
300-206

Implementing Cisco Edge Network Security Solutions
Version 5.3

QUESTION NO: 1
All 30 users on a single floor of a building are complaining about network slowness. After
investigating the access switch, the network administrator notices that the MAC address table is
full (10,000 entries) and all traffic is being flooded out of every port. Which action can the
administrator take to prevent this from occurring?
A. Configure port-security to limit the number of mac-addresses allowed on each port
B. Upgrade the switch to one that can handle 20,000 entries
C. Configure private-vlans to prevent hosts from communicating with one another
D. Enable storm-control to limit the traffic rate
E. Configure a VACL to block all IP traffic except traffic to and from that subnet
Answer: A

QUESTION NO: 2
A network printer has a DHCP server service that cannot be disabled. How can a layer 2 switch
be configured to prevent the printer from causing network issues?
A. Remove the ip helper-address
B. Configure a Port-ACL to block outbound TCP port 68
C. Configure DHCP snooping
D. Configure port-security
Answer: C

QUESTION NO: 3
A switch is being configured at a new location that uses statically assigned IP addresses. Which
will ensure that ARP inspection works as expected?
A. Configure the 'no-dhcp' keyword at the end of the ip arp inspection command
B. Enable static arp inspection using the command 'ip arp inspection static vlan vlan-number'
C. Configure an arp access-list and apply it to the ip arp inspection command
D. Enable port security
Answer: C

QUESTION NO: 4
Which of the following would need to be created to configure an application-layer inspection of
SMTP traffic operating on port 2525?
A. A class-map that matches port 2525 and applying an inspect ESMTP policy-map for that class
in the global inspection policy
B. A policy-map that matches port 2525 and applying an inspect ESMTP class-map for that
policy
C. An access-list that matches on TCP port 2525 traffic and applying it on an interface with the
inspect option
D. A class-map that matches port 2525 and applying it on an access-list using the inspect option
Answer: A

QUESTION NO: 5
Which command is used to nest objects in a pre-existing group?
A. object-group
B. network group-object
C. object-group network
D. group-object
Answer: D

QUESTION NO: 6
Which threat-detection feature is used to keep track of suspected attackers who create
connections to too many hosts or ports?
A. complex threat detection
B. scanning threat detection
C. basic threat detection
D. advanced threat detection
Answer: B

QUESTION NO: 7
What is the default behavior of an access list on the Cisco ASA security appliance?
A. It will permit or deny traffic based on the access-list criteria.
B. It will permit or deny all traffic on a specified interface.
C. An access group must be configured before the access list will take effect for traffic control.
D. It will allow all traffic.
Answer: C

QUESTION NO: 8
What is the default behavior of NAT control on Cisco ASA Software Version 8.3?
A. NAT control has been deprecated on Cisco ASA Software Version 8.3.
B. It will prevent traffic from traversing from one enclave to the next without proper access
configuration.
C. It will allow traffic to traverse from one enclave to the next without proper access
configuration.
D. It will deny all traffic.
Answer: A

QUESTION NO: 9
Which three options are hardening techniques for Cisco IOS routers? (Choose three.)
A. limiting access to infrastructure with access control lists
B. enabling service password recovery
C. using SSH whenever possible
D. encrypting the service password
E. using Telnet whenever possible
F. enabling DHCP snooping
Answer: A, C, D

QUESTION NO: 10
Which three commands can be used to harden a switch? (Choose three.)
A. switch(config-if)# spanning-tree bpdufilter enable
B. switch(config)# ip dhcp snooping
C. switch(config)# errdisable recovery interval 900
D. switch(config-if)# spanning-tree guard root
E. switch(config-if)# spanning-tree bpduguard disable
F. switch(config-if)# no cdp enable
Answer: B, D, F

QUESTION NO: 11
What are three features of the Cisco ASA 1000V? (Choose three.)
A. cloning the Cisco ASA 1000V
B. dynamic routing
C. the Cisco VNMC policy agent
D. IPv6
E. active/standby failover
F. QoS
Answer: A, C, E

QUESTION NO: 12
If the Cisco ASA 1000V has too few licenses, what is its behavior?
A. It drops all traffic.
B. It drops all outside-to-inside packets.
C. It drops all inside-to-outside packets.
D. It passes the first outside-to-inside packet and drops all remaining packets.
Answer: D

QUESTION NO: 13
A network administrator is creating an ASA-CX administrative user account with the following
parameters:

• The user will be responsible for configuring security policies on network devices.
• The user needs read-write access to policies.
• The account has no more rights than necessary for the job.
What role will the administrator assign to the user?
A. Administrator
B. Security administrator
C. System administrator
D. Root Administrator
E. Exec administrator
Answer: B

