Share your CCNA Security Experience

@Mostafa

Sorry for not replying sooner. It’s been a long/busy week. Lots of issues at work.

Pebcak05 at gmail dot com

@Bolo

My ccna R&S expires on 13th dec, so If I write an CCNA Sec Exam on 13dec and passed is my CCNA valid ?

CBT Nuggets are terrible so can someone please tell me what is the best material to study CCNA SECURITY

@soloman

Cisco says that to recertify you have to pass an exam before the certification expiration date. If before is really before, then up to 12 I’d say. Better ask them.

If I would choose between someone that took his cert shortly before the change and someone that took his certification after the adoption of the new structure I would go for the one that took his certification with the new structure. Any time. That way morons like Bolo would be out of hobby and work.

@20cm

Would you choose a certification shortly before the change or after the adoption of new structure, leaving morons like Bolo without hobby or work?
A. Certification or re-certification in old program.
B. New certification.
C. Ask mom for a hug because world is such a cruel place.
D. Going back to the basement and crying silently in a dark corner.

Correct answer is D, but C might be a possibility too.

@Rajeeb Sharma November 28th, 2019

Hello!

Congratulations!

Passed the 210-260 exam recently!

67 questions
1 Simulation
1 Drag and Drop (Shutdown, Restrict, Protect)

I mainly learned the PassLeader 210-260 dumps (553q NEW version), all questions are available in PassLeader.

Really helpful.

P.S.

Part of PassLeader 210-260 dumps are available here FYI:

drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg

(553q~~~NEW VERSION DUMPS Updated Recently!!!)

Good luck, all!

[copy that link and open it in your web browser]

And,

Part of PassLeader 210-260 IINS new questions (FYI):

[Get the download link at the end of this post]

NEW QUESTION 546
Which statement about TACACS+ is true?

A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.

Answer: C

NEW QUESTION 547
Which effect of the secure boot-image command is true?

A. It configure the device to boot to the secure IOS image.
B. It archives a secure copy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.

Answer: C

NEW QUESTION 548
Which two statements about an IPS in tap mode are true? (Choose two.)

A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.

Answer: BC

NEW QUESTION 549
How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?

A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.

Answer: C

NEW QUESTION 550
Which 802.1x component enforces the network access policy?

A. authentication server
B. authenticator
C. RADIUS server
D. supplicant

Answer: A

NEW QUESTION 551
Drag and Drop
Drag and drop the each port-security violation mode from the left onto the corresponding action on the right.

Answer:

NEW QUESTION 552
……

Download more NEW PassLeader 210-260 dumps from Google Drive here:

drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg

(553q~~~NEW VERSION DUMPS Updated Recently!!!)

Good luck, all!

[copy that link and open it in your web browser]

Thanks Bolo

@Bolo

What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two.)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled

Any specific reason you would go for “C” as the second answer? My understanding was that IPS doesn’t care (it’s not even aware) where it receives the traffic from (SPAN or TAP) it will do what you ask it to do.

@Bolo

With regards to the comment “20cm” made – it looks like someone is really getting annoyed by the positive impact you make on the forum… perhaps people stopped paying for those useless PassLeader 210-260 dumps.

@Bolo

BTW, IPS connected to a SPAN or TAP, does it still act like an IPS nor more like an IDS?

Also, anyone uses VCE ExamSimulator on Apple devices?

Subscription is like £84.99 per month… anyone knows any good alternatives or Jailbreak is the only way…?

@Anton

Yes, IPS doesn’t care where the traffic is coming from, but there is a difference in traffic coming from SPAN or TAP. SPAN traffic is “filtered”, for a lack of better word.

TAP can (if placed correctly) see all traffic, including L1 and media errors, undersized and malformed packets etc. – basically everything. SPAN will mostly copy and send over to IPS the traffic that was already manipulated by the switch, and certain packets will just not appear in it. Since answers B and E describe traffic that you could capture with TAP, but not SPAN – I include them under C – the type of analysis.

Few pages back I made an argument for every answer apart from D to possibly be correct. And if you think about asynchronous routing, even D could be correct – depending on the placement of SPAN/TAP in the network.

