CCNA Security Concepts Questions

72 questions · Security Concepts topic · All types, answers revealed

1
MCQ · easy

Which Cisco TrustSec feature uses a classification packet to carry security group information across network devices?

A. Security Group Tag (SGT)
B. Security Group Access Control List (SGACL)
C. MACsec
D. Cisco TrustSec (CTS)
Answer: A

SGTs are inserted into packets to carry group information.

Why this answer

The Security Group Tag (SGT) is the Cisco TrustSec mechanism that embeds security group information directly into the Ethernet frame as a Cisco Meta Data (CMD) header inserted inline after the source MAC address. The packet thereby carries its source group identity across TrustSec-capable devices, so each downstream device can enforce SGACLs without reclassifying the traffic at every hop. Where a device in the path cannot carry the inline tag, the IP-to-SGT binding is propagated out of band with SXP instead, but the tag itself remains the unit of classification.

Exam trap

Cisco often tests the distinction between the tag that carries the group information (SGT) and the policy that enforces rules based on that tag (SGACL), so candidates mistakenly choose SGACL because they associate it with security group enforcement.

How to eliminate wrong answers

Option B is wrong because a Security Group Access Control List (SGACL) is a policy rule that defines permitted or denied actions based on SGTs, not a classification packet that carries group information. Option C is wrong because MACsec (802.1AE) provides link-layer encryption and integrity, not a mechanism to carry security group tags across devices. Option D is wrong because Cisco TrustSec (CTS) is the overarching architecture that includes SGT, SGACL, and other components; it is not a specific classification packet that carries group information.

2
MCQ · easy

Refer to the exhibit. The tunnel is established but no traffic is encrypted. What is the most likely issue?

A. The transform set uses wrong encryption
B. The crypto map is not applied to the external interface
C. The access-list is too permissive
D. The peer address is wrong
Answer: B

The crypto map must be attached to an interface to enable encryption.

Why this answer

The most likely issue is that the crypto map is not applied to the external interface. In a crypto-map IPsec configuration, the map must be bound to the interface that sends and receives the encrypted traffic (the outside, public-facing interface). Until it is, the map's match ACL never triggers IPsec SA negotiation for outbound traffic and no ESP packets are produced on egress.

An ISAKMP SA can still exist, for example because the remote peer initiated phase 1 and this router accepted it, so show crypto isakmp sa looks healthy while show crypto ipsec sa shows no IPsec SA or zero #pkts encaps. That is why the tunnel appears 'established' even though the policy (ACL and transform set) is never enforced on any interface; show crypto map, which lists the interfaces using each map, is the quickest check.

Exam trap

Cisco often tests the distinction between tunnel establishment (IKE Phase 1) and traffic encryption (IPsec Phase 2 + crypto map application), trapping candidates who assume a tunnel being 'up' means all components are correctly applied.

How to eliminate wrong answers

Option A is wrong because a transform set mismatch (for example AES on one side and 3DES on the other) causes the IPsec (phase 2) proposal to be rejected, so no IPsec SA would form; the premise that the tunnel is established means the proposals were compatible. Option C is wrong because an overly permissive crypto ACL would cause more traffic to match and be encrypted, not less; the symptom is that nothing is encrypted, which points to the map never being consulted, not to the ACL being too broad. Option D is wrong because a wrong peer address would prevent IKE from ever reaching the remote peer, so no tunnel would be established at all; since the tunnel is up, the peer address is correct.

3
MCQ · hard

A security engineer is analyzing logs from a Cisco ASA. They notice that a specific internal host is generating a high volume of outbound TCP SYN packets to multiple external IP addresses on port 443, but no SYN-ACK responses are received. What is the most likely explanation?

A. The ASA is configured to block outbound HTTPS traffic
B. The host is downloading a large malware file via HTTPS
C. The host is infected with malware that is performing a SYN flood denial-of-service attack
D. The host is establishing legitimate HTTPS connections
Answer: C

Spoofed or high-volume SYN packets without responses indicate a SYN flood attack.

Why this answer

Option C is correct because the host is sending a high volume of TCP SYN packets to multiple external IPs on port 443 without receiving SYN-ACK responses, which is characteristic of a SYN flood. In a SYN flood the attacker (or infected host) sends many SYNs to exhaust the target's connection table; the missing SYN-ACKs indicate the targets are not completing the handshake, often because the source address is spoofed or the targets have stopped responding. On the ASA this pattern shows up as a stream of %ASA-6-302014 teardown messages for the host with bytes 0 and reason SYN Timeout, and as a large embryonic (half-open) connection count for that host in show local-host, which is how outbound SYNs with no corresponding SYN-ACKs are recognised in the logs.

Exam trap

Cisco often tests the distinction between a host being the source of an attack versus being the victim, and the trap here is that candidates may assume the host is simply making legitimate outbound connections (Option D) without recognizing that the absence of SYN-ACK responses is the key anomaly that indicates an attack rather than normal traffic.

How to eliminate wrong answers

Option A is wrong because if the ASA were blocking outbound HTTPS traffic, the SYN packets would be dropped at the ASA and not reach the external IPs, so the logs would not show outbound SYN packets to port 443. Option B is wrong because downloading a large malware file via HTTPS would involve a full TCP three-way handshake (SYN, SYN-ACK, ACK) and subsequent data transfer, not just a flood of SYN packets with no responses. Option D is wrong because legitimate HTTPS connections require a completed three-way handshake, so the ASA logs would show SYN-ACK responses from the external servers, which are absent in this scenario.

4
MCQ · medium

A company uses Cisco ISE for network access control. They want to allow employee-owned devices to access the guest network after a simple registration, while corporate devices get full access. Which ISE configuration best achieves this?

A. Use 802.1X with PEAP and machine certificates for all devices.
B. Use MAB for unknown devices, then perform posture assessment; redirect to registration portal if needed.
C. Use MAB only for corporate devices and deny all others.
D. Configure a single PSK for the guest SSID.
Answer: B

MAB captures MAC, posture checks compliance, registration portal allows onboarding.

Why this answer

Option B is correct because MAB for unknown (non-802.1X) devices, followed by posture assessment and a redirect to a registration portal, is the standard ISE onboarding flow: the unknown MAC is admitted into a restricted state, the portal registers the device, and posture decides whether it receives guest or fuller access. Option A forces 802.1X with machine certificates on every device, which employee-owned devices typically do not have. Option C restricts MAB to corporate devices and denies everyone else, so employee-owned devices never reach the registration step. Option D replaces identity-based access with a single shared PSK, which offers no per-device registration and is far weaker.

5
Multi-Select · hard

Which THREE elements are essential components of a secure network architecture according to Cisco's SAFE model? (Choose three.)

Select 3 answers
A. Encryption for data in transit
B. A single firewall at the internet edge
C. Authentication, authorization, and accounting (AAA)
D. Network segmentation using VLANs or VRF
E. Large broadcast domains to simplify management
Answers: A, C, D

Protects confidentiality of data traversing the network.

Why this answer

Encryption for data in transit is a core component of Cisco's SAFE model because it ensures confidentiality and integrity of traffic traversing the network. SAFE mandates encryption protocols such as IPsec, TLS, or MACsec to protect against eavesdropping and man-in-the-middle attacks. This aligns with the model's principle of maintaining trustworthiness across all communication paths.

Exam trap

Cisco often tests the misconception that a single firewall is sufficient for edge security, but the SAFE model explicitly requires a layered security stack (firewall, IPS, and web/email security) at the internet edge to achieve defense-in-depth.

6
MCQ · medium

A company is implementing a Zero Trust architecture. The security team needs to ensure that all traffic between workloads in a private cloud is encrypted and mutually authenticated. Which solution best meets these requirements?

A. MACsec on the network interfaces
B. IPsec VPN between each pair of workloads
C. SSH tunnels between workloads
D. Mutual TLS (mTLS) between workloads
Answer: D

mTLS provides both encryption and mutual authentication, making it ideal for Zero Trust workload communication.

Why this answer

Mutual TLS (mTLS) provides both encryption and mutual authentication by requiring each workload to present a valid X.509 certificate during the TLS handshake. This ensures that only verified workloads can communicate, and all traffic is encrypted at the application layer, making it the ideal choice for a Zero Trust architecture where every connection is authenticated and authorized regardless of network location.

Exam trap

Cisco often tests the distinction between network-layer encryption (IPsec, MACsec) and application-layer mutual authentication (mTLS), leading candidates to choose IPsec because it is familiar for site-to-site VPNs, but they overlook that Zero Trust requires per-workload identity verification, not just encryption.

How to eliminate wrong answers

Option A is wrong because MACsec operates at Layer 2 and protects only a single hop between directly connected interfaces (switch-to-switch or host-to-switch); it is terminated at every hop and carries no per-workload identity across a routed fabric. Option B is wrong because a full mesh of IPsec tunnels between workloads is operationally unwieldy (n(n-1)/2 security associations) and, although IKE can authenticate peers with certificates, it binds identity to a host or gateway address rather than to the service, a poor fit for dynamic, short-lived workloads in a private cloud. Option C is wrong because SSH tunnels are built for interactive sessions and port forwarding; they do not scale to automated service-to-service traffic and lack the standardized X.509 mutual authentication that mTLS, typically delivered by a service mesh sidecar, provides.

7
Drag & Drop · medium

Drag and drop the steps to configure 802.1X port-based authentication on a Cisco switch in the correct order.


Why this order

AAA and RADIUS must be configured first, then the authentication list, global 802.1X enable, and finally interface-level enable.
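The order above written out as an added IOS configuration example (it is not taken from the page): AAA and the RADIUS server definition first, then the dot1x method lists, then the global enable, then the port. The server name ISE-PSN1, its address 10.10.10.5, the key placeholder and the interface GigabitEthernet1/0/10 are assumptions.

```cisco
! Step 1: enable AAA and define the RADIUS server (ISE) - address and key are assumed
aaa new-model
radius server ISE-PSN1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key <shared-secret>
aaa group server radius ISE
 server name ISE-PSN1
!
! Step 2: method lists - dot1x authentication, network authorization (dACL/VLAN
! returned by ISE) and accounting so ISE sees session start/stop
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Step 3: enable 802.1X globally; without this the interface commands are inert
dot1x system-auth-control
!
! Step 4: enable it on the access port facing the endpoint
interface GigabitEthernet1/0/10
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Checks
! test aaa group ISE <user> <password> new-code   -> proves the RADIUS path before touching ports
! show dot1x interface GigabitEthernet1/0/10 details
! show authentication sessions interface GigabitEthernet1/0/10
```

Run the test aaa command before enabling authentication port-control on production ports: a wrong shared secret or an unreachable ISE node leaves every 802.1X port in a failed state, so verify the RADIUS exchange first and consider authentication event server dead action on the port as a fallback.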

8
Multi-Select · medium

Which THREE of the following are benefits of using Cisco ISE for network access control?

Select 3 answers
A. Firewall integration
B. Guest access provisioning
C. Centralized policy management
D. Storage encryption
E. URL filtering
Answers: A, B, C

ISE uses pxGrid to share context with firewalls for dynamic policy updates.

Why this answer

Cisco ISE provides centralized policy management (option C) by allowing administrators to define and enforce access policies from a single console, which simplifies network access control across the entire organization. Guest access provisioning (option B) is a native feature of ISE that enables secure, self-service or sponsored guest onboarding with customizable captive portals and role-based access. Firewall integration (option A) is a benefit because ISE can dynamically communicate with Cisco firewalls (e.g., ASA, Firepower) via pxGrid to enforce context-aware policies, such as quarantining an infected endpoint or granting micro-segmentation based on user identity and device posture.

Exam trap

Cisco often tests the distinction between ISE's core AAA and policy management functions versus features like encryption or URL filtering that belong to other security domains, leading candidates to mistakenly attribute all security capabilities to a single product.

9
MCQ · hard

A financial company has a data center with Cisco FTD firewalls in a high-availability pair. They use Cisco ISE for network access control and Cisco Stealthwatch for network visibility. Recently, they deployed a new web application that is accessed by both internal employees and external customers. The application uses HTTPS on port 443. After deployment, the security team notices that the FTD is dropping some HTTPS sessions that appear legitimate. The drops are inconsistent and seem to occur only during peak hours. The FTD logs show the drop reason as 'TCP state violation'. The team has verified that the web server and clients are configured correctly. The Stealthwatch reports show no anomalies. What is the most likely cause and solution?

A. Enable SSL decryption to inspect the encrypted traffic
B. Increase the TCP timeout values on the FTD to accommodate longer sessions
C. Block all traffic to the web server except from trusted IPs
D. Configure TCP state bypass on the FTD for the web server traffic
Answer: D

Bypassing state tracking allows packets that may be asymmetric to pass without being dropped.

Why this answer

The 'TCP state violation' drops during peak hours indicate that the FTD's stateful inspection engine is seeing TCP segments that do not fit the expected state machine for the connection, typically because of asymmetric routing (one direction of the flow takes a path that misses the firewall) or because a connection entry expired while the session was still live under load. Configuring TCP state bypass for the web server traffic turns off stateful TCP checking for those flows, so the firewall forwards them on the access rules alone and the drops stop. The practitioner's caveat is that the bypass also disables TCP normalization and TCP Intercept (SYN flood protection) for the matching flows, so it should be scoped to the server's port 443 traffic only and treated as a workaround while the asymmetric path is corrected.

Exam trap

The trap here is that candidates often assume SSL decryption is needed for encrypted traffic issues, but the 'TCP state violation' drop reason directly points to a stateful inspection problem, not an encryption inspection problem.

How to eliminate wrong answers

Option A is wrong because SSL decryption would add processing overhead and is not designed to fix TCP state violations; it addresses content inspection, not stateful firewall drops. Option B is wrong because increasing TCP timeouts might help if sessions are timing out prematurely, but the drops are inconsistent and occur during peak hours, suggesting a state tracking issue under load rather than timeout expiration. Option C is wrong because blocking all traffic except from trusted IPs would deny external customers access, which contradicts the requirement that the application is accessed by both internal employees and external customers, and it does not address the TCP state violation drops.
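How the bypass is scoped on the ASA/LINA side, as an added example that is not from the page; on FTD the same lines are pushed through an FMC FlexConfig object. The server address 192.0.2.10 and the object names are assumptions. The ACL is deliberately narrow because everything it matches loses TCP normalization and TCP Intercept.

```cisco
! Only the web server's HTTPS flows, in both directions - nothing broader
access-list TCP-BYPASS extended permit tcp any host 192.0.2.10 eq 443
access-list TCP-BYPASS extended permit tcp host 192.0.2.10 eq 443 any
!
class-map TCP-BYPASS-CLASS
 match access-list TCP-BYPASS
!
! Attach to the existing global policy; other classes are untouched
policy-map global_policy
 class TCP-BYPASS-CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
!
! Checks
! show service-policy global_policy           -> class TCP-BYPASS-CLASS with tcp-state-bypass listed
! show conn address 192.0.2.10 detail         -> bypassed connections carry the "b" flag
! show asp drop                               -> the tcp-not-syn counter should stop growing for this server
```

Leave the rest of the global policy alone: the point is to exempt one asymmetric flow, not to disable stateful inspection for the data center. Once routing is symmetric again, remove the class and confirm with show asp drop that the violations do not return.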

10
MCQ · medium

Refer to the exhibit. An IPsec VPN tunnel between two routers is not passing traffic. IKE phase 1 is not complete (MM_NO_STATE). Phase 2 has no SA. Which issue is most likely causing the problem?

A. The remote peer is not reachable due to a routing issue.
B. IKE policy mismatch (e.g., encryption, hash, or pre-shared key) causes phase 1 failure.
C. The ACL defining interesting traffic is misconfigured.
D. Mismatched IPsec transform sets between the peers.
Answer: B

MM_NO_STATE indicates no IKE SA; common cause is policy or PSK mismatch.

Why this answer

The IKE phase 1 state is MM_NO_STATE, which indicates that the Internet Key Exchange (IKE) Main Mode negotiation has not completed. This typically occurs when the peers cannot agree on the IKE policy parameters (encryption, hash, Diffie-Hellman group, authentication method, or pre-shared key). Since phase 2 (IPsec SA) depends on a successful phase 1, the failure cascades, making an IKE policy mismatch the most likely root cause.

Exam trap

Cisco often tests the distinction between IKE phase 1 and phase 2 failures, and the trap here is that candidates confuse a phase 2 issue (like ACL or transform set mismatch) with a phase 1 issue, but MM_NO_STATE specifically indicates phase 1 is incomplete.

How to eliminate wrong answers

Option A is wrong because, although an unreachable peer also leaves the initiator's ISAKMP SA in MM_NO_STATE, that case shows in debug crypto isakmp as repeated retransmissions of the first main-mode message with no reply, whereas a policy mismatch shows the peer answering and the proposal being rejected; once basic reachability to the peer address is confirmed with a ping from the router, the remaining cause is the IKE policy or pre-shared key. Option C is wrong because the ACL defining interesting traffic only governs what triggers IPsec (phase 2) negotiation; phase 1 does not depend on it and would complete regardless of the ACL. Option D is wrong because mismatched IPsec transform sets affect phase 2 only; phase 1 would still complete (QM_IDLE on IOS, MM_ACTIVE on the ASA) even if the transform sets differ.

11
Multi-Select · medium

A network administrator is configuring port security on a Cisco switch port connected to a single endpoint. The requirement is that only the first device that connects to the port is allowed, and any subsequent device that attempts to connect must trigger an error-disabled state. Which two features must be configured to meet this requirement?

Select 2 answers
A. switchport port-security aging type inactivity
B. switchport port-security mac-address sticky
C. switchport port-security mac-address 0000.1111.2222
D. switchport port-security violation shutdown
E. switchport port-security maximum 1
Answers: B, E

Sticky learning dynamically learns and remembers the first MAC.

Why this answer

Option B is correct because the 'switchport port-security mac-address sticky' command dynamically learns the MAC address of the first connected device and saves it as a sticky secure MAC address in the running configuration. Option E is correct because setting the maximum number of secure MAC addresses to 1 ensures that only the first device's MAC address is allowed; any additional device will trigger a security violation. Together, these two features enforce that only the first device can connect, and subsequent devices cause the port to enter an error-disabled state when combined with the shutdown violation mode.

Exam trap

Cisco often tests the misconception that the 'violation shutdown' command must be explicitly configured, when in fact it is the default violation mode for port security, so candidates incorrectly include it as a required feature instead of recognizing that the maximum and sticky commands are the two necessary configurations.
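The two required commands in context, as an added IOS example rather than configuration from the page; the interface name and the err-disable recovery interval are assumptions. The violation line is included only to show that it matches the default.

```cisco
interface GigabitEthernet1/0/11
 switchport mode access
 ! port-security only works on access or trunk ports, never on dynamic (DTP) ports
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! shutdown is the default violation mode; stated here so the intent is explicit
 switchport port-security violation shutdown
!
! Optional: recover an err-disabled port automatically after 300 seconds
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Checks
! show port-security interface GigabitEthernet1/0/11   -> Port Status, Maximum MAC Addresses = 1, Sticky MAC = 1
! show port-security address                            -> the learned MAC with type SecureSticky
! show interfaces status err-disabled                   -> lists ports shut by a violation
! show running-config interface GigabitEthernet1/0/11  -> the sticky MAC appears as a config line
```

The sticky address is written into the running configuration only; save it with write memory or the port will re-learn the first MAC it sees after a reload, which defeats the purpose. Without errdisable recovery, a violated port stays down until an administrator issues shutdown followed by no shutdown on it.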

12
Multi-Select · hard

Which THREE of the following are valid characteristics of a next-generation firewall (NGFW) compared to a traditional stateful firewall? (Choose three.)

Select 3 answers
A. Decryption and inspection of SSL/TLS traffic
B. Application identification regardless of port
C. Support for network address translation (NAT)
D. Support for site-to-site VPNs
E. Integrated intrusion prevention system (IPS)
Answers: A, B, E

NGFWs can decrypt encrypted traffic for inspection.

Why this answer

A is correct because NGFWs can perform SSL/TLS decryption and inspection, allowing them to examine encrypted traffic for threats. Traditional stateful firewalls only inspect packet headers and state information, leaving encrypted payloads unexamined. This capability is critical for detecting malware or data exfiltration hidden in HTTPS sessions.

Exam trap

Cisco often tests the misconception that NAT and VPNs are exclusive to NGFWs, when in fact they are common features of both traditional stateful firewalls and NGFWs.

13
MCQ · easy

Which security principle ensures that a user or system is granted only the minimum permissions necessary to perform a specific function?

A. Need-to-know
B. Least privilege
C. Separation of duties
D. Defense in depth
Answer: B

Directly refers to granting minimal necessary permissions.

Why this answer

The principle of least privilege dictates that a user, process, or system should be granted only the minimum permissions necessary to perform a specific function. In Cisco security contexts, this is enforced through features like Role-Based Access Control (RBAC) on Cisco IOS devices, where privilege levels (0-15) are assigned to restrict command access, or via TrustSec Security Group Tags (SGTs) that limit traffic flows to only required resources.

Exam trap

Cisco often tests least privilege by pairing it with 'need-to-know' as a distractor, hoping candidates confuse the data-centric 'need-to-know' with the permission-centric 'least privilege' principle.

How to eliminate wrong answers

Option A is wrong because need-to-know is an access control model that restricts access to data based on the user's requirement to know that information to perform their job, but it does not inherently limit the permissions to the minimum necessary for a function; it focuses on data classification and clearance levels, not on the granularity of permissions. Option C is wrong because separation of duties is a security principle that prevents a single individual from having conflicting responsibilities (e.g., both creating and approving a change), which reduces fraud risk, but it does not address the minimization of permissions for a single function. Option D is wrong because defense in depth is a layered security strategy that uses multiple overlapping controls (e.g., firewalls, IPS, VPNs) to protect assets, but it is not a principle that governs the granularity of permissions assigned to a user or system.

14
MCQ · hard

An engineer is troubleshooting an IPsec VPN between two Cisco routers. The tunnel is up, but traffic is not passing. The encryption domain on both sides is correctly configured. What is the most likely cause?

A. Mismatched IPSec transform sets
B. Routing loop
C. ACL on the WAN interface blocking ESP traffic
D. Mismatched IKE phase 1 parameters
Answer: C

ESP traffic (IP protocol 50) may be dropped by an inbound or outbound ACL.

Why this answer

When the IPsec tunnel is up but no traffic passes, the most common cause is that an ACL on the WAN interface is dropping ESP (IP protocol 50), or UDP 4500 when NAT-T is in use, while still permitting the IKE exchange on UDP 500. The IKE and IPsec SAs are established, so show crypto isakmp sa and show crypto ipsec sa look healthy, but the encrypted packets are discarded at the interface. The tell-tale check is the counter pair in show crypto ipsec sa: #pkts encaps climbing on one router while #pkts decaps stays at zero on the other means the ESP packets are being lost on the path or at the peer's inbound ACL. This is distinct from transform set or IKE mismatches, which would prevent the SAs from forming at all.

Exam trap

Cisco often tests the distinction between tunnel establishment (IKE phase 1 and 2) and data-plane forwarding, tricking candidates into thinking a tunnel being 'up' guarantees traffic flow, when in fact ACLs or firewall rules can block the encrypted payload.

How to eliminate wrong answers

Option A is wrong because mismatched IPsec transform sets would prevent the IPsec SAs from being established, causing the tunnel to fail or not come up, not remain up with no traffic. Option B is wrong because a routing loop would cause traffic to be forwarded in a cycle, not simply stop passing; the tunnel being up indicates the routers can communicate, but a loop would manifest as high CPU or TTL expiration, not a silent traffic drop. Option D is wrong because mismatched IKE phase 1 parameters (e.g., encryption, hash, DH group) would prevent IKE phase 1 from completing, so the tunnel would never reach an 'up' state.
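One IOS crypto-map configuration that ties questions 2, 10 and 14 together, added here as an example (not configuration from the page): the phase 1 policy that must match the peer (Q10), the crypto map that does nothing until it is applied to the outside interface (Q2), and the WAN ACL that has to admit IKE and ESP before its final deny (Q14). The peer 203.0.113.2, local address 198.51.100.1, the protected prefixes, all names and the PSK placeholder are assumptions.

```cisco
! Q10: phase 1 (ISAKMP) policy - every parameter here must match a policy on the peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <psk> address 203.0.113.2
!
! Phase 2 transform set (assumed)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: what the map will encrypt (assumed prefixes)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! Q14: the inbound WAN ACL must admit IKE (udp/500), NAT-T (udp/4500) and ESP (protocol 50)
! before the catch-all deny, or the tunnel negotiates fine and then drops every data packet
ip access-list extended WAN-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 deny ip any any log
!
! Q2: nothing is encrypted until the map is bound to the outside interface
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group WAN-IN in
 crypto map VPN-MAP
!
! Checks
! show crypto map          -> "Interfaces using crypto map VPN-MAP: GigabitEthernet0/0" (Q2)
! show crypto isakmp sa    -> QM_IDLE = phase 1 complete; MM_NO_STATE = phase 1 stuck (Q10)
! show crypto ipsec sa     -> #pkts encaps vs #pkts decaps; encaps rising with decaps at 0 = return path (Q14)
! debug crypto isakmp      -> retransmits with no reply (unreachable) vs. proposal rejected (policy mismatch)
```

The three symptoms map to three different places in this configuration: an empty interface list in show crypto map (Q2), an ISAKMP SA that never leaves MM_NO_STATE (Q10), and healthy SAs with lopsided encaps/decaps counters (Q14). The deny ip any any log line on the WAN ACL is what makes the Q14 case visible, since each dropped ESP packet then produces a log entry.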

15
MCQ · easy

A security administrator is tasked with implementing a solution that provides single sign-on (SSO) for users accessing multiple enterprise applications. The solution must support SAML 2.0 and integrate with the existing Microsoft Active Directory. Which component is essential for this architecture?

A. Certificate Authority (CA)
B. RADIUS server
C. Identity Provider (IdP)
D. Service Provider (SP)
Answer: C

The IdP authenticates users and generates SAML assertions for SSO.

Why this answer

Option C is correct because an Identity Provider (IdP) is the essential component that authenticates users against Microsoft Active Directory and issues SAML 2.0 assertions to enable single sign-on (SSO) across multiple enterprise applications. The IdP acts as the trusted source of identity, validating credentials and generating signed SAML tokens that Service Providers (SPs) accept without requiring separate logins.

Exam trap

Cisco often tests the distinction between the IdP and SP roles in SAML, and the trap here is that candidates mistakenly choose 'Service Provider' thinking it is the main component for SSO, when in fact the IdP is the central authentication authority that enables SSO across multiple SPs.

How to eliminate wrong answers

Option A is wrong because a Certificate Authority (CA) issues and manages digital certificates for encryption and signing, but it does not perform user authentication or issue SAML assertions, so it is not the core component for SSO with SAML 2.0. Option B is wrong because a RADIUS server provides AAA services for network access (e.g., VPN, wireless) using protocols like EAP, but it does not natively support SAML 2.0 or act as an identity provider for web-based SSO. Option D is wrong because a Service Provider (SP) is the application or resource that consumes SAML assertions to grant access, but it relies on an IdP to perform authentication and generate the assertions, making the IdP essential for the architecture.

16
Matching · medium

Match each protocol to its default port number.


443

22

53

25

161

Why these pairings

These are well-known port numbers for common protocols: 443 is HTTPS (HTTP over TLS), 22 is SSH, 53 is DNS (UDP and TCP), 25 is SMTP, and 161 is SNMP on the agent side (traps from the agent to the manager use UDP 162, a frequent distractor).

17
MCQ · hard

An engineer is troubleshooting traffic drops on a Cisco Firepower Threat Defense (FTD) device. The traffic is allowed by the access control policy but is being dropped. Which feature should the engineer check to identify the cause of the drop?

A. Check the 'show access-list' output for the hit count.
B. Check the 'show route' output for routing issues.
C. Use the 'capture' command with trace option to see packet flow and drop reason.
D. Check the 'show conn' output for the connection state.
Answer: C

Captures packets and shows the disposition, including drops.

Why this answer

Option C is correct because the 'capture' command with the 'trace' option on Cisco FTD provides a detailed, packet-level analysis of how traffic is processed through the firewall pipeline. It shows each step (e.g., ingress, routing, access control, NAT, egress) and explicitly states the drop reason, such as 'action-drop' due to intrusion prevention, URL filtering, or security intelligence, even when the access control policy appears to allow the traffic. This is the only option that directly identifies the specific cause of a drop in the data path.

Exam trap

Cisco often tests the misconception that 'show access-list hit counts' or 'show conn' can diagnose drops, but the trap here is that FTD has multiple inspection layers (prefilter, SSL, intrusion, file, etc.) beyond the basic access control policy, and only a packet trace can pinpoint which layer caused the drop.

How to eliminate wrong answers

Option A is wrong because 'show access-list' hit counts only indicate whether an access control entry (ACE) was matched, not why traffic is dropped after matching; a hit count does not reveal drops due to deeper inspection features like SSL decryption, file policy, or intrusion policy. Option B is wrong because 'show route' checks routing table entries for destination reachability, but traffic drops on FTD often occur after routing decisions (e.g., at the application layer) and routing issues would typically cause a 'no route' drop, not a silent drop when the policy allows traffic. Option D is wrong because 'show conn' displays the state of established connections (e.g., established, time_wait) but does not show why a new packet was dropped before a connection was created; it is useful for connection state but not for identifying drop reasons in the pre-filter or inspection pipeline.
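The commands behind option C, as an added example rather than output from the page; the host addresses 10.1.1.20 and 192.0.2.10, the interface name and the capture name are assumptions.

```cisco
! Capture with trace on the ingress interface, scoped tightly to the flow being dropped
! (an unscoped capture on a busy interface fills its buffer in seconds)
capture CAP-WEB interface inside trace match tcp host 10.1.1.20 host 192.0.2.10 eq 443
!
! Reproduce the traffic from the client, then read the per-packet trace: each phase
! (ACCESS-LIST, NAT, ROUTE-LOOKUP, SNORT, ...) reports ALLOW or DROP with a reason
show capture CAP-WEB trace
!
! The same walk through the pipeline without live traffic: a synthetic packet
packet-tracer input inside tcp 10.1.1.20 49152 192.0.2.10 443 detailed
!
! If LINA hands the packet to Snort and it disappears there, trace the Snort verdict
! from the FTD (>) prompt, not the LINA prompt
! > system support trace
!
! Remove the capture when finished; captures consume CPU and memory
no capture CAP-WEB
```

Read the trace for the first packet of the flow, the SYN: later segments of an already-dropped connection are themselves dropped with a less informative reason. If the capture shows the SYN leaving the box but the server's SYN-ACK never appears in a second capture on the outside interface, the problem is beyond the firewall and the drop reason is the firewall's view of a half-open connection, not the cause.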

18
MCQ · medium

A network administrator is configuring Cisco Firepower Threat Defense (FTD) in routed mode to provide intrusion prevention (IPS) for internal traffic. They create an access control rule that allows traffic from the internal network (10.0.0.0/8) to the internet, and they attach an intrusion policy to this rule. After deploying the configuration, they generate known malicious traffic from a test host and observe that no alerts are triggered in the Firepower Management Center (FMC). The administrator checks the FTD and confirms that the Snort process is running, and the rule is at the top of the access control policy with action 'Allow'. What is the most likely cause of this issue?

A. The FTD is configured in transparent mode.
B. The traffic is being fast-pathed and bypassing the Snort engine.
C. The access control rule action is set to 'Allow' rather than 'Allow with Intrusion Prevention'.
D. The intrusion policy is not associated with the correct preprocessor.
Answer: C

IPS inspection requires the rule action to explicitly include intrusion prevention.

Why this answer

In Cisco Firepower Threat Defense (FTD), an access control rule with action 'Allow' permits traffic without sending it to the Snort intrusion inspection engine. To enable IPS, the rule action must be 'Allow with Intrusion Prevention', which explicitly invokes the intrusion policy. Since the rule was set to 'Allow', the malicious traffic bypassed Snort inspection entirely, so no alerts were generated.

Exam trap

Cisco often tests the distinction between 'Allow' and 'Allow with Intrusion Prevention' as a common pitfall, where candidates assume attaching an intrusion policy to any rule automatically invokes Snort inspection.

How to eliminate wrong answers

Option A is wrong because the FTD is confirmed to be in routed mode (as stated in the question), and transparent mode would neither stop Snort from running nor change how the rule action behaves. Option B is wrong because fast-pathing on FTD comes from a prefilter policy fastpath rule, which hands matching flows to the LINA engine before the access control policy is consulted at all; nothing in the scenario mentions a prefilter rule, and the symptom is fully explained by the rule action. Option D is wrong because the intrusion policy is attached to the rule; the problem is the rule action itself, not a preprocessor or network analysis policy association.

19
Multi-Select · hard

Which THREE of the following are common indicators of a DDoS attack at the network layer?

Select 3 answers
A. A spike in UDP traffic to a single target
B. Unusual traffic on non-standard TCP/UDP ports
C. A high number of TCP SYN packets from multiple sources
D. High CPU usage on network devices
E. A sudden increase in ICMP echo request packets from many IPs
Answers: A, C, E

UDP flood is a common network-layer DDoS.

Why this answer

A spike in UDP traffic to a single target is a classic indicator of a UDP flood attack, a common network-layer DDoS. Attackers send a high volume of UDP packets, often to random ports, overwhelming the target's ability to process them and consuming bandwidth. This is a direct Layer 3/4 attack that does not require a completed handshake, making it easy to generate and hard to mitigate without proper filtering.

Exam trap

Cisco often tests the distinction between network-layer (Layer 3/4) volumetric indicators and more generic anomalies: 'unusual traffic on non-standard ports' can point to scanning, a covert channel or an application-layer attack, but it is not on its own a Layer 3/4 flood signature, and 'high CPU on network devices' is a symptom shared by many unrelated problems (routing churn, broadcast storms, misconfiguration) rather than an attack indicator in itself.

20
MCQ · medium

Refer to the exhibit. An administrator has configured the router with zone-based firewall rules. Traffic from the DMZ zone to the OUTSIDE zone is being dropped, although traffic from the INSIDE zone to the OUTSIDE zone flows normally. The DMZ zone is configured with security-level 50 and the INSIDE zone with 100. What is the most likely cause of the dropped traffic?

A. The inspect action is not applied to the DMZ traffic class
B. No zone-pair is defined for traffic from DMZ to OUTSIDE
C. The class-default action in the policy-map drops all traffic from DMZ
D. The DMZ has a lower security-level than the INSIDE zone, causing traffic to be implicitly denied
Answer: B

The zone-pair is only defined for source INSIDE to destination OUTSIDE, leaving DMZ traffic without any policy.

Why this answer

The zone-pair is only defined for source INSIDE to destination OUTSIDE, so there is no policy applied to traffic from DMZ to OUTSIDE. The class-default inside the DMZ_OUT_POLICY would drop all traffic, but that policy is not applied to DMZ->OUTSIDE. Option B is correct because the DMZ zone is not included in any zone-pair.

Options C and D are incorrect because the policy-map itself is correct and security-levels are not used in ZBFW. Option A is incorrect because the inspect action is present for matched traffic.

21
MCQmedium

A network team is configuring Cisco FTD for a new branch office. They want to allow outbound web traffic but block all inbound traffic except for a specific public server. Which policy type should be used to allow the return traffic for outbound connections?

A.A stateless ACL
B.A stateful access rule
C.A NAT rule
D.SSL decryption
AnswerB

Stateful inspection tracks connections and allows return traffic automatically.

Why this answer

Cisco FTD uses a stateful firewall engine that tracks the state of outbound connections. When a stateful access rule permits outbound web traffic, the firewall automatically creates a dynamic pinhole for the return traffic, eliminating the need for explicit inbound rules. This is the correct policy type because it maintains session state and allows only related return packets, aligning with the requirement to block all other inbound traffic.

Exam trap

Cisco often tests the misconception that a stateless ACL can handle return traffic for outbound connections, but candidates forget that stateless firewalls require explicit inbound permit rules for return packets, whereas stateful firewalls automatically manage this via connection state tracking.

How to eliminate wrong answers

Option A is wrong because a stateless ACL evaluates each packet independently without tracking connection state, requiring explicit inbound rules for return traffic, which would violate the requirement to block all inbound traffic except for a specific public server. Option C is wrong because a NAT rule translates IP addresses but does not inherently permit or deny traffic; it must be paired with an access rule to control flow, and it does not handle stateful return traffic on its own. Option D is wrong because SSL decryption is used to inspect encrypted traffic for threats, not to allow return traffic for outbound connections; it operates on the application layer and does not manage firewall state.

22
MCQmedium

A company is deploying a new remote access solution for teleworkers. They need to ensure that only company-owned devices can connect, and that the devices meet security posture requirements. Which combination of technologies should be used?

A.Cisco AnyConnect VPN with posture assessment
B.IPsec VPN with pre-shared keys
C.DMVPN
D.SSL VPN without client
AnswerA

AnyConnect integrates with ISE for posture checks to enforce compliance.

Why this answer

Cisco AnyConnect VPN with posture assessment is correct because it provides both device authentication (ensuring only company-owned devices connect) and security posture checks (e.g., OS patch level, antivirus status, firewall enabled) via the Cisco Secure Client (formerly AnyConnect) and ISE (Identity Services Engine). This combination enforces compliance before granting network access, meeting the requirement for teleworker remote access.

Exam trap

Cisco often tests the distinction between user authentication and device posture assessment, where candidates mistakenly assume any VPN technology (like IPsec or SSL VPN) inherently provides device compliance checking, but only a client-based solution with posture assessment (e.g., AnyConnect + ISE) can enforce both device identity and security posture.

How to eliminate wrong answers

Option B is wrong because IPsec VPN with pre-shared keys only authenticates the VPN gateway or user, not the device itself, and lacks any posture assessment capability to verify security compliance. Option C is wrong because DMVPN is a dynamic multipoint VPN technology designed for site-to-site connectivity, not for teleworker remote access with device posture enforcement. Option D is wrong because SSL VPN without a client (clientless VPN) typically uses a web browser and cannot perform deep posture assessment or enforce device ownership policies, as it lacks the endpoint visibility and control that a full VPN client provides.

23
MCQhard

During a security audit, a penetration tester discovers that a Cisco ASA firewall is configured with a rule that permits traffic from the inside interface with a source IP address in the RFC 1918 range to the outside interface. The rule uses the 'inspect' command for HTTP and FTP. Which potential vulnerability does this configuration introduce?

A.FTP inspection permits anonymous login commands
B.The configuration allows traffic without network address translation (NAT)
C.The HTTP inspection may allow SQL injection attacks to bypass the firewall
D.The firewall may allow IP spoofing if antispoofing is not enabled
AnswerD

Permitting RFC 1918 addresses from the inside without antispoofing checks can allow an attacker to spoof internal IP addresses.

Why this answer

Option D is correct because the configuration permits traffic from RFC 1918 private IP addresses on the inside interface to the outside interface without any explicit antispoofing or Unicast Reverse Path Forwarding (uRPF) check. This allows an attacker on the inside network to spoof source IP addresses that appear to come from the inside subnet, bypassing the firewall's intended security boundary. Without antispoofing, the ASA will not verify that the source IP actually belongs to the inside network, enabling IP spoofing attacks.

Exam trap

Cisco often tests the misconception that 'inspect' commands automatically provide full security, when in reality they only perform stateful inspection and protocol compliance checks, not antispoofing protections such as uRPF.

How to eliminate wrong answers

Option A is wrong because FTP inspection on a Cisco ASA does not inherently permit anonymous login commands; it only inspects FTP control channel commands and dynamic data ports, but does not allow or block specific authentication methods like anonymous logins. Option B is wrong because the question does not mention any NAT configuration, and the absence of NAT is not a vulnerability—it is a design choice; the vulnerability is the lack of antispoofing, not the lack of NAT. Option C is wrong because HTTP inspection on the ASA is designed to enforce protocol compliance and can filter certain application-layer attacks, but it does not specifically prevent SQL injection; SQL injection is a web application vulnerability that occurs at the application layer, not a firewall inspection bypass.

24
MCQmedium

Refer to the exhibit. An engineer has configured IP Source Guard and DHCP Snooping. A host with MAC 00:11:22:33:44:55 on Gi0/0 is assigned IP 192.168.1.10 via DHCP. However, the host cannot ping its default gateway 192.168.1.1. What is the most likely cause?

A.The DHCP snooping database is not updated because interface Gi0/1 is not trusted
B.The static IP source binding is configured on the wrong VLAN
C.ARP inspection is not enabled, so the switch drops ARP replies
D.The 'ip verify source' command is missing the 'port-security' keyword
AnswerA

Gi0/1 is not configured as trusted, so DHCP replies from the server are dropped and the host may not obtain a valid lease; a static binding may exist, but dynamic bindings fail.

Why this answer

The host cannot ping its default gateway because DHCP Snooping marks interface Gi0/1 as untrusted by default. Since the DHCP server is connected to Gi0/1, the switch drops DHCP replies from that interface, preventing the DHCP snooping binding database from being updated with the host's IP address. Without a valid binding, IP Source Guard on Gi0/0 drops all IP traffic from the host, including pings to the gateway.

Exam trap

Cisco often tests the misconception that IP Source Guard works independently of DHCP Snooping, when in fact it relies entirely on the DHCP snooping binding database, and a missing trust configuration on the DHCP server-facing port is a common root cause.

How to eliminate wrong answers

Option B is wrong because the question states the host is assigned IP 192.168.1.10 via DHCP, and there is no mention of static bindings or VLAN mismatch; the issue is with DHCP snooping trust, not static binding configuration. Option C is wrong because Dynamic ARP Inspection (DAI) is not enabled by default and is not required for basic IP Source Guard operation; the problem is that IP Source Guard drops traffic due to missing DHCP snooping bindings, not ARP replies. Option D is wrong because the 'ip verify source' command does not require a 'port-security' keyword; the correct syntax is 'ip verify source' alone or with 'vlan dhcp-snooping', and port-security is a separate feature.

25
MCQhard

A financial institution with a flat Layer 2 network has experienced a ransomware incident where an infected workstation in the accounting department propagated laterally to a server in the finance department. The network spans 10 switches connected in a star topology with a collapsed core. The IT team wants to implement segmentation to contain such threats in the future, without requiring major hardware upgrades and with minimal change to IP addressing. The network currently uses a single VLAN with /16 subnet. Which of the following approaches would BEST achieve the segmentation goal, considering the constraints?

A.Use Spanning Tree Protocol with Private VLANs on all switches
B.Deploy a full-mesh VPN between all departments to encrypt and restrict traffic
C.Implement internal firewall zones using a next-generation firewall (NGFW) with application inspection and user identity
D.Deploy VLANs for each department and apply ACLs on the core router to restrict inter-VLAN traffic
AnswerC

An NGFW provides stateful, application-aware segmentation that can enforce micro-segmentation without IP changes and leverage existing VLAN trunking.

Why this answer

Implementing internal firewall zones with a next-generation firewall provides granular, stateful inspection and application-level segmentation. It can filter traffic between departments without changing IP addressing and leverages the existing switch infrastructure. VLANs with ACLs on the core router are stateless and can be bypassed; they also require re-addressing if each VLAN becomes a separate subnet, and ACLs on a core router do not provide the depth of inspection needed.

Deploying a VPN for all internal traffic is not scalable and adds latency. Using STP and PVLANs on switches can provide some isolation, but it does not prevent lateral movement at higher layers and is complex to manage across multiple switches without a fabric. Option C is the most effective given the constraints.

26
MCQmedium

An engineer is configuring Cisco ISE for guest access. The requirement is that guests must accept an acceptable use policy (AUP) before being granted network access. Which portal type should be used?

A.Sponsored guest portal
B.Hotspot guest portal
C.BYOD portal
D.Self-registration guest portal
AnswerD

Allows guests to register and accept AUP.

Why this answer

The self-registration guest portal is the correct choice because it allows guests to create their own credentials and, crucially, includes a configurable step where the user must accept an Acceptable Use Policy (AUP) before being granted network access. This portal type is specifically designed for scenarios where guests self-onboard and must acknowledge a policy, which is a core requirement for compliance in many guest access deployments.

Exam trap

The trap here is that candidates often confuse the 'hotspot guest portal' (which also shows a splash page) with the self-registration portal, but the hotspot portal does not require the user to create credentials or formally accept an AUP as a registration step—it only provides a simple click-through without identity creation.

How to eliminate wrong answers

Option A is wrong because a sponsored guest portal requires an existing employee (sponsor) to create the guest account, and while it can include an AUP, the primary mechanism for guest self-service with mandatory AUP acceptance is the self-registration portal, not the sponsored flow. Option B is wrong because a hotspot guest portal provides open, unauthenticated access (often with a simple click-through splash page) and does not require user registration or credential creation, so it lacks the self-registration step where an AUP is typically enforced. Option C is wrong because a BYOD portal is used for onboarding personal devices into the corporate network with certificate provisioning or posture assessment, not for guest access scenarios where an AUP must be accepted before network access is granted.

27
MCQhard

During a security incident, it is observed that a server behind a Cisco ASA is being accessed repeatedly with different source IPs in a short time. The firewall logs show many dropped packets to the server's IP on port 443. What is the most effective mitigation to reduce the impact while maintaining legitimate access?

A.Increase the connection timeout
B.Implement an access-list to allow only known source IPs
C.Configure a static route to null0 for the server's IP
D.Enable TCP Intercept with a low threshold
AnswerD

TCP Intercept mitigates SYN floods by intercepting and verifying connections.

Why this answer

TCP Intercept with a low threshold is the most effective mitigation because it protects the server from a SYN flood attack by intercepting TCP SYN packets and completing the three-way handshake on behalf of the server. This allows legitimate traffic to proceed while dropping excessive SYN requests from rapidly changing source IPs, which is exactly the behavior described in the scenario. Unlike other options, TCP Intercept dynamically manages connection attempts without blocking all unknown sources or disrupting legitimate access.

Exam trap

Cisco often tests the distinction between reactive mitigation (TCP Intercept) and static or blocking measures, leading candidates to choose access-lists or null routes that completely deny access instead of dynamically protecting the server.

How to eliminate wrong answers

Option A is wrong because increasing the connection timeout would only keep stale connections open longer, potentially exhausting resources and worsening the impact of the attack. Option B is wrong because implementing an access-list to allow only known source IPs is impractical for a public-facing server on port 443 (HTTPS), as it would block legitimate clients with unknown IPs and break normal web access. Option C is wrong because configuring a static route to null0 for the server's IP would drop all traffic to that server, including legitimate traffic, effectively taking the server offline rather than mitigating the attack while maintaining access.

28
MCQmedium

A network engineer is troubleshooting an issue where users on a specific VLAN cannot access the internet through a Cisco ASA firewall. The ASA has a default route pointing to the ISP router. The security policy includes an ACL that permits all traffic from the inside interface to the outside interface. What is the most likely cause of the problem?

A.The default route is misconfigured
B.DNS is not resolving domain names
C.NAT (Network Address Translation) is not configured
D.The ACL is blocking the traffic
AnswerC

Without NAT, private IP addresses cannot reach the internet because they are not routable.

Why this answer

The most likely cause is that NAT is not configured. Even though the ACL permits all traffic from inside to outside, the Cisco ASA requires NAT (or a NAT exemption rule) to translate private IP addresses to a routable public IP address when traffic traverses from a higher-security interface (inside) to a lower-security interface (outside). Without NAT, the ASA will drop the packets because it cannot determine how to route the private source addresses on the public internet, and the return traffic would have no way to reach the internal hosts.

Exam trap

Cisco often tests the misconception that an ACL permitting all traffic is sufficient for internet access, but the trap here is that the ASA requires NAT (or a NAT exemption) for traffic to traverse security levels, even when the ACL is permissive.

How to eliminate wrong answers

Option A is wrong because the default route is correctly pointing to the ISP router, and the issue is not about routing to the next hop but about address translation. Option B is wrong because DNS resolution is a separate function; even if DNS fails, users could still access the internet via IP addresses, and the problem states they cannot access the internet at all. Option D is wrong because the ACL explicitly permits all traffic from inside to outside, so it is not blocking the traffic.

29
MCQhard

A large enterprise with over 2,000 employees recently experienced a security breach. An attacker gained initial access through a phishing email and then moved laterally across the network to reach a critical database server. The network currently has a flat Layer 2 topology with all devices in a single large VLAN. The company wants to prevent lateral movement in the future while maintaining operational simplicity. They have a Cisco ISE deployment already but it is only used for wireless guest access. The security team is evaluating options. Option A: Deploy 802.1X with dynamic VLAN assignment across all wired ports. This would authenticate users and assign them to different VLANs based on identity. Option B: Implement micro-segmentation using Cisco TrustSec with Security Group Tags (SGTs) on the existing switches and enforce SGT-based policies on the firewalls. This would allow traffic control between groups regardless of IP. Option C: Install a next-generation firewall at the internet edge and enable IPS to block known attack signatures. Option D: Upgrade all access switches to support Private VLANs (PVLANs) and configure promiscuous ports for servers. Which solution BEST addresses the lateral movement problem while leveraging existing infrastructure?

A.Install a next-generation firewall at the internet edge and enable IPS.
B.Upgrade all access switches to support Private VLANs (PVLANs).
C.Deploy 802.1X with dynamic VLAN assignment across all wired ports.
D.Implement micro-segmentation using Cisco TrustSec with SGTs and enforce policies on firewalls.
AnswerD

SGTs allow traffic control based on group identity, preventing lateral movement even within the same subnet, and leverages existing ISE.

Why this answer

Option D is correct because Cisco TrustSec with Security Group Tags (SGTs) enables micro-segmentation at Layer 2, allowing traffic control between user groups and servers based on identity rather than IP address. This directly prevents lateral movement by enforcing policies that restrict which endpoints can communicate, even within the same VLAN, and it leverages the existing Cisco ISE deployment for policy management without requiring major topology changes.

Exam trap

Cisco often tests the distinction between network segmentation (VLANs/802.1X) and micro-segmentation (TrustSec/SGTs), where the trap is that candidates assume VLAN-based isolation is sufficient to prevent lateral movement, but it fails when an attacker compromises a device within the same VLAN or when VLAN hopping is possible.

How to eliminate wrong answers

Option A is wrong because installing a next-generation firewall at the internet edge with IPS only inspects traffic entering or leaving the network; it does not control lateral movement within the internal flat Layer 2 network, so an attacker who has already gained access can still move freely between devices. Option B is wrong because Private VLANs (PVLANs) isolate ports within a VLAN but require promiscuous ports for servers, which creates a single point of compromise; they also do not provide identity-based policy enforcement and would require significant reconfiguration of all access switches, increasing complexity. Option C is wrong because 802.1X with dynamic VLAN assignment authenticates users and places them into different VLANs, but within a single VLAN, lateral movement is still possible; it does not provide granular per-flow or per-group segmentation like SGTs, and it relies on VLAN boundaries that can be bypassed by an attacker who compromises a device in a trusted VLAN.

30
MCQeasy

An organization wants to restrict administrative access to Cisco network devices based on the time of day and source IP address. Which technology should be used?

A.TACACS+ with per-command authorization
B.SNMPv3 with ACLs
C.802.1X with EAP-TLS
D.IPsec VPN with extended authentication
AnswerA

TACACS+ allows granular control over administrative access, including time and source IP.

Why this answer

TACACS+ is the correct choice because it supports per-command authorization, which allows an administrator to define granular access policies based on attributes such as time of day and source IP address. This is achieved through the TACACS+ authorization process, where the AAA server evaluates the user's request against configured authorization rules before granting access to specific commands or sessions.

Exam trap

Cisco often tests the distinction between TACACS+ and RADIUS, where candidates mistakenly choose RADIUS-based options (like 802.1X) for device administration, not realizing that TACACS+ is the only protocol that supports per-command authorization and time-based access control for CLI access.

How to eliminate wrong answers

Option B is wrong because SNMPv3 with ACLs provides authentication and encryption for network management traffic but does not support per-command authorization or time-based access control for administrative CLI access. Option C is wrong because 802.1X with EAP-TLS is a port-based network access control method used for endpoint authentication at Layer 2, not for authorizing administrative commands on network devices. Option D is wrong because IPsec VPN with extended authentication secures remote connectivity and authenticates users, but it does not provide per-command authorization or time-of-day restrictions for device administration.

31
MCQhard

An organization discovers that a man-in-the-middle attack was successfully performed using a forged certificate issued by a trusted CA. The legitimate CA’s private key was compromised. Which PKI component was breached?

A.Certification Authority (CA) private key
B.Online Certificate Status Protocol (OCSP) responder
C.Registration Authority (RA)
D.Certificate Revocation List (CRL)
AnswerA

The CA private key is used to sign certificates; its compromise allows forging.

Why this answer

The correct answer is A because the man-in-the-middle attack succeeded due to a forged certificate issued by a trusted CA, which directly implies that the CA's private key was compromised. The CA's private key is the root of trust in a PKI; if it is stolen, an attacker can sign fraudulent certificates that will be trusted by all clients that trust the CA. Without the private key, the attacker could not have created a valid forged certificate.

Exam trap

Cisco often tests the distinction between components that issue certificates (CA) versus those that verify or manage status (OCSP, RA, CRL), and the trap here is confusing the CA's signing role with the RA's identity-verification role or the OCSP/CRL's status-checking role.

How to eliminate wrong answers

Option B is wrong because the OCSP responder provides real-time certificate status (valid, revoked, unknown) but does not issue certificates or hold the CA's signing key; compromising it would not allow forging certificates. Option C is wrong because the Registration Authority (RA) is responsible for verifying identity and forwarding certificate requests to the CA, but it does not hold the CA's private key and cannot sign certificates. Option D is wrong because the Certificate Revocation List (CRL) is a published list of revoked certificates; compromising it would not enable an attacker to forge new certificates, only to hide revocations.

32
Multi-Selecteasy

Which TWO of the following are common security objectives of the Cisco TrustSec solution? (Choose two.)

Select 2 answers
A.Microsegmentation of network traffic
B.VPN termination for remote users
C.End-to-end data encryption
D.Network topology discovery
E.Role-based access control using security group tags (SGTs)
AnswersA, E

TrustSec allows granular segmentation based on security groups.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to enforce microsegmentation by classifying traffic based on user, device, or role rather than IP addresses. This allows granular policy enforcement at the access layer, reducing lateral movement within the network. Microsegmentation is a core security objective of TrustSec, enabling dynamic, identity-based access control.

Exam trap

Cisco often tests the distinction between TrustSec's microsegmentation (using SGTs) and encryption (e.g., IPsec or MACsec), so the trap here is assuming that TrustSec provides end-to-end encryption when it actually focuses on access control and segmentation, not data confidentiality.

33
MCQeasy

An engineer is troubleshooting a Cisco ASA firewall and notices that traffic from a specific subnet is being dropped. The engineer wants to verify if the drop is due to an access control list (ACL) or an inspection policy. Which command should be used to see the reason for packet drops?

A.show access-list
B.show asp drop
C.show conn
D.show service-policy
AnswerB

Displays packet drop counters with reasons, including ACL and inspection drops.

Why this answer

The 'show asp drop' command displays packet drop statistics from the Accelerated Security Path (ASP) on a Cisco ASA. It provides a detailed breakdown of why packets are dropped, including drops due to ACLs, inspection policies, or other security checks. This makes it the correct tool to differentiate between ACL and inspection policy drops.

Exam trap

Cisco often tests the distinction between commands that show configuration or active connections versus commands that show drop reasons, leading candidates to mistakenly choose 'show access-list' or 'show service-policy' because they think hit counts or policy statistics will reveal the drop cause.

How to eliminate wrong answers

Option A is wrong because 'show access-list' only displays the configured ACL entries and their hit counts, but does not show the specific reason for packet drops or differentiate between ACL and inspection policy drops. Option C is wrong because 'show conn' shows active connections in the connection table, not dropped packets or the reason for drops. Option D is wrong because 'show service-policy' displays the configuration and statistics of service policies (e.g., inspection policies), but does not show the specific reason for packet drops or provide drop counters.

34
Multi-Selectmedium

Which TWO of the following are valid methods for authenticating VPN users in a Cisco AnyConnect deployment?

Select 2 answers
D.LDAP
AnswersC, D

RADIUS is commonly used for VPN authentication.

Why this answer

Cisco AnyConnect VPN authentication can be performed using RADIUS, which is a widely supported AAA protocol. RADIUS enables centralized authentication, authorization, and accounting for VPN users, and it is natively integrated with Cisco ASA and Firepower Threat Defense (FTD) appliances for remote access VPNs.

Exam trap

Cisco often tests the distinction between AAA protocols for device administration (TACACS+) versus user authentication (RADIUS/LDAP), and the trap here is that TACACS+ is a valid AAA protocol but is not used for VPN user authentication in AnyConnect.

35
MCQeasy

Which security concept involves creating multiple layers of defense so that if one layer is breached, subsequent layers still provide protection?

A.Zero Trust
B.Defense in depth
C.Separation of duties
D.Least privilege
AnswerB

Layered security approach.

Why this answer

Defense in depth is a security architecture strategy that layers independent defensive mechanisms (e.g., firewalls, IDS/IPS, endpoint protection, encryption) so that if one layer is compromised, subsequent layers continue to protect the asset. This concept is fundamental to the 350-701 exam as it underpins Cisco's SecureX and integrated security fabric approach, where multiple controls (like ASA, Firepower, and Umbrella) work together to provide resilience against breaches.

Exam trap

Cisco often tests the distinction between Defense in depth and Zero Trust by presenting a scenario where multiple security controls are used, and candidates mistakenly choose Zero Trust because they associate 'multiple layers' with 'never trust, always verify,' but Zero Trust is about identity verification and micro-segmentation, not the layered stacking of independent defenses.

How to eliminate wrong answers

Option A is wrong because Zero Trust is a security model that assumes no implicit trust and requires continuous verification of every access request, but it does not inherently describe the layered stacking of defenses; it focuses on identity and context-based access control rather than multiple independent layers. Option C is wrong because Separation of duties is an administrative control that prevents a single individual from having excessive privileges or performing conflicting tasks (e.g., one person approves changes, another implements them); it does not create multiple technical defense layers. Option D is wrong because Least privilege is a principle that grants users only the minimum permissions needed to perform their job functions; it reduces the attack surface but does not involve stacking multiple defensive technologies to protect against successive breaches.

36
MCQeasy

Which type of firewall is best suited to inspect application-layer traffic and protect against exploits like SQL injection?

A.Stateful firewall
B.Application proxy firewall
C.Packet-filtering firewall
D.Next-generation firewall with IPS and application visibility
AnswerD

Provides application-layer inspection and protection.

Why this answer

A next-generation firewall (NGFW) with IPS and application visibility is best suited to inspect application-layer traffic and protect against exploits like SQL injection because it combines deep packet inspection (DPI), signature-based IPS, and application-level awareness. Unlike simpler firewalls, an NGFW can decode HTTP/HTTPS payloads, match patterns against SQL injection signatures (e.g., ' OR 1=1 --), and block malicious traffic at Layer 7 while maintaining stateful inspection.

Exam trap

Cisco often tests the misconception that a stateful firewall is sufficient for application-layer threats, but the trap here is that stateful firewalls only inspect up to Layer 4 and cannot detect payload-based exploits like SQL injection, which require Layer 7 inspection and IPS capabilities.

How to eliminate wrong answers

Option A is wrong because a stateful firewall only tracks connection state (TCP handshake, sequence numbers) and inspects up to Layer 4, lacking the ability to parse application-layer payloads for SQL injection patterns. Option B is wrong because an application proxy firewall (a dedicated proxy) can inspect application traffic but is often slower, less scalable, and lacks integrated IPS signatures; the question asks for the 'best suited' modern solution, which is an NGFW with IPS and application visibility. Option C is wrong because a packet-filtering firewall operates only at Layers 3 and 4, filtering based on IP addresses, ports, and protocols, with no application-layer inspection to detect SQL injection.

37
Multi-Selecteasy

Which TWO of the following are components of Cisco TrustSec?

Select 2 answers
B.Security Group Tag (SGT)
C.Security Group Access Control List (SGACL)
D.MACsec
AnswersB, C

SGTs carry group membership information in packets.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on identity and enforce access control policies. SGTs are 16-bit values assigned to users or devices, and they are carried in the packet header (e.g., via Cisco Metadata or inline tagging) to allow policy enforcement at the network layer.

Exam trap

Cisco often tests the distinction between authentication/encryption protocols (802.1X, MACsec, IPsec) and the actual policy enforcement components (SGT and SGACL) of TrustSec, leading candidates to select 802.1X or MACsec as TrustSec components when they are merely supporting technologies.

38
MCQeasy

A company is implementing Cisco Umbrella to provide DNS-layer security. They want to block access to known malicious domains while allowing all other traffic. Which policy configuration should be used?

A.Create a block list with known malicious domains
B.Enable selective proxy for all traffic
C.Create an allow list with only safe domains
D.Use a custom policy with both allow and block lists
AnswerA

Block list allows all traffic except specified malicious domains.

Why this answer

Cisco Umbrella's DNS-layer security operates by intercepting DNS queries and comparing them against policy-defined lists. A block list containing known malicious domains is the correct approach because Umbrella will block DNS resolution for those domains while allowing all other traffic to pass through normally. This aligns with the requirement to block only malicious destinations without affecting access to legitimate sites.

Exam trap

Cisco often tests the distinction between DNS-layer security (which uses block lists for domain resolution) and proxy-based security (which inspects full HTTP/HTTPS traffic), leading candidates to mistakenly select proxy options like selective proxy when only DNS-layer blocking is needed.

How to eliminate wrong answers

Option B is wrong because enabling selective proxy for all traffic would route all web traffic through Umbrella's proxy, which is unnecessary for DNS-layer blocking and could introduce latency or break non-HTTP traffic. Option C is wrong because an allow list with only safe domains would block all traffic except those explicitly allowed, which is the opposite of the requirement to allow all other traffic. Option D is wrong because while custom policies can combine allow and block lists, the requirement specifically calls for blocking known malicious domains while allowing everything else, making a simple block list the most direct and correct configuration.

39
MCQhard

Refer to the exhibit. The crypto map is applied to an interface. Which additional configuration is necessary for IPsec to function correctly?

A.Define an extended access list for interesting traffic
B.Create a tunnel interface and apply the crypto map to it
C.Create a transform-set with the same parameters as the proposal
D.Configure an ISAKMP policy (IKE phase 1) with pre-shared key or certificate
AnswerD

IKE phase 1 must be configured to establish a secure channel before IPsec can work.

Why this answer

IPsec requires both IKE Phase 1 (ISAKMP) and Phase 2 to be configured. The crypto map references a transform-set and an access list, but without an ISAKMP policy defining authentication (pre-shared key or certificate) and encryption/hash parameters, IKE cannot establish a secure control channel. Option D is correct because the ISAKMP policy is mandatory for IKE Phase 1 negotiation before IPsec SAs can be created.

Exam trap

Cisco often tests the misconception that a crypto map alone is sufficient for IPsec, hiding the fact that IKE Phase 1 (ISAKMP policy) is a prerequisite that must be configured separately, leading candidates to overlook it when other options like transform-sets or access lists are already present.

How to eliminate wrong answers

Option A is wrong because an extended access list for interesting traffic is already referenced in the crypto map (as shown in the exhibit), so it is not missing. Option B is wrong because a tunnel interface is not required for site-to-site IPsec; the crypto map is applied directly to the physical or sub-interface, and creating a tunnel interface would be an unnecessary overlay. Option C is wrong because a transform-set is already defined and referenced in the crypto map; creating another with the same parameters would be redundant and not address the missing IKE Phase 1 configuration.

40
MCQmedium

A network security engineer is deploying Cisco Firepower Threat Defense (FTD) in a data center. The requirement is to inspect traffic between two internal VLANs while allowing the firewall to enforce access control policies based on source and destination zones. Which deployment mode should the engineer use?

A.Routed mode
B.Inline mode
C.Transparent mode
D.Hybrid mode
AnswerC

Transparent mode operates at layer 2, allowing inspection between VLANs without IP renumbering.

Why this answer

Transparent mode (Layer 2 mode) is correct because the requirement specifies inspecting traffic between two internal VLANs without routing. In transparent mode, the FTD acts as a bridge, forwarding frames based on MAC addresses while enforcing access control policies based on source and destination zones. This allows the firewall to inspect inter-VLAN traffic without requiring IP address changes or acting as a default gateway.

Exam trap

Cisco often tests the distinction between 'transparent mode' and 'inline mode'—the trap here is that candidates confuse 'inline' (a deployment topology for IPS sensors) with 'transparent' (a Layer 2 firewall mode), leading them to incorrectly select inline mode when the question asks about firewall deployment modes for FTD.

How to eliminate wrong answers

Option A is wrong because routed mode operates at Layer 3, requiring the FTD to be the next-hop gateway for each VLAN, which would change the network topology and introduce routing decisions not needed for internal VLAN-to-VLAN inspection. Option B is wrong because inline mode is a deployment method for IPS/IDS sensors (e.g., passive or inline tap), not a firewall mode; the FTD does not have an 'inline mode' as a standalone deployment mode—it is either routed, transparent, or hybrid. Option D is wrong because hybrid mode is not a standard deployment mode for FTD; the FTD supports routed and transparent modes, and while it can run multiple virtual firewalls in different modes, 'hybrid mode' is not a selectable deployment mode for a single FTD device.

41
MCQmedium

A company deploys Cisco ASA with clientless SSL VPN to provide remote access to internal web-based applications. Users connect via a web browser and authenticate using RADIUS. The security policy requires that users re-authenticate after 15 minutes of inactivity. The administrator configures the group-policy with 'vpn-idle-timeout 15' and 'vpn-session-timeout 60'. After testing, the administrator finds that users can still access the internal web applications even after the VPN session has timed out. The administrator checks the ASA logs and confirms that the VPN session is indeed terminated. The web applications are standard HTTP-based and do not have their own session timeout mechanisms. What is the most likely cause of this issue?

A.The web applications use persistent cookies that do not require re-authentication.
B.The clientless SSL VPN portal uses 'application-specific' timeout settings.
C.The RADIUS server is sending the 'Session-Timeout' attribute that overrides the ASA configuration.
D.The ASA is configured with 'webvpn' and 'cache' enabled, which caches the application pages.
AnswerA

Persistent cookies maintain the application session independently of the VPN session.

Why this answer

Option A is correct because clientless SSL VPN uses a web portal that relies on cookies to maintain the user's authenticated state. When the VPN session times out, the ASA terminates the VPN tunnel, but the web browser still holds the authentication cookie for the internal web application. Since the web application itself has no session timeout, the cookie remains valid, allowing the user to continue accessing the application without re-authentication.

The ASA's vpn-idle-timeout and vpn-session-timeout only control the VPN tunnel, not the application-layer cookies.

Exam trap

Cisco often tests the distinction between VPN-layer timeouts and application-layer session persistence, trapping candidates who assume that terminating the VPN tunnel automatically invalidates all application access.

How to eliminate wrong answers

Option B is wrong because 'application-specific' timeout settings in clientless SSL VPN are not a standard feature; the ASA does not have per-application timeout configurations that override the group-policy timeouts. Option C is wrong because the RADIUS 'Session-Timeout' attribute, if sent, would override the ASA's vpn-session-timeout, but the issue is that users can still access applications after the VPN session ends, which is not caused by an override—it's a cookie persistence problem. Option D is wrong because the 'webvpn cache' feature caches static content like images and CSS to improve performance, not authentication tokens or session state; it does not allow continued access after session termination.

42
Matchingmedium

Match each Cisco security solution to its primary use case.

Matches

Next-generation firewall and IPS

DNS-layer security and web filtering

Endpoint threat detection and response

Network access control and policy enforcement

Network traffic analysis and anomaly detection

Why these pairings

These are primary use cases for Cisco security products.

43
Multi-Selecteasy

Which TWO of the following are core components of the Cisco Identity Services Engine (ISE) for policy enforcement?

Select 2 answers
A.Active Directory Integration
B.EAP-TLS
C.Policy Service Node (PSN)
D.Firepower Threat Defense
E.Network Access Device (NAD)
AnswersA, C

ISE integrates with Active Directory to retrieve user and group information for policy.

Why this answer

The Policy Service Node (PSN) is responsible for policy decision and enforcement, and Active Directory integration is a key component for identity mapping. NAD (Network Access Device) is an external device that ISE controls, not a component of ISE itself. EAP-TLS is an authentication protocol, and Firepower is a separate security product.

44
Multi-Selecthard

Which TWO of the following are true about MACsec?

Select 2 answers
A.It requires a PKI
B.It uses IEEE 802.1AE standard
C.It provides data confidentiality only
D.It is used for WLAN security
E.It operates at Layer 2
AnswersB, E

MACsec is defined by IEEE 802.1AE.

Why this answer

MACsec is defined by the IEEE 802.1AE standard, which specifies a security protocol for providing data confidentiality, integrity, and origin authenticity at Layer 2. It operates directly on Ethernet frames, encrypting the payload while preserving the frame header for transparent forwarding. This makes option B correct because the standard is the foundational reference for MACsec, and option E correct because the protocol works on Ethernet frames at the link layer rather than on IP packets.

Exam trap

Cisco often tests the misconception that MACsec is a Layer 3 or application-layer security protocol, but the trap here is that candidates confuse it with IPsec (Layer 3) or WLAN security (Layer 2 but wireless), when MACsec is strictly a Layer 2 wired Ethernet security standard.

45
Multi-Selectmedium

Which TWO of the following are valid approaches to mitigate ARP spoofing attacks on a switched network?

Select 2 answers
A.Enable BPDU Guard on all switchports
B.Enable Dynamic ARP Inspection (DAI) on VLANs
C.Enable IP Source Guard on untrusted ports
D.Enable Port Security on all access ports
E.Enable DHCP Snooping globally
AnswersB, C

DAI validates ARP packets and drops invalid ones.

Why this answer

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. It relies on a DHCP snooping binding database to map IP addresses to MAC addresses, and it drops ARP packets that have invalid IP-to-MAC bindings, thereby preventing ARP spoofing attacks on a switched network.

Exam trap

Cisco often tests the dependency chain: candidates may think DHCP Snooping alone mitigates ARP spoofing, but it only provides the database; DAI is the feature that actually enforces ARP validation.

46
Multi-Selecthard

Which THREE of the following are key principles of the Cisco Zero Trust security model?

Select 3 answers
A.Never trust, always verify
B.Continuous monitoring and validation
C.Implicit trust for internal traffic
D.Perimeter-based security
E.Least privilege access
AnswersA, B, E

Core principle of zero trust.

Why this answer

Option A is correct because 'Never trust, always verify' is the foundational principle of the Cisco Zero Trust security model, which mandates that no user, device, or network segment is trusted by default, regardless of its location relative to the network perimeter. This principle eliminates implicit trust and requires authentication and authorization for every access request, aligning with the Zero Trust architecture defined in NIST SP 800-207.

Exam trap

Cisco often tests the misconception that Zero Trust still allows implicit trust for internal traffic or relies on a strong perimeter, when in fact the model explicitly removes all location-based trust and requires continuous verification for every access attempt.

47
Multi-Selectmedium

Which TWO of the following are best practices for securing Cisco routers against unauthorized access? (Choose two.)

Select 2 answers
A.Enable SNMP read-write community string for monitoring
B.Use the 'service password-enforcement' command to encrypt passwords with type 7
C.Disable unused services like HTTP server and CDP
D.Configure authentication using HTTP with local username/password
E.Use SSH version 2 for remote access
AnswersC, E

Disabling unnecessary services reduces the attack surface.

Why this answer

C is correct because disabling unused services like HTTP server and CDP reduces the attack surface of the router. The HTTP server can be exploited for web-based attacks, and CDP can leak sensitive network topology information. Cisco best practices recommend disabling all unnecessary services to minimize exposure.

Exam trap

Cisco often tests the distinction between 'service password-encryption' (type 7) and the stronger 'enable secret' (MD5 hash), leading candidates to mistakenly think type 7 encryption is secure.

48
MCQeasy

A company deploys Cisco Firepower Threat Defense (FTD) in transparent mode. They create an access control rule to allow HTTP traffic from the inside network (10.10.10.0/24) to a web server at 192.168.1.100. The rule is configured with action 'Allow', a source zone 'inside', a destination zone 'outside', and an intrusion policy attached. After deployment, users report they cannot access the web server. The administrator verifies that the web server is reachable from other networks and that the FTD management interface is accessible. The FTD's packet capture shows no traffic matching the rule. The rule is listed first in the access control policy. What is the most likely cause of the problem?

A.The intrusion policy is blocking the traffic.
B.The web server's IP address is not correctly defined in the network object.
C.The rule's action is set to 'Monitor' instead of 'Allow'.
D.The FTD is in transparent mode, so it does not use zones; the rule should be assigned to an interface pair.
AnswerD

Transparent mode FTD requires rules to be applied to specific interface pairs, not security zones.

Why this answer

In transparent mode, Cisco Firepower Threat Defense (FTD) operates as a Layer 2 bridge and does not use security zones. Instead, traffic is controlled by interface pairs. The rule configured with source and destination zones will never match traffic because transparent mode bypasses zone-based policy enforcement.

The correct approach is to assign the rule to an interface pair (e.g., inside to outside) rather than zones.

Exam trap

Cisco often tests the distinction between routed and transparent mode, specifically that transparent mode uses interface pairs instead of zones, leading candidates to overlook this fundamental difference and incorrectly assume zone-based rules work in all modes.

How to eliminate wrong answers

Option A is wrong because an intrusion policy attached to an Allow rule does not block traffic by default; it only inspects and alerts or drops based on signatures, and the packet capture shows no traffic matching the rule, indicating the rule itself is not being hit. Option B is wrong because the web server's IP address being incorrectly defined in a network object would cause a different rule to match or no match at all, but the packet capture shows no traffic matching the rule, pointing to a zone/interface mismatch rather than an object definition issue. Option C is wrong because if the rule's action were set to 'Monitor', traffic would still match the rule and appear in packet captures, but the users would be unable to access the web server only if a subsequent rule blocked it; the capture shows no match, so the action is not the problem.

49
MCQeasy

Which Cisco ISE node is responsible for authenticating endpoints and enforcing access policies?

A.Administration Node
B.pxGrid
C.Policy Service Node (PSN)
D.Monitoring Node
AnswerC

PSN performs authentication and policy enforcement.

Why this answer

The Policy Service Node (PSN) is the Cisco ISE component that performs endpoint authentication, authorization, and accounting (AAA) and enforces access policies by processing RADIUS requests from network access devices (NADs). It handles posture assessment, guest services, and client provisioning, making it the direct enforcement point for network access control.

Exam trap

Cisco often tests the distinction between management, monitoring, and enforcement roles, and the trap here is confusing the Administration Node (which defines policies) with the Policy Service Node (which enforces them), leading candidates to pick the Administration Node as the enforcement point.

How to eliminate wrong answers

Option A is wrong because the Administration Node manages the ISE configuration, certificates, and policy definitions but does not process authentication or enforce policies in real time. Option B is wrong because pxGrid (Platform Exchange Grid) is a data-sharing protocol for context exchange between ISE and other security systems, not an authentication or policy enforcement node. Option D is wrong because the Monitoring Node collects logs, metrics, and alerts for auditing and troubleshooting, but it does not participate in the authentication or enforcement of access policies.

50
Multi-Selectmedium

Which TWO methods can be used to enforce least privilege within a network infrastructure? (Choose two.)

Select 2 answers
A.Use Cisco TrustSec with SGTs and security group policies.
B.Use a single administrator account with full privileges for all IT staff.
C.Place all users in the same VLAN without ACLs.
D.Configure source NAT on the firewall to hide internal addresses.
E.Implement role-based access control (RBAC) on network devices.
AnswersA, E

SGTs enforce access based on group membership.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on user or device identity, not just IP addresses. Security group policies then enforce least privilege by allowing or denying communication between SGTs, ensuring that only necessary traffic flows between endpoints.

Exam trap

Cisco often tests the misconception that NAT or VLAN segmentation alone enforces least privilege, when in fact they lack identity-based or role-based access control required for true least privilege.

51
MCQeasy

After applying a new extended ACL inbound on an interface, users report they can no longer reach a critical server on a different subnet. The ACL permits the server's IP and required ports. What is the most likely cause?

A.The router has run out of memory for ACL processing.
B.The ACL is applied in the outbound direction instead of inbound.
C.The ACL is applied to the wrong interface.
D.The ACL is missing a permit for necessary traffic (e.g., return traffic or ARP), triggering the implicit deny.
AnswerD

Extended ACLs end with implicit deny; missing permit for other traffic blocks communication.

Why this answer

When an extended ACL is applied inbound on an interface, it filters traffic entering that interface before the routing decision. Even if the ACL permits the destination server's IP and required ports, it must also permit the return traffic (e.g., TCP acknowledgments, ICMP replies) from the server back to the users. If the ACL does not explicitly permit this return traffic, the implicit deny at the end of the ACL will drop it, breaking connectivity.

This is the most common cause of connectivity loss after applying an inbound ACL.

Exam trap

Cisco often tests the concept that an inbound ACL filters traffic before the routing decision, and candidates mistakenly focus only on the destination server's IP and ports, forgetting that return traffic must also be explicitly permitted to avoid the implicit deny.

How to eliminate wrong answers

Option A is wrong because ACL processing does not require significant memory; routers use TCAM or CPU-based lookups that are deterministic and do not fail due to memory exhaustion under normal conditions. Option B is wrong because the question states the ACL is applied inbound, and applying it outbound would filter traffic leaving the interface, which would not directly cause users to lose access to a server on a different subnet (the problem would manifest differently, such as inability to send traffic out). Option C is wrong because the question specifies the ACL is applied to the correct interface; if it were applied to the wrong interface, the symptoms would likely affect different traffic flows, not specifically the server reachability issue described.

52
MCQmedium

Refer to the exhibit. A network administrator applies the ACL to the interface. What is the effect on traffic inbound to the interface?

A.All TCP traffic is permitted; other IP traffic is denied
B.Only TCP traffic destined to 192.168.1.100 on port 80 is permitted; all other IP traffic is denied
C.All IP traffic is permitted
D.The ACL is applied outbound, so it has no effect on inbound traffic
AnswerB

The ACL permits only HTTP to that host and denies the rest.

Why this answer

The ACL is applied inbound on the interface and contains a single entry that permits TCP traffic from any source to destination 192.168.1.100 on port 80. Because there is an implicit deny all at the end of every standard and extended ACL, only traffic matching this specific permit statement is allowed; all other IP traffic is denied.

Exam trap

Cisco often tests the implicit deny all at the end of ACLs, and the trap here is that candidates may overlook that only the explicitly permitted traffic is allowed, assuming that a single permit statement implies all other traffic is also permitted.

How to eliminate wrong answers

Option A is wrong because the ACL does not permit all TCP traffic; it only permits TCP traffic destined to 192.168.1.100 on port 80, and other TCP traffic is denied by the implicit deny. Option C is wrong because the ACL explicitly restricts traffic, so not all IP traffic is permitted; only the specified TCP traffic is allowed. Option D is wrong because the ACL is applied inbound (ip access-group ACL_NAME in), not outbound, so it does affect inbound traffic.

53
Multi-Selecteasy

Which TWO benefits does centralized RADIUS authentication provide over local authentication on network devices? (Choose two.)

Select 2 answers
A.Centralized accounting and logging of all authentication attempts
B.Ability to change passwords or permissions in one place
C.Faster authentication because of local caching
D.Support for multiple authentication protocols like PAP, CHAP, EAP
E.No need for a backup authentication method
AnswersA, B

RADIUS server provides unified logs.

Why this answer

Centralized RADIUS authentication aggregates all authentication, authorization, and accounting (AAA) data on a single server. This provides a unified audit trail for all login attempts across network devices, enabling comprehensive logging and accounting that local authentication cannot offer. Local authentication logs are device-specific and lack centralized aggregation, making forensic analysis and compliance reporting more difficult.

Exam trap

Cisco often tests the misconception that centralized authentication is faster or eliminates the need for a backup method, when in reality it introduces dependency on network reachability and requires a fallback like local authentication for resilience.

54
MCQeasy

Refer to the exhibit. A user attempts to SSH to the router. The RADIUS server is unreachable. What will happen?

A.The user will be denied access because RADIUS is unreachable
B.The router will try TACACS+ as a fallback
C.The user will be authenticated using the local database
D.The user will be authenticated using RADIUS after a timeout
AnswerC

When RADIUS is unreachable, the router uses local authentication.

Why this answer

When RADIUS is unreachable and the router is configured for AAA authentication, the default behavior is to fall back to the local database if the 'local' keyword is included in the authentication method list. In this scenario, the user will be authenticated using the local database because the RADIUS server is unreachable, and the router has a local user account configured. This is a standard AAA fallback mechanism to ensure administrative access is not completely lost.

Exam trap

Cisco often tests the misconception that a RADIUS timeout will eventually allow authentication, but the trap here is that the router immediately falls back to the next method in the list (local) when the server is unreachable, not after a timeout.

How to eliminate wrong answers

Option A is wrong because the router does not immediately deny access; it falls back to the local database if configured. Option B is wrong because TACACS+ is only tried as a fallback if it is explicitly listed in the authentication method list; the exhibit does not show TACACS+ in the method list. Option D is wrong because RADIUS authentication will not proceed after a timeout; the router will move to the next method in the list (local) immediately upon RADIUS being unreachable.

55
MCQmedium

A company deploys Cisco ISE for network access control. They want to enforce that only employees with a valid certificate and a compliant posture can access the corporate Wi-Fi. Which policy combination should be used?

A.Authorization profile with dACL and a Posture Enforcement Policy (PEP)
B.Authentication using PEAP-MSCHAPv2 and a Posture Enforcement Policy (PEP)
C.Authentication using EAP-TLS and a Posture Enforcement Policy (PEP)
D.Guest portal with self-registration and a Posture Enforcement Policy (PEP)
AnswerC

EAP-TLS uses certificates for authentication, and PEP enforces posture compliance.

Why this answer

Option C is correct because EAP-TLS provides certificate-based mutual authentication, ensuring only employees with a valid certificate can authenticate. The Posture Enforcement Policy (PEP) then checks the endpoint's compliance (e.g., antivirus, patch level) before granting network access. This combination meets the requirement for both certificate validation and posture compliance enforcement on corporate Wi-Fi.

Exam trap

Cisco often tests the distinction between authentication protocols (EAP-TLS vs. PEAP-MSCHAPv2) and their ability to enforce certificate-based access, leading candidates to mistakenly choose PEAP-MSCHAPv2 (Option B) because it is commonly used with machine certificates, but it does not require a client certificate for user authentication.

How to eliminate wrong answers

Option A is wrong because an authorization profile with a downloadable ACL (dACL) controls post-authentication permissions but does not enforce certificate-based authentication; it assumes the user is already authenticated. Option B is wrong because PEAP-MSCHAPv2 uses a username/password (or machine credentials) for authentication, not a certificate, so it cannot enforce that only employees with a valid certificate gain access. Option D is wrong because a guest portal with self-registration is designed for unauthenticated guests, not for employees with certificates, and it does not enforce certificate-based authentication.

56
MCQeasy

A network engineer is configuring a new firewall to enforce security policies between two internal VLANs. The goal is to allow only HTTP traffic from the finance VLAN to the HR VLAN, while blocking all other traffic. Which type of firewall rule should be applied to achieve this requirement with minimal administrative overhead?

A.Explicit deny rule
B.Implicit deny rule
C.Stateful rule
D.Default-permit rule
AnswerA

An explicit deny at the end of the rule base ensures that only explicitly permitted traffic (HTTP) is allowed, following best practice.

Why this answer

Option A is correct because an explicit deny rule is required to block all traffic except HTTP from finance to HR. While firewalls have an implicit deny at the end of the rulebase, the requirement to 'block all other traffic' with minimal administrative overhead is best met by creating an explicit deny rule that matches the specific traffic flows to be blocked, ensuring clarity and preventing unintended implicit allow behavior. This approach avoids relying on the implicit deny, which could be overridden by a later default-permit rule or misconfiguration.

Exam trap

Cisco often tests the distinction between explicit deny and implicit deny, trapping candidates who think the implicit deny alone is sufficient to block traffic, when in fact an explicit deny rule is needed to enforce a specific block with minimal administrative overhead and to avoid reliance on default behaviors that can be overridden.

How to eliminate wrong answers

Option B is wrong because an implicit deny rule is automatically applied at the end of the firewall rulebase, but it does not block traffic before it; it only denies traffic that does not match any explicit rule. Relying solely on implicit deny would require an explicit permit rule for HTTP, but the question asks for blocking 'all other traffic' with minimal overhead, and implicit deny is not a rule you configure—it is a default behavior. Option C is wrong because a stateful rule refers to the firewall's ability to track connection states (e.g., allowing return traffic for established sessions), but it does not inherently block traffic; it is a property of how rules are processed, not a rule type that denies traffic.

Option D is wrong because a default-permit rule would allow all traffic by default, which directly contradicts the requirement to block all other traffic; this is the opposite of what is needed.

57
MCQhard

Refer to the exhibit. An administrator notices that DNS responses larger than 512 bytes are being dropped. Which configuration change should be made to allow larger DNS responses?

A.Remove the DNS inspection policy
B.Add an access-list to permit the traffic
C.Disable the set connection advanced-options command
D.Increase the message-length maximum under the DNS map
AnswerD

Raising the limit (e.g., to 4096) allows larger DNS responses.

Why this answer

The correct answer is D because DNS inspection on Cisco ASA/Firepower devices uses a DNS map to enforce a default maximum message length of 512 bytes, which aligns with the original DNS specification (RFC 1035). To allow larger DNS responses (e.g., those using EDNS0, which can exceed 512 bytes), you must increase the message-length maximum under the DNS map. This change permits the firewall to reassemble and forward DNS packets that exceed the default limit without dropping them.

Exam trap

Cisco often tests the misconception that ACLs or removing inspection policies are the solution for application-layer drops, when in fact the issue is a specific inspection parameter (DNS message-length) that must be tuned via a DNS map.

How to eliminate wrong answers

Option A is wrong because removing the DNS inspection policy entirely would disable all DNS inspection, including security checks like DNS query/response validation, which is an overly broad and insecure solution. Option B is wrong because an access-list permits traffic at the network layer based on IP addresses and ports, but it does not affect the application-layer inspection of DNS message length; the drop occurs due to the inspection engine, not a firewall ACL. Option C is wrong because the 'set connection advanced-options' command is used for advanced TCP connection settings (e.g., timeout, sequence number randomization) and has no bearing on DNS message-length limits.

58
MCQ · hard

Refer to the exhibit. A network engineer applies a zone-based firewall policy to a router. Users in the INSIDE zone report they can access HTTP servers on the OUTSIDE zone but cannot resolve DNS names or access MS-SQL servers. What does the policy do to DNS and MS-SQL traffic?

A. They are allowed because no 'inspect' action is applied to the class.
B. They are dropped because the BAD_TRAFFIC class explicitly drops them.
C. They are inspected and allowed through the firewall.
D. They are dropped because they do not match the GOOD_TRAFFIC class.
Answer: B

The class BAD_TRAFFIC includes DNS and MS-SQL and applies the drop action.

Why this answer

The correct answer is B because the zone-based firewall policy explicitly defines a class map (BAD_TRAFFIC) that matches DNS (UDP/53) and MS-SQL (TCP/1433) traffic and applies the 'drop' action. Since the policy-map uses a 'class-default' action of 'inspect' for GOOD_TRAFFIC, any traffic not matching GOOD_TRAFFIC but matching BAD_TRAFFIC is dropped before inspection can occur. The users' symptoms confirm that DNS and MS-SQL are being dropped, while HTTP (matched by GOOD_TRAFFIC) is inspected and allowed.

Exam trap

Cisco often tests the misconception that 'inspect' in class-default automatically allows all traffic, but the trap here is that explicit 'drop' actions in higher-priority class maps (like BAD_TRAFFIC) override any default inspection, causing candidates to overlook the sequential processing order of class maps in a policy-map.

How to eliminate wrong answers

Option A is wrong because the 'inspect' action is applied to the GOOD_TRAFFIC class, not to DNS or MS-SQL; the BAD_TRAFFIC class explicitly drops them, so they are not allowed by default. Option C is wrong because DNS and MS-SQL are not inspected or allowed; they are matched by the BAD_TRAFFIC class, which applies a 'drop' action, overriding any default inspection behavior. Option D is wrong because the traffic is not dropped due to a lack of match with GOOD_TRAFFIC; it is dropped because it explicitly matches the BAD_TRAFFIC class, which has a 'drop' action, and the policy processes class matches in order (BAD_TRAFFIC before class-default).

59
MCQ · hard

Refer to the exhibit. An engineer is analyzing an intrusion policy on Cisco Firepower Management Center (FMC). The network uses Windows servers and clients. A flood of HTTP traffic is being detected as a potential attack, but it is legitimate. Which preprocessor configuration change would most likely reduce false positives without losing detection of real attacks?

A. Disable the http_inspect preprocessor
B. Change global_sensitivity to medium
C. Change frag3 policy to bsd
D. Change stream5_tcp policy to linux
Answer: B

Lowering sensitivity reduces false positives for benign traffic while still detecting true attacks.

Why this answer

The http_inspect preprocessor's global_sensitivity setting controls how aggressively it normalizes HTTP traffic before analysis. Setting it to 'medium' reduces false positives from legitimate HTTP floods by relaxing the threshold for anomalous HTTP behavior, while still allowing the preprocessor to detect real attacks that exhibit more extreme deviations. This is the most targeted change because it directly addresses the flood of HTTP traffic without disabling the preprocessor entirely.

Exam trap

Cisco often tests the misconception that disabling a preprocessor or changing unrelated protocol policies (like TCP or IP fragmentation) is the solution, when the correct answer is a targeted tuning parameter within the relevant preprocessor.

How to eliminate wrong answers

Option A is wrong because disabling the http_inspect preprocessor would remove all HTTP normalization and inspection, likely causing the intrusion policy to miss real HTTP-based attacks (e.g., SQL injection, cross-site scripting) and potentially increasing false negatives. Option C is wrong because changing the frag3 policy to 'bsd' alters IP fragment reassembly behavior (e.g., handling overlapping fragments), which is unrelated to HTTP traffic floods and would not reduce false positives for HTTP-based events. Option D is wrong because changing the stream5_tcp policy to 'linux' modifies TCP stream reassembly parameters (e.g., handling of TCP retransmissions or window scaling), which does not address the HTTP flood issue and could disrupt legitimate TCP connections without affecting HTTP-level false positives.

60
MCQ · hard

A security architect is designing a zero-trust architecture for a remote workforce using Cisco SD-WAN. The company requires that all traffic between branch sites and the data center is encrypted and authenticated, and that no device can access resources unless it has a valid certificate. Which technology should be used to enforce device identity?

A. 802.1X with EAP-TLS
B. Network Access Control (NAC)
C. Cisco TrustSec
D. IPsec VPN
Answer: C

TrustSec uses SGTs to enforce access based on device identity and is a key component of zero trust.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) and device identity based on certificates to enforce access control in a zero-trust architecture. It integrates with SD-WAN to ensure that only devices with valid certificates can communicate, meeting the requirement for encrypted and authenticated traffic between branch sites and the data center.

Exam trap

The trap here is that candidates often confuse IPsec VPN's encryption and authentication of the tunnel with device identity enforcement, but IPsec authenticates the peer (router or firewall), not the individual device, which is a critical distinction in zero-trust architectures.

How to eliminate wrong answers

Option A is wrong because 802.1X with EAP-TLS is a port-based authentication mechanism for network access control at the edge, not a technology for enforcing device identity across SD-WAN tunnels between branches and data centers. Option B is wrong because Network Access Control (NAC) is a broader framework for admission control, but it does not natively provide the certificate-based device identity enforcement and SGT-based segmentation that TrustSec offers in a zero-trust SD-WAN context. Option D is wrong because IPsec VPN provides encryption and authentication for traffic, but it does not enforce device identity via certificates; it authenticates the VPN gateway or peer, not the individual device accessing resources.

61
MCQ · hard

A security administrator discovers that users are evading the corporate firewall by using SSH to tunnel HTTP traffic to external servers. Which action can be taken on a Cisco ASA firewall to detect and prevent this?

A. Configure a dynamic PAT rule to limit the number of SSH sessions
B. Enable SSH inspection using the 'inspect ssh' command in the global policy
C. Create an access-list to block port 22 entirely
D. Implement SSL decryption to inspect the encrypted SSH payload
Answer: B

SSH inspection allows the firewall to apply deep inspection and enforce policies on SSH traffic.

Why this answer

Option B is correct because enabling SSH inspection with the 'inspect ssh' command on a Cisco ASA allows the firewall to monitor SSH control channel negotiations and detect when SSH is being used to tunnel other protocols (like HTTP). The ASA can then enforce policies to block such tunneling, preventing users from bypassing the corporate firewall.

Exam trap

Cisco often tests the misconception that blocking port 22 is a valid solution, but the trap is that this would also block legitimate SSH access, whereas SSH inspection provides granular control without disrupting normal operations.

How to eliminate wrong answers

Option A is wrong because dynamic PAT (Port Address Translation) limits the number of simultaneous translations, not the number of SSH sessions, and does not inspect or prevent SSH tunneling. Option C is wrong because blocking port 22 entirely would also block legitimate SSH administrative access, which is an overly restrictive and impractical solution. Option D is wrong because SSL decryption is designed to inspect HTTPS traffic, not SSH; SSH uses its own encryption protocol (not SSL/TLS), and the ASA cannot decrypt SSH payloads without breaking the SSH protocol.

62
MCQ · medium

A company is designing a secure segmentation strategy for a three-tier web application. They want to isolate the web, application, and database tiers while allowing only necessary traffic. Which design best achieves defense-in-depth while minimizing complexity?

A. Place each tier in a separate VLAN and rely on ACLs on the distribution switch.
B. Deploy a dedicated firewall for each tier and connect them in series.
C. Use VRF-Lite with SGTs and enforce policies via Cisco ISE.
D. Place a single stateful firewall between each tier with separate interfaces.
Answer: C

Allows granular, policy-based segmentation without per-tier firewalls.

Why this answer

Option C is correct because VRF-Lite with Security Group Tags (SGTs) and Cisco ISE provides scalable, policy-based segmentation that follows the defense-in-depth principle. VRF-Lite creates separate routing tables for each tier, while SGTs enforce granular, identity-based access control at the network layer, reducing complexity compared to multiple firewalls or ACLs. This design allows necessary traffic between tiers without relying on IP addresses alone, aligning with zero-trust architecture.

Exam trap

Cisco often tests the misconception that stateful firewalls alone (Option D) or VLANs with ACLs (Option A) provide sufficient segmentation, but the trap is that defense-in-depth requires policy-based, identity-aware controls like SGTs to prevent lateral movement and reduce complexity in multi-tier applications.

How to eliminate wrong answers

Option A is wrong because relying solely on ACLs on a distribution switch lacks stateful inspection and cannot enforce application-layer policies, making it vulnerable to IP spoofing and insufficient for defense-in-depth. Option B is wrong because deploying a dedicated firewall for each tier in series introduces unnecessary complexity, latency, and single points of failure, violating the principle of minimizing complexity. Option D is wrong because placing a single stateful firewall between each tier with separate interfaces still creates a bottleneck and does not provide the granular, identity-based segmentation that SGTs offer, nor does it scale well for multi-tier environments.

63
Drag & Drop · medium

Drag and drop the steps to recover a lost password on a Cisco IOS router in the correct order.

Why this order

Enter ROMmon, change register to skip startup-config, boot, copy config, change password, save, and restore register.

64
MCQ · medium

A network administrator is configuring management access on a Cisco router. The requirement is to provide encrypted remote access with AAA authentication and fallback to local credentials if the AAA server is unavailable. Which configuration best meets these requirements?

A. Enable Telnet with a local username and password.
B. Enable SSHv2 with AAA authentication and 'aaa authentication login default group radius local' configured.
C. Enable HTTP with AAA authentication.
D. Use SNMPv3 with read-write community strings.
Answer: B

SSH provides the encryption; AAA with local fallback meets the availability requirement.

Why this answer

Option B is correct because SSHv2 provides encrypted remote access, and the command 'aaa authentication login default group radius local' configures AAA authentication with RADIUS as the primary method and local credentials as a fallback if the RADIUS server is unreachable. This meets the requirement for both encrypted access and AAA fallback to local authentication.

Exam trap

Cisco often tests the distinction between encrypted (SSH) and unencrypted (Telnet, HTTP) protocols, and the specific behavior of AAA fallback (local only on server non-response, not on authentication denial).

How to eliminate wrong answers

Option A is wrong because Telnet transmits all data, including credentials, in cleartext, failing the requirement for encrypted remote access. Option C is wrong because HTTP does not encrypt traffic by default; HTTPS would be required for encryption, and the question specifies 'HTTP' without encryption. Option D is wrong because SNMPv3 with read-write community strings is used for network management polling and configuration, not for interactive remote shell access, and community strings are not a secure authentication method for management access.

65
MCQ · medium

A company is deploying Cisco Umbrella to protect against DNS-based threats. Which deployment method provides the most comprehensive coverage for all devices on the network without requiring per-device configuration?

A. Install the Umbrella roaming client on every endpoint.
B. Configure each device's DNS settings to use Umbrella's resolvers.
C. Deploy a PAC file that routes all traffic through a proxy with DNS filtering.
D. Configure the network's DNS forwarders to point to Umbrella's DNS resolvers.
Answer: D

Covers all devices using the network's DNS.

Why this answer

Option D is correct because configuring the network's DNS forwarders to point to Umbrella's DNS resolvers (typically on the organization's DHCP server or router) ensures that all DNS queries from any device on the network are automatically forwarded to Umbrella for filtering, without requiring any per-device configuration. This method provides comprehensive coverage for all devices, including those that cannot run agents (e.g., IoT devices, printers, guest devices), by intercepting DNS traffic at the network level.

Exam trap

Cisco often tests the distinction between endpoint-based and network-based deployment methods, and the trap here is that candidates assume the roaming client (Option A) provides the most comprehensive coverage, when in fact network-level DNS forwarding covers all devices without per-device configuration.

How to eliminate wrong answers

Option A is wrong because installing the Umbrella roaming client on every endpoint requires per-device configuration and ongoing management, and it cannot cover non-managed or legacy devices that cannot run the client. Option B is wrong because configuring each device's DNS settings individually is impractical for large networks, does not scale, and fails to cover devices with hardcoded DNS or those that ignore manual DNS settings. Option C is wrong because deploying a PAC file only affects web traffic routed through a proxy; it does not intercept all DNS queries (e.g., non-HTTP traffic, direct DNS lookups) and still requires per-browser or per-system configuration, leaving gaps in coverage.

66
MCQ · hard

A security engineer is evaluating a web application firewall (WAF) rule set. The application uses a custom REST API that accepts JSON payloads. Which WAF rule is most effective at preventing SQL injection attacks while minimizing false positives?

A. Apply a generic SQL injection signature set from the WAF vendor
B. Block requests containing 'SELECT' or 'UNION' in the URL
C. Set the maximum request size to 10 MB
D. Use a rule that parses JSON and checks for abnormal structures that indicate injection
Answer: D

JSON-specific validation reduces false positives while catching injection attempts.

Why this answer

Option D is correct because JSON-based APIs require context-aware parsing to detect SQL injection within structured payloads. A rule that parses JSON and checks for abnormal structures can identify injection attempts (e.g., nested objects or unexpected keys) without relying on simple keyword matching, which reduces false positives. This approach aligns with the WAF's ability to decode and inspect JSON fields for malicious SQL patterns while ignoring benign data.

Exam trap

Cisco often tests the misconception that generic signature sets are universally effective, but the trap here is that custom APIs with JSON payloads require context-aware parsing to avoid false positives and catch injection in non-keyword forms.

How to eliminate wrong answers

Option A is wrong because generic SQL injection signature sets often produce high false positives in custom REST APIs, as they match common SQL keywords (e.g., 'SELECT') that may appear legitimately in JSON values (e.g., a field named 'select'). Option B is wrong because blocking requests containing 'SELECT' or 'UNION' in the URL is ineffective for JSON payloads sent via POST or PUT methods, where injection occurs in the request body, not the URL; it also causes false positives for legitimate API calls. Option C is wrong because setting the maximum request size to 10 MB does not prevent SQL injection; it only limits the payload size, which is unrelated to injection detection and may block legitimate large JSON payloads.

67
MCQ · medium

Refer to the exhibit. What is the most likely reason for the high number of 'No route to host' drops on a Cisco ASA?

A. Firewall is in transparent mode
B. Interface is down
C. Missing static route on the ASA
D. Incorrect NAT rule
Answer: C

Without a route to the destination, the ASA cannot forward the packet.

Why this answer

The 'No route to host' drop on a Cisco ASA indicates that the firewall has no valid route in its routing table to reach the destination IP address of the packet. Option C is correct because a missing static route (or dynamic route) for the destination network prevents the ASA from performing a route lookup, causing it to drop the packet with this specific syslog message. This is a Layer 3 forwarding issue, not a policy or NAT problem.

Exam trap

Cisco often tests the distinction between Layer 3 routing drops ('No route to host') and Layer 2/interface drops, or between routing issues and NAT/policy failures, so candidates must remember that 'No route to host' is exclusively a routing table lookup failure, not a firewall rule or interface problem.

How to eliminate wrong answers

Option A is wrong because transparent mode (Layer 2 bridge) does not perform IP routing; 'No route to host' drops are a Layer 3 routing issue that only occurs in routed mode. Option B is wrong because if an interface were down, the ASA would generate 'Interface down' or 'No buffer' drops, not 'No route to host' — the latter specifically indicates a missing route, not a link failure. Option D is wrong because an incorrect NAT rule would cause 'NAT failed' or 'Translation creation failed' drops, or asymmetric routing issues, but not a 'No route to host' drop, which occurs before NAT processing in the packet flow.

68
MCQ · hard

A network engineer is troubleshooting a site-to-site IPsec VPN that fails to establish. The IKE phase 1 completes successfully, but phase 2 fails. The debug output shows 'IPSEC(validate_proposal): transform set proposal mismatch'. Both peers have the same transform set configured. What is the most likely cause?

A. Mismatched IPsec lifetime values
B. Missing route for the remote subnet
C. Mismatched encryption/authentication algorithms in the transform set
D. Incorrect pre-shared key
Answer: C

Even if both sets are named the same, the actual algorithms might differ; 'transform set proposal mismatch' indicates algorithm mismatch.

Why this answer

The error 'IPSEC(validate_proposal): transform set proposal mismatch' indicates that the IPsec transform sets proposed by the two peers do not match during IKE phase 2 negotiation. Even if the transform sets appear identical in configuration, a mismatch in the encryption algorithm (e.g., AES-256 vs AES-128) or authentication algorithm (e.g., SHA-1 vs SHA-256) will cause this failure. Since IKE phase 1 completed successfully, the pre-shared key and routing are not the issue, and lifetime mismatches typically generate a different error.

Exam trap

Cisco often tests the distinction between IKE phase 1 and phase 2 failures, and the trap here is that candidates assume identical transform set names mean identical algorithms, ignoring that default values (like AES key length) can differ between devices or IOS versions.

How to eliminate wrong answers

Option A is wrong because mismatched IPsec lifetime values (e.g., 3600 vs 86400 seconds) would cause a 'lifetime mismatch' or 'proposal mismatch' error, but the debug output specifically mentions 'transform set proposal mismatch', which points to algorithms, not lifetimes. Option B is wrong because a missing route for the remote subnet would prevent traffic from triggering the VPN or cause packets to be dropped, but it would not produce a transform set mismatch error during phase 2 negotiation. Option D is wrong because an incorrect pre-shared key would cause IKE phase 1 to fail (e.g., 'invalid pre-shared key' or 'authentication failure'), not phase 2, and the question states phase 1 completes successfully.

69
MCQ · easy

A network engineer needs to implement a security solution that provides encryption, integrity, and authentication at Layer 2 between two switches. Which technology should be used?

A. SSL/TLS
B. IPsec
C. 802.1X
D. MACsec
Answer: D

MACsec provides Layer 2 encryption, integrity, and authentication.

Why this answer

MACsec (IEEE 802.1AE) provides hop-by-hop encryption, integrity, and authentication at Layer 2 (the data link layer) directly on Ethernet frames. It uses GCM-AES-128 or GCM-AES-256 to encrypt the entire payload and authenticate the frame, ensuring confidentiality and integrity between directly connected switches without requiring IP-layer processing.

Exam trap

Cisco often tests the distinction between Layer 2 encryption (MACsec) and Layer 3 encryption (IPsec), and the trap here is that candidates confuse 'encryption between switches' with IPsec because IPsec is the most commonly known encryption protocol, but it operates at a higher layer and requires IP routing.

How to eliminate wrong answers

Option A is wrong because SSL/TLS operates at Layer 4 (Transport Layer) and is designed for securing application-layer communications like HTTPS, not for encrypting Layer 2 Ethernet frames between switches. Option B is wrong because IPsec operates at Layer 3 (Network Layer) and secures IP packets between hosts or networks, requiring IP routing and not providing Layer 2 frame-level encryption between directly connected switches. Option C is wrong because 802.1X is a port-based network access control (NAC) protocol used for authentication of devices at the access layer, but it does not provide encryption or integrity for data frames; it only controls admission to the network.

70
MCQ · hard

A large enterprise uses Cisco TrustSec to enforce segmentation between departments. The network consists of Cisco Catalyst switches running IOS XE with IP ACLs and Security Group Tags (SGTs). The security policy requires that traffic from the Engineering group (SGT=10) to the Finance group (SGT=20) be allowed only to TCP port 443. The administrator configures a Security Group Access Control List (SGACL) on Cisco ISE with a permit statement for TCP 443 and a deny for all other traffic, and pushes it to the switches. After deployment, they notice that Engineering users can access Finance servers not only on TCP 443 but also on other ports. The administrator verifies that the SGACL is correctly configured on ISE and that the switches are receiving the SGTs. Additionally, the switches have IP ACLs on the interfaces. What is the most likely cause of this issue?

A. The SGT classification is not occurring on the access switches.
B. The SGACL is applied only on the inbound direction of the interface.
C. The switches are not running Cisco TrustSec-compatible software.
D. The IP ACLs on the switches are overriding the SGACL.
Answer: D

IP ACLs are evaluated before SGACLs and can permit traffic that SGACLs would deny.

Why this answer

The most likely cause is that IP ACLs on the switch interfaces are overriding the SGACL. In Cisco TrustSec, SGACLs are applied after SGT classification and are evaluated in the forwarding path, but if a traditional IP ACL is configured on the same interface, it is processed first and can permit or deny traffic independently of the SGACL. Since the IP ACLs are present and not configured to match the required policy, they allow traffic on ports other than TCP 443, bypassing the SGACL enforcement.

Exam trap

Cisco often tests the interaction between traditional ACLs and SGACLs, where candidates assume SGACLs always take precedence, but in reality, IP ACLs are evaluated first and can override the SGACL policy.

How to eliminate wrong answers

Option A is wrong because the administrator verified that the switches are receiving the SGTs, indicating SGT classification is occurring correctly. Option B is wrong because SGACLs in Cisco TrustSec are applied in both directions by default (based on the SGT source and destination), not just inbound; the direction of application is not the issue here. Option C is wrong because the switches are running IOS XE with IP ACLs and SGTs, which implies they support TrustSec features; the problem is not software incompatibility but a configuration conflict.

71
MCQ · easy

A security engineer is configuring a Cisco ASA to block traffic from a specific IP address. Which access control entry (ACE) should be applied to the inbound direction of the outside interface?

A. access-list outside_in extended deny ip any host 10.1.1.1
B. access-list outside_in extended deny ip host 10.1.1.1 any
C. access-list outside_in extended deny tcp any host 10.1.1.1
D. access-list outside_in extended deny tcp host 10.1.1.1 any eq 80
Answer: B

Correctly blocks all IP traffic from the specified host.

Why this answer

Option B is correct because the ACE uses the 'ip' protocol to block all traffic from the specific source host 10.1.1.1 to any destination, which is the most comprehensive way to block all IP traffic from that address. In Cisco ASA ACLs, the order of source and destination is 'source destination', so 'deny ip host 10.1.1.1 any' correctly matches packets with source IP 10.1.1.1 and any destination, applied inbound on the outside interface to block traffic entering the network.

Exam trap

Cisco often tests the source-destination order in ACL syntax, and the trap here is that candidates mistakenly reverse the order (putting the target IP as the destination instead of the source) or unnecessarily restrict the protocol, thinking that blocking TCP alone is sufficient.

How to eliminate wrong answers

Option A is wrong because it specifies 'any' as the source and 'host 10.1.1.1' as the destination, which would block traffic from any source going to 10.1.1.1, not traffic originating from 10.1.1.1. Option C is wrong because it restricts the protocol to TCP only, so non-TCP traffic (e.g., UDP, ICMP) from 10.1.1.1 would not be blocked, leaving a security gap. Option D is wrong because it further narrows the rule to TCP traffic from host 10.1.1.1 to any destination on port 80 only, which fails to block other protocols or ports from that IP address.

72
MCQ · medium

An organization wants to enforce micro-segmentation in a data center to isolate application tiers. Which Cisco technology allows defining security policies based on endpoint groups rather than IP addresses?

A. Cisco ASA with access-lists
B. Cisco TrustSec with Security Group Tags (SGTs)
C. Cisco ISE with guest services
D. Cisco Firepower NGFW with URL filtering
Answer: B

TrustSec uses SGTs for group-based policy enforcement, ideal for micro-segmentation.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to classify traffic based on endpoint groups (e.g., application tiers) rather than IP addresses. This allows micro-segmentation by enforcing policies that follow the traffic regardless of IP changes, using SGTs carried in the packet via Cisco Metadata (CMD) or inline tagging.

Exam trap

Cisco often tests the distinction between IP-based ACLs (ASA) and identity-based segmentation (TrustSec), so the trap here is assuming that any firewall or NGFW can achieve micro-segmentation without understanding that TrustSec's SGTs are specifically designed for endpoint-group policies independent of IP addresses.

How to eliminate wrong answers

Option A is wrong because Cisco ASA with access-lists relies on static IP addresses and port numbers, not endpoint groups, making it unsuitable for dynamic micro-segmentation that follows workloads. Option C is wrong because Cisco ISE with guest services focuses on guest user authentication and policy enforcement for network access, not on defining security policies between application tiers within a data center. Option D is wrong because Cisco Firepower NGFW with URL filtering controls web traffic based on URLs and categories, not on endpoint group-based segmentation between application tiers.
