Question 1
Question
Which statement describes a stateful firewall?
Answer
- It can only filter packets based on limited Layer 3 and 4 information.
- It can filter packets based on information at Layers 3, 4, 5 and 7 of the OSI reference model.
- It can expand the number of IP addresses available and can hide network addressing design.
- It can determine if the connection is in the initiation, data transfer, or termination phase.
Question 2
Question
What are two characteristics of ACLs? (Choose two.)
Answer
- Extended ACLs can filter on destination TCP and UDP ports.
- Standard ACLs can filter on source TCP and UDP ports.
- Extended ACLs can filter on source and destination IP addresses.
- Standard ACLs can filter on source and destination IP addresses.
- Standard ACLs can filter on source and destination TCP and UDP ports.
Question 3
Question
In general, which ICMP message type should be stopped inbound?
Answer
- echo
- echo-reply
- unreachable
- source quench
Question 4
Question
Which two types of addresses should be denied inbound on a router interface that attaches to the Internet? (Choose two.)
Answer
- private IP addresses
- public IP addresses
- NAT translated IP addresses
- any IP address that starts with the number 127
- any IP address that starts with the number 1
Question 5
Question
Where is the firewall policy applied when using Classic Firewall?
Answer
- security zones
- self zone
- multiple zones
- interfaces
Question 6
Question
Consider the following access list command applied outbound on a router serial interface:
access-list 100 deny icmp 192.168.10.0 0.0.0.255 any echo-reply
What is the effect of applying this access list command?
Answer
- The only traffic denied is ICMP-based traffic. All other traffic is allowed.
- The only traffic denied is echo-replies sourced from the 192.168.10.0/24 network. All other traffic is allowed.
- Users on the 192.168.10.0/24 network are not allowed to transmit traffic to any other destination.
- No traffic will be allowed outbound on the serial interface.
Question 7
Question
What is the result in the self zone if a router is the source or destination of traffic?
Answer
- No traffic is permitted.
- All traffic is permitted.
- Only traffic that originates in the router is permitted.
- Only traffic that is destined for the router is permitted.
Question 8
Question
Consider the configured access list.
R1# show access-lists
extended IP access list 100
deny tcp host 10.1.1.2 host 10.1.1.1 eq telnet
deny tcp host 10.1.2.2 host 10.1.2.1 eq telnet
permit ip any any (15 matches)
What are two characteristics of this access list? (Choose two.)
Answer
- The access list has been applied to an interface.
- A network administrator would not be able to tell if the access list has been applied to an interface or not.
- The 10.1.2.1 device is not allowed to telnet to the 10.1.2.2 device.
- Any device on the 10.1.1.0/24 network (except the 10.1.1.2 device) can telnet to the router that has the IP address 10.1.1.1 assigned.
- Only the 10.1.1.2 device can telnet to the router that has the 10.1.1.1 IP address assigned.
- Any device can telnet to the 10.1.2.1 device.
Question 9
Question
Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?
Answer
- The packet is forwarded, and an alert is generated.
- The packet is forwarded, and no alert is generated.
- The initial packet is dropped, but subsequent packets are forwarded.
- The packet is dropped.
Question 10
Question
Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?
Answer
- ipv6 access-class ENG_ACL in
- ipv6 access-class ENG_ACL out
- ipv6 traffic-filter ENG_ACL in
- ipv6 traffic-filter ENG_ACL out
Question 11
Question
Refer to the exhibit. Which statement describes the function of the ACEs?
Answer
- These ACEs allow for IPv6 neighbor discovery traffic.
- These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur.
- These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.
- These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP messages that are defined in object groups named nd-na and nd-ns.
Question 12
Question
A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?
Answer
- A dynamic ACL entry is added to the external interface in the inbound direction.
- The internal interface ACL is reconfigured to allow the host IP address access to the Internet.
- The entry remains in the state table after the session is terminated so that it can be reused by the host.
- When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.
Question 13
Question
If the provided statements are in the same ACL, which statement should be listed first in the ACL according to best practice?
Answer
- permit ip any any
- permit udp 172.16.0.0 0.0.255.255 host 172.16.1.5 eq snmptrap
- permit tcp 172.16.0.0 0.0.3.255 any established
- permit udp any any range 10000 20000
- deny udp any host 172.16.1.5 eq snmptrap
- deny tcp any any eq telnet
Question 14
Question
Which command will verify a Zone-Based Policy Firewall configuration?
Answer
- show interfaces
- show protocols
- show zones
- show running-config
Question 15
Question
Refer to the exhibit. The network "A" contains multiple corporate servers that are accessed by hosts from the Internet for information about the corporation. What term is used to describe the network marked as "A"?
Question 16
Question
When a Cisco IOS Zone-Based Policy Firewall is being configured, which two options can be configured to a traffic class? (Choose two of the best.)
Answer
- log
- hold
- drop
- inspect
- copy
- forward