CCNA Security v2.0 Pretest Test Online
Question 1 of 44
Which statement describes the Cisco ASAv product?
Hint
The Cisco Adaptive Security Virtual Appliance (ASAv) brings the power of ASA appliances to the virtual domain. The Cisco ASAv operates as a virtual machine (VM) using the interfaces on a host server to process traffic.
Question 2 of 44
What two features must match between ASA devices to implement a failover configuration? (Choose two.)
Hint
In order for two Cisco ASA 5505 devices to work in a failover configuration, both devices must be identical models with the same hardware configuration, number and types of interfaces, and the same amount of RAM.
Question 3 of 44
What protocol is used to query the revocation status of an X.509 certificate?
Hint
Online Certificate Status Protocol (OCSP) is an internet protocol used to query an OCSP server for the revocation status of an X.509 digital certificate.
Question 4 of 44
Which Cisco platform supports Cisco Snort IPS?
Hint
The newer ISR routers, Cisco 4000 series, no longer support IOS IPS. The 4000 series routers provide IPS services using Snort.
Question 5 of 44
Which IDS/IPS signature alarm will look for packets that are destined to or from a particular port?
Hint
Cisco IDS and IPS sensors can use four types of signature alarms or triggers:
- Pattern-based detection – also known as signature-based detection, searches for a specific and pre-defined pattern. In most cases, the pattern is matched to the signature only if the suspect packet is associated with a particular service or destined to or from particular ports.
- Anomaly-based detection – also known as profile-based detection, involves first defining a profile of what is considered normal for the network or host. After defining normal activity, the signature triggers an action if excessive activity occurs beyond a specified threshold that is not included in the normal profile.
- Policy-based detection – also known as behavior-based detection, is similar to pattern-based detection, but instead of trying to define specific patterns, the administrator defines behaviors that are suspicious based on historical analysis.
- Honey pot-based detection – uses a dummy server to attract attacks.
Question 6 of 44
Refer to the exhibit. The exhibit shows a small switched network and the contents of the MAC address table of the switch. PC1 has sent a frame addressed to PC3. What will the switch do with the frame?
Hint
The MAC address of PC3 is not present in the MAC table of the switch. Because the switch does not know where to send the frame that is addressed to PC3, it will forward the frame to all the switch ports, except for port 4, which is the incoming port.
Question 7 of 44
What is a difference between ASA IPv4 ACLs and IOS IPv4 ACLs?
Hint
There are many similarities between ASA ACLs and IOS ACLs, including:
- In both, there is an implicit deny any.
- Only one ACL per interface, per protocol, per direction still applies.
- Both use deny and permit ACEs.
- ACLs can be either named or numbered.
Question 8 of 44
What type of algorithms require sender and receiver to exchange a secret key that is used to ensure the confidentiality of messages?
Hint
Symmetric algorithms use the same key, a secret key, to encrypt and decrypt data. This key must be pre-shared before communication can occur. Asymmetric algorithms require more processing power and overhead on the communicating devices because these keys can be long in order to avoid being hacked.
Question 9 of 44
What is the one major difference between local AAA authentication and using the login local command when configuring device access authentication?
Hint
Local AAA authentication works very similarly to the login local command, except that it allows you to specify backup authentication methods as well. Both methods require that local usernames and passwords be manually configured on the router.
Question 10 of 44
What is a result of securing the Cisco IOS image using the Cisco IOS Resilient Configuration feature?
Hint
When using the Cisco IOS Resilient Configuration feature, a secure copy of the IOS image is stored in flash and is hidden from view and not included in any directory listings.
Question 11 of 44
Which two wildcard masks are required in an extended access list entry that blocks the traffic from network 192.168.20.0/26 to network 172.16.32.0/28? (Choose two.)
Question 12 of 44
Which two statements describe static routes? (Choose two.)
Question 13 of 44
When is UDP preferred to TCP?
Hint
UDP can be used when an application can tolerate some data loss. UDP is the preferred protocol for applications that provide voice or video that cannot tolerate delay.
Question 14 of 44
Refer to the exhibit. An extended access list has been created to prevent human resource users from gaining access to the accounting server. All other network traffic is to be permitted. When following the ACL configuration guidelines, on which router, interface, and direction should the access list be applied?
Hint
The ACL configuration guidelines recommend placing extended access control lists as close to the source of network traffic as possible and placing standard access control lists as close to the destination of network traffic as possible.
Question 15 of 44
Refer to the exhibit. What would be a valid network address for the new subnet on RTA?
Question 16 of 44
Refer to the exhibit. What two pieces of information can be gathered from the generated message? (Choose two.)
Hint
A Cisco router log message consists of three parts:
- the timestamp
- the log message and severity level
- the message text
Question 17 of 44
Refer to the exhibit. The network administrator is configuring the port security feature on switch SWC. The administrator issued the command show port-security interface fa 0/2 to verify the configuration. What can be concluded from the output that is shown? (Choose three.)
