ccna security 640-554 qa

Upload: marius-constantin

Post on 28-Feb-2018


  • 7/25/2019 CCNA Security 640-554 QA


    QUESTION 1

    Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

    A. spam protection

    B. outbreak intelligence

    C. HTTP and HTTPS scanning

    D. email encryption

    E. DDoS protection

    Correct Answer: AD

    QUESTION 2

    Which option is a feature of Cisco ScanSafe technology?

    A. spam protection

    B. consistent cloud-based policy

    C. DDoS protection

    D. RSA Email DLP

    Correct Answer: B

    QUESTION 3

    Which two characteristics represent a blended threat? (Choose two.)

    A. man-in-the-middle attack

    B. trojan horse attack

    C. pharming attack

    D. denial of service attack

    E. day zero attack

    Correct Answer: BE

    QUESTION 4

    Under which higher-level policy is a VPN security policy categorized?

    A. application policy

    B. DLP policy

    C. remote access policy

    D. compliance policy

    E. corporate WAN policy

    Correct Answer: C

    QUESTION 5

    Refer to the exhibit. What does the option secret 5 in the username global configuration mode command indicate about the user password?

    A. It is hashed using SHA.

    B. It is encrypted using DH group

    C. It is hashed using MD5.

    D. It is encrypted using the service password-encryption command.

    E. It is hashed using a proprietary Cisco hashing algorithm.

    F. It is encrypted using a proprietary Cisco encryption algorithm.

    Correct Answer: C

    QUESTION 6

    What does level 5 in this enable secret global configuration mode command indicate?

    A. router#enable secret level 5 password

    B. The enable secret password is hashed using MD5.

    C. The enable secret password is hashed using SHA.

    D. The enable secret password is encrypted using Cisco proprietary level 5 encryption.

    E. Set the enable secret command to privilege level 5.

    F. The enable secret password is for accessing exec privilege level 5.

    Correct Answer: E

    QUESTION 7

    Which Cisco management tool provides the ability to centrally provision all aspects of device configuration across the Cisco family of security products?

    A. Cisco Configuration Professional

    B. Security Device Manager

    C. Cisco Security Manager

    D. Cisco Secure Management Server

    Correct Answer: C

    QUESTION 8

    Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?

    A. 2001::150c::41b1:45a3:041d

    B. 2001:0:150c:0::41b1:45a3:04d1

    C. 2001:150c::41b1:45a3::41d

    D. 2001:0:150c::41b1:45a3:41d

    Correct Answer: D

    QUESTION 9

    Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)

    A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

    B. authenticating administrator access to the router console port, auxiliary port, and vty ports

    C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates

    D. tracking Cisco NetFlow accounting statistics

    E. securing the router by locking down all unused services

    F. performing router commands authorization using TACACS+

    Correct Answer: ABF

    QUESTION 10

    When AAA login authentication is configured on Cisco routers, which two authentication methods should be used as the final method to ensure that the administrator can still log in to the router in case the external AAA server fails? (Choose two.)

    A. group RADIUS

    B. group TACACS+

    C. local

    D. krb5

    E. enable

    F. if-authenticated

    Correct Answer: CE

    QUESTION 11

    Which two characteristics of the TACACS+ protocol are true? (Choose two.)

    A. uses UDP ports 1645 or 1812

    B. separates AAA functions

    C. encrypts the body of every packet

    D. offers extensive accounting capabilities

    E. is an open RFC standard protocol

    Correct Answer: BC

    QUESTION 12

    Refer to the exhibit. Which statement about this output is true?

    A. The user logged into the router with the incorrect username and password.

    B. The login failed because there was no default enable password.

    C. The login failed because the password entered was incorrect.

    D. The user logged in and was given privilege level 15.

    Correct Answer: C

    QUESTION 13

    Refer to the exhibit. Which traffic is permitted by this ACL?

