You are on page 1of 20

QUESTION 1 Referring to CIA (confidentiality,Integrity and Availability), where would a hash-only make

more sense.
A. Data on File
B. Data at Rest
C. ...
D. ...
Correct Answer: B
Section: (none) Explanation
Explanation/Reference: Confidentiality
Confidentiality ensures that data is only viewable by authorized users. In other words, the goal of
confidentiality is to prevent the unauthorized disclosure of information. Loss of confidentiality indicates that
unauthorized users have been able to access information.
If there is a risk of sensitive data falling into the wrong hands, it should be encrypted to make it unreadable.
This includes encrypting data at rest and data in motion. Data at rest is any data stored as a file on a hard
drive, mobile device, or even a USB flash drive. Data in motion is any data traveling over a network. AES
is the most common symmetric encryption protocol used to encrypt data at rest. SSH, IPsec, SSL, and TLS
are some common encryption protocols used to encrypt data in motion.
Additionally, data should be protected with access controls to enforce confidentiality.

QUESTION 2 Phishing method on the phone.

B. vishing
C. phishing
D. mishing
Correct Answer: B
Section: (none) Explanation

QUESTION 3 At which Layer Data Center Operate?

A. ….
B. Data Center
C. ...
D. ...
Correct Answer: B
Section: (none) Explanation

QUESTION 4 How can you stop reconnaissance attack with cdp? In order to protect the switch from
reconnaissance attack when using CDP?
A. ….
B. Disable CDP on ports connected to end points (or Disable CPD on edfe ports)
C. Disable CDP on trunk ports
D. ...
Correct Answer: B
Section: (none) Explanation

QUESTION 5 which Firepower Management Center feature detects and blocks exploits and hack

A. content blocker
B. AMP - Advance Malware Protection
C. file control
D. intrusion prevention
Correct Answer: B
Section: (none) Explanation

QUESTION 6 What ips feature that is less secure among than the other option permit a better
throughput ?
A. …..
B. ...
C. Promiscuous
D. ...
Correct Answer: C
Section: (none) Explanation

QUESTION 7 To confirm that AAA authentication working.

A. Use the test aaa command.
B. Ping the NAS to confirm connectivity.
C. Use the Cisco-recommended configuration for AAA authentication.
D. Log into and out of the router, and then check the NAS authentication log.
Correct Answer: A
Section: (none) Explanation

QUESTION 8 Zone based firewall

B. zones must be made before applying interfaces.
C. enable zones first
D. ...
Correct Answer: B-C
Section: (none) Explanation

QUESTION 9 Which ports need to be active for AAA server to integrate with Microsoft AD
A. 445 & 8080
B. 443 & 389
C. 445 & 389
D. ... 443 & 8080
Correct Answer: C
Section: (none) Explanation

QUESTION 10 What does the command crypto isakmp nat-traversal do?

B. Enables udp port 4500 on all IPsec enabled interfaces
C. ...
D. ...
Correct Answer: B
Section: (none) Explanation

QUESTION 11 Why ipsec tunnel is not working?

A. …
B. because the ASA can’t receive packets from remote endpoint
C. ...
D. ...
Correct Answer: B
Section: (none) Explanation
QUESTION 12 What data is transferred during DH for making pub/prive key (something similar) - What
known number/sequence something like that) starts off the key
A. Prime Integer
B. Random number
C. ...
D. ...
Correct Answer: B
Section: (none) Explanation
Explanation/Reference: Si parla di scelta del Secret Random Number da parte degli interlocutori che
dovranno scambiarsi le chiavi pubbliche.

