NEW QUESTION 1
Which two options are open-source SDN controllers? (choose two)

• A. Opendaylight
• B. Big Cloud Fabric
• C. Application Policy Infrastructure Controller
• D. OpenContrail
• E. Virtual Application Networks SDN Controller

Answer: AD

NEW QUESTION 2
Which two combinations of node are allowed in a Cisco ISE distributed deployment? (Choose two)

• A. ISE cluster with eight nodes
• B. Pair of passive ISE nodes for automatic failover
• C. One or more policy service ISE nodes for session failover standalone
• D. Primary and secondary administration ISE nodes for high availability
• E. Active and standby ISE notes for high availibilty

Answer: BD

NEW QUESTION 3
Which three EAP protocols are supported in WPA and WPA2? (Choose three)

• A. EAP-PSK
• B. EAP-EKE
• C. EAP-FAST
• D. EAP-AKA
• E. EAP-SIM
• F. EAP-EEE

Answer: CDE

NEW QUESTION 4
On a Cisco Wireless LAN Controller (WLC), which web policy enables failed Layer 2 authentication to fall back to WebAuth authentication with a user name and password?

• A. On MACFilter Failure
• B. Passthrough
• C. Splash Page Web Redirect
• D. Conditional Web Redirect
• E. Authentication

Answer: A

NEW QUESTION 5
Which statement about the Traffic Substitution and Insertion attack is true?

• A. It substitutes by performing action slower than normal not exceeding threshol
• B. It is used for reconnaissance
• C. It substitutes payload data in a different format but has the same meaning
• D. It is form of a DoS attack
• E. It substitutes payload data in the same format but has different meaning
• F. It substitutes by performing action faster than normal not exceeding threshold
• G. It is a from pivoting in the network

Answer: C

NEW QUESTION 6
In a Cisco ISR with cloud Web Security Connector deployment, which command can you enter on the Cisco ISR G2 to verify connectivity to the CWS tower?

• A. Show policy-map
• B. Show service-policy
• C. Show ip nbar
• D. Show sw-module
• E. Mtrace
• F. Show content-scan summary

Answer: A

NEW QUESTION 7
Refer to the exhibit.
switch-A(config)# cgmp leave-prcessing
Which two effects of this configuration are true?(Choose two)

• A. IGMPv2 leave group messages are stored in the switch CAM table for faster processing
• B. Hosts send leave group messages to the all-router multicast address when they want to stop receiving data for that group
• C. It improves the processing time of CGMP leave messages
• D. Hosts send leave group messages to the Solicited-Node Address multicast address FF02::1:FF00:0000/104
• E. It optimizes the use of network bandwidth on the LAN segment
• F. It allows the switch to detect IGMPv2 leave group messages

Answer: EF

NEW QUESTION 8
Which statement about Password Authentication Protocol is true?

• A. RADIUS –based PAP authentication logs successful authentication attempts only.
• B. Its password in encrypted with a certificate.
• C. It offers strong protection against brute force attacks.
• D. RADIUS –based PAP authentication is based on the RADIUS Password attribute
• E. It is the most secure authentication method supported for authentication against the internal Cisco ISE database
• F. It uses a two-way handshake with an encrypted password

Answer: D

NEW QUESTION 9
On which geographic basis can the Cisco Firewall

• A. Source and destination country and continent
• B. Source city and country
• C. Source country
• D. Source and destination city and country
• E. Source and destination country
• F. Source country and continent

Answer: E

NEW QUESTION 10
All your employees must authenticate their devices to the network, be they company-owned or
employee-owned assets, with ISE as the authentication server, i ne primary identity store used is Microsoft Active Directory, with username and password authentication. To ensure the security of your enterprise, your security policy dictates that only company owned assets get access to the enterprise network, while personal assets have restricted access. Which configuration allows you to enforce this policy using only ISE and Active Directory?

• A. Configure an authentication policy that checks against the MAC address database of company assets in the ISE endpoint identity store to determine the level of access depending on the device.
• B. Deployment of a Mobile Device Management solution is required, which can be used to register all devices against the MDM server, and use that to assign appropriate access levels.
• C. Configure an authorization policy that assigns the device the appropriate profile based on whether the device passes Machine Authentication or not.
• D. Configure an authorization policy that checks against the MAC address database of company assets in the ISE endpoint identity store to ^determine the level of access depending on the device.
• E. Configure an authentication policy that uses the computer credentials in Active Directory to determine whether the device is company-owned or personal.

Answer: D

NEW QUESTION 11
For your enterprise ISE deployment, you want to use certificate-based authentication for all your Windows machines. You have already pushed the machine and
user certificates out to all the machines using GPO. by default, certificate-based authentication-does not check the certificate against Active Directory, or
requires credentials from the user. This essentially means that no groups are returned as part of the authentication request. In which way can the user be authorized based on Active Directory group membership?

• A. Configure the Windows supplicant to used saved credentials as well as certificate-based authentication
• B. Enable Change of Authorization on the deployment to perform double authentication
• C. Use ISE as the Certificate Authority, which will then allow for automatic group retrieval from Active Directory to perform the required authorization
• D. The certificate must be configured with the appropriate attributes that contain appropriate group information, which can be used in Authorization policies
• E. Configure Network Access Device to bypass certificate-based authentication and push configured user credentials as a proxy to ISE
• F. Use EAP authorization to retrieve group information from Active Directory

Answer: C

NEW QUESTION 12
What are the three scanning engines that the Cisco IronPort dynamic vectoring and streaming engine can use to protect against malware? (Choose three.)

• A. McAfee
• B. TrendMicro
• C. Sophos
• D. Webroot
• E. F-Secure
• F. Symantec

Answer: ACD

NEW QUESTION 13
Which three statements about communication between Cisco VSG and the VEM are true? (Choose three.)

• A. In Layer 3 mode, fragmentation with vPath is not supported.
• B. vPath handled fragmentation for all adjacencies between Cisco VSG and the VEM.
• C. If vPath encapsulation of a packet in Layer 2 mode causes the packet to exceed the interface MTU size, it will be dropped.
• D. Layer 3 adjacency between Cisco VSG and the VEM requires communication through a VMkernel interface on the VEM.
• E. vPath encapsulation of incoming packets can increase the frame size by up to 94 bytes.
• F. Cisco VSG and VEM should be adjacent at Layer 3 when minimal latency is required.

Answer: ADE

NEW QUESTION 14
Which statement is true regarding SSL policy implementation in a Firepower system?

• A. Access control policy is optional for the SSL policy implementation
• B. If Firepower system cannot decrypt the traffic, it allows the connection
• C. Intrusion policy is mandatory to configure the SSL inspection
• D. Access control policy is responsible to handle all the encrypted traffic if SSL policy is tied to it
• E. Access control policy is invoked first before the SSL policy tied to it
• F. IF SSL policy is not supported by the system, then access control policy handles all the encrypted traffic

Answer: E

NEW QUESTION 15
Refer to the exhibit.

After you applied this EtherChannel configuration to a Cisco ASA, the EtherChannel Failed to come up.
Which reason for the problem is the most likely?

• A. The lacp system-priority and lacp port-priority values are the same.
• B. The EtherChannel requires three ports, and only two are configured.
• C. The Ehterchannel is disabled.
• D. The channel-group modes are mismatched.

Answer: B

NEW QUESTION 16
Which two functions of Cisco Content Security Management Appliance are true?(Choose two)

• A. SMA is used for on-box management of WSAs
• B. SMA is used to configure NSAMP on the router
• C. SMA is a centralized system used to collectively mange and report the WSAs that are deployed in a network
• D. SMA is used for sandboxing functionality to perform malware analysis
• E. SMA is unified management platform that manages web security, performs troubleshooting and maintains space for data storage.

Answer: CE

NEW QUESTION 17
Which connection mechanism does the eSTREAMER service use to communicate?

• A. IPsec tunnels with 3DES or AES encryption
• B. TCP over SSL only
• C. SSH
• D. EAP-TLS tunnels
• E. TCP with optional SSL encryption
• F. IPsec tunnels with 3DES encryption only

Answer: B

NEW QUESTION 18
What are the most common methods that security auditors use to access an organization’s security
processes? (Choose two.)

• A. physical observation
• B. social engineering attempts
• C. penetration testing
• D. policy assessment
• E. document review
• F. interviews

Answer: AF