Cisco 210-260 Free Practice Questions 2021

NEW QUESTION 1
Which IPS detection method can you use to detect attacks that based on the attackers IP addresses?

• A. Policy-based
• B. Anomaly-based
• C. Reputation-based
• D. Signature-based

Answer: D

NEW QUESTION 2
Which type of social-engineering attacks uses normal telephone service as the attack vector?

• A. vishing
• B. phising
• C. smishing
• D. war dialing

Answer: A

NEW QUESTION 3
Which feature can help a router or switch maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or switch?

• A. Control Plane Policing
• B. Service Policy
• C. Cisco Express Forwarding
• D. Policy Map

Answer: A

NEW QUESTION 4
A user reports difficulties accessing certain external web pages, When examining traffic to and from the external domain in full packet captures, you notice many SYNs that have the same sequence number, source, and destination IP address, but have different payloads.
Which problem is a possible Explanation: of this situation?

• A. insufficient network resources
• B. failure of full packet capture solution
• C. misconfiguration of web filter
• D. TCP injection

Answer: D

NEW QUESTION 5
What will happen with traffic if zone-pair created, but policy did not applied?

• A. All traffic will be droped.
• B. All traffic will be passed with logging.
• C. All traffic will be passed without logging.
• D. All traffic will be inspected.

Answer: A

NEW QUESTION 6
Which type of malicious software can create a back-door into a device or network?

• A. worm
• B. Trojan
• C. virus
• D. bot

Answer: B

NEW QUESTION 7
What are two challenges of using a network-based IPS? (Choose two )

• A. It must support multiple operating systems
• B. It is unable to determine whether a detected attack was successful.
• C. As the network expands, it requires you to add more sensors
• D. It requires additional storage and processor capacity on syslog servers.
• E. It is unable to detect attacks across the entire network

Answer: DE

NEW QUESTION 8
Which security term refers to the likelihood that a weakness will be exploited to cause damage to an asset?

• A. threat
• B. vulnerability
• C. risk
• D. countermeasure

Answer: B

NEW QUESTION 9
Which standard is a hybrid protocol that uses Oakley and Skeme key exchanges in an ISAKMP framework?

• A. IPSec
• B. SHA
• C. DES
• D. IKE

Answer: D

Explanation: The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection using the Diffie•Hellman key exchange algorithm.
The protocol was proposed by Hilarie K. Orman in 1998, and formed the basis for the more widely used
Internet key exchange protocol
Source: https://en.wikipedia.org/wiki/Oakley_protocol IKE (Internet Key Exchange)
A key management protocol standard that is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol that implements the Oakley key exchange and Skeme key exchange inside of the Internet Security Association and Key Management Protocol (ISAKMP) framework.
ISAKMP, Oakley, and Skeme are security protocols implemented by IKE Source: https://www.symantec.com/security_response/glossary/define.jsp?letter=i&word=ike-internet-key- exchange

NEW QUESTION 10
Which two commands are used to implement Cisco IOS Resilient Configuration? (Choose two.)

• A. secure boot-image
• B. copy running-config startup-config
• C. secure boot-config
• D. copy flash:/ios.bin tftp
• E. copy running-config tftp

Answer: AC

Explanation: The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).
In 12.3(8)T this feature was introduced.
The following commands were introduced or modified: secure boot-config, secure boot-image, showsecure bootset.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec

NEW QUESTION 11
Which of Diffie-Hellman group(s) is/are support(ed) by CISCO VPN Product (Choose all that apply?

• A. Group1
• B. Group2
• C. Group3
• D. Group5
• E. Group7
• F. Group8
• G. Group9

Answer: ABDE

NEW QUESTION 12
Which command do you enter to verify the status and settings of an IKE Phase 1 tunnel?

• A. show crypto Ipsec as output
• B. show crypto isakmp policy
• C. show crypto isakmp sa
• D. show crypto ipsec transform-sat

Answer: C

NEW QUESTION 13
Which alert protocol is used with Cisco IPS Manager Express to support up to 10 sensors?

• A. SDEE
• B. Syslog
• C. SNMP
• D. CSM

Answer: A

Explanation: IPS produces various types of events including intrusion alerts and status events. IPS communicates events to clients such as management applications using the proprietary RDEP2. We have also developed an IPS- industry leading protocol, SDEE, which is a product-independent standard for communicating security device events. SDEE is an enhancement to the current version of RDEP2 that adds extensibility features that are needed for communicating events generated by various types of security devices.
Source:
http://www.cisco.com/c/en/us/td/docs/security/ips/6-1/configuration/guide/ime/imeguide/ ime_system_architecture.html

NEW QUESTION 14
Which statements about reflexive access lists are true? (Choose three.)

• A. Reflexive access lists create a permanent ACE
• B. Reflexive access lists approximate session filtering using the established keyword
• C. Reflexive access lists can be attached to standard named IP ACLs
• D. Reflexive access lists support UDP sessions
• E. Reflexive access lists can be attached to extended named IP ACLs
• F. Reflexive access lists support TCP sessions

Answer: DEF

Explanation: To define a reflexive access list, you use an entry in an extended named IP access list. This entry must use the reflect keyword.
A reflexive access list is triggered when a new IP upper-layer session (such as TCP or UDP) is initiated from inside your network, with a packet traveling to the external network.
Moreover, the previous method of using the established keyword was available only for the TCP upper- layer protocol. So, for the other upper-layer protocols (such as UDP, ICMP, and so forth), you would have to either permit all incoming traffic or define all possible permissible source/destination host/port address pairs for each protocol. (Besides being an unmanageable task, this could exhaust NVRAM space.) Source: http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/ scfreflx.html#54908

NEW QUESTION 15
Which command should be used to enable AAA authentication to determine if a user can access the privilege command level?

• A. aaa authentication enable level
• B. aaa authentication enable default local
• C. aaa authentication enable method default
• D. aaa authentication enable local

Answer: B

Explanation: https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html

NEW QUESTION 16
In which three ways does the TACACS protocol differ from RADIUS? (Choose three.)

• A. TACACS uses TCP to communicate with the NAS.
• B. TACACS can encrypt the entire packet that is sent to the NAS.
• C. TACACS supports per-command authorization.
• D. TACACS authenticates and authorizes simultaneously, causing fewer packets to be transmitted.
• E. TACACS uses UDP to communicate with the NAS.
• F. TACACS encrypts only the password field in an authentication packet.

Answer: ABC