110 Cards in this Set

QUESTION 1:
A few small Certkiller locations use HFC cable to connect to the Certkiller WAN.
Which HFC cable network statement is true about the downstream data channel to
the customer and the upstream data channel to the service provider?
A. The upstream data path is assigned a channel in a higher frequency range than the
downstream path has.
B. The downstream data path is assigned a 30 MHz channel and the upstream data path is
assigned a 1 MHz channel.
C. The downstream data path is assigned a fixed bandwidth channel and the upstream
data path uses a variable bandwidth channel.
D. Both upstream and downstream data paths are assigned in 6 MHz channels.
E. None of the above.
D. Both upstream and downstream data paths are assigned in 6 MHz channels.
QUESTION 2:
Many small Certkiller branch offices use broadband cable for data connection
access. Which three modulation signaling standards are used in broadband cable
technology? (Select three)
A. S-Video
B. NTSC
C. SECAM
D. PAL
E. FEC
F. FDM
G. MLP
B, C, D
QUESTION 3:
Some of the smaller Certkiller locations use HFC cable to connect to the Certkiller
WAN. Which two statements are true about broadband cable (HFC) systems?
(Select two)
A. Cable modems operate at Layers 1, 2, and 3 of the OSI model.
B. Cable modems operate at Layers 1 and 2 of the OSI model.
C. A function of the cable modem termination system is to convert the digital data stream
from the end user host into a modulated RF signal for transmission onto the cable system.
D. Cable modems only operate at Layer 1 of the OSI model.
E. A function of the cable modem termination system (CMTS) is to convert the
modulated signal from the cable modem into a digital signal.
B,E
QUESTION 4:
A Certkiller remote user is getting Internet access from the local cable provider.
When an individual is connected to the Internet by way of a CATV cable service,
what kind of traffic is considered upstream traffic?
A. Traffic going from the user's home traveling to the headend.
B. Broadcast traffic, including the cable TV signals.
C. Traffic between the headend and the TV signal.
D. Traffic between the headend and the supplier antenna.
E. Traffic from outside the local cable segment serving the user's home.
F. All of the above can be considered upstream
A
QUESTION 5:
A new cable modem was shipped to the home of a Certkiller user, where it is being
installed for the first time. When a DOCSIS 1.1 compliant cable modem first
initializes (boots up), what does it do?
A. Establishes IP connectivity (DHCP).
B. Determines the time of day.
C. Requests a DOCSIS configuration file from a TFTP server.
D. Scans for a downstream channel and establishes timing synchronization with
the CMTS.
E. None of the above
D.
QUESTION 98:
You need to configure Easy VPN on a new Certkiller router using the SDM. Which
two statements are true about the use of SDM to configure the Cisco Easy VPN
feature on a router? (Select two)
A. The Easy VPN server address must be configured when configuring the SDM Easy VPN Server wizard.
B. An Easy VPN connection is a connection that is configured between two Easy VPN clients.
C. The SDM Easy VPN Server wizard displays a summary of the configuration before applying the VPN config.
D. The SDM Easy VPN Server wizard recommends using the Quick setup feature when
configuring a dynamic multipoint VPN.
E. The SDM Easy VPN Server wizard can be used to configure user XAuth
authentication locally on the router or externally with a RADIUS server.
F. The SDM Easy VPN Server wizard can be used to configure a GRE over IPSec
site-to-site VPN or a dynamic multipoint VPN (DMVPN).
C,E
QUESTION 99:
Certkiller uses the Easy VPN feature to connect remote users to the corporate
network. Which three statements about the Cisco Easy VPN feature are true?
(Select three)
A. If the VPN server is configured for Xauth, the VPN client waits for a username /
password challenge.
B. The VPN client initiates aggressive mode (AM) if a pre-shared key is used for
authentication during the IKE phase 1 process.
C. When connecting with a VPN client, the VPN server must be configured for ISAKMP
group 1, 2 or 5.
D. The Cisco Easy VPN feature only supports transform sets that provide authentication
and encryption.
E. The VPN server can only be enabled on Cisco PIX Firewalls and Cisco VPN 3000
series concentrators.
F. The VPN client verifies a server username/password challenge by using a AAA
authentication server that supports TACACS+ or RADIUS.
A,B,D
QUESTION 100:
A new Certkiller router was configured as shown in the exhibit below:


Based on the information above, what two types of attacks does this IOS firewall
configuration prevent? (Select two)
A. Trojan horse
B. Java applets
C. DDOS
D. SYN flood
E. packet sniffers
C,D
QUESTION 101:
The Certkiller security administrator is concerned about network attacks. Which
two network attack statements are true? (Select two)

A. Access attacks can consist of UDP and TCP SYN flooding, ICMP echo-request
floods, and ICMP directed broadcasts.
B. IP spoofing can be reduced through the use of policy-based routing.
C. DoS attacks can be reduced through the use of access control configuration,
encryption, and RFC 2827 filtering.
D. DoS attacks can consist of IP spoofing and DDoS attacks.
E. IP spoofing exploits known vulnerabilities in authentication services, FTP services,
and web services to gain entry to web accounts, confidential databases, and other
sensitive information.
F. Access attacks can consist of password attacks, trust exploitation, port redirection, and
man-in-the-middle attacks.
D,F
QUESTION 102:
The Certkiller security administrator is concerned about the use of unauthorized
packet sniffers on the network. Which two statements below about packet sniffers
or packet sniffing are true? (Select two)
A. To reduce the risk of packet sniffing, cryptographic protocols such as Secure Shell
Protocol (SSH) and Secure Sockets Layer (SSL) should be used.
B. Packet sniffers can only work in a switched Ethernet environment.
C. To reduce the risk of packet sniffing, traffic rate limiting and RFC 2827 filtering
should be used.
D. A packet sniffer requires the use of a network adapter card in nonpromiscuous mode
to capture all network packets that are sent across a LAN.
E. To reduce the risk of packet sniffing, strong authentication, such as one time
passwords, should be used.
A,E
QUESTION 103:
The security administrator is implementing Cisco tools to mitigate the risks of
network attacks. Which two statements about common network attacks are true?
(Select two)
A. Access attacks can consist of password attacks, trust exploitation, port redirection, and
man-in-the-middle attacks.
B. Reconnaissance attacks can consist of password attacks, trust exploitation, port
redirection and Internet information queries.
C. Access attacks can consist of password attacks, ping sweeps, port scans, and
man-in-the-middle attacks.
D. Reconnaissance attacks can consist of packet sniffers, port scans, ping sweeps, and
Internet information queries.
E. Reconnaissance attacks can consist of ping sweeps, port scans, man-in-middle attacks
and Internet information queries.
F. Access attacks can consist of packet sniffers, ping sweeps, port scans, and
man-in-the-middle attacks.
A,D
QUESTION 104:
The Certkiller security administrator is concerned about reconnaissance attacks.
Which two protocols can be used to prevent a reconnaissance attack? (Select two)
A. IPsec
B. NTP
C. SNMP
D. SSH
E. Telnet
F. FTP
A,D
QUESTION 105:
You want to be sure to protect the Certkiller network against reconnaissance
attacks. What technique can help to counter a reconnaissance attack?
A. Implement a switched infrastructure.
B. Disable port redirection.
C. Disable accounts after a specific number of unsuccessful logins.
D. Configure RFC 2827 filtering.
E. None of the above.
A
QUESTION 106:
The Certkiller network is concerned about security attacks. Which can be used to
mitigate Trojan horse attacks?
A. RFC 2827 filtering
B. Implementation of traffic rate limiting
C. The disabling of port redirection
D. The use of antivirus software
E. Implementing anti-DoS features
F. None of the above
D
QUESTION 107:
The Certkiller security administrator is researching ways to prevent worm attacks
on Certkiller devices. What is a possible way to prevent a worm attack on a host PC?
A. Implement TACACS+.
B. Enable SSH.
C. Enable encryption.
D. Keep the operating system current with the latest patches.
E. None of the above
D
QUESTION 108:
The Certkiller security administrator is implementing Cisco devices to mitigate the
threat of worms and viruses. Which two statements about worms, viruses, or Trojan
horses are true? (Select two)
A. A virus cannot spread to a new computer without human assistance.
B. A worm can spread itself automatically from one computer to the next over an
unprotected network.
C. A virus has three components: an enabling vulnerability, a propagation mechanism,
and a payload.
D. A Trojan horse virus propagates itself by infecting other programs on the same computer.
E. A Trojan horse has three components: an enabling vulnerability, a propagation
mechanism, and a payload.
F. A worm is a program that appears desirable but actually contains something harmful.
A,B
QUESTION 109:
The Certkiller security administrator needs to mitigate the effects of a recent worm
attack that has affected the network. What are the four steps, in their correct order,
to mitigate a worm attack?
A. Preparation, Identification, Traceback, and postmortem
B. Contain, Inoculate, Quarantine, and Treat
C. Identification, Inoculation, Postmortem, and Reaction
D. Preparation, Classification, Reaction, and Treat
E. Inoculate, Contain, Quarantine, and Treat
F. Quarantine, Contain, and Treat
B
QUESTION 110:
The Certkiller Security Administrator is concerned about network attacks. How can
application layer attacks be mitigated?
A. Disable port redirection.
B. Implement traffic rate limiting.
C. Install the latest patches.
D. Implement Anti-DoS features.
E. Implement RFC 2827 filtering
C
QUESTION 111:
You need to enhance the security of network management protocol traffic across the
Certkiller WAN. Which procedure is recommended to protect SNMP from
application layer attacks?
A. Use SNMP version 2.
B. Implement RFC 2827 filtering.
C. Configure SNMP with only read-only community strings.
D. Create an access list on the SNMP server.
E. None of the above.
C
QUESTION 112:
The Certkiller network administrator has enabled the AutoSecure feature on a new
Certkiller router. What is one benefit of AutoSecure?
A. A multiuser logon screen is created with different privileges assigned to each member.
B. By default, all passwords are encrypted with level 7 encryption.
C. By default, a password is enabled on all ports.
D. Command line questions are created that automate the configuration of security
features.
E. None of the above.
D
QUESTION 113:
In order to enhance the security of a Certkiller router, One-Step Lockdown was
used. Which two actions will take place when One-Step Lockdown is implemented?
(Select two)
A. A banner will be set.
B. Logging will be enabled.
C. Security passwords will be required to be a minimum of 8 characters.
D. CDP will be enabled.
E. Telnet settings will be disabled.
F. None of the above
A,B
QUESTION 114:
To enhance the security of the Certkiller network, you have enabled the AutoSecure
feature on every router. Which two statements about the AutoSecure feature are
true? (Select two)
A. To enable AutoSecure, the "auto secure" global configuration command must be used.
B. AutoSecure automatically disables the CDP feature.
C. The auto secure full command automatically configures the management and
forwarding planes without any user intervention.
D. If you enable AutoSecure, the minimum length of the login and enable passwords is
set to 6 characters.
E. Once AutoSecure has been configured the user can launch the SDM Web interface to
perform a security audit.
B,D
QUESTION 115:
In order to increase the security of the Certkiller network, the security
administrator has enabled the AutoSecure feature in all the Certkiller routers. Which
two statements about the Cisco AutoSecure feature are true? (Select two)
A. The auto secure command can be used to secure the router login as well as the NTP
and SSH protocols.
B. For an interactive full session of AutoSecure, the auto secure login command should
be used.
C. If the SSH server was configured, the 1024 bit RSA keys are generated after the auto
secure command is enabled.
D. Cisco123 would be a valid password for both the enable password and the enable
secret commands.
E. All passwords entered during the AutoSecure configuration must be a minimum of 8
characters in length.
A,C
QUESTION 116:
The following configuration was created automatically on a Certkiller router:

