SENSS 300-206 Practice Test

Cisco Practice Tests

Question 1 / 55 - Mode : Exam
DHCP does not include authentication and is therefore vulnerable to spoofing and other attacks. In which ways can you deploy DHCP control to help mitigate such attacks? (Choose four) A. Use ARP snooping to help protect against DHCP starvation threats B. Use static IP addresses to mitigate DHCP spoofing in smaller networks C. Limit the maximum number of MAC addresses per port to provide defense against DHCP starvation threats D. Use BPDU guard and root guard to prevent attacker attempts to use all available DHCP-assigned addresses in the network to deny DHCP service to legitimate users E. Use DHCP snooping to filter untrusted DHCP messages by building and maintaining a DHCP snooping binding database Which command allows for the creation of a flow record? A. ip flow monitor B. flow monitor C. \|b flow exporter \|p D. \|b show flow exporter statistics \|p What are the two methods of verifying that the Cisco ASA can communicate with the Cisco CDA? (Choose two) A. Use the test aaa-server ad-agent CLI command B. Use the ”Test” button in the Identity Options window in ASDM C. Use the Test button in the AAA Server Groups window in ASDM D. Use the test aaa-server authentication AD CLI command Identify the statements that describe NAT with PAT and policy-based NAT. (Choose three) A. Policy-based NAT can be used to implement destination-sensitive rules B. Dynamic PAT maps a local network to another global IP address using multiplexing C. Policy-based NAT is sensitive to all communicating endpoints D. Static PAT maps one global IP and service port to another global IP and service port E. Policy-based NAT is mainly used on networks with the same NAT requirements Which of the following commands allow for very extensive debugging of low-level inspection routines and should only be used as a last resort? A. debug policy-firewall protocol protocol_name B. debug security-policy protocol protocol_name C. debug policy-firewall inspect D. debug zone-security Identify the statements that describe the features of Network Time Protocol, or NTP. (Choose three) A. NTP can be used to monitor and filter traffic at all exit points B. NTP is required for certificate validation and analyzing past log events C. NTP is used to synchronize clocks between network devices D. NTP synchronization uses UDP port 23 for its transport E. NTP authentication is available for use over untrusted networks Identify the command to define a PVLAN association for mapping of community interfaces by being assigned to VLAN 600, where the port associated with VLAN 200 is the primary VLAN. A. switchport mode private-vlan promiscuous switchport private-vlan host-association 200 600 B. switchport mode private-vlan promiscuous switchport private-vlan mapping 200 600 C. switchport mode private-vlan host switchport private-vlan host-association 200 600 D. switchport mode private-vlan host switchport private-vlan host-mapping 200 600 Which attacks can be mitigated by using port security? (Choose two) A. Traffic capture B. CAM flooding C. VLAN hopping D. MAC spoofing Which of the following are functions of the Cisco IOS Zone-Based Policy Firewall HTTP inspector? (Choose three) A. It provides protection of both HTTP clients and servers B. It works at Layer 3 only C. It can automatically detect tunneling of peer-to-peer and IM attacks inside the HTTP protocol D. It inspects the HTTP protocol and allows administrators to specify granular access rules Select the statements that describe the concept of Network Security Zone implementation. (Choose two) A. Network Security Zones monitor and filter traffic at all exit points B. Network Security Zones create logical boundaries with a defined level of network security C. Network Security Zone implementation shuts down any discrete network entry points D. Network Security Zones assists network architects with the appropriate placement of services Cisco SecureX is an access control strategy that allows for more effective, higher-level policy creation and enforcement for mobile users. Identify the statements that describe components of the of the SecureX architecture. (Choose two) A. Cisco TrustSec function offers a web-based global network of shared resources, software, and information provided to Cisco customers on demand B. Cisco Security Intelligence Operations (SIO) extends the access control functionality end-to-end, using security group tags C. Cisco AnyConnect client provides a consistent user interface and consolidates traditional function-specific client software products into one product D. Context awareness allows enforcement elements to use identity and location information to define access policy Identify statements that describe plane and management plane security controls. (Choose two) A. Control plane security measures include secure management protocols, AAA, and MPP B. The control plane includes a control plane protection feature that extends policing functionality by allowing finer policing granularity C. Management plane control includes the use of management protocols with strong authentication to ensure the confidentiality of your data D. Network management on the management plane should always be performed using Telnet or HTTP How can SSH be configured to provide remote management of the Cisco ASA? (Choose four) A. SSH allows you to configure the management interface for OOB management access if you do not have ADSM access B. SSH allows you to define specific networks that