
CCNA Security
60 Questions, 293 Answers
31598. Which statement describes a best practice when configuring trunking on a switch port?

Disable double tagging by enabling DTP on the trunk port. - false
Enable encryption on the trunk port. - false
Enable authentication and encryption on the trunk port. - false
Limit the allowed VLAN(s) on the trunk to the native VLAN only. - false
Configure an unused VLAN as the native VLAN. - true

31599. Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports?

MAC spoofing attack - false
CAM overflow attack - true
VLAN hopping attack - false
STP attack - false

31600. What is the best way to prevent a VLAN hopping attack?

Encapsulate trunk ports with IEEE 802.1Q. - false
Physically secure data closets. - false
Disable DTP negotiations. - true
Enable BPDU guard. - false

31601. Which statement about PVLAN Edge is true?

PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port. - false
The switch does not forward any traffic from one protected port to any other protected port. - true
By default, when a port policy error occurs, the switchport shuts down. - false
The switch only forwards traffic to ports within the same VLAN Edge. - false

31602. If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?

no switchport mode access - false
no switchport trunk native VLAN 1 - false
switchport mode DTP - false
switchport nonnegotiate - true

31603. When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.)

pass - true
police - false
inspect - true
drop - true
queue - false
shape - false

1 of 11 11/5/2013 7:01 AM

31604. With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)

traffic flowing between a zone member interface and any interface that is not a zone member - false
traffic flowing to and from the router interfaces (the self zone) - true
traffic flowing among the interfaces that are members of the same zone - true
traffic flowing among the interfaces that are not assigned to any zone - true
traffic flowing between a zone member interface and another interface that belongs in a different zone - false
traffic flowing to the zone member interface that is returned traffic - false

31605. Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations?

The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL. - false
Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces. - false
The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks. - true
The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces. - false
The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only supports extended ACL. - false

31606. Which two options are advantages of an application layer firewall? (Choose two.)

provides high-performance filtering - false
makes DoS attacks difficult - true
supports a large number of applications - false
authenticates devices - false
authenticates individuals - true

31607. On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?

used for SSH server/client authentication and encryption - false
used to verify the digital signature of the IPS signature file - true
used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate the ISR when accessing it using Cisco Configuration Professional - false
used to enable asymmetric encryption on IPsec and SSL VPNs - false
used during the DH exchanges on IPsec VPNs - false

31608. Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional IPS wizard? (Choose four.)

Select the interface(s) to apply the IPS rule. - true
Select the traffic flow direction that should be applied by the IPS rule. - true
Add or remove IPS alerts actions based on the risk rating. - false
Specify the signature file and the Cisco public key. - true
Select the IPS bypass mode (fail-open or fail-close). - false
Specify the configuration location and select the category of signatures to be applied to the selected interface(s). - true

31609. Which statement is a benefit of using Cisco IOS IPS?

It uses the underlying routing infrastructure to provide an additional layer of security. - true
It works in passive mode so as not to impact traffic flow. - false
It supports the complete signature database as a Cisco IPS sensor appliance. - false
The signature database is tied closely with the Cisco IOS image. - false

31610. Which description of the Diffie-Hellman protocol is true?

It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel. - false
It uses asymmetrical encryption to provide authentication over an unsecured communications channel. - false
It is used within the IKE Phase 1 exchange to provide peer authentication. - false
It provides a way for two peers to establish a shared-secret key, which only they will know, even though they are communicating over an unsecured channel. - true
It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the message of the IKE exchanges. - false

31611. Which IPsec transform set provides the strongest protection?

crypto ipsec transform-set 1 esp-3des esp-sha-hmac - false
crypto ipsec transform-set 2 esp-3des esp-md5-hmac - false
crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmac - true
crypto ipsec transform-set 4 esp-aes esp-md5-hmac - false
crypto ipsec transform-set 5 esp-des esp-sha-hmac - false
crypto ipsec transform-set 6 esp-des esp-md5-hmac - false

31612. Which two options are characteristics of the Cisco Configuration Professional Security Audit wizard? (Choose two.)

displays a screen with fix-it check boxes to let you choose which potential security-related configuration changes to implement - true
has two modes of operation: interactive and non-interactive - false
automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the router - false
uses interactive dialogs and prompts to implement role-based CLI - false
requires users to first identify which router interfaces connect to the inside network and which connect to the outside network - true

31613. Which statement describes a result of securing the Cisco IOS image using the Cisco IOS image resilience feature?

The show version command does not show the Cisco IOS image file location. - false
The Cisco IOS image file is not visible in the output from the show flash command. - true
When the router boots up, the Cisco IOS image is loaded from a secured FTP location. - false
The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM. - false
The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server. - false

31614. Which aaa accounting command is used to enable logging of the start and stop records for user terminal sessions on the router?

