About danamilo

  1. Anyone know if this guy is legit? --- radeon_india [Hidden Content] Anyone want to do a group buy? Dana
  2. What are you using for simulation? GNS3 or UNetLab?
  3. 470 ONLY and no it's not enough. Also lots of answers are wrong in the 470 questions.
  4. Can gns3 simulate everything that's needed for the exam? Same question for unetlab. I used IOU before and once I tried to do the UNETLAB but under Windows 10 there were problems and I couldn't get ASA image working.
  5. I want to create a lab for CCIE Security. What do I use, GNS3 or UNetLab?
  6. No new drag and drops. But I got only one drag and drop. Also I got a new question where they showed dir output and asked what was the correct choice: like is the file corrupted, or there is no running config, or that there are public and private certificate files present. Something like that. For pxGrid: [Hidden Content] Also for MAB configuration, there was also guest VLAN config instead of MAB, and SGT together with a RADIUS server, so watch out for this.
  7. JUST PASSED THE EXAM. Got a lot of new questions about Firepower, pxGrid, WSA, Snort, WLC protecting the access point from which attacks. Also I had like 7 configurations to analyse that are not in the PL and that concern the MAB configuration and some CTS.
  8. When configuring Cisco IOS firewall CBAC operation on Cisco routers, the "inspection rule" can be applied at which two locations? (Choose two)
     A. at the trusted and untrusted interfaces in the inbound direction.
     B. at the trusted interface in the inbound direction.
     C. at the trusted and untrusted interfaces in the outbound direction.
     D. at the untrusted interface in the inbound direction.
     E. at the trusted interface in the outbound direction.
     F. at the untrusted interface in the outbound direction.
  9. Which statement about managing Cisco ISE Guest Services is true?
     A. Only a Super Admin or System Admin can delete the default Sponsor portal
     B. ISE administrators can view and set a guest's password to a custom value in the sponsor portal
     C. ISE administrators can access the Sponsor portal only if they have valid Sponsor accounts
     D. By default, an ISE administrator can manage only the guest accounts he or she created in the Sponsor portal
     E. Only ISE administrators from an external identity store can be members of a Sponsor group
     F. ISE administrator can access the Sponsor portal only from the Guest Access menu

     The correct answer is C, I believe:
     A - is not true (the default Sponsor Portal can't be deleted)
     B - is not true, you can't set the password for a guest user to an explicit value (there is a not-yet-fixed bug for this: CSCut24539). As for viewing the password, you can view it only if you are resetting the guest password and want to send the new details of the guest user to yourself by email or print a page.
     C - yes, it's true, you must create a separate Sponsor Admin account to access the Sponsor Portal (your ISE GUI admin credentials wouldn't work since it's a separate table in the ISE db)
     D - is not true, this depends on the "Sponsor Group" to which you've assigned your Sponsor Admin user or group.
     E - is not true, internal users and groups are also supported for authentication on the Sponsor Portal.
     I think the word ONLY is what's wrong.
  10. Can someone confirm this:
      Which two statements about NVGRE are true? (Choose two)
      A. It allows a virtual machine to retain its MAC and IP addresses when it is moved to a different hypervisor on a different L3 network (if it's a different L3 network it can't keep the IP address)
      B. The virtual machines CAN reside on a single virtual network regardless of their physical location (I put the CAN here)
      C. NVGRE endpoints can reside within a virtual machine
      D. The network switch handles the addition and removal of NVGRE encapsulation
      E. It supports up to 32 million virtual segments per instance (16 million)
      From the RFC: NVGRE endpoints are the ingress/egress points between the virtual and the physical networks. Any physical server or network device can be a NVGRE endpoint. One common deployment is for the NVGRE endpoint to be part of a hypervisor. The primary function of this endpoint is to encapsulate/decapsulate Ethernet data frames to and from the GRE tunnel, ensure Layer-2 semantics, and apply isolation policy scoped on VSID.
  11. Which two statements about Network Edge Authentication Technology (NEAT) are true? (Choose two)
      A. It requires a standard ACL on the switch port
      B. It conflicts with auto-configuration
      C. It allows you to configure redundant links between authenticator and supplicant switches
      D. It supports port-based authentication on the authenticator switch
      E. It can be configured on both access ports and trunk ports
      F. It can be configured on both access ports and EtherChannel ports

      Which three statements about SXP are true? (Choose three)
      A. It resides in the control plane, where connections can be initiated from a listener.
      B. Packets can be tagged with SGTs only with hardware support.
      C. Each VRF supports only one CTS-SXP connection.
      D. To enable an access device to use IP device tracking to learn source device IP addresses, DHCP snooping must be configured.
      E. The SGA ZBPF uses the SGT to apply forwarding decisions.
      F. Separate VRFs require different CTS-SXP peers, but they can use the same source IP addresses.

