Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 71-80

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.71

What is the default timeout interval during which a router waits for responses from a TACACS server before declaring a timeout failure?

A.

5 seconds

B.

10 seconds

C.

15 seconds

D.

20 seconds

Correct Answer: A

Question No.72

How does PEAP protect the EAP exchange?

A.

It encrypts the exchange using the client certificate.

B.

It validates the server-supplied certificate and then encrypts the exchange using the client certificate.

C.

It encrypts the exchange using the server certificate.

D.

It validates the client-supplied certificate and then encrypts the exchange using the server certificate.

Correct Answer: C

Question No.73

Which address block is reserved for locally assigned unique local addresses?

A.

2002::/16

B.

FD00::/8

C.

2001::/32

D.

FB00::/8

Correct Answer: B

Question No.74

In which two situations should you use in-band management? (Choose two)

A.

When you require administrators access from multiple locations

B.

When you require ROMMON access

C.

When the control plane fails to respond

D.

When a network device fails to forward packets

E.

When Management applications need concurrent access to the device

Correct Answer: AE

Question No.75

What hash type does Cisco use to validate the integrity of downloaded images?

A.

Sha1

B.

Sha2

C.

Md5

D.

Md1

image

Correct Answer: C

Question No.76

Which statement about the communication between interfaces on the same security level is true?

A.

All Traffic is allowed by default between interfaces on the same security level.

B.

Interface on the same security level require additional configuration to permit inter-interface communication.

C.

Configuring interface on the same security level can cause asymmetric routing.

D.

You can configure only one interface on an individual security level.

Correct Answer: B

Question No.77

What configuration allows AnyConnect to authenticate automatically establish a VPN session when a user logs in to the computer?

A.

proxy

B.

Trusted Network Detection

C.

transparent mode

D.

always-on

Correct Answer: D

Question No.78

Which type of IPS can identify worms that are propagating in a network?

A.

Policy-based IPS

B.

Anomaly-based IPS

C.

Reputation-based IPS

D.

Signature-based IPS

Correct Answer: B

Question No.79

Which of the following are features of IPsec transport mode? (Choose three.)

A.

IPsec transport mode is used between end stations

B.

IPsec transport mode is used between gateways

C.

IPsec transport mode supports multicast

D.

IPsec transport mode supports unicast

E.

IPsec transport mode encrypts only the payload

F.

IPsec transport mode encrypts the entire packet

Correct Answer: ADE

image

Question No.80

Which firewall configuration must you perform to allow traffic to flow in both directions between two zones?

A.

You can configure a single zone pair that allows bidirectional traffic flows from for any zone except the self-zone.

B.

You must configure two zone pair, one for each direction.

C.

You can configure a single zone pair that allows bidirectional traffic flows for any zone.

D.

You can configure a single zone pair that allows bidirectional traffic flows only if the source zone is the less secure zone.

Correct Answer: B

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 81-90

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.81

You have been tasked with blocking user access to websites that violate company policy, but the site use dynamic IP Addresses. What is the best practice URL filtering to solve the problem?

A.

Enable URL filtering and create a blacklist to block the websites that violate company policy.

B.

Enable URL filtering and create a whitelist to allow only the websites the company policy allow users to access.

C.

Enable URL filtering and use URL categorization to allow only the websites the company policy allow users to access.

D.

Enable URL filtering and create a whitelist to block the websites that violate company policy.

E.

Enable URL filtering and use URL categorization to block the websites that violate company policy.

Correct Answer: E

Question No.82

Refer to the following command.

Crypto ipsec transform-set myset esp-md5-hmac esp-esp-aes-256 What is the effect of the given command?

A.

It configure the network to use a different transform set between peers.

B.

It merges authentication and encryption methods to protect traffic that matches an ACL.

C.

It configures encryption for MD5 HMAC.

D.

It configures authentications as AES 256.

Correct Answer: B

Question No.83

On which Cisco Configuration Professional screen do you enable AAA

A.

AAA Summary

B.

AAA Servers and Groups

C.

Authentication Policies

D.

Authorization Policies

Correct Answer: A

Question No.84

What are the three layers of a hierarchical network design? (Choose three.)