QUESTION 13 Dos attack difficult to discover

A. Syn-flood attack
B. Peer-to-peer attacks
C. Low-rate dos attack
D. Trojan
Correct Answer: C
Section: (none) Explanation
QUESTION 14 Protocols supported in contest aware VRF over VRF lite? (2 choices)
B. Multicast
Correct Answer: AB
Section: (none) Explanation

question about show crypto isakmp sa ?
B. Remote peer was not able to encrypt the packet
C. ...
D. ...
Correct Answer: B
Section: (none) Explanation

what are the quantifiable things you would verify before introducing new technology in your
A. exploit
B. risk
C. vulnerability
D. virus
Correct Answer: B
Section: (none) Explanation
QUESTION 17 Which is a key security component of MDM deployment?
A. Using network-specific installer package
B. Using self-signed certificates to validate the server - generate self-signed certificate to connect to server
(Deployed certificates ;Issued certificate to the server likely)
C. Using application tunnel
D. Using MS-CHAPv2 as primary EAP method
Correct Answer: B
Section: (none) Explanation

What causes a client to be placed in a guest or restriced VLAN on an 802.1x enabled network.
A. client entered wrong credentials multiple times. When user failed to authenticate after certain number of
B. When 802.1X is not globally enabled on the Cisco catalyst switch
C. When AAA new-model is enabled
D. ...
Correct Answer: A
Section: (none) Explanation
Explanation/Reference: Replica della Q246
Il sito vceguide riporta come risposta esatta
"When 802.1X is not globally enabled on the Cisco catalyst switch"

QUESTION 19 Self zone (2 option)?

A. can be source or destination zone.
B. can be use stateful filtering during multicast.
C. all interfaces wil be used for self zone
D. ...
Correct Answer: AC
Section: (none) Explanation

QUESTION 20 Which IDS/IPS is used for monitoring system and something ?

B. ...
C. ...
D. ...
Correct Answer: A
Section: (none) Explanation

QUESTION 21 Which two ESP fields can be encrypted during transmission? (Choose Two.)
A. Padding
B. Sequence Number
C. Pad Length
D. Security Parameter Index
E. MAC Address
F. Next Header

The packet begins with two 4-byte fields (Security Parameters Index (SPI) and Sequence Number).
Following these fields is the Payload Data, which has substructure that depends on the choice of encryption
algorithm and mode, and on the use of TFC padding, which is examined in more detail later. Following the
Payload Data are Padding and Pad Length fields, and the Next Header field. The optional Integrity Check
Value (ICV) field completes the packet.

QUESTION 22 Which two statements describe DHCP spoofing attacks? (Choose Two.)
A. They can modify the flow of traffic in transit
B. They can access most network devices
C. They can physically modify the network gateway.
D. They are used to perform man-in-the-middle attacks
E. They protect the identity of the attacker by masking the DHCP address.
F. They use ARP poisoning.
DHCP spoofing occurs when an attacker attempts to respond to DHCP requests and trying to list themselves
(spoofs) as the default gateway or DNS server, hence, initiating a man in the middle attack. With that, it is
possible that they can intercept traffic from users before forwarding to the real gateway or perform DoS by
flooding the real DHCP server with request to choke ip address resources.

QUESTION 23 which of the Diffie-Hellman group are support by cisco VPN Product (Choose all that
A Group1
B Group2
C Group3
D Group5
E Group7
F Group8
G Group9
Answer: A-B-D-E

QUESTION 24 what type of Diffie-Hellman group would you expect to be utiliazed on a wireless device?
A Group4
B Group7
C Group5
D Group3

QUESTION 25 which of the following are IKE modes? (choose all and apply)
A Main Mode
B Fast Mode
C Aggressive Mode
D Quick Mode
E Diffie-Hellman Mode

QUESTION 26: Unicast Reverse Path Forwarding definition:

Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is enabled
an interface, as packets enter that interface the router spends an extra moment considering the source
of the packet. It then considers its own routing table, and if the routing table does not agree that the interface
that just received this packet is also the best egress interface to use for forwarding to the source address of
packet, it then denies the packet.
This is a good way to limit IP spoofing.
QUESTION 27: Man-in-the-middle attack definition:
Man-in-the-middle attacks: Someone or something is between the two devices who believe they are
communicating directly with each other. The “man in the middle” may be eavesdropping or actively changing
the data that is being sent between the two parties. You can prevent this by implementing Layer 2 dynamic
ARP inspection (DAI) and Spanning Tree Protocol (STP) guards to protect spanning tree. You can
implement it
at Layer 3 by using routing protocol authentication. Authentication of peers in a VPN is also a method of
preventing this type of attack.

