210-260
Free trial
Verified
Question 1
Which two services define cloud networks? (Choose two.)
- A: Infrastructure as a Service
- B: Platform as a Service
- C: Security as a Service
- D: Compute as a Service
- E: Tenancy as a Service
Question 2
Which two statements about stateless firewalls are true? (Choose two.)
- A: They compare the 5-tuple of each incoming packet against configurable rules.
- B: They cannot track connections.
- C: They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
- D: Cisco IOS cannot implement them because the platform is stateful by nature.
- E: The Cisco ASA is implicitly stateless because it blocks all traffic by default.
Question 3
What is the Cisco preferred countermeasure to mitigate CAM overflows?
- A: Port security
- B: Dynamic port security
- C: IP source guard
- D: Root guard
Question 4
Which three statements about host-based IPS are true? (Choose three.)
- A: It can view encrypted files.
- B: It can have more restrictive policies than network-based IPS.
- C: It can generate alerts based on behavior at the desktop level.
- D: It can be deployed at the perimeter.
- E: It uses signature-based policies.
- F: It works with deployed firewalls.
Question 5
What three actions are limitations when running IPS in promiscuous mode? (Choose three.)
- A: deny attacker
- B: deny packet
- C: modify packet
- D: request block connection
- E: request block host
- F: reset TCP connection
Question 6
Refer to the exhibit.
What is the effect of the given command?
- A: It merges authentication and encryption methods to protect traffic that matches an ACL.
- B: It configures the network to use a different transform set between peers.
- C: It configures encryption for MD5 HMAC.
- D: It configures authentication as AES 256.
Question 7
How can FirePOWER block malicious email attachments?
- A: It forwards email requests to an external signature engine.
- B: It scans inbound email messages for known bad URLs.
- C: It sends the traffic through a file policy.
- D: It sends an alert to the administrator to verify suspicious email messages.
Question 8
Which type of secure connectivity does an extranet provide?
- A: other company networks to your company network
- B: remote branch offices to your company network
- C: your company network to the Internet
- D: new networks to your company network
Question 9
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three).
- A: when a matching TCP connection is found
- B: when the firewall requires strict HTTP inspection
- C: when the firewall receives a FIN packet
- D: when matching ACL entries are configured
- E: when the firewall requires HTTP inspection
- F: when matching NAT entries are configured
Question 10
If a switch port goes directly into a blocked state only when a superior BPDU is received, what mechanism must be in use?
- A: STP BPDU guard
- B: loop guard
- C: STP Root guard
- D: EtherChannel guard
Question 11
Which two characteristics apply to an Intrusion Prevention System (IPS)? (Choose two.)
- A: Does not add delay to the original traffic
- B: Cabled directly inline with the flow of the network traffic
- C: Can drop traffic based on a set of rules
- D: Cannot drop the packet on its own
- E: Runs in promiscuous mode
Question 12
Which quantifiable item should you consider when your organization adopts new technologies?
- A: exploits
- B: risk
- C: threats
- D: vulnerability
Question 13
Refer to the exhibit.
A network security administrator checks the ASA firewall NAT policy table with the show nat command. Which statement is false?
- A: First policy in the Section 1 is dynamic nat entry defined in the object configuration.
- B: There are only reverse translation matches for the REAL_SERVER object.
- C: NAT policy in Section 2 is a static entry defined in the object configuration.
- D: Translation in Section 3 is used when a connection does not match any entries in first two sections.
Question 14
In which two situations should you use out-of-band management? (Choose two.)
- A: when a network device fails to forward packets
- B: when you require ROMMON access
- C: when management applications need concurrent access to the device
- D: when you require administrator access from multiple locations
- E: when the control plane fails to respond
Question 15
Referencing the CIA model, in which scenario is a hash-only function most appropriate?
- A: securing data at rest
- B: securing wireless transmissions
- C: securing data in files
- D: securing real-time traffic
Question 16
Which command do you enter to enable authentication for OSPF on an interface?
- A: router(config-router)#area 0 authentication message-digest
- B: router(config-router)#ip ospf authentication-key CISCOPASS
- C: router(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS
- D: router(config-if)#ip ospf authentication message-digest
Question 17
Which two functions can SIEM provide? (Choose two.)
- A: dual-factor authentication
- B: proactive malware analysis to block malicious traffic
- C: centralized firewall management
- D: correlation between logs and events from multiple systems
- E: event aggregation that allows for reduced log storage requirements
Question 18
Refer to the exhibit.
Which statement about the device time is true?
- A: The time is authoritative, but the NTP process has lost contact with its servers.
- B: The time is authoritative because the clock is in sync.
- C: The clock is out of sync.
- D: NTP is configured incorrectly.
- E: The time is not authoritative.
Question 19
Refer to the exhibit.
If a supplicant supplies incorrect credentials for all authentication methods configured on the switch, how will the switch respond?
- A: The supplicant will fail to advance beyond the webauth method.
- B: The switch will cycle through the configured authentication methods indefinitely.
- C: The authentication attempt will time out and the switch will place the port into the unauthorized state.
- D: The authentication attempt will time out and the switch will place the port into VLAN 101.
Question 20
In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)
- A: TACACS uses TCP to communicate with the NAS.
- B: TACACS can encrypt the entire packet that is sent to the NAS.
- C: TACACS supports per-command authorization.
- D: TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.
- E: TACACS uses UDP to communicate with the NAS.
- F: TACACS encrypts only the password field in an authentication packet.
Question 21
According to Cisco best practices, which three protocols should the default ACL allow on an access port to enable wired BYOD devices to supply valid credentials and connect to the network? (Choose three.)
- A: BOOTP
- B: TFTP
- C: DNS
- D: MAB
- E: HTTP
- F: 802.1x
Question 22
What command can you use to verify the binding table status?
- A: show ip dhcp snooping database
- B: show ip dhcp snooping binding
- C: show ip dhcp snooping statistics
- D: show ip dhcp pool
- E: show ip dhcp source binding
- F: show ip dhcp snooping
Question 23
If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?
- A: root guard
- B: EtherChannel guard
- C: loop guard
- D: BPDU guard
Question 24
Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)
- A: AES
- B: 3DES
- C: DES
- D: MD5
- E: DH-1024
- F: SHA-384
Question 25
Which three ESP fields can be encrypted during transmission? (Choose three.)
- A: Security Parameter Index
- B: Sequence Number
- C: MAC Address
- D: Padding
- E: Pad Length
- F: Next Header
Free preview mode
Enjoy the free questions and consider upgrading to gain full access!