210-260 Implementing Cisco Network Security Practice Exam Set 5

You are configuring manual NAT on a Cisco Firepower device. Which of the following best describes the order in which the NAT rules will be processed? (Select the best answer.)


Options are :

  • shortest prefix first followed by longer prefixes
  • on a first-match basis in the order that they appear in the configuration
  • static rules first followed by dynamic rules
  • the most general rules first followed by the most specific rules

Answer : on a first-match basis in the order that they appear in the configuration

Which of the following is the man-in-the-middle attack that is most likely to be used to cause a workstation to send traffic to a false gateway IP address? (Select the best answer.)


Options are :

  • ARP spoofing
  • DHCP spoofing
  • MAC spoofing
  • switch spoofing

Answer : DHCP spoofing

On a Cisco ASA, which of the following RADIUS authentication protocols are not supported? (Select 2 choices.)


Options are :

  • PAP
  • PEAP
  • CHAP
  • EAP-MD5

Answer : PEAP, EAP-MD5

Which of the following is the best reason to enforce blacklisting by security zone on a Cisco device that uses the Security Intelligence IP Address Reputation feature? (Select the best answer.)


Options are :

  • to validate a blacklist feed that has been obtained from a third party
  • to ensure that local hosts can communicate with a given IP address
  • to streamline performance of the IPS device
  • to manually control which networks are blocked by the IPS

Answer : to streamline performance of the IPS device

You are configuring a connection profile for clientless SSL VPN connections. You have accessed the Add Clientless SSL VPN Connection Profile dialog box in SDM. Which of the following authentication methods can you configure in this dialog box? (Select the best answer.)


Options are :

  • both AAA and digital certificates
  • only digital certificates
  • only AAA
  • only OTP

Answer : both AAA and digital certificates

Which of the following commands should you issue when troubleshooting basic IKE peering to determine whether PSKs are present and matching on both peers? (Select the best answer.)


Options are :

  • show crypto isakmp policy
  • traceroute
  • debug crypto isakmp
  • ping

Answer : debug crypto isakmp

Which of the following occurs when an IDS or IPS does not identify malicious traffic that enters the network? (Select the best answer.)


Options are :

  • a false positive
  • a false negative
  • a true positive
  • a true negative

Answer : a false negative

You want to use the authentication event no-response action authorize vlan 101 command to ensure that network devices incapable of using 802.1X authentication are automatically placed into VLAN 101, which is the guest VLAN. Which of the following VLAN types can you specify as an 802.1X guest VLAN? (Select the best answer.)


Options are :

  • an RSPAN VLAN
  • a primary private VLAN
  • a voice VLAN
  • a secondary private VLAN

Answer : a secondary private VLAN

Which of the following web application threats is not typically mitigated by installing a WAF? (Select the best answer.)


Options are :

  • exploits related to uncloaked error messages
  • exploits against unknown vulnerabilities
  • exploits against known vulnerabilities
  • exploits related to directory traversal vulnerabilities

Answer : exploits against unknown vulnerabilities

You have configured the password management feature for a tunnel group on an ASA. The ASA is using a Cisco Secure ACS RADIUS server for AAA authentication. Which of the following actions will occur after a remote user with an expired password attempts to establish a VPN connection? (Select the best answer.)


Options are :

  • The AnyConnect client will display an authentication failed dialog box and will not permit the user to establish the VPN connection until an admin unlocks the user's
  • The AnyConnect client will display a dialog box notifying the user that their password has expired but will permit the user to establish the VPN connection with the expired password.
  • The AnyConnect client will display a dialog box that prompts the user for a new password.
  • The AnyConnect client will display a dialog box that prompts the user for both their old password and a new password.

Answer : The AnyConnect client will display a dialog box that prompts the user for a new password.

Which of the following lost or stolen device options are available to employees when MDM is integrated with ISE? (Select 3 choices.)


Options are :

  • initiate a PIN lock
  • report device as lost or stolen
  • initiate a full or corporate wipe
  • quarantine the device
  • revoke the device's digital certificate

Answer : initiate a PIN lock, report device as lost or stolen, initiate a full or corporate wipe

You have configured a CoPP policy to mitigate the effects of DoS attacks on the router. Which of the following packet types does the CoPP policy affect? (Select the best answer.)


Options are :

  • packets originating from the control plane
  • packets destined to the data plane
  • packets destined to the control plane
  • packets originating from the data plane

Answer : packets destined to the control plane

An inside host has initiated a TCP connection through a Cisco ASA to an outside server. The outside server has responded with a SYN/ACK segment; however, the inside host has not yet responded with an ACK segment. Which of the following lines of output from the show conn command best represents the state of the connection in this scenario? (Select the best answer.)


Options are :

  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags SaAB
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags saA
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags aB
  • TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

Answer : TCP outside 192.0.2.51:22 inside 10.1.1.18:12113 idle 0:00:00, bytes 0, flags A

Which of the following statements is true regarding the aaa new-model command? (Select the best answer.)


Options are :

  • The aaa new-model command configures AAA to work only with RADIUS servers.
  • The aaa new-model command must be issued after enabling AAA authentication on a router.
  • The aaa new-model command must be issued prior to enabling AAA accounting on a router.
  • The aaa new-model command configures AAA to work only with TACACS+ servers.

Answer : The aaa new-model command must be issued prior to enabling AAA accounting on a router.