I hope this question is badly worded, and in reality there will be some detail to help decide which second answer is really correct. Or maybe it isn’t a “choose two” question.

And yes, it is actually IDS. Promiscuous IPS = IDS.

@Bolo
Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only one that does not have to exactly match between VPN peers to be accepted?
A. DH group
B. Hashing algorithm
C. Encryption algorithm
D. Digital signature
E. Authentication method
F. Lifetime

Yes, F is correct

Can u explain why F is correct ? I thought 5 parameter of IKE Phase 1 negotiated is HAGLE ?

@Trunk

F because lifetime does not have to match. All the other ones have to be the same on both ends. But you can set different lifetimes and the shorter one will be used.

okaty

Which type of firewall can perform deep packet inspection?
A. stateless firewall
B. packet-filtering firewall
C. application firewall
D. personal firewall 

Answer: B or C ???!

What is the main purpose of Control Plane Policing?
A. to prevent exhaustion of route-processor resources.
B. to define traffic classes.
C. to organize the egress packet queues.
D. to maintain the policy map.
Answer: A or B ?

What u think Bolo? Thanks so much

@Rony we are waiting your update if you did your exam.

@Trunk

C: application firewall
Not B because: packet filtering firewall is your standard cheap fw that works on IP addresses / ports

A: to prevent exhaustion of route-processor resources
Not B because: defining traffic classes is not a CoPP purpose. It is policing (regulating) the control plane – “traffic flow logic” – for example routing protocols.

@Bolo

Are all those questions people keeps asking you to confirm the answers for not covered in both (Youki & C0achGreece) PDF dumps?

@Anton

Yes, usually. But not all answers in dumps are correct. Last 2 questions asked here are from c0achGreece, and they both have wrong answers in the dump.

@ Bolo

Thanks, shall we get all the incorrect answers corrected? I’m working on creating a consolidated version of both documents. Once ready I will share it with you so we can make sure all the answers are corrected to the best of our knowledge.

@Bolo

BTW, I’m not going to bother with all the explanations and references as everyone is questioning everything here anyway…

@Anton

I guess some people put those explanations, because making dumps is their way of studying, and they just leave references at questions in case they come back and don’t remember why it was one or other answer.

Think if it’s worth your time to make another dump file, ‘cos this cert is going away in 2 months. Unless of course you’re doing it for yourself and just want to share afterwards.

Pass my test with 974/1000

All question come from c0achGreece and about new November question.
Answer is exactly like Bolo and every1 in here confirm.

Many thanks !
Goodluck !

Which command do you enter to verify the Phase 1 status of a VPN connection?

A. debug crypto isakmp
B. sh crypto sesewsion
C. sh crypto isakmp sa
D. sh crypto ipsec sa

On the dumps I am seeing the answer is C is this correct? or possibly D?

Thanks all, i passed my exam. I used the questions in this platform from page 251 coachgrees,news questions from .
947 for me was okay.
All the best

hello please share with me coch greese file and yako too. please. funjanet101 at gmail dot com

Grats Trunk and semwaNews, thanks for the feedback.

@Anonymous
If it asks about Phase 1, it is isakmp – so answer C is correct.
Answer D would be correct if asked about Phase 2.

@Thankt
Links are on page 252. Two for mediafire and one for gdrive. The one for gDrive has more pdfs than you will need – from what people are saying c0achGreece/Youki dumps + new questions that appear in this thread are enough.
Keep in mind that some answers in dumps and in new PL posted questions are wrong. You have to go through posts on this forum to find out correct answers.

@Bolo

Is it 24th of January or February the 210-260 expires?

I was thinking it is January but from what I can see now it is actually February.

@Trunk

Congratulations!

Do you or anyone else here have a list of “November questions” you mentioned in your comment above?

@Anton

It expires in February.

Those are PassLeader November questions, just go back through this forum for correct answers, and for possibly more questions from people giving feedback about the exam:

drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg

But in all fairness, most of the time someone says that there are new questions, they are not right – it’s just that they didn’t remember or see the question in the dump.

