CCNA Security 210-260 IINS - Exam 3

show crypto ipsec sa

show crypto map

show crypto isakmp sa

show crypto engine connection active

It blocks known vulnerabilities without patching applications

It supports all networking protocols.

It accelerates web traffic

It simplifies troubleshooting

IPsec Phase 1 is down due to a QM_IDLE state

IPsec Phase 1 is established between 10.10.10.2 and 10.1.1.5

IPsec Phase 2 is down due to a QM_IDLE state

IPsec Phase 2 is established between 10.10.10.2 and 10.1.1.5

The isolated port can communicate only with community ports

The isolated port can communicate only with other isolated ports

The isolated port can communicate with other isolated ports and the promiscuous port

The isolated port can communicate only with the promiscuous port

It can lookup the email sender

It can extract and decode email attachments in client to server traffic

It compares known threats to the email sender

It uses Traffic Anomaly Detector

It can forward the SMTP traffic to an email filter server

STP selects the designated port

STP elects the root bridge

STP selects the root port

STP blocks one of the ports

A private VLAN enables the creation of multiple VLANs using one broadcast domain.

A private VLAN partitions the Layer 3 broadcast domain of a VLAN into subdomains.

A private VLAN combines the Layer 2 broadcast domains of many VLANs into one major broadcast domain

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains

To create customized policies

To detect unknown attacks

To normalize streams

To collect information about attacks

ESP

HTTPS

SSH

IPsec

FD00::/8

2002::/16

FB00::/8

2001::32

Botnet

Trojan horse

Virus

Adware

ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server

ISE issues a certificate from its internal CA server

ISE issues a pre-defined certificate from a local database

The device requests a new certificate directly from a central CA

Edit the crypto keys on R1 and R2 to match

Edit the ISAKMP policy sequence numbers on R1 and R2 to match

Set a valid value for the crypto key lifetime on each router

Edit the crypto isakmp key command on each router with the address value of it's own interface

IPsec Phase 2 is established between 10.1.1.1 and 10.1.1.5

ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1

IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5

IPsec Phase 2 is down due to a mismatch between encrypted and descrypted packets

Implement rules to prevent a vulnerability

Correct or counteract a vulnerability

Reduce the severity of a vulnerability

Follow directions from the security appliance manufacturer to remediate a vulnerability

Inline

Promiscuous

Span

Failover

Bypass

Spoofing

Malware

Spam

Phishing

File reputation

File analysis

Signature updates

Network blocking

Phishing

Pharming

Solicitation

Secure transaction

Always-on

Proxy

Transparent Mode

Trusted Network Detection

TCP 4500

TCP 500

UDP 4500

UDP 500

Privilege exec level 9 configure terminal

Privilege exec level 10 interface

Username HelpDesk privilege 6 password help

Privilege exec level 7 show start-up

Extended access lists perform filtering that is based on source and destination and are most effective when applied closest to the destination.

Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source.

Extended access lists perform filtering that is based on destination and are most effective when applied to the source.

Extended access lists perform filtering that is based on source and are most effective when applied to the destination,

Port security

Dynamic port security

IP source guard

Root guard

Enable URL filtering on the perimeter router and add the URLs you want to block to the router's local URL list.

Enable URL filtering on the perimeter firewall and add the URLs you want to allow to the router's local URL list.

Enable URL filtering on the perimeter router and add the URLs you want to allow to the firewall's local URL list

Create a blacklist that contains the URL you want to block and activate the blacklist on the perimeter router.

Create a whitelist that contains the URLs you want to allow and activate the whitelist on the perimeter router.

Access control lists

Class maps

Policy maps

Route maps

IKE Phase 1 main mode was created on 10.1.1.5, but failed to negotiate with 10.10.10.2

IKE Phase 1 main mode has successfully negotiated between 10.1.1.5 and 10.10.10.2

IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2

IKE Phase 1 aggressive has successfully negotiated between 10.1.1.5 and 10.10.10.2

9

6

4

3

2

0

The secure boot-image command is configured

The secure boot-comfit command is configured

The confreg 0x24 command is configured

The reload command was issued from ROMMON

Minimizing risk

Minimizing total cost of ownership

Minimizing liability

Maximizing compliance

NAT

Hairpinning

Trusted Network Detection

Certification Authority

Remote mirroring over Layer 2

Remote mirroring over Layer 3

Local mirroring over Layer 2

Local mirroring over Layer 3

The trunk port would go into an error-disabled state

A VLAN hopping attack would be successful

A VLAN hopping attack would be prevented

The attacker VLAN will be pruned

Denial of Service

MAC-Address spoofing

CAM-table overflow

VLAN hopping

Remove the autocommand keyword and arguments from the username admin privilege line.

Change the Privilege exec level value to 15

Remove the two Username Admin lines

Remove the Privilege exec line

AAA Summary

AAA Servers and Groups

Authentication Policies

Authorization Policies

Policy-based IPS

Anomaly-based IPS

Reputation-based IPS

Signature-based IPS

Process ID

Area ID

Administrative Distance Value

ABR ID

Interfaces on the same security level require additional configuration to permit interface communication.

Configuring interfaces on the same security level can use asymmetric routing.

All traffic is allowed by default between interfaces on the same security level.

You can configure only one interface on an individual security level.

0.0.0.31

0.0.0.27

0.0.0.224

0.0.0.255

Protocol used for filtering

Direction of the access class

Direction of the access group

Direction of the access list

To ensure that only authorized parties can modify data

To determine whether data is relevant

To create a process for accessing data

To ensure that only authorized parties can view the data

It encrypts the exchange using the server certificate

It encrypts the exchange using the client certificate

It validated the server-supplied certificate, and then encrypts the exchange using the client side certificate.

It validates the client-supplied certificate, and then encrypts the exchange using the server certificate.

The interface on both switches may shut down

STP loops may occur

The switch with the higher native VLAN may shut down

The switch with the lower native VLAN may shut down

Traffic between two interfaces in the same zone is allowed by default.

Traffic between interfaces in the same zone is blocked unless you configure the same security permit command,

Traffic between interfaces in the same zone is always blocked.

Traffic between interfaces in the same zone is blocked unless you apply a service policy to the zone pair.

The single-connection command causes the device to establish one connection for all TACACS translations.

The single-connection command causes the device to process one TACACS request and then move to the next server.

The timeout command causes the device to move to the next server after 20 seconds of TACACS inactivity

The router communicates with the NAS on the default port, TCP 1645

MAC spoofing

Gratuitous ARP

MAC flooding

DoS

Warning

Informational

Notification

Debugging

A stateful firewall

A personal firewall

A proxy firewall

An application firewall

A stateless firewall

Contextual analysis

Holistic understanding of threats

Graymail management and filtering

Signature-based IPS

Enable logging at the end of the session

Enable logging at the beginning of the session

Enable alerts via SNMP to log events off-box

Enable eStreamer to log events off-box

Every time a new update is available

When the local scanner has detected a new virus

When a new virus is discovered in the wild

When the system detects a browser hook

username cisco1 view lawful-intercept password cisco

parser view cisco li-view

li-view cisco user cisco1 password cisco

parser view li-view inclusive

Stateful packet

Application

Packet

Proxy