Introducing The New!
Surepassexam Collection
Get Unlimited Access to all
Surepassexam's PREMIUM files
Q1. Which set of commands creates a message list that includes all severity 2 (critical) messages on a Cisco security device?
A. logging list critical_messages level 2
console logging critical_messages
B. logging list critical_messages level 2
logging console critical_messages
C. logging list critical_messages level 2
logging console enable critical_messages
D. logging list enable critical_messages level 2
console logging critical_messages
Answer: B
Q2. When it is configured in accordance to Cisco best practices, the switchport port-security maximum command can mitigate which two types of Layer 2 attacks? (Choose two.)
A. rogue DHCP servers
B. ARP attacks
C. DHCP starvation
D. MAC spoofing
E. CAM attacks
F. IP spoofing
Answer: C,E
Q3. How much storage is allotted to maintain system,configuration , and image files on the Cisco ASA 1000V during OVF template file deployment?
A. 1GB
B. 5GB
C. 2GB
D. 10GB
Answer: C
Q4. Which option is a valid action for a port security violation?
A. Reset
B. Reject
C. Restrict
D. Disable
Answer: C
Q5. An administrator is deploying port-security to restrict traffic from certain ports to specific MAC addresses. Which two considerations must an administrator take into account when using the switchport port-security mac-address sticky command? (Choose two.)
A. The configuration will be updated with MAC addresses from traffic seen ingressing the port. The configuration will automatically be saved to NVRAM if no other changes to the configuration have been made.
B. The configuration will be updated with MAC addresses from traffic seen ingressing the port. The configuration will not automatically be saved to NVRAM.
C. Only MAC addresses with the 5th most significant bit of the address (the 'sticky' bit) set to 1 will be learned.
D. If configured on a trunk port without the 'vlan' keyword, it will apply to all vlans.
E. If configured on a trunk port without the 'vlan' keyword, it will apply only to the native vlan.
Answer: B,E
Q6. A network engineer is troubleshooting and configures the ASA logging level to debugging. The logging-buffer is dominated by %ASA-6-305009 log messages. Which command suppresses those syslog messages while maintaining ability to troubleshoot?
A. no logging buffered 305009
B. message 305009 disable
C. no message 305009 logging
D. no logging message 305009
Answer: D
Q7. Which three compliance and audit report types are available in Cisco Prime Infrastructure? (Choose three.)
A. Service
B. Change Audit
C. Vendor Advisory
D. TAC Service Request
E. Validated Design
F. Smart Business Architecture
Answer: A,B,C
Q8. Enabling what security mechanism can prevent an attacker from gaining network topology information from CDP via a man-in-the-middle attack?
A. MACsec
B. Flex VPN
C. Control Plane Protection
D. Dynamic Arp Inspection
Answer: A
Q9. Which function does DNSSEC provide in a DNS infrastructure?
A. It authenticates stored information.
B. It authorizes stored information.
C. It encrypts stored information.
D. It logs stored security information.
Answer: A
Q10. Which two features does Cisco Security Manager provide? (Choose two.)
A. Configuration and policy deployment before device discovery
B. Health and performance monitoring
C. Event management and alerting
D. Command line menu for troubleshooting
E. Ticketing management and tracking
Answer: B,C
Q11. What is the primary purpose of stateful pattern recognition in Cisco IPS networks?
A. mitigating man-in-the-middle attacks
B. using multipacket inspection across all protocols to identify vulnerability-based attacks and to thwart attacks that hide within a data stream
C. detecting and preventing MAC address spoofing in switched environments
D. identifying Layer 2 ARP attacks
Answer: B
Q12. Which statement about Dynamic ARP Inspection is true ?
A. In a typical network, you make all ports as trusted expect for the ports connection to switches , which are untrusted
B. DAI associates a trust state with each switch
C. DAI determines the validity of an ARP packet based on valid IP to MAC address binding from the DHCP snooping database
D. DAI intercepts all ARP requests and responses on trusted ports only
E. DAI cannot drop invalid ARP packets
Answer: C
Q13. In a Cisco ASAv failover deployment, which interface is preconfigured as the failover interface?
A. GigabitEthernet0/2
B. GigabitEthernet0/4
C. GigabitEthernet0/6
D. GigabitEthernet0/8
Answer: D
Q14. Which option is the Cisco ASA on-box graphical management solution?
A. SSH
B. ASDM
C. Console
D. CSM
Answer: B
Q15. Which Layer 2 security feature validates ARP packets?
A. DAI
B. DHCP server
C. BPDU guard
D. BPDU filtering
Answer: A