      What are the major components of a Firepower health monitor alert?
      A. A health monitor, one or more alert responses, and a remediation policy
      B. One or more health modules, one more alert responses, and one or more alert actions
      C. The severity level, one or more alert responses, and a remediation policy
      D. One or more health modules, the severity level, and an alert response
      E. One health module and one or more alert responses
  12. Great! Thanks AllSaz! Can we continue this?

      Which effect of this configuration is true?
      (config-if)# ip tcp adjust-mss 1452
      (config-if)# ip mtu 1492
      A. The PMTUD value sets itself to 1452 bytes when the interface MTU is set to 1492 bytes
      B. SYN packets carry 1452 bytes in the payload when the Ethernet MTU of the interface is set to 1492 bytes
      C. The maximum size of TCP SYN+ACK packets passing the transient host is set to 1452 bytes and the IP MTU of the interface is set to 1492 bytes
      D. The MSS of TCP SYN packets is set to 1452 bytes and the IP MTU of the interface is set to 1492 bytes
      E. The minimum size of TCP SYN+ACK packets passing the router is set to 1452 bytes and the IP MTU of the interface is set to 1492 bytes

      Which two statements about DHCP snooping are true? (Choose two)
      A. The binding database stores information about trusted interfaces.
      B. Messages sent from outside the service-provider network are untrusted.
      C. The binding database stores information about both IP and MAC addresses.
      D. The lease time in the binding database is a pre-set value.
      E. DHCP servers connect to untrusted interfaces on the switch.

      Which three statements about the SHA-2 algorithm are true? (Choose three)
      A. It provides a variable-length output using a collision-resistant cryptographic hash.
      B. It provides a fixed-length output using a collision-resistant cryptographic hash.
      C. It is used for integrity verification.
      D. It generates a 160-bit message digest.
      E. It is the collective term for the SHA-224, SHA-256, SHA-384, and SHA-512 algorithms.
      F. It generates a 512-bit message digest.

      Which three statements about VRF-Aware Cisco Firewall are true? (Choose three)
      A. It can run as more than one instance.
      B. It supports both global and per-VRF commands and DoS parameters.
      C. It can support VPN networks with overlapping address ranges without NAT.
      D. It enables service providers to implement firewalls on PE devices.
      E. It can generate syslog messages that are visible only to individual VPNs.
      F. It enables service providers to deploy firewalls on customer devices.

      Which two statements about EVPN are true? (Choose two)
      A. EVPN route exchange enables PEs to discover one another and elect a DF.
      B. EVPN routes can advertise backbone MAC reachability.
      C. EVIs allow you to map traffic on one or more VLANs or ports to a Bridge Domain.
      D. EVPN routes can advertise VLAN membership and verify the reachability of Ethernet segments.
      E. It is a next-generation Ethernet L2VPN solution that supports load balancing at the individual flow level and provides advanced access redundancy.
      F. It is a next-generation Ethernet L3VPN solution that simplifies control-plane operations and enhances scalability.

      Which two options are important considerations when you use NetFlow to obtain the full picture of network traffic? (Choose two)
      A. It monitors only TCP connections.
      B. It monitors only routed traffic.
      C. It monitors all traffic on the interface on which it is deployed.
      D. It monitors only ingress traffic on the interface on which it is deployed.
      E. It is unable to monitor over time

      What are the three response types for SCEP enrollment requests? (Choose three.)
      A. PKCS#7
      B. Reject
      C. Pending
      D. PKCS#10
      E. Success
      F. Renewal

      Which feature can you implement to protect against SYN-flooding DoS attacks?
      A. the ip verify unicast reverse-path command
      B. a null zero route
      C. CAR applied to icmp packets
      D. TCP Intercept

      According to RFC 2577, which two options describe drawbacks of the FTP protocol? (Choose two)
      A. If access to the FTP server is restricted by network address, the server still is susceptible to spoofing attacks.
      B. Servers that apply connection limits to protect against brute force attacks are vulnerable to DoS attacks
      C. It is susceptible to man-in-the-middle attacks
      D. An attacker can validate user names if the 331 response is in use.
      E. It is susceptible to bounce attacks on port 1024

      Which two design options are best to reduce security concerns when adopting IoT into an organization? (Choose two)
      A. Ensure that applications can gather and analyze data at the edge.
      B. Implement video analytics on IP cameras.
      C. Encrypt sensor data in transit.
      D. Segment the Field Area Network from the Data Center network.
      E. Encrypt data at rest on all devices in the IoT network.

