NEW QUESTION 1
On a Cisco ASA, how can you allow traffic to enter and exit via same interface?

• A. Configure both interfaces to have the same security level.
• B. Issue the command same-security-traffic permit inter-interface.
• C. Install a router on a stick.
• D. Issue the command same-security-traffic permit intra-interface.

Answer: D

Explanation:
To permit communication between interfaces with equal security levels, or to allow traffic to enter anciscoasad
exit the same interface, use the same-security-traffic command in global configuration mode. To disable the
same-security traffic, use the no form of this command.
same-security-traffic permit { inter-interface | intra-interface }
no same-security-traffic permit { inter-interface | intra-interface }
Syntax Description
inter-interface Permits communication between different interfaces that have the same security level.
intra-interface Permits communication in and out of the same interface. http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html

NEW QUESTION 2
Refer to the exhibit.

Which Information Is passed between the active and standby Cisco ASA firewalls over interface m0/0?

• A. TCP connection status
• B. network link status
• C. ARP table
• D. SIP signaling session

Answer: A

NEW QUESTION 3
Which four are IPv6 First Hop Security technologies? (Choose four.)

• A. Send
• B. Dynamic ARP Inspection
• C. Router Advertisement Guard
• D. Neighbor Discovery Inspection
• E. Traffic Storm Control
• F. Port Security
• G. DHCPv6 Guard

Answer: ACDG

NEW QUESTION 4
An engineer suspects that client workstations are experiencing extremely poor response time due to
a man in middle attack. Which feature must be enabled and configured to provide relief from this type of attack?

• A. Internet Key Exchange
• B. Link Aggregation
• C. Reverse ARP
• D. Dynamic ARP Inspection
• E. private VLANs

Answer: D

NEW QUESTION 5
What is a required attribute to configure NTP authentication on a Cisco ASA?

• A. Key ID
• B. IPsec
• C. AAA
• D. IKEv2

Answer: A

NEW QUESTION 6
What is the lowest combination of ASA model and license providing 1 Gigabit Ethernet interfaces?

• A. ASA 5505 with failover license option
• B. ASA 5510 Security+ license option
• C. ASA 5520 with any license option
• D. ASA 5540 with AnyConnect Essentials License option

Answer: B

NEW QUESTION 7
A network printer has a DHCP server service that cannot be disabled. How can a layer 2 switch be
configured to prevent the printer from causing network issues?

• A. Remove the ip helper-address
• B. Configure a Port-ACL to block outbound TCP port 68
• C. Configure DHCP snooping
• D. Configure port-security

Answer: C

NEW QUESTION 8
What are three attributes that can be applied to a user account with RBAC? (Choose three.)

• A. domain
• B. password
• C. ACE tag
• D. user roles
• E. VDC group tag
• F. expiry date

Answer: BDF

NEW QUESTION 9
Which two options are two purposes of the packet-tracer command? (Choose two.)

• A. to filter and monitor ingress traffic to a switch
• B. to configure an interface-specific packet trace
• C. to inject virtual packets into the data path
• D. to debug packet drops in a production network
• E. to correct dropped packets in a production network

Answer: CD

NEW QUESTION 10
A user is having trouble connecting to websites on the Internet. The network engineer proposes configuring a packet capture that captures only the HTTP response traffic on the Cisco Adaptive Security Appliance between the user’s workstation and Internet. If the user’s workstation IP address is 10.0.0.101, which ACE is needed to achieve this capture?

• A. access-list capture permit tcp host 10.0.0.101 eq 80 any
• B. access-list capture permit tcp host 10.0.0.101 any eq 80
• C. access-list capture permit tcp any eq 80 host 10.0.0.101
• D. access-list capture permit tcp any host 10.0.0.101 eq 80

Answer: D

NEW QUESTION 11
Which three options correctly identify the Cisco ASA1000V Cloud Firewall? (Choose three.)

• A. operates at Layer 2
• B. operates at Layer 3
• C. secures tenant edge traffic
• D. secures intraswitch traffic
• E. secures data center edge traffic
• F. replaces Cisco VSG
• G. complements Cisco VSG
• H. requires Cisco VSG

Answer: BCG

NEW QUESTION 12
Which five options are valid logging destinations for the Cisco ASA? (Choose five.)

• A. AAA server
• B. Cisco ASDM
• C. buffer
• D. SNMP traps
• E. LDAP server
• F. email
• G. TCP-based secure syslog server

Answer: BCDFG

NEW QUESTION 13
Which command is used to disable Cisco Discovery Protocol globally on a router?

• A. Cdp disable
• B. No cdp enable
• C. No cdp
• D. No cdp run

Answer: D

NEW QUESTION 14
DRAG DROP
Drag and drop the syslog message examples on the left onto the message security level on the right.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 15
Refer to the exhibit.

An engineer is configuring lOS rote based CLI access and is getting an error upon entering the command* exec include show ip bgp summary parser view command. Based on the console message received, which command would fix this error?

• A. enable secret <password>
• B. username <user> secret <password>
• C. password <password>
• D. secret 5 <encrypted password>

Answer: D

NEW QUESTION 16
About snmp v3 encryption, which option we have to use?

• A. priv
• B. auth
• C. encrypted

Answer: A

Explanation:
-Configure snmp group:snmp-server group [groupname {v1 | v2c | v3{auth | noauth | priv}}] [read readview] [write writeview] [notify notifyview] [access access-list]
-Configure snmp user: snmp-server user username group-name [remote host [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access [ipv6 nacl] [priv {des | 3des | aes
{128 | 192 |256}} privpassword] {acl-number | acl-name}]
encrypet if the password are encrypted ex. insert password not in plain text for auth.

NEW QUESTION 17
A Cisco ASA requires an additional feature license to enable which feature?

• A. transparent firewall
• B. cut-thru proxy
• C. threat detection
• D. botnet traffic filtering
• E. TCP normalizer

Answer: D

NEW QUESTION 18
Which action can be taken as a preventive measure against VLAN hopping attacks?

• A. Configure an uplink to another switch as access port
• B. Set an unused VLAN as native VLAN on a trunk port
• C. Limit number of MAC addresses on a trunk port
• D. Configure port security on all switch ports

Answer: B

NEW QUESTION 19
Which Cisco TrustSec role does a Cisco ASA firewall serve within an identity architecture?

• A. Access Requester
• B. Policy Decision Point
• C. Policy Information Point
• D. Policy Administration Point
• E. Policy Enforcement Point

Answer: E

NEW QUESTION 20
When configuring a new context on a Cisco ASA device, which command creates a domain for the context?

• A. domain config name
• B. domain-name
• C. changeto/domain name change
• D. domain context 2

Answer: B

NEW QUESTION 21
An engineer is configuring MACsec encryption. Which two components?

• A. switch-to-switch connection
• B. user- facing downlink support
• C. switch-to-host connection
• D. switch port connected to other switches
• E. host-facing links

Answer: BC

NEW QUESTION 22
Which statement about Dynamic ARP Inspection is true ?

• A. In a typical network, you make all ports as trusted expect for the ports connection to switches , which areuntrusted
• B. DAI associates a trust state with each switch
• C. DAI determines the validity of an ARP packet based on valid IP to MAC address binding from the DHCPsnooping database
• D. DAI intercepts all ARP requests and responses on trusted ports only
• E. DAI cannot drop invalid ARP packets

Answer: C

NEW QUESTION 23
After a session has been secured with MACsec, which two types of traffic can be sent and received unencrypted?

• A. EAPOL-Start
• B. DHCP offer
• C. Cisco Discovery Protocol
• D. DHCP discover
• E. EAPOL-Logoff

Answer: AC

NEW QUESTION 24
An engineer is applying best practices to stop vlan hopping attacks? (Choose Two)

• A. disable DTP on user facing ports
• B. configure DHCP snooping on all switches
• C. use the vlan dot 1Q tag native command
• D. disable cisco discovary protocol on all switches
• E. configure IP on source Guard on all switches

Answer: AC

NEW QUESTION 25
Which policy map action makes a Cisco router behave as a stateful firewall for matching traffic?

• A. Log
• B. Inspect
• C. Permit
• D. Deny

Answer: B

NEW QUESTION 26
Which three options are hardening techniques for Cisco IOS routers? (Choose three.)

• A. limiting access to infrastructure with access control lists
• B. enabling service password recovery
• C. using SSH whenever possible
• D. encrypting the service password
• E. using Telnet whenever possible
• F. enabling DHCP snooping

Answer: ACD

NEW QUESTION 27
Which two configurations are the minimum needed to enable EIGRP on the Cisco ASA appliance?
(Choose two.)

• A. Enable the EIGRP routing process and specify the AS number.
• B. Define the EIGRP default-metric.
• C. Configure the EIGRP router ID.
• D. Use the neighbor command(s) to specify the EIGRP neighbors.
• E. Use the network command(s) to enable EIGRP on the Cisco ASA interface(s).

Answer: AE

NEW QUESTION 28
Which Cisco switch technology prevents traffic on a LAN from being disrupted by a broadcast,
multicast, or unicast flood on a port?

• A. port security
• B. storm control
• C. dynamic ARP inspection
• D. BPDU guard
• E. root guard
• F. dot1x

Answer: B

NEW QUESTION 29
Which hypervisor technology is supported by Cisco ASA 1000V Cloud Firewall?

• A. KVM
• B. XenServer
• C. Hyper-V
• D. VMware vSphere

Answer: D

Explanation:
https://www.cisco.com/c/en/us/products/collateral/security/asa-1000v-cloud-firewall/data_sheet_c78-687960.html

NEW QUESTION 30
......