640-554 Implementing Cisco IOS Network Security · PDF fileIt should be configured as an...

640-554 Implementing Cisco IOS Network Security

Number: 640-554Passing Score: 804Time Limit: 120 minFile Version: 1.0

http://www.gratisexam.com/

Vendor: Cisco

Exam Code: 640-554

Exam Name: Implementing Cisco IOS Network Security

Date: 16-02-2013

By: Teddy Bear

Exam A

QUESTION 1Which two features are supported by Cisco IronPort Security Gateway? (Choose two.)

A. spam protectionB. outbreak intelligenceC. HTTP and HTTPS scanningD. email encryptionE. DDoS protection

Correct Answer: ADSection: (none)Explanation

Explanation/Reference:

QUESTION 2Which option is a feature of Cisco ScanSafe technology?

A. spam protectionB. consistent cloud-based policyC. DDoS protectionD. RSA Email DLP

Correct Answer: BSection: (none)Explanation


QUESTION 3Which two characteristics represent a blended threat? (Choose two.)

A. man-in-the-middle attackB. trojan horse attackC. pharming attackD. denial of service attackE. day zero attack

Correct Answer: BESection: (none)Explanation

Explanation/Reference:Blended threats combine the characteristics of viruses, worms, Trojan Horses, and malicious code with serverand Internet vulnerabilities to initiate, transmit, and spread an attack.therefore, the answers are B & E.

QUESTION 4Under which higher-level policy is a VPN security policy categorized?

A. application policy

B. DLP policyC. remote access policyD. compliance policyE. corporate WAN policy

Correct Answer: CSection: (none)Explanation


QUESTION 5What does level 5 in this enable secret global configuration mode command indicate?router#enable secret level 5 password

A. The enable secret password is hashed using MD5.B. The enable secret password is hashed using SHA.C. The enable secret password is encrypted using Cisco proprietary level 5 encryptionD. Set the enable secret command to privilege level 5.E. The enable secret password is for accessing exec privilege level 5.

Correct Answer: ESection: (none)Explanation


QUESTION 6Which Cisco management tool provides the ability to centrally provision all aspects of device configurationacross the Cisco family of security products?

A. Cisco Configuration ProfessionalB. Security Device ManagerC. Cisco Security ManagerD. Cisco Secure Management Server



QUESTION 7Which option is the correct representation of the IPv6 address 2001:0000:150C:0000:0000:41B1:45A3:041D?

A. 2001::150c::41b1:45a3:041dB. 2001:0:150c:0::41b1:45a3:04d1C. 2001:150c::41b1:45a3::41dD. 2001:0:150c::41b1:45a3:41d

Correct Answer: DSection: (none)

Explanation


QUESTION 8Which three options are common examples of AAA implementation on Cisco routers? (Choose three.)

A. authenticating remote users who are accessing the corporate LAN through IPsec VPN connectionsB. authenticating administrator access to the router console port, auxiliary port, and vty portsC. implementing PKI to authenticate and authorize IPsec VPN peers using digital certificatesD. tracking Cisco NetFlow accounting statisticsE. securing the router by locking down all unused servicesF. performing router commands authorization using TACACS+

Correct Answer: ABFSection: (none)Explanation

Explanation/Reference:When it comes to network security, AAA is a requirement. Here is what each of these are used for and why youshould care:

Authentication: Identifies users by login and password using challenge and response methodology before theuser even gains access to the network. Depending on your security options, it can also support encryption. Authorization: After initial authentication, authorization looks at what that authenticated user has access todo. RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs, which would be specific to the individual user rights. In the Cisco IOS, you can define AAAauthorization with a named list or authorization method. Accounting: The last “A” is for accounting. It provides a way of collecting security information that you canuse for billing, auditing, and reporting. You can use accounting to see what users do once they areauthenticated and authorized. For example, with accounting, you could get a log of when users logged in andwhen they logged out.

QUESTION 9When AAA login authentication is configured on Cisco routers, which two authentication methods should beused as the final method to ensure that the administrator can still log in to the router in case the external AAAserver fails? (Choose two.)

A. group RADIUSB. group TACACS+C. localD. krb5E. enableF. if-authenticated

Correct Answer: CESection: (none)Explanation


QUESTION 10Which two characteristics of the TACACS+ protocol are true? (Choose two.)

A. uses UDP ports 1645 or 1812B. separates AAA functionsC. encrypts the body of every packetD. offers extensive accounting capabilitiesE. is an open RFC standard protocol

Correct Answer: BCSection: (none)Explanation

Explanation/Reference:Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates the twooperations. Another difference is that TACACS+ uses the Transmission Control Protocol (TCP) while RADIUSuses the User Datagram Protocol (UDP).

QUESTION 11Refer to the exhibit.Which traffic is permitted by this ACL?

A. TCP traffic sourced from any host in the 172.26.26.8/29 subnet on any port to host 192.168.1.2 port 80 or443

B. TCP traffic sourced from host 172.26.26.21 on port 80 or 443 to host 192.168.1.2 on any portC. any TCP traffic sourced from host 172.26.26.30 destined to host 192.168.1.1D. any TCP traffic sourced from host 172.26.26.20 to host 192.168.1.2



QUESTION 12Refer to the exhibit.Which statement about this partial CLI configuration of an access control list is true?

A. The access list accepts all traffic on the 10.0.0.0 subnets.B. All traffic from the 10.10.0.0 subnets is denied.C. Only traffic from 10.10.0.10 is allowed.D. This configuration is invalid. It should be configured as an extended ACL to permit the associated wildcard

mask.E. From the 10.10.0.0 subnet, only traffic sourced from 10.10.0.10 is allowed; traffic sourced from the other

10.0.0.0 subnets also is allowed.F. The access list permits traffic destined to the 10.10.0.10 host on FastEthernet0/0 from any source.



QUESTION 13Which type of Cisco ASA access list entry can be configured to match multiple entries in a single statement?

A. nested object-classB. class-mapC. extended wildcard matchingD. object groups

Correct Answer: DSection: (none)Explanation



QUESTION 14Which statement about an access control list that is applied to a router interface is true?

A. It only filters traffic that passes through the router.B. It filters pass-through and router-generated traffic.C. An empty ACL blocks all traffic.D. It filters traffic in the inbound and outbound directions.

Correct Answer: ASection: (none)Explanation


QUESTION 15You have been tasked by your manager to implement syslog in your network. Which option is an importantfactor to consider in your implementation?

A. Use SSH to access your syslog information.B. Enable the highest level of syslog function available to ensure that all possible event messages are logged.

C. Log all messages to the system buffer so that they can be displayed when accessing the router.D. Synchronize clocks on the network with a protocol such as Network Time Protocol.