A.

core

B.

access

C.

server

D.

user

E.

internet

F.

distribution

Correct Answer: ABF

Question No.85

How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?

A.

Issue the command anyconnect keep-installer under the group policy or username webvpn mode

B.

Issue the command anyconnect keep-installer installed in the global configuration

C.

Issue the command anyconnect keep-installer installed under the group policy or username webvpn mode

D.

Issue the command anyconnect keep-installer installer under the group policy or username webvpn mode

Correct Answer: C

Question No.86

Which statement correctly describes the function of a private VLAN?

A.

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains

B.

A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains

C.

A private VLAN enables the creation of multiple VLANs using one broadcast domain

D.

A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain

Correct Answer: A

Question No.87

How can you detect a false negative on an IPS?

A.

View the alert on the IPS

B.

Use a third-party to audit the next-generation firewall rules

C.

Review the IPS console

D.

Review the IPS log

E.

Use a third-party system to perform penetration testing

Correct Answer: E

Question No.88

What is the benefit of web application firewall?

A.

It accelerate web traffic.

B.

It blocks know vulnerabilities without patching applications.

C.

It supports all networking protocols.

D.

It simplifies troubleshooting.

Correct Answer: B

Question No.89

Which source port does IKE use when NAT has been detected between two VPN gateways?

A.

TCP 4500

B.

TCP 500

C.

UDP 4500

D.

UDP 500

Correct Answer: C

Question No.90

If a router configuration includes the line aaa authentication login default group tacacs enable, which events will occur when the TACACS server returns an error? (Choose two.)

A.

The user will be prompted to authenticate using the enable password.

B.

Authentication attempts to the router will be denied.

C.

Authentication will use the router`s local database.

D.

Authentication attempts will be sent to the TACACS server.

Correct Answer: AB

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 91-100

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.91

Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end-user?

A.

Trust

B.

Block

C.

Allow without inspection

D.

Monitor

E.

Allow with inspection

Correct Answer: E

Explanation:

Allow with Inspection allows all traffic except for malicious traffic from a particular end-user. The other options are too restrictive, too permissive, or don鈥檛 exist.

Question No.92

Refer to the exhibit. With which NTP server has the router synchronized?

image

A.

192.168.10.7

B.

108.61.73.243

C.

209.114.111.1

D.

204.2.134.164

E.

132.163.4.103

F.

241.199.164.101

Correct Answer: A

Question No.93

Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?

A.

Unidirectional Link Detection

B.

Unicast Reverse Path Forwarding

C.

TrustSec

D.

IP Source Guard

Correct Answer: B

Question No.94

Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)

A.

Port security

B.

DHCP snooping

C.

IP source guard

D.

Dynamic ARP inspection

Correct Answer: BD

Question No.95

Which type of security control is defense in depth?

A.

Threat mitigation

B.

Risk analysis

C.

Botnet mitigation

D.

Overt and covert channels

Correct Answer: A

Question No.96

When a company puts a security policy in place, what is the effect on the company鈥檚 business?

A.

Minimizing risk

B.

Minimizing total cost of ownership

C.

Minimizing liability

D.

Maximizing compliance

Correct Answer: A

Question No.97

What is the primary purpose of a defined rule in an IPS?

A.

to detect internal attacks

B.

to define a set of actions that occur when a specific user logs in to the system

C.

to configure an event action that is pre-defined by the system administrator

D.

to configure an event action that takes place when a signature is triggered

Correct Answer: D

Explanation: http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/sec urity_manager/4-1/user/guide/CSMUserGuide_wrapper/ipsevact.pdf

Question No.98

When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?

A.

STP elects the root bridge

B.

STP selects the root port

C.

STP selects the designated port

D.

STP blocks one of the ports

Correct Answer: A

Question No.99

Which option describes information that must be considered when you apply an access list to a physical interface?

A.

Protocol used for filtering

B.

Direction of the access class

C.

Direction of the access group

D.

Direction of the access list

image

Correct Answer: C

Question No.100

In which type of attack does an attacker send email message that ask the recipient to click a link such ashttps://www.cisco.net.cc/securelogs?

A.

pharming

B.

phishing

C.

solicitation

D.

secure transaction

Correct Answer: B

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 61-70

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.61

A specific URL has been identified as containing malware. What action can you take to block users from accidentally visiting the URL and becoming infected with malware.

