CCNA Security Part 2 Quiz

77 Questions | Total Attempts: 167


CCNA Routing & Switching courses and prepares you for Cisco Security certification. Let's begin this quiz now!


Questions and Answers
  • 1. 
    What will be disabled as a result of the no service password-recovery command?
    • A. 

      aaa new-model global configuration command.

    • B. 

      Change to the configuration register.

    • C. 

      Password encryption service.

    • D. 

      Ability to access ROMmon.

  • 2. 
    What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
    • A. 

      All vty ports are automatically configured for SSH to provide secure management.

    • B. 

      The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys mo command.

    • C. 

      The generated keys can be used by SSH.

  • 3. 
    Which action best describes a MAC address spoofing attack?
    • A. 

      Altering the MAC address of an attacking host to match that of a legitimate host.

    • B. 

      Bombarding a switch with fake source MAC addresses.

    • C. 

      Forcing the election of a rogue root bridge

    • D. 

      Flooding the LAN with excessive traffic

  • 4. 
    What functionality is provided by Cisco SPAN in a switched network?    
    • A. 

      It mitigates MAC address overflow attacks.

    • B. 

      It mirrors traffic that passes through a switch port or VLAN to another port for traffic analysis.

    • C. 

      It protects the switched network from receiving BPDUs on ports that should not be receiving them.

    • D. 

      It copies traffic that passes through a switch interface and sends the data directly to a syslog or SNMP server for analysis.

    • E. 

      It inspects voice protocols to ensure that SIP, SCCP, H.323, and MGCP requests conform to voice standards.

  • 5. 
    What precaution should be considered when the no service password-recovery command has been issued on an IOS device?
    • A. 

      The passwords in the configuration files are in clear text.

    • B. 

      IOS recovery requires a new system flash with the IOS image.

    • C. 

      When the password is lost, access to the device will be terminated.

    • D. 

      The device must use simple password authentication and cannot have user authentication.

  • 6. 
    A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?  
    • A. 

      Authenticates a packet using the SHA algorithm only.

    • B. 

      Authenticates a packet by a string match of the username or community string.

    • C. 

      Authenticates a packet by using either the HMAC with MD5 method or the SHA method.

    • D. 

      Authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms.

  • 7. 
    Refer to the exhibit. Which type of VPN is implemented?
    • A. 

      Remote-access GRE VPN

    • B. 

      Remote-access IPsec VPN

    • C. 

      Remote-access SSL VPN

    • D. 

      Site-to-site GRE VPN

    • E. 

      Site-to-site IPsec VPN

  • 8. 
    Router(config)# ntp authenticate
    Router(config)# ntp authentication-key 42 md5 aNiceKey
    Router(config)# ntp trusted-key 2
    Refer to the exhibit. What will be the effect of the commands that are shown on R1?
    • A. 

      Authentication with the NTP master will be successful, and R1 will get the time from the NTP master.

    • B. 

      Authentication with the NTP master will be successful, but R1 will not get the time from the NTP master.

    • C. 

      Authentication with the NTP master will fail, and R1 will get the time from the NTP master.

    • D. 

      Authentication with the NTP master will fail, and R1 will not get the time from the NTP master.

  • 9. 
    What login enhancement configuration command helps prevent successive login DoS attacks?
    • A. 

      exec-timeout

    • B. 

      login block-for

    • C. 

      privilege exec level

    • D. 

      service password-encryption

  • 10. 
    What are access attacks?
    • A. 

      Attacks that prevent users from accessing network services

    • B. 

      Attacks that modify or corrupt traffic as that traffic travels across the network

    • C. 

      Attacks that exploit vulnerabilities to gain access to sensitive information

    • D. 

      Attacks that involve the unauthorized discovery and mapping of systems, services, and vulnerabilities

  • 11. 
    Nov 30 11:00:24 EST: %SYS-5-CONFIG-I: Configured from console by vty0 (10.64.2.2)
    Refer to the exhibit. An administrator is examining the message in a syslog server. What can be determined from the message?
    • A. 

      This is a notification message for a normal but significant condition

    • B. 

      This is an alert message for which immediate action is needed

    • C. 

      This is an error message for which warning conditions exist.

    • D. 

      This is an error message indicating the system is unusable

  • 12. 
    Which three major subpolicies should comprise a comprehensive security policy that meets the security needs of a typical enterprise? (Choose three)
    • A. 

      End-user policies

    • B. 

      Departmental policies

    • C. 

      Governing policies

    • D. 

      Human resource policies

    • E. 

      Organizational policies

    • F. 

      Technical policies

  • 13. 
    R1(config)# logging host 10.1.1.17
    R1(config)# logging trap errors
    R1(config)# logging source-interface loopback 0
    R1(config)# logging on
    Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
    • A. 

      2

    • B. 

      3

    • C. 

      5

    • D. 

      6

  • 14. 
    Which mitigation technique can help prevent MAC table overflow attacks?
    • A. 

      Root guard

    • B. 

      BPDU guard

    • C. 

      Storm control

    • D. 

