
Questions from C0achGreece with corrected answers discussed on the forum:

*Q01 Which next-generation encryption algorithm supports four variants?


A. SHA2
B. SHA1
C. MD5
D. HMAC
Answer: A

*Q02 Which type of malicious software can create a back‐door into a device or network?
A. worm
B. trojan
C. virus
D. bot
Answer: B

*Q03 Which attack can be prevented by OSPF authentication?


A. smurf attack
B. IP spoofing attack
C. buffer overflow attack
D. denial of service attack
Answer: D

*Q04 Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use
encryption?
A. authNoPriv
B. noAuthNoPriv
C. noAuthPriv
D. authPriv
Answer: A

*Q05 What are two advanced features of the Cisco AMP solution for endpoints? (Choose two)
A. reflection
B. foresight
C. sandboxing
D. contemplation
E. reputation
Answer: C, E

*Q06 What does the DH group refer to?


A. length of key hashing
B. length of key exchange
C. tunnel lifetime key
D. length of key for authentication
E. length of key for encryption
Answer: B

*Q07 In which two modes can the Cisco Web Security Appliance be deployed? (Choose two)
A. explicit proxy mode
B. as a transparent proxy using the Secure Sockets Layer protocol
C. as a transparent proxy using the Hyper Text Transfer Protocol
D. as a transparent proxy using the Web Cache Communication Protocol
E. explicit active mode
Answer: A, D

*Q08 Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that
are detected moving across other networks?
A. reputation‐based
B. signature‐based
C. antivirus scanning
D. policy‐based
Answer: A

*Q09 Which action does standard antivirus software perform as part of the file‐analysis process?
A. execute the file in a simulated environment to examine its behaviour
B. examine the execution instructions in the file
C. flag the unexamined file as a potential threat
D. create a backup copy of the file
Answer: B

*Q10 When you edit an IPS subsignature, what is the effect on the parent signature and the family of
signatures?
A. The change applies to the parent signature and the subsignature that you edit.
B. The change applies to the parent signature and the entire family of subsignatures.
C. The change applies only to subsignatures that are numbered sequentially after the subsignature
that you edit.
D. Other signatures are unaffected; the change applies only to the subsignature that you edit.
Answer: D

Q11 Which two ESA services are available for incoming and outgoing mails? (Choose two)
A. DLP
B. reputation filter
C. content filter
D. anti-DoS
E. antispam
Answer: C, E

Q12 Which EAP method uses Protected Access Credentials?


A. EAP-FAST
B. EAP-TLS
C. EAP-PEAP
D. EAP-GTC
Answer: A

*Q13 You have implemented a dynamic blacklist, using intelligence to block illicit network activity.
However, the blacklist contains several approved connections that users must access for business
purposes. Which action can you take to retain the blacklist while allowing users to access the
approved sites?
A. Disable the dynamic blacklist and create a static blacklist in its place.
B. Create a whitelist and manually add the approved addresses.
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the
others.
D. Edit the dynamic blacklist to remove the approved addresses.
Answer: B

*Q14 Which two configurations can prevent a VLAN hopping attack from attackers on VLAN 10?
(Choose two)
A. creating VLAN 99 and using switchport trunk native vlan 99 command on trunk ports
B. enabling BPDU guard on all access ports
C. using switchport trunk native vlan 10 command on trunk ports
D. using switchport nonegotiate command on dynamic desirable ports
E. applying ACL between VLANs
F. using switchport mode access command on all host ports
Answer: A, F

Q15 What is a limitation of network-based IPS?


A. It is unable to monitor attacks across the entire network.
B. It is most effective at the individual host level.
C. It must be individually configured to support every operating system on the network.
D. Large installations require numerous sensors to fully protect the network.
Answer: D

Q16 Which statement represents a difference between an access list on an ASA versus an access list
on a router?
A. The ASA does not support extended access lists
B. The ASA does not support number access lists
C. The ASA does not ever use a wildcard mask
D. The ASA does not support standard access lists
Answer: C

*Q17 Which three descriptions of RADIUS are true? (Choose three.)


A. It supports multiple transport protocols.
B. It uses TCP as its transport protocol.
C. Only the password is encrypted.
D. It uses UDP as its transport protocol.
E. It separates authentication, authorization and accounting.
F. It combines authentication and authorization.
Answer: C, D, F

*Q18 Which two models of ASA tend to be used in a data centre? (Choose two)
A. 5555X
B. ASA service module
C. 5585X
D. 5540
E. 5520
F. 5512X
Answer: B, C

*Q19 Which statement about interface and global access rules is true?
A. Interface access rules are processed before global access rules.
B. The implicit allow is processed after both the global and interface access rules.
C. If an interface access rule is applied, the global access rule is ignored.
D. Global access rules apply only to outbound traffic, but interface access rules can be applied in
either direction.
Answer: A

*Q20 Which security term refers to the likelihood that a weakness will be exploited to cause damage
to an asset?
A. threat
B. vulnerability
C. risk
D. countermeasure
Answer: C

*Q21 Which two descriptions of TACACS+ are true? (Choose two)


A. It uses TCP as its transport protocol.
B. It combines authentication and authorization.
C. Only the password is encrypted.
D. The TACACS+ header is unencrypted
E. It uses UDP as its transport protocol.
Answer: A, D

*Q22 Which term refers to the electromagnetic interference that can radiate from network cables?
A. emanations
B. multimode distortion
C. Gaussian distributions
D. Doppler waves
Answer: A

*Q23 Which mitigation technology for web-based threats prevents the removal of confidential data
from the network?
A. AMP
B. DLP
C. DCA
D. CTA
Answer: B

