CCNP/CCIE Security SCOR Cisco Network Engineer Question Bank 1

Q1. In which form of attack is alternate encoding, such as hexadecimal representation, most often observed?
A. Smurf
B. distributed denial of service
C. cross-site scripting
D. rootkit exploit
Answer: C
Explanation: Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or while simply reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request is less suspicious looking to the user when clicked on. For example the code below is written in hex: a href=

    txtSQL = "SELECT * FROM Users WHERE Userid = " + txtUserId;

If a user enters something like this:
100 OR 1=1 then the SQL statement will look like this:

    SELECT * FROM Users WHERE Userid = 100 OR 1=1;

The SQL above is valid and will return ALL rows from the Users table, since OR 1=1 is always TRUE. A hacker might get access to all the user names and passwords in this database.

Q3. Which two prevention techniques are used to mitigate SQL injection attacks? (Choose two)
A. Check integer, float, or Boolean string parameters to ensure accurate values.
B. Use prepared statements and parameterized queries.
C. Secure the connection between the web and the app tier.
D. Write SQL code instead of using object-relational mapping libraries.
E. Block SQL code execution in the web application database login.
Answer: AB

Q4. Which two endpoint measures are used to minimize the chances of falling victim to phishing and social engineering attacks? (Choose two)
A. Patch for cross-site scripting.
B. Perform backups to the private cloud.
C. Protect against input validation and character escapes in the endpoint.
D. Install a spam and virus email filter.
E. Protect systems with an up-to-date antimalware program.
Answer: DE
Explanation: Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information, or to install malware on the victim's machine.

Q5. Which two mechanisms are used to control phishing attacks? (Choose two)
A. Enable browser alerts for fraudulent websites.
B. Define security group memberships.
C. Revoke expired CRL of the websites.
D. Use antispyware software.
E. Implement email filtering techniques.
Answer: AE

Q23. Which technology must be used to implement secure VPN connectivity among company branches over a private IP cloud with any-to-any scalable connectivity?
- FlexVPN
- IPsec DVTI
- GET VPN
Answer: D
Explanation: Cisco's Group Encrypted Transport VPN (GETVPN) introduces the concept of a trusted group to eliminate point-to-point tunnels and their associated overlay routing. All group members (GMs) share a common security association (SA), also known as a group SA. This enables GMs to decrypt traffic that was encrypted by any other GM. GETVPN provides instantaneous large-scale any-to-any IP connectivity using a group IPsec security paradigm.
Reference: ETVPN_DIG_version_2_0_External.pdf

Q24. Which two conditions are prerequisites for stateful failover for IPsec? (Choose two)
A. Only the IKE configuration that is set up on the active device must be duplicated on the standby device; the IPsec configuration is copied automatically.
B. The active and standby devices can run different versions of the Cisco IOS software but must be the same type of device.
C. The IPsec configuration that is set up on the active device must be duplicated on the standby device.
D. Only the IPsec configuration that is set up on the active device must be duplicated on the standby device; the IKE configuration is copied automatically.
E. The active and standby devices must run the same version of the Cisco IOS software and must be the same type of device.
Answer: CE
Explanation: Stateful failover for IP Security (IPsec) enables a router to continue processing and forwarding IPsec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This failover process is transparent to users and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPsec requires that your network contains two identical routers that are available to be either the primary or secondary device. Both routers should be the same type of device, have the same CPU and memory, and have either no encryption accelerator or identical encryption accelerators.
Prerequisites for Stateful Failover for IPsec: Complete, Duplicate IPsec and IKE Configuration on the Active and Standby Devices. This document assumes that you have a complete IKE and IPsec configuration. The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device. That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPsec profiles, IPsec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on crypto map sets, all AAA configurations used for crypto, client configuration groups, IP local pools used for crypto, and ISAKMP profiles.
Reference: vailability-15-mt-book/sec-state-fail-ipsec.html
Although the prerequisites only state that "Both routers should be the same type of device", the "Restrictions for Stateful Failover for IPsec" section of the link above requires that "Both the active and standby devices must run the identical version of the Cisco IOS software", so answer E is better than answer B.

