CCNA Security V2.0 Final Exam

By Jokinen, Community Contributor
About This Quiz

The CCNA Security v2.0 Final Exam assesses advanced knowledge in network security, focusing on control plane protection, authentication methods, and security tools like Nmap. This quiz is essential for learners aiming to master security protocols and configurations in Cisco networks.


  • 2. 

    What is negotiated in the establishment of an IPsec tunnel between two IPsec hosts during IKE Phase 1?

    • ISAKMP SA policy

    • DH groups

    • Interesting traffic

    • Transform sets

    Correct Answer
    ISAKMP SA policy
    Explanation
    During IKE Phase 1, the two IPsec hosts negotiate the ISAKMP SA (Internet Security Association and Key Management Protocol Security Association) policy. This policy defines the parameters of the secure channel between the hosts, including the authentication method, encryption algorithm, and key exchange settings, so that both hosts agree on the security parameters before the IPsec tunnel is established.

  • 3. 

    Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?

    • The Telnet connection between RouterA and RouterB is not working correctly.

    • The password cisco123 is wrong.

    • The administrator does not have enough rights on the PC that is being used.

    • The enable password and the Telnet password need to be the same.

    Correct Answer
    The password cisco123 is wrong.
    Explanation
    The possible cause of the problem is that the password "cisco123" is wrong: the administrator is entering an incorrect password when attempting Telnet access to RouterB.

  • 4. 

    Which security policy outlines the overall security goals for managers and technical personnel within an organization and includes the consequences of noncompliance with the policy?

    • End-user policy

    • Application policy

    • Governing policy

    • Technical policy

    Correct Answer
    Governing policy
    Explanation
    The governing policy outlines the overall security goals for managers and technical personnel within an organization. It is a high-level policy that sets the direction and framework for all other security policies. It includes the consequences of noncompliance with the policy, ensuring that managers and technical personnel understand the importance of adhering to the security goals and the potential repercussions if they fail to comply.

  • 5. 

    What is a secure configuration option for remote access to a network device?

    • Configure 802.1x.

    • Configure Telnet.

    • Configure SSH.

    • Configure an ACL and apply it to the VTY lines.

    Correct Answer
    Configure SSH.
    Explanation
    The most secure configuration option for remote access to a network device is to configure SSH. SSH (Secure Shell) is a cryptographic network protocol that provides secure communication over an insecure network. It uses encryption to protect the connection and authentication methods to ensure that only authorized users can access the device remotely. This makes SSH a more secure choice compared to Telnet, which sends data in plain text, and configuring an ACL (Access Control List) alone, which may not provide encryption for the remote access connection.

  • 6. 

    Refer to the exhibit. A network administrator configures AAA authentication on R1. The administrator then tests the configuration by telneting to R1. The ACS servers are configured and running. What will happen if the authentication fails?

    • The enable secret password could be used in the next login attempt.

    • The authentication process stops.

    • The username and password of the local user database could be used in the next login attempt.

    • The enable secret password and a random username could be used in the next login attempt.

    Correct Answer
    The authentication process stops.
    Explanation
    If the authentication fails, the authentication process will stop. This means that the user will not be able to access the device or perform any further actions until a successful authentication is completed. The enable secret password or any other credentials will not be used in the next login attempt.

  • 7. 

    Why are DES keys considered weak keys?

    • They are more resource intensive.

    • DES weak keys use very long key sizes.

    • They produce identical subkeys.

    • DES weak keys are difficult to manage.

    Correct Answer
    They produce identical subkeys.
    Explanation
    DES keys are considered weak keys because they produce identical subkeys. Certain keys in the DES algorithm result in the same subkeys being generated in every round, which can lead to vulnerabilities and make it easier for attackers to exploit the encryption. Identical subkeys reduce the effective key length and weaken the overall security of the encryption algorithm.

  • 8. 

    What type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?

    • Symmetric algorithms

    • Hashing algorithms

    • Asymmetric algorithms

    • Public key algorithms

    Correct Answer
    Symmetric algorithms
    Explanation
    Symmetric algorithms require the sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages. In symmetric encryption, the same key is used for both encryption and decryption, so both the sender and receiver must hold the same key in order to encrypt and decrypt the messages. By exchanging the secret key, the sender and receiver can communicate securely and ensure that only they can understand the encrypted messages.

