Part II: Perimiter Security

Reviewed by Editorial Team

The ProProfs editorial team is comprised of experienced subject matter experts. They've collectively created over 10,000 quizzes and lessons, serving over 100 million users. Our team includes in-house content moderators and subject matter experts, as well as a global network of rigorously trained contributors. All adhere to our comprehensive editorial guidelines, ensuring the delivery of high-quality content.

Learn about Our Editorial Process

| By Hargroveb

Hargroveb

Community Contributor

Quizzes Created: 1 | Total Attempts: 63

| Attempts: 63

Quiz Flashcard

Questions

Feedback

During the Quiz End of Quiz

Difficulty

Sequential Easy First Hard First

1/53 Questions

Which of the following are considered IOS security features? (Choose four.)
- Stateful firewall
- MARS
- IPS
- VRF-aware firewall
- VPN

About This Quiz

Part II: Perimeter Security explores key IOS security features. It assesses skills in configuring routers, understanding security protocols, and managing network security. The quiz is vital for learners aiming to enhance their technical knowledge in network infrastructure security.

Quiz Preview

2.

Some ISRs include a USB port into which a flash drive can connect. What are three common uses for the flash drive? (Choose three.)
- Storing configuration files
- Storing a digital certificate
- Storing a copy of the IOS image
- Storing a username/password database
Correct Answer(s)

A. Storing configuration files
A. Storing a digital certificate
A. Storing a copy of the IOS image

Explanation

Flash drives can be used to store configuration files, which are used to configure network devices. They can also be used to store digital certificates, which are used for authentication and encryption purposes. Additionally, flash drives can be used to store a copy of the IOS image, which is the operating system software that runs on Cisco devices. Storing a username/password database is not a common use for a flash drive in this context.

Rate this question:
3.

The enable secret password appears as an MD5 hash in a router’s configuration file whereas the enable password is not hashed (or encrypted if the password-encryption service is not enabled). Why does Cisco still support the use of both enable secret and enable passwords in a router’s configuration?
- Because the enable secret password is a hash it cannot be decrypted. Therefore the enable password is used to match the password that was entered and the enable secret is used to verify that the enable password has not been modified since the hash was generated.
- The enable password is used for IKE Phase I whereas the enable secret password is used for IKE Phase II.
- The enable password is considered to be a router’s public key whereas the enable secret password is considered to be a router’s private key.
- The enable password is present for backward compatibility.
Correct Answer

A. The enable password is present for backward compatibility.
4.

What is an IOS router’s default response to multiple failed login attempts after the security authentication failure command has been issued?
- The login process is suspended for 10 seconds after 15 unsuccessful login attempts.
- The login process is suspended for 15 seconds after 10 unsuccessful login attempts.
- The login process is suspended for 30 seconds after 10 unsuccessful login attempts.
- The login process is suspended for 10 seconds after 30 unsuccessful login attempts.
Correct Answer

A. The login process is suspended for 15 seconds after 10 unsuccessful login attempts.

Explanation

After the security authentication failure command has been issued, an IOS router's default response is to suspend the login process for 15 seconds after 10 unsuccessful login attempts. This is a security measure to prevent brute-force attacks and unauthorized access to the router. By suspending the login process, it slows down the attacker's ability to guess passwords and provides a temporary block to protect the router from repeated login attempts.

Rate this question:
5.

What line configuration mode command would you enter to prevent a line (such as a console aux or vty line) connection from timing out because of inactivity?
- No service timeout
- Timeout-line none
- Exec-timeout 0 0
- Service timeout default
Correct Answer

A. Exec-timeout 0 0

Explanation

The correct answer is "exec-timeout 0 0". This command sets the timeout for the line to 0 minutes and 0 seconds, effectively disabling the timeout due to inactivity.

Rate this question:
6.

An IOS router’s privileged mode which you can access by entering the enable command followed by the appropriate password has which privilege level?
- 0
- 1
- 15
- 16
Correct Answer

A. 15

Explanation

The IOS router's privileged mode, accessed by entering the enable command and the correct password, has a privilege level of 15. This level allows the user to access and configure all router commands and features.

Rate this question:
7.