QUESTION NO: 14
What command alters the SSL ciphers used by the Cisco Email Security Appliance for TLS sessions
and HTTPS access?
A. sslconfig
B. sslciphers
C. tlsconfig
D. certconfig
Answer: A

QUESTION NO: 15
What is the CLI command to enable SNMPv3 on the Cisco Web Security Appliance?
A. snmpconfig
B. snmpenable
C. configsnmp
D. enablesnmp
Answer: A

QUESTION NO: 16

The Cisco Email Security Appliance can be managed with both local and external users of different
privilege levels. What three external modes of authentication are supported? (Choose three.)
A. LDAP authentication
B. RADIUS Authentication
C. TACACS
D. SSH host keys
E. Common Access Card Authentication
F. RSA Single use tokens
Answer: A, B, D

QUESTION NO: 17
A network administrator is creating an ASA-CX administrative user account with the following
parameters:
• The user will be responsible for configuring security policies on network devices.
• The user needs read-write access to policies.
• The account has no more rights than necessary for the job.
What role will be assigned to the user?
A. Administrator
B. Security administrator
C. System administrator
D. Root Administrator
E. Exec administrator
Answer: B

QUESTION NO: 18
Which tool provides the necessary information to determine hardware lifecycle and compliance
details for deployed network devices?
A. Prime Infrastructure
B. Prime Assurance
C. Prime Network Registrar
D. Prime Network Analysis Module

) A. Cisco IPS D. C QUESTION NO: 21 Which two web browsers are supported for the Cisco ISE GUI? (Choose two.) A. B. Cisco CRS Answer: A. Cisco Web Security Appliance F. Validated Design F. Google Chrome (all versions) . Cisco Email Security Appliance G. Cisco ASA C. Microsoft Internet Explorer version 8 in Internet Explorer 8-only mode D. Smart Business Architecture Answer: A. Change Audit C. Cisco WLC E. Netscape Navigator version 9 C.Answer: A QUESTION NO: 19 Which three compliance and audit report types are available in Cisco Prime Infrastructure? (Choose three. Service B. Vendor Advisory D. Cisco ASA CX H.) A. B. Microsoft Internet Explorer version 8 in all Internet Explorer modes E.x B. C QUESTION NO: 20 Cisco Security Manager can manage which three products? (Choose three. TAC Service Request E. Cisco IOS B. HTTPS-enabled Mozilla Firefox version 3.

D. It enables NAT policy rediscovery while leaving existing shared polices unchanged. Answer: D QUESTION NO: 25 . changeto/config context change D. which command is used to change between contexts? A. D. which statement about the main Cisco ASDM home page is true? A. changeto/config context 2 Answer: B QUESTION NO: 23 Which statement about the Cisco Security Manager 4. C. It enables NAT policy discovery as it updates shared polices. It is replaced by the Cisco AIP-SSM home page. The administrator can manually update the page. C. B. It must reconnect to the NAT policies database. changeto config context B. It displays a new Intrusion Prevention panel. C QUESTION NO: 22 When a Cisco ASA is configured in multicontext mode.Answer: A.4 NAT Rediscovery feature is true? A. changeto context C. It provides NAT policies to existing clients that connect from a new switch port. B. Answer: D QUESTION NO: 24 When you install a Cisco ASA AIP-SSM. It can update shared policies even when the NAT server is offline.

An SNMPv3 view is defined to configure the address of where the traps will be sent. It provides greater security than simple ACLs. B. E. Answer: A. F. It provides basic device management for large-scale deployments.Which Cisco product provides a GUI-based device management tool to configure Cisco access routers? A. Cisco CP Answer: D QUESTION NO: 26 Which statement about Cisco IPS Manager Express is true? A. Cisco ASA 5500 D. An SNMPv3 host is configured to define where the SNMPv3 traps will be sent. An SNMPv3 group is defined to configure the read and write views of the group.) A. C. It enables communication with Cisco ASA devices that have no administrative access. B. D. An SNMPv3 user is assigned to SNMPv3 group and defines the encryption and authentication credentials. It provides a GUI for configuring IPS sensors and security modules. An SNMPv3 host is used to configure the encryption and authentication credentials for SNMPv3 traps. C QUESTION NO: 28 . Answer: B QUESTION NO: 27 Which three options describe how SNMPv3 traps can be securely configured to be sent by IOS? (Choose three. C. D. B. An SNMPv3 group is used to configure the OIDs that will be reported. Cisco CP Express C. Cisco ASDM B.