Which of the following capabilities do an IDS and IPS have in common? (Select the best answer.)


Options are :

  • resetting TCP connections
  • modifying traffic
  • blocking traffic from a particular host
  • blocking a particular connection

Answer : resetting TCP connections

Which of the following security functions is associated with the data plane? (Select 2 choices.)


Options are :

  • signaling protection
  • traffic filtering
  • device configuration protection
  • traffic conditioning

Answer : traffic filtering, traffic conditioning

Which of the following fields make up the header of an ESP packet? (Select 2 choices.)


Options are :

  • Pad Length
  • Sequence Number
  • Security Parameter Index
  • Next Header

Answer : Sequence Number, Security Parameter Index

Which of the following statements are true regarding class maps on a Cisco ASA? (Select 2 choices.)


Options are :

  • Class maps can match traffic based on application protocols.
  • Class maps apply specific security measures on a per-session basis.
  • QoS traffic shaping is not available for all class maps.
  • By default, no class maps are defined on an ASA.

Answer : Class maps can match traffic based on application protocols. QoS traffic shaping is not available for all class maps.

Which of the following IPS detection methods is a string pattern-based detection method? (Select the best answer.)


Options are :

  • signature-based detection
  • anomaly-based detection
  • policy-based detection
  • profile-based detection

Answer : signature-based detection

You issue the following commands on a Cisco router:

tacacs-server host ts1 timeout 30
tacacs-server timeout 20

Which of the following is true about how the Cisco router communicates with the TACACS+ server? (Select the best answer.)


Options are :

  • The router will maintain an open TCP connection.
  • The router will maintain an open TCP connection for no more than 20 seconds.
  • The router will wait 30 seconds for the server to reply before declaring an error.
  • The router will wait 20 seconds for the server to reply before declaring an error.

Answer : The router will wait 30 seconds for the server to reply before declaring an error.

You have configured a Cisco Catalyst switch to store its binding table on a local TFTP server. Which of the following commands can you issue to verify the URL that the agent will use to store the binding table on the TFTP server? (Select the best answer.)


Options are :

  • show ip dhcp snooping database
  • show ip dhcp snooping
  • show ip dhcp snooping statistics
  • show ip dhcp snooping binding

Answer : show ip dhcp snooping database

Which of the following is a set of rules to which a Cisco IPS appliance can compare network traffic to determine whether an attack is occurring? (Select the best answer.)


Options are :

  • a signature definition
  • reputation filtering
  • global correlation
  • anomaly detection

Answer : a signature definition

Which of the following failover link configurations can leave an ASA vulnerable to replay attacks? (Select the best answer.)


Options are :

  • connecting the active and standby units to a dedicated VLAN on a switch
  • sharing a regular data interface with the stateful failover link
  • connecting the active and standby units directly with a crossover cable
  • sharing the LAN failover link with the stateful failover link

Answer : sharing a regular data interface with the stateful failover link

You are configuring VPN access for Cisco AnyConnect clients. You finish the configuration by establishing a fail open policy. Which of the following is true of AnyConnect clients that fail to establish a VPN session? (Select the best answer.)


Options are :

  • They are denied full network access, except for local resources.
  • They are granted full access to the local network, including security.
  • They are denied full network access, including local resources.
  • They are granted full access to the local network, but without security.

Answer : They are granted full access to the local network, but without security.

When a switch is configured with private VLANs, which of the following ports can an isolated port communicate with? (Select the best answer.)


Options are :

  • promiscuous ports
  • other isolated ports
  • ports within the same community
  • ports within a different community

Answer : promiscuous ports

Your company has installed and configured a Sourcefire device. You want to reduce false positives from a trusted source. Which of the following could you do? (Select 2 choices.)


Options are :

  • Configure an Allow action with an Intrusion Policy.
  • Configure an Allow action without an Intrusion Policy.
  • Configure a Trust action.
  • Configure a Block action with an Intrusion Policy.

Answer : Configure an Allow action without an Intrusion Policy. Configure a Trust action.

You have configured a lawful intercept view, five CLI views, and two superviews on a Cisco router. How many additional CLI views can you create? (Select the best answer.)


Options are :

  • SEVEN
  • ONE
  • TWO
  • SIX

Answer : SEVEN

Which of the following private VLAN port types communicate only with promiscuous ports? (Select the best answer.)


Options are :

  • isolated ports
  • SPAN ports
  • promiscuous ports
  • community ports

Answer : isolated ports

Which of the following statements is not true regarding the IaaS service model? (Select the best answer.)


Options are :

  • The consumer has control over development tools or APIs in the cloud running on the physical infrastructure in the cloud.
  • The consumer has control over the allocation of processing, memory, storage, and network resources within the cloud.
  • The consumer has control over the physical infrastructure in the cloud.
  • The consumer has control over the configuration of the OS running on the physical infrastructure in the cloud.

Answer : The consumer has control over the physical infrastructure in the cloud.

In the Cisco ISE GUI, you click Administration > Certificates > Certificate Store and notice that a SCEP NDES server RA certificate is installed on the ISE node. Which of the following best describes the reason the certificate is there? (Select the best answer.)


Options are :

  • The ISE has been compromised, and the CA chain has been altered.
  • The ISE is a SCEP proxy for a Windows CA.
  • The ISE is a CA for the Windows AD domain.

Answer : The ISE is a SCEP proxy for a Windows CA.