Based on the output shown above, what Cisco feature generated the configuration?
A. AAA
B. EZ VPN
C. IOS Firewall
D. IOS IPS
E. AutoSecure
F. TACACS+
G. None of the above
E
QUESTION 117:
A Certkiller router has been configured using the Authentication Proxy feature.
Which statement best describes this feature?
A. All traffic is permitted from the inbound to the outbound interface upon successful
authentication of the user.
B. Prior to responding to a proxy ARP, the router will prompt the user for a login and
password which are authenticated based on the configured AAA policy.
C. The proxy server capabilities of the IOS Firewall are enabled upon successful
authentication of the user.
D. A specific access profile is retrieved from a TACACS+ or RADIUS server and
applied to an IOS Firewall based on user provided credentials.
D
QUESTION 118:
Part of the Configuration file of an existing Certkiller router is shown below:
Based on the information above, which two statements about the AAA configuration
are true? (Select two)
A. If a TACACS+ server is not available, then the user Certkiller could be able to enter
privileged mode as long as the proper enable password is entered.
B. Two authentication options are prescribed by the displayed aaa authentication
command.
C. The aaa new-model command forces the router to override every other authentication
method previously configured for the router lines.
D. A good security practice is to have the none parameter configured as the final method
used to ensure that no other authentication method will be used.
E. To increase security, group radius should be used instead of group tacacs+.
F. If a TACACS+ server is not available, then a user connecting via the console port
would not be able to gain access since no other authentication method has been defined.
B,C
QUESTION 119:
You have been tasked with setting up AAA services on a new Certkiller router.
Which command sequence is an example of a correctly configured AAA
configuration that uses the local database?
A. Certkiller 3(config)# aaa new-model
Certkiller 3(config)# tacacs-server host 10.1.1.10
Certkiller 3(config)# tacacs-server key Certkiller 123
Certkiller 3(config)# aaa authentication login LOCAL_AUTH group tacacs+
Certkiller 3(config)# line con 0
Certkiller 3(config-line)# login authentication LOCAL_AUTH
B. Certkiller 3(config)# username Certkiller password Certkiller
Certkiller 3(config)# aaa new-model
Certkiller 3(config)# aaa authentication login LOCAL_AUTH local
Certkiller 3(config)# line con 0
Certkiller 3(config-line)# login authentication LOCAL_AUTH
C. Certkiller 3(config)# username Certkiller password Certkiller
Certkiller 3(config)# aaa new-model
Certkiller 3(config)# aaa authentication login LOCAL_AUTH local
Certkiller 3(config)# line con 0
Certkiller 3(config-line)# login authentication default
D. Certkiller 3(config)# aaa new-model
Certkiller 3(config)# tacacs-server host 10.1.1.10
Certkiller 3(config)# tacacs-server key Certkiller 123
Certkiller 3(config)# aaa authentication login LOCAL_AUTH group tacacs+
Certkiller 3(config)# line con 0
Certkiller 3(config-line)# login authentication default
B
QUESTION 120:
AAA has been configured on a Certkiller IOS firewall. Which firewall feature allows
per-user policy to be downloaded dynamically to the router from a TACACS+ or
RADIUS server using AAA services?
A. Port-to-Application Mapping (PAM)
B. Intrusion Prevention System
C. Lock-and-Key (dynamic ACLs)
D. Authentication Proxy
E. Reflexive ACLs
F. None of the above
D
QUESTION 121:
Router Certkiller 1 was configured as shown below:
Based on the partial configuration shown above, which two statements are true?
(Select two)
A. To make the configuration more secure, the none parameter should be added to the
end of the aaa authentication login LOCAL_AUTH local command.
B. This is an example of a self-contained AAA configuration using the local database.
C. If configured, the enable password could also be used to log into the console port.
D. The command aaa authentication default should be issued for each line instead of the
login authentication LOCAL_AUTH command.
E. The local parameter is missing at the end of each aaa authentication LOCAL-AUTH
command.
F. To successfully establish a Telnet session with Certkiller 1, a user can enter the
username Certkiller and password Certkiller 101.
B,F
QUESTION 122:
The "aaa authentication enable default group radius enable" command was enabled
on a Certkiller router. What is true regarding this command?
A. If the radius server returns a 'failed' message, the enable password will be used.
B. If the radius server returns an error, the enable password will be used.
C. The command login authentication group will associate the AAA authentication to a
specified interface.
D. If the group database is unavailable, the radius server will be used.
E. None of the above.
B
QUESTION 123:
Your absent minded junior administrator has enabled AAA authentication on the
Certkiller network, but forgot to set the authentication. What will happen when a
user tries to log in?
A. Disallow a user from access to all resources after login.
B. Allow any user to login without checking the authentication data.
C. Record all access of resources and how long the user accessed each resource.
D. Allow a user to access all resources after login.
E. Not to record any access of resources after login.
F. Disallow any user from logging in with or without a valid username and password.
G. None of the above
F
QUESTION 124:
What six types of accounting information does a TACACS+ / RADIUS server
record?
A. Connection, protocol, system, network, command, and resource
B. Resource, interface, connection, system, command, and network
C. Command, system, exec, network, connection, and resource
D. Network, interface, exec, protocol, system, and resource
E. Crypto, system, network, protocol, command, and resource
F. None of the above
C
QUESTION 125:
On one of the Certkiller routers the following configuration command was issued:
Certkiller A(config)#aaa authentication login default group tacacs+ none
What is this command used for?
A. It uses the list of servers specified in group "TACACS+", if none are available, then
no access is permitted.
B. It uses the list of TACACS+ servers for authentication, if TACACS+ fails then uses
no authentication.
C. It uses the list of TACACS+ servers for authentication, if TACACS+ fails then no
access is permitted.
D. No authentication is required to login.
E. It uses a subset of TACACS+ servers named "group" for authentication as defined by
the aaa group servers tacacs+ command.
F. TACACS+ is the first default authentication method
B
QUESTION 126:
You have just received a brand new Cisco router and need to configure auditing on
it. What command would you use to enable auditing of the privileged mode access
commands?
A. aaa accounting enable 15
B. ip audit enable
C. aaa accounting command 15
D. aaa accounting enable priv
E. None of the above
C
QUESTION 127:
You are a senior network administrator and your junior administrator didn't arrive
to work because he claimed he was sick. So you give him an assignment to do from
home via Telnet. So, from his home, he logged onto the company's router and
entered the following command:
Router(config)#aaa new-model
Before entering anything else, the lazy junior administrator (with the intention of
being cautious) thought it would be safe to save the configuration to NVRAM, log
off from telnet and take a break for a few hours. Assuming that no local username
or password exists on the router database, what will happen when the administrator
tries to immediately establish another telnet session? (Choose two)
A. The session asks for a username that may not exist.
B. The router requires a reboot so the administrator can log in.
C. The administrator must access the router through the console port to login.
D. The administrator can log in without using a password.
E. None of the above
A,C
QUESTION 128:
Given the following configuration on a Certkiller router, which two statements about
the router are true? (Choose two.)
Certkiller 1(config)# aaa authentication login default group tacacs+ none
A. No authentication is required to login.
B. It uses TACACS+ as the first default authentication method.
C. It uses the default local database for authentication. If authentication fails, then no
access is permitted.
D. It uses the list of servers specified in group "TACACS+". If none are available, then
no access is permitted.
E. It uses the list of TACACS+ servers for authentication. If the TACACS+ authentication
servers are unavailable, then the router uses no authentication.
F. It uses a subset of TACACS+ servers named "group" for authentication as defined by
the aaa group server tacacs+ command.
B,E
QUESTION 129:
A portion of the Certkiller network is shown below:
Part of the Certkiller router configuration is shown below:

ck1 (config)# access-list 150 permit tcp any 10.10.10.0 0.0.0.255 established
ck1 (config)# access-list 150 deny ip any any
CK1(config)# interface fa0/0
CK1(config-if)# ip access-group 150 in
Based on the information above, what is the result of the ACL configuration that is
displayed?
A. TCP responses from the outside network for TCP connections that originated on the
inside network are allowed.
B. TCP responses from the inside network for TCP connections that originated on the
outside network are denied.
C. Any inbound packet with the SYN flag set to be routed is permitted.
D. Inbound packets to request a TCP session with the 10.10.10.0/24 network are allowed.
E. None of the above
A
QUESTION 130:
A Certkiller router interface is configured with an inbound access control list and an
inspection rule. How will an inbound packet on this interface be processed?
A. The packet is processed by the inspection rule. If the packet does not match the
inspection rule, the inbound ACL is invoked.
B. The packet is processed by the inspection rule. If the packet matches the inspection
rule, the inbound ACL is invoked.
C. The packet is processed by the inbound ACL. If the packet is not dropped by the ACL,
it is processed by the inspection rule.
D. The packet is processed by the inbound ACL. If the packet is dropped by the ACL, it
is processed by the inspection rule.
E. None of the above.
C
QUESTION 131:
You need to add an access list to a Certkiller router in order to increase the security
of the network. Which two statements are correct about mitigating attacks by the
use of access control lists? (Select two)
A. Ensure that earlier statements in the ACL do not negate any statements that are found
later in the list.
B. Denied packets should be logged by an ACL that traps informational (level 6)
messages.
C. Each ACL that is created ends with an implicit permit all statement.
D. More specific ACL statements should be placed earlier in the ACL.
E. Extended ACLs on routers should always be placed as close to the destination as
possible.
F. IP packets that contain the source address of any internal hosts or networks inbound to
a private network should be permitted.
B,D
QUESTION 132:
While you were on your lunch break your apprentice trainee was busy configuring
access lists. When you return to your workstation you find the following
configuration:
access-list 101 permit ip any any
access-list 101 deny tcp any any eq ftp
dialer-list 2 protocol ip list 101
What is true about the configuration that your trainee entered? (Choose all that
apply)
A. FTP traffic will be forwarded.
B. Since FTP uses two sockets, both must be defined to prevent packet forwarding.
C. FTP will cause the line to come up in a dialer or ISDN interface.
D. FTP traffic will not be forwarded.
A, C
QUESTION 133:
You need to configure NTP on a new Certkiller router. Which statement is true
about a router configured with the "ntp trusted-key 10" command?
A. The IOS will not permit "10" as an argument to the ntp trusted-key command.
B. This router only synchronizes to a system that uses this key in its NTP packets.
C. This router will join an NTP multicast group where all routers share the same trusted
key.
D. This command enables DES encryption of NTP packets.
B
QUESTION 134:
You are configuring NTP on a new Certkiller router. Which global configuration
mode command will configure a Cisco router as an authoritative NTP server?
A. ntp peer
B. ntp master
C. ntp broadcast
D. ntp server
E. None of the above
B
QUESTION 135:
You have been tasked with configuring security features on a new Cisco device.
Which statement is true about the superview of Role-Based CLI?
A. Commands cannot be directly configured for a superview.
B. Any user with level 15 privileges can create or modify views and superviews.
C. A CLI view cannot be shared by multiple superviews.
D. The maximum number of CLI views which can exist is limited only by the amount of
flash available.
E. None of the above
A
QUESTION 136:
Part of the configuration file of a Certkiller router is shown in the exhibit below:
SDM has added the commands in the exhibit to the Certkiller router's configuration.
What are three objectives that the commands above accomplish? (Select three)
A. Sets the maximum number of unsuccessful SSH login attempts to two before locking
access to the router
B. Specifies SSH for remote management access
C. Inspects SSH packets across all enabled interfaces every 60 seconds
D. Prevents Telnet access to the device unless it is from the SDM workstation
E. Sets the SSH timeout value to 60 seconds, a value that causes incomplete SSH
connections to shut down after 60 seconds
F. Forces the user to authenticate twice to prevent man-in-the-middle attacks
A, B, E
QUESTION 137:
A new Certkiller router is being configured for the Network Time Protocol (NTP).
Which statement is true about the global configuration command ntp server
198.133.219.25?
A. The command configures the router to be the NTP time source for a peer located at IP
address 198.133.219.25.
B. Entering the command ntp server 198.133.219.26 would replace the original command
ntp server 198.133.219.25.
C. The command configures the router to provide the date and clock setting for a host
located at IP address 198.133.219.25.
D. The command configures the router to synchronize with an NTP time source located
at IP address 198.133.219.25.
E. None of the above.
D
QUESTION 138:
Router Certkiller 2 is configured as shown below:

CK2# config t
CK2 (config)# logging host 192.168.2.7
CK2 (config)# logging trap informational
CK2 (config)# exit
CK2# debug ip ssh
incoming ssh debugging is on
CK2
Debug information exhibit:

A user is unable to initiate an SSH session with Certkiller 2. To help troubleshoot the
problem, Certkiller 2 has been configured as indicated in the exhibit. However, a
second attempt to initiate an SSH connection to Certkiller 2 fails to generate debug
information on the Syslog server. What configuration change would display the
debug information on the Syslog server?
A. Router Certkiller 2 must be configured with the logging trap debugging global
configuration command.
B. Router Certkiller 2 must be configured with the logging buffered informational global
configuration command.
C. Router Certkiller 2 should be configured with the debug ip packet EXEC command.
D. Router Certkiller 2 must be configured with the correct Syslog IP address.
E. Router Certkiller 2 must be configured with the logging monitor debugging global
configuration command.
F. None of the above.
A
QUESTION 139:
The following output was shown on router Certkiller 2:
On the basis of the information presented above, which configuration change would
correct the Secure Shell (SSH) problem?
A. Configure router Certkiller 2 with the crypto key generate rsa general-keys modulus
modulus-number global configuration command.
B. Configure router Certkiller 2 with the crypto key generate rsa usage-keys modulus
modulus-number global configuration command.
C. Configure router Certkiller 2 with the ip domain name domain-name global
configuration command.
D. Configure router Certkiller 2 with the no transport input telnet vty line configuration
command.
E. Configure router Certkiller 2 with the transport input ssh vty line configuration
command.
F. None of the above.
E
QUESTION 140:
You need to configure a new Certkiller device using the Cisco SDM. What are three
features in the SDM that role-based access provides? (Select three)
A. It provides dynamic update of new IPS signatures for administrator, firewall
administrator, easy VPN client, and read-only users
B. It provides logical separation of the router between different router administrators and
users
C. It provides secure access to the SDM user interface and Telnet interface specific to the
profile of each administrator
D. It provides to end customers multiservice switching platforms (MSSPs) with a
graphical, read-only view of the customer premises equipment (CPE) services
E. It provides advanced troubleshooting using debug output analysis
F. It provides configuration wizards for all routing protocols (like RIP, OSPF, EIGRP,
BGP, IS-IS)
B, C, D
QUESTION 141:
Part of the configuration file of router Certkiller 3 is displayed below:

1. hostname ck3
!
2. aaa new-model
3. username cisco password 0 ck101
4. ip domain-name rtp.ck.com
!
5. crypto key generate rsa
6. ip ssh time-out 60
7. ip ssh authentication-retries 2
!
8. line vty 0 4
9. transport input ssh
Refer to the numbers at the left of each configuration line. Of the numbered items in
the exhibit, which combination is required to implement only SSH?
A. 1, 4, 5, and 9
B. 5, 6, and 7
C. 5, 6, 7, and 9
D. 2, 3, 5, and 9
E. 1, 3, 5, 6, 7, and 9
F. None of the above
A
QUESTION 142:
You have been tasked with implementing SSH on a new Certkiller router. Which
two steps must be taken for SSH to be implemented on a router? (Select two)
A. Ensure that the target routers are configured for AAA either locally or through a
database
B. Ensure that each router is using the correct domain name for the network
C. Ensure that the Cisco IOS Firewall feature set is installed on the devices.
D. Ensure that an ACL is configured on the VTY lines to block Telnet access
A, B
QUESTION 143:
You need to secure some of the management protocols and services used on a new
Certkiller router. Which two statements about management protocols are true?
(Select two)
A. NTP version 3 or above should be used because these versions support a
cryptographic authentication mechanism between peers.
B. TFTP authentication (username and password) is sent in an encrypted format, and no
additional encryption is required.
C. SNMP version 3 is recommended since it provides authentication and encryption
services for management packets.
D. Syslog version 2 or above should be used because it provides encryption of the syslog
messages.
E. SSH, SSL and Telnet are recommended protocols to remotely manage infrastructure
devices.
A, C
QUESTION 144:
You have been tasked with enhancing the security of the management protocols
used on the Certkiller routers. Which two management protocols provide security
enhancements such as cryptographic authentication and packet encryption of
management traffic? (Select two)
A. TFTP version 3
B. NTP version 3
C. Telnet version 3
D. SNMP version 3
E. Syslog version 3
B, D
QUESTION 145:
The Certkiller security administrator wants to increase the security of all the routers
within the network. Which three techniques should be used to secure management
protocols in Cisco routers? (Select three)
A. Synchronize the NTP master clock with an Internet atomic clock.
B. Configure SNMP with only read-only community strings.
C. Implement RFC 2827 filtering at the perimeter router when allowing syslog access
from devices on the outside of a firewall.
D. Encrypt TFTP and syslog traffic in an IPSec tunnel.
E. Use SNMP version 2.
F. Use TFTP version 3 or above because these versions support a cryptographic
authentication mechanism between peers.
B, C, D
QUESTION 146:
A Certkiller router was recently upgraded to the firewall feature set. Which two
statements are true about Cisco IOS Firewall? (Select two)
A. It is implemented as a per-destination process.
B. It enhances security for TCP and UDP applications.
C. It enhances security for TCP applications only.
D. It is implemented as a per-application process.
E. It enhances security for UDP applications only.
B, D
QUESTION 147:
A new Certkiller router with the IOS Firewall feature set needs to be configured.
Which three statements about IOS Firewall configurations are true? (Select three)
A. The ACL applied in the inbound direction on the unsecured interface should be an
extended ACL.
B. The IP inspection rule can be applied in the inbound direction on the secured interface.
C. The IP inspection rule can be applied in the outbound direction on the unsecured
interface.
D. For temporary openings to be created dynamically by Cisco IOS Firewall, the IP
inspection rule must be applied to the secured interface.
E. For temporary openings to be created dynamically by Cisco IOS Firewall, the
access-list for the returning traffic must be a standard ACL.
F. The ACL applied in the outbound direction on the unsecured interface should be an
extended ACL.
A, B, C
QUESTION 148:
What should the Certkiller security administrator who uses SDM consider when
configuring the firewall on an interface that is used in a VPN connection?
A. The firewall must permit encrypted traffic between the local and remote VPN peers.
B. The firewall must permit traffic to a VPN concentrator only.
C. The firewall must permit traffic going out of the local interface only.
D. The firewall cannot be configured in conjunction with a VPN.
E. None of the above
A
QUESTION 149:
A Certkiller router was recently upgraded to the firewall feature set. Which two
statements are true about the Cisco IOS Firewall set? (Select two)
A. Traffic originating within the router is not inspected.
B. It protects against denial of service (DoS) attacks.
C. An ACL entry is statically created and added to the existing, permanent ACL.
D. Temporary ACL entries are created and persist for the duration of the communication
session.
B, D
QUESTION 150:
You need to configure access rules on a new Certkiller router with the firewall
feature set. Which three statements are true about a Cisco IOS Firewall? (Select
three)
A. It can be configured to block Java traffic.
B. The inspection rules can be used to set timeout values for specified protocols.
C. It can be configured to detect and prevent SYN-flooding denial-of-service (DoS)
network attacks.
D. The ip inspect cbac-name command must be configured in global configuration mode.
E. It can only examine network layer and transport layer information.
F. It can only examine transport layer and application layer information.
Answer: A, B, C
QUESTION 151:
The Basic Firewall wizard has been used to configure a router as shown in the
diagram below:
Based on the information above, what is the purpose of the highlighted access list
statement?
A. to establish a DMZ by preventing traffic from interface VLAN10 being sent out
interface Fa0/0
B. to prevent spoofing by blocking traffic entering interface Fa0/0 with a source address
in the same subnet as interface VLAN10
C. to prevent spoofing by blocking traffic entering Fa0/0 with a source address in the
RFC 1918 private address space
D. to establish a DMZ by preventing traffic from interface Fa0/0 being sent out interface
VLAN10
E. None of the above
B
QUESTION 152:
A Certkiller site using VOIP requires support for skinny and H.323 voice protocols.
How is this configured on an IOS firewall using the SDM?
A. The Application Security tab is used to create a policy with voice support before the
Firewall wizard is run.
B. The Application Security tab is used to modify the SDM_High policy to add voice
support prior to the Firewall wizard being run.
C. The Advanced Firewall wizard is executed and a custom Application Security policy
is selected in place of the default Application Security policies.
D. The Basic Firewall wizard is executed and the High Security Application policy is
selected.
E. None of the above
C
QUESTION 153:
A new Certkiller router needs to be configured using SDM. Which three statements
are true when configuring Cisco IOS Firewall features using the SDM? (Select
three)
A. An optional DMZ interface can be specified in the Advanced Firewall Interface
Configuration dialog box.
B. Custom application policies for e-mail, instant messaging, HTTP, and peer-to-peer
services can be created using the Intermediate Firewall wizard.
C. The SDM provides a basic, intermediate, and advanced firewall wizard.
D. Only the outside (untrusted) interface is specified in the Basic Firewall Interface
Configuration dialog box.
E. The outside interface that SDM can be launched from is configured in the Configuring
Firewall for Remote Access dialog box.
F. A custom application security policy can be configured in the Advanced Firewall
Security Configuration dialog box.
Answer: A, E, F
QUESTION 154:
A new Certkiller router needs to be configured using SDM. Which two commands
will start services that should be enabled for SDM operations? (Select two)
A. ip http secure-server
B. ip http authentication local
C. service tcp-small-servers
D. service password-encryption
E. ip dhcp-client network-discovery
A, B
QUESTION 155:
You need to configure a new Certkiller router's firewall function via the SDM.
Which two statements are true about the configuration of the Cisco IOS Firewall
using the SDM? (Select two)
A. The Advanced Firewall Configuration wizard applies access rules to the inside
(trusted), outside (untrusted) and DMZ interfaces.
B. To simplify the Firewall configuration task, the SDM provides Basic Firewall,
Intermediate Firewall, and Advanced Firewall wizards.
C. Cisco IOS Firewall features may be configured by choosing the Additional Tasks
wizard.
D. The Basic Firewall Configuration wizard applies default access rules to the inside
(trusted), outside (untrusted) and DMZ interfaces.
E. Firewall policies can be viewed from the Home screen of the SDM.
A, E
QUESTION 156:
You need to configure a new Certkiller router via the SDM firewall wizard. Which
statement is true about the SDM Basic Firewall wizard?
A. The wizard permits the creation of a custom application security policy.
B. The wizard can configure multiple DMZ interfaces for outside users.
C. The wizard configures one outside interface and one or more inside interfaces.
D. The wizard applies predefined rules to protect the private and DMZ networks.
E. None of the above.
C
QUESTION 157:
You need to configure a new Certkiller router using the Cisco SDM. Which privilege
level is required when configuring the SDM?
A. 1
B. 12
C. 0
D. 8
E. 10
F. 15
G. 255
H. None of the above
F
QUESTION 158:
Part of the configuration file for a Certkiller router is displayed below:

hostname Certkiller
!
logging buffered 51200 warnings
!
username cisco privilege 15 secret 0 cisco
!
ip domain-name certkiller.com
!
interface gi0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
no shutdown
!
ip http server
ip http secure-server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
<Output omitted>
line con 0
login local
line vty 0 4
privilege level 15
login local
transport input telnet
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet
transport input telnet ssh
!
! End of SDM default config file
end

Based on this information, what is one of the objectives accomplished by the default
startup configuration file created by the SDM?
A. Blocks both Telnet and SSH
B. Encrypts all HTTP traffic to prevent man-in-the-middle attacks
C. Prevents the router from ever being used as an HTTP server
D. Requires access authentication by a TACACS+ server
E. Enables local logging to support the log monitoring function
F. None of the above
E
QUESTION 159:
A Certkiller router was configured as shown below:
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tftp timeout 3600
interface e0/1
ip address 172.16.1.2 255.255.255.0
ip access-group 111 in
ip inspect myfw out
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 111 permit icmp any 10.1.1.0 0.0.0.255

What is the configuration of this Certkiller router an example of?
A. infrastructure protection ACLs
B. Authentication Proxy
C. reflexive ACLs
D. turbo ACLs
E. distributed time-based ACLs
F. IOS firewall
F
QUESTION 160:
The following command output was shown in the exhibit:
Certkiller1# show ip inspect session
Established sessions
Session 624C3 A4 (20.0.1.1:11006)=>(150.150.150.2:23) tcp SIS_OPEN
Based on the output shown above, what type of security configuration is being
verified?
A. Turbo ACLs
B. IOS Firewall
C. Authentication Proxy
D. Reflexive ACLs
E. Distributed Time-Based ACLs
F. Infrastructure Protection ACLs
G. None of the above
B
QUESTION 161:
A Certkiller router was configured as shown below:
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 3600
ip inspect name myfw tftp timeout 3600
interface e0/1
ip address 172.16.1.2 255.255.255.0
ip access-group 111 in
ip inspect myfw out
access-list 111 deny icmp any 10.1.1.0 0.0.0.255 echo
access-list 111 permit icmp any 10.1.1.0 0.0.0.255

Based on the information shown above, what does this configuration accomplish?
A. For the specified protocols, the configuration results in a timeout value of 3600
seconds for authentication of encrypted traffic.
B. The configuration creates temporary openings in the access lists of the firewall. These
openings have an absolute timeout value.
C. The configuration permits ICMP outbound traffic, denies ICMP inbound traffic, and
permits traffic that has been initiated from inside a router that has been synched with an
NTP server.
D. The configuration uses NTP synchronization to implement time-based ACLs.
E. The configuration permits ICMP inbound traffic, denies ICMP outbound traffic, and
permits traffic that has been initiated from inside a router that has been synched with an
NTP server.
F. The configuration creates temporary openings in the access lists of the firewall. These
openings time out after the specified period of inactivity.
G. None of the above.
F
QUESTION 162:
Router Certkiller 2 connects to the Internet as shown below:
Router Certkiller 2 is also configured as shown below:

CertKiller2# show running-config | include inspect

ip inspect name FIREWALL_ACL rcmd timeout 3600
ip inspect name FIREWALL_ACL http timeout 3600
ip inspect name FIREWALL_ACL realaudio timeout 3600
ip inspect name FIREWALL_ACL smtp timeout 3600
ip inspect name FIREWALL_ACL tftp timeout 30
ip inspect name FIREWALL_ACL udp timeout 15
ip inspect name FIREWALL_ACL tcp timeout 3600

The Certkiller network administrator wishes to mitigate network threats. Given that
purpose, which two statements about the IOS firewall configuration shown above
are true?
A. The command ip access-group FIREWALL_ACL in must be applied on interface
FastEthernet 0/1.
B. The command ip inspect FIREWALL_ACL out must be applied on interface
FastEthernet 0/0.
C. The configuration excerpt is an example of a reflexive ACL.
D. The command ip access-group FIREWALL_ACL in must be applied on interface
FastEthernet 0/0.
E. The command ip inspect FIREWALL_ACL out must be applied on interface
FastEthernet 0/1.
F. The configuration excerpt is an example of a CBAC list.
E, F
QUESTION 163:
The Certkiller network administrator issued the "no ip inspect" command on a
Cisco IOS firewall device. What are three objectives that this command achieves?
(Select three)
A. It removes the entire CBAC configuration
B. It denies HTTP and Java applets to the inside interface but permits this traffic to the
DMZ
C. It removes all associated static ACLs
D. It resets all global timeouts and thresholds to the defaults
E. It deletes all existing sessions
F. It turns off the automatic audit feature in SDM
Answer: A, D, E
QUESTION 164:
A Certkiller IOS firewall is configured as shown below:
!
ip inspect name voice skinny
ip inspect name voice h323
ip inspect name voice tcp
ip inspect name voice udp
!
interface fa0/0
ip address 10.1.1.254 255.255.255.0
ip access-group 100 in
duplex auto
speed auto
!
interface fa0/1
ip address 1.1.10.254 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
ip inspect voice in
!
!
ip http server
no ip http secure-server
!
access-list 100 deny ip 10.1.10.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
!
access-list 101 permit icmp any host 10.1.10.254 echo-reply
access-list 101 permit icmp any host 10.1.10.254 time-exceeded
access-list 101 permit icmp any host 10.1.10.254 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255.any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.16.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.25.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log

This firewall has been configured to support skinny and H.323. Voice traffic is not
passing through the firewall as expected. Based on the configuration shown above,
what needs to be corrected in this configuration?
A. Access list 101 needs to permit skinny and H.323.
B. The "ip inspect voice in" command on interface FastEthernet 0/1 should be applied in
the outbound direction.
C. Access list 100 needs to permit skinny and H.323.
D. The "ip inspect voice out" command should be applied to interface FastEthernet 0/0.
E. None of the above.
B
QUESTION 165:
A new Cisco IDS was installed in the Certkiller network. Which two statements
about an Intrusion Detection System are true? (Select two)
A. The IDS can send TCP resets to the source device.
B. Default operation is for the IDS to discard malicious traffic.
C. The IDS can send TCP resets to the destination device.
D. The IDS is in the traffic path.
E. The IDS listens promiscuously to all traffic on the network.
A, E
QUESTION 166:
The Certkiller security administrator is concerned about network based intrusions
and wants to implement an IDS solution. Which statement is true about
signature-based intrusion detection?
A. It performs analysis that is based on a predefined network security policy.
B. It performs analysis that is based on known intrusive activities by matching predefined
patterns in network traffic.
C. It performs analysis by intercepting the procedural calls to the operating system
kernel.
D. It performs analysis that is based on anomalies in packets or packet sequences. It also
verifies anomalies in traffic behavior.
E. None of the above
B
QUESTION 167:
What is the purpose of Security Device Event Exchange (SDEE) messages?
A. SDEE messages can be viewed in real time using SDM.
B. For SDEE messages to be viewed, the show ip ips all or show logging commands must
be given first.
C. SDEE messages are the SDM version of syslog messages.
D. SDEE specifies the IPS/IDS message exchange format between an IPS/IDS device
and the IPS management/monitoring station.
E. SDEE messages displayed at the SDM window cannot be filtered.
F. None of the above
D
QUESTION 168:
In order to mitigate the threat of intrusions within the Certkiller network, the
Certkiller network administrator has implemented Cisco IDS/IPS devices. Which
three statements are true about Cisco Intrusion Detection System (IDS) and Cisco
Intrusion Prevention System (IPS) functions? (Select three)
A. IPS can detect misuse, abuse, and unauthorized access to networked resources and
respond before network security can be compromised.
B. IDS can detect misuse, abuse, and unauthorized access to networked resources but can
only respond after an attack is detected.
C. IDS can deny malicious traffic from the inside network whereas IPS can deny
malicious traffic from outside the network.
D. The signatures on the IDS devices are configured manually whereas the signatures on
the IPS devices are configured automatically.
E. Only IDS systems provide real-time monitoring that includes packet capture and
analysis of network packets.
F. Both IDS and IPS systems provide real-time monitoring that involves packet capture
and analysis of network packets.
A, B, F
QUESTION 169:
When a new IPS device is installed in the Certkiller network it must be tuned to
reduce the number of false positives. What is meant by the attack classification of
"false positive" on a Cisco IPS device?
A. A signature is not fired when non-offending traffic is captured and analyzed.
B. A signature is not fired when offending traffic is detected.
C. A signature is fired for nonmalicious traffic, benign activity.
D. A signature is correctly fired when offending traffic is detected and an alarm is
generated.
E. None of the above.
C
QUESTION 170:
A new Cisco IPS device was just installed in the Certkiller network. When packets in
a session match a signature, what are three actions that the Cisco IOS Firewall IPS
can take? (Select three)
A. Drop the packets
B. Send an alarm to a syslog server
C. Reset the connection
D. Notify a centralized management interface of a false positive
E. Use the signature micro-engine to prevent a CAM Table Overflow Attack
F. Remove the virus or worm from the packets and forward the packet through
A, B, C
QUESTION 171:
SDM has been used to configure the locations from which the signature definition
file (SDF) will be loaded as shown in the exhibit below:
Based on the exhibit, what will happen if the SDF files in flash are not available at
startup?
A. All traffic will be inspected by the pre-built signatures bundled in the attack-drop.sdf
file.
B. All traffic will be marked as uninspected and will be checked after the signature file is
loaded.
C. All traffic will be inspected by the built-in signatures bundled with Cisco IOS
Software.
D. All traffic will flow uninspected or will be dropped.
D
QUESTION 172:
You need to create policies on a new Certkiller IPS device. Which statement is true
about the SDM IPS Policies wizard?

A. The IPS Policies wizard only allows the use of default signatures which cannot be
modified.
B. When initially enabling the IPS Policies wizard, SDM automatically checks and
downloads updates of default signatures available from CCO (cisco.com).
C. In order to configure the IPS, the wizard requires that customized signature files be
created.
D. The wizard verifies whether the command is correct but does not verify available
router resources before the signatures are deployed to the router.
E. The IPS Policies wizard can be used to modify, delete, or disable signatures that have
been deployed on the router.
F. None of the above.
E.
Explanation:
The SDM provides a wide range of configuration capabilities for Cisco IOS IPS. All
options are configurable through the IPS Edit menu.
Additionally, SDM offers the IPS Policies wizard, which expedites the deployment of
default IPS settings. The wizard provides configuration steps for interface and traffic
flow selection, SDF location, and signature deployment. The wizard also verifies the
available router resources before the commands are sent to the router. The IPS Policies
wizard configures IPS using default signature descriptions, as defined in the SDF files
provided by Cisco, or the built-in signatures included in the Cisco IOS.
If you want to customize the signatures after the wizard deploys the default settings, you
should use the IPS Edit menu available in SDM. Using the Edit menu, you can modify
any signature parameter, as well as disable and delete the signatures.
QUESTION 173:
A new Certkiller IPS device is being configured via SDM in the following exhibit:

In this example, what are the ramifications of Fail Closed being enabled under
Engine Options?

A. The router will drop all packets that arrive on the affected interface.
B. If the IPS detects any malicious traffic, it will cause the affected interface to close any
open TCP connections.
C. The IPS engine is enabled to scan data and drop packets depending upon the signature
of the flow.
D. If the IPS engine is unable to scan data, the router will drop all packets.
E. None of the above.
D

Click Global Settings in the menu of the Edit IPS tab to view and modify the general IPS
settings configured on the router. These settings include reporting settings using two
protocols: syslog and SDEE.
See the status of the fail-closed setting. SDM default is fail-closed disabled. If enabled,
the router will drop all packets if the IPS engine is unable to scan data. Finally, you can
verify if the built-in signatures have been enabled for backup purposes if the configured
SDF is unavailable or cannot be loaded. If you want to modify any of these global
settings, click the Edit button in the upper-right corner of the window to perform the
desired changes.
QUESTION 174:
A Certkiller IPS device was configured using the SDM as shown below:

Assume that a signature can identify an IP address as the source of an attack.
Which action would automatically create an ACL that denies all traffic from an
attacking IP address?
A. DenyAttackerInline
B. Alarm
C. Deny-connection-inline
D. Reset
E. Drop
F. DenyFlowInline
G. None of the above
A.
Explanation:
The Cisco IOS IPS-enabled router uses this SDF to update the existing IPS configuration
live, meaning that the number of running signatures and the way that the signatures are
configured for actions to take when a signature match is made (alarm, drop, reset,
denyAttackerInline, and denyFlowInline) all can be changed without a Cisco IOS
Software image update. Use of the SDF for signature selection is replaced by the
selection of Cisco IOS Software signature categories or selection or deselection of
individual signatures and tuning of their parameters through the command-line interface
(CLI).
QUESTION 175:
The Certkiller network administrator used the Cisco SDM to manage the router as
shown below:

SDM has been used to configure IPS on the Certkiller router. While reviewing the
Secure Device Event Exchange (SDEE) error messages, you noticed that SDM failed
to load a signature definition file (SDF) from the specified URL locations. Which
other location, if enabled, could the SDF be loaded from?
A. The RAM of a PC
B. The RAM of a router
C. The startup configuration file of a router
D. The flash memory of a router
E. The running configuration file of a router
F. None of the above
D
Explanation:
You may configure more than one SDF location by clicking the Add button. If you
configure more than one SDF location, Cisco IOS will try to load them, starting from the
top of the list. If IOS fails to load the SDF from the first location in the list, it will try the
subsequent locations one by one until it successfully loads the SDF file. If SDM fails to
load the signature file, it can load the signature from the router's flash memory.
QUESTION 176:
A Certkiller router was configured as shown below:

Certkiller3(config)# ip route vrf cust1
Certkiller3(config-router)# address-family ipv4 vrf cust1
Certkiller3(config-router-af)# redistribute static
Certkiller3(config-router-af)# redistribute connected

Based on the configuration made to router Certkiller 3, what is the purpose of the
redistribute commands?
A. To redistribute routes specifically into EIGRP
B. To redistribute routes into the VRF BGP table
C. To redistribute routes specifically into RIP
D. To define the MPLS labels to attach to packets by the CE router.
E. To redistribute routes into the local IGP routing table.
F. To redistribute routes specifically into BGP
G. To redistribute routes specifically into OSPF
H. To redistribute routes specifically into IGP
I. To define the MPLS labels to attach to packets by the PE router.
J. None of the above
B.
Explanation:
BGP Distribution of VPN Routing Information:
A service provider edge (PE) router can learn an IP prefix from a customer edge (CE)
router by static configuration, through a BGP session with the CE router, or through the
routing information protocol (RIP) exchange with the CE router. The IP prefix is a
member of the IPv4 address family. After it learns the IP prefix, the PE converts it into a
VPN-IPv4 prefix by combining it with an 8-byte route distinguisher (RD). The generated
prefix is a member of the VPN-IPv4 address family. It serves to uniquely identify the
customer address, even if the customer site is using globally nonunique (unregistered
private) IP addresses.
The route distinguisher used to generate the VPN-IPv4 prefix is specified by a
configuration command associated with the VRF on the PE router.
BGP distributes reachability information for VPN-IPv4 prefixes for each VPN. BGP
communication takes place at two levels: within IP domains, known as autonomous
systems (interior BGP or IBGP) and between autonomous systems (external BGP or
EBGP). PE-PE or PE-RR (route reflector) sessions are IBGP sessions, and PE-CE
sessions are EBGP sessions.
BGP propagates reachability information for VPN-IPv4 prefixes among PE routers by
means of the BGP multiprotocol extensions (see RFC 2283, Multiprotocol Extensions for
BGP-4) which define support for address families other than IPv4. It does this in a way
that ensures the routes for a given VPN are learned only by other members of that VPN,
enabling members of the VPN to communicate with each other.
Configuring Static Route PE to CE Routing Sessions
To configure static route PE to CE routing sessions perform the following steps on the
PE router:
Step 1
Command: Router(config)# ip route vrf vrf-name
Purpose: Defines static route parameters for every PE to CE session.
Step 2
Command: Router(config-router)# address-family ipv4 [unicast] vrf vrf-name
Purpose: Defines static route parameters for every BGP PE to CE routing session. The
default is Off for auto-summary and synchronization in the VRF address-family submode.
Step 3
Command: Router(config-router-af)# redistribute static
Purpose: Redistributes VRF static routes into the VRF BGP table.
Step 4
Command: Router(config-router-af)# redistribute static connected
Purpose: Redistributes directly connected networks into the VRF BGP table.
Step 5
Command: Router(config-router-af)# exit-address-family
Purpose: Exits address family configuration mode.
Step 6
Command: Router(config-router)# end
Purpose: (Optional) Exits to privileged EXEC mode.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1612/products_feature_guide09186a00800e956e.html
QUESTION 177:
Your boss at Certkiller.com, Mrs. Certkiller, is interested in xDSL. What can you
tell her about this technology? (Select two)
A. IDSL offers downstream and upstream rates of up to 1 Mbps over a maximum
distance of 5.6 km (18,000 feet)
B. ADSL offers downstream rates of up to 1 Mbps and upstream rates up to 8 Mbps over
a maximum distance of 5.6 km (18,000 feet)
C. VDSL offers downstream rates of up to 52 Mbps and upstream rates up to 13 Mbps
over a maximum distance of 8.52 km (28,000 feet)
D. ADSL offers downstream rates of up to 8 Mbps and upstream rates up to 1 Mbps over
a maximum distance of 5.6 km (18,000 feet)
E. VDSL offers downstream rates of up to 13 Mbps and upstream rates up to 52 Mbps
over a maximum distance of 8.52 km (28,000 feet)
F. G.SHDSL offers downstream and upstream rates of up to 2.3 Mbps over a maximum
distance of 8.52 km (18,000 feet)
D, F
Explanation:
Asymmetrical DSL has higher downstream (from the provider's central office [CO] to the
subscriber) bandwidth than upstream (from the subscriber to the CO.) Symmetrical DSL
has the same bandwidth both downstream and upstream. You will sometimes see these
referred to as "asynchronous" and "synchronous" DSL.
The various types of DSL include the following:
1. ADSL- Asymmetric DSL supports both voice and data. Downstream bandwidth goes up
to 8 Mbps; upstream goes up to 1 Mbps. Two other versions, ADSL2 and ADSL2+,
provide 24 Mbps downstream and 1.5 Mbps upstream. The maximum distance from the
CO is 18,000 feet, or 5.46 km.
2. RADSL- Rate-adaptive DSL changes the rate based on the local loop.
3. VDSL- Very-high-rate DSL can be either symmetric or asymmetric and can carry
voice along with data. Maximum symmetric bandwidth is 26 Mbps; maximum
asymmetric is 52 Mbps downstream and 13 Mbps upstream. The maximum distance from the CO is 4,500 feet, or 1.37 km.
4. IDSL- ISDN DSL carries only digital data (other forms of DSL send analog signals). It
uses both ISDN B channels and the D channel, for a symmetric bandwidth of 144 kbps.
The maximum distance for IDSL is 18,000 feet, or 5.46 km.
5. SDSL- Symmetric DSL carries only data, with a maximum for both downstream and
upstream of 768 kbps. The distance limitation is 22,000 feet, or 6.7 km. It is a proprietary
technology that uses only one twisted pair of wires.
6. HDSL- High-data-rate DSL uses two twisted pairs of wires to achieve a maximum
symmetrical bandwidth of 2.048 Mbps. Its maximum distance from the CO is 12,000
feet, or 3.7 km. HDSL carries only data, no voice.
7. G.SHDSL- Symmetric high-speed DSL has a symmetrical data rate of 2.3 Mbps and
the longest maximum distance: 28,000 feet, or 8.52 km. It also carries only data, no
voice.
Reference: CCNP ISCW Quick Reference Sheets (Digital Short Cut) Denise Donohue,
Jay Swan ISBN: 1-58705-314-4
QUESTION 178:
Your boss at Certkiller, Mrs. Certkiller, asked you to configure ACLs on router
CK1, which is an IOS firewall device. Which of the following are true regarding the
ACL configuration on this router? (Select two)
A. It allows traffic that will be inspected by IOS Firewall to leave the network through the
firewall.
B. It prevents traffic that will be inspected by IOS Firewall from leaving the network
through the firewall.
C. It permits broadcast messages with a source address of 255.255.255.255.
D. You configure the ACL to deny traffic from the protected network to the unprotected
networks.
E. You configure the extended ACLs to prevent IOS Firewall return traffic from entering
the network through the firewall.
A, E

Explanation:
SPI was introduced as a feature called Context-Based Access Control (CBAC). Prior to
CBAC, Cisco IOS Software's only packet-filtering mechanism was the access control list
(ACL). CBAC greatly enhanced the packet filtering capability of ACLs by introducing
stateful filtering capability. The early Cisco IOS Firewall capability was occasionally
perceived as a "glorified" ACL. This misconception is partly due to the fact that ACL
monitoring commands were used to monitor CBAC activity, as well as the fact that
inspection used (and still uses) ACLs to filter traffic, permitting desired traffic, while
blocking unwanted, potentially harmful traffic. However, CBAC substantially augments
an ACL's capability for restricting traffic. CBAC monitors several attributes in TCP
connections, UDP sessions, and Internet Control Message Protocol (ICMP) dialogue to
ensure that the only traffic allowed through a firewall ACL is the return traffic for dialogue that was originated on the private side of the firewall.
Cisco IOS SPI can be explained most simply as being a mechanism to discover "good"
connections that originate on the secure side of the firewall, and watch for and allow the
return traffic that correlates with these connections. Connections originating on the
unsecure side of the firewall are not allowed to reach the secure network, as controlled by
an ACL facing the unsecure network.
Cisco IOS Firewall Stateful Inspection

Reference:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_implementation_design_guide09186a00800
QUESTION 179:
The Certkiller network topology is shown below:

Partial configuration of router CK1 :

INT FA0/0
IP INSPECT outside IN
IP access-group INSIDEACL in
!
int fa0/1
ip inspect INSIDE in
ip access-group INSIDEACL in
!
int fa0/2
ip access-group DMZACL in
!
ip inspect name INSIDE tcp
ip inspect name OUTSIDE tcp
!
ip access-list extended OUTSIDEACL
permit tcp any host 200.1.2.1 eq 25
permit tcp any host 200.1.2.2 eq 80
permit icmp any any packet-too-big
deny ip any any log
!
ip access-list extended INSIDEACL
permit tcp any any eq 80
permit icmp any any packet-too-big
deny ip any any log
!
ip access-list extended DMZACL
permit icmp any any packet-too-big
deny ip any any log

