CISCO CCNA Security Test
(167).jpg "CISCO CCNA Security Test - Quiz")
.
- 1.
Which VPN component ensures that data cannot be read while in transit?Select one:
- A.
Key exchange
- B.
Authentication
- C.
Encryption
- D.
Data integrity
Correct Answer
C. EncryptionExplanation
The correct answer is: encryptionRate this question:
-
- 2.
Which two places are valid logging destinations?Select one:
- A.
Syslog Server, NVRAM
- B.
Syslog Server, FTP Server
- C.
NVRAM, FTP Server
- D.
Secure Web Server, FTP Server
Correct Answer
A. Syslog Server, NVRAMExplanation
The correct answer is: Syslog Server, NVRAMRate this question:
-
- 3.
Review the following code snippet: aaa new-model aaa authentication login default group tacacs+ enable tacacs-server host 192.168.1.20 tacacs-server key T@C@c$P@ssW0rd!What is the password the TACACS server must use to establish a valid connection to the router?Select one:
- A.
Not enough information is provided.
- B.
The password is - T@C@c$P@ssW0rd!
- C.
No password is required with TACACS
- D.
The password is configured using the username command and is not shown in this configuration.
Correct Answer
B. The password is - T@C@c$P@ssW0rd!Explanation
The correct answer is: The password is - T@C@c$P@ssW0rd!Rate this question:
-
- 4.
Which plane is used to access, configure and manage a router?Select one:
- A.
Data plane
- B.
Network plane
- C.
Management plane
- D.
Control plane
Correct Answer
C. Management planeExplanation
The correct answer is: Management planeRate this question:
-
- 5.
Which option will disable the Daytime service on a Cisco router?Select one:
- A.
R1>no service daytime
- B.
R1(config)#no service udp-small-servers
- C.
R1(config)#no service daytime
- D.
R1(config)#no service tcp-small-servers
Correct Answer
D. R1(config)#no service tcp-small-serversExplanation
The correct answer is: R1(config)#no service tcp-small-serversRate this question:
-
- 6.
Which of the following IP addresses are considered private? Choose all correct answers.Select one or more:
- A.
10.10.30.1
- B.
203.193.193.222
- C.
172.32.254.1
- D.
192.167.23.11
Correct Answer
A. 10.10.30.1Explanation
The correct answer is: 10.10.30.1Rate this question:
-
- 7.
Which of the following is NOT considered best security practice when hardening Cisco IOS devices?Select one:
- A.
Use SSH only for remote management
- B.
Use SNMP v1 for management
- C.
Shutdown unused ports
- D.
Disable CDP
Correct Answer
B. Use SNMP v1 for managementExplanation
The correct answer is: Use SNMP v1 for managementRate this question:
-
- 8.
In a security context what does CIA stand for?Select one:
- A.
Central Intelligence Agency
- B.
Confidentiality, Integrity, Avoidance
- C.
Confidentiality, Integrity, Availability
- D.
Contextual Internet Availability
Correct Answer
C. Confidentiality, Integrity, AvailabilityExplanation
The correct answer is: Confidentiality, Integrity, AvailabilitRate this question:
-
- 9.
What would be the end result if the management plane of your router was compromised?Select one:
- A.
SNMP traps would not be received by the syslog server.
- B.
All management access to the router would be lost.
- C.
Packets would be dropped at increasing rates until the memory buffers overflowed.
- D.
CPU cycles would be wasted.
Correct Answer
B. All management access to the router would be lost.Explanation
The correct answer is: All management access to the router would be lost.Rate this question:
-
- 10.
Review the following code snippet and answer the statement at the bottom: line aux 0 transport input none transport output none no exec exec-timeout 0 1 no passwordThis code will result in the console port being disabled.Select one:
- A.
True
- B.
False
Correct Answer
B. FalseExplanation
This code will disabled the AUX port not the console port
The correct answer is 'False'.Rate this question:
-
- 11.
Consider the following code and answer the question below:interface ethernet 0ip access-group no_web outip access-list extended no_webdeny host 172.20.3.85 any eq httpdeny host 172.20.3.13 any eq httppermit 172.20.0.0 0.0.255.255 any eq httpIn what direction is the access-list applied?Select one:
- A.
Inbound on ethernet 0
- B.
Outbound on ethernet 0
- C.
Outbound on ethernet 1
- D.
Direction is not specified
Correct Answer
B. Outbound on ethernet 0Explanation
The correct answer is: Outbound on ethernet 0Rate this question:
-
- 12.
