210-260 Dumps 210-260 Exam Questions 210-260 New Questions 210-260 PDF 210-260 VCE Cisco

[2017 New] 210-260 New Questions Free Download In Lead2pass (141-160)

2017 July Cisco Official New Released 210-260 Dumps in Lead2pass.com!

100% Free Download! 100% Pass Guaranteed!

The Cisco 210-260 PDF, 210-260 VCE and 210-260 exam questions and answers at Lead2pass are written and prepared by Cisco affiliated trainers and lecturers with decades of experience in the IT field. This ensures that you are equipped with the latest and most current information to give you a better chance of passing the Cisco 210-260 exam.

Following questions and answers are all new published by Cisco Official Exam Center: https://www.lead2pass.com/210-260.html

QUESTION 141
Which two next-generation encryption algorithms does Cisco recommends? (Choose two)

A.    SHA-384
B.    MD5
C.    DH-1024
D.    DES
E.    AES
F.    3DES

Answer: AE
Explanation:
From Cisco documentation:
A. SHA-384 – YES
B. MD5 – NO
C. DH-1024 – NO
D. DES – NO
E. AES – YES (CBC, or GCM modes)
F. 3DES – Legacy

QUESTION 142
When an administrator initiates a device wipe command from the ISE, what is the immediate effect?

A.    It requests the administrator to choose between erasing all device data or only managed corporate data.
B.    It requests the administrator to enter the device PIN or password before proceeding with the operation
C.    It immediately erases all data on the device.
D.    It notifies the device user and proceeds with the erase operation

Answer: A

QUESTION 143
How does a device on a network using ISE receive its digital certificate during the new-device registration process?

A.    ISE acts as a SCEP proxy to enable the device to receive a certificate from a central CA server
B.    The device request a new certificate directly from a central CA
C.    ISE issues a pre-defined certificate from a local database
D.    ISE issues a certificate from its internal CA server.

Answer: A
Explanation:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide.pdf

QUESTION 144
How can you detect a false negative on an IPS?

A.    View the alert on the IPS
B.    Use a third-party to audit the next-generation firewall rules
C.    Review the IPS console
D.    Review the IPS log
E.    Use a third-party system to perform penetration testing

Answer: E
Explanation:
Only penetration testing can confirm this. All the other options lead to inconclusive results and may still result in false negatives.

QUESTION 145
Which two statement about stateless firewalls is true? (Choose two)

A.    the Cisco ASA is implicitly stateless because it blocks all traffic by default.
B.    They compare the 5-tuple of each incoming packets against configurable rules.
C.    They cannot track connections..
D.    They are designed to work most efficiently with stateless protocols such as HTTP or HTTPS..
E.    Cisco IOS cannot implement them because the platform is Stateful by nature

Answer: BC
Explanation:
5-tuple is: source/destination IP, ports, and protocols. Stateless firewalls cannot track connections.

QUESTION 146
Which three ESP fields can be encrypted during transmission? (Choose three)

A.    Next Header
B.    MAC Address
C.    Padding
D.    Pad Length
E.    Sequence Number
F.    Security Parameter Index

Answer: ACD
Explanation:
The last encrypted part is the Payload Data. The unencrypted parts are the Security Parameter Index and the Sequence Number.

QUESTION 147
Which type of PVLAN port allows host in the same VLAN to communicate directly with the other?

A.    promiscuous for hosts in the PVLAN
B.    span for hosts in the PVLAN
C.    Community for hosts in the PVLAN
D.    isolated for hosts in the PVLAN

Answer: C
Explanation:
Hosts in the same PVLAN Community can communicate with one another.

QUESTION 148
Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show crypto isakamp sa command. What does the given output shows?

 

A.    IKE Phase 1 main mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
B.    IKE Phase 1 main mode has successfully negotiate between 10.1.1.5 and10.10.10.2
C.    IKE Phase 1 aggressive mode was created on 10.1.1.5, but it failed to negotiate with 10.10.10.2
D.    IKE Phase 1 aggressive mode was create on 10.1.1.5, but it failed to negotiate with 10.10.10.2

Answer: A
Explanation:
The MM_NO_STATE state indicates that the phase 1 policy does not match on both sides, therefore main mode failed to negotiate. Aggressive mode is indicated by AG instead of MM.

QUESTION 149
Refer to the exhibit while troubleshooting site-to-site VPN, you issued the show crypto isakamp sa command. What does the given output shows?

 

A.    IPSec Phase 2 established between 10.10.10.2 and 10.1.1.5
B.    IPSec Phase 1 established between 10.10.10.2 and 10.1.1.5
C.    IPSec Phase 2 is down due to a QM_IDLE state.
D.    IPSec Phase 1 is down due to a QM_IDLE state.

Answer: B
Explanation:
An IDLE state is good and means that the connection and key exchange have taken place successfully. QM indicates that the device is ready for phase 2 (quick mode) and subsequent data transfer.

QUESTION 150
Refer to the exhibit. You have configured R1 and R2 as shown, but the routers are unable to establish a site-to-site VPN tunnel. What action can you take to correct the problem?

 

A.    Edit the crypto keys on R1 and R2 to match.
B.    Edit the crypto isakmp key command on each router with the address value of its own interface
C.    Edit the ISAKMP policy sequence numbers on R1 and R2 to match.
D.    set a valid value for the crypto key lifetime on each router.

