Home > Share your CCNA Security Experience

Share your CCNA Security Experience

November 5th, 2015 Go to comments

Please share with us your experience after taking the CCNA Security 210-260 exam, your materials, the way you learned, your recommendations…

Comments (100) Comments
Comment pages
1 7 8 9 10 11 22 675
  1. Pebcak
    December 2nd, 2019

    @Mostafa

    I have an online course I’m finishing through Global Knowledge, Quizlet and reviewing all other materials.

    The 21st is the earliest I feel comfortable doing it and my first test is being paid for by my company.

    IF for some reason I fail, I’ll still have the two weeks to try again before I expire on Jan 10.

  2. Cisco Guy
    December 2nd, 2019

    @Mostafa and other Security guys : Just to be clear are below dumps enough to pass this exam : coachgreece, cisco.pass4sure.210-260.v2019-10-28.by.daisy.201q , Youki 5-24-2019 , new question ccna security_yako ” With reading the last 5 pages from this form to correct wrong answers”. I’m planning to pass this exam within 2 weeks maximum…. thanks :)

  3. @Cisco Guy
    December 2nd, 2019

    That’s it!

    Thanks for the help @CoachGreece @Youki @Anubis @Yakoussine it helped a lot!

    1 Sim
    1 DnD port security mentioned in a post here
    67 Q

  4. Joseph
    December 3rd, 2019

    50% discount on all Cisco questions and answers. Biggest offer for Christmas. Regardless of whether there are major updates next year, free updates will be provided until you pass the exam. note! This is the only offer throughout the year.
    Stable and effective CCNA questions and answers(URL NO ***)
    Stable and effective CCNP questions and answers(URL NO ***)
    Stable and effective CCIE questions and answers(URL NO ***)
    Stable and effective CISSP questions and answers(URL NO ***)
    ht*****tps://docs.google.c*****om/document/d/1YCdNtwSUrdTW68-9n2JAVEHJOKjsYQSgTmUewKNarG4/edit?usp=sharing

  5. Joseph is a spammer spammer
    December 3rd, 2019

    Joseph is a spammer spammer

    Joseph is a spammer spammer

    Joseph is a spammer spammer ………………

  6. Anonymous
    December 3rd, 2019

    NEW QUESTION 546
    Which statement about TACACS+ is true?

    A. Passwords are transmitted between the client and server using MD5 hasing.
    B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS_ is used for access to network resources more than administrator access to network devices.
    D. TACACS_ server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext.

    Answer: C

    NEW QUESTION 547
    Which effect of the secure boot-image command is true?

    A. It configure the device to boot to the secure IOS image.
    B. It archives a secure copy of the device configuration.
    C. It archives a secure copy of the IOS image.
    D. It displays the status of the bootset.

    Answer: C

    NEW QUESTION 548
    Which two statements about an IPS in tap mode are true? (Choose two.)

    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all ewtraffic, regardlergess of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: BC

    NEW QUESTION 549
    How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?

    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.

    Answer: C

    NEW QUESTION 550
    Which 802.1x component enforces the network access policy?

    A. authentication server
    B. authenticator
    C. RADIUS server
    D. supplicant

    Answer: A

  7. Anonymous
    December 3rd, 2019

    NEW QUESTION 548
    Which two statements about an IPS in tap mode are true? (Choose two.)

    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all ewtrafwefic, regardlergess of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: BC

  8. @Anonymous
    December 3rd, 2019

    Which two statements about an IPS in tap mode are true? (Choose two.)

    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all traffic, regardless of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: DE

  9. Zero experience Guy
    December 3rd, 2019

    Cheers!! I am seeing all kinds of study guides. I have somone thats suppose to email me CoachGreece study material. I am also writing down all the questions I see in this forum as well. Will this be enough to pass the test???

  10. Campy
    December 3rd, 2019

    What is the main purpose of Control Plane Policing?
    A. to prevent exhaustion of route-processor resources.
    B. to define traffic classes.
    C. to organize the egress packet queues.
    D. to maintain the policy map.

    Can someone help me with this answer…..It could be both A&B Im not sure…..Please help..

