CCNA Network Security Questions

58 questions · Network Security · All types, answers revealed

1
Multi-Select · medium

A network engineer is implementing Cisco TrustSec in an enterprise network. Which two components are required for TrustSec to function correctly? (Choose two.)

Select 2 answers
A. ISE
B. AAA server
C. Firepower
D. SXP
E. SGACL
Answers: A, D

ISE is the policy server that defines TrustSec policies and distributes SGTs.

Why this answer

Cisco TrustSec uses the Identity Services Engine (ISE) as the centralized policy server to define and enforce security group tags (SGTs) and access policies. ISE is the mandatory policy decision point that assigns SGTs to endpoints and distributes them to network devices via SXP or inline tagging. Without ISE, there is no mechanism to create, manage, or propagate the SGT-based policies that TrustSec relies on.

Exam trap

Cisco often tests the distinction between required components (ISE and SXP) and optional or derivative elements (AAA server, Firepower, SGACLs) to catch candidates who confuse the policy enforcement mechanism with the foundational infrastructure.

2
MCQ · hard

A network administrator is configuring Cisco ASA with FirePOWER services. The administrator wants to inspect SSL traffic but is concerned about certificate pinning in modern applications. Which action should the administrator take to ensure that SSL inspection does not break applications that use certificate pinning?

A. Configure SSL inspection to bypass all traffic to avoid any issues
B. Install a custom root CA on all clients and configure the ASA to use that CA
C. Create an SSL decryption rule to exclude traffic from applications known to use certificate pinning
D. Use a decryption policy that decrypts the traffic but does not re-encrypt
Answer: C

Excluding pinned applications prevents the ASA from interfering with certificate validation.

Why this answer

Option C is correct because certificate pinning hardcodes the expected certificate or public key within an application. If the ASA decrypts and re-encrypts the traffic using a different certificate (even one signed by a trusted CA), the pinned certificate will not match, causing the application to reject the connection. By creating an SSL decryption rule that excludes traffic from applications known to use certificate pinning, the administrator avoids breaking those applications while still inspecting other SSL traffic.

Exam trap

Cisco often tests the misconception that installing a trusted root CA on clients is sufficient to handle all SSL inspection scenarios, but the trap here is that certificate pinning bypasses CA trust entirely by comparing against a hardcoded certificate or public key.

How to eliminate wrong answers

Option A is wrong because bypassing all SSL traffic defeats the purpose of SSL inspection and leaves all encrypted traffic uninspected, which is not a valid security strategy. Option B is wrong because installing a custom root CA on all clients does not solve certificate pinning; pinned applications compare the server certificate against a hardcoded value, not against a trusted CA chain, so the ASA's re-encrypted certificate will still fail the pinning check. Option D is wrong because decrypting without re-encrypting would send plaintext traffic to the client, which breaks TLS protocol expectations and would be rejected by the client; the ASA must re-encrypt to maintain a valid TLS session.

3
MCQ · hard

Refer to the exhibit. An engineer configured 802.1X on two switch ports. On Gi1/0/1, a VoIP phone and a PC are connected via a hub. On Gi1/0/2, only a single PC is connected. Which port will successfully authenticate both devices, and what is the issue with the other port?

A. Both ports will authenticate all connected devices because 802.1X supports multiple hosts by default.
B. Gi1/0/2 will authenticate the PC; Gi1/0/1 will fail because multi-auth is not supported on access ports.
C. Gi1/0/1 will authenticate both devices; Gi1/0/2 will fail because the tx-period is too long.
D. Gi1/0/1 will authenticate both devices; Gi1/0/2 will only authenticate the PC, and any additional device will be denied.
Answer: D

Multi-auth allows multiple devices; single-host allows only one.

Why this answer

Option D is correct because Gi1/0/1 is configured with the `authentication port-control auto` and `authentication host-mode multi-auth` commands, which allow both the VoIP phone and the PC to authenticate independently. Gi1/0/2 is configured with `authentication host-mode single-host` (the default), which only permits a single authenticated device; any additional device, such as a second PC connected via a hub, will be denied access.

Exam trap

Cisco often tests the distinction between `multi-auth` and `single-host` modes, and the trap here is that candidates assume 802.1X inherently supports multiple devices or that a long tx-period is the cause of failure, rather than recognizing the default single-host restriction on Gi1/0/2.

How to eliminate wrong answers

Option A is wrong because 802.1X does not support multiple hosts by default; the default host mode is single-host, which only allows one authenticated MAC address per port. Option B is wrong because multi-auth is supported on access ports; the issue with Gi1/0/1 is not about support but about the specific host-mode configuration shown in the exhibit. Option C is wrong because the tx-period (60 seconds) does not cause a failure on Gi1/0/2; the tx-period is a timer for reauthentication or EAP retransmission, and the exhibit shows Gi1/0/2 is configured with single-host mode, which is the actual reason it cannot authenticate multiple devices.

4
MCQ · medium

A network engineer is trying to establish a site-to-site IPsec VPN between two Cisco routers. The IKEv2 proposal uses AES-256 encryption and SHA-256 hash. On the remote router, the configuration shows only AES-128 and SHA-1. What will happen during IKEv2 negotiation?

A. The router with the stronger proposal will override the other.
B. The IKEv2 negotiation will fail because no common proposal exists.
C. The routers will automatically fall back to IKEv1.
D. The routers will negotiate and use AES-128 with SHA-256.
Answer: B

Both sides must have at least one matching proposal for IKEv2 to establish.

Why this answer

IKEv2 negotiation requires that both peers have at least one matching proposal (encryption, integrity/hash, DH group, etc.) among their configured IKEv2 proposals. Since the local router offers AES-256/SHA-256 and the remote router only offers AES-128/SHA-1, there is no common proposal. IKEv2 does not perform automatic fallback or mixing of parameters; it simply fails if no match is found.

Exam trap

Cisco often tests the misconception that IKEv2 will automatically negotiate a 'best common' set of parameters or fall back to IKEv1, when in fact it requires an exact match on the entire proposal and has no backward compatibility with IKEv1.

How to eliminate wrong answers

Option A is wrong because IKEv2 does not allow one peer to override the other's proposal; negotiation is a matching process, not a strength-based override. Option C is wrong because IKEv2 and IKEv1 are separate protocols; there is no automatic fallback from IKEv2 to IKEv1 during negotiation—the administrator must explicitly configure IKEv1 if desired. Option D is wrong because IKEv2 does not mix parameters from different proposals; it requires an exact match on the entire proposal set (encryption AND hash), so AES-128 with SHA-256 is not a valid negotiated combination unless explicitly configured on both sides.

5
MCQ · easy

A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the security associations and error counters for the IPsec phase?

A. `show crypto ipsec sa`
B. `show crypto engine statistics`
C. `debug crypto isakmp`
D. `show crypto isakmp sa`
Answer: A

Displays IPsec security associations and packet/error counters.

Why this answer

The `show crypto ipsec sa` command displays the IPsec security associations (SAs) and their associated packet/byte counters, including error counters such as `pkts encaps failed` and `pkts decap failed`. This directly verifies the IPsec Phase 2 SAs and identifies failures in encryption/decryption or integrity checks, which is essential for troubleshooting a tunnel that fails to establish.

Exam trap

Cisco often tests the distinction between IKE Phase 1 (ISAKMP) and IPsec Phase 2 (IPsec SA) commands, so the trap here is that candidates confuse `show crypto isakmp sa` (Phase 1) with `show crypto ipsec sa` (Phase 2) when the question specifically asks about IPsec phase verification.

How to eliminate wrong answers

Option B is wrong because `show crypto engine statistics` shows the overall cryptographic hardware/software engine utilization and throughput, not per-SA IPsec phase details or error counters. Option C is wrong because `debug crypto isakmp` is a debug command that shows IKEv1/IKEv2 Phase 1 negotiation messages, not the IPsec Phase 2 SA state or error counters; it is disruptive and should not be used for initial verification. Option D is wrong because `show crypto isakmp sa` displays IKE Phase 1 security associations (ISAKMP SAs), not the IPsec Phase 2 SAs that are established after IKE negotiation completes.

6
Multi-Select · medium

Which TWO are valid methods for implementing Network Admission Control (NAC) in a Cisco environment?

Select 2 answers
A. 802.1X authentication
B. Dynamic ARP Inspection (DAI)
C. IP Source Guard
D. DHCP snooping
E. MAC Authentication Bypass (MAB)
Answers: A, E

802.1X is a standard for network access control.

Why this answer

802.1X authentication is a valid NAC method because it enforces port-based access control by requiring end devices to authenticate via EAP (Extensible Authentication Protocol) before gaining network access. It integrates with a RADIUS server (e.g., Cisco ISE) to validate credentials and dynamically assign VLANs or ACLs based on policy, making it a core NAC technology.

Exam trap

Cisco often tests the distinction between NAC enforcement mechanisms (like 802.1X and MAB) and Layer 2 security features (like DAI, IP source guard, and DHCP snooping), causing candidates to confuse port security or DHCP snooping with actual admission control methods.

7
MCQ · easy

A company wants to deploy a site-to-site VPN between two branch offices using Cisco IOS routers. The security policy requires that all traffic between the sites must be encrypted and authenticated using strong encryption. The engineer chooses IPsec with IKEv2. Which IPsec transform set configuration provides the strongest encryption and authentication?

A. `transform-set ESP-AES128 ESP-SHA-HMAC`
B. `transform-set ESP-AES256 ESP-SHA256-HMAC`
C. `transform-set ESP-DES ESP-MD5-HMAC`
D. `transform-set ESP-3DES ESP-SHA-HMAC`
Answer: B

AES-256 and SHA-256 provide strong encryption and authentication.

Why this answer

Option B is correct because it specifies AES-256 encryption, which is the strongest symmetric cipher available in IPsec transform sets, combined with ESP-SHA256-HMAC for integrity and authentication. IKEv2 supports these modern algorithms, and this configuration meets the requirement for strong encryption and authentication.

Exam trap

Cisco often tests the distinction between ESP-SHA-HMAC (which implies SHA-1) and ESP-SHA256-HMAC (which implies SHA-256), leading candidates to mistakenly choose the weaker SHA-1 option when 'strongest' is required.

How to eliminate wrong answers

Option A is wrong because AES-128 provides only 128-bit encryption, which is weaker than AES-256 and does not meet the 'strongest' requirement. Option C is wrong because DES uses a 56-bit key, which is cryptographically weak and easily broken, and MD5 is a deprecated hash algorithm with known collision vulnerabilities. Option D is wrong because 3DES, while stronger than DES, uses only 168-bit effective key strength and is considered legacy, and ESP-SHA-HMAC refers to SHA-1 (160-bit), which is no longer recommended due to collision attacks.

8
MCQ · medium

An engineer applies the ACL shown in the exhibit to the inbound direction of interface GigabitEthernet0/0. The goal is to block all traffic from host 10.1.1.100 to the 192.168.0.0/16 network. However, traffic from 10.1.1.100 to 192.168.1.1 is still being permitted. What is the most likely reason?

A. The deny entry should be placed after the permit entry
B. The ACL should be applied outbound instead of inbound
C. The ACL is applied in the wrong direction; it should be 'out'
D. The traffic from 10.1.1.100 is entering through a different interface
Answer: D

If the traffic does not enter via GigabitEthernet0/0, the ACL will not be applied to it.

Why this answer

Option D is correct because ACLs process traffic only on the interface and direction to which they are applied. If the ACL is applied inbound on GigabitEthernet0/0 but the traffic from host 10.1.1.100 to 192.168.1.1 enters through a different interface (e.g., GigabitEthernet0/1), the ACL will never evaluate that traffic, allowing it to pass. This is a fundamental behavior of interface-based ACL filtering in Cisco IOS.

Exam trap

The trap here is that candidates often assume an ACL applied inbound on one interface will filter all traffic from a source, but Cisco tests the understanding that ACLs are interface- and direction-specific, and traffic can bypass the ACL if it enters through a different interface.

How to eliminate wrong answers

Option A is wrong because the order of entries in an ACL is critical; the deny entry must be placed before any permit entries that could match the same traffic, but here the deny is already first, so moving it after would make the problem worse, not fix it. Option B is wrong because applying the ACL outbound instead of inbound would not help if the traffic is entering through a different interface; the ACL would still only filter traffic exiting that specific interface, not traffic entering elsewhere. Option C is wrong because the direction 'in' vs 'out' is irrelevant if the traffic never traverses the interface where the ACL is applied; the ACL must be placed on the interface where the traffic enters the router.

9
Multi-Select · medium

Which TWO of the following are valid methods for deploying Cisco Firepower Threat Defense (FTD) in high availability?

Select 2 answers
A. Active/Active failover
B. Clustering
C. Load balancing with an external load balancer
D. Active/Standby failover
E. StackWise
Answers: B, D

FTD supports clustering for high availability and scalability.

Why this answer

Cisco FTD supports high availability through Active/Standby failover (option D) and clustering (option B). Active/Standby failover provides stateful redundancy with one unit handling traffic while the other monitors and takes over upon failure. Clustering groups multiple FTD devices into a single logical unit for both high availability and scalability, distributing traffic across members.

Exam trap

Cisco often tests the misconception that FTD supports Active/Active failover like ASA, but FTD only supports Active/Standby failover and clustering for high availability.

10
MCQ · hard

A security engineer is configuring a Cisco Firepower Threat Defense (FTD) device managed by FMC. They want to create a rule that blocks access to social media applications regardless of port or protocol. Which policy should be used?

A. Intrusion Policy
B. Prefilter Policy
C. SSL Policy
D. Access Control Policy with Application and URL filtering
Answer: D

Access control policies can include application and URL conditions.

Why this answer

An Access Control Policy with Application and URL filtering is the correct choice because it allows the security engineer to create a rule that blocks social media applications based on application signatures, independent of the port or protocol used. This policy inspects traffic at Layer 7, using the Cisco Firepower application detector database to identify and block applications like Facebook or Twitter even if they use non-standard ports or encryption.

Exam trap

The trap here is that candidates often confuse Prefilter Policy (which is for fast-path or block based on IP/port) with application-level blocking, but Cisco tests that only an Access Control Policy with application filtering can block applications regardless of port or protocol.

How to eliminate wrong answers

Option A is wrong because an Intrusion Policy is designed to detect and prevent network-based attacks using signatures and vulnerabilities, not to block specific applications based on identity. Option B is wrong because a Prefilter Policy operates at Layer 3/4 to fast-path or block traffic based on IP addresses, ports, or protocols, and cannot perform application-level identification to block social media regardless of port. Option C is wrong because an SSL Policy is used to decrypt or inspect encrypted traffic, but it does not contain rules to block applications; application blocking requires an Access Control Policy with application filtering.

11
Drag & Drop · medium

Drag and drop the steps to configure a Cisco IOS router as a Zone-Based Firewall (ZBF) in the correct order.

Why this order

First assign interfaces to zones, then create class-map, policy-map, zone-pair, and apply the policy to the zone-pair.

12
MCQ · medium

A company has deployed Cisco AnyConnect VPN for remote access. They want to enforce that only company-managed devices with compliant antivirus and disk encryption can connect. Which solution should be added to the ASA?

A. Cisco Identity Services Engine (ISE) with posture assessment
B. Cisco Firepower Threat Defense (FTD) with intrusion policy
C. Cisco Umbrella with DNS filtering
D. Cisco Stealthwatch with NetFlow
Answer: A

ISE performs posture checks to ensure devices meet compliance requirements.

Why this answer

Cisco ISE with posture assessment is the correct solution because it integrates with the ASA to enforce endpoint compliance before granting VPN access. Posture assessment checks for specific conditions such as antivirus status, disk encryption, and OS patch levels, ensuring only company-managed devices that meet security policies can connect via AnyConnect.

Exam trap

Cisco often tests the distinction between network security controls (like IPS, DNS filtering, or flow analysis) and endpoint compliance enforcement, leading candidates to confuse a posture assessment requirement with a general security appliance.

How to eliminate wrong answers

Option B is wrong because Firepower Threat Defense (FTD) with intrusion policy focuses on network-based threat detection and prevention (e.g., IPS/IDS), not on endpoint compliance checks like antivirus or disk encryption. Option C is wrong because Cisco Umbrella with DNS filtering provides cloud-delivered security by blocking malicious domains and enforcing web policies, but it does not assess the posture of the connecting device. Option D is wrong because Cisco Stealthwatch with NetFlow is used for network visibility and anomaly detection through flow analysis, not for enforcing endpoint security requirements like antivirus or encryption.

13
MCQ · medium

A remote user is unable to connect to the corporate VPN using Cisco AnyConnect. The user has internet access and can reach the ASA's public IP. The ASA administrator checks and sees that the remote access VPN configuration is correct. What is the most likely client-side issue?

A. The client is using an outdated version of AnyConnect.
B. The client's DNS is not resolving the VPN hostname.
C. The client's firewall is blocking TCP port 443.
D. The client's certificate is expired or not trusted.
Answer: D

Certificate authentication failure is a common cause when ASA configuration is correct.

Why this answer

The user can reach the ASA's public IP and has internet access, which rules out basic connectivity issues. Since the ASA's VPN configuration is correct, the problem is likely on the client side. A common cause is an expired or untrusted certificate, as AnyConnect uses certificate-based authentication for the SSL/TLS handshake; if the client does not trust the server's certificate or the client's own certificate is expired, the VPN tunnel will fail to establish.

Exam trap

Cisco often tests the distinction between network-layer reachability (IP connectivity) and application-layer authentication (certificate trust), leading candidates to incorrectly choose firewall or DNS issues when the user can already reach the ASA's IP.

How to eliminate wrong answers

Option A is wrong because an outdated AnyConnect version typically causes feature incompatibility or connection failures only if the ASA requires a specific minimum version, but the question states the ASA configuration is correct and does not mention version mismatch; the user can reach the ASA's public IP, so the client is likely running a supported version. Option B is wrong because the user can reach the ASA's public IP directly, meaning DNS resolution is not required for the connection; if the hostname were used, DNS failure would prevent reaching the IP, but the user has already reached the IP. Option C is wrong because TCP port 443 is the default HTTPS port for AnyConnect SSL VPN; if the client's firewall were blocking TCP 443, the user would not be able to reach the ASA's public IP (since HTTPS traffic uses port 443), but the user can reach the IP, indicating port 443 is open.

14
Multi-Select · hard

A company is designing a remote access VPN solution using Cisco ASA with load balancing. Which three features are essential for high availability and redundancy? (Choose three.)

Select 3 answers
A. Failover
B. Object tracking
C. Split tunneling
D. AnyConnect profiles
E. Clustering
Answers: A, B, E

Failover provides active/standby redundancy, ensuring seamless failover if the active unit fails.

Why this answer

Failover is essential for high availability in Cisco ASA remote access VPN solutions. It allows a standby ASA to take over seamlessly if the primary unit fails, maintaining VPN sessions and ensuring uninterrupted remote access. This is achieved through stateful or stateless failover, where configuration and connection state are synchronized between the paired units.

Exam trap

Cisco often tests the distinction between features that provide redundancy (failover, clustering, object tracking) versus features that improve user experience or configuration convenience (split tunneling, AnyConnect profiles), leading candidates to mistakenly select the latter.

15
MCQ · medium

A company is deploying a new ASA firewall in a DMZ design. They need to allow web traffic from the internet to a web server in the DMZ, while also permitting outbound traffic from the DMZ to the internet for software updates. Which access control approach best meets these requirements with minimal risk?

A. Create an ACL that permits all inbound and outbound traffic between the DMZ and the internet.
B. Create an ACL that permits established connections inbound, and allows HTTP/HTTPS from the DMZ to the internet with application inspection.
C. Create an ACL that permits inbound web traffic to the DMZ server and permits all outbound traffic from the DMZ with no inspection.
D. Create an ACL that permits inbound web traffic to the DMZ server and denies all outbound traffic from the DMZ.
Answer: B

Balances security and functionality by inspecting traffic and limiting outbound to necessary services.

Why this answer

Option B is correct because it uses the 'established' keyword to allow return traffic for inbound web connections while explicitly permitting outbound HTTP/HTTPS with application inspection. This minimizes risk by not blindly allowing all outbound traffic, and inspection ensures protocol compliance and stateful tracking.

Exam trap

Cisco often tests the misconception that simply allowing 'established' connections is sufficient for outbound traffic, but the trap here is that the question explicitly requires outbound HTTP/HTTPS for updates, which must be explicitly permitted and inspected, not just allowed as return traffic.

How to eliminate wrong answers

Option A is wrong because permitting all inbound and outbound traffic between DMZ and internet violates the principle of least privilege and creates a massive security risk. Option C is wrong because permitting all outbound traffic from DMZ with no inspection bypasses security controls, allowing potential malware exfiltration or unauthorized protocols. Option D is wrong because denying all outbound traffic from DMZ would prevent the required software updates, failing to meet the requirement.

16
MCQ · hard

A university is deploying 802.1X authentication for wired access using Cisco ISE. The network consists of Cisco Catalyst switches. The authentication is working for most users, but some users in a specific building are experiencing frequent authentication failures, especially during peak hours. The switches in that building are configured with RADIUS settings pointing to ISE. ISE logs show that authentication requests are being sent but sometimes time out. The network team suspects that the issue is related to RADIUS server load balancing, as the ISE deployment includes two nodes in a distributed model. What is the most likely cause of the timeouts?

A. The RADIUS shared secret is misconfigured on some switches.
B. The switches are not configured with the correct VLAN assignments.
C. The switches are using the wrong RADIUS accounting port.
D. The ISE nodes are not configured for load balancing, causing one node to be overwhelmed.
Answer: D

Without load balancing, all requests may go to one node, causing overload and timeouts during peak times.

Why this answer

Option D is correct because the symptoms—intermittent timeouts during peak hours in a specific building—point to a load-balancing issue. In a distributed ISE deployment, if the switches are not configured with multiple RADIUS server entries or if ISE nodes are not properly load-balanced (e.g., using a single primary server or missing secondary server configuration), one node can become overwhelmed with authentication requests, leading to timeouts. The fact that authentication works for most users but fails during peak hours in one building strongly suggests that the switches in that building are sending all requests to a single ISE node that cannot handle the load.

Exam trap

Cisco often tests the distinction between authentication failures caused by misconfiguration (e.g., shared secret, VLAN) versus performance-related timeouts due to load balancing, tempting candidates to pick a configuration error when the real issue is capacity or distribution.

How to eliminate wrong answers

Option A is wrong because a misconfigured RADIUS shared secret would cause consistent authentication failures for all users on the affected switches, not intermittent timeouts during peak hours. Option B is wrong because incorrect VLAN assignments would result in successful authentication but incorrect network access (e.g., wrong VLAN), not RADIUS timeouts. Option C is wrong because the RADIUS accounting port (typically UDP 1813) is used for accounting messages, not authentication; authentication uses UDP 1812, and a misconfigured accounting port would not cause authentication timeouts.

17
Multi-Select · hard

Which TWO are valid considerations for deploying Cisco Firepower NGIPS with inline mode? (Choose two.)

Select 2 answers
A. Inline mode automatically decrypts SSL traffic without configuration.
B. The IPS engine inspects all traffic regardless of prefilter policies.
C. Inline interfaces can drop malicious packets based on signatures and anomalies.
D. Inline mode requires the use of passive interfaces for failover.
E. Hardware bypass is supported on specific Firepower appliances to ensure network continuity during device failure.
Answers: C, E

Inline mode enables dropping of traffic.

Why this answer

Option C is correct because inline mode in Cisco Firepower NGIPS allows the system to actively drop malicious packets based on signature matches and anomaly detection. Unlike passive monitoring, inline interfaces sit directly in the traffic path, enabling the IPS engine to enforce blocking actions in real time.

Exam trap

Cisco often tests the misconception that inline mode automatically inspects all traffic, but candidates must remember that prefilter policies can bypass the IPS engine entirely, and SSL decryption is never automatic.

18
MCQ · hard

In a Cisco TrustSec deployment, security group tags (SGTs) are used to represent user and device roles. These tags must be propagated across the network. Which protocol is used to carry SGT information in Ethernet frames?

A. MPLS
B. VXLAN
C. GRE
D. IEEE 802.1Q with SGT encapsulation (Cisco proprietary)
Answer: D

Cisco TrustSec uses SGT over 802.1Q or other L2 methods.

Why this answer

Cisco TrustSec uses SGTs to enforce role-based access control. To propagate SGT information across the network, Cisco developed a proprietary extension to IEEE 802.1Q that embeds the SGT into the Ethernet frame header, specifically using the CMD (Cisco MetaData) field. This allows switches and routers to enforce security policies based on the SGT without requiring additional encapsulation overhead.

Exam trap

Cisco often tests the distinction between standard 802.1Q and the proprietary SGT extension, and the trap here is that candidates may confuse VXLAN's Group Policy ID (GPID) with the native Ethernet frame method, or assume MPLS or GRE are used for SGT transport because they are common encapsulation protocols.

How to eliminate wrong answers

Option A is wrong because MPLS (Multiprotocol Label Switching) is a label-switching mechanism used for traffic engineering and VPNs, not for carrying SGT information in Ethernet frames; TrustSec does not use MPLS for SGT propagation. Option B is wrong because VXLAN (Virtual Extensible LAN) is a network virtualization overlay protocol that encapsulates Layer 2 frames in UDP, but it is not the native method for carrying SGTs in Ethernet frames; while VXLAN can carry group policy information via the Group Policy ID (GPID) field, the question specifically asks for the protocol used in Ethernet frames, which is the Cisco proprietary 802.1Q extension. Option C is wrong because GRE (Generic Routing Encapsulation) is a tunneling protocol used to encapsulate packets for transport across IP networks, but it is not designed to carry SGT metadata within Ethernet frames.

19
Multi-Select · easy

Which TWO of the following are required to configure a site-to-site IPsec VPN on a Cisco IOS router?

Select 2 answers
A. ISAKMP policy
B. ACL to define interesting traffic
C. NAT exemption for VPN traffic
D. AAA new-model
E. DHCP pool for remote clients
Answers: A, B

ISAKMP policy is required for IKE phase 1 negotiation.

Why this answer

ISAKMP (Internet Security Association and Key Management Protocol) policy is required to define the parameters for Phase 1 of an IPsec VPN, including encryption, authentication, Diffie-Hellman group, and lifetime. Without an ISAKMP policy, the router cannot establish the secure management tunnel needed to negotiate IPsec Security Associations (SAs).

Exam trap

Cisco often tests the distinction between mandatory and optional components, so the trap here is that candidates may think NAT exemption or AAA is always required, when in fact they are only needed in specific scenarios (e.g., overlapping subnets or centralized authentication).

20
MCQ · medium

Refer to the exhibit. An ASA is configured with the above access-list and NAT rule. A web server is reachable from the internet via the public IP 203.0.113.10. However, internal users from the inside network cannot access the web server using its public IP address. What is the most likely cause?

A. The NAT rule is missing a static NAT for the server.
B. The access-list does not permit traffic from inside to outside for that destination.
C. The interface ACL is applied inbound on the inside interface.
D. The default route is missing.
Answer: A

Without a static NAT, internal users cannot access the server via the public IP due to lack of hairpinning.

Why this answer

The correct answer is A because the NAT rule shown is a static NAT for the web server, but it is missing the 'static' keyword or the bidirectional mapping required for internal users to reach the server using its public IP. Without a proper static NAT (e.g., 'nat (inside,outside) static 192.168.1.10 service tcp www www'), the ASA does not translate the source IP of internal traffic destined to 203.0.113.10 back to the server's private IP, causing the traffic to be dropped or misrouted.

Exam trap

The trap here is that candidates assume a single static NAT rule automatically handles all traffic directions, but Cisco tests the nuance that internal-to-internal traffic via the public IP requires explicit NAT configuration (often called 'NAT reflection' or 'hairpinning'), which is not implied by a basic static NAT.

How to eliminate wrong answers

Option B is wrong because the access-list shown permits traffic from inside to outside for the web server's public IP (203.0.113.10) on port 80, so the ACL is not the issue. Option C is wrong because the exhibit does not show an interface ACL applied inbound on the inside interface; the ACL shown is likely a global or NAT-related ACL, and an inbound ACL on the inside would block traffic from inside to outside if it denied the traffic, but no such ACL is indicated. Option D is wrong because a missing default route would affect all outbound traffic, not specifically the ability to reach the web server via its public IP from inside; the server is reachable from the internet, so routing to the public IP is functional.
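Added example (the exhibit itself is not reproduced on this page): an ASA 8.3+ configuration that publishes the web server with a static object NAT and then adds the separate twice-NAT rule that lets inside hosts reach the server through its public address, which is the hairpinning the explanation refers to. 203.0.113.10 and TCP/80 come from the question; the inside subnet, the server's real address and the object names are constructed.

```cisco
! Real server and its one-to-one static NAT towards the outside (inbound publishing)
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10 service tcp www www
!
! On 8.3+ the interface ACL references the real (untranslated) address
access-list OUTSIDE-IN extended permit tcp any object WEB-SERVER eq www
access-group OUTSIDE-IN in interface outside
!
! --- Hairpinning: inside client -> 203.0.113.10 -> back to the inside server ---
! 1. allow a flow to enter and leave the same interface
same-security-traffic permit intra-interface
!
! 2. objects used by the twice-NAT rule (constructed)
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network WEB-SERVER-PUBLIC
 host 203.0.113.10
!
! 3. destination 203.0.113.10 is rewritten to the real server; the source is
!    PATed to the inside interface address so the server's reply returns via
!    the ASA instead of going straight back to the client (asymmetric path)
nat (inside,inside) source dynamic INSIDE-NET interface destination static WEB-SERVER-PUBLIC WEB-SERVER
```

`packet-tracer input inside tcp 192.168.1.50 1025 203.0.113.10 80` walks the flow through both NAT rules and shows exactly which phase (NAT, ACL or routing) would drop it if the hairpin rule were missing.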

21
Multi-Select · medium

Which TWO are best practices for securing Cisco ASA remote access VPN? (Choose two.)

Select 2 answers
A. Disable clientless SSL VPN to force full-tunnel client.
B. Use pre-shared keys for user authentication to simplify deployments.
C. Enforce multi-factor authentication (MFA) for VPN users.
D. Use L2TP/IPsec for legacy compatibility.
E. Implement split-tunneling only for trusted networks and applications.
Answers: C, E

MFA adds a security layer beyond passwords.

Why this answer

Option C is correct because enforcing multi-factor authentication (MFA) for VPN users adds an additional layer of security beyond just a password, significantly reducing the risk of credential theft and unauthorized access. Cisco ASA supports MFA integration with RADIUS servers (e.g., Cisco ISE, Duo Security) that can require a one-time password (OTP) or push notification, aligning with the principle of defense-in-depth for remote access VPNs.

Exam trap

Cisco often tests the misconception that disabling clientless SSL VPN or using pre-shared keys simplifies security, when in fact these options either do not enforce full-tunnel behavior or introduce significant authentication weaknesses.

22
MCQ · hard

A financial institution uses Cisco Firepower Threat Defense (FTD) for intrusion prevention and SSL decryption. The security team recently enabled SSL decryption on the FTD to inspect encrypted traffic. After the change, some internal applications that use client certificates for authentication stopped working. The FMC shows that SSL decryption is configured to inspect traffic to specific destination IPs. The applications are using a custom port (TCP 8443) for HTTPS. The administrator has already added the custom port to the SSL decryption policy. What is the most likely reason the applications are failing?

A. The applications are using client certificates, and the FTD is unable to re-encrypt with the original client certificate.
B. The applications are using IPsec, not SSL.
C. The internal CA certificate is not trusted by the FTD.
D. The FTD is not configured to inspect traffic on port 8443.
Answer: A

SSL decryption terminates the original SSL session, so client certificates are lost and cannot be passed to the server.

Why this answer

When FTD performs SSL decryption, it acts as a man-in-the-middle: it terminates the client's SSL connection, inspects the plaintext, and then initiates a new SSL connection to the server. If the client application presents a client certificate for authentication, the FTD cannot re-encrypt the new connection with that same client certificate because it does not have access to the client's private key. The server then rejects the re-encrypted connection, causing the application to fail.

Exam trap

Cisco often tests the misconception that adding the custom port to the SSL decryption policy is sufficient, when the real issue is the FTD's inability to re-encrypt with the original client certificate during mutual TLS authentication.

How to eliminate wrong answers

Option B is wrong because IPsec operates at Layer 3 and is not inspected by SSL decryption policies; the question explicitly states the applications use HTTPS on TCP 8443, which is SSL/TLS-based. Option C is wrong because the internal CA certificate not being trusted by the FTD would cause certificate validation errors for the server certificate, not specifically break client certificate authentication; the FTD can still forward client certificates if it has the private key, but the core issue is the inability to re-encrypt with the original client certificate. Option D is wrong because the administrator has already added the custom port (TCP 8443) to the SSL decryption policy, so the FTD is configured to inspect traffic on that port.

23
MCQ · hard

A company uses FMC to manage FTD devices. After deploying a new intrusion policy, the analyst sees that no events are generated for a known vulnerability, even though the policy includes a rule for it. The analyst checks and the rule is enabled and the policy is applied. What is the most likely cause?

A. The rule is configured to 'Drop and Generate Events' but the device is in inline tap mode.
B. The device has not been rebooted after policy deployment.
C. The access control policy before the intrusion policy is blocking traffic.
D. The intrusion policy rule has a false-positive suppression.
Answer: C

If an access control rule denies or fast-paths traffic, it never reaches the intrusion policy for inspection.

Why this answer

Option C is correct because in a Cisco Firepower deployment, the access control policy (ACP) is evaluated before the intrusion policy. If the ACP is configured to block traffic matching the vulnerability's characteristics, the traffic never reaches the intrusion policy for inspection, so no intrusion events are generated even if the intrusion rule is enabled and applied.

Exam trap

The trap here is that candidates assume an enabled intrusion rule guarantees event generation, forgetting that the access control policy acts as a gatekeeper that can block traffic before it reaches the intrusion engine.

How to eliminate wrong answers

Option A is wrong because inline tap mode allows traffic to pass through without being dropped, but it still generates events; 'Drop and Generate Events' in inline tap mode would still generate events, not suppress them. Option B is wrong because FTD devices do not require a reboot after policy deployment; changes are applied via the Snort process restart or policy reload, not a full device reboot. Option D is wrong because false-positive suppression would suppress events for a rule that is generating alerts, but the scenario states no events are generated at all, indicating the traffic never reaches the intrusion rule, not that events are suppressed after generation.

24
Multi-Select · medium

Which THREE are valid components of an IKEv2 exchange? (Choose three.)

Select 3 answers
A. Aggressive Mode exchange
B. Main Mode exchange
C. IKE_SA_INIT exchange
D. IKE_AUTH exchange
E. INFORMATIONAL exchange
Answers: C, D, E

IKE_SA_INIT is the first pair of messages, used to negotiate cryptographic parameters and exchange nonces.

Why this answer

IKEv2 simplifies the Internet Key Exchange process by using only two exchanges to establish an IPsec security association: the IKE_SA_INIT exchange (for negotiating cryptographic parameters and exchanging Diffie-Hellman public values) and the IKE_AUTH exchange (for authenticating the peers and establishing the first child SA). These are the mandatory exchanges defined in RFC 7296, making options C and D correct. The INFORMATIONAL exchange is also a valid component of IKEv2, used for error reporting and deleting SAs, which is why option E is correct.

Exam trap

Cisco often tests the distinction between IKEv1 and IKEv2 phases, and the trap here is that candidates familiar with IKEv1 mistakenly select Main Mode or Aggressive Mode as valid IKEv2 components, not realizing IKEv2 uses entirely different exchange names.

25
Multi-Select · hard

Which THREE of the following are features of Cisco Identity Services Engine (ISE) that can be used to enforce network access control?

Select 3 answers
A. Profiling
B. Posture assessment
C. Guest access management
D. Application visibility
E. NetFlow analysis
Answers: A, B, C

ISE can profile endpoints to identify device type and OS.

Why this answer

Profiling is a core ISE feature that uses passive and active fingerprinting techniques (e.g., DHCP, HTTP, SNMP, NetFlow) to identify endpoint attributes such as operating system, device type, and MAC vendor. This identity context allows ISE to enforce granular access policies based on the device class, such as blocking IoT sensors from reaching critical servers.

Exam trap

Cisco often tests the distinction between ISE's identity-based enforcement features (profiling, posture, guest) and network-layer monitoring tools (NetFlow, application visibility) that belong to other products like Stealthwatch or Firepower.

26
MCQ · easy

A network engineer is troubleshooting an issue where an endpoint is failing to authenticate via 802.1X on a Cisco switch. The switch port is in unauthorized state. Which step should the engineer take first to identify the root cause?

A. Check the switch's RADIUS server reachability.
B. Check the ISE authentication logs for failure reasons.
C. Check the endpoint's supplicant configuration.
D. Check the CA server for certificate issues.
Answer: B

ISE logs provide detailed failure reasons, often indicating the exact step where authentication fails. This is the best first step.

Why this answer

The correct first step is to check the ISE authentication logs for failure reasons because the switch port is already in an unauthorized state, meaning the 802.1X authentication process has failed. ISE (the RADIUS server) logs provide the most granular failure reason, such as invalid credentials, unknown client, or EAP method mismatch, which directly pinpoints the root cause. Checking the switch's RADIUS reachability or endpoint configuration would be premature without first understanding why authentication was denied.

Exam trap

Cisco often tests the principle of 'start at the most specific source of truth'—the trap here is that candidates jump to checking network connectivity (Option A) or client configuration (Option C) without first consulting the authentication server logs, which contain the definitive failure reason.

How to eliminate wrong answers

Option A is wrong because checking RADIUS server reachability from the switch is a lower-layer connectivity check that would not explain why authentication failed if the server is reachable; the switch port being unauthorized indicates the RADIUS server likely received and rejected the request. Option C is wrong because checking the endpoint's supplicant configuration is a valid step but should come after reviewing the authentication logs to confirm whether the failure is client-side or server-side. Option D is wrong because checking the CA server for certificate issues is only relevant if EAP-TLS or a certificate-based method is used, and it is not the first step without knowing the failure reason from ISE logs.

27
MCQ · easy

An administrator is troubleshooting authentication failures for VPN users. The RADIUS server is reachable via ping, but users receive 'AAA authentication failed'. Which command should be used to test communication with the RADIUS server?

A. aaa new-model
B. show radius server statistics
C. test aaa group radius user password
D. debug radius authentication
Answer: C

This command simulates RADIUS authentication to verify server reachability and credentials.

Why this answer

Option C is correct because the 'test aaa group radius user password' command is specifically designed to simulate an authentication attempt against a RADIUS server, allowing the administrator to verify whether the RADIUS server is properly processing credentials. Since the RADIUS server is reachable via ping but users still fail, this command isolates whether the issue lies in the AAA authentication process itself, such as incorrect shared secret, user credentials, or RADIUS attribute mismatches.

Exam trap

The trap here is that candidates often confuse reachability (ping) with successful AAA authentication, or they select 'debug radius authentication' thinking it will test the server, when in fact debug commands only observe traffic and do not initiate a test transaction.

How to eliminate wrong answers

Option A is wrong because 'aaa new-model' enables AAA on the device but does not test existing communication with a RADIUS server; it is a configuration command, not a diagnostic one. Option B is wrong because 'show radius server statistics' displays historical counters for RADIUS transactions (e.g., timeouts, retransmissions) but does not perform a live authentication test to validate credentials or shared secret. Option D is wrong because 'debug radius authentication' enables real-time logging of RADIUS exchanges, which can help observe failures but does not actively test authentication; it requires a live user attempt and can be disruptive in production due to high CPU usage.
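Added example (not from the question bank) showing the configuration context in which the `test aaa group` command is used on a Cisco IOS router: the RADIUS server definition, the server group and the login method list, followed by the diagnostic commands from this question in the order an engineer would reach for them. The ISE address, group and list names, the test user and the secret/password placeholders are constructed assumptions.

```cisco
aaa new-model
!
! RADIUS server definition (ISE PSN address and shared secret are placeholders)
radius server ISE-PSN1
 address ipv4 10.1.1.5 auth-port 1812 acct-port 1813
 key <SHARED-SECRET-PLACEHOLDER>
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
! VPN logins are checked against the group; "local" is consulted only when
! no server answers, an Access-Reject from ISE does not fall through to it
aaa authentication login VPN-LOGIN group ISE-GROUP local
!
! --- Diagnostics, all entered in privileged exec mode, not config mode ---
! Synthetic authentication: the router itself builds the Access-Request, so
! a wrong shared secret or bad credentials are visible without a live user
test aaa group ISE-GROUP vpntest <TEST-PASSWORD> new-code
!
! Counters only (round trips, timeouts, retransmits); no transaction is sent
show radius statistics
!
! Observe a real attempt packet by packet; verbose, avoid on a busy router
debug radius authentication
```

A reachable server that answers the test with a reject while the counters show no timeouts points at credentials or the shared secret; timeouts with ping working usually mean UDP 1812 is filtered or the server does not know this router as a network device.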

28
MCQ · medium

A network engineer is troubleshooting an issue where users on VLAN 10 cannot access the internet, but they can reach internal resources. The firewall is configured with a default route pointing to the ISP router. The engineer notices that NAT is configured but traffic is not being translated. Which configuration is most likely missing?

A. An ACL to match the traffic to be translated
B. A NAT pool with available public IP addresses
C. Port Address Translation (PAT) configuration
D. A route map to apply NAT based on destination
Answer: A

The ACL defines interesting traffic for NAT; without it, no packets are matched for translation.

Why this answer

For NAT to translate traffic, the firewall must know which traffic to translate. An ACL is used to match the source IP addresses (or networks) that should be translated. Without an ACL applied to the NAT rule, the firewall has no criteria to identify traffic from VLAN 10 for translation, so packets are forwarded without NAT, causing internet access to fail while internal routing works.

Exam trap

Cisco often tests the misconception that simply enabling NAT or PAT is enough, but the ACL is the critical component that defines the traffic to be translated, and candidates may overlook it because they assume NAT applies to all traffic by default.

How to eliminate wrong answers

Option B is wrong because a NAT pool is only needed for dynamic NAT with a range of public IPs; for typical PAT (overload) to a single interface IP, no pool is required. Option C is wrong because PAT is a type of NAT (often configured with 'overload'), but the core missing piece is the ACL to define which traffic is translated; PAT configuration alone does not specify the traffic. Option D is wrong because a route map for NAT based on destination is an advanced feature (e.g., policy NAT) and is not required for basic source NAT; the standard approach uses an ACL to match source addresses.
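Added example (not the device configuration from the question): the VLAN 10 scenario on a Cisco IOS router, first in the broken state where the overload statement names an ACL that does not exist, then with the missing ACL added. Interface names, addresses and the next hop are constructed assumptions.

```cisco
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description Link to ISP (constructed address)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
! BROKEN: the overload statement references an ACL that was never created, so
! no packet ever matches and nothing is translated. Internal routing still
! works because it never needs NAT; Internet-bound packets leave with a
! private source address and never get a reply.
ip nat inside source list NAT-VLAN10 interface GigabitEthernet0/0 overload
!
! FIX: the ACL is what selects VLAN 10 as the traffic to translate
ip access-list standard NAT-VLAN10
 permit 192.168.10.0 0.0.0.255
!
! Verify in exec mode:
!   show ip nat statistics      - "Hits" should climb once the ACL exists
!   show ip nat translations    - one entry per inside flow
```

`show ip nat statistics` also prints the inside/outside interface list, which catches the other common cause of "NAT configured but not translating": a missing `ip nat inside` or `ip nat outside` on one of the interfaces.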

29
Matching · medium

Match each Cisco ASA feature to its description.


Concepts
Matches

Modular Policy Framework for traffic inspection

High availability with active/standby or active/active

Graphical management interface

Command-line interface for configuration

VPN client for remote access

Why these pairings

These are common ASA features and their definitions.

30
MCQ · hard

A multinational company has deployed a Cisco Firepower 4100 series device as the perimeter firewall. The network consists of multiple internal segments: a corporate LAN (192.168.1.0/24), a data center (10.10.0.0/16), and a guest wireless network (172.16.0.0/16). The firewall is configured with the following access control policy rules:
1. Allow from any to any (for testing, but currently enabled)
2. Allow from corporate LAN to data center (destination ports TCP/443, TCP/8443)
3. Block from guest wireless to data center
4. Allow from any to internet (destination any)
Recently, the security team discovered that a host in the guest network (172.16.5.50) is communicating with a server in the data center (10.10.10.100) on TCP port 443. The security team wants to immediately block this traffic without affecting other legitimate communications. Which action should be taken first?

A. Move rule 3 (block guest to data center) above rule 1 (allow all)
B. Modify rule 2 to include a deny for the guest subnet
C. Change rule 4 to block all traffic from guest network
D. Add a new rule after rule 4 to block the specific traffic
Answer: A

This ensures the block rule is evaluated before the allow rule, stopping the traffic.

Why this answer

Rule 1 is an 'allow any any' rule placed above rule 3, which is supposed to block guest-to-data-center traffic. Because Cisco Firepower processes access control rules in top-down order, rule 1 matches and permits the traffic before rule 3 can be evaluated. Moving rule 3 above rule 1 ensures the block action is applied first, immediately stopping the unwanted communication without altering other rules.

Exam trap

Cisco often tests the concept that a default 'allow any' rule placed above more specific deny rules will negate those denies, and candidates mistakenly think adding a new rule or modifying an existing rule later in the policy will override the earlier match.

How to eliminate wrong answers

Option B is wrong because modifying rule 2 to deny the guest subnet would break the intended allow rule for corporate LAN to data center, and it would not block the specific traffic unless the deny is placed before the allow, which still requires reordering. Option C is wrong because changing rule 4 to block all traffic from guest network would also block legitimate guest internet access, violating the requirement to not affect other communications. Option D is wrong because adding a new rule after rule 4 would never be evaluated for this traffic, as rule 1 (allow any any) already permits it earlier in the sequence.

31
MCQ · hard

A network administrator is configuring IKEv2 on a Cisco router and wants to ensure that the router does not initiate connections but only responds to incoming IKEv2 requests. Which configuration command should be applied?

A. crypto ikev2 no initiate
B. crypto ikev2 passive
C. crypto ikev2 limit max-incoming-sa 10
D. crypto ikev2 limit max-negotiations 10
Answer: B

This command disables IKEv2 initiation, making the router respond-only.

Why this answer

The 'crypto ikev2 passive' command configures the router to only respond to incoming IKEv2 requests and never initiate its own IKEv2 connections. This is essential for scenarios where the router must act as a responder only, such as in hub-and-spoke VPN topologies where the hub should not initiate tunnels.

Exam trap

Cisco often tests the distinction between 'passive' mode and other IKEv2 limit commands, where candidates mistakenly choose a limit-based command (like max-incoming-sa or max-negotiations) thinking it prevents initiation, but only 'passive' actually stops the router from sending initial IKEv2 messages.

How to eliminate wrong answers

Option A is wrong because 'crypto ikev2 no initiate' is not a valid Cisco IOS command; the correct syntax uses the 'passive' keyword. Option C is wrong because 'crypto ikev2 limit max-incoming-sa 10' limits the number of incoming security associations, but does not prevent the router from initiating IKEv2 connections. Option D is wrong because 'crypto ikev2 limit max-negotiations 10' limits the number of simultaneous IKEv2 negotiations, but does not prevent the router from acting as an initiator.
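Added example (not from the question bank): a minimal FlexVPN hub on a Cisco IOS router that terminates spoke tunnels on a virtual template and is made responder-only with `crypto ikev2 passive`, the command from this question. Proposal, policy, keyring, profile and interface names, the loopback address and the pre-shared-key placeholder are constructed assumptions; the hub-and-spoke use case is the one the explanation describes.

```cisco
! IKEv2 proposal and policy: what the hub offers in IKE_SA_INIT
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-DEFAULT
 proposal PROP-AES256
!
! Accept any spoke address with a pre-shared key (placeholder)
crypto ikev2 keyring KR-SPOKES
 peer ANY-SPOKE
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PSK-PLACEHOLDER>
!
crypto ikev2 profile PROF-HUB
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SPOKES
 virtual-template 1
!
crypto ipsec profile IPSEC-PROF
 set ikev2-profile PROF-HUB
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! One virtual-access interface is cloned from this template per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! Responder-only: the hub never sends an IKE_SA_INIT request, spokes must
! initiate. The "crypto ikev2 limit" commands cap how many SAs or
! negotiations are accepted; they do not change the initiator role.
crypto ikev2 passive
```

With `passive` set, `show crypto ikev2 sa` on the hub should only ever show sessions whose remote side is the initiator; a spoke that is also configured passive will never bring the tunnel up, which is the symptom to check first when a spoke stays down after this change.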

32
MCQ · easy

A large enterprise uses Cisco Firepower Threat Defense (FTD) as its next-generation firewall. The network team recently deployed a new application that uses HTTPS for all communications. Users report that the application is slow and sometimes fails to load pages. The security team suspects that SSL inspection might be causing the issue. The FTD is configured with an SSL policy that decrypts all HTTPS traffic using a self-signed certificate. The internal CA is not trusted by the application servers. Which action should the engineer take to resolve the performance and connectivity issues while maintaining security visibility?

A. Increase the SSL decryption resources by adding more FTD modules.
B. Create an SSL decryption bypass rule for the specific application servers' IP addresses.
C. Install the internal CA certificate on all application servers.
D. Disable SSL inspection globally on the FTD.
Answer: B

Allows trusted traffic to pass without inspection, reducing load and avoiding certificate errors.

Why this answer

Option B is correct because the application servers do not trust the FTD's self-signed certificate, causing SSL/TLS handshake failures or performance degradation due to certificate validation errors and renegotiation. By creating an SSL decryption bypass rule for the specific application servers' IP addresses, the engineer exempts that traffic from inspection, resolving connectivity and performance issues while still inspecting other HTTPS traffic for security visibility.

Exam trap

Cisco often tests the misconception that performance issues from SSL inspection are always due to resource exhaustion, leading candidates to choose scaling solutions (Option A) instead of recognizing that certificate trust mismatches cause handshake failures and retransmissions.

How to eliminate wrong answers

Option A is wrong because adding more FTD modules increases processing capacity but does not address the root cause: the application servers reject the self-signed certificate, leading to handshake failures regardless of resources. Option C is wrong because installing the internal CA certificate on application servers would require trust configuration on external or third-party servers, which is often impractical or outside the enterprise's control, and does not fix the immediate performance issue caused by SSL inspection overhead. Option D is wrong because disabling SSL inspection globally removes security visibility for all HTTPS traffic, which is excessive and violates the requirement to maintain security visibility.

33
Drag & Drop · medium

Drag and drop the steps to configure a Cisco router as a DHCP server in the correct order.


Steps
Order

Why this order

First create the pool, then define the network, then set options such as default-router and dns-server; excluded addresses can be configured either before or after the pool.
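Added example (not the answer key's own configuration) carrying the steps above through on a Cisco IOS router, with the exclusion placed first to show that its position relative to the pool does not matter. Pool name, subnet, DNS addresses, domain and lease length are constructed assumptions.

```cisco
! Addresses that must never be leased (gateway, static servers). IOS applies
! the exclusion to whichever pool covers the range, so it can be entered
! before or after the pool definition.
ip dhcp excluded-address 192.168.10.1 192.168.10.20
!
! Step 1: create the pool
ip dhcp pool VLAN10-POOL
 ! Step 2: the network the pool serves
 network 192.168.10.0 255.255.255.0
 ! Step 3: options handed to clients
 default-router 192.168.10.1
 dns-server 10.1.1.53 10.1.1.54
 domain-name corp.example.com
 lease 0 8
!
! The router selects a pool by matching the receiving interface's address
! against the pool network, so the SVI must sit inside 192.168.10.0/24
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
! Verify in exec mode:
!   show ip dhcp binding
!   show ip dhcp pool VLAN10-POOL
```

`lease 0 8` is days/hours, i.e. an eight-hour lease; shorter leases make the exclusion and pool size mistakes (a pool that is exhausted by stale bindings) surface in `show ip dhcp pool` much sooner.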

34
MCQ · easy

An administrator is configuring a Cisco ASA 5500-X to perform SSL inspection for outbound traffic. The users must be able to access HTTPS websites without certificate errors. Which configuration step is essential for the ASA to perform decryption?

A. Configure the ASA to use a self-signed certificate without distribution.
B. Import the web server's private key onto the ASA.
C. Configure AAA authentication for SSL inspection.
D. Generate a trusted root CA certificate on the ASA and distribute it to all client machines.
Answer: D

Clients need to trust the ASA's certificate to avoid warnings.

Why this answer

Option D is correct because for the ASA to perform SSL inspection (a man-in-the-middle proxy), it must generate a trusted root CA certificate that is installed as a trusted root on all client machines. This allows the ASA to dynamically sign the web server's certificate during the SSL handshake, so clients trust the re-encrypted traffic without certificate errors.

Exam trap

Cisco often tests the misconception that the ASA needs the server's private key (Option B) to decrypt traffic, when in fact the ASA performs a full man-in-the-middle proxy and only needs its own trusted CA certificate distributed to clients.

How to eliminate wrong answers

Option A is wrong because a self-signed certificate without distribution would cause certificate errors on clients, as they do not trust the ASA's self-signed root. Option B is wrong because importing the web server's private key onto the ASA is not required for SSL inspection; the ASA acts as a proxy and generates its own keys for the session, and obtaining the server's private key would be a security violation and impractical for all outbound sites. Option C is wrong because AAA authentication is used for user access control, not for the cryptographic trust needed to avoid certificate errors during SSL decryption.

35
MCQ · hard

A company uses Cisco Firepower Threat Defense (FTD) managed by FMC. They want to enable URL filtering based on user identity from an Active Directory (AD) source. Which configuration steps are required on the FMC?

A. Create a URL category and associate it with a user group in the access control policy.
B. Configure an identity source (AD), create realm and user groups, then configure URL filtering rules with user conditions.
C. Create URL filtering rules first, then assign to users via dynamic object.
D. Configure identity source and NAT policy, then apply URL filtering.
Answer: B

Standard workflow for identity-based URL filtering in FMC.

Why this answer

Option B is correct because to enable URL filtering based on user identity from Active Directory, you must first configure an identity source (AD) on the FMC, then create a realm and import user groups. After that, you can configure URL filtering rules within an access control policy that includes user conditions to match traffic against specific AD users or groups. This sequence ensures the FTD can resolve user identity before applying URL category-based actions.

Exam trap

Cisco often tests the misconception that you can directly associate URL categories with user groups in the access control policy without first configuring the identity source and realm, leading candidates to pick Option A.

How to eliminate wrong answers

Option A is wrong because creating a URL category and associating it with a user group in the access control policy is not the first step; the identity source and realm must be configured first to establish user identity mapping. Option C is wrong because creating URL filtering rules first and then assigning them to users via a dynamic object bypasses the necessary identity source configuration and realm setup, and dynamic objects are not used for user identity in URL filtering. Option D is wrong because configuring a NAT policy is unrelated to URL filtering based on user identity; the correct prerequisite is configuring the identity source and realm, not NAT.

36
MCQ · easy

An administrator is configuring Cisco ISE to profile endpoints. The administrator wants to ensure that endpoints are correctly identified based on MAC address and hostname. Which of the following is a prerequisite for successful profiling?

A. The DHCP server must be configured with option 82.
B. The endpoints must have the ISE agent installed.
C. The network devices must have profiling enabled and be configured with SNMP.
D. The switch must be configured with SNMP v3.
Answer: C

Network devices must be configured with SNMP to allow ISE to poll for MAC addresses and hostnames.

Why this answer

C is correct because Cisco ISE uses SNMP to query network devices (switches, wireless LAN controllers) for endpoint attributes such as MAC addresses and hostnames. Profiling must be enabled on the network devices, and SNMP (typically v2c or v3) must be configured so that ISE can collect the necessary data via MIBs like BRIDGE-MIB or ENTITY-MIB to correlate MAC-to-port mappings and hostname information.

Exam trap

The trap here is that candidates often think an agent or a specific DHCP option is required for profiling, but Cisco tests the understanding that passive network probes like SNMP are the foundational mechanism for MAC and hostname discovery without endpoint software.

How to eliminate wrong answers

Option A is wrong because DHCP option 82 (Relay Agent Information) is used for DHCP snooping and IP address tracking, not for profiling endpoints based on MAC address and hostname; ISE can use DHCP probes, but option 82 is not a prerequisite. Option B is wrong because the ISE agent (AnyConnect or posture agent) is required for advanced endpoint posture assessment, but basic profiling based on MAC address and hostname can be done passively via network probes (SNMP, DHCP, HTTP) without any agent installed. Option D is wrong because while SNMP v3 provides encryption and authentication, it is not a mandatory prerequisite; SNMP v2c is commonly used and sufficient for profiling, and the requirement is simply that SNMP is configured, not specifically v3.
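Added example (not from the question bank): the switch side of the prerequisite in this question, a Cisco IOS access switch configured so that ISE can poll it over SNMP v2c for MAC and port information and receive link and MAC-learn traps. The ISE address, the community placeholder, interface and VLAN numbers and the DHCP server address are constructed assumptions; the DHCP relay lines at the end feed the DHCP probe mentioned in the explanation and are optional.

```cisco
! Read-only community that ISE polls with (BRIDGE-MIB, IF-MIB, CDP/LLDP MIBs).
! Placeholder string: the same value must be entered for this switch in
! ISE's network device definition.
snmp-server community <RO-COMMUNITY-PLACEHOLDER> RO
!
! Push link and MAC-learn events to ISE so it can query immediately instead
! of waiting for the next poll interval
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.1.5 version 2c <RO-COMMUNITY-PLACEHOLDER>
mac address-table notification change
mac address-table notification mac-move
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
!
! Optional: relay DHCP requests to ISE as well. The first helper is the
! real DHCP server, the second is the ISE policy node, which only listens.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.1.1.53
 ip helper-address 10.1.1.5
```

A read-only community is sufficient for profiling; ISE never needs to write to the switch for this feature, so an RW string here only widens the blast radius if it leaks. Where the switch supports it, the same configuration works with an SNMP v3 user in place of the community, which the explanation notes is preferable but not required.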

37
MCQ · hard

An engineer is designing a FlexVPN deployment with multiple hub routers and spoke routers. The spokes need to establish tunnels to the closest hub based on latency. Which feature should be configured to achieve dynamic hub selection?

A. Configure static priority on each hub and use priority-based selection.
B. Use Multipoint GRE with mGRE and NHRP for dynamic tunnel selection.
C. Use DHCP option 121 to push static routes for hub selection.
D. Implement IKEv2 redirect mechanism to direct spokes to the optimal hub.
Answer: D

IKEv2 redirect allows hubs to redirect spokes to a better hub based on location or latency.

Why this answer

The IKEv2 redirect mechanism allows a hub to inform a spoke of a more optimal hub based on metrics such as latency or load. The spoke then initiates a new IKEv2 connection to the recommended hub, enabling dynamic hub selection without manual configuration. This is the standard Cisco solution for FlexVPN deployments requiring proximity-based tunnel establishment.

Exam trap

Cisco often tests the IKEv2 redirect mechanism as the only standards-based method for dynamic hub selection in FlexVPN, and the trap here is that candidates confuse DMVPN's mGRE/NHRP (which handles spoke-to-spoke tunnels) with the hub-selection problem, leading them to choose Option B.

How to eliminate wrong answers

Option A is wrong because static priority on hubs does not adapt to real-time network conditions like latency; it forces spokes to always prefer a fixed hub regardless of performance. Option B is wrong because mGRE and NHRP are used for dynamic spoke-to-spoke tunnel establishment (DMVPN phase 2/3), not for selecting the best hub based on latency. Option C is wrong because DHCP option 121 pushes static routes for routing purposes, not for dynamic tunnel endpoint selection based on latency.

38
MCQ · medium

A company's remote employees use Cisco AnyConnect to connect to the corporate network. The VPN is configured with split tunneling so that only traffic to the corporate subnet (10.0.0.0/8) goes through the tunnel, and all other traffic goes directly to the internet. Recently, several employees reported that they cannot access the corporate file server (IP 10.2.3.4) even though they can connect to the VPN. The network team checks the ASA configuration and confirms that the split tunnel ACL includes the corporate subnet. The AnyConnect client shows that it is connected. What is the most likely cause of the issue?

A.The ASA is performing NAT on the VPN traffic.
B.The DNS resolution for the file server is failing due to VPN DNS settings.
C.The file server's firewall is blocking VPN traffic.
D.The split tunnel ACL is not being applied correctly, and traffic is going direct to internet.
AnswerB

Split tunneling often requires DNS to be resolved via the corporate DNS server; misconfiguration can cause resolution failures.

Why this answer

When split tunneling is configured, DNS queries for corporate resources are often sent to the corporate DNS server through the tunnel. If the VPN adapter's DNS settings are not properly configured or the corporate DNS server is unreachable, the client cannot resolve the file server's hostname to its IP address (10.2.3.4), even though the IP itself is reachable via the tunnel. This is a common misconfiguration where the client uses its local DNS server, which does not have records for the internal corporate domain.

Exam trap

Cisco often tests the distinction between network-layer connectivity (IP reachable) and application-layer resolution (DNS), leading candidates to focus on routing or firewall issues when the real problem is DNS misconfiguration in split-tunnel scenarios.

How to eliminate wrong answers

Option A is wrong because NAT on VPN traffic would typically translate the source IP of the client, but it would not prevent access to a specific IP like 10.2.3.4; NAT might cause issues with routing or application protocols, but the symptom here is inability to access a specific server, not a general connectivity failure. Option C is wrong because the file server's firewall blocking VPN traffic would affect all VPN users consistently, not just those reporting issues, and the scenario states that the VPN connection is established and the split tunnel ACL includes the subnet, implying the traffic reaches the server but fails at a higher layer. Option D is wrong because the network team confirmed the split tunnel ACL includes the corporate subnet, and the AnyConnect client shows it is connected, so traffic to 10.0.0.0/8 should be routed through the tunnel; if the ACL were misapplied, the client would likely show no tunnel route or the user would be unable to ping the server IP directly, which is not stated.

39
Multi-Selecteasy

Which two conditions must be met for Cisco Firepower Threat Defense (FTD) to perform SSL decryption?

Select 2 answers
A.The FTD must have a decryption certificate (server certificate) installed.
B.The client must be using TLS 1.2 or higher.
C.The FTD must have a URL Filtering license.
D.A valid certificate authority (CA) certificate for the internal CA must be installed on the FTD.
E.The decryption policy must be configured on the FTD device.
AnswersA, D

The decryption certificate is used to establish a new TLS session with the client.

Why this answer

SSL decryption on FTD needs certificate material on the sensor: a CA certificate that clients trust, so the FTD can re-sign outbound server certificates (Decrypt - Resign), and, for inbound connections to internal servers, the server's own certificate and private key (Decrypt - Known Key). Options B and C are not prerequisites at all: decryption works with earlier TLS versions, and no URL Filtering license is involved. Option E describes where these certificates are referenced (the SSL policy and its rules), not the certificate material the question asks about.

40
MCQmedium

An engineer is configuring Cisco Firepower Threat Defense (FTD) with a pre-filter policy to block traffic from known malicious IP addresses before it reaches the access control policy. The pre-filter rules are configured to block traffic from the malicious IPs. However, the engineer notices that some traffic from those IPs is still being allowed. What is the most likely reason?

A.A pre-filter rule with a lower priority (higher number) is matching the traffic first and allowing it
B.The pre-filter rules are configured with the wrong source interface
C.The access control policy is overriding the pre-filter policy
D.The default action for the pre-filter policy is set to 'Allow'
AnswerA

Pre-filter rules are evaluated top-down in rule-number order and the first match wins; a Fastpath (or Analyze) rule placed above the block rule handles the traffic before the block rule is ever reached.

Why this answer

Pre-filter rules are evaluated strictly in the order they appear, by rule number, and evaluation stops at the first match. If a rule that also matches the malicious sources (for example a broad Fastpath rule for a "trusted" network, or an Analyze rule that hands the traffic on to the access control policy) is numbered lower than the block rule, it wins, and the block rule never sees those packets. Moving the block rule above the broader rule, or narrowing the earlier rule's source condition, restores the intended behaviour.

Exam trap

Cisco often tests whether candidates understand that pre-filter rules are evaluated top-down in the order shown in the GUI (by rule number) with first match winning; the trap is assuming that a Block action takes precedence over a Fastpath or Analyze rule regardless of position, when in fact a block rule placed below a broader rule never fires.

How to eliminate wrong answers

Option B is wrong because the source interface is a match condition, not an ordering issue; if the wrong interface were configured, the rule would simply not match the traffic, not cause an earlier rule to override a block. Option C is wrong because pre-filter policies are evaluated before access control policies in the FTD data plane, so the access control policy cannot override a pre-filter block; if a pre-filter rule passes traffic on for analysis, the access control policy can then block it, but not vice versa. Option D is wrong because the pre-filter default action applies only to encapsulated tunnel traffic that matches no rule (Analyze all tunnel traffic or Block all tunnel traffic); it cannot override a rule that the traffic does match.

41
MCQeasy

Refer to the exhibit. A security analyst sees this syslog message on a Cisco ASA. What does it indicate?

A.A TCP connection from 10.10.10.10 to 203.0.113.50 was denied.
B.A TCP connection from 203.0.113.50 to 10.10.10.10 was denied by the ACL named OUTSIDE.
C.A TCP connection from 203.0.113.50 to 10.10.10.10 was allowed and logged.
D.The ASA interface OUTSIDE is experiencing high CPU due to Denial of Service.
AnswerB

The syslog clearly indicates a deny by access-group OUTSIDE.

Why this answer

Message 106023 has the form Deny <protocol> src <interface>:<ip>/<port> dst <interface>:<ip>/<port> by access-group "<acl>", and it is generated only when an ACL drops a packet. Here the src field is OUTSIDE:203.0.113.50 and the dst field is 10.10.10.10, so the connection attempt originated from 203.0.113.50 and was dropped by the ACL named OUTSIDE, which is applied to the OUTSIDE interface. The source IP is always listed first in the message.

Exam trap

Cisco often tests the order of IP addresses in syslog messages—candidates mistakenly assume the first IP is the destination, but in ASA syslogs, the source IP is listed first, leading to reversed direction errors.

How to eliminate wrong answers

Option A is wrong because the source and destination IPs are reversed; the syslog shows the source as 203.0.113.50 and the destination as 10.10.10.10, not the other way around. Option C is wrong because message 106023 is logged only for packets denied by an ACL; permitted connections are logged by the connection-built messages (302013/302015) or by 106100 when ACL logging is enabled, which states the action (permitted or denied) explicitly. Option D is wrong because the message is a per-packet ACL deny, not a CPU or DoS alert; resource exhaustion and threat-detection conditions are reported by different message IDs.
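The direction trap in this question is easiest to internalise by parsing the message programmatically. The parser below is an added example, not part of the original page or of any Cisco tool; the page's exhibit is not reproduced, so the log lines are constructed to the documented 106023 format (interface names, addresses, ports and the 302013 line are assumptions):

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Documented shape of the message this question is about:
#   %ASA-4-106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>" [0x..., 0x...]
# ICMP variants carry "(type n, code m)" instead of a port; the optional groups tolerate that.
ASA_106023 = re.compile(
    r"%ASA-(?P<sev>\d)-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[0-9a-fA-F.:]+)(?:/(?P<src_port>\d+))?"
    r" dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[0-9a-fA-F.:]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type \d+, code \d+\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class AclDeny:
    severity: int
    protocol: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]
    acl: str


def parse_106023(line: str) -> Optional[AclDeny]:
    """Return the parsed deny, or None for any other syslog line (e.g. 302013 connection built)."""
    m = ASA_106023.search(line)
    if m is None:
        return None
    port = lambda g: int(g) if g else None
    return AclDeny(int(m["sev"]), m["proto"].lower(),
                   m["src_if"], m["src_ip"], port(m["src_port"]),
                   m["dst_if"], m["dst_ip"], port(m["dst_port"]), m["acl"])


def describe(d: AclDeny) -> str:
    """Exam wording: the src field is the initiator; the named access-group did the dropping."""
    return (f"{d.protocol.upper()} connection from {d.src_ip} to {d.dst_ip} "
            f"was denied by the ACL named {d.acl} (inbound on {d.src_if})")


def denies_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count 106023 denies per initiating address: a first triage of who is probing the edge."""
    counts: Dict[str, int] = {}
    for line in lines:
        d = parse_106023(line)
        if d is not None:
            counts[d.src_ip] = counts.get(d.src_ip, 0) + 1
    return counts


# Constructed sample lines; the page's exhibit is not reproduced here.
SAMPLE_LOG = [
    'Mar  3 09:14:02 fw01 : %ASA-4-106023: Deny tcp src OUTSIDE:203.0.113.50/51234 '
    'dst inside:10.10.10.10/443 by access-group "OUTSIDE" [0x0, 0x0]',
    'Mar  3 09:14:05 fw01 : %ASA-6-302013: Built inbound TCP connection 4711 for '
    'OUTSIDE:198.51.100.7/40022 (198.51.100.7/40022) to dmz:10.20.0.5/443 (203.0.113.9/443)',
    'Mar  3 09:14:09 fw01 : %ASA-4-106023: Deny udp src OUTSIDE:203.0.113.50/5353 '
    'dst inside:10.10.10.10/161 by access-group "OUTSIDE" [0x0, 0x0]',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        d = parse_106023(line)
        print(describe(d) if d else "not an ACL deny, skipped")
    print(denies_by_source(SAMPLE_LOG))
```

The 302013 line is deliberately included so the parser demonstrates that a connection-built message is not a deny; in a real pipeline the per-source counts would feed a threshold alert rather than be printed.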

42
MCQmedium

A company has a Cisco ASA firewall configured with multiple access-lists applied to the outside interface. The security team is investigating reports that legitimate HTTPS traffic to a public web server located on a DMZ is intermittently being blocked. The firewall configuration includes an ACL that permits traffic to the web server's IP address on TCP 443, but also includes a general deny rule for all other traffic. The engineer notices that the permit rule is placed after a deny rule that blocks traffic from a specific source subnet that is used by internal users for testing. The internal users report that they can access the web server, but external users sometimes experience timeouts. What is the most likely cause of the intermittent blocking?

A.The permit rule for HTTPS is not hitting because traffic is being matched by a preceding deny rule.
B.The external users are hitting the firewall's connection limit.
C.The ASA is performing NAT incorrectly for the web server traffic.
D.The ASA is experiencing high CPU utilization causing packet drops.
AnswerA

If a deny rule earlier in the ACL matches the traffic, the permit rule is never evaluated, causing blocking.

Why this answer

The most likely cause is that the permit rule for HTTPS (TCP 443) is placed after a deny rule that blocks traffic from a specific source subnet. Since ACLs on a Cisco ASA are processed sequentially from top to bottom, if a packet matches the earlier deny rule, it will be dropped before reaching the permit rule. This explains why external users (who may be sourced from the blocked subnet or whose traffic is inadvertently matched by the deny rule due to overlapping or misconfigured source conditions) experience intermittent timeouts, while internal users from a different subnet are not affected.

Exam trap

Cisco often tests the concept of ACL sequential processing and the importance of rule order, where candidates mistakenly assume that a permit rule later in the list will override an earlier deny rule, or that the ASA uses a 'best-match' approach like a routing table.

How to eliminate wrong answers

Option B is wrong because the firewall's connection limit would affect all new connections uniformly, not just external users intermittently, and the scenario describes a specific ACL ordering issue rather than a resource exhaustion symptom. Option C is wrong because incorrect NAT would typically cause a complete failure to reach the web server or asymmetric routing issues, not intermittent blocking that correlates with ACL order. Option D is wrong because high CPU utilization would cause general packet loss or performance degradation across all traffic, not selectively block only external HTTPS traffic while internal users remain unaffected.

43
MCQeasy

A Cisco ASA firewall is configured with multiple contexts. The administrator needs to allow traffic from a context to pass through the management context for management purposes. Which type of interface should be used for this inter-context communication?

A.Use a shared interface that is allowed in multiple contexts.
B.Configure a virtual interface in each context and bridge them.
C.Use a dedicated physical interface for each context and route through the backplane.
D.Configure a subinterface on the management interface for each context.
AnswerA

Shared interfaces allow multiple contexts to use the same physical interface, enabling inter-context communication.

Why this answer

In multiple-context mode on a Cisco ASA, inter-context communication (such as allowing a user context to send management traffic to the management context) is achieved by using a shared interface. A shared interface is assigned to multiple security contexts, enabling them to communicate directly without requiring a physical or virtual crossover cable. This design allows the management context to receive traffic from other contexts for monitoring or administrative purposes while maintaining separation of forwarding tables.

Exam trap

Cisco often tests the misconception that inter-context communication requires a physical connection or a dedicated management path, when in fact the shared interface feature is the correct and supported method for allowing traffic between contexts on the same ASA.

How to eliminate wrong answers

Option B is wrong because bridging virtual interfaces between contexts is not a supported inter-context mechanism on the ASA; contexts exchange traffic through a shared interface, where the classifier assigns each packet to a context by destination address or MAC address. Option C is wrong because the backplane is not a routable interface, and giving every context its own physical interface does nothing to connect the contexts; traffic between them must pass through an interface they share. Option D is wrong because a management-only interface cannot pass through traffic, so subinterfaces on it provide no data path into the management context.

44
Multi-Selectmedium

A security engineer is configuring Cisco TrustSec on a network. Which TWO actions are required to enable TrustSec on a Cisco switch?

Select 2 answers
A.Enable MACsec encryption on all trunk links.
B.Define Security Group Tags (SGTs) on the switch using the 'cts role-based sgt' command or via RADIUS.
C.Deploy Cisco ISE as the only policy server.
D.Apply IP access-lists on interfaces to filter traffic based on source IP.
E.Configure 802.1X or MAC Authentication Bypass (MAB) on the switch ports.
AnswersB, E

SGTs must be defined to tag traffic.

Why this answer

B is correct because Security Group Tags (SGTs) are the fundamental building blocks of Cisco TrustSec, used to classify traffic and enforce role-based access control. SGTs can be bound statically on the switch (for example an IP-to-SGT mapping with 'cts role-based sgt-map <prefix> sgt <tag>') or assigned dynamically by a RADIUS server such as Cisco ISE during authentication. Without SGTs, the switch cannot perform the source-based or destination-based policy enforcement that TrustSec relies on. E is correct because 802.1X or MAB on the access ports is what lets ISE identify each endpoint and return its SGT in the RADIUS authorization result; without port authentication there is no per-endpoint classification.

Exam trap

Cisco often tests the misconception that MACsec encryption is a prerequisite for TrustSec, when in fact it is an optional enhancement; the real requirement is the definition and assignment of SGTs, along with port-based authentication (802.1X or MAB) to dynamically bind SGTs to endpoints.
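A minimal switch-side configuration covering the two required actions (SGT binding and port authentication), added here as an example; it is not taken from the page, and the RADIUS server address, secrets, list names, VLAN, subnet and SGT values are assumptions:

```cisco
! Constructed example: addresses, names, keys and SGT numbers are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization network cts-list group radius
dot1x system-auth-control
!
radius server ISE-PSN1
 address ipv4 10.10.20.5 auth-port 1812 acct-port 1813
 pac key 0 cts-pac-secret
 key 0 radius-shared-secret
!
! ISE (via the cts-list authorization list) supplies environment data and SGACLs
cts authorization list cts-list
! Static IP-to-SGT binding for a server subnet that never authenticates
cts role-based sgt-map 10.50.1.0/24 sgt 20
! Enforce the downloaded SGACLs on this switch
cts role-based enforcement
!
interface GigabitEthernet1/0/1
 description user port: ISE returns the SGT in the RADIUS Access-Accept
 switchport mode access
 switchport access vlan 100
 authentication order dot1x mab
 authentication port-control auto
 dot1x pae authenticator
 mab
```

Note that nothing in this configuration enables MACsec; tagging and enforcement work without it. To check the result, 'show cts environment-data' confirms the switch has pulled its environment data from ISE, 'show cts role-based sgt-map all' lists static and learned IP-to-SGT bindings, 'show cts role-based permissions' lists the SGACLs in effect, and 'show authentication sessions interface GigabitEthernet1/0/1 details' shows the SGT assigned to the endpoint on that port.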

45
MCQhard

Refer to the exhibit. An engineer has configured the ACL on the GigabitEthernet0/0 interface. Which of the following is true about the effect of this ACL?

A.It blocks all IP traffic from entering G0/0 because of the deny statement.
B.It blocks traffic sourced from 10.0.0.0/8 entering G0/0, but allows other traffic.
C.It permits all traffic because the ACL is misconfigured.
D.It blocks traffic destined to 10.0.0.0/8 entering G0/0, but allows other traffic.
AnswerB

The deny statement blocks source 10.0.0.0/8, and the permit any any allows all else.

Why this answer

The ACL is applied inbound on GigabitEthernet0/0 and contains an explicit deny for source 10.0.0.0/8 followed by permit ip any any. Packets sourced from 10.0.0.0/8 match the deny and are dropped; every other packet falls through to the explicit permit. The explicit permit matters: every IOS ACL ends with an implicit deny any, so without the permit ip any any line the same ACL would block all traffic entering G0/0, which is what option A describes. This makes option B correct.

Exam trap

Cisco often tests the misconception that a deny statement on its own blocks only the listed network; in fact every ACL ends with an implicit deny any, so a deny-only ACL blocks everything, and it is the explicit permit ip any any after the deny that lets the remaining traffic through.

How to eliminate wrong answers

Option A is wrong because the ACL does not block all IP traffic; only traffic sourced from 10.0.0.0/8 matches the deny, and the permit ip any any that follows admits the rest before the implicit deny is reached. Option C is wrong because the ACL is not misconfigured; it correctly denies the specified source network and permits everything else. Option D is wrong because the deny matches on source address, not destination; traffic destined to 10.0.0.0/8 from other sources is permitted.
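Questions 42 and 45 both turn on the same two rules: entries are evaluated top to bottom with first match winning, and an ACL with no explicit permit ends in an implicit deny. The evaluator below is an added example (not code from the page or from Cisco) that models both exhibits; it uses CIDR prefixes instead of IOS wildcard masks, and the test subnet and DMZ server address for question 42 are assumptions, since the page gives none:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry, Cisco-style 'permit|deny <proto> <src> <dst> [eq port]'.
    Networks are written in CIDR here instead of IOS wildcard masks; 'any' is 0.0.0.0/0."""
    action: str                      # "permit" or "deny"
    proto: str = "ip"                # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == dst_port


def evaluate(acl: Sequence[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first matching entry decides.
    Returns (action, 1-based line that matched); line None means the implicit deny fired."""
    for line, ace in enumerate(acl, start=1):
        if ace.matches(proto, src_ip, dst_ip, dst_port):
            return ace.action, line
    return "deny", None


# Q45 exhibit as described: deny source 10.0.0.0/8, then permit ip any any.
Q45_ACL = [Ace("deny", "ip", "10.0.0.0/8"), Ace("permit")]
# The same ACL with the explicit permit left out: only the implicit deny remains.
Q45_DENY_ONLY = [Ace("deny", "ip", "10.0.0.0/8")]

# Q42: a deny for the internal "test" subnet placed above the HTTPS permit to the DMZ server.
# Addresses are assumed for illustration; the page gives none.
Q42_ACL = [
    Ace("deny", "ip", "203.0.113.0/24"),                        # test subnet, hypothetical
    Ace("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),    # DMZ web server, hypothetical
]


def trace(acl: Sequence[Ace], flows: Sequence[Tuple[str, str, str, Optional[int]]]) -> List[str]:
    """Human-readable hit report, one line per flow, for quick ordering checks."""
    report = []
    for proto, s, d, port in flows:
        action, line = evaluate(acl, proto, s, d, port)
        where = f"line {line}" if line else "implicit deny"
        report.append(f"{proto} {s} -> {d}:{port}: {action} ({where})")
    return report


if __name__ == "__main__":
    print(*trace(Q45_ACL, [("tcp", "10.1.1.1", "172.16.0.9", 80),
                           ("tcp", "172.16.5.5", "10.1.1.1", 80)]), sep="\n")
    print(*trace(Q45_DENY_ONLY, [("tcp", "172.16.5.5", "192.0.2.1", 80)]), sep="\n")
    print(*trace(Q42_ACL, [("tcp", "203.0.113.7", "192.0.2.10", 443),
                           ("tcp", "198.51.100.5", "192.0.2.10", 443)]), sep="\n")
```

The second Q45 flow (destination in 10.0.0.0/8, source elsewhere) is permitted, which is why option D there is wrong; Q45_DENY_ONLY shows option A's outcome when the permit is missing. Reversing the two Q42 entries makes the HTTPS flow from the test subnet hit the permit first, which is the fix the question implies. Pre-filter and ISE authorization rules (questions 40 and 50) follow the same first-match logic.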

46
MCQhard

An administrator is migrating an ASA firewall to a cloud environment and wants to use FlexConfig to push additional configuration. After applying the FlexConfig, the ASA does not show the expected commands. Which of the following is a likely reason?

A.The ASA model does not support FlexConfig.
B.The ASA must be rebooted for FlexConfig to take effect.
C.The FlexConfig is not associated with the device in ASDM.
D.The FlexConfig contains syntax errors that are silently ignored.
AnswerC

A FlexConfig template must be assigned to the target device in the management platform and then deployed; otherwise it is never pushed to the ASA.

Why this answer

FlexConfig is a feature of Cisco's central device managers (Cisco Security Manager for the ASA, Firepower Management Center for FTD) that pushes CLI commands the management GUI does not expose natively. A FlexConfig object or template does nothing on its own: it must be assigned to the target device and the configuration then deployed. If that association is missing, the device never receives the commands, even when the template is correctly written and the platform supports the feature.

Exam trap

Cisco often tests the distinction between creating a FlexConfig template and actually associating it with a device, because candidates mistakenly believe that simply uploading a template is sufficient for it to be applied.

How to eliminate wrong answers

Option A is wrong because FlexConfig support depends on the management platform, not on the ASA hardware model; physical appliances and virtual ASAv instances in cloud environments are both supported. Option B is wrong because FlexConfig commands take effect when the deployment completes; no reboot is required. Option D is wrong because syntax errors are not silently ignored: invalid commands are rejected during validation or deployment and the error is reported to the administrator.

47
MCQmedium

A security administrator is reviewing firewall logs and notices that an internal user is generating excessive outbound DNS queries to a known malicious domain. The company uses Cisco Umbrella for DNS-layer security. How should the administrator investigate and block this traffic?

A.Check the Cisco Umbrella dashboard for the domain, identify the internal IP, and block the domain via policy.
B.Create a firewall ACL to block the IP address of the DNS server from the internal user.
C.Disable the user's network access temporarily and inform the IT department.
D.Enable full packet capture on the internal network and wait for the next occurrence.
AnswerA

Umbrella provides visibility and enforcement at the DNS layer, stopping malicious queries before connection.

Why this answer

Option A is correct because Cisco Umbrella is a DNS-layer security solution that can log and block DNS queries to malicious domains. The administrator should first check the Umbrella dashboard to identify the internal IP generating the excessive queries, then create a policy to block the domain, which will prevent all subsequent DNS resolutions to that domain without affecting other traffic.

Exam trap

Cisco often tests the candidate's understanding that DNS-layer security (like Umbrella) is the appropriate tool for blocking malicious domains at the DNS level, rather than using traditional firewall ACLs or reactive measures that do not leverage the solution's policy-based blocking capabilities.

How to eliminate wrong answers

Option B is wrong because blocking the DNS server IP address would prevent the user from resolving any domains, not just the malicious one, and does not leverage the DNS-layer security capabilities of Umbrella. Option C is wrong because disabling the user's network access is a reactive, disruptive measure that does not address the root cause or allow for forensic analysis; it also bypasses the proper use of Umbrella's policy controls. Option D is wrong because enabling full packet capture is a passive monitoring technique that does not block the traffic and delays remediation; it is inefficient compared to using the existing Umbrella dashboard and policy enforcement.

48
Multi-Selecthard

Which THREE are characteristics of Cisco Stealthwatch?

Select 3 answers
A.Can integrate with Cisco ISE for automated threat response
B.Provides behavioral analysis to detect threats
C.Acts as a next-generation firewall
D.Uses NetFlow and IPFIX for network traffic visibility
E.Functions as an intrusion prevention system (IPS)
AnswersA, B, D

Integration allows ISE to enforce policies based on Stealthwatch alerts.

Why this answer

Option A is correct because Cisco Stealthwatch can integrate with Cisco ISE (Identity Services Engine) via pxGrid or REST API to enable automated threat response. When Stealthwatch detects anomalous behavior, it can trigger ISE to enforce policy changes such as quarantining an endpoint or dynamically applying a security group access control list (SGACL), closing the loop between detection and remediation. Option B is correct because Stealthwatch baselines normal host and network behavior and alarms on deviations (data hoarding, exfiltration, scanning, command-and-control patterns) rather than matching packet signatures. Option D is correct because its primary data source is flow telemetry: NetFlow and IPFIX records exported by routers, switches and firewalls give it network-wide visibility without sitting inline.

Exam trap

Cisco often tests the distinction between detection/visibility tools (Stealthwatch) and inline enforcement devices (NGFW/IPS), so the trap here is that candidates confuse Stealthwatch's behavioral analysis and flow-based monitoring with the packet-inspecting, blocking capabilities of a next-generation firewall or intrusion prevention system.

49
MCQmedium

A company wants to provide both corporate and guest wireless access using the same access points. They require that guest users be placed into a separate VLAN and have internet-only access. Which Cisco solution should be used?

A.Cisco Identity Services Engine (ISE) with dACL and VLAN assignment
B.Cisco Prime Infrastructure
C.Cisco Flexible NetFlow
D.Cisco TrustSec with SGT
AnswerA

ISE can assign VLANs and downloadable ACLs based on user or device identity.

Why this answer

Cisco ISE with downloadable ACLs (dACL) and VLAN assignment is the correct solution because it enables dynamic per-user policy enforcement. When a guest user authenticates, ISE returns the VLAN (Tunnel-Private-Group-ID) and the dACL in the RADIUS Access-Accept, so the guest lands in the dedicated guest VLAN with an ACL that restricts traffic to internet-only access, while corporate users remain in their native VLAN with full internal access. RADIUS CoA (Change of Authorization) lets ISE revise that result later without forcing re-authentication, and the filtering is applied by the switch or wireless controller that terminates the session.

Exam trap

The trap here is that candidates often confuse Cisco Prime Infrastructure or TrustSec as policy enforcement tools, but Prime is only for management and TrustSec uses SGTs for role-based access, not direct VLAN assignment for guest isolation.

How to eliminate wrong answers

Option B is wrong because Cisco Prime Infrastructure is a management and monitoring platform, not a policy enforcement engine; it cannot dynamically assign VLANs or apply per-user access control lists. Option C is wrong because Cisco Flexible NetFlow is a traffic monitoring and analysis tool that provides visibility into network flows, but it does not enforce access control or VLAN assignment. Option D is wrong because Cisco TrustSec with SGT (Security Group Tags) enforces access with tag-based SGACLs and does not move users into a separate VLAN; guest isolation with a dedicated VLAN and internet-only access is a VLAN-plus-dACL result, which is what ISE's authorization policy delivers.

50
MCQhard

A security engineer is implementing Cisco Identity Services Engine (ISE) for 802.1X authentication. The requirement is to allow full network access for corporate devices that pass posture assessment, while providing limited access for guest devices. The engineer configures an authorization policy with conditions based on identity group and posture status. However, guest devices are still getting full access. What is the most likely cause?

A.The guest devices are not passing the certificate validation
B.The authorization rule for corporate devices is placed above the guest rule, and guest devices are matching the corporate rule first
C.MAC Authentication Bypass (MAB) is not enabled for the guest devices
D.The RADIUS attributes for dACL are not being sent correctly
AnswerB

ISE uses first-match; if guest devices match an earlier rule, they get the associated permissions.

Why this answer

Cisco ISE authorization policies are evaluated in top-down order, and the first matching rule is applied. If the corporate device rule is placed above the guest rule, guest devices that do not meet the posture condition may still match the corporate rule if the condition is not restrictive enough (e.g., if the identity group condition is broad or the posture check is not enforced as a required match). This results in guest devices receiving full access instead of the intended limited access.

Exam trap

Cisco often tests the concept that authorization rules are processed top-down and that a less specific rule placed above a more specific rule can cause unintended matches, leading candidates to overlook the importance of rule ordering and condition specificity.

How to eliminate wrong answers

Option A is wrong because certificate validation is part of the authentication phase (EAP-TLS or PEAP), not the authorization policy; failing certificate validation would prevent authentication entirely, not cause guest devices to get full access. Option C is wrong because MAB is a fallback authentication method for devices that do not support 802.1X, not a factor in authorization policy ordering; enabling MAB would not change which authorization rule matches first. Option D is wrong because RADIUS attributes for dACL are sent as part of the authorization result, not the cause of a misordered policy; if the wrong rule matches, the dACL attributes would be applied correctly for that rule, but the rule itself is incorrect.

51
MCQhard

A security team suspects that malware is exfiltrating data by encoding it in DNS queries. Which Cisco security solution is specifically designed to analyze DNS traffic for malicious activity?

A.Cisco Firepower NGFW
B.Cisco Stealthwatch
C.Cisco Email Security Appliance
D.Cisco Umbrella
AnswerD

Umbrella provides DNS security and can detect tunneling.

Why this answer

Cisco Umbrella is a cloud-delivered security solution that provides DNS-layer security by intercepting and analyzing DNS queries. It can detect and block DNS-based data exfiltration techniques, such as DNS tunneling, by inspecting DNS request patterns and comparing them against threat intelligence feeds. This makes it the correct choice for analyzing DNS traffic for malicious activity.

Exam trap

Cisco often tests the distinction between network security appliances that inspect traffic (like Firepower) versus cloud-based DNS security (Umbrella), leading candidates to mistakenly choose Firepower because they think 'DNS traffic analysis' implies a firewall feature.

How to eliminate wrong answers

Option A is wrong because Cisco Firepower NGFW is a next-generation firewall that inspects network traffic at layers 3-7 but does not have native, dedicated DNS traffic analysis for detecting data exfiltration via DNS tunneling; it relies on Snort rules or external integrations. Option B is wrong because Cisco Stealthwatch focuses on network visibility and behavioral analytics using NetFlow/IPFIX data, not deep DNS query inspection, and is not specifically designed to analyze DNS traffic for malicious activity. Option C is wrong because Cisco Email Security Appliance (ESA) is designed to protect against email-based threats such as spam, phishing, and malware, and does not analyze DNS traffic.

52
MCQeasy

A network administrator is configuring 802.1X authentication on Cisco switches for wired endpoints. Which protocol is used between the client (supplicant) and the switch (authenticator)?

A.RADIUS
B.EAP over UDP
C.EAP over LAN (EAPoL)
D.TACACS+
AnswerC

EAPoL is the standard protocol for 802.1X between client and switch.

Why this answer

In 802.1X authentication, the client (supplicant) communicates with the switch (authenticator) using EAP over LAN (EAPoL), which is defined in IEEE 802.1X-2004. EAPoL encapsulates EAP frames in Ethernet frames, allowing the supplicant to send authentication credentials to the authenticator before granting network access. The authenticator then relays these EAP messages to the authentication server (typically a RADIUS server) using RADIUS, but the direct protocol between client and switch is EAPoL.

Exam trap

Cisco often tests the distinction between the protocol used on the client-to-switch link (EAPoL) versus the protocol used on the switch-to-server link (RADIUS), causing candidates to mistakenly select RADIUS or TACACS+ because they are more familiar with AAA protocols.

How to eliminate wrong answers

Option A is wrong because RADIUS is used between the authenticator (switch) and the authentication server, not between the client and the switch; the client never sends RADIUS packets directly to the switch. Option B is wrong because EAP over UDP is not part of 802.1X; EAPoL rides directly in Ethernet frames (Layer 2, EtherType 0x888E), whereas EAP over UDP (EAPoUDP) was the Layer 3 transport used by the legacy Cisco NAC Framework for posture validation on links without 802.1X. Option D is wrong because TACACS+ is a Cisco-proprietary protocol used for device administration (AAA for CLI access), not for network access control via 802.1X; it separates authentication, authorization, and accounting but is not used in the 802.1X framework.
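The layering the question tests (EAP carried in EAPoL on the Ethernet link, then the same EAP packet relayed to the server inside a RADIUS attribute) is concrete in bytes. The encoder and parser below are an added example, not code from the page or from any Cisco product; the MAC addresses and identity are constructed, and the frames are built rather than captured:

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
RADIUS_ATTR_EAP_MESSAGE = 79


@dataclass(frozen=True)
class EapolFrame:
    dst: bytes
    src: bytes
    version: int
    packet_type: int
    eap_code: Optional[int] = None
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None
    eap_data: bytes = b""


def build_eap_identity(code: int, identifier: int, identity: bytes = b"") -> bytes:
    """EAP packet: Code, Identifier, Length (whole packet), Type 1 = Identity, Type-Data."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(src_mac: bytes, packet_type: int, eap: bytes = b"",
                dst_mac: bytes = PAE_GROUP_MAC, version: int = 2) -> bytes:
    """Ethernet II frame: dst, src, EtherType 0x888E, EAPOL header (version, type, length), body."""
    eapol_header = struct.pack("!BBH", version, packet_type, len(eap))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_EAPOL) + eapol_header + eap


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode one Layer 2 frame; rejects anything that is not EAPOL or is truncated."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError(f"not EAPOL: EtherType 0x{ethertype:04x}")
    version, ptype, blen = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("truncated EAPOL body")
    if ptype != EAPOL_EAP_PACKET:
        return EapolFrame(dst, src, version, ptype)      # Start / Logoff carry no EAP
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen > blen or elen < 4:
        raise ValueError("bad EAP length")
    eap_type = body[4] if elen > 4 else None
    return EapolFrame(dst, src, version, ptype, code, ident, eap_type, body[5:elen])


def to_radius_eap_message(eap: bytes) -> bytes:
    """What the switch forwards to ISE: the EAP packet (EAPOL header stripped) wrapped in
    RADIUS EAP-Message attributes, type 79, split into 253-byte chunks as RADIUS requires."""
    out = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        out += bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return out


def supplicant_authenticator_exchange(sup_mac: bytes, auth_mac: bytes, identity: bytes) -> List[bytes]:
    """The first three frames on the supplicant<->switch link (constructed, not captured)."""
    start = build_eapol(sup_mac, EAPOL_START)
    request = build_eapol(auth_mac, EAPOL_EAP_PACKET, build_eap_identity(EAP_REQUEST, 1))
    response = build_eapol(sup_mac, EAPOL_EAP_PACKET, build_eap_identity(EAP_RESPONSE, 1, identity))
    return [start, request, response]


if __name__ == "__main__":
    sup, auth = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # assumed MACs
    frames = supplicant_authenticator_exchange(sup, auth, b"alice@corp.example")
    for f in frames:
        p = parse_eapol(f)
        print(f"EAPOL type={p.packet_type} eap_code={p.eap_code} identity={p.eap_data!r}")
    print("relayed to ISE as RADIUS attribute 79:", to_radius_eap_message(frames[2][18:]).hex())
```

Note what the switch strips and what it keeps: the Ethernet and EAPOL headers never leave the access link, while the EAP packet (code, identifier, length, type, identity) is carried unchanged to the RADIUS server, which is why RADIUS is the wrong answer for the client-to-switch leg.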

53
Matchingmedium

Match each encryption algorithm to its type.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Symmetric block cipher

Asymmetric public-key algorithm

Hash function

Symmetric block cipher (legacy)

Key exchange algorithm

Why these pairings

These are common encryption algorithms and their categories.

54
MCQeasy

An engineer is troubleshooting a site-to-site IPsec VPN between two Cisco routers. The tunnel is not establishing. Which command would verify that IKE phase 1 negotiations have completed successfully?

A.show crypto ipsec sa
B.show crypto isakmp sa
C.show crypto map
D.debug crypto isakmp
AnswerB

This command displays IKE phase 1 security associations.

Why this answer

The 'show crypto isakmp sa' command displays the IKE (Internet Key Exchange) Phase 1 security associations. On an IOS router a completed Main Mode negotiation shows the state QM_IDLE, meaning the ISAKMP SA is established, the peers have mutually authenticated, and the SA is ready to negotiate Quick Mode (Phase 2); intermediate states such as MM_NO_STATE or MM_KEY_EXCH indicate an exchange that has not finished. (The ASA reports a completed Phase 1 as MM_ACTIVE instead.) This is the direct verification command for Phase 1 completion.

Exam trap

Cisco often tests the distinction between Phase 1 (ISAKMP) and Phase 2 (IPsec) commands, trapping candidates who confuse 'show crypto ipsec sa' (Phase 2) with 'show crypto isakmp sa' (Phase 1) for verifying IKE negotiations.

How to eliminate wrong answers

Option A is wrong because 'show crypto ipsec sa' displays IPsec Phase 2 SAs, which are only created after IKE Phase 1 has completed; it cannot verify Phase 1 status. Option C is wrong because 'show crypto map' displays the crypto map configuration and its applied interfaces, but it does not show the dynamic state or negotiation progress of IKE Phase 1 SAs. Option D is wrong because 'debug crypto isakmp' is a real-time troubleshooting tool that shows IKE events as they occur, but it is not a verification command for completed negotiations and can be resource-intensive on a production router.

55
MCQmedium

A company has a site-to-site VPN between two ASA firewalls using IKEv2. The tunnel was working but after an upgrade, it fails. The engineer verifies that the pre-shared keys match, IKE proposals are compatible, and the crypto ACL is correctly defined. What is the next likely cause to investigate?

A.The firewall rules on the intermediate devices are blocking ISAKMP traffic.
B.The ACL for interesting traffic is missing.
C.The crypto map is not applied to the correct interface.
D.The MTU is too high.
AnswerA

Intermediate firewall changes made around the upgrade window can block UDP 500 (IKE) and UDP 4500 (NAT-T), or ESP (IP protocol 50) where NAT-T is not in use, preventing IKE negotiation. This is a common cause.

Why this answer

The correct answer is A because the tunnel was working before the upgrade and the engineer has already verified that the pre-shared keys, IKE proposals, and crypto ACL are correct. Rules on intermediate firewalls or ACLs are often changed in the same maintenance window as an upgrade, and if they stop passing IKE traffic (UDP 500, and UDP 4500 for NAT-T) the peers can never complete the exchange. Since the tunnel fails to establish at all, the next logical step is to confirm that IKE traffic is permitted end to end through every intermediate device.

Exam trap

Cisco often tests the misconception that post-upgrade failures are always due to configuration mismatches, but the trap here is that intermediate firewall rules or ACL changes are frequently overlooked after an upgrade, even when all other parameters are verified as correct.

How to eliminate wrong answers

Option B is wrong because the engineer has already verified that the crypto ACL is correctly defined, so a missing interesting-traffic ACL is not the issue. Option C is wrong because if the crypto map were not applied to the correct interface, the tunnel would never have worked before the upgrade, and the engineer would have seen the misconfiguration during verification. Option D is wrong because an MTU that is too high typically causes fragmentation or performance issues, not a complete failure of IKEv2 tunnel establishment, and the tunnel was working before the upgrade with the same MTU.

56
MCQ · medium

Refer to the exhibit. A host with IP address 10.0.0.5 sends traffic to destination 192.168.2.10. The traffic is not being translated. What is the most likely cause?

A.The security-level of the inside interface is too high to allow NAT.
B.The ACL INSIDE_NAT does not permit traffic to the destination network 192.168.2.0/24.
C.The interface outside does not have a valid IP address assigned.
D.The NAT statement uses source dynamic instead of source static; dynamic cannot translate internal IPs.
Answer: B

The ACL only permits traffic to 192.168.3.0/24, so 192.168.2.0/24 traffic is not matched and hence not translated.

Why this answer

The access-list INSIDE_NAT permits traffic to network 192.168.3.0/24, but the destination is 192.168.2.10, which is not matched. Therefore, NAT is not applied to that traffic. Option B is correct.

Options A, C, and D are not relevant: the security-level does not affect whether NAT is applied, the outside interface has an IP address, and dynamic NAT is perfectly capable of translating internal addresses.

57
MCQ · hard

A large enterprise uses Cisco ISE for network access control with 802.1X authentication (PEAP-MSCHAPv2) on wired ports. Access switches are Cisco Catalyst 3850s running IOS-XE 16.9, and ISE is version 2.7 with all patches. Recently, users in the finance department report intermittent connectivity issues when connecting to the network. The issue is sporadic: a user may connect successfully one day, then fail multiple times the next day. Switch logs show frequent 'EAP timeout' errors for these users. The network team has verified that the RADIUS servers are reachable and have sufficient CPU and memory. The ISE logs show no authentication failures, only that some EAP conversations are dropped mid-exchange. What is the most likely cause of these intermittent failures?

A.The switch is configured with a RADIUS timeout value that is too low.
B.The switch port is configured with a dynamic VLAN assignment that does not exist on the switch.
C.The user's machine certificate has expired.
D.The ISE server is configured with an incorrect shared secret for the switch.
Answer: A

A low timeout can cause the switch to abort EAP exchanges when network latency spikes, leading to intermittent timeouts.

Why this answer

The EAP timeout errors and the intermittent nature of the problem point to the RADIUS timeout being set too low on the switch, causing it to abandon EAP conversations during periods of high latency. Options B, C, and D would cause consistent failures for the affected users, not intermittent ones.

58
MCQ · medium

A network engineer is configuring OSPF on a Cisco router and needs to enable authentication between neighbors. The authentication type should be MD5. Which configuration step is required?

A.ospf authentication-key under router ospf
B.ip ospf authentication message-digest under the interface
C.area 0 authentication command in router configuration
D.ip ospf authentication null
Answer: B

This interface command enables MD5 authentication.

Why this answer

Option B is correct because to enable OSPF MD5 authentication on a Cisco router, the 'ip ospf authentication message-digest' command must be applied under the specific interface. This command tells OSPF to use MD5 (message-digest) authentication for that interface, and it must be paired with an 'ip ospf message-digest-key' command to define the actual key. The authentication type is configured at the interface level, not globally under the OSPF routing process.

Exam trap

Cisco often tests the distinction between area-level authentication (which defaults to simple) and interface-level MD5 authentication, causing candidates to mistakenly choose 'area 0 authentication' thinking it covers MD5.

How to eliminate wrong answers

Option A is wrong because 'ospf authentication-key' is a command used under the interface, not under router ospf, and it configures simple (type 1) authentication, not MD5. Option C is wrong because 'area 0 authentication' enables authentication for the entire area but defaults to simple authentication unless 'message-digest' is appended; it does not specify MD5 by itself and still requires interface-level commands. Option D is wrong because 'ip ospf authentication null' explicitly disables authentication on the interface, which is the opposite of what is required.