      Which three statements are true regarding RFC 5176 (Change of Authorization)? (Choose three.)
      A. It defines a mechanism to allow a RADIUS server to initiate a communication inbound to a NAD.
      B. It defines a wide variety of authorization actions, including "reauthenticate."
      C. It defines the format for a Change of Authorization packet.
      D. It defines a DM.
      E. It specifies that TCP port 3799 be used for transport of Change of Authorization packets.

      Which three attributes may be configured as part of the Common Tasks panel of an authorization profile in the Cisco ISE solution? (Choose three.)
      A. VLAN
      B. voice VLAN
      C. dACL name
      D. voice domain permission
      E. SGT

      On an ASA firewall in multiple context mode running version 8.X, what is the default number of VPN site-to-site tunnels per context?
      A. 0 sessions
      B. 2 sessions
      C. 1 sessions
      D. 4 sessions

      Which three statements are true regarding Security Group Tags? (Choose three.)
      A. When using the Cisco ISE solution, the Security Group Tag gets defined as a separate authorization result.
      B. When using the Cisco ISE solution, the Security Group Tag gets defined as part of a standard authorization profile.
      C. Security Group Tags are a supported network authorization result using Cisco ACS 5.x.
      D. Security Group Tags are a supported network authorization result for 802.1X, MAC Authentication Bypass, and WebAuth methods of authentication.
      E. A Security Group Tag is a variable length string that is returned as an authorization result.

      Which two statements about SGT Exchange Protocol are true? (Choose two)
      A. It propagates the IP-to-SGT binding table across network devices that do not have the ability to perform SGT tagging at Layer 2 to devices that support it
      B. SXP runs on UDP port 64999
      C. A connection is established between a "listener" and a "speaker"
      D. SXP is only supported across two hops
      E. SXPv2 introduces connection security via TLS

      Which two statements about a device with this configuration are true? (Choose two)
      cts sxp reconciliation period 180
      A. When a peer establishes a new connection to the device, CTS retains all existing SGT mapping entries for 3 minutes.
      B. If a peer reconnects to the device within 120 seconds of terminating a CTS-SXP connection, the reconciliation timer starts.
      C. When a peer re-establishes a previous connection to the device, CTS retains all existing SGT mapping entries for 3 minutes.
      D. If a peer reconnects to the device within 180 seconds of terminating a CTS-SXP connection, the reconciliation timer starts.
      E. If a peer re-establishes a connection to the device before the hold-down timer expires, the device retains the SGT mapping entries it learned during the previous connection for an additional 3 minutes.
      F. It sets the internal hold-down timer of the device to 3 minutes.

      What are two security controls you can implement to protect your organization's network from virus and worm outbreaks? (Choose two)
      A. Require users to authenticate before accessing the network
      B. Quarantine hosts that fail to meet your organization's IT security requirements
      C. Implement Cisco Identity Services Engine (ISE) for network security
      D. Implement routing protocols with strong interface authentication
      E. Deploy Cisco Prime LMS to manage network security

      Which two statements about Botnet Traffic Filter snooping are true? (Choose two)
      A. It can log and block suspicious connections from previously unknown bad domains and IP addresses.
      B. It requires the Cisco ASA DNS server to perform DNS lookups.
      C. It requires DNS packet inspection to be enabled to filter domain names in the dynamic database.
      D. It checks inbound traffic only.
      E. It can inspect both IPv4 and IPv6 traffic.
      F. It checks inbound and outbound traffic.

      Which two statements about Cisco VSG are true? (Choose two)
      A. Because it is deployed at Layer 2, it can be inserted without significant reengineering of the network.
      B. According to Cisco best practices, the VSG should use the same VLAN for VSM-VEM control traffic and management traffic.
      C. It uses optional IP-to-virtual machine mappings to simplify management of virtual machines.
      D. It uses the Cisco VSG user agent to register with the Cisco Prime Network Services Controller.
      E. It can be integrated with VMware vCenter to provide transparent provisioning of policies and profiles.
      F. It has built-in intelligence for redirecting traffic and fast-path offload.