Q24 What are two limitations of the self-zone policies on a zone-based firewall? (Choose two)
A. They restrict SNMP traffic.
B. They are unable to implement application inspection.
C. They are unable to block HTTPS traffic.
D. They are unable to support HTTPS traffic.
E. They are unable to perform rate limiting.
Answer: B, E

*Q25 What are two default behaviours of the traffic on a zone-based firewall? (Choose two)
A. The CBAC rules that are configured on router interfaces apply to zone interfaces.
B. Communication is blocked between interfaces that are members of the same zone.
C. Traffic within self zone uses an implicit deny all
D. All traffic between zones is implicitly blocked.
E. Communication is allowed between interfaces that are members of the same zone.
Answer: D, E

*Q26 Which two statements about Hardware-Based encryption are true? (Choose two)
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost-effective
E. It requires minimal configuration
Answer: B, E

*Q27 Which path do you follow to enable AAA through the SDM?
A. Configure >Tasks >AAA
B. Configure > Authentication >AAA
C. Configure > Additional Authentication > AAA
D. Configure > Additional Tasks > AAA
E. Configure > AAA
Answer: D

*Q28 Refer to the exhibit. Which type of NAT is configured on a Cisco ASA?

A. dynamic NAT
B. source identity NAT
C. dynamic PAT
D. identity twice NAT
Answer: C

*Q29 When connecting to an external resource, you must change a source IP address to use one IP
address from a range of 207.165.201.1 to 207.165.201.30. Which option do you implement?
A. static destination NAT that uses a subnet as a real destination
B. dynamic source NAT that uses a range as a mapped source
C. dynamic source NAT that uses an IP address as a mapped source
D. static destination NAT that uses a subnet as a real source
Answer: B

*Q30 Refer to the exhibit. What is the effect of the given configuration?
A. It establishes the preshared key for the router
B. It establishes the preshared key for the switch
C. It establishes the preshared key for the firewall
D. It establishes the preshared key for the Cisco ISE appliance.
Answer: C

*Q31 In which type of attack does an attacker overwrite an entry in the CAM table to divert traffic
destined to a legitimate host?
A. MAC spoofing
B. ARP spoofing
C. CAM table overflow
D. DHCP spoofing
Answer: A

Q32 What is an advantage of split tunnelling?


A. It allows users with a VPN connection to a corporate network to access the Internet by using the
VPN for security
B. It enables the VPN server to filter traffic more efficiently.
C. It allows users with a VPN connection to a corporate network to access the Internet without
sending traffic across the corporate network.
D. It protects traffic on the private network from users on the public network.
Answer: C

*Q33 What does the policy map do in CoPP?


A. defines the action to be performed
B. defines packet selection parameters
C. defines the packet filter
D. defines service parameters
Answer: A

*Q34 What is the maximum number of methods that a single method list can contain?
A. 4
B. 3
C. 2
D. 5
Answer: A

*Q35 Which attack involves large numbers of ICMP packets with a spoofed source IP address?
A. Teardrop attack
B. smurf attack
C. Nuke attack
D. SYN Flood attack
Answer: B

*Q36 Which type of social engineering attack targets top executives?


A. baiting
B. vishing
C. whaling
D. spear phishing
Answer: C

Q37 Which command can you enter to verify the statistics of Cisco IOS resilient configuration on a Cisco
router?
A. show binary file
B. show secure bootset
C. secure boot-config
D. secure boot-image
Answer: B

*Q38 What aims to remove the ability to deny an action?


A. Integrity
B. Deniability
C. Accountability
D. Non-Repudiation
Answer: D

*Q39 You have just deployed SNMPv3 in your environment. Your manager asks you make sure that
your agents can only talk to the SNMP Manager. What would you configure on your SNMP agents to
satisfy this request?
A. Routing Filter with the SNMP managers in it applied outbound
B. A SNMP View containing the SNMP managers
C. A standard ACL containing the SNMP managers applied to the SNMP configuration.
D. A SNMP Group containing the SNMP managers
Answer: C

*Q40 Drag and drop each feature that can protect against DHCP attacks from the left onto the correct
description on the right.

Answer:

*Q41 (same as Q26) Which two statements about hardware-based encryption are true? (Choose two)
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost effective.
E. It requires minimal configuration.
Answer: B, E

*Q42 Which command do you enter to verify the Phase 1 status of a VPN connection?
A. debug crypto isakmp
B. sh crypto session
C. sh crypto isakmp sa
D. sh crypto ipsec sa
Answer: C

*Q43 What are two major considerations when choosing between a SPAN and a TAP when
implementing IPS? (Choose two)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled
Answer: A, C

*Q44 Which information can you display by executing the show crypto ipsec sa command?
A. proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers
Answer: B

Q45 Which command enables port security to use sticky MAC address on a switch?
A. switchport port-security
B. switchport port-security mac-address sticky
C. switchport port-security violation protect
D. switchport port-security violation restrict
Answer: B

Q46 When would you configure the ip dhcp snooping trust command on a switch?
A. when the switch is connected to DHCP server.
B. when the switch is connected to client system.
C. when the switch is serving as an aggregator.
D. when the switch is working in an edge capacity.
Answer: A

*Q47 Which IDS/IPS state misidentifies acceptable behaviour as an attack?


A. false positive
B. false negative
C. true positive
D. true negative
Answer: A

*Q48 How is management traffic isolated on a Cisco ASR 1002?


