CCNAS Final Exam - CCNA Security: Implementing Network Security (Version 1.1)
Correct answers are shown in bold black type.
1. When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?
topology-based switching
autonomous switching
process switching
optimum switching
2. Which statement is true about the One-Step lockdown feature of the CCP Security Audit wizard?
It enables the Secure Copy Protocol (SCP).
It supports AAA configuration.
It enables TCP intercepts.
It sets an access class ACL on vty lines.
It provides an option for configuring SNMPv3 on all routers.
3. What are three common examples of AAA implementation on Cisco routers? (Choose three.)
authenticating administrator access to the router console port, auxiliary port, and vty ports
authenticating remote users who are accessing the corporate LAN through IPsec VPN connections
implementing public key infrastructure to authenticate and authorize IPsec VPN peers using digital certificates
implementing command authorization with TACACS+
securing the router by locking down all unused services
tracking Cisco Netflow accounting statistics
4. Refer to the exhibit. The administrator can ping the S0/0/1 interface of RouterB but is unable to gain Telnet access to the router using the password cisco123. What is a possible cause of the problem?
The Telnet connection between RouterA and RouterB is not working correctly.
The password cisco123 is wrong.
The enable password and the Telnet password need to be the same.
The administrator does not have enough rights on the PC that is being used.
5. Refer to the exhibit. An administrator has entered the commands that are shown on router R1. At what trap level is the logging function set?
2
3
5
6
6. If a switch is configured with the storm-control command and the action shutdown and action trap parameters, which two actions does the switch take when a storm occurs on a port? (Choose two.)
The port is disabled. (Corrected by Elfnet)
The switch is rebooted. (Original answer)
An SNMP log message is sent.
The port is placed in a blocking state.
The switch forwards control traffic only.
7. Why does a worm pose a greater threat than a virus poses?
Worms run within a host program.
Worms are not detected by antivirus programs.
Worms directly attack the network devices.
Worms are more network-based than viruses are.
8. When port security is enabled on a Cisco Catalyst switch, what is the default action when the maximum number of allowed MAC addresses is exceeded?
The violation mode for the port is set to restrict.
The MAC address table is cleared, and the new MAC address is entered into the table.
The port remains enabled, but the bandwidth is throttled until the old MAC addresses are aged out.
The port is shut down.
9. Which type of encryption algorithm uses public and private keys to provide authentication, integrity, and confidentiality?
IPsec
symmetric
asymmetric
shared secret
10. Which three statements describe the IPsec protocol framework? (Choose three.)
AH uses IP protocol 51.
AH provides encryption and integrity.
AH provides integrity and authentication.
ESP uses UDP protocol 50.
ESP requires both authentication and encryption.
ESP provides encryption, authentication, and integrity.
11. Refer to the exhibit. Which interface configuration completes the CBAC configuration on router R1?

R1(config)# interface fa0/0
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect INSIDE in
R1(config-if)# ip access-group OUTBOUND in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE out

R1(config)# interface fa0/0
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

R1(config)# interface fa0/1
R1(config-if)# ip inspect OUTBOUND in
R1(config-if)# ip access-group INSIDE in

12. Which statement describes the operation of the IKE protocol?
It uses IPsec to establish the key exchange process.
It uses sophisticated hashing algorithms to transmit keys directly across a network.
It calculates shared keys based on the exchange of a series of data packets.
It uses TCP port 50 to exchange IKE information between the security gateways.
13. Which two configuration requirements are needed for remote access VPNs using Cisco Easy VPN Server, but are not required for site-to-site VPNs? (Choose two.)
group policy lookup (Corrected by Elfnet)
IPsec translations (Original Answer)
virtual template interface
IKE policies
transform sets
14. What can be used as a VPN gateway when setting up a site-to-site VPN?
Cisco Catalyst switch
Cisco router
Cisco Unified Communications Manager
Cisco AnyConnect
15. Which type of Layer 2 attack makes a host appear as the root bridge for a LAN?
LAN storm
MAC address spoofing
MAC address table overflow
STP manipulation
VLAN attack
16. Refer to the exhibit. An administrator has configured a standard ACL on R1 and applied it to interface serial 0/0/0 in the outbound direction. What happens to traffic leaving interface serial 0/0/0 that does not match the configured ACL statements?
The resulting action is determined by the destination IP address.
The resulting action is determined by the destination IP address and port number.
The source IP address is checked and, if a match is not found, traffic is routed out interface serial 0/0/1.
The traffic is dropped.
17. The use of 3DES within the IPsec framework is an example of which of the five IPsec building blocks?
authentication
confidentiality
Diffie-Hellman
integrity
nonrepudiation
18. Refer to the exhibit. Which two statements are correct regarding the configuration on switch S1? (Choose two.)
Port Fa0/5 storm control for broadcasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/6 storm control for multicasts and broadcasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/6 storm control for multicasts will be activated if traffic exceeds 2,000,000 packets per second.
Port Fa0/5 storm control for multicasts will be activated if traffic exceeds 80.1 percent of the total bandwidth.
Port Fa0/5 storm control for broadcasts and multicasts will be activated if traffic exceeds 80.1 percent of 2,000,000 packets per second.
19. What is a characteristic of AAA accounting?
Accounting can only be enabled for network connections.
Users are not required to be authenticated before AAA accounting logs their activities on the network. (Original)
Possible triggers for the aaa accounting exec default command include start-stop and stop-only. (Corrected by Joker!)
Accounting is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.
20. A network technician is configuring SNMPv3 and has set a security level of auth. What is the effect of this setting?
authenticates a packet using the SHA algorithm only
authenticates a packet by a string match of the username or community string
authenticates a packet by using either the HMAC with MD5 method or the SHA method
authenticates a packet by using either the HMAC MD5 or HMAC SHA algorithms and encrypts the packet using either the DES, 3DES or AES algorithms
21. Which action best describes a MAC address spoofing attack?
altering the MAC address of an attacking host to match that of a legitimate host
bombarding a switch with fake source MAC addresses
forcing the election of a rogue root bridge
flooding the LAN with excessive traffic
22. When configuring a site-to-site IPsec VPN using the CLI, the authentication pre-share command is configured in the ISAKMP policy. Which additional peer authentication configuration is required?
Configure the message encryption algorithm with the encryption type ISAKMP policy configuration command.
Configure the DH group identifier with the group number ISAKMP policy configuration command.
Configure a hostname with the crypto isakmp identity hostname global configuration command.
Configure a PSK with the crypto isakmp key global configuration command.
23. Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
There is no access control to specific interfaces on a router.
The root user must be assigned to each privilege level defined.
Commands set on a higher privilege level are not available for lower privileged users.
Views are required to define the CLI commands that each user can access.
Creating a user account that needs access to most but not all commands can be a tedious process.
It is required that all 16 privilege levels be defined, whether they are used or not.
24. Which set of Cisco IOS commands instructs the IPS to compile a signature category named ios_ips into memory and use it to scan traffic?

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category all
R1(config-ips-category-action)# no retired false

R1(config)# ip ips signature-category
R1(config-ips-category)# category ios_ips basic
R1(config-ips-category-action)# no retired false

25. Refer to the exhibit. Which three things occur if a user attempts to log in four times within 10 seconds using an incorrect password? (Choose three.)
Subsequent virtual login attempts from the user are blocked for 60 seconds.
During the quiet mode, an administrator can virtually log in from any host on network 172.16.1.0/24.
Subsequent console login attempts are blocked for 60 seconds.
A message is generate