
Security Questions

March 16th, 2020 in ENCOR 350-401

Question 1


Lines (CON, AUX, VTY) default to level 1 privileges.

Question 2


MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks by using out-of-band methods for encryption keying. The MACsec Key Agreement (MKA) Protocol provides the required session keys and manages the required encryption keys. MKA and MACsec are implemented after successful authentication using the 802.1X Extensible Authentication Protocol (EAP-TLS) or Pre-Shared Key (PSK) framework.

A switch using MACsec accepts either MACsec or non-MACsec frames, depending on the policy associated with the MKA peer. MACsec frames are encrypted and protected with an integrity check value (ICV). When the switch receives frames from the MKA peer, it decrypts them and calculates the correct ICV by using session keys provided by MKA. The switch compares that ICV to the ICV within the frame. If they are not identical, the frame is dropped. The switch also encrypts and adds an ICV to any frames sent over the secured port (the access point used to provide the secure MAC service to an MKA peer) using the current session key.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-9/configuration_guide/sec/b_169_sec_9300_cg/macsec_encryption.html

Note: Cisco TrustSec is the solution that includes MACsec.

Question 3


Cisco TrustSec uses tags to represent logical group privilege. This tag, called a Security Group Tag (SGT), is used in access policies. The SGT is understood and used to enforce policy on traffic by Cisco switches, routers and firewalls. Cisco TrustSec is defined in three phases: classification, propagation and enforcement.
When users and devices connect to a network, the network assigns a specific security group. This process is called classification. Classification can be based on the results of the authentication or by associating the SGT with an IP, VLAN, or port-profile (-> Answer A and answer C are not correct as they say “assigned … on a switch” only. Answer D is not correct either as it says “assigned to each router”).

Question 4


The Cisco TrustSec solution simplifies the provisioning and management of network access control through the use of software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without network redesign.

Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Apr2016/User-to-DC_Access_Control_Using_TrustSec_Deployment_April2016.pdf
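The three phases described in Questions 3 and 4 (classification, propagation, enforcement) and the point that policy follows identity rather than IP address can be seen in a small model. The following is an added example, not Cisco code and not a real SGT or SGACL format; every SGT number, binding, IP address and matrix cell in it is constructed, and the binding precedence (dynamic authorization result first, then static subnet, VLAN and port bindings) is an assumption made for the illustration.

```python
"""Toy model of the three Cisco TrustSec phases: classification (bind an
endpoint to an SGT), propagation (carry the SGT with the traffic) and
enforcement (an SGACL matrix keyed on source/destination SGT).  Added
illustration, not Cisco code; all SGT values, bindings, addresses and the
policy matrix below are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed SGT values; in a deployment these are defined on ISE.
SGT_UNKNOWN, SGT_EMPLOYEE, SGT_CONTRACTOR, SGT_PCI_SERVER = 0, 4, 5, 10


@dataclass
class Classifier:
    """Classification: pick the SGT for an endpoint from whichever binding applies.
    Precedence modelled here (an assumption for the example): a dynamic SGT
    returned in the 802.1X/MAB authorization result wins, then static
    subnet-to-SGT, VLAN-to-SGT and port-to-SGT bindings."""
    subnet_sgt: dict = field(default_factory=dict)   # ip_network -> SGT
    vlan_sgt: dict = field(default_factory=dict)     # VLAN id -> SGT
    port_sgt: dict = field(default_factory=dict)     # interface name -> SGT

    def classify(self, ip: str, vlan: Optional[int] = None,
                 port: Optional[str] = None, auth_sgt: Optional[int] = None) -> int:
        if auth_sgt is not None:          # dynamic: pushed back after authentication
            return auth_sgt
        addr = ip_address(ip)
        hits = [n for n in self.subnet_sgt if addr in n]
        if hits:                           # longest matching prefix wins
            return self.subnet_sgt[max(hits, key=lambda n: n.prefixlen)]
        if vlan in self.vlan_sgt:
            return self.vlan_sgt[vlan]
        if port in self.port_sgt:
            return self.port_sgt[port]
        return SGT_UNKNOWN


@dataclass
class TaggedFlow:
    """Propagation: the SGT travels with the traffic (inline tagging or SXP);
    here it is simply a field carried on the flow."""
    src_ip: str
    dst_ip: str
    src_sgt: int
    dst_tcp_port: int


# Enforcement: SGACL matrix.  Each cell is an ordered list of (action, tcp port
# or None for "any"); the first matching entry decides.
SGACL_MATRIX = {
    (SGT_EMPLOYEE, SGT_PCI_SERVER): [("permit", 443), ("deny", None)],
    (SGT_CONTRACTOR, SGT_PCI_SERVER): [("deny", None)],
}
DEFAULT_CELL = [("permit", None)]  # constructed catch-all policy


def enforce(flow: TaggedFlow, dst_sgt: int) -> str:
    """Return the verdict for a flow; note the lookup never consults IP addresses."""
    for action, port in SGACL_MATRIX.get((flow.src_sgt, dst_sgt), DEFAULT_CELL):
        if port is None or port == flow.dst_tcp_port:
            return action
    return "deny"


def demo() -> dict:
    """Policy follows identity (SGT), not IP: the same employee gets the same
    verdict from two different addresses."""
    clf = Classifier(
        subnet_sgt={ip_network("10.20.0.0/16"): SGT_PCI_SERVER},  # static DC binding
        vlan_sgt={300: SGT_CONTRACTOR},
        port_sgt={"GigabitEthernet1/0/5": SGT_CONTRACTOR},
    )
    pci = clf.classify("10.20.1.50")                               # subnet binding
    emp_a = clf.classify("192.168.1.10", auth_sgt=SGT_EMPLOYEE)    # 802.1X result
    emp_b = clf.classify("172.16.9.77", auth_sgt=SGT_EMPLOYEE)     # same user, new IP
    contractor = clf.classify("192.168.1.11", vlan=300)            # VLAN binding
    return {
        "pci_sgt": pci,
        "employee_https_a": enforce(TaggedFlow("192.168.1.10", "10.20.1.50", emp_a, 443), pci),
        "employee_https_b": enforce(TaggedFlow("172.16.9.77", "10.20.1.50", emp_b, 443), pci),
        "employee_ssh": enforce(TaggedFlow("192.168.1.10", "10.20.1.50", emp_a, 22), pci),
        "contractor_https": enforce(TaggedFlow("192.168.1.11", "10.20.1.50", contractor, 443), pci),
        "port_bound_sgt": clf.classify("192.168.1.12", port="GigabitEthernet1/0/5"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the demo shows the employee's HTTPS flow permitted from both addresses, SSH from the same employee denied, and the contractor denied outright; renumbering the endpoint changes nothing because the matrix is keyed on SGTs.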

Question 5


The “enable secret” password is always stored hashed (independent of the “service password-encryption” command) using the MD5 hash algorithm. The “enable password” does not encrypt the password, which can be viewed in clear text in the running-config. In order to encrypt the “enable password”, use the “service password-encryption” command. This command will encrypt the passwords by using the Vigenere encryption algorithm. Unfortunately, the Vigenere encryption method is cryptographically weak and trivial to reverse.

The MD5 hash is a stronger algorithm than Vigenere so answer D is correct.
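A practical way to act on this distinction is to audit a running-config for how each password is stored. The following auditor is an added example (not from the page or from Cisco); the two sample configs are constructed, the `$9$...` strings are placeholders rather than real hashes, and the mapping of IOS type digits to storage methods (0 clear text, 7 reversible Vigenere-style, 5 MD5, 8 PBKDF2-SHA256, 9 scrypt) is the standard IOS numbering.

```python
"""Audit an IOS running-config for weak password storage.  Added example, not
page or Cisco code; both sample configs below are constructed and the type 9
hash strings are placeholders."""
import re

# Constructed: mirrors the situation in Question 5 (enable password in clear
# text, type 7 strings from service password-encryption, no enable secret).
WEAK_CONFIG = """\
version 15.2
no service password-encryption
enable password cisco123
username admin password 7 0202039485748
username ops secret 5 $1$abcd$0123456789ABCDEFGHIJKL
line vty 0 4
 password 7 0202039485748
 login
"""

# Constructed remediation: one-way hashes only, no line passwords.
HARDENED_CONFIG = """\
service password-encryption
enable secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER
username admin secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER
line vty 0 4
 login local
 transport input ssh
"""

HASHED_TYPES = {"5": "MD5", "8": "PBKDF2-SHA256", "9": "scrypt"}

ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d))? (\S+)$")
USER_RE = re.compile(r"^username (\S+) (password|secret)(?: (\d))? (\S+)$")
LINE_PW_RE = re.compile(r"^\s+password(?: (\d))? (\S+)$")


def classify_type(ptype):
    """Return (storage label, severity) for an IOS password type digit.
    No digit means type 0, i.e. clear text."""
    ptype = ptype or "0"
    if ptype in HASHED_TYPES:
        return HASHED_TYPES[ptype] + " hash", "ok"
    if ptype == "7":
        return "type 7 (reversible)", "high"
    return "clear text", "high"


def audit(config: str) -> dict:
    """Walk the config line by line, tracking which `line ...` section we are in."""
    findings = []
    has_enable_secret = False
    service_pw_enc = False
    section = "global"
    for raw in config.splitlines():
        if not raw.startswith(" "):                   # top-level command
            section = raw if raw.startswith("line ") else "global"
        if raw == "service password-encryption":
            service_pw_enc = True
        m = ENABLE_RE.match(raw)
        if m:
            kw, ptype, _secret = m.groups()
            has_enable_secret |= kw == "secret"
            label, sev = classify_type(ptype)
            findings.append({"where": "global", "item": f"enable {kw}",
                             "storage": label, "severity": sev})
            continue
        m = USER_RE.match(raw)
        if m:
            user, kw, ptype, _secret = m.groups()
            label, sev = classify_type(ptype)
            findings.append({"where": "global", "item": f"username {user}",
                             "storage": label, "severity": sev})
            continue
        m = LINE_PW_RE.match(raw)
        if m and section != "global":
            label, sev = classify_type(m.group(1))
            findings.append({"where": section, "item": "line password",
                             "storage": label, "severity": sev})
    if not has_enable_secret:
        findings.append({"where": "global", "item": "enable secret",
                         "storage": "missing", "severity": "high"})
    high = sum(1 for f in findings if f["severity"] == "high")
    return {"service_password_encryption": service_pw_enc,
            "high_findings": high, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit(cfg)
        print(f"[{name}] high findings: {report['high_findings']}")
        for f in report["findings"]:
            print(f"  {f['severity']:4} {f['where']}: {f['item']} -> {f['storage']}")
```

The weak config yields four high findings (clear-text enable password, two type 7 strings, and the missing enable secret) plus the acceptable MD5 entry; the hardened config yields none. Enabling `service password-encryption` alone would only turn the clear-text entries into type 7, which the auditor still flags, matching the point above that Vigenere obfuscation is not a substitute for a hash.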

Question 6


According to the requirements (first use TACACS+, then allow login with no authentication), we have to use “aaa authentication login … group tacacs+ none” as the AAA command.

The next thing to check is whether “aaa authentication login default” or “aaa authentication login list-name” is used. The ‘default’ keyword means we want to apply the list to all login connections (such as tty, vty, console and aux). If we use this keyword, we don’t need to configure anything else under the tty, vty and aux lines. If we don’t use this keyword, then we have to specify which line(s) we want to apply the authentication list to.

From the information above, we can see that answer C is correct, although the “password 7 0202039485748” line under “line vty 0 4” is not necessary.

If you want to learn more about AAA configuration, please read our AAA TACACS+ and RADIUS Tutorial – Part 2.

For your information, answer D would be correct if we add the following command under vty line (“line vty 0 4”): “login authentication telnet” (“telnet” is the name of the AAA list above)
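The rule that separates answers C and D (a named list takes effect only where `login authentication <name>` is applied, while the `default` list applies to every line) can be checked mechanically. The resolver below is an added example, not Cisco's or the page's code; the three configs are constructed to mirror answer C, answer D as written, and answer D with the fix mentioned above.

```python
"""Resolve which AAA login method list each terminal line actually uses.
Added example (not Cisco's or the page's code); the configs are constructed
to mirror the answer choices discussed in Question 6."""
import re

# Constructed: default list, so every line inherits it without extra config.
CONFIG_ANSWER_C = """\
aaa new-model
aaa authentication login default group tacacs+ none
line con 0
line vty 0 4
 password 7 0202039485748
"""

# Constructed: named list "telnet" defined but never applied to a line.
CONFIG_ANSWER_D = """\
aaa new-model
aaa authentication login telnet group tacacs+ none
line vty 0 4
 password 7 0202039485748
"""

# Constructed: same named list, now applied under the vty lines.
CONFIG_ANSWER_D_FIXED = """\
aaa new-model
aaa authentication login telnet group tacacs+ none
line vty 0 4
 password 7 0202039485748
 login authentication telnet
"""

AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
LOGIN_AUTH_RE = re.compile(r"^\s+login authentication (\S+)$")


def split_methods(tokens):
    """Group 'group <server-group>' into one method; other keywords stand alone."""
    methods, it = [], iter(tokens)
    for tok in it:
        methods.append(f"{tok} {next(it)}" if tok == "group" else tok)
    return methods


def parse(config: str):
    """Return (method lists by name, list name applied per `line ...` section)."""
    lists, lines, section = {}, {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):                 # top-level command
            section = raw if raw.startswith("line ") else None
            if section:
                lines.setdefault(section, None)
            m = AAA_LOGIN_RE.match(raw)
            if m:
                lists[m.group(1)] = split_methods(m.group(2).split())
            continue
        m = LOGIN_AUTH_RE.match(raw)
        if m and section:
            lines[section] = m.group(1)
    return lists, lines


def effective_methods(config: str) -> dict:
    """Map each line section to the method sequence it will use: an explicitly
    applied named list first, otherwise the default list if one is defined."""
    lists, lines = parse(config)
    out = {}
    for section, applied in lines.items():
        if applied is not None:
            out[section] = lists.get(applied, [f"<list '{applied}' not defined>"])
        elif "default" in lists:
            out[section] = lists["default"]
        else:
            out[section] = ["<no AAA list applied>"]
    return out


if __name__ == "__main__":
    for name, cfg in (("answer C", CONFIG_ANSWER_C), ("answer D", CONFIG_ANSWER_D),
                      ("answer D + login authentication telnet", CONFIG_ANSWER_D_FIXED)):
        print(name)
        for section, methods in effective_methods(cfg).items():
            print(f"  {section}: {' -> '.join(methods)}")
```

For answer C both the console and the vty lines resolve to `group tacacs+ -> none`; for answer D as written the vty lines resolve to no AAA list at all, and only after adding `login authentication telnet` do they pick up the TACACS+-then-none sequence.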

Question 7


Firepower Threat Defense (FTD) provides six interface modes which are: Routed, Switched, Inline Pair, Inline Pair with Tap, Passive, Passive (ERSPAN).

When Inline Pair Mode is in use, packets can be blocked since they are processed inline.
When you use Inline Pair mode, the packet goes mainly through the FTD Snort engine.
When Tap Mode is enabled, a copy of the packet is inspected and dropped internally while the actual traffic goes through FTD unmodified.


Question 8

  1. joe
    April 27th, 2020

    Hey, where can I find the pdf file for encor questions and answers. Thanks.

  2. Nedal_Shboul
    May 18th, 2020

    I think B is wrong and C is the correct answer, right?


    Which feature does Cisco TrustSec use to provide scalable, secure communication throughout a network?
    A. security group tag ACL assigned to each port on a switch
    B. security group tag number assigned to each port on a network
    C. security group tag number assigned to each user on a switch
    D. security group tag ACL assigned to each router on a network

    June 6th, 2020

    I also think C is correct.

    Because an SGT is not an ACL, it is a number that is assigned, and you don’t assign an SGT to each port, but to each user that is usually connected through a switch.

  4. Update
    June 13th, 2020

    Can anyone confirm correct answer for Q3?

  5. GZ
    July 11th, 2020

    SGT tags define role or business use case and can be assigned to users, endpoints, or other resources as they ingress the TrustSec network. It can happen in two ways:
    1- Dynamic: assigned dynamically and can be downloaded as an authorization option from ISE when authenticating using 802.1x, MAB or WebAuth.
    2- Static: used in data centre env, where dynamic assignment is not possible so statically assigned in several ways:
    -IP to SGT tag
    -Subnet to SGT tag
    -VLAN to SGT tag
    -L2/L3 interface to SGT tag
    -Port to SGT interface

    C (Incorrect) because it mentions only those users who are connected to a switch (seems the wired users), how about other users who are connected wireless or coming from another network or branch and might not go to a switch and go to ISE through a Router/firewall. It seems if the answer option was such that the users connecting on a network, it might have been correct.
    B (Correct) this is true as it explains one of the scenarios where an SGT tag is assigned to a port on a network.

  6. mimou
    August 8th, 2020

    the correct answer is C

  7. Mbubba
    September 7th, 2020

    The correct answer is B, a user does not receive an SGT. The port on a network does, for example a port on a switch. If the endpoint wants to authenticate through ISE, then ISE will push back attributes via RADIUS. You can check this on the CLI with the command show access-session interface gigabitethernet 1/0/1 detail. The SGT will show up there.
