
640-553 CCNAS Certification Tests

Date post: 18-Nov-2014
Upload: cibeles
Description:
Tests for preparing CCNA Security Certification exam number 640-553
Cisco 640-553 CISCO 640-553 IINS Implementing Cisco IOS Network Security Practice Test Version 1.8

QUESTION NO: 1

Which of the following access lists will permit HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host 192.168.1.10?

A. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030

B. access-list 101 permit tcp any eq 3030

C. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq www

D. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq www

Answer: D

QUESTION NO: 2 DRAG DROP

Drag three correct statements about the IPsec protocol from the list above to the list below.

Answer:

Cisco 640-553: Practice Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2

QUESTION NO: 3

In a brute-force attack, what percentage of the keyspace must an attacker generally search

through until he or she finds the key that decrypts the data?

A. Roughly 50 percent

B. Roughly 66 percent

C. Roughly 75 percent

D. Roughly 10 percent

Answer: A

QUESTION NO: 4

The information of Cisco Router and Security Device Manager (SDM) is shown below:

Within the "sdm-permit" policy map, what is the action assigned to the traffic class "class-default"?

A. inspect

B. drop

C. police

D. pass

Answer: B

QUESTION NO: 5 DRAG DROP

On the basis of the description of SSL-based VPN, place the correct descriptions in the proper

locations.

Answer:

QUESTION NO: 6

Which description is correct based on the exhibit and partial configuration?

A. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.

B. All traffic from network 10.0.0.0 will be permitted.

C. Access-list 101 will prevent address spoofing from interface E0.

D. This ACL will prevent any host on the Internet from spoofing the inside network address as the

source address for packets coming into the router from the Internet.

Answer: C

QUESTION NO: 7

Which one of the following items can be used to authenticate the IPsec peers during IKE Phase 1?

A. pre-shared key

B. integrity check value

C. XAUTH

D. Diffie-Hellman Nonce

Answer: A

QUESTION NO: 8

Which description about asymmetric encryption algorithms is correct?

A. They use the same key for encryption and decryption of data.

B. They use different keys for decryption but the same key for encryption of data.

C. They use different keys for encryption and decryption of data.

D. They use the same key for decryption but different keys for encryption of data.

Answer: C

QUESTION NO: 9

For the following items, which management topology keeps management traffic isolated from

production traffic?

A. OTP

B. OOB

C. SAFE

D. MARS

Answer: B

QUESTION NO: 10

You work as a network engineer. An IPsec tunnel is negotiated within the protection of which type of tunnel?

A. L2F tunnel

B. L2TP tunnel

C. GRE tunnel

D. ISAKMP tunnel

Answer: D

QUESTION NO: 11

As a candidate for the CCNA examination, you are familiar with the basic commands. If you input the command "enable secret level 5 password" in global mode, what does it indicate?

A. Set the enable secret command to privilege level 5.

B. The enable secret password is hashed using MD5.

C. The enable secret password is for accessing exec privilege level 5.

D. The enable secret password is hashed using SHA.

E. The enable secret password is encrypted using Cisco proprietary level 5 encryption.

Answer: C

QUESTION NO: 12

When editing global IPS settings, which one of the following options determines if the IOS-based IPS feature will drop or permit traffic for a particular IPS signature engine while a new signature for that engine is being compiled?

A. Enable Signature Default

B. Enable Engine Fail Closed

C. Enable Default IOS Signature

D. Enable Fail Opened

Answer: B

QUESTION NO: 13

Which statement best describes Cisco IOS Zone-Based Policy Firewall?

A. A router interface can belong to multiple zones.

B. Policy maps are used to classify traffic into different traffic classes, and class maps are used to

assign action to the traffic classes.

C. The pass action works in only one direction.

D. A zone-pair is bidirectional because it specifies traffic flowing among the interfaces within the

zone-pair in both directions.

Answer: C

QUESTION NO: 14

Which feature is a potential security weakness of a traditional stateful firewall?

A. It cannot support UDP flows.

B. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.

C. It cannot detect application-layer attacks.

D. The status of TCP sessions is retained in the state table after the sessions terminate.

Answer: C

QUESTION NO: 15

LAB

Explanation:

Switch1>enable
Switch1#config t
Switch1(config)#interface fa0/12
Switch1(config-if)#switchport mode access
Switch1(config-if)#switchport port-security maximum 2
Switch1(config-if)#switchport port-security violation shutdown
Switch1(config-if)#no shut
Switch1(config-if)#end
Switch1#copy run start

QUESTION NO: 16

How does CLI view differ from a privilege level?

A. A CLI view supports only commands configured for that specific view, whereas a privilege level

supports commands available to that level and all the lower levels.