  • 9. 

    A user successfully logs in to a corporate network via a VPN connection. Which part of the AAA process records that a certain user performed a specific operation at a particular date and time?

    • Authentication

    • Accounting

    • Access

    • Authorization

    Correct Answer
    Accounting
    Explanation
    The accounting part of the AAA process records the details of a user's specific operation, such as logging in to a corporate network via a VPN connection, at a particular date and time. This includes keeping track of the user's activities, usage, and any resources accessed during the session. Accounting supports auditing and monitoring of user actions, ensuring accountability and providing information for billing, security, and compliance purposes.

  • 10. 

    What determines which switch becomes the STP root bridge for a given VLAN?

    • The lowest bridge ID

    • The highest MAC address

    • The highest priority

    • The lowest IP address

    Correct Answer
    The lowest bridge ID
    Explanation
    The STP root bridge is determined by the lowest bridge ID. The bridge ID is a combination of the bridge priority and the bridge MAC address. The bridge with the lowest bridge ID becomes the root bridge. The bridge priority can be manually configured, but by default it is set to a value of 32768. The MAC address is unique to each bridge and is used as a tiebreaker if multiple bridges have the same priority. Therefore, the bridge with the lowest bridge ID, meaning the lowest priority or, when priorities tie, the lowest MAC address, becomes the STP root bridge.

  • 11. 

    An administrator workstation connects to a switch that connects to the Fa0/0 port of RouterA. RouterA connects to RouterB through serial interfaces labeled S0/0/1 on both routers. The following configuration is applied to RouterB.

        RouterB(config)# enable secret class123
        RouterB(config)# username admin secret Cisco123
        RouterB(config)# aaa new-model
        RouterB(config)# aaa authentication login default local-case line enable none
        RouterB(config)# aaa authentication login telnet local-case
        RouterB(config)# line vty 0 4
        RouterB(config)# login authentication telnet

    Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?

    • The wrong vty lines are configured.

    • AAA authorization is not configured.

    • The administrator has used the wrong password.

    • The administrator does not have enough rights on the PC that is being used.

    Correct Answer
    The administrator has used the wrong password.
    Explanation
    The possible cause of the problem is that the administrator has used the wrong password. This can be inferred from the configuration on RouterB, where the username "admin" is set with the secret "Cisco123", while the question states that the administrator is attempting Telnet access with the password "cisco123". Therefore, the password used by the administrator is incorrect.

  • 12. 

    What are two tasks that can be accomplished with the Nmap and Zenmap network tools? (Choose two.)

    • Password recovery

    • Password auditing

    • Identification of Layer 3 protocol support on hosts

    • TCP and UDP port scanning

    • Validation of IT system configuration

    Correct Answer(s)
    Identification of Layer 3 protocol support on hosts
    TCP and UDP port scanning
    Explanation
    Nmap and Zenmap are network tools that can be used to identify Layer 3 protocol support on hosts, that is, to determine which network protocols are supported by different hosts on a network. These tools can also perform TCP and UDP port scanning, which checks for open ports on a network host to identify the services running on those ports and potential vulnerabilities. These tasks help network administrators assess network security and verify proper configuration.

  • 13. 

    What is a benefit of using a next-generation firewall rather than a stateful firewall?

    • Reactive protection against Internet attacks

    • Granularity control within applications

    • Support of TCP-based packet filtering

    • Support for logging

    Correct Answer
    Granularity control within applications
    Explanation
    A benefit of using a next-generation firewall rather than a stateful firewall is granular control within applications. Next-generation firewalls can inspect and control traffic at the application level, allowing more specific and fine-tuned control over the applications being used. This helps prevent unauthorized access to or use of specific applications, providing a higher level of security and control than stateful firewalls, which primarily focus on network-level filtering.

  • 14. 

    What algorithm is used to provide data integrity of a message through the use of a calculated hash value?

