Share your CCNA Security Experience
November 5th, 2015
Go to comments
Please share with us your experience after taking the CCNA Security 210-260 exam, your materials, the way you learned, your recommendations…
Please share with us your experience after taking the CCNA Security 210-260 exam, your materials, the way you learned, your recommendations…
Become a member to practice all the questions on our site!
@scott
Grats! And yes, I posted it not long ago – I think c0achGreece and new questions that appeared since August (and were all discussed here) is enough.
@Luay
Most of the people are reporting the VPN sim – where you need to answer 4 questions about different VPN settings, by checking ASDM GUI. The other thing is a lab – you need to configure NAT/ACL to enable access to web server and ping. I’d learn both just in case.
About questions:
How will a stateful firewall handle an inbound packet it receives and cannot match in its state table ?
Answer is D – it will look for ACL.
“A user on your network inadvertently activates a botnet program that was received as an email attachment. Which type of mechanism does Cisco Firepower use to detect and block only the botnet attack?”
Answer is C – botnet traffic filter. That’s the mechanism – how it works internally is not important. Various other security features are reputation-based. This is only my opinion of course.
@Star
Yes, it is D.
@Bolo
Could you please share last update dump in pdf format ?
@scott
Could yo please share Coachgrace dump in pdf
What is the address to the Chinese web site?
@bolo
the answer is :B
because it looks for the ACL by default.
if the question was lile “…..state table what should be the default action?”
but if it is not by default it will drop
@Bolo .
What you said the Sim Could be: VPN ( answer 4 questions by checking the ASDM GUI settings) or NAT SIM ( using ASDM GUI to answer 4 questions regarding to NAT/ACL Configurations : Create NAT , ACL, Verifying)…. is that correct!!
Q20 Which security term refers to the likelihood that a weakness will be exploited to cause damage to an asset?
A. threat
B. vulnerability
C. risk
D. countermeasure
Answer: C
Shouldn’t this be B?
Thanks Bolo
all questions from Coach as you said and I passes the exam on Friday
Hi All
I passed CCNA R&S last week and now want to prepare for CCNA Sec
Does anyone have material or guide me for correct docs to prepare for CCNA Sec please.
I want to study for 2 months before going through Dumps
@happiness
Scroll up and read – links are there.
@star
The answer is D. If there is no match in the state table for the incoming packet, ACLs are checked. Stateful firewall checks the state table FIRST, then ACL. And ACL is only checked if the connection doesn’t exist in the state table.
If you look online for ASA packet flow diagrams you will see the first step is called “Existing connection” or something similar – this is the state table check. And then it goes to ACL, if there is no matching connection in the state table.
The only thing possibly disputable in this question is the packet type. After state table check, if the packet is not a TCP SYN or UDP packet, it will be dropped. But those details are not provided, so the general answer is that it will go for ACL check.
@Luay
For VPN you only have to answer questions.
For NAT/ACL you have to configure them to access a web server and let the ping through.
@Gabbar
The answer is C. The word ‘weakness’ in the question can be substituted for ‘vulnerability’. But the likelihood of exploiting it is a risk.
@Marcus
Grats!
@bolo “For NAT/ACL you have to configure them to access a web server and let the ping through” can you point me as to where i can find this lab? in which dump? I have studied Yuki, Coachgreece and Yako, did not find this one. help is much appreciated :)
Congratulations!
Passed the 210-260 exam on 20/Dec/2019!
67 questions
1 Simulation
1 Drag and Drop (Shutdown, Restrict, Protect)
I mainly learned the PassLeader 210-260 dumps (553q NEW version), all questions are available in PassLeader.
Really helpful.
P.S.
Part of PassLeader 210-260 dumps are available here FYI:
drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg
(553q~~~NEW VERSION DUMPS Updated Recently!!!)
Good luck, all!
[copy that link and open it in your web browser]
And,
Part of PassLeader 210-260 IINS new questions (FYI):
[Get the download link at the end of this post]
NEW QUESTION 546
Which statement about TACACS+ is true?
A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: C
NEW QUESTION 547
Which effect of the secure boot-image command is true?
A. It configure the device to boot to the secure IOS image.
B. It archives a secure copy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.
Answer: C
NEW QUESTION 548
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: BC
NEW QUESTION 549
How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: C
NEW QUESTION 550
Which 802.1x component enforces the network access policy?
A. authentication server
B. authenticator
C. RADIUS server
D. supplicant
Answer: A
NEW QUESTION 551
Drag and Drop
Drag and drop the each port-security violation mode from the left onto the corresponding action on the right.
Answer:
NEW QUESTION 552
……
Download more NEW PassLeader 210-260 dumps from Google Drive here:
drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg
(553q~~~NEW VERSION DUMPS Updated Recently!!!)
Good luck, all!
[copy that link and open it in your web browser]
Philip IS FAKE FAKE FAKE
Philip IS FAKE FAKE FAKE
Which statement about TACACS+ is true?
A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: C
NEW QUESTION 547
Which effect of the secure boot-image command is true?
A. It configure the device to boot to the secure IOS image.
B. It archives a secure copy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.
Answer: C
NEW QUESTION 548
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: BC
NEW QUESTION 549
How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: C
NEW QUESTION 550
Which 802.1x component enforces the network access policy?
A. authentication server
B. authenticator
C. RADIUS server
D. supplicant
Answer: A
NEW QUESTION 547
Which effect of the secure boot-image command is true?
A. It configure the device to boot to the secure IOS image.
B. It archives a secure cowepy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.
Answer: C
@x7xafc
It’s in Anubis IIRC
@everyone
Careful with PassLeader spammers – questions are valid but many answers are wrong. Read back through this thread to find correct answers.
Hi guys,
I’d really appreciated it if someone can provide the latest software VCE.
thanks
confused about the following questions:
What features can protect the data plane? (choose three)
A. policing
B. ACLs
C. IPS
D. antispoofing
E. QoS
F. DHCP-snooping
dumps say BDF. But someone here suggested IPS is mentioned in best practice in the OCG and DHCP-snooping as additional security. can someone clarify?
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three)
A. When matching ACL entries are configured
B. when matching NAT entries are configured
C. When the firewall requires strict HTTP inspection
D. When the firewall requires HTTP inspection
E. When Firewall Recieves a FIN packet
F. When the firewall already has a TCP connection
ABF?
Which two statements about the self zone on a Cisco zone-based policy firewall are true? (choose two)
A. Multiple interfaces can be assigned to the self zone
B. Traffic entering the self zone must match a rule
C. Zone pairs that include the self zone apply to traffic transiting the device
D. It can be either the source zone or the destination zone
E. It supports stateful inspection for multicast traffic
only D seem like the right answer? what’s the other. A is wrong cause you dont assign self zone, all router interface are by default self zones. B what? C i don’t know. E is definitely wrong
anyone?
Your security team has discovered a malicious program that has been harvesting the CEO’s email messages and the company’s user database for the last 6 months. What type of attack did your team discover?
A. social activism
B. drive-by spyware
C. targeted malware
D. advance persistent threat
E. Polymorphic virus……………
ANSWER:DE
Shouldn’t this be C and D?
Which IOS command is used to define the authentication key for NTP?
A. Switch(config)#ntp authentication-key 1 md5 C1sc0
B. Switch(config)#ntp trusted-key 1
C. Switch(config)#ntp source 192.168.0.1
D. Switch(config)#ntp authenticate
Correct Answer: A
Is A the correct answer? Some dumps say d.
@x7xafc
I mentioned the IPS. Official cert guide books says that best practices for protecting the data plane are: ACLs, FW, IPS, TCP Intercept (reduce DoS), Unicast Reverse Path Forwarding (IP antispoof)
And additional protections are: Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
HTTP GET questions: you are right, ABF.
Self-zone question: I agree with you, only D is correct 100%. BCE are all wrong, so you only have A to pick. I don’t mind that it says ‘assign’ – since it doesn’t matter if router assigns them or a person (in case of the self-zone it’s a router). What I do mind is that interfaces are not assigned to the self-zone. IPs are assigned. But anyway, if the question really has 2 answers, I guess AD is the most correct combination.
@Gabbar
Question about CEO’s emails: you are right, CD. If I had to choose only one answer, I’d go with D.
NTP authentication question: A is the correct answer. ntp authenticate command is used to enable authentication, not to define the key.
@Bolo thanks for the clarifications! as for the protecting data plane question, I’m now wondering that the question says which “features” can protect the data plane. I’d reckon ACL, URPF and DHCP spoofing are all features of the IOS or FW whereas an IPS is a physical “device” not a feature? what you think?
@x7xafc
Good point, well made! IPS is not a feature. So it’s DHCP Snooping.
Which IOS command is used to define the authentication key for NTP?
A. Switch(config)#ntp authentication-key 1 md5 C1sc0
B. Switch(config)#ntp trusted-key 1
C. Switch(config)#ntpsc source 192.168.0.1
D. Switch(config)#ntp authenticate
Correct Answer: A
Is A the correct answer? Some dumps say d.
@Anonymous
Bolo has already mentioned A is the correct answer.
QUESTION 214
Which option is a weakness in an information system that an attacker might leverage to gain
unauthorized access to the system or its data?
A. hack
B. mitigation
C. risk
D. vulnerability
E. exploit
Answer: D
Should the answer in this be C.
Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router? (Choose two.)
A. syslog
B. SDEE
C. FTP
D. TFTP
E. SSH
F. HTTPS
I think a and b.
Which option is a key security component of an MDM deployment?
A. using MS-CHAPv2 as the primary EAP method.
B. using self-signed certificates to validate the server.
C. using network-specific installer packages
D. using an application tunnel by default.
Answer: B
is this not a?
Which STP feature can prevent an attacker from becoming the root bridge by immediately shutting down the interface when it receives a BPDU?
A. PortFast
B. BPDU guard
C. BPDU filtering
D. root guard
isn’t this root guard?
QUESTION 468
Which internet Multihoming solution is a resistant to a failure of any single component?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Shouldn’t this be b
Passleader
Cisco is about to usher in a major change in February 2020, the exams will not be easy, and the earlier the certification, the more valuable it will be. I will help you pass the exam by February, please save time and arrange your exam as soon as possible.Provide CCNA, CCNP, CCIE and CISSP exam questions and answers。(Please note!url not have ***)
ww***w.houzz.co***m/discussions/5837856/it-technology-decoration-reference
@Gabbar
Q.214: D – vulnerability is a weakness in the system. Risk is a possibility of that vulnerability to be exploited.
Yes, it’s AB: syslog and SDEE
It’s B. EAP method (MS-CHAPv2) is not a key component, it will depend on what devices support (for Apple stuff you’ll most likely end up using EAP-TLS). But certificates are essential, they are used to identify devices, and all devices in MDM deployment have to have them.
The only thing I don’t like about this question is that it says ‘self-signed’ – you can of course use self-signed, but you can also (and prolly should) use external CA certificates.
Still, certificate answer is the best one.
It is B – BPDU Guard. The question does not specify the type of BPDU, it only says ‘receives a BPDU’. RootGuard works only in certain situations, it allows for normal BPDU traffic as long as it is not traffic designed to interfere with current STP setup and change root (in this exam Cisco call them ‘superior BPDU’).
BPDU Guard on the other hand just err-disables a port as soon as it receives any BPDU.
Q.468: Answer is the one where where 2 enterprise edge routers are connected to each other, and each of them is connected to a different ISP:
ISP1 ISP2
| |
R1———-R2
Thats ASCII art up there didn’t work…spaces were removed. R2 should be connected to ISP2, obviously.
@Bolo & Gabbar – where exactly did you get “Quetsion 468” from so I can see the diagrams?
QUESTION 468
Which internet Multihoming solution is a resistant to a failure of any single component?
A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Which command can you enter to configure OSPF to use hashing to authenticate routing updates?
A. ip ospf authentication message-digest
B. ip ospf priority 1
C. neighbor 192.168.0.112 cost md5
D. ip ospf authentication-key
I think it’s A?
Which two statements about hardware-based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.
Some say it’s CB and some say it’s CE?
Which three statements about host-based IPS are true? (Choose three)
A. It can view encrypted files
B. It can be deployed at the perimeter
C. It uses signature-based policies
D. It can have more restrictive policies than network-based IPS
E. It works with deployed firewalls
F. It can generate alerts based on behavior at the desktop level.
DF im sure. but how A? it can view encrypted files? really. the only reference I got is that it can read the files after it’s been decrypted. thoughts?
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
A. The interface on both switches may shut down
B. STP loops may occur
C. The switch with the higher native VLAN may shut down
D. The interface with the lower native VLAN may shut down
dump says B. but check the following reference from ciscopress. after reading that, it seems it could be A?
learningnetwork.cisco.com/docs/DOC-25797
@Anton – passleader dumps.
@bolo- Thank you very much. I really appreciate you answering our queries even on Christmas day. Thank you.
@x7x
Which command can you enter to configure OSPF to use hashing to authenticate routing updates?
A. ip ospf authentication message-digest
Which two statements about hardware-based encryption are true? (Choose two.)
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
Which three statements about host-based IPS are true? (Choose three)
A. It can view encrypted files
D. It can have more restrictive policies than network-based IPS
F. It can generate alerts based on behavior at the desktop level.
If the native VLAN on a trunk is different on each end of the link, what is a potential consequence?
B. STP loops may occur
https://supportforums.cisco.com/discussion/12477986/using-different-native-vlans-different-ports-switch-configured-trunks
Please don’t quote me on it, I’m just trying to help, to the best of my knowledge I feel these are the correct answers.
@Gabbar – which PassLeader dump exactly as I have been looking and couldn’t find it…
@x7x – Gabbar provided all the corrected answers (to the best of our knowledge) for your questions – I’m actually working on getting a consolidated dump with all corrected answers from PassLeader, Youki, C0achgreece and all extra questions posted on this forum as it seems there is a lot of errors/mistakes.
Hi guys, tomorrow I will to do mi exam!! Whis me Luck!! Best Regards from México!!
QUESTION 259
Which two NAT types allows only objects or groups to reference an IP address? (choose two)
A. dynamic NAT
B. dynamic PAT
C. static NAT
D. identity NAT
DUMP: AC
I only see 1 right answer here: Dynamic Nat. Can anyone clarify how static NAT is also an answer?
best of luck! do share your experience after the exam
Good luck. Let us know how you do today. I’m going to take the exam next week and would like to know if it’s changed.
Hey guys, hope you are doing well.
I watch cbt nugget’s 33hrs videos and done so many lab in gns3. Today it was my CCNA security exam.
I prepared question answer from prepaway. But it was nightmare in exam. 10-12 questions and a dnd are new for me (may be prepaway is not updated). But lab and videos help me to get right answer. I passed the exam with 9xx score.
Dnd is about port security which is not in prepaway. (Protect,restrict,shutdown,vlan shutdown).
No configuration lab. Only lab with questions answer.
if you want to practice on lab, there are eve-ng and gns3 available with images. You don’t need to add images manually. It’s loaded.
Www. K h a g e n. Site
@x7x
htt**p://ww***w.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/
nat_objects.html#61711
According to this A seems to be the only correct answer. Maybe C is correct because it allows the use of a
subnet too.
@Anton
I found the passleader dumps from a link in the comments, dont’ waste your time on it.
It wil make you question your sanity. The same question is repeated multiple times with different wrong answers.
You are able to see the question here:
http***s://w****ww.slideshare.net/pdfandvce/pdf2019-new-braindump2go-210260-pdf-dumps-488qas-free-shareq467q480
Where does the Datacenter operate?
A. Distribution
B. Access
C. Core
Answer: a
Is this correct?
By default, how does a zone-based firewall handle traffic to and from the self zone?
A. It inspects all traffic to determine how it is handled.
B. It drops all traffic.
C. It permits all traffic after inspection.
D. It permits all traffic without inspection.
Answer: d
Is this correct? in another dump it says c.
@Rey mix
Good luck!
@x7x
This question about NAT only has 1 correct answer – A. It must be a mistake in dumps if it says that 2 answers are correct.
@pk
Thanks for the info. We know that DnD, so I guess you are right that dumps you used were out of date. Grats on passing.
@gabbar
Datacenter question is strange. I think it looks different, or the question is different in the exam – if it comes up at all. As it is, from what I’ve seen, there doesn’t seem to be any answer that’s good.
About self-zone traffic, it is D. If you want to inspect self zone traffic you need to configure policies for it. By default they are not configured.
Hi guys!!
I passed my test today with 974!! Coachgreece and Passleader Nov 2019 with Bolo´s answers and corrections is valid, 100% Sure.
@Bolo you are a great person and great teacher!! Blessings to you, thanks for your help during my preparation. Happy new year man!!
Best Regards from Mexico and Happy New Year everybody!!
@Rey congratulation’s man! keep growing!
By default, how does a zone-based firewall handle traffic to and from the self zone?
A. It inspects all traffic to determine how it is handled.
B. It drops all traffic.
C. It permits all traffic after inspection.
D. It permits all traffic without inspection.
Answer: d
QUESTION 234
Which two characteristics of an application layer firewall are true? (Choose two)
A. provides reverse proxy services
B. is immune to URL manipulation
C. provides protection for multiple applications
D. provides stateful firewall functionality
E. has low processor usage
DUMPS: AC
QUESTION 276
Which two options are advantages of an application layer firewall? (Choose two.)
A. provides high-performance filtering
B. makes DoS attacks difficult
C. supports a large number of applications
D. authenticates devices
E. authenticates individuals
DUMPS: BE so surely one of these two are wrong?
Confused about these two as well:
243. What is used for protecting FMC? (Firepower Management Center)
A. AMP
B. Intrusion Prevention
C. Content Blocker
D. File Control
dumps: A
QUESTION 296
Which Firepower Management Center feature detects and blocks exploits and hack attempts?
A. intrusion prevention
B. advanced malware protection (AMP)
C. content blocker
D. file control
Dump says A, but shouldn’t it be B?
@x7x
Both should be AMP from my understanding.
@x7x
Which two characteristics of an application layer firewall are true? (Choose two)
A. provides reverse proxy services
B. is immune to URL manipulation
C. provides protection for multiple applications
D. provides stateful firewall functionality
E. has low processor usage
DUMPS: AC
Of all the above options A and C seem correct to me so I would say answers to both the
questions are correct as per my understanding.
Application layer firewalls typically do not support all applications, such as multimedia or peer-to-peer file sharing applications (to name a few). Instead,
they are generally limited to one or a few connection types, typically common applications such as email, T elnet, FTP , and web services.
But we can still pass this on as ‘multiple’ under the ciircustances.
As per below:
http://www.ciscopress.com/articles/article.asp?p=1888110
Application layer firewalls offer advantages:
Authenticate individuals, not devices
Make it harder for hackers to spoof and implement denial-of-service (DoS) attacks
Can monitor and filter application data
Can provide detailed logging
The disadvantages are as follows:
Process packets in software
Support a small number of applications
Sometimes require special client software
Are memory- and disk-intensive
Application layer firewalls typically do not support all applications, such as multimedia or peer-to-peer file sharing applications (to name a few). Instead,
they are generally limited to one or a few connection types, typically common applications such as email, T elnet, FTP , and web services.
@x7x
Q.234: only answer A is 100% correct. B is correct for WAFs, but it’s only 1 type of application firewall. CDE are incorrect. This question looks like another one that’s incomplete or copied with errors…
Q.276: B and E is correct.
Q.243/Q.296: FMC has File Policies (AMP+File Control) and Intrusion Policies (Intrusion Prevention) – those are 2 separate things and both, none or only 1 can be configured. When both are configured, File Policies are processed before Intrusion Policies. Also, AMP (File Policies) can not be a default action.
Now for questions, Q.296 talks explicitly about hacks and exploits, so my answer would be A. But Q.243 doesn’t give any details, and both A and B are FMC security mechanisms. C is too, but it is a part of File Policies like AMP, and is used to block files that are not malware, so it can be discarded because it is not for protection.
Sorry for not having better explanation. I see questions like this appear and I honestly think they are copied with errors, and in the real exam the question is more clear, so it is easier to answer.
Haha, just seen gabbar’s comment. Well, understanding “multiple applications” that way, it might be a correct answer ;)
Though I’m so used to the No.1 disadvantage of application firewalls: limited application support, that it did not occur to me :P
Thank you so much
hi where can i find Passleader Nov 2019 with Bolo´s answers ???
@Rey mix
please update regaring the Sim, what u got and how did u answer it. thx
@Caan
On page 253 there’s a Drive link to the dump, and few posts below that I posted corrected answers.
@Caan, In the Page 253 there’s a link with the dumps, you can download. All Bolo’s answers and correctios are 100% valid for pass!!
make it happen people!
QUESTION 270
When is the default deny all policy an exception in zone-based firewalls?
A. When traffic sources from the router via the self zone
B. When traffic traverses two interfaces in the same zone
C. When traffic terminates on the router via the self zone
D. When traffic traverses two interfaces in different zones
Dump says B. I think i saw in previous comments here that it’s B as well. But i found the following cisco link where cisco specifically say’s the following:
“The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.”
reference: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html#topic2
So according to this: C should be the answer?
@Bolo @Gabbar thoughts?
How will the traffic be affected if policy from the self-zone is removed ?
A. all traffic will be inspected.
B. traffic will not be inspected.
C. traffic will be passed with logging action.
D. ……………..
confused about this as well. Some say A, some say B
Happy New Year (2020)
https://www.google.com/maps/d/u/0/viewer?hl=en&mid=1Cixwd08F-EbtYnEwXRd8TsM_0cL7yakw&ll=37.044338800064956%2C-95.65191449999998&z=17
Thanks Bolo, Appreciate your help & effort.
@ Rey mix: which sim ve you got in your exam?
@x7x
Q.270: yeah, I guess C is the most correct answer, because that’s word for word what Cisco says… although the behavior will be exactly the same for traffic originating from the self-zone, so answer A is also correct.
While it is also true that traffic between interfaces in the same zone is allowed by default, the answer B says ‘traverses two interfaces’, so we don’t know where to/where from it is going.
The other question is incomplete, but from answers posted I’d pick B. If there is no policy on the self-zone, there will be no inspection possible. Also, it is considered a misconfiguration to inspect traffic to/from the self-zone.
@Bolo thanks for the clarifications man!
Bolo : can you please confirm if below answer are correct,
NEW QUESTION 522
Which path do you follow to enable AAA through the SDM?
A. Configure > Tasks > AAA
B. Configure > Authentication > AAA
C. Configure > Additional Authentication > AAA
D. Configure > Additional Tasks > AAA
E. Configure > AAA
Answer: D
NEW QUESTION 523
What aims to remove the ability to deny an action?
A. Integrity
B. Deniability
C. Accountability
D. Non-Repudiation
Answer: D
NEW QUESTION 524
In which two models can the Cisco Web Security Appliance be deployed? (Choose two.)
A. as a transparent proxy using the Secure Sockets Layer Protocol
B. as a transparent proxy using the HyperText Transfer Protocol
C. explicit active mode
D. as a transparent proxy using the Web Cache Communication Protocol
E. explicit proxy mode
Answer: DE
NEW QUESTION 525
Which two statements about hardware-based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.
Answer: CE
NEW QUESTION 526
What is the main purpose of Control Plane Policing?
A. to prevent exhaustion of route-processor resources
B. to organize the egress packet queues
C. to define traffic classes
D. to maintain the policy map
Answer: C
NEW QUESTION 527
What is the best definition of hairpinning?
A. ingress traffic that traverses the outbound interface on a device
B. traffic that enters and exits a device through the same interface
C. traffic that enters one interface on a device and that exits through another interface
D. traffic that tunnels through a device interface
Answer: B
NEW QUESTION 528
How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
B. Block suspicious hosts from DCE/RPC port 593.
C. Tunnel DCE/RPC traffic through GRE.
D. Configure the DCE/RPC preprocessor.
Answer: D
NEW QUESTION 529
Which SNMPv3 security level provides authentication using HMAC with MD5, but does not use encryption?
A. authPriv
B. authNoPriv
C. noAuthPriv
D. noAuthNoPriv
Answer: B
NEW QUESTION 530
Which type of firewall can perform deep packet inspection?
A. application firewall
B. stateless firewall
C. packet-filtering firewall
D. personal firewall
Answer: A
NEW QUESTION 531
Which type of mechanism does Cisco FirePOWER deploy to protect against email threats that are detected moving across other networks?
A. signature-based
B. reputation-based
C. antivirus scanning
D. policy-based
Answer: B
NEW QUESTION 532
You have implemented a dynamic blacklist, using security intelligence to block illicit network activity. However, the blacklist contains several approved connections that users must access for business purposes. Which action can you take to retain the blacklist while allowing users to access the approved sites?
A. Create a whitelist and manually add the approved addresses.
B. Edit the dynamic blacklist to remove the approved addresses.
C. Disable the dynamic blacklist and deny the specific address on a whitelist while permitting the others.
D. Disable the dynamic blacklist and create a static blacklist in its place.
Answer: A
NEW QUESTION 533
Which command enables port security to use sticky MAC addresses on a switch?
A. switchport port-security mac-address sticky
B. switchport port-security
C. switchport port-security violation protect
D. switchport port-security violation restrict
Answer: A
NEW QUESTION 534
Which attack can be prevented by OSPF authentication?
A. smurf attack
B. IP spoofing attack
C. Denial of service attack
D. buffer overflow attack
Answer: c
NEW QUESTION 535
Which mitigation technology for web-based threats prevents the removal of confidential data from the network?
A. CTA
B. AMP
C. DLP
D. DCA
Answer: C
NEW QUESTION 536
N/A
NEW QUESTION 537
N/A
NEW QUESTION 538
Which component of a security zone firewall policy defines how traffic is handled?
A. ACL
B. Service policy
C. Policy map
D. Class map
Answer: C
NEW QUESTION 539
Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only one that does not have to exactly match between VPN pees to be accepted?
A. DH group
B. Hashing algorithm
C. Encryption algorithm
D. Digital signature
E. Authentication method
F. Lifetime
Answer: F
NEW QUESTION 540
What is the range of levels provided by the Privilege command?
A. 0-16
B. 0-15
C. 1-16
D. 1-14
E. 0-14
F. 1-15
Answer: B
@Caan
Bolo has already provided the correct answeres for PL october and november in page 253.
Here are the corrected answers from Bolo
October:
Q.525: BC
Q.528: D
Q.534: C
November:
Q.538: C
Q.539: F
Q.540: B
Q.541: B
Q.542: BC (same as dump)
Q.543: A
Q.544: A
Q.545: B
Q.546: B
Q.547: C (same as dump)
Q.548: DE
Q.549: D
Q.550: B
Q.551: drag and drop solution is correct
NEW QUESTION 533
Which command enables port security to use sticky MAC addresses on a switch?
A. switchport port-security mac-address sticky
B. switchport port-security
C. switchport port-sdwecurity violation protect
D. switchport port-security violation restrict
Answer: A
Which two statements about hardware-based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.
ANS: BC or BD or BE?
Which two will be correct?
@BD_DHK – the answer for this question has already been provided dozens of times over the last few pages on the forum.
Which two statements about hardware-based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.
Answer: B, C
Q450 Refer to the exhibit. What is the effect of the given configuration?
Router1(config)#interface fastEthernet 0/0
Router1(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS
Router1(config-if)#ip ospf authentication message-digest
Router2(config)#interface fastEthernet 0/0
Router2(config-if)#ip ospf message-digest-key 1 md5 CISCOPASS
Router2(config-if)#ip ospf authentication message-digest
A. The two routers receive normal updates from one another.
B. It enables authentication.
C. It prevents keycham authentication.
D. The two devices are able to pass the message digest to one another.
Answer: D
Is the answer “D” the correct one?
@Anton
In this case, yes – D is correct. There is another version of this question, where keys are different: C1SCOPASS and CISCOPASS. For that other version answer C is the correct one.
@Anton
Hmm, after a second look, maybe it should be answer B: It enables authentication.
@Bolo – my bad, I have re-typed the configuration from the graphic in PL pdf and haven’t realised there is a deliberate mistake in the password configuration. Thanks for clarifying.
BTW, that is what I thought too – if there was no typo in the password, it would most likely be answer “B”.
Do we have all the answers for PL from [Oct-2018]? I would like to share the Word/PDF with you, so you could have a look and if you spot any errors I could get them corrected.
@Anton
I posted 3 corrections for PL October 2019. Never looked at any earlier PL dump than Oct/Nov from 2019.
October:
Q.525: BC
Q.528: D
Q.534: C
@bolo , can you confirm if its BC OR CE
NEW QUESTION 525
Which two statements about hardware-based encryption are true? (Choose two.)
A. It is potentially easier to compromise than software-based encryption.
B. It requires minimal configuration.
C. It can be implemented without impacting performance.
D. It is widely accessible.
E. It is highly cost-effective.
THX
@Caan
Man, you were already given answers I posted by gabbar, on this very page. And then this question was asked again by BD_DHK, and correct answer was given to him too, by Anton. And then you got the answer posted by me again in the post right above yours…
Correct answer is FFS
Thank you Bolo, I’ve passed the exam with flying colors.
You are a very good person, thank you.
C0achgreece + Passleader Nov enough to pass.
Happy new year Bolo.
@GABBAR
Congrats! And thanks for the feedback. Happy New Year to you too.
@Bolo
I can’t say it enough. You are the Hero!
Thank you.
congratulations gabbar! best of luck for the future mate
@x7x
Thank you.
Good luck to you too for the exam.
Happy new year.
is there any chance the questions will drastically change if i sit on the 1st of january since its a new year?
