Open-ended questionsun.pdf


  • 8/9/2019 Open-ended questionsun.pdf


    1 What node defines the traffic to be encrypted in GET VPN?

    Answer:Key server

2 What command do you need to enable proper IOS IPS processing of fragmented IP packets?

Answer: ip virtual-reassembly

    3 What uRPF mode would you use in the environment with asymmetric

    routing enabled?

    Answer:loose

    4 What is the ACL keyword you would use to permit all valid returning

    TCP session traffic for

    sessions initiated from the protected network?

    Answer:established

    5 What IOS firewall mode does not support the inspection and filtering

    of Peer-to-Peer traffic?

    Answer:transparent

    6 What IOS feature allows you to configure RADIUS attributes locally

    per-user?

    www.CareerCert.info

    http://www.careercert.info/http://www.careercert.info/

    Answer:IOS local aaa

7 What is the RADIUS attribute name that specifies a per-user group-policy name for the ASA firewall?

Answer: class

8. An interface e0 dump contains two sets of ARP traffic, output A and output B. What is happening in output B?

Output A

192.168.1.73 (MAC ee:dd:aa:23:73) to 255.255.255.255: who has 192.168.1.51? (request)
192.168.1.51 (MAC 11:22:33:44:51) to 192.168.1.73 (MAC ee:dd:aa:23:73): 192.168.1.51 is at 11:22:33:44:51 (reply)

Output B

06:02:50.891192 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
06:02:51.951540 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
06:02:52.990617 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)

Answer: Output A is a normal ARP request and reply. Output B shows unsolicited ARP replies, repeated about once a second, claiming that 192.168.1.73 is at 00:e0:4d:07:3b:ff, which is not the MAC address (ee:dd:aa:23:73) that 192.168.1.73 used in output A. A host has learned the address of 192.168.1.73 and is answering for it with its own MAC address, poisoning the ARP caches of the other hosts (ARP spoofing, the basis of a man-in-the-middle attack).
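Worked example, added here and not part of the original study guide: a small Python analyser that applies the reasoning of the answer above to tcpdump-style ARP lines. It flags an IP-to-MAC binding that changes between replies and a burst of replies that nobody asked for. The log lines are constructed for this example, modelled on outputs A and B (with full six-octet MAC addresses); the two-second window and the burst threshold are arbitrary choices.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on outputs A and B above (not a real capture):
# a normal request/reply pair, one gratuitous reply from the real owner of
# 192.168.1.73, then a burst of unsolicited replies from a different MAC.
SAMPLE_ARP_LOG = """\
06:02:40.100000 arp who-has 192.168.1.51 tell 192.168.1.73
06:02:40.100500 arp reply 192.168.1.51 is-at 11:22:33:44:55:51 (11:22:33:44:55:51)
06:02:49.800000 arp reply 192.168.1.73 is-at ee:dd:aa:23:73:01 (ee:dd:aa:23:73:01)
06:02:50.891192 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
06:02:51.951540 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
06:02:52.990617 arp reply 192.168.1.73 is-at 00:e0:4d:07:3b:ff (00:e0:4d:07:3b:ff)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp "
    r"(?:who-has (?P<asked>\S+) tell (?P<asker>\S+)"
    r"|reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17}))"
)


def parse_ts(ts):
    """Convert hh:mm:ss.frac to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def analyze_arp(log_text, window=2.0, threshold=3):
    """Return a list of (alert, ip, detail) tuples for suspicious ARP replies.

    A reply is 'solicited' if a who-has for that IP was seen within `window`
    seconds; `threshold` unsolicited replies for the same (ip, mac) raise a
    burst alert, and any reply that changes a known ip->mac binding raises a
    binding-changed alert (the tell-tale of ARP cache poisoning).
    """
    pending = {}                      # ip -> time of the last who-has for it
    bindings = {}                     # ip -> mac first seen in a reply
    unsolicited = defaultdict(int)    # (ip, mac) -> count of replies nobody asked for
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"])
        if m["asked"]:
            pending[m["asked"]] = t
            continue
        ip, mac = m["ip"], m["mac"]
        asked_at = pending.get(ip)
        if asked_at is not None and 0 <= t - asked_at <= window:
            pending.pop(ip, None)      # matches an outstanding request
        else:
            unsolicited[(ip, mac)] += 1
            if unsolicited[(ip, mac)] == threshold:
                alerts.append(("unsolicited-reply-burst", ip, mac))
        prev = bindings.setdefault(ip, mac)
        if prev != mac:
            alerts.append(("binding-changed", ip, f"{prev}->{mac}"))
            bindings[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in analyze_arp(SAMPLE_ARP_LOG):
        print(*alert)
```

On a Catalyst switch the preventive control is Dynamic ARP Inspection (the answer to question 102), which validates each ARP packet against the DHCP snooping binding table instead of relying on heuristics like these.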

9. A router has the following configuration:

ip inspect name myfw http
ip inspect name myfw tcp
ip inspect name myfw udp
!
interface <interface-id>
 ip inspect myfw in
 ip inspect myfw out
 ip access-group 101 in
!
access-list 101 permit tcp any host <Webserver> eq 80
access-list 101 deny ip any any

Does this CBAC configuration work as intended?

Answer: Yes

10. Name a method to prevent DoS attacks on the ASA.

Answer: TCP Intercept


11. Switches connect to an IPS and there are two VLANs. Which trunking protocol will be used?

Answer: 802.1Q

12. IPS 6.1 added a new feature that can automatically learn and prevent attacks. Which feature?

Answer: Anomaly Detection (AD)

13. There is a VPN type that does not set up tunnels and supports features such as native multicast. Write its full name.

Answer: Group Encrypted Transport (GET) VPN

14. What RFC outlined special-use IPv4 address space from the A, B, and C classes?

    Answer:RFC 3330

    15.You are attempting to configure RIP version 2 so that it will unicast

    messages to its RIP

    neighbor. You have confirmed you have correctly configured the

    neighbor command on the


    device. What other command is required in this configuration?

    Answer:Passive-interface

16. What is the resulting trunk configuration for the devices shown?

hostname SW1
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

hostname SW2
interface GigabitEthernet0/9
 switchport trunk encapsulation dot1q
 switchport mode dynamic auto

Answer: No trunk forms (trunk off). SW1 is hard-coded as a trunk but sends no DTP frames because of nonegotiate, and SW2 in dynamic auto only becomes a trunk if it receives DTP from its neighbour, so SW2 stays an access port and the link is mismatched.

    19.What is the default behavior for a Catalyst switch if it receives a frame

    and it possesses no

    entry for the destination MAC address in the CAM?

    Answer:Flood the frame


    20.What command is used to create the remote SPAN VLAN in RSPAN?

    Answer:Remote-span

    21.What Cisco Catalyst switch STP mechanism can produce an

    inconsistent state for a switch

    port?

Answer: Loop guard

    22.Your Cisco IPS sensor fired an alert for a non-malicious packet that

    was attempting to enter

    your network. What does Cisco term this type of condition?

    Answer:False positive

24. Your Cisco IPS sensor fired an alert for a malicious packet that was attempting to enter your network. What is this condition termed by Cisco?

    Answer: true positive

    25.Your Cisco IPS sensor did not fire an alert when a non-malicious

    packet entered the network.

    What does Cisco term this event?


Answer: True negative

    26.Describe the difference between the restrict and protect options with

    the Catalyst Port Security

    feature?

Answer: The protect option prevents unauthorized MAC addresses from communicating through the port, but it sends no SNMP trap and does not increment the violation counter. Restrict mode does both.

27. You need to limit traffic on your router to prevent DoS attacks. You are specifically concerned about traffic destined to the router itself, as opposed to transit data traffic. What feature would you use?

    Answer: Control Plane Policing

    28.At what layer of the OSI model does ISAKMP function?

    Answer:Session

    29.At what layer of the OSI model does S-HTTP function?

    Answer:Application


    31.You have learned that multicast will use RPF to guard against loops in

    multicast transmissions.

    What does RPF use to perform this check?

    Answer:The routing table

    32.How will a user be authenticated if the RADIUS servers respond with

    a FAIL message? aaa

    authentication enable default group radius enable

Answer: The user fails authentication. The next method (enable) is consulted only if the RADIUS servers do not respond, not when they reject the user.

    33.What OSPF authentication type supports the use of multiple

    authentication keys?

    Answer:MD5

    34.What is the default hash function used with "secret" type of password

    encryptions?

    Answer:MD5

    35.What is the command to stop the router from responding to address

    resolution requests sent

    to other hosts?

    Answer:No ip proxy-arp


    36.What Port Security violation mode does not send an SNMP trap when

    a violation occurs?

    Answer:protect

    37.When troubleshooting 802.1x, what command provides you with

    information about all AAA

    events associated with the protocol?

    Answer:Debug dot1x aaa

    38.What is the privilege level that is used for user mode Cisco router?

    Answer:level one

    39.You are considering the implementation of private VLANs in your ISP

    infrastructure. What type of port would you typically configure for

    interfaces that connect to systems that need to communicate with each

    other?

    Answer:Community ports

    40.What uRPF mode you would use with asymmetric routing?

    Answer:loose mode


41. What is the minimum allowed value of the BGP keepalive timer in Cisco IOS (in seconds)?

    Answer:one

    42.What interface-level command would you use to prevent the Cisco

    switch from disabling its

    uplinks due to "Loopback" cause?

Answer: no keepalive

43. How will a user be authenticated if the RADIUS servers fail to respond, given this configuration:

    aaa authentication enable default group radius enable

    Answer:using Enable password to authenticate

44. SNMPv3 protects management information confidentiality by using what?

    Answer:Encryption

    45.In order to reduce excessive flooding in RSTP topology due to link

    flaps, what feature would

    you configure?

    Answer:Port fast


    46.What technology will allow a router to monitor itself and avoid a

    series of ongoing SNMP GET

    requests?

    Answer:Remote network monitoring

    47.The BGP MD5 Authentication hash is carried within which field?

    Answer:Tcp option

    48.What check allows a router to see if a packet received arrives on the

    best return path to the

    source address of the packet?

    Answer:Unicast reverse path forwarding
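Worked example (added here, not from the original guide) of the strict and loose checks behind questions 3, 40 and 48. It models uRPF as a longest-prefix lookup against a constructed routing table: strict mode (`ip verify unicast source reachable-via rx` on IOS) requires the best route back to the source to leave through the interface the packet arrived on, loose mode (`reachable-via any`) only requires that some non-null route to the source exists, and a default route satisfies neither unless the `allow-default` keyword is set. The table, interface names and addresses are made up for the example.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). The Null0 entry models
# a discard route for a bogon range; 0.0.0.0/0 is the default route.
ROUTING_TABLE = [
    ("10.1.0.0/16", "Gi0/1"),
    ("10.2.0.0/16", "Gi0/2"),
    ("192.0.2.0/24", "Null0"),
    ("0.0.0.0/0", "Gi0/0"),
]


def best_route(table, ip):
    """Longest-prefix match. Returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(table, src_ip, ingress, mode="strict", allow_default=False):
    """True if a packet from src_ip received on `ingress` passes uRPF.

    strict: the best route back to the source must point out of `ingress`
            (fails under asymmetric routing, which is why question 3 says loose).
    loose:  any usable (non-null) route to the source is enough; this still
            drops sources with no route at all and sources routed to Null0.
    """
    route = best_route(table, src_ip)
    if route is None:
        return False                        # no route back to the source at all
    net, iface = route
    if iface == "Null0":
        return False                        # route to Null0 counts as no route
    if net.prefixlen == 0 and not allow_default:
        return False                        # default route only counts with allow-default
    if mode == "loose":
        return True
    return iface == ingress


def demo():
    """Same source, two arrival interfaces: the asymmetric case fails strict only."""
    symmetric = "10.2.5.5 arrives on Gi0/2"
    asymmetric = "10.2.5.5 arrives on Gi0/1 (return path is Gi0/2)"
    return {
        symmetric: {
            "strict": urpf_check(ROUTING_TABLE, "10.2.5.5", "Gi0/2"),
            "loose": urpf_check(ROUTING_TABLE, "10.2.5.5", "Gi0/2", mode="loose"),
        },
        asymmetric: {
            "strict": urpf_check(ROUTING_TABLE, "10.2.5.5", "Gi0/1"),
            "loose": urpf_check(ROUTING_TABLE, "10.2.5.5", "Gi0/1", mode="loose"),
        },
    }


if __name__ == "__main__":
    for case, results in demo().items():
        print(case, results)
```

Note that real routers also accept strict-mode packets over any of the equal-cost best paths; the example keeps a single best route to keep the logic readable.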

    49.What is the name of the technique in which one host answers address

    resolution requests

    intended for another machine?

    Answer:Proxy arp

50. The BPDU that contains information about a root bridge with worse parameters than the one known to the switch is called:


    Answer:Inferior bpdu

    51 What technology allows a router to respond to a Layer 2 name

    resolution request of a host as

    if it were the destination host itself?

    Answer:Proxy arp

    52 What keyword can ensure that DTP frames are not sent on an

    unconditional trunk link?

    Answer:Nonegotiate

    53 What feature should you configure if network instabilities impose

    high load on router CPU due

    to perpetual RPF re

Answer: RPF backoff

    54 Provide at least two examples of RFC 1700 addresses?

    Answer:127.0.0.1 and 0.0.0.0

    55 You are configuring SNMP Version 3 on your Cisco router. What

    keyword will allow you to

    permit a user to have read access to all MIB variables on the device and


    what SNMP mechanism

    is used for this?

    Answer:The keyword that should be used is INTERNET. This effectively

    includes all MIB variables in the

    view since the Internet portion of the MIB tree is so high up. When

    configuring SNMP v3, you

    create a view, then a group to use this view, and then a user in the group.

    56 What is the function of the command shown in the exhibit?

    Aaa new-model

    Answer:This command changes the security method used by the device.

    It enables the use of

    Authentication, Authorization, and Accounting.

    57 What is the purpose of the keyword local in the following command?

    aaa authentication login default group radius local

    Answer:This keyword provides a "backdoor" for access in the event the

    RADIUS servers are unavailable.

58 Examine the configuration shown. What happens when the RADIUS servers do not have account information for the user attempting to log in?

Answer: The user will be denied access to the network


    59 What type of routing is supported with security contexts?

    Answer:STATIC

    60 Outline the core idea of the threat detection process in the ASA

    firewall.

    Answer:The threat detection engine monitors various system counters,

    such as packet drops, policy

    violations, the number of connections exceeding thresholds, etc. Based

    on the rate of the various

    drop events, the firewall may generate an attack event.

61 Loop guard will mark the port inconsistent if the port stops receiving ...

    Answer:Bridge protocol data units(BPDU)

    62 What is the protocol supported by the ASA firewall for scalable

    multicast routing?

Answer: PIM sparse mode

    63 What happens if a standby unit does not receive a response on the

    failover link, but receives a


    response on any other interface?

    Answer:The standby unit does not perform failover, but the failover link

    is marked as non-functional. A

    manual intervention is required to fix the problem.

    64 Name a type of IP addressing that is not supported by failover mode.

Answer: DHCP, PPPoE, IPv6

    65 What is the implication of enabling outside dynamic NAT?

    Answer:You have to configure a static NAT mapping for every outside IP

    that you need to access from the

    inside.

    66 How many packets constitute IKE Aggressive Mode exchange?

    Answer:3

    67 With IKE Main Mode, pre-shared keys authentication, and hostnames

    used for endpoints

    identity, what is used to look up a pre-shared key for the peer?

    Answer:Ip address

    68 Describe the main benefits of using Virtual Tunnel Interfaces with


72 With Easy VPN Remote in client mode, what Easy VPN feature prevents the use of the device's own NAT configuration?

    Answer:Split-tunneling

    74 What is the default MAC address-table aging time in Cisco switches, in

    seconds?

    Answer:Three hundred seconds

75 Which Ethernet switching feature is used to stop the propagation of unnecessary broadcast and unknown unicast frames across trunk links?

    Answer:Vtp pruning

    76 Which SNMP version 3 security level features authentication based on

    the MD5 or SHA

    algorithms but does not provide encryption?

Answer: authNoPriv

    77 What version of SNMP includes built-in support for both encryption

    and authentication?


    Answer:Version three

    78 You want to protect against Layer 2 loops in the event of a

    unidirectional link failure. You want

    to ensure you are also protected against a problem caused by software

    on the router. What

    mechanism should you use?

    Answer:Spanning tree protocol, loopguard

    79 What feature helps to mitigate problems that are caused by

    malformed or forged IP source

    addresses that are passing through a router?

    Answer:Unicast reverse path forwarding(uRPF)

    81 Name one type of encryption key used with GET VPN?

    Answer:KEK or TEK

82. Describe the methods available for traffic detection and control on a router.

Answer: The IOS firewall feature set, for example Stateful Packet Inspection (SPI), CBAC, the Zone-Based Firewall (ZFW), and so on.

    83.Your IPS sensor has failed to detect a malicious packet that entered


    the network and caused

    damage. What is this termed by Cisco in security terminology?

    Answer:False negative

    84.What RFC outlines important special-use ipv4 addresses?

    Answer:RFC1918

    85.What RFC provides information about defeating Denial of Service

    attacks through the use of

    network ingress filtering?

    Answer:RFC2827

86. Are the following ASA failover requirements correct?

1 Same hardware model
2 Same software version
3 Same number and type of interfaces
4 Same flash
5 Same DRAM
6 Same operating mode

Answer: No. The model, the number and type of interfaces, the amount of RAM and the operating mode must match, but the flash sizes may differ (the smaller flash only needs enough space for the image and configuration files) and only the major and minor software version numbers have to match.


87. In an Easy VPN configuration the client must be given an IP address that is installed as a loopback on the client. Which mode achieves this?

Answer: Client mode (mode client on the Easy VPN remote).

88. Give four ways of deploying an inline IPS.

Answer:

Between two Layer 2 devices (no trunk)

Between two Layer 2 devices (802.1Q trunked)

Between two Layer 3 devices

Bridging two VLANs (inline VLAN pair)

    89 What name would you use with the IOS EzVPN server to lock the user

    EZVPN within a group

    GROUP?

    Answer:EZVPN@ GROUP

    90 What IOS feature is used to request XAUTH credentials in

    http-intercept mode?

    Answer:Auth-proxy


    91 What IOS feature would you use to secure the router from

    port-scanning attacks?

    Answer:Control plane protection

    92 What command would you enter to prevent the router from

    generating ICMP Administratively

    Prohibited messages when dropping packets denied by an ACL?

    Answer:No ip unreachables

    93 In addition to permitting TCP Option 19, what other feature do you

    need to enable in order to

    permit BGP connections across the firewall?

Answer: Disable TCP sequence number randomization for the BGP traffic. The MD5 signature covers the TCP header, so a firewall that rewrites sequence numbers invalidates it.
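Worked example, added here and not part of the original guide, of what questions 47 and 93 describe: the RFC 2385 TCP MD5 signature that BGP uses, carried in TCP option kind 19. The code builds a segment carrying a constructed BGP KEEPALIVE, computes the digest over the pseudo-header, the fixed TCP header (checksum zeroed, options excluded), the payload and the key, and then shows why a device that rewrites sequence numbers breaks the signature. Addresses, ports and the key are made up for the example; nothing is sent on the wire.

```python
import hashlib
import hmac
import socket
import struct

TCP_OPT_MD5 = 19        # option kind carrying the RFC 2385 MD5 signature
TCP_OPT_MD5_LEN = 18    # kind (1) + length (1) + 16-byte digest
FIXED_HDR_LEN = 20


def _pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header: src, dst, zero, protocol (6), TCP segment length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, tcp_len):
    """RFC 2385 section 2: MD5(pseudo-header || fixed TCP header with checksum
    zeroed || segment data || key). Options are not covered by the digest."""
    hdr = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:FIXED_HDR_LEN]
    return hashlib.md5(_pseudo_header(src_ip, dst_ip, tcp_len) + hdr + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Build a TCP segment whose only option is the MD5 signature plus two NOPs of padding."""
    opt_len = TCP_OPT_MD5_LEN + 2
    data_offset = (FIXED_HDR_LEN + opt_len) // 4
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                            data_offset << 4, flags, 65535, 0, 0)
    tcp_len = FIXED_HDR_LEN + opt_len + len(payload)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, tcp_len)
    options = bytes([TCP_OPT_MD5, TCP_OPT_MD5_LEN]) + digest + b"\x01\x01"
    return fixed_hdr + options + payload      # the real checksum would be filled in last


def find_md5_option(options):
    """Walk the TCP option list and return the 16-byte signature, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # end of option list
            break
        if kind == 1:                         # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return options[i + 2:i + TCP_OPT_MD5_LEN]
        i += max(length, 2)
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Recompute the signature for a received segment and compare in constant time."""
    data_offset = (segment[12] >> 4) * 4
    fixed_hdr = segment[:FIXED_HDR_LEN]
    options = segment[FIXED_HDR_LEN:data_offset]
    payload = segment[data_offset:]
    got = find_md5_option(options)
    if got is None:
        return False
    want = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, payload, key, len(segment))
    return hmac.compare_digest(got, want)


def rewrite_seq(segment, new_seq):
    """Model a middlebox rewriting the sequence number, as ASA sequence number
    randomization does. The header is signed, so the digest no longer matches."""
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


if __name__ == "__main__":
    key = b"bgp-secret"
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"       # constructed BGP KEEPALIVE message
    seg = build_segment("10.0.0.1", "10.0.0.2", 179, 40000, 1000, 2000, 0x18, keepalive, key)
    print("valid:", verify_segment("10.0.0.1", "10.0.0.2", seg, key))
    print("after seq rewrite:", verify_segment("10.0.0.1", "10.0.0.2", rewrite_seq(seg, 1), key))
```

The option has to be permitted through the firewall (by default the ASA clears TCP options it does not know), and sequence number randomization has to be turned off for the BGP flow, which is exactly the pair of settings the answer to question 93 describes.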

    94 What is the password that the Cisco IOS router uses to download the

    ezVPN group policy from

    the RADIUS server?

    Answer:cisco

    95 What TACACS+ shell (exec) attribute do you need to modify in order

    to change the user's

    privilege level?


    Answer:Priv-lvl

    96 What type of private-VLAN allows communicating only with the

    promiscuous port?

Answer: Isolated VLAN

    97 What IOS feature allows communication on the same subnet among

    protected switch ports by

    means of intermediate devices?

Answer: Local proxy ARP

    98 What Spanning Tree feature would you use to prevent a false root

    bridge injection?

    Answer:Root Guard

    99 What other ICMP message type, in addition to unreachable, do you

    need to permit in order to

    make the UNIX traceroute command successfully work across the

    firewall?

    Answer:Time-exceeded

    100 What is the important step to do before loading IOS IPS v5.x


    signatures packages in the

    router in order to prevent memory starvation?

Answer: Retire all signatures and unretire only the needed ones. The full set of v5.x signatures cannot be compiled because of the router's limited memory. Retired signatures are not compiled and do not consume memory.

    101 What IPS feature allows for detection of new Internet worms?

    Answer:Anomaly detection

    102 What security feature would you use to prevent Man-in-the-Middle

    ARP based attacks?

    Answer:Arp inspection

    103 What happens by default when two interfaces of the same security

    level attempt to pass

    packets on the ASA?

    Answer:The packets are dropped

    104 What command allows you to use your management 0/0 interface


    for data traffic on an ASA?

    Answer:No management-only

    105 What type of access-list is used on the ASA in a configuration that

    supports filtering for

    clientless SSL VPN?

    Answer:webtype

    106 What object-group type would you use to identify DNS (TCP/UDP),

    LDAP (TCP), and RADIUS

    (UDP) traffic?

    Answer:object-group Service

    107 When would you prefer to use DMVPN over GET VPN for Unicast

    traffic protection?

    Answer:Due to its header preservation nature, GET VPN is best deployed

    within large corporate networks,

    such as company sites connected via MPLS VPNs, or corporate WANs.

    DMVPN hides the internal

    packet's IP addresses and thus is suitable for deployments over Internet

    and public networks.


    108 What is the order of operations for "NAT" and "access-group"

    features when packets leave a

    router out of the "IP NAT outside" interface?

    Answer:The NAT features are first, followed by the access-group

    features.

    109 What is the feature that you would use to block packets based on

    certain payload pattern?

    Answer:Flexible Packet Matching

    110 What is the main difference between the legacy TCP Intercept and

    CBAC TCP Intercept?

    Answer:CBAC TCP Intercept actually works for both TCP and UDP

    sessions. CBAC interception is always

    on when you apply a CBAC rule to the interface, and you cannot specify

    the inspection scope.

    Lastly, CBAC allows enforcing per-host connection limits, which is not

    possible with legacy TCP

    intercept.

111 Describe limitations regarding vs0 on a Cisco IPS appliance.


Answer: The default virtual sensor is vs0. You cannot delete the default

    virtual sensor. The interface list,

    the AD operational mode, the inline TCP session tracking mode, and the

    virtual sensor

    description are the only configuration features you can change for the

    default virtual sensor. You

    cannot change the signature definition, event action rules, or anomaly

    detection policies.

    112 Name three potential negative issues regarding Intrusion Prevention

    as opposed to Intrusion

    Detection approaches to

    Answer:

    1)Traffic slowed on the network as a result of the Intrusion Prevention

    process. This is especially

    problematic for latency sensitive apps.

2) False positives prevent legitimate traffic from entering the network.

    3) Overrunning the sensor is a possibility and it can have a very

    detrimental effect.

    113 What is the primary detection technology used by Cisco IPS?

    Answer:Signature-based


    114 What is the IPS evasive technique that disguises the attack to

    conceal it using special

    characters or representations?

    Answer:Obfuscation

    115 What is the mode that an IDS/IPS appliance uses for IDS operation?

    Answer:Promiscuous

    116 What is the mode that an IDS/IPS appliance uses for IPS operation?

Answer: Inline

    117 You want to ensure that when there is a failure on your ASA, there is

    no disruption of client

    connections. What must you configure?

    Answer:Stateful Failover Link

    118 Your adaptive security appliance is to function as the PIM RP. What

    address of the ASA

    should you use as the RP address?

    Answer:The untranslated outside address


    119 What transport protocol does RADIUS use in its operation?

    Answer:User datagram protocol(UDP)

    120 In the RADIUS packet exchange between a client and server, what is

    an A-V Pair?

    Answer:Attribute value

    121 What message is in response to an Access Request message from a

    RADIUS client if the

    username and password is correct?

Answer: Access-Accept

    122 What command is used on a Cisco router in order to switch to the

    AAA security

    methodology?

    Answer:Aaa new-model

    123 What is the transport protocol and port used by TACACS+? Answer in

    the format Protocol

    Port#.

    Answer:Tcp 49


    124 What is unique about the way TACACS+ handles the AAA functions in

    comparison to RADIUS?

    Answer:TACACS+ separates each of the three mechanisms of

    authentication, authorization, and

    accounting.

    125 Which AAA protocol supports per user access control lists?

    Answer:TACACS+

    126 Describe the difference in the approach to the encryption of packets

    between RADIUS and

    TACACS+ messages?

    Answer:TACACS+ encrypts the entire body of its messages. RADIUS only

    encrypts the password in the

    Access-Request message.
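Worked example (added here, not from the original guide) of what questions 119 to 121 and 126 describe: a RADIUS Access-Request is a UDP payload made of a 20-byte header plus attribute-value pairs, and the only field the shared secret protects is User-Password, using the RFC 2865 MD5 XOR scheme seeded with the Request Authenticator. The user name and NAS address travel in the clear. Names, addresses and the secret are constructed for the example; the code only builds and parses bytes and sends nothing.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 codes and attribute types used here
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR the first block with
    MD5(secret + Request Authenticator) and each later block with
    MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def attr(atype, value):
    """One attribute-value pair: Type (1), Length (1, includes itself), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | AVPs."""
    if authenticator is None:
        authenticator = os.urandom(16)           # must be unpredictable in real use
    avps = (attr(USER_NAME, username)
            + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
            + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(avps)) + authenticator + avps


def parse_attributes(packet):
    """Return {type: raw value} for the AVPs following the 20-byte header."""
    avps = {}
    i = 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            break                                # malformed AVP; stop rather than loop
        avps[atype] = packet[i + 2:i + alen]
        i += alen
    return avps


if __name__ == "__main__":
    auth = bytes(range(16))                      # fixed only so the output is reproducible
    pkt = build_access_request(7, b"alice", b"s3cret-pw", "10.0.0.5", b"radius-shared", auth)
    print(pkt.hex())
    print("username visible:", b"alice" in pkt, "password visible:", b"s3cret-pw" in pkt)
```

Everything except the XORed password is readable by anyone who can capture the UDP datagram, which is the contrast with TACACS+ (whole body obfuscated, TCP 49) that questions 123 and 126 draw.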

    127 How does RADIUS treat the functions of AAA?

    Answer:RADIUS combines the authentication and authorization

    functions in its operation.

    128 What hash algorithm features greater security than MD5 and

    features the use of a 160-bit


    hash output?

Answer: SHA (SHA-1)

    129 What key security function do hashing algorithms provide? Answer

    in the format of a single word.

    Answer:Integrity

    130 What hashing algorithm takes a message of arbitrary length and

    produces an output of a 128

    bit "fingerprint"?

    Answer:MD5

131 What technology inserts a shared secret into a hash algorithm so that a man in the middle who alters a message cannot simply recompute the hash?

Answer: Hash-based Message Authentication Code (HMAC)

132 What type of encryption technology uses two mathematically related keys, one to encrypt and the other to decrypt? Use a single word response.

Answer: asymmetric


    133 What type of security cipher technology operates on one digit at a

    time? Use a single word

    response.

    Answer:stream

    134 What is often considered the main disadvantage of the use of

    asymmetric encryption

    algorithms?

    Answer:They are slower than symmetric.

    135 What is the purpose of the Diffie-Hellman algorithm in a secured

    infrastructure?

    Answer:The Diffie-Hellman algorithm is used to obtain a shared secret

    key agreement between two

    devices over an insecure medium like the Internet.

    136 What field can you use to distinguish between L2F and L2TP packets

    in the network? Use a

    single word response.

    Answer:version

    137 IPSec tunnels data through IP using one of two different protocols.


    Which of these two

    protocols does not provide for payload encryption?

    Answer:Authentication Header(AH)

    138 What IPSec mode features the encapsulation of the original Layer 3

    header and payload

    inside of an IPSec packet? Use a single word answer.

    Answer:Tunnel

    139 What type of public key cryptography does SSH rely upon?

Answer: RSA

    140 What command enables a router as an SSH server by creating the

    public key?

    Answer:crypto key generate rsa

    141 What protocol do most VPDNs rely upon to encapsulate data in

    transit across a common

    network infrastructure?

    Answer:Point to point protocol(PPP)

    142 What VPDN protocol was invented by Cisco systems as a method for


    tunneling private IP

    addressed systems over PPP or SLIP using a home gateway as the

    concentrator?

    Answer:Layer 2 Forwarding Protocol(L2F protocol)

    143 What VPDN protocol was invented by Microsoft and provides a

    seamless integration of

    remote PPP capable devices into the enterprise network?

    Answer:Point-to-point Tunneling Protocol(PPTP)

    144 What type of tunnel is created when a PPP client directly negotiates

    a PPTP tunnel with the

    PPTP network server?

    Answer:voluntary tunnel

    145 PPTP tunnels can be encrypted through the use of what Microsoft

    technology?

    Answer:Microsoft Point-to-Point Encryption(MPPE)

    146 You must configure your ASA device to permit PPTP traffic. What

    protocol and port should

    you permit? Answer in the form protocol acronym:port#


Answer: TCP:1723 (the PPTP control connection; the tunneled data is carried in GRE, IP protocol 47, which must also be permitted)

    147 The header used in the PPTP encapsulation process is similar to

    what other header?

    Answer:GRE

    148 What PPTP tunnel type supports end-to-end confidentiality?

    Answer:Voluntary Tunnel

    149 What standards based VPDN protocol was a collaborative effort

    between Cisco, Microsoft

    and others?

    Answer:L2tp

150 What device represents the client side of the L2TP network and typically exists on the switch infrastructure between remote dial-up nodes and the access server that terminates inbound PPP sessions?

    Answer:L2TP Access Concentrator

    151 A typical L2TP session resembles what type of PPTP tunnel?

    Answer:Compulsory


    152 L2TP uses what protocol to maintain control data and tunnel data

    simultaneously?

    Answer:Udp

    153 What field is used to distinguish L2F from L2TP?

    Answer:The version field

    154 What device resides on the server side of the L2TP VPDN?

    Answer:L2tp network server

    155 PE routers in an MPLS VPN typically use what protocol to carry

    VPNv4 addresses?

Answer: MP-BGP

    156 What is typically used in order to provide confidentiality in an MPLS

    VPN?

    Answer:Ipsec

    157 SSLVPNs are created at what layer of the OSI Model?

    Answer:Transport layer


    158 What is the name of the 8-Byte unique identifier used to identify a

    VPN in an MPLS VPN?

    Answer:RD

    159 In an IPSEC VPN, security parameters, including keys used for

    symmetric encryption, are

    communicated securely using what protocol?

Answer: IKE

    160 In an SSL VPN, what type of encryption is typically used for initial

    client/server

    authentication?

    Answer:Public Key Encryption

161 In addition to multipoint GRE (mGRE), what other major technology is used to facilitate spoke-to-spoke DMVPN connections?

Answer: NHRP

    162 The IKE protocol is used within what framework?

    Answer:ISAKMP


    163 A goal of IPSEC is to provide confidentiality, authentication,

    nonrepudiation, and what else?

    Answer:Integrity

164 Consider the following ASA configuration:

access-list 102 permit tcp any host 192.168.1.1
class-map conn
 match access-list 102
policy-map conn
 class conn
  set connection embryonic-conn-max 1
service-policy conn interface outside

Which technology has the same effect as this ASA MPF (Modular Policy Framework) configuration?

Answer: TCP Intercept
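Worked example, added here and not part of the original guide, of the behaviour the configuration above enables. Per Cisco's ASA documentation, once the embryonic (half-open) connection limit for a class is reached, the ASA answers further SYNs to the protected server itself with SYN cookies and opens the server-side connection only when the client returns a valid ACK, so a spoofed SYN flood never consumes server resources. The hosts, the cookie secret and the event sequence are constructed for the example.

```python
import hashlib
from collections import defaultdict


class SynInterceptor:
    """Model of 'set connection embryonic-conn-max N' on the ASA."""

    def __init__(self, protected_hosts, embryonic_conn_max, secret=b"constructed-cookie-secret"):
        self.protected = set(protected_hosts)  # what access-list 102 matches: any -> host 192.168.1.1
        self.limit = embryonic_conn_max
        self.secret = secret
        self.embryonic = defaultdict(set)      # server -> clients whose handshake is still half-open

    def cookie(self, client, server):
        """SYN cookie: derived from the flow and a secret, so no state is kept per SYN."""
        digest = hashlib.sha256(self.secret + client.encode() + server.encode()).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, client, server):
        if server not in self.protected:
            return "forward", None
        if len(self.embryonic[server]) < self.limit:
            self.embryonic[server].add(client)  # under the limit: the SYN reaches the server
            return "forward", None
        # limit reached: reply with our own SYN-ACK carrying a cookie; the server sees nothing
        return "syn-cookie", self.cookie(client, server)

    def on_ack(self, client, server, ack_num):
        if server not in self.protected:
            return "forward", None
        if client in self.embryonic[server]:
            self.embryonic[server].discard(client)  # handshake with the server completed
            return "forward", None
        if ack_num == self.cookie(client, server) + 1:
            return "proxy-open", None               # client is real: open the server side now
        return "drop", None                         # unknown flow or bad cookie


def demo(limit=1):
    """Sequence of handshake events for the protected host; returns the action taken for each."""
    fw = SynInterceptor({"192.168.1.1"}, limit)
    srv = "192.168.1.1"
    actions = []
    actions.append(fw.on_syn("203.0.113.10", srv)[0])        # first half-open: forwarded
    act, cookie_b = fw.on_syn("203.0.113.11", srv)           # limit hit (limit=1): SYN cookie
    actions.append(act)
    actions.append(fw.on_syn("203.0.113.12", srv)[0])        # spoofed flood source, never answers
    actions.append(fw.on_ack("203.0.113.10", srv, 4242)[0])  # real client completes: slot freed
    ack_b = cookie_b + 1 if cookie_b is not None else 4243
    actions.append(fw.on_ack("203.0.113.11", srv, ack_b)[0])  # valid cookie: proxied open
    actions.append(fw.on_ack("203.0.113.13", srv, 1)[0])     # bogus ACK: dropped
    return actions


if __name__ == "__main__":
    print(demo())
```

With the limit of 1 used in the question's configuration, every SYN beyond the first outstanding half-open connection is intercepted, which is what makes this equivalent to TCP Intercept on IOS.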

165 Authentication proxy uses TACACS+ or RADIUS to authenticate. Name two protocols that support authentication proxy.

Answer: HTTP and Telnet

166 What is an ASA object group?

Answer:

An object group groups like objects together. You can use the object group in an ACE instead of having to enter an ACE for each object separately. You can create the following types of object groups:

protocol

network

service

ICMP type
