210-260 CCNA Security – IINS Exam Questions with Answers – Q121 to Q135

210-260 CCNA Security – IINS Exam Questions with Answers – Q121 to Q135

Question 121.
Which security measures can protect the control plane of a Cisco router? (Choose two.)
B. Parser views
C. Access control lists
D. Port security
Correct Answer: AE
Section: (none)


Three Ways to Secure the Control Plane
+ Control plane policing (CoPP): You can configure this as a filter for any traffic destined to an IP address on the router itself.
+ Control plane protection (CPPr): This allows for a more detailed classification of traffic (more than CoPP) that is going to use the CPU for handling.
+ Routing protocol authentication

Source: Cisco Official Certification Guide, Table 10-3 Three Ways to Secure the Control Plane , p.269

Question 122.
In which stage of an attack does the attacker discover devices on a target network?
A. Reconnaissance
B. Covering tracks
C. Gaining access
D. Maintaining access
Correct Answer: A
Section: (none)


Reconnaissance: This is the discovery process used to find information about the network. It could include scans of the network to find out which IP addresses respond, and further scans to see which ports on the devices at these IP addresses are open. This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

Source: Cisco Official Certification Guide, Table 1-5 Attack Methods, p.13

Question 123.
Which protocols use encryption to protect the confidentiality of data transmitted between two parties? (Choose two.)
C. Telnet
Correct Answer: BE
Section: (none)


+ Secure Shell (SSH) provides the same functionality as Telnet, in that it gives you a CLI to a router or switch; unlike Telnet, however, SSH encrypts all the packets that are used in the session.
+ For graphical user interface (GUI) management tools such as CCP, use HTTPS rather than HTTP because, like SSH, it encrypts the session, which provides confidentiality for the packets in that session.

Source: Cisco Official Certification Guide, Encrypted Management Protocols, p.287

Question 124.
What are the primary attack methods of VLAN hopping? (Choose two.)
A. VoIP hopping
B. Switch spoofing
C. CAM-table overflow
D. Double tagging
Correct Answer: BD
Section: (none)


VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.
+ In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, Dynamic Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.
+ In a double tagging attack, an attacking host connected on a 802.1q interface prepends two VLAN tags to packets that it transmits.

Source: https://en.wikipedia.org/wiki/VLAN_hopping

Question 125.
How can the administrator enable permanent client installation in a Cisco AnyConnect VPN firewall configuration?
A. Issue the command “anyconnect keep-installer” under the group policy or username webvpn mode
B. Issue the command ”anyconnect keep-installer installed” in the global configuration
C. Issue the command “anyconnect keep-installer installed” under the group policy or username webvpn mode
D. Issue the command “anyconnect keep-installer installer” under the group policy or username webvpn mode
Correct Answer: C
Section: (none)

@day-2 on securitytut.com

Dumps, Brad etc.. say the correct answer is ” C ” !

But as we figured out and also verified here :

To enable permanent client installation for a specific group or user, use the anyconnect keep-installer command from group-policy or username webvpn modes:

anyconnect keep-installer installer

The default is that permanent installation of the client is enabled. The client remains on the remote computer at the end of the session. The following example configures the existing group-policy sales to remove the client on the remote computer at the end of the session:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# anyconnect keep-installer installed none

So.. the command to enable it is “anyconnect keep-installer installeR” , right ?
BUT, to disable the feature of permanent client installation the command is referred as “anyconnect keepinstaller installeD none”

Doesn’t look good to me but IF we assume that it’s not a typo, the correct answer should be ” D ” , right ??

Take a look on the URL above that says “../asa/asa93/” !!! ASA93 … keep that in mind please..

I checked every version of cisco configuration guide for the ASA anyconnect remote access VPN.
Every cisco configuration guide beyond v9.3 (9.4, 9.5, 9.6, 9.7 .. latest) doesn’t refer the ACTUAL command to enable the feature. Only how to disable it which is the same..

However, on EVERY cisco confifuration guide BEFORE v9.3 (9.2, 9.1 .. and all the way down) the command is referred as :

anyconnect keep-installer installed

which indicates that “C” is the correct answer !

According to other pages i got from a simple google search e.g. : h???s://www.cisco????/c/en/us/support/docs/ security/asa-5500-x-series-next-generation-firewalls/100597-technote-anyconnect-00.??ml

in some point it says :

Uninstall Automatically


The AnyConnect VPN Client uninstalls itself once the connection terminates. The client logs show that keep installed is set to disabled.
AnyConnect uninstalls itself despite that the keep installed option is selected on the Adaptive Security Device Manager (ASDM). In order to resolve this issue, configure the svc keep-installer installed command under group-policy.

Indicates that none of the answers is correct as “svc keep-installer installed” was valid for v8.3 and below !

Also here : h??ps:?/networklessons.??m/cisco/asa-firewall/cisco-asa-anyconnect-remote-access-vpn/

i’m copying/pasting from the url :

ASA1(config)# group-policy ANYCONNECT_POLICY attributes
ASA1(config-group-policy)# vpn-tunnel-protocol ssl-client ssl-clientless
ASA1(config-group-policy)# split-tunnel-policy tunnelspecified
ASA1(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL
ASA1(config-group-policy)# dns-server value
ASA1(config-group-policy)# webvpn
ASA1(config-group-webvpn)# anyconnect keep-installer installed

Indicates that “C” is correct too.. (but the asa version is not referred..)


On my virtual ASA version 9.6(2) in my group policy I have
ciscoasa(config)# group-policy GroupPolicy_SecurityTut attributes
Entering webvpn
ciscoasa(config-group-policy)# webvpn

And for the anyconnect keep-installer command it only shows me this
ciscoasa(config-group-webvpn)# anyconnect keep-installer ?

config-group-webvpn mode commands/options:
installed Keep the install enabler
none Do not keep the install enabler
ciscoasa(config-group-webvpn)# anyconnect keep-installer

So the command should be
ciscoasa(config-group-webvpn)# anyconnect keep-installer installed

I guess that sets it straight, right?