QUESTION 16Which protocol secures router management session traffic?

A. SSTPB. POPC. TelnetD. SSH



QUESTION 17Which two considerations about secure network management are important? (Choose two.)

A. log tamperingB. encryption algorithm strengthC. accurate time stampingD. off-site storageE. Use RADIUS for router commands authorization.F. Do not use a loopback interface for device management access.

Correct Answer: ACSection: (none)Explanation


QUESTION 18Which command enables Cisco IOS image resilience?

A. secure boot-<IOS image filename>B. secure boot-running-configC. secure boot-startD. secure boot-image



The Cisco IOS Resilient Configuration feature enables a router to secure and maintain a working copy of therunning image and configuration so that those files can withstand malicious attempts to erase the contents ofpersistent storage (NVRAM and flash). http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtrescfg.html

QUESTION 19Which router management feature provides for the ability to configure multiple administrative views?

A. role-based CLIB. virtual routing and forwardingC. secure config privilege {level}D. parser view view name


Explanation/Reference:The Role-Based CLI Access feature allows the network administrator to define "views," which are a set ofoperational commands and configuration capabilities that provide selective or partial access to Cisco IOSEXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS command-lineinterface (CLI) and configuration information; that is, a view can define what commands are accepted and whatconfiguration information is visible. Thus, network administrators can exercise better control over access toCisco networking devices. http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

QUESTION 20You suspect that an attacker in your network has configured a rogue Layer 2 device to intercept traffic frommultiple VLANs, which allows the attacker to capture potentially sensitive data. Which two methods will help tomitigate this type of activity? (Choose two.)

A. Turn off all trunk ports and manually configure each VLAN as required on each port.B. Place unused active ports in an unused VLAN.C. Secure the native VLAN, VLAN 1, with encryption.D. Set the native VLAN on the trunk ports to an unused VLAN.E. Disable DTP on ports that require trunking.

Correct Answer: DESection: (none)Explanation


QUESTION 21Which statement describes a best practice when configuring trunking on a switch port?

A. Disable double tagging by enabling DTP on the trunk port.B. Enable encryption on the trunk port.C. Enable authentication and encryption on the trunk port.D. Limit the allowed VLAN(s) on the trunk to the native VLAN only.E. Configure an unused VLAN as the native VLAN.



QUESTION 22Which type of Layer 2 attack causes a switch to flood all incoming traffic to all ports?

A. MAC spoofing attackB. CAM overflow attackC. VLAN hopping attackD. STP attack



QUESTION 23What is the best way to prevent a VLAN hopping attack?

A. Encapsulate trunk ports with IEEE 802.1Q.B. Physically secure data closets.C. Disable DTP negotiations.D. Enable BDPU guard.


Explanation/Reference:www.test-inexam.com 7 / 38

The safer , easier way to help you pass any IT exams.

QUESTION 24Which statement about PVLAN Edge is true?

A. PVLAN Edge can be configured to restrict the number of MAC addresses that appear on a single port.B. The switch does not forward any traffic from one protected port to any other protected port.C. By default, when a port policy error occurs, the switchport shuts down.D. The switch only forwards traffic to ports within the same VLAN Edge.


Explanation/Reference:The PVLAN edge (protected port) is a feature that has only local significance to the switch (unlike PrivateVlans), and there is no isolation provided between two protected ports located on different switches. Aprotected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also aprotected port in the same switch. Traffic cannot be forwarded between protected ports at L2, all traffic passingbetween protected ports must be forwarded through a Layer 3 (L3) device.http://www.cisco.com/en/US/tech/tk389/tk814/tk841/tsd_technology_support_sub-protocol_home.html

QUESTION 25If you are implementing VLAN trunking, which additional configuration parameter should be added to thetrunking configuration?

A. no switchport mode accessB. no switchport trunk native VLAN 1C. switchport mode DTPD. switchport nonnegotiate



QUESTION 26When Cisco IOS zone-based policy firewall is configured, which three actions can be applied to a traffic class?(Choose three.)

A. passB. policeC. inspectD. dropE. queueF. shape

Correct Answer: ACDSection: (none)Explanation


QUESTION 27With Cisco IOS zone-based policy firewall, by default, which three types of traffic are permitted by the routerwhen some of the router interfaces are assigned to a zone? (Choose three.)

A. traffic flowing between a zone member interface and any interface that is not a zone memberB. traffic flowing to and from the router interfaces (the self zone)C. traffic flowing among the interfaces that are members of the same zoneD. traffic flowing among the interfaces that are not assigned to any zoneE. traffic flowing between a zone member interface and another interface that belongs in a different zoneF. traffic flowing to the zone member interface that is returned traffic

Correct Answer: BCDSection: (none)Explanation


QUESTION 28Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA applianceinterface ACL configurations?

A. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL.B. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces.C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.D. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA

appliance interfaces.E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only support extended

ACL.



QUESTION 29Which two options are advantages of an application layer firewall? (Choose two.)

A. provides high-performance filteringB. makes DoS attacks difficultC. supports a large number of applicationsD. authenticates devicesE. authenticates individuals

Correct Answer: BESection: (none)Explanation


QUESTION 30Which option is the resulting action in a zone-based policy firewall configuration with these conditions? Source: Zone 1Destination: Zone 2Zone pair exists?: YesPolicy exists?: No

A. no impact to zoning or policyB. no policy lookup (pass)C. dropD. apply default policy


Explanation/Reference:Zone-Based Policy Firewall (ZFW) is an alternative way to configure and deploy firewall policies. This newconfiguration model offers intuitive policies for multiple-interface routers, increased granularity and flexibility offirewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones untilan explicit policy is applied to allow desirable traffic.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/ns855/white_paper_c11-492830.html

QUESTION 31A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a securitylevel of 100. The second interface is the DMZ interface with a security level of 50. The third interface is theoutside interface with a security level of 0. By default, without any access list configured, which five types oftraffic are permitted? (Choose five.)

A. outbound traffic initiated from the inside to the DMZB. outbound traffic initiated from the DMZ to the outsideC. outbound traffic initiated from the inside to the outsideD. inbound traffic initiated from the outside to the DMZE. inbound traffic initiated from the outside to the insideF. inbound traffic initiated from the DMZ to the insideG. HTTP return traffic originating from the inside network and returning via the outside interfaceH. HTTP return traffic originating from the inside network and returning via the DMZ interfaceI. HTTP return traffic originating from the DMZ network and returning via the inside interfaceJ. HTTP return traffic originating from the outside network and returning via the inside interface

Correct Answer: Section: (none)Explanation

Explanation/Reference:Answer: A,B,C,G,H

QUESTION 32Which two protocols enable Cisco Configuration Professional to pull IPS alerts from a Cisco ISR router?(Choose two.)