Q25. Which VPN technology can support a multivendor environment and secure traffic between sites?
A. SSL VPN
B. GET VPN
C. FlexVPN
D. DMVPN
Answer: C
Explanation: FlexVPN is an IKEv2-based VPN technology that provides several benefits beyond traditional site-to-site VPN implementations. FlexVPN is a standards-based solution that can interoperate with non-Cisco IKEv2 implementations. Therefore FlexVPN can support a multivendor environment. All of the three VPN technologies support traffic between sites (site-to-site or spoke-to-spoke).

Q26. A network engineer is configuring DMVPN and entered the crypto isakmp key cisc0380739941 address command on hostA. The tunnel is not being established to hostB. What action is needed to authenticate the VPN?
A. Change isakmp to ikev2 in the command on hostA.
B. Enter the command with a different password on hostB.
C. Enter the same command on hostB.
D. Change the password on hostA to the default password.
Answer: C

Q27. Refer to the exhibit.

    *Jun 30 14:52:33.795: ISAKMP:(1002): retransmission skipped for phase 1 (time since last transmission 504)
    R1#
    *Jun 30 16:52:40.183: ISAKMP:(1001):purging SA., sa=68CEE050, delme=68CEE056
    R1#
    *Jun 30 16:52:43.291: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH
    *Jun 30 14:52:43.291: ISAKMP (1002): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
    *Jun 30 14:52:43.295: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH
    *Jun 30 14:52:43.295: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (I) MM_KEY_EXCH
    *Jun 30 14:52:43.295: ISAKMP:(1002):Sending an IKE IPv4 Packet.
    R1#
    *Jun 30 14:52:53.299: ISAKMP:(1002): retransmitting phase 1 MM_KEY_EXCH.
    *Jun 30 14:52:53.299: ISAKMP:(1002): peer does not do paranoid keepalives.
    *Jun 30 14:52:53.299: ISAKMP:(1002):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer )
    *Jun 30 14:52:53.303: ISAKMP:(1002):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer )
    *Jun 30 14:52:53.307: ISAKMP: Unlocking peer struct 0x48207318 for isadb_mark_sa_deleted(), count 0
    *Jun 30 14:52:53.307: ISAKMP: Deleting peer node by peer_reap for :68207318
    *Jun 30 14:52:53.311: ISAKMP:(1002):deleting node 79075537 error FALSE reason "IKE deleted"
    R1#
    *Jun 30 14:52:53.311: ISAKMP:(1002):deleting node -484575753 error FALSE reason "IKE deleted"
    *Jun 30 14:52:53.315: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
    *Jun 30 14:52:53.319: ISAKMP:(1002):Old State = IKE_I_MM5 New State = IKE_DEST_SA

A network administrator configured a site-to-site VPN tunnel between two Cisco IOS routers, and hosts are unable to communicate between two sites of VPN. The network administrator runs the debug crypto isakmp sa command to track VPN status. What is the problem according to this command output?
A. hashing algorithm mismatch
B. encryption algorithm mismatch
C. authentication key mismatch
D. interesting traffic was not applied
Answer: C

Q28. What is a difference between FlexVPN and DMVPN?
A. DMVPN uses IKEv1 or IKEv2, FlexVPN only uses IKEv1
B. DMVPN uses only IKEv1, FlexVPN uses only IKEv2
C. FlexVPN uses IKEv2, DMVPN uses IKEv1 or IKEv2
D. FlexVPN uses IKEv1 or IKEv2, DMVPN uses only IKEv2
Answer: C

Q29. Which protocol provides the strongest throughput performance when using Cisco AnyConnect VPN?
A. TLSv1.2
B. TLSv1.1
C. TLSv1
D. DTLSv1
Answer: D
Explanation: DTLS is used for delay sensitive applications (voice and video) as it is UDP based while TLS is TCP based. Therefore DTLS offers strongest throughput performance. The throughput of DTLS at the time of AnyConnect connection can be expected to have processing performance close to VPN throughput.