    A. TCP traffic sourced from any host in the [email protected] subnet on any port to host 192.168.1.2 port 80 or 443

    B. TCP traffic sourced from host [email protected] on port 80 or 443 to host 192.168.1.2 on any port

    C. any TCP traffic sourced from host [email protected].30 destined to host 192.168.1.1

    D. any TCP traffic sourced from host [email protected] to host 192.168.1.2

    Correct Answer: C

    QUESTION 14

    Refer to the exhibit. Which statement about this partial CLI configuration of an access control list is true?

    A. The access list accepts all traffic on the 10.0.0.0 subnets.

    B. All traffic from the 10.10.0.0 subnets is denied.

    C. Only traffic from 10.10.0.10 is allowed.

    D. This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard mask.

    E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other 10.0.0.0 subnets also is allowed.

    F. The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.

    Correct Answer: E

    QUESTION 15

    Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?

    A. nested object-class

    B. class-map

    C. extended wildcard matching

    D. object groups

    Correct Answer: D

    QUESTION 16

    Which statement about an access control list that is applied to a router interface is true?

    A. It only filters traffic that passes through the router.

    B. It filters pass-through and router-generated traffic.

    C. An empty ACL blocks all traffic.

    D. It filters traffic in the inbound and outbound directions.

    Correct Answer: A

    QUESTION 17

    You have been tasked by your manager to implement syslog in your network. Which option is an important factor to consider in your implementation?

    A. Use SSH to access your syslog information.

    B. Enable the highest level of syslog function available to ensure that all possible event messages are logged.

    C. Log all messages to the system buffer so that they can be displayed when accessing the router.

    D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

    Correct Answer: D

    QUESTION 18

    Which protocol secures router management session traffic?

    A. SSTP

    B. POP

    C. Telnet

    D. SSH

    Correct Answer: D

    QUESTION 19

    Which two considerations about secure network management are important? (Choose two.)

    A. log tampering

    B. encryption algorithm strength

    C. accurate time stamping

    D. off-site storage

    E. Use RADIUS for router commands authorization.

    F. Do not use a loopback interface for device management access.

    Correct Answer: AC

    QUESTION 20

    Which command enables Cisco IOS image resilience?

    A. secure boot-<IOS image filename>

    B. secure boot-running-config

    C. secure boot-start

    D. secure boot-image

    Correct Answer: D

    QUESTION 21

    Which router management feature provides for the ability to configure multiple administrative views?

    A. role-based CLI

    B. virtual routing and forwarding

    C. secure config privilege {level}

    D. parser view view name

    Correct Answer: A

    QUESTION 22

    You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic from multiple VLANs, which allows the attacker to capture potentially sensitive data. Which two methods will help to mitigate this type of activity? (Choose two.)

    A. Turn off all trunk ports and manually configure each VLAN as required on each port.

    B. Place unused active ports in an unused VLAN.

    C. Secure the native VLAN, VLAN 1, with encryption.

    D. Set the native VLAN on the trunk ports to an unused VLAN.

    E. Disable DTP on ports that require trunking.

    Correct Answer: DE

    QUESTION 23

    Which statement describes a best practice when configuring trunking on a switch port?

    A. Disable double tagging by enabling DTP on the trunk port.

    B. Enable encryption on the trunk port.

    C. Enable authentication and encryption on the trunk port.

    D. Limit the allowed VLAN(s) on the trunk to the native VLAN only.

    E. Configure an unused VLAN as the native VLAN.

    Correct Answer: E

    QUESTION 24

    Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports?

    A. MAC spoofing attack

    B. CAM overflow attack

    C. VLAN hopping attack

    D. STP attack

    Correct Answer: B

    QUESTION 25

    What is the best way to prevent a VLAN hopping attack?

    A. Encapsulate trunk ports with IEEE 802.1Q.

    B. Physically secure data closets.

    C. Disable DTP negotiations.

    D. Enable BPDU guard.

    Correct Answer: C

    QUESTION 26

    Which statement about PVLAN Edge is true?

    A. PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port.

    B. The switch does not forward any traffic from one protected port to any other protected port.

    C. By default, when a port policy error occurs, the switchport shuts down.

    D. The switch only forwards traffic to ports within the same VLAN Edge.

    Correct Answer: B

    QUESTION 27

    If you are implementing VLAN trunking, which additional configuration parameter should be added to the trunking configuration?