B. A CLI view can function without a AAA configuration, whereas a privilege level requires AAA to be configured.

C. A CLI view supports only monitoring commands, whereas a privilege level allows a user to

make changes to an IOS configuration.

D. A CLI view and a privilege level perform the same function. However, a CLI view is used on a

Catalyst switch, whereas a privilege level is used on an IOS router.

Answer: A

QUESTION NO: 17 HOTSPOT

Answer:

QUESTION NO: 18

Which statement best describes configuring access control lists to control Telnet traffic destined to

the router itself?

A. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.

B. The ACL is applied to the Telnet port with the ip access-group command.

C. The ACL must be applied to each vty line individually.

D. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from

connecting to an unsecured port.

Answer: D

QUESTION NO: 19 DRAG DROP

On the basis of the Cisco IOS Zone-Based Policy Firewall, by default, which three types zone?

Drag three proper characterizations from the list above to the list below.

Answer:

QUESTION NO: 20

What is the MD5 algorithm used for?

A. takes a fixed-length message and produces a 128-bit message digest

B. takes a variable-length message and produces a 168-bit message digest

C. takes a message less than 2^64 bits as input and produces a 160-bit message digest

D. takes a variable-length message and produces a 128-bit message digest

Answer: D

QUESTION NO: 21

Which one of the following options accurately matches the CLI command(s) to the equivalent SDM wizard that performs similar configuration functions?

A. aaa configuration commands and the SDM Basic Firewall wizard

B. setup exec command and the SDM Security Audit wizard

C. auto secure exec command and the SDM One-Step Lockdown wizard

D. Cisco Common Classification Policy Language configuration commands and the SDM Site-to-Site VPN wizard

Answer: C

QUESTION NO: 22 CORRECT TEXT

input answer here:

Answer: 1

QUESTION NO: 23

When configuring Cisco IOS login enhancements for virtual connections, what is the "quiet

period"?

A. The period of time in which virtual login attempts are blocked, following repeated failed login

attempts

B. The period of time in which virtual logins are blocked as security services fully initialize

C. A period of time when no one is attempting to log in

D. The period of time between successive login attempts

Answer: A

QUESTION NO: 24

Based on the following items, which two types of interfaces are found on all network-based IPS

sensors? (Choose two.)

A. Loopback interface

B. Command and control interface

C. Monitoring interface

D. Management interface

Answer: B,C

QUESTION NO: 25

Which description is true about the show login command output displayed in the exhibit?

A. Three or more login requests have failed within the last 100 seconds.

B. When the router goes into quiet mode, any host is permitted to access the router via Telnet,

SSH, and HTTP, since the quiet-mode access list has not been configured.

C. The login block-for command is configured to block login hosts for 93 seconds.

D. All logins from any sources are blocked for another 193 seconds.

Answer: A

QUESTION NO: 26

If a switch is working in the fail-open mode, what will happen when the switch's CAM table fills to

capacity and a new frame arrives?

A. A copy of the frame is forwarded out all switch ports other than the port the frame was received

on.

B. The frame is transmitted on the native VLAN.

C. The switch sends a NACK segment to the frame's source MAC address.

D. The frame is dropped.

Answer: A

QUESTION NO: 27

Given the exhibit below. You are a network manager of your company. You are reading your

Syslog server reports. On the basis of the Syslog message shown, which two descriptions are

correct? (Choose two.)

A. This is a normal system-generated information message and does not require further

investigation.

B. Service timestamps have been globally enabled.

C. This message is unimportant and can be ignored.

D. This message is a level 5 notification message.

Answer: B,D

QUESTION NO: 28 HOTSPOT

Answer:

QUESTION NO: 29

What will be enabled by the Dynamic Vector Streaming (DVS) scanning technology?

A. Firmware-level virus detection

B. Signature-based virus filtering

C. Layer 4 virus detection

D. Signature-based spyware filtering

Answer: D

QUESTION NO: 30

Which statement best describes the relationships between AAA function and TACACS+, RADIUS

based on the exhibit shown?

A. TACACS+ - CK1 and CK4

RADIUS - CK2 and CK3

B. TACACS+ - CK2 and CK4

RADIUS - CK1 and CK3

C. TACACS+ - CK1 and CK3

RADIUS - CK2 and CK4

D. TACACS+ - CK2 and CK3

RADIUS - CK1 and CK4

Answer: B

QUESTION NO: 31

The enable secret password appears as an MD5 hash in a router's configuration file, whereas the

enable password is not hashed (or encrypted, if the password-encryption service is not enabled).

What is the reason that Cisco still supports the use of both enable secret and enable passwords in a router's configuration?

A. The enable password is present for backward compatibility.

B. Because the enable secret password is a hash, it cannot be decrypted. Therefore, the enable

password is used to match the password that was entered, and the enable secret is used to verify

that the enable password has not been modified since the hash was generated.