A. Traffic is isolated based upon how you configure routing on the device.
B. There is no management traffic isolation on a Cisco ASR 1002.
C. The management interface is configured in a special VRF that provides traffic isolation from the
default routing table.
D. Traffic isolation is done on the VLAN level.
Answer: C

SIM 1
In this simulation, you have access to ASDM only. Review the various ASA configurations using
ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations. To
access ASDM, click the ASA icon in the topology diagram.
Note: Not all ASDM functionalities are enabled in this simulation. To see all the menu options
available on the left navigation pane, you may also need to un-expand the expanded menu first.

*Q49 (SIM1 Q1) Which user authentication method is used when a user logs in to the Clientless
SSL VPN portal using https://209.165.201.2/test ?
A. Both Certificate and AAA with local database.
B. AAA with RADIUS server.
C. Both Certificate and AAA with RADIUS server.
D. AAA with LOCAL database.
E. Certificate.
Answer: D

Explanation: To verify, within the ASDM go to “Configuration” > “Remote Access VPN” >
“Clientless SSL VPN Access” > “Connection Profiles” and find the connection profile called
“clientless” for which alias “test” has been configured. You can see the authentication method for that
connection profile is AAA(LOCAL) leading us to answer “D” being the only correct choice:

*Q50 (SIM1 Q2) When users log in to the Clientless SSL VPN using https://209.165.201.2/test,
which group policy will be applied?
A. test
B. Sales
C. DefaultRAGroup
D. DefaultWEBVPNGroup
E. clientless
F. DFTGrpPolicy
Answer: B

Explanation: To verify, within the ASDM go to “Configuration” > “Remote Access VPN” >
“Clientless SSL VPN Access” > “Connection Profiles” and find the connection profile called
“clientless” for which alias “test” has been configured:
Highlight the name “clientless” and hit “Edit” to see that the Group Policy for that connection profile is
“Sales” which is leading us to answer “B” being the only correct choice:

*Q51 (SIM1 Q3) Which two statements regarding the ASA VPN configurations are correct?
(Choose two)
A. The Inside-SRV bookmark has not been applied to the Sales group policy.
B. The ASA has a certificate issued by an external Certificate Authority associated to the
ASDM_Trustpoint1.
C. The Inside-SRV bookmark references the https://10.2.1.1 URL.
D. Anyconnect, IPsec IKEv1 and IPsec IKEv2 VPN access is enabled on the outside interface.
E. Only Clientless SSL VPN access is allowed with the Sales group Policy.
F. The DefaultWEBVPNGroup Connection Profile is using the AAA with Radius server method.
Answer: E, F

Explanation: To verify, within the ASDM go to “Configuration” > “Remote Access VPN” >
“Clientless SSL VPN Access” > “Portal” > “Bookmarks” and find the bookmark called “Inside-SRV”.
You can see by looking at “Group Policies/DAPs/LOCAL Users Using the Bookmarks” that this
bookmark is applied to the group policy called “Sales” which proves the answer “A” is incorrect.

Next highlight the bookmark called “Inside-SRV” and hit “Edit” to see the bookmark’s referenced URL
of http://192.168.1.2 which proves the answer “C” is incorrect (in other dumps the answer “C”
references the correct URL of http://192.168.1.2. If that’s the case, then answer “C” would be the
correct choice here).

Next go to “Configuration” > “Remote Access VPN” > “Certificate Management” > “Identity
Certificates” to see there is a certificate with associated trustpoint of “ASDM_TrustPoint1” which
indicates the answer “B” is incorrect as it asks for “CA Certificate” not “Identity Certificate”. It would
make sense to go to “Configuration” > “Remote Access VPN” > “Certificate Management” > “CA
Certificates” to actually verify if the CA Certificate isn’t associated with “ASDM_TrustPoint1” too.

Next go to “Configuration” > “Remote Access VPN” > “Network (Client) Access” > “AnyConnect
Connection Profiles” and look at “Access Interfaces” section of the page to see that “Allow access” for
“IPSec (IKEv2) Access” isn’t selected for “outside” interface which proves the answer “D” isn’t correct.

Next go to “Configuration” > “Remote Access VPN” > “Clientless SSL VPN Access” > “Connection
Profiles”. Individually highlight each connection profile (“DefaultRAGroup”, “DefaultWEBVPNGroup”,
“clientless”) and hit “Edit” to verify the default group policy. You can see the only connection profile
associated with “Sales” group policy is “clientless” which proves the answer “E” is the correct choice.

Next go to “Configuration” > “Remote Access VPN” > “Clientless SSL VPN Access” > “Connection
Profiles” and find the connection profile called “DefaultWEBVPNGroup”. You can see the
authentication method for that connection profile is AAA(RAD) (AAA with Radius server) which proves
the answer “F” is the correct choice here.

*Q52 (SIM1 Q4) Which four tunnelling protocols are enabled in the DfltGrpPolicy group policy?
(Choose four)
A. IPsec IKEv1
B. IPsec IKEv2
C. L2TP/IPsec
D. Clientless SSL VPN
E. SSL VPN Client
F. PPTP
Answer: A, B, C, D

Explanation: To verify, within the ASDM go to “Configuration” > “Remote Access VPN” >
“Clientless SSL VPN Access” > “Group Policies”. Find the group policy called “DfltGrpPolicy” and
look for tunnelling protocols configured (ikev1;ikev2;ssl-clientless;l2tp-ipsec) which are leading us to
answers “A”, “B”, “C” & “D” being the correct choices.

