CCNA Security: 12-Question Practice Exam

CCNA Security is among the nine certifications retiring in February 2020. If you're currently studying for the 210-260 IINS, that probably means you already have at least your CCENT. That's great news. You're just one exam away from the CCNA Security and also the new CCNA certification.

Answer these 12 questions to get a feel for the questions you may see on the 210-260 IINS exam. Good luck!

1. You are interested in using security mechanisms that will ensure that your data is not manipulated when in transit after being sent by your workstation. What parts of CIA are you directly associated with in this case?

1. Confidentiality

2. Integrity

3. Authentication

4. Authorization

Correct Answer: b

Explanation: Integrity means that the data is not tampered with at rest or during transit.

2. You require a port on your Cisco switch to function as a Layer 3 port. What command does this?

1. no switchport

2. no l2 port

3. no layer2 enable

4. disable l2 switchport

Correct Answer: a

Explanation: You use the no switchport command in order to create a Layer 3 port on your Cisco device.

3. What zone is created by default on a Cisco router in a ZBF configuration?

1. in-out

2. inside

3. dmz

4. outside

5. self

Correct Answer: e

Explanation: With the Zone-Based Firewall, we take interfaces and place them into a new logical router structure called a zone. A zone is used to define interfaces that will share a security treatment. Cisco automatically designates a special zone for us called the Self Zone. This important zone is used for controlling traffic that is sourced from or directed to the router itself.

4. What is used in conjunction with a private key in PKI to form a key pair?

1. Certificate key

2. Main key

3. Public key

4. Default key

Correct Answer: c

Explanation: Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, where the public key verifies that a holder of the paired private key sent the message, and encryption, where only the paired private key holder can decrypt the message encrypted with the public key.

5. What is the most modern and sophisticated version of the stateful firewall functionality on a Cisco router?

1. CBAC

2. Reflexive ACLs

3. Lock and Key

4. ZBF

Correct Answer: d

Explanation: The Zone Based Firewall feature set represents the most modern and sophisticated way to implement advanced stateful firewall functionality on a Cisco router.

6. What method can you use to guard against spoofing types of attacks?

1. UDLD

2. BPDU Guard

3. uRPF

4. TrustSec

Correct Answer: c

Explanation: Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit the malicious traffic on an enterprise network. This security feature works by enabling a router to verify the reachability of the source address in packets being forwarded. This capability can limit the appearance of spoofed addresses on a network. If the source IP address is not valid, the packet is discarded. Unicast RPF works in one of three different modes: strict mode, loose mode, or VRF mode. Note that not all network devices support all three modes of operation.

7. What command is used to enable the Port Security feature?

1. switchport port-security maximum 2

2. switchport port security on

3. switchport port-security

4. switchport port security enable

Correct Answer: c

Explanation: We use the switchport port-security command to ensure the feature is enabled.

8. You are running an ASA with 8.2 code. How can you ensure that NAT is required in order to allow inside clients to access outside resources?

1. nat-control

2. nat enable

3. nat enforce

4. nat enable yes

Correct Answer: a

Explanation: NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.

9. Beyond the hash, group and encryption method, which of the following should be determined during IKE phase one?

1. Authentication and load balancing

2. Authorization and lifetime

3. Authentication and lifetime

4. Authorization and load balancing

Correct Answer: c

Explanation: Phase 1 of an AutoKey Internet Key Exchange (IKE) tunnel negotiation consists of the exchange of proposals for how to authenticate and secure the channel. The participants exchange proposals for acceptable security services such as:

• Encryption algorithms: Data Encryption Standard (DES), triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES). (See IPsec Security Protocols.)

• Authentication algorithms: Message Digest 5 (MD5 ) and Secure Hash Algorithm (SHA). (See IPsec Security Protocols.)

• Diffie-Hellman (DH) group. (See Diffie-Hellman Exchange.)

• Preshared key or RSA/DSA certificates. (See IPsec Key Management.)

A successful Phase 1 negotiation concludes when both ends of the tunnel agree to accept at least one set of the Phase 1 security parameters proposed and then process them.

10. You notice the following command in a proposed configuration for your ASA – route outside 0 0 192.168.1 1. What is this command accomplishing?

1. It is creating a default route to 192.168.1.1 using the outside interface with the default admin distance

2. It is creating a static route to 192.168.1.1 using the inside interface for traffic sourced from the outside interface

3. It is invalid and will return an Kill

4. It is creating a default route to 192.168.1.1 using the inside interface with the default admin distance

Correct Answer: a

Explanation: This command enables you to add a default route. The dest_ip and mask is the IP address for the destination network and the gateway_ip is the address of the next-hop router. The addresses you specify for the static route are the addresses that are in the packet before entering the ASA and performing NAT. The distance is the administrative distance for the route. The default is 1 if you do not specify a value. Administrative distance is a parameter used to compare routes among different routing protocols. The default administrative distance for static routes is 1, giving it precedence over routes discovered by dynamic routing protocols but not directly connect routes.

11. You are interested in performing remote management and administration of your Cisco device, but you must ensure encryption is in use. What are two valid options to ensure this? (Choose two.)

1. Use Telnet

2. Use SNMP v2c

3. Use SSH

4. Use SNMP v3

Correct Answer: c, d

Explanation: Telnet and SNMP v2c do not offer options for encryption.

12. You are interested in implementing DAI on your network. What does this feature rely on in order to function?

1. Private VLAN

2. DHCP Snooping

3. TCP Intercept

4. Zone Based Firewall

Correct Answer: b

Explanation: DAI relies on the information obtained through the DHCP Snooping database. This database contains the legitimate IP address to MAC address mappings.