C. The enable password is considered to be a router's public key, whereas the enable secret

password is considered to be a router's private key.

D. The enable password is used for IKE Phase I, whereas the enable secret password is used for

IKE Phase II.

Answer: A

QUESTION NO: 32

When configuring AAA login authentication on Cisco routers, which two authentication methods

should be used as the final method to ensure that the administrator can still log in to the router in

case the external AAA server fails?

(Choose two.)

A. group RADIUS

B. group TACACS+

C. local

D. krb5

E. enable

F. if-authenticated

Answer: C,E

QUESTION NO: 33

Which kind of table will be used by most firewalls today to keep track of the connections through

the firewall?

A. reflexive ACL

B. dynamic ACL

C. queuing

D. netflow

E. state

Answer: E

QUESTION NO: 34

Based on the username global configuration mode command displayed in the exhibit, what does the option secret 5 indicate about the enable secret password?

A. It is hashed using MD5.

B. It is encrypted using a proprietary Cisco encryption algorithm.

C. It is hashed using SHA.

D. It is encrypted using DH group 5.

Answer: A

QUESTION NO: 35

Before a Diffie-Hellman exchange may begin, the two parties involved must agree on what?

A. Two secret keys

B. Two nonsecret keys

C. Two secret numbers

D. Two nonsecret numbers

Answer: D

QUESTION NO: 36

Which one of the following items offers a variety of security solutions, including firewall, IPS, VPN, antispyware, antivirus, and antiphishing features?

A. Cisco IOS router

B. Cisco PIX 500 series security appliance

C. Cisco 4200 series IPS appliance

D. Cisco ASA 5500 series security appliance

Answer: D

QUESTION NO: 37

Which three items are Cisco best-practice recommendations for securing a network? (Choose

three.)

A. Routinely apply patches to operating systems and applications.

B. Disable unneeded services and ports on hosts.

C. Deploy HIPS software on all end-user workstations.

D. Require strong passwords, and enable password expiration.

Answer: A,B,D

QUESTION NO: 38

What Cisco Security Agent Interceptor is in charge of intercepting all read/write requests to the rc

files in UNIX?

A. Configuration interceptor

B. Network interceptor

C. File system interceptor

D. Execution space interceptor

Answer: A

QUESTION NO: 39 HOTSPOT

Answer:

QUESTION NO: 40

Information about a managed device's resources and activity is defined by a series of objects.

What defines the structure of these management objects?

A. MIB

B. FIB

C. LDAP

D. CEF

Answer: A

QUESTION NO: 41

Which location will be recommended for extended or extended named ACLs?

A. when using the established keyword, a location close to the destination point to ensure that

return traffic is allowed

B. an intermediate location to filter as much traffic as possible

C. a location as close to the source traffic as possible

D. a location as close to the destination traffic as possible

Answer: C

QUESTION NO: 42

Refer to Cisco IOS Zone-Based Policy Firewall, where will the inspection policy be applied?

A. to the zone-pair

B. to the zone

C. to the interface

D. to the global service policy

Answer: A

QUESTION NO: 43

Which statement is true about vishing?

A. Influencing users to forward a call to a toll number (for example, a long distance or international

number)

B. Influencing users to provide personal information over a web page

C. Using an inside facilitator to intentionally forward a call to a toll number (for example, a long

distance or international number)

D. Influencing users to provide personal information over the phone

Answer: D

QUESTION NO: 44

Which item accounts for the great majority of software vulnerabilities that have been discovered?

A. Stack vulnerabilities

B. Heap overflows

C. Software overflows

D. Buffer overflows

Answer: D

QUESTION NO: 45 CORRECT TEXT

input answer here:

Answer: 3,6

QUESTION NO: 46

Which one of the following items may be added to a password stored in MD5 to make it more

secure?

A. Ciphertext

B. Salt

C. Cryptotext

D. Rainbow table

Answer: B

QUESTION NO: 47 HOTSPOT

Answer:

QUESTION NO: 48

Which is an example of a function intended for cryptographic hashing?

A. MD65

B. SHA-135

C. XR12

D. MD5

Answer: D

QUESTION NO: 49

Which algorithm was the first to be found suitable for both digital signing and encryption?

A. HMAC

B. RSA

C. MD5

D. SHA-1

Answer: B

QUESTION NO: 50

Which is the main difference between host-based and network-based intrusion prevention?

A. Host-based IPS can work in promiscuous mode or inline mode.

B. Network-based IPS can provide protection to desktops and servers without the need of

installing specialized software on the end hosts and servers.

C. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.

D. Host-based IPS deployment requires less planning than network-based IPS.

Answer: B

QUESTION NO: 51

Which classes does the U.S. government place classified data into? (Choose three.)

