ENCOR-SECURITY Welcome to your CCNP ENCOR-SECURITY 1. Which place in the network (PIN) is considered to be the highest-risk, as it is the ingress and egress point for internet traffic? A. cloud B. data center C. WAN D. edge None 2. What threat protection actions are involved in the “before” phase of the attack continuum? A. defining the abilities and actions that are required when an attack gets through. B. establishing policies and implementing prevention measures to reduce risks. C. detecting, containing, and remediating attacks. D. conducting threat analysis and incident response. None 3. Which solution provides comprehensive network and data protection for organizations before, during, and after a malware attack? A. Cisco Umbrella B. Cisco ISE C. Cisco AMP D. Cisco Stealthwatch None 4. Which solution provides VPN access for clients and performs an assessment of the VPN client security posture compliance? A. Cisco Umbrella. B. Cisco AMP. C. Cisco Talos. D. Cisco AnyConnect. None 5. . What security capability is provided by applying Cisco WSA web reputation filters before an attack? A. prevents client devices from accessing dangerous websites containing malware or phishing links B. uses URL filtering to shut down access to websites known to host malware. C. provides administrators with granular control over web and mobile application usage behavior. D. inspects the network continuously for instances of undetected malware and breaches. None 6. Which security appliance passively monitors and analyzes network traffic for potential network intrusion attacks and logs the attacks for analysis? A. next-generation firewall B. web security appliance C. intrusion detection system D. intrusion prevention system None 7. . According to Gartner, Inc. what three capabilities must a next-generation firewall (NGFW) provide in addition to standard firewall features? (Choose three.) A. the ability to perform application-level inspection B. real-time contextual awareness C. 
incident response and forensics D. the ability to leverage external security intelligence E. an integrated IPS F. the ability to identify users who click malicious URLs 8. Which secure access solution can be implemented to authenticate endpoints that do not support 802.1x or MAB? A. Cisco TrustSec B. Cisco Identity-Based Network Services C. web authentication D. Enhanced Flexible Authentication None 9. Which EAP method makes use of the Protected Extensible Authentication Protocol (PEAP)? A. EAP challenge-based authentication method B. EAP tunneled TLS authentication method C. EAP TLS authentication method D. EAP inner authentication method None 10. What message is sent every 30 seconds by the 802.1x authenticator to an endpoint to initiate the MAB authentication process? A. RADIUS access-accept B. EAPoL identity request C. RADIUS access-request D. EAPoL start None 11. What are the three phases of TrustSec configuration? (Choose three.) A. access-request B. start C. ingress classification D. propagation E. access-accept F. egress enforcement 12. Which set of access control entries would allow all users on the 192.168.10.0/24 network to access a web server that is located at 172.17.80.1, but would not allow them to use Telnet? A. access-list 103 permit tcp 192.168.10.0 0.0.0.255 host 172.17.80.1 eq 80 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23 B. access-list 103 permit tcp 192.168.10.0 0.0.0.255 any eq 80 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq 23 C. access-list 103 deny tcp host 192.168.10.0 any eq 23 access-list 103 permit tcp host 192.168.10.1 eq 80 D. access-list 103 permit 192.168.10.0 0.0.0.255 host 172.17.80.1 access-list 103 deny tcp 192.168.10.0 0.0.0.255 any eq telnet None 13. Which three statements describe ACL processing of packets? (Choose three.) A. A packet that has been denied by one ACE can be permitted by a subsequent ACE. B. An implicit deny any rejects any packet that does not match any ACE. C. 
A packet that does not match the conditions of any ACE will be forwarded by default. D. Each statement is checked only until a match is detected or until the end of the ACE list. E. Each packet is compared to the conditions of every ACE in the ACL before a forwarding decision is made. F. A packet can either be rejected or forwarded as directed by the ACE that is matched. 14. What are two limitations of PACLs? (Choose two.) A. only support numbered ACLs B. only support extended ACLs C. can only filter Layer 2 traffic D. no support of ACLs that filter IPv6 packets E. no filtering of outbound traffic 15. An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.) A. Configure DNS on the router. B. Enable inbound vty Telnet sessions. C. Configure the IP domain name on the router. D. Configure a host name other than “Router”. E. Generate two-way pre-shared keys. F. Generate crypto keys. None 16. Which command produces an encrypted password that is easily reversible? A. username {username} secret {password} B. username {username} algorithm-type sha256 {password} C. enable secret {password} D. service password-encryption None 17. Which is the preferred method for securing device terminal lines? A. a password configured directly on the terminal lines B. username-based authentication C. AAA authentication D. username-based authentication restricted with an ACL None 18. What protocol is used to encapsulate the EAP data between the authenticator and authentication server performing 802.1X authentication? A. SSH B. TACACS+ C. RADIUS D. MD5 None 19. Which statement describes a difference between RADIUS and TACACS+? A. RADIUS separates authentication and authorization, whereas TACACS+ combines them as one process. B. RADIUS does not support EAP for 802.1x, whereas TACACS+ does. C. 
RADIUS encrypts only the password, whereas TACACS+ encrypts all communication. D. RADIUS uses TCP, whereas TACACS+ uses UDP. None 20. What is a feature of a Cisco IOS Zone-Based Policy Firewall? A. Router management interfaces must be manually assigned to the self zone. B. A router interface can belong to only one zone at a time. C. Service policies are applied in interface configuration mode. D. The pass action works in multiple directions. None 21. Which statement describes Cisco IOS Zone-Based Policy Firewall operation? A. The pass action works in only one direction. B. Router management interfaces must be manually assigned to the self zone. C. A router interface can belong to multiple zones. D. Service policies are applied in interface configuration mode. None 22. What are two characteristics of the ZBFW default zone? (Choose two.) A. By default, all IP addresses on a router are included in the default zone. B. It is a system built zone. C. By default, interfaces in the default zone are permitted to communicate with interfaces in other zones. D. All traffic is permitted by default to and from the default zone. E. Interfaces that are not members of other zones are placed in this zone by default. 23. What is the Control Plane Policing (CoPP) feature designed to accomplish? A. disable control plane services to reduce overall traffic. B. manage services provided by the control plane. C. direct all excess traffic away from the route processor. D. prevent unnecessary traffic from overwhelming the route processor. None 24. Which command can be issued to protect a Cisco router from unauthorized automatic remote configuration? A. no cdp enable B. no service pad C. no service config D. no ip proxy-arp None 25. . Which vulnerability can be mitigated by disabling CDP and LLDP on a Cisco device? A. advertising detailed information about a device B. automatic remote configuration C. half-open or orphaned TCP connections D. 
answering APR requests intended for other devices None 26. Which type of threat defense is provided by Cisco Umbrella? A. blocking requests to malicious Internet destinations. B. monitoring and analyzing network traffic for potential network intrusion attacks. C. identifying and blocking zero-day threats that manage to infiltrate the network. D. blocking hidden malware from both suspicious and legitimate websites. None 27. Which Cisco solution is used by Cisco Web Security Appliance to detect and correlate threats in real time? A. Cisco Umbrella B. Cisco Talos C. Cisco Threat Grid D. Cisco ISE None 28. Refer to the exhibit. A network engineer must configure a password expiry mechanism on the gateway router for all local passwords to expire after 60 days. What is required to complete this task? A. Add the username admin privilege 15 common-criteria-policy Administrators password Cisco13579! command. B. Add the aaa authentication enable default Administrators command. C. The password expiry mechanism is on the AAA server and must be configured there. D. No further action is required. The configuration is complete. None 29. Refer to the exhibit. An engineer is investigating why guest users are able to access other guest user devices when the users are connected to the customer guest WLAN. What action resolves this issue? A. implement MFP client protection B. implement split tunneling C. implement P2P blocking D. implement Wi-Fi direct policy None 30. What is a characteristic of MACsec? A. 802.1AE provides encryption and authentication services B. 802.1AE is bult between the host and switch using the MKA protocol, which negotiates encryption keys based on the master session key from a successful 802 1X session C. 802.1AE is bult between the host and switch using the MKA protocol using keys generated via the Diffie-Hellman algorithm (anonymous encryption mode) D. 802.1AE is negotiated using Cisco AnyConnect NAM and the SAP protocol None 31. 
What is a characteristic of a next-generation firewall? A. only required at the network perimeter B. required in each layer of the network C. filters traffic using Layer 3 and Layer 4 information only D. provides intrusion prevention None 32. Refer to the exhibit. An engineer must block all traffic from a router to its directly connected subnet 209.165.200.0/24. The engineer applies access control list EGRESS in the outbound direction on the GigabitEthernet0/0 interface of the router. However, the router can still ping hosts on the 209.165.200.0/24 subnet. Which explanation of this behavior is true? A. Access control lists that are applied outbound to a router interface do not affect traffic that is sourced from the router. B. Only standard access control lists can block traffic from a source IP address. C. After an access control list is applied to an interface, that interface must be shut and no shut for the access control list to take effect. D. The access control list must contain an explicit deny to block traffic from the router. None 33. Refer to the exhibit Which single security feature is recommended to provide Network Access Control the enterprise? A. MAB B. 802.1X C. WebAuth D. port security sticky MAC None 34. Refer to the exhibit. An engineer must modify the access control list EGRESS to allow all IP traffic from subnet 10.1.10.0/24 to 10.1.2.0/24. The access control list is applied in the outbound direction on router interface GigabitEthernet 0/1. Which configuration command set will allow this traffic without disrupting existing traffic flows? A. Option A B. Option B C. Option C D. Option D None 35. Which two threats does AMP4E have the ability to block? (Choose two.) A. DDoS B. ransomware C. Microsoft Word macro attack D. SQL injection E. email phishing 36. Refer to the exhibit. An engineer must create a configuration that executes the show run command and then terminates the session when user CCNP logs in. Which configuration change is required? A. 
Add the access-class keyword to the username command B. Add the access-class keyword to the aaa authentication command C. Add the autocommand keyword to the username command D. Add the autocommand keyword to the aaa authentication command None 37. Refer to the exhibit. An engineer has configured Cisco ISE to assign VLANs to clients based on their method of authentication, but this is not working as expected. Which action will resolve this issue? A. enable AAA override B. utilize RADIUS profiling C. require a DHCP address assignment D. set a NAC state None 38. Refer to the exhibit. Based on the configuration in this WLAN security setting, which method can a client use to authenticate to the network? A. text string B. username and password C. certificate D. RADIUS token None 39. What is a fact about Cisco EAP-FAST? A. It does not require a RADIUS server certificate. B. It requires a client certificate. C. It is an IETF standard. D. It operates in transparent mode. None 40. Which algorithms are used to secure REST API from brute attacks and minimize the impact? A. SHA-512 and SHA-384 B. MD5 algorithm-128 and SHA-384 C. SHA-1, SHA-256, and SHA-512 D. PBKDF2, BCrypt, and SCrypt None 41. Refer to the exhibit. What is the effect of this configuration? A. The device will allow users at 192.168.0.202 to connect to vty lines 0 through 4 using the password ciscotestkey B. The device will allow only users at 192 168.0.202 to connect to vty lines 0 through 4 C. When users attempt to connect to vty lines 0 through 4. the device will authenticate them against TACACS* if local authentication fails D. The device will authenticate all users connecting to vty lines 0 through 4 against TACACS+ None 42. Which statement about TLS is true when using RESTCONF to write configurations on network devices? A. It is provided using NGINX acting as a proxy web server. B. It is no supported on Cisco devices. C. It required certificates for authentication. D. 
It is used for HTTP and HTTPs requests. None 43. When configuration WPA2 Enterprise on a WLAN, which additional security component configuration is required? A. NTP server B. PKI server C. RADIUS server D. TACACS server None 44. Refer to the exhibit. Which outbound access list, applied to the WAN interface of a router, permits all traffic except for http traffic sourced from the workstation with IP address 10.10.10.1? A. Option A B. Option B C. Option C D. Option D None 45. Refer to the exhibit. Security policy requires all idle-exec sessions to be terminated in 600 seconds. Which configuration achieves this goal? A. line vty 0 15 absolute-timeout 600 B. line vty 0 15 exec-timeout C. line vty 01 5 exec-timeout 10 0 D. line vty 0 4 exec-timeout 600 None 46. How does Cisco TrustSec enable more flexible access controls for dynamic networking environments and data centers? A. uses flexible NetFlow B. assigns a VLAN to the endpoint C. classifies traffic based on advanced application recognition D. classifies traffic based on the contextual identity of the endpoint rather than its IP address None 47. Which design principle slates that a user has no access by default to any resource, and unless a resource is explicitly granted, it should be denied? A. least privilege B. fail-safe defaults C. economy of mechanism D. complete mediation None 48. Which features does Cisco EDR use to provide threat detection and response protection? A. containment, threat intelligence, and machine learning B. firewalling and intrusion prevention C. container-based agents D. cloud analysis and endpoint firewall controls None 49. Which method of account authentication does OAuth 2.0 within REST APIs? A. username/role combination B. access tokens C. cookie authentication D. basic signature workflow None 50. Which technology provides a secure communication channel for all traffic at Layer 2 of the OSI model? A. MACsec B. IPsec C. SSL D. Cisco Trustsec None 51. 
Which component of the Cisco Cyber Threat Defense solution provides user and flow context analysis? A. Cisco Firepower and FireSIGHT B. Cisco Stealthwatch system C. Advanced Malware Protection D. Cisco Web Security Appliance None 52. Refer to the exhibit. Assuming the WLC's interfaces are not in the same subnet as the RADIUS server, which interface would the WLC use as the source for all RADIUS-related traffic? A. the interface specified on the WLAN configuration. B. any interface configured on the WLC C. the controller management interface D. the controller virtual interface None 53. Which technology uses network traffic telemetry, contextual information, and file reputation to provide insight into cyber threats? A. threat defense B. security services C. security intelligence D. segmentation None 54. Which encoding is used to protect a username and login with RESTful API basic authentication? A. Base64 B. MD5 C. SHA-1 D. Type-7 None 55. What is one primary REST security design principle? A. fail-safe defaults B. password hash C. adding a timestamp in requests D. OAuth None 56. Refer to the exhibit. PC-1 must access the web server on port 8080. To allow this traffic, which statement must be added to an access control list that is applied on SW2 port G0/0 in the inbound direction? A. permit host 172.16.0.2 host 192.168.0.5 eq 8080 B. permit host 192.168.0.5 host 172.16.0.2 eq 8080 C. permit host 192.168.0.5 eq 8080 host 172.16.0.2 D. permit host 192.168.0.5 it 8080 host 172.16.0.2 None 57. When firewall capabilities are considered, which feature is found only in Cisco nextgeneration firewalls? A. malware protection B. stateful inspection C. traffic filtering D. active/standby high availability None 58. Which feature does Cisco TrustSec use to provide scalable, secure communication throughout a network? A. security group tag ACL assigned to each port on a switch B. security group tag number assigned to each port on a network C. 
security group tag number assigned to each user on a switch D. security group tag ACL assigned to each router on a network None 59. A customer wants to provide wireless access to contractors using a guest portal on Cisco ISE. The portal is also used by employees. A solution is implemented, but contractors receive a certificate error when they attempt to access the portal. Employees can access the portal without any errors. Which change must be implemented to allow the contractors and employees to access the portal? A. Install a trusted third-party certificate on the Cisco ISE B. Install an internal CA signed certificate on the Cisco ISE. C. Install a trusted third-party certificate on the contractor devices. D. Install an internal CA signed certificate on the contractor devices. None 60. Refer to the exhibit. How does the router handle traffic after the CoPP policy is configured on the router? A. Traffic coming to R1 that does not match access list SNMP is dropped. B. Traffic coming to R1 that matches access list SNMP is policed. C. Traffic passing through R1 that matches access list SNMP is policed. D. Traffic generated by R1 that matches access list SNMP is policed. None 61. Which threat defence mechanism, when deployed at the network perimeter, protects against zero-day attacks? A. intrusion prevention B. stateful inspection C. sandbox D. SSL decryption None 62. Refer to the exhibit The network administrator must be able to perform configuration changes when all the RADIUS servers are unreachable. Which configuration allows all commands to be authorized if the user has successfully authenticated? A. aaa authorization exec default group radius none B. aaa authentication login default group radius local none C. aaa authorization exec default group radius if-authenticated D. aaa authorization exec default group radius None 63. How can an engineer prevent basic replay attacks from people who try to brute force a system via REST API? A. 
Add a timestamp to the request In the API header. B. Use a password hash C. Add OAuth to the request in the API header. D. UseHTTPS None 64. Which NGFW mode block flows crossing the firewall? A. Passive B. Tap C. Inline tap D. Inline None 65. The login method is configured on the VTY lines of a router with these parameters. 1. The first method for authentication is TACACS 2. If TACACS is unavailable, login is allowed without any provided credentials Which configuration accomplishes this task? A. Option A B. Option B C. Option C D. Option D None 66. An engineer must create a new SSID on a Cisco 9800 wireless LAN controller. The client has asked to use a pre-shared key for authentication Which profile must the engineer edit to achieve this requirement? A. RF B. Policy C. WLAN D. Flex None 67. Refer to the exhibit. An engineer must permit traffic from these networks and block all other traffic An informational log message should be triggered when traffic enters from these prefixes Which access list must be used? A. access-list acl_subnets permit ip 10.0.32.0 0 0.0.255 log B. access-list acl_subn*ls permit ip 10.0.32.0 0.0.7.255 log C. access-list acl_subnets permit ip 10.0.32.0 0.0.7.255 access-list acl_subnets deny ip any log D. access-list acl_subnets permit ip 10.0.32.0 255.255.248.0 log None 68. An engineer is configuring local web authentication on a WLAN. The engineer chooses the Authentication radio button under the Layer 3 Security options for Web Policy. Which device presents the web authentication for the WLAN? A. ISE server B. local WLC C. RADIUS server D. anchor WLC None 69. A network engineer configures a WLAN controller with increased security for web access. There is IP connectivity with the WLAN controller, but the engineer cannot start a management session from a web browser. Which action resolves the issued? A. Disable JavaScript on the web browser B. Disable Adobe Flash Player C. Use a browser that supports 128-bit or larger ciphers. D. 
Use a private or incognito session. None 70. Refer to the exhibit. A company requires that all wireless users authenticate using dynamic key generation. Which configuration must be applied? A. AP(config-if-ssid)# authentication open wep wep_methods B. AP(config-if-ssid)# authentication dynamic wep wep_methods C. AP(config-if-ssid)# authentication dynamic open wep_dynamic D. AP(config-if-ssid)# authentication open eap eap_methods None 71. An engineer must configure AAA on a Cisco 9800 WLC for central web authentication Which two commands are needed to accomplish this task? (Choose two.) A. (Cisco Controller) > config wlan aaa-override disable B. (Cisco Controller) > config radius acct add 10.10.10.12 1812 SECRET C. (Cisco Controller) > config wlan aaa-override enable D. Device(config-locsvr-da-radius)# client 10.10.10.12 server-key O SECRET E. Device(config)# aaa server radius dynamic-author 72. An engineer must enable a login authentication method that allows a user to log in by using local authentication if all other defined authentication methods fail Which configuration should be applied? A. aaa authentication login CONSOLE group radius local-case enable aaa B. authentication login CONSOLE group radius local enable none C. aaa authentication login CONSOLE group radius local enable D. aaa authentication login CONSOLE group tacacs+ local enable None 73. Which deployment option of Cisco NGFW provides scalability? A. tap B. inline tap C. high availability D. clustering None 74. Refer to the exhibit. An engineer is designing a guest portal on Cisco ISE using the default configuration. During the testing phase, the engineer receives a warning when displaying the guest portal. Which issue is occurring? A. The server that is providing the portal has an expired certificate B. The server that is providing the portal has a self-signed certificate C. The connection is using an unsupported protocol D. The connection is using an unsupported browser None 75. 
Which network devices secure API platform? A. next-generation intrusion detection systems B. Layer 3 transit network devices C. content switches D. web application firewalls None 76. An engineer must protect their company against ransom ware attacks. Which solution allows the engineer to block the execution stage and prevent file encryption? A. Use Cisco AMP deployment with the Malicious Activity Protection engineer enabled. B. Use Cisco AMP deployment with the Exploit Prevention engine enabled. C. Use Cisco Firepower and block traffic to TOR networks. D. Use Cisco Firepower with Intrusion Policy and snort rules blocking SMB exploitation. None 77. Refer to the exhibit. What step resolves the authentication issue? A. use basic authentication B. change the port to 12446 C. target 192 168 100 82 in the URI D. restart the vsmart host None 78. What is provided by the Stealthwatch component of the Cisco Cyber Threat Defense solution? A. real-time threat management to stop DDoS attacks to the core and access networks B. real-time awareness of users, devices and traffic on the network C. malware control D. dynamic threat control for web traffic None 79. A network engineer is enabling HTTPS access to the core switch, which requires a certificate to be installed on the switch signed by the corporate certificate authority Which configuration commands are required to issue a certificate signing request from the core switch? A. Core-Switch(config)#crypto pki enroll Core-Switch Core-Switch(config)#ip http secure-trustpoint Core-Switch B. Core-Switch(config)#crypto pki trustpoint Core-Switch Core-Switch(ca-trustpoint)#enrollment terminal Core-Switch(config)#crypto pki enroll Core-Switch C. Core-Switch(config)#crypto pki trustpoint Core-Switch Core-Switch(ca-trustpoint)#enrollment terminal Core-Switch(config)#ip http secure-trustpoint Core-Switch D. Core-Switch(config)#ip http secure-trustpoint Core-Switch Core-Switch(config)#crypto pki enroll Core-Switch None 80. 
How does Cisco Trustsec enable more access controls for dynamic networking environments and data centers? A. uses flexible NetFlow B. assigns a VLAN to the endpoint C. classifies traffic based an the contextual identity of the endpoint rather than its IP address D. classifies traffic based on advanced application recognition None 81. An engineer must configure a ACL that permits packets which include an ACK In the TCP header. Which entry must be Included In the ACL? A. access-list 110 permit tcp any any eq 21 tcp-ack B. access-list 10 permit ip any any eq 21 tcp-ack C. access-list 10 permit tcp any any eq 21 established D. access-list 110 permit tcp any any eq 21 established None 82. Refer to the exhibit. Which privilege level is assigned to VTY users? A. 1 B. 7 C. 13 D. 15 None 83. An engineer is configuring a new SSID to present users with a splash page for authentication. Which WLAN Layer 3 setting must be configured to provide this functionally? A. CCKM B. WPA2 Policy C. Local Policy D. Web Policy None 84. Refer to the exhibit. Which command must be configured for RESTCONF to operate on port 8888? A. ip http port 8888 B. restconf port 8888 C. ip http restconf port 8888 D. restconf http port 8888 None 85. Which two characteristics apply to the endpoint security aspect of the Cisco Threat Defense architecture?(Choose two.) Which two characteristics apply to the endpoint security aspect of the Cisco Threat Defense architecture?(Choose two.) B. outbound URL analysis and data transfer controls C. user context analysis D. blocking of fileless malware in real time E. cloud-based analysis of threats 86. What is one main REST security design principle? A. separation of privilege B. password hashing C. confidential algorithms D. OAuth None 87. Refer to the exhibit. A network engineer must log in to the router via the console, but the RADIUS servers are not reachable. Which credentials allow console access? A. the username "cisco" and the password "cisco123" B. 
no username and only the password "test123" C. no username and only the password "cisco123" D. the username "cisco" and the password "cisco" None 88. An engineer is configuring Local WebAuth on a Cisco Wireless LAN Controller. According to RFC 5737. Which VIRTUAL IP address must be used in this configuration? A. 192.0.2.1 B. 172.20.10.1 C. 1.1.1.1 D. 192.168.0.1 None 89. What is the API keys option for REST API authentication? A. a predetermined string that is passed from client to server B. a one-time encrypted token C. a username that is stored in the local router database D. a credential that is transmitted unencrypted None 90. What are the main components of Cisco TrustSec? A. Cisco ISE and Enterprise Directory Services B. Cisco ISE. network switches, firewalls, and routers C. Cisco ISE and TACACS+ D. Cisco ASA and Cisco Firepower Threat Defense None 91. Refer to the exhibit. Extended access-list 100 is configured on interface GigabitEthernet 0/0 in an inbound direction, but it does not have the expected behavior of allowing only packets to or from 192 168 0.0/16 Which command set properly configures the access list? A. R1(config)#no access-list 100 deny ip any any B. R1(config)#no access-list 100 seq 10 R1(config)#access-list 100 seq 40 deny ip any any C. R1(config)#ip access-list extended 100 R1(config-ext-nacl)#5 permit ip any any D. R1(config)#ip access-list extended 100 R1(config-ext-nacl)#no 10 None 92. Refer to the exhibit. Clients report that they cannot connect to this SSID using the provided PSK. Which action will resolve this issue? A. Apply the correct interface to this WLAN. B. Apply the changes this SSID. C. Select the PSK under authentication key management. D. Define the correct Radio Policy. None 93. Refer to the exhibit Remote users cannot access the Internet but can upload files to the storage server. Which configuration must be applied to allow Internet access? A. 
ciscoasa(config)# access-list MAIL_AUTH extended permit udp any any eq http ciscoasa(config)# aaa authentication listener http outside redirect B. ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq www ciscoasa(config)# aaa authentication listener http inside redirect C. ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq http ciscoasa(config)# aaa authentication listener http inside port 43 D. ciscoasa(config)# access-list HTTP_AUTH extended permit udp any any eq http ciscoasa(config)# aaa authentication listener http outside port 43 None 94. Which two new security capabilities are introduced by using a next-generation firewall at the Internet edge?(Choose two.) A. DVPN B. NAT C. stateful packet inspection D. application-level inspection E. integrated intrusion prevention 95. Which two methods are used to assign security group tags to the user in a Cisco Trust Sec architecture? (Choose two ) A. modular QoS B. policy routing C. web authentication D. DHCP E. IEEE 802.1x None 96. Refer to the exhibit. A company has an internal wireless network with a hidden SSID and RADIUS-based client authentication for increased security. An employee attempts to manually add the company network to a laptop, but the laptop does not attempt to connect to the network. The regulatory domains of the access points and the laptop are identical. Which action resolves this issue? A. Ensure that the "Connect even if this network is not broadcasting" option is selected. B. Limit the enabled wireless channels on the laptop to the maximum channel range that is supported by the access points. C. Change the security type to WPA2-Personal AES. D. Use the empty string as the hidden SSID network name. None 97. A network engineer wants to configure console access to a router without using AAA so that the privileged exec mode is entered directly after a user provides the correct login credentials. Which action achieves this goal? A. 
Configure login authentication privileged on line con 0. B. Configure a local username with privilege level 15. C. Configure privilege level 15 on line con 0. D. Configure a RADIUS or TACACS+ server and use it to send the privilege level. None 98. What is one method for achieving REST API security? A. using a combination of XML encryption and XML signatures. B. using HTTPS and TLS encryption. C. using a MDS hash to verify the integrity. D. using built-in protocols known as Web Services Security. None 99. Which solution simplifies management of secure access to network resources? A. RFC 3580-based solution to enable authenticated access leveraging RADIUS and AV pairs B. 802.1AE to secure communication in the network domain C. ISE to automate network access control leveraging RADIUS AV pairs D. TrustSec to logically group internal user environments and assign policies None 100. How is traffic classified when using Cisco TrustSec technology? A. with the IP address B. with the VLAN C. with the security group tag D. with the MAC address None 101. A customer deploys a new wireless network to perform location-based services using Cisco DNA Spaces The customer has a single WLC located on-premises in a secure data center. The security team does not want to expose the WLC to the public Internet. Which solution allows the customer to securely send RSSI updates to Cisco DNA Spaces? A. Implement Cisco Mobility Services Engine B. Replace the WLC with a cloud-based controller. C. Perform tethering with Cisco DNA Center. D. Deploy a Cisco DNA Spaces connector as a VM. None 102. What is a benefit of using segmentation with TrustSec? A. Integrity checks prevent data from being modified in transit. B. Packets sent between endpoints on a LAN are encrypted using symmetric key cryptography. C. Security group tags enable network segmentation. D. Firewall rules are streamlined by using business-level profiles. None 103. 
103. Which authorization framework gives third-party applications limited access to HTTP services?
A. IPsec
B. Basic Auth
C. GRE
D. OAuth 2.0

104. Which two features are available only in next-generation firewalls? (Choose two.)
A. virtual private network
B. deep packet inspection
C. stateful inspection
D. application awareness
E. packet filtering

105. What is a client that is running 802.1x for authentication referred to as?
A. supplicant
B. NAC device
C. authenticator
D. policy enforcement point

106. An engineer is connected to a Cisco router through a Telnet session. Which command must be issued to view the logging messages from the current session as soon as they are generated by the router?
A. logging buffer
B. service timestamps log uptime
C. logging host
D. terminal monitor

107. What is the result of applying this access control list?
   ip access-list extended STATEFUL
    10 permit tcp any any established
    20 deny ip any any
A. TCP traffic with the URG bit set is allowed
B. TCP traffic with the SYN bit set is allowed
C. TCP traffic with the ACK bit set is allowed
D. TCP traffic with the DF bit set is allowed

108. A wireless administrator must create a new web authentication corporate SSID that will use ISE as the external RADIUS server. The guest VLAN must be specified after the authentication completes. Which action must be performed to allow the ISE server to specify the guest VLAN?
A. Enable AAA Override.
B. Enable Network Access Control State.
C. Set AAA Policy name.
D. Set RADIUS Profiling.

109. What is a benefit of Cisco TrustSec in a multilayered LAN network design?
A. Policies or ACLs are not required.
B. There is no requirement to run IEEE 802.1X when TrustSec is enabled on a switch port.
C. Application flows from hosts on the LAN to remote destinations can be encrypted.
D. Policy can be applied on a hop-by-hop basis.

110. An engineer must protect the password for the VTY lines against over-the-shoulder attacks.
Which configuration should be applied?
A. service password-encryption
B. username netadmin secret 9 $9$vFpMf8elb4RVV8$seZ/bDA
C. username netadmin secret 7 $1$42J36k33008Pyh4QzwXyZ4
D. line vty 0 15
   password XD822j

111. An engineer must configure router R1 to validate user logins via RADIUS and fall back to the local user database if the RADIUS server is not available. Which configuration must be applied?
A. aaa authorization exec default radius local
B. aaa authorization exec default radius
C. aaa authentication exec default radius local
D. aaa authentication exec default radius

112. Which mechanism can be used to enforce network access authentication against an AAA server if the endpoint does not support the 802.1X supplicant functionality?
A. WebAuth
B. MACsec
C. private VLANs
D. port security

113. Which security measure mitigates a man-in-the-middle attack on a REST API?
A. SSL certificates
B. biometric authentication
C. password hash
D. non-repudiation feature

114. Refer to the exhibit. An engineer configures a new WLAN that will be used for secure communications; however, wireless clients report that they are able to communicate with each other. Which action resolves this issue?
A. Enable Client Exclusions.
B. Disable Aironet IE.
C. Enable Wi-Fi Direct Client Policy.
D. Enable P2P Blocking.

115. Refer to the exhibit. Which configuration enables fallback to local authentication and authorization when no TACACS+ server is available?
A. Router(config)# aaa authentication login default local
   Router(config)# aaa authorization exec default local
B. Router(config)# aaa authentication login default group tacacs+ local
   Router(config)# aaa authorization exec default group tacacs+ local
C. Router(config)# aaa fallback local
D. Router(config)# aaa authentication login FALLBACK local
   Router(config)# aaa authorization exec FALLBACK local

116. An engineer must configure an EXEC authorization list that first checks a AAA server and then a local username. If both methods fail, the user is denied. Which configuration should be applied?
A. aaa authorization exec default local group tacacs+
B. aaa authorization exec default local group radius none
C. aaa authorization exec default group radius local none
D. aaa authorization exec default group radius local

117. Which two security features are available when implementing NTP? (Choose two.)
A. symmetric server passwords
B. clock offset authentication
C. broadcast association mode
D. encrypted authentication mechanism
E. access list-based restriction scheme

118. Which access control feature does MAB provide?
A. user access based on IP address
B. allows devices to bypass authentication
C. network access based on the physical address of a device
D. simultaneous user and device authentication

119. A wireless network engineer must configure a WPA2+WPA3 policy with the Personal security type. Which action meets this requirement?
A. Configure the GCMP256 encryption cipher.
B. Configure the CCMP256 encryption cipher.
C. Configure the CCMP128 encryption cipher.
D. Configure the GCMP128 encryption cipher.

120. Refer to the exhibit. A client requests a new SSID that will use web-based authentication and external RADIUS servers. Which Layer 2 security mode must be selected?
A. WPA + WPA2
B. WPA2 + WPA3
C. Static WEP
D. None

121. Which method ensures the confidentiality of data exchanged over a REST API?
A. Use the POST method instead of URL-encoded GET to pass parameters.
B. Encode sensitive data using Base64 encoding.
C. Deploy digest-based authentication to protect access to the API.
D. Use TLS to secure the underlying HTTP session.

122. Refer to the exhibit. Which configuration must be applied for the TACACS+ server to grant access-level rights to remote users?
A. R1(config)# aaa authentication login enable
B. R1(config)# aaa authorization exec default local if-authenticated
C. R1(config)# aaa authorization exec default group tacacs+
D. R1(config)# aaa accounting commands 15 default start-stop group tacacs+

123. Refer to the exhibit. Which result is achieved by the CoPP configuration?
A. Traffic that matches entry 10 of ACL 100 is always allowed.
B. Class-default traffic is dropped.
C. Traffic that matches entry 10 of ACL 100 is always allowed with a limited CIR.
D. Traffic that matches entry 10 of ACL 100 is always dropped.

124. Which method requires a client to authenticate and has the capability to function without encryption?
A. open
B. WEP
C. WebAuth
D. PSK

125. When the "deny" statement is used within a route map that is used for policy-based routing, how is the traffic that matches the deny route-map line treated?
A. Traffic is routed to the null 0 interface of the router and discarded.
B. Traffic is returned to the normal forwarding behavior of the router.
C. An additional sequential route-map line is needed to divert the traffic to the router's normal forwarding behavior.
D. An additional sequential route-map line is needed to policy route this traffic.

126. An engineer must configure a router to allow users to run specific configuration commands by validating the user against the router database. Which configuration must be applied?
A. aaa authentication network default local
B. aaa authentication exec default local
C. aaa authorization exec default local
D. aaa authorization network default local

127. When should the MAC authentication bypass feature be used on a switch port?
A. when authentication is required, but the attached host does not support 802.1X
B. when the attached host supports limited 802.1X
C. when authentication should be bypassed for select hosts based on their MAC address
D. when the attached host supports 802.1X and must authenticate itself based on its MAC address instead of user credentials
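Questions 98, 113 and 121 turn on the same point: HTTP Basic authentication only Base64-encodes the credentials, so confidentiality and protection against a man-in-the-middle come from TLS on the session, not from the encoding. The following Python is an added example, not code from this page or from Cisco: it decodes a Basic header to show that anyone who sees it recovers the password, then issues and verifies an HMAC-signed, expiring bearer token of the kind a client presents on later API calls after authenticating, so the server needs no per-session state. The signing key, the claim names and the sample credentials are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for the example: a server-side signing key that is never sent to clients.
SECRET = b"constructed-demo-secret"


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_auth(header: str) -> tuple:
    """Recover the credentials from a Basic header: Base64 is encoding, not encryption."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl: int = 3600, now=None, key: bytes = SECRET) -> str:
    """Stateless bearer token: signed claims with an expiry; the server stores nothing."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "exp": now + ttl}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now=None, key: bytes = SECRET):
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Constant-time comparison so a forged signature leaks nothing through timing.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(unb64url(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_request(headers: dict, now=None):
    """Server-side check of an incoming request: accept only a valid Bearer token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return verify_token(auth[len("Bearer "):], now=now)


if __name__ == "__main__":
    # Constructed sample exchange.
    hdr = basic_auth_header("api", "s3cret")
    print("Basic header on the wire:", hdr, "->", decode_basic_auth(hdr))
    tok = issue_token("alice", ttl=60, now=1000)
    print("token valid at t=1030:", authorize_request({"Authorization": "Bearer " + tok}, now=1030))
    print("token valid at t=1060:", authorize_request({"Authorization": "Bearer " + tok}, now=1060))
```

Sent over plain HTTP, both the Basic header and the bearer token are readable on the wire, which is why TLS is the answer to the confidentiality question; the difference is that the token is short-lived and bound to the server key, while the Basic header hands over a reusable password.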
128. Which of the following attacks becomes more effective because of global leakages of user passwords?
A. Dictionary
B. Brute-force
C. Phishing
D. Deauthentication

129. What is provided to the client to identify the authenticated session in subsequent API calls after authenticating to the Cisco DNA Center API?
A. username and password
B. client X.500 certificate
C. authentication token
D. session cookie

130. Refer to the exhibit. An administrator must enable RESTCONF access to a router. Which two commands or command sets must be added to the existing configuration? (Choose two.)
A. aaa authentication login default local
   aaa authorization exec default local
B. restconf
C. line vty 0 15
D. netconf-yang
E. username restconf privilege 0

131. What are two benefits of using Cisco TrustSec? (Choose two.)
A. consistent network segmentation
B. advanced endpoint protection against malware
C. simplified management of network access
D. unknown file analysis using sandboxing
E. end-to-end traffic encryption

132. An engineer must construct an access list for a Cisco Catalyst 9800 Series WLC that will redirect wireless guest users to a splash page that is hosted on a Cisco ISE server. The Cisco ISE servers are hosted at 10.9.11.141 and 10.1.11.141. Which access list meets the requirements?
A. Option A
B. Option B
C. Option C
D. Option D

133. Which security feature does stateless authentication and authorization use for REST API calls?
A. OAuth 2 token
B. API keys
C. SSL/TLS certificate encryption
D. Cookie-based session authentication

134. Which statement about Cisco EAP-FAST is true?
A. It does not require a RADIUS server certificate.
B. It requires a client certificate.
C. It is an IETF standard.
D. It operates in transparent mode.

135. Which access control list allows only TCP traffic with a destination port range of 22-443, excluding port 80?
A. deny tcp any any eq 80
   permit tcp any any gt 21 lt 444
B. permit tcp any any range 22 443
   deny tcp any any eq 80
C. permit tcp any any eq 80
D. deny tcp any any eq 80
   permit tcp any any range 22 443

136. Which standard access control entry permits traffic from odd-numbered hosts in the 10.0.0.0/24 subnet?
A. permit 10.0.0.0 0.0.0.1
B. permit 10.0.0.1 0.0.0.0
C. permit 10.0.0.1 0.0.0.254
D. permit 10.0.0.0 255.255.255.254

137. Refer to the exhibit. To which setting is the client limitation for WLAN LAP1 configured?
A. 60
B. 1800
C. Client exclusion is not enabled
D. 25

138. Which NGFW mode blocks flows crossing the firewall?
A. tap
B. inline
C. passive
D. inline tap

139. Which standard access control entry permits traffic from odd-numbered hosts in the 10.0.0.0/24 subnet?
A. permit 10.0.0.0 0.0.0.1
B. permit 10.0.0.1 0.0.0.254
C. permit 10.0.0.1 0.0.0.0
D. permit 10.0.0.0 255.255.255.254

140. How is the OAuth framework used in a REST API?
A. as a framework to hash the security information in the REST URL
B. by providing the external application a token that authorizes access to the account
C. as a framework to hide the security information in the REST URL
D. by providing the user credentials to the external application

141. Which security option protects credentials from sniffer attacks in basic API authentication?
A. next-generation firewall
B. TLS or SSL for communication
C. VPN connection between client and server
D. AAA services to authenticate the API

142. Which two security mechanisms are used by Cisco Threat Defense to gain visibility into the most dangerous cyber threats? (Choose two.)
A. virtual private networks
B. file reputation
C. VLAN segmentation
D. traffic telemetry
E. dynamic enforce policy

143. Which characteristic applies to the endpoint security aspect of the Cisco Threat Defense architecture?
A. detect and block ransomware in email attachments
B. outbound URL analysis and data transfer controls
C. user context analysis
D. blocking of fileless malware in real time
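Questions 107, 135 and 139 all depend on how IOS walks an ACL: entries are checked in order, the first match decides, anything unmatched hits the implicit deny at the end, `established` matches only TCP segments with the ACK or RST bit set, and a 1 bit in a wildcard mask means "don't care". The following Python evaluator is an added example, not Cisco code and not from the page; the sample ACLs and packets are constructed for it. It shows why ordering matters in question 135 (a permit for the range placed first shadows the later deny of port 80) and why only the 0.0.0.254 wildcard selects odd hosts in question 139.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ACLs in IOS-like text form (not IOS output).
ACL_DENY_FIRST = [          # correct answer shape for Q135: deny 80 before the range permit
    "deny tcp any any eq 80",
    "permit tcp any any range 22 443",
]
ACL_PERMIT_FIRST = [        # wrong order: the range permit matches port 80 first
    "permit tcp any any range 22 443",
    "deny tcp any any eq 80",
]
ACL_STATEFUL = [            # Q107: 'established' looks at ACK/RST, not SYN
    "permit tcp any any established",
    "deny ip any any",
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    dport: int = 0
    ack: bool = False     # TCP ACK flag
    rst: bool = False     # TCP RST flag


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w) == 0


def parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> dict:
    """Parse one extended ACE: action proto src dst [eq|range|gt|lt ...] [established]."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = parse_addr(t, 2)
    dst, i = parse_addr(t, i)
    lo = hi = None
    established = False
    while i < len(t):
        tok = t[i]
        if tok == "eq":
            lo = hi = int(t[i + 1]); i += 2
        elif tok == "range":
            lo, hi = int(t[i + 1]), int(t[i + 2]); i += 3
        elif tok == "gt":
            lo, hi = int(t[i + 1]) + 1, 65535; i += 2
        elif tok == "lt":
            lo, hi = 0, int(t[i + 1]) - 1; i += 2
        elif tok == "established":
            established = True; i += 1
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": (lo, hi), "established": established}


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not wildcard_match(pkt.src, *ace["src"]) or not wildcard_match(pkt.dst, *ace["dst"]):
        return False
    lo, hi = ace["ports"]
    if lo is not None and not (lo <= pkt.dport <= hi):
        return False
    # 'established' matches only segments carrying ACK or RST, i.e. replies to
    # sessions opened from the trusted side; an initial SYN does not match.
    if ace["established"] and not (pkt.ack or pkt.rst):
        return False
    return True


def evaluate(acl, pkt: Packet) -> str:
    """First matching ACE wins; a packet matching nothing hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


def standard_ace_matches(line: str, src: str) -> bool:
    """Standard ACE ('permit ADDR WILDCARD' or 'permit host ADDR') checks the source only."""
    (base, wc), _ = parse_addr(line.split(), 1)
    return wildcard_match(src, base, wc)
```

With `permit 10.0.0.1 0.0.0.254` every bit of the first three octets and the least significant bit of the last octet are fixed, so 10.0.0.3 and 10.0.0.255 match while 10.0.0.2 and 10.0.1.3 do not.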
144. Refer to the exhibit. A network engineer must permit administrators to automatically authenticate if there is no response from either of the AAA servers. Which configuration achieves this result?
A. aaa authentication enable default group radius local
B. aaa authentication login default group radius
C. aaa authentication login default group tacacs+ line
D. aaa authentication login default group radius none

145. Refer to the exhibit. An engineer is configuring WebAuth on a Cisco Catalyst 9800 Series WLC. The engineer has purchased a third-party certificate using the FQDN of the WLC as the CN and intends to use it on the WebAuth splash page. What must be configured so that the clients do not receive a certificate error?
A. Virtual IPv4 Hostname must match the CN of the certificate.
B. Virtual IPv4 Address must be set to a routable address.
C. Web Auth Intercept HTTPs must be enabled.
D. Trustpoint must be set to the management certificate of the WLC.

146. Refer to the exhibit. An SSID is configured and both clients can reach their gateways on the Layer 3 switch, but they cannot communicate with each other. Which action resolves this issue?
A. Set the WMM Policy to Allowed.
B. Set the P2P Blocking Action to Disabled.
C. Set the WMM Policy to Required.
D. Set the P2P Blocking Action to Forward-UpStream.

147. Refer to the exhibit. An engineer must configure a Cisco WLC with WPA2 Enterprise mode and avoid global server lists. Which action is required?
A. Enable EAP parameters.
B. Apply Cisco ISE default settings.
C. Select a RADIUS authentication server.
D. Disable the RADIUS server accounting interim update.

148. Which two statements about AAA authentication are true? (Choose two.)
A. RADIUS authentication queries the router's local username database.
B. TACACS+ authentication uses an RSA server to authenticate users.
C. Local usernames are case-insensitive.
D. Local authentication is maintained on the router.
E. KRB5 authentication disables user access when an incorrect password is entered.

149. Refer to the exhibit. Which password allows access to line con 0 for a username of "tommy" under normal operation?
A. Cisco
B. local
C. 0 Cisco
D. Tommy

150. A customer has completed the installation of a Wi-Fi 6 greenfield deployment at their new campus. They want to leverage Wi-Fi 6 enhanced speeds on the trusted employee WLAN. To configure the employee WLAN, which two Layer 2 security policies should be used? (Choose two.)
A. WPA2 (AES)
B. 802.1X
C. OPEN
D. WEP
E. WPA (AES)

151. Which IEEE standard provides the capability to permit or deny network connectivity based on the user or device identity?
A. 802.1d
B. 802.1w
C. 802.1q
D. 802.1x

152. Which mechanism can be used to enforce network access authentication against an AAA server if the endpoint does not support the 802.1X supplicant functionality?
A. private VLANs
B. port security
C. MAC Authentication Bypass
D. MACsec

153. What is a characteristic of MACsec?
A. 802.1AE is built between the host and switch using the MKA protocol, which negotiates encryption keys based on the primary session key from a successful 802.1X session.
B. 802.1AE is negotiated using Cisco AnyConnect NAM and the SAP protocol.
C. 802.1AE is built between the host and switch using the MKA protocol using keys generated via the Diffie-Hellman algorithm (anonymous encryption mode).
D. 802.1AE provides encryption and authentication services.

154. Refer to the exhibit. The control plane is heavily impacted after the CoPP configuration is applied to the router. Which command removal lessens the impact on the control plane?
A. access-list 120 permit eigrp any host 224.0.0.10
B. access-list 120 permit ospf any
C. access-list 120 permit udp any any eq pim-auto-rp
D. access-list 120 permit tcp any gt 1024 eq bgp log

155. Which two actions are recommended as security best practice to protect a REST API? (Choose two.)
A. Use TACACS+ authentication
B. Enable dual authentication of the session
C. Enable out-of-band authentication
D. Use SSL for encryption
E. Use a password hash

156. Which component does Cisco Threat Defense use to measure bandwidth, application performance, and utilization?
A. NetFlow
B. Cisco Umbrella
C. TrustSec
D. Advanced Malware Protection for Endpoints

157. Which time protocol offers security features and utilizes site-local IPv6 multicast addresses?
A. NTPv3
B. PTP IEEE 1588v1
C. NTPv4
D. PTP IEEE 1588v2

160. How does Cisco TrustSec enable more access controls for dynamic networking environments and data centers?
A. uses flexible NetFlow
B. assigns a VLAN to the endpoint
C. classifies traffic based on the contextual identity of the endpoint rather than its IP address
D. classifies traffic based on advanced application recognition
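Questions 111, 115, 116 and 144 hinge on IOS method-list semantics: the router moves to the next method in the list only when the current one cannot be consulted (no response from the server), not when the server answers with a failed login; `local` and `line` end the walk with a pass or a fail; `none` passes anyone who reaches it, which is why it is the answer to "authenticate automatically when no server responds" and would be wrong for "deny the user if both methods fail". The simulator below is an added example, not IOS code and not from the page; the servers, usernames and passwords are constructed, and the reachability flags stand in for a RADIUS or TACACS+ timeout.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"   # method could not be consulted, e.g. the server did not answer


def make_router(tacacs_up: bool = True, radius_up: bool = True) -> dict:
    """Constructed router state: two AAA servers, a local user database, a line password."""
    return {
        "tacacs+": {"up": tacacs_up, "users": {"netadmin": "T@c4cs"}},
        "radius": {"up": radius_up, "users": {"netadmin": "R4d1us"}},
        "local": {"users": {"netadmin": "L0cal!"}},
        "line": "C0nsole",
    }


def parse_method_list(cmd: str) -> list:
    """'aaa authentication login default group tacacs+ local' -> ['group tacacs+', 'local']."""
    tokens = cmd.split()[4:]
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(f"group {tokens[i + 1]}"); i += 2
        else:
            methods.append(tokens[i]); i += 1
    return methods


def run_method(method: str, router: dict, user: str, password: str) -> Result:
    """Outcome of a single method; only an unreachable server yields ERROR."""
    if method == "none":
        return Result.PASS
    if method == "line":
        return Result.PASS if password == router["line"] else Result.FAIL
    if method == "local":
        return Result.PASS if router["local"]["users"].get(user) == password else Result.FAIL
    if method.startswith("group "):
        server = router[method.split()[1]]
        if not server["up"]:
            return Result.ERROR
        return Result.PASS if server["users"].get(user) == password else Result.FAIL
    raise ValueError(f"unknown method {method!r}")


def authenticate(method_list: list, router: dict, user: str, password: str) -> tuple:
    """Walk the list; fall through to the next method only on ERROR.

    Returns (result, method that decided) or (FAIL, None) when every method errored
    and no 'none' was present to catch the request.
    """
    for method in method_list:
        outcome = run_method(method, router, user, password)
        if outcome is not Result.ERROR:
            return outcome, method
    return Result.FAIL, None


if __name__ == "__main__":
    # Constructed scenario: both servers down, operator types the local password.
    offline = make_router(tacacs_up=False, radius_up=False)
    for cmd in ("aaa authentication login default group tacacs+ local",
                "aaa authentication login default group radius none",
                "aaa authentication login default group radius"):
        print(cmd, "->", authenticate(parse_method_list(cmd), offline, "netadmin", "L0cal!"))
```

The second assertion in the test is the one operators get wrong in practice: with `group tacacs+ local` and the server reachable, a bad password is rejected by TACACS+ and the router never consults the local database, so the local credentials are a fallback for an outage, not a second chance at login.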