400-251 Exam - CCIE Security Written Exam

certleader.com

Q1. Which three statements about the Cisco IPS sensor are true? (Choose three.)

A. You cannot pair a VLAN with itself.

B. For a given sensing interface, an interface used in a VLAN pair can be a member of another inline interface pair.

C. For a given sensing interface, a VLAN can be a member of only one inline VLAN pair; however, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.

D. The order in which you specify the VLANs in an inline pair is significant.

E. A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.

Answer: A,C,E

Explanation:

Inline VLAN Interface Pairs

You cannot pair a VLAN with itself.

For a given sensing interface, a VLAN can be a member of only one inline VLAN pair. However, a given VLAN can be a member of an inline VLAN pair on more than one sensing interface.

The order in which you specify the VLANs in an inline VLAN pair is not significant.

A sensing interface in inline VLAN pair mode can have from 1 to 255 inline VLAN pairs.

Q2. DRAG DROP

Drag and drop each ESP header field on the left to the appropriate field length on the right.

Answer:

Q3. Which three statements about Unicast RPF in strict mode and loose mode are true? (Choose three.)

A. Loose mode requires the source address to be present in the routing table.

B. Inadvertent packet loss can occur when loose mode is used with asymmetrical routing.

C. Interfaces in strict mode drop traffic with return routes that point to the Null0 interface.

D. Strict mode requires a default route to be associated with the uplink network interface.

E. Strict mode is recommended on interfaces that will receive packets only from the same subnet to which the interface is assigned.

F. Both loose and strict modes are configured globally on the router.

Answer: A,C,E

Q4. Which three statements about Unicast RPF in strict mode and loose mode are true? (Choose three.)

A. Inadvertent packet loss can occur when loose mode is used with asymmetrical routing.

B. Strict mode requires a default route to be associated with the uplink network interface.

C. Both loose and strict modes are configured globally on the router.

D. Loose mode requires the source address to be present in the routing table.

E. Strict mode is recommended on interfaces that will receive packets only from the same subnet to which the interface is assigned.

F. Interfaces in strict mode drop traffic with return routes that point to the Null0 interface.

Answer: D,E,F

Q5. DRAG DROP

Drag and drop each RADIUS packet field on the left onto the matching description on the right.

Answer:

Explanation: A-5,B-2,C-1,D-3,E-4

Q6. Refer to the exhibit. What protocol format is illustrated?

A. GRE

B. AH

C. ESP

D. IP

Answer: B

Q7. DRAG DROP

Drag each IPsec term on the left to its definition on the right.

Answer:

Explanation:

AH: Provides integrity service only for IP packets

ESP: Provides integrity and encryption services for IP packets

SA: The relationship between two peers that determines which algorithms and keys the peers use to communicate securely

SADB: A container that stores the policy requirements for a security association to be established

SPD: A container for the parameters of each active security association

SPI: An identification tag that is added to the packet header of traffic intended to be tunneled

Q8. Refer to the exhibit. Which statement about the effect of this configuration is true?

A. Replay protection is disabled

B. It prevents man-in-the-middle attacks

C. The replay window size is set to infinity

D. Out-of-order frames are dropped

Answer: D

Q9. Refer to the following configuration:

class-map nbar_rtp

match protocol rtp payload-type "0,1,4-0x10, 10001b - 10010b,64"

The above NBAR configuration matches RTP traffic with which payload types?

A)

B)

C)

D)

A. Option A

B. Option B

C. Option C

D. Option D

Answer: A

Q10. DRAG DROP

Drag and drop the DNS record types on the left onto the matching descriptions on the right.

Answer:

Explanation:

DNSKEY: contains a public key for use by the resolver

NSEC: links to the zone's next record name

NSEC3: contains a hashed link to the zone's next record name

RRSIG: contains the record set's DNSSEC signature

NSEC3PARAM: used by authoritative DNS servers when responding to DNSSEC requests

DS: holds the delegated zone's name