Securing Networks with Cisco Routers and Switches

1. Which two statements are true regarding classic Cisco IOS Firewall configurations? (Choose two.)
A. You can apply the IP inspection rule in the inbound direction on the trusted interface.
B. You can apply the IP inspection rule in the outbound direction on the untrusted interface.
C. For temporary openings to be created dynamically by Cisco IOS Firewall, the access list for the returning traffic must be a standard ACL.
D. For temporary openings to be created dynamically by Cisco IOS Firewall, you must apply the IP inspectionrule to the trusted interface.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the inbound access list on the trustedinterface must be an extended ACL.
Answer: AB

2. Refer to the exhibit. Why is the Cisco IOS Firewall authentication proxy not working?
A. The aaa authentication auth-proxy default group tacacs+ command is missing in the configuration.
B. The router local username and password database is not configured.
C. Cisco IOS authentication proxy only supports RADIUS and not TACACS+.
D. HTTP server and AAA authentication for the HTTP server is not enabled.
E. The AAA method lists used for authentication proxy should be named "pxy" rather than "default" to match the authentication proxy rule name.
Answer: D

3. Refer to the exhibit. What additional configuration is required for the Cisco IOS Firewall to reset the TCPconnection if any peer-to-peer, tunneling, or instant messaging traffic is detected over HTTP?
A. class-map configuration for matching peer-to-peer, tunneling, and instant messaging traffic over HTTP, and a policy map specifying the reset action
B. the port-misuse default action reset alarm command in the HTTP application firewall policy configuration
C. the PAM configuration for mapping the peer-to-peer, tunneling, and instant messaging TCP ports to the HTTPapplication
D. the ip inspect name firewall im, ip inspect name firewall p2p, and ip inspect name firewall tunnel commands
E. the service default action reset command in the HTTP application firewall policy configuration
Answer: B

4. Refer to the exhibit. Why is the Total Active Signatures count zero?
A. The 128MB.sdf file in flash is corrupted.
B. IPS is in fail-open mode.
C. IPS is in fail-closed mode.
D. IPS has not been enabled on an interface yet.
E. The flash:/128MB.sdf needs to be merged with the built-in signatures first.
Answer: D

5. Which three configurations are required to enable the Cisco IOS Firewall to inspect a user-defined application which uses TCP ports 8000 and 8001? (Choose three.)
A. access-list 101 permit tcp any any eq 8000 access-list 101 permit tcp any any eq 8001 class-map user-10 match access-group 101
B. policy-map user-10 class user-10 inspect
C. ip port-map user-10 port tcp 8000 8001 description "TEST PROTOCOL"
D. ip inspect name test appfw user-10
E. ip inspect name test user-10
F. int {type|number} ip inpsect name test in
Answer: CEF

6. What are two benefits of using an Ipsec GRE tunnel? (Choose two.)
A. It allows dynamic routing protocol to run over the tunnel interface.
B. It has less overhead than running Ipsec in tunnel mode.
C. It allows IP multicast traffic.
D. It requires a more restrictive crypto ACL to provide finer security control.
E. It supports the use of dynamic crypto maps to reduce configuration complexity.
Answer: AC

7. Refer to the DMVPN topology diagram in the exhibit. Which two statements are correct? (Choose two.)
A. The hub router needs to have EIGRP split horizon disabled.
B. At the Spoke A router, the next hop to reach the 192.168.2.0/24 network is 10.0.0.1.
C. Before a spoke-to-spoke tunnel can be built, the spoke router needs to send an NHRP query to the hub toresolve the remote spoke router physical interface IP address.
D. At the Spoke B router, the next hop to reach the 192.168.1.0/24 network is 172.17.0.1.
E. The spoke routers act as the NHRP servers for resolving the remote spoke physical interface IP address.
F. At the Spoke A router, the next hop to reach the 192.168.0.0/24 network is 172.17.0.1.
Answer: AC

8. Referring to a DMVPN hub router tunnel interface configuration, what can happen if the ip nhrp map multicastdynamic command is missing on the tunnel interface?
A. The NHRP request and response between the spoke router and hub router will fail.
B. The GRE tunnel between the hub router and the spoke router will be down.
C. The Ipsec peering between the hub router and the spoke router will fail.
D. The dynamic routing protocol between the hub router and the spoke router will fail.
E. The NHRP mappings at the spoke routers will be incorrect.
F. The NHRP mappings at the hub router will be incorrect.
Answer: D

9. Which three of these statements are correct regarding DMVPN configuration? (Choose three.)
A. If running EIGRP over DMVPN, the hub router tunnel interface must have "next hop self" enabled: ip next-hop-self eigrp AS-Number
B. If running EIGRP over DMVPN, the hub router tunnel interface must have split horizon disabled: no ip split-horizon eigrp AS-Number
C. The spoke routers must be configured as the NHRP servers: ip nhrp nhs spoke-tunnel-ip-address
D. At the spoke routers, static NHRP mapping to the hub router is required: ip nhrp map hub-tunnel-ip-address hub-physical-ip-address
E. The GRE tunnel mode must be set to point-to-point mode: tunnel mode gre point-to-point
F. The GRE tunnel must be associated with an Ipsec profile: tunnel protection ipsec profile profile-name
Answer: BDF

10. When you configure Cisco IOS WebVPN, you can use the port-forward command to enable which function?
A. web-enabled applications
B. Cisco Secure Desktop
C. full-tunnel client
D. thin clientE. CIFS
F. OWA
Answer: D

11. Refer to the exhibit. What additional configuration is required to enable split tunneling?
A. the reverse-route command under "crypto dynamic-map mode 1"
B. the include-local-lan under "crypto dynamic-map mode 1"
C. the match address 199 command under "crypto dynamic-map mode 1"
D. the acl 199 command under "crypto isakmp client configuration group cisco"
E. the include-local-lan command under "crypto isakmp client configuration group cisco"
F. the reverse-route command under "crypto isakmp client configuration group cisco"
Answer: D

12. Refer to the exhibit. Which two statements are true about the configurations shown? (Choose two.)
A. The clickable links will have a heading entitled "MYLINKS".
B. The home page will have three clickable links on it.
C. ACS will be used for remote-user authentication by default.
D. This is an example of a clientless configuration.
E. Thin client (port forwarding) has been enabled using the url-text command.
Answer: BD

13. Which two commands are used to only allow SSH traffic to the router Eth0 interface and deny othermanagement traffic (BEEP, FTP, HTTP, HTTPS, SNMP, Telnet, TFTP) to the router interfaces? (Choose two.)
A. interface eth0
B. control-plane host
C. policy-map type port-filter policy-name
D. service-policy type port-filter input policy-name
E. management-interface eth0 allow sshF. Line vty 0 5transport input ssh
Answer: BE

14. Refer to the exhibit. Which optional AAA or RADIUS configuration command is used to support 802.1x guestVLAN functionality?
A. aaa authentication dot1x default group radius
B. aaa authorization network default group radius
C. aaa accounting dot1x default start-stop group radius
D. aaa accounting system default start-stop group radius
E. radius-server host 10.1.1.1 auth-port 1812 acct-port 1813
Answer: B

15. When configuring FPM, what should be the next step after the PHDFs have been loaded?
A. Define a stack of protocol headers.
B. Define a traffic policy.
C. Define a service policy.
D. Define a class map of type "access-control" for classifying packets.
E. Reload the router.
F. Save the PHDFs to startup-config.
Answer: A

16. Refer to the exhibit. What traffic will be matched to the "qt-class" traffic class?
A. all traffic matched by the "host-protocols" named access list
B. all traffic matched by the "host-protocols" nested class map
C. all TCP and UDP protocol ports open on the router not specifically matched
D. all traffic other than SNMP and Telnet to the router
E. all other traffic arriving at the interface where the "qt-policy" policy map is applied Answer: C

17. When configuring ACS 4.0 Network Access Profiles (NAPs), which three things can be used to determinehow an access request is classified and mapped to a profile? (Choose three.)
A. Network Access Filters (NAFs)
B. RADIUS Authorization Components (RACs)
C. the authentication method
D. the protocol types
E. advance filtering
F. RADIUS VSAs
Answer: ADE

18. Cisco Easy VPN Server pushes parameters such as the client internal IP address, DHCP server IP address, andWINS server IP address to the Cisco Easy VPN Remote client during which of these phases?
A. IKE Phase 1 first message exchange
B. IKE Phase 2 last message exchange
C. IKE mode configuration
D. IKE XAUTH E. IKE quick mode
Answer: C

19. Which of these statements is correct regarding user setup on ACS 4.0?
A. In the case of conflicting settings, the settings at the group level override the settings configured at the user level.
B. A user can belong to more than one group.
C. The username can contain characters such as "#" and "?".
D. By default, users are assigned to the default group.
E. The ACS PAP password cannot be used as the CHAP password also.
Answer: D

20. Refer to the exhibit. When you configure DHCP snooping, which ports should be configured as trusted ?
A. port A only
B. port E only
C. ports B and C
D. ports A, B, and C
E. ports B, C, and E
F. ports A, B, C, and E
Answer: D

21. When you implement IBNS (802.1x authentication), what is defined using the Tunnel-Private-Group-ID (81)RADIUS attribute?
A. the EAP type
B. the shared secret key
C. the ACL name
D. the VLAN name
E. the NAPF. The NAF
Answer: D

22. Refer to the partial classic Cisco IOS Firewall configuration shown in the exhibit. Which three are the correctmissing configuration commands? (Choose three.)
A. 1=ip inspect myfw in
B. 1=ip access-group 51 in
C. 2=ip access-group 101 in
D. 2=ip inspect myfw out
E. 3=ip access-group 111 in
F. 3=ip inspect myfw in
Answer: ACE

23. Refer to the exhibit. Given that the fa0/1 interface is the trusted interface, what could be a reason for users on the trusted inside networks not to be able to successfully establish outbound HTTP connections?
A. The outgoing ACL on the fa0/1 interface is not set.
B. The FWRULE inspection policy is not inspecting HTTP traffic.
C. ACL 104 is denying the outbound HTTP traffic.
D. The outgoing inspection rule on the fa0/1 interface is not set.
E. ACL 104 is denying the return HTTP traffic.
F. The FWRULE inspection policy is not configured correctly.
Answer: C

24. Cisco IOS Zone-Based Firewall uses which of these to identify a service or application from traffic flowingthrough the firewall?
A. NBAR
B. extended access list
C. PAM table
D. deep packet inspection
E. application layer inspection
F. CEF table
Answer: C

25. Refer to the exhibit. Why is auth-proxy not working?
A. The AAA authentication method-list is not configured.
B. HTTPS is not enabled on the router.
C. The local username and password database is not configured.
D. The aaa authorization command is not correct.
E. The ip auth-proxy HQU interface configuration command is missing the in direction option.F. AAA accounting is not enabled.
Answer: D

26. Refer to the exhibit. Which two configuration commands are used to apply an inspect policy map for traffic traversing from the E0 or E1 interface to the S3 interface? (Choose two.)
A. zone-pair security test source Z1 destination Z2
B. interface E0
C. policy-map myfwpolicy class class-default inspect
D. ip inspect myfwpolicy out
E. ip inspect myfwpolicy in
F. service-policy type inspect myfwpolicy
Answer: AF

27. Refer to the exhibit. What will result from this zone-based firewall configuration?
A. All traffic from the private zone to the public zone will be dropped.
B. All traffic from the private zone to the public zone will be permitted but not inspected.
C. All traffic from the private zone to the public zone will be permitted and inspected.
D. All traffic from the public zone to the private zone will be permitted but not inspected.
E. Only HTTP and DNS traffic from the private zone to the public zone will be permitted and inspected.
F. Only HTTP and DNS traffic from the public zone to the private zone will be permitted and inspected.
Answer: A

28. What does this command do?router(config)# ip port-map user-1 port tcp 4001
A. enables application firewall inspection on a user-defined application that is mapped to TCP port 4001
B. enables NBAR to recognize a user-defined application on TCP port 4001
C. enables the Cisco IOS Firewall to inspect TCP port 4001 as part of the ip inspect name xxx TCP inspection rule
D. defines a user application in the PAM table where the user-defined application is called "user-1" and that application is mapped to TCP port 4001
Answer: D

29. Refer to the exhibit. Which two statements are correct? (Choose two.)
A. Cisco IOS IPS will fail-open.
B. The basic signatures (previously known as 128MB.sdf) will be used if the built-in signatures fail to load.
C. The built-in signatures will be used.
D. SDEE alert messages will be enabled.E. syslog alert messages will be enabled.
Answer: AC

30. When verifying Cisco IOS IPS operations, when should you expect Cisco IOS IPS to start loading the signatures?
A. immediately after you configure the ip ips sdf location flash:filename command
B. immediately after you configure the ip ips sdf builtin command
C. after you configure a Cisco IOS IPS rule in the global configuration
D. after traffic reaches the interface with Cisco IOS IPS enabled
E. when the first Cisco IOS IPS rule is enabled on an interface
F. when the SMEs are put into active state using the ip ips name rule-name command Answer: E