      Which option is a benefit of VRF Selection using PBR for packets to different VPNs?
      A. It increases the router performance when longer subnet masks are in use
      B. It supports more than one VPN per interface
      C. It allows bidirectional traffic flow between the service provider and the CEs
      D. It automatically enables fast switching on all directly connected interfaces
      E. It can use global routing tables to forward packets if the destination address matches the VRF configured on the interface
      F. Every PE router in the service provider MPLS cloud can reach every customer network

      You are developing an application to manage the traffic flow of a switch using an OpenDaylight controller. Knowing you use a Northbound REST API, which statement is true?
      A. Different applications, even in different languages, cannot use the same functions in a REST API at the same time.
      B. The server retains client state records
      C. We must teach our applications about the Southbound protocol(s) used
      D. The applications are considered to be the clients, and the controller is considered to be the server
      No idea here

      A server with IP address is protected behind the inside of a Cisco ASA or PIX security appliance and the internet on the outside interface. Users on the internet need to access the server at any time but the firewall administrator does not want to apply NAT to the address of the server because it is currently a public address. Which three of the following commands can be used to accomplish this? (Choose three)
      A. static (inside,outside) netmask
      B. nat (inside) 1
      C. no nat-control
      D. nat (inside) 0 209.16S.202.150
      E. static (outside,inside) netmask
      F. access-list no-nat permit ip host any nat (inside) 0 access-list no-nat
  13. Thanks AllSaz. SGACL is more about the enforcement in TrustSec. For me that means authorization. So I would go with SGACL, DACL, VLAN.
      So I have the next set of questions:

      Which two options are benefits of the Cisco ASA Identity Firewall? (Choose two)
      A. It can apply security policies on an individual user or user-group basis
      B. It can identify threats quickly based on their URLs
      C. It can operate completely independently of other services
      D. It decouples security policies from the network topology
      E. It supports an AD server module to verify identity data

      Which statement about MDM with the Cisco ISE is true?
      A. The MDM's server certificate must be imported into the Cisco ISE Certificate Store before the MDM and ISE can establish a connection.
      B. MDM servers can generate custom ACLs for the Cisco ISE to apply to network devices.
      C. The Cisco ISE supports a built-in list of MDM dictionary attributes it can use in authorization policies.
      D. The Cisco ISE supports limited built-in MDM functionality.
      E. If a mobile endpoint fails posture compliance, both the user and the administrator are notified immediately.
      F. When a mobile endpoint becomes compliant the Cisco ISE records the updated device status in its internal database.

      What are three technologies that can be used to trace the source of an attack in a network environment with multiple exit/entry points? (Choose three)
      A. Remotely-triggered destination-based black holing
      B. ICMP Unreachable messages
      C. Sinkholes
      D. A honey pot
      E. Traffic scrubbing

      Which two options are benefits of the Cisco ASA transparent firewall mode? (Choose two)
      A. It can establish routing adjacencies.
      B. It can perform dynamic routing.
      C. It can be added to an existing network without significant reconfiguration.
      D. It supports extended ACLs to allow Layer 3 traffic to pass from higher to lower security interfaces.
      E. It provides SSL VPN support.

      Which WEP configuration can be exploited by a weak IV attack?
      A. When the static WEP password has been stored without encryption.
      B. When a per-packet WEP key is in use.
      C. When a 64-bit key is in use.
      D. When the static WEP password has been given away.
      E. When a 40-bit key is in use.
      F. When the same WEP key is used to create every packet.

      Which two statements about the MACsec security protocol are true? (Choose two)
      A. Stations broadcast an MKA heartbeat that contains the key server priority.
      B. The SAK is secured by 128-bit AES-GCM by default.
      C. When switch-to-switch link security is configured in manual mode, the SAP operation mode must be set to GCM.
      D. MACsec is not supported in MDA mode.
      E. MKA heartbeats are sent at a default interval of 3 seconds.

      What is the effect of the Cisco Application Control Engine (ACE) command ipv6 fragment min-mtu 1024?
      A. It configures the interface to fragment packets on connections with MTUs of 1024 or greater
      B. It sets the MTU to 1024 bytes for an IPv6 VLAN interface that accepts fragmented packets
      C. It configures the interface to attempt to reassemble only IPv6 fragments that are less than 1024 bytes
      D. It configures the interface to fragment packets on connections with MTUs of 1024 or less
      E. It configures the interface to attempt to reassemble only IPv6 fragments that are at least 1024 bytes

      Which three options are methods of load-balancing data in an ASA cluster environment? (Choose three)
      A. HSRP
      B. spanned EtherChannel
      C. distance-vector routing
      D. PBR
      E. floating static routes
      F. ECMP
  14. Can someone confirm the answers below? Any ideas on this one? I would say C and F

      Which two characteristics of DTLS are true? (Choose two)
      A. It is used mostly by applications that use application layer object-protocols
      B. It includes a congestion control mechanism
      C. It completes key negotiation and bulk data transfer over a single channel.
      D. It supports long data transfers and connectionless data transfers.
      E. It cannot be used if NAT exists along the path.
      F. It includes a retransmission method because it uses an unreliable datagram transport

      Also:
      Which three authorization technologies does Cisco TrustSec support? (Choose three)
      A. 802.1x.
      B. SGACL.
      C. DACL.
      D. MAB.
      E. SGT.
      F. VLAN.
      B C F (but for me F should be Dynamic VLAN)

      And this one? ?? A E F
      Which three statements about PKI on Cisco IOS Software are true? (Choose three)
      A. OCSP is well-suited for enterprise PKIs in which CRLs expire frequently.
      B. The match certificate and allow expired-certificate commands are ignored unless the router clock is set
      C. If a certificate-based ACL specifies more than one field, any one successful field-to-value test is treated as a match.
      D. OCSP enables a PKI to use a CRL without time limitations.
      E. Certificate-based ACLs can be configured to allow expired certificates if the peer is otherwise valid.
      F. Different OCSP servers can be configured for different groups of client certificates.

      Which two statements about header attacks are true? (Choose two)
      A. An attacker can use IPv6 Next Header attacks to steal user data and launch phishing attacks.
      B. An attacker can use HTTP Header attacks to launch a DoS attack.
      C. An attacker can execute a spoofing attack by populating the RH0 routing header subtype with multiple destination addresses.
      D. An attacker can leverage an HTTP response header to write malicious cookies.
      E. An attacker can leverage an HTTP response header to inject malicious code into an application layer.
      F. An attacker can use vulnerabilities in the IPv6 routing header to launch attacks at the application layer.
      Answer: B,C?

      Which two statements about IKEv2 are true? (Choose two)
      A. It uses EAP authentication
      B. It uses X.509 certificates for authentication
      C. The profile is a collection of transforms used to negotiate IKE SAs
      D. It supports DPD and NAT-T by default
      E. The profile contains a repository of symmetric and asymmetric preshared keys
      F. At minimum, a complete proposal requires one encryption algorithm and one integrity algorithm
      D and F?

      What are three pieces of data you should review in response to a suspected SSL MITM attack? (Choose three)
      A. The IP address of the SSL server
      B. The X.509 certificate of the SSL server
      C. The MAC address of the attacker
      D. The MAC address of the SSL server
      E. The X.509 certificate of the attacker
      F. The DNS name of the SSL server

      Which three statements about WCCP are true? (Choose three)
      A. If a specific capability is missing from the Capabilities Info Component, the router is assumed to support the default capability.
      B. The web cache transmits its capabilities as soon as it receives a receive ID from a router.
      C. The minimum WCCP-Fast Timers message interval is 500 ms.
      D. The assignment method supports GRE encapsulation for sending traffic.
      E. If the packet return method is missing from a packet return method advertisement, the web cache uses the Layer 2 rewrite method.
      F. The router must receive a valid receive ID before it negotiates capabilities.

      ---------------------------------------------------------------------------------------------------------

      Which two statements about MAB are true? (Choose two)
      A. It requires the administrator to create and maintain an accurate database of MAC addresses.
      B. It serves as the primary authentication mechanism when deployed in conjunction with 802.1x.
      C. It operates at layer 2 and layer 3 of the OSI protocol stack.
      D. It can be used to authenticate network devices and users.
      E. MAC addresses stored in the MAB database can be spoofed.
      F. It is a strong authentication method.

      What are two important guidelines to follow when implementing VTP? (Choose two)
      A. Enabling VTP pruning on a server will enable the feature for the entire management domain
      B. When using secure mode VTP, only configure management domain passwords on VTP servers
      C. All switches in the VTP domain must run the same version of VTP
      D. Use of the VTP multi-domain feature should be restricted to migration and temporary implementation
      E. CDP must be enabled on all switches in the VTP management domain

      And lastly this one:
      Which three global correlation features can be enabled from Cisco IPS Device Manager (Cisco IDM)? (Choose three)
      A. Network Reputation
      B. Global Data Interaction
      C. Signature Correlation
      D. Reputation Filtering
      E. Global Correlation Inspection
      F. Data Contribution
      G. Reputation Assignment
      I would say Reputation Filtering, Global Correlation Inspection, Signature Correlation