Consider the following code and answer the question below:ip access-list extended no_webdeny host 172.20.3.85 any eq httpdeny host 172.20.3.13 any eq httppermit 172.20.0.0 0.0.255.255 any eq httpHow would you modify the bolded code to deny all hosts on the subnet 172.20.4.0 from accessing via secure web?Select one:
- A.
Deny 172.20.4.0 0.0.0.255 any eq http
- B.
Deny 172.20.4.0 0.0.0.255 any eq secure
- C.
Deny 172.20.4.0 0.0.0.255 any eq https
- D.
Deny 172.20.4.0 0.0.0.255 any eq ssh
Correct Answer
C. Deny 172.20.4.0 0.0.0.255 any eq httpsExplanation
The correct answer is: deny 172.20.4.0 0.0.0.255 any eq httpsRate this question:
-
- 13.
Which one of the following wildcard masks will match exactly all hosts on the 172.16.0.0/24 and 172.16.1.0/24 subnets?Select one:
- A.
0.0.0.255
- B.
0.0.3.255
- C.
0.0.1.255
- D.
0.0.16.255
Correct Answer
C. 0.0.1.255Explanation
The correct answer is: 0.0.1.255Rate this question:
-
- 14.
What type of access list allows IP packets to be filtered based on upper-layer session information?Select one:
- A.
Standard
- B.
Extended
- C.
Reflexive
- D.
Dynamic
Correct Answer
C. ReflexiveExplanation
The correct answer is: ReflexiveRate this question:
-
- 15.
What is another name for Lock & Key access lists?Select one:
- A.
Dynamic Access List
- B.
Standard Access List
- C.
Reflexive Access List
- D.
Time-Based Access List
Correct Answer
A. Dynamic Access ListExplanation
The correct answer is: Dynamic Access ListRate this question:
-
- 16.
Which of the following answers describes CBAC?Select one:
- A.
A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.
- B.
A feature of router software that detects abnormal traffic patterns.
- C.
A feature of router software that controls authentication processes on the local router.
- D.
A feature of router software that blocks traffic based on specific patterns of behavior.
Correct Answer
A. A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.Explanation
The correct answer is: A feature of firewall software which intelligently filters TCP and UDP packets based on application layer protocol session information.Rate this question:
-
- 17.
Which item represents the standard IP ACL?Select one:
- A.
Access-list 50 deny 192.168.1.1 0.0.0.255
- B.
Access-list 110 permit ip any any
- C.
Access-list 2500 deny tcp any host 192.168.1.1 eq 22
- D.
Access-list 101 deny tcp any host 192.168.1.1
Correct Answer
A. Access-list 50 deny 192.168.1.1 0.0.0.255Explanation
The correct answer is: access-list 50 deny 192.168.1.1 0.0.0.255Rate this question:
-
- 18.
A network administrator is configuring ACLs on a Cisco router, to allow traffic from hosts on networks 172.17.146.0, 172.17.147.0, 172.17.148.0, and 172.17.149.0 only. Which two ACL statements, when combined, would you use to accomplish this task? (Choose two)
- A.
Access-list 10 permit ip 172.17.146.0 0.0.1.255
- B.
Access-list 10 permit ip 172.17.147.0 0.0.255.255
- C.
Access-list 10 permit ip 172.17.148.0 0.0.1.255
- D.
Access-list 10 permit ip 172.17.149.0 0.0.255.255
- E.
Access-list 10 permit ip 172.17.146.0 0.0.0.255
- F.
Access-list 10 permit ip 172.17.146.0 255.255.255.0
Correct Answer(s)
A. Access-list 10 permit ip 172.17.146.0 0.0.1.255
C. Access-list 10 permit ip 172.17.148.0 0.0.1.255Explanation
To accomplish the task of allowing traffic from hosts on networks 172.17.146.0, 172.17.147.0, 172.17.148.0, and 172.17.149.0 only, we need to use two ACL statements that cover all these networks while denying all other traffic.
The correct ACL statements to accomplish this task are:
access-list 10 permit ip 172.17.146.0 0.0.1.255
This statement permits traffic from the network 172.17.146.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.146.0 and 172.17.147.0 networks.
access-list 10 permit ip 172.17.148.0 0.0.1.255
This statement permits traffic from the network 172.17.148.0 with a wildcard mask of 0.0.1.255, covering both the 172.17.148.0 and 172.17.149.0 networks.