  11. no_mans_land
    December 3rd, 2019

    Passed today with a 917. Only used CoachGreece pdf and Youki 5-24-2019. Both are enough to pass.

    67Q
    Same SIM
    Same D&D with port status.

  12. @Campy
    December 3rd, 2019

    What is the main purpose of Control Plane Policing?
    A. to prevent exhaustion of route-processor resources.
    B. to define traffic classes.
    C. to organize the egress packet queues.
    D. to maintain the policy map.

    The answer is A

    EXPLANATION:
    Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance. Route processor resource exhaustion, in this case, refers to all resources associated with the punt path and route processor(s) such as Cisco IOS process memory and buffers, and ingress packet queues.

  13. @ @Campy
    December 3rd, 2019

    Cheers Mate!! Thank you!!

  14. Mostafa
    December 3rd, 2019

    @Pebcak and Cisco GUY please post your emails here.

  15. Bolo @Mostafa
    December 3rd, 2019

    Put it up in gDrive for all the people, if u don’t mind. I’m assuming you want to share your material.

  16. @ No_mans_land
    December 3rd, 2019

    I have covered Coachgreese but only half way with Youki. I have also reviewed the new questions from yako. Do you think this will be enough to pass? I test tomorrow.:(

  17. Where is Yako?
    December 3rd, 2019

    Link to Yako please?

  18. STP Drag N Drop
    December 3rd, 2019

    Can someone share infomation about the STP Drag N DROP question seen on this test? or just explain it to me? Thank you kindly!!

  19. Bolo
    December 4th, 2019

    It’s not STP DnD, more like Port Security:

    Shutdown The interface is error-disabled
    Shutdown Vlan The virtual layer 2 segment is disabled
    Restrict When the number of secure MAC address on the port reaches a specified maximum limit, the port drops packet and sends an SNMP trap
    Protect When the number of secure MAC addresses on the port reaches a special maximum, the port drops packets without notification.

  20. Anton
    December 4th, 2019

    Hey all,

    Anyone has the 553q PDF dump and possibly VCE file to share?

    anton . shawood @ gmail . com

    Thank you

  21. NoJobYet
    December 4th, 2019

    Please tell us the best dumps and post them here

    Your help with dumps really help

    Please

  22. @Bolo
    December 4th, 2019

    Thank you

  23. Curious
    December 4th, 2019

    Can anyone confirm this..
    Which two statements about Hardware-Based encryption are true?

    A. It is potentially easier to compromise than software-based encryption.
    B. It can be implemented without impacting performance.
    C. It is widely accessible.
    D. It is highly cost-effective
    E. It requires minimal configuration

    Select 2: I think its B & D Or maybe D&E Can somone chime in?

  24. Bolo
    December 4th, 2019

    @Curious

    It’s B and E

  25. Cisco Guy
    December 4th, 2019

    @Mostafa : this is my email address {email not allowed}.. thanks

  26. Anonymous
    December 4th, 2019

    this is my email address Samiser123 @ gmail.com .. thanks

  27. December 4th, 2019
    December 4th, 2019

    this is my email address Samiser123 @ gmail.com .. thanks

  28. Cisco Guy
    December 4th, 2019

    this is my email address Samiser123 @ gmail.com .. thanks

  29. NoJobYet
    December 4th, 2019

    Valid dumps please

  30. Question for Bolo
    December 4th, 2019

    Bolo,
    You seem informed.

    Do you know if the questions and simulations covered in the Coachgreece PDF and VCE are enough to pass or are there possible questions from the anubis pdf (400+ bank questions)as well?

    Some people are saying they had one sim with 4 questions but the coachgreese sims are one question per sim?

  31. george
    December 4th, 2019

    hello sir

    can you share the dumps please for CCNA SECURITY

    Thanks

  32. Question for Bolo
    December 4th, 2019

    Never mind about the sim questions. The Anubis pdf answered my question…

    I still would like to know if coachgreece and Anubis are still enough to pass??
    I understand some of the answers are incorrect.

  33. Anonymous
    December 5th, 2019

    [13:57, 25.11.2019] sea: NEW QUESTION 528
    How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?

