[Lead2pass Official] 2017 Updated Lead2pass Cisco 210-260 Exam Questions (241-260)

2017 September Cisco Official New Released 210-260 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

Whether you are a student attempting to pass 210-260 exam to be eligible for a post-graduate job, or a working professional hoping to improve your work credentials and earn that dream promotion Lead2pass is here to help. We have 210-260 exam dumps and brain dumps, so passing 210-260 exam is not an easy feat.

Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/210-260.html

QUESTION 241
Which privileged level is … by default? for user exec mode

A.    0
B.    1
C.    2
D.    5
E.    15

Answer: B
Explanation:
User EXEC mode commands are privilege level 1
Privileged EXEC mode and configuration mode commands are privilege level 15.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfpass.html

QUESTION 242
When is “Deny all” policy an exception in Zone Based Firewall

A.    traffic traverses 2 interfaces in same zone
B.    traffic sources from router via self zone
C.    traffic terminates on router via self zone
D.    traffic traverses 2 interfaces in different zones
E.    traffic terminates on router via self zone

Answer: A
Explanation:
+ There is a default zone, called the self zone, which is a logical zone. For any packets directed to the router directly (the destination IP represents the packet is for the router), the router automatically considers that traffic to be entering the self zone. In addition, any traffic initiated by the router is considered as leaving the self zone.
By default, any traffic to or from the self zone is allowed, but you can change this policy.
+ For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones.
+ For interfaces that are members of the same zone, all traffic is permitted by default.

QUESTION 243
Cisco Resilient Configuration Feature:

A.    Required additional space to store IOS image file
B.    Remote storage required to save IOS image
C.    Can be disabled …remote session
D.    Automatically detects image or config.version missmatch

Answer: D
Explanation:
The following factors were considered in the design of Cisco IOS Resilient Configuration:
+ The configuration file in the primary bootset is a copy of the running configuration that was in the router when the feature was first enabled.
+ The feature secures the smallest working set of files to preserve persistent storage space. No extra space is required to secure the primary Cisco IOS image file.
+ The feature automatically detects image or configuration version mismatch .
+ Only local storage is used for securing files, eliminating scalability maintenance challenges from storing multiple images and configurations on TFTP servers.
+ The feature can be disabled only through a console session http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_cfg/configuration/15-mt/sec-usr-cfg-15-mt-book/sec-resil-config.html

QUESTION 244
What are the two characteristics of IPS?

A.    Can drop traffic
B.    Does not add delay to traffic
C.    It is cabled directly inline
D.    Can`t drop packets on its own

Answer: AC
Explanation:
+ Position in the network flow: Directly inline with the flow of network traffic and every packet goes through the sensor on its way through the network.
+ Mode: Inline mode
+ The IPS can drop the packet on its own because it is inline. The IPS can also request assistance from another device to block future packets just as the IDS does.

QUESTION 245
What can cause the state table of a stateful firewall to update? (choose two)

A.    when connection is created
B.    connection timer expired within state table
C.    when packet is evaluated against the inbound access list and is …
D.    outbound packets forwarded to inbound interface
E.    when rate limiting is applied

Answer: AB
Explanation:
Stateful inspection monitors incoming and outgoing packets over time, as well as the state of the connection, and stores the data in dynamic state tables. This cumulative data is evaluated, so that filtering decisions would not only be based on administrator-defined rules, but also on context that has been built by previous connections as well as previous packets belonging to the same connection.
Entries are created only for TCP connections or UDP streams that satisfy a defined security policy.
In order to prevent the state table from filling up, sessions will time out if no traffic has passed for a certain period. These stale connections are removed from the state table.
https://en.wikipedia.org/wiki/Stateful_firewall

QUESTION 246
What IPSec mode is used to encrypt traffic between client and server vpn endpoints?

A.    tunnel
B.    Trunk
C.    Aggregated
D.    Quick
E.    Transport

Answer: E
Explanation:
+ IPSec Transport mode is used for end-to-end communications, for example, for communication between a client and a server or between a workstation and a gateway (if the gateway is being treated as a host). A good example would be an encrypted Telnet or Remote Desktop session from a workstation to a server.
+ IPsec supports two encryption modes: Transport mode and Tunnel mode. Transport mode encrypts only the data portion (payload) of each packet and leaves the packet header untouched. Transport mode is applicable to either gateway or host implementations, and provides protection for upper layer protocols as well as selected IP header fields.
http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html http://www.cisco.com/c/en/us/td/docs/net_mgmt/vpn_solutions_center/2-0/ip_security/provisioning/guide/ IPsecPG1.html
Generic Routing Encapsulation (GRE) is often deployed with IPsec for several reasons, including the following:
+ IPsec Direct Encapsulation supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
+ IPmc is not supported with IPsec Direct Encapsulation. IPsec was created to be a security protocol between two and only two devices, so a service such as multicast is problematic. An IPsec peer encrypts a packet so that only one other IPsec peer can successfully perform the de-encryption. IPmc is not compatible with this mode of operation.
https://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f26a.pdf

QUESTION 247
Which command is used to verify VPN connection is operational (or something like that) ?