THANKS ALL I PASSED MY TEST TODAY 923

@Bolo

Thanks Bolo – I just had a quick glance over the PassLeader November dumo and it looks like there are some mistakes. For instance:

NEW QUESTION 540
What is the range of levels provided by the Privilege command?
A. 0-16
B. 0-15
C. 1-16
D. 1-14
E. 0-14
F. 1-15
Answer: D

But it should actually be “B”

@Anton

As for PassLeader November dump, correct answers are:
Q.538: C
Q.539: F
Q.540: B
Q.541: B
Q.542: BC (same as dump)
Q.543: A
Q.544: A
Q.545: B
Q.546: B
Q.547: C (same as dump)
Q.548: DE
Q.549: D
Q.550: B
Q.551: drag and drop solution is correct

So, you can judge the quality of PL dumps yourself…

It’s quite possible that PL just gets the questions, then they come here and post them and we do the job of finding correct answers for them.
Or just this November dump is full of shit, October only had 3 wrong answers.

@ Bolo …October only had 3 wrong answers.?? please let me know thoes question

@Bolo

Thanks… that explains everything…

@Amin Jitendra

Q.525: BC
Q.528: D
Q.534: C

pass with the word file method
gut 9xx

The PL has many wrong and misleading answers i would avoid it

search here and make your own ques, answer and categorize,
sort the file

guys in exam

how many multiple choice
how many simulations
how many drag & drop
any other questions ?

Thank you

@Bolo
@Anton

Thank you for your great work on this forum (and to others as well!).

Back to this question:
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (choose two)
A. The user will be prompted to authenticate using the enable password
B. Authentication will use the router’s local database
C. Authentication attempts will be sent to the TACACS+ server
D. Authentication attempts to the router will be denied

This is what I’ve found on Cisco pages: Troubleshoot TACACS Authentication Issues
How TACACS works
TACACS+ protocol uses Transmission Control Protocol (TCP) as the transport protocol with destination port number 49. When the Router receives a login request, it establishes a TCP connection with the TACACS server, post which a username prompt is displayed to the user. When the user enters the username, the Router again communicates with the TACACS server for the password prompt. Once the user enters the password, the Router send this information to the TACACS server again. The TACACS server verifies the user credentials and sends a response back to the Router. The result of a AAA session can be any of these:

PASS: When you are authenticated the service begins only if AAA authorization is configured on the router. The authorization phase begins at this time.

FAIL: When you have failed the authentication. You might be denied further access or be prompted to retry the login sequence, depending on the TACACS+ daemon. In this, you may need to check the policies configured for the user in TACACS server, if you receive a FAIL from the server

ERROR: It indicates an error occurred during authentication. This can be either at the daemon or in the network connection between the daemon and the router. If an ERROR response is received, the router typically tries to use an alternative method to authenticate the user.

So for me it is a clear A answer but then what else ?
B – no way, local method is not configured
C – if it’s after the error they don’t say anything about re-trying (only in case of FAIL and depends on daemon), maybe it depends on daemon configuration in this case as well ?
D – should not be denied right away as there’s still enable method configured

Can anyone share valid CCNA Security dumps!
zeus0091@gmaildotcom

if anyone wants dumps for 210-260 plz email me on charusatbatchc@gmaildotcom

Passed
n9.cl/tq1r

You can rely on this dump to pass the exam in the first attempt.

Good luck in the exam,

Best regards

what videos did you watch for ccna security
can we prepare in 1 month time if watching videos and practising ?

Thinking more about the Tacacs question above, I think only possible options are A and C because probably it will re-try to authenticate with tacacs and then go to next method
B and D do not look sound to me

Can someone explain me about the lab topology, I couldnt understand anything

@soloman: 67 questions – usually 1 sim (it has 4 questions), 2 DnD and rest MCQs

@@Asta: you have links a page or two back

@Edyta: depends on how you prepare and your capacity. If you get a right dump, with a bit of luck you can do it in a week or less – but you will not really know anything. If you want to study, 1 month is going to be very intense and you have to be smart – there’s no good material around to study for this exam. Official Cert Guide doesn’t even cover 50% of what you need to know. 31 Days Before Your CCNA Security is a decent supplementary book. CCNA Security Portable Command Guide also has some information in a very concise form. And there is a CBT Nuggets video course. And add to it going through exam objectives list and filling out what’s missing in those books/videos with Cisco knowledge base on the net. 1 month is very tight if you start from 0.

@Marcus: 4 hosts, 1 ASA, 2 routers… Not sure what needs explanation, sorry.

@Mac0

This question keeps coming back. Depending on how you understand it and which Cisco documentation you read, answer can be AC or CD. We labbed this in PT, and enable was only used for authentication when TACACS was offline. A guy here on the forum found this in Cisco documentation:
“If multiple methods are configured, the first option will act as the primary option and the subsequent methods will act as failover options in the order they are specified. The device will use failover methods only when it fails to get a response from the current method. If an authentication failure is received, the device will not fail over to the next method.”

PT doesn’t have AAA debug, but has IP debug and it can be seen that there is always a connection to TACACS first – so answer C in what you posted is correct. And then it’s up to you and how you understand the “server returned an error” part of the question.

If you assume that it means TACACS is online and reachable (so you get a response), then the answer is D
If you assume that TACACS is not reachable, then the answer is A

Hi Guys
@BOLO I’ve corrected the answers in Passleader as you mentioned above for Oct and Nov. Do you think this dump would be enough to pass. if not could you please recommend a better one where all answers are correct
Thank you in advance

@Mac0 the way of Local will perform even it did not type , see the command ,please see ：
You can change an AAA authentication rule method.
The methods include the following:
• Group—RADIUS server groups
• Local—Local database on the device
• None—Username only
The default method is local.
The rules are applied in the sequence order. If all methods fail, the device uses the default local method

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_aaa.pdf
page 8,
so,my answer is A and B

Guys, shall we just get it tested?

I can create this in my network and see what it does instead of guessing

If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (choose two)
A. The user will be prompted to authenticate using the enable password
B. Authentication will use the router’s local database
C. Authentication attempts will be sent to the TACACS+ server
D. Authentication attempts to the router will be denied

@Adam
I think c0achGreece and new questions that appeared here since August or so should be enough to pass, if answers are correct.

@Hui Li
NX-OS is not in CCNA Security. Also, the command in the question overwrites default method list (which, when first applied with aaa new-model command contains local as a method, true), with 2 methods – and none of them is local. So local database will never be used on this device for aaa.

@Anton
We tested it, it’s on page 251, not far from the top.

@Anton great idea

@Hui Li
but first the enable method is tried and we do not have information whether it is PASS or FAIL so we can’t tell if it goes to the fallback local method.

Another thing I found on cisco forum is:
The tacacs-server timeout
The tacacs-server timeout the default is 5 seconds and retries is 3, so for each server failover , 30 seconds is what it will take.

So that would mean A and C

So really as Bolo pointed out above it depends on what information you find and what you believe :)
Classic ambiguous Cisco.

F- ’em I’m going to fight my battle for CCNA Sec tomorrow and we’ll see how that went.

@Bolo and all

I have c0achGreece (1 August 2019) with 67 questions (Is this Ok to Pass)

when you mentioned New questions, how many do they have and from which page I need to refer the new questions

I haven’t verified Q39 as being correct

Q21 Which two descriptions of TACACS+ are true? (Choose two.)
A. It uses TCP as its transport protocol.
B. It combines authentication and authorization.
C. Only the password is encrypted.
D. The TACACS+ header is unencrypted
E. It uses UDP as its transport protocol.

Answer: AD

Q22 Which term refers to the electromagnetic interference that can radiate from network cables?
A. emanations
B. multimode distortion
C. Gaussian distributions
D. Doppler waves

Answer: A

Q23 Which mitigation technology for web-based threats prevents the removal of confidential data from the network?
A. AMP
B. DLP
C. DCA
D. CTA

Answer: B Data Loss Prevention

Q24 What are two limitations of the self-zone policies on a zone-based firewall? (Choose two)
A. They restrict SNMP traffic.
B. They are unable to implement application inspection.
C. They are unable to block HTTPS traffic.
D. They are unable to support HTTPS traffic.
E. They are unable to perform rate limiting.

Answer: BE

Q25 What are two default behaviors of the traffic on a zone-based firewall? (Choose two.)
A. The CBAC rules that are configured on router interfaces apply to zone interfaces.
B. Communication is blocked between interfaces that are members of the same zone.
C. Traffic within self zone uses an implicit deny all
D. All traffic between zones is implicitly blocked.
E. Communication is allowed between interfaces that are members of the same zone.

Answer: DE

Q26 Which two statements about Hardware-Based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost-effective
E. It requires minimal configuration

Answer: BD

Q27 Which path do you follow to enable AAA through the SDM?
A. Configure >Tasks >AAA
B. Configure > Authentication >AAA
C. Configure > Additional Authentication > AAA
D. Configure > Additional Tasks > AAA
E. Configure > AAA

Answer: D

Q28 Refer to the exhibit. Which type of NAT is configured on a Cisco ASA?

nat (ins,any) dynamic interface

A. dynamic NAT
B. source identity NAT
C. dynamic PAT
D. identity twice

NAT Answer: C

Q29 When connecting to an external resource, you must change a source IP address to use one IP address from a range of 207.165.201.1 to 207.165.201.30. Which option do you implement?
A. static destination NAT that uses a subnet as a real destination
B. dynamic source NAT that uses a range as a mapped source
C. dynamic Source NAT that uses an IP address as a mapped source
D. static destination NAT that uses a subnet as a real source

Answer: B

Q30 Refer to the exhibit. What is the effect of the given configuration?

Device #tunnel group 192.x.x.x ipsec-attributes Device# pre-shared-key cisco654

A. It establishes the preshared key for the router
B. It establishes the preshared key for the switch
C. It establishes the preshared key for the firewall
D. It establishes the preshared key for the Cisco ISE appliance.

Answer: C

Q31 In which type of attack does an attacker overwrite an entry in the CAM table to divert traffic destined to a legitimate host?
A. MAC spoofing
B. ARP spoofing
C. CAM table overflow
D. DHCP spoofing

Answer: A

Q32 What is an advantage of split tunneling?
A. It allows users with a VPN connection to a corporate network to access the Internet by using the VPN for security
B. It enables the VPN server to filter traffic more efficiently.
C. It allows users with a VPN connection to a corporate network to access the Internet without sending traffic across the corporate network.
D. It protects traffic on the private network from users on the public network.

Answer: C

Q33 What does the policy map do in CoPP?
A. defines the action to be performed
B. defines packet selection parameters
C. defines the packet filter
D. defines service parameters

Answer: A

Q34 What is the maximum number of methods that a single method list can contain?
A. 4
B. 3
C. 2
D. 5

Answer: A

Q35 Which attack involves large numbers of ICMP packets with a spoofed source IP address?
A. Teardrop attack
B. smurf attack
C. Nuke attack
D. SYN Flood attack

Answer: B

Q36 Which type of social engineering attack targets top executives?
A. baiting
B. vishing
C. whaling
D. spear phishing

Answer: C

Q37 Which command can you enter to verify the statistics of cisco IOS resilient configuration on cisco router?
A. show binary file
B. show secure bootset
C. secure boot-config
D. secure boot-image

Answer: B

Q38 What aims to remove the ability to deny an action?
A. Integrity
B. Deniability
C. Accountability
D. Non-Repudiation

Answer: D

Q39 You have just deployed SNMPv3 in your environment. Your manager asks you make sure that your agents can only talk to the SNMP Manager. What would you configure on your SNMP agents to satisfy this request?
A. Routing Filter with the SNMP managers in it applied outbound
B. A SNMP View containing the SNMP managers
C. A standard ACL containing the SNMP managers applied to the SNMMP configuration.
D. A SNMP Group containing the SNMP managers

Answer: *D* or C?

Q40. D&D

DHCP Snooping —> Blocks DHCP messages fro untrusted source

Dynamic ARP Inspection —> Verifies IP to MAC traffic on untrusted ports

Port Security —> Mitigates MAC address spoffing at the access interface

IP Source Guard —> Provides L2 interface security with port ACLs

friends,

I have a summary of the exam 210-260, 300-206, 300-208, 300-209 and 300-210.

