Transcript Slide 1
E-Security
CO73046
Network
Security
Contact:
Room:
Telephone:
MSN Messenger:
WWW:
[email protected]
C.63
X2759
[email protected]
http://www.dcs.napier.ac.uk/~bill
http://buchananweb.co.uk
Author: Bill Buchanan
Prof. Bill Buchanan
Work Schedule
Week
Date
Academic
Assessment
Lab/Tutorial
1
4 Feb
1: Introduction
2: Security Fundamentals
2
11 Feb
3: IDS
Lab 1: Packet Capture
Lab 2: Packet Capture (Filter)
3
18 Feb
4: Encryption
Lab 3: Packet Capture (IDS)
Lab 4: Packet Capture (ARP)
4
25 Feb
5: Authentication (Part 1)
Lab 5: IDS Snort 1
5
3 Mar
5: Authentication (Part 2)
Lab 6: IDS Snort 2
6
10 Mar
6: Software Security
Lab 7: Private-key encryption
7
17 Mar
7: Network Security
8: Secure Protocols
Lab 8: Public-key encryption
8
7 Apr
9
14 Apr
Security Specialisation (.NET
Security or Network Security)
10
21 Apr
Security Specialisation (.NET
Security or Network Security)
Specialisation Lab
11
28 Apr
Security Specialisation (.NET
Security or Network Security)
Specialisation Lab
12
5 May
Security Specialisation (.NET
Security or Network Security)
C/W hand-in (IDS) [50%]
MCQ Test [10%]
Author: Bill Buchanan
MCQ Test [40%]
Friday, 11 Apr 2008
Week 1-8
Academic
Element
On-line test:
40%
Coursework: Agent-based IDS
Web-CT submission:
50%
Web-CT
submission
.NET Security
On-line test:
10%
Cisco Academy NS 1
On-line test:
10%
On-line
test
Author: Bill Buchanan
Week 8-13
MCQ
Test
Author: Bill Buchanan
PIX Certification Questions
The Cisco Secure PIX Firewall Advanced exam
(CSPFA 642-521) is one of the exams associated
with the Cisco Certified Security Professional and
the Cisco Firewall Specialist certifications.
Candidates can prepare for this exam by taking
the CSPFA v3.2 course. This exam includes
simulations and tests a candidate's knowledge and
ability to describe, configure, verify and manage
the PIX Firewall product family. CCNA or CCDA
recertification candidates who pass the 642-521
CSPFA exam will be considered recertified at the
CCNA or CCDA level.
Author: Bill Buchanan
•
1. What is CA?
Author: Bill Buchanan
A. Configured applications
B. Cisco authentication
C. Certificate authority
D. Command approval
2. How many interfaces does the PIX 506 support?
Author: Bill Buchanan
A. 4
B. 2
C. 6
D. 3
3. How do you change the activation key on the
PIX?
Author: Bill Buchanan
A. Reset the PIX
B. With the checksum command
C. Copy a PIX image to the flash
D. The activation key cannot be changed
4. When configuring ACL to identify traffic that
requires encryption, two entries are needed. One
for inbound traffic and one for outbound traffic.
Author: Bill Buchanan
A. True
B. False
5. What is the different about the PIX privileged
access mode as opposed to the privileged access
mode of a Cisco IOS router?
Author: Bill Buchanan
A. The "?" command does not work on the PIX
B. No difference
C. Each configuration command is automatically saved
to flash
D. The ability to view the running configuration from
the configuration mode
7. What are some application layer protocols that
CBAC can inspect? (choose all that apply)
Author: Bill Buchanan
A. TFTP
B. TCP
C. SMTP
D. UDP
E. HTTP
F. FTP
8. What two commands are needed for inbound
access? (choose two)
Author: Bill Buchanan
A. Static
B. Access-list
C. PAT
D. NAT
9. In CBAC, what is a state table?
Author: Bill Buchanan
A. A table containing access-list information
B. A table containing information about the state of
CBAC
C. A table containing information about the state of the
packet's connection
D. A table containing routing information
10. What is required for stateful failover on the PIX
515? (choose all that apply)
Author: Bill Buchanan
A. Unrestricted software license
B. Cisco failover cable
C. Cisco IOS failover feature set
D. 2 Ethernet interfaces interconnected
11. What is the purpose of a syslog server?
Author: Bill Buchanan
A. To host websites
B. To collect system messages
C. To maintain current backup configurations
D. To maintain URL filtering information
12. Default "fixup protocol" commands cannot be
disabled.
Author: Bill Buchanan
A. True
B. False
13. What command deletes all authentication proxy
entries?
Author: Bill Buchanan
A. Clear ip authentication-proxy cache
B. Clear ip authentication-proxy cache all
C. Clear ip authentication-proxy cache
D. Clear authentication-proxy all entries
14. At what frequency does the PIX send hello
packets to the failover unit?
Author: Bill Buchanan
A. 15 seconds
B. 60 seconds
C. 6 seconds
D. 20 seconds
15. In AAA, what does the method keyword "local"
mean?
Author: Bill Buchanan
A. That the AAA server is local
B. Deny if login request is local
C. Use the local database for authentication
D. Authenticate if login request is local
16. What three types of entries does the PAM table
provide? (choose 3)
Author: Bill Buchanan
A. User defined
B. Internet specific
C. Host specific
D. System defined.
17. During IPSec security associations negotiation,
if there are multiple transform sets, which one is
used?
Author: Bill Buchanan
A. Is does not matter
B. The first common one
C. The first one
D. The last one
18. CBAC inspection can only be configured in one
direction.
Author: Bill Buchanan
A. False
B. True
19. How do you identify a syslog server on the
PIX?
Author: Bill Buchanan
A. logging host 10.1.1.1
B. TFTP server 10.1.1.1
C. syslog-server 10.1.1.1
D. syslog server 10.1.1.1
20. In CBAC, where are dynamic access entries
added?
Author: Bill Buchanan
A. A new access-list is configured for each access
entry
B. At the beginning of the access-list
C. A separate access-list is created for access entries
D. At the end of the access-list
21. You establish an IPSec tunnel with a remote
peer. You verify by viewing the security
associations. You view the security associations
two days later and find they are not there. What is
the problem?
Author: Bill Buchanan
A. This would not happen
B. You have used an incorrect command to view the
security associations
C. Your PIX is not powered up.
D. No traffic was identified to be encrypted.
22. What is the purpose of the "route 0 0"
command?
Author: Bill Buchanan
A. To configure a static route
B. To enable routing on the PIX
C. To configure a default route
D. To route between 2 interfaces
23. What does DDOS stand for?
Author: Bill Buchanan
A. Distributed denial of service
B. Dedicated Department of Security
C. Dead, Denied, Out of Service
D. Demand denial of service
24. In CBAC, how are half-open sessions
measured?
Author: Bill Buchanan
A. Both TCP & UPD half-open sessions are calculated
B. Only UDP half-open sessions are calculated
C. CBAC does not calculate half-open sessions
D. Only TCP half-open sessions are calculated
25. AAA stands for authentication, authorization,
&______________.
Author: Bill Buchanan
A. application
B. accounting
C. access control
D. authenticity
26. A transform set is a combination of ________
_______ & ____________. (choose all that apply)
Author: Bill Buchanan
A. access-list
B. crypto maps
C. security protocols
D. algorithms
27. At what layer of the OSI model does IPSec
provide security?
Author: Bill Buchanan
A. 4
B. 7
C. 8
D. 3
28. What is the purpose of the "clear access-list"
command?
Author: Bill Buchanan
A. Remove an access-list from an interface
B. To clear all access-list from the PIX
C. To clear all access-list counters
D. Invalid command
29. What are the two licenses supported on the
PIX515?
Author: Bill Buchanan
A. Unrestricted
B. Limited
C. Restricted
D. Unlimited
30. How are transform sets selected in manually
established security associations?
Author: Bill Buchanan
A. Transform sets are not used in manually established
security associations
B. Manually established security associations only
have one transform set
C. The first transform set is always used
D. The first common transform set is used
31. Access-list are supported with Radius
authorization.
Author: Bill Buchanan
A. True.
B. False
32. How do you view active NAT translations?
Author: Bill Buchanan
A. show nat-translations
B. show ip-nat translations
C. show xlate
D. show translations
33. What does IKE Extended authentication
provide?
Author: Bill Buchanan
A. Authentication of multiple IPSec peers
B. Auto-negotiation of IPSec security associations
C. User authentication using Radius/TACACS+
34. What are two purposes of NAT? (choose 2)
Author: Bill Buchanan
A. To build routing tables
B. To expedite packet inspection
C. To connect two separate interfaces
D. To conserve non-RFC1918 addresses
E. To hide internal servers and workstations real IP
addresses from the Internet
35. Only one IPSec tunnel can exist between two
peers.
Author: Bill Buchanan
A. False
B. True
36. How many hello packets must be missed
before the failover unit will become active?
Author: Bill Buchanan
A. 2
B. 3
C. 1
D. 5
37. What are the two transport layer protocols?
(choose 2)
Author: Bill Buchanan
A. TCP
B. IP
C. ICMP
D. UDP
38. How do you configure a PAT address?
Author: Bill Buchanan
A. Nat (Outside) 1 1.1.1.1 1.1.1.1 255.255.255.255
B. IP PAT (Outside) 1 1.1.1.1 255.255.255.255
C. PAT (Outside) 1 1.1.1.1 255.255.255.255
D. Global (Outside) 1 1.1.1.1 1.1.1.1 255.255.255.255
39. How many interfaces does the PIX 515R
support?
Author: Bill Buchanan
A. 3
B. 4
C. 2
D. 6
40. What are some advantages of using the PIX
firewall over other firewalls such as Microsoft
Proxy? (choose all that apply)
Author: Bill Buchanan
A. No security problems from running on top of other
operating systems
B. PIX firewall is plug and play, no configuration
required
C. PIX inspects on lower layer protocols
D. PIX does stateful packet inspections
E. One box solution
A. Enable the new interface in the configuration
B. Add the "conduit permit any any" statement to your
configuration
C. Nothing. The problem is probably with the clients
workstations, not the PIX.
D. Add the Cisco client proxy software to each workstation
on the new network.
Author: Bill Buchanan
41. You decide you need more interfaces for your PIX
515 and you already have the unrestricted license
installed. The PIX firewall only shipped with 2 Ethernet
interfaces. You install a new Ethernet interface that
you ordered from Cisco. After you power the PIX on,
you assign an IP address to the interface and
configure a NAT & global statement for the new
network. But users on the new network are unable to
browse the Internet. What else do you need to do?
42. What two concepts are included in data
authentication? (choose all that apply)
Author: Bill Buchanan
A. Anti replay
B. Data origin authentication
C. Data integrity.
D. Data confidentiality
43. What is the layer-4 difference between Radius
and TACACS+?
Author: Bill Buchanan
A. Radius uses TCP & TACACS+ uses UDP
B. Radius uses UDP & TACACS+ uses TCP
C. TACACS+ uses FTP & Radius uses TFTP
D. There is no layer-4 difference between Radius &
TACACS+
44. "Logging timestamp" specifies that syslog
messages sent to the syslog server should have a
time stamp value on each message.
Author: Bill Buchanan
A. True
B. False
45. What does the " crypto access-list" command
accomplish?
Author: Bill Buchanan
A. There are no such access list
B. They block non-encrypted traffic
C. They identify crypto map statements
D. Identifies which traffic is to be encrypted
46. What is the purpose of the outbound accesslist for a CBAC solution?
Author: Bill Buchanan
A. To block all traffic, CBAC will then inspect the traffic
and allow legitimate traffic out
B. Packets you want inspected by CBAC
C. The is no need for an outbound access-list in a
CBAC solution
D. To identify legitimate inbound traffic from the
Internet
47. How do you delete the following PAM entry? IP
port-map http port 81
Author: Bill Buchanan
A. clear IP port-map http port 81
B. This is a system-defined entry and cannot be
deleted
C. no IP port-map http port 81
D. delete IP port-map http port 81
48. What is the first step in configuring IPSec
without CA?
Author: Bill Buchanan
A. Crypto
B. ISAKMP
C. IKE
D. IPSEC
49. What version of IOS was the "ip port-map"
command introduced?
Author: Bill Buchanan
A. 13.(1)
B. 12.1
C. 11.0(1)
D. 12.05(t)
50. What is the purpose of the "fixup protocol"
commands?
