Cisco.ActualTest.642-637.v2012-08-09-129q-dd...Aug 09, 2012 · Version : 2012-08-09 Questions :...

Cisco.ActualTest.642-637.v2012-08-09-129q-dd

Number: 642-637Passing Score: 800Time Limit: 60 minFile Version: 2012-08-09

http://www.gratisexam.com/

Exam : Cisco 642-637

Version : 2012-08-09

Questions : 129

All the best .

By DD and Neil

Sections1. Router Security2. Switch Security3. VPN4. Zone Based Firewall5. IPS6. Drag and Drop7. Simlet-VPN8. Lab-ZBFW9. User Feedback

Exam A

QUESTION 1You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of using 802.1Xhas accessed the port and has been assigned to the guest VLAN. What happens when a client capable ofusing 802.1Xjoins the network on the same port?

A. The client capable of using 802.1X is allowed access and proper security policies are applied to the client.B. EAPOL packets will not be allowed on the guest VLAN and the access attempt with fail.C. The port is put into the unauthorized state in the user-configured access VLAN, and authentication is

restarted.D. This is considered a security breach by the authentication server and all users on the access port will be

placed into the restricted VLAN.

Correct Answer: CSection: Switch SecurityExplanation

Explanation/Reference:Usage Guidelines for Using Authentication Failed VLAN AssignmentWhen an authentication failed port is moved to an unauthorized state the authentication process is restarted. Ifyou should fail the authentication process again the authenticator waits in the held state. After you havecorrectly reauthenticated all 802.1x ports are reinitialized and treated as normal 802.1x ports.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/dot1x.html#wp1198927

QUESTION 2Refer to the exhibit. Given the partial output of the debug command, what can be determined?

A. There is no ID payload in the packet, as indicated by the message ID = 0.B. The peer has not matched any offered profiles.C. This is an IKE quick mode negotiation.D. This is normal output of a successful Phase 1 IKE exchange.

Correct Answer: DSection: VPNExplanation

Explanation/Reference:Page 397Verify a Successful Phase 1 ExchangeThe debug crypto isakmp debugging command will display the “SA has been authenticated” debug messageafter the IKE Phase 1 peering is successful.

NOTE

Some say that the best Cisco answer is still B (as in original Actual Test dump) not Neil's answer. e.g. Although the authentication of IKe phase 1 is authenticated, the exhibit question says “Given the partial outputof the “debug command”, what can be determined? 2 is best for the peer has not matched any offered profiles.

QUESTION 3Refer to the exhibit. Which two Cisco IOS WebVPN features are enabled with the partial configuration shown?(Choose two.)

A. The end-user CiscoAnyConnect VPN software will remain installed on the end system.B. If the CiscoAnyConnect VPN software fails to install on the end-user PC, the end user cannot use other

modes.C. Client based full tunnel access has been enabled.D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.

Correct Answer: ACSection: VPNExplanation

Explanation/Reference:Page 550

QUESTION 4Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choosetwo.)

A. Less firewall management is needed.B. It can be easily introduced into an existing network.C. IP readdressing is unnecessary.D. It adds the ability to statefully inspect non-IP traffic.E. It has less impact on data flows.

Correct Answer: BCSection: Zone Based FirewallExplanation

Explanation/Reference:

QUESTION 5When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zonepairs for a possible pair of zones?

A. All sessions will pass through the zone without being inspected.B. All sessions will be denied between these two zones by default.


C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass tothe destination zone.

D. This configuration statelessly allows packets to be delivered to the destination zone.

Correct Answer: BSection: Zone Based FirewallExplanation

Explanation/Reference:Page 309Zone Pair ConfigurationThe configuration of the zone pair is important because its configuration dictates the direction in which traffic isallowed to flow. As stated previously, a zone pair is unidirectional and is the part of the configuration thatcontrols traffic between zones; this is referred to as interzone. If no zone pair is defined, traffic will not flowbetween zones

QUESTION 6Refer to the exhibit. What can be determined from the output of this show command?

A. The IPsec connection is in an idle state.B. The IKE association is in the process of being set up.C. The IKE status is authenticated.D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed

between peersE. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.

Correct Answer: CSection: VPNExplanation


Verify Local IKE SessionsUse the show crypto isakmp sa command to display the current IKE Security Associations (SA) on the localrouter. The QM_IDLE status indicates successful establishment of the IKE SA, meaning that the ISAKMPprocess is idle after having successfully negotiated and established SAs. Example 15-5 shows the output ofthe show crypto isakmp sa command.

QUESTION 7You are running Cisco lOS IPS software on your edge router. A new threat has become an issue.The Cisco lOS IPS software has a signature that can address the new threat, but you previously retired thesignature. You decide to unretire that signature to regain the desired protection level. How should you act onyour decision?

A. Retired signatures are not present in the routers memory. You will need to download a new signaturepackage to regain the retired signature.

B. You should re-enable the signature and start inspecting traffic for signs of the new threat.C. Unretiring a signature will cause the router to recompile the signature database, which can temporarily

affect performance.D. You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom signature

until you can download a new signature package and reload the router.

Correct Answer: CSection: IPSExplanation

Explanation/Reference:Page 345■ Some signatures can be retired. This signature is not present in the router’s memory. Unretiring a retiredsignature requires that the router recompile the signature database.This can temporarily affect performance and take a long time with a large signature database.

QUESTION 8Which statement best describes inside policy based NAT?

A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise securitypolicy

B. Policy NAT consists of policy rules based on outside sources attempting to communicate with insideendpoints.

C. These rules use source addresses as the decision for translation policies.D. These rules are sensitive to all communicating endpoints.

Correct Answer: ASection: Router Security

Explanation


QUESTION 9Refer to the exhibit. What can be determined about the IPS category configuration shown?

A. All categories are disabled.B. All categories are retired.C. After all other categories were disabled, a custom category named "os ios" was createdD. Only attacks on the Cisco IOS system result in preventative actions.

Correct Answer: DSection: IPSExplanation

Explanation/Reference:Page 345This configuration task is completed by entering the signature category configuration mode using the ip ipssignature-category command. See Example 13-3 for the relevant configuration. First, retire and disable allsignatures because only the desired signatures will be enabled. This is achieved using the category allcommand. Then, use the retiredtrue and enabled false commands to disable and retire all signatures by default. Next, enable all signaturesthat are designed to prevent attacks against Cisco IOS Software devices and assign a preventativeaction to them. Enter the category that comprises these signatures using the category os ios command andenable them by using the retired false andenabled true commands. Use the event-action produce-alert deny-packet-inline command to enable thesesignatures to generate an alert and drop the offending packets whenthey trigger.

QUESTION 10When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?

A. They are stored in the router's event store and will allow authenticated remote systems to pull events fromthe event store.

B. All events are immediately sent to the remote SDEE server.C. Events are sent viasyslog over a secure SSUTLS communications channel.D. When the event store reaches its maximum configured number of event notifications, the stored events are

sent via SDEE to a remote authenticated server and a new event store is created.

Correct Answer: ASection: IPSExplanation

Explanation/Reference:Page 358SDEE uses a pull communication model for event messages. This allows management consoles to pull alertsfrom the Cisco IPS sensors over an HTTPS connection.

When Cisco SDEE notification is enabled, by default, 200 events can be stored in the local event store. Thisnumber can be increased to hold a maximum of 1000. All stored events are lost if SDEE notifications aredisabled, and a new local event store is allocated when the notification feature is enabled again.

QUESTION 11Which two of these will match a regular expression with the following configuration parameters?[a-zA-Z][0-9][a-z] (Choose two.)

A. Q3hB. B4MnC. aaB132AAD. c7lmE. BBpjnrIT

Correct Answer: ADSection: IPSExplanation


QUESTION 12Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaustcritical router resources and if preventative controls have been bypassed or are not working correctly?

A. Control Plane ProtectionB. Management Plane ProtectionC. CPU and Memory thresholdingD. SNMPv3

Correct Answer: CSection: Router SecurityExplanation

Explanation/Reference:Page 261CPU and Memory ThresholdingOne of the ways to monitor whether an attack is occurring on a device is through the sim- ple monitoring ofdevice resources, including CPU and memory utilization. This is done by configuring the use of CPU or memorythreshold monitoring. Both of these features can be combined with a remote management server to notify anorganization when the CPU and memory conditions on a device become critical.

“With CPU Thresholding Notification, users can configure CPU utilization thresholds, which trigger a notificationwhen exceeded. Cisco IOS Software supports two CPU utilization thresholds:”

http://www.cisco.com/en/US/products/ps6642/products_data_sheet09186a00801f98de.html

QUESTION 13Which Cisco IOS IPS feature allows to you remove one or more actions from all active signatures based on theattacker and/or target address criteria, as well as the event risk rating criteria?

A. signature event action filtersB. signature event action overridesC. signature attack severity ratingD. signature event risk rating



QUESTION 14You are troubleshooting reported connectivity issues from remote users who are accessing corporateheadquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?

A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpointsB. ping the tunnel endpointC. run a traceroute to verify the tunnel pathD. debug the connection process and look for any error messages in tunnel establishment

Correct Answer: BSection: VPNExplanation

Explanation/Reference:Page 398 - Very Important - several Questions from thisTroubleshooting FlowFollow these steps to proceed through the recommended flow for troubleshooting IKE peering:Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source and destinationIP addresses on both peers. If connectivity isverified, proceed to Step 2; otherwise, check the path between the two peers for routing or access (firewall oraccess list) issues.

Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug messagesrevealed by the debug crypto isakmp commandwill also point out IKE policy mismatches.

Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display unsuccessfulauthentication.

Step 4. Upon successful completion of Steps 1–3, the IKE SA should be establishing. This can be verified withthe show crypto isakmp sa command and lookingfor a state of QM_IDLE.

QUESTION 15Which of these is correct regarding the configuration of virtual-access interfaces?

A. They cannot be saved to the startup configuration.B. You must use static routes inside the tunnels.

C. DVTI interfaces should be assigned a unique IP address range.D. The Virtual-Access 1 interface must be enabled in an up/up state administratively

Correct Answer: ASection: VPNExplanation


QUESTION 16Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. Allother zones and interfaces have been properly configured. Given the configuration example shown, what canbe determined.

A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the10.10.10.0/24 network using the SSH protocol.

B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interfacewithin the INSIDE zone, communications must pass through the router self zone using the INTRAZONEpolicy.

C. This is an illegal configuration. You cannot have the same source and destination zones.D. This policy configuration is not needed, traffic within the same zone is allowed to pass by default.

Correct Answer: BSection: Router SecurityExplanation

Explanation/Reference:Page 309The zone pair can also be configured to control the traffic permitted directly into the device; this includes controland management plane traffic. This is configured by creating a zone pair using the self zone as the source ordestination zone. With the release of IOS 15.0.1M, it is also possible to control the traffic within the same zone;this is referred to as intrazone.

This is configured by creating a zone pair with the same two zone names as both source and destination.

QUESTION 17Which action does the command private-vlan association 100,200 take?

A. configures VLANs 100 and 200 and associates them as a communityB. associates VLANs 100 and 200 with the primary VLANC. creates two private VLANs with the designation of VLAN 100 and VLAN 200D. assigns VLANs 100 and 200 as an association of private VLANs

Correct Answer: BSection: Switch SecurityExplanation


QUESTION 18Which of these allows you to add event actions globally based on the risk rating of each event, without havingto configure each signature individually?

A. event action summarizationB. event action filterC. event action overrideD. signature event action processor


Explanation/Reference:page 349

QUESTION 19When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password forestablishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)

A. using an external AAA serverB. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC

modeC. using the router local user databaseD. entering the information from the PC via a browserE. storing the XAUTH credentials in the router configuration file

Correct Answer: BDESection: Router SecurityExplanation

Explanation/Reference:Page 579 Begin by configuring the local network AAA authorization list with the aaa authoriza-tion network command.This will tell the router to use only the locally configured userdatabase on the router for its authorization resource.C

Page 582 If XAUTH is being used, it must be decided where to store the authentication credentials:■ Store the XAUTH username and password in the configuration file on therouter: This option is typically used if the router is shared between many PCs andthe goal is to have the VPN tunnel up all the time.E

■ Do not store the XAUTH username and password on the router: If this optionis used, a PC user who is connected to the router is presented with a web page thatallows the username and password to be manually entered.DPage 583 EZVPN Remote connection profile using the crypto ipsec client ezvpn command■ Use the group command to specify the group name and group password to authenticateto the EZVPN Server as a part of a group.■ Use the username command to specify the stored username and password used toprovide additional authentication using XAUTH.B

QUESTION 20Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?

A. Only one tunnel can be created per tunnel source interface.B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancyC. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.


Explanation/Reference:Page 470Task 4: Create an mGRE Tunnel InterfaceTask 4 creates the mGRE tunnel interface. Enter the interface tunnel command and then configure basic GREparameters. The tunnel mode gre multipoint command designates the tunnel interface as mGRE and the tunnelsource command specifies the physical interface to which the GRE tunnel is bound. The tunnel key commandis required and must match the tunnel key configured on the spokes. This command allows networkadministrators to run more than one DMVPN at a time on the same router. The GRE tunnel key thereforeuniquely identifies the DMVPN.

QUESTION 21Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which additionalcommand keyword should be added if you would like to use these keys on another router or have the ability toback them up to another device?

A. redundancyB. exportableC. on:USB smart-tokenD. usage-keys



QUESTION 22Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)

A. routed modeB. interzone modeC. fail open mode

D. transparent modeE. inspection mode

Correct Answer: ADSection: Zone Based FirewallExplanation


QUESTION 23What is the result of configuring the command dotlx system-auth-control on a Cisco Catalyst switch?

A. enables the switch to operate as the 802.1X supplicantB. globally enables 802.1X on the switchC. globally enables 802.1X and defines ports as 802.1X-capableD. places the configuration sub-mode intodotix-auth mode, in which you can identify the authentication server

parameters

Correct Answer: BSection: Switch SecurityExplanation


QUESTION 24Which information is displayed when you enter the Cisco IOS command show epm session?

A. Enforcement Policy Module sessionsB. External Proxy Mappings, per authenticated sessionsC. Encrypted Policy Management sessionsD. Enhanced Protected Mode sessions

Correct Answer: ASection: Router SecurityExplanation

Explanation/Reference:http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s4.html#wp1063145

QUESTION 25Refer to the exhibit. Based on the partial configuration shown, which additional configuration parameter isneeded under the GET VPN group member GDOI configuration?

A. key server IP addressB. local priorityC. mapping of the IPsec profile to the IPsec SAD. mapping of the IPsec transform set to the GDOI group



QUESTION 26Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)

A. The tunnel will use the routing protocol configured for GigabitEthemet 1/1 for all tunnel communication withthe peer.

B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect, it should be iproute 192.168.2.0 255.255.255.0 tunnel 0.

C. This is an example of a static point-to-point VTI tunnel.

D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.

Correct Answer: CESection: VPNExplanation

Explanation/Reference:Page 400, 401

QUESTION 27You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems.You have verified that matching IKE and IPsec polices exist on both peers. The remote client has alsosuccessfully entered authentication credentials. What is the next step to take in troubleshooting this problem?

A. verify that the router is not denying traffic from the tunnelB. verify that the router is able to assign an IP address to the clientC. examine routing tablesD. issue a ping from the client to the router to verify reachability



QUESTION 28Which of these is a result of using the same routing protocol process for routing outside and inside the VPNtunnel?