A network engineer is asked to configure NetFlow to sample one of every 100 packets on a router's
fa0/0 interface. Which configuration enables sampling, assuming that NetFlow is already configured
and running on the router's fa0/0 interface?
A. flow-sampler-map flow1 mode random one-out-of 100
interface fas0/0
flow-sampler flow1
B. flow monitor flow1 mode random one-out-of 100
interface fas0/0
ip flow monitor flow1
C. flow-sampler-map flow1 one-out-of 100
interface fas0/0
flow-sampler flow1
D. ip flow-export source fas0/0 one-out-of 100
Answer: A

QUESTION NO: 29
What is the default log level on the Cisco Web Security Appliance?
A. Trace
B. Debug
C. Informational
D. Critical
Answer: C

QUESTION NO: 30
Which command sets the source IP address of the NetFlow exports of a device?
A. ip source flow-export
B. ip source netflow-export
C. ip flow-export source

NTP logging is enabled. NTP access is enabled. ip netflow-export source Answer: C QUESTION NO: 31 Which two SNMPv3 features ensure that SNMP packets have been sent securely?" Choose two. console logging B. E . F. RADIUS logging Answer: A. TACACS+ logging C.D. A. D QUESTION NO: 33 Which three options are default settings for NTP parameters on a Cisco device? (Choose three. D. NTP authentication is disabled. E. D. B. C QUESTION NO: 32 Which three logging methods are supported by Cisco routers? (Choose three. C. encryption D. NTP logging is disabled. ACL logging F. host authorization B. NTP access is disabled.) A. syslog logging E.) A. compression Answer: B. authentication C. NTP authentication is enabled. C. terminal logging D. Answer: B.

QUESTION NO: 34
Which two parameters must be configured before you enable SCP on a router? (Choose two.)
A. SSH
B. authorization
C. ACLs
D. NTP
E. TACACS+
Answer: A, B

QUESTION NO: 35
A network engineer is troubleshooting and configures the ASA logging level to debugging. The
logging-buffer is dominated by %ASA-6-305009 log messages. Which command suppresses those
syslog messages while maintaining ability to troubleshoot?
A. no logging buffered 305009
B. message 305009 disable
C. no message 305009 logging
D. no logging message 305009
Answer: D

QUESTION NO: 36
Which option describes the purpose of the input parameter when you use the packet-tracer
command on a Cisco device?
A. to provide detailed packet-trace information
B. to specify the source interface for the packet trace
C. to display the trace capture in XML format
D. to specify the protocol type for the packet trace
Answer: B

QUESTION NO: 37
Which two options are two purposes of the packet-tracer command? (Choose two.)

A. to filter and monitor ingress traffic to a switch
B. to configure an interface-specific packet trace
C. to inject virtual packets into the data path
D. to debug packet drops in a production network
E. to correct dropped packets in a production network
Answer: C, D

QUESTION NO: 38
Which set of commands enables logging and displays the log buffer on a Cisco ASA?
A. enable logging
show logging
B. logging enable
show logging
C. enable logging
int e0/1
view logging
D. logging enable
logging view config
Answer: B

QUESTION NO: 39
Which command displays syslog messages on the Cisco ASA console as they occur?
A. Console logging <level>
B. Logging console <level>
C. Logging trap <level>
D. Terminal monitor
E. Logging monitor <level>
Answer: B

QUESTION NO: 40

B. The configuration will not automatically be saved to NVRAM. The configuration will be updated with MAC addresses from traffic seen ingressing the port. The configuration will automatically be saved to NVRAM if no other changes to the configuration have been made. E QUESTION NO: 42 A Cisco ASA is configured for TLS proxy. When the Cisco Unified Communications Manager cluster is in non-secure mode . logging list critical_messages level 2 logging console enable critical_messages D.) A. Only MAC addresses with the 5th most significant bit of the address (the 'sticky' bit) set to 1 will be learned.Which set of commands creates a message list that includes all severity 2 (critical) messages on a Cisco security device? A. If configured on a trunk port without the 'vlan' keyword. The configuration will be updated with MAC addresses from traffic seen ingressing the port. it will apply to all vlans. logging list critical_messages level 2 console logging critical_messages B. D. Answer: B. E. C. Which two considerations must an administrator take into account when using the switchport port-security mac-address sticky command? (Choose two. When should the security appliance force remote IP phones connecting to the phone proxy through the internet to be in secured mode? A. logging list enable critical_messages level 2 console logging critical_messages Answer: B QUESTION NO: 41 An administrator is deploying port-security to restrict traffic from certain ports to specific MAC addresses. logging list critical_messages level 2 logging console critical_messages C. it will apply only to the native vlan. If configured on a trunk port without the 'vlan' keyword.

