Share your CCNA Security Experience
November 5th, 2015
Go to comments
Please share with us your experience after taking the CCNA Security 210-260 exam, your materials, the way you learned, your recommendations…
Please share with us your experience after taking the CCNA Security 210-260 exam, your materials, the way you learned, your recommendations…
Become a member to practice all the questions on our site!
@Mostafa
I have an online course I’m finishing through Global Knowledge, Quizlet and reviewing all other materials.
The 21st is the earliest I feel comfortable doing it and my first test is being paid for by my company.
IF for some reason I fail, I’ll still have the two weeks to try again before I expire on Jan 10.
@Mostafa and other Security guys : Just to be clear are below dumps enough to pass this exam : coachgreece, cisco.pass4sure.210-260.v2019-10-28.by.daisy.201q , Youki 5-24-2019 , new question ccna security_yako ” With reading the last 5 pages from this form to correct wrong answers”. I’m planning to pass this exam within 2 weeks maximum…. thanks :)
That’s it!
Thanks for the help @CoachGreece @Youki @Anubis @Yakoussine it helped a lot!
1 Sim
1 DnD port security mentioned in a post here
67 Q
50% discount on all Cisco questions and answers. Biggest offer for Christmas. Regardless of whether there are major updates next year, free updates will be provided until you pass the exam. note! This is the only offer throughout the year.
Stable and effective CCNA questions and answers(URL NO ***)
Stable and effective CCNP questions and answers(URL NO ***)
Stable and effective CCIE questions and answers(URL NO ***)
Stable and effective CISSP questions and answers(URL NO ***)
ht*****tps://docs.google.c*****om/document/d/1YCdNtwSUrdTW68-9n2JAVEHJOKjsYQSgTmUewKNarG4/edit?usp=sharing
Joseph is a spammer spammer
Joseph is a spammer spammer
Joseph is a spammer spammer ………………
NEW QUESTION 546
Which statement about TACACS+ is true?
A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: C
NEW QUESTION 547
Which effect of the secure boot-image command is true?
A. It configure the device to boot to the secure IOS image.
B. It archives a secure copy of the device configuration.
C. It archives a secure copy of the IOS image.
D. It displays the status of the bootset.
Answer: C
NEW QUESTION 548
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all ewtraffic, regardlergess of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: BC
NEW QUESTION 549
How will a stateful firewall handle an inbound packet that it receives and cannot match in its state table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: C
NEW QUESTION 550
Which 802.1x component enforces the network access policy?
A. authentication server
B. authenticator
C. RADIUS server
D. supplicant
Answer: A
NEW QUESTION 548
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all ewtrafwefic, regardlergess of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: BC
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: DE
Cheers!! I am seeing all kinds of study guides. I have somone thats suppose to email me CoachGreece study material. I am also writing down all the questions I see in this forum as well. Will this be enough to pass the test???
What is the main purpose of Control Plane Policing?
A. to prevent exhaustion of route-processor resources.
B. to define traffic classes.
C. to organize the egress packet queues.
D. to maintain the policy map.
Can someone help me with this answer…..It could be both A&B Im not sure…..Please help..
Passed today with a 917. Only used CoachGreece pdf and Youki 5-24-2019. Both are enough to pass.
67Q
Same SIM
Same D&D with port status.
What is the main purpose of Control Plane Policing?
A. to prevent exhaustion of route-processor resources.
B. to define traffic classes.
C. to organize the egress packet queues.
D. to maintain the policy map.
The answer is A
EXPLANATION:
Control Plane Policing (CoPP) is a Cisco IOS-wide feature designed to allow users to manage the flow of traffic handled by the route processor of their network devices. CoPP is designed to prevent unnecessary traffic from overwhelming the route processor that, if left unabated, could affect system performance. Route processor resource exhaustion, in this case, refers to all resources associated with the punt path and route processor(s) such as Cisco IOS process memory and buffers, and ingress packet queues.
Cheers Mate!! Thank you!!
@Pebcak and Cisco GUY please post your emails here.
Put it up in gDrive for all the people, if u don’t mind. I’m assuming you want to share your material.
I have covered Coachgreese but only half way with Youki. I have also reviewed the new questions from yako. Do you think this will be enough to pass? I test tomorrow.:(
Link to Yako please?
Can someone share infomation about the STP Drag N DROP question seen on this test? or just explain it to me? Thank you kindly!!