Congratulations!
Passed the 210-260 exam recently!
67 questions
1 Simulation
1 Drag and Drop (Shutdown, Restrict, Protect)
I mainly learned the PassLeader 210-260 dumps (553q NEW version), all questions are available in PassLeader.
Really helpful.
P.S.
Part of PassLeader 210-260 dumps are available here FYI:
drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg
(553q~~~NEW VERSION DUMPS Updated Recently!!!)
Good luck, all!
[copy that link and open it in your web browser]
And,
Part of PassLeader 210-260 IINS new questions (FYI):
[Get the download link at the end of this post]
NEW QUESTION 546
Which statement about TACACS+ is true?
A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: C
NEW QUESTION 547
Which effect of the secure boot-image command is true?
A. It configure the device to boot to the secure IOS image.
B. It archives a secure copy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.
Answer: C
NEW QUESTION 548
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: BC
NEW QUESTION 549
How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: C
NEW QUESTION 550
Which 802.1x component enforces the network access policy?
A. authentication server
B. authenticator
C. RADIUS server
D. supplicant
Answer: A
NEW QUESTION 551
Drag and Drop
Drag and drop the each port-security violation mode from the left onto the corresponding action on the right.
Answer:
NEW QUESTION 552
……
Download more NEW PassLeader 210-260 dumps from Google Drive here:
drive.google.com/drive/folders/0B-ob6L_QjGLpM1dfWVNVZ3Z5dzg
(553q~~~NEW VERSION DUMPS Updated Recently!!!)
Good luck, all!
[copy that link and open it in your web browser]
How do i sign up for premium membership?
Greetings friends, is there a CCNA cloud forum??? Please advise, thanks…
NEW QUESTION 550
Which 802.1x component enforces the network access policy?
A. authentication server
B. authenticator
C. RADIUS server
D. supplicant
Answer: A
My Question, is it A or B.
The authenticator enforces both the locally configured network access policy and the dynamically assigned network access policy returned by the authentication server
https: // http://www.cisco.com /c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html
NEW QUESTION 546
Which statement about TACACS+ is true?
A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: C
NEW QUESTION 547
Which effect of the secure boot-image command is true?
A. It configure the device to boot to the secure IOS image.
B. It archives a secure copy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.
Answer: C
NEW QUESTION 548
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: BC
NEW QUESTION 549
How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: C
NEW QUESTION 550
Which 802.1x component enforces the network access policy?
A. authentication server
B. authenticator
C. RADIUS server
D. supplicant
Answer: A
I pass 978/1000
67 questions
1 Simulation
1 Drag and Drop (Shutdown, Restrict, Protect)
Copy link and paste in your browser
lop.by/L5V
Which statement about TACACS+ is true?
A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: C
Hi Dears,
Could you please share latest dumps.
Hi, I have passed CCNA Cyberops 210-250 exam yesterday. Now i’m planning for 210-255 exam, Anyone here who will attempt or any of your friend of friend ? Please refer to me
packetdr0p at hotmail (dot) com
q36. Which statements about smart tunnels on a Cisco firewall are true? (Choose two.)
A. Smart tunnels can be used by clients that do not have administrator privileges
B. Smart tunnels support all operating systems
C. Smart tunnels offer better performance than port forwarding
D. Smart tunnels require the client to have the application installed locally
would like to ask which is the correct answer is it AD or is it AC. In the Passleader dumps they are saying AD but on Leadtopass dumps they are saying AC
@Bolo – thank you
@Gabbar – congrats and Happy New Year!
@sInner – I don’t think so, I have done that before (took exam in Jan, and the questions were the same)
Q28 Refer to the exhibit. Which type of NAT is configured on a Cisco ASA?
###
nat (ins,any) dynamic interface
###
A.Dynamic NAT
B. source identity NAT
C. Dynamic PAT
D. identity twice NAT
Answer:C
Shouldn’t the command for Dynamic PAT look more like the below?
nat(any,outgoing) dynamic interface
Does this mean the administrator named one of the interfaces as “ins” and changed the NAT direction?
@sInner
Questions usually don’t change drastically. There is always a chance that some of the current known questions will be replaced with new ones, but I never heard about whole exam changing. Also, I don’t think it has anything to do with new year.
@BD_DHK
It’s B – authenticator (aka Policy Enforcement Point)
@EMK
It’s AD.