Author: Bill Buchanan
A. To identify what protocols are permitted through the
PIX
B. Change PIX firewall application protocol feature
C. To identify what protocols are to be blocked by the
PIX
D. To map a protocol to a TCP or UDP port
51. Without stateful failover, how are active
connections handled?
Author: Bill Buchanan
A. Connections are maintained between the PIX and
the failover unit
B. Dropped
C. UDP connections are maintained
D. TCP connections are maintained
52. How many default routes can be assigned to
the PIX firewall?
Author: Bill Buchanan
A. 1 per network
B. 1.
C. As many as required
D. 1 per interface
E. 1 for the primary PIX and 1 for the standby PIX
53. You have a PIX firewall and you are only given
one public IP address from your ISP to use on the
PIX. You do not have any type of servers that need
be accessed from the Internet. What is a valid
quick solution to your problem?
Author: Bill Buchanan
A. Get a new ISP
B. PAT
C. Request additional IP addresses from your ISP
D. NAT
54. What three purposes does the failover cable
serve? (choose all that apply)
Author: Bill Buchanan
A. Power status of the other unit
B. Communication link
C. Unit identification of both units
D. Stateful information
55. Which PIX interface(s) do you apply the crypto
map statements?
Author: Bill Buchanan
A. To the outside interface
B. To the inside interface
C. To any interfaces that IPSec packets will traverse
D. All PIX interfaces
56. What is the purpose of authentication proxy?
Author: Bill Buchanan
A. Proxy of user logins
B. To enable AAA
C. Policies on per user basis
D. For user accounting
57. You are required to have two crypto access-list
for IPSec. One is to identify outbound traffic to be
encrypted, and the other is to identify inbound
traffic that should be encrypted.
Author: Bill Buchanan
A. False
B. True
58. PAT is not supported with the "fixup protocol
rtsp" command.
Author: Bill Buchanan
A. True
B. False
59. How do you configure a pool of public IP
addresses?
Author: Bill Buchanan
A. Global command
B. Pool command
C. NAT command.
D. Static command
60. What is the purpose of the "logging trap"
command?
Author: Bill Buchanan
A. Enables syslog traps
B. This is not a valid PIX command
C. Sends logs to a host named trap
D. Enables SMTP traps
61. The inbound access-list or conduit statements
must include permit statements for all IPSec traffic.
Author: Bill Buchanan
A. False
B. True
62. What is one difference between conduit
statements and access-list?
Author: Bill Buchanan
A. Conduit statements can only contain permit
statements
B. Conduit statements list the destination address
before the source address and accessC. Conduit statements do not contain the implicit deny
any at the end
D. Access-list cannot be applied to the interfaces of the
PIX
63. How do you configure a Web sense server on
the PIX?
Author: Bill Buchanan
A. server 10.1.1.1
B. websense-server 10.1.1.1
C. url-server 10.1.1.1
D. websense 10.1.1.1
64. How many hosts will PAT support?
Author: Bill Buchanan
A. 1024
B. unlimited
C. 64000
D. 1
65. When configuring a security association in
IPSec, the global lifetime default (the time when the
security association is renegotiated) is 28,800
seconds.
Author: Bill Buchanan
A. True
B. False
66. What is the goal of a DDOS attack?
Author: Bill Buchanan
A. To use the network to attack another network
B. To steal vital information
C. To take control of the network
D. To stop the network from working
67. What is required for stateful failover? (choose
all that apply)
Author: Bill Buchanan
A. FDDI interface
B. 1 interface interconnected
C. PIX failover cable.
D. 3 interfaces interconnected
68. What does ACS stand for?
Author: Bill Buchanan
A. Another Cisco Server
B. Authentication, Control, Secure
C. Access Control Server
D. Access, Control, Security
69. With the PIX Firewall, you can configure:
Author: Bill Buchanan
A. Separate groups of TACACS+ or RADIUS servers
for specifying different types of
B. None of the above. PIX does not support TACACS+
or RADIUS.
C. Only TACACS+ for inbound & outbound
connections
D. Only RADIUS for inbound & outbound connections
70. What command applies CBAC to an interface?
Author: Bill Buchanan
A. router# ip inspect NAME in interface outside
B. router(conf)#ip inspect NAME in
C. router(conf-if)#ip inspect NAME in
D. router(conf)#ip inspect NAME out
71. In CBAC, where does the router get the state
table information?
Author: Bill Buchanan
A. By inspecting the packet
B. From a PIX firewall
C. From routing tables
D. Configured by administrator
72. What three protocols does the PIX provide
credential prompts, with the proper configuration
of an AAA server? (choose 3)
Author: Bill Buchanan
A. HTTP
B. TFTP
C. FTP
D. HTTPS
E. Telnet
F. SSL
73. What command is required to save the
configuration to a remote device?
Author: Bill Buchanan
A. radius-server
B. Copy
C. Save
D. write
74. Authentication proxy only works with
TACACS+.
Author: Bill Buchanan
A. False
B. True
75. What is a dynamic crypto map?
Author: Bill Buchanan
A. There is no such thing as a dynamic crypto map
B. When the PIX gets the entire crypto map
configuration from a CA
C. A crypto map created solely by the PIX upon
negotiation with an IPSec peer
D. A crypto map without all the parameters configured
76. What command displays the authentication
proxy configuration?
Author: Bill Buchanan
A. Show version proxy-authentication
B. Show proxy-authentication
C. Show all proxy-authentication
D. Show ip proxy-authentication
77. What is a false-positive alarms?
Author: Bill Buchanan
A. Alarms that do not reach their intended destination
B. Legitimate alarms that are not triggered
C. Alarms caused by legitimate traffic
D. Alarms that an administrator ignores
78. What is data confidentiality?
Author: Bill Buchanan
A. IPSec receiver can detect & reject replayed packets
B. Receiver authenticates packets to ensure no
alterations have been made
C. Packets are encrypted before they are transmitted
across a network
D. Receiver can authenticate source of IPSec packets
79. You can configure conduit statements on a PIX
Firewall, but not access-list.
Author: Bill Buchanan
A. False
B. True
80. How is inbound access controlled? (choose all
that apply)
Author: Bill Buchanan
A. Global
B. Access-list
C. Static
D. NAT
81. How is outbound access enabled? (choose all
that apply)
Author: Bill Buchanan
A. Global
B. Static
C. NAT
D. Access-list
82. In CBAC, how are dynamic access-list entries
saved?
Author: Bill Buchanan
A. They are not saved
B. Write memory
C. Write tftp
D. Save access-list
83. The PIX is a single point of failure and has no
solution for redundancy. Cisco is working on a
solution for this right now.
Author: Bill Buchanan
A. True
B. False
84. A crypto map statement can contain multiple
access-lists.
Author: Bill Buchanan
A. False
B. True
85. How do you apply conduit statements to the
outside interface?
Author: Bill Buchanan
A. With the use of the conduit-outside statement
B. With the use of the conduit-group statement
C. No configuration required
D. Conduit statements cannot be applied to the outside
interface
86. What does the "clear filter" command
accomplish?
Author: Bill Buchanan
A. Clears all filter counters displayed by the show
filters command
B. Resets all filters to their original state
C. Invalid PIX command
D. Removes all filters from the PIX configuration
87. What two commands are needed for outbound
access? (choose 2)
Author: Bill Buchanan
A. PAT
B. Access list
C. NAT
D. Global
88. How does CBAC handle ICMP?
Author: Bill Buchanan
A. Only ICMP echo packets are inspected
B. All ICMP traffic is inspected by CBAC
C. ICMP traffic is not inspected by CBAC
D. ICMP traffic is denied by CBAC
89. What two commands enable viewing the url
filtering information? (choose 2)
Author: Bill Buchanan
A. show url-cache stats
B. show url-filtering
C. show filter-url
D. show perfmon
90. What are the two types of global timeouts for
IPSec on the PIX? (choose 2)
Author: Bill Buchanan
A. bandwidth
B. uptime
C. number of PPTP connections
D. time
91. What command is utilized to upgrade the IOS
version of the PIX?
Author: Bill Buchanan
A. Copy tftp flash
B. Copy flash tftp
C. Write tftp flash
D. Save tftp flash
92. What is the command to assign an IP address
to an interface?
Author: Bill Buchanan
A. nameif inside IP address 10.1.1.1 255.255.255.0
B. ip address inside 10.1.1.1 255.255.255.0
C. inside address 10.1.1.1 255.255.255.0
D. inside ip address 10.1.1.1 255.255.255.0
93. How do you reset a security association with an
IPSec peer?
Author: Bill Buchanan
A. Clear ipsec sa <peer name>
B. Disconnect the PIX from the network
C. Delete security-association
D. You must delete all IPSec configurations and
reconfigure
94. How is URL filtering accomplished?
Author: Bill Buchanan
A. With a Web sense server
B. With a Cisco IDS
C. With a PIX failover unit
D. URL filtering is not supported
95. What is the default time-out for authentication
proxy?
Author: Bill Buchanan
A. 60 seconds
B. 6 minutes
C. 60 minutes
D. 360 seconds
96. What traffic is identified in the inbound accesslist on a CBAC router?
Author: Bill Buchanan
A. Permitting traffic to be inspected by CBAC
B. FTP
C. Denying traffic to be inspected by CBAC
D. HTTP
97. How do you map a port to a specific host?
Author: Bill Buchanan
A. You cannot map to a specific host
B. IP port-map http port 81 host 10.1.1.1
C. An access-list permitting the host is required
D. IP port-map http port 81 10.1.1.1
98. What command displays all security
associations?
Author: Bill Buchanan
A. show ipsec security-associations
B. show ipsec security-associations
C. show ip security-associations
D. show ipsec security-associations all
99. When do you need an access-list applied
inbound to the inside interface?
Author: Bill Buchanan
A. When you want to block all outbound traffic
B. When you want to control the outbound traffic
C. Access-list cannot be applied to the inside interface
D. When you want to control inbound public traffic
100. What does CBAC stand for?
Author: Bill Buchanan
A. Control Based on Access list
B. Cisco Based Accounting Control.
C. Context Based Access Control
D. Cisco Based Access Control
101. How does the PIX initiate new IPSec security
associations using dynamic crypto maps?
Author: Bill Buchanan
A. By sending its public key to the remote peer
B. By sending an IKE key to the remote peer
C. By sending security association request to the
remote peer
D. The PIX cannot initiate an IPSec sa using dynamic
crypto maps
102. What is the purpose of a Web sense server?
Author: Bill Buchanan
A. To host our website
B. It is a syslog server for the PIX
C. URL filtering
D. To monitor the state of your Internet connection
103. How are outbound UDP sessions handled?
Author: Bill Buchanan
A. A connection state is maintained on the PIX.
B. All UDP traffic is permitted inbound unless blocked
with an access-list
C. The PIX does not recognize UDP sessions
D. All UDP traffic is blocked outbound unless permitted
with an access-list
104. How does a user receive a login screen
through authentication proxy?
Author: Bill Buchanan
A. Clicking on the authentication proxy icon on the
desktop
B. They do not, as authentication proxy uses their NT
login
C. By opening a Internet browser
D. From a command prompt
105. What command enables AAA on a Cisco
router?
Author: Bill Buchanan
A. aaa radius
B. aaa enable
C. enable aaa
D. aaa new-model
106. What does the "conduit" command do?
Author: Bill Buchanan
A. Nothing, the conduit is not a valid command on the
PIX
B. Enables the conduit interface on the PIX.
C. Permits/denies traffic if the specified conditions are
met.
D. Maps a local address to a global address.
107. What are the two ways security associations
can be established? (choose 2)
Author: Bill Buchanan
A. Manual
B. CRYPTO
C. ISAKMP
D. IKE.
108. How do you determine the amount of memory
and flash installed in the PIX?
Author: Bill Buchanan
A. show flash
B. show dram
C. show version
D. show memory
109. What is the purpose of PAM?
Author: Bill Buchanan
A. To identify users via port mapping
B. To create address pools for NAT
C. There is no such feature
D. To customize TCP & UDP port numbers
110. Which interfaces does the PIX send "hello"
packets out of for failover?
Author: Bill Buchanan
A. Only interfaces directly connected to each other
B. Inside
C. All including the failover cable
D. None, just over the failover cable
111. What is the purpose of the xlate command?
Author: Bill Buchanan
A. To configure translations
B. To configure PIX global timeouts
C. Xlate is not a valid command
D. To view and clear translations
112. How do you clear the logging buffer?
Author: Bill Buchanan
A. clear buffer
B. delete log
C. clear logging
D. delete log
113. What command saves the CA settings &
policies?