A. Top-secret

B. Confidential

C. SBU

D. Secret

Answer: A,B,D

QUESTION NO: 52

With the increasing development of networks, various network attacks have appeared. Which statement best describes the relationships between the attack method and the result?

A. Ping Sweep - CK2 and CK4

Port Scan - CK1, CK3 and CK5

B. Ping Sweep - CK1 and CK5

Port Scan - CK2, CK3 and CK4

C. Ping Sweep - CK1 and CK3

Port Scan - CK2, CK4 and CK5

D. Ping Sweep - CK2 and CK3

Port Scan - CK1, CK4 and CK5

Answer: A

QUESTION NO: 53

Which three options are network evaluation techniques? (Choose three.)

A. Performing end-user training on the use of antispyware software

B. Performing virus scans

C. Scanning a network for active IP addresses and open ports on those IP addresses

D. Using password-cracking utilities

Answer: B,C,D

QUESTION NO: 54

What should be enabled before any user views can be created during role-based CLI configuration?

A. aaa new-model command

B. secret password for the root user

C. usernames and passwords

D. multiple privilege levels

Answer: A

QUESTION NO: 55

You are a network technician at Certpaper.com. Which description is correct when you have

generated RSA keys on your Cisco router to prepare for secure device management?

A. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa general-keys modulus command.

B. You must then zeroize the keys to reset secure shell before configuring other parameters.

C. All vty ports are automatically enabled for SSH to provide secure management.

D. The SSH protocol is automatically enabled.

Answer: D

QUESTION NO: 56

What is the result of securing the Cisco IOS image by use of the Cisco IOS image resilience feature?

A. The Cisco IOS image file will not be visible in the output from the show flash command.

B. The show version command will not show the Cisco IOS image file location.

C. When the router boots up, the Cisco IOS image will be loaded from a secured FTP location.

D. The running Cisco IOS image will be encrypted and then automatically backed up to a TFTP

server.

Answer: A

QUESTION NO: 57

What are four methods used by hackers? (Choose four.)

A. footprint analysis attack

B. privilege escalation attack

C. buffer Unicode attack

D. social engineering attack

E. front door attacks

F. Trojan horse attack

Answer: A,B,D,F

QUESTION NO: 58

Which are the best practices for attack mitigations?

A. CK2, CK5, CK6 and CK8

B. CK3, CK4, CK6 and CK7

C. CK1, CK2, CK3 and CK5

D. CK2, CK5, CK6 and CK7

E. CK2, CK3, CK6 and CK8

Answer: A

QUESTION NO: 59 DRAG DROP

Drag two characteristics of the SDM Security Audit wizard from the list above to the list below.

Answer:

QUESTION NO: 60

The information of Cisco Router and Security Device Manager (SDM) is shown below:

Within the "sdm-inspect" policy map, what is the action assigned to the traffic class "sdm-invalid-src", and which traffic is matched by the traffic class "sdm-invalid-src"? (Choose two.)

A. traffic matched by the nested "sdm-cls-insp-traffic" class map

B. traffic matched by ACL 105

C. inspect/log

D. traffic matched by ACL 104

Answer: A,B

QUESTION NO: 61

Which description is true about ECB mode?

A. In ECB mode, each 56-bit plain-text block is exclusive ORed (XORed) bitwise with the previous

ciphertext block.

B. ECB mode uses the same 64-bit key to serially encrypt each 56-bit plain-text block.

C. In ECB mode, each 64-bit plain-text block is exclusive ORed (XORed) bitwise with the previous

ciphertext block.

D. ECB mode uses the same 56-bit key to serially encrypt each 64-bit plain-text block.

Answer: D

QUESTION NO: 62

Which statement is true about a certificate authority (CA)?

A. An entity responsible for registering the private key encryption used in a PKI

B. An agency responsible for granting and revoking public-private key pairs

C. A trusted third party responsible for signing the public keys of entities in a PKI-based system

D. A trusted third party responsible for signing the private keys of entities in a PKI-based system

Answer: C

QUESTION NO: 63

Which statement is not a reason for an organization to incorporate a SAN in its enterprise

infrastructure?

A. To decrease both capital and operating expenses associated with data storage

B. To decrease the threat of viruses and worm attacks against data storage devices

C. To meet changing business priorities, applications, and revenue growth

D. To increase the performance of long-distance replication, backup, and recovery

Answer: B

QUESTION NO: 64

Which two ports are used with RADIUS authentication and authorization? (Choose two.)

A. UDP port 1812

B. UDP port 2000

C. TCP port 2002

D. UDP port 1645

Answer: A,D

QUESTION NO: 65

Which three statements are valid SDM configuration wizards? (Choose three.)