A. syslogB. SDEEC. FTPD. TFTPE. SSHF. HTTPS

Correct Answer: BFSection: (none)Explanation


QUESTION 33Which two functions are required for IPsec operation? (Choose two.)

A. using SHA for encryptionB. using PKI for pre-shared key authenticationC. using IKE to negotiate the SAD. using AH protocols for encryption and authenticationE. using Diffie-Hellman to establish a shared-secret key



QUESTION 34On Cisco ISR routers, for what purpose is the realm-cisco.pub public encryption key used?

A. used for SSH server/client authentication and encryptionB. used to verify the digital signature of the IPS signature fileC. used to generate a persistent self-signed identity certificate for the ISR so administrators can authenticate

the ISR when accessing it using Cisco Configuration.D. used to enable asymmetric encryption on IPsec and SSL VPNsE. used during the DH exchanges on IPsec VPNs


Explanation/Reference:The crypto key is used to verify the digital signature for the master signature file (sigdef-default.xml) whosecontents are signed by a Cisco private key to guarantee its authenticity and integrity at every release.http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html

QUESTION 35Which four tasks are required when you configure Cisco IOS IPS using the Cisco Configuration ProfessionalIPS wizard? (Choose four.)

A. Select the interface(s) to apply the IPS rule.B. Select the traffic flow direction that should be applied by the IPS rule.C. Add or remove IPS alerts actions based on the risk rating.D. Specify the signature file and the Cisco public key.E. Select the IPS bypass mode (fail-open or fail-close).F. Specify the configuration location and select the category of signatures to be applied to the selected

interface(s).

Correct Answer: ABDFSection: (none)Explanation


QUESTION 36Which statement is a benefit of using Cisco IOS IPS?

A. It uses the underlying routing infrastructure to provide an additional layer of security.B. It works in passive mode so as not to impact traffic flow.C. It supports the complete signature database as a Cisco IPS sensor appliance.D. The signature database is tied closely with the Cisco IOS image.



QUESTION 37You are the security administrator for a large enterprise network with many remote locations. You have beengiven the assignment to deploy a Cisco IPS solution. Where in the network would be the best place to deployCisco IOS IPS?

A. inside the firewall of the corporate headquarters Internet connectionB. at the entry point into the data centerC. outside the firewall of the corporate headquarters Internet connectionD. at remote branch offices



QUESTION 38Which IPS technique commonly is used to improve accuracy and context awareness, aiming to detect andrespond to relevant incidents only and therefore, reduce noise?

A. attack relevancyB. target asset valueC. signature accuracyD. risk rating



QUESTION 39Which two statements about SSL-based VPNs are true? (Choose two.)

A. Asymmetric algorithms are used for authentication and key exchange.B. SSL VPNs and IPsec VPNs cannot be configured concurrently on the same router.C. The application programming interface can be used to modify extensively the SSL client software for use in

special applications.D. The authentication process uses hashing technologies.E. Both client and clientless SSL VPNs require special-purpose client software to be installed on the client

machine.

Correct Answer: ADSection: (none)Explanation


QUESTION 40Which option describes the purpose of Diffie-Hellman?

A. used between the initiator and the responder to establish a basic security policyB. used to verify the identity of the peerC. used for asymmetric public key encryptionD. used to establish a symmetric shared key via a public key exchange process



QUESTION 41Which three statements about the IPsec ESP modes of operation are true? (Choose three.)

A. Tunnel mode is used between a host and a security gateway.B. Tunnel mode is used between two security gateways.C. Tunnel mode only encrypts and authenticates the data.D. Transport mode authenticates the IP header.E. Transport mode leaves the original IP header in the clear.

Correct Answer: ABESection: (none)Explanation

Explanation/Reference:Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec it provides originauthenticity, integrity, and confidentiality protection of packets. ESP also supports encryption-only andauthentication-only configurations, but using encryption without authentication is strongly discouraged becauseit is insecure. Unlike Authentication Header (AH), ESP in transport mode does not provide integrity andauthentication for the entire IP packet. However, in Tunnel Mode, where the entire original IP packet isencapsulated with a new packet header added, ESP protection is afforded to the whole inner IP packet(including the inner header) while the outer header (including any outer IPv4 options or IPv6 extension headers)remains unprotected. ESP operates directly on top of IP, using IP protocol number 50

In transport mode, only the payload of the IP packet is usually encrypted and/or authenticated. The routing isintact, since the IP header is neither modified nor encrypted

Tunneling takes an original IP packet header and encapsulates it within the ESP. Then, it adds a new IP headercontaining the address of a gateway device to the packet. Tunneling allows a user to send illegal IP addressesthrough a public network (like the Internet) that otherwise would not accept them.

http://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payloadhttp://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/2.0/ip_security/provisioning/guide/IPsecPG1.html#wp1022606

QUESTION 42When configuring SSL VPN on the Cisco ASA appliance, which configuration step is required only for CiscoAnyConnect full tunnel SSL VPN access and not required for clientless SSL VPN?

A. user authenticationB. group policyC. IP address poolD. SSL VPN interfaceE. connection profile



QUESTION 43For what purpose is the Cisco ASA appliance web launch SSL VPN feature used?

A. to enable split tunneling when using clientless SSL VPN accessB. to enable users to login to a web portal to download and launch the AnyConnect clientC. to enable smart tunnel access for applications that are not web-basedD. to optimize the SSL VPN connections using DTLSE. to enable single-sign-on so the SSL VPN users need only log in once



QUESTION 44Which statement describes how VPN traffic is encrypted to provide confidentiality when using asymmetricencryption?

A. The sender encrypts the data using the sender's private key, and the receiver decrypts the data using thesender's public key.

B. The sender encrypts the data using the sender's public key, and the receiver decrypts the data using thesender's private key.

C. The sender encrypts the data using the sender's public key, and the receiver decrypts the data using thereceiver's public key.

D. The sender encrypts the data using the receiver's private key, and the receiver decrypts the data using thereceiver's public key.

E. The sender encrypts the data using the receiver's public key, and the receiver decrypts the data using thereceiver's private key.

F. The sender encrypts the data using the receiver's private key, and the receiver decrypts the data using thesender's public key.



QUESTION 45Which four types of VPN are supported using Cisco ISRs and Cisco ASA appliances? (Choose four.)

A. SSL clientless remote-access VPNsB. SSL full-tunnel client remote-access VPNsC. SSL site-to-site VPNsD. IPsec site-to-site VPNs

E. IPsec client remote-access VPNsF. IPsec clientless remote-access VPNs

Correct Answer: ABDESection: (none)Explanation


QUESTION 46Which description of the Diffie-Hellman protocol is true?