    • RSA

    • DH

    • AES

    • HMAC

    Correct Answer
    HMAC
    Explanation
    HMAC (Hash-based Message Authentication Code) is the algorithm used to provide data integrity of a message through the use of a calculated hash value. It combines a cryptographic hash function with a secret key to generate the hash value. This value is appended to the message, allowing the recipient to verify the integrity of the message by recalculating the hash value with the same key and comparing it to the received value.

  • 15. 

    What is a feature of a Cisco IOS Zone-Based Policy Firewall?

    • A router interface can belong to only one zone at a time.

    • Service policies are applied in interface configuration mode.

    • Router management interfaces must be manually assigned to the self zone.

    • The pass action works in multiple directions.

    Correct Answer
    A router interface can belong to only one zone at a time.
    Explanation
    A feature of a Cisco IOS Zone-Based Policy Firewall is that a router interface can belong to only one zone at a time. Each interface on the router is assigned to a specific zone, and traffic between zones is controlled and monitored according to the policies defined for each zone pair. This enhances network security by allowing administrators to enforce different security policies for different zones.

  • 16. 

    What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?

    • DHCP spoofing

    • ARP spoofing

    • VLAN hopping

    • ARP poisoning

    Correct Answer
    VLAN hopping
    Explanation
    Disabling Dynamic Trunking Protocol (DTP) helps mitigate VLAN hopping. VLAN hopping is a Layer 2 attack in which an attacker gains unauthorized access to other VLANs on a network by exploiting the trunking features of switches. By disabling DTP, which is used to negotiate trunking between switches, the attacker's ability to manipulate VLANs and gain unauthorized access is significantly reduced.

  • 17. 

    Why is hashing cryptographically stronger compared to a cyclical redundancy check (CRC)?

    • Hashes are never sent in plain text.

    • It is easy to generate data with the same CRC.

    • It is virtually impossible for two different sets of data to calculate the same hash output.

    • Hashing always uses a 128-bit digest, whereas a CRC can be variable length.

    Correct Answer
    It is virtually impossible for two different sets of data to calculate the same hash output.
    Explanation
    Hashing is cryptographically stronger than a cyclical redundancy check (CRC) because it is virtually impossible for two different sets of data to produce the same hash output. This property is known as collision resistance, and it also means that even a small change in the input data produces a completely different hash value. In contrast, it is relatively easy to generate data with the same CRC, making CRC less suitable for cryptographic purposes. Additionally, hashing always uses a fixed-length digest (such as 128-bit), while a CRC can have variable length, further enhancing the strength of hashing.

  • 18. 

    What is indicated by the use of the local-case keyword in a local AAA authentication configuration command sequence?

    • That AAA is enabled globally on the router.

    • That passwords and usernames are case-sensitive.

    • That a default local database AAA authentication is applied to all lines.

    • That user access is limited to vty terminal lines.

    Correct Answer
    That passwords and usernames are case-sensitive.
    Explanation
    The local-case keyword in a local AAA authentication configuration command sequence indicates that passwords and usernames are case-sensitive. When users enter their usernames or passwords, they must use the correct capitalization in order to authenticate successfully.

  • 19. 

    What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?

    • When the router boots up, the Cisco IOS image is loaded from a secured FTP location.

    • The Cisco IOS image file is not visible in the output of the show flash command.

    • The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.

    • The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.

    Correct Answer
    The Cisco IOS image file is not visible in the output of the show flash command.
    Explanation
    The Cisco IOS Resilient Configuration feature ensures that the Cisco IOS image file is not visible in the output of the show flash command. Even if someone gains access to the router's flash memory, they will not see the IOS image file. This adds an extra layer of security to the device, as it prevents potential attackers from easily identifying and analyzing the IOS image.

  • 20. 

    The corporate security policy dictates that the traffic from the remote-access VPN clients must be separated between trusted traffic that is destined for the corporate subnets and untrusted traffic destined for the public Internet. Which VPN solution should be implemented to ensure compliance with the corporate policy?

