https://www.newpassleader.com/Cisco/210-260-exam-preparation-materials.html
(312 Q&As Dumps, 30%OFF Special Discount: 30free)
NEW QUESTION NO: 4
What are two ways to prevent eavesdropping when you perform device-management tasks? (Choose two.)
A. Use an SSH connection.
B. Use SNMPv3.
C. Use out-of-band management.
D. Use SNMPv2.
E. Use in-band management.
Answer: A,B
Explanation/Reference:
Explanation:
To prevent eavesdropping during device management tasks, you can use SSH and SNMPv3 to get info on eavesdropping if any.
Reference: https://www.ietf.org/rfc/rfc5592.txt
NEW QUESTION NO: 5
Refer to the exhibit.
What is the effect of the given command sequence?
A. It configures IKE Phase 1.
B. It configures a site-to-site VPN tunnel.
C. It configures a crypto policy with a key size of 14400.
D. It configures IPSec Phase 2.
Answer: A
Explanation/Reference:
Explanation:
To create an IKE policy, enter the crypto ikev1 | ikev2 policy command from global configuration mode.
The prompt displays IKE policy configuration mode. For example:
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)#
After creating the policy, you can specify the settings for the policy.
Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/ asa_84_cli_config/vpn_ike.html
NEW QUESTION NO: 6
Which address block is reserved for locally assigned unique local addresses?
A. 2002::/16
B. FD00::/8
C. 2001::/32
D. FB00::/8
Answer: B
Explanation/Reference:
Explanation:
Using one of the common Unique Local IPv6 global prefix generators, the Acme corporate network was assigned the global prefix of 6D8D64AF0C; when pushed together with the common unique local locally assigned prefix (FD00::/8) the prefix expands to FD6D:8D64:AF0C::/48; this leaves Acme with an additional 16 bits of space to use for subnetting across their sites.
Reference: http://www.ciscopress.com/articles/article.asp?p=2154678&seqNum=2
NEW QUESTION NO: 7
Which type of mirroring does SPAN technology perform?
A. Remote mirroring over Layer 2
B. Remote mirroring over Layer 3
C. Local mirroring over Layer 2
D. Local mirroring over Layer 3
Answer: C
Explanation/Reference:
Explanation:
The traffic for each RSPAN session is carried as Layer 2 nonroutable traffic over a user-specified RSPAN VLAN that is dedicated for that RSPAN session in all participating switches. All participating switches must be trunk-connected at Layer 2.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/ guide/book/span.html
https://www.newpassleader.com/Cisco/210-260-exam-preparation-materials.html
What is a possible reason for the error message?Router(config)#aaa server?% Unrecognized command
A. The command syntax requires a space after the word "server"
B. The command is invalid on the target device
C. The router is already running the latest operating system
D. The router is a new device on which the aaa new-model command must be applied before continuing
Answer: D
Explanation/Reference:
Explanation:
It means that the router is a new device on which aaa new model command must be applied before inducting it into the system.
Reference: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access- control-system-tacacs-/10384-security.html
NEW QUESTION NO: 9
Which sensor mode can deny attackers inline?
A. IPS
B. fail-close
C. IDS
D. fail-open
Answer: A
Explanation/Reference:
Explanation:
You can configure certain aspects of the deny attackers inline event action. You can configure the number of seconds you want to deny attackers inline and you can limit the number of attackers you want denied in the system at any one time.
Reference: http://www.cisco.com/c/en/us/td/docs/security/ips/5-1/configuration/guide/cli/cliguide/ cliEvAct.html
NEW QUESTION NO: 10
Which options are filtering options used to display SDEE message types? (Choose two.)
A. stop
B. none
C. error
D. all
Answer: C,D
Explanation/Reference:
Explanation:
Secure Device Event Exchange (SDEE) messages report on the progress of Cisco IOS IPS initialization and operation. Click to display the Edit IPS: SDEE Messages window, where you can review SDEE messages and filter them to display only error, status, or alert messages.
Reference: http://www.cisco.com/c/en/us/td/docs/routers/access/
cisco_router_and_security_device_manager/24/software/user/guide/IPS.html
NEW QUESTION NO: 11
What is the best way to confirm that AAA authentication is working properly?
A. Use the test aaa command.
B. Ping the NAS to confirm connectivity.
C. Use the Cisco-recommended configuration for AAA authentication.
D. Log into and out of the router, and then check the NAS authentication log.
Answer: A
Explanation/Reference:
To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server or to manually test load-balancing server status, use the test aaa group command in privileged EXEC mode.
Reference: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec- s1-xe-3se-3850-cr-book_chapter_0101.html#wp1375904793
NEW QUESTION NO: 12
What type of packet creates and performs network operations on a network device?
A. control plane packets
B. data plane packets
C. management plane packets
D. services plane packets
Answer: A
Explanation/Reference:
Explanation:
Under normal network operating conditions, the vast majority of packets handled by network devices are data plane packets. These packets are handled in the fast path. Network devices are optimized to handle these fast path packets efficiently. Typically, considerably fewer control and management plane packets are required to create and operate IP networks. Thus, the punt path and route processor are significantly less capable of handling the kinds of packets rates experienced in the fast path since they are never directly involved in the forwarding of data plane packets
Reference: http://www.cisco.com/c/en/us/about/security-center/copp-best-practices.html
NEW QUESTION NO: 13
What are two default Cisco IOS privilege levels? (Choose two.)