A.    crypto ipsec sa

Answer: A
Explanation:
#show crypto ipsec sa – This command shows IPsec SAs built between peers In the output you see
#pkts encaps: 345, #pkts encrypt: 345, #pkts digest 0
#pkts decaps: 366, #pkts decrypt: 366, #pkts verify 0
which means packets are encrypted and decrypted by the IPsec peer.
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#ipsec_sa

QUESTION 248
What is the command to authenticate an NTP time source? (something in those lines)

A.    #ntp authentication-key 1 md5 141411050D 7
B.    #ntp authenticate
C.    #ntp trusted-key 1
D.    #ntp trusted-key 1

Answer: B
Explanation:
The command “ntp authenticate” authenticates the time source.
The command “ntp authentication-key” is the authentication key for trusted time sources.
See the following from a live router:
R1(config)# ntp ?
  access-group            Control NTP access
  allow                      Allow processing of packets
  authenticate             Authenticate time sources
  authentication-key      Authentication key for trusted time sources

QUESTION 249
How can you allow bidirational traffic? (something in those lines)

A.    static NAT
B.    dynamic NAT
C.    dynamic PAT
D.    multi-NAT

Answer: A
Explanation:
Bidirectional initiation–Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_overview.html

QUESTION 250
Which option is the default value for the Diffie–Hellman group when configuring a site-to-site VPN on an ASA device?

A.    Group 1
B.    Group 2
C.    Group 7
D.    Group 5

Answer: B

QUESTION 251
What two devices are components of the BYOD architecture framework? (Choose two)

A.    Identity Service Engine
B.    Cisco 3845 Router
C.    Wireless Access Points
D.    Nexus 7010 Switch
E.    Prime Infrastructure

Answer: AE

QUESTION 252
Where does the Datacenter operate?

 

A.    Distribution
B.    Access
C.    Core

Answer: A

QUESTION 253
Which option is the cloud based security service from Cisco that provides URL filtering web browsing content security, and roaming user protection?

A.    Cloud web security
B.    Cloud web Protection
C.    Cloud web Service
D.    Cloud advanced malware protection

Answer: A

QUESTION 254
Which product can be used to provide application layer protection for TCP port 25 traffic?

A.    ESA
B.    CWS
C.    WSA
D.    ASA

Answer: A

QUESTION 255
What is the actual IOS privilege level of User Exec mode?

A.    1
B.    0
C.    5
D.    15

Answer: A
Explanation:
By default, the Cisco IOS software command-line interface (CLI) has two levels of access to commands: user EXEC mode (level 1) and privileged EXEC mode (level 15). However, you can configure additional levels of access to commands, called privilege levels, to meet the needs of your users while protecting the system from unauthorized access. Up to 16 privilege levels can be configured, from level 0, which is the most restricted level, to level 15, which is the least restricted level.
http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfpass.html

QUESTION 256
What two actions would the zone base firewall when looking at the traffic?

A.    drop
B.    inspect
C.    forward

Answer: AB

QUESTION 257
What you called a person who hacks the system with script but instead of writing own script, the person uses existing script?

A.    script kiddy
B.    white hat hacker
C.    phreaker
D.    hacktivist

Answer: A

QUESTION 258
Regarding PVLAN diagram question:

Switch was in VLAN 300
Isolated Host 1 on VLAN 301
Host 2 and Host 4 on VLAN 303 or something (Community PVLAN)

Server is connected to Switch.
All host connects to switch.

A.    Host 2 (Host is part of community PVLAN).
B.    Other devices on VLAN XXX (VLAN were isolated host is connected, in my case it was Host 1).
C.    Server
D.    Host 4 (Host is part of community PVLAN)

Answer: C
Explanation:
Host 3 is not part of anyh PVLAN. It is also connected to switch.
So, Host 3 was not an option otherwise it could also be an answer.

QUESTION 259
Nat (inside,outside) dynamic interface

A.    static PAT
B.    static NAT
C.    dynamic PAT
D.    dynamic NAT

Answer: C
Explanation:
Configuring Dynamic NAT
nat (inside,outside) dynamic my-range-obj
Configuring Dynamic PAT (Hide)
nat (inside,outside) dynamic interface
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/nat_objects.html

QUESTION 260
Which two characteristics of an application layer firewall are true? (Choose two)

A.    provides reverse proxy services
B.    is immune to URL manupulation
C.    provides protection for multiple applications
D.    provide statefull firewall security
E.    has low processor usage

Answer: AC

Your focus should be getting the best dumps to prepare for 210-260 exam. That is where Lead2pass comes in. We have collected an extensive library of exam dumps from Cisco certification.

210-260 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDYUk3WWFWOEhsSU0

2017 Cisco 210-260 exam dumps (All 362 Q&As) from Lead2pass:

https://www.lead2pass.com/210-260.html [100% Exam Pass Guaranteed]