A. NAT

B. VPN

C. STP

D. Security Audit

Answer: A,B,D

QUESTION NO: 66

With which three tasks does the IPS Policies Wizard help you? (Choose three.)

A. Selecting the interface to which the IPS rule will be applied

B. Selecting the Signature Definition File (SDF) that the router will use

C. Selecting the direction of traffic that will be inspected

D. Selecting the inspection policy that will be applied to the interface

Answer: A,B,C

QUESTION NO: 67

Instructions

To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router.

You can click on the grey buttons below to view the different windows.

Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.

The "Tab" key and most commands that use the "Control" or "Escape" keys are not supported and are not necessary to complete this simulation.

Which two options correctly identify the associated interface with the correct security zone?

(Choose two.)

A. FastEthernet0/0 and 0/1 are associated to the "in-zone" zone.

B. FastEthernet0/0 and 0/1 are not associated to any zone.

C. FastEthernet0/0 and 0/1 are associated to the "self" zone.

D. FastEthernet0/1 is associated to the "out-zone" zone.

E. FastEthernet0/0 is associated to the "in-zone" zone.

F. FastEthernet0/0 and 0/1 are associated to the "out-zone" zone.

Answer: D,E

QUESTION NO: 68

What is the purpose of the secure boot-config global configuration command?

A. takes a snapshot of the router running configuration and securely archives it in persistent

storage

B. stores a secured copy of the Cisco IOS image in its persistent storage

C. backs up the Cisco IOS image from flash to a TFTP server

D. enables Cisco IOS image resilience

Answer: A

QUESTION NO: 69

Which two of the following attacks focus on RSA? (Choose all that apply.)

A. BPA attack

B. Adaptive chosen ciphertext attack

C. DDoS attack

D. Man-in-the-middle attack

Answer: A,B

QUESTION NO: 70

Which of the following Spanning Tree Protocol (STP) protection mechanisms disables a switch port if the port receives a Bridge Protocol Data Unit (BPDU)?

A. UplinkFast

B. PortFast

C. BPDU Guard

D. Root Guard

Answer: C

QUESTION NO: 71

Which Public Key Cryptographic Standards (PKCS) defines the syntax for encrypted messages

and messages with digital signatures?

A. PKCS #7

B. PKCS #8

C. PKCS #10

D. PKCS #12

Answer: A

QUESTION NO: 72

Which one is the most important based on the following common elements of a network design?

A. Business needs

B. Risk analysis

C. Security policy

D. Best practices

Answer: A

QUESTION NO: 73

Which firewall best practices can help mitigate worm and other automated attacks?

A. Segment security zones

B. Restrict access to firewalls

C. Use logs and alerts

D. Set connection limits

Answer: D

QUESTION NO: 74

Which one of the following statements is perceived as a drawback of implementing Fibre Channel Authentication Protocol (FCAP)?

A. It is restricted in size to only three segments.

B. It requires the use of netBT as the network protocol.

C. It requires the implementation of IKE.

D. It relies on an underlying Public Key Infrastructure (PKI).

Answer: D

QUESTION NO: 75

Which type of firewall is needed to open appropriate UDP ports required for RTP streams?

A. Stateful firewall

B. Proxy firewall

C. Packet filtering firewall

D. Stateless firewall

Answer: A

QUESTION NO: 76

Which one of the following commands can be used to enable AAA authentication to determine if a

user can access the privilege command level?

A. aaa authentication enable method default

B. aaa authentication enable default

C. aaa authentication enable level

D. aaa authentication enable default local

Answer: B

QUESTION NO: 77

Which one of the following attempts to ensure that no one employee becomes a pervasive security threat, that data can be recovered from backups, and that information system changes do not compromise a system's security?

A. Strategic security planning

B. Disaster recovery

C. Implementation security

D. Operations security

Answer: D

QUESTION NO: 78

Which item shows the correct matching relationships associated with the IKE phases?

A. IKE Phase 1 - CK1 and CK4

IKE Phase 2 - CK2, CK3 and CK5

B. IKE Phase 1 - CK2 and CK4

IKE Phase 2 - CK1, CK3 and CK5

C. IKE Phase 1 - CK2 and CK3

IKE Phase 2 - CK1, CK4 and CK5

D. IKE Phase 1 - CK1 and CK2

IKE Phase 2 - CK3, CK4 and CK5

Answer: A

QUESTION NO: 79

Which one of the following is the strongest symmetrical encryption algorithm?

A. AES

B. 3DES

C. DES

D. Diffie-Hellman

Answer: A

QUESTION NO: 80

Which protocol will use a LUN as a way to differentiate the individual disk drives that comprise a target device?