Combining these two ACL statements will allow traffic from all specified networks while denying traffic from any other networks. Therefore, the correct options are:
access-list 10 permit ip 172.17.146.0 0.0.1.255
access-list 10 permit ip 172.17.148.0 0.0.1.255Rate this question:
-
- 19.
Which statement about access lists that are applied to an interface is true?Select one:
- A.
You can apply only one access list on any interface
- B.
You can configure one access list, per direction, per layer 3 protocol
- C.
You can place as many access lists as you want on any interface
- D.
You can configure one access list, per direction, per layer 2 protocol
Correct Answer
B. You can configure one access list, per direction, per layer 3 protocolExplanation
The correct answer is: you can configure one access list, per direction, per layer 3 protocolRate this question:
-
- 20.
You want to allow a temporary entry for a remote user with a specific username and password so that the user can access the entire network over the internet. Which ACL can be used?Select one:
- A.
Reflexive
- B.
Extended
- C.
Standard
- D.
Dynamic
Correct Answer
D. DynamicExplanation
The correct answer is: dynamicRate this question:
-
- 21.
What is the first step you should take when trying to secure your network?Select one:
- A.
Install a firewall
- B.
Install an IPS
- C.
Update servers and PCs with the latest patches & AV signatures
- D.
Develop a security policy
Correct Answer
D. Develop a security policyExplanation
The correct answer is: Develop a security policyRate this question:
-
- 22.
Which of the following is enabled when RSA keys are generated? Select one:
- A.
The password encryptions service
- B.
Telnet access with the password "password
- C.
SSL
- D.
SSH
Correct Answer
D. SSHExplanation
The correct answer is: SSHRate this question:
-
- 23.
If you're using an extended ACL to block traffic to a server located on the remote side of your WAN, where should you place the ACL? Choose the two best answers.Select one or more:
- A.
Remote side of the WAN
- B.
As close to the source as possible
- C.
On the local side of the WAN
- D.
As close to the destination as possible
Correct Answer(s)
B. As close to the source as possible
C. On the local side of the WANExplanation
The correct answer is: As close to the source as possible, On the local side of the WANRate this question:
-
- 24.
Which technology dynamically builds a table for the purpose of permitting thereturn traffic from an outside server, back to the client, in spite of a default securitypolicy that says no traffic is allowed to initiate from the outside networks?Select one:
- A.
Proxy
- B.
NAT
- C.
Packet filtering
- D.
Stateful filtering
Correct Answer
D. Stateful filteringExplanation
The correct answer is: Stateful filteringRate this question:
-
- 25.
What term refers to the internal IP address of a client using NAT as seen from other devices on the same internal network as the client?Select one:
- A.
Inside local
- B.
Inside global
- C.
Outside local
- D.
Outside global
Correct Answer
A. Inside localExplanation
The correct answer is: Inside localRate this question:
-
- 26.
If interface number 1 is in zone A, and interface number 2 is in zone B, and there is no policy or service commands applied yet to the configuration, what is the status of transit traffic that is being routed between these two interfaces?Select one:
- A.
Denied
- B.
Permitted
- C.
Inspected
- D.
Logged
Correct Answer
A. DeniedExplanation
The correct answer is: DeniedRate this question:
-
- 27.
What is the default policy between an administratively created zone and the self zone?Select one:
- A.
Deny
- B.
Permit
- C.
Inspect
- D.
Log
Correct Answer
B. PermitExplanation
The correct answer is: PermitRate this question:
-
- 28.
Why is it that the return traffic, from previously inspected sessions, is allowed back to the user, in spite of not having a zone pair explicitly configured that matches on the return traffic?Select one:
- A.
Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.
- B.
Return traffic is not allowed because it is a firewall.
- C.
Explicit ACL rules need to be placed on the return path to allow the return traffic.
- D.
A zone pair in the opposite direction of the initial zone pair
Correct Answer
A. Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.Explanation
The correct answer is: Stateful entries (from the initial flow) are matched, which dynamically allows return traffic.Rate this question:
-
- 29.
How does IPS have the ability to prevent an ICMP-based attack from reaching the intended victim?Select one:
- A.
Policy-based routing
- B.
TCP resets are used.
- C.
The IPS is inline with the traffic.
- D.
The IPS is in promiscuous mode
Correct Answer
C. The IPS is inline with the traffic.Explanation
The correct answer is: The IPS is inline with the traffic.Rate this question:
-
- 30.