Q30. What is a commonality between DMVPN and FlexVPN technologies?
A. FlexVPN and DMVPN use IS-IS routing protocol to communicate with spokes
B. FlexVPN and DMVPN use the new key management protocol
C. FlexVPN and DMVPN use the same hashing algorithms
D. IOS routers run the same NHRP code for DMVPN and FlexVPN
Answer: D
Explanation: In its essence, FlexVPN is the same as DMVPN. Connections between devices are still point-to-point GRE tunnels, spoke-to-spoke connectivity is still achieved with NHRP redirect message, IOS routers even run the same NHRP code for both DMVPN and FlexVPN, which also means that both are Cisco's proprietary technologies.
Reference: s:/cisco-flexvpn-dmvpn-high-level-design/

Q31. The main function of northbound APIs in the SDN architecture is to enable communication between which two areas of a network?
A. SDN controller and the cloud
B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the management solution
Answer: D

Q32. Which two features of Cisco DNA Center are used in a Software Defined Network solution? (Choose two)
A. accounting
B. assurance
C. automation
D. authentication
E. encryption
Answer: BC
Explanation: What Cisco DNA Center enables you to do:
- Automate: Save time by using a single dashboard to manage and automate your network. Quickly scale your business with intuitive workflows and reusable templates. Configure and provision thousands of network devices across your enterprise in minutes, not hours.
- Secure policy: Deploy group-based secure access and network segmentation based on business needs. With Cisco DNA Center, you apply policy to users and applications instead of to your network devices. Automation reduces manual operations and the costs associated with human errors, resulting in more uptime and improved security. Assurance then assesses the network and uses context to turn data into intelligence, making sure that changes in the network device policies achieve your intent.
- Assurance: Monitor, identify, and react in real time to changing network and wireless conditions. Cisco DNA Center uses your network's wired and wireless devices to create sensors everywhere, providing real-time feedback based on actual network conditions. The Cisco DNA Assurance engine correlates network sensor insights with streaming telemetry and compares this with the current context of these data sources. With a quick check of the health scores on the Cisco DNA Center dashboard, you can see where there is a performance issue and identify the most likely cause in minutes.
- Extend ecosystem: With the new Cisco DNA Center platform, IT can now integrate Cisco solutions and third-party technologies into a single network operation for streamlining IT workflows and increasing business value and innovation. Cisco DNA Center allows you to run the network with open interfaces with IT and business applications, integrates across IT operations and technology domains, and can manage heterogeneous network devices.
Reference: cisco-dna-center-aag-cte-en.html

Q33. Which functions of an SDN architecture require southbound APIs to enable communication?
A. SDN controller and the network elements
B. management console and the SDN controller
C. management console and the cloud
D. SDN controller and the cloud
Answer: A
Explanation: The Southbound API is used to communicate between Controllers and network devices.

Q34. Which API is used for Content Security?
A. NX-OS API
B. IOS XR API
C. OpenVuln API
D. AsyncOS API
Answer: D

Q35. Which two request of REST API are valid on the Cisco ASA Platform? (Choose two)
A. put
B. options
C. get
D. push
E. connect
Answer: AC
Explanation: The ASA REST API gives you programmatic access to managing individual ASAs through a Representational State Transfer (REST) API. The API allows external clients to perform CRUD (Create, Read, Update, Delete) operations on ASA resources; it is based on the HTTPS protocol and REST methodology. All API requests are sent over HTTPS to the ASA, and a response is returned.
Request Structure. Available request methods are:
- GET: Retrieves data from the specified object.
- PUT: Adds the supplied information to the specified object; returns a 404 Resource Not Found error if the object does not exist.
- POST: Creates the object with the supplied information.
- DELETE: Deletes the specified object.
- PATCH: Applies partial modifications to the specified object.
Reference:

Q36. Refer to the exhibit.

    import json
    import requests

    # token is assumed to be defined earlier in the script; the exhibit does not show it
    def add_device_to_dnac(dnac_ip, device_ip, snmp_version, snmp_ro_community,
                           snmp_rw_community, snmp_retry, snmp_timeout,
                           cli_transport, username, password, enable_password):
        device_object = {
            'ipAddress': [device_ip],
            'type': 'NETWORK_DEVICE',
            'computeDevice': False,
            'snmpVersion': snmp_version,
            'snmpROCommunity': snmp_ro_community,
            'snmpRWCommunity': snmp_rw_community,
            'snmpRetry': snmp_retry,
            'snmpTimeout': snmp_timeout,
            'cliTransport': cli_transport,
            'userName': username,
            'password': password,
            'enablePassword': enable_password
        }
        response = requests.post(
            'https://{}/dna/intent/api/v1/network-device'.format(dnac_ip),
            data=json.dumps(device_object),
            headers={
                'X-Auth-Token': '{}'.format(token),
                'Content-type': 'application/json'
            },
            verify=False
        )
        return response.json()

What is the result of this Python script of the Cisco DNA Center API?
A. adds authentication to a switch
B. adds a switch to Cisco DNA Center
C. receives information about a switch
Answer: B

Q37. Refer to the exhibit.

    import requests

    client_id = 'a1b2c3d4e5f6g7h8i9j0'
    api_key = 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6'
    url = ''  # URL missing from the exhibit as extracted
    response = requests.get(url, auth=(client_id, api_key))
    response_json = response.json()
    for computer in response_json['data']:
        network_addresses = computer['network_addresses']
        for network_interface in network_addresses:
            mac = network_interface.get('mac')
            ip = network_interface.get('ip')
            ipv6 = network_interface.get('ipv6')
            print(mac, ip, ipv6)

What does the API do when connected to a Cisco security appliance?
A. get the process and PID information from the computers in the network
B. create an SNMP pull mechanism for managing AMP
C. gather network telemetry information from AMP for endpoints
D. gather the network interface information about the computers AMP sees
Answer: D
Explanation: The call to API of allows us to fetch the list of computers across your organization that Advanced Malware Protection (AMP) sees.
Reference: = GET+%2Fv1%2Fcomputers&apihost=api.apjc.amp.cisco &api_resource=Computer&api_version=v1

Q38. Which feature requires a network discovery policy on the Cisco Firepower Next Generation Intrusion Prevention System?
A. Security Intelligence
B. Impact Flags
C. Health Monitoring
D. URL Filtering
Answer: B

Q39. Which two deployment model configurations are supported for Cisco FTDv in AWS? (Choose two)
A. Cisco FTDv configured in routed mode and managed by an FMCv installed in AWS
B. Cisco FTDv with one management interface and two traffic interfaces configured
C. Cisco FTDv configured in routed mode and managed by a physical FMC appliance on premises
D. Cisco FTDv with two management interfaces and one traffic interface configured
E. Cisco FTDv configured in routed mode and IPv6 configured
Answer: AC

Q40. Which option is the main function of Cisco Firepower impact flags?
A. They alert administrators when critical events occur.
B. They highlight known and suspected malicious IP addresses in reports.
C. They correlate data about intrusions and vulnerability.
D. They identify data that the ASA sends to the Firepower module.
Answer: C

Q41. On Cisco Firepower Management Center, which policy is used to collect health modules alerts from managed devices?
A. health policy
B. system policy
C. correlation policy
D. access control policy
E. health awareness policy
Answer: A

Q42. Which license is required for Cisco Security Intelligence to work on the Cisco Next Generation Intrusion Prevention System?
A. control
B. malware
C. URL filtering
D. protect
Answer: D

Q43. Which two are valid suppression types on a Cisco Next Generation Intrusion Prevention System? (Choose two)
A. Port
B. Rule
C. Source
D. Application
E. Protocol
Answer: BC

Q44. Which feature is configured for managed devices in the device platform settings of the Firepower Management Center?
A. quality of service
B. time synchronization
C. network address translations
D. intrusion policy
Answer: B

Q45. Which information is required when adding a device to Firepower Management Center?
A. username and password
B. encryption method
C. device serial number
D. registration key
Answer: D

Q46. Which two deployment modes does the Cisco ASA FirePower module support? (Choose two)
A. transparent mode
B. routed mode
C. inline mode
D. active mode
E. passive monitor-only mode
Answer: CE
Explanation: You can configure your ASA FirePOWER module using one of the following deployment models: You can configure your ASA FirePOWER module in either an inline or a monitor-only (inline tap or passive) deployment.
Reference: