| ]

Here you will find answers to Security Device Manager SDM Questions

Question 1

For the following options, which one accurately matches the CU command(s) to the equivalent SDM wizard that performs similar configuration functions?

A. setup exec command and the SDM Security Audit wizard

B. auto secure exec command and the SDM One-Step Lockdown wizard

C. aaa configuration commands and the SDM Basic Firewall wizard

D. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN wizard

Answer: B

Question 2

Which three statements are valid SDM configuration wizards? (Choose three)

A. Security Audit

B. VPN

C. STP

D. NAT

Answer: A B D

Question 3

Which two protocols enable Cisco SDM to pull IPS alerts from a Cisco ISR router? (Choose two)

A:FTP

B:HTTPS

C.TFTP

D.SSH

E.Syslog

F.SDEE

Answer: B F

Question 4

When using the Cisco SDM Quick Setup Site-to-Site VPN wizard, which three parameters do you configure? (Choose three)

A. Interface for the VPN connection

B. IP address for the remote peer

C. Transform set for the IPsec tunnel

D. Source interface where encrypted traffic originates

Answer: A B D

Explanation

The image below shows parameters when using Cisco SDM Quick Setup Site-to-Site VPN wizard

SDM-Site-to-site-VPN.jpg

Question 5

If you click the Configure button along the top of Cisco SDM’s graphical interface,which Tasks button permits you to configure such features as SSH, NTP, SNMP, and syslog?

A. Additional Tasks

B. Security Audit

C. Intrusion Prevention

D. Interfaces and Connections

Answer: A

Question 6

Cisco SDM (Security Device Manager) is a Web-based device management tool for Cisco routers that can simplify router deployments and reduce ownership costs. Select two protocols from the following to enable Cisco SDM to pull IPS alerts from a Cisco ISR router. (Choose two)

A. TFTP

B. SDEE

C. SSH

D. HTTPS

Answer: B D

Explanation

We must also enable HTTP or HTTPS on the router when we enable SDEE. The use of HTTPS ensures that data is secured as it traverses the network.

Question 7

Refer to the exhibit. You are the network security administrator responsible for router security. Your network uses internal IP addressing according to RFC 1918 specifications. From the default rules shown, which access control list would prevent IP address spoofing of these internal networks?

IP_address_snooping_RFC.jpg


A. SDM_Default_196
B. SDM_Default_197
C. SDM_Default_198
D. SDM_Default_199

Answer: C

Explanation

Click on each access-list, in the SDM_DEFAULT_198 you will see something like this

IP_address_snooping_RFC_explain.jpg

To mitigate IP address spoofing, do not allow any IP packets containing the source address of any internal hosts or networks inbound to our private network. The SDM_DEFAULT_198 denies all packets containing the following IP addresses in their source field:

+ Current network 0.0.0.0/8 (only valid as source address)
+ Any local host addresses (127.0.0.0/8)
+ Any reserved private addresses (RFC 1918, Address Allocation for Private Internets)
+ Any addresses in the IP multicast address range (224.0.0.0/4)

Note: 0.0.0.0/8: addresses in this block refer to source hosts on “this” network.

For your information, we will apply this access list to the external interface of the router.

Question 8

Refer to the exhibit. Based on the VPN connection shown, which statement is true?

SDM-VPN.jpg

A. Traffic that matches access list 103 will be protected.
B. This VPN configuration will not work because the tunnel IP and peer IP are the same.
C. The tunnel is down as result of being a static rule. It should be configured as a Dynamic IPsec policy.
D. The tunnel is down because the transform set needs to Include the Authentication Header parameter.

Answer: A