QUESTION 28: The NAT traversal definition:

NAT-T (NAT Traversal)
If both peers support NAT-T, and if they detect that they are connecting to each other through a Network
Address Translation (NAT) device (translation is happening), they may negotiate that they want to put a fake
UDP port 4500 header on each IPsec packet (before the ESP header) to survive a NAT device that
may have a problem tracking an ESP session (Layer 4 protocol 50).

QUESTION 29: Refer to the exhibit.

While troubleshooting … VPN, you issued the show crypto ipsec sa command.Why ipsec tunnel is not
local ident (addr/mask/prot/port): …
remote ident (addr/mask/prot/port): …
current_peer: x.x.x.x
#pkts encaps: 7065, #pkts encrypt: 7065, #pkts digest: 7065
#pkts decaps: x (I can’t remember if it was 0),#pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: x.x.x.x remote crypto endpt.: y.y.y.y
A. because the ASA can’t receive packets from remote endpoint
B. the peers are not on the same network subnet
C. udp port 500 it’s blocked (or something similar)
D. …

Which option is the resulting action in a zone-based policy firewall configuration with these conditions? A. no i

A. no impact to zoning or policy

B. no policy lookup (pass)
C. drop
D. apply default policy
Correct Answer: C
Section: (none)
Explanation: pol-fw.html

What is a benefit of a web application firewall?
A. It blocks known vulnerabilities without patching applications.
B. It simplifies troubleshooting.
C. It accelerates web traffic.
D. It supports all networking protocols.
Correct Answer: A
Section: (none)

Which two characteristics of the TACACS+ protocol are true? (Choose two.)
A. uses UDP ports 1645 or 1812
B. separates AAA functions
C. encrypts the body of every packet
D. offers extensive accounting capabilities
E. is an open RFC standard protocol
Correct Answer: BC
Section: (none)

You are the security administrator for a large enterprise network with many remote locations. You have been
given the assignment to deploy a Cisco IPS solution.
Where in the network would be the best place to deploy Cisco IOS IPS?
A. Inside the firewall of the corporate headquarters Internet connection
B. At the entry point into the data center
C. Outside the firewall of the corporate headquarters Internet connection
D. At remote branch offices
Correct Answer: D
Section: (none)
Refer to the exhibit. Which statement about this output is true?

A. The user logged into the router with the incorrect username and password.
B. The login failed because there was no default enable password.
C. The login failed because the password entered was incorrect.
D. The user logged in and was given privilege level 15.
Correct Answer: C
Section: (none)

Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)
A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
B. authenticating administrator access to the router console port, auxiliary port, and vty ports
C. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificates
D. tracking Cisco NetFlow accounting statistics
E. securing the router by locking down all unused services
F. performing router commands authorization using TACACS+
Correct Answer: ABF
Section: (none)
Explanation: l
Need for AAA Services
Security for user access to the network and the ability to dynamically define a user's profile to gain access to
network resources has a legacy dating back to
asynchronous dial access. AAA network security services provide the primary framework through which a
network administrator can set up access control on
network points of entry or network access servers, which is usually the function of a router or access server.
Authentication identifies a user; authorization determines what that user can do; and accounting monitors the
network usage time for billing purposes. AAA
information is typically stored in an external database or remote server such as RADIUS or TACACS+.
The information can also be stored locally on the access server or router. Remote security servers, such as
RADIUS and TACACS+, assign users specific
privileges by associating attribute-value (AV) pairs, which define the access rights with the appropriate user.
All authorization methods must be defined through

On Cisco ISR routers, for what purpose is the public encryption key used?
A. used for SSH server/client authentication and encryption
B. used to verify the digital signature of the IPS signature file
C. used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate
the ISR when accessing it using Cisco Configuration
D. used to enable asymmetric encryption on IPsec and SSL VPNs
E. used during the DH exchanges on IPsec VPNs
Correct Answer: B
Section: (none)

Which aaa accounting command is used to enable logging of the start and stop records for user terminal
sessions on the router?
A. aaa accounting network start-stop tacacs+
B. aaa accounting system start-stop tacacs+
C. aaa accounting exec start-stop tacacs+
D. aaa accounting connection start-stop tacacs+
E. aaa accounting commands 15 start-stop tacacs+
Correct Answer: C
Refer to the below. Which statement about this debug output is true?