You only need these files to pass 100% confirmed.

Many know me, if you are interested please write to the following email.

ccnpswicth@ gmail. com

Qs 44 and 47 have been corrected

C. to organize the egress packet queues.
D. to maintain the policy map.

Answer: *B*

Q57 What action must you take on the ISE to blacklist a wired device?
A. Issue a COA request for the device’s MAC address to each access switch in the network.
B. Add the devices MAC address to a list of blacklisted devices.
C. Locate the switch through which the device is connected and push an ACL restricting all access by the device.
D. Revoke the device’s certificate so it is unable to authenticate to the network.

Answer: B

Q58 Which term is most closely aligned with the basic purpose of a SIEM solution?
A. Causality
B. Accountability
C. Non-Repudiation
D. Repudiation

Answer: B

Q59 Which statement about the native VLAN is true?
A. It is the Cisco-recommended VLAN for user traffic.
B. It is most secure when it is assigned to VLAN1.
C. It is susceptible to VLAN hopping attacks.
D. It is the Cisco recommended VLAN for switch-management traffic.

Answer: C

Q60 How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them into EAP and forwards them to the authentication server.

Answer: B

I still have questions on Q62 and Q63 and I corrected Q65

Q60 D&D List steps to configure WSA:

1. Run System Wizard
2. Create Auth Realm
3. Configure Identity Management
4. Configure Directory Groups

Q62 Which IKE phase 1 parameter can you use to require the site-to-site VPN to use a pre-shared key?
A. group
B. hash
C. authentication
D. encryption

Answer: *C*

Q63 How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Configure twice NAT instead of object NAT.
B. Add the no-proxy-arp command to the nat line.
C. Assign the output interface in the NAT statement.
D. Use packet-tracer rules to reroute misrouted NAT entries.

Answer: *B* or C?

Q64 What is the minimum Cisco IOS version that supports zone-based firewalls?
A. 12.4(6)T
B. 15.1
C. 15.0
D. 12.1T

Answer: A

Q65 Which type of firewall can perform deep packet inspection?
A. stateless firewall
B. packet-filtering firewall
C. application firewall
D. personal firewall 

Answer: *B* Answer is C

From Wikipedia:
The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall, which is – without additional software – unable to control network traffic regarding a specific application. There are two primary categories of application firewalls, network-based application firewalls and host-based application firewalls.

Q66 What is the best definition of hairpinning?
A. traffic that enters and exits a device through the same interface
B. traffic that tunnels through a device interface
C. traffic that enters one interface on a device and that exits through another interface
D. ingress traffic that traverses the outbound interface on a device

Answer: A

Q67 What are two features of transparent firewall mode? (Choose two.)
A. It allows some traffic that is blocked in routed mode.
B. It conceals the presence of the firewall from attackers.
C. It is configured by default.
D. It acts as a router hop in the network.
E. It enables the ASA perform as a router.

Answer: AB

friends,
11
I have a summary of the exam 210-260, 300-206, 300-208, 300-209 and 300-210.

You only need these files to pass 100% confirmed.

Many know me, if you are interested please write to the following email.

ccnpswicth@ gmail. com

@c0achGreece dump spammer (with love)

Q09 Which action does standard antivirus software perform as part of the file‐analysis process?
A. execute the file in a simulated environment to examine its behavior
B. examine the execution instructions in the file
C. flag the unexamined file as a potential threat
D. create a backup copy of the file

Answer: B

Q39 You have just deployed SNMPv3 in your environment. Your manager asks you make sure that your agents can only talk to the SNMP Manager. What would you configure on your SNMP agents to satisfy this request?
A. Routing Filter with the SNMP managers in it applied outbound
B. A SNMP View containing the SNMP managers
C. A standard ACL containing the SNMP managers applied to the SNMMP configuration.
D. A SNMP Group containing the SNMP managers

Answer: C

Q63 How can you prevent NAT rules from sending traffic to incorrect interfaces?
A. Configure twice NAT instead of object NAT.
B. Add the no-proxy-arp command to the nat line.
C. Assign the output interface in the NAT statement.
D. Use packet-tracer rules to reroute misrouted NAT entries.