How is a CLI view different from a privilege level?
- A CLI view supports only commands configured for that specific view whereas a privilege level supports commands available to that level and all the lower levels.
- A CLI view can function without a AAA configuration whereas a privilege level requires AAA to be configured.
- A CLI view supports only monitoring commands whereas a privilege level allows a user to make changes to an IOS configuration.
- A CLI view and a privilege level perform the same function. However a CLI view is used on a Catalyst switch whereas a privilege level is used on an IOS router.
Correct Answer

A. A CLI view supports only commands configured for that specific view whereas a privilege level supports commands available to that level and all the lower levels.

Explanation

A CLI view is different from a privilege level because it only supports the commands that are specifically configured for that view. On the other hand, a privilege level supports not only the commands available at that level but also all the commands available at lower levels. This means that a user with a higher privilege level can access and execute a wider range of commands compared to a user with a specific CLI view.

Rate this question:
8.

To protect a router’s image and configuration against an attacker’s attempt to erase those files, the Cisco IOS Resilient Configuration feature keeps a secure copy of these files. What are these files called?
- The bootset
- The configset
- The backupset
- The backup-config
Correct Answer

A. The bootset

Explanation

The bootset refers to the files that are securely stored by the Cisco IOS Resilient Configuration feature to protect a router's image and configuration against an attacker's attempt to erase them. These files are essential for the proper functioning of the router and are kept secure to ensure the integrity and availability of the device's configuration.

Rate this question:
9.

When you configure Cisco IOS login enhancements for virtual connections what is the “quiet period”?
- The period of time between successive login attempts
- A period of time when no one is attempting to log in
- The period of time in which virtual login attempts are blocked following repeated failed login attempts
- The period of time in which virtual logins are blocked as security services fully initialize
Correct Answer

A. The period of time in which virtual login attempts are blocked following repeated failed login attempts

Explanation

The "quiet period" refers to the period of time in which virtual login attempts are blocked following repeated failed login attempts. This means that if there are multiple unsuccessful login attempts, the system will temporarily block any further login attempts from that source for a certain period of time. This is a security measure to prevent brute-force attacks or unauthorized access to the system. During the quiet period, the system will not accept any login attempts from the source that triggered the block.

Rate this question:
10.

In the banner motd # command, what does # represent?
- A single text character that will appear as the message of the day
- A delimiter indicating the beginning and end of a message of the day
- A reference to a system variable that contains a message of the day
- The enable mode prompt from where the message of the day will be entered into the IOS configuration
Correct Answer

A. A delimiter indicating the beginning and end of a message of the day

Explanation

The correct answer is "A delimiter indicating the beginning and end of a message of the day." In the banner motd # command, the "#" symbol is used as a delimiter to indicate the start and end of the message of the day. It helps to separate the actual message from the rest of the configuration and makes it easier to identify the MOTD section.

Rate this question:
11.

What Cisco IOS feature provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router and also provides multiple “smart wizards” and configuration tutorials?
- QPM
- SAA
- SMS
- SDM
Correct Answer

A. SDM

Explanation

SDM stands for Security Device Manager, which is a Cisco IOS feature that provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router. It also offers multiple "smart wizards" and configuration tutorials, making it easier for network administrators to set up and manage their routers. This tool simplifies the configuration process and allows administrators to quickly and efficiently configure various network features without the need for extensive command-line knowledge.

Rate this question:
12.

What are two options for running Cisco SDM? (Choose two.)
- Running SDM from a router’s flash
- Running SDM from the Cisco web portal
- Running SDM from within CiscoWorks
- Running SDM from a PC
Correct Answer(s)

A. Running SDM from a router’s flash
A. Running SDM from a PC

Explanation

SDM (Security Device Manager) can be run from a router's flash memory, allowing users to access and manage the router's security features directly from the device. Additionally, SDM can also be run from a PC, enabling users to access and manage the router's security features through a web-based interface on their computer. Running SDM from a router's flash and from a PC are two options for utilizing the SDM software.

Rate this question:
13.

Which of the following are valid SDM configuration wizards? (Choose three.)
- Security Audit
- VPN
- ACS
- NAT
- STP
Correct Answer(s)

A. Security Audit
A. VPN
A. NAT

Explanation

The correct answer is Security Audit, VPN, and NAT. These three options are valid SDM (Security Device Manager) configuration wizards. SDM is a web-based device management tool used to configure and manage Cisco networking devices. The Security Audit wizard helps in auditing the security settings of the device, ensuring that it is properly configured. The VPN wizard assists in setting up Virtual Private Network connections for secure communication. The NAT (Network Address Translation) wizard enables the configuration of NAT, allowing private IP addresses to be translated to public IP addresses for internet access.