A. It uses symmetrical encryption to provide data confidentiality over an unsecured communications channel.B. It uses asymmetrical encryption to provide authentication over an unsecured communications channel.C. It is used within the IKE Phase 1 exchange to provide peer authentication.D. It provides a way for two peers to establish a shared-secret key, which only they will know, even though they

are communicating over an unsecured channel.E. It is a data integrity algorithm that is used within the IKE exchanges to guarantee the integrity of the

message of the IKE exchanges.



QUESTION 47Which IPsec transform set provides the strongest protection?

A. crypto ipsec transform-set 1 esp-3des esp-sha-hmacB. crypto ipsec transform-set 2 esp-3des esp-md5-hmacC. crypto ipsec transform-set 3 esp-aes 256 esp-sha-hmacD. crypto ipsec transform-set 4 esp-aes esp-md5-hmacE. crypto ipsec transform-set 5 esp-des esp-sha-hmacF. crypto ipsec transform-set 6 esp-des esp-md5-hmac



QUESTION 48Which two options are characteristics of the Cisco Configuration Professional Security Audit wizard? (Choosetwo.)

A. displays a screen with fix-it check boxes to let you choose which potential security-related configurationchanges to implement

B. has two modes of operation: interactive and non-interactiveC. automatically enables Cisco IOS firewall and Cisco IOS IPS to secure the routerD. uses interactive dialogs and prompts to implement role-based CLIE. requires users to first identify which router interfaces connect to the inside network and which connect to the

outside network

Correct Answer: AESection: (none)Explanation


QUESTION 49Which statement describes a result of securing the Cisco IOS image using the Cisco IOS image resiliencefeature?

A. The show version command does not show the Cisco IOS image file location.B. The Cisco IOS image file is not visible in the output from the show flash command.C. When the router boots up, the Cisco IOS image is loaded from a secured FTP location.D. The running Cisco IOS image is encrypted and then automatically backed up to the NVRAM.E. The running Cisco IOS image is encrypted and then automatically backed up to a TFTP server.



QUESTION 50Which aaa accounting command is used to enable logging of the start and stop records for user terminalsessions on the router?

A. aaa accounting network start-stop tacacs+B. aaa accounting system start-stop tacacs+C. aaa accounting exec start-stop tacacs+D. aaa accounting connection start-stop tacacs+E. aaa accounting commands 15 start-stop tacacs+



QUESTION 51Which access list permits HTTP traffic sourced from host 10.1.129.100 port 3030 destined to host192.168.1.10?

A. access-list 101 permit tcp any eq 3030B. access-list 101 permit tcp 10.1.128.0 0.0.1.255 eq 3030 192.168.1.0 0.0.0.15 eq wwwC. access-list 101 permit tcp 10.1.129.0 0.0.0.255 eq www 192.168.1.10 0.0.0.0 eq wwwD. access-list 101 permit tcp host 192.168.1.10 eq 80 10.1.0.0 0.0.255.255 eq 3030E. access-list 101 permit tcp 192.168.1.10 0.0.0.0 eq 80 10.1.0.0 0.0.255.255F. access-list 101 permit ip host 10.1.129.100 eq 3030 host 192.168.1.100 eq 80

Correct Answer: B

Section: (none)Explanation


QUESTION 52Which location is recommended for extended or extended named ACLs?

A. an intermediate location to filter as much traffic as possibleB. a location as close to the destination traffic as possibleC. when using the established keyword, a location close to the destination point to ensure that return traffic is

allowedD. a location as close to the source traffic as possible



QUESTION 53Which statement about asymmetric encryption algorithms is true?

A. They use the same key for encryption and decryption of data.B. They use the same key for decryption but different keys for encryption of data.C. They use different keys for encryption and decryption of data.D. They use different keys for decryption but the same key for encryption of data.



QUESTION 54Which option can be used to authenticate the IPsec peers during IKE Phase 1?

A. Diffie-Hellman NonceB. pre-shared keyC. XAUTHD. integrity check valueE. ACSF. AH



QUESTION 55

Which single Cisco IOS ACL entry permits IP addresses from 172.16.80.0 to 172.16.87.255?

A. permit 172.16.80.0 0.0.3.255B. permit 172.16.80.0 0.0.7.255C. permit 172.16.80.0 0.0.248.255D. permit 176.16.80.0 255.255.252.0E. permit 172.16.80.0 255.255.248.0F. permit 172.16.80.0 255.255.240.0



QUESTION 56You want to use the Cisco Configuration Professional site-to-site VPN wizard to implement a site-to-site IPsecVPN using pre-shared key.Which four configurations are required (with no defaults)? (Choose four.)

A. the interface for the VPN connectionB. the VPN peer IP addressC. the IPsec transform-setD. the IKE policyE. the interesting traffic (the traffic to be protected)F. the pre-shared key

Correct Answer: ABEFSection: (none)Explanation


QUESTION 57Which two options represent a threat to the physical installation of an enterprise network? (Choose two.)

A. surveillance cameraB. security guardsC. electrical powerD. computer room accessE. change control

Correct Answer: CDSection: (none)Explanation


QUESTION 58Which option represents a step that should be taken when a security policy is developed?

A. Perform penetration testing.

B. Determine device risk scores.C. Implement a security monitoring system.D. Perform quantitative risk analysis.



QUESTION 59Which type of network masking is used when Cisco IOS access control lists are configured?

A. extended subnet maskingB. standard subnet maskingC. priority maskingD. wildcard masking



QUESTION 60How are Cisco IOS access control lists processed?

A. Standard ACLs are processed first.B. The best match ACL is matched first.C. Permit ACL entries are matched first before the deny ACL entries.D. ACLs are matched from top down.E. The global ACL is matched first before the interface ACL.



QUESTION 61Which type of management reporting is defined by separating management traffic from production traffic?

A. IPsec encryptedB. in-bandC. out-of-bandD. SSH



QUESTION 62Which syslog level is associated with LOG_WARNING?

A. 1B. 2C. 3D. 4E. 5F. 6



QUESTION 63In which type of Layer 2 attack does an attacker broadcast BDPUs with a lower switch priority?

A. MAC spoofing attackB. CAM overflow attackC. VLAN hopping attackD. STP attack



QUESTION 64Which security measure must you take for native VLANs on a trunk port?

A. Native VLANs for trunk ports should never be used anywhere else on the switch.B. The native VLAN for trunk ports should be VLAN 1.C. Native VLANs for trunk ports should match access VLANs to ensure that cross-VLAN traffic from multiple

switches can be delivered to physically disparate switches.D. Native VLANs for trunk ports should be tagged with 802.1Q.



