Chapter 0 - General 650-554 Questions Flashcards Preview


When looking at this console message, what does the 5 in "SYS-5-CONFIG" stand for?

Feb 1 10:1208 PST: %SYS-5-CONFIG_I: Configured from console by vty0 (

The 5 means this is a level 5 notification message. The syslog severity levels are:

0 - Emergency
1 - Alert
2 - Critical
3 - Error
4 - Warning
5 - Notification
6 - Informational
7 - Debugging


What is referred to in a "bootset"?

The combination of the IOS image and configuration file (startup config) is a bootset.


What does DSCP mean?

Differentiated Services Code Point (DSCP) is a field in an IP packet that enables different levels of service to be assigned to network traffic. This is achieved by marking each packet on the network with a DSCP code and applying the corresponding level of service to it.


What does "EF" stand for in DSCP EF?

The Expedited Forwarding (EF) model is used to provide resources to latency (delay) sensitive real-time, interactive traffic.

The EF model uses one marking: DSCP 46.


What is a class-map used for?

The class-map command defines a named object representing a class of traffic, specifying the packet-matching criteria that identify packets belonging to this class.

hostname(config)# access-list tcp_traffic permit tcp any any
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match access-list tcp_traffic

After a traffic class is applied to an interface, packets received on that interface are compared to the criteria defined by the match statements in the class map. If the packet matches the specified criteria, it is included in the traffic class and is subjected to any actions associated with that traffic class. Packets that do not match any of the criteria in any traffic class are assigned to the default traffic class.


What are the "traditional" pieces of a QoS strategy?

• Defining traffic classes (class-map command).

• Associating policies and actions with each class of traffic (policy-map command).

• Attaching policies to logical or physical interfaces (service-policy command).


What is a policy-map used for?

The policy-map command defines a named object that represents a set of policies to be applied to a set of traffic classes. An example of such a policy is policing the traffic class to some maximum rate. For example:

hostname(config)# policy-map qos_policy
hostname(config-pmap)# class voip_traffic
hostname(config-pmap-c)# priority

This policy-map would place all traffic identified by the voip_traffic class into the low-latency queue (LLQ), which has priority over all other traffic.

What does a service-policy do?

The service-policy command attaches a policy-map and its associated policies to a target, named interface.

hostname(config)# service-policy policy-map-name interface outside

IMPORTANT: if you are differentiating between priority traffic and best-effort traffic, you must define a low-latency queue (priority-queue command) on each named, physical interface transmitting prioritized traffic.

hostname(config)# priority-queue interface

Only one interface policy-map can be applied to an interface at any one time.


How would you use a class-map to identify traffic on multiple ports?

The following commands show how to use an access list to identify multiple TCP ports:

hostname(config)# access-list interesting_traffic permit tcp any any eq 23
hostname(config)# access-list interesting_traffic permit tcp any any eq 80
hostname(config)# class-map telnet_web_traffic
hostname(config-cmap)# match access-list interesting_traffic


How are Cisco Configuration Professional and Cisco Security Manager different?

CCP - Free / used only for routers and switches

CSM - Enterprise-level configuration tool used to manage most Cisco products (paid software)


What are the 4 main features of TACACS+ you need to know?

Uses port TCP 49

Encrypts entire packet payload

Separates AAA functions

Cisco proprietary


What are some key things to know about RADIUS?

Combines authentication and authorization functions

Has no option to authorize router commands

Uses UDP ports 1645 or 1812

Is an open standard (not proprietary)

Encrypts only the password in the Access-Request packet.


How can stored passwords hashed by MD5 be saved more securely?

By using a technique known as salting.
</grreplace>
<gr_replace lines="147-155" cat="reformat" orig="1.">
1. enable

2. configure terminal

3. secure boot-image

4. secure boot-config

To view: show secure bootset

We can randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing. This makes the same password hash into a completely different string every time. To check if a password is correct, we need the salt, so it is usually stored in the user account database along with the hash, or as part of the hash string itself.

The salt does not need to be secret. Just by randomizing the hashes, lookup tables, reverse lookup tables, and rainbow tables become ineffective. An attacker won't know in advance what the salt will be, so they can't pre-compute a lookup table or rainbow table.


How do you enable IOS image resilience on a Cisco router?

1.    enable

2.    configure terminal

3.    secure boot-image

4.    secure boot-config

to view: show secure bootset

The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash).


What is Perfect Forward Secrecy?

Perfect Forward Secrecy (PFS) is a data encoding property that ensures the integrity of a session key in the event that a long-term key is compromised. PFS accomplishes this by enforcing the derivation of a new key for each and every session.


What should be the first thing you think of when you see Rivest-Shamir-Adleman?

Digital Signatures


What is the foundation of Cisco's Self-Defending Network technology?

Secure Network Platform


What router management feature provides the ability to configure multiple administrative views?

Role-based CLI


What is the most basic way to describe what Diffie-Hellman actually does?

It provides a way for two peers to establish a shared secret key, which only they know, even though they are communicating over an insecure channel.


Which 3 applications comprise Cisco Security Manager (CSM)?

Configuration Manager

Event Viewer

Report Manager


Which IOS command will verify authentication between a router and an AAA server?

test aaa group


Which two IPsec protocols are used to protect data in motion?

ESP - Encapsulating Security Payload Protocol

AH - Authentication Header Protocol


What protocol number does Authentication Header (AH) operate on?

Protocol number 51


What protocol number does Encapsulating Security Payload (ESP) operate on?

Protocol number 50


What is IP Source Guard used for?

IP Source Guard is a security feature that restricts IP traffic on untrusted Layer 2 ports by filtering traffic based on the DHCP snooping binding database or manually configured IP source bindings.

This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host.


What is IP Cisco Express Forwarding (CEF)?

Cisco Express Forwarding (CEF) is an advanced Layer 3 switching technology inside a router. It is the fastest method by which a Cisco router forwards packets from ingress to egress interfaces.

The ip cef command enables CEF globally, and the ip route-cache cef command enables CEF on an interface.