A. SCSI

B. HBA

C. ATA

D. iSCSI

Answer: A

QUESTION NO: 81

The information of Cisco Router and Security Device Manager (SDM) is shown below:

Which three protocols are matched by the "sdm-cls-insp-traffic" class map? (Choose three)

A. pop3

B. ftp

C. l2tp

D. sql-net

Answer: A,B,D

QUESTION NO: 82

Which statement best describes the Turbo ACL feature? (Choose all that apply.)

A. The Turbo ACL feature processes ACLs into lookup tables for greater efficiency.

B. The Turbo ACL feature leads to increased latency, because the time it takes to match the packet is variable.

C. The Turbo ACL feature leads to reduced latency, because the time it takes to match the packet is fixed and consistent.

D. Turbo ACLs increase the CPU load by matching the packet to a predetermined list.

Answer: A,C

QUESTION NO: 83

What is the objective of the aaa authentication login console-in local command?

A. It specifies the login authentication method list named console-in using the local user database on the router.

B. It specifies the login authorization method list named console-in using the local RADIUS username-password database.

C. It specifies the login authentication list named console-in using the local username-password database on the router.

D. It specifies the login authorization method list named console-in using the local username-password database on the router.

Answer: A

QUESTION NO: 84

Stream ciphers run on which of the following?

A. Fixed-length groups of digits called blocks

B. Individual blocks, one at a time, with the transformations varying during the encryption

C. Individual digits, one at a time, with the transformations varying during the encryption

D. Fixed-length groups of bits called blocks

Answer: C

QUESTION NO: 85

After enabling port security on a Cisco Catalyst switch, what is the default action when the configured maximum of allowed MAC addresses value is exceeded?

A. The port's violation mode is set to restrict.

B. The port is shut down.

C. The MAC address table is cleared and the new MAC address is entered into the table.

D. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.

Answer: B

QUESTION NO: 86

Which item is correct regarding Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later?

A. requires the Basic or Advanced Signature Definition File

B. uses the built-in signatures that come with the Cisco IOS image as backup

C. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts

D. uses Cisco IPS 5.x signature format

Answer: D

QUESTION NO: 87

Regarding constructing a good encryption algorithm, what does creating an avalanche effect indicate?

A. Altering the key length causes the ciphertext to be completely different.

B. Changing only a few bits of a ciphertext message causes the plain text to be completely different.

C. Altering the key length causes the plain text to be completely different.

D. Changing only a few bits of a plain-text message causes the ciphertext to be completely different.

Answer: D

QUESTION NO: 88

A standard access control list has been configured on a router and applied to interface Serial 0 in an outbound direction. No ACL is applied to interface Serial 1 on the same router. What will happen when traffic being filtered by the access list does not match the configured ACL statements for Serial 0?

A. The traffic is dropped.

B. The resulting action is determined by the destination IP address.

C. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.

D. The resulting action is determined by the destination IP address and port number.

Answer: A

QUESTION NO: 89

What will be disabled as a result of the no service password-recovery command?

A. password encryption service

B. changes to the config-register setting

C. the xmodem privilege EXEC mode command to recover the Cisco IOS image

D. ROMMON

Answer: D

QUESTION NO: 90

The information of Cisco Router and Security Device Manager (SDM) is shown below:

Which policy map is associated with the "adm-zp-in-out" security zone pair?

A. sdm-permit-icmpreply

B. adm-permit

C. sdm-inspect

D. sdm-insp-traffic

Answer: B

QUESTION NO: 91 HOTSPOT

Answer:

QUESTION NO: 92

Which statement is true about a Smurf attack?

A. It sends ping requests in segments of an invalid size.

B. It intercepts the third step in a TCP three-way handshake to hijack a session.

C. It sends ping requests to a subnet, requesting that devices on that subnet send ping replies to a target system.

D. It uses Trojan horse applications to create a distributed collection of "zombie" computers, which can be used to launch a coordinated DDoS attack.

Answer: C

QUESTION NO: 93

When using the Cisco SDM Quick Setup Site-to-Site VPN wizard, which three parameters do you configure? (Choose three.)

A. Source interface where encrypted traffic originates

B. IP address for the remote peer

C. Transform set for the IPsec tunnel

D. Interface for the VPN connection

Answer: A,B,D

QUESTION NO: 94

Based on the show policy-map type inspect zone-pair session command output provided in the exhibit, what can be determined about this Cisco IOS zone-based firewall policy?

A. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.

B. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more secured zone).

C. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less secured zone).

D. All packets will be dropped since the class-default traffic class is matching all traffic.

Answer: A

QUESTION NO: 95

What is the name of the e-mail traffic monitoring service that underlies the architecture of IronPort?

A. SenderBase

B. TrafMon

C. IronPort M-Series

D. E-Base

Answer: A

QUESTION NO: 96

How do you define the authentication method that will be used with AAA?

