Answer CCNA Security Chapter 4 Test – CCNAS v1.1


This post covers the questions and answers for the CCNA Security Chapter 4 Test. The questions shown here are based on CCNAS v1.1. All the answers have been verified to be 100% correct. I hope that all the questions and answers provided here will be a good guide and reference for all of us.

 

(Exhibit image: chapter 4 ccna security)

Refer to the exhibit. The ACL statement is the only one explicitly configured on the router. Based on this information, which two conclusions can be drawn regarding remote access network connections? (Choose two.)

SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.

Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are allowed.

SSH connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

Telnet connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.

SSH connections from the 192.168.1.0/24 network to the 192.168.2.0/24 network are blocked.

Telnet connections from the 192.168.2.0/24 network to the 192.168.1.0/24 network are allowed.

 

Which two are characteristics of ACLs? (Choose two.)

Extended ACLs can filter on destination TCP and UDP ports.

Standard ACLs can filter on source TCP and UDP ports.

Extended ACLs can filter on source and destination IP addresses.

Standard ACLs can filter on source and destination IP addresses.

Standard ACLs can filter on source and destination TCP and UDP ports.

 

Which zone-based policy firewall zone is system-defined and applies to traffic destined for the router or originating from the router?

self zone

system zone

local zone

inside zone

outside zone

 

(Exhibit image: chapter 4 ccna security)

Refer to the exhibit. If a hacker on the outside network sends an IP packet with source address 172.30.1.50, destination address 10.0.0.3, source port 23, and destination port 2447, what does the Cisco IOS firewall do with the packet?

The packet is forwarded, and an alert is generated.

The packet is forwarded, and no alert is generated.

The initial packet is dropped, but subsequent packets are forwarded.

The packet is dropped.

 

Which two parameters are tracked by CBAC for TCP traffic but not for UDP traffic? (Choose two.)

source port

protocol ID

sequence number

destination port

SYN and ACK flags

 

What is the first step in configuring a Cisco IOS zone-based policy firewall using the CLI? (The same question also appears worded as "via the CLI".)

Create zones.

Define traffic classes.

Define firewall policies.

Assign policy maps to zone pairs.

Assign router interfaces to zones.

 

Class maps identify traffic and traffic parameters for policy application based on which three criteria? (Choose three.)

access group

access class

policy map

protocol

interface pairs

subordinate class map

 

Which statement describes the characteristics of packet-filtering and stateful firewalls as they relate to the OSI model?

Both stateful and packet-filtering firewalls can filter at the application layer.

A stateful firewall can filter application layer information, while a packet-filtering firewall cannot filter beyond the network layer.

A packet-filtering firewall typically can filter up to the transport layer, while a stateful firewall can filter up to the session layer.

A packet-filtering firewall uses session layer information to track the state of a connection, while a stateful firewall uses application layer information to track the state of a connection.

 

For a stateful firewall, which information is stored in the stateful session flow table?

TCP control header and trailer information associated with a particular session

TCP SYN packets and the associated return ACK packets

inside private IP address and the translated inside global IP address

outbound and inbound access rules (ACL entries)

source and destination IP addresses, and port numbers and sequencing information associated with a particular session

 

What is a limitation of using object groups within an access control entry?

It is not possible to append additional objects to a preexisting object group.

It is not possible to delete an object group or make an object group empty if the object group is already applied to an ACE.

To append additional objects to a preexisting object group that is applied to an ACE, the original object group must be removed using the no object group command, and then recreated and reapplied to the ACE.

To append additional objects to a preexisting object group that is applied to an ACE, the access control list must be removed using the no access-list command, and then reapplied.

 

When using CCP to apply an ACL, the administrator received an informational message indicating that a rule was already associated with the designated interface in the designated direction. The administrator continued with the association by selecting the merge option. Which statement describes the effect of the option that was selected?

Two separate access rules were applied to the interface.

A new combined access rule was created using the new access rule number. Duplicate ACEs were removed.

A new combined access rule was created using the new access rule number. Duplicate ACEs and overriding ACEs were highlighted to allow the administrator to make adjustments.

The existing rule was placed in a preview pane to allow the administrator to select specific ACEs to move to the new access rule.

 

Which statement correctly describes how an ACL can be used with the access-class command to filter vty access to a router?

It is only possible to apply a standard ACL to the vty lines.

An extended ACL can be used to restrict vty access based on specific source addresses, destination addresses, and protocol.

An extended ACL can be used to restrict vty access based on specific source and destination addresses but not on protocol.

An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any.

 

To facilitate the troubleshooting process, which inbound ICMP message should be permitted on an outside interface?

echo request

echo reply

time-stamp request

time-stamp reply

router advertisement

 

Which command is used to activate an IPv6 ACL named ENG_ACL on an interface so that the router filters traffic prior to accessing the routing table?

access-group ipv6_ENG_ACL in

access-group ipv6_ENG_ACL out

ipv6 access-class ENG_ACL in

ipv6 access-class ENG_ACL out

ipv6 traffic-filter ENG_ACL in

ipv6 traffic-filter ENG_ACL out

 

Which statement describes a typical security policy for a DMZ firewall configuration?

Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with little or no restrictions.

Traffic that originates from the DMZ interface is permitted to traverse the firewall to the outside interface with little or no restrictions.

Traffic that originates from the DMZ interface is selectively permitted to the outside interface. (Similar question warning! Use this answer if it is available; otherwise use the other one.)

Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.

Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.

Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.

 

When configuring a Cisco IOS zone-based policy firewall, which two actions can be applied to a traffic class? (Choose two.)

log

hold

drop

inspect

copy

forward

 

(Exhibit image: chapter 4 ccna security)

Refer to the exhibit. Which statement describes the function of the ACEs?

These ACEs allow for IPv6 neighbor discovery traffic.

These ACEs must be manually added to the end of every IPv6 ACL to allow IPv6 routing to occur.

These ACEs automatically appear at the end of every IPv6 ACL to allow IPv6 routing to occur.

These are optional ACEs that can be added to the end of an IPv6 ACL to allow ICMP messages that are defined in object groups named nd-na and nd-ns.

 

When implementing an inbound Internet traffic ACL, what should be included to prevent the spoofing of internal networks?

ACEs to prevent HTTP traffic

ACEs to prevent ICMP traffic

ACEs to prevent SNMP traffic

ACEs to prevent broadcast address traffic

ACEs to prevent traffic from private address spaces
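The ACL points tested above (filtering vty access with access-class, the inbound ICMP message to permit on the outside interface, activating an IPv6 ACL with ipv6 traffic-filter, and anti-spoofing ACEs against private address spaces) collected into one Cisco IOS configuration. This is an added example and not configuration from the original post; the interface names, the internal network 203.0.113.0/24, the IPv6 host address and every ACL name other than ENG_ACL are assumed.

```cisco
! Added example (not from the original post). Assumed values: Serial0/0/0 is
! the outside interface, GigabitEthernet0/0 the inside interface, and
! 203.0.113.0/24 is the organisation's own internal network.
!
! Inbound Internet-traffic ACL: the anti-spoofing denies come first so that
! a packet claiming an internal or private source is dropped before any
! permit is evaluated.
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing: our own internal network can never be a source from outside
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark Anti-spoofing: RFC 1918 private address spaces
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark Loopback and broadcast sources are never legitimate from outside
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 remark Permit echo-reply so inside hosts can ping outward for troubleshooting
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 remark Everything else is dropped by the implicit deny at the end of the ACL
!
interface Serial0/0/0
 ip access-group OUTSIDE-IN in
!
! vty filtering with access-class: an extended ACL may match on source
! address and protocol, but the destination must be the keyword any.
ip access-list extended VTY-ACCESS
 permit tcp 203.0.113.0 0.0.0.255 any eq 22
 deny   ip any any log
!
line vty 0 4
 access-class VTY-ACCESS in
 transport input ssh
!
! IPv6: the ACL is activated on an interface with ipv6 traffic-filter, so the
! router filters the traffic before consulting the routing table.
ipv6 access-list ENG_ACL
 permit tcp any host 2001:DB8:1::10 eq 80
!
interface GigabitEthernet0/0
 ipv6 traffic-filter ENG_ACL in
```

Two details worth remembering when adapting this: the log keyword forces matching packets to be process switched, so it is best reserved for the anti-spoofing denies rather than added to every ACE; and every IPv6 ACL ends with implicit permits for neighbor discovery (nd-na and nd-ns) ahead of its implicit deny, so those ACEs do not need to be added by hand.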

 

Which statement describes one of the rules governing interface behavior in the context of implementing a zone-based policy firewall configuration?

An administrator can assign an interface to multiple security zones.

An administrator can assign interfaces to zones, regardless of whether the zone has been configured.

By default, traffic is allowed to flow among interfaces that are members of the same zone.

By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member.

 

(Exhibit image: chapter 4 ccna security)

Refer to the exhibit. Which statement is true about the effect of this Cisco IOS zone-based policy firewall configuration?

The firewall will automatically drop all HTTP, HTTPS, and FTP traffic.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0 to fa0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from fa0/0 to s0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0 to fa0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.

Another answer set [by Mr Jaya]

The firewall will automatically drop all HTTP, HTTPS, and FTP traffic.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0/0 to g0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from g0/0 to s0/0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0/0 to g0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

The firewall will automatically allow HTTP, HTTPS, and FTP traffic from g0/0 to s0/0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.
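The configuration order that the first-step question tests, and the inspect behaviour that the exhibit question above tests, written out as one complete Cisco IOS zone-based policy firewall. This is an added example and not the exhibit from the original post; the zone, class-map and policy-map names and the interfaces g0/0 (inside) and s0/0/0 (outside) are assumed.

```cisco
! Added example (not from the original post). Assumed: GigabitEthernet0/0 is
! the inside interface, Serial0/0/0 the outside interface; all names are
! illustrative.
!
! Step 1 - create the zones. The self zone is system-defined and is not
! created here; it covers traffic to and from the router itself.
zone security INSIDE
zone security OUTSIDE
!
! Step 2 - define the traffic class (match on protocol).
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol ftp
!
! Step 3 - define the firewall policy: inspect the class statefully, drop and
! log anything else in this direction.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Step 4 - create the unidirectional zone pair and attach the policy map.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Step 5 - assign the interfaces to their zones last, so no traffic is dropped
! while the policy is still incomplete.
interface GigabitEthernet0/0
 zone-member security INSIDE
!
interface Serial0/0/0
 zone-member security OUTSIDE
!
! Verification after the policy is live:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Because the only zone pair is INSIDE to OUTSIDE with the inspect action, return traffic for inspected HTTP, HTTPS and FTP sessions is permitted automatically and anything initiated from the outside toward the inside has no zone pair and is dropped. Traffic between two interfaces in the same zone passes by default, while traffic between a zone member and an interface that belongs to no zone is dropped, which is why every interface that must exchange traffic is placed into a zone.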

 

As I mentioned above, the answers given should be 100% correct. If you find an error, mistake or wrong answer that you have doubts about, please comment below to share the correct answer with all of us. Invisible Algorithm also appreciates any new questions or the latest version of any test that you might want to share with everyone. Do contact me for that purpose. Hopefully, everyone can benefit from what we share.

Credit: This CCNA Security Chapter 4 Test is a contribution of Xase. All credit goes to him.

 

New Questions Section – CCNA Security v1.2

 

[by Jose, Mr Jaya and TJ]

In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?

TCP/UDP source and destination port numbers

TCP/IP protocol numbers

IP source and destination addresses

Application layer protocol session information

 

[by Gilton]

Refer to the exhibit. Which Cisco IOS security feature is implemented on router FW?

classic firewall
reflexive ACL firewall
zone-based policy firewall
AAA access control firewall

 

[by Mar]

Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)

An interface can be assigned to multiple security zones.

Interfaces can be assigned to a zone before the zone is created.

Pass, inspect, and drop options can only be applied between two zones.

If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.

Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.

To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

 

When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?

process switching

autonomous switching

topology-based switching

optimum switching

 

[by Jaime]

When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)
log
copy
inspect
hold
drop
forward

 

[by Gabriel and Mr Jaya]

A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?

The internal interface ACL is reconfigured to allow the host IP address access to the Internet.

A dynamic ACL entry is added to the external interface in the inbound direction.

When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.

The entry remains in the state table after the session is terminated so that it can be reused by the host.

 

[by abu7ala1]

Refer to the exhibit. What is represented by the area marked as “A”?
DMZ
internal network
perimeter security boundary
trusted network
untrusted network

 

[by LB and Mike]

Which type of packet is unable to be filtered by an outbound ACL?

broadcast packet

router-generated packet

ICMP packet

multicast packet

 

[by Mr Jaya]

Which two parameters are tracked by a classic firewall for TCP traffic but not for UDP traffic? (Choose two.)

destination port

sequence number

source port

protocol ID

SYN and ACK flags

 

[by CCNAS Student]

What are two characteristics of ACLs? (Choose two.)

Standard ACLs can filter on source and destination IP addresses.

Standard ACLs can filter on source TCP and UDP ports.

Standard ACLs can filter on source and destination TCP and UDP ports

Extended ACLs can filter on source and destination IP addresses.

Extended ACLs can filter on destination TCP and UDP ports.

 

Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration?

An administrator can assign interfaces to zones, regardless of whether the zone has been configured.

By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member.

By default, traffic is allowed to flow among interfaces that are members of the same zone.

An administrator can assign an interface to multiple security zones.

 

When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?

ACEs to prevent broadcast address traffic

ACEs to prevent HTTP traffic

ACEs to prevent SNMP traffic

ACEs to prevent traffic from private address spaces

ACEs to prevent ICMP traffic

 

[by Sham]

A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?

The two models cannot be implemented on a single interface.

Both models must be implemented on all interfaces.

An interface must be assigned to a security zone before IP inspection can occur.

A Classic Firewall and Zone-Based Firewall cannot be used concurrently.


55 thoughts on “Answer CCNA Security Chapter 4 Test – CCNAS v1.1”

  1. Which statement correctly describes how an ACL can be used with the access-class command to filter vty access to a router?

    It is only possible to apply a standard ACL to the vty lines.

    An extended ACL can be used to restrict vty access based on specific source addresses, destination addresses, and protocol.

    An extended ACL can be used to restrict vty access based on specific source and destination addresses but not on protocol.

    An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any.

    1. The Correct Answer is:-
      An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any.

  2. error in :
    Which statement describes a typical security policy for a DMZ firewall configuration?

    correct answer:
    Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

  3. Which statement correctly describes how an ACL can be used with the access-class command to filter vty access to a router?

    correct answer is :
    An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any.

  4. This question is listed, but the answer is not an exact duplicate in the listing. Here is the question and all of the answers as listed on the test.

    2
    Which statement describes a typical security policy for a DMZ firewall configuration?

    Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with little or no restrictions.

    Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

    Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.

    Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.

    Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.

  5. Which statement describes a typical security policy for a DMZ firewall configuration?

    the right is
    Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

  6. Please update the right answer for this question. I just had my exam.

    Which statement describes a typical security policy for a DMZ firewall configuration?

    Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with little or no restrictions.

    Traffic that originates from the DMZ interface is permitted to traverse the firewall to the outside interface with little or no restrictions.

    Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface. (correct answer)

    Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.

    Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.

  7. I just had my exam, and the correct answer for the question:
    Which statement describes a typical security policy for a DMZ firewall configuration?

    Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

    Please update!

  8. I was unclear as to which was the correct answer, so I went with the majority. I GOT 100% USING:

    Which statement describes a typical security policy for a DMZ firewall configuration?

    Traffic that originates from the outside interface is permitted to traverse the firewall to the inside interface with little or no restrictions.

    –>Traffic that originates from the DMZ interface is selectively permitted to the outside interface.

    Traffic that originates from the inside interface is generally blocked entirely or very selectively permitted to the outside interface.

    Return traffic from the outside that is associated with traffic originating from the inside is permitted to traverse from the outside interface to the DMZ interface.

    Return traffic from the inside that is associated with traffic originating from the outside is permitted to traverse from the inside interface to the outside interface.

  9. In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?

    Correct Response: application layer protocol session information

      1. TCP/UDP source and destination port numbers

        TCP/IP protocol numbers

        IP source and destination addresses

        *application layer protocol session information*

  10. New Question:
    Refer to the exhibit. Which Cisco IOS security feature is implemented on router FW?
    —-> classic firewall (correct answer)
    reflexive ACL firewall
    zone-based policy firewall
    AAA access control firewall

    Update please!!

  11. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)

    An interface can be assigned to multiple security zones.

    Pass, inspect, and drop options can only be applied between two zones.

    Interfaces can be assigned to a zone before the zone is created.

    Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.

    If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.

    To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.

  12. *New Question*
    When logging is enabled for an ACL entry, how does the router switch packets filtered by the ACL?

    process switching (answer)

    autonomous switching

    topology-based switching

    optimum switching

  13. Which three statements describe zone-based policy firewall rules that govern interface behavior and the traffic moving between zone member interfaces? (Choose three.)

    An interface can be assigned to multiple security zones.
    Interfaces can be assigned to a zone before the zone is created.

    Pass, inspect, and drop options can only be applied between two zones.(Answer)

    If traffic is to flow between all interfaces in a router, each interface must be a member of a zone.(Answer)

    Traffic is implicitly prevented from flowing by default among interfaces that are members of the same zone.

    To permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.(Answer)

  14. One more from v1.2

    When a Cisco IOS zone-based policy firewall is being configured, which two actions can be applied to a traffic class? (Choose two.)
    – log
    – copy
    – *inspect*
    – hold
    – *drop*
    – forward

  15. NEW QUESTION!!
    1. A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?

    A dynamic ACL entry is added to the external interface in the inbound direction.(answer)

    1. Hi Gabriel, thanks for the new question. Updated. It would be very helpful if you have all the answer options. Thanks

  16. Refer to the exhibit. Which statement is true about the effect of this Cisco IOS zone-based policy firewall configuration?

    correct answer is
    The firewall will automatically allow HTTP, HTTPS, and FTP traffic from g0/0 to s0/0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

    1. Dear a,
      we have similar questions in the list.
      However, we do notice new answers, so I believe it is a different “exhibit” that the question referred to. If you have the exhibit, please email it to me at [email protected] with all the answer options if possible. TQ

  17. Refer to the exhibit. What is represented by the area marked as “A”?
    – DMZ (Correct Answer) v.1.2
    – internal network
    – perimeter security boundary
    – trusted network
    – untrusted network

  18. Which statement correctly describes how an ACL can be used with the access-class command to filter vty access to a router?

    Correct answer.

    An extended ACL can be used to restrict vty access based on specific source addresses and protocol but the destination can only specify the keyword any.

  19. What are two characteristics of ACLs? (Choose two.)

    -Extended ACLs can filter on source and destination IP addresses.
    -Extended ACLs can filter on destination TCP and UDP ports.
    -Standard ACLs can filter on source and destination IP addresses.
    -Standard ACLs can filter on source TCP and UDP ports.
    -Standard ACLs can filter on source and destination TCP and UDP ports.

        1. — Extended ACLs can filter on destination TCP and UDP ports.
          — Extended ACLs can filter on source and destination IP addresses.

  20. I have encountered a question that I was not able to find. Please forgive me if it was already added.

    Which type of packet is unable to be filtered by an outbound ACL?

    broadcast packet

    router-generated packet (I think that this is the correct answer)

    ICMP packet

    multicast packet

  21. Which type of packet is unable to be filtered by an outbound ACL?
    multicast packet
    broadcast packet
    ICMP packet
    –>router-generated packet

  22. I guess I found a wrong answer somewhere for the following questions. Ignore if updated; if not, kindly update.

    Q) When using CCP to apply an ACL, the administrator received an informational message indicating that a rule was already associated with the designated interface in the designated direction. The administrator continued with the association by selecting the merge option. Which statement describes the effect of the option that was selected?

    –Two separate access rules were applied to the interface.

    Correct answer> –A new combined access rule was created using the new access rule number. Duplicate ACEs were removed.

    In website > –A new combined access rule was created using the new access rule number. Duplicate ACEs and overriding ACEs were highlighted to allow the administrator to make adjustments.

    —The existing rule was placed in a preview pane to allow the administrator to select specific ACEs to move to the new access rule.

  23. Question) A router has been configured as a classic firewall and an inbound ACL applied to the external interface. Which action does the router take after inbound-to-outbound traffic is inspected and a new entry is created in the state table?

    1) The internal interface ACL is reconfigured to allow the host IP address access to the Internet.

    ——> 2) A dynamic ACL entry is added to the external interface in the inbound direction.

    3) When traffic returns from its destination, it is reinspected, and a new entry is added to the state table.

    4) The entry remains in the state table after the session is terminated so that it can be reused by the host.

    Question) In addition to the criteria used by extended ACLs, what conditions are used by a classic firewall to filter traffic?

    1) TCP/IP protocol numbers

    2) IP source and destination addresses

    3) TCP/UDP source and destination port numbers

    ——> 4) application layer protocol session information

    Question) Refer to the exhibit. Which statement is true about the effect of this Cisco IOS zone-based policy firewall configuration? (CCNAS1.png)
    (do email me and I will reply with the picture)
    1) The firewall will automatically drop all HTTP, HTTPS, and FTP traffic.

    2) The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0/0 to g0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.

    3) The firewall will automatically allow HTTP, HTTPS, and FTP traffic from g0/0 to s0/0/0, but will not track the state of connections. A corresponding policy must be applied to allow return traffic to be permitted through the firewall in the opposite direction.

    4) The firewall will automatically allow HTTP, HTTPS, and FTP traffic from s0/0/0 to g0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

    —–> 5) The firewall will automatically allow HTTP, HTTPS, and FTP traffic from g0/0 to s0/0/0 and will track the connections. Tracking the connection allows only return traffic to be permitted through the firewall in the opposite direction.

    Question) Which two parameters are tracked by a classic firewall for TCP traffic but not for UDP traffic? (Choose two.)

    1) destination port

    —–> 2) sequence number

    3) source port

    4) protocol ID

    —–> 5) SYN and ACK flags

  24. What is the first step in configuring a Cisco IOS zone-based policy firewall via the CLI?

    Define traffic classes.

    Define firewall policies.

    Assign router interfaces to zones.

    Create zones.*********

    Assign policy maps to zone pairs.

  25. What are two characteristics of ACLs? (Choose two.)

    Standard ACLs can filter on source and destination IP addresses.
    Standard ACLs can filter on source TCP and UDP ports.
    Standard ACLs can filter on source and destination TCP and UDP ports
    **Extended ACLs can filter on source and destination IP addresses.**
    **Extended ACLs can filter on destination TCP and UDP ports.**

    Which statement describes one of the rules that govern interface behavior in the context of implementing a zone-based policy firewall configuration?

    An administrator can assign interfaces to zones, regardless of whether the zone has been configured.

    By default, traffic is allowed to flow between a zone member interface and any interface that is not a zone member.

    **By default, traffic is allowed to flow among interfaces that are members of the same zone.**

    An administrator can assign an interface to multiple security zones.

    When an inbound Internet-traffic ACL is being implemented, what should be included to prevent the spoofing of internal networks?

    ACEs to prevent broadcast address traffic

    ACEs to prevent HTTP traffic

    ACEs to prevent SNMP traffic

    **ACEs to prevent traffic from private address spaces**

    ACEs to prevent ICMP traffic

  26. new question:

    A network administrator is implementing a Classic Firewall and a Zone-Based Firewall concurrently on a router. Which statement best describes this implementation?

    1. The two models cannot be implemented on a single interface.

      Both models must be implemented on all interfaces.

      An interface must be assigned to a security zone before IP inspection can occur.

      A Classic Firewall and Zone-Based Firewall cannot be used concurrently.