*Q53 There are two versions of IKE: IKEv1 and IKEv2. Both the IKEv1 and IKEv2 protocols operate in phases.
IKEv1 operates in two phases. IKEv2 operates in how many phases?
A. 2
B. 3
C. 4
D. 5
Answer: A

Q54 Which command successfully creates an administrative user with a password of "cisco" on a
Cisco router?
A. username Operator privilege 7 password Cisco
B. username Operator privilege 1 password Cisco
C. username Operator privilege 15 password Cisco
D. username Operator password cisco privilege 15
Answer: C

*Q55 Which IPS detection method examines network traffic for preconfigured patterns?
A. signature-based detection
B. policy-based detection
C. anomaly-based detection
D. honey-pot detection
Answer: A

*Q56 What is the main purpose of Control Plane Policing?


A. to prevent exhaustion of route-processor resources.
B. to define traffic classes.
C. to organize the egress packet queues.
D. to maintain the policy map.
Answer: A

*Q57 What action must you take on the ISE to blacklist a wired device?
A. Issue a COA request for the device’s MAC address to each access switch in the network.
B. Add the device’s MAC address to a list of blacklisted devices.
C. Locate the switch through which the device is connected and push an ACL restricting all access by
the device.
D. Revoke the device’s certificate so it is unable to authenticate to the network.
Answer: B

*Q58 Which term is most closely aligned with the basic purpose of a SIEM solution?
A. Causality
B. Accountability
C. Non-Repudiation
D. Repudiation
Answer: B

*Q59 Which statement about the native VLAN is true?


A. It is the Cisco-recommended VLAN for user traffic.
B. It is most secure when it is assigned to VLAN1.
C. It is susceptible to VLAN hopping attacks.
D. It is the Cisco recommended VLAN for switch-management traffic.
Answer: C

*Q60 How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them
into RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates
them into RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates
them into EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates
them into EAP and forwards them to the authentication server.
Answer: B

Q61 Drag and drop the steps to configure a WSA from the left into the correct order on the right.

Answer:

Q62 Which IKE phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared
key?
A. group
B. hash
C. authentication
D. encryption
Answer: C

*Q63 How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Configure twice NAT instead of object NAT.
B. Add the no-proxy-arp command to the nat line.
C. Assign the output interface in the NAT statement.
D. Use packet-tracer rules to reroute misrouted NAT entries.
Answer: C

*Q64 What is the minimum Cisco IOS version that supports zone-based firewalls?
A. 12.4(6)T
B. 15.1
C. 15.0
D. 12.1T
Answer: A

*Q65 Which type of firewall can perform deep packet inspection?


A. stateless firewall
B. packet-filtering firewall
C. application firewall
D. personal firewall
Answer: C

*Q66 What is the best definition of hairpinning?


A. traffic that enters and exits a device through the same interface
B. traffic that tunnels through a device interface
C. traffic that enters one interface on a device and that exits through another interface
D. ingress traffic that traverses the outbound interface on a device
Answer: A

*Q67 What are two features of transparent firewall mode? (Choose two)
A. It allows some traffic that is blocked in routed mode.
B. It conceals the presence of the firewall from attackers.
C. It is configured by default.
D. It acts as a routed hop in the network.
E. It enables the ASA to perform as a router.
Answer: A, B

Questions from ‘new question ccna security_yako.pdf’ with corrected answers discussed on
the forum.

Q1 How does the Cisco ASA use Active Directory to authorize VPN users?
A. It queries the Active Directory server for a specific attribute for the specific user
B. It sends the username and password to retrieve an ACCEPT or Reject message from the Active
Directory server
C. It downloads and stores the Active Directory database to query for future authorization
D. It redirects requests to the Active Directory server defined for the VPN group
Answer: A

Q2 Which three statements about host-based IPS are true? (Choose three)
A. It can view encrypted files
B. It can be deployed at the perimeter
C. It uses signature-based policies
D. It can have more restrictive policies than network-based IPS
E. It works with deployed firewalls
F. It can generate alerts based on behaviour at the desktop level.
Answer: A, D, F

Q3 If a router configuration includes the line aaa authentication login default group tacacs+
enable, which events will occur when the TACACS+ server returns an error? (Choose two)
A. The user will be prompted to authenticate using the enable password
B. Authentication attempts to the router will be denied
C. Authentication will use the router's local database
D. Authentication attempts will be sent to the TACACS+ server
Answer: A, D

Q4 Which encryption technology has the broadest platform support to protect operating systems?
A. middleware
B. hardware
C. software
D. file-level
Answer: C

*Q5 Which technology can be used to rate data fidelity and to provide an authenticated hash for data?
A. network blocking
B. signature updates
C. file analysis
D. file reputation
Answer: D

Q6 Your security team has discovered a malicious program that has been harvesting the CEO’s email
messages and the company’s user database for the last 6 months. What type of attack did your team
discover? (Choose two)
A. social activism
B. drive-by spyware
C. targeted malware
D. advanced persistent threat
E. polymorphic virus
Answer: C, D

Q7 If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down
B. STP loops may occur
C. The switch with the higher native VLAN may shut down
D. The interface with the lower native VLAN may shut down
Answer: B

*Q8 Which type of firewall can perform deep packet inspection?


A. application firewall
B. stateless firewall
C. packet-filtering firewall
D. personal firewall
Answer: A

*Q9 When using Cisco cloud web protection, in which case is proxy scanning skipped?
A. When connected by wired connection.
B. When connected using WPA2 connection.
C. When connected to trusted corporate network.
D. When connected via VPN with proxy scanning skipped service.
Answer: C

*Q10 Which effect of the secure boot-image command is true?