A. With the method aaa command

B. With the method command

C. With a method list

D. With a method statement

Answer: C

QUESTION NO: 97 CORRECT TEXT

input answer here:

Answer: 4

QUESTION NO: 98

Refer to the exhibit. You are the network security administrator responsible for router security. Your network uses internal IP addressing according to RFC 1918 specifications. From the default rules shown, which access control list would prevent IP address spoofing of these internal networks?

A. SDM_Default_197

B. SDM_Default_199

C. SDM_Default_196

D. SDM_Default_198

Answer: D

QUESTION NO: 99

Please choose the correct matching relationships between the cryptography algorithms and the type of algorithm.

A. Symmetric - CK1, CK4 and CK5

Asymmetric - CK2, CK3 and CK6

B. Symmetric - CK2, CK4 and CK5

Asymmetric - CK1, CK3 and CK6

C. Symmetric - CK1, CK2 and CK3

Asymmetric - CK4, CK5 and CK6

D. Symmetric - CK2, CK5 and CK6

Asymmetric - CK1, CK3 and CK4

Answer: A

QUESTION NO: 100

Which one of the following acts as a VPN termination device and is located at a primary network location?

A. Broadband service

B. Headend VPN device

C. VPN access device

D. Tunnel

Answer: B

QUESTION NO: 101

Refer to the exhibit. Based on the VPN connection shown, which statement is true?

A. Traffic that matches access list 103 will be protected.

B. This VPN configuration will not work because the tunnel IP and peer IP are the same.

C. The tunnel is down because the transform set needs to include the Authentication Header parameter.

D. The tunnel is down as a result of being a static rule. It should be configured as a Dynamic IPsec policy.

Answer: A

QUESTION NO: 102

As a network engineer at Certpaper.com, you are responsible for the Certpaper network. What must be taken into consideration when implementing syslogging in your network?

A. Enable the highest level of syslogging available to ensure you log all possible event messages.

B. Use SSH to access your syslog information.

C. Log all messages to the system buffer so that they can be displayed when accessing the router.

D. Synchronize clocks on the network with a protocol such as Network Time Protocol.

Answer: D

QUESTION NO: 103

Which type of MAC address is dynamically learned by a switch port and then added to the switch's running configuration?

A. Static secure MAC address

B. Dynamic secure MAC address

C. Pervasive secure MAC address

D. Sticky secure MAC address

Answer: D

QUESTION NO: 104

What is the objective of Diffie-Hellman?

A. used to verify the identity of the peer

B. used between the initiator and the responder to establish a basic security policy

C. used to establish a symmetric shared key via a public key exchange process

D. used for asymmetric public key encryption

Answer: C

QUESTION NO: 105

Which VoIP component can permit or deny a call attempt on the basis of a network's available bandwidth?

A. MCU

B. Application server

C. Gateway

D. Gatekeeper

Answer: D

QUESTION NO: 106

Which information is stored in the stateful session flow table while using a stateful firewall?

A. the inside private IP address and the translated inside global IP address

B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags for each TCP or UDP connection associated with a particular session

C. the outbound and inbound access rules (ACL entries)

D. all TCP and UDP header information only

Answer: B

QUESTION NO: 107 CORRECT TEXT

input answer here:

Answer: 3

QUESTION NO: 108

When configuring SSH, which is the Cisco minimum recommended modulus value?

A. 2048 bits

B. 1024 bits

C. 256 bits

D. 512 bits

Answer: B

QUESTION NO: 109

Which type of intrusion prevention technology will be primarily used by the Cisco IPS security appliances?

A. signature-based

B. profile-based

C. rule-based

D. protocol analysis-based

Answer: A

QUESTION NO: 110

Which two statements are correct regarding a Cisco IP phone's web access feature? (Choose two.)

A. It can provide IP address information about other servers in the network.

B. It requires login credentials, based on the UCM user database.

C. It is enabled by default.

D. It uses HTTPS.

Answer: A,C

QUESTION NO: 111

Which option ensures that data is not modified in transit?

A. Authorization

B. Confidentiality

C. Authentication

D. Integrity

Answer: D

QUESTION NO: 112

Which is a method of gaining access to a system that bypasses normal security measures?

A. Starting a Smurf attack

B. Conducting social engineering

C. Creating a back door

D. Launching a DoS attack

Answer: C

QUESTION NO: 113

Which two actions can be configured to allow traffic to traverse an interface when zone-based security is being employed? (Choose two.)

A. Pass

B. Flow

C. Allow

D. Inspect

Answer: A,D

QUESTION NO: 114

Which three are distinctions between asymmetric and symmetric algorithms? (Choose all that apply.)