Author: Bill Buchanan
A. ca save all
B. save ca
C. Write memory
D. They cannot be saved
114. How is the configuration maintained between
the primary PIX and the standby unit?
Author: Bill Buchanan
A. Standby is configured and configuration is replicated
to primary
B. Primary is configured and configuration is replicated
to standby
C. Both must be configured separately
D. The standby does not maintain a current
configuration until failover occurs
115. How does CBAC allow traffic through the
router?
Author: Bill Buchanan
A. All traffic is blocked by the router
B. Traffic must be permitted in the pre-configured
access-list
C. All traffic is allowed through
D. Using access-list entries
116. In the following command, what does the
keyword "http" represent?
Ip port-map http port 81
Author: Bill Buchanan
A. It identifies the table for the port-mapping to
reference
B. Nothing, the command is invalid
C. it identifies the application name
D. it redirects all http traffic from port 80
117. What is the purpose of the "nameif"
command?
Author: Bill Buchanan
A. To shutdown an interface on the PIX
B. To enable an interface on the PIX
C. The nameif is not a valid PIX command.
D. To assign a security level and name to an interface.
118. How do you view the running configuration?
Author: Bill Buchanan
A. write terminal
B. show running-configuration
C. show all-configuration
D. show configuration
119. What platforms support CBAC? (choose all
that apply)
Author: Bill Buchanan
A. PIX 515
B. 1600
C. PIX 506
D. 2500
120. By default what are the two interface names
on the PIX Firewall? (choose 2)
Author: Bill Buchanan
A. Ethernet
B. DMZ
C. Serial
D. 100Mb
E. Inside
F. Outside
121. What command clears the IPSec security
associations?
Author: Bill Buchanan
A. clear ipsec sa
B. clear security-associations
C. clear ipsec
D. clear sa
122. How does activex blocking affect activex
traffic to servers identified by an alias command?
Author: Bill Buchanan
A. Allows activex traffic to the server
B. Inspects the activex applet from the servers
C. Does not block activex traffic from the server
D. Blocks all activex traffic from the server
Test 1
Author: Bill Buchanan
Author: Prof Bill Buchanan
1. In which type of attack does the potential intruder
attempt to discover and map out systems,
services, and vulnerabilities?
stake out
reconnaissance
tapping
sniffing
Author: Bill Buchanan
A
B
C
D
1. In which type of attack does the potential intruder
attempt to discover and map out systems,
services, and vulnerabilities?
stake out
reconnaissance
tapping
sniffing
Author: Bill Buchanan
A
B
C
D
2. Which type of attack prevents a user from
accessing the targeted file server?
Reconnaissance attack
Denial of service attack
Prevention of entry attack
Disruption of structure attack
Author: Bill Buchanan
A
B
C
D
2. Which type of attack prevents a user from
accessing the targeted file server?
Reconnaissance attack
Denial of service attack
Prevention of entry attack
Disruption of structure attack
Author: Bill Buchanan
A
B
C
D
3. Which type of action does the "ping sweep" pose
to an organization?
eavesdropping
reconnaissance
denial of service
unauthorized access
Author: Bill Buchanan
A
B
C
D
3. Which type of action does the "ping sweep" pose
to an organization?
eavesdropping
reconnaissance
denial of service
unauthorized access
Author: Bill Buchanan
A
B
C
D
3. Which type of action does the "ping sweep" pose
to an organization?
eavesdropping
reconnaissance
denial of service
unauthorized access
Author: Bill Buchanan
A
B
C
D
4. An employee of ABC Company receives an e-mail from a
co-worker with an attachment. The employee opens the
attachment and receives a call from the network
administrator a few minutes later, stating that the
employee's machine has been attacked and is sending
SMTP messages. Which category of attack is this?
denial of service
trojan horse
port scanning
password attack
social engineering
Author: Bill Buchanan
A
B
C
D
E
4. An employee of ABC Company receives an e-mail from a
co-worker with an attachment. The employee opens the
attachment and receives a call from the network
administrator a few minutes later, stating that the
employee's machine has been attacked and is sending
SMTP messages. Which category of attack is this?
denial of service
trojan horse
port scanning
password attack
social engineering
Author: Bill Buchanan
A
B
C
D
E
5. What is a major characteristic of a Worm?
Author: Bill Buchanan
A malicious software that copies itself into other
executable programs
B tricks users into running the infected software
C a set of computer instructions that lies dormant
until triggered by a specific event
D exploits vulnerabilities with the intent of
propagating itself across a network
5. What is a major characteristic of a Worm?
Author: Bill Buchanan
A malicious software that copies itself into other
executable programs
B tricks users into running the infected software
C a set of computer instructions that lies dormant
until triggered by a specific event
D exploits vulnerabilities with the intent of
propagating itself across a network
6. A large investment firm has been attacked by a worm. In
which order should the network support team perform the
steps to mitigate the attack?
A
B
C
D
E
C,A,D,B
A,B,C,D
A,C,B,D
D,A,C,B
C,B,A,D
Author: Bill Buchanan
A. inoculation
B. treatment
C. containment
D. quarantine
6. A large investment firm has been attacked by a worm. In
which order should the network support team perform the
steps to mitigate the attack?
A
B
C
D
E
C,A,D,B
A,B,C,D
A,C,B,D
D,A,C,B
C,B,A,D
Author: Bill Buchanan
A. inoculation
B. treatment
C. containment
D. quarantine
At XYZ Company, the policy for network use requires that
employees log in to a Windows domain controller when they
power on their work computers. Although XYZ does not
implement all possible security measures, outgoing traffic is
filtered using a firewall. Which security model is the
company using?
A
B
C
D
open access
closed access
hybrid access
restrictive access
Author: Bill Buchanan
7
At XYZ Company, the policy for network use requires that
employees log in to a Windows domain controller when they
power on their work computers. Although XYZ does not
implement all possible security measures, outgoing traffic is
filtered using a firewall. Which security model is the
company using?
A
B
C
D
open access
closed access
hybrid access
restrictive access
Author: Bill Buchanan
7
8 Which three of these are common causes of persistent
vulnerabilities in networks? (Choose three.)
new exploits in existing software
misconfigured hardware or software
poor network design
changes in the TCP/IP protocol
changes in the core routers on the Internet
end-user carelessness
Author: Bill Buchanan
A
B
C
D
E
F
8 Which three of these are common causes of persistent
vulnerabilities in networks? (Choose three.)
new exploits in existing software
misconfigured hardware or software
poor network design
changes in the TCP/IP protocol
changes in the core routers on the Internet
end-user carelessness
Author: Bill Buchanan
A
B
C
D
E
F
9. A new network administrator is assigned the task of
conducting a risk assessment of the company's network.
The administrator immediately conducts a vulnerability
assessment. Which important task should the administrator
have completed first?
threat identification
security level application
patch and update deployment
asset identification
perimeter security upgrade
Author: Bill Buchanan
A
B
C
D
E
9. A new network administrator is assigned the task of
conducting a risk assessment of the company's network.
The administrator immediately conducts a vulnerability
assessment. Which important task should the administrator
have completed first?
threat identification
security level application
patch and update deployment
asset identification
perimeter security upgrade
Author: Bill Buchanan
A
B
C
D
E
10.A company deployed a web server on the company DMZ to
provide external web services. While reviewing firewall log
files, the administrator discovered that a connection was
made to the internal e-mail server from the web server in
DMZ. After reviewing the e-mail server logs, the
administrator discovered that an unauthorized account was
created. What type of attack was successfully carried out?
phishing
port redirection
trust exploitation
man-in-the-middle
Author: Bill Buchanan
A
B
C
D
10.A company deployed a web server on the company DMZ to
provide external web services. While reviewing firewall log
files, the administrator discovered that a connection was
made to the internal e-mail server from the web server in
DMZ. After reviewing the e-mail server logs, the
administrator discovered that an unauthorized account was
created. What type of attack was successfully carried out?
phishing
port redirection
trust exploitation
man-in-the-middle
Author: Bill Buchanan
A
B
C
D
11.Users are unable to access a company server. The system
logs show that the server is operating slowly because it is
receiving a high level of fake requests for service. Which
type of attack is occurring?
reconnaissance
access
DoS
worms, viruses, and Trojan horses
Author: Bill Buchanan
A
B
C
D
11.Users are unable to access a company server. The system
logs show that the server is operating slowly because it is
receiving a high level of fake requests for service. Which
type of attack is occurring?
reconnaissance
access
DoS
worms, viruses, and Trojan horses
Author: Bill Buchanan
A
B
C
D
12.Which two are examples of Distributed Denial of Service
attacks? (Choose two.)
SYN Flood
Stacheldraht
Ping of Death
Smurf
WinNuke
Targa.c
Author: Bill Buchanan
A
B
C
D
E
F
12.Which two are examples of Distributed Denial of Service
attacks? (Choose two.)
SYN Flood
Stacheldraht
Ping of Death
Smurf
WinNuke
Targa.c
Author: Bill Buchanan
A
B
C
D
E
F
13.Which two of these are examples of DDoS network attacks?
(Choose two.)
smurf attack
Tribal Flood Network (TFN)
teardrop.c
man-in-the-middle attack
port redirection
social engineering
Author: Bill Buchanan
A
B
C
D
E
F
13.Which two of these are examples of DDoS network attacks?
(Choose two.)
smurf attack
Tribal Flood Network (TFN)
teardrop.c
man-in-the-middle attack
port redirection
social engineering
Author: Bill Buchanan
A
B
C
D
E
F
14.Which Cisco tool can be used to convert Cisco PIX Security
Appliance conduit statements to equivalent access-list
statements?
Cisco AutoSecure
Output Interpreter
Cisco Router Audit Tool
Microsoft Baseline Security Analyzer
PIX Outbound/Conduit Conversion Tool
Author: Bill Buchanan
A
B
C
D
E
14.Which Cisco tool can be used to convert Cisco PIX Security
Appliance conduit statements to equivalent access-list
statements?
Cisco AutoSecure
Output Interpreter
Cisco Router Audit Tool
Microsoft Baseline Security Analyzer
PIX Outbound/Conduit Conversion Tool
Author: Bill Buchanan
A
B
C
D
E
15.Which tool is used to test security by rapidly
performing a port scan of a single host or a range
of hosts?
Cisco Router Audit Tool (RAT)
Microsoft Baseline Security Analyzer
Network Mapper (Nmap)
Cisco AutoSecure
Author: Bill Buchanan
A
B
C
D
15.Which tool is used to test security by rapidly
performing a port scan of a single host or a range
of hosts?
Cisco Router Audit Tool (RAT)
Microsoft Baseline Security Analyzer
Network Mapper (Nmap)
Cisco AutoSecure
Author: Bill Buchanan
A
B
C
D
16.Which two are technological weaknesses that can lead to a
breach in an organization's security? (Choose two.)
software compatibility weakness
DHCP security weakness
TCP/IP protocol weakness
operating system weakness
LDAP weakness
Author: Bill Buchanan
A
B
C
D
E
16.Which two are technological weaknesses that can lead to a
breach in an organization's security? (Choose two.)
software compatibility weakness
DHCP security weakness
TCP/IP protocol weakness
operating system weakness
LDAP weakness
Author: Bill Buchanan
A
B
C
D
E
Test 2
Author: Bill Buchanan
Author: Prof Bill Buchanan
1 What is the effect of applying this command to a Cisco
router?
router(config)# no service finger
UNIX commands are disabled on the router.
All TCP/IP services are disabled.
PING usage is disabled.
Users logged into the router remotely will not be able to see
if other users are logged into the router.
Author: Bill Buchanan
A
B
C
D
2 Why does SSH provide better security than Telnet?
Author: Bill Buchanan
A SSH compresses data while Telnet does not compress data.
B SSH encrypts data with private key while Telnet uses public
key.
C SSH encrypts data while Telnet uses clear text in
transmitting data.
D SSH encrypts data with public key while Telnet uses hashing
algorithm.
2 Why does SSH provide better security than Telnet?
Author: Bill Buchanan
A SSH compresses data while Telnet does not compress data.
B SSH encrypts data with private key while Telnet uses public
key.
C SSH encrypts data while Telnet uses clear text in
transmitting data.
D SSH encrypts data with public key while Telnet uses hashing
algorithm.
3 The network administrator of company XYZ likes to secure
routers by disabling the password recovery procedure for
anyone who gains physical access to the router. Which
command would be used to achieve this goal?
router(config)# no rommon-mode
router(config)# no password-recovery
router(config)# no service password-recovery
router(config)# no rommon-password recovery
Author: Bill Buchanan
A
B
C
D
3 The network administrator of company XYZ likes to secure
routers by disabling the password recovery procedure for
anyone who gains physical access to the router. Which
command would be used to achieve this goal?
router(config)# no rommon-mode
router(config)# no password-recovery
router(config)# no service password-recovery
router(config)# no rommon-password recovery
Author: Bill Buchanan
A
B
C
D
4
A partial router configuration is shown in the graphic. The network
administrator adds the following command at the router prompt.
A
B
C
D
Which of the following is correct?
The current password will continue to be used as a valid password
until changed.
No password is required.
The current password is invalid and will not allow a login.
A password that is at least ten characters long must immediately be
implemented for a successful login.
version 12.3
hostname router
line con 0
line aux 0
line vty 0 4
login
password cisco
Author: Bill Buchanan
router(config)# security passwords min-length 10
4
A partial router configuration is shown in the graphic. The network
administrator adds the following command at the router prompt.
A
B
C
D
Which of the following is correct?
The current password will continue to be used as a valid
password until changed.
No password is required.
The current password is invalid and will not allow a login.
A password that is at least ten characters long must immediately be
implemented for a successful login.
version 12.3
hostname router
line con 0
line aux 0
line vty 0 4
login
password cisco
Author: Bill Buchanan
router(config)# security passwords min-length 10
Which two steps are necessary to ensure that your HIDS
and HIPS do not miss any exploits? (Choose two.)
A
upgrade the HIDS and HIPS software as new versions are
released
perform periodic vulnerability assessment
monitor alerts and logs
update signatures on a regular basis
ensure that all security patches are loaded on the host
machine
B
C
D
E
Author: Bill Buchanan
5
Which two steps are necessary to ensure that your HIDS
and HIPS do not miss any exploits? (Choose two.)
A
upgrade the HIDS and HIPS software as new versions are
released
perform periodic vulnerability assessment
monitor alerts and logs
update signatures on a regular basis
ensure that all security patches are loaded on the host
machine
B
C
D
E
Author: Bill Buchanan
5
6 The Security Wheel promotes a continuous
process to retest and reapply updated security
measures. What is the core or “hub” component
of the Security Wheel?
testing policy
monitor
improve
security policy
Author: Bill Buchanan
A
B
C
D
6 The Security Wheel promotes a continuous
process to retest and reapply updated security
measures. What is the core or “hub” component
of the Security Wheel?
testing policy
monitor
improve
security policy
Author: Bill Buchanan
A
B
C
D
After providing for all operational requirements of the
network, the network support team has determined that the
servers should be hardened against security threats so that
the network can operate at full potential. At which stage of
the network life cycle does server hardening occur?
A
B
C
D
E
planning
design
implementation
operation
optimization
Author: Bill Buchanan
7
After providing for all operational requirements of the
network, the network support team has determined that the
servers should be hardened against security threats so that
the network can operate at full potential. At which stage of
the network life cycle does server hardening occur?
A
B
C
D
E
planning
design
implementation
operation
optimization
Author: Bill Buchanan
7
8
What are three major functions performed by the security management
subsystem, CiscoWorks VMS? (Choose three.)
Author: Bill Buchanan
A to manage access control lists for Cisco PIX Security Appliances
B to enforce access control policies between two processes running on a server
C to capture and analyze network traffic, and respond to network intrusions
D to identify sensitive network resources
E to respond to first-stage denial of service network attacks
F to monitor and log access to network resources
8
What are three major functions performed by the security management
subsystem, CiscoWorks VMS? (Choose three.)
Author: Bill Buchanan
A to manage access control lists for Cisco PIX Security Appliances
B to enforce access control policies between two processes running on a server
C to capture and analyze network traffic, and respond to network intrusions
D to identify sensitive network resources
E to respond to first-stage denial of service network attacks
F to monitor and log access to network resources
9
A network administrator has just completed security training
and has decided to change from HIDS to HIPS to protect
hosts. Which of these would be a major advantage gained
from the change?
Author: Bill Buchanan
A HIPS does not require host-based client software.
B HIPS would prevent the need to update signature files as often.
C HIPS would be able to prevent intrusions.
D HIPS would consume fewer system resources.
9
A network administrator has just completed security training
and has decided to change from HIDS to HIPS to protect
hosts. Which of these would be a major advantage gained
from the change?
Author: Bill Buchanan
A HIPS does not require host-based client software.
B HIPS would prevent the need to update signature files as often.
C HIPS would be able to prevent intrusions.
D HIPS would consume fewer system resources.
10 A network administrator installs a new stateful firewall.
Which type of security solution is this?
Author: Bill Buchanan
A secure connectivity
B threat defense
C policy enforcement
D trust and identity
E authentication
10 A network administrator installs a new stateful firewall.
Which type of security solution is this?
Author: Bill Buchanan
A secure connectivity
B threat defense
C policy enforcement
D trust and identity
E authentication
11 XYZ Company recently adopted software for installation on
critical servers that will detect malicious attacks as they
occur. In addition, the software will stop the execution of the
attacks and send an alarm to the network administrator.
Which technology does this software utilize?
Author: Bill Buchanan
A host-based intrusion detection
B host-based intrusion protection
C host-based intrusion prevention
D host-based intrusion notification
11 XYZ Company recently adopted software for installation on
critical servers that will detect malicious attacks as they
occur. In addition, the software will stop the execution of the
attacks and send an alarm to the network administrator.
Which technology does this software utilize?
Author: Bill Buchanan
A host-based intrusion detection
B host-based intrusion protection
C host-based intrusion prevention
D host-based intrusion notification
12 A security team is charged with hardening network devices.
What must be accomplished first before deciding how to
configure security on any device?
Author: Bill Buchanan
A Audit all relevant network devices.
B Document all router configurations.
C Create or update security policies.
D Complete a vulnerability assessment.
12 A security team is charged with hardening network devices.
What must be accomplished first before deciding how to
configure security on any device?
Author: Bill Buchanan
A Audit all relevant network devices.
B Document all router configurations.
C Create or update security policies.
D Complete a vulnerability assessment.
13
On a Monday morning, network engineers notice that the log files on the
central server are larger than normal. Examining the log reveals that the
majority of the entries are from sensors deployed on the perimeter of the
network. The logs reveal that a worm attack was successfully stopped by
the perimeter devices. Based on this information, which of these
technologies is this company using?
Author: Bill Buchanan
A NIDS using passive technology
B HIPS using passive technology
C NIDS using active technology
D HIDS using passive technology
E HIPS using active technology
13
On a Monday morning, network engineers notice that the log files on the
central server are larger than normal. Examining the log reveals that the
majority of the entries are from sensors deployed on the perimeter of the
network. The logs reveal that a worm attack was successfully stopped by
the perimeter devices. Based on this information, which of these
technologies is this company using?
Author: Bill Buchanan
A NIDS using passive technology
B HIPS using passive technology
C NIDS using active technology
D HIDS using passive technology
E HIPS using active technology
14 Which two objectives must a security policy accomplish?
(Choose two.)
Author: Bill Buchanan
A provide a checklist for the installation of secure servers
B describe how the firewall must be configured
C document the resources to be protected
D identify the security objectives of the organization
E identify the specific tasks involved in hardening a router
14 Which two objectives must a security policy accomplish?
(Choose two.)
Author: Bill Buchanan
A provide a checklist for the installation of secure servers
B describe how the firewall must be configured
C document the resources to be protected
D identify the security objectives of the organization
E identify the specific tasks involved in hardening a router
15 Which router command will result in the router only
accepting passwords of 16 characters or more?
Author: Bill Buchanan
A service password-encryption
B enable secret min-length 16
C security passwords min-length 16
D security passwords max-length 16
15 Which router command will result in the router only
accepting passwords of 16 characters or more?
Author: Bill Buchanan
A service password-encryption
B enable secret min-length 16
C security passwords min-length 16
D security passwords max-length 16
16 Which command will encrypt all passwords in the router
configuration file?
Author: Bill Buchanan
A enable secret
B password encrypt all
C enable password-encryption
D service password-encryption
E no clear-text password
16 Which command will encrypt all passwords in the router
configuration file?
Author: Bill Buchanan
A enable secret
B password encrypt all
C enable password-encryption
D service password-encryption
E no clear-text password
17 MD5 can be used for authenticating routing protocol
updates for which three protocols? (Choose three.)
Author: Bill Buchanan
A RIPv1
B RIPv2
C IGRP
D EIGRP
E BGP
17 MD5 can be used for authenticating routing protocol
updates for which three protocols? (Choose three.)
Author: Bill Buchanan
A RIPv1
B RIPv2
C IGRP
D EIGRP
E BGP
Which configuration will allow an administrator to access the console port using a
password of password?
A
router(config)# line aux 0
router(config-line)# login
router(config-line)# password password
router(config)# line console 0
router(config-line)# login
router(config-line)# password password
router(config)# line console 0
router(config-line)# password password D
router(config)# line console 0
router(config-line)# access
router(config-line)# password password
router(config)# line vty 0
router(config-line)# password password
router(config)# line vty 0
router(config-line)# access
router(config-line)# password password
B
C
D
E
F
Author: Bill Buchanan
18
Which configuration will allow an administrator to access the console port using a
password of password?
A
router(config)# line aux 0
router(config-line)# login
router(config-line)# password password
router(config)# line console 0
router(config-line)# login
router(config-line)# password password
router(config)# line console 0
router(config-line)# password password D
router(config)# line console 0
router(config-line)# access
router(config-line)# password password
router(config)# line vty 0
router(config-line)# password password
router(config)# line vty 0
router(config-line)# access
router(config-line)# password password
B
C
D
E
F
Author: Bill Buchanan
18
19 Which command sets the inactivity timer, for a particular line
or group of lines, to four minutes and fifteen seconds?
router(config)# line-timeout 4 15
router(config-line)# line-timeout 4 15
router(config-line)# exec-timeout 255
router(config-line)# timeout 255
router(config-line)# exec-timeout 4 15
router(config-line)# line-timeout 255
Author: Bill Buchanan
A
B
C
D
E
F
19 Which command sets the inactivity timer, for a particular line
or group of lines, to four minutes and fifteen seconds?
router(config)# line-timeout 4 15
router(config-line)# line-timeout 4 15
router(config-line)# exec-timeout 255
router(config-line)# timeout 255
router(config-line)# exec-timeout 4 15
router(config-line)# line-timeout 255
Author: Bill Buchanan
A
B
C
D
E
F
20 Which encryption type uses the MD5 hash
algorithm?
Author: Bill Buchanan
A Type 0
B Type 1
C Type 5
D Type 7
20 Which encryption type uses the MD5 hash
algorithm?
Author: Bill Buchanan
A Type 0
B Type 1
C Type 5
D Type 7
21 Real-time intrusion detection occurs at which stage of the
Security Wheel?
Author: Bill Buchanan
A securing stage
B monitoring stage
C testing stage
D improvement stage
E reconnaissance stage
21 Real-time intrusion detection occurs at which stage of the
Security Wheel?
Author: Bill Buchanan
A securing stage
B monitoring stage
C testing stage
D improvement stage
E reconnaissance stage
22 Which privilege level has the most access to the Cisco
IOS?
Author: Bill Buchanan
A level 0
B level 1
C level 7
D level 15
E level 16
F level 20
22 Which privilege level has the most access to the Cisco
IOS?
Author: Bill Buchanan
A level 0
B level 1
C level 7
D level 15
E level 16
F level 20
Author: Bill Buchanan
Which algorithm implements stateful connection control
through the PIX Security Appliance?
A
B
C
D
E
Network Address Translation
Algorithm Access Control
Security Algorithm Adaptive
Security Algorithm
Spanning Tree Protocol Algorithm
Author: Bill Buchanan
1
Once the SDM startup wizard has been completed for the
first time, which two are required on a host PC for
connection to the Cisco router via HTTP or HTTPS using
SDM? (Choose two.)
A
B
C
D
E
F
IP address from 10.10.10.2 to 10.10.10.254
IP address from 10.0.0.2 to 10.0.0.254
IP address from 10.10.10.1 to 10.10.10.254
SSL capability
Java and JavaScript enabled on the browser
VPN connection
Author: Bill Buchanan
2
The Cisco Security Device Manager (SDM) allows
administrators to securely configure supported routers by
using which security protocol in Microsoft Internet Explorer?
A
B
C
D
E
IPSec
SSL
SSH
L2TP
PPTP
Author: Bill Buchanan
3
The network administrator for a small technology firm needs
to implement security on the network. The administrator
needs a PIX Security Appliance that will handle three
Ethernet interfaces. Which PIX model would be the best
choice for the company?
A
B
C
D
506E
515E
525
535
Author: Bill Buchanan
4
What is the maximum number of licensed users supported
by the Cisco 501 Security Appliance?
A
B
C
D
E
F
25
100
250
1000
2500
unlimited
Author: Bill Buchanan
5
A network administrator has received a Cisco PIX Security Appliance from another
division within the company. The existing configuration has IP addresses that will
cause problems on the network. What command sequence will successfully clear all
the existing IP addresses and configure a new IP address on ethernet0?
A
pix1(config)# clear ip all
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2
pix1(config)# clear ip
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 255.255.255.0
pix1(config)# no ip address
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 255.255.255.0
pix1(config)# clear ip
pix1(config)# interface ethernet0
pix1(config-if)# ip address 192.168.1.2 0.0.0.255
B
C
D
Author: Bill Buchanan
6
A network team is configuring a Cisco PIX Security Appliance for
NAT so that local addresses are translated. The team is creating a
global address pool using a subnet of network 192.168.5.0 with a
27-bit mask. What is the proper syntax to set up this global
address pool?
A
B
C
D
E
F
pix1(config)# global (inside) 1 192.168.5.33-192.168.5.62
pix1(config)# global (outside) 1 192.168.5.33-192.168.5.62
pix1(config)# global (inside) 1 192.168.5.65-192.168.5.95
pix1(config)# global (outside) 1 192.168.5.65-192.168.5.95
pix1(config)# global (inside) 1 192.168.5.64-192.168.5.127
pix1(config)# global (outside) 1 192.168.5.65-192.168.5.127
Author: Bill Buchanan
7
8 Which command displays the value of the
activation key?
write net
show version
show terminal
show configure
Author: Bill Buchanan
A
B
C
D
A network administrator has configured an access control
list on the Cisco PIX Security Appliance that allows inside
hosts to ping outside hosts for troubleshooting. Which
debug command can be used to troubleshoot if pings
between hosts are not successful?
A
B
C
D
debug icmp inside outside
debug ping
debug icmp trace
debug trace icmp
Author: Bill Buchanan
9
10 Which protocol provides time synchronization?
STP
TSP
NTP
SMTP
L2TP
Author: Bill Buchanan
A
B
C
D
E
11 Which command would configure a PIX Security
Appliance to send syslog messages from its
inside interface to a syslog server with the IP
address of 10.0.0.3?
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)#
syslog inside 10.0.0.3
logging inside 10.0.0.3
syslog host inside 10.0.0.3
logging host inside 10.0.0.3
Author: Bill Buchanan
A
B
C
D
12 The configuration in the graphic has been entered into a
PIX Security Appliance with three interfaces. The interfaces
are inside, outside, and DMZ. What source address range
will the traffic from inside devices use when they access
devices in the DMZ?
10.0.0.1 to 10.0.0.254
172.16.0.20 to 172.16.0.254
172.16.0.1 to 172.16.0.254
192.168.0.20 to 192.168.0.254
10.0.0.1 to 10.255.255.254
Author: Bill Buchanan
A
B
C
D
E
13 What source IP address will the traffic from devices in the
10.0.2.0 network have when they leave the trusted
network?
D
192.168.0.8 always
192.168.0.9 always
192.168.0.8 if ports are available, or 192.168.0.9 if
192.168.0.8's ports are exhausted
192.168.0.9 if ports are available, or 192.168.0.8 if
192.168.0.9's ports are exhausted
Author: Bill Buchanan
A
B
C
14 The commands in the graphic have been entered into a PIX
Security Appliance. Which two statements are accurate
descriptions of what will happen to outgoing traffic when it leaves
the trusted network? (Choose two.)
B
C
D
E
The source IP address will be from a pool of addresses in the
192.168.0.3 to 192.168.0.254 range.
The source port will be a random port above port 1023.
The source IP address will be 192.168.0.2 for all outgoing traffic.
The source port will be port 1024.
The source IP address will be in the range 10.0.0.1 to
10.0.255.254.
Author: Bill Buchanan
A
15 Which three are requested by the Cisco PIX
Security Appliance setup dialog? (Choose three.)
domain name
outside IP address
inside IP address
hostname
date and time
Author: Bill Buchanan
A
B
C
D
E
16 Interface Ethernet3 on a PIX Security Appliance has been
configured with three subinterfaces to pass tagged traffic
from three different VLANs. What protocol will be used to
tag the VLAN traffic?
ISL
802.1x
VTP
802.1q
Author: Bill Buchanan
A
B
C
D
17 Which two commands will configure a static default route on
the PIX Security Appliance in the network shown in the
graphic? (Choose two.)
route inside outside 0.0.0.0 0.0.0.0 172.16.0.2 1
route outside 0.0.0.0 0.0.0.0 172.16.0.2 1
ip route inside outside 0 0 192.168.0.2 1
route outside 0 0 172.16.0.2 1
ip route inside outside 0 0 172.16.0.2 1
route outside 0 0 192.168.0.2 1
Author: Bill Buchanan
A
B
C
D
E
F
18 Which command will produce output, similar to
that shown in the graphic, to verify the installation
of a FWSM on a router?
show port
show module
show firewall
show interface
Author: Bill Buchanan
A
B
C
D
Author: Bill Buchanan
Test 4
How are transactions between a RADIUS client and a
RADIUS server authenticated?
A
by using a shared secret which is never sent over the
network
by hashing the secret using MD5 and then sending it over
the network
by hashing the secret using MD4 and then sending it over
the network
by using a clear-text password and then sending it over the
network
B
C
D
Author: Bill Buchanan
1
2
The S/KEY system involves three main components. There
is a client and a host. What is the third component?
A
B
C
D
a plain text password
a password calculator
a public and private key
biometric authentication
Author: Bill Buchanan
Client, host, password calculator
3 RADIUS uses which transport layer protocol?
IP
TCP
UDP
ICMP
DLC
Author: Bill Buchanan
A
B
C
D
E
4 Which authentication method is susceptible to
playback attacks?
passwords using S/KEY
passwords using token card
passwords requiring periodic change
passwords using one-time password technology
Author: Bill Buchanan
A
B
C
D
5 Which authentication method sends passwords
over the network in clear text yet protects against
eavesdropping and password cracking attacks?
authentication with FTP
authentication with Telnet
authentication with S/KEY
authentication in POP3 e-mail
Author: Bill Buchanan
A
B
C
D
After a security audit, network managers realized that the
authentication method used by their telecommuting
employees needed to be improved. They set up a server
and installed client software on the employee laptops of
their remote users. They also provided a device for each
remote user that generated a password every time they
needed to make a remote network connection. Which
A
B
C
D
authentication technology does this process describe?
authentication with S/KEY authentication with token card
authentication with encrypted password
authentication with compressed password
Author: Bill Buchanan
6
7 What function does a digital certificate offer to
information security?
authorization
accounting
nonrepudiation
intrusion prevention
Author: Bill Buchanan
A
B
C
D
Bookline Inc., an online bookstore, recently installed a web server
running Microsoft Windows 2003 Server. Where should the
company obtain a digital signature for the web server in order to
assure customers that they are connecting to Bookline's server
and not an impersonating web server?
A
a digital signature generated by the CA in Microsoft's corporate
headquarters
a digital signature generated by the CA from a trusted third party
a digital signature generated by the CA from a government agency
a digital signature generated by any CA that establishes a secure
connection
B
C
D
Author: Bill Buchanan
8
A large law firm wishes to secure dialup access to its
corporate network for employees working at home. Since
much of the data to be transmitted is highly confidential, the
firm requires a high level of encryption and also prefers that
each component of AAA be provided separately. Which
security protocol best meets these requirements?
A
B
C
D
TACACS
XTACACS
TACACS+
RADIUS
Author: Bill Buchanan
9
10 Which two statements are true of Cisco Identity Based
Networking Services (IBNS)? (Choose two.)
Cisco IBNS uses Cisco-proprietary protocols.
Cisco IBNS is a standards-based solution.
Cisco IBNS associates users with physical ports.
Cisco IBNS associates policies with physical ports.
Cisco IBNS associates policies with users.
Author: Bill Buchanan
A
B
C
D
E
11 The administration manager has decided to implement Network
Admission Control (NAC) on the corporate network. The Cisco
Trust Agent software and NAC-compliant routers and switches
have been installed. Which two additional NAC components are
required to implement the NAC solution? (Choose two.)
access control policy server
TACACS+ server
NAC cosponsor application server
VPN systems
remote access server
posture validation management system
Author: Bill Buchanan
A
B
C
D
E
F
12 What are three reasons TACACS+ is preferred over
RADIUS for authentication services? (Choose three.)
E
F
RADIUS has limited name space for attributes.
RADIUS is not an industry supported standard.
TACACS+ encrypts the entire TACACS+ packet.
TACACS+ authentication is included with more recent
Windows Server versions.
TACACS+ separates authentication and authorization.
RADIUS uses TCP as a transport protocol creating
additional overhead.
Author: Bill Buchanan
A
B
C
D
13 A static username/password authentication method is
susceptible to which three types of attacks? (Choose three.)
playback
theft
teardrop
syn flood
eavesdropping
Author: Bill Buchanan
A
B
C
D
E
14 Company security policy requires the use of a centralized
AAA server for network access authentication. Which two
protocols are supported by the AAA server? (Choose two.)
IPSec
SSL
RADIUS
TACACS+
SSH
Author: Bill Buchanan
A
B
C
D
E
15 Which three are functions of AAA? (Choose three.)
accounting
availability
authentication
architecture
authorization
accessibility
Author: Bill Buchanan
A
B
C
D
E
F
Test 4
16 A network administrator wishes to use port-level
authentication technology to determine network access and
assign IP addresses from different DHCP pools to
authenticated and unauthenticated users. What
standardized framework supports this objective?
IEEE 802.1x
IEEE 802.11af
IEEE 802.1q
IEEE 802.1p
Author: Bill Buchanan
A
B
C
D
Author: Bill Buchanan
Test 5
Test 5
1 What will be the result of executing the command
in the graphic?
Author: Bill Buchanan
A The default login method will use TACACS+ only.
B TACACS+ accounting will be enabled at login.
C The enable password will be used if a TACACS+
server is not available.
D The default TACACS+ user shell will be enabled.
2
A network administrator is setting up a computer to run
Cisco Secure ACS to support a Cisco VPN 3000
concentrator. Which protocol does the administrator need to
enable on CSACS?
A
B
C
D
E
MD5
HMAC
RADIUS
TACACS+
IEEE 802.1X
Author: Bill Buchanan
Test 5
3
Which AAA service reduces IT operating costs by providing
detailed reporting and monitoring of network user behavior,
and also by keeping a record of every access connection
and device configuration change across the network?
A
B
C
D
authentication
accreditation
accounting
authorization
Author: Bill Buchanan
Test 5
4
Cisco Secure ACS can use a number of databases for
username and password authentication. Which three
databases does Cisco Secure ACS support? (Choose
three.)
A
B
C
D
E
Windows 2000 server user database
NDS database
Windows 2000 server authentication database
Microsoft Access database
Cisco Secure ACS user database
Author: Bill Buchanan
Test 5
5
After Cisco Secure ACS is implemented, users report that
they are restricted from accessing the network. The Cisco
Secure ACS switches and routers are communicating
properly. What is the first step for troubleshooting the
problem?
A
B
Execute debug commands on the router.
Check the available logs in CSACS Reports and Activity
for abnormalities.
Verify that the administrator has an account allowing remote
access to the CSACS.
Verify that the CSACS user database is enabled.
C
D
Author: Bill Buchanan
Test 5
Test 5
6 What tool should you use to add a single user
account to the Cisco Secure ACS for Windows
user database?
database replication
Unknown User Policy
RDBMS Synchronization
Cisco Secure ACS HTML interface
Author: Bill Buchanan
A
B
C
D
7
Which two actions are available when using the Cisco
Secure ACS database replication features? (Choose two.)
A
update of configuration items from a late release to an
earlier release of Cisco Secure ACS
bidirectional database replication between a primary and a
secondary Cisco Secure ACS
scheduled replication of part of the database from a primary
to a secondary Cisco Secure ACS
export of configuration items from a primary to a secondary
Cisco Secure ACS
B
C
D
Author: Bill Buchanan
Test 5
8
Refer to the exhibit. Which two services can the network
access server use to direct requests from the remote user
to the Cisco Secure ACS authentication service? (Choose
two.)
A
B
C
D
E
CSAuth
CSUtil
RADIUS
RDBMS
TACACS+
Author: Bill Buchanan
Test 5
Test 5
9
RTA(config)# tacacs-server key 2bor!2b@?
RTA(config)# tacacs-server host 10.1.2.4
RTA(config)# tacacs-server host 10.1.2.5
What will be the effect of these commands on router RTA?
B
C
D
The TACACS+ server is now authenticating for the hosts 10.1.2.4 and
10.1.2.5.
The TACACS+ server key has been exported to the hosts 10.1.2.4 and
10.1.2.5.
The TACACS+ servers 10.1.2.4 and 10.1.2.5 and the router have been set
to share the same authentication key.
The TACACS+ servers are 10.1.2.4 and 10.1.2.5 and the configuration
adds router RTA as a third TACACS+ server
Author: Bill Buchanan
A
Test 5
10
RTA(config)# aaa new-model
RTA(config)# aaa authentication login default group tacacs+ enable
After entering the configuration shown, the administrator loses the
connection to the router before having the chance to create a new
TACACS+ account. What is the easiest way for the administrator to regain
administrative access to router RTA?
B
C
D
Connect to the router, and use the default TACACS+ username and
password.
Erase NVRAM, and redo the configuration from scratch.
Connect to the router, and supply the enable password.
Perform a password recovery procedure on the router.
Author: Bill Buchanan
A
Test 5
11 Which two user databases does Cisco Secure ACS for
Windows use to authenticate users? (Choose two.)
external user database with appropriate API
RADIUS user database
TACACS+ user database
Windows 2000 Server user database
Windows XP user database
Author: Bill Buchanan
A
B
C
D
E
Test 5
12 An information technology organization uses Cisco Secure
ACS for Windows Server version 3.2. The system
administrators want to provide a method for users to
change their own passwords without intervention from the
IT organization. What is required to allow users to change
passwords with a web-based utility?
Enable UCP on Windows 2000 Server.
Configure a Microsoft IIS 4.0 or later.
Enable UCP on Cisco Secure ACS for Windows.
Configure IIS logging with the user Secure ACS password.
Author: Bill Buchanan
A
B
C
D
Test 5
13 Which tool is used to set up CSACS for Windows
Server after the initial installation is completed?
web browser
telnet session
command line interface on the Windows server
router configured as an AAA client
Author: Bill Buchanan
A
B
C
D
Test 5
14 Which basic user-network security protocol is
supported by Cisco Secure ACS and requires a
single log in by users?
CHAP
IPSec
RADIUS
PAP
Author: Bill Buchanan
A
B
C
D
Test 5
15 In the Cisco Secure ACS Windows architecture
CSRadius provides communication between
RADIUS AAA clients and which service?
CSAdmin
CSAuth
CSLog
CSMon
Author: Bill Buchanan
A
B
C
D
Test 5
16 There are five ways to create user accounts in the Cisco
Secure ACS for Windows 2000 Servers. Which two support
importing user accounts from external sources? (Choose
two.)
Cisco Secure ACS HTML interface
Unknown User Policy
RDBMS Synchronization
CSUtil.exe
Database Replication
Author: Bill Buchanan
A
B
C
D
E
Author: Bill Buchanan
Test 6
1
Which command associates the group MYGROUP with the
AAA server using the TACACS+ protocol?
A
B
C
D
Pixfirewall(config)# aaa-server MYGROUP tacacs+ protocol
Pixfirewall(config)# aaa-server protocol tacacs+ MYGROUP
Pixfirewall(config)# aaa-server tacacs+ protocol MYGROUP
Pixfirewall(config)# aaa-server MYGROUP protocol tacacs+
Author: Bill Buchanan
Test 6
2
Which configuration command defines the association of
initiating HTTP protocol traffic with an authentication proxy
name MYPROXY?
A
B
C
D
Router(config)# ip auth-proxy MYPROXY http
Router(config)# auth-proxy MYPROXY ip http
Router(config)# ip auth-proxy name MYPROXY http
Router(config)# auth-proxy name MYPROXY ip http
Author: Bill Buchanan
Test 6
Test 6
3
With the following configuration command, how long does
the PIX Security Appliance try to access the AAA server
10.0.1.10 before choosing the next AAA server if there is no
response from 10.0.1.10?
aaa-server MYTACACS (inside) host 10.0.1.10 secretkey
12 seconds
15 seconds
20 seconds
30 seconds
Author: Bill Buchanan
A
B
C
D
Test 6
4 Which command will enable AAA services on a
router?
Router(config)# aaa enable
Router(config)# aaa new-model
Router(config)# aaa set enable
Router(config)# aaa new-model enable
Author: Bill Buchanan
A
B
C
D
5
What is the default timeout in minutes for the inactivity-timer
parameter of the ip auth-proxy command?
A
B
C
D
E
15
30
45
60
90
Author: Bill Buchanan
Test 6
Test 6
6
The network administrator configured the aaa authorization command
below on the PIX Security Appliance. What is the effect of this command?
pix(config)# aaa authorization include tcp/22 outside 0.0.0.0 0.0.0.0 0.0.0.0
0.0.0.0 auth1
FTP traffic from outside is subject to authorization by the AAA server.
SSH traffic from outside is subject to authorization by the AAA server.
HTTP traffic from outside is subject to authorization by the AAA server.
SMTP traffic from outside is subject to authorization by the AAA server.
Author: Bill Buchanan
A
B
C
D
7
Which type of authentication is being used when
authentication is required via the PIX Security Appliance
before direct traffic flow is allowed between users and the
company web server?
A
B
C
D
access authentication
console access authentication
cut-through proxy authentication
tunnel access authentication
Author: Bill Buchanan
Test 6
Test 6
8
What will be the effect in the router after these configuration commands are entered?
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
B
C
D
An authentication proxy rule called aprule is created making all authentication proxy
services available only through the ethernet0 interface.
An authentication proxy rule called aprule has been created for the HTTP protocol
and is associated with the ethernet0 interface.
An authentication proxy rule called aprule has been created for all protocols except
the HTTP protocol and is associated with the ethernet0 interface.
An authentication proxy rule called aprule has been created for the HTTP server
running internally to the router and is associated with anyone attempting to access the
web server from the ethernet0 interface.
Author: Bill Buchanan
A
9
When Cisco IOS Firewall authentication proxy is enabled, a user
sends HTTP traffic which will trigger the authentication proxy.
What is the first action taken by the proxy?
A
B
The user will be asked to supply a valid username and password.
The TACACS+ server will be contacted to see if the user is a valid
user.
The authentication proxy will check to see if the user has already
been authenticated.
If the authentication proxy has no user account for the user, it will
check to see if a default guest user has been defined.
C
D
Author: Bill Buchanan
Test 6
10
A TACACS+ server is configured to provide authentication, authorization, and accounting. The IP
address of the server is 192.168.50.1, and the AAA authentication encryption key is S3crtK3y.
Which command sequence will configure a Cisco router to communicate with the TACACS+ server?
A
Router(config)# aaa new-model
Router(config)# aaa authentication default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# aaa tacacs-server host 192.168.50.1
Router(config)# aaa tacacs-server key S3crtK3y
Router(config)# aaa enable
Router(config)# aaa authentication default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# tacacs-server host 192.168.50.1
Router(config)# tacacs-server key S3crtK3y
Router(config)# aaa enable
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# aaa tacacs-server host 192.168.50.1
Router(config)# aaa tacacs-server key S3crtK3y
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# tacacs-server host 192.168.50.1
Router(config)# tacacs-server key S3crtK3y
B
C
D
Author: Bill Buchanan
Test 6
11
The lead network administrator notices that unknown users have made
router configuration changes. These changes are adversely affecting the
network. Which command can be entered on the router to help identify
future configuration changes and who made these changes?
A
B
C
D
aaa accounting
show uauth
aaa accounting console
aaa accounting match
Author: Bill Buchanan
Test 6
Test 6
12
Refer to the exhibit. Since ABC, Inc. is strengthening security, a PIX Security
Appliance firewall must be configured with AAA services. Accounting should be
provided for all FTP and HTTP traffic from any host to the WWW server at
192.168.2.10.
Which command sequence would successfully process the desired traffic to the
NY_ACS accounting server?
B
C
C
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
pixfirewall(config)# aaa accounting match 110 outside NY_ACS
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
pixfirewall(config)# aaa accounting access-list 110 outside 10.0.0.2
pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 10.0.0.2 eq http
pixfirewall(config)# aaa accounting match 110 outside NY_ACS
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
pixfirewall(config)# access-list 110 permit tcp any host 192.168.2.10 eq http
pixfirewall(config)# aaa accounting match 110 outside 10.0.0.2
Author: Bill Buchanan
A
Test 6
13 Which command displays the current authenticated users, the host
IP to which they are bound, and any cached IP and port
authorization information on a Cisco PIX Security Appliance
configured for AAA?
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)#
show aaa all
show uauth
show aaa statistics
show aaa-server
Author: Bill Buchanan
A
B
C
D
Test 6
14 Which two are functions of accounting on the PIX Security
Appliance? (Choose two.)
to track user activities on the PIX.
to control administration of the PIX.
to control user access to the PIX.
to create records that are stored on a designated AAA server.
to build and maintain tunnel sessions with the PIX.
Author: Bill Buchanan
A
B
C
D
E
Test 6
15
Refer to the exhibit. An administrator enters the following configuration to
collect accounting statistics for all HTTP traffic to the web server through a
PIX Security Appliance.
fwl(config)# access-list 110 permit tcp any host 192.168.0.2 eq www
fwl(config)# aaa accounting match 110 outside Web_Server
The statistics are to be logged to an accounting server as shown in the
exhibit. However, after starting the accounting, no data is being logged to
the NY_ACS server.
D
Author: Bill Buchanan
A
B
C
What changes to the configuration must the administrator make to correct
the problem?
Change “192.168.0.2” to “10.0.0.2” in the access-list configuration line.
Change “host 192.168.0.2” to “any” in the access-list configuration line.
Change “Web_Server” to “NY_ACS” in the aaa-accounting configuration
line.
Change “outside” to “inside” in the aaa-accounting configuration line.
16
A user has initiated an HTTP session through a firewall and has been
authenticated by an authentication proxy. They have not generated any
traffic in a while and the idle timer has expired for that user. What will the
user have to do to allow them to go through the firewall again?
A
B
C
D
The user can manually restart the idle timer.
The user can simply TFTP their user profile to the proxy.
The user must wait two minutes before initiating another session.
The user can re-authenticate and initiate another HTTP session through
the firewall.
Author: Bill Buchanan
Test 6
Author: Bill Buchanan
Test 7
1
IEEE 802.1x can be used to authenticate users for wireless
access to network resources. Which protocol has Cisco
incorporated into its Wireless Security Suite to provide
mutual authentication between the client and the
authentication server?
A
B
C
D
CHAP
EAP
PAP
WEP
Author: Bill Buchanan
Test 7
2
Which two sections of Cisco Secure ACS can be used to
configure RADIUS profiles? (Choose two.)
A
B
C
D
E
Interface Setup
Server Setup
Group Setup
Network Setup
User Setup
Author: Bill Buchanan
Test 7
Test 7
A
B
C
D
A network team has been tasked to develop a Cisco Secure
ACS solution for port-based authentication. The network
operation center for all three regions is located at Region 1.
What is the best solution to ensure availability to a Cisco
Secure ACS for port-based authentication?
Install a centralized primary and secondary authentication
server at Region 1, which Region 2 and 3 will use for
authentication.
Install a primary authentication server at each region and
use one of the authentication servers from another region
for redundancy.
Install a primary authentication server at Region 1 for
Region 2 and 3 to authenticate, and install a secondary
authentication server at Region 2 and 3 for redundancy.
Install a primary authentication server at each region and a
secondary authentication server at Region 1 for the network
operation center clients only.
Author: Bill Buchanan
3
4
Port-based authentication is implemented as shown in the
graphic. What protocol will be required for the client-toswitch connection and the switch-to-Cisco Secure ACS
communications?