A. It configures the device to boot to secure IOS image
B. It displays the status of the bootset
C. It archives a secure copy of the IOS image
D. It archives a secure copy of the device configuration
Answer: C

*Q11 On which operating system does the Cisco Email Security Appliance run?
A. Cisco IOS XR
B. Cisco IOS XE
C. Cisco AsyncOS
D. Cisco NX-OS
E. Cisco ESA-OS
Answer: C

*Q12 You are configuring an IPS that must be able to react to potential attack. Which deployment
method do you use?
A. Passive deployment that uses failsafe
B. Passive deployment that uses tap mode
C. Inline deployment that uses a SPAN
D. Transparent Inline Mode
Answer: D

*Q13 Drag and drop each port-security violation mode from the left onto the corresponding action on
the right.

Answer:

Q14 Refer to the exhibit. You notice the error message in the syslog. Which command do you enter
on the switch to gather more information?

A. show ip dhcp snooping binding
B. show mac address-table
C. show ip arp
D. show ip source binding
Answer: A

*Q15 Which two statements about STP attacks are true? (Choose two)
A. The attacker sets up a rogue DHCP server to intercept requests
B. They can be performed only when Cisco Discovery protocol is running
C. They can be mitigated by disabling STP
D. They can create the opportunity for subsequent man-in-the-middle attacks
E. The attacker sends BPDU messages to become the root bridge
F. They can be executed only from a hub
Answer: D, E

*Q16 Which statement about TACACS+ is true?


A. TACACS+ is used for user access to network resources more than administrative access to
network devices.
B. All data that is transmitted between the client and TACACS+ server is cleartext.
C. TACACS+ server listens on UDP port 1813 for accounting.
D. TACACS+ is more flexible than RADIUS because it separates all AAA into individual processes.
E. Passwords are transmitted between the client and server using MD5 hashing.
Answer: D

*Q17 You are configuring a site-to-site tunnel between two Cisco routers by using IPsec. Which option
do you set to specify the peer to which you want to connect?
A. IP address by using a crypto map
B. IP address of tunnel destination
C. Tunnel group that has a peer IP address
D. IP address as part of the ISAKMP configuration
Answer: A

*Q18 Which types of malware spread and infect? (Choose two)


A. bot
B. trojan
C. virus
D. worm
E. backdoor
Answer: C, D

*Q19 How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC
service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
B. Block suspicious hosts from DCE/RPC port 593.
C. Tunnel DCE/RPC traffic through GRE.
D. Configure the DCE/RPC preprocessor.
Answer: D

*Q20 Which 802.1x component enforces the network access policy?


A. RADIUS Server
B. Authentication server
C. Supplicant
D. Authenticator
Answer: D

*Q21 Which two advantages does the on-premise model for MDM deployment have over the cloud-
based model? (Choose two)
A. The on-premise model is easier and faster to deploy than the cloud-based model
B. The on-premise model is more scalable than the cloud-based model
C. The on-premise model is generally less expensive than the cloud-based model
D. The on-premise model provides more control of the MDM solution than the cloud-based model
E. The on-premise model generally has less latency than the cloud-based model
Answer: D, E

*Q22 How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them
into RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates
them into RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates
them into EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates
them into EAP and forwards them to the authentication server.
Answer: B

*Q23 Which two actions can an end user take to manage a lost or stolen device in Cisco ISE?
(Choose two)
A. Activate Cisco ISE Endpoint Protection Services to quarantine the device
B. Add the MAC addresses of the device to a list of blacklisted devices
C. Force the device to be locked with a PIN
D. Request revocation of the digital certificate of the device
E. Reinstate a device that the user previously marked as lost or stolen
Answer: C, E

*Q24 How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Assign the output interface in the NAT statement
B. Add the no-proxy-arp command to the nat line
C. Configure twice NAT instead of object NAT
D. Use packet-tracer rules to reroute misrouted NAT entries
Answer: A

Questions from PassLeader with corrected answers discussed on the forum.

[July-2018] – Answers not verified

Q391 What are characteristics of the RADIUS protocol? (Choose two)


A. Uses TCP port 49
B. Uses UDP Port 49
C. Uses TCP 1812/1813
D. Uses UDP 1812/1813
E. Combines authentication and authorization
Answer: D, E

Q392 Which command makes sure that AAA authentication is configured and that the
user can access the exec level to configure?
A. AAA authentication enable default local
B. AAA authentication enable local
C. AAA authentication enable tacacs+ default
Answer: A

Q393 Which primary security attributes can be achieved by BYOD Architecture? (Choose two)
A. Trusted enterprise network
B. public wireless network
C. checking compliance with policy
D. pushing patches
Answer: A, C

Q394 A user reports difficulties accessing certain external web pages. When examining traffic to and
from the external domain in full packet captures, you notice many SYNs that have the same sequence
number, source, and destination IP address, but have different payloads. Which problem is a possible
explanation of this situation?
A. insufficient network resources
B. failure of full packet capture solution
C. misconfiguration of web filter
D. TCP injection
Answer: D

Q395 What is the primary purpose of the Integrated Services Routers (ISR) in the BYOD solution?
A. Provide connectivity in the home office environment back to the corporate campus
B. Provide WAN and Internet access for users on the corporate campus
C. Enforce firewall-type filtering in the data centre
D. Provide connectivity for the mobile phone environment back to the corporate campus
Answer: A

Q396 Which is not a function of mobile device management (MDM)?


A. Enforce strong passwords on BYOD devices
B. Deploy software updates to BYOD devices
C. Remotely wipe data from BYOD devices
D. Enforce data encryption requirements on BYOD devices
Answer: B

Q397 The purpose of the certificate authority (CA) is to ensure what?