A. This will provide for routing-protocol-based failover redundancy.B. Spoke routers will able to dynamically learn routes to peer networks.C. This will allow VPN-encapsulated packets to be routed out the correct physical interface used to reach the

remote peerD. The tunnel will constantly flap.



Recursive Routing HazardYou must take precautions when configuring dynamic routing protocols to ensure thatthere is a device that participates in the same routing protocol both outside the VPN tunnel (thetransport network) and inside the tunnel (directly with VPN peers).This could be a possibility if an organization is in control of the transport network and wants to provide highavailability through dynamic routing, both inside the transport net-work and inside the VPN to ensure continuous connectivity.

This kind of routing requires that VPN devices be prevented from learning the paths to their remote peer tunneldestination IP addresses over the VPN tunnel itself. The single-hop path over the VPN will always be a better route than the path over the transport network. This situation willbreak the tunnel because it causes the VPN-encapsulated packetto be routed into its own tunnel interface instead of being routed out the correct physical interface that is used to

reach the remote VPN peer. Cisco IOS Software will react to thisbehavior by flapping the tunnel interface.

Use either route filtering or a different routing protocol for the transport network and the VPN networkto avoid this recursive routing issue.

QUESTION 29Refer to the exhibit. What can be determined from the output of this show command?

A. The switch port interface is enabled and operating as a community port.B. The interface is acting as an isolated switch port operating in VLAN 1.C. The interface is configured for Private VLAN Edge.D. The switch port interface is not a trusted port.



QUESTION 30You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMPsecurity association established between peers. You debug the connection process and see an error messageof 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?

A. This indicates a policy mismatch.B. This indicates that the offered attributes did not contain a payload.C. IKE has failed initial attempts and will resend policy offerings to the peer router.D. The time stamp of the message shows that it is one day old. This could indicate a possible mismatch of

system clocks and invalidate the connection attempt.



QUESTION 31

Refer to the exhibit. Given the output shown, what can be determined?

A. An attacker has sent a spoofed DHCP address.B. An attacker has sent a spoofed ARP response that violates a static mapping.C. The MAC address has matched a deny rule within the ACL.D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination


Explanation/Reference:You can create an extended ACL with MAC address mapping.

If you have a spoofed arp then the message will be different than ACL-DENY - it will be DHCP Snooping Deny.

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_arpinspect.html#wp1125009

3550(config-arp-nacl)#permit ip host 192.168.69.25 mac host 000c.2957.6b39 logThis will permit a host with an IP of 192.168.69.25 and a Mac of 00-0c-29-57-6b-39 to arp on the network.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------If Host 2 attempts to send an ARP request with the IP address 10.0.0.1, DAI drops the request and logs thefollowing system message:

00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Ethernet1/4, vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])

00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Ethernet2/3, vlan 1.([0002.0002.0002/10.0.0.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Fri Jul 13 2008])

QUESTION 32Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificateserver?

A. seep enable (under interface configuration mode)B. cryptopki seep enableC. grant autoD. ip http server

Correct Answer: DSection: Router SecurityExplanation


QUESTION 33

When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?

A. RADIUSB. TACACS+C. MABD. EAPOL

Correct Answer: DSection: Switch SecurityExplanation

Explanation/Reference:Page: 119Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used between theauthenticator and the authentication server.

QUESTION 34Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined fromthe partial IP admission configuration shown?

A. The router will forward authentication requests toa AAA server for authentication and authorization.B. The local user password is thl3F4ftvA.C. The router will intercept incoming HTTP sessions on interface G0/0 for authentication.D. The SUPERUSER's privilege level is being restricted.

E. The attribute type supplicant-group "SUPERUSER" configuration can be used to match criteria in the"inspect" class-map type using the match access-group option.


Explanation/Reference:Page 170,171

QUESTION 35Which of these is an implementation guideline when deploying the IP Source Guard feature in an environmentwith multiple switches?

A. Do not configure IP Source Guard on inter-switch links.B. Configure PACLs for DHCP-addressed end devices.C. IP Source Guard must be configured in the trunk sub-configuration mode to work on inter-switch links.D. Configure static IP Source Guard mapping for all access ports.

Correct Answer: ASection: Switch SecurityExplanation


QUESTION 36What does the command errdisable recovery cause arp-inspection interval 300 provide for?

A. It will disable a port when the ARP rate limit of 300 packets per second is received and wait a configuredinterval time before placing the port back in normal operation.

B. It will inspect for ARP-disabled ports every 300 seconds.C. It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential ARP attacks

from reoccurring.D. It will recover a disabled port due to an ARP inspection condition in 5 minutes.



QUESTION 37You have configured Management Plane Protection on an interface on a Cisco router. What is the resultingaction on implementing MPP?

A. Inspection of protected management interfaces is automatically configured to ensure that managementprotocols comply with standards.

B. The router gives preference to the configured management interface. If that interface becomes unavailable,management protocols will be allowed on alternate interfaces.

C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.D. Only management protocols are allowed on the protected interface.

Correct Answer: DSection: Router Security

Explanation


QUESTION 38Refer to the exhibit. What can be determined from the configuration shown?

A. The community SNMP string is SNMP-MGMT-VIEW.B. All interfaces will be included in the SNMP GETs.C. This SNMP group will only allow read access to interface MIBs.D. The SNMP server group is using 128-bit SHA authentication.


Explanation/Reference:first line -- interfaces included specifies that this view is only allowed to see the interface MIB's

QUESTION 39When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updatesfrom being installed on the router?

A. configure authentication and authorization for maintaining signature updatesB. install a known RSA public key that correlates to a private key used by CiscoC. manually import signature updates from Cisco to a secure server, and then transfer files from the secure

server to the routerD. use the SDEE protocol for all signature updates from a known secure management station

Correct Answer: BSection: IPSExplanation


QUESTION 40A user has requested a connection to an external website. After initiating the connection, a message appears inthe user's browser stating that access to the requested website has been denied by the company usage policy.What is the most likely reason for this message to appear?

A. An antivirus software program has blocked the session request due to potential malicious content.

B. The network has been configured with a URL filtering service.C. The network has been configured for 802.1X authentication and the user has failed to authenticateD. The user's configured policy access level does not contain proper permissions



QUESTION 41Refer to the exhibit. Given the partial configuration shown, what can be determined.

A. This is an example of a dynamic policy PAT rule.B. This is an example of a static policy NAT rule.C. Addresses in the 10.10.30.0 network will be exempt from translation when destined for the 10.100.100.0

network.D. The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network to the

10.100.100.0 network



QUESTION 42When is it most appropriate to choose IPS functionality based on Cisco IOS software?

A. when traffic rates are low and a complete signature is not requiredB. when accelerated, integrated performance is required using hardware ASIC-based IPS inspectionsC. when integrated policy virtualization is requiredD. when promiscuous inspection meets security requirements



QUESTION 43When performing NAT, which of these is a limitation you need to account for?

A. exhaustion of port number translationsB. embedded IP addressesC. security payload identifiers

D. inability to provide mutual connectivity to networks with overlapping address spaces



QUESTION 44You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events onyour monitoring system (such as Cisco IME). On the router, you see events being captured. What is the nextstep in troubleshooting the problem?

A. verify that syslog is configured to send events to the correct serverB. verify SDEE communicationsC. verify event action rulesD. verify that the IPS license is valid

Correct Answer: BSection: IPSExplanation


QUESTION 45Which two of these are features of control plane security on a Cisco ISR? (Choose two.)

A. CoPPB. RBACC. AAAD. CPPrE. uRPFF. FPM

Correct Answer: ADSection: Router SecurityExplanation


QUESTION 46Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choosetwo.)

A. DHCP snoopingB. DoSC. confidentiality breachD. spoofed MAC addressesE. switch ports being converted to anuntrusted state

Correct Answer: BCSection: Router Security

Explanation


QUESTION 47When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?

