CCNA Security Chapter 2 Exam Answers
-
What command must be issued to enable login enhancements on a Cisco router?
- privilege exec level
- login delay
- login block-for*
- banner motd
-
What is the default privilege level of user accounts created on Cisco routers?
- 0
- 1
- 15*
- 16
-
A network administrator notices that unsuccessful login attempts have caused a router to enter quiet mode. How can the administrator maintain remote access to the networks even during quiet mode?
- Quiet mode behavior can be enabled via an ip access-group command on a physical interface.
- Quiet mode behavior will only prevent specific user accounts from attempting to authenticate.
- Quiet mode behavior can be overridden for specific networks by using an ACL.*
- Quiet mode behavior can be disabled by an administrator by using SSH to connect.
-
What is a characteristic of the Cisco IOS Resilient Configuration feature?
- It maintains a secure working copy of the bootstrap startup program.
- Once issued, the secure boot-config command automatically upgrades the configuration archive to a newer version after new configuration commands have been entered.
- A snapshot of the router running configuration can be taken and securely archived in persistent storage.*
- The secure boot-image command works properly when the system is configured to run an image from a TFTP server.
-
Which three areas of router security must be maintained to secure an edge router at the network perimeter? (Choose three.)
- remote access security
- zone isolation
- router hardening*
- operating system security*
- flash security
- physical security*
-
Which recommended security practice prevents attackers from performing password recovery on a Cisco IOS router for the purpose of gaining access to the privileged EXEC mode?
- Locate the router in a secure locked room that is accessible only to authorized personnel.*
- Configure secure administrative control to ensure that only authorized personnel can access the router.
- Keep a secure copy of the router Cisco IOS image and router configuration file as a backup.
- Provision the router with the maximum amount of memory possible.
- Disable all unused ports and interfaces to reduce the number of ways that the router can be accessed.
-
Refer to the exhibit. Based on the output of the show running-config command, which type of view is SUPPORT?
- CLI view, containing SHOWVIEW and VERIFYVIEW commands
- superview, containing SHOWVIEW and VERIFYVIEW views*
- secret view, with a level 5 encrypted password
- root view, with a level 5 encrypted secret password
-
An administrator defined a local user account with a secret password on router R1 for use with SSH. Which three additional steps are required to configure R1 to accept only encrypted SSH connections? (Choose three.)
- Enable inbound vty SSH sessions.*
- Generate two-way pre-shared keys.
- Configure DNS on the router.
- Configure the IP domain name on the router.*
- Enable inbound vty Telnet sessions.
- Generate the SSH keys.*
-
Which set of commands is required to create a username of admin, hash the password using MD5, and force the router to access the internal username database when a user attempts to access the console?
- R1(config)# username admin password Admin01pa55
  R1(config)# line con 0
  R1(config-line)# login local
- R1(config)# username admin secret Admin01pa55
  R1(config)# line con 0
  R1(config-line)# login local*
- R1(config)# username admin Admin01pa55 encr md5
  R1(config)# line con 0
  R1(config-line)# login local
- R1(config)# username admin password Admin01pa55
  R1(config)# line con 0
  R1(config-line)# login
- R1(config)# username admin secret Admin01pa55
  R1(config)# line con 0
  R1(config-line)# login
-
Refer to the exhibit. Which statement about the JR-Admin account is true?
- JR-Admin can issue only ping commands.
- JR-Admin can issue show, ping, and reload commands.
- JR-Admin cannot issue any command because the privilege level does not match one of those defined.
- JR-Admin can issue debug and reload commands.
- JR-Admin can issue ping and reload commands.*
-
Which two characteristics apply to role-based CLI access superviews? (Choose two.)
- A specific superview cannot have commands added to it directly.*
- CLI views have passwords, but superviews do not have passwords.
- A single superview can be shared among multiple CLI views.
- Deleting a superview deletes all associated CLI views.
- Users logged in to a superview can access all commands specified within the associated CLI views.*
-
Which three types of views are available when configuring the role-based CLI access feature? (Choose three.)