      Switchport security

  • 15. 
    An organization requires that individual users be authorized to issue specific Cisco IOS commands. Which AAA protocol supports this requirement?
    • A. 

      TACACS+ because it separates authentication and authorization, allowing for more customization.

    • B. 

      RADIUS because it supports multiple protocols, including ARA and NetBEUI.

    • C. 

      TACACS+ because it supports extensive accounting on a per-user or per-group basis.

    • D. 

      RADIUS because it implements authentication and authorization as one process.

  • 16. 
    Refer to the exhibit. Based on the IPS configuration that is provided, which statement is true?
    • A. 

      The signatures in all categories will be retired and not be used by the IPS.

    • B. 

      The signatures in all categories will be compiled into memory and used by the IPS.

    • C. 

      Only the signatures in the ios_ips basic category will be compiled into memory and used by the IPS.

    • D. 

      The signatures in the ios_ips basic category will be retired and the remaining signatures will be compiled into memory and used by the IPS.

  • 17. 
    Refer to the exhibit. Based on the provided configuration, which traffic will be examined by the IPS that is configured on router R1?
    • A. 

      Traffic that is initiated from LAN 1 and LAN 2

    • B. 

      HTTP traffic that is initiated from LAN 1

    • C. 

      Return traffic from the web server

    • D. 

      Traffic that is destined to LAN 1 and LAN 2

    • E. 

      No traffic will be inspected

  • 18. 
    Refer to the exhibit. An administrator is configuring ZPF using the SDM Basic Firewall Configuration wizard. Which command is generated after the administrator selects the Finish button?
    • A. 

      Zone security Out-zone on interface Fa0/0

    • B. 

      Zone security Out-zone on interface S0/0/0

    • C. 

      Zone member security Out-zone on interface Fa0/0

    • D. 

      Zone member security Out-zone on interface s0/0/0

  • 19. 
    Which two statements describe appropriate general guidelines for configuring and applying ACLs? (Choose two)
    • A. 

      Multiple ACLs per protocol and per direction can be applied to an interface.

    • B. 

      If an ACL contains no permit statements, all traffic is denied by default.

    • C. 

      The most specific ACL statements should be entered first because of the top-down sequential nature of ACLs.

    • D. 

      Standard ACLs are placed closest to the source, whereas Extended ACLs are placed closest to the destination.

    • E. 

      If a single ACL is to be applied to multiple interfaces, it must be configured with a unique number for each interface.

  • 20. 
    Which three statements are characteristics of the IPsec protocol? (Choose three)
    • A. 

      IPsec is a framework of open standards.

    • B. 

      IPsec is implemented at Layer 4 of the OSI model.

    • C. 

      IPsec ensures data integrity by using a hash algorithm.

    • D. 

      IPsec uses digital certificates to guarantee confidentiality

    • E. 

      IPsec is bound to specific encryption algorithms, such as 3DES and AES.

    • F. 

      IPsec authenticates users and devices that communicate independently.

  • 21. 
    Which three additional precautions should be taken when remote access is required in addition to local access of networking devices? (Choose three)
    • A. 

      A legal notice should not be displayed when access is obtained.

    • B. 

      All activity to the specified ports that are required for access should be unrestricted.

    • C. 

      All configuration activities should require the use of SSH or HTTPS.

    • D. 

      All administrative traffic should be dedicated to the management network.

    • E. 

      The number of failed login attempts should not be limited, but the time between attempts should.

    • F. 

      Packet filtering should be required so that only identified administration hosts and protocols can gain access.

  • 22. 
    Which statement describes a factor to be considered when configuring a zone-based policy firewall?
    • A. 

      An interface can belong to multiple zones.

    • B. 

      The router always filters the traffic between interfaces in the same zone.

    • C. 

      The router always filters the traffic between interfaces in the same zone.

    • D. 

      A zone must be configured with the zone security global command before it can be used in the zone-member security command.

  • 23. 
    What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?
    • A. 

      The Cisco IOS image file is not visible in the output of the show flash command.

    • B. 

      The Cisco IOS image is encrypted and then automatically backed up to a TFTP server.

    • C. 

      The Cisco IOS image is encrypted and then automatically backed up to the NVRAM.

    • D. 

      When the router boots up, the Cisco IOS image is loaded from a secure FTP location

  • 24. 
    What are three common examples of AAA implementation on Cisco routers? (Choose three)
    • A. 

      Authenticating administrator access to the router console port, and vty ports

    • B. 

      Authenticating remote users who are accessing the corporate LAN through IPsec VPN connections

    • C. 

      Implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates

    • D. 

      Implementing command authorization with TACACS+

    • E. 

      Securing the router by locking down all unused services

    • F. 

      Tracking Cisco Netflow accounting statistics

  • 25. 
    When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
    • A. 

      The violation mode for the port is set to restrict.

    • B. 

      The MAC address table is cleared, and the new MAC address is entered into the table.

    • C. 

      The port remains enabled, but the bandwidth is throttled until the old MAC addresses are aged out.

    • D. 

      The port is shut down.