Which method should you implement when it is not acceptable for an attack to reach its intended victim?Select one:
- A.
IDS
- B.
IPS
- C.
Out of band
- D.
Hardware appliance
Correct Answer
B. IPSExplanation
The correct answer is: IPSRate this question:
-
- 31.
Which method of IPS uses a baseline of normal network behaviour and looks for deviations from that baseline?Select one:
- A.
Reputation-based IPS
- B.
Policy-based IPS
- C.
Signature-based IPS
- D.
Anomaly-based IPS
Correct Answer
D. Anomaly-based IPSExplanation
The correct answer is: Anomaly-based IPSRate this question:
-
- 32.
Because of how a router operates, which IPS/IDS mode does it operate in?Select one:
- A.
Promiscuous
- B.
Out-of-band
- C.
IPS
- D.
IDS
Correct Answer
C. IPSExplanation
The correct answer is: IPSRate this question:
-
- 33.
Which of the following are examples of tuning a signature? (Choose all that apply.)Select one or more:
- A.
Changing the default severity level
- B.
Changing password by own
- C.
Disabling it if it was enabled by default
- D.
Changing the default action
Correct Answer(s)
A. Changing the default severity level
C. Disabling it if it was enabled by default
D. Changing the default actionExplanation
The correct answer is: Changing the default severity level, Disabling it if it was enabled by default, Changing the default actionRate this question:
-
- 34.
Why is it considered a best practice to avoid compiling, enabling, and running all available signatures? (Choose all that apply.)Select one or more:
- A.
CPU utilization
- B.
Memory utilization
- C.
The size of NVRAM
- D.
Not a best practice
Correct Answer(s)
A. CPU utilization
B. Memory utilizationExplanation
The correct answer is: CPU utilization, Memory utilizationRate this question:
-
- 35.
What element in a VPN provides the Privacy?Select one:
- A.
Data integrity
- B.
Confidentiality
- C.
Antireplay
- D.
Authentication
Correct Answer
B. ConfidentialityExplanation
The correct answer is: ConfidentialityRate this question:
-
- 36.
What algorithms in a VPN provide the confidentiality? (Choose all that apply.)Select one or more:
- A.
MD5
- B.
SHA-1
- C.
AES
- D.
3DES
Correct Answer(s)
C. AES
D. 3DESExplanation
The correct answer is: AES, 3DESRate this question:
-
- 37.
Which type of VPN technology is likely to be used in a site-to-site VPN?Select one:
- A.
SSL
- B.
TLS
- C.
HTTPS
- D.
IPsec
Correct Answer
D. IPsecExplanation
The correct answer is: IPsecRate this question:
-
- 38.
Why is the public key in a typical public-private key pair referred to as public?Select one:
- A.
Because the public already has it.
- B.
Because it is shared publicly.
- C.
Because it is a well-known algorithm that is published.
- D.
The last name of the creator was publica, which is Latin for public.
Correct Answer
B. Because it is shared publicly.Explanation
The correct answer is: Because it is shared publicly.Rate this question:
-
- 39.
Which of the following are negotiated during IKE Phase 1? (Choose all that apply.)Select one or more:
- A.
Hashing
- B.
DH group
- C.
Hex Encryption
- D.
Authentication method
Correct Answer(s)
A. Hashing
B. DH group
D. Authentication methodExplanation
The correct answer is: Hashing, DH group, Authentication methodRate this question:
-
- 40.
How is the negotiation of the IPsec (IKE Phase 2) tunnel done securely?Select one:
- A.
Uses the IKE Phase 1 tunnel
- B.
Uses the IPsec tunnel
- C.
Uses the IKE Phase 2 tunnel
- D.
Uses RSA
Correct Answer
A. Uses the IKE Phase 1 tunnelExplanation
The correct answer is: Uses the IKE Phase 1 tunnelRate this question:
-
- 41.
How is it possible that a packet with a private Layer 3 destination address is forwarded over the Internet?Select one:
- A.
It is encapsulated into another packet, and the Internet only sees the outside valid IP destination address.
- B.
It cannot be sent. It will always be dropped.
- C.
The Internet does not filter private addresses, only some public addresses, based on policy.
- D.
NAT is used to change the destination IP address before the packet is sent.
Correct Answer
C. The Internet does not filter private addresses, only some public addresses, based on policy.Explanation
The correct answer is: The Internet does not filter private addresses, only some public addresses, based on policy.Rate this question:
-
- 42.
Which of the following would cause a VPN tunnel using IPsec to never initialize or work correctly? (Choose all that apply.)Select one or more:
- A.
Incompatible IKE Phase 2 transform sets
- B.
Incorrect pre-shared keys or missing digital certificates
- C.
Incorrect dns
- D.
Incorrect routing
Correct Answer(s)
A. Incompatible IKE Phase 2 transform sets
B. Incorrect pre-shared keys or missing digital certificates
D. Incorrect routingExplanation
The correct answer is: Incompatible IKE Phase 2 transform sets, Incorrect pre-shared keys or missing digital certificates, Incorrect routingRate this question:
-
- 43.
Which of the following are defense-in-depth approaches? (Choose all that apply.)Select one or more:
- A.
Performing filtering at the router and the firewall
- B.
Requiring authentication for the administrator to connect
- C.
Implementing multiple security features on the firewall only, because of the dedicated appliance having the CPU and resources to implement all of them
- D.
Don't use proxy
Correct Answer(s)
A. Performing filtering at the router and the firewall
B. Requiring authentication for the administrator to connect
C. Implementing multiple security features on the firewall only, because of the dedicated appliance having the CPU and resources to implement all of themExplanation
The correct answer is: Performing filtering at the router and the firewall, Requiring authentication for the administrator to connectRate this question:
-
- 44.
What is the term for tricking a user into revealing sensitive or confidential information, including information about user credentials?Select one:
- A.
Eavesdropping
- B.
Cross-site scripting
- C.
Denial of service
- D.
Social engineering
Correct Answer
D. Social engineeringExplanation
The correct answer is: Social engineeringRate this question:
-
- 45.
Which device can analyze network traffic in real time, generate alerts, and even prevent the first malicious packet from entering the network?Select one:
- A.
IPS
- B.
CSM
- C.
IDS
- D.
CCP
Correct Answer
A. IPSExplanation
The correct answer is: IPSRate this question:
-
- 46.
What happens when an access list has 100 lines and a match occurs on line 14?Select one:
- A.
Lines 15 through 100 are parsed as a group object.
- B.
The ACL acts on the packet, and no further list processing is done for that packet.
- C.
The ACL is processed all the way through line 100, to see whether there is a more strict policy that should be applied
- D.
There cannot be a line 14 because the only lines permitted start with 10 and increment by 10.
Correct Answer
B. The ACL acts on the packet, and no further list processing is done for that packet.Explanation
The correct answer is: The ACL acts on the packet, and no further list processing is done for that packet.Rate this question:
-
- 47.
Which of the following is not a best practice to protect the management plane?(Choose all that apply.)Select one or more:
- A.
HTTP
- B.
Telnet
- C.
HTTPS
- D.
SSH
Correct Answer(s)
A. HTTP
B. TelnetExplanation
The correct answer is: HTTP, TelnetRate this question:
-
- 48.
Which one of the following follows best practices for a secure password? Select one:
- A.
AbC123!
- B.
SlE3peR1#
- C.
Tough-passfraze
- D.
NterEstIng-PaSsW0Rd
Correct Answer
B. SlE3peR1#Explanation
The correct answer is: SlE3peR1#Rate this question:
-
- 49.
How can you implement role-based access control (RBAC)? (Choose all that apply.)Select one or more:
- A.
Provide the password for a custom privilege level to users in a given role
- B.
Associate user accounts with specific views
- C.
Use access lists to specify which devices can connect remotely
- D.
Use AAA to authorize specific users for specific sets of permissions
Correct Answer(s)
A. Provide the password for a custom privilege level to users in a given role
B. Associate user accounts with specific views
D. Use AAA to authorize specific users for specific sets of permissionsExplanation
The correct answer is: Provide the password for a custom privilege level to users in a given role, Associate user accounts with specific views,
Use AAA to authorize specific users for specific sets of permissionsRate this question:
-
- 50.
Which of the following enables you to protect the data plane? (Choose all that apply.)Select one or more:
- A.
IOS Zone-Based Firewall
- B.
Port Security
- C.
Proxy
- D.
IPS
Correct Answer(s)
A. IOS Zone-Based Firewall
B. Port Security
D. IPSExplanation
You have correctly selected 1.
The correct answer is: IOS Zone-Based Firewall, IPS, Port securityRate this question:
-
Quiz Review Timeline +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Feb 13, 2024Quiz Edited by
ProProfs Editorial Team -
Dec 13, 2014Quiz Created by
Achmad Sagaf
Back to top