Home > Share your CCNA Security Experience

Share your CCNA Security Experience

November 5th, 2015 Go to comments

Please share with us your experience after taking the CCNA Security 210-260 exam, your materials, the way you learned, your recommendations…

Comments (100) Comments
Comment pages
1 10 11 12 13 14 22 675
  1. Bolo
    December 22nd, 2019

    @scott
    Grats! And yes, I posted it not long ago – I think c0achGreece and new questions that appeared since August (and were all discussed here) is enough.

    @Luay
    Most of the people are reporting the VPN sim – where you need to answer 4 questions about different VPN settings, by checking ASDM GUI. The other thing is a lab – you need to configure NAT/ACL to enable access to web server and ping. I’d learn both just in case.

    About questions:
    How will a stateful firewall handle an inbound packet it receives and cannot match in its state table ?
    Answer is D – it will look for ACL.

    “A user on your network inadvertently activates a botnet program that was received as an email attachment. Which type of mechanism does Cisco Firepower use to detect and block only the botnet attack?”
    Answer is C – botnet traffic filter. That’s the mechanism – how it works internally is not important. Various other security features are reputation-based. This is only my opinion of course.

    @Star
    Yes, it is D.

  2. happiness
    December 22nd, 2019

    @Bolo
    Could you please share last update dump in pdf format ?

    @scott
    Could yo please share Coachgrace dump in pdf

  3. Ali Nader
    December 22nd, 2019

    What is the address to the Chinese web site?

  4. star
    December 22nd, 2019

    @bolo
    the answer is :B
    because it looks for the ACL by default.
    if the question was lile “…..state table what should be the default action?”
    but if it is not by default it will drop

  5. Luay
    December 22nd, 2019

    @Bolo .

    What you said the Sim Could be: VPN ( answer 4 questions by checking the ASDM GUI settings) or NAT SIM ( using ASDM GUI to answer 4 questions regarding to NAT/ACL Configurations : Create NAT , ACL, Verifying)…. is that correct!!

  6. gabbar
    December 22nd, 2019

    Q20 Which security term refers to the likelihood that a weakness will be exploited to cause damage to an asset?
    A. threat
    B. vulnerability
    C. risk
    D. countermeasure

    Answer: C

    Shouldn’t this be B?

  7. Marcus
    December 22nd, 2019

    Thanks Bolo

    all questions from Coach as you said and I passes the exam on Friday

  8. OneInMillion
    December 22nd, 2019

    Hi All

    I passed CCNA R&S last week and now want to prepare for CCNA Sec

    Does anyone have material or guide me for correct docs to prepare for CCNA Sec please.

    I want to study for 2 months before going through Dumps

  9. Bolo
    December 22nd, 2019

    @happiness
    Scroll up and read – links are there.

    @star
    The answer is D. If there is no match in the state table for the incoming packet, ACLs are checked. Stateful firewall checks the state table FIRST, then ACL. And ACL is only checked if the connection doesn’t exist in the state table.
    If you look online for ASA packet flow diagrams you will see the first step is called “Existing connection” or something similar – this is the state table check. And then it goes to ACL, if there is no matching connection in the state table.

    The only thing possibly disputable in this question is the packet type. After state table check, if the packet is not a TCP SYN or UDP packet, it will be dropped. But those details are not provided, so the general answer is that it will go for ACL check.

    @Luay
    For VPN you only have to answer questions.
    For NAT/ACL you have to configure them to access a web server and let the ping through.

    @Gabbar
    The answer is C. The word ‘weakness’ in the question can be substituted for ‘vulnerability’. But the likelihood of exploiting it is a risk.

    @Marcus
    Grats!

  10. x7xafc
    December 23rd, 2019

    @bolo “For NAT/ACL you have to configure them to access a web server and let the ping through” can you point me as to where i can find this lab? in which dump? I have studied Yuki, Coachgreece and Yako, did not find this one. help is much appreciated :)

  11. Dino Zoff
    December 23rd, 2019

    Congratulations!

    Passed the 210-260 exam on 20/Dec/2019!

    67 questions
    1 Simulation
    1 Drag and Drop (Shutdown, Restrict, Protect)

    I mainly learned the PassLeader 210-260 dumps (553q NEW version), all questions are available in PassLeader.

    Really helpful.

    P.S.

    Part of PassLeader 210-260 dumps are available here FYI:

    drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg

    (553q~~~NEW VERSION DUMPS Updated Recently!!!)

    Good luck, all!

    [copy that link and open it in your web browser]

  12. Dino Zoff
    December 23rd, 2019

    And,

    Part of PassLeader 210-260 IINS new questions (FYI):

    [Get the download link at the end of this post]

    NEW QUESTION 546
    Which statement about TACACS+ is true?

    A. Passwords are transmitted between the client and server using MD5 hasing.
    B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS_ is used for access to network resources more than administrator access to network devices.
    D. TACACS_ server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext.

    Answer: C

    NEW QUESTION 547
    Which effect of the secure boot-image command is true?

    A. It configure the device to boot to the secure IOS image.
    B. It archives a secure copy of the device configuration.
    C. It archives a secure copy of the IOS image.
    D. It displays the status of the bootset.

    Answer: C

    NEW QUESTION 548
    Which two statements about an IPS in tap mode are true? (Choose two.)

    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all traffic, regardless of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: BC

    NEW QUESTION 549
    How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?

    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.

    Answer: C

    NEW QUESTION 550
    Which 802.1x component enforces the network access policy?