    A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
    B. Block suspicious hosts f7rom DCE/RPC port 593.
    C. Tunnel DCE/RPC traffic through GRE.
    D. Configure the DCE/RPC preprocessor.

    ====================

    Answer: B

  34. Anonymous
    December 5th, 2019

    is any one can share the last Dumb please

  35. Bolo
    December 5th, 2019

    Better get Youki than Anubis – Youki has almost all incorrect answers from Anubis corrected. And people who passed this week are saying here that c0achgreece and Youki was enough for 900+ points.

  36. Bolo
    December 5th, 2019

    How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?

    A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
    B. Block suspicious hosts f7rom DCE/RPC port 593.
    C. Tunnel DCE/RPC traffic through GRE.
    D. Configure the DCE/RPC preprocessor.

    The answer is D

  37. Anonymous
    December 5th, 2019

    Please share with me c0achgreece and Youki
    Aijana dot sul add gmail dot com
    Please please please taking the test next week

  38. AJ
    December 5th, 2019

    Please share with me c0achgreece and Youki
    Aijana dot sul add gmail dot com
    Please please please taking the test next week. Thanks in advance

  39. Anonymous
    December 5th, 2019

    Which description of the nonsecret numbers that are used to start a Diffie-Hellman exchange is true?
    A. They are large pseudorandom numbers
    B. They are very small numbers chosen from a table of known values
    C. They are numeric values extracted from hashed system hostnames
    D. They are preconfigured prime integers

    D?

  40. Anton
    December 5th, 2019

    Hey Curious,

    Would you be able to share you pdf dumps?

    Do you have the one with 553q? I was only able to find the one with 353q.

    Please let me know – I’m planning to take the test before Cisco changes it on 24th of January.

  41. Anton
    December 5th, 2019

    Thanks Anonymous,

    the c0achGreece from the first link – is that only a VCE file?

    Do you have PDF with all these questions too?

  42. Bolo
    December 5th, 2019

    PDFs with all those (Youki, c0achGreece, Anybis, Yako, daisy):
    drive.google.com /drive /folders /1hol5viWl3lH5req2F2WQR_ffzCR-kxi8

  43. Ip Helper
    December 5th, 2019

    Which command do you enter to verify the Phase 1 status of a VPN connection?

    A. debug crypto isakmp
    B. sh crypto session
    C. sh crypto isakmp sa
    D. sh crypto ipsec sa

    On the dumps I am seeing the answer is C is this correct? or possibly D?

  44. Bolo
    December 5th, 2019

    Phase 1 – isakmp
    Phase 2 – ipsec

    So the correct answer is C

  45. @Bolo
    December 5th, 2019

    Thank you Bolo!!

  46. Thank You
    December 5th, 2019

    @Anonymous

    The youki.vce dumps says cant open via VCE1.0.2 as it been created with newer version of VCE Exam simulator

    can you give us new version of vce or update youki please

  47. Mark Davis
    December 5th, 2019

    any advise on how many simoulator questions and where to find them

  48. Bolo
    December 5th, 2019

    @Mark Davis: lab and sim are in the dumps linked above
    @Thank You: can’t help you with .vce, sry. I don’t use VCEs, so I don’t have any players.

  49. Alina
    December 5th, 2019

    Hi , c0achGreece fine only have 67 questions so what is the passing possibility if someone only prepares from c0achGreece ?

  50. Anonymous
    December 5th, 2019

    @ Alina pssibility will be very slim. Consult and read thru other study material. Everything you need to pass is here. G00d Luck!!

  51. Anonymous
    December 6th, 2019

    Which 802.1x component enforces the network access policy?

    a. RADIUS Server b. Authentication server c. Supplicant d. Authenticator

    Asnwer is D……am I right or wrong anyone?