It’s not STP DnD, more like Port Security:
Shutdown The interface is error-disabled
Shutdown Vlan The virtual layer 2 segment is disabled
Restrict When the number of secure MAC address on the port reaches a specified maximum limit, the port drops packet and sends an SNMP trap
Protect When the number of secure MAC addresses on the port reaches a special maximum, the port drops packets without notification.
Hey all,
Anyone has the 553q PDF dump and possibly VCE file to share?
anton . shawood @ gmail . com
Thank you
Please tell us the best dumps and post them here
Your help with dumps really help
Please
Thank you
Can anyone confirm this..
Which two statements about Hardware-Based encryption are true?
A. It is potentially easier to compromise than software-based encryption.
B. It can be implemented without impacting performance.
C. It is widely accessible.
D. It is highly cost-effective
E. It requires minimal configuration
Select 2: I think its B & D Or maybe D&E Can somone chime in?
@Curious
It’s B and E
@Mostafa : this is my email address {email not allowed}.. thanks
this is my email address Samiser123 @ gmail.com .. thanks
this is my email address Samiser123 @ gmail.com .. thanks
this is my email address Samiser123 @ gmail.com .. thanks
Valid dumps please
Bolo,
You seem informed.
Do you know if the questions and simulations covered in the Coachgreece PDF and VCE are enough to pass or are there possible questions from the anubis pdf (400+ bank questions)as well?
Some people are saying they had one sim with 4 questions but the coachgreese sims are one question per sim?
hello sir
can you share the dumps please for CCNA SECURITY
Thanks
Never mind about the sim questions. The Anubis pdf answered my question…
I still would like to know if coachgreece and Anubis are still enough to pass??
I understand some of the answers are incorrect.
[13:57, 25.11.2019] sea: NEW QUESTION 528
How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
B. Block suspicious hosts f7rom DCE/RPC port 593.
C. Tunnel DCE/RPC traffic through GRE.
D. Configure the DCE/RPC preprocessor.
====================
Answer: B
is any one can share the last Dumb please
Better get Youki than Anubis – Youki has almost all incorrect answers from Anubis corrected. And people who passed this week are saying here that c0achgreece and Youki was enough for 900+ points.
How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections.
B. Block suspicious hosts f7rom DCE/RPC port 593.
C. Tunnel DCE/RPC traffic through GRE.
D. Configure the DCE/RPC preprocessor.
The answer is D
Please share with me c0achgreece and Youki
Aijana dot sul add gmail dot com
Please please please taking the test next week
Please share with me c0achgreece and Youki
Aijana dot sul add gmail dot com
Please please please taking the test next week. Thanks in advance
Which description of the nonsecret numbers that are used to start a Diffie-Hellman exchange is true?
A. They are large pseudorandom numbers
B. They are very small numbers chosen from a table of known values
C. They are numeric values extracted from hashed system hostnames
D. They are preconfigured prime integers
D?
Hey Curious,
Would you be able to share you pdf dumps?
Do you have the one with 553q? I was only able to find the one with 353q.
Please let me know – I’m planning to take the test before Cisco changes it on 24th of January.
Thanks Anonymous,
the c0achGreece from the first link – is that only a VCE file?
Do you have PDF with all these questions too?
PDFs with all those (Youki, c0achGreece, Anybis, Yako, daisy):
drive.google.com /drive /folders /1hol5viWl3lH5req2F2WQR_ffzCR-kxi8
Which command do you enter to verify the Phase 1 status of a VPN connection?
A. debug crypto isakmp
B. sh crypto session
C. sh crypto isakmp sa
D. sh crypto ipsec sa
On the dumps I am seeing the answer is C is this correct? or possibly D?
Phase 1 – isakmp
Phase 2 – ipsec
So the correct answer is C
Thank you Bolo!!
@Anonymous
The youki.vce dumps says cant open via VCE1.0.2 as it been created with newer version of VCE Exam simulator
can you give us new version of vce or update youki please
any advise on how many simoulator questions and where to find them
@Mark Davis: lab and sim are in the dumps linked above
@Thank You: can’t help you with .vce, sry. I don’t use VCEs, so I don’t have any players.
Hi , c0achGreece fine only have 67 questions so what is the passing possibility if someone only prepares from c0achGreece ?
@ Alina pssibility will be very slim. Consult and read thru other study material. Everything you need to pass is here. G00d Luck!!
