• Recent Posts

  • AmazonExam

  • Braindumps

    Easy Pass Exams!
  • Testking

    Easy Pass Exams!
  • ExamCollection

    Easy Pass Exams!
  •  

    HOT 70-410 Exam VCE Dumps >> Free Download

    HOT 70-411 Exam VCE Dumps >> Free Download

    HOT 70-412 Exam VCE Dumps >> Free Download

    HOT 70-413 Exam VCE Dumps >> Free Download

    HOT 70-414 Exam VCE Dumps >> Free Download

    HOT 70-415 Exam VCE Dumps >> Free Download

    HOT 70-416 Exam VCE Dumps >> Free Download

    HOT 70-417 Exam VCE Dumps >> Free Download

    NEW 70-432 Exam VCE Dumps >> Free Download

    NEW 70-448 Exam VCE Dumps >> Free Download

    NEW 70-457 Exam VCE Dumps >> Free Download

    NEW 70-458 Exam VCE Dumps >> Free Download

    NEW 70-459 Exam VCE Dumps >> Free Download

    HOT 70-460 Exam VCE Dumps >> Free Download

    HOT 70-461 Exam VCE Dumps >> Free Download

    HOT 70-462 Exam VCE Dumps >> Free Download

    HOT 70-463 Exam VCE Dumps >> Free Download

    HOT 70-464 Exam VCE Dumps >> Free Download

    HOT 70-465 Exam VCE Dumps >> Free Download

    HOT 70-466 Exam VCE Dumps >> Free Download

    HOT 70-467 Exam VCE Dumps >> Free Download

    HOT 70-469 Exam VCE Dumps >> Free Download

    NEW 70-470 Exam VCE Dumps >> Free Download

    NEW 70-480 Exam VCE Dumps >> Free Download

    NEW 70-481 Exam VCE Dumps >> Free Download

    NEW 70-482 Exam VCE Dumps >> Free Download

    HOT 70-483 Exam VCE Dumps >> Free Download

    NEW 70-484 Exam VCE Dumps >> Free Download

    NEW 70-485 Exam VCE Dumps >> Free Download

    NEW 70-486 Exam VCE Dumps >> Free Download

    NEW 70-487 Exam VCE Dumps >> Free Download

    HOT 70-488 Exam VCE Dumps >> Free Download

    NEW 70-489 Exam VCE Dumps >> Free Download

    NEW 70-490 Exam VCE Dumps >> Free Download

    NEW 70-491 Exam VCE Dumps >> Free Download

    NEW 70-492 Exam VCE Dumps >> Free Download

    NEW 70-494 Exam VCE Dumps >> Free Download

    NEW 70-496 Exam VCE Dumps >> Free Download

    NEW 70-497 Exam VCE Dumps >> Free Download

    NEW 70-498 Exam VCE Dumps >> Free Download

    NEW 70-499 Exam VCE Dumps >> Free Download

    NEW 70-511 Exam VCE Dumps >> Free Download

    NEW 70-513 Exam VCE Dumps >> Free Download

    NEW 70-515 Exam VCE Dumps >> Free Download

    NEW 70-516 Exam VCE Dumps >> Free Download

    NEW 70-517 Exam VCE Dumps >> Free Download

    HOT 70-532 Exam VCE Dumps >> Free Download

    HOT 70-533 Exam VCE Dumps >> Free Download

    HOT 70-534 Exam VCE Dumps >> Free Download

    NEW 70-573 Exam VCE Dumps >> Free Download

    NEW 70-576 Exam VCE Dumps >> Free Download

    NEW 70-640 Exam VCE Dumps >> Free Download

    NEW 70-642 Exam VCE Dumps >> Free Download

    NEW 70-646 Exam VCE Dumps >> Free Download

    NEW 70-659 Exam VCE Dumps >> Free Download

    NEW 70-662 Exam VCE Dumps >> Free Download

    NEW 70-663 Exam VCE Dumps >> Free Download

    NEW 70-667 Exam VCE Dumps >> Free Download

    NEW 70-668 Exam VCE Dumps >> Free Download

    NEW 70-673 Exam VCE Dumps >> Free Download

    HOT 70-680 Exam VCE Dumps >> Free Download

    NEW 70-685 Exam VCE Dumps >> Free Download

    NEW 70-686 Exam VCE Dumps >> Free Download

    NEW 70-687 Exam VCE Dumps >> Free Download

    HOT 70-688 Exam VCE Dumps >> Free Download

    NEW 70-689 Exam VCE Dumps >> Free Download

    NEW 70-692 Exam VCE Dumps >> Free Download

    NEW 70-694 Exam VCE Dumps >> Free Download

    NEW 70-695 Exam VCE Dumps >> Free Download

    NEW 70-696 Exam VCE Dumps >> Free Download

    NEW 70-697 Exam VCE Dumps >> Free Download

    NEW 70-980 Exam VCE Dumps >> Free Download

    NEW 70-981 Exam VCE Dumps >> Free Download

    NEW 74-335 Exam VCE Dumps >> Free Download

    NEW 74-338 Exam VCE Dumps >> Free Download

    NEW 74-343 Exam VCE Dumps >> Free Download

    NEW 74-344 Exam VCE Dumps >> Free Download

    HOT 74-409 Exam VCE Dumps >> Free Download

    NEW 74-674 Exam VCE Dumps >> Free Download

    NEW 74-678 Exam VCE Dumps >> Free Download

    HOT 74-697 Exam VCE Dumps >> Free Download

    NEW 77-427 Exam VCE Dumps >> Free Download

  • « | Main | »

    CCIE R&S 350-001 Q&As – Implement Network Security (NBAR, NAT, ACL) (6-10)

    By admin | June 18, 2014

    Tagged with:

    Section 10 – Implement Network Security (NBAR, NAT, ACL)

    QUESTION 61
    Unicast Reverse Path Forwarding can perform all of these actions except which one?
    A.    examine all packets received to make sure that the source addresses and source interfaces appear in the routing table and match the interfaces where the packets were received
    B.    check to see if any packet received at a router interface arrives on the best return path
    C.    combine with a configured ACL
    D.    log its events, if you specify the logging options for the ACL entries used by the unicast rpf command
    E.    inspect IP packets encapsulated in tunnels, such as GRE
    Answer: E

    Explanation:
    For RPF to function, CEF must be enabled on the router. This is because the router uses the Forwarding Information Base (FIB) of CEF to perform the lookup process, which is built from the router’s routing table. In other words, RPF does not really look at the router’s routing table; instead, it uses the CEF FIB to determine spoofing.
    Also, RPF cannot detect all spoofed packets. For the network in this example, the perimeter router cannot determine spoofing from packets received on the external E1 interface if they match the default route statement. Therefore, the more routes your router has in its CEF FIB table, the more likely the router will be capable of detecting spoofing attacks. In addition, RPF cannot detect any spoofed packets that are encapsulated, such as packets encapsulated in GRE, IPSec, L2TP, and other packets.

    QUESTION 84
    Refer to the exhibit. BGP-4 routing to the Internet, in normal behavior, may create asymmetrical routing for different prefixes. The BGP routing table indicates that traffic should follow the paths indicated in the exhibit, but packets are not going further than the border router in AS 4. What could be the cause of this problem?
    A.    TCP Intercept is configured in AS 4.
    B.    Unicast Reverse Path Forwarding is configured in loose mode in this router.
    C.    Packets may be leaving AS 1 without the BGP routing flag set to 1.
    D.    Unicast Reverse Path Forwarding is configured in strict mode in this router.
    E.    There is a missing Unicast Reverse Path Forwarding configuration.
    Answer: D

    QUESTION 91
    If a certificate authority trustpoint is not configured when enabling HTTPS and the remote HTTPS server requires client authentication, connections to the secure HTTP client will fail. Which command must be enabled for correct operation?
    A.    ip http client secure-ciphersuite 3des-ede-cbc-sha
    B.    ip https max-connections 10
    C.    ip http timeout-policy idle 30 life 120 requests 100
    D.    ip http client secure-trustpoint trustpoint-name
    Answer: D
    Explanation:
    ip http client secure-trustpoint
    To specify the remote certificate authority (CA) trustpoint that should be used if certification is needed for the secure HTTP client, use the ip http client secure-trustpoint command in global configuration mode. To remove a client trustpoint from the configuration, use the no form of this command.
    ip http client secure-trustpoint trustpoint-name

    QUESTION 93
    A request arrived on your MPLS-vpn-bgp group. Due to a security breach, your customer is experiencing DoS attacks coming from specific subnets (200.0.10.0/24, 200.0.12.0/24). You have checked all MPLS-EBGP routes being advertised to BHK from other VPN sites and found four subnets listed:
    200.0.10.0/24, 200.0.11.0/24, 200.0.12.0/24, 200.0.13.0/24. You immediately apply an outbound ACL filter using the appropriate MPLS-EBGP tool: access-list 1 deny 0.0.0.0 255.255.254.255 access-list 1 permit any What happens when you apply this ACL on the MPLS-EBGP connection to BHK?
    A.    It blocks all routes.
    B.    It blocks the routes 200.0.12.0/24, 200.0.10.0/24 only.
    C.    It blocks the routes 200.0.12.0/24, 200.0.13.0/24 only.
    D.    It blocks the routes 200.0.10.0/24, 200.0.13.0/24 only.
    E.    Nothing happens, no routes are blocked.
    Answer: B

    QUESTION 141
    Which is the result of enabling IP Source Guard on an untrusted switch port that does not have DHCP snooping enabled?
    A.    DHCP requests will be switched in the software, which may result in lengthy response times.
    B.    The switch will run out of ACL hardware resources.
    C.    All DHCP requests will pass through the switch untested.
    D.    The DHCP server reply will be dropped and the client will not be able to obtain an IP address.
    Answer: D
    Explanation:
    IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host. Any IP traffic coming into the interface with a source IP address other than that assigned (via DHCP or static configuration) will be filtered out on the untrusted Layer 2 ports.
    The IP Source Guard feature is enabled in combination with the DHCP snooping feature on untrusted Layer 2 interfaces. It builds and maintains an IP source binding table that is learned by DHCP snooping or manually configured (static IP source bindings). An entry in the IP source binding table contains the IP address and the associated MAC and VLAN numbers. The IP Source Guard is supported on Layer 2 ports only, including access and trunk ports.

    187 Total Views 1 Views Today

    Topics: Cisco, Exam | Comments Off on CCIE R&S 350-001 Q&As – Implement Network Security (NBAR, NAT, ACL) (6-10)

    Tagged with:

    Comments are closed.