are authorized to initiate an SSH connection to the ASA C. By default, SSH sessions left idle for ten minutes are closed by the adaptive security appliance D. SSH allows you to define how long a session can remain idle before being disconnected E. SSH parameters are configured on the ASA using the ASDM/HTTPS/Telnet/SSH option from the Management Access menu F. SSH allows you to define specific hosts that are authorized to initiate an SSH connection to the ASA You are configuring IP source address control using static addressing. Currently only IP Source Guard with IP address filtering is enabled. What command enables IP source guard with both IP and MAC address filtering on all DHCP-snooping-enabled ports? A. port-security B. errdisable recovery cause all C. ip source binding D. ip verify source port security Which components is the Cisco SecureX architecture built upon? (Choose two) A. Regulatory compliance B. Network and global intelligence C. Modularity and flexibility D. Context-aware policy Which of the following are characteristics of a Cisco ASA default access policy for interface access rules? (Choose three) A. For statefully managed protocols, ASA interface access rules only need to permit the initial packet B. There is an implicit deny rule at the end of the rules C. Interface access rules use wildcards D. The rule that matches first is selected Why is network infrastructure protection important within the network? (Choose three) A. It protects the underlying IT infrastructures that are comprised of applications, data at rest and in motion, and user components B. It sets a baseline for protecting network devices within the network and a secure foundation in which to build on C. Public-facing parts of the infrastructure are protected from threats such as DoS and unauthorized access D. It include design blueprints outlining principles such as defense-in depth and regulatory compliance Which command can be used to verify that secure management access protocols are configured on a Cisco IOS device? A. show management-interface B. show ip interfaces brief C. \|b show version \|p D. \|b show interfaces \|p Select statements that best describe characteristics of control plane security. (Choose three) A. Attackers can use a flooding attack to redirect sensitive traffic violating confidentiality and integrity B. A flooding attack on the routers CPU can result in all three plane functions being disabled C. Because the CPU is shared among the functional planes, excessive traffic to one plane can influence the behavior of the other two planes D. Malicious routing information can be injected into the routed control plane violating its ability to perform a denial-of-service attack E. Routing protocol filtering can be used to mitigate a slow path denial-of-service at Which command is used to verify PVLAN associations? A. show vlan private-vlan B. show interfaces if_name switchport C. \|b show vlan private-vlan type \|p Which tasks are involved in configuring SNMPv3 on Cisco IOS devices? (Choose three) A. Configure SNMP users and groups that will define transmission security, authentication, and access control parameters for individual management users B. Configure security features that are applied to SNMP traps and informs C. Configure SNMP views to allow the NMS to all sections of the MIB of the device D. Configure SNMP views to restrict the network management server to only the required section of the MIB of the device E. Apply the SNMPv3 views to their corresponding community strings What command syntax would be entered to assign monitor-only level access to the "show aaa exec" commands? A. privilege show level 3 mode configure command aaa B. privilege show level 3 mode exec command aaa C. privilege show level 3 mode exec aaa command D. privilege show level 3 mode configure aaa command Select the statements that best a describe Zone Interface Points. (Choose two) A. Zone Interface Points enforce zone data communication policy through perimeter security measures B. Only secured data communication is required to travel through a Zone Interface Point C. A Zone Interface Point can be created by using a combination of a firewall IDS and a router D. Zone Interface Points are able to implement the security policy of connecting zones as well as their own E. Additional security controls such an IPS may be required for any data communication that passes through a zone but not terminated in it Identify the statements that describe characteristics of management access AAA. (Choose four) A. RBAC restricts user access based on task functions and permission roles B. Management access AAA specifies what user can do on the device C. Management access AAA specifies what a user did on the device D. Management access AAA specifies who can access a network devices E. AAA authentication and authorization can be checked against a local database only F. Management access AAA provides secure management access to a network device using SNMP-based tools Which command will output Syslog messages to all available TTY lines? A. console logging B. monitor logging C. \|b logging console \|p D. \|b logging on \|p How can routing protocol filtering be used as a control plane countermeasure? (Choose three) A. Routing information filtering provides an additional defense layer to device-based data plane protection features B. Routing information filtering uses the IGP EIGRP when strict filtering is required C. Routing information filtering prevents spoofing of neighborships and routing