A.

Enable URL filtering on the perimeterrouter and add the URLs you want to block to the router#39;s local URL list.

B.

Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router#39;s local URL list.

C.

Enable URL filtering on the perimeterrouter and add the URLs you want to allow to thefirewall#39;s local URL list.

D.

Create a blacklist that contains the URL you want toblock and activate the blacklist on theperimeter router.

E.

Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router.

Correct Answer: A

Question No.62

When is the best time to perform an anti-virus signature update?

A.

Every time a new update is available.

B.

When the local scanner has detected a new virus.

C.

When a new virus is discovered in the wild.

D.

When the system detects a browser hook.

Correct Answer: A

Question No.63

Which statement about application blocking is true?

A.

It blocks access to specific programs.

B.

It blocks access to files with specific extensions.

C.

It blocks access to specific network addresses.

D.

It blocks access to specific network services.

image

Correct Answer: A

Question No.64

Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.

To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to un- expand the expanded menu first.

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

Which four tunneling protocols are enabled in the DfltGrpPolicy group policy? (Choose four)

A.

Clientless SSL VPN

B.

SSL VPN Client

C.

PPTP

D.

L2TP/IPsec

E.

IPsec IKEv1

F.

IPsec IKEv2

Correct Answer: ADEF

Explanation:

By clicking one the Configuration-gt; Remote Access -gt; Clientless CCL VPN Access-gt; Group Policies tab you can view the DfltGrpPolicy protocols as shown below:

image

Question No.65

Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.

To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to un- expand the expanded menu first.

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

Which user authentication method is used when users login to the Clientless SSLVPN portal using https://209.165.201.2/test?

A.

AAA with LOCAL database

B.

AAA with RADIUS server

C.

Certificate

D.

Both Certificate and AAA with LOCAL database

E.

Both Certificate and AAA with RADIUS server

Correct Answer: A

Explanation:

This can be seen from the Connection Profiles Tab of the Remote Access VPN configuration, where the alias of test is being used.

image

Question No.66

Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.

To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to un- expand the expanded menu first.

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

Which two statements regarding the ASA VPN configurations are correct? (Choose two)

A.

The ASA has a certificate issued by an external Certificate Authority associated to the ASDM_TrustPoint1.

B.

The DefaultWEBVPNGroup Connection Profile is using the AAA with RADIUS server method.

C.

The Inside-SRV bookmark references the https://192.168.1.2 URL.

D.

Only Clientless SSL VPN access is allowed with the Sales group policy.

E.

AnyConnect, IPSec IKEv1, and IPSec IKEv2 VPN access is enabled on the outside interface.

F.

The Inside-SRV bookmark has not been applied to the Sales group policy.

Correct Answer: BC

Explanation:

For B:

image

For C, Navigate to the Bookmarks tab:

image

Then hit 鈥渆dit鈥?and you will see this:

image

Not A, as this is listed under the Identity Certificates, not the CA certificates:

image

Note E:

image

Question No.67

Scenario

In this simulation, you have access to ASDM only. Review the various ASA configurations using ASDM then answer the five multiple choice questions about the ASA SSLVPN configurations.

To access ASDM, click the ASA icon in the topology diagram. Note: Not all ASDM functionalities are enabled in this simulation.

To see all the menu options available on the left navigation pane, you may also need to un- expand the expanded menu first.

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

When users login to the Clientless SSLVPN using https://209.165.201.2/test, which group policy will be applied?

A.

test

B.

clientless

C.

Sales

D.

DfltGrpPolicy

E.

DefaultRAGroup

F.

DefaultWEBVPNGroup

Correct Answer: C

Explanation:

First navigate to the Connection Profiles tab as shown below, highlight the one with the test alias:

image

Then hit the 鈥渆dit鈥?button and you can clearly see the Sales Group Policy being applied.

image

Question No.68

Scenario

Given the new additional connectivity requirements and the topology diagram, use ASDM to accomplish the required ASA configurations to meet the requirements.

New additional connectivity requirements:

Currently, the ASA configurations only allow on the Inside and DMZ networks to access any hosts on the Outside. Your task is to use ASDM to configure the ASA to also allow any host only on the Outside to HTTP to the DMZ server. The hosts on the Outside will need to use the 209.165.201.30 public IP address when HTTPing to the DMZ server.