Which 802.1x component enforces the network access policy?
a. RADIUS Server b. Authentication server c. Supplicant d. Authenticator
Asnwer is D……am I right or wrong anyone?
Today is a lucky day. I bought a CCNP question and answer for 50% off. I believe that I can get CCNP certification through this material. I have observed this website for a long time, and the website has helped many people pass CCNA CCNP CCIE. This is their only discount this year. Seize the opportunity. Although I heard that Cisco is about to usher in a major reform, the website can guarantee a free update for one year, so I am not worried about the next change of Cisco(URL NO *****)
ht*****tps://docs.google.c*****om/document/d/1YCdNtwSUrdTW68-9n2JAVEHJOKjsYQSgTmUewKNarG4/edit?usp=sharing
Hi all,
Has anyone managed to combine all these PDFs into one and added all the new question people are sharing here with us? It would be easier to study!
I have the PDF with 353q but from what I can see from the previous messages there is another one with 553q? Anyone has that available to share?
I’m happy to keep adding new questions to it.
Also, a question to you all – Cisco is changing the certificates on 24th of January 2020 – there will only be one single CCNA – no more CCNA Security, CCNA Design, CCNA Routing & Switching etc.
My question is, if someone already has CCNA Routing&Switching what is the point taking CCNA Security now if after 24th of Jan there will be no differences as all your CCNAs will become one?
Which 802.1x component enforces the network access policy?
a. RADIUS Server b. Authentication server c. Supplicant d. Authenticator
Asnwer is D……am I right or wrong anyone?
You are right – the answer is Authenticator (aka Policy Enforcement Point)
@Anton
Youki, Anubis etc. are such PDFs – a mix of everything. It’s just that noone has made a new one recently, though Youki is only few months old. If you studying seriously, you should be doing your own document with questions, IMHO that’s the best way. You get a chance to review, correct and memorize all of them.
Don’t worry about 500+ question dumps, those are PassLeader etc. paid dumps – full of wrong answers. And new questions from them usually appear here and are corrected by community.
As for certifying now – if you get any CCNA now (before 24th of February 2020), you will also get a new one. CCNA Sec serves for recertifying R&S, and possibly people prefer to sit old exam which has a lot of materials available, than the new one – which is still unknown.
@Bolo
Thank you for your prompt response. It all started making sense now. I do take the exam seriously, I have already finished studying the official book and did 5 days course. I still have some time left before the 24th so I will sit down and combine those PDFs into one and share it with you guys. Any new questions shared here will be regularly added to the new PDF so everyone is on the same page.
Do you happen to know if the new exams on Professional level also refresh your Associate certs as it is right now?
@Anton
AFAIK, Pro level exams will refresh Associate levels, as it is now. There doesn’t seem to be a lot of changes to recertification, only adding new options with Continuous Education points etc.
@Bolo
Thank you for you answer.
So that being said, if I have, hypothetically lets say 5x CCNA certificates, all of them will be combined into a single CCNA certificate/title after 24th of Jan and there is no way to show/tell that I actually took 5x separate exams not just one?
In that case the only benefit would be to refresh my CCNA by taking one of the old exams for which we have these dumps, but if I have to refresh my CCNP anyway, I could just do that instead.
I’m asking because my plan was to take CCNA Security and then to start making my way through CCNP Security. Currently, even if you pass all 4x exams for your CCNP Security, if you don’t have your CCNA Security, you will not get the CCNP Security certificate but it looks like this is not the case with the new certs as there is only one general CCNA and you have to take only one exam to get CCNP Security therefore I may be better of to start preparing for the new CCNP Security instead.
@Anton
You will keep old CCNA certs until they expire, along with the new one. So if you recert on 20th of Feb your CCNA R&S, you will keep it until 2023.
CCNP Security now is 4 exams, and it will be 5 different certs after 24th of Feb. Whatever progress you have on the current CCNP Sec will be migrated to the new one – so old exams will give you new certs.
AFAIK new Pro levels will not require Associate level exam as a pre-requisite, so if your goal is the new CCNP Security, there is no point in doing any of current exams. Unless of course you’ve done or are ready to some, and you will migrate them. Check Cisco Cert Migration Tool for CCNP Sec.
Which two statements about the self zone on a Cisco zone-based policy firewall are true? (choose two)
A. Multiple interfaces can be assigned to the self zone
B. Traffic entering the self zone must match a rule
C. Zone pairs that include the self zone apply to traffic transiting the device
D. It can be either the source zone or the destination zone
E. It supports stateful inspection for multicast traffic
I can’t see two correct answers here. Only D is correct.