  52. Gilbert
    December 6th, 2019

    Today is a lucky day. I bought a CCNP question and answer for 50% off. I believe that I can get CCNP certification through this material. I have observed this website for a long time, and the website has helped many people pass CCNA CCNP CCIE. This is their only discount this year. Seize the opportunity. Although I heard that Cisco is about to usher in a major reform, the website can guarantee a free update for one year, so I am not worried about the next change of Cisco(URL NO *****)
    ht*****tps://docs.google.c*****om/document/d/1YCdNtwSUrdTW68-9n2JAVEHJOKjsYQSgTmUewKNarG4/edit?usp=sharing

  53. Anton
    December 6th, 2019

    Hi all,

    Has anyone managed to combine all these PDFs into one and added all the new question people are sharing here with us? It would be easier to study!

    I have the PDF with 353q but from what I can see from the previous messages there is another one with 553q? Anyone has that available to share?

    I’m happy to keep adding new questions to it.

    Also, a question to you all – Cisco is changing the certificates on 24th of January 2020 – there will only be one single CCNA – no more CCNA Security, CCNA Design, CCNA Routing & Switching etc.

    My question is, if someone already has CCNA Routing&Switching what is the point taking CCNA Security now if after 24th of Jan there will be no differences as all your CCNAs will become one?

  54. Bolo
    December 6th, 2019

    Which 802.1x component enforces the network access policy?

    a. RADIUS Server b. Authentication server c. Supplicant d. Authenticator

    Asnwer is D……am I right or wrong anyone?

    You are right – the answer is Authenticator (aka Policy Enforcement Point)

  55. Bolo
    December 6th, 2019

    @Anton

    Youki, Anubis etc. are such PDFs – a mix of everything. It’s just that noone has made a new one recently, though Youki is only few months old. If you studying seriously, you should be doing your own document with questions, IMHO that’s the best way. You get a chance to review, correct and memorize all of them.
    Don’t worry about 500+ question dumps, those are PassLeader etc. paid dumps – full of wrong answers. And new questions from them usually appear here and are corrected by community.

    As for certifying now – if you get any CCNA now (before 24th of February 2020), you will also get a new one. CCNA Sec serves for recertifying R&S, and possibly people prefer to sit old exam which has a lot of materials available, than the new one – which is still unknown.

  56. Anton
    December 6th, 2019

    @Bolo

    Thank you for your prompt response. It all started making sense now. I do take the exam seriously, I have already finished studying the official book and did 5 days course. I still have some time left before the 24th so I will sit down and combine those PDFs into one and share it with you guys. Any new questions shared here will be regularly added to the new PDF so everyone is on the same page.

    Do you happen to know if the new exams on Professional level also refresh your Associate certs as it is right now?

  57. Bolo
    December 6th, 2019

    @Anton

    AFAIK, Pro level exams will refresh Associate levels, as it is now. There doesn’t seem to be a lot of changes to recertification, only adding new options with Continuous Education points etc.

  58. Anton
    December 6th, 2019

    @Bolo

    Thank you for you answer.

    So that being said, if I have, hypothetically lets say 5x CCNA certificates, all of them will be combined into a single CCNA certificate/title after 24th of Jan and there is no way to show/tell that I actually took 5x separate exams not just one?

    In that case the only benefit would be to refresh my CCNA by taking one of the old exams for which we have these dumps, but if I have to refresh my CCNP anyway, I could just do that instead.

    I’m asking because my plan was to take CCNA Security and then to start making my way through CCNP Security. Currently, even if you pass all 4x exams for your CCNP Security, if you don’t have your CCNA Security, you will not get the CCNP Security certificate but it looks like this is not the case with the new certs as there is only one general CCNA and you have to take only one exam to get CCNP Security therefore I may be better of to start preparing for the new CCNP Security instead.

  59. Bolo
    December 6th, 2019

    @Anton

    You will keep old CCNA certs until they expire, along with the new one. So if you recert on 20th of Feb your CCNA R&S, you will keep it until 2023.

    CCNP Security now is 4 exams, and it will be 5 different certs after 24th of Feb. Whatever progress you have on the current CCNP Sec will be migrated to the new one – so old exams will give you new certs.
    AFAIK new Pro levels will not require Associate level exam as a pre-requisite, so if your goal is the new CCNP Security, there is no point in doing any of current exams. Unless of course you’ve done or are ready to some, and you will migrate them. Check Cisco Cert Migration Tool for CCNP Sec.

