Question 131
Which attribute has the ability to change during the RADIUS CoA?
A. authorization
B. NTP
C. accessibility
D. membership
Question 132
An administrator configures new authorization policies within Cisco ISE and has difficulty profiling the devices. Attributes for the new Cisco IP phones that are profiled based on the RADIUS authentication are seen; however, the attributes for CDP or DHCP are not. What should the administrator do to address this issue?
A. Configure a service template within the switch to standardize the port configurations so that the correct information is sent to Cisco ISE.
B. Configure the ip dhcp snooping trust command on the DHCP interfaces to get the information to Cisco ISE.
C. Configure the authentication port-control auto feature within Cisco ISE to identify the devices that are trying to connect.
D. Configure the device sensor feature within the switch to send the appropriate protocol information.
Question 133
An organization deploys multiple Cisco FTD appliances and wants to manage them using one centralized solution. The organization does not have a local VM but does have existing Cisco ASA that must migrate over to Cisco FTDs. Which solution meets the needs of the organization?
A. Cisco FMC
B. CDO
C. CSM
D. Cisco FDM
Question 134
What is a benefit of using telemetry over SNMP to configure new routers for monitoring purposes?
A. Telemetry uses push and pull, which makes it more secure than SNMP.
B. Telemetry uses push and pull, which makes it more scalable than SNMP.
C. Telemetry uses a push method, which makes it faster than SNMP. Most Voted
D. Telemetry uses a pull method, which makes it more reliable than SNMP.
Question 135
Refer to the exhibit. A network engineer is testing NTP authentication and realizes that any device synchronizes time with this router and that NTP authentication is not enforced. What is the cause of this issue?
A. The hashing algorithm that was used was MD5, which is unsupported.
B. The key was configured in plain text.
C. NTP authentication is not enabled.
D. The router was not rebooted after the NTP configuration updated.
Question 136
An engineer has been tasked with configuring a Cisco FTD to analyze protocol fields and detect anomalies in the traffic from industrial systems. What must be done to meet these requirements?
A. Enable traffic analysis in the Cisco FTD.
B. Implement pre-filter policies for the CIP preprocessor.
C. Configure intrusion rules for the DNP3 preprocessor. Most Voted
D. Modify the access control policy to trust the industrial traffic.
Question 137
An organization uses Cisco FMC to centrally manage multiple Cisco FTD devices. The default management port conflicts with other communications on the network and must be changed. What must be done to ensure that all devices can communicate together?
A. Change the management port on Cisco FMC so that it pushes the change to all managed Cisco FTD devices.
B. Set the sftunnel port to 8305.
C. Manually change the management port on Cisco FMC and all managed Cisco FTD devices.
D. Set the sftunnel to go through the Cisco FTD.
Question 138
An administrator is establishing a new site-to-site VPN connection on a Cisco IOS router. The organization needs to ensure that the ISAKMP key on the hub is used only for terminating traffic from the IP address of 172.19.20.24. Which command on the hub will allow the administrator to accomplish this?
A. crypto isakmp identity address 172.19.20.24
B. crypto ca identity 172.19.20.24
C. crypto enrollment peer address 172.19.20.24
D. crypto isakmp key Cisco0123456789 172.19.20.24
Question 139
A Cisco FTD engineer is creating a newIKEv2 policy called s2s00123456789 for their organization to allow additional protocols to terminate network devices with.They currently only have one policy established and need the new policy to be a backup in case some devices cannot support the stronger algorithms listed in the primary policy. What should be done in order to support this?
A. Change the encryption to AES* to support all AES algorithms in the primary policy.
B. Make the priority for the primary policy 10 and the new policy 1.
C. Change the integrity algorithms to SHA* to support all SHA algorithms in the primary policy.
D. Make the priority for the new policy 5 and the primary policy 1.
Question 140
What is a functional difference between a Cisco ASA and Cisco IOS router with Zone-Based Policy Firewall?
A. The Cisco ASA can be configured for high availability, whereas the Cisco IOS router with Zone-Based Policy Firewall cannot.
B. The Cisco IOS router with Zone-Based Policy Firewall can be configured for high availability, whereas the Cisco ASA cannot.
C. The Cisco ASA denies all traffic by default, whereas the Cisco IOS router with Zone-Based Policy Firewall starts out by allowing all traffic, even on untrusted interfaces.
D. The Cisco IOS router with Zone-Based Policy Firewall denies all traffic by default, whereas Cisco ASA starts out by allowing traffic until rules are added.