A
B
C
D
ISL; RADIUS
802.1x; RADIUS
802.1q; TACACS+
L2TP; TACACS+
Author: Bill Buchanan
Test 7
5
In configuring 802.1x authentication method with the aaa
authentication dot1x command, at least one of which two
possible options must be entered to create a default list
when a named list is not specified on a Catalyst switch?
(Choose two.)
A
B
C
D
group tacacs+
group radius
local
none
Author: Bill Buchanan
Test 7
6
A network administrator wants to configure a Catalyst
switch to use a RADIUS server at 172.16.23.31 or a backup
RADIUS server at 172.16.23.32 if the first server is
unavailable. The administrator wants to use the default
RADIUS UDP port and a shared key of Rad4Me. Which
configuration will accomplish this goal?
A
Switch(config)# radius-server auth-port 1812 key Rad4Me host
172.16.23.31
Switch(config)# radius-server auth-port 1812 key Rad4Me host
172.16.23.32
Switch(config)# radius-server host 172.16.23.31 auth-port 1812
key Rad4Me
Switch(config)# radius-server host 172.16.23.32 auth-port 1812
key Rad4Me
Switch(config)# radius-server host 172.16.23.31 172.16.23.32 key
Rad4Me auth-port 1812
Switch(config)# radius-server host 172.16.23.31 key Rad4Me
auth-port 1812
Switch(config)# radius-server host 172.16.23.32 key Rad4Me
auth-port 1812
B
C
D
Author: Bill Buchanan
Test 7
7
The dot1x port-control auto interface configuration
command has been configured on the Catalyst 2950 shown
in the graphic. What is the effect of this command when the
link between the switch and the end user becomes active?
A
The end user initiates authentication by sending an EAPOLstart frame once it receives an EAP request from the switch.
The authentication server initiates authentication after being
notified that the link is active.
The switch initiates authentication with the end user.
The switch automatically places the connected port in an
authorized state.
B
C
D
Author: Bill Buchanan
Test 7
8
Refer to the graphic. A small company purchased a Cisco
Aironet access point to provide wireless connectivity to staff
members. Since other companies in the office complex use
wireless, the network support staff wants to be certain that
only authorized users access the company network through
the new access point. For simplicity, they also want a
protocol that is used by Aironet wireless access points,
requires no certificates, and supports mutual authentication
using the logon password for each user. Which protocol
should be used?
A
B
C
D
EAP-MD5
EAP-TLS
LEAP
PEAP
Author: Bill Buchanan
Test 7
9
What are three characteristics of PEAP? (Choose three.)
A
B
C
authored by Cisco Systems, Microsoft, and RSA Security
relies on a shared secret for authentication
requires digital certificates for authentication of servers and
users
supports mutual authentication
transports authentication messages through an encrypted
tunnel
uses a one-way hash of passwords
D
E
F
Author: Bill Buchanan
Test 7
Test 7
10 If an administrator attempts to configure a switch with
802.1x port-based authentication, which three port types will
display an error message? (Choose three.)
static access ports
trunk ports
dynamic ports
ports on the same VLAN
secure ports
ports on different VLANs
Author: Bill Buchanan
A
B
C
D
E
F
Test 7
11 Refer to the graphic. During 802.1x port-based
authentication, each frame exchanged between the end
user and the Catalyst 2950 is encapsulated with a frame
header. For what protocol are these frames encapsulated?
Ethernet
RADIUS
EAP
PPP
IP
Author: Bill Buchanan
A
B
C
D
E
Test 7
12 Which three conclusions can be made based on the
configuration below? (Choose three.)
Switch# configure terminal
Switch(config)# interface fastethernet0/12
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x re-authentication
Switch(config-if)# dot1x timeout re-authperiod 180
B
C
D
E
F
Users connected to the switch will need to be
reauthenticated after three hours.
Users connected to the switch will need to be
reauthenticated after three minutes.
The switch has been configured for 802.1x authentication.
Port 12 of the switch is not a trunk port.
Port 12 of the switch is not a static port.
Port 12 of the switch is a dynamic-access port.
Author: Bill Buchanan
A
Author: Bill Buchanan
Test 8
1
Which command will turn off CBAC alert messages to the
console?
A
B
C
D
router(config)# ip inspect alert-off
router(config)# no ip inspect alert
router(config)# no ip inspect alert-off
router(config)# ip inspect alert log-only
Author: Bill Buchanan
Test 8
2
The timeout value in the ip inspect name command is
configured in which units?
A
B
C
D
seconds
milliseconds
microseconds
minutes
Author: Bill Buchanan
Test 8
3
What does CBAC look for when inspecting TCP sequence
numbers?
A
CBAC uses the sequence numbers to defragment the full
packet.
CBAC checks that the sequence numbers are within an
expected range.
CBAC rejects packets that arrive at an unusually high
sequence rate.
CBAC matches the source sequence numbers to the
destination sequence numbers.
B
C
D
Author: Bill Buchanan
Test 8
4
Which statement is correct concerning CBAC inspection
rules?
A
Alert, audit-trail, and timeout are configurable per protocol
and override corresponding global settings.
Alert, audit-trail, and timeout are only globally configurable.
Alert, audit-trail, and timeout are not configurable globally.
Alert, audit-trail, and timeout are configurable only for TCP.
B
C
D
Author: Bill Buchanan
Test 8
5
Which statement is true concerning CBAC and
fragmentation inspection rules?
A
An inspection rule instructing the router to fragment packets
should always be utilized.
A fragmentation rule forces fragments to be buffered until
the corresponding initial fragment is received.
A fragmentation rule forces non-initial fragments to be
discarded unless the initial fragment was allowed to pass.
A fragmentation rule should not be used on exterior
gateways.
B
C
D
Author: Bill Buchanan
Test 8
6
A network administrator needs to configure the router to
redirect incoming HTTP requests to a web server at port
8020. Which command should be used?
A
B
C
D
Router(config)# ip port-map http eq 8020
Router(config)# ip port-map http port 8020
Router(config)# ip port-map port 8020 http
Router(config)# ip port-map port 8020 eq http
Author: Bill Buchanan
Test 8
7
The IT department has decided to offer web and FTP
services using TCP port 8000. The web server IP address is
192.168.3.4 and the FTP server IP address is 192.168.5.6.
What commands are required to configure the perimeter
router to redirect the web and FTP traffic?
A
Router(config)# access-list 10 permit 192.168.5.6
Router(config)# access-list 20 permit 192.168.3.4
Router(config)# ip port-map http port 8000 list 10
Router(config)# ip port-map ftp port 8000 list 20
Router(config)# access-list 10 permit 192.168.3.4
Router(config)# access-list 20 permit 192.168.5.6
Router(config)# ip port-map ftp port 8000 list 10
Router(config)# ip port-map http port 8000 list 20
Router(config)# access-list 10 permit 192.168.3.4
Router(config)# access-list 20 permit 192.168.5.6
Router(config)# ip port-map http port 8000 list 10
Router(config)# ip port-map ftp port 8000 list 20
Router(config)# access-list 10 permit 192.168.3.4
Router(config)# access-list 20 permit 192.168.5.6
Router(config)# ip port-map http list 10 port 8000
Router(config)# ip port-map ftp list 20 port 8000
B
C
D
Author: Bill Buchanan
Test 8
8
The graphic shows a client opening a Telnet session to a
remote host. Which ACL entry will be created by CBAC to
allow traffic to return to complete a successful Telnet
connection?
A
access-list 110 permit udp host 10.0.0.5 eq 23 host
192.168.2.50 eq 2447
access-list 110 permit tcp host 10.0.0.5 eq 23 host
192.168.2.50 eq 2447
access-list 110 permit tcp host 192.168.2.50 eq 23 host
10.0.0.5 eq 2447
access-list 110 permit tcp host 10.0.0.5 eq 2447 host
192.168.2.50 eq 23
B
C
D
Author: Bill Buchanan
Test 8
9
CBAC is configured on the router shown in the graphic, the
statement shown in the graphic is included in access control
list 101, and the access control list is applied to interface
s0/0 as shown. Single-channel TCP inspection is not
included in the CBAC inspection rule. What will happen if
the workstation tries to send a Telnet packet to the Internet?
A
The packet will be forwarded by the router as soon as it
matches the ACL statement.
The packet will be dropped by the router when no match is
found in CBAC.
The packet will be forwarded by the router, but return Telnet
traffic will not be allowed.
The packet will be forwarded after CBAC inspection
determines that Telnet is an allowed protocol.
B
C
D
Author: Bill Buchanan
Test 8
Test 8
10 Which filtering technology maintains complete connection
information for each TCP or UDP connection and logs the
information in a session flow table?
packet filtering
stateful filtering
ACL directional filtering
URL filtering
Author: Bill Buchanan
A
B
C
D
Test 8
11 Which filtering technology is often effective but can be
circumvented using packet fragmentation?
packet filtering
stateful filtering
URL filtering
ACL directional filtering
Author: Bill Buchanan
A
B
C
D
Test 8
12 What is the result of the command shown below?
Router(config)# ip inspect name tester icmp alert on
audit-trail on timeout 30
B
C
D
inspects ICMP traffic and sends any alert and audit
messages to the log file on tester
inspects IP traffic and sends an ICMP alert and audit
message to tester if an outgoing IP packet is not
acknowledged within 30 seconds
inspects ICMP traffic and maintains state information on
common types of ICMP traffic
inspects ICMP traffic and maintains state information
according to the tester rule set
Author: Bill Buchanan
A
Test 8
A
B
C
D
E
Refer to the graphic. If the complete configuration CBAC on CorpFW is
correctly entered, which two statements describe the outcome of the
completed configuration? (Choose two.)
CBAC will delete all half-open connections necessary to accommodate
new connections after 300 users have accessed the servers within the last
six minutes.
CBAC will delete all half-open connections necessary to accommodate
new connections after 150 users have accessed the FTP servers within
the last six minutes.
CBAC will delete all half-open connections necessary to accommodate
new connections after more than 300 users have half-open attempts to
reach the corporate web server within the last minute.
CBAC will delete all half-open connections necessary to accommodate
new connections after 150 users have accessed the network within the last
minute.
CBAC will stop deleting half-open connections after fewer than 150 users
have accessed the network within the last minute.
Author: Bill Buchanan
13
Test 8
14 Which two configurations will protect the FTP server in the DMZ
from DoS attacks? (Choose two.)
B
C
D
E
CorpFW(config)# max-incomplete host 142.22.2.10
CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time
0
CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time
0
CorpFW(config)# ip inspect name Protect ftp timeout 3600
CorpFW(config)# interface FastEthernet 0/0
CorpFW(config-if)# max incomplete host 142.22.2.10
CorpFW(config)# ip inspect max-incomplete high 400
CorpFW(config)# ip inspect max-incomplete low 200
CorpFW(config)# ip inspect tcp max-incomplete host 60 block-time
0
CorpFW(config)# ip inspect udp max-incomplete host 60 blocktime 0
Author: Bill Buchanan
A
Test 8
15 The administrator has two goals. First, the administrator
plans to use CBAC to block encapsulated Java applets from
IP address 172.16.16.1. Then, the administrator plans to
use CBAC to block DoS attacks such as the ping-of-death
from external network. Which goals are accomlished when
the three commands below are entered?
A
B
C
D
The first goal is not accomplished because CBAC cannot
block encapsulated Java applets. The second goal is
accomplished.
The first goal is not accomplished because a subnet mask,
not a wild card mask, must be used. The second goal is
accomplished.
The first goal is accomplished. The second goal is not
accomplished because CBAC provides limited stateful
inspection for ICMP.
Both goals are accomplished.
Author: Bill Buchanan
router(config)# ip access-list 1 deny 172.16.16.1 0.0.0.0
router(config)# ip inspect name FWALL http java-list 1
timeout 120
router(config)# ip inspect name FWALL icmp timeout 50
Test 8
16 Which two are types of port mapping supported by PAM?
(Choose two.)
host
reverse
dynamic
DNS
subnet-specific
Author: Bill Buchanan
A
B
C
D
E
Test 8
17 What is the effect after these two commands are configured
on a router?
router(config)# ip inspect max-incomplete high 300
router(config)# ip inspect max-incomplete low 100
B
C
D
When the combination of half-open TCP and UDP sessions
reaches 300, CBAC begins deleting them.
When the number falls to 100, CBAC stops deleting them.
When the number of half-open sessions per minute reaches
300, CBAC begins deleting them.
