210-260 CCNA Security – IINS Exam Questions with Answers – Q181 to Q195

210-260 CCNA Security – IINS Exam Questions with Answers – Q181 to Q195

Question 181.
Which security term refers to a person, property, or data of value to a company?
A. Risk
B. Asset
C. Threat prevention
D. Mitigation technique
Correct Answer: B
Section: (none)

Explanation
BD

This is an exact question from the Cisco Official Certification Guide 210-260.

Source: Cisco Official Certification Guide, Table 1-1 “Do I Know This Already?” Section-to-Question Mapping, p.3

Question 182.
What’s the technology that you can use to prevent non malicious program to run in the computer that is disconnected from the network?
A. Firewall
B. Software Antivirus
C. Network IPS
D. Host IPS.
Correct Answer: D
Section: (none)

Explanation

Question 183.
What command could you implement in the firewall to conceal internal IP address?
A. no source-route
B. no cdp run
C. no broadcast….
D. no proxy-arp
Correct Answer: D
Section: (none)

Explanation
BD

I believe these are not negating commands.

The Cisco IOS software uses proxy ARP (as defined in RFC 1027) to help hosts with no knowledge of routing determine the media addresses of hosts on other networks or subnets. For example, if the router receives an ARP request for a host that is not on the same interface as the ARP request sender, and if the router has all of its routes to that host through other interfaces, then it generates a proxy ARP reply packet giving its own local data-link address. The host that sent the ARP request then sends its packets to the router, which forwards them to the intended host. Proxy ARP is enabled by default.

Router(config-if)# ip proxy-arp – Enables proxy ARP on the interface.

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfipadr.html#wp1001233

Question 184.
Which statement about college campus is true?
A. College campus has geographical position.
B. College campus Hasn`t got internet access.
C. College campus Has multiple subdomains.
D. College campus Has very beautiful girls
Correct Answer: A
Section: (none)

Explanation

Question 185.
Which firepower preprocessor block traffic based on IP?
A. Signature-Based
B. Policy-Based
C. Anomaly-Based
D. Reputation-Based
Correct Answer: D
Section: (none)

Explanation
BD

Access control rules within access control policies exert granular control over network traffic logging and handling. Reputation-based conditions in access control rules allow you to manage which traffic can traverse
your network, by contextualizing your network traffic and limiting it where appropriate. Access control rules govern the following types of reputation-based control:
+ Application conditions allow you to perform application control, which controls application traffic based on not only individual applications, but also applications’ basic characteristics: type, risk, business relevance, categories, and tags.
+ URL conditions allow you to perform URL filtering, which controls web traffic based on individual websites, as well as websites’ system-assigned category and reputation.

The ASA FirePOWER module can perform other types of reputation-based control, but you do not configure these using access control rules. For more information, see:
+ Blacklisting Using Security Intelligence IP Address Reputation explains how to limit traffic based on the reputation of a connection’s origin or destination as a first line of defense.
+ Tuning Intrusion Prevention Performance explains how to detect, track, store, analyze, and block the transmission of malware and other types of prohibited files.

Source: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa firepowermodule-user-guide-v541/AC-Rules-App-URL-Reputation.html

Question 186.
Which command enable ospf authentication on an interface?
A. ip ospf authentication message-digest
B. network 192.168.10.0 0.0.0.255 area 0
C. area 20 authentication message-digest
D. ip ospf message-digest-key 1 md5 CCNA
Correct Answer: A
Section: (none)

Explanation
BD

This question might be incomplete. Both ip ospf authentication message-digest and area 20 authentication message-digest command enable OSPF authentication through MD5.

Use the ip ospf authentication-key interface command to specify this password. If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf messagedigest key interface command.

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA

Source: Cisco Official Certification Guide, Implement Routing Update Authentication on OSPF, p.348 To enable authentication for an OSPF area, use the area authentication command in router configuration mode. To remove an authentication specification of an area or a specified area from the configuration, use the no form of this command.

area area-id authentication [message-digest] no area area-id authentication [message-digest]

Read more here

Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/iproute/command/reference/fiprrp_r/1rfospf.html

An overall guide:
Source: https://supportforums.cisco.com/document/22961/ospf-authentication

Question 187.
Which component of CIA triad relate to safe data which is in transit?
A. Confidentiality
B. Integrity
C. Availability
D. Scalability
Correct Answer: B
Section: (none)

Explanation
BD

Integrity: Integrity for data means that changes made to data are done only by authorized individuals/systems. Corruption of data is a failure to maintain data integrity.

Source: Cisco Official Certification Guide, Confidentiality, Integrity, and Availability, p.6

Question 188.
Which command help user1 to use enable,disable,exit&etc commands?
A. catalyst1(config)#username user1 privilege 0 secret us1pass
B. catalyst1(config)#username user1 privilege 1 secret us1pass
C. catalyst1(config)#username user1 privilege 2 secret us1pass
D. catalyst1(config)#username user1 privilege 5 secret us1pass
Correct Answer: A
Section: (none)

Explanation
BD

To understand this example, it is necessary to understand privilege levels. By default, there are three command levels on the router:
+ privilege level 0 — Includes the disable, enable, exit, help, and logout commands.
+ privilege level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
+ privilege level 15 — Includes all enable-level commands at the router# prompt.

Source: http://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-controlsystem-tacacs-/23383-showrun.html

Question 189.
Command ip ospf authentication key 1 is implemented in which level.
A. Interface
B. process
C. global
D. enable
Correct Answer: A
Section: (none)

Explanation
BD

Use the ip ospf authentication-key interface command to specify this password. If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf messagedigest-key interface command.