When the Cisco Unified Communications Manager is not part of a cluster D. detecting and preventing MAC address spoofing in switched environments D. By enabling ARP inspection. how can ARP traffic be controlled? A.B. detecting spoofed MAC addresses and tracking 802. identifying Layer 2 ARP attacks B. however. B QUESTION NO: 44 When a Cisco ASA is configured in transparent mode. NAT B.) A. however. When the Cisco Unified Communications Manager cluster is in secure mode only C. IPSec remote access VPN Answer: A.) A. SSL remote access VPN D. D . By configuring ACLs. ARP inspection is not supported D. dynamic routing C. mitigating man-in-the-middle attacks Answer: A. it cannot be controlled by an ACL B. When the Cisco ASA is configured for IPSec VPN Answer: A QUESTION NO: 43 Which two features are supported when configuring clustering of multiple Cisco ASA appliances? (Choose two. By configuring NAT and ARP inspection Answer: A QUESTION NO: 45 What are two primary purposes of Layer 2 detection in Cisco IPS networks? (Choose two. By enabling ARP inspection or by configuring ACLs C.1X actions and data communication after a successful client association C.

increased resiliency through MPLS FRR for AToM circuits and better bandwidth utilization through MPLS TE C. using multipacket inspection across all protocols to identify vulnerability-based attacks and to thwart attacks that hide within a data stream C. provided complete proactive protection against frame and device spoofing Answer: B. 1518 bytes C. mitigating man-in-the-middle attacks B.QUESTION NO: 46 What is the primary purpose of stateful pattern recognition in Cisco IPS networks? A. identifying Layer 2 ARP attacks Answer: B QUESTION NO: 47 What are two reasons to implement Cisco IOS MPLS Bandwidth-Assured Layer 2 Services? (Choose two.) A. 9216 bytes Answer: D QUESTION NO: 49 Which two statements about Cisco IDS are true? (Choose two. 1024 bytes B. for enhanced MPLS Layer 2 functionality D. enabled services over an IP/MPLS infrastructure. C QUESTION NO: 48 What is the maximum jumbo frame size for IPS standalone appliances with 1G and 10G fixed or add-on interfaces? A. 2156 bytes D. regardless of which systems access the device B. guaranteed bandwidth and peak rates as well as low cycle periods.) . detecting and preventing MAC address spoofing in switched environments D.

NIPS is more optimally designed for enterprise Internet edges than for internal network configurations. It is used for installations that require strong network-based protection and that include sensor tuning. G QUESTION NO: 52 IPv6 addresses in an organization's network are assigned using Stateless Address Autoconfiguration. It is preferred for detection-only deployment. It is used primarily to inspect egress traffic. B. C. C. It is used to monitor critical systems and to avoid false positives that block traffic. D. B. D. Internet edges are exposed to a larger array of threats. Internet edges provide connectivity to the Internet and other external networks. E.) A. to filter outgoing threats. C. Answer: B. Internet edges typically have a lower volume of traffic and threats are easier to detect. DHCPv6 Guard Answer: A. Answer: C. C QUESTION NO: 50 What are two reasons for implementing NIPS at enterprise Internet edges? (Choose two.) A. It is used to boost sensor sensitivity at the expense of false positives. Traffic Storm Control F. Router Advertisement Guard D. What is a security concern of using SLAAC for IPv6 address assignment? . Internet edges typically have a higher volume of traffic and threats are more difficult to detect. Neighbor Discovery Inspection E. Port Security G. D.A. Dynamic ARP Inspection C. D QUESTION NO: 51 Which four are IPv6 First Hop Security technologies? (Choose four. E. Send B.

A. Man-In-The-Middle attacks or traffic interception using spoofed IPv6 Router Advertisements
B. Smurf or amplification attacks using spoofed IPv6 ICMP Neighbor Solicitations
C. Denial of service attacks using TCP SYN floods
D. Denial of Service attacks using spoofed IPv6 Router Solicitations
Answer: A

QUESTION NO: 53
Which two device types can Cisco Prime Security Manager manage in Multiple Device mode?
(Choose two.)
A. Cisco ESA
B. Cisco ASA
C. Cisco WSA
D. Cisco ASA CX
Answer: B, D

QUESTION NO: 54
Which technology provides forwarding-plane abstraction to support Layer 2 to Layer 7 network
services in Cisco Nexus 1000V?
A. Virtual Service Node
B. Virtual Service Gateway
C. Virtual Service Data Path
D. Virtual Service Agent
Answer: C

QUESTION NO: 55
To which interface on a Cisco ASA 1000V firewall should a security profile be applied when a VM
sits behind it?
A. outside
B. inside
C. management
D. DMZ

Answer: B

QUESTION NO: 56
You are configuring a Cisco IOS Firewall on a WAN router that is operating as a Trusted Relay
Point (TRP) in a voice network. Which feature must you configure to open data-channel pinholes
for voice packets that are sourced from a TRP within the WAN?
A. CAC
B. ACL
C. CBAC
D. STUN
Answer: D