    A. no switchport mode access

    B. no switchport trunk native VLAN 1

    C. switchport mode DTP

    D. switchport nonnegotiate

    Correct Answer: D

    QUESTION 28

    When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class? (Choose three.)

    A. pass

    B. queue

    C. shape

    D. police

    E. drop

    F. inspect

    Correct Answer: AEF

    QUESTION 29

    With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router when some of the router interfaces are assigned to a zone? (Choose three.)

    A. traffic flowing between a zone member interface and any interface that is not a zone member

    B. traffic flowing to and from the router interfaces (the self zone)

    C. traffic flowing among the interfaces that are members of the same zone

    D. traffic flowing among the interfaces that are not assigned to any zone

    E. traffic flowing between a zone member interface and another interface that belongs in a different zone

    F. traffic flowing to the zone member interface that is returned traffic

    Correct Answer: BCD

    QUESTION 30

    Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations?

    A. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL.

    B. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces.

    C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.

    D. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces.

    E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only supports extended ACL.

    Correct Answer: C

    QUESTION 31

    Which two options are advantages of an application layer firewall? (Choose two.)

    A. provides high-performance filtering

    B. makes DoS attacks difficult

    C. supports a large number of applications

    D. authenticates devices

    E. authenticates individuals

    Correct Answer: BE

    QUESTION 32

    Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip 192.168.1.0 0.0.0.255 any, what would be the resulting dynamically configured ACL for the return traffic on the outside ACL?

    A. permit tcp host [email protected] eq 80 host 192.168.1.11 eq 2300

    B. permit ip [email protected] eq 80 192.168.1.0 0.0.0.255 eq 2300

    C. permit tcp any eq 80 host 192.168.1.11 eq 2300

    D. permit ip host [email protected] eq 80 host 192.168.1.0 0.0.0.255 eq 2300

    Correct Answer: A

    QUESTION 33

    Which option is the resulting action in a zone-based policy firewall configuration with these conditions?

    Source: Zone 1

    Destination: Zone 2

    Zone pair exists?: Yes

    Policy exists?: No

    A. no impact to zoning or policy

    B. no policy lookup (pass)

    C. drop

    D. apply default policy

    Correct Answer: C

    QUESTION 34

    A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a security level of 100. The second interface is the DMZ interface with a security level of 50. The third interface is the outside interface with a security level of 0. By default, without any access list configured

    C. aaa accounting exec start-stop tacacs+

    D. aaa accounting connection start-stop tacacs+

    E. aaa accounting commands 15 start-stop tacacs+

    Correct Answer: C

    QUESTION 54

    Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?

    A. access-list 101 permit tcp any eq 3030

    B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www

    C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www

    D. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030

    E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255

    F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80

    Correct Answer: B

    QUESTION 55

    Which location is recommended for extended or extended named ACLs?

    A. an intermediate location to filter as much traffic as possible

    B. a location as close to the destination traffic as possible

    C. when using the established keyword, a location close to the destination point to ensure that return traffic is allowed

    D. a location as close to the source traffic as possible

    Correct Answer: D

    QUESTION 56

    Which statement about asymmetric encryption algorithms is true?

    A. They use the same key for encryption and decryption of data.

    B. They use the same key for decryption but different keys for encryption of data.

    C. They use different keys for encryption and decryption of data.

    D. They use different keys for decryption but the same key for encryption of data.

    Correct Answer: C

    QUESTION 57

    Which option can be used to authenticate the IPsec peers during IKE Phase 1?

    A. Diffie-Hellman Nonce

    B. pre-shared key

    C. XAUTH

    D. integrity check value

    E. ACS

    F. AH

    Correct Answer: B

    QUESTION 58

    Which single Cisco IOS ACL entry permits IP addresses from [email protected] to [email protected][email protected]?