QUESTION 65Which type of firewall technology is considered the versatile and commonly used firewall technology?

A. static packet filter firewallB. application layer firewall

C. stateful packet filter firewallD. proxy firewallE. adaptive layer firewall



QUESTION 66Which type of NAT is used where you translate multiple internal IP addresses to a single global, routable IPaddress?

A. policy NATB. dynamic PATC. static NATD. dynamic NATE. policy PAT



QUESTION 67Which Cisco IPS product offers an inline, deep-packet inspection feature that is available in integrated servicesrouters?

A. Cisco iSDMB. Cisco AIMC. Cisco IOS IPSD. Cisco AIP-SSM



QUESTION 68Which three modes of access can be delivered by SSL VPN? (Choose three.)

A. full tunnel clientB. IPsec SSLC. TLS transport modeD. thin clientE. clientlessF. TLS tunnel mode

Correct Answer: ADESection: (none)Explanation


QUESTION 69During role-based CLI configuration, what must be enabled before any user views can be created?

A. multiple privilege levelsB. usernames and passwordsC. aaa new-model commandD. secret password for the root userE. HTTP and/or HTTPS serverF. TACACS server group



QUESTION 70Which three statements about applying access control lists to a Cisco router are true? (Choose three.)

A. Place more specific ACL entries at the top of the ACL.B. Place generic ACL entries at the top of the ACL to filter general traffic and thereby reduce "noise" on the

network.C. ACLs always search for the most specific entry before taking any filtering action.D. Router-generated packets cannot be filtered by ACLs on the router.E. If an access list is applied but it is not configured, all traffic passes.

Correct Answer: ADESection: (none)Explanation


QUESTION 71When port security is enabled on a Cisco Catalyst switch, what is the default action when the configuredmaximum number of allowed MAC addresses value is exceeded?

A. The port remains enabled, but bandwidth is throttled until old MAC addresses are aged out.B. The port is shut down.C. The MAC address table is cleared and the new MAC address is entered into the table.D. The violation mode of the port is set to restrict.



QUESTION 72Which three statements about the Cisco ASA appliance are true? (Choose three.)

A. The DMZ interface(s) on the Cisco ASA appliance most typically use a security level between 1 and 99.B. The Cisco ASA appliance supports Active/Active or Active/Standby failover.C. The Cisco ASA appliance has no default MPF configurations.D. The Cisco ASA appliance uses security contexts to virtually partition the ASA into multiple virtual firewalls.E. The Cisco ASA appliance supports user-based access control using 802.1x.F. An SSM is required on the Cisco ASA appliance to support Botnet Traffic Filtering.

Correct Answer: ABDSection: (none)Explanation

Explanation/Reference:The DMZ interface won't use security level 0 or 100 as in most cases it'll be reserved to the inside network(100) and the outside network (0).The security appliance supports two failover configurations: Active/Active Failover and Active/Standby Failover.http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

QUESTION 73Refer to the exhibit.This Cisco IOS access list has been configured on the FA0/0 interface in the inbound direction. Which four TCPpackets sourced from 10.1.1.1 port 1030 and routed to the FA0/0 interface are permitted? (Choose four.)

A. destination ip address: 192.168.15.37 destination port: 22B. destination ip address: 192.168.15.80 destination port: 23C. destination ip address: 192.168.15.66 destination port: 8080D. destination ip address: 192.168.15.36 destination port: 80E. destination ip address: 192.168.15.63 destination port: 80F. destination ip address: 192.168.15.40 destination port: 21

Correct Answer: BCDESection: (none)Explanation


QUESTION 74You use Cisco Configuration Professional to enable Cisco IOS IPS. Which state must a signature be in beforeany actions can be taken when an attack matches that signature?

A. enabledB. unretiredC. successfully compliedD. successfully complied and unretiredE. successfully complied and enabledF. unretired and enabledG. enabled, unretired, and successfully complied

Correct Answer: GSection: (none)Explanation


QUESTION 75Which statement describes how the sender of the message is verified when asymmetric encryption is used?

A. The sender encrypts the message using the sender's public key, and the receiver decrypts the messageusing the sender's private key.

B. The sender encrypts the message using the sender's private key, and the receiver decrypts the messageusing the sender's public key.

C. The sender encrypts the message using the receiver's public key, and the receiver decrypts the messageusing the receiver's private key.

D. The sender encrypts the message using the receiver's private key, and the receiver decrypts the messageusing the receiver's public key.

E. The sender encrypts the message using the receiver's public key, and the receiver decrypts the messageusing the sender's public key.



QUESTION 76Which type of security control is defense in depth?

A. threat mitigationB. risk analysisC. botnet mitigationD. overt and covert channels



QUESTION 77Which options are two of the built-in features of IPv6? (Choose two.)

A. VLSMB. native IPsecC. controlled broadcastsD. mobile IPE. NAT

Correct Answer: BDSection: (none)Explanation


QUESTION 78Which option is a characteristic of the RADIUS protocol?

A. uses TCPB. offers multiprotocol supportC. combines authentication and authorization in one processD. supports bi-directional challenge



QUESTION 79Refer to the log below:14:00:09:TAC+: Opening TCP/IP connection to 192.168.60.15 using source 10.116.0.7914:00:09:TAC+: Sending TCP/IP packet number 383258052-1 to 192.168.60.15 (AUTHEN/START)14:00:09:TAC+: Receiving TCP/IP packet number 383258052-2 from 192.168.60.1514:00:09:TAC+ (383258052): received authen response status = GETUSER14:00:10:TAC+: send AUTHEN/CONT packet14:00:10:TAC+: Sending TCP/IP packet number 383258052-3 to 192.168.60.15 (AUTHEN/CONT)14:00:10:TAC+: Receiving TCP/IP packet number 383258052-4 from 192.168.60.1514:00:10:TAC+ (383258052): received authen response status = GETPASS14:00:14:

TAC+: send AUTHEN/CONT packet14:00:14:TAC+: Sending TCP/IP packet number 383258052-5 to 192.168.60.15 (AUTHEN/CONT)14:00:14:TAC+: Receiving TCP/IP packet number 383258052-6 from 192.168.60.1514:00:14:TAC+ (383258052): received authen response status = PASS14:00:14:TAC+: Closing TCP/IP connection to 192.168.60.15

Which statement about this debug output is true?

A. The requesting authentication request came from username GETUSER.B. The TACACS+ authentication request came from a valid user.C. The TACACS+ authentication request passed, but for some reason the user's connection was closed

immediately.D. The initiating connection request was being spoofed by a different source address.



QUESTION 80Which type of Cisco IOS access control list is identified by 100 to 199 and 2000 to 2699?