Answer: C

Q26 Which two statements about Hardware-Based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost-effective
E. It requires minimal configuration

Answer: BE

Q67 What are two features of transparent firewall mode? (Choose two.)
A. It allows some traffic that is blocked in routed mode.
B. It conceals the presence of the firewall from attackers.
C. It is configured by default.
D. It acts as a router hop in the network.
E. It enables the ASA perform as a router.

Answer: AB – answer A is a bit different, something alone the line of A. It allows more traffic than routed mode. But it is a correct answer

@Nabha

c0achGreece, and new questions that were discussed here since August are enough. Of course SIM and DnD are required too, can’t recall if they are in c0AchGreece’s dump.

@c0achGreece spammer (with love)

You skipped questions 41-56

@Bolo It looks like i tripped a spam filter because I can’t post the missed Qs

I corrected 44 and 47

Q41 Which two statements are correct about hardware-based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost effective.
E. It requires minimal configuration.

Answer: BD

Q42 Which command do you enter to verify the Phase 1 status of a VPN connection?
A. debug crypto isakmp
B. sh crypto session
C. sh crypto isakmp sa
D. sh crypto ipsec sa

Answer: C

Q43 What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two.)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled

Answer: *AB* or BC?

Q44 Which information can you display by executing the show crypto ipsec sa command?
A. proxy information for the connection between two peers
B. IPsec SAs established between two peers
C. recent changes to the IP address of a peer router
D. ISAKMP SAs that are established between two peers

Answer: B Coach said C which is incorrect. From Cisco:
show crypto ipsec sa
This command shows IPsec SAs built between peers.
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#ipsec_sa

Q45 Which command enables port security to use sticky MAC address on a switch?
A. switchport port-security
B. switchport port security mac-address sticky
C. switchport port-security violation protect
D. switchport port-security violation restrict

Answer: B

Q46 When would you configure ip dhcp snooping trust command on a switch?
A. when the switch is connected to DHCP server.
B when the switch is connected to client system.
C. when the switch is serving as an aggregator.
D. when the switch is working in an edge capacity.

Answer: A

Q47 Which IDS/IPS state misidentifies acceptable behavior as an attack?
A. false positive
B. false negative
C. true positive
D. true negative

Answer: *A* Should be B

From page 463 of the Cert Guide:

A false positive is when the sensor generates an alert about traffic and that traffic is not malicious or important as related to the safety of the network. False positives are easy to identify because alerts are generated and easily viewed. A false negative, however, is when there is malicious traffic on the network, and for whatever reason the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything negative is going on.

Q48 How is management traffic isolated on a Cisco ASR 1002?
A. Traffic is isolated based upon how you configure routing on the device.
B. There is no management traffic isolation on a Cisco ASR 1002.
C. The management interface is configured in a special VRF that provides traffic isolation from the default routing table.
D. Traffic isolation is done on the VLAN level.

Answer: C

I’ll try to post the remaining Qs later today

@Not Coach

Q47 is A 100% – it asks for acceptable behavior being alerted/blocked as attack = non malicious = false positive

Passed Yesterday ! Dump used :

n9.cl/tq1r

You can rely on this dump to pass the exam in the first attempt.

Good luck in the exam,

Best regards

@Mac0 Yep I see that now…

Hooot quistion … Please need help !!
Of all parameters that are negotiated for IKE Phase 1 tunnel , which parameter is the only one that does not have exactly match between VPN peers to be accepted?

A. DH group
B.Hashing algorithm
C.Encryption Algorithm
D. Digital Signature
E. Authentication Method
F.Lifetime

@Luay F lifetime

I’ve seen this one multiple times in the dumps incorrect and not even full question.
Youki has it correct so I felt like posting:

QUESTION 309
Which description of the nonsecret numbers that are used to start a Diffie-Hellman exchange is true?
A. They are large pseudorandom numbers.
B. They are very small numbers chosen from a table of known values
C. They are numeric values extracted from hashed system hostnames.
D. They are preconfigured prime integers
Correct Answer: D

Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels support all operating systems
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels require the client to have the application installed locally

@Not Coach , Thank You

What does the dh group length of key for encryption key :
A- Length of key for exchange
B- Length of key for encryption
C- Length of key for authantication
D- Length of key for hashing

@Lyay Authentication follows the DH key exchange so the answer should be C

Please help with this question !!