Currently, hosts on the ASA higher security level interfaces are not able to ping any hosts on the lower security level interfaces. Your task in this simulation is to use ASDM to enable the ASA to dynamically allow the echo-reply responses back through the ASA.

Once the correct ASA configurations have been configured:

You can test the connectivity tohttp://209.165.201.30from the Outside PC browser.

You can test the pings to the Outside (www.cisco.com) by opening the inside PC command prompt window. In this simulation, only testing pings towww.cisco.comwill work.

To access ASDM, click the ASA icon in the topology diagram.

To access the Firefox Browser on the Outside PC, click the Outside PC icon in the topology diagram.

To access the Command prompt on the Inside PC, click the Inside PC icon in the topology diagram.

Note:

After you make the configuration changes in ASDM, remember to click Apply to apply the configuration changes.

Not all ASDM screens are enabled in this simulation, if some screen is not enabled, try to use different methods to configure the ASA to meet the requirements.

In this simulation, some of the ASDM screens may not look and function exactly like the real ASDM.

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

Correct Answer:

Follow the explanation part to get answer on this sim question.

First, for the HTTP access we need to creat a NAT object. Here I called it HTTP but it can be given any name.

image

Then, create the firewall rules to allow the HTTP access:

image

You can verify using the outside PCto HTTP into209.165.201.30.

For step two, to be able to ping hosts on the outside, we edit the last service policy shown below:

image

And then check the ICMP box only as shown below, then hit Apply.

image

After that is done, we can pingwww.cisco.comagain to verify:

image

Question No.69

Which command will configure a Cisco ASA firewall to authenticate users when they enter the enable syntax using the local database with no fallback method?

A.

aaa authentication enable console LOCAL SERVER_GROUP

B.

aaa authentication enable console SERVER_GROUP LOCAL

C.

aaa authentication enable console local

D.

aaa authentication enable console LOCAL

Correct Answer: D

Question No.70

Which of the following statements about access lists are true? (Choose three.)

A.

Extended access lists should be placed as near as possible to the destination

B.

Extended access lists should be placed as near as possible to the source

C.

Standard access lists should be placed as near as possible to the destination

D.

Standard access lists should be placed as near as possible to the source

E.

Standard access lists filter on the source address

F.

Standard access lists filter on the destination address

Correct Answer: BCE

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 51-60

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.51

Which statement about communication over failover interfaces is true?

A.

All information that is sent over the failover and stateful failover interfaces is sent as clear text by default.

B.

All information that is sent over the failover interface is sent as clear text, but the stateful failover link is encrypted by default.

C.

All information that is sent over the failover and stateful failover interfaces is encrypted by default.

D.

User names, passwords, and preshared keys are encrypted by default when they are sent over the failover and stateful failover interfaces, but other information is sent as clear text.

Correct Answer: A

Question No.52

If a packet matches more than one class map in an individual feature type#39;s policy map, how does the ASA handle the packet?

A.

The ASA will apply the actions from only the first matching class map it finds for the feature type.

B.

The ASA will apply the actions from only the most specific matching class map it finds for the feature type.

C.

The ASA will apply the actions from all matching class maps it finds for the feature type.

D.

The ASA will apply the actions from only the last matching class map it finds for the feature type.

Correct Answer: A

Question No.53

For what reason would you configure multiple security contexts on the ASA firewall?

A.

To separate different departments and business units.

B.

To enable the use of VRFs on routers that are adjacently connected.

C.

To provide redundancy and high availability within the organization.

D.

To enable the use of multicast routing and QoS through the firewall.

Correct Answer: A

Question No.54

What is an advantage of placing an IPS on the inside of a network?

A.

It can provide higher throughput.

B.

It receives traffic that has already been filtered.

C.

It receives every inbound packet.

D.

It can provide greater security.

Correct Answer: B

image

Question No.55

What is the FirePOWER impact flag used for?

A.

A value that indicates the potential severity of an attack.

B.

A value that the administrator assigns to each signature.

C.

A value that sets the priority of a signature.

D.

A value that measures the application awareness.

