2019 Newly Updated 300-208 Dumps V17.02 - 100% Passing Materials From DumpsBase

CISCO 300-208

Implementing Cisco Secure Access Solutions


Topic 1, Exam Pool A

1.What are three portals provided by PSN? (Choose three.) A. Monitoring B. Troubleshooting C. Sponsor D. Guest E. My devices F. Admin Answer: C, D, E

2.A customer is concerned with the use of the issued laptops even when devices are not on the corporate network. Which agent continues to be operational even when the host is not on the Cisco ISE network? A. Cisco ISE Agent B. Cisco NAC Agent C. Cisco Custom Agent D. Cisco NAC Web Agent Answer: B

3.A company has implemented a dual SSID BYOD design. A provisioning SSID is used for user registration, and an employee SSID is used for company network access. How is the layer 2 security of the provisioning SSID configured? A. 802.1X B. Open C. WPA2 D. MAC filtering disabled Answer: B

4.A company has implemented a dual SSID BYOD design. A provisioning SSID is used for user registration, and an employee SSID is used for company network access. Which controller option must be enabled to allow a user to switch immediately from the provisioning SSID to the employee SSID after registration has been completed? A. AAA override B. User Idle Timeout C. Fast SSID Change D. AP Fallback Answer: C

5.An engineer must enable SGACL policy globally for a Cisco TrustSec-enabled routed interface. Which command must be used? A. cts role-based monitor enable B. cts role-based enforcement C. cts role-based sgt-caching with-enforcement D. cts role-based monitor permissions from {sgt_num} to {dgt_num} [ipv4 | ipv6] Answer: B

6.What two values does Cisco recommend you adjust and test to set the optimal timeout value for your network’s specific 802.1X MAB deployment? A. Max-reauth-req B. Supp-timeout C. Max-req D. Tx-period E. Server-timeout Answer: A, D

7.Refer to the exhibit.


Which ISE flow mode does this diagram represent? A. Closed mode B. Monitor mode C. Application mode D. Low-impact mode Answer: B

8.Which two protocols does Cisco Prime Infrastructure use for device discovery? (Choose two.) A. SNAP B. LLDP C. RARP D. DNS E. LACP Answer: BD

9.An engineer is designing a BYOD environment utilizing Cisco ISE for devices that do not support native supplicants. Which portals must the security engineer configure to accomplish this task? A. Client Provisioning Portals B. BYOD Portals C. My Devices Portals D. MDM Portals Answer: C

10.An engineer must limit the configuration parameters that can be executed on the Cisco ASAs deployed throughout the network. Which command allows the engineer to complete this task? A. AAA-server tacacs1(inside) host 10.5.109.18 $3cr37 timeout2 ! aaa authorization command tacacs1 B. AAA-server tacacs1(inside) host 10.5.109.18 $3cr37 timeout2 ! aaa authentication ssh console tacacs1 C. AAA-server tacacs1(inside) host 10.5.109.18 $3cr37 timeout2 ! aaa authorization exec authentication-server D. AAA-server tacacs1(inside) host 10.5.109.18 $3cr37 timeout2 ! aaa authentication exclude ssh Answer: A

11.Refer to the exhibit.


If the host sends a packet across the Cisco TrustSec domain, where is the SGACL enforced? A. At the egress router B. Dynamically at the host C. After the packet enters the Cisco TrustSec domain D. At the ingress router. Answer: A

12.Which type of SGT propagation does a WLC in a data center require? A. SXP B. SGT Reflector C. SGT inline tagging D. SGT Reflector Answer: C

13.Which two accounting types are used to implement accounting with RADIUS? (Choose two.) A. Network B. User C. Attribute D. Device E. Resource Answer: AE

14.Which functionality does the Cisco ISE BYOD flow provide? A. It provides support for native supplicants, allowing users to connect devices directly to the network. B. It provides the My Devices portal, allowing users to add devices to the network. C. It provides support for users to install the Cisco NAC agent on enterprise devices. D. It provides self-registration functionality to allow guest users to access the network. Answer: A

15.Which description of SXP is true? A. applies SGT along every hop in the network path B. propagates SGT on a device upon which SGT inline tagging is unsupported C. removes SGT from every hop in the network path D. propagates SGT on a device on which inline tagging is supported Answer: B Explanation: Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/borderlessnetworks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