QUESTION NO: 57
Which two voice protocols can the Cisco ASA inspect? (Choose two.)
A. MGCP
B. IAX
C. Skype
D. CTIQBE
Answer: A, D

QUESTION NO: 58
You have explicitly added the line deny ipv6 any log to the end of an IPv6 ACL on a router
interface. Which two ICMPv6 packet types must you explicitly allow to enable traffic to traverse the
interface? (Choose two.)
A. router solicitation
B. router advertisement
C. neighbor solicitation
D. neighbor advertisement
E. redirect
Answer: C, D

https://cisco.com/"*[^E]"xe"? A.com/ftp/ios/tftpserver. Dynamic Arp Inspection Answer: A QUESTION NO: 60 Which log level provides the most detail on the Cisco Web Security Appliance? A. Control Plane Protection D.exe B. Trace D. ASA 5505 with failover license option B. Debug B. MACsec B. ASA 5510 Security+ license option C.QUESTION NO: 59 Enabling what security mechanism can prevent an attacker from gaining network topology information from CDP? A. Flex VPN C. Informational Answer: C QUESTION NO: 61 What is the lowest combination of ASA model and license providing 1 Gigabit Ethernet interfaces? A.com/ftp/ios/tftpserver.cisco.cisco.exe . ASA 5540 with AnyConnect Essentials License option Answer: B QUESTION NO: 62 Which URL matches the regex statement "http"*/"www. Critical C. https://www. ASA 5520 with any license option D.

clientless SSL D. F .EXE Answer: A QUESTION NO: 63 Which two statements about Cisco IOS Firewall are true? (Choose two. D. It provides protocol-conformance checks against traffic. https:/www.C. expiry date Answer: B. It provides faster processing of packets than Cisco ASA devices provide. B.) A.com/ftp/ios/tftpserver. AnyConnect SSL B. C QUESTION NO: 64 Which two VPN types can you monitor and control with Cisco Prime Security Manager? (Choose two. It eliminates the need to secure host machines throughout the network. B QUESTION NO: 65 What are three attributes that can be applied to a user account with RBAC? (Choose three. domain B.cisco.Exe D. http:/www. It eliminates the need to secure routers and switches throughout the network. E.) A. ACE tag D. site-to-site C.) A. Answer: A. user roles E. It provides stateful packet inspection. password C.cisco. IPsec remote-access Answer: A.com/ftp/ios/tftpserver. D. VDC group tag F. C.

QUESTION NO: 66
If you encounter problems logging in to the Cisco Security Manager 4.4 web server or client or
backing up its databases, which account has most likely been improperly modified?
A. admin (the default administrator account)
B. casuser (the default service account)
C. guest (the default guest account)
D. user (the default user account)
Answer: B

QUESTION NO: 67
Which component does Cisco ASDM require on the host Cisco ASA 5500 Series or Cisco PIX
security appliance?
A. a DES or 3DES license
B. a NAT policy server
C. a SQL database
D. a Kerberos key
E. a digital certificate
Answer: A

QUESTION NO: 68
Which command configures the SNMP server group1 to enable authentication for members of the
access list east?
A. snmp-server group group1 v3 auth access east
B. snmp-server group1 v3 auth access east
C. snmp-server group group1 v3 east
D. snmp-server group1 v3 east access
Answer: A

QUESTION NO: 69
SIMULATION


Answer: Please check the steps in explanation part below:
Explanation:
1) Click on Service Policy Rules, then Edit the default inspection rule.
2) Click on Rule Actions, then enable HTTP as shown here:
3) Click on Configure, then add as shown here:

4) Create the new map in ASDM like shown:

5) Edit the policy as shown:
6) Hit OK

QUESTION NO: 70

Which statement about how the Cisco ASA supports SNMP is true?
A. All SNMPv3 traffic on the inside interface will be denied by the global ACL.
B. The Cisco ASA and ASASM provide support for network monitoring using SNMP Versions 1, 2c,
and 3, but do not support the use of all three versions simultaneously.
C. The Cisco ASA and ASASM have an SNMP agent that notifies designated management
stations if events occur that are predefined to require a notification, for example, when a link in
the network goes up or down.
D. SNMPv3 is more secure because it uses SSH as the transport mechanism.
E. SNMPv3 is enabled by default and SNMP v1 and 2c are disabled by default.
Answer: C
This can be verified by this ASDM screen shot:

QUESTION NO: 71


SNMP users have a specified username, a group to which the user belongs, authentication
password, encryption password, and authentication and encryption algorithms to use. The
authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES,
3DES, and AES (which is available in 128, 192, and 256 versions). When you create a user, with
which option must you associate it?
A. an SNMP group
B. at least one interface
C. the SNMP inspection in the global_policy
D. at least two interfaces
Answer: A
This can be verified via the ASDM screen shot shown here:

