
CCIE Security V4 350-018 (with partial Chinese annotations)


CCIE SECURITY V4.0 350-018

186Q

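Note: I typed all of this by hand to make it easier to memorize. The Chinese annotations are my own translations and are not necessarily correct; they are for reference only!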

1,which two EIGRP packet types are considered to be unreliable packets?

A,update

B,query

C,reply

D,hello

E,acknowledgement

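(A hello obviously may not get a reply from anyone, so it needs no acknowledgement; an ack is itself the acknowledgement packet, so it is not acknowledged in turn)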

2,before BGP update messages may be sent,a neighbor must stabilize into which neighbor state?

A,active

B, idle

C,connected

D,established

(The established state means the BGP peering is fully set up; only then can updates be exchanged)

3,which three statements are correct when comparing mobile IPv6 and mobile IPv4 support?

A,mobile ipv6 does not require a foreign agent,but mobile ipv4 does

B,mobile ipv6 supports route optimization as a fundamental part of the protocol;ipv4 requires extensions

C,mobile ipv6 and mobile ipv4 use a directed broadcast approach for home agent address discovery

D,mobile ipv6 makes use of its own routing header, mobile ipv4 uses only ip encapsulation

E,mobile ipv6 and mobile ipv4 use arp for neighbor discovery

F,mobile ipv4 has adopted the use of ipv6 ND

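(v6 does not need a foreign agent but v4 does; route optimization is a fundamental part of the v6 protocol, while in v4 it is in an extension; v6 has its own routing header, v4 has only IP encapsulation)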

4,which protocol does 802.1x use between the supplicant and the authenticator to authenticate users who wish to access the network?

A,snmp

B,tacacs+

C,radius

D,eap over lan

E,pppoe

(802.1x mainly uses a layer 2 protocol that encapsulates EAP between the supplicant and the authenticator, EAPOL for short)

5,refer to the exhibit. Which message could contain an authenticated initial_contact notify during IKE main mode negotiation?

A,message3

B,message5

C,message1

D,none,initial_contact is sent only during quick mode

E,none,notify messages are sent only as independent message types

(Packets 1 and 2 exchange the authentication and encryption modes, 3 and 4 are the DH exchange, and authentication information starts from packet 5)

6,which two statements are correct regarding the AES encryption algorithm?

A,it is a FIPS-approved symmetric block cipher

B,it supports a block size of 128,192 or 256 bits

C,it supports a variable length block size from 16 to 448 bits

D, it supports a cipher key size of 128,192 or 256 bits

E,the AES encryption algorithm is based on the presumed difficulty of factoring large integers

(AES is a FIPS-approved symmetric-key block cipher; the block size is 128 bits and the key size can be 128, 192 or 256)

7,what are two benefits of using IKEv2 instead of IKEv1 when deploying remote-access IPsec VPN?

A,IKEv2 supports EAP authentication methods as part of the protocol

B, IKEv2 inherently supports NAT traversal

C,IKEv2 messages use random message IDs

D,the IKEv2 SA plus the IPsec SA can be established in six messages instead of nine messages

E,all IKEv2 messages are encryption-protected

(EAP and NAT-T are standard components of IKEv2, which is rather convenient for remote access)

8,DNSSEC was designed to overcome which security limitation of DNS?

A,DNS man-in-the-middle attacks

B,DNS flood attacks

C,DNS fragmentation attacks

D,DNS hash attacks

E,DNS replay attacks

F,DNS violation attacks

(DNSSEC provides origin authentication and data integrity checking, which effectively defends against man-in-the-middle attacks)

9,which three statements are true about MACsec?

A,it supports GCM modes of AES and 3DES

B,it is defined under IEEE 802.1AE

C,it provides hop-by-hop encryption at layer 2

D,MACsec expects a strict order of frames to prevent anti-replay

E,MKA is used for session and encryption key management

F,it uses EAP PACs to distribute encryption keys

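(MACsec is a layer 2 encryption protocol that follows dot1ae; it encrypts point-to-point data, meaning the encrypted traffic does not pass through layer 2 devices; it uses MKA to negotiate and manage keys)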

10,which SSL protocol takes an application message to be transmitted,fragments the data into manageable blocks, optionally compresses the data,applies a MAC,encrypts,adds a header,and transmits the resulting unit in a TCP segment?

A,SSL handshake protocol

B,SSL alert protocol

C,SSL record protocol

D,SSL change cipherspec protocol

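(The SSL protocol can be divided into two layers. The SSL Record Protocol is built on top of a reliable transport protocol (such as TCP) and provides higher-layer protocols with basic functions such as data encapsulation, compression and encryption. The SSL Handshake Protocol is built on top of the SSL Record Protocol and is used, before the actual data transfer begins, for the two parties to authenticate each other, negotiate the encryption algorithm and exchange encryption keys.)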

11,IPsec SAs can be applied as a security mechanism for which three options?

A,send

B,mobile IPv6

C,site-to-site virtual interfaces

D,OSPFv3

E,CAPWAP

F,LWAPP

(Mobile IPv6, point-to-point tunnel interfaces, OSPFv3)

12,which four options are valid EAP mechanisms to be used with WPA2?

A,PEAP

B,EAP-TLS

C,EAP-FAST

D,EAP-TTLS

E,EAPOL

F,EAP-RADIUS

G,EAP-MD5

(PEAP,EAP-TLS,EAP-FAST,EAP-TTLS)

13,according to OWASP guidelines,what is the recommended method to prevent cross-site request forgery?

A,allow only POST requests

B,mark all cookies as HTTP only

C,use per-session challenge tokens in links within your web application

D, always use the "secure" attribute for cookies

E,require strong passwords

(OWASP recommends adding token protection)

14,which option is used to collect wireless traffic passively,for the purposes of eavesdropping or information gathering?

A,network taps

B,repeater access points

C,wireless sniffers

D,intrusion prevention systems

(Wireless sniffers)

15,which traffic class is defined for non-business-relevant applications and receives any bandwidth that remains after QoS policies have been applied?

A,scavenger class

B,best effort

C,discard eligible

D,priority queued

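(Scavenger-class traffic refers to some emerging traffic within the overall network communication system that has no real value to the organization)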

16,in the context of a botnet,what is true regarding a command and control server?

A,it can launch an attack using IRC or Twitter

B,it is another name for a zombie

C,it is used to generate a worm

D,it sends the command to the botnets via adware

(A botnet generally uses social networks to launch attacks on compromised hosts and plant Trojans)

17,which option is used for anti-replay prevention in a Cisco IOS IPsec implementation?

A,session token

B,one-time password

C,time stamps

D,sequence number

E,nonce

(Sequence number)

18,refer to the exhibit. What will be the default action?

A,HTTP traffic to the facebook,youtube,and twitter websites will be dropped

B, HTTP traffic to the facebook and youtube websites will be dropped

C, HTTP traffic to the twitter and youtube websites will be dropped

D, HTTP traffic to the facebook and twitter websites will be dropped

19,which Cisco ASA feature can be used to update non-compliant antivirus/antispyware definition file on an anyconnect client?

A,dynamic access policies

B,dynamic access policies with host scan and advanced endpoint assessment

C,cisco secure desktop

D,advanced endpoint assessment

(Dynamic access policies with host scan and advanced endpoint assessment)

20,refer to the exhibit. When configuring a Cisco IPS custom signature, what type of signature engine must you use to block podcast clients from accessing the network?

A,service HTTP

B,service TCP

C,string TCP

D,fixed TCP

E,service GENERIC

21, an attacker configures an access point to broadcast the same SSID that is used at a public hot-spot,and launches a deauthentication attack(DA) against the clients that are connected to the hot-spot, with the hope that the clients will then associate to the AP of the attacker. In addition to the deauthentication attack,what attack has been launched?

A,man-in-the-middle

B, MAC spoofing

C,layer 1 DoS

D, disassociation attack

(A man-in-the-middle attack is needed to forward the traffic)

22,which statement best describes the concepts of rootkits and privilege escalation?

A,rootkits propagate themselves

B,privilege escalation is the result of a rootkit

C,rootkits are a result of a privilege escalation

D,both of these require a TCP port to gain access

(The main function of a rootkit is to hide other programs' processes)

23,refer to the exhibit. Which message of the ISAKMP exchange is failing?

A,main mode 1

B, main mode 3

C,aggressive mode 1

D, main mode 5

E,aggressive mode 2

24,which multicast capability is not supported by the Cisco ASA appliance?

A,ASA configured as a rendezvous point

B,sending multicast traffic across a VPN tunnel

C,NAT of multicast traffic

D,IGMP forwarding(stub) mode

(Sending multicast traffic across a VPN tunnel is not supported)

25,refer to the exhibit. What type of attack is being mitigated on the Cisco ASA appliance?

A,HTTPS certificate man-in-the-middle attack

B,HTTP distributed denial of service attack

C,HTTP shockwave flash exploit

D,HTTP SQL injection attack

(SQL injection)

26, which method of output queuing is supported on the Cisco ASA appliance?

A,CBWFQ

B,priority queuing

C,MDRP

D,WFQ

E,custom queuing

(Priority queuing)

27,which four values can be used by the Cisco IPS appliance in the risk rating calculation?

A,attack severity rating

B,target value rating

C,signature fidelity rating

D,promiscuous delta

E,threat rating

F,alert rating

(Attack severity rating, target value rating, signature fidelity rating, promiscuous delta)

28,which three authentication methods does the Cisco IBNS Flexible Authentication feature support?

A,cut-through

B,dot1x

C,MAB

D,SSO

E,web authentication

(802.1X, MAC authentication, web authentication)

29,Troubleshooting the web authentication fallback feature on a Cisco Catalyst switch shows that clients with the 802.1X supplicant are able to authenticate,but clients without the supplicant are not able to use web authentication. Which configuration option will correct this issue?

A,switch(config)#aaa accounting auth-proxy default start-stop group radius

B,switch(config)#authentication host-mode multi-auth

C,switch(config)#webauth

D,switch(config)#ip http server

E,switch(config)#authentication priority webauth dot1x

(The HTTP server must be enabled for web authentication)

30,which option on the Cisco ASA appliance must be enabled when implementing botnet traffic filtering?

A,HTTP inspection

B,static entries in the botnet blacklist and whitelist

C,global ACL

D,netflow

E,DNS inspection DNS snooping

(DNS inspection and DNS snooping)

31,refer to the exhibit. Which statement about this Cisco catalyst switch 802.1X configuration is true?

A,if an IP phone behind the switch port has an 802.1X supplicant,MAC address bypass will still be used to authenticate the IP phone

B,if an IP phone behind the switch port has an 802.1X supplicant,802.1X authentication will be used to authenticate the IP phone

C, the authentication host-mode multi-domain command enables the PC connected behind the IP phone to bypass 802.1X authentication

D,using the authentication host-mode multi-domain command will allow up to eight PCs connected behind the IP phone via a hub to be individually authenticated using 802.1X

(If the IP phone behind the switch port has an 802.1X supplicant, MAB is used to authenticate the IP phone)

32,which signature engine is used to create a custom IPS signature on a Cisco IPS appliance that triggers when a vulnerable web application identified by the “/runscipt.php” URI is run?

A, AIC HTTP

B,service HTTP

C,string TCP

D,atomic IP

E,META

F,multi-string

33,with the Cisco FlexVPN,which four VPN deployments are supported?

A,site-to-site IPsec tunnels

B,dynamic spoke-to-spoke IPsec tunnels(partial mesh)

C,remote access from software or hardware IPsec clients

D,distributed full mesh IPsec tunnels

E,IPsec group encryption using GDOI

F,hub-and-spoke IPsec tunnels

(Site-to-site IPsec tunnels, dynamic spoke-to-spoke VPN, remote access, hub-and-spoke IPsec tunnels)

34,which four techniques can you use for ip management plane security?

A,management plane protection

B,uRPF

C,strong password

D,RBAC

E,snmp security measures

F,MD5 authentication

(Management plane protection, strong passwords, role-based access control, SNMP security measures)

35,which three statements about remotely triggered black hole filtering are true?

A,it filters undesirable traffic

B,it uses BGP or OSPF to trigger a network-wide remotely controlled response to attacks

C,it provides a rapid-response technique that can be used in handling security-related events and incidents

D,it requires uRPF

(It filters undesirable traffic; it provides a rapid-response technique for handling security-related events; it requires uRPF)

36,which three statements about Cisco Flexible netflow are true?

A,the packet information used to create flows is not configurable by the user

B,it supports IPv4 and IPv6 packet fields

C,it tracks all fields of an IPv4 header as well as sections of the data payload

D,it uses two types of flow cache,normal and permanent

E,it can be a useful tool in monitoring the network for attacks

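(It supports IPv4 and IPv6 packet fields; it tracks all fields of an IPv4 header as well as sections of the data payload; it can be a useful tool in monitoring the network for attacks)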

37,during a computer security forensic investigation, a laptop computer is retrieved that requires content analysis and information retrieval. Which file system is on it,assuming it has the default installation of Microsoft Windows Vista operating system?

A,HSFS

B,WinFS

C,NTFS

D,FAT

E,FAT32

38,which three statements about the IANA are true?

A,IANA is a department that is operated by the IETF

B,IANA oversees global IP address allocation

C,IANA managed the root zone in the DNS

D,IANA is administered by the ICANN

E,IANA defines URI schemes for use on the Internet

(It is responsible for allocating and overseeing public IP addresses; it manages the DNS root zone; it is administered by ICANN)

39,what does the common criteria(CC) standard define?

A, the current list of common vulnerabilities and exposures(CVEs)

B,the U.S standards for encryption export regulations

C,tools to support the development of pivotal,forward-looking information system technologies

D,the international standards for evaluating trust in information systems and products

E,the international standards for privacy laws

F,the standards for establishing a security incident response system

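(Common Criteria is short for the "Common Criteria for Information Technology Security Evaluation", jointly developed by the United States, the European Union and Canada. It is a set of evaluation criteria for the security of computer products: the international standard for evaluating the security of information systems and products)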

40,which three types of information could be used during the incident response investigation phase?

A,netflow data

B,SNMP alerts

C,encryption policy

D,syslog output

E,IT compliance reports

(NetFlow data, SNMP alerts, syslog)

41,which of the following best describes Chain of Evidence in the context of security forensics?

A,Evidence is locked down,but not necessarily authenticated

B,Evidence is controlled and accounted for to maintain its authenticity and integrity

C,the general whereabouts of evidence is known

D,someone knows where the evidence is and can say who had it if it is not logged

(Evidence is controlled and accounted for to maintain its authenticity and integrity)

42,which option is a benefit of implementing RFC 2827?

A,prevents DOS from legitimate,non-hostile end systems

B,prevents disruption of special services such as Mobile IP

C,defeats DoS attacks which employ IP source address spoofing

D,restricts directed broadcasts at the ingress router

E,allows DHCP or BOOTP packets to reach the relay agents as appropriate

(Prevents DoS attacks that use source IP address spoofing)

43,which of the following provides the features of route summarization,assignment of contiguous blocks of addresses,and combining routes for multiple classful networks into a single route?

A,classless interdomain routing

B,route summarization

C,supernetting

D,private IP addressing

(Classless interdomain routing)

44,aggregate global IPv6 addresses begin with which bit pattern in the first 16-bit group?

A, 000/3

B,001/3

C,010/2

D,011/2

45,which layer of the OSI reference model typically deals with the physical addressing of interface cards?

A,physical layer

B,data-link layer

C,network layer

D,host layer

(Data link layer)

46,which statement best describes a key difference in IPv6 fragmentation support compared to IPv4?

A,in IPv6,ip fragmentation is no longer needed because all internet links must have an IP MTU of 1280 bytes or greater

B,in IPv6,PMTUD is no longer performed by the source node of an IP packet

C,in IPv6,ip fragmentation is no longer needed since all nodes must perform PMTUD and send packets equal to or smaller than the minimum discovered path MTU

D,in IPv6, PMTUD is no longer performed by any node since the don’t fragment flag is removed from the IPv6 header

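E,in IPv6,ip fragmentation is performed only by the source node of a large packet, and not by any other devices in the data path

(Unlike IPv4, IPv6 fragmentation can be performed only at the source node, whereas in IPv4 it can also be performed at intermediate nodes along the path)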

47,refer to the exhibit. It shows the format of an IPv6 router advertisement packet. If the router lifetime value is set to 0, what does that mean?

A,the router that is sending the RA is not the default router

B, the router that is sending the RA is the default router

C, the router that is sending the RA will never power down

D, the router that is sending the RA is the NTP master

E, the router that is sending the RA is a certificate authority

F, the router that is sending the RA has its time synchronized to an NTP source

(A router sending this RA indicates that it is not the default router)

48,if a host receives a TCP packet with an SEQ number of 1234,an ACK number of 5678,and a length of 1000 bytes,what will it send in reply?

A, a TCP packet with SEQ number:6678,and ACK number:1234

B, a TCP packet with SEQ number:2234,and ACK number:5678

C, a TCP packet with SEQ number:1234,and ACK number:2234

D, a TCP packet with SEQ number:5678,and ACK number:2234

49,a network administrator uses a LAN analyzer to troubleshoot OSPF router exchange messages sent to all OSPF routers. To which one of these MAC addresses are these messages sent?

A,00-00-1c-ef-00-00

B,01-00-5e-00-00-05

C,01-00-5e-5f-00-00

D,ef-ff-ff-00-00-05

E,ef-00-00-ff-ff-ff

F,ff-ff-ff-ff-ff-ff

(224.0.0.5, and the MAC is 0100.5e00.0005)

50,comparing and contrasting IKEv1 and IKEv2,which three statements are true?

A,IKEv2 adds EAP as a method of authentication for clients;IKEv1 does not use EAP

B,IKEv1 and IKEv2 endpoints indicate support for NAT-T via the vendor_ID payload

C,IKEv2 and IKEv1 always ensure protection of the identities of the peers during the negotiation process

D,IKEv2 provides user authentication via the IKE_AUTH exchange;IKEv1 uses the XAUTH exchange

E,IKEv1 and IKEv2 both use INITIAL_CONTACT to synchronize SAs

F,IKEv1 supports config mode via the SET/ACK and REQUEST/RESPONSE methods;IKEv2 supports only REQUEST/RESPONSE

(v2 can support EAP but v1 cannot; v2 uses the IKE_AUTH exchange for authentication while v1 uses the XAUTH exchange; both use INITIAL_CONTACT to synchronize SAs)

51,which three statements about GDOI are true?

A,GDOI uses TCP port 848

B,the GROUPKEY_PULL exchange is protected by an IKE phase 1 exchange

C,the KEK protects the GROUPKEY_PUSH message

D,the TEK is used to encrypt and decrypt data traffic

E,GDOI does not support PFS

(GROUPKEY_PULL is exchanged securely under IKE phase 1; the KEK protects GROUPKEY_PUSH; the TEK protects data traffic)

52,which three nonproprietary EAP methods do not require the use of a client-side certificate for mutual authentication?

A,LEAP

B,EAP-TLS

C,PEAP

D,EAP-TTLS

E,EAP-FAST

(PEAP,EAP-TTLS,EAP-FAST)

53,when you compare WEP to WPA(not WPA2), which three protections are gained?

A,a message integrity check

B,AES-based encryption

C,avoidance of weak initialization vectors

D,longer RC4 keys

E,a rekeying mechanism

(Message integrity check, a longer initialization vector, a rekeying mechanism)

54,which option shows the correct sequence of the DHCP packets that are involved in IP address assignment between the DHCP client and the server?

A,REQUEST-OFFER-ACK

B,DISCOVER-OFFER-REQUEST-ACK

C,REQUEST-ASSIGN-ACK

D,DISCOVER-ASSIGN-ACK

E,REQUEST-DISCOVER-OFFER-ACK

55,which common FTP client command transmits a direct,byte-for-byte copy of a file?

A,ascii

B,binary

C,hash

D,quote

E,glob

56,which option is a desktop sharing application,used across a variety of platforms,with default TCP ports 5800/5801 and 5900/5901?

A,X windows

B,remote desktop protocol

C,VNC

D,desktop proxy

57,which two of the following provide protection against man-in-the-middle attacks?

A,TCP initial sequence number randomization

B,TCP sliding-window checking

C,network address translation

D,IPsec VPNs

E,secure sockets layer

(IPsec and SSL)

58,refer to the exhibit. Which statement is true?

A,this packet decoder is using relative TCP sequence numbering

B,this TCP client is proposing the use of TCP window scaling

C,this packet represents an active FTP data session

D,this packet contains no TCP payload

(A packet with SYN set is a TCP handshake packet and does not contain a payload)

59,an exploit that involves connecting to a specific TCP port and gaining access to an administrative command prompt is an example of which type of attack?

A,botnet

B,Trojan horse

C,privilege escalation

D,DOS

(Privilege escalation)

60,when configuring an infrastructure ACL to protect the IPv6 infrastructure of an enterprise network,where should the iACL be applied?

A,all infrastructure devices in both the inbound and outbound direction

B,all infrastructure devices in the inbound direction

C,all infrastructure devices in the outbound direction

D,all parameter devices in both inbound and outbound direction

E,all parameter devices in inbound direction

F,all parameter devices in the outbound direction

(All parameter devices in the inbound direction)

61,what feature on the Cisco ASA is used to check for the presence of an up-to-date antivirus vendor on an AnyConnect client?

A,dynamic access policies with no additional options

B,dynamic access policies with host scan enabled

C,advanced endpoint assessment

D,LDAP attribute maps obtained from antivirus vendor

(Dynamic access policies with host scan enabled)

62,what type of attack consists of injecting traffic that is marked with the DSCP value of EF into the network?

A,brute-force attack

B,QOS marking attack

C,DHCP starvation attack

D,SYN flood attack

(A DSCP marking of EF means expedited forwarding)

63,which statement is true regarding Cisco ASA operations using software versions 8.3 and later?

A,the global access list is matched first before the interface access lists

B,both the interface and global access lists can be applied in the input or output direction

C,when creating an access list entry using the Cisco ASDM Add Access Rule window,choosing “global” as the interface will apply the access list entry globally

D,NAT control is enabled by default

E,The static CLI command is used to configure static NAT translation rules

(The global ACL is matched before the interface ACLs)

64,which three multicast features are supported on the Cisco ASA?

A,PIM sparse mode

B,IGMP forwarding

C,Auto-RP

D,NAT of multicast traffic

(PIM (Protocol Independent Multicast) sparse mode, IGMP, NAT of multicast traffic)

65,which three configuration tasks are required for VPN clustering of AnyConnect clients that are connecting to an FQDN on the Cisco ASA?

A,the redirect-fqdn command must be entered under the vpn load-balancing sub-configuration

B,each ASA in the VPN cluster must be able to resolve the IP of all DNS hostnames that are used in the cluster

C,the identification and CA certificates for the master FQDN hostname must be imported into each VPN cluster-member device

D,the remote-access IP pools must be configured the same on each VPN cluster-member interface

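(The FQDN redirect must be entered under the VPN load-balancing sub-configuration; every ASA must be able to resolve DNS; every ASA must import the FQDN certificate)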

66,which three statements are true about objects and object groups on a Cisco ASA appliance that is running Software Version 8.4 or later?

A,TCP,UDP,ICMP,and ICMPv6 are supported service object protocol types

B,IPv6 object nesting is supported

C,Network objects support IPv4 and IPv6 addresses

D,Objects are not supported in transparent mode

E,Objects are supported in single-and multiple-context firewall modes

(TCP and the others are supported service object protocol types; network objects support IPv6 and IPv4; both single- and multiple-context firewall modes are supported)

67,which command is used to replicate HTTP connections from the active to the standby Cisco ASA appliance in failover?

A,monitor-interface http

B,failover link fove replicate http

C,failover replication http

D,interface fover replicate http standby

E,NO command is needed,as this is the default behavior

68,refer to the exhibit. Given the Cisco ASA configuration above,which commands need to be added in order for the Cisco ASA appliance to deny all IPv6 packets with more than three extension headers?

policy-map type inspect ipv6 IPv6-map
 match header routing-type range 0 255
  drop
class-map outside-class
 match any
policy-map outside-policy
 class outside-class
  inspect ipv6 IPv6-map
service-policy outside-policy interface outside

A,policy-map type inspect ipv6 IPv6-map

match ipv6 header Count>3

B,policy-map outside-policy

class outside-class

inspect ipv6 header count gt 3

C,class-map outside-class

match ipv6 header count greater 3

D,policy-map type inspect ipv6 ipv6-map

match header count gt 3

drop

69,which C3PL configuration component is used to tune the inspection timers such as setting the tcp idle-time and tcp synwait-time on the Cisco ZBFW?

A,class-map type inspect

B,parameter-map type inspect

C,service-policy type inspect

D,policy-map type inspect tcp

E,inspect-map type tcp

(Parameter map)

70,which three NAT types support bidirectional traffic initiation?

A,static NAT

B,NAT exemption

C,policy NAT with nat/global

D,static PAT

E,identity NAT

(Static NAT, NAT exemption, static PAT)

71,which IPS module can be installed on the Cisco ASA 5520 appliance?

A,IPS-AIM

B,AIP-SSM

C,AIP-SSC

D,NME-IPS-K9

E,IDSM-2

72,which two options best describe the authorization process as it relates to network access?

A,the process of identifying the validity of a certificate,and validating specific fields in the certificate against an identity store

B,the process of providing network access to the end user

C,applying enforcement controls,such as downloadable ACLs and VLAN assignment,to the network access session of a user

D,the process of validating the provided credentials

(The process of providing network access to the end user; applying enforcement controls such as downloadable ACLs and VLANs)

73,If ISE is not Layer 2 adjacent to the Wireless LAN Controller, which two options should be configured on the Wireless LAN Controller to profile wireless endpoints accurately?

A. Configure the Call Station ID Type to be: "IP Address".

B. Configure the Call Station ID Type to be: "System MAC Address".

C. Configure the Call Station ID Type to be: "MAC and IP Address".

D. Enable DHCP Proxy.

E. Disable DHCP Proxy.

74,refer to the exhibit. To configure the Cisco ASA,what should you enter in the Name field,under the Group Authentication option for the IPsec VPN client?

A,group policy name

B,crypto map name

C,isakmp policy name

D,crypto ipsec transform-set name

E,tunnel group name

75,refer to the exhibit. On r1,encrypt counters are incrementing. On R2,packets are decrypted,but the encrypt counter is not being incremented. What is the most likely cause of this issue?

A,a routing problem on r1

B,a routing problem on r2

C,incomplete IPsec SA establishment

D,crypto engine failure on r2

E,IPsec rekeying is occurring

(There is a routing problem on R2)

76,which two methods are used for forwarding traffic to the Cisco ScanSafe Web Security service?

A,cisco anyconnect VPN client with web security and scansafe subscription

B,cisco ISR G2 router with SECK9 and scansafe subscription

C,cisco ASA adaptive security appliance using DNAT policies to forward traffic to scansafe subscription servers

D,cisco web security appliance with scansafe subscription

(ISR router with SECK9 and a ScanSafe subscription; ASA using DNAT policies)

77,which four statements about SeND for IPv6 are correct?

A,it protects against rogue RAs

B,NDP exchanges are protected by IPsec SAs and provide for anti-replay

C,it defines secure extensions for NDP

D,it authorizes routers to advertise certain prefixes

E,it provides a method for secure default router election on hosts

F,neighbor identity protection is provided by Cryptographically Generated Addresses that are derived from a Diffie-hellman key exchange

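G,it is facilitated by the Certification Path Request and Certification Path Response ND messages

(It protects against rogue RAs; it defines secure extensions for NDP; it authorizes routers to advertise; it provides a method for default router election)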

78,what is the recommended network MACSec policy mode for high security deployments?

A,should-secure

B,must-not-secure

C,must-secure
