Which one of these statements is an example of how trust and identity management solutions should be deployed in the enterprise campus network?
A. Authentication validation should be deployed as close to the data center as possible.
B. Use the principle of top-down privilege, which means that each subject should have the privileges that are necessary to perform their defined tasks, as well as all the tasks for those roles below them.
C. Mixed ACL rules, using combinations of specific sources and destinations, should be applied as close to the source as possible.
D. For ease of management, practice defense in isolation - security mechanisms should be in place one time, in one place.
Suggested Answer:
Validating user authentication should be implemented as close to the source as possible, with an emphasis on strong authentication for access from untrusted networks. Access rules should enforce policy throughout the network, with the following guidelines. An integral part of identity and access control deployments is to allow only the necessary access. Highly distributed rules allow for greater granularity and scalability but increase management complexity; centralized rule deployment eases management but lacks flexibility and scalability. Practicing "defense in depth", using security mechanisms that back each other up, is an important concept: for example, the perimeter Internet routers should use ACLs to filter packets in addition to the firewall inspecting packets at a deeper level. Of the four options, only C follows this guidance (ACL rules applied as close to the source as possible); A moves authentication toward the data center rather than the source, B grants cumulative rather than minimal privilege, and D describes a single enforcement point rather than defense in depth.
Cisco Press CCDA 640-864 Official Certification Guide Fourth Edition, Chapter 13
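As an added illustration of the guidance above (example code written for this page, not from the Cisco guide), the following Python models the two layers the explanation names: a Cisco-style extended ACL on the perimeter router, evaluated first-match with wildcard masks, and a stateful firewall behind it that only admits traffic belonging to a session opened from inside or a new connection to a published service. The topology, addresses (IPv4 documentation ranges), ACL entries and packets are constructed; the simplified ACE syntax and the StatefulFirewall model are assumptions for the example, not IOS or ASA behaviour.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One IP packet as seen at the perimeter (constructed test data only)."""
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # TCP SYN without ACK: a new connection attempt


def _take_addr(tokens):
    """Consume one Cisco address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return "host " + tokens.pop(0)
    return tok + " " + tokens.pop(0)


def _match_addr(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    net, wildcard = spec.split()
    # A wildcard mask is an inverted subnet mask: 0 bits must match, 1 bits are ignored.
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(net)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def parse_ace(line):
    """Parse a simplified extended ACE: [access-list N] permit|deny proto src dst [eq port]."""
    tokens = line.split()
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def acl_permits(acl, pkt):
    """First-match evaluation; an ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace["proto"] not in ("ip", pkt.proto):
            continue
        if not (_match_addr(ace["src"], pkt.src) and _match_addr(ace["dst"], pkt.dst)):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"] == "permit"
    return False


class StatefulFirewall:
    """Second line of defence (assumed model): inbound packets pass only if they belong
    to a session opened from inside, or open a new TCP session to a published service."""

    def __init__(self, published):
        self.published = set(published)  # {(proto, inside_ip, port)}
        self.sessions = set()            # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        return pkt.proto == "tcp" and pkt.syn_only and (pkt.proto, pkt.dst, pkt.dport) in self.published


def classify_inbound(acl, fw, pkt):
    """Router ACL first, then the firewall; report which layer stopped the packet."""
    if not acl_permits(acl, pkt):
        return "dropped by router ACL"
    if not fw.inbound(pkt):
        return "dropped by firewall"
    return "permitted"


# Constructed topology: 203.0.113.0/24 is the protected network, 203.0.113.10 a
# published HTTPS server, 198.51.100.7 an Internet host.
PERIMETER_ACL = [parse_ace(l) for l in (
    "access-list 101 deny ip 10.0.0.0 0.255.255.255 any",      # anti-spoofing: private sources
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",     # never arrive from the Internet
    "access-list 101 permit tcp any host 203.0.113.10 eq 443",
    "access-list 101 permit tcp any 203.0.113.0 0.0.0.255",     # coarse: return traffic for inside clients
    "access-list 101 permit udp any 203.0.113.0 0.0.0.255",
)]


def run_scenarios():
    fw = StatefulFirewall(published={("tcp", "203.0.113.10", 443)})
    fw.outbound(Packet("tcp", "203.0.113.20", "198.51.100.7", 40000, 80))  # inside client opens a session
    return {
        "spoofed private source": classify_inbound(PERIMETER_ACL, fw, Packet("tcp", "10.1.2.3", "203.0.113.10", 51000, 443, True)),
        "new HTTPS to web server": classify_inbound(PERIMETER_ACL, fw, Packet("tcp", "198.51.100.7", "203.0.113.10", 51000, 443, True)),
        "new SSH to inside host": classify_inbound(PERIMETER_ACL, fw, Packet("tcp", "198.51.100.7", "203.0.113.20", 51001, 22, True)),
        "reply to inside client": classify_inbound(PERIMETER_ACL, fw, Packet("tcp", "198.51.100.7", "203.0.113.20", 80, 40000)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The spoofed packet is stopped by the router before the firewall ever sees it, while the SSH attempt slips through the coarse return-traffic ACE and is caught only by the stateful check: each layer covers a case the other cannot, which is the backing-up relationship the answer describes.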
Exam E -
QUESTION 1 - Select and Place
Explanation -
Large-Building LANs - Large-building LANs are segmented by floors or departments. The building-access component serves one or more departments or floors. The building-distribution component serves one or more building-access components. Campus and building backbone devices connect the data center, building-distribution components, and the enterprise edge-distribution component. The access layer typically uses Layer 2 switches to contain costs, with more expensive Layer 3 switches in the distribution layer to provide policy enforcement. Current best practice is to also deploy multilayer switches in the campus and building backbone.
Cisco Enterprise Architecture Model
Explanation - CCDA 640-864 Official Cert Guide Chapter 6
QUESTION 3 - Select and Place
Explanation - data center facility considerations, each label with its matching item:
Space: amount of racks, equipment, cabling, people
Weight load: rack servers vs blade servers
Power: variability of computing load, computing power and memory requirements
Cooling: arranging equipment racks face-to-face or back-to-back
Cabling: abundant, variable, well organized and easy to maintain
Security: disasters, fire suppression and alarm systems
Please refer to the link below. Link: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a008073377d.pdf
QUESTION 4 - Select and Place
Explanation -
Small Office: Redundant Links; Internet Deployment Model
Medium Office: Redundant devices; Private WAN deployment
Large Office: Redundant Links and Devices; MPLS Deployment model
Small Branch Design -
The small branch design is recommended for branch offices that do not require hardware redundancy and that have a small user base of up to 50 users. This profile consists of an access router providing WAN services and connections for the LAN services. The Layer 3 WAN services are based on the WAN and Internet deployment model. A T1 is used for the primary link, and an ADSL secondary link is used for backup. Other network fundamentals are supported, such as EIGRP, floating static routes, and QoS for bandwidth protection.
Medium Branch Design -
The medium branch design is recommended for branch offices of 50 to 100 users. It is similar to the small branch design but adds a second (slightly larger) access router in the WAN edge, providing device redundancy.
Large Branch Design -
The large branch design is the largest of the branch profiles, supporting between 100 and 1000 users. This design profile is similar to the medium branch design in that it also provides dual access routers in the WAN edge. In addition, dual Adaptive Security Appliances (ASA) are used for stateful firewall filtering, and dual distribution switches provide the multilayer switching component. The WAN services use an MPLS deployment model with dual WAN links into the WAN cloud.
Cisco Press CCDA 640-864 Official Certification Guide Fourth Edition, Chapter 7
QUESTION 5 - Select and Place
Explanation - Changed this one to Jolly Frog's suggestion from Actual Tests:
Access: Protect against inadvertent loops; Protect network services including DHCP, ARP, and IP spoofing protection
Distribution: Protect the endpoints using network-based intrusion prevention; Protect the infrastructure using NFP best practices
Core: Filter and rate-limit control plane traffic; Does not perform security functions to mitigate transit threats
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap5.html#wp1090913
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap3.html
1 Access, 2 Distribution, 3 Access, 4 Core, 5 Access, 6 Distribution
Please refer to link. Link: http://www.ciscopress.com/articles/article.asp?p=1073230&seqNum=2
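The access-layer protections listed above for DHCP, ARP and IP spoofing can be seen working together in this added Python model, written for this page rather than taken from the SAFE guide. It keeps a DHCP snooping binding table and runs Dynamic ARP Inspection and IP Source Guard against it. The port names, MAC addresses, VLAN and IP addresses are constructed, and the message handling is a simplification of what a Catalyst switch does (loop protection such as BPDU guard is not modeled, and the gateway address is deliberately left without a binding).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str


class AccessSwitch:
    """Model of the DHCP snooping binding table and the two checks that consume it
    (Dynamic ARP Inspection and IP Source Guard). Assumed simplification, not IOS."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.bindings = {}                 # (vlan, ip) -> Binding
        self.pending = {}                  # (vlan, client_mac) -> port that sent the request
        self.log = []

    def dhcp(self, msg, port, vlan, client_mac, yiaddr=None):
        """DHCP snooping: server messages are accepted only on trusted ports, and an
        ACK creates a binding for the untrusted port where the client asked."""
        if msg in ("OFFER", "ACK", "NAK"):
            if port not in self.trusted:
                self.log.append(f"rogue DHCP {msg} dropped on {port}")
                return False
            if msg == "ACK":
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is not None:
                    self.bindings[(vlan, yiaddr)] = Binding(vlan, yiaddr, client_mac, client_port)
            return True
        self.pending[(vlan, client_mac)] = port  # DISCOVER / REQUEST from a client
        return True

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a binding."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return True
        self.log.append(f"DAI dropped ARP {sender_ip}/{sender_mac} on {port}")
        return False

    def ip_frame(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: the same binding check applied to ordinary IP traffic."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return True
        self.log.append(f"IPSG dropped IP {src_ip}/{src_mac} on {port}")
        return False


def run_scenarios():
    """Constructed sequence: one legitimate client on Gi0/1, an attacker on Gi0/2,
    the real DHCP server reachable via trusted uplink Gi0/24."""
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    host, attacker = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    sw.dhcp("DISCOVER", "Gi0/1", 10, host)
    sw.dhcp("ACK", "Gi0/24", 10, host, yiaddr="10.1.1.50")  # binding learned for Gi0/1
    return {
        "rogue OFFER on access port": sw.dhcp("OFFER", "Gi0/2", 10, host, yiaddr="10.1.1.99"),
        "host ARP reply": sw.arp("Gi0/1", 10, host, "10.1.1.50"),
        "attacker claims host IP": sw.arp("Gi0/2", 10, attacker, "10.1.1.50"),
        "attacker claims gateway": sw.arp("Gi0/2", 10, attacker, "10.1.1.1"),  # no binding for 10.1.1.1
        "host IP traffic": sw.ip_frame("Gi0/1", 10, host, "10.1.1.50"),
        "spoofed source IP": sw.ip_frame("Gi0/2", 10, attacker, "10.1.1.50"),
        "bindings": len(sw.bindings),
        "log": list(sw.log),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} -> {result}")
```

All three checks hinge on the same binding table, which is why DHCP snooping is configured first and the uplink to the real server must be marked trusted: with an untrusted uplink, the ACK itself would be dropped and no legitimate host could ever pass DAI or IP Source Guard.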
Network virtualization - encompasses logical isolated network segments that share the same physical infrastructure. Each segment operates independently and is logically separate from the other segments. Each network segment appears with its own privacy, security, independent set of policies, QoS levels, and independent routing paths.
Device virtualization - allows for a single physical device to act like multiple copies of itself. Device virtualization enables many logical devices to run independently of each other on the same physical piece of hardware. The software creates virtual hardware that can function just like the physical network device. Another form of device virtualization entails using multiple physical devices to act as one logical unit. Cisco Press CCDA 640-864 Official Certification Guide Fourth Edition, Chapter 4
QUESTION 7 - Select and Place
Explanation - 1 Enterprise Edge, 2 Internet Connectivity, 3 Data Center, 4 Enterprise Campus, 5 E-Commerce, 6 Remote Access and VPN. Please refer to link. Link: http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html#wp708979
CCDA Study Guide. Diane Teare -
QUESTION 8 - Select and Place
Explanation - I changed the answer on this to:
Layer 2 between distribution and access layers, with a Layer 3 link between the distribution switches -> FHRP for convergence, no VLANs span between access layer switches across the distribution switches
Layer 2 between distribution and access layers, with a Layer 2 link between the distribution switches -> Support Layer 2 VLANs spanning multiple access layer switches across the distribution switches
VSS -> Convergence (FHRP) is not an issue
Original Answer was -
Layer 2 between distribution and access layers, with a Layer 3 link between the distribution switches -> Support Layer 2 VLANs spanning multiple access layer switches across the distribution switches
Layer 2 between distribution and access layers, with a Layer 2 link between the distribution switches -> FHRP for convergence, no VLANs span between access layer switches across the distribution switches
VSS -> Convergence (FHRP) is not an issue
The following are recommended best practices at the distribution layer:
Cisco Press CCDA 640-864 Official Certification Guide Fourth Edition, Chapter 3
QUESTION 9 - Select and Place
Explanation -
Classification and marking: ACLs
Congestion avoidance: WRED
Traffic conditioners: CAR
Congestion management: LLQ
Link efficiency: LFI
Classification is the process of partitioning traffic into multiple priority levels or classes of service. Information in the frame or packet header is inspected, and the frame's priority is determined. Marking is the process of changing the priority or class of service (CoS) setting within a frame or packet to indicate its classification. Classification is usually performed with access control lists (ACL), QoS class maps, or route maps, using various match criteria.
Congestion-avoidance techniques monitor network traffic loads so that congestion can be anticipated and avoided before it becomes problematic. They allow packets from streams identified as eligible for early discard (those with lower priority) to be dropped when the queue is getting full, giving preferential treatment to high-priority traffic under congestion while maximizing throughput and capacity utilization and minimizing packet loss and delay. Weighted random early detection (WRED) is the Cisco implementation of the random early detection (RED) mechanism. WRED extends RED by using the IP Precedence bits in the IP packet header to determine which traffic should be dropped; the drop-selection process is weighted by the IP precedence.
A traffic conditioner consists of policing and shaping. Policing either discards the packet or modifies some aspect of it, such as its IP Precedence or CoS bits, when the policing agent determines that the packet meets a given criterion. In comparison, traffic shaping attempts to adjust the transmission rate of packets that match a certain criterion. A shaper typically delays excess traffic by using a buffer or queuing mechanism to hold packets and shape the flow when the source's data rate is higher than expected. For example, generic traffic shaping uses a weighted fair queue to delay packets to shape the bandwidth. Committed Access Rate (CAR) is the Cisco rate-limiting (policing) form of traffic conditioner referred to in the answer.
Congestion management includes two separate processes: queuing, which separates traffic into various queues or buffers, and scheduling, which decides from which queue traffic is to be sent next. There are two types of queues: the hardware queue (also called the transmit queue or TxQ) and software queues. Software queues schedule packets into the hardware queue based on the QoS requirements and include weighted fair queuing (WFQ), priority queuing (PQ), custom queuing (CQ), class-based WFQ (CBWFQ), and low latency queuing (LLQ). LLQ is also known as Priority Queuing-Class-Based Weighted Fair Queuing (PQ-CBWFQ). LLQ provides a single priority queue but is preferred for VoIP networks because it can also configure guaranteed bandwidth for different classes of traffic. For example, all voice call traffic would be assigned to the priority queue, VoIP signaling and video would be assigned to a traffic class, FTP traffic would be assigned to a low-priority traffic class, and all other traffic would be assigned to a regular class.
Link efficiency techniques include link fragmentation and interleaving (LFI) and compression. LFI prevents small voice packets from being queued behind large data packets, which could lead to unacceptable delays on low-speed links. With LFI, the voice gateway fragments large packets into smaller equal-sized frames and interleaves them with the small voice packets so that a voice packet does not have to wait until the entire large data packet is sent. LFI reduces voice delay and makes it more predictable. (Reference: Cisco Press, Designing for Cisco Internetwork Solutions)
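To make the policing-versus-shaping distinction above concrete, here is an added Python example (not from the referenced Cisco Press text) that runs one constructed burst through a single-rate token bucket twice: once as a policer, which marks each packet conform or exceed and never delays it, and once as a shaper, which holds exceeding packets in a FIFO until enough tokens accrue. The rate, burst allowance and packet sizes are constructed values, and the bucket model is the generic one rather than a specific IOS implementation.

```python
def police(packets, rate_bps, burst_bytes):
    """Single-rate token-bucket policer. Tokens (bytes) accrue at the contracted
    rate up to the burst size; a packet that fits the bucket conforms, otherwise it
    exceeds and would be dropped or re-marked (here only reported), never delayed.
    packets: list of (arrival_seconds, size_bytes). Returns [(arrival, size, action)]."""
    tokens, last = burst_bytes, packets[0][0]
    out = []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)
        last = t
        if size <= tokens:
            tokens -= size
            out.append((t, size, "conform"))
        else:
            out.append((t, size, "exceed"))
    return out


def shape(packets, rate_bps, burst_bytes):
    """Token-bucket shaper with a FIFO. A packet that lacks tokens is held until the
    bucket refills, so excess traffic is delayed instead of dropped. Packet sizes are
    assumed not to exceed burst_bytes. Returns [(arrival, departure, size)]."""
    tokens, clock = burst_bytes, packets[0][0]  # clock: departure time of the previous packet
    out = []
    for t, size in packets:
        now = max(t, clock)  # cannot leave before arriving, nor before the packet ahead
        tokens = min(burst_bytes, tokens + (now - clock) * rate_bps / 8)
        if size > tokens:
            wait = (size - tokens) * 8 / rate_bps  # seconds until the bucket holds 'size'
            now += wait
            tokens = size
        tokens -= size
        clock = now
        out.append((t, now, size))
    return out


# Constructed burst against an 8 kbit/s contract (1000 bytes/s) with a 1500-byte
# burst allowance: two packets back to back at t=0, then two more.
BURST = [(0.0, 1500), (0.0, 1000), (0.5, 500), (2.0, 1000)]
RATE_BPS, BURST_BYTES = 8000, 1500


def compare():
    policed = police(BURST, RATE_BPS, BURST_BYTES)
    shaped = shape(BURST, RATE_BPS, BURST_BYTES)
    return {
        "policer_actions": [action for _, _, action in policed],
        "shaper_departures": [departure for _, departure, _ in shaped],
        "shaper_max_delay": max(departure - arrival for arrival, departure, _ in shaped),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:18s} {value}")
```

The second packet is the interesting one: the policer rejects it outright because the burst allowance was spent on the first packet, while the shaper sends it a full second later once 1000 bytes of tokens have accrued, and that delay then cascades onto the packets behind it. That is the trade-off the text describes, loss under policing versus delay and buffer occupancy under shaping.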
QUESTION 10 - Select and Place
Explanation -
Provides secure network access, isolates and controls infected devices attempting access: Trust and Identity Management
Uses encryption and authentication to provide secure transport across untrusted networks: Secure Connectivity
Uses security integrated into routers, switches, and appliances to defend against attacks: Threat Defense
Integrates security into the network to identify, prevent, and adapt to threats: Cisco Self-Defending Network
Trust and identity management solutions provide secure network access and admission at any point in the network and isolate and control infected or unpatched devices that attempt to access the network. If you are trusted, you are granted access. "Trust" can be understood as the security policy applied to two or more network entities that allows or denies their communication in a specific circumstance; "identity" is the "who" of a trust relationship. The main purpose of Secure Connectivity is to protect the integrity and privacy of information, and it is mostly done by encryption and authentication. The purpose of encryption is to guarantee confidentiality: only authorized entities can encrypt and decrypt data. Authentication is used to establish the subject's identity; for example, users are required to provide a username and password to access a resource.
QUESTION 11 - Select and Place
Explanation -
Protects the endpoints (desktops, laptops and servers): Cisco Security Agent
Provides multiple functions as a high-performance security appliance: ASA
Prevents DDoS attacks: Anomaly Guard and Detector
Provides web-based VPN services: SSL Service Module
Prevents attacks inline: IPS Appliance
QUESTION 12 - Select and Place
Explanation -
Limits the number of frames transmitted before an acknowledgement is received: window size
Reduces data size to save transmission time, optimizing the use of WAN bandwidth: data compression
Allows network administrators to manage the varying demands generated by applications: queuing
Discards packets or modifies some aspect of them (such as IP precedence): traffic policing
QUESTION 13 - Select and Place
Explanation -
a. MIB (Management Information Base): A MIB is nothing more than a database of objects. The MIB has a tree-like structure, similar to a file system. Each leaf object represents a parameter on the managed device. A common understanding of the MIB between NMS and agent is what allows SNMP communications to work.
b. SNMP (Simple Network Management Protocol): SNMP is the de facto standard network management protocol for the IP protocol suite. Developed in the late 1980s by the IETF (Internet Engineering Task Force), SNMP provides a simple means for vendors to provide management capabilities in their networking devices. SNMP defines a manager/agent relationship for network management. A manager device essentially has two functions: monitor and control. It monitors network devices (agents) by sending queries for performance, configuration, and status information. It controls agents by sending directives to change configuration parameters. An example of an SNMP manager is an NMS (network management station) running CiscoWorks2000, while an agent might be a Cisco 7500 router. The NMS, acting as manager, communicates with the 7500, acting as agent, for information about its performance; SNMP is the protocol they use to communicate. An NMS can manage systems that include hosts, servers, routers, switches, hubs, UPSs, or almost any network-attached device. The NMS runs the network management applications, such as CiscoWorks2000, that present management information to network managers and other users. The processing of SNMP is mostly performed by the NMS.
QUESTION 14 -
Data Center Design 3.0 - Select and Place
Explanation -
Unified computing: Cisco Unified Computing System (UCS) is an innovative next-generation data center platform that converges computing, network, storage, and virtualization into one system. It integrates a lossless 10GE unified network fabric with x86 architecture-based servers, allows the Cisco Virtual Interface Card to virtualize the network interfaces on a server, offers Cisco VN-Link virtualization, supports Cisco's patented Extended Memory Technology, and increases productivity with just-in-time provisioning using service profiles. In addition, the newer Data Center 3.0 architecture increases the overall return on investment (ROI) and lowers the total cost of ownership (TCO).
Virtualization: Virtual local-area networks (VLAN), virtual storage-area networks (VSAN), and virtual device contexts (VDC) segment the LAN, SAN, and network device instances for virtual machines (VM). Each VLAN and VSAN operates independently of the others.
Flexible networking options: support for all server form factors and vendors, including blade servers from Cisco, Dell, IBM, and HP with integrated Ethernet and Fibre Channel switches.
Exam F
Community vote distribution: A (35%), C (25%), B (20%), Other