16.You must recover a wireless client from quarantine. You disconnect the client from the network. Which action do you take next? A. Reboot the client machine after the idle timeout period expires. B. Start a manual reassessment C. Reconnect to the network after the idle timeout period expires. D. Turn off the MIC of the client Answer: C Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html

17.Which internal Cisco ISE component reduces demand on JVM memory by limiting the number of devices the profiler handles? A. eventHandlerQueueSize B. maxEndPointsInLocalDb C. NetworkDeviceEventHandler D. forwarderQueueSize Answer: A

18.Which action do you take to define the global authorization exception policy by using a Device Admin Policy Set? A. Configure the policy by using Proxy Sequence mode. B. Configure a rule-based condition in a policy set. C. Define the policy for each group of devices. D. Define the policy by configuring a standard profile Answer: B

19.In the redirect URL authorization attribute, which Cisco ISE node acts as the web server when performing CWA? A. Administration B. Monitoring C. Policy Service D. pxGrid Answer: C Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01111.html

20.Which two protocols are supported with the Cisco IOS Device Sensor? (Choose two.) A. SNMP B. Cisco Discovery Protocol C. RADIUS D. LLDP E. NetFlow Answer: B, D Explanation: The Device Sensor feature is used to gather raw endpoint data from network devices using protocols such as Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), and DHCP. The endpoint data is made available to registered clients in the context of an access session. Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_1_se/device_sensor/guide/sensor_guide.html

21.What sends the redirect ACL that is configured in the authorization profile back to the Cisco WLC? A. Event B. Cisco-av-pair C. State attribute D. Class attribute Answer: B Explanation: Reference: https://community.cisco.com/t5/policy-and-access/ise-airespace-acl-wlcproblem/td-p/2110491

22.While troubleshooting a posture assessment issue on a Windows PC, the NAC Agent is not popping up as expected. Which two logs would help in isolating the issue? (Choose two.) A. Cisco AnyConnect ISE posture logs B. NAC agent logs C. Dart bundle D. Cisco ISE profiler log file E. Cisco ISE ise-psc.log file Answer: DE


23.A manager of Company A is hosting a conference. Conference participants use a code on the AUP page of the hot-spot guest portal. Which code must the manager create on Cisco ISE before the meeting? A. user code B. pass code C. access code D. registration code Answer: C

24.Which command is needed to enable dot1x globally on the switch? A. aaa authentication dot1x default group radius B. dot1x system-auth-control C. dot1x pae authenticator D. authentication port-control auto Answer: B Explanation: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/sec_usr_8021x/configuration/xe-3se/3850/secuser8021x-xe-3se-3850-book/config-ieee-802x-pba.html

25.DRAG DROP Drag and drop the portals from the left onto the correct portal tasks on the right.

Answer:


Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_010000.html

26.A security engineer must provision dynamic TrustSec classifications. Which two classification options must the engineer select to accomplish this task? (Choose two.) A. interface B. 802.1X C. MAB D. IP subnet E. VLAN Answer: BC Explanation: Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/borderlessnetworks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf page 11

27.A wireless deployment must check guest device compliance before allowing access to the network. Which type of guest deployment is needed to allow the Client Provisioning portal? A. central web authentication B. sponsored C. hotspot D. self-registered Answer: C


28.Which characteristic of an SGT enforcement policy is true? A. An SGFW has an implicit permit at the beginning. B. An SGFW has an implicit deny at the end. C. An SGACL has an implicit deny at the end. D. An SGACL has an explicit deny at the beginning. Answer: B Explanation: Unlike ACLs with an implicit deny at the end, Security Group ACLs (SGACLs) implemented on a switching platform have an implicit permit to Unknown or an implicit permit to all. This policy is not enforced on the Cisco ASA firewall or the Cisco IOS zone-based firewall acting as an SGFW, where an implicit deny is still maintained. On a switch, if no specific tag value is assigned to a server, the destination is considered Unknown and the packet is forwarded by default. Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprisenetworks/trustsec/branch-segmentation.pdf

29.When configuring a BYOD portal, which two tasks must be completed? (Choose two.) A. Enable policy services. B. Create endpoint identity groups C. Customize device portals D. Create a client provisioning portal. E. Create external identity sources. Answer: AB Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/14/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_010000.html

30.A customer has implemented a BYOD policy to allow employees to use personal devices on the corporate network. Which two methods can an employee use to add their devices to the network? (Choose two.) A. Client Information Signaling B. My Device portal C. Client Handshake Authentication D. Helpdesk registration E. native supplicants Answer: BE Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_010000.html