Rate this question:
14.

Which of the following commands is used in global configuration mode to enable AAA?
- Aaa EXEC
- Aaa new-model
- Configure aaa-model
- Configure-model aaa
Correct Answer

A. Aaa new-model

Explanation

The correct answer is "aaa new-model" because this command is used in global configuration mode to enable AAA (Authentication, Authorization, and Accounting). AAA provides a framework for controlling access to network resources, authenticating users, and tracking their activities. By enabling AAA with the "aaa new-model" command, the network administrator can implement security measures and manage user access more effectively.

Rate this question:
15.

How do you define the authentication method that will be used with AAA?
- With a method list
- With a method statement
- With the method command
- With the method aaa command
Correct Answer

A. With a method list

Explanation

To define the authentication method that will be used with AAA, a method list is used. A method list is a logical grouping of authentication methods that are applied in a specific order. When configuring AAA, the administrator can create a method list and specify the authentication methods to be used, such as local authentication, RADIUS, or TACACS+. This allows for flexibility in defining the authentication process and determining the order in which methods are attempted for user authentication.

Rate this question:
16.

Which of the following are authentication methods that may be used with AAA? (Choose three.)
- Local
- Remote
- TACACS+
- RADIUS
- IPsec
Correct Answer(s)

A. Local
A. TACACS+
A. RADIUS

Explanation

AAA stands for Authentication, Authorization, and Accounting. It is a framework used for controlling access to computer resources. The question asks for authentication methods that can be used with AAA. Local authentication refers to the use of credentials stored locally on the device. TACACS+ and RADIUS are both network protocols used for authentication, authorization, and accounting. TACACS+ provides separate authentication, authorization, and accounting services, while RADIUS combines all three functions. Therefore, the correct answers are Local, TACACS+, and RADIUS.

Rate this question:
17.

To configure accounting in AAA, from which mode should the aaa accounting command be issued?
- Privileged EXEC
- Command mode
- Global configuration
- Admin EXEC
Correct Answer

A. Global configuration

Explanation

The aaa accounting command should be issued from the Global configuration mode to configure accounting in AAA. Global configuration mode allows the user to make changes to the global configuration of the device, including configuring AAA accounting. This mode provides access to a wide range of configuration commands that affect the entire system. By issuing the aaa accounting command in this mode, the user can configure the necessary accounting settings for AAA.

Rate this question:
18.

What does the aaa authentication login console-in local command do?
- It specifies the login authorization method list named console-in using the local username-password database on the router.
- It specifies the login authentication list named console-in using the local user-name-password database on the router.
- It specifies the login authentication method list named console-in using the local user database on the router.
- It specifies the login authorization method list named console-in using the local RADIUS username-password database.
Correct Answer

A. It specifies the login authentication method list named console-in using the local user database on the router.

Explanation

The correct answer is "It specifies the login authentication method list named console-in using the local user database on the router." This means that when a user tries to log in to the router via the console port, the router will use the specified authentication method list (console-in) and check the credentials against the local user database on the router.

Rate this question:
19.

Which command should be used to enable AAA authentication to determine if a user can access the privilege command level?
- Aaa authentication enable level
- Aaa authentication enable method default
- Aaa authentication enable default local
- Aaa authentication enable default
Correct Answer

A. Aaa authentication enable default

Explanation

The command "aaa authentication enable default" should be used to enable AAA authentication to determine if a user can access the privilege command level. This command sets the default authentication method for enabling privileged commands, using the local database as the authentication source.

Rate this question:
20.

Which of the following are features provided by Cisco Secure ACS 4.0 for Windows? (Choose three.)
- Cisco NAC support
- IPsec support
- Network access profiles
- NTVLM profiles
- Machine access restrictions
Correct Answer(s)

A. Cisco NAC support
A. Network access profiles
A. Machine access restrictions

Explanation

Cisco Secure ACS 4.0 for Windows provides three features: Cisco NAC support, Network access profiles, and Machine access restrictions. Cisco NAC support allows for Network Access Control, which helps to ensure that only authorized devices can access the network. Network access profiles enable administrators to define different levels of access for different users or groups. Machine access restrictions allow administrators to restrict network access based on specific machine characteristics, such as operating system or hardware.

Rate this question:
21.

Which of the following browsers are supported for use with Cisco Secure ACS? (Choose three.)
- Opera 9.2
- Microsoft Internet Explorer 6 with SP1
- Netscape 7.1
- Firefox 2.0
- Netscape 7.2
Correct Answer(s)

A. Microsoft Internet Explorer 6 with SP1
A. Netscape 7.1
A. Netscape 7.2
22.

Which of the following ports are used with RADIUS authentication and authorization? (Choose two.)
- UDP port 2000
- TCP port 2002
- UDP port 1645
- TCP port 49
- UDP port 1812
Correct Answer(s)

A. UDP port 1645
A. UDP port 1812

Explanation

RADIUS (Remote Authentication Dial-In User Service) is a protocol used for authentication and authorization in network services. It operates over UDP (User Datagram Protocol). UDP port 1645 is the standard port used for RADIUS authentication, while UDP port 1812 is used for RADIUS accounting. TCP ports 2000 and 2002 are not commonly associated with RADIUS, and TCP port 49 is used for TACACS (Terminal Access Controller Access-Control System) rather than RADIUS. Therefore, the correct answer is UDP port 1645 and UDP port 1812.

Rate this question:
23.

Which of the following are valid responses that the TACACS+ daemon might provide the NAS during the authentication process? (Choose three.)
- Accept
- Reject
- Approved
- Continue
- Failed
Correct Answer(s)

A. Accept
A. Reject
A. Continue

Explanation

During the authentication process, the TACACS+ daemon may provide the NAS (Network Access Server) with three valid responses: Accept, Reject, and Continue. "Accept" indicates that the authentication is successful and the user is granted access. "Reject" signifies that the authentication failed, and access is denied. "Continue" means that further authentication steps are required before a final decision can be made. The other options, "Approved" and "Failed," are not valid responses that the TACACS+ daemon would provide.

Rate this question:
24.

Which RADIUS message type contains AV pairs for username and password?
- Access-Request
- Access-Accept
- Access-Reject
- Access-Allow
Correct Answer

A. Access-Request

Explanation

The Access-Request RADIUS message type contains AV (Attribute-Value) pairs for username and password. This message type is used by a RADIUS client to initiate the authentication process with a RADIUS server. The AV pairs within the Access-Request message include the user's credentials, such as the username and password, which are necessary for the server to verify and authorize the user's access.

Rate this question:
25.

To enable AAA through the SDM you choose which of the following?
- Configure > Tasks > AAA
- Configure > Authentication > AAA
- Configure > Additional Tasks > AAA
- Configure > Additional Authentication > AAA
Correct Answer

A. Configure > Additional Tasks > AAA

Explanation

The correct answer is "Configure > Additional Tasks > AAA". This option is the most appropriate because it specifically mentions "Additional Tasks", indicating that it is an additional configuration option for AAA. The other options do not mention "Additional Tasks" and may not provide the necessary settings for enabling AAA through the SDM.

Rate this question:
26.

If you need to use Simple Network Management Protocol (SNMP) on your network what version does Cisco recommend?
- Version 2
- Version 2c
- Version 3
- Version 3c
Correct Answer

A. Version 3

Explanation

Cisco recommends using Version 3 of the Simple Network Management Protocol (SNMP) for network management. This version provides enhanced security features, including authentication and encryption, which are crucial for protecting sensitive network information. Version 3 also offers improved performance and scalability compared to previous versions, making it the preferred choice for SNMP implementation in Cisco networks.

Rate this question:
27.

What are two automated approaches for hardening the security of a Cisco IOS router? (Choose two.)
- AutoQoS
- AutoSecure
- Cisco SDM’s One-Step Lockdown
- Cisco IPS Device Manager (IDM)
Correct Answer(s)

A. AutoSecure
A. Cisco SDM’s One-Step Lockdown

Explanation

AutoSecure is an automated approach for hardening the security of a Cisco IOS router. It is a feature that automatically applies a set of recommended security configurations to the router, making it more secure against potential vulnerabilities.

Cisco SDM's One-Step Lockdown is another automated approach for hardening the security of a Cisco IOS router. It is a feature of Cisco Security Device Manager (SDM) that provides a simple and guided process to secure the router by enabling security features, configuring access control lists, and implementing other security measures.

Rate this question:
28.

Which of the following router services can best help administrators correlate events appearing in a log file?
- Finger
- TCP small services
- CDP
- NTP
Correct Answer

A. NTP

Explanation

NTP (Network Time Protocol) can best help administrators correlate events appearing in a log file. NTP is a protocol used to synchronize the time of devices on a network. By ensuring that all devices have the same accurate time, administrators can easily correlate events in log files, as the timestamps will be consistent across all devices. This can be particularly useful when troubleshooting network issues or investigating security incidents.

Rate this question:
29.

What management topology keeps management traffic isolated from production traffic?
- OOB
- OTP
- SAFE
- MARS
Correct Answer

A. OOB

Explanation

The management topology that keeps management traffic isolated from production traffic is Out-of-Band (OOB). Out-of-Band management involves using a separate network or connection for managing devices, separate from the network used for regular data traffic. This ensures that management tasks and traffic do not interfere with or disrupt the production traffic, enhancing security and network performance.

Rate this question:
30.

What syslog logging level is associated with warnings?
- 3
- 4
- 5
- 6
Correct Answer

A. 4

Explanation

Syslog logging level 4 is associated with warnings. The syslog logging levels range from 0 to 7, with level 0 being the most critical and level 7 being the least critical. Level 4 is considered as "Warning" level, which indicates potential issues or conditions that may require attention but are not critical. Therefore, in this case, the correct answer is 4.

Rate this question:
31.

Information about a managed device’s resources and activity is defined by a series of objects. What defines the structure of these management objects?
- LDAP
- CEF
- FIB
- MIB
Correct Answer

A. MIB

Explanation

MIB stands for Management Information Base. It is a database that defines the structure and properties of management objects in a managed device. MIB contains information about the device's resources and activity, allowing network administrators to monitor and manage the device effectively. It provides a standardized way to organize and access information from network devices, enabling network management systems to retrieve and manipulate data from these devices using protocols like SNMP (Simple Network Management Protocol). Therefore, MIB defines the structure of management objects in a managed device.

Rate this question:
32.

When SSH is configured what is the Cisco minimum recommended modulus value?
- 256 bits
- 512 bits
- 1024 bits
- 2048 bits
Correct Answer

A. 1024 bits

Explanation

The Cisco minimum recommended modulus value for SSH configuration is 1024 bits. This refers to the size of the encryption key used in the SSH protocol. A larger modulus value provides stronger encryption and enhances security. However, a modulus value of 1024 bits is considered the minimum recommended by Cisco, indicating that it provides a reasonable level of security while balancing performance.

Rate this question:
33.

If you click the Configure button along the top of Cisco SDM’s graphical interface which Tasks button allows you to configure such features as SSH,NTP,SNMP and syslog?
- Additional Tasks
- Interfaces and Connections
- Security Audit
- Intrusion Prevention
Correct Answer

A. Additional Tasks

Explanation

Clicking the Configure button along the top of Cisco SDM's graphical interface allows the user to access additional tasks for configuring features such as SSH, NTP, SNMP, and syslog. These additional tasks are separate from the main tasks and options provided in the interface, and they provide a way to configure specific features that are not included in the default configuration options.

Rate this question:
34.

Which of the following is not a feature of Cisco Integrated Services routers? (Choose all that apply.)
- USB Port (most models)
- Unified Network Services
- Integrated PoE VoIP port
- Integrated Security
- Firewire port
Correct Answer(s)

A. Integrated PoE VoIP port
A. Firewire port

Explanation

Cisco ISRs do not contain integrated Power over Ethernet
(PoE) ports or VoIP ports or Firewire ports. Some of the features are available as option cards on modular ISRs.

Rate this question:
35.

True or false. By default, Cisco router passwords must contain at least 10 characters.
- TRUE
- FALSE
Correct Answer

A. FALSE

Explanation

It is also a trick question! Cisco recommends that passwords should be at least 10 characters in length, but there is no default rule.Passwords can be blank. That is why this chapter stresses basics such as best practices for passwords.

Rate this question:
36.

