Check answers here:
Chapters 25 – 26: Access Control and Infrastructure Security Exam Answers
Quiz-summary
0 of 32 questions completed
Questions:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
Information
CCNP ENCOR v8 Chapters 25 – 26: Access Control and Infrastructure Security Test Online
You have already completed the quiz before. Hence you can not start it again.
Quiz is loading...
You must sign in or sign up to start the quiz.
You have to finish following quiz, to start this quiz:
Results
0 of 32 questions answered correctly
Your time:
Time has elapsed
You have reached 0 of 0 points, (0)
Average score |
|
Your score |
|
Categories
- Not categorized 0%
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- Answered
- Review
-
Question 1 of 32
1. Question
1 pointsWhich place in the network (PIN) is considered to be the highest-risk, as it is the ingress and egress point for internet traffic?Correct
Incorrect
Hint
The network edge is the ingress and egress point for traffic to and from the internet. It is the most important place in the network (PIN) for e-commerce and is also the highest-risk PIN. -
Question 2 of 32
2. Question
1 pointsWhat threat protection actions are involved in the “before” phase of the attack continuum?Correct
Incorrect
Hint
Threat protection activities before a network attack include establishing the policies and implementing prevention solutions that can reduce risk. -
Question 3 of 32
3. Question
1 pointsQuestion as presented: Match the Cisco Safe security concepts to the description. (Not all options are used.)Correct
Incorrect
Hint
-
Question 4 of 32
4. Question
1 pointsQuestion as presented: Match the Cisco SAFE component with the description. (Not all options are used.)Correct
Incorrect
-
Question 5 of 32
5. Question
1 pointsWhich solution provides comprehensive network and data protection for organizations before, during, and after a malware attack?Correct
Incorrect
Hint
Cisco Advanced Malware Protection (AMP) is a malware analysis and protection solution that provides comprehensive protection for organizations across the full attack continuum: before, during, and after. -
Question 6 of 32
6. Question
1 pointsWhich solution provides VPN access for clients and performs an assessment of the VPN client security posture compliance?Correct
Incorrect
Hint
Cisco AnyConnect is a client software product that provides VPN access to clients and also is capable of assessing endpoint compliance with antivirus, antispyware, and firewall software installed on the host. -
Question 7 of 32
7. Question
1 pointsWhat security capability is provided by applying Cisco WSA web reputation filters before an attack?Correct
Incorrect
Hint
Cisco Web Security Appliance (WSA) provides a variety of protections across the attack continuum before, during, and after an attack. Before an attack Cisco WSA uses web reputation filters to prevent client devices from accessing dangerous websites containing malware or phishing links and to block those that fall below a defined security threshold. -
Question 8 of 32
8. Question
1 pointsWhich security appliance passively monitors and analyzes network traffic for potential network intrusion attacks and logs the attacks for analysis?Correct
Incorrect
Hint
An intrusion detection system (IDS) is a system that passively monitors and analyzes network traffic for potential network intrusion attacks and logs the intrusion attack data for security analysis. -
Question 9 of 32
9. Question
1 pointsAccording to Gartner, Inc. what three capabilities must a next-generation firewall (NGFW) provide in addition to standard firewall features? (Choose three.)Correct
Incorrect
Hint
In addition to IPS functionality, Gartner Inc. states a next-generation firewall (NGFW) should include the following capabilities:- An integrated IPS
- Application-level inspection
- The ability to leverage external security intelligence to address evolving security threats
-
Question 10 of 32
10. Question
1 pointsQuestion as presented: Match the security platform to the description. (Not all options are used.)Correct
Incorrect
-
Question 11 of 32
11. Question
1 pointsWhich secure access solution can be implemented to authenticate endpoints that do not support 802.1x or MAB?Correct
Incorrect
Hint
Some endpoints that need access to the network may not have 802.1x supplicants and may not know the MAC address to perform MAB. This can be a problem for contractors or visitors that need internet access. In such cases web authentication can be implemented to present a user with web portal requesting a username and password. -
Question 12 of 32
12. Question
1 pointsWhich EAP method makes use of the Protected Extensible Authentication Protocol (PEAP)?Correct
Incorrect
Hint
PEAP is used in EAP tunneled TLS authentication methods. PEAP forms an encrypted TLS tunnel between the supplicant and the authentication server and uses an EAP authentication inner method to authenticate the supplicant through the outer PEAP TLS tunnel. -
Question 13 of 32
13. Question
1 pointsWhat message is sent every 30 seconds by the 802.1x authenticator to an endpoint to initiate the MAB authentication process?Correct
Incorrect
Hint
The authenticator initiates the 802.1x MAB authentication process by sending an EAPoL identity request message to the endpoint every 30 seconds to determine if it has a supplicant. -
Question 14 of 32
14. Question
1 pointsWhat are the three phases of TrustSec configuration? (Choose three.)Correct
Incorrect
Hint
TrustSec configuration occurs in three phases: Ingress classification – where SGT tags are assigned to users and resources Propagation – where mappings to the TrustSec devices are made based on SGT tags Egress enforcement – where policies are enforced at the egress point of the TrustSec network -
Question 15 of 32
15. Question
1 pointsWhich set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet?Correct
Incorrect
Hint
For an extended ACL to meet these requirements the following need to be included in the access control entries:identification number in the range 100-199 or 2000-2699 permit or deny parameter protocol source address and wildcard destination address and wildcard port number or name
-
Question 16 of 32
16. Question
1 pointsWhich three statements describe ACL processing of packets? (Choose three.)Correct
Incorrect
Hint
When packets are checked against an access list, each ACE in the access list is checked in sequence until a match is detected. At the end of all access lists is an implicit deny any ACE. Packets will be dropped or forwarded as directed by the matching ACE. -
Question 17 of 32
17. Question
1 pointsRefer to the exhibit. An ACL was configured on R1 with the intention of denying traffic from subnet 172.16.4.0/24 into subnet 172.16.3.0/24. All other traffic into subnet 172.16.3.0/24 should be permitted. This standard ACL was then applied outbound on interface G0/0/0. Which conclusion can be drawn from this configuration?Correct
Incorrect
Hint
Because of the implicit deny at the end of all ACLs, the access-list 1 permit any command must be included to ensure that only traffic from the 172.16.4.0/24 subnet is blocked and that all other traffic is allowed. -
Question 18 of 32
18. Question
1 pointsWhat are two limitations of PACLs? (Choose two.)Correct
Incorrect
Hint
PACLs have some limitations and restrictions. PACLs do not support filtering of outbound traffic on an interface and they do not support ACLs filtering IPv6. Also, PACLs do not support Layer 2 control packets like STP, CDP, or VTP and are only supported in hardware. -
Question 19 of 32
19. Question
1 pointsAn administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)Correct
Incorrect
Hint
There are three steps to configure SSH support on a Cisco router:- Step 1: Configure a hostname.