31.Which type of probe is required when using a Cisco IOS Sensor-enabled network switch? A. network scan probe B. HTTP probe C. RADIUS probe D. NetFlow probe Answer: C

32.An organization is deciding between single or dual SSID solutions for onboarding BYOD devices. Which item must be considered before selecting the dual SSID solution? A. Wireless coverage is reduced with dual SSIDs B. Additional access points are required for dual SSID. C. Dedicated controllers are required for dual SSIDs. D. The second SSID adds channel overhead Answer: D Explanation: Reference: https://community.cisco.com/t5/security-documents/ise-byod-dual-vssingle-ssid-onboarding/ta-p/3641422

33.Which two values are compared by the binary comparison function in authentication that is based on Active Directory? A. subject alternative name and the common name B. user-presented password hash and a hash stored in Active Directory C. user-presented certificate and a certificate stored in Active Directory D. MS-CHAPv2 provided machine credentials and credentials stored in Active Directory Answer: AD Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/ISEADIntegrationDoc/b_ISE-ADIntegration.html

34.A new consultant must be granted network access for only six months. Which type of ISE default guest account must be used to allow this access? A. contractor B. temporary C. employee D. annual Answer: A Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.pdf

35.Which two statements about RADIUS are true? (Choose two.) A. It uses UDP ports 1812 and 1813. B. It encrypts the payload. C. It encrypts the password only D. It uses TCP ports 1812 and 1813. E. It separates authorization and authentication functions Answer: AC Explanation: Reference: https://www.cisco.com/c/en/us/support/docs/security-vpn/remoteauthentication-dial-user-service-radius/13838-10.html#comp_udp_tcp

36.Which method of registering devices on the BYOD My Devices Portal requires that the user have a supplicant installed? A. MAB B. single SSID C. web authentication D. dual SSID Answer: D

37.Which two options are advantages of using the Cisco IOS Device Sensor as compared to other profiling probes? (Choose two.) A. uses RADIUS authentication messages to send gathered data to a Cisco ISE server B. provides DHCP information to a Cisco ISE server without using an IP helper address C. reduces the amount of traffic going to a Cisco ISE server D. collects switch CPU and RAM usage for monitoring purposes E. replaces all the other profiling probes Answer: BC

38.In an 802.1X deployment what two components are responsible for facilitating the authentication process? (Choose two.) A. MACSec B. MAC address C. an authentication server D. a router E. a supplicant Answer: CE Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

39.What is the purpose of configuring Native Supplicant Profile on the Cisco ISE? A. It provides posture assessments and remediation for devices that are attempting to gain access to the corporate network. B. It is used to register personal devices on the network. C. It enforces the use of MSCHAPv2 or EAP-TLS for 802.1X authentication D. It helps employees add and manage new devices by entering the MAC address for the device. Answer: B

40.A network administrator must remediate unpatched servers by redirecting them to their remediation portal. Which conditions in the authorization policy must the network administrator provision on Cisco ISE to accomplish this task? A. noncompliant B. quarantine C. compliant D. URL redirect Answer: D

41.A network administrator noticed that wireless guests are able to access internal resources which should not be accessible. Looking at the settings on the Cisco ISE, the administrator notices that the correct ACL is applied in Authorization Profile Settings and guests are being authorized using the correct authorization profile. Why is this happening? A. Number ACL must be applied. B. Airespace ACL Name must be configured instead of DACL Name. C. Access Type must be changed to ACCESS_REJECT with GUEST_ACL D. GUEST_ACL syntax is incorrect Answer: B

42.You have a VPN client that is quarantined. Which action do you take to restart the posture session? A. Send a CoA message B. Reconnect the VPN tunnel. C. Configure an authentication timer D. Enable periodic reassessment Answer: A Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html

43.How long are sessions kept in the ISE Monitoring and Troubleshooting node if there is authentication but no accounting? A. 5 hours B. 5 days C. 1 hour D. 1 day Answer: C Explanation: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_011000.html

44.DRAG DROP Drag and drop each posture assessment outcome from the left onto the appropriate definition on the right.