A. It is calculated from the Event Risk Rating.B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity RatingC. It is manually set by the administrator.D. It is set based upon SEAP functions.



QUESTION 48Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?

A. enable NTP for event correlationB. enable IP routing authenticationC. configure an access list with exempt DHCP-initiated IP address rangesD. turn DHCP snooping on at least 24 hours in advance



QUESTION 49What action will the parameter-map type ooo global command enable?

A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packetsB. globally classifies type ooo packets within the parameter map and subsequent policy mapC. enables a parameter map named oooD. configures a global parameter map for traffic destined to the router itself



QUESTION 50You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see thismessage:%IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms. What do you expect happened duringdownloading and compilation of the files?

A. The files were successfully copied with an elapse time of 275013 ms.The router will continue with extractionand compilation of the signature database.

B. The signature engines were compiles, but there is no indication that the actual signatures were compiled.C. The compilation failed for some of the signature engines. There are 16 engines, but only 6

were completed according to the %IPS-6 messageD. The files were compiled without error.

Correct Answer: DSection: IPSExplanation


QUESTION 51Refer to the exhibit. Given the configuration shown, which of these statements is correct?

A. An external service is providing URL filtering via a subscription service.B. All HTTP traffic to websites with the name "Gambling" included in the URL will be reset.C. A service policy on the zone pair needs to be configured in the opposite direction or all return HTTP traffic

will be blocked by policyD. The URL filter policy has been configured in a fail-closed scenario.

Correct Answer: ASection: Zone Based FirewallExplanation


QUESTION 52Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given this outputof the show command? (Choose two.)

A. There was a network ID mismatch.B. The spoke router has not yet sent a request via Tunnel0.C. The spoke router received a malformed NHRP packet.D. There was an authentication key mismatch.E. The registration request was expecting a return request ID of 1201, but received an ID of 120.

Correct Answer: ADSection: VPNExplanation


QUESTION 53Refer to the exhibit. What can be determined from the information shown?

A. The user has been restricted to privilege level 1.B. The standard access list should be reconfigured as an extended access list to allow desired user

permissionsC. RBAC has been configured with restricted views.D. IP access list DMZ_ACL has not yet been configured with proper permissions.



QUESTION 54Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined fromthe partial IP admission configuration shown?

A. The router will forward authentication requests toa AAA server for authentication and authorization.B. The user maint3nanc3 will have complete CLI command access once authenticated.C. After a period of 20 minutes, the user will again be required to provide authentication credentials.D. The authentication proxy will fail, because the router's HTTP server has not been enabled.E. All traffic entering interface GO/1 will be intercepted for authentication, but only Telnet traffic will be

authorized.



QUESTION 55What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?

A. assigns clients that fail 802.1X authentication into the restricted VLAN 300B. assigns clients to VLAN 300 and attempts reauthorizationC. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL

request/identity frameD. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network

access again for 300 seconds

Correct Answer: ASection: Switch SecurityExplanation


QUESTION 56Which of these are the two types of keys used when implementing GET VPN?(Choose two)

A. public keyB. group encryption C. traffic encryption keyD. pre-shared keyE. key encryptionF. private key

Correct Answer: CESection: VPNExplanation


QUESTION 57Which Cisco IOS feature provides secure, on-demand meshed connectivity?

A. Easy VPNB. IPsec VPNC. mGRED. DMVPN



QUESTION 58You have configured a Cisco router to act a PKI certificate server. However,you are experiencing problemsstarting the server. You have verified that al CA parameters have been correctly configured. What is the nextstep you should take in troubleshooting this problem?

A. Disable and restart the router’s HTTP server functionB. Verify the RSA key pair and generate new keysC. Verify that correct time is being used and source are reachableD. Enable the SCEP interface


Explanation/Reference:Neil says Page 423 of guide but there are others who prefer the answer from the previous dump.

However, the question clearly states “You have verified that al CA parameters have been correctly configured”

So if the configuration is correctly configured, why would you enable SCEP interface again? The best answer isverify correct time is being used and source are reachable.

QUESTION 59Which three of these are features of data plane security on a Cisco ISR? (Choose three.)

A. Routing protocol filteringB. FPMC. uRPFD. RBACE. CPPrF. Netflow export

Correct Answer: BCFSection: Router SecurityExplanation


QUESTION 60When configuring URL filtering with the Trend Micro filtering service. Which of these steps must you take toprepare for configuration?

A. Define blacklists and whitelistsB. Categorize traffic typesC. Synchronize clocks via NTP to ensure accuracy of URL filter updates from the serviceD. Install the appropriate root CA certificate on the router

Correct Answer: BSection: Zone Based FirewallExplanation

Explanation/Reference:http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/white_paper_c89-492776.pdf

A These are used as a fall back if Trend connection failsC, D needed to install Trend service

That leaves B

QUESTION 61Which of these correct regarding the functionally of DVTI tunnels?

A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hubB. DVTI tunnels appear on the hub as tunnel interfacesC. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote

communications from spoke to spokeD. Spoke router require a virtual template to clone the configuration on which the DVTI tunnel is established

Correct Answer: ASection: VPN

Explanation

Explanation/Reference:Another Cisco classic – this one is talking about functionality not configuration so I feel the answer is A not D –see page 4 of http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.pdf

QUESTION 62When you are configuring DHCP snooping, how should you classify access ports?

A. promiscuousB. trusted C. untrustedD. private



QUESTION 63When implementing GET VPN, which of these is a characteristic of GDOI IKE?

A. GDOI IKE sessions are established between all peers in the networkB. GDOI IKE uses UDP port 500C. Security associations do not need to linger between members once a group member has authenticated to

the key server and obtained the group policyD. Each pair of peers has a private set of IPsec security associations that is only shared between the two

peers

Correct Answer: CSection: VPNExplanation

Explanation/Reference:http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.pdfSummarizes how it works and to me shows that answer C is correct

QUESTION 64When you are configuring a DMVPN network,which tunnel mode should you use for the hub routerconfiguration?

A. GRE multipointB. Nonbroadcast multiaccessC. Classic point-to-point GRED. IPsec multipoint


Explanation/Reference:http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html

The hub-and-spoke deployment model is the most common deployment model. This model is the mostscalable, and predominately mimics traditional Layer 2 leased line, Frame Relay, or ATM hub-and-spokenetworks. The headend is configured with a multipoint GRE (mGRE) interface, and the branch with a point-to-point (p2p) GRE interface.

QUESTION 65VPN Simlet # 1:

Type the name of the Router first you will type command in - ie R1# or R2#2 - leave a space and the type the command required to show the output you need to get thisinformation

(example - show XXXX XXXX XXXX)NB: remember the purpose is to familiarize you with the show commands - actual test will differ fromthese configurations

Correct Answer: R1# show crypto gdoi -or- R2# show crypto gdoiSection: Simlet-VPNExplanation

Explanation/Reference:This command will show you the KS ip address and your registration - with time to re-key

R1#show crypto gdoiGROUP INFORMATION

Group Name : GETVPNGROUP Group Identity : 67890 Rekeys received : 0 IPSec SA Direction : Both Active Group Server : 192.168.1.2 Group Server list : 192.168.1.2

GM Reregisters in : 3434 secs

Rekey Received : never

Rekeys received Cumulative : 0 After registration : 0

ACL Downloaded From KS 192.168.1.2: access-list permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

TEK POLICY for the current KS-Policy ACEs Downloaded: FastEthernet0/0: IPsec SA: spi: 0x673C7398(1732015000) transform: esp-aes esp-sha-hmac sa timing:remaining key lifetime (sec): (3571) Anti-Replay : Disabled




Correct Answer: R2# show crypto ipsec transform-setSection: Simlet-VPNExplanation


NB - only show run commands accepted are show run interfaces

R2#show crypto ipsec transform-setTransform set GETSET: { esp-sha-hmac } will negotiate = { Tunnel, }, { esp-256-aes } will negotiate = { Tunnel, },!