A. standardB. extendedC. namedD. IPv4 for 100 to 199 and IPv6 for 2000 to 2699



QUESTION 81Which priority is most important when you plan out access control lists?

A. Build ACLs based upon your security policy.B. Always put the ACL closest to the source of origination.C. Place deny statements near the top of the ACL to prevent unwanted traffic from passing through the router.D. Always test ACLs in a small, controlled production environment before you roll it out into the larger

production network.



QUESTION 82Which step is important to take when implementing secure network management?

A. Implement in-band management whenever possible.B. Implement telnet for encrypted device management access.C. Implement SNMP with read/write access for troubleshooting purposes.D. Synchronize clocks on hosts and devices.E. Implement management plane protection using routing protocol authentication.



QUESTION 83Which statement best represents the characteristics of a VLAN?

A. Ports in a VLAN will not share broadcasts amongst physically separate switches.B. A VLAN can only connect across a LAN within the same building.C. A VLAN is a logical broadcast domain that can span multiple physical LAN segments.D. A VLAN provides individual port security.



QUESTION 84Which Layer 2 protocol provides loop resolution by managing the physical paths to given network segments?

A. root guardB. port fastC. HSRPD. STP



QUESTION 85When STP mitigation features are configured, where should the root guard feature be deployed?

A. toward ports that connect to switches that should not be the root bridgeB. on all switch portsC. toward user-facing portsD. Root guard should be configured globally on the switch.

Correct Answer: A



QUESTION 86Which option is a characteristic of a stateful firewall?

A. can analyze traffic at the application layerB. allows modification of security rule sets in real time to allow return trafficC. will allow outbound communication, but return traffic must be explicitly permittedD. supports user authentication



QUESTION 87Which type of NAT would you configure if a host on the external network required access to an internal host?

A. outside global NATB. NAT overloadC. dynamic outside NATD. static NAT



QUESTION 88Which statement about disabled signatures when using Cisco IOS IPS is true?

A. They do not take any actions, but do produce alerts.B. They are not scanned or processed.C. They still consume router resources.D. They are considered to be "retired" signatures.



QUESTION 89Which type of intrusion prevention technology is the primary type used by the Cisco IPS security appliances?

A. profile-based

B. rule-basedC. protocol analysis-basedD. signature-basedE. NetFlow anomaly-based



QUESTION 90Which two services are provided by IPsec? (Choose two.)

A. ConfidentialityB. Encapsulating Security PayloadC. Data IntegrityD. Authentication HeaderE. Internet Key Exchange

Correct Answer: ACSection: (none)Explanation


QUESTION 91Refer to the exhibit. Which switch is designated as the root bridge in this topology?

A. It depends on which switch came on line first.

B. Neither switch would assume the role of root bridge because they have the same default priority.C. switch XD. switch Y


QUESTION 92Refer to the exhibit. Which three statements about these three show outputs are true? (Choose three.)

A. Traffic matched by ACL 110 is encrypted.B. The IPsec transform set uses SHA for data confidentiality.C. The crypto map shown is for an IPsec site-to-site VPN tunnel.D. The default ISAKMP policy uses a digital certificate to authenticate the IPsec peer.E. The IPsec transform set specifies the use of GRE over IPsec tunnel mode.F. The default ISAKMP policy has higher priority than the other two ISAKMP policies with a priority of 1 and 2

Correct Answer: ACDSection: (none)

Explanation


QUESTION 93Which two functions are required for IPsec operation? (Choose two.)

A. using SHA for encryptionB. using PKI for pre-shared-key authenticationC. using IKE to negotiate the SAD. using AH protocols for encryption and authenticationE. using Diffie-Hellman to establish a shared-secret key


QUESTION 94Refer to the exhibit. What does the option secret 5 in the username global configuration mode commandindicate about the user password?

A. It is hashed using SHA.B. It is encrypted using DH group 5.C. It is hashed using MD5.D. It is encrypted using the service password-encryption command.E. It is hashed using a proprietary Cisco hashing algorithm.F. It is encrypted using a proprietary Cisco encryption algorithm.


QUESTION 95Refer to the exhibit. Which statement about this output is true?

A. The user logged into the router with the incorrect username and password.B. The login failed because there was no default enable password.C. The login failed because the password entered was incorrect.D. The user logged in and was given privilege level 15.



QUESTION 96Refer to the exhibit. Which traffic is permitted by this ACL?

A. TCP traffic sourced from any host in the 172.26.26.8/29 subnet on any port to host 192.168.1.2 port 80 or443

B. TCP traffic sourced from host 172.26.26.21 on port 80 or 443 to host 192.168.1.2 on any portC. any TCP traffic sourced from host 172.26.26.30 destined to host 192.168.1.1D. any TCP traffic sourced from host 172.26.26.20 to host 192.168.1.2



QUESTION 97Refer to the exhibit. Using a stateful packet firewall and given an inside ACL entry of permit ip 192.16.1.0 0.0.0.255 any, what wouldbe the resulting dynamically configured ACL for the return traffic on the outside ACL?

A. permit tcp host 172.16.16.10 eq 80 host 192.168.1.11 eq 2300B. permit ip 172.16.16.10 eq 80 192.168.1.0 0.0.0.255 eq 2300C. permit tcp any eq 80 host 192.168.1.11 eq 2300D. permit ip host 172.16.16.10 eq 80 host 192.168.1.0 0.0.0.255 eq 2300



QUESTION 98A Cisco ASA appliance has three interfaces configured. The first interface is the inside interface with a securitylevel of 100. The second interface is the DMZ interface with a security level of 50. The third interface is theoutside interface with a security level of 0. By default, without any access list configured, which five types oftraffic are permitted? (Choose five.)

A. outbound traffic initiated from the inside to the DMZB. outbound traffic initiated from the DMZ to the outsideC. outbound traffic initiated from the inside to the outsideD. inbound traffic initiated from the outside to the DMZE. inbound traffic initiated from the outside to the insideF. inbound traffic initiated from the DMZ to the insideG. HTTP return traffic originating from the inside network and returning via the outside interfaceH. HTTP return traffic originating from the inside network and returning via the DMZ interfaceI. HTTP return traffic originating from the DMZ network and returning via the inside interface

J. HTTP return traffic originating from the outside network and returning via the inside interface

Correct Answer: ABCGHSection: (none)Explanation


QUESTION 99Which statement is true when you have generated RSA keys on your Cisco router to prepare for secure devicemanagement?

A. You must then zeroize the keys to reset secure shell before configuring other parameters.B. The SSH protocol is automatically enabled.C. You must then specify the general-purpose key size used for authentication with the crypto key generate rsa

general-keys modulus command.D. All vty ports are automatically enabled for SSH to provide secure management.