Please refer to the two exhibits above. Based on the configuration of router CK1,
what is true in this scenario?
A. ICMP unreachable 'packet-too-big' messages are rejected on all interfaces to prevent
DDOS attacks.
B. Inside users are not permitted to browse the Internet.
C. The TCP inspection will automatically allow return traffic of the outbound HTTP
sessions and allow return traffic of the inbound SMTP and HTTP sessions.
D. Inbound SMTP and HTTP are permitted by the ACL OUTSIDEACL. OUTSIDEACL
is applied to the inside interface in the outbound direction.
E. Outbound HTTP sessions are allowed by the ACL INSIDEACL. INSIDEACL is
applied to the outside interface in the inbound direction.
F. None of the above
Answer: C
Explanation:
In general, when inspection is configured for a protocol, return traffic entering the
internal network will be permitted only if the packets are part of a valid, existing session
for which state information is being maintained. In this case, all outbound TCP traffic
using port 80 (HTTP) will be inspected and the return traffic will be dynamically
allowed. For the inbound traffic, the OUTSIDEACL is used which will inspect the HTTP
and SMTP traffic (TCP port 25). The return traffic will also be allowed back as the IOS
firewall tracks the state of the session.
QUESTION 180:
You need to configure and verify the Network Time Protocol (NTP) on router CK1.
Which two statements are true regarding NTP? (Select two)
A. Whenever possible, configure NTP version 5 because it automatically provides
authentication and encryption services.
B. A stratum 0 time server is required for NTP operation.
C. The "ntp server" global configuration is used to configure the NTP master clock to
which other peers synchronize themselves.
D. NTP is enabled on all interfaces by default, and all interfaces receive NTP packets.
E. The show ntp status command displays detailed association information of all NTP
peers.
F. NTP operates on IP networks using User Datagram Protocol (UDP) port 123.
Answer: E, F
Explanation:
E: To show the status of Network Time Protocol (NTP), use the show ntp status EXEC
command.
The following is sample output from the show ntp status command:
CK1 # show ntp status
Clock is synchronized, stratum 4, reference is 192.168.13.57
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is AFE2525E.70597B34 (00:10:22.438 PDT Mon Jul 5 1993)
clock offset is 7.33 msec, root delay is 133.36 msec
root dispersion is 126.28 msec, peer dispersion is 5.98 msec
F: NTP is a UDP-based service. NTP servers use well-known port 123 to talk to each
other and to NTP clients. NTP clients use random ports above 1023.
The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network
of machines. NTP runs over UDP, which in turn runs over IP. NTP Version 3 is
documented in RFC 1305.
Incorrect Answers:
A: Which version of NTP should I use?
Unfortunately the answer to this question is not quite easy: Currently there are version
three and version four implementations of NTP available. The latest software release
being worked on is NTPv4, but the official Internet standard is still NTPv3. Version 5 is
not yet available.
Reference: http://www.ntp.org/ntpfaq/NTP-s-def.htm#Q-DEF-WHICH-VERSION
B: Higher level stratum clocks can be used and a stratum 0 device is not required
C: The "NTP master" command is used to configure a device as the Master clock.
D: NTP services are disabled on all interfaces by default. NTP is enabled globally when
any NTP commands are entered.
QUESTION 181:
You need to make changes to an IPS device using the Security Device Manager
(SDM). What are three configurable parameters when editing signatures in SDM?
(Select three)
A. EventAction
B. AlarmSeverity
C. EventMedia
D. AlarmKeepalive
E. EventAlarm
F. AlarmTraits
Answer: A, B, F
Explanation:
Add, Edit, or Clone Signature:
In SDM, this window contains fields and values described in the Field Definitions
section. The fields vary depending on the signature, so this is not an exhaustive list of all
the fields you might see.
Field Definitions
The following fields are in the Add, Edit, and Clone Signature windows in the SDM.
SIGID-Unique numerical value assigned to this signature. This value allows Cisco IOS
IPS to identify a particular signature.
SigName-Name assigned to the signature.
SubSig-Unique numerical value assigned to this subsignature. A subsig ID is used to
identify a more granular version of a broad signature.
AlarmInterval-Special Handling for timed events. Use AlarmInterval Y with MinHits X
for X alarms in Y second interval.
AlarmSeverity-Severity of the alarm for this signature.
AlarmThrottle-Technique used for triggering alarms.
AlarmTraits-User-defined traits further describing this signature.
ChokeThreshold-Threshold value of alarms-per-interval that triggers autoswitch
AlarmThrottle modes. If ChokeThreshold is defined, Cisco IOS IPS automatically
switches AlarmThrottle modes if a large volume of alarms is seen in the ThrottleInterval.
Enabled-Identifies whether or not the signature is enabled. A signature must be enabled
in order for Cisco IOS IPS to protect against the traffic specified by the signature.
EventAction-Actions Cisco IOS IPS will take if this signature is triggered.
FlipAddr-True if the source and destination addresses, and their associated ports, are
swapped in the alarm message. False if no swap occurs (default).
MinHits-Specifies the minimum number of signature hits that must occur before the
alarm message is sent. A hit is the appearance of the signature on the address key.
SigComment-Comment or description text for the signature.
SigVersion-Signature version.
ThrottleInterval-Number of seconds defining an Alarm Throttle interval. This is used
with the AlarmThrottle parameter to tune special alarm limiters.
WantFrag-True enables inspection of fragmented packets only. False enables inspection
of non-fragmented packets only. Choose "undefined" to allow for inspection of both
fragmented and non-fragmented packets.

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a008081b4a8.htm
QUESTION 182:
You need to configure a new intrusion detection system, named CKIDS1. When
doing so, which two active response capabilities can be configured on CKIDS1 in
response to malicious traffic detection? (Select 2)
A. The transmission of a TCP reset to the offending end host.
B. The ignition of dynamic access lists on the IDS to prevent further malicious traffic.
C. The invoking of SNMP-sourced controls
D. The shutdown of ports on intermediary devices
E. The configuration of network devices to prevent malicious traffic from passing
through
F. None of the above
Answer: A, E
Explanation:
An action is the sensor's response to an event. An action only happens if the event is not
filtered. Possible actions include TCP reset, block host, block connection, IP logging, and
capturing the alert trigger packet.
QUESTION 183:
Cisco IPS technology has been implemented within the Certkiller network. In this
network, what are two possible actions an IOS IPS can take if a packet in a session
matches a signature? (Select two)
A. Drop the packet
B. Reset the connections
C. Check the packet against an ACL
D. Forward the packet
E. None of the above
Answer: A, B
Explanation:
When a signature is matched, the IPS responds in real time, before network security can
be compromised, and logs the event through Cisco IOS syslog messages or SDEE. You
can configure IPS to choose the appropriate response to various threats. When packets in
a session match a signature, IPS can take any of these actions, as appropriate:
1. Send an alarm to a syslog server or a centralized management interface. This action is
typically combined with other preventive actions.
2. Drop the packet. This action is effective for all IP protocols and does not affect any legitimate user if the source IP address was spoofed.
3. Reset the connection. This action works only for TCP sessions.
Reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schfirwl.htm
QUESTION 184:
As the Certkiller security administrator, you are concerned with virus and Trojan
horse attacks. How can these attacks be mitigated?
A. Enable trust levels.
B. Use antivirus software
C. Disable port scan
D. Implement RFC 2827 filtering
E. Deny echo replies on all edge routes.
F. None of the above
Answer: B
Explanation:
The most common blunder people make when the topic of a computer virus arises is to
refer to a worm or Trojan horse as a virus. While the words Trojan, worm and virus are
often used interchangeably, they are not the same. Viruses, worms and Trojan Horses are
all malicious programs that can cause damage to your computer, but there are differences
among the three, and knowing those differences can help you to better protect your
computer from their often damaging effects.
A computer virus attaches itself to a program or file so it can spread from one computer
to another, leaving infections as it travels. Much like human viruses, computer viruses
can range in severity: Some viruses cause only mildly annoying effects while others can
damage your hardware, software or files. Almost all viruses are attached to an executable
file, which means the virus may exist on your computer but it cannot infect your
computer unless you run or open the malicious program. It is important to note that a
virus cannot be spread without a human action, (such as running an infected program) to
keep it going. People continue the spread of a computer virus, mostly unknowingly, by
sharing infecting files or sending e-mails with viruses as attachments in the e-mail.
A worm is similar to a virus by its design, and is considered to be a sub-class of a virus.
Worms spread from computer to computer, but unlike a virus, it has the capability to
travel without any help from a person.
A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was
named after. The Trojan Horse, at first glance will appear to be useful software but will
actually do damage once installed or run on your computer. Those on the receiving end
of a Trojan Horse are usually tricked into opening them because they appear to be
receiving legitimate software or files from a legitimate source. When a Trojan is
activated on your computer, the results can vary. Some Trojans are designed to be more
annoying than malicious (like changing your desktop, adding silly active desktop icons)
or they can cause serious damage by deleting files and destroying information on your
system. Trojans are also known to create a backdoor on your computer that gives
malicious users access to your system, possibly allowing confidential or personal
information to be compromised. Unlike viruses and worms,
The first steps to protecting your computer are to ensure your operating system (OS) is
up-to-date. This is essential if you are running a Microsoft Windows OS. Secondly, you
should have anti-virus software installed on your system and ensure you download
updates frequently to ensure your software has the latest fixes for new viruses, worms,
and Trojan horses.
Reference: http://www.webopedia.com/DidYouKnow/Internet/2004/virus.asp
QUESTION 185:
Part of the Certkiller network is shown below:

Configuration exhibit:
Certkiller2#show running-config
<output omitted>
int Se0/0
ip address 16.2.1.1 255.255.255.0
ip access-group 100 in
<output omitted>
access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established
access-list 100 deny ip any any log

Based on the information provided above, the purpose of the access list on router
Certkiller2 allows TCP traffic from...
A. ...any destination to reach the 16.1.1.0/24 network if the request originated from the
inside network.
B. ...any destination to reach the 16.1.1.0/24 network if the request originated from the
Internet.
C. ...any destination to reach the 16.1.1.0/24 network if the request originated from the
inside network and has a port number greater than 1024.
D. ...the 16.1.1.0/24 network to reach any destination if the request originated from the
inside network and has a port number less than 1024.
E. ...the 16.1.1.0/24 network to reach any destination if the request originated from the
Internet.
F. None of the above
Answer: A
Explanation:
The "established" keyword is optional and for use with the TCP protocol only. It indicates an established connection. It specifies that the packet must be part of an
established connection. In other words, the packet can't be attempting to start a new
connection, like an incoming connection from the Internet. A match occurs if the TCP
datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP
datagram to form a connection.
QUESTION 186:
Network topology exhibit:
|---f0/0(CK3)f0/1---(internet)
10.2.1.1/24 10.1.1.1/24

Exhibit:
Certkiller3(config)# access-list 109 permit tcp any 10.2.1.0 0.0.0.255 established
Certkiller3(config)# access-list 109 deny ip any any log
Certkiller3(config)# interface fa0/1
Certkiller3(config-if)# ip access-group 109 in