Which statement about the service password-encryption command is correct?
- It encrypts all passwords in the router’s configuration file with an AES (Advanced Encryption Standard) 256-bit level encryption.
- With the exception of the hashed enable secret, all passwords on the router are encrypted.
- All passwords on the router are encrypted.
- It has no effect unless the service password secret-encrypt command is also issued.
- None of the above.
Correct Answer

A. With the exception of the hashed enable secret, all passwords on the router are encrypted.

Explanation

Answer D is a trick because that command doesn’t exist and
answer A is just plain wrong. Answer C is tricky too because we learn in this chapter that passwords on the router are not encrypted unless we use the service passwordencryption command.

Rate this question:
37.

You have entered the following commands to create a view called ISP: CiscoISR(config)parser view ISP CiscoISR(config-view)#secret 0 hardtoguess Which one of the following commands enable users of this view to access the configure mode from a terminal?
- Commands configure include all terminal
- Commands exec include all configure
- Commands include exec configure
- Commands exec include configure terminal
- None of the above.
Correct Answer

A. Commands exec include all configure

Explanation

This is a bit of a trick question because answer B enables configuration from not only the terminal but also from other sources. The syntax of the other (but wrong) answers is all mixed up.

Rate this question:
38.

What (in the right order) does AAA stand for?
- Access, accountability, administration
- Administration, access, accounting
- Accounting, access, administration
- Authentication, authorization, accounting
- Authorization, accounting, administration
Correct Answer

A. Authentication, authorization, accounting

Explanation

The correct answer is "Authentication, authorization, accounting." This order represents the steps in a typical security protocol. Authentication verifies the identity of a user, authorization determines what actions they are allowed to perform, and accounting keeps track of their activities for auditing purposes.

Rate this question:
39.

Which of the following is true about the Cisco Secure ACS Solution Engine? (Choose all that are correct.)
- Must be installed on an existing installation of Windows Server.
- Must be installed on an existing installation of Windows Server or Sun Solaris.
- An appliance-based solution that supports up to 50 AAA clients, as well as 350 unique user logons in a 24-hour period.
- An appliance-based solution.
- TACACS+ only
Correct Answer

A. An appliance-based solution.

Explanation

The Cisco Secure ACS Solution Engine is an appliance-based solution, meaning it is a self-contained hardware device that is designed to perform a specific function. It does not require installation on an existing Windows Server or Sun Solaris. It supports up to 50 AAA clients and 350 unique user logons in a 24-hour period. It also supports TACACS+ protocol.

Rate this question:
40.

Fill in the blanks with the correct words from the list: When designing an AAA solution, remote administrative access is also known as_____ mode. Another name for remote network access is _____ mode.
- Packet, character
- Character, network
- Network, character
- Character, packet
- Packet, network
Correct Answer

A. Character, packet

Explanation

When designing an AAA solution, remote administrative access is also known as character mode. Another name for remote network access is packet mode.

Rate this question:
41.

What command will display a list of all local AAA users who have been locked out?
- Show aaa local user lockout
- Show aaa user all
- Show aaa sessions
- Show aaa local lockout
- None of the above.
Correct Answer

A. Show aaa local user lockout

Explanation

Answer B is the command that displays detailed statistics
of all logged in users. Answer C is used to display current sessions of users who have been authenticated, authorized, or accounted by the AAA module. The command in answer D doesn’t exist.

Rate this question:
42.

Which protocols are supported in the AAA dialog between a Cisco IOS router and Cisco Secure ACS? (Choose all that apply.)
- LDAP
- Active Directory
- OBDC
- RADIUS
- TACACS+
Correct Answer(s)

A. RADIUS
A. TACACS+

Explanation

This is a trick question. The question is not which protocols does Cisco Secure ACS work with to authenticate to an external database. If that was the question, you could choose everything in the list. Answers D and E are correct because only RADIUS and TACACS+ are choices for protocols that work between the AAA client (the Cisco IOS router) and the AAA server (Cisco Secure ACS).

Rate this question:
43.

Which of the following statements is most correct concerning RADIUS and TACACS+?
- RADIUS has rich accounting and TACACS+ is capable of customizable userlevel policies such as command authorization.
- RADIUS encrypts the whole communication between the AAA client and server, whereas TACACS+ only encrypts the password.
- RADIUS uses UDP for transport and TACACS+ uses TCP.
- RADIUS is a proprietary standard, whereas TACACS+ is Open Source.
- RADIUS uses UDP ports 1645 and 1646 exclusively
Correct Answer(s)

A. RADIUS has rich accounting and TACACS+ is capable of customizable userlevel policies such as command authorization.
A. RADIUS uses UDP for transport and TACACS+ uses TCP.