QUESTION 100What is the key difference between host-based and network-based intrusion prevention?

A. Network-based IPS is better suited for inspection of SSL and TLS encrypted data flows.B. Network-based IPS provides better protection against OS kernel-level attacks against hosts and servers.C. Network-based IPS can provide protection to desktops and servers without the need of installing specialized

software on the end hosts and servers.D. Host-based IPS can work in promiscuous mode or inline mode.E. Host-based IPS is more scalable then network-based IPS.F. Host-based IPS deployment requires less planning than network-based IPS.


QUESTION 101Refer to the exhibit. You are a network manager for your organization. You are looking at your Syslog serverreports. Based on the Syslog message shown, which two statements are true? (Choose two.)

A. Service timestamps have been globally enabled.B. This is a normal system-generated information message and does not require further investigation.C. This message is unimportant and can be ignored.D. This message is a level 5 notification message.

Correct Answer: ADSection: (none)

Explanation


QUESTION 102Refer to the exhibit. Which statement is correct based on the show login command output shown?

A. When the router goes into quiet mode, any host is permitted to access the router via Telnet, SSH, andHTTP, since the quiet-mode access list has not been configured.

B. The login block-for command is configured to block login hosts for 93 seconds.C. All logins from any sources are blocked for another 193 seconds.D. Three or more login requests have failed within the last 100 seconds.



QUESTION 103Which four methods are used by hackers? (Choose four.)

A. footprint analysis attackB. privilege escalation attackC. buffer Unicode attackD. front door attacksE. social engineering attackF. Trojan horse attack


QUESTION 104Which statement about Cisco IOS IPS on Cisco IOS Release 12.4(11)T and later is true?

A. uses Cisco IPS 5.x signature formatB. requires the Basic or Advanced Signature Definition FileC. supports both inline and promiscuous modeD. requires IEV for monitoring Cisco IPS alerts

E. uses the built-in signatures that come with the Cisco IOS image as backupF. supports SDEE, SYSLOG, and SNMP for sending Cisco IPS alerts


QUESTION 105Which characteristic is the foundation of Cisco Self-Defending Network technology?

A. secure connectivityB. threat control and containmentC. policy managementD. secure network platform


QUESTION 106Which kind of table do most firewalls use today to keep track of the connections through the firewall?

A. dynamic ACLB. reflexive ACLC. netflowD. queuingE. stateF. express forwarding



QUESTION 107Which Cisco IOS command is used to verify that either the Cisco IOS image, the configuration files, or bothhave been properly backed up and secured?

A. show archiveB. show secure bootsetC. show flashD. show file systemsE. dirF. dir archive


QUESTION 108What does the secure boot-config global configuration accomplish?

A. enables Cisco IOS image resilienceB. backs up the Cisco IOS image from flash to a TFTP serverC. takes a snapshot of the router running configuration and securely archives it in persistent storageD. backs up the router running configuration to a TFTP serverE. stores a secured copy of the Cisco IOS image in its persistent storage


QUESTION 109Refer to the exhibit. Based on the show policy-map type inspect zone-pair session command output shown,what can be determined about this Cisco IOS zone based firewall policy?

A. All packets will be dropped since the class-default traffic class is matching all traffic.B. This is an inbound policy (applied to traffic sourced from the less secured zone destined to the more

secured zone).C. This is an outbound policy (applied to traffic sourced from the more secured zone destined to the less

secured zone).D. Stateful packet inspection will be applied only to HTTP packets that also match ACL 110.E. All non-HTTP traffic will be permitted to pass as long as it matches ACL 110.F. All non-HTTP traffic will be inspected.

Correct Answer: D



QUESTION 110When using a stateful firewall, which information is stored in the stateful session flow table?

A. the outbound and inbound access rules (ACL entries)B. the source and destination IP addresses, port numbers, TCP sequencing information, and additional flags

for each TCP or UDP connection associated with a particular sessionC. all TCP and UDP header information onlyD. all TCP SYN packets and the associated return ACK packets onlyE. the inside private IP address and the translated inside global IP address


QUESTION 111Which statement is true about configuring access control lists to control Telnet traffic destined to the routeritself?

A. The ACL is applied to the Telnet port with the ip access-group command.B. The ACL should be applied to all vty lines in the in direction to prevent an unwanted user from connecting to

an unsecured port.C. The ACL applied to the vty lines has no in or out option like ACL being applied to an interface.D. The ACL must be applied to each vty line individually.


QUESTION 112When configuring role-based CLI on a Cisco router, which step is performed first?

A. Log in to the router as the root user.B. Create a parser view called "root view."C. Enable role-based CLI globally on the router using the privileged EXEC mode Cisco IOS command.D. Enable the root view on the router.E. Enable AAA authentication and authorization using the local database.F. Create a root local user in the local database.



QUESTION 113Refer to the exhibit. Which statement about the aaa configurations is true?

A. The authentication method list used by the console port is named test.B. The authentication method list used by the vty port is named test.C. If the TACACS+ AAA server is not available, no users will be able to establish a Telnet session with the

router.D. If the TACACS+ AAA server is not available, console access to the router can be authenticated using the

local database.E. The local database is checked first when authenticating console and vty access to the router.


QUESTION 114Which characteristic is a potential security weakness of a traditional stateful firewall?

A. It cannot support UDP flows.B. It cannot detect application-layer attacks.C. It cannot ensure each TCP connection follows a legitimate TCP three-way handshake.D. It works only in promiscuous mode.E. The status of TCP sessions is retained in the state table after the sessions terminate.F. It has low performance due to the use of syn-cookies.


QUESTION 115Refer to the exhibit and partial configuration. Which statement is true?

A. All traffic destined for network 172.16.150.0 will be denied due to the implicit deny all.B. All traffic from network 10.0.0.0 will be permitted.C. Access-list 101 will prevent address spoofing from interface E0.D. This is a misconfigured ACL resulting in traffic not being allowed into the router in interface S0.E. This ACL will prevent any host on the Internet from spoofing the inside network address as the source

address for packets coming into the router from the Internet.



QUESTION 116What will be disabled as a result of the no service password-recovery command?

A. changes to the config-register settingB. ROMMONC. password encryption serviceD. aaa new-model global configuration commandE. the xmodem privilege EXEC mode command to recover the Cisco IOS image


QUESTION 117What does the MD5 algorithm do?