    • MPLS

    • Hairpinning

    • GRE

    • Split tunneling

    Correct Answer
    Split tunneling
    Explanation
    Split tunneling should be implemented to ensure compliance with the corporate policy. Split tunneling allows remote-access VPN clients to reach both the corporate subnets and the public Internet at the same time, with trusted traffic directed through the tunnel to the corporate subnets and untrusted traffic sent directly to the public Internet. By implementing split tunneling, the corporate security policy regarding traffic separation can be enforced.

  • 21. 

    Refer to the exhibit. The ip verify source command is applied on untrusted interfaces. Which type of attack is mitigated by using this configuration?

    • DHCP spoofing

    • DHCP starvation

    • STP manipulation

    • MAC and IP address spoofing

    Correct Answer
    MAC and IP address spoofing
    Explanation
    The "ip verify source" command is used to mitigate MAC and IP address spoofing attacks. MAC spoofing involves changing the Media Access Control (MAC) address of a device to impersonate another device on the network, while IP address spoofing involves forging the source IP address in network packets. By applying the "ip verify source" command on untrusted interfaces, the switch verifies the source MAC and IP addresses of incoming packets, helping to prevent spoofing attacks.

  • 22. 

    Refer to the exhibit. If a network administrator is using ASDM to configure a site-to-site VPN between the CCNAS-ASA and R3, which IP address would the administrator use for the peer IP address textbox on the ASA if data traffic is to be encrypted between the two remote LANs?

    • 209.165.201.1

    • 192.168.1.3

    • 172.16.3.1

    • 172.16.3.3

    • 192.168.1.1

    Correct Answer
    209.165.201.1
    Explanation
    The correct answer is 209.165.201.1. This IP address is used as the peer IP address on the ASA because it represents the remote end of the site-to-site VPN whose LAN traffic is to be encrypted.

  • 23. 

    Which network security tool allows an administrator to test and detect weak passwords?

    • L0phtcrack

    • Tripwire

    • Nessus

    • Metasploit

    Correct Answer
    L0phtcrack
    Explanation
    L0phtcrack is a network security tool specifically designed to test and detect weak passwords. Administrators use it to assess the security of their network by identifying vulnerable passwords that could be easily exploited by attackers. L0phtcrack employs techniques such as dictionary attacks, brute force attacks, and rainbow table attacks to crack passwords and report on the strength of the network's password security.

  • 24. 

    On what switch ports should BPDU guard be enabled to enhance STP stability?

    • Only ports that attach to a neighboring switch

    • All PortFast-enabled ports

    • All trunk ports that are not root ports

    • Only ports that are elected as designated ports

    Correct Answer
    All PortFast-enabled ports
    Explanation
    Enabling BPDU guard on all PortFast-enabled ports enhances STP stability. PortFast allows a port to transition rapidly from blocking to forwarding state, bypassing the usual listening and learning states; this can introduce loops in the network if a switch is mistakenly connected to a PortFast-enabled port. With BPDU guard enabled on these ports, any incoming BPDU (Bridge Protocol Data Unit) causes the port to be placed in an error-disabled state, preventing loops and improving STP stability.

  • 25. 

    A company deploys a hub-and-spoke VPN topology where the security appliance is the hub and the remote VPN networks are the spokes. Which VPN method should be used in order for one spoke to communicate with another spoke through the single public interface of the security appliance?

    • Split tunneling

    • MPLS

    • GRE

    • Hairpinning

    Correct Answer
    Hairpinning
    Explanation
    Hairpinning is the correct answer because it refers to allowing communication between two remote VPN networks through the single public interface of the security appliance. When one spoke wants to communicate with another spoke, the traffic is sent to the security appliance, which then redirects it back out through the same interface to the destination spoke. This allows the communication to occur without additional VPN tunnels or external routing.

  • 26. 

    Which interface option could be set through ASDM for a Cisco ASA?

    • Default route

    • Access list

    • VLAN ID

    • NAT/PAT

    Correct Answer
    VLAN ID
    Explanation
    VLAN ID is an interface option that can be set through ASDM for a Cisco ASA. VLANs (Virtual Local Area Networks) are used to logically divide a network into smaller segments, allowing for better network management and security. By setting the VLAN ID through ASDM, administrators can assign specific VLANs to different interfaces on the Cisco ASA, ensuring that traffic is properly segregated and controlled within the network.