- superview*
- admin view
- root view*
- superuser view
- CLI view*
- config view
-
If AAA is already enabled, which three CLI steps are required to configure a router with a specific view? (Choose three.)
- Create a superview using the parser view view-name command.
- Associate the view with the root view.
- Assign users who can use the view.
- Create a view using the parser view view-name command.*
- Assign a secret password to the view.*
- Assign commands to the view.*
-
What occurs after RSA keys are generated on a Cisco router to prepare for secure device management?
- The keys must be zeroized to reset Secure Shell before configuring other parameters.
- All vty ports are automatically configured for SSH to provide secure management.
- The general-purpose key size must be specified for authentication with the crypto key generate rsa general-keys modulus command.
- The generated keys can be used by SSH.*
-
Which three statements describe limitations in using privilege levels for assigning command authorization? (Choose three.)
- Creating a user account that needs access to most but not all commands can be a tedious process.*
- Views are required to define the CLI commands that each user can access.
- Commands set on a higher privilege level are not available for lower privilege users.*
- It is required that all 16 privilege levels be defined, whether they are used or not.
- There is no access control to specific interfaces on a router.*
- The root user must be assigned to each privilege level that is defined.
-
What is a requirement to use the Secure Copy Protocol feature?
- At least one user with privilege level 1 has to be configured for local authentication.
- A command must be issued to enable the SCP server side functionality.*
- A transfer can only originate from SCP clients that are routers.
- The Telnet protocol has to be configured on the SCP server side.
-
What is a characteristic of the MIB?
- The OIDs are organized in a hierarchical structure.*
- Information in the MIB cannot be changed.
- A separate MIB tree exists for any given device in the network.
- Information is organized in a flat manner so that SNMP can access it quickly.
-
Which three items are prompted for a user response during interactive AutoSecure setup? (Choose three.)
- IP addresses of interfaces
- content of a security banner*
- enable secret password*
- services to disable
- enable password*
- interfaces to enable
-
A network engineer is implementing security on all company routers. Which two commands must be issued to force authentication via the password 1A2b3C for all OSPF-enabled interfaces in the backbone area of the company network? (Choose two.)
- area 0 authentication message-digest*
- ip ospf message-digest-key 1 md5 1A2b3C*
- username OSPF password 1A2b3C
- enable password 1A2b3C
- area 1 authentication message-digest
-
What is the purpose of using the ip ospf message-digest-key key md5 password command and the area area-id authentication message-digest command on a router?
- to configure OSPF MD5 authentication globally on the router*
- to enable OSPF MD5 authentication on a per-interface basis
- to facilitate the establishment of neighbor adjacencies
- to encrypt OSPF routing updates
-
What are two reasons to enable OSPF routing protocol authentication on a network? (Choose two.)
- to provide data security through encryption
- to ensure faster network convergence
- to ensure more efficient routing
- to prevent data traffic from being redirected and then discarded*
- to prevent redirection of data traffic to an insecure link*
-
Which two options can be configured by Cisco AutoSecure? (Choose two.)
- enable secret password*
- interface IP address
- SNMP
- security banner*
- syslog
-
Which three functions are provided by the syslog logging service? (Choose three.)
- setting the size of the logging buffer
- specifying where captured information is stored*
- gathering logging information*
- authenticating and encrypting data sent over the network
- distinguishing between information to be captured and information to be ignored*
- retaining captured messages on the router when a router is rebooted
-
What is the Control Plane Policing (CoPP) feature designed to accomplish?
- disable control plane services to reduce overall traffic
- prevent unnecessary traffic from overwhelming the route processor*
- direct all excess traffic away from the route process
- manage services provided by the control plane
-
Which three actions are produced by adding Cisco IOS login enhancements to the router login process? (Choose three.)
- permit only secure console access
- create password authentication
- automatically provide AAA authentication
- create syslog messages*
- slow down an active attack*
- disable logins from specified hosts*