CCNP Security Practice Test | Network Security (SENSS)

Class maps for OSI layers 3 and 4 identify traffic based on criteria such as protocols, ports, IP addresses, and other attributes for these layers.
Identify statements that correctly describe matching criteria. (Choose two)

A. IP DSCP allows you to match on a UDP port number within the specified range

B. IP flow represents all traffic going to a unique IP destination address

C. RTP port numbers allows you to define classes based on the differentiated services code point values defined within the ToS byte in the IP header

D. The default inspection traffic criterion will match all default TCP and User Datagram Protocol (UDP) destination ports that the security appliance inspects by default

Identify the features of the Zone-Based Policy Firewall. (Choose three)

A. It allows you to configure access rules between each zone pair that is available on the route

B. It is a collection of networks that are reachable over one router interface or over a specific set of router interfaces

C. It is a stateless packet filter with application inspection and control abilities

D. It is a stateful packet filter with application inspection and control abilities

How can routing protocol authentication be used as a control plane countermeasure?

A. Routing protocol authentication prevents spoofing of neighborships and routing information

B. Routing protocol authentication can prevent malicious updates from authenticated peers

C. Routing protocol authentication extends CoPP protection by making it simpler to deploy

D. Routing protocol authentication provides an additional defense layer to device-based data plane protection features

In an infrastructure with multiple devices, what would account for events occurring at inconstant times?

A. QoS is delaying certain logs.

B. Internal timers are not synced.

C. NTP protocol is not employed.

D. Network latency is occurring.

Which authorization methods are supported by TrustSec? (Choose three)

A. MAB

B. SGTACL

C. 802.1X-Rev

D. Downloadable ACL from ISE

E. Dynamic VLAN Assignment

Cisco SecureX is an access control strategy that allows for more effective, higher-level policy creation and enforcement for mobile users. Identify the statements that describe components of the of the SecureX architecture. (Choose two)

A. Cisco TrustSec function offers a web-based global network of shared resources, software, and information provided to Cisco customers on demand

B. Cisco Security Intelligence Operations (SIO) extends the access control functionality end-to-end, using security group tags

C. Cisco AnyConnect client provides a consistent user interface and consolidates traditional function-specific client software products into one product

D. Context awareness allows enforcement elements to use identity and location information to define access policy

Which two features correctly identify the DHCP snooping feature? (Choose two)

A. It can be used to provide isolation between ports within the same VLAN.

B. It can be used to monitor incoming traffic for acceptable levels.

C. It can be used to mitigate DHCP starvation to a degree.

D. It is used to prevent spoofing attacks.

E. It can be used to intercept and validate all ARP requests and responses.

Identify measures for securing management access to an infrastructure device. (Choose three)

A. Use management protocols with strong authentication to ensure the data confidentiality

B. Deploy SSL to deny access to management IP addresses of the device on all device interfaces

C. OOB management paths and filtering are methods to secure management access of the management plane

D. Perform network management using Telnet or HTTP to ensure secure connections

E. Interface ACLs or service-specific ACLs can be used to limit and filter management access to devices

Which of the following are characteristics of Cisco ASA global ACLs? (Choose three)

A. The ACEs are defined in the same manner as interface ACLs

B. A permit statement is needed in either the global ACL or an interface input ACL for any traffic to be allowed through the appliance

C. After an ACE has been added to the global ACL, all interface default policies are activated

D. Input traffic that does not match an input ACL that is configured for an interface will be compared against the global ACL

The Cisco MPF provides additional security services to OSI layers 3 and 4.
Identify examples of advanced ASA policies. (Choose three)

A. Inspects outgoing application layer traffic to prevent data loss

B. Redirects traffic coming from the Internet to an IPS module to scan traffic for malicious traffic

C. Allows groupings of hosts and networks that require the same ACL configuration

D. Prioritizes VoIP traffic between the office locations to prevent delays and packet losses for voice traffic

E. Controls which user sessions are permitted across the device and entered into the connection table

Which components is the Cisco SecureX architecture built upon? (Choose two)

A. Regulatory compliance

B. Network and global intelligence

C. Modularity and flexibility

D. Context-aware policy

Which command allows for the creation of a flow record?

A. ip flow monitor

B. flow monitor

C. |b flow exporter |p

D. |b show flow exporter statistics |p

Which of the following options are the benefits of the Identity Internal Firewall? (Choose three)

A. Eliminates user activity monitoring

B. Simplifies the creation of security policies

C. Decouples network topology from security policies

D. Helps identify user activity on network resources

What statements describe the fundamental characteristics of zoning? (Choose three)

A. Each separate routable network can span across multiple security zones

B. If a new set of policy constraints are outlined an existing zone can be updated as required

C. The only zone that may connect to the public zone is the RZ

D. Every security zone connects to another zone via zone interface points

E. Each Network Security Zone contains one or more separate, routable networks

F. Data entering or leaving a zone must conform to the control requirements set by the policy for that zone

You need to order a new Cisco product for your NAT requirements. You need one that is easy to understand how the NAT configuration is used, that configures translations as network objects that are automatically added to the configuration, and that no longer requires to link NAT commands into one or more global commands.
Which Cisco product will suit your requirements?

A. Cisco IOS (and IOS XE) Software Routers with legacy NAT configuration

B. Cisco IOS (and IOS XE) Software Routers with NAT Virtual Interface

C. Cisco ASA 5500 Series Version 8.3 and later and Cisco ASA 5500-X Series

D. Cisco Adaptive Security Appliance 5500 Series Version 8.2 and earlier

You need to prevent LAN traffic from being disrupted by broadcast storms on a Catalyst 3550 switch interface. You have been notified to configure the switch to drop broadcast traffic when exceeding 70 percent of total available bandwidth. Traffic should resume automatically when approximately half the total of available bandwidth is detected.
What needs to be entered in the CLI?

A. Switch(config-if)# storm-control broadcast level 70 50

B. Switch(config-if)# storm-control broadcast level 70

C. Switch(config-if)# storm-control broadcast level bps 70
Switch(config-if)# storm-control action trap

D. Switch(config-if)# storm-control broadcast level 50 70

E. Switch(config-if)# storm-control broadcast level 70 50
Switch(config-if)# storm-control action shutdown

F. Switch(config-if)# storm-control broadcast level 70
Switch(config-if)# storm-control action shutdown

You need to enable strict uRPF and allow the router to ping its own interface. Which command should you use?

A. ip verify unicast source reachable-via rx allow-default allow–self-ping

B. ip verify unicast source reachable-via rx allow-self-ping

C. ip verify unicast source reachable-via any allow-self-ping

D. ip verify unicast source reachable-via any allow-default allow–self-ping

Which tool provides wired and wireless device lifecycle management?

A. Cisco Prime Network Analysis Module

B. Cisco Prime Infrastructure

C. Cisco Prime Network Registrar

D. Cisco Prime Assurance Manager

In SNMPv3, each managed node and NMS is a single entity. There are two types of entities, each containing different applications. What do managed node SNMP entities include? (Choose two)

A. SNMP applications

B. SNMP manager

C. SNMP MIB

D. SNMP agent

Which are valid statements regarding Cisco Prime Infrastructure and MSEs? (Choose two)

A. One MSE can be managed by a maximum of two Prime Infrastructures.

B. One MSE can be managed by one Prime Infrastructure.

C. A single Prime Infrastructure can manage numerous MSEs.

D. One MSE can be managed by numerous Prime Infrastructures.

E. A single Prime Infrastructure can manage a maximum of two MSEs.

F. A single Prime Infrastructure can manage up to three MSEs.

Identify the steps used in configuring uRPF on Cisco ASA security appliance interfaces. (Choose two)

A. Enable uRPF in the Anti-Spoofing configuration window for loose mode for the DMZ interface

B. Use the show mka policy command to verify uRPF statistics on uRPF enabled interfaces

C. Enable uRPF in the Anti-Spoofing configuration window for strict mode on all interfaces where spoofing can occur

D. Use the show ip verify statistics command to verify uRPF statistics on uRPF enabled interfaces

Which Zone-Based Policy Firewall protocol inspector would be used for the inspection of H.225 message types?

A. UNIX RPC

B. H.323

C. ESMTP

D. SIP

Which of these statements are correct about using the CLI to tune and verify inspection on the Cisco ASA for OSI layers 3 and 4? (Choose three)

A. The set connection timeout idle command sets the TCP idle timeout

B. The set connection timeout reset dcd command enables connections that can still process traffic to be expired

C. The command set connection decrement-ttl decrements Time to Live

D. The show service-policy set connection command displays per-class connection settings and statistics

E. You add the inspect icmp statement to default global policy map to inspect selective ICMP ping traffic

Which statements describe characteristics of control plane protection (CPP)? (Choose two)

A. Two control plane subinterfaces are automatically created by CPP

B. Configured as a service policy on a virtual data plane subinterface

C. Extends policing functionality by allowing finer policing granularity

D. CPP lets you filter and rate-limit the packets that are going to the control plane of the router and discard malicious and error packets

How can uRPF be used on Cisco IOS routers to make ALCs more scalable and manageable? (Choose two)

A. uRPF can be configured in strict or loose mode on routed interfaces where spoofing is not likely to occur

B. When a forward information base is trusted, uRPF can be used as a scalable replacement for ingress and egress anti-spoofing edge ACLs

C. Packets that are coming from unexpected interfaces not found in the RIB and FIB are dropped

D. uRPF is suggested for when routing is not appropriately secured by using routing protocol authentication and filtering

Which Cisco switch features are used to restrict switch ports from being part of the STP bridge negotiation process? (Choose two)

A. BPDU guard

B. PortFast

C. PVLAN

D. Root guard

A host is having external connection issues, routing looks to be okay. You suspect that NAT is causing the problem. You have verified that all applicable interfaces are NAT enabled and assigned the correct inside or outside NAT domain role.
How can you check if there is an issue with the NAT rule configuration? (Choose two)

A. Use the debug ip nat command

B. Use the show ip nat translations command

C. Use the show ip nat statistics command

You have been asked to strengthen the security of each network switch. One method that needs to be employed is IP Source Guard.
Which levels of IP traffic filtering are available? (Choose two)

A. Destination MAC address filter

B. Destination IP and MAC address filter

C. Source MAC address filter

D. Source IP and MAC address filter

E. Source IP address filter

F. Destination IP address filter

Which tasks are involved in configuring SNMPv3 on Cisco IOS devices? (Choose three)

A. Configure SNMP users and groups that will define transmission security, authentication, and access control parameters for individual management users

B. Configure security features that are applied to SNMP traps and informs

C. Configure SNMP views to allow the NMS to all sections of the MIB of the device

D. Configure SNMP views to restrict the network management server to only the required section of the MIB of the device

E. Apply the SNMPv3 views to their corresponding community strings

A network has recently configured the following L2 Data Plane control: DHCP snooping. What will configuring this accomplish for the organization? (Choose two)

A. Isolate same VLAN ports.

B. Defend against ARP spoofing.

C. Harden overall network security.

D. Prevent STP operations from being influenced.

A company decides that a network IPS will be implemented into the company's firewall solution design. Which statement defines the functionality of the network IPS?

A. It utilizes an external reputation database.

B. It acts as an intermediary between clients and servers.

C. It utilizes either an AIC or AVC traffic analysis engine.

D. It utilizes an attack signature database.

Which Cisco IOS feature allows you to create different views of router configurations for different users?

A. FlexAuth

B. ACL

C. RBAC

D. SPAN

A network group named blcokNY was created. It contains only IPv4 networks. An IPv6 network needs to have the same ACLs applied to it. Which option would best achieve this requirement?

A. Access protocol configuration mode for the blockNY group and add the IPv6 network with the "network-object" command.

B. Issue the "no object-group network blockNY" command and then recreate the group so it includes all required networks.

C. Access protocol configuration mode for the blockNY group and add the IPv6 network with the "object-network" command.

D. Create a new network object group named blockNY_IPv6, add the IPv6 network using the "network-object" command, and create ACLs.

You are in the process of configuring PVLANs on a Cisco Catalyst switch. You need to configure the port that connects to the default gateway.
What type of port should be configured?

A. Promiscuous

B. Community

C. Isolated

D. Non-promiscuous

Identify the features of MACsec encryption. (Choose two)

A. Cisco TrustSec NDAC SAP can be configured for switched virtual interfaces

B. The MKA protocol provides the required session keys and manages the required encryption keys for switch-to-host encryption

C. It provides MAC layer encryption over wired networks using OOB methods for encryption keying

D. Cisco Catalyst switches support 802.1AE encryption with TrustSec NDAC on downlink ports for encryption between the switch and host devices

E. Cisco switches support MACsec link layer switch-to-switch security by using Cisco MKA and the SAP key exchange

Which three security features are available in SNMPv3? (Choose three)

A. Message integrity

B. Network address translation

C. Encryption

D. Port security

E. Authentication

Which of the following are true of stateful packet filtering? (Choose two)

A. Provide reliable access control through Layers 3 and 4

B. Typically used in a restrictive approach

C. Relies on a static rulebase of packet descriptions

D. Work best with layer 3 only filtering

DHCP does not include authentication and is therefore vulnerable to spoofing and other attacks. In which ways can you deploy DHCP control to help mitigate such attacks? (Choose four)

A. Use ARP snooping to help protect against DHCP starvation threats

B. Use static IP addresses to mitigate DHCP spoofing in smaller networks

C. Limit the maximum number of MAC addresses per port to provide defense against DHCP starvation threats

D. Use BPDU guard and root guard to prevent attacker attempts to use all available DHCP-assigned addresses in the network to deny DHCP service to legitimate users

E. Use DHCP snooping to filter untrusted DHCP messages by building and maintaining a DHCP snooping binding database

Which of the following are available firewall filtering technologies? (Choose three)

A. Stateless packet filtering

B. Reputation based filtering

C. IDS

D. Stateful packet filtering

Which of the following service groups are supported by the Cisco ASA by default? (Choose four)

A. TCP Service Group

B. ICMP Service Group

C. ARP Service group

D. TCP-UDP Service group

E. Any service group

F. UCDP Service Group

Which command set would be used to create an object group for a server running the DNS server service located on the 10.0.0.0 255.0.0.0 network?

