200-301: Cisco Certified Network Associate (CCNA) Part 12
Question #: 661
Topic #: 1
Refer to the exhibit. Which two commands must be configured on router R1 to enable the router to accept secure remote-access connections? (Choose two.)
A. ip ssh pubkey-chain
B. username cisco password 0 cisco
C. crypto key generate rsa
D. transport input telnet
E. login console
Selected Answer: AC
Question #: 662
Topic #: 1
Which service is missing when RADIUS is selected to provide management access to the WLC?
A. authorization
B. authentication
C. accounting
D. confidentiality
Selected Answer: A (RADIUS bundles authentication and authorization into one Access-Accept, so per-command authorization for management access is not available; that is why TACACS+ is preferred for device administration. Confidentiality is not an AAA service.)
Question #: 663
Topic #: 1
Which action implements physical access control as part of the security program of an organization?
A. setting up IP cameras to monitor key infrastructure
B. configuring a password for the console port
C. backing up syslogs at a remote location
D. configuring enable passwords on network devices
Selected Answer: A
Question #: 664
Topic #: 1
Which field within the access-request packet is encrypted by RADIUS?
A. authorized services
B. password
C. authenticator
D. username
Selected Answer: B
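The point behind Q664 is that RADIUS hides only the User-Password attribute; the username, the Request Authenticator and every other attribute are sent in cleartext. The following is an added example (written for this page, not Cisco's or any RADIUS vendor's code) that implements the RFC 2865 section 5.2 hiding scheme so the mechanism, and its main weakness, can be seen end to end. The secret, password and authenticator values are constructed for illustration.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2), as a worked example.

Only the User-Password attribute is obfuscated this way; the User-Name,
the Request Authenticator and every other attribute travel in cleartext.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _pad16(password: bytes) -> bytes:
    # The password is NUL-padded to a multiple of 16 bytes before hiding.
    return password + b"\x00" * (-len(password) % 16)


def hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Return the on-the-wire User-Password value.

    c1 = p1 XOR MD5(secret + RequestAuthenticator)
    ci = pi XOR MD5(secret + c(i-1))   for the 2nd and later 16-byte blocks
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 byte passwords")
    padded = _pad16(password)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        hidden += block
        prev = block            # chaining: next keystream block depends on this ciphertext
    return bytes(hidden)


def reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    # The server cannot distinguish padding from trailing NULs in the real password.
    return bytes(out).rstrip(b"\x00")


def first_block_leak(hidden_a: bytes, hidden_b: bytes) -> bytes:
    """If two requests reuse the same shared secret AND the same Request
    Authenticator, the first keystream block is identical, so XORing the two
    hidden values leaks the XOR of the two padded passwords. This is why the
    Request Authenticator must be unpredictable and must never repeat."""
    return _xor(hidden_a[:16], hidden_b[:16])


if __name__ == "__main__":
    # Constructed sample values; a real client draws the authenticator from os.urandom(16).
    secret = b"radius-shared-secret"
    request_authenticator = os.urandom(16)
    wire = hide_password(b"s3cr3t2", secret, request_authenticator)
    print(wire.hex())
    print(reveal_password(wire, secret, request_authenticator))
```

MD5 with a static shared secret is all that protects the password on the wire, which is the practical reason RADIUS traffic between a WLC or router and the server belongs on a management VLAN or inside IPsec, and why RadSec (RADIUS over TLS) exists.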
Question #: 665
Topic #: 1
A Cisco engineer is configuring a factory-default router with these three passwords:
✑ The user EXEC password for console access is p4ssw0rd1.
✑ The user EXEC password for Telnet access is s3cr3t2.
✑ The password for privileged EXEC mode is priv4t3p4ss.
Which command sequence must the engineer configure?
A. enable secret priv4t3p4ss ! line con 0 password p4ssw0rd1 ! line vty 0 15 password s3cr3t2
B. enable secret priv4t3p4ss ! line con 0 password p4ssw0rd1 login ! line vty 0 15 password s3cr3t2 login
C. enable secret priv4t3p4ss ! line con 0 password login p4ssw0rd1 ! line vty 0 15 password login s3cr3t2 login
D. enable secret privilege 15 priv4t3p4ss ! line con 0 password p4ssw0rd1 login ! line vty 0 15 password s3cr3t2 login
Selected Answer: B
Question #: 666
Topic #: 1
How does MAC learning function?
A. sends the frame back to the source to verify availability
B. rewrites the source and destination MAC address
C. drops received MAC addresses not listed in the address table
D. adds unknown source MAC addresses to the CAM table
Selected Answer: D
Question #: 667
Topic #: 1
DRAG DROP –
An engineer is tasked to configure a switch with port security to ensure devices that forward unicasts, multicasts, and broadcasts are unable to flood the port. The port must be configured to permit only two random MAC addresses at a time. Drag and drop the required configuration commands from the left onto the sequence on the right. Not all commands are used.
Select and Place:
Suggestion Answer:
Question #: 668
Topic #: 1
What is a function of Opportunistic Wireless Encryption in an environment?
A. provide authentication
B. protect traffic on open networks
C. offer compression
D. increase security by using a WEP connection
Selected Answer: B
Question #: 669
Topic #: 1
DRAG DROP –
Drag and drop the AAA features from the left onto the corresponding AAA security services on the right. Not all options are used.
Select and Place:
Suggestion Answer:
Question #: 670
Topic #: 1
Refer to the exhibit. Clients on the WLAN are required to use 802.11r. What action must be taken to meet the requirement?
A. Under Protected Management Frames, set the PMF option to Required.
B. Enable CCKM under Authentication Key Management.
C. Set the Fast Transition option and the WPA gtk-randomize State to disable.
D. Set the Fast Transition option to Enable and enable FT 802.1X under Authentication Key Management.
Selected Answer: D
Question #: 671
Topic #: 1
Refer to the exhibit. What must be configured to enable 802.11w on the WLAN?
A. Set Fast Transition to Enabled.
B. Enable WPA Policy.
C. Set PMF to Required.
D. Enable MAC Filtering.
Selected Answer: C
Question #: 672
Topic #: 1
Which encryption method is used by WPA3?
A. TKIP
B. AES
C. SAE
D. PSK
Selected Answer: B
Question #: 673
Topic #: 1
Which type of traffic is sent with pure IPsec?
A. multicast traffic from a server at one site to hosts at another location
B. broadcast packets from a switch that is attempting to locate a MAC address at one of several remote sites
C. unicast messages from a host at a remote site to a server at headquarters
D. spanning-tree updates between switches that are at two different sites
Selected Answer: C
Question #: 674
Topic #: 1
How does authentication differ from authorization?
A. Authentication is used to record what resource a user accesses, and authorization is used to determine what resources a user can access.
B. Authentication verifies the identity of a person accessing a network, and authorization determines what resource a user can access.
C. Authentication is used to determine what resources a user is allowed to access, and authorization is used to track what equipment is allowed access to the network.
D. Authentication is used to verify a person’s identity, and authorization is used to create syslog messages for logins.
Selected Answer: B
Question #: 675
Topic #: 1
An engineer has configured the domain name, username, and password on the local router. What is the next step to generate the RSA key pair needed for Secure Shell access?
A. crypto key import rsa pem
B. crypto key generate rsa
C. crypto key zeroize rsa
D. crypto key pubkey-chain rsa
Selected Answer: B
Question #: 676
Topic #: 1
Which type of network attack overwhelms the target server by sending multiple packets to a port until the half-open TCP resources of the target are exhausted?
A. SYN flood
B. reflection
C. teardrop
D. amplification
Selected Answer: A
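A SYN flood is visible as a pile-up of embryonic (half-open) connections: SYNs that receive a SYN-ACK but never the client's final ACK. The following is an added example (not from the page or any vendor) of the tracking logic a detector or firewall applies; it replays a constructed segment list with two legitimate handshakes and 150 spoofed SYNs. The IP addresses, ports and threshold are assumptions chosen for illustration.

```python
"""Half-open (embryonic) connection tracking to spot a SYN flood, as a worked example."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAFR", e.g. "S", "SA", "A"


def track_half_open(segments) -> dict:
    """Return {(server_ip, port): half_open_count} after replaying the segments.

    A flow leaves the half-open set only on the client's final ACK, or on a
    RST/FIN from either side; an unanswered SYN-ACK keeps it embryonic, which
    is exactly the state a flood exhausts on the server."""
    half_open: set[tuple[str, int, str, int]] = set()
    for seg in segments:
        client_key = (seg.src, seg.sport, seg.dst, seg.dport)
        server_key = (seg.dst, seg.dport, seg.src, seg.sport)   # same flow seen from the server side
        if "R" in seg.flags or "F" in seg.flags:
            half_open.discard(client_key)
            half_open.discard(server_key)
        elif seg.flags == "S":
            half_open.add(client_key)          # handshake started; server allocates state here
        elif seg.flags == "SA":
            pass                               # server replied; still embryonic
        elif seg.flags == "A" and client_key in half_open:
            half_open.discard(client_key)      # third packet: connection established
    counts: dict = defaultdict(int)
    for (_, _, dst, dport) in half_open:
        counts[(dst, dport)] += 1
    return dict(counts)


def syn_flood_targets(segments, threshold: int = 100) -> list:
    """Server sockets whose half-open count reaches the threshold."""
    return sorted(t for t, n in track_half_open(segments).items() if n >= threshold)


def constructed_capture() -> list:
    """Constructed sample: two completed handshakes plus 150 spoofed SYNs to :443."""
    segs = []
    for i, client in enumerate(("192.0.2.10", "192.0.2.11")):
        sport = 40000 + i
        segs += [Segment(client, sport, "10.0.0.5", 443, "S"),
                 Segment("10.0.0.5", 443, client, sport, "SA"),
                 Segment(client, sport, "10.0.0.5", 443, "A")]
    for i in range(150):
        spoofed = f"198.51.100.{i % 250 + 1}"
        segs.append(Segment(spoofed, 1024 + i, "10.0.0.5", 443, "S"))
        segs.append(Segment("10.0.0.5", 443, spoofed, 1024 + i, "SA"))  # SYN-ACKs go unanswered
    return segs


if __name__ == "__main__":
    print(track_half_open(constructed_capture()))
    print(syn_flood_targets(constructed_capture()))
```

On a Cisco router the corresponding mitigation is TCP Intercept (`ip tcp intercept list`), which proxies the handshake so the server only allocates state once the client has proven it can complete it; on a firewall it is the embryonic-connection limit.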
Question #: 677
Topic #: 1
Which two components comprise part of a PKI? (Choose two.)
A. preshared key that authenticates connections
B. one or more CRLs
C. RSA token
D. CA that grants certificates
E. clear-text password that authenticates connections
Selected Answer: BD
Question #: 678
Topic #: 1
DRAG DROP –
Drag and drop the descriptions of AAA services from the left onto the corresponding services on the right.
Select and Place:
Suggestion Answer:
Question #: 679
Topic #: 1
After a recent security breach and a RADIUS failure, an engineer must secure the console port of each enterprise router with a local username and password.
Which configuration must the engineer apply to accomplish this task?
A. aaa new-model line con 0 password plaintextpassword privilege level 15
B. aaa new-model aaa authorization exec default local aaa authentication login default radius username localuser privilege 15 secret plaintextpassword
C. username localuser secret plaintextpassword line con 0 no login local privilege level 15
D. username localuser secret plaintextpassword line con 0 login authentication default privilege level 15
Selected Answer: D
Question #: 680
Topic #: 1
Which wireless security protocol relies on Perfect Forward Secrecy?
A. WEP
B. WPA2
C. WPA
D. WPA3
Selected Answer: D
Question #: 681
Topic #: 1
What is a zero-day exploit?
A. It is when the network is saturated with malicious traffic that overloads resources and bandwidth.
B. It is when an attacker inserts malicious code into a SQL server.
C. It is when a new network vulnerability is discovered before a fix is available.
D. It is when the perpetrator inserts itself in a conversation between two parties and captures or alters data.
Selected Answer: C
Question #: 682
Topic #: 1
A network engineer is replacing the switches that belong to a managed-services client with new Cisco Catalyst switches. The new switches will be configured for updated security standards, including replacing Telnet services with encrypted connections and doubling the RSA modulus size from 1024. Which two commands must the engineer configure on the new switches? (Choose two.)
A. transport input ssh
B. transport input all
C. crypto key generate rsa modulus 2048
D. crypto key generate rsa general-keys modulus 1024
E. crypto key generate rsa usage-keys
Selected Answer: AC
Question #: 683
Topic #: 1
What are two examples of multifactor authentication? (Choose two.)
A. single sign-on
B. soft tokens
C. passwords that expire
D. shared password repository
E. unique user knowledge
Selected Answer: BE (multifactor authentication combines factors of different kinds: a soft token is something you have, unique user knowledge is something you know. An expiring password is still a single knowledge factor.)
Question #: 684
Topic #: 1
Which characteristic differentiates the concept of authentication from authorization and accounting?
A. consumption-based billing
B. identity verification
C. user-activity logging
D. service limitations
Selected Answer: B
Question #: 685
Topic #: 1
What is a function of Cisco Advanced Malware Protection for a Next-Generation IPS?
A. inspecting specific files and file types for malware
B. authorizing potentially compromised wireless traffic
C. authenticating end users
D. URL filtering
Selected Answer: A
Question #: 686
Topic #: 1
What is a feature of WPA?
A. TKIP/MIC encryption
B. small Wi-Fi application
C. preshared key
D. 802.1x authentication
Selected Answer: A
Question #: 687
Topic #: 1
Which two practices are recommended for an acceptable security posture in a network? (Choose two.)
A. Use a cryptographic keychain to authenticate to network devices.
B. Place internal email and file servers in a designated DMZ.
C. Back up device configurations to encrypted USB drives for secure retrieval.
D. Disable unused or unnecessary ports, interfaces, and services.
E. Maintain network equipment in a secure location.
Selected Answer: DE (reducing the attack surface by disabling unused ports, interfaces and services, and physically securing the equipment, are baseline posture practices. Key chains authenticate routing-protocol peers, not administrators; internal servers do not belong in the DMZ.)
Question #: 688
Topic #: 1
How does WPA3 improve security?
A. It uses SAE for authentication.
B. It uses RC4 for encryption.
C. It uses TKIP for encryption.
D. It uses a 4-way handshake for authentication.
Selected Answer: A
Question #: 689
Topic #: 1
What is a function of a Next-Generation IPS?
A. correlates user activity with network events
B. serves as a controller within a controller-based network
C. integrates with a RADIUS server to enforce Layer 2 device authentication rules
D. makes forwarding decisions based on learned MAC addresses
Selected Answer: A
Question #: 690
Topic #: 1
DRAG DROP –
Drag and drop the statements about AAA from the left onto the corresponding AAA services on the right. Not all options are used.
Select and Place:
Suggestion Answer:
Question #: 691
Topic #: 1
DRAG DROP –
Drag and drop the elements of a security program from the left onto the corresponding descriptions on the right.
Select and Place:
Suggestion Answer:
Question #: 692
Topic #: 1
Which IPsec transport mode encrypts the IP header and the payload?
A. pipe
B. transport
C. control
D. tunnel
Selected Answer: D
Question #: 693
Topic #: 1
What is the default port-security behavior on a trunk link?
A. It places the port in the err-disabled state if it learns more than one MAC address.
B. It causes a network loop when a violation occurs.
C. It disables the native VLAN configuration as soon as port security is enabled.
D. It places the port in the err-disabled state after 10 MAC addresses are statically configured.
Selected Answer: A
Question #: 694
Topic #: 1
Which device separates networks by security domains?
A. intrusion protection system
B. firewall
C. wireless controller
D. access point
Selected Answer: B
Question #: 695
Topic #: 1
How are VLAN hopping attacks mitigated?
A. manually implement trunk ports and disable DTP
B. configure extended VLANs
C. activate all ports and place in the default VLAN
D. enable dynamic ARP inspection
Selected Answer: A
Question #: 696
Topic #: 1
Which enhancements were implemented as part of WPA3?
A. Forward secrecy and SAE in personal mode for secure initial key exchange
B. 802.1x authentication and AES-128 encryption
C. AES-64 in personal mode and AES-128 in enterprise mode
D. TKIP encryption improving WEP and per-packet keying
Selected Answer: A
Question #: 697
Topic #: 1
When a site-to-site VPN is configured, which IPsec mode provides encapsulation and encryption of the entire original IP packet?
A. IPsec transport mode with AH
B. IPsec tunnel mode with AH
C. IPsec transport mode with ESP
D. IPsec tunnel mode with ESP
Selected Answer: D
Question #: 698
Topic #: 1
An engineer is configuring remote access to a router from IP subnet 10.139.58.0/28. The domain name, crypto keys, and SSH have been configured. Which configuration enables the traffic on the destination router?
A. line vty 0 15 access-class 120 in ! ip access-list extended 120 permit tcp 10.139.58.0 0.0.0.15 any eq 22
B. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.252 ip access-group 10 in ! ip access-list standard 10 permit udp 10.139.58.0 0.0.0.7 host 10.122.49.1 eq 22
C. interface FastEthernet0/0 ip address 10.122.49.1 255.255.255.252 ip access-group 110 in ! ip access-list standard 110 permit tcp 10.139.58.0 0.0.0.15 eq 22 host 10.122.49.1
D. line vty 0 15 access-group 120 in ! ip access-list extended 120 permit tcp 10.139.58.0 0.0.0.15 any eq 22
Selected Answer: A
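Option A is the only one that filters the vty lines themselves (`access-class`, not `access-group`) and uses the right wildcard for a /28 (0.0.0.15; the 0.0.0.7 in option B covers only eight addresses). The following is an added example, not code from the page or from Cisco, that derives the wildcard mask from a CIDR prefix, performs the bitwise comparison the ACL engine actually does, and emits the resulting vty configuration. The ACL number and the explicit logged deny are assumptions added for illustration.

```python
"""Building the vty access-class for a management subnet, as a worked example.

IOS wildcard masks are the inverse of subnet masks: a 1 bit means "don't care".
A bit-for-bit check of the mask shows why 0.0.0.7 covers only eight addresses
while a /28 needs 0.0.0.15.
"""
from __future__ import annotations

import ipaddress


def cidr_to_wildcard(cidr: str) -> tuple[str, str]:
    """Return (network, wildcard) for an IOS ACL entry.

    strict=True rejects prefixes with host bits set (e.g. 10.139.58.5/28);
    such an entry would otherwise silently match the wrong block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.hostmask)


def wildcard_matches(network: str, wildcard: str, address: str) -> bool:
    """The comparison the ACL engine performs: bits where the wildcard is 0
    must be equal; bits where it is 1 are ignored."""
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    a = int(ipaddress.ip_address(address))
    return (n ^ a) & ~w & 0xFFFFFFFF == 0


def vty_ssh_acl(cidr: str, acl_number: int = 120) -> list[str]:
    """IOS lines that restrict SSH on the vty lines to one source subnet.

    access-class is the per-line filter (access-group applies to interfaces);
    an explicit logged deny makes rejected attempts visible in syslog instead
    of relying on the silent implicit deny."""
    network, wildcard = cidr_to_wildcard(cidr)
    return [
        f"ip access-list extended {acl_number}",
        f" permit tcp {network} {wildcard} any eq 22",
        " deny ip any any log",
        "line vty 0 15",
        f" access-class {acl_number} in",
        " transport input ssh",
    ]


if __name__ == "__main__":
    print("\n".join(vty_ssh_acl("10.139.58.0/28")))
```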
Question #: 699
Topic #: 1
In an SDN architecture, which function of a network node is centralized on a controller?
A. Creates the IP routing table
B. Discards a message due to filtering
C. Makes a routing decision
D. Provides protocol access for remote access devices
Selected Answer: A
Question #: 700
Topic #: 1
Which management security process is invoked when a user logs in to a network device using their username and password?
A. authentication
B. auditing
C. accounting
D. authorization
Selected Answer: A
Question #: 701
Topic #: 1
Refer to the exhibit. What are the two steps an engineer must take to provide the highest encryption and authentication using domain credentials from LDAP?
(Choose two.)
A. Select PSK under Authentication Key Management.
B. Select Static-WEP + 802.1X on Layer 2 Security.
C. Select WPA+WPA2 on Layer 2 Security.
D. Select 802.1X from under Authentication Key Management.
E. Select WPA Policy with TKIP Encryption.
Selected Answer: CD
Question #: 702
Topic #: 1
Which enhancement is implemented in WPA3?
A. employs PKI to identify access points
B. applies 802.1x authentication
C. uses TKIP
D. protects against brute force attacks
Selected Answer: D
Question #: 703
Topic #: 1
DRAG DROP –
Drag and drop the Cisco IOS attack mitigation features from the left onto the types of network attack they mitigate on the right.
Select and Place:
Suggestion Answer:
Question #: 704
Topic #: 1
SW1 supports connectivity for a lobby conference room and must be secured. The engineer must limit the connectivity from PC1 to the SW1 and SW2 network.
The MAC addresses allowed must be limited to two. Which configuration secures the conference room connectivity?
A. interface gi1/0/15 switchport port-security switchport port-security maximum 2
B. interface gi1/0/15 switchport port-security switchport port-security mac-address 0000.abcd.0004 vlan 100
C. interface gi1/0/15 switchport port-security mac-address 0000.abcd.0004 vlan 100
D. interface gi1/0/15 switchport port-security mac-address 0000.abcd.0004 vlan 100 interface switchport secure-mac limit 2
Selected Answer: A
Question #: 705
Topic #: 1
Refer to the exhibit. An engineer is updating the management access configuration of switch SW1 to allow secured, encrypted remote configuration. Which two commands or command sequences must the engineer apply to the switch? (Choose two.)
A. SW1(config)#enable secret ccnaTest123
B. SW1(config)#username NEW secret R3mote123
C. SW1(config)#line vty 0 15 SW1(config-line)#transport input ssh
D. SW1(config)# crypto key generate rsa
E. SW1(config)# interface f0/1 SW1(config-if)# switchport mode trunk
Selected Answer: AC
Question #: 706
Topic #: 1
Which port-security violation mode allows traffic from valid MAC addresses to pass but blocks traffic from invalid MAC addresses?
A. restrict
B. shutdown
C. protect
D. shutdown VLAN
Selected Answer: C (protect silently drops frames from non-secure MACs and keeps forwarding for secure ones; restrict does the same but increments the violation counter and logs; shutdown err-disables the whole port. "shutdown VLAN" is not one of the three violation modes.)
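Questions 666, 693, 704 and 706 all turn on the same port-security state machine: unknown source MACs are learned until the per-port maximum is reached, and what happens to the next new MAC depends on the violation mode. The following is an added example, written for this page rather than taken from Cisco IOS, that models that behaviour and prints the interface commands that produce it. The syslog strings are illustrative approximations of the IOS messages, and the interface name is an assumption.

```python
"""Switch port-security state machine, as a worked example.

Covers MAC learning (unknown source MACs are added to the table), the
per-port maximum, and the three violation modes: protect silently drops,
restrict drops and counts/logs, shutdown err-disables the whole port.
"""
from __future__ import annotations


class SecurePort:
    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, maximum: int = 1, violation: str = "shutdown") -> None:
        # IOS defaults: maximum 1 secure MAC, violation mode shutdown.
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum
        self.violation = violation
        self.secure_macs: list[str] = []      # learned (or sticky/static) secure addresses
        self.violation_count = 0
        self.err_disabled = False
        self.log: list[str] = []

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"              # nothing passes until errdisable recovery or shut/no shut
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamic learning of a new secure MAC
            return "forward"
        # Table full and source MAC not secure: this is a violation.
        if self.violation == "protect":
            return "drop"                      # silent: no counter, no syslog
        self.violation_count += 1
        if self.violation == "restrict":
            # illustrative message modelled on %PORT_SECURITY-2-PSECURE_VIOLATION
            self.log.append(f"PSECURE_VIOLATION: security violation caused by {src_mac}")
            return "drop"
        self.err_disabled = True               # shutdown: port is err-disabled
        # illustrative message modelled on %PM-4-ERR_DISABLE
        self.log.append(f"ERR_DISABLE: psecure-violation caused by {src_mac}, port err-disabled")
        return "err-disabled"

    def ios_config(self, interface: str) -> list[str]:
        """Interface commands that produce this behaviour on a Catalyst switch.
        Port security requires a static access (or trunk) port, hence the mode line."""
        return [
            f"interface {interface}",
            " switchport mode access",
            " switchport port-security",
            f" switchport port-security maximum {self.maximum}",
            f" switchport port-security violation {self.violation}",
            " switchport port-security mac-address sticky",
        ]


if __name__ == "__main__":
    lobby = SecurePort(maximum=2, violation="restrict")
    for mac in ("0000.abcd.0001", "0000.abcd.0002", "0000.abcd.0003"):
        print(mac, "->", lobby.receive(mac))
    print("\n".join(lobby.ios_config("gi1/0/15")))
```

For a conference-room port (Q704) restrict is usually the better choice than the default shutdown: a visitor plugging in a small switch then generates a logged, countable event instead of silently taking the room offline.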
Question #: 707
Topic #: 1
A customer wants to provide wireless access to contractors using a guest portal on Cisco ISE. The portal is also used by employees. A solution is implemented, but contractors receive a certificate error when they attempt to access the portal. Employees can access the portal without any errors. Which change must be implemented to allow the contractors and employees to access the portal?
A. Install an Internal CA signed certificate on the Cisco ISE.
B. Install a trusted third-party certificate on the Cisco ISE.
C. Install an internal CA signed certificate on the contractor devices.
D. Install a trusted third-party certificate on the contractor devices.
Selected Answer: B (employees trust the internal CA through their domain-managed trust store; contractor devices do not. Installing a certificate chained to a publicly trusted CA on ISE fixes the error for both groups, whereas pushing the internal CA to unmanaged contractor devices does not scale and is not an option the organization controls.)
Question #: 708
Topic #: 1
Which two wireless security standards use Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) for encryption and data integrity? (Choose two.)
A. Wi-Fi 6
B. WPA3
C. WEP
D. WPA2
E. WPA
Selected Answer: BD
Question #: 709
Topic #: 1
A network engineer is implementing a corporate SSID for WPA3-Personal security with a PSK. Which encryption cipher must be configured?
A. CCMP128
B. GCMP256
C. CCMP256
D. GCMP128
Selected Answer: A
Question #: 710
Topic #: 1
What is a practice that protects a network from VLAN hopping attacks?
A. Implement port security on internet-facing VLANs
B. Enable dynamic ARP inspection
C. Assign all access ports to VLANs other than the native VLAN
D. Configure an ACL to prevent traffic from changing VLANs
Selected Answer: C
Question #: 711
Topic #: 1
An administrator must use the password complexity not manufacturer-name command to prevent users from adding `Cisco` as a password. Which command must be issued before this command?
A. login authentication my-auth-list
B. service password-encryption
C. password complexity enable
D. confreg 0x2142
Selected Answer: C
Question #: 712
Topic #: 1
An organization has decided to start using cloud-provided services. Which cloud service allows the organization to install its own operating system on a virtual machine?
A. platform-as-a-service
B. network-as-a-service
C. software-as-a-service
D. infrastructure-as-a-service
Selected Answer: D
Question #: 713
Topic #: 1
How do traditional campus device management and Cisco DNA Center device management differ in regards to deployment?
A. Traditional campus device management allows a network to scale more quickly than with Cisco DNA Center device management.
B. Cisco DNA Center device management can deploy a network more quickly than traditional campus device management.
C. Cisco DNA Center device management can be implemented at a lower cost than most traditional campus device management options.
D. Traditional campus device management schemes can typically deploy patches and updates more quickly than Cisco DNA Center device management.
Selected Answer: B
Question #: 714
Topic #: 1
Which purpose does a northbound API serve in a controller-based networking architecture?
A. facilitates communication between the controller and the applications
B. reports device errors to a controller
C. generates statistics for network hardware and traffic
D. communicates between the controller and the physical network hardware
Selected Answer: A
Question #: 715
Topic #: 1
What benefit does controller-based networking provide versus traditional networking?
A. allows configuration and monitoring of the network from one centralized point
B. provides an added layer of security to protect from DDoS attacks
C. combines control and data plane functionality on a single device to minimize latency
D. moves from a two-tier to a three-tier network architecture to provide maximum redundancy
Selected Answer: A
Question #: 716
Topic #: 1
What is an advantage of Cisco DNA Center versus traditional campus device management?
A. It is designed primarily to provide network assurance.
B. It supports numerous extensibility options, including cross-domain adapters and third-party SDKs.
C. It supports high availability for management functions when operating in cluster mode.
D. It enables easy autodiscovery of network elements in a brownfield deployment.
Selected Answer: B
Question #: 717
Topic #: 1
DRAG DROP –
Drag and drop the characteristics of networking from the left onto the correct networking types on the right.
Select and Place:
Suggestion Answer:
Question #: 718
Topic #: 1
What are two fundamentals of virtualization? (Choose two.)
A. It allows logical network devices to move traffic between virtual machines and the rest of the physical network.
B. It allows multiple operating systems and applications to run independently on one physical server.
C. It allows a physical router to directly connect NICs from each virtual machine into the network.
D. It requires that some servers, virtual machines, and network gear reside on the Internet.
E. The environment must be configured with one hypervisor that serves solely as a network manager to monitor SNMP traffic.
Selected Answer: AB
Question #: 719
Topic #: 1
How does Cisco DNA Center gather data from the network?
A. Devices use the call-home protocol to periodically send data to the controller
B. Devices establish an IPsec tunnel to exchange data with the controller
C. The Cisco CLI Analyzer tool gathers data from each licensed network device and streams it to the controller
D. Network devices use different services like SNMP, syslog, and streaming telemetry to send data to the controller
Selected Answer: D
Question #: 720
Topic #: 1
Which statement compares traditional networks and controller-based networks?
A. Only controller-based networks decouple the control plane and the data plane.
B. Traditional and controller-based networks abstract policies from device configurations.
C. Only traditional networks natively support centralized management.
D. Only traditional networks offer a centralized control plane.
Selected Answer: A