- An administrator assigned a level of router access to the user ADMIN using the commands below.
Router(config)# privilege exec level 14 show ip route
Router(config)# enable algorithm-type scrypt secret level 14 cisco-level-10
Router(config)# username ADMIN privilege 14 algorithm-type scrypt secret cisco-level-10
Which two actions are permitted to the user ADMIN? (Choose two.)
The user can execute all subcommands under the show ip interfaces command.
The user can issue the show version command.
The user can only execute the subcommands under the show ip route command.
The user can issue all commands because this privilege level can execute all Cisco IOS commands.
The user can issue the ip route command.
The user can execute all subcommands under the show ip interfaces command.
The user can issue the show version command.
42. What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network? Network Address Translation access control lists security zones stateful packet inspection
stateful packet inspection
43. Which two end points can be on the other side of an ASA site-to-site VPN configured using ASDM? (Choose two.) DSL switch Frame Relay switch ISR router another ASA multilayer switch
ISR router
another ASA
44. What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol? DHCP spoofing ARP spoofing VLAN hopping ARP poisoning
VLAN hopping
45. In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected? authorization authentication auditing accounting
authorization
- An organization has configured an IPS solution to use atomic alerts. What type of response will occur when a signature is detected?
A counter starts and a summary alert is issued when the count reaches a preconfigured number.
The TCP connection is reset.
An alert is triggered each time a signature is detected.
The interface that triggered the alert is shutdown.
An alert is triggered each time a signature is detected.
47. What two algorithms can be part of an IPsec policy to provide encryption and hashing to protect interesting traffic? (Choose two.) PSK DH RSA AES SHA
AES
SHA
- Fill in the blank.
A stateful signature is also known as a ________signature.
Composite
- Why is hashing cryptographically stronger compared to a cyclical redundancy check (CRC)?
Hashes are never sent in plain text.
It is easy to generate data with the same CRC.
It is virtually impossible for two different sets of data to calculate the same hash output.
Hashing always uses a 128-bit digest, whereas a CRC can be variable length.
It is virtually impossible for two different sets of data to calculate the same hash output.
50. A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network? vulnerability scanning password cracking network scanning integrity checker
integrity
Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)
This message is a level five notification message.
This message indicates that service timestamps have been globally enabled.
This message indicates that enhanced security was configured on the vty ports.
This message appeared because a major error occurred that requires immediate action.
This message appeared because a minor error occurred that requires further investigation.
This message is a level five notification message.
This message indicates that service timestamps have been globally enabled.
- What is required for auto detection and negotiation of NAT when establishing a VPN link?
Both VPN end devices must be configured for NAT.
No ACLs can be applied on either VPN end device.
Both VPN end devices must be NAT-T capable.
Both VPN end devices must be using IPv6.
Both VPN end devices must be NAT-T capable.
Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)
Three security violations have been detected on this interface.
This port is currently up.
The port is configured as a trunk link.
Security violations will cause this port to shut down immediately.
There is no device currently connected to this port.
The switch port mode for this interface is access mode.
This port is currently up.
Security violations will cause this port to shut down immediately.
The switch port mode for this interface is access mode.
- In which two instances will traffic be denied as it crosses the ASA 5505 device? (Choose two.)
traffic originating from the inside network going to the DMZ network
traffic originating from the inside network going to the outside network
traffic originating from the outside network going to the DMZ network
traffic originating from the DMZ network going to the inside network
traffic originating from the outside network going to the inside network
traffic originating from the DMZ network going to the inside network
traffic originating from the outside network going to the inside network
- Refer to the exhibit. Based on the configuration that is shown, which statement is true about the IPS signature category?
Only signatures in the ios_ips advanced category will be compiled into memory for scanning.
All signatures categories will be compiled into memory for scanning, but only those signatures within the ios ips advanced category will be used for scanning purposes.
All signature categories will be compiled into memory for scanning, but only those signatures in the ios_ips basic category will be used for scanning purposes.
Only signatures in the ios_ips basic category will be compiled into memory for scanning.
Only signatures in the ios_ips basic category will be compiled into memory for scanning.
- Which two ports can send and receive Layer 2 traffic from a community port on a PVLAN? (Choose two.)
community ports belonging to other communities
promiscuous ports
isolated ports within the same community
PVLAN edge protected ports
community ports belonging to the same community
promiscuous ports
community ports belonging to the same community
- What is a feature of the TACACS+ protocol?
It utilizes UDP to provide more efficient packet transfer.
It combines authentication and authorization as one process.
It encrypts the entire body of the packet for more secure communications.
It hides passwords during transmission using PAP and sends the rest of the packet in plaintext.
It encrypts the entire body of the packet for more secure communications.
- Which security measure is best used to limit the success of a reconnaissance attack from within a campus area network?
Implement restrictions on the use of ICMP echo-reply messages.
Implement a firewall at the edge of the network.
Implement access lists on the border router.
Implement encryption for sensitive traffic.
Implement encryption for sensitive traffic.
- What is the benefit of the network-based IPS (NIPS) over host-based IPS (HIPS) deployment models?
NIPS provides individual host protection.
NIPS relies on centrally managed software agents.
NIPS monitors all operations within an operating system.
NIPS monitors network segments.
NIPS monitors network segments.
- What represents a best practice concerning discovery protocols such as CDP and LLDP on network devices?
LLDP on network devices?
Enable CDP on edge devices, and enable LLDP on interior devices.
Use the default router settings for CDP and LLDP.
Use the open standard LLDP rather than CDP.
Disable both protocols on all interfaces where they are not required.
Disable