Correct Answer: A

Question No.56

Which FirePOWER preprocessor engine is used to prevent SYN attacks?

A.

Rate-Based Prevention

B.

Portscan Detection

C.

IP Defragmentation

D.

Inline Normalization

Correct Answer: A

Question No.57

Which Sourcefire logging action should you choose to record the most detail about a connection?

A.

Enable logging at theend of the session.

B.

Enable logging at thebeginning of the session.

C.

Enable alerts via SNMP to log events off-box.

D.

Enable eStreamer to log events off-box.

Correct Answer: A

Question No.58

What can the SMTP preprocessor in FirePOWER normalize?

A.

It can extract and decode email attachments in client to server traffic.

B.

It can look up the email sender.

C.

It compares known threats to the email sender.

D.

It can forward the SMTP traffic to anemail filter server.

E.

It uses the Traffic Anomaly Detector.

Correct Answer: A

Question No.59

You want to allow all of your company#39;s users to access the Internet without allowing other Web servers to collect the IP addresses of individual users. What two solutions can you use? (Choose two).

A.

Configure a proxy server to hide users#39; local IP addresses.

B.

Assign unique IP addresses to all users.

C.

Assign the same IP address to all users.

D.

Install a Web content filter to hide users#39; local IP addresses.

E.

Configure a firewall to use Port Address Translation.

image

Correct Answer: AE

Question No.60

You have implemented a Sourcefire IPS and configured it to block certain addresses utilizing Security Intelligence IP Address Reputation. A user calls and is not able to access a certain IP address. What action can you take to allow the user access to the IP address?

A.

Create a whitelist and add the appropriate IP address to allow the traffic.

B.

Create a custom blacklist to allow the traffic.

C.

Create a user based access control rule to allow the traffic.

D.

Create a network based access control rule to allow the traffic.

E.

Create a rule to bypass inspection to allow the traffic.

Correct Answer: A

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 21-30

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.21

What type of algorithm uses the same key to encrypt and decrypt data?

A.

a symmetric algorithm

B.

an asymmetric algorithm

C.

a Public Key Infrastructure algorithm

D.

an IP security algorithm

Correct Answer: A

Question No.22

Refer to the exhibit. How many times was a read-only string used to attempt a write operation?

image

A.

9

B.

6

C.

4

D.

3

E.

2

Correct Answer: A

Question No.23

Refer to the exhibit. Which statement about the device time is true?

image

A.

The time is authoritative, but the NTP process has lost contact with its servers.

B.

The time is authoritative because the clock is in sync.

C.

The clock is out of sync.

D.

NTP is configured incorrectly.

E.

The time is not authoritative.

Correct Answer: A

Question No.24

How does the Cisco ASA use Active Directory to authorize VPN users?

A.

It queries the Active Directory server for a specific attribute for the specified user.

B.

It sends the username and password to retrieve an ACCEPT or REJECT message from the Active Directory server.

C.

It downloads and stores the Active Directory database to query for future authorization requests.

D.

It redirects requests to the Active Directory server defined for the VPN group.

Correct Answer: A

Question No.25

Which statement about Cisco ACS authentication and authorization is true?

A.

ACS servers can be clustered to provide scalability.

B.

ACS can query multiple Active Directory domains.

C.

ACS uses TACACS to proxy other authentication servers.

D.

ACS can use only one authorization profile to allow or deny requests.

Correct Answer: A

Question No.26

Refer to the exhibit. If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?

image

A.

The supplicant will fail to advance beyond the webauth method.

B.

The switch will cycle through the configured authentication methods indefinitely.

C.

The authentication attempt will time out and the switch will place the port into the unauthorized state.

D.

The authentication attempt will time out and the switch will place the port into VLAN 101.

Correct Answer: A

Question No.27

Which EAP method uses Protected Access Credentials?

A.

EAP-FAST

B.

EAP-TLS

C.

EAP-PEAP

D.

EAP-GTC

Correct Answer: A

Question No.28

What is one requirement for locking a wired or wireless device from ISE?

A.

The ISE agent must be installed on the device.

B.

The device must be connected to the network when the lock command is executed.

C.

The user must approve the locking action.

D.

The organization must implement an acceptable use policy allowing device locking.