QUESTION NO: 72


An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure
SNMPv3 hosts, which option must you configure in addition to the target IP address?
A. the Cisco ASA as a DHCP server, so the SNMPv3 host can obtain an IP address
B. a username, because traps are only sent to a configured user
C. SSH, so the user can connect to the Cisco ASA
D. the Cisco ASA with a dedicated interface only for SNMP, to process the SNMP host traffic
Answer: B
The username can be seen here on the ASDM simulator screen shot:

QUESTION NO: 73
Enabling what security mechanism can prevent an attacker from gaining network topology
information from CDP via a man-in-the-middle attack?
A. MACsec
B. Flex VPN
C. Control Plane Protection
D. Dynamic Arp Inspection
Answer: A

QUESTION NO: 74
On an ASA running version 9.0, which command is used to nest objects in a pre-existing group?
A. object-group
B. network group-object
C. object-group network
D. group-object
Answer: D

QUESTION NO: 75
Which ASA feature is used to keep track of suspected attackers who create connections to too
many hosts or ports?
A. complex threat detection
B. scanning threat detection
C. basic threat detection
D. advanced threat detection
Answer: B

QUESTION NO: 76
What is the default behavior of an access list on a Cisco ASA?
A. It will permit or deny traffic based on the access list criteria.
B. It will permit or deny all traffic on a specified interface.
C. It will have no effect until applied to an interface, tunnel-group or other traffic flow.
D. It will allow all traffic.
Answer: C

QUESTION NO: 77
When configuring a new context on a Cisco ASA device, which command creates a domain for the
context?
A. domain config name
B. domain-name
C. changeto/domain name change
D. domain context 2
Answer: B

QUESTION NO: 78
Which statement describes the correct steps to enable Botnet Traffic Filtering on a Cisco ASA
version 9.0 transparent-mode firewall with an active Botnet Traffic Filtering license?
A. Enable the use of the dynamic database, enable traffic classification and actions.
B. Botnet Traffic Filtering is not supported in transparent mode.
C. Enable the use of dynamic database, enable DNS snooping, traffic classification, and actions.
D. Enable DNS snooping, traffic classification, and actions.
Answer: C

QUESTION NO: 79
Which Cisco switch technology prevents traffic on a LAN from being disrupted by a broadcast,
multicast, or unicast flood on a port?
A. port security
B. storm control
C. dynamic ARP inspection
D. BPDU guard
E. root guard
F. dot1x
Answer: B

QUESTION NO: 80

You are a security engineer at a large multinational retailer. Your Chief Information Officer recently
attended a security conference and has asked you to secure the network infrastructure from VLAN
hopping. Which statement describes how VLAN hopping can be avoided?
A. There is no such thing as VLAN hopping because VLANs are completely isolated.
B. VLAN hopping can be avoided by using IEEE 802.1X to dynamically assign the access VLAN to
all endpoints and setting the default access VLAN to an unused VLAN ID.
C. VLAN hopping is avoided by configuring the native (untagged) VLAN on both sides of an ISL
trunk to an unused VLAN ID.
D. VLAN hopping is avoided by configuring the native (untagged) VLAN on both sides of an IEEE
802.1Q trunk to an unused VLAN ID.
Answer: D

QUESTION NO: 81
You are the administrator of a Cisco ASA 9.0 firewall and have been tasked with ensuring that the
Firewall Admins Active Directory group has full access to the ASA configuration. The Firewall
Operators Active Directory group should have a more limited level of access. Which statement
describes how to set these access levels?
A. Use Cisco Directory Agent to configure the Firewall Admins group to have privilege level 15
access. Also configure the Firewall Operators group to have privilege level 6 access.
B. Use TACACS+ for Authentication and Authorization into the Cisco ASA CLI, with ACS as the
AAA server. Configure level 15 access to be assigned to members of the Firewall Admins group.
Configure ACS CLI command authorization sets for the Firewall Operators group.
C. Use RADIUS for Authentication and Authorization into the Cisco ASA CLI, with ACS as the AAA
server. Configure level 15 access to be assigned to members of the Firewall Admins group.
Configure ACS CLI command authorization sets for the Firewall Operators group.
D. Active Directory Group membership cannot be used as a determining factor for accessing the
Cisco ASA CLI.
Answer: B

QUESTION NO: 82
A router is being enabled for SSH command line access. The following steps have been taken:
• The vty ports have been configured with transport input SSH and login local.
• Local user accounts have been created.
• The enable password has been configured.
What additional step must be taken if users receive a 'connection refused' error when attempting
to access the router via SSH?
A. A RSA keypair must be generated on the router
B. An access list permitting SSH inbound must be configured and applied to the vty ports
C. An access list permitting SSH outbound must be configured and applied to the vty ports
D. SSH v2.0 must be enabled on the router
Answer: A