- Step 2: Configure a domain name.
- Step 3: Generate crypto keys.
-
Question 20 of 32
20. Question
1 pointsWhich command produces an encrypted password that is easily reversible?Correct
Incorrect
Hint
The service password-encryption command uses a Cisco proprietary Vignere cypher algorithm which is weak and easily reversible. The enable secret and the username secret commands encrypt passwords using the MD5 hashing algorithm and the username algorithm-type sha 256 command uses a SHA-256 hashed secret and is considered uncrackable. -
Question 21 of 32
21. Question
1 pointsWhich is the preferred method for securing device terminal lines?Correct
Incorrect
Hint
The preferred method for securing device terminal lines is to use an AAA server. Username-based authentication is recommended as a backup. Configuring a password directly on the line is not recommended. -
Question 22 of 32
22. Question
1 pointsWhat protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication?Correct
Incorrect
Hint
Encapsulation of EAP data between the authenticator and the authentication server is performed using RADIUS. -
Question 23 of 32
23. Question
1 pointsWhich statement describes a difference between RADIUS and TACACS+?Correct
Incorrect
Hint
TACACS+ uses TCP, encrypts the entire packet (not just the password), and separates authentication and authorization into two distinct processes. Both protocols are supported by the Cisco Secure ACS software. -
Question 24 of 32
24. Question
1 pointsWhat is a feature of a Cisco IOS Zone-Based Policy Firewall?Correct
Incorrect
Hint
The pass action allows traffic in only one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to a zone in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. An interface can belong to only one zone at a time. -
Question 25 of 32
25. Question
1 pointsWhich statement describes Cisco IOS Zone-Based Policy Firewall operation?Correct
Incorrect
Hint
The pass action allows traffic only in one direction. Interfaces automatically become members of the self zone. Interfaces are assigned to zones in interface configuration mode, but most configuration takes place in global configuration mode and associated submodes. Interfaces can belong to only one zone at any time. -
Question 26 of 32
26. Question
1 pointsWhat are two characteristics of the ZBFW default zone? (Choose two.)Correct
Incorrect
Hint
The default zone is a system-level zone. If an interface is not configured as part of another security zone, it is placed in the default zone automatically. Interfaces in different zones are not permitted to communicate by default. -
Question 27 of 32
27. Question
1 pointsWhat is the Control Plane Policing (CoPP) feature designed to accomplish?Correct
Incorrect
Hint
Control Plane Policing (CoPP) does not manage or disable any services. It does not direct traffic away from the route processor, but rather it prevents unnecessary traffic from getting to the route processor. -
Question 28 of 32
28. Question
1 pointsWhich command can be issued to protect a Cisco router from unauthorized automatic remote configuration?Correct
Incorrect
Hint
Service configuration allows Cisco devices to be configured automatically from remote devices using TFTP. By disabling this service with the no service config command, the threat of an unauthorized automatic device configuration can be mitigated. -
Question 29 of 32
29. Question
1 pointsWhich vulnerability can be mitigated by disabling CDP and LLDP on a Cisco device?Correct
Incorrect
Hint
Both CDP and LLDP are topology discovery tools and can advertise detailed information about a device. To prevent a Cisco device from sending CDP and LLDP packets onto the network, both protocols should be disabled. -
Question 30 of 32
30. Question
1 pointsWhich type of threat defense is provided by Cisco Umbrella?Correct
Incorrect
-
Question 31 of 32
31. Question
1 pointsWhich Cisco solution is used by Cisco Web Security Appliance to detect and correlate threats in real time?Correct
Incorrect
-
Question 32 of 32
32. Question
1 pointsRefer to the exhibit. Which two ACLs, if applied to the G0/1 interface of R2, would permit only the two LAN networks attached to R1 to access the network that connects to R2 G0/1 interface? (Choose two.)Correct
Incorrect
Hint
The permit 192.168.10.0 0.0.0.127 command ignores bit positions 1 through 7, which means that addresses 192.168.10.0 through 192.168.10.127 are allowed through. The two ACEs of permit 192.168.10.0 0.0.0.63 and permit 192.168.10.64 0.0.0.63 allow the same address range through the router.