Answer:


45.Which two features are supported by named access list, but not numbered access list? (Choose two.) A. IP options filtering B. Timed-Based Access Control C. noncontiguous ports D. upper-layer session information E. Context-Based Access Control Answer: AC Explanation: https://www.cisco.com/c/en/us/td/docs/iosxml/ios/sec_data_acl/configuration/xe-3s/sec-data-acl-xe-3s-book/sec-acl-named.pdf

46.In an ISE 1.3 environment which two remediation types are supported on the NAC agent for Macintosh? (Choose two.) A. antivirus remediation (manual) B. link remediation (automatic) C. link remediation (manual) D. antivirus remediation (automatic) E. antispyware remediation (manual) Answer: CD Explanation: Reference: https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/www.cisco.com/content/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_pos_pol.html.xml&platform=Cisco Identity Services Engine

47.Which characteristic of static SGT classification is true? A. uses MAB B. maps a tag to an IP address C. maps a tag to a MAC address D. uses web authentication Answer: B Explanation: Reference: https://www.cisco.com/c/dam/en/us/solutions/collateral/borderlessnetworks/trustsec/C07-730151-00_overview_of_trustSec_og.pdf

48.Which two endpoint operating systems are supported during BYOD onboarding? (Choose two.) A. Red Hat Enterprise Linux B. BlackBerry C. Nook D. Microsoft Windows E. Android Answer: DE Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01111.pdf

49.Which WLC debug command would be used to troubleshoot authentication issues on an 802.1X enabled WLAN? A. debug dot11 aaa manager all B. debug wps mfp lwapp C. debug dot11 state D. debug dot1x events Answer: D

50.A network administrator found that the IP device tracking table on a switch is not getting updated when the client has a static IP address, but if the address is from DHCP, the table is getting updated. Which description of the cause of this issue is true? A. The switch code must be upgraded. B. IP device tracking is not configured properly C. ARP inspection is on and there is no ARP ACL for static clients D. IP device tracking does not work with statically assigned IP addresses Answer: C

51.Which two types of web portals are related to guest services? (Choose two.) A. limited access portal B. sponsor portal C. guest services portal D. user portal E. admin portal Answer: BE

52.Which ISE deployment mode is similar to the industry standard 802.1X behavior? A. policy mode B. monitor mode C. closed mode D. low-impact mode Answer: C

53.Refer to the exhibit.

Which ISE flow mode does this diagram represent? A. closed mode B. low-impact mode C. application mode D. monitor mode Answer: A

54.Which action is a Cisco recommended practice while attempting to increase efficiency on the monitoring nodes? A. Back up data and transfer to a remote repository on a regular basis B. Remove endpoints when not active. C. Re-index the data on a regular basis. D. Compress the data regularly Answer: A Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_011001.html

55.Which action do you take to restrict network access for endpoints that are not posture compliant? A. Configure a dACL on the NAD. B. Configure client provisioning services on the Cisco ISE Server. C. Assign a dynamic VLAN on the NAD. D. Define the policy by configuring a standard profile. Answer: B

56.A Cisco ISE deployment wants to use Active Directory as an external identity source. Which technology is a prerequisite to configure ISE/Active Directory integration? A. WINS B. NTP C. PTP D. CHAP Answer: B Explanation: Reference: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_8DC463597A644A5C9CF5D582B77BB24F

57.An engineer has created a redirect ACL to forward traffic to Cisco ISE. Which TCP port is used for the guest portal on ISE? A. 8080 B. 443 C. 8021 D. 8443 Answer: D Explanation: Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-servicesengine/115732-central-web-auth-00.html

58.In an ISE 1.3 environment, which path does a network engineer use to set up a self-registered guest portal? A. Guest Access > Configure > Guest Portals B. Security > Access Control Lists > Guest Portals C. Policy > Settings > Guest Portals D. Policy > Authorization > Guest Portals Answer: A Explanation: Reference: https://www.cisco.com/c/en/us/support/docs/security/identity-servicesengine/118742-configure-ise-00.html

59.What is the first step for configuring Cisco ISE for the onboarding process? A. Configure the default action that must be taken when an unsupported device attempts to connect and cannot be provisioned B. Create the native supplicant profile that is sent to the end user device. C. Configure different web portals based on a number of attributes available from the authentication request D. Configure the action that is taken when an unsupported device attempts to connect to a secure network Answer: B Explanation: Reference: CCNP Security SISAS 300-208 Official Cert Guide By Aaron T. Woland, Christoffer Heffner, Kevin Redmon page 557

60.What are two functions of Diagnostic tool? (Choose two.) A. enable B. network down C. TCP dump D. Execute network device command Answer: C, D

61.What are Supplicant and Authentication server that support EAP Chaining? A. Cisco Anyconnect NAM B. ACS C. ISE D. NFL Answer: C

62.Which RADIUS attribute can be used to dynamically assign the inactivity active timer for MAB users from Cisco ISE node? A. Idle-timeout attribute B. Session-timeout attribute C. Radius-server timeout D. Termination-action attribute Answer: A

63.If the user is in a non-compliant state and wants to get out of quarantine, what must be done? A. download posture B. download profiling C. download mab D. download web agent Answer: A

64.You are finding that the 802.1X-configured ports are going into the error-disable state. Which command will show you the reason why the port is in the error-disable state, and which command will automatically be re-enabled after a specific amount of time? (Choose two.) A. show error-disable status B. show error-disable recovery C. show error-disable flap-status D. error-disable recovery cause security-violation E. error-disable recovery cause dot1x F. error-disable recovery cause l2ptguard Answer: B, D

65.Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly? A. Control Plane Protection B. Management Plane Protection C. CPU and memory thresholding D. SNMPv3 Answer: C

66.Which Cisco IOS IPS feature allows you to remove one or more actions from all active signatures based on the attacker and/or target address criteria, as well as the event risk rating criteria? A. signature event action filters B. signature event action overrides C. signature attack severity rating D. signature event risk rating Answer: A

67.Which action does the command private-vlan association 100,200 take? A. configures VLANs 100 and 200 and associates them as a community B. associates VLANs 100 and 200 with the primary VLAN C. creates two private VLANs with the designation of VLAN 100 and VLAN 200 D. assigns VLANs 100 and 200 as an association of private VLANs Answer: B

68.Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually? A. event action summarization B. event action filter C. event action override D. signature event action processor Answer: C

69.Which two are technologies that secure the control plane of the Cisco router? (Choose two.) A. Cisco IOS Flexible Packet Matching B. uRPF C. routing protocol authentication D. CPPr E. BPDU protection F. role-based access control Answer: C, D


70.What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst switch? A. enables the switch to operate as the 802.1X supplicant B. globally enables 802.1X on the switch C. globally enables 802.1X and defines ports as 802.1X-capable D. places the configuration sub-mode into dot1x-auth mode, in which you can identify the authentication server parameters Answer: B

71.Cisco IOS IPS uses which alerting protocol with a pull mechanism for getting IPS alerts to the network management application? A. HTTPS B. SMTP C. SNMP D. syslog E. SDEE F. POP3 Answer: E

72.When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updates from being installed on the router? A. configure authentication and authorization for maintaining signature updates B. install a known RSA public key that correlates to a private key used by Cisco C. manually import signature updates from Cisco to a secure server, and then transfer files from the secure server to the router D. use the SDEE protocol for all signature updates from a known secure management station Answer: B

73.When is it most appropriate to choose IPS functionality based on Cisco IOS software? A. when traffic rates are low and a complete signature is not required B. when accelerated, integrated performance is required using hardware ASIC-based IPS inspections C. when integrated policy virtualization is required D. when promiscuous inspection meets security requirements Answer: A


74.Which Cisco IOS IPS risk rating component uses a low value of 75, a medium value of 100, a high value of 150, and a mission-critical value of 200? A. Signature Fidelity Rating B. Attack Severity Rating C. Target Value Rating D. Attack Relevancy Rating E. Promiscuous Delta F. Watch List Rating Answer: C

75.Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.) A. DHCP snooping B. DoS C. confidentiality breach D. spoofed MAC addresses E. switch ports being converted to an untrusted state Answer: B, C

76.When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned? A. It is calculated from the Event Risk Rating. B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating C. It is manually set by the administrator. D. It is set based upon SEAP functions. Answer: C

77.When performing NAT, which of these is a limitation you need to account for? A. exhaustion of port number translations B. embedded IP addresses C. security payload identifiers D. inability to provide mutual connectivity to networks with overlapping address spaces Answer: B

78.Which two answers are potential results of an attacker that is performing a DHCP server spoofing attack? (Choose two.) A. ability to selectively change DHCP options fields of the current DHCP server, such as the giaddr field. B. DoS C. excessive number of DHCP discovery requests D. ARP cache poisoning on the router E. client unable to access network resources Answer: B, E

79.When configuring NAT, which three protocols that are shown may have limitations or complications when using NAT? (Choose three.) A. Kerberos B. HTTPS C. NTP D. SIP E. FTP F. SQL Answer: A, D, E

80.Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it has been successfully compiled? A. retired B. disabled C. unsupported D. inactive Answer: B