information D. Routing information filtering prevents route poisoning from routing peers On which types of remote access VPN clients can Cisco Prime Security Manager implement controls? (Choose two) A. Clientless SSL B. AnyConnect C. IPSec VPN Client D. Site-to-site Which of the following describe C3PL policy map functions? (Choose three) A. They determine the firewall policy applied to a class B. They are evaluated in reverse order C. They are applied to each configured zone pair D. They can use permit, deny, log, or special actions A Cisco security consultant is designing a firewall solution for a company. The company contains a single Active Directory Domain Services domain and has several remote employees. Management has given the following requirements: - Only HR employees can access the HR department network. - Users should not be prompted for login information. Which firewall solution can be used? A. Configure per-user policies using Cisco ASA cut-through proxy feature. B. Configure the Botnet Traffic Filter. C. Configure Cisco ASA Identity Firewall. D. Configure a reputation-based Cisco ASA access policy. When configuring policy-based NAT, which type of access control list should be configured to match both the source and destination IP addresses? A. Standard ACL B. Reflexive ACL C. Dynamic ACL D. Extended ACL Select the statements that explain how management access to Cisco adaptive security appliance devices can be secured? (Choose three) A. Telnet can be used on interfaces configured with the lowest security level to provide secure access B. The ASA has at least one dedicated management interface, which can be used for user traffic C. Out-of-band management paths and cryptography can protect against management session spoofing D. Remote management access has to be explicitly enabled using management rules for each protocol on any interface E. Strong authentication can be deployed to prevent identity theft and RBAC restrictions to limit access to specific management features What statements describe the functions of application inspections and controls? (Choose three) A. Two main approaches are used in the implementation of application layer controls B. Can prevent malicious content from being delivered to exposed client applications C. Are dependent on one another to provide a strong layer of defense to build a defense-in-depth solution D. Is able to prevent malicious protocol-level traffic from being delivered to target servers E. Can restrict or prevent covert tunneling channels What statements describe service placement within the network zone architecture? (Choose two) A. A service can be accessed from other adjacent zones and not just the zone in which it resides B. Services such as backup and auditing should be located in the Public Access Zone C. As a best practice authentication services should be placed in the Management Restricted Zone D. The placement of services and structure of Network Security Zones should be complimentary How can you verify your object groups on the Cisco ASA? (Choose two) A. With the show access-list command B. From the ADSM in Configuration > Firewall > Access Rules C. From the ADSM in Configuration > Firewall > Object Groups D. With the show object-list command How should you configure Zone-Based Policy Firewall zones and zone pairs? (Choose two) A. Create zones by tagging ACLs with a zone name B. Create zones by tagging interfaces with a zone name C. Separate resources into zones based on location D. Separate resources into zones based on resource sensitivity and trustworthiness A network has recently configured the following L2 Data Plane control: DHCP snooping. What will configuring this accomplish for the organization? (Choose two) A. Isolate same VLAN ports. B. Defend against ARP spoofing. C. Harden overall network security. D. Prevent STP operations from being influenced. Which destination is supported when implementing logging on a Cisco IOS software router or switch? A. Remote network management servers B. Cisco Adaptive Security Device Manger GUI C. Remote syslog servers D. E-mail systems What statements describe the default inspection policy and its tuning options on the ASA? (Choose four) A. By default, the ASA tracks all TCP and UDP flows using its connection table B. Default timers can be tuned using MPF or global timer settings to support local specifics C. Sessions are deleted from the connection table based on TCP connection close events or idle timeouts D. Stateful tracking of ICMP and ESP flows is enabled by default E. The state table anticipates extraordinary events such as a unresponsive host and deletes connections from the table F. The Cisco ASA by default decrements the IP TTL field Identify the statements that describe features of PVLANs? (Choose three) A. It eliminates the need for a separate VLAN and IP subnet per customer B. Isolated secondary VLANs configured inside the primary VLAN do not use layer 3 routing C. It provides a coarse access control mechanism that is easy to manage D. It provides Layer 2 isolation between ports within the same VLAN Which authentication protocol can be used by clients to provide secure management access to a Cisco device's CLI by using RSA pair keys? A. HTTPS B. SSHv2 C. Telnet D. SSH Which switch security feature measures bandwidth-based or packet-based traffic activity and can shut down a port if excessive activity is reached? A. RSPAN B. SPAN C. PVLAN D. Storm control A switch was configured with port security to restrict input to each interface