QUESTION NO: 83
Which two configurations are necessary to enable password-less SSH login to an IOS router?
(Choose two.)
A. Enter a copy of the administrator's public key within the SSH key-chain
B. Enter a copy of the administrator's private key within the SSH key-chain
C. Generate a 512-bit RSA key to enable SSH on the router
D. Generate an RSA key of at least 768 bits to enable SSH on the router
E. Generate a 512-bit ECDSA key to enable SSH on the router
F. Generate a ECDSA key of at least 768 bits to enable SSH on the router
Answer: A, D

QUESTION NO: 84
Which two features does Cisco Security Manager provide? (Choose two.)
A. Configuration and policy deployment before device discovery
B. Health and performance monitoring
C. Event management and alerting
D. Command line menu for troubleshooting
E. Ticketing management and tracking
Answer: B, C

) A. Answer: B. NTP authentication is disabled. E QUESTION NO: 87 Which two options are purposes of the packet-tracer command? (Choose two. to simulate network traffic through a data path D. enable_15 / (no password) E. E. F. When you attempt to connect to a Cisco ASA with a default configuration. NTP traffic is not restricted. to automatically correct an ACL entry in an ASA Answer: C. D. B. cisco / cisco Answer: D QUESTION NO: 86 Which three options are default settings for NTP parameters on a Cisco ASA? (Choose three. D. You are asked to configure the firewall through Cisco ASDM. asaAdmin / (no password) C. D. NTP traffic is restricted. NTP authentication is enabled. admin / admin B. to configure an interface-specific packet trace C. NTP logging is enabled. D . C. to filter and monitor ingress traffic to a switch B.1. It is not possible to use Cisco ASDM until a username and password are created via the username usernamepassword password CLI command.) A. NTP logging is disabled. which username and password grants you full access? A.QUESTION NO: 85 An administrator installed a Cisco ASA that runs version 9. to debug packet drops in a production network E.

255.100 B.2.150 host 10.1. capture traffic match 80 host 10. Server A is a busy server that offers these services: • World Wide Web • DNS Which command captures http traffic from Host A to Server A? A.100 E.2.1.150 host 10. Due to budget constraints.100 C.2. capture traffic match tcp host 10.100 host 10.150 D.1.255.1.2.2.2.2. capture traffic match udp host 10.192 host 10.1.2.0 255.1.1.2. capture traffic match ip 10.1.1. . one Cisco ASA 5550 will be replaced at a time.QUESTION NO: 88 Refer to the exhibit.150 host 10. capture traffic match tcp host 10.2.150 eq 80 Answer: D QUESTION NO: 89 Your company is replacing a high-availability pair of Cisco ASA 5550 firewalls with the newer Cisco ASA 5555-X models.1.

D QUESTION NO: 91 You are the administrator of a multicontext transparent-mode Cisco ASA that uses a shared interface that belongs to more than one context. Configure a unique MAC address per context with the mac-address auto command. B. IPv6 only C. Interfaces may not be shared between contexts in routed mode. Answer: B QUESTION NO: 90 In which two modes is zone-based firewall high availability available? (Choose two. Because the same interface will be used within all three contexts. You must use two dedicated interfaces. You must have at least 1 Gigabit Ethernet interface between the two Cisco ASAs for state exchange. B. routed mode only E. Configure a unique MAC address per context with the no mac-address auto command. transparent mode only F.) A. IPv4 and IPv6 D. D. C. One link is dedicated to state exchange and the other link is for heartbeats. IPv4 only B. D. C. Use static routes on the Cisco ASA to ensure that traffic reaches the correct context.Which statement about the minimum requirements to set up stateful failover between these two firewalls is true? A. both transparent and routed modes Answer: C. Answer: C . It is not possible to use failover between different Cisco ASA models. which statement describes how you will ensure that return traffic will reach the correct context? A. You must install the USB failover cable between the two Cisco ASAs and provide a 1 Gigabit Ethernet interface for state exchange.

switchport mode trunk D. switchport trunk native vlan 1 F. which two interface configuration commands help prevent VLAN hopping attacks? (Choose two. CAM attacks F. C QUESTION NO: 93 According to Cisco best practices. switch(config)#spanning-tree portfast bpdufilter default C. the switchport port-security maximum command can mitigate which two types of Layer 2 attacks? (Choose two. switchport protected Answer: A.) A. switchport access vlan 1 E. B QUESTION NO: 94 When it is configured in accordance to Cisco best practices. switch(config-if)#spanning-tree port-priority 0 Answer: A. switch(config-if)#spanning-tree portfast disable E. switch(config-if)#spanning-tree portfast D.) A. IP spoofing .QUESTION NO: 92 A rogue device has connected to the network and has become the STP root bridge.) A. switch(config)#spanning-tree portfast bpduguard default B. which has caused a network availability issue. switch(config-if)#switchport port-security violation protect F. switchport mode access B. switchport access vlan 2 C. MAC spoofing E. Which two commands can protect against this problem? (Choose two. rogue DHCP servers B. ARP attacks C. DHCP starvation D.

