210-260 CCNA Security – IINS Exam Questions with Answers – Q31 to Q45

Question 31.
Refer to the exhibit.
(Exhibit image: ccna-security-iins-exam-questions-answers-q16-q30-31)
What is the effect of the given command sequence?
A. It configures IKE Phase 1.
B. It configures a site-to-site VPN tunnel.
C. It configures a crypto policy with a key size of 14400.
D. It configures IPSec Phase 2.
Correct Answer: A
Section: (none)
Explanation
BD

The command sequence configures IKE (IPsec Phase 1) with the five ISAKMP policy parameters, remembered as HAGLE: Hashing, Authentication, Group (Diffie-Hellman), Lifetime and Encryption.

Question 32.
Refer to the exhibit.
(Exhibit image: ccna-security-iins-exam-questions-answers-q16-q30-32)
What is the effect of the given command sequence?
A. It defines IPSec policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
B. It defines IPSec policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
C. It defines IKE policy for traffic sourced from 10.10.10.0/24 with a destination of 10.100.100.0/24.
D. It defines IKE policy for traffic sourced from 10.100.100.0/24 with a destination of 10.10.10.0/24.
Correct Answer: A
Section: (none)
Explanation
BD

A crypto ACL is a special case of an extended ACL in which the source and destination addresses specify the networks whose traffic is to be encrypted.

Question 33.
Refer to the exhibit.
(Exhibit image: ccna-security-iins-exam-questions-answers-q16-q30-33)
While troubleshooting site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
A. IPSec Phase 1 is established between 10.10.10.2 and 10.1.1.5.
B. IPSec Phase 2 is established between 10.10.10.2 and 10.1.1.5.
C. IPSec Phase 1 is down due to a QM_IDLE state.
D. IPSec Phase 2 is down due to a QM_IDLE state.
Correct Answer: A
Section: (none)
Explanation
BD

This is the output of the show crypto isakmp sa command. It displays the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between peers, i.e. IPsec Phase 1. The “established” clue is the state parameter QM_IDLE, which is what we want to see.

More on this
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

Question 34.
Refer to the exhibit.
(Exhibit image: ccna-security-iins-exam-questions-answers-q16-q30-33)
While troubleshooting site-to-site VPN, you issued the show crypto ipsec sa command. What does the given output show?
A. IPSec Phase 2 is established between 10.1.1.1 and 10.1.1.5.
B. ISAKMP security associations are established between 10.1.1.5 and 10.1.1.1.
C. IKE version 2 security associations are established between 10.1.1.1 and 10.1.1.5.
D. IPSec Phase 2 is down due to a mismatch between encrypted and decrypted packets.
Correct Answer: A
Section: (none)
Explanation
BD

This command shows the IPsec SAs built between peers, i.e. IPsec Phase 2. The encrypted tunnel is built between 10.1.1.5 and 10.1.1.1 (the router from which we issued the command).
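The IOS configuration below is an added worked example, not the exam exhibits or Cisco's own documentation; it ties Questions 31 to 34 together on a single router: an ISAKMP policy carrying the five HAGLE parameters, a crypto ACL for 10.10.10.0/24 to 10.100.100.0/24, the Phase 2 transform set and crypto map, and the two show commands used to verify each phase. The peer addresses 10.1.1.1 and 10.1.1.5 come from Question 34; the interface name, policy and sequence numbers, object names and the pre-shared key are assumptions (the key is a placeholder).

```cisco
! Added example (constructed): minimal site-to-site IPsec VPN on the local router 10.1.1.1,
! peering with 10.1.1.5 and protecting 10.10.10.0/24 <-> 10.100.100.0/24.
!
! --- IKE Phase 1 (ISAKMP policy): the five HAGLE parameters ---
crypto isakmp policy 10
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
 encryption aes 256
! Pre-shared key for this peer (placeholder value; use a long random string in practice)
crypto isakmp key <PRESHARED-KEY-PLACEHOLDER> address 10.1.1.5
!
! --- Crypto ACL: an extended ACL naming the interesting traffic ---
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.100.100.0 0.0.0.255
!
! --- IPsec Phase 2: transform set, and the crypto map that binds peer, transform and ACL ---
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 10.1.1.5
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! Apply the crypto map to the outside interface (interface name assumed)
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map VPN-MAP
!
! --- Verification from privileged EXEC ---
! Phase 1: the peer pair should appear with state QM_IDLE
show crypto isakmp sa
! Phase 2: #pkts encaps/encrypt and #pkts decaps/decrypt should both increase with traffic
show crypto ipsec sa
```

On the remote router the crypto ACL must be the mirror image (source 10.100.100.0/24, destination 10.10.10.0/24) and the ISAKMP policy must match on all five HAGLE values; a mismatch in the ACL leaves Phase 1 at QM_IDLE while Phase 2 never comes up, which is exactly the situation the two show commands let you tell apart.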

Question 35.
Refer to the exhibit.
(Exhibit image: ccna-security-iins-exam-questions-answers-q16-q30-35)
The Admin user is unable to enter configuration mode on a device with the given configuration. What change can you make to the configuration to correct the problem?
A. Remove the autocommand keyword and arguments from the Username Admin privilege line.
B. Change the Privilege exec level value to 15.
C. Remove the two Username Admin lines.
D. Remove the Privilege exec line.
Correct Answer: A
Section: (none)
Explanation
BD

autocommand: (Optional) Causes the specified command to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and can contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
So after a successful login the Admin user sees the running configuration and is immediately disconnected by the router. Removing the autocommand keeps the user connected.

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-xe-3se-3850-cr-book/sec-s1-xe-3se-3850-cr-book_chapter_0110.html

Question 36.
After reloading a router, you issue the dir command to verify the installation and observe that the image file appears to be missing. For what reason could the image file fail to appear in the dir output?
A. The secure boot-image command is configured.
B. The secure boot-config command is configured.
C. The confreg 0x24 command is configured.
D. The reload command was issued from ROMMON.
Correct Answer: A
Section: (none)
Explanation
BD
#secure boot-image
This command enables or disables the securing of the running Cisco IOS image. Because this command has the effect of “hiding” the running image, the image file will not be included in any directory listing of the disk.

Source: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-crs1.html#wp3328121947

Question 37.
What is the effect of the send-lifetime local 23:59:00 31 December 2013 infinite command?
A. It configures the device to begin transmitting the authentication key to other devices at 00:00:00 local time on January 1, 2014 and continue using the key indefinitely.
B. It configures the device to begin transmitting the authentication key to other devices at 23:59:00 local time on December 31, 2013 and continue using the key indefinitely.
C. It configures the device to begin accepting the authentication key from other devices immediately and stop accepting the key at 23:59:00 local time on December 31, 2013.
D. It configures the device to generate a new authentication key and transmit it to other devices at 23:59:00 local time on December 31, 2013.
E. It configures the device to begin accepting the authentication key from other devices at 23:59:00 local time on December 31, 2013 and continue accepting the key indefinitely.
F. It configures the device to begin accepting the authentication key from other devices at 00:00:00 local time on January 1, 2014 and continue accepting the key indefinitely.
Correct Answer: B
Section: (none)
Explanation
BD

To send the valid key and to authenticate information from the local host to the peer, use the send-lifetime command in keychain-key configuration mode.

send-lifetime start-time [ duration duration value | infinite | end-time ]
start-time: Start time, in hh:mm:ss day month year format, in which the key becomes valid. The range is from 0:0:0 to 23:59:59.
infinite: (Optional) Specifies that the key never expires once it becomes valid.

Source: http://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r4-2/security/command/reference/b_syssec_cr42crs/b_syssec_cr41crs_chapter_0100.html#wp2198915138
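As an added example (not from the page or Cisco's documentation), the key chain below shows send-lifetime and accept-lifetime working together for a planned key rollover, which is where the start time and the infinite keyword from the question matter in practice. The times follow the question; the key-chain name, key numbers, NTP server address and key strings are assumptions, and the key strings are placeholders.

```cisco
! Added example (constructed): hitless routing-protocol key rollover with a key chain.
! Key 1 stops being sent at 23:59:00 on 31 December 2013, exactly when key 2 starts being
! sent, but key 1 is still accepted for one more hour so peers whose clocks are slightly
! off do not lose adjacency.
key chain ROUTING-KEYS
 key 1
  key-string <OLD-KEY-PLACEHOLDER>
  accept-lifetime 00:00:00 1 January 2013 01:00:00 1 January 2014
  send-lifetime 00:00:00 1 January 2013 23:59:00 31 December 2013
 key 2
  key-string <NEW-KEY-PLACEHOLDER>
  accept-lifetime local 23:00:00 31 December 2013 infinite
  send-lifetime local 23:59:00 31 December 2013 infinite
!
! Lifetimes are only as trustworthy as the clock they are compared against; sync it.
ntp server 10.0.0.1
!
! Verification (privileged EXEC): each key is shown with its send and accept windows
! and whether it is currently valid
show key chain ROUTING-KEYS
```

The overlap is deliberate: when several keys are valid for sending, IOS sends the lowest-numbered one, so ending key 1's send-lifetime at the same instant key 2's begins is what actually switches the transmitted key. The chain still has to be referenced by the routing protocol on the interface (for example RIP or EIGRP authentication) before it has any effect.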

Question 38.
What type of packet creates and performs network operations on a network device?
A. control plane packets
B. data plane packets
C. management plane packets
D. services plane packets
Correct Answer: A
Section: (none)
Explanation
BD

Control plane: This includes protocols and traffic that the network devices use on their own without direct interaction from an administrator. An example is a routing protocol.

Source: Cisco Official Certification Guide, The Network Foundation Protection Framework, p.264

Question 39.
An attacker installs a rogue switch that sends superior BPDUs on your network. What is a possible result of this activity?
A. The switch could offer fake DHCP addresses.
B. The switch could become the root bridge.
C. The switch could be allowed to join the VTP domain.
D. The switch could become a transparent bridge.
Correct Answer: B
Section: (none)
Explanation
BD

If a switch receives an inferior BPDU, nothing changes. Receiving a superior BPDU kicks off a reconvergence of the STP topology, so the rogue switch may become the root bridge.

Source: http://www.networkpcworld.com/what-are-inferior-and-superior-bpdus-of-stp/

Question 40.
In what type of attack does an attacker virtually change a device’s burned-in address in an attempt to circumvent access lists and mask the device’s true identity?
A. gratuitous ARP
B. ARP poisoning
C. IP spoofing
D. MAC spoofing
Correct Answer: D
Section: (none)
Explanation
BD

A device’s burned-in address is its MAC address. Changing it to something else may trick hosts on the network into sending packets to it.

Question 41.
What command can you use to verify the binding table status?
A. “show ip dhcp snooping binding”
B. “show ip dhcp pool”
C. “show ip dhcp source binding”
D. “show ip dhcp snooping”
E. “show ip dhcp snooping database”
F. “show ip dhcp snooping statistics”
Correct Answer: A
Section: (none)
Explanation
Brad
Answer: E

Confidence level: 80%

Note: I researched this question at the following link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_58_se/command/reference/2960cr/cli2.html

If E is not the correct answer, then the answer is A. However, I’m pretty sure it is E based on these two quotes:
“Use the show ip dhcp snooping binding command in EXEC mode to display the DHCP snooping binding database and configuration information for all interfaces on a switch.”
“Use the show ip dhcp snooping database command in EXEC mode to display the status of the DHCP snooping binding database agent.”

BD

@Answer on securitytut.com made a valid comment on the fact that the question is not asking about the database agent, as in Brad’s reference, but about the status (not statistics) of the binding table.

On CCNP R&S TShoot 300-135 Official Guide, page 267 it says …

Example 7-26 Verifying DHCP Snooping Bindings

SW1# show ip dhcp snooping binding

MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
08:00:27:5D:06:D6   10.1.1.10        67720       dhcp-snooping  10    FastEthernet0/1

Total number of bindings: 1

So, what are DHCP snooping bindings and what is the status of the binding table? Aren’t they the same? And if so, it clearly says “verify”.
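To make the difference between the binding table and the database agent concrete, here is an added Catalyst configuration, constructed for this page and not taken from the guide or Cisco's documentation, followed by the show commands the answer options refer to. The interface numbers, VLAN, rate limit and flash file name are assumptions.

```cisco
! Added example (constructed): DHCP snooping on an access switch.
! Only the uplink toward the real DHCP server is trusted; every access port stays untrusted,
! so DHCP server replies from a rogue host are dropped and never create bindings.
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82 unless the upstream relay/server expects it
no ip dhcp snooping information option
!
interface GigabitEthernet0/24
 description UPLINK-TO-DHCP-SERVER
 ip dhcp snooping trust
!
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
!
! The database agent writes the binding table to a file so bindings survive a reload
! (without it, hosts with valid leases are blocked by DAI/IP Source Guard after a reboot)
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- Verification (privileged EXEC) ---
! Global state, snooped VLANs, trusted interfaces and rate limits
show ip dhcp snooping
! The binding table itself: MAC, IP, lease, VLAN and interface per client (Question 41, answer A)
show ip dhcp snooping binding
! Status of the database agent: the file URL, write timing and success/failure counters
show ip dhcp snooping database
! Per-interface drop counters, useful when a client "cannot get an address"
show ip dhcp snooping statistics
```

In this configuration the binding table is the security-relevant artifact: Dynamic ARP Inspection and IP Source Guard consult it, so an empty or stale table after a reload is a likely cause of legitimate hosts being cut off, and the database agent is the mechanism that prevents that.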

Question 42.
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?
A. STP root guard
B. EtherChannel guard
C. loop guard
D. STP BPDU guard
Correct Answer: A
Section: (none)
Explanation
Brad

Answer: A
Confidence level: 100%

Remember: The phrase “only superior BPDUs” is the key to the correct answer. BPDU guard will block a port if *ANY* BPDU is received.

BD

Root guard allows the device to participate in STP as long as the device does not try to become the root. If root guard blocks the port, subsequent recovery is automatic. Recovery occurs as soon as the offending device ceases to send superior BPDUs.

Source: http://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/10588-74.html
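The configuration below is an added example for Questions 39 and 42 (constructed here, not from the page or Cisco's documentation). It places BPDU guard on host-facing ports, where any BPDU at all err-disables the port, and root guard on a port facing another switch, where only a superior BPDU puts the port into the root-inconsistent (blocked) state. Interface numbers and the recovery interval are assumptions.

```cisco
! Added example (constructed): containing a rogue switch with BPDU guard and root guard.
spanning-tree mode rapid-pvst
!
! Host ports: no switch should ever be plugged in here, so ANY received BPDU
! err-disables the port (BPDU guard). PortFast is required for the global default form.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Port toward a downstream switch: it may take part in STP, but if it advertises a
! SUPERIOR BPDU (claiming to be root) the port goes root-inconsistent and is blocked.
! Recovery is automatic once superior BPDUs stop arriving.
interface GigabitEthernet0/24
 switchport mode trunk
 spanning-tree guard root
!
! Optional: let BPDU-guard err-disabled ports recover on their own after 300 seconds
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! --- Verification (privileged EXEC) ---
! Ports blocked by root guard show up here as root-inconsistent
show spanning-tree inconsistentports
! Ports shut down by BPDU guard show up here
show interfaces status err-disabled
! Confirms the current root bridge has not changed
show spanning-tree root
```

The two mechanisms answer different questions: root guard protects the root bridge placement on links where STP must still run, while BPDU guard enforces that a host port carries no STP at all, which is why the phrase "only superior BPDUs" in Question 42 points to root guard.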

Question 43.
Which statement about a PVLAN isolated port configured on a switch is true?
A. The isolated port can communicate only with the promiscuous port.
B. The isolated port can communicate with other isolated ports and the promiscuous port.
C. The isolated port can communicate only with community ports.
D. The isolated port can communicate only with other isolated ports.
Correct Answer: A
Section: (none)
Explanation

BD

Isolated — An isolated port is a host port that belongs to an isolated secondary VLAN. This port has complete isolation from other ports within the same private VLAN domain, except that it can communicate with associated promiscuous ports. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports. You can have more than one isolated port in a specified isolated VLAN. Each port is completely isolated from all other ports in the isolated VLAN.

Source: http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/CLIConfigurationGuide/PrivateVLANs.html
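As an added example, not from the page or Cisco's Nexus guide, the Catalyst IOS configuration below builds a private VLAN with two isolated ports, a small community, and one promiscuous port toward the gateway; it shows why answer A holds, since the isolated hosts on Gi0/1 and Gi0/2 can reach the gateway but not each other. VLAN numbers and interface names are assumptions.

```cisco
! Added example (constructed): private VLAN on a Catalyst switch.
! Primary VLAN 100 carries two secondary VLANs: 101 (isolated) and 102 (community).
vtp mode transparent
!
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! Isolated host ports: each can talk only to the promiscuous port, never to each other
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Community host ports: can talk to each other and to the promiscuous port
interface range GigabitEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Promiscuous port toward the default gateway / firewall: sees both secondary VLANs
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! --- Verification (privileged EXEC) ---
show vlan private-vlan
show interfaces GigabitEthernet0/1 switchport
```

Isolation is enforced at Layer 2 only; if the gateway on the promiscuous port is willing to route between hosts in the same subnet, isolated hosts can still reach each other via the gateway, so an ACL on the gateway interface is the usual companion to this configuration.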

Question 44.
If you change the native VLAN on the trunk port to an unused VLAN, what happens if an attacker attempts a double-tagging attack?
A. The trunk port would go into an error-disabled state.
B. A VLAN hopping attack would be successful.
C. A VLAN hopping attack would be prevented.
D. The attacked VLAN will be pruned.
Correct Answer: C
Section: (none)
Explanation
BD

VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.
Double Tagging can only be exploited when switches use “Native VLANs”. Double Tagging can be mitigated by either of the following actions:
+ Simply do not put any hosts on VLAN 1 (The default VLAN)
+ Change the native VLAN on all trunk ports to an unused VLAN ID

Source: https://en.wikipedia.org/wiki/VLAN_hopping
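The trunk hardening below is an added example (constructed for this page, not from the page or Cisco's documentation) that applies both mitigations listed above on a Catalyst switch: the native VLAN on every trunk is moved to an unused VLAN, no host sits in VLAN 1, and trunk negotiation is switched off so a host cannot talk a port into becoming a trunk. The VLAN numbers and interface names are assumptions, and the vlan dot1q tag native command is platform-dependent.

```cisco
! Added example (constructed): trunk hardening against double-tagging and switch spoofing.
!
! An unused VLAN that will serve as the native VLAN; no access port is ever placed in it
vlan 999
 name UNUSED-NATIVE
!
! Trunk toward the distribution switch
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 ! 999 is deliberately not in the allowed list, so untagged frames are dropped
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
! Access ports: explicit access mode (no DTP), never VLAN 1
interface range GigabitEthernet0/2 - 23
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Where supported, also tag the native VLAN on all trunks so no frame leaves untagged
vlan dot1q tag native
!
! --- Verification (privileged EXEC) ---
! Check mode, native VLAN and allowed VLANs on the trunk
show interfaces GigabitEthernet0/1 trunk
! Confirm no DTP is running on host ports
show dtp interface GigabitEthernet0/2
```

With the attacker's access VLAN no longer equal to the trunk's native VLAN, the outer tag of a double-tagged frame is not stripped as "native" by the first switch, so the inner tag never reaches the next hop unmodified; disabling DTP on access ports closes the other VLAN hopping path (switch spoofing) that the explanation mentions.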

Question 45.
What is a reason for an organization to deploy a personal firewall?
A. To protect endpoints such as desktops from malicious activity.
B. To protect one virtual network segment from another.
C. To determine whether a host meets minimum security posture requirements.
D. To create a separate, non-persistent virtual environment that can be destroyed after a session.
E. To protect the network from DoS and syn-flood attacks.
Correct Answer: A
Section: (none)
Explanation
BD

The term personal firewall typically applies to basic software that can control Layer 3 and Layer 4 access to client machines. HIPS provides several features that offer more robust security than a traditional personal firewall, such as host intrusion prevention and protection against spyware, viruses, worms, Trojans, and other types of malware.

Source: Cisco Official Certification Guide, Personal Firewalls and Host Intrusion Prevention Systems , p.499

About the author

Scott