to identify and limit the MAC addresses of stations allowed to access the port. You need to ensure that ports enter an error-disabled state and an SNMP trap message is sent if violations occur. What "switchport port-security violation" interface command parameter should be used? A. shutdown B. restrict C. protect D. errdisable Which Cisco switch features are used to restrict switch ports from being part of the STP bridge negotiation process? (Choose two) A. BPDU guard B. PortFast C. PVLAN D. Root guard Select the statements that describe Cisco modular network architecture principles and designs. (Choose three) A. Design blueprints include principles such as defense-in depth and regulatory compliance B. The architecture is delivered via validated design blueprints and security solutions C. Within the modular design all components are described by point platforms rather than functional roles D. Security design is composed of multiple, interrelated design modules working together to deliver an end-to-end security strategy E. The enterprise campus design module is the component that ties all other modules together You are troubleshooting an SSH connectivity issue with a Cisco ASA adaptive security appliance. The host has an interface address of 10.0.0.101 using port 1024 and the Cisco ASA adaptive security appliance has an interface address of 172.16.1.2. Which CLI command will allow you to quickly pinpoint the cause of the connectivity issue? A. ASA# packet-tracer input inside tcp 172.16.1.2 22 10.0.0.101 1024 B. ASA# packet-tracer input inside tcp 10.0.0.101 22 172.16.1.2 1024 C. ASA# \|b packet-tracer input inside tcp 10.0.0.101 1024 172.16.1.2 22 \|p D. ASA(config)# \|b packet-tracer input inside tcp 10.0.0.101 1024 172.16.1.2 22 \|p What statements describe the fundamental characteristics of zoning? (Choose three) A. Each separate routable network can span across multiple security zones B. If a new set of policy constraints are outlined an existing zone can be updated as required C. The only zone that may connect to the public zone is the RZ D. Every security zone connects to another zone via zone interface points E. Each Network Security Zone contains one or more separate, routable networks F. Data entering or leaving a zone must conform to the control requirements set by the policy for that zone Which type of attack can be mitigated by using BPDU guard? A. VLAN hopping B. STP spoofing C. DHCP server spoofing D. ARP spoofing Identify the statements that describe processes within the Cisco ASA Identity Firewall solution when used with Active Directory. (Choose three) A. Active Directory Domain Controllers authenticate the user and generate the user login security log event B. Cisco Context Directory Agent monitors the Active Directory Domain Controller security log events C. The Active Directory Domain Controllers update the Cisco ASA D. A user logs on to an Active Directory Domain How can you control management access to the ASA using management access AAA? (Choose three) A. By allowing management access to be based on the role of the user B. By using strong authentication methods and using TACACS+ and LDAP servers C. By not being permitted to reuse existing authentication databases D. It allows you to implement a strong administrator auditing policy E. AAA authorization and accounting processes do not require an existing authentication configuration Which command would be issued to set the GigabitEthernet0/0 as the dedicated management interface and allow only ssh? (Choose two) A. management-interface GigabitEthernet0/0 allow ssh B. management-interface Gi0/0 ssh C. \|b management-interface Gi0/0 allow ssh \|p D. management-interface GigabitEthernet0/0 ssh In what ways can ACLs protect the data plane? (Choose five) A. ACLs can be used to restrict user access based on the role of the user B. ACLs can reduce the chance of DoS attacks C. ACLs can be used to classify network traffic in order to protect other planes D. ACLs can block unwanted traffic or users E. ACLs can prevent spoofed packets F. ACLs can provide port security to prevent MAC flooding attacks G. ACLs can provide bandwidth control Which of the following is true when creating a remote management SSH access rule for a Cisco ASA? (Choose two) A. It is recommended to allow SSH versions 1 and 2. B. It is recommended to only allow SSH version 2. C. Idle time values may range from 1 to 60 minutes. D. The default idle time is 10 minutes. Examine the output in the exhibit. What can be concluded based upon this output? (Choose two) A. Access to the web site Brocadero.com is allowed. B. Peer-to-Peer file sharing is restricted. C. Access to Brocadero.com is denied. D. Torrent information is not restricted. You are going to implement Cisco MPF to provide granularity and flexibility when implementing network policies for traffic flows. Identify the statements that best describe how MPF works with OSI layer 3-4 traffic. (Choose two) A. You can create class maps for OSI layers 3 and 4 that classify traffic based only on IP addresses B. To associate an action with a specific traffic class, you create a service policy C. Class maps for layers 3 and 4 identify what policy to apply to the traffic D. Policy maps for layers 3 and 4 specify which traffic to apply policy to E. Service policy specifies where to apply the policy Which security features, provided by Layer 3 devices can protect network devices and network endpoints against L3 attacks? (Choose two) A. uRPF B. DHCP snooping C. PVLAN D. Interface ACLs