    A. permit [email protected] 0.0.3.255

    B. permit [email protected] [email protected]

    C. permit [email protected] 0.0.248.255

    D. permit [email protected] 255.255.252.0

    E. permit [email protected] 255.255.248.0

    F. permit [email protected] 255.255.240.0

    Correct Answer: B

    QUESTION 59

    You want to use the Cisco Configuration Professional site-to-site VPN wizard to implement a site-to-site IPsec VPN using pre-shared key. Which four configurations are required (with no defaults)? (Choose four.)

    A. the interface for the VPN connection

    B. the VPN peer IP address

    C. the IPsec transform-set

    D. the interesting traffic (the traffic to be protected)

    E. the pre-shared key

    F. the IKE policy

    Correct Answer: ABDE

    QUESTION 60

    Which two options represent a threat to the physical installation of an enterprise network? (Choose two.)

    A. surveillance camera

    B. security guards

    C. electrical power

    D. computer room access

    E. change control

    Correct Answer: CD

    QUESTION 61

    Which option represents a step that should be taken when a security policy is developed?

    A. Perform penetration testing.

    B. Determine device risk scores.

    C. Implement a security monitoring system.

    D. Perform quantitative risk analysis.

    Correct Answer: D

    QUESTION 62

    Which type of network masking is used when Cisco IOS access control lists are configured?

    A. extended subnet masking

    B. standard subnet masking

    C. priority masking

    D. wildcard masking

    Correct Answer: D

    QUESTION 63

    How are Cisco IOS access control lists processed?

    A. Standard ACLs are processed first.

    B. The best match ACL is matched first.

    C. Permit ACL entries are matched first before the deny ACL entries.

    D. ACLs are matched from top down.

    E. The global ACL is matched first before the interface ACL.

    Correct Answer: D

    QUESTION 64

    Which type of management reporting is defined by separating management traffic from production traffic?

    A. IPsec encrypted

    B. in-band

    C. out-of-band

    D. SSH

    Correct Answer: C

    QUESTION 65

    Which syslog level is associated with LOG_WARNING?

    A. 1

    B. 2

    C. 3

    D. 4

    E. 5

    F. 6

    Correct Answer: D

    QUESTION 66

    In which type of Layer 2 attack does an attacker broadcast BPDUs with a lower switch priority?

    A. MAC spoofing attack

    B. CAM overflow attack

    C. VLAN hopping attack

    D. STP attack

    Correct Answer: D

    QUESTION 67

    Which security measure must you take for native VLANs on a trunk port?

    A. Native VLANs for trunk ports should never be used anywhere else on the switch.

    B. The native VLAN for trunk ports should be VLAN 1.

    C. Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple switches can be delivered to physically disparate switches.

    D. Native VLANs for trunk ports should be tagged with 802.1Q.

    Correct Answer: A

    QUESTION 68

    Refer to the exhibit. Which switch is designated as the root bridge in this topology?

    A. It depends on which switch came on line first.

    B. Neither switch would assume the role of root bridge because they have the same default priority.

    C. switch X

    D. switch Y

    Correct Answer: C

    QUESTION 69

    Which type of firewall technology is considered the versatile and commonly used firewall technology?

    A. static packet filter firewall

    B. application layer firewall

    C. stateful packet filter firewall

    D. proxy firewall

    E. adaptive layer firewall

    Correct Answer: C

    QUESTION 70

    Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IP address?

    A. policy NAT

    B. dynamic PAT

    C. static NAT

    D. dynamic NAT

    E. policy PAT

    Correct Answer: B

    QUESTION 71

    Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated services routers?

    A. Cisco iSDM

    B. Cisco AIM

    C. Cisco IOS IPS

    D. Cisco AIP-SSM

    Correct Answer: C

    QUESTION 72

    Which three modes of access can be delivered by SSL VPN? (Choose three.)

    A. full tunnel client

    B. IPsec SSL

    C. TLS transport mode

    D. thin client

    E. clientless

    F. TLS tunnel mode

    Correct Answer: ADE

    QUESTION 73

    During role-based CLI configuration, what must be enabled before any user views can be created?