81.Which statement best describes inside policy based NAT? A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints. C. These rules use source addresses as the decision for translation policies. D. These rules are sensitive to all communicating endpoints. Answer: A

82.When is it feasible for a port to be both a guest VLAN and a restricted VLAN? A. this configuration scenario is never implemented B. when you have configured the port for promiscuous mode C. when private VLANs have been configured to place each end device into different subnets D. when you want to allow both types of users the same services Answer: D

83.In an 802.1X environment, which feature allows for non-802.1X-supported devices such as printers and fax machines to authenticate? A. multiauth B. WebAuth C. MAB D. 802.1X guest VLAN Answer: C

84.Which three of these are features of data plane security on a Cisco ISR? (Choose three.) A. Routing protocol filtering B. FPM C. uRPF D. RBAC E. CPPr F. Netflow export Answer: B, C, F

85.When you are configuring DHCP snooping, how should you classify access ports? A. untrusted B. trusted C. promiscuous D. private Answer: A

86.When 802.1X is implemented, how do the client (supplicant) and authenticator communicate? A. RADIUS B. TACACS+ C. MAB D. EAPOL Answer: D

87.When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed? A. They are stored in the router's event store and will allow authenticated remote systems to pull events from the event store. B. All events are immediately sent to the remote SDEE server. C. Events are sent via syslog over a secure SSL/TLS communications channel. D. When the event store reaches its maximum configured number of event notifications, the stored events are sent via SDEE to a remote authenticated server and a new event store is created Answer: A

88.What is the SGT assignment when authentication is not available or SGT method for non-authenticating devices? A. dynamic B. static C. SXP D. Default Answer: A

89.You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues? A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints B. ping the tunnel endpoint C. run a traceroute to verify the tunnel path D. debug the connection process and look for any error messages in tunnel establishment Answer: B

90.When configuring the Auto Update feature for Cisco IOS IPS, what is a recommended best practice? A. Synchronize the router's clock to the PC before configuring Auto Update. B. Clear the router's flash of unused signature files. C. Enable anonymous TFTP downloads from Cisco.com and specify the download frequency. D. Create the appropriate directory on the router's flash memory to store the download signature files. E. Download the realm-cisco.pub.key file and update the public key stored on the router. Answer: A


91.Which three statements about Windows Server Update Services remediation are true? A. WSUS can install the latest service pack available B. WSUS checks for automatic update configuration on Windows C. WSUS checks for client behavior anomalies D. WSUS remediates Windows client from a locally managed WSUS server E. WSUS remediates Windows client from a Microsoft managed WSUS server F. WSUS provides links to update AV/AS Answer: A, D, E

92.An engineer wants to allow dynamic VLAN assignment from ISE. What must be configured on the switch? A. DTP B. VTP C. AAA authentication D. AAA authorization Answer: D

93.Which two components are required for creating native supplicant profile? (Choose two.) A. Operating System B. Connection type wired/wireless C. Ios Sutten D. BYOD Answer: A, B

94.An engineer wants to migrate an 802.1X deployment phase from Open to low impact mode. Which option should she select? A. Ingress access list applied to the interface B. Authentication host mode to multiple domain C. Open authentication to the domain D. Authentication host mode to multiple authentication Answer: A

95.A security engineer has configured a switch port in x closed mode. Which protocol is allowed to pass? A. HTTP B. EAPOL C. Bootps D. ARP E. PXE Answer: B

96.Which NAC agents support remediation? (Choose three.) A. Windows NAC B. Windows web-based NAC C. MAC NAC D. MAC web-based NAC Answer: ABC

97.The 2960-X switch has the configuration below: (sw-if)# switchport mode access (sw-if)# authentication port-control auto (sw-if)# dot1x pae authenticator After you connected an unmanaged switch to the port, dot1x failed. What is the problem? A. missing command "mab" B. there is no Bpdu in the port C. eapol packet not received in the port D. missing command "authentication host-mode multi-host" E. missing command "authentication host-mode multi-auth" Answer: A

98.The posture run-time services encapsulates which protocol services, and all the interactions that happen between the NAC Agents? A. SWISS B. MAB C. DOT1X D. DEFAULT Answer: A

99.Which protocol provides the real time request to the service running on the CA? A. DOS B. FILE C. MAB D. OCSP Answer: D


100.What are the two values Cisco recommends that you configure and test when deploying MAB 802.1x? (Choose two.) A. supp-timeout B. server-timeout C. max-req D. max-reauth-req E. tx-period Answer: B, D