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA

Source: Cisco Official Certification Guide, Implement Routing Update Authentication on OSPF, p.348

The OSPFv2 Cryptographic Authentication feature allows you to configure a key chain on the OSPF interface to authenticate OSPFv2 packets by using HMAC-SHA algorithms. You can use an existing key chain that is being used by another protocol, or you can create a key chain specifically for OSPFv2.

If OSPFv2 is configured to use a key chain, all MD5 keys that were previously configured using the ip ospf
message-digest-key command are ignored.

Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet0/0/0
Device (config-if)# ip ospf authentication key-chain sample1
Device (config-if)# end

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/xe-3s/iro-xe-3s-book/iroospfv2-crypto-authen-xe.html
In both cases OSPF and OSPFv1 the ip ospf authentication is inserted at interface level

Question 190.
Which line in the following OSPF configuration will not be required for MD5 authentication to work?

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 CCNA
!
router ospf 65000
router-id 192.168.10.1
area 20 authentication message-digest
network 10.1.1.0 0.0.0.255 area 10
network 192.168.10.0 0.0.0.255 area 0
!

A. ip ospf authentication message-digest
B. network 192.168.10.0 0.0.0.255 area 0
C. area 20 authentication message-digest
D. ip ospf message-digest-key 1 md5 CCNA
Correct Answer: C
Section: (none)

Explanation
BD

This is an exact question from the Cisco Official Certification Guide 210-260.

Source: Cisco Official Certification Guide, Table 13-1 “Do I Know This Already?” Section-to-Question Mapping,
p.342

Question 191.
Which of the following pairs of statements is true in terms of configuring MD authentication?
A. Interface statements (OSPF, EIGRP) must be configured; use of key chain in OSPF
B. Router process (OSPF, EIGRP) must be configured; key chain in EIGRP
C. Router process or interface statement for OSPF must be configured; key chain in EIGRP
D. Router process (only for OSPF) must be configured; key chain in OSPF
Correct Answer: C
Section: (none)

Explanation
BD

This is an exact question from the Cisco Official Certification Guide 210-260.
Source: Cisco Official Certification Guide, Table 13-1 “Do I Know This Already?” Section-to-Question Mapping,
p.343

SOURCE: http://www.ciscopress.com/store/ccna-security-210-260-official-cert-guide-9781587205668 (Update
TAB > Download the errata ) < this is updates for cert guide
The correct answer changed from “Router process (only for OSPF) must be configured; key chain in EIGRP” to “Router process or interface statement for OSPF must be configured; key chain in EIGRP”

Question 192.
Which two NAT types allows only objects or groups to reference an IP address? (choose two)
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT
Correct Answer: AC
Section: (none)

Explanation
BD

Adding Network Objects for Mapped Addresses
For dynamic NAT, you must use an object or group for the mapped addresses. Other NAT types have the
option of using inline addresses, or you can create an object or group according to this section.

* Dynamic NAT:
+ You cannot use an inline address; you must configure a network object or group.
+ The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
+ If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.

* Dynamic PAT (Hide):
+ Instead of using an object, you can optionally configure an inline host address or specify the interface address.
+ If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.

* Static NAT or Static NAT with port translation:
+ Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
+ If you use an object, the object or group can contain a host, range, or subnet.

* Identity NAT
+ Instead of using an object, you can configure an inline address.
+ If you use an object, the object must match the real addresses you want to translate.

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/

According to this A seems to be the only correct answer. Maybe C is correct because it allows the use of a subnet too.

Question 193.
What port option in a PVLAN that can communicate with every other ports…
A. Promiscuous ports
B. Community ports
C. Ethernet ports
D. Isolate ports
Correct Answer: A
Section: (none)

Explanation
BD

+ Promiscuous — A promiscuous port belongs to the primary VLAN. The promiscuous port can communicate with all interfaces, including the community and isolated host ports, that belong to those secondary VLANs associated to the promiscuous port and associated with the primary VLAN.
+ Isolated — An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete
isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports
+ Community — A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other ports in the same community VLAN and with associated promiscuous ports

Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/ CLIConfigurationGuide/PrivateVLANs.html

Question 194.
which are two valid TCP connection states (pick 2) is the gist of the question.
A. SYN-RCVD
B. Closed
C. SYN-WAIT
D. RCVD
E. SENT
Correct Answer: AB
Section: (none)

Explanation
BD

TCP Finite State Machine (FSM) States, Events and Transitions
+ CLOSED: This is the default state that each connection starts in before the process of establishing it begins.
The state is called “fictional” in the standard.
+ LISTEN
+ SYN-SENT
+ SYN-RECEIVED: The device has both received a SYN (connection request) from its partner and sent its own
SYN. It is now waiting for an ACK to its SYN to finish connection setup.
+ ESTABLISHED
+ CLOSE-WAIT
+ LAST-ACK
+ FIN-WAIT-1
+ FIN-WAIT-2
+ CLOSING
+ TIME-WAIT

Source: http://tcpipguide.com/free/t_TCPOperationalOverviewandtheTCPFiniteStateMachineF-2.htm

Question 195.
Which of the following commands result in a secure bootset? (Choose all that apply.)
A. secure boot-set
B. secure boot-config
C. secure boot-files
D. secure boot-image
Correct Answer: BD
Section: (none)
Explanation
BD

This is an exact question from the Cisco Official Certification Guide 210-260.

Source: Cisco Official Certification Guide, Table 11-1 “Do I Know This Already?” Section-to-Question Mapping, p.276

About the author

Scott

Leave a Comment