Exam 400-251: IT Certification Guaranteed, The Easy Way!

Exam : 400-251

Title : CCIE Security Written Exam


(v5.0)

Vendor : Cisco

Version : V17.35

NO.1 Drag and drop the FireAMP Connector policy types from the left onto the correct functions on
the right

Answer:

Explanation
1-C,2-A,3-D,4-B,5-E

NO.2 A device on your internal network is hard-coded with two DNS servers on the Internet
(1.1.1.53, 2.2.2.53).
However, you want to send all requests to your OpenDNS server (208.67.222.222). Which set of
commands do you run on the ASA to achieve this goal?
A. static (inside,outside) source any 1.1.1.53 destination 208.61.222.222 eq domain
static (inside,outside) source any 2.2.2.53 destination 208.67.222.222 eq domain
B. static (inside,outside) source any 208.67.222.222 destination 1.1.1.53 eq domain
static (inside,outside) source any 208.67.222.222 destination 2.2.2.53 eq domain
C. static (inside,outside) source any destination 208.61.222.222 eq domain
D. static (outside,inside) source any 208.67.222.222 destination 1.1.1.53 eq domain
static (outside,inside) source any 208.67.222.222 destination 2.2.2.53 eq domain
E. net (inside,outside) source any 1.1.1.53 destination 208.61.222.222 eq domain
net (inside,outside) source any 2.2.2.53 destination 208.67.222.222 eq domain
E. object network OpenDNS
host 208.67.222.222
!
object network Rogue1-DNS
host 1.1.1.53
object network Rogue2-DNS
host 2.2.2.53
!
object-group network Rogue-DNS
network-object object Rogue1-DNS
network-object object Rogue2-DNS
!
object service udp-DNS
service udp destination eq domain
!
object service tcp-DNS
service tcp destination eq domain
!
nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service udp-DNS udp-DNS
nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service tcp-DNS tcp-DNS
F. nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service udp-DNS udp-DNS
nat (inside,outside) source static any interface destination static Rogue-DNS OpenDNS service tcp-DNS tcp-DNS
G. object network OpenDNS
host 208.67.222.222
!
object network Rogue1-DNS
host 1.1.1.53
object network Rogue2-DNS
host 2.2.2.53
!
object-group network Rogue-DNS
network-object object Rogue1-DNS
network-object object Rogue2-DNS
!
object service udp-DNS
service udp destination eq domain
!
object service tcp-DNS
service tcp destination eq domain
!
nat (inside,outside) source static any interface destination static OpenDNS Rogue-DNS service udp-DNS udp-DNS
nat (inside,outside) source static any interface destination static OpenDNS Rogue-DNS service tcp-DNS tcp-DNS
Answer: F

NO.3 Which statement is correct regarding the SenderBase functionality?

A. ESA sees a high negative score from SenderBase as very unlikely that the sender is sending spam.
B. SenderBase uses DNS-based blacklists as one of the sources of information to define the reputation score of the sender's IP address.
C. WSA uses SenderBase information to configure URL filtering policies.
D. ESA uses destination address reputation information from SenderBase to configure mail policies.
E. SenderBase uses spam complaints as one of the sources of information to define the reputation score of the receiver IP address.
F. ESA sees a high positive score from SenderBase as very likely that the sender is sending spam.
Answer: B

NO.4 For your enterprise ISE deployment, you are looking to use certificate-based authentication for all your Windows machines. You have already gone through the exercise of pushing the machine and user certificates out to all the machines using GPO. Since certificate-based authentication, by default, doesn't check the certificate against Active Directory or require credentials from the user, this essentially means that no groups are returned as a part of the authentication request. What are the possible ways to authorize the user based on Active Directory group membership?
A. Configure the Windows supplicant to use saved credentials as well as certificate-based
authentication
B. Enable Change of Authorization on the deployment to perform double authentication
C. Use EAP authorization to retrieve group information from Active Directory
D. The certificate should be configured with the appropriate attributes which contain appropriate
group information, which can be used in Authorization policies
E. Use ISE as the Certificate Authority, which will then allow automatic group retrieval from Active
Directory to perform the required authorization
F. Configure Network Access Device (NAD) to bypass certificate-based authentication and push
configured user credentials as a proxy to ISE
Answer: F

NO.5 Refer to the exhibit.

It has been reported that an IP Phone is not able to establish connectivity after performing port authentication. Which possible issue is the reason?
A. Possible issue with the access list applied on the port
B. Due to multiple device authentication enabled on port
C. Authentication order should be reversed
D. Possible issue with dhcp pool configuration
E. Possible issue with the session OACL
F. Due to multiple domain authentication enabled on port
Answer: D

NO.6 You have an ISE deployment with 2 nodes that are configured as PAN and MnT (Primary and Secondary), and 4 Policy Services Nodes. How many additional PSNs can you add to this deployment?

A. 3
B. 0
C. 5
D. 1
E. 4
F. 2
Answer: D

NO.7 Which statement is true regarding an X.509 certificate?

A. The version number in the certificate is the OS version of the CA
B. The Subject Distinguished Name in the certificate is of the entity who issued the certificate
C. The algorithm in the certificate is used by the issuer to sign the certificate
D. The serial number in the certificate is common across the certificates issued by the same CA
E. The algorithm in the certificate is used by the subject to encrypt the traffic
F. The Issuer Distinguished Name in the certificate is of the entity to which the certificate is issued
Answer: C

NO.8 What will be used by WSA to apply the policies when identification is based on ISE?
A. SGT
B. proprietary protocol over TCP/8302
C. SXP
D. RADIUS
E. EAP
F. RPC
Answer: A

NO.9 An organization is deploying FTD in the data center. Products applications have been
connected; however, ping tests to resources firewall has two interfaces, INSIDE and OUTSIDE. The
problem might testing scenario is from the OUTSIDE. Which two commands can be the situation and
determine where the issue might be? (Choose two)
A. Packet-tracer input Outside <Protocol>< Destination IP><Source
B. Packet-tracer input Outside <Protocol><Source IP><Source Port
C. Packet-tracer input Inside <Protocol>< Destination IP><Source
D. Packet-tracer input Inside <Protocol>< Destination IP>< Destination
E. Packet-tracer input Outside <Protocol>< Destination IP>< Destination
F. Packet-tracer input Inside <Protocol>< Source IP>< Source Port
Answer: B F

NO.10 Refer to the exhibit.

What could be the reason for Dot1x session failure?

A. Incorrect identity source referenced
B. Incorrect authorization permission
C. Incorrect authentication rule
D. Identity source has the user present but not enabled
E. Incorrect authorization condition
F. Incorrect user group
G. Incorrect user string
Answer: D

NO.11 In FMC, which two elements can the correlation rule be based on ? (Choose two)
A. Malware detection
B. Database type
C. Change of Authorization
D. Authorization rule
E. Security Group Tag mapping
F. Network deviation from normal profile
G. Network Device Admission Control
H. Authentication condition
Answer: A F

NO.12 Which statement is an advantage of network segmentation?

A. It enables efficient network monitoring due to a flat network
B. It takes less time to design a complex network with segmentation as one of the critical
requirements
C. It allows flat network design for better security implementation
D. It allows efficient containment of a security incident as the effect will be limited to local subnet
E. It improves network performance by having broadcast traffic not limited to local subnets
F. It allows users to access the resource even though they won't need to for better visibility
Answer: D

NO.13 Which statement about Dynamic ARP Inspection is true?

A. It is supported only in DHCP environments to detect invalid ARP requests and responses
B. It requires that DHCP snooping be enabled to build a valid binding database
C. It validates ARP requests and responses on untrusted ports using the MAC address table
D. It validates ARP requests and responses on trusted ports using IP-to-MAC address bindings
E. It forwards invalid ARP responses and requests on switch untrusted ports
F. It drops invalid ARP responses and requests on the switch trusted ports
Answer: B

NO.14 Which three transports have been defined for SNMPv3? (Choose three.)
A. DTLS
B. SSH
C. TLS
D. SSL
E. IPsec secured tunnel
F. GET
Answer: A B C

NO.15 Refer to the exhibit.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 20.1.2.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.22.1 255.255.255.0
!
interface Management0/0
management-only
nameif mgmt
security-level 100
ip address 150.1.7.55 255.255.255.0
!
access-list ccieacls webtype permit url http://server.cisco.com:80 log default
!
crypto ca trustpoint ccietrust
enrollment self
subject-name CN=ASA2
serial-number
keypair cciekey
crl configure
!
ssl trust-point ccietrust outside
!
dns domain-lookup inside
dns server-group DefaultDNS
name-server 150.1.7.100
domain-name cisco.com
!
group-policy cciegroup internal
group-policy ciegroup attributes
banner value CCIE Written!
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value servers
filter value ccieacls
!
tunnel-group ccietunnel type remote-access
tunnel-group ccietunnel general-attributes
default-group-policy cciegroup
!
webvpn
enable outside
tunnel-group-list enable
!
crypto ikev2 remote-access trustpoint ccietrust
dynamic-access-policy-record DfltAccessPolicy
username ccie password mflDmeWbPK0tCAwZ encrypted
username ccie attributes
service-type remote-access

ASA2 is configured for the clientless SSL VPN connection with a DNS server at 150.1.7.200 that is reachable only from the Management0/0 interface. The incoming VPN session will be received on the outside interface with authentication credentials Username: ccie, Password: ccie. ASA2 is configured for the self-signed certificate with trustpoint "ccietrust" enabled for the outside interface. It has been reported that resource accessibility is timing out after the VPN connection establishment. What could be the reason?
A. The CA trustpoint "ccietrust" has incorrect keypair
B. The tunnel group is tied up with the incorrect group policy
C. Webvpn needs to be enabled on the management interface
D. Management interface has incorrect security level configured
E. The "ccieacl" should be configured for port 443
F. The domain-lookup should be performed from management interface
G. Incorrect banner value in the group policy
Answer: F

NO.16 What are three pieces of data you should review in response to a supported SSL MITM
attack? (Choose three.)
A. the MAC address of the SSL server
B. the MAC address of the attacker
C. the IP address of the SSL server
D. the X.509 certificate of the attacker
E. the X.509 certificate of the SSL server
F. the DNS name of the SSL server
Answer: C E F

NO.17 Which two statements about uRPF are true? (Choose two)
A. The administrator can configure the allow-default command to force the routing table to use only
the default route
B. In strict mode, only one routing path can be available to reach network devices on a subnet
C. The administrator can use the show cef interface command to determine whether uRPF is enabled
D. The administrator can configure the ip verify unicast source reachable-via any command to enable
the RPF check to work through HSRP routing groups
E. It is not supported on the Cisco ASA security appliance
Answer: B C
Explanation
Reverse Path Forwarding
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

NO.18 Which statement is true about CWS configuration on ASA?

A. Class map is applied on the interface where the traffic will be received for filtering
B. Policy map applied on the interface has the information of filtered traffic and CWS proxies.
C. CWS proxies are defined in the class-map where the traffic to be redirected is identified
D. It is only allowed to define one CWS proxy for redirection
E. The redirection of the identified traffic can only be performed on the interface basis.
Answer: C

NO.19 What are the two different modes in which private AMP cloud can be deployed ? (Choose
two)
A. Air Gap Mode
B. External Mode
C. Internal Mode
D. Public Mode
E. Cloud Mode
F. Cloud Proxy Mode
Answer: A F

NO.20 In your corporate environment, you have various Active Directory groups based on the
organizational structure and would like to ensure that users are only able to access certain resources
depending on which group(s) they belong to. This policy should apply across the network. You have
ISE, ASA and WSA deployed, and would like to ensure the appropriate policies are present to ensure
access is only based on the user's group membership. Additionally, you don't want the user to
authenticate multiple times to get access. Which two policies are used to set this up? (Choose two.)
A. Deploy Cisco TrustSec infrastructure, with ASA and WSA integrated with the ISE to transparently
identify user based on SGT assignment, when the user authenticates to the network. The SGTs can
then be used in access policies.
B. Deploy ISE, integrate it with Active Directory, and based on group membership authorize the user
to specific VLANs. These VLANs (with specific subnets) should then be used in access policies on the
ASA as well as the WSA.
C. Deploy a Single Sign-On infrastructure such as Ping, and integrate ISE, ASA and WSA with it. Access
policies will be applied based on the user's group membership retrieved from the authentication
infrastructure.
D. Configure ISE as an SSO Service Provider, and integrate with ASA and WSA using pxGrid. ASA and
WSA will be able to extract the relevant identity information from ISE to apply to the access policies
once the user has authenticated to the network.
E. Integrate ISE, ASA and WSA with Active Directory. Once user is authenticated to the network
through ISE, the ASA and WSA will automatically extract the identity information from AD to apply
the appropriate access policies.
F. Configure ISE to relay learned SGTs for the authenticated sessions with the bound destination address using SXP speakers that will be used to apply access policies at the traffic ingress point for segmentation
Answer: A C

NO.21 Which two descriptions of how the Cisco recommended wireless guest traffic isolation model
works are true? (Choose two.)
A. The foreign controller tunnels the traffic over EoIP to another WLC known as the anchor controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from corporate traffic
B. The anchor controller tunnels the traffic over LWPP to another WLC known as the foreign controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from the corporate traffic
C. The foreign controller then tunnels the traffic over LWAPP to the anchor WLC known as the anchor controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from the corporate traffic
D. The access point that serves the guest sets up an LWAPP tunnel to a WLC controller known as the anchor controller
E. The anchor controller tunnels the traffic over EoIP to another WLC known as the foreign controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from the corporate traffic
F. The access point that serves the guest sets up an EoIP tunnel to a WLC controller known as the foreign controller
G. The access point that serves the guest sets up an LWAPP tunnel to a WLC controller known as the foreign controller
Answer: A G

NO.22 Which option best describes RPL?

A. RPL stands for Routing over low priority links that use link-state LSAs to determine the best route between two root border routers.
B. RPL stands for Routing over low priority links that use a distance vector DODAG to determine the best route between two root border routers.
C. RPL stands for Routing over Low-power Lossy Networks that use link-state LSAs to determine the best route between leaves and the root border router.
D. RPL stands for Routing over Low-power Lossy Networks that use a distance vector DODAG to determine the best route between leaves and the root border router.
Answer: D

NO.23 What technique can an attacker use to obfuscate a malware application payload, allowing it
to bypass standard security mechanisms?
A. Teredo tunneling
B. A PE32 header
C. Steganography
D. BASE64
E. Decryption
Answer: D

NO.24 Drag and drop the FireAMP Connector Policy types from the left on to the correct functions on the right.

Answer:

Explanation
1-3, 2-1, 3-4, 4-2, 5-5

NO.25 Which type of header attack is detected by Cisco ASA basic threat detection?
A. denial by access list
B. bad packet format
C. failed application inspection
D. connection limit exceeded
Answer: B

NO.26 Which three statements about SXP are true? (Choose three)
A. It resides in the control plane, where connections can be initiated from a listener.
B. Packets can be tagged with SGTs only with hardware support.
C. Each VRF supports only one CTS-SXP connection.
D. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP
snooping must be configured.
E. The SGA ZBFW uses the SGT to apply forwarding decisions.
F. Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses.
Answer: B C E

NO.27 Which statement about deploying policies with the Firepower Management Center is true?
A. All policies are deployed on-demand when the administrator triggers them.
B. Deploy tasks can be scheduled to deploy policies automatically.
C. The leaf domain can deploy changes to all subdomains simultaneously.
D. The global domain can deploy changes to individual subdomains.
E. Policies are deployed automatically when the administrator saves them.
Answer: B

NO.28 Which feature does Cisco VSG use to redirect traffic in a Cisco Nexus 1000v Series Switch?
A. VEM
B. VPC
C. VDC
D. vPath
Answer: D

NO.29 Which of the following is one of the requirements for the FTD high availability setup?
A. Units should not have any uncommitted changes of FMC and should be fully deployed
B. Units should have DHCP configured for the interfaces
C. Units should be configured in transparent mode
D. Units should not synchronize using the same NTP source
E. Units should be configured in routed mode
F. Units should be in different domains in FMC
G. Units should have the same major software version running on them, minor and maintenance
version could be different
Answer: A

NO.30 Which two statements about DTLS are true? (Choose two.)
A. If DPD is enabled, DTLS can fall back to a TLS connection.
B. It is disabled by default if you enable SSL VPN on the interface.
C. It uses two simultaneous IPsec tunnels to carry traffic.
D. If DTLS is disabled on an interface, then SSL VPN connections must use SSL/TLS tunnels.
E. Because it requires two tunnels, it may experience more latency issues than SSL connections.
Answer: A D

NO.31 Which command sequence can you enter to enable IP multicast for WCCPv2?
A. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config-if)#ip wccp web-cache redirect out
B. Router(config)#ip wccp web-cache group-list
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
C. Router(config)#ip wccp web-cache service-list
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
D. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache redirect in
E. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
Answer: E

NO.32 Drag the LDAP queries used by ESA to query the LDAP server on the left to their functionality on the right.

Answer:

Explanation
1-5, 2-1, 3-4, 4-2, 5-3

NO.33 Which statement describes a hybrid SDN framework?

A. The data plane is pulled from the networking element and put in an SDN controller
B. The control plane is pulled from the networking element and put in an SDN controller
C. The control plane function is split between an SDN controller and the networking element
D. The control plane and data plane are pulled from the networking element and put in an SDN controller and SDN agent
Answer: C

NO.34 Which two events can cause a failover event on an active/standby setup? (Choose two)
A. The active unit experiences interface failure above the threshold.
B. The unit that was previously active recovers.
C. The stateful failover link fails.
D. The failover link fails.
E. The active unit fails.
Answer: A E

NO.35 Which protocol does ISE use to secure a connection through the Cisco IronPort tunnel infrastructure?
A. HTTP
B. IKEv2
C. TLS
D. SSH
E. SNMP
F. IKEv1
Answer: D

NO.36 Refer to the exhibit.

R1
ntp authentication-key 12 md5 cisco
ntp authenticate
ntp trusted-key 12
ntp source GigabitEthernet
ntp master 1
!
interface GigabitEthernet1
ip address 171.1.7.21 255.255.255.0

R2
ntp authentication-key 12 md5 cisco
ntp authentication-key 102 md5 cisco
ntp authenticate
ntp trusted-key 12
ntp trusted-key 102
ntp server 171.1.7.21 key 102

R2# ping 172.1.7.21
Type escape sequence to abort
Sending 5 100-byte ICMP Echos to 171.1.7.21, timeout is 2 seconds
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/5 ms
R2# sh ntp asso detail
171.1.7.21 configured ipv4, authenticated instance invalid, unsynced, stratum 6 ref ID INIT, time 00000000 0000000 (17:00:00.000 ccie Wed Dec 31, 2017)

R2 is getting time synchronized from NTP server R1. It has been reported that the clock on R2 is not able to associate with the NTP server R1. What could be the possible cause?
A. R2 has incorrect NTP server address
B. R1 has incorrect NTP source interface defined
C. R2 has an incorrect trusted key bound to the NTP server
D. R2 does not support NTP authentication
E. R2 should not have two trusted keys for the NTP authentication
F. R2 has connectivity issue with the NTP server
Answer: C

NO.37 You have an ISE deployment with two nodes that are configured as PAN and MnT (Primary and Secondary), and four Policy Service Nodes. How many additional PSNs can you add to this deployment?
A. 0
B. 1
C. 3
D. 5
E. 4
F. 2
Answer: B

NO.38 What would describe Cisco Virtual Topology System?

A. Package that contains an entire runtime environment
B. An agent that resides on physical devices
C. Web server hosting for NX-OS
D. Overlay provisioning and management solution
Answer: D

NO.39 Which connection mechanism does the eSTREAMER service use to communicate?
A. IPsec tunnels with 3DES or AES encryption
B. TCP over SSL only
C. SSH
D. EAP-TLS tunnels
E. TCP with optional SSL encryption
F. IPsec tunnels with 3DES encryption only
Answer: B

NO.40 Refer to the exhibit.

Which effect of this configuration is true?

A. If the RADIUS server is unreachable, SSH users cannot authenticate.
B. Users must be in the RADIUS server to access the serial console.
C. Users accessing the device via SSH and those accessing enable mode are authenticated against the
RADIUS server
D. All commands are validated by the RADIUS server before the device executes them.
E. Only SSH users are authenticated against the RADIUS server.
Answer: C

NO.41 Which two requirements are necessary to generate the self-signed certificate for SSL VPN deployment using AnyConnect with an IOS router at the headend? (Choose two)
A. Enable WebVPN
B. Generate RSA key pair
C. Install AnyConnect package
D. Enable HTTP server
E. Configure PKI trustpoint
F. Enable CHAP
Answer: B E

NO.42 Which two options are normal functionalities for ICMP? (Choose two)
A. host detection
B. packet filtering
C. relaying traffic statistics to applications
D. path MTU discovery
E. port scanning
F. router discovery
Answer: A D

NO.43 Which statement about the Traffic Substitution and Insertion attack is true?
A. It substitutes by performing action slower than normal not exceeding threshold.
B. It is used for reconnaissance
C. It substitutes payload data in a different format but has the same meaning
D. It is a form of DoS attack
E. It substitutes payload data in the same format but has different meaning
F. It substitutes by performing action faster than normal not exceeding threshold
G. It is a form of pivoting in the network
Answer: C

NO.44 Which statement is correct about MTA, ESA, and LDAP working together?
A. The LDAP initiates a local query to route the incoming messages triggered by ESA.
B. The sending MTA acts on the query results from the LDAP server to route the message.
C. The ESA initiates the LDAP query and acts upon the data received from the LDAP server.
C. The ESA initiates the LDAP query and forwards the results to the sending MTA for routing.
D. The sending MTA initiates the LDAP query and forwards results to ESA for message authentication.
Answer: C

NO.45 Which two statements about 6to4 tunneling are true? (Choose two.)
A. It provides a /128 address block.
B. It supports static and BGPv4 routing.
C. It provides a /48 address block.
D. It supports managed NAT along the path of the tunnel.
E. The prefix address of the tunnel is determined by the IPv6 configuration of the interface.
F. It supports multihoming.
Answer: B C

NO.46 Which of the following is true regarding the failover link when ASAs are configured in failover mode?
A. It is not recommended to use secure communication over the failover link when the ASA is terminating the VPN tunnel
B. Only the configuration replication sent across the link can be secured using a failover key
C. The information sent over the failover link can only be in clear text
D. The information sent over the failover link can be sent in clear text, or it could be secured communication using a failover key
E. A failover key is not required for the secure communication over the failover link
F. The information sent over the failover link can only be sent as a secured communication
Answer: C

NO.47 Refer to the exhibit.


Which effect of this configuration is true?

A. Users attempting to access the console port are authenticated against the TACACS+ server.
B. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails.
C. If TACACS+ authentication fails, the ASA uses Cisco 123 as its default password.
D. The servers in the TACACS+ group are reactivated every 1440 seconds.
E. Any VPN user with a session timeout of 24 hours can access the device.
Answer: A

NO.48 Which statement about EAP chaining is true?

A. It supports RADIUS and TACACS+ authentication
B. It performs authentication on a device-only basis
C. It locks a unique certificate to BYOD devices to differentiate them from corporate-owned devices
D. It requires EAP-FAST authentication
E. By default devices on which EAP chaining is not supported are immediately denied access to the
network
F. It can be deployed in an agentless environment
Answer: D

NO.49 Which command is used to enable 802.1x authorization on an interface?

A. authentication open
B. aaa authorization auth-proxy default
C. authentication control-direction both
D. aaa authorization network default group tacacs+
E. authentication port-control auto
Answer: D

NO.50 Which definition of Machine Access Restriction is true?

A. MAR offers security information and event management
B. MAR provides detailed malware analysis reports
C. MAR identifies threats on the Cisco network by "learning" the topology, configuration and behavior of your environment
D. MAR is a feature introduced into ISE and ACS as a way to verify a successful machine authentication
E. MAR provides user authentication
Answer: D

NO.51 Which two statements about Cisco AMP for Web Security are true? (Choose two.)
A. It can prevent malicious data exfiltration by blocking critical files from exiting through the Web
gateway.
B. It can perform reputation-based evaluation and blocking by uploading the fingerprint of incoming
files to a cloud-based threat intelligence network.
C. It can detect and block malware and other anomalous traffic before it passes through the Web
gateway.
D. It can perform file analysis by sandboxing known malware and comparing unknown files to a local
repository of the threats.
E. It can identify anomalous traffic passing through the Web gateway by comparing it to an established baseline of expected activity.
F. It continues monitoring files after they pass the Web gateway.
Answer: B

NO.52 What are two important guidelines to follow when implementing VTP? (Choose two.)
A. When using secure mode VTP, only configure management domain passwords on VTP servers.
B. Enabling VTP pruning on a server will enable the feature for the entire management domain.
C. All switches in the VTP domain must run the same version of VTP.
D. CDP must be enabled on all switches in the VTP management domain.
E. Use of the VTP multi-domain feature should be restricted to migration and temporary
implementation.
Answer: B C

NO.53 Which two statements about the OpenDNS Anycast network are true? (Choose two.)
A. It ensures that requests are routed to the nearest data center
B. It is simpler and easier to scale than unicast
C. It automatically routes DNS requests to the server with the least load
D. It assigns an unique IP address and an unique hash value to each server, which dramatically
simplifies network management and ensures that failing servers can be identified and taken offline
immediately
E. It defends the network against DDoS attacks by forcing malicious traffic to a single server, which
leaves the remaining servers unaffected
F. It allows multiple servers at multiple locations to be represented by a single IP address
G. It is significantly more secure than unicast, but it may cause some additional latency
Answer: A F

NO.54 Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for
deployments in air-gap mode?
A. The amp-sync tool syncs the threat-intelligence repository on the appliance directly with the AMP
public cloud.
B. The appliance can perform disposition lookup against either the Protect DB or the AMP public
cloud.
C. The appliance can perform disposition lookups against the Protect DB without an Internet
connection.
D. The appliance evaluates files against the threat intelligence and disposition information residing
on the Update Host.
E. The Update Host automatically downloads updates and deploys them to the Protect DB on a daily
basis.
Answer: C

NO.55 Which two statements about the MACsec security protocol are true? (Choose two.)
A. When switch-to-switch link security is configured in manual mode, the SAP operation mode must
be set to GCM.
B. MACsec is not supported in MDA mode.
C. Stations broadcast an MKA heartbeat that contains the key server priority.
D. MKA heartbeats are sent at a default interval of 3 seconds.
E. The SAK is secured by 128-bit AES-GCM by default.
Answer: C E

NO.56 Drag the PCI-DSS requirements on the left to their security controls on the right.

Answer:

Explanation
1-5, 2-1, 3-2, 4-3, 5-4

NO.57 Which statement about password encryption and integrity on a Cisco IOS device is true?
A. The 'service password-encryption' global command performs encryption and hashing of all the passwords
B. The 'enable secret' uses DES for the password hashing
C. The 'service password-encryption' global command encrypts all the passwords except for the CHAP password
D. The enable secret is preferred over enable password because of encryption
E. The 'username <name> secret <password>' command encrypts the password with SHA-256 hashing
F. When 'enable secret' is missing from the configuration, the console session cannot get privileged access using the console password due to missing encryption
Answer: D

NO.58 Refer to the exhibit.

For which type of user is this downloadable ACL appropriate?


A. management
B. employees
C. guest users
D. network administrator
E. onsite contractors
Answer: C

NO.59 Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two)
A. It can establish routing adjacencies.
B. It can perform dynamic routing.
C. It can be added to an existing network without significant reconfiguration.
D. It supports extended ACLs to allow Layer 3 traffic to pass from higher to lower security interfaces.
E. It provides SSL VPN support.
Answer: C D

NO.60 Which two statements about SPAN sessions are true? (Choose two.)
A. A single switch stack can support up to 32 source and RSPAN destination sessions.
B. Source ports and source VLANs can be mixed in the same session
C. They can monitor sent and received packets in the same session.
D. Multiple SPAN sessions can use the same destination port.
E. Local SPAN and RSPAN can be mixed in the same session.
F. They can be configured on ports in the disabled state before enabling the port.
Answer: C F

NO.61 Which three requirements for multicloud customers to connect, protect and consume cloud services are true? (Choose three)
A. Interoperability
B. Networking
C. API integration
D. Software
E. Analytics
F. Security
Answer: B E F

NO.62 Which statement about Nmap scanning on the Cisco Firepower System is true?
A. It can leverage multiple proxy devices to increase scan speed
B. It can scan TCP and UDP ports, but TCP ports require significantly more resources
C. The Fast Port Scan scans only the TCP ports that are listed in the nmap-service file
D. It can scan IP addresses, address blocks, and address ranges on IPv4 and IPv6 networks
E. It supports custom fingerprinting to identify malware by its unique characteristics in your specific
environment
F. It performs host discovery before each scan to identify hosts that are online and skips the full scan
for hosts that are offline
Answer: C

NO.63 On Nexus 9000, in Python interactive mode, which command is correctly used to disable an
interface?
A. cli("conf t ; interface eth1/1 ; shutdown")
B. cli("conf t"), cli("interface eth1/1"), cli("shutdown")
C. cli("interface eth1/1 ; shutdown")
D. cli("conf t"), cli("interface eth1/1 ; shutdown")
Answer: A

NO.64 Which WEP configuration can be exploited by a weak IV attack?


A. When the static WEP password has been stored without encryption.
B. When a per-packet WEP key is in use.
C. When a 64-bit key is in use.
D. When the static WEP password has been given away.
E. When a 40-bit key is in use.
F. When the same WEP key is used to create every packet.
Answer: E

NO.65 Which three statements about WCCP are true? (Choose three.)
A. The minimum WCCP-Fast Timers messages interval is 500 ms
B. If a specific capability is missing from the Capabilities Info component, the router is assumed to support the default capability
C. If the packet return method is missing from a packet return method advertisement, the web cache
uses the Layer 2 rewrite method
D. The router must receive a valid receive ID before it negotiates capabilities
E. The assignment method supports GRE encapsulation for sending traffic
F. The web cache transmits its capabilities as soon as it receives a receive ID from the router
Answer: A C E
Explanation
Web Cache Communication Protocol (WCCP)
http://www.cisco.com/c/en/us/td/docs/security/asa/special/wccp/guide/asa-wccp.html

NO.66 Which two statements about role-based access control are true? (Choose two.)
A. The user profile on an AAA server is configured with the roles that grant user privileges.
B. If the same user name is used for a local user account and a remote user account, the roles
defined in the remote user account override the local user account.
C. Server profile administrators have read and write access to all system logs by default.
D. A view is created on the Cisco IOS device to leverage role-based access controls.
E. Network administrators have read and write access to all system logs by default.
Answer: A D

NO.67 Which statement about VRF-lite implementation in a service provider network is true?
A. It requires multiple links between CE and PE for each VPN connection to enable privacy
B. It uses input interfaces to differentiate routes for different VPNs on the CE device
C. It can only support one VRF instance per CE device
D. It can have multiple VRF instances associated with a single interface on a CE device
E. It supports multiple VPNs at a CE device but their address spaces should not overlap
Answer: B

NO.68 Refer to the exhibit.

The AMP cloud is configured to report AMP connector scan events from a Windows machine belonging to the "Audit" group to the FMC, but the scanned events are not showing up in the FMC. What could be the possible cause?
A. AMP cloud is pointing to incorrect FMC address
B. Possible issues with certificate download from AMP cloud for FMC integration
C. Incorrect group is selected for the events export in AMP cloud for FMC
D. Event should be viewed as "Malware" event in FMC
E. DNS address is misconfigured on FMC
F. FMC is pointing to incorrect AMP cloud address
Answer: D

NO.69 Your customer wants to implement Cisco Firepower IPS and 1 secure policy.
However, a monitoring period of 2 weeks is applied against real traffic without causing an outage
before going in to fu of the default policies as a base and set the policy action to ensure.
Which two policies to achieve these requirements are true?
A. Set IPS policy to trust
B. Set IPS policy to Monitor
C. Base the IPS policy on the default Advanced Security over Connection
D. Base the IPS policy on the default Balanced Security and Connection
E. Base the IPS policy on the default Connectivity over Security
F. Base the IPS policy on the default Security over Connectivity
G. Set IPS Policy to No Drop
Answer: B D

NO.70 Which location for the PAC file on Cisco IronPort WSA is the default?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: A

NO.71 Which two statements about the Cognitive Threat Analytics feature of Cisco AMP for Web
Security are true? (Choose two.)

A. It can locate and identify indicators of prior malicious activity on the network and preserve
information for forensic analysis.
B. It can identify potential data exfiltration.
C. It uses a custom virtual appliance to perform reputation-based evaluation and blocking of
incoming files.
D. It can perform file analysis by sandboxing known malware and comparing unknown files to a local
repository of threats.
E. It can identify anomalous traffic passing through the Web gateway by comparing it to an
established baseline of expected activity.
F. It can identify anomalous traffic within the network by comparing it to an established baseline of
expected activity.
Answer: B F

NO.72 Which statement is true regarding securing a connection using MACsec?


A. It secures connection between two supplicant clients
B. The switch uses session keys to calculate the decrypted packet ICV value for the frame integrity check
C. A switch configured for MACsec can only accept MACsec frames from the MACsec client
D. It is implemented after a successful MAB authentication of supplicant
E. It provides network layer encryption on a wireless network
F. ISAKMP protocol is used to manage MACSec encryption keys
Answer: B

NO.73 Which option happens for traffic analysis in an inline, intrusion prevention and AMP for Firepower deployment?
A. Intrusion policy
B. Security intelligence
C. Access control rule
D. Network discovery policy
E. Network analysis policy
F. File policy
G. SSL policy
Answer: C

NO.74 Which two options are benefits of global ACLs? (Choose two)
A. They save memory because they work without being replicated on each interface.
B. They are more efficient because they are processed before interface access rules.
C. They are flexible because they match source and destination IP addresses for packets that arrive
on any interface.
D. They only operate on logical interfaces.
E. They can be applied to multiple interfaces.
Answer: A C

NO.75 Which two types of IPv6 capabilities does Cisco ISE release 2.0 support? (Choose two.)

A. Enable DHCP for IPv6


B. Ability to add IPv6 addresses in host local table
C. Ability to only detect IPv6 traffic from endpoint
D. Ability to traceroute IPv6
E. Ability to configure IPv6 static routes
Answer: B E

NO.76 Refer to the exhibit.

The FMC with address 161 1 7 16 is not seeing AMP Connector scan events that are reported to the AMP cloud from the test-pc Windows machine that belongs to the "protect" group. Which cause of the issue is true?
A. The Windows machine belongs to an incorrect group in the AMP cloud policy.
B. The FMC was not added in the AMP cloud.
C. The incorrect group is selected for the events export in the AMP cloud for the FMC.
D. The Event must be viewed as a Connection event in the FMC.
E. The AMP cloud was not added in the FMC.
F. The Windows machine is not reporting scan events to the AMP cloud.
G. The Windows machine is not reporting events to the FMC.
Answer: A

NO.77 Which two combinations of nodes are allowed in a Cisco ISE distributed deployment? (Choose two)
A. ISE cluster with eight nodes
B. Pair of passive ISE nodes for automatic failover

C. One or more policy service ISE nodes for session failover standalone
D. Primary and secondary administration ISE nodes for high availability
E. Active and standby ISE nodes for high availability
Answer: B D

NO.78 A server with IP address 209.165.202.150 is protected behind the inside interface of a Cisco ASA, and the Internet is on the outside interface. Users on the Internet need to access the server at any time, but the firewall administrator does not want to apply NAT to the address of the server because it is currently a public address.
Which three of the following commands can be used to accomplish this? (Choose three.)
A. static (outside, inside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
B. nat (inside) 1 209.165.202.150 255.255.255.255
C. static (inside, outside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
D. no nat-control
E. access-list no-nat permit ip host 209.165.202.150 any
nat (inside) 0 access-list no-nat
F. nat (inside) 0 209.165.202.150 255.255.255.255
Answer: C E F

NO.79 Which two characteristics of an IoT network are true? (Choose two)


A. An IoT network must be designed for low-powered devices
B. The transmission rate in an IoT network is consistent
C. IoT networks are 100% reliable
D. IoT networks use IS-IS for routing
E. IoT networks are bandwidth constrained
Answer: A E

NO.80 SAML single sign-on in ISE is supported by which four portals? (Choose four.)
A. Sponsor Portal
B. BYOD Portal
C. Employee Portal
D. Contractor Portal
E. Guest Portal (sponsored and self-registered)
F. My devices Portal
G. Wireless Client Portal
H. Certificate Provisioning Portal
Answer: A E F H

NO.81 When applying MD5 route authentication on routers running RIP or EIGRP, which two
important key chain considerations should be accounted for? (Choose two.)
A. Key 0 of all key chains must match for all routers in the autonomous system.
B. The lifetimes of the keys in the chain should overlap.
C. Routers should be configured for NTP to synchronize their clocks.
D. No more than three keys should be configured in any single chain.
E. Link compression techniques should be disabled on links transporting any MD5 hash.
Answer: B C

NO.82 Which statement is correct regarding password encryption and integrity on a Cisco IOS
device?
A. With "enable secret" missing in the configuration the console session cannot get privilege access
using console password due to missing encryption
B. The "enable password" is preferred over "enable secret" as it uses a stronger encryption algorithm
C. The "service password-encryption" global command encrypts all the passwords except the CHAP
secret
D. The "username <name> secret <password>" command encrypts the password with SHA-256
hashing
E. The "enable secret" uses MD5 for the password hashing
F. The "service password-encryption" global command performs both encryption and hashing of all
the passwords
Answer: E

NO.83 Which security control in PCI-DSS is responsible for restricting cardholder data access?
A. network access policy orchestration using DNAC
B. using strong encryption when sending card holder data over the network
C. identification of security vulnerabilities and their risk analysis
D. real-time traffic analysis for malware using ThreatGRID
E. rapid threat containment of infected host using Lancope and ISE
F. creating user access policies based on the least privilege concept
G. making sure cardholder data is not recoverable after authorization
H. restricting public internet access to cardholder data environment
Answer: F

NO.84 Which statement about ASA clustering requirements is true?


A. Only routed mode is allowed in the single context mode
B. Units in the cluster can be running different software versions as long as they have identical hardware configurations
C. Units in the cluster can have different hardware configurations as long as they are running the same software version
D. Units in the cluster can be in different geographical locations
E. Units in the cluster can be in different security context modes
F. Units in the cluster cannot have different software versions even though they have identical hardware configurations.
Answer: F

NO.85 An employee using an Android phone on your network has disabled DHCP, enabled its firewall, and modified its HTTP User-Agent header to fool ISE into profiling it as a Windows 10 machine connected to the wireless network. This user is now able to get authorization for unrestricted network access using his Active Directory credentials, as your policy states that a Windows device using AD credentials should be able to get full network access, whereas an Android device should only get access to the Web proxy. Which two steps can you take to avoid this sort of rogue behavior? (Choose two.)
A. Create an authentication rule that should only allow session with a specific HTTP User-Agent
header
B. Modify the authorization policy to only allow windows machines that have passed Machine
Authentication to get full network access
C. Add an authorization policy before the Windows authorization policy that redirects a user with a
static IP to a web portal for authentication
D. Chain an authorization policy to the Windows authorization policy that performs additional NMAP
scans to verify the machine type, before allowing access
E. Only allow certificate-based authentication from Windows endpoints, such as EAP-TLS or PEAP-TLS. Should the endpoint use MSCHAPv2 (EAP or PEAP), the user should only be given restricted access.
F. Perform CoA to push a restricted access when the machine is acquiring address using DHCP
Answer: B C

NO.86 Refer to the exhibit.

Customer has opened a case with Cisco TAC replace client supposed to login to the network. Using
MAB is no longer able Looking at the configuration of the switch what could be the possible
A. Issue with the DHCP pool configuration
B. Switch configuration is properly configured and the issue is on the
C. Dot1x should be globally disabled for the MAB to work
D. CoA configuration missing
E. Incorrect CTS configuration on switch
F. VLAN configuration is missing on the authentication port
G. AAA authorization is incorrectly configured
Answer: B

NO.87 Which of the following correctly describes NVGRE functionality?


A. In an NVGRE network the endpoints are not responsible for the NVGRE encapsulation removal
B. It allows creating physical layer-2 topologies on a physical layer-3 network
C. It tunnels PPP frames inside an IP packet over a physical network
D. In an NVGRE network the VSID does not need to be unique
E. It tunnels Ethernet frames inside an IP packet over a virtual network
F. It allows creating physical layer-2 topologies on a virtual layer-3 network
G. In an NVGRE network the VSID is used to identify a tenant's address space
Answer: G

NO.88 Drag and drop the protocols on the left onto their descriptions on the right.

Answer:

Explanation
1-2, 2-4, 3-1, 4-3

NO.89 Which description of the Strobe scan is true?


A. It never opens a full TCP connection. It checks the firewall deployment in the path
B. It relies on ICMP "port unreachable" message to determine if the port is open.
C. It is used to find the ports that already have an existing vulnerability to exploit.
D. It checks the firewall deployment in the path.
E. It is a directed scan to a known TCP/UDP port.
F. It evades network auditing tools.
Answer: C

NO.90 What are two characteristics of RPL, used in IoT environments? (Choose two)
A. It is an Exterior Gateway Protocol
B. It is an Interior Gateway Protocol
C. It is a hybrid protocol
D. It is a link-state protocol
E. It is a distance-vector protocol
Answer: B E

NO.91 Refer to the exhibit.

What are two functionalities of this configuration? (Choose two)


A. Traffic will not be able to pass on gigabitEthernet0/1.
B. The ingress command is used for an IDS to send a reset on vlan 3 only.
C. The source interface should always be a VLAN.
D. The encapsulation command is used to do deep scan on dot1q encapsulation traffic
E. Traffic will only be sent to gigabitEthernet 0/20
Answer: B E

NO.92 Which two limitations of ISE inline posture are true?


A. The Cisco Discovery Protocol is not supported
B. QoS is not supported in a virtual environment
C. The Simple Network Management Protocol agent is not supported
D. Flexible NetFlow is not supported
E. Multicast is not supported
Answer: A C

NO.93 In which two ways does the OpenDNS infrastructure ensure reliability? (Choose two)
A. It ensures redundancy by using at least two telecom carriers at each site
B. It limits caching to reduce the incidence of stale and dead links
C. It uses a self-healing network to protect against individual failures
D. Its networks are geographically integrated to reduce the potential impact of local issues.
E. Regional sites load-balance among one another to prevent bottlenecks
F. It uses multicast routing to ensure that requests are routed to the nearest data center
G. It uses a specialized form of multicast addressing called Geocast ensure the most efficient when a local site goes down
Answer: A G

NO.94 In your network, you require all guests to authenticate to the network before getting access.
However, you don't want to be stuck creating or approving accounts. It is preferred that this is all taken care of by the user, as long as their device is registered. Which two mechanisms can be used to provide this functionality? (Choose two.)
A. Social media login, with device registration
B. Guest's own organization authentication service, with device registration
C. PAP based authentication, with device registration
D. Active Directory, with device registration
E. 802.1x based user registration, with device registration
F. Self-registration of user, with device registration
Answer: A F

NO.95 When you use the Firepower Management Center to deploy an access control policy to a
managed device, which process is restarted?
A. kupdate
B. snort
C. crond
D. reportd
E. mysqld
Answer: B

NO.96 Which two statements about Cisco ASA authentication using LDAP are true? (Choose two.)
A. It is a closed standard that manages directory-information services over distributed networks.
B. It can combine AD attributes and LDAP attributes to configure group policies on the Cisco ASA.
C. It uses attribute maps to map the AD memberOf attribute to the Cisco ASA Group-Policy attribute.
D. It can assign a group policy to a user based on access credentials.
E. It uses AD attribute maps to assign users to group policies configured under the WebVPN context.
F. The Cisco ASA can use more than one AD memberOf attribute to match a user to multiple group
policies.
Answer: C E

NO.97 Which three statements correctly describe the encoding used by NETCONF and RESTCONF? (Choose three.)
A. NETCONF uses JSON-encoded data
B. RESTCONF uses JSON-encoded data
C. RESTCONF uses YAML-encoded data
D. NETCONF uses YAML-encoded data
E. RESTCONF uses XML-encoded data
F. NETCONF uses XML-encoded data
Answer: B E F

NO.98 Refer to the exhibit.

Which two effects of this configuration are true? (Choose two)


A. When a user logs in to privileged EXEC mode, the router will track all user activity
B. It configures the router's local database as the backup authentication method for all TTY, console,
and aux logins
C. If a user attempts to log in as a level 15 user, the local database will be used for authentication and
TACACS+ will be used for authorization
D. Configuration commands on the router are authorized without checking the TACACS+ server
E. When a user attempts to authenticate on the device, the TACACS+ server will prompt the user to
enter the username stored in the router's database
F. Requests to establish a reverse AUX connection to the router will be authorized against the TACACS+ server
Answer: B F

NO.99 Which three statements are correct regarding EAP-Chaining? (Choose three)
A. Allows user and machine authentication with one RADIUS/EAP session
B. EAP-Chaining is enabled on AnyConnect NAM automatically when EAP-FAST user and machine authentication is enabled
C. EAP-FAST's PAC provisioning phase is responsible to establish SSH tunnel between supplicant and
ISE to perform EAP-Chaining
D. EAP-Chaining is enabled on NAM automatically when EAP-TLS user and machine authentication is
enabled
E. EAP-Chaining can only use EAP-FAST and requires the use of AnyConnect NAM
F. EAP-Chaining is supported on the Windows 802.1x supplicant
G. EAP-FAST does not allow binding multiple authentications, and this limitation is used for manual authentication in EAP-Chaining
Answer: A B E

NO.100 You are considering using RSPAN to capture traffic between several switches. Which two
configuration aspects do you need to consider? (Choose two.)
A. All switches need to be running the same IOS version.
B. All distribution switches need to support RSPAN.
C. Not all switches need to support RSPAN for it to work.
D. The RSPAN VLAN needs to be blocked on all trunk interfaces leading to the destination RSPAN switch.
E. The RSPAN VLAN needs to be allowed on all trunk interfaces leading to the destination RSPAN switch.
Answer: B E

NO.101 Which requirement for the FTD high availability setup is true?
A. Units must not synchronize using the same NTP source.
B. Units must have DHCP configured for the interfaces.
C. Units must have the same major, minor, and maintenance software version running on them.
D. Units can have any uncommitted changes on FMC and need not be fully deployed.
E. Units must be in different domains in FMC.
F. Units must be configured in routed mode.
G. Units must be configured in transparent mode.
Answer: C D

NO.102 Which statement is true about Social Engineering attack?


A. It uses the reconnaissance method for exploitation.
B. It is a method of extracting non-confidential information.
C. The "Phishing" technique is one of the ways to launch the attack.
D. It is always performed through an email from a person that you know.
E. It is always done by having malicious ads on untrusted websites for the users to browse.
F. It can only be done by a person who is not part of the organization.
Answer: A

NO.103 Exhibit:

Refer to the exhibit. Customer has opened a case with Cisco TAC reporting issue client supposed to
login to the network using MAB is no longer able to access a Looking at the configuration of the
switch, what could be the possible cause of
A. AAA authorization is incorrectly configured
B. Switch configuration is properly configured and the issue is on the radius
C. Incorrect CTS configuration on switch
D. Issue with CoA configuration
E. Dot1x should be globally disabled for the MAB to work
F. Issue with the DHCP pool configuration
G. Authentication port G1/0/9 is not configured to perform MAB
Answer: G

NO.104 Refer to the exhibit.


switch-A(config)# cgmp leave-processing
Which two effects of this configuration are true?(Choose two)
A. IGMPv2 leave group messages are stored in the switch CAM table for faster processing
B. Hosts send leave group messages to the all-router multicast address when they want to stop
receiving data for that group
C. It improves the processing time of CGMP leave messages
D. Hosts send leave group messages to the Solicited-Node Address multicast address
FF02::1:FF00:0000/104
E. It optimizes the use of network bandwidth on the LAN segment
F. It allows the switch to detect IGMPv2 leave group messages
Answer: E F

NO.105 Which three flow protocols can the StealthWatch System use to monitor potential security threats? (Choose two)
A. OpenFlow
B. Ntop
C. IPFIX
D. NetFlow
E. sFlow
F. Jflow
Answer: C D E

NO.106 Exhibit:

Refer to the exhibit. Which type of attack is illustrated?


A. ARP spoofing
B. CAM overflow
C. IP address spoofing
D. ICMP flood
Answer: A

NO.107 Which command can you enter on a Cisco ASA to send debug messages to a syslog server?
A. logging debug-trace
B. logging host
C. logging traps
D. logging syslog
Answer: A

NO.108 What are the three configurations in which SSL VPN can be implemented? (Choose three.)
A. WebVPN
B. PVC Tunnel Mode
C. Interactive mode
D. L2TP over IPSec
E. Thin-Client
F. AnyConnect Tunnel Mode
G. Clientless
H. CHAP
Answer: E F G

NO.109 Which statement about deploying policies with the Firepower Management Center is true?
A. Deploy tasks can be scheduled to deploy policies automatically.
B. All policies are deployed on demand when the administrator triggers them.
C. Policies are deployed automatically when the administrator saves them.
D. The leaf domain can deploy change store all sub domains simultaneously.
E. The global domain can deploy changes to individual subdomains.
Answer: A

NO.110 Which one is the major benefit of AMP Threat Grid?

* AMP Threat Grid analyzes suspicious activity in your network against exactly 400 behavioral indicators
* AMP Threat Grid combines static and dynamic malware analysis with threat intelligence info in one combined solution
A. AMP Threat Grid learns only from data you pass on your network and not from anything else to monitor for suspicious behavior. This makes the system much faster and more efficient.
B. AMP Threat Grid collects file information from customer servers and runs tests on them, to see if they are infected with viruses
Answer: B

NO.111 Which three of these are properties of RC4? (Choose three.)


A. It is a block cipher.
B. It is a stream cipher.
C. It is used in AES.
D. It is a symmetric cipher.
E. It is used in SSL.
F. It is an asymmetric cipher.
Answer: B D E

NO.112 A university has hired you as a consultant to advise them on the starvation attacks in the
campus. They have already implemented DH control the situation but those do not fully contain the
issue. Which the issue? (Choose two.)
A. Use the ip dhcp snooping limit rate command on Trusted and Unsuitable values that are relevant
to each interface respectively.
B. Use the ip dhcp snooping verify mac-address command to ensure the DHCP request matches the client hardware address (CHADDR) set
C. Use the ip dhcp snooping limit rate command only to ensure that request matches the client
identifier (CUD) field sent to the DHCP
D. Use the ip dhcp snooping limit rate command on trusted and unit value.
Answer: B C

NO.113 Which two design options are best to reduce security concerns when adopting IoT into an organization? (Choose two.)
A. Segment the Field Area Network from the Data Center network.
B. Encrypt sensor data in transit.
C. Ensure that application can gather and analyze data at the edge.
D. Implement video analytics on IP cameras.
E. Encrypt data at rest on all devices in the IoT network.
Answer: A B

NO.114 How many report templates does the Cisco Firepower Management Center support?
A. 5
B. 10
C. 50
D. 80
E. 100
F. Unlimited
Answer: F

NO.115 Which three statements about PKI on Cisco IOS Software are true? (Choose three)
A. The match certificate and allow expired-certificate commands are ignored unless the router clock is set
B. OCSP enables a PKI to use a CRL without time limitations
C. Different OCSP servers can be configured for different groups of client certificates
D. OCSP is well-suited for enterprise PKIs in which CRLs expire frequently
E. Certificate-based ACLs can be configured to allow expired certificates if the peer is otherwise valid
F. If a certificate-based ACL specifies more than one field, any one successful field-to-value test is
treated as a match
Answer: C D E

NO.116 If multiple contexts share an ingress interface, which criterion does the ASA use for packet classification?
A. Destination IP address
B. ASA ingress interface IP address
C. ASA ingress interface unique MAC address
D. ASA NAT configuration
E. Policy based routing on ASA
F. ASA egress interface IP address
G. Destination MAC address
Answer: C

NO.117 How does Scavenger-class QoS mitigate DoS and worm attacks?
A. It monitors normal traffic flow and drops burst traffic above the normal rate for a single host.
B. It matches traffic from individual hosts against the specific network characteristics of known attack types.
C. It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching traffic is detected.
D. It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams from multiple hosts.
Answer: D

NO.118 Which IETF standard is the most efficient messaging protocol used in an IoT network?
A. CoAP
B. Man
C. SNMP
D. HTTP
Answer: A

NO.119 A client computer at 10.10.7.14 is trying to access a Linux server (11.0.1.9) that is running a
Tomcat server application. Which tcpdump filter would be the best to verify that traffic is reaching
the Linux server eth0 interface?
A. tcpdump -i eth0 host 10.10.7.2 and host 11.0.1.9 and port 8080
B. tcpdump -i eth0 host 10.10.7.2 and 11.0.1.9
C. tcpdump -i eth0 host dst 11.0.1.9 and dst port 8080
D. tcpdump -i eth0 host 10.10.7.2 and dst 11.0.1.9 and dst port 8080
Answer: A

NO.120 Which IOS feature can mitigate header attacks by using packet-header information to classify traffic?
A. TTL
B. CAR
C. FPM
D. TOS
E. LLQ
Answer: C

NO.121 In which two ways does OpenDNS ensure security? (Choose two.)
A. OpenDNS servers run a proprietary version of djbdns, which is a s maximum security
B. OpenDNS servers can analyze the hash of incoming URL strings to
C. It supports certificate authentication for DNS connections
D. OpenDNS servers can integrate with the Cisco Network Registrar DNS traffic
E. It encrypts all DNS connections with SSL
F. The 24-hour network operations center guarantees that critical p. hardware vendors are applied
within 12 hours of release
G. It limits caching to efficiently purge spoofed and malicious address
H. It encrypts all DNS connections with DNSCrypt
Answer: B H

NO.122 Which OpenStack project has orchestration capabilities?
A. Cinder
B. Horizon
C. Sahara
D. Heat
Answer: D

NO.123 Which statement about the Firepower Security Intelligence feature is true?
A. It uses user-configured ACLs to blacklist and whitelist traffic
B. It can override custom whitelists to provide greater security against emerging threats
C. It filters traffic after policy-based inspection is complete and before the default action is taken
D. Blacklisted traffic is blocked without further inspection
E. It filters traffic after policy-based inspection is completed and the default action is taken
Answer: D

NO.124 Refer to the exhibit.

There is no ICMP connectivity from VPN PC to Server 1 and Server 2. What could be the possible
cause?
A. The destination port configuration is missing in the access rule
B. The server network has an incorrect mask in the access rule
C. The VLAN tags configuration is missing in the access rule
D. The action is incorrect in the access rule
E. The source network is incorrect in the access rule
F. The zone configuration is missing in the access rule
Answer: E

NO.125 In your corporate environment, you have various Active Directory groups based on the
organizational structure. You want to ensure that users can access only certain resources depending
on which group(s) they belong to, and this policy must apply across the network. You have ISE, ASA, and
WSA deployed, and you want to ensure that the appropriate policies are present to ensure that
access is based only on the group membership of the user. Additionally, you do not want the user to
authenticate multiple times to get access. Which two policies are used to set this up? (Choose two.)
A. Deploy ISE, integrate it with Active Directory, and, based on group membership, authorize the user
to specific VLANs. These VLANs (with specific subnets) are then used in access policies on the ASA as
well as the WSA.
B. Configure ISE as an SSO service provider, and integrate with ASA and WSA using pxGrid. ASA and
WSA can extract the relevant identity information from ISE to apply to the access policies after the
user has authenticated to the network.
C. Deploy a single sign-on infrastructure such as Ping, and integrate ISE, ASA, and WSA with it. Access
policies are applied based on the user group membership retrieved from the authentication
infrastructure.
D. Configure ISE to relay learned SGTs for the authenticated sessions with the bound destination
address using SXP to SXP speakers that will be used to apply access policies at the traffic ingress point
for segmentation.
E. Integrate ISE, ASA, and WSA with Active Directory. After the user is authenticated to the network
through ISE, the ASA and WSA automatically extract the identity information from AD to apply the
appropriate access policies.
F. Deploy Cisco TrustSec infrastructure, with ASA and WSA integrated with ISE to transparently
identify users based on SGT assignment when the user authenticates to the network. The SGTs can
then be used in access policies.
Answer: C F

NO.126 Refer to the exhibit. Which statement about router R1 is true?
A. Its NVRAM contains public and private crypto keys
B. RMON is configured
C. Its private-config is corrupt
D. Its startup configuration is missing
E. Its running configuration is missing
Answer: A
Explanation
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-caios.html

NO.127 Which three of these make use of a certificate as part of the protocol? (Choose three.)
A. LEAP
B. EAP-MD5
C. EAP-TTLS
D. EAP-PEAP
E. EAP-FAST
F. EAP-TLS
Answer: C E F

NO.128 Refer to the exhibit. Which statement about the effect of this configuration is true?
A. It disables the use of guest VLANs on the switch
B. It blocks all EAPOL frames from passing through the switch
C. It enables 802.1x globally on the switch
D. It puts all ports on the switch into the authorized state
Answer: C

NO.129 Which two statements about EVPN are true? (Choose two.)
A. EVPN route exchange enables PEs to discover one another and elect a DF.
B. EVPN routes can advertise backbone MAC reachability.
C. EVLs allow you to map traffic on one or more VLANs or ports to a Bridge Domain.
D. EVPN routes can advertise VLAN membership and verify the reachability of Ethernet segments.
E. It is a next-generation Ethernet L2VPN solution that supports load balancing at the individual flow
level and provides advanced access redundancy.
F. It is a next-generation Ethernet L3VPN solution that simplifies control-plane operations and
enhances scalability.
Answer: A B

NO.130 Refer to the exhibit.

Which two effects of this configuration are true? (Choose two.)
A. The BGP neighbor session between R1 and R2 re-establishes after 100 minutes.
B. A warning message is displayed on R2 after it receives 50 prefixes.
C. A warning message is displayed on R2 after it receives 100 prefixes from neighbor 1.1.1.1.
D. The BGP neighbor session between R1 and R2 re-establishes after 50 minutes.
E. The BGP neighbor session tears down after R1 receives 100 prefixes from neighbor 1.1.1.1.
F. The BGP neighbor session tears down after R1 receives 200 prefixes from neighbor 2.2.2.2.
Answer: C F

NO.131 Refer to the exhibit.

What are two effects of the given configuration? (Choose two.)
A. FTP clients will be able to determine the server's system type.
B. The connection will remain open if the size of the STOR command is greater than a fixed constant.
C. TCP connections will be completed only to TCP ports from 1 to 1024.
D. The client must always send the PASV reply.
E. The connection will remain open if the PASV reply command includes 5 commas.
Answer: A E

NO.132 Which statement about SMTP authentication in a Cisco ESA deployment is true?
A. It enables users at remote sites to retrieve their email messages via a secure client.
B. When SMTP authentication with forwarding is performed by a second SMTP server, the second
server also performs the transfer of queued messages.
C. It enables users at remote sites to release email messages from spam quarantine.
D. If an authenticated user belongs to more than one LDAP group, each with different user roles,
AsyncOS grants permissions in accordance with the least restrictive user role.
E. Clients can be authenticated with an LDAP bind or by fetching a passphrase attribute
Answer: E

NO.133 For your enterprise ISE deployment, you want to use certificate-based authentication for all
your Windows machines. You have already pushed the machine and user certificates out to all the
machines using GPO. By default, certificate-based authentication does not check the certificate
against Active Directory, or require credentials from the user. This essentially means that no groups
are returned as part of the authentication request. In which way can the user be authorized based on
Active Directory group membership?
A. Configure the Windows supplicant to use saved credentials as well as certificate-based
authentication
B. Enable Change of Authorization on the deployment to perform double authentication
C. Use ISE as the Certificate Authority, which will then allow for automatic group retrieval from Active
Directory to perform the required authorization
D. The certificate must be configured with the appropriate attributes that contain appropriate group
information, which can be used in Authorization policies
E. Configure the Network Access Device to bypass certificate-based authentication and push configured
user credentials as a proxy to ISE
F. Use EAP authorization to retrieve group information from Active Directory
Answer: E

NO.134 Refer to the exhibit.

FMC with address 161.1.7.15 is not seeing AMP connector scan events reported to the AMP cloud from
the "test-pc" Windows machine that belongs to the "Protect" group. What could be the issue?
A. Windows machine not reporting scan events to AMP cloud
B. Windows machine not reporting events to FMC
C. Incorrect group is selected for the events export in AMP cloud for FMC
D. AMP cloud not added in FMC
E. FMC not added in AMP cloud
F. Windows machine belongs to incorrect group in AMP cloud policy.
G. Event should be viewed as "Connection" event in FMC
Answer: F

NO.135 Which statement describes a pure SDN framework environment?
A. The control plane and data plane are pulled from the networking element and put in an SDN
controller and SDN agent
B. The control plane function is split between an SDN controller and the networking element
C. The data plane is pulled from the networking element and put in an SDN controller
D. The data plane is controlled by a centralized SDN element
E. The control plane is pulled from the networking element and put in an SDN controller
Answer: E

NO.136 Which description of TAP mode deployment in IPS is true?
A. Access rules configured in TAP mode do not generate events.
B. TAP mode is available when ports are configured as passive interfaces.
C. TAP mode implementation requires SPAN configuration on a switch.
D. TAP mode is not available when IPS is deployed inline.
E. Access rules configured in TAP mode generate events when triggered and perform the defined action
on the traffic stream.
F. In TAP mode, traffic flow gets disturbed for analysis.
Answer: E

NO.137 Which statement is true regarding SSL policy implementation in a Firepower system?
A. Access control policy is optional for the SSL policy implementation
B. If the Firepower system cannot decrypt the traffic, it allows the connection
C. Intrusion policy is mandatory to configure the SSL inspection
D. Access control policy is responsible for handling all the encrypted traffic if an SSL policy is tied to it
E. Access control policy is invoked first before the SSL policy tied to it
F. If the SSL policy is not supported by the system, then the access control policy handles all the encrypted
traffic
Answer: E

NO.138 Which two options are benefits of the Cisco ASA Identity Firewall? (Choose two.)
A. It can identify threats quickly based on their URLs.
B. It can operate completely independently of their services.
C. It can apply security policies on an individual user or user-group basis.
D. It decouples security policies from the network topology.
E. It supports an AD server module to verify identity data.
Answer: C D

NO.139 Which statement is true about the Remote Triggered Black Hole Filtering (RTBH) feature?
A. It drops malicious traffic at the customer edge router by forwarding it to a Null0 interface
B. In RTBH filtering the trigger device redistributes a static route to the iBGP peers
C. The Null0 interface used for filtering is able to receive the traffic, but never forwards it
D. It works in conjunction with QoS to drop the traffic that has less priority
E. It helps mitigate DDoS attacks based only on source address
F. In RTBH filtering the trigger device is always an ISP edge router
Answer: B

NO.140 A university has hired you as a consultant to advise them on the best method to prevent
DHCP starvation attacks in the campus. They have already implemented DHCP snooping and port
security to control the situation, but those do not fully contain the issue. Which two actions do you
suggest to fix this issue? (Choose two.)
A. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces and set the rate
to suitable values that are relevant to each interface respectively.
B. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in
the DHCP request matches the client hardware address (CHADDR) sent to the DHCP server.
C. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in
the DHCP request matches the client identifier (CLID) field sent to the DHCP server.
D. Use the ip dhcp snooping limit rate command only to ensure that the source MAC address in the
DHCP request matches the client identifier (CLID) field sent to the DHCP server.
E. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces set to the same
rate value.
F. Use the ip dhcp snooping limit rate command only on untrusted interfaces and set the rate to
suitable values that are relevant to the interface.
Answer: B F

NO.141 Refer to the exhibit.

Which two effects of this configuration are true? (Choose two.)
A. User five can execute the show run command.
B. User five can view usernames and passwords.
C. User superuser can change usernames and passwords.
D. User superuser can view the configuration.
E. User superuser can view usernames and passwords.
F. User cisco can view usernames and passwords.
Answer: A D

NO.142 Which two characteristics correctly identify attributes of LPWA technologies? (Choose two.)
A. Supports high-throughput bandwidth requirements
B. Provides better Quality of Service features than NB-IoT
C. Supports over-the-air distances of over 30 km
D. Capable of using unlicensed technologies such as SigFox
E. End-device with battery life lasting over 10 years
Answer: D E

NO.143 Which option is a benefit of VRF Selection Using Policy-Based Routing for routing packets
to different VPNs?
A. It supports more than one VPN per interface
B. It allows bidirectional traffic flow between the service provider and the CEs
C. It automatically enables fast switching on all directly connected interfaces
D. It can use global routing tables to forward packets if the destination address matches the VRF
configured on the interface
E. Every PE router in the service provider MPLS cloud can reach every customer network
F. It increases the router performance when longer subnet masks are in use
Answer: D

NO.144 Which of the following is true regarding OSPFv2 configuration on the ASA?
A. It does not support stub area and not-so-stubby area
B. ASA can exist as ABR but not as ASBR
C. It supports virtual links
D. It only supports MD5 authentication with the peers
E. Routing decision is based on the hop counts to the destination
F. It allows only one routing process to be configured
Answer: C

NO.145 Which action must happen before you enroll a device to a mobile device management
service from a different vendor?
A. Wipe the entire device and start from scratch
B. Allow both vendor profiles to remain on the device
C. Remove the profiles from the previous vendor from the device
D. Alert the administrator so that they can remove this device from the network
Answer: C

NO.146 Which effect of the crypto pki authenticate command is true?
A. It sets the certificate enrollment method.
B. It retrieves and authenticates a CA certificate.
C. It configures a CA trustpoint.
D. It displays the current CA certificate.
Answer: B

NO.147 A customer is developing a strategy to deal with WannaCry variants that defeat sandboxing
attempts and mask their presence when analyzed. Which four mechanisms can be used in this strategy?
A. Employ a DNS forwarder that responds to unknown domain names with a reachable IP (honey
pot) that can mimic sandboxing containment responses and alert when a possible threat is detected.
B. Apply route maps at the access layer that prevent all RPC and SMB communication throughout the
network.
C. Ensure that the standard desktop image used in the organization is an actively supported
operating system and that security patches are applied.
D. Run antimalware software on user endpoints and servers as well as ensure regular signature
updates.
E. Ensure that vulnerable services used for propagation of malware such as SMB are blocked on
public facing segments.
F. Employ URL/DNS inspection mechanisms that blackhole the request. This action prevents malware
from communicating with unknown domains and thus prevents the WannaCry malware from
becoming active.
G. Apply ACLs at the access layer that prevent all RPC and SMB communication throughout the
network.
Answer: D E F G

NO.148 Which effect of the ip nhrp map multicast dynamic command is true?
A. It configures a hub router to reflect the routes it learns from a spoke back to other spokes through
the same interface.
B. It configures a hub router to automatically add spoke routers to the multicast replication list of the
hub.
C. It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs.
D. It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the
tunnel.
Answer: B

NO.149 Refer to the exhibit.

R15
crypto pki trustpoint ccier15
enrollment url http://172.16.100.17:8080
serial-number
ip-address 172.16.100.15
subject-name CN=r15 O=cisco.com
revocation-check none
source interface Loopback0
rsakeypair ccier15
!
crypto isakmp policy 1516
encr aes
hash md5
group 2
!
crypto ipsec transform-set ts1516 esp-aes esp-sha-hmac
mode tunnel
!
crypto map r15r16 1516 ipsec-isakmp
set peer 10.1.7.16
set transform-set ts1516
match address 110
!
interface Loopback0
ip address 172.16.100.15 255.255.255.255
!
interface Loopback1
ip address 192.168.15.15 255.255.255.0
!
interface GigabitEthernet1
ip address 20.1.6.15 255.255.255.0
negotiation auto
crypto map r15r16
!
router bgp 6
bgp log-neighbor-changes
network 172.16.100.15 mask 255.255.255.255
neighbor 20.1.6.18 remote-as 678
neighbor 20.1.6.18 password cisco
!
ip route 192.168.16.0 255.255.255.0 20.1.7.16
access-list 110 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
!
ntp authentication-key 11 md5 ccie
ntp authenticate
ntp trusted-key 12
ntp server 150.1.7.131 key 12
!
ip domain name cisco.com

R15 is trying to initiate a site-to-site certificate-based IPsec VPN tunnel with the peer at
20.1.7.16. The CA is running on port 80 at address 172.16.100.18. R15 has a BGP peer at 20.1.6.18
using an authenticated session to establish reachability with the VPN remote site. The VPN tunnel
will secure traffic between the 192.168.15.0/24 and 192.168.16.0/24 networks. It has been reported that
the VPN tunnel is not coming up with the remote site. What could be the issue?
A. Incorrect ACL defined for the traffic encryption
B. Incorrect static route
C. Incorrect crypto map configuration
D. The crypto map is not applied on the correct interface
E. Incorrect trustpoint configuration
F. Incorrect BGP peer configuration
Answer: E

NO.150 Which statement about the wireless security technologies is true?
A. WPA2-PSK mode provides better security by having the same passphrase across the network
B. WPA2 provides message integrity using AES
C. WPA2-PSK mode does not allow a passphrase to be stored locally on the device
D. WPA2 is more secure than WPA because it uses TKIP for encryption
E. WEP is more secure than WPA2 because it uses AES for encryption
F. WPA2-ENT mode does not require RADIUS for authentication
Answer: B

NO.151 Which two functions of Cisco Content Security Management Appliance are true? (Choose two.)
A. SMA is used for on-box management of WSAs
B. SMA is used to configure NSAMP on the router
C. SMA is a centralized system used to collectively manage and report on the WSAs that are deployed in a
network
D. SMA is used for sandboxing functionality to perform malware analysis
E. SMA is a unified management platform that manages web security, performs troubleshooting and
maintains space for data storage.
Answer: C E

NO.152 Refer to the exhibit.

Which two effects of this configuration are true? (Choose two.)
A. The switch periodically sends an EAP-Identity-Request to the endpoint supplicant.
B. The device allows multiple authenticated sessions for a single MAC address in the voice domain.
C. If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50.
D. If the authentication priority is changed, the order in which authentication is performed also
changes.
E. If multiple hosts have authenticated to the same port, each can be in their own assigned VLAN.
F. The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass.
Answer: C F

NO.153 Which statement is true regarding the wireless security technologies?
A. WPA provides message integrity using AES
B. WPA2-PSK mode allows the passphrase to be stored locally on the device
C. WEP is more secure than WPA2 because it uses AES for encryption
D. WPA-ENT mode does not require RADIUS for authentication
E. WPA2-PSK mode provides better security by having the same passphrase across the network
F. WPA2 is more secure than WPA because it uses TKIP for encryption
Answer: A

NO.154 Which type of attack uses a large number of spoofed MAC addresses to emulate wireless
clients?
A. DoS against an access point
B. DoS against a client station
C. chopchop attack
D. Airsnarf attack
E. device-probing attack
F. authentication-failure attack
Answer: A

NO.155 Which three options are fields in a CoA Request Response code packet? (Choose three.)
A. Length
B. Acct-session-ID
C. Calling-station-ID
D. Identifier
E. Authenticator
F. State
Answer: B C F

NO.156 Which two options are open-source SDN controllers? (choose two)
A. Opendaylight
B. Big Cloud Fabric
C. Application Policy Infrastructure Controller
D. OpenContrail
E. Virtual Application Networks SDN Controller
Answer: A D

NO.157 Refer to the exhibit.

Which effect of this configuration is true?
A. It creates a resource class.
B. It creates a default class.
C. It oversubscribes VPN sessions for the given class.
D. It allows each context to use all available resources.
Answer: A

NO.158 Which statement about Cisco Firepower Advanced Malware
A. With dynamic analysis, the system pre-classifies suspicious files a them to the AMP Threat Grid for
analysis
B. If the system determines a file inside an archive to be malware, blocking the archive
C. The SHA-256 value of a file is calculated only if you configure a Lookup action
D. If the system pre-classifies a file potential malware, it automatic; administrator to take further
action
E. When local malware analysis is complete, it produces a threat s details of the analysis
F. The AMP for Firepower network-based solution supports malware files types than AMP for
endpoints The system can analyze up to two layers of nested files in ZIP are block files with more
layers
Answer: A

NO.159 Which two statements about Botnet Traffic Filter snooping are true? (Choose two.)
A. It can log and block suspicious connections from previously unknown bad domains and IP
addresses.
B. It requires the Cisco ASA DNS server to perform DNS lookups.
C. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database.
D. It checks inbound traffic only.
E. It can inspect both IPv4 and IPv6 traffic.
F. It checks inbound and outbound traffic.
Answer: C F

NO.160 In ISO 27002, the access control code of practice for Information Security Management serves
which of the following objectives?
A. Implement proper control of user, network and application access.
B. Prevent the physical damage of the resources.
C. Optimize the audit process.
D. Educating employees on security requirements and issues.
Answer: A

NO.161 Which two statements about Cisco AMP for Web Security are true? (Choose two)
A. It can detect and block malware and other anomalous traffic before it passes through the Web
gateway.
B. It can identify anomalous traffic passing through the Web gateway by comparing it to an
established baseline of expected activity
C. It can perform file analysis by sandboxing known malware and comparing unknown files to a local
repository of threats
D. It continues monitoring files after they pass the Web gateway
E. It can prevent malicious data exfiltration by blocking critical files from exiting through the Web
gateway
F. It can perform reputation-based evaluation and blocking by uploading of incoming files to a cloud-
based threat intelligence network
Answer: D F

NO.162 Which two statements about MPP (Management Plane Protection) are true? (Choose two.)
A. It is supported on both distributed and hardware-switched platforms.
B. Only out-of-band management interfaces are supported.
C. Only virtual interfaces associated with physical interfaces are supported.
D. It is supported on both active and standby management interfaces.
E. Only in-band management interfaces are supported.
F. Only virtual interfaces associated with sub-interfaces are supported.
Answer: C E

NO.163 Which three statements about EAP-Chaining are true? (Choose three.)
A. It allows user and machine authentication with one RADIUS / EAP session.
B. It is supported on the Windows 802.1x supplicant.
C. It is enabled on NAM automatically when EAP-TLS user and machine authentication is enabled.
D. It is enabled on Cisco AnyConnect NAM automatically when EAP-FAST user and machine
authentication is enabled.
E. It can use only EAP-FAST, and it requires the use of Cisco AnyConnect NAM.
F. EAP-FAST does not allow multiple authentication binding, and this limitation is used for mutual
authentication in EAP-Chaining.
G. The EAP-FAST PAC provisioning phase is responsible for establishing an SSH tunnel between the supplicant
and ISE to perform EAP-Chaining.
Answer: A D E

NO.164 Which policy action allows traffic to pass without any further inspection by the intrusion policy when
implementing a Cisco Firepower access control policy?
A. Pass
B. Interactive block
C. Allow
D. Monitor
E. Block
F. Trust
Answer: F

NO.165 What are the advantages of using LDAP over AD?
A. LDAP allows for granular policy control, whereas AD does not.
B. LDAP provides for faster authentication
C. LDAP can be configured to use primary and secondary server, whereas AD cannot.
D. LDAP does not require ISE to join the AD domain
E. The closest LDAP servers are used for Authentication
Answer: C

NO.166 Refer to the exhibit.

Which service or feature must be enabled on 209.165.200.255 to produce the given output?
A. the Finger service
B. a BOOTP server
C. a TCP small server
D. the PAD service
Answer: C

NO.167 Refer to the exhibit.

***Missing Exhibit***
ASA at 150.1.7.43 is configured to receive IP address to SGT mapping from ISE at
161.1.7.14. Which of the following is true regarding the packet capture from Wireshark?
A. SXP keepalive message using TCP originated from ISE
B. ISE keepalive message for NDAC connection using TCP originated from ASA
C. TACACS connection keepalive using UDP originated from ASA
D. RADIUS connection keepalive using TCP originated from ISE
E. NTP keepalive message using UDP originated from ISE
F. SXP keepalive message for SXP connection using UDP originated from ASA
Answer: A

NO.168 Which statement about zone-based policy firewall implementation is true?
A. All the interfaces of the device cannot be part of the same zone
B. By default, traffic between the interfaces in the same zone is allowed
C. An interface can be a member of multiple zones
D. If the default zone is enabled, then traffic from a zone interface to a non-zone interface is dropped
E. A zone pair cannot have a zone as both source and destination
F. If an interface belongs to a zone, then the traffic to and from that interface is always allowed
Answer: B

NO.169 Which statement about the SDN framework environment is true?
A. The data plane is pulled from the networking element and put in an SDN controller
B. The data plane is controlled by a centralized SDN element
C. The control plane function is split between an SDN controller and the networking element
D. The control plane is pulled from the networking element and put in an SDN controller
E. The control plane and data plane are pulled from the networking element and put in an SDN
controller and SDN agent
Answer: D

NO.170 R2 is configured as a WCCP router to redirect HTTP traffic for policy implementation sourced
from the 172.61.1.0/24 network to the WSA at 171.1.7.21, with the passphrase used for authentication being
"ccie". The redirection is for traffic on the R2 Gi2 interface in the inbound direction. An issue is
reported that web sites are not accessible anymore. Which cause is true?
A. There is an issue with the routing of traffic between R2 and WSA.
B. There is an issue with the WCCP passphrase configured on R2.
C. There is an issue with the WCCP redirection applied on the Gi2 interface.
D. There is an issue with the source network defined for WCCP redirection.
E. There is an issue with the WSA server list bound for the redirection.
F. There is an issue with the destination servers defined for WCCP redirection.
Answer: D

NO.171 Which two descriptions of the HomeNet and ExternalNet variable sets that are used within
Cisco Firepower access control and IPS policies are true? (Choose two.)
A. They are used to exclude or include protected network subnets from security intelligence and
blacklist filtering
B. They are used to decrease the number of false positives by defining the protected network
C. They are used to fine tune the performance of the appliance by optimizing how signatures are
matched to packets based on the source and destination addresses in a packet
D. They are used for reporting reasons to give context on the direction of a connection or malicious
attack as it appears in the event viewer reports
E. They are a legacy support feature that has no effect since Firepower 6.x.
Answer: A D

NO.172 Refer to the exhibit.


R2# sh run | sec wcp
ip wccp web-cache redirect-list 101 group-list 12 password 0 ccie
ip wccp web-cache redirect in
!R
2# sh access-lists
Standard IP access list 11
10 permit 171.1.7.12
Standard IP access list 12
10 permit 171.1.7.21
Extended IP access list 101
10 permit tcp 172.16.1.0 0.0.0.255 host 192.168.101.3 eq www
20 permit tcp 172.16.1.0 0.0.0.255 host 192.168.102.3 eq www
R1# sh wccp interfaces
IPv4 WCCP interface configuration
GigabitEthernet1
Output services 0
Input services 1
Mcast services 0
Exclude In: False
R2# sh ip wccp wec-cache detail
No information is available for the service
R2 is configured as a WCCP router to redirect HTTP traffic for policy implementation to the WSA at
171.1.7.12, with the passphrase used for authentication being "ccie". The redirection is for traffic on the
R2 Gi2 interface in the inbound direction. An issue is reported that websites are not accessible
anymore. What could be the cause?
A. There is an issue with the WSA server list bound for the redirection
B. There is an issue with the routing of traffic between R2 and the WSA
C. There is an issue with the WCCP redirection applied on the Gi2 interface
D. There is an issue with the destination servers defined for WCCP redirection
E. There is an issue with the WCCP passphrase configured on R2
F. There is an issue with the source network defined for WCCP redirection
Answer: A

NO.173 Which statement about the pxGrid connection agent is true?


A. It manages the sharing of contextual information between partner platforms
B. It can fetch user information from Active Directory on behalf of a WSA or Cisco ISE
C. It enables communication from the partner platform to the pxGrid controller
D. It supports an agentless solution for Cisco ISE
E. It leverages Cisco ISE control functions to manage connections and share information between
partners
F. It fetches user information from Active Directory and transmits it to the pxGrid controller
Answer: A

NO.174 Which authentication does WCCPv2 use to protect messages against interception,
inspection, and replay attacks?
A. Clear text
B. Two factor
C. EAP
D. MD5
E. Kerberos
Answer: D

NO.175 Refer to the exhibit.

Which two statements about the given IPv6 ZBF configuration are true? (Choose two.)
A. It inspects TCP, UDP, ICMP, and FTP traffic from z1 to z2.
B. It provides backward compatibility with legacy IPv4 inspection.
C. It inspects TCP, UDP, ICMP, and FTP traffic from z2 to z1.
D. It passes TCP, UDP, ICMP, and FTP traffic in both directions between z1 and z2.
E. It provides backward compatibility with legacy IPv6 inspection.
F. It passes TCP, UDP, ICMP, and FTP traffic from z1 to z2.
Answer: A E

NO.176 Which two options are unicast address types for IPv6 addressing? (Choose two.)
A. static
B. link-local
C. established
D. dynamic
E. global
Answer: B E

NO.177 Which Cisco ASA firewall mode supports ASDM one-time-password authentication using
RSA SecurID?
A. network translation mode
B. transparent mode
C. single-context routed mode
D. multiple-context mode
Answer: C

NO.178 Refer to the exhibit.

Which effect of this configuration is true?


A. The minimum size of TCP SYN+ACK packets passing the router is set to 1452 bytes and the IP MTU
of the interface is set to 1492 bytes.
B. The minimum size of TCP SYN+ACK packets passing the transient host is set to 1452 bytes and the IP
MTU of the interface is set to 1492 bytes.
C. The MSS of TCP SYN packets is set to 1452 bytes and the IP MTU of the interface is set to 1492
bytes.
D. The PMTUD value sets itself to 1452 bytes when the interface MTU is set to 1492 bytes.
E. SYN packets carry 1452 bytes in the payload when the Ethernet MTU of the interface is set to 1492
bytes.
Answer: C

NO.179 Refer to the exhibit.

Which two statements about the given IPv6 ZBF configuration are true? (Choose two)
A. It provides backward compatibility with legacy IPv6 inspection.
B. It inspects TCP, UDP, ICMP and FTP traffic from z1 to z2.
C. It inspects TCP, UDP, ICMP and FTP traffic from z2 to z1.
D. It inspects TCP, UDP, ICMP and FTP traffic in both directions between z1 and z2.
E. It passes TCP, UDP, ICMP and FTP traffic from z1 to z2.
F. It provides backward compatibility with legacy IPv4 inspection.
Answer: A B

NO.180 A sneaky employee using an Android phone on your network has disabled DHCP, enabled
its firewall, and modified its HTTP User-Agent header to fool ISE into profiling it as a Windows 10
machine connected to the wireless network. This user can now get authorization for unrestricted
network access using his Active Directory credentials, because your policy states that a Windows
device using AD credentials should be able to get full network access. However, an Android device
should only get access to the Web Proxy. Which two steps can you take to avoid this sort of rogue
behavior? (Choose two.)
A. Add an authorization policy before the Windows authorization policy that redirects a user with a
static IP to a web portal for authentication
B. Perform CoA to push a restricted access when the machine is acquiring address using DHCP.
C. Chain an authorization policy to the Windows authorization policy that performs additional NMAP
scans to verify the machine type before access is allowed
D. Create an authentication rule that allows only a session with a specific HTTP User-Agent header
E. Allow only certificate-based authentication from Windows endpoints such as EAP-TLS or PEAP-TLS.
If the endpoint uses MSCHAPv2 (EAP or PEAP), the user is given only restricted access
F. Modify the authorization policy to allow only Windows machines that have passed Machine
Authentication to get full network access
Answer: E F

NO.181 Refer to the exhibit.

Which effect of this command is true?


A. The router immediately deletes its current public key from the cache and generates a new one.
B. The public key of the remote peer is deleted from the router cache.
C. The CA revokes the public key certificate of the router.
D. The current public key of the router is deleted from the cache when the router reboots, and the
router generates a new one.
E. The router sends a request to the CA to delete the router certificate from its configuration.
Answer: B

NO.182 What are two types of attacks against wireless networks that can be prevented by a WLC?
(Choose two)
A. DHCP rogue server attacks
B. Layer 3 flooding attacks
C. Inverse ARP attacks on specific ports
D. IP spoofing attacks
E. ARP sniffing attacks on specific ports
Answer: A D

NO.183 Which Cisco Firepower interface mode allows you to send inline traffic directly through the
device and only inspect a copy of the traffic?
A. TAP mode
B. Automatic application bypass mode
C. Delay threshold mode
D. Fast-path mode
Answer: A

NO.184 Which description of a Botnet attack is true?


A. It can be used to participate in DDoS.
B. It is a form of wireless attack where the attacker installs an access point to create a backdoor to a
network.
C. It is launched by a collection of noncompromised machines controlled by the Command and
Control system.
D. It is launched by a single machine controlled by the Command and Control system.
E. It is a form of fragmentation attack to evade an intrusion prevention security device.
F. It is a form of a man-in-the-middle attack where the compromised machine is controlled remotely.
Answer: A D

NO.185 All your employees are required to authenticate their devices to the network, be it company
owned or employee owned assets, with ISE as the authentication server. The primary identity store
used is Microsoft Active directory, with username and password authentication. To ensure the
security of your enterprise, your security policy dictates that only company owned assets should be
able to get access to the enterprise network, while personal assets should have restricted access.
Which option would allow you to enforce this policy using only ISE and Active Directory?
A. Configure an authentication policy that uses the computer credentials in Active Directory to
determine whether the device is company owned or personal.
B. This would require deployment of a Mobile Device Management (MDM) solution, which can be
used to register all devices against the MDM server, and use that to assign appropriate access levels.
C. Configure an authentication policy that checks against the MAC address database of company
assets in ISE endpoint identity store to determine the level of access depending on the device.
D. Configure an authorization policy that checks against the MAC address database of company
assets in ISE endpoint identity store to determine the level of access depending on the device.
E. Configure an authorization policy that assigns the device the appropriate profile based on whether
the device passes Machine Authentication or not.
Answer: D

NO.186 Which is an important consideration when deploying a WSA load-balancing solution?


A. RIP is the most efficient dynamic routing protocol when it comes to convergence and stability.
B. Management interface has to be shared with data interface being under-utilized.
C. Avoid the use of DNS server due to the network latency issue that could slow down the
resolutions.
D. Only one data interface has to be deployed.
E. Make sure that spanning-tree operation is stable at layer-2.
Answer: E

NO.187 Refer to the exhibit.


aaa new-model
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
username cisco privilege 15 password 0 cisco
dot1x system-auth-control
!
interface GigabitEthernet0/2
switchport mode access
ip access-group Pre-Auth in
authentication host-mode multi-auth
authentication open
authentication port-control auto
!
vlan 50
interface Vlan50
ip address 50.1.1.1 255.255.255.0
!
ip dhcp excluded-address 5.1.1.1
ip dhcp pool pc-pool
network 50.1.1.0 255.255.255.0
default-router 50.1.1.1
!
ip access-list extended Pre-Auth
permit udp any eq bootpc any eq bootps
deny ip any any
!
radius server ccie
address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
key cisco
!
line con 0
login authentication NO_AUTH
line vty 0 4
login authentication vty
One of the Windows machines in your network is having connectivity issues using 802.1x. Windows
machines are set up to acquire an IP address from the DHCP server configured on the switch, which is
supposed to hand out IP addresses from the 50.1.1.0/24 network, and forward AAA requests to the
RADIUS server at 161.1.7.14 using the shared key "cisco". Knowing that interface Gi0/2 on SW1 may
receive authentication requests from other devices, and looking at the provided switch configuration,
what could be the possible cause of this failure?
A. There is a RADIUS key mismatch
B. Authentication for multiple hosts is not configured on interface Gi0/2
C. 802.1x authentication is not enabled on interface Gi0/2.
D. An incorrect IP address is configured for SVI 50.
E. aaa network authorization is not configured.
F. 802.1x is disabled on the switch.
G. An incorrect default route is pushed on the supplicant from SW1.
Answer: C

NO.188 Which one of these is part of the DevOps virtuous cycle?


A. increased latency
B. slower releases
C. improved scalability
D. lower quality
Answer: C

NO.189 Refer to the exhibit.

What is the effect of the given command?


control-plane host
management-interface FastEthernet 0/0 allow ssh snmp
A. It enables CoPP on the FastEthernet 0/0 interface for SSH and SNMP management traffic.
B. It enables QoS policing on the control plane of the FastEthernet 0/0 interface.
C. It enables MPP on the FastEthernet 0/0 interface, allowing only SSH and SNMP management
traffic.
D. It enables MPP on the FastEthernet 0/0 interface by enforcing rate-limiting for SSH and SNMP
management traffic.
E. It enables MPP on the FastEthernet 0/0 interface for SNMP management traffic and CoPP for all
other protocols.
Answer: C

NO.190 ISE can be integrated with an MDM to ensure that only registered devices are allowed on
the network and use the MDM to push policies to the device. Devices can go in and out of
compliance, either due to policy changes on the MDM server, or another reason. For a device that
has already authenticated on the network and stays connected, but falls out of compliance, what can
be done to ensure that a non-compliant device is checked periodically and re-assessed before allowing
access to the network?
A. Enable Change of Authorization (CoA) on MDM
B. FireAMP connector scan can be used to relay posture information to ISE via the AMP cloud
C. The MDM agent will automatically disconnect the device from the network when it is non-
compliant
D. Enable Change of Authorization (CoA) on ISE
E. Enable Period Compliance Checking (PCC) on ISE
F. The MDM agent periodically sends a packet with compliance info that the wireless controller can
use to limit network access.
Answer: D

NO.191 Which statement is true regarding the wireless security technologies?


A. WPA provides message integrity using AES
B. WPA2-PSK mode allows the passphrase to be stored locally on the device
C. WEP is more secure than WPA2 because it uses AES for encryption
D. WPA-ENT mode does not require RADIUS for authentication
E. WPA2-PSK mode provides better security by having the same passphrase across the network
F. WPA2 is more secure than WPA because it uses TKIP for encryption
Answer: B

NO.192 Which two statements about a wireless access point configured with the guest-mode
command are true? (Choose two.)
A. It can support more than one guest-mode SSID.


B. It supports associations by clients that perform passive scans.
C. It allows clients configured without SSIDs to associate.
D. It allows associated clients to transmit packets using its SSID.
E. If one device on a network is configured in guest-mode, clients can use the guest-mode SSID to
connect to any device in the same network.
Answer: B C

NO.193 What are the major components of a Firepower health monitor alert?
A. The severity level, one or more alert responses, and a remediation policy.
B. A health monitor, one or more alert responses, and a remediation policy.
C. One or more health modules, the severity level, and an alert response.
D. One or more health modules, one or more alert responses, and one or more alert actions.
E. One health module and one or more alert responses.
Answer: C

NO.194 In which three configurations can SSL VPN be implemented? (Choose three)
A. CHAP
B. WebVPN
C. thin-client
D. L2TP over IPsec
E. PVC tunnel mode
F. interactive mode
G. Cisco AnyConnect tunnel mode
H. clientless
Answer: C G H

NO.195 Which of the following is used by WSA to extract session information from ISE and use that
in access policies?
A. RPC
B. pxGrid
C. SXP
D. Proprietary protocol over TCP/8302
E. EAP
F. RADIUS
Answer: B

NO.196 Which statement is true regarding Dynamic ARP Inspection (DAI)?


A. It requires that DHCP snooping be enabled to build valid binding database.
B. It drops invalid ARP responses and requests on the switch trusted ports
C. It forwards invalid ARP responses and requests on switch untrusted ports
D. It validates ARP requests and responses on trusted ports using IP-to-MAC address binding
E. It is only supported in DHCP environments to detect invalid ARP requests and responses
F. It requires DHCP snooping to be enabled to build an untrusted database for dropping invalid ARP requests
and responses
Answer: A

NO.197 Refer to the exhibit.


R1(config)#parameter-map type inspect param-map
R1(config-profile)#sessions maximum 10000
R1(config-profile)#
R1(config-profile)#class-map type inspect match-any class
R1(config-cmap)#match protocol tcp
R1(config-cmap)#match protocol udp
R1(config-cmap)#match protocol icmp
R1(config-cmap)#match protocol ftp
R1(config-cmap)#
R1(config-cmap)#policy-map type inspect policy
R1(config-cmap)#class type inspect class
R1(config-cmap-c)#inspect param-map
R1(config-cmap-c)#
R1(config-cmap-c)#zone security z1
R1(config-sec-zone)#zone security z2
R1(config-sec-zone)#
R1(config-sec-zone)#zone-pair security zp source z1 destination z2
R1(config-sec-zone-pair)#service-policy type inspect policy
Which two statements about the given IPv6 ZBF configuration are true? (Choose two)
A. It passes TCP, UDP, ICMP and FTP traffic in both directions between z1 and z2
B. It provides backward compatibility with legacy IPv4 inspection
C. It passes TCP, UDP, ICMP and FTP traffic from z1 to z2
D. It inspects TCP, UDP, ICMP and FTP traffic from z2 to z1
E. It provides backward compatibility with legacy IPv6 inspection
F. It inspects TCP, UDP, ICMP and FTP traffic from z1 to z2
Answer: E F

NO.198 What are the two different modes in which Private AMP cloud can be deployed? (Choose
two.)
A. Hybrid Mode
B. Internal Mode
C. Air Gap Mode
D. External Mode
E. Cloud-Proxy Mode
F. Public Mode
Answer: C E

NO.199 Which two statements about ICMP redirect messages are true? (Choose two.)

A. Redirects are only punted to the CPU if the packets are also source-routed.
B. The messages contain an ICMP Type 3 and ICMP code 7.
C. By default, configuring HSRP on the interface disables ICMP redirect functionality.
D. They are generated when a packet enters and exits the same router interface.
E. They are generated by the host to inform the router of an alternate route to the destination.
Answer: C D

NO.200 What are three features that are enabled by generating Change of Authorization (CoA)
requests in a push model? (Choose three.)
A. session reauthentication
B. session identification
C. host reauthentication
D. MAC identification
E. session termination
F. host termination
Answer: B C E

NO.201 Which description of a Dockerfile is true?


A. repository for Docker images
B. software used to manage containers
C. message daemon files
D. text document used to build an image
Answer: D

NO.202 A client computer at 10.10.7.4 is trying to access a Linux server (11.0.1.9) that is running a
Tomcat Server application.
What tcpdump filter would be best to verify that traffic is reaching the Linux server's eth0 interface?
A. tcpdump -i eth0 host 10.10.7.4 and host 11.0.1.9 and port 8080
B. tcpdump -i eth0 host 10.10.7.4 and 11.0.1.9
C. tcpdump -i eth0 dst 11.0.1.9 and dst port 8080
D. tcpdump -i eth0 src 10.10.7.4 and dst 11.0.1.9 and dst port 8080
Answer: D

NO.203 Within Platform as a Service, which two components are managed by the customer?
(Choose two.)
A. Data
B. networking
C. middleware
D. applications
E. operating system
Answer: A D

NO.204 Which statement of DKIM signing in ESA is true?

A. The receiving server gets the signing public key from ISE
B. The ESA does not allow the creation of a signing key pair
C. The signing public key is required by the sending server
D. The signing private key is required by the receiving server
E. The receiving server gets the public key from DNS.
F. The domain profile is used to associate the receiving domain with the signing key
Answer: D

NO.205 Drag the network scan type on the left to its definition on the right.

Answer:

Explanation
1-6, 2-1, 3-5, 4-2, 5-3, 6-4

NO.206 Which two statements about the Cisco FireAMP solution are true? (Choose two.)
A. It can perform dynamic analysis in the Fire AMP Private Cloud.
B. The FireAMP Connector can detect malware in network traffic and when files are downloaded.
C. The FireAMP Private Cloud provides an on-premises option for file disposition lookups and
retrospect generation.
D. The FireAMP Connector is compatible with antivirus software on the endpoint, but you must
configure exclusions to prevent the Connector from scanning the antivirus directory.
E. The FireAMP Connector can provide information about potentially malicious network connections.
F. The FireAMP Private cloud can act as an anonymized proxy to transport endpoint event data to the
public cloud for disposition lookups.
G. When a FireAMP Connector detects malware in network traffic, it generates a malware event and
an event.
Answer: A C

NO.207 Refer to the exhibit.

What feature must be implemented on the network to produce the given output?
A. CAR
B. PQ
C. WFQ
D. NBAR
E. CQ
Answer: D

NO.208 Which two statements about RADIUS VSAs are true? (Choose two)
A. They allow the RADIUS server to exchange vendor-specific information with the network access
server
B. They allow products from other vendors to interoperate with Cisco routers that support
RADIUS
C. The VSA implementation supports multiple VSAs, including cisco-avpair
D. They can be used for both authentication and authentication on Cisco routers
E. Cisco's unique vendor-ID is 26
F. The Cisco VSA implementation allows TACACS+ authorization features to be used with a RADIUS server
Answer: A F

NO.209 Which of the following Cisco products gives the ability to interact with malware for its behavior
analysis?
A. NGIPS
B. FMC
C. ASA
D. DNA
E. Threat Grid
F. pxGrid
Answer: E

NO.210 Which statement is true about the traffic substitution and insertion attack?
A. It is a form of pivoting in the network
B. It only works with FTP session
C. It is a form of DoS attack
D. It is an evasion technique
E. It is a form of timing attack
F. It is used for reconnaissance
Answer: D

NO.211 Which two events can cause a failover event on an active/standby setup? (Choose two.)
A. The stateful failover link fails
B. The failover link fails
C. The active unit experiences interface failure above the threshold
D. The active unit fails
E. The unit that was previously active recovers
Answer: C D

NO.212 Refer to the exhibit.

The AMP cloud is configured to report AMP Connector scan events from Windows machines that
belong to the Audit group to the FMC. However, the scan events are not showing up in the FMC.
Which possible cause is true?
A. There is a possible issue with the certificate download from the AMP cloud for FMC integration.
B. The AMP cloud is pointing to an incorrect FMC address.
C. The event must be viewed as a malware event in the FMC.
D. The DNS address is misconfigured on the FMC.
E. An incorrect group is selected for the events export in the AMP cloud for FMC.
F. The FMC is pointing to an incorrect AMP cloud address.
Answer: C E

NO.213 Which two options are benefits of network summarization? (Choose two.)
A. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the
summary is unstable.
B. It can increase the convergence of the network.
C. It can summarize discontiguous IP addresses.
D. It can easily be added to existing networks.
E. It reduces the number of routes.
Answer: A E

NO.214 Your environment has a large number of network devices that are configured to use AAA for
authentication.
Additionally, your security policy requires the use of Two-Factor Authentication or Multi-Factor
Authentication for all device administrators, which you have integrated with ACS. To simplify device
management, your organization has purchased Prime Infrastructure. What is the best way to get
Prime Infrastructure to authenticate to your network devices?
A. Create a user on ISE with a complex password for Prime Infrastructure, along with an
authorization policy that uses the ISE local identity store for that user.
B. Create a user on ISE with a complex password for Prime Infrastructure, along with an
authentication policy that uses the ISE local identity store for that user.
C. Configure a local user on each of the network devices along with priority to use the local username
and password for Prime Infrastructure
D. Enable the AAA API on the network devices, generate an API token, and configure Prime
Infrastructure to use that token when authenticating to the network device
E. Enable Multi-Factor authentication on Prime Infrastructure
Answer: B

NO.215 All your employees must authenticate their devices to the network, be they company-
owned or employee-owned assets, with ISE as the authentication server. The primary identity store
used is Microsoft Active Directory, with username and password authentication. To ensure the
security of your enterprise, your security policy dictates that only company-owned assets get access
to the enterprise network, while personal assets have restricted access. Which configuration allows
you to enforce this policy using only ISE and Active Directory?
A. Configure an authentication policy that checks against the MAC address database of company
assets in the ISE endpoint identity store to determine the level of access depending on the device.
B. Deployment of a Mobile Device Management solution is required, which can be used to register all
devices against the MDM server, and use that to assign appropriate access levels.
C. Configure an authorization policy that assigns the device the appropriate profile based on whether
the device passes Machine Authentication or not.
D. Configure an authorization policy that checks against the MAC address database of company
assets in the ISE endpoint identity store to determine the level of access depending on the device.
E. Configure an authentication policy that uses the computer credentials in Active Directory to
determine whether the device is company-owned or personal.
Answer: D

NO.216 Which three messages are part of the SSL protocol? (Choose three.)
A. Message Authentication
B. CipherSpec
C. Record
D. Alert
E. Change CipherSpec
F. Handshake
Answer: D E F

NO.217 Nexus 9000 Platform supports which of the following configuration management tools?
A. Ansible
B. Chef
C. Jenkins
D. Puppet
E. Salt
Answer: D

NO.218 Which statement about the SenderBase functionality is true?


A. SenderBase uses DNS-based blacklist as one of the sources of information to define reputation
score of sender's IP address
B. SenderBase uses spam complaints as one of the sources of information to define reputation score
of receiver's IP address of the sender and receiver
C. ESA uses destination address reputation information from SenderBase to configure mail policies.
D. ESA sees a high positive score from SenderBase as very likely that sender is sending spam
E. ESA sees a high negative score from SenderBase as very unlikely that sender is sending spam
F. ESA uses source address reputation information from SenderBase to stop spam
G. WSA uses SenderBase information to configure URL filtering policies
Answer: A

NO.219 Which statement correctly describes AES encryption algorithm?


A. It works on substitution and permutation principle
B. It uses three encryption keys of length 168, 112 and 56 bits
C. Reapplying the same encryption key three times makes it less vulnerable than 3DES
D. It only provides data integrity
E. Theoretically 3DES is more secure than AES
Answer: A

NO.220 Which two commands would enable secure logging on a Cisco ASA to a syslog server at
10.0.0.1? (Choose two.)
A. logging host inside 10.0.0.1 UDP/500 secure
B. logging host inside 10.0.0.1 TCP/1470 secure
C. logging host inside 10.0.0.1 UDP/447 secure
D. logging host inside 10.0.0.1 UDP/514 secure
E. logging host inside 10.0.0.1 TCP/1500 secure
Answer: B E

NO.221 Which statement about MDM is true?


A. It can support endpoints without requiring them to register
B. If an authorized user refreshes the web browser, the session must be reauthorized with the LDAP
server
C. Cisco ISE communicates with the MDM server by way of REST API calls
D. MDM policies can be configured with as few as two attributes
E. It reports the IP address of the endpoint to Cisco ISE as the input parameter of the endpoint
F. Each Cisco ISE node requires its own MDM server
Answer: C

NO.222 Refer to the exhibit.

Which two configurations must you perform to enable the device to use this class map?
(Choose two)
A. Configure PDLM
B. Configure the ip nbar custom command
C. Configure the ip nbar protocol discovery command
D. Configure the transport hierarchy
E. Configure the DSCP value
Answer: B C

NO.223 Which two functionalities does the Threat Grid technology allow?
A. Deploy decoys for the malware to target
B. Know what changes the malware is making
C. Locate where the malware originated from
D. Encrypt packets without an agent
E. Decrypt packets without an agent
F. Understand which processes the malware affects
Answer: D F

NO.224 Which of the following is a correct operational statement of DKIM signing in ESA?
A. The signing public key is required by the receiving server
B. The ESA does not allow the creation of a signing key pair
C. The receiving server gets the signing public key from DNS
D. The domain profile in ESA is configured with signing public key
E. The outgoing profile in ESA is configured with signing private key
F. The signing private key is required by the sending server
Answer: C

NO.225 If an ASA device is configured as a remote access IPsec server with RADIUS authentication
and password management enabled, which type of authentication will it use?
A. RSA
B. MS-CHAPv2
C. MS-CHAPv1
D. NTLM
E. PAP
Answer: B

NO.226 Refer to the exhibit.

There is no ICMP connectivity from VPN_PC to Server1 and Server2. What could be the possible
cause?
A. The action is incorrect in the access rule
B. The destination port configuration is missing in the access rule
C. The server network has incorrect mask in the access rule
D. The VLAN tags configuration is missing in the access rule
E. The source network is incorrect in the access rule
F. The zone configuration is missing in the access rule

Answer: E

NO.227 Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object
group?
A. object network CISCO
Network-object object 10.2.1.0
B. Object-group network CISCO
group-object 10.2.1.0
C. Object-group network CISCO
network-object host 10.2.1.0
D. Object- network CISCO
group-object 10.2.1.0
Answer: C

NO.228 In a large organization with thousands of employees scattered across the globe, it is
difficult to provision and onboard new employee devices with the correct profiles and certificates.
With ISE, it is possible to do that with client-provided devices. Which four conditions must be met?
(Choose four.)
A. Endpoint operating system should be supported
B. Client provisioning is enabled on ISE
C. The pxGrid controller should be enabled on ISE
D. Device MAC addresses are added to the Endpoint Identity Group
E. Profiling is enabled on ISE
F. SCEP Proxy is enabled on ISE
G. Microsoft windows server is configured with certificate services
H. ISE should be configured as SXP listener to push SGT-to-IP mapping to network access devices
I. Network access device and ISE should have the PAC provisioning for CTS environment
authentication
Answer: B D E F

NO.229 Refer to the exhibit

Which type of packet can trigger the rate limiter in the given configuration?
A. Only DSCP 8000 packets
B. Only DSCP 1 packets
C. Only DSCP 1500 packets
D. DSCP 1, 1500, 3000, and 8000 packets
E. Only DSCP 3000 packets
Answer: A

NO.230 Which three statements are true after a successful IPsec negotiation has taken place?
(Choose three)
A. After the IPsec tunnel is established, data is encrypted using one set of DH-generated keying material
B. After the IPsec tunnel is established, data is encrypted using two sets of DH-generated keying
material
C. Two tunnels were established, the first one is for ISAKMP and IPsec negotiation and the second
one is for data encryption as a result of IPsec negotiation
D. The ISAKMP tunnel was established to authenticate the peer and discreetly negotiate the IPsec
parameters
E. One secure channel and one tunnel were established, the secure channel was established by
ISAKMP negotiation followed by an IPsec tunnel for encrypting user data
F. The ISAKMP secure channel was established to authenticate the peer and discretely negotiate the
IPsec parameters
Answer: B E F

NO.231 Which two statements about ping flood attacks are true? (Choose two.)
A. They attack by sending ping requests to the broadcast address of the network.
B. They use SYN packets.
C. The attack is intended to overwhelm the CPU of the target victim.
D. They use UDP packets.
E. They use ICMP packets.
F. They attack by sending ping requests to the return address of the network.
Answer: C E

NO.232 Which Cisco Firepower intrusion event impact level indicates that the host is vulnerable to the attack and requires the most urgent attention?
A. Impact Level 3
B. Impact Level 4
C. Impact Level 2
D. Impact Level 0
E. Impact Level 1
Answer: E

NO.233 On which geographic basis can the Cisco Firewall
A. Source and destination country and continent
B. Source city and country
C. Source country
D. Source and destination city and country
E. Source and destination country
F. Source country and continent
Answer: E

NO.234 Which statement about the failover link when ASAs are configured in the failover mode is true?
A. The information sent over the failover link can be sent only as a secured communication.
B. The information sent over the failover link cannot be sent in clear text, but it could be secured
communication using a failover key.
C. It is not recommended to use secure communication over the failover link when ASA terminating
the VPN tunnel
D. Only the configuration replication that is sent across the link can be secured using a failover key.
E. The information sent over the failover link can be in clear text
F. Failover key is not required for the secure communication over the failover link
Answer: E

NO.235 Which statement about Cisco ISE Guest portals is true?
A. To permit BYOD access, a Guest portal must use RADIUS authentication.
B. If you delete a Guest portal without removing its authorization policy and profiles, they will be
assigned automatically to the default Guest portal.
C. The Hotspot Guest portal can be configured for password-only authentication.
D. The Sponsored Guest portal allows guest users to create an account.
E. The sponsored-Guest portal and Self-Registered Guest portal require a defined Endpoint Identity
Group.
F. When you make changes to an authorized Guest portal configuration, it must be reauthorized
before the changes will take effect.
Answer: A

NO.236 Refer to the exhibit.
Transmission Control Protocol, Src Port: 64999 (64999), Dst Port: 49086 (49086), Seq: 2, Ack: 2, Len:
The ASA at 150.1.7.43 is configured to receive the IP address to SGT mapping from ISE at 161.1.7.14. Which statement about this packet capture from Wireshark is true?

A. The TACACS connection keep alive using UDP originated from ASA
B. The SXP message uses TCP port 64999 for connection termination
C. The RADIUS connection keep alive using TCP originated from ISE
D. The SXP message uses MD5 for authentication and integrity check.
E. The ISE keep alive message for NDAC connection using TCP originated from ASA
F. The NTP keep alive message using UDP originated from ISE
G. The SXP keep alive message for SXP connection using UDP originated from ASA
Answer: D

NO.237 Refer to the exhibit.

Which two statements about a device with this configuration are true? (Choose two.)
A. When a peer establishes a new connection to the device, CTS retains all existing SGT mapping
entries for 3 minutes.
B. If a peer reconnects to the device within 120 seconds of terminating a CTS-SXP connection, the reconciliation timer starts.
C. When a peer re-establishes a previous connection to the device, CTS retains all existing SGT mapping entries for 3 minutes.
D. If a peer reconnects to the device within 180 seconds of terminating a CTS-SXP connection, the reconciliation timer starts.
E. If a peer re-establishes a connection to the device before the hold-down timer expires, the device
retains the SGT mapping entries it learned during the previous connection for an additional 3
minutes.
F. It sets the internal hold-down timer of the device to 3 minutes.
Answer: B E

NO.238 What are the three configurations in which SSL VPN can be implemented? (Choose three.)
A. WebVPN
B. PVC Tunnel Mode
C. Interactive mode
D. L2TP over IPSec
E. Thin-Client
F. AnyConnect Tunnel Mode
G. Clientless
H. CHAP
Answer: E F G

NO.239 Which statement about private VLANs is true?
A. In a private VLAN domain, a secondary VLAN port must be an isolated port for it to be able to
communicate with a Layer 3 device.
B. A private VLAN domain can have only one primary VLAN.
C. In a private VLAN domain, a secondary VLAN can have only one promiscuous port.
D. Each port in a private VLAN domain is a member of all the secondary VLANs in that domain.
E. A subdomain in a primary VLAN domain consists of multiple primary and secondary VLAN pairs.
F. Each secondary VLAN in a private VLAN domain must have a separate associated primary VLAN.
Answer: B

NO.240 In which type of multicast does the Cisco ASA forward IGMP messages to the upstream
router?
A. clustering
B. PIM multicast routing
C. stub multicast routing
D. multicast group concept
Answer: C

NO.241 ISE can be integrated with an MDM to ensure that only registered devices are allowed on
the network, and use the MDM to push policies to the device. Devices can go in and out of
compliance either due to policy changes on the MDM server, or another reason. Consider a device
that has already authenticated on the network, and stays connected, but fails out of compliance.
Which action can you take to ensure that a noncompliant device is checked periodically and re-
assessed before allowing access to the network?
A. Enable change of authorization on MDM
B. Fire-AMP consider scan can be used to relay posture information to ISE via FireAMP cloud
C. The MDM agent periodically sends a packet with compliance info that the wireless controller can
be used to limit network access
D. Enable periodic compliance checking on ISE
E. Enable Change of authorization on ISE
F. The MDM agent automatically disconnects the device from the network when it is noncompliant
Answer: E

NO.242 A hosted service provider is planning to use firewall contexts in its manage these firewalls
on behalf of its customers and allow them access management purposes the lead architect of the
service provider has decide interface to a single shared management zone VLAN (901) and allocate
assigned range of this VLAN. Which three statements about this design.
A. Though this design is valid, a physical interface cannot be allocated to traffic classifier restrictions, this is only possible with subinterfaces
B. This design concept is valid and requires some modifications. However only allow customer
management access from the data VLANs in the adequate Layer 2/ Layer 3 separation between
tenants
C. The ASA multi context traffic classifier works differently for shared into VLAN and have the same
MAC address when NAT is in use, other rule use
D. The ASA classifier works only for data interfaces and not for manager Management-only)
command must be applied for this concept to work
E. This design concept is not valid because it is not possible to allocate a due to ASA traffic classifier
restrictions, this is only possible with sub
F. Sub interfaces of the interface can be allocated only to contexts and physical interface
G. The design for the management zone does not work unless unique
Answer: C D G

NO.243 Which statement is true regarding the TLS security protocol?
A. It only supports data authentication for the client-server session using a browser
B. TLS and SSL versions can interoperate in the client-server handshake
C. There is no difference between TLS and SSL versions 2 and 3
D. TLS version 1.0 is more secure than SSL version 3.0
E. It is always recommended to disable TLS version 1.0 in the browser so that it only supports SSL for
better security
F. You need to replace SSL certificate with TLS certificate for successful TLS operation
Answer: D

NO.244 Which two statements about the SeND protocol are true? (Choose two.)
A. It counters neighbor discovery threats.
B. It must be enabled before you can configure IPv6 addresses.
C. It supports numerous custom neighbor discovery messages.
D. It logs IPv6-related threats to an external log server.
E. It supports an autoconfiguration mechanism.
F. It uses IPsec as a baseline mechanism.
Answer: A E

NO.245 Which statement about managing Cisco ISE Guest Services is true?
A. Only a Super Admin or System Admin can delete the default Sponsor portal.
B. Only ISE administrators from an external identity store can be members of a Sponsor group.
C. By default, an ISE administrator can manage only the guest accounts he or she created in the
Sponsor portal.
D. ISE administrators can view and set a guest's password to a custom value in the Sponsor portal.
E. ISE administrators can access the Sponsor portal only if they have valid Sponsor accounts.
F. ISE administrators can access the Sponsor portal only from the Guest Access menu.
Answer: C

NO.246 Which two options are important considerations when you use NetFlow to obtain the full picture of network traffic? (Choose two.)
A. It monitors only TCP connections.
B. It monitors only routed traffic.
C. It monitors all traffic on the interface on which it is deployed.
D. It monitors only ingress traffic on the interface on which it is deployed.
E. It is unable to monitor over time.
Answer: B E

NO.247 Which statement about Local Web Authentication is true?
A. It supports Change of Authorization and VLAN enforcement
B. It can use VLANs and ACLs to enforce authorization
C. The network device handles guest authentication
D. The ISE serves web pages
E. It supports posture and profiling services
F. The web portal can be customized locally or managed by the ISE
Answer: C

NO.248 Refer to the exhibit.
ASA1
router ospf 12
network 10.1.11.0 255.255.255.0 area 1
area 1 authentication message-digest
interface G0/1
nameif inside
security-level 100
ip address 10.1.11.1 255.255.255.0 standby 10.1.11.2
ospf message-digest-key 12 md5 cisco
R2
router ospf 12
area 0 authentication message-digest
area 1 authentication message-digest
network 10.1.11.0 0.0.0.255 area 1
network 10.1.12.0 0.0.0.255 area 0
network 172.16.100.0 0.0.0.255 area 0
interface GigabitEthernet2
ip address 10.1.11.22 255.255.255.0
ip ospf message-digest-key 21 md5 cisco
Firewall ASA1 and router R2 are running the OSPF routing process in area 1, connected via the 10.11.1.0/24 subnet in the inside zone. It has been reported that ASA1 cannot see any OSPF-learned routes. Which two possible issues are true?
A. The R2 has mismatched message-digest key IDs
B. On ASA1, a standby interface must be disabled on the Gi0/1 interface
C. On R2, an incorrect subnet is defined for the Gi2 interface
D. On ASA1, a Gi0/1 interface must have security level at "0"
E. On ASA1, an incorrect subnet mask is on the Gi0/1 interface
F. On R2, the 172.16.100.0/24 subnet must not be in the OSPF routing process
G. On R2, the 10.1.11.0/24 subnet must be in area "0" in the OSPF routing process
Answer: A

NO.249 Refer to the exhibit.
Which level of encryption is set by this configuration?
A. 1024-bit
B. 192-bit
C. 56-bit
D. 168-bit
Answer: D

NO.250 Drag the ACI security principle on the left to its definition on the right.

Answer:
Explanation
1-6, 2-1, 3-5, 4-2, 5-3, 6-4

NO.251 Refer to the exhibit.
aaa new-model
aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
username cisco privilege 15 password 0 cisco
dot1x system-auth-control
!
interface GigabitEthernet0/2
switchport mode access
ip access-group Pre-Auth in
authentication open
authentication port-control auto
dot1x pae authenticator
!
vlan 50
interface Vlan50
ip address 50.1.1.1 255.255.255.0
!
ip dhcp excluded-address 5.1.1.1
ip dhcp pool pc-pool
network 50.1.1.0 255.255.255.0
default-router 50.1.1.1
!
ip access-list extended Pre-Auth
permit udp any eq bootpc any eq bootps
deny ip any any
!
radius server ccie
address ipv4 161.1.7.14 auth-port 1645 acct-port 1646
key cisco
!
line con 0
login authentication NO_AUTH
line vty 0 4
login authentication vty
One of the Windows machines in your network is having connectivity issues using
802.1x. Windows machines are set up to acquire an address from the DHCP server configured on the
switch, which is supposed to hand out IP addresses from the 50.1.1.0/24 network and forward AAA
requests to the RADIUS server at 161.1.7.14 using the key "cisco". Knowing that the interface Gi0/2
on the switch may receive authentication requests from other devices and looking at the provided
switch configuration, what could be the possible cause of this failure?
A. There is a RADIUS key mismatch
B. 802.1x is disabled on the switch
C. aaa network authorization is not configured
D. Authentication for multiple hosts is not configured on interface Gi0/2
E. An incorrect IP address was configured on SVI 50
F. An incorrect default route is pushed on the supplicant from SW1
G. 802.1x authentication is not enabled on the interface Gi0/2
Answer: D

NO.252 Which three statements about RLDP are true? (Choose three.)
A. It detects rogue access points that are connected to the wired network.
B. It can detect rogue APs that use WPA encryption.
C. It can detect rogue APs operating only on 5 GHz.
D. It can detect rogue APs that use WEP encryption.
E. The AP is unable to serve clients while the RLDP process is active.
F. Active Rogue Containment can be initiated manually against rogue devices detected on the wired
network.
Answer: A E F
Explanation
Rogue Location Discovery Protocol (RLDP)
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70987-rogue-detect.html

NO.253 Which statement about the performance storage option in the AMP for Cisco Firepower
network-based solution is true?
A. If the system is configured to send files to the AMP cloud for dynamic analysis but the file is larger than the maximum value you configure, it is blocked automatically
B. You can configure the maximum file size that will be analyzed and potentially blocked, up to a maximum of 10
C. The system inspects a configurable number of bytes in each file based on its file type
D. If a file matches a block malware rule but the system takes longer than the time period you configure.
E. You can configure the file size for which a SHA 256 hash is calculated up to a maximum of 10 GB
F. The SHA-256 value of a file is calculated only if you configure a file policy with the malware cloud
lookup action
Answer: D

NO.254 Which statement about SenderBase reputation scoring on an ESA device is true?
A. Application traffic from known bad sites can be throttled or blocked
B. By default, all messages with a score below zero are dropped or throttled
C. Mail with scores in the medium range can be automatically routed for antimalware scanning
D. You can configure a custom score threshold for whitelisting messages
E. A high score indicates that a message is very likely to be spam
F. Sender reputation scores can be assigned to domains, IP addresses, and MAC addresses
Answer: D

NO.255 How is the Cisco IronPort email data loss prevention licensed?
A. It is a per-site license
B. It comes free with Iron Port Email server
C. It is a per-enterprise license
D. It is a per-server license
E. It is a per-user license
Answer: E

NO.256 What are the most common methods that security auditors use to assess an organization's security processes? (Choose two.)
A. physical observation
B. social engineering attempts
C. penetration testing
D. policy assessment
E. document review
F. interviews
Answer: A F

NO.257 Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose three.)
A. Web-VPN-ACL-Filters
B. IPsec-Default-Domain
C. IPsec-Client-Firewall-Name
D. Authorization-Type
E. L2TP-Encryption
F. Authenticated-User-idle-Timeout
Answer: A B F

NO.258 Which three statements about SCEP are true? (Choose three.)
A. It supports online certification revocation.
B. Cryptographically signed and encrypted messages are conveyed using PKCS#7
C. It supports multiple cryptographic algorithms including RSA.
D. The certificate request format uses PKCS#10.
E. CRL retrieval is supported through CDP (Certificate Distribution Point) queries.
F. It supports synchronous granting.
Answer: B D E
Explanation
Simple Certificate Enrollment Protocol
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technote-scep-00.html

NO.259 Refer to the exhibit.

Which data format is used in this script?
A. JSON
B. YANG
C. API
D. XML
E. JavaScript
Answer: D

NO.260 AMP for Endpoint is supported on which of these platforms?
A. Windows, MAC, ANDROID
B. Windows, MAC, LINUX (SuSE, UBUNTU), ANDROID
C. Windows, ANDROID, LINUX (SuSE, REDHAT)
D. Windows, ANDROID, LINUX (REDHAT, CentOS), MAC
Answer: D

NO.261 How would you best describe Jenkins?
A. An orchestration tool
B. Continuous integration and delivery application
C. Operations in a client/server model
D. Web-based repository hosting service
E. A REST client
Answer: B

NO.262 Which two protocols are supported when using TACACS+? (Choose two)
A. MS-CHAP
B. CHAP
C. NASI
D. HDLC
E. AppleTalk
Answer: C E

NO.263 Which statement about a Botnet attack is true?
A. It is launched by a collection of noncompromised machines controlled by the Command and
Control system
B. It is launched by a single machine controlled by the Command and Control system
C. It is a form of a man-in-the-middle attack where the compromised machine is controlled remotely.
D. It is a form of a wireless attack where the attacker installs an access point to create a backdoor to a network
E. It is a form of a fragmentation attack to evade an intrusion prevention security device
F. It can be used to steal data
Answer: F

NO.264 What is an example of a stream cipher?
A. RC4
B. RC5
C. DES
D. Blowfish
Answer: A

NO.265 Which two characteristics of DTLS are true? (Choose two.)
A. It is used mostly by applications that use application layer object-protocols
B. It includes a congestion control mechanism
C. It completes key negotiation and bulk data transfer over a single channel.
D. It supports long data transfers and connectionless data transfers.
E. It cannot be used if NAT exists along the path.
F. It includes a retransmission method because it uses an unreliable datagram transport.
Answer: B F

NO.266 Which description of the AES encryption algorithm is true?
A. Reapplying the same encryption key three times makes it less vulnerable than 3DES
B. Theoretically 3DES is more secure than AES
C. It uses the block of 64 bits
D. It provides only data integrity
E. It does not use the substitution and permutation principle
F. It uses three encryption keys of lengths 128, 192, and 256
Answer: F

NO.267 Which three ISAKMP SA message states can be output from the device that initiated an IPsec tunnel? (Choose three.)
A. MM_WAIT_MSG4
B. MM_WAIT_MSG2
C. MM_WAIT_MSG5
D. MM_WAIT_MSG6
E. MM_WAIT_MSG1
F. MM_WAIT_MSG3
Answer: A B D

NO.268 Which statement about VRF-Lite implementation in a service provider network is true?
A. It disables the sharing of one CE device among multiple customers.
B. It can have multiple VRF instances associated with a single interface on a CE device.
C. It requires multiple links between CE and PE for each VPN connection to enable privacy.
D. It supports multiple VPNs at a CE device but their address spaces must not overlap.
E. It uses input interfaces to differentiate routes for different VPNs on the CE device.
F. It can support only one VRF instance per CE device.
Answer: E

NO.269 Refer to the exhibit.
A user authenticates to the NAS, which communicates with the TACACS+ server for authentication. The TACACS+ server then accesses the Active Directory server through the firewall to validate the user credentials. Which protocol-port pair must be allowed access through the ASA firewall?
A. SMB over TCP 455
B. DNS over UDP 53
C. LDAP over UDP 389
D. global catalog over UDP 3268
E. TACACS+ over TCP 49
F. DNS over TCP 53
Answer: C

NO.270 Which statement about SenderBase sender-reputation filtering approaches on the Cisco
A. The conservative approach provides near zero false positives at the cost of lower performance
B. The aggressive approach provides near zero false positives at the cost of lower performance
C. The aggressive approach provides maximum performance at the cost of numerous
D. The moderate approach provides maximum performance with some false positives
E. The conservative approach provides good performance with near zero false positives
F. The moderate approach combines high performance with some false positives
Answer: F

NO.271 Which two options can be used to further harden a Cisco Email Security Appliance? (Choose
two.)
A. Disable telnet
B. Rename the default administrator password
C. Disable HTTP and FTP services that are not required
D. Enable Cisco Discovery Protocol
E. Turn off TCP small services
Answer: A B

NO.272 Which four task items need to be performed for an effective risk assessment and to evaluate network posture? (Choose four.)
A. discovery
B. baselining
C. scanning
D. notification
E. validation
F. escalation
G. mitigation
H. profiling
Answer: A C E H

NO.273 Which of the following could be an evasion technique used by the attacker?
A. Port access using Dot1x
B. ACL implementation to drop unwanted traffic
C. TELNET to launch device administration session
D. Traffic encryption to bypass IPS detection
E. URL filtering to block malicious sites
F. NAT translations on routers and switches
Answer: D

NO.274 Which difference between DomainKeys and DKIM in Cisco ESA deployment is true?
A. Only Domain Keys support incoming-mail authentication
B. AsyncOS supports mail signing for DKIM only
C. Bounce and delay messages can use DKIM only
D. AsyncOS supports mail signing and incoming-mail authentication for DomainKeys only
E. If DomainKeys and DKIM are associated to a mail flow, AsyncOS uses only DKIM to sign outgoing messages
F. Only DKIM supports incoming-mail verifications
Answer: D

NO.275 While a configuration audit is performed on a router, the set session-key command is found in a crypto map applied to a WAN interface. Which three statements about this command are true? (Choose three.)
A. This command sets a peer authentication string because the IPsec peer does not support
automate mutual authentication and a manual method is required
B. When configuring the Crypto map, (ipsec-manual) must be defined as part of the parameters
C. This command is used to encrypt traffic to another device which does not support internet key
D. Exchange
E. Another way of overcoming this issue is to use the crypto isakmp peer address command with a zeros wildcard address and mask combination
F. Both peers must be configured for manual peer authentication for this configuration to work
G. This command is used to manually configure an IPsec SA; two entries are needed on each side to encrypt and decrypt traffic over the tunnel
H. This command is used to manually configure an IPsec SA; only one entry is needed on each side to encrypt and decrypt traffic over the tunnel.
Answer: B E F

NO.276 In which two modes can a private AMP cloud be deployed? (Choose two.)
A. internal mode
B. hybrid mode
C. air gap mode
D. cloud-proxy mode
E. cloud-proxy public mode
F. external mode
Answer: C D

NO.277 Which statement about securing TLS connections on the ESA is true?
A. The preconfigured demonstration certificate installed on the ESA can establish a secure, verifiable connection.
B. If you apply a certificate to an ESA in cluster mode, it is automatically propagated to the other ESAs in the cluster.
C. Self-signed certificates and CA certificates can provide a verifiable connection. The ESA supports certificates in PKCS#7 and PKCS#12 format.
D. Certificates that are imported to secure TLS connections can also be used by other services on the ESA, including LDAPS and HTTPS
E. The ESA encrypts all messages with a certificate before sending them over a TLS connection.
F. After a certificate is applied to an ESA cluster using centralized management, new devices added to the cluster automatically adopt the existing certificate.
Answer: D

NO.278 What are the three scanning engines that the Cisco IronPort dynamic vectoring and
streaming engine can use to protect against malware? (Choose three.)
A. McAfee
B. TrendMicro
C. Sophos
D. Webroot
E. F-Secure
F. Symantec
Answer: A C D

NO.279 Which Cisco ISE profiler service probe can collect information about Cisco Discovery
Protocol?
A. DHCP SPAN
B. RADIUS
C. SNMP Query
D. NetFlow
E. HTTP
F. DHCP
Answer: C

NO.280 Refer to the exhibit.

You applied this VPN cluster configuration to a Cisco ASA and the cluster failed to form. How do you edit the configuration to correct the problem?
A. Define the maximum allowable number of VPN connections.
B. Define the master/slave relationship.
C. Configure the cluster IP address.
D. Enable load balancing.
Answer: C

NO.281 Which feature of WEP was intended to prevent an attacker from altering and resending data packets over a WEP connection?
A. The RC4 cipher
B. Transport Layer Security
C. Message Integrity checks
D. MD5 hashing
E. The cyclic redundancy check
Answer: E

NO.282 Which description of a hybrid SDN framework is true?
A. The control plane and data plane are pulled from the networking element and put in an SDN
controller and SDN agent
B. The control plane function is split between a SDN controller and the networking element.
C. The data plane is pulled from the networking element and put in an SDN controller.
D. The control plane is pulled from the networking element and put in an SDN controller
Answer: B

NO.283 How does the Cisco Firepower Decrypt-Known method perform SSL decryption on inbound traffic?
A. The system identifies the server certificate during the SSL handshake and downloads the associated private key from the CA to decrypt the traffic
B. The system matches the incoming server certificate to a previously stored certificate on the server and uses the private key to decrypt the traffic
C. The system uses a CA certificate on the server to re-sign the exchanged server certificate, then uses the private key of the CA certificate to decrypt the traffic
D. The system uses a CA certificate on the server to re-sign the exchanged server certificate, then uses a separate private key to decrypt the traffic
Answer: C

NO.284 In OpenStack, which two statements about the NOVA component are true? (Choose two.)
A. It provides the authentication and authorization services.
B. It launches virtual machine instances.
C. It is considered the cloud computing fabric controller.
D. It provides persistent block storage to running instances of virtual machines.
E. It tracks cloud usage statistics for billing purposes.
Answer: B C

NO.285 Which two methods can be used to remove the previous vendor profiles from the mobile device? (Choose two.)
A. Disable the ISE profiling feature
B. Vendor profiles cannot be removed
C. Go to My Devices portal in ISE and click corporate wipe
D. Use the "full wipe" option and reset the device to factory setting
E. Use the "corporate wipe" option offered by the vendor
Answer: C E

NO.286 Which statement is true regarding Private VLAN?
A. A private VLAN domain can have multiple primary VLANs
B. Each secondary VLAN in a private VLAN domain needs to have a separate associated primary VLAN
C. Each port in a private VLAN domain is a member of all the secondary VLANs in the domain
D. A subdomain in a primary VLAN domain consists of a primary and secondary VLAN pair
E. In a private VLAN domain a secondary VLAN port needs to be an isolated port for it to be able to
communicate with a layer-3 device
F. In a private VLAN domain a secondary VLAN can have only one promiscuous port
Answer: F

NO.287 A new computer is not getting its IPv6 address assigned by the router. While running Wireshark to try to troubleshoot the problem, you find a lot of data that is not helpful to nail down the problem. Which two filters would you apply to Wireshark to filter the data that you are looking for? (Choose two.)
A. icmpv6.type == 135
B. icmpv6type == 136
C. icmpv6.type == 136
D. icmpv5type == 135
E. icmpv6type == 135
Answer: A C

NO.288 In a Cisco ASA multiple-context mode of operation configuration, what three session types are resource-limited by default when their context is a member of the default class? (Choose three.)
A. SSL VPN sessions
B. Telnet sessions
C. TCP session
D. IPSec sessions
E. ASDM sessions
F. SSH sessions
Answer: B D F

NO.289 Refer to the exhibit.
Which three additional configuration elements must you apply to complete a functional FlexVPN deployment? (Choose three.)
A. crypto ikev2 keyring default
peer PEER-ROUTER
address 2001::101/64
interface virtual-template5 type tunnel
ip nhrp network-id 10
ip nhrp shortcut loopback0
B. interface loopback0
tunnel mode ipsec ipv6
tunnel protection ipsec profile default
C. interface Tunnel0
bfd interval 50 min_rx 50 multiplier 3
no bfd echo
D. crypto ikev2 keyring KEYS
peer PEER-ROUTER
address 2001::101/64
crypto ikev2 profile default
aaa authorization group pak list ccie default
E. interface virtual-template5 type tunnel
ipv6 unnumbered loopback0
ipv6 eigrp 10
ipv6 enable
interface loopback0
ipv6 eigrp 10
F. aaa authorization network ccie local
Answer: C D E

NO.290 Which statement correctly represents the ACI security principle of Object Model?
A. It is a logical representation of an application and its interdependencies in the network fabric
B. It is policy placed at the intersection of a source and destination EPGs.
C. It is defined by the policy applied between EPGs for communication.
D. It consists of one or more tenants having multiple contexts.
E. These are rules and policies used by an EPG to communicate with other EPGs.
F. It is a collection of endpoints representing an application within a context.
Answer: D

NO.291 Which of the following is true regarding ASA clustering requirements?
A. Only routed mode is allowed in the single context mode
B. Units in the cluster can be running different software versions as long as they have identical hardware configurations
C. Units in the cluster can have different hardware configurations as long as they are running the same software version
D. Units in the cluster can be in different geographical locations
E. Units in the cluster can be in different security context modes
F. Units in the cluster can have different amounts of flash memory
Answer: F

NO.292 Which best practice can limit inbound TTL expiry attacks?
A. Setting the TTL value to zero.
B. Setting the TTL value to more than the longest path in the network.
C. Setting the TTL value equal to the longest path in the network.
D. Setting the TTL value to less than the longest path in the network.
Answer: B
Explanation
In practice, filtering packets whereby TTL value is less than or equal to the value that is needed to
traverse the longest path across the network will completely mitigate this attack vector.
https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html

NO.293 Which two parameters must be identical per interface while configuring virtual port channels? (Choose two)
A. network access control
B. IP source guard
C. Protocol independent multicast
D. Bridge Assurance setting
E. maximum transmission unit
Answer: D E

NO.294 For which four portals is SAML Single Sign-On on ISE supported? (Choose four)
A. Wireless Client portal
B. Certificate Provisioning portal
C. Guest portal (sponsored and self-registered)
D. My Devices portal
E. Employee portal
F. Sponsor portal
G. Contractor portal
H. BYOD portal
Answer: B C D F

NO.295 Which two protocols are used by the management plane in a Cisco IDS device? (Choose
two)
A. IKEv2
B. Telnet
C. TLS
D. CHAP
E. DHCP
F. SNMP
G. PAP
H. 3DES
I. RIP
Answer: B F

NO.296 Which statement about MDM with the Cisco ISE is true?
A. The MDM's server certificate must be imported into the Cisco ISE Certificate Store before the
MDM and ISE can establish a connection.
B. MDM servers can generate custom ACLs for the Cisco ISE to apply to network devices.
C. The Cisco ISE supports a built-in list of MDM dictionary attributes it can use in authorization
policies.
D. The Cisco ISE supports limited built-in MDM functionality.
E. If a mobile endpoint fails posture compliance, both the user and the administrator are notified
immediately.
F. When a mobile endpoint becomes compliant the Cisco ISE records the updated device status in its
internal database.
Answer: A
Explanation
Mobile Device Management
https://meraki.cisco.com/blog/tag/mobile-device-management/

NO.297 Which statement about the TRUST action when configuring an ACP is true?
A. It allows traffic to pass without inspection only if the source matches an address defined in the preprocessor list.
B. It allows matched traffic through without inspection.
C. It allows matched traffic to pass without inspection if the traffic source exists in the white list.
D. It allows matched traffic through, but reverts to IPS inspection if a file inspection triggers malware
alert.
Answer: B

NO.298 Refer to the exhibit.
A customer reports to Cisco TAC that one of the Windows clients that is supposed to log in to the network using MAB can no longer access any allowed resources. Which possible cause of the MAB failure is true?
A. The switch is properly configured and the issue is on the RADIUS server
B. There is an issue with the CoA configuration
C. AAA authorization is incorrectly configured on the switch
D. There is an issue with the DHCP pool configuration
E. CTS is configured incorrectly on the switch
F. MAB is disabled on port Gi1/0/9
Answer: F

NO.299 An organization plans to upgrade its Internet-facing ASA running version 8.2 on an older HW platform to a 5585-X running version 9.6. The configuration was backed up and submitted for review before the migration takes place. Which three changes must be made before the configuration is applied to the new ASA firewall? (Choose three.)
A. Static NAT statements are changed to xlate statements
B. NAT control must be disabled so that traffic is allowed through the ASA
C. Inbound ACLs must contain the pre-NAT IP instead of the post-NAT IP
D. NAT Control must be enabled so that traffic is allowed through the ASA
E. Static NAT statements are changed to NAT statements
F. Inbound ACLs must contain the post-NAT IP instead of the pre-NAT IP
Answer: A C D

NO.300 Which mechanism is used by ISE to provide user information to WSA?
A. SNMP
B. IKEv1
C. SSH
D. pxGrid
E. IKEv2
F. TLS
Answer: D

NO.301 Which tunnel type does the Cisco Unified Wireless Solution use to map a provisioned guest WLAN to an anchor WLC?
A. PEAP
B. IPsec
C. TLS
D. GRE
E. EAPoL
F. EoIP
Answer: F

NO.302 Which three authorization technologies does Cisco TrustSec support? (Choose three)
A. 802.1X
B. SGACL
C. DACL
D. MAB
E. SGT
F. VLAN
Answer: C E F

NO.303 Which statement is true about Dual-Hub DMVPN implementation where each spoke has
two connections, one to each hub via different ISPs?
A. It uses point-to-point GRE tunnel
B. It does not allow tunnel protection using IPsec
C. It allows NHRP authentication
D. It uses two tunnel interfaces on each hub to terminate connection from each spoke
E. It uses a single tunnel interface on a spoke to connect two different hubs
Answer: C

NO.304 Which two benefits of the Stealthwatch Flow Collector are true? (Choose two)
A. It can be deployed with hardware appliances or as virtual machines
B. It provides round trip time and server-response time calculations to optimize UDP connections
D. When deployed in a routed network its multiple flow sensors can aggregate data to provide full network visibility from Layer 1 to Layer 7
E. It eliminates the need for separate flow sensors and flow collectors
F. Its management console provides numerous drill-down tools to help administrators isolate the cause of an incident
G. It integrates with Cisco Outbreak Intelligence for full zero-day threat protection
H. It can be configured and managed with the Stealthwatch Management Console, which is an intuitive web interface, and a powerful CLI.
Answer: A B

NO.305 Which two design options are best to reduce security concerns when adopting IoT into an organization? (Choose two.)
A. Ensure that applications can gather and analyze data at the edge.
B. Implement video analytics on IP cameras.
C. Encrypt sensor data in transit.
D. Segment the Field Area Network from the Data Center network.
E. Encrypt data at rest on all devices in the IoT network.
Answer: C D

NO.306 Which two statements about application protocol detectors in the Cisco Fire? (Choose two)
A. They can analyze network traffic for specific application fingerprints
B. Port-based application protocol detectors can be modified for use as custom
C. Port-based and Firepower-based application protocol detectors can be import
D. firepower-based application protocol detectors are built in to the Firepower deactivated only by
the system
E. They can be activated by VDB updates, but must be deactivated manually
F. They can detect web-based application activity in HTTP traffic
Answer: B E

NO.307 Refer to the exhibit.
ASA# sh nat detail
Auto NAT Policies (Section 1)
1 (inside) to (outside) source static servers server1_t
translate_hits = 0 untranslate_hits = 5
Source = Origin 192.168.1.3/32. Translated 19.16.1.3/32
2 (inside) to (outside) source static servers server2_t
translate_hits = 0 untranslate_hits = 24
Source = Origin 192.168.2.3/32. Translated 19.16.2.3/32
ASA# sh access-list
access-list trustsec line 1 extended permit tcp security-group name employee (tag=16) any security-group name engineering_int(tag=20) any eq 8080 (hitcnt=1)
access-list trustsec line 2 extended permit tcp security-group name guest (tag=17) any security-group name intranet_int(tag=10) any eq 8080 (hitcnt=1)
ASA# sh cts exp sge-map
SGT 17 IPv4 60.1.1.1 PeerIP 161.1.7.14 InsNum 1 Status Active
SGT 18 IPv4 19.16.1.1 PeerIP 161.1.7.14 InsNum 1 Status Active
SGT 20 IPv4 192.168.1.3 PeerIP 161.1.7.14 InsNum 1 Status Active
SGT 19 IPv4 19.16.2.3 PeerIP 161.1.7.14 InsNum 1 Status Active
SGT 15 IPv4 192.168.2.3 PeerIP 161.1.7.14 InsNum 1 Status Active
SGT 16 IPv4 50.1.3.4 PeerIP 161.1.7.14 InsNum 1 Status Active
The destination address with name "engineering_int" is visible to the outside as which of the following addresses?
A. 19.16.1.3
B. 192.168.1.3
C. 50.1.1.1
D. 161.1.7.14
E. 60.1.1.1
F. 19.16.2.3
G. 192.168.2.3
Answer: A

NO.308 Which description of a Botnet attack is true?
A. It can be used to participate in DDOS
B. It is a form of a wireless attack where the attacker installs an access point to create a backdoor to a network
C. It is launched by a collection of non-compromised machines controlled by the command and control system
D. It is launched by a single machine controlled by the command and control system
E. It is a form of a fragmentation attack to evade an intrusion prevention security device
F. It is a form of a man-in-the-middle attack where the compromised machine is controlled remotely
Answer: A

NO.309 Which two statements about MACsec are true? (Choose two)
A. It maintains network intelligence as it is applied to router uplinks and downlinks.
B. It works in conjunction with IEEE 802.1X-2010 port-based access control.
C. It uses symmetric-key encryption to protect data confidentiality.
D. It encrypts packets at Layer 3, which allows devices to handle packets in accordance with network policies.
E. It can be enabled on individual ports at Layer 3 to allow MACsec devices to access the network.
F. It can use IEEE 802.1X master keys to encrypt wired and wireless links
Answer: B C

NO.310 Which IPS deployment mode can blacklist traffic?
A. Transparent
B. Strict
C. Inline
D. Passive
E. Tap
F. Switched
Answer: C

NO.311 Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object
group?
A. object-group network CISCO
group-object 10.2.1.0
B. object network CISCO
network-object object 10.2.1.0
C. object-group network CISCO
network-object host 10.2.1.0
D. object network CISCO
group-object 10.2.1.0
Answer: C

NO.312 Which host attributes can be assigned in a compliance white list?
A. Verified, unverified and compliant
B. Verified and unverified
C. Verified, unverified and evaluated
D. Compliant, noncompliant and not evaluated
E. Compliant and noncompliant
Answer: E

NO.313 Which file extensions are supported on the Firesight Management Center 6.1 file policies that can be analyzed dynamically using the Threat Grid Sandbox integration?
A. MSEXE, MSOLE2, NEW-OFFICE, PDF
B. DOCX, WAV, XLS, TXT
C. TXT, MSOLE2, WAV, PDF
D. DOC, MSOLE2, XML, PDF
Answer: A

NO.314 Refer to the exhibit.
Which meaning of this error message on a Cisco ASA is true?
A. The route map redistribution is configured incorrectly.
B. The default route is undefined.
C. The packet was denied and dropped by an ACL.
D. The host is connected directly to the firewall.
Answer: B

NO.315 A client computer at 10.10.7.14 is trying to access a Linux server (11.0.1.9) that is running a Tomcat Server application. What tcpdump filter would be the best to verify that traffic is reaching the Linux server eth0 interface?
A. tcpdump -i eth0 host 10.10.7.2 and host 11.0.1.9 and port 8080
B. tcpdump -i eth0 host 10.10.7.2 and 11.0.1.9
C. tcpdump -i eth0 host dst 11.0.1.9 and dst port 8080
D. tcpdump -i eth0 host 10.10.7.2 and dst 11.0.1.9 and dst port 8080
Answer: A

NO.316 Which statement is true about a SMURF attack?
A. The attacker uses a spoofed destination address to launch the attack
B. It sends ICMP Echo Requests to a broadcast address of a subnet
C. In order to mitigate the attack you need to enable IP directed broadcast on the router interface
D. It sends ICMP Echo Replies to known IP addresses in a subnet
E. It is used by the attackers to check if destination addresses are alive
F. It exhausts the resources of the victim machine (the spoofed source address) with a large number of ICMP Echo Requests from a subnet
Answer: B

NO.317 Refer to the exhibit.
What are two effects of the given configuration? (Choose two.)
A. It enables the ASA to download the static botnet filter database.
B. It enables the ASA to download the dynamic botnet filter database.
C. It enables botnet filtering in single context mode.
D. It enables botnet filtering in multiple context mode.
E. It enables multiple context mode.
F. It enables single context mode.
Answer: B D

NO.318 Refer to the exhibit.
Which effect of this configuration is true?
A. The downloadable ACL and AV pair ACL are merged after three connection attempts are made to the RADIUS server.
B. The downloadable ACL and AV pair ACL are merged immediately when the RADIUS server is activated.
C. For all users, entries in a downloadable ACL are given priority over entries in an AV pair ACL.
D. The downloadable ACL and AV pair ACL entries are merged together, one ACE at a time.
E. A downloadable ACL is applied after an AV pair ACL.
Answer: E

NO.319 Which command is used to enable 802.1x authentication on an interface?
A. authentication port-control auto
B. aaa authorization auth-proxy default
C. aaa authorization network default group tacacs+
D. authentication control-direction both
E. authentication open
Answer: A

NO.320 Refer to the exhibit.
What feature does the given configuration implement?
A. DHCP Secured IP Address Assignment
B. DHCP snooping
C. dynamic ARP learning
D. ARP probing
Answer: A

NO.321 Which statement about the restrictions of redirection on Cisco Cloud Web Security tunnels
on ISR4000 Series Router is true?
A. The cws-tunnel out command can be configured up to a maximum of three WAN interfaces
B. User authentication (through NTLM) is supported
C. Access lists based on object groups are supported in white listing and redirect list configuration
D. IPv6 is not supported
E. Multiple access lists are supported for white listing
Answer: C

NO.322 Refer to the exhibit.
What is the effect of the given service policy?
A. It blocks cisco.com, msn.com, and facebook.com permanently
B. It blocks facebook.com, msn.com, cisco.com and google.com
C. It blocks all domains except facebook.com, msn.com, cisco
D. It blocks all domains except cisco.com, msn.com, and facebook.com
Answer: D

NO.323 Which function of MSE in the WIPS architecture is true?
A. detects over-the-air traffic network anomalies and attacks
B. scans channels without impacting data-serving radios
C. provides a view of security threats
D. performs the correlation of security events
E. channel to connect with ISE to implement CoA
F. applies rogue policy to mitigate rogue threats
G. detects rogue APs
Answer: D

NO.324 In which two situations is web authentication appropriate? (Choose two)
A. When secure connections to the network are unnecessary.
B. When a fallback authentication method is necessary
C. When 802.1x authentication is required.
D. When devices outside the control of the organization's IT department are permitted to connect to the network.
E. When WEP encryption must be deployed on a large scale.
Answer: B D

NO.325 Which are two of the valid IPv6 extension headers? (Choose two.)
A. Options
B. Authentication Header
C. Mobility
D. Protocol
E. Next Header
F. Hop Limit
Answer: B C

NO.326 Which statement about SSL policy implementation in a Cisco Firepower system is true?
A. Access control policy is required for the SSL policy implementation
B. If the Cisco Firepower system cannot decrypt the traffic, it allows the connection.
C. Access control policy is invoked first before the SSL policy tied to it
D. Intrusion policy is mandatory to configure the SSL inspection
E. If SSL policy is not supported by the system, then access control policy handles all the encrypted
traffic.
F. Access control policy is responsible for handling all the encrypted traffic if an SSL policy is tied to it.
Answer: A

NO.327 Refer to the exhibit.
RTR-A(config-if)# ipv6 mld report-link local-groups
Which effect of this configuration is true?
A. It enables MLD query messages for all link-local groups.
B. It enables local group membership for MLDv1 and MLDv2.
C. It enables hosts to send MLD report messages for groups in 224.0.0.0/24.
D. It enables the host to send MLD report messages for nonlink local groups.
E. It configures the node to generate a link-local group report when it joins the solicited-node multicast group.
Answer: C

NO.328 In an effort to secure your enterprise campus network, any endpoint that connects to the network should authenticate before being granted access. For all corporate-owned endpoints, such as laptops, mobile phones and tablets, you would like to enable 802.1x and, once authenticated, allow full access to the network. For all employee-owned personal devices, you would like to use web authentication, and only allow limited access to the network. Which two authentication methods can ensure that an employee on a personal device can't use his or her Active Directory credentials to log on to the network by simply reconfiguring their supplicant to use 802.1x and getting unfettered access? (Choose two.)
A. Use PEAP-EAP-MSCHAPv2
B. Use EAP-FAST
C. Use EAP-TLS or EAP-TTLS
D. Use EAP-MSCHAPv2
E. Use PAP-CHAP-MSCHAP
F. Use PEAP-EAP-TLS
Answer: A B

NO.329 On a Cisco Wireless LAN Controller (WLC), which web policy enables failed Layer 2
authentication to fall back to WebAuth authentication with a user name and password?
A. On MAC Filter Failure
B. Passthrough
C. Splash Page Web Redirect
D. Conditional Web Redirect
E. Authentication
Answer: A

NO.330 Which description of SaaS is true?
A. a service offering on-demand licensed applications for end users
B. a service offering that allows developers to build their own applications
C. a service offering on-demand software downloads
D. a service offering a software environment in which applications can be built and deployed.
Answer: A

NO.331 What are three technologies that can be used to trace the source of an attack in a network
environment with multiple exit/entry points? (Choose three.)
A. ICMP Unreachable messages
B. Sinkholes
C. A honey pot
D. Remotely-triggered destination-based black holing
E. Traffic scrubbing
Answer: A D E

NO.332 Which statement correctly describes TAP mode deployment in IPS?
A. Access rules configured in TAP mode generate events when triggered as well as perform the defined action on the traffic stream
B. TAP mode is available when ports are configured as passive interfaces
C. Access rules configured in TAP mode do not generate events
D. TAP mode implementation requires SPAN configuration on a switch
E. TAP mode is available when IPS is deployed inline
F. In TAP mode traffic flow gets disturbed for analysis
Answer: E

NO.333 Which of the following is the correct statement regarding enabling SMTP encryption on ESA?
A. Enabling TLS is an optional step
B. TLS can be enabled only for receiving
C. Enabling TLS for delivery goes under the "Destination Controls" menu of mail policies
D. It only allows the use of self-signed certificates
E. TLS can be enabled only for delivery
F. It allows importing a certificate from a CA
Answer: C

NO.334 Which statement correctly describes a Botnet attack?
A. It is launched by a single machine controlled by a command and control system
B. It is a form of a fragmentation attack to evade an intrusion prevention security device
C. It is a form of a man-in-the-middle attack where the compromised machine is controlled remotely
D. It is launched by a collection of machines controlled by a command and control system
E. It is a form of a wireless attack where the attacker installs an access point to create a backdoor to a network
F. It is launched by a collection of machines to execute DDoS against the attacker
Answer: D

NO.335 Which three commands can you use to configure VXLAN on a Cisco ASA firewall? (Choose three)
A. sysopt connection tcpmss
B. nve-only
C. default-mcast-group
D. inspect vxlan
E. set ip next-hop verify-availability
F. segment-id
Answer: B C F

NO.336 A network architect has been tasked to migrate a customer's legacy infrastructure switches to the Nexus 9000 platform. Which feature will help him achieve this milestone?
A. Create a container providing separate execution space
B. Manage software upgrades via guest shell
C. Setup a Web-based interface for configuration management.
D. Allow guests temporary access to the CLI without logging in.
Answer: A

NO.337 Refer to the exhibit.
What IPsec function does the given?
A. Crypto ACL confirmation
B. DH exchange initiation
C. PFS parameter negotiation
D. Setting SPIs to pass traffic
Answer: B
Explanation
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113574-tg-asa-ipsec-ike-debugs-main-00.html
QM1

NO.338 Which four tasks are needed to configure RSA token authenticate
A. Generate the sdconf.rec file on the RSA server for the authenticate
B. Add the ACS server to the allowed ODBC query list on the server
C. Define an ODBC client connection on the RSA server
D. On the ACS server, define the ODBC connection and the RSA server
E. Define an authentication agent on the RSA server
F. Add the RSA server as an external identity server on ACS
G. Define an accounting agent on the RSA server
H. Upload the sdconf.rec to the ACS server
Answer: A E F H

NO.339 Which three statements about the keying methods used by MACsec are true? (Choose three.)
A. SAP is not supported on switch SVIs.
B. SAP is supported on SPAN destination ports.
C. MKA is implemented as an EAPoL packet exchange.
D. Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
E. SAP is enabled by default for Cisco TrustSec in manual configuration mode.
F. A valid mode for SAP is NULL.
Answer: A C F

NO.340 What are two features that help to mitigate man-in-the-middle attacks? (Choose two.)
A. DHCP snooping
B. ARP spoofing
C. destination MAC ACLs
D. dynamic ARP inspection
E. ARP sniffing on specific ports
Answer: A D

NO.341 Which command is required for the Botnet filter on a Cisco ASA to function properly?
A. dynamic-filter inspect tcp /80
B. dynamic-filter whitelist
C. inspect botnet
D. inspect dns dynamic-filter-snoop
Answer: D

NO.342 Drag each component of an Adaptive Wireless IPS deployment on the left to the matching description on the right
Answer:
Explanation
1-F, 2-E, 3-B, 4-G, 5-D, 6-C, 7-A

NO.343 Refer to the exhibit.
A customer reports to Cisco TAC that one of the Windows clients that is supposed to log in to the network using MAB can no longer access any allowed resources. Which possible cause of the MAB failure is true?
A. MAB is disabled on port Gi1/0/9.
B. AAA authorization is incorrectly configured on the switch.
C. CTS is configured incorrectly on the switch.
Answer: A

NO.344 Which three EAP protocols are supported in WPA and WPA2? (Choose three)
A. EAP-PSK
B. EAP-EKE
C. EAP-FAST
D. EAP-AKA
E. EAP-SIM
F. EAP-EEE
Answer: C D E

NO.345 Which description of configuring the port security feature is true?
A. With regards to setting the maximum number of MACs for maximum number of allowed MACs for the access and voice
B. With regards to setting the maximum number of MACs for f maximum number of allowed MACs for the access VLAN only'
C. It is not possible to set the maximum number MACs on the ; configured on the same switch port
D. With regards to setting the maximum number of post secure number of allowed MACs for the voice VLAN only as a phone
Answer: A

NO.346 Which are three similarities between containers and virtual machines? (Choose three)
A. private space for processing
B. public interface
C. cannot mount file systems
D. share host system kernel
E. private network interface and IP address
F. allow custom routes
Answer: A E F

NO.347 Which statement about host data collection using Cisco Firepower system is true?
A. It does not have the information on host hops separation from the discovery point.
B. The system prohibits the collection of host data using the NetFlow to avoid inconsistencies
C. The system uses host fingerprint to relay host information to ISE using pxGrid.
D. It depends on the traffic analytics reported by the added host in the system.
E. It can report the operating system running on the host.
Answer: E

NO.348 Drag and drop the protocols on the left onto their descriptions on the right:

Answer:

Explanation
A-2 B-4 C-1 D-3

NO.349 Which statement about Password Authentication Protocol is true?
A. RADIUS-based PAP authentication logs successful authentication attempts only.
B. Its password is encrypted with a certificate.
C. It offers strong protection against brute force attacks.
D. RADIUS-based PAP authentication is based on the RADIUS Password attribute
E. It is the most secure authentication method supported for authentication against the internal Cisco ISE database
F. It uses a two-way handshake with an encrypted password
Answer: D

NO.350 Which two protocols are used by the management plane in a Cisco IOS device? (Choose
two)
A. DHCP
B. FTP
C. NTP
D. CHAP
E. IKEv2
F. NETFLOW
G. PAP
H. TLS
I. 3DES
Answer: B F

NO.351 Which three types of addresses can the Botnet Traffic Filter feature of the Cisco ASA
monitor? (Choose three)
A. dynamic address
B. known malware addresses
C. known allowed addresses
D. ambiguous addresses
E. internal addresses
F. listed addresses
Answer: B C D

NO.352 Refer to the exhibit.
Users cannot access web servers 192.168.101.3/24 and 192.168.102.3/24 using the Firefox web browser when 172.6V1.0/24 network. Which possible cause is true?
A. The identification profile "Allowed Profile" has a misconfigured user agent.
B. The access policy "Allow policy" is pointing to an incorrect identification profile.
C. The access policy "Allow Policy" has an incorrect action set for the custom URL category.
D. The custom URL category "Allowed Sites" has an incorrect server address listed.
E. The identification profile "Allow Profile" has an incorrect protocol.
F. The identification profile "Allow Profile" has an incorrect source network.
Answer: A F

NO.353 Refer to the exhibit.
You issued the show crypto isakmp sa command to troubleshoot an IPsec VPN. What possible issue does the given output indicate?
A. The peer is failing to respond
B. The crypto ACLs are mismatched
C. The pre-shared keys are mismatched
D. The transform sets are mismatched
Answer: C

NO.354 Which of these command sequences will send an email to holly@invalid.com using SMTP?
A. HELO invalid.com
MAIL TO:<holly@invalid.com>
MESSAGE
END
B. MAIL FROM:<david@invalid.com>
RCPT TO:<holly@invalid.com>
DATA
C. HELO invalid.com
MAIL FROM:<david@invalid.com>
RCPT TO:<holly@invalid.com>
BODY
D. MAIL FROM:<david@invalid.com>
RCPT TO:<holly@invalid.com>
MESSAGE
Answer: B

NO.355 Which three VSA attributes are present in a RADIUS WLAN Access-Accept packet? (Choose
three)
A. Tunnel-Private-Group-ID
B. Tunnel-Type
C. SSID
D. EAP-Message
E. LEAP Session-Key
F. Authorization-Algorithm-Type
Answer: C E F

NO.356 Refer to the exhibit.
ASA1
router ospf 12
network 10.1.11.0 255.255.255.0 area 1
area 1 authentication message-digest
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.1.11.1 255.25.255.0 standby 10.1.11.2
ospf message-digest-key 12 md5 cisco
R2
router ospf 12
area 0 authentication message-digest
area 1 authentication message-digest
network 10.1.11.0 0.0.0.255 area 1
network 10.1.12.0 0.0.0.255 area 0
network 172.16.100.0 0.0.0.255 area 0
!
interface GigabitEthernet2
ip address 10.1.11.22 255.255.255.0
ip ospf message-digest-key 21 md5 cisco
Firewall ASA1 and router R2 are running an OSPF routing process in area 1, connected via the 10.1.11.0/24 subnet in the inside zone. It has been reported that ASA1 is unable to see any OSPF learned routes. What could be the reason?
A. On R1 the 10.1.11.0/24 subnet should be in area "0" in the OSPF routing process
B. On ASA1 the standby interface needs to be disabled on the Gi0/1 interface
C. On R1 an incorrect subnet is defined for the Gi2 interface
D. On ASA1 the Gi0/1 interface should have the security level set at "0"
E. On ASA1 there is an incorrect subnet mask on the Gi0/1 interface
F. R2 has a mismatched message-digest key-id
Answer: F

NO.357 Which IPS deployment mode is most reliant on the Automatic Application Bypass feature?
A. Passive
B. Strict
C. transparent
D. switched
E. tap
F. inline
Answer: F

NO.358 All your remote users use AnyConnect VPN to connect into your corporate network, with an ASA providing the VPN service. Authentication is through ISE using RADIUS as the protocol. ISE uses Active Directory as the Identity Source. You want to be able to assign different policies to users depending on their group membership in Active Directory. Which is one possible way of doing that?
A. Configure an authorization policy in ISE to send back a RADIUS class-25 attribute with the name of the ASA Tunnel Group (Connection Profile)
B. This is only possible when LDAP authorization is configured directly to Active Directory
C. Configure an authentication policy in ISE to send back a RADIUS class-25 attribute with the name of the ASA Group Policy
D. Configure an authentication policy in ISE to send back a RADIUS class-25 attribute with the name of the ASA Tunnel Group (Connection Profile)
E. Configure an authorization policy in ISE to send back a RADIUS class-25 attribute with the name of the ASA Group Policy
Answer: E

NO.359 Refer to the exhibit.

After you applied this EtherChannel configuration to a Cisco ASA, the EtherChannel failed to come up. Which reason for the problem is the most likely?
A. The lacp system-priority and lacp port-priority values are the same.
B. The EtherChannel requires three ports, and only two are configured.
C. The EtherChannel is disabled.
D. The channel-group modes are mismatched.
Answer: B

NO.360 Which statement is correct regarding Cisco VSG functionality?
A. It allows Active-Active failover operation mode when deployed as an HA pair.
B. It applies a security profile only after VM instantiation.
C. It allows a third-party orchestration tool to interact with XML APIs for its provisioning.
D. It does not allow Zone-based firewall capabilities to be extended to VMs on VXLAN.
E. It allows administrative segregation, due to which Security Administration can author and manage port profiles.
F. It does not provide trusted access to VMs in an enterprise data center.
Answer: C

NO.361 Which encryption type is used by ESA for implementing the Email Encryption?
A. PKI
B. S/MIME Encryption
C. Identity Based Encryption(IBE)
D. TLS
E. SSL Encryption
Answer: B

NO.362 Refer to the exhibit.


R3
ip vrf mgmt
!c
rypto keyring CCIE vrf mgmt
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!c
rypto isakmp policy 33
encr 3des
authentication pre-share
group 2
lifetime 600
!c
rypto ipsec transform-set site_ab esp-aes-256 esp-sha-hmac
mode tunnel
!c
rypto ipsec profile site_a
set security-association lifetime seconds 600
set transform-set site_ab
!c
rypto gdoi group group_a
identity number 100
server local
rekey algorithm aes 256
rekey lifetime seconds 300
rekey retransmit 10 number 3
rekey authentication mypubkey rsa cciekey
rekey transport unicast

128
IT Certification Guaranteed, The Easy Way!

sa ipsec 1
profile site_a
match address ipv4 site_a
replay counter window-size 64
no tag
address ipv4 10.1.20.3
!i
nterface GigabitEthernet3
ip address 10.1.20.3 255.255.255.0
!i
p access-list extended site_a
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R3 is the key server in a VRF-aware GETVPN implementation. The group members for site_a register with the key server via the interface address 10.1.20.3/24 in the management VRF "mgmt". The group ID for site_a is 100; the group members use it to retrieve the group policy and keys from the key server. The traffic to be encrypted by the site_a group members is between 192.168.4.0/24 and 192.168.5.0/24. The pre-shared key used by the group members to authenticate with the key server is "cisco". It has been reported that the group members are unable to perform encryption for the traffic defined in the group policy of site_a. What could be the issue?
A. Incorrect encryption traffic defined in the group policy
B. Incorrect mode configuration in the transform set
C. Incorrect password in the keyring configuration
D. Incorrect security-association time in the IPsec profile
E. Incorrect encryption in ISAKMP policy
F. The GDOI group has incorrect local server address
G. The registration interface is not part of management VRF "mgmt"
Answer: G

NO.363 Which three types of addresses can the Botnet Filter feature of the Cisco ASA monitor? (Choose three)
A. Known allowed addresses
B. Dynamic addresses
C. Internal addresses
D. Ambiguous addresses
E. Known malware addresses
F. Listed addresses
Answer: A D E

NO.364 Refer to the exhibit.


R9
crypto ikev2 keyring ccier10
 peer r10
  address 20.1.4.11
  pre-shared-key local ccier10
  pre-shared-key remote ccier10
!
crypto ikev2 profile ccier10
 match identity remote address 20.1.4.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local ccier10
!
crypto ipsec profile ccier10
 set ikev2-profile ccier10
!
interface Loopback1
 ip address 192.168.9.9 255.255.255.0
!
interface Tunnel34
 ip address 172.16.2.9 255.255.255.0
 tunnel source GigabitEthernet1
 tunnel destination 20.1.4.10
 tunnel protection ipsec profile ccier10
!
interface GigabitEthernet1
 ip address 20.1.3.9 255.255.255.0
 negotiation auto
!
router eigrp 34
 network 172.16.2.0 0.0.0.255
 network 192.168.9.0
!
router bgp 3
 bgp log-neighbor-changes
 network 20.1.3.0 mask 255.255.255.0
 neighbor 20.1.3.12 remote-as 345
 neighbor 20.1.3.12 password cisco
R9 is running FlexVPN with peer R10 at 20.1.4.10 using the pre-shared key "ccier10". The tunnel interface is addressed from the 172.16.2.0/24 network, which is included in the EIGRP routing process. The BGP neighbor in AS 345 is at 20.1.3.12. It has been reported that the FlexVPN tunnel is down. What could be the issue?
A. Incorrect IPSec profile configuration
B. Incorrect tunnel network address in EIGRP routing process
C. Incorrect tunnel source for the tunnel interface
D. Incorrect keyring configuration
E. Incorrect IKEv2 profile configuration
F. Incorrect local network address in BGP routing process
Answer: D
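The two answer keys above (NO.362 and NO.364) come down to checks that can be scripted. The following Python is an added example, not exam material and not Cisco tooling: it parses IOS-style config text with plain regexes and applies exactly those two checks to the exhibits, retyped here as indented strings with only the relevant lines. The `sections` splitter, the two check functions and their messages are my own.

```python
"""Sanity checks for the GETVPN (NO.362) and FlexVPN (NO.364) exhibits.

Added example, not exam material or Cisco tooling. The config strings are the
exhibits retyped (indented, relevant lines only).
"""
import re

GETVPN_KS = """\
ip vrf mgmt
crypto keyring CCIE vrf mgmt
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto gdoi group group_a
 identity number 100
 server local
  address ipv4 10.1.20.3
interface GigabitEthernet3
 ip address 10.1.20.3 255.255.255.0
"""

FLEXVPN_R9 = """\
crypto ikev2 keyring ccier10
 peer r10
  address 20.1.4.11
  pre-shared-key local ccier10
  pre-shared-key remote ccier10
crypto ikev2 profile ccier10
 match identity remote address 20.1.4.10 255.255.255.255
 keyring local ccier10
interface Tunnel34
 tunnel source GigabitEthernet1
 tunnel destination 20.1.4.10
 tunnel protection ipsec profile ccier10
"""


def sections(config):
    """Split IOS config text into (top-level command, [indented sub-lines])."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out


def first_match(lines, pattern):
    """Return the first regex group found in any of the lines, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def check_getvpn_ks_vrf(config):
    """VRF-aware GETVPN KS: the interface carrying the 'address ipv4' the GMs
    register to must itself be in the keyring's VRF ('ip vrf forwarding <vrf>');
    otherwise IKE arrives in the global table and the keyring never matches."""
    findings = []
    secs = sections(config)
    vrf = first_match([h for h, _ in secs], r"crypto keyring \S+ vrf (\S+)")
    ks_addr = None
    for head, body in secs:
        if head.startswith("crypto gdoi group"):
            ks_addr = first_match(body, r"address ipv4 (\S+)")
    for head, body in secs:
        if not head.startswith("interface") or ks_addr is None:
            continue
        if first_match(body, r"ip address (\S+) ") != ks_addr:
            continue
        iface_vrf = first_match(body, r"ip vrf forwarding (\S+)")
        if vrf and iface_vrf != vrf:
            findings.append(
                f"{head}: KS address {ks_addr} is in VRF {iface_vrf or 'global'}, "
                f"but the keyring expects VRF {vrf}")
    return findings


def check_flexvpn_peer(config):
    """FlexVPN with PSK: every protected tunnel destination needs a keyring peer
    with that address, or IKEv2 has no key to authenticate the peer with."""
    findings = []
    secs = sections(config)
    keyring_addrs = set()
    for head, body in secs:
        if head.startswith("crypto ikev2 keyring"):
            keyring_addrs.update(
                l.split()[1] for l in body if re.match(r"address \S+$", l))
    for head, body in secs:
        if not head.startswith("interface Tunnel"):
            continue
        dst = first_match(body, r"tunnel destination (\S+)")
        protected = any(l.startswith("tunnel protection ipsec") for l in body)
        if protected and dst and dst not in keyring_addrs:
            findings.append(
                f"{head}: destination {dst} has no keyring peer entry "
                f"(keyring addresses: {sorted(keyring_addrs) or 'none'})")
    return findings


if __name__ == "__main__":
    for f in check_getvpn_ks_vrf(GETVPN_KS) + check_flexvpn_peer(FLEXVPN_R9):
        print("FINDING:", f)
```

Run as-is it reports both problems; adding `ip vrf forwarding mgmt` under GigabitEthernet3, or changing the keyring address to 20.1.4.10, clears the respective finding.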

NO.365 Which two statements about the TTL value in an IPv4 header are true? (Choose two)
A. It is a 4-bit value.
B. It can be used for traceroute operations.
C. When it reaches 0, the router sends an ICMP Type 11 message to the originator.
D. Its maximum value is 128.
E. It is a 16-bit value.
Answer: B C
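The TTL behaviour behind NO.365 is easy to see on real headers. The Python below is an added example (not exam material): it builds IPv4 and ICMP headers with `struct`, has each "router" decrement the 8-bit TTL and answer with ICMP Type 11 Code 0 when it would reach zero, and drives a traceroute over a constructed three-router path. The addresses and the path are made up for the example.

```python
"""IPv4 TTL, ICMP Time Exceeded and traceroute, as an added example.

Not exam material: addresses and the router path are constructed.
"""
import socket
import struct

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 8, 11


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, ttl, proto=1, payload_len=8):
    """20-byte IPv4 header. TTL is the single byte at offset 8: 8 bits, 255 max."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL is an 8-bit field")
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp(type_, code, body=b""):
    """ICMP message: type, code, checksum, 4 bytes rest-of-header, body."""
    hdr = struct.pack("!BBHI", type_, code, 0, 0)
    return hdr[:2] + struct.pack("!H", checksum(hdr + body)) + hdr[4:] + body


def ttl_of(pkt):
    return pkt[8]


def router_hop(pkt, router_ip):
    """One forwarding decision. Returns (forwarded_packet, icmp_reply); exactly
    one is None. When the TTL would reach 0 the datagram is discarded and ICMP
    Type 11 Code 0 (time exceeded in transit), quoting the offending IP header
    plus 8 bytes, goes back to the original source."""
    ttl = ttl_of(pkt) - 1
    src = socket.inet_ntoa(pkt[12:16])
    if ttl == 0:
        quoted = pkt[:28]
        reply = ipv4_header(router_ip, src, 64, payload_len=8 + len(quoted))
        return None, reply + icmp(ICMP_TIME_EXCEEDED, 0, quoted)
    # decrement TTL, zero the checksum field, recompute it over the header
    out = pkt[:8] + bytes([ttl]) + pkt[9:10] + b"\x00\x00" + pkt[12:]
    return out[:10] + struct.pack("!H", checksum(out[:20])) + out[12:], None


def traceroute(src, dst, routers, max_hops=30):
    """Probe with TTL 1, 2, 3, ...; whoever answers with Type 11 is that hop."""
    hops = []
    for ttl in range(1, max_hops + 1):
        pkt = ipv4_header(src, dst, ttl) + icmp(ICMP_ECHO_REQUEST, 0)
        responder = None
        for router in routers:
            pkt, reply = router_hop(pkt, router)
            if reply is not None:
                responder = (socket.inet_ntoa(reply[12:16]), reply[20])
                break
        if responder is None:  # survived every router: the destination answers
            responder = (dst, ICMP_ECHO_REPLY)
        hops.append(responder)
        if responder[0] == dst:
            break
    return hops


if __name__ == "__main__":
    for n, (who, icmp_type) in enumerate(
            traceroute("10.0.0.9", "192.0.2.10", ["10.0.0.1", "10.0.1.1", "10.0.2.1"]), 1):
        print(f"{n:2d}  {who}  (ICMP type {icmp_type})")
```

The ICMP type reported for every intermediate hop is 11, and the field width is enforced where the header is built: a TTL of 256 does not fit in the byte.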

NO.366 Which statement about X.509 certificates is true?
A. The version number in the certificate is the OS version of the CA.
B. The Subject distinguished name in the certificate is of the entity who issued the certificate
C. The algorithm in the certificate is used by the subject to encrypt the traffic
D. The serial number in the certificate is common across the certificates issued by the same CA
E. The algorithm in the certificate is used by the receiver to sign the certificate
F. The Issuer distinguished name in the certificate is of the entity issuing the certificate
Answer: F

NO.367 A user attempts to browse the Internet through a CWS-integrated router, and the HTTP 403 Fabric Error message is returned. Which reason for the problem is most likely?
A. User authentication failed
B. The CWS connector is down
C. The user is not logged in to CWS
D. The user attempted to access a web site that is blocked by CWS policy
E. The connection timed out
F. The CWS license has expired
Answer: F

NO.368 Which two statements are true about FireAMP private cloud deployment? (Choose two)
A. It can be deployed as hybrid mode
B. It can be deployed as air gap or cloud-proxy mode
C. When deployed as cloud-proxy mode internet connection is required for dispositions
D. It can be deployed in external mode
E. It can be deployed in internal mode
F. It can be deployed as public mode
Answer: B C

NO.369 Which two characteristics of DTLS are true? (Choose two.)
A. It supports long data transfers and connectionless data transfers.
B. It includes a retransmission method because it uses an unreliable datagram transport.
C. It includes a congestion control mechanism.
D. It is used mostly by applications that use application layer object-security protocols.
E. It completes key negotiation and bulk data transfer over a single channel.
F. It cannot be used if NAT exists along the path.
Answer: B C

NO.370 Which statement correctly describes the 3DES encryption algorithm?
A. It uses a set of three keys for encryption and a different set of three keys for decryption.
B. It is a block cipher algorithm but weaker than DES due to smaller key size.
C. It is an asymmetric algorithm with a key size of 168 bits.
D. It does decryption in reverse order with the same set of keys used during encryption.
E. It is a block cipher algorithm with a key size of 56 bits.
F. It is a stream cipher algorithm with a key size of 168 bits.
Answer: D
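Option D is the EDE structure. Python's standard library has no DES, so the added example below (my code, not the exam's or any vendor's) stands in a toy 64-bit keyed permutation for the DES block function; what it demonstrates is the structure, not DES itself: encryption is E_k3(D_k2(E_k1(P))), decryption applies the inverses in reverse order with the same three keys, a wrong order does not decrypt, and with k1 = k2 = k3 the construction collapses to a single encryption, which is why 3DES hardware stays DES-compatible. The keys and plaintext are arbitrary test values.

```python
"""3DES EDE keying and ordering with a toy block function (added example)."""

MASK64 = (1 << 64) - 1
DES_KEY_BITS = 56                 # of each 64-bit DES key, 8 bits are parity
TDES_KEY_BITS = 3 * DES_KEY_BITS  # 168 bits of key material


def _rotl(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def toy_encrypt(key, block):
    """Stand-in for DES E_k: add the key mod 2**64, rotate, XOR the key.
    Mixing addition and XOR keeps it from being a plain XOR (which would
    commute and hide the ordering point)."""
    return _rotl((block + key) & MASK64, 13) ^ key


def toy_decrypt(key, block):
    """Exact inverse of toy_encrypt (stand-in for DES D_k)."""
    return (_rotr(block ^ key, 13) - key) & MASK64


def tdes_encrypt(k1, k2, k3, block):
    """3DES EDE: C = E_k3(D_k2(E_k1(P)))."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))


def tdes_decrypt(k1, k2, k3, block):
    """Same keys, inverse operations, reverse order: P = D_k1(E_k2(D_k3(C)))."""
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block)))


def tdes_decrypt_wrong_order(k1, k2, k3, block):
    """Inverses applied in forward key order: D_k3(E_k2(D_k1(C))). Not a decryption."""
    return toy_decrypt(k3, toy_encrypt(k2, toy_decrypt(k1, block)))


if __name__ == "__main__":
    k1, k2, k3 = 0x0123456789ABCDEF, 0xFEDCBA9876543210, 0x0F1E2D3C4B5A6978
    p = 0xDEADBEEFCAFEF00D
    c = tdes_encrypt(k1, k2, k3, p)
    print(hex(c), tdes_decrypt(k1, k2, k3, c) == p, tdes_decrypt_wrong_order(k1, k2, k3, c) == p)
```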

NO.371 Which three statements about VXLAN are true? (Choose three.)
A. It can converge topology without STP.
B. It enables up to 24 million VXLAN segments to coexist in the same administrative domain.
C. It uses encrypted TCP/IP packets to transport data over the physical network.
D. The VTEP encapsulates and de-encapsulates VXLAN traffic by adding or removing several fields,
including a 16-bit VXLAN header.
E. It uses a 24-bit VXLAN network identifier to provide layer 2 isolation between LAN segments.
F. It can migrate a virtual machine from one Layer 2 domain to another over a Layer 3 network.
Answer: A E F
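The facts tested in NO.371 are visible in the encapsulation itself. The Python below is an added example (my code, not the exam's or Cisco's) following RFC 7348: the VXLAN header is 8 bytes carrying a 24-bit VNI (so 2^24 segments), it rides in UDP port 4789 inside an outer IPv4 packet, the whole outer stack adds 50 bytes, and a VTEP forwards an inner Ethernet frame unchanged to the remote VTEP that owns the destination MAC, which is what lets one Layer 2 segment span a Layer 3 network. The MACs, VTEP addresses and MAC table are constructed for the example.

```python
"""VXLAN header, UDP/4789 encapsulation and VTEP forwarding (added example)."""
import socket
import struct
import zlib

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08        # "VNI valid" flag, the only flag RFC 7348 defines
VNI_BITS = 24
ETH_HDR, IP_HDR, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8


def max_segments():
    """24-bit VNI: 2**24 = 16,777,216 segments per administrative domain."""
    return 1 << VNI_BITS


def vxlan_header(vni):
    """8 bytes: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < max_segments():
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(data):
    flags, vni_field = struct.unpack("!B3xI", data[:VXLAN_HDR])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: not a valid VXLAN header")
    return vni_field >> 8


def udp_header(src_port, payload_len):
    """UDP checksum 0 (none) is permitted over IPv4; RFC 7348 allows it for VXLAN."""
    return struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, UDP_HDR + payload_len, 0)


def ipv4_header(src, dst, payload_len):
    """Outer IPv4 header (checksum left 0; a NIC or the sender would fill it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + payload_len, 0, 0x4000,
                       64, 17, 0, socket.inet_aton(src), socket.inet_aton(dst))


def encapsulate(local_vtep, remote_vtep, vni, inner_frame):
    """VTEP egress: inner Ethernet frame -> VXLAN -> UDP/4789 -> outer IPv4.
    (Outer Ethernet is omitted; it is added by the physical link layer.)"""
    vx = vxlan_header(vni) + inner_frame
    # source port derived from the inner MACs so ECMP spreads flows (RFC 7348 5.1)
    src_port = 49152 + (zlib.crc32(inner_frame[:12]) & 0x3FFF)
    udp = udp_header(src_port, len(vx)) + vx
    return ipv4_header(local_vtep, remote_vtep, len(udp)) + udp


def decapsulate(packet):
    """VTEP ingress: strip outer IPv4 and UDP, return (vni, inner frame)."""
    udp_start = (packet[0] & 0x0F) * 4
    dst_port = struct.unpack("!H", packet[udp_start + 2:udp_start + 4])[0]
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    vx = packet[udp_start + UDP_HDR:]
    return parse_vxlan_header(vx), vx[VXLAN_HDR:]


def overhead_bytes():
    """Outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes the underlay MTU must absorb."""
    return ETH_HDR + IP_HDR + UDP_HDR + VXLAN_HDR


def forward(inner_frame, vni, local_vtep, mac_table):
    """Constructed VTEP table: (VNI, inner destination MAC) -> remote VTEP IP.
    The inner frame is carried untouched, so a VM moved behind another VTEP
    keeps its MAC and IP; only the table entry changes."""
    remote = mac_table.get((vni, inner_frame[:6]))
    if remote is None:
        return None  # unknown unicast: would be flooded via multicast or head-end replication
    return remote, encapsulate(local_vtep, remote, vni, inner_frame)
```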

NO.372 Refer to the exhibit.

Flexible NetFlow is failing to export IPv6 flow records from Router A to your flow collector.
What action can you take to allow the IPv6 flow records to be sent to the collector?
A. Remove the ip cef command from the configuration.
B. Add the ipv6 cef command to the configuration.
C. Create a new flow exporter with an IPv6 destination and apply it to the flow monitor.
D. Set the NetFlow export protocol to v5.
E. Configure the output-features command for the IPV4-EXPORTER.
Answer: C

NO.373 Which three NETCONF datastores are valid? (Choose three)
A. candidate
B. running
C. startup
D. state
E. capabilities
F. notification
Answer: A B C

NO.374 Refer to the exhibit. Which Cisco Firepower policy has detected a "CnC Connected" indication of compromise event?
A. DNS policy
B. Network analysis policy
C. Identity policy
D. SSL policy
E. File policy
F. Intrusion policy
Answer: F

NO.375 Which statement about encryption headers on the Cisco ESA is true?
A. The optional Cisco Iron Port Encryption appliance provides extended encryption headers
B. They can be applied to outgoing messages only to force more secure message handling than is
provided by the current encryption settings on the ESA
C. Content filters can be applied to add encryption headers to outgoing messages only
D. They can be configured to enable return receipt, expire messages and prevent the recipient form
forwarding the message
Answer: D

NO.376 Refer to the exhibit.
1d00h: IPSec (validate transform proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalid proposal
1d00h: ISAKMP (0:2): SA not acceptable
These debug messages are displayed while troubleshooting a newly set up IPsec VPN tunnel. Which cause is the most probable?
A. Peer information is incorrectly configured on the remote IPsec router.
B. The Phase 1 policies are not compatible.
C. The Phase 2 policies are not compatible.
D. Crypto ACLs are not correctly mirrored on both ends of the tunnel.
E. Peer information is incorrectly configured on both sides of the tunnel.
Answer: C

NO.377 Which of the following is part of the DevOps virtuous cycle?
A. Lower Quality
B. Increased Latency
C. Slower Releases
D. Improved Scalability
Answer: D

NO.378 Which two statements about internal detectors in the Cisco Firepower System are true?
(Choose two)
A. They are built in to the Firepower system and delivered automatically with firepower updates
B. They can be activated manually or configured to activate automatically under specific conditions
C. They can be modified for use as custom detectors
D. They can detect client and application traffic
E. They can detect only web-based application activity in HTTP traffic.
F. They can be deactivated manually or by VDB updates
Answer: A E

NO.379 Which command can you enter on a Cisco ASA to send debug messages to a syslog server?
A. logging debug-trace
B. logging host
C. logging traps
D. logging syslog
Answer: A

NO.380 Which statement about Social Engineering attacks is true?
A. It is a method of extracting non-confidential information
B. It can be done by a person who is inside or outside of the organization
C. It is always done by having malicious ads on untrusted websites for the users to browse
D. It is always performed through an email from a person that you know
E. The phishing technique cannot be used to launch the attack
F. It uses the reconnaissance method for exploitation
Answer: B

NO.381 Various methods are available for load-balancing across WSA deployment. Which method
requires the least effort for all types of endpoints (campus and data center) across the enterprise?
A. Push out proxy settings to endpoints through Windows GPO settings
B. Host a PAC file on the WSA or an intranet web server and point all endpoints to it for auto-
configuration
C. Configure an SRV DNS record to point to the WSA for all WAN services
D. Use transparent Layer 4 redirection with multiple WSAs behind a load-balancer
E. Use WPAD that uses the IP addresses of the WSAs
Answer: D

NO.382 In FMC the correlation rule could be based on which two elements? (Choose two.)
A. Authorization rule
B. Intrusion event
C. CoA (Change of Authorization)
D. Traffic profile variation
E. NDAC (Network Device Admission Control)
F. SGT (Security Group Tag) mapping
G. Database type
H. Authentication condition
Answer: B D

NO.383 What is the purpose of the BGP TTL security check?
A. to check for a TTL value in packet header of less than or equal to for successful peering
B. to protect against routing table corruption
C. to use for iBGP session
D. to protect against CPU utilization-based attacks
E. to authenticate a peer
Answer: D

NO.384 Which statement is true about VRF-lite implementation in a service provider network?
A. It requires multiple links between CE and PE for each VPN connection to enable privacy
B. It uses source address to differentiate routes for different VPNs on the CE device
C. It can only support one VRF instance per CE device
D. It can have multiple VRF instances associated with a single interface on a CE device
E. It supports multiple VPNs at a CE device but their address spaces should not overlap
F. It enables the sharing of one CE device among multiple customers
Answer: F

NO.385 Which three statements about communication between Cisco VSG and the VEM are true?
(Choose three.)
A. In Layer 3 mode, fragmentation with vPath is not supported.
B. vPath handles fragmentation for all adjacencies between Cisco VSG and the VEM.
C. If vPath encapsulation of a packet in Layer 2 mode causes the packet to exceed the interface MTU
size, it will be dropped.
D. Layer 3 adjacency between Cisco VSG and the VEM requires communication through a VMkernel
interface on the VEM.
E. vPath encapsulation of incoming packets can increase the frame size by up to 94 bytes.
F. Cisco VSG and VEM should be adjacent at Layer 3 when minimal latency is required.
Answer: A D E

NO.386 Which of the following is the correct rule with regards to Zone-Based Firewall
implementation?
A. Interface can be a member of only one zone.
B. All the interfaces of the device cannot be the part of the same zone.
C. If interface belongs to a zone then the traffic to and from the interface is always allowed.
D. By default traffic between the interfaces in the same zone is dropped.
E. Zone pair cannot have a zone as both source and destination.
F. If default zone is enabled then traffic from zone interface to non-zone interface will be dropped.
Answer: A

NO.387 Which three statements about Cisco AnyConnect SSL VPN with the ASA are true? (Choose
three)
A. DTLS can fall back to TLS without enabling dead peer detection.
B. By default, the VPN connection connects with DTLS.
C. Real-time application performance improves if DTLS is implemented
D. Cisco AnyConnect connections use IKEv2 by default when it is configured as the primary protocol on the client.
E. By default, the ASA uses the Cisco AnyConnect Essentials license.
F. The ASA will verify the remote HTTPS certificate.
Answer: C D E

NO.388 From the list below, which one is the major benefit of AMP Threat GRID?
A. AMP Threat Grid learns ONLY from data you pass on your network and not from anything else to monitor for suspicious behavior. This makes
B. AMP Threat Grid combines Static, and Dynamic Malware analysis with threat intelligence into one
combined solution.
C. AMP Threat Grid analyzes suspicious behavior in your network against exactly 400 behavioral
indicators.
D. AMP Threat Grid collects file information from customer servers and run tests on them to see if
they are infected with viruses.
Answer: B

NO.389 When TCP Intercept is enabled in its default mode, how does it react to a SYN request?
A. It monitors the sequence of SYN, SYN-ACK, and ACK messages until the connection is fully
established.
B. It monitors the attempted connection and drops it if it fails to establish within 30 seconds.
C. It allows the connection without inspection.
D. It intercepts the SYN before it reaches the server and responds with a SYN-ACK.
E. It drops the connection.
Answer: D

NO.390 In FMC, which two elements can the correlation rule be based on? (Choose two.)
A. authorization rule
B. Security Group Tag mapping
C. discovery event
D. user activity
E. database type
F. authentication condition
G. Change of Authorization
H. Network Device Admission Control
Answer: C D

NO.391 Which protocol does ISE use to secure connection through the Cisco IronPort Tunnel
infrastructure?
A. SSH
B. IKEv1
C. IKEv2
D. SNMP
E. TLS
Answer: A

NO.392 Which statement about Cisco Firepower user agents is true?
A. User agents with the correct password can connect to the Firepower Management Center without
additional configuration of the server
B. They can be installed on Windows computers only
C. The User agent connection to the Firepower Management Center can be secured with IPsec.
D. A single user agent can send data to up to 10 Firepower Management Centers simultaneously.
E. It supports multiple user-management options, including Active Directory and LDAP.
Answer: B

NO.393 Which three statements about 802.1x multiauthentication mode are true? (Choose three.)
A. It is recommended for guest VLANs.
B. On non-802.1x devices, it can support only one authentication method on a single port.
C. Each multiauthentication port can support only one voice VLAN.
D. It is recommended for auth-fall VLANs.
E. It requires each connected client to authenticate individually.
F. It can be deployed in conjunction with MDA functionality on voice VLANs.
Answer: C E F

NO.394 What is the best description of a Dockerfile?
A. Text document used to build an image
B. Message Daemon files
C. Software used to manage containers
D. Repository for docker images
Answer: A

NO.395 Which two statements about NVGRE are true? (Choose two.)
A. It supports up to 32 million virtual segments per instance.
B. The network switch handles the addition and removal of NVGRE encapsulation.
C. NVGRE endpoints can reside within a virtual machine.
D. It allows a virtual machine to retain its MAC and IP addresses when it is moved to a different
hypervisor on a different L3 network.
E. The virtual machines reside on a single virtual network regardless of their physical location.
Answer: C E

NO.396 Refer to the exhibit.


aaa authentication login default group radius
aaa authentication login NO_AUTH none
aaa authentication login vty local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
ip dhcp excluded-address 60.1.1.11
ip dhcp excluded-address 60.1.1.2
!
ip dhcp pool mabpc-pool
 network 60.1.1.0 255.255.255.0
 default-router 60.1.1.2
!
cts sxp enable
cts sxp default source-ip 10.9.31.22
cts sxp default password ccie
cts sxp connection peer 10.9.31.1 password default mode peer listener hold-time 0
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/9
 switchport mode access
 ip device tracking maximum 10
 authentication host-mode multi-auth
 authentication port-control auto
 mab
!
radius-server host 161.1.7.14 key cisco
radius-server timeout 60
!
interface Vlan10
 ip address 10.9.31.22 255.255.255.0
!
interface Vlan50
 no ip address
!
interface Vlan60
 ip address 60.1.1.2 255.255.255.0
!
interface Vlan150
 ip address 150.1.7.2 255.255.255.0
Looking at the configuration, what may cause MAB authentication to fail for a supplicant?
A. There is an issue with the DHCP pool configuration
B. The VLAN configuration is missing on the authentication port
C. Incorrect CTS configuration on the switch
D. AAA authorization is incorrectly configured on the switch
E. CoA configuration is missing
F. Dot1x should be globally disabled for MAB to work
G. Switch configuration is properly configured and the issue is on the RADIUS server
Answer: E

NO.397 Which describes a capability of StealthWatch?
A. It triggers an alert as soon as the Concern Index (CI) value goes down by one point
B. It uses the baseline of normal behavior pre-configured by the user
C. Target Index (TI) is the same as the Concern Index (CI) but it works on file sharing activities
D. The StealthWatch Flow Sensor component is responsible for incrementing the Concern Index (CI)
E. It uses the TCP SYN packets to detect anomalies in the network devices
F. It uses the Concern Index to detect host anomalies
Answer: F

NO.398 Which three statements about VRF-Aware Cisco Firewall are true? (Choose three.)
A. It supports both global and per-VRF commands and DoS parameters.
B. It enables service providers to deploy firewalls on customer devices.
C. It can generate syslog messages that are visible only to individual VPNs.
D. It can support VPN networks with overlapping address ranges without NAT.
E. It enables service providers to implement firewalls on PE devices.
F. It can run as more than one instance.
Answer: C E F

NO.399 Which configuration management tools does the Cisco Nexus 9000 platform support?
A. Puppet
B. Ansible
C. Salt
D. Chef
E. Jenkins
Answer: A

NO.400 Which two statements about Cisco VSG are true? (Choose two.)
A. Because it is deployed at Layer 2, it can be inserted without significant reengineering of the
network.
B. According to Cisco best practices, the VSG should use the same VLAN for VSM-VEM control traffic
and management traffic.
C. It uses optional IP-to-virtual machine mappings to simplify management of virtual machines.
D. It uses the Cisco VSG user agent to register with the Cisco Prime Network Services Controller.
E. It can be integrated with VMWare vCenter to provide transparent provisioning of policies and
profiles.
F. It has built-in intelligence for redirecting traffic and fast-path offload.
Answer: E F

NO.401 How does a Cisco ISE server determine whether a client supports EAP chaining?
A. It sends an identity-type TLV to the client and analyzes the response.
B. It analyzes the options field in the TCP header of the first packet it receives from the client.
C. It analyzes the X.509 certificate it receives from the client through the TLS tunnel.
D. It send an MD5 challenge to the client and analyzes the response.
E. It analyzes the EAPoL message the client sends during the initial handshake.
Answer: A

NO.402 Which statement about Remote Triggered Black Hole Filtering feature is true?
A. It works in conjunction with QoS to drop the traffic that has a lower priority.
B. The Null0 interface used for filtering able to receive the traffic but never forwards it.
C. In RTBH filtering, the trigger device redistributes dynamic routes to the eBGP peers.
D. It helps mitigate DDoS attack based only on destination address.
E. It drops malicious traffic at the customer edge router by forwarding it to a Null0 interface.
F. In RTBH filtering, the trigger device is always an ISP edge router.
Answer: C

NO.403 When an organization is choosing a cloud computing model to adopt, many considerations are studied to determine the most suitable model. To which model is cloud interdependency mainly attributed?
A. Hybrid cloud
B. Public cloud
C. Community cloud
D. Private cloud
Answer: A

NO.404 How does a wired MAB request appear in the ISE RADIUS live logs?
A. (Radius: Service-Type equals Framed) and (Radius: NAS-Port-Type equals Ethernet)
B. (Radius: Service-Type equals Call-Check) and (Radius: NAS-Port-Type equals Ethernet)
C. (Radius: Service-Type equals Call-Check) and (Radius: NAS-Port-Type equals PPPoEoVLAN)
D. (Radius: Service-Type equals Call-Check) and (Radius: NAS-Port-Type equals PPPoEoVLAN)
Answer: B

NO.405 Which two statements about a SMURF attack are true? (Choose two)
A. It is a distributed denial-of-service attack
B. The attacker uses a spoofed destination address to launch the attack.
C. It is used by the attackers to check if destination addresses are alive.
D. It sends ICMP Echo Requests to a spoofed source address of a subnet
E. To mitigate the attack you must disable IP directed broadcast on the router interface
F. It exhausts the victim machine resources with large number of ICMP Echo Requests from a subnet
G. It sends ICMP Echo Replies to known IP addresses in a subnet
Answer: A E

NO.406 As an enterprise, you have decided to use Cisco Umbrella (OpenDNS) services for all public DNS requests. In which two ways can you ensure that all DNS clients (endpoints) use this service for external requests only? (Choose two.)
A. Install the umbrella proxy server on all the supported operating systems and configure it
appropriately
B. Use DHCP to push the OpenDNS servers to the endpoints
C. Install the Umbrella server in your data center that will provide these services locally
D. Install the Umbrella client on all the supported operating systems and configure it appropriately
E. Configure the OpenDNS servers as forwarders on your internal DNS servers
Answer: D E

NO.407 Which three IoT attack areas are defined by Client? (Choose three)
A. Ecosystem access control
B. Local device vector injection
C. Remote data storage tampering
D. Local data storage
E. Middleware exploitation
F. Device physical interfaces
G. Vendor frontend API enumeration
Answer: A D F

NO.408 Which statement about the TLS security protocol is true?
A. TLS version 1.0 is less secure than SSL version 3.0
B. The TLS and SSL versions can interoperate in the client-server handshake
C. It is always recommended to disable TLS version 1.0 in the browser so that it only supports SSL for
better security
D. You need to replace SSL certificate with TLS certificate for successful TLS operation
E. There are differences between TLS and SSL version 2 and 3
F. It only supports data authentication for the client-server session using a browser
Answer: E

NO.409 Which two statements about SCEP are true? (Choose two)
A. CA servers must support GetCACaps response messages in order in implement extended
functionality.
B. The GetCRL exchange is signed and encrypted only in the response direction.
C. It is vulnerable to downgrade attacks on its cryptographic capabilities.
D. The GetCACaps response message supports DES encryption and the SHA 128 hashing algorithm.
Answer: A C
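Option C is the practical consequence of option A: a client learns what the CA supports from the plain-text GetCACaps response (RFC 8894), one token per line, and that response is neither signed nor encrypted. The Python below is an added example of my own (not the exam's or any vendor's code) showing the naive negotiation that falls back to the RFC defaults of MD5 and single DES when the capabilities are absent or stripped on the path, beside a hardened client that fails closed below a pinned floor. The response strings are constructed for the example; the capability names are the RFC 8894 ones.

```python
"""SCEP GetCACaps negotiation: naive downgrade versus pinned minimum (added example)."""

# RFC 8894 capability names. SCEPStandard implies AES, SHA-256 and POSTPKIOperation.
IMPLIED_BY = {"SCEPStandard": {"AES", "SHA-256", "POSTPKIOperation"}}
HASH_PREFERENCE = ["SHA-512", "SHA-256", "SHA-1"]   # nothing advertised: RFC default MD5
CIPHER_PREFERENCE = ["AES", "DES3"]                  # nothing advertised: RFC default DES
HASH_RANK = {"MD5": 0, "SHA-1": 1, "SHA-256": 2, "SHA-512": 3}
CIPHER_RANK = {"DES": 0, "DES3": 1, "AES": 2}

# Constructed responses (not captured from any CA).
CAPS_FULL = "SCEPStandard\nPOSTPKIOperation\nSHA-256\nAES\nRenewal\n"
CAPS_LEGACY = "SHA-1\nDES3\n"
CAPS_STRIPPED = ""   # empty answer: an old CA, or an attacker dropping the response


def parse_getcacaps(text):
    """Token set from the response body; unknown tokens are kept and ignored."""
    caps = {line.strip() for line in text.splitlines() if line.strip()}
    for token, implied in IMPLIED_BY.items():
        if token in caps:
            caps |= implied
    return caps


def negotiate(caps):
    """Naive client: strongest advertised algorithms, else the RFC defaults.
    This is the behaviour that makes a stripped GetCACaps a downgrade."""
    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), "MD5")
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), "DES")
    return {"hash": hash_alg, "cipher": cipher, "post": "POSTPKIOperation" in caps}


def negotiate_strict(caps, min_hash="SHA-256", min_cipher="AES"):
    """Hardened client: same choice, but refuse anything below the pinned floor
    instead of silently falling back, so a missing GetCACaps fails closed."""
    choice = negotiate(caps)
    if HASH_RANK[choice["hash"]] < HASH_RANK[min_hash]:
        raise ValueError(f"CA offers {choice['hash']}; minimum is {min_hash}")
    if CIPHER_RANK[choice["cipher"]] < CIPHER_RANK[min_cipher]:
        raise ValueError(f"CA offers {choice['cipher']}; minimum is {min_cipher}")
    return choice


if __name__ == "__main__":
    for name, text in (("full", CAPS_FULL), ("legacy", CAPS_LEGACY), ("stripped", CAPS_STRIPPED)):
        caps = parse_getcacaps(text)
        try:
            print(name, "strict:", negotiate_strict(caps))
        except ValueError as err:
            print(name, "naive would use", negotiate(caps), "-> strict refuses:", err)
```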

NO.410 Which two statements about 802.1X components are true? (Choose two)
A. The access layer switch is the policy enforcement point.
B. The certificates that are used in the client-server-authentication process are stored on the access
switch.
C. The RADIUS server is the policy enforcement point.
D. The RADIUS server is the policy information point.
E. The RADIUS server is the policy decision point.
F. An LDAP server can serve as the policy enforcement point.
Answer: A E

NO.411 Refer to the exhibit.

A customer has opened a case with Cisco TAC reporting an issue in which clients connect to the network using the guest account. Looking at the configuration of the switch, what is the possible issue?
A. MAB should be disabled on the authentication port
B. Dynamic authorization configuration has incorrect RADIUS server
C. issue with the DHCP pool configuration
D. Dot1x is disabled on the authentication port
E. AAA network authorization incorrectly configured
F. CTS is incorrectly configured
G. Issue with redirect ACL "cwa_edirecrt"
Answer: G

NO.412 Which statement about the routing functions of a Cisco ASA running software version 9.2 is true?
A. The translation table cannot override the routing table for new connections.
B. Routes to the Null0 interface cannot be configured to black-hole traffic.
C. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors.
D. The ASA supports policy-based routing with route maps.
Answer: A

NO.413 Which port is used by the ISE pxGrid service for inter-node communication?
A. UDP ports 161 and 162
B. TCP port 443
C. TCP port 5222
D. UDP port 9995
Answer: C

NO.414 Which Cisco Firepower intrusion event impact level indicates that the host on the monitored network is vulnerable to the attack and requires the most urgent response?
A. Impact Level 3
B. Impact Level 4
C. Impact Level 2
D. Impact Level 0
E. Impact Level 1
Answer: E

NO.415 In a TLS implementation on a Cisco Email Security Appliance cluster, a machine is removed from the cluster and then added back. Which description of what happens to the machine-level certificate is true?
A. ESA cannot provide privacy for point-to-point transmission of emails through encryption
B. The machine-level certificates are lost
C. The machine-level certificates are rebuilt by RAID 5
D. The cluster goes down.
Answer: C

NO.416 Which statement is true regarding the ESA HAT configuration for incoming mail?
A. It points to the address of the ESA management interface
B. It points to the address of the recipient mail server
C. It points to the address of the DNS server
D. It points to the address of ESA listener interface
E. It points to the recipient address
F. It points to the sender address
Answer: F

NO.417 Which three ESMTP extensions are supported by the Cisco ASA? (Choose three)
A. NOOP
B. PIPELINING
C. SAML
D. 8BITMIME
E. STARTTLS
F. ATRN
Answer: A C E

NO.418 Which statement about Health Monitoring on the Firepower System is true?
A. When you delete a health policy that is applied to a device, the device reverts to the default
health policy.
B. If you apply a policy without active modules to a device, the previous health policy remains in
effect unless you delete it.
C. Health events are generated even when the health monitoring status is disabled.
D. Descendant domains in a multi-domain deployment can view, edit, and apply policies from
ancestor domains.
E. The administrator of a descendant domain is unable to edit or delete blacklists applied by the
administrator of an ancestor domain.
F. The default health policy is automatically applied to all managed devices.
Answer: C

NO.419 Which two statements about Cisco URL Filtering on Cisco IOS Software are true? (Choose
two)
A. It supports Websense and N2H2 filtering at the same time.
B. It supports local URL lists and third-party URL filtering servers.
C. By default, it uses ports 80 and 22.
D. It supports HTTP and HTTPS traffic.
E. By default, it allows all URLs when the connection to the filtering server is down.
F. It requires minimal CPU time.
Answer: B F

NO.420 Drag the components of WIPS architecture on the left to their respective functionalities on the right.
Answer:

Explanation
1-5, 2-1, 3-4, 4-2, 5-3

NO.421 Refer to the exhibit.


What is the maximum number of site-to-site VPNs allowed by this configuration?
A. 10
B. unlimited
C. 5
D. 0
E. 1
F. 15
Answer: F

NO.422 Which criteria does the ASA use for packet classification if multiple contexts share an ingress interface MAC address?
A. ASA ingress interface IP address
B. policy-based routing on ASA
C. destination IP address
D. destination MAC address
E. ASA ingress interface MAC address
F. ASA NAT configuration
G. ASA egress interface IP address
Answer: F

NO.423 Which entity enables the Stealthwatch Management Center to interact with ISE?
A. FMC
B. DNA
C. pxGrid
D. ASA
E. Threat Grid
F. NGIPS
Answer: C

NO.424 Which three statements about the SHA-2 algorithm are true? (Choose three.)
A. It provides a fixed-length output using a collision-resistant cryptographic hash.
B. It provides a variable-length output using a collision-resistant cryptographic hash.
C. It generates a 512-bit message digest.
D. It generates a 160-bit message digest.
E. It is used for integrity verification
F. It is the collective term for the SHA-224, SHA-256, SHA-384, and SHA-512 algorithms.
Answer: A E F

NO.425 RFID is a technology widely used in IoT networks today. Which two features of RFID technologies are correct? (Choose two)
A. RFID readers do not require anti-collision protocols to minimize collisions
B. Semi-passive tags have an on-board power source which is used to energize microchips
C. RFID readers can suffer from a lack of sufficient memory and computational resources
D. RFID tag collision results in an increase of identification delays
E. RFID uses CDMA and CSMA for the prevention of collisions on RFID systems
Answer: C D

NO.426 Which of the following is AMP Endpoint offline engine for windows?
A. ClamAV
B. ClamAMP
C. TETRAAMP
D. TETRA
Answer: D

NO.427 In your ISE design, there are two TACACS+ profiles created for device administration: IOS_HelpDesk_Profile and IOS_Admin_Profile. The HelpDesk profile should log the user in with privilege level 1, with the ability to change the privilege level to 15. The Admin profile should log the user in with privilege level 15 by default. Which two commands must the HelpDesk user enter on the IOS device to access privilege level 15? (Choose two)
A. enable secret
B. enable 15
C. privilege level 15
D. enable privilege 15
E. enable
F. enable IOS_Admin_Profile
G. enable password
Answer: B E

NO.428 Which two statements about the Cisco AnyConnect VPN Client are true? (Choose two.)
A. It can use an SSL tunnel and a DTLS tunnel simultaneously.
B. It enables users to manage their own profiles.
C. It can be configured to download automatically without prompting the user.
D. By default, DTLS connections can fall back to TLS.
E. To improve security, keepalives are disabled by default.
Answer: A C

NO.429 In a Cisco ISR with Cloud Web Security Connector deployment, which command can you
enter on the Cisco ISR G2 to verify connectivity to the CWS tower?

A. Show policy-map
B. Show service-policy
C. Show ip nbar
D. Show sw-module
E. Mtrace
F. Show content-scan summary
Answer: A

NO.430 Which statement about VRF-aware GDOI group members is true?


A. The GM cannot route control traffic through the same VRF as data traffic.
B. Multiple VRFs are used to separate control traffic and data traffic.
C. Registration traffic and rekey traffic must operate on different VRFs.
D. IPsec is used only to secure data traffic.
Answer: B

NO.431 Refer to the exhibit.

authentication priority dot1x mab
authentication order dot1x mab
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication host-mode multi-auth
authentication violation restrict

Which two effects of this configuration are true? (Choose two.)
A. If the TACACS+ server is unreachable, the switch places hosts on critical ports in VLAN 50
B. The device allows multiple authenticated sessions for a single MAC address in the voice domain
C. If multiple hosts have authenticated to the same port, each can be in their own assigned VLAN
D. If the authentication priority is changed, the order in which authentication is performed also
changes
E. The switch periodically sends an EAP-Identity-Request to the endpoint supplicant
F. The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass
Answer: A

NO.432 The purpose of an authentication proxy is to force the user to authenticate to a network
device before they are allowed access through the device. This is primarily used for HTTP-based
services, but it can also be used for other services. In the case of an ASA, what does ISE have to send to
enforce this access policy?
A. LDAP attribute with ACL
B. Group Policy enabled for proxy-auth
C. Downloadable ACL
D. Not possible on the ASA
E. VLAN
F. Redirect URL to ISE
Answer: C

NO.433 Refer to the exhibit.

Which effect of this configuration is true?


A. It allows each context to use all available resources.
B. It oversubscribes VPN sessions for the given class.
C. It creates a default class.
D. It creates a resource class.
Answer: D

NO.434 What does NX-API use as its transport?


A. SCP
B. FTP
C. SSH
D. SFTP
E. HTTP/HTTPS
Answer: E

NO.435 Which four of the following traffic flows should be allowed during an unknown posture state?
(Choose four)
A. Traffic from AnyConnect client, with posture module, to ASA
B. Traffic to FireAMP cloud for AMP for endpoint scan results
C. Traffic to public search engines
D. Traffic to remediation servers, if needed
E. DHCP traffic
F. DNS traffic
G. SSH traffic for network device administration
H. Traffic to ISE PSNs to which Client Provisioning Protocol FQDN points
Answer: D E F H

NO.436 Refer to the exhibit.

Users are unable to access the web servers 192.168.101.3/24 and 192.168.102.3/24 using the Firefox web
browser when the connection is initiated from the 172.16.1.0/24 network. What could be the possible cause?
A. Identification profile "allow Profile" has incorrect source subnet
B. Access policy "allow policy" is pointing to incorrect identification profile
C. Identification profile "alow Profile" has incorrect protocol
D. Access policy "allow policy" has incorrect action set for the custom URL category
E. Custom URL category "allowed sites" has incorrect server addresses listed
F. Identification profile "allowed Profile" has misconfigured user agent
Answer: F

NO.437 Which effect of the crypto key encrypt write rsa command on a router is true?
A. The device locks the encrypted key, but the key is lost when the router is reloaded.
B. The device encrypts and locks the key before authenticating it with an external CA server.
C. The device unlocks the encrypted key, but the key is lost when the router is reloaded.
D. The device locks the encrypted key and saves it to the NVRAM.
E. The device saves the unlocked encrypted key to the NVRAM.
Answer: E

NO.438 Which is true regarding Authentication Proxy?


A. It first checks if a NAT entry exists for the destination host
B. It prompts the user with a web-based authentication if user authentication information is found
C. It does not apply the DACL for the traffic passing through the device
D. It applies a global ACL if the user authentication information is not found
E. It triggers on HTTP, HTTPS and FTP connections
F. It triggers only on HTTP connection
Answer: F

NO.439 Which option is a data modeling language used to model configuration and state data of
network elements?
A. RESTCONF
B. SNMPv4
C. NETCONF
D. YANG
Answer: D

NO.440 Which two statements about AMP Threat Grid are true? (Choose two)
A. It can transmit suspected malware to the public AMP Threat Grid cloud for deeper analysis
B. It provides two separate on-premises appliances to support powerful malware analysis and threat
intelligence features
C. It provides dynamic analysis reports and generates threat scores
D. It supports real-time threat and behavioral analysis
E. It can be installed on individual endpoints to inspect local files for malware
F. It can act as an anonymized proxy to transport endpoint event data to the public AMP Threat Grid
cloud for threat detection
Answer: B C

NO.441 Which two statements about MAB are true? (Choose two)
A. It requires the administrator to create and maintain an accurate database of MAC addresses.
B. It serves as the primary authentication mechanism when deployed in conjunction with 802.1x.
C. It operates at Layer 2 and Layer 3 of the OSI protocol stack.
D. It can be used to authenticate network devices and users.
E. MAC addresses stored in the MAB database can be spoofed.
F. It is a strong authentication method.
Answer: A E

NO.442 Which two statements about NetFlow Secure Event Logging on a Cisco ASA are true?
(Choose two)
A. It tracks configured collectors over TCP.
B. It is supported only in single-context mode.
C. It can export templates through NetFlow.
D. It can be used without collectors.
E. It supports one event type per collector.
F. It can log different event types on the same device to different collectors.
Answer: C F

NO.443 Which effect of the crypto key encrypt write rsa command on a router is true?
A. The device locks the encrypted key, then saves it to the NVRAM
B. The device saves the unlocked encrypted key to the NVRAM
C. The device locks the encrypted key, but the key is lost when the router is reloaded
D. The device encrypts and locks the key before authenticating it with an external CA server
Answer: B

NO.444 Which statement about TLS support on the ESA is true?


A. By default the ESA encrypts all messages before sending them over a TLS connection
B. You can configure a content filter to encrypt a message with TLS immediately after the ESA
receives it
C. If the destination controls of a domain are set to TLS Required and the TLS connection is down, the
ESA ... (missing text)
D. TLS can secure messages for point-to-point transmission
E. If the destination controls of a domain are set to None, the email message is sent over TLS if it is
available
F. If the destination controls of a domain are set to TLS Required and the TLS connection is down, the
ESA query connection comes up
G. If the destination controls of a domain are set to TLS Required and the TLS connection is down the
ESA encryption over a non-TLS connection
Answer: F

NO.445 Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for
deployments in cloud proxy mode?
A. The appliance can perform disposition lookups against the Protect DB without an internet
connection
B. The amp-sync tool syncs the threat-intelligence repository on the appliance with the AMP public
cloud through the Update Host
C. The appliance can automatically download threat-intelligence updates directly from the AMP
public cloud
D. The Update Host automatically downloads updates and deploys them to the Protect DB on a daily
basis
E. The appliance communicates directly with the endpoint connectors only
Answer: C

NO.446 Which LDAP query is used by ESA to authenticate users logging into an appliance?
A. chain queries
B. spam quarantine end-user authentication
C. group queries
D. acceptance query
E. spam quarantine alias consolidation
F. external authentication
G. SMTP authentication
H. certificate authentication
Answer: F

NO.447 Your organization is deploying an ESA for email security for inbound and outbound email. To
receive inbound emails from external organizations, you must set up your DNS servers with the
appropriate records so that the sending email server can determine which email gateway to send to.
Assume that you have two ESAs deployed and the hostnames and IP addresses are as follows:
esa1.myesa.com: 5.5.5.25 (Preferred)
esa2.myesa.com: 5.5.5.26
Which two options must you include in your DNS server to receive email from all external senders?
(Choose two.)
A. Forward Lookup Zone:
@ 3600 IN A 10 esa1.myesa.com
@ 3600 IN A 20 esa2.myesa.com
B. Forward Lookup Zone:
esa1 IN 3600 A 5.5.5.25
esa2 IN 3600 A 5.5.5.26
C. Forward Lookup Zone:
mail1.myesa.com 120 CNAME esa1.myesa.com
mail2.myesa.com 120 CNAME esa2.myesa.com
D. Forward Lookup Zone:
@ 3600 IN MX 10 mail1.myesa.com
@ 3600 IN MX 20 mail1.myesa.com
E. Reverse Lookup Zone for 5.5.5.:
25 3600 IN PTR esa1.myesa.com
26 3600 IN PTR esa2.myesa.com
Answer: C E

NO.448 Which three statements about Dynamic ARP inspection on Cisco switches are true? (Choose
three)
A. The trusted database can be manually configured using the CLI
B. Dynamic ARP inspection is supported only on access ports
C. Dynamic ARP inspection does not perform ingress security checking
D. DHCP snooping is used to dynamically build the trusted database
E. Dynamic ARP inspection checks ARP packets against the trusted database
F. Dynamic ARP inspection checks ARP packets on trusted and untrusted ports
Answer: A D E