A. BYOD endpoints are posture checked
B. BYOD endpoints belong to the organization
C. BYOD endpoints have no malware installed
D. BYOD users exist in the corporate LDAP directory
Answer: B

Q398 The purpose of the RSA SecureID server/application is to provide what?


A. Authentication, authorization, accounting (AAA) functions
B. One-time password (OTP) capabilities
C. 802.1X enforcement
D. VPN access
Answer: B

Q399 What does ASA Transparent mode support?


A. It supports OSPF.
B. It supports the use of dynamic NAT.
C. IP for each interface.
D. Requires a management IP address.
Answer: B

Q400 What will happen to traffic if a zone pair is created but no policy is applied?
A. All traffic will be dropped.
B. All traffic will be passed with logging.
C. All traffic will be passed without logging.
D. All traffic will be inspected.
Answer: A

Q401 Which Cisco IOS device supports firewall, antispyware, anti-phishing protection, etc.?
A. Cisco IOS router
B. Cisco 4100 IOS IPS appliance
C. Cisco 5500 series ASA
D. Cisco 5500x next generation ASA
Answer: D

Q402 What configurations are under crypto map? (Choose two)


A. set peer
B. set host
C. set transform-set
D. interface
Answer: A, C

Q403 Which two options are Private-VLAN secondary VLAN types? (Choose two)
A. Isolated
B. Secured
C. Community
D. Common
E. Segregated
Answer: A, C

Q404 Which type of VLANs can communicate to PVLANs? (or something like this) (Choose two)
Which two are valid types of VLANs using PVLANs? (choose two)
A. promiscuous
B. isolated
C. community
D. backup
E. secondary
Answer: B, C

Q405 What protocol provides CIA?
A. AH
B. ESP
C. IKEv1
D. IKEv2
Answer: B

Q406
Drag the recommendations on the left to the Cryptographic Algorithms on the right. Options will be
used more than once.
Answer:

[Oct-2018] – Answers not verified

Q440 What are two reasons to recommend SNMPv3 over SNMPv2? (Choose two)
A. SNMPv3 is secure because you can configure authentication and privacy.
B. SNMPv3 is a Cisco proprietary protocol.
C. SNMPv2 is secure because you can configure authentication and privacy.
D. SNMPv2 is insecure because it sends information in clear text.
E. SNMPv3 is insecure because it sends information in clear text.
Answer: A, D

Q441 Which two are valid types of VLANs using PVLANs? (Choose two)
A. Backup VLAN
B. Secondary VLAN
C. Promiscuous VLAN
D. Community VLAN
E. Isolated VLAN
Answer: D, E

Q442 Refer to the exhibit. Which area represents the data centre?
A. A
B. B
C. C
D. D
Answer: A

Q443 Which security principle has been violated if data is altered in an unauthorized manner?
A. accountability
B. availability
C. confidentiality
D. integrity
Answer: D

Q444 Which two actions can a zone-based firewall apply to a packet as it transits a zone pair?
(Choose two)
A. drop
B. inspect
C. queue
D. quarantine
E. block
Answer: A, B

*Q445 Which information can you display by executing the show crypto ipsec sa command?
A. proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers
Answer: B

Q446 Which command can you enter to configure OSPF to use hashing to authenticate routing
updates?
A. ip ospf authentication message-digest
B. ip ospf priority 1
C. neighbor 192.168.0.112 cost md5
D. ip ospf authentication-key
Answer: A

*Q447 How is management traffic isolated on a Cisco ASR 1002?


A. Traffic is isolated based upon how you configure routing on the device.
B. There is no management traffic isolation on a Cisco ASR 1002.
C. The management interface is configured in a special VRF that provides traffic isolation from the
default routing table.
D. Traffic isolation is done on the VLAN level.
Answer: C

Q448 Which statement about traffic inspection using the Cisco Modular Policy Framework on the ASA
is true?
A. HTTP inspection is supported with Cloud Web Security inspection.
B. QoS policing and QoS priority queuing can be configured for the same traffic.
C. ASA with FirePOWER supports HTTP inspection.
D. Traffic can be sent to multiple modules for inspection.
Answer: A

Q449 Which feature can help a router or switch maintain packet forwarding and protocol states
despite an attack or heavy traffic load on the router or switch?
A. Control Plane Policing
B. Policy Map
C. Service Policy
D. Cisco Express Forwarding
Answer: A

*Q450 Refer to the exhibit. What is the effect of the given configuration?
A. The two routers receive normal updates from one another.
B. It enables authentication.
C. It prevents keychain authentication.
D. The two devices are able to pass the message digest to one another.
Answer: B

[April-2019] – Answers verified

Q474 Which two actions can an end user take to manage a lost or stolen device in Cisco ISE?
(Choose two)
A. Reinstate a device that the user previously marked as lost or stolen.
B. Activate Cisco ISE Endpoint Protection Services to quarantine the device.
C. Request revocation of the digital certificate of the device.
D. Add the MAC address of the device to a list of blacklisted devices.
E. Force the device to be locked with a PIN.
Answer: A, E

*Q475 What are two default behaviours of the traffic on a zone based firewall? (Choose two)
A. The CBAC rules that are configured on router interfaces apply to zone interfaces.
B. Communication is blocked between interfaces that are members of the same zone.
C. Traffic within the self zone uses an implicit deny all.
D. All traffic between zones is implicitly blocked.
E. Communication is allowed between interfaces that are members of the same zone.
Answer: D, E

Q476 What is an advantage of split tunnelling?