A. Only symmetric algorithms have a key exchange technology built in.

B. Asymmetric algorithms are used quite often as key exchange protocols for symmetric algorithms.

C. Only asymmetric algorithms have a key exchange technology built in.

D. Asymmetric algorithms are based on more complex mathematical computations.

Answer: B,C,D

QUESTION NO: 115

Which two primary port authentication protocols are used with VSANs? (Choose two.)

A. SPAP

B. CHAP

C. DHCHAP

D. ESP

Answer: B,C

QUESTION NO: 116

When configuring role-based CLI on a Cisco router, which action will be taken first?

A. Create a parser view called "root view."

B. Log in to the router as the root user.

C. Enable the root view on the router.

D. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.

Answer: C

QUESTION NO: 117

Which statement is correct regarding the aaa configurations based on the exhibit provided?

A. The authentication method list used by the vty port is named test.

B. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the router.

C. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the local database.

D. The authentication method list used by the console port is named test.

Answer: A

QUESTION NO: 118

Which one of the aaa accounting commands can be used to enable logging of both the start and stop records for user terminal sessions on the router?

A. aaa accounting connection start-stop tacacs+

B. aaa accounting exec start-stop tacacs+

C. aaa accounting system start-stop tacacs+

D. aaa accounting network start-stop tacacs+

Answer: B

QUESTION NO: 119

What is a static packet-filtering firewall used for?

A. It validates the fact that a packet is either a connection request or a data packet belonging to a connection.

B. It evaluates network packets for valid data at the application layer before allowing connections.

C. It analyzes network traffic at the network and transport protocol layers.

D. It keeps track of the actual communication process through the use of a state table.

Answer: C

QUESTION NO: 120

Which one of the following features is the foundation of Cisco Self-Defending Network technology?

A. secure network platform

B. secure connectivity

C. threat control and containment

D. policy management

Answer: A

QUESTION NO: 121 HOTSPOT

Answer:

QUESTION NO: 122 DRAG DROP

Which three are common examples of AAA implementation on Cisco routers? Please place the correct descriptions in the proper locations.

Answer:

QUESTION NO: 123

If you click the Configure button along the top of Cisco SDM's graphical interface, which Tasks button permits you to configure such features as SSH, NTP, SNMP, and syslog?

A. Interfaces and Connections

B. Intrusion Prevention

C. Security Audit

D. Additional Tasks

Answer: D

QUESTION NO: 124

In an IEEE 802.1x deployment, between which two devices are EAPOL messages typically sent?

A. Between the supplicant and the authenticator

B. Between the authenticator and the authentication server

C. Between the supplicant and the authentication server

D. Between the RADIUS server and the authenticator

Answer: A

QUESTION NO: 125

Which one of the Cisco IOS commands can be used to verify that either the Cisco IOS image, the configuration files, or both have been properly backed up and secured?

A. show archive

B. show flash

C. show file systems

D. show secure bootset

Answer: D

QUESTION NO: 126

Instructions

To access the Cisco Router and Security Device Manager (SDM) utility, click on the console host icon that is connected to an ISR router.

You can click on the grey buttons below to view the different windows.

Each of the windows can be minimized by clicking on the [-]. You can also reposition a window by dragging it by the title bar.

The "Tab" key and most commands that use the "Control" or "Escape" keys are not supported and are not necessary to complete this simulation.

Which statement is correct regarding the "sdm-permit" policy map?

A. Traffic not matched by any of the class maps within that policy map will be inspected

B. Traffic matching the "SDM_CA_SERVER" traffic class will be dropped.

C. That policy map is applied to traffic sourced from the "self" zone and destined to the "out-zone" zone.

D. Traffic matching the "sdm-access" traffic class will be inspected.

Answer: B

QUESTION NO: 127

Which key method is used to detect and prevent attacks by use of IDS and/or IPS technologies?

A. Signature-based detection

B. Anomaly-based detection

C. Honey pot detection

D. Policy-based detection

Answer: A

QUESTION NO: 128

Please choose the correct description about Cisco Self-Defending Network characteristics.

A. INTEGRATED - CK2

COLLABORATIVE - CK1

ADAPTIVE - CK3

B. INTEGRATED - CK1

COLLABORATIVE - CK2

ADAPTIVE - CK3

C. INTEGRATED - CK3

COLLABORATIVE - CK2

ADAPTIVE - CK1

D. INTEGRATED - CK2

COLLABORATIVE - CK3

ADAPTIVE - CK1

Answer: A

QUESTION NO: 129 DRAG DROP

Answer:

Explanation:

QUESTION NO: 130 DRAG DROP

Answer:

Explanation:

QUESTION NO: 131 DRAG DROP

Answer:

Explanation:

QUESTION NO: 132 DRAG DROP

Answer:

Explanation:

QUESTION NO: 133 DRAG DROP

Answer:

QUESTION NO: 134 DRAG DROP

Match the descriptions on the left with the IKE phases on the right.

Answer:
