Share your SECURE Experience
Cisco has changed its security track by replacing the old CCSP with the new CCNP Security certification, which has 4 modules: SECURE, FIREWALL, IPS and VPN. In fact, the old CCSP and the new CCNP Security are very similar. Many candidates have asked us to put up materials for these new exams, but that is time-consuming work. In the meantime, we created this “Share your experience” page for the SECURE exam. We really hope everyone who reads securitytut, 9tut, digitaltut, certprepare, networktut and voicetut will contribute to these sections, as your experience is invaluable for CCNP Security learners trying to reach their goals.
Please share your experience after taking the SECURE 642-637 exam: your materials, the way you learned, your recommendations…
Hi cert.group,
I have a deadline for the exam next week. I would like to ask you whether the exam has these questions or not:
Question 169
Lab Sim
The Secure-X company has recently ………
This task is a simulation in the Cisco Catalyst switch console using the CLI
and
Question 170
Lab Sim
The Secure-X company has started to test the 802.1x ………
This task is a simulation accessed through the ISE GUI
Thank you for the info
@LAB exam 300-208, can you share the dumps for the 300-208 SECURE paper?
Congratulations!
Passed the 300-208 exam recently!
A lot of new questions in my 300-208 test, old version dumps are not valid enough for passing now.
I mainly learned the PassLeader 300-208 dumps (502q version), stable and valid enough for passing!
Good luck!
By the way:
PassLeader 300-208 dumps FYI:
od.lk/fl/NjFfMTUyNjc0NV8
(502q~~~NEW VERSION DUMPS!!!)
Good Luck!!!
[(copy that link and open it in your web browser!!!)]
More:
1. PassLeader 300-206 dumps FYI:
od.lk/fl/NjFfMTUyNjc0M18
(486q~~~NEW VERSION DUMPS!!!)
~~~~~~~~~~~~~~~~~~~~~~~~~
2. PassLeader 300-209 dumps FYI:
od.lk/fl/NjFfMTUyNjc0N18
(454q~~~NEW VERSION DUMPS!!!)
~~~~~~~~~~~~~~~~~~~~~~~~~
3. PassLeader 300-210 dumps FYI:
od.lk/fl/NjFfMTUyNjc0OV8
(502q~~~NEW VERSION DUMPS!!!)
~~~~~~~~~~~~~~~~~~~~~~~~~
Good Luck!!!
[(copy those links and open them in your web browser!!!)]
Explanation: You can configure the timer for clients to transition from one state to the other state within a specified time using the network transition delay timer, which is required for Change of Authorization (CoA) to complete. It may require a longer delay time when clients need time to get a new VLAN IP address during success and failure of posture. When successfully postured, Cisco ISE allows clients to transition from unknown to compliant mode within the time specified in the network transition delay timer. Upon failure of posture, Cisco ISE allows clients to transition from unknown to noncompliant mode within the time specified in the timer.
14) What is the RADIUS attribute for the timer?
Answer, I think it is: A. RADIUS Session-Timeout attribute
15) RADIUS Attributes
——————-
A.- 1 User-Name, 2 User-Password, 4 NAS-IP-Address, 5 NAS-Port
16) Which two statements about Cisco Prime Infrastructure are true?
A. It provides BugID information for Cisco IOS devices.
B. It can display diagnostic data from Cisco NAMs.
C. It integrates with APIC-EM to enable Zero Touch Provisioning on Cisco network devices.
D. It integrates with the APIC-EM PKI Service to create PKI-secured routes with GRE.
E. It provides application visibility with NBAR.
17) Single SSID (advantages) vs Multiple/Dual SSID (Choose two)
Today I took my test and got 965/1000.
Exam very easy, all questions in the dumps.
Not difficult at all, do not worry.
Remove 1 star***
https:/*/priv.sh/d9HamP4
16) Which two statements about Cisco Prime Infrastructure are true?
A. It provides BugID information for Cisco IOS devices.
B. It can display diagnostic data from Cisco NAMs.
C. It integrates with APIC-EM to enable Zero Touch Provisioning on Cisco network devices.
D. It integrates with the APIC-EM PKI Service to create PKI-secured routes with GRE.
E. It provides application visibility with NBAR.
17) Single SSID (advantages) vs Multiple/Dual SSID (Choose two)
A.- Single SSID – better iOS user experience
B.- Single SSID – should be used in BYOD deployment
C.- Dual SSID – better security user experience
D.- Single SSID? – … client already used wired 802.1X on another network
E.- Only on Single SSID can the user verify the BYOD certificate.
Hi Guys,
one of our favourite questions again… And I think I found the official answer to it.
Which 802.1x command is needed for ACL to be applied on a switch port?
A. dot1x system-auth-control
B. dot1x pae authenticator
C. authentication port-control auto
D. radius-server vsa send authentication
E. aaa authorization network default group radius
I would also go with E now – check out this article:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/whitepaper_C11-731907.html
Focus on this part:
aaa authorization network default group radius -> Governs network authorizations via RADIUS (VLAN / ACL assignment)
If anyone has last minute feedback – It would be highly appreciated – sitting in the exam this week.
Greetings Kibo
And one last comment.. As this has been keeping me researching quite a lot too..
Which client interface or interfaces are provisioned when the Cisco ISE performs supplicant provisioning?
A: wireless and wired interface
B: wireless interface
C: active interfaces
D: wired interface
Check out:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010101.html
Pay attention to the note within the Create Native Supplicant Profiles section !!!
The provisioning wizard only configures interfaces which are !!! active !!!. Because of this, users with Wired and Wireless connections will not be provisioned for both interfaces, unless they are both active.
Passed my last exam of CCNP Security, 300-208. I got 870 marks. Thanks to everyone, especially the notes from @Ruff and @SMA on the last 3 pages. Also, please trust the GIO dumps and the answers verified by everyone on this forum. The 451q has lots of wrong answers. All the new questions have not been posted by anyone on this forum and I do not remember them either. There was one D&D, 2 sims, no labs. One question I remember was about RADIUS attributes for the MAC address.
@kibo
Which interface-level command is needed to turn on dot1x authentication?
A. authentication pae authenticator
B. aaa server radius dynamic-author
C. authentication host-mode single-host
D. dot1x system-auth-control
Dumps are saying the answer is A, and some people are saying it should be C.
Would you please help with this confusing question?
Thanks a lot
Which interface-level command is needed to turn on dot1x authentication?
A) authentication pae authenticator
B) aaa server radius dynamic-author
C) authentication host-mode single-host
D) dot1x system-auth-control
The answer is C. A is not a command. D enables dot1x globally.
Hi
300-208
Today I failed.
PassLeader doesn't help. Fewer than half of the questions were from PassLeader.
Kindly share a dump that is correct and has all the questions for the actual exam.
Thank you.
@Exam 300-208 sorry to hear that, but did you go through all 502 questions in the PL dump?
@Exam 300-208 which dumps did you use for preparation?
Good afternoon friends,
Who has recently taken the 300-208 exam?
how did it go?
Which dump should I use, and can you send it to us?
Hello friends,
can anyone help me with the 300-206 exam? I want to take it and I have no idea about the available recent dumps.
Thank you
Friends and CCNP Switch, I took the exam on Saturday and I passed, but ……
First of all, yes, there were a few new questions which I have not seen in any dumps, and most of the recent new questions posted on the previous page came up in my exam. PL has to update these; hopefully they do. The sims are the same, one with 4 questions and one with 3. Only 60% was from the dumps, and again they twist the questions, so be mindful. There were 2 to 3 new questions related to command syntax; sorry, I can't remember them, but they should be easy if you read carefully. Again, 2 to 3 new questions which were not in any dump, I am pretty sure. As they say, some might be lucky to get everything from the dumps, some don't, but there are always new ones popping up from Cisco. All the best everyone.
Excuse me, are the PassLeader lab answers for the 300-206 test correct?
Hi Folks,
Could someone share which questions they have encountered with the 300-208 exam recently?
Thanks!
Hello everyone,
Would anyone happen to have a link to a free ETE viewer?
Hi All,
Could someone post which drag and drops they encountered on the 300-208 exam recently?
Which advantage is provided by using Active Directory as an external identity source?
A. It supports SAML for single sign-on.
B. It uses EAP chaining with EAP-FAST to authenticate users and computers.
C. It supports two-factor authentication using a PIN and a token.
D. It uses EAP chaining with EAP-TLS to authenticate users and computers.
Answer: B
Another dump says the answer is A.
Please help me sort this out.
Thanks.
Hi all
Thanks so much to Anonimous, sma, mmx (pages 57 to 60). Thanks so much guys, I passed my SISAS today.
2 DD, 2 SIMs (one with 4 questions, one with 3)
For study I used GIO, I think it's the best answered, and please take some time to review the comments; you had so many questions on this, so I think you need to invest some time to read the comments.
These are almost all the questions I remember.
1.- Which Cisco ISE 1.x protocol can be used to control admin access to network access devices?
A. TACACS+
B. RADIUS
C. EAP
D. Kerberos
ISE supports TACACS+ only from v2.0 onwards.
2.- A network administrator found that the IP device tracking table on a switch is not getting updated when the client has a static IP address, but if the address is from DHCP, the
table is getting updated.
Which description of the cause of the issue is true?
A. IP device tracking is not configured properly
B. ARP inspection is on and there is no ARP ACL for static clients
C. The switch code must be upgraded
D. IP device tracking does not work with statically assigned IP addresses
3.- What steps must you perform to deploy a CA-signed identity certificate on an ISE device?
C. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate and install it on ISE.
3. Access the ISE server and submit the CA request.
4. Install the issued certificate on the CA server.
D. 1. Generate a signing request and save it as a file.
2. Download the CA server certificate and install it on ISE.
3. Access the CA server and submit the CSR.
4. Install the issued certificate on the ISE.
4.- A network administrator must remediate unpatched servers by redirecting them to their remediation portal.
Which conditions in the authorization policy must the network administrator provision on the Cisco ISE to accomplish this?
A. quarantine
B. compliant
C. noncompliant
D. URL redirect
5.- Which internal Cisco ISE component reduces demand on JVM memory by limiting the number of devices the profiler handles?
A. eventHandlerQueueSize
B. forwarderQueueSize
C. maxEndPointsInLocalDb
D. networkDeviceEventHandler
6.- A network administrator noticed that wireless guests are able to access internal resources which should not be accessible.
Looking at the settings on the Cisco ISE, the administrator notices that the correct ACL is applied in the Authorization Profile Settings and guests are being authorized using the
correct authorization profile.
Why is this happening?
A. Access type must be changed to ACCESS_REJECT with GUEST_ACL
B. GUEST_ACL syntax is incorrect
C. Airespace ACL Name must be configured instead of DACL name
D. Number ACL must be applied
Correct Answer: C
7.- While troubleshooting a posture assessment issue on a Windows PC, the NAC Agent is not popping up as expected. Which logs would help in isolating the issue? (Choose two)
A. NAC Agent Logs
B. Cisco ISE ise-psc.log file
C. Cisco ISE profiler.log file
D. Cisco AnyConnect ISE posture logs
E. Dart Bundle
8.- Which two features are supported by named access lists but not numbered access lists? (Choose two)
A. Time-Based Access Control
B. Context-Based Access Control
C. IP Options Filtering
D. Upper-Layer Session Information
E. Noncontiguous Ports
Ans.- C, E
9.- You are managing a network environment in which clients that successfully obtain a new VLAN IP address. Which timer can you use to increase the allowable amount of time for the client to undergo CoA?
A. keepalive timer
B. remediation timer
C. network transaction delay timer
D. minimum acceptable hold timer
10.- Which type of a sensor requires an embedded data collector in the switch to support profiling?
A. DHCP sensor
B. CDP sensor
C. IOS sensor
D. LLDP sensor
Answer: A
11.- Which probe carries the IP address of the endpoint in the Framed-IP-Address attribute of the payload?
A. DNS probe
B. LLDP probe
C. RADIUS probe
D. DHCP probe
12.- Which guest service requires session services to be enabled on a cisco ISE node?
A. administration service
B. monitoring service
C. posture service
D. profiling service
13.- Which two troubleshooting tools are available within the diagnostics tools menu in cisco ISE?
A – TCP Dump
B – Expert troubleshooter
C – Execute Network Device
D – AAA Authentication Trouble
E – Policy Validator
14.- Which action must be taken by a Noncompliant wireless client to get out of quarantine status?
A. Disconnect from the WLAN controller and let the idle.
B. Adjust policy in BYOD portal.
C. Perform a periodic reassessment.
D. Download Posture Update.
17.- Which packets are allowed on a dot1x port with no authentication open before the port goes to an authorized state?
A. DHCP, EAPOL, HTTP
B. CDP, EAPOL, STP
C. CDP, DHCP, DNS
D. CDP, EAPOL, HTTP
Some dumps say A but I chose B.
Answer:
A
18.- What are the two values Cisco recommends that you configure and test when deploying MAB 802.1x? (Choose two.)
A. supp-timeout
B. server-timeout
C. max-req
D. max-reauth-req
E. tx-period
Answer:
B, D
Some say B and D but I say B and E, and this is my explanation.
Explanation:
dot1x timeout tx-period and dot1x max-reauth-req
If IEEE 802.1X is enabled in addition to MAB, the switch sends an EAP Request-Identity frame upon link up. The switch waits for a period of time defined by dot1x timeout tx-period and then sends another Request- Identity frame. The number of times it resends the Request-Identity frame is defined by dot1x max-reauth-req.
Tip Best Practice Recommendation—Test tx-period and max-reauth-req in your network. Because the optimal value for the timeout depends on the specifics of your network, Cisco recommends that you use your deployment planning phase to test whatever value you select. Pay particular attention to DHCP clients, PXE clients, and the specifics of your managed desktop infrastructure
20.- What is the purpose of configuring Native Supplicant Profile on the Cisco ISE?
A. It provides posture assessments and remediation for devices that are attempting to gain access to the corporate network
B. It is used to register personal devices on the network.
C. It enforces the use of MSCHAPv2 or EAP-TLS for 802 1X authentication
D. It helps employees add and manage new devices by entering the MAC address for the device.
C is TRUE
21.- Q1. What came before MAB?
Ans: VMPS
Q2. RADIUS attributes 1, 2, 3, 4, 5, 6, 30, 31, 32, 62
Q3. RADIUS attribute-value pair
Q4. Accounting command on a Cisco switch
23.- How is a dACL entered?
Answer 1:
ip access-list extended ACL-ALLOW
permit ip any any
Answer 2:
– ip access-list …..
Answer 3:
permit ip any any (This one is true; when creating the dACL you only set the rules, not whether it is standard, extended, ….)
Answer 4:
ip access-list standard
permit ip any
ANSWER: permit ip any any
24.- Which advantage is provided by using Active Directory as an external identity source?
A. It supports SAML for single sign-on.
B. It uses EAP chaining with EAP-FAST to authenticate users and computers.
C. It supports two-factor authentication using a PIN and a token.
D. It uses EAP chaining with EAP-TLS to authenticate users and computers.
Answer: B
Some dumps are saying the answer is A
25.- Given the command “aaa accounting update newinfo periodic 30”, what is it about?
aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30
What is sent as a result of running the commands?
A. Interim accounting updates only when at least 30 new client attributes are buffered
B. Interim accounting updates that contain new client information every 30 minutes
C. Accounting information after every 30 client sessions.
D. Default accounting information every 30 minutes
Answer: B
26.- In what scenario do you need to fine-tune the network transition delay?
– more time for the user to remediate
– more time for the user to log on to the network
– more time for the user to check compliance, something like that (I chose this, see explanation below)
27.- Private-group-ID 1:10, Service-type 1:6, Medium-type 1:16, then it asks what the VLAN number will be:
– 10 (correct), it's the VLAN value
– 6
– 16
– 1
30.- Dynamic TrustSec association, pick two.
– Interface
– VLAN
– IP subnet
– 802.1x
– MAB
31.- Which two profile attributes can be collected by a Cisco Wireless LAN Controller that supports Device Sensor? (Choose two.)
A. LLDP agent information
B. user agent
C. DHCP options
D. open ports
E. CDP agent information
F. FQDN
Correct Answer: BC?
34.- Advantages of running single SSID
– better security user experience
– better for user already access other 802.1x network before
[I chose these 2]
36.- RADIUS Attributes
——————-
A.- 1 User-Name, 2 User-Password, 4 NAS-IP Address , 5 NAS-Port
1 User-Name.- Name of the user being authenticated.
2 User-Password.- User’s password or input following an access challenge. Passwords longer than 16 characters are encrypted using IETF Draft #2 or later specifications.
4 NAS-IP Address .- IP address of the NAS that is requesting authentication.
5 NAS-Port
6 Service-Type
18.- Enable Accounting to send Sensor information
device-sensor accounting
Some other questions about TrustSec closed and low-impact mode, SXP SGT propagation, SGACL and SGFW.
Good luck, now on to the next exam
31.- Which two profile attributes can be collected by a Cisco Wireless LAN Controller that supports Device Sensor? (Choose two.)
A. LLDP agent information
B. user agent
C. DHCP options
D. open ports
E. CDP agent information
F. FQDN
Correct Answer: BC?
QUESTION 328
Prime uses which protocol for device discovery?
A. STP
B. CDP
C. RARP
D. LLDP
Answer: CD
But other dumps say the answer is BC, with the explanation below. Please help verify this. Thanks.
Explanation:
The LLDP answer is correct given:
Cisco Prime Infrastructure uses and enhances the discovery mechanisms by using protocols such as ping, SNMP (v1, v2c, and v3), Cisco® Discovery Protocol, Link Layer Discovery Protocol (LLDP), and Open Shortest Path First (OSPF) to discover the network automatically. This section will focus on how best to configure the discovery settings once and to automate the discovery, going forward.
You can add devices to Cisco Prime Infrastructure in one of the following ways:
Use an automated process
Discovery Settings
Quick Discovery
Import devices from a CSV file.
Add devices manually by entering IP address and device credential information.
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/prime-infrastructure/guide-c07-736611.html
However, RARP is an obsolete protocol to look up an IPv4 address from the MAC.
Thus the answer should be either SNMP or OSPF along with LLDP.
10.- Which type of a sensor requires an embedded data collector in the switch to support profiling?
A. DHCP sensor
B. CDP sensor
C. IOS sensor
D. LLDP sensor
CDP and LLDP – agents in the IOS sensor
DHCP – probe in ISE or agent in the IOS sensor
ISE config:
“The Radius probe collects Radius session attributes as well as CDP, LLDP from IOS Sensor.”
12.- Which guest service requires session services to be enabled on a cisco ISE node?
A. administration service
B. monitoring service
C. posture service
D. profiling service
C – ISE config: “Session Services include Network Access, Posture, Guest, and Client Provisioning.”
34.- Advantages of running single SSID
– better security user experience
– better for user already access other 802.1x network before
Better security is for dual SSID:
https://community.cisco.com/t5/security-documents/ise-byod-dual-vs-single-ssid-onboarding/ta-p/3641422
Correct – something about iDevices
Drag and Drop…..
You must configure a Cisco ASA 5500 Series as an NTP client by using authentication. (Drag and drop the configuration steps from the left into the correct order on the right.)
correct is
ntp auth
trust key
auth key
peer
but in real life you can configure it in any order :)
@George
My dear, thanks a lot for sharing such good questions.
But it would be more helpful if you have also included your possible answers for each question.
Please do so, my dear.
19) What is the purpose of configuring Native Supplicant Profile on the Cisco ISE?
B. It is used to register personal devices on the network.
C. It enforces the use of MSCHAPv2 or EAP-TLS for 802.1X authentication.
b –
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010101.html
You can create native supplicant profiles to enable users to bring their own devices into the Cisco ISE network. When the user signs in, Cisco ISE uses the profile that you associated with that user’s authorization requirements to choose the necessary supplicant provisioning wizard. The wizard runs and sets up the user’s personal device to access the network.
@George
Could you confirm which Drag & Drops and SIMs you encountered on the exam?
Thank you for your post! Much appreciated!
Can someone point me to tut share your experience for CCNP ROUTE SWITCH TSHOOT?
Thank you!!
Hi guys – sorry – I got really busy in the last couple of days – but I wanted to send you my final update here…
Last week I passed the 300-208 with 930 points.
Here is how I studied
– I was lucky enough to have been on a course for the exam
– I am a CBT member
– I used the PL502 (which has loads of wrong answers) and compared it to GIO. Any question that had dubious answers I researched and clarified myself…
Don’t just learn the dumps by heart – understand what the questions are about – then you will easily answer the new/unknown questions.
I would give you the following tips:
– make sure you know the most common radius attributes by heart, 1,2,4,5,6,30 and 31.
– especially understand the difference between 30 and 31 as there were two questions where this will come in handy.
I had 60 questions, 2 Hotspots (4 and 3 questions) and the blacklist D&D.
I wish all of you good luck with your studies – to me – this was exam 4 out of 4 – so I am done
Thanks to all the active members here – that shared and helped.
Take care
Kibo
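The RADIUS attribute numbers that keep coming up in this thread (1, 2, 4, 5, 6, 30 and 31 in Kibo's tips above and in the attribute list in George's post, plus the Tunnel-Private-Group-ID 1:10 VLAN question) are easiest to remember once you have decoded a packet yourself. The Python below is an added example written for this page; it is not code from the forum, from any dump vendor or from Cisco. It constructs an Access-Request and the matching Access-Accept in the RFC 2865 / RFC 2868 wire format, parses them back, derives the assigned VLAN from the tagged tunnel attributes the way a switch does, and verifies the Response Authenticator so that a forged or tampered Accept is rejected. The shared secret, IP addresses and MAC addresses are made-up sample values.

```python
"""Decode the RADIUS attributes discussed in this thread (added example).

Constructed sample traffic only: the secret, addresses and MACs are made up.
Wire format per RFC 2865 (header, TLV attributes) and RFC 2868 (tagged
tunnel attributes used for dynamic VLAN assignment).
"""
import hashlib
import struct

# Attribute types from RFC 2865 (1-31) and RFC 2868 (64/65/81).
ATTR = {
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    6: "Service-Type", 27: "Session-Timeout", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
    81: "Tunnel-Private-Group-ID",
}
INTEGER = {5, 6, 27}       # plain 32-bit big-endian integers
TUNNEL_INT = {64, 65}      # one tag byte followed by a 24-bit integer
TUNNEL_STR = {81}          # one tag byte followed by a string
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SECRET = b"constructed-shared-secret"   # assumption: example value, not a real secret


def encode_attr(typ, value, tag=0):
    """Build one Type-Length-Value triple; tunnel attributes get a leading tag byte."""
    if typ in TUNNEL_INT:
        body = bytes([tag]) + struct.pack(">I", value)[1:]
    elif typ in TUNNEL_STR:
        body = bytes([tag]) + value.encode()
    elif typ in INTEGER:
        body = struct.pack(">I", value)
    elif typ == 4:
        body = bytes(int(octet) for octet in value.split("."))
    else:
        body = value.encode()
    return bytes([typ, len(body) + 2]) + body


def response_authenticator(code, ident, request_auth, payload):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack(">BBH", code, ident, 20 + len(payload))
    return hashlib.md5(header + request_auth + payload + SECRET).digest()


def build_packet(code, ident, authenticator, payload):
    """20-byte header (Code, Identifier, Length, Authenticator) followed by attributes."""
    return struct.pack(">BBH", code, ident, 20 + len(payload)) + authenticator + payload


def parse(pkt):
    """Return (code, identifier, authenticator, {attribute name: decoded value})."""
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    auth, pos, attrs = pkt[4:20], 20, {}
    while pos < length:
        typ, ln = pkt[pos], pkt[pos + 1]
        body = pkt[pos + 2:pos + ln]
        name = ATTR.get(typ, f"Attr-{typ}")
        if typ in TUNNEL_INT:
            attrs[name] = (body[0], int.from_bytes(body[1:], "big"))
        elif typ in TUNNEL_STR:
            attrs[name] = (body[0], body[1:].decode())
        elif typ in INTEGER:
            attrs[name] = struct.unpack(">I", body)[0]
        elif typ == 4:
            attrs[name] = ".".join(str(b) for b in body)
        else:
            attrs[name] = body.decode()
        pos += ln
    return code, ident, auth, attrs


def verify_response(pkt, request_auth):
    """True only if the reply was produced by a peer that knows the shared secret."""
    code, ident, _ = struct.unpack(">BBH", pkt[:4])
    return pkt[4:20] == response_authenticator(code, ident, request_auth, pkt[20:])


def vlan_from_accept(attrs, tag=1):
    """NAD-side rule for dynamic VLAN: Tunnel-Type must be VLAN (13), Tunnel-Medium-Type
    IEEE-802 (6), and Tunnel-Private-Group-ID must carry the same tag as both."""
    if attrs.get("Tunnel-Type") != (tag, 13) or attrs.get("Tunnel-Medium-Type") != (tag, 6):
        return None
    group_tag, group = attrs.get("Tunnel-Private-Group-ID", (None, None))
    return int(group) if group_tag == tag else None


def demo():
    request_auth = bytes(range(16))            # constructed Request Authenticator
    request = build_packet(ACCESS_REQUEST, 7, request_auth, b"".join([
        encode_attr(1, "alice"),
        encode_attr(4, "10.0.0.2"),
        encode_attr(5, 50101),
        encode_attr(6, 2),                      # Service-Type: Framed
        encode_attr(30, "00-11-22-33-44-55"),   # the switch port the client attached to
        encode_attr(31, "AA-BB-CC-DD-EE-FF"),   # the client's own MAC (what MAB keys on)
    ]))
    accept_payload = b"".join([
        encode_attr(27, 3600), encode_attr(64, 13, tag=1),
        encode_attr(65, 6, tag=1), encode_attr(81, "10", tag=1),
    ])
    accept = build_packet(ACCESS_ACCEPT, 7,
                          response_authenticator(ACCESS_ACCEPT, 7, request_auth, accept_payload),
                          accept_payload)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # "10" becomes "11" on the wire
    return {
        "request": parse(request)[3],
        "accept": parse(accept)[3],
        "vlan": vlan_from_accept(parse(accept)[3]),
        "accept_verified": verify_response(accept, request_auth),
        "tampered_vlan": vlan_from_accept(parse(tampered)[3]),
        "tampered_verified": verify_response(tampered, request_auth),
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the decoded attributes. Attribute 30 (Called-Station-Id) identifies the port or AP/SSID the client attached to, while 31 (Calling-Station-Id) is the client's own MAC, which is why MAB and endpoint policies key on 31. The `tampered` case shows why the authenticator check matters: flipping a single byte in the Accept would move the client from VLAN 10 to VLAN 11 if the NAD trusted the attributes without validating the MD5 over the shared secret.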
What is the purpose of configuring Native Supplicant Profile on the Cisco ISE?
A.It provides posture assessments and remediation for devices that are attempting to gain access to the corporate network.
B.It is used to register personal devices on the network.
C. It enforces the use of MSCHAPv2 or EAP-TLS for 802.1X authentication
D. It helps employees add and manage new devices by entering the MAC address for the device.
Answer: C
Some dumps are saying the answer is B.
Please help, someone, with the exact answer. It is really confusing.
Thanks in advance.
Excuse me, Free Premium File.
Which test are your comments from, 300-206?
QUESTION 328
Prime uses which protocol for device discovery?
A. STP
B. CDP
C. RARP
D. LLDP
Answer: B D
Explanation:
The LLDP and CDP (Cisco Discovery Protocol) answers are correct given:
Cisco Prime Infrastructure uses and enhances the discovery mechanisms by using protocols such as ping, SNMP (v1, v2c, and v3), Cisco® Discovery Protocol, Link Layer Discovery Protocol (LLDP), and Open Shortest Path First (OSPF) to discover the network automatically.
@Kibo
Could you tell us what hot spots and D&D you had?
Which action do you take to restrict network access for endpoints that are not posture compliant?
A. Configure a dACL on the NAD.
B. Configure client provisioning services on the Cisco ISE server.
C. Assign a dynamic VLAN on the NAD.
D. Define the policy by configuring a standard profile.
Answer: C
But some dumps are saying the answer is A.
Dear all, please help me sort out this confusion.
Thanks in advance.
@kb
For me the answer is C.
Explanation: Is the endpoint connecting for the first time? Because the result is UNKNOWN, the endpoint will be redirected to the client provisioning portal for posture. In order to be redirected to the Client Provisioning portal, you need a dACL on the NAD that will only permit the ISE IP address and the other ports needed for provisioning.
Once the posture compliance module is installed on your endpoint, it will check compliance based on your posture policy. So the result can be COMPLIANT or NON-COMPLIANT. You can configure the Authz for the NON-COMPLIANT user based on your CONDITION.
@kb
A is correct
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html
Configure Authorization Policy for Client Provisioning and Posture
The authorization policy sets the types of access and services to be granted to endpoints based upon their attributes such as identity, access method, and compliance with posture policies. The authorization policies in this example ensure that endpoints that are not posture compliant are quarantined; that is, the endpoints are granted limited access sufficient to provision agent software and to remediate failed requirements. Only posture compliant endpoints are granted privileged network access.
(Optional). Define a dACL that restricts network access for endpoints that are not posture compliant.
Hey Kibo, I saw your post about the 300-208 do you have any of that info still? I am planning on taking this soon.
Anyone know the answer to this. It was mentioned on the forum a couple of times.
Which two statements about Cisco Prime infrastructure are true?
A.It provides BugID information for Cisco IOS devices.
B.It can display diagnostic data from Cisco NAMs.
C.It integrates with APICs_EM to enable Zero Touch Provision on Cisco network devices.
D.It integrates with APIC_EM PKI Service to create PKI-secured routes with GRE.
E.It provides application visibility with NBAR.
Hello everyone, the @sim’s google drive link is broken (it asks for a request, but it doesn’t work). Could somebody share the latest gio dumps with a normal link? Thank you in advance.
Congratulations!
Passed the 300-208 exam recently!
A lot of new questions in my 300-208 test, old version dumps are not valid enough for passing now.
I mainly learned the PassLeader 300-208 dumps (502q version), stable and valid enough for passing!
Good luck!
By the way:
PassLeader 300-208 dumps FYI:
od.lk/fl/NjFfMTUyNjc0NV8
(502q~~~NEW VERSION DUMPS!!!)
Good Luck!!!
[(copy that link and open it in your web browser!!!)]
More:
1. PassLeader 300-206 dumps FYI:
od.lk/fl/NjFfMTUyNjc0M18
(486q~~~NEW VERSION DUMPS!!!)
~~~~~~~~~~~~~~~~~~~~~~~~~
2. PassLeader 300-209 dumps FYI:
od.lk/fl/NjFfMTUyNjc0N18
(454q~~~NEW VERSION DUMPS!!!)
~~~~~~~~~~~~~~~~~~~~~~~~~
3. PassLeader 300-210 dumps FYI:
od.lk/fl/NjFfMTUyNjc0OV8
(502q~~~NEW VERSION DUMPS!!!)
~~~~~~~~~~~~~~~~~~~~~~~~~
Good Luck!!!
[(copy those links and open them in your web browser!!!)]
NEW QUESTION 446
You must implement DMVPN Phase 3 by using EIGRP as the dynamic routing protocol for the tunnel overlay. Which action do you take to allow EIGRP to advertise all routes between the hub and all the spokes?
A. Summarize routes from the hub to the spokes.
B. Disable split-horizon for EIGRP on the hub.
C. Configure the hub to set itself as the next hop when advertising networks to the spoke.
D. Add a distribute list to permit the spoke subnets and deny all other networks.
Answer: B
NEW QUESTION 448
When configuring a FlexVPN, which two components must be configured for IKEv2? (Choose two.)
A. persistence
B. profile
C. proposal
D. preference
E. method
Answer: BC
NEW QUESTION 449
What is a functional difference between IKEv1 and IKEv2 on a router?
A. HSRP
B. RRI
C. DPD
D. Stateful Failover
Answer: C
NEW QUESTION 450
Which two descriptions of the characteristics of Cisco GET VPN are true? (Choose two.)
A. provides a tunnelless transport mechanism
B. encrypts the data payload and IP header of a packet
C. requires that GRE tunnels exist between participating routers
D. uses a common set of traffic encryption keys shared by group members
E. uses VTIs to establish IPsec tunnels
Answer: AD
NEW QUESTION 451
When using Clientless SSL VPN on a Cisco ASA, which authentication method is required for single sign-on?
A. TACACS
B. LOCAL
C. RADIUS
D. SAML 2.0
Answer: D
@Anonymous, hello.
Could you share the dumps that you have, please? Thank you in advance.
300-208 dumps are half valid. Failed today with an 806
@Anonymous
which dump did you use?
I’ve been fine tuning my studies with the Gio Dump. Does anyone know if this dump its still valid?
@Kibo,
when he says blacklist D&D, is this?
Blacklist: provide a posture assessment for a device
certificate provisioning: request a certificate for a device that is unable to use onboarding support
client provisioning: remove a device
my devices: register a lost device
@Anonymous
Could you tell us what Drag and Drops, labs and SIMs you had on the exam?
Wrote last week Friday, missed passing score by 14 points. Dumps are semi-valid.
I used Cisco content, Pluralsight and Gio Dumps plus looked over passleader (not to be trusted).
2 x Labs (3 and 4 questions per lab). Blacklist DnD (as CCNP SWITCH points to).
The last few questions were as strange as people have made them out to be above, but valid as well. Focus on Gio Dumps – research some of the answers in order to get a better understanding.
Examples of questions:
Radius Attributes question – one about which attribute would include a Mac Address:
A 1
B 2
C 6
D 31
Not sure about this??
Also another question about which Radius Attribute contains Mac Address:
Call-back was an option.
Guest posturing services question.
Going to take it again this week – this time I will pass as I know what to look out for!
@passNextTime, thank you for your feedback. Good luck with the next exam.
Regarding your question:
Radius Attributes question – one about which attribute would include a Mac Address:
A 1
B 2
C 6
D 31
The answer should be D 31
However, because the MAC address is sent in the clear in Attribute 31 (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password.
and check the table 1
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html
BTW @passNextTime, @CCNP SWITCH, @Tom, could you guys share the latest dumps that you have, please. Provide normal access, so everyone could download them from your link because sim’s google drive link is broken and I couldn’t download them.
Thank you in advance.
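To make the point about attribute 31 concrete, here is an added example (not code from any post on this page, and not Cisco's): a Python script that builds the RADIUS Access-Request a switch sends when MAB triggers, then parses it back the way a packet capture would be read. It shows that the MAC address is recoverable from Calling-Station-Id (31) without any secret, while the copy in User-Password (2) is hidden with the RFC 2865 MD5 scheme. The sample MAC, the shared secret, the `XX-XX-XX-XX-XX-XX` formatting and the use of Service-Type Call-Check (10) are constructed or assumed values, not taken from the page.

```python
import hashlib
import os
import struct
from typing import Optional

# RADIUS attribute types (RFC 2865) named in the exam question above
USER_NAME = 1
USER_PASSWORD = 2
SERVICE_TYPE = 6
CALLING_STATION_ID = 31

ACCESS_REQUEST = 1            # RADIUS packet code
SERVICE_TYPE_CALL_CHECK = 10  # value NADs typically send for MAB (assumption)


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; only possible with the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def calling_station_id(mac_flat: str) -> str:
    """Format the MAC as XX-XX-XX-XX-XX-XX (assumed IOS formatting)."""
    return "-".join(mac_flat[i:i + 2].upper() for i in range(0, 12, 2))


def build_mab_access_request(mac: str, secret: bytes, identifier: int = 1,
                             authenticator: Optional[bytes] = None) -> bytes:
    """Build the Access-Request a switch sends for MAB: the MAC address is the
    User-Name, the User-Password and the Calling-Station-Id."""
    authenticator = authenticator or os.urandom(16)
    mac_flat = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    attrs = (
        attribute(USER_NAME, mac_flat.encode())
        + attribute(USER_PASSWORD, hide_user_password(mac_flat.encode(), secret, authenticator))
        + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
        + attribute(CALLING_STATION_ID, calling_station_id(mac_flat).encode())
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(pkt: bytes):
    """Return (code, identifier, authenticator, {type: [values]}) for a RADIUS packet."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs: dict = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", pkt[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(pkt[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, pkt[4:20], attrs


def mac_from_capture(pkt: bytes) -> str:
    """What anyone sniffing the RADIUS exchange sees: attribute 31 needs no secret."""
    _, _, _, attrs = parse_radius(pkt)
    return attrs[CALLING_STATION_ID][0].decode()


if __name__ == "__main__":
    # Constructed values: a sample MAC and a sample shared secret
    request = build_mab_access_request("0011.2233.4455", b"constructed-secret")
    print("Calling-Station-Id (clear):", mac_from_capture(request))
    _, _, auth, attrs = parse_radius(request)
    print("User-Password (hidden):    ", attrs[USER_PASSWORD][0].hex())
```

Running the script prints the MAC straight out of attribute 31 and an opaque 16-byte User-Password; the hiding of attribute 2 therefore adds nothing when the same MAC travels in the clear a few bytes later, which is the point made in the quoted Cisco guide.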
@ccpnexam
https:/*/*drive.google.com/file/d/1s6cQ7wuqF8Zlarag_4xzRwj3eCJZP1XG/view?usp=sharing
@ccpnexam
https:/*/*drive.google.com/file/d/1-rEq_ujnGdZLoLAOmFNKGBjP9LcpfNFP/view?usp=sharing
Can someone share the Gio Dumps please
@CCNP SWITCH, thanks a lot for sharing.
@Rayns, please, check two links that CCNP SWITCH has just shared.
Guys, if you have any questions or would like to clarify some topics, let’s discuss everything here. I’ll be monitoring this forum every day and try to find the required info. So let’s do it!!!
@ccpnexam both the GIO and passleader are not enough to pass. I took it last week and failed by 40 points. There are a lot of questions missing.
@Anonymous, so to hear that, wish you to take it the next time. Thank you for your feedback. You wrote that there are a lot of missing questions in the dumps, but I see that you posted here new questions and other posts here… Do you mean that these new/missing questions are not even here in the forum? And how many are they? 40 points – it’s not a lot, man, it’s just a few questions… so I’m sure you will be able to take it the next time.
@Anonymous, sorry to hear that*
I will be taking mines relatively soon, I want to thank you guys for putting the time in helping your peers.
My all 3 CCNPs are expiring next month. Can someone suggest if any of CCNP exam with stable dump and may be with less questions
@Rayns if you find one let me know im in the same boat.
Hi All,
who knows the correct answer to this question?
Which two additional fields are added to an Ethernet frame when implementing MACsec?
(Choose two.)
A. encapsulating security payload
B. authentication header
C. message authentication code
D. authentication host mode
E. security tag
Anyone know the correct answer?
Which client interface or interfaces are provisioned when the Cisco ISE performs supplicant
provisioning?
A. wireless and wired interface
B. wireless interface
C. active interfaces
D. wired interface
@Rayns & @Anonymous me too on the same boat like you both ….
Both can you share your mail id ?????
@Tom,
Which client interface or interfaces are provisioned when the Cisco ISE performs supplicant
provisioning?
A. wireless and wired interface
B. wireless interface
C. active interfaces
D. wired interface
Answer is C
The provisioning wizard only configures interfaces which are active. Because of this, users with Wired and Wireless connections will not be provisioned for both interfaces, unless they are both active.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010101.html
@Tom
Which two additional fields are added to an Ethernet frame when implementing MACsec?
(Choose two.)
A. encapsulating security payload
B. authentication header
C. message authentication code
D. authentication host mode
E. security tag
Answer is C and E
Here is the confirmation:
MACsec frame format, which is similar to the Ethernet frame, but includes additional fields:
*Security Tag, which is an extension of the EtherType
*Message authentication code (ICV)
https:/*/*en.wikipedia.org/wiki/IEEE_802.1AE
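As an added example (not from any post here and not vendor code), the following Python parser shows where the two fields named in the answer sit in an 802.1AE frame: the Security Tag begins with EtherType 0x88E5 and carries the TCI/AN octet, the short length, the packet number and optionally the SCI, and the ICV is the last 16 octets. The sample frame is constructed; its payload and ICV are placeholder bytes, not real AES-GCM output, so the example only demonstrates the framing, not the cryptography.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5  # EtherType that starts the SecTAG
ICV_LEN = 16               # GCM-AES-128 and GCM-AES-256 both produce a 16-octet ICV


def is_macsec(frame: bytes) -> bool:
    """True when the EtherType after DA/SA is 0x88E5, i.e. a SecTAG follows."""
    return len(frame) >= 14 and struct.unpack("!H", frame[12:14])[0] == MACSEC_ETHERTYPE


def parse_macsec_frame(frame: bytes) -> dict:
    """Split an 802.1AE frame into DA, SA, SecTAG fields, secure data and ICV.
    No decryption or ICV check is done; this only locates the two added fields."""
    if not is_macsec(frame):
        raise ValueError("not a MACsec frame")
    tci_an, sl = frame[14], frame[15]
    pn = struct.unpack("!I", frame[16:20])[0]
    pos = 20
    sc_present = bool(tci_an & 0x20)      # SC bit: an explicit 8-octet SCI follows
    sci = None
    if sc_present:
        sci, pos = frame[20:28], 28
    if len(frame) < pos + ICV_LEN:
        raise ValueError("frame too short for an ICV")
    secure_data, icv = frame[pos:-ICV_LEN], frame[-ICV_LEN:]
    short_length = sl & 0x3F              # non-zero only when secure data < 48 octets
    if short_length and short_length != len(secure_data):
        raise ValueError("SL field disagrees with the secure data length")
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "version": (tci_an >> 7) & 1,
        "es": bool(tci_an & 0x40),            # End Station
        "sc": sc_present,
        "scb": bool(tci_an & 0x10),           # Single Copy Broadcast
        "encrypted": bool(tci_an & 0x08),     # E bit
        "changed_text": bool(tci_an & 0x04),  # C bit
        "an": tci_an & 0x03,                  # Association Number
        "short_length": short_length,
        "pn": pn,                             # Packet Number (replay protection)
        "sci": sci.hex() if sci else None,
        "sectag_len": pos - 12,               # 8 octets, or 16 with an explicit SCI
        "secure_data": secure_data,
        "icv": icv,
    }


def build_sample_frame() -> bytes:
    """Constructed sample frame: the 'ciphertext' and ICV are placeholder bytes,
    not real AES-GCM output, so only the framing is meaningful."""
    da = bytes.fromhex("001122334455")
    sa = bytes.fromhex("66778899aabb")
    tci_an = 0x2C                          # V=0 ES=0 SC=1 SCB=0 E=1 C=1 AN=0
    payload = bytes(range(20))             # 20 octets (< 48), so SL must be set
    pn = 5
    sci = sa + b"\x00\x01"                 # SCI = system identifier + port identifier
    icv = b"\xaa" * ICV_LEN
    return (da + sa + struct.pack("!H", MACSEC_ETHERTYPE)
            + bytes([tci_an, len(payload)]) + struct.pack("!I", pn)
            + sci + payload + icv)


if __name__ == "__main__":
    fields = parse_macsec_frame(build_sample_frame())
    print({k: v for k, v in fields.items() if k not in ("secure_data", "icv")})
```

A plain Ethernet frame fails the EtherType check, which is also how a capture tool tells protected from unprotected traffic on a MACsec-enabled link.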
Which three statements are true regarding MAB ?
A. The MAC address is sent in a RADIUS Access-Request message
B. It is commonly configured with network printers
C. It uses certificates in the authentication process
D. It uses EAP to authenticate users
E. It allows exemptions from 802.1X authentication
@Anonymous
Which three statements are true regarding MAB ?
A. The MAC address is sent in a RADIUS Access-Request message
B. It is commonly configured with network printers
C. It uses certificates in the authentication process
D. It uses EAP to authenticate users
E. It allows exemptions from 802.1X authentication
Answers: A B E
The MAC address is sent in a RADIUS Access-Request message – “After the switch learns the source MAC address, it discards the packet. Then the switch crafts a RADIUS Access-Request packet.”
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html
It allows exemptions from 802.1X authentication – this is true, because MAB is MAC Authentication Bypass (AUTHENTICATION BYPASS), so you release (exempt) some devices from using 802.1X authentication.
It is commonly configured with network printers – this is also correct, because printers don’t support any supplicants (native or AnyConnect), and there are no users to interact with the browser for Web Authentication, so the only way to provide access to your network is to use MAB.
SISAS 300-208 Official Cert Guide:
“in a wired world there are so many devices that require network access without any user interaction. Consider devices such as IP cameras, IP phones, printers, fax machines, badge readers, and so much more. Therefore, MAC Authentication Bypass (MAB) had to be added to the process flow.”
For the other questions, I’ve provided the answers yesterday
What features are available to the Rule-based Policy type versus the Simple Policy type for the ISE Authentication Policies? (Choose three)
A. You can use different identity sources for different policies
B. You can define one or more conditions using attributes from the ISE dictionary
C. You can define conditions to allow ISE to dynamically choose protocols
D. You can define allowed static protocols and identify rule sources
Question: You need to configure Cisco ISE to redirect unknown users to the central web authentication portal.
Which setting should be configured for the MAB authentication rule?
A. Reject
B. Continue
C. Quarantine
D. Drop
Correct answer: B
Explanation: Central WebAuth makes use of a fail-open MAC Authentication Bypass (MAB) authentication rule. The authentication rule must be configured to continue when the user is not found. This configuration allows further actions to be taken by the Cisco Identity Services Engine (ISE) and the network access device (NAD). For example, you can allow MAB to complete with success, but assign the attribute Authentication Status the value of UnknownUser. An authorization policy rule that requires this condition will then be applied and its authorization profile will specify the redirection to the central web authentication portal.
If a reject is configured, Cisco Identity Services Engine (ISE) will send a reject response, and unknown users will not be redirected to the central web authentication portal.
If a drop is configured, Cisco Identity Services Engine (ISE) will send no response, and unknown users will not be redirected to the central web authentication portal.
Quarantine is not a valid course of action for a user not found authentication failure.
________________________________________
Question: How are Cisco ISE guest services enabled?
A. By using the Cisco ISE admin portal
B. By configuring a NAD
C. By installing NAC Agents
D. By the WebAuth functionality
Correct answer: D
Explanation: Cisco Identity Services Engine (ISE) guest services are enabled by the WebAuth functionality. When a guest user first connects to the local network, either through a wireless or wired connection, the Cisco ISE assigns that user a restrictive authorization profile defined to support the WebAuth function.
Network access devices (NADs) are Remote Authentication Dial-In User Service (RADIUS) clients and Cisco Identity Services Engine (ISE) is their RADIUS server. Configuring a NAD does not enable guest services.
The Cisco Identity Services Engine (ISE) admin portal is part of the Cisco ISE Guest Service applications. This is not used to enable guest services.
The security posture of the endpoints is communicated to the Cisco Identity Services Engine (ISE) policy service node by Network Admission Control (NAC) agents. The NAC agents are installed on the clients and interact with the posture service to enforce security policies on the endpoints. They assist you in evaluating clients against posture policies and ensuring that clients meet requirements that are required for compliance with the security policies of your organization. It is not the NAC agent that enables guest services.
________________________________________
Question: What option simplifies ACL management?
A. dACLs
B. VLANs
C. Security Group Access
Correct answer: C
Explanation: This is correct. Security Group Access can help simplify ACL management by using security group tags. Security Group Access requires users, endpoint devices, and resources to share access control policies.
This is incorrect. VLANs are less recommended than dACLs and SGAs since they do not require an access control list. However, by using VLAN assignments, you can control which actions a user can perform once authenticated.
This is incorrect. Dynamic ACLs can be configured on a switch port, for example, and are used to control what a user can do once authenticated. dACLs can be used to control protocols, ports, as well access control.
________________________________________
Question: What features describe EAP Chaining?
A. Uses Identity-Type TLV as an optional third phase of the authentication
B. Supports authentication of machine and user inside the same TLS outer tunnel
C. Was first implemented in EAP-FASTv2
D. It is an IETF standard called TLV-TEAP
Correct answer: B C
________________________________________
Question: From which location in the Cisco ISE can you view endpoint profiler summary information?
A. Administration | Identity Management | Groups | Endpoint Identity Groups | Profiled
B. Policy | Policy Elements | Results | Authentication | Allowed Protocols Services
C. Policy | Policy Elements | Conditions, Profiler
D. Operations | Reports | Catalog | Endpoint
Correct answer: D
Explanation: Cisco Identity Services Engine (ISE) provides a set of predefined report definitions on endpoint profiling that can be used to efficiently manage your network. The standard reports for endpoint profiling include the following:
– Endpoint_MAC_Authentication_Summary
– Endpoint_Profiler_Summary
– Endpoint_Time_To_Profile
– Top_N_Authentications_By_Endpoint_Calling_Station_ID
– Top_N_Authentications_By_Machine
The Endpoint_Profiler_Summary report allows you to view endpoint profiler summary information associated with a specific MAC address for a specified time period. These reports are located using the following path: “Operations” – “Reports” – “Catalog” – “Endpoint”.
The “Policy” | “Policy Elements” | “Conditions, Profiler” path will not allow you to view endpoint profiler summary information. Rather, this location will allow you to examine the details of conditions specified in the rules. You can also perform a read-only expansion of the condition details by hovering the mouse pointer over the condition field and clicking the details icon.
The “Policy” | “Policy Elements” | “Results” | “Authentication” | “Allowed Protocols Services” path will not allow you to view endpoint profiler summary information. In Cisco Identity Services Engine (ISE), you have the option of using the built-in allowed protocol set or create a custom list of allowed authentication protocols. You can view and customize the default protocol set. It is named Default Network Access and can be edited in the “Policy” | “Policy Elements” | “Results” | “Authentication” | “Allowed Protocols Services” menu.
The “Administration” | “Identity Management” | “Groups” | “Endpoint Identity Groups” | “Profiled” path will not allow you to view endpoint profiler summary information. If you select the option “Yes, create matching identity group” in the profiling policy configuration, a profiled endpoint identity group will be automatically created in the Cisco Identity Services Engine (ISE). This group is added even before any endpoints are profiled using the given policy. You can view the profiled endpoint identity group in the “Administration” | “Identity Management” | “Groups” | “Endpoint Identity Groups” | “Profiled” path.
________________________________________
Question: What are the two steps required to validate the ISE certificate?
A. Second, verify the server certificate
B. Second, verify the server signature
C. First, verify the server signature
D. First, verify the server certificate
Correct answer: B D
________________________________________
Question: When is Transport Layer Security, or TLS, used in the Cisco ISE environment?
A. Protection of tunneled EAP protocols
B. Clients need to verify a user’s authenticity
C. HTTPS-based administrative access and WebAuth
D. LDAPS
Correct answer: A C D
________________________________________
Question: What is the function of the CoA used in Cisco ISE posture service?
A. It is used for authenticating and encrypting packets between two adjacent devices.
B. It is used to categorize incoming packets into flows.
C. It is used to change endpoint status after authorization and compliance checks.
D. It is used to ensure accurate local timekeeping of endpoints.
Correct answer: C
Explanation: The Change of Authorization (CoA) is a standards-based method to change an endpoint authorization status after successful authentication and after confirmation of endpoint compliance. The authentication, authorization, and accounting (AAA) framework uses CoA messages to dynamically modify active subscriber sessions. After successful authentication, an endpoint is allowed basic network connectivity. This basic connectivity profile enables the Cisco Identity Services Engine (ISE) to perform profiling and security posture functions.
MACsec is a standard for authenticating and encrypting packets between two adjacent devices. Many Cisco Catalyst switches support MACsec encryption with MKA on downlink ports for encryption between the switch and host devices. It is not a function of Change of Authorization (CoA).
Network Time Protocol (NTP) is a protocol built on top of TCP that ensures accurate local timekeeping with reference to radio and atomic clocks located on the Internet. It is not a function of Change of Authorization (CoA).
NetFlow is a feature of some routers that allows them to categorize incoming packets into flows. Because packets in a flow often can be treated in the same way, this classification can be used to bypass some of the work of the router and accelerate its switching operation. It is not a function of Change of Authorization (CoA).
________________________________________
Question: Which statement describes SGT tagging?
A. Only statically assigns classifications
B. Policy is applied via SGACL or SGFW
C. It is propagated via offline tagging
D. Classification assigned on outbound
Correct answer: B
Explanation: This option is correct. The SGT is enforced by applying the policy via the Secure Group Access Control Lists or Secure Group Firewall, thus enabling policy application from one SGT tag to another SGT tag. For instance, from an IT user SGT tag to a Finance server SGT tag.
This option is incorrect. The SGT or tag classification is assigned inbound, or at ingress. For instance, as a user sends traffic to an access port on a switch ingress tagging is inserted at that point.
This option is incorrect. The SGT or tag classifications can be applied either through static mapping or through a dynamic process.
This option is incorrect. The SGT is propagated via inline tagging, through the switch matrix. For noncompliant devices, such as Adaptive Security Appliances, SXP, or SGT Exchange Protocol can be used to propagate the SGT.
________________________________________
Question: Which options are examples of statically assigned SGT classifications?
A. IP host to SGT
B. VLAN to SGT
C. 802.1x
D. Web Authentication
E. MAC to SGT
Correct answer: A B
Explanation: Static tagging can be configured on the network access device (NAD) or on the Identity Services Engine (ISE) and then downloaded to the NAD. Examples of static tagging include a mapping of an IP host or subnet to a security group tag (SGT) or the mapping of a VLAN to a SGT. Numerous other options exist, with varying support depending on the device platforms and software versions.
MAC to security group tag (SGT) is not a form of dynamic or static classification. The SGT classifications are as follows:
Dynamic:
802.1X
MAC Authentication Bypass
Web Authentication
Static mappings:
IP host or subnet to SGT
VLAN to SGT
Dynamic tagging can be deployed in combination with 802.1X authentication, MAC Authentication Bypass (MAB), or Web authentication. In these access methods, the Cisco Identity Services Engine (ISE) can push a security group tag (SGT) to the network access device (NAD) to be inserted into the client traffic. The SGT is applied as a permission in the authorization policy rules. This permission can be assigned in addition to, or instead of, an authorization profile.
________________________________________
Question: What is used to propagate SGT within the network?
A. Inline tagging
B. SGFW
C. SGACL
D. SXP
Correct answer: A D
Explanation: SGT eXchange Protocol (SXP) and Inline tagging are used to propagate security group tags (SGT). Security group mappings follow the traffic through the network. With inline tagging, the SGT is embedded in the Ethernet frame header. Not all network devices support inline tagging. SXP is used to transport SGT mappings across devices that do not support inline tagging.
Security group mappings follow the traffic through the network. This can be accomplished either through inline tagging or the SGT eXchange Protocol (SXP). With inline tagging, the security group tag (SGT) is embedded in the Ethernet frame header. Not all network devices support inline tagging. SXP is used to transport SGT mappings across devices that do not support inline tagging.
Security Group Firewall (SGFW) is not used to propagate security group tag (SGT) within a network. Cisco TrustSec enforcement is implementing a permit or deny policy decision based on the source and destination SGTs. This can be accomplished with Security Group Access Control Lists (SGACLs) on switching platforms and SGFW on routing and firewall platforms.
Security Group Access Control List (SGACL) is not used to propagate security group tag (SGT) within a network. Cisco TrustSec enforcement is implementing a permit or deny policy decision based on the source and destination SGTs. This can be accomplished with SGACLs on switching platforms and Security Group Firewall (SGFW) on routing and firewall platforms.
________________________________________
Question: Which options are true when the SNMPPortsAndOS-scan type is run against an endpoint?
A. TCP/UDP ports 1-1024 and SNMP ports are queried if they are open.
B. Ports 161 and 162 are queried if they are open.
C. The OS version is queried.
D. TCP ports 1-1024 and SNMP ports are queried if they are open.
Correct answer: B C
Explanation: The SNMPPortsAndOS-scan scans the OS and OS version that an endpoint is running. It can be used for endpoints that are identified and matched initially with an Unknown profile for better classification.
The SNMPPortsAndOS-scan triggers an SNMP Query when SNMP ports (161 and 162) are open. It can be used for endpoints that are identified and matched initially with an Unknown profile for better classification.
The SNMPPortsAndOS-scan scan does not query TCP ports 1-1024 and SNMP ports if they are open. There is no option that scans the OS, TCP, and SNMP ports. The SNMPPortsAndOS-scan scan is used to scan the OS and SNMP ports and the CommonPortsAndOS-scan is used to scan the common TCP/UDP ports and the OS.
The SNMPPortsAndOS-scan scan does not query TCP/UDP ports 1-1024 and SNMP ports if they are open. There is no option that scans the OS, TCP, and SNMP ports. The SNMPPortsAndOS-scan scan is used to scan the OS and SNMP ports and the CommonPortsAndOS-scan is used to scan the common TCP/UDP ports and the OS.
Guys, please, let me know your opinion regarding this question:
Which three network access devices allow for static security group tag assignment? (Choose three.)
A. intrusion prevention system
B. access layer switch
C. data center access switch
D. load balancer
E. VPN concentrator
F. wireless LAN controller
According to the gio’s answer, it should be BCE. B and C (switches) are correct. But not sure about VPN concentrator. The VPN Concentrator is ASA, but I don’t see it can support static SGT assignment (IP to SGT or VLAN to SGT), but if you check 5760 Wireless Controller Series, it supports Dynamic, IP to SGT, VLAN to SGT, Port to SGT, Subnet to SGT
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf
@ccnp static SGT supports VPN concentrator.
Koichiro Tsutsumi IS SPAM SPAM SPAM SPAM
Which two protocols does Cisco Prime Infrastructure use for device discovery? (Choose two.)
A. SNAP
B. LLDP
C. RARP
D. DNS
E. LACP
Answer: BD
Shouldn’t the answer be BC ?
Guys pls say something on this. Thanks
Hi,
Anyone can tell if there’s are new questions in 300-208? Many thanks
Hi,
The dump PL 502q is valid ?
Thanks
The dump PL 502q is enough to Pass?