Date post: 24-Oct-2014

Upload: fmsbr
Cisco 642-637 Securing Networks with Cisco Routers and Switches (SECURE) v1.0 Version: 6.0

QUESTION NO: 1 Refer to the exhibit. Given the partial output of the debug command, what can be determined?

A. There is no ID payload in the packet, as indicated by the message ID = 0.
B. The peer has not matched any offered profiles.
C. This is an IKE quick mode negotiation.
D. This is normal output of a successful Phase 1 IKE exchange.

Answer: B

Explanation:

QUESTION NO: 2 DRAG DROP

Answer:

Cisco 642-637 Exam

"Pass Any Exam. Any Time." - www.actualtests.com 2


Explanation:

Existing lists of LAN switches

Existing user credentials

Existing addressing scheme

Existing transport protocols used in the environment.

QUESTION NO: 3 Refer to the exhibit. Which two Cisco IOS WebVPN features are enabled with the partial configuration shown? (Choose two.)

A. The end-user Cisco AnyConnect VPN software will remain installed on the end system.
B. If the Cisco AnyConnect VPN software fails to install on the end-user PC, the end user cannot use other modes.
C. Client based full tunnel access has been enabled.
D. Traffic destined to the 10.0.0.0/8 network will not be tunneled and will be allowed access via a split tunnel.
E. Clients will be assigned IP addresses in the 10.10.0.0/16 range.

Answer: A,C

Explanation:

QUESTION NO: 4 Which two of these are benefits of implementing a zone-based policy firewall in transparent mode? (Choose two.)

A. Less firewall management is needed.
B. It can be easily introduced into an existing network.
C. IP readdressing is unnecessary.
D. It adds the ability to statefully inspect non-IP traffic.
E. It has less impact on data flows.

Answer: B,C

Explanation:

QUESTION NO: 5 When configuring a zone-based policy firewall, what will be the resulting action if you do not specify any zone pairs for a possible pair of zones?

A. All sessions will pass through the zone without being inspected.
B. All sessions will be denied between these two zones by default.
C. All sessions will have to pass through the router "self zone" for inspection before being allowed to pass to the destination zone.
D. This configuration statelessly allows packets to be delivered to the destination zone.

Answer: B

Explanation:

QUESTION NO: 6 Refer to the exhibit. What can be determined from the output of this show command?

A. The IPsec connection is in an idle state.
B. The IKE association is in the process of being set up.
C. The IKE status is authenticated.
D. The ISAKMP state is waiting for quick mode status to authenticate before IPsec parameters are passed between peers.
E. IKE Quick Mode is in the idle state, indicating a problem with IKE phase 1.

Answer: C

Explanation:


QUESTION NO: 7 DRAG DROP

Answer:

Explanation:

Delete IPsec security association -> clear crypto sa

Verify cryptographic configurations and show SA lifetimes -> show crypto map

Verify the IPsec protection policy settings -> show crypto ipsec transform-set

Verify current IPsec settings in use by the SAs -> show crypto ipsec sa

Clear active IKE connections -> clear crypto isakmp

QUESTION NO: 8 You are running Cisco IOS IPS software on your edge router. A new threat has become an issue. The Cisco IOS IPS software has a signature that can address the new threat, but you previously retired the signature. You decide to unretire that signature to regain the desired protection level. How should you act on your decision?

A. Retired signatures are not present in the router's memory. You will need to download a new signature package to regain the retired signature.
B. You should re-enable the signature and start inspecting traffic for signs of the new threat.
C. Unretiring a signature will cause the router to recompile the signature database, which can temporarily affect performance.
D. You cannot unretire a signature. To avoid a disruption in traffic flow, it's best to create a custom signature until you can download a new signature package and reload the router.

Answer: C

Explanation:

QUESTION NO: 9 Which statement best describes inside policy based NAT?

A. Policy NAT rules are those that determine which addresses need to be translated per the enterprise security policy.
B. Policy NAT consists of policy rules based on outside sources attempting to communicate with inside endpoints.
C. These rules use source addresses as the decision for translation policies.
D. These rules are sensitive to all communicating endpoints.

Answer: A

Explanation:

QUESTION NO: 10 Refer to the exhibit. What can be determined about the IPS category configuration shown?

A. All categories are disabled.
B. All categories are retired.
C. After all other categories were disabled, a custom category named "os ios" was created.
D. Only attacks on the Cisco IOS system result in preventative actions.

Answer: D

Explanation:

QUESTION NO: 11 When Cisco IOS IPS is configured to use SDEE for event notification, how are events managed?

A. They are stored in the router's event store and will allow authenticated remote systems to pull events from the event store.
B. All events are immediately sent to the remote SDEE server.
C. Events are sent via syslog over a secure SSL/TLS communications channel.
D. When the event store reaches its maximum configured number of event notifications, the stored events are sent via SDEE to a remote authenticated server and a new event store is created.

Answer: A

Explanation:

QUESTION NO: 12 Which two of these will match a regular expression with the following configuration parameters? [a-zA-Z][0-9][a-z] (Choose two.)

A. Q3h
B. B4Mn
C. aaB132AA
D. c7lm
E. BBpjnrIT

Answer: A,D

Explanation:

QUESTION NO: 13 Which of these is a configurable Cisco IOS feature that triggers notifications if an attack attempts to exhaust critical router resources and if preventative controls have been bypassed or are not working correctly?

A. Control Plane Protection
B. Management Plane Protection
C. CPU and memory thresholding
D. SNMPv3

Answer: C

Explanation:

QUESTION NO: 14 Which Cisco IOS IPS feature allows you to remove one or more actions from all active signatures based on the attacker and/or target address criteria, as well as the event risk rating criteria?

A. signature event action filters
B. signature event action overrides
C. signature attack severity rating
D. signature event risk rating

Answer: A

Explanation:

QUESTION NO: 15 You are troubleshooting reported connectivity issues from remote users who are accessing corporate headquarters via an IPsec VPN connection. What should be your first step in troubleshooting these issues?

A. issue a show crypto isakmp policy command to verify matching policies of the tunnel endpoints
B. ping the tunnel endpoint
C. run a traceroute to verify the tunnel path
D. debug the connection process and look for any error messages in tunnel establishment

Answer: B

Explanation:

QUESTION NO: 16 Which of these is correct regarding the configuration of virtual-access interfaces?

A. They cannot be saved to the startup configuration.
B. You must use static routes inside the tunnels.
C. DVTI interfaces should be assigned a unique IP address range.
D. The Virtual-Access 1 interface must be enabled in an up/up state administratively.

Answer: A

Explanation:

QUESTION NO: 17 Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined?

A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.
B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.
C. This is an illegal configuration. You cannot have the same source and destination zones.
D. This policy configuration is not needed; traffic within the same zone is allowed to pass by default.

Answer: D

Explanation:

QUESTION NO: 18 Which action does the command private-vlan association 100,200 take?

A. configures VLANs 100 and 200 and associates them as a community
B. associates VLANs 100 and 200 with the primary VLAN
C. creates two private VLANs with the designation of VLAN 100 and VLAN 200
D. assigns VLANs 100 and 200 as an association of private VLANs

Answer: B

Explanation:

QUESTION NO: 19 Which of these allows you to add event actions globally based on the risk rating of each event, without having to configure each signature individually?

A. event action summarization
B. event action filter
C. event action override
D. signature event action processor

Answer: C

Explanation:

QUESTION NO: 20 When using Cisco Easy VPN, what are the three options for entering an XAUTH username and password for establishing a VPN connection from the Cisco Easy VPN remote router? (Choose three.)

A. using an external AAA server
B. entering the information via the router crypto ipsec client ezvpn connect CLI command in privileged EXEC mode
C. using the router local user database
D. entering the information from the PC via a browser
E. storing the XAUTH credentials in the router configuration file

Answer: B,D,E

Explanation:

QUESTION NO: 21 Which of these is true regarding tunnel configuration when deploying a Cisco ISR as a DMVPN hub router?

A. Only one tunnel can be created per tunnel source interface.
B. Only one tunnel can be created and should be associated with a loopback interface for dynamic redundancy.
C. The GRE tunnel key is used to encrypt the traffic going through the tunnel through the hub.
D. You can run multiple parallel DMVPNs on the hub router, but each tunnel requires a unique tunnel key.

Answer: D

Explanation:

QUESTION NO: 22 Given the Cisco IOS command crypto key generate rsa label MY_KEYS modulus 2048, which additional command keyword should be added if you would like to use these keys on another router or have the ability to back them up to another device?

A. redundancy
B. exportable
C. on:USB smart-token
D. usage-keys

Answer: B

Explanation:

QUESTION NO: 23 Which two types of deployments can be implemented for a zone-based policy firewall? (Choose two.)

A. routed mode
B. interzone mode
C. fail open mode
D. transparent mode
E. inspection mode

Answer: A,D

Explanation:

QUESTION NO: 24 DRAG DROP

Answer:

Explanation:

Dropping application layer protocol units that do not conform to the protocol standard.

An application-aware method of filtering that works on OSI layers 3 and 4.

Filtering inside the protocol and its related content

QUESTION NO: 25 What is the result of configuring the command dot1x system-auth-control on a Cisco Catalyst switch?

A. enables the switch to operate as the 802.1X supplicant
B. globally enables 802.1X on the switch
C. globally enables 802.1X and defines ports as 802.1X-capable
D. places the configuration sub-mode into dot1x-auth mode, in which you can identify the authentication server parameters

Answer: B

Explanation:

QUESTION NO: 26 Which information is displayed when you enter the Cisco IOS command show epm session?

A. Enforcement Policy Module sessions
B. External Proxy Mappings, per authenticated sessions
C. Encrypted Policy Management sessions
D. Enhanced Protected Mode sessions

Answer: A

Explanation:

QUESTION NO: 27 Refer to the exhibit. Based on the partial configuration shown, which the GET VPN group member GDOI configuration?

A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group

Answer: A

Explanation:

QUESTION NO: 28 Refer to the exhibit. Given the partial configuration shown, which two statements are correct? (Choose two.)

A. The tunnel will use the routing protocol configured for GigabitEthernet 1/1 for all tunnel communication with the peer.
B. The IP route statement to reach the remote network behind the DMVPN peer is incorrect; it should be ip route 192.168.2.0 255.255.255.0 tunnel 0.
C. This is an example of a static point-to-point VTI tunnel.
D. The tunnel will use esp-sha-hmac encryption in ESP tunnel mode.
E. The tunnel will use 128-bit AES encryption in ESP tunnel mode.

Answer: C,E

Explanation:

QUESTION NO: 29 You are troubleshooting a Cisco Easy VPN installation that is experiencing session establishment problems. You have verified that matching IKE and IPsec policies exist on both peers. The remote client has also successfully entered authentication credentials. What is the next step to take in troubleshooting this problem?

A. verify that the router is not denying traffic from the tunnel
B. verify that the router is able to assign an IP address to the client
C. examine routing tables
D. issue a ping from the client to the router to verify reachability

Answer: B

Explanation:

QUESTION NO: 30 Which of these is a result of using the same routing protocol process for routing outside and inside the VPN tunnel?

A. This will provide for routing-protocol-based failover redundancy.
B. Spoke routers will be able to dynamically learn routes to peer networks.
C. This will allow VPN-encapsulated packets to be routed out the correct physical interface used to reach the remote peer.
D. The tunnel will constantly flap.

Answer: D

Explanation:

QUESTION NO: 31 DRAG DROP

Answer:

Explanation:

VLAN Assignment

Time-based access

Endpoint posture assessment


QUESTION NO: 32 Refer to the exhibit. What can be determined from the output of this show command?

A. The switch port interface is enabled and operating as a community port.
B. The interface is acting as an isolated switch port operating in VLAN 1.
C. The interface is configured for Private VLAN Edge.
D. The switch port interface is not a trusted port.

Answer: C

Explanation:

QUESTION NO: 33 You are troubleshooting a problem related to IPsec connectivity issues. You see that there is no ISAKMP security association established between peers. You debug the connection process and see an error message of 1d00h: ISAKMP (0:1): atts are not acceptable. Next payload is 0. What does this message indicate?

A. This indicates a policy mismatch.
B. This indicates that the offered attributes did not contain a payload.
C. IKE has failed initial attempts and will resend policy offerings to the peer router.
D. The time stamp of the message shows that it is one day old. This could indicate a possible mismatch of system clocks and invalidate the connection attempt.

Answer: A

Explanation:

QUESTION NO: 34 Refer to the exhibit. Given the output shown, what can be determined?

A. An attacker has sent a spoofed DHCP address.
B. An attacker has sent a spoofed ARP response that violates a static mapping.
C. The MAC address has matched a deny rule within the ACL.
D. This is an invalid proxy ARP packet, as indicated by the 0000.0000.0000 MAC address on the destination.

Answer: B

Explanation:

QUESTION NO: 35 Which command will enable a SCEP interface when you are configuring a Cisco router to be a certificate server?

A. scep enable (under interface configuration mode)
B. crypto pki scep enable
C. grant auto
D. ip http server

Answer: D

Explanation:

QUESTION NO: 36 When 802.1X is implemented, how do the client (supplicant) and authenticator communicate?

A. RADIUS
B. TACACS+
C. MAB
D. EAPOL

Answer: D

Explanation:

QUESTION NO: 37 Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?

A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The local user password is thl3F4ftvA.
C. The router will intercept incoming HTTP sessions on interface G0/0 for authentication.
D. The SUPERUSER's privilege level is being restricted.
E. The attribute type supplicant-group "SUPERUSER" configuration can be used to match criteria in the "inspect" class-map type using the match access-group option.

Answer: C

Explanation:


QUESTION NO: 38 Which of these is an implementation guideline when deploying the IP Source Guard feature in an environment with multiple switches?

A. Do not configure IP Source Guard on interswitch links.
B. Configure PACLs for DHCP-addressed end devices.
C. IP Source Guard must be configured in the trunk subconfiguration mode to work on interswitch links.
D. Configure static IP Source Guard mapping for all access ports.

Answer: A

Explanation:

QUESTION NO: 39 DRAG DROP

Answer:

Explanation:

Dynamic Inside NAT

Dynamic Inside PAT

Static Inside NAT

Static Inside PAT

QUESTION NO: 40 What does the command errdisable recovery cause arp-inspection interval 300 provide for?

A. It will disable a port when the ARP rate limit of 300 packets per second is received and wait a configured interval time before placing the port back in normal operation.
B. It will inspect for ARP-disabled ports every 300 seconds.
C. It will recover a disabled port and limit ARP traffic to 300 packets per second to avoid potential ARP attacks from reoccurring.
D. It will recover a disabled port due to an ARP inspection condition in 5 minutes.

Answer: D

Explanation:

QUESTION NO: 41 You have configured Management Plane Protection on an interface on a Cisco router. What is the resulting action on implementing MPP?

A. Inspection of protected management interfaces is automatically configured to ensure that management protocols comply with standards.
B. The router gives preference to the configured management interface. If that interface becomes unavailable, management protocols will be allowed on alternate interfaces.
C. Along with normal user data traffic, management traffic is also allowed only on the protected interface.
D. Only management protocols are allowed on the protected interface.

Answer: D

Explanation:

QUESTION NO: 42 DRAG DROP

Answer:

Explanation:

Use static access ports

Disable DTP

Avoid trunk native VLAN on access ports

QUESTION NO: 43 Refer to the exhibit. What can be determined from the configuration shown?

A. The community SNMP string is SNMP-MGMT-VIEW.
B. All interfaces will be included in the SNMP GETs.
C. This SNMP group will only allow read access to interface MIBs.
D. The SNMP server group is using 128-bit SHA authentication.

Answer: C

Explanation:

QUESTION NO: 44 When enabling the Cisco IOS IPS feature, which step should you perform to prevent rogue signature updates from being installed on the router?

A. configure authentication and authorization for maintaining signature updates
B. install a known RSA public key that correlates to a private key used by Cisco
C. manually import signature updates from Cisco to a secure server, and then transfer files from the secure server to the router
D. use the SDEE protocol for all signature updates from a known secure management station

Answer: B

Explanation:

QUESTION NO: 45 A user has requested a connection to an external website. After initiating the connection, a message appears in the user's browser stating that access to the requested website has been denied by the company usage policy. What is the most likely reason for this message to appear?

A. An antivirus software program has blocked the session request due to potential malicious content.
B. The network has been configured with a URL filtering service.
C. The network has been configured for 802.1X authentication and the user has failed to authenticate.
D. The user's configured policy access level does not contain proper permissions.

Answer: B

Explanation:

QUESTION NO: 46 Refer to the exhibit. Given the partial configuration shown, what can be determined?

A. This is an example of a dynamic policy PAT rule.
B. This is an example of a static policy NAT rule.
C. Addresses in the 10.10.30.0 network will be exempt from translation when destined for the 10.100.100.0 network.
D. The extended access list provides for one-to-one translation mapping of the 10.10.30.0 network to the 10.100.100.0 network.

Answer: A

Explanation:

QUESTION NO: 47 When is it most appropriate to choose IPS functionality based on Cisco IOS software?

A. when traffic rates are low and a complete signature is not required
B. when accelerated, integrated performance is required using hardware ASIC-based IPS inspections
C. when integrated policy virtualization is required
D. when promiscuous inspection meets security requirements

Answer: A

Explanation:

QUESTION NO: 48 When performing NAT, which of these is a limitation you need to account for?

A. exhaustion of port number translations
B. embedded IP addresses
C. security payload identifiers
D. inability to provide mutual connectivity to networks with overlapping address spaces

Answer: B

Explanation:

QUESTION NO: 49 DRAG DROP

Answer:

Explanation:

Routing Protocol Filtering

BPDU Guard

VTP Authentication

Routing Protocol Authentication

QUESTION NO: 50 You have enabled Cisco IOS IPS on a router in your network. However, you are not seeing expected events on your monitoring system (such as Cisco IME). On the router, you see events being captured. What is the next step in troubleshooting the problem?

A. verify that syslog is configured to send events to the correct server
B. verify SDEE communications
C. verify event action rules
D. verify that the IPS license is valid

Answer: B

Explanation:

QUESTION NO: 51 Which two of these are features of control plane security on a Cisco ISR? (Choose two.)

A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM

Answer: A,D

Explanation:

QUESTION NO: 52 Which two of these are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.)

A. DHCP snooping
B. DoS
C. confidentiality breach
D. spoofed MAC addresses
E. switch ports being converted to an untrusted state

Answer: B,C

Explanation:

QUESTION NO: 53 When Cisco IOS IPS signatures are being tuned, how is the Target Value Rating assigned?

A. It is calculated from the Event Risk Rating.
B. It is calculated from a combination of the Attack Severity Rating and Signature Fidelity Rating.
C. It is manually set by the administrator.
D. It is set based upon SEAP functions.

Answer: C

Explanation:

QUESTION NO: 54 Which of these should you do before configuring IP Source Guard on a Cisco Catalyst switch?

A. Enable NTP for event correlation
B. Enable IP routing authentication
C. Configure an access list with exempt DHCP-initiated IP address ranges
D. Turn DHCP snooping on at least 24 hours in advance

Answer: D

Explanation:

QUESTION NO: 55 What action will the parameter-map type ooo global command enable?

A. globally initiates tuning of the router's TCP normalizer parameters for out-of-order packets
B. globally classifies type ooo packets within the parameter map and subsequent policy map
C. enables a parameter map named ooo
D. configures a global parameter map for traffic destined to the router itself

Answer: A

Explanation:

QUESTION NO: 56 DRAG DROP

Answer:

Explanation:

Port ACLs

Port Security

VLAN ACLs

Private VLANs

QUESTION NO: 57 Scenario:

To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

What is the registration status of the group member router and what is the IP address of the key server? (Choose two.)

A. group registration has not yet been attempted
B. the member router is registered with the
C. 192.168.2.2
D. 192.168.12

Answer: B,D

Explanation:

QUESTION NO: 58 Scenario:

To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

On the key server router, what is the name of the transform set applied to the IPsec profile and which protection services is the transform set providing? (Choose two.)

A. the name is ESP-3DES-SHA
B. the name is GETSET
C. the transform set is offering esp-aes esp-sha-hmac
D. the transform set is offering esp-3des esp-sha-hmac

Answer: B,C

Explanation:

QUESTION NO: 59 Scenario:

To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

Which router is acting as the key server and which is acting as a group member? (Choose two.)

A. Router 1 is the key server
B. Router 2 is the key server
C. Router 1 is the group member
D. Router 2 is the group member
E. The ISP router is the key server
F. The ISP router is the group member
G. Router 1 and Router 2 are both key servers
H. Router 1 and Router 2 are both group members

Answer: B,F

Explanation:

QUESTION NO: 60 Scenario:

To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

What is the identity used to distinguish the GETVPNGROUP GDOI group?

A. the IP address of the peer
B. identity number 67890
C. group 14
D. GETVPNKEY

Answer: A,D

Explanation:

QUESTION NO: 61 Scenario:

To access the router console ports, refer to the exhibit and click router R1 or R2 for access. The ISP router will not need to be accessed. You will be placed directly into Cisco IOS enable mode. Using CLI show commands, answer the questions presented regarding GET VPN configurations. For this exercise, you will not be able to use show running-config or show start-config CLI commands. You may use other specific show run and global show commands to determine the correct answers. Not all Cisco IOS CLI features are enabled for this simulation.

On the group member router, where is the crypto map applied and what is the ISAKMP shared key? (Choose two.)

A. the crypto map is applied to the FastEthernet0/1 interface
B. the crypto map name is applied globally on the router and is active on all enabled interfaces
C. the shared key is GETVPNKEY
D. the shared key is 67890

Answer: A,B

Explanation:

QUESTION NO: 62 Which protocol is EAP encapsulated in for communications between the authenticator and the authentication server?

A. EAP-MD5
B. IPsec
C. EAPOL
D. RADIUS

Answer: D

Explanation:

QUESTION NO: 63 You are loading a basic IPS signature package onto a Cisco router. After a period of time, you see this message: %IPS-6-ALL_ENGINE_BUILDS_COMPLETE: elapsed time 275013 ms. What do you expect happened during downloading and compilation of the files?

A. The files were successfully copied with an elapsed time of 275013 ms. The router will continue with extraction and compilation of the signature database.
B. The signature engines were compiled, but there is no indication that the actual signatures were compiled.
C. The compilation failed for some of the signature engines. There are 16 engines, but only 6 were completed according to the %IPS-6 message.
D. The files were compiled without error.

Answer: D

Explanation:

QUESTION NO: 64 Refer to the exhibit. Given the configuration shown, which of these statements is correct?

A. An external service is providing URL filtering via a subscription service.
B. All HTTP traffic to websites with the name "Gambling" included in the URL will be reset.
C. A service policy on the zone pair needs to be configured in the opposite direction or all return HTTP traffic will be blocked by policy.
D. The URL filter policy has been configured in a fail-closed scenario.

Answer: A

Explanation:


QUESTION NO: 65 DRAG DROP

Answer:

Explanation: Spoke-to-hub GRE and IPSec tunnels are created

NHRP mappings are created.

All spoke traffic is forwarded to the hub.

QUESTION NO: 66
Refer to the exhibit. Which two of these are most likely to have caused the issue with NHRP, given this output of the show command? (Choose two.)
A. There was a network ID mismatch.
B. The spoke router has not yet sent a request via Tunnel0.
C. The spoke router received a malformed NHRP packet.
D. There was an authentication key mismatch.
E. The registration request was expecting a return request ID of 1201, but received an ID of 120.

Answer: A,D

Explanation:

QUESTION NO: 67 DRAG DROP

Answer:

Explanation: Event action filter

Event action override

Target value rating


QUESTION NO: 68
You have configured a guest VLAN using 802.1X on a Cisco Catalyst switch. A client incapable of using 802.1X has accessed the port and has been assigned to the guest VLAN. What happens when a client capable of using 802.1X joins the network on the same port?
A. The client capable of using 802.1X is allowed access and proper security policies are applied to the client.
B. EAPOL packets will not be allowed on the guest VLAN and the access attempt will fail.
C. The port is put into the unauthorized state in the user-configured access VLAN, and authentication is restarted.
D. This is considered a security breach by the authentication server and all users on the access port will be placed into the restricted VLAN.

Answer: C

Explanation:

QUESTION NO: 69
Refer to the exhibit. What can be determined from the information shown?
A. The user has been restricted to privilege level 1.
B. The standard access list should be reconfigured as an extended access list to allow the desired user permissions.
C. RBAC has been configured with restricted views.
D. IP access list DMZ_ACL has not yet been configured with proper permissions.

Answer: C

Explanation:

QUESTION NO: 70
Refer to the exhibit. Assuming that all other supporting configurations are correct, what can be determined from the partial IP admission configuration shown?
A. The router will forward authentication requests to a AAA server for authentication and authorization.
B. The user maint3nanc3 will have complete CLI command access once authenticated.
C. After a period of 20 minutes, the user will again be required to provide authentication credentials.
D. The authentication proxy will fail, because the router's HTTP server has not been enabled.
E. All traffic entering interface G0/1 will be intercepted for authentication, but only Telnet traffic will be authorized.

Answer: C

Explanation:


QUESTION NO: 71
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds

Answer: A

Explanation:

QUESTION NO: 72 DRAG DROP

Answer:

Explanation:

Protocol verification

Payload minimization

Protocol minimization

Application layer inspections


QUESTION NO: 73
When you are configuring a hub-and-spoke DMVPN network, which tunnel mode should you use for the spoke router configuration?
A. GRE multipoint
B. classic point-to-point GRE
C. IPsec multipoint
D. nonbroadcast multiaccess

Answer: B

Explanation:

QUESTION NO: 74
Which Cisco IOS feature provides secure, on-demand, meshed connectivity?
A. DMVPN
B. Easy VPN
C. IPsec VPN
D. mGRE

Answer: A

Explanation:

QUESTION NO: 75
You have configured a Cisco router to act as a PKI certificate server. However, you are experiencing problems starting the server. You have verified that all CA parameters have been correctly configured. What is the next step you should take in troubleshooting this problem?
A. Disable and restart the router's HTTP server function
B. Enable the SCEP interface
C. Verify the RSA key pair and generate new keys
D. Verify that the correct time is being used and that time sources are reachable

Answer: D

Explanation:

QUESTION NO: 76
Which three of these are features of data plane security on a Cisco ISR? (Choose three.)
A. uRPF
B. NetFlow export
C. FPM
D. CPPr
E. RBAC
F. routing protocol filtering

Answer: A,B,C

Explanation:

QUESTION NO: 77
What will the authentication event fail retry 0 action authorize vlan 300 command accomplish?
A. assigns clients that fail 802.1X authentication into the restricted VLAN 300
B. assigns clients to VLAN 300 and attempts reauthorization
C. assigns a client to the guest VLAN 300 if it does not receive a response from the client to its EAPOL request/identity frame
D. locks out a user who fails an 802.1X authentication and does not allow the user to try to gain network access again for 300 seconds

Answer: A

Explanation:

QUESTION NO: 78
When configuring DHCP snooping, how should you classify access ports?
A. untrusted
B. trusted
C. promiscuous
D. private

Answer: A

Explanation:

QUESTION NO: 79
When configuring URL filtering with the Trend Micro filtering service, which of these steps must you take to prepare for configuration?
A. define blacklists and whitelists
B. categorize traffic types
C. install the appropriate root CA certificate on the router
D. synchronize clocks via NTP to ensure accuracy of URL filter updates from the service

Answer: D

Explanation:

QUESTION NO: 80
Which of these is correct regarding the functionality of DVTI tunnels?
A. DVTI tunnels are created dynamically from a preconfigured template as tunnels are established to the hub.
B. The hub router needs a static DVTI tunnel to each spoke router in order to establish remote communications from spoke to spoke.
C. Spoke routers require a virtual template to clone the configuration on which the DVTI tunnel is established.
D. DVTI tunnels appear on the hub as tunnel interfaces.

Answer: C

Explanation:

QUESTION NO: 81
When implementing GET VPN, which of these is a characteristic of GDOI IKE?
A. GDOI IKE sessions are established between all peers in the network.
B. Security associations do not need to linger between members once a group member has authenticated to the key server and obtained the group policy.
C. Each pair of peers has a private set of IPsec security associations that is only shared between the two peers.
D. GDOI IKE uses UDP port 500.

Answer: B

Explanation:

QUESTION NO: 82 DRAG DROP

Answer:

Explanation:

User Traffic Encapsulation: Tunneling VPN / Non-tunneling VPN

Configuration Scalability: Automated peer discovery / Manual provisioning of paths

Authentication Scalability: Manual provisioning of peer identity / PKI provisioning

QUESTION NO: 83 DRAG DROP

Answer:


Explanation:

Step 1 – The VPN Client initiates IKE Phase 1.

Step 2 – The VPN Client establishes an ISAKMP SA.

Step 3 – The Easy VPN Server accepts the SA proposal.

Step 4 – The Easy VPN Server initiates a username and password challenge.

Step 5 – The mode configuration process is initiated.

Step 6 – The RRI process is initiated.

Step 7 – IPSec quick mode completes the connection process

QUESTION NO: 84
Which of these are the two types of keys used when implementing GET VPN? (Choose two.)
A. key encryption
B. group encryption
C. pre-shared key
D. public key
E. private key
F. traffic encryption key

Answer: A,F

Explanation:

QUESTION NO: 85 CORRECT TEXT


Scenario: You have been given the task of performing initial zone-based policy firewall configurations. You will need to create zones, assign the zones to specific interfaces, and create zone pairs to allow for traffic flow between interfaces. You will also need to define a zone-based policy firewall and assign the policy to the zone pair. To access the router console ports, refer to the exhibit, click the router for access, and perform the following tasks.

Note that when performing the configuration, you should use the exact names highlighted in bold below:
• Globally create zones and label them with the following names: OUTSIDE, INSIDE
• Assign interfaces to zones as indicated in the exhibit
• Create a zone pair for traffic flowing from the inside to the outside zone named IN-TO-OUT
• Define a zone-based firewall policy named IN-TO-OUT-POLICY
• Use the "match protocol" classification option to statefully inspect HTTP traffic and drop all other traffic
• Use a class-map named HTTP_POLICY
• Apply zone-based firewall policy IN-TO-OUT-POLICY to the zone pair

Answer: First we divide the network into two zones, INSIDE and OUTSIDE, and place each interface in its zone. Then we classify HTTP, build the inspect policy (with an explicit drop for everything else, so the "drop all other traffic" requirement is visible in the policy rather than left to the implicit class-default), and bind the policy to the zone pair. Note that the zone pair is named IN-TO-OUT and IN-TO-OUT-POLICY is the policy-map applied to it; the two names must not be confused.

Router(config)#zone security INSIDE

Router(config)#zone security OUTSIDE

Router(config)#interface fa0/0/1

Router(config-if)#no shutdown

Router(config-if)#zone-member security INSIDE

Router(config-if)#exit

Router(config)#interface fa0/0/0

Router(config-if)#no shutdown

Router(config-if)#zone-member security OUTSIDE

Router(config-if)#exit

Router(config)#class-map type inspect match-any HTTP_POLICY

Router(config-cmap)#match protocol http

Router(config-cmap)#exit

Router(config)#policy-map type inspect IN-TO-OUT-POLICY

Router(config-pmap)#class type inspect HTTP_POLICY

Router(config-pmap-c)#inspect

Router(config-pmap-c)#exit

Router(config-pmap)#class class-default

Router(config-pmap-c)#drop

Router(config-pmap-c)#exit

Router(config-pmap)#exit

Router(config)#zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE

Router(config-sec-zone-pair)#service-policy type inspect IN-TO-OUT-POLICY

Router(config-sec-zone-pair)#exit

Verify the binding with show zone-pair security and the per-class counters with show policy-map type inspect zone-pair IN-TO-OUT; HTTP sessions should appear under the inspect class and everything else should increment the drop counter of class-default.

QUESTION NO: 86 Refer to the exhibit.

What can be determined from the partial configuration shown?
A. The zone-based policy firewall is providing for bridging of non-IP protocols.
B. Since the interfaces are in the same bridge group, access policies are not required.
C. Traffic flow will be allowed to pass between the interfaces without being inspected.
D. The zone-based policy firewall is operating in transparent mode.

Answer: D

Explanation:

QUESTION NO: 87
When is it feasible for a port to be both a guest VLAN and a restricted VLAN?
A. this configuration scenario is never implemented
B. when you have configured the port for promiscuous mode
C. when private VLANs have been configured to place each end device into different subnets
D. when you want to allow both types of users the same services

Answer: D

Explanation:


QUESTION NO: 88 Refer to the exhibit.

What can be determined from the information provided in the system image output?
A. The router supports LDAP.
B. A Key Version of "A" indicates that this is an advanced IP security image of the Cisco IOS system.
C. The router is in ROM monitor mode.
D. This is a digitally-signed Cisco IOS image.

Answer: D

Explanation:

QUESTION NO: 89
Which three of these are sources used when the router is configured for URL filtering? (Choose three.)
A. Websense URL filter
B. AAA server downloadable ACLs
C. ASA URL filter feature set
D. Trend Micro cloud-based URL filter service
E. locally configured filter rules on the router
F. Cisco SenderBase URL filtering service

Answer: A,D,E


Explanation:

QUESTION NO: 90
In an 802.1X environment, which feature allows non-802.1X-capable devices such as printers and fax machines to authenticate?
A. multiauth
B. WebAuth
C. MAB
D. 802.1X guest VLAN

Answer: C

Explanation:

QUESTION NO: 91
Which three of the following are advantages of virtual tunnel interfaces (VTIs) over GRE VPN solutions? (Choose three.)
A. VTI can support QoS.
B. VTI provides a routable interface.
C. VTI supports nonencrypted tunnels.
D. VTI is more scalable than a GRE-based VPN solution.
E. IPsec VTIs need fewer established SAs to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
F. IPsec VTIs require a loopback interface for configuration.

Answer: A,B,E

Explanation:

QUESTION NO: 92
In Cisco IOS 15.0.1M code for the router platform, which new feature has been added to the zone-based policy firewall?
A. removal of support for port-to-application matching
B. ability to configure policies for traffic that is traveling between interfaces in the same security zone
C. intrazone traffic is no longer freely permitted by default
D. NBAR is not compatible with the transparent firewall

Answer: B

Explanation:

QUESTION NO: 93
When configuring NAT, which three of the protocols shown may have limitations or complications when using NAT? (Choose three.)
A. Kerberos
B. HTTPS
C. NTP
D. SIP
E. FTP
F. SQL

Answer: A,D,E

Explanation:

QUESTION NO: 94
Which two answers are potential results of an attacker performing a DHCP server spoofing attack? (Choose two.)
A. ability to selectively change DHCP option fields of the current DHCP server, such as the giaddr field
B. DoS
C. excessive number of DHCP discovery requests
D. ARP cache poisoning on the router
E. client unable to access network resources

Answer: B,E

Explanation:

QUESTION NO: 95
Cisco IOS Software displays the following message: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL. What does this message indicate?
A. The message indicates that an attacker is pretending to be a DHCP server on an untrusted port.
B. The source MAC address in the Ethernet header does not match the address in the "chaddr" field of the DHCP request message.
C. The message indicates that DHCP snooping has dropped a DHCP message that claimed an existing, legitimate host is present on an unexpected interface.
D. A Layer 2 port security MAC address violation has occurred on an interface that is set up for untrusted DHCP snooping.

Answer: B

Explanation:
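The message in question 95 is the switch rejecting a client DHCP packet on an untrusted port because the BOOTP chaddr does not match the Ethernet source MAC (the check enabled by ip dhcp snooping verify mac-address, which is on by default); the same untrusted-port classification from question 78 is what lets the switch discard the spoofed server replies of question 94. The following is an added example, not part of this dump and not Cisco IOS code: it models both checks in Python over constructed Ethernet/IPv4/UDP/BOOTP frames. The MATCH_MAC_FAIL mnemonic is taken from the question; the UNTRUSTED_PORT mnemonic string is an assumption modelled on the IOS message format.

```python
"""Model of the two DHCP snooping checks a switch applies on an UNTRUSTED port:
server-to-client messages are dropped (DHCP server spoofing), and a client
message whose BOOTP chaddr differs from the Ethernet source MAC is dropped
(the %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL case).
All frames are constructed for the demo; checksums are left at zero."""
import struct

ETHERTYPE_IPV4 = 0x0800
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_dhcp_frame(eth_src: str, chaddr: str, op: int, msg_type: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP frame carrying option 53."""
    options = bytes([53, 1, msg_type, 255])
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        bytes(4), bytes(4), bytes(4), bytes(4),
                        mac(chaddr), bytes(64), bytes(128))
    bootp += MAGIC_COOKIE + options
    sport, dport = (68, 67) if op == BOOTREQUEST else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff") + udp
    eth_dst = b"\xff" * 6 if op == BOOTREQUEST else mac(chaddr)
    return eth_dst + mac(eth_src) + struct.pack("!H", ETHERTYPE_IPV4) + ip


def parse_dhcp(frame: bytes):
    """Return (eth_src, op, chaddr, msg_type) or None if the frame is not DHCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    eth_src = frame[6:12]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:          # not UDP, or truncated
        return None
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if not ({sport, dport} & {67, 68}):
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None
    op, hlen = bootp[0], bootp[2]
    chaddr = bootp[28:28 + hlen]                  # hlen bytes of the 16-byte field
    msg_type, pos = None, 240
    while pos < len(bootp) and bootp[pos] != 255:  # walk options to the End marker
        if bootp[pos] == 0:                        # Pad option has no length byte
            pos += 1
            continue
        code, length = bootp[pos], bootp[pos + 1]
        if code == 53 and length == 1:
            msg_type = bootp[pos + 2]
        pos += 2 + length
    return eth_src, op, chaddr, msg_type


def snoop(frame: bytes, port_trusted: bool, verify_mac: bool = True):
    """Return ("forward", reason) or ("drop", syslog-style reason).
    verify_mac mirrors 'ip dhcp snooping verify mac-address' (default on)."""
    parsed = parse_dhcp(frame)
    if parsed is None:
        return "forward", "not DHCP"
    eth_src, op, chaddr, msg_type = parsed
    name = DHCP_TYPES.get(msg_type, "unknown")
    if port_trusted:
        return "forward", f"{name} on trusted port"
    if op == BOOTREPLY:   # only trusted ports may carry server replies
        return "drop", f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: {name} on untrusted port"
    if verify_mac and chaddr != eth_src:
        return "drop", ("%DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: chaddr "
                        f"{chaddr.hex(':')} != source MAC {eth_src.hex(':')}")
    return "forward", f"{name} from client"


if __name__ == "__main__":
    spoofed_client = build_dhcp_frame("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", BOOTREQUEST, 3)
    rogue_server = build_dhcp_frame("de:ad:be:ef:00:01", "00:11:22:33:44:55", BOOTREPLY, 2)
    print(snoop(spoofed_client, port_trusted=False))
    print(snoop(rogue_server, port_trusted=False))
```

The chaddr check is what stops a host from requesting leases on behalf of many fabricated MAC addresses to exhaust the pool (the DoS outcome of question 94); disabling it (snoop(..., verify_mac=False)) lets that frame through, which is why a DHCP relay whose chaddr legitimately differs from its own MAC must sit behind a trusted port rather than have the check turned off globally.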

QUESTION NO: 96
Refer to the exhibit.

Based on the partial configuration that is provided, if a non-802.1X client connects to a port on this switch, which VLAN will it be assigned to, and how long will it take for the port to time out and transition to the guest VLAN? (Choose all that apply.)
A. The switch is configured for the default 802.1X timeout period of 90 seconds.
B. The 802.1X authentication process will time out in 10 seconds and immediately change the port to the guest VLAN.
C. The 802.1X authentication process will time out, and the switch will roll over the port to the guest VLAN in 15 seconds.
D. The non-802.1X client and phones will all be assigned to VLAN 30.
E. The non-802.1X client will be assigned to VLAN 40.
F. The non-802.1X client will be assigned to VLAN 10.

Answer: C,E

Explanation:

QUESTION NO: 97
When 802.1X is implemented, how do the authenticator and authentication server communicate?
A. RADIUS
B. TACACS+
C. MAB
D. EAPOL

Answer: A

Explanation:
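Questions 62 and 97 both turn on the same layering: between supplicant and authenticator EAP rides in EAPOL frames, while between the authenticator (the switch) and the authentication server the same EAP packet is carried inside RADIUS EAP-Message attributes (RFC 3579). The following is an added example, not part of this dump and not Cisco code: it builds an Access-Request carrying an EAP-Response/Identity, protects it with the Message-Authenticator attribute that RFC 3579 requires whenever EAP-Message is present, and checks it on the receiving side. The shared secret, identity and NAS address are constructed values.

```python
"""Wrap an EAP packet in a RADIUS Access-Request (RFC 3579) and verify the
Message-Authenticator attribute (HMAC-MD5 over the packet, keyed with the
RADIUS shared secret) that must accompany every EAP-Message attribute.
Secret, identity and NAS address below are constructed for the demo."""
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_response_identity(eap_id: int, identity: str) -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, header included) Value(<=253)."""
    assert len(value) <= 253, "attribute value too long; split it"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, authenticator: bytes,
                         user_name: str, eap: bytes, nas_ip: str) -> bytes:
    """Access-Request carrying EAP. Long EAP packets are split across several
    EAP-Message attributes; Message-Authenticator is computed over the whole
    packet with its own 16-byte value zeroed, then written into place."""
    assert len(authenticator) == 16
    attrs = _attr(ATTR_USER_NAME, user_name.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    for i in range(0, len(eap), 253):
        attrs += _attr(ATTR_EAP_MESSAGE, eap[i:i + 253])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))      # placeholder, last attr
    length = 20 + len(attrs)
    pkt = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) + authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:length - 16] + mac


def parse_attributes(pkt: bytes):
    """Return [(type, value), ...] for every attribute after the 20-byte header."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, out = 20, []
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        out.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Recompute HMAC-MD5 with the Message-Authenticator value zeroed.
    A packet that omits the attribute is rejected, as RFC 3579 requires a
    RADIUS server to silently discard EAP-Message requests without it."""
    pos = 20
    while pos + 1 < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = pkt[pos + 2:pos + 18]
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def extract_eap(pkt: bytes) -> bytes:
    """Reassemble the EAP packet from the (possibly several) EAP-Message attributes."""
    return b"".join(v for t, v in parse_attributes(pkt) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed; never reuse
    eap = eap_response_identity(1, "alice@example.com")
    req = build_access_request(secret, 7, os.urandom(16), "alice@example.com", eap, "192.0.2.10")
    print(len(req), verify_message_authenticator(secret, req), extract_eap(req) == eap)
```

Because the HMAC covers the entire packet, a server can detect a relayed EAP payload that was altered on the path between switch and server, and a server with the wrong shared secret fails verification rather than accepting an unauthenticated request; this is the integrity property the EAPOL leg, which has no shared secret, cannot provide.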

QUESTION NO: 98 Refer to the exhibit.

What can be determined about IPS updates from the configuration shown?
A. Updates will be stored on the ida-client server.
B. Updates will be stored in the directory labeled "cisco."
C. Updates will be retrieved from an external source every day of the week.
D. Updates will occur once per week on Sundays between midnight and 6 a.m. (0000 and 0600).

Answer: C

Explanation:


QUESTION NO: 99 Refer to the exhibit.

Which of these is correct based on the partial configuration shown?
A. The policy is configured to use an authentication key of "rsa-sig."
B. The policy is configured to use hashing group sha-1.
C. The policy is configured to use triple DES IPsec encryption.
D. The policy is configured to use digital certificates.
E. The policy is configured to use access list 101 to identify the IKE-protected traffic.

Answer: D

Explanation:

QUESTION NO: 100
When uploading an IPS signature package to a Cisco router, what is required for the upload to self-extract the files?
A. the idconf keyword on the end of the copy command
B. a public key on the Cisco router
C. IPS must be disabled on the upload interface
D. the HTTP secure server must be enabled

Answer: A

Explanation:


QUESTION NO: 101
To prevent a spanning-tree attack, which command should be configured on a distribution switch port that is connected to an access switch?
A. spanning-tree portfast bpduguard default
B. spanning-tree backbonefast
C. spanning-tree bpduguard enable
D. spanning-tree guard root

Answer: D

Explanation:

QUESTION NO: 102
In a GET VPN solution, which two ways can the key server distribute the new keys to the group members during the rekey process? (Choose two.)
A. multicast UDP transmission
B. multicast TCP transmission
C. unicast UDP transmission
D. unicast TCP transmission

Answer: A,C

Explanation:

QUESTION NO: 103
You are a network administrator and are moving a web server from inside the company network to a DMZ segment that is located on a Cisco router. The web server was located at IP address 172.16.10.50 on the inside and changed to the IP address 172.20.10.5 on the DMZ. Additionally, you are moving the web port to 8080 but do not want your inside users to be affected. Which NAT statement should you configure on your router to support the change?
A. hostname(config)# ip nat inside source static 172.16.10.50 172.20.10.5
B. hostname(config)# ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080
C. hostname(config)# ip nat outside source static tcp 172.16.10.50 80 172.20.10.5 8080
D. hostname(config)# ip nat static outside source tcp 172.20.10.5 80 172.16.10.50 8080
E. hostname(config)# ip nat static inside source udp 172.20.10.50 172.20.10.5

Answer: B

Explanation:

QUESTION NO: 104
When configuring NAT, and your solution requires the ability to see the inside local and outside global address entries and any TCP or UDP port in the show ip nat command output, how should NAT be configured on the router?
A. use the overload option on the end of your static NAT statement
B. include both static and dynamic NAT configuration on the router
C. tie the ip nat inside command to a dynamic NAT pool
D. attach a route-map to the ip nat inside command
E. configure the ip nat inside command to an extended ACL

Answer: D

Explanation:

QUESTION NO: 105
Refer to the exhibit.

You are working for a corporation that has connected its network to a partner network. Based on the partial configuration that is supplied in the exhibit, which two things happen to traffic that is inbound from the partner network (outside is 10.10.30.0/24) and to the return traffic from the inside as it travels through this router? (Choose two.)
A. The source address of the IP packets that are traveling from the 10.10.30.0/24 network to 10.10.19.0/24 is translated to 172.19.1.0/24.
B. The destination address of IP packets that are traveling from 10.10.19.0/24 to any IP network is translated to 172.19.1.0/24.
C. IP traffic that is flowing from 10.10.19.0/24 to 10.10.30.0/24 has the source address translated to 172.19.1.0/24.
D. The destination address of IP packets that are traveling from 10.10.19.0/24 to 10.10.30.0/24 is translated to 172.19.1.0/24.
E. The destination address of IP packets that are traveling from 10.10.30.0/24 to 10.10.19.0/24 is translated to 172.19.1.0/24.

Answer: A,D

Explanation:
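Questions 103 and 105 both come down to which field a static NAT entry rewrites in each direction: for traffic leaving the side named in the entry (inside for ip nat inside source, outside for ip nat outside source) the source address, and the source port in the tcp/udp form, is rewritten; for the return traffic the destination is rewritten back. The following is an added example, not code from this dump or from Cisco: a small translator that parses the three static forms used in these questions and applies them per direction. Since the exhibit of question 105 is not reproduced, it assumes that configuration is an outside-source static network entry mapping 10.10.30.0/24 to 172.19.1.0/24; the port-mapped entry is option B of question 103, and all packets are constructed.

```python
"""Direction semantics of static NAT entries (host, host+port and network forms).
A packet crossing AWAY from the side an entry names gets its SOURCE rewritten;
a packet crossing TOWARD that side gets its DESTINATION rewritten back.
Rule text reuses the questions' addresses; the rule set and packets are
constructed for the demo (question 105's exhibit is assumed, not known)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class StaticRule:
    side: str                 # "inside" or "outside": the side whose addresses are rewritten
    from_net: IPv4Network     # address as seen on that side (inside local / outside global)
    to_net: IPv4Network       # address as seen from the other side (inside global / outside local)
    proto: Optional[str] = None
    from_port: Optional[int] = None
    to_port: Optional[int] = None


def rule(cli: str) -> StaticRule:
    """Parse 'ip nat {inside|outside} source static ...' in its three forms:
    A B  |  {tcp|udp} A APORT B BPORT  |  network A B {/N|MASK}."""
    w = cli.split()
    assert w[:2] == ["ip", "nat"] and w[2] in ("inside", "outside")
    assert w[3:5] == ["source", "static"], "only static entries are modelled"
    side, rest = w[2], w[5:]
    if rest[0] == "network":
        mask = rest[3]
        n = int(mask.lstrip("/")) if mask.startswith("/") else IPv4Network(f"0.0.0.0/{mask}").prefixlen
        return StaticRule(side, IPv4Network(f"{rest[1]}/{n}"), IPv4Network(f"{rest[2]}/{n}"))
    if rest[0] in ("tcp", "udp"):
        return StaticRule(side, IPv4Network(f"{rest[1]}/32"), IPv4Network(f"{rest[3]}/32"),
                          rest[0], int(rest[2]), int(rest[4]))
    return StaticRule(side, IPv4Network(f"{rest[0]}/32"), IPv4Network(f"{rest[1]}/32"))


def _map(addr: str, src_net: IPv4Network, dst_net: IPv4Network) -> str:
    """Keep the host bits, swap the network bits (a /32 swaps the whole address)."""
    host_bits = int(IPv4Address(addr)) & int(src_net.hostmask)
    return str(IPv4Address(int(dst_net.network_address) | host_bits))


def translate(pkt: Packet, rules: List[StaticRule], ingress: str) -> Packet:
    """ingress is the side ('inside' or 'outside') the packet arrived on.
    First matching entry wins; an unmatched packet is forwarded untranslated."""
    for r in rules:
        if r.proto and r.proto != pkt.proto:
            continue
        if ingress == r.side:        # leaving the rule's side: rewrite source
            if IPv4Address(pkt.src) in r.from_net and (r.from_port is None or pkt.sport == r.from_port):
                return replace(pkt, src=_map(pkt.src, r.from_net, r.to_net),
                               sport=r.to_port if r.to_port is not None else pkt.sport)
        else:                        # returning toward it: rewrite destination
            if IPv4Address(pkt.dst) in r.to_net and (r.to_port is None or pkt.dport == r.to_port):
                return replace(pkt, dst=_map(pkt.dst, r.to_net, r.from_net),
                               dport=r.from_port if r.from_port is not None else pkt.dport)
    return pkt


if __name__ == "__main__":
    rules = [rule("ip nat inside source static tcp 172.16.10.50 80 172.20.10.5 8080"),
             rule("ip nat outside source static network 10.10.30.0 172.19.1.0 /24")]
    print(translate(Packet("tcp", "172.16.10.50", 80, "198.51.100.7", 40000), rules, "inside"))
    print(translate(Packet("udp", "10.10.30.9", 5000, "10.10.19.1", 53), rules, "outside"))
```

Note what the port form does not do: a packet to 172.20.10.5 on any port other than 8080 matches nothing and is forwarded untranslated, which is the behaviour that makes the tcp/udp form a narrow port forward rather than a one-to-one host mapping.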

QUESTION NO: 106
You are a network administrator deploying a Cisco router that needs to support both PAT and a site-to-site VPN on one public IP address. In order to make both work simultaneously, how should the NAT configuration be set up?
A. The VPN configuration should be set up with a static NAT configuration.
B. Because PAT does not support AH, the VPN tunnel must not be configured with Encapsulating Security Payload (ESP).
C. An ACL should be attached to the nat command to permit the NAT traffic and deny the VPN traffic.
D. The nat configuration command needs to include a range of IP addresses with the overload keyword on the end.
E. A route-map should be used with the nat command to support the use of AH and ESP.
F. The ip nat inside command needs to exclude the VPN source address in the NAT pool.

Answer: C

Explanation:

QUESTION NO: 107
Refer to the exhibit.

Based on the configuration that is shown in the exhibit, select the three answers that apply. (Choose three.)
A. The configuration supports multidomain authentication, which allows one MAC address on the voice VLAN and one on the data VLAN.
B. Traffic will not flow for either the phone or the host computer until one device completes the 802.1X authentication process.
C. Registration and DHCP traffic will flow on either the data or voice VLAN before authentication.
D. The port will only require the 802.1X supplicant to authenticate one time.
E. MAC Authentication Bypass will be attempted only after 802.1X authentication times out.
F. Non-802.1X devices are supported on this port by setting up the host for MAC address authentication in the endpoint database.

Answer: A,C,F

Explanation:

QUESTION NO: 108
You are finding that the 802.1X-configured ports are going into the error-disable state. Which command will show you the reason why a port is in the error-disable state, and which command will cause the port to be automatically re-enabled after a specific amount of time? (Choose two.)
A. show errdisable status
B. show errdisable recovery
C. show errdisable flap-status
D. errdisable recovery cause security-violation
E. errdisable recovery cause dot1x
F. errdisable recovery cause l2ptguard

Answer: B,D

Explanation:

QUESTION NO: 109
Your company requires that, if the Phase 1 Diffie-Hellman key exchange is compromised, a secondary mechanism still protects the keys of the IPsec tunnel. What should you implement to ensure a higher degree of key material security?
A. Diffie-Hellman Phase II ESP
B. PFS Group 5
C. Transform-set SHA-256
D. XAUTH with AAA authentication
E. Diffie-Hellman Group 5 Phase I

Answer: B

Explanation:

QUESTION NO: 110
Which solution on a Cisco router requires the loading of a protocol header definition file (PHDF)?
A. reflexive access control lists
B. NetFlow
C. Flexible Packet Matching
D. Control Plane Policing

Answer: C

Explanation:

QUESTION NO: 111
You are troubleshooting a problem for which end users are reporting connectivity issues. Your network has been configured with Layer 2 protection controls. You have determined that the DHCP snooping database is correct and that proper static addressing maps have been configured. Which of these should be your next step in troubleshooting this problem?
A. Generate a proxy ARP request and verify that the DHCP database has been updated as expected.
B. Temporarily disable DHCP snooping and test connectivity again.
C. Clear the ARP tables and have end users release and renew their DHCP-learned addressing.
D. Use a protocol analyzer to determine if there are malformed DHCP or ARP packets.

Answer: D

Explanation:

QUESTION NO: 112
You are troubleshooting a reported connectivity issue from a remote office whose users are accessing corporate headquarters via an IPsec VPN connection. You issued a show crypto isakmp sa command on the headend router, and the state is MM_NO_STATE. Which debug command should you enter next, and which part of the VPN tunnel establishment process is failing? (Choose two.)
A. ISAKMP Phase II
B. ISAKMP Phase I
C. debug crypto isakmp sa
D. debug crypto isakmp
E. debug crypto ipsec

Answer: B,D

Explanation:

QUESTION NO: 113
You are installing a brand-new site-to-site VPN tunnel and notice that it is not working correctly. When connecting to the corporate router and issuing a show crypto ipsec sa command, you notice that for this particular SA packets are being encrypted but not decrypted. What are two potential reasons for this problem? (Choose two.)
A. XAUTH needs to be enabled.
B. Inbound and outbound IP protocol 50 packets are being filtered at the remote site.
C. The transform-set needs to be set to transport mode.
D. The access-list attached to the crypto map at the remote site is incorrect.
E. The remote site is failing Diffie-Hellman Phase I negotiation.
F. The NAT exception on the corporate side is filtering the return packets.

Answer: B,D


Explanation:

QUESTION NO: 114
Which two of these are features of control plane security on a Cisco ISR? (Choose two.)
A. CoPP
B. RBAC
C. AAA
D. CPPr
E. uRPF
F. FPM

Answer: A,D

Explanation:

QUESTION NO: 115
Which additional configuration steps are required for a zone-based policy firewall to operate in a VRF scenario?
A. You must assign zone-based policy firewall bridge groups to work in the virtual environment.
B. Separate zone-based policy firewall policies must be defined for each VRF environment.
C. Separate zones must be defined for each virtual zone-based policy firewall instance.
D. No special zone-based policy firewall configurations are needed.

Answer: D

Explanation:

QUESTION NO: 116
You are troubleshooting an IPsec VPN problem. During debugging of IPsec operations, you see the message "attributes not acceptable" on the IKE responder after issuing the debug crypto isakmp command. Which step should you take next?
A. verify matching ISAKMP policies on each peer
B. verify that an IKE security association has been established between peers
C. verify that IPsec transform sets match on each peer
D. verify if default IPsec attributes are in place on each peer

Answer: C

Explanation:

QUESTION NO: 117
Which state is a Cisco IOS IPS signature in if it does not take its associated action even though it has been successfully compiled?
A. retired
B. disabled
C. unsupported
D. inactive

Answer: B

Explanation:

QUESTION NO: 118
Which CLI command would you use to verify installed SSL VPN licensing on a Cisco 1900, 2900, or 3900 Series ISR?
A. show crypto ssl license
B. show crypto webvpn details
C. show webvpn license
D. show webvpn ssl license count all
E. show webvpn gateway

Answer: C

Explanation:

QUESTION NO: 119
Which statement is correct regarding GRE tunnel endpoints when you are configuring GRE over IPsec?
A. The tunnel interfaces of both endpoints must be in the same IP subnet.
B. A mirror image of the IPsec crypto ACL needs to be configured to permit the interesting end-user traffic between the GRE endpoints.
C. The tunnel interfaces of both endpoints should be configured to use the outside IP address of the router as the unnumbered IP address.
D. For high availability, the GRE tunnel interface should be configured with a primary and a backup tunnel destination IP address.

Answer: A

Explanation:

QUESTION NO: 120 Refer to the exhibit.

Which of these is correct regarding the configuration parameters shown?
A. Complete certificates will be written to and stored in NVRAM.
B. The RSA key pair is valid for five hours before being revoked.
C. The router is configured as a certificate server.
D. Certificate lifetimes are mismatched and will cause intermittent connectivity errors.
E. The router has enrolled to the MY-TRUSTPOINT PKI server, which is an external CA server.

Answer: C

Explanation:


QUESTION NO: 121 Refer to the exhibit.

When you are using dynamic IPsec VTI tunnels, what can you determine about virtual-access interfaces from the output shown?
A. The Virtual-Access1 interface currently does not have an IPsec peer connection established.
B. The Virtual-Access2 interface does not yet have an IPsec peer defined.
C. The Virtual-Access1 interface is in the down/down state, because the virtual tunnel source physical interface is down.
D. The Virtual-Access1 interface, which is used internally by the Cisco IOS software, is always down.

Answer: D

Explanation:

QUESTION NO: 122 Refer to the exhibit.


Based on the partial configuration shown, which additional configuration parameter is needed under the GET VPN group member GDOI configuration?
A. key server IP address
B. local priority
C. mapping of the IPsec profile to the IPsec SA
D. mapping of the IPsec transform set to the GDOI group

Answer: A