(example - show XXXX XXXX XXXX)This question will require you to use both R2 and then R1 - so three lines in totalNB: remember the purpose is to familiarize you with the show commands - actual test will differfrom these configurations

Correct Answer: R2# show crypto gdoi ks -or- R2# show crypto gdoi ks members -or- R1# show ip interfacebriefSection: Simlet-VPNExplanation


NB: it is assumed that only R1 is a member router and ISP is not a member

R1#show crypto gdoi ksTotal group members registered to this box: 0

Confirmed this is not the key server ----------------------------------------------------------------------------R2#show crypto gdoi ksTotal group members registered to this box: 2

Key Server Information For Group GETVPNGROUP: Group Name : GETVPNGROUP Group Identity : 67890 Group Members : 1 IPSec SA Direction : Both ACL Configured: access-list 101---------------------------------------------------------------------------R2#show crypto gdoi ks members

Group Member Information :

Number of rekeys sent for group GETVPNGROUP : 0

Group Member ID : 192.168.2.1Group ID : 67890Group Name : GETVPNGROUPKey Server ID : 0.0.0.0-----------------------------------------------------------------------------Confirm the IP address is associated with R1 and not ISP

R1#show ip interface briefInterface IP-Address OK? Method Status ProtocolFastEthernet0/0 192.168.2.1 YES manual up up

All commands can be referenced herehttp://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html#wp1159252




Correct Answer: R2# show crypto gdoi group GETVPNGROUPSection: Simlet-VPNExplanation

Explanation/Reference:R2 is better as this is the KS

R2#show crypto gdoi group GETVPNGROUP Group Name : GETVPNGROUP (Multicast) Group Identity : 67890 Group Members : 2 IPSec SA Direction : Both Active Group Server : Local Group Rekey Lifetime : 86400 secs Rekey Retransmit Period : 10 secs Rekey Retransmit Attempts: 2

IPSec SA Number : 10 IPSec SA Rekey Lifetime: 3600 secs Profile Name : GETPROFILE Replay method : Count Based Replay Window Size : 64 SA Rekey Remaining Lifetime : 1998 secs ACL Configured : access-list 101

Group Server list : Local

NB: some other tests have 2 answers highlighted- the question does not ask for (Choose Two) and mustassume on one selection is correct.




Correct Answer: R1# show crypto map -or- R1# show crypto isakmp keySection: Simlet-VPNExplanation

Explanation/Reference:R1 is the only group member that you can access so it it is assumed this is the only group member

R1#show crypto mapCrypto Map "CMAP" 10 gdoi Group Name: GETVPNGROUP identity number 67890 server address ipv4 192.168.1.2 Interfaces using crypto map CMAP: FastEthernet0/1----------------------------------------------------------------------------------------------R1#show crypto isakmp key

Keyring Hostname/Address Preshared Key

default 192.168.1.2 GETVPNKEY

QUESTION 70

When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you usefor the spoke router configuration?

A. GRE multipointB. classic point-to-point GREC. IPsec multipointD. nonbroadcast multiaccess


Explanation/Reference:http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html

The hub-and-spoke deployment model is the most common deployment model. This model is the mostscalable, and predominately mimics traditional Layer 2 leased line, Frame Relay, or ATM hub-and-spokenetworks. The headend is configured with a multipoint GRE (mGRE) interface, and the branch with a point-to-point (p2p) GRE interface.

Exam B

QUESTION 1Drag and Drop #1

Select and Place:

Correct Answer:

Section: Switch SecurityExplanation

Explanation/Reference:Page 113 of the CCNP Secure guide

Gathering Input Parameters

Because 802.1X authentication requires several technologies to work together, up-front planning helps ensure the success of the deployment. Part of this planning involves gathering important input information:

■ Determine the list of LAN switches that currently allow unauthorized users full access to the network. Use this list to determine which of these devices should be configured with 802.1X and the feature availability on the switches.

■ Determine what authentication database (such as Windows AD) is being used for user credentials. This allows you to determine whether you can leverage the same one and make the 802.1X deployment transparent to your users.

■ Determine the types of clients being used on the network (platform and operating systems). This is required to choose a compatible supplicant and to configure it ap- propriately.

■ Determine the software distribution mechanism in use by the organization. This will affect provisioning and supporting the supplicant on current and future client workstations.

■ Determine whether the network path between the supplicant and the authentication server is trusted. A trusted network path allows an anonymous EAP-FAST implementation, whereas a nontrusted network path requires separate EAP-FAST credentials.

QUESTION 2Drag & Drop #3

Select and Place:

Correct Answer:

Section: VPNExplanation

Explanation/Reference:Verify cryptographic configs

outer# show crypto isakmp policy rotection suite priority 15

ncryption algorithm: DES - Data Encryption Standard (56 bit keys) ash algorithm: Message Digest 5

uthentication method: Rivest-Shamir-Adleman Signature iffie-Hellman Group: #2 (1024 bit)

ifetime: 5000 seconds, no volume limit rotection suite priority 20

ncryption algorithm: DES - Data Encryption Standard (56 bit keys) ash algorithm: Secure Hash Standard

authentication method: preshared Ke


Select and Place:

Correct Answer:

Section: Router SecurityExplanation



Select and Place:

Correct Answer:




Select and Place:

Correct Answer:

Section: Drag and DropExplanation



Select and Place:

Correct Answer:




Select and Place:

Correct Answer:



QUESTION 8Drah & Drop #8

Select and Place:

Correct Answer:





Select and Place:

Correct Answer:


Explanation/Reference:Page 453 - CCNP Security Guide - Initial State

In its initial state, the network is purely hub-and-spoke and can stay that way if desired.The initial network properties are■ The hub knows the outer and inner IP addresses of each spoke in its NHRP database.■ Three spoke-to-hub GRE/IPsec tunnels are created.■ Any traffic from a spoke (whether to a hub or another spoke) must travel throughthe hub.Figure 17-1 DMPVN: Hub-and-Spoke Model


Select and Place:

Correct Answer:

Section: IPSExplanation


QUESTION 11

Drag & Drop 11

Select and Place:

Correct Answer:

Section: Router SecurityExplanation

Explanation/Reference:http://www.slideshare.net/CiscoSystems/ccsp-effective-deployment-of-cisco-asa-access-control

Go to slide > 50/73


Select and Place:

Correct Answer:




Select and Place:

Correct Answer:



QUESTION 14DRAG DROP

A. Router(config)# zone security INSIDERouter(config-sec-zone)#exitRouter(config)# zone security OUTSIDERouter(config-sec-zone)#exitRouter(config)# interface fa0/0/1Router(config-if)# no shutdownRouter(config-if)# zone-member security INSIDERouter(config-if)# exitRouter(config)# interface fa0/0/0Router(config-if)# no shutdownRouter(config-if)# zone-member security OUTSIDERouter(config-if)# exit

Router(config)# class-map type inspect match-any HTTP_POLICYRouter(config-cmap)# match protocol httpRouter(config-cmap)#exit

Router(config)# policy-map type inspect IN-TO-OUT-POLICYRouter(config-pmap)# class type inspect HTTP_POLICYRouter(config-pmap-c)# inspectRouter(config-pmap-c)#class-defaultRouter(config-pmap-c)#dropRouter(config-pmap-c)# exit

Router(config)# zone-pair security IN-TO-OUT source INSIDE destination OUTSIDERouter(config-sec-zone-pair)# service-policy type inspect IN-TO-OUT-POLICYRouter(config-sec-zone-pair)# end

Router(config)# copy running-config startup-config

Correct Answer: ASection: Lab-ZBFWExplanation

Explanation/Reference:1: we divide the network into 2 zones: INSIDE and OUTSIDE2: apply the interfaces to the appropiate Zone Members INSIDE | OUTSIDE3: create a class-map with defined name HTTP_POLICY > match HTTP protocol4: create a policy-map name IN-TO-OUT-POLICY: - define the class-map and apply action > inspect5: create a zone-pair > specify direction with source and destination6: apply policy to the zone-pair - policy created in step 47: std: copy run start

QUESTION 15When is it feasible for a port to be both a guest VLAN and a restricted VLAN?