A. The requesting authentication request came from username GETUSER.

B. The TACACS+ authentication request came from a valid user.
C. The TACACS+ authentication request passed, but for some reason the user's connection was closed
D. The initiating connection request was being spoofed by a different source address.
Correct Answer: B

Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router?
(Choose two.)
A. syslog
Correct Answer: BF
Section: (none)
Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip any, what would be the resulting dynamically
configured ACL for the return traffic on the outside ACL?

A. permit tcp host eq 80 host eq 2300

B. permit ip eq 80 eq 2300
C. permit tcp any eq 80 host eq 2300
D. permit ip host eq 80 host eq 2300
Correct Answer: A
Section: (none)

Which two options are advantages of an application layer firewall? (Choose two.)
A. provides high-performance filtering
B. makes DoS attacks difficult
C. supports a large number of applications
D. authenticates devices
E. authenticates individuals
Correct Answer: BE
Section: (none)

With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the router
when some of the router interfaces are assigned to a
zone? (Choose three.)
A. traffic flowing between a zone member interface and any interface that is not a zone member
B. traffic flowing to and from the router interfaces (the self zone)
C. traffic flowing among the interfaces that are members of the same zone
D. traffic flowing among the interfaces that are not assigned to any zone
E. traffic flowing between a zone member interface and another interface that belongs in a different zone
F. traffic flowing to the zone member interface that is returned traffic
Correct Answer: BCD

Which statement is a benefit of using Cisco IOS IPS?
A. It uses the underlying routing infrastructure to provide an additional layer of security.
B. It works in passive mode so as not to impact traffic flow.
C. It supports the complete signature database as a Cisco IPS sensor appliance.
D. The signature database is tied closely with the Cisco IOS image.
Correct Answer: A
Section: (none)

When AAA login authentication is configured on Cisco routers, which two authentication methods should be
used as the final method to ensure that the
administrator can still log in to the router in case the external AAA server fails? (Choose two.)
A. group RADIUS
B. group TACACS+
C. local
D. krb5
E. enable
F. if-authenticated
Correct Answer: CE

What are two challenges faced when deploying host-level IPS? (Choose Two)
A. The deployment must support multiple operating systems.
B. It does not provide protection for offsite computers.
C. It is unable to provide a complete network picture of an attack.
D. It is unable to determine the outcome of every attack that it detects.
E. It is unable to detect fragmentation attacks.
Correct Answer: AB

Which option is a characteristic of the RADIUS protocol?
A. uses TCP
B. offers multiprotocol support
C. combines authentication and authorization in one process
D. supports bi-directional challenge
Correct Answer: C
Section: (none)

Which statement about zone-based firewall configuration is true?
A. Traffic is implicitly denied by default between interfaces the same zone
B. Traffic that is desired to or sourced from the self-zone is denied by default
C. The zone must be configured before a can be assigned
D. You can assign an interface to more than one interface
Correct Answer: C
Section: (none)

Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?
A. nested object-class
B. class-map
C. extended wildcard matching
D. object groups
Correct Answer: D
Section: (none)
A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a
security level of 100. The second interface is the DMZ
interface with a security level of 50. The third interface is the outside interface with a security level of 0.
By default, without any access list configured, which five types of traffic are permitted? (Choose five.)
A. outbound traffic initiated from the inside to the DMZ
B. outbound traffic initiated from the DMZ to the outside
C. outbound traffic initiated from the inside to the outside
D. inbound traffic initiated from the outside to the DMZ
E. inbound traffic initiated from the outside to the inside
F. inbound traffic initiated from the DMZ to the inside
G. HTTP return traffic originating from the inside network and returning via the outside interface
H. HTTP return traffic originating from the inside network and returning via the DMZ interface
I. HTTP return traffic originating from the DMZ network and returning via the inside interface
J. HTTP return traffic originating from the outside network and returning via the inside interface
Correct Answer: ABCGH
Section: (none)

Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration Professional
IPS wizard? (Choose four.)
A. Select the interface(s) to apply the IPS rule.
B. Select the traffic flow direction that should be applied by the IPS rule.
C. Add or remove IPS alerts actions based on the risk rating.
D. Specify the signature file and the Cisco public key.
E. Select the IPS bypass mode (fail-open or fail-close).
F. Specify the configuration location and select the category of signatures to be applied to the selected
Correct Answer: ABDF
I got 65 questions.
*ASDM simulation 4MCQ completely different the answers on EKE. You have to search the correct answer
but is easier if you know how to interact with the ASDM.
*ASDM lab like EKE. NAT+ACL
*2 Drag and Drop with hashing and encryption technologies obsoletes and legacy
Ex: DES- Avoid
MD5- Avoid
Algorithm Operation Status Alternative QCR1 Mitigation

DES Encryption Avoid AES — —

3DES Encryption Legacy AES — Short key lifetime

RC4 Encryption Avoid AES — —

AES-CBC mode Encryption Acceptable AES-GCM ✓ (256-bit) —

AES-GCM mode Authenticated encryption NGE2 — ✓ (256-bit) —

DH-768, -1024 Key exchange Avoid DH-3072 (Group 15) — —

RSA-768, -1024 Encryption RSA-3072 — —

DSA-768, -1024 DSA-3072

Authentication — —

DH-2048 Key exchange Acceptable ECDH-256 — —

RSA-2048 Encryption — — —

DSA-2048 ECDSA-256
Authentication — —

DH-3072 Key exchange Acceptable ECDH-256 — —

RSA-3072 Encryption — — —

DSA-3072 Authentication ECDSA-256 — —

MD5 Integrity Avoid SHA-256 — —

SHA-1 Integrity Legacy SHA-256 — —

SHA-256 Integrity NGE SHA-384 — —

SHA-384 — ✓ —

SHA-512 — ✓ —

HMAC-MD5 Integrity Legacy HMAC-SHA-256 — Short key lifetime

HMAC-SHA-1 Integrity Acceptable HMAC-SHA-256 — —

HMAC-SHA-256 Integrity NGE — ✓ —

ECDH-256 Key exchange Acceptable ECDH-384 — —

Authentication — —

ECDH-384 Key exchange NGE — — —

Authentication — — —

1. QCR = quantum computer resistant.

2. NGE = next generation encryption.

*MDM Deployment Options question
2- Cloud-based


In the on-premise MDM deployment model, the MDM software resides on premises on a
dedicated server (or servers), typically within the Internet Edge or DMZ.

This model is generally better suited to IT staff that have a higher-level of technical
expertise (such that they can configure, periodically-update and manage such a server) or
to enterprises that may have stricter security/confidentiality requirements (which may
preclude the management of their devices by a cloud-based service).

The on-premise model may also present moderate performance benefits to some
operational flows (due to its relative proximity to the devices, as opposed to a cloud-based
service). For example, if a network access policy included the “MDM Reachability” check,
this test would likely be much more responsive in an on-premise MDM deployment model
versus a cloud-based model.

The network topology for a campus BYOD network utilizing an On-Prem MDM deployment
model is illustrated in Figure 6-1.

Figure 6-1 Campus BYOD Network with On-Prem MDM (at the Internet Edge)

In the Cloud-Based MDM deployment model, MDM functionality is delivered to customers

in a SaaS manner: the software resides wholly within the MDM vendor’s cloud, with a
custom-tailored virtual instance provided for each customer.

From a customer’s perspective, this model is greatly simplified (as now they do not have to
configure, update, maintain and manage the MDM software); however, as a trade-off, they
relinquish a degree of control over all their devices (and also some of the data on these
devices) to the third-party MDM SaaS provider, which may pose security concerns. As
such, this model may be better suited to small- or medium-sized businesses that have
moderate IT technical expertise and unexceptional security requirements.

The network topology for a branch BYOD network utilizing a cloud-based MDM
deployment model is illustrated in Figure 6-2.