    A. authentication server
    B. authenticator
    C. RADIUS server
    D. supplicant

    Answer: A

    NEW QUESTION 551
    Drag and Drop
    Drag and drop the each port-security violation mode from the left onto the corresponding action on the right.

    Answer:

    NEW QUESTION 552
    ……

    Download more NEW PassLeader 210-260 dumps from Google Drive here:

    drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg

    (553q~~~NEW VERSION DUMPS Updated Recently!!!)

    Good luck, all!

    [copy that link and open it in your web browser]

  13. Philip IS FAKE FAKE FAKE
    December 23rd, 2019

    Philip IS FAKE FAKE FAKE

    Philip IS FAKE FAKE FAKE

  14. Anonymous
    December 23rd, 2019

    Which statement about TACACS+ is true?

    A. Passwords are transmitted between the client and server using MD5 hasing.
    B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS_ is used for access to network resources more than administrator access to network devices.
    D. TACACS_ server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext.

    Answer: C

    NEW QUESTION 547
    Which effect of the secure boot-image command is true?

    A. It configure the device to boot to the secure IOS image.
    B. It archives a secure copy of the device configuration.
    C. It archives a secure copy of the IOS image.
    D. It displays the status of the bootset.

    Answer: C

    NEW QUESTION 548
    Which two statements about an IPS in tap mode are true? (Choose two.)

    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all traffic, regardless of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: BC

    NEW QUESTION 549
    How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?

    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.

    Answer: C

    NEW QUESTION 550
    Which 802.1x component enforces the network access policy?

    A. authentication server
    B. authenticator
    C. RADIUS server
    D. supplicant

    Answer: A

  15. Anonymous
    December 23rd, 2019

    NEW QUESTION 547
    Which effect of the secure boot-image command is true?

    A. It configure the device to boot to the secure IOS image.
    B. It archives a secure cowepy of the device configuration.
    C. It archives a secure copy of the IOS image.
    D. It displays the status of the bootset.

    Answer: C

  16. Bolo
    December 23rd, 2019

    @x7xafc
    It’s in Anubis IIRC

    @everyone
    Careful with PassLeader spammers – questions are valid but many answers are wrong. Read back through this thread to find correct answers.

  17. vce simlator
    December 23rd, 2019

    Hi guys,
    I’d really appreciated it if someone can provide the latest software VCE.

    thanks

  18. x7xafc
    December 23rd, 2019

    confused about the following questions:

    What features can protect the data plane? (choose three)
    A. policing
    B. ACLs
    C. IPS
    D. antispoofing
    E. QoS
    F. DHCP-snooping

    dumps say BDF. But someone here suggested IPS is mentioned in best practice in the OCG and DHCP-snooping as additional security. can someone clarify?

    In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three)
    A. When matching ACL entries are configured
    B. when matching NAT entries are configured
    C. When the firewall requires strict HTTP inspection
    D. When the firewall requires HTTP inspection
    E. When Firewall Recieves a FIN packet
    F. When the firewall already has a TCP connection

    ABF?

    Which two statements about the self zone on a Cisco zone-based policy firewall are true? (choose two)
    A. Multiple interfaces can be assigned to the self zone
    B. Traffic entering the self zone must match a rule
    C. Zone pairs that include the self zone apply to traffic transiting the device
    D. It can be either the source zone or the destination zone
    E. It supports stateful inspection for multicast traffic

    only D seem like the right answer? what’s the other. A is wrong cause you dont assign self zone, all router interface are by default self zones. B what? C i don’t know. E is definitely wrong

    anyone?

  19. gabbar
    December 23rd, 2019

    Your security team has discovered a malicious program that has been harvesting the CEO’s email messages and the company’s user database for the last 6 months. What type of attack did your team discover?
    A. social activism
    B. drive-by spyware
    C. targeted malware
    D. advance persistent threat
    E. Polymorphic virus……………
    ANSWER:DE

    Shouldn’t this be C and D?

  20. gabbar
    December 23rd, 2019

    Which IOS command is used to define the authentication key for NTP?
    A. Switch(config)#ntp authentication-key 1 md5 C1sc0
    B. Switch(config)#ntp trusted-key 1
    C. Switch(config)#ntp source 192.168.0.1
    D. Switch(config)#ntp authenticate
    Correct Answer: A

    Is A the correct answer? Some dumps say d.

  21. Bolo
    December 23rd, 2019

    @x7xafc

    I mentioned the IPS. Official cert guide books says that best practices for protecting the data plane are: ACLs, FW, IPS, TCP Intercept (reduce DoS), Unicast Reverse Path Forwarding (IP antispoof)
    And additional protections are: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard

    HTTP GET questions: you are right, ABF.

    Self-zone question: I agree with you, only D is correct 100%. BCE are all wrong, so you only have A to pick. I don’t mind that it says ‘assign’ – since it doesn’t matter if router assigns them or a person (in case of the self-zone it’s a router). What I do mind is that interfaces are not assigned to the self-zone. IPs are assigned. But anyway, if the question really has 2 answers, I guess AD is the most correct combination.

  22. Bolo
    December 23rd, 2019

    @Gabbar

    Question about CEO’s emails: you are right, CD. If I had to choose only one answer, I’d go with D.

    NTP authentication question: A is the correct answer. ntp authenticate command is used to enable authentication, not to define the key.