Answer: C. ARP attacks C. CAM attacks F. To protect Host A and Host B from communicating with each other. Host A on a promiscuous port and Host B on a community port B.) A. which type of PVLAN port should be used for each host? A. E QUESTION NO: 95 When configured in accordance to Cisco best practices. MAC spoofing E. the ip verify source command can mitigate which two types of Layer 2 attacks? (Choose two. F QUESTION NO: 96 Refer to the exhibit. IP spoofing Answer: D. DHCP starvation D. Host A on a community port and Host B on a promiscuous port . rogue DHCP servers B.

Host A on a community port and Host B on a community port Answer: E QUESTION NO: 97 Which security operations management best practice should be followed to enable appropriate network access for administrators? A. secures tenant edge traffic D. operates at Layer 3 C. DHCPv6 Guard B. secures intraswitch traffic E. Provide full network access from dedicated network administration systems B. replaces Cisco VSG . Host A on an isolated port and host B on an isolated port F. Host A on a promiscuous port and Host B on a promiscuous port E. IPv6 Source Guard Answer: B. Dedicate a separate physical or logical plane for management traffic D. secures data center edge traffic F. Host A on an isolated port and Host B on a promiscuous port D. IPv6 Prefix Guard C.) A.C. D QUESTION NO: 99 Which three options correctly identify the Cisco ASA1000V Cloud Firewall? (Choose three. Configure switches as terminal servers for secure device access Answer: C QUESTION NO: 98 Which two features block traffic that is sourced from non-topological IPv6 addresses? (Choose two. Configure the same management account on every network device C. operates at Layer 2 B. IPv6 RA Guard D.) A.

authentication C. D. C. encryption D. C QUESTION NO: 102 An attacker has gained physical access to a password protected router. Answer: A.) A. service password-encryption D. E.G: complements Cisco VSG H: requires Cisco VSG Answer: B. Which command will prevent access to the startup-config in NVRAM? A. C QUESTION NO: 101 Which two statements about zone-based firewalls are true? (Choose two. C. host authorization B. compression Answer: B. An interface can only be in one zone. no confreg 0x2142 Answer: A . B. More than one interface can be assigned to the same zone. no service password-recovery B. no service startup-config C. Only one interface can be in a given zone. G QUESTION NO: 100 Which two SNMPv3 features ensure that SNMP packets have been sent securely? (Choose two. Every device interface must be a member of a zone. An interface can be a member of multiple zones.) A.

Auth priv Answer: A QUESTION NO: 105 In IOS routers. ACL permitting udp 123 from ntp server B. Priv C. No auth D. show crypto key D. what configuration can ensure both prevention of ntp spoofing and accurate time ensured? A. Cisco IPS Manager Express C. Cisco IPS Device Manager . show crypto key mypubkey rsa C. show key mypubkey rsa B. ntp authentication C.QUESTION NO: 103 Which command tests authentication with SSH and shows a generated key? A. local system clock Answer: B QUESTION NO: 106 Which product can manage licenses. and a single signature policy for 15 separate IPS appliances? A. updates. multiple ntp servers D. show key mypubkey Answer: B QUESTION NO: 104 Which configuration keyword will configure SNMPv3 with authentication but no encryption? A. Cisco Security Manager B. Auth B.

router(conf-ssh-pubkey-user)#key-string enable ssh Answer: B . D. B. E QUESTION NO: 108 When you set a Cisco IOS Router as an SSH server. and tertiary VLANs are required for private VLAN implementation. which command specifies the RSA public key of the remote peer when you set the SSH server to perform RSA-based authentication? A. Primary. secondary. Promiscuous ports can talk to isolated and community ports. C. Community ports can talk to each other as well as the promiscuous port. router(config-ssh-pubkey)#key-string D. Cisco Adaptive Security Device Manager Answer: A QUESTION NO: 107 Which three statements about private VLANs are true? (Choose three. F. Private VLANS run over VLAN Trunking Protocol in transparent mode. D. Private VLANs run over VLAN Trunking Protocol in client mode. E.D. router(conf-ssh-pubkey-user)#key-string C.) A. Answer: B. Isolated ports can talk to promiscuous and community ports. router(config-ssh-pubkey-user)#key B.