Answer: A
Explanation:
The crypto keys don’t match here. I’ve inferred and assumed that the destination address at the end of the “Crypto isakmp key test12345 address 10.30.30.5” line is the IP address of R1. By extension, this would produce an MM_NO_STATE state if you ran the “show crypto isakmp sa” command, as it would never connect to begin phase 1.

QUESTION 151
Refer to the exhibit. Which statement about the given configuration is true?

 

A.    The timeout command causes the device to move to the next server after 20 seconds of TACACS inactivity.
B.    The single-connection command causes the device to process one TACACS request and then move to the next server.
C.    The single-connection command causes the device to establish one connection for all TACACS transactions.
D.    The router communicates with the NAS on the default port, TCP 1645

Answer: C
Explanation:
In order for TACACS+ servers to fail over, they must be configured in a TACACS server group, which these are not, which eliminates A and B. D is incorrect.

QUESTION 152
Refer to the exhibit. What is the effect of the given command?

 

A.    It configure the network to use a different transform set between peers.
B.    It merges authentication and encryption methods to protect traffic that matches an ACL.
C.    It configures encryption for MD5 HMAC.
D.    It configures authentications as AES 256.

Answer: B
Explanation:
Because a transform set defines a method to encrypt traffic: esp-aes-256 and a method to authenticate: esp-md5-hmac

QUESTION 153
Refer to the exhibit. What are two effects of the given command? (Choose two.)

 

A.    It configures authentication to use AES 256.
B.    It configures authentication to use MD5 HMAC.
C.    It configures authorization use AES 256.
D.    It configures encryption to use MD5 HMAC.
E.    It configures encryption to use AES 256.

Answer: BE

QUESTION 154
What is a valid implicit permit rule for traffic that is traversing the ASA firewall?

A.    Unicast IPv6 traffic from a higher security interface to a lower security interface is permitted in transparent mode only
B.    Only BPDUs from a higher security interface to a lower security interface are permitted in routed mode.
C.    ARPs in both directions are permitted in transparent mode only
D.    Unicast IPv4 traffic from a higher security interface to a lower security interface is permitted in routed mode only
E.    Only BPDUs from a higher security interface to a lower security interface are permitted in transparent mode.

Answer: C
Explanation:
IPv4 and IPv6 traffic is permitted in both routed and transparent mode from higher to lower security interfaces.

QUESTION 155
You have been tasked with blocking user access to website that violate company policy, but the site use dynamic IP Addresses. What is the best practice URL filtering to solve the problem?

A.    Enable URL filtering and create a blacklist to block the websites that violate company policy.
B.    Enable URL filtering and create a whitelist to allow only the websites the company policy allow users to access.
C.    Enable URL filtering and use URL categorization to allow only the websites the company policy allow users to access
D.    Enable URL filtering and create a whitelist to block the websites that violate company policy.
E.    Enable URL filtering and use URL categorization to block the websites that violate company policy.

Answer: E
Explanation:
Categorization will catch a large number of related websites, regardless of the address or IP.

QUESTION 156
What is the potential drawback to leaving VLAN 1 as the native VLAN?

A.    Gratuitous ARPs might be able to conduct a man-in-the-middle attack.
B.    The CAM might be overloaded, effectively turning the switch into hub.
C.    VLAN 1 might be vulnerable to IP address spoofing
D.    It may be susceptible to a VLAN hopping attack

Answer: D

QUESTION 157
Refer to the exhibit. Which line in this configuration prevents the HelpDesk user from modifying the interface configuration?

 

A.    Privilege exec level 9 show configure terminal
B.    Privilege exec level 7show start-up
C.    Privilege exec level 10 interface
D.    Username HelpDesk privilege 6 password help

Answer: A

QUESTION 158
Which IPS mode provides the maximum number of actions?

A.    Inline
B.    bypass
C.    span
D.    failover
E.    promiscuous

Answer: A
Explanation:
Because IPS inline gets the live traffic as it’s passing through the network and can take direct action on the traffic if it detects any malicious activity. The actions are drop, block, TCP reset, shun, alert, log, modify.

QUESTION 159
In which three cases does the ASA firewall permit inbound HTTP GET requests during normal operations? (Choose three)

A.    When matching ACL entries are configured
B.    when matching NAT entries are configured
C.    When the firewall requires strict HTTP inspection
D.    When the firewall requires HTTP inspection
E.    When the firewall receives a SYN-ACK packet
F.    When the firewall receives a SYN packet

Answer: ABE

QUESTION 160
Which technology can be used to rate data fidelity and to provide an authenticated hash for data?

A.    Network blocking
B.    signature updates
C.    file analysis
D.    file reputation

Answer: D

Lead2pass guarantees your 210-260 exam success with our exam resources. Our 210-260 braindumps are the latest and developed by experienced IT certification professionals working in today’s prospering companies and data centers. All our 210-260 braindumps include 210-260 real exam questions which guarantee your 100% success of 210-260 exam in your first try.

210-260 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDRVJLdVdkMjFoQVk

2017 Cisco 210-260 exam dumps (All 265 Q&As) from Lead2pass:

https://www.lead2pass.com/210-260.html [100% Exam Pass Guaranteed]