Which action best describe a MAC address spoofing attack?
Altering the MAC address of an attacking host to match that of a legitimate host.
Bombarding a switch with fake source MAC addresses.
Forcing the election of a rogue root bridge
Flooding the LAN with excessive traffic
What functionality is provided by Cisco SPAN in a switched network?
It mitigates MAC address overflow attacks.
It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.
It protects the switched network from receiving BPDUs on ports that should not be receiving them.
It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.
It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.
What precaution should be considered when the no service password–recovery command has been issued on an IOS device?
The passwords in the configuration files are in clear text.
IOS recovery requires a new system flash with the IOS image.
When the password is lost, access to the device will be terminated.
The device must use simple password authentication and cannot have user authentication.
A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?
Authenticates a packet using the SHA algorithm only.
Authenticates a packet by a string match of the username or community string.
Authenticates a packet by using either the HMAC with MD5 method or the SHA method.
Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms.
Refer to the exhibit. Which type of VPN is implemented?
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 2
Refer to the exhibit. What will be the effect of the commands that are shown on R1?
Authentication with the NTP master will be successful, and R1 will get the time from the NTP master.
Authentication with the NTP master will be successful, but R1 will not get the time from the NTP master.
Authentication with the NTP master will fail, and R1 will get the time from the NTP master.
Authentication with the NTP master will fail, and R1 will not get the time from the NTP master.
What login enhancement configuration command helps successive login DoS attacks?
Service password-encryption
Attacks that prevent users from accessing network services
Attacks that modify or corrupt traffic as that traffic travels across the network
Attacks that exploit vulnerabilities to gain access to sensitive information
Attacks that involve the unauthorized discovery and mapping of systems, services, and vulnerability
Nov 30 11:00:24 EST: %SYS-5-CONFIG-I: Configured from console by vty0 (10.64.2.2)
Refer to the exhibit. An administrator is examining the message in a syslog server. What can be determined from the message?
This is a notification message for a normal but significant condition
This is an alert message for which immediate action is needed
This is an error message for which warning conditions exist.
This is an error message indicating the system is unusable
Which three major subpolicies should comprise a comprehensive security policy that meets the security needs of a typical enterprise? (Choose three)
R1(config)# logging host 10.1.1.17
R1(config)# logging trap errors
R1(config)# logging source-interface loopback 0
R1(config)# logging on
Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
14.
Which mitigation technique can help prevent MAC table overflow attacks?
15.
An organization requires that individual users be authorized to issue specific Cisco IOS commands. Which AAA protocols support this requirement?
TACACS+ because it separates authentication and authorization, allowing for more customization.
RADIUS because it supports multiple protocols, including ARA and NetBEUI.
TACACS+ because it supports extensive accounting on a per-user or per-group basis.
RADIUS because it implements authentication and authorization as one process.
Refer to the exhibit. Based on the IPS configuration that is provided, which statement is true?
The signatures in all categories will be retired and not be used by the IPS.
The signatures in all categories will be compiled into memory and used by the IPS.
Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS.
The signatures in the ios_ips basic category will be retired and the remaining signatures will be compiled into memory and used by the IPS.
Refer to the exhibit. Based on the provided configuration, which traffic will be examined by the IPS that is configured on router R1?
Traffic that is initiated from LAN 1 and LAN 2
Http traffic that is initiated from LAN 1
Return traffic from the web server
Traffic that is destined to LAN 1 and LAN 2
No traffic will be inspected
Refer to the exhibit. An administrator is configuring ZPF using the SDM Basic Firewall Configuration wizard. Which command is generated after the administrator selects the Finish button?
Zone security Out-zone on interface Fa0/0
Zone security Out-zone on interface S0/0/0
Zone member security Out-zone on interface Fa0/0
Zone member security Out-zone on interface s0/0/0
Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two)
Multiple ACLs per protocol and per direction can be applied to an interface.
If an ACL contains no permit statements, all traffic is denied by default.
The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.
Standard ACLs are placed closest to the source, whereas Extended ACLs are placed closest to the destination.
If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.
Choose three)
Which three statements are characteristics of the IPsec protocol?
IPsec is a framework of open standards.
IPsec is implemented at Layer 4 of the OSI model.
IPsec ensures data integrity by using a hash algorithm.
IPsec uses digital certificates to guarantee confidentiality
IPsec is bound to specific encryption algorithms, such as 3DES and AES.
IPsec authenticates users and devices that communicate independently.
Which three additional precautions should be taken when remote access is required in addition to local access of networking devices? (Choose three)
A legal notice should not be displayed when access is obtained.
All activity to the specified ports that are required for access should be unrestricted.
All configuration activities should required the use of SSH or HTTPS.
All administrative traffic should be dedicated to the management network.
The number of failed login attempts should not be limited, but the time between attempts should.
Packet filtering should be required so that only identified administration hosts and protocols can gain access.
Which statement describes a factor to be considered when configuring a zone-based policy firewall?
An interface can belong to multiple zones.
The router always filters the traffic between interfaces in the same zone.
The router always filters the traffic between interfaces in the same zone.
A zone must be configured with the zone security global command before it can be used in the zone-member security command.
What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?
The Cisco IOS image file is not visible in the output of the show flash command.
The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.
The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.
When the router boots up, the Cisco IOS image is loaded from a secure FTP location
What are three common examples of AAA implementation on Cisco routers? (Choose three)
Authenticating administrator access to the router console port, and vty ports
Authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
Implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
Implementing command authorization with TACACS+
Securing the router by locking down all unused services
Tracking Cisco Netflow accounting statistics
When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
The violation mode for the port is set to restrict.
The MAC address table is cleared, and the new MAC address is entered into the table.
The port remains enabled, but the bandwidth is throttled until the old MAC addresses are aged out.
Which three statements describe the IPsec protocol framework? (Choose three)
AH provides encryption and integrity.
AH provides integrity and authentication.
ESP uses UDP protocol 50.
ESP requires both authentication and encryption.
ESP provides encryption, authentication, and integrity.
Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privileged users
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tedious process
It is required that all 16 privilege levels be defined, whether they are used
