QUESTION 1
Which three security features were introduced with the SNMPv3 protocol? (Choose three.)
A. Message integrity, which ensures that a packet has not been tampered with in-transit
B. DoS prevention, which ensures that the device cannot be impacted by SNMP buffer overflow
C. Authentication, which ensures that the message is from a valid source
D. Authorization, which allows access to certain data sections for certain authorized users
E. Digital certificates, which ensure nonrepudiation of authentications
F. Encryption of the packet to prevent it from being seen by an unauthorized source
QUESTION 2
Which four techniques can you use for IP management plane security? (Choose four.)
A. Management Plane Protection
B. uRPF
C. strong passwords
D. RBAC
E. SNMP security measures
F. MD5 authentication
QUESTION 3
Which three statements are true about PIM-SM operations? (Choose three.)
A. PIM-SM supports RP configuration using static RP, Auto-RP, or BSR.
B. PIM-SM uses a shared tree that is rooted at the multicast source.
C. Different RPs can be configured for different multicast groups to increase RP scalability.
D. Candidate RPs and RP mapping agents are configured to enable Auto-RP.
E. PIM-SM uses the implicit join model.
QUESTION 4
Which three options are security measures that are defined for Mobile IPv6? (Choose three.)
A. IPsec SAs are used for binding updates and acknowledgements.
B. The use of IKEv1 or IKEv2 is mandatory for connections between the home agent and mobile node.
C. Mobile nodes and the home agents must support ESP in transport mode with non-NULL payload authentication.
D. Mobile IPv6 control messages are protected by SHA-2.
E. IPsec SAs are used to protect dynamic home agent address discovery.
F. IPsec SAs can be used to protect mobile prefix solicitations and advertisements.
QUESTION 5
Which three statements are true about DES? (Choose three.)
A. A 56-bit key is used to encrypt 56-bit blocks of plaintext.
B. A 56-bit key is used to encrypt -bit blocks of plaintext.
C. Each block of plaintext is processed through 16 rounds of identical operations.
D. Each block of plaintext is processed through rounds of identical operations.
E. ECB, CBC, and CBF are modes of DES.
F. Each block of plaintext is processed through 8 rounds of identical operations.
G. CTR, CBC, and OFB are modes of DES.
QUESTION 6
Comparing and contrasting IKEv1 and IKEv2, which three statements are true? (Choose three.)
A. IKEv2 adds EAP as a method of authentication for clients; IKEv1 does not use EAP.
B. IKEv1 and IKEv2 endpoints indicate support for NAT-T via the vendor_ID payload.
C. IKEv2 and IKEv1 always ensure protection of the identities of the peers during the negotiation process.
D. IKEv2 provides user authentication via the IKE_AUTH exchange; IKEv1 uses the XAUTH exchange.
E. IKEv1 and IKEv2 both use INITIAL_CONTACT to synchronize SAs.
F. IKEv1 supports config mode via the SET/ACK and REQUEST/RESPONSE methods; IKEv2 supports only REQUEST/RESPONSE.
QUESTION 7
Which three nonproprietary EAP methods do not require the use of a client-side certificate for mutual authentication? (Choose three.)
A. LEAP
B. EAP-TLS
C. PEAP
D. EAP-TTLS
E. EAP-FAST
QUESTION 8
When you compare WEP to WPA (not WPA2), which three protections are gained? (Choose three.)
A. a message integrity check
B. AES-based encryption
C. avoidance of weak initialization vectors
D. longer RC4 keys
E. a rekeying mechanism
QUESTION 9
Which three configuration tasks are required for VPN clustering of AnyConnect clients that are connecting to an FQDN on the Cisco ASA? (Choose three.)
A. The redirect-fqdn command must be entered under the load-balancing sub-configuration.
B. Each ASA in the VPN cluster must be able to resolve the IP of all DNS hostnames that are used in the cluster.
C. The identification and CA certificates for the master FQDN hostname must be imported into each VPN cluster-member device.
D. The remote-access IP pools must be configured the same on each VPN cluster-member interface.
QUESTION 10
Which three statements are true about objects and object groups on a Cisco ASA appliance that is running Software Version 8.4 or later? (Choose three.)
A. TCP, UDP, ICMP, and ICMPv6 are supported service object protocol types.
B. IPv6 object nesting is supported.
C. Network objects support IPv4 and IPv6 addresses.
D. Objects are not supported in transparent mode.
E. Objects are supported in single- and multiple-context firewall modes.
QUESTION 11
Which two options best describe the authorization process as it relates to network access? (Choose two.)
A. the process of identifying the validity of a certificate, and validating specific fields in the certificate against an identity store
B. the process of providing network access to the end user
C. applying enforcement controls, such as downloadable ACLs and VLAN assignment, to the network access session of a user
D. the process of validating the provided credentials
QUESTION 12
Which two methods are used for forwarding traffic to the Cisco ScanSafe Web Security service? (Choose two.)
A. Cisco AnyConnect VPN Client with Web Security and ScanSafe subscription
B. Cisco ISR G2 Router with SECK9 and ScanSafe subscription
C. Cisco ASA adaptive security appliance using DNAT policies to forward traffic to ScanSafe subscription servers
D. Cisco Web Security Appliance with ScanSafe subscription
QUESTION 13
Which four statements about SeND for IPv6 are correct? (Choose four.)
A. It protects against rogue RAs.
B. NDP exchanges are protected by IPsec SAs and provide for anti-replay.
C. It defines secure extensions for NDP.
D. It authorizes routers to advertise certain prefixes.
E. It provides a method for secure default router election on hosts.
F. Neighbor identity protection is provided by Cryptographically Generated Addresses that are derived from a Diffie-Hellman key exchange.
