Which statement about extended access lists is true?
A. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the destination
B. Extended access lists perform filtering that is based on source and destination and are most effective when applied to the source
C. Extended access lists perform filtering that is based on destination and are most effective when applied to the source
D. Extended access lists perform filtering that is based on source and are most effective when applied to the destination
Explanation:
Standard ACL
1) Able to restrict, deny and filter packets by host IP or subnet only.
2) Best practice is to put the standard ACL restriction near the source host/subnet (interface inbound).
3) No protocol-based restriction (host IP only).
Extended ACL
1) More flexible than a standard ACL.
2) You can filter packets by host/subnet as well as by protocol/TCP port/UDP port.
3) Best practice is to put the restriction near the destination host/subnet (interface outbound).
QUESTION
How can you detect a false negative on an IPS?
A. View the alert on the IPS
B. Use a third party to audit the next-generation firewall rules
C. Review the IPS console
D. Review the IPS log
E. Use a third-party system to perform penetration testing
Answer: E
Explanation:
QUESTION
Which two statements about stateless firewalls are true? (Choose two)
A. The Cisco ASA is implicitly stateless because it blocks all traffic by default.
B. They compare the 5-tuple of each incoming packet against configurable rules.
C. They cannot track connections.
D. They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS.
E. Cisco IOS cannot implement them because the platform is stateful by nature.
Answer: BC
Explanation:
QUESTION
Which three ESP fields can be encrypted during transmission? (Choose three)
A. Next Header
B. MAC Address
C. Padding
D. Pad Length
E. Sequence Number
F. Security Parameter Index
Answer: ACD
Explanation:
QUESTION
Which type of PVLAN port allows hosts in the same VLAN to communicate directly with each other?
A. Promiscuous for hosts in the PVLAN
B. Span for hosts in the PVLAN
C. Community for hosts in the PVLAN
D. Isolated for hosts in the PVLAN
Answer: C
Explanation:
QUESTION
Refer to the exhibit. While troubleshooting a site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
A. IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
B. IKE Phase 1 main mode has successfully negotiated between 10.1.1.5 and 10.10.10.2
C. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
D. IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
Answer: A
Explanation:
QUESTION
Refer to the exhibit. While troubleshooting a site-to-site VPN, you issued the show crypto isakmp sa command. What does the given output show?
A. IPSec Phase 2 established between 10.10.10.2 and 10.1.1.5
B. IPSec Phase 1 established between 10.10.10.2 and 10.1.1.5
C. IPSec Phase 2 is down due to a QM_IDLE state.
D. IPSec Phase 1 is down due to a QM_IDLE state.
Answer: B
Explanation:
QUESTION
Refer to the exhibit. You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?
A. Edit the crypto keys on R1 and R2 to match.
B. Edit the crypto isakmp key command on each router with the address value of its own interface.
C. Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
D. Set a valid value for the crypto key lifetime on each router.
Answer: A
Explanation: