Q61. Which two configurations are necessary to enable password-less SSH login to an IOS router? (Choose two.) 

A. Enter a copy of the administrator's public key within the SSH key-chain 

B. Enter a copy of the administrator's private key within the SSH key-chain 

C. Generate a 512-bit RSA key to enable SSH on the router 

D. Generate an RSA key of at least 768 bits to enable SSH on the router 

E. Generate a 512-bit ECDSA key to enable SSH on the router 

F. Generate an ECDSA key of at least 768 bits to enable SSH on the router

Answer: A,D 

Q62. Which two statements about Cisco IOS Firewall are true? (Choose two.) 

A. It provides stateful packet inspection. 

B. It provides faster processing of packets than Cisco ASA devices provide. 

C. It provides protocol-conformance checks against traffic. 

D. It eliminates the need to secure routers and switches throughout the network. 

E. It eliminates the need to secure host machines throughout the network. 

Answer: A,C 

Q63. According to Cisco best practices, which two interface configuration commands help prevent VLAN hopping attacks? (Choose two.) 

A. switchport mode access 

B. switchport access vlan 2 

C. switchport mode trunk 

D. switchport access vlan 1 

E. switchport trunk native vlan 1 

F. switchport protected 

Answer: A,B 

Q64. How much storage is allotted to maintain system, configuration, and image files on the Cisco ASA 1000V during OVF template file deployment?

A. 1GB 

B. 5GB 

C. 2GB 

D. 10GB 


Q65. Which statement about Dynamic ARP Inspection is true?

A. In a typical network, you make all ports trusted except for the ports connecting to switches, which are untrusted

B. DAI associates a trust state with each switch 

C. DAI determines the validity of an ARP packet based on valid IP to MAC address binding from the DHCP snooping database 

D. DAI intercepts all ARP requests and responses on trusted ports only 

E. DAI cannot drop invalid ARP packets 


Q66. Refer to the exhibit. 

Which two statements about this firewall output are true? (Choose two.) 

A. The output is from a packet tracer debug. 

B. All packets are allowed to 

C. All packets are allowed to 

D. All packets are denied. 

E. The output is from a debug all command. 

Answer: A,C 

Q67. Which Cisco Security Manager form factor is recommended for deployments with fewer than 25 devices? 

A. only Cisco Security Manager Standard 

B. only Cisco Security Manager Professional 

C. only Cisco Security Manager UCS Server Bundle 

D. both Cisco Security Manager Standard and Cisco Security Manager Professional 


Q68. Which command tests authentication with SSH and shows a generated key? 

A. show key mypubkey rsa 

B. show crypto key mypubkey rsa 

C. show crypto key 

D. show key mypubkey 


Q69. Which three commands can be used to harden a switch? (Choose three.) 

A. switch(config-if)# spanning-tree bpdufilter enable 

B. switch(config)# ip dhcp snooping 

C. switch(config)# errdisable recovery interval 900 

D. switch(config-if)# spanning-tree guard root 

E. switch(config-if)# spanning-tree bpduguard disable 

F. switch(config-if)# no cdp enable 

Answer: B,D,F 

Q70. Which URL matches the regex statement "http"*/"www.cisco.com/"*[^E]"xe"? 

A. https://www.cisco.com/ftp/ios/tftpserver.exe 

B. https://cisco.com/ftp/ios/tftpserver.exe 

C. http:/www.cisco.com/ftp/ios/tftpserver.Exe 

D. https:/www.cisco.com/ftp/ios/tftpserver.EXE