Correct Answer: A

Question No.29

What VPN feature allows traffic to exit the security appliance through the same interface it entered?

A.

hairpinning

B.

NAT

C.

NAT traversal

D.

split tunneling

Correct Answer: A

Question No.30

What VPN feature allows Internet traffic and local LAN/WAN traffic to use the same network connection?

A.

split tunneling

B.

hairpinning

C.

tunnel mode

D.

transparent mode

Correct Answer: A

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 31-40

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.31

Refer to the exhibit. What is the effect of the given command sequence?

image

A.

It configures IKE Phase 1.

B.

It configures a site-to-site VPN tunnel.

C.

It configures a crypto policy with a key size of 14400.

D.

It configures IPSec Phase 2.

Correct Answer: A

Question No.32

Refer to the exhibit. What is the effect of the given command sequence?

image

A.

It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.

B.

It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.

C.

It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.

D.

It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.

Correct Answer: A

Question No.33

Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?

image

A.

IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.

B.

IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5.

C.

IPSec Phase 1 is down due to a QM_IDLE state.

D.

IPSec Phase 2 is down due to a QM_IDLE state.

Correct Answer: A

Question No.34

Refer to the exhibit. While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show?

image

A.

IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5.

B.

ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1.

C.

IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5.

D.

IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets.

image

Correct Answer: A

Question No.35

Refer to the exhibit. The Admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to correct the problem?

image

A.

Remove the auto command keyword and arguments from the Username Admin privilege line.

B.

Change the Privilege exec level value to 15.

C.

Remove the two Username Admin lines.

D.

Remove the Privilege exec line.

Correct Answer: A

Question No.36

After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason could the image file fail to appear in the dir output?

A.

The secure boot-image command is configured.

B.

The secure boot-comfit command is configured.

C.

The confreg 0x24 command is configured.

D.

The reload command was issued from ROMMON.

Correct Answer: A

Question No.37

What is the effect of the send-lifetime local 23:59:00 31 December 31 2013 infinite command?

A.

It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time on January 1, 2014 and continue using the key indefinitely.

B.

It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely.

C.

It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at 23:59:00 local time on December 31, 2013.

D.

It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00 local time on December 31, 2013.

E.

It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time on December 31, 2013 and continue accepting the key indefinitely.

F.

It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time on January 1, 2014 and continue accepting the key indefinitely.

Correct Answer: B

Question No.38

What type of packet creates and performs network operations on a network device?

A.

control plane packets

B.

data plane packets

C.

management plane packets

D.

services plane packets

Correct Answer: A

Question No.39

An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?

A.

The switch could offer fake DHCP addresses.

B.

The switch could become the root bridge.

C.

The switch could be allowed to join the VTP domain.

D.

The switch could become a transparent bridge.

Correct Answer: B

Question No.40

In what type of attack does an attacker virtually change a device#39;s burned-in address in an attempt to circumvent access lists and mask the device#39;s true identity?

A.

gratuitous ARP

B.

ARP poisoning

C.

IP spoofing

D.

MAC spoofing

Correct Answer: D

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 1-10

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.1

Which two services define cloud networks? (Choose two.)

A.

Infrastructure as a Service

B.

Platform as a Service

C.

Security as a Service

D.

Compute as a Service

E.

Tenancy as a Service

Correct Answer: AB

Question No.2

In which two situations should you use out-of-band management? (Choose two.)

A.

when a network device fails to forward packets

B.

when you require ROMMON access

C.

when management applications need concurrent access to the device

D.

when you require administrator access from multiple locations

E.

when the control plane fails to respond

Correct Answer: AB

Question No.3

In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)

A.

TACACS uses TCP to communicate with the NAS.

B.

TACACS can encrypt the entire packet that is sent to the NAS.

C.

TACACS supports per-command authorization.

D.

TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.

E.

TACACS uses UDP to communicate with the NAS.

F.

TACACS encrypts only the password field in an authentication packet.

Correct Answer: ABC

Question No.4

According to Cisco best practices, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three.)

A.

BOOTP

B.

TFTP

C.

DNS

D.

MAB

E.

HTTP

F.

802.1x

Correct Answer: ABC

Question No.5

Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)

A.

AES

B.

3DES

C.