A. this configuration scenario is never be implementedB. when you have configured the port for promiscuous modeC. when private VLANs have been configured to place each end device into different subnetsD. when you want to allow both types of users the same services

Correct Answer: DSection: (none)Explanation


QUESTION 16Refer to the exhibit.

What can be determined from the information provided in the system image output?

A. The router supports LDAP.

B. A Key Version of "A" indicates that this is an advanced IP security image of the Cisco IOS system.C. The router is in ROM monitor mode.D. This is a digitally-signed Cisco IOS image.



QUESTION 17Which three of these are sources used when the router is configured for URL filtering? (Choose three.)

A. Websense URL filterB. AAA server downloadable ACLsC. ASA URL filter feature setD. Trend Micro cloud-based URL filter serviceE. locally configured filter rules on the routerF. Cisco SenderBase URL filtering service

Correct Answer: ADESection: (none)Explanation


QUESTION 18In an 802.1X environment, which feature allows for non-802.1X-supported devices such as printers and faxmachines to authenticate?

A. multiauthB. WebAuthC. MABD. 802.1X guest VLAN

Correct Answer: CSection: (none)Explanation


QUESTION 19The advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions are which three of the following?(Choose three.)

A. VTI can support QoS.B. VTI provides a routable interface.C. VTI supports nonencrypted tunnels.D. VTI is more scalable than a GRE-based VPN solution.E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus

enabling improved scaling.

F. IPsec VTIs require a loopback interface for configuration.

Correct Answer: BCESection: (none)Explanation

Explanation/Reference:page 391, CCNP Security SECURE 642-637 Official Cert Guide

IPsec VTIs have many benefits:■ Simplify configuration: Configuring IPsec peering is much simpler when using virtual tunnel interfaces ascompared to configuring IPsec peering with crypto maps orGRE/IPsec tunnels.■ Flexible interface feature support: An IPsec VTI is a Cisco IOS Software interface that offers the flexibilityof accepting features that can be applied to physical interfaces(that operate on ciphertext traffic) or the IPsec VTI that operates on clear-text traffic.■ Support for multicast: IPsec VTIs support multicast traffic such as voice and video.■ Better scalability: IPsec VTIs require fewer SAs to support all types of traffic.■ Routable interface: Like GRE/IPsec, VTIs support all types of IP routing protocols, which provides scalabilityand redundancy.

QUESTION 20In Cisco IOS 15.0.1M code for the router platform, which new feature has been added to the zone- based policyfirewall?

A. removal of support for port-to-application matchingB. ability to configure policies for traffic that is traveling between interfaces in the same security zoneC. intrazone traffic is not freely permitted by default nowD. NBAR is not compatible with transparent firewall

Correct Answer: BSection: (none)Explanation

Explanation/Reference:Page: 309, CCNP Security SECURE 642-637 Official Cert Guide

With the release of IOS 15.0.1M, it is also possible to control the traffic within the same zone; this is referred toas intrazone. This is configured by creating a zone pair with the same two zone names as both source anddestination.

QUESTION 21When configuring NAT, which three protocols that are shown may have limitations or complications when usingNAT? (Choose three.)

A. KerberosB. HTTPSC. NTPD. SIPE. FTPF. SQL

Correct Answer: ADESection: (none)

Explanation

Explanation/Reference:Page:278

As with any technology, the use of NAT can introduce problems because some technologiesdo not support the use of NAT. These limitations include

■ Embedding address complications: For the correct operation of NAT, it must understandthe source and destination address information for each conversation. Someprotocols obscure this information, which can be troublesome.

■ Encryption and authorization protocol support: Because the point in many ofthese protocols is to ensure that a packet has not been interfered with in transit, the useof NAT in itself already breaks this requirement because it alters the original packet.Some protocols are likely to fail in situations where traffic traverses a NAT device.

■ Logging complications: The use of NAT can complicate the way to view and interpretlogs. As the address that is used for a specific packet changes from an inside tooutside interface, this must be considered when using logging.

QUESTION 22Which two answers are potential results of an attacker that is performing a DHCP server spoofing attack?(Choose two.)

A. ability to selectively change DHCP options fields of the current DHCP server, such as the giaddr field.B. DoSC. excessive number of DHCP discovery requestsD. ARP cache poisoning on the routerE. client unable to access network resources

Correct Answer: BESection: (none)Explanation

Explanation/Reference:Page : 67

DHCP Server SpoofingWith DHCP server spoofing, the attacker can set up a rogue DHCP server and respond to DHCP requests fromclients on the network. This type of attack can often be grouped with a DHCP starvation attack because thevictim server will not have any new IP addresses to give out, which raises the chance of new clients using therouge DHCP server. This information, which is given out by the rogue DHCP server, could send all the trafficthrough a rogue gateway, which can then capture the traffic for further analysis.

QUESTION 23Cisco IOS Software displays the following message: DHCP_SNOOPING_5-DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate?

A. The message indicates that an attacker is pretending to be a DHCP server on an untrusted port.B. The source MAC address in the Ethernet header does not match the address in the "chaddr" field of the

DHCP request message.C. The message indicates that the DHCP snooping has dropped a DHCP message that claimed an existing,

legitimate host is present on an unexpected interface.D. A Layer 2 port security MAC address violation has occurred on an interface that is set up for untrusted

DHCP snooping.


Explanation/Reference:Actual Log from Switch configured for DHCP spoofing

007850: Nov 26 09:02:55.484 CET: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL:DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type:DHCPRELEASE, chaddr: 0016.4487.6527, MAC sa: 0017.422e.d204

The switch logging message basically says that the MAC address of the client contained in the chaddr (clienthardware address) field in the DHCP message does not match the source MAC address of the frame in whichthe DHCP message is encapsulated. In other words, the interface for which the DHCP message was createddoes not match the interface through which the message was actually transmitted.

https://supportforums.cisco.com/thread/344460


Based on the partial configuration that is provided, if a non-802.1X client connects to a port on this switch,which VLAN will it be assigned to, and how long will it take for the port to time out and transition to the guestVLAN? (Choose all that apply.)

A. The switch is configured for the default 802.1X timeout period of 90 seconds.B. The 802.1X authentication process will time out in 10 seconds and immediately change the port to the guest

VLAN.C. The 802.1X authentication process will time out, and the switch will roll over the port to the guest VLAN in

15 seconds.D. The non-802.1X client and phones will all be assigned to VLAN 30.E. The non-802.1X client will be assigned to VLAN 40.F. The non-802.1X client will be assigned to VLAN 10.

Correct Answer: CESection: (none)

Explanation

Explanation/Reference:Page : 119The authenticator expects to receive the EAP-Response/Identity frame as a response to its EAP-Request/Identity frame. If it has not received this frame within the default retransmissiontime, it will resend the Request frame. The default retransmission timer is 30 seconds. You can adjust this timeto increase response times, which will allow a faster 802.1Xauthentication process. The retransmission timer is changed with the dot1x timeout txperiod interfacecommand.

If the switch fails to authenticate a client, such as the user entering a bad password, the switch waits a period oftime before trying again. The default value for this quiet timer is60 seconds. You can lower this value, thus giving the client a faster response time with the dot1x timeoutquiet-period seconds interface configuration command.

QUESTION 25Which protocol is EAP encapsulated in for communications between the authenticator and the authenticationserver?

A. EAP-MD5B. IPsecC. EAPOLD. RADIUS


Explanation/Reference:Page: 119Note: EAPOL is used between the supplicant and the authenticator, while RADIUS is used between theauthenticator and the authentication server.