A. takes a message less than 2^64 bits as input and produces a 160-bit message digestB. takes a variable-length message and produces a 168-bit message digestC. takes a variable-length message and produces a 128-bit message digestD. takes a fixed-length message and produces a 128-bit message digest



QUESTION 118You have configured a standard access control list on a router and applied it to interface Serial 0 in anoutbound direction. No ACL is applied to Interface Serial 1 on the same router. What happens when trafficbeing filtered by the access list does not match the configured ACL statements for Serial 0?

A. The resulting action is determined by the destination IP address.B. The resulting action is determined by the destination IP address and port number.C. The source IP address is checked, and, if a match is not found, traffic is routed out interface Serial 1.D. The traffic is dropped.


QUESTION 119You use Cisco Configuration Professional to enable Cisco lOS IPS. Which state must a signature be in beforeany actions can be taken when an attack matches that signature?

A. enabledB. unretiredC. successfully compliedD. successfully complied and unretiredE. successfully complied and enabledF. unretired and enabledG. enabled, unretired and successfully complied

Correct Answer: GSection: (none)Explanation


Exam B

QUESTION 1DRAG DROP

A.B.C.D.



Control plane secures traffic destined to the router itself Data plane secures transit traffic through the router Management plane secures router access

QUESTION 2Drag and Drop Questions

A.B.

C.D.


Explanation/Reference:Detects attacks based on known attack fingerprints signature-based Detects unexpected traffic spikes anomaly-basedOnly allows HTTPS traffic to the web server policy-based Detects events based on correlations with a blacklist downloaded from a dynamically updated database -reputation-based


A.B.C.D.


Explanation/Reference:GlobalLink-local6to4Site-local

QUESTION 4Drag and Drop QuestionsMatch the descriptions on the left with the IKE phases on the right.

A.B.C.D.




A.B.C.D.

Correct Answer: Section: (none)

Explanation


Can stop the attack trigger packet IPSNo network impact if there is a sensor overload IDSAllows malicious traffic to pass before it can respond IDS Deployed in promiscuous mode IDSCan use stream normalization techniques IPSMore vulnerable to network evasion techniques IDSHas some impact on network latency and jitter IPSDeployed in inline mode IPS


A.B.C.D.


Explanation/Reference:Can permit or deny traffic based on IP addressCan permit or deny traffic based on protocolCan permit or deny based on source and destination ports


A.B.C.D.


Explanation/Reference:TACACS+

--------------------Uses TCPSeparates the authentication, authorization, and accounting functionsEncrypts the entire body of the packetSupports authorization of router commands on a per-user of per-group basis

RADIUS--------------Uses UDPCombines the authentication and authorization functions Encrypts only the password



A.B.C.D.




A.B.C.D.

Correct Answer: ASection: (none)

Explanation


False positive an alarm is triggered by normal traffic or a benign action False negative a signature is not fired when offending traffic is detected True positive generates an alarm when offending traffic is detected True negative a signature is not fired when non-offending traffic is captured and analyzed


A.B.

C.D.



QUESTION 11

Select and Place:

Correct Answer:



QUESTION 12

Select and Place:

Correct Answer:



QUESTION 13

Select and Place:

Correct Answer:



QUESTION 14

Select and Place:

Correct Answer:



QUESTION 15

A.B.C.D.



Exam C

QUESTION 1

Which four properties are included in the inspection Cisco Map OUT_SERVICE? (Choose four)

A. FTPB. HTTPC. HTTPSD. SMTPE. P2PF. ICMP



First option:

Second option:

QUESTION 2

What NAT address will be assigned by ACL 1?

A. 192.168.1.0/25B. GlobalEthernet0/0 interface address.C. 172.25.223.0/24D. 10.0.10.0/24



QUESTION 3

Which Class Map is used by the INBOUND Rule?

A. SERVICE_INB. Class-map-ccp-cls-2C. Ccp-cts-2D. Class-map SERVICE_IN



QUESTION 4


Which policy is assigned to Zone Pair sdm-zip-OUT-IN?

A. Sdm-cls-httpB. OUT_SERVICEC. Ccp-policy-ccp-cls-1D. Ccp-policy-ccp-cls-2



QUESTION 5

What is included in the Network Object Group INSIDE? (Choose two)

A. Network 192.168.1.0/24B. Network 175.25.133.0/24C. Host 74.125.224.176D. Network 10.0.10.0/24E. Host 74.125.224.179

Correct Answer: BDSection: (none)Explanation


Exam D

QUESTION 1Lab Simulation

A.B.C.D.


Explanation/Reference:Switch1>enableSwitch1#config tSwitch1(config)#interface fa0/12Switch1(config-if)#switchport mode accessSwitch1(config-if)#switchport port-security maximum 2Switch1(config-if)#switchport port-security violation shutdown Switch1(config-if)#no shutSwitch1(config-if)#endSwitch1#copy run start

QUESTION 2

A.


Explanation/Reference:First step you need to know which interface is belong to OUTSIDE. To check this navigate to Configure>Interface Management>Interface and Connections and click on Edit Interface/Connection to

see which interface is belong to OUTSIDE by checking IP addresses assigned. In out case OUTSIDEinterface is FastEthernet0/1. Note it!

To configure NTP you have to navigate to Configure>Router>Time>NTP and SNMP and click on "Add.."button

Enter the NTP Server IP, choose interface, type key number, value and click on "Prefer" and Ok.

After save configuration file and click on "Deliver".

To configure Access Rules you have to go to Configure>Router>ACL>ACL Editor and click on "Add..."button.

Enter name as "Inbound", make sure it is Extended ACL and click on "Add..."

After check "Action", make sure it is "Permit" (it is default state in CCP), live source and destination as"Any" (it is default state in CCP). Then navigate to "Protocol and Service" and choose "EIGRP" as aprotocol. Click "Ok".

After click "Add..." now create another ACL to permit "HTTP" traffic.

Make sure "Action" is "Permit" (it is default state in CCP), live source as "Any" . In destination sectionchoose " A Network" as a "Type", put appropriate IP address and wildcard mask. Navigate to "Protocoland Service", select "TCP", source port live as "Any" (it is default state in CCP) but destination port wehave to change for "80". Click on Service box and pick up in the end of list www(80). Click "Ok" in bothwindows.

Now we have to associate our ACL rules to the OUTSIDE interface with INBOUND direction. Click on"Associate..".

Early we discovered that our OUTSIDE interface is FastEthernet0/1. Choose from list FastEthernet0/1,specify a destination as "Inbound". Click "Ok".

You will get this Cisco CP Warning. Requirements says that we have to add entry rule to allow NTPtraffic. Click "Yes".

Final step save the configuration and click "Deliver.


Date post:	15-Mar-2018
Category:	Documents
Upload:	dotram
View:	213 times
Download:	1 times

640-554 Implementing Cisco IOS Network Security · PDF fileIt should be configured as an...

Documents