Figure 6-2 Branch BYOD Network with Cloud-Based MDM

Enterprise Integration Considerations
In addition to the integrating the corporate network with the MDM—which is discussed in
great detail in this document—other enterprise services and resources are also important
to integrate with the MDM system, including:

 Corporate Directory Services

 Certificate Authority (CA) and Public Key Infrastructure (PKI)

 Email Infrastructure

 Content Repositories

 Management Systems
Use the 20 new questions uploaded by @SDM prefer on August 30th, 2017 and also the questions that he
shared after its exam. @SDM prefer on September 1st, 2017
Eke still valid for training. Good luck

Please post this on security tut as EXCALIBUR. I habe no access to it. Just email

Just passed. Got both ASDM simulations (NAT & 4MCQ). Two drag and drop question regarding
encryption (Avoid/Legacy, Obsolet/Legacy: SHA1-MD5-DES-3DES-HMAC MD5). Also got about 6-8
completely new questions and different wording in many questions. Sorry but I can I can only remember

– What’s the highest security level can be applied to an ASA interface?

a. 0
b. 50
c. 100
d. 200

– Which security concerns can be leveraged by BYOD (something similar)? (Choose 2)

EKE is still valid, but you can’t limit to it. Thanks Brad, BD, SDM and all other folks.

Target Achieved

EKE is still valid. But Dondarion has correctly said- 6 – 7 completely new questions.
So just go for it before more new questions are introduced.

Apart from those mentioned by Dondarion, I remember below two :

– How will the traffic be affected if policy from the self zone is removed ?
a) all traffic will be inspected.
b) traffic will not be inspected.
C) traffic will be passed with logging action.

The Self Zone

The router itself is defined as a separate security zone, with the fixed name Self, and since IOS firewalls
support examination of traffic (TCP, UDP and H.323 only) that terminates or originates on the router
(together known as "local" traffic), incoming and outgoing router traffic can be subject to rules in the
same way as routed inter-zone traffic.

When an interface is assigned to a zone, the hosts connected to that interface are included in that
zone. By default, traffic is allowed to flow between interfaces that are members of the same zone, while
a default "deny-all" policy is applied to traffic moving between zones.

However, traffic flowing directly between other zones and the router's IP interfaces (the Self zone) is
implicitly allowed. This ensures that connectivity to the router's management interfaces is maintained
when a zone firewall configuration is applied to the router.

This also means that traffic flowing to and from the IP addresses of the router's interfaces is not initially
controlled by zone policies. If you wish to control traffic moving between the router interfaces and other
zones, you must apply rules that block or allow this local traffic.

When configuring the rules for the Self zone, consider the following:

• All IP addresses configured on the router belong to the Self zone, regardless of interface zone
• Traffic to and from the Self zone is unrestricted until you configure explicit rules to the contrary.

That is, when you configure a zone-based firewall rule that includes the Self zone, traffic between
the Self zone and the other zone is immediately restricted in both directions. For example, if you
define a rule affecting traffic from the "Private" zone to the Self zone, the router cannot originate
any traffic to the Private zone until you define one or more rules for Self to Private.

Traffic between the router itself and other zones that are not included in the Self-zone rules
remains unaffected.

• The Inspect action is not allowed in rules that apply to the Self zone.

When configuring restrictions on inbound Self-zone traffic, consider the necessary outbound traffic
(including the routing and network management protocols). For example, if you restrict inbound traffic
from a zone to the router itself, the routing protocols could stop working on all interfaces belonging to
that zone.

How will SDM be accessed ?

a) from pc
b) from mobile
c) from router flash
d) from some cisco web portal.

(wordings of que-ans are different – just remember something like above).

Thank you so much Brad, BD, SDM and all other guys who helped.

All the best who are planning to give the exam !

C u all in CCNP portal now..


2 new drag & drop.

New questions are like below

One is mobile device management (MDM)

another one is BYOD but option has changed completely
Another one ASA highest security level
Drag and drop both are Des, 3des, md5, hmac-md5 related.
Secure or legacy.
Cisco SDM
self zone traffic inspection