When the number falls to 100 per minute, CBAC stops
deleting them. When the number of half-open sessions
reaches 100, CBAC begins deleting them.
When the number of cleared sessions equals 300, CBAC
stops deleting them. When the number of half-open TCP
sessions reaches 300, CBAC begins deleting them. When
the number falls to 100, CBAC stops deleting them.
Author: Bill Buchanan
A
Test 8
18 What is indicated if two endpoints in a connection receive
reset packets from CBAC?
D
A session has ended by CBAC's proxy fin method.
A DoS attack has been halted by CBAC's threshold method.
Sequence checking has occured using CBAC's state table
method.
Spoofing has been prevented using CBAC's session
checking method
Author: Bill Buchanan
A
B
C
Test 8
19 What happens when the following commands are
executed?
router(config)# no ip inspect udp idle-time 45
router(config)# ip inspect dns-timeout 10
C
D
The router will not manage any inactive UDP connections.
The only UDP connections that the router will manage are
DNS connections.
The router proxies DNS requests and manages them for 10
seconds.
The router will manage UDP connections for 30 seconds
and DNS connections for 10.
Author: Bill Buchanan
A
B
Author: Bill Buchanan
Test 9
1
Which three statements describe the use of ACLs on a
Cisco PIX Security Appliance? (Choose three.)
A
ACLs are used to restrict outbound traffic flowing from a
lower to a higher security level interface.
ACLs are used to restrict outbound traffic flowing from a
higher to a lower security level interface.
If no ACL is attached to an interface, inbound traffic is
permitted by default unless explicitly denied.
If no ACL is attached to an interface, outbound traffic is
permitted by default unless explicitly denied.
Cisco PIX Security Appliance ACLs use a wildcard mask
like Cisco IOS ACLs.
Cisco PIX Security Appliance ACLs use a regular subnet
mask unlike Cisco IOS ACLs.
B
C
D
E
F
Author: Bill Buchanan
Test 9
Test 9
2 The Cisco PIX Security Appliance allows the use
of network, protocol, service and ICMP-type
object grouping with ACLs. Which statement
describes the service object group?
Author: Bill Buchanan
A It is used to group client hosts, server hosts, or
subnets.
B It is used to group protocols, such as IP, TCP, and
UDP.
C It is used to group TCP or UDP port numbers.
D It is used to group ICMP message types.
Test 9
3 which three channels are used by RTSP
applications in standard RTP mode? (Choose
three.)
master control channel
RTP data channel
TCP control channel
RDT data channel
RTP resend channel
RTCP reports
Author: Bill Buchanan
A
B
C
D
E
F
Test 9
4 What is the effect when the command shown in
the graphic is configured on a Cisco PIX Security
Appliance?
Author: Bill Buchanan
A ActiveX objects are allowed to local host
192.168.2.5 only.
B ActiveX objects are sent to a filtering server at
192.168.2.5.
C ActiveX objects are blocked on all inbound
connections to local host 192.168.2.5.
D ActiveX objects are blocked from local host
192.168.2.5 to all outbound connections.
Test 9
5 A network administrator is considering a URLfiltering application server to work with the Cisco
PIX Security Appliance running OS version 6.2.
Which application would support the filtering of
URL strings longer than 1159 bytes?
N2H2
Websense
either Websense or N2H2
any URL-based filtering application
Author: Bill Buchanan
A
B
C
D
Test 9
6 What is the function of the service-policy
command within the Modular Policy Framework?
defines a set of services set by policies
enables a set of policies on an interface
identifies traffic flows according to services
groups a set of policies according to services
Author: Bill Buchanan
A
B
C
D
Test 9
7 Which two commands are used to deny a specific
SNMP version and then enable SNMP application
inspection on a Cisco PIX Security Appliance?
(Choose two.)
snmp-map
snmp inspect
inspect snmp
inspect snmp-map
snmp-map inspect
Author: Bill Buchanan
A
B
C
D
E
Test 9
8 The Cisco PIX Security Appliance with software
version 6.2 or higher has eliminated the need for
the alias command when configuring NAT
translation of IP addresses imbedded in DNS
messages. Which two commands can now
support NAT translation of DNS messages, so
that the alias command is no longer required?
(Choose two.)
dns-route
nat
route-map
static
dns
Author: Bill Buchanan
A
B
C
D
E
9
A network administrator configured a Cisco PIX Security
Appliance to limit connections to the application server at
192.168.10.5. Which configuration identifies traffic flows for
the application server?
A
PIX(config)# access-list 125 permit tcp any host
192.168.10.5
PIX(config)# class-map APP_Server
PIX(config-cmap)# match any
PIX(config)# access-list 125 permit tcp any host
192.168.10.5
PIX(config)# service-policy APP_Server
PIX(config-smap)# match access-group 125
PIX(config)# access-list 125 permit tcp any host
192.168.10.5
PIX(config)# policy-map APP_Server
PIX(config-pmap)# match access-list 125
PIX(config)# access-list 125 permit tcp any host
192.168.10.5
PIX(config)# class-map APP_Server
PIX(config-cmap)# match access-list 125
B
C
D
Author: Bill Buchanan
Test 9
Test 9
A
B
C
D
object-group host 3HOSTS
network-object host 10.1.1.1
network-object host 10.1.1.2
network-object host 10.1.1.3
object-group network 3HOSTS
network-object host 10.1.1.1
network-object host 10.1.1.2
network-object host 10.1.1.3
object-group network 3HOSTS
host-object host 10.1.1.1
host-object host 10.1.1.2
host-object host 10.1.1.3
object-group host 3HOSTS
host-object host 10.1.1.1
host-object host 10.1.1.2
host-object host 10.1.1.3
Author: Bill Buchanan
10 A network administrator wants to configure an object group
to permit hosts 10.1.1.1, 10.1.1.2, and 10.1.1.3 access to
network servers. Which commands must be entered to
correctly configure an object group for the three hosts?
Test 9
11 A network administrator has created the object
group 10HOSTS to allow ten hosts access to
specific network services. Which command does
an administrator use to verify that the object
group has been configured successfully?
show access-list
show host-group
show 10HOSTS
show object-group
Author: Bill Buchanan
A
B
C
D
Test 9
12 Which two statements describe the object-group
and group-object commands? (Choose two.)
Author: Bill Buchanan
A The object-group command is a subcommand of
the group-object command.
B The object-group command defines which type of
object group will be created.
C The object-group command can contain other
group objects.
D The group-object command can contain object
groups of different types.
E The group-object command enables the
construction of hierarchical, or nested, object
groups.
Test 9
13 Which command is used to enable a Turbo ACL after it has
been configured in global configuration mode?
pixfirewall(config)# access-list compiled
pixfirewall(config)# ip access-list compiled
pixfirewall(config)# access-group ACL_ID turbo
pixfirewall(config)# access-list compiled ACL_ID
Author: Bill Buchanan
A
B
C
D
Test 9
14 Refer to the graphic. What is the result when the
network administrator enters the command
shown?
fw1(config)# access-list aclout line 4 permit tcp
any host 192.168.0.9 eq www
Author: Bill Buchanan
A It will replace the existing line 4 in the ACL.
B It will push the current ACL line 4 and all of the
lines that follow down one line.
C It will require the ACL to be deleted and rewritten
because it cannot be inserted as line 4.
D It will be appended to the end of the ACL, and the
current line 4 will be deleted.
Test 9
15 Refer to the configuration shown in the graphic.
Both commands have been entered into the
Cisco PIX Security Appliance. Why might the
administrator have chosen to allow ICMP
unreachable traffic to be permitted at the outside
interface?
Author: Bill Buchanan
A Denying ICMP unreachable traffic will disable
routing updates.
B ICMP unreachable traffic is required by web
browsers.
C Denying ICMP unreachable traffic can halt PPTP
and IPSec traffic.
D ICMP unreachable traffic is required for ACLs to
work properly.
Test 9
16 Which two URL-filtering applications can be used
with the PIX Security Appliance? (Choose two.)
IIS
Websense
NetSensor
N2H2
Author: Bill Buchanan
A
B
C
D
Test 9
17 Why would Service object groups be placed in an
access list?
Author: Bill Buchanan
A A Service object group is used to indicate either
the source or the destination port in an access
list.
B A Service object group is used in place of the
keyword ip, tcp, udp or icmp.
C A Service object group is used in place of source
or destination server address.
D A Service object group is used in place of listing
individual servers that offer the same service.
Author: Bill Buchanan
Test 9
Test 10
1 A network administrator wants to configure an
access switch to protect it from being exploited by
attackers sending BPDUs through PortFastenabled ports. Which command implements this
security option by putting any attacked port in an
error-disabled state?
Author: Bill Buchanan
A Switch(config)# spanning-tree portfast
bpdudisable default
B Switch(config)# spanning-tree portfast bpduerror
default
C Switch(config)# spanning-tree portfast bpdufilter
default
D Switch(config)# spanning-tree portfast bpduguard
default
Test 10
2 As shown in the graphic, an intruder has
connected to ports on two different access
switches and wishes to spoof as the root bridge.
What would the attacker send in the indicated
direction to complete this exploit?
Author: Bill Buchanan
A BPDUs with a lower bridge priority
B BPDUs with a higher bridge priority
C VTP frames with a lower VLAN identity
D VTP frames with a higher VLAN identity
Test 10
3 A Cisco Catalyst switch is configured as shown in
the graphic. Which type of attack is the network
administrator trying to prevent?
ping flood
CAM table overflow
MAC spoofing
DHCP starvation
Author: Bill Buchanan
A
B
C
D
4
Which three statements describe a CAM table overflow
attack? (Choose three.)
A
The limitations of the switch software image are exploited
via flooding of frames.
The limitations of the fixed hardware of the CAM table are
exploited via flooding of MAC addresses.
The limitations of the switch memory cause the switch to
operate like a hub in response to overflowing traffic.
The configuration of VLANs on the switch minimizes the
exploit by containing the flood of traffic to the VLAN
supporting the attacker.
The impact of the CAM table overflow attack can be
lessened with the implementation of macof.
The limitation of CAM table size causes the switch to flood
traffic to all VLANs under CAM table overflow attack.
B
C
D
E
F
Author: Bill Buchanan
Test 10
Test 10
5 Which two commands can be used to verify port
security configuration? (Choose two.)
Switch# show cam
Switch# show buffer
Switch# show port-security interface interface_id
Switch# show vlan vlan_id port-security
Switch# show port-security vlan vlan_id
Author: Bill Buchanan
A
B
C
D
E
Test 10
Author: Bill Buchanan
6 Which type of attack involves an attacking system
becoming a member of all VLANs?
..
A switch spoofing
B double tagging
C private proxy
D trunk spoofing
7
A
B
C
D
The hosts shown in the graphic and all other hosts in the same IP network
are members of private VLAN 3 and, by design, should be unable to
communicate at Layer 2. What ACL can be configured on the gateway
router and applied to interface Fa0/1 to ensure that hosts on the private
VLAN are unable to communicate with each other at Layer 3 but are still
able to communicate with other networks?
Router(config)# access-list 135 deny ip any 192.168.20.0 0.0.0.255
Router(config)# access-list 135 permit ip any any
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 135 out
Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255 any
Router(config)# access-list 135 permit ip any any
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 135 in
Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255
192.168.20.0 0.0.0.255
Router(config)# access-list 135 permit ip any any
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 135 out
Router(config)# access-list 135 deny ip 192.168.20.0 0.0.0.255
192.168.20.0 0.0.0.255
Router(config)# access-list 135 permit ip any any
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 135 in
Author: Bill Buchanan
Test 10
Test 10
8
Which statement describes the purpose of the configuration
shown below?
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 3
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 30
B
C
D
It is meant to disable any hosts that are attached to VLAN 3
and are configured for DHCP configuration rather than
static IP addresses.
It is meant to disable any rogue DHCP servers that are
attached to VLAN 3.
It is meant to monitor VLAN 3 for DHCP attacks that will
deplete the DHCP pool.
It is meant to monitor VLAN 3 and disable any hosts that
are using static IP addresses rather than DHCP addresses.
Author: Bill Buchanan
A
Test 10
9 Which type of output would be produced on a
switch after entering the command?
Switch# show ip dhcp snooping binding
Author: Bill Buchanan
A DHCP servers on the snooped network
B DHCP clients on all DHCP snooped switches on
the network
C DHCP clients connected to DHCP snooped ports
on the switch
D all active protocols on all DHCP clients connected
to DHCP snooped ports on the switch