Hint
Because the security violation count is at 0, no violation has occurred. The system shows that 3 MAC addresses are allowed on port fa0/2, but only one has been configured and no sticky MAC addresses have been learned. The port is up because of the port status of secure-up. The violation mode is what happens when an unauthorized device is attached to the port. A port must be in access mode in order to activate and use port security.
Question 18 of 44
Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
Hint
An administrator can create customized privilege levels and assign different commands to each level. However, this method of controlling the level of access to the router has limitations. Using privilege levels, access to specific interfaces or ports cannot be controlled, and availability of commands cannot be customized across levels.
Question 19 of 44
What are two protocols that are used by AAA to authenticate users against a central database of usernames and passwords? (Choose two.)
Hint
By using TACACS+ or RADIUS, AAA can authenticate users from a database of usernames and passwords stored centrally on a server such as a Cisco ACS server.
Question 20 of 44
What is the main difference between the implementation of IDS and IPS devices?
Hint
An IPS is deployed in inline mode and will not allow malicious traffic to enter the internal network without first analyzing it. An advantage of this is that it can stop an attack immediately. An IDS is deployed in promiscuous mode. It copies the traffic patterns and analyzes them offline, thus it cannot stop the attack immediately and it relies on another device to take further actions once it detects an attack. Being deployed in inline mode, an IPS can negatively impact the traffic flow. Both IDS and IPS can use signature-based technology to detect malicious packets. An IPS cannot replace other security devices, such as firewalls, because they perform different tasks.
Question 21 of 44
Refer to the exhibit. A network administrator is configuring inter-VLAN routing on a network. For now, only one VLAN is being used, but more will be added soon. What is the missing parameter that is shown as the highlighted question mark in the graphic?
Hint
The completed command would be encapsulation dot1q 7. The encapsulation dot1q part of the command enables trunking and identifies the type of trunking to use. The 7 identifies the VLAN number.
Question 22 of 44
A network technician has been asked to design a virtual private network between two branch routers. Which type of cryptographic key should be used in this scenario?
Hint
A symmetric key requires that both routers have access to the secret key that is used to encrypt and decrypt exchanged data.
Question 23 of 44
Which three actions can the Cisco IOS Firewall IPS feature be configured to take when an intrusion activity is detected? (Choose three.)
Hint
In IPS implementation, when a signature detects a matching activity, the signature triggers one or more of these actions:
- Generates an alert
- Logs the activity
- Drops or prevents the activity
- Resets a TCP connection
- Blocks future activity
- Allows the activity
Question 24 of 44
What Layer 2 attack is mitigated by disabling Dynamic Trunking Protocol?
Hint
Mitigating a VLAN hopping attack can be done by disabling Dynamic Trunking Protocol (DTP) and by setting the native VLAN of trunk links to VLANs not in use.
Question 25 of 44
Match the network security testing technique with how it is used to test network security. (Not all options are used.)
Hint
Network scanning tools are used to probe network devices, servers and hosts for open TCP or UDP ports. Vulnerability scanning tools are used to discover security weaknesses in a network or computer system. Penetration testing tools are used to determine the possible outcome of a successful attack on a network or computer system.
Question 26 of 44
Refer to the exhibit. R1 was configured with the static route command ip route 209.165.200.224 255.255.255.224 S0/0/0 and consequently users on network 172.16.0.0/16 are unable to reach resources on the Internet. How should this static route be changed to allow user traffic from the LAN to reach the Internet?
Hint
The static route on R1 has been incorrectly configured with the wrong destination network and mask. The correct destination network and mask is 0.0.0.0 0.0.0.0.
Question 27 of 44
A small company has a web server in the office that is accessible from the Internet. The IP address 192.168.10.15 is assigned to the web server. The network administrator is configuring the router so that external clients can access the web server over the Internet. Which item is required in the NAT configuration?
Hint
A static NAT configuration is necessary for a web server that is accessible from the Internet. The configuration is achieved via an ip nat inside source static <inside local> <inside global> command under the global configuration mode. An IP address pool and an ACL are necessary when configuring dynamic NAT and PAT. The keyword overload is used to configure PAT.
Question 28 of 44
Refer to the exhibit. A network administrator has configured R1 as shown. When the administrator checks the status of the serial interface, the interface is shown as being administratively down. What additional command must be entered on the serial interface of R1 to bring the interface up?
Hint
By default all router interfaces are shut down. To bring the interfaces up, an administrator must issue the no shutdown command in interface mode.
Question 29 of 44
Refer to the exhibit. What command would be used to configure a static route on R1 so that traffic from both LANs can reach the 2001:db8:1:4::/64 remote network?
