CCNA Security: 12-Question Practice Exam
CCNA Security is among the nine certifications retiring in February 2020. If you're currently studying for the 210-260 IINS, you probably already have at least your CCENT. That's great news. You're just one exam away from the CCNA Security and the new CCNA certification.
Answer these 12 questions to get a feel for the questions you may see on the 210-260 IINS exam. Good luck!
1. You want to use security mechanisms to ensure that data sent from your workstation is not manipulated in transit. Which part of the CIA triad are you directly addressing in this case?
a. Confidentiality
b. Integrity
c. Authentication
d. Authorization
Correct Answer: b
Explanation: Integrity means the data cannot be altered without detection, whether at rest or in transit. Confidentiality protects against disclosure, and authentication and authorization are access-control concepts rather than members of the CIA triad (availability is the third member).
2. You need a port on your Cisco switch to function as a Layer 3 (routed) port. Which command does this?
a. no switchport
b. no l2 port
c. no layer2 enable
d. disable l2 switch port
Correct Answer: a
Explanation: On a multilayer switch, the no switchport interface command converts a Layer 2 switch port into a routed port, after which an IP address can be assigned directly to the interface. Note that the keyword is a single word, switchport.
3. What zone is created by default on a Cisco router in a ZBF configuration?
a. in-out
b. inside
c. dmz
d. outside
e. self
Correct Answer: e
Explanation: With the Zone-Based Firewall, interfaces are placed into a logical structure called a zone; a zone groups interfaces that share the same security treatment. Cisco automatically creates one special zone, named self, which is used to control traffic sourced from or destined to the router itself (management sessions, routing protocols, VPN termination). Until a zone-pair that names self is configured, all traffic to and from the router is permitted by default.
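As an added example (not part of the original quiz), here is an IOS 15.x Zone-Based Firewall configuration that puts the self zone to work. The interface names, zone names, addresses and the 10.1.1.0/24 management subnet are assumptions for illustration. It restricts router-destined traffic from the inside to SSH and ping from the management subnet, and drops everything the outside sends to the router itself.

```cisco
! Added example, not from the original page. Interface names, zone names,
! addresses and the 10.1.1.0/24 management subnet are assumed for illustration.
!
! Step 1: user-defined zones. The 'self' zone is not declared; IOS creates it.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! Step 2: router-destined traffic the inside may send (SSH and ping from
! the management subnet only).
ip access-list extended MGMT-TO-ROUTER
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit icmp 10.1.1.0 0.0.0.255 any echo
!
class-map type inspect match-all CM-MGMT-TO-SELF
 match access-group name MGMT-TO-ROUTER
!
policy-map type inspect PM-INSIDE-TO-SELF
 class type inspect CM-MGMT-TO-SELF
  inspect
 class class-default
  drop log
!
! Step 3: everything the outside sends to the router itself is dropped.
! Until a zone-pair that names 'self' exists, IOS permits all traffic to
! and from the router, so this zone-pair is what actually closes the door.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class class-default
  drop log
!
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect PM-INSIDE-TO-SELF
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
!
! Verify: which zone-pairs exist and what they are dropping
! show zone-pair security
! show policy-map type inspect zone-pair OUTSIDE-TO-SELF
```

Two caveats before applying this on a production router. If the router terminates a VPN or speaks a routing protocol toward the outside, add a class that passes that traffic (ISAKMP/ESP, OSPF, and so on) ahead of class-default, or the OUTSIDE-TO-SELF policy drops it. Router-originated sessions toward the outside (NTP, DNS, syslog) also need a self-to-OUTSIDE zone-pair with inspect so that their replies are allowed back in. Apply the configuration from the console, not from an SSH session sourced outside 10.1.1.0/24.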
4. What is used in conjunction with a private key in PKI to form a key pair?
a. Certificate key
b. Main key
c. Public key
d. Default key
Correct Answer: c
Explanation: Public-key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: a public key that may be distributed widely and a private key known only to its owner. This enables two functions: digital signatures, where anyone holding the public key can verify that a message was signed by the holder of the paired private key, and encryption, where only the holder of the private key can decrypt a message encrypted with the public key. In PKI, a certificate binds the public key to an identity; the private key itself is never part of the certificate.
5. What is the most modern and sophisticated version of the stateful firewall functionality on a Cisco router?
a. CBAC
b. Reflexive ACLs
c. Lock and Key
d. ZBF
Correct Answer: d
Explanation: The Zone-Based Firewall feature set is the most recent and most capable way to implement stateful firewall functionality on a Cisco IOS router; it replaces the older interface-based CBAC (ip inspect) model. Reflexive ACLs and Lock-and-Key (dynamic ACLs) are earlier, more limited techniques.
6. What method can you use to guard against spoofing types of attacks?
a. UDLD
b. BPDU Guard
c. uRPF
d. TrustSec
Correct Answer: c
Explanation: Unicast Reverse Path Forwarding (uRPF) lets a router check the source address of each received packet against its forwarding table (the CEF FIB). In strict mode the packet is accepted only if the best route back to its source points out of the interface on which it arrived; in loose mode it is accepted if any route to the source exists; VRF mode performs the check against a specific VRF's table. Packets that fail the check are discarded, which limits the spoofed-source traffic that can enter the network. Use strict mode only where routing is symmetric, otherwise legitimate traffic arriving on the "wrong" interface is dropped. Not all platforms support all three modes.
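As an added example (not from the original quiz), the following IOS configuration contrasts the three ways uRPF is typically deployed. Interface names, descriptions and addresses are assumptions for illustration; access list 199 is a hypothetical name chosen here.

```cisco
! Added example, not from the original page. Interface names and addresses
! are assumed for illustration.
!
! CEF is required for Unicast RPF (enabled by default on current IOS).
ip cef
!
! Strict mode on a customer-facing interface where routing is symmetric:
! a packet is accepted only if the route back to its source points out of
! the interface it arrived on. Spoofed sources are dropped.
interface GigabitEthernet0/1
 description Branch LAN 10.10.1.0/24
 ip address 10.10.1.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
! Loose mode on a multihomed upstream link where return paths may differ:
! a packet is accepted if any route to its source exists in the FIB. This
! still drops unrouted and bogon sources but not packets arriving on the
! "wrong" interface.
interface GigabitEthernet0/2
 description ISP-A
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast source reachable-via any
!
! Rollout aid: packets that fail the RPF check are then matched against
! the numbered ACL. 'deny ... log' keeps dropping them but logs each hit,
! so asymmetric flows can be found before strict mode is trusted blindly.
! Changing deny to permit would forward the failures (monitor-only mode).
access-list 199 deny ip any any log
!
interface GigabitEthernet0/3
 description Branch LAN 10.10.2.0/24 (monitor-first rollout)
 ip address 10.10.2.1 255.255.255.0
 ip verify unicast source reachable-via rx 199
!
! Verify: per-interface mode and drop counters, and global RPF drops
! show ip interface GigabitEthernet0/1 | include verif
! show cef interface GigabitEthernet0/1 | include RPF
! show ip traffic | include RPF
```

The ACL argument accepts only a numbered access list, which is why 199 is used rather than a named list.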
7. What command is used to enable the Port Security feature?
a. switchport port-security maximum 2
b. switchport port-security on
c. switchport port-security
d. switchport port-security enable
Correct Answer: c
Explanation: The switchport port-security interface command (one word, switchport) enables the feature with its defaults: a maximum of one secure MAC address and the shutdown violation mode. Option a only sets a parameter and does not by itself enable the feature; options b and d are not valid IOS syntax. The interface must already be a static access or trunk port; the command is rejected on a dynamic (DTP) port.
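As an added example (not from the original quiz), here is a complete port-security configuration for one access port rather than the single enabling command. The interface number, VLAN and the expectation of two devices on the port are assumptions for illustration.

```cisco
! Added example, not from the original page. Interface number, VLAN and
! the two-device assumption are chosen for illustration.
!
interface GigabitEthernet0/5
 description User desk, two devices expected on this port
 ! Port security is rejected on a dynamic (DTP) port; make it a static
 ! access port first.
 switchport mode access
 switchport access vlan 10
 ! Enable the feature. Defaults: maximum 1 secure MAC, violation shutdown.
 switchport port-security
 ! Two devices, so allow two secure addresses.
 switchport port-security maximum 2
 ! Learn addresses dynamically and write them into the running config so
 ! they survive a link flap (save the config to keep them across reloads).
 switchport port-security mac-address sticky
 ! 'restrict' drops frames from extra MACs, increments the violation
 ! counter and sends a trap, but keeps the port up. The default
 ! 'shutdown' err-disables the whole port on the first violation.
 switchport port-security violation restrict
 spanning-tree portfast
!
! Where the default 'shutdown' mode is kept, let the switch recover
! err-disabled ports automatically instead of waiting for a manual
! shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify: status, maximum and current counts, violation counter, learned MACs
! show port-security interface GigabitEthernet0/5
! show port-security address
```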
8. You are running an ASA with 8.2 code. How can you ensure that NAT is required to allow inside clients to access outside resources?
a. nat-control
b. nat enable
c. nat enforce
d. nat enable yes
Correct Answer: a
Explanation: With nat-control enabled, packets traversing from an inside interface to an outside interface must match a NAT rule; for any inside host to reach a host on the outside network, you must configure NAT (or an explicit identity-NAT exemption) for that inside address, and traffic with no matching rule is dropped rather than forwarded untranslated. This command exists only through ASA 8.2; from 8.3 onward NAT control is gone and translation simply does not happen unless a rule matches.
9. Beyond the hash, group, and encryption method, which of the following should be determined during IKE phase one?
a. Authentication and load balancing
b. Authorization and lifetime
c. Authentication and lifetime
d. Authorization and load balancing
Correct Answer: c
Explanation: Phase 1 of an IKE negotiation establishes the ISAKMP security association that protects the rest of the exchange. The peers exchange proposals describing how that channel will be authenticated and secured:
Encryption algorithm: DES, 3DES or AES.
Hash (integrity) algorithm: MD5 or SHA, used in HMAC form to authenticate the IKE messages.
Diffie-Hellman (DH) group, which sets the strength of the key-agreement exchange.
Authentication method: a pre-shared key or RSA/DSA certificates (digital signatures).
SA lifetime, after which Phase 1 must be renegotiated.
A Phase 1 negotiation succeeds when both ends of the tunnel accept at least one complete set of these parameters. Load balancing and authorization are not IKE Phase 1 attributes.
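As an added example (not from the original quiz), the IOS IKEv1 policy below maps each Phase 1 attribute from the explanation onto configuration, with a strong primary proposal beside a weaker fallback. The peer address and the placeholder pre-shared key are assumptions for illustration.

```cisco
! Added example, not from the original page. The peer address and the
! <long-random-psk> placeholder are assumed for illustration.
!
! Each 'crypto isakmp policy' is one Phase 1 proposal. The responder tries
! the initiator's proposals against its own, lowest priority number first,
! and the first matching set of encryption / hash / DH group / authentication
! wins, provided the initiator's lifetime is no longer than the local one.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Weaker fallback for a legacy peer. While it exists, any peer that offers
! SHA-1 and DH group 5 can negotiate the downgrade; remove it once the last
! legacy peer is upgraded.
crypto isakmp policy 20
 encryption aes 128
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Current IOS also ships implicit default policies (priorities 65507-65514)
! that include 3DES, MD5 and DH group 2. Disable them so only the proposals
! above can be agreed.
no crypto isakmp default policy
!
! The pre-shared key is the Phase 1 authentication credential, bound to
! the peer's address.
crypto isakmp key <long-random-psk> address 203.0.113.2
!
! Verify: which proposals are configured and what was actually agreed
! show crypto isakmp policy
! show crypto isakmp sa detail
```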
10. You notice the following command in a proposed configuration for your ASA: route outside 0 0 192.168.1.1. What is this command accomplishing?
a. It is creating a default route to 192.168.1.1 using the outside interface with the default admin distance
b. It is creating a static route to 192.168.1.1 using the inside interface for traffic sourced from the outside interface
c. It is invalid and will return an error
d. It is creating a default route to 192.168.1.1 using the inside interface with the default admin distance
Correct Answer: a
Explanation: The route command adds a static route on the ASA. The first argument is the interface through which the traffic exits (here outside), followed by the destination network and mask and then the next-hop gateway. A destination of 0 0 is accepted shorthand for 0.0.0.0 0.0.0.0, which makes this the default route, with 192.168.1.1 as the next hop. The addresses you specify for a static route are those in the packet before it enters the ASA and NAT is applied.
An optional trailing value sets the administrative distance; it defaults to 1 if omitted. Administrative distance is used to compare routes learned from different sources. The default of 1 for static routes gives them precedence over routes learned by dynamic routing protocols, but not over directly connected routes, which have a distance of 0.
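Questions 8 and 10 both concern ASA 8.2 syntax, so one added example (not from the original quiz) serves both: nat-control with the NAT rules that satisfy it, and the default route from question 10. Interface names, addresses, the next hop and the 10.2.0.0/16 remote network are assumptions for illustration.

```cisco
! Added example (ASA 8.2 syntax), not from the original page. Interface
! names, addresses, the next hop and 10.2.0.0/16 are assumed for illustration.
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Question 8: require a NAT match for inside->outside traffic. With
! nat-control on, an inside host that matches no nat rule is dropped,
! not passed untranslated. (Removed in 8.3+, where NAT is always optional.)
nat-control
!
! Dynamic PAT of the inside subnet to the outside interface address.
! The nat and global statements are paired by the shared id 1.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Hosts that must cross without translation (for example toward a
! hypothetical site-to-site peer network 10.2.0.0/16) need an explicit
! identity-NAT exemption via nat 0, otherwise nat-control drops them.
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
!
! Question 10: default route out of 'outside'. '0 0' is the accepted
! shorthand for 0.0.0.0 0.0.0.0; the trailing 1 is the administrative
! distance, already the default for static routes and so usually omitted.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Verify: NAT policy in force, translations being built, and routing
! show running-config nat-control
! show xlate
! show route
```

The next hop must lie on the subnet of the interface named in the route, which is why the outside interface here is addressed in 192.168.1.0/24.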
11. You are interested in performing remote management and administration of your Cisco device, but you must ensure encryption is in use. What are two valid options to ensure this? (Choose two.)
a. Use Telnet
b. Use SNMP v2c
c. Use SSH
d. Use SNMP v3
Correct Answer: c, d
Explanation: Telnet sends credentials and session data in clear text, and SNMP v1 and v2c protect access only with a community string that also travels in clear text; neither offers encryption. SSH (use version 2) encrypts the management session. SNMPv3 encrypts only when its users and groups are configured at the priv (authPriv) security level; the noauth and auth levels authenticate at most and do not encrypt.
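As an added example (not from the original quiz), the IOS configuration below enables both encrypted options and removes their clear-text counterparts. The hostname, domain name, addresses, account names and the <...> placeholders are assumptions for illustration.

```cisco
! Added example, not from the original page. Hostname, domain, addresses
! and account names are assumed; replace the <...> placeholders.
!
! --- SSH: the RSA key pair requires a hostname and domain name to exist ---
hostname R1
ip domain-name example.net
crypto key generate rsa label SSH-KEY modulus 2048
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
username admin privilege 15 secret <strong-passphrase>
!
line vty 0 4
 login local
 ! 'ssh' alone removes Telnet from the listener; 'transport input all' or
 ! 'telnet ssh' would leave the clear-text path open.
 transport input ssh
 exec-timeout 10 0
!
! --- SNMP: remove the v2c community (it travels in clear text) ---
no snmp-server community public
!
! A view limits what the poller may read; the group binds the view to the
! v3 'priv' (authPriv) security level, the only level that encrypts.
! 'auth' authenticates but does not encrypt; 'noauth' does neither.
snmp-server view MGMT-VIEW iso included
snmp-server group NMS-GROUP v3 priv read MGMT-VIEW
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! Traps to the management station, also at the priv level
snmp-server host 10.1.1.50 version 3 priv nms-poller
!
! Verify. 'snmp-server user' is not echoed in 'show running-config'
! (the credentials are stored separately), so check the user table directly:
! show ip ssh
! show snmp user
! show snmp group
```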
12. You are interested in implementing DAI on your network. What does this feature rely on in order to function?
a. Private VLAN
b. DHCP Snooping
c. TCP Intercept
d. Zone Based Firewall
Correct Answer: b
Explanation: Dynamic ARP Inspection validates ARP packets received on untrusted ports against the legitimate IP-to-MAC bindings in the DHCP snooping binding database, so DHCP snooping must be enabled on the VLAN first. Hosts with static addresses have no DHCP binding and must be permitted with an ARP ACL, or DAI drops their ARP traffic.
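As an added example (not from the original quiz), here is the IOS configuration that builds the dependency the explanation describes: DHCP snooping first, then DAI on the same VLAN, with the static-host exception handled. The VLAN, interface numbers and the static host's addresses are assumptions for illustration.

```cisco
! Added example, not from the original page. VLAN, interface numbers and
! the static host's addresses are assumed for illustration.
!
! Step 1: DHCP snooping builds the IP-to-MAC binding table DAI checks against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! The uplink toward the DHCP server is trusted: server replies (OFFER/ACK)
! are dropped on untrusted ports. Trust it for DAI as well, so ARP from the
! rest of the network is neither validated nor rate-limited here.
interface GigabitEthernet0/24
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Step 2: DAI on the VLAN. Let snooping populate bindings (clients renew
! or reconnect) before turning this on, or hosts without a binding lose
! ARP until they do.
ip arp inspection vlan 10
!
! Also check that the sender/target MACs inside the ARP body match the
! Ethernet header, and that the IPs are not 0.0.0.0, 255.255.255.255 or
! multicast.
ip arp inspection validate src-mac dst-mac ip
!
! Step 3: a statically addressed host (printer, server) never gets a DHCP
! binding, so DAI would drop its ARP. Whitelist it with an ARP ACL.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.5 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Access ports stay untrusted (the default) and inherit the default limit
! of 15 ARP packets per second; a port exceeding it is err-disabled.
interface range GigabitEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
!
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verify: bindings, inspection state and drop counters
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```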