  23. x7xafc
    December 23rd, 2019

    @Bolo thanks for the clarifications! as for the protecting data plane question, I’m now wondering that the question says which “features” can protect the data plane. I’d reckon ACL, URPF and DHCP spoofing are all features of the IOS or FW whereas an IPS is a physical “device” not a feature? what you think?

  24. Bolo
    December 24th, 2019

    @x7xafc
    Good point, well made! IPS is not a feature. So it’s DHCP Snooping.

  25. Anonymous
    December 24th, 2019

    Which IOS command is used to define the authentication key for NTP?
    A. Switch(config)#ntp authentication-key 1 md5 C1sc0
    B. Switch(config)#ntp trusted-key 1
    C. Switch(config)#ntpsc source 192.168.0.1
    D. Switch(config)#ntp authenticate
    Correct Answer: A

    Is A the correct answer? Some dumps say d.

  26. Gabbar
    December 24th, 2019

    @Anonymous

    Bolo has already mentioned A is the correct answer.

  27. gabbar
    December 24th, 2019

    QUESTION 214
    Which option is a weakness in an information system that an attacker might leverage to gain
    unauthorized access to the system or its data?
    A. hack
    B. mitigation
    C. risk
    D. vulnerability
    E. exploit
    Answer: D

    Should the answer in this be C.

  28. gabbar
    December 24th, 2019

    Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.)
    A. syslog
    B. SDEE
    C. FTP
    D. TFTP
    E. SSH
    F. HTTPS

    I think a and b.

  29. gabbar
    December 24th, 2019

    Which option is a key security component of an MDM deployment?
    A. using MS-CHAPv2 as the primary EAP method.
    B. using self-signed certificates to validate the server.
    C. using network-specific installer packages
    D. using an application tunnel by default.
    Answer: B

    is this not a?

  30. gabbar
    December 24th, 2019

    Which STP feature can prevent an attacker from becoming the root bridge by immediately shutting down the interface when it receives a BPDU?
    A. PortFast
    B. BPDU guard
    C. BPDU filtering
    D. root guard

    isn’t this root guard?

  31. gabbar
    December 24th, 2019

    QUESTION 468
    Which internet Multihoming solution is a resistant to a failure of any single component?

    A. Option A
    B. Option B
    C. Option C
    D. Option D
    Answer: A

    Shouldn’t this be b

    Passleader

  32. Eric
    December 25th, 2019

    Cisco is about to usher in a major change in February 2020, the exams will not be easy, and the earlier the certification, the more valuable it will be. I will help you pass the exam by February, please save time and arrange your exam as soon as possible.Provide CCNA, CCNP, CCIE and CISSP exam questions and answers。(Please note!url not have ***)
    ww***w.houzz.co***m/discussions/5837856/it-technology-decoration-reference

  33. Bolo
    December 25th, 2019

    @Gabbar

    Q.214: D – vulnerability is a weakness in the system. Risk is a possibility of that vulnerability to be exploited.

    Yes, it’s AB: syslog and SDEE

    It’s B. EAP method (MS-CHAPv2) is not a key component, it will depend on what devices support (for Apple stuff you’ll most likely end up using EAP-TLS). But certificates are essential, they are used to identify devices, and all devices in MDM deployment have to have them.
    The only thing I don’t like about this question is that it says ‘self-signed’ – you can of course use self-signed, but you can also (and prolly should) use external CA certificates.
    Still, certificate answer is the best one.

    It is B – BPDU Guard. The question does not specify the type of BPDU, it only says ‘receives a BPDU’. RootGuard works only in certain situations, it allows for normal BPDU traffic as long as it is not traffic designed to interfere with current STP setup and change root (in this exam Cisco call them ‘superior BPDU’).
    BPDU Guard on the other hand just err-disables a port as soon as it receives any BPDU.

    Q.468: Answer is the one where where 2 enterprise edge routers are connected to each other, and each of them is connected to a different ISP:

    ISP1 ISP2
    | |
    R1———-R2

  34. Bolo
    December 25th, 2019

    Thats ASCII art up there didn’t work…spaces were removed. R2 should be connected to ISP2, obviously.

  35. Anton
    December 25th, 2019

    @Bolo & Gabbar – where exactly did you get “Quetsion 468” from so I can see the diagrams?

    QUESTION 468
    Which internet Multihoming solution is a resistant to a failure of any single component?

    A. Option A
    B. Option B
    C. Option C
    D. Option D
    Answer: A

  36. x7x
    December 25th, 2019

    Which command can you enter to configure OSPF to use hashing to authenticate routing updates?
    A. ip ospf authentication message-digest
    B. ip ospf priority 1
    C. neighbor 192.168.0.112 cost md5
    D. ip ospf authentication-key

    I think it’s A?

    Which two statements about hardware-based encryption are true? (Choose two.)
    A. It is potentially easier to compromise than software-based encryption.
    B. It requires minimal configuration.
    C. It can be implemented without impacting performance.
    D. It is widely accessible.
    E. It is highly cost-effective.

    Some say it’s CB and some say it’s CE?

    Which three statements about host-based IPS are true? (Choose three)
    A. It can view encrypted files
    B. It can be deployed at the perimeter
    C. It uses signature-based policies
    D. It can have more restrictive policies than network-based IPS
    E. It works with deployed firewalls
    F. It can generate alerts based on behavior at the desktop level.

    DF im sure. but how A? it can view encrypted files? really. the only reference I got is that it can read the files after it’s been decrypted. thoughts?