Question 126.
Which type of security control is defense in depth?
A. Threat mitigation
B. Risk analysis
C. Botnet mitigation
D. Overt and covert channels
Correct Answer: A
Section: (none)


Defense in-depth is the key to stopping most, but not all, network and computer related attacks. It’s a concept of deploying several layers of defense that mitigate security threats.

Source: http://security2b.blogspot.ro/2006/12/what-is-defense-in-depth-and-why-is-it.html

Question 127.
On which Cisco Configuration Professional screen do you enable AAA
A. Authentication Policies
B. Authorization Policies
C. AAA Summary
D. AAA Servers and Groups
Correct Answer: C
Section: (none)


Answer: C
Confidence level: 0%

Note: Never bothered to research this question.


The answer is C. AAA Summary

Question 128.
What are two uses of SIEM software? (Choose two.)
A. Performing automatic network audits
B. Alerting administrators to security events in real time
C. Configuring firewall and IDS devices
D. Scanning emails for suspicious attachments
E. Collecting and archiving syslog data
Correct Answer: BE
Section: (none)


Answer: B and E
Confidence level: 70%

Note: C and D are definitely incorrect, and E is definitely right. I’m not completely sure about A and B.


Security Information Event Management SIEM
+ Log collection of event records from sources throughout the organization provides important forensic tools and helps to address compliance reporting requirements.
+ Normalization maps log messages from different systems into a common data model, enabling the organization to connect and analyze related events, even if they are initially logged in different source formats.
+ Correlation links logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
+ Aggregation reduces the volume of event data by consolidating duplicate event records.
+ Reporting presents the correlated, aggregated event data in real-time monitoring and long-term summaries.

Source: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-businessarchitectur /sbaSIEM_deployG.pdf

Question 129.
What are the three layers of a hierarchical network design? (Choose three.)
A. access
B. core
C. distribution
D. user
E. server
F. Internet
Correct Answer: ABC
Section: (none)


A typical enterprise hierarchical LAN campus network design includes the following three layers:
+ Access layer: Provides workgroup/user access to the network
+ Distribution layer: Provides policy-based connectivity and controls the boundary between the access and core layers
+ Core layer: Provides fast transport between distribution switches within the enterprise campus

Source: http://www.ciscopress.com/articles/article.asp?p=2202410&seqNum=4

Question 130.
In which two situations should you use in-band management? (Choose two.)
A. When a network device fails to forward packets
B. When management applications need concurrent access to the device
C. When you require administrator access from multiple locations
D. When you require ROMMON access
E. When the control plane fails to respond
Correct Answer: BC
Section: (none)


Answer: B and C
Confidence level: 90%

Question 131.
What are two ways to prevent eavesdropping when you perform device-management tasks? (Choose two.)
A. Use an SSH connection.
B. Use SNMPv3.
C. Use out-of-band management.
D. Use SNMPv2.
E. Use in-band management.
Correct Answer: AB
Section: (none)

Both SSH and SNMPv3 provide security of the packets through encryption.

Question 132.
In which three ways does the RADIUS protocol differ from TACACS? (Choose three.)
A. RADIUS uses UDP to communicate with the NAS.
B. RADIUS encrypts only the password field in an authentication packet.
C. RADIUS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.
D. RADIUS uses TCP to communicate with the NAS.
E. RADIUS can encrypt the entire packet that is sent to the NAS.
F. RADIUS supports per-command authorization.
Correct Answer: ABC
Section: (none)


Source: Cisco Official Certification Guide, Table 3-2 TACACS+ Versus RADIUS, p.40

Question 133.
Which three statements describe DHCP spoofing attacks? (Choose three.)
A. They can modify traffic in transit.
B. They are used to perform man-in-the-middle attacks.
C. They use ARP poisoning.
D. They can access most network devices.
E. They protect the identity of the attacker by masking the DHCP address.
F. They can physically modify the network gateway.
Correct Answer: ABC
Section: (none)


DHCP spoofing occurs when an attacker attempts to respond to DHCP requests and trying to list themselves (spoofs) as the default gateway or DNS server, hence, initiating a man in the middle attack. With that, it is possible that they can intercept traffic from users before forwarding to the real gateway or perform DoS by flooding the real DHCP server with request to choke ip address resources.

Source: https://learningnetwork.cisco.com/thread/67229

Question 134.
A data breach has occurred and your company database has been copied. Which security principle has been violated?
A. confidentiality
B. availability
C. access
D. control
Correct Answer: A
Section: (none)


Confidentiality: There are two types of data: data in motion as it moves across the network; and data at rest, when data is sitting on storage media (server, local workstation, in the cloud, and so forth). Confidentiality means that only the authorized individuals/ systems can view sensitive or classified information.

Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6

Question 135.
In which type of attack does an attacker send an email message that asks the recipient to click a link such as https://www.cisco.net.cc/securelogs?
A. phishing
B. pharming
C. solicitation
D. secure transaction
Correct Answer: A
Section: (none)


Phishing presents a link that looks like a valid trusted resource to a user. When the user clicks it, the user is prompted to disclose confidential information such as usernames/passwords.
Phishing elicits secure information through an e-mail message that appears to come from a legitimate source such as a service provider or financial institution. The e-mail message may ask the user to reply with the sensitive data, or to access a website to update information such as a bank account number.

Source: Cisco Official Certification Guide, Confidentiality, Table 1-5 Attack Methods, p.13; Social Engineering Tactics, p.29

About the author


Leave a Comment