G. It is facilitated by the Certification Path Request and Certification Path Response ND messages.
QUESTION 14
Which three statements about NetFlow version 9 are correct? (Choose three.)
A. It is backward-compatible with versions 8 and 5.
B. Version 9 is dependent on the underlying transport; only UDP is supported.
C. A version 9 export packet consists of a packet header and flow sets.
D. Generating and maintaining valid template flow sets requires additional processing.
E. NetFlow version 9 does not access the NetFlow cache entry directly.
QUESTION 15
Which three statements about VXLANs are true? (Choose three.)
A. It requires that IP protocol 8472 be opened to allow traffic through a firewall.
B. Layer 2 frames are encapsulated in IP, using a VXLAN ID to identify the source VM.
C. A VXLAN gateway maps VXLAN IDs to VLAN IDs.
D. IGMP join messages are sent by new VMs to determine the VXLAN multicast IP.
E. A VXLAN ID is a 32-bit value.
QUESTION 16
Which multicast routing mechanism is optimal to support many-to-many multicast applications?
A. PIM-SM
B. MOSPF
C. DVMRP
D. BIDIR-PIM
E. MSDP
QUESTION 17
Which technology, configured on the Cisco ASA, allows Active Directory authentication credentials to be applied automatically to web forms that require authentication for clientless SSL connections?
A. one-time passwords
B. certificate authentication
C. user credentials obtained during authentication
D. Kerberos authentication
QUESTION 18
When implementing WLAN security, what are three benefits of using the TKIP instead of WEP? (Choose three.)
A. TKIP uses an advanced encryption scheme based on AES.
B. TKIP provides authentication and integrity checking using CBC-MAC.
C. TKIP provides per-packet keying and a rekeying mechanism.
D. TKIP provides message integrity check.
E. TKIP reduces WEP vulnerabilities by using a different hardware encryption chipset.
F. TKIP uses a 48-bit initialization vector.
QUESTION 19
Which two statements about SHA are correct? (Choose two.)
A. Five 32-bit variables are applied to the message to produce the 160-bit hash.
B. The message is split into -bit blocks for processing.
C. The message is split into 512-bit blocks for processing.
D. SHA-2 and MD5 both consist of four rounds of processing.
QUESTION 20
Which three statements about LDAP are true? (Choose three.)
A. LDAP uses UDP port 3 by default.
B. LDAP is defined in terms of ASN.1 and transmitted using BER.
C. LDAP is used for accessing X.500 directory services.
D. An LDAP directory entry is uniquely identified by its DN.
E. A secure connection via TLS is established via the UseTLS operation.
QUESTION 21
Which two EAP methods may be susceptible to offline dictionary attacks? (Choose two.)
A. EAP-MD5
B. LEAP
C. PEAP with MS-CHAPv2
D. EAP-FAST
QUESTION 22
Which three attributes may be configured as part of the Common Tasks panel of an authorization profile in the Cisco ISE solution? (Choose three.)
A. VLAN
B. voice VLAN
C. dACL name
D. voice domain permission
E. SGT
QUESTION 23
Which two statements describe the Cisco TrustSec system correctly? (Choose two.)
A. The Cisco TrustSec system is a partner program, where Cisco certifies third-party security products as extensions to the secure infrastructure.
B. The Cisco TrustSec system is an approach to certifying multimedia and collaboration applications as secure.
C. The Cisco TrustSec system is an Advanced Network Access Control System that leverages enforcement intelligence in the network infrastructure.
D. The Cisco TrustSec system tests and certifies all products and product versions that make up the system as working together in a validated manner.
QUESTION 24
Which option is the correct definition for MAB?
A. MAB is the process of checking the mac-address-table on the local switch for the sticky address. If the mac-address of the device attempting to access the network matches the configured sticky address, it will be permitted to bypass 802.1X authentication.
B. MAB is a process where the switch will send an authentication request on behalf of the endpoint that is attempting to access the network, using the mac-address of the device as the credentials. The authentication server evaluates that MAC address against a list of devices permitted to access the network without a stronger authentication.
C. MAB is a process where the switch will check a local list of MAC addresses to identify systems that are permitted network access without using 802.1X.
D. MAB is a process where the supplicant on the endpoint is configured to send the MAC address of the endpoint as its credentials.
QUESTION 25
Which three statements are true about the Cisco NAC Appliance solution? (Choose three.)
A. In a Layer 3 OOB ACL deployment of the Cisco NAC Appliance, the discovery host must be configured as the untrusted IP address of the Cisco NAC Appliance Server.
B. In a Cisco NAC Appliance deployment, the discovery host must be configured on a Cisco router using the "NAC discovery-host" global configuration command.
C. In a VRF-style OOB deployment of the Cisco NAC Appliance, the discovery host may be the IP address that is on the trusted side of the Cisco NAC Appliance Server.
D. In a Layer 3 IB deployment of the Cisco NAC Appliance, the discovery host may be configured as the IP address of the Cisco NAC Appliance Manager.
QUESTION 26
Which QoS marking is only locally significant on a Cisco router?
A. MPLS EXP
B. DSCP
C. QoS group
D. IP precedence
E. traffic class
F. flow label
QUESTION 27
Which three control plane subinterfaces are available when implementing Cisco IOS Control Plane Protection? (Choose three.)
A. CPU
B. host
C. fast-cache
D. transit
E. CEF-exception
F. management
1. ACF 2. ACDE 3. ACD 4. ACF 5. BCE 6. ADE 7. CDE 8. ACE 9. ABC 10. ACE 11. BC 12. BC 13. ACDE 14. CDE 15. BCD 16. D 17. C 18. CDF 19. AC 20. BCD 21. AB 22. ACD 23. CD 24. B 25. ACD 26. C 27. BDE