    If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
    A. The interface on both switches may shut down
    B. STP loops may occur
    C. The switch with the higher native VLAN may shut down
    D. The interface with the lower native VLAN may shut down

    dump says B. but check the following reference from ciscopress. after reading that, it seems it could be A?

    learningnetwork.cisco.com/docs/DOC-25797

  37. gabbar
    December 25th, 2019

    @Anton – passleader dumps.
    @bolo- Thank you very much. I really appreciate you answering our queries even on Christmas day. Thank you.

  38. gabbar
    December 25th, 2019

    @x7x

    Which command can you enter to configure OSPF to use hashing to authenticate routing updates?

    A. ip ospf authentication message-digest

    Which two statements about hardware-based encryption are true? (Choose two.)

    B. It requires minimal configuration.
    C. It can be implemented without impacting performance.

    Which three statements about host-based IPS are true? (Choose three)

    A. It can view encrypted files
    D. It can have more restrictive policies than network-based IPS
    F. It can generate alerts based on behavior at the desktop level.

    If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?

    B. STP loops may occur

    https://supportforums.cisco.com/discussion/12477986/using-different-native-vlans-different-ports-switch-configured-trunks

    Please don’t quote me on it, I’m just trying to help, to the best of my knowledge I feel these are the correct answers.

  39. Anton
    December 25th, 2019

    @Gabbar – which PassLeader dump exactly as I have been looking and couldn’t find it…

    @x7x – Gabbar provided all the corrected answers (to the best of our knowledge) for your questions – I’m actually working on getting a consolidated dump with all corrected answers from PassLeader, Youki, C0achgreece and all extra questions posted on this forum as it seems there is a lot of errors/mistakes.

  40. Rey mix
    December 25th, 2019

    Hi guys, tomorrow I will to do mi exam!! Whis me Luck!! Best Regards from México!!

  41. x7x
    December 26th, 2019

    QUESTION 259

    Which two NAT types allows only objects or groups to reference an IP address? (choose two)
    A. dynamic NAT
    B. dynamic PAT
    C. static NAT
    D. identity NAT

    DUMP: AC

    I only see 1 right answer here: Dynamic Nat. Can anyone clarify how static NAT is also an answer?

  42. @Rey mix
    December 26th, 2019

    best of luck! do share your experience after the exam

  43. @Rey mix
    December 26th, 2019

    Good luck. Let us know how you do today. I’m going to take the exam next week and would like to know if it’s changed.

  44. pK
    December 26th, 2019

    Hey guys, hope you are doing well.

    I watch cbt nugget’s 33hrs videos and done so many lab in gns3. Today it was my CCNA security exam.
    I prepared question answer from prepaway. But it was nightmare in exam. 10-12 questions and a dnd are new for me (may be prepaway is not updated). But lab and videos help me to get right answer. I passed the exam with 9xx score.
    Dnd is about port security which is not in prepaway. (Protect,restrict,shutdown,vlan shutdown).
    No configuration lab. Only lab with questions answer.

    if you want to practice on lab, there are eve-ng and gns3 available with images. You don’t need to add images manually. It’s loaded.

    Www. K h a g e n. Site

  45. gabbar
    December 26th, 2019

    @x7x

    htt**p://ww***w.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
    nat_objects.html#61711
    According to this A seems to be the only correct answer. Maybe C is correct because it allows the use of a
    subnet too.

    @Anton

    I found the passleader dumps from a link in the comments, dont’ waste your time on it.
    It wil make you question your sanity. The same question is repeated multiple times with different wrong answers.

    You are able to see the question here:

    http***s://w****ww.slideshare.net/pdfandvce/pdf2019-new-braindump2go-210260-pdf-dumps-488qas-free-shareq467q480

  46. gabbar
    December 26th, 2019

    Where does the Datacenter operate?

    A. Distribution
    B. Access
    C. Core

    Answer: a

    Is this correct?

  47. gabbar
    December 26th, 2019

    By default, how does a zone-based firewall handle traffic to and from the self zone?

    A. It inspects all traffic to determine how it is handled.
    B. It drops all traffic.
    C. It permits all traffic after inspection.
    D. It permits all traffic without inspection.

    Answer: d

    Is this correct? in another dump it says c.

  48. Bolo
    December 26th, 2019

    @Rey mix
    Good luck!

    @x7x
    This question about NAT only has 1 correct answer – A. It must be a mistake in dumps if it says that 2 answers are correct.

    @pk
    Thanks for the info. We know that DnD, so I guess you are right that dumps you used were out of date. Grats on passing.

    @gabbar
    Datacenter question is strange. I think it looks different, or the question is different in the exam – if it comes up at all. As it is, from what I’ve seen, there doesn’t seem to be any answer that’s good.

    About self-zone traffic, it is D. If you want to inspect self zone traffic you need to configure policies for it. By default they are not configured.

  49. Rey mix
    December 26th, 2019

    Hi guys!!
    I passed my test today with 974!! Coachgreece and Passleader Nov 2019 with Bolo´s answers and corrections is valid, 100% Sure.

    @Bolo you are a great person and great teacher!! Blessings to you, thanks for your help during my preparation. Happy new year man!!

    Best Regards from Mexico and Happy New Year everybody!!

  50. x7x
    December 27th, 2019

    @Rey congratulation’s man! keep growing!

  51. Anonymous
    December 27th, 2019

    By default, how does a zone-based firewall handle traffic to and from the self zone?

    A. It inspects all traffic to determine how it is handled.
    B. It drops all traffic.
    C. It permits all traffic after inspection.
    D. It permits all traffic without inspection.