You work as a network technician at Certkiller.com. You study the exhibits
carefully.
On the basis of the information that is presented, which statement is true?
A. ACL 109 is designed to prevent outbound IP address spoofing attacks.
B. ACL 109 is designed to allow packets with the SYN flag set to enter the router.
C. ACL 109 is designed to prevent any inbound packets with the ACK flag set from
entering the router.
D. ACL 109 should have been applied to interface Fa0/0.
E. ACL 109 is designed to allow packets with the ACK flag set to enter the router.
F. ACL 109 is designed to prevent any inbound packets with the SYN flag set from
entering the router.
Answer: E
QUESTION 187:
Network topology exhibit:

Certkiller3(config)# access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
Certkiller3(config)# access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
Certkiller3(config)# access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
Certkiller3(config)# access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
Certkiller3(config)# access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
Certkiller3(config)# access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
Certkiller3(config)# access-list 150 deny ip host 255.255.255.255 any log
Certkiller3(config)# access-list 150 permit ip any 10.2.1.0 0.0.0.255
You work as a network technician at Certkiller.com. You study the exhibits
carefully.
Which configuration option would correctly configure Certkiller3 to mitigate a
range of threats?
A. Certkiller3(config)# line vty 0 4
Certkiller3(config-line)# access-class 150 out
B. Certkiller3(config)# line vty 0 4
Certkiller3(config-line)# access-class 150 in
C. Certkiller3(config)# interface Fa0/1
Certkiller3(config-if)# ip access-group 150 in
D. Certkiller3(config)# interface Fa0/1
Certkiller3(config-if)# ip access-group 150 out
E. Certkiller3(config)# interface Fa0/0
Certkiller3(config-if)# ip access-group 150 out
F. Certkiller3(config)# interface Fa0/0
Certkiller3(config-if)# ip access-group 150 in
C
QUESTION 188:
What are three methods of network reconnaissance? Select three.
A. port scan
B. packet sniffer
C. IP spoofing
D. One-time password
E. Dictionary attack
F. Ping sweep
A, B, F
QUESTION 189:
Exhibit:
<OUTPUT OMITTED>
00:19:29: %DIALER-5-BIND: Interface Vi2 bound to profile Di1
00:19:29: Vi2 PPP: Using dialer call direction
00:19:29: Vi2 PPP: Treating connection as a callout
00:19:29: Vi2 PPP: Authorization required
00:19:29: Vi2 PPP: No remote authentication for call-out
00:19:29: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
00:19:31: Vi2 CHAP: I challenge id 1 len 24 from "ISP"
00:19:31: Vi2 CHAP: Using hostname from interface CHAP
00:19:31: Vi2 CHAP: Using password from AAA
00:19:31: Vi2 CHAP: O RESPONSE id 1 len 25 from "CPE"
00:19:32: Vi2 CHAP: I SUCCESS id 1 len 4
00:19:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
<output omitted>

You work as a network technician at Certkiller.com. You study the exhibit carefully.
What two statements are true in this scenario? Select two.
A. The output is the result of the debug ppp negotiation command.
B. This is the CPE router.
C. The output is the result of the debug ppp authentication command.
D. This is the ISP router.
E. The ISP router initiated the connection to the CPE router.
F. The output is the result of the debug pppoe events command.
B, C
QUESTION 190:

You work as a network technician at Certkiller.com. You study the exhibits
carefully.
What two statements are true in this context?
A. The Edit IPS window is currently displaying the signatures in Summary view.
B. Signature 1102 has been triggered because of matching traffic.
C. The Edit IPS window is currently displaying the Global Settings information.
D. Any traffic matching signature 1107 will generate an alarm, reset the connection, and
be dropped.
E. The Edit IPS window is currently displaying the signatures in Details view.
F. Signature 1102 has been modified, but the changes have not been applied to the router.
E, F
QUESTION 191:
Which two statements about the transmission of signals over a cable are true? Select
two.
A. Upstream signals travel from the subscriber to the cable operator and use frequencies
in the range 5 to 42 MHz.
B. Downstream signals travel from the cable operator to the subscriber and use
frequencies in the range of 5 to 42 MHz.
C. Downstream and upstream signals operate in the same frequency ranges.
D. Upstream signals travel from the subscriber to the cable operator and use frequencies
in the range 50 to 860 MHz.
E. Upstream signals travel from the subscriber to the cable operator and use frequencies
in the range 5 to 860 MHz.
F. Downstream signals travel from the cable operator to the subscriber and use
frequencies in the range of 50 to 860 MHz.
G. Downstream signals travel from the cable operator to the subscriber and use
frequencies in the range of 5 to 860 MHz.
B, F
QUESTION 192:
Which four outbound ICMP message types would normally be permitted? Select
four.
A. echo
B. packet too big
C. source quench
D. time exceeded
E. parameter problem
F. echo reply
A,B,C,E
QUESTION 193:
Exhibit:

06:36:03: Vi1 PPP: Treating connection as a callout
06:36:03: Vi1 PPP: Phase is ESTABLISHING, Active Open [0 sess, 1 load]
06:36:03: Vi1 PPP: No remote authentication for call-out
06:36:03: Vi1 LCP: 0 CONFREQ [Closed} id 1 len 10
06:36:03: Vi1 LCP: MagicNumber 0x03013D43 (0x050603013D43)
<...part of the output omitted...>
06:36:05: Vi1 LCP: State is Open
06:36:05: Vi1 PPP: Phase is AUTHENTICATING, by the peer [0 sess, 1 load]
06:36:05: Vi1 CHAP: I CHALLENGE id 9 len 26 from "nrp-b"
06:36:05: Vi1 CHAP: Using alternate hostname client1
<...part of the output omitted...>
06:36:05: Vi1 CHAP: I SUCCESS id 9 len 4
06:36:05: Vi1 PPP: Phase is FORWARDING [0 sess, 1 load]
06:36:05: Vi1 PPP: Phase is AUTHENTICATING [0 sess, 1 load]
06:36:05: Vi1 PPP: Phase is UP [0 sess, 1 load]
06:36:05: Vi1 IPCP: I CONFREQ [REQsent] id 1 len 10
06:36:05: Vi1 IPCP: Address 8.8.8.1 (0x030608080801)
06:36:05: Vi1 IPCP: Address 9.9.9.2 (0x030609090902)
<...part of the output omitted...>
06:36:05: Vi1 IPCP: State is open
06:36:05: Di1 IPCP: Install negotiated IP interface address 9.9.9.2
06:36:05: Di1 IPCP: Install route to 8.8.8.1
06:36:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up

You work as a network technician at Certkiller.com. You study the exhibits
carefully.
What conclusion can be made from the output of the debug ppp negotiation
command?
A. PPP has set up a functional connection.
B. There are IP control Protocol (IPCP) failures.
C. There is no PPP response from the remote router.
D. There is an authentication failure.
E. Link Control Protocol (LCP) is not opened.
A
QUESTION 194:

You work as a network technician at Certkiller.com. You study the exhibits
carefully.
When editing the invalid DHCP Packet signature using security device manager
(SDM), which additional severity levels can be chosen? Select two.
A. debug
B. live
C. low
D. formal
E. urgent
F. warning
G. informational
H. high
I. medium
C,G,H
QUESTION 195:
Which PPPoE configuration statement is true?
A. The ip mtu 1492 command must be applied on the dialer interface.
B. When the pppoe enable command is applied on the Ethernet interface, a PVC will be
created.
C. A PVC must be created before the pppoe enable command on the Ethernet interface is
entered.
D. The ip mtu 1492 command must be applied on the Ethernet interface.
E. The ip mtu 1496 command must be applied on the dialer interface.
F. The encapsulator ppp command must be applied on the Ethernet interface.
G. The dsl operating-mode auto command is required.
H. The ip mtu 1496 command must be applied on the Ethernet interface.
D
QUESTION 196:
You work as a network technician at Certkiller.com. You study the exhibit carefully.
You are walking through the SDM Site-to-Site VPN Wizard.
What are three requirements that are accessed by the Add button? Select three.
A. IKE lifetime
B. Bits that are used in AES encryption method
C. Keyed-hash message authentication mode
D. IPSec authentication method
E. Diffie-Hellman group
F. IPSec proposal priority.
A,C,E
QUESTION 197:
Which three protocols are available for local redundancy in a backup VPN
scenario? Select three.
A. GLBP
B. RSVP
C. HSRP
D. PPP
E. VRRP
F. A routing protocol
G. Proxy arp
A,C,E
QUESTION 198:
Which two devices serve as the main components in a DSL data service network?
Select two.
A. CO switch
B. ATU-C
C. ATU-R
D. SOHO workstation
E. Pots splitter
B,C
QUESTION 199:
At what size should the MTU on LAN interfaces be set in the implementation of
MPLS VPNs with traffic engineering?
A. 1550 bytes
B. 1516 bytes
C. 1524 bytes
D. 1528 bytes
E. 1520 bytes
F. 1500 bytes
G. 1532 bytes
H. 1512 bytes
H
QUESTION 200:
You work as a network technician at Certkiller.com. You study the exhibit carefully.
Which statement best describes Security Device Event Exchange (SDEE)?
A. It is an OSI level-7 protocol, and it is used to exchange IPS messages between IPS
agents
B. It is an application level communications protocol that is used to exchange IPS
messages between IPS clients and servers.
C. The primary purpose of SDEE is for SDM users to send messages to IPS agents
D. It is a process for ensuring IPS communications between the SDM-enabled devices
E. It is a suite of protocols for ensuring IPS communications between the SDM-enabled
devices
B
QUESTION 201:
Which two statements about the Security Device Manager (SDM) Intrusion
Prevention System (IPS) Rule Wizard are true? Select two.
A. Once all interfaces have rules applied to them, you cannot re-initiate the IPS Rule
wizard to make changes.
B. Changes to the IPS rules can be made using the Configure IPS tab.
C. By default, the Use Built-in Signatures (as backup) checkbox is not selected.
D. When using the wizard for the first time, you will be prompted to enable the Security
Device Event Exchange (SDEE).
E. Changes to the IPS rules can be made using the Edit Firewall Policy/ACL tab.
F. Once all interfaces have rules applied to them, you can re-initiate the IPS Rule wizard
to make changes.
D,F