASA:
ASA(config)#nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT
You do not have CLI access to the ASA and must use ASDM instead.
Which of the following samples of the Add NAT Rule dialog box corresponds to the configuration needed to
achieve your goal? (Select the best answer.)
A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following sample of the Add NAT Rule dialog box corresponds to the Cisco Adaptive Security Appliance
(ASA) configuration needed to achieve your goal using Cisco Adaptive Security Device Manager (ASDM):
In the exhibit shown above, the Match Criteria: Original Packet section of the Add NAT Rule dialog box
contains fields that correspond to the interface and IP address information in a matching packet prior to
translation. The Source Interface field specifies the real source interface, the Source Address field specifies
the real source IP address, the Destination Interface field specifies the real destination interface, the
Destination Address field specifies the real destination IP address, and the Service: field specifies the real
protocol port numbers for the original packet. By contrast, the Action: Translated Packet section of the Add
NAT Rule dialog box contains fields that correspond to the mapped interface and IP address information in
a matching packet after translation. The Source NAT Type field specifies the type of Network Address
Translation (NAT), the Source Address field specifies the mapped source IP address, the Destination
Address: field specifies the mapped destination IP address, and the Service: field specifies the mapped
protocol numbers for the translated packet.
The sample Add NAT Rule dialog box configures the ASA to map the real source IP address traffic from
any network attached to the DMZ network to the IP address assigned to the INSIDE interface. In addition,
the mapped destination IP address defined in the INSIDESQLEXT object is mapped to the real destination
IP address defined in the INSIDESQLINT object. The following diagram depicts the translation of the
addresses within matching packets where INSIDESQLEXT has an IP address of 192.168.15.2 and
INSIDESQLINT has an IP address of 192.168.13.2:

You could use the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT
INSIDESQLINT command from global configuration mode to configure the same dynamic NAT rule as
shown in the sample Add NAT Rule dialog box. When the nat command is issued from global configuration
mode, it is referred to as the nat (global) command, and it can be used to configure twice NAT on the ASA.
Twice NAT enables you to specify a mapping for both the source address and the destination address in a
packet. The nat (global) command in this scenario can be used to create a dynamic NAT rule that
translates traffic between the DMZ and INSIDE interfaces of the ASA. The abbreviated syntax to create a
dynamic NAT rule with the nat (global) command is nat (real_interface,mapped_interface) source dynamic
{real_object | any} {mapped_object | interface} destination static {mapped_object | interface} {real_object |
any}.
The following sample of the Add NAT Rule dialog box corresponds to the nat (DMZ, INSIDE) source
dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command:
The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source
dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command:

The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source
dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command:

Reference:
Cisco: Configuring Twice NAT: Configuring Dynamic PAT (Hide)
Cisco: Cisco ASA Series Command Reference: nat (global)
QUESTION 139
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA.
Please click exhibit to answer the following questions.

Exhibit:

Which of the following tunneling protocols are supported by the boson group policy? (Select the best
answer.)

A. only clientless SSL VPN
B. only SSL VPN Client
C. only IPSec
D. both clientless SSL VPN and SSL VPN Client
E. both clientless SSL VPN and IPSec
F. clientless SSL VPN, SSL VPN Client, and IPSec

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The boson group policy supports only IP Security (IPSec) as a tunneling protocol. You can specify the
tunneling protocols that can be used to establish a connection to a tunnel group, which is also known as a
connection profile, either in a group policy or within a user account, depending on whether the tunneling
protocol configuration should be applied to a group or to a single user. When you configure a tunneling
protocol, you can specify one or more of the following four options: Clientless SSL VPN, SSL VPN Client,
IPSec, or L2TP/IPSec.
In this scenario, you can view the tunneling protocols that are configured for the boson group policy by
accessing the group policy information in Cisco Adaptive Security Device Manager (ASDM): click
Configuration, click the Remote Access VPN button, expand Network (Client) Access, click
Group Policies, and double-click the boson group policy, which will open the Edit Internal Group Policy
dialog box. The More Options section on the General pane displays the Tunneling Protocols entry. This
entry for the boson group policy is configured with the IPsec option, which means that the boson group
policy supports only IPSec connections. The following exhibit displays the General pane of the Edit Internal
Group Policy dialog box for the boson group policy:

Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 140
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA.
Please click exhibit to answer the following questions.

Exhibit:
Which of the following IP address ranges will be used to assign addresses to VPN clients who connect by
using the boson connection profile? (Select the best answer.)

A. 10.1.1.50 through 10.1.1.75
B. 10.1.10.50 through 10.1.10.75
C. 192.168.0.100 through 192.168.0.125
D. 192.168.10.100 through 192.168.10.125

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Virtual private network (VPN) clients who connect by using the boson connection profile will be assigned an
IP address in the range from 10.1.1.50 through 10.1.1.75. You can create a local IP address pool on a
Cisco Adaptive Security Appliance (ASA) to deploy IP addresses to remote VPN clients. The IP address
pool can then be applied to Cisco AnyConnect or IP Security (IPSec) connection profiles. To view the IP
address pool that is associated with the boson connection profile in Cisco Adaptive Security Device
Manager (ASDM), you should click Configuration, click the Remote Access VPN button, expand Network
(Client) Access, click IPsec Connection Profiles, and then double-click boson, which will open the Edit IPsec
Remote Access Connection Profile dialog box, as shown in the following exhibit:

The Client Address Pools entry indicates that the boson_remote address pool has been configured for this
connection profile. To view the IP addresses associated with this address pool, you should expand Address
Assignment under Network (Client) Access and then click Address Pools, which will display the Address
Pools pane, as shown in the following exhibit:
On this pane, you can determine that the boson_remote address pool will distribute IP addresses in the
range from 10.1.1.50 through 10.1.1.75.
The boson_internal address pool will distribute IP addresses in the range from 10.1.10.50 through
10.1.10.75. The boson_extranet address pool will distribute IP addresses in the range from 192.168.0.100
through 192.168.0.125. The temporary address pool will distribute IP addresses in the range from
192.168.10.100 through 192.168.10.125. The boson_remote address pool will not distribute IP addresses in
any of these ranges.
Reference:
Cisco: Deploying the AnyConnect Cisco Mobility Client: Configure a method of address assignment

QUESTION 141
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA.
Please click exhibit to answer the following questions.

Exhibit:
Which of the following group policies will be used when a user establishes a VPN connection by using the
boson connection profile? (Select the best answer.)

A. internal
B. temporary
C. DfltGrpPolicy
D. boson

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The boson connection profile will use the boson group policy. When creating an IP Security (IPSec)
connection profile in Cisco Adaptive Security Device Manager (ASDM), you can specify a number of
parameters. For example, you can specify the type of authentication to use and the default group policy to
use for VPN connections made by using the connection profile. This information can be configured or
modified on the Add or Edit IPsec Remote Access Connection Profile dialog box in ASDM. To access this
dialog box in ASDM, you should click Configuration, click the Remote Access VPN button, expand Network
(Client) Access, click IPsec Connection Profiles, and then double-click the connection profile that you want
to view. The Edit IPsec Remote Access Connection Profile dialog box for the boson connection profile is
shown in the following exhibit:

On the Basic pane, you can determine that the Group Policy setting is configured to use the boson group
policy. Thus the boson connection profile will not use the DfltGrpPolicy, the internal, or the temporary group
policies.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Connection Profiles

QUESTION 142
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA.
Please click exhibit to answer the following questions.

Exhibit:
Which of the following will occur when a user attempts to establish a VPN connection to the ASA by using
the boson connection profile and the boson user account? (Select the best answer.)

A. The user will be unable to establish a VPN connection.
B. A banner will be displayed that states “Welcome to Boson Software!”
C. The internal group policy will be applied to the connection.
D. The VPN traffic will be sent by using only VLAN 2.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, a banner will be displayed that states “Welcome to Boson Software!” when a user
attempts to establish a virtual private network (VPN) connection to the Cisco Adaptive Security Appliance
(ASA) by using the boson connection profile and the boson user account. You can configure a banner
message to be displayed when users establish a VPN connection. This information is configured in the
group policy that is associated with the connection profile used to create the connection.
In this scenario, the boson connection profile is associated with the boson group policy. The boson group
policy is configured to inherit the banner settings from the default group policy, DfltGrpPolicy. You can view
the banner settings by clicking Configuration, clicking the Remote Access VPN button, expanding Network
(Client) Access, clicking Group Policies, and double-clicking the boson group policy, which will open the Edit
Internal Group Policy dialog box, as shown in the following exhibit:

Therefore, to determine whether a banner message will be displayed, you should view the details of the
DfltGrpPolicy group policy. By viewing the details of the default group policy, you can determine that a
banner message has been configured that states “Welcome to Boson Software!” The following exhibit
displays the details of the DfltGrpPolicy group policy:
Because the boson group policy inherits the Banner setting, VPN connections made by using connection
profiles that use the boson group policy will display the “Welcome to Boson Software!” banner message.
The boson user will be able to establish a VPN connection. There is nothing in the boson user’s profile
settings that would prevent the user from making a VPN connection. Moreover, the user will also be able to
establish a management session with the ASA, because the boson user has been granted administrative
access to the device.
The internal group policy will not apply to a VPN connection made by using the boson connection profile
and the boson user account. The boson connection profile is associated with the boson group policy, not
the internal group policy.
The VPN traffic will not be sent by using only virtual LAN (VLAN) 2 when a user makes a VPN connection
by using the boson connection profile and the boson user account. Although you can configure VLAN
restrictions for a group policy, none have been configured in this scenario.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attribute

QUESTION 143
You are using ASDM to verify an IPSec VPN configuration made by another administrator on an ASA.
Please click exhibit to answer the following questions.
Exhibit:
Which of the following users have been assigned to use the boson group policy? (Select the best answer.)

A. only jane
B. only john
C. only boson
D. both john and jane
E. john, jane, and boson

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Both the john and jane user accounts have been configured to use the boson group policy. When
configuring a user account, you can specify the group policy to associate with the user account. This is
configured on the VPN Policy pane of the Add or Edit User Account dialog box. You can access the Add or
Edit User Account dialog box in Cisco Adaptive Security Device Manager (ASDM) by clicking Configuration,
clicking the Remote Access VPN button, expanding AAA/Local Users, clicking Local Users, double-clicking
the user, and clicking VPN Policy, as shown in the following exhibit:

For both the john and jane user accounts, the Group Policy setting is configured to use the boson group
policy. You can also view the group policy configuration for all users on the Local Users pane in ASDM. For
example, in the following exhibit, the VPN Group Policy column indicates that only the john and jane user
accounts are configured to use the boson group policy:
Reference:
Cisco: Configuring AAA Servers and the Local Database: Configuring VPN Policy Attributes for a User

QUESTION 144
You manage your company’s Cisco devices by using Telnet. Your supervisor is concerned about
eavesdropping over in-band device management and has asked you to recommend a solution that would
allow you to disable the Telnet servers on each device.
Which of the following are you most likely to recommend as a replacement? (Select the best answer.)

A. SNMPv3
B. SSH
C. SFTP
D. SCP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you will recommend Secure Shell (SSH) as a replacement for Telnet as a method of in-band
management on your company’s Cisco devices. SSH is a virtual terminal (VTY) protocol that can be used to
securely replace Telnet. Telnet is considered to be an insecure method of remote connection because it
sends credentials over the network in clear text. Therefore, you should replace Telnet with an encrypted
application, such as SSH, where possible. Encryption is a method of encoding network traffic so that it
cannot be read in transit. Thus, encryption can be used to defeat eavesdropping attacks.
You are not likely to recommend any version of Simple Network Management Protocol (SNMP) as a
replacement for Telnet. However, if your company were using SNMP version 1 (SNMPv1) or SNMPv2 as a
means of in-band management, you might recommend that your company use SNMPv3 instead. Three
versions of SNMP currently exist. SNMPv1 and SNMPv2 do not provide encryption; password information,
known as community strings, is sent as plain text with messages. SNMPv3 improves upon SNMPv1 and
SNMPv2 by providing encryption, authentication, and message integrity to ensure that the messages are
not tampered with during transmission.
You are not likely to recommend either Secure File Transfer Protocol (SFTP) or Secure Copy (SCP) as a
replacement for Telnet. However, either of those applications could replace File Transfer Protocol (FTP),
which is a protocol that is used to exchange files between devices. FTP transmits all data as clear text. Both
SFTP and SCP transmit information in an encrypted format.
Reference:
Cisco: Cisco Guide to Hardening IOS Devices: Use Secure Protocols When Possible
Cisco: SNMP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches): Versions of
SNMP

QUESTION 145
Which of the following commands should you issue when troubleshooting basic IKE peering to determine
whether PSKs are present and matching on both peers? (Select the best answer.)

A. ping
B. traceroute
C. show crypto isakmp policy
D. debug crypto isakmp

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the debug crypto isakmp command to determine whether pre-shared keys (PSKs) are
present and matching on both peers. If there is a PSK mismatch between the peers, you will see the 1d00h:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
debug error message. If a PSK is missing on one of the peers, you will see the
1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.11.12.13 is missing
debug error message. To create a PSK, issue the crypto isakmp key key {address ip-address [mask] |
hostname name} [no-xauth] command.
When troubleshooting basic Internet Key Exchange (IKE) peering, you should perform the following steps:
1. Verify that the peers can reach each other.
2. Verify that the IKE policies match on both peers.
3. Verify that the peers successfully authenticate each other.

To verify that the peers can reach each other, you can issue the ping command. A successful ping indicates
that connectivity between the peers exists. If the ping is not successful, you can issue the traceroute
command to see where the fault is occurring along the path between the two peers.
To verify that the IKE policies match on both peers, you can issue the show crypto isakmp policy command
to display the IKE phase 1 policy settings that are configured on the router, including the encryption
algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) key exchange mechanism, and
security association (SA) lifetime. The following displays sample output from the show crypto isakmp policy
command:

RouterA#show crypto isakmp policy

Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit

To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter
ISAKMP policy configuration mode, where you can issue the following commands:
- authentication
- encryption
- group
- hash
- lifetime
You can issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is
occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 will
appear when there is a phase 1 policy mismatch between the peers.
To verify that the peers successfully authenticate each other, you should issue the debug crypto isakmp
command. If the PSKs are present and matching on both peers, the IKE SA should establish successfully
and communication between the sites should occur.
Reference:
Cisco: IPsec Troubleshooting: Understanding and Using debug Commands: debug crypto isakmp
Cisco: Configuring Internet Key Exchange Version 2 (IKEv2): Example How a Policy Is Matched
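An added triage helper for the three-step procedure above (example code, not part of the exam explanation or of any Cisco tool): it scans debug crypto isakmp output for the three failure messages quoted in the explanation and reports which troubleshooting step each one sends you back to. The sample debug lines are constructed to resemble IOS output.

```python
"""Triage helper for 'debug crypto isakmp' output. Added example, not from the
exam explanation or from Cisco: it recognises the three IKE phase 1 failure
messages quoted above and points back to the troubleshooting step to revisit.
The sample debug lines at the bottom are constructed to resemble IOS output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOS syslog mnemonics quoted in the explanation; the peer address is captured
# where the message carries one. The policy-mismatch line names no peer.
PATTERNS = {
    "psk_missing": re.compile(
        r"%CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at (\S+) is missing"),
    "psk_mismatch": re.compile(
        r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (\S+) failed its sanity check or is malformed"),
    "policy_mismatch": re.compile(
        r"ISAKMP \(\d+:\d+\): atts are not acceptable\. Next payload is \d+"),
}

# Which of the three troubleshooting steps each message sends you back to.
STEP_FOR = {
    "psk_missing": (3, "no PSK configured for this peer; add one with crypto isakmp key"),
    "psk_mismatch": (3, "PSKs differ between the peers; re-enter the same key on both"),
    "policy_mismatch": (2, "IKE phase 1 policies differ; compare show crypto isakmp policy on both peers"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    peer: Optional[str]
    step: int
    advice: str


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for a recognised failure line, or None for any other line."""
    for kind, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            peer = match.group(1) if match.groups() else None
            step, advice = STEP_FOR[kind]
            return Finding(kind, peer, step, advice)
    return None


def triage(debug_output: str) -> List[Finding]:
    """One Finding per recognised failure line, in the order they were logged."""
    return [f for f in (classify_line(line) for line in debug_output.splitlines()) if f]


def earliest_failed_step(findings: List[Finding]) -> Optional[int]:
    """Lowest-numbered step implicated: the steps must pass in order, so a policy
    mismatch (step 2) has to be fixed before PSK problems (step 3) are meaningful."""
    return min((f.step for f in findings), default=None)


# Constructed sample: a phase 1 policy mismatch followed by both PSK messages.
SAMPLE_DEBUG = """\
1d00h: ISAKMP (0:1): processing SA payload. message ID = 0
1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0
1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.11.12.13 is missing
1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_DEBUG):
        print(f"step {finding.step} [{finding.kind}] peer={finding.peer}: {finding.advice}")
```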

QUESTION 146
Your company has installed and configured a Sourcefire device. You want to reduce false positives from a
trusted source.

Which of the following could you do? (Select 2 choices.)

A. Configure an Allow action with an Intrusion Policy.


B. Configure a Block action with an Intrusion Policy.
C. Configure a Trust action.
D. Configure an Allow action without an Intrusion Policy.
E. Configure a Block action without an Intrusion Policy.
F. Configure a Monitor action.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You could configure a Sourcefire Allow action without an Intrusion Policy to reduce false positives from a
trusted source. Alternatively, you could configure a Trust action. A false positive occurs when an intrusion
detection system (IDS) or intrusion prevention system (IPS) identifies non-malicious traffic as malicious.
Sourcefire devices are commercial Cisco IDSs based on the open-source IDS known as Snort.
A Sourcefire device can match traffic based on a number of conditions, including security zones, networks,
virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators (URLs), or
users. The Sourcefire is also capable of handling traffic matching a given condition by applying an action, or
rule, to the traffic. The actions that are supported by a Sourcefire include all of the following:
- Monitor
- Trust
- Block
- Interactive Block
- Allow
Configuring actions is a step in configuring granular access control rules, which in turn is part of developing
an Access Control Policy.
A Sourcefire can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs
when an Intrusion Policy is applied to this action. Applying an action without an Intrusion Policy performs the
given action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an
Allow action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic
from generating a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to
permit all but malicious traffic that matches a given condition.
The Trust action allows traffic to pass uninspected and not logged. Therefore, the Trust action can never
prevent malicious traffic from passing through the Sourcefire and will never generate false positives.
You cannot configure a Block action with an Intrusion Policy. In addition, you should not configure a Block
action to prevent false positives in this scenario. The Block action blocks traffic and does not perform any
type of inspection.
You do not need to configure a Monitor action. The Monitor action does not determine whether traffic is
blocked or allowed based on a matching condition; its purpose is to track traffic from the network. This
action is primarily used to log all traffic that connects to the Sourcefire. The Monitor action will log the traffic
even if it does not match any other condition and is not allowed to pass.
Reference:
Cisco: Options to Reduce False Positive Intrusion Events: 2. Trust or Allow Rule
Cisco: FireSIGHT System User Guide Version 5.4.1: Using Rule Actions to Determine Traffic Handling and
Inspection

QUESTION 147
Which of the following is a reason to use the round-robin assignment feature of dynamic PAT addresses?
(Select the best answer.)

A. You want to send traffic to more than one remote device.
B. You want to map a single internal IP address to a single routable IP address.
C. You want to prevent the misinterpretation of traffic as a DoS attack.
D. You want to use a single mapped routable address.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You would use the round-robin assignment feature of dynamic Port Address Translation (PAT) addresses if
you want to prevent the misinterpretation of traffic as a Denial of Service (DoS) attack. Dynamic PAT is a
form of Network Address Translation (NAT) that enables IP source addresses to be translated from many
unique IP addresses to one of a pool of routable IP addresses. NAT is most often used to conserve routable
IP addresses on the public side of a NAT router. When PAT is configured, an inside local address, along
with a port number, is typically mapped to a single inside global address. The NAT router uses port
numbers to keep track of which packets belong to each host.
Dynamic PAT is capable of mapping internal source addresses to more than one routable IP address.
Some security appliances could mistake a large number of packets from a single IP address as a DoS
attack attempt. Therefore, dynamic PAT supports the use of round-robin to enable internal IP source
addresses to map to more than just one routable IP source address. By using dynamic PAT’s round-robin
assignment of IP addresses, the risk of misidentification of large amounts of traffic as a DoS attack can be
mitigated.
You could use PAT if you wanted to translate many internal addresses to a single routable IP address.
However, you would not need to use the dynamic PAT round-robin feature to achieve this task. Round-robin
is used to cycle through a pool of routable IP addresses instead of translating to a single routable IP
address.
You would use static NAT to map a single internal IP address to a single routable IP address. Static NAT
translates a single inside local IP address to a single inside global IP address; the static mapping is
permanently present in the NAT translation table. It is therefore possible for someone on an outside network
to access a device on an inside network by using its inside global IP address.
You would not need to use dynamic PAT if you want to send traffic to more than one remote device. PAT
neither specifically enables nor specifically prevents the sending of traffic from one device to multiple
remote devices.
Reference:
Cisco: Information About NAT: Dynamic PAT: Dynamic PAT Disadvantages and Advantages

QUESTION 148
You are configuring manual NAT on a Cisco Firepower device.
Which of the following best describes the order in which the NAT rules will be processed? (Select the best
answer.)

A. on a first-match basis in the order that they appear in the configuration
B. the most general rules first followed by the most specific rules
C. static rules first followed by dynamic rules
D. shortest prefix first followed by longer prefixes

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Firepower will process the Network Address Translation (NAT) rules on a first-match basis in the order
that they appear in the configuration if you are configuring manual NAT. There are two methods of
implementing NAT on a Cisco Firepower device: manual NAT and auto NAT. Of the two methods, auto
NAT is the simplest to configure because NAT rules are configured as components of a network object.
Both source and destination addresses are compared to the rules within the object. Manual NAT, on the
other hand, enables you to specify both the source address and the destination address of a mapping in a
single rule. Therefore, you can configure more granular mapping rules by using manual NAT.
Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided
into three sections. Section 1 and Section 3 contain manual NAT rules, with Section 1 containing the most
specific manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto
NAT rules.
When the Firepower matches traffic to the NAT translation table, manual NAT rules in Section 1 are
processed first and in the order in which they were configured. Manual NAT rules are added to Section 1 by
default. If a match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of
the manual NAT rules in Section 1, the auto NAT rules in Section 2 are processed.
Auto NAT rules are automatically ordered by the device. Regardless of the order in which you configured
the rules in the network object, auto NAT will always attempt to match static rules before dynamic rules. In
addition, auto NAT will always attempt to match the longest address prefix first, meaning that the rule that
contains the smallest quantity of real IP addresses will be processed before rules containing a larger
quantity of real IP addresses. Therefore, a static NAT mapping that matches 10.10.10.0/24 will be
processed before a dynamic NAT mapping that matches 10.10.10.10/32, even though the 10.10.10.10/32
address has a longer prefix. If the traffic matches one of the auto NAT rules, rules in Section 3 are ignored.
If the traffic does not match any of the auto NAT rules, the device will next attempt to match the traffic to the
Section 3 manual NAT rules.
Similar to Section 1, the manual NAT rules in Section 3 are processed in the order that they appear in the
configuration. However, you must specifically place manual NAT rules in this section because the device
will not automatically place manual NAT rules there. Cisco recommends that the most general manual NAT
rules be placed in this section, with the most specific of those general rules configured first.
Reference:
Cisco: Firepower Management Center Configuration Guide, Version 6.0.1: NAT Rule Order
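A model of the three-section rule table described above, as an added example that is not Cisco code and not part of the exam explanation: Section 1 and Section 3 keep manual NAT rules in configuration order, Section 2 holds auto NAT rules sorted the way the explanation describes (static before dynamic, fewest real addresses first), and a first-match lookup stops at the first hit. The Section 1 entry is the twice NAT rule from QUESTION 138 with INSIDESQLEXT 192.168.15.2 and INSIDESQLINT 192.168.13.2; the rule names, the interface addresses, the 10.10.10.20/32 object and the packets are constructed.

```python
"""NAT rule table model for QUESTION 138 and QUESTION 148. Added example, not
Cisco code: rule names, interface addresses and the 10.10.10.20/32 object are
constructed; 10.10.10.0/24, 10.10.10.10/32 and the SQL objects come from the text."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")


@dataclass
class NatRule:
    name: str
    kind: str                        # "static" or "dynamic"
    real_src: IPv4Network            # real source addresses the rule matches
    section: int = 2                 # 1 or 3 = manual (twice) NAT, 2 = auto NAT
    real_ifc: Optional[str] = None   # interface the real source sits behind
    mapped_ifc: Optional[str] = None
    mapped_src: Optional[str] = None          # "interface" or a mapped address
    mapped_dst: Optional[IPv4Network] = None  # destination as the real source sees it
    real_dst: Optional[IPv4Network] = None    # address the packet is delivered to

    def matches(self, src: str, dst: str, in_ifc: str) -> bool:
        """Auto NAT rules are matched on the real source only in this model; the
        destination check applies to twice NAT rules that carry a destination mapping."""
        if self.real_ifc is not None and in_ifc != self.real_ifc:
            return False
        if ip_address(src) not in self.real_src:
            return False
        if self.mapped_dst is not None and ip_address(dst) not in self.mapped_dst:
            return False
        return True


def auto_nat_key(rule: NatRule):
    """Device ordering for Section 2: static before dynamic, then the rule with the
    fewest real addresses (longest prefix) first. Further tie-breakers are omitted."""
    return (0 if rule.kind == "static" else 1, rule.real_src.num_addresses)


def build_table(manual: List[NatRule], auto: List[NatRule]) -> List[NatRule]:
    """Section 1 and Section 3 keep configuration order; Section 2 is sorted."""
    section1 = [r for r in manual if r.section == 1]
    section2 = sorted(auto, key=auto_nat_key)
    section3 = [r for r in manual if r.section == 3]
    return section1 + section2 + section3


def first_match(table: List[NatRule], src: str, dst: str, in_ifc: str) -> Optional[NatRule]:
    """First-match lookup: once a rule matches, later sections are ignored."""
    for rule in table:
        if rule.matches(src, dst, in_ifc):
            return rule
    return None


def translate(rule: NatRule, src: str, dst: str, ifc_addrs: dict):
    """Rewrite addresses under a matched twice NAT rule. 'interface' as the mapped
    source means the mapped interface's own address; real_dst is assumed to be a
    single-host object, as INSIDESQLINT is in the exhibit."""
    new_src = ifc_addrs[rule.mapped_ifc] if rule.mapped_src == "interface" else src
    new_dst = str(rule.real_dst.network_address) if rule.real_dst is not None else dst
    return new_src, new_dst


# nat (DMZ,INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT
DMZ_TO_SQL = NatRule("dmz_to_sql", "dynamic", ANY, section=1, real_ifc="DMZ",
                     mapped_ifc="INSIDE", mapped_src="interface",
                     mapped_dst=ip_network("192.168.15.2/32"),
                     real_dst=ip_network("192.168.13.2/32"))
# Constructed catch-all rule placed deliberately in Section 3.
GENERAL_PAT = NatRule("general_pat", "dynamic", ANY, section=3,
                      mapped_ifc="OUTSIDE", mapped_src="interface")
# Auto NAT rules in the order an administrator might have configured them; the
# mapped side of these rules is not modelled, only their ordering.
AUTO_RULES = [
    NatRule("obj_dyn_host", "dynamic", ip_network("10.10.10.10/32")),
    NatRule("obj_static_net", "static", ip_network("10.10.10.0/24")),
    NatRule("obj_static_host", "static", ip_network("10.10.10.20/32")),  # constructed
]
INTERFACE_ADDRS = {"INSIDE": "192.168.13.1", "OUTSIDE": "203.0.113.1"}  # constructed

TABLE = build_table([DMZ_TO_SQL, GENERAL_PAT], AUTO_RULES)


def table_order(table: List[NatRule] = TABLE) -> List[str]:
    """Rule names in the order the device evaluates them."""
    return [r.name for r in table]


if __name__ == "__main__":
    print(table_order())
    hit = first_match(TABLE, "172.16.0.5", "192.168.15.2", "DMZ")
    print(hit.name, translate(hit, "172.16.0.5", "192.168.15.2", INTERFACE_ADDRS))
```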

QUESTION 149
Which of the following is least likely to be considered a form of malware? (Select the best answer.)

A. bots
B. DDoS
C. Trojan horses
D. viruses

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, a Distributed Denial of Service (DDoS) attack is least likely to be considered a
form of malware. Malware, which is a term formed from the combination of the words malicious and
software, is unwanted software that is specifically designed to be malicious. Malware can damage or disrupt
systems, steal information from a user, or perform other unwanted and malicious actions.
A DDoS attack is a coordinated Denial of Service (DoS) attack that uses multiple attackers to target a single
host. For example, a large number of zombie hosts in a botnet could flood a target device with packets.
Because the flood of packets originates from multiple hosts and typically targets public services, such as
the web service, the target device might not detect the attack. If enough packets are sent to the target
device within a short period of time, the target will be unable to respond to legitimate packets because it is
waiting for a response to each of the requests originated by the attacker.
Bots are forms of malware. A bot is a type of automated software that can be used as a remote command
and control tool to exploit a compromised system for malicious purposes. For example, a botnet is a
network of bots on compromised systems that can be used to carry out coordinated attacks, such as a
DDoS attack.
Viruses are forms of malware. A virus is a type of software that can make copies of itself and inject them
into other software. Viruses can therefore spread across systems and networks. The level of damage that
can be inflicted by a virus ranges from annoyances to destruction of data.
Trojan horses are forms of malware. A Trojan horse is a malicious program that entices the user to execute
it by appearing to be a legitimate application. Trojan horses can be used to annoy users, steal information,
destroy data, or install back doors.
Reference:
Cisco: What Is the Difference: Viruses, Worms, Trojans, and Bots?

QUESTION 150
Which of the following occurs when an IDS or IPS does not identify malicious traffic that enters the
network? (Select the best answer.)

A. a false positive
B. a false negative
C. a true positive
D. a true negative

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A false negative occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) does
not identify malicious traffic that enters the network. False negatives can often lead to disastrous network
security problems. To properly secure a network, you should reduce the number of false negatives as much
as possible by fine-tuning IDS and IPS rules, even if more false positives are reported. Penetration testing
can help determine when an IDS or IPS is not detecting a genuine attack.
A false positive occurs when an IDS or IPS identifies nonmalicious traffic as malicious. Tuning must be
performed to minimize the number of false positives while eliminating false negatives. Not only can too
many false positives overburden a router, they can also overburden a network administrator because false
positives must usually be verified as harmless.
A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a
true positive occurs when a virus or an attack is identified and the appropriate action is taken.
A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a
true negative occurs when an administrator correctly enters a password or when Hypertext Transfer
Protocol (HTTP) traffic is sent to a web server.
Reference:
Cisco: Cisco Secure IPS Excluding False Positive Alarms: False Positive and False Negative Alarms

QUESTION 151
Which of the following lost or stolen device options are available to employees when MDM is integrated with
ISE? (Select 3 choices.)

A. report device as lost or stolen
B. initiate a PIN lock
C. initiate a full or corporate wipe
D. quarantine the device
E. revoke the device’s digital certificate

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine
(ISE), employees have the ability to report a device as lost or stolen, initiate a personal identification number
(PIN) lock, or initiate a full or corporate wipe. A corporate wipe, which is also known as a selective wipe,
removes only corporate data and applications from the device. A full wipe, which is also known as a factory
reset, removes all data from the device. An employee is also capable of reinstating a device to gain access
without having to reregister the device with ISE. Each of these options is available to the employee by using
ISE’s My Devices portal.
ISE is a next-generation Authentication, Authorization, and Accounting (AAA) platform with integrated
posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM
frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with
native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The
supplicants act as agents that enable you to perform various functions on the network device, such as
installing software or locking the screen with a PIN lock.
Only ISE administrators can quarantine a device and revoke the device’s digital certificate. However,
administrators are also capable of performing wipes and PIN locks without user notification or intervention.
Unlike employees, who initiate full wipes or corporate wipes by using the My Devices portal, an
administrator initiates a wipe or a PIN lock by using the ISE Endpoints screen. Whether an administrator
can initiate a full wipe or a corporate wipe depends on the MDM server policies and configuration. In a Bring
Your Own Device (BYOD) environment, administrators will most likely be able to perform only a corporate
wipe or a PIN lock on a device. If the device is a corporate device that an employee is simply allowed to
use, an administrator might be able to perform a full wipe from the Endpoints screen by selecting Full Wipe
from the MDM Access dropdown menu. Administrators can additionally force connected devices off the
network, add devices to the Blacklist Identity Group, and disable the device’s RSA SecurID token.
Reference:
Cisco: Managing a Lost or Stolen Device (PDF)
Cisco: Managing Network Devices: Wiping or Locking a Device
Category: Secure Access

QUESTION 152
Which of the following private VLAN port types communicate only with promiscuous ports? (Select the best
answer.)

A. community ports
B. isolated ports
C. SPAN ports
D. promiscuous ports

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Isolated private virtual LAN (VLAN) ports can communicate only with promiscuous ports. Private VLANs can
be configured on a switch to help isolate traffic within a VLAN. Private VLANs can provide Layer 2
separation between ports that belong to the same VLAN. Because the separation exists at Layer 2, the
hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN. To
create a private VLAN, you must create secondary VLANs and associate them with the primary VLAN.
Community private VLAN ports can communicate with promiscuous ports and with other ports that belong
to the same community. However, they cannot communicate with isolated ports or with ports that belong to
other communities. Promiscuous ports can communicate with all other private VLAN port types.
Switch Port Analyzer (SPAN) ports are not a private VLAN port type. SPAN is a means of monitoring traffic
on a switch by copying packets from a source port to a monitored port or mirrored port.
Reference:
Cisco: Configuring Isolated Private VLANs on Catalyst Switches: Background Theory
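The three port types described above, as an added configuration example that is not part of the original question or the Cisco reference. The VLAN numbers (primary 100, isolated 200, community 300) and the interface names are assumed for illustration:

```cisco
! Added example: private VLANs on a Catalyst switch (assumed VLAN IDs and interfaces)
! Secondary VLANs are created first, then associated with the primary VLAN
vlan 200
 private-vlan isolated
vlan 300
 private-vlan community
vlan 100
 private-vlan primary
 private-vlan association 200,300
!
! Isolated host port: talks only to the promiscuous port, never to other isolated ports
interface GigabitEthernet1/0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 200
!
! Community host ports: talk to each other and to the promiscuous port,
! but not to isolated ports or to other communities
interface range GigabitEthernet1/0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 300
!
! Promiscuous port toward the default gateway: reaches every secondary VLAN
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 200,300
```

Two checks worth doing after applying this: `show vlan private-vlan` confirms the primary/secondary associations, and a ping between the two community hosts should succeed while a ping from the isolated host to either community host should fail, even though all of them share the primary VLAN's IP subnet. On switches running VTP version 1 or 2, the switch must be in VTP transparent mode before private VLANs can be configured.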

QUESTION 153
On which of the following layers of the hierarchical network design model should you implement PortFast,
BPDU guard, and root guard? (Select the best answer.)

A. only on core layer ports
B. only on distribution layer ports
C. only on access layer ports
D. only on core and distribution layer ports
E. on core, distribution, and access layer ports

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should implement PortFast, BPDU guard, and root guard only on access layer ports. PortFast, BPDU
guard, and root guard are enhancements to Spanning Tree Protocol (STP). The access layer is the network
hierarchical layer where end-user devices connect to the network. The distribution layer is used to connect
the devices at the access layer to those in the core layer. The core layer, which is also referred to as the
backbone, is used to provide connectivity to devices connected through the distribution layer.
PortFast reduces convergence time by immediately placing user access ports into a forwarding state.
PortFast is recommended only for ports that connect to end-user devices, such as desktop computers.
Therefore, you would not enable PortFast on ports that connect to other switches, including distribution
layer ports and core layer ports. To enable PortFast, issue the spanning-tree portfast command from
interface configuration mode.
BPDU guard disables ports that erroneously receive bridge protocol data units (BPDUs). User access ports
should never receive BPDUs, because user access ports should be connected only to end-user devices, not
to other switches. When BPDU guard is applied, the receipt of a BPDU on a port with BPDU guard enabled
will result in the port being placed into a disabled state, which prevents loops from occurring. To enable
BPDU guard, issue the spanning-tree bpduguard enable command from interface configuration mode.
Root guard is used to prevent newly introduced switches from being elected as the root. The device with the
lowest bridge priority is elected the root. If an additional device is added to the network with a lower priority
than the current root, it will become the new root. However, this could cause the network to reconfigure in
unintended ways, particularly if an access layer switch were to become the root. To prevent this, root guard
can be applied to ports that connect to other switches in order to maintain control over which switch is the
root. Root guard is applied on a per-port basis with the spanning-tree guard root command.
Reference:
Cisco: Campus Network for High Availability Design Guide: Spanning Tree Protocol Versions
Cisco: Campus Network for High Availability Design Guide: Best Practices for Optimal Convergence
Category: Security Concepts
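The three STP enhancements described above on one access layer switch, as an added configuration example that is not part of the original question or the Cisco design guide. The interface ranges, VLAN 10, and the recovery interval are assumed for illustration:

```cisco
! Added example: STP hardening on an access layer switch (assumed interfaces and VLAN)
! User access ports: PortFast for fast convergence, BPDU guard to err-disable
! the port if a switch (or a host bridging two NICs) ever sends a BPDU
interface range GigabitEthernet1/0/1 - 22
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Equivalent global form: every PortFast-enabled port gets BPDU guard
spanning-tree portfast bpduguard default
!
! Port that connects to a small downstream workgroup switch that must never
! become root: root guard, and no PortFast because a switch is attached
interface GigabitEthernet1/0/23
 switchport mode access
 switchport access vlan 10
 spanning-tree guard root
!
! Bring a BPDU-guard err-disabled port back automatically after 5 minutes
! so that a single stray BPDU does not require a manual shutdown/no shutdown
errdisable recovery cause bpduguard
errdisable recovery interval 300
```

Root guard belongs on ports that face switches which are not supposed to be root; it should not be placed on the uplink toward the intended root bridge, because the superior BPDUs arriving there would put that uplink into the root-inconsistent state. `show spanning-tree inconsistentports` lists ports that root guard has blocked, and `show interfaces status err-disabled` lists ports that BPDU guard has shut down.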

QUESTION 154
Which of the following is the man-in-the-middle attack that is most likely to be used to cause a workstation
to send traffic to a false gateway IP address? (Select the best answer.)

A. ARP spoofing
B. DHCP spoofing
C. MAC spoofing
D. switch spoofing

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Dynamic Host Configuration Protocol (DHCP) spoofing is the man-in-the-middle attack that is most likely to be
used to cause a workstation to send traffic to a false gateway IP address. In a DHCP spoofing attack, a
rogue DHCP server is attached to the network in an attempt to intercept DHCP requests. The rogue DHCP
server can then respond to the DHCP requests with its own IP address as the default gateway address so
that all traffic is routed through the rogue DHCP server. DHCP snooping is a security technique that can be
used to mitigate DHCP spoofing.
In an Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack,
the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the
attacker's Media Access Control (MAC) address with the IP address of a valid host on the network.
Subsequently, traffic sent to the valid host address will go to the attacker's computer rather than to the
intended recipient.
MAC spoofing makes network traffic from a device look as if it is coming from a different device. MAC
spoofing is often implemented to bypass port security by making a device appear as if it were an authorized
device. Malicious users can also use MAC spoofing to intercept network traffic that should be destined for a
different device. ARP cache poisoning, content addressable memory (CAM) table flooding, and Denial of
Service (DoS) attacks can all be performed by MAC spoofing.
Switch spoofing is a virtual LAN (VLAN) hopping attack that is characterized by using Dynamic Trunking
Protocol (DTP) to negotiate a trunk link with a switch port in order to capture all traffic that is allowed on the
trunk. In a switch spoofing attack, the attacking system is configured to act like a switch with a trunk port.
This enables the attacking system to become a member of all VLANs, which enables the attacker to send
and receive traffic among the other VLANs.
Reference:
Cisco: DHCP Snooping: Overview of DHCP Snooping
Juniper Networks: Preventing DHCP Spoofing
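DHCP snooping, the mitigation named above for DHCP spoofing, as an added configuration example that is not part of the original question or the referenced documents. VLAN 10, the interface names, and the rate limit are assumed; the last stanza goes beyond the question by showing Dynamic ARP Inspection, which reuses the snooping binding table to address the ARP spoofing attack also described in this explanation:

```cisco
! Added example: DHCP snooping on an access switch (assumed VLAN and interfaces)
ip dhcp snooping
ip dhcp snooping vlan 10
! Leave option 82 off unless the DHCP server is configured to expect it
no ip dhcp snooping information option
!
! Uplink toward the legitimate DHCP server: the only port allowed to
! send DHCPOFFER/DHCPACK into VLAN 10
interface GigabitEthernet1/0/25
 ip dhcp snooping trust
!
! User access ports stay untrusted (the default): server messages from a rogue
! DHCP server here are dropped. The rate limit blunts DHCP starvation floods.
interface range GigabitEthernet1/0/1 - 24
 ip dhcp snooping limit rate 15
!
! Dynamic ARP Inspection validates ARP replies against the snooping
! binding table, so a gratuitous ARP claiming the gateway's IP is dropped
ip arp inspection vlan 10
interface GigabitEthernet1/0/25
 ip arp inspection trust
```

After a client obtains a lease, `show ip dhcp snooping binding` shows the MAC/IP/VLAN/port entry that both features rely on, and `show ip dhcp snooping` confirms which ports are trusted. A port that exceeds the rate limit is err-disabled, so pair the limit with `errdisable recovery cause dhcp-rate-limit` if automatic recovery is wanted.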

QUESTION 155
On a Cisco ASA, which of the following RADIUS authentication protocols are not supported? (Select 2
choices.)

A. CHAP
B. EAP-MD5
C. PAP
D. PEAP
E. MSCHAPv1
F. MSCHAPv2

Correct Answer: BD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Neither Extensible Authentication Protocol (EAP)-Message Digest 5 (MD5) nor Protected EAP (PEAP) are
supported by the Remote Authentication Dial-In User Service (RADIUS) server on a Cisco Adaptive Security
Appliance (ASA). RADIUS is an Authentication, Authorization, and Accounting (AAA) server that uses User
Datagram Protocol (UDP) for packet delivery.
RADIUS and Terminal Access Controller Access Control System Plus (TACACS+) server groups on a
Cisco ASA support Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP version 1
(MSCHAPv1), and Password Authentication Protocol (PAP). A Cisco ASA supports a number of different
AAA server types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol (LDAP), Kerberos,
and RSA Security Dynamics, Inc. (SDI) servers.
When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MSCHAPv1
When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MSCHAPv1
- MSCHAP version 2 (MSCHAPv2)
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)
Reference:
Cisco: Configuring AAA Servers and the Local Database: RADIUS Server Support
Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support

QUESTION 156
Which of the following is the best reason to enforce blacklisting by security zone on a Cisco device that
uses the Security Intelligence IP Address Reputation feature? (Select the best answer.)

A. to streamline performance of the IPS device
B. to ensure that local hosts can communicate with a given IP address
C. to validate a blacklist feed that has been obtained from a third party
D. to manually control which networks are blocked by the IPS

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you would enforce blacklisting by security zone to streamline performance of the intrusion
prevention system (IPS) device. Enforcing blacklisting by security zone can be used to enhance the
performance of a Security Intelligence device by limiting the blacklisting to the specific security zones that
process the given traffic. For example, the blacklisting of IP addresses that send email traffic could be
restricted to a Security Zone that handles only email traffic.
You would configure the monitor-only setting if you wanted to validate a blacklist feed that has been obtained
from a third party. Security Intelligence devices, such as a Cisco Sourcefire IPS, are capable of accepting
manually imported lists of network addresses or feeds from third parties. Such devices can block IP
addresses or networks based on their reputation, which mitigates device overhead that comes from having
to analyze traffic from those networks. The monitor-only setting enables traffic from networks that are listed
within a given feed to be analyzed by the Security Intelligence device, but also logs the fact that the given
network matches the third-party feed. This enables an administrator to review the logs and the analysis of
traffic from networks on the feed to determine the validity of the feed.
You would add IP addresses to a custom whitelist to ensure that local hosts can communicate with a given
IP address. On Security Intelligence devices, whitelists can be used to override blacklisted IP addresses.
Whitelists can thus be used to enable communication with legitimate IP addresses that are listed on
third-party feeds or other blacklists that might be too broadly defined. From an administrative overhead
standpoint, you should first validate the feed, then implement the feed, and finally add IP addresses or
networks to the whitelist as necessary.
You would configure a custom blacklist to manually control which networks are blocked by the IPS. Security
Intelligence devices allow the creation of custom blacklists so that you can manually block specific IP
addresses or networks.
Reference:
Cisco: Blacklisting Using Security Intelligence IP Address Reputation: Choosing a Security Intelligence
Strategy

QUESTION 157
Which of the following is not true of SIM systems? (Select the best answer.)

A. They perform real-time threat detection.
B. They focus on policy and standards compliance.
C. They consolidate logs to a central server.
D. They analyze log data and report findings.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Security Information Management (SIM) systems do not perform real-time analysis and detection. SIM
systems are focused more on the collection and analysis of logs in a non-real-time fashion. For example, a
SIM system might centralize logging on a single device for review and analysis. Some SIM systems also
provide assessment tools that can flag potentially threatening events.
Security Event Management (SEM) systems perform real-time analysis and detection. SEM systems
typically analyze log data from a number of sources. Some systems also incorporate incident handling tools
that enable administrators to more effectively mitigate threats when they occur.
A Security Information and Event Management (SIEM) system combines both the real-time aspects of a
SEM system and the in-depth analysis and timeline generation of a SIM system. Therefore, a SIEM system
is a hybrid of a SIM system and a SEM system.
Reference:
SANS: IDFAQ: What is The Role of a SIEM in Detecting Events of Interest?
Search Security: Tech Target: security information and event management (SIEM)

QUESTION 158
In the Cisco ISE GUI, you click Administration > Certificates > Certificate Store and notice that a SCEP
NDES server RA certificate is installed on the ISE node.
Which of the following best describes the reason the certificate is there? (Select the best answer.)

A. The ISE is a SCEP proxy for a Windows CA.
B. The ISE is a CA for the Windows AD domain.
C. The ISE has been compromised, and the CA chain has been altered.
D. The ISE requires the CA in order to mitigate a Windows Server SCEP bug.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Cisco Identity Services Engine (ISE) is a Simple Certificate Enrollment Protocol (SCEP) proxy for a
Windows certificate authority (CA) if you notice that a SCEP Network Device Enrollment Service (NDES)
server registration authority (RA) certificate is installed in the ISE's Certificate Store. Implementing ISE as a
SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without
administrative overhead from the IT department.
The ISE is not a CA for the Windows Active Directory (AD) domain. When configured with a SCEP CA
profile, the ISE will contain a SCEP NDES server RA certificate in the Certificate Store. RAs verify requests
for certificates and enable the CA to issue them.
The ISE does not require the CA in order to mitigate a Windows Server SCEP bug. However, configuring
ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server does require the installation of some
Microsoft SCEP implementation hotfixes.
There is nothing in this scenario to indicate that the ISE has been compromised. In addition, there is no
reason to suspect that the CA chain has been altered.
Reference:
Cisco: ISE SCEP Support for BYOD Configuration Example: Configure ISE as a SCEP proxy

QUESTION 159
You issue the following commands on a Cisco router:
tacacs-server host ts1 timeout 30
tacacs-server timeout 20
Which of the following is true about how the Cisco router communicates with the TACACS+ server? (Select
the best answer.)

A. The router will maintain an open TCP connection.
B. The router will maintain an open TCP connection for no more than 20 seconds.
C. The router will wait 20 seconds for the server to reply before declaring an error.
D. The router will wait 30 seconds for the server to reply before declaring an error.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The router will wait 30 seconds for the server to reply before declaring an error. The tacacs-server host ts1
timeout 30 command in this scenario configures a router to connect to a Terminal Access Controller Access
Control System Plus (TACACS+) server named ts1. The timeout 30 keyword in this command configures
the router to wait 30 seconds for the server to reply before declaring an error.
The router will wait 30 seconds, not 20 seconds, for the server to reply before declaring an error. If the
timeout 30 keyword had not been specified in this scenario, the tacacs-server timeout 20 command would
have configured the router to wait 20 seconds for the server to reply before declaring an error. The timeout
30 keyword in this scenario overrides the value assigned by the tacacs-server timeout command.
The router will not maintain an open Transmission Control Protocol (TCP) connection, because the
single-connection keyword has not been issued in this scenario. The single-connection keyword configures
the router to maintain an open connection to the TACACS+ server. When the single-connection keyword is
not configured, a Cisco router will open and close a TCP connection to the TACACS+ server each time it
needs to perform an operation. When the single-connection keyword is configured, the router connects to
the TACACS+ server and maintains that connection even when it is not performing an operation. This
setting enhances the efficiency of the communications between the router and the TACACS+ server
because the router does not have to constantly close and open connections.
Reference:
Cisco: Configuring TACACS+: Identifying the TACACS+ Server Host
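The timeout precedence explained above, placed in a complete AAA configuration, as an added example that is not part of the original question or the Cisco reference. The server name ts1 and its timeout values come from the question; the IP addresses, the second server, and the key placeholder are assumed:

```cisco
! Added example: global vs. per-host TACACS+ timeout (assumed addresses and key)
aaa new-model
ip host ts1 192.0.2.5
!
! Global default: 20 seconds, applies to any server without its own timeout
tacacs-server timeout 20
!
! ts1: the per-host timeout 30 overrides the global 20 seconds for this server,
! and single-connection keeps one TCP session open across AAA operations
tacacs-server host ts1 single-connection timeout 30 key EXAMPLE-KEY-PLACEHOLDER
!
! Second server without a timeout keyword: inherits the global 20 seconds
tacacs-server host 192.0.2.6 key EXAMPLE-KEY-PLACEHOLDER
!
! Fall back to the local database only if no TACACS+ server answers,
! so a timeout on ts1 does not lock administrators out
aaa authentication login default group tacacs+ local
```

Because the `key` keyword consumes the rest of the line, it must be the last keyword on the `tacacs-server host` command. `show tacacs` reports, per server, whether a single connection is in use and counts the timeouts, which is the quickest way to confirm that the 30 second value is the one in effect for ts1. Newer IOS releases express the same settings with a `tacacs server ts1` block containing `address ipv4`, `timeout 30`, and `single-connection`.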

QUESTION 160
You are configuring VPN access for Cisco AnyConnect clients. You finish the configuration by establishing
a fail open policy.
Which of the following is true of AnyConnect clients that fail to establish a VPN session? (Select the best
answer.)

A. They are granted full access to the local network, but without security.
B. They are granted full access to the local network, including security.
C. They are denied full network access, except for local resources.
D. They are denied full network access, including local resources.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco AnyConnect clients that fail to establish a virtual private network (VPN) session under a fail open
policy are granted full access to the local network, but without the security provided by the Cisco
AnyConnect VPN service. Connect failure policies are typically applied when the Cisco AnyConnect
always-on feature is configured. The always-on feature enables Cisco AnyConnect clients to establish a VPN
session automatically whenever the client detects that the host is connected to an untrusted network. For
example, a laptop that is used both on a corporate LAN and for remote work might be configured to
automatically connect to the corporate VPN whenever the laptop is not directly connected to the corporate
LAN. However, any number of problems could prevent the client from actually establishing a connection to
the VPN.
There are two types of connect failure policies that you can enable for Cisco AnyConnect always-on clients.
The fail open policy allows the client to complete a connection to the local network for access to the Internet
or local resources. However, because a VPN session has not been established, the security of the
AnyConnect device that is connected to the remote network could be compromised.
The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client
except to local devices and devices that are available by using split tunneling. This extra layer of security
could prevent the user from accessing the Internet and thus could compromise productivity if the user relies
on Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco
recommends implementing it by using a phased approach that includes initially implementing fail open and
surveying user activity for AnyConnect issues that might prevent seamless connections.
Reference:
Cisco: Configuring VPN Access: Connect Failure Policy for Always-on VPN

QUESTION 161
Which of the following web application threats is not typically mitigated by installing a WAF? (Select the best
answer.)

A. exploits related to uncloaked error messages
B. exploits against known vulnerabilities
C. exploits related to directory traversal vulnerabilities
D. exploits against unknown vulnerabilities
E. exploits related to viruses in file uploads

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, exploits related to unknown vulnerabilities are not typically mitigated by installing a
web application firewall (WAF). A WAF sits between a web application and the end user in order to protect
the application from malicious activity and known vulnerabilities. Therefore, by installing a WAF, it is
possible to protect a vulnerable web application without modifying the application code.
WAFs are not typically capable of protecting a web application against unknown vulnerabilities. WAFs can
protect against known or common unpatched web application vulnerabilities by using techniques such as
cloaking to protect against information leakage related to uncloaked error messages, encrypting Uniform
Resource Locators (URLs) to protect against exploits related to directory traversal, and checking file
uploads for viruses.
Reference:
OWASP: Category:OWASP Best Practices: Use of Web Application Firewalls

QUESTION 162
Which of the following is a set of rules to which a Cisco IPS appliance can compare network traffic to
determine whether an attack is occurring? (Select the best answer.)

A. anomaly detection
B. global correlation
C. reputation filtering
D. a signature definition
E. a threat rating

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A signature definition is a set of rules to which a Cisco Intrusion Prevention System (IPS) appliance can
compare network traffic to determine whether an attack is occurring. If the network activity matches a
signature definition, IPS can trigger a specific response from other defined event action rule sets, such as
denying traffic from a host or alerting an administrator. IPS administrators can manually configure signature
definitions in Cisco IPS Device Manager (IDM) or use the Signature Wizard to create custom signature
definitions.
Global correlation is not a set of rules to which a Cisco IPS appliance can compare network traffic to
determine whether an attack is occurring. Global correlation enables IPS sensors to allow or deny traffic
based on the reputation of the sending device. When you enable global correlation, IPS devices will
periodically receive updates that include information about known malicious devices on the Internet from the
Cisco SensorBase Network. In addition, global correlation will send statistical information about attacks
against your company's network to the Cisco SensorBase Network. Cisco uses that information to detect
threat patterns on the Internet.
Reputation filtering is not a set of rules to which a Cisco IPS appliance can compare network traffic to
determine whether an attack is occurring. Reputation filtering denies packets from hosts that are
considered to have a malicious reputation based on the global correlation information that is available from
the Cisco SensorBase Network. Reputation filtering is different from global correlation inspection in that
reputation filtering denies traffic before the traffic is compared to any signature definitions. In addition,
reputation filtering does not generate alerts.
Anomaly detection is not a set of rules to which a Cisco IPS appliance can compare network traffic to
determine whether an attack is occurring. Anomaly detection enables IPS to learn what type of network
activity is normal activity for the network that is being protected. If a network starts to become congested by
traffic that is generated by a worm or if a host that is infected with a worm connects to the network and
attempts to infect other hosts, the anomaly detection feature can trigger a specific response, such as
denying traffic from the infected host or alerting an administrator.
A threat rating is not a set of rules to which a Cisco IPS appliance can compare network traffic to determine
whether an attack is occurring. A threat rating is an event action risk rating that has been lowered because
of a specific action taken by IPS. A risk rating is a numerical representation of the risk presented to a
network by a specific attack. Risk ratings can range from 0 through 100. Depending on the actions IPS has
taken in response to an event, IPS will subtract a value from the threat rating of the event. For example, if
IPS responds to a specific event by issuing a request to block the attacking host, a value of 20 will be
subtracted from the threat rating.
Reference:
Cisco: Defining Signatures: Understanding Signatures

QUESTION 163
Which of the following describes the primary difference between PGP and S/MIME? (Select the best
answer.)

A. PGP can be used to encrypt disk drives, but S/MIME cannot.
B. PGP can use SHA1 for data integrity, but S/MIME cannot.
C. S/MIME can be used to encrypt email messages, but PGP cannot.
D. S/MIME can use RSA for digital signatures, but PGP cannot.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The primary difference between Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail
Extensions (S/MIME) is that PGP can be used to encrypt not only email messages, but also files and entire
disk drives. PGP is software that uses an asymmetric encryption method to encrypt information. To encrypt
a file or a message by using PGP, you must use the recipient's public key. The recipient will then use his or
her private key to decrypt the file or message.
Although PGP is an application and S/MIME is a standards-based protocol, both can be used to provide
confidentiality, integrity, and nonrepudiation for email messages. Confidentiality is provided by an encryption
method, such as Triple Data Encryption Standard (3DES or TDES). Integrity is provided by a hashing
algorithm, such as Secure Hash Algorithm 1 (SHA1). Nonrepudiation is provided by creating digital
signatures with an asymmetric encryption method, such as RSA.
Many modern operating systems (OSs) offer their own built-in support for file-level and disk-level encryption.
Therefore, third-party software is often no longer necessary for encrypting files.
Reference:
Search Security: Tech Target: Pretty Good Privacy (PGP)
Microsoft TechNet: Understanding S/MIME

QUESTION 164
Which of the following failover link configurations can leave an ASA vulnerable to replay attacks? (Select
the best answer.)

A. connecting the active and standby units directly with a crossover cable
B. connecting the active and standby units to a dedicated VLAN on a switch
C. sharing a regular data interface with the stateful failover link
D. sharing the LAN failover link with the stateful failover link
E. using a dedicated Ethernet interface as the stateful failover link

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Sharing a regular data interface with the stateful failover link on a Cisco Adaptive Security Appliance (ASA)
can leave the ASA vulnerable to replay attacks. A replay attack is a type of man-in-the-middle attack in which
the attacker uses a packet sniffer to capture legitimate network data, such as authentication tokens and
preshared keys, and then replays the data to a target. In addition, the attacker might delay or modify the
captured data before directing it to the target. On an ASA, all LAN failover and stateful failover information is
transmitted as clear text by default. Therefore, sharing the stateful failover link with a regular data interface
can unnecessarily expose virtual private network (VPN) configuration information, such as user names,
passwords, and preshared keys (PSKs) to malicious users on the shared network segment. You can
mitigate this risk by configuring a failover key on both the active unit and the standby unit to protect failover
information. Cisco strongly recommends using a dedicated Ethernet interface or sharing a LAN failover link
instead of sharing the stateful failover link with a regular data interface.
ASAs can be configured to participate in either a stateless or a stateful failover implementation. In a
stateless failover implementation, the active unit and standby unit use a dedicated LAN link, known as a
LAN failover link, for failover traffic. The LAN failover link can use any unnamed Ethernet interface and can
connect the failover pair directly, with either a straight-through or crossover Ethernet cable, or through a
switch, with no other devices on the same network segment or virtual LAN (VLAN) as the failover pair.
Although all failover traffic is sent as clear text by default, a LAN failover link does not leave an ASA
vulnerable to replay attacks because the failover pair are either directly connected or connected through a
dedicated VLAN.
By contrast, the failover link between two ASAs in a stateful failover implementation can use a dedicated
Ethernet link, a shared LAN failover link, or a shared regular data interface. If a dedicated Ethernet link is
used for stateful failover, it must follow the same connectivity guidelines as a LAN failover link: it can be
either a direct connection or a dedicated VLAN on a switch. Like a LAN failover link, a stateful failover link
using either a dedicated Ethernet link or a shared LAN failover link does not leave an ASA vulnerable to
replay attacks because the failover pair are either directly connected or connected through a dedicated
VLAN.
Reference:
Cisco: Information About High Availability: Stateful Failover Link
Category: Cisco Firewall Technologies

QUESTION 165
Which of the following fields make up the header of an ESP packet? (Select 2 choices.)

A. Next Header
B. Pad Length
C. Padding
D. Security Parameter Index
E. Sequence Number

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Security Parameter Index (SPI) and Sequence Number fields make up the header of an Encapsulating
Security Payload (ESP) packet. ESP is an IP Security (IPSec) protocol that provides data integrity and
confidentiality for IP traffic. The ESP header is always part of the authenticated data in an ESP packet, but
the ESP header itself is never encrypted. By contrast, the ESP trailer, which is made up of the Padding, Pad
Length, and Next Header fields, is always part of the authenticated data and is always encrypted. The
following diagram illustrates the ESP packet format:

ESP can operate in transport mode or tunnel mode. In transport mode, ESP encrypts only the original
payload data and the resultant ESP trailer, leaving the original IP header unencrypted. The following
diagram illustrates the components of an ESP packet in transport mode:

In tunnel mode, ESP encrypts the entire packet, including the original IP header, the original payload data,
and the resultant ESP trailer. The following diagram illustrates the components of an ESP packet in tunnel
mode:

Reference:
IETF: RFC 4303: IP Encapsulating Security Payload (ESP): 2. Encapsulating Security Payload Packet Format
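The ESP layout described above, worked through in code as an added example that is not part of the original question set. The block builds an ESP packet with the NULL cipher (so every field stays readable for the demonstration), reads the never-encrypted SPI and Sequence Number without any key, verifies an HMAC-SHA1-96 Integrity Check Value over header, payload and trailer, and only then extracts the Pad Length and Next Header fields from the trailer. The SPI, sequence number, integrity key and payload are constructed values; with a real cipher the trailer would be visible only after decryption, but the header would still be exposed exactly as shown.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the page: SPI, sequence number,
# integrity key and a short inner payload. Encryption is left out (the NULL
# cipher of RFC 2410), so the trailer is readable here; with a real cipher the
# trailer is visible only after decryption, while the 8-byte header is never encrypted.
ESP_HEADER = struct.Struct("!II")    # Security Parameter Index, Sequence Number
ESP_TRAILER = struct.Struct("!BB")   # Pad Length, Next Header
ICV_LEN = 12                         # HMAC-SHA1-96: the MAC is truncated to 96 bits
AUTH_KEY = b"constructed-esp-integrity-key"
NEXT_HEADER_TCP = 6


def build_esp(spi, seq, payload, next_header, key=AUTH_KEY):
    """Assemble SPI | Seq | payload | padding | Pad Length | Next Header | ICV."""
    # Pad so that payload plus trailer ends on a 4-byte boundary (RFC 4303 minimum).
    pad_len = (-(len(payload) + ESP_TRAILER.size)) % 4
    padding = bytes(range(1, pad_len + 1))     # default padding pattern 1, 2, 3, ...
    body = (ESP_HEADER.pack(spi, seq) + payload + padding
            + ESP_TRAILER.pack(pad_len, next_header))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def read_header(packet):
    """The header is never encrypted, so SPI and Seq can be read with no key at all."""
    return ESP_HEADER.unpack_from(packet, 0)


def parse_esp(packet, key=AUTH_KEY):
    """Verify the ICV over header + payload + trailer, then split out the fields."""
    if len(packet) < ESP_HEADER.size + ESP_TRAILER.size + ICV_LEN:
        raise ValueError("too short to be an ESP packet")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered in transit or wrong key")
    spi, seq = ESP_HEADER.unpack_from(body, 0)
    pad_len, next_header = ESP_TRAILER.unpack_from(body, len(body) - ESP_TRAILER.size)
    inner = body[ESP_HEADER.size:len(body) - ESP_TRAILER.size]
    if pad_len > len(inner):
        raise ValueError("Pad Length exceeds the payload")
    return {
        "spi": spi,
        "seq": seq,
        "payload": inner[:len(inner) - pad_len],
        "pad_len": pad_len,
        "next_header": next_header,
    }


def tamper_detected(packet, key=AUTH_KEY):
    """Flip one bit of the Sequence Number: the header is authenticated, so parsing must fail."""
    altered = bytearray(packet)
    altered[ESP_HEADER.size - 1] ^= 0x01
    try:
        parse_esp(bytes(altered), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    pkt = build_esp(0x1000ABCD, 7, b"GET / HTTP/1.0\r\n", NEXT_HEADER_TCP)
    print("cleartext header:", read_header(pkt))
    print("authenticated fields:", parse_esp(pkt))
    print("tamper detected:", tamper_detected(pkt))
```

The ICV is checked before any trailer field is trusted; a receiver that read Pad Length first could be steered by a modified packet into slicing the payload wrongly, which is why RFC 4303 orders integrity verification ahead of decryption and parsing.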

QUESTION 166
You want to use the authentication event no-response action authorize vlan 101 command to ensure that
network devices incapable of using 802.1X authentication are automatically placed into VLAN 101, which is
the guest VLAN.
Which of the following VLAN types can you specify as an 802.1X guest VLAN? (Select the best answer.)

A. a primary private VLAN
B. a secondary private VLAN
C. a voice VLAN
D. an RSPAN VLAN

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, you can configure a secondary private virtual LAN (VLAN) as an 802.1X guest
VLAN with the authentication event no-response action authorize vlan 101 command. The authentication
event no-response action authorize vlan command specifies the VLAN into which a switch should place a
port if it does not receive a response to the 802.1X Extensible Authentication Protocol over LAN (EAPoL)
messages it sends on that port. The VLAN ID must be a number from 1 through 4094. The VLAN ID can
specify any active VLAN except for a Remote Switch Port Analyzer (RSPAN) VLAN, a primary private
VLAN, or a voice VLAN. In addition, a guest VLAN can be configured only on access ports, not on routed
ports or trunk ports.
When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest
VLAN; however, if an 802.1X-capable device is detected, the switch will place the port into an unauthorized
state and will deny access to all devices on the port. You can use the authentication event fail action
command to specify how the switch should react if an 802.1X client is detected and the client fails to
authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize
vlan vlan-id parameter configures a restricted VLAN, which is functionally similar to the guest VLAN. The
next-method parameter configures the switch to attempt authentication by using the next authentication
method specified in the authentication order command. For example, if the authentication order 802.1X
mab webauth command has been configured and 802.1X authentication fails, the switch will attempt to use
Media Access Control (MAC) Authentication Bypass (MAB) to authenticate the client based on its MAC
address; if MAB fails, the switch will attempt web-based authentication. If the next-method parameter is
configured, the switch will indefinitely cycle through authentication methods unless Web Authentication
(WebAuth) is configured. If WebAuth is configured, the authentication process will not loop back to other
authentication methods and the switch will ignore EAPoL messages on the port.
Reference:
Cisco: Configuring IEEE 802.1x Port-Based Authentication: Configuring a Guest VLAN

QUESTION 167
Which of the following statements is true about network traffic event logging in Cisco FireSIGHT
Management Center? (Select the best answer.)

A. Beginning-of-connection events contain less information than end-of-connection events.
B. Performance is optimized by logging both beginning-of-connection events and end-of-connection events.
C. You can log only beginning-of-connection events for encrypted connections handled by an SSL policy.
D. You can log only end-of-connection events for blocked traffic.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In Cisco FireSIGHT Management Center, beginning-of-connection events contain less information than
end-of-connection events. Cisco FireSIGHT Management Center, which was formerly called Sourcefire
Defense Center, can log beginning-of-connection and end-of-connection events for various types of network
traffic.
Although most network traffic will generate both kinds of events, blocked or blacklisted traffic is typically
denied without further processing and therefore only generates beginning-of-connection events.
Beginning-of-connection events contain a limited amount of information because they are generated based
on the information contained in the first few packets of a connection.
By contrast, end-of-connection events are generated when a connection closes, times out, or can no longer
be tracked because of memory constraints. End-of-connection events contain significantly more information
than beginning-of-connection events because they can draw upon data collected throughout the course of a
connection. This additional information can be used to create traffic profiles, generate connection
summaries, or graphically represent connection data. In addition, the data can be used for detailed analysis
or to trigger correlation rules based on session data. End-of-connection events are also required to log
encrypted connections that are handled by a Secure Sockets Layer (SSL) policy because there is not
enough information in the first few packets to indicate that a connection is encrypted.
Reference:
Cisco: Logging Connections in Network Traffic: Logging the Beginning or End of Connections

QUESTION 168
Which of the following are asymmetric algorithms? (Select 3 choices.)

A. DH
B. AES
C. 3DES
D. ECC
E. RC4
F. RSA

Correct Answer: ADF
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Diffie-Hellman (DH), Elliptic Curve Cryptography (ECC), and RSA are asymmetric algorithms. DH is an
asymmetric key exchange method. RSA and ECC are asymmetric encryption algorithms. Asymmetric
encryption, also known as public key encryption, uses a public key to encrypt data and a different, yet
mathematically related, private key to decrypt data. Public key infrastructure (PKI) uses a certificate
authority (CA) to tie a public key to a user ID to further ensure the confidentiality of data. Asymmetric
encryption algorithms use more complex mathematical functions than symmetric encryption algorithms. As
a result, asymmetric encryption algorithms take longer to encrypt and decrypt data than symmetric
encryption algorithms. Other examples of asymmetric encryption algorithms include Digital Signature
Algorithm (DSA) and ElGamal.
Advanced Encryption Standard (AES), RC4, and Triple Data Encryption Standard (3DES) are examples of
symmetric encryption algorithms. When symmetric encryption algorithms are used, the same encryption
key is used to encrypt and decrypt data. Two types of symmetric algorithms exist: block ciphers and stream
ciphers. Block ciphers derive their name from the fact that they encrypt blocks of data. For example, AES
encrypts 128-bit blocks of data. By contrast, stream ciphers are typically faster than block ciphers because
stream ciphers encrypt text of variable length depending on the size of the frame to be encrypted; stream
ciphers are not limited to specific block sizes. For example, RC4, a stream cipher, can encrypt data in
streams of 8 through 2,048 bits. Other examples of symmetric encryption algorithms include International
Data Encryption Algorithm (IDEA), Skipjack, and Blowfish.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 5, Symmetric and Asymmetric Algorithms, pp. 92-94
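The DH key exchange named above, shown end to end as an added example (not code from the question set or the cert guide). Each party keeps a private exponent, sends only its public value across the wire, and both arrive at the same secret, which is then hashed into a 128-bit key for a symmetric cipher such as AES, which is how an asymmetric exchange hands off to the faster symmetric algorithms discussed in the same explanation. The group parameters (the 127-bit Mersenne prime and g = 2) are a toy choice for readability, and the peer-value check that rejects 1 and p-1 is the defensive detail a practitioner expects to see.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: p is the Mersenne prime 2^127 - 1 and
# g = 2. Real deployments use standardized groups (for example the RFC 3526 MODP
# groups) of 2048 bits or more.
P = 2 ** 127 - 1
G = 2


class DHParty:
    """One end of a Diffie-Hellman exchange; only `public` ever leaves this host."""

    def __init__(self, private=None):
        # A caller may pass a fixed private exponent for repeatable tests.
        self.private = private if private is not None else secrets.randbelow(P - 3) + 2
        if not 1 < self.private < P - 1:
            raise ValueError("private exponent out of range")
        self.public = pow(G, self.private, P)

    def shared_secret(self, peer_public):
        # Refuse trivial values (1, p-1, anything out of range): accepting them
        # would let a third party force the shared secret to a known constant.
        if not 1 < peer_public < P - 1:
            raise ValueError("rejecting invalid peer public value")
        return pow(peer_public, self.private, P)


def derive_key(shared_secret):
    """Hash the DH result into a 128-bit key for a symmetric cipher such as AES."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()[:16]


def run_exchange(alice_private=None, bob_private=None):
    """Both sides compute the same key although only public values crossed the wire."""
    alice, bob = DHParty(alice_private), DHParty(bob_private)
    wire = {"alice_public": alice.public, "bob_public": bob.public}  # what an eavesdropper sees
    key_alice = derive_key(alice.shared_secret(bob.public))
    key_bob = derive_key(bob.shared_secret(alice.public))
    return key_alice, key_bob, wire


if __name__ == "__main__":
    ka, kb, seen_on_wire = run_exchange()
    print("on the wire:", seen_on_wire)
    print("keys match:", ka == kb, ka.hex())
```

Only the two public values appear in `wire`; recovering the key from them alone would require solving the discrete logarithm in the group, which is the hardness assumption DH rests on and the reason a large standardized group is used in practice.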

QUESTION 169
Which of the following statements are true regarding class maps on a Cisco ASA? (Select 2 choices.)

A. QoS traffic shaping is not available for all class maps.
B. Class maps apply specific security measures on a per-session basis.
C. By default, no class maps are defined on an ASA.
D. Class maps must use an ACL to match traffic.
E. Class maps can match traffic based on application protocols.
F. Class maps identify the interface to which a policy map is applied.

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Class maps can match traffic based on application protocols, and Quality of Service (QoS) traffic shaping is
not available for all class maps on a Cisco Adaptive Security Appliance (ASA). A class map is one of the
three basic components of Modular Policy Framework (MPF); policy maps and service policies are the
other two components. MPF is a Cisco ASA feature that provides a flexible method of enabling security
policies on an interface. A class map identifies a specific flow of traffic, a policy map determines the action
that will be performed on the traffic, and a service policy ties this action to a specific interface. Generally,
each class map can contain only a single match statement, and a packet can match only a single class map
within the policy map of a particular feature type. For example, if a packet matched a class map for File
Transfer Protocol (FTP) inspection and a class map for traffic policing, the ASA would apply both policy
map actions to the packet. However, if a packet matched a class map for FTP inspection and a second,
different class map that included FTP inspection, the ASA would apply only the actions of the first matching
policy map. By default, two class maps are defined on an ASA; the class-default and inspection_default
class maps are part of the default configuration of an ASA.
You can use the match command from class map configuration mode to identify traffic based on specified
characteristics. The keywords you can use to identify traffic in a class map are closely tied to their
respective characteristics. The match command supports the following keywords: access-list, port,
default-inspection-traffic, dscp, precedence, rtp, tunnel-group, and any.
For example, you could issue the following commands to create a class map named CLASSMAP that
identifies traffic using Transmission Control Protocol (TCP) port 8080:

asa(config)# class-map CLASSMAP
asa(config-cmap)# match port tcp eq 8080

Once traffic has been identified by a class map, the associated policy map can take action on that traffic. A
policy map typically contains references to one or more class maps and defines actions that should be
performed on traffic matched by the specified class maps. If traffic matches multiple class maps for
different actions within a policy map (for instance, if traffic matches a class map for application inspection as
well as a class map for priority queuing), the actions of both class maps will be applied to the traffic. To
continue the example from above, you could issue the following commands to configure a policy map
named POLICYMAP that matches traffic specified by the class map named CLASSMAP and then
processes the traffic with the Hypertext Transfer Protocol (HTTP) inspection engine:

asa(config)# policy-map POLICYMAP
asa(config-pmap)# class CLASSMAP
asa(config-pmap-c)# inspect http

A policy map does not act on traffic until the map has been applied to an interface by a service policy. A
service policy identifies the interface to which a policy map is applied; a service policy can be applied
globally to all interfaces, which will apply application inspection to only traffic entering the appliance.
Alternatively, a service policy can be applied to a single interface, which will apply application inspection to
traffic entering and exiting the interface. An interface service policy overrides a global service policy: if traffic
matches both an interface policy and a global policy, only the interface policy will be applied to that
particular traffic flow. To complete the example, you could issue the following commands to apply the
POLICYMAP policy map to the inside interface:

asa(config)# service-policy POLICYMAP interface inside

QoS traffic shaping is available for only the class-default class map.

Class maps do not apply specific security measures on a per-session basis; dynamic access policies
(DAPs) can apply specific security measures on a per-session basis. Configuring a DAP allows you to
resolve complications presented by the frequently inconsistent nature of a virtual private network (VPN). For
example, users might access your network from different remote locations, with each location having a
different configuration, thus presenting a variety of security issues for each individual situation. With a DAP,
you can apply specific security measures for each specific situation on a per-session basis. Depending on
the circumstances of the next connection from a remote location, a different DAP may be applied if the
variables have changed.
Reference:
Cisco: Service Policy Using the Modular Policy Framework: Task Flow for Configuring Hierarchical Policy
Maps for QoS Traffic Shaping
Cisco: Service Policy Using the Modular Policy Framework: Creating a Layer 3/4 Class Map for Through
Traffic

QUESTION 170
Which of the following is true regarding the EAP-FAST authentication process? (Select the best answer.)

A. A digital certificate is required only on the client.
B. A digital certificate is required only on the server.
C. Digital certificates are required on both the client and the server.
D. Digital certificates are not required on the client or the server.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Digital certificates are not required on the client or the server during the Extensible Authentication Protocol
(EAP) Flexible Authentication via Secure Tunneling (FAST) authentication process; instead, EAP-FAST
uses Protected Access Credentials (PACs). EAP-FAST is an authentication protocol that can be used for
point-to-point connections and for both wired and wireless links. The EAP-FAST authentication process
consists of three phases. The first phase, which is optional and is considered phase 0, consists of
provisioning a client with a PAC, which is a digital credential that is used for authentication. A PAC can be
manually configured on a client, in which case phase 0 is not required. The second phase, which is referred
to as phase 1, involves creating a secure tunnel between the client and the server. The final phase, which is
referred to as phase 2, involves authenticating the client. If the client is authenticated, the client will be able
to access the network.
Other EAP methods exist that do rely on digital certificates for authentication. For example, EAP-Transport
Layer Security (TLS) requires both a client and a server digital certificate, whereas Protected EAP (PEAP)
requires only servers to be configured with digital certificates. With PEAP, clients can use alternative
authentication methods, such as one-time passwords (OTPs).
Similar to EAP-FAST, Lightweight EAP (LEAP) does not require either the server or the client to be
configured with a digital certificate. When LEAP is used, the client initiates an authentication attempt with a
Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server responds with a
challenge response. If the challenge/response process is successful, the client then validates that the
RADIUS server is correct for the network. If the RADIUS server is validated, the client will connect to the
network.
Reference:
Cisco: EAP Methods Summary
Cisco: Configuring EAP-FAST: Table 31 Connection Settings (PDF)

QUESTION 171
Which of the following security functions is associated with the data plane? (Select 2 choices.)

A. device configuration protection
B. signaling protection
C. traffic conditioning
D. traffic filtering

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Traffic conditioning and traffic filtering are security features that are associated with the data plane. Cisco
devices are generally divided into three planes: the control plane, the management plane, and the data
plane. Each plane is responsible for different operations, and each plane can be secured by implementing
various security methods.
The data plane is responsible for traffic passing through the router, which is referred to as transit traffic.
Therefore, data plane security protects against unauthorized packet transmission and interception. Threats
such as IP spoofing, Media Access Control (MAC) address spoofing, Address Resolution Protocol (ARP)
spoofing, Dynamic Host Configuration Protocol (DHCP) spoofing, unauthorized traffic interception, and
unauthorized network access can be mitigated and monitored by implementing features such as the
following:
- ARP inspection
- Antispoofing access control lists (ACLs)
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

The control plane is responsible for the creation and maintenance of structures related to routing and
forwarding. These functions are heavily dependent on the CPU and memory availability. Therefore, control
plane security methods protect against unauthorized traffic destined for the router, which can modify route
paths and consume excessive resources. Path modification can be caused by manipulating the traffic
generated by routing protocols, VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path
modification attacks can be mitigated by implementing routing protocol authentication and filtering, VTP
authentication, and STP protection features. In addition, excessive CPU and memory consumption can be
caused by control plane flooding. Resource consumption attacks can be mitigated by implementing control
plane filtering and rate limiting with Control Plane Policing (CoPP) and Control Plane Protection (CPPr).
Device configuration protection is associated with the management plane. Management plane security
protects against unauthorized device access and configuration. Unauthorized access can be mitigated by
implementing a strong Authentication, Authorization, and Accounting (AAA) solution and by implementing
Management Plane Protection (MPP), which creates protected management channels over which
administrators must connect in order to access device administration features. Management traffic can be
encrypted by implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by
implementing Role-Based Access Control (RBAC), whereby administrators are limited to using only the
features they need to accomplish their jobs. Detection and logging of management plane access can be
performed by implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog
servers.
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices
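One of the data plane anti-spoofing features listed above, Unicast Reverse Path Forwarding, modelled in code as an added example (not from the page or from Cisco). It performs a longest-prefix lookup on the packet's source address and, in strict mode, admits the packet only when the matching route points back out the ingress interface; loose mode accepts any matching route. The default route counts only when the `allow-default` behaviour is enabled, which mirrors the Cisco option of that name. The forwarding table and the four sample packets are constructed for the demonstration; the interface names are placeholders.

```python
import ipaddress

# Constructed forwarding table (prefix, egress interface); interface names are placeholders.
FIB = [
    ("10.1.1.0/24", "GigabitEthernet0/0"),      # inside LAN
    ("192.168.0.0/16", "GigabitEthernet0/1"),   # branch networks
    ("0.0.0.0/0", "GigabitEthernet0/2"),        # default route toward the Internet
]

# Constructed packets as (source address, ingress interface).
SAMPLE_PACKETS = [
    ("10.1.1.5", "GigabitEthernet0/0"),      # genuine inside host
    ("10.1.1.5", "GigabitEthernet0/2"),      # inside address arriving from the Internet side
    ("192.168.7.9", "GigabitEthernet0/0"),   # known prefix, but on the wrong interface
    ("203.0.113.7", "GigabitEthernet0/2"),   # covered only by the default route
]


def lookup(fib, address):
    """Longest-prefix match; returns (network, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_permits(fib, source, ingress, mode="strict", allow_default=False):
    """Return True when uRPF would forward the packet.

    strict: the best route to the source must exit via the ingress interface
    loose:  any route to the source is enough (for asymmetric-routing edges)
    The default route satisfies either check only when allow_default is set.
    """
    route = lookup(fib, source)
    if route is None:
        return False                      # no route back to the source at all
    net, iface = route
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route covers it
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")


def filter_packets(packets, fib=FIB, **options):
    """Evaluate each (source, ingress) pair; returns (source, ingress, permitted) triples."""
    return [(src, iface, urpf_permits(fib, src, iface, **options)) for src, iface in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for src, iface, ok in filter_packets(SAMPLE_PACKETS, mode=mode):
            print(f"{mode:6} {src:14} on {iface}: {'forward' if ok else 'drop'}")
```

The second sample packet is the classic spoofing case: an inside address entering from the Internet-facing interface is dropped in strict mode, while the third shows why strict mode is unsafe on links with asymmetric routing and loose mode exists.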

QUESTION 172
Which of following capabilities do an IDS and IPS have in common? (Select the best answer.)

A. blocking a particular connection
B. blocking traffic from a particular host
C. modifying traffic
D. resetting TCP connections

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) can both reset Transmission
Control Protocol (TCP) connections. An IDS is a network monitoring device that passively monitors network
traffic and actively sends alerts to a management station when it detects malicious traffic. An IDS typically
has one promiscuous network interface attached to each monitored network. Because traffic does not flow
through the IDS, the IDS is unable to directly block malicious traffic; however, an IDS can do any of the
following:
- Request that another device block a connection
- Request that another device block a particular host
- Reset TCP connections

An IDS can prevent further instances of previously detected malicious traffic from passing onto the network
by creating access control lists (ACLs) on routers in the traffic path or by configuring other security devices
that reside in the flow of traffic.
By contrast, an IPS typically sits inline with the flow of traffic and can therefore block malicious traffic before
it passes onto the network. An inline IPS can perform the following actions:
- Block traffic from a particular host
- Block a particular connection
- Modify traffic
- Reset TCP connections

However, if an IPS sits inline with traffic, a failed IPS device can cause all traffic to be dropped. Analyzing all
of the traffic that passes through the IPS can cause latency and jitter. Alternatively, an IPS can be
configured to operate in promiscuous mode, which would make it functionally similar to an IDS.
Reference:
Cisco: Managed Security Services Partnering for Network Security: Managed Intrusion Detection and
Prevention Systems

QUESTION 173
Which of the following statements are true regarding RADIUS? (Select 2 choices.)

A. It encrypts only the password in Access-Request packets.
B. It combines authorization and authentication functions.
C. It provides more flexible security options than TACACS+.
D. It uses TCP port 49.
E. It is a Cisco-proprietary standard protocol.

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Remote Authentication Dial-In User Service (RADIUS) combines authentication and authorization into a
single function and encrypts only the password in Access-Request packets. RADIUS is an Internet
Engineering Task Force (IETF) standard protocol for Authentication, Authorization, and Accounting (AAA)
operations. RADIUS uses User Datagram Protocol (UDP) for packet delivery. Because RADIUS encrypts
only the password of a packet, the rest of the packet would be viewable if the packet were intercepted by a
malicious user. RADIUS has fewer flexible security options than Terminal Access Controller Access Control
System Plus (TACACS+), because RADIUS combines the authentication and authorization functions of
AAA into a single function and does not provide router command authorization capabilities.
By contrast, TACACS+ is a Cisco-proprietary protocol that uses Transmission Control Protocol (TCP) for
transport during AAA operations. TACACS+ provides more security and flexibility than RADIUS because
TACACS+ encrypts the entire body of a packet and separates the authentication, authorization, and
accounting functions of AAA. This separation enables granular control of access to resources. For example,
TACACS+ gives administrators control over access to configuration commands; users can be permitted or
denied access to specific configuration commands. Because of this flexibility, TACACS+ is used with Cisco
Secure Access Control Server (ACS), which is a software tool that is used to manage user authorization for
router access.
Reference:
Cisco: TACACS+ and RADIUS Comparison: Compare TACACS+ and RADIUS
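The "only the password is encrypted" point above, made concrete as an added example that is not part of the question set. The block builds a RADIUS Access-Request with the User-Password hiding scheme of RFC 2865 section 5.2 (each 16-byte block of the password is XORed with MD5 of the shared secret and the previous block, seeded by the Request Authenticator), then shows two views of the same packet: what a capture on the path reveals (User-Name and NAS-IP-Address in clear, the password only as a masked blob) and what the server recovers with the shared secret. The shared secret, authenticator, user name, password and NAS address are constructed sample values.

```python
import hashlib
import ipaddress
import struct

ACCESS_REQUEST = 1          # RADIUS code
USER_NAME = 1               # attribute types from RFC 2865
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4


def hide_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator        # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block                        # later blocks chain on the previous ciphertext
    return hidden


def reveal_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password; only a holder of the shared secret can do this."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")            # strip the padding added before hiding


def attribute(atype, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes itself), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, secret, authenticator, username, password, nas_ip):
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_user_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet):
    """Split Code, Identifier, Length, Authenticator and the attribute list."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


def observer_view(packet):
    """What a sniffer on the path sees: every field in clear except the masked password."""
    _, _, _, attrs = parse_radius(packet)
    return {"username": attrs[USER_NAME],
            "nas_ip": str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS])),
            "password_field": attrs[USER_PASSWORD]}


def server_view(packet, secret):
    """What the RADIUS server recovers using the shared secret."""
    _, _, authenticator, attrs = parse_radius(packet)
    return {"username": attrs[USER_NAME],
            "password": reveal_user_password(attrs[USER_PASSWORD], secret, authenticator)}


if __name__ == "__main__":
    # Constructed sample values; a real NAS generates a random 16-byte Request Authenticator.
    sample = build_access_request(42, b"constructed-shared-secret", bytes(range(16)),
                                  b"alice", b"Pa55word!", "10.1.1.1")
    print("seen on the wire:", observer_view(sample))
    print("seen by the server:", server_view(sample, b"constructed-shared-secret"))
```

Because the user name, NAS address and every other attribute are sent as-is, RADIUS traffic between a network device and the server belongs on a protected management network or inside an encrypted tunnel, which is the operational consequence of the exam point above.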

QUESTION 174
Which of the following protocols can IPSec use to provide the confidentiality component of the CIA triad?
(Select 2 choices.)

A. AES
B. AH
C. DES
D. MD5
E. SHA

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the choices available, IP Security (IPSec) can use either Advanced Encryption Standard (AES) or Data
Encryption Standard (DES) to provide the confidentiality component of the confidentiality, integrity, and
availability (CIA) triad. The confidentiality component of the CIA triad ensures that transmitted data cannot
be read by an unauthorized party if the data is intercepted before it reaches its destination. Depending on
the amount of confidentiality desired, IPSec can use AES or DES with Encapsulating Security Payload
(ESP) in either transport mode or tunnel mode. In transport mode, ESP uses AES or DES to encrypt only
the original payload data and the resultant ESP trailer, leaving the original IP header unencrypted. The
following diagram illustrates the components of an ESP packet in transport mode:

In tunnel mode, ESP uses AES or DES to encrypt the entire packet, including the original IP header, the
original payload data, and the resultant ESP trailer. The following diagram illustrates the components of an
ESP packet in tunnel mode:

IPSec can use Authentication Header (AH) and ESP to provide the integrity component of the CIA triad, not
the confidentiality component. The integrity component of the CIA triad ensures that unauthorized parties
have not modified data as it was transmitted over the network. Data integrity is provided by using algorithms
such as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) to produce checksums on each end of
the connection. If the data generates the same checksum value on each end of the connection, the data
was not modified in transit. In addition, AH and ESP can authenticate the origin of transmitted data. Data
authentication is provided through various methods, including user name/password combinations,
pre-shared keys (PSKs), digital certificates, and one-time passwords (OTPs).
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 1, Confidentiality, Integrity, and Availability, pp. 14-15
IETF: RFC 4301: Security Architecture for the Internet Protocol: 3.2. How IPsec Works

QUESTION 175
You issue the following commands on a Cisco ASA with no other configured interfaces:

asa(config)# interface gigabitethernet 0/1
asa(config-if)# speed 1000
asa(config-if)# duplex full
asa(config-if)# nameif inside
asa(config-if)# ip address 10.1.1.1 255.255.255.0
asa(config-if)# no shutdown
asa(config-if)# exit
asa(config)# telnet 10.1.1.0 255.255.255.0 inside
asa(config)# telnet timeout 30

Which of the following statements is true regarding the resulting configuration? (Select the best answer.)

A. Telnet sessions will time out after 30 seconds of inactivity.
B. The ASA will assign the interface a security level of 0.
C. The ASA will assign the interface a security level of 100.
D. Telnet sessions will be denied until a security level is manually assigned.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the GigabitEthernet 0/1 interface a
security level of 100. The block of commands in this scenario configures the GigabitEthernet 0/1 interface to
operate in full-duplex mode at a speed of 1,000 megabits per second (Mbps), names the interface "inside",
and assigns the IP address 10.1.1.1 with a network mask of 255.255.255.0. In addition, the no shutdown
command enables the interface. The telnet commands define a network range that is permitted to Telnet to
the inside interface and configure a Telnet idle-timeout value. Because no security level is manually
assigned to the interface, the ASA will automatically assign the interface a security level. The default
security level on an ASA is 0; however, the inside interface is an exception to this rule because it is
automatically assigned a security level of 100 if a security level is not explicitly configured. An interface can
be assigned any integer-valued security level from 0 through 100.
Telnet sessions will not be denied to the GigabitEthernet 0/1 interface until a security level is manually
assigned. Normally, Telnet traffic is not permitted to the interface with the lowest security. However, if there
is only one configured interface and it has been configured with a security level of 100, Telnet traffic is
permitted even though the interface simultaneously has the highest security and the lowest security.
Because the ASA automatically assigns a security level of 100 to the inside interface, Telnet sessions will
be able to access the interface. If there were other active interfaces on the ASA, a Telnet session would be
permitted to the interface with the lowest security only if that session was protected by a virtual private
network (VPN) tunnel terminating on the interface. Although there are several methods for working around
the Telnet access restrictions of the ASA, Cisco recommends disabling Telnet and using more secure methods
for management access, such as Secure Shell (SSH) or Secure Hypertext Transfer Protocol (HTTPS),
instead; neither HTTPS nor SSH is restricted by the security level of an interface.
Telnet sessions will not time out after 30 seconds of inactivity. The telnet timeout 30 command specifies an
inactivity timeout length of 30 minutes, not 30 seconds. The telnet timeout command accepts an integer
value from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the
ASA closes the connection.
Reference:
Cisco: Cisco ASA 5500 Series Command Reference: security-level

QUESTION 176
Which of the following vulnerabilities did the Blaster worm exploit on target hosts? (Select the best answer.)

A. a buffer overflow vulnerability in the DCOM RPC service
B. a buffer overflow vulnerability in IIS software
C. a buffer overflow vulnerability in Microsoft SQL Server
D. a remote code execution vulnerability in the printer spooler service
E. a remote code execution vulnerability in the processing of .lnk files

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Blaster worm exploited a buffer overflow vulnerability in the Distributed Component Object Model
(DCOM) Remote Procedure Call (RPC) service on Microsoft Windows hosts. The worm carried a
destructive payload that configured the target host to engage in Denial of Service (DoS) attacks on
Microsoft update servers. Before Microsoft released a patch, several other worms exploited the
vulnerability. For example, the Welchia worm targeted the same vulnerability. Welchia was developed to
scan the network for vulnerable machines, infect them, and then remove the Blaster worm if present. It was
even designed to download and install the appropriate patch from Microsoft to fix the vulnerability that it and
Blaster initially exploited to infect the target machine. However, despite the good-natured design intentions of
the Welchia worm, its network-scanning component inadvertently caused DoS attacks on several large
networks, including those of the United States armed forces.
Stuxnet is an example of a worm that exploited vulnerabilities in both the printer spooler service and the
processing of .lnk files. Stuxnet was used in an act of cyber warfare against Iranian industrial control
systems (ICSs). It was written to target specific ICSs by modifying code on programmable logic controllers
(PLCs). Stuxnet initially exploited vulnerabilities in the printer spooler service; however, later variants
exploited a vulnerability in the way that Windows processes shortcuts (.lnk files). Research from Symantec
published in 2011 indicated that at the time, over 60 percent of the Stuxnet-affected hosts had been in
Iran. Symantec analyzed Stuxnet and its variants and discovered that five organizations were the primary
targets of infection and that further infections were likely collateral damage from the aggressive manner in
which the worm spreads throughout the network. Given the considerable cost in resources and man-hours
that would have been required to craft the Stuxnet worm, it was theorized that it was likely intended to
sabotage high value targets such as nuclear materials refinement facilities.
SQL Slammer is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Structured
Query Language (SQL) server software. SQL Slammer spread at a tremendous rate and was reported to
have infected as many as 12,000 servers per minute. Its high scanning rate generated enough traffic on
many networks to effectively produce DoS effects as collateral damage to the infection.
Code Red is an example of a worm that exploited a buffer overflow vulnerability in Microsoft Internet
Information Server (IIS) software. Although not as efficient as SQL Slammer, Code Red still managed to
infect as many as 2,000 hosts per minute. The initial Code Red variant failed to infect more than a single set
of IP addresses; however, a later variant was reported to have affected over 350,000 hosts within the first
14 hours of its release into the wild.
Reference:
Cisco: The Internet Protocol Journal: Trends in Viruses and Worms

QUESTION 177
Which of the following statements is true regarding the primary bootset when the Cisco IOS Resilient
Configuration feature is enabled? (Select the best answer.)

A. The configuration file can be secured on a TFTP server, but the system image must be secured on local
storage.
B. The system image can be secured on a TFTP server, but the configuration file must be secured on local
storage.
C. The configuration file and the system image must both be secured on local storage.
D. The configuration file and the system image must both be secured on remote storage.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The configuration file and the system image must both be secured on local storage when the Cisco IOS
Resilient Configuration feature is enabled. The Resilient Configuration feature is designed to protect system
and configuration files from tampering and accidental deletion. You can issue the following block of
commands to enable the Resilient Configuration feature:

Router#configure terminal
Router(config)#secure boot-image
Router(config)#secure boot-config

When the feature is enabled, the primary system image file and associated running configuration are
securely archived in local persistent storage; you cannot select a remote storage location. The secure
boot-image command enables the image resilience component of the Resilient Configuration feature and
effectively hides the system image from the directory structure. This means that the system image will no
longer be displayed when the dir command is issued from the command prompt of an EXEC shell. In
addition, because the system image file is not copied to a secure location, extra storage is not required to
secure it. By contrast, the secure boot-config command creates a hidden copy of the running configuration
file. The secured versions of the system image and running configuration are referred to as the primary
bootset.
You can restore either or both components of the primary bootset at any time. The system image can be
restored from read-only memory (ROM) monitor (ROMmon) mode and the running configuration can be
restored from the global configuration mode by using the restore parameter of the secure boot-config
command. Once the system image and running configuration have been secured, the router will track
version mismatches and produce a console message if the system image or running configuration have
mismatched versions. Once the Resilient Configuration feature is enabled, it can only be disabled from the
console.
Reference:
Cisco: Cisco IOS Resilient Configuration: Feature Design of Cisco IOS Resilient Configuration
Category: Secure Routing and Switching

QUESTION 178
Which of the following can be installed on a host to ensure that only specified inbound and outbound
connections are permitted? (Select the best answer.)

A. antivirus software
B. a HIPS
C. a personal firewall
D. a proxy server

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A personal firewall can be installed on a host to ensure that only specified inbound and outbound
connections are permitted. A personal firewall can protect a host from malicious traffic by permitting or
denying specific applications or network ports access to the host or its network interface. Typically, a
personal firewall provides sufficient granularity to specify the direction of a particular flow of traffic. For
example, you could permit outbound web traffic but deny inbound Internet Control Message Protocol
(ICMP) messages.
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent
malicious traffic on that host. An Intrusion Prevention System (IPS) can be used to actively monitor,
analyze, and block malicious traffic before it infects devices. HIPS software can be installed on a host
computer to protect that computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an
independent operating platform, often a standalone appliance or a hardware module installed in a chassis.
A NIPS device can be installed inline on a network to monitor and prevent malicious traffic from being sent
to other devices on the network. One advantage of using a NIPS over a HIPS is that a NIPS can detect
low-level network events, such as the scanning of random hosts on the network; a HIPS can only detect
scans for which it is the target. HIPS and a NIPS can be used together to provide an additional layer of
protection.
You could not install antivirus software to ensure that only specified inbound and outbound connections are
permitted. Antivirus software monitors the file system and memory space on a host for malicious code.
Although the antivirus software might protect the host from malicious file execution, it would be unable to
protect the host from malicious traffic. Some antivirus vendors offer integrated security suites, which feature
personal firewall, HIPS, antivirus, and antimalware components.
You could not install a proxy server on a host to ensure that only specified inbound and outbound
connections are permitted. A proxy server is typically an application layer gateway that provides resource
caching and traffic filtering for a particular class of traffic, such as web content. Although you could install a
proxy server locally on a host and use it to process specified outbound connections, it would not be able to
restrict outbound connections that were not configured to use the proxy nor would it be able to restrict
inbound connections.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Mitigation Technologies for Endpoint Threats, pp.
498-499
Category: Cisco Firewall Technologies

QUESTION 179
Which of the following statements are true regarding the FirePOWER inline normalization preprocessor
engine? (Select 2 choices.)

A. Inline normalization can process IPv4 and ICMPv4 traffic but not IPv6 traffic.
B. Inline normalization can process IPv4 and IPv6 traffic but not ICMPv4 traffic.
C. Inline normalization cannot detect TCP SYN flood attacks.
D. Inline normalization cannot detect TCP session hijacking attacks.
E. Inline normalization takes place immediately before decoding by the packet decoder.

Correct Answer: CD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The FirePOWER inline normalization preprocessor engine cannot detect Transmission Control Protocol
(TCP) SYN flood attacks or session hijacking attacks. The inline normalization preprocessor can be used by
a FirePOWER Intrusion Prevention System (IPS) that is deployed in an inline configuration. Packet
normalization can reduce the chances of malicious traffic evading detection. The inline normalization
process takes place immediately after the IPS packet decoder decodes the packet, which ensures that
packets being analyzed by the IPS are identical to the packets that will be assembled by the target host.
The inline normalization preprocessor can perform normalizations on various components of Internet
Control Message Protocol version 4 (ICMPv4), IP version 4 (IPv4), IPv6, and TCP packets. For example, it
can reset the time-to-live (TTL) value on a packet if it detects a TTL value outside of a user-defined range.
The FirePOWER rate-based prevention preprocessor engine, not the inline normalization detection
preprocessor engine, can detect SYN flood traffic. The rate-based prevention preprocessor engine detects
traffic abnormalities based on the frequency of certain types of traffic. The following traffic patterns can
trigger rate-based attack prevention:
- Traffic containing excessive incomplete TCP connections
- Traffic containing excessive complete TCP connections
- Excessive rule matches for a particular IP address or range of IP addresses
- Excessive rule matches for one particular rule regardless of IP address

The FirePOWER TCP stream preprocessor engine, not the inline normalization detection preprocessor, can
detect session hijacking attacks. The stream preprocessor assembles the packets of a TCP data stream
into a single comprehensive unit for scanning. Because the TCP stream preprocessor has access to
multiple packets in a data stream, it can analyze state information, analyze payload anomalies, and identify
stream-based attacks that are not possible to identify based on single-packet analysis.
Reference:
Cisco: Configuring Transport & Network Layer Preprocessing: Normalizing Inline Traffic

QUESTION 180
What is the effect of the same-security-traffic permit intra-interface command on a Cisco ASA? (Select the
best answer.)

A. It allows communication between different interfaces that share the same security level.
B. It allows traffic to exit the same interface through which it entered.
C. It allows outbound traffic and the corresponding return traffic to pass through different ASAs.
D. It allows traffic destined to unprotected subnets to bypass a VPN tunnel.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco Adaptive Security Appliance (ASA), the same-security-traffic permit intra-interface command
allows traffic to exit the same interface through which it entered, which is also known as hairpinning. By
default, an ASA does not allow packets to enter and exit through the same physical interface. However,
because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is
sometimes necessary to allow a packet to enter and exit through the same interface. The
same-security-traffic permit intra-interface command allows packets to be sent and received from the same
interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which
you would need to use the same-security-traffic permit intra-interface command is if multiple users need to
connect via virtual private network (VPN) through the same physical interface. These users will not be able
to communicate with one another unless the same-security-traffic permit intra-interface command has been
issued from global configuration mode.
The same-security-traffic permit inter-interface command, not the same-security-traffic permit intra-interface
command, allows communication between different interfaces that share the same security level. By
default, interfaces with the same security level are not allowed to communicate with each other.
A split tunneling policy, not the same-security-traffic permit intra-interface command, allows traffic destined to
unprotected subnets to bypass an encrypted tunnel. With split tunneling, only traffic destined to protected
subnets is routed through the appropriate VPN tunnel. Traffic destined to unprotected subnets, such as the
Internet, can bypass the tunnel and be routed normally. You can issue the split-tunnel-policy and
split-tunnel-network-list commands to configure a split tunneling policy.
Transmission Control Protocol (TCP) state bypass, not the same-security-traffic permit intra-interface
command, allows outbound traffic and the corresponding return traffic to pass through different ASAs. With
TCP state bypass, an ASA will allow a specific class of traffic to pass through the ASA without the traffic
class having an entry in the ASA's state table. TCP state bypass is disabled by default. You can issue the
set connection advanced-options tcp-state-bypass command to enable the TCP state bypass feature.
Reference:
Cisco: Configuring Interfaces: Allowing Same Security Level Communication
Category: VPN

QUESTION 181
Which of the following statements is not true regarding an IPS device? (Select the best answer.)

A. An IPS requires that at least one interface be in promiscuous mode.
B. Single-packet attacks can be mitigated by an IPS.
C. Traffic leaves an IPS on a different interface than it entered.
D. An IPS cannot route to destinations on different subnets.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An Intrusion Prevention System (IPS) does not require that at least one interface be in promiscuous mode.
An IPS sits inline with the flow of traffic, thus actively monitoring network traffic and blocking malicious
traffic, such as an atomic or single-packet attack, before it spreads onto the network. An IPS requires at
least two interfaces for each monitored network: one interface listens to traffic entering the IPS, and the
other listens to traffic leaving the IPS. In addition, an IPS acts similarly to a Layer 2 bridge in that it can pass
traffic through to destinations on the same subnet; an IPS cannot route to destinations on a different
subnet. Because all monitored traffic must pass through the IPS, it can add latency to traffic flows on the
network.
By contrast, an Intrusion Detection System (IDS) typically has one promiscuous network interface attached
to each monitored network, with no IP address assigned to the monitoring interface. An IDS is a network
monitoring device that does not sit inline with the flow of network traffic; an IDS passively monitors a copy
of network traffic, not the actual packet. Since an IDS analyzes a copy of network traffic, an IDS can support
asymmetric traffic flows in which the original traffic may use a different return path than it used to arrive at
its original destination. Because monitored traffic does not pass through an IDS, it does not add latency to
the traffic flow.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 182
Which of the following statements is true regarding a split ACS deployment? (Select the best answer.)

A. Cisco recommends using a dedicated log collector instead of the primary or secondary server.
B. The split configuration has the drawback of making an administrator less aware of the functional status
of each server.
C. The AAA load is divided between the primary and secondary servers, which produces a less-than-optimal
AAA flow.
D. The primary and secondary servers can be used for different, specialized operations such as network
admission and device administration.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In a split Cisco Secure Access Control System (ACS) deployment, the primary and secondary servers can
be used for different, specialized operations such as network admission and device administration. ACS is
an Authentication, Authorization, and Accounting (AAA) server that uses Remote Authentication Dial-In User
Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) to provide AAA
services for users, hosts, and network infrastructure devices such as switches and routers. An ACS
deployment typically consists of a cluster containing a primary server and one or more secondary servers.
In a split ACS deployment, the AAA load is distributed between the primary and secondary server. This
distribution provides a more optimal AAA flow than a traditional small-scale deployment in which the
secondary server functions only as a backup if the primary server fails.
The split ACS deployment offers a few other advantages over a traditional small-scale deployment. For
example, an administrator will be more aware of the status of the primary and secondary servers because
they are both operational in a split ACS deployment. By contrast, in a traditional small-scale deployment, an
administrator will be less aware of the status of the secondary server because it is not actively involved in
the AAA process. In addition, because both servers are active, each server can be dedicated to a
specialized operation. For example, the primary server could be dedicated to device administration
operations and the secondary server could be dedicated to network admission operations. If either server
fails, the remaining server could take over the full load of AAA operations until the failed server is restored.
Reference:
Cisco: Understanding the ACS Server Deployment: Split ACS Deployment (PDF)

QUESTION 183
For which of the following traffic types is stateful inspection not supported in a ZFW configuration? (Select
the best answer.)

A. DNS
B. ICMP
C. IGMP
D. NetBIOS
E. Sun RPC

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Stateful inspection of Internet Group Management Protocol (IGMP) is not supported in a zone-based policy
firewall (ZFW) configuration. ZFW is the latest iteration of Cisco's stateful firewall implementation, which
was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified
and then interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow
between interfaces that have been assigned to the same zone; however, all traffic between zones is
blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is
assigned to a zone, but there are a few exceptions. Traffic to or from other interfaces in the same zone is
permitted as is traffic to or from the router itself.
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly
permit traffic between zones. The basic process is as follows:
1. Define the required zones.
2. Create zone-pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone-pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone-pairs.
6. Assign interfaces to their appropriate zones.

Inspection rules can be created for a large number of traffic types, including the following:
- Domain Name System (DNS)
- Internet Control Message Protocol (ICMP)
- Network Basic Input/Output System (NetBIOS)
- Sun Remote Procedure Call (RPC)

However, stateful inspection of multicast traffic, such as IGMP, is not supported by ZFW and must be
handled by other security features, such as Control Plane Policing (CoPP).
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy
Firewall
Category: Cisco Firewall Technologies

QUESTION 184
Which of the following commands is not available to a user with a privilege level of 0? (Select the best
answer.)

A. disable
B. enable
C. exit
D. login
E. logout

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The login command is not available to a user with a privilege level of 0. Privilege levels can be used to limit
the IOS commands that a user can access. The disable, enable, exit, help, and logout commands are
available to a user with a privilege level of 0. Because the default privilege level for a newly created local
user account is 1, a newly created user will always have access to the basic commands necessary to
escalate their privilege level or access the help system. You can assign a user one of 16 privilege levels,
some of which are used by default by the IOS. For example, privilege levels 1 and 15 are default IOS
privilege levels. Privilege level 1 allows a user to issue any command that is available at the user EXEC >
prompt. Privilege level 15 allows a user to issue any command that is available at the privileged EXEC #
prompt.
Each privilege level is associated with a list of commands that are available at that level. Users assigned to
a privilege level have access to all of the commands at that privilege level and all lower privilege levels.
Changing the commands that are available to a privilege level might provide access to a user who should
not be allowed access to the command, or it might restrict access to another user who should be allowed
access to the command. Per-user privilege levels can sometimes conflict with the privilege levels set for
virtual terminal (VTY) interfaces. In the event of a conflict, per-user privileges override the privileges
configured for the VTY line causing the conflict.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 11, Custom Privilege Levels, p. 287
Cisco: IOS Privilege Levels Cannot See Complete Running Configuration: Privilege Levels

QUESTION 185
Which of the following is most likely to cause the greatest amount of disruption on a router? (Select the best
answer.)

A. spyware
B. a Trojan horse
C. a worm
D. a DDoS attack

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, a Distributed Denial of Service (DDoS) attack is most likely to cause the greatest
amount of disruption on a router. A DDoS attack is a coordinated Denial of Service (DoS) attack that uses
multiple attackers to target a single host. For example, a large number of zombie hosts in a botnet could
flood a target device with packets. Because the flood of packets originates from multiple hosts and typically
targets public services, such as the web service, the target device might not detect the attack. If enough
packets are sent to the target device within a short period of time, the target will be unable to respond to
legitimate packets because it is waiting for a response to each of the requests originated by the attacker.
A Trojan horse does not cause the greatest amount of disruption on a router. A Trojan horse is a type of
malicious software that appears to be legitimate software. Because a Trojan horse appears to be legitimate,
users often load the Trojan horse unknowingly. The Trojan horse can then affect the computer in several
ways. Some Trojan horses cause advertising popups to be displayed intermittently. Other Trojan horses
can cause more harm by deleting or damaging data. Because a router runs only Cisco-proprietary software,
there is little chance that a Trojan horse could inadvertently be installed.
Likewise, a worm does not cause the greatest amount of disruption on a router. A worm is a specific type of
standalone, malicious software that has the ability to selfpropagate. A worm typically exploits vulnerabilities
in an operating system (OS) to compromise a computer and to install copies of itself onto the infected
device. Because a router runs only Cisco-proprietary software, there is little chance that a worm could exploit
a vulnerability in its OS and infect the router. Although excessive network traffic caused by worm
propagation could negatively affect the performance of a router, it is unlikely that this traffic would be
comparable to the impact of a DDoS attack.
Spyware does not cause the greatest amount of disruption on a router. Spyware is a type of unwanted
software that can record a user's actions and personal information. Because a router runs only
Cisco-proprietary software, there is little chance that spyware could inadvertently be installed.
Reference:
Cisco: Defeating DDOS Attacks

QUESTION 186
The following partial command output is from the running configuration of an ASA that has been configured
to authorize VPN users based on their group membership in AD:
ldap attribute-map ExampleMap
 map-name memberOf Group-Policy
 map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
 map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
 map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
 map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
 map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1

An LDAP authorization query for a VPN user returns the following values:

memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com

Which group policy will the ASA assign to the user in this scenario? (Select the best answer.)

A. Group1
B. Group2
C. Group3
D. Group4
E. Group5

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco Adaptive Security Appliance (ASA) will assign the group policy named Group1 to
the virtual private network (VPN) user. Lightweight Directory Access Protocol (LDAP) attribute maps are
used to authorize VPN users based on specified Active Directory (AD) attributes, such as group
membership or department name. The following sample output from the running configuration defines five
group policy mappings:
ldap attribute-map ExampleMap
 map-name memberOf Group-Policy
 map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
 map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
 map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
 map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
 map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1

The ldap attribute-map ExampleMap command creates an LDAP attribute map named ExampleMap. The
LDAP attribute map contains a map-name statement, which maps the AD memberOf attribute to the ASA
Group-Policy attribute, and a series of map-value commands, which map matching LDAP response strings to
ASA attributes. The map-value commands specify the mapping between AD group membership attributes in
an LDAP response and the ASA group policy to which they should be applied. When the ASA receives a
reply to an LDAP authorization query for the VPN user in this scenario, the following multi-attribute response
is compared to the map-value statements in the LDAP attribute map:

memberOf: value = CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com
memberOf: value = CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com

If an LDAP query returns a multi-valued attribute, the ASA will match only one of the returned values to the
appropriate group policy. The ASA will select the matching group policy with the least number of characters
in the name and that starts with the lowest alphanumeric character. In this scenario, four of the five
configured map-value statements will match the LDAP query response. Because the group policies in the
matched statements have names of identical length, the ASA will select the name based on its alphabetical
preference. Alphabetically, the name Group1 comes before any of the other matching group policy names:
Group3, Group4, and Group5.
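As an added example (not part of the exam explanation and not Cisco's code), the following Python models that selection rule: it parses the map-value lines of the attribute map above and, given a multi-valued memberOf response, picks the matched group policy with the shortest name and then the lowest alphanumeric name. The attribute map and LDAP response are constructed from the question; the line parsing is an assumption about the command syntax, not the ASA's own implementation.

```python
"""Model of ASA group-policy selection from an LDAP attribute map.

Added example, not the ASA's implementation. It reproduces the rule stated
in the explanation: when several map-value entries match a multi-valued
memberOf attribute, the shortest policy name wins, ties broken by the
lowest alphanumeric name.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the attribute map from the question, one command per line.
ASA_CONFIG = """\
ldap attribute-map ExampleMap
 map-name memberOf Group-Policy
 map-value memberOf CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com Group5
 map-value memberOf CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com Group4
 map-value memberOf CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com Group3
 map-value memberOf CN=Engineers,CN=Users,OU=bsnsw,DC=boson,DC=com Group2
 map-value memberOf CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com Group1
"""

# Constructed sample: the LDAP authorization response for the user in the question.
LDAP_RESPONSE: Dict[str, List[str]] = {
    "memberOf": [
        "CN=Managers,CN=Users,OU=bsnsw,DC=boson,DC=com",
        "CN=Marketing,CN=Users,OU=bsnsw,DC=boson,DC=com",
        "CN=Employees,CN=Users,OU=bsnsw,DC=boson,DC=com",
        "CN=Finance,CN=Users,OU=bsnsw,DC=boson,DC=com",
    ]
}

# "map-value <ldap-attr> <ldap-value> <asa-value>"; the LDAP value (a DN here)
# is taken non-greedily so the last whitespace-separated token is the ASA value.
MAP_VALUE_RE = re.compile(r"^\s*map-value\s+(\S+)\s+(.+?)\s+(\S+)\s*$")


def parse_attribute_map(config: str) -> Dict[str, Dict[str, str]]:
    """Return {ldap_attribute: {ldap_value: asa_value}} from map-value lines."""
    mapping: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        m = MAP_VALUE_RE.match(line)
        if not m:
            continue  # ldap attribute-map / map-name lines carry no value mapping
        ldap_attr, ldap_value, asa_value = m.groups()
        mapping.setdefault(ldap_attr, {})[ldap_value] = asa_value
    return mapping


def select_group_policy(mapping: Dict[str, Dict[str, str]],
                        response: Dict[str, List[str]],
                        attr: str = "memberOf") -> Optional[str]:
    """Apply the tie-break described in the explanation to a multi-valued attribute.

    Every returned value that has a map-value entry is a candidate; the ASA
    keeps only one, preferring the shortest policy name and then the lowest
    alphanumeric name. Returns None when nothing matches (the user would then
    fall back to the tunnel group's default policy rather than any of these).
    """
    value_map = mapping.get(attr, {})
    candidates = [value_map[v] for v in response.get(attr, []) if v in value_map]
    if not candidates:
        return None
    return min(candidates, key=lambda name: (len(name), name))


if __name__ == "__main__":
    policy = select_group_policy(parse_attribute_map(ASA_CONFIG), LDAP_RESPONSE)
    print(f"Assigned group policy: {policy}")  # Group1 for the question's user
```

Running the module with the question's data prints Group1; the Engineers mapping (Group2) is never a candidate because the user is not in that group.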
Reference:
Cisco: ASA Use of LDAP Attribute Maps Configuration Example: FAQ

QUESTION 187
Which of the following descriptions most accurately describes split tunneling? (Select the best answer.)

A. It enables traffic to exit the same interface through which it entered.
B. It enables traffic to flow between interfaces that share the same security level.
C. It enables a VPN tunnel to form through a firewall or NAT device.
D. It enables a VPN tunnel to determine which traffic flows should be encrypted.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Split tunneling enables a virtual private network (VPN) tunnel to determine which traffic flows should be
encrypted. Without split tunneling, all traffic that passes through a remote VPN router is encrypted and
forwarded through a tunnel to the VPN server, which is an inefficient use of the bandwidth and processing
power of the VPN server and the remote VPN router. Traffic that is destined for the Internet or another
unprotected network does not need to be encrypted or forwarded to the VPN server. Split tunneling uses an
access control list (ACL) to determine which traffic flows are permitted to pass through the encrypted
tunnel. Traffic destined for a protected network at the VPN server site is encrypted and allowed to pass
through the tunnel, whereas all other traffic is processed normally. This method reduces both the
processing load on the router and the amount of traffic that passes through the encrypted tunnel. Split
tunneling can also be applied to traffic from remote access VPN clients.
Transparent tunneling, not split tunneling, enables a VPN tunnel to form through a firewall or Network
Address Translation (NAT) device. When transparent tunneling is enabled on a VPN client, encrypted
packets are encapsulated in Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
packets prior to transmission through the firewall or NAT device.
The same-security-traffic permit intra-interface command enables traffic on a Cisco Adaptive Security
Appliance (ASA) to exit the same interface through which it entered, which is also known as hairpinning. By
default, an ASA does not allow packets to enter and exit through the same physical interface. However,
because multiple logical virtual LANs (VLANs) can be assigned to the same physical interface, it is
sometimes necessary to allow a packet to enter and exit through the same interface. The
same-security-traffic permit intra-interface command allows packets to be sent and received from the same
interface even if the traffic is protected by IP Security (IPSec) security policies. Another scenario for which
you would need to use the same-security-traffic permit intra-interface command is if multiple users need to
connect via VPN through the same physical interface. These users will not be able to communicate with one
another unless the same-security-traffic permit intra-interface command has been issued from global
configuration mode.
Likewise, the same-security-traffic permit inter-interface command enables traffic to flow between interfaces
that share the same security level. Typically, interfaces with the same security level are not allowed to
communicate.

Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 8, Split Tunneling, pp. 227-228
QUESTION 188
Which of the following IPS detection types does not require regularly updated definition files? (Select the
best answer.)

A. pattern-based
B. profile-based
C. signature-based
D. reputation-based

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Profile-based detection methods, which are also known as anomaly-based detection methods, do not require
regularly updated definition files. Profile-based detection methods detect abnormal behavior on a network.
Traffic is classified as normal or abnormal based on information that is dynamically learned or manually
programmed. The benefit of anomaly-based detection is that anything that is not specified as normal is
classified as abnormal; therefore, anomaly-based detection can typically detect a wide range of threats. One
drawback of anomaly-based detection is that new traffic patterns appear on a regular basis on all but
the smallest of networks, which leads to a lot of false positives. Another drawback is the memory and
processing power required to handle profiles for each user.
By contrast, pattern-based detection methods, which are also called signature-based methods, require
regularly updated definition files. Pattern-based detection methods use specific strings of text to detect
malicious traffic. Many signature-based detection methods can also use protocols and port numbers to
further specify malicious traffic patterns. The benefit of signature-based detection methods is that the
number of false positives generated is typically low. However, the drawback is that a modified attack cannot
be detected by old signature definition files; the modified attack will not be detected until a new signature is
added for the modified attack. Therefore, Cisco recommends updating signature files, including antivirus
signatures, every time a new update is available.
Reputation-based detection methods use information collected from a global network of security devices to
detect malicious traffic. Because the information available is constantly being updated, reputation-based
systems require frequent updates to their definition files. The primary advantage to these frequent updates
is that many attacks can be detected and prevented based on information gathered from other systems that
have already experienced the same attack.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Signature-Based IPS/IDS, p. 464
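The two detection approaches contrasted above, run over a handful of constructed records, as an added example that is not part of the original explanation or of any Cisco product. The records, the "definition files" SIGNATURES_V1/SIGNATURES_V2 and the placeholder tokens TESTSIG-A/TESTSIG-B (standing in for real malicious strings) are all constructed for illustration. It shows the signature engine missing a record until the definition file is updated, and the profile engine flagging behavior that is merely new (a host and a port absent from the baseline) without ever inspecting content.

```python
"""Signature-based vs. profile-based (anomaly) detection on constructed records."""
import re
from collections import defaultdict

# Constructed sample records: (source host, destination port, request line).
# TESTSIG-A / TESTSIG-B are placeholder tokens standing in for real malicious strings.
BASELINE = [
    ("10.0.0.11", 80, "GET /index.html"),
    ("10.0.0.11", 443, "GET /login"),
    ("10.0.0.12", 80, "GET /news"),
]
LIVE = [
    ("10.0.0.11", 80, "GET /index.html"),       # normal
    ("10.0.0.11", 80, "GET /dl?f=TESTSIG-A"),    # pattern in the old definition file
    ("10.0.0.12", 80, "GET /dl?f=TESTSIG-B"),    # pattern added only in the new file
    ("10.0.0.13", 22, "SSH-2.0-client"),         # host never seen in the baseline
    ("10.0.0.12", 8080, "GET /admin"),           # port never seen for this host
]

# Old and updated "definition files": signature name -> compiled pattern.
SIGNATURES_V1 = {"testsig-a": re.compile(r"TESTSIG-A")}
SIGNATURES_V2 = dict(SIGNATURES_V1, **{"testsig-b": re.compile(r"TESTSIG-B")})


def signature_detect(records, signatures):
    """Return [(record_index, signature_name)] for every request line that
    matches a pattern in the given definition file. Low false positives, but a
    string the file does not know about is invisible until the file is updated."""
    hits = []
    for i, (_, _, request) in enumerate(records):
        for name, pattern in signatures.items():
            if pattern.search(request):
                hits.append((i, name))
    return hits


def build_profile(records):
    """Learn 'normal' from baseline traffic: the destination ports each host used."""
    profile = defaultdict(set)
    for host, port, _ in records:
        profile[host].add(port)
    return dict(profile)


def anomaly_detect(records, profile):
    """Flag anything outside the learned profile. Content is never inspected, so
    unknown malicious strings are caught only if they come with unusual behavior,
    and legitimate new hosts or services show up as false positives."""
    alerts = []
    for i, (host, port, _) in enumerate(records):
        if host not in profile:
            alerts.append((i, "unknown host"))
        elif port not in profile[host]:
            alerts.append((i, "unknown port"))
    return alerts


if __name__ == "__main__":
    print("old definitions:", signature_detect(LIVE, SIGNATURES_V1))
    print("new definitions:", signature_detect(LIVE, SIGNATURES_V2))
    print("profile alerts: ", anomaly_detect(LIVE, build_profile(BASELINE)))
```

With the old file only record 1 is detected; record 2 appears only after the update. The profile engine flags records 3 and 4, which carry no malicious string at all, and stays silent on records 1 and 2 because they come from known hosts on known ports: the two methods are complementary rather than interchangeable.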

QUESTION 189
Which of the following statements is true regarding the send-lifetime command? (Select the best answer.)

A. The default duration for sending keys is infinite.
B. You cannot specify a duration based on a specific start and end time.
C. The duration must be specified in one-minute increments.
D. The earliest start time value is January 1, 1970.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When using the send-lifetime command, the default duration for sending keys is infinite. The send-lifetime
command is used to specify the period of time during which a key should be sent by a router for
authentication. The syntax for this command is send-lifetime start-time {infinite | end-time | duration
seconds}, where start-time specifies the date and time that the key should start being sent. The earliest valid
start time is January 1, 1993.
By default, keys are valid indefinitely; however, you can use the duration keyword to specify a duration
value between 1 and 2,147,483,646 seconds. For example, the send-lifetime 19:00:00 Feb 24 2015 duration
3600 command specifies that a key should be valid for 3,600 seconds, which is one hour, and that the
router should begin sending the key at 19:00:00 Feb 24 2015, which corresponds to 7 p.m. on February 24,
2015.
You can specify the duration as a specific start and end time. For example, you could issue the send-lifetime
19:00:00 Feb 24 2015 20:00:00 Feb 24 2015 command to achieve the same one-hour duration as the
send-lifetime 19:00:00 Feb 24 2015 duration 3600 command.
Reference:
Cisco: IP Routing Protocol-Independent Commands: send-lifetime
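A model of the send-lifetime semantics just described, as an added example that is not Cisco code and not from the original explanation. It builds each key's send window from the three clause forms (infinite, end-time, duration seconds), confirms that the duration 3600 and the explicit 20:00:00 end time from the text produce the same window, and then does the check a practitioner actually wants on a key chain: which keys a router would send at a given instant, and whether a rollover leaves a period with no sendable key. The key chain KEY_CHAIN, the helper at() and the choice to treat the end time as exclusive are assumptions of this model.

```python
"""Model of IOS key-chain send-lifetime windows:
send-lifetime start-time {infinite | end-time | duration seconds}"""
from datetime import datetime, timedelta

MAX_DURATION = 2_147_483_646   # upper bound of the duration keyword, in seconds


def send_window(start, end=None, duration=None):
    """Return (start, end) for one key. Neither end nor duration models the
    'infinite' keyword, which is the default; end is None in that case."""
    if end is not None and duration is not None:
        raise ValueError("specify end-time or duration, not both")
    if duration is not None:
        if not 1 <= duration <= MAX_DURATION:
            raise ValueError("duration must be between 1 and 2,147,483,646 seconds")
        end = start + timedelta(seconds=duration)
    if end is not None and end <= start:
        raise ValueError("end-time must be later than start-time")
    return (start, end)


def keys_sent_at(key_chain, when):
    """key_chain: {key_id: (start, end)}. Sorted ids of keys sendable at 'when'.
    Model convention (assumption): start is inclusive, end is exclusive."""
    return sorted(k for k, (s, e) in key_chain.items()
                  if s <= when and (e is None or when < e))


def send_gaps(key_chain):
    """Periods after the first key starts during which no key is sendable.
    Such a gap means neighbors authenticating with this chain would reject
    updates until the next key's start time."""
    windows = sorted(key_chain.values(), key=lambda w: w[0])
    if not windows:
        return []
    gaps = []
    covered_until = windows[0][1]
    for start, end in windows[1:]:
        if covered_until is None:        # an infinite key covers everything after it
            break
        if start > covered_until:
            gaps.append((covered_until, start))
        if end is None:
            covered_until = None
        elif end > covered_until:
            covered_until = end
    return gaps


def at(hour, minute=0):
    """Constructed timestamps on the date used in the explanation, Feb 24 2015."""
    return datetime(2015, 2, 24, hour, minute)


# Constructed key chain: key 1 is the example from the text, key 2 overlaps it
# for a clean rollover, key 3 is infinite but starts 30 minutes after key 2 ends.
KEY_CHAIN = {
    1: send_window(at(19), duration=3600),   # send-lifetime 19:00:00 Feb 24 2015 duration 3600
    2: send_window(at(19, 50), end=at(21)),  # send-lifetime 19:50:00 ... 21:00:00 Feb 24 2015
    3: send_window(at(21, 30)),              # send-lifetime 21:30:00 Feb 24 2015 infinite
}

if __name__ == "__main__":
    print("sendable at 19:55:", keys_sent_at(KEY_CHAIN, at(19, 55)))
    print("sendable at 21:15:", keys_sent_at(KEY_CHAIN, at(21, 15)))
    print("gaps:", send_gaps(KEY_CHAIN))
```

Running it shows keys 1 and 2 both being sent at 19:55 (an intentional overlap), nothing being sent at 21:15, and a single gap from 21:00 to 21:30 that a review of the chain should catch before it is deployed.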

QUESTION 190
Which of the following is a show ntp associations command output symbol that indicates that an IP address
is an NTP master and the router is synchronized with the master? (Select the best answer.)

A. #
B. *
C. .
D. ~
E. +

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The asterisk (*) is a show ntp associations command output symbol that indicates that an IP address is a
Network Time Protocol (NTP) master and the router is synchronized with the master. The output of the
show ntp associations command displays the IP addresses of configured NTP servers as well as their
respective clock sources, strata, and reachability statistics. For example, in the following command output,
the NTP server at IP address 128.227.205.3 is a stratum 1 server that uses a global positioning system
(GPS) time source as its time source:

The * next to the IP address in the command output indicates that this server is an NTP master time source
to which the Cisco device is synched. The pound sign (#) next to the IP address indicates that this server is
an NTP master time source to which the Cisco device is not yet synched. The plus sign (+) next to the IP
address indicates that this server is an NTP master time source that is selected for synchronization but the
synchronization process has not yet begun. A tilde (~) next to an IP address indicates that the address was
manually configured.
The period (.) is a symbol displayed in the output of the show clock command, not the show ntp
associations command. If the time is set by a timing source and is not synchronized with that source, the
time is still considered authoritative but the . symbol is displayed in the output of the show clock command
to indicate the lack of time synchronization. The following command output indicates that the software clock
is authoritative but not synchronized with its time source:
.10:06:40.603 UTC Tue Jan 13 2015
The show clock command displays the current time as reported by the system software clock. If the
software clock is not set by a timing source, such as NTP, the system will flag the time as not authoritative
and the output of the show clock command will indicate the flag with the * symbol, as shown in the following
command output:
*10:06:40.603 UTC Tue Jan 13 2015
By contrast, if the time is set by a timing source and is synchronized with that source, the time is considered
authoritative and the output of the show clock command will not display any additional symbols. For
example, the absence of additional symbols in the following command output indicates that the software
clock is authoritative and synchronized with its time source:
10:06:40.603 UTC Tue Jan 13 2015
Reference:
Cisco: Cisco IOS Basic System Management Command Reference: show ntp associations
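A small parser for the symbols described above, as an added example that is not Cisco code and not from the original explanation. The sample output is constructed to follow the legend the text describes (* master synced, # master unsynced, + selected, ~ configured, plus the - candidate marker that also appears in the IOS legend); its exact column layout is an assumption. The practical check it supports is the one an operator or incident responder cares about: whether the device is actually synchronized to a master, since an unsynchronized clock makes every log timestamp on the device suspect.

```python
"""Parse show ntp associations output and report which peer the device is synced to."""
import re

# Constructed sample output modelled on the IOS legend described in the explanation.
SAMPLE_OUTPUT = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~128.227.205.3   .GPS.            1     29     64   377    12.3    0.45    1.2
 ~10.1.1.2        128.227.205.3    2     10     64   377     1.1   -0.32    0.9
#~10.1.1.3        .INIT.          16      -     64     0     0.0    0.00 15937.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Meaning of the first column, as described above.
STATUS = {
    "*": "master (synced)",
    "#": "master (unsynced)",
    "+": "selected",
    "-": "candidate",
    " ": "none",
}

# Column 1: sync status symbol; column 2: '~' if the peer was manually configured;
# then the peer address, its reference clock and its stratum.
PEER_RE = re.compile(r"^([*#+\- ])([~ ])(\S+)\s+(\S+)\s+(\d+)")


def parse_associations(text):
    """Return one dict per peer line. The header and the legend do not match
    PEER_RE (no numeric stratum in the expected position) and are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        status, configured, address, ref_clock, stratum = m.groups()
        peers.append({
            "address": address,
            "status": STATUS[status],
            "configured": configured == "~",
            "ref_clock": ref_clock,
            "stratum": int(stratum),
        })
    return peers


def synced_master(peers):
    """Address of the peer marked '*', or None when the device is not synchronized,
    e.g. when only '#' or '+' peers are present."""
    for peer in peers:
        if peer["status"] == "master (synced)":
            return peer["address"]
    return None


if __name__ == "__main__":
    peers = parse_associations(SAMPLE_OUTPUT)
    for peer in peers:
        print(peer)
    print("synced to:", synced_master(peers))
```

On the constructed output the device is synced to 128.227.205.3, a stratum 1 server with a GPS reference clock; 10.1.1.3 is a configured master the device has not yet synced to, and 10.1.1.2 is configured but carries no selection symbol at all.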

QUESTION 191
Which of the following impact levels is used by FireSIGHT to indicate that either the source or target host is
on a monitored network but has no corresponding entry in the network map? (Select the best answer.)

A. 0
B. 1
C. 2
D. 3
E. 4

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The impact level 4 is used by Cisco FireSIGHT Defense Center to indicate that either the source or target
host is on a monitored network but has no corresponding entry in the network map. FireSIGHT uses impact
levels to describe the potential severity of attacks. In the FireSIGHT system, managed devices, like Cisco
FirePOWER Intrusion Prevention Systems (IPSs), respond to an intrusion event by flagging the event with
an impact level and sending the event to the FireSIGHT Defense Center. The impact level is based on
accumulated intrusion data, network discovery data, and vulnerability information. The aggregated intrusion
event data typically contains contextual information about the event and includes a copy of the packet that
triggered the event.
The following table provides a summary of the FireSIGHT impact levels and their meaning:

Reference:
Cisco: Working with Intrusion Events: Using Impact Levels to Evaluate Events

QUESTION 192
Which of the following can the FirePOWER IMAP preprocessor extract in client-to-server traffic? (Select the
best answer.)

A. attachments
B. file names
C. addresses
D. header data

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
On a Cisco FirePOWER Intrusion Prevention System (IPS), the Internet Message Access Protocol (IMAP)
preprocessor can extract and decode attachments in client-to-server traffic. The FirePOWER IMAP
preprocessor is an Application layer inspection engine with the capability to decode email traffic and to
normalize the resulting data prior to forwarding the traffic to the intrusion rules engine for analysis. Cisco
also provides Post Office Protocol version 3 (POP3) and Simple Mail Transfer Protocol (SMTP)
preprocessors.
In addition to generating an event when they observe anomalous traffic, the FirePOWER email-related
preprocessor engines can inspect the commands that pass between a client and a server to ensure that
they are compliant with the relevant Request for Comments (RFC). For example, the IMAP preprocessor
can generate an event when either a client command or a server response does not comply with RFC 3501,
which is the RFC that defines the IMAP protocol, and the POP3 preprocessor can do the same for
commands that do not comply with RFC 1939, which is the RFC that defines the POP3 protocol.
By contrast, the SMTP preprocessor provides the ability to normalize all, none, or a specific set of SMTP
commands, although a base set of commands will always be considered as part of the custom valid set if
normalization is enabled. In addition, the SMTP preprocessor can extract email file names, addresses, and
header data.
Reference:
Cisco: Application Layer Preprocessors: The IMAP Preprocessor
Cisco: Application Layer Preprocessors: The POP Preprocessor
Cisco: Application Layer Preprocessors: The SMTP Preprocessor

QUESTION 193
Which of the following routing protocols does not support MD5 authentication for secure route updates?
(Select the best answer.)

A. BGP
B. OSPF
C. RIPv1
D. RIPv2
E. EIGRP

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Routing Information Protocol version 1 (RIPv1) does not support Message Digest 5 (MD5) authentication for
secure route updates. Routing protocol spoofing can inject false routes into routing tables, which can
influence path selection through a routed network. You can mitigate routing table modification by
implementing routing protocol authentication and filtering. RIPv1 does not support any form of
authentication; however, its successor, RIP version 2 (RIPv2), supports either plaintext authentication or
MD5 authentication.
Border Gateway Protocol (BGP), Open Shortest Path First (OSPF), RIPv2, and Enhanced Interior Gateway
Routing Protocol (EIGRP) all support MD5 authentication for secure route updates. Although many of these
protocols, such as OSPF, support plaintext authentication as an alternative to MD5, Cisco recommends
using MD5 for authentication because it is considerably more secure than plaintext authentication.
Alternatively, you can disable all dynamic routing protocols and use static routes to ensure that routes are
updated securely. However, static routes work well only on small, reliable networks. Static routes are not
scalable, because changes made on one router are not propagated to the other routers on the network;
each router must be modified manually.
Reference:
Cisco: Network Foundation Protection: Restrict Routing Protocol Membership
Cisco: Sample Configuration for Authentication in RIPv2

QUESTION 194
Which of the following is displayed by the show ip dhcp snooping database command? (Select the best
answer.)

A. the DHCP snooping configuration for a switch
B. dynamic entries in the binding table
C. the status of the binding table
D. detailed DHCP snooping statistics

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The show ip dhcp snooping database command displays the status of the binding table. When Dynamic
Host Configuration Protocol (DHCP) snooping is configured on a Cisco Catalyst switch, the switch tracks
client Media Access Control (MAC) addresses and their associated DHCP client hardware addresses in the
DHCP snooping binding database, which is also known as the binding table. If the switch receives DHCP
packets that do not match entries in the binding table, the switch drops the packets. The binding table can
be stored locally or it can be stored on a remote server. The show ip dhcp snooping database command can
be used to display the status of the DHCP snooping binding table agent and statistics regarding the status
of the binding table, such as the Uniform Resource Locator (URL) where the binding table can be found and
how many successful writes have been committed to the table. For example, the following sample output
indicates that the binding table is stored in a file named bindingtable on the Trivial File Transfer Protocol
(TFTP) server with an IP address of 1.2.3.4:

The show ip dhcp snooping command displays general information regarding the DHCP snooping
configuration on a switch, such as the virtual LANs (VLANs) for which DHCP snooping is enabled and the
trusted state of each interface. For example, the following sample output indicates that DHCP snooping is
enabled for VLANs 101, 201, and 301:
The show ip dhcp snooping binding command displays the dynamic entries in the binding table. You must
use the show ip source binding command to view both static and dynamic binding table entries. For
example, the following sample output from the show ip dhcp snooping binding command indicates that two
DHCP clients from VLAN 101 have entries in the binding table:

The show ip dhcp snooping statistics detail command displays detailed DHCP snooping statistics, which
include the number of packets dropped for each denial category, such as binding mismatches or exceeded
rate limits. For example, the following sample output from the show ip dhcp snooping statistics detail
command indicates that 2,130 packets were processed by DHCP snooping and 41 packets were dropped
because of binding mismatches:

Reference:
Cisco: Cisco IOS IP Addressing Services Command Reference: show ip dhcp snooping database

QUESTION 195
Under normal operating circumstances, which of the following planes sends the least amount of traffic to
the route processor of a Cisco router? (Select the best answer.)

A. the data plane
B. the control plane
C. the services plane
D. the management plane

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Under normal operating circumstances, the data plane sends the least amount of traffic to the route
processor of a Cisco router. The data plane is one of the four logical components that collectively define a
router; the remaining components are the control plane, the management plane, and the services plane.
Traffic from the data plane consists primarily of user-generated traffic that is forwarded from one interface to
another on a router. This type of traffic is also referred to as transit traffic.
Cisco routers can use several different forwarding mechanisms to process transit traffic. The slowest of
these Layer 3 switching mechanisms is process switching, which uses the router's CPU, which is also
known as the route processor, to determine the next hop and forwarding interface associated with the
destination IP address of a received packet. Once a router has a corresponding entry in its route cache or
Cisco Express Forwarding (CEF) table, all subsequent packets matching that entry's destination can be
fast-switched to the appropriate interface without involving the CPU. The fast-switching mechanism can
handle significantly higher throughput than the process-switching mechanism because most, if not all, of its
functions can be implemented directly by the switching fabric of the router.
By contrast, nearly all traffic from the control plane and management plane is handled by the route
processor on a Cisco router. Control plane traffic typically consists of packets that are intended to create or
perform network operations on a router, such as packets from dynamic routing protocols or Address
Resolution Protocol (ARP) packets, whereas management plane traffic consists of packets used to
administer the router, such as Telnet or Secure Shell (SSH) session traffic. These packets cannot be
handled by Cisco's normal fast-path switching mechanisms, because they require special handling by the
router's CPU.
Traffic from the services plane is a special kind of data plane traffic that requires some degree of
processing by the router CPU before it can be placed into the fast-switching path. For example, Generic
Routing Encapsulation (GRE) encapsulation or Quality of Service (QoS) processing might need to be
applied to traffic before it is placed into the fast path. Although not all services plane traffic must be
processed by the CPU, considerably more services plane traffic involves the CPU than data plane traffic
does.
Reference:
Cisco: Control Plane Policing Implementation Best Practices: Introduction: Network Device Operations

QUESTION 196
Which of the following best describes an external cloud? (Select the best answer.)

A. decentralized computer resources that can be accessed over the Internet
B. a network zone between the Internet and a private or trusted network
C. a portion of a private or trusted network that can be accessed by a business partner
D. websites available only to users inside a private network

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
An external cloud is best described as decentralized computer resources that can be accessed over the
Internet. An external cloud allows for computer processes that are typically hosted internally to be moved to
an external provider, which can reduce the burden on system and network resources. In cloud computing,
there are two accepted types of cloud infrastructure: external and internal. External clouds are managed by
a service provider and are further broken down into two categories: public and private. With public clouds,
the service provider controls the cloud and its infrastructure, whereas with private clouds, the service
provider controls only the infrastructure. Internal clouds are similar to private clouds, except that the cloud is
owned and managed by the organization that uses it and not by a third-party service provider.
A portion of a private or trusted network that can be accessed by a business partner best describes an
extranet, not an external cloud. An extranet is a portion of a company’s internal network that is accessible to
specific people outside of the company, such as business partners, suppliers, or customers. By creating an
extranet, a company can provide a location for sharing information with external users. For example, a
consulting company could create an extranet for external customers to view and comment on the consulting
company’s progress on various projects. In many extranet implementations, the external customer network
shares a bilateral connection with the company’s internal network. This bilateral connection not only enables
the external customer to access portions of the company’s internal network, but it also enables portions of
the company’s internal network to access the portions of the external customer’s network.
A network zone between the Internet and a private or trusted network best describes a demilitarized zone
(DMZ), not an external cloud. DMZs are typically bordered by two firewalls: one that allows information to
flow between the DMZ and the Internet, and one that allows information to flow between the DMZ and the
private, or trusted, network.
Websites available only to users inside a private network best describe an intranet, not an external cloud.
An intranet can be created to provide internal users with their own website. An intranet provides a location
for sharing information among members of the company. Unlike an extranet, which is a portion of the
company’s network that is accessible by people outside the company, an intranet is typically available only
to internal users.
Reference:
Cisco: The Internet Protocol Journal, Volume 12, No.3: Cloud Computing A Primer

QUESTION 197
Which of the following statements are true regarding the DfltGrpPolicy group policy? (Select 3 choices.)

A. It cannot be modified.
B. It is the default policy used with the DefaultRAGroup connection profile.
C. It is the default policy used with the DefaultWEBVPNGroup connection profile.
D. It can be applied to user profiles.
E. It should be deleted if custom group policies are created.

Correct Answer: BCD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The DfltGrpPolicy group policy can be applied to user profiles and is the default policy used with both the
DefaultRAGroup and the DefaultWEBVPNGroup connection profiles. Group policies are used with Cisco
Adaptive Security Appliances (ASAs) to specify security policies and network settings that are used when
remote virtual private network (VPN) users log in to the ASA. Cisco ASAs include the DfltGrpPolicy group
policy, which is the default policy used for the default connection profiles that are included on an ASA:
DefaultRAGroup and DefaultWEBVPNGroup. You can customize the DfltGrpPolicy group policy and tailor it
to match your company’s requirements, and you can inherit policies from it from within custom group
policies. In addition to applying this group policy to connection profiles, you can also apply it to user profiles,
which you can use to create a specific set of policies for individual users.
The DfltGrpPolicy group policy cannot be deleted. You can create custom group policies, but you cannot
delete the default group policy.
Reference:
Cisco: Configuring Tunnel Groups, Group Policies, and Users: Default Group Policy

QUESTION 198
Which of the following is accomplished as a result of issuing the group-url command on an ASA? (Select the
best answer.)

A. A list of bookmarks will be created for clientless SSL VPN users.
B. A VPN access method will be created in which the connection profile is automatically selected for VPN
users.
C. A webtype ACL will be created for a tunnel group.
D. A list of WebVPN servers will be applied to a user account.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Issuing the group-url command on a Cisco Adaptive Security Appliance (ASA) will create a virtual private
network (VPN) access method in which the connection profile is automatically selected for VPN users; the
group-url command will create a group Uniform Resource Locator (URL) for Secure Sockets Layer (SSL)
VPN users. If you configure a group URL for SSL VPN users, the users can connect to the group URL and
will not be required to select a tunnel group when they establish a connection. In such a scenario, the user
is presented with only user name and password fields on the login screen. The Cisco ASA examines the
URL from which the user is connecting and automatically applies the connection profile associated with the
URL. Configuring a group URL can help improve security because the user is not presented with a list of
available connection profiles.
You can configure a group URL by using the group-url command or by using Cisco Adaptive Security Device
Manager (ASDM). The syntax of the group-url command is group-url url [enable | disable]. This command
should be issued from tunnel-group webvpn configuration mode. To configure a group URL for a new SSL
VPN connection profile in ASDM, you should click Configuration, expand Network (Client) Access, click
AnyConnect Connection Profiles, and click Add under Connection Profiles, which will open the Add SSL
VPN Connection Profile dialog box. In the Add SSL VPN Connection Profile dialog box, expand Advanced,
and click SSL VPN to open the SSL VPN screen; on the SSL VPN screen, you can add a list of group
URLs in the Group URLs area.
Issuing the group-url command will not create a webtype access control list (ACL) for a tunnel group. You
can issue the access-list webtype command to create a webtype ACL.
Issuing the group-url command will not apply a list of WebVPN servers to a user account or create a list of
bookmarks for SSL VPN users. You can issue the url-list command to configure a list of WebVPN servers or
a list of URLs that will be applied to user profiles.
Reference:
Cisco: Cisco ASA 5500 Series Command Reference: group-url

QUESTION 199
What is the default modulus size that is used to create a self-signed certificate for SSL authentication on a
Cisco ASA? (Select the best answer.)

A. 512 bits
B. 768 bits
C. 1,024 bits
D. 2,048 bits

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The default modulus size that is used to create a self-signed certificate for Secure Sockets Layer (SSL)
authentication on a Cisco Adaptive Security Appliance (ASA) is 1,024 bits. If no trust point has been
configured, an ASA dynamically generates a self-signed certificate when an SSL connection is first
established. For example, when a Secure Hypertext Transfer Protocol (HTTPS) or a Cisco Adaptive
Security Device Manager (ASDM) connection is made to the ASA, a self-signed certificate is used to
authenticate the ASA to the browser or ASDM client. You can view self-signed certificates in ASDM by
opening the Configuration > Remote Access VPN > Certificate Management > Identity Certificates
pane. You can identify a self-signed certificate in the Identity Certificates pane by looking for a certificate with
identical values in the Issued To and Issued By fields. After selecting a certificate, you can click the Show
Details button to display detailed information about the certificate. Below, you can see a self-signed
certificate associated with ASDM_Trustpoint0 and with a modulus of 1,024 bits:
Alternatively, you can examine a certificate by using a modern web browser. When a web browser or ASDM
session is presented with a self-signed certificate, it will issue a warning to indicate that it cannot verify the
certificate with a root certificate authority (CA). Below, you can see an example of the warning information
presented by a browser-based HTTPS session that receives a self-signed certificate:

You can view the details of the certificate by clicking the Certificate information link, which will display the
information about the contents of the certificate. You can determine that a certificate is self-signed by noting
that the Issued to and Issued by fields in the certificate contain the same value, as shown in the example
below:
You can click the Details tab to view the contents of the certificate. Because this example is from an ASA
with a default configuration, you can see in the following exhibit that the modulus size in the Public key field
is 1,024 bits:
Reference:
Cisco: Cisco ASA 5500 Series Command Reference: crypto key generate rsa

QUESTION 200
Which of the following statements is true regarding private VLANs? (Select the best answer.)

A. Isolated ports can communicate only with other isolated ports in the same isolated VLAN.
B. Only a single community VLAN can be associated with a primary VLAN.
C. Community VLANs can send traffic to isolated ports but cannot receive traffic from them.
D. Every port in a private VLAN is a member of the primary VLAN.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Every port in a private virtual LAN (VLAN) is a member of the primary VLAN. Private VLANs
can be configured on a switch to help isolate traffic and provide Layer 2 separation between ports that
belong to the same VLAN. Because the separation exists at Layer 2, the hosts can exist on the same IP
subnet. The VLAN to which the hosts belong is called the primary VLAN. To create a private VLAN, you
must create one or more secondary VLANs and associate the secondary VLANs with the primary VLAN.
There are two types of secondary VLANs: community VLANs and isolated VLANs.
When configuring a port to participate in a private VLAN, you must configure the port by issuing the
switchport mode private-vlan {promiscuous | host} command. The promiscuous keyword configures the
port to communicate with any secondary VLAN. Consequently, devices that should be reachable from any
secondary VLAN should be connected to promiscuous ports. For example, a router, a firewall, or a gateway
that any host should be able to reach should be connected to a promiscuous port. By contrast, devices
connected to isolated or community VLANs should be connected to host ports, which are configured by
using the host keyword.
You can configure a primary VLAN by issuing the private-vlan primary command, and you can configure
secondary VLANs by issuing the private-vlan {isolated | community} command. Devices connected to a
community VLAN can communicate with other devices on the community VLAN as well as with the primary
VLAN. However, no devices on the community VLAN can communicate with a device that is connected to
an isolated port.
Ports that belong to an isolated VLAN can communicate only with promiscuous ports. Any traffic received
from isolated ports is forwarded only to promiscuous ports; thus isolated ports cannot communicate directly
with each other.
Reference:
Cisco: Configuring Private VLANs: Understanding Private VLANs
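The forwarding rules laid out above (promiscuous ports reach every secondary VLAN, community ports reach their own community plus promiscuous ports, isolated ports reach promiscuous ports only), expressed as a reachability check over a constructed topology. This is an added example, not Cisco code and not from the original explanation; the port names and roles in PORTS are constructed, and the helper community() and the tuple encoding of roles are this example's own conventions. It is useful when reviewing a proposed private VLAN design: the matrix it prints is exactly the Layer 2 segmentation the switch will enforce.

```python
"""Private VLAN reachability: which host ports can exchange frames with which."""

PROMISCUOUS = ("promiscuous",)
ISOLATED = ("isolated",)


def community(name):
    """Role of a host port in the named community VLAN."""
    return ("community", name)


def can_communicate(src, dst):
    """True if a frame from a port with role src may be delivered to a port with role dst.
    Promiscuous ports talk to everything; community ports talk to their own community
    and to promiscuous ports; isolated ports talk to promiscuous ports only."""
    if src[0] == "promiscuous" or dst[0] == "promiscuous":
        return True
    if src[0] == "community" and dst == src:   # same community VLAN
        return True
    return False                               # isolated<->isolated, cross-community, etc.


def reachability(ports):
    """ports: {port_name: role}. Return {port_name: sorted names of reachable ports}."""
    return {
        name: sorted(other for other, other_role in ports.items()
                     if other != name and can_communicate(role, other_role))
        for name, role in ports.items()
    }


# Constructed topology: a gateway on a promiscuous port, two community VLANs
# ("web" and "db") and two guest hosts in the isolated VLAN.
PORTS = {
    "gateway": PROMISCUOUS,
    "web1": community("web"),
    "web2": community("web"),
    "db1": community("db"),
    "guest1": ISOLATED,
    "guest2": ISOLATED,
}

if __name__ == "__main__":
    for port, reachable in reachability(PORTS).items():
        print(f"{port:8} -> {', '.join(reachable) or '(none)'}")
```

The output shows the gateway reaching every port, web1 reaching only the gateway and web2, db1 reaching only the gateway, and each guest reaching only the gateway: all six hosts share one primary VLAN and IP subnet, yet only the intended pairs can talk at Layer 2.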

QUESTION 201
Which of the following examples best describes the SaaS service model? (Select the best answer.)

A. A company moves all company-wide policy documents to an Internet-based virtual file system hosted by a
service provider.
B. A company hires a service provider to deliver cloud-based processing and storage that will house
multiple virtual hosts configured in a variety of ways.
C. A company licenses an office suite, including email service, that is delivered to the end user through a
web browser.
D. A company obtains a subscription to use a service provider's infrastructure, programming tools, and
programming languages to develop and serve cloud-based applications.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A company that licenses an office suite, including email service, that is delivered to the end user through a
web browser is an example of the Software as a Service (SaaS) service model. The National Institute of
Standards and Technology (NIST) defines three service models in its definition of cloud computing: SaaS,
Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
The SaaS service model enables its consumer to access applications running in the cloud infrastructure but
does not enable the consumer to manage the cloud infrastructure or, beyond limited user-specific settings,
the configuration of the provided applications. A company that licenses a service provider’s office suite and
email service that is delivered to end users through a web browser is using SaaS. SaaS providers use an
Internet-enabled licensing function, a streaming service, or a web application to provide end users with
software that they might otherwise install and activate locally. Web-based email clients, such as Gmail and
Outlook.com, are examples of SaaS.
The PaaS service model provides its consumer with more freedom than the SaaS model by enabling the
consumer to deploy and configure consumer-created or provider-supported applications in the cloud
infrastructure. A company that uses a service provider’s infrastructure, programming tools, and
programming languages to develop and serve cloud-based applications is using PaaS. PaaS enables a
consumer to use the service provider’s development tools or Application Programming Interface (API) to
develop and deploy specific cloud-based applications or services. Another example of PaaS might be using
a third party’s MySQL database and Apache services to build a cloud-based customer relationship
management (CRM) platform.
The IaaS service model provides the greatest degree of freedom by enabling its consumer to provision
processing, memory, storage, and network resources within the cloud infrastructure. The IaaS service
model also enables its consumer to install arbitrary software, including operating systems (OSs) and custom
applications. However, with IaaS, the underlying cloud infrastructure remains under the control of the
service provider. A company that hires a service provider to deliver cloud-based processing and storage
that will house multiple physical or virtual hosts configured in a variety of ways is using IaaS. For example,
a company that wanted to establish a web server farm by configuring multiple Linux Apache MySQL PHP
(LAMP) servers could save hardware costs by virtualizing the farm and using a provider’s cloud service to
deliver the physical infrastructure and bandwidth for the virtual farm. Control over the OS, software, and
server configuration would remain the responsibility of the organization, whereas the physical infrastructure
and bandwidth would be the responsibility of the service provider.
A company that moves all companywide policy documents to an Internet-based virtual file system hosted by
a third party is using cloud storage. Cloud storage is a term used to describe the use of a service provider’s
virtual file system as a document or file repository. Cloud storage enables an organization to conserve
storage space on a local network. However, cloud storage is also a security risk in that the organization
might not have ultimate control over who can access the files.
Reference:
NIST: Special Publication 800-145: The NIST Definition of Cloud Computing (PDF)

QUESTION 202
You have issued the logging enable command on an ASA with the default configuration.
Which of the following statements is true regarding the syslog messages that will be generated on this ASA
by default? (Select the best answer.)

A. The ASA will generate syslog messages that include a date.
B. The ASA will generate syslog messages that include a time.
C. The ASA will not generate syslog messages with a severity of 0.
D. The ASA will not generate syslog messages with a severity of 7.
E. The ASA will send syslog messages to only the console.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Cisco Adaptive Security Appliance (ASA) with a default configuration and logging enabled will not
generate system log (syslog) messages with a severity of 0. This value correlates with the severity of the
event that caused the message to be generated; higher values indicate a less severe event. Level 0 is an
emergency severity level and denotes that the system is unusable. Although an ASA will not generate
syslog messages with a severity level of 0, severity level 0 is supported on the ASA to ensure compatibility
with the UNIX syslog feature. The following table lists the syslog severity levels that are defined on an
ASA (level 0 is accepted in configuration but never generated):

Level   Keyword          Description
0       emergencies      System is unusable
1       alerts           Immediate action is needed
2       critical         Critical conditions
3       errors           Error conditions
4       warnings         Warning conditions
5       notifications    Normal but significant conditions
6       informational    Informational messages only
7       debugging        Debugging messages only

When an ASA is configured to direct syslog messages to a specific output location, it will include all
messages with a severity level value less than or equal to the severity level value configured for that
particular location. For example, if an ASA is configured to output syslog messages with a severity of 7 to
the console, the ASA will also output syslog messages with a severity less than 7 to the console. Therefore,
the higher the severity level configured on the ASA, the more syslog messages generated and transmitted
to the configured logging destinations.
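The "less than or equal to the configured level" rule is easy to get backwards when reading a configuration, so the following added example (not part of the original exam material) parses ASA-style syslog lines and shows which messages each logging destination would receive. The sample lines are constructed for this example: the six-digit message IDs are real ASA IDs, but the addresses and connection details are invented, and the destination names and levels are assumptions that mirror commands such as logging buffered debugging and logging trap warnings.

```python
import re
from typing import Dict, List

# ASA syslog messages carry their severity in the header:
#   %ASA-<severity>-<message_id>: <text>
# Constructed sample lines (real message IDs, invented details).
SAMPLE_MESSAGES = [
    '%ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/51234 to 198.51.100.3/25 flags SYN on interface OUTSIDE',
    '%ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.9/4444 dst INSIDE:10.1.1.5/445 by access-group "OUTSIDE_IN"',
    "%ASA-5-111008: User 'admin' executed the 'logging enable' command.",
    '%ASA-6-302013: Built outbound TCP connection 12345 for OUTSIDE:198.51.100.1/443 (198.51.100.1/443) to INSIDE:10.1.1.20/52001 (192.0.2.10/52001)',
    '%ASA-7-609001: Built local-host INSIDE:10.1.1.20',
]

# Severity keywords accepted by the "logging <destination> <level>" commands.
SEVERITY_KEYWORDS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

_HEADER_RE = re.compile(r"^%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


def parse_asa_message(line: str) -> Dict[str, object]:
    """Split an ASA syslog line into its severity, message ID and text."""
    m = _HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError("not an ASA syslog message: %r" % line)
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}


def level_from_setting(setting) -> int:
    """Accept either the numeric level or the CLI keyword (case-insensitive)."""
    if isinstance(setting, int):
        if not 0 <= setting <= 7:
            raise ValueError("severity level out of range: %d" % setting)
        return setting
    return SEVERITY_KEYWORDS[setting.lower()]


def messages_for_destination(lines: List[str], setting) -> List[Dict[str, object]]:
    """Messages a destination configured at `setting` receives: every message
    whose severity number is less than or equal to the configured level."""
    level = level_from_setting(setting)
    return [m for m in map(parse_asa_message, lines) if m["severity"] <= level]


def route_messages(lines: List[str], destinations: Dict[str, object]) -> Dict[str, List[str]]:
    """Map each destination name to the message IDs it would receive.
    `destinations` stands in for a set of logging commands, for example
    {"buffered": "debugging", "trap": "warnings", "console": 2}."""
    return {name: [m["msgid"] for m in messages_for_destination(lines, level)]
            for name, level in destinations.items()}


if __name__ == "__main__":
    routed = route_messages(SAMPLE_MESSAGES,
                            {"buffered": "debugging", "trap": "warnings", "console": 2})
    for destination, ids in routed.items():
        print("%-9s -> %s" % (destination, ids))
```

Raising the level on a destination only ever adds messages; a destination set to warnings receives severities 0 through 4, so the severity 2 connection-denied message reaches every destination in the sample configuration while the severity 7 debugging message reaches only the buffer.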
An ASA with a default configuration and logging enabled will not send syslog messages to only the console.
Although syslog messages for all supported severity levels are generated once logging has been enabled,
they are not directed to a destination until an output location has been configured on the ASA. Syslog
messages can be directed to several different locations, including the ASA’s console port? a syslog server?
a Simple Network Management Protocol (SNMP) server? an email address? or a remote session, such as
a Telnet session, a Secure Shell (SSH) session, or a Cisco Adaptive Security Device Manager (ASDM)
session. When configuring a target location for syslog messages, you must also specify the severity level
for the syslog messages that should be directed to the target location. Because directing syslog messages
to the console can degrade system performance, Cisco recommends configuring the internal buffer as a
destination for syslog messages and then using the show logging command to manually view the buffered
messages.
An ASA with a default configuration and logging enabled will not generate syslog messages that include a
date or time. Although the timestamp is not included by default, you can configure the syslog to include a
timestamp by issuing the logging timestamp command. In addition, you can configure the syslog to include
a device ID by issuing the logging device-id command. The syntax for the logging device-id command is
logging device-id {context-name | hostname | ipaddress interface-name | string text}.

Reference:
Cisco: Configuring Logging: Severity Levels

QUESTION 203
According to Cisco best practices, which of the following is true about the ideal application of an extended
access list? (Select the best answer.)

A. It should be applied in the inbound direction on the interface that is as close to the destination
as possible.
B. It should be applied in the outbound direction on the interface that is as close to the destination
as possible.
C. It should be applied in the inbound direction on the interface that is as close to the source as possible.
D. It should be applied in the outbound direction on the interface that is as close to the source as possible.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
According to Cisco best practices, extended access control lists (ACLs) should be applied in the inbound
direction on the interface that is as close to the source as possible. ACLs are used to identify traffic. Once
identified, the traffic can then be filtered, analyzed, forwarded, or influenced in various ways. ACLs can be
identified by an access list number or an access list name. Numbered ACLs in the range 1 through 99 (and
the expanded range 1300 through 1999) are standard ACLs and can identify traffic based on only the source
IP address. Numbered ACLs in the range 100 through 199 (and the expanded range 2000 through 2699) are
extended ACLs and can identify traffic based on source and destination IP addresses as well as protocol
and port.
ACLs can consist of multiple access list statements, which are also known as access control entries
(ACEs). Packets are compared to each statement in sequence until a match is found; once a statement
matches, no later statement is evaluated, so the order of the statements matters. The permit and deny
keywords are used to indicate whether matching packets should be forwarded or dropped, respectively. If
the packet does not match any of the access list statements, the packet is dropped. This is called the
implicit deny rule; all traffic is dropped unless it is matched by one of the access list statements that is
configured with the permit keyword.
An ACL does not perform an action until it is applied to an interface. Only one ACL can be configured per
interface per direction. This means that a particular interface can be configured for one inbound and one
outbound ACL. According to Cisco best practices, extended IP ACLs should be placed as close as possible
to the source of traffic because extended ACLs have the ability to specify a destination IP address and port.
By contrast, standard ACLs should be placed as close to the destination network as possible because they
can filter addresses based on only the source IP address. If a standard ACL is placed too close to the
source network, it is possible that the limited granularity of the standard ACL could unintentionally cause
legitimate traffic to be filtered.
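To make the sequential, first-match evaluation and the implicit deny concrete, the following added example (not part of the original exam material) parses a small subset of IOS extended ACE syntax and evaluates packets against it. It supports any, host, and address/wildcard pairs, the protocols ip, tcp, udp and icmp, and an optional eq port on tcp or udp; everything else is rejected. The sample ACL and packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    protocol: str            # "ip", "tcp", "udp" or "icmp"
    src: int                 # source address as a 32-bit integer
    src_wc: int              # source wildcard mask (1 bits mean "don't care")
    dst: int
    dst_wc: int
    dst_port: Optional[int]  # "eq <port>" on tcp/udp, otherwise None


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens: List[str]) -> Tuple[int, int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, tokens used)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return _to_int(tokens[1]), 0, 2
    return _to_int(tokens[0]), _to_int(tokens[1]), 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE, e.g. 'permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 25'."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError("unsupported ACE: %r" % line)
    src, src_wc, used = _parse_addr(t[2:])
    rest = t[2 + used:]
    dst, dst_wc, used = _parse_addr(rest)
    rest = rest[used:]
    port = None
    if rest:
        if t[1] not in ("tcp", "udp") or rest[0] != "eq" or len(rest) != 2:
            raise ValueError("unsupported port qualifier in: %r" % line)
        port = int(rest[1])
    return Ace(t[0], t[1], src, src_wc, dst, dst_wc, port)


def _wildcard_match(addr: int, ref: int, wildcard: int) -> bool:
    care = ~wildcard & 0xFFFFFFFF          # bits that must match exactly
    return (addr & care) == (ref & care)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dst_port: Optional[int]) -> bool:
    if ace.protocol != "ip" and ace.protocol != proto:
        return False
    if not _wildcard_match(_to_int(src), ace.src, ace.src_wc):
        return False
    if not _wildcard_match(_to_int(dst), ace.dst, ace.dst_wc):
        return False
    return ace.dst_port is None or ace.dst_port == dst_port


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation: return (action, index of the matching ACE).
    No match means the implicit deny at the end of every ACL: ('deny', None)."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dst_port):
            return ace.action, i
    return "deny", None


# Constructed sample ACL: mail to one server, no Telnet anywhere, everything else from 10.1.1.0/24.
SAMPLE_ACL = [parse_ace(line) for line in (
    "permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 25",
    "deny tcp 10.1.1.0 0.0.0.255 any eq 23",
    "permit ip 10.1.1.0 0.0.0.255 any",
)]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, "tcp", "10.1.1.5", "192.0.2.99", 23))   # deny, ACE 1
    print(evaluate(SAMPLE_ACL, "tcp", "10.2.2.2", "192.0.2.10", 25))   # implicit deny
```

Swapping the last two statements of SAMPLE_ACL makes the Telnet deny unreachable, because the broad permit ip statement now matches first; that is the shadowing mistake the "compared in sequence" rule warns about.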
Reference:
Cisco: Configuring IP Access Lists: Apply ACLs

QUESTION 204
Which of the following statements is true regarding network object NAT on an ASA? (Select the best
answer.)

A. A single NAT rule can apply to both a source and destination address.
B. A network object or group is a parameter of the NAT configuration.
C. Network object NAT is more scalable than twice NAT.
D. Network object NAT can use network object groups to specify real and mapped addresses.
E. Network object NAT is easier to configure than twice NAT.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Network object Network Address Translation (NAT) is easier to configure than twice NAT on a Cisco
Adaptive Security Appliance (ASA) configuration. You can implement NAT in two ways on an ASA: network
object NAT and twice NAT. With network object NAT, NAT is a parameter of a network object and the
network object serves as the real address for the translation. Network object NAT can apply to either a
source or destination address; however, two separate NAT rules would be required to translate both a
source and destination address. Because of these restrictions and limitations, network object NAT is easier
to configure than twice NAT.
By contrast, twice NAT can use network objects and groups to represent real and mapped addresses. The
network objects or groups in a twice NAT configuration are parameters of the NAT configuration and can
represent source real, source mapped, destination real, and destination mapped addresses. In addition,
service objects can be used to represent real and mapped source and destination network ports. Twice
NAT can specify both source and destination addresses in a single NAT rule, which makes it more scalable
than network object NAT. However, the additional capabilities of twice NAT make it more difficult to
configure than network object NAT.
Reference:
Cisco: Information About NAT: How NAT is Implemented

QUESTION 205
Upon which of the following languages is the Cisco FlexConfig scripting engine based? (Select the best
answer.)

A. Java
B. JavaScript
C. ActionScript
D. Bourne Again Shell

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Cisco FlexConfig scripting engine is based on the Java programming language. The FlexConfig
scripting engine uses a subset of the commands from the Apache Velocity Template Engine, which is an
open-source Java templating engine that can be used to create and reference dynamic configuration objects.
With FlexConfig, an administrator can create policies and objects to extend the capabilities of Cisco
Security Manager (CSM) to include configuration features that are not otherwise supported. For example,
you could use a FlexConfig script to loop through a specified group of phone numbers and assign a portion
of them to plain old telephone service (POTS) ports and the remainder to IP addresses for Voice over IP
(VoIP) operation.
The FlexConfig scripting engine is not based on the Bourne Again Shell (bash) command language. The
Cisco IOS command-line interface (CLI) is a proprietary command interpreter rather than a bash-based one,
although some Cisco platforms also expose a bash shell alongside the CLI.
The FlexConfig scripting engine is not based on the ActionScript or JavaScript programming languages.
Although many web-based management platforms, such as CSM or Cisco Configuration Professional
(CCP), rely on ActionScript or JavaScript for all or even part of their general implementation, the FlexConfig
scripting engine is a fully Java-based templating engine and is not dependent on other programming
languages or command interpreters.
Reference:
Apache: Apache Velocity Engine
Cisco: Managing FlexConfigs: Using Scripting Language Instructions

QUESTION 206
Refer to the exhibits:
You want to use ASDM to create a static network object NAT rule which will enable users on the OUTSIDE
network to reach an SMTP server on the INSIDE network by using the IP address defined by the
INSIDESMTPEXT object.
Which of the following samples of the Configuration > Firewall > NAT Rules pane corresponds to the
resulting configuration after you create the NAT rule? (Select the best answer.)

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following sample of the Configuration > Firewall > NAT Rules pane corresponds to the resulting
configuration after you create the static Network Address Translation (NAT) rule in this scenario:

The network object NAT rule in this scenario creates a static NAT rule which will enable users on the
OUTSIDE network to reach a Simple Mail Transfer Protocol (SMTP) server on the INSIDE network by using
the IP address specified by the INSIDESMTPEXT network object, which is 198.51.100.3. The following
diagram illustrates the static rule by using a sample packet from a host with an IP address of
198.51.100.111:

You can configure a network object NAT rule from the Configuration > Firewall > NAT Rules pane in
Adaptive Security Device Manager (ASDM) by clicking the Add dropdown list, and selecting the Add
“Network Object” NAT rule to open the Add Network Object dialog box. The following sample Add Network
Object dialog box corresponds to the dialog box in this scenario:

The Name field in the Add Network Object dialog box specifies the name of the network object to which the
NAT rule will apply. The NAT rule will affect the source IP address of the specified network object. The Type
dropdown list specifies the type of network object that is being configured. A network object can be a single
IP address, a range of IP addresses, a network subnet, or a Fully Qualified Domain Name (FQDN). In this
scenario, the NAT rule is being configured for a single SMTP server, so the Host type is selected from the
dropdown list box in the dialog box. Because the Host type is selected, the IP Address field is displayed in
the dialog box. If something else had been selected, the appropriate fields would be displayed instead. For
example, if the Range type had been selected, the Start Address and End Address fields would have been
displayed instead of the IP Address field. The IP Address field specifies the IP Address that corresponds to
the network object; in this scenario, it refers to the real IP address of the SMTP server.
The NAT section of the Add Network Object dialog box is where NAT parameters can be configured. The
Add Automatic Address Translation Rules checkbox enables NAT for the object and creates the NAT rules
displayed in the Configuration > Firewall > NAT Rules pane of ASDM. The Type dropdown list in the NAT
section specifies the type of NAT that will be performed for the network object’s source IP address. You can
configure static NAT, dynamic NAT, and dynamic Port Address Translation (PAT). In this scenario, a static
NAT rule is required to translate the SMTP server’s real IP address to a mapped IP address on the
OUTSIDE network. The Translated Addr field specifies the mapped address that will be used as the source
of translated packets. In this scenario, the INSIDESMTPEXT network object defines the IP address of the
SMTP server on the OUTSIDE network and is specified in the Translated Addr field. Because static NAT
has been selected as the translation type, none of the other fields in the dialog box are available. Fields
such as the PAT Pool Translated Address field become available only when a relevant translation type is
specified. The Advanced button is used to open the Advanced NAT Settings dialog box, as shown in the
following sample dialog box:

The Advanced NAT Settings dialog box can be used to specify additional translation parameters, such as
the source and destination interfaces. In addition, you can specify port translation for a network service. In
this scenario, we specify the INSIDE interface as the Source Interface, the OUTSIDE interface as the
Destination interface, and we specify Transmission Control Protocol (TCP) port 25, which is the port used
by SMTP, as both the real port and mapped port. Specifying the network service limits the static NAT rule to
only packets with the appropriate network port.
The following sample of the Configuration > Firewall > NAT Rules pane does not correspond to the resulting
configuration after you create the static NAT rule in this scenario, because no network service has been
specified for the original packets:

The following sample of the Configuration > Firewall > NAT Rules pane does not correspond to the resulting
configuration after you create the static NAT rule in this scenario, because no source or destination
interfaces have been specified for the original packets:
The following sample of the Configuration > Firewall > NAT Rules pane does not correspond to the resulting
configuration after you create the static NAT rule in this scenario, because neither a network service nor
source and destination interfaces have been specified for the original packets:

Reference:
Cisco: Configuring Network Object NAT: Configuring Static NAT or Static NAT-with-Port-Translation

QUESTION 207
One of your company’s headquarters routers is not forwarding packets to a branch location. The router is
housed in a locked room onsite. A junior administrator has remotely connected to the router to troubleshoot
the problem. You have been asked for assistance in interpreting some of the configuration output.
Which of the following methods are you least likely to use to connect to the router? (Select the best
answer.)

A. Telnet
B. SSH
C. a console port
D. a serial port
E. an auxiliary port

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, you are least likely to use a serial port to connect to the router. Serial ports and
Ethernet ports are used to directly connect Cisco routers to other network devices. For example, you might
use a serial port to directly connect a Cisco router to other data terminal equipment (DTE) or data
communications equipment (DCE) devices. You would also use a serial port to connect a router to a
Channel Service Unit/Data Service Unit (CSU/DSU).
You are likely to use in-band tools, such as Telnet or Secure Shell (SSH), to connect to the router in this
scenario because the router is remotely accessible from your company’s network. Management
applications and administrators who want to manage a Cisco device when it is operating in its normal state
could connect to the device by using virtual terminal (VTY) application protocols such as Telnet or SSH.
The use of VTY lines typically allows multiple administrators or management applications to concurrently
access a device from more than one location.
You might use a console port or an auxiliary (AUX) port to connect to the router in this scenario, although
doing so is not necessary because the router is remotely accessible. In addition, connecting by either of
these methods requires you to be in the same room as the device. You are most likely to use either an AUX
port or a console port to manage a Cisco router out-of-band, such as when the router is in read-only
memory (ROM) monitor (ROMmon) mode. The AUX port on a Cisco router is typically capable of supporting
most of the features available on a console port. Cisco switches either do not have AUX ports or do not
support certain features, such as system recovery, on their AUX ports if they have them.
ROMmon is a management mode that Cisco routers and switches revert to when the system cannot find a
software image, the software image is corrupted, or the configuration register has been set to manually
enter ROMmon mode. Because ROMmon is an out-of-band management method, it can be used to recover
system software images, passwords, or other configuration data even when the router or switch is in a state
where it can no longer forward packets.
Reference:
Cisco: PPP Back-to-Back Connections

QUESTION 208
You are troubleshooting IPSec VPN connectivity between two sites. From the local router, you are able to
ping the remote tunnel endpoint.
Which of the following steps should you perform next? (Select the best answer.)

A. Issue the traceroute command to trace the route to the tunnel endpoint.
B. Verify that the IKE policies match on both peers.
C. Verify that the peers successfully authenticate one another.
D. Reboot both devices.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
If you are able to ping the remote tunnel endpoint, you should verify that the Internet Key Exchange (IKE)
policies match on both peers. Issuing the show crypto isakmp policy command will display the IKE phase 1
policy settings that are configured on the router, including the encryption algorithm, hash algorithm,
authentication method, Diffie-Hellman (DH) group, and security association (SA) lifetime. The following
displays sample output from the show crypto isakmp policy command:
RouterA#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit

You can also issue the debug crypto isakmp command to determine whether an IKE phase 1 policy
mismatch is occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next
payload is 0 will appear when there is a phase 1 policy mismatch between the peers. To configure IKE
phase 1 policy parameters, issue the crypto isakmp policy priority command to enter ISAKMP policy
configuration mode, where you can issue the following commands:
- authentication
- encryption
- group
- hash
- lifetime
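The following added example (not part of the original exam material) models the phase 1 policy comparison described above, so that the "atts are not acceptable" condition can be reproduced and explained offline. It assumes, as Cisco documents for IKEv1, that the responder walks its own policies in priority order and compares each with every policy the initiator offered, that encryption, hash, authentication method and DH group must all be identical, and that the shorter of the two lifetimes is the one used. The two routers' policy sets are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    """One 'crypto isakmp policy <priority>' entry; a lower number is a higher priority."""
    priority: int
    encryption: str        # e.g. "aes", "aes 256", "3des"
    hash: str              # e.g. "sha", "sha256", "md5"
    authentication: str    # e.g. "pre-share", "rsa-sig"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds; the IOS default


# The attributes that must be identical on both peers for a policy to match.
NEGOTIATED_ATTRS = ("encryption", "hash", "authentication", "group")


def policy_diff(a: IkePolicy, b: IkePolicy) -> Dict[str, Tuple]:
    """Return {attribute: (a_value, b_value)} for every negotiated attribute that differs."""
    return {k: (getattr(a, k), getattr(b, k))
            for k in NEGOTIATED_ATTRS if getattr(a, k) != getattr(b, k)}


def match_ike_policies(responder: List[IkePolicy],
                       initiator: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Phase 1 matching as the responder performs it: walk its own policies from
    the highest priority (lowest number) down and compare each one with every
    policy the initiator offered, again in priority order. The first pair that
    agrees on encryption, hash, authentication and DH group wins; the shorter
    lifetime is used. None means no acceptable proposal, which is when
    'atts are not acceptable' appears in debug crypto isakmp output."""
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in sorted(initiator, key=lambda p: p.priority):
            if not policy_diff(rp, ip):
                return rp, ip, min(rp.lifetime, ip.lifetime)
    return None


def explain_mismatch(responder: List[IkePolicy], initiator: List[IkePolicy]) -> List[str]:
    """Troubleshooting aid: one line per policy pair naming the attributes that differ."""
    lines = []
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in sorted(initiator, key=lambda p: p.priority):
            diffs = policy_diff(rp, ip)
            detail = ", ".join("%s %r!=%r" % (k, a, b) for k, (a, b) in diffs.items()) or "match"
            lines.append("local %d vs remote %d: %s" % (rp.priority, ip.priority, detail))
    return lines


# Constructed sample policies for two peers (not taken from any real configuration).
ROUTER_A = [  # responder
    IkePolicy(10, "aes 256", "sha256", "pre-share", 14, 3600),
    IkePolicy(20, "aes", "sha", "pre-share", 14, 3600),
]
ROUTER_B = [  # initiator
    IkePolicy(10, "aes", "sha", "pre-share", 14, 86400),
    IkePolicy(20, "3des", "md5", "pre-share", 2),
]

if __name__ == "__main__":
    print("negotiated:", match_ike_policies(ROUTER_A, ROUTER_B))
    for line in explain_mismatch(ROUTER_A, ROUTER_B):
        print(line)
```

In the sample, RouterA's priority 20 policy matches RouterB's priority 10 policy and the 3600-second lifetime wins; change RouterB's DH group to 5 and match_ike_policies returns None, while explain_mismatch points straight at the group attribute, which is the question a debug trace answers only indirectly.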
If the IKE phase 1 policies match, you should issue the debug crypto isakmp command to verify that the SA
authenticates. If there is a preshared key (PSK) mismatch between the peers, you will see the 1d00h:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
debug error message. If a PSK is missing on one of the peers, you will see the 1d00h:
%CRYPTO-4-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.11.12.13 is missing
debug error message. To create a PSK, issue the crypto isakmp key keystring {address peer-address [mask]
| hostname hostname} [no-xauth] command.
If you can ping the remote tunnel endpoint, there is no need to issue the traceroute command to trace the
route to the tunnel endpoint. A successful ping indicates that connectivity between the peers exists. If the
ping is not successful, you can issue the traceroute command to see where the fault is occurring along the
path between the two peers.
Rebooting peer routers should not be among the first actions you perform when troubleshooting IP Security
(IPSec) virtual private network (VPN) connectivity between two sites. If you have performed the other
troubleshooting steps but are still unable to establish a VPN connection, you might consider rebooting the
routers. However, rebooting is not likely to solve the connectivity problems.
Reference:
Cisco: Configuring Internet Key Exchange Version 2 (IKEv2): Example How a Policy Is Matched
Cisco: Internet Key Exchange Security Protocol Commands: show crypto isakmp policy

QUESTION 209
Which of the following is not a method of mitigating false positives on a Sourcefire device? (Select the best
answer.)

A. disabling unnecessary Snort rules


B. suppressing event notifications
C. reporting false positives to Cisco Technical Support
D. configuring an Allow action without inspection
E. configuring a Block action

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Configuring a Block action is not a method of mitigating false positives on a Sourcefire device. A false
positive occurs when an intrusion detection system (IDS) or intrusion prevention system (IPS) identifies
non-malicious traffic as malicious. Sourcefire devices are commercial Cisco IDSs based on the open-source
IDS known as Snort. The Block action simply blocks traffic and does not perform any type of inspection.
Although the Block action might prevent notifications from false positives, it would also drop legitimate
traffic.
Configuring an Allow action without inspection is a method of mitigating false positives on a Sourcefire
device. A Sourcefire device can match traffic based on a number of conditions, including security zones,
networks, virtual LAN (VLAN) tags, source or destination ports, applications, Uniform Resource Locators
(URLs), or users. The Sourcefire is also capable of handling traffic matching a given condition by applying
an action, or rule, to the traffic. The actions that are supported by a Sourcefire include all of the following:
- Monitor
- Trust
- Block
- Interactive Block
- Allow
A Sourcefire can inspect and log traffic that is passed by the Allow action. Sourcefire inspection occurs
when an Intrusion Policy is applied to this action. Applying an action without an Intrusion Policy performs the
given action when traffic matches a condition but does not inspect the traffic. Therefore, you could apply an
Allow action without an Intrusion Policy to allow all traffic matching a given condition and prevent that traffic
from generating a false positive. Conversely, you might apply an Allow action with an Intrusion Policy to
permit all but malicious traffic that matches a given condition.
Disabling unnecessary Snort rules is a method of mitigating false positives on a Sourcefire device.
Unnecessary rules include rules that are designed to prevent the exploitation of vulnerabilities that have
been fixed, rendering the rule obsolete. Disabling such rules prevents them from generating alerts based on
matching traffic.
Reporting false positives to Cisco Technical Support is a method of mitigating false positives on a
Sourcefire device. Default Sourcefire Snort rules that trigger notifications might need to be modified by
Cisco’s Vulnerability Research Team (VRT) if the rule is causing legitimate traffic to be dropped.
Suppressing event notifications by using the Sourcefire Suppression feature is a method of mitigating false
positives on a Sourcefire device. The Suppression feature will prevent the Sourcefire device from sending
event notifications. However, the Suppression feature does not prevent the Sourcefire from processing
traffic. Therefore, the generation of false positives might still be a drain on device resources. Also,
legitimate traffic could be silently dropped.
Reference:
Cisco: Options to Reduce False Positive Intrusion Events: Options to Reduce False Positive Alerts
Cisco: FireSIGHT System User Guide Version 5.4.1: Using Rule Actions to Determine Traffic Handling and
Inspection

QUESTION 210
Which of the following actions is performed by dynamic NAT? (Select the best answer.)

A. mapping an inside local IP address to a specific global IP address
B. mapping an inside local IP address to a global IP address chosen from a pool
C. mapping an inside local IP address and port to a global IP address with a specific port
D. mapping an inside local IP address and port to a global IP address with a randomly selected port

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Dynamic Network Address Translation (NAT) maps an inside local IP address to a global IP address
chosen from a pool. This is often done to enable inside hosts with private, non-routable IP addresses to use
a globally routable IP address so that the inside hosts can communicate over the Internet. The following
exhibit shows an example of dynamic NAT:

Static NAT maps an inside local IP address to a specific global IP address. This is often used to enable
outside hosts to connect to a device on the inside network, such as a web server, when port translation is
not required. The following exhibit shows an example of static NAT:

Static Port Address Translation (PAT), which is also called port forwarding, maps an inside local IP address
and port to a global IP address with a specific port. This is often used to enable outside hosts to connect to
a specific service on a device located on the inside network, such as a web server. The following exhibit
shows an example of static PAT:

Dynamic PAT, which is also called NAT overloading, maps an inside local IP address and port to a global IP
address with a randomly selected port. This is often done to enable multiple inside hosts with private,
non-routable IP addresses to share a single globally routable IP address so that the inside hosts can
communicate over the Internet. The PAT device keeps track of each inside host by assigning a unique
translated port to each connection for the duration of that connection.
Dynamic PAT is not limited to a single mapped address, however. Some security appliances could mistake
a large number of packets from a single IP address for a denial of service (DoS) attack. Therefore, dynamic
PAT supports round-robin assignment across a pool of mapped addresses, so that internal source
addresses map to more than one routable IP source address. By using dynamic PAT’s round-robin
assignment of IP addresses, the risk that large amounts of translated traffic are misidentified as a DoS
attack can be mitigated.
The following exhibit shows an example of dynamic PAT:

Reference:
Cisco: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration
Guide, 3.1: NAT Types

QUESTION 211
You are configuring auto NAT on a Cisco Firepower device. The network object contains rules of both static
and dynamic types from internal subnets. You have configured the rules in the following order:

1. Dynamic NAT: 172.16.1.0/28
2. Static NAT: 192.168.51.8/29
3. Static NAT: 10.10.10.0/24
4. Dynamic NAT: 192.168.32.0/24
5. Static NAT: 10.10.11.1/32

The Firepower receives internal traffic from the 192.168.51.8/29 subnet.

Which of the rules in this scenario will be processed? (Select 2 choices.)

A. 1
B. 2
C. 3
D. 4
E. 5

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the auto Network Address Translation (NAT) rules configured in this scenario, only the static NAT rule
for the 10.10.11.1/32 network and the static NAT rule for the 192.168.51.8/29 network will be processed.
Auto NAT rules are automatically ordered by the device. Regardless of the order in which you configured
the rules in the network object, auto NAT will always attempt to match static rules before dynamic rules. In
addition, auto NAT will always attempt to match the longest address prefix first, meaning that the rule that
contains the smallest quantity of real IP addresses will be processed before rules containing a larger
quantity of real IP addresses. Therefore, a static NAT mapping that matches 10.10.10.0/24 will be
processed before a dynamic NAT mapping that matches 10.10.10.10/32, even though the 10.10.10.10/32
address has a longer prefix.
In this scenario, auto NAT will first attempt to match the traffic to the static NAT rule with the 10.10.11.1/32
address. This is because that rule is the static rule with the longest prefix. Next, auto NAT will attempt to
match the traffic to the static rule with the second longest prefix, which is 192.168.51.8/29. Because the
traffic matches this rule, the device will not process any of the other auto NAT rules.
If the traffic in this scenario did not match the static 192.168.51.8/29 rule, the device would have continued
processing the auto NAT rules in the following order:
- Static NAT: 10.10.10.0/24
- Dynamic NAT: 172.16.1.0/28
- Dynamic NAT: 192.168.32.0/24

There are two methods of implementing NAT on a Cisco Firepower device: manual NAT and auto NAT. Of
the two methods, auto NAT is the simplest to configure because NAT rules are configured as components
of a network object. Both source and destination addresses are compared to the rules within the object.
Manual NAT, on the other hand, enables you to specify both the source address and the destination
address of a mapping in a single rule. Therefore, you can configure more granular mapping rules by using
manual NAT.
Both manual NAT rules and auto NAT rules are stored in the same translation table. The table is divided
into three sections. Section 1 and Section 3 contain manual NAT rules, with Section 1 containing the most
specific manual NAT rules and Section 3 containing the most general NAT rules. Section 2 contains auto
NAT rules.
When the Firepower matches traffic to the NAT translation table, manual NAT rules in Section 1 are
processed first and in the order in which they were configured. Manual NAT rules are added to Section 1 by
default. If a match is found, rules in Section 2 and Section 3 are ignored. If the traffic does not match any of
the manual NAT rules in Section 1, the auto NAT rules in Section 2 are processed.
If the traffic matches one of the auto NAT rules, rules in Section 3 are ignored. If the traffic does not match
any of the auto NAT rules, the device will next attempt to match the traffic to the Section 3 manual NAT
rules.
Similar to Section 1, the manual NAT rules in Section 3 are processed in the order that they appear in the
configuration. However, you must specifically place manual NAT rules in this section because the device
will not automatically place manual NAT rules there. Cisco recommends that the most general manual NAT
rules be placed in this section, with the most specific of those general rules configured first.
Reference:
Cisco: Firepower Management Center Configuration Guide, Version 6.0.1: NAT Rule Order
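The auto NAT ordering described in Question 211, modelled as an added example (not Cisco's code): rules are sorted static-before-dynamic and then by fewest real addresses, and a packet from the 192.168.51.8/29 subnet is walked through the sorted list until the first match. The tie-breaker for rules covering the same number of addresses and the sample host address 192.168.51.10 are assumptions.

```python
"""Model of Firepower auto NAT rule ordering (added example, not Cisco code).

Ordering implemented here, as the explanation above describes it:
  1. static rules before dynamic rules
  2. within each type, the rule covering the fewest real addresses first
The tie-breaker for rules covering the same number of addresses (lowest real
network address) is an assumption; the scenario above never needs it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AutoNatRule:
    number: int      # position in which the administrator configured the rule
    kind: str        # "static" or "dynamic"
    real: str        # real (pre-translation) network in CIDR notation

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.real, strict=False)


# Rules exactly as listed in the scenario (constructed from the question).
SCENARIO_RULES: List[AutoNatRule] = [
    AutoNatRule(1, "dynamic", "172.16.1.0/28"),
    AutoNatRule(2, "static", "192.168.51.8/29"),
    AutoNatRule(3, "static", "10.10.10.0/24"),
    AutoNatRule(4, "dynamic", "192.168.32.0/24"),
    AutoNatRule(5, "static", "10.10.11.1/32"),
]


def processing_order(rules: List[AutoNatRule]) -> List[AutoNatRule]:
    """Return the rules in the order the device evaluates them.

    The configured order (rule.number) is deliberately ignored: the device
    re-sorts auto NAT rules itself.
    """
    def key(rule: AutoNatRule):
        return (
            0 if rule.kind == "static" else 1,   # static rules first
            rule.network.num_addresses,          # fewest real addresses first
            int(rule.network.network_address),   # assumed tie-breaker
        )
    return sorted(rules, key=key)


def evaluate(rules: List[AutoNatRule], source_ip: str) -> Tuple[List[int], Optional[int]]:
    """Walk the sorted rules for a packet from source_ip.

    Returns (numbers of the rules that were processed, number of the matching
    rule or None). Processing stops at the first match, so rules after it are
    never examined, which is why only rules 5 and 2 are processed above.
    """
    src = ipaddress.ip_address(source_ip)
    processed: List[int] = []
    for rule in processing_order(rules):
        processed.append(rule.number)
        if src in rule.network:
            return processed, rule.number
    return processed, None


if __name__ == "__main__":
    print("evaluation order:", [r.number for r in processing_order(SCENARIO_RULES)])
    # Sample host inside 192.168.51.8/29 (constructed): rules 5 and 2 are processed.
    print(evaluate(SCENARIO_RULES, "192.168.51.10"))
```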

QUESTION 212
Which of the following fields make up the trailer of an ESP packet? (Select 3 choices.)

A. Next Header
B. Pad Length
C. Padding
D. Security Parameter Index
E. Sequence Number

Correct Answer: ABC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Encapsulating Security Payload (ESP) trailer is made up of the Padding, Pad Length, and Next Header
fields. ESP is an IP Security (IPSec) protocol that provides data integrity and confidentiality for IP traffic. The
ESP trailer is always part of the authenticated data and is always encrypted. By contrast, the Security
Parameter Index (SPI) and Sequence Number fields make up the header of an ESP packet. The ESP
header is always part of the authenticated data in an ESP packet, but the ESP header itself is never
encrypted. The following diagram illustrates the ESP packet format:
ESP can operate in transport mode or tunnel mode. In transport mode, ESP encrypts only the original
payload data and the resultant ESP trailer, leaving the original IP header unencrypted. The following
diagram illustrates the components of an ESP packet in transport mode:

In tunnel mode, ESP encrypts the entire packet, including the original IP header, the original payload data,
and the resultant ESP trailer. The following diagram illustrates the components of an ESP packet in tunnel
mode:

Reference:
IETF: RFC 4303: IP Encapsulating Security Payload (ESP): 2. Encapsulating Security Payload Packet
Format
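The ESP header and trailer layout described in Question 212, as an added example that is not part of the original page or of RFC 4303: it lays out a packet and then parses one back into its SPI, Sequence Number, Payload Data, Padding, Pad Length and Next Header fields, with an optional ICV. Encryption and ICV computation are omitted (assumption), so the packets shown are what a receiver sees after decryption.

```python
"""Build and parse the ESP packet layout of RFC 4303 (added example, not Cisco code).

Layout before the ICV:
    SPI | Sequence Number | Payload Data | Padding | Pad Length | Next Header
Header  = SPI + Sequence Number (authenticated, never encrypted).
Trailer = Padding + Pad Length + Next Header (authenticated and encrypted
          together with the payload).
No cipher or ICV computation is performed here (assumption): the packets are
handled in the clear, as the receiver sees them after decryption.
"""
import struct
from typing import Dict

ESP_HEADER = struct.Struct("!II")  # SPI and Sequence Number, 32-bit big-endian each

IPPROTO_IPV4 = 4   # Next Header in tunnel mode: an inner IPv4 packet follows
IPPROTO_TCP = 6    # Next Header in transport mode carrying TCP


def build_esp(spi: int, seq: int, payload: bytes, next_header: int, align: int = 4) -> bytes:
    """Return SPI|Seq|payload|padding|pad length|next header (no ICV).

    RFC 4303 requires Payload + Padding + Pad Length + Next Header to end on a
    4-byte boundary (a block cipher may demand a larger alignment); the padding
    bytes follow the RFC's default monotonically increasing pattern 1, 2, 3, ...
    """
    pad_len = (-(len(payload) + 2)) % align
    padding = bytes(range(1, pad_len + 1))
    trailer = padding + bytes([pad_len, next_header])
    return ESP_HEADER.pack(spi, seq) + payload + trailer


def parse_esp(packet: bytes, icv_len: int = 0) -> Dict[str, object]:
    """Split a (decrypted) ESP packet into header, payload, trailer and ICV.

    icv_len is the length of the Integrity Check Value appended by the
    authentication algorithm of the SA (0 when none is in use).
    """
    if len(packet) < ESP_HEADER.size + 2 + icv_len:
        raise ValueError("packet too short for an ESP header and trailer")
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    body_end = len(packet) - icv_len
    body = packet[ESP_HEADER.size:body_end]
    icv = packet[body_end:]
    # The trailer is read from the end: Next Header is the last byte,
    # Pad Length the byte before it, and Padding precedes both.
    next_header = body[-1]
    pad_len = body[-2]
    if pad_len > len(body) - 2:
        raise ValueError("Pad Length exceeds the data carried by the packet")
    payload_end = len(body) - 2 - pad_len
    payload = body[:payload_end]
    padding = body[payload_end:payload_end + pad_len]
    return {
        "spi": spi,
        "sequence": seq,
        "payload": payload,
        "padding": padding,
        "pad_length": pad_len,
        "next_header": next_header,
        # RFC 4303 allows the receiver to inspect the default padding pattern.
        "padding_ok": padding == bytes(range(1, pad_len + 1)),
        "icv": icv,
    }


if __name__ == "__main__":
    # Transport-mode style packet carrying a constructed 5-byte TCP payload.
    pkt = build_esp(spi=0x1000, seq=1, payload=b"hello", next_header=IPPROTO_TCP)
    print(pkt.hex())
    print(parse_esp(pkt))
```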

QUESTION 213
You have issued the following commands to modify the 802.1X configuration on a switch port:
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event no-response action authorize vlan 1313
A new host is attached to the switch port. The host’s MAC address is not in the authentication database. In
addition, the host does not support 802.1X.
Which of the following statements is true regarding the host in this scenario? (Select the best answer.)

A. MAB will learn the new host’s MAC address and authorize the host for network access, and the switch
port will ignore the host’s 802.1X authentication attempts.
B. MAB will authorize the host for network access? however, the host will lose network access when it
attempts to authenticate with 802.1X.
C. The host will be assigned to VLAN 1313.
D. The host will fail MAB authentication, and the switch will place the port into an unauthorized state.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the host will be assigned to virtual LAN (VLAN) 1313 because the authentication event
no-response action authorize vlan 1313 command has been issued and the host does not support 802.1X
authentication. A switch port can be configured to use 802.1X, Media Access Control (MAC) Authentication
Bypass (MAB), or Web Authentication (WebAuth) to authenticate clients. The authentication event
no-response action authorize vlan 1313 command specifies the VLAN into which a switch should place a
port if it does not receive a response to the Extensible Authentication Protocol over LAN (EAPoL) messages
it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN.
When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest
VLAN; however, if an 802.1X-capable device is detected, the switch will place the port into an unauthorized
state and will deny access to all devices on the port.
The authentication order command is used to specify the order in which the switch should attempt the
configured authentication methods. By default, a switch will attempt 802.1X authentication before other
authentication methods. The authentication order mab dot1x command configures the switch to first use
MAB to authenticate a client based on MAC address. If the client's MAC address is not in the authentication
database, the switch will then attempt to authenticate the client with 802.1X. In this scenario, the client's
MAC address is not in the authentication database; therefore, MAB will not authorize the client for network
access. Normally, the configured authentication order is mirrored by the priority of each authentication
method; however, you can use the authentication priority command to change the priority. If the priority
mirrored the authentication order in this scenario, the switch would ignore EAPoL messages if the client
was authenticated by MAB and the client would continue to have authorized network access. However, the
authentication priority dot1x mab command changes the default priority behavior and assigns a higher
priority to 802.1X authentication than it does to MAB. This enables a client to use 802.1X authentication
even if it has successfully been authenticated by MAB. Unfortunately, the client is not an 802.1X client.
The authentication event fail action command specifies how the switch should react if an 802.1X client is
detected and the client fails to authenticate. There are two configurable parameters: next-method and
authorize vlan vlan-id. The authorize vlan vlan-id parameter configures the port to a specific restricted
VLAN. The next-method parameter configures the switch to attempt authentication by using the next
authentication method specified in the authentication order command. If the next-method parameter is
configured, the switch will indefinitely cycle through authentication methods unless WebAuth is configured.
If WebAuth is configured, the authentication process will not loop back to other authentication methods and
the switch will ignore EAPoL messages on the port.
Reference:
Cisco: Configuring IEEE 802.1x Port-Based Authentication: Configuring a Guest VLAN

QUESTION 214
Your supervisor asks you to configure a local CA to help secure digital communications.
Which of the following best describes what your company is most likely implementing? (Select the best
answer.)

A. a PKI
B. symmetric encryption
C. asymmetric encryption
D. a one-way hash algorithm

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, your company is most likely implementing a public key infrastructure (PKI) if you
have been asked to configure a local certificate authority (CA) to help secure digital communications. A PKI
enables encrypted communication by using a combination of a public and a private key pair. A certificate is
bound to a user's public key, which is the key that is made available to anyone who wishes to send a
message to the owner of the key pair. The private key is a secret key that is not shared. If a private key
becomes compromised or is no longer needed, the associated CA should be notified immediately so that
the certificate revocation list (CRL) can be updated. Certificates typically contain information, such as the
owner's name and contact information, the public key, the key validity period, the digital signature of the
certificate, and the location where the CRL can be retrieved.
Although asymmetric encryption is used in a PKI infrastructure, in this scenario you are more specifically
implementing a PKI. Diffie-Hellman (DH), Elliptical Curve Cryptography (ECC), and RSA are asymmetric
algorithms. DH is an asymmetric key exchange method. ECC and RSA are asymmetric encryption
algorithms. Asymmetric encryption, also known as public key encryption, uses a public key to encrypt data
and a different, yet mathematically related, private key to decrypt data. PKI uses a certificate authority to tie
a public key to a user ID to further ensure the confidentiality of data. Asymmetric encryption algorithms use
more complex mathematical functions than symmetric encryption algorithms. As a result, asymmetric
encryption algorithms take longer to encrypt and decrypt data than symmetric encryption algorithms. Other
examples of asymmetric encryption algorithms include Digital Signature Algorithm (DSA) and ElGamal.
Your company is not implementing symmetric encryption. Advanced Encryption Standard (AES), RC4, and
Triple Data Encryption Standard (3DES) are examples of symmetric encryption algorithms. When
symmetric encryption algorithms are used, the same encryption key is used to encrypt and decrypt data.
Two types of symmetric algorithms exist: block ciphers and stream ciphers. Block ciphers derive their name
from the fact that they encrypt blocks of data. For example, AES encrypts 128-bit blocks of data. By contrast,
stream ciphers are typically faster than block ciphers because stream ciphers encrypt text of variable length
depending on the size of the frame to be encrypted; stream ciphers are not limited to specific block sizes.
For example, RC4, a stream cipher, can encrypt data in streams of 8 through 2,048 bits. Other examples of
symmetric encryption algorithms include International Data Encryption Algorithm (IDEA), Skipjack, and
Blowfish.
Your company is not implementing a one-way hash algorithm. One-way hash algorithms, such as
Message Digest 5 (MD5), can be used to create checksums that represent every bit of data that is stored in
a file. Future hashes created from the same file can then be compared to the original hash to determine
whether anything has changed. Secure Hash Algorithm 1 (SHA1) is another hash algorithm that produces a
fixed-length value that corresponds to the content being parsed.
Reference:
Cisco: Cisco IOS PKI Overview Understanding and Planning a PKI: What Is Cisco IOS PKI

QUESTION 215
Which of the following authentication methods were invented by Cisco? (Select 2 choices.)

A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-MD5
E. LEAP

Correct Answer: BE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Lightweight Extensible Authentication Protocol (LEAP) and Extensible Authentication Protocol (EAP)-Flexible
Authentication via Secure Tunneling (FAST) are both authentication methods that were invented by Cisco.
LEAP is a wireless security method based on 802.1X. The Institute of Electrical and Electronics Engineers
(IEEE) 802.1X standard specifies an authentication mechanism using EAP. The 802.1X standard can use
digital certificates for authentication. Therefore, it is important to maintain an up-to-date public key
infrastructure (PKI) configuration. LEAP was developed by Cisco to enable wireless authentication with
support for Authentication, Authorization, and Accounting (AAA) protocols, such as Remote Authentication
Dial-In User Service (RADIUS).
Digital certificates are not required on the client or the server during the EAP-FAST authentication process;
instead, EAP-FAST uses Protected Access Credentials (PACs). EAP-FAST is an authentication protocol that
can be used for point-to-point connections and for both wired and wireless links. The EAP-FAST
authentication process consists of three phases. The first phase, which is optional and is considered phase
0, consists of provisioning a client with a PAC, which is a digital credential that is used for authentication. A
PAC can be manually configured on a client, in which case phase 0 is not required. The second phase,
which is referred to as phase 1, involves creating a secure tunnel between the client and the server. The
final phase, which is referred to as phase 2, involves authenticating the client. If the client is authenticated,
the client will be able to access the network.

EAP-Transport Layer Security (TLS) was not invented by Cisco. EAP-TLS is an Internet Engineering Task
Force (IETF) standard that is defined in Request for Comments (RFC) 5216. In addition, Protected EAP
(PEAP) was not invented by Cisco alone. PEAP is an open standard developed by Cisco, Microsoft, and
RSA. PEAP and other later variants of EAP, such as EAP-TLS and EAP-Tunneled TLS (EAP-TTLS), are
replacing LEAP.
EAP-Message Digest 5 (MD5) was not invented by Cisco. EAP-MD5 uses an MD5 hash function to provide
security and is therefore considered weak when compared to later methods. EAP is an IETF standard that
was originally defined in RFC 2284.

Reference:
Cisco: Cisco LEAP
Cisco: EAP Methods Summary
Category: Secure Access

QUESTION 216
You have configured antispoofing ACLs and DHCP snooping.
Which of the following are you most likely securing? (Select the best answer.)

A. the control plane
B. the management plane
C. the data plane
D. every network plane

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you are securing the data plane if you have configured antispoofing access control lists (ACLs)
and Dynamic Host Configuration Protocol (DHCP) snooping. The data plane is responsible for traffic
passing through the router, which is referred to as transit traffic. Therefore, data plane security protects
against unauthorized packet transmission and interception. Threats such as IP spoofing, Media Access
Control (MAC) address spoofing, Address Resolution Protocol (ARP) spoofing, DHCP spoofing,
unauthorized traffic interception, and unauthorized network access can be mitigated and monitored by
implementing features such as the following:
- ARP inspection
- Antispoofing ACLs
- DHCP snooping
- Port ACLs (PACLs)
- Private virtual LANs (VLANs)
- Unicast Reverse Path Forwarding (uRPF)
- VLAN ACLs (VACLs)

You are securing the control plane if you have configured Control Plane Policing (CoPP), Control Plane
Protection (CPPr), routing protocol authentication, and filtering. The control plane is responsible for the
creation and maintenance of structures related to routing and forwarding. These functions are heavily
dependent on the CPU and memory availability. Therefore, control plane security methods protect against
unauthorized traffic destined for the router, which can modify route paths and consume excessive
resources. Path modification can be caused by manipulating the traffic generated by routing protocols,
VLAN Trunking Protocol (VTP), and Spanning Tree Protocol (STP). Path modification attacks can be
mitigated by implementing routing protocol authentication and filtering, VTP authentication, and STP
protection features. In addition, excessive CPU and memory consumption can be caused by control plane
flooding. Resource consumption attacks can be mitigated by implementing control plane filtering and rate
limiting with CoPP and CPPr.
You are securing the management plane if you have configured Authentication, Authorization, and
Accounting (AAA) solutions and Management Plane Protection (MPP). Device configuration protection is
associated with the management plane. Management plane security protects against unauthorized device
access and configuration. Unauthorized access can be mitigated by implementing a strong AAA solution
and by implementing MPP, which creates protected management channels over which administrators must
connect in order to access device administration features. Management traffic can be encrypted by
implementing Secure Shell (SSH). You can mitigate unauthorized configuration of a device by implementing
Role-Based Access Control (RBAC), whereby administrators are limited to using only the features they need
to accomplish their jobs. Detection and logging of management plane access can be performed by
implementing Simple Network Management Protocol version 3 (SNMPv3) and Syslog servers.
Reference:
Cisco: Cisco Guide to Harden Cisco IOS Devices

QUESTION 217
You issue the following commands on a Cisco ASA. No other interfaces have been configured.
asa(config)#interface gigabitethernet 0/1
asa(config-if)#speed 1000
asa(config-if)#duplex full
asa(config-if)#security-level 0
asa(config-if)#nameif inside
asa(config-if)#ip address 10.1.1.1 255.255.255.0
asa(config-if)#no shutdown
asa(config-if)#exit
asa(config)#telnet 10.1.1.0 255.255.255.0 inside
asa(config)#telnet timeout 30
Which of the following statements is true regarding the resulting configuration? (Select the best answer.)

A. Telnet sessions will time out after 30 seconds of inactivity.
B. The ASA will deny SSH connections to the interface.
C. The ASA will reassign the interface a security level of 100.
D. Telnet sessions will be denied because a security level is manually assigned.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In this scenario, the Cisco Adaptive Security Appliance (ASA) will deny Telnet sessions to the
GigabitEthernet 0/1 interface because a security level is manually assigned. Normally, Telnet traffic is not
permitted to the interface with the lowest security. However, if there is only one configured interface and it
has been configured with a security level of 100, Telnet traffic is permitted even though the interface is
simultaneously the interface with the lowest security and the highest security. Because the interface in this
scenario has been manually assigned the lowest security level of 0, the Telnet session will be denied. If
there were other active interfaces on the ASA, a Telnet session would be permitted to the interface with the
lowest security only if that session was protected by a virtual private network (VPN) tunnel terminating on
the interface.
The ASA will not deny Secure Shell (SSH) connections to the interface. Although there are several methods
for working around Telnet access restrictions of the ASA, Cisco recommends disabling Telnet and using
more secure methods for management access, such as SSH or Secure Hypertext Transfer Protocol
(HTTPS) instead; neither HTTPS nor SSH is restricted by the security level of an interface.
The block of commands in this scenario configures the GigabitEthernet 0/1 interface to operate in full
duplex mode at a speed of 1000 megabits per second (Mbps), assigns the interface a security level of 0,
names the interface “inside”, and assigns an IP address 10.1.1.1 with a network mask of 255.255.255.0. In
addition, the no shutdown command enables the interface. The telnet commands define a network range
that is permitted to Telnet to the inside interface and configure a Telnet idle-timeout value. The default
security level on an ASA is 0; however, the inside interface is an exception to this rule because it is
automatically assigned a security level of 100 if a security level is not explicitly configured. An interface can
be assigned any integer-valued security level from 0 through 100.
Telnet sessions will not time out after 30 seconds of inactivity. The telnet timeout 30 command specifies an
inactivity timeout length of 30 minutes, not 30 seconds. The telnet timeout command accepts an integer
value from 1 through 1440 to specify the number of minutes a Telnet session can remain idle before the
ASA closes the connection.
Reference:
Cisco: Cisco ASA 5500 Series Command Reference: security-level

QUESTION 218
Which of the following vulnerabilities did the Stuxnet worm exploit on target hosts? (Select 2 choices.)

A. a buffer overflow vulnerability in the DCOM RPC service


B. a buffer overflow vulnerability in IIS software
C. a buffer overflow vulnerability in Microsoft SQL Server
D. a remote code execution vulnerability in the printer spooler service
E. a remote code execution vulnerability in the processing of .lnk files

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Stuxnet exploited vulnerabilities in both the printer spooler service and the processing of .lnk files. Stuxnet
was used in an act of cyber warfare against Iranian industrial control systems (ICSs). It was written to target
specific ICSs by modifying code on programmable logic controllers (PLCs). Stuxnet initially exploited
vulnerabilities in the printer spooler service; however, later variants exploited a vulnerability in the way that
Windows processes shortcuts (.lnk files). Research from Symantec published in 2011 indicated that at the
time, over 60 percent of the Stuxnet-affected hosts had been in Iran. Symantec analyzed Stuxnet and its
variants and discovered that five organizations were the primary targets of infection and that further
infections were likely collateral damage from the aggressive manner in which the worm spreads throughout
the network. Given the considerable cost in resources and man-hours that would have been required to craft
the Stuxnet worm, it was theorized that it was likely intended to sabotage high-value targets such as nuclear
materials refinement facilities.
The Blaster worm exploited a buffer overflow vulnerability in the Distributed Component Object Model
(DCOM) Remote Procedure Call (RPC) service on Microsoft Windows hosts. The worm carried a
destructive payload that configured the target host to engage in Denial of Service (DoS) attacks on
Microsoft update servers. Before Microsoft released a patch, several other worms exploited the
vulnerability. For example, the Welchia worm targeted the same vulnerability. Welchia was developed to
scan the network for vulnerable machines, infect them, and then remove the Blaster worm if present. It was
even designed to download and install the appropriate patch from Microsoft to fix the vulnerability that it and
Blaster initially exploited to infect the target machine. However, despite the good-natured design intentions of
the Welchia worm, its network-scanning component inadvertently caused DoS attacks on several large
networks, including those of the United States armed forces.
SQL Slammer exploited a buffer overflow vulnerability in Microsoft Structured Query Language (SQL)
server software. SQL Slammer spread at a tremendous rate and was reported to have infected as many as
12,000 servers per minute. Its high scanning rate generated enough traffic on many networks to effectively
produce DoS effects as collateral damage to the infection.
Code Red exploited a buffer overflow vulnerability in Microsoft Internet Information Server (IIS) software.
Although not as efficient as SQL Slammer, Code Red still managed to infect as many as 2,000 hosts per
minute. The initial Code Red variant failed to infect more than a single set of IP addresses; however, a later
variant was reported to have affected over 350,000 hosts within the first 14 hours of its release into the wild.
Reference:
Cisco: Protecting Industrial Control Systems with Cisco IPS Industrial Signatures
Symantec: Security Response: W32.Stuxnet Dossier (PDF)

QUESTION 219
Which of the following security applications is least likely to be included in a vendor’s desktop security
suite? (Select the best answer.)

A. antivirus software
B. a HIPS
C. a personal firewall
D. a proxy server

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, a proxy server is least likely to be included in a vendor’s desktop security suite. A
proxy server is typically an application layer gateway that provides resource caching and traffic filtering for a
particular class of traffic, such as web content. Although you could install a proxy server locally on a host, it
would not have a significant effect on malicious traffic directed at the host nor would it be able to analyze its
content.
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent
malicious traffic on that host and is more likely to be included in a vendor’s desktop security suite than a
proxy server. An Intrusion Prevention System (IPS) can be used to actively monitor, analyze, and block
malicious traffic before it infects devices. HIPS software can be installed on a host computer to protect that
computer against malicious traffic. By contrast, a Network-based IPS (NIPS) is an independent operating
platform, often a standalone appliance or a hardware module installed in a chassis. A NIPS device can be
installed inline on a network to monitor and prevent malicious traffic from being sent to other devices on the
network. One advantage of using a NIPS over a HIPS is that a NIPS can detect low-level network events,
such as the scanning of random hosts on the network; a HIPS can only detect scans for which it is the
target. A HIPS and a NIPS can be used together to provide an additional layer of protection.
A personal firewall is more likely to be included in a vendor’s desktop security suite than a proxy server. A
personal firewall can work in conjunction with other software, such as a HIPS or a NIPS, to protect a host
from a wider array of malicious activities. For example, Cisco Advanced Malware Protection (AMP) for
Endpoints can work in conjunction with a personal firewall to provide threat protection and advanced
analytics.
Antivirus software is more likely to be included in a vendor’s desktop security suite than a proxy server.
Antivirus software monitors the file system and memory space on a host for malicious code. Although the
antivirus software might protect the host from malicious file execution, it would be unable to protect the host
from malicious traffic. Some antivirus vendors offer integrated security suites, which feature personal
firewall, HIPS, antivirus, and antimalware components.
Reference:
Cisco: Cisco Advanced Malware Protection for Endpoints Data Sheet

QUESTION 220
Which of the following commands should you issue to allow communication between different ASA
interfaces that share the same security level? (Select the best answer.)

A. same-security-traffic permit inter-interface
B. same-security-traffic permit intra-interface
C. security-level 0
D. security-level 100
E. established

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the same-security-traffic permit inter-interface command on a Cisco Adaptive Security
Appliance (ASA) to allow communication between different interfaces that share the same security level.
Typically, interfaces with the same security level are not allowed to communicate with each other.
You should not issue the same-security-traffic permit intra-interface command to allow communication
between different interfaces that share the same security level. You should issue the same-security-traffic
permit intra-interface command to allow a packet to exit an ASA through the same interface through which it
entered, which is also known as hairpinning. By default, an ASA does not allow packets to enter and exit
through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be
assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit
through the same interface. The same-security-traffic permit intra-interface command allows packets to be
sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security
policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface
command is if multiple users need to connect via virtual private network (VPN) through the same physical
interface. These users will not be able to communicate with one another unless the same-security-traffic
permit intra-interface command has been issued from global configuration mode.
You should not issue either the security-level 0 command or the security-level 100 command to allow
communication between different interfaces that share the same security level. The security-level command
is used to set the security level on a physical interface. Security level 0 should be used to achieve the lowest
security level possible, whereas security level 100 should be used to achieve the highest security level
available.
You should not issue the established command to allow communication between different interfaces that
share the same security level. The established command is used to allow inbound traffic on any interface
that has already established an outbound connection with the ASA. For example, you could issue the
established tcp 4567 0 command to configure the ASA to allow an external host to initiate a connection
through the ASA to an internal host after the internal host has first established a Transmission Control
Protocol (TCP) connection to port 4567 on the external host. The established command is often used to
support protocols such as streaming media protocols that negotiate the ports for return traffic.
Reference:
Cisco: Configuring Interfaces: Allowing Same Security Level Communication

QUESTION 221
Which of the following facilitates the use of one authentication framework for connecting to both wired and
wireless devices on a Cisco Unified Wireless Network? (Select the best answer.)

A. ACS
B. CSA
C. CTA
D. SSC

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco Secure Services Client (SSC) is client security software that facilitates the use of one authentication
framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network. SSC
makes use of the Extensible Authentication Protocol (EAP), Wi-Fi Protected Access (WPA), and WPA2
standards to control network access and enforce security policies for clients using Microsoft Windows
platforms.
Cisco Secure Access Control System (ACS) is an Authentication, Authorization, and Accounting (AAA)
server that uses Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller
Access Control System Plus (TACACS+) to provide AAA services for users, hosts, and network
infrastructure devices such as switches and routers. ACS is typically implemented in a cluster configuration.
An ACS deployment typically consists of a primary server responsible for configuration, authentication, and
policy enforcement and one or more secondary servers serving as a backup in case the primary server
fails. In large-scale deployments, the primary server's function is typically relegated to configuration and
synchronization services, whereas the secondary servers provide AAA services to the network clients.
Cisco Trust Agent (CTA) is responsible for ascertaining the status of security applications and management
tools that are installed on a client. As client software, CTA communicates host posture information back to a
network access device on a Cisco Network Admission Control (NAC) framework. NAC is a Cisco feature
that prevents hosts from accessing the network if they do not comply with organizational requirements, such
as containing an updated antivirus definition file. When NAC is configured on an access device, such as a
router or switch, the NAC device intercepts connections from hosts that are not yet registered on the
network. When a host attempts to connect to the network, the access device queries the CTA running on
the host for the host's security status. The access device then sends this information to the ACS, which
determines whether the host is in compliance with organizational security policies. If the host is in
compliance, it is allowed to access the network; if the host is not in compliance, it can be denied access,
quarantined, or allowed limited network access.
Cisco Security Agent (CSA) is a Host-based Intrusion Prevention System (HIPS) that can be installed on
host computers, servers, and point-of-sale (POS) computers. CSA can help protect these devices from
malicious network traffic, such as zero-day attacks. In addition, CSA can provide local firewall services,
antivirus services, and security policy enforcement. CSA does not facilitate the use of one authentication
framework for connecting to both wired and wireless devices on a Cisco Unified Wireless Network.
Reference:
Cisco: Cisco Secure Services Client

QUESTION 222
An outside host has established an SSH connection with an inside host. Both hosts have sent and received
data over the SSH session.
Which of the following lines of output from the show conn command best represents the state of the
connection in this scenario? (Select the best answer.)
A. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
B. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
C. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
D. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
E. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
F. TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIOB

Correct Answer: F
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The following line of output from the show conn command on a Cisco Adaptive Security Appliance (ASA)
best represents the state of a Secure Shell (SSH) connection that has been established and on which both
hosts have sent and received data:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIOB
The output of the show conn command uses connection flags to indicate the status of each entry in the
ASA connection database. The connection database is used by the stateful firewall feature of the ASA to
track the state of each network connection that passes through it. The flags that an ASA uses to track a
connection entry are dependent on the interface that initiated the connection. Typically, each connection
entry has corresponding inside and outside interfaces. In terms of the connection database, the inside
interface for the entry is the interface with the higher security level, whereas the outside interface for the
entry is the interface with the lower security level. In addition, a data flow from the inside interface to the
outside interface is considered to be moving in the outbound direction and a data flow from the outside
interface to the inside interface is considered to be moving in the inbound direction.
When an ASA receives the first packet from a Transmission Control Protocol (TCP) connection, it creates
an entry in the connection database. The ASA immediately adds the B flag to the entry if the connection
was initiated from the outside. The ASA then uses various flags to indicate the progress of the TCP
three-way handshake. For example, if a connection is initiated from the inside, the ASA will add the saA
flags to the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
The s flag indicates that the ASA is awaiting a SYN segment from the outside host, and the a flag indicates
that the ASA is waiting for an ACK response segment to the SYN that was initiated from the inside host.
When the corresponding SYN/ACK segment is received from the outside host, it will satisfy both of these
flags and the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A
The remaining A flag indicates that the ASA is awaiting an ACK segment from the inside host. When the
host on the inside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will
clear the A flag and will mark the connection with the U flag, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags U
The U flag indicates that the three-way handshake is complete and that the TCP session is established.
Once the TCP session is established, the host can begin to exchange data. In this example, the inside host
has established an SSH session to an outside server. When the outside server sends data to the inside
host, the ASA will add the I flag to the entry to indicate that data has passed through the session in the
inbound direction. Likewise, the ASA will add the O flag to the entry to indicate that data has passed through
the session in the outbound direction. Thus a normal TCP session should have flags similar to those shown
in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIO
By contrast, if the connection were initiated from the outside, the ASA would have added the SaAB flags to
the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
The S flag indicates that the ASA is awaiting a SYN segment from the inside host, and the A flag indicates
that the ASA is waiting for an ACK response segment to the SYN that was initiated from the outside host.
When the corresponding SYN/ACK segment is received from the inside host, it will satisfy both of these
flags and the ASA will clear the flags from the entry, as shown in the following command output:
TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
The remaining a flag indicates that the ASA is awaiting an ACK segment from the outside host. When the
host on the outside responds to the SYN/ACK segment with the corresponding ACK segment, the ASA will
clear the a flag and will mark the connection with
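The flag transitions described above, replayed as an added example that is not part of the original exam explanation: the Python below parses a show conn entry in the format quoted here, explains the flags this page covers, and models how the ASA sets and clears those flags as a TCP handshake progresses from either side and data starts to flow. The exact line format, the fixed display order of the flags, and treating data before a completed handshake as an error are assumptions of this example; real ASA output also carries flags that are not discussed on this page.

```python
import re

# Display order for the flags discussed on the page. The relative order of
# S/s, a, A and B is taken from the sample output (saA, SaAB, aB, UIOB);
# treating it as a fixed order is an assumption of this example.
FLAG_ORDER = "UIOSsaAB"

FLAG_MEANING = {
    "U": "three-way handshake complete, TCP session established",
    "I": "data has passed inbound (outside to inside)",
    "O": "data has passed outbound (inside to outside)",
    "B": "initial SYN was received on the outside interface",
    "s": "awaiting SYN from the outside host",
    "S": "awaiting SYN from the inside host",
    "a": "awaiting ACK from the outside host",
    "A": "awaiting ACK from the inside host",
}

# Matches the show conn line format quoted in the explanation above (assumed).
CONN_LINE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+):(?P<out_port>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+):(?P<in_port>\d+)\s+"
    r"idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)\s*$"
)


def parse_conn_line(line):
    """Split one show conn entry into its fields; flags are left as a string."""
    m = CONN_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a show conn entry: %r" % line)
    entry = m.groupdict()
    for key in ("out_port", "in_port", "bytes"):
        entry[key] = int(entry[key])
    return entry


def describe_flags(flags):
    """Return one plain-language line per flag, rejecting flags not covered here."""
    unknown = sorted(set(flags) - set(FLAG_MEANING))
    if unknown:
        raise ValueError("flag(s) not covered by this example: %s" % "".join(unknown))
    return [FLAG_MEANING[f] for f in FLAG_ORDER if f in flags]


class ConnTracker:
    """Replays the flag transitions described above for one TCP connection."""

    def __init__(self, initiator):
        if initiator not in ("inside", "outside"):
            raise ValueError("initiator must be 'inside' or 'outside'")
        self.initiator = initiator
        # After the first SYN the ASA waits for the responder's SYN and for
        # ACKs from both sides; B is set at once if the SYN came from outside.
        self.flags = set("saA") if initiator == "inside" else set("SaAB")

    def syn_ack(self):
        """SYN/ACK from the responder satisfies its SYN flag and its ACK flag."""
        self.flags -= set("sa") if self.initiator == "inside" else set("SA")
        return self

    def ack(self):
        """Final ACK from the initiator completes the handshake."""
        self.flags -= set("aA")
        self.flags.add("U")
        return self

    def data(self, direction):
        """Record data crossing the ASA; direction is 'inbound' or 'outbound'."""
        if "U" not in self.flags:
            raise RuntimeError("data seen before the handshake completed")
        self.flags.add({"inbound": "I", "outbound": "O"}[direction])
        return self

    def __str__(self):
        return "".join(f for f in FLAG_ORDER if f in self.flags)


def flags_for_session(initiator, data_inbound=True, data_outbound=True):
    """Flags of a fully established session initiated from the given side."""
    t = ConnTracker(initiator).syn_ack().ack()
    if data_inbound:
        t.data("inbound")
    if data_outbound:
        t.data("outbound")
    return str(t)


if __name__ == "__main__":
    # Constructed sample line in the format used above.
    sample = "TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags UIOB"
    entry = parse_conn_line(sample)
    print(entry["flags"], "->", "; ".join(describe_flags(entry["flags"])))
    for side in ("inside", "outside"):
        t = ConnTracker(side)
        steps = [str(t), str(t.syn_ack()), str(t.ack())]
        print("%s-initiated handshake: %s" % (side, " -> ".join(steps)))
```

Running the block prints the inside-initiated sequence saA, A, U and the outside-initiated sequence SaAB, aB, UB; adding data in both directions then yields UIO and UIOB respectively, which is why a session initiated from the outside with traffic in both directions is shown as UIOB. Half-open entries that stay at saA or SaAB for long are the ones worth looking at when hunting for scans or SYN floods.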

QUESTION 223
Which of the following is a term used to describe a network of tools that are used to gather information
about attack methods that are used by malicious users? (Select the best answer.)

A. botnet
B. honeynet
C. honeypot
D. sinkhole
E. black hole

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A honeynet is a network of honeypots. A honeypot is a tool used to gather information about the attack
methods used by malicious users. Honeypots, which can be composed of hardware or virtual assets,
contain seemingly valuable information designed to attract malicious activities. By attracting malicious users
to honeypots, administrators can analyze the methods and tools used in an attack and then use that
information to protect legitimate resources.
A botnet is a network of compromised computers, known as zombies, which can be used to send spam as
well as perform Distributed Denial of Service (DDoS) attacks and Denial of Service (DoS) attacks. In
addition, zombies can collect personally identifiable information (PII), such as account login information and
bank account information. Zombies are controlled remotely by malicious users without the knowledge of the
computer's owner. A host can become a zombie by executing a virus or by using an operating system (OS)
that does not contain the latest updates.
A black hole is a traffic-filtering destination used to mitigate network-based attacks originating from a known
host address or range of addresses. With black-hole traffic filtering, all traffic from an address or range of
addresses is considered malicious and is routed to a black hole, typically the null interface of a router.
Packets routed to the null interface are discarded without further processing by the router.
Similarly, a sinkhole is a traffic-filtering destination used to mitigate network-based attacks. With sinkhole
traffic filtering, all traffic from an address or range of addresses is considered suspicious and is routed to a
sinkhole, which is a device that can capture the traffic and analyze it before determining whether the traffic
should be discarded.
Reference:
SANS Institute InfoSec Reading Room: Honey Pots and Honey Nets Security through Deception (PDF)

QUESTION 224
Which of the following most accurately describes transparent mode tunneling? (Select the best answer.)

A. It enables traffic to exit the same interface through which it entered.
B. It enables traffic to flow between interfaces that share the same security level.
C. It enables a VPN tunnel to form through a firewall or NAT device.
D. It enables a VPN tunnel to determine which traffic flows should be encrypted.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Transparent tunneling, which is the transparent mode setting on a Cisco VPN client, enables a virtual private
network (VPN) tunnel to form through a firewall or Network Address Translation (NAT) device. When
transparent tunneling is enabled on a VPN client, the encrypted IP Security (IPSec) packets are encapsulated in
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets prior to transmission through
the firewall or NAT device, so that the intermediate device sees ordinary TCP or UDP traffic with port numbers
it can translate, rather than Encapsulating Security Payload (ESP) packets that it might drop or be unable to NAT.
Hairpinning enables ASA traffic to exit the same interface through which it entered. The same-security-traffic
permit intra-interface command enables hairpinning. By default, an ASA does not allow packets to enter and
exit through the same physical interface. However, because multiple logical virtual LANs (VLANs) can be
assigned to the same physical interface, it is sometimes necessary to allow a packet to enter and exit
through the same interface. The same-security-traffic permit intra-interface command allows packets to be
sent and received from the same interface even if the traffic is protected by IP Security (IPSec) security
policies. Another scenario for which you would need to use the same-security-traffic permit intra-interface
command is if multiple users need to connect via VPN through the same physical interface. These users
will not be able to communicate with one another unless the same-security-traffic permit intra-interface
command has been issued from global configuration mode.
Likewise, the same-security-traffic permit inter-interface command enables traffic to flow between interfaces
that share the same security level. Typically, interfaces with the same security level are not allowed to
communicate.
Split tunneling enables a VPN tunnel to determine which traffic flows should be encrypted. Without split
tunneling, all traffic that passes through a remote VPN router is encrypted and forwarded through a tunnel
to the VPN server, which is an inefficient use of the bandwidth and processing power of the VPN server and
the remote VPN router. Traffic that is destined for the Internet or another unprotected network does not
need to be encrypted or forwarded to the VPN server. Split tunneling uses an access control list (ACL) to
determine which traffic flows are permitted to pass through the encrypted tunnel. Traffic destined for a
protected network at the VPN server site is encrypted and allowed to pass through the tunnel, whereas all
other traffic is processed normally. This method reduces both the processing load on the router and the
amount of traffic that passes through the encrypted tunnel. Split tunneling can also be applied to traffic from
remote access VPN clients.
Reference:
Cisco: Configuring the Transparent or Routed Firewall: Information About Transparent Firewall Mode

QUESTION 225
Which of the following would you most likely configure on a host to alert you about possible attacks without
filtering traffic? (Select the best answer.)

A. a botnet
B. a honeypot
C. a personal firewall
D. a HIDS

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Most likely, you would configure a Host-based Intrusion Detection System (HIDS) to alert you about possible
attacks without taking action to protect the system. A HIDS is a software- or hardware-based system that
detects intrusions by monitoring system activity, such as resource usage. By monitoring and auditing activity
on the host, the HIDS can detect anomalies associated with an intrusion and can issue an alert. Although a
HIDS could alert you about incoming traffic, it would not be able to filter that traffic.
You could configure a personal firewall to block incoming traffic on a specific port. A personal firewall is a
software-based system that controls the flow of network traffic. A personal firewall can be configured to allow
traffic or to block traffic. For example, you can configure a firewall to block or allow traffic based on the port
on which that traffic is being sent.
You are not likely to configure a honeypot on a host to alert you about possible attacks without filtering
traffic. A honeypot is a decoy system that is made to appear vulnerable to network intruders for the purpose
of trapping them; it also logs information about the attack for further study.
You would not install a botnet to block incoming traffic on a specific port. A botnet is a network of zombies.
Zombies, or bots, are compromised computers that can be used to perform Denial of Service (DoS) or
Distributed DoS (DDoS) attacks and to send spam.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Personal Firewalls and Host Intrusion Prevention
Systems, pp. 498-499

QUESTION 226
Which of the following forms of malware are typically standalone software that appear to be legitimate
applications? (Select the best answer.)

A. bots
B. Trojan horses
C. viruses
D. worms
Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Of the available choices, Trojan horses are the forms of malware that are typically standalone software that
appear to be legitimate applications. Malware, which is a term formed from the combination of the words
malicious and software, is unwanted software that is specifically designed to be malicious. Malware can
damage or disrupt systems, steal information from a user, or perform other unwanted and malicious
actions. Trojan horses can be used to annoy users, steal information, destroy data, or install back doors.
Bots are forms of malware but are not typically standalone software that appear to be legitimate
applications. A bot is a type of automated software that can be used as a remote command and control tool
to exploit a compromised system for malicious purposes. For example, a botnet is a network of bots on
compromised systems that can be used to carry out coordinated attacks, such as a Distributed Denial of
Service (DDoS) attack.
Viruses are forms of malware but are not typically standalone software that appear to be legitimate
applications. A virus is a type of software that can make copies of itself and inject them into other software.
Viruses can therefore spread across systems and networks. The level of damage that can be inflicted by
viruses ranges from annoyances to destruction of data.
Worms are forms of malware but are not typically standalone software that appear to be legitimate
applications. Similar to a virus, a worm is a type of software that can make copies of itself and propagate
across a network. However, a worm is typically standalone software that does not require human interaction
in order to propagate.
Reference:
Cisco: What Is the Difference: Viruses, Worms, Trojans, and Bots?

QUESTION 227
The IPS on your company's network is blocking normal web traffic.
Which of the following best describes what the IPS has identified? (Select the best answer.)

A. a false positive
B. a false negative
C. a true positive
D. a true negative

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The intrusion prevention system (IPS) has identified a false positive. A false positive occurs when an
intrusion detection system (IDS) or an IPS identifies nonmalicious traffic as malicious. Tuning must be
performed to minimize the number of false positives while eliminating false negatives. Not only can too
many false positives overburden a device, they can also overburden a network administrator because false
positives must usually be verified as harmless.
A false negative occurs when an IDS or IPS does not identify malicious traffic that enters the network. False
negatives can often lead to disastrous network security problems. To properly secure a network, you should
reduce the number of false negatives as much as possible by fine-tuning IDS and IPS rules, even if more
false positives are reported. Penetration testing can help determine when an IDS or IPS is not detecting a
genuine attack.
A true positive occurs when an IDS or IPS correctly identifies malicious traffic as malicious. For instance, a
true positive occurs when a virus or an attack is identified and the appropriate action is taken.
A true negative occurs when an IDS or IPS correctly identifies harmless traffic as harmless. For example, a
true negative occurs when an administrator correctly enters a password or when Hypertext Transfer
Protocol (HTTP) traffic is sent to a web server.
Reference:
Cisco: Cisco Secure IPS Excluding False Positive Alarms: False Positive and False Negative Alarms

QUESTION 228
Which of the following EAP methods requires digital certificates to be installed on the server but not on the
client? (Select the best answer.)
A. EAP-FAST
B. EAP-PEAP
C. EAP-TLS
D. LEAP

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Protected Extensible Authentication Protocol (PEAP) requires digital certificates to be installed on the server
but not on the client. PEAP is an open standard developed by Cisco, Microsoft, and RSA. PEAP and other
later variants of Extensible Authentication Protocol (EAP), such as EAP-Transport Layer Security (EAP-TLS)
and EAP-Tunneled TLS (EAP-TTLS), are replacing Lightweight EAP (LEAP). With PEAP, the client
authenticates the server by its certificate and then authenticates itself inside the resulting TLS tunnel, so
PEAP clients can use alternative authentication methods, such as one-time passwords (OTPs).
EAP-TLS requires both a client and a server digital certificate. EAP-TLS is an authentication protocol that can
be used for point-to-point connections and for both wired and wireless links. EAP-TLS performs mutual
authentication to secure the authentication process. When EAP-TLS is used, a digital certificate must be
installed on the authentication server and on each client that must authenticate with the server. Each side
validates the other's certificate, so the client and server certificates must be issued by a certificate authority
(CA) that the other side trusts; in practice they are usually obtained from the same CA.
LEAP does not require either the server or the client to be configured with a digital certificate. When LEAP
is used, the client initiates an authentication attempt with a Remote Authentication Dial-In User Service
(RADIUS) server. The RADIUS server responds with a challenge. If the challenge/response
process is successful, the client then validates that the RADIUS server is correct for the network. If the
RADIUS server is validated, the client will connect to the network. Because the LEAP challenge/response
exchange is based on MS-CHAP and is sent without a protective tunnel, captured exchanges are vulnerable
to offline dictionary attacks, which is why LEAP is being replaced.
Similar to LEAP, EAP-Flexible Authentication via Secure Tunneling (EAP-FAST) does not require either the
server or the client to be configured with a digital certificate. When EAP-FAST is used, Protected Access
Credentials (PACs) are used to authenticate users. The EAP-FAST authentication process consists of three
phases. The first phase, which is optional and is considered phase 0, consists of provisioning a client with a
PAC, which is a digital credential that is used for authentication. A PAC can be manually configured on a
client, in which case phase 0 is not required. The second phase, which is referred to as phase 1, involves
creating a secure tunnel between the client and the server. The final phase, which is referred to as phase 2,
involves authenticating the client. If the client is authenticated, the client will be able to access the network.
Reference:
Cisco: Cisco Protected Extensible Authentication Protocol

QUESTION 229
Which of the following lost or stolen device options are not available to employees when MDM is integrated
with ISE? (Select 2 choices.)

A. report device as lost or stolen
B. initiate a PIN lock
C. initiate a full or corporate wipe
D. quarantine the device
E. revoke the device’s digital certificate

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When Mobile Device Management (MDM) platforms are integrated with Cisco Identity Services Engine
(ISE), only ISE administrators can quarantine a device and revoke the device’s digital certificate.
Administrators are also capable of performing wipes and personal identification number (PIN) locks without
user notification or intervention. Unlike employees, who initiate full wipes or corporate wipes by using the My
Devices portal, an administrator initiates a wipe or a PIN lock by using the ISE Endpoints screen. Whether
an administrator can initiate a full wipe or a corporate wipe depends on the MDM server policies and
configuration. In a Bring Your Own Device (BYOD) environment, administrators will most likely be able to
perform only a corporate wipe or a PIN lock on a device. If the device is a corporate device that an
employee is simply allowed to use, an administrator might be able to perform a full wipe from the Endpoints
screen by selecting Full Wipe from the MDM Access drop-down menu. Administrators can additionally force
connected devices off the network, add devices to the Blacklist Identity Group, and disable the device’s
RSA SecurID token.
Employees have the ability to report a device as lost or stolen, initiate a PIN lock, or initiate a full or
corporate wipe when MDM platforms are integrated with Cisco ISE. A corporate wipe, which is also known
as a selective wipe, removes only corporate data and applications from the device. A full wipe, which is also
known as a factory reset, removes all data from the device. An employee is also capable of reinstating a
device to gain access without having to reregister the device with ISE. Each of these options is available to
the employee by using ISE’s My Devices portal.
ISE is a nextgeneration Authentication, Authorization, and Accounting (AAA) platform with integrated
posture assessment, network access control, and client provisioning. ISE integrates with a number of MDM
frameworks, such as MobileIron and AirWatch. From ISE, you can easily provision network devices with
native supplicants available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The
supplicants act as agents that enable you to perform various functions on the network device, such as
installing software or locking the screen with a PIN lock.
Reference:
Cisco: Managing a Lost or Stolen Device (PDF)
Cisco: Managing Network Devices: Wiping or Locking a Device

QUESTION 230
Which of the following private VLAN port types can communicate with promiscuous private VLAN ports but
not with isolated private VLAN ports? (Select 2 choices.)

A. community ports
B. isolated ports
C. SPAN ports
D. promiscuous ports
E. trunk ports

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Community private virtual LAN (VLAN) ports can communicate with promiscuous ports and with other ports
that belong to the same community, but not with isolated ports. Isolated private VLAN ports, on the other
hand, can communicate only with promiscuous ports. Promiscuous private VLAN ports are capable of
communicating with any other type of port.
Private VLANs can be configured on a switch to help isolate traffic within a VLAN. Private VLANs provide
Layer 2 separation between ports that belong to the same VLAN. Because the separation exists at Layer 2,
the hosts can exist on the same IP subnet. The VLAN to which the hosts belong is called the primary VLAN.
To create a private VLAN, you must create secondary VLANs and associate them with the primary VLAN.
Switch Port Analyzer (SPAN) ports are not a private VLAN port type. SPAN is a means of monitoring traffic
on a switch by copying packets from a source port to a monitored port or mirrored port. In addition, trunk
ports are not a private VLAN port type. Trunk ports are used to connect switches to other switches.
Reference:
Cisco: Configuring Isolated Private VLANs on Catalyst Switches: Background Theory

QUESTION 231
In which layer of the campus network hierarchy are ACLs and inter-VLAN routing typically implemented?
(Select the best answer.)

A. access
B. core
C. distribution
D. transport

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The distribution layer of the campus network hierarchy is where access control lists (ACLs) and inter-VLAN
routing are typically implemented. The campus network hierarchy is a design framework that is used to
outline different segments of a campus network, how they interact, and best practices for implementation.
The campus network hierarchy is broken into three distinct hardware layers: access, distribution, and core.
The distribution layer serves as an aggregation point for access layer network links. Because the
distribution layer is the intermediary between the access layer and the core layer, the distribution layer is the
ideal place to enforce security policies, provide load balancing, provide Quality of Service (QoS), and
perform tasks that involve packet manipulation, such as routing. Because the distribution layer connects to
both the access and core layers, it often comprises multilayer switches that can perform both Layer 3
routing functions and Layer 2 switching functions. You should also perform network-based intrusion
prevention in the distribution layer, protecting the access layer devices from threats.
The access layer, which typically comprises Layer 2 switches, serves as a media termination point for
endpoints, such as servers and workstations. Because access layer devices provide access to the network,
the access layer is the ideal place to perform user authentication and port security. Dynamic ARP
Inspection (DAI), Dynamic Host Configuration Protocol (DHCP) snooping, and IP Source Guard (protection
against IP spoofing) are also typically implemented in the access layer. Although you can use ACLs in the
access layer to classify and mark traffic for QoS configurations, inter-VLAN routing is not typically
implemented in the access layer.
The core layer provides fast transport services and redundant connectivity to the distribution layer. The core
layer acts as the network's backbone; thus it is essential that every distribution layer device have multiple
paths to the core layer. Multiple paths between the core and distribution layer devices ensure that network
connectivity is maintained if a link or device fails in either layer. Because the core layer focuses on low
latency and fast transport services, you should not implement mechanisms that can introduce unnecessary
latency into the core layer. For example, mechanisms such as process-based switching, packet
manipulation, and packet filtering introduce latency and should be avoided in the core layer.
In all three layers, you should use Network Foundation Protection (NFP) best practices. You should also
protect against inadvertent loops by using Spanning Tree Protocol (STP). Finally, you should ensure that
control plane traffic is filtered and rate-limited.
The Transport layer is an Open Systems Interconnection (OSI) model layer, not a campus network
hierarchy layer. Therefore, the Transport layer is not where ACLs and inter-VLAN routing are typically
implemented.
Reference:
Cisco: Enterprise Campus: Campus Distribution Layer Infrastructure Security

QUESTION 232
Which of the following is a VLAN hopping attack that uses DTP to negotiate a trunk link? (Select the best
answer.)

A. ARP spoofing
B. DHCP spoofing
C. MAC spoofing
D. switch spoofing

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Switch spoofing is a virtual LAN (VLAN) hopping attack that is characterized by using Dynamic Trunking
Protocol (DTP) to negotiate a trunk link with a switch port in order to capture all traffic that is allowed on the
trunk. In a switch spoofing attack, the attacking system is configured to act like a switch with a trunk port.
This enables the attacking system to become a member of all VLANs, which enables the attacker to send
and receive traffic among the other VLANs.
Dynamic Host Configuration Protocol (DHCP) spoofing is a man-in-the-middle attack that is most likely to be
used to cause a workstation to send traffic to a false gateway IP address. In a DHCP spoofing attack, a
rogue DHCP server is attached to the network in an attempt to intercept DHCP requests. The rogue DHCP
server can then respond to the DHCP requests with its own IP address as the default gateway address so
that all traffic is routed through the rogue DHCP server. DHCP snooping is a security technique that can be
used to mitigate DHCP spoofing.
In an Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack,
the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the
attacker's Media Access Control (MAC) address with the IP address of a valid host on the network.
Subsequently, traffic sent to the valid host address will go to the attacker's computer rather than to the
intended recipient.
MAC spoofing makes network traffic from a device look as if it is coming from a different device. MAC
spoofing is often implemented to bypass port security by making a device appear as if it were an authorized
device. Malicious users can also use MAC spoofing to intercept network traffic that should be destined for a
different device. ARP cache poisoning, content addressable memory (CAM) table flooding, and Denial of
Service (DoS) attacks can all be performed by MAC spoofing.
Reference:
Cisco: Switch Attacks and Countermeasures: VLAN Based Attacks (PDF)

QUESTION 233
On a Cisco ASA, which of the following authentication protocols is not supported by the TACACS+ server?
(Select the best answer.)

A. ASCII
B. CHAP
C. PAP
D. MSCHAPv1
E. MSCHAPv2

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Terminal Access Controller Access Control System Plus (TACACS+) server on a Cisco Adaptive
Security Appliance (ASA) does not support Microsoft Challenge Handshake Authentication Protocol version
2 (MSCHAPv2). Remote Authentication Dial-In User Service (RADIUS) and TACACS+ server groups on a
Cisco ASA support Challenge Handshake Authentication Protocol (CHAP), MSCHAP version 1
(MSCHAPv1), and Password Authentication Protocol (PAP).
A Cisco ASA supports a number of different Authentication, Authorization, and Accounting (AAA) server
types, such as RADIUS, TACACS+, Lightweight Directory Access Protocol (LDAP), Kerberos, and RSA
Security Dynamics, Inc. (SDI) servers.
When authenticating with a TACACS+ server, a Cisco ASA can use the following authentication protocols:
- ASCII
- PAP
- CHAP
- MSCHAPv1
When authenticating with a RADIUS server, a Cisco ASA can use the following authentication protocols:
- PAP
- CHAP
- MSCHAPv1
- MSCHAPv2
- Authentication Proxy Mode (for example, RADIUS to RSA/SDI, RADIUS to Active Directory, and others)
Reference:
Cisco: Configuring AAA Servers and the Local Database: TACACS+ Server Support
Cisco: Configuring AAA Servers and the Local Database: RADIUS Server Support

QUESTION 234
Which of the following are true of ARP traffic on a Cisco zone-based firewall in transparent mode? (Select 2
choices.)

A. It is denied by default.
B. It is permitted only in the inbound direction.
C. It is permitted only in the outbound direction.
D. It is permitted in both inbound and outbound directions.
E. It can be controlled by ARP inspection but not by access rules.

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Address Resolution Protocol (ARP) traffic is permitted in both inbound and outbound directions when a
Cisco zone-based firewall, such as a Cisco Adaptive Security Appliance (ASA), is operating in transparent
mode. In addition, ARP can be controlled by ARP inspection, but not by access rules, on a Cisco ASA that
is operating in transparent mode. The default bidirectional flow of ARP traffic in transparent mode is known
as an implicit permit. All of the following traffic is implicitly permitted when a Cisco zone-based firewall is
operating in transparent mode:
- IP version 4 (IPv4) traffic from a higher security interface to a lower security interface
- IPv6 traffic from a higher security interface to a lower security interface
- ARP traffic in both directions
- Bridge protocol data unit (BPDU) traffic in both directions
Thus a Cisco zone-based firewall operating in transparent mode implicitly permits certain types of traffic at
both Layer 2 and Layer 3 of the Open Systems Interconnection (OSI) network model. However, when a
Cisco zone-based firewall is operating in routed mode, only Layer 3 IPv4 and IPv6 traffic from a higher
security interface to a lower security interface are implicitly permitted.
In either mode, an extended access rule is required to permit additional types of IPv4 traffic. To permit
additional types of IPv6 traffic, an IPv6 access rule is required. To permit other types of Layer 2 traffic, an
EtherType rule is required.
Reference:
Cisco: Configuring Access Rules: General Information About Rules

QUESTION 235
Which of the following statements about the test aaa group command is not true? (Select the best answer.)

A. It does not work with a RADIUS server configuration.
B. It can be used to verify a AAA server configuration.
C. It can generate a "User rejected" message if the server is alive.
D. It associates a DNIS or CLID named user profile with a record sent to the server.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Cisco test aaa group command does work with a Remote Authentication Dial-In User Service (RADIUS)
configuration. The syntax of the test aaa group command is test aaa group {group-name | radius}
username password new-code [profile profile-name], where group-name is a subset of RADIUS servers,
username is the name for the test user, and password is the test user's password.
The test aaa group command can associate a Dialed Number Identification Service (DNIS) or Caller Line
Identification (CLID) named user profile with a record sent to the server. The new-code keyword configures
the command to support a CLID or DNIS user profile association with the RADIUS server. The profile
profile-name keyword associates the user profile specified by profile-name with the RADIUS server.
The test aaa group command is used to verify an Authentication, Authorization, and Accounting (AAA)
server configuration. RADIUS is a protocol that is used with AAA operations. RADIUS uses User Datagram
Protocol (UDP) for packet delivery and is less secure and less flexible than TACACS+. RADIUS encrypts
only the password of a packet; the rest of the packet would be viewable if the packet were intercepted by a
malicious user. With RADIUS, the authentication and authorization functions of AAA are combined into a
single function, which limits the flexibility that administrators have when configuring these functions.
Furthermore, RADIUS does not provide router command authorization capabilities.
The test aaa group command can generate either a "User rejected" message or a "User successfully
authenticated" message if the RADIUS server is alive. In order to generate either of those messages, the
test aaa command must be able to connect to the RADIUS server.
Reference:
Cisco: Demystifying RADIUS Server Configurations

QUESTION 236
Which of the following tasks does CASE on an ESA not perform when detecting a possible threat? (Select
the best answer.)

A. checking the reputation of the email sender
B. scanning the content of the email message
C. analyzing the email message's call to action
D. analyzing how the message is constructed
E. checking the reputation of the email receiver

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Cisco Context Adaptive Scanning Engine (CASE) on an Email Security Appliance (ESA) does not
check the reputation of the email receiver when detecting a possible threat. CASE is a technology that is
intended to detect email threats as they are received.
CASE checks the reputation of an email sender. As part of this process, CASE submits the email sender to
the Cisco SenderBase Network, which contains data on hundreds of thousands of email networks. The
sender is assigned a score based on this information.
CASE scans the content of the email message, including the message's call to action. The content of the
email message could contain language, links, or a call to action that is indicative of a phishing scam.
CASE analyzes how the message is constructed. For example, the message might be constructed in such
a way that it appears to be from a given type of email client. An email message that appears to be from a
Microsoft Outlook client might not actually have been sent by using Microsoft Outlook.
Reference:
Cisco: Secure solutions for advanced email threats (PDF)
Cisco: User Guide for AsyncOS 11.0 for Cisco Email Security Appliances: Context Adaptive Scanning
Engine

QUESTION 237
You upload a file named isitbad.docx to AMP for analysis. While reviewing the AMP logs, you receive the
following output:
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name =
'isitbad.docx', MID = 856, File Size = 174401 bytes, File Type = application/msword
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cache.
File Name = 'isitbad.docx', MID = 856, Disposition = file unknown, Malware = None, Reputation Score = 0,
sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1
Which of the following is true? (Select the best answer.)

A. The file was uploaded to the cloud and determined to be clean.
B. The file was not uploaded to the cloud, and its disposition is unknown.
C. The file was uploaded to the cloud, but its disposition is unknown.
D. The file was uploaded to the cloud and was determined to be malware.
E. The file was not uploaded to the cloud but was determined to be clean.
F. The file was not uploaded to the cloud but was determined to be malware.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The file named isitbad.docx was uploaded to Advanced Malware Protection (AMP), but its disposition is
unknown. AMP is a feature of the Cisco Email Security Appliance (ESA) that can be used to test a given file
against a file reputation service in the cloud. The file reputation service that is used by AMP attempts to
authenticate a Secure Hash Algorithm 256 (SHA256) hash for the file that is being uploaded against the file
reputation database. The service also rates the data fidelity of the uploaded file by assigning it a reputation
score.
The AMP log output in this scenario indicates that the file named isitbad.docx has been determined to be
174,401 bytes and is a Microsoft Word file. The file was successfully uploaded to the cloud service, which is
indicated by both the value of the upload_action field, which is 1, and the value of the Disposition field, which
is file unknown. If the file had not been uploaded, either the upload_action field would contain a different
value, such as 2, or the Disposition field would contain an error phrase that indicates that the file could not
be uploaded for a scan, such as unscannable. If the file that is being analyzed is already known to the file
reputation service, the upload_action field will contain a value of either 0 or 2 and will not be uploaded to the
cloud.
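The upload_action and Disposition rules described above, applied by a small parser to the log lines from this scenario, as an added Python example that is not part of the original question bank. The third log line, its placeholder hash, and the meaning of any field value beyond those the explanation names are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the two AMP log messages from the exhibit above (the
# wrapped response is joined back into one line) plus one constructed
# response for a file the reputation service already knows (placeholder hash).
SAMPLE_AMP_LOG: List[str] = [
    "Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. "
    "File Name = 'isitbad.docx', MID = 856, File Size = 174401 bytes, "
    "File Type = application/msword",
    "Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query "
    "from Cache. File Name = 'isitbad.docx', MID = 856, Disposition = file unknown, "
    "Malware = None, Reputation Score = 0, "
    "sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, "
    "upload_action = 1",
    "Wed Feb 17 12:45:00 2015 Info: Response received for file reputation query "
    "from Cloud. File Name = 'invoice.pdf', MID = 857, Disposition = malicious, "
    "Malware = Constructed.Sample, Reputation Score = 91, "
    "sha256 = " + "0" * 64 + ", upload_action = 2",
]

_HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?P<msg>.*)$")
# "Key = value" pairs: keys may contain spaces ("File Name"); values are
# single-quoted or run up to the next comma.
_PAIR_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_ ]*?)\s*=\s*('[^']*'|[^,]*)")


def parse_amp_line(line: str) -> Dict[str, str]:
    """Split one AMP log line into header fields plus its key/value pairs."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an AMP log line: {line!r}")
    fields = {"timestamp": m["ts"], "level": m["level"],
              # the event text precedes the first key/value pair
              "event": m["msg"].split(". ", 1)[0]}
    for key, value in _PAIR_RE.findall(m["msg"]):
        fields[key.strip()] = value.strip().strip("'")
    return fields


def interpret_response(fields: Dict[str, str]) -> Dict[str, object]:
    """Apply the upload_action / Disposition rules from the explanation above.
    Meanings of values other than those the explanation names are assumed."""
    if not fields["event"].startswith("Response received"):
        raise ValueError("only 'Response received' lines carry a disposition")
    disposition = fields.get("Disposition", "").lower()
    action = int(fields.get("upload_action", "-1"))
    if "unscannable" in disposition:          # could not be uploaded for a scan
        uploaded, verdict = False, "unscannable"
    elif action == 1 and disposition == "file unknown":
        uploaded, verdict = True, "unknown"    # sent to the cloud for analysis
    elif action in (0, 2):                     # already known: not uploaded
        uploaded, verdict = False, disposition
    else:
        uploaded, verdict = False, f"unrecognised ({action}, {disposition})"
    return {"mid": int(fields["MID"]), "file": fields.get("File Name", ""),
            "sha256": fields.get("sha256", ""), "malware": fields.get("Malware", "None"),
            "uploaded": uploaded, "verdict": verdict}


def analyze_amp_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one interpretation per file reputation response in the log."""
    results = []
    for line in lines:
        fields = parse_amp_line(line)
        if fields["event"].startswith("Response received"):
            results.append(interpret_response(fields))
    return results


if __name__ == "__main__":
    for r in analyze_amp_log(SAMPLE_AMP_LOG):
        print(f"MID {r['mid']} {r['file']}: uploaded={r['uploaded']} verdict={r['verdict']}")
```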
Reference:
Cisco: ESA File Analysis Through AMP Verification Procedures: File Uploaded for Analysis
Cisco: Blocking Malware and Prohibited Files: Understanding Malware Protection and File Control

QUESTION 238
Which of the following commands should you issue when troubleshooting basic IKE peering to determine
whether PSKs are present and matching on both peers? (Select the best answer.)

A. ping
B. traceroute
C. show crypto isakmp policy
D. debug crypto isakmp

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should issue the debug crypto isakmp command to determine whether preshared keys (PSKs) are
present and matching on both peers. If there is a PSK mismatch between the peers, you will see the 1d00h:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 failed its sanity check or is malformed
debug error message. If a PSK is missing on one of the peers, you will see the
1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Preshared key for remote peer at 10.11.12.13 is missing
debug error message. To create a PSK, issue the crypto isakmp key key {address ip-address [mask] |
hostname name} [no-xauth] command.
When troubleshooting basic Internet Key Exchange (IKE) peering, you should perform the following steps:
1. Verify that the peers can reach each other.
2. Verify that the IKE policies match on both peers.
3. Verify that the peers successfully authenticate each other.

To verify that the peers can reach each other, you can issue the ping command. A successful ping indicates
that connectivity between the peers exists. If the ping is not successful, you can issue the traceroute
command to see where the fault is occurring along the path between the two peers.
To verify that the IKE policies match on both peers, you can issue the show crypto isakmp policy command
to display the IKE phase 1 policy settings that are configured on the router, including the encryption
algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) key exchange mechanism, and
security association (SA) lifetime. The following displays sample output from the show crypto isakmp policy
command:
RouterA#show crypto isakmp policy
Global IKE policy
Protection suite of priority 20
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 3600 seconds, no volume limit

In order for virtual private network (VPN) peers to successfully negotiate a key management tunnel during
IKE phase 1, the peers must agree on security parameters. For example, when RouterA sends an IKE
policy proposal to RouterB, the IKE policy is compared with the IKE policies defined on RouterB. The
proposed policy must be an exact match to one of RouterB's locally defined policies; otherwise, it will be
rejected. The one exception to this rule is the value of the IKE lifetime parameter. An IKE lifetime is
considered a match if the value is less than or equal to the IKE lifetime defined in the local policy. If the IKE
lifetime value is less than that of the local policy, the router will use the lesser of the two values. For
example, when RouterA initiates a connection to RouterB, RouterA will only consider lifetime values from
RouterB’s policies as matching if they are less than or equal to 14,400 seconds.
To configure IKE phase 1 policy parameters, issue the crypto isakmp policy priority command to enter
Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode, where
you can issue the following commands:
- authentication
- encryption
- group
- hash
- lifetime

You can issue the debug crypto isakmp command to determine whether an IKE phase 1 policy mismatch is
occurring. The debug error message 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0 will
appear when there is a phase 1 policy mismatch between the peers.
To verify that the peers successfully authenticate each other, you should issue the debug crypto isakmp
command. If the PSKs are present and matching on both peers, the IKE SA should establish successfully
and communication between the sites should occur.
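The phase 1 matching rule and the three debug messages described above, as an added Python example that is not part of the original material: it parses the sample show crypto isakmp policy output into a local policy, decides whether a peer proposal matches it (lifetime less than or equal, lesser value used), and classifies debug crypto isakmp lines. The peer proposal values and the routine non-fault debug line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class IkePolicy:
    priority: int
    encryption: str      # normalised text, e.g. "aes (128 bit keys)"
    hash_alg: str        # e.g. "secure hash standard"
    authentication: str  # e.g. "pre-shared key"
    group: int           # Diffie-Hellman group number
    lifetime: int        # seconds

# The show crypto isakmp policy output shown above (one protection suite).
SAMPLE_POLICY_OUTPUT = """\
Global IKE policy
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys)
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit
"""

# Constructed debug crypto isakmp lines built from the messages quoted above;
# the last one is a routine message that indicates no fault.
SAMPLE_DEBUG = [
    "1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0",
    "1d00h: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.11.12.13 "
    "failed its sanity check or is malformed",
    "1d00h: %CRYPTO-4-IKMP_NO_PRESHARED_KEY: Preshared key for remote peer "
    "at 10.11.12.13 is missing",
    "1d00h: ISAKMP (0:1): processing SA payload. message ID = 0",
]

def _norm(value: str) -> str:
    """'AES - Advanced Encryption Standard (128 bit keys)' -> 'aes (128 bit keys)'."""
    value = re.sub(r"\s+-\s+[^(]*", " ", value)   # drop the spelled-out name
    return " ".join(value.lower().split())

def parse_isakmp_policy_output(text: str) -> List[IkePolicy]:
    """Parse every protection suite listed by show crypto isakmp policy."""
    suites, cur = [], {}
    for line in text.splitlines():
        m = re.search(r"priority (\d+)", line)
        if m:                                    # a new suite starts here
            if cur:
                suites.append(IkePolicy(**cur))
            cur = {"priority": int(m.group(1))}
            continue
        key, sep, value = line.partition(":")
        if not sep or not cur:
            continue
        key, value = key.strip().lower(), value.strip()
        if key.startswith("encryption"):
            cur["encryption"] = _norm(value)
        elif key.startswith("hash"):
            cur["hash_alg"] = _norm(value)
        elif key.startswith("authentication"):
            cur["authentication"] = _norm(value)
        elif key.startswith("diffie"):
            cur["group"] = int(re.search(r"#(\d+)", value).group(1))
        elif key.startswith("lifetime"):
            cur["lifetime"] = int(re.search(r"(\d+) seconds", value).group(1))
    if cur:
        suites.append(IkePolicy(**cur))
    return suites

def match_ike_policy(proposal: IkePolicy, local: List[IkePolicy]) -> Optional[IkePolicy]:
    """Phase 1 matching rule from the explanation: encryption, hash, authentication
    and DH group must match exactly; the lifetime matches when the proposal's value
    is <= the local value, and the lesser value is used. Lowest priority number first."""
    for pol in sorted(local, key=lambda p: p.priority):
        same = ((proposal.encryption, proposal.hash_alg, proposal.authentication, proposal.group)
                == (pol.encryption, pol.hash_alg, pol.authentication, pol.group))
        if same and proposal.lifetime <= pol.lifetime:
            return IkePolicy(pol.priority, pol.encryption, pol.hash_alg, pol.authentication,
                             pol.group, min(proposal.lifetime, pol.lifetime))
    return None

def classify_isakmp_debug(line: str) -> Optional[str]:
    """Map one debug crypto isakmp line to the fault it indicates, or None."""
    for needle, diagnosis in (("IKMP_NO_PRESHARED_KEY", "psk_missing"),
                              ("IKMP_BAD_MESSAGE", "psk_mismatch"),
                              ("atts are not acceptable", "policy_mismatch")):
        if needle in line:
            return diagnosis
    return None

if __name__ == "__main__":
    local = parse_isakmp_policy_output(SAMPLE_POLICY_OUTPUT)
    proposal = IkePolicy(10, "aes (128 bit keys)", "secure hash standard",
                         "pre-shared key", 14, 1800)   # constructed peer proposal
    print("negotiated:", match_ike_policy(proposal, local))
    for line in SAMPLE_DEBUG:
        print(classify_isakmp_debug(line), "<-", line)
```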
Reference:
Cisco: IPSec Troubleshooting: Understanding and Using debug Commands: debug crypto isakmp

QUESTION 239
You have configured Cisco ESA URL filtering with a URL Category action that redirects the URLs of adult
content sites and sites that have not been categorized to the Cisco Cloud Web Security proxy service.
However, you receive a report that users are successfully accessing adult content sites from the company
network.
Which of the following could be the problem? (Select the best answer.)

A. You did not specify any text to replace the URL.
B. You did not defang the URL so that it cannot be clicked.
C. The connection to the Cisco Cloud Web Security proxy service timed out.
D. The adult content sites being visited are uncategorized.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The problem could be that the connection to the Cisco Cloud Web Security proxy service timed out if you
have configured a Uniform Resource Locator (URL) Category action that redirects the URLs of adult
content sites and sites that have not been categorized to the proxy service. The Cisco Email Security
Appliance (ESA) supports URL filtering, which can be used to test the reputation of URL links in email
messages or to compare the content of the URL to a list of categories of sites that violate company policy.
By using URL filtering with URL categorization, it is possible to limit user access to a given site without
relying on a blacklist of the site's possible IP addresses.
There are three options for action when a link in an email message matches a given URL category or its
reputation score falls within a specified range:
- Defang the URL - renders the URL unclickable, although the user can still copy and paste the URL
- Redirect the URL to the Cisco Cloud Web Security proxy service - redirects the URL to a proxy, which
blocks the site if it is malicious and displays a message to the user
- Replace the URL with specific text or the URL to a third-party proxy service - replaces the link in the original
email message with specific warning text provided by the administrator or with a link that redirects to a
third-party proxy service
You can also choose to apply any of those actions to sites that are not yet categorized in the URL database.
In this scenario, both sites that fit into the adult URL category and sites that are not categorized should be
redirected to the Cisco Cloud Web Security proxy service. However, if a connection to the Cisco Cloud Web
Security proxy service times out, URL filtering will automatically allow the user to connect to the target site
by using the link in the original email message.
There is not enough information in this scenario to determine whether the adult sites being visited are
uncategorized. However, if the sites were uncategorized and the connection to the Cisco Cloud Web
Security proxy service was reliable, users would still be redirected to the Cisco Cloud Web Security proxy.
In this scenario, you have configured uncategorized sites to redirect to the proxy. You do not need to defang
the URL. In this scenario, you have chosen to redirect adult site content and uncategorized content to the
Cisco Cloud Web Security proxy.
You do not need to specify text to replace the URL. In this scenario, you have chosen to redirect adult site
content and uncategorized content to the Cisco Cloud Web Security proxy.
Reference:
Cisco: Cisco AsyncOS 8.5.6 for Email User Guide: Redirected URLs: What Does the End User
Experience? (PDF)

QUESTION 240
An inbound TCP SYN packet arrives at the ingress interface of a Cisco ASA 8.2 firewall. The packet is not
part of an established session. The packet reaches the interface’s internal buffer and the input counter is
incremented.
Which of the following actions will occur next? (Select the best answer.)

A. The packet will be processed by interface ACLs.
B. The packet is forwarded to the outbound interface.
C. The packet is subjected to an inspection check.
D. The packet's IP header is translated by NAT/PAT.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The inbound Transmission Control Protocol (TCP) SYN packet will be processed by interface access
control lists (ACLs) if it is not part of an established session. A Cisco Adaptive Security Appliance (ASA) 8.2
performs all of the following checks when a packet arrives on the inbound interface:
- Increments the input counter
- Determines whether the packet is part of an established connection
- If not an established connection, processes the packet by using the interface ACLs
- If not an established connection, verifies the packet for translation rules
- Conducts an inspection of the packet to determine protocol compliance
- Translates the IP header according to Network Address Translation (NAT) rules
- Forwards the packet to the outbound interface

Inbound TCP packets that are not part of an established connection should be SYN packets, which is the
first packet that is sent during TCP's three-way handshake. Inbound TCP SYN packets are permitted by the
ASA as long as the packet is permitted by an interface ACL rule and is successfully translated by NAT or
Port Address Translation (PAT). The TCP SYN-ACK packet is the second phase of the TCP three-way
handshake; it is sent by the host that received the SYN packet to the host that is attempting to establish a
connection. Therefore, an ASA will permit an inbound TCP SYN-ACK packet only if it is part of an
established connection.
It is important to note that the Cisco ASA 8.3 and later modify the ASA packet process algorithm. When
configuring NAT for the ASA 8.3 and later, you should use the client's real IP address instead of the ASA's
public IP address. Thus, if the ASA in this scenario were an ASA 8.3 or later, the packet's IP header would
be translated by NAT or PAT prior to being processed by interface ACLs.
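A model of the 8.2 versus 8.3-and-later ordering described above, as an added Python example that is not the page's or Cisco's code: it walks a constructed inbound SYN through the listed checks and shows that the same ACL entry permits the packet on one release and not on the other, because the ACL is evaluated before NAT on 8.2 and after untranslation on 8.3 and later. The addresses, ACL entries, and the requirement that a translation exist (as the explanation states) are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    flags: str = "SYN"        # TCP flags of the arriving packet

@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    dst: str                  # destination host address or "any"
    dport: Optional[int] = None

@dataclass(frozen=True)
class StaticNat:
    real: str                 # address of the inside host
    mapped: str               # public address it is reachable at from the outside

Conn = Tuple[str, str, str, int]   # (proto, src, dst, dport) as the packet is seen

def _acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in acl:
        if e.dst in ("any", pkt.dst) and e.dport in (None, pkt.dport):
            return e.action == "permit"
    return False

def process_inbound(pkt: Packet, acl: List[AclEntry], nat: List[StaticNat],
                    conns: Set[Conn], asa_83_or_later: bool = False):
    """Walk an inbound packet through the checks listed above, in the order an
    ASA 8.2 applies them (ACL before NAT) or an ASA 8.3+ applies them (NAT
    untranslation before ACL). Returns (verdict, trace)."""
    trace = ["input counter incremented"]
    if (pkt.proto, pkt.src, pkt.dst, pkt.dport) in conns:
        trace.append("part of an established connection: ACL/NAT lookups skipped")
        return "forward", trace
    if pkt.proto == "tcp" and pkt.flags != "SYN":
        trace.append(f"TCP {pkt.flags} without a connection: dropped")
        return "drop", trace
    mapping = next((n for n in nat if n.mapped == pkt.dst), None)
    if asa_83_or_later:
        if mapping is None:                      # the model requires a translation,
            trace.append("no translation rule: dropped")   # as the explanation states
            return "drop", trace
        pkt = replace(pkt, dst=mapping.real)     # ACLs in 8.3+ see the real address
        trace.append(f"NAT: dst untranslated to {pkt.dst}")
    if not _acl_permits(acl, pkt):
        trace.append(f"interface ACL denied dst {pkt.dst}")
        return "drop", trace
    trace.append(f"interface ACL permitted dst {pkt.dst}")
    if not asa_83_or_later:
        if mapping is None:
            trace.append("no translation rule: dropped")
            return "drop", trace
        trace.append("translation rule verified")
    trace.append("inspection check passed")
    if not asa_83_or_later:
        pkt = replace(pkt, dst=mapping.real)
        trace.append(f"NAT: dst translated to {pkt.dst}")
    trace.append("forwarded to the outbound interface")
    return "forward", trace

# Constructed scenario: inside web server 10.1.1.10 published as 203.0.113.10.
NAT = [StaticNat(real="10.1.1.10", mapped="203.0.113.10")]
ACL_MAPPED = [AclEntry("permit", "203.0.113.10", 80)]   # 8.2 style: mapped address
ACL_REAL = [AclEntry("permit", "10.1.1.10", 80)]        # 8.3+ style: real address
SYN = Packet("tcp", "198.51.100.7", "203.0.113.10", 80, "SYN")
SYN_ACK = replace(SYN, flags="SYN-ACK")

def demo() -> dict:
    """Verdicts for the same packet and ACLs on both software trains."""
    return {
        "8.2 / mapped-address ACL": process_inbound(SYN, ACL_MAPPED, NAT, set())[0],
        "8.2 / real-address ACL": process_inbound(SYN, ACL_REAL, NAT, set())[0],
        "8.3 / mapped-address ACL": process_inbound(SYN, ACL_MAPPED, NAT, set(), True)[0],
        "8.3 / real-address ACL": process_inbound(SYN, ACL_REAL, NAT, set(), True)[0],
        "8.2 / SYN-ACK, no session": process_inbound(SYN_ACK, ACL_MAPPED, NAT, set())[0],
        "8.2 / SYN-ACK, session": process_inbound(
            SYN_ACK, ACL_MAPPED, NAT, {("tcp", SYN.src, SYN.dst, 80)})[0],
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict}")
```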
Reference:
Cisco: ASA 8.2: Packet Flow through an ASA Firewall: Cisco ASA Packet Process Algorithm

QUESTION 241
Which of the following can be used by Cisco IPS devices to report intrusion alerts? (Select 2 choices.)

A. SDEE
B. SNMPv1
C. SNMPv2
D. SNMPv3
E. Syslog

Correct Answer: AE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Cisco Intrusion Prevention System (IPS) devices can use either Security Device Event Exchange (SDEE) or
Syslog to report intrusion alerts. SDEE is a protocol that was designed for reporting security events by using
an encrypted and authenticated session between devices. For example, Cisco IPS Manager Express (IME)
can monitor up to 10 security sensors by using the SDEE protocol.
The Syslog protocol is used to transmit logging information, including security events, from a device to a
syslog server. However, data sent using Syslog is typically sent as plain text. An attacker could intercept the
messages and view the contents of the messages. By default, when User Datagram Protocol (UDP) is
used, Syslog data is sent over UDP port 514, and when Transmission Control Protocol (TCP) is used,
Syslog data is sent over TCP port 1468.
Cisco IPS devices do not use Simple Network Management Protocol (SNMP) to report intrusion alerts.
SNMP is used to monitor and manage network devices by collecting statistical data about those devices.
Three versions of SNMP currently exist. SNMP version 1 (SNMPv1) and SNMPv2 do not provide
encryption; password information, known as community strings, is sent as plain text with messages. If an
attacker intercepts the message, the attacker can view the password information. SNMPv3 improves upon
SNMPv1 and SNMPv2 by providing encryption, authentication, and message integrity to ensure that the
messages are not tampered with during transmission. Thus, whenever possible, you should use SNMPv3
instead of SNMPv1 or SNMPv2. SNMP uses UDP port 161 for SNMP control traffic and UDP port 162 for
SNMP trap traffic.
Reference:
Cisco: Cisco IOS Intrusion Prevention System: Monitoring Cisco IOS IPS Signatures via Syslog or SDEE

QUESTION 242
You are using ASDM to verify a VPN configuration made by another administrator on an ASA. Please click
exhibit to examine the network configuration.

Exhibit:
A user accesses the VPN by typing https://203.0.113.1/BosonUsers in a browser's location bar. Which
interface will accept the connection? (Select the best answer.)

A. the DMZ interface
B. the inside interface
C. the outside interface
D. the mgmt interface

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The outside interface will accept the connection when a user accesses the virtual private network (VPN) by
typing https://203.0.113.1/BosonUsers in a browser's location bar. In this scenario, the user is accessing the
clientless Secure Sockets Layer (SSL) VPN, which enables VPN connectivity by using a browser instead of
a VPN client. In Cisco Adaptive Security Device Manager (ASDM), you can determine the interface on
which the clientless SSL VPN is listening by navigating to Configuration > Remote Access VPN >
Clientless SSL VPN Access > Connection Profiles. The Enable interfaces for clientless SSL VPN access
area contains check boxes that indicate the interfaces that are allowed access to the clientless SSL VPN. In
this scenario, only the outside interface is selected, as shown in the following exhibit:

Reference:
Cisco: Configuring Clientless SSL VPN (PDF)

QUESTION 243
You are using ASDM to verify a VPN configuration made by another administrator on an ASA. Please click
exhibit to examine the network configuration.
Exhibit:

A user accesses the VPN by typing https://203.0.113.1/BosonUsers in a browser's location bar. How will the
user be authenticated to the VPN? (Select the best answer.)

A. by a RADIUS server
B. by a TACACS+ server
C. by HTTP credentials
D. by the local database
E. by a certificate

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The user will be authenticated to the virtual private network (VPN) by the local database when the user
accesses the VPN by typing https://203.0.113.1/BosonUsers in a browser's location bar. In this scenario,
the location BosonUsers is an alias for the Cisco Adaptive Security Appliance (ASA) connection profile
named BosonVPN, as shown in the following exhibit:

By navigating to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles,
you can also determine that the authentication method for the connection profile named BosonVPN is AAA
(LOCAL), which indicates that users will be authenticated by using the local Authentication, Authorization,
and Accounting (AAA) database instead of a AAA server or a certificate. Although multiple authentication
methods can be configured for a single connection profile, in this scenario only the AAA (LOCAL) method is
configured for the BosonVPN connection profile. If you were to select the BosonVPN connection profile, you
could modify the way in which BosonVPN users authenticate to the VPN, as shown in the following exhibit:

Reference:
Cisco: Configuring Clientless SSL VPN (PDF)

QUESTION 244
You are using ASDM to verify a VPN configuration made by another administrator on an ASA. Please click
exhibit to examine the network configuration.
Exhibit:
A user prefers to access the BosonVPN by some means other than a browser. Which of the following
should you tell the user? (Select the best answer.)

A. The user must use clientless SSL VPN access at this time.
B. The user will need to install the SSL VPN client.
C. The user can connect by using IPsec instead.
D. The user can connect by using L2TP instead.

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You should tell the user that the user must use clientless Secure Sockets Layer (SSL) virtual private
network (VPN) access at this time, because that is the only method that is currently enabled for the Cisco
Adaptive Security Appliance (ASA) BosonVPN connection profile in this scenario. You can determine which
types of VPN tunneling protocols are enabled for a given connection profile by navigating to Configuration >
Remote Access VPN > Clientless SSL VPN Access > Group Policies in Cisco Adaptive Security Device
Manager (ASDM), as shown in the following exhibit:

In the exhibit above, only the ssl-clientless tunneling protocol is enabled for VPN users who are associated
with the connection profiles named BosonVPN and bsnadmin. You can modify which tunnel protocols are
available for a given profile by selecting the appropriate group policy.

Reference:
Cisco: Configuring Clientless SSL VPN (PDF)

QUESTION 245
You are using ASDM to verify a VPN configuration made by another administrator on an ASA. Please click
exhibit to examine the network configuration.
Exhibit:

A user accesses the VPN by typing https://203.0.113.1/default in a browser's location bar. Which of the
following methods will authenticate the user? (Select 2 choices.)

A. a RADIUS server
B. a TACACS+ server
C. the HTTP credentials
D. the local database
E. a certificate

Correct Answer: DE
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A user who accesses the virtual private network (VPN) by typing https://203.0.113.1/default in a browser's
location bar will be authenticated by using both the Cisco Adaptive Security Appliance (ASA) Authentication,
Authorization, and Accounting (AAA) local database and by using a certificate. In this scenario, the
default alias is associated with the DefaultWEBVPNGroup connection profile. You can determine which
profile uses the alias by navigating to Configuration > Remote Access VPN > Clientless SSL VPN Access >
Connection Profiles in Cisco Adaptive Security Device Manager (ASDM), as shown in the following exhibit:
Based on the exhibit above, you can determine that the DefaultWEBVPNGroup connection profile is
configured with two authentication methods: AAA(LOCAL) and Certificate. Although multiple AAA servers
can be configured for a single connection profile, in this scenario only the AAA(LOCAL) AAA server is
configured for the DefaultWEBVPNGroup connection profile. If you were to select the
DefaultWEBVPNGroup connection profile, you could modify the way in which default users authenticate to
the VPN, as shown in the following exhibit:

The AAA Server Group dropdown menu enables you to select a different AAA authentication server if one
has been configured. If a server other than LOCAL is selected, you can select the Use LOCAL if Server
Group fails check box to use the local database as a backup authentication method for whatever AAA
server is in use.
Reference:
Cisco: Configuring Clientless SSL VPN: Configuring Clientless SSL VPN Access (PDF)

QUESTION 246
You are using ASDM to verify a VPN configuration made by another administrator on an ASA. Please click
exhibit to examine the network configuration.
A user accesses the VPN by typing https://203.0.113.1/default in a browser's location bar.
Which of the following is true? (Select the best answer.)
Exhibit:

A. The local database will be used to authenticate only if RADIUS fails.
B. The group policy named DfltGrpPolicy will be applied.
C. The user's DNS server will be boson.com.
D. The session will fail because Clientless SSL VPN is not enabled.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The group policy named DfltGrpPolicy will be applied if the user accesses the virtual private network (VPN)
by typing https://203.0.113.1/default in a browser's location bar. In this scenario, the default alias is
associated with the Cisco Adaptive Security Appliance (ASA) connection profile named
DefaultWEBVPNGroup. You can determine which aliases are associated with which connection profiles by
navigating to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection
Profiles in Cisco Adaptive Security Device Manager (ASDM), as shown in the following exhibit:

You can determine which group policy will be applied by examining the value in the Group Policy column of
the connection profile's entry in the Connection Profiles area of the Connection Profiles screen. If you
wanted to modify the group policy value in ASDM, you would select the appropriate connection profile. The
Group Policy dropdown menu will then enable you to select the group policy that should be applied to the
connection profile, as shown in the following exhibit:

Reference:
Cisco: Configuring Clientless SSL VPN: Configuring Clientless SSL VPN Access (PDF)

QUESTION 247
Your corporate network uses MobileIron as an MDM for ISE. You have been informed that a user has lost
his phone and that you must perform a selective wipe on the device.
Which of the following will not be removed from the device during the selective wipe? (Select the best
answer.)

A. the MobileIron app
B. the CA certificate for the WiFi profile installed by ISE
C. corporate applications installed by MDM
D. the MDM profile and all of its subprofiles

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The certificate authority (CA) certificate for the WiFi profile installed by Cisco Identity Services Engine (ISE)
is not removed when you perform a selective wipe. ISE is a next-generation Authentication, Authorization,
and Accounting (AAA) platform with integrated posture assessment, network access control, and client
provisioning. ISE integrates with a number of Mobile Device Management (MDM) frameworks, such as
MobileIron and AirWatch. From ISE, you can easily provision network devices with native supplicants
available for Microsoft Windows, Mac OS X, Apple iOS, and Google Android. The supplicants act as agents
that enable you to perform various functions on the network device, such as installing software or locking
the screen with a personal identification number (PIN) lock.
For devices like phones, ISE relies on MDM servers to carry out the specific administrative actions selected
in ISE. For example, when a selective wipe is selected for a device in ISE, a request is made to the
appropriate MDM server to carry out the action. The MDM server communicates with its corresponding
agent and removes all corporate applications and installed profiles, including any subprofiles. The selective
wipe also removes the MDM agent, which in this scenario is the MobileIron App. Through an MDM server,
ISE can perform a full wipe, a selective wipe, or a PIN lock depending on the severity of the security risk of
the lost phone.
An administrator can also initiate a selective wipe if an employee is terminated. However, the administrator
should also take steps to blacklist the device within ISE and remove the user account's privileges so that the
user cannot re-enroll the device. The administrator can then force the user's device to attempt an immediate
reauthentication against ISE by revoking the user certificate on the CA server. This will cause the device to
match the blacklist upon its attempt to re-enroll.
Reference:
Cisco: Integrating MobileIron with Cisco Identity Services Engine: Corporate Wipe (PDF)

QUESTION 248
Which of the following statements is true regarding security contexts on a new Cisco ASA in multiple
context mode? (Select the best answer.)

A. You cannot delete the current admin context.


B. You can delete a single security context with the clear configure context command.
C. You can delete all security contexts with the no context command.
D. You cannot delete a security context from the active unit in a failover configuration.
E. You can delete a security context only by editing the system configuration.

Correct Answer: E
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can delete a security context only by editing the system configuration on a new Cisco Adaptive Security
Appliance (ASA). Security contexts divide a single ASA into multiple virtual devices with unique policies.
This division enables a single physical ASA to provide security services for different departments while
keeping the departments logically separated. The system configuration contains the startup configuration
and resides in the system execution space, which is also called the system context. You can add, modify,
and delete security contexts from the system execution space. You can issue the context command from
configuration mode to create a new security context and to enter context configuration mode, which is used
to edit an existing security context. Conversely, you can issue the no context command from configuration
mode to delete a single security context. For example, you can issue the no context CTX1 command to
delete a context named CTX1.
You cannot issue the no context command to delete the current admin context. You can delete the current
admin context only if you delete all of the configured security contexts on the ASA. You can issue the clear
configure context command from the system context to remove all security contexts from the system
configuration of an ASA. You can issue the show context command to determine the name of the current
admin context and to display a list of the security contexts currently configured on an ASA. Sample output
from the show context command is shown below:

The current admin context can be identified by the * character to the left of the context name in the output of
the show context command.
You can delete a security context from the active unit in a failover configuration. When you issue the no
context command on the active unit of a failover pair, the security context will also be deleted from the
standby unit after the configuration synchronization is complete. Cisco warns that the synchronization
process can take a few seconds to complete and that any error messages related to the deleted context are
likely due to synchronization delay and should therefore be ignored.
Reference:
Cisco: Managing Multiple Context Mode: Removing a Security Context

QUESTION 249
Which of the following commands can be used to determine the SPI that a router will use to reach an active
IPSec peer? (Select the best answer.)

A. show crypto ipsec sa


B. show crypto session
C. show crypto isakmp sa active
D. show crypto ipsec security-association

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The show crypto ipsec sa command can be used to determine the Security Parameter Index (SPI) that a
router will use to reach an active IP Security (IPSec) peer. Each IPSec security association (SA) is uniquely
identified by its corresponding IPSec peer address, security protocol, and SPI. Because IPSec SAs are
unidirectional, two SAs are required between active IPSec peers: an inbound SA and an outbound SA. The
SPI associated with the outbound SA is generated by the local peer during phase 2 of the Internet Key
Exchange (IKE) negotiation process and is used by the remote peer as the inbound SPI associated with this
SA. Likewise, the SPI associated with the inbound SA on the local peer corresponds to the outbound SPI
that was generated by the remote peer during its portion of phase 2 negotiations.
The show crypto ipsec sa command displays detailed information about IPSec SAs, including the IP
addresses of the crypto endpoints (IPSec peers), the number of packets encrypted and decrypted, the
security protocol, and the corresponding SPIs. For example, the following partial command output shows
the SPIs associated with the SAs between the local peer, 10.10.10.2, and the remote peer 10.20.20.2 on
interface FastEthernet 0/0:
The show crypto session command displays a summary of all current IKE SAs and their corresponding
IPSec SAs; however, the command does not display the SPI that a router will use to reach an active IPSec
peer. Sample output from the show crypto session command is shown below:

The show crypto isakmp sa active command displays active IKE SAs, not configuration and operational
details of an IPSec connection. SA information is displayed in a summarized format, as shown below:
dst src state connid slot status
10.20.20.2 10.10.10.2 QM_IDLE 1 0 ACTIVE
For each SA, the dst field displays the IP address of the remote IKE peer, whereas the src field reveals the
IP address of a local interface. An active IKE SA is typically in the QM_IDLE state, as indicated by the state
field. The state field indicates the IKE negotiation state of an SA. An SA in the QM_IDLE state indicates that
phase 1 negotiations have completed and that the SA is ready for quick mode negotiation of an IPSec SA.
Because multiple SAs can exist between a particular source and destination, each SA is assigned a unique
connection ID, as shown in the connid field. You should issue the show crypto isakmp sa command without
the active keyword to display all current IKE SAs.
The show crypto ipsec security-association command (in full, show crypto ipsec security-association lifetime)
displays the globally configured SA lifetime values, not the SPIs of an existing IPSec SA. You can issue the
crypto ipsec security-association lifetime seconds seconds command from
global configuration mode to configure the SA lifetime. The command output below displays a default SA
lifetime configuration:
Security association lifetime: 4608000 kilobytes/3600 seconds
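Because the exhibit with the show crypto ipsec sa output is not reproduced on this page, the following added Python example (not part of the original question set) constructs two abbreviated show crypto ipsec sa outputs, one from each peer, parses the SPIs out of them, and cross-checks the pairing described above: each router's outbound SPI must appear as the other router's inbound SPI. The output text, the crypto map name VPNMAP and the peer addresses are constructed for the example; the field layout follows IOS.

```python
"""Parse `show crypto ipsec sa` output and cross-check SPIs between two peers."""
import re

# Constructed, abbreviated IOS output as seen on the local peer 10.10.10.2 (not from the page)
R1_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 10.10.10.2
   current_peer 10.20.20.2 port 500
     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
     current outbound spi: 0xC3E4A92B(3286542635)
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xC3E4A92B(3286542635)
        Status: ACTIVE
"""

# The same tunnel seen from the remote peer: its inbound SPI is our outbound SPI and vice versa
R2_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 10.20.20.2
   current_peer 10.10.10.2 port 500
     local crypto endpt.: 10.20.20.2, remote crypto endpt.: 10.10.10.2
     current outbound spi: 0x1A2B3C4D(439041101)
     inbound esp sas:
      spi: 0xC3E4A92B(3286542635)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        Status: ACTIVE
"""

ENDPT_RE = re.compile(r"local crypto endpt\.:\s*(\S+),\s*remote crypto endpt\.:\s*(\S+)")
CUR_OUT_RE = re.compile(r"current outbound spi:\s*0x([0-9A-Fa-f]+)\((\d+)\)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound)\s+(esp|ah|pcp)\s+sas:")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)\((\d+)\)")


def parse_ipsec_sa(text):
    """Return one record per peer: endpoints, current outbound SPI and the SPIs
    listed under each direction/protocol section (as integers)."""
    records, rec, section = [], None, None
    for line in text.splitlines():
        m = ENDPT_RE.search(line)
        if m:   # a new peer block starts at the endpoint line
            rec = {"local": m.group(1), "remote": m.group(2), "current_outbound_spi": None,
                   "inbound": {}, "outbound": {}, "bad_lines": []}
            records.append(rec)
            section = None
            continue
        if rec is None:
            continue
        m = CUR_OUT_RE.search(line)
        if m:
            rec["current_outbound_spi"] = int(m.group(1), 16)
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1), m.group(2))
            continue
        m = SPI_RE.match(line)
        if m and section:
            spi_hex, spi_dec = int(m.group(1), 16), int(m.group(2))
            if spi_hex != spi_dec:   # IOS prints hex(decimal); disagreement means garbled output
                rec["bad_lines"].append(line.strip())
            rec[section[0]].setdefault(section[1], []).append(spi_hex)
    return records


def outbound_spi(records, peer):
    """The SPI this router places in ESP packets sent to `peer` (what the question asks for)."""
    for rec in records:
        if rec["remote"] == peer:
            return rec["current_outbound_spi"]
    return None


def check_pairing(local_records, remote_records):
    """SAs are unidirectional: local outbound SPIs must equal the remote peer's inbound
    SPIs and vice versa. Returns a list of problems; an empty list means consistent."""
    problems = []
    for lrec in local_records:
        rrec = next((r for r in remote_records
                     if r["local"] == lrec["remote"] and r["remote"] == lrec["local"]), None)
        if rrec is None:
            problems.append(f"{lrec['remote']} has no SA back to {lrec['local']}")
            continue
        for proto in set(lrec["outbound"]) | set(rrec["inbound"]):
            if sorted(lrec["outbound"].get(proto, [])) != sorted(rrec["inbound"].get(proto, [])):
                problems.append(f"{proto}: {lrec['local']} outbound != {rrec['local']} inbound")
        for proto in set(lrec["inbound"]) | set(rrec["outbound"]):
            if sorted(lrec["inbound"].get(proto, [])) != sorted(rrec["outbound"].get(proto, [])):
                problems.append(f"{proto}: {lrec['local']} inbound != {rrec['local']} outbound")
    return problems


if __name__ == "__main__":
    r1, r2 = parse_ipsec_sa(R1_OUTPUT), parse_ipsec_sa(R2_OUTPUT)
    print(f"R1 -> 10.20.20.2 uses outbound SPI 0x{outbound_spi(r1, '10.20.20.2'):08X}")
    print("pairing problems:", check_pairing(r1, r2) or "none")
```

A mismatch reported by check_pairing usually means one side has rekeyed and the other still holds the old SA, which is the first thing to look for when one direction of a tunnel stops passing traffic.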

Reference:
Cisco: Cisco IOS Security Command Reference: show crypto ipsec sa

QUESTION 250
Which of the following can be installed on a host to analyze and prevent malicious traffic on that host?
(Select the best answer.)

A. a HIDS
B. a HIPS
C. a NIPS
D. a NIDS

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Host-based Intrusion Prevention System (HIPS) can be installed on a host to analyze and prevent
malicious traffic on that host. An Intrusion Prevention System (IPS) can be used to actively monitor,
analyze, and block malicious traffic before it infects devices. Typically, an IPS is configured to block only
traffic that has been definitively marked as malicious. Traffic that is suspect but has not been confirmed as
malicious is referred to as gray area traffic and is not discarded by an IPS.
HIPS software can be installed on a host computer in conjunction with a host-based firewall to protect the
computer and the data it holds against malicious traffic. Because HIPS software is installed on a host
computer, it can directly access the host operating system (OS) as well as encrypted traffic on the host. By
contrast, a Network-based IPS (NIPS) device is a standalone platform that can be installed in conjunction
with network-based firewalls to monitor and prevent malicious traffic from being sent to any device on the
network.
An Intrusion Detection System (IDS) is similar to an IPS, but IDS devices do not sit inline with traffic. Thus
IDS devices are primarily used for monitoring traffic and hosts rather than actively preventing attacks. If
malicious activity is discovered, an IDS device can send an alert to a management station. However,
because the IDS does not sit inline with traffic, the traffic will have already affected the network or host by
the time the alert is sent. A Host-based IDS (HIDS) can be used to monitor activity on a single host; a HIDS
can monitor traffic being sent to and from a host and can monitor OS files for suspicious changes. By
contrast, a Network-based IDS (NIDS) can be used to monitor all network traffic.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 19, Personal Firewalls and Host Intrusion Prevention
Systems, pp. 498-499
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 251
Which of the following is an open framework used to guide an organization in making software security
decisions that are in alignment with the organization’s risk profile? (Select the best answer.)

A. SAMM
B. ZAP
C. WTE
D. OWTF

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Software Assurance Maturity Model (SAMM) is an open framework used to guide an organization in
making software security decisions that are in alignment with the organization’s risk profile. The SAMM is
published by the Open Web Application Security Project (OWASP), which is a multinational, not-for-profit
organization that provides frameworks, documentation, tools, and community forums with a focus on
application security. Like all OWASP documentation, the SAMM is licensed under the Creative Commons
Attribution-ShareAlike 3.0 License, which is a common Free/Libre and Open Source Software (FLOSS)
license that allows redistribution and modification of the original content with the appropriate attribution and
the requirement to distribute the derivative work under the same license as the original.
The Offensive Web Testing Framework (OWTF), Zed Attack Proxy (ZAP), and Web Testing Environment
(WTE) are not open frameworks used to guide an organization in making software security decisions that
are in alignment with the organization’s risk profile. OWTF is a penetration testing tool designed to
automate some of the lower level and tedious parts of the penetration testing process. Its aim is to provide
the penetration tester with more time to analyze and investigate complex vulnerabilities. ZAP is an
integrated penetration testing tool for web applications. It provides automated scanning tools and a suite of
tools that can be used to manually probe for vulnerabilities. WTE is a consolidated testing environment that
can be distributed as a virtual machine, a bootable image, or as individual Linux packages. WTE aims to
provide a sandbox in which testers, developers, and trainers can interact with security tools provided by
OWASP and other FLOSS developers. WTE is based on the OWASP Live CD Project.
Reference:
OpenSAMM: Software Assurance Maturity Model
OWASP: Category: Software Assurance Maturity Model

QUESTION 252
Which of the following attacks involves overwhelming a switch's CAM table? (Select the best answer.)

A. ARP poisoning
B. ARP spoofing
C. MAC flooding
D. MAC spoofing

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Media Access Control (MAC) flooding attack involves overwhelming a switch's content addressable
memory (CAM) table. Switches and bridges store learned MAC addresses in the CAM table, which is also
known as the MAC address table. When the CAM table becomes full, no more MAC addresses can be
learned. If a switch receives traffic destined for a MAC address that is not in its MAC address table, the
switch floods the traffic out every port except the port that originated the traffic. Consequently, in a MAC
flooding attack, an attacker attempts to fill the CAM table so that any further traffic will be sent to all ports.
Then, because traffic is flooded out every interface, the attacker can view any traffic that is sent to the
switch.
A MAC spoofing attack involves using the MAC address of a legitimate host on the network in order to
bypass port security measures, not overwhelming a switch’s CAM table. Normally, the MAC address
associated with a host corresponds to the unique, burned-in address (BIA) of its network interface. However,
in a MAC spoofing attack, a malicious user virtually modifies the BIA to match the MAC address of the
legitimate host on the network. Mimicking the MAC address of a known host can be used to overcome
simple security measures such as Layer 2 access control lists (ACLs).
An Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack,
involves sending gratuitous ARP (GARP) messages to a target host. The GARP messages associate the
attacker's MAC address with the IP address of a valid host on the network. Subsequently, traffic sent to the
valid host address will go to the attacker's computer rather than to the intended recipient.
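The mechanism described above, and the port-security countermeasure that defeats it, can be seen in a toy learning-switch model. This is an added Python example, not code from the original page: the switch class, the 8-entry CAM capacity, the host and bogus MAC addresses and the port numbering are all constructed for the illustration; the max_macs_per_port check stands in for switchport port-security maximum with violation mode shutdown.

```python
"""Toy learning switch: CAM exhaustion by MAC flooding, and port security as the countermeasure."""


class Switch:
    """Minimal model of a switch CAM table. `max_macs_per_port` models the
    'switchport port-security maximum N' check with violation mode shutdown."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs_per_port
        self.cam = {}              # MAC -> port
        self.errdisabled = set()   # ports shut by a port-security violation

    def age_out(self):
        """CAM entries expire (300 s by default on Catalyst); the attacker relies on this."""
        self.cam.clear()

    def _learn(self, src, port):
        if src in self.cam:
            self.cam[src] = port
            return True
        if self.max_macs is not None:
            if sum(1 for p in self.cam.values() if p == port) >= self.max_macs:
                self.errdisabled.add(port)   # violation: shut the offending port
                return False
        if len(self.cam) < self.cam_capacity:  # a full table learns nothing more
            self.cam[src] = port
        return True

    def forward(self, src, dst, in_port):
        """Return the list of ports a frame is sent out of."""
        if in_port in self.errdisabled or not self._learn(src, in_port):
            return []
        if dst in self.cam:
            return [self.cam[dst]]
        # unknown destination: flood out every other active port
        return [p for p in self.ports if p != in_port and p not in self.errdisabled]


def bogus_mac(i):
    """Locally administered MAC addresses sprayed by the attacker (constructed)."""
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)


def run_attack(port_security):
    """Victims A (port 1) and B (port 2), attacker on port 3. Returns the ports A's
    unicast to B leaves on before and after the attack, the err-disabled ports,
    and the number of CAM entries."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=8,
                max_macs_per_port=2 if port_security else None)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.forward(host_b, host_a, in_port=2)          # B is learned on port 2
    before = sw.forward(host_a, host_b, in_port=1)  # plain unicast: attacker sees nothing
    sw.age_out()
    for i in range(20):                             # macof-style spray of bogus source MACs
        sw.forward(bogus_mac(i), "ff:ff:ff:ff:ff:ff", in_port=3)
    sw.forward(host_b, host_a, in_port=2)          # B tries to be re-learned
    after = sw.forward(host_a, host_b, in_port=1)
    return before, after, sorted(sw.errdisabled), len(sw.cam)


if __name__ == "__main__":
    print("no port security:   ", run_attack(False))
    print("port-security max 2:", run_attack(True))
```

Without port security the CAM fills with the attacker's addresses, the legitimate host cannot be re-learned after its entry ages out, and the unicast to it is flooded out port 3 as well. With a per-port maximum of two addresses, the third bogus address err-disables port 3 before the table fills and the unicast stays on port 2.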
Reference:
Cisco: Layer 2 Security Features on Cisco Catalyst Layer 3 Fixed Configuration Switches Configuration
Example: Background Information

QUESTION 253
Which of the following statements are true regarding a ZFW? (Select 2 choices.)

A. A zone can contain more than one interface.


B. An interface can reside in more than one zone.
C. The firewall can operate in transparent mode.
D. Stateful packet inspection is supported for multicast traffic.
E. Stateful packet inspection is supported for IPv6 traffic.

Correct Answer: AC
Section: (none)
Explanation

Explanation/Reference:
Explanation:
With a zone-based policy firewall (ZFW), a zone can contain more than one interface and the firewall can
operate in transparent mode. ZFW is the latest iteration of Cisco’s stateful firewall implementation, which
was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified
and then interfaces are assigned to the appropriate zone. A zone may contain more than one interface;
however, an interface may not be assigned to more than one zone.
By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same
zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is
implicitly blocked by default when the interface is assigned to a zone, but there are a few exceptions. Traffic
to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself.
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly
permit traffic between zones. Inspection rules can be created for a large number of traffic types, including
the following:
Domain Name System (DNS)
Internet Control Message Protocol (ICMP)
Network Basic Input/Output System (NetBIOS)
Sun Remote Procedure Call (RPC)
However, stateful inspection of IP version 6 (IPv6) traffic and multicast traffic, such as Internet Group
Management Protocol (IGMP), is not supported by a ZFW and must be handled by other security features,
such as Control Plane Policing (CoPP).
A ZFW can operate in transparent mode or in routed mode. In transparent mode, a ZFW operates as a
Layer 2 firewall, bridging traffic between interfaces and filtering traffic at Layer 3 through Layer 7. The
trusted and untrusted interfaces of the firewall are connected to the same IP subnet, and the firewall bridges
traffic between the interfaces. By contrast, a ZFW in routed mode operates as a Layer 3 firewall, routing
traffic between interfaces and filtering traffic at Layer 3 through Layer 7. The trusted and untrusted
interfaces of the firewall are on different IP subnets, and the firewall routes traffic between the interfaces.
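The default rules described above (intra-zone permitted, inter-zone blocked until a zone pair with a policy exists, zoned-to-unzoned always blocked, the router's own self zone permitted by default) are easy to get wrong when reading a configuration. The following added Python model, not code from the page or from Cisco, encodes those rules so they can be checked against a constructed topology; it is stateless, so the return traffic of inspected sessions is not modelled, and the interface names, zone names and protocol labels are assumptions for the illustration.

```python
"""Model of ZFW default behaviour: zones, zone pairs and the implicit rules between them."""


class ZoneFirewall:
    """Stateless model of how a Cisco ZFW decides whether a flow between two
    interfaces is permitted. The router itself is the pseudo-interface 'self'."""

    def __init__(self):
        self.iface_zone = {}   # interface -> zone (an interface may be in one zone only)
        self.pairs = {}        # (src_zone, dst_zone) -> ordered [(protocol, action)]

    def add_interface(self, iface, zone):
        if iface in self.iface_zone:
            raise ValueError(f"{iface} is already a member of zone {self.iface_zone[iface]}")
        self.iface_zone[iface] = zone

    def zone_pair(self, src_zone, dst_zone, rules):
        """rules is the class-map order of the service policy, e.g. [('http', 'inspect')].
        Anything not matched falls into class-default, which drops."""
        self.pairs[(src_zone, dst_zone)] = list(rules)

    def _zone_of(self, iface):
        return "self" if iface == "self" else self.iface_zone.get(iface)

    def decide(self, in_iface, out_iface, protocol):
        """True if a flow of `protocol` from in_iface to out_iface is permitted."""
        src, dst = self._zone_of(in_iface), self._zone_of(out_iface)
        if src is None and dst is None:
            return True          # neither interface is zoned: ZFW does not apply
        if src is None or dst is None:
            return False         # zoned <-> unzoned is always blocked
        if src == dst:
            return True          # intra-zone traffic is permitted
        rules = self.pairs.get((src, dst))
        if rules is None:
            # no zone pair: inter-zone traffic drops, but traffic to/from the router is allowed
            return "self" in (src, dst)
        for proto, action in rules:
            if proto == protocol:
                return action in ("inspect", "pass")
        return False             # class-default: drop


def build_example():
    """Constructed topology: two inside interfaces, one outside interface, one zone pair."""
    fw = ZoneFirewall()
    fw.add_interface("GigabitEthernet0/0", "inside")
    fw.add_interface("GigabitEthernet0/1", "inside")
    fw.add_interface("GigabitEthernet0/2", "outside")
    fw.zone_pair("inside", "outside",
                 [("dns", "inspect"), ("http", "inspect"), ("telnet", "drop")])
    return fw


if __name__ == "__main__":
    fw = build_example()
    for flow in (("GigabitEthernet0/0", "GigabitEthernet0/1", "smb"),
                 ("GigabitEthernet0/0", "GigabitEthernet0/2", "http"),
                 ("GigabitEthernet0/2", "GigabitEthernet0/0", "http"),
                 ("GigabitEthernet0/0", "GigabitEthernet0/3", "http"),
                 ("GigabitEthernet0/2", "self", "ssh")):
        print(flow, "->", "permit" if fw.decide(*flow) else "drop")
```

Note the asymmetry: the inside-to-outside pair permits HTTP, but with no outside-to-inside pair the reverse direction drops; in a real ZFW, inspect creates the session state that lets the replies through, while pass does not.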
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Designing Zone-Based Policy Network
Security
Cisco: Zone-Based Policy Firewall Design and Application Guide: Stateful Inspection Transparent Firewall

QUESTION 254
Which of the following is true regarding loop guard? (Select the best answer.)

A. Loop guard should be used in conjunction with root guard.


B. Loop guard should be used in conjunction with PortFast.
C. Loop guard places inconsistent ports into the blocking state.
D. Loop guard is used to disable ports that receive BPDUs.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Loop guard places inconsistent ports into the blocking state. Loop guard prevents a switch port from
transitioning to the forwarding state when it stops receiving bridge protocol data units (BPDUs); this
prevents switching loops from occurring. A port configured with loop guard that stops receiving BPDUs will
be put into the loop-inconsistent state, as shown in the following output:

%SPANTREE-4-LOOPGUARDBLOCK: No BPDUs were received on port 0/1 in vlan 4. Moved to loop-inconsistent state
After the port starts receiving BPDUs again, loop guard enables the port to transition through the normal
Spanning Tree Protocol (STP) states.
Loop guard should not be used in conjunction with root guard. Root guard is used to prevent newly
introduced switches from being elected the new root. This allows administrators to maintain control over
which switch is the root. When STP is used, the device with the lowest bridge priority is elected the root. If
an additional device is added to the network with a lower priority than the current root, it will send superior
BPDUs and be elected the new root. However, this could cause the network to reconfigure in unintended
ways. To prevent this, root guard can be applied. If root guard is enabled on a loop guard-enabled port, loop
guard will be automatically disabled.
Loop guard should not be used in conjunction with PortFast. PortFast reduces convergence time by
immediately placing edge ports into a forwarding state. PortFast is recommended for ports that connect to
end-user devices, such as desktop computers. In addition, PortFast cannot be used with loop guard. If
PortFast is enabled on a loop guard-enabled port, loop guard will be automatically disabled.
Loop guard is not used to disable ports that receive BPDUs. Instead, BPDU guard is used to disable ports
that erroneously receive BPDUs. BPDU guard is applied to edge ports that have PortFast enabled. Because
PortFast automatically places ports into a forwarding state, a switch that has been connected to a
PortFast-enabled port could cause switching loops. However, when BPDU guard is applied, the receipt of a
BPDU on a port with BPDU guard enabled will result in the port being placed into an errdisable state, which
prevents loops from occurring.
Reference:
Cisco: Spanning-Tree Protocol Enhancements using Loop Guard and BPDU Skew Detection Features:
Feature Description
Category: Secure Routing and Switching

QUESTION 255
What is the minimum DH modulus size recommended by Cisco to provide acceptable security when DH
must be used instead of an NGE algorithm? (Select the best answer.)

A. 768 bits
B. 1,024 bits
C. 2,048 bits
D. 3,072 bits

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The minimum Diffie-Hellman (DH) modulus size recommended by Cisco to provide acceptable security
when DH must be used instead of a Next Generation Encryption (NGE) algorithm is 2,048 bits. NGE
algorithms are a collection of cryptographic technologies that are efficient, scalable, and expected to
provide reliable security for at least the next decade. Because of recent advances in computing power,
many cryptographic algorithms no longer provide adequate security. DH algorithms with a smaller modulus
size do not provide a level of security that is likely to meet the confidentiality requirements of the enterprise
over the next decade.
Increasing the modulus size used by an algorithm can provide a higher level of security; however, if the
algorithm is inherently inefficient, the increased modulus size can adversely affect the performance of the
device using the algorithm. For maximum security without using an NGE, Cisco recommends using DH with
a 3,072-bit modulus (DH-3072); however, because DH is not particularly efficient when configured with a
large modulus, Cisco considers a 2,048-bit modulus an acceptable compromise between security and
efficiency. Any modulus size less than 2,048 bits, such as 1,024 bits or 768 bits, is not considered to
provide an acceptable level of security.
Ideally, standard DH should be replaced with an NGE algorithm such as Elliptic Curve DH over a 384-bit
curve (ECDH-384) for improved security without a negative impact on performance or a loss of scalability.
Other examples of NGE algorithms are Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
and Secure Hash Algorithm 2 (SHA-2), which includes SHA with a 256-bit digest (SHA-256) and SHA with a
512-bit digest (SHA-512).
Reference:
Cisco: Next Generation Encryption: Recommendations for Cryptographic Algorithms

QUESTION 256
Which of the following is a QoS feature that can apply policies to individual control-plane subinterfaces?
(Select the best answer.)

A. CoPP
B. CPPr
C. MPP
D. uRPF

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Control Plane Protection (CPPr) is a Quality of Service (QoS) feature that can apply policies to individual
control-plane subinterfaces. Control plane traffic is traffic that is destined to the router and that requires CPU
intervention for processing. Because control plane traffic requires CPU intervention, it is possible to
overload the CPU with a surge of traffic. When the CPU is overloaded, the router might be unable to update
its routing information and transit traffic can be affected. With CPPr, traffic from the aggregate control plane
interface is classified into one of three control plane subinterfaces: host, transit, or Cisco Express
Forwarding (CEF) exception. QoS policies can then be applied to each of the subinterfaces individually.
Like CPPr, Control Plane Policing (CoPP) is a QoS feature that can be used to limit the type and amount of
traffic that reaches the control plane. However, CoPP policies are applied to the aggregate control plane
interface and not to the individual control plane subinterfaces.
Management Plane Protection (MPP) is a security feature that can specify one or more interfaces as
management interfaces, not a QoS feature that can apply policies to individual control plane subinterfaces.
A management interface is an interface that is permitted to receive management traffic, which is traffic from
a specific set of network protocols that is destined for the router. Once MPP is enabled, only specified types
of management traffic are permitted on their respective management interfaces. MPP simplifies the
configuration of management plane security policies because it reduces the number of configuration steps
required to restrict management access to the router. Without MPP, you would need to create the
appropriate access control lists (ACLs) and apply them in the inbound direction to every interface on the
router if you wanted to limit access to one or more interfaces and management protocols.
Unicast Reverse Path Forwarding (uRPF) is an antispoofing mechanism that verifies that the source
address of a packet is reachable from the interface on which the packet was received, not a QoS feature
that can apply policies to individual controlplane subinterfaces. If uRPF is used in conjunction with an ACL,
it can cause packets to become packetswitched. Packet switching requires CPU intervention and can
create a burden on the control plane.
Reference:
Cisco: Control Plane Protection: Control Plane Protection

QUESTION 257
Which of the following is an independent cryptographic processor that provides hardware-based
authentication services for PCs? (Select the best answer.)

A. TPM
B. TNC
C. MTM
D. TMI

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A Trusted Platform Module (TPM) is an independent cryptographic processor that provides hardware-based
authentication and full disk encryption services for personal computers (PCs). TPM uses an encrypted
memory module, which provides an additional security layer for properties such as passwords, digital
certificates, and encryption keys. Because the encryption keys are stored in the TPM module, any data
stored on an associated encrypted drive cannot be decrypted once the drive is removed from the original
device.
A Mobile Trusted Module (MTM) is the TPM equivalent for mobile phones. With an integrated MTM, a
mobile phone can have a hardware-based root of trust. A hardware-based root of trust ensures the integrity
of the mobile phone, including any stored keys or certificates, and can facilitate secure transactions, such
as enterprise access or online banking.
Trusted Network Connect (TNC) is a vendor-neutral standard to enforce endpoint integrity and network
access policies. TNC can be implemented in the device that an endpoint uses for network access or within
the existing network infrastructure. TNC is intended to support interoperability between a variety of vendors
of endpoints and network infrastructure devices.
Trusted Multi-Tenant Infrastructure (TMI) is an open framework that defines reference models for trusted
cloud or shared infrastructures. Because of the recent rise in cloud-based computing, the Trusted
Computing Group (TCG) has published the TMI framework as a first step toward implementing trust-based
models in shared, multi-provider infrastructures.
Reference:
Trusted Computing Group: Trusted Platform Module (TPM) Summary

QUESTION 258
Which of the following statements is true regarding the SA lifetime specified in a matching IKE policy?
(Select the best answer.)

A. The value specified by the remote peer must be equal to the value specified by the local peer.
B. The value specified by the remote peer must be less than or equal to the value specified by the local
peer.
C. The value specified by the remote peer must be greater than or equal to the value specified by the local
peer.
D. The value specified by the remote peer must be less than the value specified by the local peer.
E. The value specified by the remote peer must be greater than the value specified by the local peer.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
In an Internet Key Exchange (IKE) policy, the security association (SA) lifetime specified by the remote peer
must be less than or equal to the value specified by the local peer. Virtual private network (VPN) peers
establish a connection through a series of negotiations and authentications. Initially, the VPN peers
negotiate an IKE SA and establish a tunnel for key management and authentication. This initial phase is
referred to as IKE phase 1. The key management tunnel is used to protect the subsequent negotiation of IP
Security (IPSec) SAs. This secondary negotiation phase is referred to as IKE phase 2.
Each VPN peer defines a collection of security parameters in an IKE policy. These parameters are used to
negotiate the creation of the key management tunnel in IKE phase 1. There are six required parameters in
an IKE policy:
Policy priority - specifies the order in which policies are negotiated with a peer
Authentication method - indicates whether a pre-shared key or an RSA digital certificate is used to verify
the identity of an IKE peer
Encryption algorithm - indicates the data protection method used to secure IKE traffic
Hash-based Message Authentication Code (HMAC) algorithm - indicates the data integrity method
used to verify the integrity of IKE traffic
Diffie-Hellman (DH) group - specifies how keying material is generated between IKE peers
Lifetime - specifies the length of time that a key is considered valid; the default is 86,400 seconds, or 24
hours

If an IKE policy does not specify a parameter and its associated value, the VPN peer will use the default
value by default. For example, the default IKE policy settings for a Cisco Adaptive Security Appliance (ASA)
running software revision 8.4 or higher are shown below:
The default IKE policy settings are combined with the configuration parameters specified in the running
configuration. For example, because the following block of commands does not specify an HMAC
algorithm, the ASA would use the default value, which is SHA-1:

ASA(config)# crypto ikev1 policy 1
ASA(config-ikev1-policy)# authentication rsa-sig
ASA(config-ikev1-policy)# encryption aes-192
ASA(config-ikev1-policy)# group 1
ASA(config-ikev1-policy)# lifetime 14400

In order for VPN peers to successfully negotiate a key management tunnel during IKE phase 1, the peers
must agree on security parameters. For example, when ASA1 sends an IKE policy proposal to ASA2, the
IKE policy is compared with the IKE policies defined on ASA2. The proposed policy must be an exact match
to one of ASA2's locally defined policies; otherwise, it will be rejected. The one exception to this rule is the
value of the IKE lifetime parameter. An IKE lifetime is considered a match if the value is less than or equal
to the IKE lifetime defined in the local policy. If the IKE lifetime value is less than that of the local policy, the
peer will use the lesser of the two values. For example, when ASA1 initiates a connection to ASA2, ASA1
will only consider lifetime values from ASA2's policies as matching if they are less than or equal to 14,400
seconds.
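The matching rule just described can be written down as a small negotiation routine. The following is an added Python example, not code from the page or from Cisco: it models the responder walking its own policies in priority order and testing each proposal the initiator sent, with an exact match required on authentication, encryption, HMAC and DH group and the lifetime exception (proposed value must be less than or equal to the local value; the shorter one is used). The ASA1 policy is the one from the explanation with the hash left at its default; the ASA2 policies are constructed for the example.

```python
"""IKE phase 1 policy matching, including the lifetime exception described above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    priority: int            # lower number = higher priority
    authentication: str      # 'pre-share' or 'rsa-sig'
    encryption: str          # e.g. 'aes-192'
    group: int               # DH group
    hash: str = "sha"        # default HMAC per the text (SHA-1)
    lifetime: int = 86400    # default 24 h


def negotiate(initiator_policies, responder_policies):
    """Responder-side matching. Authentication, encryption, hash and DH group must
    match exactly; the proposed lifetime must be <= the responder's, and the shorter
    value is negotiated. Returns (responder_policy, lifetime) or None if nothing matches."""
    proposals = sorted(initiator_policies, key=lambda p: p.priority)
    for local in sorted(responder_policies, key=lambda p: p.priority):
        for prop in proposals:
            same = (local.authentication == prop.authentication
                    and local.encryption == prop.encryption
                    and local.hash == prop.hash
                    and local.group == prop.group)
            if same and prop.lifetime <= local.lifetime:
                return local, min(local.lifetime, prop.lifetime)
    return None


# ASA1's policy from the explanation (hash left at its default of SHA-1)
ASA1 = [IkePolicy(1, "rsa-sig", "aes-192", group=1, lifetime=14400)]
# Constructed ASA2 policies for the example; policy 20 keeps the default 86400 s lifetime
ASA2 = [IkePolicy(10, "pre-share", "aes-256", group=2),
        IkePolicy(20, "rsa-sig", "aes-192", group=1)]


if __name__ == "__main__":
    print("ASA1 initiates:", negotiate(ASA1, ASA2))   # matches policy 20, lifetime 14400
    print("ASA2 initiates:", negotiate(ASA2, ASA1))   # proposed 86400 > 14400: no match
```

The asymmetry in the second call is the practical point: a tunnel that comes up only when one side initiates is often a lifetime mismatch rather than a transform mismatch.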
Reference:
Cisco: Cisco IOS Security Command Reference: lifetime (IKE policy)

QUESTION 259
Implementing which of the following features provides a cloudbased subscription method of URL filtering
that can be used with Cisco's ZFW? (Select the best answer.)

A. Websense
B. Trend Micro TRPS
C. Secure Computing SmartFilter
D. blacklists and whitelists

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The Trend Micro Trend Router Provisioning Server (TRPS) provides a cloud-based subscription method of
Uniform Resource Locator (URL) filtering that can be used with Cisco's zone-based policy firewall (ZFW).
URL filtering inspects Hypertext Transfer Protocol (HTTP) requests and blocks access to websites that
match certain criteria. For example, URL filtering is commonly configured on perimeter routers to prevent
users from inadvertently accessing URLs that have been deemed inappropriate or identified as hosting
malware. Subscription-based URL filtering services assign websites to categories, which are used by
administrators to limit or block access to these sites. With a Trend Micro subscription, the Cisco firewall
sends URL queries to a TRPS located on the Internet. The TRPS will reply with category information for the
requested URL. The Cisco firewall will then allow or block the traffic based on the category.
Websense and Secure Computing SmartFilter provide a local server-based method of URL filtering that can
be used with Cisco's ZFW. The Cisco firewall sends URL queries to the Websense or SmartFilter server.
The server will reply with category information for the requested URL. The Cisco firewall will then allow or
block the traffic based on the category. The primary difference between a Websense or SmartFilter server
and a TRPS is that the Websense and SmartFilter servers are hosted on the local network; the TRPS is
located on the Internet.
Blacklists and whitelists are methods of URL filtering that can be used with Cisco's ZFW. However, they do
not require a subscription; these features are included in the Cisco IOS. A blacklist contains a list of
domains that you want to explicitly block, and a whitelist contains a list of domains that you want to explicitly
allow. You can also block traffic that contains certain keywords in the URL. Blacklists, whitelists, and URL
keyword filtering can be used in conjunction with a URL filtering subscription service.
Reference:
Cisco: Subscription-based Cisco IOS Content Filtering
Cisco: Cisco IOS Content Filtering Configuration Guide

QUESTION 260
Which of the following best describes how an IPS is similar to an IDS? (Select the best answer.)

A. They both sit in the path of network traffic.
B. Neither sits in the path of network traffic.
C. They both prevent malicious traffic from infiltrating the network.
D. They can both use signatures to detect malicious traffic.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) devices are similar in that they can
both use signatures to detect malicious traffic. Pattern-matching IDS and IPS devices use specific strings of
text called signatures to detect malicious traffic. The primary benefit of signature-based detection methods is
that the number of false positives generated is typically low. However, signature-based detection methods
do not provide adequate protection against new attacks. Although signatures can be added as new threats
are found, there is always a delay between the time a threat is released and the time a signature is
developed to detect the threat.
IPS devices typically sit inline in the path of network traffic; however, IDS devices typically do not. Because
traffic flows through an IPS, an IPS can detect malicious traffic as it enters the IPS device and can prevent
the malicious traffic from infiltrating the network. An IPS can work in conjunction with a network firewall;
however, Cisco recommends deploying an IPS on the inside interface of the firewall in order to prevent the
IPS from wasting resources by analyzing traffic that will ultimately be blocked by the firewall. This enables
the IPS to efficiently analyze the traffic that the firewall permits onto the network, rather than processing
every inbound packet.
By contrast, an IDS device merely sniffs the network traffic by using a promiscuous network interface.
Because network traffic does not flow through an IDS device, the IDS device can detect malicious traffic but
cannot prevent it from infiltrating the network. When an IDS detects malicious traffic, it can alert other
network devices in the traffic path so that further traffic can be blocked. In addition, an IDS can be
configured to send a Transmission Control Protocol (TCP) reset notification or an Internet Control Message
Protocol (ICMP) unreachable message to the source and destination addresses.
Protocol-behavior IDS and IPS devices use rules to detect protocol traffic that does not follow standard
methods of operation. The rules used by protocol-behavior devices are usually based on the Request for
Comments (RFC) documents that define each protocol. Although protocol-behavior devices can detect
nonstandard traffic, there is no way to know for sure whether the traffic is caused by a malicious user or by
a poorly coded application. Therefore, protocol-behavior devices have a higher rate of false positives.
Anomaly-detection IDS and IPS devices detect abnormalities in network traffic behavior. To enable
anomaly-detection devices to detect abnormalities in traffic, the devices must first take a baseline reading of
what normal network traffic patterns are like. Once the baseline is taken, an anomaly-detection device will
compare future traffic against the baseline to detect abnormal traffic flows. Anomaly-detection devices have
a higher false positive rate, but they are capable of detecting new attacks.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 17, Difference Between IPS and IDS, pp. 460-462
Cisco: Cisco IPS Mitigation Capabilities

QUESTION 261
Which of the following statements is true regarding traditional stateful packet-filtering firewalls? (Select the
best answer.)

A. They are more efficient than stateless packet-filtering firewalls.
B. They can operate at Layers 3, 4, 5, and 7 of the OSI model.
C. They prevent more types of attacks than Application layer firewalls do.
D. They can defend against DoS attacks.

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Stateful packet-filtering firewalls can defend against Denial of Service (DoS) attacks. Stateful packet-filtering
firewalls use a state table to track session information. Session information is maintained and tracked by
stateful packet-filtering firewalls in order to determine whether packets should be permitted or blocked. For
example, when monitoring Transmission Control Protocol (TCP) traffic, the stateful packet filter adds an
entry to the state table when a TCP session is permitted. Subsequent packets are verified against the state
table to ensure that the packets belong to an established connection. If a TCP packet does not belong to
an established connection, the packet is dropped. Thus, if an attacker attempts to send a flood of
packets to the network, the packets will be dropped if they do not match a connection in the table.
By contrast, a stateless packet-filtering firewall, which is also referred to as a static packet-filtering firewall,
evaluates and either blocks or allows individual packets based on the Layer 3 and Layer 4 information in the
packet header. Specifically, stateless packet-filtering firewalls can use the source and destination IP
addresses, source and destination port numbers, and protocol type listed in the packet header; these
values are commonly known as the 5-tuple. Because a stateless packet-filtering firewall allows all traffic from
an approved IP address, stateless packet-filtering firewalls are susceptible to IP spoofing attacks, which is a
type of attack wherein an attacker uses the source IP address of a trusted host to send messages to other
computers. In addition, because a stateless packet-filtering firewall does not maintain a table of active
connections, it is more efficient than a stateful packet-filtering firewall.
Traditional stateful packet-filtering firewalls can operate at Layers 3, 4, and 5 of the Open Systems
Interconnection (OSI) model but not at Layer 7. Application inspection firewalls, also known as application
proxies, can operate at Layer 7, the Application layer, as well as at Layers 3, 4, and 5. This enables
application inspection firewalls to prevent more types of attacks than traditional stateful packet-filtering
firewalls do. Because they can operate at the Application layer, application inspection firewalls can be used
to prevent application-specific traffic.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 14, Stateful Packet Filtering, pp. 363-364

QUESTION 262
You are analyzing recent intrusion events in FireSIGHT Defense Center and notice several events with blue
icons.
To which of the following vulnerability classifications do the blue icons correspond? (Select the best
answer.)

A. unknown target
B. vulnerable
C. potentially vulnerable
D. not vulnerable

Correct Answer: A
Section: (none)
Explanation

Explanation/Reference:
Explanation:
A blue icon is used in intrusion event records by Cisco FireSIGHT Defense Center to classify a vulnerability
as an unknown target. An unknown target classification indicates that either the source or target host is on a
monitored network but has no corresponding entry in the network map. FireSIGHT uses impact levels to
describe the potential severity of attacks. In the FireSIGHT system, managed devices, like Cisco
FirePOWER Intrusion Prevention Systems (IPSs), respond to an intrusion event by flagging the event with
an impact level and sending the event to the FireSIGHT Defense Center. The impact level is based on
accumulated intrusion data, network discovery data, and vulnerability information. The aggregated intrusion
event data typically contains contextual information about the event and includes a copy of the packet that
triggered the event.
The following table provides a summary of the FireSIGHT impact levels and their meaning:
Reference:
Cisco: Working with Intrusion Events: Using Impact Levels to Evaluate Events

QUESTION 263
Which of the following SNMP actions are used by an NMS to extract information from an SNMP agent?
(Select 2 choices.)

A. get
B. getNext
C. set
D. inform
E. trap

Correct Answer: AB
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The get and getNext actions are used by a network management station (NMS) to extract information from
a Simple Network Management Protocol (SNMP) agent. SNMP is a protocol that an NMS can use to
communicate with an agent in the same community. If the NMS and the agent do not share the same
community string, the NMS is not permitted to communicate with the agent. SNMP communities can be
configured to be either read-only or read-write. Read-only communities enable an NMS to retrieve
Management Information Base (MIB) data from a community, whereas read-write communities enable an
NMS to modify and retrieve MIB data. If the NMS is authorized to communicate with the agent of a read-only
community, the NMS can take any of the following actions:
get - request a particular item from the MIB
getNext - request the next sequential item from the MIB
getBulk - request several sequential items from the MIB
By contrast, if the NMS is authorized to communicate with the agent of a read-write community, the NMS
can take any of the following actions:
get - request a particular item from the MIB
getNext - request the next sequential item from the MIB
getBulk - request several sequential items from the MIB
set - modify an item in the MIB

The SNMP agent typically accumulates statistical data regarding the number and type of SNMP requests
and responses it has processed. For example, on Cisco routers, you can use the show snmp command to
display the accumulated SNMP statistics, as shown in the following sample output:
Chassis: 4279256517
1230 SNMP packets input
2 Bad SNMP version errors
5 Unknown community name
4 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
680 Getrequest PDU
479 Getnext PDUs
60 Setrequest PDUs
0 Input queue packet drops (Maximum queue size 1000)
1230 SNMP packets output
0 Too big errors (Maximum packet size 1500)
No such name errors
Bad values errors
0 General errors
762 Response PDUs
0 Trap PDUs
SNMP logging: disabled
The sample output indicates the number of get, getNext, and set requests that have been received by the
router as well as statistics on the number of various types of SNMP packets the router has sent in response
to NMS queries. For example, the Illegal operation for community name supplied field in the sample output
indicates that four SNMP packets requested an operation that was not allowed for the associated
community, such as a set request for a community that permits only get requests. In addition, the Unknown
community name field indicates that five SNMP packets were received with unknown community strings.
The trap and inform actions are not used by an NMS to extract information from an SNMP agent. Instead,
the trap and inform actions are used by an SNMP agent to alert an NMS when a particular threshold has
been exceeded:
trap - send to the NMS an alert that does not require an acknowledgment
inform - send to the NMS an alert that requires an acknowledgment
Although the inform action is more reliable than the trap action, the inform action can consume additional
resources. The inform action can be sent multiple times until the NMS acknowledges it. In addition, the
agent stores the data from the inform action in local memory until the NMS acknowledges the receipt of the
notification.
Reference:
Cisco: Configuring SNMP Support: SNMP Get
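A parser for the show snmp counters discussed above, as an added example (not Cisco code), with a check that flags the counters a defender would watch: unknown community strings, operations disallowed for the community, and bad SNMP versions. The sample text is constructed from the excerpt above; the counter names and thresholds are assumptions of this example.

```python
"""Parse 'show snmp' counter lines and flag ones that indicate probing of
the agent. Added example, not Cisco code; the sample is constructed from
the excerpt in the explanation, including its two lines that lost their
leading count, so the parser has to distinguish 'missing' from zero."""
import re

SAMPLE = """\
Chassis: 4279256517
1230 SNMP packets input
2 Bad SNMP version errors
5 Unknown community name
4 Illegal operation for community name supplied
0 Encoding errors
0 Number of requested variables
0 Number of altered variables
680 Getrequest PDU
479 Getnext PDUs
60 Setrequest PDUs
0 Input queue packet drops (Maximum queue size 1000)
1230 SNMP packets output
0 Too big errors (Maximum packet size 1500)
No such name errors
Bad values errors
0 General errors
762 Response PDUs
0 Trap PDUs
SNMP logging: disabled
"""

# A counter line is an integer followed by its description.
COUNTER = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_show_snmp(text):
    """Return {description: count}. Description-only lines (count missing
    from the capture) are stored as None; 'key: value' lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group(2)] = int(m.group(1))
        elif line.strip() and ":" not in line:
            counters[line.strip()] = None
    return counters


# Counters that each indicate an NMS, or something posing as one, talking to
# the agent with a wrong community string, a disallowed action, or a version
# the agent does not accept (assumed watch list for this example).
WATCH = {
    "Unknown community name": "requests carrying an unknown community string",
    "Illegal operation for community name supplied":
        "operations not permitted for the community, e.g. set on a read-only community",
    "Bad SNMP version errors": "requests using an unsupported SNMP version",
}


def findings(counters, threshold=0):
    """Return (counter, value, why) for every watched counter above threshold.
    Missing counters (None) are skipped rather than treated as zero."""
    out = []
    for key, why in WATCH.items():
        value = counters.get(key)
        if value is not None and value > threshold:
            out.append((key, value, why))
    return out


if __name__ == "__main__":
    c = parse_show_snmp(SAMPLE)
    for key, value, why in findings(c):
        print(f"{key}: {value} ({why})")
```

In practice the counters are cumulative, so compare two polls and alert on the delta rather than on the absolute value.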

QUESTION 264
Which of the following statements is true regarding stateful firewalls? (Select the best answer.)

A. Their primary purpose is to hide the source of a network connection.
B. They operate at the Application layer of the OSI model.
C. They allow traffic into a network only if a corresponding request was sent from inside the network.
D. They can block traffic that contains specific web content.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Stateful firewalls allow traffic into a network only if a corresponding request was sent from inside the
network. A stateful firewall makes filtering decisions based on previous packets that have been sent. It does
so by keeping track of the state of each session. When an outbound session is initiated, the stateful firewall
will create an entry in the firewall’s state table and dynamically allow the return traffic in the inbound
direction. Inbound traffic from other sources will be blocked unless there is a corresponding outbound
session listed in the state table. Stateful firewalls are more secure than packet filtering firewalls, which
make filtering decisions based on each packet individually without regard to session state.
The primary purpose of a stateful firewall is not to hide the source of a network connection. If you want to
hide the source of a network connection, you should use a proxy firewall or implement Network Address
Translation (NAT) or Port Address Translation (PAT). A proxy firewall terminates the connection with the
source device and initiates a new connection with the destination device, thereby hiding the true source of
the traffic. When the reply comes from the destination device, the proxy firewall forwards the reply to the
original source device. NAT is used to translate private addresses used on an internal network to public
addresses that are routable over the Internet. Because NAT performs address translation between private
and public addresses, NAT effectively hides the address scheme used by the internal network, which can
increase security. NAT also reduces the number of public IP addresses that a company needs to allow its
devices to access Internet resources, thereby conserving IP version 4 (IPv4) address space.
Stateful firewalls do not operate at the Application layer of the Open Systems Interconnection (OSI) model.
Both stateful firewalls and packet filtering firewalls operate at the Network layer and the Transport layer of
the OSI model. Stateful firewalls and packet filtering firewalls do not understand Application layer data, so
they cannot filter traffic based on that data. For example, a stateful firewall cannot block traffic that contains
specific web content, because the stateful firewall does not understand Hypertext Transfer Protocol (HTTP)
data.
Reference:
CCNA Security 210-260 Official Cert Guide, Chapter 14, Stateful Packet Filtering, pp. 363-364
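A toy model of the state table described in the explanations for questions 261 and 264, as an added example (not code from the guide): an outbound TCP session creates a 5-tuple entry, only the reversed 5-tuple is allowed back in, and a stateless filter is shown alongside to make the IP spoofing difference concrete. The addresses and ports are constructed.

```python
"""Stateful versus stateless packet filtering on constructed traffic.

Added example, not from the study guide. The state table holds the
5-tuple of every permitted outbound session; inbound packets are
permitted only when they are the return half of such a session.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out" = inside -> outside, "in" = outside -> inside


class StatefulFilter:
    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix   # e.g. "10.0.0." (constructed)
        self.state = set()                   # 5-tuples of tracked outbound sessions

    @staticmethod
    def _key(p):
        return (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)

    @staticmethod
    def _reverse_key(p):
        return (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)

    def process(self, p):
        """Return 'permit' or 'drop' for one packet, updating the state table."""
        if p.direction == "out":
            if not p.src_ip.startswith(self.inside_prefix):
                return "drop"    # an inside host must own the source address
            self.state.add(self._key(p))
            return "permit"
        # Inbound: must match a tracked session in reverse, otherwise dropped.
        if self._reverse_key(p) in self.state:
            return "permit"
        return "drop"


def stateless_permit(p, trusted_ips):
    """Static packet filter: decides on header fields alone, no session memory,
    so any packet claiming a trusted source address is let through."""
    return "permit" if p.src_ip in trusted_ips else "drop"


def demo():
    """Constructed traffic: one legitimate HTTPS session, one packet spoofing
    the trusted server's address, and 50 unsolicited inbound SYNs."""
    fw = StatefulFilter(inside_prefix="10.0.0.")
    trusted = {"203.0.113.10"}
    out = Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp", "out")
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp", "in")
    spoof = Packet("203.0.113.10", 443, "10.0.0.5", 40001, "tcp", "in")
    flood = [Packet(f"198.51.100.{i}", 1024 + i, "10.0.0.5", 80, "tcp", "in")
             for i in range(50)]
    return {
        "outbound": fw.process(out),
        "reply_stateful": fw.process(reply),
        "spoof_stateful": fw.process(spoof),          # no matching session
        "spoof_stateless": stateless_permit(spoof, trusted),
        "flood_dropped": sum(fw.process(p) == "drop" for p in flood),
    }


if __name__ == "__main__":
    print(demo())
```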

QUESTION 265
Which of the following statements is true regarding the autocommand keyword when used with the
username command on Cisco routers? (Select the best answer.)

A. The specified command cannot exceed 255 characters.
B. The autocommand keyword must be the username command's last argument.
C. The specified command cannot contain embedded spaces.
D. The user session is not terminated if the autocommand keyword fails to execute its specified command.

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
When the autocommand keyword is used with the username command on a Cisco router, it must be the
last command-line argument specified. The username command creates and configures entries in a router's
local authentication database. The username command requires a user name as its main argument; the
user name must be a single string of text without blank spaces or quotation marks. There are a number of
keywords that can be used with the username command to customize user characteristics, such as
passwords, privilege levels, and automatic commands. The autocommand keyword configures a command
that will execute immediately after a user successfully logs in to a Cisco router. The command specified by
the autocommand keyword can be of any length and can contain embedded spaces. Because the
command can be of any length, the autocommand keyword must be the username command’s last
argument. The username command can accept multiple arguments, such as the password and privilege
keywords, on a single command line. Alternatively, each keyword can be specified with the username
command on its own line. For example, the username boson password cisco privilege 15 autocommand
show process cpu history command is equivalent to the following block of commands:
RouterA(config)#username boson password cisco
RouterA(config)#username boson privilege 15
RouterA(config)#username boson autocommand show process cpu history

The sample command block configures a user name of boson with a password of cisco, configures a
privilege level of 15, and causes the EXEC shell to execute the show process cpu history command after
the user successfully logs in to the router. If the command is successful, the output will be displayed on the
user’s terminal and then the session will be automatically disconnected. However, if the command fails to
execute, only an error message will be displayed on the user’s terminal before the session is automatically
disconnected. Because the user session is disconnected by default after the output from the autocommand
keyword is displayed, you must use the nohangup keyword if you intend to change the default behavior and
leave the user session intact.
Reference:
Cisco: Role-Based CLI Access: username

QUESTION 266
Refer to the exhibit.

The network you administer consists of the devices shown in the exhibit. Each link is 100 megabits per
second (Mbps) and is connected to a FastEthernet port. Switch S1 is the root bridge. You enable root guard
on Fa0/0 on switch S2 and switch S3 by issuing the spanning-tree guard root command in interface
configuration mode on both switch ports. You also enable the UplinkFast feature on S2 and S3 by issuing
the spanning-tree uplinkfast command in global configuration mode on both switches.
Which of the following statements best describes what will occur if the link between S1 and S2 is broken?
(Select the best answer.)

A. Traffic will follow its normal path from Host2 to S1.
B. The Fa0/0 port on both switches will be put into the root-inconsistent (blocked) state.
C. Only Fa0/0 on S2 will be put into the root-inconsistent (blocked) state.
D. Only Fa0/0 on S3 will be put into the root-inconsistent (blocked) state.

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
If the link between S1 and S2 is broken, the Fa0/0 port on S2 will be placed into the root-inconsistent state.
When root guard is enabled on a port, it prevents that port from becoming a root port. Normally, a port that
receives a superior bridge protocol data unit (BPDU) will become the root port. However, if a port configured
with root guard receives a superior BPDU, the port transitions to the root-inconsistent state and the port will
be blocked until it stops receiving superior BPDUs. As a result, root guard can be used to influence the
placement of the root bridge on a network by preventing other switches from propagating superior BPDUs
throughout the network and becoming the root bridge.
When the root bridge detects the broken link, it will send out BPDUs to converge the network topology.
Since root guard was enabled on Fa0/0 on S2, the interface will be placed into the root-inconsistent state
when it receives superior BPDUs from Fa0/0 on S3. Thus root guard prevents Fa0/0 on S2 from being
selected as a root port. The port will remain in the root-inconsistent state until it stops receiving superior
BPDUs from Fa0/0 on S3.
Fa0/0 on S3 will not be placed into the root-inconsistent state, because it will not receive superior BPDUs
from S2. S3 will continue to receive superior BPDUs from S1.
Traffic would not follow its normal path from Host2 to the root bridge if the link between S1 and S2 were
broken. When the link between S1 and S2 is up, traffic from Host2 travels from S4 to S2 to S1. This is
based on the root path cost. The root path cost is an accumulation of path costs from bridge to bridge. A
Fast Ethernet link has a path cost of 19. There are two 100-Mbps hops on each path, so the root
path cost from S4 to S2 to S1 equals 38. The root path cost from S4 to S3 to S1 also equals 38. If the root
path cost is identical, the bridge ID (BID) is used to determine the path. In this scenario, S2 has a priority of
32768, as does S3. However, the Media Access Control (MAC) address for S2, 000000000002, is lower
than the MAC address for S3, 000000000003, making S2 the designated bridge. If the link between S1 and
S2 breaks, the path for traffic coming from Host2 will be rerouted from its normal path to the S4 to S3 to S1
path.
Reference:
Cisco: Spanning Tree Protocol Root Guard Enhancement
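The root path cost and bridge ID tie-break walked through above, as an added example (not code from the guide). The exhibit is not reproduced here, so the topology is an assumption consistent with the explanation: S1-S2, S1-S3, S2-S3, S2-S4 and S3-S4 links, all Fast Ethernet; S1's priority of 4096 is also assumed, and the MAC addresses are the placeholder values the explanation uses. Root guard itself is not modelled, only the path selection.

```python
"""Root path cost and BID tie-break for the S1..S4 topology.

Added example, not from the study guide. Topology and S1's priority
are assumptions; the per-link cost of 19 for Fast Ethernet and the
MAC addresses follow the explanation.
"""
import heapq

# 802.1D short path costs; the guide uses 19 for Fast Ethernet.
PATH_COST = {10: 100, 100: 19, 1000: 4}


def bridge_id(priority, mac):
    """BID compares as (priority, MAC); the lower tuple wins a tie."""
    return (priority, int(mac, 16))


def root_path_costs(links, root):
    """Dijkstra over switch-to-switch links: cost from every switch to root.
    links: iterable of (switch_a, switch_b, speed_mbps)."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PATH_COST[speed]))
        adj.setdefault(b, []).append((a, PATH_COST[speed]))
    dist = {root: 0}
    pq = [(0, root)]
    while pq:
        d, node = heapq.heappop(pq)
        if d > dist.get(node, float("inf")):
            continue
        for nxt, cost in adj.get(node, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(pq, (nd, nxt))
    return dist


def choose_root_port(switch, links, root, bids):
    """Return (upstream_neighbour, root_path_cost) for `switch`: lowest root
    path cost through a neighbour, then lowest neighbour BID on a tie (the
    tie-break the explanation describes; the port ID tie-break is omitted)."""
    dist = root_path_costs(links, root)
    candidates = []
    for a, b, speed in links:
        if switch in (a, b):
            nbr = b if a == switch else a
            if nbr in dist:   # neighbour still has a path to the root
                candidates.append((dist[nbr] + PATH_COST[speed], bids[nbr], nbr))
    candidates.sort()
    return candidates[0][2], candidates[0][0]


def demo():
    """Path from S4 (Host2's switch) before and after the S1-S2 link breaks."""
    bids = {
        "S1": bridge_id(4096, "000000000001"),    # assumed priority; S1 is root
        "S2": bridge_id(32768, "000000000002"),
        "S3": bridge_id(32768, "000000000003"),
        "S4": bridge_id(32768, "000000000004"),
    }
    links = [("S1", "S2", 100), ("S1", "S3", 100), ("S2", "S3", 100),
             ("S2", "S4", 100), ("S3", "S4", 100)]
    before = choose_root_port("S4", links, "S1", bids)
    broken = [l for l in links if {l[0], l[1]} != {"S1", "S2"}]
    after = choose_root_port("S4", broken, "S1", bids)
    return before, after


if __name__ == "__main__":
    print(demo())   # (('S2', 38), ('S3', 38))
```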

QUESTION 267
Which of the following is a Cisco AMP for Endpoints feature that can prevent specific programs from
running on managed endpoints? (Select the best answer.)

A. file reputation
B. device trajectory
C. file trajectory
D. outbreak control

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The outbreak control feature of Cisco Advanced Malware Protection (AMP) for Endpoints can prevent
specific programs from running on managed endpoints. AMP for Endpoints is a host-based malware
detection and prevention platform that runs on Microsoft Windows, Mac OS X, Linux, and Google Android.
Like many other anti-malware packages, AMP for Endpoints monitors network traffic and application
behavior to protect a host from malicious traffic. However, unlike many of its competitors, AMP for
Endpoints continues its analysis after a disposition has been assigned to a file or traffic flow. When malware
is detected, the outbreak control feature of AMP for Endpoints can use application blocking to ensure that a
compromised application does not spread the infection. Outbreak control provides for granular control over
which applications are blocked and can use whitelists to ensure that mission-critical software continues to
run even during an outbreak.
File reputation, file trajectory, and device trajectory are not AMP for Endpoints features that prevent specific
programs from running on managed endpoints. File reputation uses information collected from a global
network of security devices to analyze and detect malicious traffic. File trajectory tracks the spread of
suspicious files throughout the network, which can reduce the analysis time if a suspicious file is determined
to be malicious. Likewise, device trajectory tracks file and network activity on endpoints to reduce the
overall analysis time when malicious software is detected.
Reference:
Cisco: Cisco Advanced Malware Protection for Endpoints Data Sheet

QUESTION 268
You have been asked to use ASDM to change the global application inspection settings on an ASA at the
edge of your network.
Which of the following panes in the firewall configuration navigation tree can you use to achieve this task?
(Select the best answer.)

A. Access Rules
B. Service Policy Rules
C. Filter Rules
D. Advanced

Correct Answer: B
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can use the Service Policy Rules pane in the firewall configuration navigation tree of Cisco Adaptive
Security Device Manager (ASDM) to change the global application inspection settings on a Cisco Adaptive
Security Appliance (ASA) at the edge of your network. Application inspection is one of the actions that can
be applied to traffic with a policy map. Services that embed IP addresses in the packet or that utilize
dynamically assigned ports for secondary channels require deep packet inspection, which is provided by
Application layer protocol inspection. Some traffic, such as Internet Control Message Protocol (ICMP)
traffic, might be dropped if inspection for that protocol is not enabled. You can use ASDM to make changes
to the global policy by navigating to the Service Policy Rules pane, highlighting the inspection policy, and
clicking Edit, as shown in the following exhibit:

From the Edit Service Policy Rule dialog box, click the Rule Actions tab, where you will find the protocol
inspection configurations for the global policy. For example, you could select the check box next to the
ICMP field in the following exhibit to enable the ASA to inspect ICMP traffic so that ICMP replies from valid
ICMP requests are not inadvertently dropped:
The Access Rules pane in ASDM cannot be used to change the global application inspection settings on an
ASA at the edge of your network. The Access Rules pane is used to configure security policies related to
controlling access to your network. All inbound traffic must pass through the firewall; by default, no traffic
can pass unless an access rule is configured to permit it. The Access Rules pane is shown in the following
exhibit:

The Filter Rules pane in ASDM cannot be used to change the global application inspection settings on an
ASA at the edge of your network. The Filter Rules pane is used to configure Uniform Resource Locator
(URL) filtering, which prevents inappropriate Internet usage on a secure network. Typically, URL filtering is
not handled directly by the ASA but by some other server that must be enabled via the URL Filtering
Servers pane before you can add filter rules. When a user makes a request for content from an outside
address, the ASA sends a message to the filtering server; if the response from the filtering server indicates
that there is no filter prohibiting access to that URL, the ASA will allow the requested content. The Filter
Rules pane is shown in the following exhibit:

The Advanced pane in ASDM cannot be used to change the global application inspection settings on an
ASA at the edge of your network. From the Advanced pane, you are able to configure several advanced
firewall protection features, such as encrypted traffic inspection, IP audit, and fragment size. The Advanced
pane is shown in the following exhibit:

Reference:
Cisco: Configuring Application Layer Protocol Inspection: Configuring Application Inspection

QUESTION 269
Which of the following configuration parameters is not displayed on the Connection Profiles pane for
clientless SSL VPN connections in ASDM? (Select the best answer.)

A. the authentication method to use
B. the login page settings to use
C. the interfaces to use
D. the tunneling protocols to use

Correct Answer: D
Section: (none)
Explanation

Explanation/Reference:
Explanation:
The tunneling protocols to use are not displayed on the Connection Profiles pane for clientless Secure
Sockets Layer (SSL) virtual private network (VPN) connections in Cisco Adaptive Security Device Manager
(ASDM). The Connection Profiles pane displays a quick summary of information related to the connection
profiles that have previously been configured. This pane also enables you to configure additional connection
profiles. The type of information displayed on the Connection Profiles pane includes the interfaces on the
Cisco Adaptive Security Appliance (ASA) that are enabled for VPN access, the login page settings, a list of
connection profiles that have been configured, the alias associated with the connection profiles, the
authentication method to use for connections made using the connection profiles, and the interfaces to use
for connections made using the connection profiles. An example of the Connection Profiles pane is shown
in the following exhibit:

The Group Policies pane for clientless SSL VPN connections in ASDM displays a quick summary of
information relating to the group policies that are configured on the ASA. The type of information that is
displayed on this pane includes the tunneling protocols that are enabled for each group policy, the type of
each group policy, and the Authentication, Authorization, and Accounting (AAA) server group that is to be
used by each group policy. An example of the Group Policies pane is shown in the following exhibit:
Reference:
Cisco: Configuring Clientless SSL VPN: Configuring Clientless SSL VPN Access

QUESTION 270
You are configuring a group policy for Cisco AnyConnect VPN connections. You have accessed the Add
Internal Group Policy dialog box for the group policy.
On what pane will you be able to configure a VLAN restriction? (Select the best answer.)

A. the Customization pane
B. the Servers pane
C. the General pane
D. the SSL VPN Client pane

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
You can configure a virtual LAN (VLAN) restriction in a group policy for Cisco AnyConnect virtual private
network (VPN) clients on the General pane of the Add Internal Group Policy dialog box for the group policy.
You can configure a VLAN restriction so that all VPN traffic that is generated by using the associated group
policy is sent to the specified VLAN. By configuring a VLAN restriction, you can control the VPN traffic.
To configure a VLAN restriction in Cisco Adaptive Security Device Manager (ASDM) for a group policy that
will be used for Cisco AnyConnect clients, you should click Configuration, click the Remote Access VPN
button, expand Network (Client) Access, click Group Policies, and click the Add button to create a new
group policy, or you should select the group policy to modify and click the Edit button to edit an existing
group policy. Depending on whether you click the Add button or the Edit button, the Add Internal Group
Policy dialog box or the Edit Internal Group Policy dialog box will open. The General pane of these dialog
boxes contains a list of general configuration options, including the banner to display to users, the IP
address pool to use, the tunneling protocols to use, and the VLAN to which VPN traffic should be restricted.
The following exhibit displays an example configuration in which VPN connections made by using the
boson_grp group policy will be restricted to VLAN 10:

You cannot configure a VLAN restriction on the Customization pane of the Add Internal Group Policy dialog
box for a group policy for Cisco AnyConnect VPN clients. On this pane, you can configure the customization
object to apply to the VPN connection, the home page Uniform Resource Locator (URL), and a custom
access denied message to display to users.
You cannot configure a VLAN restriction on the Servers pane of the Add Internal Group Policy dialog box
for a group policy for Cisco AnyConnect VPN clients. On this pane, you can configure the Domain Name
System (DNS) servers to use for the connection and the Windows Internet Name Service (WINS) servers
to use for the connection.
You cannot configure a VLAN restriction on the SSL VPN Client pane of the Add Internal Group Policy
dialog box for a group policy for Cisco AnyConnect VPN clients. On this pane, you can configure whether
the Cisco AnyConnect VPN client installer remains on client systems, whether compression should be
applied to the VPN session, the maximum transmission unit (MTU) for the connection, and the client profile
to download to clients.
Reference:
Cisco: General VPN Setup: Adding or Editing a Remote Access Internal Group Policy, General Attributes

QUESTION 271
Which of the following are transmitted by SDEE? (Select the best answer.)

A. SDFs
B. TFTP data
C. IPS events
D. SNMP traps

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Intrusion Prevention System (IPS) events are transmitted by Security Device Event Exchange (SDEE)
between IPS-enabled clients and a centralized IPS management server. SDEE uses Secure Sockets Layer
(SSL), which provides a secure communication channel between the devices, to send data. Because the
channel between the devices is secure, exchanging SDEE messages is more secure than exchanging
syslog messages.
Signature definition files (SDFs) are not transmitted by SDEE. By default, a router will use the built-in SDF
that is hard-coded into the IOS. However, you can issue the ip ips sdf location command to specify an
alternative SDF for Cisco IOS IPS to use. The SDF files can be specified as a file name located in Flash
memory, on a File Transfer Protocol (FTP) server, on a Trivial FTP (TFTP) server, or on a Remote Copy
Protocol (RCP) server. If the specified SDF cannot be loaded, the built-in SDF is used.
Simple Network Management Protocol (SNMP) traps are not transmitted by SDEE. SNMP is used to
monitor and manage network devices by collecting statistical data about those devices. SNMP version 3
(SNMPv3) provides authentication and encryption; SNMPv1 and SNMPv2c do not.
TFTP data is not transmitted by SDEE. TFTP is a simple file transfer protocol that can be used to copy
configuration files and SDFs between devices. When you use TFTP, the data is sent in clear text; TFTP
provides no encryption, and it provides no message integrity or authentication either.
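The relationship between the SDF, SDEE and syslog described above is easiest to see in the IOS IPS configuration that ties them together. The following is an added example, not text or configuration from the original question or from Cisco; the SDF file name, the buffer and subscription sizes, the account name and the interface are assumed values.

```cisco
! Added example: Cisco IOS IPS with events published over SDEE.
! 128MB.sdf, the buffer/subscription sizes, the ipsmgr account and Gi0/1 are assumed values.
!
! Load an alternative SDF from Flash; the built-in SDF is used if this cannot be loaded.
ip ips sdf location flash://128MB.sdf
!
! Publish IPS events via SDEE (pulled over HTTPS by the management station).
ip ips notify sdee
! Optionally also send the same events to syslog, which travels in clear text.
ip ips notify log
!
! On-box SDEE event buffer and the number of management stations allowed to subscribe.
ip sdee events 200
ip sdee subscriptions 2
!
! SDEE is served by the router's HTTPS server; the subscriber authenticates with a local account.
ip http secure-server
ip http authentication local
username ipsmgr privilege 15 secret ExampleOnlyChangeMe
!
! Apply IPS inspection to inbound traffic on the untrusted interface.
ip ips name IOSIPS
interface GigabitEthernet0/1
 ip ips IOSIPS in
```

Note that SDEE is a pull model: nothing leaves the router until a subscriber connects, so the `ip sdee events` buffer size bounds how many events can be held between polls. Syslog, by contrast, is pushed and unencrypted, which is why the explanation above prefers SDEE for event transport.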
Reference:
Cisco: Intrusion Prevention System Modules for Integrated Services Routers (PDF)

QUESTION 272
You want to configure a WSA to permit access to a particular social media site; however, you also want to
deny access to some of the features on that site, such as uploading files and liking posts.
Which of the following WSA features should you configure to achieve your goal? (Select the best answer.)

A. AMP
B. AVC
C. DCA
D. DLP

Correct Answer: B
Section: Content and Endpoint Security
Explanation

Explanation/Reference:
Explanation:
You should configure the Application Visibility and Control (AVC) feature on a Cisco Web Security
Appliance (WSA) if you want to permit access to a particular social media site and deny the use of some of
the features on that site, such as uploading files and liking posts. A WSA is a standalone web gateway that
offers features that can mitigate web-based attacks, enforce acceptable use policies, and provide detailed
reporting. The AVC feature provides an administrator with granular control over a wide range of web
applications, including the ability to disable individual application features, limit application bandwidth, and
constrain application access to a particular set of users or period of time. The AVC feature is included as
part of the Cisco Web Security Essentials software license, which also includes the following:
Uniform Resource Locator (URL) filtering
Threat intelligence using the Cisco Talos threat detection network
Layer 4 traffic monitoring
Policy management
Actionable reporting
Data Loss Prevention (DLP), including third-party DLP integration

The URL filtering feature on a WSA can be used to permit or deny access to a particular social media site;
however, it does not provide the ability to deny access to some of the features on that site. The URL filtering
feature uses a database of over 50 million URLs to protect users from sites that are known to host
malicious content. The Dynamic Content Analysis (DCA) feature enhances basic URL filtering by enabling
the WSA to determine whether unknown URLs pose a threat. The DCA engine can scan unknown URLs
and their associated content text in real time and can categorize URLs with an error rate of less than 10
percent.
The DLP feature on a WSA can be used to prevent sensitive data from being transmitted to the web. DLP
engines, which include any integrated third-party solutions, inspect outbound traffic for specified criteria,
such as credit card numbers or customer data, and can take the appropriate action. A WSA can use the
Internet Content Adaptation Protocol (ICAP) to integrate third-party DLP solutions to enhance its traffic
inspection and analysis capabilities. The Advanced Malware Protection (AMP) feature on a WSA can be
used to enable advanced malware detection, blocking, analysis, and retroactive reporting on a WSA. The
AMP feature enhances the dynamic reputation-based and behavior-based malware analysis processes
available on the WSA with enhanced file reputation, file sandboxing, and retrospective file analysis.
Enhanced file analysis enables the WSA to fingerprint a file and send the fingerprint to Cisco Security
Intelligence Operations (SIO) for a reputation verdict. File sandboxing provides a secure environment where
the behavior of a file, such as a compressed archive or a Microsoft Office document, can be analyzed.
Retrospective file analysis, which is also known as file retrospection, enables the WSA to track files that
were originally deemed safe and were later determined to be a threat. This helps an administrator
determine who might be at risk from those files.
Reference:
Cisco: Cisco Web Security: Granular Acceptable Use Controls
Cisco: Cisco Web Security Appliance Data Sheet: Features and Benefits

QUESTION 273
Which of the following statements are true regarding ACLs? (Select 3 choices.)

A. If a packet is permitted by one entry, it cannot be denied by a more specific entry later in the ACL.
B. If a packet is denied by one entry, it cannot be permitted by a more specific entry later in the ACL.
C. If a packet does not match any entries in the ACL, it is permitted.
D. If a packet does not match any entries in the ACL, it is denied.
E. An ACL cannot contain two conflicting entries that refer to the same source address.
F. An ACL cannot contain two conflicting entries that refer to the same destination address.

Correct Answer: ABD
Section: (none)
Explanation

Explanation/Reference:
Explanation:
If a packet is permitted by one access control entry (ACE), it cannot be denied by a more specific entry later
in the access control list (ACL). Likewise, if a packet is denied by an ACE, it cannot be permitted by a more
specific entry later in the ACL. In addition, if a packet does not match any entries in the ACL, it is denied by
the implicit deny at the end of every ACL.
ACLs are processed sequentially, from the first entry in the list to the last, and processing stops at the first
ACE the packet matches. Because ACLs are processed from top to bottom, correct sequencing is critical to
ensuring proper filtering. More specific entries should be located higher in an ACL so that they are
processed before less specific entries; otherwise a broad entry near the top silently overrides (shadows) the
narrower statements below it, and those statements never take effect.
An ACL can contain multiple entries that conflict. For example, you could inadvertently have one entry that
permits traffic from a specific source or destination IP address and another entry that denies traffic from the
same source or destination IP address. You should use caution when editing ACL entries. New entries are
added to the end of an ACL by default and do not override conflicting entries above them. With named ACLs
(and numbered ACLs edited through the ip access-list command), you can assign a sequence number to a
new entry to insert it at a specific position in the list; otherwise, it might be necessary to recreate the ACL if
you need to make significant changes or add a statement that should appear at or near the top of the ACL.
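The shadowing problem and the sequence-number fix described above, shown as an added IOS example that is not part of the original question or of Cisco's documentation; the ACL name SERVER_IN, the addresses 10.1.1.0/24, 10.1.1.50 and 192.168.50.10, and the interface are assumed values.

```cisco
! Added example: a shadowed ACE and the corrected ordering.
! SERVER_IN, 10.1.1.0/24, host 10.1.1.50, host 192.168.50.10 and Gi0/0 are assumed values.
!
! Version 1 (wrong). Intent: block 10.1.1.50 from the server, allow the rest of 10.1.1.0/24.
! Entry 10 matches 10.1.1.50 first and processing stops, so entry 20 is never evaluated.
ip access-list extended SERVER_IN
 10 permit ip 10.1.1.0 0.0.0.255 host 192.168.50.10
 20 deny   ip host 10.1.1.50 host 192.168.50.10
!
! Version 2 (corrected). Remove the shadowed entry and re-add the specific deny with a
! lower sequence number so it is evaluated before the general permit. Everything that
! matches neither entry is still dropped by the implicit deny at the end of the list.
ip access-list extended SERVER_IN
 no 20
 5 deny   ip host 10.1.1.50 host 192.168.50.10
!
interface GigabitEthernet0/0
 ip access-group SERVER_IN in
!
! Verify the final order; per-entry match counters reveal an entry that never fires.
show ip access-lists SERVER_IN
```

After the change, `show ip access-lists SERVER_IN` lists entry 5 before entry 10. If the deny entry's match counter stays at zero while the host is known to be sending traffic, the entry is still being shadowed and the ordering needs another look.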
Reference:
Cisco: Configuring IP Access Lists: Process ACLs

QUESTION 274
Which of the following NAT types effectively exempts one or more addresses from translation? (Select the
best answer.)

A. dynamic NAT
B. dynamic PAT
C. identity NAT
D. static NAT

Correct Answer: C
Section: (none)
Explanation

Explanation/Reference:
Explanation:
Identity Network Address Translation (NAT) is a NAT type that effectively exempts one or more addresses
from translation. With identity NAT, real addresses and mapped addresses are identical for a particular
NAT rule. For example, an identity rule might specify that a real address of 192.168.13.1 on the inside
interface should be translated to a mapped address of 192.168.13.1 on the outside interface. Because the
real and mapped addresses are identical in an identity NAT rule, any matching addresses effectively bypass
NAT. A common use for identity NAT is to exempt remote access virtual private network (VPN) client
addresses from the NAT rules applied to the VPN gateway interfaces.
Static NAT, dynamic NAT, and dynamic Port Address Translation (PAT) are not NAT types that effectively
exempt one or more addresses from translation. Static NAT provides a bidirectional translation between
real and mapped IP addresses. As the name implies, static NAT specifies a mapping between real and
mapped addresses that does not change over time. Static NAT rules typically define one-to-one mappings of
real and mapped addresses. By contrast, dynamic NAT provides unidirectional mappings between one or
more real addresses and one or more mapped addresses. The addresses are mapped on a first-come,
first-served basis, and mappings can be initiated only by hosts with real addresses. Dynamic PAT provides
mappings between one or more real addresses and a single mapped address. With dynamic PAT, the
source port of each connection is translated to a unique port on the mapped address, and that port is what
distinguishes the connections sharing the single mapped address. Like dynamic NAT, dynamic PAT
mappings occur on a first-come, first-served basis, and mappings can be initiated only by hosts with real
addresses.
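The VPN exemption use case above, and the contrast with static NAT and dynamic PAT, expressed as ASA NAT rules. This is an added example, not configuration from the original question or from Cisco; the object names, the 10.1.0.0/16 inside network, the 172.16.20.0/24 VPN pool, the 203.0.113.10 mapped server address and the interface names are assumed values.

```cisco
! Added example: identity NAT beside static NAT and dynamic PAT on an ASA.
! INSIDE_NET, VPN_POOL, WEB_SRV, the addresses and the interface names are assumed values.
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
object network VPN_POOL
 subnet 172.16.20.0 255.255.255.0
object network WEB_SRV
 host 10.1.5.10
!
! Identity NAT (twice NAT, evaluated before the auto NAT rules below): inside hosts keep
! their real addresses when talking to VPN clients, so VPN traffic is never PATed to the
! outside interface address. no-proxy-arp and route-lookup are the usual companions here.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! Static NAT: fixed, bidirectional one-to-one mapping for a published server.
object network WEB_SRV
 nat (inside,outside) static 203.0.113.10
!
! Dynamic PAT: all other inside hosts share the outside interface address; the source
! port of each connection is rewritten to a unique port that identifies that connection.
object network INSIDE_NET
 nat (inside,outside) dynamic interface
!
! Verify the rule order and hit counts.
show nat detail
```

Rule order matters: twice NAT rules sit in section 1 of the NAT table and are matched before the object (auto) NAT rules in section 2, so the identity rule wins for VPN-bound traffic even though the dynamic PAT rule also matches the same source addresses. `show nat detail` shows the sections and the translate_hits counters for each rule.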
Reference:
Cisco: Information About NAT: Identity NAT