WHAT IS THE RANGE OF LEVEL PROVIDED BY THE privilege command ?
A. 0-14
B.0-15
C.0-16
D.1-14
E.1-15
F.1-16

kyft

A false positive is when the sensor generates an alert about traffic and that traffic is not malicious or important as related to the safety of the network. False positives are easy to identify because alerts are generated and easily viewed. A false negative, however, is when there is malicious traffic on the network, and for whatever reason the IPS/IDS did not trigger an alert, so there is no visual indicator (at least from the IPS/IDS system) that anything negative is going on.

Q48 How is management traffic isolated on a Cisco ASR 1002?
A. Traffic is isolated bawdsed upon how you configure routing on the device.
B. There is no management traffic isolation on a Cisco ASR 1002.
C. The management interface is configured in a special VRF that provides traffic isolation from the default routing table.
D. Traffic isolation is done on the VLAN level.

Answer: C

CCNA, CCNP, CCIE and CISSP exam questions and answers. There are great deals before Christmas. Offer only once a year! This is the best opportunity to buy CCNA or CCNP or CCIE or CISSP. Don’t worry about the upcoming big changes in Cisco. Updates are free for at least one year and you are guaranteed to take the exam with the latest answers. The ultimate purpose of our service is to make you pass the exam smoothly. Good luck everyone.
https://www.houzz.com/discussions/5837856/it-technology-decoration-reference

Rose IS SPAMMER SPAMMER

Rose IS SPAMMER SPAMMER

@Luay

Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels support all operating systems
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels require the client to have the application installed locally

AD

@Bolo

please guide for latest dumps thanks.

@ADIL

C’mon, you have links and questions with corrected answers posted here. Just have a look.

@Coach’s dump 41 – 48
Q.41: BE
Q.43: AC
Q.47: A

@Coach’s dump 61 – 67
Q.62: C
Q.63: C

@Luay
Question about DH group is:
What does the DH group refer to:
A. length of key for hashing
B. length of key for key exchange
C. tunnel lifetime key
D. length of key for authentication
E. length of key for encryption

And the answer is B

@Luay

What is the range of levels provided by the privilege command?

Answer is B: 0-15

What are two major considerations when choosing between a SPAN and a TAP when implementing IPS?

Anyone knows the best answer? I guess amount of bandwidth and dropped packets.

@Goodluck

The answer to this question is literally two posts above, Q.43. And the full question is on this very page, few posts above more.

Passed 99x/1000

Thanks to everyone here.

OCG + 31 days + dumps and googling all for myself if they were unclear

Which command do you enter to enable authentication for OSPF on an interface?
A. ip ospf message-digest-key 1 md5 CISCOPASS
B. area 0 authentication message-digest
C. ip ospf authentication-key CISCOPASS
D. ip ospf authentication message-digest

@Mac0 – congrats!!! What do you mean by “31 days”?

@Bolo
Aren’t Q26 and Q41 from C0achGreece dump the same?

Grats Mac0! 99x! What part you lost points on? Or maybe you remember the question itself?
Were there any surprises?

@Anton
The book – 31 Days Before Your CCNA Security Exam.
And yes, they are the same. Answer is no impact on performance and minimal configuration needed.

@ADIL
Answer is D

@bolo and all Thanks for coach dumps, can you also do some simulation in gns3 and explain the questions and answers please

I pass with 958,
about the Lab, remember ,In 8.3 and later code you must use the Real IP of the host in the ACL and not the translated IP;in the Dump, it use the Translated IP,
I guess in 210-260, it depends on before 8.2

@Bolo – thank you!

@Marcus
No, sry. Speaking for myself only, I’m not willing to prepare dumps with explanations for anyone. If you don’t trust answers I post here, you’re more than welcome to do your own research ;)

@Hui Li
Grats!

@bolo, I trust your answers and all here.

I am confused about lab so I need know how to find answers if ips are changed or what commands I need to use to find the information.

@Marcus
What is confusing about the lab?