A. 0
B. 1
C. 5
D. 7
E. 10
F. 15
Answer: B,F
Explanation/Reference:
Explanation:
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands:
user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.
Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/ scfpass.html#wp1001016
NEW QUESTION NO: 14
What features can protect the data plane? (Choose three.)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
Answer: B,D,F
Explanation/Reference:
Explanation:
Data plane security can be implemented using the following features:
Access control lists
Access control lists (ACLs) perform packet filtering to control which packets move through the network and where.
Antispoofing
ACLs can be used as an antispoofing mechanism that discards traffic that has an invalid source address.
Layer 2 security features
Cisco Catalyst switches have integrated features to help secure the Layer 2 infrastructure.
Reference: http://www.ciscopress.com/articles/article.asp?p=1924983&seqNum=5
https://www.newpassleader.com/Cisco/210-260-exam-preparation-materials.html
NEW QUESTION NO: 15
What type of attack was the Stuxnet virus?
A. cyber warfare
B. hacktivism
C. botnet
D. social engineering
Answer: A
Explanation/Reference:
Explanation:
Stuxnet virus is part of cyber warfare unleashed by governments to hinder their opponents computer systems and steal vital information.
Reference: https://en.wikipedia.org/wiki/Stuxnet
NEW QUESTION NO: 16
Which Sourcefire event action should you choose if you want to block only malicious traffic from a particular end user?
A. Allow with inspection
B. Allow without inspection
C. Block
D. Trust
E. Monitor
Answer: A
Explanation/Reference:
Explanation:
Choose allow with inspection to block only malicious traffic from a specific end user.
Reference: https://popravak.wordpress.com/2015/05/20/sourcefire-access-control-policies-part-two/
NEW QUESTION NO: 17
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?
A. root guard
B. EtherChannel guard
C. loop guard
D. BPDU guard
Answer: A
Explanation/Reference:
Explanation:
The root guard feature protects the network against such issues.
The configuration of root guard is on a per-port basis. Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a better BPDU arrives on this port, root guard does not take the BPDU into account and elect a new STP root. Instead, root guard puts the port into the root- inconsistent STP state. You must enable root guard on all ports where the root bridge should not appear.
In a way, you can configure a perimeter around the part of the network where the STP root is able to be located.
In the following figure, enable root guard on the Switch C port that connects to Switch D.
Switch C in figure below blocks the port that connects to Switch D, after the switch receives a superior BPDU. Root guard puts the port in the root-inconsistent STP state. No traffic passes through the port in this state. After device D ceases to send superior BPDUs, the port is unblocked again. Via STP, the port goes from the listening state to the learning state, and eventually transitions to the forwarding state.
Recovery is automatic; no human intervention is necessary.
This message appears after root guard blocks a port:
%SPANTREE-2-ROOTGUARDBLOCK: Port 1/1 tried to become non-designated in VLAN 77.
Moved to root-inconsistent state
Reference: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html
NEW QUESTION NO: 18
What is the transition order of STP states on a Layer 2 switch interface?
A. listening, learning, blocking, forwarding, disabled
B. listening, blocking, learning, forwarding, disabled
C. blocking, listening, learning, forwarding, disabled
D. forwarding, listening, learning, blocking, disabled
Answer: C
Explanation/Reference:
Explanation:
Each interface on a access point using spanning tree exists in one of these states:
Blocking-The interface does not participate in frame forwarding.
Listening-The first transitional state after the blocking state when the spanning tree determines that
the interface should participate in frame forwarding.
Learning-The interface prepares to participate in frame forwarding.
Forwarding-The interface forwards frames.
Disabled-The interface is not participating in spanning tree because of a shutdown port, no link on the
port, or no spanning-tree instance running on the port.
Reference: http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-3_7_JA/configuration/guide/ i1237sc/s37span.html#wp1040509
NEW QUESTION NO: 19
Which FirePOWER preprocessor engine is used to prevent SYN attacks?
A. Rate-Based Prevention
B. Portscan Detection
C. IP Defragmentation
D. Inline Normalization
Answer: A
Explanation/Reference:
Explanation:
The detection_filter keyword and the thresholding and suppression features provide other ways to filter either the traffic itself or the events that the system generates. You can use rate-based attack prevention alone or in any combination with thresholding, suppression, or the detection_filter keyword to prevent SYN attacks.
Reference: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa- firepower-module-user-guide-v541/Intrusion-Threat-Detection.html#10682
NEW QUESTION NO: 20
Which network device does NTP authenticate?
A. Only the time source
B. Only the client device
C. The firewall and the client device
D. The client device and the time source
Answer: A
Explanation/Reference:
Explanation:
NTP authentication, the device synchronizes to a time source only if the source carries one of the authentication keys specified by the ntp trusted-key command. The device drops any packets that fail the authentication check and prevents them from updating the local clock. NTP authentication is disabled by default.
Reference: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/system_management/ configuration/guide/sm_nx_os_cg/sm_3ntp.html#wp1100303
https://www.newpassleader.com/Cisco/210-260-exam-preparation-materials.html