aaa accounting network start-stop tacacs+ - false
aaa accounting system start-stop tacacs+ - false
aaa accounting exec start-stop tacacs+ - true
aaa accounting connection start-stop tacacs+ - false
aaa accounting commands 15 start-stop tacacs+ - false

31615. Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?

access-list 101 permit tcp any eq 3030 - false
access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www - true
access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www - false
access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030 - false
access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255 - false
access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80 - false

31616. Which location is recommended for extended or extended named ACLs?

an intermediate location to filter as much traffic as possible - false
a location as close to the destination traffic as possible - false
when using the established keyword, a location close to the destination point to ensure that return traffic is allowed - false
a location as close to the source traffic as possible - true

31617. Which statement about asymmetric encryption algorithms is true?

They use the same key for encryption and decryption of data. - false
They use the same key for decryption but different keys for encryption of data. - false
They use different keys for encryption and decryption of data. - true
They use different keys for decryption but the same key for encryption of data. - false

31618. Which option can be used to authenticate the IPsec peers during IKE Phase 1?

Diffie-Hellman Nonce - false
pre-shared key - true
XAUTH - false
integrity check value - false
ACS - false
AH - false

31619. Which single Cisco IOS ACL entry permits IP addresses from 172.16.80.0 to 172.16.87.255?

permit 172.16.80.0 0.0.3.255 - false
permit 172.16.80.0 0.0.7.255 - true
permit 172.16.80.0 0.0.248.255 - false
permit 176.16.80.0 255.255.252.0 - false
permit 172.16.80.0 255.255.248.0 - false
permit 172.16.80.0 255.255.240.0 - false

31620. You want to use the Cisco Configuration Professional site-to-site VPN wizard to implement a site-to-site IPsec VPN using pre-shared key. Which four configurations are required (with no defaults)? (Choose four.)

the interface for the VPN connection - true
the VPN peer IP address - true
the IPsec transform-set - false
the IKE policy - false
the interesting traffic (the traffic to be protected) - true
the pre-shared key - true

31621. Which two options represent a threat to the physical installation of an enterprise network? (Choose two.)

surveillance camera - false
security guards - false
electrical power - true
computer room access - true
change control - false

31622. Which option represents a step that should be taken when a security policy is developed?

Perform penetration testing. - false
Determine device risk scores. - false
Implement a security monitoring system. - false
Perform quantitative risk analysis. - true

31623. Which type of network masking is used when Cisco IOS access control lists are configured?

extended subnet masking - false
standard subnet masking - false
priority masking - false
wildcard masking - true

31624. How are Cisco IOS access control lists processed?

Standard ACLs are processed first. - false
The best match ACL is matched first. - false
Permit ACL entries are matched first before the deny ACL entries. - false
ACLs are matched from top down. - true
The global ACL is matched first before the interface ACL. - false

31625. Which type of management reporting is defined by separating management traffic from production traffic?

IPsec encrypted - false
in-band - false
out-of-band - true
SSH - false

31626. Which syslog level is associated with LOG_WARNING?

1 - false
2 - false
3 - false
4 - true
5 - false
6 - false

31627. In which type of Layer 2 attack does an attacker broadcast BPDUs with a lower switch priority?

MAC spoofing attack - false
CAM overflow attack - false
VLAN hopping attack - false
STP attack - true

31628. Which security measure must you take for native VLANs on a trunk port?

Native VLANs for trunk ports should never be used anywhere else on the switch. - true
The native VLAN for trunk ports should be VLAN 1. - false
Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches can be delivered to physically disparate switches. - false
Native VLANs for trunk ports should be tagged with 802.1Q. - false

31629. Which type of firewall technology is considered the versatile and commonly used firewall technology?

static packet filter firewall - false
application layer firewall - false
stateful packet filter firewall - true
proxy firewall - false
adaptive layer firewall - false

31630. Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IP address?

policy NAT - false
dynamic PAT - true
static NAT - false
dynamic NAT - false
policy PAT - false

31631. Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers?

Cisco iSDM - false
Cisco AIM - false
Cisco IOS IPS - true
Cisco AIP-SSM - false

31632. Which three modes of access can be delivered by SSL VPN? (Choose three.)

full tunnel client - true
IPsec SSL - false
TLS transport mode - false
thin client - true
clientless - true
TLS tunnel mode - false

31633. During role-based CLI configuration, what must be enabled before any user views can be created?

multiple privilege levels - false
usernames and passwords - false
aaa new-model command - true
secret password for the root user - false
HTTP and/or HTTPS server - false
TACACS server group - false

31634. Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

Place more specific ACL entries at the top of the ACL. - true
Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce "noise" on the network. - false
ACLs always search for the most specific entry before taking any filtering action. - false
Router-generated packets cannot be filtered by ACLs on the router. - true
If an access list is applied but it is not configured, all traffic passes. - true

31635. When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum number of allowed MAC addresses value is exceeded?

The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out. - false
The port is shut down. - true
The MAC address table is cleared and the new MAC address is entered into the table. - false
The violation mode of the port is set to restrict. - false