DES

D.

MD5

E.

DH-1024

F.

SHA-384

Correct Answer: AF

Question No.6

Which three ESP fields can be encrypted during transmission? (Choose three.)

A.

Security Parameter Index

B.

Sequence Number

C.

MAC Address

D.

Padding

E.

Pad Length

F.

Next Header

Correct Answer: DEF

Question No.7

What are two default Cisco IOS privilege levels? (Choose two.)

A.

0

B.

1

C.

5

D.

7

E.

10

F.

15

Correct Answer: BF

Question No.8

Which two authentication types does OSPF support? (Choose two.)

A.

plaintext

B.

MD5

C.

HMAC

D.

AES 256

E.

SHA-1

F.

DES

Correct Answer: AB

Question No.9

Which two features do CoPP and CPPr use to protect the control plane? (Choose two.)

A.

QoS

B.

traffic classification

C.

access lists

D.

policy maps

E.

class maps

F.

Cisco Express Forwarding

Correct Answer: AB

Question No.10

Which two statements about stateless firewalls are true? (Choose two.)

A.

They compare the 5-tuple of each incoming packet against configurable rules.

B.

They cannot track connections.

C.

They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.

D.

Cisco IOS cannot implement them because the platform is stateful by nature.

E.

The Cisco ASA is implicitly stateless because it blocks all traffic by default.

Correct Answer: AB

Get Full Version of 210-260 Dumps

Categories
210-260 Dumps

210-260 Real Exam Dumps Questions and answers 11-20

Get Full Version of the Exam
http://www.EnsurePass.com/210-260.html

Question No.11

Which three statements about Cisco host-based IPS solutions are true? (Choose three.)

A.

It can view encrypted files.

B.

It can have more restrictive policies than network-based IPS.

C.

It can generate alerts based on behavior at the desktop level.

D.

It can be deployed at the perimeter.

E.

It uses signature-based policies.

F.

It works with deployed firewalls.

Correct Answer: ABC

Question No.12

What three actions are limitations when running IPS in promiscuous mode? (Choose three.)

A.

deny attacker

B.

deny packet

C.

modify packet

D.

request block connection

E.

request block host

F.

reset TCP connection

Correct Answer: ABC

Question No.13

When an IPS detects an attack, which action can the IPS take to prevent the attack from spreading?

A.

Deny the connection inline.

B.

Perform a Layer 6 reset.

C.

Deploy an antimalware system.

D.

Enable bypass mode.

Correct Answer: A

Question No.14

What is an advantage of implementing a Trusted Platform Module for disk encryption?

A.

It provides hardware authentication.

B.

It allows the hard disk to be transferred to another device without requiring re-encryption.dis

C.

It supports a more complex encryption algorithm than other disk-encryption technologies.

D.

It can protect against single points of failure.

Correct Answer: A

Question No.15

What is the purpose of the Integrity component of the CIA triad?

A.

to ensure that only authorized parties can modify data

B.

to determine whether data is relevant

C.

to create a process for accessing data

D.

to ensure that only authorized parties can view data

Correct Answer: A

Question No.16

In a security context, which action can you take to address compliance?

A.

Implement rules to prevent a vulnerability.

B.

Correct or counteract a vulnerability.

C.

Reduce the severity of a vulnerability.

D.

Follow directions from the security appliance manufacturer to remediate a vulnerability.

Correct Answer: A

Question No.17

Which type of secure connectivity does an extranet provide?

A.

other company networks to your company network

B.

remote branch offices to your company network

C.

your company network to the Internet

D.

new networks to your company network

Correct Answer: A

Question No.18

Which tool can an attacker use to attempt a DDoS attack?

A.

botnet

B.

Trojan horse

C.

virus

D.

adware

Correct Answer: A

Question No.19

What type of security support is provided by the Open Web Application Security Project?

A.

Education about common Web site vulnerabilities.

B.

A Web site security framework.

C.

A security discussion forum for Web site developers.

D.

Scoring of common vulnerabilities and exposures.

Correct Answer: A

Question No.20

What type of attack was the Stuxnet virus?

A.

cyber warfare

B.

hacktivism

C.

botnet

D.

social engineering

Correct Answer: A

Get Full Version of 210-260 Dumps