  • 27. 

    Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion activity is detected? (Choose three.)

    • Reset UDP connection

    • Reset TCP connection

    • Alert

    • Isolate

    • Inoculate

    • Drop

    Correct Answer(s)
    Reset TCP connection
    Alert
    Drop
    Explanation
    The Cisco IOS Firewall IPS feature can be configured to take three actions when intrusion activity is detected: reset the TCP connection, alert, and drop. When a TCP connection is reset, the firewall terminates the connection to prevent any further communication. Alerts are generated to notify administrators about the detected intrusion activity. The drop action discards the packets associated with the intrusion, blocking them from reaching their destination.

  • 28. 

    Which statement describes the use of certificate classes in the PKI?

    • A class 5 certificate is more trustworthy than a class 4 certificate.

    • Email security is provided by the vendor, not by a certificate.

    • The lower the class number, the more trusted the certificate.

    • A vendor must issue only one class of certificates when acting as a CA.

    Correct Answer
    A class 5 certificate is more trustworthy than a class 4 certificate.
    Explanation
    Certificate classes in a Public Key Infrastructure (PKI) indicate the level of trust and assurance associated with a certificate. The statement "A class 5 certificate is more trustworthy than a class 4 certificate" correctly describes the use of certificate classes: the higher the class number, the greater the level of trust and assurance provided by the certificate. Therefore, a class 5 certificate is considered more trustworthy than a class 4 certificate in the PKI.

  • 29. 

    What mechanism is used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender who is on an inside network?

    • Network Address Translation

    • Access control lists

    • Security zones

    • Stateful packet inspection

    Correct Answer
    Stateful packet inspection
    Explanation
    Stateful packet inspection is the mechanism used by an ASA 5505 device to allow inspected outbound traffic to return to the originating sender on an inside network. The mechanism keeps track of the state of network connections and ensures that only legitimate return traffic is allowed back in. It examines the complete context of each packet, including the source and destination IP addresses, ports, and sequence numbers. By maintaining this state information, the ASA can determine which inbound packets belong to established connections and allow them through while blocking unauthorized traffic.

  • 30. 

    What is a characteristic of most modern viruses?

    • They are usually found attached to online games.

    • Email viruses are the most common type of them.

    • They replicate themselves and locate new targets.

    • They are responsible for some of the most destructive internet attacks.

    Correct Answer
    Email viruses are the most common type of them.
    Explanation
    Most modern viruses are characterized as email viruses, meaning they are commonly spread through email attachments or links. This type of virus is prevalent because of the widespread use of email for communication and the ease with which viruses can be disguised as harmless files or links. Email viruses can cause significant damage by infecting a user's computer or network and spreading to other contacts. As the most common type of virus, email viruses therefore pose a significant threat to internet security.

  • 31. 

    Which two types of hackers are typically classified as grey hat hackers? (Choose two.)

    • Script kiddies

    • Vulnerability brokers

    • Cyber criminals

    • Hacktivists

    Correct Answer(s)
    Vulnerability brokers
    Hacktivists
    Explanation
    Grey hat hackers are individuals who operate between the boundaries of legal and illegal activity. They do not have malicious intent but still engage in hacking activities without proper authorization. Vulnerability brokers are grey hat hackers who discover and sell software vulnerabilities to interested parties, including both ethical and unethical actors. Hacktivists are also considered grey hat hackers, as they use hacking techniques to promote political or social causes, often without explicit authorization. Therefore, vulnerability brokers and hacktivists are the two types of hackers typically classified as grey hat hackers.

  • 32. 

    What type of ACL is designed for use in the configuration of an ASA to support filtering for clientless SSL VPNs?

    • Webtype

    • Standard

    • Ethertype

    • Extended

    Correct Answer
    Webtype
    Explanation
    The correct answer is "Webtype" because this type of ACL is specifically designed for use in the configuration of an ASA (Adaptive Security Appliance) to support filtering for clientless SSL VPNs. A Webtype ACL lets the ASA control the traffic flow for clientless SSL VPN connections, allowing or denying access to specific resources or networks based on defined rules.

