PREP 2026 PREMIUM REVIEW QUESTIONS
CORRECT RESPONSES
◉ What is the default number of MAC addresses allowed on a switch
port that is configured with port security? Answer: 1
◉ Which of the following are the valid first four characters of a link-
local address? Answer: FE80
◉ How is the negotiation of the IPsec (IKE Phase 2) tunnel done
securely? Answer: Uses the IKE Phase 1 tunnel
◉ Which one of the following is true about a transparent firewall?
Answer: Implemented at Layer 2
◉ Which is the primary Layer 2 mechanism that allows multiple
devices in the same VLAN to communicate with each other even
though those devices are physically connected to different switches?
Answer: Trunk
◉ What is the default policy between an administratively created
zone and the self zone? Answer: Permit
◉ What allows a firewall to be a DHCP client and a NAT/PAT device
at the same time? Answer: Dynamic PAT
◉ R1# show ipv6 int fa 0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, xxxxxxxx is FE80::218:B9FF:FE21:9278
No Virtual link-local address(es):
xxxxxxxxxx address(es):
2001:A:452:BAD:218:B9FF:FE21:9278, subnet is
2001:A:452:BAD::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF21:9278
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 34618)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
R1#
Review the output shown here. What is the address of
FE80::218:B9FF? Answer: Link Local Address
◉ What may be the potential problem when enabling SSL VPNs on
an interface on the ASA? Answer: ASDM must be used with a
different URL
◉ From the router, which method tests the most about the ACS
configuration, without forcing you to log in again at the router?
Answer: test AAA
◉ Which of the following is a true statement about the difference
between RADIUS and TACACS+? Answer: TACACS+ is more secure
because it encrypts the entire body of the packet.
◉ Which elements of PKI would be found in a hierarchical PKI
environment and not found in a monolithic CA environment?
Answer: Subordinate CA
◉ Which of the following is an accurate statement about the Diffie-
Hellman exchange? Answer: During IKE Phase 1, it is performed over
an unsecure network.
◉ Refer to the figure. In the Used By column, what are these items
referring to? Answer: Policy Maps, type inspect
◉ What is an application layer gateway (ALG) in the context of Cisco
ASA firewalls? Answer: The function of application proxying to
enforce security controls
◉ Which of the following commands enables you to disable DTP
behavior on one of your trunk links? Answer: Switchport
nonegotiate
◉ You want to use AAA to authenticate administrators before they
are given access to the routers. Which of the following would not be
used to verify the credentials? Answer: TFTP server
◉ What is the relationship between spoofing and a CAM table
overflow attack? Answer: Spoofing is impersonating another specific