Our Recommended Premium CCNA Training Resources

These are the best CCNA training resources online:

Click Here to get the Cisco CCNA Gold Bootcamp, the most comprehensive and highest rated CCNA course online with a 4.8 star rating from over 30,000 public reviews. I recommend this as your primary study source to learn all the topics on the exam.

Want to take your practice tests to the next level? AlphaPrep’s purpose-built Cisco test engine has the largest question bank, adaptive questions, and advanced reporting which tells you exactly when you’re ready to pass the real exam. Click here for your free trial.

The SENSS 300-206 is for the CCNP Implementing Cisco Edge Network Security (SENSS) exam. You can use the practice test to check your knowledge and improve your understanding in preparation for the Cisco CCNP Security 300-206 certification exam.

The Cisco CCNP Security SENSS 300-206 practice exams include questions to test your Cisco knowledge of Cisco network perimeter edge devices security. The Cisco CCNP SENSS 300-206 exam objectives include Cisco threat defense, security devices GUIs and secured CLI management, management services on Cisco devices, troubleshooting, monitoring and reporting tools, threat defense architectures, and security components and considerations.

Passing the Cisco SENSS 300-206 exam validates your Cisco security knowledge as a network security engineer and proves that you can implement security in a Cisco router and a Cisco switch, implement ASA firewall features, and that you are knowledgeable in Cisco ASA firewall, Network Address Translation (NAT), Cisco Security Manager, Data Center Security Components, security operations management architectures.

SENSS 300-206 Practice Test

Complete this form to get your score report

Our Recommended Premium CCNA Training Resources