  • 33. 

    A security technician is evaluating a new operations security proposal designed to limit access to all servers. What is an advantage of using network security testing to evaluate the new proposal?

    • Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs.

    • Network security testing is most effective when deploying new security proposals.

    • Network security testing is specifically designed to evaluate administrative tasks involving server and workstation access.

    • Network security testing is simple because it requires just one test to evaluate the new proposal.

    Correct Answer
    Network security testing proactively evaluates the effectiveness of the proposal before any real threat occurs.
    Explanation
    The advantage of network security testing for evaluating the new operations security proposal is that it allows the proposal's effectiveness to be evaluated proactively, before any real threat occurs. Security testing identifies potential vulnerabilities and weaknesses so they can be addressed, ensuring that the proposal is robust and capable of protecting the servers. This approach strengthens the organization's overall security posture and reduces the risk of successful attacks or breaches.

  • 34. 

    A network analyst wants to monitor the activity of all new interns. Which type of security testing would track when the interns sign on and sign off the network?

    • Vulnerability scanning

    • Password cracking

    • Network scanning

    • Integrity checker

    Correct Answer
    Integrity checker
    Explanation
    An integrity checker is the type of security testing that would track when the interns sign on and sign off the network. It is designed to monitor and verify the integrity of system files and configurations. By comparing the current state of the system with a known baseline, an integrity checker can detect unauthorized changes or modifications, including login and logout activity. This allows the network analyst to monitor the activity of the new interns and ensure the security and integrity of the network.

  • 35. 

    Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)

    • This message is a level five notification message.

    • This message indicates that service timestamps have been globally enabled.

    • This message indicates that enhanced security was configured on the vty ports.

    • This message appeared because a major error occurred that requires immediate action.

    • This message appeared because a minor error occurred that requires further investigation.

    Correct Answer(s)
    A. This message is a level five notification message.
    A. This message indicates that service timestamps have been globally enabled.
    Explanation
    The two pieces of information that can be gathered from the generated message are:
    1. This message is a level five notification message - This indicates the severity or importance level of the message. Level five typically represents a notification or informational message.
    2. This message indicates that service timestamps have been globally enabled - This suggests that a feature called "service timestamps" has been enabled on a global scale, possibly for logging or troubleshooting purposes.


  • 36. 

    Which security implementation will provide control plane protection for a network device?

    • Encryption for remote access connections

    • AAA for authenticating management access

    • Routing protocol authentication

    • NTP for consistent timestamps on logging messages

    Correct Answer
    A. Routing protocol authentication
    Explanation
    Routing protocol authentication is a security implementation that provides control plane protection for a network device. It ensures that only authorized routers can participate in the routing process by verifying the authenticity of routing updates. This prevents unauthorized devices from injecting false routing information and helps in protecting the network against attacks such as route poisoning or route hijacking. By authenticating the routing protocol, the control plane of the network device is protected, enhancing the overall security of the network.


  • 37. 

    Which security policy characteristic defines the purpose of standards?

    • Step-by-step details regarding methods to deploy company switches

    • Recommended best practices for placement of all company switches

    • Required steps to ensure consistent configuration of all company switches

    • List of suggestions regarding how to quickly configure all company switches

    Correct Answer
    A. Required steps to ensure consistent configuration of all company switches
    Explanation
    The security policy characteristic that defines the purpose of standards is the required steps to ensure consistent configuration of all company switches. Standards provide a set of guidelines and procedures that must be followed in order to achieve a consistent and secure configuration across all switches. By enforcing these required steps, organizations can ensure that all switches are configured in a uniform and secure manner, reducing the risk of vulnerabilities and ensuring compliance with security policies.


  • 38. 

    Refer to the exhibit. Which conclusion can be made from the show crypto map command output that is shown on R1?

    • The crypto map has not yet been applied to an interface.

    • The current peer IP address should be 172.30.2.1.

    • There is a mismatch between the transform sets.

    • The tunnel configuration was established and can be tested with extended pings.

