CCNA Security: 12-Question Practice Exam

CCNA Security is among the nine certifications retiring in February 2020. If you're currently studying for the 210-260 IINS, that probably means you already have at least your CCENT. That's great news. You're just one exam away from the CCNA Security and also the new CCNA certification.
Answer these 12 questions to get a feel for the questions you may see on the 210-260 IINS exam. Good luck!
1. You are interested in using security mechanisms that will ensure that your data is not manipulated when in transit after being sent by your workstation. What parts of CIA are you directly associated with in this case?
a. Confidentiality
b. Integrity
c. Authentication
d. Authorization
Correct Answer: b
Explanation: Integrity means that the data is not tampered with at rest or during transit.
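To make the integrity point concrete, here is an added example (not part of the original practice exam) in Python's standard library: a message protected with HMAC-SHA256 is rejected after an on-path change, while a bare SHA-256 digest sent beside the data gives the receiver no way to notice the same change. The shared key, message format and the tampering step are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret: sender and receiver agreed on it out of band.
# A real deployment derives it from a key exchange (for example IKE) instead of hard-coding it.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def make_tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Compute an HMAC-SHA256 integrity tag over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time. Any change to the bytes fails."""
    return hmac.compare_digest(make_tag(message, key), tag)


def unkeyed_check(message: bytes, digest: str) -> bool:
    """An unkeyed hash sent alongside the data: the receiver can only recompute it."""
    return hashlib.sha256(message).hexdigest() == digest


def tamper_in_transit(message: bytes) -> bytes:
    """Constructed on-path modification: the attacker rewrites the amount field."""
    return message.replace(b"amount=100.00", b"amount=999.00")


def demo() -> dict:
    """Run the scenarios and return which ones the receiver accepts."""
    original = b"transfer;from=acct-1;to=acct-2;amount=100.00"
    tampered = tamper_in_transit(original)
    results = {}

    # 1. Untouched message with its genuine tag: accepted.
    tag = make_tag(original)
    results["hmac_untouched"] = verify(original, tag)

    # 2. Message modified in transit, tag left as originally sent: rejected.
    results["hmac_tampered"] = verify(tampered, tag)

    # 3. Attacker recomputes a tag over the modified bytes, but without the
    #    shared key can only guess one: rejected.
    forged_tag = make_tag(tampered, key=b"attacker-guess")
    results["hmac_tampered_forged_tag"] = verify(tampered, forged_tag)

    # 4. Same attack against a bare SHA-256 digest: the attacker recomputes the
    #    digest over the modified bytes and the receiver accepts it.
    results["plain_hash_tampered"] = unkeyed_check(
        tampered, hashlib.sha256(tampered).hexdigest())
    return results
```

The constant-time comparison (`hmac.compare_digest`) matters as much as the keyed tag: a plain `==` on the hex strings leaks how many leading characters match through timing.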
2. You require a port on your Cisco switch to function as a Layer 3 port. What command does this?
a. no switchport
b. no l2 port
c. no layer2 enable
d. disable l2 switchport
Correct Answer: a
Explanation: You use the no switchport command in interface configuration mode to turn a switched (Layer 2) port into a routed (Layer 3) port on a multilayer Cisco switch, after which you can assign it an IP address directly.
3. What zone is created by default on a Cisco router in a ZBF configuration?
a. in-out
b. inside
c. dmz
d. outside
e. self
Correct Answer: e
Explanation: With the Zone-Based Firewall, we take interfaces and place them into a new logical router structure called a zone. A zone is used to define interfaces that will share a security treatment. Cisco automatically designates a special zone for us called the Self Zone. This important zone is used for controlling traffic that is sourced from or directed to the router itself.
4. What is used in conjunction with a private key in PKI to form a key pair?
a. Certificate key
b. Main key
c. Public key
d. Default key
Correct Answer: c
Explanation: Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, where the public key verifies that a holder of the paired private key sent the message, and encryption, where only the paired private key holder can decrypt the message encrypted with the public key.
5. What is the most modern and sophisticated version of the stateful firewall functionality on a Cisco router?
a. CBAC
b. Reflexive ACLs
c. Lock and Key
d. ZBF
Correct Answer: d
Explanation: The Zone Based Firewall feature set represents the most modern and sophisticated way to implement advanced stateful firewall functionality on a Cisco router.
6. What method can you use to guard against spoofing types of attacks?
a. UDLD
b. BPDU Guard
c. uRPF
d. TrustSec
Correct Answer: c
Explanation: Network administrators can use Unicast Reverse Path Forwarding (Unicast RPF) to help limit malicious traffic on an enterprise network. This security feature works by having the router verify the reachability of the source address of packets being forwarded, which limits the appearance of spoofed source addresses on the network. If the source IP address fails the check, the packet is discarded. Unicast RPF works in one of three modes: strict mode (the route back to the source must point out the interface the packet arrived on), loose mode (a route back to the source must exist through any interface), or VRF mode. Not all network devices support all three modes of operation.
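The difference between strict and loose mode is easiest to see on a concrete forwarding table. The following is an added example, not from the original page: a Python model of the uRPF decision against a constructed FIB. Interface names, prefixes and the sample packets are made up; VRF mode is not modeled, and the treatment of the default route follows the IOS `allow-default` keyword as described in the lead-in comments.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # egress interface; "Null0" marks a black-hole route


# Constructed forwarding table for the example router.
FIB: List[Route] = [
    Route(ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),   # user LAN behind Gi0/1
    Route(ipaddress.ip_network("10.2.0.0/16"), "Gi0/2"),   # server LAN behind Gi0/2
    Route(ipaddress.ip_network("192.0.2.0/24"), "Null0"),  # black-holed range
    Route(ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),     # default route toward the ISP
]


def lookup(source: str, fib: List[Route] = FIB) -> Optional[Route]:
    """Longest-prefix match for the packet's source address."""
    addr = ipaddress.ip_address(source)
    candidates = [r for r in fib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def urpf_check(source: str, ingress: str, mode: str,
               fib: List[Route] = FIB, allow_default: bool = False) -> bool:
    """Return True if the packet passes the uRPF check, False if it is dropped.

    mode="strict": the best route back to the source must leave through the
    interface the packet arrived on (IOS: 'reachable-via rx').
    mode="loose":  a route back to the source must exist through any interface
    (IOS: 'reachable-via any').
    In both modes a route to Null0 fails the check, and the default route only
    satisfies the check when allow_default is True (IOS 'allow-default').
    """
    route = lookup(source, fib)
    if route is None:
        return False                      # no route back to the source at all
    if route.prefix.prefixlen == 0 and not allow_default:
        return False                      # only the default route matches
    if route.interface == "Null0":
        return False                      # source is black-holed (RTBH-style filtering)
    if mode == "strict":
        return route.interface == ingress
    if mode == "loose":
        return True
    raise ValueError(f"unknown uRPF mode: {mode}")


def sample_verdicts() -> dict:
    """Constructed packets as (source address, ingress interface), checked in each mode."""
    packets = {
        "legit user":        ("10.1.5.5", "Gi0/1"),
        "spoofed user addr": ("10.1.5.5", "Gi0/2"),      # internal source arriving from the server LAN
        "black-holed":       ("192.0.2.7", "Gi0/0"),
        "internet source":   ("198.51.100.9", "Gi0/0"),  # only the default route matches
    }
    return {
        name: {
            "strict": urpf_check(src, ifc, "strict"),
            "loose": urpf_check(src, ifc, "loose"),
            "strict+allow-default": urpf_check(src, ifc, "strict", allow_default=True),
        }
        for name, (src, ifc) in packets.items()
    }
```

Note how the spoofed internal address passes loose mode but fails strict mode: loose mode only proves the source is routable somewhere, so it is the right choice on asymmetric-routed edges, while strict mode belongs on interfaces with a single well-defined path back to the source.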
7. What command is used to enable the Port Security feature?
a. switchport port-security maximum 2
b. switchport port security on
c. switchport port-security
d. switchport port security enable
Correct Answer: c
Explanation: The switchport port-security command, entered in interface configuration mode, enables the feature on that port; the maximum, violation and mac-address keywords tune it but do not enable it. The interface must first be a static access or trunk port (switchport mode access or trunk), because port security is not accepted on a port in dynamic mode.
8. You are running an ASA with 8.2 code. How can you ensure that NAT is required in order to allow inside clients to access outside resources?
a. nat-control
b. nat enable
c. nat enforce
d. nat enable yes
Correct Answer: a
Explanation: NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.
9. Beyond the hash, group and encryption method, which of the following should be determined during IKE phase one?
a. Authentication and load balancing
b. Authorization and lifetime
c. Authentication and lifetime
d. Authorization and load balancing
Correct Answer: c
Explanation: Phase 1 of an Internet Key Exchange (IKE) negotiation consists of the exchange of proposals for how to authenticate and secure the channel. The participants exchange proposals for acceptable security services such as:
Encryption algorithms: Data Encryption Standard (DES), triple DES (3DES), and Advanced Encryption Standard (AES).
Hash (integrity) algorithms: Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).
Diffie-Hellman (DH) group.
Authentication method: preshared key or RSA/DSA certificates.
Security association lifetime.
A successful Phase 1 negotiation concludes when both ends of the tunnel agree on at least one complete set of the proposed Phase 1 parameters.
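The following is an added example, not from the original page: a Python model of how two peers settle on one Phase 1 parameter set. It follows the IKEv1 matching rule Cisco documents for crypto isakmp policy (the responder walks its policies in priority order, a match needs identical encryption, hash, DH group and authentication method, and the responder's lifetime must not exceed the initiator's, the shorter lifetime winning). The policy values are constructed, and the "weak parameter" list reflects current practice rather than anything the exam specifies.

```python
from dataclasses import dataclass
from typing import List, Optional

# Parameters a reviewer would reject in a new deployment (this example's choice).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass(frozen=True)
class Phase1Policy:
    priority: int        # lower number = higher priority, as in 'crypto isakmp policy <n>'
    encryption: str      # "des", "3des", "aes-128", "aes-256"
    hash: str            # "md5", "sha1", "sha256"
    dh_group: int        # Diffie-Hellman group number
    authentication: str  # "pre-share" or "rsa-sig"
    lifetime: int        # SA lifetime in seconds


def negotiate(initiator: List[Phase1Policy],
              responder: List[Phase1Policy]) -> Optional[dict]:
    """Simplified IKEv1 Phase 1 proposal matching.

    The responder checks its policies in priority order and accepts the first
    one whose encryption, hash, DH group and authentication method all match one
    of the initiator's proposals, provided the responder's lifetime is not longer
    than the initiator's. The shorter lifetime becomes the agreed value.
    Returns the agreed parameter set, or None if nothing is acceptable.
    """
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            same_suite = ((r.encryption, r.hash, r.dh_group, r.authentication) ==
                          (i.encryption, i.hash, i.dh_group, i.authentication))
            if same_suite and r.lifetime <= i.lifetime:
                return {
                    "encryption": r.encryption,
                    "hash": r.hash,
                    "dh_group": r.dh_group,
                    "authentication": r.authentication,
                    "lifetime": min(r.lifetime, i.lifetime),
                }
    return None


def weak_parameters(agreed: dict) -> List[str]:
    """List the agreed parameters that fall in the weak sets above."""
    findings = []
    if agreed["encryption"] in WEAK_ENCRYPTION:
        findings.append(f"encryption {agreed['encryption']}")
    if agreed["hash"] in WEAK_HASH:
        findings.append(f"hash {agreed['hash']}")
    if agreed["dh_group"] in WEAK_DH_GROUPS:
        findings.append(f"DH group {agreed['dh_group']}")
    return findings


# Constructed policies: the initiator prefers AES-256/SHA-256/group 14 but still
# carries a 3DES/SHA-1/group 2 fallback; the responder only allows the strong
# suite and caps the SA lifetime at 8 hours.
INITIATOR = [
    Phase1Policy(10, "aes-256", "sha256", 14, "pre-share", 86400),
    Phase1Policy(20, "3des", "sha1", 2, "pre-share", 86400),
]
RESPONDER_STRICT = [Phase1Policy(10, "aes-256", "sha256", 14, "pre-share", 28800)]
RESPONDER_LEGACY = [Phase1Policy(10, "3des", "sha1", 2, "pre-share", 86400)]


def sample_negotiation(responder: List[Phase1Policy] = RESPONDER_STRICT) -> Optional[dict]:
    return negotiate(INITIATOR, responder)
```

Keeping a weak fallback policy on the initiator is exactly what lets a legacy responder pull the tunnel down to 3DES and group 2, as `sample_negotiation(RESPONDER_LEGACY)` shows; the fix is to remove the fallback policy, not to hope the peer prefers the strong one.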
10. You notice the following command in a proposed configuration for your ASA: route outside 0 0 192.168.1.1. What is this command accomplishing?
a. It is creating a default route to 192.168.1.1 using the outside interface with the default administrative distance
b. It is creating a static route to 192.168.1.1 using the inside interface for traffic sourced from the outside interface
c. It is invalid and will return an error
d. It is creating a default route to 192.168.1.1 using the inside interface with the default administrative distance
Correct Answer: a
Explanation: This command adds a default route. In the syntax route interface_name dest_ip mask gateway_ip [distance], dest_ip and mask identify the destination network (0 0 is shorthand for 0.0.0.0 0.0.0.0, meaning any destination) and gateway_ip is the address of the next-hop router. The addresses you specify for the static route are the addresses that are in the packet before it enters the ASA and before NAT is applied. The distance is the administrative distance for the route; the default is 1 if you do not specify a value. Administrative distance is used to compare routes learned from different sources. The default administrative distance of 1 for static routes gives them precedence over routes discovered by dynamic routing protocols but not over directly connected routes.
11. You are interested in performing remote management and administration of your Cisco device, but you must ensure encryption is in use. What are two valid options to ensure this? (Choose two.)
a. Use Telnet
b. Use SNMP v2c
c. Use SSH
d. Use SNMP v3
Correct Answer: c, d
Explanation: Telnet and SNMP v2c send credentials, community strings and management data in cleartext and offer no option for encryption. SSH encrypts the whole management session, and SNMP v3 provides both authentication and encryption when its users are configured at the authPriv security level (the noAuthNoPriv and authNoPriv levels still leave the data unencrypted).
12. You are interested in implementing DAI on your network. What does this feature rely on in order to function?
a. Private VLAN
b. DHCP Snooping
c. TCP Intercept
d. Zone Based Firewall
Correct Answer: b
Explanation: Dynamic ARP Inspection (DAI) relies on the DHCP snooping binding database, which records the legitimate IP-to-MAC address mappings (together with the VLAN and port) learned from observed DHCP exchanges. ARP packets arriving on untrusted ports are checked against that database and dropped when the sender's IP/MAC pair has no matching binding; if DHCP snooping is not enabled, the database is empty and DAI has nothing to validate against.
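As an added example (not part of the original exam), here is a Python model of the DAI decision for a few ARP packets against a constructed DHCP snooping binding table. Port names, MAC addresses and IP addresses are made up; the model checks VLAN, sender MAC, sender IP and ingress port against the binding, trusts the uplink port, and optionally applies the src-mac validation ('ip arp inspection validate src-mac'). Running it with an empty binding table shows why the feature cannot work without DHCP snooping.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    ingress: str     # switch port the frame arrived on
    vlan: int
    eth_src: str     # Ethernet source MAC in the frame header
    sender_mac: str  # sender hardware address inside the ARP body
    sender_ip: str   # sender protocol address inside the ARP body
    opcode: str      # "request" or "reply"


# Constructed DHCP snooping binding table, as built from observed DHCP ACKs.
BINDINGS: List[Binding] = [
    Binding("0011.2233.4455", "10.0.10.50", 10, "Gi1/0/5"),
    Binding("0011.2233.6677", "10.0.10.51", 10, "Gi1/0/6"),
]
# Ports DAI trusts (the uplink toward the router/DHCP server); ARP is not checked there.
TRUSTED_PORTS: Set[str] = {"Gi1/0/24"}


def inspect(pkt: ArpPacket, bindings: List[Binding] = BINDINGS,
            trusted: Set[str] = TRUSTED_PORTS,
            validate_src_mac: bool = True) -> Tuple[bool, str]:
    """Return (forward?, reason) for one ARP packet under DAI.

    Trusted ports are forwarded without inspection. On untrusted ports the
    sender MAC/IP pair must exist in the binding table for that VLAN; this
    model also requires the binding's port to match the ingress port. With
    validate_src_mac the Ethernet source MAC must equal the ARP sender MAC.
    """
    if pkt.ingress in trusted:
        return True, "trusted port, not inspected"
    if validate_src_mac and pkt.eth_src != pkt.sender_mac:
        return False, "ethernet source MAC differs from ARP sender MAC"
    for b in bindings:
        if (b.vlan, b.mac, b.ip, b.interface) == (pkt.vlan, pkt.sender_mac,
                                                  pkt.sender_ip, pkt.ingress):
            return True, "sender matches DHCP snooping binding"
    return False, "no DHCP snooping binding for sender MAC/IP on this port"


def sample_verdicts(bindings: List[Binding] = BINDINGS) -> dict:
    """Constructed ARP packets; returns whether each one is forwarded."""
    packets = {
        # Host on Gi1/0/5 asking for something with its own leased address.
        "legit request": ArpPacket("Gi1/0/5", 10, "0011.2233.4455",
                                   "0011.2233.4455", "10.0.10.50", "request"),
        # Host on Gi1/0/6 claims the gateway's address 10.0.10.1 (ARP poisoning).
        "gateway spoof": ArpPacket("Gi1/0/6", 10, "0011.2233.6677",
                                   "0011.2233.6677", "10.0.10.1", "reply"),
        # Host on Gi1/0/6 copies its neighbour's MAC/IP into the ARP body only.
        "mac mismatch": ArpPacket("Gi1/0/6", 10, "0011.2233.6677",
                                  "0011.2233.4455", "10.0.10.50", "reply"),
        # The real gateway answering through the trusted uplink.
        "from uplink": ArpPacket("Gi1/0/24", 10, "00aa.bbcc.dd01",
                                 "00aa.bbcc.dd01", "10.0.10.1", "reply"),
    }
    return {name: inspect(pkt, bindings)[0] for name, pkt in packets.items()}
```

Two operational consequences follow from the model: statically addressed hosts never appear in the binding table, so they need ARP ACLs (or static bindings) to survive DAI, and a port that is wrongly marked trusted lets every spoofed ARP through unchecked.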