Share your CCNA Security Experience

November 5th, 2015

Please share with us your experience after taking the CCNA Security 210-260 exam, your materials, the way you learned, your recommendations…

  1. Anton
    January 7th, 2020

    @”no name because I passed the exam”

    The new question you are talking about looks similar to Q15 from yako PDF:

    Q15 Which two statements about STP attacks are true? (Choose two)
    A. The attacker sets up a rogue DHCP server to intercept requests
    B. They can be performed only when Cisco Discovery Protocol is running
    C. They can be mitigated by disabling STP
    D. They can create the opportunity for subsequent man-in-the-middle attacks
    E. The attacker sends BPDU messages to become the root bridge
    F. They can be executed only from a hub
    Answer: D, E

  2. Anton
    January 7th, 2020

    @EMK
    How is management traffic isolated on a Cisco ASR 1002?
    A. Traffic is isolated based upon how you configure routing on the device.
    B. There is no management traffic isolation on a Cisco ASR 1002.
    C. The management interface is configured in a special VRF that provides traffic isolation from the default routing table.
    D. Traffic isolation is done on the VLAN level.
    Answer: C

    Which type of social engineering attack targets top executives?
    A. baiting
    B. vishing
    C. whaling
    D. spear phishing
    Answer: C

    Which two actions can an end user take to manage a lost or stolen device in Cisco ISE? (Choose two.)
    A. Reinstate a device that the user previously marked as lost or stolen.
    B. Activate Cisco ISE Endpoint protection Services to quarantine the device.
    C. Request revocation of the digital certificate of the device.
    D. Add the MAC address of the device to a list of blacklisted devices.
    E. Force the device to be locked with a PIN.
    Answer: A, E

    Which command do you enter to verify the Phase 1 status of a VPN connection?
    A. debug crypto isakmp
    B. sh crypto session
    C. sh crypto isakmp sa
    D. sh crypto ipsec sa
    Answer: C
    Just remember ISAKMP – Phase 1; IPsec – Phase 2

  3. ztech
    January 7th, 2020

    @luay

    Are you done with exam? Kindly share the feedback.

  4. Anonymous
    January 7th, 2020

    How is management traffic isolated on a Cisco ASR 1002?
    A. Traffic is isolated based upon how you configure routing on the device.
    B. There is no management traffic isolation on a Cisco ASR 1002.
    C. The management interface is configured in a special VRF that provides traffic isolation from the default routing table.
    D. Traffic isolation is done on the VLAN level.
    Answer: C

    Which type of social engineering attack targets top executives?
    A. baiting
    B. vishing
    C. whaling
    D. spear phishing
    Answer: C

  5. Anonymous
    January 7th, 2020

    I’m a bit confused about Simulation question.
    Step1: Firewall, Configuration, NAT Rules, Name=Http, IP version IPv4, IP address=172.16.1.2 Static NAT=209.165.201.30
    But I have seen they filled reversely.
    Step1: Firewall, Configuration, NAT Rules, Name=Http, IP version IPv4, IP address=209.165.201.30 Static NAT=172.16.1.2

    Which one is the correct way to configure?

  6. Primal
    January 7th, 2020

    @Anonymous I would say the 1st one. You NAT the real address 172.16.1.2 (inside local) to the publicly accessible global address 209.165.201.30.

    In addition, when you create the ACL to allow traffic to the webserver you reference the “Real address” 172.16.1.2, NOT the translated address of 209.165.201.30. That was a big shift from the 8.2 to 8.3 ASA codebase.

  7. Amjed
    January 7th, 2020

    Please could you confirm if the YUKI responses are correct? Thank you

  8. Andy138
    January 7th, 2020

    Any help with these, I’ve seen different answers:

    In which two models can the Cisco Web Security Appliance be deployed? (Choose two.)
    A. as a transparent proxy using the Secure Sockets Layer Protocol
    B. as a transparent proxy using the HyperText Transfer Protocol
    C. explicit active mode
    D. as a transparent proxy using the Web Cache Communication Protocol
    E. explicit proxy mode

    How will the traffic be affected if policy from the self-zone is removed?
    A. all traffic will be inspected.
    B. traffic will not be inspected.
    C. traffic will be passed with logging action.

    When is the default deny all policy an exception in zone-based firewalls?
    A. When traffic sources from the router via the self zone
    B. When traffic traverses two interfaces in the same zone
    C. When traffic terminates on the router via the self zone
    D. When traffic traverses two interfaces in different zones

    Which two options are advantages of an application layer firewall? (Choose two.)
    A. provides high-performance filtering
    B. makes DoS attacks difficult
    C. supports a large number of applications
    D. authenticates devices
    E. authenticates individuals

  9. No name because I passed the exam
    January 7th, 2020

    @Anton …yes yes the STP question is the same question 100% in the exam

  10. Anonymous
    January 7th, 2020

    Any help with this question,

    A network security administrator checks the ASA firewall NAT policy table with the show nat command. Which statement is false?
    A. First policy in the Section 1 is dynamic nat entry defined in the object configuration.
    B. There are only reverse translation matches for the REAL_SERVER object.
    C. NAT policy in Section 2 is a static entry defined in the object configuration.
    D. Translation in Section 3 is used when a connection does not match any entries in first two sections.

    Answer: A

    which one is the correct answer? A or D ?

  11. Primal
    January 7th, 2020

    @Anonymous

    You don’t show me the “Show NAT” command but the answer cannot be A as Section 1 is Manual NAT, not Auto NAT (defined in the object).
    I say the answer is D.

  12. Anton
    January 7th, 2020

    @Anonymous & @Primal – where can I find that simulation question you are referring to in your posts above?

  13. Anton
    January 7th, 2020

    @”No name because I passed the exam” – thanks for confirming

  14. Anonymous
    January 7th, 2020

    @Anton The Access list sim? I had to go back a few pages; it was a Google link that had it in there with some other dumps. The sim is wrong though, as the access list tells you to use the Translated IP and not the Real IP (private inside). That is 8.2 code.

  15. Anton
    January 7th, 2020

    @Anonymous – thanks for that, will try to dig it out.

  16. Adam
    January 7th, 2020

    What command can you use to verify the binding table status?
    A . show ip dhcp snooping database
    B . show ip dhcp snooping binding
    C . show ip dhcp snooping statistics
    D . show ip dhcp pool
    E . show ip dhcp source binding
    F . show ip dhcp snooping

    Hello guys I got two answer’s for this q
    which one is correct A/B ?

  17. Bolo
    January 7th, 2020

    A network security administrator checks the ASA firewall NAT policy table with the show nat command. Which statement is false?
    A. First policy in the Section 1 is dynamic nat entry defined in the object configuration.

    A is false, no need to see the output. Section 1 is for manual NAT entries and those can not be defined in the object configuration.

  18. Anton
    January 7th, 2020

    @Adam

    What command can you use to verify the binding table status?
    A . show ip dhcp snooping database
    B . show ip dhcp snooping binding
    C . show ip dhcp snooping statistics
    D . show ip dhcp pool
    E . show ip dhcp source binding
    F . show ip dhcp snooping
    Answer: B

  19. Anton
    January 7th, 2020

    @Bolo – do you have that SIM question guys are discussing above somewhere in your docs?

    I’m trying to find it

  20. Bolo
    January 7th, 2020

    @Anton
    IIRC it’s in Anubis file

  21. EMK
    January 7th, 2020

    @Anton /Bolo

    Kindly assist with the coachgrees questions you can send them to my email address {email not allowed}

    thanks in advance

  22. kme
    January 7th, 2020

    Kindly assist with the coachgrees questions eric kiarie @ yahoo com

  23. Primal
    January 7th, 2020

    @Adam
    Tricky question. I think it is A. As show ip dhcp snooping database does show the “status” as below:
    Load for five secs: 4%/0%; one minute: 4%; five minutes: 3%
    No time source, *05:54:35.898 EST Tue Jan 7 2020
    Agent URL :
    Write delay Timer : 300 seconds
    Abort Timer : 300 seconds

    Agent Running : No
    Delay Timer Expiry : Not Running
    Abort Timer Expiry : Not Running

    Last Succeded Time : None
    Last Failed Time : None
    Last Failed Reason : No failure recorded.

    Total Attempts : 0 Startup Failures : 0
    Successful Transfers : 0 Failed Transfers : 0
    Successful Reads : 0 Failed Reads : 0
    Successful Writes : 0 Failed Writes : 0
    Media Failures : 0

    whereas sho ip dhcp snooping bindings shows actual MAC to IP bindings. Just my opinion

  24. EMK
    January 7th, 2020

    @Anton /Bolo

    Kindly assist with the coachgrees questions eric kiarie @ yahoo com

    Thanks in advance

  25. Andy138
    January 7th, 2020

    @ Bolo, is the Anubis sim correct with 172. being the inside local and the 209. being the static nat? I feel like that is correct but I have seen it switched around more than once.

  26. Primal
    January 7th, 2020

    @Andy138
    I work on ASAs as part of my job. The NAT on Anubis looks good. The access list is wrong for 8.3 code and above though. You reference “Real” IPs in the access-list in newer code. So the destination on the access rule should be 172.16.1.2. Look up how access lists work differently between 8.2 code and 8.3 and above. You will get what I mean. As for what Cisco really wants on the sim, who knows.

  27. Andy138
    January 7th, 2020

    @Bolo Appreciate the feedback, getting ready for my second attempt and got a document with all these corrected q&a’s. About enough to make my head spin! 846 the first time around.

  28. Primal
    January 7th, 2020

    @Andy138
    Good luck! You were so close last time. What sim did you have for the last attempt?

  29. Andy138
    January 7th, 2020

    @Primal, appreciate it. The last sim was verifying ASA configs and the DnD was the port security. It would be nice to get the same exam again but I doubt it so preparing for all possibilities

  30. Andy138
    January 7th, 2020

    I’ll let you know how it goes, taking it Friday as it was the soonest I could re-take it.

  31. Anonymous
    January 7th, 2020

    @ ANDY138

    KINDLY ASSIST WITH THE coachgrees questions YOU CAN SEND HERE

    eric kiarie @ yahoo com

  32. MQQ
    January 7th, 2020

    My Exam will be at Thursday 9/1
    I studied kharajee with bolo correction.
    is this enough?

    Please advise.

  33. MQQ
    January 7th, 2020

    My Exam will be on Thursday 9/1
    I studied k h a g e n s i t e . c o m with bolo correction.
    is this enough

    Please advise.

  34. Andy138
    January 7th, 2020

    @Anonymous I didn’t use coach, been using PL and going through the last few pages of this feed getting some answers corrected.

  35. Caan
    January 7th, 2020

    Bolo bhai,
    confirm me below answer please

    Q526 What is the main purpose of Control Plane Policing?
    A. to prevent exhaustion of route-processor resources
    B. to organise the egress packet queues
    C. to define traffic classes
    D. to maintain the policy map

    A or C

  36. Rocky
    January 7th, 2020

    @Caan
    Q526 What is the main purpose of Control Plane Policing?
    Answer to prevent exhaustion of route-processor resources

  37. Anon
    January 7th, 2020

    This seems to have different answers. Anyone know the real ones?

    QUESTION 106
    If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events
    will occur when the TACACS+ server returns an error? (Choose two.)
    A. Authentication attempts to the router will be denied
    B. The user will be prompted to authenticate using the enable password
    C. Authentication will use the router’s local database
    D. Authentication attempts will be sent to the TACACS+ server

  38. Luay
    January 8th, 2020

    @ Caan , q526: A

  39. Luay
    January 8th, 2020

    I passed my test 789.
    Thank you BoLo…

  40. Luay
    January 8th, 2020

    Sorry , I got 989… lol

  41. Anon
    January 8th, 2020

    Congrats! luay. Sim was ASDM SSL VPN? any other info?

  42. Luay
    January 8th, 2020

    Thank you Bolo, yes 4 questions ASDM SSL VPN . The same questions and answers in the dumps

  43. Anonymous
    January 8th, 2020

    @Luay from what dumps? Thanks!

  44. Luay
    January 8th, 2020

    @Anonymous, I used Lead2Pass dumps. But it has a lot of wrong answers, so I corrected them by following Bolo’s answers in this forum.

  45. Anonymous
    January 8th, 2020

    @Luay Is coachgreece and youki’s still valid? how about the drag and drop and sim?

  46. Harikrishnan A
    January 8th, 2020

    What is the pass mark for ccna security 210-260.
    Also please share drag and drop questions. I don’t have any apart from shutdown, restrict, protect, shutdown vlan.

  47. Harikrishnan A
    January 8th, 2020

    Also please share the sim. I have only that clientless SSL VPN ASDM sim. Is any other coming in the exam? @Anton, @x7x, @Bolo.
    @Anton – Thanks for port security D&D answer.

  48. Bolo
    January 8th, 2020

    Reposting the link for PDFs of all important files, and some rubbish (remove spaces in the link):

    drive.google.com /drive /folders /1hol5viWl3lH5req2F2WQR_ffzCR-kxi8

    Corrected answers, discussion etc. are all on this forum – don’t be lazy and read last few pages.

  49. Bolo
    January 8th, 2020

    @Luay
    Grats! Good score too, nice

    About that sim:
    ASA version can be checked in ASDM, in the Device Dashboard. Primal is right about differences between ASA versions and ACL config.
    If this sim comes up in the exam (which I haven’t seen anyone mentioning here in past months) you can check the ASA version, or just configure the ACL one way and see if it works.
    Keep in mind that devices in the sim are accessible and you have tools to verify if the config is correct. And TBH, you should not leave the sim without verifying everything.

  50. MQQ
    January 8th, 2020

    If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)

    A. The user will be prompted to authenticate using the enable password
    B. Authentication attempts to the router will be denied
    C. Authentication will use the router`s local database
    D. Authentication attempts will be sent to the TACACS+ server

    AB ?

    @bolo

  51. Joel
    January 8th, 2020

    Anyone has exam simulator to open ete and vcex files?
    Thank you!

  52. Anton
    January 8th, 2020

    @Luay – congrats!!!

    From Youki PDF:

    QUESTION 149
    Which feature filters CoPP packets?
    A. Policy maps
    B. Class maps
    C. Access control lists
    D. Route maps
    Answer: C

    Is this the correct answer?

  53. Anton
    January 8th, 2020

    @Bolo – thanks a lot! Got it now!

  54. Andy138
    January 8th, 2020

    1. Which statement about TACACS+ is true?
    A. Passwords are transmitted between the client and server using MD5 hashing.
    B. TACACS is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS is used for access to network resources more than administrator access to network devices.
    D. TACACS server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext
    Is it B or C?

    2. How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?
    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.
    Is it C or D?

    3. What are two advanced features of the Cisco AMP solution for endpoints? (Choose two.)
    A. sandboxing
    B. reflection
    C. reputation
    D. foresight
    E. contemplation
    Is it A,B or A,C?

    4. In which two models can the Cisco Web Security Appliance be deployed? (Choose two.)
    A. as a transparent proxy using the Secure Sockets Layer Protocol
    B. as a transparent proxy using the HyperText Transfer Protocol
    C. explicit active mode
    D. as a transparent proxy using the Web Cache Communication Protocol
    E. explicit proxy mode
    Is it D,E?

  55. Andy138
    January 8th, 2020

    @Bolo, thanks for all you do!

  56. Anton
    January 8th, 2020

    @Andy138

    1. Which statement about TACACS+ is true?
    A. Passwords are transmitted between the client and server using MD5 hashing.
    B. TACACS is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS is used for access to network resources more than administrator access to network devices.
    D. TACACS server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext
    Answer: B

    2. How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?
    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.
    Answer: D

    3. What are two advanced features of the Cisco AMP solution for endpoints? (Choose two.)
    A. sandboxing
    B. reflection
    C. reputation
    D. foresight
    E. contemplation
    Answer: A, C

    4. In which two models can the Cisco Web Security Appliance be deployed? (Choose two.)
    A. as a transparent proxy using the Secure Sockets Layer Protocol
    B. as a transparent proxy using the HyperText Transfer Protocol
    C. explicit active mode
    D. as a transparent proxy using the Web Cache Communication Protocol
    E. explicit proxy mode
    Answer: D, E

  57. Andy138
    January 8th, 2020

    @Anton appreciate it, thanks for all you do as well!

  58. Anton
    January 8th, 2020

    @Primal & Adam – I would still go with answer B

    What command can you use to verify the binding table status?
    A . show ip dhcp snooping database
    B . show ip dhcp snooping binding
    C . show ip dhcp snooping statistics
    D . show ip dhcp pool
    E . show ip dhcp source binding
    F . show ip dhcp snooping

    From my switch:

    SWITCH01#show ip dhcp snooping ?
    binding DHCP snooping bindings
    database DHCP snooping database agent
    statistics DHCP snooping statistics
    | Output modifiers

    SWITCH01#show ip dhcp snooping binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    ------------------ --------------- ---------- ------------- ---- --------------------
    Total number of bindings: 0

    SWITCH01#show ip dhcp snooping database
    Agent URL :
    Write delay Timer : 300 seconds
    Abort Timer : 300 seconds

    Agent Running : No
    Delay Timer Expiry : Not Running
    Abort Timer Expiry : Not Running

    Last Succeded Time : None
    Last Failed Time : None
    Last Failed Reason : No failure recorded.

    Total Attempts : 0 Startup Failures : 0
    Successful Transfers : 0 Failed Transfers : 0
    Successful Reads : 0 Failed Reads : 0
    Successful Writes : 0 Failed Writes : 0
    Media Failures : 0

    I haven’t got DHCP snooping enabled here but my understanding is that the database agent usually points to a TFTP location where the database with DHCP snooping bindings is stored (Configure the DHCP snooping database agent. This step ensures that database entries are restored after a restart or switchover).

    The command will display the information about the agent (URL) and some statistics not the binding.

  59. Anton
    January 8th, 2020

    @Anon – there is a massive debate with regards to this question hence different answer choices:

    QUESTION 106
    If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events
    will occur when the TACACS+ server returns an error? (Choose two.)
    A. Authentication attempts to the router will be denied
    B. The user will be prompted to authenticate using the enable password
    C. Authentication will use the router’s local database
    D. Authentication attempts will be sent to the TACACS+ server

    After careful command inspection the only right answer choice is “B” but because we have to go with 2x choices, I would go for “B” & “D”.

    I will have some time tomorrow to get this tested in the office on one of the spare routers and let you all know the results.

  60. Luay
    January 8th, 2020

    My grade in my test was:

    Security concepts 100%
    Security Routing and switching 88%
    Vpn 92%

  61. M&M
    January 8th, 2020

    I passed my test 942. dumps are valid

    Thank you BoLo…

  62. Anton
    January 8th, 2020

    @M&M – congrats!!!

    Which Dumps have you used?

  63. M&M
    January 8th, 2020

    coachgreece, youki’s and PassLeader Oct/Nov 2019

    67 questions
    1 Simulation ASA
    1 Drag and Drop (Shutdown)

  64. Anton
    January 8th, 2020

    @M&M – great, thank you for confirming!!!

  65. annoymous
    January 8th, 2020

    Q528

    D is correct

    ‘The DCE/RPC preprocessor uses these and other protocol-specific characteristics to monitor both protocols for anomalies and other evasion techniques, and to decode and defragment traffic before passing it to the rules engine’

    https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/application_layer_preprocessors.html

  66. Primal
    January 8th, 2020

    @Anton Thanks, that is nice. I can confirm A LOT of these questions are on the exam. I just passed late yesterday. On to JNCIA-Sec!

  67. Anton
    January 8th, 2020

    @Primal – thanks and congrats!!! I have a feeling this would be enough to pass but won’t take my chances and study Youki too.

    Good luck with your Juniper certifications!

  68. Anonymous
    January 9th, 2020

    QUESTION 106
    If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events
    will occur when the TACACS+ server returns an error? (Choose two.)
    A. Authentication attempts to the router will be denied
    B. The user will be prompted to authenticate using the enable password
    C. Authentication will use the router’s local database
    D. Authentication attempts will be sent to the TACACS+ server

    After careful command inspection the only right answer choice is “B

  69. Koko
    January 9th, 2020

    Can anyone share the latest dump (valid) i can use to study ccna sec?

  70. Anonymous
    January 9th, 2020

    Anyone can help me a bit, I’m confused about this question

    If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?

    A. loop guard
    B. root guard
    C. EtherChannel guard
    D. BPDU guard

    which one is correct answer ? B or D ?

  71. kris
    January 9th, 2020

    its b

  72. Anton
    January 9th, 2020

    @Anonymous

    If a switch receives a superior BPDU and goes directly into a blocked state, what mechanism must be in use?
    A. loop guard
    B. root guard
    C. EtherChannel guard
    D. BPDU guard
    Answer: B

  73. Arun
    January 9th, 2020

    Passed today with 950+ score.
    Many thanks to @Youki, @Bolo.

  74. Anton
    January 9th, 2020

    @Arun – congrats!!!

  75. kris
    January 9th, 2020

    @Arun what was in your exam? what sim? what did you use?

  76. Cisc0
    January 9th, 2020

    Root guard puts it in a blocking state, BPDU puts it in err-disabled state

  77. Anton
    January 9th, 2020

    @all

    QUESTION 106
    If a router configuration includes the line aaa authentication login default group tacacs+ enable, which events will occur when the TACACS+ server returns an error? (Choose two.)
    A. Authentication attempts to the router will be denied
    B. The user will be prompted to authenticate using the enable password
    C. Authentication will use the router’s local database
    D. Authentication attempts will be sent to the TACACS+ server

    So I have finally managed to test this. My config below:

    ###########################################################

    enable secret 5 $1$R7Xc$LiC8W5/TfSWAgHxqtwa82/
    username ciscoadmin privilege 15 secret 5 $1$R7Xc$LiC8W5/TfSWAgHxqtwa82/

    aaa new-model

    aaa authentication login default group tacacs+ enable
    aaa authorization exec default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+

    tacacs-server host 10.10.10.10 key Password1
    tacacs-server host 10.10.10.11 key Password1

    line con 0
     transport input none
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     transport input telnet ssh

    ###########################################################

    I have tested with a console cable as well as by telneting to the device and the behavior is the same – I can log in to the device with the enable password successfully.

    With “debug aaa authentication” enabled I can see the requests going to the TACACS+ hosts, but because there is no configuration on the Cisco ACS done for my Router, after 5s it falls back to enable Password.

    If I try to SSH to the router, it won’t work because SSH requires username&password – I would have to add local method to the default list to make it work.

    If I unplug the LAN cable from the router, it asks for the enable password immediately (doesn’t wait 5s) as it cannot contact the TACACS+ servers (tested via Console).

    It will never accept the local credentials even though I had “ciscoadmin” configured and tried to SSH.
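
The fall-through described in the post above, modelled as an added example (not part of any poster's comment and not Cisco code): a login method list moves on to the next method only when the current one returns an error, never when it returns a reject. The list name `VTY-LOCAL`, the function names and the outcome tables are assumptions made for illustration.

```python
import re

# Result one method can give for a single login attempt.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample: the method list from the post plus a hypothetical
# variant (VTY-LOCAL is a made-up list name) that adds the `local` method.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login VTY-LOCAL group tacacs+ local enable
aaa authorization exec default group tacacs+ none
"""


def parse_login_lists(config):
    """Return {list_name: [methods]} for each `aaa authentication login` line."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication login (\S+)\s+(.+)", line)
        if not m:
            continue
        tokens, methods, i = m.group(2).split(), [], 0
        while i < len(tokens):
            # "group <name>" is a single method made of two tokens.
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def deciding_method(methods, outcomes):
    """Walk the list in order. Only ERROR (no usable answer) moves on to the
    next method; PASS or FAIL from any method is final. `outcomes` maps a
    method to the result it would give; unlisted methods count as ERROR."""
    for method in methods:
        result = outcomes.get(method, ERROR)
        if result != ERROR:
            return method, result
    return None, FAIL  # model assumption: every method errored, login denied


def audit(lists):
    """Flag lists whose fallback behaviour deserves a second look."""
    findings = []
    for name, methods in lists.items():
        has_group = any(m.startswith("group ") for m in methods)
        if has_group and "local" not in methods:
            findings.append((name, "no 'local' method: local usernames are never consulted"))
        if methods and methods[-1] == "none":
            findings.append((name, "ends in 'none': login succeeds if every method errors"))
    return findings


if __name__ == "__main__":
    lists = parse_login_lists(SAMPLE_CONFIG)
    unreachable = {"group tacacs+": ERROR, "enable": PASS, "local": PASS}
    rejecting = {"group tacacs+": FAIL, "enable": PASS, "local": PASS}
    for name, methods in lists.items():
        print(name, methods)
        print("  server error  ->", deciding_method(methods, unreachable))
        print("  server reject ->", deciding_method(methods, rejecting))
    for name, issue in audit(lists):
        print("finding:", name, "-", issue)
```
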

  78. Arun
    January 9th, 2020

    @Anton – Thanks
    @kris – 67 questions, 1 SIM with 4 questions and 1 drag and drop [Shutdown, Shutdown VLAN, Protect & Restrict]
    Youki/Coachgreece/this thread.

  79. EMK
    January 9th, 2020

    hi everyone would like to get a clarification on this question

    What features can protect the data plane? (choose 3)

    A. policing
    B. ACLs
    C. IPS
    D. antispoofing
    E. QoS
    F. DHCP-snooping

    On the official guide it says the following are used for security measures:
    Access control lists (ACL)
    Layer 2 controls, such as private VLANs, Spanning Tree Protocol (STP) guards
    IOS IPS, zone-based firewall

  80. EMK
    January 9th, 2020

    I believe with Anton’s and Bolo’s answers and explanations plus passleader we are good to go . All the best to everyone sitting for their exams. Thank you everyone on this forum . doing mine tomorrow

  81. MQQ
    January 9th, 2020

    Passed today with 984
    Special thanks for Bolo

    All the dumps from khagen site, I studied less than 100 questions but with bolo correction.

    Thanks all

  82. CJ
    January 9th, 2020

    khagen site whats the address?

  83. Cisc0
    January 9th, 2020

    @EMK
    B,D,F

  84. Primal
    January 9th, 2020

    @Anton
    Thanks for labbing that up! I would say that confirms B and D for the answer.

  85. Mqq
    January 9th, 2020

    k h a g e n s i t e . c o m

  86. Jamie
    January 9th, 2020

    @Arun
    How much of the exam was similar to Coachgreece questions?

  87. Anton
    January 9th, 2020

    @MQQ – congrats! Nice score by the way
    @Primal – not a problem and yes, I would go for B&D
    @EMK – good luck!

  88. Anton
    January 9th, 2020

    @Bolo

    Which answer would you go for?

    What features can protect the data plane? (Choose three)
    A. policing
    B. ACLs
    C. IPS
    D. antispoofing
    E. QoS
    F. DHCP-snooping
    Answer: A, B, F or B, D, F

  89. aek
    January 9th, 2020

    Hi all,
    @Bolo, @ Anton,@Arun

    Please someone can confirm which address should be applied on sim regarding ACL
    the real or translated?

    – Which IOS supports the real address since 8.4?
    I
    -if it ‘s the old ASDM which translated address need to be applied onto ACL,
    do we need to permit the traffic to the global address, as well?

    I’d really appreciate it if someone can clarify it.
    Thanks

  90. Primal
    January 9th, 2020

    Policing is more associated with the Control Plane. B,D, and F are def. Data plane.

  91. CJ
    January 9th, 2020

    has anyone got anything to open ETE files?

  92. Anton
    January 9th, 2020

    @Primal – thanks for clarifying
    @aek – you can have a look at Primal’s comment with regards to ASA (bottom of the page 256)

    If I would get the LAB during my exam (which apparently hasn’t happened for a while now) I would just get it tested with both options and see which one works.

  93. Primal
    January 9th, 2020

    @aek
    8.3 and above use the real address for the access-list; 8.2 and below use the translated. Anton gave good advice. See which one works, although I would try the real address first since it is current IOS.

  94. aris
    January 9th, 2020

    @Andy
    1=DE
    2=YOU’RE MISSING THE D WHICH MIGHT BE CORRECT
    3=B
    4=BE

  95. aek
    January 9th, 2020

    Thanks @Anton,@Primal for your answers were so helpful.

    My question is if the ASDM is 8.2 and below. If I’m not mistaken, it’s not enough just the translated addr, we have to permit traffic to global address as well.

    Any advice ?
    thanks

  96. Primal
    January 9th, 2020

    @aek The internal address (inside local) is translated to inside global, so lots of times it’s the same IP as outside global depending on your perimeter design. Just use the IP that you translated the inside IP to. It will work. Google some examples on the difference between 8.2 and 8.3 NAT. You will find TONS of examples.

  97. Andy138
    January 9th, 2020

    @Arun which ASA sim was it configuring or verifying configs?

  98. Nasser
    January 9th, 2020

    Hi all..
    Anyone here can tell me how many configuration questions (labs) are in the exam ?
    and what are the regular labs?

  99. travis
    January 9th, 2020

    @anton thank you for taking time to summarise the last few pages of this site, awesome effort!
    Almost all I would go with the same answer but a few I have some queries:

    Q14 Which two configurations can prevent VLAN hopping attack from attackers at VLAN 10? (Choose two)
    A. creating VLAN 99 and using switchport trunk native vlan 99 command on trunk ports
    B. enabling BPDU guard on all access ports
    C. using switchport trunk native vlan 10 command on trunk ports
    D. using switchport nonegotiate command on dynamic desirable ports
    E. applying ACL between VLANs
    F. using switchport mode access command on all host ports
    Answer: A, F

    I would say D,F as this means that access ports cannot become trunk which is required in vlan hop attack also see Q496

  100. travis
    January 9th, 2020

    @anton

    Q404 Which type of VLANs can communicate to PVLANs? (or something like this) (Choose two)
    A. promiscuous
    B. isolated
    C. community
    D. backup
    E. secondary
    Answer: A, B

    I would assume this Q is wrong/ missing some detail and the answer is B,C also see Q441