31636. Which three statements about the Cisco ASA appliance are true? (Choose three.)
The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99. - true
The Cisco ASA appliance supports Active/Active or Active/Standby failover. - true
The Cisco ASA appliance has no default MPF configurations. - false
The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls. - true
The Cisco ASA appliance supports user-based access control using 802.1x. - false
An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering. - false

31637. You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in before any actions can be taken when an attack matches that signature?

enabled - false
unretired - false
successfully compiled - false
successfully compiled and unretired - false
successfully compiled and enabled - false
unretired and enabled - false
enabled, unretired, and successfully compiled - true

31638. Which statement describes how the sender of the message is verified when asymmetric encryption is used?

The sender encrypts the message using the sender's public key, and the receiver decrypts the message using the sender's private key. - false
The sender encrypts the message using the sender's private key, and the receiver decrypts the message using the sender's public key. - true
The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the receiver's private key. - false
The sender encrypts the message using the receiver's private key, and the receiver decrypts the message using the receiver's public key. - false
The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the sender's public key. - false

31639. Which type of security control is defense in depth?

threat mitigation - true
risk analysis - false
botnet mitigation - false
overt and covert channels - false

31640. Which two options are two of the built-in features of IPv6? (Choose two.)

VLSM - false
native IPsec - true
controlled broadcasts - false
mobile IP - true
NAT - false

31641. Which option is a characteristic of the RADIUS protocol?

uses TCP - false
offers multiprotocol support - false
combines authentication and authorization in one process - true
supports bi-directional challenge - false

31642. When STP mitigation features are configured, where should the root guard feature be deployed?

toward ports that connect to switches that should not be the root bridge - true
on all switch ports - false
toward user-facing ports - false
Root guard should be configured globally on the switch. - false

31643. Which option is a characteristic of a stateful firewall?

can analyze traffic at the application layer - false
allows modification of security rule sets in real time to allow return traffic - true
will allow outbound communication, but return traffic must be explicitly permitted - false
supports user authentication - false

31644. Which type of NAT would you configure if a host on the external network required access to an internal host?

outside global NAT - false
NAT overload - false
dynamic outside NAT - false
static NAT - true

31645. Which two functions are required for IPsec operation? (Choose two.)

using SHA for encryption - false
using PKI for pre-shared-key authentication - false
using IKE to negotiate the SA - true
using AH protocols for encryption and authentication - false
using Diffie-Hellman to establish a shared-secret key - true

31646. Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

spam protection - true
outbreak intelligence - false
HTTP and HTTPS scanning - false
email encryption - true
DDoS protection - false

31647. Which option is a feature of Cisco ScanSafe technology?
spam protection - false
consistent cloud-based policy - true
DDoS protection - false
RSA Email DLP - false

31648. Which two characteristics represent a blended threat? (Choose two.)

man-in-the-middle attack - false
trojan horse attack - true
pharming attack - false
day zero attack - true

31649. Under which higher-level policy is a VPN security policy categorized?

application policy - false
DLP policy - false
remote access policy - true
compliance policy - false
corporate WAN policy - false

31650. What does level 5 in this enable secret global configuration mode command indicate?

router#enable secret level 5 password

The enable secret password is hashed using MD5. - false
The enable secret password is hashed using SHA. - false
The enable secret password is encrypted using Cisco proprietary level 5 encryption. - false
Set the enable secret command to privilege level 5. - true
The enable secret password is for accessing exec privilege level 5. - false

31651. Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products?

Cisco Configuration Professional - false
Security Device Manager - false
Cisco Security Manager - true
Cisco Secure Management Server - false

31652. Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?

2001::150c::41b1:45a3:041d - false
2001:0:150c:0::41b1:45a3:04d1 - false
2001:150c::41b1:45a3::41d - false
2001:0:150c::41b1:45a3:41d - true

31653. Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)
authenticating remote users who are accessing the corporate LAN through IPsec VPN connections - true
authenticating administrator access to the router console port, auxiliary port, and vty ports - true
implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates - false
tracking Cisco NetFlow accounting statistics - false
securing the router by locking down all unused services - false
performing router commands authorization using TACACS+ - true

31654. When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

group RADIUS - false
group TACACS+ - false
local - true
krb5 - false
enable - true
if-authenticated - false

31655. Which two characteristics of the TACACS+ protocol are true? (Choose two.)

uses UDP ports 1645 or 1812 - false
separates AAA functions - true
encrypts the body of every packet - true
offers extensive accounting capabilities - false
is an open RFC standard protocol - false

31656. Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?

nested object-class - false
class-map - false
extended wildcard matching - false
object groups - true

31657. Which statement about an access control list that is applied to a router interface is true?

It only filters traffic that passes through the router. - true
It filters pass-through and router-generated traffic. - false
An empty ACL blocks all traffic. - false
It filters traffic in the inbound and outbound directions. - false
