210-260 CCNA Security – IINS Exam Questions with Answers – Q106 to Q120
Question 106.
Which Cisco feature can help mitigate spoofing attacks by verifying symmetry of the traffic path?
A. Unidirectional Link Detection
B. Unicast Reverse Path Forwarding
C. TrustSec
D. IP Source Guard
Correct Answer: B
Section: (none)
Explanation
BD
Unicast Reverse Path Forwarding (uRPF) can mitigate spoofed IP packets. When this feature is enabled on an interface, as packets enter that interface the router spends an extra moment considering the source address of the packet. It then considers its own routing table, and if the routing table does not agree that the interface that just received this packet is also the best egress interface to use for forwarding to the source address of the packet, it then denies the packet.
This is a good way to limit IP spoofing.
Source: Cisco Official Certification Guide, Table 10-4 Protecting the Data Plane, p.270
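Added example (not from the certification guide or the poster above): a small Python model of the uRPF decision described in the explanation. The routing table, interface names and source addresses are constructed for the example. It models strict mode ("reachable-via rx", best route back to the source must leave through the ingress interface) and loose mode ("reachable-via any", any route to the source is enough), and also the Cisco behaviour that a source matched only by the default route fails the check unless "allow-default" is configured.

```python
import ipaddress

# Constructed routing table for this example (not taken from the exam page):
# (prefix, egress interface). The default route is included because Cisco
# uRPF ignores it unless "allow-default" is configured.
ROUTES = [
    ("10.1.0.0/16",  "Gi0/1"),
    ("10.1.5.0/24",  "Gi0/2"),   # more specific subnet reached via another port
    ("192.0.2.0/24", "Gi0/3"),
    ("0.0.0.0/0",    "Gi0/0"),   # default route toward the Internet
]


def lookup(routes, address):
    """Longest-prefix match. Returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(routes, src, ingress, mode="strict", allow_default=False):
    """Return (verdict, reason) for a packet with source `src` entering `ingress`.

    mode="strict" models "ip verify unicast source reachable-via rx": the best
    route back to the source must leave through the interface the packet
    arrived on.  mode="loose" models "reachable-via any": any route to the
    source is enough, which tolerates asymmetric routing but still drops
    sources that have no route at all.
    """
    hit = lookup(routes, src)
    if hit is None:
        return "drop", "no route to source"
    net, egress = hit
    if net.prefixlen == 0 and not allow_default:
        return "drop", "source matched only the default route"
    if mode == "loose":
        return "forward", f"route to source exists via {egress}"
    if egress == ingress:
        return "forward", f"reverse path {egress} matches ingress"
    return "drop", f"reverse path is {egress}, packet arrived on {ingress}"


def demo():
    """Constructed packets run through strict and loose mode."""
    cases = [
        # (source, ingress, mode, allow_default)
        ("10.1.5.7",    "Gi0/2", "strict", False),  # symmetric path: forwarded
        ("10.1.5.7",    "Gi0/1", "strict", False),  # spoofed or asymmetric: dropped
        ("10.1.5.7",    "Gi0/1", "loose",  False),  # loose mode tolerates it
        ("203.0.113.9", "Gi0/1", "strict", False),  # only the default route: dropped
        ("203.0.113.9", "Gi0/0", "strict", True),   # allow-default on the uplink: forwarded
        ("203.0.113.9", "Gi0/1", "strict", True),   # allow-default but wrong ingress: dropped
    ]
    return [(src, ingress, mode, urpf_check(ROUTES, src, ingress, mode, allow_default)[0])
            for src, ingress, mode, allow_default in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The strict/loose distinction is the practical caveat: strict mode is only safe on interfaces where routing is known to be symmetric (access and customer-facing links), while loose mode is what is normally deployed on multihomed transit links.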
Question 107.
What is the most common Cisco Discovery Protocol version 1 attack?
A. Denial of Service
B. MAC-address spoofing
C. CAM-table overflow
D. VLAN hopping
Correct Answer: A
Section: (none)
Explanation
BD
CDP contains information about the network device, such as the software version, IP address, platform, capabilities, and the native VLAN. When this information is available to an attacker computer, the attacker from that computer can use it to find exploits to attack your network, usually in the form of a Denial of Service (DoS) attack.
Source: https://howdoesinternetwork.com/2011/cdp-attack
Question 108.
What is the Cisco preferred countermeasure to mitigate CAM overflows?
A. Port security
B. Root guard
C. IP source guard
D. Dynamic port security
Correct Answer: D
Section: (none)
Explanation
Brad
Answer: D
Confidence level: 75%
Note: According to multiple links, port security is used to mitigate CAM overflow attacks. However, I found the following statement on a Cisco page: “A more administratively scalable solution is the implementation of dynamic port security at the switch”. Because of this, I believe the verbiage “Cisco preferred” would point to answer D.
Brad’s source link (maybe): http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
BD
User @Answer on securitytut.com considers A. as the correct answer.
Question 109.
Which option is the most effective placement of an IPS device within the infrastructure?
A. Inline, behind the internet router and firewall
B. Inline, before the internet router and firewall
C. Promiscuously, after the Internet router and before the firewall
D. Promiscuously, before the Internet router and the firewall
Correct Answer: A
Section: (none)
Explanation
BD
Firewalls are generally designed to be on the network perimeter and can handle dropping a lot of the nonlegitimate traffic (attacks, scans etc.) very quickly at the ingress interface, often in hardware.
An IDS/IPS is, generally speaking, doing more deep packet inspections and that is a much more computationally expensive undertaking. For that reason, we prefer to filter what gets to it with the firewall line of defense before engaging the IDS/IPS to analyze the traffic flow.
Source: https://supportforums.cisco.com/discussion/12428821/correct-placement-idsips-network-architecture
Question 110.
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)
A. Authentication attempts to the router will be denied
B. The user will be prompted to authenticate using the enable password
C. Authentication will use the router’s local database
D. Authentication attempts will be sent to the TACACS+ server
Correct Answer: BD
Section: (none)
Explanation
Brad
Answer: B and C
Confidence level: 60%
Notes: This is a widely debated question. See below:
– D is known incorrect. The router will eventually attempt to communicate with the TACACS server again, but not immediately.
– We know B is correct based on the command line
– Cisco devices store the enable password locally, and default behavior is for Cisco devices to fallback to local authentication when a TACACS/Radius server is down or returns an error. This is why I choose answer C.
– A user on the securitytut forums said that they labbed this scenario up and that A is a correct answer, not C. I have no way of verifying whether that user made a mistake or not, so I am sticking with the answer my research turned up.
BD
Two things I need to say. One, local database has nothing to do with enable secret/password as it is literally created using username/password command combinations. Second there is no fallback safety failover with aaa if you specify exact methods. Those exact methods are the only methods used, nothing else.
On the previous post I pasted an output for the authentication process with TACACS+ and enable. At a point there was a timeout message which resulted in switching to the second authentication method, ENABLE. “Use the timeout integer argument to specify the period of time (in seconds) the router will wait for a response from the daemon before it times out and declares an error.”
As a reference I used http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scftplus.html
What concerns me is "If an ERROR response is received, the network access server will typically try to use an alternative method for authenticating the user." It doesn't specifically say "The router retries to connect with the TACACS+".
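Added example (not from the certification guide or either poster above): a Python model of how an IOS method list such as "group tacacs+ enable" is walked, following the documented rule quoted above that the next method is consulted only after an ERROR, not after a FAIL. The usernames, passwords and enable secret are constructed for the example, and the TACACS+ server is simulated as either reachable or timing out.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (timeout, no server reachable)


def run_method_list(methods, backends, credentials):
    """Walk an IOS-style method list such as "group tacacs+ enable".

    The next method is consulted only when the previous one returned ERROR.
    A PASS or FAIL from a method that actually answered ends the walk, so a
    reachable TACACS+ server that rejects the user never falls through to the
    enable password.  If every method errors, nothing granted access and the
    login is denied.  Returns (final_result, deciding_method, trace).
    """
    trace = []
    for method in methods:
        result = backends[method](credentials)
        trace.append((method, result))
        if result is not Result.ERROR:
            return result, method, trace
    return Result.ERROR, None, trace


def tacacs_backend(reachable, users):
    """Simulated TACACS+ server; unreachable means ERROR after the timeout."""
    def auth(cred):
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(cred["user"]) == cred["password"] else Result.FAIL
    return auth


def enable_backend(enable_secret):
    """The "enable" method checks the password against the enable secret only;
    it never consults the username database."""
    def auth(cred):
        return Result.PASS if cred["password"] == enable_secret else Result.FAIL
    return auth


def local_backend(users):
    """The "local" method uses "username ... password/secret ..." entries."""
    def auth(cred):
        return Result.PASS if users.get(cred["user"]) == cred["password"] else Result.FAIL
    return auth


def scenarios():
    """Run the debated configuration under the conditions discussed above.
    All names and secrets are constructed for the example."""
    tacacs_users = {"alice": "tacacs-pw"}
    local_users = {"admin": "local-pw"}
    enable_secret = "enable-pw"
    cred_enable = {"user": "alice", "password": "enable-pw"}
    cred_local = {"user": "admin", "password": "local-pw"}

    def build(reachable):
        return {
            "group tacacs+": tacacs_backend(reachable, tacacs_users),
            "enable": enable_backend(enable_secret),
            "local": local_backend(local_users),
        }

    out = {}
    # TACACS+ times out -> ERROR -> the enable password is prompted and checked.
    out["server_error_enable"] = run_method_list(
        ["group tacacs+", "enable"], build(False), cred_enable)[:2]
    # TACACS+ answers with a reject -> FAIL -> "enable" is NOT consulted.
    out["server_reject"] = run_method_list(
        ["group tacacs+", "enable"], build(True), cred_enable)[:2]
    # With "enable" as the fallback, a local username/password is of no use.
    out["server_error_local_user"] = run_method_list(
        ["group tacacs+", "enable"], build(False), cred_local)[:2]
    # Only a list that names "local" ever reaches the username database.
    out["server_error_local_method"] = run_method_list(
        ["group tacacs+", "local"], build(False), cred_local)[:2]
    return out


if __name__ == "__main__":
    for name, (result, method) in scenarios().items():
        print(f"{name:28s} -> {result.name} via {method}")
```

The third scenario is the operational point behind the debate: there is no implicit fallback to the local username database; a method list only ever uses the methods it names, in order, and only on ERROR.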
Question 111.
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?
A. SDEE
B. Syslog
C. SNMP
D. CSM
Correct Answer: A
Section: (none)
Explanation
BD
IPS produces various types of events including intrusion alerts and status events. IPS communicates events to clients such as management applications using the proprietary RDEP2. We have also developed an IPS-industry leading protocol, SDEE, which is a product-independent standard for communicating security device events. SDEE is an enhancement to the current version of RDEP2 that adds extensibility features that are needed for communicating events generated by various types of security devices.
Question 112.
When a switch has multiple links connected to a downstream switch, what is the first step that STP takes to prevent loops?
A. STP elects the root bridge
B. STP selects the root port
C. STP selects the designated port
D. STP blocks one of the ports
Correct Answer: A
Section: (none)
Explanation
BD
First when the switches are powered on all the ports are in Blocking state (20 sec), during this time the
+ Root Bridge is elected by exchanging BPDUs
+ The other switches will elect their Root ports
+ Every network segment will choose its Designated port
Source: https://learningnetwork.cisco.com/thread/7677
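Added example (not from the certification guide or the poster above): a Python model of the three steps listed above, run on a constructed three-switch topology in which two switches are joined by parallel links, the situation the question describes. Bridge IDs, port names and link costs are constructed; the port name stands in for the sender's port ID when breaking the tie between the two parallel links.

```python
import heapq

# Constructed topology (not from the exam page). Bridge ID = (priority, MAC);
# all priorities are left at the default so the lowest MAC wins.
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
# Point-to-point links as (bridge, port, bridge, port, cost). SW1 and SW2 are
# joined by two parallel links.
LINKS = [
    ("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
    ("SW1", "Gi0/2", "SW2", "Gi0/2", 4),
    ("SW1", "Gi0/3", "SW3", "Gi0/1", 4),
    ("SW2", "Gi0/3", "SW3", "Gi0/2", 4),
]


def bid(name):
    return BRIDGES[name]


def ports_of(bridge):
    """Yield (my_port, neighbour, neighbour_port, cost) for every link on bridge."""
    for a, pa, b, pb, cost in LINKS:
        if a == bridge:
            yield pa, b, pb, cost
        if b == bridge:
            yield pb, a, pa, cost


def elect_root():
    """Step 1: the bridge with the lowest Bridge ID becomes the root."""
    return min(BRIDGES, key=bid)


def root_path_costs(root):
    """Lowest cumulative link cost from each bridge back to the root."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for _, nb, _, cost in ports_of(u):
            if d + cost < dist.get(nb, float("inf")):
                dist[nb] = d + cost
                heapq.heappush(heap, (d + cost, nb))
    return dist


def compute_roles():
    """Return (root, root path costs, {(bridge, port): role})."""
    root = elect_root()
    rpc = root_path_costs(root)
    roles = {}
    # Step 2: each non-root bridge picks exactly one root port: the lowest
    # offered cost, then the lowest neighbour BID, then the lowest neighbour
    # port. The last tie-break is what separates the two parallel links.
    for b in BRIDGES:
        if b == root:
            continue
        offers = [((rpc[nb] + cost, bid(nb), nbport), myport)
                  for myport, nb, nbport, cost in ports_of(b)]
        roles[(b, min(offers)[1])] = "root"
    # Step 3: on every segment the end with the lowest (cost, BID, port)
    # becomes the designated port.
    for a, pa, b, pb, _ in LINKS:
        winner = min((rpc[a], bid(a), pa, a), (rpc[b], bid(b), pb, b))
        roles.setdefault((winner[3], winner[2]), "designated")
    # Whatever is neither root nor designated is blocked; that is the port
    # that finally breaks the loop, but only after steps 1 to 3 decided which.
    for a, pa, b, pb, _ in LINKS:
        roles.setdefault((a, pa), "blocked")
        roles.setdefault((b, pb), "blocked")
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = compute_roles()
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(f"{bridge} {port}: {role} (cost to root {rpc[bridge]})")
```

Run as written, SW1 wins the root election on MAC alone, SW2 keeps Gi0/1 as its root port and blocks the parallel Gi0/2, and the SW2-SW3 link has SW2 as designated with SW3 Gi0/2 blocked. Blocking is the outcome, not the first step, which is the point of the question.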
Question 113.
Which type of address translation should be used when a Cisco ASA is in transparent mode?
A. Static NAT
B. Dynamic NAT
C. Overload
D. Dynamic PAT
Correct Answer: A
Section: (none)
Explanation
BD
+ Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT.
Question 114.
Which components does HMAC use to determine the authenticity and integrity of a message? (Choose two.)
A. The password
B. The hash
C. The key
D. The transform set
Correct Answer: BC
Section: (none)
Explanation
BD
In cryptography, a keyed-hash message authentication code (HMAC) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. It may be used to simultaneously verify both the data integrity and the authentication of a message.
Source: https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
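Added example (not from the certification guide or the poster above): a short Python demonstration of the two components the question names, a hash function and a secret key, and of what the key adds over a bare hash. The key and messages are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret; in practice it is provisioned out of band.
KEY = b"constructed-shared-secret"


def tag(key, message, digestmod=hashlib.sha256):
    """HMAC tag: the hash function keyed with the shared secret."""
    return hmac.new(key, message, digestmod).digest()


def verify(key, message, received_tag, digestmod=hashlib.sha256):
    """Recompute the tag and compare in constant time; compare_digest avoids
    leaking how many leading bytes of a guessed tag were right."""
    return hmac.compare_digest(tag(key, message, digestmod), received_tag)


def unkeyed_verify(message, received_digest):
    """What a bare hash gives you: integrity against accidents, nothing more."""
    return hmac.compare_digest(hashlib.sha256(message).digest(), received_digest)


def demo():
    """Constructed messages showing the difference the key makes."""
    msg = b"transfer 100 to account 42"
    forged = b"transfer 900 to account 42"
    t = tag(KEY, msg)
    return {
        # genuine message and tag from the key holder
        "hmac_genuine": verify(KEY, msg, t),
        # attacker alters the message but cannot recompute the tag without the key
        "hmac_tampered": verify(KEY, forged, t),
        # attacker computes a tag under a guessed key; the receiver's key differs
        "hmac_wrong_key": verify(KEY, msg, tag(b"guess", msg)),
        # with an unkeyed hash the attacker simply recomputes the digest and the
        # forged message "verifies": integrity without authenticity
        "unkeyed_forgery": unkeyed_verify(forged, hashlib.sha256(forged).digest()),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The last entry is the practical reason the exam answer is "hash and key" rather than "hash" alone: a digest an attacker can recompute proves nothing about who produced the message.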
Question 115.
What is the default timeout interval during which a router waits for responses from a TACACS server before declaring a timeout failure?
A. 5 seconds
B. 10 seconds
C. 15 seconds
D. 20 seconds
Correct Answer: A
Section: (none)
Explanation
BD
To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
If the command is not configured, the timeout interval is 5.
Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srftacs.html
Question 116.
Which RADIUS server authentication protocols are supported on Cisco ASA firewalls? (Choose three.)
A. EAP
B. ASCII
C. PAP
D. PEAP
E. MS-CHAPv1
F. MS-CHAPv2
Correct Answer: CEF
Section: (none)
Explanation
BD
The ASA supports the following authentication methods with RADIUS servers:
+ PAP — For all connection types.
+ CHAP and MS-CHAPv1 — For L2TP-over-IPsec connections.
+ MS-CHAPv2 – For L2TP-over-IPsec connections
There is an alternate version of this question that replaces RADIUS with TACACS. In that case, B is correct and F is not.
Question 117.
Which command initializes a lawful intercept view?
A. username cisco1 view lawful-intercept password cisco
B. parser view cisco li-view
C. li-view cisco user cisco1 password cisco
D. parser view li-view inclusive
Correct Answer: C
Section: (none)
Explanation
BD
Like a CLI view, a lawful intercept view restricts access to specified commands and configuration information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of simple network management protocol (SNMP) commands that store information about calls and users.
#li-view li-password user username password password
Source: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html
Question 118.
Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)
A. Port security
B. DHCP snooping
C. IP source guard
D. Dynamic ARP inspection
Correct Answer: BD
Section: (none)
Explanation
BD
+ ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received.
+ DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.
+ DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database.
Source: Cisco Official Certification Guide, Dynamic ARP Inspection, p.254
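Added example (not from the certification guide or the poster above): a simplified Python model of the DAI check described above, run over constructed ARP packets. The DHCP snooping binding table, ARP ACL entry, port names and MAC/IP addresses are all constructed. It covers the points a practitioner has to get right in a deployment: trusted ports are not inspected, ARP ACLs are consulted before the snooping database for hosts that never used DHCP, and the optional "validate src-mac" check catches a frame whose ARP body is correct but whose Ethernet source is not.

```python
# Constructed DHCP snooping binding table: (vlan, ip) -> (mac, port).
# Built by watching DHCP offers/acks; it is the "trusted database" DAI uses.
BINDINGS = {
    (10, "10.0.10.50"): ("aa:aa:aa:aa:aa:50", "Gi0/5"),
    (10, "10.0.10.51"): ("aa:aa:aa:aa:aa:51", "Gi0/6"),
}
# Statically addressed server that never used DHCP; covered by an ARP ACL.
ARP_ACL = {(10, "10.0.10.20"): "aa:aa:aa:aa:aa:20"}
# The uplink toward the router is trusted: ARP from there is not inspected.
TRUSTED_PORTS = {"Gi0/24"}


def dai_inspect(pkt, validate_src_mac=True):
    """Simplified Dynamic ARP Inspection for one ARP packet.

    pkt is a dict with: port, vlan, eth_src, sender_mac, sender_ip.
    Returns ("forward" | "drop", reason).
    """
    if pkt["port"] in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    # "ip arp inspection validate src-mac": the Ethernet source address must
    # equal the sender MAC carried inside the ARP body.
    if validate_src_mac and pkt["eth_src"] != pkt["sender_mac"]:
        return "drop", "ethernet source MAC differs from ARP sender MAC"
    key = (pkt["vlan"], pkt["sender_ip"])
    # ARP ACLs are consulted before the snooping database.
    if key in ARP_ACL:
        if ARP_ACL[key] == pkt["sender_mac"]:
            return "forward", "permitted by ARP ACL"
        return "drop", "ARP ACL binding mismatch"
    binding = BINDINGS.get(key)
    if binding is None:
        return "drop", f"no DHCP snooping binding for {pkt['sender_ip']} in VLAN {pkt['vlan']}"
    mac, _port = binding
    if mac != pkt["sender_mac"]:
        return "drop", f"binding says {pkt['sender_ip']} belongs to {mac}"
    return "forward", "matches DHCP snooping binding"


def sample_packets():
    """Constructed ARP replies/requests as seen by the switch."""
    return [
        {"name": "host50 reply", "port": "Gi0/5", "vlan": 10,
         "eth_src": "aa:aa:aa:aa:aa:50", "sender_mac": "aa:aa:aa:aa:aa:50", "sender_ip": "10.0.10.50"},
        {"name": "gateway reply via uplink", "port": "Gi0/24", "vlan": 10,
         "eth_src": "aa:aa:aa:aa:aa:01", "sender_mac": "aa:aa:aa:aa:aa:01", "sender_ip": "10.0.10.1"},
        # gratuitous reply from an access port claiming to be the gateway
        {"name": "gateway poison", "port": "Gi0/7", "vlan": 10,
         "eth_src": "bb:bb:bb:bb:bb:07", "sender_mac": "bb:bb:bb:bb:bb:07", "sender_ip": "10.0.10.1"},
        # attacker claims host51's IP with its own MAC
        {"name": "host51 poison", "port": "Gi0/7", "vlan": 10,
         "eth_src": "bb:bb:bb:bb:bb:07", "sender_mac": "bb:bb:bb:bb:bb:07", "sender_ip": "10.0.10.51"},
        # attacker copies host51's IP and MAC into the ARP body, but the frame
        # still carries the attacker's own source MAC
        {"name": "host51 spoofed body", "port": "Gi0/7", "vlan": 10,
         "eth_src": "bb:bb:bb:bb:bb:07", "sender_mac": "aa:aa:aa:aa:aa:51", "sender_ip": "10.0.10.51"},
        {"name": "static server", "port": "Gi0/10", "vlan": 10,
         "eth_src": "aa:aa:aa:aa:aa:20", "sender_mac": "aa:aa:aa:aa:aa:20", "sender_ip": "10.0.10.20"},
    ]


def demo(validate_src_mac=True):
    return {p["name"]: dai_inspect(p, validate_src_mac)[0] for p in sample_packets()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} {verdict}")
```

Re-running demo(validate_src_mac=False) lets the "spoofed body" frame through, because the IP-to-MAC pair in the ARP body does match a binding; that is why DAI is paired with port security or IP Source Guard rather than deployed alone.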
Question 119.
Which of the following statements about access lists are true? (Choose three.)
A. Extended access lists should be placed as near as possible to the destination
B. Extended access lists should be placed as near as possible to the source
C. Standard access lists should be placed as near as possible to the destination
D. Standard access lists should be placed as near as possible to the source
E. Standard access lists filter on the source address
F. Standard access lists filter on the destination address
Correct Answer: BCE
Section: (none)
Explanation
BD
Source: http://www.ciscopress.com/articles/article.asp?p=1697887
Question 120.
Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source
D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination
Correct Answer: B
Section: (none)
Explanation
BD
Source: http://www.ciscopress.com/articles/article.asp?p=1697887