    Answer: d

  52. x7x
    December 27th, 2019

    QUESTION 234
    Which two characteristics of an application layer firewall are true? (Choose two)
    A. provides reverse proxy services
    B. is immune to URL manipulation
    C. provides protection for multiple applications
    D. provides stateful firewall functionality
    E. has low processor usage

    DUMPS: AC

    QUESTION 276
    Which two options are advantages of an application layer firewall? (Choose two.)
    A. provides high-performance filtering
    B. makes DoS attacks difficult
    C. supports a large number of applications
    D. authenticates devices
    E. authenticates individuals

    DUMPS: BE so surely one of these two are wrong?

  53. x7x
    December 27th, 2019

    Confused about these two as well:

    243. What is used for protecting FMC? (Firepower Management Center)

    A. AMP
    B. Intrusion Prevention
    C. Content Blocker
    D. File Control

    dumps: A

    QUESTION 296
    Which Firepower Management Center feature detects and blocks exploits and hack attempts?
    A. intrusion prevention
    B. advanced malware protection (AMP)
    C. content blocker
    D. file control

    Dump says A, but shouldn’t it be B?

  54. gabbar
    December 27th, 2019

    @x7x

    Both should be AMP from my understanding.

  55. gabbar
    December 27th, 2019

    @x7x

    Which two characteristics of an application layer firewall are true? (Choose two)
    A. provides reverse proxy services
    B. is immune to URL manipulation
    C. provides protection for multiple applications
    D. provides stateful firewall functionality
    E. has low processor usage

    DUMPS: AC

    Of all the above options A and C seem correct to me so I would say answers to both the
    questions are correct as per my understanding.

    Application layer firewalls typically do not support all applications, such as multimedia or peer-to-peer file sharing applications (to name a few). Instead,
    they are generally limited to one or a few connection types, typically common applications such as email, T elnet, FTP , and web services.
    But we can still pass this on as ‘multiple’ under the ciircustances.

    As per below:

    http://www.ciscopress.com/articles/article.asp?p=1888110

    Application layer firewalls offer advantages:

    Authenticate individuals, not devices
    Make it harder for hackers to spoof and implement denial-of-service (DoS) attacks
    Can monitor and filter application data
    Can provide detailed logging

    The disadvantages are as follows:

    Process packets in software
    Support a small number of applications
    Sometimes require special client software
    Are memory- and disk-intensive

    Application layer firewalls typically do not support all applications, such as multimedia or peer-to-peer file sharing applications (to name a few). Instead,
    they are generally limited to one or a few connection types, typically common applications such as email, T elnet, FTP , and web services.

  56. Bolo
    December 27th, 2019

    @x7x

    Q.234: only answer A is 100% correct. B is correct for WAFs, but it’s only 1 type of application firewall. CDE are incorrect. This question looks like another one that’s incomplete or copied with errors…

    Q.276: B and E is correct.

    Q.243/Q.296: FMC has File Policies (AMP+File Control) and Intrusion Policies (Intrusion Prevention) – those are 2 separate things and both, none or only 1 can be configured. When both are configured, File Policies are processed before Intrusion Policies. Also, AMP (File Policies) can not be a default action.

    Now for questions, Q.296 talks explicitly about hacks and exploits, so my answer would be A. But Q.243 doesn’t give any details, and both A and B are FMC security mechanisms. C is too, but it is a part of File Policies like AMP, and is used to block files that are not malware, so it can be discarded because it is not for protection.

    Sorry for not having better explanation. I see questions like this appear and I honestly think they are copied with errors, and in the real exam the question is more clear, so it is easier to answer.

  57. Bolo
    December 27th, 2019

    Haha, just seen gabbar’s comment. Well, understanding “multiple applications” that way, it might be a correct answer ;)

    Though I’m so used to the No.1 disadvantage of application firewalls: limited application support, that it did not occur to me :P

  58. Ensley
    December 27th, 2019

    Thank you so much

  59. Caan
    December 27th, 2019

    hi where can i find Passleader Nov 2019 with Bolo´s answers ???

    @Rey mix

    please update regaring the Sim, what u got and how did u answer it. thx

  60. Bolo
    December 27th, 2019

    @Caan

    On page 253 there’s a Drive link to the dump, and few posts below that I posted corrected answers.

  61. Rey mix
    December 28th, 2019

    @Caan, In the Page 253 there’s a link with the dumps, you can download. All Bolo’s answers and correctios are 100% valid for pass!!

  62. Bolo for president
    December 28th, 2019

    make it happen people!

  63. x7x
    December 28th, 2019

    QUESTION 270
    When is the default deny all policy an exception in zone-based firewalls?
    A. When traffic sources from the router via the self zone
    B. When traffic traverses two interfaces in the same zone
    C. When traffic terminates on the router via the self zone
    D. When traffic traverses two interfaces in different zones

    Dump says B. I think i saw in previous comments here that it’s B as well. But i found the following cisco link where cisco specifically say’s the following:

    “The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.”

    reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html#topic2

    So according to this: C should be the answer?

    @Bolo @Gabbar thoughts?

  64. x7x
    December 28th, 2019

    How will the traffic be affected if policy from the self-zone is removed ?
    A. all traffic will be inspected.
    B. traffic will not be inspected.
    C. traffic will be passed with logging action.
    D. ……………..

    confused about this as well. Some say A, some say B

  65. Caan
    December 28th, 2019

    Thanks Bolo, Appreciate your help & effort.

    @ Rey mix: which sim ve you got in your exam?

  66. Bolo
    December 28th, 2019

    @x7x

    Q.270: yeah, I guess C is the most correct answer, because that’s word for word what Cisco says… although the behavior will be exactly the same for traffic originating from the self-zone, so answer A is also correct.
    While it is also true that traffic between interfaces in the same zone is allowed by default, the answer B says ‘traverses two interfaces’, so we don’t know where to/where from it is going.

    The other question is incomplete, but from answers posted I’d pick B. If there is no policy on the self-zone, there will be no inspection possible. Also, it is considered a misconfiguration to inspect traffic to/from the self-zone.

  67. x7x
    December 28th, 2019

    @Bolo thanks for the clarifications man!

  68. Caan
    December 28th, 2019

    Bolo : can you please confirm if below answer are correct,

    NEW QUESTION 522
    Which path do you follow to enable AAA through the SDM?

    A. Configure > Tasks > AAA
    B. Configure > Authentication > AAA
    C. Configure > Additional Authentication > AAA
    D. Configure > Additional Tasks > AAA
    E. Configure > AAA

    Answer: D

    NEW QUESTION 523
    What aims to remove the ability to deny an action?

    A. Integrity
    B. Deniability
    C. Accountability
    D. Non-Repudiation

    Answer: D

    NEW QUESTION 524
    In which two models can the Cisco Web Security Appliance be deployed? (Choose two.)

    A. as a transparent proxy using the Secure Sockets Layer Protocol
    B. as a transparent proxy using the HyperText Transfer Protocol
    C. explicit active mode
    D. as a transparent proxy using the Web Cache Communication Protocol
    E. explicit proxy mode

    Answer: DE

    NEW QUESTION 525
    Which two statements about hardware-based encryption are true? (Choose two.)

    A. It is potentially easier to compromise than software-based encryption.

    B. It requires minimal configuration.
    C. It can be implemented without impacting performance.
    D. It is widely accessible.
    E. It is highly cost-effective.

    Answer: CE

    NEW QUESTION 526
    What is the main purpose of Control Plane Policing?

    A. to prevent exhaustion of route-processor resources
    B. to organize the egress packet queues
    C. to define traffic classes
    D. to maintain the policy map

    Answer: C

    NEW QUESTION 527
    What is the best definition of hairpinning?

    A. ingress traffic that traverses the outbound interface on a device
    B. traffic that enters and exits a device through the same interface
    C. traffic that enters one interface on a device and that exits through another interface
    D. traffic that tunnels through a device interface

    Answer: B

    NEW QUESTION 528
    How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?

    A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
    B. Block suspicious hosts from DCE/RPC port 593.
    C. Tunnel DCE/RPC traffic through GRE.
    D. Configure the DCE/RPC preprocessor.

    Answer: D

    NEW QUESTION 529
    Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use encryption?

    A. authPriv
    B. authNoPriv
    C. noAuthPriv
    D. noAuthNoPriv

    Answer: B

    NEW QUESTION 530
    Which type of firewall can perform deep packet inspection?

    A. application firewall
    B. stateless firewall
    C. packet-filtering firewall
    D. personal firewall

    Answer: A

    NEW QUESTION 531
    Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that are detected moving across other networks?

    A. signature-based
    B. reputation-based
    C. antivirus scanning
    D. policy-based

    Answer: B

    NEW QUESTION 532
    You have implemented a dynamic blacklist, using security intelligence to block illicit network activity. However, the blacklist contains several approved connections that users must access for business purposes. Which action can you take to retain the blacklist while allowing users to access the approved sites?

    A. Create a whitelist and manually add the approved addresses.
    B. Edit the dynamic blacklist to remove the approved addresses.
    C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the others.
    D. Disable the dynamic blacklist and create a static blacklist in its place.

    Answer: A

    NEW QUESTION 533
    Which command enables port security to use sticky MAC addresses on a switch?

    A. switchport port-security mac-address sticky
    B. switchport port-security
    C. switchport port-security violation protect
    D. switchport port-security violation restrict

    Answer: A

  69. Caan
    December 28th, 2019

    NEW QUESTION 534
    Which attack can be prevented by OSPF authentication?

    A. smurf attack
    B. IP spoofing attack
    C. Denial of service attack
    D. buffer overflow attack

    Answer: c

    NEW QUESTION 535

    Which mitigation technology for web-based threats prevents the removal of confidential data from the network?

    A. CTA
    B. AMP
    C. DLP
    D. DCA

    Answer: C

    NEW QUESTION 536
    N/A

    NEW QUESTION 537
    N/A

    NEW QUESTION 538
    Which component of a security zone firewall policy defines how traffic is handled?

    A. ACL
    B. Service policy
    C. Policy map
    D. Class map

    Answer: C

    NEW QUESTION 539
    Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only one that does not have to exactly match between VPN pees to be accepted?

    A. DH group
    B. Hashing algorithm
    C. Encryption algorithm
    D. Digital signature
    E. Authentication method
    F. Lifetime

    Answer: F

    NEW QUESTION 540
    What is the range of levels provided by the Privilege command?

    A. 0-16
    B. 0-15
    C. 1-16
    D. 1-14
    E. 0-14
    F. 1-15

    Answer: B

  70. gabbar
    December 29th, 2019

    @Caan

    Bolo has already provided the correct answeres for PL october and november in page 253.

    Here are the corrected answers from Bolo

    October:

    Q.525: BC
    Q.528: D
    Q.534: C

    November:

    Q.538: C
    Q.539: F
    Q.540: B
    Q.541: B
    Q.542: BC (same as dump)
    Q.543: A
    Q.544: A
    Q.545: B
    Q.546: B
    Q.547: C (same as dump)
    Q.548: DE
    Q.549: D
    Q.550: B
    Q.551: drag and drop solution is correct

  71. Anonymous
    December 29th, 2019

    NEW QUESTION 533
    Which command enables port security to use sticky MAC addresses on a switch?

    A. switchport port-security mac-address sticky
    B. switchport port-security
    C. switchport port-sdwecurity violation protect
    D. switchport port-security violation restrict

    Answer: A

  72. BD_DHK
    December 29th, 2019

    Which two statements about hardware-based encryption are true? (Choose two.)
    A. It is potentially easier to compromise than software-based encryption.
    B. It requires minimal configuration.
    C. It can be implemented without impacting performance.
    D. It is widely accessible.
    E. It is highly cost-effective.
    ANS: BC or BD or BE?

    Which two will be correct?

  73. Anton
    December 29th, 2019

    @BD_DHK – the answer for this question has already been provided dozens of times over the last few pages on the forum.

    Which two statements about hardware-based encryption are true? (Choose two.)
    A. It is potentially easier to compromise than software-based encryption.
    B. It requires minimal configuration.
    C. It can be implemented without impacting performance.
    D. It is widely accessible.
    E. It is highly cost-effective.
    Answer: B, C

  74. Anton
    December 29th, 2019

    Q450 Refer to the exhibit. What is the effect of the given configuration?

    Router1(config)#interface fastEthernet 0/0
    Router1(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS
    Router1(config-if)#ip ospf authentication message-digest

    Router2(config)#interface fastEthernet 0/0
    Router2(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS
    Router2(config-if)#ip ospf authentication message-digest

    A. The two routers receive normal updates from one another.
    B. It enables authentication.
    C. It prevents keycham authentication.
    D. The two devices are able to pass the message digest to one another.
    Answer: D

    Is the answer “D” the correct one?

  75. Bolo
    December 29th, 2019

    @Anton

    In this case, yes – D is correct. There is another version of this question, where keys are different: C1SCOPASS and CISCOPASS. For that other version answer C is the correct one.

  76. Bolo
    December 29th, 2019

    @Anton

    Hmm, after a second look, maybe it should be answer B: It enables authentication.

  77. Anton
    December 29th, 2019

    @Bolo – my bad, I have re-typed the configuration from the graphic in PL pdf and haven’t realised there is a deliberate mistake in the password configuration. Thanks for clarifying.

    BTW, that is what I thought too – if there was no typo in the password, it would most likely be answer “B”.

    Do we have all the answers for PL from [Oct-2018]? I would like to share the Word/PDF with you, so you could have a look and if you spot any errors I could get them corrected.

  78. Bolo
    December 29th, 2019

    @Anton

    I posted 3 corrections for PL October 2019. Never looked at any earlier PL dump than Oct/Nov from 2019.

    October:

    Q.525: BC
    Q.528: D
    Q.534: C

  79. Caan
    December 29th, 2019

    @bolo , can you confirm if its BC OR CE

    NEW QUESTION 525
    Which two statements about hardware-based encryption are true? (Choose two.)

    A. It is potentially easier to compromise than software-based encryption.
    B. It requires minimal configuration.
    C. It can be implemented without impacting performance.
    D. It is widely accessible.
    E. It is highly cost-effective.

    THX

  80. Bolo
    December 29th, 2019

    @Caan

    Man, you were already given answers I posted by gabbar, on this very page. And then this question was asked again by BD_DHK, and correct answer was given to him too, by Anton. And then you got the answer posted by me again in the post right above yours…

    Correct answer is FFS

  81. GABBAR
    December 29th, 2019

    Thank you Bolo, I’ve passed the exam with flying colors.

    You are a very good person, thank you.

    C0achgreece + Passleader Nov enough to pass.

    Happy new year Bolo.

  82. Bolo
    December 29th, 2019

    @GABBAR

    Congrats! And thanks for the feedback. Happy New Year to you too.

  83. gabbar
    December 29th, 2019

    @Bolo

    I can’t say it enough. You are the Hero!
    Thank you.

  84. x7x
    December 29th, 2019

    congratulations gabbar! best of luck for the future mate

  85. Gabbar
    December 29th, 2019

    @x7x

    Thank you.

    Good luck to you too for the exam.
    Happy new year.

  86. sInner
    December 30th, 2019

    is there any chance the questions will drastically change if i sit on the 1st of january since its a new year?

  87. James Hughes
    December 30th, 2019

    Congratulations!

    Passed the 210-260 exam recently!

    67 questions
    1 Simulation
    1 Drag and Drop (Shutdown, Restrict, Protect)

    I mainly learned the PassLeader 210-260 dumps (553q NEW version), all questions are available in PassLeader.

    Really helpful.

    P.S.

    Part of PassLeader 210-260 dumps are available here FYI:

    drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg

    (553q~~~NEW VERSION DUMPS Updated Recently!!!)

    Good luck, all!

    [copy that link and open it in your web browser]

  88. James Hughes
    December 30th, 2019

    And,

    Part of PassLeader 210-260 IINS new questions (FYI):

    [Get the download link at the end of this post]

    NEW QUESTION 546
    Which statement about TACACS+ is true?

    A. Passwords are transmitted between the client and server using MD5 hasing.
    B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS_ is used for access to network resources more than administrator access to network devices.
    D. TACACS_ server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext.

    Answer: C

    NEW QUESTION 547
    Which effect of the secure boot-image command is true?

    A. It configure the device to boot to the secure IOS image.
    B. It archives a secure copy of the device configuration.
    C. It archives a secure copy of the IOS image.
    D. It displays the status of the bootset.

    Answer: C

    NEW QUESTION 548
    Which two statements about an IPS in tap mode are true? (Choose two.)

    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all traffic, regardless of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: BC

    NEW QUESTION 549
    How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?

    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.

    Answer: C

    NEW QUESTION 550
    Which 802.1x component enforces the network access policy?

    A. authentication server
    B. authenticator
    C. RADIUS server
    D. supplicant

    Answer: A

    NEW QUESTION 551
    Drag and Drop
    Drag and drop the each port-security violation mode from the left onto the corresponding action on the right.

    Answer:

    NEW QUESTION 552
    ……

    Download more NEW PassLeader 210-260 dumps from Google Drive here:

    drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg

    (553q~~~NEW VERSION DUMPS Updated Recently!!!)

    Good luck, all!

    [copy that link and open it in your web browser]

  89. Djash
    December 30th, 2019

    How do i sign up for premium membership?

  90. Holy
    December 30th, 2019

    Greetings friends, is there a CCNA cloud forum??? Please advise, thanks…

  91. BD_DHK
    December 30th, 2019

    NEW QUESTION 550
    Which 802.1x component enforces the network access policy?

    A. authentication server
    B. authenticator
    C. RADIUS server
    D. supplicant

    Answer: A

    My Question, is it A or B.

    The authenticator enforces both the locally configured network access policy and the dynamically assigned network access policy returned by the authentication server

    https: // http://www.cisco.com /c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

  92. Anonymous
    December 30th, 2019

    NEW QUESTION 546
    Which statement about TACACS+ is true?

    A. Passwords are transmitted between the client and server using MD5 hasing.
    B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS_ is used for access to network resources more than administrator access to network devices.
    D. TACACS_ server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext.

    Answer: C

    NEW QUESTION 547
    Which effect of the secure boot-image command is true?

    A. It configure the device to boot to the secure IOS image.
    B. It archives a secure copy of the device configuration.
    C. It archives a secure copy of the IOS image.
    D. It displays the status of the bootset.

    Answer: C

    NEW QUESTION 548
    Which two statements about an IPS in tap mode are true? (Choose two.)

    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all traffic, regardless of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: BC

    NEW QUESTION 549
    How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?

    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.

    Answer: C

    NEW QUESTION 550
    Which 802.1x component enforces the network access policy?

    A. authentication server
    B. authenticator
    C. RADIUS server
    D. supplicant

    Answer: A

  93. Copy link and paste in your browser
    December 30th, 2019

    I pass 978/1000

    67 questions
    1 Simulation
    1 Drag and Drop (Shutdown, Restrict, Protect)

    Copy link and paste in your browser
    lop.by/L5V

  94. Anonymous
    December 30th, 2019

    Which statement about TACACS+ is true?

    A. Passwords are transmitted between the client and server using MD5 hasing.
    B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS_ is used for access to network resources more than administrator access to network devices.
    D. TACACS_ server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext.

    Answer: C

  95. Need_help
    December 30th, 2019

    Hi Dears,

    Could you please share latest dumps.

  96. FuseEngr
    December 30th, 2019

    Hi, I have passed CCNA Cyberops 210-250 exam yesterday. Now i’m planning for 210-255 exam, Anyone here who will attempt or any of your friend of friend ? Please refer to me

    packetdr0p at hotmail (dot) com

  97. EMK
    December 30th, 2019

    q36. Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)

    A. Smart tunnels can be used by clients that do not have administrator privileges
    B. Smart tunnels support all operating systems
    C. Smart tunnels offer better performance than port forwarding
    D. Smart tunnels require the client to have the application installed locally

    would like to ask which is the correct answer is it AD or is it AC. In the Passleader dumps they are saying AD but on Leadtopass dumps they are saying AC

  98. Anton
    December 30th, 2019

    @Bolo – thank you
    @Gabbar – congrats and Happy New Year!
    @sInner – I don’t think so, I have done that before (took exam in Jan, and the questions were the same)

    Q28 Refer to the exhibit. Which type of NAT is configured on a Cisco ASA?
    ###
    nat (ins,any) dynamic interface
    ###

    A.Dynamic NAT
    B. source identity NAT
    C. Dynamic PAT
    D. identity twice NAT
    Answer:C

    Shouldn’t the command for Dynamic PAT look more like the below?

    nat(any,outgoing) dynamic interface

    Does this mean the administrator named one of the interfaces as “ins” and changed the NAT direction?

  99. Bolo
    December 30th, 2019

    @sInner
    Questions usually don’t change drastically. There is always a chance that some of the current known questions will be replaced with new ones, but I never heard about whole exam changing. Also, I don’t think it has anything to do with new year.

    @BD_DHK
    It’s B – authenticator (aka Policy Enforcement Point)

    @EMK
    It’s AD.


  100. Note: Please do not open any suspicious links (especially short links and links that need to remove some words to open) in the comment section above as they are usually spams and may harm your computer.
Comment pages
1 10 11 12 13 14 22 675
Add a Comment