  60. Bolo
    December 6th, 2019

    Which two statements about the self zone on a Cisco zone-based policy firewall are true? (choose two)
    A. Multiple interfaces can be assigned to the self zone
    B. Traffic entering the self zone must match a rule
    C. Zone pairs that include the self zone apply to traffic transiting the device
    D. It can be either the source zone or the destination zone
    E. It supports stateful inspection for multicast traffic

    I can’t see two correct answers here. Only D is correct.

    A: No, you can’t assign any interface to self zone. All IPs configured on the router belong to this zone – interfaces are assigned to other zones.
    B: Only if it is traffic coming from another zone, in a zone pair. By default NO.
    C: No, self zone traffic is traffic to/from the router itself.
    E: This is not supported at all on zone level, CoPP is used for that.

  61. Hari
    December 6th, 2019

    please share the dumps for ccna security @Coachfree – the link which u provided is not valid.

  62. Bolo
    December 6th, 2019

    @Hari
    gDrive link I posted above works…

  63. Gilbert IS FAKE FAKE FAKE FAKE
    December 6th, 2019

    Gilbert IS FAKE FAKE FAKE FAKE

    Gilbert IS FAKE FAKE FAKE FAKE

  64. Anonymous
    December 6th, 2019

    Hello Community,

    THANKS YOU ALL, I pass the CCNA Sec exam, few days ago I get the ClientLess SSL VPN sim and the Shutdown, Shutdown VLAN, Restrict, Protect D&D question

    I get a few new questions: The one I remember the most was something like:
    In a Site to Site VPN which configuration can be different and still the VPN will come UP
    authentication type
    Encryption
    lifetime ——-> Correct
    Dont Remeber
    Dont Remeber

    I remeber tht I get the 550, 549, 546 and the emana questions

  65. Bolo
    December 6th, 2019

    Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only one that does not have to exactly match between VPN peers to be accepted?
    A. DH group
    B. Hashing algorithm
    C. Encryption algorithm
    D. Digital signature
    E. Authentication method
    F. Lifetime

    Yes, F is correct

  66. Bolo
    December 6th, 2019

    @Anonymous

    Gratz on the exam. And if you remember anything more about those new questions, even just a general idea, do tell us ;)

  67. soloman
    December 6th, 2019

    My CCNA R&S expires on 13th December 2019.
    I am preparing for CCNA Security and not ready yet.
    if I fail an exam on 10th Dec can I give retake an exam on 13th December. do I loose my validity of CCNA R&S ?

  68. Nick
    December 7th, 2019

    Hi Every,
    what sort of questions come in simulations?
    Do we need to configure anything or just answer questions ?

  69. Question for Bolo
    December 7th, 2019

    To be specific, if I re-cert my CCNP with one of the current professional level certs prior to Feb 22, 2020, will I also get the new CCNA and CCNP starting on 2/22/2020 until it expires in 2023?

  70. Johnas
    December 7th, 2019

    Hi
    Is there any ccnp security dumps here?

    Thank you

  71. die4mysins
    December 7th, 2019

    You are configuring a site-to-site tunnel between two cisco routers by using IPsec. Which option do you set to specify the peer to which you want to connect?
    a. IP address by using a crypto map
    b. IP address of tunnel destination
    c. Tunnel group that has a peer P address
    d. IP address as part of the ISAKMP configuration
    ANSWER: A

    Is the correct answer D?

    conf t
    crypto isakmp policy 10
    hash sha
    authentication pre-share
    group 2
    lifetime 86400
    encryption iskamp key securitytut address

  72. die4mysins
    December 7th, 2019

    You are configuring a site-to-site tunnel between two cisco routers by using IPsec. Which option do you set to specify the peer to which you want to connect?
    a. IP address by using a crypto map
    b. IP address of tunnel destination
    c. Tunnel group that has a peer P address
    d. IP address as part of the ISAKMP configuration
    ANSWER: A

    Is the correct answer D?

    conf t
    crypto isakmp policy 10
    hash sha
    authentication pre-share
    group 2
    lifetime 86400
    encryption iskamp key securitytut address Remote_Peer_IP_ADDRESS

  73. Kibo
    December 7th, 2019

    @ – please watch out. There is a 5 day ban after a failed exam.