A. It allows users with a VPN connection to a corporate network to access the Internet by using the
VPN for security.
B. It enables the VPN server to filter traffic more efficiently.
C. It allows users with a VPN connection to a corporate network to access the Internet without
sending traffic across the corporate network.
D. It protects traffic on the private network from users on the public network.
Answer: C

*Q477 Which IDS/IPS state misidentifies acceptable behaviour as an attack?


A. false positive
B. false negative
C. true positive
D. true negative
Answer: A

*Q478 Which type of social engineering attack targets top executives?


A. baiting
B. vishing
C. whaling
D. spear phishing
Answer: C

Q479 Which type of firewall monitors and protects a specific system?


A. proxy firewall
B. stateless firewall
C. application firewall
D. personal firewall
Answer: D

Q480 On an ASA, which maps are used to identify traffic?


A. Policy maps
B. Class maps
C. Route maps
D. Service maps
Answer: B

Q481 Which two roles of the Cisco WSA are true? (Choose two)
A. web proxy
B. URL filter
C. antispam
D. IPS
E. firewall
Answer: A, B

*Q482 Which command do you enter to verify the Phase 1 status of a VPN connection?
A. debug crypto isakmp
B. show crypto session
C. show crypto isakmp sa
D. show crypto ipsec sa
Answer: C

*Q483 Which command enables authentication at the OSPFv2 routing process level?
A. area 0 authentication message-digest
B. area 0 authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
C. ip ospf authentication message-digest
D. ip ospf message-digest-key 1 md5 C1sc0!
Answer: A

*Q484 What is the maximum number of methods that a single method list can contain?
A. 4
B. 3
C. 2
D. 5
Answer: A

*Q485 Which IPS detection method examines network traffic for preconfigured patterns?
A. signature-based detection
B. policy-based detection
C. anomaly-based detection
D. honey-pot detection
Answer: A

[May-2019] – Answers not verified

Q491 Which adverse consequence can occur on a network without BPDU guard?
A. The oldest switch can be elected as the root bridge.
B. Unauthorized switches that are connected to the network can cause spanning-tree loops.
C. Double tagging can cause the switches to experience CAM table overload.
D. Rogue switches can be difficult to detect.
Answer: B

Q492 Which two 802.1x features can you enable by running the IOS authentication priority
command? (Choose two)
A. forced authorized port state
B. Telnet authentication
C. automatic selection
D. Web authentication
E. MAC authentication bypass
Answer: D, E

Q493 If a personal firewall specifically blocks NTP, which type of blocking is the firewall performing?
A. service
B. file
C. application
D. network
Answer: C

Q494 Which two problems can arise when a proxy firewall serves as the gateway between networks?
(Choose two)
A. It can cause reduced throughput.
B. It is unable to prevent direct connections to other networks.
C. It can prevent content caching.
D. It is unable to provide antivirus protection.
E. It can limit application support.
Answer: A, E

Q495 What command could you implement in the firewall to conceal the internal IP address?
A. no source-route
B. no cdp run
C. no broadcast
D. no proxy-arp
Answer: D

*Q496 Which two configurations can prevent VLAN hopping attack from attackers at VLAN 10?
(Choose two)
A. creating VLAN 99 and using switchport trunk native vlan 99 command on trunk ports
B. using switchport trunk native vlan 10 command on trunk ports
C. using switchport mode access command on all host ports
D. enabling BPDU guard on all access ports
E. using switchport nonegotiate command on dynamic desirable ports
F. applying ACL between VLANs
Answer: A, C

*Q497 What aims to remove the ability to deny an action?


A. integrity
B. deniability
C. accountability
D. non-repudiation
Answer: D

Q498 What are two direct methods for redirecting web traffic to Cisco Web Security? (Choose two)
A. Cisco ISE
B. 3rd party proxies
C. PAC file
D. NAC
Answer: B, C

Q499 What is a network IPS limitation?


A. Large network deployments require numerous sensors.
B. Unable to monitor attacks across entire network.
C. Something not useful.
D. Something useful.
Answer: A

*Q500 Which next-generation encryption algorithms support four variants?


A. SHA2
B. SHA1
C. MD5
D. HMAC
Answer: A

Q501 For SNMPv3 access control, how do you control access of clients and managers? (Choose two)
A. routing filtering
B. create access list
C. make managers view
D. authentication
Answer: B, D

Q502 Which encryption protocol is used for MPLS VPN confidentiality...?


A. IPsec
B. SSL
C. AES
D. 3DES
Answer: A

Q503 Why does ISE require its own certificate issued by a trusted CA?
A. The ISE certificate allows guest devices to validate it as a trusted network device.
B. The ISE certificate allows it to join the network security framework.
C. It requests certificates for guest devices from the CA server based on its own certificate.
D. It generates certificates for guest devices based on its own certificate.
Answer: A

*Q504 Which term is most closely aligned with the basic purpose of a SIEM solution?
A. Causality
B. Accountability
C. Non-Repudiation
D. Repudiation
Answer: B

*Q505 What are two features of transparent firewall mode? (Choose two)
A. It enables the ASA to perform as a router.
B. It acts as a routed hop in the network.
C. It is configured by default.
D. It conceals the presence of the firewall from attackers.
E. It allows some traffic that is blocked in routed mode.
Answer: D, E

[Oct-2019] – Answers verified

*Q522 Which path do you follow to enable AAA through the SDM?
A. Configure > Tasks > AAA
B. Configure > Authentication > AAA
C. Configure > Additional Authentication > AAA
D. Configure > Additional Tasks > AAA
E. Configure > AAA
Answer: D

*Q523 What aims to remove the ability to deny an action?