    Correct Answer
    A. The crypto map has not yet been applied to an interface.
    Explanation
    The exhibit shows the output of the "show crypto map" command on R1. Based on this output, it can be concluded that the crypto map has not yet been applied to an interface. This means that the VPN configuration has been created but has not been activated on any specific interface for the traffic to be encrypted or decrypted.


  • 39. 

    What is an advantage in using a packet filtering firewall versus a high-end firewall appliance?

    • Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.

    • Packet filters provide an initial degree of security at the data-link and network layer.

    • Packet filters represent a complete firewall solution.

    • Packet filters are not susceptible to IP spoofing.

    Correct Answer
    A. Packet filters perform almost all the tasks of a high-end firewall at a fraction of the cost.
    Explanation
    An advantage of using a packet filtering firewall versus a high-end firewall appliance is that packet filters can perform most of the tasks of a high-end firewall but at a much lower cost. This means that organizations can achieve a high level of security without having to invest in expensive hardware or software. Packet filters are a cost-effective solution for providing an initial degree of security at the data-link and network layer, making them a favorable option for many businesses.


  • 40. 

    A company deploys a Cisco ASA with the Cisco CWS connector enabled as the firewall on the border of corporate network. An employee on the internal network is accessing a public website. What should the employee do in order to make sure the web traffic is protected by the Cisco CWS?

    • Register the destination website on the Cisco ASA.

    • Use the Cisco AnyConnect Secure Mobility Client first.

    • Use a web browser to visit the destination website.

    • First visit a website that is located on a web server in the Cisco CWS infrastructure.

    Correct Answer
    A. Use a web browser to visit the destination website.
    Explanation
    The employee should use a web browser to visit the destination website. This is because the Cisco ASA with the Cisco CWS connector enabled acts as the firewall on the corporate network's border. By using a web browser to visit the destination website, the web traffic will pass through the Cisco ASA and be protected by the Cisco CWS.


  • 41. 

    In an AAA-enabled network, a user issues the configure terminal command from the privileged executive mode of operation. What AAA function is at work if this command is rejected?

    • Authorization

    • Authentication

    • Auditing

    • Accounting

    Correct Answer
    A. Authorization
    Explanation
    If the "configure terminal" command is rejected in an AAA-enabled network, the AAA function at work is authorization. Authorization determines whether a user has the necessary privileges to perform a specific action or access certain resources. In this case, the rejection of the command indicates that the user does not have the authorization to enter the configuration mode.


  • 42. 

    If a network administrator wants to track the usage of FTP services, which keyword or keywords should be added to the aaa accounting command?

    • Exec default

    • Connection

    • Exec

    • Network

    Correct Answer
    A. Exec
    Explanation
    The keyword "exec" should be added to the aaa accounting command in order to track the usage of FTP services. This keyword specifically tracks the execution of commands on the device, which would include any FTP commands that are executed. By adding this keyword to the aaa accounting command, the network administrator will be able to monitor and track the usage of FTP services on the network.


  • 43. 

    What provides both secure segmentation and threat defense in a Secure Data Center solution?

    • Cisco Security Manager software

    • AAA server

    • Adaptive Security Appliance

    • Intrusion prevention system

    Correct Answer
    A. Adaptive Security Appliance
    Explanation
    The Adaptive Security Appliance (ASA) provides both secure segmentation and threat defense in a Secure Data Center solution. ASA is a firewall and security device that offers advanced security features such as intrusion prevention, virtual private network (VPN) capabilities, and secure segmentation through the use of firewall rules and policies. It helps protect the data center from external threats and ensures that different segments within the data center are isolated and secure from each other.


  • 44. 

    A network technician is attempting to resolve problems with the NAT configuration on an ASA. The technician generates a ping from an inside host to an outside host. Which command verifies that addresses are being translated on the ASA?

    • Show ip nat translation

    • Show running-config

    • Show xlate

    • Show ip address

    Correct Answer
    A. Show xlate
    Explanation
    The correct answer is "show xlate" because this command is used to display the translations that are currently active in the NAT table of the ASA. It will show the inside local IP addresses and corresponding outside global IP addresses that have been translated. This command helps the technician verify if the NAT configuration is working correctly and if addresses are being translated as expected.