Explanation

Answer B is backwards. It’s TACACS+ that encrypts the whole communication, whereas RADIUS encrypts only the password. Answer D is incorrect but for a tricky reason. Although RADIUS is open source, TACACS+ isn’t quite a proprietary standard because Cisco has published it as an RFC (Request for Comment), part of the IETF standards track. Answer E is incorrect because RADIUS can use either ports 1645 and 1646 or ports 1812 and 1813 for authentication/authorization and accounting, respectively.

Rate this question:
44.

Which of the following are not included in the three main task areas in setting up for external AAA? (Choose all that apply.)
- Configure the AAA network.
- Install AAA supplicant software on IP hosts that will authenticate to the IOS router.
- Identify traffic to which AAA is applied.
- Set up users.
- Install Cisco Secure ACS Solution Engine module on the Cisco IOS router.
Correct Answer(s)

A. Install AAA supplicant software on IP hosts that will authenticate to the IOS router.
A. Install Cisco Secure ACS Solution Engine module on the Cisco IOS router.

Explanation

Answer B is correct because you do not need special software on an IP host in order to enable AAA for the network. Answer E is correct because the Cisco Secure ACS Solution Engine is an appliance that comprises a selfcontained AAA server solution. It is not an add-on module for a router, and the router is the AAA client in this scenario anyway.

Rate this question:
45.

Select the one answer with the correct two terms to fill in the following blanks. There are two distinct types of AAA authorization policies: .________ policies that define access rules to the router. .________ policies that define access rules through the router.
- Network, Exec
- Packet, Character
- Character, Packet
- Exec, Network
- Administrative, User
Correct Answer

A. Exec, Network

Explanation

The use of the terms “packet” and “character” are deliberately misleading because these refer to types of access in general (see Figure 3.10), but not specific types of AAA authorization policies. Answer E is simply wrong but sounds like it might be right to someone who hasn’t read the Exam Cram.

Rate this question:
46.

Which of the following is not a consideration for setting up technical controls in support of secure logging?
- How can the confidentiality of logs as well as communicating log messages be assured?
- How do you log events from several devices in one central place?
- What are the most critical events to log?
- What are the most important logs?
- None of the above.
Correct Answer

A. None of the above.

Explanation

The question is asking for a consideration that is not relevant when setting up technical controls for secure logging. The options provided all relate to important considerations when setting up technical controls for secure logging, such as ensuring the confidentiality of logs, centralizing log events from multiple devices, and determining the most critical and important logs to track. Therefore, the correct answer is "None of the above" as all the options provided are considerations for setting up technical controls in support of secure logging.

Rate this question:
47.

Fill in the blank with the correct term from the choices. One communication path between management hosts and the devices they manage is__________, meaning that the traffic flows within a network separate from the production network.
- In-band
- Inter-vlan
- Private
- Out-of-band
- Intranet
Correct Answer

A. Out-of-band

Explanation

A design goal for a secure network is to try to separate management traffic from the production networks wherever possible. Answer A is the opposite. The other answers are incorrect because they are not used in this context.

Rate this question:
48.

True or false. A general management guideline is to ensure that clocks on network devices are not synchronized with an external time source because this is a known vulnerability.
- TRUE
- FALSE
Correct Answer

A. FALSE

Explanation

This is a bit of a trick question. Yes, there are some known vulnerabilities with synchronizing clocks with external time sources, but these are outweighed by the advantage of having all network devices’ clocks synchronized to a single time source.

Rate this question:
49.

To what menus do you have to navigate to setup logging in the SDM?
- Configure->Router Management->Additional Tasks->Logging
- Configure->Additional Tasks->Router Properties->Logging
- Monitor->System Properties->Configure->Syslog
- Configure->Additional Tasks->Router Properties->Syslog
- Monitor->Logging Options->Syslog Setup
Correct Answer

A. Configure->Additional Tasks->Router Properties->Logging

Quiz Review Timeline (Updated): Jun 22, 2023 +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

Current Version
Jun 22, 2023

Quiz Edited by
ProProfs Editorial Team
Jun 06, 2010

Quiz Created by
Hargroveb

Part II: Perimiter Security

Which of the following are considered IOS security features? (Choose four.)