A. Integrity
B. Deniability
C. Accountability
D. Non-Repudiation
Answer: D

*Q524 In which two modes can the Cisco Web Security Appliance be deployed? (Choose two)
A. as a transparent proxy using the Secure Sockets Layer Protocol
B. as a transparent proxy using the HyperText Transfer Protocol
C. explicit active mode
D. as a transparent proxy using the Web Cache Communication Protocol
E. explicit proxy mode
Answer: D, E

*Q525 Which two statements about hardware-based encryption are true? (Choose two)
A. It is potentially easier to compromise than software-based encryption.
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.
Answer: B, C

*Q526 What is the main purpose of Control Plane Policing?


A. to prevent exhaustion of route-processor resources
B. to organize the egress packet queues
C. to define traffic classes
D. to maintain the policy map
Answer: A

*Q527 What is the best definition of hairpinning?


A. ingress traffic that traverses the outbound interface on a device
B. traffic that enters and exits a device through the same interface
C. traffic that enters one interface on a device and that exits through another interface
D. traffic that tunnels through a device interface
Answer: B

*Q528 How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC
service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
B. Block suspicious hosts from DCE/RPC port 593.
C. Tunnel DCE/RPC traffic through GRE.
D. Configure the DCE/RPC preprocessor.
Answer: D

*Q529 Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use
encryption?
A. authPriv
B. authNoPriv
C. noAuthPriv
D. noAuthNoPriv
Answer: B

*Q530 Which type of firewall can perform deep packet inspection?


A. application firewall
B. stateless firewall
C. packet-filtering firewall
D. personal firewall
Answer: A

*Q531 Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that
are detected moving across other networks?
A. signature-based
B. reputation-based
C. antivirus scanning
D. policy-based
Answer: B

*Q532 You have implemented a dynamic blacklist, using security intelligence to block illicit network
activity. However, the blacklist contains several approved connections that users must access for
business purposes. Which action can you take to retain the blacklist while allowing users to access
the approved sites?
A. Create a whitelist and manually add the approved addresses.
B. Edit the dynamic blacklist to remove the approved addresses.
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the
others.
D. Disable the dynamic blacklist and create a static blacklist in its place.
Answer: A

Q533 Which command enables port security to use sticky MAC addresses on a switch?
A. switchport port-security mac-address sticky
B. switchport port-security
C. switchport port-security violation protect
D. switchport port-security violation restrict
Answer: A

*Q534 Which attack can be prevented by OSPF authentication?


A. smurf attack
B. IP spoofing attack
C. Denial of service attack
D. buffer overflow attack
Answer: C

*Q535 Which mitigation technology for web-based threats prevents the removal of confidential data
from the network?
A. CTA
B. AMP
C. DLP
D. DCA
Answer: C

[Nov-2019] – Answers verified

*Q538 Which component of a security zone firewall policy defines how traffic is handled?
A. ACL
B. Service policy
C. Policy map
D. Class map
Answer: C

*Q539 Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only
one that does not have to exactly match between VPN peers to be accepted?
A. DH group
B. Hashing algorithm
C. Encryption algorithm
D. Digital signature
E. Authentication method
F. Lifetime
Answer: F

*Q540 What is the range of levels provided by the Privilege command?


A. 0-16
B. 0-15
C. 1-16
D. 1-14
E. 0-14
F. 1-15
Answer: B

*Q541 You are configuring an IPS that must be able to react to a potential attack. Which deployment
do you use?
A. Passive deployment that uses tap mode.
B. Transparent inline mode.
C. Passive deployment that uses failsafe.
D. Inline deployment that uses a SPAN.
Answer: B

*Q542 Which two types of malware can self-replicate and spread? (Choose two)
A. Backdoors
B. Worms
C. Viruses
D. Trojans
E. Bots
Answer: B, C

*Q543 In a Cisco Cloud Web Security environment, when can network traffic bypass the scanning
proxies?
A. When the client is on a trusted corporate network.
B. When the client is connected to a VPN service that bypasses proxies.
C. When the client is connected to a WPA2 Enterprise network.
D. When the client is connected to a wired network.
Answer: A

*Q544 Which option is the logical container used to maintain information about the connections going
through a Cisco ASA firewall?
A. State table
B. NAT table
C. Routing table
D. Cisco Express Forwarding table
Answer: A

*Q545 On which operating system does the Cisco Email Security Appliance run?
A. Cisco ESA-OS
B. Cisco AsyncOS
C. Cisco IOS XE
D. Cisco IOS XR
E. Cisco NX-OS
Answer: B

*Q546 Which statement about TACACS+ is true?


A. Passwords are transmitted between the client and server using MD5 hashing.
B. TACACS is more flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS is used for access to network resources more than administrator access to network
devices.
D. TACACS server listens on UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: B

*Q547 Which effect of the secure boot-image command is true?


A. It configures the device to boot to the secure IOS image.
B. It archives a secure copy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.
Answer: C

*Q548 Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyses the actual packets as they pass through the system.
D. It can analyse events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: D, E

*Q549 How will a stateful firewall handle an inbound packet that it receives and cannot match in its
state table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: D

*Q550 Which 802.1x component enforces the network access policy?


A. authentication server
B. authenticator
C. RADIUS server
D. supplicant
Answer: B

*Q551 Drag and drop each port-security violation mode from the left onto the corresponding action on
the right.
Answer:

Other Drag&Drop Questions

Q1 Drag functions on the left to the corresponding fields on the right (HIPS – Host-based IPS; NIPS –
Network-based IPS)

Answer:
