CCIE Security Exam (v4.1)
Question No: 141 – (Topic 2)
For what reason has the IPv6 Type 0 Routing Header been recommended for deprecation?
A. When Type 0 traffic is blocked by a firewall policy, all other traffic with routing headers is dropped automatically.
B. It can conflict with ingress filtering.
C. It can create a black hole when used in combination with other routing headers.
D. Attackers can exploit its functionality to generate DoS attacks.
Answer: D
Explanation:
The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. This document updates the IPv6 specification to deprecate the use of IPv6 Type 0 Routing Headers, in light of this security concern.
Question No: 142 – (Topic 2)
What is the default duration of IPS anomaly detection’s learning accept mode?
Answer: C
Explanation:
Although anomaly detection is in detect mode by default, it conducts an initial learning accept mode for the default period of 24 hours.
Question No: 143 – (Topic 2)
Refer to the exhibit.
Which option describes the behavior of this configuration?
The switch initiates the authentication.
The client initiates the authentication.
The device performs subsequent IEEE 802.1X authentication if it passed MAB authentication. If the device fails IEEE 802.1X, it will start MAB again.
Devices that perform IEEE 802.1X should be in the MAC address database for successful authentication.
IEEE 802.1X devices must first authenticate via MAB to perform subsequent IEEE 802.1X authentication. If 802.1X fails, the device is assigned to the default guest VLAN.
Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-service/application_note_c27-573287.html
Question No: 144 – (Topic 2)
In the IPv6 address 2001:DB8:130F::870:0:140B/64, which portion is the IPv6 interface identifier?
Explanation:
The CIDR prefix representation is used to represent the IPv6 address. An example of this notation is: 2001:DB8:130F::870:0:140B/64
The /64 indicates that the first 64 bits are used to represent the network and the last 64 bits are used to represent the interface identifier.
Question No: 145 – (Topic 2)
Which statement about the fragmentation of IPsec packets in routers is true?
By default, if the packet size exceeds the MTU of the ingress physical interface, it is fragmented and sent without encryption.
By default, if the packet size exceeds the MTU of the egress physical interface, it is dropped.
By default, the router knows the IPsec overhead to add to the packet, checks whether the packet will exceed the egress physical interface IP MTU after encryption, then fragments the packet before encrypting and encrypts the resulting IP fragments separately.
By default, the IP packets that need encryption are first encrypted with ESP; if the resulting encrypted packet exceeds the IP MTU on the egress physical interface, the encrypted packet is fragmented before being sent.
Question No: 146 – (Topic 2)
What is the range of valid stratum numbers for NTP when configuring a Cisco IOS device as an authoritative NTP server?
A. 0 to 16
B. 1 to 15
C. 0 to 4
D. 1 to 16
Answer: B
Explanation:
When configuring a Cisco device as an NTP master, its clock becomes a reference clock for time synchronization of other devices. The stratum of the NTP master can be configured in the range 1-15, but it is usually configured as stratum 1.
Question No: 147 – (Topic 2)
What technology can secure DNS information in IP networks?
a combination of DNS and SSL/TLS
a combination of DNS and IPSec
Answer: D
Explanation:
DNSSEC supplements the hierarchical nature of the DNS with cryptographic characteristics that make it possible to verify the authenticity of information stored in the DNS. This validation makes it possible for resolvers to be assured that, when they request a particular piece of information from the DNS, they do in fact receive the correct information as published by the authoritative source.
This assurance is made possible using cryptographic signatures included in the DNS by a source organization. These signatures are calculated over a complete Resource Record set, not over individual Resource Records. The signatures are published in a DNSSEC-specific resource record type called RRSIG. For example, setting aside the requisite infrastructure, by publishing the signature for an A record, the source organization makes it possible for resolvers on the Internet to verify that the A record contains authentic data and is correct as published. A DNS server only signs data for which it is authoritative; for example, the DNS server does not sign NS records that delegate subdomains from its zone.
Question No: 148 – (Topic 2)
To transport VXLAN traffic, which minimum MTU change, from a default MTU of 1500 bytes on the port, is required to avoid fragmentation and performance degradation?
Answer: D
Explanation:
VXLAN traffic is encapsulated in a UDP packet when sent out to the physical network. This encapsulation imposes the following overhead on each packet:
Outer Ethernet header (14) + outer IP header (20) + UDP header (8) + VXLAN header (8) = 50 bytes
To avoid fragmentation and possible performance degradation, all the physical network devices transporting the VXLAN traffic need to support an MTU 50 bytes greater than the maximum frame size expected from the encapsulated hosts. Therefore, adjust the MTU settings on all devices that will transport the VXLAN traffic.
Question No: 149 – (Topic 2)
Which of these is an invalid syslog facility?
Question No: 150 – (Topic 2)
Depending on configuration, which two behaviors can the ASA classifier exhibit when it receives unicast traffic on an interface that is shared by multiple contexts? (Choose two.)
It is classified using the destination address of the packet using the NAT table.
It is classified using the destination address of the packet using the connection table.
It is classified by copying and sending the packet to all the contexts.
It is classified using the destination address of the packet using the routing table.
It is classified using the destination MAC address of the packet.