Quiz Preview

Some ISRs include a USB port into which a flash drive can connect. What are three common uses for the flash drive? (Choose three.)

What is an IOS router’s default response to multiple failed login attempts after the security authentication failure command has been issued?

What line configuration mode command would you enter to prevent a line (such as a console aux or vty line) connection from timing out because of inactivity?

An IOS router’s privileged mode which you can access by entering the enable command followed by the appropriate password has which privilege level?

How is a CLI view different from a privilege level?

To protect a router’s image and configuration against an attacker’s attempt to erase those files, the Cisco IOS Resilient Configuration feature keeps a secure copy of these files. What are these files called?

When you configure Cisco IOS login enhancements for virtual connections what is the “quiet period”?

In the banner motd # command, what does # represent?

What Cisco IOS feature provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router and also provides multiple “smart wizards” and configuration tutorials?

What are two options for running Cisco SDM? (Choose two.)

Which of the following are valid SDM configuration wizards? (Choose three.)

Which of the following commands is used in global configuration mode to enable AAA?

How do you define the authentication method that will be used with AAA?

Which of the following are authentication methods that may be used with AAA? (Choose three.)

To configure accounting in AAA, from which mode should the aaa accounting command be issued?

What does the aaa authentication login console-in local command do?

Which command should be used to enable AAA authentication to determine if a user can access the privilege command level?

Which of the following are features provided by Cisco Secure ACS 4.0 for Windows? (Choose three.)

Which of the following browsers are supported for use with Cisco Secure ACS? (Choose three.)

Which of the following ports are used with RADIUS authentication and authorization? (Choose two.)

Which of the following are valid responses that the TACACS+ daemon might provide the NAS during the authentication process? (Choose three.)

Which RADIUS message type contains AV pairs for username and password?

To enable AAA through the SDM you choose which of the following?

If you need to use Simple Network Management Protocol (SNMP) on your network what version does Cisco recommend?

What are two automated approaches for hardening the security of a Cisco IOS router? (Choose two.)

Which of the following router services can best help administrators correlate events appearing in a log file?

What management topology keeps management traffic isolated from production traffic?

What syslog logging level is associated with warnings?

Information about a managed device’s resources and activity is defined by a series of objects. What defines the structure of these management objects?

When SSH is configured what is the Cisco minimum recommended modulus value?

If you click the Configure button along the top of Cisco SDM’s graphical interface which Tasks button allows you to configure such features as SSH,NTP,SNMP and syslog?

Which of the following is not a feature of Cisco Integrated Services routers? (Choose all that apply.)

True or false. By default, Cisco router passwords must contain at least 10 characters.

Which statement about the service password-encryption command is correct?

You have entered the following commands to create a view called ISP: CiscoISR(config)parser view ISP CiscoISR(config-view)#secret 0 hardtoguess Which one of the following commands enable users of this view to access the configure mode from a terminal?

What (in the right order) does AAA stand for?

Which of the following is true about the Cisco Secure ACS Solution Engine? (Choose all that are correct.)

Fill in the blanks with the correct words from the list: When designing an AAA solution, remote administrative access is also known as_____ mode. Another name for remote network access is _____ mode.

What command will display a list of all local AAA users who have been locked out?

Which protocols are supported in the AAA dialog between a Cisco IOS router and Cisco Secure ACS? (Choose all that apply.)

Which of the following statements is most correct concerning RADIUS and TACACS+?

Which of the following are not included in the three main task areas in setting up for external AAA? (Choose all that apply.)

Select the one answer with the correct two terms to fill in the following blanks. There are two distinct types of AAA authorization policies: .________ policies that define access rules to the router. .________ policies that define access rules through the router.

Which of the following is not a consideration for setting up technical controls in support of secure logging?

Fill in the blank with the correct term from the choices. One communication path between management hosts and the devices they manage is__________, meaning that the traffic flows within a network separate from the production network.

True or false. A general management guideline is to ensure that clocks on network devices are not synchronized with an external time source because this is a known vulnerability.

To what menus do you have to navigate to setup logging in the SDM?

Fill in the blanks with the correct words from the list: When designing an AAA solution, remote administrative access is also known as_ mode. Another name for remote network access is _ mode.

Select the one answer with the correct two terms to fill in the following blanks. There are two distinct types of AAA authorization policies: . policies that define access rules to the router. . policies that define access rules through the router.