    A. multiple privilege levels

    B. usernames and passwords

    C. aaa new-model command

    D. secret password for the root user

    E. HTTP and/or HTTPS server

    F. TACACS server group

    Correct Answer: C

    QUESTION 74

    Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

    A. Place more specific ACL entries at the top of the ACL.

    B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce "noise" on the network.

    C. ACLs always search for the most specific entry before taking any filtering action.

    D. Router-generated packets cannot be filtered by ACLs on the router.

    E. If an access list is applied but it is not configured, all traffic passes.

    Correct Answer: ADE

    QUESTION 75

    When port security is enabled on a Cisco Catalyst switch, what is the default action when the configured maximum number of allowed MAC addresses value is exceeded?

    A. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.

    B. The port is shut down.

    C. The MAC address table is cleared and the new MAC address is entered into the table.

    D. The violation mode of the port is set to restrict.

    Correct Answer: B

    QUESTION 76

    Which three statements about the Cisco ASA appliance are true? (Choose three.)

    A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99.

    B. The Cisco ASA appliance supports Active/Active or Active/Standby failover.

    C. The Cisco ASA appliance has no default MPF configurations.

    D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls.

    E. The Cisco ASA appliance supports user-based access control using 802.1x.

    F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.

    Correct Answer: ABD

    QUESTION 77

    Refer to the exhibit. This Cisco IOS access list has been configured on the FA0/0 interface in the inbound direction. Which four TCP packets sourced from 10.1.1.1 port 1030 and routed to the FA0/0 interface are permitted? (Choose four.)

    A. destination ip address: 192.168.15.37 destination port: 22

    B. destination ip address: 192.168.15.80 destination port: 23

    C. destination ip address: 192.168.15.66 destination port: 8080

    D. destination ip address: 192.168.15.36 destination port: 80

    E. destination ip address: 192.168.15.63 destination port: 80

    F. destination ip address: 192.168.15.40 destination port: 21

    Correct Answer: BCDE

    QUESTION 78

    You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in before any actions can be taken when an attack matches that signature?

    A. enabled

    B. unretired

    C. successfully compiled

    D. successfully compiled and unretired

    E. successfully compiled and enabled

    F. unretired and enabled

    G. enabled, unretired, and successfully compiled

    Correct Answer: G

    QUESTION 79

    Which statement describes how the sender of the message is verified when asymmetric encryption is used?

    A. The sender encrypts the message using the sender's public key, and the receiver decrypts the message using the sender's private key.

    B. The sender encrypts the message using the sender's private key, and the receiver decrypts the message using the sender's public key.

    C. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the receiver's private key.

    D. The sender encrypts the message using the receiver's private key, and the receiver decrypts the message using the receiver's public key.

    E. The sender encrypts the message using the receiver's public key, and the receiver decrypts the message using the sender's public key.

    Correct Answer: B

    QUESTION 80

    Refer to the exhibit. Which three statements about these three show outputs are true? (Choose three.)

    A. Traffic matched by ACL 110 is encrypted.

    B. The IPsec transform set uses SHA for data confidentiality.

    C. The crypto map shown is for an IPsec site-to-site VPN tunnel.

    D. The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.

    E. The IPsec transform set specifies the use of GRE over IPsec tunnel mode.

    F. The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2

    Correct Answer: ACD

    QUESTION 81

    Which type of security control is defense in depth?

    A. threat mitigation

    B. risk analysis

    C. botnet mitigation

    D. overt and covert channels

    Correct Answer: A

    QUESTION 82

    Which two options are two of the built-in features of IPv6? (Choose two.)

    A. VLSM

    B. native IPsec

    C. controlled broadcasts

    D. mobile IP

    E. NAT

    Correct Answer: BD

    QUESTION 83

    Which option is a characteristic of the RADIUS protocol?

    A. uses TCP

    B. offers multiprotocol support

    C. combines authentication and authorization in one process

    D. supports bi-directional challenge

    Correct Answer: C

    QUESTION 84

    Refer to the below. Which statement about this debug output is true?

    14:00:09: TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.79

    14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)

    14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.15

    14:00:09: TAC+ (383258052): received authen response status = GETUSER

    14:00:10: TAC+: send AUTHEN/CONT packet

    14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)

    14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.15

    14:00:10: TAC+ (383258052): received authen response status = GETPASS

    14:00:14: TAC+: send AUTHEN/CONT packet

    14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)

    14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.15

    14:00:14: TAC+ (383258052): received authen response status = PASS

    14:00:14: TAC+: Closing TCP/IP connection to 192.168.60.15

    A. The requesting authentication request came from username GETUSER.

    B. The TACACS+ authentication request came from a valid user.

    C. The TACACS+ authentication request passed, but for some reason the user's connection was closed immediately.

    D. The initiating connection request was being spoofed by a different source address.

    Correct Answer: B

    QUESTION 85

    Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699?

    A. standard

    B. extended

    C. named

    D. IPv4 for 100 to 199 and IPv6 for 2000 to 2699

    Correct Answer: B

    QUESTION 86

    Which priority is most important when you plan out access control lists?

    A. Build ACLs based upon your security policy.

    B. Always put the ACL closest to the source of origination.

    C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router.

    D. Always test ACLs in a small, controlled production environment before you roll it out into the larger production network.

    Correct Answer: A

    QUESTION 87

    Which step is important to take when implementing secure network management?

    A. Implement in-band management whenever possible.

    B. Implement telnet for encrypted device management access.

    C. Implement SNMP with read/write access for troubleshooting purposes.

    D. Synchronize clocks on hosts and devices.

    E. Implement management plane protection using routing protocol authentication.

    Correct Answer: D

    QUESTION 88

    Which statement best represents the characteristics of a VLAN?

    A. Ports in a VLAN will not share broadcasts amongst physically separate switches.

    B. A VLAN can only connect across a LAN within the same building.

    C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments.

    D. A VLAN provides individual port security.

    Correct Answer: C

    QUESTION 89

    Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments?

    A. root guard

    B. port fast

    C. HSRP

    D. STP

    Correct Answer: D

    QUESTION 90

    When STP mitigation features are configured, where should the root guard feature be deployed?

    A. toward ports that connect to switches that should not be the root bridge

    B. on all switch ports

    C. toward user-facing ports

    D. Root guard should be configured globally on the switch.

    Correct Answer: A

    QUESTION 91

    Which option is a characteristic of a stateful firewall?

    A. can analyze traffic at the application layer

    B. allows modification of security rule sets in real time to allow return traffic

    C. will allow outbound communication, but return traffic must be explicitly permitted

    D. supports user authentication

    Correct Answer: B

    QUESTION 92

    Which type of NAT would you configure if a host on the external network required access to an internal host?

    A. outside global NAT

    B. NAT overload

    C. dynamic outside NAT

    D. static NAT

    Correct Answer: D

    QUESTION 93

    Which statement about disabled signatures when using Cisco IOS IPS is true?

    A. They do not take any actions, but do produce alerts.

    B. They are not scanned or processed.

    C. They still consume router resources.

    D. They are considered to be "retired" signatures.

    Correct Answer: C

    QUESTION 94

    Which type of intrusion prevention technology is the primary type used by the Cisco IPS security appliances?

    A. profile-based

    B. rule-based

    C. protocol analysis-based

    D. signature-based

    E. NetFlow anomaly-based

    Correct Answer: D

    QUESTION 95

    Which two services are provided by IPsec? (Choose two.)

    A. Confidentiality

    B. Encapsulating Security Payload

    C. Data Integrity

    D. Authentication Header

    E. Internet Key Exchange

    Correct Answer: AC

    QUESTION 96

    DRAG AND DROP

    Select and Place:

    Correct Answer:

    QUESTION 97

    DRAG AND DROP

    Select and Place:

    Correct Answer:

    QUESTION 98

    DRAG DROP

    Select and Place:

    Correct Answer:

    QUESTION 99

    DRAG DROP

    Select and Place:

    Correct Answer:

    QUESTION 100

    DRAG AND DROP

    Select and Place:

    Correct Answer: