Cisco 350-701 Implementing and Operating Cisco Security Core Technologies Exam Dumps and Practice Test Questions Set 13 Q 181-195
Question 181:
An administrator needs to configure Cisco FTD to perform URL filtering based on categories. Which feature provides this capability?
A) Security Intelligence
B) URL Filtering in Access Control Policy
C) DNS Policy
D) Intrusion Prevention
Answer: B
Explanation:
This question tests your understanding of Cisco Firepower Threat Defense URL filtering capabilities and where this feature is configured within the policy structure. URL filtering is essential for enforcing acceptable use policies and protecting users from malicious websites.
Option B is correct because URL Filtering in Access Control Policy provides category-based web access control in Cisco FTD deployments. URL filtering uses the Cisco Talos URL database containing millions of websites classified into categories such as social networking, gambling, adult content, malware sites, newly registered domains, and many others. Administrators configure URL filtering conditions within access control rules to allow, block, or monitor access to specific categories based on organizational policies. URL filtering can operate in different modes including using local URL cache for performance, querying cloud databases for comprehensive coverage, and combining both approaches. The feature supports custom URL lists for granular control over specific sites, reputation-based filtering to block risky sites, and logging for compliance and monitoring. URL filtering integrates with user identity from ISE or other sources to apply different policies based on user groups, enabling flexible enforcement that balances security with business requirements.
Option A is incorrect because Security Intelligence provides reputation-based blocking of known malicious IP addresses, URLs, and domains before traffic reaches access control rules, but it focuses on threat intelligence rather than category-based URL filtering for acceptable use policies. Security Intelligence uses continuously updated feeds of confirmed malicious sources and automatically blocks connections to these threats. While Security Intelligence can block malicious URLs, it operates as a pre-filter based on threat reputation rather than providing the comprehensive category-based filtering that organizations need for web access policies. Both features are valuable but serve different purposes in the security architecture.
Option C is incorrect because DNS Policy in FTD controls DNS requests and responses, providing DNS-layer security that can block malicious domains before connections are established. A DNS policy matches queries against Security Intelligence DNS lists and feeds and applies actions such as drop, domain not found, sinkhole, or monitor; FTD can separately be integrated with Cisco Umbrella for cloud-based DNS filtering. While category-style control is possible at the DNS layer through Umbrella, the native FTD URL filtering capability resides in access control policies and operates at the HTTP/HTTPS layer rather than the DNS layer. DNS policy and URL filtering provide complementary protection at different network layers.
Option D is incorrect because Intrusion Prevention detects and blocks attack patterns in network traffic using signatures and anomaly detection but does not provide category-based URL filtering. IPS examines packet contents for exploit attempts, malware indicators, and protocol violations but does not classify websites into categories for access control. While IPS might detect malicious activity on websites, it operates differently from URL filtering which makes policy decisions based on website categorization. Organizations need both IPS for threat detection and URL filtering for web access control.
Question 182:
Which protocol does Cisco ISE use to communicate with network access devices for authentication and authorization?
A) TACACS+
B) RADIUS
C) LDAP
D) SNMP
Answer: B
Explanation:
This question examines your knowledge of authentication protocols and specifically which protocol ISE uses for network access control communications. Understanding the protocols involved in ISE deployments is fundamental to proper configuration and troubleshooting.
Option B is correct because RADIUS is the primary protocol that Cisco ISE uses to communicate with network access devices such as switches, wireless controllers, VPN concentrators, and firewalls for authentication and authorization of network access requests. When a user or device attempts to connect to the network, the network access device sends a RADIUS Access-Request message to ISE containing credentials and contextual information. ISE authenticates the user against configured identity sources, evaluates authorization policies based on identity and posture, then returns a RADIUS Access-Accept or Access-Reject message containing authorization attributes such as VLAN assignments, Security Group Tags, or downloadable ACLs. RADIUS uses UDP ports 1812 for authentication and 1813 for accounting (the legacy ports 1645 and 1646 are still seen on older devices), and every reply carries a Response Authenticator computed over the request and the shared secret so the network device can detect a forged reply. ISE supports RADIUS features including change of authorization (RFC 5176) for dynamic policy updates and RADIUS accounting for session tracking.
Option A is incorrect because while TACACS+ is an authentication protocol that ISE supports for device administration, it is not the protocol used for network access control communications between ISE and network devices. TACACS+ provides authentication, authorization, and accounting for administrative access to network devices, enabling centralized management of administrator credentials and command authorization. ISE can act as a TACACS+ server for device administration use cases, but network access control for end users and endpoints uses RADIUS. The protocols serve different purposes with TACACS+ for device administration and RADIUS for network access.
Option C is incorrect because LDAP is a directory access protocol that ISE uses to communicate with external identity sources like Active Directory or other LDAP directories to retrieve user credentials and attributes, but it is not the protocol between ISE and network access devices. When ISE receives a RADIUS authentication request, it may use LDAP to query Active Directory for user authentication and group membership information, but the communication between the network device and ISE uses RADIUS. LDAP is one of several identity source protocols ISE supports along with Kerberos and ODBC.
Option D is incorrect because SNMP is a network management protocol used for monitoring and configuring network devices but is not involved in authentication and authorization communications. While ISE may use SNMP to collect information from network devices for profiling or monitoring purposes, the authentication and authorization process uses RADIUS. SNMP provides device management capabilities while RADIUS provides AAA services, serving entirely different functions in network operations.
Question 183:
An organization wants to implement application visibility and control on Cisco routers without deploying additional hardware. Which technology should be configured?
A) NBAR2
B) NetFlow
C) IP SLA
D) SNMP
Answer: A
Explanation:
This question tests your understanding of Cisco application recognition technologies and which features provide deep packet inspection for application identification directly on routers. Application visibility is essential for quality of service, security policies, and network analytics.
Option A is correct because NBAR2, which stands for Network-Based Application Recognition version 2, provides deep packet inspection and application recognition capabilities directly on Cisco routers and switches without requiring additional hardware. NBAR2 can identify over 1400 applications including web applications, mobile apps, encrypted traffic through behavioral analysis, and custom applications through signatures or sub-classifications. NBAR2 examines multiple packets of a flow and combines protocol analysis, behavioral heuristics, and Cisco-maintained protocol packs that can be updated independently of the IOS image, so it can identify applications even when they use dynamic ports or encryption. Once applications are identified, NBAR2 enables organizations to implement quality of service policies prioritizing critical applications, create security policies blocking unauthorized applications, generate application-based analytics for capacity planning, and enforce bandwidth limitations on non-business applications. NBAR2 integrates with other technologies like QoS, AVC (Application Visibility and Control), and Flexible NetFlow for comprehensive application management.
Option B is incorrect because NetFlow is a network telemetry protocol that exports flow records containing information about network conversations such as source, destination, ports, and byte counts, but it provides network-layer visibility rather than deep application identification. Standard NetFlow identifies traffic based on five-tuple information (source IP, destination IP, source port, destination port, protocol) but cannot recognize applications that use dynamic ports or identify specific web applications. While NetFlow with NBAR2 integration can include application names in flow records, NetFlow alone does not provide application recognition. NetFlow excels at traffic analysis and anomaly detection but requires NBAR2 for application-level visibility.
Option C is incorrect because IP SLA (Service Level Agreement) is a feature for measuring network performance metrics such as latency, jitter, packet loss, and availability by generating synthetic traffic and monitoring responses. IP SLA helps verify that networks meet performance requirements and can trigger actions when thresholds are violated. While valuable for performance monitoring and path selection, IP SLA does not provide application identification or visibility into actual user traffic. IP SLA generates test traffic rather than analyzing production application flows.
Option D is incorrect because SNMP is a protocol for network device management that collects statistics, monitors device health, and configures settings but does not provide application-level visibility into network traffic. SNMP can retrieve interface counters, CPU utilization, and device status but cannot identify which applications are consuming bandwidth or classify traffic flows. While SNMP data complements application visibility by providing device-level metrics, it does not offer the deep packet inspection needed for application recognition that NBAR2 provides.
Question 184:
Which Cisco technology provides automated threat response by integrating security products and orchestrating actions across the security infrastructure?
A) Cisco Threat Response
B) Cisco SecureX
C) Cisco Talos
D) Cisco Umbrella Investigate
Answer: B
Explanation:
This question examines your knowledge of Cisco’s security orchestration and automation platform. Understanding how different security products integrate and automate responses is increasingly important as security teams face alert fatigue and need to respond faster to threats.
Option B is correct because Cisco SecureX is a cloud-native platform that provides integration, automation, and orchestration across Cisco’s security portfolio and third-party security products. SecureX connects products like Cisco Secure Endpoint (AMP), Secure Firewall, Umbrella, ISE, Secure Malware Analytics, Duo, and others into a unified architecture that shares threat intelligence and enables coordinated responses. The platform provides a single pane of glass for security operations, correlating data from multiple sources to provide context around security events. SecureX includes threat response workflows that can automatically investigate alerts, gather context from multiple security tools, and execute remediation actions like isolating infected endpoints, blocking malicious domains across the infrastructure, and updating firewall rules. This orchestration reduces manual effort, accelerates response times, and ensures consistent enforcement across all security layers.
Option A is incorrect because Cisco Threat Response is actually a component within SecureX rather than a standalone product. Threat Response provides the investigation and response workflows that security analysts use to research threats and coordinate actions, but it operates as part of the broader SecureX platform. Threat Response allows analysts to pivot across different security tools to investigate indicators of compromise, see where threats have appeared across the infrastructure, and take remediation actions. While Threat Response is critical functionality, SecureX is the comprehensive platform name.
Option C is incorrect because Cisco Talos is the threat intelligence organization within Cisco that researches threats, develops security signatures, maintains reputation databases, and provides intelligence feeds to Cisco security products. Talos intelligence powers many Cisco security products but Talos itself is not an orchestration platform. Talos provides the threat data that SecureX and other products consume, but the orchestration and automation capabilities reside in SecureX. Understanding the distinction between threat intelligence providers and orchestration platforms is important for architecting security solutions.
Option D is incorrect because Cisco Umbrella Investigate is a threat intelligence and investigation tool that allows security analysts to research domains, IPs, and file hashes to understand their risk and relationships to known threats. Investigate provides visibility into infrastructure used by attackers and helps determine whether observed indicators are malicious. While Investigate is valuable for threat hunting and investigation, it is a research tool rather than an orchestration platform. SecureX integrates with Investigate to leverage its intelligence during automated workflows, but Investigate itself does not orchestrate actions across the security infrastructure.
Question 185:
An administrator configures a Cisco router with access-class 10 in under line vty 0 4. What is the purpose of this command?
A) Applies ACL 10 to filter traffic on interface VLAN 10
B) Restricts remote access to the router based on ACL 10
C) Enables SSH on VTY lines 0-4
D) Configures console port security
Answer: B
Explanation:
This question tests your understanding of Cisco IOS access control and specifically how to restrict management access to network devices. Protecting management interfaces is a critical security control that prevents unauthorized administrative access.
Option B is correct because the access-class command, entered in line configuration mode under line vty 0 4, applies an access control list to the VTY (virtual terminal) lines to restrict which source IP addresses can open remote management sessions to the router. Breaking down the syntax: line vty 0 4 selects VTY lines 0 through 4, which service inbound Telnet and SSH sessions; access-class applies an ACL to those lines rather than to an interface; 10 references standard IP access list 10, which matches on source address only; and in restricts inbound connections to the router (out would instead restrict where a user who is already logged in may open outbound sessions from the router). Only sources permitted by ACL 10 reach the login prompt; all other connection attempts are dropped before authentication, so the ACL filters by address and does not replace the username, password, or key checks that SSH still performs. This is a fundamental management-plane protection. Two practical caveats apply: the ACL should be applied to every VTY line the platform supports (for example line vty 0 15), because lines 5 through 15 left without an access-class still accept sessions, and the ACL should permit only jump hosts or the management subnet and end with an explicit deny any log so rejected attempts are visible.
Option A is incorrect because the access-class command applies to line access control rather than interface traffic filtering. To filter traffic on an interface, administrators use the ip access-group command. Additionally, the vty keyword specifically indicates virtual terminal lines used for remote access rather than VLAN interfaces. Interface ACLs filter user traffic passing through the router while access-class ACLs control administrative access to the router itself. Understanding the distinction between data plane and management plane access control is important for properly securing network infrastructure.
Option C is incorrect because access-class applies access control but does not enable or configure the transport protocol itself. To enable SSH, administrators must configure crypto keys, set SSH version, and specify allowed transport protocols using the transport input ssh command on VTY lines. Access-class only controls which source addresses can connect after SSH or Telnet is enabled. A complete secure remote access configuration requires both enabling SSH as the transport protocol and restricting source addresses with access-class.
Option D is incorrect because VTY lines handle remote network access (Telnet/SSH) while the console port is configured separately under line console 0. Console hardening uses its own stanza with commands such as login or login authentication, a password or AAA method, and exec-timeout; an access-class has no meaning on the console because a console session has no source IP address to filter. The command shown applies only to VTY lines. Organizations should secure both console and VTY access, but through separate configuration stanzas.
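The caveats above (an ACL that is referenced but never defined, a permit any that makes the access-class meaningless, lines 5 through 15 left open, transport input all) are easy to miss by eye in a long running-config. The following Python audit script is an added example written for this page, not code from Cisco or from the exam material; the two configs it checks are constructed samples, and the findings it reports are the author's chosen wording rather than any IOS message.

```python
import re

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.*)$")
VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")

# Constructed sample configs (not from the page): a typical weak VTY setup and its hardened form.
WEAK_CONFIG = """\
hostname edge-rtr
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 access-class 10 in
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 login local
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
line vty 5 15
 login local
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
"""


def parse_config(text):
    """Split an IOS config into ACL entries and line vty stanzas (sub-commands are the indented lines)."""
    acls, stanzas, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current["cmds"].append(raw.strip())
            continue
        current = None
        m = ACL_RE.match(raw)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
            continue
        m = VTY_RE.match(raw)
        if m:
            current = {"name": f"vty {m.group(1)} {m.group(2)}", "cmds": []}
            stanzas.append(current)
    return acls, stanzas


def audit_vty(text):
    """Return (line, finding) pairs for every VTY stanza that does not restrict remote management."""
    acls, stanzas = parse_config(text)
    findings = []
    if not stanzas:
        findings.append(("global", "no line vty stanzas found"))
    for s in stanzas:
        name, cmds = s["name"], s["cmds"]
        inbound = [c for c in cmds if c.startswith("access-class ") and c.endswith(" in")]
        if not inbound:
            findings.append((name, "no inbound access-class; any source address may reach the login prompt"))
        else:
            acl = inbound[-1].split()[1]
            if acl not in acls:
                findings.append((name, f"access-class references ACL {acl}, which is not defined"))
            elif any(action == "permit" and args[:1] == ["any"] for action, args in acls[acl]):
                findings.append((name, f"ACL {acl} contains permit any, so the access-class restricts nothing"))
        transport = [c for c in cmds if c.startswith("transport input ")]
        if not transport:
            findings.append((name, "transport input not set explicitly; set it to ssh"))
        else:
            allowed = set(transport[-1].split()[2:])
            if allowed != {"ssh"}:
                findings.append((name, f"transport input allows {' '.join(sorted(allowed))}; restrict to ssh"))
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append((name, "exec-timeout not set explicitly (IOS default is 10 minutes); set a short value"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vty(cfg) or "no findings")
```

Run it against the output of show running-config saved to a file; the weak sample is reported on both stanzas (vty 0 4 has no access-class and permits every transport, vty 5 15 points at an ACL that does not exist), while the hardened sample produces no findings.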
Question 186:
Which feature in Cisco DNA Center provides network segmentation by mapping users and devices to Security Group Tags?
A) SD-Access
B) Assurance
C) Network Hierarchy
D) Device 360
Answer: A
Explanation:
This question examines your knowledge of Cisco Software-Defined Access architecture and how it implements policy-based segmentation. Understanding SD-Access is important as organizations move toward intent-based networking and micro-segmentation.
Option A is correct because SD-Access (Software-Defined Access) is Cisco’s implementation of software-defined networking for enterprise campus networks that uses Security Group Tags for policy-based segmentation. SD-Access creates an overlay network using VXLAN encapsulation where endpoints are assigned to Security Groups based on identity, device type, or location. ISE acts as the policy engine, assigning SGTs to endpoints during authentication based on attributes like user identity, device posture, and location. The network fabric then enforces security policies based on SGT-to-SGT communication rules defined in scalable group access policies, enabling micro-segmentation without complex VLAN and ACL configurations. SD-Access provides consistent policy enforcement across wired and wireless networks, automatic network provisioning through fabric automation, and simplified operations through DNA Center management. This architecture enables zero-trust security models where access is granted based on identity rather than network location.
Option B is incorrect because Assurance is the DNA Center feature that provides AI-driven network insights, troubleshooting, and proactive monitoring rather than network segmentation. Assurance collects telemetry from network devices, applies machine learning to identify issues, provides guided remediation workflows, and offers client and application health visibility. While Assurance helps ensure that SD-Access is operating correctly and security policies are being enforced, it does not implement the segmentation itself. Assurance and SD-Access are complementary DNA Center capabilities serving different purposes.
Option C is incorrect because Network Hierarchy in DNA Center organizes sites, buildings, and areas for logical grouping and policy assignment but does not implement Security Group Tag-based segmentation. Network hierarchy provides the structure for applying configurations and policies to groups of devices but the actual segmentation using SGTs is implemented through SD-Access. Network hierarchy is a foundational organizational concept while SD-Access is the technical implementation of policy-based segmentation.
Option D is incorrect because Device 360 is a DNA Center feature providing detailed visibility into individual device status, configuration, health, and connected clients but does not implement segmentation. Device 360 gives administrators a comprehensive view of specific devices including inventory information, configuration details, interfaces, clients, and issues. While useful for troubleshooting and managing devices, Device 360 is a monitoring and visibility feature rather than a segmentation implementation. SD-Access provides the segmentation architecture that Device 360 helps monitor and manage.
Question 187:
An organization experiences a security incident where an attacker gains access to internal systems and moves laterally across the network. Which security concept could have limited this lateral movement?
A) Network segmentation
B) Patch management
C) User awareness training
D) Password complexity
Answer: A
Explanation:
This question tests your understanding of defense-in-depth strategies and specifically which security controls limit lateral movement after initial compromise. Preventing lateral movement is critical for containing breaches and protecting high-value assets.
Option A is correct because network segmentation divides networks into isolated zones with controlled communication paths, preventing attackers from freely moving between systems after compromising an initial entry point. Segmentation can be implemented through VLANs, firewalls, security groups, micro-segmentation, and zero-trust architectures that enforce least-privilege access between network segments. When properly implemented, segmentation requires attackers to overcome additional security controls to move from one segment to another, buying time for detection and limiting damage scope. Segmentation should isolate sensitive assets like databases and domain controllers, separate user networks from server networks, quarantine guest and IoT devices, and implement granular controls between application tiers. Without segmentation, flat networks allow attackers to use compromised credentials or exploits to access any system, rapidly escalating privileges and exfiltrating data. Modern approaches include micro-segmentation using Security Group Tags that enforce policies at the workload level regardless of physical network topology.
Option B is incorrect because while patch management closes vulnerabilities that attackers might exploit during lateral movement, it does not structurally prevent lateral movement the way segmentation does. Patches address specific vulnerabilities but cannot eliminate all weaknesses or prevent abuse of legitimate credentials and administrative tools. Attackers often use valid credentials obtained through phishing or other means, moving laterally through standard protocols that patches do not restrict. Patch management is essential for reducing attack surface but must be combined with network segmentation for defense in depth. Both controls are important but address different aspects of security.
Option C is incorrect because user awareness training helps prevent initial compromise by teaching users to recognize phishing, social engineering, and other attack techniques, but it does not prevent lateral movement after a system is compromised. Training reduces the likelihood of successful initial attacks but assumes some compromises will occur. Once an attacker gains access, user awareness does not impede lateral movement across the technical infrastructure. Training is a preventive control for the human element, while segmentation is a technical control that limits what a compromised host can reach and, because cross-segment traffic must pass an enforcement point, makes the attacker's remaining moves easier to detect. Comprehensive security requires both.
Option D is incorrect because password complexity requirements make passwords harder to guess or crack through brute force but do not prevent lateral movement after credentials are legitimately or illegitimately obtained. Attackers often acquire valid credentials through phishing, keyloggers, or credential dumping from compromised systems, bypassing password complexity entirely. Complex passwords are valuable for authentication security but do not restrict what authenticated users or compromised accounts can access. Network segmentation enforces access controls regardless of how authentication was achieved, limiting what systems authenticated users can reach.
Question 188:
Which Cisco feature provides dynamic VLAN assignment based on user identity during network authentication?
A) Private VLAN
B) VLAN Trunking Protocol
C) 802.1X with RADIUS VLAN assignment
D) VLAN Access Control Lists
Answer: C
Explanation:
This question examines your knowledge of identity-based network access control and how VLANs can be dynamically assigned during authentication. Dynamic VLAN assignment enables flexible policy enforcement based on user or device identity rather than static switch port configurations.
Option C is correct because 802.1X authentication combined with RADIUS VLAN assignment enables dynamic placement of users into appropriate VLANs based on their identity, group membership, device type, or posture. When a user connects to an 802.1X-enabled switch port, the switch requests authentication from a RADIUS server like Cisco ISE. After successful authentication, ISE evaluates authorization policies considering factors like Active Directory group membership, device compliance status, time of day, and location. Based on policy evaluation, ISE returns a RADIUS Access-Accept message carrying the RFC 3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, and Tunnel-Private-Group-ID = the VLAN ID or name) that instruct the switch to place the authenticated session in a specific VLAN. This allows organizations to implement role-based network access where employees, contractors, guests, and BYOD devices are automatically placed in appropriate network segments with corresponding access policies. Dynamic VLAN assignment eliminates the need to manually configure VLANs per port and allows flexible policy enforcement that adapts to changing user contexts.
Option A is incorrect because Private VLANs provide Layer 2 isolation within a VLAN by subdividing VLANs into isolated, community, and promiscuous ports but do not provide dynamic assignment based on user identity. PVLANs are statically configured per port and enforce isolation rules preventing certain ports from communicating with each other while sharing the same IP subnet. PVLANs are useful for service provider environments and server farms but do not integrate with authentication systems for identity-based assignment. Dynamic VLAN assignment requires authentication integration that PVLANs do not provide.
Option B is incorrect because VLAN Trunking Protocol is a Cisco proprietary protocol that propagates VLAN configuration information across switches to maintain consistent VLAN databases, but it does not assign users to VLANs dynamically based on authentication. VTP simplifies VLAN administration in large switched networks by distributing VLAN configuration from a VTP server to VTP clients, but VLAN assignment to ports is still static or requires authentication integration. VTP operates at the management plane while dynamic VLAN assignment during authentication operates at the access control plane.
Option D is incorrect because VLAN Access Control Lists (VACLs) filter packets that are bridged within a VLAN or routed into or out of it, matching on Layer 2, 3, and 4 fields, but they do not dynamically assign VLANs based on user identity. A VACL is built with a vlan access-map and applied with a vlan filter, so it can enforce policy even between hosts in the same VLAN, which an ordinary router ACL cannot. While VACLs can enforce security policies on dynamically assigned VLANs, they do not perform the assignment itself. VACLs are traffic filters while 802.1X with RADIUS provides identity-based VLAN placement.
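Question 182 describes the RADIUS exchange between a network access device and ISE, and Question 188 describes the Access-Accept that carries a VLAN assignment. The following Python script, written as an added example for this page and not taken from Cisco, ISE, or any RADIUS library, works both ends of that exchange on the wire format: it hides the User-Password as RFC 2865 requires, returns the RFC 3580 tunnel attributes on success, and checks the Response Authenticator on the NAS side so a forged or altered reply is rejected. The user store, shared secret, and NAS address are constructed sample values; the exchange is performed in memory rather than over UDP.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2868); VLAN values per RFC 3580.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed sample user store for the mock server: username -> (password, VLAN to assign).
USERS = {b"alice": (b"Correct-Horse-Battery", "20"), b"guest": (b"welcome", "99")}


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte chunks with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident, username, password, secret, nas_ip=b"\x0a\x00\x00\x02"):
    """NAS side: build an Access-Request with a fresh random Request Authenticator (nas_ip is a sample value)."""
    request_auth = os.urandom(16)
    body = (attr(USER_NAME, username)
            + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
            + attr(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def vlan_attrs(vlan, tag=1):
    """The three tunnel attributes an ISE-style server returns to place the session in a VLAN."""
    tagged = lambda value: bytes([tag]) + value.to_bytes(3, "big")
    return (attr(TUNNEL_TYPE, tagged(TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged(TUNNEL_MEDIUM_IEEE_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def respond(request, secret, users=USERS):
    """Server side: authenticate and answer with a Response Authenticator bound to this request."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(USER_NAME)
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if user in users and hmac.compare_digest(users[user][0], password):
        code, body = ACCESS_ACCEPT, vlan_attrs(users[user][1])
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(response, ident, request_auth, secret):
    """NAS side: a reply is genuine only if its MD5 covers our Request Authenticator and the shared secret."""
    header, response_auth, body = response[:4], response[4:20], response[20:]
    if header[1] != ident:
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def assigned_vlan(response):
    attrs = dict(parse_attrs(response[20:]))
    ttype, medium, group = attrs.get(TUNNEL_TYPE), attrs.get(TUNNEL_MEDIUM_TYPE), attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and medium and group):
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN or int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    if group[0] <= 0x1F:  # a leading byte in 0x00-0x1F is the tag, not part of the VLAN string
        group = group[1:]
    return group.decode()


def authenticate(username, password, secret, ident=7, users=USERS):
    """Full exchange NAS -> server -> NAS, returning (code, vlan)."""
    request, request_auth = access_request(ident, username, password, secret)
    response = respond(request, secret, users)
    if not verify_response(response, ident, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply is forged or the secret differs")
    code = response[0]
    return code, (assigned_vlan(response) if code == ACCESS_ACCEPT else None)


if __name__ == "__main__":
    print(authenticate(b"alice", b"Correct-Horse-Battery", b"s3cret"))  # (2, '20')
    print(authenticate(b"alice", b"wrong", b"s3cret"))                  # (3, None)
```

Flipping a single byte of the Tunnel-Private-Group-ID in a captured Access-Accept changes the VLAN the switch would apply, and verify_response rejects exactly that packet, which is the whole job of the Response Authenticator. Note that MD5 over a shared secret is the only integrity protection in classic RADIUS; production deployments should additionally require the Message-Authenticator attribute and carry RADIUS over TLS (RadSec) between the network device and ISE.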
Question 189:
An administrator needs to configure Cisco Umbrella to provide DNS-layer security for roaming users. Which component must be deployed on user endpoints?
A) AnyConnect with Umbrella Roaming Security module
B) Virtual Appliance
C) DNS forwarder
D) Web proxy
Answer: A
Explanation:
This question tests your understanding of Cisco Umbrella deployment architectures and specifically how to protect users who work outside the corporate network. Roaming user protection is essential in modern distributed work environments.
Option A is correct because the Cisco AnyConnect client with Umbrella Roaming Security module (today delivered as the Umbrella module of Cisco Secure Client, AnyConnect's successor) provides DNS-layer protection for laptops and mobile devices regardless of their location. When users work from home, coffee shops, or other locations outside the corporate network, they bypass traditional network-based security controls. The Umbrella Roaming Security module integrates with AnyConnect and redirects all DNS queries from the endpoint to Umbrella cloud resolvers where security policies are enforced. This ensures consistent protection whether users are on-network or off-network. The module registers the device with Umbrella using device identifiers, enables per-user policies when combined with Active Directory integration, and provides visibility into all DNS requests from the endpoint. Organizations deploy AnyConnect with multiple security modules including VPN, Umbrella Roaming Security, and others for comprehensive endpoint protection that travels with users.
Option B is incorrect because Umbrella Virtual Appliances are deployed in corporate data centers or branch offices to redirect DNS traffic from network infrastructure to Umbrella, protecting all users on that network. Virtual appliances provide DNS forwarding and optional caching for on-premises networks but do not protect roaming users who are off the corporate network. When users work remotely, their DNS queries would bypass the corporate virtual appliance and use local or ISP DNS resolvers without protection. Virtual appliances and roaming client are complementary deployment models with virtual appliances for network-based protection and roaming client for endpoint-based protection.
Option C is incorrect because while DNS forwarders redirect DNS queries to Umbrella resolvers, this approach works at the network level through router or firewall configuration rather than protecting individual roaming endpoints. Configuring local infrastructure to forward DNS to Umbrella protects users while on the corporate network but provides no protection when users work remotely. DNS forwarding is appropriate for branch offices, guest networks, or locations where endpoint agents cannot be deployed, but roaming user protection requires endpoint-based enforcement through the AnyConnect Umbrella module.
Option D is incorrect because web proxies intercept and inspect HTTP/HTTPS traffic rather than providing DNS-layer security. While Umbrella includes Secure Web Gateway functionality that operates as a web proxy, the DNS-layer protection that blocks domains before connections are established is delivered through DNS interception either via network-based forwarding or endpoint-based redirection through the roaming client. The roaming security module specifically addresses DNS protection for mobile users while proxy features provide additional web content inspection for allowed domains.
Question 190:
Which type of certificate is used in a Public Key Infrastructure where the issuing authority’s identity is cryptographically verified?
A) Self-signed certificate
B) Digital certificate from a trusted Certificate Authority
C) Wildcard certificate
D) Pre-shared key
Answer: B
Explanation:
This question examines your understanding of PKI concepts and certificate trust models. Understanding how certificates establish trust is fundamental to secure communications and authentication.
Option B is correct because digital certificates issued by trusted Certificate Authorities provide cryptographic verification of identity through a hierarchical trust model. CAs are organizations that validate identity claims before issuing certificates, acting as trusted third parties that bind public keys to identities. When a CA issues a certificate, it digitally signs the certificate with its private key, allowing anyone with the CA’s public key to verify the certificate’s authenticity. Clients trust certificates because they trust the issuing CA’s root certificate, which is typically pre-installed in operating systems and browsers. This chain of trust extends through intermediate CAs to end-entity certificates, enabling scalable trust establishment without requiring direct knowledge of every certificate holder. Public CAs like DigiCert, GlobalSign, and Let’s Encrypt are trusted by default in most systems, while private CAs can be established for organizational internal use.
Option A is incorrect because self-signed certificates have the subject and issuer as the same entity, meaning the certificate is signed by the private key corresponding to the public key in the certificate itself. Self-signed certificates provide encryption but not cryptographically verified identity because there is no trusted third party validating the identity claim. Clients cannot automatically trust self-signed certificates because there is no chain to a trusted root CA. Self-signed certificates are appropriate for testing, internal systems where trust can be manually established, or as root certificates, but they do not provide the verified identity trust that CA-issued certificates offer.
Option C is incorrect because wildcard certificates are a type of certificate that can secure multiple subdomains of a domain using a wildcard character in the common name (e.g., *.example.com), but this describes the scope of the certificate rather than the trust model. Wildcard certificates are still issued by Certificate Authorities and follow the same PKI trust model as standard certificates. The wildcard aspect addresses certificate management efficiency rather than identity verification. Wildcard certificates can be CA-issued or self-signed, so this answer does not specifically address the cryptographically verified identity aspect.
Option D is incorrect because pre-shared keys are symmetric secrets shared between parties for authentication and encryption but are not part of Public Key Infrastructure or certificate-based trust. PSKs are used in protocols like IPsec VPNs and WiFi WPA2-Personal for simpler authentication without certificates. PSKs do not provide the non-repudiation or scalable trust establishment that PKI offers. While PSKs have use cases, they represent a different authentication model from certificate-based PKI where identity is verified by trusted authorities.
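The chain-of-trust walk described for Option B (leaf signed by an intermediate, intermediate signed by a root that sits in the client's trust store) and the reason a self-signed leaf fails it, shown as an added example that is not part of the original question set. Textbook RSA with small fixed primes stands in for a real signature scheme so the script runs offline with only the standard library; it is a toy and not secure. The CA names, the host name device.example.com and the key primes are constructed for illustration.

```python
"""Toy PKI chain-of-trust walk (added example, not from the original page).

Textbook RSA with small fixed primes stands in for a real signature scheme so
the script runs with only the standard library; it is NOT secure.
Names (Example Root CA, Example Issuing CA, device.example.com) are constructed.
"""
import hashlib
from dataclasses import dataclass

E = 65537

def make_key(p, q):
    """Return (public, private) toy RSA keys from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def digest(data: bytes) -> int:
    # 56-bit truncated SHA-256 so the integer is always smaller than the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data)

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple      # (n, e) bound to the subject
    sig: int        # issuer's signature over tbs()

    def tbs(self) -> bytes:
        # "to be signed" portion: subject, issuer and public key
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()

def issue(subject, issuer_name, subject_pub, issuer_priv) -> Cert:
    unsigned = Cert(subject, issuer_name, subject_pub, 0)
    return Cert(subject, issuer_name, subject_pub, sign(issuer_priv, unsigned.tbs()))

def validate_chain(leaf: Cert, intermediates: dict, trust_store: dict) -> tuple:
    """Walk from the leaf to a trust anchor. Returns (ok, reason).

    intermediates: issuer name -> Cert presented by the peer (untrusted)
    trust_store:   root name -> Cert pre-installed on the client (trusted)
    """
    cert = leaf
    for _ in range(8):                       # bound the walk so a loop cannot hang us
        if cert.issuer in trust_store:
            root = trust_store[cert.issuer]
            if verify(root.pub, cert.tbs(), cert.sig):
                return True, f"chain ends at trusted root {root.subject}"
            return False, "signature does not verify under trusted root"
        if cert.issuer == cert.subject:
            # self-signed and not in the trust store: no third party vouches for it
            return False, "self-signed certificate is not a trust anchor"
        parent = intermediates.get(cert.issuer)
        if parent is None:
            return False, f"issuer {cert.issuer} unknown and not trusted"
        if not verify(parent.pub, cert.tbs(), cert.sig):
            return False, f"bad signature on {cert.subject}"
        cert = parent
    return False, "chain too long"

# Constructed keys and certificates: root -> issuing CA -> device
root_pub, root_priv = make_key(1000000007, 1000000009)
ica_pub, ica_priv = make_key(1000000021, 1000000033)
dev_pub, dev_priv = make_key(1000000087, 1000000093)

ROOT = issue("Example Root CA", "Example Root CA", root_pub, root_priv)   # self-signed anchor
ICA = issue("Example Issuing CA", "Example Root CA", ica_pub, root_priv)
DEVICE = issue("device.example.com", "Example Issuing CA", dev_pub, ica_priv)
SELF_SIGNED = issue("device.example.com", "device.example.com", dev_pub, dev_priv)
TRUST_STORE = {ROOT.subject: ROOT}

def check_ca_issued():
    return validate_chain(DEVICE, {ICA.subject: ICA}, TRUST_STORE)

def check_self_signed():
    return validate_chain(SELF_SIGNED, {}, TRUST_STORE)

def check_tampered():
    # Same chain, but the leaf's key was swapped without re-signing: must fail
    forged = Cert(DEVICE.subject, DEVICE.issuer, root_pub, DEVICE.sig)
    return validate_chain(forged, {ICA.subject: ICA}, TRUST_STORE)

if __name__ == "__main__":
    for name, fn in [("CA-issued", check_ca_issued), ("self-signed", check_self_signed),
                     ("tampered", check_tampered)]:
        print(name, fn())
```

The root is itself self-signed, which is exactly why a self-signed certificate is fine as a trust anchor but not as a leaf: what makes the root trusted is its presence in the client's pre-installed store, not its signature.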
Question 191:
An administrator configures QoS on a router to prioritize VoIP traffic. Which QoS mechanism classifies traffic and applies appropriate priority markings?
A) Policing
B) Shaping
C) Marking
D) Queuing
Answer: C
Explanation:
This question tests your understanding of Quality of Service mechanisms and the different functions involved in QoS implementation. Proper QoS requires classification, marking, queuing, and congestion management working together.
Option C is correct because marking is the QoS mechanism that classifies traffic and applies priority indicators in packet headers that other network devices use to make forwarding decisions. Marking typically modifies the DSCP (Differentiated Services Code Point) field in the IP header or the CoS (Class of Service) bits in the 802.1Q Ethernet frame header. Classification identifies traffic based on various criteria including Layer 3/4 information like IP addresses and ports, Layer 7 information through NBAR application recognition, or existing QoS markings from trusted sources. After classification, marking sets appropriate priority values that downstream devices use for queue selection, congestion handling, and bandwidth allocation. For VoIP traffic, marking typically sets DSCP EF (Expedited Forwarding) value of 46 to indicate high-priority real-time traffic requiring low latency and jitter. Marking should occur as close to the traffic source as possible, typically at access layer switches or directly on endpoints, establishing QoS treatment for the traffic’s entire path through the network.
Option A is incorrect because policing enforces bandwidth limits by dropping or remarking packets that exceed configured rates rather than classifying and marking traffic. Policing measures traffic rates and compares them against committed information rates and burst sizes, taking action on non-compliant traffic. While policing can work in conjunction with marked traffic to enforce bandwidth policies, it does not perform the initial classification and marking that establishes priority levels. Policing is a rate-limiting mechanism while marking is a classification and prioritization mechanism serving different QoS functions.
Option B is incorrect because shaping controls traffic rates by buffering excess packets and transmitting them gradually rather than dropping them, smoothing traffic bursts to conform to bandwidth limits. Shaping delays packets to enforce rate limits without packet loss, which is preferable to policing when the receiving interface can handle buffering. Like policing, shaping enforces bandwidth policies but does not classify traffic or apply priority markings. Shaping responds to existing markings when determining which traffic to delay during congestion but is not the mechanism that initially marks traffic for priority treatment.
Option D is incorrect because queuing organizes packets into different queues for transmission based on their markings and applies scheduling algorithms to determine transmission order, but it does not perform the classification and marking itself. Queuing mechanisms like Low Latency Queuing or Class-Based Weighted Fair Queuing read existing QoS markings and place packets into priority, bandwidth-guaranteed, or best-effort queues accordingly. Queuing depends on traffic already being marked to function properly. Marking must occur before queuing can provide differentiated treatment.
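The classification-then-marking stage described above, shown as an added example that is not part of the original question set and is not a Cisco configuration. Packets are constructed dicts; the class definitions, port ranges and the trust-boundary flag are assumptions for illustration. The example goes slightly beyond the text by showing how DSCP 46 is encoded in the IP ToS byte and how a trust boundary decides whether an existing mark is honoured or rewritten.

```python
"""Classification + marking stage of a QoS policy (added example, not from the
original page). Packets are constructed dicts; the class definitions and
port ranges are assumptions for illustration, not a Cisco configuration."""

DSCP_EF = 46        # Expedited Forwarding: voice bearer (RTP)
DSCP_CS3 = 24       # call signalling
DSCP_AF41 = 34      # interactive video
DSCP_DEFAULT = 0    # best effort

def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the upper 6 bits of the IPv4 ToS byte; ECN the lower 2."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("dscp must be 0-63 and ecn 0-3")
    return (dscp << 2) | ecn

def tos_to_dscp(tos: int) -> int:
    return (tos & 0xFF) >> 2

def dscp_to_cos(dscp: int) -> int:
    """Common DSCP-to-802.1p CoS mapping: CoS equals the DSCP class selector (top 3 bits)."""
    return dscp >> 3

# Ordered class map, first match wins, mirroring class-map / policy-map evaluation.
# (class name, match predicate, DSCP to set)
CLASS_MAP = [
    ("VOICE",      lambda p: p["proto"] == "udp" and 16384 <= p["dport"] <= 32767, DSCP_EF),
    ("SIGNALLING", lambda p: p["proto"] in ("tcp", "udp") and p["dport"] in (5060, 5061), DSCP_CS3),
    ("VIDEO",      lambda p: p["app"] == "webex-video", DSCP_AF41),   # NBAR-style L7 match
]

def classify_and_mark(pkt: dict, trusted_ingress: bool = False) -> dict:
    """Return a copy of pkt with 'class' and 'tos' set.

    trusted_ingress=True models a trust boundary (e.g. a port facing an IP phone):
    the existing DSCP is kept. Otherwise marks set by untrusted hosts are rewritten.
    """
    out = dict(pkt)
    if trusted_ingress:
        out["class"] = "TRUSTED"
        return out
    for name, match, dscp in CLASS_MAP:
        if match(pkt):
            out["class"], out["tos"] = name, dscp_to_tos(dscp)
            return out
    out["class"], out["tos"] = "CLASS-DEFAULT", dscp_to_tos(DSCP_DEFAULT)
    return out

# Constructed sample traffic; 'tos' is whatever the sending host put in the header.
SAMPLE = [
    {"proto": "udp", "dport": 20000, "app": "rtp",         "tos": 0x00},  # unmarked voice from a softphone
    {"proto": "tcp", "dport": 5061,  "app": "sip-tls",     "tos": 0x00},
    {"proto": "tcp", "dport": 443,   "app": "https",       "tos": 0xB8},  # browser claiming EF: re-marked
    {"proto": "udp", "dport": 9000,  "app": "webex-video", "tos": 0x00},
]

def mark_all(packets=SAMPLE):
    return [classify_and_mark(p) for p in packets]

if __name__ == "__main__":
    for p in mark_all():
        dscp = tos_to_dscp(p["tos"])
        print(f"{p['class']:14} dport={p['dport']:<5} tos=0x{p['tos']:02X} "
              f"dscp={dscp} cos={dscp_to_cos(dscp)}")
```

Note the third packet: an untrusted host already set the ToS byte to 0xB8 (DSCP 46). Re-marking it to best effort at the access layer is what stops arbitrary hosts from claiming the voice priority queue for themselves.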
Question 192:
Which Cisco feature provides posture assessment to verify endpoint security compliance before granting network access?
A) 802.1X authentication
B) Port security
C) NAC (Network Access Control) with posture checking
D) MAC address filtering
Answer: C
Explanation:
This question examines your knowledge of Network Access Control and specifically the posture assessment capabilities that verify endpoint compliance with security policies. Posture checking is essential for preventing compromised or non-compliant devices from accessing network resources.
Option C is correct because Network Access Control with posture checking evaluates endpoint security compliance before granting network access, verifying that devices meet organizational security requirements. Cisco ISE implements NAC with posture assessment that can check for antivirus software presence and updates, operating system patch levels, host-based firewall status, encryption settings, prohibited applications, registry settings, and custom compliance criteria. Posture assessment can operate in different modes including agent-based using AnyConnect with ISE Posture module for comprehensive checks, agentless using client provisioning or network scanning for limited assessment without software installation, and temporal agent for temporary lightweight assessment. Based on posture results, ISE assigns appropriate authorization including full access for compliant devices, restricted access to remediation servers for non-compliant devices, or quarantine for severely non-compliant devices. Posture assessment reduces risk from compromised or unpatched endpoints that could introduce malware or vulnerabilities.
Option A is incorrect because while 802.1X provides authentication to verify user identity and device credentials, it does not inherently include posture assessment to evaluate endpoint security compliance. 802.1X handles authentication and authorization but posture checking requires additional functionality to inspect endpoint security status. Organizations typically combine 802.1X authentication with NAC posture assessment where ISE performs both functions, but 802.1X alone only handles identity verification. The authentication success does not indicate whether the device has current antivirus or operating system patches.
Option B is incorrect because port security is a switch feature that limits which MAC addresses can connect to switch ports, preventing unauthorized devices from connecting but not assessing security posture of authorized devices. Port security can restrict ports to specific MAC addresses or limit the number of MAC addresses per port, providing basic access control. However, port security does not evaluate whether connecting devices meet security requirements like patch levels or antivirus status. Port security provides physical connection control while NAC with posture provides security compliance verification.
Option D is incorrect because MAC address filtering permits or denies access based on hardware addresses but does not assess endpoint security posture. MAC filtering provides basic access control by maintaining lists of allowed MAC addresses but cannot verify that allowed devices are properly secured. MAC addresses can be spoofed, making this a weak security control. MAC filtering determines which devices can connect but not whether those devices are secure and compliant. NAC with posture goes beyond identity to verify security hygiene.
Question 193:
An organization needs to detect command and control traffic from compromised endpoints communicating with external servers. Which technology would be most effective?
A) Stateful firewall rules
B) Network behavior analysis
C) Static route configuration
D) Port security
Answer: B
Explanation:
This question tests your understanding of advanced threat detection techniques and which technologies can identify malicious communications that may bypass traditional security controls. Detecting C2 traffic is critical for identifying and containing compromised systems.
Option B is correct because network behavior analysis uses machine learning and behavioral analytics to identify anomalous communication patterns that indicate command and control activity. NBA solutions like Cisco Stealthwatch/Secure Network Analytics analyze network telemetry including NetFlow, IPFIX, and full packet data to establish baselines of normal behavior for users, devices, and applications. When endpoints exhibit unusual behaviors such as beaconing at regular intervals to external IP addresses, communicating with rarely-accessed destinations, generating abnormal traffic volumes, using unusual ports or protocols, or accessing known malicious infrastructure, NBA detects these deviations and generates alerts. Behavioral analysis can detect C2 traffic even when it uses legitimate protocols, encryption, or blends with normal traffic because the overall pattern differs from established baselines. NBA provides visibility into encrypted traffic through metadata analysis, detects lateral movement within networks, and identifies data exfiltration attempts, making it highly effective against advanced persistent threats.
Option A is incorrect because stateful firewall rules filter traffic based on predefined policies allowing or blocking based on source, destination, port, and protocol, but they cannot detect sophisticated C2 traffic that uses allowed protocols and destinations. Many C2 communications use HTTP/HTTPS to blend with legitimate web traffic or leverage compromised legitimate websites as command servers. Firewall rules that permit web browsing cannot distinguish between legitimate web access and C2 communications within that traffic. Firewalls are necessary perimeter controls but must be complemented with behavior analysis to detect threats within allowed traffic flows.
Option C is incorrect because static route configuration determines paths for network traffic forwarding but provides no security inspection or threat detection capabilities. Static routes are basic routing mechanisms that direct traffic toward destinations but have no visibility into traffic contents or patterns. While routing can direct traffic through security inspection points, static routes themselves do not detect threats. Static routes serve a fundamental networking function but are not security detection technologies.
Option D is incorrect because port security restricts which MAC addresses can connect to switch ports but provides no visibility into traffic content or behavioral patterns. Port security prevents unauthorized physical connections but cannot detect what authorized devices are doing on the network. Once a device passes port security checks, port security has no awareness of the device’s communications or whether it is compromised and performing C2 communications. Port security is an access control mechanism while behavior analysis is a threat detection mechanism.
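One of the behaviors named above, beaconing at regular intervals, detected from flow metadata alone, shown as an added example that is not part of the original question set and is not the logic of any Cisco product. The NetFlow-style records, the thresholds and the IP addresses are constructed for illustration; the point is that timing regularity and payload-size regularity, not destination or port, separate the beacon from ordinary browsing to the same port 443.

```python
"""Beaconing detector over flow records (added example, not from the original
page and not Cisco Secure Network Analytics logic). The flow records and
thresholds below are constructed for illustration."""
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = []
# 10.0.0.5 contacts 203.0.113.9:443 every 60 s (+/- 1 s) with a tiny fixed payload
FLOWS += [(1700000000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.9", 443, 412)
          for i in range(30)]
# 10.0.0.7 browses a web site at irregular, human-like intervals with varying sizes
FLOWS += [(1700000000 + t, "10.0.0.7", "198.51.100.20", 443, b)
          for t, b in [(3, 18200), (47, 5100), (52, 93000), (310, 2400), (900, 44100),
                       (905, 1300), (1700, 62000), (1712, 800), (3400, 27000)]]
# 10.0.0.9 makes only two connections: too few to judge
FLOWS += [(1700000100, "10.0.0.9", "192.0.2.33", 8080, 500),
          (1700000160, "10.0.0.9", "192.0.2.33", 8080, 500)]

def beacon_candidates(flows, min_flows=8, max_gap_cv=0.15, max_size_cv=0.2):
    """Return {(src, dst, port): stats} for pairs whose timing looks machine-regular.

    cv (coefficient of variation) = stdev / mean. A near-zero cv of the
    inter-arrival times means evenly spaced connections; people and most
    applications are bursty. A near-zero cv of the sizes means a fixed check-in.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))
    findings = {}
    for pair, records in by_pair.items():
        if len(records) < min_flows:
            continue                                  # not enough data for a baseline
        records.sort()
        gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
        sizes = [r[1] for r in records]
        mean_gap = statistics.mean(gaps)
        mean_size = statistics.mean(sizes)
        gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0
        size_cv = statistics.pstdev(sizes) / mean_size if mean_size else 0.0
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            findings[pair] = {
                "connections": len(records),
                "interval_s": round(mean_gap, 1),
                "gap_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            }
    return findings

if __name__ == "__main__":
    for pair, stats in beacon_candidates(FLOWS).items():
        print("possible beacon:", pair, stats)
```

In practice the thresholds are tuned against a baseline of the site's own traffic, and hits are corroborated with the other signals the explanation lists (rarely-accessed destination, destination reputation, unusual port), since some legitimate software also polls on a timer.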
Question 194:
Which protocol provides secure encrypted communication between Cisco security devices and management platforms for configuration and monitoring?
A) Telnet
B) HTTPS
C) TFTP
D) HTTP
Answer: B
Explanation:
This question examines your knowledge of secure management protocols used for administering security infrastructure. Using encrypted protocols for management communications prevents credential theft and configuration tampering.
Option B is correct because HTTPS provides secure encrypted communication for web-based management interfaces using HTTP over TLS/SSL encryption. Cisco security devices like Firepower Management Center, Cisco Defense Orchestrator, ISE, and Umbrella dashboard use HTTPS for secure management access. HTTPS encrypts all management traffic including login credentials, configuration changes, and monitoring data, preventing eavesdropping and man-in-the-middle attacks. Modern security platforms exclusively use HTTPS for management interfaces, often disabling HTTP entirely or redirecting HTTP to HTTPS. HTTPS operates on TCP port 443 by default and provides server authentication through certificates, ensuring administrators connect to legitimate management platforms rather than imposter sites. Best practices require validating certificates, using strong cipher suites, and implementing client certificates for mutual authentication when appropriate.
Option A is incorrect because Telnet transmits all data including credentials in cleartext without encryption, making it completely unsuitable for secure device management. Telnet sessions can be intercepted to capture passwords and monitor configuration changes. Telnet was historically used for device management but represents a significant security vulnerability. Modern security best practices require disabling Telnet on all devices and using SSH for command-line management. Any organization still using Telnet for management faces serious security risks including credential theft and unauthorized configuration changes.
Option C is incorrect because TFTP is a simple file transfer protocol that transmits data without authentication or encryption, making it inappropriate for secure management. While TFTP might be used for transferring configuration backups or firmware images in controlled environments, it provides no security and should not be used for management communications over untrusted networks. TFTP lacks both confidentiality and integrity protection, making files vulnerable to interception and modification. Secure alternatives like SFTP or SCP should be used for file transfers involving security-sensitive data.
Option D is incorrect because HTTP transmits data in cleartext without encryption, providing no protection for management communications. HTTP was used by older management interfaces but has been replaced by HTTPS in modern security platforms. Management over HTTP exposes credentials and configurations to interception and man-in-the-middle attacks. Most contemporary devices either disable HTTP entirely or redirect it to HTTPS to force encrypted communications. Using HTTP for security device management contradicts fundamental security principles and should never be implemented in production environments.
Question 195:
An administrator needs to configure Cisco Firepower to block file downloads based on file type. Which security feature should be configured?
A) File Policy
B) Access Control Policy
C) Intrusion Policy
D) Security Intelligence
Answer: A
Explanation:
This question tests your understanding of Cisco Firepower content security features and specifically which capability controls file handling based on file characteristics. File control is important for preventing malware delivery and enforcing acceptable use policies.
Option A is correct because File Policy in Cisco Firepower defines how the system handles files detected in network traffic, including blocking specific file types, categories, or individual files based on characteristics. File policies can block file types like executables, archives, documents, or multimedia based on security or business requirements. File policy rules specify conditions such as application protocol, direction of transfer, user identity, and file type, then apply actions including block file to prevent download, malware cloud lookup to submit files to AMP Threat Grid for analysis, block malware to prevent files identified as malicious, or detect files for logging without blocking. File policies provide granular control such as blocking executable downloads from the internet while permitting them from internal application servers or blocking specific categories like multimedia files to conserve bandwidth. File policy integrates with AMP file reputation and sandboxing to provide comprehensive file-based threat protection beyond simple type blocking.
Option B is incorrect because Access Control Policy defines overall traffic handling including which connections to allow or block based on network, application, and user criteria, but it does not provide granular file-type-based control. Access control policies invoke other inspection policies including file policies, intrusion policies, and malware inspection, but the specific file type blocking capability resides in file policy. Access control rules might specify that web traffic should have file policy applied, but the file policy itself defines which file types to block. These policies work hierarchically with access control providing the framework and file policy providing specialized file handling.
Option C is incorrect because Intrusion Policy defines which intrusion prevention signatures and preprocessors detect attacks and malicious activity in packet contents but does not specifically control file downloads by type. While IPS might detect exploit code within files or malicious file characteristics, it focuses on attack pattern detection rather than administrative control of file categories. IPS operates at the packet and protocol level while file policy operates at the application and content level. Both provide important security but serve different purposes with intrusion prevention detecting threats and file policy enforcing file handling policies.
Option D is incorrect because Security Intelligence provides reputation-based blocking of connections to known malicious IP addresses, URLs, and domains before deeper inspection but does not control file types. Security Intelligence blocks connections to threat sources based on continuously updated intelligence feeds but does not inspect file contents or types within allowed connections. Security Intelligence operates as a pre-filter while file policy operates on allowed traffic to inspect and control file transfers. Organizations need both Security Intelligence to block connections to malicious sources and file policy to control legitimate file transfers.
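A small model of the file-policy evaluation described for Option A, shown as an added example that is not Firepower's code and not part of the original question set. It identifies the file type from the leading bytes of the content rather than the file name, then walks an ordered rule set whose conditions mirror the ones named in the explanation (application protocol, direction, file type or category). The magic-byte table, the type and category names, the action labels and the sample files are constructed for illustration.

```python
"""File-type control rule evaluation (added example, not from the original page
and not Firepower's code). Identifies file type from leading magic bytes rather
than the file name, then applies an ordered set of constructed rules."""

# Magic-byte signatures: (prefix, type name, category). Constructed subset.
SIGNATURES = [
    (b"MZ",                "MSEXE",  "Executables"),
    (b"\x7fELF",           "ELF",    "Executables"),
    (b"PK\x03\x04",        "ZIP",    "Archive"),
    (b"%PDF-",             "PDF",    "PDF files"),
    (b"\xd0\xcf\x11\xe0",  "MSOLE2", "Office Documents"),
    (b"\x89PNG\r\n\x1a\n", "PNG",    "Graphics"),
]

def identify(data: bytes) -> tuple:
    """Return (type, category) from content, ignoring whatever the name claims."""
    for magic, ftype, category in SIGNATURES:
        if data.startswith(magic):
            return ftype, category
    return "UNKNOWN", "Unknown"

# Ordered rules, first match wins. Action labels are illustrative.
RULES = [
    {"protocol": "HTTP", "direction": "download", "categories": {"Executables"},
     "action": "BLOCK"},
    {"protocol": "HTTP", "direction": "download", "categories": {"Office Documents", "PDF files"},
     "action": "MALWARE_LOOKUP"},
    {"protocol": "SMB",  "direction": "any",      "types": {"MSEXE"},
     "action": "DETECT"},
]

def evaluate(file_bytes: bytes, protocol: str, direction: str, rules=RULES) -> dict:
    ftype, category = identify(file_bytes)
    for rule in rules:
        if rule["protocol"] not in ("any", protocol):
            continue
        if rule["direction"] not in ("any", direction):
            continue
        if "categories" in rule and category not in rule["categories"]:
            continue
        if "types" in rule and ftype not in rule["types"]:
            continue
        return {"type": ftype, "category": category, "action": rule["action"]}
    return {"type": ftype, "category": category, "action": "ALLOW"}   # no rule matched

# Constructed samples: the first is an executable renamed to look like an image
SAMPLES = {
    "setup.png":  (b"MZ\x90\x00" + b"\x00" * 60, "HTTP", "download"),
    "report.pdf": (b"%PDF-1.7\n%...", "HTTP", "download"),
    "photo.png":  (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "HTTP", "download"),
    "tool.exe":   (b"MZ\x90\x00" + b"\x00" * 60, "SMB", "upload"),
    "backup.zip": (b"PK\x03\x04" + b"\x00" * 26, "HTTP", "upload"),
}

def evaluate_samples(samples=SAMPLES):
    return {name: evaluate(*args) for name, args in samples.items()}

if __name__ == "__main__":
    for name, r in evaluate_samples().items():
        print(f"{name:12} {r['type']:7} {r['category']:17} -> {r['action']}")
```

The renamed executable (setup.png) is still blocked because the decision keys on content, which is the property that makes type-based file control useful against malware delivery: an attacker controls the file name in the URL but not the format the payload must have to run.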