A: No, you can’t assign any interface to self zone. All IPs configured on the router belong to this zone – interfaces are assigned to other zones.
B: Only if it is traffic coming from another zone, in a zone pair. By default NO.
C: No, self zone traffic is traffic to/from the router itself.
E: This is not supported at all on zone level, CoPP is used for that.
please share the dumps for ccna security @Coachfree – the link which u provided is not valid.
@Hari
gDrive link I posted above works…
Gilbert IS FAKE FAKE FAKE FAKE
Gilbert IS FAKE FAKE FAKE FAKE
Hello Community,
THANKS YOU ALL, I pass the CCNA Sec exam, few days ago I get the ClientLess SSL VPN sim and the Shutdown, Shutdown VLAN, Restrict, Protect D&D question
I get a few new questions: The one I remember the most was something like:
In a Site to Site VPN which configuration can be different and still the VPN will come UP
authentication type
Encryption
lifetime ——-> Correct
Dont Remeber
Dont Remeber
I remeber tht I get the 550, 549, 546 and the emana questions
Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only one that does not have to exactly match between VPN peers to be accepted?
A. DH group
B. Hashing algorithm
C. Encryption algorithm
D. Digital signature
E. Authentication method
F. Lifetime
Yes, F is correct
@Anonymous
Gratz on the exam. And if you remember anything more about those new questions, even just a general idea, do tell us ;)
My CCNA R&S expires on 13th December 2019.
I am preparing for CCNA Security and not ready yet.
if I fail an exam on 10th Dec can I give retake an exam on 13th December. do I loose my validity of CCNA R&S ?
Hi Every,
what sort of questions come in simulations?
Do we need to configure anything or just answer questions ?
To be specific, if I re-cert my CCNP with one of the current professional level certs prior to Feb 22, 2020, will I also get the new CCNA and CCNP starting on 2/22/2020 until it expires in 2023?
Hi
Is there any ccnp security dumps here?
Thank you
You are configuring a site-to-site tunnel between two cisco routers by using IPsec. Which option do you set to specify the peer to which you want to connect?
a. IP address by using a crypto map
b. IP address of tunnel destination
c. Tunnel group that has a peer P address
d. IP address as part of the ISAKMP configuration
ANSWER: A
Is the correct answer D?
conf t
crypto isakmp policy 10
hash sha
authentication pre-share
group 2
lifetime 86400
encryption iskamp key securitytut address
You are configuring a site-to-site tunnel between two cisco routers by using IPsec. Which option do you set to specify the peer to which you want to connect?
a. IP address by using a crypto map
b. IP address of tunnel destination
c. Tunnel group that has a peer P address
d. IP address as part of the ISAKMP configuration
ANSWER: A
Is the correct answer D?
conf t
crypto isakmp policy 10
hash sha
authentication pre-share
group 2
lifetime 86400
encryption iskamp key securitytut address Remote_Peer_IP_ADDRESS
@ – please watch out. There is a 5 day ban after a failed exam.
This is taken from the Cisco website:
Retaking Exams:
Candidates who fail an exam must wait a period of five (5) calendar days, beginning the day after the failed attempt, before they may retest for the same exam. Once passed, a candidate must wait a minimum of 180 days before taking the same exam with an identical exam number.
Take care and good luck
@soloman: if you fail on 10th you will not be able to retake on 13th, and you will lose R&S
@Nick: both. There is a sim with questions, where you need to find out answers to 4 question by using ADSM GUI. And there’s a lab where you need to configure NAT and ACLs, also using GUI. Most of the time, from what people say here, you only get the sim with 4 questions.
@Question for Bolo: AFAIK, yes. You will get old CCNA renewed for 3 years, you will get a new one for the same period of time, and your CCNP will be migrated to a new CCNP. CCNP Migration Tool on the web can tell you how old CCNPs translate to new ones.
@Johnas: here not really. Posts you see about CCNP dumps are spammers from paid sites. There are other sites for those, look at the links on the right.
Thanks a lot @Bolo
@die4mysins
A is the correct answer. IP address during ISAKMP config is for identifying remote peers for key exchange during Phase 1 – IF you use preshared keys. If you authenticate using for example digital certificates, there won’t be any IP address there.
thrt
Of all parameters that are negotiated for the IKE Phase 1 tunnel, which parameter is the only one that does not have to exactly match between VPN peers to be accepted?????