What can be determined about IPS updates from the configuration shown?

A. Updates will be stored on the ida-client server.B. Updates will be stored in the directory labeled "cisco."C. Updates will be retrieved from an external source every day of the week.

D. Updates will occur once per week on Sundays between midnight and 6 a.m. (0000 and 0600).


Explanation/Reference:Task 2: Configure Automatic Signature UpdatesThe second task illustrates how to configure the router to attempt to retrieve automatic signature updates fromCisco.com or a local server.

To do this, first configure the update URL using the ida-client server url command. Use the https://www.cisco.com/cgi-bin/front.x/ids/locator/locator.pl URL. Next, create anauto-update profile using the ip ips auto-update command. Use the cisco command inside the profile todesignate obtaining updates from Cisco.com. To control when the updateattempts occur, use the occur-at command. Example 13-9 illustrates the setup of the configuration to retrieveautomatic updates from the Cisco.com repository as well as toprovide the Cisco.com credentials that will be used for authentication through using the username command.Example 13-10 illustrates the setup of the configuration to retrieveautomatic updates from a local staging server.

The following specifics are used in the example:■ Days of the week: 0-6 (Sunday–Saturday)■ Minutes: Minutes from the top of the hour (0)■ Hour: Hour of the day (3:00 a.m.)

Comment: According to the given exhibit Update occured every day (Sunday to saturday) @ 00:01am(or 12:01am)


Which of these is correct based on the partial configuration shown?

A. The policy is configured to use an authentication key of "rsa-sig."B. The policy is configured to use hashing group sha-1.C. The policy is configured to use triple DES IPsec encryption.D. The policy is configured to use digital certificates.E. The policy is configured to use access list 101 to identify the IKE-protected traffic.



QUESTION 28When uploading an IPS signature package to a Cisco router, what is required for the upload to self-extract thefiles?

A. the idconf on the end of the copy commandB. a public key on the Cisco routerC. IPS must be disabled on the upload interfaceD. HTTP Secured server must be enabled

Correct Answer: ASection: (none)Explanation

Explanation/Reference:Page: 344First, the signature package must be downloaded from Cisco.com. Go to the download section of Cisco.comand navigate to Products > Security > Integrated Router/SwitchSecurity > Integrated Threat Control > Cisco IOS Intrusion Prevention System Feature Software > IOS IPSSignature Data File. Download the latest package, which should havea filename in the format IOS-Sxxx-CLI.pkg. Put the file on the server from which you will transfer it to therouter. Use the copy command to transfer the file to the router’s idconf alias. This causes the router to download andunpack the contents of the file (XML files)

QUESTION 29To prevent a spanning-tree attack, which command should be configured on a distribution switch port that isconnected to an access switch?

A. spanning-tree portfast bpduguard defaultB. spanning-tree backbone fastC. spannning-tree bpduguard enableD. spanning-tree guard root


Explanation/Reference:Page: 74To mitigate STP manipulation, two different features can be used. The Root Guard feature is configured on aswitchport that should never become a root port, or in other words, theport that forwards traffic going toward the root bridge. A good example of this would be a connection between adistribution layer switch and an access layer switch. In this scenario,the port on the distribution switch going toward the access layer should never become a root port because theaccess layer switch should never become the root switch. Ifthe switchport does receive a superior BPDU, the port will go into root-inconsistent state, indicating that anotherswitch is attempting to become the root switch.

Enables the Root Guard feature on a switchport Switch(config-if)# spanning-tree guard root

QUESTION 30In a GETVPN solution, which two ways can the key server distribute the new keys to the group members duringthe rekey process? (Choose two.)

A. multicast UDP transmissionB. multicast TCP transmissionC. unicast UDP transmissionD. unicast TCP transmission

Correct Answer: ACSection: (none)Explanation

Explanation/Reference:Page : 505Rekeying MethodsGET VPNs use rekey messages to refresh their IPsec SAs (session keys) outside of IKE sessions. When thegroup IPsec SAs are about to expire, one single rekey message for a particulargroup is generated on the key server. Distribution of the rekey message does not require that new IKE sessionsbe created. GET supports rekeying for unicast and multicast.

QUESTION 31You are a network administrator and are moving a web server from inside the company network to a DMZsegment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on theinside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to8080 but do not want your inside users to be affected. Which NAT statement should you configure on yourrouter to support the change?

A. hostname(config)# ip nat inside source static 172.16.10.50 172.20.10.5B. hostname(config)# ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080C. hostname(config)# ip nat outside source static tcp 172.16.10.50 80 172.20.10.5 8080D. hostname(config)# ip nat static outside source tcp 172.20.10.5 80 172.16.10.50 8080E. hostname(config)# ip nat static inside source udp 172.20.10.50 172.20.10.5


Explanation/Reference:Page: 280

QUESTION 32When configuring NAT, and your solution requires the ability to see the inside local and outside global addressentries and any TCP or UDP port in the show ip nat command output, how should NAT be configured on therouter?

A. use the overload option on the end of your static NAT statementB. include both static and dynamic NAT configuration on the routerC. tie the ip nat inside command to a dynamic NAT poolD. attach a route-map to the ip nat inside commandE. configure the ip nat inside command to an extended ACL


Explanation/Reference:https://supportforums.cisco.com/docs/DOC-5061

To configure static NAT with the route-map option, issue the ip nat inside source static local-ip global-iproute-map map-name command from global configuration mode


You are working for a corporation that has connected its network to a partner network. Based on this partialconfiguration that is supplied in the exhibit, which two things happen to traffic that is inbound from the partnernetwork (outside is 10.10.30.0/24) and the return traffic from the inside as it travels through this router?(Choose two.)

A. The source address of the IP packets that are traveling from the 10.10.30.0/24 network to 10.10.19.0/24 aretranslated to 172.19.1.0/24.

B. The destination address of IP packets that are traveling from 10.10.19.0/24 to any IP network is translatedto 172.19.1.0/24.

C. IP traffic that is flowing from 10.10.19.0/24 to 10.10.30.0/24 has the source address translated to172.19.1.0/24.

D. The destination address of IP packets that are traveling from 10.10.19.0/24 to 10.10.30.0/24 are translatedto 172.19.1.0/24.

E. The destination address of IP packets that are traveling from 10.10.30.0/24 to 10.10.19.0/24 are translatedto 172.19.1.0/24.

Correct Answer: ADSection: (none)Explanation


QUESTION 34You are a network administrator that is deploying a Cisco router that needs to support both PAT and site-to-siteVPN on one public IP address. In order to make both work simultaneously, how should the NAT configurationbe set up?

A. The VPN configuration should be set up with a static NAT configuration.B. Because PAT does support AH, the VPN tunnel must not be configured with Encapsulating Security

Payload (ESP).C. An ACL should be attached to the nat command to permit the NAT traffic and deny the VPN traffic.D. The nat configuration command needs to include a range of IP addresses with the overload word on the

end.E. A route-map should be used with the nat command to support the use of AH and ESP.F. The ip nat inside command needs to exclude the VPN source address in the NAT pool.




Based on the configuration that is shown in the exhibit, select the three answers that apply. (Choose three.)

A. The configuration supports multidomain authentication, which allows one MAC address on the voice VLANand one on the data VLAN.

B. Traffic will not flow for either the phone or the host computer until one device completes the 802.1Xauthentication process.

C. Registration and DHCP traffic will flow on either the data or voice VLAN before authentication.D. The port will only require the 802.1X supplicant to authenticate one time.E. MAC Authentication Bypass will be attempted only after 802.1X authentication times out.F. Non-802.1X devices are supported on this port by setting up the host for MAC address authentication in the

endpoint database.

