Exam 400-251: IT Certification Guaranteed, The Easy Way!
Exam : 400-251
Vendor : Cisco
Version : V17.35
NO.1 Drag and drop the FireAMP Connector policy types from the left onto the correct functions on
the right
Answer:
Explanation
1-C,2-A,3-D,4-B,5-E
NO.2 A device on your internal network is hard-coded with two DNS servers on the Internet
(1.1.1.53, 2.2.2.53).
However, you want to send all requests to your OpenDNS server (208.67.222.222). Which set of
commands do you run on the ASA to achieve this goal?
A. static (inside,outside) source any 1.1.1.53 destination 208.61.222.222 eq domain static
(inside,outside) source any 2.2.2.53 destination 208.67.222.222 eq domain
B. static (inside,outside) source any 208.67.222.222 destination 1.1.1.53 eq domain static
(inside,outside) source any 208.67.222.222 destination 2.2.2.53 eq domain
C. static (inside,outside) source any destination 208.61.222.222 eq domain
D. static (outside,inside) source any 208.67.222.222 destination 1.1.1.53 eq domain static
(outside,inside) source any 208.67.222.222 destination 2.2.2.53 eq domain
E. net (inside,outside) source any 1.1.1.53 destination 208.61.222.222 eq domain net (inside,outside)
source any 2.2.2.53 destination 208.67.222.222 eq domain
E. object network OpenDNS
host 208.67.222.222
!o
B. SenderBase uses DNS-based blacklists as one of the sources of information to define the reputation
score of the sender's IP address.
C. WSA uses SenderBase information to configure URL filtering policies.
D. ESA uses destination address reputation information from SenderBase to configure mail policies.
E. SenderBase uses spam complaints as one of the sources of information of defined reputation score
of receiver IP address.
F. ESA sees a high positive score from SenderBase as very likely that sender is sending spam.
Answer: B
NO.4 For your enterprise ISE deployment, you are looking to use certificate-based authentication for
all your Windows machines. You have already gone through the exercise of pushing the machine and
user certificates out to all the machines using GPO. Since certificate-based authentication, by default,
doesn't check the certificate against Active Directory or require credentials from the user, this
essentially means that no groups are returned as a part of the authentication request. What are the
possible ways to authorize the user based on Active Directory group membership?
A. Configure the Windows supplicant to use saved credentials as well as certificate-based
authentication
B. Enable Change of Authorization on the deployment to perform double authentication
C. Use EAP authorization to retrieve group information from Active Directory
D. The certificate should be configured with the appropriate attributes which contain appropriate
group information, which can be used in Authorization policies
E. Use ISE as the Certificate Authority, which will then allow automatic group retrieval from Active
Directory to perform the required authorization
F. Configure Network Access Device (NAD) to bypass certificate-based authentication and push
configured user credentials as a proxy to ISE
Answer: F
It has been reported that IP Phone is not able to establish connectivity after performing port
authentication.
Which possible issue is the reason?
A. Possible issue with the access list applied on the port
B. Due to multiple device authentication enabled on port
C. Authentication order should be reversed
D. Possible issue with dhcp pool configuration
E. Possible issue with the session OACL
F. Due to multiple domain authentication enabled on port
Answer: D
NO.6 You have an ISE deployment with 2 nodes that are configured as PAN and MnT (Primary and
Secondary), and 4 Policy Services Nodes. How many additional PSNs can you add to this deployment?
A. 3
B. 0
C. 5
D. 1
E. 4
F. 2
Answer: D
NO.8 What will be used by WSA to apply the policies when identification is based on ISE?
A. SGT
B. proprietary protocol over TCP/8302
C. SXP
D. RADIUS
E. EAP
F. RPC
Answer: A
NO.9 An organization is deploying FTD in the data center. Products applications have been
connected; however, ping tests to resources firewall has two interfaces, INSIDE and OUTSIDE. The
problem might testing scenario is from the OUTSIDE. Which two commands can be the situation and
determine where the issue might be? (Choose two)
A. Packet-tracer input Outside <Protocol>< Destination IP><Source
B. Packet-tracer input Outside <Protocol><Source IP><Source Port
C. Packet-tracer input Inside <Protocol>< Destination IP><Source
D. Packet-tracer input Inside <Protocol>< Destination IP>< Destination
E. Packet-tracer input Outside <Protocol>< Destination IP>< Destination
F. Packet-tracer input Inside <Protocol>< Source IP>< Source Port
Answer: B F
NO.11 In FMC, which two elements can the correlation rule be based on ? (Choose two)
A. Malware detection
B. Database type
C. Change of Authorization
D. Authorization rule
NO.14 Which three transports have been defined for SNMPv3? (Choose three.)
A. DTLS
B. SSH
C. TLS
D. SSL
E. IPsec secured tunnel
F. GET
Answer: A B C
ASA2 is configured for the clientless SSL VPN connection with DNS server at 150.1.7.200 that is
reachable only from the Management0/0 interface. The incoming VPN session will be received on the
outside interface with authentication credentials Username: ccie, Password: ccie. ASA2 is configured
for the self-signed certificate with trustpoint "ccietrust" enabled for the outside interface. It has
been reported that resource accessibility is timing out after the VPN connection establishment.
What could be the reason?
A. The CA trustpoint "ccietrust" has incorrect keypair
B. The tunnel group is tied up with the incorrect group policy
C. Webvpn needs to be enabled on the management interface
D. Management interface has incorrect security level configured
E. The "ccieacl" should be configured for port 443
F. The domain-lookup should be performed from management interface
G. Incorrect banner value in the group policy
Answer: F
NO.16 What are three pieces of data you should review in response to a supported SSL MITM
attack? (Choose three.)
A. the MAC address of the SSL server
B. the MAC address of the attacker
C. the IP address of the SSL server
D. the X.509 certificate of the attacker
E. the X.509 certificate of the SSL server
F. the DNS name of the SSL server
Answer: C E F
NO.17 Which two statements about uRPF are true? (Choose two)
A. The administrator can configure the allow-default command to force the routing table to use only
the default route
B. In strict mode, only one routing path can be available to reach network devices on a subnet
C. The administrator can use the show cef interface command to determine whether uRPF is enabled
D. The administrator can configure the ip verify unicast source reachable-via any command to enable
the RPF check to work through HSRP routing groups
E. It is not supported on the Cisco ASA security appliance
Answer: B C
Explanation
Reverse Path Forwarding
http://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
E. The redirection of the identified traffic can only be performed on the interface basis.
Answer: C
NO.19 What are the two different modes in which private AMP cloud can be deployed? (Choose two)
A. Air Gap Mode
B. External Mode
C. Internal Mode
D. Public Mode
E. Cloud Mode
F. Cloud Proxy Mode
Answer: A F
NO.20 In your corporate environment, you have various Active Directory groups based on the
organizational structure and would like to ensure that users are only able to access certain resources
depending on which group(s) they belong to. This policy should apply across the network. You have
ISE, ASA and WSA deployed, and would like to ensure the appropriate policies are present to ensure
access is only based on the user's group membership. Additionally, you don't want the user to
authenticate multiple times to get access. Which two policies are used to set this up? (Choose two.)
A. Deploy Cisco TrustSec infrastructure, with ASA and WSA integrated with the ISE to transparently
identify user based on SGT assignment, when the user authenticates to the network. The SGTs can
then be used in access policies.
B. Deploy ISE, integrate it with Active Directory, and based on group membership authorize the user
to specific VLANs. These VLANs (with specific subnets) should then be used in access policies on the
ASA as well as the WSA.
C. Deploy a Single Sign-On infrastructure such as Ping, and integrate ISE, ASA and WSA with it. Access
policies will be applied based on the user's group membership retrieved from the authentication
infrastructure.
D. Configure ISE as an SSO Service Provider, and integrate with ASA and WSA using pxGrid. ASA and
WSA will be able to extract the relevant identity information from ISE to apply to the access policies
once the user has authenticated to the network.
E. Integrate ISE, ASA and WSA with Active Directory. Once user is authenticated to the network
through ISE, the ASA and WSA will automatically extract the identity information from AD to apply
the appropriate access policies.
F. Configure ISE to relay learned SGTs for the authenticated sessions with the bound destination
address using SXP speakers that will be used to apply access policies at the traffic ingress point for
segmentation
Answer: A C
NO.21 Which two descriptions of how the Cisco recommended wireless guest traffic isolation model
works are true? (Choose two.)
A. The foreign controller tunnels the traffic over EoIP to another WLC known as the anchor
controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away
from corporate traffic
B. The anchor controller tunnels the traffic over LWPP to another WLC known as the foreign
controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away
from the corporate traffic
C. The foreign controller then tunnels the traffic over LWAPP to another WLC known as the anchor
controller, which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away
from the corporate traffic
D. The access point that serves the guest sets up LWAPP tunnel to a WLC controller known as the
anchor controller
E. The anchor controller tunnels the traffic over EoIP to another WLC known as the foreign controller,
which is located in the DMZ, thus achieving traffic isolation and keeping guest traffic away from the
corporate traffic
F. The access point that serves the guest sets up an EoIP tunnel to a WLC controller known as the
foreign controller
G. The access point that serves the guest sets up a LWAPP tunnel to a WLC controller known as the
foreign controller
Answer: A G
NO.23 What technique can an attacker use to obfuscate a malware application payload, allowing it
to bypass standard security mechanisms?
A. Teredo tunneling
B. A PE32 header
C. Steganography
D. BASE64
E. Decryption
Answer: D
NO.24 Drag and drop the Fire AMP Connector Policy types from the left on to the correct functions
on the right.
Answer:
Explanation
1-3, 2-1, 3-4, 4-2, 5-5
NO.25 Which type of header attack is detected by Cisco ASA basic threat detection?
A. denial by access list
NO.26 Which three statements about SXP are true? (Choose three)
A. It resides in the control plane, where connections can be initiated from a listener.
B. Packets can be tagged with SGTs only with hardware support.
C. Each VRF supports only one CTS-SXP connection.
D. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP
snooping must be configured.
E. The SGA ZBFW uses the SGT to apply forwarding decisions.
F. Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses.
Answer: B C E
NO.27 Which statement about deploying policies with the Firepower Management Center is true?
A. All policies are deployed on-demand when the administrator triggers them.
B. Deploy tasks can be scheduled to deploy policies automatically.
C. The leaf domain can deploy changes to all subdomains simultaneously.
D. The global domain can deploy changes to individual subdomains.
E. Policies are deployed automatically when the administrator saves them.
Answer: B
NO.28 Which feature does Cisco VSG use to redirect traffic in a Cisco Nexus 1000v Series Switch?
A. VEM
B. VPC
C. VDC
D. vPath
Answer: D
NO.29 Which of the following is one of the requirements for the FTD high availability setup?
A. Units should not have any uncommitted changes of FMC and should be fully deployed
B. Units should have DHCP configured for the interfaces
C. Units should be configured in transparent mode
D. Units should not synchronize using the same NTP source
E. Units should be configured in routed mode
F. Units should be in different domains in FMC
G. Units should have the same major software version running on them, minor and maintenance
version could be different
Answer: A
NO.30 Which two statements about DTLS are true? (Choose two.)
A. If DPD is enabled, DTLS can fall back to a TLS connection.
NO.31 Which command sequence can you enter to enable IP multicast for WCCPv2?
A. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config-if)#ip wccp web-cache redirect out
B. Router(config)#ip wccp web-cache group-list
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
C. Router(config)#ip wccp web-cache service-list
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
D. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache redirect in
E. Router(config)#ip wccp web-cache group-address 224.1.1.100
Router(config)# interface FastEthernet0/0
Router(config)# ip wccp web-cache group-listen
Answer: E
NO.32 Drag LDAP queries used by ESA to query LDAP server on the left to its functionality on the
right.
Answer:
Explanation
1-5, 2-1, 3-4, 4-2, 5-3
NO.34 Which two events can cause a failover event on an active/standby setup? (Choose two)
A. The active unit experiences interface failure above the threshold.
B. The unit that was previously active recovers.
C. The stateful failover link fails.
D. The failover link fails.
E. The active unit fails.
Answer: A E
NO.35 Which protocol does ISE use to secure a connection through the Cisco IronPort tunnel
infrastructure?
A. HTTP
B. IKEv2
C. TLS
D. SSH
E. SNMP
F. IKEv1
Answer: D
NO.37 You have an ISE deployment with two nodes that are configured as PAN and MnT (Primary and
Secondary), and four Policy Service Nodes. How many additional PSNs can you add to this
deployment?
A. 0
B. 1
C. 3
D. 5
E. 4
F. 2
Answer: B
NO.39 Which connection mechanism does the eSTREAMER service use to communicate?
A. IPsec tunnels with 3DES or AES encryption
B. TCP over SSL only
C. SSH
D. EAP-TLS tunnels
E. TCP with optional SSL encryption
F. IPsec tunnels with 3DES encryption only
Answer: B
NO.41 Which two requirements are necessary to generate the self-signed certificate for SSL VPN
deployment using AnyConnect with IOS router at the headend? (Choose two)
A. Enable WebVPN
B. Generate RSA key pair
C. Install AnyConnect package
D. Enable HTTP server
E. Configure PKI trustpoint
F. Enable CHAP
Answer: B E
NO.42 Which two options are normal functionalities for ICMP? (Choose two)
A. host detection
B. packet filtering
C. relaying traffic statistics to applications
D. path MTU discovery
E. port scanning
F. router discovery
Answer: A D
NO.43 Which statement about the Traffic Substitution and Insertion attack is true?
A. It substitutes by performing action slower than normal not exceeding threshold.
B. It is used for reconnaissance
C. It substitutes payload data in a different format but has the same meaning
D. It is a form of DoS attack
E. It substitutes payload data in the same format but has different meaning
F. It substitutes by performing action faster than normal not exceeding threshold
G. It is a form of pivoting in the network
Answer: C
NO.44 Which statement is correct about MTA, ESA, and LDAP working together?
A. The LDAP initiates local query to route the incoming messages triggered by ESA.
B. The sending MTA acts on the query results from LDAP server to route the message.
C. The ESA initiates the LDAP query and acts upon the data received from LDAP server.
C. The ESA initiates the LDAP query and forwards the results to sending MTA for routing.
D. The sending MTA initiates LDAP query and forwards results to ESA for message authentication.
Answer: C
NO.45 Which two statements about 6to4 tunneling are true? (Choose two.)
A. It provides a /128 address block.
B. It supports static and BGPV4 routing.
C. It provides a /48 address block.
D. It supports managed NAT along the path of the tunnel.
E. The prefix address of the tunnel is determined by the IPv6 configuration of the interface.
F. It supports multihoming.
Answer: B C
NO.46 Which of the following is true regarding failover link when ASAs are configured in the failover
mode?
A. It is not recommended to use secure communication over failover link when ASA is terminating
the VPN tunnel
B. Only the configuration replication sent across the link can be secured using a failover key
C. The information sent over the failover link can only be in clear text
D. The information sent over the failover link can be sent in clear text, or it could be secured
communication using a failover key
E. Failover key is not required for the secure communication over the failover link
F. The information sent over the failover link can only be sent as a secured communication
Answer: C
A. Users attempting to access the console port are authenticated against the TACACS+ server.
B. The device tries to reach the server every 24 hours and falls back to the LOCAL database if it fails.
C. If TACACS+ authentication fails, the ASA uses Cisco 123 as its default password.
D. The servers in the TACACS+ group are reactivated every 1440 seconds.
E. Any VPN user with a session timeout of 24 hours can access the device.
Answer: A
NO.51 Which two statements about Cisco AMP for Web Security are true? (Choose two.)
A. It can prevent malicious data exfiltration by blocking critical files from exiting through the Web
gateway.
B. It can perform reputation-based evaluation and blocking by uploading the fingerprint of incoming
files to a cloud-based threat intelligence network.
C. It can detect and block malware and other anomalous traffic before it passes through the Web
gateway.
D. It can perform file analysis by sandboxing known malware and comparing unknown files to a local
repository of the threats.
E. It can identify anomalous traffic passing through the Web gateway by comparing it to an
established baseline of expected activity.
F. It continues monitoring files after they pass the Web gateway.
Answer: B
NO.52 What are two important guidelines to follow when implementing VTP? (Choose two.)
A. When using secure mode VTP, only configure management domain passwords on VTP servers.
B. Enabling VTP pruning on a server will enable the feature for the entire management domain.
C. All switches in the VTP domain must run the same version of VTP.
D. CDP must be enabled on all switches in the VTP management domain.
E. Use of the VTP multi-domain feature should be restricted to migration and temporary
implementation.
Answer: B C
NO.53 Which two statements about the OpenDNS Anycast network are true? (Choose two.)
A. It ensures that requests are routed to the nearest data center
B. It is simpler and easier to scale than unicast
C. It automatically routes DNS requests to the server with the least load
D. It assigns a unique IP address and a unique hash value to each server, which dramatically
simplifies network management and ensures that failing servers can be identified and taken offline
immediately
E. It defends the network against DDoS attacks by forcing malicious traffic to a single server, which
leaves the remaining servers unaffected
F. It allows multiple servers at multiple locations to be represented by a single IP address
G. It is significantly more secure than unicast, but it may cause some additional latency
Answer: A F
NO.54 Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for
deployments in air-gap mode?
A. The amp-sync tool syncs the threat-intelligence repository on the appliance directly with the AMP
public cloud.
B. The appliance can perform disposition lookup against either the Protect DB or the AMP public
cloud.
C. The appliance can perform disposition lookups against the Protect DB without an Internet
connection.
D. The appliance evaluates files against the threat intelligence and disposition information residing
on the Update Host.
E. The Update Host automatically downloads updates and deploys them to the Protect DB on a daily
basis.
Answer: C
NO.55 Which two statements about the MACsec security protocol are true? (Choose two.)
A. When switch-to-switch link security is configured in manual mode, the SAP operation mode must
be set to GCM.
B. MACsec is not supported in MDA mode.
C. Stations broadcast an MKA heartbeat that contains the key server priority.
D. MKA heartbeats are sent at a default interval of 3 seconds.
E. The SAK is secured by 128 bit AES-GCM by default.
Answer: C E
NO.56 Drag the PCI-DSS requirements on the left to its security controls on the right.
Answer:
Explanation
1-5, 2-1, 3-2, 4-3, 5-4
NO.57 Which statement about password encryption and integrity on a Cisco IOS device is true?
A. The 'service password-encryption' global command performs encryption and hashing of all the
passwords
B. The 'enable secret' uses DES for the password hashing
C. The 'service password-encryption' global command encrypts all the passwords except for CHAP
password
D. The enable secret is preferred over enable password because of encryption
E. The 'username <name> secret <password>' command encrypts the password with SHA-256
hashing
F. When 'enable secret' is missing from the configuration, the console session cannot get privilege
access using console password due to missing encryption
Answer: D
NO.59 Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two)
A. It can establish routing adjacencies.
B. It can perform dynamic routing.
C. It can be added to an existing network without significant reconfiguration.
D. It supports extended ACLs to allow Layer 3 traffic to pass from higher to lower security interfaces.
E. It provides SSL VPN support.
Answer: C D
NO.60 Which two statements about SPAN sessions are true? (Choose two.)
A. A single switch stack can support up to 32 source and RSPAN destination sessions.
B. Source ports and source VLANs can be mixed in the same session
C. They can monitor sent and received packets in the same session.
D. Multiple SPAN sessions can use the same destination port.
E. Local SPAN and RSPAN can be mixed in the same session.
F. They can be configured on ports in the disabled state before enabling the port.
Answer: C F
NO.61 Which three requirements for multicloud customers to connect, protect and consume cloud
services are true? (Choose three)
A. Interoperability
B. Networking
C. API integration
D. Software
E. Analytics
F. Security
Answer: B E F
NO.62 Which statement about Nmap scanning on the Cisco Firepower System is true?
A. It can leverage multiple proxy devices to increase scan speed
B. It can scan TCP and UDP ports, but TCP ports require significantly more resources
C. The Fast Port Scan scans only the TCP ports that are listed in the nmap-service file
D. It can scan IP addresses, address blocks, and address ranges on IPv4 and IPv6 networks
E. It supports custom fingerprinting to identify malware by its unique characteristics in your specific
environment
F. It performs host discovery before each scan to identify hosts that are online and skips the full scan
for hosts that are offline
Answer: C
NO.63 On Nexus 9000, in Python interactive mode, which command is correctly used to disable an
interface?
A. cli("conf t ; interface eth1/1 ; shutdown")
B. cli("conf t"), cli("interface eth1/1"), cli("shutdown")
C. cli("interface eth1/1 ; shutdown")
D. cli("conf t"), cli("interface eth1/1 ; shutdown")
Answer: A
NO.65 Which three statements about WCCP are true? (Choose three.)
A. The minimum WCCP-Fast Timers messages interval is 500 ms
B. If a specific capability is missing from the Capabilities Info component, the router is assumed to
support the default capability
C. If the packet return method is missing from a packet return method advertisement, the web cache
uses the Layer 2 rewrite method
D. The router must receive a valid receive ID before it negotiates capabilities
NO.66 Which two statements about role-based access control are true? (Choose two.)
A. The user profile on an AAA server is configured with the roles that grant user privileges.
B. If the same user name is used for a local user account and a remote user account, the roles
defined in the remote user account override the local user account.
C. Server profile administrators have read and write access to all system logs by default.
D. A view is created on the Cisco IOS device to leverage role-based access controls.
E. Network administrators have read and write access to all system logs by default.
Answer: A D
NO.67 Which statement about VRF-lite implementation in a service provider network is true?
A. It requires multiple links between CE and PE for each VPN connection to enable privacy
B. It uses input interfaces to differentiate routes for different VPNs on the CE device
C. It can only support one VRF instance per CE device
D. It can have multiple VRF instances associated with a single interface on a CE device
E. It supports multiple VPNs at a CE device but their address spaces should not overlap
Answer: B
AMP cloud is configured to report AMP connector scan events from a Windows machine belonging to
"Audit" group to FMC, but the scanned events are not showing up in FMC. What could be the
possible cause?
A. AMP cloud is pointing to incorrect FMC address
B. Possible issues with certificate download from AMP cloud for FMC integration
C. Incorrect group is selected for the events export in AMP cloud for FMC
D. Event should be viewed as "Malware" event in FMC
E. DNS address is misconfigured on FMC
F. FMC is pointing to incorrect AMP cloud address
Answer: D
NO.69 Your customer wants to implement Cisco Firepower IPS and 1 secure policy.
However, a monitoring period of 2 weeks is applied against real traffic without causing an outage
before going in to fu of the default policies as a base and set the policy action to ensure.
Which two policies to achieve these requirements are true?
A. Set IPS policy to Trust
B. Set IPS policy to Monitor
C. Base the IPS policy on the default Advanced Security over Connection
D. Base the IPS policy on the default Balanced Security and Connection
E. Base the IPS policy on the default Connectivity over Security
F. Base the IPS policy on the default Security over Connectivity
G. Set IPS Policy to No Drop
Answer: B D
NO.70 Which location for the PAC file on Cisco IronPort WSA is the default?
A)
B)
C)
D)
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
NO.71 Which two statements about the Cognitive Threat Analytics feature of Cisco AMP for Web
Security are true? (Choose two.)
A. It can locate and identify indicators of prior malicious activity on the network and preserve
information for forensic analysis.
B. It can identify potential data exfiltration.
C. It uses a custom virtual appliance to perform reputation-based evaluation and blocking of
incoming files.
D. It can perform file analysis by sandboxing known malware and comparing unknown files to a local
repository of threats.
E. It can identify anomalous traffic passing through the Web gateway by comparing it to an
established baseline of expected activity.
F. It can identify anomalous traffic within the network by comparing it to an established baseline of
expected activity.
Answer: B F
NO.73 Which option happens for traffic analysis in an inline, intrusion prevention and AMP for
Firepower deployment?
A. Intrusion policy
B. Security intelligence
C. Access control rule
D. Network discovery policy
E. Network analysis policy
F. File policy
G. SSL policy
Answer: C
NO.74 Which two options are benefits of global ACLs? (Choose two)
A. They save memory because they work without being replicated on each interface.
B. They are more efficient because they are processed before interface access rules.
C. They are flexible because they match source and destination IP addresses for packets that arrive
on any interface.
D. They only operate on logical interfaces.
E. They can be applied to multiple interfaces.
Answer: A C
NO.75 Which two types of IPv6 capabilities does Cisco ISE release 2.0 support? (Choose two.)
The FMC with address 161 1 7 16 is not seeing AMP Connector scan events that are reported to the
AMP cloud from the test-pc Windows machine that belongs to "protect" group. Which cause of the
issue is true?
A. The Windows machine belongs to an incorrect group in the AMP cloud policy.
B. The FMC was not added in the AMP cloud.
C. The incorrect group is selected for the events export in the AMP cloud for the FMC.
D. The Event must be viewed as a Connection event in the FMC.
E. The AMP cloud was not added in the FMC.
F. The Windows machine is not reporting scan events to the AMP cloud.
G. The Windows machine is not reporting events to the FMC.
Answer: A
NO.77 Which two combinations of node are allowed in a Cisco ISE distributed deployment? (Choose
two)
A. ISE cluster with eight nodes
B. Pair of passive ISE nodes for automatic failover
C. One or more policy service ISE nodes for session failover standalone
D. Primary and secondary administration ISE nodes for high availability
E. Active and standby ISE nodes for high availability
Answer: B D
NO.78 A server with IP address 209.165.202.150 is protected behind the inside interface of a Cisco
ASA and the Internet on the outside interface. Users on the Internet need to access the server at any
time, but the firewall administrator does not want to apply NAT to the address of the server because
it is currently a public address.
Which three of the following commands can be used to accomplish this? (Choose three.)
A. static (outside, inside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
B. nat (inside) 1 209.165.202.150 255.255.255.255
C. static (inside, outside) 209.165.202.150 209.165.202.150 netmask 255.255.255.255
D. no nat-control
E. access-list no-nat permit ip host 209.165.202.150 any
nat (inside) 0 access-list no-nat
F. nat (inside) 0 209.165.202.150 255.255.255.255
Answer: C E F
NO.80 SAML Single Sign-On in ISE is supported by which four portals? (Choose four.)
A. Sponsor Portal
B. BYOD Portal
C. Employee Portal
D. Contractor Portal
E. Guest Portal (sponsored and self-registered)
F. My devices Portal
G. Wireless Client Portal
H. Certificate Provisioning Portal
Answer: A E F H
NO.81 When applying MD5 route authentication on routers running RIP or EIGRP, which two
important key chain considerations should be accounted for? (Choose two.)
A. Key 0 of all key chains must match for all routers in the autonomous system.
B. The lifetimes of the keys in the chain should overlap.
C. Routers should be configured for NTP to synchronize their clocks.
NO.82 Which statement is correct regarding password encryption and integrity on a Cisco IOS
device?
A. With "enable secret" missing in the configuration the console session cannot get privilege access
using console password due to missing encryption
B. The "enable password" is preferred over "enable secret" as it uses a stronger encryption algorithm
C. The "service password-encryption" global command encrypts all the passwords except the CHAP
secret
D. The "username <name> secret <password>" command encrypts the password with SHA-256
hashing
E. The "enable secret" uses MD5 for the password hashing
F. The "service password-encryption" global command performs both encryption and hashing of all
the passwords
Answer: E
NO.83 Which security control in PCI-DSS is responsible for restricting cardholder data access?
A. network access policy orchestration using DNAC
B. using strong encryption when sending card holder data over the network
C. identification of security vulnerabilities and their risk analysis
D. realtime traffic analysis for malware using ThreatGRID
E. rapid threat containment of infected host using Lancope and ISE
F. creating users access policies based on the least privilege concept
G. making sure card holder data is not recoverable after authorization
H. restricting public internet access to cardholder data environment
Answer: F
NO.85 An employee using an Android phone on your network has disabled DHCP, enabled its
firewall, and modified its HTTP User-Agent header to fool ISE into profiling it as a Windows 10 machine
connected to the wireless network. This user is now able to get authorization for unrestricted
network access using his Active Directory credentials, as your policy states that a Windows device
using AD credentials should be able to get full network access. Whereas, an Android device should
only get access to the Web proxy. Which two steps can you take to avoid this sort of rogue behavior?
(Choose two.)
A. Create an authentication rule that should only allow session with a specific HTTP User-Agent
header
B. Modify the authorization policy to only allow windows machines that have passed Machine
Authentication to get full network access
C. Add an authorization policy before the Windows authorization policy that redirects a user with a
static IP to a web portal for authentication
D. Chain an authorization policy to the Windows authorization policy that performs additional NMAP
scans to verify the machine type, before allowing access
E. Only allow certificate-based authentication from Windows endpoints, such as EAP-TLS or PEAP-TLS.
Should the endpoint use MSCHAPv2 (EAP or PEAP), the user should only be given restricted access.
F. Perform CoA to push a restricted access when the machine is acquiring address using DHCP
Answer: B C
Customer has opened a case with Cisco TAC replace client supposed to login to the network. Using
MAB is no longer able Looking at the configuration of the switch what could be the possible
A. Issue with the DHCP pool configuration
B. Switch configuration is properly configured and the issue is on the
NO.88 Drag and drop the protocols on the left onto their descriptions on the right.
Answer:
Explanation
1-2, 2-4, 3-1, 4-3
NO.90 What are two characteristics of RPL, used in IoT environments? (Choose two)
A. It is an Exterior Gateway Protocol
B. It is an Interior Gateway Protocol
C. It is a hybrid protocol
D. It is a link-state protocol
E. It is a distance-vector protocol
Answer: B E
NO.93 In which two ways does the OpenDNS infrastructure ensure reliability? (Choose two)
A. It ensures redundancy by using at least two telecom carriers at each site
B. It limits caching to reduce the incidence of stale and dead links
C. It uses a self-healing network to protect against individual failures
D. Its networks are geographically integrated to reduce the potential impact of local issues.
E. Regional sites load-balance among one another to prevent bottlenecks
F. It uses multicast routing to ensure that requests are routed to the nearest data center
G. It uses a specialized form of multicast addressing called Geocast to ensure the most efficient when a
local site goes down
Answer: A G
NO.94 In your network, you require all guests to authenticate to the network before getting access.
However, you don't want to be stuck creating or approving accounts. It is preferred that this is all
taken care of by the user, as long as their device is registered. Which two mechanisms can be used to
provide this functionality? (Choose two.)
A. Social media login, with device registration
B. Guest's own organization authentication service, with device registration
C. PAP based authentication, with device registration
D. Active Directory, with device registration
E. 802.1x based user registration, with device registration
F. Self-registration of user, with device registration
Answer: A F
NO.95 When you use the Firepower Management Center to deploy an access control policy to a
managed device, which process is restarted?
A. kupdate
B. snort
C. crond
D. reportd
E. mysqld
Answer: B
NO.96 Which two statements about Cisco ASA authentication using LDAP are true? (Choose two.)
A. It is a closed standard that manages directory-information services over distributed networks.
B. It can combine AD attributes and LDAP attributes to configure group policies on the Cisco ASA.
C. It uses attribute maps to map the AD memberOf attribute to the Cisco ASA Group-Policy attribute.
D. It can assign a group policy to a user based on access credentials.
E. It uses AD attribute maps to assign users to group policies configured under the WebVPN context.
F. The Cisco ASA can use more than one AD memberOf attribute to match a user to multiple group
policies.
Answer: C E
NO.97 Which three statements correctly describe the encoding used by NETCONF and RESTCONF?
(Choose three.)
A. NETCONF uses JSON-encoded data
B. RESTCONF uses JSON-encoded data
C. RESTCONF uses YAML-encoded data
D. NETCONF uses YAML-encoded data
E. RESTCONF uses XML-encoded data
F. NETCONF uses XML-encoded data
Answer: B E F
TACACS+ server
Answer: B F
NO.99 Which three statements are correct regarding EAP-Chaining? (Choose three)
A. Allows user and machine authentication with one RADIUS/EAP session
B. EAP-Chaining is enabled on AnyConnect NAM automatically when EAP-FAST user and machine
authentication is enabled
C. EAP-FAST's PAC provisioning phase is responsible to establish SSH tunnel between supplicant and
ISE to perform EAP-Chaining
D. EAP-Chaining is enabled on NAM automatically when EAP-TLS user and machine authentication is
enabled
E. EAP-Chaining can only use EAP-FAST and requires the use of AnyConnect NAM
F. EAP-Chaining is supported on the Windows 802.1x supplicant
G. EAP-FAST does not allow binding multiple authentications, and this limitation is used for manual
authentication in EAP-Chaining
Answer: A B E
NO.100 You are considering using RSPAN to capture traffic between several switches. Which two
configuration aspects do you need to consider? (Choose two.)
A. All switches need to be running the same IOS version.
B. All distribution switches need to support RSPAN.
C. Not all switches need to support RSPAN for it to work.
D. The RSPAN VLAN needs to be blocked on all trunk interfaces leading to the destination RSPAN
switch.
E. The RSPAN VLAN needs to be allowed on all trunk interfaces leading to the destination RSPAN switch.
Answer: B E
NO.101 Which requirement for the FTD high availability setup is true?
A. Units must not synchronize using the same NTP source.
B. Units must have DHCP configured for the interfaces.
C. Units must have the same major, minor, and maintenance software version running on them.
D. Units can have any uncommitted changes on FMC and need not be fully deployed.
E. Units must be in different domains in FMC.
F. Units must be configured in routed mode.
G. Units must be configured in transparent mode.
Answer: C D
NO.103 Exhibit:
Refer to the exhibit. Customer has opened a case with Cisco TAC reporting issue client supposed to
login to the network using MAB is no longer able to access a Looking at the configuration of the
switch, what could be the possible cause of
A. AAA authorization is incorrectly configured
B. Switch configuration is properly configured and the issue is on the radius
C. Incorrect CTS configuration on switch
D. Issue with CoA configuration
NO.105 Which three flow protocols can the StealthWatch System use to monitor potential security
threats?
(Choose two)
A. OpenFlow
B. Ntop
C. IPFIX
D. NetFlow
E. sFlow
F. Jflow
Answer: C D E
NO.106 Exhibit:
NO.107 Which command can you enter on a Cisco ASA to send debug messages to a syslog server?
A. logging debug-trace
B. logging host
C. logging traps
D. logging syslog
Answer: A
NO.108 What are the three configurations in which SSL VPN can be implemented? (Choose three.)
A. WebVPN
B. PVC Tunnel Mode
C. Interactive mode
D. L2TP over IPSec
E. Thin-Client
F. AnyConnect Tunnel Mode
G. Clientless
H. CHAP
Answer: E F G
NO.109 Which statement about deploying policies with the Firepower Management Center is true?
A. Deploy tasks can be scheduled to deploy policies automatically.
B. All policies are deployed on demand when the administrator triggers them.
C. Policies are deployed automatically when the administrator saves them.
D. The leaf domain can deploy changes to all subdomains simultaneously.
E. The global domain can deploy changes to individual subdomains.
Answer: A
NO.112 A university has hired you as a consultant to advise them on the best method to prevent DHCP
starvation attacks in the campus. They have already implemented DHCP snooping and port security to
control the situation, but those do not fully contain the issue. Which two actions do you suggest to fix
the issue? (Choose two.)
A. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces and set the rate to
suitable values that are relevant to each interface respectively.
B. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in the
DHCP request matches the client hardware address (CHADDR) sent to the DHCP server.
C. Use the ip dhcp snooping limit rate command only to ensure that the source MAC address in the DHCP
request matches the client identifier (CLID) field sent to the DHCP server.
D. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces set to the same rate
value.
Answer: B C
NO.113 Which two design options are best to reduce security concerns when adopting IoT into an
organization? (Choose two.)
A. Segment the Field Area Network from the Data Center network.
B. Encrypt sensor data in transit.
C. Ensure that application can gather and analyze data at the edge.
D. Implement video analytics on IP cameras.
E. Encrypt data at rest on all devices in the IoT network.
Answer: A B
NO.114 How many report templates does the Cisco Firepower Management Center support?
A. 5
B. 10
C. 50
D. 80
E. 100
F. Unlimited
Answer: F
NO.115 Which three statements about PKI on Cisco IOS Software are true? (Choose three)
A. The match certificate and allow expired-certificate commands are ignored unless the router clock
is set
B. OCSP enables a PKI to use a CRL without time limitations
C. Different OCSP servers can be configured for different groups of client certificates
D. OCSP is well-suited for enterprise PKIs in which CRLs expire frequently
E. Certificate-based ACLs can be configured to allow expired certificates if the peer is otherwise valid
F. If a certificate-based ACL specifies more than one field, any one successful field-to-value test is
treated as a match
Answer: C D E
NO.116 If multiple contexts share an ingress interface, which would be the criteria used by ASA for
packet classification?
A. Destination IP address
B. ASA ingress interface IP address
C. ASA ingress interface unique MAC address
D. ASA NAT configuration
E. Policy based routing on ASA
F. ASA egress interface IP address
G. Destination MAC address
Answer: C
NO.117 How does Scavenger-class QoS mitigate DoS and worm attacks?
A. It monitors normal traffic flow and drops burst traffic above the normal rate for a single host.
B. It matches traffic from individual hosts against the specific network characteristics of known attack
types.
C. It sets a specific intrusion detection mechanism and applies the appropriate ACL when matching
traffic is detected.
D. It monitors normal traffic flow and aggressively drops sustained abnormally high traffic streams
from multiple hosts.
Answer: D
NO.118 Which IETF standard is the most efficient messaging protocol used in an IoT network?
A. CoAP
B. Man
C. SNMP
D. KTTP
Answer: A
NO.120 What IOS feature can header attacks by using packet-header information to classify traffic?
A. TTL
B. CAR
C. FPM
D. TOS
E. LLQ
Answer: C
NO.121 In which two ways does OpenDNS ensure security? (Choose two)
A. OpenDNS servers run a proprietary version of djbdns, which is a s maximum security
B. OpenDNS servers can analyze the hash of incoming URL strings to
C. It supports certificate authentication for DNS connections
D. OpenDNS servers can integrate with the Cisco Network Registrar DNS traffic
E. It encrypts all DNS connections with SSL
F. The 24-hour network operations center guarantees that critical p. hardware vendors are applied
within 12 hours of release
G. It limits caching to efficiently purge spoofed and malicious address
H. It encrypts all DNS connections with DNSCrypt
Answer: B H
NO.123 Which statement about the Firepower Security Intelligence feature is true?
A. It uses user-configured ACLs to blacklist and whitelist traffic
B. It can override custom whitelists to provide greater security against emerging threats
C. It filters traffic after policy-based inspection is complete and before the default action is taken
D. Blacklisted traffic is blocked without further inspection
E. It filters traffic after policy-based inspection is completed and the default action is taken
Answer: D
There is no ICMP connectivity from VPN PC to Server 1 and Server2. What could be the possible
cause?
A. The destination port configuration missing in the access rule
B. The server network has incorrect mask in the access rule
NO.125 In your corporate environment, you have various Active Directory groups based on the
organizational structure. You want to ensure that users can access only certain resources depending
on which group(s) they belong to; this policy must apply across the network. You have ISE, ASA, and
WSA deployed, and you want to ensure that the appropriate policies are present to ensure that
access is based only on the group membership of the user. Additionally, you do not want the user to
authenticate multiple times to get access. Which two policies are used to set this up? (Choose two.)
A. Deploy ISE, integrate it with Active Directory, and, based on group membership, authorize the user
to specific VLANs. These VLANs (with specific subnets) are then used in access policies on the ASA as
well as the WSA.
B. Configure ISE as an SSO service provider, and integrate with ASA and WSA using pxGrid. ASA and
WSA can extract the relevant identity information from ISE to apply to the access policies after the
user has authenticated to the network.
C. Deploy a single sign-on infrastructure such as Ping and integrate ISE, ASA, and WSA with it. Access
policies are applied based on the user group membership retrieved from the authentication
infrastructure.
D. Configure ISE to relay learned SGTs for the authenticated sessions with the bound destination
address using SXP to SXP speakers that will be used to apply access policies at the traffic ingress point
for segmentation.
E. Integrate ISE, ASA, and WSA with Active Directory. After the user is authenticated to the network
through ISE, the ASA and WSA automatically extract the identity information from AD to apply the
appropriate access policies.
F. Deploy Cisco TrustSec infrastructure, with ASA and WSA integrated with ISE to transparently
identify users based on SGT assignment when the user authenticates to the network. The SGTs can
then be used in access policies.
Answer: C F
NO.126
NO.127 Which three of these make use of a certificate as part of the protocol? (Choose three)
A. LEAP
B. EAP-MDS
C. EAP-TTLS
D. EAP-PEAP
E. EAP-FAST
F. EAP-TLS
Answer: C E F
NO.128
Refer to the exhibit. Which statement about the effect of this configuration is true?
A. It disables the use of guest VLANs on the switch
B. It blocks all EAPOL frames from passing through the switch
C. It enables 802.1x globally on the switch
D. It puts all ports on the switch into the authorized state
Answer: C
NO.129 Which two statements about EVPN are true? (Choose two.)
A. EVPN route exchange enables PEs to discover one another and elect a DF.
B. EVPN routes can advertise backbone MAC reachability.
C. EVLs allow you to map traffic on one or more VLANs or ports to a Bridge Domain.
D. EVPN routes can advertise VLAN membership and verify the reachability of Ethernet segments.
E. It is a next-generation Ethernet L2VPN solution that supports load balancing at the individual flow
level and provides advanced access redundancy.
F. It is a next-generation Ethernet L3VPN solution that simplifies control-plane operations and
enhances scalability.
Answer: A B
NO.132 Which statement about SMTP authentication in a Cisco ESA deployment is true?
A. It enables users at remote sites to retrieve their email messages via a secure client.
B. When SMTP authentication with forwarding is performed by a second SMTP server, the second
server also performs the transfer of queued messages.
C. It enables users at remote sites to release email messages from spam quarantine.
D. If an authenticated user belongs to more than one LDAP group, each with different user roles,
AsyncOS grants permissions in accordance with the least restrictive user role.
E. Clients can be authenticated with an LDAP bind or by fetching a passphrase attribute
Answer: E
NO.133 For your enterprise ISE deployment, you want to use certificate-based authentication for all
your Windows machines. You have already pushed the machine and user certificates out to all the
machines using GPO. By default, certificate-based authentication does not check the certificate
against Active Directory, nor does it require credentials from the user. This essentially means that no groups
are returned as part of the authentication request. In which way can the user be authorized based on
Active Directory group membership?
A. Configure the Windows supplicant to use saved credentials as well as certificate-based
authentication
B. Enable Change of Authorization on the deployment to perform double authentication
C. Use ISE as the Certificate Authority, which will then allow for automatic group retrieval from Active
Directory to perform the required authorization
D. The certificate must be configured with the appropriate attributes that contain appropriate group
FMC with address 161.1.7.15 is not seeing AMP connector scan events reported to AMP cloud from
the "test-pc" Windows machine that belongs to the "Protect" group. What could be the issue?
A. Windows machine not reporting scan events to AMP cloud
B. Windows machine not reporting events to FMC
C. Incorrect group is selected for the events export in AMP cloud for FMC
D. AMP cloud not added in FMC
E. FMC not added in AMP cloud
F. Windows machine belongs to incorrect group in AMP cloud policy.
G. Event should be viewed as "Connection" event in FMC
Answer: F
NO.137 Which statement is true regarding SSL policy implementation in a Firepower system?
A. Access control policy is optional for the SSL policy implementation
B. If the Firepower system cannot decrypt the traffic, it allows the connection
C. Intrusion policy is mandatory to configure the SSL inspection
D. Access control policy is responsible to handle all the encrypted traffic if SSL policy is tied to it
E. Access control policy is invoked first before the SSL policy tied to it
F. If the SSL policy is not supported by the system, then the access control policy handles all the encrypted
traffic
Answer: E
NO.138 Which two options are benefits of the Cisco ASA Identity Firewall? (Choose two.)
A. It can identify threats quickly based on their URLs.
B. It can operate completely independently of their services.
C. It can apply security policies on an individual user or user-group basis.
D. It decouples security policies from the network topology.
E. It supports an AD server module to verify identity data.
Answer: C D
NO.139 Which statement is true about Remote Triggered Black Hole Filtering feature (RTBH)?
A. It drops malicious traffic at the customer edge router by forwarding it to a Null0 interface
B. In RTBH filtering the trigger device redistributes static route to the iBGP peers
C. The Null0 interface used for filtering is able to receive the traffic, but never forwards it
D. It works in conjunction with QoS to drop the traffic that has less priority
E. It helps mitigate DDoS attack based only on source address
F. In RTBH filtering the trigger device is always an ISP edge router
Answer: B
NO.140 A university has hired you as a consultant to advise them on the best method to prevent
DHCP starvation attacks in the campus. They have already implemented DHCP snooping and port
security to control the situation, but those do not fully contain the issue. Which two actions do you
suggest to fix this issue? (Choose two.)
A. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces and set the rate
to suitable values that are relevant to each interface respectively.
B. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in
the DHCP request matches the client hardware address (CHADDR) sent to the DHCP server.
C. Use the ip dhcp snooping verify mac-address command to ensure that the source MAC address in
the DHCP request matches the client identifier (CLID) field sent to the DHCP server.
D. Use the ip dhcp snooping limit rate command only to ensure that the source MAC address in the
DHCP request matches the client identifier (CLID) field sent to the DHCP server.
E. Use the ip dhcp snooping limit rate command on trusted and untrusted interfaces set to the same
rate value.
F. Use the ip dhcp snooping limit rate command only on untrusted interfaces and set the rate to
suitable values that are relevant to the interface.
Answer: B F
NO.142 Which two characteristics correctly identify attributes of LPWA technologies? (Choose two)
A. Supports high-throughput bandwidth requirements
B. Provides better Quality of Service features than NB-IoT
NO.143 Which option is a benefit of VRF Selection Using Policy-Based Routing for routing packets
to different VPNs?
A. It supports more than one VPN per interface
B. It allows bidirectional traffic flow between the service provider and the CEs
C. It automatically enables fast switching on all directly connected interfaces
D. It can use global routing tables to forward packets if the destination address matches the VRF
configured on the interface
E. Every PE router in the service provider MPLS cloud can reach every customer network
F. It increases the router performance when longer subnet masks are in use
Answer: D
NO.145 Which action must happen before you enroll a device to a mobile device management
service for a different vendor?
A. Wipe the entire device and start from scratch
B. Allow both vendor profiles to remain on the device.
C. Remove the profiles from the previous vendor from the device
D. Alert the administrator so that they can remove this device from the network
Answer: C
NO.147 A customer is developing a strategy to deal with WannaCry variants that detect sandboxing
attempts and mask their presence when analyzed. Which four mechanisms can be used in this strategy?
A. Employ a DNS forwarder that responds to unknown domain names with a reachable IP (honeypot)
that can mimic sandboxing containment responses and alert when a possible threat is detected.
B. Apply route maps at the access layer that prevent all RPC and SMB communication throughout the
network.
C. Ensure that the standard desktop image used in the organization is an actively supported
operating system and that security patches are applied.
D. Run antimalware software on user endpoints and servers as well as ensure regular signature
updates.
E. Ensure that vulnerable services used for propagation of malware such as SMB are blocked on
public facing segments.
F. Employ URL/DNS inspection mechanisms that blackhole the request. This action prevents malware
from communicating with unknown domains and thus prevents the WannaCry malware from
becoming active.
G. Apply ACLs at the access layer that prevent all RPC and SMB communication throughout the
network.
Answer: D E F G
NO.148 Which effect of the ip nhrp map multicast dynamic command is true?
A. It configures a hub router to reflect the routes it learns from a spoke back to other spokes through
the same interface.
B. It configures a hub router to automatically add spoke routers to the multicast replication list of the
hub.
C. It enables a GRE tunnel to operate without the IPsec peer or crypto ACLs.
D. It enables a GRE tunnel to dynamically update the routing tables on the devices at each end of the
tunnel.
Answer: B
!
crypto map r15r16 1516 ipsec-isakmp
 set peer 10.1.7.16
 set transform-set ts1516
 match address 110
!
interface Loopback0
 ip address 172.16.100.15 255.255.255.255
!
interface Loopback1
 ip address 192.168.15.15 255.255.255.0
!
interface GigabitEthernet1
 ip address 20.1.6.15 255.255.255.0
 negotiation auto
 crypto map r15r16
!
router bgp 6
 bgp log-neighbor-changes
 network 172.16.100.15 mask 255.255.255.255
 neighbor 20.1.6.18 remote-as 678
 neighbor 20.1.6.18 password cisco
!
ip route 192.168.16.0 255.255.255.0 20.1.7.16
access-list 110 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
!
ntp authentication-key 11 md5 ccie
ntp authenticate
ntp trusted-key 12
ntp server 150.1.7.131 key 12
!
ip domain name cisco.com
R15 is trying to initiate a certificate-based Site-to-Site IPsec VPN tunnel with the peer at
20.1.7.16. The CA is running at port 80 on address 172.16.100.18. R15 has a BGP peer at 20.1.6.18
with an authenticated session to establish reachability with the VPN remote site. The VPN tunnel
will secure traffic between the 192.168.15.0/24 and 192.168.16.0/24 networks. It has been reported that
the VPN tunnel is not coming up with the remote site. What could be the issue?
A. Incorrect ACL defined for the traffic encryption
B. Incorrect static route
C. Incorrect crypto map configuration
D. The crypto map is not applied on the correct interface
E. Incorrect trustpoint configuration
F. Incorrect BGP peer configuration
Answer: E
NO.151 Which two functions of Cisco Content Security Management Appliance are true? (Choose
two)
A. SMA is used for on-box management of WSAs
B. SMA is used to configure NSAMP on the router
C. SMA is a centralized system used to collectively manage and report on the WSAs that are deployed in a
network
D. SMA is used for sandboxing functionality to perform malware analysis
E. SMA is a unified management platform that manages web security, performs troubleshooting and
maintains space for data storage.
Answer: C E
F. The port attempts 802.1x authentication first, and then falls back to MAC authentication bypass.
Answer: C F
NO.154 Which type of attack uses a large number of spoofed MAC addresses to emulate wireless
clients?
A. DoS against an access point
B. DoS against a client station
C. chopchop attack
D. Airsnarf attack
E. device-probing attack
F. authentication-failure attack
Answer: A
NO.155 Which three options are fields in a CoA Request Response code packet? (Choose three.)
A. Length
B. Acct-session-ID
C. Calling-station-ID
D. Identifier
E. Authenticator
F. State
Answer: B C F
NO.156 Which two options are open-source SDN controllers? (choose two)
A. Opendaylight
B. Big Cloud Fabric
C. Application Policy Infrastructure Controller
D. OpenContrail
E. Virtual Application Networks SDN Controller
Answer: A D
NO.159 Which two statements about Botnet Traffic Filter snooping are true? (Choose two.)
A. It can log and block suspicious connections from previously unknown bad domains and IP
addresses.
B. It requires the Cisco ASA DNS server to perform DNS lookups.
C. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database.
D. It checks inbound traffic only.
E. It can inspect both IPv4 and IPv6 traffic.
F. It checks inbound and outbound traffic.
Answer: C F
NO.160 In ISO 27002, the access control code of practice for Information Security Management serves
which of the following objectives?
A. Implement proper control of user, network and application access.
B. Prevent the physical damage of the resources.
C. Optimize the audit process.
D. Educating employees on security requirements and issues.
Answer: A
NO.161 Which two statements about Cisco AMP for Web Security are true? (Choose two)
A. It can detect and block malware and other anomalous traffic before it passes through the Web
gateway.
B. It can identify anomalous traffic passing through the Web gateway by comparing it to an
established baseline of expected activity
C. It can perform file analysis by sandboxing known malware and comparing unknown files to a local
repository of threats
D. It continues monitoring files after they pass the Web gateway
E. It can prevent malicious data exfiltration by blocking critical files from exiting through the Web
gateway
F. It can perform reputation-based evaluation and blocking by uploading of incoming files to a cloud-
based threat intelligence network
Answer: D F
NO.162 Which two statements about MPP (Management Plane Protection) are true? (Choose two.)
A. It is supported on both distributed and hardware-switched platforms.
B. Only out-of-band management interfaces are supported.
C. Only virtual interfaces associated with physical interfaces are supported.
D. It is supported on both active and standby management interfaces.
E. Only in-band management interfaces are supported.
F. Only virtual interfaces associated with sub-interfaces are supported.
Answer: C E
NO.163 Which three statements about EAP-Chaining are true? (Choose three.)
A. It allows user and machine authentication with one RADIUS/EAP session.
B. It is supported on the Windows 802.1x supplicant.
C. It is enabled on NAM automatically when EAP-TLS user and machine authentication is enabled.
D. It is enabled on Cisco AnyConnect NAM automatically when EAP-FAST user and machine
authentication is enabled.
E. It can use only EAP-FAST, and it requires the use of Cisco AnyConnect NAM.
F. EAP-FAST does not allow multiple authentication binding, and this limitation is used for mutual
authentication in EAP-Chaining.
G. The EAP-FAST PAC provisioning phase is responsible for establishing an SSH tunnel between the
supplicant and ISE to perform EAP-Chaining.
Answer: A D E
NO.164 Which policy action allows traffic to pass without any further inspection by the intrusion policy
when implementing a Cisco Firepower access control policy?
A. Pass
B. Interactive block
C. Allow
D. Monitor
E. Block
F. Trust
Answer: F
output?
A. the Finger service
B. a BOOTP server
C. a TCP small server
D. the PAD service
Answer: C
161.1.7.14. Which of the following is true regarding the Wireshark packet capture?
A. SXP keepalive message using TCP originated from ISE
B. ISE keepalive message for NDAC connection using TCP originated from ASA
C. TACACS connection keepalive using UDP originated from ASA
D. RADIUS connection keepalive using TCP originated from ISE
E. NTP keepalive message using UDP originated from ISE
F. SXP keepalive message for SXP connection using UDP originated from ASA
Answer: A
NO.170 R2 is configured as a WCCP router to redirect HTTP traffic for policy implementation sourced
from the 172.61.1.0/24 network to the WSA at 171.1.7.21, with the passphrase "ccie" used for
authentication. The redirection is for traffic on the R2 Gi2 interface in the inbound direction. An issue
is reported that web sites are not accessible anymore. Which cause is true?
A. There is an issue with the routing of traffic between R2 and the WSA.
B. There is an issue with the WCCP passphrase configured on R2.
C. There is an issue with the WCCP redirection applied to the Gi2 interface.
D. There is an issue with the source network defined for WCCP redirection.
E. There is an issue with the WSA server list bound for the redirection.
F. There is an issue with the destination servers defined for WCCP redirection.
Answer: D
NO.171 Which two descriptions of the HomeNet and ExternalNet variable sets that are used within
Cisco Firepower access control and IPS policies are true? (Choose two)
A. They are used to exclude or include protected network subnets from security intelligence and
blacklist filtering
B. They are used to decrease the number of false positives by defining the protected network
C. They are used to fine-tune the performance of the appliance by optimizing how signatures are
matched to packets based on the source and destination addresses in a packet
D. They are used for reporting reasons to give context on the direction of a connection or malicious
attack as it appears in the event viewer reports
E. They are a legacy feature that has no effect since Firepower 6.x.
Answer: A D
B. It can fetch user information from Active Directory on behalf of a WSA or Cisco ISE
C. It enables communication from the partner platform to the pxGrid controller
D. It supports an agentless solution for Cisco ISE
E. It leverages Cisco ISE control functions to manage connections and share information between
partners
F. It fetches user information from Active Directory and transmits it to the pxGrid controller
Answer: A
NO.174 Which authentication does WCCPv2 use to protect messages against interception,
inspection, and replay attacks?
A. Clear text
B. Two factor
C. EAP
D. MD5
E. Kerberos
Answer: D
Which two statements about the given IPv6 ZBF configuration are true? (Choose two.)
A. It inspects TCP, UDP, ICMP, and FTP traffic from z1 to z2.
B. It provides backward compatibility with legacy IPv4 inspection.
C. It inspects TCP, UDP, ICMP, and FTP traffic from z2 to z1.
D. It passes TCP, UDP, ICMP, and FTP traffic in both directions between z1 and z2.
E. It provides backward compatibility with legacy IPv6 inspection.
F. It passes TCP, UDP, ICMP, and FTP traffic from z1 to z2.
Answer: A E
NO.176 Which two options are unicast address types for IPv6 addressing? (Choose two.)
A. static
B. link-local
C. established
D. dynamic
E. global
Answer: B E
NO.177 Which Cisco ASA firewall mode supports ASDM one-time-password authentication using
RSA SecurID?
A. network translation mode
B. transparent mode
C. single-context routed mode
D. multiple-context mode
Answer: C
Which two statements about the given IPv6 ZBF configuration are true? (Choose two)
A. It provides backward compatibility with legacy IPv6 inspection
B. It inspects TCP, UDP, ICMP and FTP traffic from Z1 to Z2.
C. It inspects TCP, UDP, ICMP and FTP traffic from Z2 to Z1.
D. It inspects TCP, UDP, ICMP and FTP traffic in both directions between Z1 and Z2.
E. It passes TCP, UDP, ICMP and FTP traffic from Z1 to Z2.
F. It provides backward compatibility with legacy IPv4 inspection.
Answer: A B
NO.180 A sneaky employee using an Android phone on your network has disabled DHCP, enabled
its firewall, and modified its HTTP User-Agent header to fool ISE into profiling it as a Windows 10
machine connected to the wireless network. This user can now get authorization for unrestricted
network access using his Active Directory credentials, because your policy states that a Windows
device using AD credentials should be able to get full network access. However, an Android device
should only get access to the Web Proxy. Which two steps can you take to avoid this sort of rogue
behavior? (Choose two.)
A. Add an authorization policy before the Windows authorization policy that redirects a user with a
static IP to a web portal for authentication
B. Perform CoA to push a restricted access when the machine is acquiring address using DHCP.
C. Chain an authorization policy to the Windows authorization policy that performs additional NMAP
scans to verify the machine type before access is allowed
D. Create an authentication rule that allows only a session with a specific HTTP User-Agent header
E. Allow only certificate based authentication from Windows endpoints such as EAP-TLS or PEAP-TLS.
If the endpoint uses MSCHAPv2 (EAP or PEAP), the user
NO.182 What are two types of attacks against wireless networks that can be prevented by a WLC?
(Choose two)
A. DHCP rogue server attacks
B. Layer 3 flooding attacks
C. Inverse ARP attacks on specific ports
D. IP spoofing attacks
E. ARP sniffing attacks on specific ports
Answer: A D
NO.183 Which Cisco Firepower interface mode allows you to send inline traffic directly through the
device and only inspect a copy of the traffic?
A. TAP mode
B. Automatic application bypass mode
C. Delay threshold mode
D. Fast-path mode
Answer: A
NO.185 All your employees are required to authenticate their devices to the network, be it company
owned or employee owned assets, with ISE as the authentication server. The primary identity store
used is Microsoft Active Directory, with username and password authentication. To ensure the
security of your enterprise, your security policy dictates that only company owned assets should be
able to get access to the enterprise network, while personal assets should have restricted access.
Which option would allow you to enforce this policy using only ISE and Active Directory?
A. Configure an authentication policy that uses the computer credentials in Active Directory to
determine whether the device is company owned or personal.
B. This would require deployment of a Mobile Device Management (MDM) solution, which can be
used to register all devices against the MDM server, and use that to assign appropriate access levels.
C. Configure an authentication policy that checks against the MAC address database of company
assets in ISE endpoint identity store to determine the level of access depending on the device.
D. Configure an authorization policy that checks against the MAC address database of company
assets in ISE endpoint identity store to determine the level of access depending on the device.
E. Configure an authorization policy that assigns the device the appropriate profile based on whether
the device passes Machine Authentication or not.
Answer: D
NO.190 ISE can be integrated with an MDM to ensure that only registered devices are allowed on
the network and use the MDM to push policies to the device. Devices can go in and out of
compliance, either due to policy changes on the MDM server, or another reason. For a device that
has already authenticated on the network and stays connected, but falls out of compliance, what can
be done to ensure that a non-compliant device is checked periodically and re-assessed before allowing
access to the network?
A. Enable Change of Authorization (CoA) on MDM
B. FireAMP connector scan can be used to relay posture information to ISE via the AMP cloud
C. The MDM agent will automatically disconnect the device from the network when it is non-
compliant
D. Enable Change of Authorization (CoA) on ISE
E. Enable Period Compliance Checking (PCC) on ISE
F. The MDM agent periodically sends a packet with compliance info that the wireless controller can
use to limit network access.
Answer: D
NO.192 Which two statements about a wireless access point configured with the guest-mode
command are true?
(Choose two.)
NO.193 What are the major components of a Firepower health monitor alert?
A. The severity level, one or more alert responses, and a remediation policy.
B. A health monitor, one or more alert responses, and a remediation policy.
C. One or more health modules, the severity level, and an alert response.
D. One or more health modules, one or more alert responses, and one or more alert actions.
E. One health module and one or more alert responses.
Answer: C
NO.194 In which three configurations can SSL VPN be implemented? (Choose three)
A. CHAP
B. WebVPN
C. thin-client
D. L2TP over IPsec
E. PVC tunnel mode
F. interactive mode
G. Cisco AnyConnect tunnel mode
H. clientless
Answer: C G H
NO.195 Which of the following is used by WSA to extract session information from ISE and use that
in access policies?
A. RPC
B. pxGrid
C. SXP
D. Proprietary protocol over TCP/8302
E. EAP
F. RADIUS
Answer: B
E. It is only supported in DHCP environments to detect invalid ARP requests and responses
F. It requires DHCP snooping to be enabled to build an untrusted database for dropping invalid ARP
requests and responses
Answer: A
NO.198 What are the two different modes in which Private AMP cloud can be deployed? (Choose
two.)
A. Hybrid Mode
B. Internal Mode
C. Air Gap Mode
D. External Mode
E. Cloud-Proxy Mode
F. Public Mode
Answer: C E
NO.199 Which two statements about ICMP redirect messages are true? (Choose two.)
A. Redirects are only punted to the CPU if the packets are also source-routed.
B. The messages contain an ICMP Type 3 and ICMP code 7.
C. By default, configuring HSRP on the interface disables ICMP redirect functionality.
D. They are generated when a packet enters and exits the same route interface.
E. They are generated by the host to inform the router of an alternate route to the destination.
Answer: C D
NO.200 What are three features that are enabled by generating Change of Authorization (CoA)
requests in a push model? (Choose three.)
A. session reauthentication
B. session identification
C. host reauthentication
D. MAC identification
E. session termination
F. host termination
Answer: B C E
NO.202 A client computer at 10.10.7.4 is trying to access a Linux server (11.0.1.9) that is running a
Tomcat Server application.
Which tcpdump filter would be best to verify that traffic is reaching the Linux server eth0 interface?
A. tcpdump -i eth0 host 10.10.7.4 and host 11.0.1.9 and port 8080
B. tcpdump -i eth0 host 10.10.7.4 and 11.0.1.9
C. tcpdump -i eth0 dst 11.0.1.9 and dst port 8080
D. tcpdump -i eth0 src 10.10.7.4 and dst 11.0.1.9 and dst port 8080
Answer: D
NO.203 Within Platform as a Service, which two components are managed by the customer?
(Choose two.)
A. Data
B. networking
C. middleware
D. applications
E. operating system
Answer: A D
A. The receiving server gets the signing public key from ISE
B. The ESA does not allow the creation of a signing key pair
C. The signing public key is required by the sending server
D. The signing private key is required by the receiving server
E. The receiving server gets the public key from DNS.
F. The domain profile is used to associate the receiving domain with the signing key
Answer: D
NO.205 Drag the network scan type on the left to its definition on the right.
Answer:
Explanation
1-6, 2-1, 3-5, 4-2, 5-3, 6-4
NO.206 Which two statements about the Cisco FireAMP solution are true? (Choose two.)
A. It can perform dynamic analysis in the Fire AMP Private Cloud.
B. The FireAMP Connector can detect malware in network traffic and when files are downloaded.
C. The FireAMP Private Cloud provides an on-premises option for file disposition lookups and
retrospect generation.
D. The FireAMP Connector is compatible with antivirus software on the endpoint, but you must
configure exclusions to prevent the Connector from scanning the antivirus directory.
E. The FireAMP Connector can provide information about potentially malicious network connections.
F. The FireAMP Private Cloud can act as an anonymized proxy to transport endpoint event data to the
public cloud for disposition lookups.
G. When a FireAMP Connector detects malware in network traffic, it generates a malware event and
an event.
Answer: A C
What feature must be implemented on the network to produce the given output?
A. CAR
B. PQ
C. WFQ
D. NBAR
E. CQ
Answer: D
NO.208 Which two statements about RADIUS VSAs are true? (Choose two)
A. They allow the RADIUS server to exchange vendor-specific information with the network access
server
B. They allow products from other vendors to interoperate with Cisco routers that support
RADIUS
C. The Cisco VSA implementation supports multiple VSAs, including cisco-avpair
D. They can be used for both authentication and authorization on Cisco routers
E. Cisco's unique vendor-ID is 26
F. The Cisco VSA implementation allows TACACS+ authorization features to be used with a RADIUS server
Answer: A F
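NO.200 and NO.208 describe the two halves of a Cisco-style CoA push: the RADIUS attributes that identify the session (Acct-Session-Id, Calling-Station-Id) and the Vendor-Specific attribute (type 26, carrying Cisco's vendor ID 9) whose cisco-avpair tells the NAS what to do with it. The Python below is an added example for this page, not Cisco or ISE code. The shared secret, session ID, MAC address and packet identifier are constructed samples, and the Message-Authenticator ordering (HMAC-MD5 computed over a zeroed Request Authenticator, then the MD5 Request Authenticator over the finished attribute list) is the common implementation practice, stated as an assumption in the comments.

```python
"""RADIUS CoA-Request (RFC 5176) carrying a Cisco Vendor-Specific Attribute.

Added example for this page; not code from Cisco or from the exam. All
secrets, addresses and session values below are constructed samples.
"""
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # RFC 5176 packet code: CoA-Request
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 attribute type that carries VSAs
ATTR_CALLING_STATION_ID = 31     # endpoint MAC, used for session identification
ATTR_ACCT_SESSION_ID = 44        # the NAS session being changed
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579 HMAC-MD5 integrity attribute
CISCO_VENDOR_ID = 9              # IANA enterprise number for Cisco (26 is the VSA type, not the vendor)
CISCO_AVPAIR = 1                 # Cisco vendor sub-type for cisco-avpair


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type / Length / Value (length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-avpair string in a Vendor-Specific attribute (RFC 2865 s.5.26 layout)."""
    payload = text.encode("ascii")
    sub_attr = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub_attr)


def build_coa_request(identifier: int, secret: bytes, attrs: list) -> bytes:
    """Assemble a CoA-Request with Message-Authenticator and Request Authenticator.

    Assumed ordering (as widely implemented): the HMAC-MD5 Message-Authenticator
    is computed over the packet with a zeroed Request Authenticator and a zeroed
    Message-Authenticator value; then the Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), the
    accounting-style rule that RFC 5176 reuses for CoA and Disconnect requests.
    """
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + mac
    request_authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_authenticator + body


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Check code, declared length and Request Authenticator as a NAS would before acting."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def parse_attrs(packet: bytes) -> list:
    """Walk the attribute list; expand Cisco VSAs into ('cisco-avpair', text) tuples."""
    result, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if (atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            sub_len = value[5]
            result.append(("cisco-avpair", value[6:4 + sub_len].decode("ascii")))
        else:
            result.append((atype, value))
        pos += alen
    return result


# Constructed sample: reauthenticate one session, identified by session ID and MAC.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [
    attr(ATTR_ACCT_SESSION_ID, b"0A0B0C0D00000042"),
    attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
    cisco_avpair("subscriber:command=reauthenticate"),
]
SAMPLE_PACKET = build_coa_request(0x2A, SAMPLE_SECRET, SAMPLE_ATTRS)

if __name__ == "__main__":
    print("valid:", verify_coa_request(SAMPLE_PACKET, SAMPLE_SECRET))
    print("attributes:", parse_attrs(SAMPLE_PACKET))
```

Running the file prints the verification result and the decoded attribute list. The practical point: a CoA-Request carries no user credential, so everything rests on the shared secret and the Request Authenticator; a NAS that acts on the cisco-avpair without the check in verify_coa_request() will honour a forged reauthenticate or disconnect from anyone who can reach its CoA port (UDP 3799 per RFC 5176; Cisco IOS devices commonly listen on 1700).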
NO.209 Which of the following Cisco products gives ability to interact with malware for its behavior
analysis?
A. NGIPS
B. FMC
C. ASA
D. DNA
E. Threat Grid
F. pxGrid
Answer: E
NO.210 Which statement is true about the traffic substitution and insertion attack?
A. It is a form of pivoting in the network
B. It only works with FTP sessions
C. It is a form of DoS attack
D. It is an evasion technique
E. It is a form of timing attack
F. It is used for reconnaissance
Answer: D
NO.211 Which two events can cause a failover event on an active/standby setup? (Choose two.)
A. The stateful failover link fails
B. The failover link fails
C. The active unit experiences interface failure above the threshold
D. The active unit fails
E. The unit that was previously active recovers
Answer: C D
The AMP cloud is configured to report AMP Connector scan events from Windows machines that
belong to the Audit group to the FMC. However, the scanned events are not showing up in the FMC.
Which possible cause is true?
A. There is a possible issue with certificate download from the AMP cloud for FMC integration.
B. The AMP cloud is pointing to an incorrect FMC address.
C. The event must be viewed as a malware event in the FMC.
NO.213 Which two options are benefits of network summarization? (Choose two.)
A. It prevents unnecessary routing updates at the summarization boundary if one of the routes in the
summary is unstable.
B. It can increase the convergence of the network.
C. It can summarize discontiguous IP addresses.
D. It can easily be added to existing networks.
E. It reduces the number of routes.
Answer: A E
NO.214 Your environment has a large number of network devices that are configured to use AAA for
authentication.
Additionally, your security policy requires use of Two-Factor Authentication or Multi-Factor
Authentication for all device administrators, which you have integrated with ACS. To simplify device
management, your organization has purchased Prime Infrastructure. What is the best way to get
Prime Infrastructure to authenticate to your network devices?
A. Create a user on ISE with a complex password for Prime Infrastructure, along with an
authorization policy that uses the ISE local identity store for that user.
B. Create a user on ISE with a complex password for Prime Infrastructure, along with an
authentication policy that uses the ISE local identity store for that user.
C. Configure a local user on each network device, and configure Prime Infrastructure to use that local
username and password
D. Enable the AAA API on the network devices, generate an API token, and configure Prime
Infrastructure to use that token when authenticating to the network device
E. Enable Multi-Factor authentication on Prime Infrastructure
Answer: B
NO.215 All your employees must authenticate their devices to the network, be they company-owned
or employee-owned assets, with ISE as the authentication server. The primary identity store
used is Microsoft Active Directory, with username and password authentication. To ensure the
security of your enterprise, your security policy dictates that only company owned assets get access
to the enterprise network, while personal assets have restricted access. Which configuration allows
you to enforce this policy using only ISE and Active Directory?
A. Configure an authentication policy that checks against the MAC address database of company
assets in the ISE endpoint identity store to determine the level of access depending on the device.
B. Deployment of a Mobile Device Management solution is required, which can be used to register all
devices against the MDM server, and use that to assign appropriate access levels.
C. Configure an authorization policy that assigns the device the appropriate profile based on whether
the device passes Machine Authentication or not.
D. Configure an authorization policy that checks against the MAC address database of company
assets in the ISE endpoint identity store to determine the level of access depending on the device.
E. Configure an authentication policy that uses the computer credentials in Active Directory to
determine whether the device is company-owned or personal.
Answer: D
NO.216 Which three messages are part of the SSL protocol? (Choose three.)
A. Message Authentication
B. CipherSpec
C. Record
D. Alert
E. Change CipherSpec
F. Handshake
Answer: D E F
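The distinction NO.216 turns on (Alert, ChangeCipherSpec and Handshake are messages; Record is the layer that frames them) is easiest to see in bytes: every record starts with a one-byte content type (20 ChangeCipherSpec, 21 Alert, 22 Handshake, 23 ApplicationData), a two-byte version and a two-byte length, and the protocol messages live inside the record payload. The Python below is an added example for this page, not from any Cisco product or from the exam. The byte strings are constructed TLS 1.2 records (a ClientHello handshake header with a stub body, a ChangeCipherSpec, a fatal handshake_failure alert and three bytes of application data), and the code stops at record and message framing; cipher suites and decryption are out of scope.

```python
"""TLS record layer versus the messages it carries (RFC 5246 framing).

Added example for this page; the sample records below are constructed.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version"}
MAX_RECORD_PAYLOAD = 2 ** 14 + 2048   # TLSCiphertext.length upper bound (RFC 5246 s.6.2.3)


def parse_records(data: bytes) -> list:
    """Split a byte stream into (content_type, version, payload) records, bounds-checked."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if length > MAX_RECORD_PAYLOAD:
            raise ValueError("record length exceeds TLS maximum")
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((CONTENT_TYPES.get(ctype, f"unknown({ctype})"), version, payload))
        pos += 5 + length
    return records


def describe(record: tuple) -> tuple:
    """Decode the protocol message(s) carried inside one record."""
    name, _, payload = record
    if name == "handshake":
        # A handshake record may carry several messages, each with a 1-byte type and 3-byte length.
        messages, pos = [], 0
        while pos < len(payload):
            if len(payload) - pos < 4:
                raise ValueError("truncated handshake header")
            htype = payload[pos]
            hlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
            if pos + 4 + hlen > len(payload):
                raise ValueError("handshake message runs past record end")
            messages.append(HANDSHAKE_TYPES.get(htype, f"unknown({htype})"))
            pos += 4 + hlen
        return ("handshake", messages)
    if name == "alert":
        if len(payload) != 2:
            raise ValueError("alert must be exactly two bytes")
        return ("alert", ALERT_LEVELS.get(payload[0]), ALERT_DESCRIPTIONS.get(payload[1]))
    if name == "change_cipher_spec":
        return ("change_cipher_spec", payload == b"\x01")   # the only legal body is a single 0x01
    return (name, len(payload))


# Constructed sample stream of four TLS 1.2 (0x0303) records.
SAMPLE_STREAM = (
    b"\x16\x03\x03\x00\x08" + b"\x01\x00\x00\x04" + b"\x03\x03\x00\x00"  # handshake: ClientHello, stub body
    + b"\x14\x03\x03\x00\x01\x01"                                        # change_cipher_spec
    + b"\x15\x03\x03\x00\x02\x02\x28"                                    # alert: fatal handshake_failure
    + b"\x17\x03\x03\x00\x03abc"                                         # application_data
)

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_STREAM):
        print(describe(rec))
```

The length checks matter as much as the decoding: a parser that trusts the record or handshake length field without comparing it to the bytes actually present is the classic source of over-reads in TLS implementations, so the block refuses truncated input rather than decoding what it can.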
NO.217 Nexus 9000 Platform supports which of the following configuration management tools?
A. Ansible
B. Chef
C. Jenkins
D. Puppet
E. Salt
Answer: D
NO.220 Which two commands would enable secure logging on a Cisco ASA to a syslog server at
10.0.0.1? (Choose two.)
A. logging host inside 10.0.0.1 UDP/500 secure
B. logging host inside 10.0.0.1 TCP/1470 secure
C. logging host inside 10.0.0.1 UDP/447 secure
D. logging host inside 10.0.0.1 UDP/514 secure
E. logging host inside 10.0.0.1 TCP/1500 secure
Answer: B E
Which two configurations must you perform to enable the device to use this class map?
(Choose two)
A. Configure PDLM
B. Configure the ip nbar custom command
C. Configure the ip nbar protocol discovery command
D. Configure the transport hierarchy
E. Configure the DSCP value
Answer: B C
NO.223 Which two functionalities does the Threat Grid technology allow? (Choose two.)
A. Deploy decoys for the malware to target
B. Know what changes the malware is making
C. Locate where the malware originated from
D. To encrypt packets without an agent
E. To decrypt packets without an agent
NO.224 Which of the following is a correct operational statement of DKIM signing in ESA?
A. The signing public key is required by the receiving server
B. The ESA does not allow the creation of a signing key pair
C. The receiving server gets the signing public key from DNS
D. The domain profile in ESA is configured with signing public key
E. The outgoing profile in ESA is configured with signing private key
F. The signing private key is required by the sending server
Answer: C
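The DKIM flow behind NO.224 and the unnumbered DKIM option list that precedes NO.205 (the sender signs with its private key; the receiver fetches the public key from DNS at <selector>._domainkey.<domain>) begins on the receiving side with locating the key record and recomputing the bh= body hash under the canonicalization the signature declares. The Python below is an added example for this page, not Cisco ESA code: the TXT record, DKIM-Signature header and message body are constructed samples, the p= value is a placeholder rather than a real key, and the RSA verification of b= is deliberately left out, so the block covers key lookup naming, tag parsing, body canonicalization and the body-hash check only.

```python
"""DKIM receiver-side checks (RFC 6376): key location in DNS and the bh= body hash.

Added example for this page; not Cisco ESA code. All records, headers and
message bodies below are constructed samples; no real key is present.
"""
import base64
import hashlib
import re


def dkim_dns_name(selector: str, domain: str) -> str:
    """Name the receiver queries for the signer's public key: <s>._domainkey.<d>."""
    return f"{selector}._domainkey.{domain}"


def parse_tags(tag_list: str) -> dict:
    """Parse the tag=value; list used by both the DNS TXT record and DKIM-Signature."""
    tags = {}
    for item in tag_list.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)   # folded values may contain whitespace
    return tags


def canonicalize_body(body: str, mode: str = "simple") -> str:
    """RFC 6376 s.3.4.3 (simple) / s.3.4.4 (relaxed) body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one space and drop trailing whitespace on each line.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":        # ignore all empty lines at the end of the body
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""   # empty body: simple yields CRLF, relaxed nothing
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, mode: str = "simple") -> str:
    """bh= value: base64(SHA-256(canonicalized body))."""
    canon = canonicalize_body(body, mode).encode("utf-8")
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def body_hash_matches(signature_header: str, body: str) -> bool:
    """First receiver check: recompute bh= under the body canonicalization the header declares.

    The signature over the headers (b=) still has to be verified with the public key
    fetched from dkim_dns_name(s, d); that RSA step is not part of this example.
    """
    tags = parse_tags(signature_header)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        return False
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) == 2 else "simple"   # single value means body is simple
    return tags.get("bh") == body_hash(body, body_mode)


# Constructed samples (placeholder key material, not a real RSA key or signature).
SAMPLE_TXT = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedplaceholder"
SAMPLE_BODY = "Hello,\r\n\r\nThis is a constructed test message.  \r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY, "relaxed") + "; "
    "b=placeholder-rsa-signature-not-verified-here"
)

if __name__ == "__main__":
    tags = parse_tags(SAMPLE_SIGNATURE)
    print("lookup:", dkim_dns_name(tags["s"], tags["d"]))
    print("key type:", parse_tags(SAMPLE_TXT)["k"])
    print("body hash ok:", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
```

The canonicalization is where most DKIM breakage lives: relaxed mode lets a forwarding MTA reflow whitespace without invalidating the hash, while simple mode fails on a single added space, which is why the body_hash_matches() check has to honour the mode the signer declared rather than assuming one.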
NO.225 If an ASA device is configured as a remote access IPsec server with RADIUS authentication
and password management enabled, which type of authentication will it use?
A. RSA
B. MS-CHAPv2
C. MS-CHAPv1
D. NTLM
E. PAP
Answer: B
There is no ICMP connectivity from VPN_PC to Server1 and Server2. What could be the possible
cause?
A. The action is incorrect in the access rule
B. The destination port configuration is missing in the access rule
C. The server network has incorrect mask in the access rule
D. The VLAN tags configuration is missing in the access rule
E. The source network is incorrect in the access rule
F. The zone configuration is missing in the access rule
Answer: E
NO.227 Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object
group?
A. object network CISCO
network-object object 10.2.1.0
B. object-group network CISCO
group-object 10.2.1.0
C. object-group network CISCO
network-object host 10.2.1.0
D. object network CISCO
group-object 10.2.1.0
Answer: C
NO.228 In a large organization, with thousands of employees scattered across the globe, it is
difficult to provision and onboard new employee devices with the correct profiles and certificates.
With ISE, it is possible to do that with client-provided devices. Which four conditions must be met?
(Choose four.)
A. Endpoint operating system should be supported
B. Client provisioning is enabled on ISE
C. The pxGrid controller should be enabled on ISE
D. Device MAC addresses are added to the Endpoint Identity Group
E. Profiling is enabled on ISE
F. SCEP Proxy is enabled on ISE
G. Microsoft windows server is configured with certificate services
H. ISE should be configured as SXP listener to push SGT-to-IP mapping to network access devices
I. Network access device and ISE should have the PAC provisioning for CTS environment
authentication
Answer: B D E F
Which type of packet can trigger the rate limiter in the given configuration?
A. Only DSCP 8000 packets
B. Only DSCP 1 packets
C. Only DSCP 1500 packets
D. DSCP 1, 1500, 3000, and 8000 packets
E. Only DSCP 3000 packets
Answer: A
NO.230 Which three statements are true after a successful IPsec negotiation has taken place?
(Choose three)
A. After IPsec tunnel is established data is encrypted using one set of DH-generated keying material
B. After the IPsec tunnel is established, data is encrypted using two sets of DH-generated keying
material
C. Two tunnels were established, the first one is for ISAKMP and IPsec negotiation and the second
one is for data encryption as a result of IPsec negotiation
D. The ISAKMP tunnel was established to authenticate the peer and discretely negotiate the IPsec
parameters
E. One secure channel and one tunnel were established, the secure channel was established by
ISAKMP negotiation followed by an IPsec tunnel for encrypting user data
F. The ISAKMP secure channel was established to authenticate the peer and discretely negotiate the
IPsec parameters
Answer: B E F
NO.231 Which two statements about ping flood attacks are true? (Choose two.)
A. They attack by sending ping requests to the broadcast address of the network.
B. They use SYN packets.
C. The attack is intended to overwhelm the CPU of the target victim.
D. They use UDP packets.
E. They use ICMP packets.
F. They attack by sending ping requests to the return address of the network.
Answer: C E
NO.232 Which Cisco Firepower intrusion event impact level indicates that the host is vulnerable to the
attack and requires the most immediate attention?
A. Impact Level 3
B. Impact Level 4
C. Impact Level 2
D. Impact Level 0
E. Impact Level 1
Answer: E
NO.234 Which statement about the failover link when ASAs are configured in failover mode is
true?
A. The information sent over the failover link can be sent only as a secured communication.
B. The information sent over the failover link cannot be sent in clear text, but it could be secured
communication using a failover key.
C. It is not recommended to use secure communication over the failover link when the ASA is
terminating the VPN tunnel
D. Only the configuration replication that is sent across the link can be secured using a failover key.
E. The information sent over the failover link can be in clear text
F. Failover key is not required for the secure communication over the failover link
Answer: E
A. The TACACS connection keep alive using UDP originated from ASA
B. The SXP message uses TCP port 64999 for connection termination
C. The RADIUS connection keep alive using TCP originated from ISE
D. The SXP message uses MD5 for authentication and integrity check.
E. The ISE keep alive message for NDAC connection using TCP originated from ASA
F. The NTP keep alive message using UDP originated from ISE
G. The SXP keep alive message for SXP connection using UDP originated from ASA
Answer: D
Which two statements about a device with this configuration are true? (Choose two.)
A. When a peer establishes a new connection to the device, CTS retains all existing SGT mapping
entries for 3 minutes.
B. If a peer reconnects to the device within 120 seconds of terminating a CTS-SXP connection, the
reconciliation timer starts.
C. When a peer re-establishes a previous connection to the device, CTS retains all existing SGT
mapping entries for 3 minutes.
D. If a peer reconnects to the device within 180 seconds of terminating a CTS-SXP connection, the
reconciliation timer starts.
E. If a peer re-establishes a connection to the device before the hold-down timer expires, the device
retains the SGT mapping entries it learned during the previous connection for an additional 3
minutes.
F. It sets the internal hold-down timer of the device to 3 minutes.
Answer: B E
NO.238 What are the three configurations in which SSL VPN can be Implemented? (Choose three)
A. WebVPN
B. PVC Tunnel Mode
C. Interactive mode
D. L2TP over IPSec
E. Thin-Client
F. AnyConnect Tunnel Mode
G. Clientless
H. CHAP
Answer: E F G
D. Each port in a private VLAN domain is a member of all the secondary VLANs in that domain.
E. A subdomain in a primary VLAN domain consists of multiple primary and secondary VLAN pairs.
F. Each secondary VLAN in a private VLAN domain must have a separate associated primary VLAN.
Answer: B
NO.240 In which type of multicast does the Cisco ASA forward IGMP messages to the upstream
router?
A. clustering
B. PIM multicast routing
C. stub multicast routing
D. multicast group concept
Answer: C
NO.241 ISE can be integrated with an MDM to ensure that only registered devices are allowed on
the network, and use the MDM to push policies to the device. Devices can go in and out of
compliance either due to policy changes on the MDM server, or another reason. Consider a device
that has already authenticated on the network, and stays connected, but falls out of compliance.
Which action can you take to ensure that a noncompliant device is checked periodically and
re-assessed before allowing access to the network?
A. Enable change of authorization on MDM
B. FireAMP Connector scan can be used to relay posture information to ISE via the FireAMP cloud
C. The MDM agent periodically sends a packet with compliance info that the wireless controller can
use to limit network access
D. Enable Period compliance checking on ISE
E. Enable Change of authorization on ISE
F. The MDM agent automatically disconnects the device from the network when it is noncompliant
Answer: E
NO.242 A hosted service provider is planning to use firewall contexts in its manage these firewalls
on behalf of its customers and allow them access management purposes the lead architect of the
service provider has decide interface to a single shared management zone VLAN (901) and allocate
assigned range of this VLAN. Which three statements about this design.
A. Though this design is valid, a physical interface cannot be allocated to traffic classifier restrictions,
this s only possible with sub interfaces
B. This design concept is valid and requires some modifications. However only allow customer
management access from the data VLANs in the adequate Layer 2/ Layer 3 separation between
tenants
C. The ASA multi context traffic classifier works differently for shared into VLAN and have the same
MAC address when NAT is in use, other rule use
D. The ASA classifier works only for data interfaces and not for manager Management-only)
command must be applied for this concept to work
E. This design concept is not valid because it is not possible to allocate a due to ASA traffic classifier
restrictions, this is only possible with sub
F. Sub interfaces of the interface can be allocated only to contexts and physical interface
G. The design for the management zone does not work unless unique
Answer: C D G
NO.244 Which two statements about the SeND protocol are true? (Choose two.)
A. It counters neighbor discovery threats.
B. It must be enabled before you can configure IPv6 addresses.
C. It supports numerous custom neighbor discovery messages.
D. It logs IPv6-related threats to an external log server.
E. It supports an autoconfiguration mechanism.
F. It uses IPsec as a baseline mechanism.
Answer: A E
NO.245 Which statement about managing Cisco ISE Guest Services is true?
A. Only a Super Admin or System Admin can delete the default Sponsor portal.
B. Only ISE administrators from an external identity store can be members of a Sponsor group.
C. By default, an ISE administrator can manage only the guest accounts he or she created in the
Sponsor portal.
D. ISE administrators can view and set a guest's password to a custom value in the Sponsor portal.
E. ISE administrators can access the Sponsor portal only if they have valid Sponsor accounts.
F. ISE administrators can access the Sponsor portal only from the Guest Access menu.
Answer: C
NO.246 Which two options are important considerations when you use NetFlow to obtain the full
picture of network traffic? (Choose two)
A. It monitors only TCP connections.
B. It monitors only routed traffic.
C. It monitors all traffic on the interface on which it is deployed.
D. It monitors only ingress traffic on the interface on which it is deployed.
E. It is unable to monitor over time.
Answer: B E
NO.250 Drag the ACI security principle on the left to its definition on the right.
Answer:
Explanation
1-6, 2-1, 3-5, 4-2, 5-3, 6-4
NO.252 Which three statements about RLDP are true? (Choose three.)
A. It detects rogue access points that are connected to the wired network.
B. It can detect rogue APs that use WPA encryption.
C. It can detect rogue APs operating only on 5 GHz.
D. It can detect rogue APs that use WEP encryption.
E. The AP is unable to serve clients while the RLDP process is active.
F. Active Rogue Containment can be initiated manually against rogue devices detected on the wired
network.
Answer: A E F
Explanation
Rogue Location Discovery Protocol (RLDP)
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70987-rogue-detect.html
NO.253 Which statement about the performance storage option in the AMP for Cisco Firepower
network-based solution is true?
A. If the system is configured to send files to the AMP cloud for dynamic analysis but the file is larger
than the maximum value you configure, it is blocked automatically
B. You can configure the maximum file size that will be analyzed and potentially blocked, up to a
maximum of 10
C. The system inspects a configurable number of bytes in each file based on its file type
D. If a file matches a block malware rule but the system takes longer than the time period you
configure.
E. You can configure the file size for which a SHA 256 hash is calculated up to a maximum of 10 GB
F. The SHA-256 value of a file is calculated only if you configure a file policy with the malware cloud
lookup action
Answer: D
NO.254 Which statement about SenderBase reputation scoring on an ESA device is true?
A. Application traffic from known bad sites can be throttled or blocked
B. By default, all messages with a score below zero are dropped or throttled
C. Mail with scores in the medium range can be automatically routed for antimalware scanning
D. You can configure a custom score threshold for whitelisting messages
E. A high score indicates that a message is very likely to be spam
F. Sender reputation scores can be assigned to domains, IP addresses, and MAC addresses
Answer: D
NO.255 How is the Cisco IronPort email data loss prevention licensed?
A. It is a per-site license
B. It comes free with Iron Port Email server
C. It is a per-enterprise license
D. It is a per-server license
E. It is a per-user license
Answer: E
NO.256 What are the most common methods that security auditors use to assess an organization's
security processes? (Choose two.)
A. physical observation
B. social engineering attempts
C. penetration testing
D. policy assessment
E. document review
F. interviews
Answer: A F
NO.257 Which three Cisco attributes for LDAP authorization are supported on the ASA? (Choose
three)
A. Web-VPN-ACL-Filters
B. IPsec-Default-Domain
C. IPsec-Client-Firewall-Name
D. Authorization-Type
E. L2TP-Encryption
F. Authenticated-User-idle-Timeout
Answer: A B F
NO.258 Which three statements about SCEP are true? (Choose three.)
A. It supports online certification revocation.
B. Cryptographically signed and encrypted messages are conveyed using PKCS#7
C. It supports multiple cryptographic algorithms including RSA.
D. The certificate request format uses PKCS#10.
E. CRL retrieval is supported through CDP(Certificate Distribution Point) queries.
F. It supports synchronous granting.
Answer: B D E
Explanation
Simple Certificate Enrollment Protocol
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/116167-technotescep-00.html
NO.262 Which two protocols are supported when using TACACS+? (Choose two)
A. MS-CHAP
B. CHAP
C. NASI
D. HDLC
E. AppleTalk
Answer: C E
NO.267 Which three ISAKMP SA Message States can be output from the device that initiated an
IPSec tunnel?
(Choose three)
A. MM_WAIT_MSG4
B. MM_WAIT_MSG2
C. MM_WAIT_MSG5
D. MM_WAIT_MSG6
E. MM_WAIT_MSG1
F. MM_WAIT_MSG3
Answer: A B D
NO.268 Which statement about VRF-Lite implementation in a service provider network is true?
A. It disables the sharing of one CE device among multiple customers.
B. It can have multiple VRF instances associated with a single interface on a CE device.
C. It requires multiple links between CE and PE for each VPN connection to enable privacy.
D. It supports multiple VPNs at a CE device but their address spaces must not overlap.
E. It uses input interfaces to differentiate routes for different VPNs on the CE device.
F. It can support only one VRF instance per CE device.
Answer: E
authentication. The TACACS+ server then accesses the Active Directory Server through the firewall to
validate the user credentials. Which protocol-port pair must be allow access through the ASA
Firewall?
A. SMB over TCP 455
B. DNS over UDP 53
C. LDAP over UDP 389
D. global catalog over UDP 3268
E. TACACS+ over TCP 49
F. DNS over TCP 53
Answer: C
NO.270 Which statement about SenderBase sender-reputation filtering approaches on the Cisco
A. The conservative approach provides near zero false positives at the cost of lower performance
B. The aggressive approach provides near zero false positives at the cost of lower performance
C. The aggressive approach provides maximum performance at the cost of numerous
D. The moderate approach provides maximum performance with some false positives
E. The conservative approach provides good performance with near zero false positives
F. The moderate approach combines high performance with some false positives
Answer: F
NO.271 Which two options can be used to further harden a Cisco Email Security Appliance? (Choose
two.)
A. Disable telnet
B. Rename the default administrator password
C. Disable HTTP and FTP services that are not required
D. Enable Cisco Discovery Protocol
E. Turn off TCP small services
Answer: A B
NO.272 Which four task items need to be performed for an effective risk assessment and to
evaluate network posture? (Choose four.)
A. discovery
B. baselining
C. scanning
D. notification
E. validation
F. escalation
G. mitigation
H. profiling
Answer: A C E H
NO.273 Which of the following could be an evasion technique used by the attacker?
A. Port access using Dot1x
B. ACL implementation to drop unwanted traffic
C. TELNET to launch device administration session
D. Traffic encryption to bypass IPS detection
E. URL filtering to block malicious sites
F. NAT translations on routers and switches
Answer: D
NO.274 Which difference between DomainKeys and DKIM in Cisco ESA deployment is true?
A. Only Domain Keys support incoming-mail authentication
B. AsyncOS supports mail signing for DKIM only
C. Bounce and delay messages can use DKIM only
D. AsyncOS supports mail signing and incoming-mail authentication for DomainKeys only
E. If DomainKeys and DKIM are associated to mail flow, AsyncOS uses only DKIM to sign outgoing
messages
F. Only DKIM supports incoming-mail verification
Answer: D
NO.275 While a configuration audit is performed on a router, the set session-key command is found
in a crypto map applied to a WAN interface. Which three statements about this command are true?
(Choose three)
A. This command sets a peer authentication string because the IPsec peer does not support
automated mutual authentication and a manual method is required
B. When configuring the crypto map, (ipsec-manual) must be defined as part of the parameters
C. This command is used to encrypt traffic to another device which does not support Internet Key
Exchange
D. Another way of overcoming this issue is to use the crypto isakmp peer address command with a
zero wildcard address and mask combination
E. Both peers must be configured for manual peer authentication for this configuration to work
F. This command is used to manually configure an IPsec SA; two entries are needed on each side to
encrypt and decrypt traffic over the tunnel
G. This command is used to manually configure an IPsec SA; only one entry is needed on each side
NO.276 In which two modes can a private AMP cloud be deployed? (Choose two.)
A. internal mode
B. hybrid mode
C. air gap mode
D. cloud-proxy mode
E. cloud-proxy public mode
F. external mode
Answer: C D
NO.277 Which statement about securing TLS connections on the ESA is true?
A. The preconfigured demonstration certificate installed on the ESA can establish a secure, verifiable
connection.
B. If you apply a certificate to an ESA in cluster mode, it is automatically propagated to the other
ESAs in the cluster.
C. Self-signed certificates and CA certificates can provide a verifiable connection. The ESA supports
certificates in PKCS#7 and PKCS#12 format
D. Certificates that are imported to secure TLS connections can also be used by other services on the
ESA, including LDAPS and HTTPS
E. The ESA encrypts all messages with a certificate before sending them over a TLS connection.
F. After a certificate is applied to an ESA cluster using centralized management, new devices added
to it automatically adopt the existing certificate.
Answer: D
NO.278 What are the three scanning engines that the Cisco IronPort dynamic vectoring and
streaming engine can use to protect against malware? (Choose three.)
A. McAfee
B. TrendMicro
C. Sophos
D. Webroot
E. F-Secure
F. Symantec
Answer: A C D
NO.279 Which Cisco ISE profiler service probe can collect information about Cisco Discovery
Protocol?
A. DHCP SPAN
B. RADIUS
C. SNMP Query
D. NetFlow
E. HTTP
F. DHCP
Answer: C
You applied this VPN cluster configuration to a Cisco ASA and the cluster failed to form. How do you
edit the configuration to correct the problem?
A. Define the maximum allowable number of VPN connections.
B. Define the master/slave relationship.
C. Configure the cluster IP address.
D. Enable load balancing.
Answer: C
NO.281 Which feature of WEP was intended to prevent an attacker from altering and resending data
packets over a WEP connection ?
A. The RC4 cipher
B. Transport Layer Security
C. Message Intergrity checks
D. MD5 hashing
E. The cyclic redundancy check
Answer: E
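Why the CRC-32 ICV did not achieve that goal, as an added example that is not part of the original question bank or of any Cisco material: CRC-32 is affine over GF(2), so an attacker who can flip bits in the RC4-encrypted payload can also patch the encrypted ICV without knowing the key. The keystream below is a constructed stand-in for RC4(IV || key), and the request strings are constructed sample data.

```python
import zlib


def crc32_le(data: bytes) -> bytes:
    """CRC-32 as four little-endian bytes: the WEP ICV."""
    return zlib.crc32(data).to_bytes(4, "little")


def toy_keystream(n: int) -> bytes:
    """Constructed, deterministic keystream standing in for RC4(IV || key).
    Any XOR stream cipher has the same weakness; the attacker never learns it."""
    return bytes((i * 73 + 41) & 0xFF for i in range(n))


def wep_protect(plaintext: bytes, keystream: bytes) -> bytes:
    """Sender: append the ICV, then XOR (plaintext || ICV) with the keystream."""
    body = plaintext + crc32_le(plaintext)
    return bytes(b ^ k for b, k in zip(body, keystream))


def wep_unprotect(frame: bytes, keystream: bytes):
    """Receiver: XOR with the keystream, split off the ICV, return (plaintext, icv_ok)."""
    body = bytes(b ^ k for b, k in zip(frame, keystream))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, icv == crc32_le(plaintext)


def flip_bits_in_ciphertext(frame: bytes, delta: bytes) -> bytes:
    """Attacker with only the ciphertext: XOR `delta` into the encrypted payload and
    correct the encrypted ICV.  CRC-32 is affine over GF(2), so for equal lengths
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros)
    and the correction crc(d) ^ crc(zeros) does not depend on the unknown plaintext p."""
    n = len(frame) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload")
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    payload = bytes(c ^ d for c, d in zip(frame[:n], delta))
    icv = bytes(c ^ f for c, f in zip(frame[n:], icv_fix))
    return payload + icv


def forge(original: bytes, target: bytes):
    """Constructed end-to-end run: the sender protects `original`; the attacker, who
    knows (or guesses) the original bytes at the positions to change, rewrites the
    frame so it carries `target`; the receiver decrypts.  Returns what the receiver
    accepts as plaintext and whether its ICV check passed."""
    if len(original) != len(target):
        raise ValueError("bit flipping keeps the length")
    ks = toy_keystream(len(original) + 4)
    frame = wep_protect(original, ks)
    delta = bytes(a ^ b for a, b in zip(original, target))
    return wep_unprotect(flip_bits_in_ciphertext(frame, delta), ks)


if __name__ == "__main__":
    pt, ok = forge(b"GET /index.html HTTP/1.0", b"GET /admin.html HTTP/1.0")
    print(pt, "ICV accepted:", ok)
```

The receiver accepts the rewritten request with a valid ICV. A keyed MAC (the Michael MIC in TKIP, CCMP in WPA2) is what closes this hole; a linear checksum cannot.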
NO.283 How does the Cisco Firepower Decrypt-known method perform SSI decryption on inbound
traffic?
A. The system identifies the server certificate during the SSL handshake and downloads the associate
private key from the CA to decrypt the traffic
B. The system matches the incoming server certificate to a previously stored certificate on the server
and uses the private key to decrypt the traffic
C. The system uses a CA certificate on the server to resign the exchanges server certificate then uses
NO.284 In OpenStack, which two statements about the NOVA component are true? (Choose two.)
A. It provides the authentication and authorization services.
B. It launches virtual machine instances.
C. It is considered the cloud computing fabric controller.
D. It provides persistent block storage to running instances of virtual machines.
E. It tracks cloud usage statistics for billing purposes.
Answer: B C
NO.285 Which two methods can be used to remove the previous vendor profiles from the mobile device?
A. Disable the ISE profiling feature
B. Vendor profiles cannot be removed
C. Go to My Devices portal in ISE and click corporate wipe
D. Use the "full wipe" option and reset the device to factory setting
E. Use the "corporate wipe" option offered by the vendor
Answer: C E
NO.287 A new computer is not getting its IPv6 address assigned by the router. While running
Wireshark to try to troubleshoot the problem, you find a lot of data that is not helpful to nail down
the problem. What two filters would you apply to Wireshark to filter the data that you are looking
for? (Choose two)
A. icmpv6.type == 135
B. icmpv6type == 136
C. icmpv6.type == 136
D. icmpv5type == 135
E. icmpv6type == 135
Answer: A C
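Added example, not part of the original question bank: a small ICMPv6 builder and filter in Python that does what the display filters above do, run over a constructed capture. One caveat for the scenario as stated: an address handed out by the router via SLAAC is driven by Router Solicitation and Router Advertisement (types 133 and 134); types 135 and 136 are Neighbor Solicitation and Neighbor Advertisement, which appear in the Duplicate Address Detection and address-resolution steps. The packet bytes, addresses and port of capture are constructed, and IPv6 extension headers are not walked.

```python
import ipaddress
import struct

ICMPV6 = 58
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}


def solicited_node(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX: the group a DAD or resolution NS for `addr` is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def icmpv6_checksum(src, dst, payload: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!IxxxB", len(payload), ICMPV6) + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_nd(src, dst, icmp_type: int, target=None, hop_limit: int = 255) -> bytes:
    """IPv6 header + ND message.  NS/NA carry a 16-byte target address; RS/RA do not
    (ND options are omitted so the checksum logic stays visible)."""
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    body = struct.pack("!BBHI", icmp_type, 0, 0, 0)        # type, code, checksum=0, reserved
    if icmp_type in (135, 136):
        body += ipaddress.IPv6Address(target).packed
    body = body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit) + src.packed + dst.packed
    return ip6 + body


def parse_icmpv6(pkt: bytes):
    """The fields a display filter would test, or None when this is not a plain
    IPv6/ICMPv6 packet (extension headers between IPv6 and ICMPv6 are not walked)."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    plen, hop = struct.unpack("!HxB", pkt[4:8])
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    body = pkt[40:40 + plen]
    icmp_type = body[0]
    has_target = icmp_type in (135, 136) and len(body) >= 24
    return {
        "type": icmp_type, "name": ND_TYPES.get(icmp_type, "other"), "code": body[1],
        "src": str(src), "dst": str(dst), "hop_limit": hop,
        "checksum_ok": icmpv6_checksum(src, dst, body) == 0,   # a valid packet sums to 0
        "target": str(ipaddress.IPv6Address(body[8:24])) if has_target else None,
    }


def filter_nd(packets, types):
    """Python equivalent of `icmpv6.type == 135 || icmpv6.type == 136` over a packet list."""
    matches = []
    for pkt in packets:
        info = parse_icmpv6(pkt)
        if info and info["type"] in types:
            matches.append(info)
    return matches


# Constructed capture of a host joining a link: DAD for its new address, then RS/RA,
# then address resolution with the router.  Documentation and link-local addresses only.
SAMPLE = [
    build_nd("::", solicited_node("2001:db8::10"), 135, target="2001:db8::10"),
    build_nd("fe80::10", "ff02::2", 133),
    build_nd("fe80::1", "ff02::1", 134),
    build_nd("fe80::1", "fe80::10", 135, target="fe80::10"),
    build_nd("fe80::10", "fe80::1", 136, target="fe80::10"),
]

if __name__ == "__main__":
    for info in filter_nd(SAMPLE, {135, 136}):
        print(info["name"], info["src"], "->", info["dst"], "target", info["target"],
              "checksum ok:", info["checksum_ok"])
```

Filtering on 135/136 shows the DAD solicitation sent from :: to the solicited-node group and the later resolution pair; filtering on 133/134 is what shows whether the router ever advertised a prefix.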
NO.288 In a Cisco ASA multiple-context mode of operation configuration, what three session types
are resource-limited by default when their context is a member of the default class? (Choose three.)
A. SSL VPN sessions
B. Telnet sessions
C. TCP session
D. IPSec sessions
E. ASDM sessions
F. SSH sessions
Answer: B D F
Which three additional configuration elements must you apply to complete a functional FlexVPN
deployment? (Choose three)
A. crypto ikev2 keyring default
peer PEER-ROUTER
address 2001::101/64
interface virtual-template5 type tunnel
ip nhrp network-id 10
ip nhrp shortcut loopback0
B. interface loopback0
tunnel mode ipsec ipv6
tunnel protection ipsec profile default
C. interface Tunnel0
bfd interval 50 min_rx 50 multiplier 3
no bfd echo
D. crypto ikev2 keyring KEYS
peer PEER-ROUTER
address 2001::101/64
crypto ikev2 profile default
aaa authorization group pak list ccie default
E. interface virtual-template5 type tunnel
ipv6 unnumbered loopback0
ipv6 eigrp 10
ipv6 enable
interface loopback0
ipv6 eigrp 10
F. aaa authorization network ccie local
Answer: C D E
NO.290 Which statement correctly represents the ACI security principle of Object Model?
A. It is logical representation of an application and its interdependencies in the network fabric
B. It is policy placed at the intersection of a source and destination EPGs.
C. It is defined by the policy applied between EPGs for communication.
D. It consists of one or more tenants having multiple contexts.
E. These are rules and policies used by an EPG to communicate with other EPGs.
F. It is a collection of endpoints representing an application within a context.
Answer: D
NO.292 Which best practice can limit inbound TTL expiry attacks?
A. Setting the TTL value to zero.
B. Setting the TTL value to more than the longest path in the network.
C. Setting the TTL value equal to the longest path in the network.
D. Setting the TTL value to less than the longest path in the network.
Answer: B
Explanation
In practice, filtering packets whereby TTL value is less than or equal to the value that is needed to
traverse the longest path across the network will completely mitigate this attack vector.
https://www.cisco.com/c/en/us/about/security-center/ttl-expiry-attack.html
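Added example, not from the original page or the Cisco note: the same edge policy as a packet filter in Python, with the IOS extended-ACL rendering beside it. The packets are constructed; the ACL name and the `ttl lt` operator syntax are assumptions to confirm on your platform and software release.

```python
import struct


def ipv4_header_checksum(header: bytes) -> int:
    """One's-complement sum of the header words; a header with a correct checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int = 6, payload: bytes = b"") -> bytes:
    """Minimal IPv4 packet (IHL=5, no options) with a correct header checksum (constructed)."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, ttl, proto), or None for a malformed or non-IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_header_checksum(pkt[:ihl]) != 0:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, pkt[8], pkt[9]


def ttl_expiry_filter(packets, longest_path_hops: int):
    """Edge policy from the Cisco note: drop inbound packets whose TTL cannot reach the
    far side of the network (ttl <= longest path), so no interior router has to spend
    CPU generating ICMP Time Exceeded for them.  Malformed packets are dropped too.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        info = parse_ipv4(pkt)
        if info is None or info[2] <= longest_path_hops:
            dropped.append(pkt)
        else:
            forwarded.append(pkt)
    return forwarded, dropped


def ios_acl(longest_path_hops: int):
    """Assumed IOS extended-ACL rendering of the same policy (the ttl operator of the
    ACL TTL-filtering feature; name and syntax to be confirmed on your platform)."""
    return [
        "ip access-list extended TTL-EXPIRY-GUARD",
        f" deny ip any any ttl lt {longest_path_hops + 1}",
        " permit ip any any",
    ]


if __name__ == "__main__":
    flood = [build_ipv4("203.0.113.5", "10.0.0.1", ttl) for ttl in (1, 12, 13, 64)]
    kept, dropped = ttl_expiry_filter(flood, longest_path_hops=12)
    print(len(kept), "forwarded,", len(dropped), "dropped")
    print("\n".join(ios_acl(12)))
```

With a longest internal path of 12 hops, a packet arriving with TTL 13 still expires at most at the last hop's neighbour, while TTL 1 through 12 are dropped at the edge before any interior router generates a Time Exceeded message.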
NO.293 Which two parameters must be identical per interface while configuring virtual port
channels (Choose two)
A. network access control
B. IP source guard
C. Protocol Independent Multicast
D. Bridge Assurance setting
E. maximum transmission unit
Answer: D E
NO.294 For which four portals is SAML Single Sign-On on ISE supported? (Choose four)
A. Wireless Client portal
B. Certificate Provisioning portal
C. Guest portal (sponsored and self-registered)
D. My Devices portal
E. Employee portal
F. Sponsor portal
G. Contractor portal
H. BYOD portal
Answer: B C D F
NO.295 Which two protocols are used by the management plane in a Cisco IDS device? (Choose
two)
A. IKEv2
B. Telnet
C. TLS
D. CHAP
E. DHCP
F. SNMP
G. PAP
H. 3DES
I. RIP
Answer: B F
NO.296 Which statement about MDM with the Cisco ISE is true?
A. The MDM's server certificate must be imported into the Cisco ISE Certificate Store before the
MDM and ISE can establish a connection.
B. MDM servers can generate custom ACLs for the Cisco ISE to apply to network devices.
C. The Cisco ISE supports a built-in list of MDM dictionary attributes it can use in authorization
policies.
D. The Cisco ISE supports limited built-in MDM functionality.
E. If a mobile endpoint fails posture compliance, both the user and the administrator are notified
immediately.
F. When a mobile endpoint becomes compliant the Cisco ISE records the updated device status in its
internal database.
Answer: A
Explanation
Mobile Device Management
https://meraki.cisco.com/blog/tag/mobile-device-management/
NO.297 Which statement about the TRUST action when configuring an ACP is true?
A. It allows traffic to pass without inspection only if the source matches an address defined in
the preprocessor list.
B. It allows matched traffic through without inspection.
C. It allows matched traffic to pass without inspection if the traffic source matches exists in the white
list.
D. It allows matched traffic through, but reverts to IPS inspection if a file inspection triggers malware
alert.
Answer: B
A customer reports to Cisco TAC that one of the Windows clients that is supposed to log in to the
network using MAB can no longer access any allowed resources. Which possible cause of the MAB
failure is true?
A. The switch is properly configured and the issue is on the RADIUS server
B. There is an issue with the CoA configuration
C. AAA authorization is incorrectly configured on the switch
D. There is an issue with the DHCP pool configuration
E. CTS is configured incorrectly on the switch
NO.299 An organization plans to upgrade its Internet-facing ASA running version 8.2 on an older HW
platform to
5585/X version 9.6. The configuration was backed up and submitted for review before the migration
takes place. Which three changes must be made before the configuration is applied to the new ASA
firewall?
(Choose three.)
A. Static NAT statements are changed to xlate statements
B. NAT control must be disabled so that traffic is allowed through the ASA
C. Inbound ACLs must contain the pre-NAT IP instead of the post-NAT IP
D. NAT Control must be enabled so that traffic is allowed through the ASA
E. Static NAT statements are changed to NAT statements
F. Inbound ACLs must contain the post-NAT IP instead of the pre-NAT IP
Answer: A C D
NO.301 Which tunnel type does the Cisco Unified Wireless solution use to map a provisioned guest
WLAN to an anchor WLC?
A. PEAP
B. IPsec
C. TLS
D. GRE
E. EAPoL
F. EoIP
Answer: F
NO.302 Which three authorization technologies does Cisco TrustSec support? (Choose three)
A. 802.1X
B. SGACL
C. DACL
D. MAB
E. SGT
F. VLAN
Answer: C E F
NO.303 Which statement is true about Dual-Hub DMVPN implementation where each spoke has
two connections, one to each hub via different ISPs?
A. It uses point-to-point GRE tunnel
B. It does not allow tunnel protection using IPsec
C. It allows NHRP authentication
D. It uses two tunnel interfaces on each hub to terminate connection from each spoke
E. It uses a single tunnel interface on a spoke to connect two different hubs
Answer: C
NO.304 Which two benefits of the Stealth Watch Flow Collector are true? (Choose two)
A. It can be deployed with hardware appliances or as virtual machines
B. It provides round-trip time and server-response time calculations to optimize UDP connections
C. When deployed in a routed network its multiple flow sensors can aggregate data to provide full
network visibility Layer 1 to Layer 7
D. It eliminates the need for separate flow sensors and flow collectors
E. Its management console provides numerous drill-down tools to help administrators isolate the
cause of an incident
F. It integrates with Cisco Outbreak Intelligence for full zero-day threat protection
G. It can be configured and managed with the Stealthwatch Management Console, which is an
intuitive web interface, and a powerful CLI.
Answer: A B
NO.305 Which two design options are best to reduce security concerns when adopting IoT into an
organization?
(Choose two.)
A. Ensure that application can gather and analyze data at the edge.
B. Implement video analytics on IP cameras.
C. Encrypt sensor data in transit.
D. Segment the Field Area Network from the Data Center network.
E. Encrypt data at rest on all devices in the IoT network.
Answer: C D
NO.306 Which two statements about application protocol detectors in Cisco Firepower are true? (Choose two)
A. They can analyze network traffic for specific application fingerprints
B. Port-based application protocol detectors can be modified for use as custom
C. Port-based and Firepower-based application protocol detectors can be import
D. Firepower-based application protocol detectors are built in to the Firepower deactivated only by
the system
E. They can be activated by VDB updates, but must be deactivated manually
F. They can detect web-based application activity in HTTP traffic
Answer: B E
NO.309 Which two statements about MACsec are true? (Choose two)
A. It maintains network intelligence as it is applied to router uplinks and downlinks.
B. It works in conjunction with IEEE 802.1X-2010 port-based access control.
NO.311 Which command sequence do you enter to add the host 10.2.1.0 to the CISCO object
group?
A. object-group network CISCO
group-object 10.2.1.0
B. object network CISCO
network-object object 10.2.1.0
C. object-group network CISCO
network-object host 10.2.1.0
D. object network CISCO
group-object 10.2.1.0
Answer: C
NO.313 Which file extensions are supported on the Firesight Management Center 6.1 file policies
that can be analyzed dynamically using the Threat Grid Sandbox integration?
A. MSEXE, MSOLE2, NEW-OFFICE, PDF
B. DOCX, WAV, XLS, TXT
C. TXT, MSOLE2, WAV, PDF
D. DOC, MSOLE2, XML, PDF
Answer: A
NO.315 A client computer at 10.10.7.14 is trying to access a Linux server (11.0.1.9) that is running a
Tomcat Server application. What tcpdump filter would be the best to verify that traffic is reaching
the Linux server eth0 interface?
A. tcpdump -i eth0 host 10.10.7.2 and host 11.0.1.9 and port 8080
B. tcpdump -i eth0 host 10.10.7.2 and 11.0.1.9
C. tcpdump -i eth0 host dst 11.0.1.9 and dst port 8080
D. tcpdump -i eth0 host 10.10.7.2 and dst 11.0.1.9 and dst port 8080
Answer: A
NO.321 Which statement about the restrictions of redirection on Cisco Cloud Web Security tunnels
on ISR4000 Series Router is true?
A. The cws-tunnel out command can be configured up to a maximum of three WAN interfaces
B. User authentication (through NTLM) is supported
C. Access lists based on object groups are supported in white listing and redirect list configuration
D. IPv6 is not supported
E. Multiple access list are supported for white listing
Answer: C
NO.322 Exhibit:
Refer to the exhibit, what is the effect of the given service policy
A. It blocks cisco.com, msn.com, and facebook.com permanently
B. It blocks facebook.com, msn.com, cisco.com and google.com
C. It blocks all domains except facebook.com, msn.com, cisco.com
D. It blocks all domains except cisco.com, msn.com, and facebook.com
Answer: D
NO.325 Which are two of the valid IPv6 extension headers? (Choose two.)
A. Options
B. Authentication Header
C. Mobility
D. Protocol
E. Next Header
F. Hop Limit
Answer: B C
NO.326 Which statement about SSL policy implementation in a Cisco Firepower system is true?
A. Access control policy is required for the SSL policy implementation
B. If the Cisco Firepower system cannot decrypt the traffic, it allows the connection.
C. Access control policy is invoked first before the SSL policy tied to it
D. Intrusion policy is mandatory to configure the SSL inspection
E. If SSL policy is not supported by the system, then access control policy handles all the encrypted
traffic.
F. Access control policy is responsible to handle all the encrypted traffic if SSL policy is tried to it.
Answer: A
E. It configures the node to generate a link-local group report when it joins the solicited-node
multicast group.
Answer: C
NO.328 In an effort to secure your enterprise campus network, any endpoint that connects to the
network should authenticate before being granted access. For all corporate-owned endpoints, such
as laptops, mobile phones and tablets, you would like to enable 802.1x and once authenticated allow
full access to the network. For all employee owned personal devices, you would like to use web
authentication, and only allow limited access to the network. Which two authentication methods can
ensure that an employee on a personal device can't use his or her Active Directory credentials to log
on to the network by simply reconfiguring their supplicant to use
802.1x and getting unfettered access? (Choose two.)
A. Use PEAP-EAP-MSCHAPv2
B. Use EAP-FAST
C. Use EAP-TLS or EAP-TTLS
D. Use EAP-MSCHAPv2
E. Use PAP-CHAP-MSCHAP
F. Use PEAP-EAP-TLS
Answer: A B
NO.329 On a Cisco Wireless LAN Controller (WLC), which web policy enables failed Layer 2
authentication to fall back to WebAuth authentication with a user name and password?
A. On MAC Filter Failure
B. Passthrough
C. Splash Page Web Redirect
D. Conditional Web Redirect
E. Authentication
Answer: A
NO.331 What are three technologies that can be used to trace the source of an attack in a network
environment with multiple exit/entry points? (Choose three.)
A. ICMP Unreachable messages
B. Sinkholes
C. A honey pot
D. Remotely-triggered destination-based black holing
E. Traffic scrubbing
Answer: A D E
NO.333 Which of the following is the correct statement regarding enabling SMTP encryption on
ESA?
A. Enabling TLS is an optional step
B. TLS can be enabled only for receiving
C. Enabling TLS for delivery goes under the "Destination Controls" menu of mail policies
D. It only allows the use of self-signed certificates
E. TLS can be enabled only for delivery
F. It allows importing a certificate from a CA
Answer: C
NO.335 Which three commands can you use to configure VXLAN on a Cisco ASA firewall? (Choose
three)
A. sysopt connection tcpmss
B. nve-only
C. default-mcast-group
D. inspect vxlan
E. set ip next-hop verify-availability
F. segment-id
Answer: B C F
NO.336 A network architect has been tasked to migrate a customer's legacy infrastructure switches
to the Nexus 9000 platform. Which feature will help him achieve his milestone?
A. Create a container providing separate execution space
B. Manage software upgrades via guest shell
C. Setup a Web-based interface for configuration management.
D. Allow guests temporary access to the CLI without logging in.
Answer: A
NO.338 Which four tasks are needed to configure RSA token authentication? (Choose four)
A. Generate the sdconf.rec file on the RSA server for the authentication agent
B. Add the ACS server to the allowed ODBC query list on the server
C. Define an ODBC client connection on the RSA server
D. On the ACS server, define the ODBC connection and the RSA server
E. Define an authentication agent on the RSA server
F. Add the RSA server as an external identity server on ACS
G. Define an accounting agent on the RSA server
H. Upload the sdconf.rec to the ACS server
Answer: A E F H
NO.339 Which three statements about the keying methods used by MACSec are true? (Choose
three.)
A. SAP is not supported on switch SVIs.
B. SAP is supported on SPAN destination ports.
C. MKA is implemented as an EAPoL packet exchange.
D. Key management for host-to-switch and switch-to-switch MACSec sessions is provided by MKA.
E. SAP is enabled by default for Cisco TrustSec in manual configuration mode.
F. A valid mode for SAP is NULL.
Answer: A C F
NO.340 What are two features that helps to mitigate man-in-the-middle attacks? (Choose two.)
A. DHCP snooping
B. ARP spoofing
C. destination MAC ACLs
D. dynamic ARP inspection
E. ARP sniffing on specific ports
Answer: A D
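Added example, not part of the original question bank: a Python model of how the two features cooperate. DHCP snooping drops DHCP server replies that arrive on untrusted ports and builds a MAC/IP/VLAN/port binding table from legitimate DHCP exchanges; Dynamic ARP Inspection then drops ARP packets on untrusted ports whose sender MAC/IP pair and port do not match a binding, which is what defeats ARP cache poisoning. Port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class SnoopingSwitch:
    """Constructed model of DHCP snooping plus Dynamic ARP Inspection on one switch.
    `trusted` holds the ports that face the DHCP server or the uplink; every other
    port is untrusted, the default for access ports once snooping is enabled."""
    trusted: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> port of the client's last DISCOVER/REQUEST
    log: list = field(default_factory=list)

    def dhcp(self, port, vlan, msg_type, client_mac, src_mac=None, yiaddr=None):
        """DHCP snooping.  Server replies on untrusted ports are dropped (rogue server);
        a client frame whose source MAC differs from chaddr is dropped (MAC verification);
        an ACK arriving through a trusted port creates the binding on the client's port."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:
                self.log.append(f"DROP DHCP {msg_type} from untrusted port {port}")
                return False
            if msg_type == "ACK":
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is None:
                    self.log.append(f"DROP DHCP ACK for {client_mac}: no request seen")
                    return False
                self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
            return True
        if port not in self.trusted and src_mac is not None and src_mac != client_mac:
            self.log.append(f"DROP DHCP {msg_type} on {port}: source MAC {src_mac} != chaddr {client_mac}")
            return False
        self.pending[(vlan, client_mac)] = port
        return True

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: on an untrusted port the ARP sender MAC/IP pair and
        the ingress port must match a snooping binding; trusted ports are not inspected."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, sender_mac))
        if b is None or b.ip != sender_ip or b.port != port:
            self.log.append(f"DROP ARP {sender_mac}/{sender_ip} on {port} vlan {vlan}: no matching binding")
            return False
        return True


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted={"Gi1/0/24"})
    host = "00:11:22:33:44:55"
    sw.dhcp("Gi1/0/1", 10, "DISCOVER", host, src_mac=host)
    sw.dhcp("Gi1/0/24", 10, "OFFER", host)
    sw.dhcp("Gi1/0/1", 10, "REQUEST", host, src_mac=host)
    sw.dhcp("Gi1/0/24", 10, "ACK", host, yiaddr="10.0.0.50")
    sw.arp("Gi1/0/1", 10, host, "10.0.0.50")                      # legitimate host
    sw.arp("Gi1/0/7", 10, "de:ad:be:ef:00:01", "10.0.0.1")        # attacker claims the gateway IP
    sw.dhcp("Gi1/0/7", 10, "OFFER", host)                         # rogue DHCP server on an access port
    print("\n".join(sw.log))
```

The binding records the port the client's request came in on, not the trusted port that carried the ACK; that is why a host moving its legitimate MAC/IP pair to another untrusted port is also dropped until it re-acquires a lease there.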
NO.341 Which command is required for the Botnet Traffic Filter on a Cisco ASA to function properly?
A. dynamic-filter inspect tcp /80
B. dynamic-filter whitelist
C. inspect botnet
D. inspect dns dynamic-filter-snoop
Answer: D
NO.342 Drag each component of an Adaptive Wireless IPS deployment on the left to the matching
description on the right
Answer:
Explanation
A customer reports to Cisco TAC that one of the Windows clients that is supposed to log in to the
network using MAB can no longer access any allowed resources. Which possible cause of the MAB
failure is true?
A. MAB is disabled on port Gi1/0/9.
B. AAA authorization is incorrectly configured on the switch.
C. CTS is configured incorrectly on the switch.
Answer: A
NO.344 Which three EAP protocols are supported in WPA and WPA2? (Choose three)
A. EAP-PSK
B. EAP-EKE
C. EAP-FAST
D. EAP-AKA
E. EAP-SIM
F. EAP-EEE
Answer: C D E
NO.346 Which are three similarities between containers and virtual machines? (Choose three)
A. private space for processing
B. public interface
C. cannot mount file systems
D. share host system kernel
E. private network interface and IP address
F. allow custom routes
Answer: A E F
NO.347 Which statement about host data collection using Cisco Firepower system is true?
A. It does not have the information on host hops separation from the discovery point.
B. The system prohibits the collection of host data using the NetFlow to avoid inconsistencies
C. The system uses host fingerprint to relay host information to ISE using pxGrid.
D. It depends on the traffic analytics reported by the added host in the system.
E. It can report the operating system running on the host.
Answer: E
NO.348 Drag and drop the protocol on the left onto their description on the right:
Answer:
Explanation
A-2 B-4 C-1 D-3
NO.350 Which two protocols are used by the management plane in a Cisco IOS device? (Choose
two)
A. DHCP
B. FTP
C. NTP
D. CHAP
E. IKEv2
F. NETFLOW
G. PAP
H. TLS
I. 3DES
Answer: B F
NO.351 Which three types of addresses can the Botnet Traffic Filter feature of the Cisco ASA
monitor? (Choose three)
A. dynamic address
B. known malware addresses
C. known allowed addresses
D. ambiguous addresses
E. internal addresses
F. listed addresses
Answer: B C D
Users cannot access web servers 192.168.101.3/24 and 192.168.102.3/24 using the Firefox web browser
from the 172.6V1.0/24 network. Which possible cause is true?
A. The identification profile "Allowed Profile" has a misconfigured user agent.
B. The access policy "Allow policy" is pointing to an incorrect identification profile.
C. The access policy "Allow Policy" has an incorrect action set for the custom URL category.
D. The custom URL category "Allowed Sites" has an incorrect server address listed.
E. The identification profile "Allow Profile" has an incorrect protocol.
F. The identification profile "Allow Profile" has an incorrect source network.
Answer: A F
You issued the show crypto isakmp sa command to troubleshoot an IPsec VPN.
What possible issue does the given output indicate?
A. The peer is failing to respond
B. The crypto ACLs are mismatched
C. The pre-shared keys are mismatched
D. The transform sets are mismatched
Answer: C
NO.354 Which of these command sequences will send an email to holly@invalid.com using SMTP?
A. HELO invalid.com
MAIL TO:<holly@invalid.com>
MESSAGE
END
B. MAIL FROM:<david@invalid.com>
RCPT TO:<holly@invalid.com>
DATA
C. HELO invalid.com
MAIL FROM:<david@invalid.com>
RCPT TO:<holly@invalid.com>
BODY
D. MAIL FROM:<david@invalid.com>
RCPT TO:<holly@invalid.com>
MESSAGE
Answer: B
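Added example, not part of the original question bank: an in-memory SMTP responder that enforces the command ordering a real server applies, with both sides of the dialogue returned as a transcript. It also shows two things option B leaves out: a server expects HELO/EHLO before MAIL FROM, and the message body is terminated by a line containing a single '.', with body lines that begin with '.' dot-stuffed by the client. Hostnames and addresses are constructed.

```python
class ScriptedSmtpServer:
    """Constructed in-memory responder that enforces RFC 5321 command sequencing
    (HELO/EHLO -> MAIL FROM -> RCPT TO -> DATA -> '.'); no sockets, no real delivery."""

    def __init__(self, hostname: str = "mail.invalid.com"):
        self.hostname = hostname
        self.greeted = False
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.lines = []
        self.delivered = []      # (sender, [recipients], body) tuples accepted so far

    def handle(self, line: str):
        """Return the server reply for one client line, or None while inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.rcpts), "\n".join(self.lines)))
                self.sender, self.rcpts, self.lines = None, [], []
                return "250 2.0.0 OK: queued"
            self.lines.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.greeted = True
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if not self.greeted:
                return "503 5.5.1 Bad sequence of commands (send HELO/EHLO first)"
            if not arg.upper().startswith("FROM:"):
                return "501 5.5.4 Syntax: MAIL FROM:<address>"
            self.sender = arg[5:].strip().strip("<>")
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Bad sequence of commands (MAIL FROM first)"
            if not arg.upper().startswith("TO:"):
                return "501 5.5.4 Syntax: RCPT TO:<address>"
            self.rcpts.append(arg[3:].strip().strip("<>"))
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Bad sequence of commands (RCPT TO first)"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"      # MESSAGE, BODY, END, ...


def run_session(client_lines):
    """Feed the client lines to a fresh server; return (transcript, delivered messages)."""
    server = ScriptedSmtpServer()
    transcript = [f"S: 220 {server.hostname} ESMTP ready"]
    for line in client_lines:
        transcript.append("C: " + line)
        reply = server.handle(line)
        if reply is not None:
            transcript.append("S: " + reply)
    return transcript, server.delivered


# Constructed complete session that delivers to holly@invalid.com.
GOOD = [
    "HELO client.invalid.com",
    "MAIL FROM:<david@invalid.com>",
    "RCPT TO:<holly@invalid.com>",
    "DATA",
    "From: david@invalid.com",
    "To: holly@invalid.com",
    "Subject: test",
    "",
    "Hi Holly,",
    "..leading dot is unstuffed by the server",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    transcript, delivered = run_session(GOOD)
    print("\n".join(transcript))
    print("delivered:", delivered)
```

Running option B's three lines alone against this server produces 503 replies throughout, because nothing was greeted and no DATA terminator was ever sent; the verbs MESSAGE, BODY and END from the other options are simply not SMTP and get a 500.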
NO.355 Which three VSA attributes are present in a RADIUS WLAN Access-Accept packet? (Choose
three)
A. Tunnel-Private-Group-ID
B. Tunnel-Type
C. SSID
D. EAP-Message
E. LEAP Session-Key
F. Authorization-Algorithm-Type
Answer: C E F
NO.357 Which IPS deployment mode is most reliant on the Automatic Application Bypass feature?
A. Passive
B. Strict
C. transparent
D. switched
E. tap
F. inline
Answer: F
NO.358 All your remote users use AnyConnect VPN to connect into your corporate network, with an
ASA providing the VPN service. Authentication is through ISE using RADIUS as the protocol. ISE uses
Active Directory as the Identity Source. You want to be able to assign different policies to users
depending on their group membership in Active Directory. Which is one possible way of doing that?
A. Configure an authorization policy in ISE to send back a RADIUS class-25 attribute with the name of
the ASA Tunnel Group (Connection Profile)
B. This is only possible when LDAP authorization is configured directly to Active Directory
C. Configure an authentication policy in ISE to send back a RADIUS class-25 attribute with the name
of the ASA Group Policy
D. Configure an authentication policy in ISE to send back a RADIUS class-25 attribute with the name
of the ASA Tunnel Group (Connection Profile)
E. Configure an authorization policy in ISE to send back a RADIUS class-25 attribute with the name of
the ASA Group Policy
Answer: E
After you applied this EtherChannel configuration to a Cisco ASA, the EtherChannel failed to come up.
Which reason for the problem is the most likely?
A. The lacp system-priority and lacp port-priority values are the same.
B. The EtherChannel requires three ports, and only two are configured.
C. The EtherChannel is disabled.
D. The channel-group modes are mismatched.
Answer: B
NO.361 Which encryption type is used by ESA for implementing the Email Encryption?
A. PKI
B. S/MIME Encryption
C. Identity Based Encryption(IBE)
D. TLS
E. SSL Encryption
Answer: B
sa ipsec 1
profile site_a
match address ipv4 site_a
replay counter window-size 64
no tag
address ipv4 10.1.20.3
!
interface GigabitEthernet3
ip address 10.1.20.3 255.255.255.0
!
ip access-list extended site_a
permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
R3 is the Key Server in a GETVPN VRF-Aware implementation. The Group Members for site_a
register with the Key Server via interface address 10.1.20.3/24 in the management VRF "mgmt.".
The Group ID for site_a is 100 to retrieve group policy and keys from the key server.
The traffic to be encrypted by the site_a Group Members is between 192.168.4.0/24 and
192.168.5.0/24.
The preshared key used by the Group Members to authenticate with the Key Server is "cissco". It has been
reported that Group Members are unable to perform encryption for the traffic defined in the group
policy of site_a. What could be the issue?
A. Incorrect encryption traffic defined in the group policy
B. Incorrect mode configuration in the transform set
C. Incorrect password in the keyring configuration
D. Incorrect security-association time in the IPsec profile
E. Incorrect encryption in ISAKMP policy
F. The GDOI group has incorrect local server address
G. The registration interface is not part of management VRF "mgmt."
Answer: G
NO.363 Which three types of addresses can the Botnet Filter feature of the Cisco ASA monitor?
(Choose three)
A. Known allowed addresses
B. Dynamic addresses
C. Internal addresses
D. Ambiguous addresses
E. Known malware addresses
F. Listed addresses
Answer: A D E
NO.365 Which two statements about the TTL value in an IPv4 header are true? (Choose two)
A. It is a 4-bit value.
B. It can be used for traceroute operations.
C. When it reaches 0, the router sends an ICMP Type 11 message to the originator.
D. Its maximum value is 128.
E. It is a 16-bit value.
Answer: B C
NO.367 A user attempts to browse the internet through a CWS Integrated router, and the HTTP 403
Fabric Error message is returned. Which reason for the problem is the most likely?
A. User authentication failed
B. The CWS connector is down
C. The user is not logged in to CWS
D. The user attempted to access web site that is blocked by CWS policy
E. The connection timed out
F. The CWS license has expired
Answer: F
NO.368 Which two statements are true about FireAMP private cloud deployment? (Choose two)
A. It can be deployed in hybrid mode
B. It can be deployed in air-gap or cloud-proxy mode
C. When deployed in cloud-proxy mode, an internet connection is required for dispositions
D. It can be deployed in external mode
E. It can be deployed in internal mode
F. It can be deployed in public mode
Answer: B C
NO.371 Which three statements about VXLAN are true? (Choose three.)
A. It can converge topology without STP.
B. It enables up to 24 million VXLAN segments to coexist in the same administrative domain.
C. It uses encrypted TCP/IP packets to transport data over the physical network.
D. The VTEP encapsulates and de-encapsulates VXLAN traffic by adding or removing several fields,
including a 16-bit VXLAN header.
E. It uses a 24-bit VXLAN network identifier to provide layer 2 isolation between LAN segments.
F. It can migrate a virtual machine from one Layer 2 domain to another over a Layer 3 network.
Answer: A D E
Flexible NetFlow is failing to export IPv6 flow records from Router A to your flow collector.
What action can you take to allow the IPv6 flow records to be sent to the collector?
A. Remove the ip cef command from the configuration.
B. Add the ipv6 cef command to the configuration.
C. Create a new flow exporter with an IPv6 destination and apply it to the flow monitor.
D. Set the NetFlow export protocol to v5.
E. Configure the output-features command for the IPV4-EXPORTER.
Answer: C
NO.374 Refer to the exhibit. Which Cisco Firepower policy has detected a "CnC Connector" comp event?
A. DNS policy
B. Network analysis policy
C. Identity policy
D. SSL policy
E. File policy
F. Intrusion policy
Answer: F
NO.375 Which statement about encryption headers on the Cisco ESA is true?
A. The optional Cisco Iron Port Encryption appliance provides extended encryption headers
B. They can be applied to outgoing messages only to force more secure message handling than is
provided by the current encryption settings on the ESA
C. Content filters can be applied to add encryption headers to outgoing messages only
D. They can be configured to enable return receipt, expire messages and prevent the recipient from
forwarding the message
Answer: D
NO.376
NO.378 Which two statements about internal detectors in the Cisco Firepower System are true?
(Choose two)
A. They are built in to the Firepower system and delivered automatically with firepower updates
B. They can be activated manually or configured to activate automatically under specific conditions
C. They can be modified for use as custom detectors
NO.379 Which command can you enter on a Cisco ASA to send debug messages to a syslog server?
A. logging debug-trace
B. logging host
C. logging traps
D. logging syslog
Answer: A
NO.381 Various methods are available for load-balancing across WSA deployment. Which method
requires the least effort for all types of endpoints (campus and data center) across the enterprise?
A. Push out proxy settings to endpoints through Windows GPO settings
B. Host a PAC file on the WSA or an intranet web server and point all endpoints to it for auto-
configuration
C. Configure an SRV DNS record to point to the WSA for all WAN services
D. Use transparent Layer 4 redirection with multiple WSAs behind a load-balancer
E. Use WPAD that uses the IP addresses of the WSAs
Answer: D
NO.382 In FMC the correlation rule could be based on which two elements? (Choose two.)
A. Authorization rule
B. Intrusion event
C. CoA (Change of Authorization)
D. Traffic profile variation
E. NDAC (Network Device Admission Control)
F. SGT (Security Group Tag) mapping
G. Database type
H. Authentication condition
Answer: B D
A. to check for a TTL value in packet header of less than or equal to for successful peering
B. to protect against routing table corruption
C. to use for iBGP session
D. to protect against CPU utilization-based attacks
E. to authenticate a peer
Answer: D
NO.384 Which statement is true about VRF-lite implementation in a service provider network?
A. It requires multiple links between CE and PE for each VPN connection to enable privacy
B. It uses source address to differentiate routes for different VPNs on the CE device
C. It can only support one VRF instance per CE device
D. It can have multiple VRF instances associated with a single interface on a CE device
E. It supports multiple VPNs at a CE device but their address spaces should not overlap
F. It enables the sharing of one CE device among multiple customers
Answer: F
NO.385 Which three statements about communication between Cisco VSG and the VEM are true?
(Choose three.)
A. In Layer 3 mode, fragmentation with vPath is not supported.
B. vPath handled fragmentation for all adjacencies between Cisco VSG and the VEM.
C. If vPath encapsulation of a packet in Layer 2 mode causes the packet to exceed the interface MTU
size, it will be dropped.
D. Layer 3 adjacency between Cisco VSG and the VEM requires communication through a VMkernel
interface on the VEM.
E. vPath encapsulation of incoming packets can increase the frame size by up to 94 bytes.
F. Cisco VSG and VEM should be adjacent at Layer 3 when minimal latency is required.
Answer: A D E
NO.386 Which of the following is the correct rule with regards to Zone-Based Firewall
implementation?
A. Interface can be a member of only one zone.
B. All the interfaces of the device cannot be the part of the same zone.
C. If interface belongs to a zone then the traffic to and from the interface is always allowed.
D. By default traffic between the interfaces in the same zone is dropped.
E. Zone pair cannot have a zone as both source and destination.
F. If default zone is enabled then traffic from zone interface to non-zone interface will be dropped.
Answer: A
NO.387 Which three statements about Cisco AnyConnect SSL VPN with the ASA are true? (Choose
three)
A. DTLS can fall back to TLS without enabling dead peer detection.
B. By default, the VPN connection connects with DTLS.
C. Real-time application performance improves if DTLS is implemented
D. Cisco AnyConnect connections use IKEv2 by default when it is configured as the primary protocol on
the client.
E. By default, the ASA uses the Cisco AnyConnect Essentials license.
F. The ASA will verify the remote HTTPS certificate.
Answer: C D E
NO.388 From the list below, which one is the major benefit of AMP Threat GRID?
A. AMP Threat Grid learns ONLY from data you pass on your network and not from anything else to
monitor for suspicious behavior. This makes
B. AMP Threat Grid combines Static, and Dynamic Malware analysis with threat intelligence into one
combined solution.
C. AMP Threat Grid analyzes suspicious behavior in your network against exactly 400 behavioral
indicators.
D. AMP Threat Grid collects file information from customer servers and runs tests on them to see if
they are infected with viruses.
Answer: B
NO.389 When TCP Intercept is enabled in its default mode, how does it react to a SYN request?
A. It monitors the sequence of SYN, SYN-ACK, and ACK messages until the connection is fully
established.
B. It monitors the attempted connection and drops it if it fails to establish within 30 seconds.
C. It allows the connection without inspection.
D. It intercepts the SYN before it reaches the server and responds with a SYN-ACK.
E. It drops the connection.
Answer: D
NO.390 In FMC, which two elements can the correlation rule be based on? (Choose two.)
A. authorization rule
B. Security Group Tag mapping
C. discovery event
D. user activity
E. database type
F. authentication condition
G. Change of Authorization
H. Network Device Admission Control
Answer: C D
NO.391 Which protocol does ISE use to secure the connection through the Cisco IronPort Tunnel
infrastructure?
A. SSH
B. IKEv1
C. IKEv2
D. SNMP
E. TLS
Answer: A
NO.393 Which three statements about 802.1x multiauthentication mode are true? (Choose three.)
A. It is recommended for guest VLANs.
B. On non-802.1x devices, it can support only one authentication method on a single port.
C. Each multiauthentication port can support only one voice VLAN.
D. It is recommended for auth-fail VLANs.
E. It requires each connected client to authenticate individually.
F. It can be deployed in conjunction with MDA functionality on voice VLANs.
Answer: C E F
NO.395 Which two statements about NVGRE are true? (Choose two.)
A. It supports up to 32 million virtual segments per instance.
B. The network switch handles the addition and removal of NVGRE encapsulation.
C. NVGRE endpoints can reside within a virtual machine.
D. It allows a virtual machine to retain its MAC and IP addresses when it is moved to a different
hypervisor on a different L3 network.
E. The virtual machines reside on a single virtual network regardless of their physical location.
Answer: C E
G. Switch configuration is properly configured and the issue is on the RADIUS server
Answer: E
NO.398 Which three statements about VRF-Aware Cisco Firewall are true? (Choose three.)
A. It supports both global and per-VRF commands and DoS parameters.
B. It enables service providers to deploy firewalls on customer devices.
C. It can generate syslog messages that are visible only to individual VPNs.
D. It can support VPN networks with overlapping address ranges without NAT.
E. It enables service providers to implement firewalls on PE devices.
F. It can run as more than one instance.
Answer: C E F
NO.399 Which configuration management tools does the Cisco Nexus 9000 platform support?
A. Puppet
B. Ansible
C. Salt
D. Chef
E. Jenkins
Answer: A
NO.400 Which two statements about Cisco VSG are true? (Choose two.)
A. Because it is deployed at Layer 2, it can be inserted without significant reengineering of the
network.
B. According to Cisco best practices, the VSG should use the same VLAN for VSM-VEM control traffic
and management traffic.
C. It uses optional IP-to-virtual machine mappings to simplify management of virtual machines.
D. It uses the Cisco VSG user agent to register with the Cisco Prime Network Services Controller.
E. It can be integrated with VMWare vCenter to provide transparent provisioning of policies and
profiles.
F. It has built-in intelligence for redirecting traffic and fast-path offload.
Answer: E F
NO.401 How does a Cisco ISE server determine whether a client supports EAP chaining?
A. It sends an identity-type TLV to the client and analyzes the response.
B. It analyzes the options field in the TCP header of the first packet it receives from the client.
C. It analyzes the X.509 certificate it receives from the client through the TLS tunnel.
D. It sends an MD5 challenge to the client and analyzes the response.
E. It analyzes the EAPoL message the client sends during the initial handshake.
Answer: A
NO.402 Which statement about Remote Triggered Black Hole Filtering feature is true?
A. It works in conjunction with QoS to drop the traffic that has a lower priority.
B. The Null0 interface used for filtering is able to receive the traffic but never forwards it.
C. In RTBH filtering, the trigger device redistributes dynamic routes to the eBGP peers.
D. It helps mitigate DDoS attack based only on destination address.
E. It drops malicious traffic at the customer edge router by forwarding it to a Null0 interface.
F. In RTBH filtering, the trigger device is always an ISP edge router.
Answer: C
NO.403 When an organization is choosing a cloud computing model to adopt, many considerations
are studied to determine the most suitable model. To which model is cloud interdependency mainly
attributed?
A. Hybrid cloud
B. Public cloud
C. Community cloud
D. Private cloud
Answer: A
NO.404 As which option does a wired MAB appear in the ISE RADIUS live logs?
A. (Radius: Service-Type equals Framed) and (Radius: NAS-Port-Type equals Ethernet)
B. (Radius: Service-Type equals Call-Check) and (Radius: NAS-Port-Type equals Ethernet)
C. (Radius: Service-Type equals Call-Check) and (Radius: NAS-Port-Type equals PPPoEoVLAN)
D. (Radius: Service-Type equals Call-Check) and (Radius: NAS-Port-Type equals PPPoEoVLAN)
Answer: C
NO.405 Which two statements about a SMURF attack are true? (Choose two)
A. It is a distributed denial-of-service attack
B. The attacker uses a spoofed destination address to launch the attack.
C. It is used by the attackers to check if destination addresses are alive.
D. It sends ICMP Echo Requests to a spoofed source address of a subnet
E. To mitigate the attack you must disable IP directed broadcast on the router interface
F. It exhausts the victim machine resources with large number of ICMP Echo Requests from a subnet
G. It sends ICMP Echo Replies to known IP addresses in a subnet
Answer: A E
NO.406 As an enterprise, you have decided to use Cisco Umbrella (OpenDNS) services for all public
DNS requests.
In which two ways can you ensure that all DNS clients (endpoints) use this service for external
requests only? (Choose two.)
A. Install the umbrella proxy server on all the supported operating systems and configure it
appropriately
B. Use DHCP to push the OpenDNS servers to the endpoints
C. Install the Umbrella server in your data center that will provide these services locally
D. Install the Umbrella client on all the supported operating systems and configure it appropriately
E. Configure the OpenDNS servers as forwarders on your internal DNS servers
Answer: D E
NO.410 Which two statements about 802.1X components are true? (Choose two)
A. The access layer switch is the policy enforcement point.
B. The certificates that are used in the client-server-authentication process are stored on the access
switch.
C. The RADIUS server is the policy enforcement point.
Refer to the exhibit. A customer has opened a case with Cisco TAC reporting an issue that clients connect to
the network using the guest account. Looking at the configuration of the switch, what is the possible issue?
A. MAB should be disabled on the authentication port
B. Dynamic authorization configuration has incorrect RADIUS server
C. Issue with the DHCP pool configuration
D. Dot1x is disabled on the authentication port
E. AAA network authorization incorrectly configured
F. CTS is incorrectly configured
G. Issue with redirect ACL "cwa_edirecrt"
Answer: G
NO.412 Which statement regarding the routing functions of a Cisco ASA running software version 9.2 is
true?
A. The translation table cannot override the routing table for new connections.
B. Routes to the Null0 interface cannot be configured to black-hole traffic.
C. In a failover pair of ASAs, the standby firewall establishes a peer relationship with OSPF neighbors.
D. The ASA supports policy-based routing with route maps.
Answer: A
NO.413 Which port is used by the ISE pxGrid service for inter-node communication?
A. UDP port 161 and 162
B. TCP port 443
C. TCP port 5222
D. UDP port 9995
Answer: C
NO.414 Which Cisco Firepower Intrusion Event Impact level indicates that the host on the monitored
network is vulnerable to the attack and requires the most immediate response?
A. Impact Level 3
B. Impact Level 4
C. Impact Level 2
D. Impact Level 0
E. Impact Level 1
Answer: E
NO.415 In a TLS implementation on a Cisco Email Security Appliance cluster, a machine is
removed from the cluster and then added back. Which description of what happens to the machine-
level certificate is true?
A. ESA cannot provide privacy for point-to-point transmission of emails through encryption
B. The machine-level certificates are lost
C. The machine-level certificates are rebuilt by RAID 5
D. The cluster goes down.
Answer: C
NO.416 Which statement is true regarding the ESA HAT configuration for incoming mail?
A. It points to the address of ESA management interface
B. It points to the address of recipient mail server
C. It points to the address of the DNS server
D. It points to the address of ESA listener interface
E. It points to the recipient address
F. It points to the sender address
Answer: F
NO.417 Which three ESMTP extensions are supported by the Cisco ASA? (Choose three)
A. NOOP
B. PIPELINING
C. SAML
D. 8BITMIME
E. STARTTLS
F. ATRN
Answer: A C E
NO.418 Which statement about Health Monitoring on the Firepower System is true?
A. When you delete a health policy that is applied to a device, the device reverts to the default
health policy.
B. If you apply a policy without active modules to a device, the previous health policy remains in
effect unless you delete it.
C. Health events are generated even when the health monitoring status is disabled.
D. Descendant domains in a multi-domain deployment can view, edit, and apply policies from
ancestor domains.
E. The administrator of a descendant domain is unable to edit or delete blacklists applied by the
administrator of an ancestor domain.
F. The default health policy is automatically applied to all managed devices.
Answer: C
NO.419 Which two statements about Cisco URL Filtering on Cisco IOS Software are true? (Choose
two)
A. It supports Websense and N2H2 filtering at the same time.
B. It supports local URL lists and third-party URL filtering servers.
C. By default, it uses ports 80 and 22.
D. It supports HTTP and HTTPS traffic.
E. By default, it allows all URLs when the connection to the filtering server is down.
F. It requires minimal CPU time.
Answer: B F
NO.420 Drag the components of WIPS architecture on the left to their respective functionalities on
the right.
Answer:
Explanation
1-5, 2-1, 3-4, 4-2, 5-3
A. 10
B. unlimited
C. 5
D. 0
E. 1
F. 15
Answer: F
NO.422 Which criterion does the ASA use for packet classification if multiple contexts share an ingress
interface MAC address?
A. ASA ingress interface IP address
B. policy-based routing on ASA
C. destination IP address
D. destination MAC address
E. ASA ingress interface MAC address
F. ASA NAT configuration
G. ASA egress interface IP address
Answer: E
NO.423 Which entity is responsible for the Stealthwatch Management Center to interact with ISE?
A. FMC
B. DNA
C. pxGrid
D. ASA
E. Threat grid
F. NGIPs
Answer: C F
NO.424 Which three statements about the SHA-2 algorithm are true? (Choose three.)
A. It provides a fixed-length output using a collision-resistant cryptographic hash.
B. It provides a variable-length output using a collision-resistant cryptographic hash.
C. It generates a 512-bit message digest.
D. It generates a 160-bit message digest.
E. It is used for integrity verification
F. It is the collective term for the SHA-224, SHA-256, SHA-384, and SHA-512 algorithms.
Answer: A E F
NO.425 RFID is a technology widely used in IoT networks today. Which two features of RFID
technologies are correct? (Choose two)
A. RFID readers do not require anti-collision protocols to minimize collisions
B. Semi-passive tags have an on-board power source which is used to energize microchips
C. RFID readers can suffer from a lack of sufficient memory and computational resources
D. RFID tag collision results in an increase of identification delays
E. RFID uses CDMA and CSMA for the prevention of collisions on RFID systems
Answer: C D
NO.426 Which of the following is AMP Endpoint offline engine for windows?
A. ClamAV
B. ClamAMP
C. TETRAAMP
D. TETRA
Answer: D
NO.427 In your ISE design, there are two TACACS profiles that are created for device administration:
IOS_HelpDesk_Profile and IOS_Admin_Profile. The HelpDesk profile should log the user in with
privilege 1, with the ability to change the privilege level to 15. The Admin profile should log the user in with
privilege 15 by default. Which two commands must the HelpDesk user enter on the IOS device to access
privilege level 15? (Choose two)
A. enable secret
B. enable 15
C. privilege level 15
D. enable privilege 15
E. enable
F. enable IOS_Admin_Profile
G. enable password
Answer: B E
NO.428 Which two statements about the Cisco AnyConnect VPN Client are true? (Choose two.)
A. It can use an SSL tunnel and a DTLS tunnel simultaneously.
B. It enables users to manage their own profiles.
C. It can be configured to download automatically without prompting the user.
D. By default, DTLS connections can fall back to TLS.
E. To improve security, keepalives are disabled by default.
Answer: A C
NO.429 In a Cisco ISR with cloud Web Security Connector deployment, which command can you
NO.432 The purpose of an authentication proxy is to force the user to authenticate to a network
device before the user is allowed access through the device. This is primarily used for HTTP-based
services, but it can also be used for other services. In the case of an ASA, what does ISE have to send to
enforce this access policy?
A. LDAP attribute with ACL
B. Group Policy enabled for proxy-auth
C. Downloadable ACL
D. Not possible on the ASA
E. VLAN
F. Redirect URL to ISE
Answer: C
NO.435 Which of the following four traffic flows should be allowed during an unknown posture state?
(Choose four)
A. Traffic from AnyConnect client, with posture module, to ASA
B. Traffic to FireAMP cloud for AMP for endpoint scan results
C. Traffic to public search engines
D. Traffic to remediation servers, if needed
E. DHCP traffic
F. DNS traffic
G. SSH traffic for network device administration
H. Traffic to ISE PSNs to which Client Provisioning Protocol FQDN points
Answer: D E F H
Users are unable to access web servers 192.168.101.3/24 and 192.168.102.3/24 using the Firefox web
browser when initiated from the 172.16.1.0/24 network. What could be the possible cause?
A. Identification profile "allow Profile" has an incorrect source subnet
B. Access policy "allow policy" is pointing to an incorrect identification profile
C. Identification profile "allow Profile" has an incorrect protocol
D. Access policy "allow policy" has incorrect action set for the custom URL category
E. Custom URL category "allowed sites" has incorrect server addresses listed
NO.437 Which effect of the crypto key encrypt write rsa command on a router is true?
A. The device locks the encrypted key, but the key is lost when the router is reloaded.
B. The device encrypts and locks the key before authenticating it with an external CA server.
C. The device unlocks the encrypted key, but the key is lost when the router is reloaded.
D. The device locks the encrypted key and saves it to the NVRAM.
E. The device saves the unlocked encrypted key to the NVRAM.
Answer: E
NO.439 Which option is a data modeling language used to model configuration and state data of
network elements?
A. RESTCONF
B. SNMPv4
C. NETCONF
D. YANG
Answer: D
NO.440 Which two statements about AMP Threat Grid are true? (Choose two)
A. It can transmit suspected malware to the public AMP Threat Grid cloud for deeper analysis
B. It provides two separate on-premises appliances to support powerful malware analysis and threat
intelligence features
C. It provides dynamic analysis reports and generates threat scores
D. It supports real time threat and behavioral analysis
E. It can be installed on individual endpoints to inspect local files for malware
F. It can act as an anonymized proxy to transport endpoint event data to the public AMP Threat Grid
cloud for threat detection
Answer: B C
NO.441 Which two statements about MAB are true? (Choose two)
A. It requires the administrator to create and maintain an accurate database of MAC addresses.
B. It serves as the primary authentication mechanism when deployed in conjunction with 802.1x.
C. It operates at Layer 2 and Layer 3 of the OSI protocol stack.
NO.442 Which two statements about NetFlow Secure Event Logging on a Cisco ASA are true?
(Choose two)
A. It tracks configured collectors over TCP.
B. It is supported only in single-context mode.
C. It can export templates through NetFlow.
D. It can be used without collectors.
E. It supports one event type per collector.
F. It can log different event types on the same device to different collectors.
Answer: C F
NO.443 Which effect of the crypto key encrypt write rsa command on a router is true?
A. The device locks the encrypted key and saves it to the NVRAM
B. The device saves the unlocked encrypted key to the NVRAM
C. The device locks the encrypted key but the key is lost when the router is reloaded
D. The device encrypts and locks the key before authenticating it with an external CA server
Answer: B
NO.445 Which statement about the Cisco AMP Virtual Private Cloud Appliance is true for
deployments in cloud-proxy mode?
A. The appliance can perform disposition lookups against the Protect DB without an internet
connection
B. The amp-sync tool syncs the threat-intelligence repository on the appliance with the AMP public
cloud through the Update Host
C. The appliance can automatically download threat-intelligence updates directly from the AMP
public cloud
D. The Update Host automatically downloads updates and deploys them to the Protect DB on a daily
basis
E. The appliance communicates directly with the endpoint connectors only
Answer: C
NO.446 Which LDAP query is used by ESA to authenticate users logging into an appliance?
A. chain queries
B. spam quarantine end-user authentication
C. group queries
D. acceptance query
E. spam quarantine alias consolidation
F. external authentication
G. SMTP authentication
H. certificate authentication
Answer: F
NO.447 Your organization is deploying an ESA for email security for inbound and outbound email. To
receive inbound emails from external organizations, you must set up your DNS servers with the
appropriate records so that the sending email server can determine which email gateway to send to.
Assume that you have two ESAs deployed and the hostnames and IP addresses are as follows:
esa1.myesa.com: 5.5.5.25 (Preferred)
esa2.myesa.com: 5.5.5.26
Which two options must you include in your DNS server to receive email from all external senders?
(Choose two.)
A. Forward Lookup Zone:
@ 3600 IN A 10 esa1.myesa.com
@ 3600 IN A 20 esa2.myesa.com
B. Forward Lookup Zone:
esa1 IN 3600 A 5.5.5.25
esa2 IN 3600 A 5.5.5.26
C. Forward Lookup Zone:
mail1.myesa.com 120 CNAME esa1.myesa.com
mail2.myesa.com 120 CNAME esa2.myesa.com
D. Forward Lookup Zone:
@ 3600 IN MX 10 mail1.myesa.com
@ 3600 IN MX 20 mail1.myesa.com
E. Reverse Lookup Zone for 5.5.5.:
25 3600 IN PTR esa1.myesa.com
26 3600 IN PTR esa2.myesa.com
Answer: C E
NO.448 Which three statements about Dynamic ARP inspection on Cisco switches are true? (Choose
three)
A. The trusted database can be manually configured using the CLI
B. Dynamic ARP inspection is supported only on access ports
C. Dynamic ARP inspection does not perform ingress security checking
D. DHCP snooping is used to dynamically build the trusted database
E. Dynamic ARP inspection checks ARP packets against the trusted database
F. Dynamic ARP inspection checks ARP packets on trusted and untrusted ports
Answer: A D E