Hint
To configure an IPv6 static route, use the ipv6 route command followed by the destination network. Then add either the IP address of the adjacent router or the interface R1 will use to transmit a packet to the 2001:db8:1:4::/64 network.
Question 30 of 44
A network administrator needs to configure a standard ACL so that only the workstation of the administrator with the IP address 192.168.15.23 can access the virtual terminal of the main router. Which two configuration commands can achieve the task? (Choose two.)
Hint
To permit or deny one specific IP address, either the wildcard mask 0.0.0.0 (used after the IP address) or the wildcard mask keyword host (used before the IP address) can be used.
Question 31 of 44
How many classful networks are summarized by the static summary route ip route 192.168.32.0 255.255.248.0 S0/0/0?
Hint
A summary route of 192.168.32.0 with a network prefix of /21 will summarize 8 routes. The network prefix has moved from the classful boundary of 24 to the left by 3 bits. These 3 bits identify that 8 networks are summarized. The networks that are summarized would be 192.168.32.0/24 through 192.168.39.0/24.
Question 32 of 44
Which two Layer 2 security best practices would help prevent VLAN hopping attacks? (Choose two.)
Hint
Allowing end-user devices to negotiate trunk settings via DTP can lead to a VLAN hopping attack, so DTP autonegotiation should be disabled on access ports. Configuring a trunk link with a native VLAN that is also used for end-users can lead to VLAN hopping attacks as well. The native VLAN should be set to a VLAN that is not used anywhere else.
Question 33 of 44
A destination route in the routing table is indicated with a code D. Which kind of route entry is this?
Hint
Routes in a routing table are manually created or dynamically learned. Letter D indicates that the route was learned dynamically through the EIGRP routing protocol.
Question 34 of 44
Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router by using the password cisco123. What is a possible cause of the problem?
Hint
To authenticate and log in using a Telnet vty line, the network administrator is required to use the local username and password that has been configured on the local router. This is evidenced by the application of the aaa authentication login telnet local-case command. The administrator must use a capital C in Cisco123 to match the applied configuration.
Question 35 of 44
Refer to the exhibit. A host connected to Fa0/0 is unable to acquire an IP address from this DHCP server. The output of the debug ip dhcp server command shows “DHCPD: there is no address pool for 192.168.1.1”. What is the problem?
Question 36 of 44
Refer to the exhibit. Which sequence of commands will configure router A for OSPF?
Question 37 of 44
Switch port Fa0/24 was previously configured as a trunk, but now it is to be used to connect a host to the network. How should the network administrator reconfigure switch port Fa0/24?
Question 38 of 44
Which device performs the function of determining the path that messages should take through internetworks?
Hint
A router is used to determine the path that the messages should take through the network. A firewall is used to filter incoming and outgoing traffic. A DSL modem is used to provide Internet connection for a home or an organization.
Question 39 of 44
The ARP table in a switch maps which two types of address together?
Hint
The switch ARP table keeps a mapping of Layer 2 MAC addresses to Layer 3 IP addresses. These mappings can be learned by the switch dynamically through ARP or statically through manual configuration.
Question 40 of 44
When applied to a router, which command would help mitigate brute-force password attacks against the router?
Hint
The login block-for command sets a limit on the maximum number of failed login attempts allowed within a defined period of time. If this limit is exceeded, no further logins are allowed for the specified period of time. This helps to mitigate brute-force password cracking since it will significantly increase the amount of time required to crack a password. The exec-timeout command specifies how long the session can be idle before the user is disconnected. The service password-encryption command encrypts the passwords in the running configuration. The banner motd command displays a message to users who are logging in to the device.
Question 41 of 44
Which statement describes a characteristic of the traceroute utility?
Hint
Traceroute is a utility that generates a list of hops (or routers) along the path from a source host to the destination host.
Question 42 of 44
Refer to the exhibit. What has to be done in order to complete the static NAT configuration on R1?
Hint
In order for NAT translations to work properly, both an inside and outside interface must be configured for NAT translation on the router.
Question 43 of 44
Which statement accurately describes dynamic NAT?
Hint
Dynamic NAT provides a dynamic mapping of inside local to inside global IP addresses. NAT is merely the one-to-one mapping of one address to another address without taking into account whether the address is public or private. DHCP is automatic assignment of IP addresses to hosts. DNS is mapping host names to IP addresses.
Question 44 of 44
Which command would be best to use on an unused switch port if a company adheres to the best practices as recommended by Cisco?
Hint
Unlike router Ethernet ports, switch ports are enabled by default. Cisco recommends disabling any port that is not used. The ip dhcp snooping command globally enables DHCP snooping on a switch. Further configuration allows defining ports that can respond to DHCP requests. The switchport port-security command is used to protect the network from unidentified or unauthorized attachment of network devices.