Correct Answer: ACFSection: (none)Explanation

Explanation/Reference:Page : 174-178

QUESTION 36You are finding that the 802.1X-configured ports are going into the error-disable state. Which command willshow you the reason why the port is in the error-disable state, and which command will automatically be re-enabled after a specific amount of time? (Choose two.)

A. show error-disable statusB. show error-disable recoveryC. show error-disable flap-statusD. error-disable recovery cause security-violationE. error-disable recovery cause dot1xF. error-disable recovery cause l2ptguard

Correct Answer: BDSection: (none)Explanation


QUESTION 37Your company has a requirement that if security is compromised on phase 1 of a Diffie-Hellman key exchangethat a secondary option will strengthen the security on the IPsec tunnel. What should you implement to ensurea higher degree of key material security?

A. Diffie-Hellman Phase II ESPB. PFS Group 5C. Transform-set SHA-256D. XAUTH with AAA authenticationE. Diffie-Hellman Group 5 Phase I



IPsec PhasesIPsec has two phases:■ Phase 1: Two IKE peers establish a secure, authenticated channel and establish shared keying informationusing a Diffie-Hellman key exchange. This channel is known as the IKE (or ISAKMP) SA. Phase 1 can functionin either main mode or aggressive mode.

■ Phase 2: Additional SAs are established for use by services, such as IPsec or any other service that needssecure keying material or parameter negotiation, or both.IPsec session keys are derived from the initial keying material that was obtained during the Phase 1 Diffie-Hellman key exchange. The IPsec session keys can be optionallycreated using new, independent Diffie-Hellman key exchanges by enabling the Perfect Forward Secrecy (PFS)option. This Phase 2 exchange is called the IKE QuickMode. IKE Quick Mode is one of two modes of IKE Phase 2, with the other being the Group Domain ofInterpretation (GDOI) Mode used by GET VPN.

QUESTION 38

Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?

A. reflexive access control listsB. NetFlowC. Flexible Packet MatchingD. Control Plane Policing



FPM is implemented using a filtering policy that is divided into four tasks:■ Loading of a Protocol Header Description File (PHDF)■ Defining a class map and a specific protocol stack chain (traffic class)■ Defining a service policy (traffic policy)■ Application of a service policy on a specific interface

QUESTION 39You are troubleshooting a problem for which end users are reporting connectivity issues. Your network hasbeen configured with Layer 2 protection controls. You have determined that the DHCP snooping database iscorrect and that proper static addressing maps have been configured. Which of these should be your next stepin troubleshooting this problem?

A. Generate a proxy ARP request and verify that the DHCP database has been updated as expected.B. Temporarily disable DHCP snooping and test connectivity again.C. Clear the ARP tables and have end users release and renew their DHCP-learned addressing.D. Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.


Explanation/Reference:Explanation:

QUESTION 40You are troubleshooting a reported connectivity issue from a remote office whose users are accessingcorporate headquarters via an IPsec VPN connection. You issued a show crypto isakmp sa command on theheadend router, and the state has MM_NO_STATE. Which debug command should you enter next, and whichpart of the VPN tunnel establishment process is failing? (Choose two.)

A. ISAKMP Phase IIB. ISAKMP Phase IC. debug crypto isakmp saD. debug crypto isakmpE. debug crypto ipsec



Please check answer B

Troubleshooting FlowFollow these steps to proceed through the recommended flow for troubleshooting IKE peering:Step 1. Verify peer reachability using the ping and traceroute commands with the tunnel source anddestination IP addresses on both peers. If connectivity is verified, proceed to Step 2; otherwise, check the path between the two peers for routing or access (firewall oraccess list) issues.

Step 2. Verify the IKE policy on both peers using the show crypto isakmp policy command. Debug messagesrevealed by the debug crypto isakmp commandwill also point out IKE policy mismatches.

Step 3. Verify IKE peer authentication. The debug crypto isakmp command will display unsuccessfulauthentication.

Step 4. Upon successful completion of Steps 1–3, the IKE SA should be establishing. This can be verified withthe show crypto isakmp sa command and lookingfor a state of QM_IDLE.

QUESTION 41You are installing a brand-new, site-to-site VPN tunnel and notice that it is not working correctly. Whenconnecting to the corporate router and issuing a show crypto ipsec sa command, you notice that for thisparticular SA that packets are being encrypted but not decrypted. What are two potential reasons for thisproblem? (Choose two.)

A. XAUTH needs to be enabled.B. Inbound and outbound IP 50 packets are being filtered at the remote site.C. The transform-set needs to be set to transport mode.D. The access-list attached to the crypto map at the remote site is incorrect.E. The remote site is failing Diffie-Hellman Phase I negotiation.F. The NAT exception on the corporate side is filtering the return packets.



QUESTION 42Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?

A. You must assign zone-based policy firewall bridge groups to work in the virtual environment.B. Separate zone-based policy firewall policies must be defined for each VRF environment.C. Separate zones must be defined for each virtual zone-based policy firewall instance.D. No special zone-based policy firewall configurations are needed.


Explanation/Reference:Ensure that you utilized several security layers in your design to adequately protect the rest of your networkfrom the guest VLAN. You might even consider putting them in a separate Virtual Routing and Forwarding(VRF) instance. VRFs are configurations on Cisco IOS Software routers and switches that can be used toprovide traffic separation, making them a good solution to keep guest traffic segregated from your corporate

traffic.

QUESTION 43You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message"attributes not acceptable" on the IKE responder after issuing the debug crypto isakmp command. Which stepshould you take next?

A. verify matching ISAKMP policies on each peerB. verify that an IKE security association has been established between peersC. verify that IPsec transform sets match on each peerD. verify if default IPsec attributes are in place on each peer


Explanation/Reference:The show crypto isakmp policy command can be executed on both peers to compare IKE parameters andensure that they match. The debug crypto isakmp debugging command will display debugging messagesduring IKE negotiation and session establishment. These debugging commands should be executed andanalyzed on both peers.

QUESTION 44Which state is a Cisco IOS IPS signature in if it does not take an appropriate associated action even if it hasbeen successfully compiled?

A. retiredB. disabledC. unsupportedD. inactive



QUESTION 45Which CLI command would you use to verify installed SSL VPN licensing on a Cisco 1900, 2900, or 3900Series ISR?

A. show crypto ssl licenseB. show crypto webvpn detailsC. show webvpn licenseD. show webvpn ssl license count allE. show webvpn gateway



QUESTION 46

Which statement is correct regarding GRE tunnel endpoints when you are configuring GRE over IPsec?

A. The tunnel interfaces of both endpoints must be in the same IP subnet.B. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end- user traffic

between the GRE endpoints.C. The tunnel interfaces of both endpoints should be configured to use the outside IP address of the router as

the unnumbered IP address.D. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel

destination IP address.




Which of these is correct regarding the configuration parameters shown?

A. Complete certificates will be written to and stored in NVRAM.B. The RSA key pair is valid for five hours before being revoked.C. The router is configured as a certificate server.D. Certificate lifetimes are mismatched and will cause intermittent connectivity errors.E. The router has enrolled to the MY-TRUSTPOINT PKI server, which is an external CA server.




When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access interfaces fromthe output shown?

A. The Virtual-Access1 interface currently does not have an IPsec peer connection established.B. The Virtual-Access2 interface does not yet have an IPsec peer defined.C. The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface

is down.D. The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.



Neil's suggested answer is D,

yes, in the book there is some relevant sentence, p.407, I quote: “A special Virtual-Access1 interface is usedinternally by Cisco IOS Software and is always present in the output of this command.” but not always DOWN!!!

as follows from:http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.pdf

"...When the Easy VPN neg

Cisco.ActualTest.642-637.v2012-08-09-129q-dd...Aug 09, 2012 · Version : 2012-08-09 Questions :...

Documents

Transcript of Cisco.ActualTest.642-637.v2012-08-09-129q-dd...Aug 09, 2012 · Version : 2012-08-09 Questions :...