A. DH group
B. Hashing algorithm
C. Encryption algorithm
D. Digital signature
E. Authentication method
F. Lifetime
Yes, F is correct
@Bolo Thanks
Just a clarification regarding the NAT Lab where you configure host to access your server in DMZ.
I see 2 dumps that they configured Network Object as
Dump 1
IP address 172.16.1.2
Translated Addr 209.165.201.30
Dump 2
IP address 209.165.201.30
Translated Addr 172.16.1.2
Which of the 2 would be correct?
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
Answer: BC or CD?
@die4mysins
You have to translate inside IP in DMZ to outside public IP. So when creating NAT Object, IP Address should be the inside one, and Translated Address should be the public IP.
Looks like your Dump 1 has it right.
@die4mysins
Which two statements about an IPS in tap mode are true? (Choose two.)
A. It requires an synchronous routing configuration for full traffic analysis.
B. The device forwards all traffic, regardless of its source or destination.
C. It directly analyzes the actual packets as they pass through the system.
D. It can analyze events without impacting network efficiency.
E. It is unable to drop packets in the main flow.
I’d say it’s D and E.
A: what?
B: it doesn’t forward any traffic. TAP/SPAN receive a copy of traffic passing through
C: no. They analyze copies of packets.
D: yes, that’s the advantage TAP has over SPAN
E: it is unable, ‘cos it works with copies
CISCO says:
“With tap mode, the device is deployed inline, but instead of the packet flow passing through the device, a copy of each packet is sent to the device and the network traffic flow is undisturbed. Because you are working with copies of packets rather than the packets themselves, rules that you set to drop and rules that use the replace keyword do not affect the packet stream. However, rules of these types do generate intrusion events when they are triggered, and the table view of intrusion events indicates that the triggering packets would have dropped in an inline deployment.”
If a router configuration includes the line aaa authentication login default group tacacs+ enable, which eventswill occur when the TACACS+ server returns an error? (Choose two.)
A. Authentication attempts to the router will be denied
B. The user will be prompted to authenticate using the enable password
C. Authentication will use the router’s local database
D. Authentication attempts will be sent to the TACACS+ server
Correct Answer: AD
Answer B cannot be correct, because the TACACS is up & running (returns error).
Answer C cannot be correct beause the “local” variable isn’t stated in the command string.
Which component of a security zone firewall policy defines how traffic is handled?
A. ACL B. Service policy C. Policy map D. Class map
Answer: D
What is the range of levels provided by the Privilege command?
A. 0-16
B. 0-15
C. 1-16
D. 1-14
E. 0-14
F. 1-15
Answer: B
In a Cisco Cloud Web Security environment, when can network traffic bypass the scanning proxies?
A. When the client is on a trusted corporate network.
B. When the client is connected to a VPN service that bypass proxies.
C. When the client is connected to a WPA2 Enterprise network.
D. When the client is connected to a wired network
Answer: D.
Which statement about TACACS+ is true?
A. Passwords are transmitted between the client and server using MD5 hasing.
B. TACACS_ is flexible than RADIUS because it separates all AAA into individual processes.
C. TACACS_ is used for access to network resources more than administrator access to network devices.
D. TACACS_ server listens UDP port 1813 for accounting.
E. All data that is transmitted between the client and TACACS+ server is cleartext.
Answer: B
Am I right or wrong anyone ? I’m so confused right now and i have a test on monday.
pls help.Many thanks.
@Trunk
Which component of a security zone firewall policy defines how traffic is handled?
A. ACL
B. Service policy
C. Policy map
D. Class map
ANSWER C
A policy map is an association of traffic classes and actions. It specifies what actions should be performed on defined traffic classes.
—————–
In a Cisco Cloud Web Security environment, when can network traffic bypass the scanning proxies?
A. When the client is on a trusted corporate network.
B. When the client is connected to a VPN service that bypass proxies.
C. When the client is connected to a WPA2 Enterprise network.
D. When the client is connected to a wired network
ANSWER A
It’s called Secure Trusted Network Detection.
Other two questions have good answers.
Hi everyone,
Is it HIPS or NIPS in which ALTER THE ADMINSTRATOR is an option ( DRAG and DROP)
@bolo
Can you please confirm the correct answer:
Which two next-generation encryption algorithms does Cisco recommend? (Choose two.)
A. AES
B. 3DES
C. DES
D. MD5
E. DH-1024
F. SHA-384
@Nick
Alert the administrator applies to both. Drag twice.
A and F. Only AES and SHA-384 are NGE (Suite B) algorithms.
@Bolo
Thank you so much Mr.Bolo.
Just a few more question.Pls help confirm.
Which option is the logical container used to maintain information about the connections going
through a Cisco ASA firewall?
A. State table
B. NAT table
C. Routing table
D. Cisco Express Forwading table
Answer: B
On which operating system does the Cisco Email Security Appliance run?
A. Cisco ESA-OS
B. Cisco AsynOS
C. Cisco IOS XE
D. Cisco IOS XR
E. Cisco NX-OS
Answer: B
How will a stateful firewall handle an inbound packet that it receives and cannot match in its state
table?
A. Passes the traffic.
B. Drops the traffic.
C. Broadcasts the traffic.
D. Looks for an ACL, and acts based upon the ACL.
Answer: D
You are configuring an IPS that must be able to react to a potential attack. Which deployment do
you use?
A. Passive deployment that uses tap mode.
B. Transparent inline mode.
C. Passive deployment that uses failsafe.
D. Inline deployment that uses a SPAN.
Answer: A
Hi Friends,
Can you please assist with this?
(Answer A or B)
How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into
RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into
RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into
EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them
into EAP and forwards them to the authentication server.
Please help me with these as well:
How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections
B. Block suspicious hosts from DCE/RPC port 593
C. Tunnel DCE/RPC traffic through GRE
D. Configure the DCE/RPC preprocessor
==============
Which attack can be prevented by OSPF authentication?
A. smurf attack
B. IP spoofing attack
C. Denial of service attack
D. buffer overflow attack
thanks
@Rony
How can you mitigate DCE/RPC evasion techniques while allowing access to the DCE/RPC service?
A. Update the IPS signature for HTTPS to validate DCE/RPC connections
B. Block suspicious hosts from DCE/RPC port 593
C. Tunnel DCE/RPC traffic through GRE
D. Configure the DCE/RPC preprocessor
Answer: D
==============
Which attack can be prevented by OSPF authentication?
A. smurf attack
B. IP spoofing attack
C. Denial of service attack
D. buffer overflow attack
Answer: C
OSPF can be configured to authenticate every OSPF message. This is usually done to prevent a rogue router from injecting false routing information and therefore causing a Denial-of-Service attack.
Another one guys:
What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two.)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled
@Trunk, Thanks a lot mate
CCNA sec dumps
pay after exam no issue
s a l m a n k h a 8 9 9 @ g m a i l . c o m
@Trunk
Which option is the logical container used to maintain information about the connections going
through a Cisco ASA firewall?
A. State table
B. NAT table
C. Routing table
D. Cisco Express Forwading table
Answer: A
——————————————
You are configuring an IPS that must be able to react to a potential attack. Which deployment do
you use?
A. Passive deployment that uses tap mode.
B. Transparent inline mode.
C. Passive deployment that uses failsafe.
D. Inline deployment that uses a SPAN.
Answer: B
Other 2 answers are correct.
@Rony
How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into
RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into
RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into
EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them
into EAP and forwards them to the authentication server.
ANSWER: B
—————————————-
What are two major considerations when choosing between a SPAN and a TAP when implementing IPS? (Choose two.)
A. the amount of bandwidth available
B. the way in which dropped packets will be handled
C. the type of analysis the IPS will perform
D. whether RX and TX signals will use separate ports
E. the way in which media errors will be handled
ANSWER: A,C
This one’s a nightmare. A seems 100% correct, but there are arguments for any of the other answers, so… I’d pick C
Thanks Heaps @Bolo
My exam is tomorrow. I will update how it goes.
@Rony: good luck tomorrow! See you here after :)
How does the 802.1x supplicant communicate with the authentication server?
A. The supplicant creates EAP packets and sends them to the authenticator, which translates them into
RADIUS and forwards them to the authentication server.
B. The supplicant creates EAP packets and sends them to the authenticator, which encapsulates them into
RADIUS and forwards them to the authentication server.
C. The supplicant creates RADIUS packets and sends them to the authenticator, which translates them into
EAP and forwards them to the authentication server.
D. The supplicant creates RADIUS packets and sends them to the authenticator, which encapsulates them
into EAP and forwards them to the authentication server.
ANSWER: B