CCNA Security final exam

Questions from CCNA Final Exam.

Exam question unformated - http://dl.dropbox.com/u/61785248/SEC%20unformated.doc

1) The difference between CEF, FAST SWITCHING and PROCESS SWITCHING.
Process switching - very slow !
Router looks on destination IP address, compare it with routing table --> See what is the next hop address, then sends ARP --> change old MAC with the new one. Since now router change old source MAC address to itself address, and change destination address on next hop address.
The same situation is with every single packet.
The only fast mechanism in "process switching" is related with MAC cache table.

Fast switching
The same process like in "process switching", but only for first packet.
Router knows, that for this particular session everything gonna be the same, so only the first packet is checking.
Limitation and problems are related with ACLs and with the load sharing (packet load sharing), and of course the first packet have to be checked --> it takes time.

CEF - very fast
No ro table, separate FIB table and Adjacency table (with next hop IP and MAC addresses)
everything in cache.
------
Process switching requires the CPU to be personally involved with every forwarding decision.

Fast switching still uses the CPU, but after a packet has been forwarded, information about how to reach the destination is stored in a fast-switching cache.  This way, when another packet going to the same destination is seen, the next hop information can be re-used from the cache, so the processor doesn’t have to look up and assemble all the information again.  If the information is not cached, (for example a first packet for a given destination network) the CPU will have a similar workload, for that packet, as if fast switching was not in use.

Cisco Express Forwarding (CEF), is the evolution of optimizing the router to make it be able to forward more packets faster.  CEF cheats a little, by building a Forwarding Information Base (FIB), and an adjacency table.  The FIB is accessed very quickly based on how they built it (it is Cisco proprietary), and contains pre-computed reverse lookups, next hop information for routes including the interface and L2 information to use.  (All the stuff a router would have to consider when forwarding a packet).
------
In short:
- Process switching is like doing math, long hand. 
- Fast switching, using the cache, is like doing a problem once long hand, and subsequent problems you remember the answer for, (from memory, or the cache).
- CEF is like having programmed an excel spreadsheet, and when the numbers hit the cells, the answer is already calculated.

2) WebLaunch from AnyConnect Wizard

WebLaunch -

3) VPN Split tunneling
Without split tunneling, all IP traffic leaving the client’s machine goes through the tunnel to the ASA  (regardless of the destination), and if those resources being sought are not behind the ASA, the ASA also needs to be configured to NAT and redirect those requests out to the Internet.
A split tunnel addresses this issue by sending traffic down the VPN only if it is destined for specific networks located at the headquarter site. All other traffic is sent normally, outside the VPN.



3) CCP Easy VPN Server wizard
28. Which authentication method is available when specifying a method list for group policy lookup using the CCP Easy VPN Server wizard?
Active Directory
Kerberos
Certificate Authority
RADIUS
TACACS+




39. An administrator wants to prevent a rogue Layer 2 device from intercepting traffic from multiple VLANs on a network. Which two actions help mitigate this type of activity? (Choose two.)

+Disable DTP on ports that require trunking.
-Place unused active ports in an unused VLAN.
-Secure the native VLAN, VLAN 1, with encryption.
+Set the native VLAN on the trunk ports to an unused VLAN.
Turn off trunking on all trunk ports and manually configure each VLAN as required on each port.
 
---
 secure boot


---
The three security audit tools that are available include:
 - Security Audit wizard - a security audit feature provided through CCP. The Security Audit wizard provides a list of vulnerabilities and then allows the administrator to choose which potential security-related configuration changes to implement on a router.
----


Refer to the exhibit. Which option tab on the CCP screen is used to view the Top Threats table and deploy signatures associated with those threats?
Create IPS
Edit IPS
+Security Dashboard
IPS Sensor
IPS Migration

------

===[ FINAL SBA de repetat ]=== 
  line vty 5 15
login local
*---
CORP(config)#ntp update-calendar 
----
  • AAA authentication using the local database as the default for console line and vty lines access
CORP(config)# aaa new model
CORP(config)# aaa authentication login default local
CORP(config)# aaa authorization exec default local
CORP(config)# line vty 0 4
CORP(config-line)# login authentication default
CORP(config-line)# line vty 5 15
CORP(config-line)# login authentication default
CORP(config-line)# line con 0
CORP(config-line)# login authentication default
 ---
SW1(config)# interface fa0/24
SW1(config)# storm-control broadcast level 50
---
  • Enable BPDU guard on FastEthernet ports 0/1 to 0/23.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# spanning-tree portfast
SW1(config-if-range)# spanning-tree bpduguard enable
-----
  • Set the maximum number of learned MAC addresses to 2 on FastEthernet ports 0/1 to 0/23. Allow the MAC address to be learned dynamically and to shutdown the port if a violation occurs.
SW1(config)# interface range fa0/1-23
SW1(config-if-range)# switchport port-security
SW1(config-if-range)# switchport port-security maximum 2
SW1(config-if-range)# switchport port-security violation shutdown
SW1(config-if-range)# switchport port-security mac-address sticky
---
. Configure the IPS signature storage location to be flash:ipsdir.
CORP(config)# ip ips config location flash:ipsdir/ retries 1
---