A. object-group network DNS
network-object 10.0.0.0 255.0.0.0

B. object-group host DNS
network-object host 10.0.1.0

C. object-group protocol DNS
network-object host 10.0.1.0

D. object-group network DNS
network-object host 10.0.1.0

Examine the output in the exhibit. You are troubleshooting the syslog message displayed in the output. Which severity level is outlined within the syslog message?

A. Alert

B. Critical

C. Emergency

D. Warning

Which of the following describe C3PL policy map functions? (Choose three)

A. They determine the firewall policy applied to a class

B. They are evaluated in reverse order

C. They are applied to each configured zone pair

D. They can use permit, deny, log, or special actions

Identify the ways in which IP spoofing is used? (Choose three)

A. Spoofing nonexistent hosts by injecting packets with a forged source address in the network avoiding detection

B. Spoofing an existing host using IP source routing exploiting IP address-based authentication between networked systems

C. Spoofing an existing host by simply injecting packets with a forged source address in the network exploiting IP address-based authentication between networked systems

D. Spoofing can be to accommodate ARP attacks in non-DHCP environments

E. Spoofing is mainly used to attack Layer 2 data plane controls using storm control mechanisms

Which of the following best describes a parameter map?

A. Augment basic inspection with the capability to recognize and apply service-specific actions

B. A threshold setting for classifying traffic that exceeds a defined maximum threshold

C. Specifies the actions to take when traffic matches defined criteria

D. Objects that describe different classes of traffic

Which of the following commands is used to display the configuration of an inspection class map?

A. show class-map type inspect

B. show class-map type-inspect

C. show inspect class-map

D. show class-map inspect

How can storm control prevent LAN traffic from being disrupted by storms? (Choose three)

A. The switch can be configured to shut down the port when the falling threshold is reached

B. It uses thresholds to block and restore the forwarding of broadcast, unicast, or multicast packets

C. The switch port can be configured with a threshold level to be used for a specific traffic type

D. Storm control can be configured to measure traffic activity by bandwidth percentage

E. Broadcast traffic activity can only be tracked by packets per second on the interface

Which command enables the Cisco ASA to display syslog messages for SSH sessions?

A. logging message

B. logging monitor

C. |b logging enable |p

D. |b logging list |p

E. logging SSH

Review the exhibit. What can be concluded using this information? (Choose two)

Review the exhibit. What can be concluded using this information?

A. HTTPS access has been configured.

B. HTTP access has been configured.

C. SSH has been allowed on the management interface.

D. An OOB Management Interface has been configured.

Which of the following are features of Application layer gateways? (Choose three)

A. Use a permissive filtering only

B. Provide automatic protocol normalization

C. They provide access control from layers 3 through 7

D. Can perform content analysis and buffering

Which attacks can be mitigated by using port security? (Choose two)

A. Traffic capture

B. CAM flooding

C. VLAN hopping

D. MAC spoofing

A network administrator is planning to implement application layer controls on a Cisco ASA. Which approach should be used to limit the amount of application data through the endpoint?

A. Payload minimization

B. Protocol verification

C. Application layer signatures

D. Protocol minimization

Recently, Cisco Botnet Traffic Filter was enabled. However, after traffic analysis, it is determined that data is being sent to and from a known Botnet. Which two separate configurations could be implemented to resolve this issue? (Choose two)

A. Create a static database entry.

B. Disable traffic classification.

C. Configure a domain name server.

D. Disable DNS inspection.

Firewall threat controls should be placed throughout the Cisco modular network architecture, one option for a control are stateful packet filters. Which statements are true of stateful packet filters? (Choose two)

A. They offer high performance

B. They provide application layer access control

C. They are most suited to static TCP applications

D. They offer access control on layers 3 and 4

Examine the output in the exhibit. What can be concluded based upon the output?

A. The connection is blocked because Telnet has not been configured properly.

B. The connection is blocked because NAT is not configured properly.

C. There is no connectivity issue.

D. The connection is blocked by a configured interface access rule.

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?

Why?

While calculating your results take a moment to complete our simple survey!

How likely is it that you would recommend LearnCisco.net to a friend or colleague?

Why?

How likely is it that you would recommend LearnCisco.net
to a friend or colleague?