  • 45. 

    Which statement describes a characteristic of the IKE protocol?

    • It uses UDP port 500 to exchange IKE information between the security gateways.

    • IKE Phase 1 can be implemented in three different modes: main, aggressive, or quick.

    • It allows for the transmission of keys directly across a network.

    • The purpose of IKE Phase 2 is to negotiate a security association between two IKE peers.

    Correct Answer
    A. It uses UDP port 500 to exchange IKE information between the security gateways.
    Explanation
    IKE (Internet Key Exchange) is a protocol used for establishing a secure communication channel between two security gateways. One of the characteristics of the IKE protocol is that it uses UDP port 500 for exchanging IKE information between the gateways. UDP (User Datagram Protocol) is a connectionless protocol that allows for fast and efficient communication. By using UDP port 500, IKE ensures that the exchange of information between the gateways is secure and reliable.


  • 46. 

    Refer to the exhibit. Based on the security levels of the interfaces on the ASA, what statement correctly describes the flow of traffic allowed on the interfaces?

    • Traffic that is sent from the LAN and the Internet to the DMZ is considered inbound.

    • Traffic that is sent from the DMZ and the Internet to the LAN is considered outbound.

    • Traffic that is sent from the LAN to the DMZ is considered inbound.

    • Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.

    Correct Answer
    A. Traffic that is sent from the DMZ and the LAN to the Internet is considered outbound.
    Explanation
    The security levels of the interfaces on the ASA determine the flow of traffic. In this scenario, the LAN and DMZ interfaces have higher security levels than the Internet interface. Traffic sent from the DMZ and the LAN to the Internet is therefore considered outbound: traffic originating on the more secure networks (LAN and DMZ) and going toward the less secure network (Internet) is allowed.


  • 47. 

    Which IDS/IPS signature alarm will look for packets that are destined to or from a particular port?

    • Honey pot-based

    • Anomaly-based

    • Signature-based

    • Policy-based

    Correct Answer
    A. Signature-based
    Explanation
    Signature-based IDS/IPS alarms are designed to detect specific patterns or signatures in network traffic. In this case, the alarm will look for packets that are destined to or from a particular port. It will compare the network traffic against a database of known signatures or patterns associated with malicious activity, and if a match is found, it will trigger an alarm. This method is effective for detecting known threats and attacks, but it may not be as effective against new or unknown threats.


  • 48. 

    What is a characteristic of a role-based CLI view of router configuration?

    • When a superview is deleted, the associated CLI views are deleted.

    • A single CLI view can be shared within multiple superviews.

    • A CLI view has a command hierarchy, with higher and lower views.

    • Only a superview user can configure a new view and add or remove commands from the existing views.

    Correct Answer
    A. A single CLI view can be shared within multiple superviews.
    Explanation
    In a role-based CLI view of router configuration, a single CLI view can be shared within multiple superviews. This means that multiple users with different roles or privileges can have access to the same CLI view and make configuration changes accordingly. This allows for better collaboration and flexibility in managing the router configuration.


  • 49. 

    Refer to the exhibit. An administrator issues these IOS login enhancement commands to increase the security for login connections. What can be concluded about them?

    • Because the login delay command was not used, a one-minute delay between login attempts is assumed.

    • The hosts that are identified in the ACL will have access to the device.

    • The login block-for command permits the attacker to try 150 attempts before being stopped to try again.

    • These enhancements apply to all types of login connections.

    Correct Answer
    A. The hosts that are identified in the ACL will have access to the device.
    Explanation
    The given commands indicate that the hosts identified in the ACL will have access to the device. These commands are used to increase the security for login connections, but they do not provide any information about a login delay or the number of login attempts permitted before being stopped. Additionally, it is not mentioned whether these enhancements apply to all types of login connections or not.


Quiz Review Timeline (Updated): Sep 4, 2023

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Current Version: Sep 04, 2023, quiz edited by ProProfs Editorial Team
  • Apr 23, 2020, quiz created by Jokinen