    This is taken from the Cisco website:

    Retaking Exams:
    Candidates who fail an exam must wait a period of five (5) calendar days, beginning the day after the failed attempt, before they may retest for the same exam. Once passed, a candidate must wait a minimum of 180 days before taking the same exam with an identical exam number.

    Take care and good luck

  74. Bolo
    December 7th, 2019

    @soloman: if you fail on 10th you will not be able to retake on 13th, and you will lose R&S

    @Nick: both. There is a sim with questions, where you need to find out answers to 4 question by using ADSM GUI. And there’s a lab where you need to configure NAT and ACLs, also using GUI. Most of the time, from what people say here, you only get the sim with 4 questions.

    @Question for Bolo: AFAIK, yes. You will get old CCNA renewed for 3 years, you will get a new one for the same period of time, and your CCNP will be migrated to a new CCNP. CCNP Migration Tool on the web can tell you how old CCNPs translate to new ones.

    @Johnas: here not really. Posts you see about CCNP dumps are spammers from paid sites. There are other sites for those, look at the links on the right.

  75. Nick
    December 7th, 2019

    Thanks a lot @Bolo

  76. Bolo
    December 7th, 2019

    @die4mysins

    A is the correct answer. IP address during ISAKMP config is for identifying remote peers for key exchange during Phase 1 – IF you use preshared keys. If you authenticate using for example digital certificates, there won’t be any IP address there.

  77. Anonymous
    December 7th, 2019

    thrt

  78. Anonymous
    December 7th, 2019

    Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only one that does not have to exactly match between VPN peers to be accepted?????
    A. DH group
    B. Hashing algorithm
    C. Encryption algorithm
    D. Digital signature
    E. Authentication method
    F. Lifetime

    Yes, F is correct

  79. die4mysins
    December 7th, 2019

    @Bolo Thanks

    Just a clarification regarding the NAT Lab where you configure host to access your server in DMZ.
    I see 2 dumps that they configured Network Object as

    Dump 1
    IP address 172.16.1.2
    Translated Addr 209.165.201.30

    Dump 2
    IP address 209.165.201.30
    Translated Addr 172.16.1.2

    Which of the 2 would be correct?

  80. die4mysins
    December 7th, 2019

    Which two statements about an IPS in tap mode are true? (Choose two.)
    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all traffic, regardless of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    Answer: BC or CD?

  81. Bolo
    December 7th, 2019

    @die4mysins

    You have to translate inside IP in DMZ to outside public IP. So when creating NAT Object, IP Address should be the inside one, and Translated Address should be the public IP.
    Looks like your Dump 1 has it right.

  82. Bolo
    December 7th, 2019

    @die4mysins

    Which two statements about an IPS in tap mode are true? (Choose two.)
    A. It requires an synchronous routing configuration for full traffic analysis.
    B. The device forwards all traffic, regardless of its source or destination.
    C. It directly analyzes the actual packets as they pass through the system.
    D. It can analyze events without impacting network efficiency.
    E. It is unable to drop packets in the main flow.

    I’d say it’s D and E.

    A: what?
    B: it doesn’t forward any traffic. TAP/SPAN receive a copy of traffic passing through
    C: no. They analyze copies of packets.
    D: yes, that’s the advantage TAP has over SPAN
    E: it is unable, ‘cos it works with copies

    CISCO says:
    “With tap mode, the device is deployed inline, but instead of the packet flow passing through the device, a copy of each packet is sent to the device and the network traffic flow is undisturbed. Because you are working with copies of packets rather than the packets themselves, rules that you set to drop and rules that use the replace keyword do not affect the packet stream. However, rules of these types do generate intrusion events when they are triggered, and the table view of intrusion events indicates that the triggering packets would have dropped in an inline deployment.”

  83. Goodluck
    December 7th, 2019

    If a router configuration includes the line aaa authentication login default group tacacs+ enable, which eventswill occur when the TACACS+ server returns an error? (Choose two.)
    A. Authentication attempts to the router will be denied
    B. The user will be prompted to authenticate using the enable password
    C. Authentication will use the router’s local database
    D. Authentication attempts will be sent to the TACACS+ server
    Correct Answer: AD

    Answer B cannot be correct, because the TACACS is up & running (returns error).
    Answer C cannot be correct beause the “local” variable isn’t stated in the command string.

  84. Trunk
    December 7th, 2019

    Which component of a security zone firewall policy defines how traffic is handled?

    A. ACL B. Service policy C. Policy map D. Class map

    Answer: D

    What is the range of levels provided by the Privilege command?

    A. 0-16
    B. 0-15
    C. 1-16
    D. 1-14
    E. 0-14
    F. 1-15
    Answer: B

    In a Cisco Cloud Web Security environment, when can network traffic bypass the scanning proxies?

    A. When the client is on a trusted corporate network.
    B. When the client is connected to a VPN service that bypass proxies.
    C. When the client is connected to a WPA2 Enterprise network.
    D. When the client is connected to a wired network

    Answer: D.

    Which statement about TACACS+ is true?

    A. Passwords are transmitted between the client and server using MD5 hasing.
    B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
    C. TACACS_ is used for access to network resources more than administrator access to network devices.
    D. TACACS_ server listens UDP port 1813 for accounting.
    E. All data that is transmitted between the client and TACACS+ server is cleartext.

    Answer: B
    Am I right or wrong anyone ? I’m so confused right now and i have a test on monday.
    pls help.Many thanks.

  85. Bolo
    December 7th, 2019

    @Trunk

    Which component of a security zone firewall policy defines how traffic is handled?
    A. ACL
    B. Service policy
    C. Policy map
    D. Class map

    ANSWER C
    A policy map is an association of traffic classes and actions. It specifies what actions should be performed on defined traffic classes.

    —————–

    In a Cisco Cloud Web Security environment, when can network traffic bypass the scanning proxies?
    A. When the client is on a trusted corporate network.
    B. When the client is connected to a VPN service that bypass proxies.
    C. When the client is connected to a WPA2 Enterprise network.
    D. When the client is connected to a wired network

    ANSWER A
    It’s called Secure Trusted Network Detection.

    Other two questions have good answers.

  86. Nick
    December 7th, 2019

    Hi everyone,
    Is it HIPS or NIPS in which ALTER THE ADMINSTRATOR is an option ( DRAG and DROP)

  87. Nick
    December 7th, 2019

    @bolo
    Can you please confirm the correct answer:
    Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)
    A. AES
    B. 3DES
    C. DES
    D. MD5
    E. DH-1024
    F. SHA-384

  88. Bolo
    December 8th, 2019

    @Nick

    Alert the administrator applies to both. Drag twice.

    A and F. Only AES and SHA-384 are NGE (Suite B) algorithms.

  89. Trunk
    December 8th, 2019

    @Bolo
    Thank you so much Mr.Bolo.
    Just a few more question.Pls help confirm.

    Which option is the logical container used to maintain information about the connections going
    through a Cisco ASA firewall?
    A. State table
    B. NAT table
    C. Routing table
    D. Cisco Express Forwading table
    Answer: B

    On which operating system does the Cisco Email Security Appliance run?
    A. Cisco ESA-OS
    B. Cisco AsynOS
    C. Cisco IOS XE
    D. Cisco IOS XR
    E. Cisco NX-OS

    Answer: B

    How will a stateful firewall handle an inbound packet that it receives and cannot match in its state
    table?
    A. Passes the traffic.
    B. Drops the traffic.
    C. Broadcasts the traffic.
    D. Looks for an ACL, and acts based upon the ACL.

    Answer: D

    You are configuring an IPS that must be able to react to a potential attack. Which deployment do
    you use?
    A. Passive deployment that uses tap mode.
    B. Transparent inline mode.
    C. Passive deployment that uses failsafe.
    D. Inline deployment that uses a SPAN.
    Answer: A

  90. Rony
    December 8th, 2019

    Hi Friends,
    Can you please assist with this?
    (Answer A or B)
    How does the 802.1x supplicant communicate with the authentication server?
    A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into
    RADIUS and forwards them to the authentication server.
    B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into
    RADIUS and forwards them to the authentication server.
    C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into
    EAP and forwards them to the authentication server.
    D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them
    into EAP and forwards them to the authentication server.

  91. Rony
    December 8th, 2019

    Please help me with these as well:

    How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?
    A. Update the IPS signature for HTTPS to validate DCE/RPC connections
    B. Block suspicious hosts from DCE/RPC port 593
    C. Tunnel DCE/RPC traffic through GRE
    D. Configure the DCE/RPC preprocessor

    ==============
    Which attack can be prevented by OSPF authentication?
    A. smurf attack
    B. IP spoofing attack
    C. Denial of service attack
    D. buffer overflow attack
    thanks

  92. Trunk
    December 8th, 2019

    @Rony

    How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?
    A. Update the IPS signature for HTTPS to validate DCE/RPC connections
    B. Block suspicious hosts from DCE/RPC port 593
    C. Tunnel DCE/RPC traffic through GRE
    D. Configure the DCE/RPC preprocessor
    Answer: D
    ==============
    Which attack can be prevented by OSPF authentication?
    A. smurf attack
    B. IP spoofing attack
    C. Denial of service attack
    D. buffer overflow attack

    Answer: C
    OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a Denial-of-Service attack.

  93. Rony
    December 8th, 2019

    Another one guys:
    What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two.)
    A. the amount of bandwidth available
    B. the way in which dropped packets will be handled
    C. the type of analysis the IPS will perform
    D. whether RX and TX signals will use separate ports
    E. the way in which media errors will be handled

  94. Rony
    December 8th, 2019

    @Trunk, Thanks a lot mate

  95. wolverine
    December 8th, 2019

    CCNA sec dumps

    pay after exam no issue

    s a l m a n k h a 8 9 9 @ g m a i l . c o m

  96. Bolo
    December 8th, 2019

    @Trunk

    Which option is the logical container used to maintain information about the connections going
    through a Cisco ASA firewall?
    A. State table
    B. NAT table
    C. Routing table
    D. Cisco Express Forwading table

    Answer: A

    ——————————————

    You are configuring an IPS that must be able to react to a potential attack. Which deployment do
    you use?
    A. Passive deployment that uses tap mode.
    B. Transparent inline mode.
    C. Passive deployment that uses failsafe.
    D. Inline deployment that uses a SPAN.
    Answer: B

    Other 2 answers are correct.

  97. Bolo
    December 8th, 2019

    @Rony

    How does the 802.1x supplicant communicate with the authentication server?
    A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into
    RADIUS and forwards them to the authentication server.
    B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into
    RADIUS and forwards them to the authentication server.
    C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into
    EAP and forwards them to the authentication server.
    D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them
    into EAP and forwards them to the authentication server.

    ANSWER: B

    —————————————-

    What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two.)
    A. the amount of bandwidth available
    B. the way in which dropped packets will be handled
    C. the type of analysis the IPS will perform
    D. whether RX and TX signals will use separate ports
    E. the way in which media errors will be handled

    ANSWER: A,C
    This one’s a nightmare. A seems 100% correct, but there are arguments for any of the other answers, so… I’d pick C

  98. Rony
    December 8th, 2019

    Thanks Heaps @Bolo
    My exam is tomorrow. I will update how it goes.

  99. Bolo
    December 8th, 2019

    @Rony: good luck tomorrow! See you here after :)

  100. Anonymous
    December 8th, 2019

    How does the 802.1x supplicant communicate with the authentication server?
    A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into
    RADIUS and forwards them to the authentication server.
    B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into
    RADIUS and forwards them to the authentication server.
    C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into
    EAP and forwards them to the authentication server.
    D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them
    into EAP and forwards them to the authentication server.

    ANSWER: B


  101. Note: Please do not open any suspicious links (especially short links and links that need to remove some words to open) in the comment section above as they are usually spams and may harm your computer.
Comment pages
1 7 8 9 10 11 22 675
Add a Comment